diff --git a/SDK/C/TitanEngine.h b/SDK/C/TitanEngine.h
index 9c65784..04188f8 100644
--- a/SDK/C/TitanEngine.h
+++ b/SDK/C/TitanEngine.h
@@ -752,7 +752,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
 __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
 __declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName();
 __declspec(dllexport) void TITCALL ImporterMoveIAT();
-__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
+__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
 __declspec(dllexport) long TITCALL ImporterEstimatedSize();
 __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
 __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
diff --git a/SDK/CPP/TitanEngine.h b/SDK/CPP/TitanEngine.h
index a5f5778..f2f1b5b 100644
--- a/SDK/CPP/TitanEngine.h
+++ b/SDK/CPP/TitanEngine.h
@@ -751,7 +751,7 @@ __declspec(dllimport) long TITCALL ImporterGetAddedDllCount();
 __declspec(dllimport) long TITCALL ImporterGetAddedAPICount();
 __declspec(dllimport) void* TITCALL ImporterGetLastAddedDLLName();
 __declspec(dllimport) void TITCALL ImporterMoveIAT();
-__declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
+__declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
 __declspec(dllimport) long TITCALL ImporterEstimatedSize();
 __declspec(dllimport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
 __declspec(dllimport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
diff --git a/SDK/CPP/TitanEngine.hpp b/SDK/CPP/TitanEngine.hpp
index 62bd58c..2f526d5 100644
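Review bot: The exported `ImporterExportIAT` prototype in SDK/C/TitanEngine.h gains a third parameter in place, so a client compiled against the old two-argument header and loading the new DLL passes too few arguments; if TITCALL is a callee-cleanup convention, which is not visible here, that unbalances the caller's stack. Since the old implementation only returned false, a safer route is to leave the two-argument export as it was and add the new behaviour under a new exported name. If the break is intended, say so above the declaration and document the new argument, e.g. `// hFileMap: handle belonging to the FileMapVA mapping (breaking change: third parameter added)`. The same applies to the identical edits in SDK/CPP/TitanEngine.h, SDK/CPP/TitanEngine.hpp and TitanEngine/definitions.h.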
--- a/SDK/CPP/TitanEngine.hpp
+++ b/SDK/CPP/TitanEngine.hpp
@@ -1693,9 +1693,9 @@ protected:
 {
 UE::ImporterMoveIAT();
 }
- static bool ExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
+ static bool ExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
 {
- return UE::ImporterExportIAT(StorePlace, FileMapVA);
+ return UE::ImporterExportIAT(StorePlace, FileMapVA, hFileMap);
 }
 static long EstimatedSize()
 {
diff --git a/TitanEngine/3rdparty-definitions.h b/TitanEngine/3rdparty-definitions.h
index a8ecb09..3279df0 100644
--- a/TitanEngine/3rdparty-definitions.h
+++ b/TitanEngine/3rdparty-definitions.h
@@ -10,11 +10,11 @@ const BYTE SCY_ERROR_IATNOTFOUND = -4;
 #ifdef __cplusplus
 extern "C" {
 #endif /*__cplusplus*/
-//IAT exports
 int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
 int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid);
 bool scylla_importsValid();
 int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
+int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap);
 #ifdef __cplusplus
 }
 #endif /*__cplusplus*/
diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp
index da29b9e..d0a3fb2 100644
--- a/TitanEngine/TitanEngine.cpp
+++ b/TitanEngine/TitanEngine.cpp
@@ -18695,10 +18695,13 @@ __declspec(dllexport) void TITCALL ImporterMoveIAT()
 {
 impMoveIAT = true;
 }
-__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
+__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
 {
- //TODO this needs an scylla_wrapper update for exporting to a VA
- return false;
+ if(scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) != SCY_ERROR_SUCCESS) {
+ return false;
+ }
+
+ return true;
 }
 __declspec(dllexport) long TITCALL ImporterEstimatedSize()
 {
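Review bot: The new `scylla_fixMappedDump` prototype in TitanEngine/3rdparty-definitions.h returns `int`, but the status constants it will be compared against are declared `const BYTE`; the hunk header shows `const BYTE SCY_ERROR_IATNOTFOUND = -4;`. BYTE is unsigned, so that constant holds 252 and never equals a negative int return; only a comparison with a zero success code behaves as intended. Declaring the codes as `const int` would fix this for ImporterExportIAT and for any later caller that inspects a specific error. The prototype also needs a comment saying whether `iatVA` is a virtual address in the dumped image or a pointer into the mapping, and which handle `hFileMap` is, since the commit drops the `//IAT exports` comment and adds none. Only the x86 wrapper libraries change in this commit, so a build for any other architecture presumably will not link against the new symbol; worth confirming.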
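Review bot: In TitanEngine.cpp, `ImporterExportIAT` now hands `StorePlace`, `FileMapVA` and `hFileMap` to `scylla_fixMappedDump` unchecked, so a zero address from a failed conversion or an invalid handle goes straight into a routine that, judging by its name, patches the mapped dump. Rejecting those up front keeps the failure local: `if(!StorePlace || !FileMapVA || !hFileMap || hFileMap == INVALID_HANDLE_VALUE) return false;`. The remaining body then reduces to `return scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) == SCY_ERROR_SUCCESS;`. The prototype calls the first argument `iatVA` while this function calls it `StorePlace` and the caller passes a converted file offset; a one-line comment stating which address space is expected would prevent a mismatch.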
@@ -19418,7 +19421,9 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false); //we also try to automatically read imports so following call to ExportIAT has a chance - scylla_getImports(iatStart, iatSize, ProcessId); + if(iatStart != NULL && iatSize != NULL) { + scylla_getImports(iatStart, iatSize, ProcessId); + } RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR); RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
@@ -26903,7 +26908,7 @@ void EngineSimplifyEntryPointCallBack()
 }
 if(StaticFileLoadW(szEngineUnpackerOutputFile, UE_ACCESS_ALL, false, &FileHandle, &FileSize, &FileMap, &FileMapVA))
 {
- if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA))
+ if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA, FileHandle))
 {
 if(EngineUnpackerOptionLogData)
 {
diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h
index 7d3150a..3148be3 100644
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
@@ -251,7 +251,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
 __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
 __declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName();
 __declspec(dllexport) void TITCALL ImporterMoveIAT();
-__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
+__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
 __declspec(dllexport) long TITCALL ImporterEstimatedSize();
 __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
 __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
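Review bot: The new guard in ImporterAutoSearchIATW tests `iatStart` and `iatSize` while the return value of `scylla_searchIAT` on the context line above is still discarded, so the guard only works if both locals are zero-initialised before the search; their declarations, like the rest of the function, are outside this hunk. Testing the status is more direct: `if(scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false) == SCY_ERROR_SUCCESS && iatSize != 0)`. Both operands are integers, so compare with `0` rather than the pointer constant `NULL`. Separately, the context lines copy `sizeof ULONG_PTR` bytes out of `iatSize`, which the `DWORD &iatSize` prototype implies is a DWORD; on a 64-bit build that would read past the variable, so copying through a ULONG_PTR temporary is safer.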
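Review bot: The updated call in EngineSimplifyEntryPointCallBack passes `FileHandle` for a parameter the new prototype names `hFileMap`, although `StaticFileLoadW` on the line above also yields `FileMap`; either the wrong handle is passed or the parameter is misnamed, and which one scylla_fixMappedDump needs is not visible here. The first argument is also the unchecked result of `ConvertVAtoFileOffset`; if that conversion can fail (presumably returning 0), the failure should be caught before the export, e.g. `ULONG_PTR iatPtr = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true);` followed by `if(iatPtr != 0 && ImporterExportIAT(iatPtr, FileMapVA, FileHandle))`. The function starts and ends outside the hunk.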
diff --git a/TitanEngine/scylla_wrapper_x86.lib b/TitanEngine/scylla_wrapper_x86.lib
index d874b6c..2be5f87 100644
Binary files a/TitanEngine/scylla_wrapper_x86.lib and b/TitanEngine/scylla_wrapper_x86.lib differ
diff --git a/TitanEngine/scylla_wrapperd_x86.lib b/TitanEngine/scylla_wrapperd_x86.lib
index c2927af..eb1f4c4 100644
Binary files a/TitanEngine/scylla_wrapperd_x86.lib and b/TitanEngine/scylla_wrapperd_x86.lib differ