x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

refactored functions to use scylla: 

ImporterAutoSearchIAT(DWORD ProcessId
ImporterAutoSearchIATW(DWORD ProcessId
ImporterAutoSearchIATEx(DWORD ProcessId

- these now have process ID as first param, not handle

ImporterAutoFixIATEx
ImporterAutoFixIATExW
ImporterAutoFixIAT
ImporterAutoFixIATW
- first param now DWORD pid
- params imagebase, searchSize, searchStep now obsolete
This commit is contained in:
cypherpunk 2014-01-12 16:24:45 +01:00
parent 52aade33ba
commit c74ac34963
2 changed files with 70 additions and 681 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

725
TitanEngine/TitanEngine.cpp
View File

@ -19572,16 +19572,13 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char*
} }
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar_t* szFileName, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize) __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar_t* szFileName, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize)
{ {
HANDLE hProcess = 0; ULONG_PTR iatStart = NULL;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); ULONG_PTR iatSize = NULL;
DWORD iatStart = 0xDEADBEEF;
DWORD iatSize = 0xDEADBEEF;
if(hProcess!=0) {
scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false); scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
} RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
return; return;
} }
@ -19597,7 +19594,9 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULON
{ {
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName)) if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
{ {
//DumpProcessW(ProcessId, (LPVOID)ImageBase, szTempName, NULL); //TODO //HANDLE hProcess = 0;
//hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
//DumpProcessW(ProcessId, (LPVOID)ImageBase, szTempName, NULL); TODO
ImporterAutoSearchIATW(ProcessId, szTempName, ImageBase, SearchStart, SearchSize, pIATStart, pIATSize); ImporterAutoSearchIATW(ProcessId, szTempName, ImageBase, SearchStart, SearchSize, pIATStart, pIATSize);
DeleteFileW(szTempName); DeleteFileW(szTempName);
} }
@ -19683,7 +19682,7 @@ __declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack)
} }
} }
} }
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(HANDLE hProcess, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback) __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{ {
wchar_t uniDumpedFile[MAX_PATH] = {}; wchar_t uniDumpedFile[MAX_PATH] = {};
@ -19691,663 +19690,71 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(HANDLE hProcess, char* s
if(szDumpedFile != NULL) if(szDumpedFile != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpedFile, lstrlenA(szDumpedFile)+1, uniDumpedFile, sizeof(uniDumpedFile)/(sizeof(uniDumpedFile[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpedFile, lstrlenA(szDumpedFile)+1, uniDumpedFile, sizeof(uniDumpedFile)/(sizeof(uniDumpedFile[0])));
return(ImporterAutoFixIATExW(hProcess, uniDumpedFile, szSectionName, DumpRunningProcess, RealignFile, EntryPointAddress, ImageBase, SearchStart, SearchSize, SearchStep, TryAutoFix, FixEliminations, UnknownPointerFixCallback)); return(ImporterAutoFixIATExW(ProcessId, uniDumpedFile, szSectionName, DumpRunningProcess, RealignFile, EntryPointAddress, SearchStart, TryAutoFix, FixEliminations, UnknownPointerFixCallback));
} }
else else
{ {
return(NULL); // Critical error! *just to be safe, but it should never happen! return(NULL); // Critical error! *just to be safe, but it should never happen!
} }
} }
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(HANDLE hProcess, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback) __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{ {
int i;
int j;
int delta;
int currentSectionSize;
#if !defined(_WIN64)
PE32Struct PEStructure;
#else
PE64Struct PEStructure;
#endif
typedef void*(TITCALL *fFixerCallback)(LPVOID fIATPointer);
fFixerCallback myFixerCallback = (fFixerCallback)UnknownPointerFixCallback;
MEMORY_BASIC_INFORMATION MemInfo;
DWORD SectionFlags;
HANDLE FileHandle; HANDLE FileHandle;
DWORD FileSize; DWORD FileSize;
HANDLE FileMap; HANDLE FileMap;
ULONG_PTR FileMapVA; ULONG_PTR FileMapVA;
LPVOID aSearchMemory; ULONG_PTR iatStart = NULL;
LPVOID cSearchMemory; ULONG_PTR iatSize = NULL;
LPVOID aEnumeratedModules; TCHAR IatFixFileName[MAX_PATH];
ULONG_PTR ueNumberOfBytesRead; TCHAR DumpFileName[MAX_PATH];
DWORD dwPossibleIATPointer;
ULONG_PTR qwPossibleIATPointer;
ULONG_PTR PossibleIATPointer;
ULONG_PTR TracedIATPointer;
PMEMORY_COMPARE_HANDLER currentSearchPos;
DWORD SetionVirtualOffset;
ULONG_PTR TestReadData;
DWORD LastDllId = 1024;
bool FileIs64 = false;
bool PossibleThunk = false;
bool UpdateJump = false;
DWORD CurrentDllId;
char* szDLLName;
char* szAPIName;
DWORD TraceIndex;
DWORD Dummy;
if(hProcess == NULL) lstrcpy(DumpFileName, szDumpedFile);
{
return(0x401); // Error, process terminated TCHAR* Extension = wcsrchr(DumpFileName, L'.');
} TCHAR Bak = *Extension;
if(SearchStep == NULL) *Extension = 0;
{ lstrcpy(IatFixFileName, DumpFileName);
SearchStep++; *Extension = Bak;
} lstrcat(IatFixFileName, L"_");
lstrcat(IatFixFileName, Extension);
lstrcat(DumpFileName, Extension);
//do we need to dump first?
/* TODO
if(DumpRunningProcess) if(DumpRunningProcess)
{ {
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress)) if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress))
{ {
return(NULL); // Critical error! *just to be safe, but it should never happen! return(NULL); // Critical error! *just to be safe, but it should never happen!
} }
}*/
//we need to fix iat, thats for sure
int ret = scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
if(ret != SCY_ERROR_SUCCESS) {
if(ret == SCY_ERROR_PROCOPEN) {
return (0x401); //error proc terminated
}
if(ret == SCY_ERROR_IATNOTFOUND || ret == SCY_ERROR_IATSEARCH) {
return (0x405); //no API found
}
} }
aEnumeratedModules = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); scylla_getImports(iatStart, iatSize, ProcessId);
if(EnumProcessModules(hProcess, (HMODULE*)aEnumeratedModules, 0x2000, &Dummy))
{ if(!scylla_importsValid()) {
aSearchMemory = VirtualAlloc(NULL, SearchSize, MEM_COMMIT, PAGE_READWRITE); //TODO call UnknownPointerFixCallback for every bad import, scylla_wrapper needs to be enhanced tho
cSearchMemory = aSearchMemory; return (0x405);
__try }
{
if(SearchStart == NULL || ReadProcessMemory(hProcess, (LPVOID)SearchStart, aSearchMemory, SearchSize, &ueNumberOfBytesRead)) ret = scylla_fixDump(szDumpedFile, IatFixFileName);
{
ImporterInit(MAX_IMPORT_ALLOC, ImageBase); if(ret == SCY_ERROR_IATWRITE) {
if(SearchStart != NULL) return (0x407);
{ }
//SearchSize = SearchSize / SearchStep;
while((int)SearchSize > NULL) //do we need to realign ?
{
RtlMoveMemory(&PossibleIATPointer, cSearchMemory, sizeof ULONG_PTR);
if(ReadProcessMemory(hProcess, (LPVOID)PossibleIATPointer, &TestReadData, sizeof ULONG_PTR, &ueNumberOfBytesRead))
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
if(CurrentDllId == NULL && TryAutoFix == true)
{
TraceIndex = TracerDetectRedirection(hProcess, PossibleIATPointer);
if(TraceIndex > NULL)
{
PossibleIATPointer = (ULONG_PTR)TracerFixKnownRedirection(hProcess, PossibleIATPointer, TraceIndex);
if(PossibleIATPointer != NULL)
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
else
{
TracedIATPointer = (ULONG_PTR)TracerLevel1(hProcess, PossibleIATPointer);
if(TracedIATPointer > 0x1000)
{
PossibleIATPointer = TracedIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
else
{
if(TracedIATPointer != NULL)
{
TracedIATPointer = (ULONG_PTR)HashTracerLevel1(hProcess, PossibleIATPointer, (DWORD)TracedIATPointer);
if(TracedIATPointer != NULL)
{
PossibleIATPointer = TracedIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
}
}
}
if(CurrentDllId == NULL && UnknownPointerFixCallback != NULL)
{
__try
{
PossibleIATPointer = (ULONG_PTR)myFixerCallback((LPVOID)PossibleIATPointer);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnknownPointerFixCallback = NULL;
PossibleIATPointer = NULL;
}
if(PossibleIATPointer != NULL)
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
if(CurrentDllId != NULL)
{
if(LastDllId != CurrentDllId)
{
LastDllId = CurrentDllId;
szDLLName = (char*)ImporterGetDLLNameFromDebugee(hProcess, PossibleIATPointer);
szAPIName = (char*)ImporterGetAPINameFromDebugee(hProcess, PossibleIATPointer);
if(szDLLName != NULL && szAPIName != NULL)
{
ImporterAddNewDll(szDLLName, (ULONG_PTR)((ULONG_PTR)cSearchMemory - (ULONG_PTR)aSearchMemory + SearchStart));
ImporterAddNewAPI(szAPIName, (ULONG_PTR)((ULONG_PTR)cSearchMemory - (ULONG_PTR)aSearchMemory + SearchStart));
}
else if(szDLLName != NULL && szAPIName == NULL)
{
ImporterAddNewDll(szDLLName, (ULONG_PTR)((ULONG_PTR)cSearchMemory - (ULONG_PTR)aSearchMemory + SearchStart));
ImporterAddNewAPI((char*)ImporterGetAPIOrdinalNumberFromDebugee(hProcess, PossibleIATPointer), (ULONG_PTR)((ULONG_PTR)cSearchMemory - (ULONG_PTR)aSearchMemory + SearchStart));
}
}
else
{
szAPIName = (char*)ImporterGetAPINameFromDebugee(hProcess, PossibleIATPointer);
if(szAPIName != NULL)
{
ImporterAddNewAPI(szAPIName, (ULONG_PTR)((ULONG_PTR)cSearchMemory - (ULONG_PTR)aSearchMemory + SearchStart));
}
else
{
szAPIName = (char*)ImporterGetAPIOrdinalNumberFromDebugee(hProcess, PossibleIATPointer);
if(szAPIName != NULL)
{
ImporterAddNewAPI(szAPIName, (ULONG_PTR)((ULONG_PTR)cSearchMemory - (ULONG_PTR)aSearchMemory + SearchStart));
}
}
}
}
}
else
{
if(PossibleIATPointer == NULL)
{
LastDllId = NULL;
}
}
cSearchMemory = (LPVOID)((ULONG_PTR)cSearchMemory + SearchStep);
SearchSize = SearchSize - SearchStep;
}
}
if(FixEliminations)
{
LastDllId = 1024;
if(ImporterGetAddedDllCount() == NULL)
{
ImporterCleanup();
ImporterInit(MAX_IMPORT_ALLOC, ImageBase);
}
if(GetPE32DataExW(szDumpedFile, &PEStructure))
{
if(MapFileExW(szDumpedFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
ImporterMoveIAT();
ImporterSetUnknownDelta((ULONG_PTR)EngineEstimateNewSectionRVA(FileMapVA));
for(i = 0; i < PEStructure.SectionNumber; i++)
{
if(GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONRAWSIZE) > 4)
{
SectionFlags = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONFLAGS);
SetionVirtualOffset = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONVIRTUALOFFSET);
if(SectionFlags & IMAGE_SCN_MEM_EXECUTE || SectionFlags & IMAGE_SCN_CNT_CODE || SectionFlags & IMAGE_SCN_MEM_WRITE || SectionFlags & IMAGE_SCN_CNT_INITIALIZED_DATA)
{
currentSearchPos = (PMEMORY_COMPARE_HANDLER)(FileMapVA + GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONRAWOFFSET));
currentSectionSize = (int)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONRAWSIZE) - 6;
for(j = 0; j < currentSectionSize; j++)
{
if(!FileIs64)
{
// x86
delta = 0;
PossibleThunk = false;
UpdateJump = false;
if(currentSearchPos->Array.bArrayEntry[0] == 0xFF && (currentSearchPos->Array.bArrayEntry[1] == 0x15 || currentSearchPos->Array.bArrayEntry[1] == 0x25))
{
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + 2);
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos - 2);
if(PossibleIATPointer > PEStructure.ImageBase && PossibleIATPointer < PEStructure.ImageBase + PEStructure.NtSizeOfImage)
{
PossibleThunk = true;
delta = 2;
}
else
{
VirtualQueryEx(hProcess, (LPVOID)PossibleIATPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect & PAGE_READWRITE || MemInfo.Protect & PAGE_EXECUTE_READWRITE || MemInfo.Protect & PAGE_EXECUTE))
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
PossibleThunk = true;
delta = 2;
}
}
}
else if(currentSearchPos->Array.bArrayEntry[0] == 0xE8 || currentSearchPos->Array.bArrayEntry[0] == 0xE9)
{
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + 1);
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset + ImageBase;
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos - 1);
if(PossibleIATPointer > PEStructure.ImageBase && PossibleIATPointer < PEStructure.ImageBase + PEStructure.NtSizeOfImage)
{
PossibleThunk = true;
UpdateJump = true;
delta = 1;
}
else
{
VirtualQueryEx(hProcess, (LPVOID)PossibleIATPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect & PAGE_READWRITE || MemInfo.Protect & PAGE_EXECUTE_READWRITE || MemInfo.Protect & PAGE_EXECUTE))
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
PossibleThunk = true;
UpdateJump = true;
delta = 1;
}
}
}
else if(currentSearchPos->Array.dwArrayEntry[0] > PEStructure.ImageBase && currentSearchPos->Array.dwArrayEntry[0] < PEStructure.ImageBase + PEStructure.NtSizeOfImage)
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
PossibleThunk = true;
delta = 0;
}
else
{
VirtualQueryEx(hProcess, (LPVOID)currentSearchPos->Array.dwArrayEntry[0], &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect & PAGE_READWRITE || MemInfo.Protect & PAGE_EXECUTE_READWRITE || MemInfo.Protect & PAGE_EXECUTE))
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
PossibleThunk = true;
delta = 0;
}
}
if(PossibleThunk)
{
if(ReadProcessMemory(hProcess, (LPVOID)PossibleIATPointer, &dwPossibleIATPointer, 4, &ueNumberOfBytesRead))
{
VirtualQueryEx(hProcess, (LPVOID)dwPossibleIATPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect >= PAGE_READONLY || MemInfo.Protect <= PAGE_EXECUTE_READWRITE))
{
PossibleIATPointer = (ULONG_PTR)dwPossibleIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
if(CurrentDllId == NULL && TryAutoFix == true)
{
TraceIndex = TracerDetectRedirection(hProcess, PossibleIATPointer);
if(TraceIndex > NULL)
{
PossibleIATPointer = (ULONG_PTR)TracerFixKnownRedirection(hProcess, PossibleIATPointer, TraceIndex);
if(PossibleIATPointer != NULL)
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
else
{
TracedIATPointer = (ULONG_PTR)TracerLevel1(hProcess, PossibleIATPointer);
if(TracedIATPointer > 0x1000)
{
PossibleIATPointer = TracedIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
else
{
if(TracedIATPointer != NULL)
{
TracedIATPointer = (ULONG_PTR)HashTracerLevel1(hProcess, PossibleIATPointer, (DWORD)TracedIATPointer);
if(TracedIATPointer != NULL)
{
PossibleIATPointer = TracedIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
}
}
}
if(CurrentDllId == NULL && UnknownPointerFixCallback != NULL)
{
__try
{
PossibleIATPointer = (ULONG_PTR)myFixerCallback((LPVOID)PossibleIATPointer);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnknownPointerFixCallback = NULL;
PossibleIATPointer = NULL;
}
if(PossibleIATPointer != NULL)
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
if(CurrentDllId != NULL)
{
szDLLName = (char*)ImporterGetDLLNameFromDebugee(hProcess, PossibleIATPointer);
szAPIName = (char*)ImporterGetAPINameFromDebugee(hProcess, PossibleIATPointer);
if(szAPIName == NULL)
{
szAPIName = (char*)ImporterGetAPIOrdinalNumberFromDebugee(hProcess, PossibleIATPointer);
}
if(szDLLName != NULL && szAPIName != NULL)
{
if(ImporterGetAddedDllCount() > NULL)
{
PossibleIATPointer = (ULONG_PTR)ImporterFindAPIWriteLocation(szAPIName);
}
else
{
PossibleIATPointer = NULL;
}
if(PossibleIATPointer != NULL)
{
dwPossibleIATPointer = (DWORD)(PossibleIATPointer);
if(!UpdateJump)
{
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
else
{
dwPossibleIATPointer = dwPossibleIATPointer - (j + SetionVirtualOffset) - (DWORD)ImageBase - 5;
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + delta + 4 - 1);
}
else
{
if(CurrentDllId != LastDllId)
{
LastDllId = CurrentDllId;
ImporterAddNewDll(szDLLName, NULL);
dwPossibleIATPointer = (DWORD)(ImporterGetCurrentDelta());
if(!UpdateJump)
{
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
else
{
dwPossibleIATPointer = dwPossibleIATPointer - (j + SetionVirtualOffset) - (DWORD)ImageBase - 5;
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
ImporterAddNewAPI(szAPIName, NULL);
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + delta + 4 - 1);
}
else
{
dwPossibleIATPointer = (DWORD)(ImporterGetCurrentDelta());
if(!UpdateJump)
{
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
else
{
dwPossibleIATPointer = dwPossibleIATPointer - (j + SetionVirtualOffset) - (DWORD)ImageBase - 5;
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
ImporterAddNewAPI(szAPIName, NULL);
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + delta + 4 - 1);
}
}
}
}
}
}
else
{
if(PossibleIATPointer == NULL)
{
LastDllId = NULL;
}
}
}
}
else
{
// x64
delta = 0;
PossibleThunk = false;
UpdateJump = false;
if(currentSearchPos->Array.bArrayEntry[0] == 0xFF && (currentSearchPos->Array.bArrayEntry[1] == 0x15 || currentSearchPos->Array.bArrayEntry[1] == 0x25))
{
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + 2);
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset + ImageBase;
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos - 2);
if(PossibleIATPointer > PEStructure.ImageBase && PossibleIATPointer < PEStructure.ImageBase + PEStructure.NtSizeOfImage)
{
PossibleThunk = true;
delta = 2;
}
else
{
VirtualQueryEx(hProcess, (LPVOID)PossibleIATPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect & PAGE_READWRITE || MemInfo.Protect & PAGE_EXECUTE_READWRITE || MemInfo.Protect & PAGE_EXECUTE))
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
PossibleThunk = true;
delta = 2;
}
}
}
else if(currentSearchPos->Array.bArrayEntry[0] == 0xE8 || currentSearchPos->Array.bArrayEntry[0] == 0xE9)
{
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + 1);
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset + ImageBase;
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos - 1);
if(PossibleIATPointer > PEStructure.ImageBase && PossibleIATPointer < PEStructure.ImageBase + PEStructure.NtSizeOfImage)
{
PossibleThunk = true;
UpdateJump = true;
delta = 1;
}
else
{
VirtualQueryEx(hProcess, (LPVOID)PossibleIATPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect & PAGE_READWRITE || MemInfo.Protect & PAGE_EXECUTE_READWRITE || MemInfo.Protect & PAGE_EXECUTE))
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0];
PossibleThunk = true;
UpdateJump = true;
delta = 1;
}
}
}
else if(currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset > PEStructure.ImageBase && currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset < PEStructure.ImageBase + PEStructure.NtSizeOfImage)
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset + ImageBase;
PossibleThunk = true;
delta = 0;
}
else
{
VirtualQueryEx(hProcess, (LPVOID)(currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect & PAGE_READWRITE || MemInfo.Protect & PAGE_EXECUTE_READWRITE || MemInfo.Protect & PAGE_EXECUTE))
{
PossibleIATPointer = currentSearchPos->Array.dwArrayEntry[0] + j + SetionVirtualOffset + ImageBase;
PossibleThunk = true;
delta = 0;
}
}
if(PossibleThunk)
{
if(ReadProcessMemory(hProcess, (LPVOID)PossibleIATPointer, &qwPossibleIATPointer, 8, &ueNumberOfBytesRead))
{
VirtualQueryEx(hProcess, (LPVOID)qwPossibleIATPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT && (MemInfo.Protect >= PAGE_READONLY || MemInfo.Protect <= PAGE_EXECUTE_READWRITE))
{
PossibleIATPointer = qwPossibleIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
if(CurrentDllId == NULL && TryAutoFix == true)
{
TraceIndex = TracerDetectRedirection(hProcess, PossibleIATPointer);
if(TraceIndex > NULL)
{
PossibleIATPointer = (ULONG_PTR)TracerFixKnownRedirection(hProcess, PossibleIATPointer, TraceIndex);
if(PossibleIATPointer != NULL)
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
else
{
TracedIATPointer = (ULONG_PTR)TracerLevel1(hProcess, PossibleIATPointer);
if(TracedIATPointer > 0x1000)
{
PossibleIATPointer = TracedIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
else
{
if(TracedIATPointer != NULL)
{
TracedIATPointer = (ULONG_PTR)HashTracerLevel1(hProcess, PossibleIATPointer, (DWORD)TracedIATPointer);
if(TracedIATPointer != NULL)
{
PossibleIATPointer = TracedIATPointer;
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
}
}
}
if(CurrentDllId == NULL && UnknownPointerFixCallback != NULL)
{
__try
{
PossibleIATPointer = (ULONG_PTR)myFixerCallback((LPVOID)PossibleIATPointer);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnknownPointerFixCallback = NULL;
PossibleIATPointer = NULL;
}
if(PossibleIATPointer != NULL)
{
//CurrentDllId = ImporterGetDLLIndexEx(PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
CurrentDllId = ImporterGetDLLIndex(hProcess, PossibleIATPointer, (ULONG_PTR)aEnumeratedModules);
}
}
if(CurrentDllId != NULL)
{
szDLLName = (char*)ImporterGetDLLNameFromDebugee(hProcess, PossibleIATPointer);
szAPIName = (char*)ImporterGetAPINameFromDebugee(hProcess, PossibleIATPointer);
if(szAPIName == NULL)
{
szAPIName = (char*)ImporterGetAPIOrdinalNumberFromDebugee(hProcess, PossibleIATPointer);
}
if(szDLLName != NULL && szAPIName != NULL)
{
if(ImporterGetAddedDllCount() > NULL)
{
PossibleIATPointer = (ULONG_PTR)ImporterFindAPIWriteLocation(szAPIName);
}
else
{
PossibleIATPointer = NULL;
}
if(PossibleIATPointer != NULL)
{
if(!UpdateJump)
{
dwPossibleIATPointer = (DWORD)(PossibleIATPointer - j - SetionVirtualOffset - ImageBase);
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
else
{
dwPossibleIATPointer = (DWORD)(PossibleIATPointer);
dwPossibleIATPointer = (DWORD)(dwPossibleIATPointer - (j + SetionVirtualOffset) - (ULONG_PTR)ImageBase - 5);
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &dwPossibleIATPointer, 4);
}
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + delta + 4 - 1);
}
else
{
if(CurrentDllId != LastDllId)
{
LastDllId = CurrentDllId;
ImporterAddNewDll(szDLLName, NULL);
qwPossibleIATPointer = (ULONG_PTR)(ImporterGetCurrentDelta());
if(!UpdateJump)
{
qwPossibleIATPointer = (DWORD)(qwPossibleIATPointer - j - SetionVirtualOffset - ImageBase);
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &qwPossibleIATPointer, 4);
}
else
{
qwPossibleIATPointer = (DWORD)(qwPossibleIATPointer - j - SetionVirtualOffset - ImageBase - 5);
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &qwPossibleIATPointer, 4);
}
ImporterAddNewAPI(szAPIName, NULL);
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + delta + 4 - 1);
}
else
{
qwPossibleIATPointer = (ULONG_PTR)(ImporterGetCurrentDelta());
if(!UpdateJump)
{
qwPossibleIATPointer = (DWORD)(qwPossibleIATPointer - j - SetionVirtualOffset - ImageBase);
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &qwPossibleIATPointer, 4);
}
else
{
qwPossibleIATPointer = (DWORD)(qwPossibleIATPointer - j - SetionVirtualOffset - ImageBase - 5);
RtlMoveMemory(&currentSearchPos->Array.dwArrayEntry[0 + delta], &qwPossibleIATPointer, 4);
}
ImporterAddNewAPI(szAPIName, NULL);
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + delta + 4 - 1);
}
}
}
}
}
}
else
{
if(PossibleIATPointer == NULL)
{
LastDllId = NULL;
}
}
}
}
currentSearchPos = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)currentSearchPos + 1);
}
}
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
else
{
return(0x405); // Error, no API found!
}
}
}
VirtualFree(aEnumeratedModules, NULL, MEM_RELEASE);
VirtualFree(aSearchMemory, NULL, MEM_RELEASE);
if(ImporterGetAddedDllCount() > NULL && ImporterGetAddedAPICount() > NULL)
{
if(!ImporterExportIATExW(szDumpedFile, szSectionName))
{
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
else
{
return(0x405); // Error, no API found!
}
if(RealignFile) if(RealignFile)
{ {
if(MapFileExW(szDumpedFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) if(MapFileExW(szDumpedFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
@ -20362,31 +19769,13 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(HANDLE hProcess, wchar_
} }
return(0x400); // Success! return(0x400); // Success!
} }
else __declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart)
{ {
VirtualFree(aEnumeratedModules, NULL, MEM_RELEASE); return(ImporterAutoFixIATEx(ProcessId, szDumpedFile, ".RL!TEv2", false, false, NULL, SearchStart, false, false, NULL));
VirtualFree(aSearchMemory, NULL, MEM_RELEASE);
return(0x404); // Error, memory could not be read!
} }
} __declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart)
__except(EXCEPTION_EXECUTE_HANDLER)
{ {
ImporterCleanup(); return(ImporterAutoFixIATExW(ProcessId, szDumpedFile, ".RL!TEv2", false, false, NULL, SearchStart, false, false, NULL));
VirtualFree(aEnumeratedModules, NULL, MEM_RELEASE);
VirtualFree(aSearchMemory, NULL, MEM_RELEASE);
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
VirtualFree(aEnumeratedModules, NULL, MEM_RELEASE);
return(NULL); // Critical error! *just te bo safe, but it should never happen!
}
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(HANDLE hProcess, char* szDumpedFile, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep)
{
return(ImporterAutoFixIATEx(hProcess, szDumpedFile, ".RL!TEv2", false, false, NULL, ImageBase, SearchStart, SearchSize, SearchStep, false, false, NULL));
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(HANDLE hProcess, wchar_t* szDumpedFile, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep)
{
return(ImporterAutoFixIATExW(hProcess, szDumpedFile, ".RL!TEv2", false, false, NULL, ImageBase, SearchStart, SearchSize, SearchStep, false, false, NULL));
} }
// Internal.Engine.Hook.functions: // Internal.Engine.Hook.functions:
bool ProcessHookScanAddNewHook(PHOOK_ENTRY HookDetails, void* ptrOriginalInstructions, PLIBRARY_ITEM_DATAW ModuleInformation, DWORD SizeOfImage) bool ProcessHookScanAddNewHook(PHOOK_ENTRY HookDetails, void* ptrOriginalInstructions, PLIBRARY_ITEM_DATAW ModuleInformation, DWORD SizeOfImage)

8
TitanEngine/definitions.h
View File

@ -291,10 +291,10 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char*
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar_t* szFileName, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize); __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar_t* szFileName, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize); __declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack); __declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(HANDLE hProcess, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback); __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(HANDLE hProcess, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback); __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(HANDLE hProcess, char* szDumpedFile, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep); __declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(HANDLE hProcess, wchar_t* szDumpedFile, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep); __declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
// Global.Engine.Hook.functions: // Global.Engine.Hook.functions:
__declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart); __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
__declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart); __declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);