mirror of https://github.com/x64dbg/TitanEngine
Make everything standards-compliant
parent
4cdefb80c6
commit
a62925db7a
|
|
@ -99,6 +99,10 @@ add_library(scylla_wrapper STATIC)
|
||||||
target_sources(scylla_wrapper PRIVATE ${scylla_wrapper_SOURCES})
|
target_sources(scylla_wrapper PRIVATE ${scylla_wrapper_SOURCES})
|
||||||
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${scylla_wrapper_SOURCES})
|
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${scylla_wrapper_SOURCES})
|
||||||
|
|
||||||
|
target_compile_features(scylla_wrapper PUBLIC
|
||||||
|
cxx_std_11
|
||||||
|
)
|
||||||
|
|
||||||
target_include_directories(scylla_wrapper PUBLIC
|
target_include_directories(scylla_wrapper PUBLIC
|
||||||
"scylla_wrapper/include"
|
"scylla_wrapper/include"
|
||||||
)
|
)
|
||||||
|
|
|
||||||
1131
SDK/C/TitanEngine.h
1131
SDK/C/TitanEngine.h
File diff suppressed because it is too large
|
|
@ -85,7 +85,7 @@ void DebuggerReset()
|
||||||
{
|
{
|
||||||
if(engineResetCustomHandler)
|
if(engineResetCustomHandler)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&myDBGCustomHandler, sizeof CustomHandler);
|
RtlZeroMemory(&myDBGCustomHandler, sizeof(CustomHandler));
|
||||||
}
|
}
|
||||||
std::vector<BreakPointDetail>().swap(BreakPointBuffer);
|
std::vector<BreakPointDetail>().swap(BreakPointBuffer);
|
||||||
std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail>().swap(MemoryBreakpointPages);
|
std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail>().swap(MemoryBreakpointPages);
|
||||||
|
|
@ -113,11 +113,11 @@ void StepOutStepCallBack()
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
typedef void(TITCALL * fCustomBreakPoint)();
|
typedef void(TITCALL * fCustomBreakPoint)();
|
||||||
((fCustomBreakPoint)StepOutCallBack)();
|
ObjectPointerToCallback<fCustomBreakPoint>(StepOutCallBack)();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
StepOver(StepOutStepCallBack);
|
StepOver(CallbackToObjectPointer(&StepOutStepCallBack));
|
||||||
}
|
}
|
||||||
|
|
||||||
static DWORD BaseSetLastNTError(IN NTSTATUS Status)
|
static DWORD BaseSetLastNTError(IN NTSTATUS Status)
|
||||||
|
|
|
||||||
|
|
@ -12,10 +12,18 @@ static bool isAtleastVista()
|
||||||
static bool isSet = false;
|
static bool isSet = false;
|
||||||
if(isSet)
|
if(isSet)
|
||||||
return isAtleastVista;
|
return isAtleastVista;
|
||||||
OSVERSIONINFO versionInfo = {0};
|
RTL_OSVERSIONINFOW versionInfo = {0};
|
||||||
versionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
|
versionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
|
||||||
GetVersionEx(&versionInfo);
|
typedef NTSTATUS (WINAPI* tRtlGetVersion)(PRTL_OSVERSIONINFOW);
|
||||||
|
tRtlGetVersion pRtlGetVersion = (tRtlGetVersion)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
|
||||||
|
if(!pRtlGetVersion || !NT_SUCCESS(pRtlGetVersion(&versionInfo)))
|
||||||
|
{
|
||||||
|
isAtleastVista = false;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
isAtleastVista = versionInfo.dwMajorVersion >= 6;
|
isAtleastVista = versionInfo.dwMajorVersion >= 6;
|
||||||
|
}
|
||||||
isSet = true;
|
isSet = true;
|
||||||
return isAtleastVista;
|
return isAtleastVista;
|
||||||
}
|
}
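Review bot: The failure branch of the RtlGetVersion probe stores `isAtleastVista = false` and the function then sets `isSet = true`, so a single failed lookup or call is cached for the life of the process and every later caller is told the OS is older than Vista. If that fallback is intended, state it at the branch with a comment such as `// RtlGetVersion unavailable or failed: treat as pre-Vista`; otherwise return before `isSet = true` so the probe is retried. The `isSet` and `isAtleastVista` statics are also written without synchronisation, which matters only if this helper can be reached from more than one thread, and the hunk does not show that. The function's opening lines are outside the hunk.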
|
||||||
|
|
|
||||||
|
|
@ -145,7 +145,7 @@ wchar_t* EngineExtractFileNameW(wchar_t* szFileName)
|
||||||
int x = 0;
|
int x = 0;
|
||||||
|
|
||||||
i = lstrlenW(szFileName);
|
i = lstrlenW(szFileName);
|
||||||
RtlZeroMemory(&engineExtractedFileNameW, sizeof engineExtractedFileNameW);
|
RtlZeroMemory(&engineExtractedFileNameW, sizeof(engineExtractedFileNameW));
|
||||||
while(i > 0 && szFileName[i] != 0x5C)
|
while(i > 0 && szFileName[i] != 0x5C)
|
||||||
{
|
{
|
||||||
i--;
|
i--;
|
||||||
|
|
@ -175,13 +175,13 @@ bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr)
|
||||||
DWORD MaxDisassmSize = 512;
|
DWORD MaxDisassmSize = 512;
|
||||||
BYTE TestChar;
|
BYTE TestChar;
|
||||||
|
|
||||||
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.State == MEM_COMMIT)
|
if(MemInfo.State == MEM_COMMIT)
|
||||||
{
|
{
|
||||||
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512)
|
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512)
|
||||||
{
|
{
|
||||||
MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1);
|
MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1);
|
||||||
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.State != MEM_COMMIT)
|
if(MemInfo.State != MEM_COMMIT)
|
||||||
{
|
{
|
||||||
i = MaxDisassmSize;
|
i = MaxDisassmSize;
|
||||||
|
|
@ -228,13 +228,13 @@ int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr)
|
||||||
DWORD MaxDisassmSize = 512;
|
DWORD MaxDisassmSize = 512;
|
||||||
BYTE TestChar;
|
BYTE TestChar;
|
||||||
|
|
||||||
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.State == MEM_COMMIT)
|
if(MemInfo.State == MEM_COMMIT)
|
||||||
{
|
{
|
||||||
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512)
|
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512)
|
||||||
{
|
{
|
||||||
MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1);
|
MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1);
|
||||||
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.State != MEM_COMMIT)
|
if(MemInfo.State != MEM_COMMIT)
|
||||||
{
|
{
|
||||||
i = MaxDisassmSize;
|
i = MaxDisassmSize;
|
||||||
|
|
@ -403,7 +403,7 @@ bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR F
|
||||||
return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL);
|
return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName)
|
bool EngineExtractResource(const char* szResourceName, wchar_t* szExtractedFileName)
|
||||||
{
|
{
|
||||||
|
|
||||||
HRSRC hResource;
|
HRSRC hResource;
|
||||||
|
|
@ -727,7 +727,7 @@ bool EngineIsValidReadPtrEx(LPVOID DataPointer, DWORD DataSize)
|
||||||
|
|
||||||
while(DataSize > NULL)
|
while(DataSize > NULL)
|
||||||
{
|
{
|
||||||
VirtualQuery(DataPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQuery(DataPointer, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.AllocationProtect == MEM_FREE || MemInfo.AllocationProtect == MEM_PRIVATE)
|
if(MemInfo.AllocationProtect == MEM_FREE || MemInfo.AllocationProtect == MEM_PRIVATE)
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -814,7 +814,7 @@ bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBas
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&ModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&ModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof(MODULEINFO));
|
GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof(MODULEINFO));
|
||||||
PESize = ModuleInfo.SizeOfImage;
|
PESize = ModuleInfo.SizeOfImage;
|
||||||
__try
|
__try
|
||||||
|
|
@ -1404,9 +1404,9 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
|
||||||
{
|
{
|
||||||
if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_APIADDRESS)
|
if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_APIADDRESS)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
|
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
if(APIAddress >= LoadedModules[i][1] && APIAddress <= LoadedModules[i][1] + RemoteModuleInfo.SizeOfImage)
|
if(APIAddress >= LoadedModules[i][1] && APIAddress <= LoadedModules[i][1] + RemoteModuleInfo.SizeOfImage)
|
||||||
{
|
{
|
||||||
GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512);
|
GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512);
|
||||||
|
|
@ -1418,8 +1418,8 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
|
||||||
}
|
}
|
||||||
else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS)
|
else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
|
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
|
||||||
{
|
{
|
||||||
GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512);
|
GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512);
|
||||||
|
|
@ -1441,8 +1441,8 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
|
||||||
}
|
}
|
||||||
else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS || ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME)
|
else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS || ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
|
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
|
||||||
{
|
{
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
|
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
|
||||||
|
|
@ -1520,10 +1520,10 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
|
||||||
|
|
||||||
if((ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || (ReturnType > UE_OPTION_IMPORTER_REALIGN_APIADDRESS && ReturnType < UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME)) && ReturnType != UE_OPTION_IMPORTER_RETURN_DLLBASE && LoadedModules[i][1] != NULL)
|
if((ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || (ReturnType > UE_OPTION_IMPORTER_REALIGN_APIADDRESS && ReturnType < UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME)) && ReturnType != UE_OPTION_IMPORTER_RETURN_DLLBASE && LoadedModules[i][1] != NULL)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
|
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
|
||||||
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
|
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
|
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
|
||||||
{
|
{
|
||||||
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
|
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
|
||||||
|
|
@ -1637,9 +1637,9 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
|
||||||
if(FileMapVA != NULL)
|
if(FileMapVA != NULL)
|
||||||
{
|
{
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
|
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
|
||||||
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
|
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
|
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
|
||||||
{
|
{
|
||||||
__try
|
__try
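Review bot: In the EngineIsValidReadPtrEx hunk the test `MemInfo.AllocationProtect == MEM_FREE || MemInfo.AllocationProtect == MEM_PRIVATE` compares a page-protection field with a State constant and a Type constant, so it is unlikely ever to match, and the `VirtualQuery` result on the line above it is not checked. For a pointer validator this means an unusable address can get past this test. A guard such as `if(!VirtualQuery(DataPointer, &MemInfo, sizeof(MemInfo)) || MemInfo.State != MEM_COMMIT) return false;` would test the field the constants belong to, though what the `MEM_PRIVATE` comparison was meant to exclude should be confirmed first. The loop body continues outside the hunk.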
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@ bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2);
|
||||||
ULONG_PTR EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA);
|
ULONG_PTR EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA);
|
||||||
bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName);
|
bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName);
|
||||||
bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory);
|
bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory);
|
||||||
bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName);
|
bool EngineExtractResource(const char* szResourceName, wchar_t* szExtractedFileName);
|
||||||
bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder);
|
bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder);
|
||||||
bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder);
|
bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder);
|
||||||
bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize);
|
bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize);
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,7 @@ ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT];
|
||||||
long injectedRemoteLoadLibrary(LPVOID Parameter)
|
long injectedRemoteLoadLibrary(LPVOID Parameter)
|
||||||
{
|
{
|
||||||
PInjectCodeData APIData = (PInjectCodeData)Parameter;
|
PInjectCodeData APIData = (PInjectCodeData)Parameter;
|
||||||
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData);
|
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectCodeData));
|
||||||
#if !defined(_WIN64)
|
#if !defined(_WIN64)
|
||||||
typedef ULONG_PTR(WINAPI * fLoadLibraryW)(LPCWSTR fLibraryName);
|
typedef ULONG_PTR(WINAPI * fLoadLibraryW)(LPCWSTR fLibraryName);
|
||||||
typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
|
typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
|
||||||
|
|
@ -56,7 +56,7 @@ long injectedRemoteFreeLibrarySimple(LPVOID Parameter)
|
||||||
|
|
||||||
PInjectCodeData APIData = (PInjectCodeData)Parameter;
|
PInjectCodeData APIData = (PInjectCodeData)Parameter;
|
||||||
LPVOID orgParameter = Parameter;
|
LPVOID orgParameter = Parameter;
|
||||||
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData);
|
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectCodeData));
|
||||||
#if !defined(_WIN64)
|
#if !defined(_WIN64)
|
||||||
typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase);
|
typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase);
|
||||||
typedef HMODULE(WINAPI * fGetModuleHandleW)(LPCWSTR fLibraryName);
|
typedef HMODULE(WINAPI * fGetModuleHandleW)(LPCWSTR fLibraryName);
|
||||||
|
|
@ -125,7 +125,7 @@ long injectedImpRec(LPVOID Parameter)
|
||||||
HANDLE hFile;
|
HANDLE hFile;
|
||||||
HANDLE hFileMap;
|
HANDLE hFileMap;
|
||||||
PInjectImpRecCodeData APIData = (PInjectImpRecCodeData)Parameter;
|
PInjectImpRecCodeData APIData = (PInjectImpRecCodeData)Parameter;
|
||||||
LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectImpRecCodeData);
|
LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectImpRecCodeData));
|
||||||
typedef ULONG_PTR(__cdecl * fTrace)(HANDLE hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall);
|
typedef ULONG_PTR(__cdecl * fTrace)(HANDLE hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall);
|
||||||
typedef HANDLE(WINAPI * fCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
|
typedef HANDLE(WINAPI * fCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
|
||||||
typedef HANDLE(WINAPI * fCreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName);
|
typedef HANDLE(WINAPI * fCreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName);
|
||||||
|
|
|
||||||
|
|
@ -49,18 +49,18 @@ bool MapFileEx(const char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, L
|
||||||
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
|
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
|
||||||
if(mfFileMapVA != NULL)
|
if(mfFileMapVA != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
|
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof(ULONG_PTR));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
|
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
|
||||||
*FileHandle = NULL;
|
*FileHandle = NULL;
|
||||||
*FileSize = NULL;
|
*FileSize = NULL;
|
||||||
EngineCloseHandle(hFile);
|
EngineCloseHandle(hFile);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
|
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -110,18 +110,18 @@ bool MapFileExW(const wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandl
|
||||||
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
|
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
|
||||||
if(mfFileMapVA != NULL)
|
if(mfFileMapVA != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
|
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof(ULONG_PTR));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
|
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
|
||||||
*FileHandle = NULL;
|
*FileHandle = NULL;
|
||||||
*FileSize = NULL;
|
*FileSize = NULL;
|
||||||
EngineCloseHandle(hFile);
|
EngineCloseHandle(hFile);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
|
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
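Review bot: When `MapViewOfFile` returns NULL in MapFileEx, the visible fall-through path zeroes `FileMapVA`, clears `*FileHandle` and `*FileSize` and closes `hFile`, but nothing in the hunk closes `mfFileMap`, so the file-mapping handle appears to leak on that path; the MapFileExW hunk has the same shape. Adding `EngineCloseHandle(mfFileMap);` right after the `if(mfFileMapVA != NULL)` block would release it, provided the mapping handle is not already closed or handed to the caller in the lines above the hunk. Both functions start outside their hunks.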
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ void GenericOEPVirtualProtectHit()
|
||||||
BreakPointDetail curDetail = BreakPointBuffer.at(i);
|
BreakPointDetail curDetail = BreakPointBuffer.at(i);
|
||||||
if(curDetail.BreakPointType == UE_MEMORY && curDetail.BreakPointActive == UE_BPXACTIVE)
|
if(curDetail.BreakPointType == UE_MEMORY && curDetail.BreakPointActive == UE_BPXACTIVE)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
if(!(OldProtect & PAGE_GUARD))
|
if(!(OldProtect & PAGE_GUARD))
|
||||||
{
|
{
|
||||||
|
|
@ -40,14 +40,14 @@ void GenericOEPTraceHit()
|
||||||
|
|
||||||
char* szInstructionType;
|
char* szInstructionType;
|
||||||
typedef void(TITCALL * fEPCallBack)();
|
typedef void(TITCALL * fEPCallBack)();
|
||||||
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
|
fEPCallBack myEPCallBack = ObjectPointerToCallback<fEPCallBack>(glbEntryTracerData.EPCallBack);
|
||||||
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
|
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
|
||||||
|
|
||||||
glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
|
glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
|
||||||
glbEntryTracerData.MemoryAccessed = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[1];
|
glbEntryTracerData.MemoryAccessed = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[1];
|
||||||
glbEntryTracerData.AccessType = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[0];
|
glbEntryTracerData.AccessType = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[0];
|
||||||
szInstructionType = (char*)DisassembleEx(dbgProcessInformation.hProcess, (void*)glbEntryTracerData.MemoryAccessedFrom, true);
|
szInstructionType = (char*)DisassembleEx(dbgProcessInformation.hProcess, (void*)glbEntryTracerData.MemoryAccessedFrom, true);
|
||||||
StepInto(&GenericOEPTraceHited);
|
StepInto(CallbackToObjectPointer(&GenericOEPTraceHited));
|
||||||
}
|
}
|
||||||
|
|
||||||
void GenericOEPTraceHited()
|
void GenericOEPTraceHited()
|
||||||
|
|
@ -60,7 +60,7 @@ void GenericOEPTraceHited()
|
||||||
ULONG_PTR NumberOfBytesRW;
|
ULONG_PTR NumberOfBytesRW;
|
||||||
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
|
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
|
||||||
typedef void(TITCALL * fEPCallBack)();
|
typedef void(TITCALL * fEPCallBack)();
|
||||||
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
|
fEPCallBack myEPCallBack = ObjectPointerToCallback<fEPCallBack>(glbEntryTracerData.EPCallBack);
|
||||||
PMEMORY_COMPARE_HANDLER myCmpHandler;
|
PMEMORY_COMPARE_HANDLER myCmpHandler;
|
||||||
ULONG_PTR memBpxAddress;
|
ULONG_PTR memBpxAddress;
|
||||||
ULONG_PTR memBpxSize;
|
ULONG_PTR memBpxSize;
|
||||||
|
|
@ -134,12 +134,12 @@ void GenericOEPTraceHited()
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
|
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
|
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -162,7 +162,7 @@ void GenericOEPLibraryDetailsHit()
|
||||||
int inReg = UE_RAX;
|
int inReg = UE_RAX;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if(GetModuleBaseNameA(dbgProcessInformation.hProcess, (HMODULE)GetContextData(inReg), szModuleName, sizeof szModuleName) > NULL)
|
if(GetModuleBaseNameA(dbgProcessInformation.hProcess, (HMODULE)GetContextData(inReg), szModuleName, sizeof(szModuleName)) > NULL)
|
||||||
{
|
{
|
||||||
if(lstrcmpiA(szModuleName, "kernel32.dll") != NULL)
|
if(lstrcmpiA(szModuleName, "kernel32.dll") != NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -178,7 +178,7 @@ void GenericOEPLibraryDetailsHit()
|
||||||
{
|
{
|
||||||
if(glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_MEM_EXECUTE || glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_CNT_CODE)
|
if(glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_MEM_EXECUTE || glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_CNT_CODE)
|
||||||
{
|
{
|
||||||
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
|
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
|
||||||
memBreakPointSet = true;
|
memBreakPointSet = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -202,7 +202,7 @@ void GenericOEPTraceInit()
|
||||||
void* lpHashBuffer;
|
void* lpHashBuffer;
|
||||||
ULONG_PTR NumberOfBytesRW;
|
ULONG_PTR NumberOfBytesRW;
|
||||||
typedef void(TITCALL * fInitCallBack)();
|
typedef void(TITCALL * fInitCallBack)();
|
||||||
fInitCallBack myInitCallBack = (fInitCallBack)glbEntryTracerData.InitCallBack;
|
fInitCallBack myInitCallBack = ObjectPointerToCallback<fInitCallBack>(glbEntryTracerData.InitCallBack);
|
||||||
|
|
||||||
if(glbEntryTracerData.FileIsDLL)
|
if(glbEntryTracerData.FileIsDLL)
|
||||||
{
|
{
|
||||||
|
|
@ -223,9 +223,9 @@ void GenericOEPTraceInit()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
SetAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_BREAKPOINT, UE_APIEND, &GenericOEPVirtualProtectHit);
|
SetAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPVirtualProtectHit));
|
||||||
SetAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_BREAKPOINT, UE_APIEND, &GenericOEPLibraryDetailsHit);
|
SetAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPLibraryDetailsHit));
|
||||||
SetAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_BREAKPOINT, UE_APIEND, &GenericOEPLibraryDetailsHit);
|
SetAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPLibraryDetailsHit));
|
||||||
if(glbEntryTracerData.InitCallBack != NULL)
|
if(glbEntryTracerData.InitCallBack != NULL)
|
||||||
{
|
{
|
||||||
__try
|
__try
|
||||||
|
|
@ -257,7 +257,7 @@ bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID C
|
||||||
{
|
{
|
||||||
if(GetPE32DataFromMappedFileEx(FileMapVA, &PEStruct))
|
if(GetPE32DataFromMappedFileEx(FileMapVA, &PEStruct))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&glbEntryTracerData, sizeof GenericOEPTracerData);
|
RtlZeroMemory(&glbEntryTracerData, sizeof(GenericOEPTracerData));
|
||||||
glbEntryTracerData.OriginalImageBase = PEStruct.ImageBase;
|
glbEntryTracerData.OriginalImageBase = PEStruct.ImageBase;
|
||||||
glbEntryTracerData.OriginalEntryPoint = PEStruct.OriginalEntryPoint;
|
glbEntryTracerData.OriginalEntryPoint = PEStruct.OriginalEntryPoint;
|
||||||
glbEntryTracerData.SizeOfImage = PEStruct.NtSizeOfImage;
|
glbEntryTracerData.SizeOfImage = PEStruct.NtSizeOfImage;
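Review bot: In the GenericOEPVirtualProtectHit hunk the `VirtualQueryEx` call on the debuggee is not checked before `OldProtect = MemInfo.Protect` feeds the `PAGE_GUARD` test, so when the query fails the decision is made on whatever `MemInfo` already held. Guarding it with `if(!VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, &MemInfo, sizeof(MemInfo))) continue;` would skip the entry instead. The `continue` assumes the enclosing construct is the loop over `BreakPointBuffer` that `BreakPointBuffer.at(i)` suggests; that loop starts outside the hunk.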
|
||||||
|
|
|
||||||
|
|
@ -72,7 +72,7 @@ __declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress)
|
||||||
{
|
{
|
||||||
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
|
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
||||||
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXINACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
|
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXINACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
|
||||||
|
|
@ -144,7 +144,7 @@ __declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress)
|
||||||
{
|
{
|
||||||
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
|
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
||||||
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
|
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
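Review bot: In EnableBPX and DisableBPX, `OldProtect = MemInfo.Protect;` is overwritten by the out-parameter of `VirtualProtectEx` on the next line, and neither call's return value is checked, so the code that follows cannot tell a failed protection change from a successful one. Checking the result, e.g. `if(!VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect)) return false;`, would keep the function from reporting a breakpoint state it did not reach, assuming no lock or cleanup is pending at that point. The hunks do not show whether the page is returned to `OldProtect` afterwards; if it is not, the debuggee page stays writable and executable. Both function bodies extend beyond the hunks.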
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@ __declspec(dllexport) void TITCALL ForceClose()
|
||||||
{
|
{
|
||||||
StopDebug();
|
StopDebug();
|
||||||
}
|
}
|
||||||
RtlZeroMemory(&dbgProcessInformation, sizeof PROCESS_INFORMATION);
|
RtlZeroMemory(&dbgProcessInformation, sizeof(PROCESS_INFORMATION));
|
||||||
if(DebugDebuggingDLL)
|
if(DebugDebuggingDLL)
|
||||||
DeleteFileW(szDebuggerName);
|
DeleteFileW(szDebuggerName);
|
||||||
DebugDebuggingDLL = false;
|
DebugDebuggingDLL = false;
|
||||||
|
|
@ -87,7 +87,7 @@ __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal)
|
||||||
{
|
{
|
||||||
DebugStepFinal = StepFinal;
|
DebugStepFinal = StepFinal;
|
||||||
StepOutCallBack = StepOut;
|
StepOutCallBack = StepOut;
|
||||||
StepOver(StepOutStepCallBack);
|
StepOver(CallbackToObjectPointer(&StepOutStepCallBack));
|
||||||
}
|
}
|
||||||
|
|
||||||
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)
|
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)
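Review bot: `StepOut` stores its callback as an untyped `LPVOID` in `StepOutCallBack`, so nothing at this call site ties the argument to the signature it is later invoked with. Elsewhere in this commit the stored pointer is called through `ObjectPointerToCallback<fCustomBreakPoint>`, i.e. as `void TITCALL()`, so a comment on the parameter such as `// StepOut: address of a void TITCALL callback(), invoked from StepOutStepCallBack` would make that contract visible to callers. The parameter also shadows the function's own name, which makes `StepOutCallBack = StepOut;` harder to read than it needs to be.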
|
||||||
|
|
|
||||||
|
|
@ -184,7 +184,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
{
|
{
|
||||||
startAddress -= ULONG_PTR(DBGEvent.u.CreateProcessInfo.lpBaseOfImage);
|
startAddress -= ULONG_PTR(DBGEvent.u.CreateProcessInfo.lpBaseOfImage);
|
||||||
startAddress += DebugModuleImageBase;
|
startAddress += DebugModuleImageBase;
|
||||||
DBGEvent.u.CreateProcessInfo.lpStartAddress = LPTHREAD_START_ROUTINE(startAddress);
|
DBGEvent.u.CreateProcessInfo.lpStartAddress = reinterpret_cast<LPTHREAD_START_ROUTINE>(reinterpret_cast<LPVOID>(startAddress));
|
||||||
}
|
}
|
||||||
DBGEvent.u.CreateProcessInfo.lpBaseOfImage = LPVOID(DebugModuleImageBase);
|
DBGEvent.u.CreateProcessInfo.lpBaseOfImage = LPVOID(DebugModuleImageBase);
|
||||||
}
|
}
|
||||||
|
|
@ -192,7 +192,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
bool attachBreakpoint = false;
|
bool attachBreakpoint = false;
|
||||||
if(DBGFileHandle == NULL) //we didn't set the handle yet (initial process)
|
if(DBGFileHandle == NULL) //we didn't set the handle yet (initial process)
|
||||||
{
|
{
|
||||||
DBGEntryPoint = DBGEvent.u.CreateProcessInfo.lpStartAddress;
|
DBGEntryPoint = CallbackToObjectPointer(DBGEvent.u.CreateProcessInfo.lpStartAddress);
|
||||||
DBGFileHandle = DBGEvent.u.CreateProcessInfo.hFile;
|
DBGFileHandle = DBGEvent.u.CreateProcessInfo.hFile;
|
||||||
DebugDebuggingMainModuleBase = (ULONG_PTR) DBGEvent.u.CreateProcessInfo.lpBaseOfImage;
|
DebugDebuggingMainModuleBase = (ULONG_PTR) DBGEvent.u.CreateProcessInfo.lpBaseOfImage;
|
||||||
if(DebugAttachedToProcess) //we attached, set information
|
if(DebugAttachedToProcess) //we attached, set information
|
||||||
|
|
@ -202,7 +202,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
dbgProcessInformation.dwThreadId = NULL;
|
dbgProcessInformation.dwThreadId = NULL;
|
||||||
if(engineAttachedProcessDebugInfo != NULL)
|
if(engineAttachedProcessDebugInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(engineAttachedProcessDebugInfo, &dbgProcessInformation, sizeof PROCESS_INFORMATION);
|
RtlMoveMemory(engineAttachedProcessDebugInfo, &dbgProcessInformation, sizeof(PROCESS_INFORMATION));
|
||||||
}
|
}
|
||||||
attachBreakpoint = true;
|
attachBreakpoint = true;
|
||||||
}
|
}
|
||||||
|
|
@ -394,7 +394,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
VirtualFree((void*)szTranslatedNativeName, NULL, MEM_RELEASE);
|
VirtualFree((void*)szTranslatedNativeName, NULL, MEM_RELEASE);
|
||||||
}
|
}
|
||||||
RtlZeroMemory(szAnsiLibraryName, sizeof(szAnsiLibraryName));
|
RtlZeroMemory(szAnsiLibraryName, sizeof(szAnsiLibraryName));
|
||||||
WideCharToMultiByte(CP_ACP, NULL, NewLibraryData.szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, NewLibraryData.szLibraryName, -1, szAnsiLibraryName, sizeof(szAnsiLibraryName), NULL, NULL);
|
||||||
|
|
||||||
//library breakpoint
|
//library breakpoint
|
||||||
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
|
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
|
||||||
|
|
@ -444,7 +444,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
if(hLoadedLibData)
|
if(hLoadedLibData)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(szAnsiLibraryName, sizeof(szAnsiLibraryName));
|
RtlZeroMemory(szAnsiLibraryName, sizeof(szAnsiLibraryName));
|
||||||
WideCharToMultiByte(CP_ACP, NULL, hLoadedLibData->szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, hLoadedLibData->szLibraryName, -1, szAnsiLibraryName, sizeof(szAnsiLibraryName), NULL, NULL);
|
||||||
|
|
||||||
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
|
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
|
||||||
{
|
{
|
||||||
|
|
@ -514,11 +514,11 @@ __declspec(dllexport) void TITCALL DebugLoop()
|
||||||
{
|
{
|
||||||
DBGCode = DBG_EXCEPTION_NOT_HANDLED; //let debuggee handle the exception
|
DBGCode = DBG_EXCEPTION_NOT_HANDLED; //let debuggee handle the exception
|
||||||
}
|
}
|
||||||
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof DEBUG_EVENT);
|
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof(DEBUG_EVENT));
|
||||||
}
|
}
|
||||||
|
|
||||||
//handle different exception codes
|
//handle different exception codes
|
||||||
switch(DBGEvent.u.Exception.ExceptionRecord.ExceptionCode)
|
switch((LONG)DBGEvent.u.Exception.ExceptionRecord.ExceptionCode)
|
||||||
{
|
{
|
||||||
case STATUS_BREAKPOINT:
|
case STATUS_BREAKPOINT:
|
||||||
{
|
{
|
||||||
|
|
@ -1373,7 +1373,7 @@ continue_dbg_event:
|
||||||
|
|
||||||
if(!SecondChance) //debugger didn't close with a second chance exception (normal exit)
|
if(!SecondChance) //debugger didn't close with a second chance exception (normal exit)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof DEBUG_EVENT);
|
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof(DEBUG_EVENT));
|
||||||
}
|
}
|
||||||
ForceClose();
|
ForceClose();
|
||||||
engineFileIsBeingDebugged = false;
|
engineFileIsBeingDebugged = false;
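Review bot: Both `WideCharToMultiByte` calls in `DebugLoop` (the hunks at -394 and -444) discard the return value, so a library name that does not fit `szAnsiLibraryName` goes unnoticed. The name appears to come from the debuggee's module data, and on failure the buffer is not guaranteed to hold a terminated string, which the library-breakpoint loop that follows presumably reads. Checking the result keeps the later matching on a well-formed string: `if(!WideCharToMultiByte(CP_ACP, 0, NewLibraryData.szLibraryName, -1, szAnsiLibraryName, sizeof(szAnsiLibraryName), NULL, NULL)) szAnsiLibraryName[0] = '\0';`. The declaration of `szAnsiLibraryName` is outside these hunks, so its size is not visible here.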
|
||||||
|
|
|
||||||
|
|
@ -15,11 +15,11 @@ __declspec(dllexport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID Strin
|
||||||
{
|
{
|
||||||
MaximumStringSize = 512;
|
MaximumStringSize = 512;
|
||||||
}
|
}
|
||||||
VirtualQueryEx(hProcess, (LPVOID)StringAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)StringAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if((int)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - (ULONG_PTR)StringAddress) < MaximumStringSize)
|
if((int)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - (ULONG_PTR)StringAddress) < MaximumStringSize)
|
||||||
{
|
{
|
||||||
StringReadSize = (DWORD)((ULONG_PTR)StringAddress - (ULONG_PTR)MemInfo.BaseAddress);
|
StringReadSize = (DWORD)((ULONG_PTR)StringAddress - (ULONG_PTR)MemInfo.BaseAddress);
|
||||||
VirtualQueryEx(hProcess, (LPVOID)((ULONG_PTR)StringAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)((ULONG_PTR)StringAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.State == MEM_COMMIT)
|
if(MemInfo.State == MEM_COMMIT)
|
||||||
{
|
{
|
||||||
StringReadSize = MaximumStringSize;
|
StringReadSize = MaximumStringSize;
|
||||||
|
|
@ -94,17 +94,17 @@ __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DW
|
||||||
{
|
{
|
||||||
StackSecondReadSize = 0;
|
StackSecondReadSize = 0;
|
||||||
}
|
}
|
||||||
StackReadSize = sizeof ULONG_PTR;
|
StackReadSize = sizeof(ULONG_PTR);
|
||||||
}
|
}
|
||||||
if(FunctionType >= UE_FUNCTION_STDCALL && FunctionType <= UE_FUNCTION_CCALL_CALL && FunctionType != UE_FUNCTION_FASTCALL_RET)
|
if(FunctionType >= UE_FUNCTION_STDCALL && FunctionType <= UE_FUNCTION_CCALL_CALL && FunctionType != UE_FUNCTION_FASTCALL_RET)
|
||||||
{
|
{
|
||||||
StackReadAddress = (ULONG_PTR)GetContextData(UE_CSP);
|
StackReadAddress = (ULONG_PTR)GetContextData(UE_CSP);
|
||||||
if(FunctionType != UE_FUNCTION_FASTCALL_CALL)
|
if(FunctionType != UE_FUNCTION_FASTCALL_CALL)
|
||||||
{
|
{
|
||||||
StackReadAddress = StackReadAddress + (ParameterNumber * sizeof ULONG_PTR);
|
StackReadAddress = StackReadAddress + (ParameterNumber * sizeof(ULONG_PTR));
|
||||||
if(FunctionType >= UE_FUNCTION_STDCALL_CALL)
|
if(FunctionType >= UE_FUNCTION_STDCALL_CALL)
|
||||||
{
|
{
|
||||||
StackReadAddress = StackReadAddress - sizeof ULONG_PTR;
|
StackReadAddress = StackReadAddress - sizeof(ULONG_PTR);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
@ -152,23 +152,23 @@ __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DW
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
StackReadAddress = StackReadAddress + 0x20 + ((ParameterNumber - 4) * sizeof ULONG_PTR) - sizeof ULONG_PTR;
|
StackReadAddress = StackReadAddress + 0x20 + ((ParameterNumber - 4) * sizeof(ULONG_PTR)) - sizeof(ULONG_PTR);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof ULONG_PTR, &ueNumberOfBytesRW))
|
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof(ULONG_PTR), &ueNumberOfBytesRW))
|
||||||
{
|
{
|
||||||
if(!ValueIsPointer)
|
if(!ValueIsPointer)
|
||||||
{
|
{
|
||||||
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof ULONG_PTR - StackReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof ULONG_PTR - StackReadSize), StackReadSize);
|
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof(ULONG_PTR) - StackReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof(ULONG_PTR) - StackReadSize), StackReadSize);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
StackReadAddress = StackReadBuffer;
|
StackReadAddress = StackReadBuffer;
|
||||||
if(StackSecondReadSize > NULL)
|
if(StackSecondReadSize > NULL)
|
||||||
{
|
{
|
||||||
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof ULONG_PTR, &ueNumberOfBytesRW))
|
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof(ULONG_PTR), &ueNumberOfBytesRW))
|
||||||
{
|
{
|
||||||
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof ULONG_PTR - StackSecondReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof ULONG_PTR - StackSecondReadSize), StackSecondReadSize);
|
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof(ULONG_PTR) - StackSecondReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof(ULONG_PTR) - StackSecondReadSize), StackSecondReadSize);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
@ -177,11 +177,11 @@ __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DW
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
VirtualQueryEx(hProcess, (LPVOID)StackReadAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)StackReadAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - StackReadAddress < 512)
|
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - StackReadAddress < 512)
|
||||||
{
|
{
|
||||||
StringReadSize = (DWORD)((ULONG_PTR)StackReadAddress - (ULONG_PTR)MemInfo.BaseAddress);
|
StringReadSize = (DWORD)((ULONG_PTR)StackReadAddress - (ULONG_PTR)MemInfo.BaseAddress);
|
||||||
VirtualQueryEx(hProcess, (LPVOID)(StackReadAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)(StackReadAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.State == MEM_COMMIT)
|
if(MemInfo.State == MEM_COMMIT)
|
||||||
{
|
{
|
||||||
StringReadSize = 512;
|
StringReadSize = 512;
|
||||||
|
|
@ -221,7 +221,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
|
||||||
|
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.RegionSize > NULL)
|
if(MemInfo.RegionSize > NULL)
|
||||||
{
|
{
|
||||||
if(ReadProcessMemory(hProcess, (LPVOID)InstructionAddress, ReadMemory, MAXIMUM_INSTRUCTION_SIZE, &ueNumberOfBytesRead))
|
if(ReadProcessMemory(hProcess, (LPVOID)InstructionAddress, ReadMemory, MAXIMUM_INSTRUCTION_SIZE, &ueNumberOfBytesRead))
|
||||||
|
|
@ -305,7 +305,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
|
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
|
||||||
TargetedAddress = ReadMemData;
|
TargetedAddress = ReadMemData;
|
||||||
if(sizeof HANDLE == 8)
|
if(sizeof(HANDLE) == 8)
|
||||||
{
|
{
|
||||||
TargetedAddress = TargetedAddress + InstructionAddress;
|
TargetedAddress = TargetedAddress + InstructionAddress;
|
||||||
}
|
}
|
||||||
|
|
@ -314,7 +314,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
|
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
|
||||||
TargetedAddress = ReadMemData;
|
TargetedAddress = ReadMemData;
|
||||||
if(sizeof HANDLE == 8)
|
if(sizeof(HANDLE) == 8)
|
||||||
{
|
{
|
||||||
TargetedAddress = TargetedAddress + InstructionAddress;
|
TargetedAddress = TargetedAddress + InstructionAddress;
|
||||||
}
|
}
|
||||||
|
|
@ -440,7 +440,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
|
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
|
||||||
TargetedAddress = ReadMemData;
|
TargetedAddress = ReadMemData;
|
||||||
if(sizeof HANDLE == 8)
|
if(sizeof(HANDLE) == 8)
|
||||||
{
|
{
|
||||||
TargetedAddress = TargetedAddress + InstructionAddress;
|
TargetedAddress = TargetedAddress + InstructionAddress;
|
||||||
}
|
}
|
||||||
|
|
@ -449,7 +449,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
|
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
|
||||||
TargetedAddress = ReadMemData;
|
TargetedAddress = ReadMemData;
|
||||||
if(sizeof HANDLE == 8)
|
if(sizeof(HANDLE) == 8)
|
||||||
{
|
{
|
||||||
TargetedAddress = TargetedAddress + InstructionAddress;
|
TargetedAddress = TargetedAddress + InstructionAddress;
|
||||||
}
|
}
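Review bot: `GetRemoteString` (hunk at -15) reads `MemInfo` right after each `VirtualQueryEx` call without checking the call's return value. If a query fails, for example on an address the target process has not mapped, `BaseAddress`, `RegionSize` and `State` keep whatever they held before and the read size is derived from them. A guard such as `if(!VirtualQueryEx(hProcess, StringAddress, &MemInfo, sizeof(MemInfo))) return false;` avoids that, subject to any cleanup the function needs; the same unchecked pattern is in `GetFunctionParameter` (hunk at -177) and `GetJumpDestinationEx` (hunk at -221). It is also worth confirming that `StringReadSize = StringAddress - BaseAddress` is the intended value, since the bytes left in the region would be `BaseAddress + RegionSize - StringAddress`. The function bodies start and end outside the hunks.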
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
|
||||||
{
|
{
|
||||||
if(ueNumberOfBytesRead == 0)
|
if(ueNumberOfBytesRead == 0)
|
||||||
{
|
{
|
||||||
if(VirtualQueryEx(hProcess, MemoryToCheck, &memoryInformation, sizeof memoryInformation) != NULL)
|
if(VirtualQueryEx(hProcess, MemoryToCheck, &memoryInformation, sizeof(memoryInformation)) != NULL)
|
||||||
{
|
{
|
||||||
SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);
|
SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);
|
||||||
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
|
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
|
||||||
|
|
@ -104,7 +104,7 @@ __declspec(dllexport) ULONG_PTR TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
|
||||||
{
|
{
|
||||||
if(ueNumberOfBytesRead == NULL)
|
if(ueNumberOfBytesRead == NULL)
|
||||||
{
|
{
|
||||||
if(VirtualQueryEx(hProcess, MemoryStart, &memoryInformation, sizeof memoryInformation) != NULL)
|
if(VirtualQueryEx(hProcess, MemoryStart, &memoryInformation, sizeof(memoryInformation)) != NULL)
|
||||||
{
|
{
|
||||||
MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart);
|
MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart);
|
||||||
if(!MemoryReadSafe(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
|
if(!MemoryReadSafe(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
|
||||||
|
|
@ -175,7 +175,7 @@ __declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, D
|
||||||
{
|
{
|
||||||
FillByte = &defFillByte;
|
FillByte = &defFillByte;
|
||||||
}
|
}
|
||||||
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
||||||
for(i = 0; i < MemorySize; i++)
|
for(i = 0; i < MemorySize; i++)
|
||||||
|
|
@ -214,7 +214,7 @@ __declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart,
|
||||||
|
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
||||||
|
|
||||||
|
|
@ -358,7 +358,7 @@ __declspec(dllexport) bool TITCALL MemoryReadSafe(HANDLE hProcess, LPVOID lpBase
|
||||||
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
|
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
|
||||||
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
|
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
|
||||||
{
|
{
|
||||||
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof memInfo))
|
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
|
||||||
break; // failure ('VirtualProtectEx' will fail too)
|
break; // failure ('VirtualProtectEx' will fail too)
|
||||||
memRegions.push_back(memInfo);
|
memRegions.push_back(memInfo);
|
||||||
}
|
}
|
||||||
|
|
@ -430,7 +430,7 @@ __declspec(dllexport) bool TITCALL MemoryWriteSafe(HANDLE hProcess, LPVOID lpBas
|
||||||
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
|
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
|
||||||
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
|
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
|
||||||
{
|
{
|
||||||
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof memInfo))
|
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
|
||||||
break; // failure
|
break; // failure
|
||||||
memRegions.push_back(memInfo);
|
memRegions.push_back(memInfo);
|
||||||
}
|
}
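Review bot: In `MatchPatternEx` (hunk at -30) the retry path overwrites `SizeOfMemoryToCheck` with the distance to the end of the region and then reads that many bytes into `ueReadBuffer`, without checking that the new size is no larger than the one the buffer was sized for. `FindEx` (hunk at -104) does the same with `MemorySize`. The allocation of `ueReadBuffer` is outside these hunks; if it is sized from the caller's original length, a region larger than the request would let the read run past the buffer, and the region layout is controlled by the debugged process. Clamping only downwards closes that: `int regionLeft = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);` followed by `if(regionLeft < SizeOfMemoryToCheck) SizeOfMemoryToCheck = regionLeft;`.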
|
||||||
|
|
|
||||||
|
|
@ -402,6 +402,17 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
|
||||||
HANDLE ProcessHandle = NULL, ThreadHandle = NULL;
|
HANDLE ProcessHandle = NULL, ThreadHandle = NULL;
|
||||||
UNICODE_STRING CommandLine = { 0 };
|
UNICODE_STRING CommandLine = { 0 };
|
||||||
PUNICODE_STRING PtrCurrentDirectory = NULL;
|
PUNICODE_STRING PtrCurrentDirectory = NULL;
|
||||||
|
OBJECT_ATTRIBUTES ObjectAttributes = {};
|
||||||
|
HANDLE DebugPort = NULL;
|
||||||
|
PS_CREATE_INFO CreateInfo = {};
|
||||||
|
SIZE_T NumAttributes = 0;
|
||||||
|
SIZE_T AttributesSize = 0;
|
||||||
|
PPS_ATTRIBUTE_LIST AttributeList = NULL;
|
||||||
|
ULONG N = 0;
|
||||||
|
CLIENT_ID Cid = {};
|
||||||
|
PCLIENT_ID ClientId = NULL;
|
||||||
|
ULONG NtProcessFlags = 0;
|
||||||
|
ULONG NtThreadFlags = 0;
|
||||||
|
|
||||||
// Convert the application path to its NT equivalent
|
// Convert the application path to its NT equivalent
|
||||||
UNICODE_STRING ImagePath, NtImagePath;
|
UNICODE_STRING ImagePath, NtImagePath;
|
||||||
|
|
@ -461,9 +472,7 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
|
||||||
ProcessParameters->ShowWindowFlags = STARTF_USESHOWWINDOW | SW_SHOWDEFAULT;
|
ProcessParameters->ShowWindowFlags = STARTF_USESHOWWINDOW | SW_SHOWDEFAULT;
|
||||||
|
|
||||||
// Create a debug port object
|
// Create a debug port object
|
||||||
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
||||||
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
|
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
|
||||||
HANDLE DebugPort = NULL;
|
|
||||||
Status = NtCreateDebugObject(&DebugPort,
|
Status = NtCreateDebugObject(&DebugPort,
|
||||||
DEBUG_ALL_ACCESS,
|
DEBUG_ALL_ACCESS,
|
||||||
&ObjectAttributes,
|
&ObjectAttributes,
|
||||||
|
|
@ -478,7 +487,6 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
|
||||||
NtCurrentTeb()->DbgSsReserved[1] = DebugPort;
|
NtCurrentTeb()->DbgSsReserved[1] = DebugPort;
|
||||||
|
|
||||||
// Initialize the PS_CREATE_INFO structure
|
// Initialize the PS_CREATE_INFO structure
|
||||||
PS_CREATE_INFO CreateInfo;
|
|
||||||
RtlZeroMemory(&CreateInfo, sizeof(CreateInfo));
|
RtlZeroMemory(&CreateInfo, sizeof(CreateInfo));
|
||||||
CreateInfo.Size = sizeof(CreateInfo);
|
CreateInfo.Size = sizeof(CreateInfo);
|
||||||
CreateInfo.State = PsCreateInitialState;
|
CreateInfo.State = PsCreateInitialState;
|
||||||
|
|
@ -488,16 +496,16 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
|
||||||
CreateInfo.u1.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
|
CreateInfo.u1.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
|
||||||
|
|
||||||
// Initialize the PS_ATTRIBUTE_LIST that contains the process creation attributes
|
// Initialize the PS_ATTRIBUTE_LIST that contains the process creation attributes
|
||||||
const SIZE_T NumAttributes = 3;
|
NumAttributes = 3;
|
||||||
const SIZE_T AttributesSize = sizeof(SIZE_T) + NumAttributes * sizeof(PS_ATTRIBUTE);
|
AttributesSize = sizeof(SIZE_T) + NumAttributes * sizeof(PS_ATTRIBUTE);
|
||||||
PPS_ATTRIBUTE_LIST AttributeList = reinterpret_cast<PPS_ATTRIBUTE_LIST>(
|
AttributeList = reinterpret_cast<PPS_ATTRIBUTE_LIST>(
|
||||||
RtlAllocateHeap(RtlProcessHeap(),
|
RtlAllocateHeap(RtlProcessHeap(),
|
||||||
HEAP_ZERO_MEMORY, // Not optional
|
HEAP_ZERO_MEMORY, // Not optional
|
||||||
AttributesSize));
|
AttributesSize));
|
||||||
AttributeList->TotalLength = AttributesSize;
|
AttributeList->TotalLength = AttributesSize;
|
||||||
|
|
||||||
// In: NT style absolute image path. This is the only required attribute
|
// In: NT style absolute image path. This is the only required attribute
|
||||||
ULONG N = 0;
|
N = 0;
|
||||||
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
|
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
|
||||||
AttributeList->Attributes[N].Size = NtImagePath.Length;
|
AttributeList->Attributes[N].Size = NtImagePath.Length;
|
||||||
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(NtImagePath.Buffer);
|
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(NtImagePath.Buffer);
|
||||||
|
|
@ -510,15 +518,15 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
|
||||||
|
|
||||||
// Out: client ID
|
// Out: client ID
|
||||||
N++;
|
N++;
|
||||||
CLIENT_ID Cid;
|
Cid = {};
|
||||||
PCLIENT_ID ClientId = &Cid;
|
ClientId = &Cid;
|
||||||
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_CLIENT_ID;
|
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_CLIENT_ID;
|
||||||
AttributeList->Attributes[N].Size = sizeof(CLIENT_ID);
|
AttributeList->Attributes[N].Size = sizeof(CLIENT_ID);
|
||||||
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(ClientId);
|
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(ClientId);
|
||||||
|
|
||||||
// Set process and thread flags
|
// Set process and thread flags
|
||||||
ULONG NtProcessFlags = PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT; // Same as DEBUG_ONLY_THIS_PROCESS. DEBUG_PROCESS is implied by the debug port
|
NtProcessFlags = PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT; // Same as DEBUG_ONLY_THIS_PROCESS. DEBUG_PROCESS is implied by the debug port
|
||||||
ULONG NtThreadFlags = THREAD_CREATE_FLAGS_CREATE_SUSPENDED; // Always set this, because we need to do some bookkeeping before resuming
|
NtThreadFlags = THREAD_CREATE_FLAGS_CREATE_SUSPENDED; // Always set this, because we need to do some bookkeeping before resuming
|
||||||
|
|
||||||
// Create the process
|
// Create the process
|
||||||
Status = fnNtCreateUserProcess(&ProcessHandle,
|
Status = fnNtCreateUserProcess(&ProcessHandle,
|
||||||
|
|
@ -822,7 +830,7 @@ __declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool Reserv
|
||||||
|
|
||||||
if(szFileName != NULL)
|
if(szFileName != NULL)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&expertDebug, sizeof ExpertDebug);
|
RtlZeroMemory(&expertDebug, sizeof(ExpertDebug));
|
||||||
expertDebug.ExpertModeActive = true;
|
expertDebug.ExpertModeActive = true;
|
||||||
expertDebug.szFileName = szFileName;
|
expertDebug.szFileName = szFileName;
|
||||||
expertDebug.szCommandLine = szCommandLine;
|
expertDebug.szCommandLine = szCommandLine;
|
||||||
|
|
@ -844,7 +852,7 @@ __declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool Reserv
|
||||||
ForceClose();
|
ForceClose();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
RtlZeroMemory(&expertDebug, sizeof ExpertDebug);
|
RtlZeroMemory(&expertDebug, sizeof(ExpertDebug));
|
||||||
SetDebugLoopTimeOut(INFINITE);
|
SetDebugLoopTimeOut(INFINITE);
|
||||||
}
|
}
|
||||||
}
|
}
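Review bot: `AttributeList->TotalLength = AttributesSize;` in `InitNativeDebugW` (hunk at -488) dereferences the result of `RtlAllocateHeap` without a null check. Now that `AttributeList` is declared at the top and starts as `NULL`, a failed allocation can be handled before the first write with `if(AttributeList == NULL)` setting `Status = STATUS_NO_MEMORY;` and leaving through the function's existing cleanup path, which is outside the hunks. A one-line comment at the hoisted declarations saying why they were moved (presumably so that a jump to cleanup does not bypass an initialization) would also help the next reader.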
|
||||||
|
|
|
||||||
|
|
@ -408,7 +408,7 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
|
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != NULL)
|
||||||
{
|
{
|
||||||
AddressIsModuleBase = false;
|
AddressIsModuleBase = false;
|
||||||
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
|
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
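Review bot: The loop condition in `DumpRegionsW` still compares the `SIZE_T` result of `VirtualQueryEx` with `NULL`, an integer-versus-null-pointer-macro comparison of the kind this commit is otherwise cleaning up and that GCC and Clang can warn about. Writing it as `while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof(MemInfo)) != 0)` states the intent (zero bytes returned means the query failed) and ties the size to the object rather than to its type name. The same comparisons remain in other files of this commit, e.g. `ueNumberOfBytesRead == NULL` in `FindEx` and `StackSecondReadSize > NULL` in `GetFunctionParameter`. The loop body continues outside the hunk.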
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@ __declspec(dllexport) void TITCALL EngineUnpackerInitializeW(wchar_t* szFileName
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szEngineUnpackerSnapShot1[0], MAX_PATH * 2);
|
RtlZeroMemory(&szEngineUnpackerSnapShot1[0], MAX_PATH * 2);
|
||||||
RtlZeroMemory(&szEngineUnpackerSnapShot2[0], MAX_PATH * 2);
|
RtlZeroMemory(&szEngineUnpackerSnapShot2[0], MAX_PATH * 2);
|
||||||
RtlZeroMemory(&EngineUnpackerFileStatus, sizeof FILE_STATUS_INFO);
|
RtlZeroMemory(&EngineUnpackerFileStatus, sizeof(FILE_STATUS_INFO));
|
||||||
if(IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, &EngineUnpackerFileStatus))
|
if(IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, &EngineUnpackerFileStatus))
|
||||||
{
|
{
|
||||||
if(!EngineUnpackerFileStatus.FileIsDLL)
|
if(!EngineUnpackerFileStatus.FileIsDLL)
|
||||||
|
|
@ -119,7 +119,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
|
||||||
|
|
||||||
if(BreakType == UE_UNPACKER_CONDITION_LOADLIBRARY)
|
if(BreakType == UE_UNPACKER_CONDITION_LOADLIBRARY)
|
||||||
{
|
{
|
||||||
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyLoadLibraryCallBack))
|
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyLoadLibraryCallBack)))
|
||||||
{
|
{
|
||||||
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -127,7 +127,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
|
||||||
}
|
}
|
||||||
else if(BreakType == UE_UNPACKER_CONDITION_GETPROCADDRESS)
|
else if(BreakType == UE_UNPACKER_CONDITION_GETPROCADDRESS)
|
||||||
{
|
{
|
||||||
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyGetProcAddressCallBack))
|
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyGetProcAddressCallBack)))
|
||||||
{
|
{
|
||||||
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -135,7 +135,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
|
||||||
}
|
}
|
||||||
else if(BreakType == UE_UNPACKER_CONDITION_ENTRYPOINTBREAK)
|
else if(BreakType == UE_UNPACKER_CONDITION_ENTRYPOINTBREAK)
|
||||||
{
|
{
|
||||||
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyGetProcAddressCallBack))
|
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyGetProcAddressCallBack)))
|
||||||
{
|
{
|
||||||
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -143,7 +143,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
|
||||||
}
|
}
|
||||||
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT1)
|
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT1)
|
||||||
{
|
{
|
||||||
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyMakeSnapshotCallBack))
|
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyMakeSnapshotCallBack)))
|
||||||
{
|
{
|
||||||
fUnpackerInformation.SnapShotNumber = 1;
|
fUnpackerInformation.SnapShotNumber = 1;
|
||||||
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
||||||
|
|
@ -152,7 +152,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
|
||||||
}
|
}
|
||||||
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT2)
|
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT2)
|
||||||
{
|
{
|
||||||
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyMakeSnapshotCallBack))
|
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyMakeSnapshotCallBack)))
|
||||||
{
|
{
|
||||||
fUnpackerInformation.SnapShotNumber = 2;
|
fUnpackerInformation.SnapShotNumber = 2;
|
||||||
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
||||||
|
|
@ -161,7 +161,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if(SetBPX(fPatternLocation, fBreakPointType, (void*)BreakType))
|
if(SetBPX(fPatternLocation, fBreakPointType, (void*)(ULONG_PTR)BreakType))
|
||||||
{
|
{
|
||||||
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
|
||||||
return true;
|
return true;
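Review bot: The `UE_UNPACKER_CONDITION_ENTRYPOINTBREAK` branch of `EngineUnpackerSetBreakCondition` registers `EngineSimplifyGetProcAddressCallBack`, the same handler as the `UE_UNPACKER_CONDITION_GETPROCADDRESS` branch above it. That looks like a copy-paste leftover which this commit carries forward with only the cast changed; please confirm which callback an entry-point break is meant to run, and either switch to it or add a comment such as `// entry-point breaks intentionally share the GetProcAddress handler`. In the final `else`, `(void*)(ULONG_PTR)BreakType` turns a caller-supplied integer into the breakpoint callback address, so the declared width of `BreakType` (not visible in these hunks) decides whether a 64-bit callback address survives the conversion. The function starts and ends outside the hunks.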
|
||||||
|
|
|
||||||
|
|
@ -180,7 +180,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
|
||||||
}
|
}
|
||||||
ExporterBuildExportTableExW(BuildExportName, ".export");
|
ExporterBuildExportTableExW(BuildExportName, ".export");
|
||||||
}
|
}
|
||||||
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -238,7 +238,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
|
||||||
}
|
}
|
||||||
ExporterBuildExportTableExW(BuildExportName, ".export");
|
ExporterBuildExportTableExW(BuildExportName, ".export");
|
||||||
}
|
}
|
||||||
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -276,8 +276,8 @@ __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies()
|
||||||
engineDependencyFilesCWP = engineDependencyFiles;
|
engineDependencyFilesCWP = engineDependencyFiles;
|
||||||
while(*((char*)engineDependencyFilesCWP) != 0)
|
while(*((char*)engineDependencyFilesCWP) != 0)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szTempName, sizeof szTempName);
|
RtlZeroMemory(&szTempName, sizeof(szTempName));
|
||||||
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
|
RtlZeroMemory(&szTempFolder, sizeof(szTempFolder));
|
||||||
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
|
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
|
||||||
{
|
{
|
||||||
if(GetTempFileNameW(szTempFolder, L"DeleteTempGenFile", GetTickCount(), szTempName))
|
if(GetTempFileNameW(szTempFolder, L"DeleteTempGenFile", GetTickCount(), szTempName))
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ __declspec(dllexport) void TITCALL ExporterCleanup()
|
||||||
expOrdinals[i] = 0;
|
expOrdinals[i] = 0;
|
||||||
}
|
}
|
||||||
//RtlZeroMemory(&szExportFileName, 512);
|
//RtlZeroMemory(&szExportFileName, 512);
|
||||||
RtlZeroMemory(&expExportData, sizeof IMAGE_EXPORT_DIRECTORY);
|
RtlZeroMemory(&expExportData, sizeof(IMAGE_EXPORT_DIRECTORY));
|
||||||
VirtualFree(expTableData, NULL, MEM_RELEASE);
|
VirtualFree(expTableData, NULL, MEM_RELEASE);
|
||||||
expExportNumber = NULL;
|
expExportNumber = NULL;
|
||||||
expTableData = NULL;
|
expTableData = NULL;
|
||||||
|
|
@ -139,7 +139,7 @@ __declspec(dllexport) long TITCALL ExporterEstimatedSize()
|
||||||
DWORD EstimatedSize = NULL;
|
DWORD EstimatedSize = NULL;
|
||||||
|
|
||||||
EstimatedSize = (DWORD)((ULONG_PTR)expTableDataCWP - (ULONG_PTR)expTableData);
|
EstimatedSize = (DWORD)((ULONG_PTR)expTableDataCWP - (ULONG_PTR)expTableData);
|
||||||
EstimatedSize = EstimatedSize + (expExportNumber * 12) + sizeof IMAGE_EXPORT_DIRECTORY;
|
EstimatedSize = EstimatedSize + (expExportNumber * 12) + sizeof(IMAGE_EXPORT_DIRECTORY);
|
||||||
return(EstimatedSize);
|
return(EstimatedSize);
|
||||||
}
|
}
|
||||||
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
|
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
|
||||||
|
|
@ -162,7 +162,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
|
||||||
if(expTableDataCWP != NULL)
|
if(expTableDataCWP != NULL)
|
||||||
{
|
{
|
||||||
expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());
|
expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());
|
||||||
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY);
|
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof(IMAGE_EXPORT_DIRECTORY));
|
||||||
|
|
||||||
expExportData.NumberOfNames = expExportNumber;
|
expExportData.NumberOfNames = expExportNumber;
|
||||||
expExportData.NumberOfFunctions = expExportNumber;
|
expExportData.NumberOfFunctions = expExportNumber;
|
||||||
|
|
@ -204,7 +204,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
|
||||||
expExportData.AddressOfNameOrdinals = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
|
expExportData.AddressOfNameOrdinals = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
|
||||||
RtlMoveMemory(expBuildExportDataCWP, &expOrdinals, 2 * expExportNumber);
|
RtlMoveMemory(expBuildExportDataCWP, &expOrdinals, 2 * expExportNumber);
|
||||||
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 2 * expExportNumber);
|
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 2 * expExportNumber);
|
||||||
RtlMoveMemory(expBuildExportData, &expExportData, sizeof IMAGE_EXPORT_DIRECTORY);
|
RtlMoveMemory(expBuildExportData, &expExportData, sizeof(IMAGE_EXPORT_DIRECTORY));
|
||||||
|
|
||||||
RtlMoveMemory((LPVOID)StorePlace, expBuildExportData, (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData));
|
RtlMoveMemory((LPVOID)StorePlace, expBuildExportData, (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData));
|
||||||
|
|
||||||
|
|
@ -259,7 +259,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFile
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName)
|
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, const char* szSectionName)
|
||||||
{
|
{
|
||||||
|
|
||||||
HANDLE FileHandle;
|
HANDLE FileHandle;
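Review bot: `ExporterBuildExportTable` writes the finished table to the caller's `StorePlace` with `RtlMoveMemory((LPVOID)StorePlace, expBuildExportData, ...)` but takes no capacity argument, so the size the caller must reserve is an undocumented contract. The staging buffer is allocated from `ExporterEstimatedSize()`, so the caller presumably has to provide at least that many writable bytes, but nothing in the visible hunks says so. I would add a comment above the function: `// StorePlace must point to at least ExporterEstimatedSize() writable bytes; the table is copied there unchecked.` The function body starts and ends outside the hunks shown, so a check elsewhere in it cannot be ruled out.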
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,11 @@
|
||||||
#include "stdafx.h"
|
#include "stdafx.h"
|
||||||
#include "definitions.h"
|
#include "definitions.h"
|
||||||
|
|
||||||
|
static inline HANDLE HandleFromNtHandle(USHORT handle)
|
||||||
|
{
|
||||||
|
return (HANDLE)(ULONG_PTR)handle;
|
||||||
|
}
|
||||||
|
|
||||||
#include "Global.Handle.h"
|
#include "Global.Handle.h"
|
||||||
#include "Global.Engine.h"
|
#include "Global.Engine.h"
|
||||||
|
|
||||||
|
|
@ -59,7 +65,7 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h
|
||||||
|
|
||||||
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
|
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
|
||||||
{
|
{
|
||||||
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle)
|
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)(ULONG_PTR)pHandle->HandleValue == hHandle)
|
||||||
{
|
{
|
||||||
HandleActive = true;
|
HandleActive = true;
|
||||||
break;
|
break;
|
||||||
|
|
@ -92,7 +98,7 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD
|
||||||
|
|
||||||
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
|
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
|
||||||
{
|
{
|
||||||
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle)
|
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)(ULONG_PTR)pHandle->HandleValue == hHandle)
|
||||||
{
|
{
|
||||||
if(pHandle->GrantedAccess != 0x0012019F) //Filter, because this GrantedAccess type can cause deadlocks!
|
if(pHandle->GrantedAccess != 0x0012019F) //Filter, because this GrantedAccess type can cause deadlocks!
|
||||||
{
|
{
|
||||||
|
|
@ -162,19 +168,19 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId,
|
||||||
return 0;
|
return 0;
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
{
|
{
|
||||||
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount)
|
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount)
|
||||||
{
|
{
|
||||||
myHandle = (HANDLE)HandleInfo->hHandle;
|
myHandle = HandleFromNtHandle(HandleInfo->hHandle);
|
||||||
RtlMoveMemory(HandleBuffer, &myHandle, sizeof HANDLE);
|
RtlMoveMemory(HandleBuffer, &myHandle, sizeof(HANDLE));
|
||||||
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE);
|
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof(HANDLE));
|
||||||
HandleCount++;
|
HandleCount++;
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
return(HandleCount);
|
return(HandleCount);
|
||||||
|
|
@ -199,17 +205,17 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess,
|
||||||
return 0;
|
return 0;
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
{
|
{
|
||||||
if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle)
|
if(HandleInfo->ProcessId == ProcessId && HandleFromNtHandle(HandleInfo->hHandle) == hHandle)
|
||||||
{
|
{
|
||||||
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
|
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
|
||||||
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
|
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
|
||||||
if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
|
if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
|
||||||
{
|
{
|
||||||
ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
|
ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
|
||||||
|
|
@ -261,7 +267,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess,
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
if(!DontFreeStringMemory)
|
if(!DontFreeStringMemory)
|
||||||
|
|
@ -323,7 +329,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
|
|
@ -342,10 +348,10 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
|
||||||
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
||||||
if(HandleInfo->GrantedAccess != 0x0012019F)
|
if(HandleInfo->GrantedAccess != 0x0012019F)
|
||||||
{
|
{
|
||||||
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
|
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
|
||||||
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
|
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
|
||||||
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
|
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
|
||||||
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
|
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
|
||||||
RtlZeroMemory(HandleFullName, 0x1000);
|
RtlZeroMemory(HandleFullName, 0x1000);
|
||||||
|
|
@ -370,11 +376,11 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
|
||||||
}
|
}
|
||||||
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL && MaxHandleCount > NULL)
|
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL && MaxHandleCount > NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof ULONG);
|
RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof(ULONG));
|
||||||
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof ULONG);
|
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof(ULONG));
|
||||||
CopyHandle = (HANDLE)HandleInfo->hHandle;
|
CopyHandle = HandleFromNtHandle(HandleInfo->hHandle);
|
||||||
RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof HANDLE);
|
RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof(HANDLE));
|
||||||
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof HANDLE);
|
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof(HANDLE));
|
||||||
FoundHandles++;
|
FoundHandles++;
|
||||||
MaxHandleCount--;
|
MaxHandleCount--;
|
||||||
}
|
}
|
||||||
|
|
@ -383,7 +389,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -430,7 +436,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
|
|
@ -449,10 +455,10 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
|
||||||
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
||||||
if(HandleInfo->GrantedAccess != 0x0012019F)
|
if(HandleInfo->GrantedAccess != 0x0012019F)
|
||||||
{
|
{
|
||||||
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
|
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
|
||||||
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
|
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
|
||||||
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
|
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
|
||||||
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
|
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
|
||||||
RtlZeroMemory(HandleFullName, 0x1000);
|
RtlZeroMemory(HandleFullName, 0x1000);
|
||||||
|
|
@ -477,7 +483,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
|
||||||
}
|
}
|
||||||
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
|
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
|
||||||
{
|
{
|
||||||
if(!HandlerCloseRemoteHandle(hProcess, (HANDLE)HandleInfo->hHandle))
|
if(!HandlerCloseRemoteHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle)))
|
||||||
{
|
{
|
||||||
AllHandled = false;
|
AllHandled = false;
|
||||||
}
|
}
|
||||||
|
|
@ -487,7 +493,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -533,7 +539,7 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
|
|
@ -552,10 +558,10 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
|
||||||
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
||||||
if(HandleInfo->GrantedAccess != 0x0012019F)
|
if(HandleInfo->GrantedAccess != 0x0012019F)
|
||||||
{
|
{
|
||||||
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
|
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
|
||||||
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
|
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
|
||||||
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
|
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
|
||||||
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
|
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
|
||||||
RtlZeroMemory(HandleFullName, 0x1000);
|
RtlZeroMemory(HandleFullName, 0x1000);
|
||||||
|
|
@ -588,7 +594,7 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -615,7 +621,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
|
||||||
return 0;
|
return 0;
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
|
|
@ -625,7 +631,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
|
||||||
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
||||||
if(HandleInfo->GrantedAccess != 0x0012019F)
|
if(HandleInfo->GrantedAccess != 0x0012019F)
|
||||||
{
|
{
|
||||||
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
|
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
|
||||||
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
|
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
|
||||||
|
|
@ -636,9 +642,9 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
|
||||||
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
|
||||||
if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL)
|
if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL)
|
||||||
{
|
{
|
||||||
copyHandle = (HANDLE)HandleInfo->hHandle;
|
copyHandle = HandleFromNtHandle(HandleInfo->hHandle);
|
||||||
RtlMoveMemory(HandleBuffer, ©Handle, sizeof HANDLE);
|
RtlMoveMemory(HandleBuffer, ©Handle, sizeof(HANDLE));
|
||||||
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE);
|
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof(HANDLE));
|
||||||
HandleCount++;
|
HandleCount++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -646,7 +652,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
return(HandleCount);
|
return(HandleCount);
|
||||||
|
|
@ -675,7 +681,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
|
||||||
HANDLE myHandle;
|
HANDLE myHandle;
|
||||||
char HandleBuffer[0x1000] = {0};
|
char HandleBuffer[0x1000] = {0};
|
||||||
LPVOID cHandleBuffer = HandleBuffer;
|
LPVOID cHandleBuffer = HandleBuffer;
|
||||||
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE);
|
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof(HANDLE));
|
||||||
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
|
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
|
||||||
wchar_t* HandleName;
|
wchar_t* HandleName;
|
||||||
|
|
||||||
|
|
@ -684,7 +690,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
|
||||||
lstrcatW(RealMutexName, szMutexString);
|
lstrcatW(RealMutexName, szMutexString);
|
||||||
for(i = 0; i < OpenHandleCount; i++)
|
for(i = 0; i < OpenHandleCount; i++)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&myHandle, cHandleBuffer, sizeof HANDLE);
|
RtlMoveMemory(&myHandle, cHandleBuffer, sizeof(HANDLE));
|
||||||
HandleName = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, myHandle, true);
|
HandleName = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, myHandle, true);
|
||||||
if(HandleName != NULL)
|
if(HandleName != NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -693,7 +699,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
|
||||||
return((ULONG_PTR)myHandle);
|
return((ULONG_PTR)myHandle);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE);
|
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof(HANDLE));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return(NULL);
|
return(NULL);
|
||||||
|
|
@ -738,7 +744,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
|
||||||
return 0;
|
return 0;
|
||||||
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
LPVOID QuerySystemBuffer = hinfo.GetPtr();
|
||||||
|
|
||||||
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
|
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
|
||||||
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
|
||||||
while(TotalHandleCount > NULL)
|
while(TotalHandleCount > NULL)
|
||||||
|
|
@ -757,7 +763,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
|
||||||
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
|
||||||
if(HandleInfo->GrantedAccess != 0x0012019F)
|
if(HandleInfo->GrantedAccess != 0x0012019F)
|
||||||
{
|
{
|
||||||
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
|
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
|
||||||
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
|
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
|
||||||
|
|
@ -788,7 +794,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
|
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
|
||||||
TotalHandleCount--;
|
TotalHandleCount--;
|
||||||
}
|
}
|
||||||
return(ReturnData);
|
return(ReturnData);
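Review bot: In `HandlerGetOpenMutexHandleW`, `lstrcatW(RealMutexName, szMutexString)` appends to the fixed `wchar_t RealMutexName[512]` stack buffer with no length check in the lines shown, so a name longer than the space left after the `\BaseNamedObjects\` prefix would write past the array. A guard before the call would close this, for example `if(lstrlenW(szMutexString) >= 512 - lstrlenW(RealMutexName)) return 0;`. Two lines of the function fall between the hunks and are not visible here, so confirm that no such check already exists there. The function also begins before the first of its hunks, so where `szMutexString` comes from is inferred from its name.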
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@ static bool ProcessHookScanAddNewHook(PHOOK_ENTRY HookDetails, void* ptrOriginal
|
||||||
{
|
{
|
||||||
HOOK_ENTRY MyhookEntry = {};
|
HOOK_ENTRY MyhookEntry = {};
|
||||||
|
|
||||||
RtlMoveMemory(&MyhookEntry, HookDetails, sizeof HOOK_ENTRY);
|
RtlMoveMemory(&MyhookEntry, HookDetails, sizeof(HOOK_ENTRY));
|
||||||
hookEntry.push_back(MyhookEntry);
|
hookEntry.push_back(MyhookEntry);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
@ -46,10 +46,10 @@ __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray
|
||||||
{
|
{
|
||||||
#if defined (_WIN64)
|
#if defined (_WIN64)
|
||||||
ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.qwArrayEntry[0];
|
ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.qwArrayEntry[0];
|
||||||
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR);
|
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof(ULONG_PTR));
|
||||||
#else
|
#else
|
||||||
ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.dwArrayEntry[0];
|
ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.dwArrayEntry[0];
|
||||||
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR);
|
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof(ULONG_PTR));
|
||||||
#endif
|
#endif
|
||||||
while(CurrentIP >= (ULONG_PTR)HookAddress && CurrentIP <= (ULONG_PTR)HookAddress + 5)
|
while(CurrentIP >= (ULONG_PTR)HookAddress && CurrentIP <= (ULONG_PTR)HookAddress + 5)
|
||||||
{
|
{
|
||||||
|
|
@ -84,7 +84,7 @@ __declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool
|
||||||
void* aHookAddress[1];
|
void* aHookAddress[1];
|
||||||
aHookAddress[0] = HookAddress;
|
aHookAddress[0] = HookAddress;
|
||||||
|
|
||||||
return(HooksSafeTransitionEx(&aHookAddress[0], sizeof aHookAddress, TransitionStart));
|
return(HooksSafeTransitionEx(&aHookAddress[0], sizeof(aHookAddress), TransitionStart));
|
||||||
}
|
}
|
||||||
|
|
||||||
__declspec(dllexport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress)
|
__declspec(dllexport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress)
|
||||||
|
|
@ -176,22 +176,22 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
if(CompareMemory->Array.bArrayEntry[0] == 0xE9 && CurrentInstructionSize == 5)
|
if(CompareMemory->Array.bArrayEntry[0] == 0xE9 && CurrentInstructionSize == 5)
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
||||||
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
}
|
}
|
||||||
else if(CompareMemory->Array.bArrayEntry[0] >= 0x70 && CompareMemory->Array.bArrayEntry[0] <= 0x7F && CurrentInstructionSize == 2)
|
else if(CompareMemory->Array.bArrayEntry[0] >= 0x70 && CompareMemory->Array.bArrayEntry[0] <= 0x7F && CurrentInstructionSize == 2)
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
||||||
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
}
|
}
|
||||||
else if(CompareMemory->Array.bArrayEntry[0] == 0x0F && CompareMemory->Array.bArrayEntry[1] >= 0x80 && CompareMemory->Array.bArrayEntry[1] <= 0x8F && CurrentInstructionSize == 6)
|
else if(CompareMemory->Array.bArrayEntry[0] == 0x0F && CompareMemory->Array.bArrayEntry[1] >= 0x80 && CompareMemory->Array.bArrayEntry[1] <= 0x8F && CurrentInstructionSize == 6)
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
||||||
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
}
|
}
|
||||||
else if(CompareMemory->Array.bArrayEntry[0] == 0xE8 && CurrentInstructionSize == 5)
|
else if(CompareMemory->Array.bArrayEntry[0] == 0xE8 && CurrentInstructionSize == 5)
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
|
||||||
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -236,7 +236,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
}
|
}
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xE9;
|
WriteMemory->Array.bArrayEntry[0] = 0xE9;
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
||||||
myHook.RelocationCount++;
|
myHook.RelocationCount++;
|
||||||
|
|
@ -245,7 +245,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - 5);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - 5);
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xE9;
|
WriteMemory->Array.bArrayEntry[0] = 0xE9;
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 5);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 5);
|
||||||
myHook.RelocationCount++;
|
myHook.RelocationCount++;
|
||||||
|
|
@ -256,7 +256,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - 6);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - 6);
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0x0F;
|
WriteMemory->Array.bArrayEntry[0] = 0x0F;
|
||||||
WriteMemory->Array.bArrayEntry[1] = CompareMemory->Array.bArrayEntry[0] + 0x10;
|
WriteMemory->Array.bArrayEntry[1] = CompareMemory->Array.bArrayEntry[0] + 0x10;
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6);
|
||||||
myHook.RelocationCount++;
|
myHook.RelocationCount++;
|
||||||
|
|
@ -269,7 +269,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
WriteMemory->Array.bArrayEntry[4] = 0xFF;
|
WriteMemory->Array.bArrayEntry[4] = 0xFF;
|
||||||
WriteMemory->Array.bArrayEntry[5] = 0x25;
|
WriteMemory->Array.bArrayEntry[5] = 0x25;
|
||||||
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[6], 4);
|
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[6], 4);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[10], &x64CalculatedRealingJump, sizeof x64CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[10], &x64CalculatedRealingJump, sizeof(x64CalculatedRealingJump));
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 18);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 18);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
@ -278,7 +278,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
#if !defined(_WIN64)
|
#if !defined(_WIN64)
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[0], &CompareMemory->Array.bArrayEntry[0], 2);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[0], &CompareMemory->Array.bArrayEntry[0], 2);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
||||||
myHook.RelocationCount++;
|
myHook.RelocationCount++;
|
||||||
|
|
@ -295,7 +295,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
WriteMemory->Array.bArrayEntry[8] = 0xFF;
|
WriteMemory->Array.bArrayEntry[8] = 0xFF;
|
||||||
WriteMemory->Array.bArrayEntry[9] = 0x25;
|
WriteMemory->Array.bArrayEntry[9] = 0x25;
|
||||||
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[10], 4);
|
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[10], 4);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[14], &x64CalculatedRealingJump, sizeof x64CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[14], &x64CalculatedRealingJump, sizeof(x64CalculatedRealingJump));
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 22);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 22);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
@ -303,7 +303,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xE8;
|
WriteMemory->Array.bArrayEntry[0] = 0xE8;
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
||||||
myHook.RelocationCount++;
|
myHook.RelocationCount++;
|
||||||
|
|
@ -313,7 +313,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
{
|
{
|
||||||
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[0], &CompareMemory->Array.bArrayEntry[0], 2);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[0], &CompareMemory->Array.bArrayEntry[0], 2);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
@ -340,9 +340,9 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
#else
|
#else
|
||||||
CalculatedRealingJump = NULL;
|
CalculatedRealingJump = NULL;
|
||||||
#endif
|
#endif
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &cHookAddress, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &cHookAddress, sizeof(CalculatedRealingJump));
|
||||||
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6 + sizeof ULONG_PTR);
|
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6 + sizeof(ULONG_PTR));
|
||||||
myHook.HookIsEnabled = true;
|
myHook.HookIsEnabled = true;
|
||||||
myHook.HookType = (BYTE)HookType;
|
myHook.HookType = (BYTE)HookType;
|
||||||
myHook.HookAddress = HookAddress;
|
myHook.HookAddress = HookAddress;
|
||||||
|
|
@ -360,7 +360,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
if(VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, PAGE_EXECUTE_READWRITE, &OldProtect))
|
if(VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, PAGE_EXECUTE_READWRITE, &OldProtect))
|
||||||
{
|
{
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xE9;
|
WriteMemory->Array.bArrayEntry[0] = 0xE9;
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
||||||
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
||||||
hookEntry.push_back(myHook);
|
hookEntry.push_back(myHook);
|
||||||
|
|
@ -372,7 +372,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xFF;
|
WriteMemory->Array.bArrayEntry[0] = 0xFF;
|
||||||
WriteMemory->Array.bArrayEntry[1] = 0x25;
|
WriteMemory->Array.bArrayEntry[1] = 0x25;
|
||||||
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[2], 4);
|
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[2], 4);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof RedirectTo);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof(RedirectTo));
|
||||||
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
||||||
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
||||||
hookEntry.push_back(myHook);
|
hookEntry.push_back(myHook);
|
||||||
|
|
@ -387,7 +387,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
if(VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, PAGE_EXECUTE_READWRITE, &OldProtect))
|
if(VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, PAGE_EXECUTE_READWRITE, &OldProtect))
|
||||||
{
|
{
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xE8;
|
WriteMemory->Array.bArrayEntry[0] = 0xE8;
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
|
||||||
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
||||||
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
||||||
hookEntry.push_back(myHook);
|
hookEntry.push_back(myHook);
|
||||||
|
|
@ -399,7 +399,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
|
||||||
WriteMemory->Array.bArrayEntry[0] = 0xFF;
|
WriteMemory->Array.bArrayEntry[0] = 0xFF;
|
||||||
WriteMemory->Array.bArrayEntry[1] = 0x15;
|
WriteMemory->Array.bArrayEntry[1] = 0x15;
|
||||||
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[2], 4);
|
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[2], 4);
|
||||||
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof RedirectTo);
|
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof(RedirectTo));
|
||||||
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
|
||||||
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
|
||||||
hookEntry.push_back(myHook);
|
hookEntry.push_back(myHook);
|
||||||
|
|
@ -430,7 +430,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
|
||||||
myHook.IATHook = true;
|
myHook.IATHook = true;
|
||||||
myHook.HookIsEnabled = true;
|
myHook.HookIsEnabled = true;
|
||||||
myHook.HookType = TEE_HOOK_IAT;
|
myHook.HookType = TEE_HOOK_IAT;
|
||||||
myHook.HookSize = sizeof ULONG_PTR;
|
myHook.HookSize = sizeof(ULONG_PTR);
|
||||||
myHook.RedirectionAddress = RedirectTo;
|
myHook.RedirectionAddress = RedirectTo;
|
||||||
myHook.IATHookModuleBase = (void*)LoadedModuleBase;
|
myHook.IATHookModuleBase = (void*)LoadedModuleBase;
|
||||||
myHook.IATHookNameHash = EngineHashString(szHookFunction);
|
myHook.IATHookNameHash = EngineHashString(szHookFunction);
|
||||||
|
|
@ -488,9 +488,9 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 4;
|
CurrentThunk = CurrentThunk + 4;
|
||||||
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
|
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
@ -537,9 +537,9 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 8;
|
CurrentThunk = CurrentThunk + 8;
|
||||||
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
|
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
@ -634,7 +634,7 @@ __declspec(dllexport) bool TITCALL HooksRemoveRedirectionsForModule(HMODULE Modu
|
||||||
DWORD OldProtect = PAGE_READONLY;
|
DWORD OldProtect = PAGE_READONLY;
|
||||||
MODULEINFO RemoteModuleInfo;
|
MODULEINFO RemoteModuleInfo;
|
||||||
|
|
||||||
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof MODULEINFO))
|
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof(MODULEINFO)))
|
||||||
{
|
{
|
||||||
while(i > NULL)
|
while(i > NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -731,7 +731,7 @@ __declspec(dllexport) bool TITCALL HooksDisableRedirectionsForModule(HMODULE Mod
|
||||||
DWORD OldProtect = PAGE_READONLY;
|
DWORD OldProtect = PAGE_READONLY;
|
||||||
MODULEINFO RemoteModuleInfo;
|
MODULEINFO RemoteModuleInfo;
|
||||||
|
|
||||||
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof MODULEINFO))
|
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof(MODULEINFO)))
|
||||||
{
|
{
|
||||||
while(i > NULL)
|
while(i > NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -831,7 +831,7 @@ __declspec(dllexport) bool TITCALL HooksEnableRedirectionsForModule(HMODULE Modu
|
||||||
DWORD OldProtect = PAGE_READONLY;
|
DWORD OldProtect = PAGE_READONLY;
|
||||||
MODULEINFO RemoteModuleInfo;
|
MODULEINFO RemoteModuleInfo;
|
||||||
|
|
||||||
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof MODULEINFO))
|
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof(MODULEINFO)))
|
||||||
{
|
{
|
||||||
while(i > NULL)
|
while(i > NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -950,12 +950,12 @@ __declspec(dllexport) void TITCALL HooksScanModuleMemory(HMODULE ModuleBase, LPV
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&RemoteLibInfo, pRemoteLibInfo, sizeof LIBRARY_ITEM_DATA);
|
RtlMoveMemory(&RemoteLibInfo, pRemoteLibInfo, sizeof(LIBRARY_ITEM_DATA));
|
||||||
}
|
}
|
||||||
if(!FileError)
|
if(!FileError)
|
||||||
{
|
{
|
||||||
hSize = GetFileSize(RemoteLibInfo.hFile, NULL);
|
hSize = GetFileSize(RemoteLibInfo.hFile, NULL);
|
||||||
GetModuleInformation(hProcess, ModuleBase, &ModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, ModuleBase, &ModuleInfo, sizeof(MODULEINFO));
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)RemoteLibInfo.hFileMappingView;
|
DOSHeader = (PIMAGE_DOS_HEADER)RemoteLibInfo.hFileMappingView;
|
||||||
__try
|
__try
|
||||||
{
|
{
|
||||||
|
|
@ -1125,5 +1125,5 @@ __declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack)
|
||||||
|
|
||||||
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemoryEx()
|
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemoryEx()
|
||||||
{
|
{
|
||||||
HooksScanEntireProcessMemory(&ProcessHookScanAddNewHook);
|
HooksScanEntireProcessMemory(CallbackToObjectPointer(&ProcessHookScanAddNewHook));
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -420,9 +420,9 @@ __declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName)
|
||||||
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
|
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 4;
|
CurrentThunk = CurrentThunk + 4;
|
||||||
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
|
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -467,9 +467,9 @@ __declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName)
|
||||||
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
|
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 8;
|
CurrentThunk = CurrentThunk + 8;
|
||||||
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
|
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -539,8 +539,8 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
|
||||||
scylla_getImports(iatStart, iatSize, ProcessId);
|
scylla_getImports(iatStart, iatSize, ProcessId);
|
||||||
}
|
}
|
||||||
|
|
||||||
RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
|
RtlMoveMemory(pIATStart, &iatStart, sizeof(ULONG_PTR));
|
||||||
RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
|
RtlMoveMemory(pIATSize, &iatSize, sizeof(ULONG_PTR));
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
@ -550,8 +550,8 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULON
|
||||||
wchar_t szTempName[MAX_PATH];
|
wchar_t szTempName[MAX_PATH];
|
||||||
wchar_t szTempFolder[MAX_PATH];
|
wchar_t szTempFolder[MAX_PATH];
|
||||||
|
|
||||||
RtlZeroMemory(&szTempName, sizeof szTempName);
|
RtlZeroMemory(&szTempName, sizeof(szTempName));
|
||||||
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
|
RtlZeroMemory(&szTempFolder, sizeof(szTempFolder));
|
||||||
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
|
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
|
||||||
{
|
{
|
||||||
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
|
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
|
||||||
|
|
@ -568,7 +568,7 @@ __declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack)
|
||||||
{
|
{
|
||||||
return scylla_enumImportTree(EnumCallBack);
|
return scylla_enumImportTree(EnumCallBack);
|
||||||
}
|
}
|
||||||
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
|
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
|
||||||
{
|
{
|
||||||
|
|
||||||
wchar_t uniDumpedFile[MAX_PATH] = {};
|
wchar_t uniDumpedFile[MAX_PATH] = {};
|
||||||
|
|
@ -585,7 +585,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* s
|
||||||
return(NULL); // Critical error! *just to be safe, but it should never happen!
|
return(NULL); // Critical error! *just to be safe, but it should never happen!
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
|
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
|
||||||
{
|
{
|
||||||
HANDLE FileHandle;
|
HANDLE FileHandle;
|
||||||
DWORD FileSize;
|
DWORD FileSize;
|
||||||
|
|
@ -612,7 +612,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_
|
||||||
{
|
{
|
||||||
HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
|
||||||
|
|
||||||
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress))
|
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, DumpFileName, EntryPointAddress))
|
||||||
{
|
{
|
||||||
return(NULL); // Critical error! *just to be safe, but it should never happen!
|
return(NULL); // Critical error! *just to be safe, but it should never happen!
|
||||||
}
|
}
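Review bot: In ImporterAutoFixIATExW the handle returned by `EngineOpenProcess` is passed to `DumpProcessW` without a NULL check, and the failure branch returns without closing it, so every failed dump leaks a process handle opened with `PROCESS_VM_READ | PROCESS_QUERY_INFORMATION`. I would add `if(!hProcess) return(NULL);` before the call and `CloseHandle(hProcess);` ahead of the `return(NULL);` in that branch. Whether the success path closes the handle cannot be seen here, because the function body continues outside the hunk. The same hunk also changes the output path argument from `szDumpedFile` to `DumpFileName`, presumably a local copy needed now that the parameter is `const`; its declaration is outside the visible lines, and a short comment at the call site stating which buffer receives the dump and how it is sized would make that substitution reviewable.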
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t*
|
||||||
|
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&APIData, sizeof InjectCodeData);
|
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
|
||||||
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
|
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
|
||||||
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
|
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
|
||||||
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
|
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
|
||||||
|
|
@ -43,9 +43,9 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t*
|
||||||
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
|
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
|
||||||
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||||||
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectCodeData), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
|
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectCodeData)), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
|
||||||
{
|
{
|
||||||
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
|
||||||
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteLoadLibrary, remInjectSize, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteLoadLibrary, remInjectSize, &NumberOfBytesWritten);
|
||||||
if(WaitForThreadExit)
|
if(WaitForThreadExit)
|
||||||
{
|
{
|
||||||
|
|
@ -120,7 +120,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
|
||||||
|
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&APIData, sizeof InjectCodeData);
|
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
|
||||||
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
|
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
|
||||||
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
|
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
|
||||||
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
|
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
|
||||||
|
|
@ -132,9 +132,9 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
|
||||||
if(hModule == NULL)
|
if(hModule == NULL)
|
||||||
{
|
{
|
||||||
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||||||
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectCodeData), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
|
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectCodeData)), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
|
||||||
{
|
{
|
||||||
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
|
||||||
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrarySimple, remInjectSize1, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrarySimple, remInjectSize1, &NumberOfBytesWritten);
|
||||||
if(WaitForThreadExit)
|
if(WaitForThreadExit)
|
||||||
{
|
{
|
||||||
|
|
@ -179,7 +179,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||||||
if(WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten))
|
if(WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten))
|
||||||
{
|
{
|
||||||
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrary, remInjectSize2, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrary, remInjectSize2, &NumberOfBytesWritten);
|
||||||
if(WaitForThreadExit)
|
if(WaitForThreadExit)
|
||||||
|
|
@ -235,7 +235,7 @@ __declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD Exit
|
||||||
|
|
||||||
if(hProcess != NULL)
|
if(hProcess != NULL)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&APIData, sizeof InjectCodeData);
|
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
|
||||||
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"));
|
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"));
|
||||||
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
|
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
|
||||||
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"));
|
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"));
|
||||||
|
|
@ -247,7 +247,7 @@ __declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD Exit
|
||||||
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedExitProcess, remInjectSize, &NumberOfBytesWritten))
|
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedExitProcess, remInjectSize, &NumberOfBytesWritten))
|
||||||
{
|
{
|
||||||
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
|
||||||
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
|
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
|
||||||
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
|
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
|
||||||
return true;
|
return true;
|
||||||
|
|
|
||||||
|
|
@ -42,13 +42,13 @@ __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName)
|
||||||
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoW(uniLibraryName);
|
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoW(uniLibraryName);
|
||||||
if(LibInfo)
|
if(LibInfo)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA);
|
RtlZeroMemory(&LibraryInfoData, sizeof(LIBRARY_ITEM_DATA));
|
||||||
LibraryInfoData.hFile = LibInfo->hFile;
|
LibraryInfoData.hFile = LibInfo->hFile;
|
||||||
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
|
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
|
||||||
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
|
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
|
||||||
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
|
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
|
||||||
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof(LibraryInfoData).szLibraryName, NULL, NULL);
|
||||||
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof(LibraryInfoData).szLibraryPath, NULL, NULL);
|
||||||
|
|
||||||
return((void*)&LibraryInfoData);
|
return((void*)&LibraryInfoData);
|
||||||
}
|
}
|
||||||
|
|
@ -79,13 +79,13 @@ __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll)
|
||||||
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoExW(BaseOfDll);
|
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoExW(BaseOfDll);
|
||||||
if(LibInfo)
|
if(LibInfo)
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA);
|
RtlZeroMemory(&LibraryInfoData, sizeof(LIBRARY_ITEM_DATA));
|
||||||
LibraryInfoData.hFile = LibInfo->hFile;
|
LibraryInfoData.hFile = LibInfo->hFile;
|
||||||
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
|
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
|
||||||
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
|
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
|
||||||
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
|
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
|
||||||
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof(LibraryInfoData).szLibraryName, NULL, NULL);
|
||||||
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL);
|
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof(LibraryInfoData).szLibraryPath, NULL, NULL);
|
||||||
|
|
||||||
return (void*)&LibraryInfoData;
|
return (void*)&LibraryInfoData;
|
||||||
}
|
}
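Review bot: The rewritten size arguments `sizeof(LibraryInfoData).szLibraryName` and `sizeof(LibraryInfoData).szLibraryPath`, in both LibrarianGetLibraryInfo and LibrarianGetLibraryInfoEx, read as "size of the whole struct, then a member access" and look like a mechanical search-and-replace artefact. They still yield the member's size only because `LibraryInfoData` is an object, so the parenthesised name is parsed as the start of a postfix expression. Write `sizeof(LibraryInfoData.szLibraryName)` and `sizeof(LibraryInfoData.szLibraryPath)` so the destination bound handed to WideCharToMultiByte is unambiguous. The return value of both conversions is also discarded, so a name or path that does not fit the ANSI buffer goes unnoticed; testing for a zero return would make that failure visible. Both function bodies continue outside the hunks.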
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@ __declspec(dllexport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVO
|
||||||
|
|
||||||
if(GenericOEPFileInitW(szFileName, TraceInitCallBack, CallBack))
|
if(GenericOEPFileInitW(szFileName, TraceInitCallBack, CallBack))
|
||||||
{
|
{
|
||||||
InitDebugExW(szFileName, NULL, NULL, &GenericOEPTraceInit);
|
InitDebugExW(szFileName, NULL, NULL, CallbackToObjectPointer(&GenericOEPTraceInit));
|
||||||
DebugLoop();
|
DebugLoop();
|
||||||
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
|
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
|
||||||
{
|
{
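Review bot: The result of `InitDebugExW(szFileName, NULL, NULL, CallbackToObjectPointer(&GenericOEPTraceInit))` is discarded and `DebugLoop()` runs unconditionally on the next line. If InitDebugExW reports a failed start through its return value (its declaration is not visible in this hunk), the loop and the section scan after it work on state that was never set up; a guard of the form `if(InitDebugExW(...)) DebugLoop();` would make that path explicit. A one-line comment at the call, e.g. `// callback is passed as an object pointer; CallbackToObjectPointer makes the conversion explicit`, would also tell readers why the helper is there. FindOEPGenericallyW starts and ends outside the hunk.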
|
||||||
|
|
|
||||||
|
|
@ -57,7 +57,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
ULONG_PTR FileMapVA;
|
ULONG_PTR FileMapVA;
|
||||||
WORD ResourceNamesTable[22] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 22, 23, 24};
|
WORD ResourceNamesTable[22] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 22, 23, 24};
|
||||||
|
|
||||||
RtlZeroMemory(&myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlZeroMemory(&myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
||||||
{
|
{
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
|
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
|
||||||
|
|
@ -81,7 +81,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
|
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -489,7 +489,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 4;
|
CurrentThunk = CurrentThunk + 4;
|
||||||
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
|
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
@ -500,7 +500,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
{
|
{
|
||||||
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -630,7 +630,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
{
|
{
|
||||||
myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL;
|
myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL;
|
||||||
}
|
}
|
||||||
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR);
|
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -750,7 +750,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
}
|
}
|
||||||
if(NumberOfSections > 1)
|
if(NumberOfSections > 1)
|
||||||
{
|
{
|
||||||
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
|
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
|
||||||
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
||||||
{
|
{
|
||||||
myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL;
|
myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL;
|
||||||
|
|
@ -804,7 +804,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
*/
|
*/
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK)
|
if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK)
|
||||||
|
|
@ -819,7 +819,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
|
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -1228,7 +1228,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 8;
|
CurrentThunk = CurrentThunk + 8;
|
||||||
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
|
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
@ -1239,7 +1239,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
{
|
{
|
||||||
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -1369,7 +1369,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
{
|
{
|
||||||
myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL;
|
myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL;
|
||||||
}
|
}
|
||||||
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR);
|
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -1489,7 +1489,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
}
|
}
|
||||||
if(NumberOfSections > 1)
|
if(NumberOfSections > 1)
|
||||||
{
|
{
|
||||||
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
|
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
|
||||||
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
||||||
{
|
{
|
||||||
myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL;
|
myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL;
|
||||||
|
|
@ -1543,7 +1543,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
*/
|
*/
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK)
|
if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK)
|
||||||
|
|
@ -1558,7 +1558,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
|
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -1571,7 +1571,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
myFileStatusInfo.SignatureMZ = UE_FIELD_BROKEN_NON_FIXABLE;
|
myFileStatusInfo.SignatureMZ = UE_FIELD_BROKEN_NON_FIXABLE;
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -1579,7 +1579,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
|
||||||
}
|
}
|
||||||
if(FileStatusInfo != NULL)
|
if(FileStatusInfo != NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
|
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -1811,14 +1811,14 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 4;
|
CurrentThunk = CurrentThunk + 4;
|
||||||
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
|
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(hLoadedModuleSimulated)
|
if(hLoadedModuleSimulated)
|
||||||
{
|
{
|
||||||
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -2230,7 +2230,7 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
|
||||||
}
|
}
|
||||||
if(NumberOfSections > 1)
|
if(NumberOfSections > 1)
|
||||||
{
|
{
|
||||||
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
|
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
|
||||||
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
||||||
{
|
{
|
||||||
PESections->Misc.VirtualSize = SectionVirtualSizeFixed;
|
PESections->Misc.VirtualSize = SectionVirtualSizeFixed;
|
||||||
|
|
@ -2404,14 +2404,14 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
CurrentThunk = CurrentThunk + 8;
|
CurrentThunk = CurrentThunk + 8;
|
||||||
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
|
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(hLoadedModuleSimulated)
|
if(hLoadedModuleSimulated)
|
||||||
{
|
{
|
||||||
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
|
||||||
}
|
}
|
||||||
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
|
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -2823,7 +2823,7 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
|
||||||
}
|
}
|
||||||
if(NumberOfSections > 1)
|
if(NumberOfSections > 1)
|
||||||
{
|
{
|
||||||
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
|
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
|
||||||
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
|
||||||
{
|
{
|
||||||
PESections->Misc.VirtualSize = SectionVirtualSizeFixed;
|
PESections->Misc.VirtualSize = SectionVirtualSizeFixed;
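Review bot: In the `NumberOfSections > 1` hunks of IsPE32FileValidExW and FixBrokenPE32FileExW, `PESections` is advanced by `sizeof(IMAGE_SECTION_HEADER)` and then read (`PESections->VirtualAddress`) or written (`PESections->Misc.VirtualSize`) with no visible check that the next header still lies inside the mapping returned by MapFileExW. These routines examine possibly malformed files, so the section count and table offsets come from the file itself. Unless a guard or exception handler outside the hunks covers it, a bounds test such as `if((ULONG_PTR)(PESections + 1) <= FileMapVA + FileSize)` before the access would keep a truncated file from causing an out-of-range access. The same applies to the `ThunkData32`/`ThunkData64`, `ImportIID` and `BoundIID` steps in the other hunks. As a style point, the cast-and-add form is equivalent to `PESections++` (likewise for the other typed pointers), which is shorter and cannot drift from the pointee type; the enclosing functions start and end outside these hunks.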
|
||||||
|
|
|
||||||
|
|
@ -160,17 +160,17 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
|
||||||
LPVOID sortedFileName;
|
LPVOID sortedFileName;
|
||||||
DynBuf sortedFileNameBuf;
|
DynBuf sortedFileNameBuf;
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
||||||
|
|
@ -370,17 +370,17 @@ __declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName)
|
||||||
HANDLE FileMap;
|
HANDLE FileMap;
|
||||||
ULONG_PTR FileMapVA;
|
ULONG_PTR FileMapVA;
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
||||||
|
|
@ -509,7 +509,7 @@ __declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSec
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize)
|
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize)
|
||||||
{
|
{
|
||||||
bool OverlayHasBeenRemoved = false;
|
bool OverlayHasBeenRemoved = false;
|
||||||
wchar_t szBackupOverlayFile[MAX_PATH] = {};
|
wchar_t szBackupOverlayFile[MAX_PATH] = {};
|
||||||
|
|
@ -544,18 +544,18 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* s
|
||||||
SectionSize = ContentSize;
|
SectionSize = ContentSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(FindOverlayW(szBackupFile, NULL, NULL))
|
if(FindOverlayW(szBackupFile, NULL, NULL))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, NULL, &szBackupOverlayFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, NULL, &szBackupOverlayFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupOverlayFile, sizeof szBackupOverlayFile);
|
RtlZeroMemory(&szBackupOverlayFile, sizeof(szBackupOverlayFile));
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
@ -568,7 +568,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* s
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
||||||
|
|
@ -608,7 +608,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* s
|
||||||
{
|
{
|
||||||
SectionSize = alignedSectionSize;
|
SectionSize = alignedSectionSize;
|
||||||
}
|
}
|
||||||
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS32;
|
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof(IMAGE_NT_HEADERS32);
|
||||||
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER);
|
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER);
|
||||||
LastSectionRawSize = (PESections->SizeOfRawData / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment;
|
LastSectionRawSize = (PESections->SizeOfRawData / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment;
|
||||||
if(LastSectionRawSize < PESections->SizeOfRawData)
|
if(LastSectionRawSize < PESections->SizeOfRawData)
|
||||||
|
|
@ -641,7 +641,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* s
|
||||||
{
|
{
|
||||||
SectionSize = alignedSectionSize;
|
SectionSize = alignedSectionSize;
|
||||||
}
|
}
|
||||||
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS64;
|
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof(IMAGE_NT_HEADERS64);
|
||||||
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER);
|
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER);
|
||||||
LastSectionRawSize = (PESections->SizeOfRawData / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment;
|
LastSectionRawSize = (PESections->SizeOfRawData / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment;
|
||||||
if(LastSectionRawSize < PESections->SizeOfRawData)
|
if(LastSectionRawSize < PESections->SizeOfRawData)
|
||||||
|
|
@ -746,7 +746,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* s
|
||||||
{
|
{
|
||||||
if(CopyFileW(szBackupFile, szFileName, false))
|
if(CopyFileW(szBackupFile, szFileName, false))
|
||||||
{
|
{
|
||||||
if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile))
|
if(OverlayHasBeenRemoved && !AddOverlayW((wchar_t*)szFileName, szBackupOverlayFile))
|
||||||
{
|
{
|
||||||
RemoveGarbageItem(szBackupItem, true);
|
RemoveGarbageItem(szBackupItem, true);
|
||||||
return(0);
|
return(0);
|
||||||
|
|
@ -828,7 +828,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* s
|
||||||
{
|
{
|
||||||
if(CopyFileW(szBackupFile, szFileName, false))
|
if(CopyFileW(szBackupFile, szFileName, false))
|
||||||
{
|
{
|
||||||
if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile))
|
if(OverlayHasBeenRemoved && !AddOverlayW((wchar_t*)szFileName, szBackupOverlayFile))
|
||||||
{
|
{
|
||||||
RemoveGarbageItem(szBackupItem, true);
|
RemoveGarbageItem(szBackupItem, true);
|
||||||
return(0);
|
return(0);
|
||||||
|
|
@ -872,7 +872,7 @@ __declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSecti
|
||||||
return AddNewSectionEx(szFileName, szSectionName, SectionSize, NULL, NULL, NULL);
|
return AddNewSectionEx(szFileName, szSectionName, SectionSize, NULL, NULL, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize)
|
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize)
|
||||||
{
|
{
|
||||||
return AddNewSectionExW(szFileName, szSectionName, SectionSize, NULL, NULL, NULL);
|
return AddNewSectionExW(szFileName, szSectionName, SectionSize, NULL, NULL, NULL);
|
||||||
}
|
}
|
||||||
|
|
@ -908,17 +908,17 @@ __declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD
|
||||||
HANDLE FileMap;
|
HANDLE FileMap;
|
||||||
ULONG_PTR FileMapVA;
|
ULONG_PTR FileMapVA;
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NumberOfExpandBytes))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NumberOfExpandBytes))
|
||||||
|
|
@ -1125,17 +1125,17 @@ __declspec(dllexport) bool TITCALL DeleteLastSectionW(wchar_t* szFileName)
|
||||||
HANDLE FileMap;
|
HANDLE FileMap;
|
||||||
ULONG_PTR FileMapVA;
|
ULONG_PTR FileMapVA;
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
||||||
|
|
@ -1322,17 +1322,17 @@ __declspec(dllexport) bool TITCALL WipeSectionW(wchar_t* szFileName, int WipeSec
|
||||||
HANDLE FileMap;
|
HANDLE FileMap;
|
||||||
ULONG_PTR FileMapVA;
|
ULONG_PTR FileMapVA;
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
||||||
|
|
|
||||||
|
|
@ -60,7 +60,7 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
|
||||||
{
|
{
|
||||||
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
||||||
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
||||||
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof IMAGE_NT_HEADERS64;
|
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS64);
|
||||||
if(CalculatedHeaderSize > 0x1000)
|
if(CalculatedHeaderSize > 0x1000)
|
||||||
{
|
{
|
||||||
SetFilePointer(hFile, NULL, NULL, FILE_BEGIN);
|
SetFilePointer(hFile, NULL, NULL, FILE_BEGIN);
|
||||||
|
|
@ -73,7 +73,7 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
|
||||||
}
|
}
|
||||||
if(PEHeader32->OptionalHeader.Magic == 0x10B)
|
if(PEHeader32->OptionalHeader.Magic == 0x10B)
|
||||||
{
|
{
|
||||||
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead))
|
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof(IMAGE_NT_HEADERS32), &ueNumberOfBytesRead))
|
||||||
{
|
{
|
||||||
PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
|
PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
|
||||||
FileIs64 = false;
|
FileIs64 = false;
|
||||||
|
|
@ -81,7 +81,7 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
|
||||||
}
|
}
|
||||||
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
|
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
|
||||||
{
|
{
|
||||||
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead))
|
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof(IMAGE_NT_HEADERS32), &ueNumberOfBytesRead))
|
||||||
{
|
{
|
||||||
PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
|
PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
|
||||||
FileIs64 = true;
|
FileIs64 = true;
|
||||||
|
|
|
||||||
|
|
@ -250,17 +250,17 @@ __declspec(dllexport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD Reali
|
||||||
HANDLE FileMap;
|
HANDLE FileMap;
|
||||||
ULONG_PTR FileMapVA;
|
ULONG_PTR FileMapVA;
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
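Review bot: In the PE32+ branch of PastePEHeaderW (`Magic == 0x20B`) the remote header is still read with the 32-bit size, `ReadProcessMemory(..., &RemotePEHeader64, sizeof(IMAGE_NT_HEADERS32), ...)`; the commit only added the parentheses. The read therefore stops short of the end of the 64-bit structure, and its trailing bytes keep whatever the buffer held before; how RemotePEHeader64 is used afterwards is outside the hunk. The size should follow the destination, `sizeof(RemotePEHeader64)`, and the branch should also fail when `ueNumberOfBytesRead` comes back smaller than that. The function body starts and ends outside the visible hunks.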
|
||||||
|
|
|
||||||
|
|
@ -48,7 +48,7 @@ __declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, UL
|
||||||
DWORD CompareDummy = NULL;
|
DWORD CompareDummy = NULL;
|
||||||
DWORD CopyDummy = NULL;
|
DWORD CopyDummy = NULL;
|
||||||
|
|
||||||
VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.BaseAddress != RelocationLastPage || RelocationLastPage == NULL)
|
if(MemInfo.BaseAddress != RelocationLastPage || RelocationLastPage == NULL)
|
||||||
{
|
{
|
||||||
RelocationLastPage = MemInfo.BaseAddress;
|
RelocationLastPage = MemInfo.BaseAddress;
|
||||||
|
|
@ -243,7 +243,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess,
|
||||||
|
|
||||||
if(RelocationData != NULL)
|
if(RelocationData != NULL)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
|
||||||
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead))
|
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead))
|
||||||
|
|
@ -271,9 +271,9 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
|
||||||
|
|
||||||
if(RelocationData != NULL)
|
if(RelocationData != NULL)
|
||||||
{
|
{
|
||||||
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
OldProtect = MemInfo.Protect;
|
OldProtect = MemInfo.Protect;
|
||||||
VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.RegionSize < MemorySize || MemorySize == NULL)
|
if(MemInfo.RegionSize < MemorySize || MemorySize == NULL)
|
||||||
{
|
{
|
||||||
MemorySize = MemInfo.RegionSize;
|
MemorySize = MemInfo.RegionSize;
|
||||||
|
|
@ -382,7 +382,7 @@ __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess
|
||||||
{
|
{
|
||||||
if(memcmp(Search1, Search2, 1) != 0)
|
if(memcmp(Search1, Search2, 1) != 0)
|
||||||
{
|
{
|
||||||
i = sizeof HANDLE;
|
i = sizeof(HANDLE);
|
||||||
RelativeBase = NULL;
|
RelativeBase = NULL;
|
||||||
bkSearch1 = Search1;
|
bkSearch1 = Search1;
|
||||||
bkSearch2 = Search2;
|
bkSearch2 = Search2;
|
||||||
|
|
@ -395,7 +395,7 @@ __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess
|
||||||
}
|
}
|
||||||
while(i > NULL && RelativeBase == NULL)
|
while(i > NULL && RelativeBase == NULL)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(&ReadData, Search2, sizeof HANDLE);
|
RtlMoveMemory(&ReadData, Search2, sizeof(HANDLE));
|
||||||
if(ReadData >= LoadedImageBase && ReadData <= NtSizeOfImage)
|
if(ReadData >= LoadedImageBase && ReadData <= NtSizeOfImage)
|
||||||
{
|
{
|
||||||
RelativeBase++;
|
RelativeBase++;
|
||||||
|
|
@ -417,9 +417,9 @@ __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RelocaterAddNewRelocation(hProcess, MemStart + ((ULONG_PTR)Search2 - (ULONG_PTR)FileMapVA2), NULL);
|
RelocaterAddNewRelocation(hProcess, MemStart + ((ULONG_PTR)Search2 - (ULONG_PTR)FileMapVA2), NULL);
|
||||||
Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof HANDLE - 1);
|
Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof(HANDLE) - 1);
|
||||||
Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof HANDLE - 1);
|
Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof(HANDLE) - 1);
|
||||||
SearchSize = SearchSize - sizeof HANDLE + 1;
|
SearchSize = SearchSize - sizeof(HANDLE) + 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Search1 = (LPVOID)((ULONG_PTR)Search1 + 1);
|
Search1 = (LPVOID)((ULONG_PTR)Search1 + 1);
|
||||||
|
|
@ -482,17 +482,17 @@ __declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName,
|
||||||
wchar_t szBackupFile[MAX_PATH] = {};
|
wchar_t szBackupFile[MAX_PATH] = {};
|
||||||
wchar_t szBackupItem[MAX_PATH] = {};
|
wchar_t szBackupItem[MAX_PATH] = {};
|
||||||
|
|
||||||
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
|
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
|
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
|
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
|
||||||
lstrcpyW(szBackupFile, szFileName);
|
lstrcpyW(szBackupFile, szFileName);
|
||||||
}
|
}
|
||||||
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
|
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
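Review bot: In RelocaterChangeFileBaseW both fallback paths copy the caller's path with `lstrcpyW(szBackupFile, szFileName)` into `wchar_t szBackupFile[MAX_PATH]`, and nothing visible bounds the length of `szFileName`, so a path of MAX_PATH characters or more writes past the stack buffer. A length guard ahead of the first copy closes this without silently truncating the path: `if(lstrlenW(szFileName) >= MAX_PATH) return false;`. The same unchecked copy appears in the ResizeLastSectionW, DeleteLastSectionW, WipeSectionW and RealignPEExW hunks, where the buffer declaration lies outside the hunk and should be confirmed. The function continues past the end of this hunk.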
|
||||||
|
|
|
||||||
|
|
@ -181,13 +181,13 @@ __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA,
|
||||||
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
|
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
|
||||||
if(PEResource != NULL)
|
if(PEResource != NULL)
|
||||||
{
|
{
|
||||||
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY);
|
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof(IMAGE_RESOURCE_DIRECTORY));
|
||||||
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
|
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
|
||||||
PEResourcePtr = PEResource;
|
PEResourcePtr = PEResource;
|
||||||
while(i > NULL)
|
while(i > NULL)
|
||||||
{
|
{
|
||||||
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
||||||
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY);
|
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof(IMAGE_RESOURCE_DIRECTORY));
|
||||||
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
|
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
|
||||||
uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset);
|
uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset);
|
||||||
if(((bool)PEResourceDir->NameIsString == true && EngineCompareResourceString(uniResourceType, szResourceType) == true) || ((bool)PEResourceDir->NameIsString == false && PEResourceDir->Id == ResourceType))
|
if(((bool)PEResourceDir->NameIsString == true && EngineCompareResourceString(uniResourceType, szResourceType) == true) || ((bool)PEResourceDir->NameIsString == false && PEResourceDir->Id == ResourceType))
|
||||||
|
|
@ -195,7 +195,7 @@ __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA,
|
||||||
while(j > NULL)
|
while(j > NULL)
|
||||||
{
|
{
|
||||||
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
||||||
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY);
|
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
|
||||||
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
|
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
|
||||||
uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset);
|
uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset);
|
||||||
if(((bool)PEResourceDir1->NameIsString == true && EngineCompareResourceString(uniResourceName, szResourceName) == true) || ((bool)PEResourceDir1->NameIsString == false && PEResourceDir1->Id == ResourceName))
|
if(((bool)PEResourceDir1->NameIsString == true && EngineCompareResourceString(uniResourceName, szResourceName) == true) || ((bool)PEResourceDir1->NameIsString == false && PEResourceDir1->Id == ResourceName))
|
||||||
|
|
@ -209,23 +209,23 @@ __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA,
|
||||||
*pResourceSize = PEResourceItem->Size;
|
*pResourceSize = PEResourceItem->Size;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
|
||||||
n--;
|
n--;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * n);
|
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY) * n);
|
||||||
}
|
}
|
||||||
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
|
||||||
j--;
|
j--;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * j);
|
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY) * j);
|
||||||
}
|
}
|
||||||
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
|
||||||
i--;
|
i--;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -295,18 +295,18 @@ __declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMa
|
||||||
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
|
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
|
||||||
if(PEResource != NULL)
|
if(PEResource != NULL)
|
||||||
{
|
{
|
||||||
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY);
|
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof(IMAGE_RESOURCE_DIRECTORY));
|
||||||
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
|
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
|
||||||
PEResourcePtr = PEResource;
|
PEResourcePtr = PEResource;
|
||||||
while(i > NULL)
|
while(i > NULL)
|
||||||
{
|
{
|
||||||
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
||||||
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY);
|
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof(IMAGE_RESOURCE_DIRECTORY));
|
||||||
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
|
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
|
||||||
while(j > NULL)
|
while(j > NULL)
|
||||||
{
|
{
|
||||||
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
|
||||||
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY);
|
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
|
||||||
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
|
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
|
||||||
while(n > NULL)
|
while(n > NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -337,13 +337,13 @@ __declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMa
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
|
||||||
n--;
|
n--;
|
||||||
}
|
}
|
||||||
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
|
||||||
j--;
|
j--;
|
||||||
}
|
}
|
||||||
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
|
||||||
i--;
|
i--;
|
||||||
}
|
}
|
||||||
}
|
}
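Review bot: The directory walk in ResourcerFindResourceEx and ResourcerEnumerateResourceEx follows `OffsetToData` and the `NumberOfIdEntries + NumberOfNamedEntries` counts straight from the mapped file, and no check against `FileSize` is visible in these hunks, so a malformed resource table can steer the entry pointers outside the mapping. The expression `OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY` also sets the high bit instead of clearing it when an entry is a data leaf rather than a subdirectory; testing `DataIsDirectory` and adding `PEResourceDir->OffsetToDirectory` avoids that. Before each dereference the computed address plus `sizeof(IMAGE_RESOURCE_DIRECTORY)` should be compared with `FileMapVA + FileSize`, and the walk abandoned when it does not fit. Both function bodies start outside the hunks.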
|
||||||
|
|
|
||||||
|
|
@ -88,8 +88,12 @@ __declspec(dllexport) bool TITCALL StaticFileUnloadW(wchar_t* szFileName, bool C
|
||||||
ULONG_PTR myFileMapVA;
|
ULONG_PTR myFileMapVA;
|
||||||
|
|
||||||
if(FileHandle != NULL && FileMap != NULL)
|
if(FileHandle != NULL && FileMap != NULL)
|
||||||
|
{
|
||||||
|
// HACK: compatibility with x64dbg
|
||||||
|
if(FileHandle != (HANDLE)-1)
|
||||||
{
|
{
|
||||||
UnMapFileEx(FileHandle, LoadedSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, LoadedSize, FileMap, FileMapVA);
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
@ -882,7 +886,7 @@ __declspec(dllexport) bool TITCALL StaticHashMemory(void* MemoryToHash, DWORD Si
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlMoveMemory(HashDigest, &crc32, sizeof crc32);
|
RtlMoveMemory(HashDigest, &crc32, sizeof(crc32));
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -1094,7 +1098,7 @@ __declspec(dllexport) bool TITCALL StaticHashFileW(wchar_t* szFileName, char* Ha
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
RtlMoveMemory(HashDigest, &crc32, sizeof crc32);
|
RtlMoveMemory(HashDigest, &crc32, sizeof(crc32));
|
||||||
}
|
}
|
||||||
|
|
||||||
CloseHandle(hFile);
|
CloseHandle(hFile);
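Review bot: The new guard in StaticFileUnloadW compares against the bare cast `(HANDLE)-1`, and when it matches the function skips `UnMapFileEx` yet still returns true, so `FileMap` and `FileMapVA` are not released on that path unless the caller does it, which is not visible here. Spell the sentinel as `if(FileHandle != INVALID_HANDLE_VALUE)` and replace the HACK comment with one that states which caller passes this value and who owns the mapping in that case. The function body starts before the hunk.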
|
||||||
|
|
|
||||||
|
|
@ -80,14 +80,14 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV
|
||||||
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
|
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
|
||||||
if(TLSCallBackAddress)
|
if(TLSCallBackAddress)
|
||||||
{
|
{
|
||||||
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
|
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
|
||||||
{
|
{
|
||||||
if(ArrayOfCallBacks)
|
if(ArrayOfCallBacks)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
|
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof(ULONG_PTR));
|
||||||
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
|
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof(ULONG_PTR));
|
||||||
}
|
}
|
||||||
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
|
TLSCallBackAddress = TLSCallBackAddress + sizeof(ULONG_PTR);
|
||||||
NumberOfTLSCallBacks++;
|
NumberOfTLSCallBacks++;
|
||||||
}
|
}
|
||||||
if(NumberOfCallBacks)
|
if(NumberOfCallBacks)
|
||||||
|
|
@ -131,14 +131,14 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV
|
||||||
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
|
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
|
||||||
if(TLSCallBackAddress)
|
if(TLSCallBackAddress)
|
||||||
{
|
{
|
||||||
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
|
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
|
||||||
{
|
{
|
||||||
if(ArrayOfCallBacks)
|
if(ArrayOfCallBacks)
|
||||||
{
|
{
|
||||||
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
|
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof(ULONG_PTR));
|
||||||
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
|
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof(ULONG_PTR));
|
||||||
}
|
}
|
||||||
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
|
TLSCallBackAddress = TLSCallBackAddress + sizeof(ULONG_PTR);
|
||||||
NumberOfTLSCallBacks++;
|
NumberOfTLSCallBacks++;
|
||||||
}
|
}
|
||||||
if(NumberOfCallBacks)
|
if(NumberOfCallBacks)
|
||||||
|
|
@ -367,7 +367,7 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName)
|
||||||
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
||||||
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
|
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
|
||||||
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
|
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
|
||||||
RtlZeroMemory(TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32);
|
RtlZeroMemory(TLSDirectoryX86, sizeof(IMAGE_TLS_DIRECTORY32));
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
@ -393,7 +393,7 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName)
|
||||||
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
||||||
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
|
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
|
||||||
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
|
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
|
||||||
RtlZeroMemory(TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64);
|
RtlZeroMemory(TLSDirectoryX64, sizeof(IMAGE_TLS_DIRECTORY64));
|
||||||
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
@ -443,8 +443,8 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
|
||||||
{
|
{
|
||||||
DWORD NumberOfTLSCallBacks = NULL;
|
DWORD NumberOfTLSCallBacks = NULL;
|
||||||
engineBackupTLSAddress = NULL;
|
engineBackupTLSAddress = NULL;
|
||||||
RtlZeroMemory(&engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32);
|
RtlZeroMemory(&engineBackupTLSDataX86, sizeof(IMAGE_TLS_DIRECTORY32));
|
||||||
RtlZeroMemory(&engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64);
|
RtlZeroMemory(&engineBackupTLSDataX64, sizeof(IMAGE_TLS_DIRECTORY64));
|
||||||
ClearTlsVector(&engineBackupArrayOfCallBacks); //clear backup array
|
ClearTlsVector(&engineBackupArrayOfCallBacks); //clear backup array
|
||||||
|
|
||||||
std::vector<ULONG_PTR>* ArrayOfCallBacks = &engineBackupArrayOfCallBacks;
|
std::vector<ULONG_PTR>* ArrayOfCallBacks = &engineBackupArrayOfCallBacks;
|
||||||
|
|
@ -476,12 +476,12 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
|
||||||
engineBackupTLSAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
|
engineBackupTLSAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
|
||||||
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
|
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
|
||||||
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
||||||
RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32);
|
RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof(IMAGE_TLS_DIRECTORY32));
|
||||||
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
|
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
|
||||||
{
|
{
|
||||||
ULONG_PTR TLSCompareData = 0;
|
ULONG_PTR TLSCompareData = 0;
|
||||||
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
|
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
|
||||||
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
|
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
|
||||||
{
|
{
|
||||||
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
|
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
|
||||||
TLSCallBackAddress++; //next callback
|
TLSCallBackAddress++; //next callback
|
||||||
|
|
@ -522,12 +522,12 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
|
||||||
engineBackupTLSAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
|
engineBackupTLSAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
|
||||||
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
|
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
|
||||||
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
|
||||||
RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64);
|
RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof(IMAGE_TLS_DIRECTORY64));
|
||||||
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
|
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
|
||||||
{
|
{
|
||||||
ULONG_PTR TLSCompareData = 0;
|
ULONG_PTR TLSCompareData = 0;
|
||||||
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
|
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
|
||||||
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
|
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
|
||||||
{
|
{
|
||||||
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
|
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
|
||||||
TLSCallBackAddress++; //next callback
|
TLSCallBackAddress++; //next callback
|
||||||
|
|
@ -575,7 +575,7 @@ __declspec(dllexport) bool TITCALL TLSRestoreData()
|
||||||
{
|
{
|
||||||
if(engineBackupTLSx64)
|
if(engineBackupTLSx64)
|
||||||
{
|
{
|
||||||
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64, &ueNumberOfBytesRead))
|
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX64, sizeof(IMAGE_TLS_DIRECTORY64), &ueNumberOfBytesRead))
|
||||||
{
|
{
|
||||||
if(engineBackupTLSDataX64.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
|
if(engineBackupTLSDataX64.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -598,7 +598,7 @@ __declspec(dllexport) bool TITCALL TLSRestoreData()
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32, &ueNumberOfBytesRead))
|
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX86, sizeof(IMAGE_TLS_DIRECTORY32), &ueNumberOfBytesRead))
|
||||||
{
|
{
|
||||||
if(engineBackupTLSDataX86.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
|
if(engineBackupTLSDataX86.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -651,13 +651,13 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P
|
||||||
__try
|
__try
|
||||||
{
|
{
|
||||||
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
|
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
|
||||||
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY32;
|
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof(IMAGE_TLS_DIRECTORY32);
|
||||||
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace;
|
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace;
|
||||||
TLSDirectoryX86->StartAddressOfRawData = (DWORD)TLSWriteData;
|
TLSDirectoryX86->StartAddressOfRawData = (DWORD)TLSWriteData;
|
||||||
TLSDirectoryX86->EndAddressOfRawData = (DWORD)TLSWriteData + 0x10;
|
TLSDirectoryX86->EndAddressOfRawData = (DWORD)TLSWriteData + 0x10;
|
||||||
TLSDirectoryX86->AddressOfIndex = (DWORD)TLSWriteData + 0x14;
|
TLSDirectoryX86->AddressOfIndex = (DWORD)TLSWriteData + 0x14;
|
||||||
TLSDirectoryX86->AddressOfCallBacks = (DWORD)TLSWriteData + sizeof IMAGE_TLS_DIRECTORY32 + 8;
|
TLSDirectoryX86->AddressOfCallBacks = (DWORD)TLSWriteData + sizeof(IMAGE_TLS_DIRECTORY32) + 8;
|
||||||
RtlMoveMemory((LPVOID)(StorePlace + sizeof IMAGE_TLS_DIRECTORY32 + 8), ArrayOfCallBacks, NumberOfCallBacks * 4);
|
RtlMoveMemory((LPVOID)(StorePlace + sizeof(IMAGE_TLS_DIRECTORY32) + 8), ArrayOfCallBacks, NumberOfCallBacks * 4);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
__except(EXCEPTION_EXECUTE_HANDLER)
|
||||||
|
|
@ -670,13 +670,13 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P
|
||||||
__try
|
__try
|
||||||
{
|
{
|
||||||
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
|
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
|
||||||
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY64;
|
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof(IMAGE_TLS_DIRECTORY64);
|
||||||
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace;
|
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace;
|
||||||
TLSDirectoryX64->StartAddressOfRawData = TLSWriteData;
|
TLSDirectoryX64->StartAddressOfRawData = TLSWriteData;
|
||||||
TLSDirectoryX64->EndAddressOfRawData = TLSWriteData + 0x20;
|
TLSDirectoryX64->EndAddressOfRawData = TLSWriteData + 0x20;
|
||||||
TLSDirectoryX64->AddressOfIndex = TLSWriteData + 0x28;
|
TLSDirectoryX64->AddressOfIndex = TLSWriteData + 0x28;
|
||||||
TLSDirectoryX64->AddressOfCallBacks = TLSWriteData + sizeof IMAGE_TLS_DIRECTORY64 + 12;
|
TLSDirectoryX64->AddressOfCallBacks = TLSWriteData + sizeof(IMAGE_TLS_DIRECTORY64) + 12;
|
||||||
RtlMoveMemory((LPVOID)(StorePlace + sizeof IMAGE_TLS_DIRECTORY64 + 12), ArrayOfCallBacks, NumberOfCallBacks * 8);
|
RtlMoveMemory((LPVOID)(StorePlace + sizeof(IMAGE_TLS_DIRECTORY64) + 12), ArrayOfCallBacks, NumberOfCallBacks * 8);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
__except(EXCEPTION_EXECUTE_HANDLER)
|
||||||
|
|
@ -707,7 +707,7 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* sz
|
||||||
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
|
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
|
||||||
{
|
{
|
||||||
ULONG_PTR tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE);
|
ULONG_PTR tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE);
|
||||||
DWORD NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof IMAGE_TLS_DIRECTORY64 * 2);
|
DWORD NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof(IMAGE_TLS_DIRECTORY64) * 2);
|
||||||
HANDLE FileHandle;
|
HANDLE FileHandle;
|
||||||
DWORD FileSize;
|
DWORD FileSize;
|
||||||
HANDLE FileMap;
|
HANDLE FileMap;
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@ static ULONG_PTR EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
|
||||||
bool SkipHashing = false;
|
bool SkipHashing = false;
|
||||||
BYTE EmptyCall[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
|
BYTE EmptyCall[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
|
||||||
|
|
||||||
if(VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
|
if(VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != NULL)
|
||||||
{
|
{
|
||||||
if(MemInfo.RegionSize > NULL)
|
if(MemInfo.RegionSize > NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -640,8 +640,8 @@ __declspec(dllexport) ULONG_PTR TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
|
||||||
if(!FoundAPI)
|
if(!FoundAPI)
|
||||||
{
|
{
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
|
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
|
||||||
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
|
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
|
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
|
||||||
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], hProcess, RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
|
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], hProcess, RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
|
||||||
{
|
{
|
||||||
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
||||||
|
|
@ -719,7 +719,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
|
||||||
LPVOID TraceMemory;
|
LPVOID TraceMemory;
|
||||||
bool HashCheck = false;
|
bool HashCheck = false;
|
||||||
|
|
||||||
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.RegionSize > NULL)
|
if(MemInfo.RegionSize > NULL)
|
||||||
{
|
{
|
||||||
MaximumReadSize = (DWORD)((ULONG_PTR)MemInfo.AllocationBase + MemInfo.RegionSize - AddressToTrace);
|
MaximumReadSize = (DWORD)((ULONG_PTR)MemInfo.AllocationBase + MemInfo.RegionSize - AddressToTrace);
|
||||||
|
|
@ -732,7 +732,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
|
||||||
{
|
{
|
||||||
HashCheck = true;
|
HashCheck = true;
|
||||||
}
|
}
|
||||||
if(sizeof HANDLE == 4)
|
if(sizeof(HANDLE) == 4)
|
||||||
{
|
{
|
||||||
TraceMemory = tracemem.Allocate(MaximumReadSize);
|
TraceMemory = tracemem.Allocate(MaximumReadSize);
|
||||||
if(!TraceMemory)
|
if(!TraceMemory)
|
||||||
|
|
@ -1126,7 +1126,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
|
||||||
DWORD MaximumReadSize = 0x1000;
|
DWORD MaximumReadSize = 0x1000;
|
||||||
cMem = (PMEMORY_CMP_HANDLER)TracerReadMemory;
|
cMem = (PMEMORY_CMP_HANDLER)TracerReadMemory;
|
||||||
|
|
||||||
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
|
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
|
||||||
if(MemInfo.RegionSize > NULL)
|
if(MemInfo.RegionSize > NULL)
|
||||||
{
|
{
|
||||||
MaximumReadSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + MemInfo.RegionSize - AddressToTrace);
|
MaximumReadSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + MemInfo.RegionSize - AddressToTrace);
|
||||||
|
|
@ -1475,7 +1475,7 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
|
||||||
fImpRecTrace = fImpRecTrace - (ULONG_PTR)hImpRecModule;
|
fImpRecTrace = fImpRecTrace - (ULONG_PTR)hImpRecModule;
|
||||||
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_READWRITE);
|
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_READWRITE);
|
||||||
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||||||
RtlZeroMemory(&APIData, sizeof InjectImpRecCodeData);
|
RtlZeroMemory(&APIData, sizeof(InjectImpRecCodeData));
|
||||||
APIData.fTrace = fImpRecTrace + (ULONG_PTR)ImporterGetRemoteDLLBase(hProcess, hImpRecModule);
|
APIData.fTrace = fImpRecTrace + (ULONG_PTR)ImporterGetRemoteDLLBase(hProcess, hImpRecModule);
|
||||||
APIData.AddressToTrace = (ULONG_PTR)TraceAddress;
|
APIData.AddressToTrace = (ULONG_PTR)TraceAddress;
|
||||||
APIData.fCreateFileA = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateFileA"));
|
APIData.fCreateFileA = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateFileA"));
|
||||||
|
|
@ -1483,8 +1483,8 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
|
||||||
APIData.fCloseHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CloseHandle"));
|
APIData.fCloseHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CloseHandle"));
|
||||||
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedImpRec, remInjectSize, &NumberOfBytesWritten))
|
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedImpRec, remInjectSize, &NumberOfBytesWritten))
|
||||||
{
|
{
|
||||||
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectImpRecCodeData, &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectImpRecCodeData), &NumberOfBytesWritten);
|
||||||
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectImpRecCodeData), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
|
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectImpRecCodeData)), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
|
||||||
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
|
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
|
||||||
|
|
||||||
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
|
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
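Review bot: In TracerDetectRedirection and TracerFixKnownRedirection the result of `VirtualQueryEx(..., sizeof(MEMORY_BASIC_INFORMATION))` is discarded and `MemInfo.RegionSize` is read straight afterwards, so a failed query sizes the read from whatever MemInfo already held (its declaration is outside the hunks). EngineGlobalTracerHandler1 in the same file already tests the return value, and the other two should follow it, e.g. `if(VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != 0 && MemInfo.RegionSize > 0)`. TracerDetectRedirection also derives `MaximumReadSize` from `MemInfo.AllocationBase + MemInfo.RegionSize`, while TracerFixKnownRedirection uses `MemInfo.BaseAddress`. RegionSize is counted from BaseAddress, so the AllocationBase form can misstate the readable range that then feeds `tracemem.Allocate(MaximumReadSize)`. All three function bodies extend beyond the hunks shown.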
|
||||||
|
|
|
||||||
|
|
@ -43,9 +43,9 @@ __declspec(dllexport) bool TITCALL RemoveOverlayW(wchar_t* szFileName);
|
||||||
__declspec(dllexport) bool TITCALL MakeAllSectionsRWE(char* szFileName);
|
__declspec(dllexport) bool TITCALL MakeAllSectionsRWE(char* szFileName);
|
||||||
__declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName);
|
__declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName);
|
||||||
__declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
|
__declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
|
||||||
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
|
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
|
||||||
__declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize);
|
__declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize);
|
||||||
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize);
|
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize);
|
||||||
__declspec(dllexport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
|
__declspec(dllexport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
|
||||||
__declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
|
__declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
|
||||||
__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName);
|
__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName);
|
||||||
|
|
@ -293,8 +293,8 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char*
|
||||||
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
|
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
|
||||||
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
|
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
|
||||||
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
|
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
|
||||||
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
|
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
|
||||||
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
|
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
|
||||||
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
|
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
|
||||||
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
|
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
|
||||||
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
|
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
|
||||||
|
|
@ -337,7 +337,7 @@ __declspec(dllexport) long TITCALL ExporterGetAddedExportCount();
|
||||||
__declspec(dllexport) long TITCALL ExporterEstimatedSize();
|
__declspec(dllexport) long TITCALL ExporterEstimatedSize();
|
||||||
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
|
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
|
||||||
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName);
|
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName);
|
||||||
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName);
|
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, const char* szSectionName);
|
||||||
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(char* szFileName);
|
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(char* szFileName);
|
||||||
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName);
|
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName);
|
||||||
// TitanEngine.Librarian.functions:
|
// TitanEngine.Librarian.functions:
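Review bot: The const-qualification is applied unevenly across the A/W pairs: `AddNewSectionExW`, `AddNewSectionW` and `ExporterBuildExportTableExW` now take `const char* szSectionName`, while `AddNewSectionEx`, `AddNewSection` and `ExporterBuildExportTableEx` keep `char*`. Likewise `ImporterAutoFixIATEx`/`ImporterAutoFixIATExW` become const while `ImporterAutoFixIAT`/`ImporterAutoFixIATW` do not. Callers that pass a string literal to the unchanged variants still depend on the non-conforming literal-to-`char*` conversion, so the ANSI declarations should match, e.g. `long TITCALL AddNewSection(const char* szFileName, const char* szSectionName, DWORD SectionSize);`. The `wchar_t* szFileName` parameters are candidates for the same change if the implementations never write through them, which this header does not show.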
|
||||||
|
|
|
||||||
|
|
@ -37,6 +37,20 @@
|
||||||
#define _Out_writes_opt_(x)
|
#define _Out_writes_opt_(x)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
// Utility helpers for legacy TitanEngine callback APIs that use void* handles
|
||||||
|
// for callbacks while still allowing typed function pointer usage internally.
|
||||||
|
template<typename T>
|
||||||
|
static inline LPVOID CallbackToObjectPointer(T functionPointer)
|
||||||
|
{
|
||||||
|
return reinterpret_cast<LPVOID>(reinterpret_cast<ULONG_PTR>(functionPointer));
|
||||||
|
}
|
||||||
|
|
||||||
|
template<typename T>
|
||||||
|
static inline T ObjectPointerToCallback(LPVOID callbackData)
|
||||||
|
{
|
||||||
|
return reinterpret_cast<T>(reinterpret_cast<ULONG_PTR>(callbackData));
|
||||||
|
}
|
||||||
|
|
||||||
#ifndef _In_reads_
|
#ifndef _In_reads_
|
||||||
#define _In_reads_(x)
|
#define _In_reads_(x)
|
||||||
#endif
|
#endif
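Review bot: `CallbackToObjectPointer` and `ObjectPointerToCallback` accept any `T`, so nothing stops an instantiation with a non-callback type or with a signature different from the one stored behind the `LPVOID`. A compile-time guard fits the `cxx_std_11` requirement this commit adds: `static_assert(sizeof(T) == sizeof(LPVOID), "callback must be a pointer-sized function pointer");` as the first statement of both templates. The comment above them should also state that the caller must pass the exact function-pointer type, including calling convention, that was originally stored, because the round trip through `ULONG_PTR` erases it. `static` is not needed on a function template defined in a header; `inline` alone is enough.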
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,7 @@ sources = ["scylla_wrapper/*.cpp"]
|
||||||
headers = ["scylla_wrapper/*.h", "scylla_wrapper/include/*.h"]
|
headers = ["scylla_wrapper/*.h", "scylla_wrapper/include/*.h"]
|
||||||
link-libraries = ["::distorm"]
|
link-libraries = ["::distorm"]
|
||||||
include-directories = ["scylla_wrapper/include"]
|
include-directories = ["scylla_wrapper/include"]
|
||||||
|
compile-features = ["cxx_std_11"]
|
||||||
|
|
||||||
[target.TitanEngine]
|
[target.TitanEngine]
|
||||||
type = "shared"
|
type = "shared"
|
||||||
|
|
|
||||||
|
|
@ -453,7 +453,7 @@ void ApiReader::findApiByModule(ModuleInfo* module, char* searchFunctionName, WO
|
||||||
{
|
{
|
||||||
if(ordinal)
|
if(ordinal)
|
||||||
{
|
{
|
||||||
*vaApi = (DWORD_PTR)GetProcAddress(hModule, (LPCSTR)ordinal);
|
*vaApi = (DWORD_PTR)GetProcAddress(hModule, (LPCSTR)MAKEINTRESOURCEA(ordinal));
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -185,7 +185,7 @@ bool ImportRebuilder::buildNewMappedImportTable(std::map<DWORD_PTR, ImportModule
|
||||||
}
|
}
|
||||||
|
|
||||||
//setFlagToIATSection
|
//setFlagToIATSection
|
||||||
headerOffset += sizeof(IMAGE_SECTION_HEADER) * importSectionIndex;
|
headerOffset += (DWORD)(sizeof(IMAGE_SECTION_HEADER) * importSectionIndex);
|
||||||
|
|
||||||
PIMAGE_SECTION_HEADER pImportSection = (PIMAGE_SECTION_HEADER)(fileMapVA + headerOffset);
|
PIMAGE_SECTION_HEADER pImportSection = (PIMAGE_SECTION_HEADER)(fileMapVA + headerOffset);
|
||||||
pImportSection->Characteristics |= IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
|
pImportSection->Characteristics |= IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
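Review bot: The added `(DWORD)` cast on `sizeof(IMAGE_SECTION_HEADER) * importSectionIndex` silences the narrowing warning, but `headerOffset` is then used to form `pImportSection` inside the mapped file and `Characteristics` is written through it, with no check in this hunk that the offset stays inside the section table. If `importSectionIndex` is not validated against the header's section count earlier in buildNewMappedImportTable (the function starts outside the hunk), add that check before the write rather than relying on the cast. Replacing `//setFlagToIATSection` with a comment such as `// mark the section holding the rebuilt IAT readable and writable` would also say what the two lines do.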
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,7 @@ public:
|
||||||
int getIATSectionSize(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
|
int getIATSectionSize(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
|
||||||
{
|
{
|
||||||
this->calculateImportSizes(moduleList);
|
this->calculateImportSizes(moduleList);
|
||||||
return this->sizeOfImportSection;
|
return (int)this->sizeOfImportSection;
|
||||||
} ;
|
} ;
|
||||||
|
|
||||||
IATReferenceScan* iatReferenceScan;
|
IATReferenceScan* iatReferenceScan;
|
||||||
|
|
|
||||||
|
|
@ -986,7 +986,8 @@ DWORD_PTR PeParser::getStandardImagebase()
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
return pNTHeader64->OptionalHeader.ImageBase;
|
// NOTE: this is broken, but code is never executed
|
||||||
|
return (DWORD_PTR)pNTHeader64->OptionalHeader.ImageBase;
|
||||||
}
|
}
|
||||||
}
|
}
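Review bot: The new comment `// NOTE: this is broken, but code is never executed` does not say what is broken or why the branch is unreachable, and the `(DWORD_PTR)` cast beside it hides the problem from the compiler. On a 32-bit build `DWORD_PTR` is 32 bits wide while `pNTHeader64->OptionalHeader.ImageBase` is a 64-bit field, so the cast would return a truncated image base if the branch were ever reached. Spell that out, e.g. `// DWORD_PTR truncates the 64-bit ImageBase on x86 builds; not reached there because <reason>`, with the reason supplied by the author, or fail visibly in that configuration instead of returning a partial address. getStandardImagebase begins outside the hunk.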
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -6,22 +6,14 @@
|
||||||
|
|
||||||
const char* StringConversion::ToASCII(const wchar_t* str, char* buf, size_t bufsize)
|
const char* StringConversion::ToASCII(const wchar_t* str, char* buf, size_t bufsize)
|
||||||
{
|
{
|
||||||
wcstombs(buf, str, bufsize);
|
size_t charsConverted = 0;
|
||||||
/*
|
wcstombs_s(&charsConverted, buf, bufsize, str, _TRUNCATE);
|
||||||
ATL::CW2A str_a = str;
|
|
||||||
strncpy_s(buf, bufsize, str_a, bufsize);
|
|
||||||
buf[bufsize - 1] = '\0';
|
|
||||||
*/
|
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
|
||||||
|
|
||||||
const wchar_t* StringConversion::ToUTF16(const char* str, wchar_t* buf, size_t bufsize)
|
const wchar_t* StringConversion::ToUTF16(const char* str, wchar_t* buf, size_t bufsize)
|
||||||
{
|
{
|
||||||
mbstowcs(buf, str, bufsize);
|
size_t charsConverted = 0;
|
||||||
/*
|
mbstowcs_s(&charsConverted, buf, bufsize, str, _TRUNCATE);
|
||||||
ATL::CA2W str_w = str;
|
|
||||||
wcsncpy_s(buf, bufsize, str_w, bufsize);
|
|
||||||
buf[bufsize - 1] = L'\0';
|
|
||||||
*/
|
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
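Review bot: ToASCII and ToUTF16 now ignore the `errno_t` returned by `wcstombs_s`/`mbstowcs_s` and never read `charsConverted`, so truncation (`STRUNCATE`) and an unconvertible character look the same as success to callers such as `StringConversion::ToASCII(moduleThunk.moduleName, myImportEnumData.DLLName, ...)` in scylla_enumImportTree. Unlike the `wcstombs`/`mbstowcs` calls they replace, the `_s` variants route a null `buf`/`str` or a zero `bufsize` to the CRT invalid-parameter handler, so a guard such as `if(!buf || !str || bufsize == 0) return buf;` before each call keeps bad input from ending the process. Capture the result, e.g. `errno_t err = wcstombs_s(&charsConverted, buf, bufsize, str, _TRUNCATE);`, and document that a non-zero `err` leaves `buf` truncated or empty. A one-line comment on each function stating that the output is always NUL-terminated and may be cut to `bufsize` would replace what the deleted commented-out block used to hint at.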
|
||||||
|
|
|
||||||
|
|
@ -5,15 +5,17 @@ OPERATING_SYSTEM SystemInformation::currenOS = UNKNOWN_OS;
|
||||||
|
|
||||||
bool SystemInformation::getSystemInformation()
|
bool SystemInformation::getSystemInformation()
|
||||||
{
|
{
|
||||||
OSVERSIONINFOEX osvi = {0};
|
RTL_OSVERSIONINFOW osvi = {0};
|
||||||
|
osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
|
||||||
SYSTEM_INFO si = {0};
|
SYSTEM_INFO si = {0};
|
||||||
def_GetNativeSystemInfo _GetNativeSystemInfo = 0;
|
def_GetNativeSystemInfo _GetNativeSystemInfo = 0;
|
||||||
|
typedef LONG (WINAPI* tRtlGetVersion)(PRTL_OSVERSIONINFOW);
|
||||||
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
|
tRtlGetVersion pRtlGetVersion = (tRtlGetVersion)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
|
||||||
if(!GetVersionEx((OSVERSIONINFO*) &osvi))
|
if(!pRtlGetVersion)
|
||||||
{
|
return false;
|
||||||
|
|
||||||
|
if(pRtlGetVersion(&osvi) != 0)
|
||||||
return false;
|
return false;
|
||||||
}
|
|
||||||
|
|
||||||
if((osvi.dwMajorVersion < 5) || ((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 0)))
|
if((osvi.dwMajorVersion < 5) || ((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 0)))
|
||||||
{
|
{
|
||||||
|
|
@ -33,6 +35,7 @@ bool SystemInformation::getSystemInformation()
|
||||||
bool isX64 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64;
|
bool isX64 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64;
|
||||||
bool isX86 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL;
|
bool isX86 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL;
|
||||||
|
|
||||||
|
|
||||||
DWORD major = osvi.dwMajorVersion;
|
DWORD major = osvi.dwMajorVersion;
|
||||||
DWORD minor = osvi.dwMinorVersion;
|
DWORD minor = osvi.dwMinorVersion;
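Review bot: The switch from `GetVersionEx` to a dynamically resolved `RtlGetVersion` in getSystemInformation carries no comment, and the reason matters to anyone tempted to simplify it back. Suggest adding above the typedef: `// RtlGetVersion reports the real OS version; GetVersionEx is deprecated and returns a manifest-dependent value on Windows 8.1 and later`. The status test `pRtlGetVersion(&osvi) != 0` would read more clearly as a comparison against a named success constant with a short comment that the return type is an NTSTATUS.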
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -405,7 +405,7 @@ void scylla_enumImportTree(LPVOID enumCallback)
|
||||||
|
|
||||||
//module
|
//module
|
||||||
myImportEnumData.NewDll = true;
|
myImportEnumData.NewDll = true;
|
||||||
myImportEnumData.NumberOfImports = moduleThunk.thunkList.size();
|
myImportEnumData.NumberOfImports = (int)moduleThunk.thunkList.size();
|
||||||
StringConversion::ToASCII(moduleThunk.moduleName, myImportEnumData.DLLName, sizeof(char)*MAX_PATH);
|
StringConversion::ToASCII(moduleThunk.moduleName, myImportEnumData.DLLName, sizeof(char)*MAX_PATH);
|
||||||
myImportEnumData.BaseImportThunk = moduleThunk.firstThunk;
|
myImportEnumData.BaseImportThunk = moduleThunk.firstThunk;
|
||||||
|
|
||||||
|
|
|
||||||