Merge branch 'dynmem'

Conflicts:
	TitanEngine/TitanEngine.Breakpoints.cpp
	TitanEngine/TitanEngine.Dumper.cpp
	TitanEngine/TitanEngine.Handler.cpp
	TitanEngine/TitanEngine.PE.Overlay.cpp
	TitanEngine/TitanEngine.Static.cpp
	TitanEngine/TitanEngine.vcxproj.filters
Mr. eXoDia 2014-03-12 09:41:14 +01:00
commit c5e260d7d7
21 changed files with 314 additions and 372 deletions


@ -0,0 +1,40 @@
#include "stdafx.h"
#include "Global.Helper.h"
bool IsStrEqual( const char* const a, const char* const b, bool considercase/*=true*/ )
{
const int stringlen = std::strlen(a);
if(stringlen != std::strlen(b))
return false; //cheap
if(considercase)
{
//plain old strcmp
return std::strcmp(a, b)==0;
}
else
{
for(int i=0; i<stringlen; i++)
{
if (tolower(a[i]) != tolower(b[i]))
return false;
}
return true;
}
}
void* MemAlloc( size_t sz )
{
void* r = malloc(sz);
if(r)
memset(r, 0, sz);
return r;
}
void MemFree( void* mem )
{
free(mem);
}
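Review bot: `tolower(a[i])` in the case-insensitive loop of IsStrEqual passes a plain `char`, which is undefined behaviour for bytes above 0x7F when `char` is signed (any non-ASCII byte in a name or path); cast first, `if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))`. `const int stringlen = std::strlen(a);` narrows a `size_t` and is then compared signed-against-unsigned with `std::strlen(b)`, so `size_t` is the better type for both the local and the loop index. Neither argument is checked for NULL; if callers can pass one, a guard such as `if(!a || !b) return a == b;` belongs before the first strlen. MemAlloc's malloc followed by memset is what `calloc(1, sz)` does in a single call.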


@ -0,0 +1,98 @@
#ifndef Helper_h__
#define Helper_h__
#include <string>
#include <vector>
/*
Compares two strings
a : string 1
b : string 2
considercase : casesensitivity
*/
bool IsStrEqual(const char* const a, const char* const b, bool considercase=true);
/*
A basic dynamic buffer, exception free.
*/
class DynBuf
{
public:
DynBuf(size_t sz=0)
{
Allocate(sz);
}
typedef std::vector<char> DynBufVec;
void* Allocate(size_t sz)
{
void* r=NULL;
try
{
if(Size() < sz)
mem.resize(sz);
if(Size())
r = GetPtr();
if(r && sz)
memset(r, 0, sz);
}
catch(...)
{
}
return r;
}
void* GetPtr()
{
if(Size())
return &mem.front(); //in c++11: .data()
return NULL;
}
void Free()
{
mem.clear();
}
DynBufVec& GetVector()
{
return mem;
}
const DynBufVec& GetVector() const
{
return mem;
}
size_t Size() const
{
return mem.size();
}
protected:
char& operator[](std::size_t idx)
{
return mem[idx];
};
const char& operator[](std::size_t idx) const
{
return mem[idx];
};
DynBufVec mem;
};
//Unused malloc/free wrappers
/*
malloc wrapper
*/
void* MemAlloc(size_t sz);
/*
free wrapper
*/
void MemFree(void* mem);
#endif // Helper_h__
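Review bot: `DynBuf(size_t sz=0)` is a non-explicit single-argument constructor, so any integer converts silently to a DynBuf at a call site; mark it `explicit DynBuf(size_t sz=0)`. Allocate's contract deserves a comment above it because every caller in this commit depends on it: it returns NULL both on allocation failure and when `sz` is 0, it never shrinks the vector (so `Size()` can exceed the last requested size, which is what NtQuerySysHandleInfo relies on when it passes `QSB.Size()` as the buffer length), and it zeroes only the first `sz` bytes. The trailing `catch(...)` is what makes the class "exception free", but if the project builds with /EHa it would also swallow structured exceptions, which is worth stating in that comment. The protected `operator[]` is unchecked, which should be documented alongside it.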


@ -54,7 +54,8 @@ void GenericOEPTraceHited()
{
int i;
void* lpHashBuffer;
//void* lpHashBuffer;
char lpHashBuffer[0x1000] = {0};
bool FakeEPDetected = false;
ULONG_PTR NumberOfBytesRW;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
@ -84,12 +85,11 @@ void GenericOEPTraceHited()
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
lpHashBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
memBpxAddress = (glbEntryTracerData.MemoryAccessed / 0x1000) * 0x1000;
memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer);
memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress;
if(memBpxSize > 0x1000)
if(memBpxSize > sizeof(lpHashBuffer))
{
memBpxSize = 0x1000;
memBpxSize = sizeof(lpHashBuffer);
}
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW))
{
@ -107,7 +107,6 @@ void GenericOEPTraceHited()
FakeEPDetected = true;
}
}
VirtualFree(lpHashBuffer, NULL, MEM_RELEASE);
if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false)
{
__try
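Review bot: The page rounding in `memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer);` now depends on the scratch buffer's size rather than on the page size; both happen to be 0x1000 today, but resizing `lpHashBuffer` would silently move `memBpxAddress` (presumably the memory-breakpoint base) off a page boundary. Keep the rounding in page terms, `memBpxAddress = (glbEntryTracerData.MemoryAccessed / 0x1000) * 0x1000;`, and let `if(memBpxSize > sizeof(lpHashBuffer))` remain the buffer bound, or introduce one named constant used for both. The `//void* lpHashBuffer;` line is dead and can be dropped. GenericOEPTraceHited continues outside the hunks.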


@ -210,7 +210,7 @@ __declspec(dllexport) long long TITCALL GetFunctionParameter(HANDLE hProcess, DW
__declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps)
{
LPVOID ReadMemory;
char ReadMemory[MAXIMUM_INSTRUCTION_SIZE] = {0};
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRead = NULL;
PMEMORY_CMP_HANDLER CompareMemory;
@ -224,9 +224,6 @@ __declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.RegionSize > NULL)
{
ReadMemory = VirtualAlloc(NULL, MAXIMUM_INSTRUCTION_SIZE, MEM_COMMIT, PAGE_READWRITE);
if(!ReadMemory)
return 0;
if(ReadProcessMemory(hProcess, (LPVOID)InstructionAddress, ReadMemory, MAXIMUM_INSTRUCTION_SIZE, &ueNumberOfBytesRead))
{
CompareMemory = (PMEMORY_CMP_HANDLER)ReadMemory;
@ -358,7 +355,6 @@ __declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
ReadProcessMemory(hProcess, (LPVOID)TargetedAddress, &TargetedAddress, 4, &ueNumberOfBytesRead);
}
}
VirtualFree(ReadMemory, NULL, MEM_RELEASE);
return((ULONG_PTR)TargetedAddress);
}
return(NULL);
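Review bot: `char ReadMemory[MAXIMUM_INSTRUCTION_SIZE] = {0};` replaces a VirtualAlloc that committed at least a whole 4 KiB page, so any access through `CompareMemory` (the `PMEMORY_CMP_HANDLER` cast) that reaches past MAXIMUM_INSTRUCTION_SIZE bytes now runs off the end of a stack array instead of into page slack; the struct's size is not visible in the hunk, so a compile-time guard such as `C_ASSERT(sizeof(*CompareMemory) <= sizeof(ReadMemory));` next to the cast would pin that assumption. The same consideration applies to the other fixed-size stack arrays this commit introduces that are read through a typed pointer. GetJumpDestinationEx continues outside the hunks.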


@ -7,9 +7,10 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
{
if(!MemoryToCheck || !PatternToMatch)
return false;
int i = NULL;
BYTE intWildCard = NULL;
int i = 0;
BYTE intWildCard = 0;
LPVOID ueReadBuffer = NULL;
DynBuf ueReadBuf;
ULONG_PTR ueNumberOfBytesRead = NULL;
MEMORY_BASIC_INFORMATION memoryInformation = {};
PMEMORY_COMPARE_HANDLER memCmp = (PMEMORY_COMPARE_HANDLER)MemoryToCheck;
@ -23,8 +24,8 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
{
if(hProcess != GetCurrentProcess())
{
ueReadBuffer = VirtualAlloc(NULL, SizeOfMemoryToCheck, MEM_COMMIT, PAGE_READWRITE);
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
ueReadBuffer = ueReadBuf.Allocate(SizeOfMemoryToCheck);
if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
{
if(ueNumberOfBytesRead == NULL)
{
@ -33,7 +34,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
else
@ -43,7 +43,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -68,12 +67,10 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
SizeOfPatternToMatch--;
i++;
}
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
@ -101,6 +98,7 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
int j = NULL;
ULONG_PTR Return = NULL;
LPVOID ueReadBuffer = NULL;
DynBuf ueReadBuf;
PUCHAR SearchBuffer = NULL;
PUCHAR CompareBuffer = NULL;
MEMORY_BASIC_INFORMATION memoryInformation = {};
@ -117,8 +115,8 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
{
if(hProcess != GetCurrentProcess())
{
ueReadBuffer = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE);
if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
ueReadBuffer = ueReadBuf.Allocate(MemorySize);
if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
{
if(ueNumberOfBytesRead == NULL)
{
@ -127,7 +125,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart);
if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
else
@ -137,7 +134,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -172,12 +168,10 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
Return = (ULONG_PTR)MemoryStart + i;
}
}
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(Return);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -313,7 +307,8 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart
ULONG_PTR CurrentFoundPattern;
LPVOID cMemoryStart = MemoryStart;
DWORD cMemorySize = MemorySize;
LPVOID lpReadMemory = VirtualAlloc(NULL, PatternSize, MEM_COMMIT, PAGE_READWRITE);
DynBuf lpReadMem;
LPVOID lpReadMemory = lpReadMem.Allocate(PatternSize);
CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard);
NumberOfRepetitions--;
@ -335,7 +330,6 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart
CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard);
NumberOfRepetitions--;
}
VirtualFree(lpReadMemory, NULL, MEM_RELEASE);
if(NumberOfRepetitions != NULL)
{
return false;
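Review bot: In MatchPatternEx the new guard `if(ueReadBuffer && !ReadProcessMemory(...))` turns an allocation failure (DynBuf::Allocate returns NULL for a size of 0 or an over-large size, and `SizeOfMemoryToCheck` is an `int`, so a negative value becomes a huge size_t) into a silent fall-through with `ueReadBuffer == NULL`; the rest of the function, outside the hunk, presumably dereferences it under `__try` and fails only through the access-violation handler. Fail explicitly instead: `if(!ueReadBuffer) return false;` right after `ueReadBuffer = ueReadBuf.Allocate(SizeOfMemoryToCheck);`, and likewise `if(!ueReadBuffer) return(NULL);` after the `Allocate(MemorySize)` in FindEx. ReplaceEx's `lpReadMemory = lpReadMem.Allocate(PatternSize)` has no check at all, and its use is outside the hunk. All three function bodies extend beyond the hunks shown.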


@ -65,7 +65,8 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
_DecodeType DecodingType = Decode64Bits;
#endif
ULONG_PTR ueNumberOfBytesRead = 0;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000);
MEMORY_BASIC_INFORMATION MemInfo;
DWORD MaxDisassmSize;
@ -101,7 +102,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
if(rpm)
{
DecodingResult = distorm_decode((ULONG_PTR)DisassmAddress, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, engineDecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
RtlZeroMemory(&engineDisassembledInstruction, 128);
lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p);
if(!ReturnInstructionType)
@ -116,7 +116,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -127,7 +126,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -185,7 +183,8 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D
_DecodeType DecodingType = Decode64Bits;
#endif
ULONG_PTR ueNumberOfBytesRead = 0;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000);
MEMORY_BASIC_INFORMATION MemInfo;
DWORD MaxDisassmSize;
@ -210,12 +209,10 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D
if(ReadProcessMemory(hProcess, (LPVOID)DisassmAddress, ueReadBuffer, MaxDisassmSize, &ueNumberOfBytesRead))
{
DecodingResult = distorm_decode(NULL, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, DecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(DecodedInstructions[0].size);
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(-1);
}
}
@ -226,7 +223,6 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(-1);
}
}
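Review bot: DisassembleEx and LengthDisassembleEx now pay a heap allocation (`ueReadBuf.Allocate(0x1000)`, a `std::vector<char>` resize plus memset) on every call, and both look like per-instruction entry points; elsewhere in this commit the same fixed 0x1000/0x2000 scratch buffers were moved to the stack (`char ueCopyBuffer[0x2000] = {0};` in DumpMemoryW), which would be the consistent and cheaper choice here too: `char ueReadBuffer[0x1000] = {0};`. As written, Allocate's result is also not null-checked before `ReadProcessMemory(hProcess, (LPVOID)DisassmAddress, ueReadBuffer, MaxDisassmSize, &ueNumberOfBytesRead)`; a stack array removes that failure mode entirely. Both function bodies extend outside the hunks.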


@ -36,8 +36,9 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
LPVOID ReadBase = ImageBase;
SIZE_T CalculatedHeaderSize = NULL;
SIZE_T AlignedHeaderSize = NULL;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
DynBuf ueReadBuf, ueCopyBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000);
if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
{
@ -47,30 +48,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
if ((DOSHeader->e_lfanew > 0x500) || (DOSHeader->e_magic != IMAGE_DOS_SIGNATURE) || (PEHeader32->Signature != IMAGE_NT_SIGNATURE))
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false;
}
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections);
if(CalculatedHeaderSize > 0x1000) //SectionAlignment, the default value is the page size for the system.
if(CalculatedHeaderSize % 0x1000 == NULL)
{
if(CalculatedHeaderSize % 0x1000 != NULL)
{
AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000;
AlignedHeaderSize = 0x1000;
}
else
{
AlignedHeaderSize = CalculatedHeaderSize;
}
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
ueReadBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE);
ueCopyBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE);
ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize);
ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false;
}
else
@ -98,8 +87,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false;
}
if(!FileIs64)
@ -173,8 +160,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
}
}
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
@ -255,13 +240,10 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
}
}
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
}
@ -275,8 +257,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
}
if (ueReadBuffer != 0)
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
}
return false;
@ -339,7 +319,7 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
HANDLE hFile = 0;
LPVOID ReadBase = MemoryStart;
ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase;
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ueCopyBuffer[0x2000] = {0};
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
@ -369,10 +349,8 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
ProcReadBase = (ULONG_PTR)ReadBase + 0x1000;
}
EngineCloseHandle(hFile);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true;
}
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false;
}
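Review bot: The header-size alignment in DumpProcessW appears to have been mangled in the merge: as rendered, the new side reads `if(CalculatedHeaderSize % 0x1000 == NULL) { AlignedHeaderSize = 0x1000; } else { AlignedHeaderSize = CalculatedHeaderSize; }`, which shrinks a header whose computed size is an exact page multiple (0x2000, 0x3000, ...) to a single page and never rounds an unaligned size up as the removed code did. If the code after the hunk then copies CalculatedHeaderSize bytes out of `ueReadBuffer`, that is an over-read of the DynBuf for an image with many sections, and a dumper's input process should be treated as hostile. The removed rounding, `AlignedHeaderSize = (CalculatedHeaderSize % 0x1000 == 0) ? CalculatedHeaderSize : ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000;`, is what the dropped `//SectionAlignment` comment described. The `if (ueReadBuffer != 0) { }` left near the end of the function is now an empty block and can go. Both DumpProcessW and DumpMemoryW continue outside the hunks.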


@ -152,6 +152,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
LPVOID expBuildExportData;
DynBuf expBuildExportDyn;
LPVOID expBuildExportDataCWP;
DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false);
ULONG_PTR TempULONG;
@ -160,7 +161,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
if(expTableDataCWP != NULL)
{
expBuildExportData = VirtualAlloc(NULL, ExporterEstimatedSize(), MEM_COMMIT, PAGE_READWRITE);
expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY);
expExportData.NumberOfNames = expExportNumber;
@ -210,7 +211,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(expBuildExportData, NULL, MEM_RELEASE);
ExporterCleanup();
return false;
}
@ -246,7 +246,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
}
}
}
VirtualFree(expBuildExportData, NULL, MEM_RELEASE);
ExporterCleanup();
return true;
}
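Review bot: `expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());` is followed immediately by pointer arithmetic on the result, so a NULL from Allocate (an estimated size of 0 or an allocation failure) leaves `expBuildExportDataCWP` pointing just past address 0 and the export-table writes that presumably follow will fault; the surrounding `__except(EXCEPTION_EXECUTE_HANDLER)` turns that into `return false`, but only by taking an access violation. Check it first, `if(!expBuildExportData) { ExporterCleanup(); return false; }`, mirroring the handler's own cleanup path. ExporterBuildExportTable continues outside the hunks.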


@ -2,25 +2,33 @@
#include "definitions.h"
#include "Global.Handle.h"
void NtQuerySysHandleInfo(DynBuf& buf)
{
DynBuf QSB;
ULONG RequiredSize = NULL;
QSB.Allocate(0x2000);
while(NtQuerySystemInformation(SystemHandleInformation, QSB.GetPtr(), QSB.Size(), &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QSB.Allocate(RequiredSize);
}
}
// TitanEngine.Handler.functions:
__declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId)
{
int HandleCount = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
int HandleCount = 0;
ULONG TotalHandleCount = 0;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -33,27 +41,19 @@ __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId)
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(HandleCount);
return(NULL);
return(HandleCount);
}
__declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle)
{
bool HandleActive = false;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -67,38 +67,29 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
if(HandleActive)
{
return true;
}
return false;
return HandleActive;
}
__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{
bool NameFound = false;
HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID tmpHandleFullName = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -139,9 +130,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD
TotalHandleCount--;
}
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
if(!NameFound)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
@ -151,33 +139,26 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD
{
return(HandleFullName);
}
return(NULL);
}
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{
bool NameFound = false;
HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -219,9 +200,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD
TotalHandleCount--;
}
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
if(!NameFound)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
@ -238,21 +216,15 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId,
{
HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL;
ULONG QuerySystemBufferSize = 0x2000;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -268,35 +240,27 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId,
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(HandleCount);
return(NULL);
}
__declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn)
{
HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleFullData[0x1000] = {0};
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
bool DontFreeStringMemory = false;
ULONG_PTR ReturnData = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -325,7 +289,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess,
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
RtlZeroMemory(HandleFullData, 0x1000);
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
@ -342,7 +306,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess,
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
RtlZeroMemory(HandleFullData, 0x1000);
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
@ -366,16 +330,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess,
{
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
}
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(ReturnData);
if(!DontFreeStringMemory)
{
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
}
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
return(NULL);
}
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle)
{
@ -411,29 +366,24 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -469,7 +419,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName;
}
}
@ -498,9 +447,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return(FoundHandles);
}
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
@ -525,27 +472,24 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -581,7 +525,6 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName;
}
}
@ -607,18 +550,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
if(AllHandled)
{
return true;
}
else
{
return false;
}
return AllHandled;
}
__declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
@ -641,27 +574,24 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -697,7 +627,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName;
}
}
@ -710,9 +639,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
{
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
EngineCloseHandle(myHandle);
return true;
}
@ -724,9 +650,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return false;
}
@ -736,25 +659,20 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
HANDLE myHandle = NULL;
HANDLE copyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL;
ULONG QuerySystemBufferSize = 0x2000;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleFullData[0x1000] = {0};
char HandleNameDataB[0x1000] = {0};
LPVOID HandleNameData = HandleNameDataB;
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -767,7 +685,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
{
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, 0x1000);
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
@ -789,9 +707,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(HandleCount);
}
@ -816,7 +731,7 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
return 0;
int i;
HANDLE myHandle;
LPVOID HandleBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleBuffer[0x1000] = {0};
LPVOID cHandleBuffer = HandleBuffer;
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE);
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
@ -833,14 +748,12 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
{
if(lstrcmpiW(HandleName, RealMutexName) == NULL)
{
VirtualFree(HandleBuffer, NULL, MEM_RELEASE);
return((ULONG_PTR)myHandle);
}
}
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE);
}
}
VirtualFree(HandleBuffer, NULL, MEM_RELEASE);
return(NULL);
}
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString)
@ -865,28 +778,24 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
HANDLE hProcess = NULL;
DWORD ReturnData = NULL;
HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG RequiredSize = NULL;
DWORD LastProcessId = NULL;
ULONG TotalHandleCount = NULL;
ULONG QuerySystemBufferSize = 0x2000;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char HandleFullData[0x1000] = {0};
char HandleNameData[0x1000] = {0};
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
lstrcatW(RealMutexName, szMutexString);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -908,10 +817,10 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
{
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, 0x1000);
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectTypeInfo->TypeName.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
@ -920,10 +829,9 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
{
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectNameInfo->Name.Length != NULL)
{
RtlZeroMemory(HandleNameData, 0x1000);
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL)
@ -941,10 +849,6 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(ReturnData);
}


@ -7,10 +7,7 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
{
ULONG RequiredLen = 0;
void * PebAddress = 0;
PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
if(!myProcessBasicInformation)
return 0;
PROCESS_BASIC_INFORMATION myProcessBasicInformation[5] = {0};
if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{
@ -24,8 +21,6 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
}
}
VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
return PebAddress;
}
@ -33,10 +28,7 @@ __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread)
{
ULONG RequiredLen = 0;
void * TebAddress = 0;
PTHREAD_BASIC_INFORMATION myThreadBasicInformation = (PTHREAD_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(THREAD_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
if(!myThreadBasicInformation)
return 0;
THREAD_BASIC_INFORMATION myThreadBasicInformation[5] = {0};
if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{
@ -50,8 +42,6 @@ __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread)
}
}
VirtualFree(myThreadBasicInformation, 0, MEM_RELEASE);
return TebAddress;
}


@ -174,7 +174,7 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t*
DWORD OverlayStart = 0;
DWORD OverlaySize = 0;
DWORD ueNumberOfBytesRead = 0;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ueReadBuffer[0x2000] = {0};
Return = FindOverlayW(szFileName, &OverlayStart, &OverlaySize);
if(Return)
@ -189,7 +189,7 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t*
SetFilePointer(hFile, OverlayStart, NULL, FILE_BEGIN);
while(OverlaySize > 0)
{
RtlZeroMemory(ueReadBuffer, 0x2000);
RtlZeroMemory(ueReadBuffer, sizeof(ueReadBuffer));
if(OverlaySize > 0x1000)
{
@ -220,20 +220,17 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t*
OverlaySize = 0;
}
}
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
EngineCloseHandle(hFile);
EngineCloseHandle(hFileWrite);
return true;
}
else
{
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
EngineCloseHandle(hFile);
return false;
}
}
}
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
__declspec(dllexport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName)
@ -262,7 +259,7 @@ __declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szO
DWORD OverlaySize = 0;
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
char ueReadBuffer[0x2000] = {0};
hFile = CreateFileW(szFileName, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
@ -275,7 +272,7 @@ __declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szO
SetFilePointer(hFile, FileSize, NULL, FILE_BEGIN);
while(OverlaySize > 0)
{
RtlZeroMemory(ueReadBuffer, 0x2000);
RtlZeroMemory(ueReadBuffer, sizeof(ueReadBuffer));
if(OverlaySize > 0x1000)
{
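Review bot: The chunk size in ExtractOverlayW is still the literal 0x1000 at `if(OverlaySize > 0x1000)` while the buffer length two lines above is now spelled `sizeof(ueReadBuffer)`, so the two only agree because 0x2000 happens to exceed 0x1000; AddOverlayW has the same pair. Either derive the chunk from the buffer, `const DWORD ChunkSize = sizeof(ueReadBuffer);` and compare against ChunkSize, or shrink the array to 0x1000 if, as the comparison suggests, the ReadFile further down never reads more than that per iteration. Both functions continue outside their hunks, so the ReadFile length is not visible here.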


@ -161,6 +161,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3];
ULONG_PTR fileSectionTemp;
LPVOID sortedFileName;
DynBuf sortedFileNameBuf;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
@ -198,7 +199,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
}
if(!FileIs64)
{
sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE);
sortedFileName = sortedFileNameBuf.Allocate(FileSize);
__try
{
RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize);
@ -238,7 +239,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
}
RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
if(szBackupItem[0] != NULL)
{
if(CopyFileW(szBackupFile, szFileName, false))
@ -260,14 +260,13 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
RemoveGarbageItem(szBackupItem, true);
return false;
}
}
else
{
sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE);
sortedFileName = sortedFileNameBuf.Allocate(FileSize);
__try
{
RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize);
@ -307,7 +306,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
}
RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
if(szBackupItem[0] != NULL)
{
if(CopyFileW(szBackupFile, szFileName, false))
@ -329,7 +327,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
RemoveGarbageItem(szBackupItem, true);
return false;
}
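Review bot: `sortedFileName = sortedFileNameBuf.Allocate(FileSize);` is never checked for NULL, and DynBuf::Allocate swallows the allocation failure and returns NULL instead of throwing, so when FileSize cannot be allocated the following `RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize)` faults into the `__except` handler and the function returns false only by courtesy of SEH. Check explicitly before entering `__try`, in both the 32-bit and the 64-bit branch, e.g. `if(!sortedFileName) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); RemoveGarbageItem(szBackupItem, true); return false; }`, assuming the mapping is already established at that point as the `__except` cleanup implies. The gap existed with VirtualAlloc too, but the commit rewrites exactly these lines; ResortFileSectionsW starts outside the hunk.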


@ -35,7 +35,8 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
BOOL FileIs64 = false;
HANDLE hFile = 0;
SIZE_T CalculatedHeaderSize = NULL;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
DWORD OldProtect = PAGE_READWRITE;
hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
@ -63,12 +64,10 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
if(CalculatedHeaderSize > 0x1000)
{
SetFilePointer(hFile, NULL, NULL, FILE_BEGIN);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
ueReadBuffer = VirtualAlloc(NULL, CalculatedHeaderSize, MEM_COMMIT, PAGE_READWRITE);
ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize);
if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL))
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
@ -91,7 +90,6 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
if(!FileIs64)
@ -103,20 +101,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
{
EngineCloseHandle(hFile);
VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return true;
}
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
@ -129,20 +124,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
{
EngineCloseHandle(hFile);
VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return true;
}
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
@ -150,21 +142,18 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
}
else
{
EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false;
}
return false;
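Review bot: `ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize);` takes a size that, judging from its name and the `> 0x1000` branch, is derived from the PE header read off the file, and neither that call nor the initial `ueReadBuf.Allocate(0x2000)` is checked for NULL; DynBuf::Allocate returns NULL on a failed or oversized resize rather than throwing. Today a NULL buffer only works out because `ReadFile` fails on it and that path closes the file, so make the guard explicit and bound the request: `if(CalculatedHeaderSize > kMaxHeaderBytes /* constructed placeholder: choose a project cap */ || !(ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize))) { EngineCloseHandle(hFile); return false; }`. The cap name is a placeholder; PastePEHeaderW and the header-size computation begin outside the hunk.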


@ -258,6 +258,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
DWORD RelocationBase = NULL;
DWORD RelocationSize = NULL;
DWORD OldProtect;
DynBuf mem;
if(RelocationData != NULL)
{
@ -269,7 +270,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
MemorySize = MemInfo.RegionSize;
}
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
ReadMemoryStorage = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE);
ReadMemoryStorage = mem.Allocate(MemorySize);
mReadMemoryStorage = ReadMemoryStorage;
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead))
{
@ -281,12 +282,10 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4);
RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4);
}
VirtualFree(mReadMemoryStorage, NULL, MEM_RELEASE);
return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage)));
}
else
{
VirtualFree(ReadMemoryStorage, NULL, MEM_RELEASE);
return false;
}
}
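Review bot: `ReadMemoryStorage = mem.Allocate(MemorySize);` is unchecked although MemorySize is taken from `MemInfo.RegionSize` of the debuggee and DynBuf::Allocate returns NULL when the resize fails; the NULL then reaches `ReadProcessMemory`, which fails and drops into the `return false` branch, so correctness rests on that API rejecting a NULL buffer. Add `if(!ReadMemoryStorage) return false;` directly after the Allocate, and note that `VirtualProtectEx` has already changed the region's protection by then, so that path should restore OldProtect if the function does so elsewhere, which the hunk does not show. `mem` as a local name also reads like the DynBuf member; `readStorage` would be clearer. RelocaterGrabRelocationTableEx starts outside the hunk.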


@ -454,7 +454,8 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR
DWORD SizeToRead;
HANDLE hReadFile;
HANDLE hWriteFile;
LPVOID ueCopyBuffer;
//LPVOID ueCopyBuf;
char ueCopyBuffer[0x1000] = {0};
ULONG_PTR AddressToCopy;
DWORD rfNumberOfBytesRead;
@ -473,29 +474,27 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR
}
if(SetFilePointer(hReadFile, (long)AddressToCopy, NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER)
{
ueCopyBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(ueCopyBuffer != NULL)
{
EngineCreatePathForFileW(szDumpFileName);
hWriteFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hWriteFile != INVALID_HANDLE_VALUE)
{
if(Size < 0x1000)
if(Size < sizeof(ueCopyBuffer))
{
SizeToRead = Size;
}
else
{
SizeToRead = 0x1000;
SizeToRead = sizeof(ueCopyBuffer);
}
while((int)Size > NULL)
{
if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead)
{
WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL);
if(Size > 0x1000)
if(Size > sizeof(ueCopyBuffer))
{
Size = Size - 0x1000;
Size = Size - sizeof(ueCopyBuffer);
}
else if(SizeToRead != Size)
{
@ -524,13 +523,8 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR
}
EngineCloseHandle(hReadFile);
EngineCloseHandle(hWriteFile);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true;
}
else
{
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
}
}
}
EngineCloseHandle(hReadFile);
@ -559,36 +553,34 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD Ra
DWORD SizeToRead;
HANDLE hReadFile;
HANDLE hWriteFile;
LPVOID ueCopyBuffer;
char ueCopyBuffer[0x1000] = {0};
DWORD rfNumberOfBytesRead;
if(DuplicateHandle(GetCurrentProcess(), hFile, GetCurrentProcess(), &hReadFile, NULL, false, DUPLICATE_SAME_ACCESS))
{
if(SetFilePointer(hReadFile, (long)(RawAddressToCopy), NULL, FILE_BEGIN) != INVALID_SET_FILE_POINTER)
{
ueCopyBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(ueCopyBuffer != NULL)
{
EngineCreatePathForFileW(szDumpFileName);
hWriteFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hWriteFile != INVALID_HANDLE_VALUE)
{
if(Size < 0x1000)
if(Size < sizeof(ueCopyBuffer))
{
SizeToRead = Size;
}
else
{
SizeToRead = 0x1000;
SizeToRead = sizeof(ueCopyBuffer);
}
while((int)Size > NULL)
while((int)Size > 0)
{
if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead)
{
WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL);
if(Size > 0x1000)
if(Size > sizeof(ueCopyBuffer))
{
Size = Size - 0x1000;
Size = Size - sizeof(ueCopyBuffer);
}
else if(SizeToRead != Size)
{
@ -601,29 +593,24 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD Ra
WriteFile(hWriteFile, ueCopyBuffer, rfNumberOfBytesRead, &rfNumberOfBytesRead, NULL);
}
SizeToRead = Size;
Size = NULL;
Size = 0;
}
else
{
SizeToRead = Size;
Size = NULL;
Size = 0;
}
}
else
{
WriteFile(hWriteFile, ueCopyBuffer, rfNumberOfBytesRead, &rfNumberOfBytesRead, NULL);
Size = NULL;
Size = 0;
}
}
EngineCloseHandle(hReadFile);
EngineCloseHandle(hWriteFile);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true;
}
else
{
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
}
}
}
EngineCloseHandle(hReadFile);
@ -651,7 +638,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6
DWORD SizeToRead;
HANDLE hReadFile;
HANDLE hWriteFile;
LPVOID ueCopyBuffer;
char ueCopyBuffer[0x1000] = {0};
DWORD rfNumberOfBytesRead;
long FilePosLow;
long FilePosHigh;
@ -662,8 +649,6 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6
RtlMoveMemory(&FilePosHigh, (void*)((ULONG_PTR)(&RawAddressToCopy) + 4), 4);
if(SetFilePointer(hReadFile, FilePosLow, &FilePosHigh, FILE_BEGIN) != INVALID_SET_FILE_POINTER)
{
ueCopyBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(ueCopyBuffer != NULL)
{
EngineCreatePathForFileW(szDumpFileName);
hWriteFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
@ -713,12 +698,8 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6
}
EngineCloseHandle(hReadFile);
EngineCloseHandle(hWriteFile);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true;
}
else
{
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
}
}
}
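Review bot: The loop condition in StaticRawMemoryCopyW is still `while((int)Size > NULL)` while the same line in StaticRawMemoryCopyExW was changed to `while((int)Size > 0)`; the `(int)` cast stays in both, so any Size of 0x80000000 or more reads as negative and the copy loop is skipped entirely. Write `while(Size > 0)` in all three copy functions (Size's declaration is outside the hunk; if it is unsigned the cast is simply wrong, if signed the comparison is the same without it). Dropping `if(ueCopyBuffer != NULL)` also leaves a bare `{ ... }` scope behind in each function, the `{` right after `if(SetFilePointer(...))`, and the commented-out `//LPVOID ueCopyBuf;` should go rather than stay as dead text.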


@ -16,6 +16,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
int LengthOfValidInstruction = 0;
int CurrentNumberOfInstructions = 0;
MEMORY_BASIC_INFORMATION MemInfo;
DynBuf tracmem;
LPVOID TraceMemory, cTraceMemory;
ULONG_PTR ueNumberOfBytesRead = NULL;
DWORD LastPushValue = NULL;
@ -41,7 +42,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
{
memSize = 0x4000;
}
TraceMemory = VirtualAlloc(NULL, memSize, MEM_COMMIT, PAGE_READWRITE);
TraceMemory = tracmem.Allocate(memSize);
cTraceMemory = TraceMemory;
if(ReadProcessMemory(hProcess, (LPVOID)MemInfo.BaseAddress, TraceMemory, memSize, &ueNumberOfBytesRead))
{
@ -491,7 +492,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
}
TraceStartAddress = TraceStartAddress + CurrentInstructionSize;
}
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
if(!HashInstructions)
{
if(FoundValidAPI == true)
@ -518,7 +518,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
}
else
{
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
}
}
}
@ -716,6 +715,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
DWORD MemoryHash = NULL;
DWORD MaximumReadSize = 0;
DWORD TestAddressX86;
DynBuf tracemem;
LPVOID TraceMemory;
bool HashCheck = false;
@ -734,7 +734,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
}
if(sizeof HANDLE == 4)
{
TraceMemory = VirtualAlloc(NULL, MaximumReadSize, MEM_COMMIT, PAGE_READWRITE);
TraceMemory = tracemem.Allocate(MaximumReadSize);
if(!TraceMemory)
{
return (NULL);
@ -1103,12 +1103,10 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
}
}
}
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
return(KnownRedirectionIndex);
}
else
{
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
}
}
}
@ -1124,10 +1122,8 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
PMEMORY_CMP_HANDLER cMem;
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRead = NULL;
LPVOID TracerReadMemory = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char TracerReadMemory[0x1000] = {0};
DWORD MaximumReadSize=0x1000;
if(!TracerReadMemory)
return (NULL);
cMem = (PMEMORY_CMP_HANDLER)TracerReadMemory;
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
@ -1165,13 +1161,11 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
RtlMoveMemory(&ReadAddressX86, &cMem->DataByte[8], 4);
TestAddressX86 = TestAddressX86 + ReadAddressX86;
}
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1184,14 +1178,12 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4);
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1211,14 +1203,12 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
}
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1267,7 +1257,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
}
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
@ -1277,7 +1266,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4);
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
@ -1285,7 +1273,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1310,7 +1297,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
TestAddressX86 = TestAddressX86 ^ ReadAddressX86;
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
@ -1318,7 +1304,6 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1329,13 +1314,11 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
if(ReadProcessMemory(hProcess, (LPVOID)AddressToTrace, TracerReadMemory, MaximumReadSize, &ueNumberOfBytesRead))
{
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[1], 4);
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1356,20 +1339,17 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
{
TestAddressX86 = (DWORD)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetCommandLineW"));
}
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
else if(cMem->DataByte[0] == 0xC8)
{
TestAddressX86 = (DWORD)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1381,13 +1361,11 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
{
cMem = (PMEMORY_CMP_HANDLER)((ULONG_PTR)cMem + 0x34);
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[0], 4);
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
@ -1432,18 +1410,15 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces
{
TestAddressX86 = (DWORD)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"));
}
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return((DWORD)TestAddressX86);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
}
VirtualFree(TracerReadMemory, NULL, MEM_RELEASE);
return(NULL);
}
@ -1456,8 +1431,8 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
ULONG_PTR fImpRecTrace = NULL;
PMEMORY_CMP_HANDLER cmpModuleName;
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteLoadLibrary - (ULONG_PTR)&injectedImpRec);
LPVOID szModuleName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID szGarbageFile = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char szModuleName[0x1100] = {0};
char szGarbageFile[0x1100] = {0};
LPVOID cModuleName = szModuleName;
ULONG_PTR NumberOfBytesWritten;
InjectImpRecCodeData APIData;
@ -1473,7 +1448,7 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(GetModuleFileNameA(engineHandle, (LPCH)szModuleName, 0x1000) > NULL)
if(GetModuleFileNameA(engineHandle, (LPCH)szModuleName, sizeof(szModuleName)-0x100) > NULL)
{
cModuleName = (LPVOID)((ULONG_PTR)cModuleName + lstrlenA((LPCSTR)szModuleName));
cmpModuleName = (PMEMORY_CMP_HANDLER)(cModuleName);
@ -1546,7 +1521,5 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
}
}
}
VirtualFree(szModuleName, NULL, MEM_RELEASE);
VirtualFree(szGarbageFile, NULL, MEM_RELEASE);
return(TracedAddress);
}


@ -5,7 +5,7 @@
__declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName)
{
LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned
char szDeviceName[3] = "A:";
char szDeviceCOMName[5] = "COM0";
int CurrentDeviceLen;
@ -50,7 +50,7 @@ __declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName)
__declspec(dllexport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName)
{
LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned
wchar_t szDeviceName[3] = L"A:";
wchar_t szDeviceCOMName[5] = L"COM0";
int CurrentDeviceLen;
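Review bot: The new `//pointer is returned` comment on both the A and W variants leaves the ownership contract unstated: the 0x1000-byte block comes from VirtualAlloc, so the caller has to release it with `VirtualFree(p, 0, MEM_RELEASE)` (not free()/delete), and nothing in the hunk shows whether a NULL result from VirtualAlloc is checked before the buffer is written. I would replace the comment with `// 0x1000-byte block owned by the caller; release with VirtualFree(p, 0, MEM_RELEASE). NULL on allocation failure` once the NULL handling is confirmed. The output buffer is also a fixed 0x1000 bytes, so the copy of szNativeName into it presumably needs a length bound; that copy is outside this hunk. Both function bodies continue past the hunk, so only the allocation line was reviewed here.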


@ -82,6 +82,8 @@
<Unit filename="Global.Garbage.h" />
<Unit filename="Global.Handle.cpp" />
<Unit filename="Global.Handle.h" />
<Unit filename="Global.Helper.cpp" />
<Unit filename="Global.Helper.h" />
<Unit filename="Global.Injector.cpp" />
<Unit filename="Global.Injector.h" />
<Unit filename="Global.Librarian.cpp" />


@ -224,6 +224,7 @@
<ClCompile Include="Global.Engine.Threading.cpp" />
<ClCompile Include="Global.Garbage.cpp" />
<ClCompile Include="Global.Handle.cpp" />
<ClCompile Include="Global.Helper.cpp" />
<ClCompile Include="Global.Injector.cpp" />
<ClCompile Include="Global.Librarian.cpp" />
<ClCompile Include="Global.Mapping.cpp" />
@ -289,6 +290,7 @@
<ClInclude Include="Global.Engine.Threading.h" />
<ClInclude Include="Global.Garbage.h" />
<ClInclude Include="Global.Handle.h" />
<ClInclude Include="Global.Helper.h" />
<ClInclude Include="Global.Injector.h" />
<ClInclude Include="Global.Librarian.h" />
<ClInclude Include="Global.Mapping.h" />


@ -278,6 +278,12 @@
<ClInclude Include="ntdll.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Global.Helper.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="ntdll.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Global.Engine.Importer.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
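Review bot: The added lines include a second `<ClInclude Include="ntdll.h">` item, identical to the one shown as context three lines above it, which looks like a leftover from the TitanEngine.vcxproj.filters conflict listed in the commit message. Visual Studio is likely to flag the duplicate item when the filters file is loaded. Drop the second `<ClInclude Include="ntdll.h"> <Filter>Header Files</Filter> </ClInclude>` block so that only the new Global.Helper.h entry remains.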


@ -33,6 +33,8 @@
#include "aplib.h"
#include "LzmaDec.h"
#include "Global.Helper.h"
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
// Engine.Internal: