diff --git a/SDK/C/TitanEngine.h b/SDK/C/TitanEngine.h index 9cdc845..9776233 100644 --- a/SDK/C/TitanEngine.h +++ b/SDK/C/TitanEngine.h @@ -13,6 +13,20 @@ // Global.Constant.Structure.Declaration: // Engine.External: +#define UE_STRUCT_PE32STRUCT 1 +#define UE_STRUCT_PE64STRUCT 2 +#define UE_STRUCT_PESTRUCT 3 +#define UE_STRUCT_IMPORTENUMDATA 4 +#define UE_STRUCT_THREAD_ITEM_DATA 5 +#define UE_STRUCT_LIBRARY_ITEM_DATA 6 +#define UE_STRUCT_LIBRARY_ITEM_DATAW 7 +#define UE_STRUCT_PROCESS_ITEM_DATA 8 +#define UE_STRUCT_HANDLERARRAY 9 +#define UE_STRUCT_PLUGININFORMATION 10 +#define UE_STRUCT_HOOK_ENTRY 11 +#define UE_STRUCT_FILE_STATUS_INFO 12 +#define UE_STRUCT_FILE_FIX_INFO 13 + #define UE_ACCESS_READ 0 #define UE_ACCESS_WRITE 1 #define UE_ACCESS_ALL 2 @@ -321,6 +335,13 @@ typedef struct DWORD dwThreadId; void* ThreadStartAddress; void* ThreadLocalBase; + void* TebAddress; + ULONG WaitTime; + LONG Priority; + LONG BasePriority; + ULONG ContextSwitches; + ULONG ThreadState; + ULONG WaitReason; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; typedef struct @@ -920,6 +941,7 @@ __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies(); __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack); __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage); +__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize); // Global.Engine.Extension.Functions: __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName); diff --git a/SDK/CPP/TitanEngine.h b/SDK/CPP/TitanEngine.h index 1c0c71d..ae6d57a 100644 --- a/SDK/CPP/TitanEngine.h +++ b/SDK/CPP/TitanEngine.h 
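Review bot: The seven fields appended to THREAD_ITEM_DATA change sizeof(THREAD_ITEM_DATA), so code built against the previous SDK header may hand the engine a buffer that is too small for whatever fills this struct; the same change is repeated in SDK/CPP/TitanEngine.h on the next line. EngineCheckStructAlignment is the mechanism that lets a caller detect this, but its declaration says nothing about what StructureSize is expected to be or what a false result means. I would document it at the declaration: `// StructureSize must be sizeof() of the caller's copy of the structure selected by StructureType; returns false on a size mismatch or an unknown StructureType.` A comment next to the new THREAD_ITEM_DATA members noting that the struct grew in this SDK revision would help SDK users as well.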
@@ -13,6 +13,20 @@ // Global.Constant.Structure.Declaration: // Engine.External: +const BYTE UE_STRUCT_PE32STRUCT = 1; +const BYTE UE_STRUCT_PE64STRUCT = 2; +const BYTE UE_STRUCT_PESTRUCT = 3; +const BYTE UE_STRUCT_IMPORTENUMDATA = 4; +const BYTE UE_STRUCT_THREAD_ITEM_DATA = 5; +const BYTE UE_STRUCT_LIBRARY_ITEM_DATA = 6; +const BYTE UE_STRUCT_LIBRARY_ITEM_DATAW = 7; +const BYTE UE_STRUCT_PROCESS_ITEM_DATA = 8; +const BYTE UE_STRUCT_HANDLERARRAY = 9; +const BYTE UE_STRUCT_PLUGININFORMATION = 10; +const BYTE UE_STRUCT_HOOK_ENTRY = 11; +const BYTE UE_STRUCT_FILE_STATUS_INFO = 12; +const BYTE UE_STRUCT_FILE_FIX_INFO = 13; + const BYTE UE_ACCESS_READ = 0; const BYTE UE_ACCESS_WRITE = 1; const BYTE UE_ACCESS_ALL = 2; @@ -321,6 +335,13 @@ typedef struct DWORD dwThreadId; void* ThreadStartAddress; void* ThreadLocalBase; + void* TebAddress; + ULONG WaitTime; + LONG Priority; + LONG BasePriority; + ULONG ContextSwitches; + ULONG ThreadState; + ULONG WaitReason; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; typedef struct @@ -914,6 +935,7 @@ __declspec(dllimport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess __declspec(dllimport) bool TITCALL EngineDeleteCreatedDependencies(); __declspec(dllimport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack); __declspec(dllimport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage); +__declspec(dllimport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize); // Global.Engine.Extension.Functions: __declspec(dllimport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName); __declspec(dllimport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName); diff --git a/SDK/CPP/TitanEngine.hpp b/SDK/CPP/TitanEngine.hpp index a8f8ecf..48148b6 100644 --- a/SDK/CPP/TitanEngine.hpp +++ b/SDK/CPP/TitanEngine.hpp 
@@ -23,6 +23,23 @@ namespace UE // ---- +enum eStructType : DWORD +{ + UE_STRUCT_PE32STRUCT = UE::UE_STRUCT_PE32STRUCT, + UE_STRUCT_PE64STRUCT = UE::UE_STRUCT_PE64STRUCT, + UE_STRUCT_PESTRUCT = UE::UE_STRUCT_PESTRUCT, + UE_STRUCT_IMPORTENUMDATA = UE::UE_STRUCT_IMPORTENUMDATA, + UE_STRUCT_THREAD_ITEM_DATA = UE::UE_STRUCT_THREAD_ITEM_DATA, + UE_STRUCT_LIBRARY_ITEM_DATA = UE::UE_STRUCT_LIBRARY_ITEM_DATA, + UE_STRUCT_LIBRARY_ITEM_DATAW = UE::UE_STRUCT_LIBRARY_ITEM_DATAW, + UE_STRUCT_PROCESS_ITEM_DATA = UE::UE_STRUCT_PROCESS_ITEM_DATA, + UE_STRUCT_HANDLERARRAY = UE::UE_STRUCT_HANDLERARRAY, + UE_STRUCT_PLUGININFORMATION = UE::UE_STRUCT_PLUGININFORMATION, + UE_STRUCT_HOOK_ENTRY = UE::UE_STRUCT_HOOK_ENTRY, + UE_STRUCT_FILE_STATUS_INFO = UE::UE_STRUCT_FILE_STATUS_INFO, + UE_STRUCT_FILE_FIX_INFO = UE::UE_STRUCT_FILE_FIX_INFO +}; + enum eHideLevel : DWORD { UE_HIDE_PEBONLY = UE::UE_HIDE_PEBONLY, @@ -709,6 +726,8 @@ public: using DumperX::ConvertVAtoFileOffsetEx; using DumperX::ConvertFileOffsetToVA; using DumperX::ConvertFileOffsetToVAEx; + using DumperX::MemoryReadSafe; + using DumperX::MemoryWriteSafe; }; class RealignerA; @@ -2740,6 +2759,10 @@ protected: { return UE::EngineAddUnpackerWindowLogMessage(szLogMessage); } + static bool EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize) + { + return UE::EngineCheckStructAlignment(StructureType, StructureSize); + } }; class EngineA @@ -2773,6 +2796,7 @@ public: using EngineX::DeleteCreatedDependencies; using EngineX::CreateUnpackerWindow; using EngineX::AddUnpackerWindowLogMessage; + using EngineX::EngineCheckStructAlignment; }; class ExtensionManager diff --git a/TitanEngine.sln b/TitanEngine.sln index 69436f8..8b4e093 100644 --- a/TitanEngine.sln +++ b/TitanEngine.sln 
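Review bot: The wrapper added to EngineX is named `EngineCheckStructAlignment`, while every sibling in the class drops the `Engine` prefix (`AddUnpackerWindowLogMessage`, `DeleteCreatedDependencies`, `CreateUnpackerWindow` in EngineA's using-declarations); the forwarder should read `static bool CheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize)` with `using EngineX::CheckStructAlignment;` in EngineA. The eStructType enum is typed `: DWORD` while SDK/CPP/TitanEngine.h defines the same values as `const BYTE`; the widening is harmless, but a one-line comment that DWORD was chosen to match the exported function's parameter type would stop someone "fixing" it. The enclosing classes start and end outside these hunks.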
@@ -3,16 +3,6 @@ Microsoft Visual Studio Solution File, Format Version 11.00 # Visual Studio 2010 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TitanEngine", "TitanEngine\TitanEngine.vcxproj", "{9C7B8246-FDDA-48C7-9634-044969701E40}" EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TitanUnitTest", "TitanUnitTest\TitanUnitTest.vcxproj", "{5B5AB3CD-4D32-43B0-8840-E05C9483381D}" - ProjectSection(ProjectDependencies) = postProject - {9C7B8246-FDDA-48C7-9634-044969701E40} = {9C7B8246-FDDA-48C7-9634-044969701E40} - EndProjectSection -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TitanScriptGui", "TitanScriptGui\TitanScriptGui.vcxproj", "{49C88677-C374-4AE2-B431-8F3B424BF245}" - ProjectSection(ProjectDependencies) = postProject - {9C7B8246-FDDA-48C7-9634-044969701E40} = {9C7B8246-FDDA-48C7-9634-044969701E40} - EndProjectSection -EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 
@@ -29,22 +19,6 @@ Global {9C7B8246-FDDA-48C7-9634-044969701E40}.Release|Win32.Build.0 = Release|Win32 {9C7B8246-FDDA-48C7-9634-044969701E40}.Release|x64.ActiveCfg = Release|x64 {9C7B8246-FDDA-48C7-9634-044969701E40}.Release|x64.Build.0 = Release|x64 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Debug|Win32.ActiveCfg = Debug|Win32 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Debug|Win32.Build.0 = Debug|Win32 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Debug|x64.ActiveCfg = Debug|x64 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Debug|x64.Build.0 = Debug|x64 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Release|Win32.ActiveCfg = Release|Win32 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Release|Win32.Build.0 = Release|Win32 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Release|x64.ActiveCfg = Release|x64 - {5B5AB3CD-4D32-43B0-8840-E05C9483381D}.Release|x64.Build.0 = Release|x64 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Debug|Win32.ActiveCfg = Debug|Win32 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Debug|Win32.Build.0 = Debug|Win32 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Debug|x64.ActiveCfg = Debug|x64 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Debug|x64.Build.0 = Debug|x64 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Release|Win32.ActiveCfg = Release|Win32 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Release|Win32.Build.0 = Release|Win32 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Release|x64.ActiveCfg = Release|x64 - {49C88677-C374-4AE2-B431-8F3B424BF245}.Release|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/TitanEngine/Global.Debugger.cpp b/TitanEngine/Global.Debugger.cpp index ba020ad..11dda8f 100644 --- a/TitanEngine/Global.Debugger.cpp +++ b/TitanEngine/Global.Debugger.cpp 
@@ -25,7 +25,7 @@ DEBUG_EVENT DBGEvent = {}; DEBUG_EVENT TerminateDBGEvent = {}; DWORD ProcessExitCode = 0; HANDLE DBGFileHandle; -ULONG_PTR tlsCallBackList[100]; +std::vector tlsCallBackList; std::vector hListProcess; int engineStepCount = INFINITE; LPVOID engineStepCallBack = NULL; @@ -74,6 +74,11 @@ void ClearProcessList() std::vector().swap(hListProcess); } +void ClearTlsCallBackList() +{ + std::vector().swap(tlsCallBackList); +} + void StepOutStepCallBack() { BYTE cipch = 0x90; diff --git a/TitanEngine/Global.Debugger.h b/TitanEngine/Global.Debugger.h index a00cedb..c8d08b1 100644 --- a/TitanEngine/Global.Debugger.h +++ b/TitanEngine/Global.Debugger.h @@ -25,7 +25,7 @@ extern DEBUG_EVENT DBGEvent; extern DEBUG_EVENT TerminateDBGEvent; extern DWORD ProcessExitCode; extern HANDLE DBGFileHandle; -extern ULONG_PTR tlsCallBackList[100]; +extern std::vector tlsCallBackList; extern std::vector hListProcess; extern int engineStepCount; extern LPVOID engineStepCallBack; @@ -42,6 +42,7 @@ extern LPVOID StepOutCallBack; long DebugLoopInSecondThread(LPVOID InputParameter); void DebuggerReset(); void ClearProcessList(); +void ClearTlsCallBackList(); void StepOutStepCallBack(); #endif //_GLOBAL_DEBUGGER_H diff --git a/TitanEngine/Global.Engine.GUI.cpp b/TitanEngine/Global.Engine.GUI.cpp index 796d594..2770cc5 100644 --- a/TitanEngine/Global.Engine.GUI.cpp +++ b/TitanEngine/Global.Engine.GUI.cpp 
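Review bot: `ClearTlsCallBackList` here and `ClearTlsVector` in Global.TLS.cpp on the next line are the same swap-with-an-empty-vector idiom; one should call the other, e.g. `void ClearTlsCallBackList() { ClearTlsVector(&tlsCallBackList); }`, so the clearing logic has a single home. The swap is used rather than `clear()` presumably to release capacity, and that deserves a comment on the function, e.g. `// swap with an empty vector so the storage is released, not just the size reset`, or the next maintainer will simplify it away. The vector's element type is not visible on this page, so I cannot confirm the two helpers operate on the same type.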
@@ -55,9 +55,9 @@ long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) if(uMsg == WM_INITDIALOG) { SendMessageA(hwndDlg, WM_SETTEXT, NULL, (LPARAM)&szWindowUnpackerTitle); - HICON hIconLarge = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 32, 32, LR_DEFAULTSIZE); - SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)hIconLarge); - HICON hIconSmall = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 16, 16, LR_DEFAULTSIZE); + HICON hIconLarge = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 32, 32, LR_DEFAULTSIZE); + SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)hIconLarge); + HICON hIconSmall = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 16, 16, LR_DEFAULTSIZE); SendMessage(hwndDlg, WM_SETICON, ICON_SMALL, (LPARAM)hIconSmall); SetDlgItemTextA(hwndDlg, IDD_UNPACKERTITLE, szWindowUnpackerLongTitle); SetDlgItemTextA(hwndDlg, IDC_FILENAME, "filename.exe"); diff --git a/TitanEngine/Global.TLS.cpp b/TitanEngine/Global.TLS.cpp index d099d01..9c84954 100644 --- a/TitanEngine/Global.TLS.cpp +++ b/TitanEngine/Global.TLS.cpp @@ -3,4 +3,9 @@ #include "Global.TLS.h" ULONG_PTR engineTLSBreakOnCallBackAddress; -bool engineTLSBreakOnCallBack = false; \ No newline at end of file +bool engineTLSBreakOnCallBack = false; + +void ClearTlsVector(std::vector* vec) +{ + std::vector().swap(*vec); +} \ No newline at end of file diff --git a/TitanEngine/Global.TLS.h b/TitanEngine/Global.TLS.h index 11705de..882ba5a 100644 --- a/TitanEngine/Global.TLS.h +++ b/TitanEngine/Global.TLS.h @@ -1,7 +1,11 @@ #ifndef _GLOBAL_TLS_H #define _GLOBAL_TLS_H +#include + extern ULONG_PTR engineTLSBreakOnCallBackAddress; extern bool engineTLSBreakOnCallBack; +void ClearTlsVector(std::vector* vec); + #endif //_GLOBAL_TLS_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Breakpoints.cpp b/TitanEngine/TitanEngine.Breakpoints.cpp index fcd48d8..6b285d3 100644 
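Review bot: `ClearTlsVector` dereferences `vec` unconditionally, so a null argument crashes inside a helper that has no way to report it; either take the vector by reference so a null cannot be passed, or guard with `if(vec == NULL) return;` before the swap. Global.TLS.cpp still ends without a trailing newline after the change (the marker survives on both sides), which is worth fixing while the file is being touched.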
--- a/TitanEngine/TitanEngine.Breakpoints.cpp +++ b/TitanEngine/TitanEngine.Breakpoints.cpp @@ -13,7 +13,14 @@ static BYTE INT3LongBreakPoint[2] = {0xCD, 0x03}; __declspec(dllexport) void TITCALL SetBPXOptions(long DefaultBreakPointType) { - engineDefaultBreakPointType = DefaultBreakPointType; + if(DefaultBreakPointType == UE_BREAKPOINT_INT3 || DefaultBreakPointType == UE_BREAKPOINT_LONG_INT3 || DefaultBreakPointType == UE_BREAKPOINT_UD2) + engineDefaultBreakPointType = DefaultBreakPointType; + else if(DefaultBreakPointType == UE_BREAKPOINT_TYPE_INT3) + engineDefaultBreakPointType = UE_BREAKPOINT_INT3; + else if(DefaultBreakPointType == UE_BREAKPOINT_TYPE_LONG_INT3) + engineDefaultBreakPointType = UE_BREAKPOINT_LONG_INT3; + else if(DefaultBreakPointType == UE_BREAKPOINT_TYPE_UD2) + engineDefaultBreakPointType = UE_BREAKPOINT_UD2; } __declspec(dllexport) bool TITCALL IsBPXEnabled(ULONG_PTR bpxAddress) @@ -191,13 +198,7 @@ __declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, L memset(&NewBreakPoint, 0, sizeof(BreakPointDetail)); if(bpxType < UE_BREAKPOINT_TYPE_INT3) { - if(engineDefaultBreakPointType == UE_BREAKPOINT_INT3) - { - SelectedBreakPointType = UE_BREAKPOINT_INT3; - NewBreakPoint.BreakPointSize = 1; - bpxDataPrt = &INT3BreakPoint; - } - else if(engineDefaultBreakPointType == UE_BREAKPOINT_LONG_INT3) + if(engineDefaultBreakPointType == UE_BREAKPOINT_LONG_INT3) { SelectedBreakPointType = UE_BREAKPOINT_LONG_INT3; NewBreakPoint.BreakPointSize = 2; @@ -209,6 +210,12 @@ __declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, L NewBreakPoint.BreakPointSize = 2; bpxDataPrt = &UD2BreakPoint; } + else //default + { + SelectedBreakPointType = UE_BREAKPOINT_INT3; + NewBreakPoint.BreakPointSize = 1; + bpxDataPrt = &INT3BreakPoint; + } } else { 
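Review bot: SetBPXOptions now silently ignores any value that is not one of the six accepted constants and leaves engineDefaultBreakPointType unchanged, and because the function returns void the caller gets no signal; previously every value was stored as given. At minimum document the contract on the function: `// Both the UE_BREAKPOINT_* and UE_BREAKPOINT_TYPE_* families are accepted; any other value is ignored and the current default is kept.` If the exported signature may change, a bool "accepted" return would be the real fix.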
@@ -235,8 +242,6 @@ __declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, L } //set breakpoint in process bpxDataCmpPtr = (PMEMORY_COMPARE_HANDLER)bpxDataPrt; - VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, NewBreakPoint.BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(ReadProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &NewBreakPoint.OriginalByte[0], NewBreakPoint.BreakPointSize, &NumberOfBytesReadWritten)) { diff --git a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp index 41a75e9..203ae8a 100644 --- a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp +++ b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp @@ -588,13 +588,9 @@ __declspec(dllexport) void TITCALL DebugLoop() } if(engineTLSBreakOnCallBack) //set TLS callback breakpoints { - int i = NULL; - while(tlsCallBackList[i] != NULL) - { - SetBPX((ULONG_PTR)tlsCallBackList[i], UE_SINGLESHOOT, (LPVOID)engineTLSBreakOnCallBackAddress); - tlsCallBackList[i] = NULL; - i++; - } + for(unsigned int i=0; ie_lfanew); - if((DOSHeader->e_lfanew > 0x500) || (DOSHeader->e_magic != IMAGE_DOS_SIGNATURE) || (PEHeader32->Signature != IMAGE_NT_SIGNATURE)) + if ((DOSHeader->e_lfanew > 0x500) || (DOSHeader->e_magic != IMAGE_DOS_SIGNATURE) || (PEHeader32->Signature != IMAGE_NT_SIGNATURE)) { - if(CalculatedHeaderSize % 0x1000 == NULL) + return false; + } + + CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections); + + if(CalculatedHeaderSize > 0x1000) + { + if(CalculatedHeaderSize % 0x1000 != NULL) { - AlignedHeaderSize = 0x1000; + AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000; } else { 
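Review bot: Dropping the VirtualQueryEx / `OldProtect = MemInfo.Protect;` pair makes the unchecked VirtualProtectEx call the only source of OldProtect, so if that call fails OldProtect keeps whatever it held before and the protection restore that presumably follows works from a stale value; now that there is no fallback, the return should be checked, e.g. `if(!VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, NewBreakPoint.BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect)) return false;`. If MemInfo has no remaining use in SetBPX after this hunk, its declaration should go as well. SetBPX begins and ends outside this hunk, so I cannot see how OldProtect is initialised or later restored.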
diff --git a/TitanEngine/TitanEngine.Engine.cpp b/TitanEngine/TitanEngine.Engine.cpp index c286054..e07ff33 100644 --- a/TitanEngine/TitanEngine.Engine.cpp +++ b/TitanEngine/TitanEngine.Engine.cpp @@ -4,6 +4,7 @@ #include "Global.Mapping.h" #include "Global.Engine.Hook.h" #include "Global.Engine.GUI.h" +#include "Global.Engine.Extension.h" // TitanEngine.Engine.functions: __declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet) @@ -56,6 +57,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(char* szFileN return(NULL); } } + __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szFileName, wchar_t* szOutputFolder, bool LogCreatedFiles) { @@ -226,6 +228,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF } return false; } + __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess) { @@ -236,6 +239,7 @@ __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess } return false; } + __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies() { @@ -292,9 +296,9 @@ __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpack return false; } } + __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage) { - int cSelect; SendMessageA(EngineBoxHandle, LB_ADDSTRING, NULL, (LPARAM)szLogMessage); 
@@ -302,3 +306,38 @@ __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLog
 cSelect--;
 SendMessageA(EngineBoxHandle, LB_SETCURSEL, (WPARAM)cSelect, NULL);
 }
+
+__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize)
+{
+ int blub=1;
+ switch(StructureType)
+ {
+ case UE_STRUCT_PE32STRUCT:
+ return (sizeof(PE32Struct)==StructureSize);
+ case UE_STRUCT_PE64STRUCT:
+ return (sizeof(PE64Struct)==StructureSize);
+ case UE_STRUCT_PESTRUCT:
+ return (sizeof(PEStruct)==StructureSize);
+ case UE_STRUCT_IMPORTENUMDATA:
+ return (sizeof(ImportEnumData)==StructureSize);
+ case UE_STRUCT_THREAD_ITEM_DATA:
+ return (sizeof(THREAD_ITEM_DATA)==StructureSize);
+ case UE_STRUCT_LIBRARY_ITEM_DATA:
+ return (sizeof(LIBRARY_ITEM_DATA)==StructureSize);
+ case UE_STRUCT_LIBRARY_ITEM_DATAW:
+ return (sizeof(LIBRARY_ITEM_DATAW)==StructureSize);
+ case UE_STRUCT_PROCESS_ITEM_DATA:
+ return (sizeof(PROCESS_ITEM_DATA)==StructureSize);
+ case UE_STRUCT_HANDLERARRAY:
+ return (sizeof(HandlerArray)==StructureSize);
+ case UE_STRUCT_PLUGININFORMATION:
+ return (sizeof(PluginInformation)==StructureSize);
+ case UE_STRUCT_HOOK_ENTRY:
+ return (sizeof(HOOK_ENTRY)==StructureSize);
+ case UE_STRUCT_FILE_STATUS_INFO:
+ return (sizeof(FILE_STATUS_INFO)==StructureSize);
+ case UE_STRUCT_FILE_FIX_INFO:
+ return (sizeof(FILE_FIX_INFO)==StructureSize);
+ }
+ return false;
+}
diff --git a/TitanEngine/TitanEngine.Handler.cpp b/TitanEngine/TitanEngine.Handler.cpp
index 10fd5c7..17e0b56 100644
--- a/TitanEngine/TitanEngine.Handler.cpp
+++ b/TitanEngine/TitanEngine.Handler.cpp
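Review bot: `int blub=1;` at the top of EngineCheckStructAlignment is an unused leftover and should be deleted. The switch has no `default:` and relies on the trailing `return false;` for an unknown StructureType, which is the right result but worth making explicit with `default: return false;` inside the switch. Since this is the SDK's only way to detect a layout mismatch, the function also needs a header comment, e.g. `// Returns true when sizeof() of the engine's copy of the structure identified by StructureType equals StructureSize (the sizeof() produced by the caller's SDK header); false on mismatch or unknown type.`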
@@ -3,117 +3,110 @@ #include "Global.Handle.h" -void NtQuerySysHandleInfo(DynBuf& buf) +bool NtQuerySysHandleInfo(DynBuf& buf) { - DynBuf QSB; ULONG RequiredSize = NULL; - QSB.Allocate(0x2000); - while(NtQuerySystemInformation(SystemHandleInformation, QSB.GetPtr(), QSB.Size(), &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QSB.Allocate(RequiredSize); - } + buf.Allocate(sizeof(SYSTEM_HANDLE_INFORMATION)); + + NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize); + + buf.Allocate(RequiredSize + sizeof(SYSTEM_HANDLE_INFORMATION)); + + return (NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize) >= 0); } // TitanEngine.Handler.functions: __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) { - int HandleCount = 0; - ULONG TotalHandleCount = 0; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer; + PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles; - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) + for (ULONG i = 0; i < HandleInfo->NumberOfHandles; i++) { - if(HandleInfo->ProcessId == ProcessId) + if((DWORD)pHandle->UniqueProcessId == ProcessId) { HandleCount++; } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; + + pHandle++; } - return(HandleCount); + return HandleCount; } __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle) { bool HandleActive = false; - ULONG TotalHandleCount = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; DynBuf hinfo; - 
NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return false; + LPVOID QuerySystemBuffer = hinfo.GetPtr(); - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) + PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer; + PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles; + + + for (ULONG i = 0; i < HandleInfo->NumberOfHandles; i++) { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle) { HandleActive = true; break; } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; + + pHandle++; } return HandleActive; } -__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) +__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { - bool NameFound = false; HANDLE myHandle = NULL; ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + char ObjectNameInfo[0x1000] = {0}; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID tmpHandleFullName = NULL; - DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + { + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + return 0; + } LPVOID QuerySystemBuffer = hinfo.GetPtr(); + 
PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer; + PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles; - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) + for (ULONG i = 0; i < HandleInfo->NumberOfHandles; i++) { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle) { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) + if(pHandle->GrantedAccess != 0x0012019F) //Filter, because this GrantedAccess type can cause deadlocks! { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, FALSE, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleFullName, 0x1000); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, sizeof(ObjectNameInfo), &RequiredSize); + ZeroMemory(HandleFullName, 0x1000); if(pObjectNameInfo->Name.Length != NULL) { - WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); + wcscpy((wchar_t*)HandleFullName, pObjectNameInfo->Name.Buffer); NameFound = true; 
if(TranslateName) { - tmpHandleFullName = TranslateNativeName((char*)HandleFullName); + LPVOID tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { VirtualFree(HandleFullName, NULL, MEM_RELEASE); @@ -126,8 +119,8 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD } } } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; + + pHandle++; } if(!NameFound) 
@@ -140,77 +133,20 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD return(HandleFullName); } } -__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) +__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { + wchar_t * name = (wchar_t *)HandlerGetHandleNameW(hProcess, ProcessId, hHandle, TranslateName); - bool NameFound = false; - HANDLE myHandle = NULL; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID tmpHandleFullName = NULL; - - DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); - LPVOID QuerySystemBuffer = hinfo.GetPtr(); - - - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) + if (name) { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, 
&RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleFullName, 0x1000); - if(pObjectNameInfo->Name.Length != NULL) - { - //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); - NameFound = true; - lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer); - if(TranslateName) - { - tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); - if(tmpHandleFullName != NULL) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - HandleFullName = tmpHandleFullName; - } - } - } - EngineCloseHandle(myHandle); - break; - } - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; + LPVOID HandleFullName = VirtualAlloc(NULL, wcslen(name) + 1, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); + WideCharToMultiByte(CP_ACP, NULL, name, -1, (LPSTR)HandleFullName, (int)wcslen(name) + 1, NULL, NULL); + VirtualFree(name, NULL, MEM_RELEASE); + + return HandleFullName; } - if(!NameFound) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - return(NULL); - } - else - { - return(HandleFullName); - } - - return(NULL); + return 0; } __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount) { @@ -222,7 +158,8 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, PNTDLL_QUERY_HANDLE_INFO HandleInfo; DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); 
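Review bot: NtQuerySysHandleInfo no longer retries: the handle table can grow between its two NtQuerySystemInformation calls, so the second call can fail with the same length-mismatch status the old loop handled, and every caller then reports zero handles or no name for a transient reason; the rewrite below keeps the single-pass shape but loops on that status. In HandlerGetHandleNameW, `wcscpy((wchar_t*)HandleFullName, pObjectNameInfo->Name.Buffer)` assumes a terminator that a UNICODE_STRING buffer does not guarantee, and the NtQueryObject status is unchecked; copy `Name.Length` bytes and terminate explicitly, and skip the entry when the query fails. If the project's SYSTEM_HANDLE_TABLE_ENTRY_INFO follows the usual layout with 16-bit UniqueProcessId and HandleValue, the `(DWORD)pHandle->UniqueProcessId == ProcessId` comparisons can never match process ids above 65535, which is worth a comment on the struct or a switch to the extended information class. In the new HandlerGetHandleName, `VirtualAlloc(NULL, wcslen(name) + 1, ...)` sizes the ANSI buffer in wide characters; for a code page where a character needs more than one byte the conversion fails and an empty name is returned, so query the required size with a zero-length WideCharToMultiByte call first.
```cpp
bool NtQuerySysHandleInfo(DynBuf& buf)
{
    ULONG RequiredSize = 0;
    NTSTATUS Status;
    buf.Allocate(sizeof(SYSTEM_HANDLE_INFORMATION));
    do
    {
        Status = NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize);
        if(Status == (NTSTATUS)0xC0000004L) // STATUS_INFO_LENGTH_MISMATCH: table grew, grow the buffer and retry
            buf.Allocate(RequiredSize + sizeof(SYSTEM_HANDLE_INFORMATION));
    }
    while(Status == (NTSTATUS)0xC0000004L);
    return Status >= 0;
}
// … unchanged: HandlerGetActiveHandleCount, HandlerIsHandleOpen, HandlerGetHandleNameW, HandlerGetHandleName …
```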
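Review bot: HandlerEnumerateOpenHandles — and HandlerGetHandleDetails, HandlerEnumerateLockHandlesW, HandlerCloseAllLockHandlesW, HandlerIsFileLockedW and HandlerEnumerateOpenMutexes in the following hunks — still walks the buffer as a 4-byte count followed by `NTDLL_QUERY_HANDLE_INFO` entries, while the three functions rewritten above read the same NtQuerySysHandleInfo output as `SYSTEM_HANDLE_INFORMATION` with `NumberOfHandles` and a `Handles` array. If the two layouts differ, for instance in the padding before the entry array on x64, half the file will miscount or misattribute handles. Converting the remaining walkers to the `for (ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)` form used in HandlerGetActiveHandleCount would leave one layout in the file. The function bodies continue outside these hunks.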
@@ -249,7 +186,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char HandleFullData[0x1000] = {0}; LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; @@ -258,7 +195,8 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); @@ -270,8 +208,8 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, { if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT) { ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount; 
@@ -371,16 +309,17 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; char HandleFullNameB[0x1000] = {0}; LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); @@ -405,8 +344,8 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); 
@@ -476,9 +415,9 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; char HandleFullNameB[0x1000] = {0}; LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); @@ -486,7 +425,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); @@ -511,8 +451,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); 
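Review bot: HandlerCloseAllLockHandlesW returns bool, as does HandlerIsFileLockedW on the next line, yet the new early exit after the failed NtQuerySysHandleInfo call is `return 0;`; write `return false;` so the bool contract reads as such, matching the `return false;` already used in HandlerIsHandleOpen. Both functions begin and end outside their hunks.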
@@ -579,16 +519,17 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; char HandleFullNameB[0x1000] = {0}; LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); @@ -613,8 +554,8 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); 
@@ -670,7 +611,8 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); @@ -758,12 +700,11 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce } __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString) { - - wchar_t uniMutexString[MAX_PATH] = {}; + wchar_t uniMutexString[MAX_PATH] = {0}; if(szMutexString != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szMutexString, lstrlenA(szMutexString)+1, uniMutexString, sizeof(uniMutexString)/(sizeof(uniMutexString[0]))); + MultiByteToWideChar(CP_ACP, NULL, szMutexString, -1, uniMutexString, _countof(uniMutexString)); return(HandlerGetProcessIdWhichCreatedMutexW(uniMutexString)); } else @@ -773,7 +714,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* sz } __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString) { - if(!szMutexString || lstrlenW(szMutexString)>=512) + if(!szMutexString || wcslen(szMutexString) >= 450) return 0; HANDLE hProcess = NULL; DWORD ReturnData = NULL; 
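Review bot: The return value of the rewritten `MultiByteToWideChar(CP_ACP, NULL, szMutexString, -1, uniMutexString, _countof(uniMutexString))` call is not checked, so a name longer than the MAX_PATH buffer leaves `uniMutexString` empty or truncated and the lookup silently runs on the wrong name; guard it with `if(!MultiByteToWideChar(CP_ACP, NULL, szMutexString, -1, uniMutexString, _countof(uniMutexString))) return 0;` before calling the W variant. In HandlerGetProcessIdWhichCreatedMutexW the new limit `wcslen(szMutexString) >= 450` is a magic number whose only justification is the `RealMutexName[512]` buffer that `lstrcatW` fills in the next hunk; derive it from that buffer, e.g. `_countof(RealMutexName) - wcslen(L"\\BaseNamedObjects\\") - 1`, or at least comment which buffer it protects. Both functions continue outside these hunks.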
@@ -786,14 +727,15 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t char HandleNameData[0x1000] = {0}; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; lstrcatW(RealMutexName, szMutexString); DynBuf hinfo; - NtQuerySysHandleInfo(hinfo); + if (!NtQuerySysHandleInfo(hinfo)) + return 0; LPVOID QuerySystemBuffer = hinfo.GetPtr(); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); @@ -807,7 +749,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t { EngineCloseHandle(hProcess); } - hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId); + hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId); LastProcessId = HandleInfo->ProcessId; } if(hProcess != NULL) diff --git a/TitanEngine/TitanEngine.TLS.cpp b/TitanEngine/TitanEngine.TLS.cpp index 5c3e1f4..bb4bc38 100644 --- a/TitanEngine/TitanEngine.TLS.cpp +++ b/TitanEngine/TitanEngine.TLS.cpp 
@@ -9,72 +9,52 @@ static bool engineBackupTLSx64 = false; static IMAGE_TLS_DIRECTORY32 engineBackupTLSDataX86 = {}; static IMAGE_TLS_DIRECTORY64 engineBackupTLSDataX64 = {}; static DWORD engineBackupNumberOfCallBacks = NULL; -static LPVOID engineBackupArrayOfCallBacks = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); +static std::vector engineBackupArrayOfCallBacks; static DWORD engineBackupTLSAddress = NULL; -// TitanEngine.TLSFixer.functions: +// TitanEngine.TLS.functions: __declspec(dllexport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack) { + ULONG_PTR* ReadArrayOfCallBacks = (ULONG_PTR*)ArrayOfCallBacks; - unsigned int i; - LPVOID ReadArrayOfCallBacks = ArrayOfCallBacks; - - if(NumberOfCallBacks > NULL) + if(NumberOfCallBacks && EngineIsValidReadPtrEx(ReadArrayOfCallBacks, sizeof(ULONG_PTR)*NumberOfCallBacks) && bpxCallBack) { - for(i = 0; i < NumberOfCallBacks; i++) - { - RtlMoveMemory(&tlsCallBackList[i], ReadArrayOfCallBacks, sizeof ULONG_PTR); - ReadArrayOfCallBacks = (LPVOID)((ULONG_PTR)ReadArrayOfCallBacks + sizeof ULONG_PTR); - } + ClearTlsCallBackList(); //clear TLS cb list + for(unsigned int i=0; ie_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + DWORD NumberOfTLSCallBacks = 0; + PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + bool FileIs64; if(PEHeader32->OptionalHeader.Magic == 0x10B) { FileIs64 = false; 
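Review bot: In TLSBreakOnCallBack the new guard `EngineIsValidReadPtrEx(ReadArrayOfCallBacks, sizeof(ULONG_PTR)*NumberOfCallBacks)` computes the byte count in `size_t`, which on a 32-bit build wraps for `NumberOfCallBacks` above `SIZE_MAX / sizeof(ULONG_PTR)` and makes the probe cover a tiny range while the loop still iterates the full count. Reject such counts first, `if(NumberOfCallBacks > SIZE_MAX / sizeof(ULONG_PTR)) return false;`, and if `tlsCallBackList` (the list the removed code indexed and `ClearTlsCallBackList()` resets) has a fixed capacity, bound the count by that as well. The loop body and the start of TLSGrabCallBackDataW are missing from this rendering (the text between `for(unsigned int i=0; i` and `e_lfanew)` is gone), so they are not reviewed here.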
@@ -88,70 +68,84 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } - if(!FileIs64) + if(!FileIs64) //x86 { if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) { - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); if(TLSDirectoryX86->AddressOfCallBacks != NULL) { - TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true); + ULONG_PTR TLSCompareData = 0; + ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true); while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) { - RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); - ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + if(ArrayOfCallBacks) + { + RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); + ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + } TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; NumberOfTLSCallBacks++; } - *NumberOfCallBacks = NumberOfTLSCallBacks; + if(NumberOfCallBacks) + *NumberOfCallBacks = NumberOfTLSCallBacks; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return true; } else { - *NumberOfCallBacks = NULL; + 
if(NumberOfCallBacks) + *NumberOfCallBacks = 0; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } } else { - *NumberOfCallBacks = NULL; + if(NumberOfCallBacks) + *NumberOfCallBacks = 0; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } } - else + else //x64 { if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) { - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); if(TLSDirectoryX64->AddressOfCallBacks != NULL) { - TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true); + ULONG_PTR TLSCompareData = NULL; + ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true); while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) { - RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); - ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + if(ArrayOfCallBacks) + { + RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); + ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + } TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; NumberOfTLSCallBacks++; } - *NumberOfCallBacks = NumberOfTLSCallBacks; + if(NumberOfCallBacks) + *NumberOfCallBacks = NumberOfTLSCallBacks; 
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return true; } else { - *NumberOfCallBacks = NULL; + if(NumberOfCallBacks) + *NumberOfCallBacks = 0; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } } else { - *NumberOfCallBacks = NULL; + if(NumberOfCallBacks) + *NumberOfCallBacks = 0; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } 
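Review bot: The rewritten callback walk `while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)` still advances until it finds a zero entry with no upper bound, so a file whose callback array is unterminated or whose `AddressOfCallBacks` maps near the end of the file reads past `FileMapVA + FileSize`. Add the mapping end to the condition in both branches, `while(TLSCallBackAddress + sizeof ULONG_PTR <= FileMapVA + FileSize && memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)`, and document that a non-NULL `ArrayOfCallBacks` must hold at least the count returned by a prior NULL call, since nothing here limits the writes. The x86 branch also steps by `sizeof ULONG_PTR`, which is 8 on a 64-bit build while PE32 callback entries are 4 bytes wide; if this build is expected to handle PE32 files, that branch needs a DWORD stride. If `ConvertVAtoFileOffset` signals a VA outside the file with a zero return, `TLSDirectoryX86->AddressOfCallBacks` dereferences it unguarded here, whereas TLSRemoveCallbackW wraps the same access in `__try`. The same unbounded walk is in the two TLSBackupDataW hunks further down.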
@@ -159,89 +153,65 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV } else { - *NumberOfCallBacks = NULL; + if(NumberOfCallBacks) + *NumberOfCallBacks = 0; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } } return false; } + __declspec(dllexport) bool TITCALL TLSBreakOnCallBackEx(char* szFileName, LPVOID bpxCallBack) { - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) + if(szFileName) { MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(TLSBreakOnCallBackExW(uniFileName, bpxCallBack)); - } - else - { - return false; + return TLSBreakOnCallBackExW(uniFileName, bpxCallBack); } + return false; } + __declspec(dllexport) bool TITCALL TLSBreakOnCallBackExW(wchar_t* szFileName, LPVOID bpxCallBack) { - - ULONG_PTR TlsArrayOfCallBacks[100]; - DWORD TlsNumberOfCallBacks; - - RtlZeroMemory(&TlsArrayOfCallBacks, 100 * sizeof ULONG_PTR); - if(szFileName != NULL) + DWORD NumberOfCallBacks; + if(TLSGrabCallBackDataW(szFileName, NULL, &NumberOfCallBacks)) { - if(TLSGrabCallBackDataW(szFileName, &TlsArrayOfCallBacks, &TlsNumberOfCallBacks)) + DynBuf TlsArrayOfCallBacks(NumberOfCallBacks*sizeof(ULONG_PTR)); + if(TLSGrabCallBackDataW(szFileName, TlsArrayOfCallBacks.GetPtr(), &NumberOfCallBacks)) { - TLSBreakOnCallBack(&TlsArrayOfCallBacks, TlsNumberOfCallBacks, bpxCallBack); - return true; - } - else - { - return false; + return TLSBreakOnCallBack(TlsArrayOfCallBacks.GetPtr(), NumberOfCallBacks, bpxCallBack); } } - else - { - return false; - } + return false; } + __declspec(dllexport) bool TITCALL TLSRemoveCallback(char* szFileName) { - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) + if(szFileName) { MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(TLSRemoveCallbackW(uniFileName)); - } - else - { - return false; + return 
TLSRemoveCallbackW(uniFileName); } + return false; } + __declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName) { - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; HANDLE FileHandle; DWORD FileSize; HANDLE FileMap; ULONG_PTR FileMapVA; - BOOL FileIs64; - PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86; - PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64; - ULONG_PTR TLSDirectoryAddress; - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + bool FileIs64; if(PEHeader32->OptionalHeader.Magic == 0x10B) { FileIs64 = false; @@ -261,8 +231,8 @@ __declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName) { __try { - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); if(TLSDirectoryX86->AddressOfCallBacks != NULL) { TLSDirectoryX86->AddressOfCallBacks = NULL; 
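Review bot: As rendered, TLSBreakOnCallBackEx and TLSRemoveCallback drop the `wchar_t uniFileName[MAX_PATH] = {};` declaration while the unchanged `MultiByteToWideChar(..., uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])))` line still writes into it; unless a `{0}`-initialised replacement line was lost in this view (the Handler hunk shows such a rewrite for `uniMutexString`), these no longer compile. TLSRemoveTable, TLSBackupData and TLSBuildNewTableEx in later hunks show the same removal. In TLSBreakOnCallBackExW the new two-pass scheme sizes `DynBuf TlsArrayOfCallBacks` from a first NULL call and then lets the second call write with no capacity, so the buffer is only as safe as the file being unchanged between the two reads; the writes happen before any count can be compared, so the bound has to live inside TLSGrabCallBackDataW or the walk has to be done once here into a growable container.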
@@ -293,8 +263,8 @@ __declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName) { __try { - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); if(TLSDirectoryX64->AddressOfCallBacks != NULL) { TLSDirectoryX64->AddressOfCallBacks = NULL; 
@@ -328,43 +298,32 @@ __declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName) } return false; } + __declspec(dllexport) bool TITCALL TLSRemoveTable(char* szFileName) { - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) + if(szFileName) { MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(TLSRemoveTableW(uniFileName)); - } - else - { - return false; + return TLSRemoveTableW(uniFileName); } + return false; } + __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName) { - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; HANDLE FileHandle; DWORD FileSize; HANDLE FileMap; ULONG_PTR FileMapVA; - BOOL FileIs64; - PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86; - PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64; - ULONG_PTR TLSDirectoryAddress; - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + bool FileIs64; if(PEHeader32->OptionalHeader.Magic == 0x10B) { FileIs64 = false; 
@@ -384,8 +343,8 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName) { __try { - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; RtlZeroMemory(TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32); @@ -410,8 +369,8 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName) { __try { - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; RtlZeroMemory(TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64); 
@@ -439,52 +398,41 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName) } return false; } + __declspec(dllexport) bool TITCALL TLSBackupData(char* szFileName) { - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) + if(szFileName) { MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(TLSBackupDataW(uniFileName)); - } - else - { - return false; + return TLSBackupDataW(uniFileName); } + return false; } + __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName) { - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; HANDLE FileHandle; DWORD FileSize; HANDLE FileMap; ULONG_PTR FileMapVA; - BOOL FileIs64; - PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86; - PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64; - ULONG_PTR TLSDirectoryAddress; - ULONG_PTR TLSCallBackAddress; - ULONG_PTR TLSCompareData = NULL; - DWORD NumberOfTLSCallBacks = NULL; - LPVOID ArrayOfCallBacks = &engineBackupArrayOfCallBacks; - LPDWORD NumberOfCallBacks = &engineBackupNumberOfCallBacks; - - engineBackupTLSAddress = NULL; - RtlZeroMemory(engineBackupArrayOfCallBacks, 0x1000); - RtlZeroMemory(&engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32); - RtlZeroMemory(&engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64); if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + DWORD NumberOfTLSCallBacks = NULL; + engineBackupTLSAddress = NULL; + RtlZeroMemory(&engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32); + RtlZeroMemory(&engineBackupTLSDataX64, sizeof 
IMAGE_TLS_DIRECTORY64); + ClearTlsVector(&engineBackupArrayOfCallBacks); //clear backup array + + std::vector* ArrayOfCallBacks = &engineBackupArrayOfCallBacks; + LPDWORD NumberOfCallBacks = &engineBackupNumberOfCallBacks; + + PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + bool FileIs64; if(PEHeader32->OptionalHeader.Magic == 0x10B) { FileIs64 = false; @@ -498,7 +446,7 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName) UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } - if(!FileIs64) + if(!FileIs64) //x86 { if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) { 
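Review bot: Resetting the backup state (`engineBackupTLSAddress = NULL;`, the two `RtlZeroMemory` calls and `ClearTlsVector(&engineBackupArrayOfCallBacks)`) has moved from function entry to inside the `EngineValidateHeader` branch, so when `MapFileExW` or header validation fails TLSBackupDataW returns false while the previous file's backup stays live, and a later TLSRestoreData, which only checks `engineBackupTLSAddress` and `engineBackupNumberOfCallBacks`, can write the old file's callbacks into the new debuggee. Move those statements back above the `MapFileExW` call and reset the count there too, `engineBackupNumberOfCallBacks = 0;`, since the `*NumberOfCallBacks = NULL;` that the no-TLS branch used to perform is removed in a later hunk. `std::vector* ArrayOfCallBacks` appears without its element type in this rendering, so the template argument is not reviewed.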
@@ -506,17 +454,17 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName) { engineBackupTLSx64 = false; engineBackupTLSAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32); if(TLSDirectoryX86->AddressOfCallBacks != NULL) { - TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true); + ULONG_PTR TLSCompareData = 0; + ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true); while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) { - RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); - ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); - TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; + ArrayOfCallBacks->push_back(*TLSCallBackAddress); + TLSCallBackAddress++; //next callback NumberOfTLSCallBacks++; } *NumberOfCallBacks = NumberOfTLSCallBacks; @@ -544,7 +492,7 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName) return false; } } - else + else //x64 { if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) { 
@@ -552,17 +500,17 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName) { engineBackupTLSx64 = true; engineBackupTLSAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); + ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64); if(TLSDirectoryX64->AddressOfCallBacks != NULL) { - TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true); + ULONG_PTR TLSCompareData = 0; + ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true); while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) { - RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); - ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); - TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; + ArrayOfCallBacks->push_back(*TLSCallBackAddress); + TLSCallBackAddress++; //next callback NumberOfTLSCallBacks++; } *NumberOfCallBacks = NumberOfTLSCallBacks; 
@@ -593,18 +541,16 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName) } else { - *NumberOfCallBacks = NULL; UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return false; } } return false; } + __declspec(dllexport) bool TITCALL TLSRestoreData() { - ULONG_PTR ueNumberOfBytesRead = NULL; - if(dbgProcessInformation.hProcess != NULL && engineBackupTLSAddress != NULL) { if(engineBackupTLSx64) @@ -613,7 +559,11 @@ __declspec(dllexport) bool TITCALL TLSRestoreData() { if(engineBackupTLSDataX64.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL) { - if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSDataX64.AddressOfCallBacks + GetDebuggedFileBaseAddress()), engineBackupArrayOfCallBacks, sizeof IMAGE_TLS_DIRECTORY64, &ueNumberOfBytesRead)) + DynBuf BackupData(sizeof(ULONG_PTR)*engineBackupArrayOfCallBacks.size()); + ULONG_PTR* Backup=(ULONG_PTR*)BackupData.GetPtr(); + for(unsigned int i=0; ie_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + bool FileIs64; + ULONG_PTR TLSWriteData = StorePlaceRVA; if(PEHeader32->OptionalHeader.Magic == 0x10B) { FileIs64 = false; 
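Review bot: The new TLSRestoreData code copies `engineBackupArrayOfCallBacks` element by element into a `DynBuf` before writing it out; a std::vector is already contiguous, so `&engineBackupArrayOfCallBacks[0]` with `sizeof(ULONG_PTR)*engineBackupArrayOfCallBacks.size()` gives the same bytes without the copy and the loop (non-empty is implied by the `engineBackupNumberOfCallBacks != NULL` check, assuming count and vector stay in sync as the TLSBackupDataW loop keeps them). The rest of this hunk and the start of the TLSBuildNewTable hunk are missing from the rendering (the text after `for(unsigned int i=0; i` is gone), so the write call that consumes `Backup` is not reviewed.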
@@ -684,7 +632,7 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P { PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA; PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY32; - TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace; + PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace; TLSDirectoryX86->StartAddressOfRawData = (DWORD)TLSWriteData; TLSDirectoryX86->EndAddressOfRawData = (DWORD)TLSWriteData + 0x10; TLSDirectoryX86->AddressOfIndex = (DWORD)TLSWriteData + 0x14; @@ -703,7 +651,7 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P { PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA; PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY64; - TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace; + PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace; TLSDirectoryX64->StartAddressOfRawData = TLSWriteData; TLSDirectoryX64->EndAddressOfRawData = TLSWriteData + 0x20; TLSDirectoryX64->AddressOfIndex = TLSWriteData + 0x28; 
@@ -724,39 +672,30 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P } return false; } + __declspec(dllexport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks) { - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) + if(szFileName) { MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(TLSBuildNewTableExW(uniFileName, szSectionName, ArrayOfCallBacks, NumberOfCallBacks)); - } - else - { - return false; + return TLSBuildNewTableExW(uniFileName, szSectionName, ArrayOfCallBacks, NumberOfCallBacks); } + return false; } + __declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks) { - + ULONG_PTR tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE); + DWORD NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof IMAGE_TLS_DIRECTORY64 * 2); HANDLE FileHandle; DWORD FileSize; HANDLE FileMap; ULONG_PTR FileMapVA; - DWORD NewSectionVO = NULL; - DWORD NewSectionFO = NULL; - bool ReturnValue = false; - ULONG_PTR tlsImageBase; - - tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE); - NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof IMAGE_TLS_DIRECTORY64 * 2); if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { - NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true); - ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks); + DWORD NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true); + bool ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); if(ReturnValue) 
{ @@ -767,8 +706,5 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char return false; } } - else - { - return false; - } + return false; } diff --git a/TitanEngine/TitanEngine.Threader.cpp b/TitanEngine/TitanEngine.Threader.cpp index ea75d78..c210b44 100644 --- a/TitanEngine/TitanEngine.Threader.cpp +++ b/TitanEngine/TitanEngine.Threader.cpp 
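Review bot: TLSBuildNewTableExW now calls `AddNewSectionW` and `GetPE32DataW` at declaration time and still uses both results unchecked, so if adding the section fails the file is mapped anyway and `ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true)` is computed from a bogus offset before TLSBuildNewTable writes through it. If AddNewSectionW reports failure with a zero return, add `if(!NewSectionVO) return false;` before `MapFileExW`, and treat a zero `tlsImageBase` the same way. TLSBuildNewTableEx in the first hunk here removes `wchar_t uniFileName[MAX_PATH] = {};` while the following `MultiByteToWideChar` still writes into `uniFileName`; if no replacement declaration was lost in this view, it will not compile.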
@@ -5,36 +5,152 @@ #include "Global.Threader.h" #include "Global.Debugger.h" +void updateThreadList( THREAD_ITEM_DATA* NewThreadData ) +{ + bool notInList = true; + unsigned int count = hListThread.size(); + + for (unsigned int i = 0; i < count; i++) + { + if (hListThread.at(i).dwThreadId == NewThreadData->dwThreadId) + { + notInList = false; + CloseHandle(NewThreadData->hThread); //handle not needed + hListThread.at(i).BasePriority = NewThreadData->BasePriority; + hListThread.at(i).ContextSwitches = NewThreadData->ContextSwitches; + hListThread.at(i).Priority = NewThreadData->Priority; + hListThread.at(i).TebAddress = NewThreadData->TebAddress; + hListThread.at(i).ThreadStartAddress = NewThreadData->ThreadStartAddress; + hListThread.at(i).WaitReason = NewThreadData->WaitReason; + hListThread.at(i).WaitTime = NewThreadData->WaitTime; + hListThread.at(i).ThreadState = NewThreadData->ThreadState; + break; + } + } + + if (notInList) + { + hListThread.push_back(*NewThreadData); + } +} + // TitanEngine.Threader.functions: __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId) { - if(dbgProcessInformation.hProcess != NULL || ProcessId == NULL) - return false; - std::vector().swap(hListThread); //clear thread list - THREADENTRY32 ThreadEntry = {}; - ThreadEntry.dwSize = sizeof THREADENTRY32; - HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); - if(hSnapShot != INVALID_HANDLE_VALUE) + bool updateList = false; + DWORD dwProcessId = 0; + + if (ProcessId == NULL && dbgProcessInformation.hProcess != NULL) { - if(Thread32First(hSnapShot, &ThreadEntry)) + updateList = true; + dwProcessId = GetProcessId(dbgProcessInformation.hProcess); + } + else if (ProcessId != NULL && dbgProcessInformation.hProcess != NULL) + { + updateList = true; + dwProcessId = ProcessId; + } + else if (ProcessId != NULL && dbgProcessInformation.hProcess == NULL) + { + updateList = false; + dwProcessId = ProcessId; + } + else if (ProcessId == NULL && 
dbgProcessInformation.hProcess == NULL) + { + return false; + } + + if (updateList == false) + { + std::vector().swap(hListThread); //clear thread list + } + + + THREAD_ITEM_DATA NewThreadData; + ULONG retLength = 0; + ULONG bufferLength = 1; + PSYSTEM_PROCESS_INFORMATION pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength); + PSYSTEM_PROCESS_INFORMATION pIter; + PSYSTEM_THREAD_INFORMATION pIterThread; + + if (NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) == STATUS_INFO_LENGTH_MISMATCH) + { + free(pBuffer); + bufferLength = retLength + sizeof(SYSTEM_PROCESS_INFORMATION); + pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength); + if (!pBuffer) + return false; + + if (NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) != STATUS_SUCCESS) { - do + return false; + } + } + else + { + return false; + } + + pIter = pBuffer; + + while(TRUE) + { + if (pIter->UniqueProcessId == (HANDLE)dwProcessId) + { + pIterThread = &pIter->Threads[0]; + for (ULONG i = 0; i < pIter->NumberOfThreads; i++) { - if(ThreadEntry.th32OwnerProcessID == ProcessId) + ZeroMemory(&NewThreadData, sizeof(THREAD_ITEM_DATA)); + + NewThreadData.BasePriority = pIterThread->BasePriority; + NewThreadData.ContextSwitches = pIterThread->ContextSwitches; + NewThreadData.Priority = pIterThread->Priority; + NewThreadData.BasePriority = pIterThread->BasePriority; + //NewThreadData.ThreadStartAddress = pIterThread->StartAddress; <- wrong value + NewThreadData.ThreadState = pIterThread->ThreadState; + NewThreadData.WaitReason = pIterThread->WaitReason; + NewThreadData.WaitTime = pIterThread->WaitTime; + NewThreadData.dwThreadId = (DWORD)pIterThread->ClientId.UniqueThread; + + NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, NewThreadData.dwThreadId); + if (NewThreadData.hThread) + { + NewThreadData.TebAddress = GetTEBLocation(NewThreadData.hThread); + + PVOID startAddress = 0; + if 
(NtQueryInformationThread(NewThreadData.hThread, ThreadQuerySetWin32StartAddress, &startAddress, sizeof(PVOID), NULL) == STATUS_SUCCESS) + { + NewThreadData.ThreadStartAddress = startAddress; + } + } + + if (updateList == false) { - THREAD_ITEM_DATA NewThreadData; - memset(&NewThreadData, 0, sizeof(THREAD_ITEM_DATA)); - NewThreadData.dwThreadId = ThreadEntry.th32ThreadID; - NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, false, NewThreadData.dwThreadId); hListThread.push_back(NewThreadData); } + else + { + updateThreadList(&NewThreadData); + } + + pIterThread++; } - while(Thread32Next(hSnapShot, &ThreadEntry)); + + break; + } + + if (pIter->NextEntryOffset == 0) + { + break; + } + else + { + pIter = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pIter + (DWORD_PTR)pIter->NextEntryOffset); } - EngineCloseHandle(hSnapShot); - return true; } - return false; + + free(pBuffer); + return (hListThread.size() > 0); } __declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId) @@ -208,9 +324,10 @@ __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread) if(SuspendThread(hThread)) //if previous suspend count is above 0 (which means thread is suspended) { ResumeThread(hThread); //decrement suspend count - return true; + return false; //meaning the thread is not active } - return false; + ResumeThread(hThread); //decrement suspend count + return true; } __declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive() diff --git a/TitanEngine/TitanEngine.def b/TitanEngine/TitanEngine.def index 8171706..e4db0d0 100644 --- a/TitanEngine/TitanEngine.def +++ b/TitanEngine/TitanEngine.def @@ -390,6 +390,7 @@ EngineCreateMissingDependencies EngineCreateMissingDependenciesW EngineCreateUnpackerWindow EngineAddUnpackerWindowLogMessage +EngineCheckStructAlignment ExtensionManagerIsPluginLoaded ExtensionManagerIsPluginEnabled ExtensionManagerDisablePlugin 
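Review bot: ThreaderImportRunningThreadData leaks `pBuffer` on both NtQuerySystemInformation failure paths (the `else { return false; }` after the 1-byte probe and the `!= STATUS_SUCCESS` return after the real query), and the second query can itself fail with STATUS_INFO_LENGTH_MISMATCH because processes and threads can be created between the two calls and `retLength + sizeof(SYSTEM_PROCESS_INFORMATION)` is too little slack for that. A retry loop that frees on every exit fixes both; the walk should also stop when `pIter + NextEntryOffset` leaves `[pBuffer, pBuffer + retLength)` instead of trusting the offset chain unconditionally. Two smaller things: `NewThreadData.BasePriority` is assigned twice, and in the `updateList` path entries for threads that have since exited are never removed from hListThread, so their `hThread` handles stay open unless something outside this hunk prunes them on the thread-exit debug event — worth a comment either way.
```cpp
// … unchanged: updateList / dwProcessId selection and list clearing …
ULONG retLength = 0;
ULONG bufferLength = 0x10000;
PSYSTEM_PROCESS_INFORMATION pBuffer = NULL;
NTSTATUS status;
do
{
    free(pBuffer); //free(NULL) is a no-op on the first pass
    pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
    if (!pBuffer)
        return false;
    status = NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength);
    if (status == STATUS_INFO_LENGTH_MISMATCH)
        bufferLength = retLength + 0x1000; //the list can grow between calls: retry with the reported size plus slack
}
while (status == STATUS_INFO_LENGTH_MISMATCH);
if (status != STATUS_SUCCESS)
{
    free(pBuffer);
    return false;
}
const DWORD_PTR bufferEnd = (DWORD_PTR)pBuffer + retLength;
// … unchanged: per-process / per-thread walk …
if (pIter->NextEntryOffset == 0 || (DWORD_PTR)pIter + pIter->NextEntryOffset >= bufferEnd)
    break; //end of chain, or an offset that would leave the buffer
pIter = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pIter + (DWORD_PTR)pIter->NextEntryOffset);
// … unchanged: free(pBuffer); return (hListThread.size() > 0); …
```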
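Review bot: The inverted return values in ThreaderIsThreadActive are right, but the `if(SuspendThread(hThread))` test still conflates failure with "was already suspended": SuspendThread returns `(DWORD)-1` on error (invalid handle, insufficient access, thread already exited), which is non-zero, so the function then calls ResumeThread on a thread it never suspended and reports it as inactive. Capture the previous count and treat -1 separately so a failed probe neither decrements someone else's suspend count nor masquerades as a result. The function's opening lines are outside this hunk.
```cpp
DWORD previousCount = SuspendThread(hThread);
if(previousCount == (DWORD)-1)
    return false; //suspend failed (bad handle/access/exited): nothing to undo, report inactive
ResumeThread(hThread); //undo our own suspend; the count is back to previousCount
return previousCount == 0; //active only if nobody else had it suspended
```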
diff --git a/TitanEngine/TitanEngine.vcxproj.filters b/TitanEngine/TitanEngine.vcxproj.filters index edd5f5b..a3564d6 100644 --- a/TitanEngine/TitanEngine.vcxproj.filters +++ b/TitanEngine/TitanEngine.vcxproj.filters @@ -208,7 +208,7 @@ Source Files\TitanEngine - Source Files + Source Files\TitanEngine diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h index 3b868df..ad33cba 100644 --- a/TitanEngine/definitions.h +++ b/TitanEngine/definitions.h @@ -425,6 +425,7 @@ __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies(); __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack); __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage); +__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize); // Global.Engine.Extension.Functions: __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName); diff --git a/TitanEngine/ntdll.h b/TitanEngine/ntdll.h index 7ce981f..2701b8c 100644 --- a/TitanEngine/ntdll.h +++ b/TitanEngine/ntdll.h @@ -8,6 +8,8 @@ #pragma comment(lib, "ntdll_x64.lib") #endif +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) + typedef LONG NTSTATUS; typedef LONG KPRIORITY; 
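Review bot: `STATUS_INFO_LENGTH_MISMATCH` is defined unconditionally in ntdll.h; any translation unit that also pulls in <ntstatus.h> will get a macro-redefinition warning, so guard it: `#ifndef STATUS_INFO_LENGTH_MISMATCH` / `#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)` / `#endif`. The cast names NTSTATUS, which this header only typedefs two lines later; that works because the macro is expanded at its use sites, but a one-line comment saying so would save the next reader a double take.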
@@ -17,6 +19,61 @@ typedef struct _CLIENT_ID HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID; +typedef enum _KTHREAD_STATE +{ + Initialized, + Ready, + Running, + Standby, + Terminated, + Waiting, + Transition, + DeferredReady, + GateWait +} KTHREAD_STATE; + +typedef enum _KWAIT_REASON +{ + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + Spare2, + Spare3, + Spare4, + Spare5, + Spare6, + WrKernel, + WrResource, + WrPushLock, + WrMutex, + WrQuantumEnd, + WrDispatchInt, + WrPreempted, + WrYieldExecution, + WrFastMutex, + WrGuardedMutex, + WrRundown, + MaximumWaitReason +} KWAIT_REASON; + typedef struct _UNICODE_STRING { USHORT Length; 
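Review bot: KTHREAD_STATE and KWAIT_REASON are added but nothing in this change uses them — SYSTEM_THREAD_INFORMATION and THREAD_ITEM_DATA keep `ThreadState`/`WaitReason` as ULONG — so a reader cannot tell what they are for; a header comment such as `// Decoders for the ULONG ThreadState/WaitReason values copied into THREAD_ITEM_DATA from NtQuerySystemInformation` would make that explicit. The `Spare2`..`Spare6` placeholders suggest the list was transcribed from an older SDK; noting which OS version it matches would keep later values from being mis-decoded.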
@@ -24,16 +81,157 @@ typedef struct _UNICODE_STRING PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; -typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION +typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION +{ + ULONG SessionId; + ULONG SizeOfBuf; + PVOID Buffer; +} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; + +typedef struct _SYSTEM_THREAD_INFORMATION +{ + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientId; + KPRIORITY Priority; + LONG BasePriority; + ULONG ContextSwitches; + ULONG ThreadState; + ULONG WaitReason; +} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION +{ + SYSTEM_THREAD_INFORMATION ThreadInfo; + PVOID StackBase; + PVOID StackLimit; + PVOID Win32StartAddress; + PVOID TebAddress; /* This is only filled in on Vista and above */ + ULONG_PTR Reserved2; + ULONG_PTR Reserved3; + ULONG_PTR Reserved4; +} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; + +typedef struct _SYSTEM_PROCESS_INFORMATION +{ + ULONG NextEntryOffset; + ULONG NumberOfThreads; + LARGE_INTEGER SpareLi1; + LARGE_INTEGER SpareLi2; + LARGE_INTEGER SpareLi3; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + ULONG HandleCount; + ULONG SessionId; + ULONG_PTR PageDirectoryBase; + 
SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; + LARGE_INTEGER ReadOperationCount; + LARGE_INTEGER WriteOperationCount; + LARGE_INTEGER OtherOperationCount; + LARGE_INTEGER ReadTransferCount; + LARGE_INTEGER WriteTransferCount; + LARGE_INTEGER OtherTransferCount; + SYSTEM_THREAD_INFORMATION Threads[1]; +} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; + + +typedef struct _OBJECT_BASIC_INFORMATION { ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount; ULONG PointerCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG Reserved[ 3 ]; + ULONG NameInfoSize; + ULONG TypeInfoSize; + ULONG SecurityDescriptorSize; + LARGE_INTEGER CreationTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; - ULONG Reserved[10]; // reserved for internal use +typedef struct _OBJECT_NAME_INFORMATION +{ + UNICODE_STRING Name; +} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; -} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; +typedef struct _OBJECT_TYPE_INFORMATION +{ + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, 
*POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_TYPES_INFORMATION +{ + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation[1]; +} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; + +//typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION +//{ +// ULONG Attributes; +// ACCESS_MASK GrantedAccess; +// ULONG HandleCount; +// ULONG PointerCount; +// +// ULONG Reserved[10]; // reserved for internal use +// +//} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION { @@ -54,8 +252,7 @@ typedef struct _PROCESS_BASIC_INFORMATION } PROCESS_BASIC_INFORMATION; typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; -typedef struct _THREAD_BASIC_INFORMATION -{ +typedef struct _THREAD_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; @@ -365,6 +562,48 @@ NtQueueApcThread ( __in_opt PVOID ApcArgument3 ); +NTSYSCALLAPI +NTSTATUS +NTAPI +RtlGetCompressionWorkSpaceSize ( + IN USHORT CompressionFormatAndEngine, + OUT PULONG CompressBufferWorkSpaceSize, + OUT PULONG CompressFragmentWorkSpaceSize +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +RtlCompressBuffer ( + IN USHORT CompressionFormatAndEngine, + IN PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + OUT PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + IN ULONG UncompressedChunkSize, + OUT PULONG FinalCompressedSize, + IN PVOID WorkSpace +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +RtlDecompressBuffer ( + IN USHORT CompressionFormat, + OUT PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + IN PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + OUT PULONG FinalUncompressedSize +); + +NTSYSCALLAPI +ULONG +NTAPI +RtlNtStatusToDosError ( + NTSTATUS Status +); + #ifdef __cplusplus }; #endif 
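Review bot: The SYSTEM_PROCESS_INFORMATION / SYSTEM_THREAD_INFORMATION layouts added here are walked by pointer arithmetic in ThreaderImportRunningThreadData, so they must have the kernel's natural alignment; stdafx.h wraps its own typedefs in `#pragma pack(1)`, and I cannot tell from the diff whether ntdll.h is ever included inside that region — if it is, every field after the LARGE_INTEGERs is read at the wrong offset on x64. Pin it in the header: `// Must match the kernel layout: natural alignment, never include inside a #pragma pack(1) region` plus `C_ASSERT(sizeof(SYSTEM_THREAD_INFORMATION) == (sizeof(void*) == 8 ? 0x50 : 0x40));` (those are the natural-alignment sizes by my count; adjust if the compiler disagrees). Separately, `SYSTEM_HANDLE_TABLE_ENTRY_INFO::UniqueProcessId` is a USHORT and so truncates PIDs above 65535 — a comment pointing callers at the _EX variant when that matters would avoid a surprise.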
diff --git a/TitanEngine/scylla_wrapper_x64.lib b/TitanEngine/scylla_wrapper_x64.lib index 4ecd7a6..c1a88d2 100644 Binary files a/TitanEngine/scylla_wrapper_x64.lib and b/TitanEngine/scylla_wrapper_x64.lib differ diff --git a/TitanEngine/scylla_wrapper_x86.lib b/TitanEngine/scylla_wrapper_x86.lib index ed1b2bc..18401ae 100644 Binary files a/TitanEngine/scylla_wrapper_x86.lib and b/TitanEngine/scylla_wrapper_x86.lib differ diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h index ccf8f95..4456e9d 100644 --- a/TitanEngine/stdafx.h +++ b/TitanEngine/stdafx.h @@ -70,6 +70,21 @@ #pragma pack(push) #pragma pack(1) +//EngineCheckStructAlignment +#define UE_STRUCT_PE32STRUCT 1 +#define UE_STRUCT_PE64STRUCT 2 +#define UE_STRUCT_PESTRUCT 3 +#define UE_STRUCT_IMPORTENUMDATA 4 +#define UE_STRUCT_THREAD_ITEM_DATA 5 +#define UE_STRUCT_LIBRARY_ITEM_DATA 6 +#define UE_STRUCT_LIBRARY_ITEM_DATAW 7 +#define UE_STRUCT_PROCESS_ITEM_DATA 8 +#define UE_STRUCT_HANDLERARRAY 9 +#define UE_STRUCT_PLUGININFORMATION 10 +#define UE_STRUCT_HOOK_ENTRY 11 +#define UE_STRUCT_FILE_STATUS_INFO 12 +#define UE_STRUCT_FILE_FIX_INFO 13 + typedef struct { ULONG_PTR BreakPointAddress; @@ -243,6 +258,13 @@ typedef struct DWORD dwThreadId; void* ThreadStartAddress; void* ThreadLocalBase; + void* TebAddress; + ULONG WaitTime; + LONG Priority; + LONG BasePriority; + ULONG ContextSwitches; + ULONG ThreadState; + ULONG WaitReason; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; typedef struct @@ -588,6 +610,12 @@ typedef struct DWORD NumberOfRvaAndSizes; } PE64Struct, *PPE64Struct; +#ifdef _WIN64 +typedef PE64Struct PEStruct; +#else +typedef PE32Struct PEStruct; +#endif + typedef struct { bool NewDll; 
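Review bot: THREAD_ITEM_DATA is a public SDK structure handed to plugins, and appending seven fields changes its size — any consumer built against the previous header that indexes or copies these records will read the new fields as the start of the next element, which is presumably why EngineCheckStructAlignment is introduced in this change. Say so at the definition: `// Public ABI, mirrored in SDK/C and SDK/CPP TitanEngine.h: append only, never reorder or resize; consumers should validate sizeof(THREAD_ITEM_DATA) via EngineCheckStructAlignment(UE_STRUCT_THREAD_ITEM_DATA, ...)`. `TebAddress` now sits next to the existing `ThreadLocalBase`; if both are meant to hold the TEB, a comment on which one is authoritative, or which event fills which, would help.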
@@ -756,42 +784,7 @@ typedef struct ACCESS_MASK GrantedAccess; } NTDLL_QUERY_HANDLE_INFO, *PNTDLL_QUERY_HANDLE_INFO; -/*typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION { - ULONG Attributes; - ACCESS_MASK GrantedAccess; - ULONG HandleCount; - ULONG PointerCount; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; - ULONG Reserved[3]; - ULONG NameInformationLength; - ULONG TypeInformationLength; - ULONG SecurityDescriptorLength; - LARGE_INTEGER CreateTime; -} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION;*/ -typedef struct _PUBLIC_OBJECT_NAME_INFORMATION // Information Class 1 -{ - UNICODE_STRING Name; -} PUBLIC_OBJECT_NAME_INFORMATION, *PPUBLIC_OBJECT_NAME_INFORMATION; - -/*typedef struct _PUBLIC_OBJECT_TYPE_INFORMATION { // Information Class 2 - UNICODE_STRING Name; - ULONG ObjectCount; - ULONG HandleCount; - ULONG Reserved1[4]; - ULONG PeakObjectCount; - ULONG PeakHandleCount; - ULONG Reserved2[4]; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccess; - UCHAR Unknown; - BOOLEAN MaintainHandleDatabase; - POOL_TYPE PoolType; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; -} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION;*/ typedef void (*PPEBLOCKROUTINE)( PVOID PebLock diff --git a/TitanScriptGui/MAINICON.ico b/TitanScriptGui/MAINICON.ico deleted file mode 100644 index 3da8e95..0000000 Binary files a/TitanScriptGui/MAINICON.ico and /dev/null differ diff --git a/TitanScriptGui/TitanScript.h b/TitanScriptGui/TitanScript.h deleted file mode 100644 index e9123f8..0000000 --- a/TitanScriptGui/TitanScript.h +++ /dev/null 
@@ -1,27 +0,0 @@ -#ifndef TITANSCRIPT_H -#define TITANSCRIPT_H - -#if _MSC_VER > 1000 -//#pragma once -#endif - -#include - -enum eLogType {TS_LOG_NORMAL, TS_LOG_ERROR, TS_LOG_COMMAND, TS_LOG_DEBUG}; -typedef void(*fLogCallback)(const char* szString, eLogType Type); - -typedef bool (*tScripterLoadFileA)(const char*); -typedef bool (*tScripterLoadFileW)(const wchar_t*); -typedef bool (*tScripterLoadBuffer)(const char*); -typedef bool (*tScripterResume)(); -typedef bool (*tScripterPause)(); -typedef bool (*tScripterAutoDebugA)(const char*); -typedef bool (*tScripterAutoDebugW)(const wchar_t*); -typedef void (*tScripterSetLogCallback)(fLogCallback Callback); -typedef bool (*tScripterExecuteWithTitanMistA)(const char*, const char*); -typedef bool (*tScripterExecuteWithTitanMistW)(const wchar_t*, const wchar_t*); - -// use like this: tScripterResume foo = GetTSFunctionPointer(Resume); -#define GetTSFunctionPointer(x) ((tScripter ## x)GetProcAddress(GetModuleHandleA("TitanScript"), "Scripter" #x)) - -#endif /*TITANSCRIPT_H*/ diff --git a/TitanScriptGui/TitanScriptGui.cpp b/TitanScriptGui/TitanScriptGui.cpp deleted file mode 100644 index cc03d5f..0000000 --- a/TitanScriptGui/TitanScriptGui.cpp +++ /dev/null 
@@ -1,343 +0,0 @@ -#include "stdafx.h" -#include "TitanScriptGui.h" -#include "..\SDK\CPP\TitanEngine.h" -#include "TitanScript.h" - -#define MAX_LOG_LINE_LENGTH 100 -#define MAX_LOG_LINE_COUNT 100 - -#ifdef _WIN64 -const WCHAR WindowTitle[] = L"TitanScriptGUI x64"; -#else -const WCHAR WindowTitle[] = L"TitanScriptGUI x86"; -#endif - -//variables -static HINSTANCE hInst; -static HWND hLogBox; -static HWND hRunBtn; -static bool bRunning; -static TCHAR FileNameTarget[MAX_PATH] = {}; -static TCHAR FileNameScript[MAX_PATH] = {}; -static TCHAR FileNameIni[MAX_PATH] = {}; - -//functions -static INT_PTR CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM); -static bool GetFileDialog(TCHAR[MAX_PATH]); -static void AddLogMessage(const char* szLogMessage, eLogType Type); -static void AddLogMessageW(const wchar_t* szLogMessage, eLogType Type); -static void SettingSet(const TCHAR* name, const TCHAR* value); -static void SettingGet(const TCHAR* name, TCHAR* value, int value_size); -static bool FileExists(LPCTSTR szPath); -static void CreateDummyUnicodeFile(const TCHAR* szFileName); -static DWORD WINAPI TitanScriptExecThread(LPVOID lpParam); - -//TitanScript functions -static tScripterLoadFileW load_file = NULL; -static tScripterExecuteWithTitanMistW exec = NULL; -static tScripterSetLogCallback set_log_callback = NULL; - -int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow) -{ - UNREFERENCED_PARAMETER(hPrevInstance); - UNREFERENCED_PARAMETER(lpCmdLine); - - hInst = hInstance; - - DialogBox(hInstance, MAKEINTRESOURCE(IDD_MAINWINDOW), NULL, &WndProc); - ExitProcess(NULL); -} - -INT_PTR CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - switch (message) - { - case WM_INITDIALOG: - { - SetWindowTextW(hWnd, WindowTitle); - - //set icon - HICON hIconLarge = (HICON)LoadImage(hInst, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 32, 32, LR_DEFAULTSIZE); - SendMessage(hWnd, WM_SETICON, ICON_BIG, (LPARAM)hIconLarge); - HICON 
hIconSmall = (HICON)LoadImage(hInst, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 16, 16, LR_DEFAULTSIZE); - SendMessage(hWnd, WM_SETICON, ICON_SMALL, (LPARAM)hIconSmall); - - //initialize variables - hLogBox = GetDlgItem(hWnd, IDC_LOG); - hRunBtn = GetDlgItem(hWnd, IDC_RUN); - int i = GetModuleFileName(hInst, FileNameIni, _countof(FileNameIni)); - while(FileNameIni[i] != TCHAR('\\') && i) - i--; - if(i) - { - int len = lstrlen(FileNameIni); - while(FileNameIni[i] != TCHAR('.') && i < len) - i++; - if(i+1 < len) - FileNameIni[i] = TCHAR('\0'); - } - lstrcat(FileNameIni, _T(".ini")); - CreateDummyUnicodeFile(FileNameIni); - - //restore last files - SettingGet(_T("Target"), FileNameTarget, _countof(FileNameTarget)); - if(lstrlen(FileNameTarget)) - SetDlgItemText(hWnd, IDC_TARGETPATH, FileNameTarget); - SettingGet(_T("Script"), FileNameScript, _countof(FileNameScript)); - if(lstrlen(FileNameScript)) - SetDlgItemText(hWnd, IDC_SCRIPTPATH, FileNameScript); - - //make sure TitanScript is available - if ( !ExtensionManagerIsPluginLoaded( "TitanScript" ) || !ExtensionManagerIsPluginEnabled( "TitanScript" ) ) - { - AddLogMessageW(L"TitanScript failed to load", TS_LOG_ERROR); -#ifdef _WIN64 - AddLogMessageW(L"Ensure plugins\\x64\\TitanScript.dll exists !", TS_LOG_ERROR); -#else - AddLogMessageW(L"Ensure plugins\\x86\\TitanScript.dll exists !", TS_LOG_ERROR); -#endif //_WIN64 - EnableWindow(GetDlgItem(hWnd, IDC_RUN ), FALSE); - } - else - { - load_file = GetTSFunctionPointer( LoadFileW ); - exec = GetTSFunctionPointer( ExecuteWithTitanMistW ); - set_log_callback = GetTSFunctionPointer( SetLogCallback ); - set_log_callback(&AddLogMessage); - } - - break; - } - - case WM_COMMAND: - { - switch (LOWORD(wParam)) - { - case IDC_BROWSETARGET: - { - if(GetFileDialog(FileNameTarget)) - { - SetDlgItemText(hWnd, IDC_TARGETPATH, FileNameTarget); - SettingSet(_T("Target"), FileNameTarget); - } - break; - } - case IDC_BROWSESCRIPT: - { - if(GetFileDialog(FileNameScript)) - { - 
SetDlgItemText(hWnd, IDC_SCRIPTPATH, FileNameScript); - SettingSet(_T("Script"), FileNameScript); - } - break; - } - case IDC_RUN: - { - if(!bRunning) - CreateThread(0, 0, TitanScriptExecThread, 0, 0, 0); - else - StopDebug(); - - break; - } - case IDC_COPY: { - //get lines - LRESULT cnt = SendMessageW(hLogBox, LB_GETCOUNT, 0, 0); - - if (cnt != 0 && cnt != LB_ERR) - { - WCHAR * copy = (WCHAR *)calloc(1, sizeof(WCHAR)); - int copyLength = 1; - - for(LRESULT i=0; i') - { - return true; - } - else - { - return false; - } -} - -static void AddLogMessage(const char* szLogMessage, eLogType Type) -{ - if (strlen(szLogMessage) > 0) - { - if (IsValidChar(szLogMessage[0])) - { - TCHAR * buf = (TCHAR *)calloc(strlen(szLogMessage) + 1, sizeof(TCHAR)); - if (buf) - { - mbstowcs(buf, szLogMessage, strlen(szLogMessage) + 1); - AddLogMessageW(buf, Type); - free(buf); - } - } - else - { - AddLogMessageW(L"ERROR INVALID LOG MESSAGE", Type); - } - } -} - -static void SettingSet(const TCHAR* name, const TCHAR* value) -{ - WritePrivateProfileString(_T("Settings"), name, value, FileNameIni); -} - -static void SettingGet(const TCHAR* name, TCHAR* value, int value_size) -{ - GetPrivateProfileString(_T("Settings"), name, _T(""), value, value_size, FileNameIni); -} - -static bool FileExists(LPCTSTR szPath) -{ - DWORD dwAttrib = GetFileAttributes(szPath); - return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); -} - -static void CreateDummyUnicodeFile(const TCHAR* szFileName) -{ - //http://www.codeproject.com/Articles/9071/Using-Unicode-in-INI-files - if (!FileExists(szFileName)) - { - // UTF16-LE BOM(FFFE) - WORD wBOM = 0xFEFF; - DWORD NumberOfBytesWritten; - HANDLE hFile = CreateFile(szFileName, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL); - WriteFile(hFile, &wBOM, sizeof(WORD), &NumberOfBytesWritten, NULL); - CloseHandle(hFile); - } -} - -static DWORD WINAPI TitanScriptExecThread(LPVOID lpParam) -{ - if(!load_file(FileNameScript)) - { 
- AddLogMessageW(L"Script failed to load", TS_LOG_ERROR); - return 0; - } - SetWindowText(hRunBtn, _T("Stop")); - bRunning = true; - if(!exec(FileNameTarget, L"")) //TitanScript will generate the output filename - { - AddLogMessageW(L"Failed to execute", TS_LOG_ERROR); - } - else - AddLogMessageW(L"Debugging stopped", TS_LOG_NORMAL); - bRunning = false; - SetWindowText(hRunBtn, _T("Run")); - return 0; -} \ No newline at end of file diff --git a/TitanScriptGui/TitanScriptGui.h b/TitanScriptGui/TitanScriptGui.h deleted file mode 100644 index e60f2eb..0000000 --- a/TitanScriptGui/TitanScriptGui.h +++ /dev/null @@ -1,3 +0,0 @@ -#pragma once - -#include "resource.h" diff --git a/TitanScriptGui/TitanScriptGui.rc b/TitanScriptGui/TitanScriptGui.rc deleted file mode 100644 index 2d7a72e..0000000 Binary files a/TitanScriptGui/TitanScriptGui.rc and /dev/null differ diff --git a/TitanScriptGui/TitanScriptGui.vcxproj b/TitanScriptGui/TitanScriptGui.vcxproj deleted file mode 100644 index 5342bbc..0000000 --- a/TitanScriptGui/TitanScriptGui.vcxproj +++ /dev/null 
@@ -1,188 +0,0 @@ - - - - - Debug - Win32 - - - Debug - x64 - - - Release - Win32 - - - Release - x64 - - - - {49C88677-C374-4AE2-B431-8F3B424BF245} - Win32Proj - TitanScriptGui - - - - Application - true - Unicode - - - Application - true - Unicode - - - Application - false - true - Unicode - - - Application - false - true - Unicode - - - - - - - - - - - - - - - - - - - true - $(SolutionDir)\$(Configuration)\x32\ - $(Configuration)\x32\ - - - true - $(SolutionDir)\$(Configuration)\x64\ - $(Configuration)\x64\ - - - false - $(SolutionDir)\$(Configuration)\x32\ - $(Configuration)\x32\ - - - false - $(SolutionDir)\$(Configuration)\x64\ - $(Configuration)\x64\ - - - - Use - Level3 - Disabled - WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) - - - Windows - true - $(OutDir)TitanEngine.lib;comdlg32.lib;user32.lib - - - manifest.xml - - - - - Use - Level3 - Disabled - WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) - - - Windows - true - $(OutDir)TitanEngine.lib;comdlg32.lib;user32.lib - - - manifest.xml - - - - - Level3 - Use - MaxSpeed - true - true - WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) - MultiThreaded - - - Windows - false - true - true - $(OutDir)TitanEngine.lib;comdlg32.lib;user32.lib - true - - - manifest.xml - - - - - Level3 - Use - MaxSpeed - true - true - WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) - MultiThreaded - - - Windows - false - true - true - $(OutDir)TitanEngine.lib;comdlg32.lib;user32.lib - true - - - manifest.xml - - - - - - - - - - - - - - - - - Create - Create - Create - Create - - - - - - - - - - \ No newline at end of file diff --git a/TitanScriptGui/TitanScriptGui.vcxproj.filters b/TitanScriptGui/TitanScriptGui.vcxproj.filters deleted file mode 100644 index 039b995..0000000 --- a/TitanScriptGui/TitanScriptGui.vcxproj.filters +++ /dev/null 
@@ -1,64 +0,0 @@ - - - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hpp;hxx;hm;inl;inc;xsd - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms - - - {6072cfa4-c101-4f1a-9920-89951ba83a2b} - - - {a0cc27fd-de5f-4551-9fe5-4a45f9ae862c} - - - - - Resource Files\Images - - - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files\SDK - - - Header Files\SDK - - - - - Source Files - - - Source Files - - - - - Resource Files - - - \ No newline at end of file diff --git a/TitanScriptGui/manifest.xml b/TitanScriptGui/manifest.xml deleted file mode 100644 index 618fb8e..0000000 --- a/TitanScriptGui/manifest.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/TitanScriptGui/resource.h b/TitanScriptGui/resource.h deleted file mode 100644 index 28bdea6..0000000 Binary files a/TitanScriptGui/resource.h and /dev/null differ diff --git a/TitanScriptGui/stdafx.cpp b/TitanScriptGui/stdafx.cpp deleted file mode 100644 index 1577c4e..0000000 --- a/TitanScriptGui/stdafx.cpp +++ /dev/null @@ -1 +0,0 @@ -#include "stdafx.h" \ No newline at end of file diff --git a/TitanScriptGui/stdafx.h b/TitanScriptGui/stdafx.h deleted file mode 100644 index dbf3c98..0000000 --- a/TitanScriptGui/stdafx.h +++ /dev/null @@ -1,12 +0,0 @@ -#pragma once -#define _CRT_SECURE_NO_WARNINGS -#include "targetver.h" - -#define WIN32_LEAN_AND_MEAN -#include -#include - -#include -#include -#include -#include diff --git a/TitanScriptGui/targetver.h b/TitanScriptGui/targetver.h deleted file mode 100644 index 2b26ce2..0000000 --- a/TitanScriptGui/targetver.h +++ /dev/null @@ -1,3 +0,0 @@ -#pragma once - -#include diff --git a/TitanUnitTest/README b/TitanUnitTest/README deleted file mode 100644 index a496c61..0000000 
--- a/TitanUnitTest/README +++ /dev/null @@ -1,16 +0,0 @@ -Setup: -- Put disasm.dll into Debug/Release folder. -- Put TitanEngine.dll into Debug/Release folder. -- Put TitanScript.dll into plugins/x86/ folder in Debug/Release folder. -(Can be found here https://bitbucket.org/cypherpunk/titanscript-update) - -Usage: -- TitanUnitTest.exe script.osc target.exe - -It understands complete OllyDbgScript language and adds additional TE commands - -Example script: -#log - -GPA "IsDebuggerPresent", "kernel32.dll" -LOG $RESULT \ No newline at end of file diff --git a/TitanUnitTest/TitanScript.h b/TitanUnitTest/TitanScript.h deleted file mode 100644 index 28e5c8c..0000000 --- a/TitanUnitTest/TitanScript.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef TITANSCRIPT_H -#define TITANSCRIPT_H - -#if _MSC_VER > 1000 -//#pragma once -#endif - -#include - -enum eLogType {TS_LOG_NORMAL, TS_LOG_ERROR, TS_LOG_COMMAND, TS_LOG_DEBUG}; -typedef void(*fLogCallback)(const char* szString, eLogType Type); - -typedef bool (*tScripterLoadFileA)(const char*); -typedef bool (*tScripterLoadFileW)(const wchar_t*); -typedef bool (*tScripterLoadBuffer)(const char*); -typedef bool (*tScripterResume)(); -typedef bool (*tScripterPause)(); -typedef bool (*tScripterAutoDebugA)(const char*); -typedef bool (*tScripterAutoDebugW)(const wchar_t*); -typedef void (*tScripterSetLogCallback)(fLogCallback Callback); -typedef bool (*tScripterExecuteWithTitanMistA)(const char*, const char*); - -// use like this: tScripterResume foo = GetTSFunctionPointer(Resume); -#define GetTSFunctionPointer(x) ((tScripter ## x)GetProcAddress(GetModuleHandleA("TitanScript"), "Scripter" #x)) - -#endif /*TITANSCRIPT_H*/ diff --git a/TitanUnitTest/TitanUnitTest.cpp b/TitanUnitTest/TitanUnitTest.cpp deleted file mode 100644 index 176bae1..0000000 --- a/TitanUnitTest/TitanUnitTest.cpp +++ /dev/null 
@@ -1,43 +0,0 @@ -#include "stdafx.h" -#include "..\SDK\CPP\TitanEngine.h" -#include "TitanScript.h" -#include - -void log_callback( const char* str, eLogType log_type ); - -int main(int argc, char* argv[]) -{ - if(argc < 3) - { - log_callback("Usage: titan_unittest.exe script.osc target.exe", TS_LOG_ERROR); - return -1; - } - - if ( !ExtensionManagerIsPluginLoaded( "TitanScript" ) || !ExtensionManagerIsPluginEnabled( "TitanScript" ) ) - { - throw std::runtime_error( "TitanScript failed to load!" ); - } - - tScripterLoadFileA load_file = GetTSFunctionPointer( LoadFileA ); - tScripterExecuteWithTitanMistA exec = GetTSFunctionPointer( ExecuteWithTitanMistA ); - tScripterSetLogCallback set_log_callback = GetTSFunctionPointer( SetLogCallback ); - - set_log_callback(&log_callback ); - - if(!load_file(argv[1])) - { - log_callback("Error loading script", TS_LOG_ERROR); - return -1; - } - - exec(argv[2], "dump.exe" ); - - return 0; -} - - -void log_callback( const char* str, eLogType log_type ) -{ - std::cout << str << "\n" << std::flush; -} - diff --git a/TitanUnitTest/TitanUnitTest.vcxproj b/TitanUnitTest/TitanUnitTest.vcxproj deleted file mode 100644 index 02edfc5..0000000 --- a/TitanUnitTest/TitanUnitTest.vcxproj +++ /dev/null 
@@ -1,174 +0,0 @@ - - - - - Debug - Win32 - - - Debug - x64 - - - Release - Win32 - - - Release - x64 - - - - {5B5AB3CD-4D32-43B0-8840-E05C9483381D} - Win32Proj - titan_unittest - - - - Application - true - Unicode - true - - - Application - true - Unicode - true - - - Application - false - true - Unicode - - - Application - false - true - Unicode - - - - - - - - - - - - - - - - - - - true - $(SolutionDir)\$(Configuration)\x32\ - $(Configuration)\x32\ - - - true - $(SolutionDir)\$(Configuration)\x64\ - $(Configuration)\x64\ - - - false - $(SolutionDir)\$(Configuration)\x32\ - $(Configuration)\x32\ - - - false - $(SolutionDir)\$(Configuration)\x64\ - $(Configuration)\x64\ - - - - Use - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - MultiThreadedDebugDLL - - - Console - true - $(OutDir)TitanEngine.lib;%(AdditionalDependencies) - - - - - - - Use - Level3 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - MultiThreadedDebugDLL - - - Console - true - $(OutDir)TitanEngine.lib;%(AdditionalDependencies) - - - - - - - Level3 - Use - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - MultiThreadedDLL - - - Console - true - true - true - $(OutDir)TitanEngine.lib;%(AdditionalDependencies) - - - - - Level3 - Use - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - MultiThreadedDLL - - - Console - true - true - true - $(OutDir)TitanEngine.lib;%(AdditionalDependencies) - - - - - - - - - - - - Create - Create - Create - Create - - - - - - - \ No newline at end of file diff --git a/TitanUnitTest/TitanUnitTest.vcxproj.filters b/TitanUnitTest/TitanUnitTest.vcxproj.filters deleted file mode 100644 index 6cccd5b..0000000 --- a/TitanUnitTest/TitanUnitTest.vcxproj.filters +++ /dev/null 
@@ -1,41 +0,0 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hpp;hxx;hm;inl;inc;xsd - - - {dcabac3b-acfe-4e79-a827-01d97b369669} - - - - - Source Files - - - Source Files - - - - - Header Files - - - Header Files - - - Header Files - - - Header Files\SDK - - - Header Files\SDK - - - \ No newline at end of file diff --git a/TitanUnitTest/disasm.dll b/TitanUnitTest/disasm.dll deleted file mode 100644 index ef17bf1..0000000 Binary files a/TitanUnitTest/disasm.dll and /dev/null differ diff --git a/TitanUnitTest/stdafx.cpp b/TitanUnitTest/stdafx.cpp deleted file mode 100644 index 1577c4e..0000000 --- a/TitanUnitTest/stdafx.cpp +++ /dev/null @@ -1 +0,0 @@ -#include "stdafx.h" \ No newline at end of file diff --git a/TitanUnitTest/stdafx.h b/TitanUnitTest/stdafx.h deleted file mode 100644 index 45c4afd..0000000 --- a/TitanUnitTest/stdafx.h +++ /dev/null @@ -1,6 +0,0 @@ -#pragma once - -#include "targetver.h" - -#include -#include diff --git a/TitanUnitTest/targetver.h b/TitanUnitTest/targetver.h deleted file mode 100644 index 2b26ce2..0000000 --- a/TitanUnitTest/targetver.h +++ /dev/null @@ -1,3 +0,0 @@ -#pragma once - -#include diff --git a/release_titanscript.bat b/release_titanscript.bat deleted file mode 100644 index e110831..0000000 --- a/release_titanscript.bat +++ /dev/null 
@@ -1,16 +0,0 @@
-@echo off
-IF EXIST TitanScriptRelease rmdir TitanScriptRelease /s /q
-mkdir TitanScriptRelease
-mkdir .\TitanScriptRelease\x86
-mkdir .\TitanScriptRelease\x64
-
-copy .\Release\x32\TitanScriptGui.exe .\TitanScriptRelease\x86\TitanScriptGuix86.exe
-copy .\Release\x32\TitanScriptGui.map .\TitanScriptRelease\x86\TitanScriptGuix86.map
-copy .\Release\x32\TitanEngine.dll .\TitanScriptRelease\x86\TitanEngine.dll
-
-copy .\Release\x64\TitanScriptGui.exe .\TitanScriptRelease\x64\TitanScriptGuix64.exe
-copy .\Release\x64\TitanScriptGui.map .\TitanScriptRelease\x64\TitanScriptGuix64.map
-copy .\Release\x64\TitanEngine.dll .\TitanScriptRelease\x64\TitanEngine.dll
-
-exit
-
diff --git a/scylla_integration.txt b/scylla_integration.txt
deleted file mode 100644
index 1bd4035..0000000
--- a/scylla_integration.txt
+++ /dev/null
@@ -1,62 +0,0 @@
-obsolete/removed vars:
-
-impDLLNumber
-impDeltaStart
-impDeltaCurrent
-impImageBase
-impAllocSize
-impDLLNumber
-impMoveIAT
-impDLLDataList
-impDLLStringList
-impOrdinalList
-
-
-obsolete/removed functions:
-
-__declspec(dllexport) void TITCALL ImporterCleanup()
-__declspec(dllexport) void TITCALL ImporterSetImageBase(ULONG_PTR ImageBase)
-__declspec(dllexport) void TITCALL ImporterSetUnknownDelta(ULONG_PTR DeltaAddress)
-__declspec(dllexport) long long TITCALL ImporterGetCurrentDelta()
-__declspec(dllexport) void TITCALL ImporterInit(DWORD MemorySize, ULONG_PTR ImageBase
-__declspec(dllexport) bool TITCALL ImporterRelocateWriteLocation(ULONG_PTR AddValue)
-__declspec(dllexport) void TITCALL ImporterMoveIAT()
-__declspec(dllexport) void TITCALL getLastAddedDLLName()
-
-defunct until scylla-enabled:
-
-* LoadImportTable
-* MoveOriginalIAT
-
-
-questionable if working, all proxy to EngineGlobalAPIHandler which is buggy
-
-GetDLLName -> EngineGlobalAPIHandler
-GetAPIName -> EngineGlobalAPIHandler
-GetAPINameEx -> EngineGlobalAPIHandler
-GetAPIOrdinalNumber -> EngineGlobalAPIHandler
-GetRemoteAPIAddress -> EngineGlobalAPIHandler
-GetLocalAPIAddress-> EngineGlobalAPIHandler
-GetDLLNameFromDebuggee-> EngineGlobalAPIHandler
-GetAPIOrdinalNumberFromDebuggee -> EngineGlobalAPIHandler
-GetRemoteDLLBase -> EngineGlobalAPIHandler
-IsForwardedAPI -> EngineGlobalAPIHandler
-GetForwardedAPIName- > EngineGlobalAPIHandler
-GetForwardedAPIOrdinalNumber -> EngineGlobalAPIHandler
-GetForwardedDLLName -> EngineGlobalAPIHandler
-GetNearestAPIAddress -> EngineGlobalAPIHandler
-GetNearestAPIName -> EngineGlobalAPIHandler
-
-
-no change required:
-
-CopyOriginalIAT
-GetRemoteAPIAddressEX
-GetRemoteDLLBaseEX
-
-
-fixup exception handling:
-
-- enumaddeddata; around callback call
-- autofixiat: around fixer callback
-- exportiat
\ No newline at end of file