fixed FindAPIWriteLocation, findOrdinalWriteLocation, FindDLLByWriteLocation, FindAPIByWriteLocation tow rok with scylla

TitanEngine/3rdparty-definitions.h

@@ -10,6 +10,7 @@ const BYTE SCY_ERROR_IATNOTFOUND = -4;
 #ifdef __cplusplus
 extern "C" {
 #endif /*__cplusplus*/
+//iat exports
 int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
 int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
 bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA);
@@ -22,6 +23,18 @@ int scylla_getModuleCount();
 int scylla_getImportCount();
 void scylla_enumImportTree(LPVOID enumCallBack);
 long scylla_estimatedIATSize();
+DWORD_PTR scylla_findImportWriteLocation(char* importName);
+DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber);
+DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA);
+DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA);
+
+//dumper exports
+bool scylla_dumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+bool scylla_dumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
+
+//rebuilder exports
+bool scylla_rebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+bool scylla_rebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
 #ifdef __cplusplus
 }
 #endif /*__cplusplus*/

TitanEngine/TitanEngine.cpp

@@ -18657,134 +18657,19 @@ __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName,
 }
 __declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName)
 {
-    //TODO scylla enable
+    return(scylla_findImportWriteLocation(szAPIName));
-    /*
-    int i = 0;
-    int j = 0;
-    DWORD DLLNumber = NULL;
-    DWORD NumberOfAPIs = NULL;
-    LPVOID NameReadPlace = NULL;
-    ULONG_PTR CurrentAPILocation = NULL;
-    DWORD APINameRelativeOffset = NULL;
-    ULONG_PTR APIWriteLocation = NULL;
-
-    if(ImporterGetAddedDllCount() > NULL)
-    {
-        if((ULONG_PTR)szAPIName > 0x10000)
-        {
-            DLLNumber = impDLLNumber + 1;
-            while(DLLNumber > NULL)
-            {
-    #if !defined(_WIN64)
-                NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
-    #else
-                NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
-    #endif
-                RtlMoveMemory(&CurrentAPILocation, (LPVOID)(impDLLDataList[i][0]), sizeof ULONG_PTR);
-                RtlMoveMemory(&NumberOfAPIs, (LPVOID)(impDLLDataList[i][0] + 2 * sizeof ULONG_PTR), 4);
-                while(NumberOfAPIs > NULL)
-                {
-                    RtlMoveMemory(&APINameRelativeOffset, NameReadPlace, 4);
-                    if(lstrcmpiA((LPCSTR)((ULONG_PTR)impDLLStringList[i][0] + APINameRelativeOffset + 2), (LPCSTR)szAPIName) == NULL)
-                    {
-                        APIWriteLocation = CurrentAPILocation;
-                        break;
-                    }
-                    CurrentAPILocation = CurrentAPILocation + sizeof ULONG_PTR;
-                    NameReadPlace = (LPVOID)((ULONG_PTR)NameReadPlace + sizeof ULONG_PTR);
-                    NumberOfAPIs--;
-                }
-                DLLNumber--;
-                i++;
-            }
-            return(APIWriteLocation);
-        }
-        else
-        {
-            for(j = 0; j < 1000; j++)
-            {
-                if(impOrdinalList[j][1] == ((ULONG_PTR)szAPIName ^ IMAGE_ORDINAL_FLAG))
-                {
-                    return(impOrdinalList[j][0]);
-                }
-            }
-        }
-    }
-    */
-    return(NULL);
 }
 __declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber)
 {
-    return(ImporterFindAPIWriteLocation((char*)OrdinalNumber));
+    return(scylla_findOrdinalImportWriteLocation(OrdinalNumber));
 }
 __declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation)
 {
-    //TODO scylla enable
+    return(scylla_findImportNameByWriteLocation(APIWriteLocation));
-    /*
-    int i = 0;
-    DWORD DLLNumber = NULL;
-    LPVOID NameReadPlace = NULL;
-    ULONG_PTR MinAPILocation = NULL;
-    ULONG_PTR MaxAPILocation = NULL;
-    DWORD APINameRelativeOffset = NULL;
-    ULONG_PTR APINameOffset = NULL;
-
-    if(ImporterGetAddedDllCount() > NULL)
-    {
-        DLLNumber = impDLLNumber + 1;
-        while(DLLNumber > NULL)
-        {
-    #if !defined(_WIN64)
-            NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
-    #else
-            NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
-    #endif
-            RtlMoveMemory(&MinAPILocation, (LPVOID)(impDLLDataList[i][0]), sizeof ULONG_PTR);
-            RtlMoveMemory(&MaxAPILocation, (LPVOID)(impDLLDataList[i][0] + sizeof ULONG_PTR), sizeof ULONG_PTR);
-            if(MinAPILocation <= APIWriteLocation && APIWriteLocation <= MaxAPILocation)
-            {
-                RtlMoveMemory(&APINameRelativeOffset, (LPVOID)((ULONG_PTR)NameReadPlace + (APIWriteLocation - MinAPILocation)), 4);
-                return((ULONG_PTR)(impDLLStringList[i][0] + APINameRelativeOffset + 2));
-            }
-            DLLNumber--;
-            i++;
-        }
-    }*/
-    return(NULL);
 }
 __declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation)
 {
-    //TODO scylla enable
+    return scylla_findModuleNameByWriteLocation(APIWriteLocation);
-    /*
-    int i = 0;
-    DWORD DLLNumber = NULL;
-    LPVOID NameReadPlace = NULL;
-    ULONG_PTR MinAPILocation = NULL;
-    ULONG_PTR MaxAPILocation = NULL;
-    DWORD APINameRelativeOffset = NULL;
-    ULONG_PTR APINameOffset = NULL;
-
-    if(ImporterGetAddedDllCount() > NULL)
-    {
-        DLLNumber = impDLLNumber + 1;
-        while(DLLNumber > NULL)
-        {
-    #if !defined(_WIN64)
-            NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
-    #else
-            NameReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
-    #endif
-            RtlMoveMemory(&MinAPILocation, (LPVOID)(impDLLDataList[i][0]), sizeof ULONG_PTR);
-            RtlMoveMemory(&MaxAPILocation, (LPVOID)(impDLLDataList[i][0] + sizeof ULONG_PTR), sizeof ULONG_PTR);
-            if(MinAPILocation <= APIWriteLocation && APIWriteLocation <= MaxAPILocation)
-            {
-                return((ULONG_PTR)(impDLLStringList[i][0]));
-            }
-            DLLNumber--;
-            i++;
-        }
-    }*/
-    return(NULL);
 }
 __declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
 {
@@ -19329,7 +19214,7 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
     //we also try to automatically read imports so following call to ExportIAT has a chance
     if(iatStart != NULL && iatSize != NULL)
     {
-        scylla_getImports(0x5f2724, iatSize, ProcessId);
+        scylla_getImports(iatStart, iatSize, ProcessId);
     }
 
     RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);

scylla_integration.txt

@@ -16,9 +16,6 @@ GetDLLIndex
 defunct until scylla-enabled:
 
 GetLastAddedDLLName -> no scylla export needed, just rewrite
-* FindAPIWriteLocation, FindOrdinalAPIWriteLocation
-* FindAPIByWriteLocation
-* FindDLLByWriteLocation
 * LoadImportTable
 * MoveOriginalIAT
 
@@ -46,4 +43,11 @@ no change required:
 
 CopyOriginalIAT
 GetRemoteAPIAddressEX
-GetRemoteDLLBaseEX
+GetRemoteDLLBaseEX
+
+
+fixup exception handling:
+
+- enumaddeddata; around callback call
+- autofixiat: around fixer callback
+- exportiat