fixed ExportIAT to work for FileMapping with Scylla

cypherpunk 2014-01-14 18:00:11 +01:00
parent 2c1639d6cc
commit cfb052280e
8 changed files with 16 additions and 11 deletions


@ -752,7 +752,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount(); __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
__declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName(); __declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName();
__declspec(dllexport) void TITCALL ImporterMoveIAT(); __declspec(dllexport) void TITCALL ImporterMoveIAT();
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllexport) long TITCALL ImporterEstimatedSize(); __declspec(dllexport) long TITCALL ImporterEstimatedSize();
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName); __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2"); __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
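Review bot: Adding `HANDLE hFileMap` to the exported `ImporterExportIAT` changes a public DLL entry point in place, so any plugin or unpacker built against the old two-argument prototype will still load and then call it with the wrong argument list. If TITCALL is a callee-cleans convention (presumably stdcall, its definition is not visible here), that mismatch shows up as stack corruption at run time rather than as a link error. The same prototype change is repeated in the dllimport header, in the C++ wrapper's `ExportIAT`, and in the last header copy of this commit. Consider keeping the two-argument export and adding the mapped variant under a new name, for example `ImporterExportIATMapped(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)`, or document the break and bump the SDK version so that stale binaries are rejected.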


@ -751,7 +751,7 @@ __declspec(dllimport) long TITCALL ImporterGetAddedDllCount();
__declspec(dllimport) long TITCALL ImporterGetAddedAPICount(); __declspec(dllimport) long TITCALL ImporterGetAddedAPICount();
__declspec(dllimport) void* TITCALL ImporterGetLastAddedDLLName(); __declspec(dllimport) void* TITCALL ImporterGetLastAddedDLLName();
__declspec(dllimport) void TITCALL ImporterMoveIAT(); __declspec(dllimport) void TITCALL ImporterMoveIAT();
__declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA); __declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllimport) long TITCALL ImporterEstimatedSize(); __declspec(dllimport) long TITCALL ImporterEstimatedSize();
__declspec(dllimport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName); __declspec(dllimport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
__declspec(dllimport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2"); __declspec(dllimport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");


@ -1693,9 +1693,9 @@ protected:
{ {
UE::ImporterMoveIAT(); UE::ImporterMoveIAT();
} }
static bool ExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA) static bool ExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
{ {
return UE::ImporterExportIAT(StorePlace, FileMapVA); return UE::ImporterExportIAT(StorePlace, FileMapVA, hFileMap);
} }
static long EstimatedSize() static long EstimatedSize()
{ {


@ -10,11 +10,11 @@ const BYTE SCY_ERROR_IATNOTFOUND = -4;
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif /*__cplusplus*/ #endif /*__cplusplus*/
//IAT exports
int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch); int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid); int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid);
bool scylla_importsValid(); bool scylla_importsValid();
int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy"); int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap);
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif /*__cplusplus*/ #endif /*__cplusplus*/


@ -18695,11 +18695,14 @@ __declspec(dllexport) void TITCALL ImporterMoveIAT()
{ {
impMoveIAT = true; impMoveIAT = true;
} }
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA) __declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
{ {
//TODO this needs an scylla_wrapper update for exporting to a VA if(scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) != SCY_ERROR_SUCCESS) {
return false; return false;
} }
return true;
}
__declspec(dllexport) long TITCALL ImporterEstimatedSize() __declspec(dllexport) long TITCALL ImporterEstimatedSize()
{ {
@ -19418,7 +19421,9 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false); scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
//we also try to automatically read imports so following call to ExportIAT has a chance //we also try to automatically read imports so following call to ExportIAT has a chance
if(iatStart != NULL && iatSize != NULL) {
scylla_getImports(iatStart, iatSize, ProcessId); scylla_getImports(iatStart, iatSize, ProcessId);
}
RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR); RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR); RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
@ -26903,7 +26908,7 @@ void EngineSimplifyEntryPointCallBack()
} }
if(StaticFileLoadW(szEngineUnpackerOutputFile, UE_ACCESS_ALL, false, &FileHandle, &FileSize, &FileMap, &FileMapVA)) if(StaticFileLoadW(szEngineUnpackerOutputFile, UE_ACCESS_ALL, false, &FileHandle, &FileSize, &FileMap, &FileMapVA))
{ {
if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA)) if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA, FileHandle))
{ {
if(EngineUnpackerOptionLogData) if(EngineUnpackerOptionLogData)
{ {
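Review bot: The new third argument is named `hFileMap` in `ImporterExportIAT` and `scylla_fixMappedDump`, but the call in EngineSimplifyEntryPointCallBack passes `FileHandle`, although `StaticFileLoadW` returns a separate `FileMap` two arguments later. A file handle and a file-mapping handle are not interchangeable in the Win32 API, so either the call should pass `FileMap`, or the parameter should be renamed to `hFile` throughout if the wrapper really expects the file handle. `ImporterExportIAT` also forwards the handle and both addresses unchecked; a guard such as `if(!StorePlace || !FileMapVA || !hFileMap || hFileMap == INVALID_HANDLE_VALUE) return false;` before the wrapper call would stop a zero address or invalid handle from reaching the code that patches the mapped file. The callback's body starts and ends outside the hunk.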


@ -251,7 +251,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount(); __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
__declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName(); __declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName();
__declspec(dllexport) void TITCALL ImporterMoveIAT(); __declspec(dllexport) void TITCALL ImporterMoveIAT();
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA); __declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllexport) long TITCALL ImporterEstimatedSize(); __declspec(dllexport) long TITCALL ImporterEstimatedSize();
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName); __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2"); __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");

Binary file not shown.

Binary file not shown.