fixed various dumper bugs, openprocess bugs
parent
35c3c618b1
commit
a3384e931f
|
|
@ -80,11 +80,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
|
||||||
{
|
{
|
||||||
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
||||||
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
||||||
if(PEHeader32->OptionalHeader.Magic == 0x10B)
|
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
|
||||||
{
|
{
|
||||||
FileIs64 = false;
|
FileIs64 = false;
|
||||||
}
|
}
|
||||||
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
|
else if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
|
||||||
{
|
{
|
||||||
FileIs64 = true;
|
FileIs64 = true;
|
||||||
}
|
}
|
||||||
|
|
@ -350,7 +350,7 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
|
||||||
BOOL ReturnValue = false;
|
BOOL ReturnValue = false;
|
||||||
|
|
||||||
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
||||||
if(hProcess != INVALID_HANDLE_VALUE)
|
if(hProcess)
|
||||||
{
|
{
|
||||||
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
|
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
|
||||||
EngineCloseHandle(hProcess);
|
EngineCloseHandle(hProcess);
|
||||||
|
|
@ -467,8 +467,8 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
|
||||||
HANDLE hProcess = 0;
|
HANDLE hProcess = 0;
|
||||||
BOOL ReturnValue = false;
|
BOOL ReturnValue = false;
|
||||||
|
|
||||||
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);
|
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
||||||
if(hProcess != INVALID_HANDLE_VALUE)
|
if(hProcess)
|
||||||
{
|
{
|
||||||
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
|
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
|
||||||
EngineCloseHandle(hProcess);
|
EngineCloseHandle(hProcess);
|
||||||
|
|
@ -506,18 +506,18 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
|
||||||
wchar_t szDumpFileName[MAX_PATH];
|
wchar_t szDumpFileName[MAX_PATH];
|
||||||
MEMORY_BASIC_INFORMATION MemInfo;
|
MEMORY_BASIC_INFORMATION MemInfo;
|
||||||
ULONG_PTR DumpAddress = NULL;
|
ULONG_PTR DumpAddress = NULL;
|
||||||
ULONG_PTR EnumeratedModules[1024];
|
HMODULE EnumeratedModules[1024] = {0};
|
||||||
bool AddressIsModuleBase = false;
|
bool AddressIsModuleBase = false;
|
||||||
|
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy);
|
EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy);
|
||||||
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
|
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
|
||||||
{
|
{
|
||||||
AddressIsModuleBase = false;
|
AddressIsModuleBase = false;
|
||||||
for(i = 0; i < 1024; i++)
|
for(i = 0; i < _countof(EnumeratedModules); i++)
|
||||||
{
|
{
|
||||||
if(EnumeratedModules[i] == (ULONG_PTR)MemInfo.AllocationBase)
|
if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase)
|
||||||
{
|
{
|
||||||
AddressIsModuleBase = true;
|
AddressIsModuleBase = true;
|
||||||
i = 1024;
|
i = 1024;
|
||||||
|
|
@ -529,14 +529,14 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
|
||||||
}
|
}
|
||||||
if(!(MemInfo.Protect & PAGE_NOACCESS) && AddressIsModuleBase == false)
|
if(!(MemInfo.Protect & PAGE_NOACCESS) && AddressIsModuleBase == false)
|
||||||
{
|
{
|
||||||
if(DumpAboveImageBaseOnly == false || (DumpAboveImageBaseOnly == true && EnumeratedModules[0] < (ULONG_PTR)MemInfo.BaseAddress))
|
if(DumpAboveImageBaseOnly == false || (DumpAboveImageBaseOnly == true && EnumeratedModules[0] < (HMODULE)MemInfo.BaseAddress))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szDumpName, MAX_PATH);
|
RtlZeroMemory(&szDumpName, MAX_PATH);
|
||||||
RtlZeroMemory(&szDumpFileName, MAX_PATH);
|
RtlZeroMemory(&szDumpFileName, MAX_PATH);
|
||||||
lstrcpyW(szDumpFileName, szDumpFolder);
|
lstrcpyW(szDumpFileName, szDumpFolder);
|
||||||
if(szDumpFileName[lstrlenW(szDumpFileName)-1] != 0x5C)
|
if(szDumpFileName[lstrlenW(szDumpFileName)-1] != L'\\')
|
||||||
{
|
{
|
||||||
szDumpFileName[lstrlenW(szDumpFileName)] = 0x5C;
|
szDumpFileName[lstrlenW(szDumpFileName)] = L'\\';
|
||||||
}
|
}
|
||||||
wsprintfW(szDumpName, L"Dump-%x_%x.dmp", (ULONG_PTR)MemInfo.BaseAddress, (ULONG_PTR)MemInfo.RegionSize);
|
wsprintfW(szDumpName, L"Dump-%x_%x.dmp", (ULONG_PTR)MemInfo.BaseAddress, (ULONG_PTR)MemInfo.RegionSize);
|
||||||
lstrcatW(szDumpFileName, szDumpName);
|
lstrcatW(szDumpFileName, szDumpName);
|
||||||
|
|
@ -572,8 +572,8 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu
|
||||||
HANDLE hProcess = 0;
|
HANDLE hProcess = 0;
|
||||||
BOOL ReturnValue = false;
|
BOOL ReturnValue = false;
|
||||||
|
|
||||||
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);
|
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
||||||
if(hProcess != INVALID_HANDLE_VALUE)
|
if(hProcess)
|
||||||
{
|
{
|
||||||
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
|
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
|
||||||
EngineCloseHandle(hProcess);
|
EngineCloseHandle(hProcess);
|
||||||
|
|
@ -608,16 +608,18 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas
|
||||||
int i;
|
int i;
|
||||||
DWORD Dummy = NULL;
|
DWORD Dummy = NULL;
|
||||||
MODULEINFO RemoteModuleInfo;
|
MODULEINFO RemoteModuleInfo;
|
||||||
ULONG_PTR EnumeratedModules[1024];
|
HMODULE EnumeratedModules[1024];
|
||||||
|
|
||||||
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
|
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
|
||||||
{
|
{
|
||||||
for(i = 0; i < 512; i++)
|
for(i = 0; i < _countof(EnumeratedModules); i++)
|
||||||
{
|
{
|
||||||
if(EnumeratedModules[i] == (ULONG_PTR)ModuleBase)
|
if(EnumeratedModules[i] == (HMODULE)ModuleBase)
|
||||||
{
|
{
|
||||||
GetModuleInformation(hProcess, (HMODULE)EnumeratedModules[i], &RemoteModuleInfo, sizeof MODULEINFO);
|
if (GetModuleInformation(hProcess, (HMODULE)EnumeratedModules[i], &RemoteModuleInfo, sizeof(MODULEINFO)))
|
||||||
return(DumpMemoryW(hProcess, (LPVOID)EnumeratedModules[i], RemoteModuleInfo.SizeOfImage, szDumpFileName));
|
{
|
||||||
|
return(DumpMemoryW(hProcess, (LPVOID)EnumeratedModules[i], RemoteModuleInfo.SizeOfImage, szDumpFileName));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -646,8 +648,8 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB
|
||||||
HANDLE hProcess = 0;
|
HANDLE hProcess = 0;
|
||||||
BOOL ReturnValue = false;
|
BOOL ReturnValue = false;
|
||||||
|
|
||||||
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);
|
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
||||||
if(hProcess != INVALID_HANDLE_VALUE)
|
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
|
||||||
{
|
{
|
||||||
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
|
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
|
||||||
EngineCloseHandle(hProcess);
|
EngineCloseHandle(hProcess);
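Review bot: In the DumpModuleW hunk the loop `for(i = 0; i < _countof(EnumeratedModules); i++)` still walks all 1024 slots although EnumProcessModules reports the bytes it actually filled in Dummy, and `HMODULE EnumeratedModules[1024];` is not zero-initialized in this function (the `= {0}` was added only in DumpRegionsW), so the unfilled tail is uninitialized stack memory being compared against ModuleBase. Bound the loop by the reported count: `size_t ModuleCount = Dummy / sizeof(HMODULE); if(ModuleCount > _countof(EnumeratedModules)) ModuleCount = _countof(EnumeratedModules);` followed by `for(i = 0; i < (int)ModuleCount; i++)`, which also removes the signed/unsigned comparison between `int i` and `_countof`. The DumpRegionsW hunk has the same array-size bound (and the `i = 1024` break-by-assignment) and should be limited by Dummy the same way; there the zeroed tail is harmless, but a failed EnumProcessModules call is not detected either, leaving `EnumeratedModules[0]` as NULL for the DumpAboveImageBaseOnly comparison. The new `if (GetModuleInformation(...))` check is the right fix but is written `if (` where the rest of the file writes `if(`. DumpModuleW's return after the loop lies outside this hunk.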
|
||||||
|
|
|
||||||
|
|
@ -88,7 +88,7 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
|
||||||
{
|
{
|
||||||
if(bProcessId[i] != NULL)
|
if(bProcessId[i] != NULL)
|
||||||
{
|
{
|
||||||
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
|
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules);
|
RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules);
|
||||||
|
|
|
||||||
|
|
@ -1457,13 +1457,6 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
|
||||||
ULONG_PTR fImpRecTrace = NULL;
|
ULONG_PTR fImpRecTrace = NULL;
|
||||||
PMEMORY_CMP_HANDLER cmpModuleName;
|
PMEMORY_CMP_HANDLER cmpModuleName;
|
||||||
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteLoadLibrary - (ULONG_PTR)&injectedImpRec);
|
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteLoadLibrary - (ULONG_PTR)&injectedImpRec);
|
||||||
#if !defined(_WIN64)
|
|
||||||
typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
|
|
||||||
#else
|
|
||||||
typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
|
|
||||||
#endif
|
|
||||||
LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread");
|
|
||||||
fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread);
|
|
||||||
LPVOID szModuleName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
LPVOID szModuleName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||||||
LPVOID szGarbageFile = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
LPVOID szGarbageFile = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||||||
LPVOID cModuleName = szModuleName;
|
LPVOID cModuleName = szModuleName;
|
||||||
|
|
@ -1519,10 +1512,9 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
|
||||||
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectImpRecCodeData, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectImpRecCodeData, &NumberOfBytesWritten);
|
||||||
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectImpRecCodeData), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectImpRecCodeData), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
|
||||||
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
|
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
|
||||||
if(ZwSetInformationThread != NULL)
|
|
||||||
{
|
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
|
||||||
cZwSetInformationThread(hThread, 0x11, NULL, NULL);
|
|
||||||
}
|
|
||||||
ResumeThread(hThread);
|
ResumeThread(hThread);
|
||||||
WaitForSingleObject(hThread, INFINITE);
|
WaitForSingleObject(hThread, INFINITE);
|
||||||
if(GetExitCodeThread(hThread, &ExitCode))
|
if(GetExitCodeThread(hThread, &ExitCode))
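Review bot: `NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);` is now called unconditionally on the handle returned by CreateRemoteThread on the line above, which is NULL when thread creation fails, and nothing in the hunk checks hThread before this call, ResumeThread or the INFINITE wait. Add `if(hThread == NULL) { /* release the remote allocations and return the failure code */ }` before the call; the exact cleanup and return value belong to the function's error path, which starts and ends outside this hunk. The NTSTATUS from NtSetInformationThread is also dropped, so a failure to hide the injected thread goes unnoticed — wrap it as `if(!NT_SUCCESS(NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL))) { /* record the failure */ }`. The direct call presumably relies on NtSetInformationThread and ThreadHideFromDebugger being declared by a project header now that the typedef and GetProcAddress lookup removed in the earlier hunk are gone; the hunk header advertises 9 new lines while 7 are rendered here, so confirm against the raw patch that the declaration is in place.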
|
||||||
|
|
|
||||||