- formatting lol

- rewrote TitanEngine.Threader to use a vector (decreased memory footprint)
- Removed function ThreadGetThreadData
This commit is contained in:
mr.exodia 2014-03-05 17:48:06 +01:00
parent 4dfc0351f7
commit bc7906460c
23 changed files with 1386 additions and 1716 deletions


@ -639,7 +639,6 @@ __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread);
__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive(); __declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive();
__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads(); __declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads();
__declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId); __declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId);
__declspec(dllexport) void* TITCALL ThreaderGetThreadData();
__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread(); __declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread();
// TitanEngine.Debugger.functions: // TitanEngine.Debugger.functions:
__declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress); __declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress);


@ -638,7 +638,6 @@ __declspec(dllimport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread);
__declspec(dllimport) bool TITCALL ThreaderIsAnyThreadActive(); __declspec(dllimport) bool TITCALL ThreaderIsAnyThreadActive();
__declspec(dllimport) bool TITCALL ThreaderExecuteOnlyInjectedThreads(); __declspec(dllimport) bool TITCALL ThreaderExecuteOnlyInjectedThreads();
__declspec(dllimport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId); __declspec(dllimport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId);
__declspec(dllimport) void* TITCALL ThreaderGetThreadData();
__declspec(dllimport) bool TITCALL ThreaderIsExceptionInMainThread(); __declspec(dllimport) bool TITCALL ThreaderIsExceptionInMainThread();
// TitanEngine.Debugger.functions: // TitanEngine.Debugger.functions:
__declspec(dllimport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress); __declspec(dllimport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress);


@ -1122,10 +1122,6 @@ public:
{ {
return UE::ThreaderGetOpenHandleForThread(ThreadId); return UE::ThreaderGetOpenHandleForThread(ThreadId);
} }
static const THREAD_ITEM_DATA* GetThreadData()
{
return (const THREAD_ITEM_DATA*)UE::ThreaderGetThreadData();
}
static bool IsExceptionInMainThread() static bool IsExceptionInMainThread()
{ {
return UE::ThreaderIsExceptionInMainThread(); return UE::ThreaderIsExceptionInMainThread();


@ -496,7 +496,6 @@ const
function ThreaderIsAnyThreadActive():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsAnyThreadActive'; function ThreaderIsAnyThreadActive():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsAnyThreadActive';
function ThreaderExecuteOnlyInjectedThreads():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderExecuteOnlyInjectedThreads'; function ThreaderExecuteOnlyInjectedThreads():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderExecuteOnlyInjectedThreads';
function ThreaderGetOpenHandleForThread(ThreadId:LongInt):THandle; stdcall; external 'TitanEngine.dll' name 'ThreaderGetOpenHandleForThread'; function ThreaderGetOpenHandleForThread(ThreadId:LongInt):THandle; stdcall; external 'TitanEngine.dll' name 'ThreaderGetOpenHandleForThread';
function ThreaderGetThreadData():Pointer; stdcall; external 'TitanEngine.dll' name 'ThreaderGetThreadData';
function ThreaderIsExceptionInMainThread():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsExceptionInMainThread'; function ThreaderIsExceptionInMainThread():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsExceptionInMainThread';
{TitanEngine.Debugger.functions} {TitanEngine.Debugger.functions}
function StaticDisassembleEx(DisassmStart:LongInt; DisassmAddress:Pointer):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'StaticDisassembleEx'; function StaticDisassembleEx(DisassmStart:LongInt; DisassmAddress:Pointer):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'StaticDisassembleEx';


@ -747,9 +747,6 @@ PROCESS_INFORMATION = alien.defstruct{
-- __declspec(dllexport) long long __stdcall ThreaderGetOpenHandleForThread(DWORD ThreadId); -- __declspec(dllexport) long long __stdcall ThreaderGetOpenHandleForThread(DWORD ThreadId);
TitanEngine.ThreaderGetOpenHandleForThread:types {"long",abi="stdcall",ret="long"} TitanEngine.ThreaderGetOpenHandleForThread:types {"long",abi="stdcall",ret="long"}
TE_ThreaderGetOpenHandleForThread = TitanEngine.ThreaderGetOpenHandleForThread TE_ThreaderGetOpenHandleForThread = TitanEngine.ThreaderGetOpenHandleForThread
-- __declspec(dllexport) void* __stdcall ThreaderGetThreadData();
TitanEngine.ThreaderGetThreadData:types {abi="stdcall",ret="pointer"}
TE_ThreaderGetThreadData = TitanEngine.ThreaderGetThreadData
-- __declspec(dllexport) bool __stdcall ThreaderIsExceptionInMainThread(); -- __declspec(dllexport) bool __stdcall ThreaderIsExceptionInMainThread();
TitanEngine.ThreaderIsExceptionInMainThread:types {abi="stdcall",ret="byte"} TitanEngine.ThreaderIsExceptionInMainThread:types {abi="stdcall",ret="byte"}
TE_ThreaderIsExceptionInMainThread = TitanEngine.ThreaderIsExceptionInMainThread TE_ThreaderIsExceptionInMainThread = TitanEngine.ThreaderIsExceptionInMainThread


@ -549,7 +549,6 @@ ThreaderIsThreadActive proto stdcall :HANDLE
ThreaderIsAnyThreadActive proto stdcall ThreaderIsAnyThreadActive proto stdcall
ThreaderExecuteOnlyInjectedThreads proto stdcall ThreaderExecuteOnlyInjectedThreads proto stdcall
ThreaderGetOpenHandleForThread proto stdcall :DWORD ThreaderGetOpenHandleForThread proto stdcall :DWORD
ThreaderGetThreadData proto stdcall
ThreaderIsExceptionInMainThread proto stdcall ThreaderIsExceptionInMainThread proto stdcall
StaticDisassembleEx proto stdcall :DWORD, :LPVOID StaticDisassembleEx proto stdcall :DWORD, :LPVOID
StaticDisassemble proto stdcall :LPVOID StaticDisassemble proto stdcall :LPVOID


@ -644,7 +644,6 @@ TE.GetPEBLocation.restype = c_void_p
TE.GetPEBLocation64.restype = c_void_p TE.GetPEBLocation64.restype = c_void_p
TE.ThreaderGetThreadInfo.restype = POINTER(THREAD_ITEM_DATA) TE.ThreaderGetThreadInfo.restype = POINTER(THREAD_ITEM_DATA)
TE.ThreaderGetThreadData.restype = POINTER(THREAD_ITEM_DATA)
TE.InitDebug.restype = POINTER(PROCESS_INFORMATION) TE.InitDebug.restype = POINTER(PROCESS_INFORMATION)
TE.InitDebugW.restype = POINTER(PROCESS_INFORMATION) TE.InitDebugW.restype = POINTER(PROCESS_INFORMATION)


@ -2,4 +2,9 @@
#include "definitions.h" #include "definitions.h"
#include "Global.Threader.h" #include "Global.Threader.h"
LPVOID hListThread = 0; std::vector<THREAD_ITEM_DATA> hListThread;
void ClearThreadList()
{
std::vector<THREAD_ITEM_DATA>().swap(hListThread);
}
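Review bot: hListThread is now a std::vector that DebugLoop grows with push_back, so any PTHREAD_ITEM_DATA taken from it (HooksSafeTransitionEx does `&hListThread.at(i)`) is invalidated by the next reallocation, something the old fixed VirtualAlloc buffer never did; if the debug loop and the hook code can run on different threads this is also an unsynchronized write/read on a global, which is not decidable from this page. A short comment on the definition would record the constraint: `// Pointers into this vector do not survive push_back/erase; copy entries rather than holding a PTHREAD_ITEM_DATA across updates.` The swap-with-temporary in ClearThreadList releases the capacity as intended, but it does not close any hThread held by the entries, which is worth stating in a comment above the function since ForceClose relies on having closed them first.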


@ -1,6 +1,10 @@
#ifndef _GLOBAL_THREADER_H #ifndef _GLOBAL_THREADER_H
#define _GLOBAL_THREADER_H #define _GLOBAL_THREADER_H
extern LPVOID hListThread; #include <vector>
extern std::vector<THREAD_ITEM_DATA> hListThread;
void ClearThreadList();
#endif //_GLOBAL_THREADER_H #endif //_GLOBAL_THREADER_H
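Review bot: The header now declares `extern std::vector<THREAD_ITEM_DATA> hListThread;` but includes only <vector>, so it is not self-contained: THREAD_ITEM_DATA must already be visible, which in Global.Threader.cpp happens only because definitions.h is included first. Either include the header that defines THREAD_ITEM_DATA here (definitions.h, judging by the .cpp's include order) or state the ordering requirement in a comment next to the include. ClearThreadList() also deserves a one-line contract above its prototype, e.g. `// Empties hListThread and releases its storage; does not close any hThread, callers must do that first.` — ForceClose closes the handles before calling it.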


@ -4,6 +4,7 @@
#include "Global.Handle.h" #include "Global.Handle.h"
#include "Global.Threader.h" #include "Global.Threader.h"
#include "Global.Librarian.h" #include "Global.Librarian.h"
#include <vector>
__declspec(dllexport) void TITCALL ForceClose() __declspec(dllexport) void TITCALL ForceClose()
{ {
@ -12,7 +13,7 @@ __declspec(dllexport) void TITCALL ForceClose()
PPROCESS_ITEM_DATA hListProcessPtr = NULL; PPROCESS_ITEM_DATA hListProcessPtr = NULL;
PTHREAD_ITEM_DATA hListThreadPtr = NULL; PTHREAD_ITEM_DATA hListThreadPtr = NULL;
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL; PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
//manage lists
if(hListProcess != NULL) if(hListProcess != NULL)
{ {
hListProcessPtr = (PPROCESS_ITEM_DATA)hListProcess; hListProcessPtr = (PPROCESS_ITEM_DATA)hListProcess;
@ -31,35 +32,12 @@ __declspec(dllexport) void TITCALL ForceClose()
} }
RtlZeroMemory(hListProcess, MAX_DEBUG_DATA * sizeof PROCESS_ITEM_DATA); RtlZeroMemory(hListProcess, MAX_DEBUG_DATA * sizeof PROCESS_ITEM_DATA);
} }
if(hListThread != NULL)
{ int threadcount=hListThread.size();
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; for(int i=threadcount-1; i>-1; i--)
while(hListThreadPtr->hThread != NULL) EngineCloseHandle(hListThread.at(i).hThread);
{ ClearThreadList();
if(hListThreadPtr->hThread != (HANDLE)-1)
{
__try
{
if(EngineCloseHandle(hListThreadPtr->hThread))
{
hListThreadPtr->hThread = NULL;
hListThreadPtr->dwThreadId = NULL;
hListThreadPtr->ThreadLocalBase = NULL;
hListThreadPtr->ThreadStartAddress = NULL;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
hListThreadPtr->hThread = NULL;
hListThreadPtr->dwThreadId = NULL;
hListThreadPtr->ThreadLocalBase = NULL;
hListThreadPtr->ThreadStartAddress = NULL;
}
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
RtlZeroMemory(hListThread, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA);
}
if(hListLibrary != NULL) if(hListLibrary != NULL)
{ {
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary; hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
@ -70,23 +48,9 @@ __declspec(dllexport) void TITCALL ForceClose()
if(hListLibraryPtr->hFileMappingView != NULL) if(hListLibraryPtr->hFileMappingView != NULL)
{ {
UnmapViewOfFile(hListLibraryPtr->hFileMappingView); UnmapViewOfFile(hListLibraryPtr->hFileMappingView);
__try EngineCloseHandle(hListLibraryPtr->hFileMapping);
{
EngineCloseHandle(hListLibraryPtr->hFileMapping);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
__try
{
EngineCloseHandle(hListLibraryPtr->hFile);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
} }
EngineCloseHandle(hListLibraryPtr->hFile);
} }
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW); hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
} }
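Review bot: The new close loop `EngineCloseHandle(hListThread.at(i).hThread)` drops both guards the old code had: entries holding (HANDLE)-1 were skipped and the close was wrapped in __try. HooksSafeTransitionEx still tests `hThread != INVALID_HANDLE_VALUE` on the same list, so such entries can evidently exist; unless EngineCloseHandle validates the handle itself (not visible here), keep the test: `if(hListThread.at(i).hThread != INVALID_HANDLE_VALUE) EngineCloseHandle(hListThread.at(i).hThread);`. The __try removal around the two EngineCloseHandle calls in the library loop below rests on the same assumption. `int threadcount=hListThread.size()` narrows size_t to int, and `PTHREAD_ITEM_DATA hListThreadPtr = NULL;` is now unused and can go. ForceClose starts before the first hunk and ends after the last.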


@ -32,7 +32,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
bool hListThreadFirst = true; bool hListThreadFirst = true;
bool hListLibraryFirst = true; bool hListLibraryFirst = true;
PPROCESS_ITEM_DATA hListProcessPtr = NULL; PPROCESS_ITEM_DATA hListProcessPtr = NULL;
PTHREAD_ITEM_DATA hListThreadPtr = NULL; //PTHREAD_ITEM_DATA hListThreadPtr = NULL;
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL; PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
PLIBRARY_ITEM_DATAW hLoadedLibData = NULL; PLIBRARY_ITEM_DATAW hLoadedLibData = NULL;
PLIBRARY_BREAK_DATA ptrLibrarianData = NULL; PLIBRARY_BREAK_DATA ptrLibrarianData = NULL;
@ -142,17 +142,9 @@ __declspec(dllexport) void TITCALL DebugLoop()
RtlZeroMemory(hListProcess, MAX_DEBUG_DATA * sizeof PROCESS_ITEM_DATA); RtlZeroMemory(hListProcess, MAX_DEBUG_DATA * sizeof PROCESS_ITEM_DATA);
} }
} }
if(hListThread == NULL) if(hListThreadFirst) //clear thread list
{ ClearThreadList();
hListThread = VirtualAlloc(NULL, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA, MEM_COMMIT, PAGE_READWRITE);
}
else
{
if(hListThreadFirst == true)
{
RtlZeroMemory(hListThread, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA);
}
}
hListProcessPtr = (PPROCESS_ITEM_DATA)hListProcess; hListProcessPtr = (PPROCESS_ITEM_DATA)hListProcess;
hListProcessPtr->hFile = DBGEvent.u.CreateProcessInfo.hFile; hListProcessPtr->hFile = DBGEvent.u.CreateProcessInfo.hFile;
hListProcessPtr->hProcess = DBGEvent.u.CreateProcessInfo.hProcess; hListProcessPtr->hProcess = DBGEvent.u.CreateProcessInfo.hProcess;
@ -163,11 +155,13 @@ __declspec(dllexport) void TITCALL DebugLoop()
hListProcessPtr->ThreadStartAddress = (void*)DBGEvent.u.CreateProcessInfo.lpStartAddress; hListProcessPtr->ThreadStartAddress = (void*)DBGEvent.u.CreateProcessInfo.lpStartAddress;
hListProcessPtr->ThreadLocalBase = (void*)DBGEvent.u.CreateProcessInfo.lpThreadLocalBase; hListProcessPtr->ThreadLocalBase = (void*)DBGEvent.u.CreateProcessInfo.lpThreadLocalBase;
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; THREAD_ITEM_DATA NewThreadData;
hListThreadPtr->dwThreadId = DBGEvent.dwThreadId; memset(&NewThreadData, 0, sizeof(THREAD_ITEM_DATA));
hListThreadPtr->hThread = DBGEvent.u.CreateProcessInfo.hThread; NewThreadData.dwThreadId = DBGEvent.dwThreadId;
hListThreadPtr->ThreadStartAddress = (void*)DBGEvent.u.CreateProcessInfo.lpStartAddress; NewThreadData.hThread = DBGEvent.u.CreateProcessInfo.hThread;
hListThreadPtr->ThreadLocalBase = (void*)DBGEvent.u.CreateProcessInfo.lpThreadLocalBase; NewThreadData.ThreadStartAddress = (void*)DBGEvent.u.CreateProcessInfo.lpStartAddress;
NewThreadData.ThreadLocalBase = (void*)DBGEvent.u.CreateProcessInfo.lpThreadLocalBase;
hListThread.push_back(NewThreadData);
hListThreadFirst = false; hListThreadFirst = false;
} }
else //we have a valid handle already (which means a child process started) else //we have a valid handle already (which means a child process started)
@ -233,26 +227,13 @@ __declspec(dllexport) void TITCALL DebugLoop()
case CREATE_THREAD_DEBUG_EVENT: case CREATE_THREAD_DEBUG_EVENT:
{ {
//maintain thread list //maintain thread list
if(hListThread == NULL) THREAD_ITEM_DATA NewThreadData;
{ memset(&NewThreadData, 0, sizeof(THREAD_ITEM_DATA));
hListThread = VirtualAlloc(NULL, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA, MEM_COMMIT, PAGE_READWRITE); NewThreadData.dwThreadId = DBGEvent.dwThreadId;
} NewThreadData.hThread = DBGEvent.u.CreateThread.hThread;
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; NewThreadData.ThreadStartAddress = (void*)DBGEvent.u.CreateThread.lpStartAddress;
__try NewThreadData.ThreadLocalBase = (void*)DBGEvent.u.CreateThread.lpThreadLocalBase;
{ hListThread.push_back(NewThreadData);
while(hListThreadPtr->hThread != NULL)
{
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
hListThreadPtr->dwThreadId = DBGEvent.dwThreadId;
hListThreadPtr->hThread = DBGEvent.u.CreateThread.hThread;
hListThreadPtr->ThreadStartAddress = (void*)DBGEvent.u.CreateThread.lpStartAddress;
hListThreadPtr->ThreadLocalBase = (void*)DBGEvent.u.CreateThread.lpThreadLocalBase;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
//custom handler //custom handler
if(DBGCustomHandler->chCreateThread != NULL) if(DBGCustomHandler->chCreateThread != NULL)
@ -300,17 +281,15 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
//maintain thread list //maintain thread list
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; int threadcount=hListThread.size();
while(hListThreadPtr->hThread != NULL && hListThreadPtr->dwThreadId != DBGEvent.dwThreadId) for(int i=0; i<threadcount; i++)
{ {
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); if(hListThread.at(i).dwThreadId == DBGEvent.dwThreadId) //found the thread to remove
} {
if(hListThreadPtr->dwThreadId == DBGEvent.dwThreadId) //TODO: close handle?
{ hListThread.erase(hListThread.begin()+i);
hListThreadPtr->hThread = (HANDLE)-1; break;
hListThreadPtr->dwThreadId = NULL; }
hListThreadPtr->ThreadLocalBase = NULL;
hListThreadPtr->ThreadStartAddress = NULL;
} }
} }
break; break;
@ -590,16 +569,8 @@ __declspec(dllexport) void TITCALL DebugLoop()
myDBGContext.ContextFlags = CONTEXT_CONTROL; myDBGContext.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hActiveThread, &myDBGContext); GetThreadContext(hActiveThread, &myDBGContext);
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT) if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
{ myDBGContext.EFlags |= UE_TRAP_FLAG;
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_RESUME_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
}
if(!(myDBGContext.EFlags & 0x10000))
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x10000;
}
#if defined(_WIN64) #if defined(_WIN64)
myDBGContext.Rip = myDBGContext.Rip - FoundBreakPoint.BreakPointSize; myDBGContext.Rip = myDBGContext.Rip - FoundBreakPoint.BreakPointSize;
#else #else
@ -748,10 +719,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId); hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId);
myDBGContext.ContextFlags = CONTEXT_CONTROL; myDBGContext.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hActiveThread, &myDBGContext); GetThreadContext(hActiveThread, &myDBGContext);
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread); EngineCloseHandle(hActiveThread);
} }
@ -846,10 +814,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
if(DebugRegister[0].DrxEnabled) if(DebugRegister[0].DrxEnabled)
{ {
DBGCode = DBG_CONTINUE; DBGCode = DBG_CONTINUE;
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
myCustomHandler = (fCustomHandler)(DebugRegister[0].DrxCallBack); myCustomHandler = (fCustomHandler)(DebugRegister[0].DrxCallBack);
__try __try
@ -876,10 +841,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
if(DebugRegister[1].DrxEnabled) if(DebugRegister[1].DrxEnabled)
{ {
DBGCode = DBG_CONTINUE; DBGCode = DBG_CONTINUE;
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
myCustomHandler = (fCustomHandler)(DebugRegister[1].DrxCallBack); myCustomHandler = (fCustomHandler)(DebugRegister[1].DrxCallBack);
__try __try
@ -906,10 +868,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
if(DebugRegister[2].DrxEnabled) if(DebugRegister[2].DrxEnabled)
{ {
DBGCode = DBG_CONTINUE; DBGCode = DBG_CONTINUE;
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
myCustomHandler = (fCustomHandler)(DebugRegister[2].DrxCallBack); myCustomHandler = (fCustomHandler)(DebugRegister[2].DrxCallBack);
__try __try
@ -936,10 +895,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
if(DebugRegister[3].DrxEnabled) if(DebugRegister[3].DrxEnabled)
{ {
DBGCode = DBG_CONTINUE; DBGCode = DBG_CONTINUE;
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
myCustomHandler = (fCustomHandler)(DebugRegister[3].DrxCallBack); myCustomHandler = (fCustomHandler)(DebugRegister[3].DrxCallBack);
__try __try
@ -1023,10 +979,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else else
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1051,10 +1004,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else //restore the memory breakpoint else //restore the memory breakpoint
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1074,10 +1024,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else //no read operation, restore breakpoint else //no read operation, restore breakpoint
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1093,10 +1040,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else //restore breakpoint after trap flag else //restore breakpoint after trap flag
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1116,10 +1060,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else //no write operation, restore breakpoint else //no write operation, restore breakpoint
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1136,10 +1077,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else else
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1160,10 +1098,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
} }
else //no execute operation, restore breakpoint else //no execute operation, restore breakpoint
{ {
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_TRAP_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress; ResetMemBPXAddress = FoundBreakPoint.BreakPointAddress;
ResetMemBPXSize = FoundBreakPoint.BreakPointSize; ResetMemBPXSize = FoundBreakPoint.BreakPointSize;
@ -1241,16 +1176,8 @@ __declspec(dllexport) void TITCALL DebugLoop()
myDBGContext.ContextFlags = CONTEXT_CONTROL; myDBGContext.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hActiveThread, &myDBGContext); GetThreadContext(hActiveThread, &myDBGContext);
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT) if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
{ myDBGContext.EFlags |= UE_TRAP_FLAG;
if(!(myDBGContext.EFlags & 0x100)) myDBGContext.EFlags |= UE_RESUME_FLAG;
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
}
if(!(myDBGContext.EFlags & 0x10000))
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x10000;
}
SetThreadContext(hActiveThread, &myDBGContext); SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread); EngineCloseHandle(hActiveThread);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect); VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)FoundBreakPoint.BreakPointAddress, FoundBreakPoint.BreakPointSize, OldProtect, &OldProtect);
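Review bot: The braceless `if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)` is immediately followed by `myDBGContext.EFlags |= UE_RESUME_FLAG;`, in two places (the first and last hunks of this file); the resume-flag store is unconditional, which matches the old code, but the layout reads as if both stores were guarded. Write it as `if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT) { myDBGContext.EFlags |= UE_TRAP_FLAG; }` with the unconditional `myDBGContext.EFlags |= UE_RESUME_FLAG;` on its own line after the closing brace. The NewThreadData memset-and-fill sequence is duplicated between the CREATE_PROCESS and CREATE_THREAD paths and could be one static helper taking the thread id, handle, start address and TLS base, so the two cannot drift apart. On the `//TODO: close handle?` at the erase: as far as I recall the hThread delivered with CREATE_THREAD_DEBUG_EVENT is closed by the system once ContinueDebugEvent is called for the matching EXIT_THREAD_DEBUG_EVENT, so the TODO can be resolved with a comment stating that rather than a close — worth confirming against the ContinueDebugEvent documentation. DebugLoop starts and ends outside the hunks.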


@ -307,39 +307,22 @@ __declspec(dllexport) bool TITCALL DetachDebugger(DWORD ProcessId)
__declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId) __declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId)
{ {
ThreaderPauseProcess();
HANDLE hActiveThread; int threadcount=hListThread.size();
CONTEXT myDBGContext; for(int i=0; i<threadcount; i++)
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
if(hListThreadPtr != NULL)
{ {
ThreaderPauseProcess(); HANDLE hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT, false, hListThread.at(i).dwThreadId);
while(hListThreadPtr->hThread != NULL) CONTEXT myDBGContext;
{ myDBGContext.ContextFlags = CONTEXT_CONTROL;
hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, hListThreadPtr->dwThreadId); GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.ContextFlags = CONTEXT_CONTROL; myDBGContext.EFlags &= ~UE_TRAP_FLAG;
GetThreadContext(hActiveThread, &myDBGContext); myDBGContext.EFlags &= ~UE_RESUME_FLAG;
if((myDBGContext.EFlags & 0x100)) SetThreadContext(hActiveThread, &myDBGContext);
{ EngineCloseHandle(hActiveThread);
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
if(!(myDBGContext.EFlags & 0x10000))
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x10000;
}
SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread);
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
ContinueDebugEvent(DBGEvent.dwProcessId, DBGEvent.dwThreadId, DBG_CONTINUE);
ThreaderResumeProcess();
return(DetachDebugger(ProcessId));
}
else
{
return false;
} }
ContinueDebugEvent(DBGEvent.dwProcessId, DBGEvent.dwThreadId, DBG_CONTINUE);
ThreaderResumeProcess();
return DetachDebugger(ProcessId);
} }
__declspec(dllexport) void TITCALL AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack) __declspec(dllexport) void TITCALL AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack)
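Review bot: OpenThread's result is used unchecked at the top of the per-thread loop; on failure hActiveThread is NULL, GetThreadContext and SetThreadContext are then called on it with a CONTEXT that was never filled in, and EngineCloseHandle is passed NULL. Add `if(!hActiveThread) continue;` directly after the OpenThread call. Note also that the rewrite changes the function's contract: the old version returned false when no thread list existed, the new one always calls ContinueDebugEvent and DetachDebugger even when hListThread is empty — if that is intended it deserves a line in the commit message.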



@ -5,28 +5,28 @@
// TitanEngine.Hider.functions: // TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
{ {
ULONG RequiredLen = 0; ULONG RequiredLen = 0;
void * PebAddress = 0; void * PebAddress = 0;
PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
if(!myProcessBasicInformation) if(!myProcessBasicInformation)
return 0; return 0;
if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{ {
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
} }
else else
{ {
if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
{ {
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
} }
} }
VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE); VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
return PebAddress; return PebAddress;
} }
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess) __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
@ -36,11 +36,11 @@ __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
{ {
//Only WOW64 processes have 2 PEBs //Only WOW64 processes have 2 PEBs
DWORD peb32 = (DWORD)GetPEBLocation(hProcess); DWORD peb32 = (DWORD)GetPEBLocation(hProcess);
if (peb32) if (peb32)
{ {
peb32 += 0x1000; //PEB64 after PEB32 peb32 += 0x1000; //PEB64 after PEB32
return (void *)peb32; return (void *)peb32;
} }
} }
#endif //_WIN64 #endif //_WIN64
return 0; return 0;


@ -28,66 +28,51 @@ static bool ProcessHookScanAddNewHook(PHOOK_ENTRY HookDetails, void* ptrOriginal
// Global.Engine.Hook.functions: // Global.Engine.Hook.functions:
__declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart) __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart)
{ {
if(dbgProcessInformation.hProcess == NULL) //TODO: check
int i;
ULONG_PTR CurrentIP;
ULONG_PTR HookAddress;
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
PMEMORY_COMPARE_HANDLER myHookAddressArray;
if(dbgProcessInformation.hProcess == NULL)
{ {
if(!TransitionStart || ThreaderImportRunningThreadData(GetCurrentProcessId())) if(!TransitionStart || ThreaderImportRunningThreadData(GetCurrentProcessId()))
{ {
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; int threadcount=hListThread.size();
if(hListThreadPtr != NULL) for(int i=0; i<threadcount; i++)
{ {
while(hListThreadPtr->hThread != NULL) PTHREAD_ITEM_DATA hListThreadPtr=&hListThread.at(i);
if(hListThreadPtr->hThread != INVALID_HANDLE_VALUE)
{ {
if(hListThreadPtr->hThread != INVALID_HANDLE_VALUE) if(TransitionStart)
{ {
if(TransitionStart) if(hListThreadPtr->dwThreadId != GetCurrentThreadId())
{ {
if(hListThreadPtr->dwThreadId != GetCurrentThreadId()) SuspendThread(hListThreadPtr->hThread);
ULONG_PTR CurrentIP = (ULONG_PTR)GetContextDataEx(hListThreadPtr->hThread, UE_CIP);
PMEMORY_COMPARE_HANDLER myHookAddressArray = (PMEMORY_COMPARE_HANDLER)HookAddressArray;
for(int j=0; j<NumberOfHooks; j++)
{ {
SuspendThread(hListThreadPtr->hThread);
CurrentIP = (ULONG_PTR)GetContextDataEx(hListThreadPtr->hThread, UE_CIP);
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)HookAddressArray;
for(i = 0; i < NumberOfHooks; i++)
{
#if defined (_WIN64) #if defined (_WIN64)
HookAddress = (ULONG_PTR)myHookAddressArray->Array.qwArrayEntry[0]; ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.qwArrayEntry[0];
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR); myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR);
#else #else
HookAddress = (ULONG_PTR)myHookAddressArray->Array.dwArrayEntry[0]; ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.dwArrayEntry[0];
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR); myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR);
#endif #endif
while(CurrentIP >= (ULONG_PTR)HookAddress && CurrentIP <= (ULONG_PTR)HookAddress + 5) while(CurrentIP >= (ULONG_PTR)HookAddress && CurrentIP <= (ULONG_PTR)HookAddress + 5)
{ {
ResumeThread(hListThreadPtr->hThread); ResumeThread(hListThreadPtr->hThread);
Sleep(5); Sleep(5);
SuspendThread(hListThreadPtr->hThread); SuspendThread(hListThreadPtr->hThread);
CurrentIP = (ULONG_PTR)GetContextDataEx(hListThreadPtr->hThread, UE_CIP); CurrentIP = (ULONG_PTR)GetContextDataEx(hListThreadPtr->hThread, UE_CIP);
i = 0; j = 0;
}
} }
} }
} }
else
{
ResumeThread(hListThreadPtr->hThread);
EngineCloseHandle(hListThreadPtr->hThread);
}
} }
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); else
{
ResumeThread(hListThreadPtr->hThread);
EngineCloseHandle(hListThreadPtr->hThread);
}
} }
if(!TransitionStart)
{
VirtualFree(hListThread, NULL, MEM_RELEASE);
hListThread = NULL;
}
return true;
} }
return true;
} }
else else
{ {

@ -185,7 +185,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
if(WaitForThreadExit) if(WaitForThreadExit)
{ {
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId); hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL); NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
ResumeThread(hThread); ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE); WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE); VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);

@ -9,365 +9,201 @@
// TitanEngine.Threader.functions: // TitanEngine.Threader.functions:
__declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId) __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId)
{ {
if(dbgProcessInformation.hProcess != NULL || ProcessId == NULL)
HANDLE hSnapShot; return false;
std::vector<THREAD_ITEM_DATA>().swap(hListThread); //clear thread list
THREADENTRY32 ThreadEntry = {}; THREADENTRY32 ThreadEntry = {};
PTHREAD_ITEM_DATA hListThreadPtr = NULL; ThreadEntry.dwSize = sizeof THREADENTRY32;
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId);
if(dbgProcessInformation.hProcess == NULL && ProcessId != NULL) if(hSnapShot != INVALID_HANDLE_VALUE)
{ {
if(hListThread == NULL) if(Thread32First(hSnapShot, &ThreadEntry))
{ {
hListThread = VirtualAlloc(NULL, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA, MEM_COMMIT, PAGE_READWRITE); do
}
else
{
RtlZeroMemory(hListThread, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA);
}
ThreadEntry.dwSize = sizeof THREADENTRY32;
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId);
if(hSnapShot != INVALID_HANDLE_VALUE)
{
if(Thread32First(hSnapShot, &ThreadEntry))
{ {
do if(ThreadEntry.th32OwnerProcessID == ProcessId)
{ {
if(ThreadEntry.th32OwnerProcessID == ProcessId) THREAD_ITEM_DATA NewThreadData;
{ memset(&NewThreadData, 0, sizeof(THREAD_ITEM_DATA));
hListThreadPtr->dwThreadId = ThreadEntry.th32ThreadID; NewThreadData.dwThreadId = ThreadEntry.th32ThreadID;
hListThreadPtr->hThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION|THREAD_SUSPEND_RESUME, false, hListThreadPtr->dwThreadId); NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, false, NewThreadData.dwThreadId);
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); hListThread.push_back(NewThreadData);
}
} }
while(Thread32Next(hSnapShot, &ThreadEntry));
} }
EngineCloseHandle(hSnapShot); while(Thread32Next(hSnapShot, &ThreadEntry));
return true;
} }
EngineCloseHandle(hSnapShot);
return true;
} }
return false; return false;
} }
__declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId) __declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId)
{ {
if(!hThread && !ThreadId)
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; return NULL;
static THREAD_ITEM_DATA ThreadData;
if(hListThreadPtr != NULL) memset(&ThreadData, 0, sizeof(THREAD_ITEM_DATA));
{ int threadcount=hListThread.size();
if(hThread != NULL) for(int i=0; i<threadcount; i++)
if(hListThread.at(i).hThread == hThread || hListThread.at(i).dwThreadId == ThreadId)
{ {
while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) memcpy(&ThreadData, &hListThread.at(i), sizeof(THREAD_ITEM_DATA));
{ return &ThreadData;
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
if(hListThreadPtr->hThread == hThread)
{
return((void*)hListThreadPtr);
}
} }
else if(ThreadId != NULL) return NULL;
{
while(hListThreadPtr->hThread != NULL && hListThreadPtr->dwThreadId != ThreadId)
{
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
if(hListThreadPtr->dwThreadId == ThreadId)
{
return((void*)hListThreadPtr);
}
}
}
return(NULL);
} }
__declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack) __declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack)
{ {
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
typedef void(TITCALL *fEnumCallBack)(LPVOID fThreadDetail); typedef void(TITCALL *fEnumCallBack)(LPVOID fThreadDetail);
fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack; fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack;
int threadcount=hListThread.size();
if(hListThreadPtr != NULL) for(int i=0; i<threadcount; i++)
{ {
while(EnumCallBack != NULL && hListThreadPtr->hThread != NULL) __try
{ {
if(hListThreadPtr->hThread != NULL) myEnumCallBack(&hListThread.at(i));
{ }
__try __except(EXCEPTION_EXECUTE_HANDLER)
{ {
myEnumCallBack((void*)hListThreadPtr); break;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
EnumCallBack = NULL;
}
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
} }
} }
} }
__declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread) __declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread)
{ {
int threadcount=hListThread.size();
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; for(int i=0; i<threadcount; i++)
if(hListThread.at(i).hThread == hThread && SuspendThread(hThread) != -1)
if(hListThreadPtr != NULL) return true;
{
if(hThread != NULL)
{
while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread)
{
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
if(hListThreadPtr->hThread == hThread)
{
if(SuspendThread(hThread) != -1)
{
return true;
}
else
{
return false;
}
}
else
{
return false;
}
}
}
return false; return false;
} }
__declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread) __declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread)
{ {
int threadcount=hListThread.size();
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; for(int i=0; i<threadcount; i++)
if(hListThread.at(i).hThread == hThread && ResumeThread(hThread) != -1)
if(hListThreadPtr != NULL) return true;
{
if(hThread != NULL)
{
while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread)
{
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
if(hListThreadPtr->hThread == hThread)
{
if(ResumeThread(hThread) != -1)
{
return true;
}
else
{
return false;
}
}
else
{
return false;
}
}
}
return false; return false;
} }
__declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode) __declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode)
{ {
int threadcount=hListThread.size();
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; for(int i=0; i<threadcount; i++)
if(hListThread.at(i).hThread == hThread && TerminateThread(hThread, ThreadExitCode) != NULL)
if(hListThreadPtr != NULL)
{
if(hThread != NULL)
{ {
while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) hListThread.erase(hListThread.begin()+i);
{
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
if(hListThreadPtr->hThread == hThread)
{
if(TerminateThread(hThread, ThreadExitCode) != NULL)
{
hListThreadPtr->hThread = (HANDLE)-1;
hListThreadPtr->dwThreadId = NULL;
hListThreadPtr->ThreadLocalBase = NULL;
hListThreadPtr->ThreadStartAddress = NULL;
return true;
}
else
{
return false;
}
}
else
{
return false;
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning)
{
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
if(hListThreadPtr != NULL)
{
while(hListThreadPtr->hThread != NULL)
{
if(LeaveMainRunning)
{
if(hListThreadPtr->hThread != dbgProcessInformation.hThread)
{
SuspendThread((HANDLE)hListThreadPtr->hThread);
}
}
else
{
SuspendThread(hListThreadPtr->hThread);
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused)
{
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
if(hListThreadPtr != NULL)
{
while(hListThreadPtr->hThread != NULL)
{
if(LeaveMainPaused)
{
if(hListThreadPtr->hThread != dbgProcessInformation.hThread)
{
ResumeThread(hListThreadPtr->hThread);
}
}
else
{
ResumeThread(hListThreadPtr->hThread);
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL ThreaderPauseProcess()
{
return(ThreaderPauseAllThreads(false));
}
__declspec(dllexport) bool TITCALL ThreaderResumeProcess()
{
return(ThreaderResumeAllThreads(false));
}
__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{
HANDLE myThread;
if(dbgProcessInformation.hProcess != NULL)
{
if(!AutoCloseTheHandle)
{
return((ULONG_PTR)CreateRemoteThread(dbgProcessInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId));
}
else
{
myThread = CreateRemoteThread(dbgProcessInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
EngineCloseHandle(myThread);
return(NULL);
}
}
return(NULL);
}
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize)
{
LPVOID ThreadBase = 0;
ULONG_PTR ueNumberOfBytesRead = 0;
if(dbgProcessInformation.hProcess != NULL)
{
ThreadBase = VirtualAllocEx(dbgProcessInformation.hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(WriteProcessMemory(dbgProcessInformation.hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead))
{
ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL);
return true; return true;
} }
else
{
return false;
}
}
return false; return false;
} }
__declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning)
{
bool ret=true;
int threadcount=hListThread.size();
for(int i=0; i<threadcount; i++)
{
DWORD suspended;
if(LeaveMainRunning && hListThread.at(i).hThread != dbgProcessInformation.hThread)
suspended=SuspendThread(hListThread.at(i).hThread);
else
suspended=SuspendThread(hListThread.at(i).hThread);
if(suspended==-1)
ret=false;
}
return ret;
}
__declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused)
{
bool ret=true;
int threadcount=hListThread.size();
for(int i=0; i<threadcount; i++)
{
DWORD resumed;
if(LeaveMainPaused && hListThread.at(i).hThread != dbgProcessInformation.hThread)
resumed=ResumeThread(hListThread.at(i).hThread);
else
resumed=ResumeThread(hListThread.at(i).hThread);
if(resumed==-1)
ret=false;
}
return ret;
}
__declspec(dllexport) bool TITCALL ThreaderPauseProcess()
{
return ThreaderPauseAllThreads(false);
}
__declspec(dllexport) bool TITCALL ThreaderResumeProcess()
{
return ThreaderResumeAllThreads(false);
}
__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{
return ThreaderCreateRemoteThreadEx(dbgProcessInformation.hProcess, ThreadStartAddress, AutoCloseTheHandle, ThreadPassParameter, ThreadId);
}
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize)
{
return ThreaderInjectAndExecuteCodeEx(dbgProcessInformation.hProcess, InjectCode, StartDelta, InjectSize);
}
__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId) __declspec(dllexport) long long TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{ {
HANDLE myThread;
if(hProcess != NULL) if(hProcess != NULL)
{ {
if(!AutoCloseTheHandle) if(!AutoCloseTheHandle)
{ {
return((ULONG_PTR)CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId)); return (ULONG_PTR)CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
} }
else else
{ {
myThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId); HANDLE myThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
EngineCloseHandle(myThread); EngineCloseHandle(myThread);
return(NULL); return NULL;
} }
} }
return(NULL); return NULL;
} }
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize) __declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize)
{ {
LPVOID ThreadBase = 0;
ULONG_PTR ueNumberOfBytesRead = 0;
if(hProcess != NULL) if(hProcess != NULL)
{ {
ThreadBase = VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); LPVOID ThreadBase = VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
ULONG_PTR ueNumberOfBytesRead = 0;
if(WriteProcessMemory(hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead)) if(WriteProcessMemory(hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead))
{ {
ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL); ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL);
return true; return true;
} }
else else
{
return false; return false;
}
} }
return false; return false;
} }
__declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack) __declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack)
{ {
engineExitThreadOneShootCallBack = exitThreadCallBack; engineExitThreadOneShootCallBack = exitThreadCallBack;
} }
__declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread) __declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread)
{ {
CONTEXT myDBGContext; CONTEXT myDBGContext;
memset(&myDBGContext, 0, sizeof(CONTEXT));
RtlZeroMemory(&myDBGContext, sizeof CONTEXT);
myDBGContext.ContextFlags = CONTEXT_ALL; myDBGContext.ContextFlags = CONTEXT_ALL;
if(GetThreadContext(hThread, &myDBGContext)) return GetThreadContext(hThread, &myDBGContext);
{
return true;
}
else
{
return false;
}
} }
__declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread) __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread)
{ {
if(SuspendThread(hThread)) //if previous suspend count is above 0 (which means thread is suspended) if(SuspendThread(hThread)) //if previous suspend count is above 0 (which means thread is suspended)
@ -377,30 +213,18 @@ __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread)
} }
return false; return false;
} }
__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive() __declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive()
{ {
int threadcount=hListThread.size();
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; for(int i=0; i<threadcount; i++)
if(ThreaderIsThreadActive(hListThread.at(i).hThread))
if(hListThreadPtr != NULL) return true;
{ return false;
while(hListThreadPtr->hThread != NULL)
{
if(hListThreadPtr->hThread != (HANDLE)-1)
{
if(ThreaderIsThreadActive(hListThreadPtr->hThread))
{
return true;
}
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
}
return false;
} }
__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads() __declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads()
{ {
if(ThreaderPauseProcess()) if(ThreaderPauseProcess())
{ {
engineResumeProcessIfNoThreadIsActive = true; engineResumeProcessIfNoThreadIsActive = true;
@ -408,37 +232,19 @@ __declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads()
} }
return false; return false;
} }
__declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId) __declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId)
{ {
int threadcount=hListThread.size();
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; for(int i=0; i<threadcount; i++)
if(hListThread.at(i).dwThreadId == ThreadId)
if(hListThread != NULL) return (ULONG_PTR)hListThread.at(i).hThread;
{ return 0;
while(hListThreadPtr->hThread != NULL)
{
if(hListThreadPtr->hThread != (HANDLE)-1 && hListThreadPtr->dwThreadId == ThreadId)
{
return((ULONG_PTR)hListThreadPtr->hThread);
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
}
return(NULL);
}
__declspec(dllexport) void* TITCALL ThreaderGetThreadData()
{
return(hListThread);
} }
__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread() __declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread()
{ {
LPDEBUG_EVENT myDBGEvent; LPDEBUG_EVENT myDBGEvent;
myDBGEvent = (LPDEBUG_EVENT)GetDebugData(); myDBGEvent = (LPDEBUG_EVENT)GetDebugData();
if(myDBGEvent->dwThreadId == dbgProcessInformation.dwThreadId) return (myDBGEvent->dwThreadId == dbgProcessInformation.dwThreadId);
{
return true;
}
return false;
} }
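Review bot: In the rewritten ThreaderPauseAllThreads and ThreaderResumeAllThreads the `LeaveMainRunning`/`LeaveMainPaused` flag no longer has any effect, because both arms of the `if`/`else` call SuspendThread (resp. ResumeThread) on the same handle, so the debuggee's main thread is suspended or resumed even when the caller asked to leave it alone, whereas the removed code skipped `dbgProcessInformation.hThread` in that case. The loop body should instead read `if(LeaveMainRunning && hListThread.at(i).hThread == dbgProcessInformation.hThread) continue;` followed by `DWORD suspended=SuspendThread(hListThread.at(i).hThread);` (and the mirror image in ThreaderResumeAllThreads). ThreaderTerminateThread now erases the entry from the vector without closing the handle that ThreaderImportRunningThreadData opened on it, so `EngineCloseHandle(hThread);` before the erase is needed to avoid leaking one handle per terminated thread. ThreaderImportRunningThreadData also widens the OpenThread request from the four specific rights the old code asked for to THREAD_ALL_ACCESS, which is more than the Threader functions use and fails outright on a thread where only the narrower rights are granted; if the widening is meant to cover TerminateThread, adding THREAD_TERMINATE to the original mask is the least-privilege choice. ThreaderGetThreadInfo now returns a pointer to a function-local `static` copy instead of the live list entry, which is not safe when two threads call it concurrently and presumably breaks any caller that wrote through the returned pointer, so a comment at that line stating that the result is a read-only snapshot would be worth adding if the change is intended.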

@ -139,6 +139,7 @@
<Unit filename="aplib.h" /> <Unit filename="aplib.h" />
<Unit filename="definitions.h" /> <Unit filename="definitions.h" />
<Unit filename="distorm.h" /> <Unit filename="distorm.h" />
<Unit filename="ntdll.h" />
<Unit filename="resource.h" /> <Unit filename="resource.h" />
<Unit filename="scylla_wrapper.h" /> <Unit filename="scylla_wrapper.h" />
<Unit filename="stdafx.cpp" /> <Unit filename="stdafx.cpp" />

@ -324,7 +324,6 @@ ThreaderIsThreadActive
ThreaderIsAnyThreadActive ThreaderIsAnyThreadActive
ThreaderExecuteOnlyInjectedThreads ThreaderExecuteOnlyInjectedThreads
ThreaderGetOpenHandleForThread ThreaderGetOpenHandleForThread
ThreaderGetThreadData
StaticFileLoad StaticFileLoad
StaticFileLoadW StaticFileLoadW
StaticFileUnload StaticFileUnload

@ -29,11 +29,11 @@ extern "C" {
#endif #endif
unsigned int APLIB_CONVENTION aP_pack(const void *source, unsigned int APLIB_CONVENTION aP_pack(const void *source,
void *destination, void *destination,
unsigned int length, unsigned int length,
void *workmem, void *workmem,
int (__cdecl *callback)(unsigned int, unsigned int, unsigned int, void *), int (__cdecl *callback)(unsigned int, unsigned int, unsigned int, void *),
void *cbparam); void *cbparam);
unsigned int APLIB_CONVENTION aP_workmem_size(unsigned int inputsize); unsigned int APLIB_CONVENTION aP_workmem_size(unsigned int inputsize);
@ -44,27 +44,27 @@ unsigned int APLIB_CONVENTION aP_depack_asm(const void *source, void *destinatio
unsigned int APLIB_CONVENTION aP_depack_asm_fast(const void *source, void *destination); unsigned int APLIB_CONVENTION aP_depack_asm_fast(const void *source, void *destination);
unsigned int APLIB_CONVENTION aP_depack_asm_safe(const void *source, unsigned int APLIB_CONVENTION aP_depack_asm_safe(const void *source,
unsigned int srclen, unsigned int srclen,
void *destination, void *destination,
unsigned int dstlen); unsigned int dstlen);
unsigned int APLIB_CONVENTION aP_crc32(const void *source, unsigned int length); unsigned int APLIB_CONVENTION aP_crc32(const void *source, unsigned int length);
unsigned int APLIB_CONVENTION aPsafe_pack(const void *source, unsigned int APLIB_CONVENTION aPsafe_pack(const void *source,
void *destination, void *destination,
unsigned int length, unsigned int length,
void *workmem, void *workmem,
int (__cdecl *callback)(unsigned int, unsigned int, unsigned int, void *), int (__cdecl *callback)(unsigned int, unsigned int, unsigned int, void *),
void *cbparam); void *cbparam);
unsigned int APLIB_CONVENTION aPsafe_check(const void *source); unsigned int APLIB_CONVENTION aPsafe_check(const void *source);
unsigned int APLIB_CONVENTION aPsafe_get_orig_size(const void *source); unsigned int APLIB_CONVENTION aPsafe_get_orig_size(const void *source);
unsigned int APLIB_CONVENTION aPsafe_depack(const void *source, unsigned int APLIB_CONVENTION aPsafe_depack(const void *source,
unsigned int srclen, unsigned int srclen,
void *destination, void *destination,
unsigned int dstlen); unsigned int dstlen);
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */

@ -145,7 +145,6 @@ __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread);
__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive(); __declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive();
__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads(); __declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads();
__declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId); __declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId);
__declspec(dllexport) void* TITCALL ThreaderGetThreadData();
__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread(); __declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread();
// TitanEngine.Debugger.functions: // TitanEngine.Debugger.functions:
__declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress); __declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress);

@ -8,204 +8,210 @@
#pragma comment(lib, "ntdll_x64.lib") #pragma comment(lib, "ntdll_x64.lib")
#endif #endif
typedef LONG NTSTATUS; typedef LONG NTSTATUS;
typedef struct _UNICODE_STRING { typedef struct _UNICODE_STRING
USHORT Length; {
USHORT MaximumLength; USHORT Length;
PWSTR Buffer; USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION { typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION
ULONG Attributes; {
ACCESS_MASK GrantedAccess; ULONG Attributes;
ULONG HandleCount; ACCESS_MASK GrantedAccess;
ULONG PointerCount; ULONG HandleCount;
ULONG PointerCount;
ULONG Reserved[10]; // reserved for internal use ULONG Reserved[10]; // reserved for internal use
} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; } PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION;
typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION { typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION
{
UNICODE_STRING TypeName; UNICODE_STRING TypeName;
ULONG Reserved [22]; // reserved for internal use ULONG Reserved [22]; // reserved for internal use
} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION; } PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION;
typedef struct _PROCESS_BASIC_INFORMATION { typedef struct _PROCESS_BASIC_INFORMATION
PVOID Reserved1; {
PVOID PebBaseAddress; PVOID Reserved1;
PVOID Reserved2[2]; PVOID PebBaseAddress;
ULONG_PTR UniqueProcessId; PVOID Reserved2[2];
PVOID Reserved3; ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION; } PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
typedef enum _PROCESSINFOCLASS { typedef enum _PROCESSINFOCLASS
ProcessBasicInformation, {
ProcessQuotaLimits, ProcessBasicInformation,
ProcessIoCounters, ProcessQuotaLimits,
ProcessVmCounters, ProcessIoCounters,
ProcessTimes, ProcessVmCounters,
ProcessBasePriority, ProcessTimes,
ProcessRaisePriority, ProcessBasePriority,
ProcessDebugPort, ProcessRaisePriority,
ProcessExceptionPort, ProcessDebugPort,
ProcessAccessToken, ProcessExceptionPort,
ProcessLdtInformation, ProcessAccessToken,
ProcessLdtSize, ProcessLdtInformation,
ProcessDefaultHardErrorMode, ProcessLdtSize,
ProcessIoPortHandlers, // Note: this is kernel mode only ProcessDefaultHardErrorMode,
ProcessPooledUsageAndLimits, ProcessIoPortHandlers, // Note: this is kernel mode only
ProcessWorkingSetWatch, ProcessPooledUsageAndLimits,
ProcessUserModeIOPL, ProcessWorkingSetWatch,
ProcessEnableAlignmentFaultFixup, ProcessUserModeIOPL,
ProcessPriorityClass, ProcessEnableAlignmentFaultFixup,
ProcessWx86Information, ProcessPriorityClass,
ProcessHandleCount, ProcessWx86Information,
ProcessAffinityMask, ProcessHandleCount,
ProcessPriorityBoost, ProcessAffinityMask,
ProcessDeviceMap, ProcessPriorityBoost,
ProcessSessionInformation, ProcessDeviceMap,
ProcessForegroundInformation, ProcessSessionInformation,
ProcessWow64Information, ProcessForegroundInformation,
ProcessImageFileName, ProcessWow64Information,
ProcessLUIDDeviceMapsEnabled, ProcessImageFileName,
ProcessBreakOnTermination, ProcessLUIDDeviceMapsEnabled,
ProcessDebugObjectHandle, ProcessBreakOnTermination,
ProcessDebugFlags, ProcessDebugObjectHandle,
ProcessHandleTracing, ProcessDebugFlags,
ProcessIoPriority, ProcessHandleTracing,
ProcessExecuteFlags, ProcessIoPriority,
ProcessResourceManagement, ProcessExecuteFlags,
ProcessCookie, ProcessResourceManagement,
ProcessImageInformation, ProcessCookie,
MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum ProcessImageInformation,
MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS; } PROCESSINFOCLASS;
typedef enum _SYSTEM_INFORMATION_CLASS { typedef enum _SYSTEM_INFORMATION_CLASS
SystemBasicInformation, {
SystemProcessorInformation, // obsolete...delete SystemBasicInformation,
SystemPerformanceInformation, SystemProcessorInformation, // obsolete...delete
SystemTimeOfDayInformation, SystemPerformanceInformation,
SystemPathInformation, SystemTimeOfDayInformation,
SystemProcessInformation, SystemPathInformation,
SystemCallCountInformation, SystemProcessInformation,
SystemDeviceInformation, SystemCallCountInformation,
SystemProcessorPerformanceInformation, SystemDeviceInformation,
SystemFlagsInformation, SystemProcessorPerformanceInformation,
SystemCallTimeInformation, SystemFlagsInformation,
SystemModuleInformation, SystemCallTimeInformation,
SystemLocksInformation, SystemModuleInformation,
SystemStackTraceInformation, SystemLocksInformation,
SystemPagedPoolInformation, SystemStackTraceInformation,
SystemNonPagedPoolInformation, SystemPagedPoolInformation,
SystemHandleInformation, SystemNonPagedPoolInformation,
SystemObjectInformation, SystemHandleInformation,
SystemPageFileInformation, SystemObjectInformation,
SystemVdmInstemulInformation, SystemPageFileInformation,
SystemVdmBopInformation, SystemVdmInstemulInformation,
SystemFileCacheInformation, SystemVdmBopInformation,
SystemPoolTagInformation, SystemFileCacheInformation,
SystemInterruptInformation, SystemPoolTagInformation,
SystemDpcBehaviorInformation, SystemInterruptInformation,
SystemFullMemoryInformation, SystemDpcBehaviorInformation,
SystemLoadGdiDriverInformation, SystemFullMemoryInformation,
SystemUnloadGdiDriverInformation, SystemLoadGdiDriverInformation,
SystemTimeAdjustmentInformation, SystemUnloadGdiDriverInformation,
SystemSummaryMemoryInformation, SystemTimeAdjustmentInformation,
SystemMirrorMemoryInformation, SystemSummaryMemoryInformation,
SystemPerformanceTraceInformation, SystemMirrorMemoryInformation,
SystemObsolete0, SystemPerformanceTraceInformation,
SystemExceptionInformation, SystemObsolete0,
SystemCrashDumpStateInformation, SystemExceptionInformation,
SystemKernelDebuggerInformation, SystemCrashDumpStateInformation,
SystemContextSwitchInformation, SystemKernelDebuggerInformation,
SystemRegistryQuotaInformation, SystemContextSwitchInformation,
SystemExtendServiceTableInformation, SystemRegistryQuotaInformation,
SystemPrioritySeperation, SystemExtendServiceTableInformation,
SystemVerifierAddDriverInformation, SystemPrioritySeperation,
SystemVerifierRemoveDriverInformation, SystemVerifierAddDriverInformation,
SystemProcessorIdleInformation, SystemVerifierRemoveDriverInformation,
SystemLegacyDriverInformation, SystemProcessorIdleInformation,
SystemCurrentTimeZoneInformation, SystemLegacyDriverInformation,
SystemLookasideInformation, SystemCurrentTimeZoneInformation,
SystemTimeSlipNotification, SystemLookasideInformation,
SystemSessionCreate, SystemTimeSlipNotification,
SystemSessionDetach, SystemSessionCreate,
SystemSessionInformation, SystemSessionDetach,
SystemRangeStartInformation, SystemSessionInformation,
SystemVerifierInformation, SystemRangeStartInformation,
SystemVerifierThunkExtend, SystemVerifierInformation,
SystemSessionProcessInformation, SystemVerifierThunkExtend,
SystemLoadGdiDriverInSystemSpace, SystemSessionProcessInformation,
SystemNumaProcessorMap, SystemLoadGdiDriverInSystemSpace,
SystemPrefetcherInformation, SystemNumaProcessorMap,
SystemExtendedProcessInformation, SystemPrefetcherInformation,
SystemRecommendedSharedDataAlignment, SystemExtendedProcessInformation,
SystemComPlusPackage, SystemRecommendedSharedDataAlignment,
SystemNumaAvailableMemory, SystemComPlusPackage,
SystemProcessorPowerInformation, SystemNumaAvailableMemory,
SystemEmulationBasicInformation, SystemProcessorPowerInformation,
SystemEmulationProcessorInformation, SystemEmulationBasicInformation,
SystemExtendedHandleInformation, SystemEmulationProcessorInformation,
SystemLostDelayedWriteInformation, SystemExtendedHandleInformation,
SystemBigPoolInformation, SystemLostDelayedWriteInformation,
SystemSessionPoolTagInformation, SystemBigPoolInformation,
SystemSessionMappedViewInformation, SystemSessionPoolTagInformation,
SystemHotpatchInformation, SystemSessionMappedViewInformation,
SystemObjectSecurityMode, SystemHotpatchInformation,
SystemWatchdogTimerHandler, SystemObjectSecurityMode,
SystemWatchdogTimerInformation, SystemWatchdogTimerHandler,
SystemLogicalProcessorInformation, SystemWatchdogTimerInformation,
SystemWow64SharedInformation, SystemLogicalProcessorInformation,
SystemRegisterFirmwareTableInformationHandler, SystemWow64SharedInformation,
SystemFirmwareTableInformation, SystemRegisterFirmwareTableInformationHandler,
SystemModuleInformationEx, SystemFirmwareTableInformation,
SystemVerifierTriageInformation, SystemModuleInformationEx,
SystemSuperfetchInformation, SystemVerifierTriageInformation,
SystemMemoryListInformation, SystemSuperfetchInformation,
SystemFileCacheInformationEx, SystemMemoryListInformation,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS; } SYSTEM_INFORMATION_CLASS;
typedef enum _OBJECT_INFORMATION_CLASS { typedef enum _OBJECT_INFORMATION_CLASS
ObjectBasicInformation, {
ObjectNameInformation, ObjectBasicInformation,
ObjectTypeInformation, ObjectNameInformation,
ObjectTypesInformation, ObjectTypeInformation,
ObjectHandleFlagInformation, ObjectTypesInformation,
ObjectSessionInformation, ObjectHandleFlagInformation,
MaxObjectInfoClass // MaxObjectInfoClass should always be the last enum ObjectSessionInformation,
MaxObjectInfoClass // MaxObjectInfoClass should always be the last enum
} OBJECT_INFORMATION_CLASS; } OBJECT_INFORMATION_CLASS;
typedef enum _THREADINFOCLASS { typedef enum _THREADINFOCLASS
ThreadBasicInformation, {
ThreadTimes, ThreadBasicInformation,
ThreadPriority, ThreadTimes,
ThreadBasePriority, ThreadPriority,
ThreadAffinityMask, ThreadBasePriority,
ThreadImpersonationToken, ThreadAffinityMask,
ThreadDescriptorTableEntry, ThreadImpersonationToken,
ThreadEnableAlignmentFaultFixup, ThreadDescriptorTableEntry,
ThreadEventPair_Reusable, ThreadEnableAlignmentFaultFixup,
ThreadQuerySetWin32StartAddress, ThreadEventPair_Reusable,
ThreadZeroTlsCell, ThreadQuerySetWin32StartAddress,
ThreadPerformanceCount, ThreadZeroTlsCell,
ThreadAmILastThread, ThreadPerformanceCount,
ThreadIdealProcessor, ThreadAmILastThread,
ThreadPriorityBoost, ThreadIdealProcessor,
ThreadSetTlsArrayAddress, ThreadPriorityBoost,
ThreadIsIoPending, ThreadSetTlsArrayAddress,
ThreadHideFromDebugger, ThreadIsIoPending,
ThreadBreakOnTermination, ThreadHideFromDebugger,
ThreadSwitchLegacyState, ThreadBreakOnTermination,
ThreadIsTerminated, ThreadSwitchLegacyState,
MaxThreadInfoClass ThreadIsTerminated,
MaxThreadInfoClass
} THREADINFOCLASS; } THREADINFOCLASS;
@ -213,47 +219,47 @@ typedef enum _THREADINFOCLASS {
extern "C" { extern "C" {
#endif #endif
NTSYSCALLAPI NTSYSCALLAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtQueryInformationProcess ( NtQueryInformationProcess (
__in HANDLE ProcessHandle, __in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass, __in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation, __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength, __in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength __out_opt PULONG ReturnLength
); );
NTSYSCALLAPI NTSYSCALLAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtQueryObject ( NtQueryObject (
__in HANDLE Handle, __in HANDLE Handle,
__in OBJECT_INFORMATION_CLASS ObjectInformationClass, __in OBJECT_INFORMATION_CLASS ObjectInformationClass,
__out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation, __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
__in ULONG ObjectInformationLength, __in ULONG ObjectInformationLength,
__out_opt PULONG ReturnLength __out_opt PULONG ReturnLength
); );
NTSYSCALLAPI NTSYSCALLAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtQuerySystemInformation ( NtQuerySystemInformation (
__in SYSTEM_INFORMATION_CLASS SystemInformationClass, __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__out_bcount_opt(SystemInformationLength) PVOID SystemInformation, __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
__in ULONG SystemInformationLength, __in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength __out_opt PULONG ReturnLength
); );
NTSYSCALLAPI NTSYSCALLAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtSetInformationThread ( NtSetInformationThread (
__in HANDLE ThreadHandle, __in HANDLE ThreadHandle,
__in THREADINFOCLASS ThreadInformationClass, __in THREADINFOCLASS ThreadInformationClass,
__in_bcount(ThreadInformationLength) PVOID ThreadInformation, __in_bcount(ThreadInformationLength) PVOID ThreadInformation,
__in ULONG ThreadInformationLength __in ULONG ThreadInformationLength
); );
#ifdef __cplusplus #ifdef __cplusplus
}; };


@ -31,6 +31,9 @@
#define MAXIMUM_INSTRUCTION_SIZE (40) #define MAXIMUM_INSTRUCTION_SIZE (40)
#define MAX_RET_SEARCH_INSTRUCTIONS (100) #define MAX_RET_SEARCH_INSTRUCTIONS (100)
#define UE_TRAP_FLAG (0x100)
#define UE_RESUME_FLAG (0x10000)
#define UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS 0 #define UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS 0
#define UE_OPTION_IMPORTER_REALIGN_APIADDRESS 1 #define UE_OPTION_IMPORTER_REALIGN_APIADDRESS 1
#define UE_OPTION_IMPORTER_RETURN_APINAME 2 //no kernelbase #define UE_OPTION_IMPORTER_RETURN_APINAME 2 //no kernelbase
@ -923,7 +926,7 @@ struct _PEB_T
T ProcessHeaps; T ProcessHeaps;
//FULL PEB not needed //FULL PEB not needed
/* T GdiSharedHandleTable; /* T GdiSharedHandleTable;
T ProcessStarterHelper; T ProcessStarterHelper;
T GdiDCAttributeList; T GdiDCAttributeList;
T LoaderLock; T LoaderLock;