fixed ExportIAT to work for FileMapping with Scylla

2014-01-14 18:00:11 +01:00 · 2014-01-14 18:00:11 +01:00 · cfb052280e
parent 2c1639d6cc
commit cfb052280e
8 changed files with 16 additions and 11 deletions
--- a/SDK/C/TitanEngine.h
+++ b/SDK/C/TitanEngine.h
@ -752,7 +752,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
 __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
 __declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName();
 __declspec(dllexport) void TITCALL ImporterMoveIAT();
-__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
+__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
 __declspec(dllexport) long TITCALL ImporterEstimatedSize();
 __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
 __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
--- a/SDK/CPP/TitanEngine.h
+++ b/SDK/CPP/TitanEngine.h
@ -751,7 +751,7 @@ __declspec(dllimport) long TITCALL ImporterGetAddedDllCount();
 __declspec(dllimport) long TITCALL ImporterGetAddedAPICount();
 __declspec(dllimport) void* TITCALL ImporterGetLastAddedDLLName();
 __declspec(dllimport) void TITCALL ImporterMoveIAT();
-__declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
+__declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
 __declspec(dllimport) long TITCALL ImporterEstimatedSize();
 __declspec(dllimport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
 __declspec(dllimport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
--- a/SDK/CPP/TitanEngine.hpp
+++ b/SDK/CPP/TitanEngine.hpp
@ -1693,9 +1693,9 @@ protected:
 	{
 		UE::ImporterMoveIAT();
 	}
-	static bool ExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
+	static bool ExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
 	{
-		return UE::ImporterExportIAT(StorePlace, FileMapVA);
+		return UE::ImporterExportIAT(StorePlace, FileMapVA, hFileMap);
 	}
 	static long EstimatedSize()
 	{
--- a/TitanEngine/3rdparty-definitions.h
+++ b/TitanEngine/3rdparty-definitions.h
@ -10,11 +10,11 @@ const BYTE SCY_ERROR_IATNOTFOUND = -4;
 #ifdef __cplusplus
 extern "C" {
 #endif /*__cplusplus*/
-//IAT exports
 int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
 int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid);
 bool scylla_importsValid();
 int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
+int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap); 
 #ifdef __cplusplus
 }
 #endif /*__cplusplus*/
--- a/TitanEngine/TitanEngine.cpp
+++ b/TitanEngine/TitanEngine.cpp
@ -18695,11 +18695,14 @@ __declspec(dllexport) void TITCALL ImporterMoveIAT()
 {
    impMoveIAT = true;
 }
-__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
+__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
 {
-    //TODO this needs an scylla_wrapper update for exporting to a VA
+    if(scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) != SCY_ERROR_SUCCESS) {
        return false;
    }
+
+    return true;
+}
 __declspec(dllexport) long TITCALL ImporterEstimatedSize()
 {

@ -19418,7 +19421,9 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
    scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
    
    //we also try to automatically read imports so following call to ExportIAT has a chance 
+    if(iatStart != NULL && iatSize != NULL) {
        scylla_getImports(iatStart, iatSize, ProcessId);
+    }

    RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
    RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
@ -26903,7 +26908,7 @@ void EngineSimplifyEntryPointCallBack()
        }
        if(StaticFileLoadW(szEngineUnpackerOutputFile, UE_ACCESS_ALL, false, &FileHandle, &FileSize, &FileMap, &FileMapVA))
        {
-            if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA))
+            if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA, FileHandle))
            {
                if(EngineUnpackerOptionLogData)
                {
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
@ -251,7 +251,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
 __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
 __declspec(dllexport) void* TITCALL ImporterGetLastAddedDLLName();
 __declspec(dllexport) void TITCALL ImporterMoveIAT();
-__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
+__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
 __declspec(dllexport) long TITCALL ImporterEstimatedSize();
 __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
 __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
--- a/TitanEngine/scylla_wrapper_x86.lib
+++ b/TitanEngine/scylla_wrapper_x86.lib
--- a/TitanEngine/scylla_wrapperd_x86.lib
+++ b/TitanEngine/scylla_wrapperd_x86.lib