diff --git a/SDK/C/TitanEngine.h b/SDK/C/TitanEngine.h index 7e68fa6..3cbbcfb 100644 --- a/SDK/C/TitanEngine.h +++ b/SDK/C/TitanEngine.h @@ -189,21 +189,6 @@ #define UE_PARAMETER_STRING 8 #define UE_PARAMETER_UNICODE 9 -#define UE_CMP_NOCONDITION 0 -#define UE_CMP_EQUAL 1 -#define UE_CMP_NOTEQUAL 2 -#define UE_CMP_GREATER 3 -#define UE_CMP_GREATEROREQUAL 4 -#define UE_CMP_LOWER 5 -#define UE_CMP_LOWEROREQUAL 6 -#define UE_CMP_REG_EQUAL 7 -#define UE_CMP_REG_NOTEQUAL 8 -#define UE_CMP_REG_GREATER 9 -#define UE_CMP_REG_GREATEROREQUAL 10 -#define UE_CMP_REG_LOWER 11 -#define UE_CMP_REG_LOWEROREQUAL 12 -#define UE_CMP_ALWAYSFALSE 13 - #define UE_EAX 1 #define UE_EBX 2 #define UE_ECX 3 @@ -598,6 +583,7 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA); // TitanEngine.Hider.functions: __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess); +__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess); __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); // TitanEngine.Relocater.functions: diff --git a/SDK/CPP/TitanEngine.h b/SDK/CPP/TitanEngine.h index 3d8c491..a99eb31 100644 --- a/SDK/CPP/TitanEngine.h +++ b/SDK/CPP/TitanEngine.h 
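Review bot: The added `GetPEBLocation64` declaration is undocumented, and its contract is not obvious from the name: the definition further down in this diff returns 0 on `_WIN64` builds and whenever the debugger itself is not running under WOW64, and only otherwise yields the second (64-bit) PEB that WOW64 processes carry. A comment above the prototype, `// 64-bit PEB of a WOW64 target process; returns 0 on 64-bit builds or when there is no second PEB`, would tell SDK users when to expect a null result. The same note applies to the matching declarations added in SDK/CPP/TitanEngine.h, SDK/CPP/TitanEngine.hpp, SDK/Delphi/TitanEngine.pas, SDK/LUA/TitanEngine.lua, SDK/MASM/TitanEngine.INC, SDK/Python/TitanEngine.py and TitanEngine/definitions.h.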
@@ -189,21 +189,6 @@ const BYTE UE_PARAMETER_PTR_QWORD = 7; const BYTE UE_PARAMETER_STRING = 8; const BYTE UE_PARAMETER_UNICODE = 9; -const BYTE UE_CMP_NOCONDITION = 0; -const BYTE UE_CMP_EQUAL = 1; -const BYTE UE_CMP_NOTEQUAL = 2; -const BYTE UE_CMP_GREATER = 3; -const BYTE UE_CMP_GREATEROREQUAL = 4; -const BYTE UE_CMP_LOWER = 5; -const BYTE UE_CMP_LOWEROREQUAL = 6; -const BYTE UE_CMP_REG_EQUAL = 7; -const BYTE UE_CMP_REG_NOTEQUAL = 8; -const BYTE UE_CMP_REG_GREATER = 9; -const BYTE UE_CMP_REG_GREATEROREQUAL = 10; -const BYTE UE_CMP_REG_LOWER = 11; -const BYTE UE_CMP_REG_LOWEROREQUAL = 12; -const BYTE UE_CMP_ALWAYSFALSE = 13; - const BYTE UE_EAX = 1; const BYTE UE_EBX = 2; const BYTE UE_ECX = 3; @@ -597,6 +582,7 @@ __declspec(dllimport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap __declspec(dllimport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA); // TitanEngine.Hider.functions: __declspec(dllimport) void* TITCALL GetPEBLocation(HANDLE hProcess); +__declspec(dllimport) void* TITCALL GetPEBLocation64(HANDLE hProcess); __declspec(dllimport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllimport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); // TitanEngine.Relocater.functions: diff --git a/SDK/CPP/TitanEngine.hpp b/SDK/CPP/TitanEngine.hpp index 8cd6a0d..ab3d763 100644 --- a/SDK/CPP/TitanEngine.hpp +++ b/SDK/CPP/TitanEngine.hpp 
@@ -265,24 +265,6 @@ enum eParameterType : DWORD UE_PARAMETER_UNICODE = UE::UE_PARAMETER_UNICODE }; -enum eCompareCondition : DWORD -{ - UE_CMP_NOCONDITION = UE::UE_CMP_NOCONDITION, - UE_CMP_EQUAL = UE::UE_CMP_EQUAL, - UE_CMP_NOTEQUAL = UE::UE_CMP_NOTEQUAL, - UE_CMP_GREATER = UE::UE_CMP_GREATER, - UE_CMP_GREATEROREQUAL = UE::UE_CMP_GREATEROREQUAL, - UE_CMP_LOWER = UE::UE_CMP_LOWER, - UE_CMP_LOWEROREQUAL = UE::UE_CMP_LOWEROREQUAL, - UE_CMP_REG_EQUAL = UE::UE_CMP_REG_EQUAL, - UE_CMP_REG_NOTEQUAL = UE::UE_CMP_REG_NOTEQUAL, - UE_CMP_REG_GREATER = UE::UE_CMP_REG_GREATER, - UE_CMP_REG_GREATEROREQUAL = UE::UE_CMP_REG_GREATEROREQUAL, - UE_CMP_REG_LOWER = UE::UE_CMP_REG_LOWER, - UE_CMP_REG_LOWEROREQUAL = UE::UE_CMP_REG_LOWEROREQUAL, - UE_CMP_ALWAYSFALSE = UE::UE_CMP_ALWAYSFALSE -}; - enum eContextData : DWORD { UE_EAX = UE::UE_EAX, @@ -828,6 +810,10 @@ public: static void* GetPEBLocation(HANDLE hProcess) { return UE::GetPEBLocation(hProcess); + } + static void* GetPEBLocation64(HANDLE hProcess) + { + return UE::GetPEBLocation64(hProcess); } static bool HideDebugger(HANDLE hProcess, eHideLevel PatchAPILevel) { diff --git a/SDK/Delphi/TitanEngine.pas b/SDK/Delphi/TitanEngine.pas index 29ae1d9..bfa36ab 100644 --- a/SDK/Delphi/TitanEngine.pas +++ b/SDK/Delphi/TitanEngine.pas @@ -284,25 +284,6 @@ const UE_PARAMETER_STRING = 8; UE_PARAMETER_UNICODE = 9; - UE_CMP_NOCONDITION = 0; - UE_CMP_EQUAL = 1; - UE_CMP_NOTEQUAL = 2; - UE_CMP_GREATER = 3; - UE_CMP_GREATEROREQUAL = 4; - UE_CMP_LOWER = 5; - UE_CMP_LOWEROREQUAL = 6; - UE_CMP_REG_EQUAL = 7; - UE_CMP_REG_NOTEQUAL = 8; - UE_CMP_REG_GREATER = 9; - UE_CMP_REG_GREATEROREQUAL = 10; - UE_CMP_REG_LOWER = 11; - UE_CMP_REG_LOWEROREQUAL = 12; - UE_CMP_ALWAYSFALSE = 13; - UE_OPTION_HANDLER_RETURN_HANDLECOUNT = 1; - UE_OPTION_HANDLER_RETURN_ACCESS = 2; - UE_OPTION_HANDLER_RETURN_FLAGS = 3; - UE_OPTION_HANDLER_RETURN_TYPENAME = 4; - UE_BREAKPOINT_INT3 = 1; UE_BREAKPOINT_LONG_INT3 = 2; UE_BREAKPOINT_UD2 = 3; 
@@ -465,6 +446,7 @@ const function IsFileDLL(szFileName:PAnsiChar; FileMapVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'IsFileDLL'; {TitanEngine.Hider.functions} function GetPEBLocation(hProcess:THandle):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPEBLocation'; + function GetPEBLocation64(hProcess:THandle):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPEBLocation64'; function HideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HideDebugger'; function UnHideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'UnHideDebugger'; {TitanEngine.Relocater.functions} diff --git a/SDK/LUA/TitanEngine.lua b/SDK/LUA/TitanEngine.lua index ca35707..4321b73 100644 --- a/SDK/LUA/TitanEngine.lua +++ b/SDK/LUA/TitanEngine.lua @@ -183,21 +183,6 @@ UE_PARAMETER_PTR_QWORD = 7 UE_PARAMETER_STRING = 8 UE_PARAMETER_UNICODE = 9 -UE_CMP_NOCONDITION = 0 -UE_CMP_EQUAL = 1 -UE_CMP_NOTEQUAL = 2 -UE_CMP_GREATER = 3 -UE_CMP_GREATEROREQUAL = 4 -UE_CMP_LOWER = 5 -UE_CMP_LOWEROREQUAL = 6 -UE_CMP_REG_EQUAL = 7 -UE_CMP_REG_NOTEQUAL = 8 -UE_CMP_REG_GREATER = 9 -UE_CMP_REG_GREATEROREQUAL = 10 -UE_CMP_REG_LOWER = 11 -UE_CMP_REG_LOWEROREQUAL = 12 -UE_CMP_ALWAYSFALSE = 13 - UE_EAX = 1 UE_EBX = 2 UE_ECX = 3 @@ -620,6 +605,9 @@ PROCESS_INFORMATION = alien.defstruct{ -- __declspec(dllexport) void* __stdcall GetPEBLocation(HANDLE hProcess); TitanEngine.GetPEBLocation:types {"long",abi="stdcall",ret="pointer"} TE_GetPEBLocation = TitanEngine.GetPEBLocation +-- __declspec(dllexport) void* __stdcall GetPEBLocation64(HANDLE hProcess); + TitanEngine.GetPEBLocation64:types {"long",abi="stdcall",ret="pointer"} + TE_GetPEBLocation64 = TitanEngine.GetPEBLocation64 -- __declspec(dllexport) bool __stdcall HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); TitanEngine.HideDebugger:types {"long","long",abi="stdcall",ret="byte"} TE_HideDebugger = TitanEngine.HideDebugger 
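Review bot: The new Delphi binding declares the result of `GetPEBLocation64` as `LongInt`, mirroring the `GetPEBLocation` line above it, although the exported C function returns `void*`; `LongInt` is 32 bits wide on Windows, so the binding only matches the pointer width for a 32-bit build of the unit. Since the engine returns 0 for this function on 64-bit builds anyway, nothing is lost today, but `function GetPEBLocation64(hProcess:THandle):Pointer;` would reflect the actual signature and survive a Win64 compile. This follows a pre-existing convention in the unit rather than something this commit introduces, so a follow-up is fine.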
diff --git a/SDK/MASM/TitanEngine.INC b/SDK/MASM/TitanEngine.INC index 4693d4e..8d80c59 100644 --- a/SDK/MASM/TitanEngine.INC +++ b/SDK/MASM/TitanEngine.INC @@ -151,20 +151,6 @@ UE_PARAMETER_PTR_DWORD EQU 6 UE_PARAMETER_PTR_QWORD EQU 7 UE_PARAMETER_STRING EQU 8 UE_PARAMETER_UNICODE EQU 9 -UE_CMP_NOCONDITION EQU 0 -UE_CMP_EQUAL EQU 1 -UE_CMP_NOTEQUAL EQU 2 -UE_CMP_GREATER EQU 3 -UE_CMP_GREATEROREQUAL EQU 4 -UE_CMP_LOWER EQU 5 -UE_CMP_LOWEROREQUAL EQU 6 -UE_CMP_REG_EQUAL EQU 7 -UE_CMP_REG_NOTEQUAL EQU 8 -UE_CMP_REG_GREATER EQU 9 -UE_CMP_REG_GREATEROREQUAL EQU 10 -UE_CMP_REG_LOWER EQU 11 -UE_CMP_REG_LOWEROREQUAL EQU 12 -UE_CMP_ALWAYSFALSE EQU 13 UE_EAX EQU 1 UE_EBX EQU 2 UE_ECX EQU 3 @@ -510,6 +496,7 @@ FixBrokenPE32FileExW proto stdcall :ptr WORD, :LPVOID, :LPVOID IsFileDLL proto stdcall :ptr SBYTE, :DWORD IsFileDLLW proto stdcall :ptr WORD, :DWORD GetPEBLocation proto stdcall :HANDLE +GetPEBLocation64 proto stdcall :HANDLE HideDebugger proto stdcall :HANDLE, :DWORD UnHideDebugger proto stdcall :HANDLE, :DWORD RelocaterCleanup proto stdcall diff --git a/SDK/Python/TitanEngine.py b/SDK/Python/TitanEngine.py index b028592..bac2fd2 100644 --- a/SDK/Python/TitanEngine.py +++ b/SDK/Python/TitanEngine.py @@ -174,21 +174,6 @@ UE_PARAMETER_PTR_QWORD = 7 UE_PARAMETER_STRING = 8 UE_PARAMETER_UNICODE = 9 -UE_CMP_NOCONDITION = 0 -UE_CMP_EQUAL = 1 -UE_CMP_NOTEQUAL = 2 -UE_CMP_GREATER = 3 -UE_CMP_GREATEROREQUAL = 4 -UE_CMP_LOWER = 5 -UE_CMP_LOWEROREQUAL = 6 -UE_CMP_REG_EQUAL = 7 -UE_CMP_REG_NOTEQUAL = 8 -UE_CMP_REG_GREATER = 9 -UE_CMP_REG_GREATEROREQUAL = 10 -UE_CMP_REG_LOWER = 11 -UE_CMP_REG_LOWEROREQUAL = 12 -UE_CMP_ALWAYSFALSE = 13 - UE_EAX = 1 UE_EBX = 2 UE_ECX = 3 @@ -656,6 +641,7 @@ TE.TranslateNativeNameW.restype = c_wchar_p TE.HandlerGetHandleNameW.restype = c_wchar_p TE.GetPEBLocation.restype = c_void_p +TE.GetPEBLocation64.restype = c_void_p TE.ThreaderGetThreadInfo.restype = POINTER(THREAD_ITEM_DATA) TE.ThreaderGetThreadData.restype = POINTER(THREAD_ITEM_DATA) 
diff --git a/TitanEngine/Global.Engine.Hider.cpp b/TitanEngine/Global.Engine.Hider.cpp
index 0093101..7e7f97e 100644
--- a/TitanEngine/Global.Engine.Hider.cpp
+++ b/TitanEngine/Global.Engine.Hider.cpp
@@ -7,87 +7,91 @@ // Global.Engine.Hider.functions: static bool isAtleastVista() { - static bool isAtleastVista=false; - static bool isSet=false; - if(isSet) - return isAtleastVista; - OSVERSIONINFO versionInfo= {0}; - versionInfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); - GetVersionEx(&versionInfo); - isAtleastVista=versionInfo.dwMajorVersion >= 6; - isSet=true; - return isAtleastVista; + static bool isAtleastVista=false; + static bool isSet=false; + if(isSet) + return isAtleastVista; + OSVERSIONINFO versionInfo= {0}; + versionInfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); + GetVersionEx(&versionInfo); + isAtleastVista=versionInfo.dwMajorVersion >= 6; + isSet=true; + return isAtleastVista; } static bool isWindows64() { - SYSTEM_INFO si = {0}; - typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo); - tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo"); + SYSTEM_INFO si = {0}; + typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo); + tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo"); - if (_GetNativeSystemInfo) - { - _GetNativeSystemInfo(&si); - } - else - { - GetSystemInfo(&si); - } + if (_GetNativeSystemInfo) + { + _GetNativeSystemInfo(&si); + } + else + { + GetSystemInfo(&si); + } - return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64); + return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64); } void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide) { - const BYTE patchCheckRemoteDebuggerPresent[5] = { - 0x33, 0xC0, //XOR EAX,EAX - 0xC2, 0x08, 0x00}; //RETN 0x8 + const BYTE patchCheckRemoteDebuggerPresent[5] = + { + 0x33, 0xC0, //XOR EAX,EAX + 0xC2, 0x08, 0x00 + }; //RETN 0x8 - const BYTE patchGetTickCount[3] = { - 0x33, 0xC0, //XOR EAX,EAX - 0xC3}; //RETN + const BYTE patchGetTickCount[3] = + { + 0x33, 0xC0, //XOR EAX,EAX 
+ 0xC3 + }; //RETN - ULONG_PTR APIPatchAddress = 0; - DWORD OldProtect = 0; - SIZE_T ueNumberOfBytesRead = 0; + ULONG_PTR APIPatchAddress = 0; + DWORD OldProtect = 0; + SIZE_T ueNumberOfBytesRead = 0; - if(Hide) - { - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if(Hide) + { + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect)) - { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect); - } + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect)) + { + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect); + } - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - if 
(VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect)) - { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect); - } - } - else - { - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect)) + { + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect); + } + } + else + { + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect)) - { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect); - } + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect)) + { + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), 
(void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect); + } - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect)) - { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect); - } - } + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect)) + { + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect); + } + } } 
@@ -99,138 +103,156 @@ void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide) int getHeapFlagsOffset() { - if (isWindows64()) - { - if (isAtleastVista()) - { - return 0x70; - } - else - { - return 0x14; - } - } - else - { - if (isAtleastVista()) - { - return 0x40; - } - else - { - return 0x0C; - } - } + if (isWindows64()) + { + if (isAtleastVista()) + { + return 0x70; + } + else + { + return 0x14; + } + } + else + { + if (isAtleastVista()) + { + return 0x40; + } + else + { + return 0x0C; + } + } } int getHeapForceFlagsOffset() { - if (isWindows64()) - { - if (isAtleastVista()) - { - return 0x74; - } - else - { - return 0x18; - } - } - else - { - if (isAtleastVista()) - { - return 0x44; - } - else - { - return 0x10; - } - } + if (isWindows64()) + { + if (isAtleastVista()) + { + return 0x74; + } + else + { + return 0x18; + } + } + else + { + if (isAtleastVista()) + { + return 0x44; + } + else + { + return 0x10; + } + } } bool FixPebInProcess(HANDLE hProcess, bool Hide) { - PEB_CURRENT myPEB = {0}; - SIZE_T ueNumberOfBytesRead = 0; - void * heapFlagsAddress = 0; - DWORD heapFlags = 0; - void * heapForceFlagsAddress = 0; - DWORD heapForceFlags = 0; + PEB_CURRENT myPEB = {0}; + SIZE_T ueNumberOfBytesRead = 0; + void * heapFlagsAddress = 0; + DWORD heapFlags = 0; + void * heapForceFlagsAddress = 0; + DWORD heapForceFlags = 0; #ifndef _WIN64 - PEB64 myPEB64 = {0}; - void * AddressOfPEB64 = GetPEBLocation64(hProcess); + PEB64 myPEB64 = {0}; + void * AddressOfPEB64 = GetPEBLocation64(hProcess); #endif - void * AddressOfPEB = GetPEBLocation(hProcess); + void * AddressOfPEB = GetPEBLocation(hProcess); - if (!AddressOfPEB) - return false; + if (!AddressOfPEB) + return false; - if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead)) - { + if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead)) + { #ifndef _WIN64 - if (AddressOfPEB64) - { - ReadProcessMemory(hProcess, 
AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead); - } + if (AddressOfPEB64) + { + ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead); + } #endif - if(Hide) - { - myPEB.BeingDebugged = FALSE; - myPEB.NtGlobalFlag &= ~0x70; + if(Hide) + { + myPEB.BeingDebugged = FALSE; + myPEB.NtGlobalFlag &= ~0x70; #ifndef _WIN64 - myPEB64.BeingDebugged = FALSE; - myPEB64.NtGlobalFlag &= ~0x70; + myPEB64.BeingDebugged = FALSE; + myPEB64.NtGlobalFlag &= ~0x70; #endif - heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset()); - heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset()); - //TODO finish Heap Flag Anti-Anti-Debug - } - else - { - myPEB.BeingDebugged = TRUE; + heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset()); + heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset()); + //TODO finish Heap Flag Anti-Anti-Debug + } + else + { + myPEB.BeingDebugged = TRUE; #ifndef _WIN64 - myPEB64.BeingDebugged = TRUE; + myPEB64.BeingDebugged = TRUE; #endif - } + } - if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead)) - { + if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead)) + { #ifndef _WIN64 - if (AddressOfPEB64) - { - WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead); - } + if (AddressOfPEB64) + { + WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead); + } #endif - return true; - } - } + return true; + } + } - return false; + return false; } bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) { - if(hProcess) - { - if (FixPebInProcess(hProcess, Hide)) - { - if(PatchAPILevel == UE_HIDE_BASIC) - { + if(hProcess) + { + if (FixPebInProcess(hProcess, Hide)) + { + if(PatchAPILevel == 
UE_HIDE_BASIC) + { #ifndef _WIN64 - FixAntidebugApiInProcess32(hProcess, Hide); + FixAntidebugApiInProcess32(hProcess, Hide); #endif - } + } - return true; - } - } + return true; + } + } - return false; + return false; } + +#ifndef _WIN64 +typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process); + +bool IsThisProcessWow64() +{ + BOOL bIsWow64 = FALSE; + tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process"); + + if (fnIsWow64Process) + { + fnIsWow64Process(GetCurrentProcess(), &bIsWow64); + } + + return (bIsWow64 != FALSE); +} + +#endif \ No newline at end of file diff --git a/TitanEngine/Global.Engine.Hider.h b/TitanEngine/Global.Engine.Hider.h index 033d214..9bdb6c4 100644 --- a/TitanEngine/Global.Engine.Hider.h +++ b/TitanEngine/Global.Engine.Hider.h @@ -2,5 +2,8 @@ #define _GLOBAL_ENGINE_HIDER_H bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide); +#ifndef _WIN64 +bool IsThisProcessWow64(); +#endif #endif //_GLOBAL_ENGINE_HIDER_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp index 5138b81..c752272 100644 --- a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp +++ b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp 
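Review bot: In FixPebInProcess (32-bit build) the result of the `ReadProcessMemory` into `myPEB64` is ignored, so if that read fails `myPEB64` stays zero-filled and the later `if (AddressOfPEB64)` branch writes that zero-filled struct over the target's real PEB64; keep the read result, e.g. `bool peb64Read = AddressOfPEB64 && ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);`, and guard the write with `if (peb64Read)` instead of `if (AddressOfPEB64)`. The new `IsThisProcessWow64()` queries `GetCurrentProcess()`, i.e. the debugger, while the `GetPEBLocation64(hProcess)` hunk further down uses it to decide whether the debuggee has a second PEB; that is presumably equivalent because a 32-bit debugger cannot attach to a 64-bit target, but the reliance deserves a comment such as `// The debugger's own WOW64 state stands in for the target's: a 32-bit debugger only ever debugs 32-bit targets`. The `fnIsWow64Process` return value is also dropped, which works because `bIsWow64` defaults to FALSE, but a short comment saying so would make the intent explicit. The rest of this hunk only re-indents existing code.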
@@ -1223,8 +1223,8 @@ __declspec(dllexport) void TITCALL DebugLoop() for(int i=0; iPebBaseAddress; } } - } + } - VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE); + VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE); return PebAddress; } -#ifndef _WIN64 -typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process); - -static bool IsThisProcessWow64() -{ - BOOL bIsWow64 = FALSE; - tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process"); - - if (fnIsWow64Process) - { - fnIsWow64Process(GetCurrentProcess(), &bIsWow64); - } - - return (bIsWow64 != FALSE); -} - __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess) { - if (IsThisProcessWow64()) - { - //Only WOW64 processes have 2 PEBs - DWORD peb32 = (DWORD)GetPEBLocation(hProcess); - peb32 += 0x1000; //PEB64 after PEB32 - return (void *)peb32; - } - - return 0; +#ifndef _WIN64 + if (IsThisProcessWow64()) + { + //Only WOW64 processes have 2 PEBs + DWORD peb32 = (DWORD)GetPEBLocation(hProcess); + peb32 += 0x1000; //PEB64 after PEB32 + return (void *)peb32; + } +#endif //_WIN64 + return 0; } -#endif - __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) { return ChangeHideDebuggerState(hProcess, PatchAPILevel, true); @@ -73,4 +56,4 @@ __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPIL __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel) { return ChangeHideDebuggerState(hProcess, PatchAPILevel, false); -} \ No newline at end of file +} diff --git a/TitanEngine/TitanEngine.def b/TitanEngine/TitanEngine.def index bdbf405..75eb787 100644 --- a/TitanEngine/TitanEngine.def +++ b/TitanEngine/TitanEngine.def @@ -228,6 +228,7 @@ HooksScanModuleMemory HooksScanEntireProcessMemory HooksScanEntireProcessMemoryEx GetPEBLocation +GetPEBLocation64 HideDebugger UnHideDebugger RelocaterInit 
diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h index 6b8d0de..80757cc 100644 --- a/TitanEngine/definitions.h +++ b/TitanEngine/definitions.h @@ -89,9 +89,7 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA); // TitanEngine.Hider.functions: __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess); -#ifndef _WIN64 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess); -#endif __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); // TitanEngine.Relocater.functions: diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h index 367d798..3856c6d 100644 --- a/TitanEngine/stdafx.h +++ b/TitanEngine/stdafx.h @@ -19,10 +19,6 @@ #endif #include "LzmaDec.h" -#define UE_PLATFORM_x86 1 -#define UE_PLATFORM_x64 2 -#define UE_PLATFORM_ALL 3 - #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth // Engine.Internal: @@ -436,7 +432,6 @@ typedef struct HANDLE hHandle; } HandlerArray, *PHandlerArray; -#define UE_BPXREMOVED 0 #define UE_BPXACTIVE 1 #define UE_BPXINACTIVE 2 @@ -483,21 +478,6 @@ typedef struct #define UE_PARAMETER_STRING 8 #define UE_PARAMETER_UNICODE 9 -#define UE_CMP_NOCONDITION 0 -#define UE_CMP_EQUAL 1 -#define UE_CMP_NOTEQUAL 2 -#define UE_CMP_GREATER 3 -#define UE_CMP_GREATEROREQUAL 4 -#define UE_CMP_LOWER 5 -#define UE_CMP_LOWEROREQUAL 6 -#define UE_CMP_REG_EQUAL 7 -#define UE_CMP_REG_NOTEQUAL 8 -#define UE_CMP_REG_GREATER 9 -#define UE_CMP_REG_GREATEROREQUAL 10 -#define UE_CMP_REG_LOWER 11 -#define UE_CMP_REG_LOWEROREQUAL 12 -#define UE_CMP_ALWAYSFALSE 13 - #define UE_EAX 1 #define UE_EBX 2 #define UE_ECX 3 
@@ -873,119 +853,119 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS { template struct LIST_ENTRY_T { - T Flink; - T Blink; + T Flink; + T Blink; }; template struct UNICODE_STRING_T { - union - { - struct - { - WORD Length; - WORD MaximumLength; - }; - T dummy; - }; - T _Buffer; + union + { + struct + { + WORD Length; + WORD MaximumLength; + }; + T dummy; + }; + T _Buffer; }; template struct _PEB_T { - union - { - struct - { - BYTE InheritedAddressSpace; - BYTE ReadImageFileExecOptions; - BYTE BeingDebugged; - BYTE _SYSTEM_DEPENDENT_01; - }; - T dummy01; - }; - T Mutant; - T ImageBaseAddress; - T Ldr; - T ProcessParameters; - T SubSystemData; - T ProcessHeap; - T FastPebLock; - T _SYSTEM_DEPENDENT_02; - T _SYSTEM_DEPENDENT_03; - T _SYSTEM_DEPENDENT_04; - union - { - T KernelCallbackTable; - T UserSharedInfoPtr; - }; - DWORD SystemReserved; - DWORD _SYSTEM_DEPENDENT_05; - T _SYSTEM_DEPENDENT_06; - T TlsExpansionCounter; - T TlsBitmap; - DWORD TlsBitmapBits[2]; - T ReadOnlySharedMemoryBase; - T _SYSTEM_DEPENDENT_07; - T ReadOnlyStaticServerData; - T AnsiCodePageData; - T OemCodePageData; - T UnicodeCaseTableData; - DWORD NumberOfProcessors; - union - { - DWORD NtGlobalFlag; - NGF dummy02; - }; - LARGE_INTEGER CriticalSectionTimeout; - T HeapSegmentReserve; - T HeapSegmentCommit; - T HeapDeCommitTotalFreeThreshold; - T HeapDeCommitFreeBlockThreshold; - DWORD NumberOfHeaps; - DWORD MaximumNumberOfHeaps; - T ProcessHeaps; - T GdiSharedHandleTable; - T ProcessStarterHelper; - T GdiDCAttributeList; - T LoaderLock; - DWORD OSMajorVersion; - DWORD OSMinorVersion; - WORD OSBuildNumber; - WORD OSCSDVersion; - DWORD OSPlatformId; - DWORD ImageSubsystem; - DWORD ImageSubsystemMajorVersion; - T ImageSubsystemMinorVersion; - union - { - T ImageProcessAffinityMask; - T ActiveProcessAffinityMask; - }; - T GdiHandleBuffer[A]; - T PostProcessInitRoutine; - T TlsExpansionBitmap; - DWORD TlsExpansionBitmapBits[32]; - T SessionId; - ULARGE_INTEGER AppCompatFlags; - ULARGE_INTEGER 
AppCompatFlagsUser; - T pShimData; - T AppCompatInfo; - UNICODE_STRING_T CSDVersion; - T ActivationContextData; - T ProcessAssemblyStorageMap; - T SystemDefaultActivationContextData; - T SystemAssemblyStorageMap; - T MinimumStackCommit; + union + { + struct + { + BYTE InheritedAddressSpace; + BYTE ReadImageFileExecOptions; + BYTE BeingDebugged; + BYTE _SYSTEM_DEPENDENT_01; + }; + T dummy01; + }; + T Mutant; + T ImageBaseAddress; + T Ldr; + T ProcessParameters; + T SubSystemData; + T ProcessHeap; + T FastPebLock; + T _SYSTEM_DEPENDENT_02; + T _SYSTEM_DEPENDENT_03; + T _SYSTEM_DEPENDENT_04; + union + { + T KernelCallbackTable; + T UserSharedInfoPtr; + }; + DWORD SystemReserved; + DWORD _SYSTEM_DEPENDENT_05; + T _SYSTEM_DEPENDENT_06; + T TlsExpansionCounter; + T TlsBitmap; + DWORD TlsBitmapBits[2]; + T ReadOnlySharedMemoryBase; + T _SYSTEM_DEPENDENT_07; + T ReadOnlyStaticServerData; + T AnsiCodePageData; + T OemCodePageData; + T UnicodeCaseTableData; + DWORD NumberOfProcessors; + union + { + DWORD NtGlobalFlag; + NGF dummy02; + }; + LARGE_INTEGER CriticalSectionTimeout; + T HeapSegmentReserve; + T HeapSegmentCommit; + T HeapDeCommitTotalFreeThreshold; + T HeapDeCommitFreeBlockThreshold; + DWORD NumberOfHeaps; + DWORD MaximumNumberOfHeaps; + T ProcessHeaps; + T GdiSharedHandleTable; + T ProcessStarterHelper; + T GdiDCAttributeList; + T LoaderLock; + DWORD OSMajorVersion; + DWORD OSMinorVersion; + WORD OSBuildNumber; + WORD OSCSDVersion; + DWORD OSPlatformId; + DWORD ImageSubsystem; + DWORD ImageSubsystemMajorVersion; + T ImageSubsystemMinorVersion; + union + { + T ImageProcessAffinityMask; + T ActiveProcessAffinityMask; + }; + T GdiHandleBuffer[A]; + T PostProcessInitRoutine; + T TlsExpansionBitmap; + DWORD TlsExpansionBitmapBits[32]; + T SessionId; + ULARGE_INTEGER AppCompatFlags; + ULARGE_INTEGER AppCompatFlagsUser; + T pShimData; + T AppCompatInfo; + UNICODE_STRING_T CSDVersion; + T ActivationContextData; + T ProcessAssemblyStorageMap; + T 
SystemDefaultActivationContextData; + T SystemAssemblyStorageMap; + T MinimumStackCommit; }; typedef _PEB_T PEB32; typedef _PEB_T PEB64; #ifdef _WIN64 - typedef PEB64 PEB_CURRENT; +typedef PEB64 PEB_CURRENT; #else - typedef PEB32 PEB_CURRENT; -#endif +typedef PEB32 PEB_CURRENT; +#endif