diff --git a/TitanEngine/Global.Helper.cpp b/TitanEngine/Global.Helper.cpp new file mode 100644 index 0000000..58ffe06 --- /dev/null +++ b/TitanEngine/Global.Helper.cpp @@ -0,0 +1,40 @@ +#include "stdafx.h" +#include "Global.Helper.h" + + + +bool IsStrEqual( const char* const a, const char* const b, bool considercase/*=true*/ ) +{ + const int stringlen = std::strlen(a); + if(stringlen != std::strlen(b)) + return false; //cheap + + if(considercase) + { + //plain old strcmp + return std::strcmp(a, b)==0; + } + else + { + for(int i=0; i +#include + +/* +Compares two strings +a : string 1 +b : string 2 +considercase : casesensitivity +*/ +bool IsStrEqual(const char* const a, const char* const b, bool considercase=true); + +/* +A basic dynamic buffer, exception free. +*/ +class DynBuf +{ +public: + DynBuf(size_t sz=0) + { + Allocate(sz); + } + typedef std::vector DynBufVec; + + void* Allocate(size_t sz) + { + void* r=NULL; + try + { + if(Size() < sz) + mem.resize(sz); + if(Size()) + r = GetPtr(); + if(r && sz) + memset(r, 0, sz); + } + catch(...) + { + } + + return r; + } + void* GetPtr() + { + if(Size()) + return &mem.front(); //in c++11: .data() + return NULL; + } + void Free() + { + mem.clear(); + } + DynBufVec& GetVector() + { + return mem; + } + const DynBufVec& GetVector() const + { + return mem; + } + size_t Size() const + { + return mem.size(); + } + + +protected: + char& operator[](std::size_t idx) + { + return mem[idx]; + }; + const char& operator[](std::size_t idx) const + { + return mem[idx]; + }; + + DynBufVec mem; +}; + + +//Unused malloc/free wrappers + +/* +malloc wrapper +*/ +void* MemAlloc(size_t sz); + +/* +free wrapper +*/ +void MemFree(void* mem); + + + +#endif // Helper_h__ + diff --git a/TitanEngine/Global.OEPFinder.cpp b/TitanEngine/Global.OEPFinder.cpp index d8d01a8..e11a7b9 100644 --- a/TitanEngine/Global.OEPFinder.cpp +++ b/TitanEngine/Global.OEPFinder.cpp 
@@ -54,7 +54,8 @@ void GenericOEPTraceHited() { int i; - void* lpHashBuffer; + //void* lpHashBuffer; + char lpHashBuffer[0x1000] = {0}; bool FakeEPDetected = false; ULONG_PTR NumberOfBytesRW; LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData(); @@ -84,12 +85,11 @@ void GenericOEPTraceHited() { glbEntryTracerData.SectionData[i].AccessedAlready = true; } - lpHashBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - memBpxAddress = (glbEntryTracerData.MemoryAccessed / 0x1000) * 0x1000; + memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer); memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress; - if(memBpxSize > 0x1000) + if(memBpxSize > sizeof(lpHashBuffer)) { - memBpxSize = 0x1000; + memBpxSize = sizeof(lpHashBuffer); } if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW)) { @@ -107,7 +107,6 @@ void GenericOEPTraceHited() FakeEPDetected = true; } } - VirtualFree(lpHashBuffer, NULL, MEM_RELEASE); if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false) { __try diff --git a/TitanEngine/TitanEngine.Debugger.Helper.cpp b/TitanEngine/TitanEngine.Debugger.Helper.cpp index 49f9aab..65b142c 100644 --- a/TitanEngine/TitanEngine.Debugger.Helper.cpp +++ b/TitanEngine/TitanEngine.Debugger.Helper.cpp @@ -210,7 +210,7 @@ __declspec(dllexport) long long TITCALL GetFunctionParameter(HANDLE hProcess, DW __declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps) { - LPVOID ReadMemory; + char ReadMemory[MAXIMUM_INSTRUCTION_SIZE] = {0}; MEMORY_BASIC_INFORMATION MemInfo; ULONG_PTR ueNumberOfBytesRead = NULL; PMEMORY_CMP_HANDLER CompareMemory; 
@@ -224,9 +224,6 @@ __declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, UL VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); if(MemInfo.RegionSize > NULL) { - ReadMemory = VirtualAlloc(NULL, MAXIMUM_INSTRUCTION_SIZE, MEM_COMMIT, PAGE_READWRITE); - if(!ReadMemory) - return 0; if(ReadProcessMemory(hProcess, (LPVOID)InstructionAddress, ReadMemory, MAXIMUM_INSTRUCTION_SIZE, &ueNumberOfBytesRead)) { CompareMemory = (PMEMORY_CMP_HANDLER)ReadMemory; @@ -358,7 +355,6 @@ __declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, UL ReadProcessMemory(hProcess, (LPVOID)TargetedAddress, &TargetedAddress, 4, &ueNumberOfBytesRead); } } - VirtualFree(ReadMemory, NULL, MEM_RELEASE); return((ULONG_PTR)TargetedAddress); } return(NULL); diff --git a/TitanEngine/TitanEngine.Debugger.Memory.cpp b/TitanEngine/TitanEngine.Debugger.Memory.cpp index ca6a758..9a8688e 100644 --- a/TitanEngine/TitanEngine.Debugger.Memory.cpp +++ b/TitanEngine/TitanEngine.Debugger.Memory.cpp @@ -7,9 +7,10 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT { if(!MemoryToCheck || !PatternToMatch) return false; - int i = NULL; - BYTE intWildCard = NULL; + int i = 0; + BYTE intWildCard = 0; LPVOID ueReadBuffer = NULL; + DynBuf ueReadBuf; ULONG_PTR ueNumberOfBytesRead = NULL; MEMORY_BASIC_INFORMATION memoryInformation = {}; PMEMORY_COMPARE_HANDLER memCmp = (PMEMORY_COMPARE_HANDLER)MemoryToCheck; 
@@ -23,8 +24,8 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT { if(hProcess != GetCurrentProcess()) { - ueReadBuffer = VirtualAlloc(NULL, SizeOfMemoryToCheck, MEM_COMMIT, PAGE_READWRITE); - if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) + ueReadBuffer = ueReadBuf.Allocate(SizeOfMemoryToCheck); + if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) { if(ueNumberOfBytesRead == NULL) { @@ -33,7 +34,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck); if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } else @@ -43,7 +43,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -68,12 +67,10 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT SizeOfPatternToMatch--; i++; } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return true; } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } @@ -101,6 +98,7 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta int j = NULL; ULONG_PTR Return = NULL; LPVOID ueReadBuffer = NULL; + DynBuf ueReadBuf; PUCHAR SearchBuffer = NULL; PUCHAR CompareBuffer = NULL; MEMORY_BASIC_INFORMATION memoryInformation = {}; 
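Review bot: A NULL return from `ueReadBuf.Allocate(SizeOfMemoryToCheck)` is handled like a successful read, because `ueReadBuffer && !ReadProcessMemory(...)` is false when the buffer is NULL and control continues on the path taken after a good read. DynBuf::Allocate swallows allocation exceptions and returns NULL, and a fresh DynBuf also returns NULL for a size of 0, so that path is reachable. Reject it up front with `if(!ueReadBuffer) return false;` and keep the ReadProcessMemory condition as it was. FindEx uses the same guard around `ueReadBuf.Allocate(MemorySize)` and needs the equivalent `return(NULL);`. MatchPatternEx continues outside the hunk, so what the fall-through path dereferences is not visible here.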
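Review bot: The retry read can write past the buffer: `SizeOfMemoryToCheck` is recomputed from `memoryInformation.RegionSize` and passed to the second `ReadProcessMemory`, while `ueReadBuffer` keeps the size given to the earlier `Allocate` call, and nothing visible keeps the new length at or below that size. VirtualAlloc rounded the old allocation up to whole pages; the vector behind DynBuf is sized to the request, so an oversized retry would now land on adjacent heap memory. Bound it before the retry, e.g. `if(SizeOfMemoryToCheck <= 0 || (size_t)SizeOfMemoryToCheck > ueReadBuf.Size()) return false;`. FindEx has the same retry with `MemorySize`.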
@@ -117,8 +115,8 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta { if(hProcess != GetCurrentProcess()) { - ueReadBuffer = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); - if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) + ueReadBuffer = ueReadBuf.Allocate(MemorySize); + if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) { if(ueNumberOfBytesRead == NULL) { @@ -127,7 +125,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart); if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } else @@ -137,7 +134,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -172,12 +168,10 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta Return = (ULONG_PTR)MemoryStart + i; } } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(Return); } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -313,7 +307,8 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart ULONG_PTR CurrentFoundPattern; LPVOID cMemoryStart = MemoryStart; DWORD cMemorySize = MemorySize; - LPVOID lpReadMemory = VirtualAlloc(NULL, PatternSize, MEM_COMMIT, PAGE_READWRITE); + DynBuf lpReadMem; + LPVOID lpReadMemory = lpReadMem.Allocate(PatternSize); CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard); NumberOfRepetitions--; 
@@ -335,7 +330,6 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard); NumberOfRepetitions--; } - VirtualFree(lpReadMemory, NULL, MEM_RELEASE); if(NumberOfRepetitions != NULL) { return false; @@ -455,4 +449,4 @@ __declspec(dllexport) bool TITCALL MemoryWriteSafe(HANDLE hProcess, LPVOID lpBas BreakPointPostWriteFilter((ULONG_PTR)lpBaseAddress, nSize, &lock); return retValue; -} \ No newline at end of file +} diff --git a/TitanEngine/TitanEngine.Disassembler.cpp b/TitanEngine/TitanEngine.Disassembler.cpp index 391a7ad..a98f954 100644 --- a/TitanEngine/TitanEngine.Disassembler.cpp +++ b/TitanEngine/TitanEngine.Disassembler.cpp @@ -65,7 +65,8 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass _DecodeType DecodingType = Decode64Bits; #endif ULONG_PTR ueNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000); MEMORY_BASIC_INFORMATION MemInfo; DWORD MaxDisassmSize; @@ -101,7 +102,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass if(rpm) { DecodingResult = distorm_decode((ULONG_PTR)DisassmAddress, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, engineDecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); RtlZeroMemory(&engineDisassembledInstruction, 128); lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p); if(!ReturnInstructionType) @@ -116,7 +116,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } 
@@ -127,7 +126,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -185,7 +183,8 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D _DecodeType DecodingType = Decode64Bits; #endif ULONG_PTR ueNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000); MEMORY_BASIC_INFORMATION MemInfo; DWORD MaxDisassmSize; @@ -210,12 +209,10 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D if(ReadProcessMemory(hProcess, (LPVOID)DisassmAddress, ueReadBuffer, MaxDisassmSize, &ueNumberOfBytesRead)) { DecodingResult = distorm_decode(NULL, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, DecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(DecodedInstructions[0].size); } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(-1); } } @@ -226,7 +223,6 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(-1); } } diff --git a/TitanEngine/TitanEngine.Dumper.cpp b/TitanEngine/TitanEngine.Dumper.cpp index 2973df8..ce6de1e 100644 --- a/TitanEngine/TitanEngine.Dumper.cpp +++ b/TitanEngine/TitanEngine.Dumper.cpp 
@@ -36,8 +36,9 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas LPVOID ReadBase = ImageBase; SIZE_T CalculatedHeaderSize = NULL; SIZE_T AlignedHeaderSize = NULL; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf, ueCopyBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000); + LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000); if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead)) { 
@@ -47,30 +48,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas if ((DOSHeader->e_lfanew > 0x500) || (DOSHeader->e_magic != IMAGE_DOS_SIGNATURE) || (PEHeader32->Signature != IMAGE_NT_SIGNATURE)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); - return false; - } - - CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections); - if(CalculatedHeaderSize > 0x1000) //SectionAlignment, the default value is the page size for the system. - { - if(CalculatedHeaderSize % 0x1000 != NULL) + if(CalculatedHeaderSize % 0x1000 == NULL) { - AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000; + AlignedHeaderSize = 0x1000; } else { AlignedHeaderSize = CalculatedHeaderSize; } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); - ueReadBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE); - ueCopyBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE); + ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize); + ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize); if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } else @@ -98,8 +87,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } if(!FileIs64) @@ -173,8 +160,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } } EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } __except(EXCEPTION_EXECUTE_HANDLER) 
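Review bot: The invalid-header rejection is gone from this check: the `return false;` after the `e_lfanew` / `e_magic` / `Signature` test was removed together with the `CalculatedHeaderSize` computation, so the block that re-reads the header is now entered when validation fails rather than when the header exceeds 0x1000. `CalculatedHeaderSize` is not assigned anywhere in the visible code after its `= NULL` initialisation, so the `% 0x1000 == NULL` branch always selects `AlignedHeaderSize = 0x1000`. These fields are read from the target process, so the signature test should keep returning false, and the size computation should be restored and bounded before it reaches `ueReadBuf.Allocate`. If the resize path stays, any pointers derived from `ueReadBuffer` (presumably `DOSHeader` and `PEHeader32`) must be re-derived afterwards, because a growing DynBuf can move its storage. The else branch that follows is outside the hunk, so confirm against the full function.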
@@ -255,13 +240,10 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } } EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } __except(EXCEPTION_EXECUTE_HANDLER) { - } } } @@ -275,8 +257,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } if (ueReadBuffer != 0) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); } return false; @@ -339,7 +319,7 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta HANDLE hFile = 0; LPVOID ReadBase = MemoryStart; ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase; - LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ueCopyBuffer[0x2000] = {0}; EngineCreatePathForFileW(szDumpFileName); hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); @@ -369,10 +349,8 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta ProcReadBase = (ULONG_PTR)ReadBase + 0x1000; } EngineCloseHandle(hFile); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } diff --git a/TitanEngine/TitanEngine.Exporter.cpp b/TitanEngine/TitanEngine.Exporter.cpp index 4454a51..2720c29 100644 --- a/TitanEngine/TitanEngine.Exporter.cpp +++ b/TitanEngine/TitanEngine.Exporter.cpp @@ -152,6 +152,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace PIMAGE_NT_HEADERS32 PEHeader32; PIMAGE_NT_HEADERS64 PEHeader64; LPVOID expBuildExportData; + DynBuf expBuildExportDyn; LPVOID expBuildExportDataCWP; DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false); ULONG_PTR TempULONG; 
@@ -160,7 +161,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace if(expTableDataCWP != NULL) { - expBuildExportData = VirtualAlloc(NULL, ExporterEstimatedSize(), MEM_COMMIT, PAGE_READWRITE); + expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize()); expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY); expExportData.NumberOfNames = expExportNumber; @@ -210,7 +211,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(expBuildExportData, NULL, MEM_RELEASE); ExporterCleanup(); return false; } @@ -246,7 +246,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace } } } - VirtualFree(expBuildExportData, NULL, MEM_RELEASE); ExporterCleanup(); return true; } diff --git a/TitanEngine/TitanEngine.Handler.cpp b/TitanEngine/TitanEngine.Handler.cpp index f812bc6..10fd5c7 100644 --- a/TitanEngine/TitanEngine.Handler.cpp +++ b/TitanEngine/TitanEngine.Handler.cpp 
@@ -2,25 +2,33 @@ #include "definitions.h" #include "Global.Handle.h" + +void NtQuerySysHandleInfo(DynBuf& buf) +{ + DynBuf QSB; + ULONG RequiredSize = NULL; + + QSB.Allocate(0x2000); + while(NtQuerySystemInformation(SystemHandleInformation, QSB.GetPtr(), QSB.Size(), &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QSB.Allocate(RequiredSize); + } +} + + // TitanEngine.Handler.functions: __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) { - int HandleCount = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - + int HandleCount = 0; + ULONG TotalHandleCount = 0; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
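Review bot: `NtQuerySysHandleInfo` never writes into its `buf` parameter: the query runs against the local `QSB`, which is destroyed on return, so each caller's `hinfo.GetPtr()` yields NULL and the following `RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG)` reads through a null pointer. The retry loop also ignores the result of `Allocate`, so a failed resize leaves the size unchanged and the same length-mismatch status can repeat without end. Query into `buf` directly, stop when the buffer cannot grow, and have callers return early when `hinfo.GetPtr()` is NULL. The same caller pattern is repeated in the other Handler* functions changed by this commit.

```cpp
void NtQuerySysHandleInfo(DynBuf& buf)
{
    ULONG RequiredSize = NULL;

    buf.Allocate(0x2000);
    while(NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize) == (NTSTATUS)0xC0000004L)
    {
        // stop instead of spinning when the buffer cannot be grown;
        // an emptied buffer makes GetPtr() return NULL so callers can detect the failure
        if(RequiredSize <= buf.Size() || !buf.Allocate(RequiredSize))
        {
            buf.Free();
            break;
        }
    }
}
```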
@@ -33,27 +41,19 @@ __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(HandleCount); - return(NULL); + return(HandleCount); } __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle) { bool HandleActive = false; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -67,38 +67,29 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(HandleActive) - { - return true; - } - return false; + return HandleActive; } __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { bool NameFound = false; HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID tmpHandleFullName = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
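Review bot: `char ObjectNameInfo[0x2000]` is cast to `PPUBLIC_OBJECT_NAME_INFORMATION`, but a `char` array only guarantees byte alignment, whereas the VirtualAlloc block it replaces was page-aligned. Accessing a structure through a pointer that may be misaligned is undefined behaviour, and the native query call this buffer is presumably passed to may reject a misaligned output buffer. Declare it with explicit alignment, e.g. `__declspec(align(16)) char ObjectNameInfo[0x2000] = {0};`, or back it with a DynBuf like the handle list. The same applies to the other stack arrays this commit casts to structure pointers: `ObjectNameInfo` in HandlerGetHandleNameW and the lock-handle functions, `HandleFullData` in HandlerGetHandleDetails, and `ReadMemory` in GetJumpDestinationEx.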
@@ -139,9 +130,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(!NameFound) { VirtualFree(HandleFullName, NULL, MEM_RELEASE); @@ -151,33 +139,26 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD { return(HandleFullName); } - - return(NULL); } __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { bool NameFound = false; HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID tmpHandleFullName = NULL; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -219,9 +200,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(!NameFound) { VirtualFree(HandleFullName, NULL, MEM_RELEASE); @@ -238,21 +216,15 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, { HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; unsigned int HandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; PNTDLL_QUERY_HANDLE_INFO HandleInfo; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -268,35 +240,27 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(HandleCount); - - return(NULL); } __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn) { HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullData[0x1000] = {0}; LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; bool DontFreeStringMemory = false; ULONG_PTR ReturnData = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -325,7 +289,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ if(HandleInfo->GrantedAccess != 0x0012019F) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); RtlZeroMemory(HandleNameData, 0x1000); @@ -342,7 +306,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ if(HandleInfo->GrantedAccess != 0x0012019F) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); RtlZeroMemory(HandleNameData, 0x1000); @@ -366,16 +330,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, { VirtualFree(HandleNameData, NULL, MEM_RELEASE); } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(ReturnData); - - if(!DontFreeStringMemory) - { - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - return(NULL); } __declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle) { 
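Review bot: The second `NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize)` passes the length reported by the first call without comparing it to the array, so a reported size above `sizeof(HandleFullData)` would let the call write past a buffer that now lives on the stack. Bound it before the second call, e.g. `if(RequiredSize > sizeof(HandleFullData)) RequiredSize = sizeof(HandleFullData);`, and check both return values, since `RequiredSize` may keep a stale value when the first call fails. The next hunk repeats the same pair of calls. `HandleNameData` is still cleared with a literal `0x1000`; that matches its VirtualAlloc size, but a shared named constant would keep the two in step.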
@@ -411,29 +366,24 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO HANDLE hProcess = NULL; HANDLE myHandle = NULL; HANDLE CopyHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullNameB[0x1000] = {0}; + LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -469,7 +419,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); HandleFullName = tmpHandleFullName; } } 
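Review bot: After `HandleFullName = tmpHandleFullName`, nothing releases the buffer returned by `TranslateNativeNameW`, because `HandleFullName` now starts out pointing at the stack array `HandleFullNameB` and this commit removes the end-of-function `VirtualFree(HandleFullName, ...)`. If that return value is a caller-owned allocation, as the removed VirtualFree calls suggest, each translated name leaks, and later loop iterations appear to keep using the translated buffer instead of the 0x1000-byte array. Copy the translated name into `HandleFullNameB` with a bounded copy and free `tmpHandleFullName` straight away, or keep it in a separate pointer and release it after the comparison. HandlerCloseAllLockHandlesW and HandlerIsFileLockedW carry the same change.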
@@ -498,9 +447,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); + return(FoundHandles); } __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated) 
@@ -525,27 +472,24 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr HANDLE hProcess = NULL; HANDLE myHandle = NULL; HANDLE CopyHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullNameB[0x1000] = {0}; + LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -581,7 +525,6 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); HandleFullName = tmpHandleFullName; } } 
@@ -607,18 +550,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - if(AllHandled) - { - return true; - } - else - { - return false; - } + return AllHandled; } __declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated) { 
@@ -641,27 +574,24 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN HANDLE hProcess = NULL; HANDLE myHandle = NULL; HANDLE CopyHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullNameB[0x1000] = {0}; + LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -697,7 +627,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); HandleFullName = tmpHandleFullName; } } 
@@ -710,9 +639,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN } if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL) { - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); EngineCloseHandle(myHandle); return true; } @@ -724,9 +650,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); return false; } 
@@ -736,25 +659,20 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, HANDLE myHandle = NULL; HANDLE copyHandle = NULL; - LPVOID QuerySystemBuffer; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; unsigned int HandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullData[0x1000] = {0}; + char HandleNameDataB[0x1000] = {0}; + LPVOID HandleNameData = HandleNameDataB; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -767,7 +685,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); RtlZeroMemory(HandleNameData, 0x1000); 
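Review bot: The second `NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);` uses the length reported by the first call as the size of what is now a 0x1000-byte stack array. If the reported length is ever larger than the array, the write runs into the stack frame instead of past a separately allocated page as before. Passing the real capacity, `NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, sizeof(HandleFullData), &RequiredSize);`, and checking the returned status bounds the write. HandlerGetProcessIdWhichCreatedMutexW does the same with HandleFullData and with the 0x2000-byte ObjectNameInfo, where the length is that of an object name taken from another process's handle.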
@@ -789,9 +707,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(HandleCount); } @@ -816,7 +731,7 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce return 0; int i; HANDLE myHandle; - LPVOID HandleBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleBuffer[0x1000] = {0}; LPVOID cHandleBuffer = HandleBuffer; int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE); wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; @@ -833,14 +748,12 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce { if(lstrcmpiW(HandleName, RealMutexName) == NULL) { - VirtualFree(HandleBuffer, NULL, MEM_RELEASE); return((ULONG_PTR)myHandle); } } cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE); } } - VirtualFree(HandleBuffer, NULL, MEM_RELEASE); return(NULL); } __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString) 
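Review bot: `char HandleBuffer[0x1000]` in HandlerGetOpenMutexHandleW is walked in `sizeof HANDLE` steps, but it is declared as bytes and its capacity is repeated as the literal `0x1000 / sizeof HANDLE` in the call to HandlerEnumerateOpenMutexes. Declaring it as `HANDLE HandleBuffer[0x1000 / sizeof(HANDLE)] = {0};` and passing `sizeof(HandleBuffer) / sizeof(HandleBuffer[0])` ties the element count to the array and gives it HANDLE alignment, which a char array does not guarantee. The function body starts and continues outside this hunk.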
@@ -865,28 +778,24 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t HANDLE hProcess = NULL; DWORD ReturnData = NULL; HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; ULONG RequiredSize = NULL; DWORD LastProcessId = NULL; ULONG TotalHandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullData[0x1000] = {0}; + char HandleNameData[0x1000] = {0}; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; lstrcatW(RealMutexName, szMutexString); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -908,10 +817,10 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); + RtlZeroMemory(HandleNameData, sizeof(HandleNameData)); if(pObjectTypeInfo->TypeName.Length != NULL) { //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); @@ -920,10 +829,9 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t { NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); + RtlZeroMemory(HandleNameData, sizeof(HandleNameData)); if(pObjectNameInfo->Name.Length != NULL) { - RtlZeroMemory(HandleNameData, 0x1000); //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL) @@ -941,10 +849,6 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(ReturnData); } 
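Review bot: `lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);` copies an object name of unchecked length into what is now a 0x1000-byte stack array, which holds 2048 wide characters. A longer name would overwrite the stack frame of HandlerGetProcessIdWhichCreatedMutexW, and the names come from handles this function duplicates from other processes. A bounded copy, `lstrcpynW((wchar_t*)HandleNameData, pObjectNameInfo->Name.Buffer, sizeof(HandleNameData) / sizeof(wchar_t));`, keeps the write inside the array; the commented-out WideCharToMultiByte line above it did pass a size. The loop around this code starts outside the hunk.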
diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp index 4714037..bf019ee 100644 --- a/TitanEngine/TitanEngine.Hider.cpp +++ b/TitanEngine/TitanEngine.Hider.cpp @@ -7,10 +7,7 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) { ULONG RequiredLen = 0; void * PebAddress = 0; - PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); - - if(!myProcessBasicInformation) - return 0; + PROCESS_BASIC_INFORMATION myProcessBasicInformation[5] = {0}; if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) { @@ -24,8 +21,6 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) } } - - VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE); return PebAddress; } @@ -33,10 +28,7 @@ __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread) { ULONG RequiredLen = 0; void * TebAddress = 0; - PTHREAD_BASIC_INFORMATION myThreadBasicInformation = (PTHREAD_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(THREAD_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); - - if(!myThreadBasicInformation) - return 0; + THREAD_BASIC_INFORMATION myThreadBasicInformation[5] = {0}; if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) { @@ -50,8 +42,6 @@ __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread) } } - - VirtualFree(myThreadBasicInformation, 0, MEM_RELEASE); return TebAddress; } diff --git a/TitanEngine/TitanEngine.PE.Overlay.cpp b/TitanEngine/TitanEngine.PE.Overlay.cpp index 89f3b75..f48c5b4 100644 --- a/TitanEngine/TitanEngine.PE.Overlay.cpp +++ b/TitanEngine/TitanEngine.PE.Overlay.cpp 
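Review bot: `PROCESS_BASIC_INFORMATION myProcessBasicInformation[5]` and `THREAD_BASIC_INFORMATION myThreadBasicInformation[5]` replace allocations of four structures with arrays of five, with no comment saying why more than one element is needed. The visible calls pass `sizeof(PROCESS_BASIC_INFORMATION)` and `sizeof(THREAD_BASIC_INFORMATION)` as the length, so only the first element is written there. If the lines not shown in these hunks retry the query with RequiredLen, that call should be guarded with `if(RequiredLen <= sizeof(myProcessBasicInformation))` (and the thread equivalent), since the destination is now on the stack. If there is no retry, a single structure passed by address is enough.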
@@ -174,7 +174,7 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* DWORD OverlayStart = 0; DWORD OverlaySize = 0; DWORD ueNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ueReadBuffer[0x2000] = {0}; Return = FindOverlayW(szFileName, &OverlayStart, &OverlaySize); if(Return) @@ -189,7 +189,7 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* SetFilePointer(hFile, OverlayStart, NULL, FILE_BEGIN); while(OverlaySize > 0) { - RtlZeroMemory(ueReadBuffer, 0x2000); + RtlZeroMemory(ueReadBuffer, sizeof(ueReadBuffer)); if(OverlaySize > 0x1000) { @@ -220,20 +220,17 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* OverlaySize = 0; } } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); EngineCloseHandle(hFile); EngineCloseHandle(hFileWrite); return true; } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); EngineCloseHandle(hFile); return false; } } } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } __declspec(dllexport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName) @@ -262,7 +259,7 @@ __declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szO DWORD OverlaySize = 0; ULONG_PTR ueNumberOfBytesRead = 0; DWORD uedNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ueReadBuffer[0x2000] = {0}; hFile = CreateFileW(szFileName, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(hFile != INVALID_HANDLE_VALUE) @@ -275,7 +272,7 @@ __declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szO SetFilePointer(hFile, FileSize, NULL, FILE_BEGIN); while(OverlaySize > 0) { - RtlZeroMemory(ueReadBuffer, 0x2000); + RtlZeroMemory(ueReadBuffer, sizeof(ueReadBuffer)); if(OverlaySize > 0x1000) { 
diff --git a/TitanEngine/TitanEngine.PE.Section.cpp b/TitanEngine/TitanEngine.PE.Section.cpp index 4f609ef..6ee4bac 100644 --- a/TitanEngine/TitanEngine.PE.Section.cpp +++ b/TitanEngine/TitanEngine.PE.Section.cpp @@ -161,6 +161,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3]; ULONG_PTR fileSectionTemp; LPVOID sortedFileName; + DynBuf sortedFileNameBuf; if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) { @@ -198,7 +199,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) } if(!FileIs64) { - sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); + sortedFileName = sortedFileNameBuf.Allocate(FileSize); __try { RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); @@ -238,7 +239,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) } RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); if(szBackupItem[0] != NULL) { if(CopyFileW(szBackupFile, szFileName, false)) @@ -260,14 +260,13 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) __except(EXCEPTION_EXECUTE_HANDLER) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); RemoveGarbageItem(szBackupItem, true); return false; } } else { - sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); + sortedFileName = sortedFileNameBuf.Allocate(FileSize); __try { RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); 
@@ -307,7 +306,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) } RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); if(szBackupItem[0] != NULL) { if(CopyFileW(szBackupFile, szFileName, false)) @@ -329,7 +327,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) __except(EXCEPTION_EXECUTE_HANDLER) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); RemoveGarbageItem(szBackupItem, true); return false; } diff --git a/TitanEngine/TitanEngine.PE.cpp b/TitanEngine/TitanEngine.PE.cpp index bc4d1ee..ab88f74 100644 --- a/TitanEngine/TitanEngine.PE.cpp +++ b/TitanEngine/TitanEngine.PE.cpp @@ -35,7 +35,8 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB BOOL FileIs64 = false; HANDLE hFile = 0; SIZE_T CalculatedHeaderSize = NULL; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000); DWORD OldProtect = PAGE_READWRITE; hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); @@ -63,12 +64,10 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB if(CalculatedHeaderSize > 0x1000) { SetFilePointer(hFile, NULL, NULL, FILE_BEGIN); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - ueReadBuffer = VirtualAlloc(NULL, CalculatedHeaderSize, MEM_COMMIT, PAGE_READWRITE); + ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize); if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL)) { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } 
@@ -91,7 +90,6 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } if(!FileIs64) @@ -103,20 +101,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB { EngineCloseHandle(hFile); VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return true; } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } @@ -129,20 +124,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB { EngineCloseHandle(hFile); VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return true; } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } @@ -150,21 +142,18 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } return false; diff --git a/TitanEngine/TitanEngine.Relocator.cpp b/TitanEngine/TitanEngine.Relocator.cpp index 058c5c7..cd9fa24 100644 --- a/TitanEngine/TitanEngine.Relocator.cpp +++ b/TitanEngine/TitanEngine.Relocator.cpp @@ -258,6 +258,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces DWORD RelocationBase = NULL; DWORD RelocationSize = NULL; DWORD OldProtect; + DynBuf mem; if(RelocationData != NULL) { 
@@ -269,7 +270,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces MemorySize = MemInfo.RegionSize; } VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); - ReadMemoryStorage = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); + ReadMemoryStorage = mem.Allocate(MemorySize); mReadMemoryStorage = ReadMemoryStorage; if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead)) { @@ -281,12 +282,10 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); } - VirtualFree(mReadMemoryStorage, NULL, MEM_RELEASE); return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage))); } else { - VirtualFree(ReadMemoryStorage, NULL, MEM_RELEASE); return false; } } diff --git a/TitanEngine/TitanEngine.Static.cpp b/TitanEngine/TitanEngine.Static.cpp index cc83aeb..cdc9b1c 100644 --- a/TitanEngine/TitanEngine.Static.cpp +++ b/TitanEngine/TitanEngine.Static.cpp @@ -454,7 +454,8 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR DWORD SizeToRead; HANDLE hReadFile; HANDLE hWriteFile; - LPVOID ueCopyBuffer; + //LPVOID ueCopyBuf; + char ueCopyBuffer[0x1000] = {0}; ULONG_PTR AddressToCopy; DWORD rfNumberOfBytesRead; 
@@ -473,29 +474,27 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR } if(SetFilePointer(hReadFile, (long)AddressToCopy, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER) { - ueCopyBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - if(ueCopyBuffer != NULL) { EngineCreatePathForFileW(szDumpFileName); hWriteFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if(hWriteFile != INVALID_HANDLE_VALUE) { - if(Size < 0x1000) + if(Size < sizeof(ueCopyBuffer)) { SizeToRead = Size; } else { - SizeToRead = 0x1000; + SizeToRead = sizeof(ueCopyBuffer); } while((int)Size > NULL) { if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL); - if(Size > 0x1000) + if(Size > sizeof(ueCopyBuffer)) { - Size = Size - 0x1000; + Size = Size - sizeof(ueCopyBuffer); } else if(SizeToRead != Size) { @@ -524,13 +523,8 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR } EngineCloseHandle(hReadFile); EngineCloseHandle(hWriteFile); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } - else - { - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); - } } } EngineCloseHandle(hReadFile); 
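Review bot: Removing `if(ueCopyBuffer != NULL)` in StaticRawMemoryCopyW leaves its braces behind as a bare `{ ... }` block after the SetFilePointer test, and the loop condition is still `while((int)Size > NULL)` although the same line in StaticRawMemoryCopyExW becomes `while((int)Size > 0)` in this commit. Dropping the orphaned braces and using `> 0` here as well keeps the copy routines consistent. `sizeof(ueCopyBuffer)` is a size_t while SizeToRead is a DWORD, so `SizeToRead = (DWORD)sizeof(ueCopyBuffer);` makes the narrowing on 64-bit builds explicit.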
@@ -559,36 +553,34 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD Ra DWORD SizeToRead; HANDLE hReadFile; HANDLE hWriteFile; - LPVOID ueCopyBuffer; + char ueCopyBuffer[0x1000] = {0}; DWORD rfNumberOfBytesRead; if(DuplicateHandle(GetCurrentProcess(), hFile, GetCurrentProcess(), &hReadFile, NULL, false, DUPLICATE_SAME_ACCESS)) { if(SetFilePointer(hReadFile, (long)(RawAddressToCopy), NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER) { - ueCopyBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - if(ueCopyBuffer != NULL) { EngineCreatePathForFileW(szDumpFileName); hWriteFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if(hWriteFile != INVALID_HANDLE_VALUE) { - if(Size < 0x1000) + if(Size < sizeof(ueCopyBuffer)) { SizeToRead = Size; } else { - SizeToRead = 0x1000; + SizeToRead = sizeof(ueCopyBuffer); } - while((int)Size > NULL) + while((int)Size > 0) { if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL); - if(Size > 0x1000) + if(Size > sizeof(ueCopyBuffer)) { - Size = Size - 0x1000; + Size = Size - sizeof(ueCopyBuffer); } else if(SizeToRead != Size) { @@ -601,29 +593,24 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD Ra WriteFile(hWriteFile, ueCopyBuffer, rfNumberOfBytesRead, &rfNumberOfBytesRead, NULL); } SizeToRead = Size; - Size = NULL; + Size = 0; } else { SizeToRead = Size; - Size = NULL; + Size = 0; } } else { WriteFile(hWriteFile, ueCopyBuffer, rfNumberOfBytesRead, &rfNumberOfBytesRead, NULL); - Size = NULL; + Size = 0; } } EngineCloseHandle(hReadFile); EngineCloseHandle(hWriteFile); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } - else - { - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); - } } } EngineCloseHandle(hReadFile); 
@@ -651,7 +638,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6 DWORD SizeToRead; HANDLE hReadFile; HANDLE hWriteFile; - LPVOID ueCopyBuffer; + char ueCopyBuffer[0x1000] = {0}; DWORD rfNumberOfBytesRead; long FilePosLow; long FilePosHigh; @@ -662,8 +649,6 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6 RtlMoveMemory(&FilePosHigh, (void*)((ULONG_PTR)(&RawAddressToCopy) + 4), 4); if(SetFilePointer(hReadFile, FilePosLow, &FilePosHigh, FILE_BEGIN) != INVALID_SET_FILE_POINTER) { - ueCopyBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - if(ueCopyBuffer != NULL) { EngineCreatePathForFileW(szDumpFileName); hWriteFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); @@ -713,12 +698,8 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6 } EngineCloseHandle(hReadFile); EngineCloseHandle(hWriteFile); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } - else - { - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); } } } diff --git a/TitanEngine/TitanEngine.Tracer.cpp b/TitanEngine/TitanEngine.Tracer.cpp index f194f00..e9285cd 100644 --- a/TitanEngine/TitanEngine.Tracer.cpp +++ b/TitanEngine/TitanEngine.Tracer.cpp @@ -16,6 +16,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo int LengthOfValidInstruction = 0; int CurrentNumberOfInstructions = 0; MEMORY_BASIC_INFORMATION MemInfo; + DynBuf tracmem; LPVOID TraceMemory, cTraceMemory; ULONG_PTR ueNumberOfBytesRead = NULL; DWORD LastPushValue = NULL; 
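Review bot: The last hunk of StaticRawMemoryCopyEx64W removes `else`, `{` and the VirtualFree call but keeps the `}` that closed that else block, so as shown the function ends up with one closing brace more than it has opening braces. The corresponding hunk in StaticRawMemoryCopyExW removes all four lines, including `}`. Deleting that `}` here as well restores the balance. The lines between the hunks are not visible, so this should be confirmed with a build of TitanEngine.Static.cpp.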
@@ -41,7 +42,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo { memSize = 0x4000; } - TraceMemory = VirtualAlloc(NULL, memSize, MEM_COMMIT, PAGE_READWRITE); + TraceMemory = tracmem.Allocate(memSize); cTraceMemory = TraceMemory; if(ReadProcessMemory(hProcess, (LPVOID)MemInfo.BaseAddress, TraceMemory, memSize, &ueNumberOfBytesRead)) { @@ -491,7 +492,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo } TraceStartAddress = TraceStartAddress + CurrentInstructionSize; } - VirtualFree(TraceMemory, NULL, MEM_RELEASE); if(!HashInstructions) { if(FoundValidAPI == true) @@ -518,7 +518,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo } else { - VirtualFree(TraceMemory, NULL, MEM_RELEASE); } } } @@ -716,6 +715,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON DWORD MemoryHash = NULL; DWORD MaximumReadSize = 0; DWORD TestAddressX86; + DynBuf tracemem; LPVOID TraceMemory; bool HashCheck = false; @@ -734,7 +734,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON } if(sizeof HANDLE == 4) { - TraceMemory = VirtualAlloc(NULL, MaximumReadSize, MEM_COMMIT, PAGE_READWRITE); + TraceMemory = tracemem.Allocate(MaximumReadSize); if(!TraceMemory) { return (NULL); @@ -1103,12 +1103,10 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON } } } - VirtualFree(TraceMemory, NULL, MEM_RELEASE); return(KnownRedirectionIndex); } else { - VirtualFree(TraceMemory, NULL, MEM_RELEASE); } } } 
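Review bot: Deleting the VirtualFree calls leaves empty `else { }` branches behind, one after the ReadProcessMemory test in EngineGlobalTracerHandler1 and one near the end of TracerDetectRedirection. They no longer do anything, so each `if` can end at its closing brace. TracerDetectRedirection keeps `if(!TraceMemory)` after `tracemem.Allocate(MaximumReadSize)`, while `tracmem.Allocate(memSize)` in EngineGlobalTracerHandler1 has no such test and relies on ReadProcessMemory failing for a NULL buffer. A comment there, `// Allocate() may return NULL; ReadProcessMemory then fails and the trace is skipped`, would record that this is intended.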
@@ -1124,10 +1122,8 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces PMEMORY_CMP_HANDLER cMem; MEMORY_BASIC_INFORMATION MemInfo; ULONG_PTR ueNumberOfBytesRead = NULL; - LPVOID TracerReadMemory = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char TracerReadMemory[0x1000] = {0}; DWORD MaximumReadSize=0x1000; - if(!TracerReadMemory) - return (NULL); cMem = (PMEMORY_CMP_HANDLER)TracerReadMemory; VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); @@ -1165,13 +1161,11 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces RtlMoveMemory(&ReadAddressX86, &cMem->DataByte[8], 4); TestAddressX86 = TestAddressX86 + ReadAddressX86; } - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } @@ -1184,14 +1178,12 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4); if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead)) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } @@ -1211,14 +1203,12 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces } if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead)) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } 
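Review bot: `DWORD MaximumReadSize=0x1000;` repeats the size of the new `char TracerReadMemory[0x1000]` as a literal, and MaximumReadSize is the length passed to ReadProcessMemory with that array as destination further down. Writing `DWORD MaximumReadSize = sizeof(TracerReadMemory);` keeps the read bound tied to the array, which matters more now that an overrun would land in the stack frame. TracerFixKnownRedirection continues well beyond this hunk, so any later assignment to MaximumReadSize should be checked against the same bound.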
@@ -1267,7 +1257,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces } if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead)) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } @@ -1277,7 +1266,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4); if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead)) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } @@ -1285,7 +1273,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } @@ -1310,7 +1297,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead)) { TestAddressX86 = TestAddressX86 ^ ReadAddressX86; - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } @@ -1318,7 +1304,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } @@ -1329,13 +1314,11 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces if(ReadProcessMemory(hProcess, (LPVOID)AddressToTrace, TracerReadMemory, MaximumReadSize, &ueNumberOfBytesRead)) { RtlMoveMemory(&TestAddressX86, &cMem->DataByte[1], 4); - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } 
@@ -1356,20 +1339,17 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces { TestAddressX86 = (DWORD)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetCommandLineW")); } - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } else if(cMem->DataByte[0] == 0xC8) { TestAddressX86 = (DWORD)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess")); - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } @@ -1381,13 +1361,11 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces { cMem = (PMEMORY_CMP_HANDLER)((ULONG_PTR)cMem + 0x34); RtlMoveMemory(&TestAddressX86, &cMem->DataByte[0], 4); - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } @@ -1432,18 +1410,15 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces { TestAddressX86 = (DWORD)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA")); } - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return((DWORD)TestAddressX86); } } } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } } - VirtualFree(TracerReadMemory, NULL, MEM_RELEASE); return(NULL); } 
@@ -1456,8 +1431,8 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP ULONG_PTR fImpRecTrace = NULL; PMEMORY_CMP_HANDLER cmpModuleName; ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteLoadLibrary - (ULONG_PTR)&injectedImpRec); - LPVOID szModuleName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID szGarbageFile = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char szModuleName[0x1100] = {0}; + char szGarbageFile[0x1100] = {0}; LPVOID cModuleName = szModuleName; ULONG_PTR NumberOfBytesWritten; InjectImpRecCodeData APIData; @@ -1473,7 +1448,7 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP HANDLE FileMap; ULONG_PTR FileMapVA; - if(GetModuleFileNameA(engineHandle, (LPCH)szModuleName, 0x1000) > NULL) + if(GetModuleFileNameA(engineHandle, (LPCH)szModuleName, sizeof(szModuleName)-0x100) > NULL) { cModuleName = (LPVOID)((ULONG_PTR)cModuleName + lstrlenA((LPCSTR)szModuleName)); cmpModuleName = (PMEMORY_CMP_HANDLER)(cModuleName); @@ -1546,7 +1521,5 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP } } } - VirtualFree(szModuleName, NULL, MEM_RELEASE); - VirtualFree(szGarbageFile, NULL, MEM_RELEASE); return(TracedAddress); } \ No newline at end of file diff --git a/TitanEngine/TitanEngine.TranslateName.cpp b/TitanEngine/TitanEngine.TranslateName.cpp index 030295c..100c156 100644 --- a/TitanEngine/TitanEngine.TranslateName.cpp +++ b/TitanEngine/TitanEngine.TranslateName.cpp @@ -5,7 +5,7 @@ __declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName) { - LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned char szDeviceName[3] = "A:"; char szDeviceCOMName[5] = "COM0"; int CurrentDeviceLen; 
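Review bot: The `0x100` subtracted from `sizeof(szModuleName)` in the `GetModuleFileNameA` call (hunk at new line 1448) is an unnamed reserve that silently depends on the `0x1100` array sizes declared in the hunk at new line 1431, and nothing on these lines says what it is reserved for. The code after the call advances `cModuleName` to the end of the path, so presumably a file name is appended there. With a stack array, an overrun of that reserve now lands in the function's own frame rather than in a separately allocated page. I would document the invariant above `char szModuleName[0x1100] = {0};` with a comment such as `// 0x1000 path bytes + 0x100 reserve for the name appended at cModuleName`, and confirm that every writer to `szGarbageFile` (not visible in these hunks) is bounded by `sizeof(szGarbageFile)`. The function body continues outside both hunks.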
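Review bot: The new trailing comment `//pointer is returned` on the `TranslatedName` allocation in `TranslateNativeName` does not say who releases the buffer or with which API, and the identical line in `TranslateNativeNameW` in the next hunk has the same gap. Because the block comes from `VirtualAlloc`, releasing it with anything other than `VirtualFree` is invalid, so the contract belongs on the exported function. If that is the intended ownership, a comment such as `// Returns a 0x1000-byte VirtualAlloc block; the caller releases it with VirtualFree(ptr, 0, MEM_RELEASE)` would do. The hunk also shows no NULL check on the `VirtualAlloc` result; the body continues outside the hunk, so confirm the pointer is tested before it is written to.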
@@ -50,7 +50,7 @@ __declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName) __declspec(dllexport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName) { - LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned wchar_t szDeviceName[3] = L"A:"; wchar_t szDeviceCOMName[5] = L"COM0"; int CurrentDeviceLen; diff --git a/TitanEngine/TitanEngine.cbp b/TitanEngine/TitanEngine.cbp index 9ab23f9..18beb3e 100644 --- a/TitanEngine/TitanEngine.cbp +++ b/TitanEngine/TitanEngine.cbp @@ -82,6 +82,8 @@ + + diff --git a/TitanEngine/TitanEngine.vcxproj b/TitanEngine/TitanEngine.vcxproj index 4641ecb..6583444 100644 --- a/TitanEngine/TitanEngine.vcxproj +++ b/TitanEngine/TitanEngine.vcxproj @@ -224,6 +224,7 @@ + @@ -289,6 +290,7 @@ + diff --git a/TitanEngine/TitanEngine.vcxproj.filters b/TitanEngine/TitanEngine.vcxproj.filters index 1f6d5c0..c03fb3c 100644 --- a/TitanEngine/TitanEngine.vcxproj.filters +++ b/TitanEngine/TitanEngine.vcxproj.filters @@ -278,6 +278,12 @@ Header Files + + Header Files\TitanEngine + + + Header Files + Header Files\TitanEngine diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h index 6b55c12..a4f813f 100644 --- a/TitanEngine/stdafx.h +++ b/TitanEngine/stdafx.h @@ -33,6 +33,8 @@ #include "aplib.h" #include "LzmaDec.h" +#include "Global.Helper.h" + #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth // Engine.Internal: @@ -970,4 +972,4 @@ typedef PEB64 PEB_CURRENT; typedef PEB32 PEB_CURRENT; #endif -#pragma pack(pop) \ No newline at end of file +#pragma pack(pop)
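Review bot: In `TranslateNativeNameW` the `0x1000` passed to `VirtualAlloc` is a byte count, so the returned buffer holds only 0x800 `wchar_t` on Windows, half the character capacity of the ANSI variant, and the changed line does not record that. Any length limit in the body, which lies outside this hunk, has to be expressed in characters against that smaller capacity. I would state it next to the allocation, e.g. `// 0x1000 bytes = 0x800 wchar_t, terminator included`, or size the request as `0x1000 * sizeof(wchar_t)` if the two variants are meant to accept names of the same length.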