diff --git a/TitanEngine/3rdparty-definitions.h b/TitanEngine/3rdparty-definitions.h
index 2b56f4c..a7064d3 100644
--- a/TitanEngine/3rdparty-definitions.h
+++ b/TitanEngine/3rdparty-definitions.h
@@ -10,6 +10,7 @@ const BYTE SCY_ERROR_IATNOTFOUND = -4;
 #ifdef __cplusplus
 extern "C" {
 #endif /*__cplusplus*/
+//iat exports
 int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
 int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
 bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA);
@@ -22,6 +23,18 @@ int scylla_getModuleCount();
 int scylla_getImportCount();
 void scylla_enumImportTree(LPVOID enumCallBack);
 long scylla_estimatedIATSize();
+DWORD_PTR scylla_findImportWriteLocation(char* importName);
+DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber);
+DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA);
+DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA);
+
+//dumper exports
+bool scylla_dumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+bool scylla_dumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
+
+//rebuilder exports
+bool scylla_rebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+bool scylla_rebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
 #ifdef __cplusplus
 }
 #endif /*__cplusplus*/
diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp
index af5de95..116cdd0 100644
--- a/TitanEngine/TitanEngine.cpp
+++ b/TitanEngine/TitanEngine.cpp
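Review bot: `DWORD_PTR scylla_findImportWriteLocation(char* importName);` takes a writable pointer for what is only a lookup key, so callers holding a `const char*` or a literal have to cast it away; `DWORD_PTR scylla_findImportWriteLocation(const char* importName);` would match the `const char *` already used on `scylla_dumpProcessA` and `scylla_rebuildFileA` in the same hunk. The new dumper prototypes take `DWORD_PTR pid` while the existing `scylla_searchIAT` and `scylla_getImports` a few lines above take `DWORD pid`, and the rebuilder prototypes return `bool` but take `BOOL` flags; these declarations presumably have to agree with the symbols in the scylla_wrapper*.lib binaries replaced in this commit, which the diff cannot show, so one consistent width per parameter kind makes a mismatch easier to spot. The header also gives no contract for the new groups; a short comment on the dumper and rebuilder lines saying that `fileResult` and `fileToRebuild` name files that are written and what a `false` return means would help callers handle failure.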
@@ -18657,134 +18657,19 @@ __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName,
 }
 __declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName)
 {
- //TODO scylla enable
- /*
- int i = 0;
- int j = 0;
- DWORD DLLNumber = NULL;
- DWORD NumberOfAPIs = NULL;
- LPVOID NameReadPlace = NULL;
- ULONG_PTR CurrentAPILocation = NULL;
- DWORD APINameRelativeOffset = NULL;
- ULONG_PTR APIWriteLocation = NULL;
-
- if(ImporterGetAddedDllCount() > NULL)
- {
- if((ULONG_PTR)szAPIName > 0x10000)
- {
- DLLNumber = impDLLNumber + 1;
- while(DLLNumber > NULL)
- {
- #if !defined(_WIN64)
- NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
- #else
- NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
- #endif
- RtlMoveMemory(&CurrentAPILocation, (LPVOID)(impDLLDataList[i][0]), sizeof ULONG_PTR);
- RtlMoveMemory(&NumberOfAPIs, (LPVOID)(impDLLDataList[i][0] + 2 * sizeof ULONG_PTR), 4);
- while(NumberOfAPIs > NULL)
- {
- RtlMoveMemory(&APINameRelativeOffset, NameReadPlace, 4);
- if(lstrcmpiA((LPCSTR)((ULONG_PTR)impDLLStringList[i][0] + APINameRelativeOffset + 2), (LPCSTR)szAPIName) == NULL)
- {
- APIWriteLocation = CurrentAPILocation;
- break;
- }
- CurrentAPILocation = CurrentAPILocation + sizeof ULONG_PTR;
- NameReadPlace = (LPVOID)((ULONG_PTR)NameReadPlace + sizeof ULONG_PTR);
- NumberOfAPIs--;
- }
- DLLNumber--;
- i++;
- }
- return(APIWriteLocation);
- }
- else
- {
- for(j = 0; j < 1000; j++)
- {
- if(impOrdinalList[j][1] == ((ULONG_PTR)szAPIName ^ IMAGE_ORDINAL_FLAG))
- {
- return(impOrdinalList[j][0]);
- }
- }
- }
- }
- */
- return(NULL);
+ return(scylla_findImportWriteLocation(szAPIName));
 }
 __declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber)
 {
- return(ImporterFindAPIWriteLocation((char*)OrdinalNumber));
+ return(scylla_findOrdinalImportWriteLocation(OrdinalNumber));
 }
 __declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation)
 {
- //TODO scylla enable
- /*
- int i = 0;
- DWORD DLLNumber = NULL;
- LPVOID NameReadPlace = NULL;
- ULONG_PTR MinAPILocation = NULL;
- ULONG_PTR MaxAPILocation = NULL;
- DWORD APINameRelativeOffset = NULL;
- ULONG_PTR APINameOffset = NULL;
-
- if(ImporterGetAddedDllCount() > NULL)
- {
- DLLNumber = impDLLNumber + 1;
- while(DLLNumber > NULL)
- {
- #if !defined(_WIN64)
- NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
- #else
- NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
- #endif
- RtlMoveMemory(&MinAPILocation, (LPVOID)(impDLLDataList[i][0]), sizeof ULONG_PTR);
- RtlMoveMemory(&MaxAPILocation, (LPVOID)(impDLLDataList[i][0] + sizeof ULONG_PTR), sizeof ULONG_PTR);
- if(MinAPILocation <= APIWriteLocation && APIWriteLocation <= MaxAPILocation)
- {
- RtlMoveMemory(&APINameRelativeOffset, (LPVOID)((ULONG_PTR)NameReadPlace + (APIWriteLocation - MinAPILocation)), 4);
- return((ULONG_PTR)(impDLLStringList[i][0] + APINameRelativeOffset + 2));
- }
- DLLNumber--;
- i++;
- }
- }*/
- return(NULL);
+ return(scylla_findImportNameByWriteLocation(APIWriteLocation));
 }
 __declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation)
 {
- //TODO scylla enable
- /*
- int i = 0;
- DWORD DLLNumber = NULL;
- LPVOID NameReadPlace = NULL;
- ULONG_PTR MinAPILocation = NULL;
- ULONG_PTR MaxAPILocation = NULL;
- DWORD APINameRelativeOffset = NULL;
- ULONG_PTR APINameOffset = NULL;
-
- if(ImporterGetAddedDllCount() > NULL)
- {
- DLLNumber = impDLLNumber + 1;
- while(DLLNumber > NULL)
- {
- #if !defined(_WIN64)
- NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
- #else
- NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
- #endif
- RtlMoveMemory(&MinAPILocation, (LPVOID)(impDLLDataList[i][0]), sizeof ULONG_PTR);
- RtlMoveMemory(&MaxAPILocation, (LPVOID)(impDLLDataList[i][0] + sizeof ULONG_PTR), sizeof ULONG_PTR);
- if(MinAPILocation <= APIWriteLocation && APIWriteLocation <= MaxAPILocation)
- {
- return((ULONG_PTR)(impDLLStringList[i][0]));
- }
- DLLNumber--;
- i++;
- }
- }*/
- return(NULL);
+ return scylla_findModuleNameByWriteLocation(APIWriteLocation);
 }
 __declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
 {
@@ -19329,7 +19214,7 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
 //we also try to automatically read imports so following call to ExportIAT has a chance
 if(iatStart != NULL && iatSize != NULL)
 {
- scylla_getImports(0x5f2724, iatSize, ProcessId);
+ scylla_getImports(iatStart, iatSize, ProcessId);
 }
 RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
diff --git a/TitanEngine/scylla_wrapper_x64.lib b/TitanEngine/scylla_wrapper_x64.lib
index 045d734..cf44dd6 100644
Binary files a/TitanEngine/scylla_wrapper_x64.lib and b/TitanEngine/scylla_wrapper_x64.lib differ
diff --git a/TitanEngine/scylla_wrapper_x86.lib b/TitanEngine/scylla_wrapper_x86.lib
index e18bfd4..66cd68d 100644
Binary files a/TitanEngine/scylla_wrapper_x86.lib and b/TitanEngine/scylla_wrapper_x86.lib differ
diff --git a/TitanEngine/scylla_wrapperd_x64.lib b/TitanEngine/scylla_wrapperd_x64.lib
index 6bec0f4..60b55c1 100644
Binary files a/TitanEngine/scylla_wrapperd_x64.lib and b/TitanEngine/scylla_wrapperd_x64.lib differ
diff --git a/TitanEngine/scylla_wrapperd_x86.lib b/TitanEngine/scylla_wrapperd_x86.lib
index 2ddb60f..9157504 100644
Binary files a/TitanEngine/scylla_wrapperd_x86.lib and b/TitanEngine/scylla_wrapperd_x86.lib differ
diff --git a/scylla_integration.txt b/scylla_integration.txt
index 9f42c78..71c18c7 100644
--- a/scylla_integration.txt
+++ b/scylla_integration.txt
@@ -16,9 +16,6 @@ GetDLLIndex
 defunct until scylla-enabled:
 GetLastAddedDLLName -> no scylla export needed, just rewrite
-* FindAPIWriteLocation, FindOrdinalAPIWriteLocation
-* FindAPIByWriteLocation
-* FindDLLByWriteLocation
 * LoadImportTable
 * MoveOriginalIAT
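Review bot: `ImporterFindAPIWriteLocation` now passes `szAPIName` straight to `scylla_findImportWriteLocation`, dropping the `(ULONG_PTR)szAPIName > 0x10000` test the removed code used to tell a real name pointer from an ordinal smuggled in as `char*`; the in-file caller `ImporterFindOrdinalAPIWriteLocation` is redirected in this same hunk, but any external user of the exported `ImporterFindAPIWriteLocation` that still relies on the old dual behaviour will now have the wrapper treat a small integer as a string pointer. Keeping the dispatch in the exported entry point preserves the old contract, e.g. `if((ULONG_PTR)szAPIName <= 0x10000) return(scylla_findOrdinalImportWriteLocation((ULONG_PTR)szAPIName));` ahead of the name lookup; whether the wrapper expects the raw ordinal or the `IMAGE_ORDINAL_FLAG`-xored value the removed list compared against is not visible here and needs checking against the wrapper. As a point of style, `ImporterFindDLLByWriteLocation` uses `return scylla_findModuleNameByWriteLocation(APIWriteLocation);` while the three sibling wrappers write `return(...)`; `return(scylla_findModuleNameByWriteLocation(APIWriteLocation));` keeps them uniform. The last function in the hunk, `ImporterGetDLLName`, continues past the hunk's end.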
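Review bot: The result of `scylla_getImports(iatStart, iatSize, ProcessId)` is still discarded after the leftover constant `0x5f2724` is replaced by `iatStart`; the function is declared in the header as returning `int`, and nothing in the hunk says whether a failed read is acceptable. The comment two lines up suggests this is a best-effort pre-read so the later ExportIAT call "has a chance", so if that is the intent it should be stated on the call, e.g. `//best effort: a failure here only means the later ExportIAT call has to resolve imports itself`, and otherwise the return value should be checked. `ImporterAutoSearchIATW` begins and ends outside this hunk.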
@@ -46,4 +43,11 @@ no change required:
 CopyOriginalIAT
 GetRemoteAPIAddressEX
-GetRemoteDLLBaseEX
\ No newline at end of file
+GetRemoteDLLBaseEX
+
+
+fixup exception handling:
+
+- enumaddeddata; around callback call
+- autofixiat: around fixer callback
+- exportiat
\ No newline at end of file