- removed some useless defines

- added GetPEBLocation64 to the SDK files - GetPEBLocation is also defined on x64, but does nothing there - moved a function to Global.Engine.Hider
2014-03-04 21:31:04 +01:00 · 2014-03-04 21:31:04 +01:00 · e265f498d0
parent 92451cfe42
commit e265f498d0
14 changed files with 315 additions and 427 deletions
--- a/SDK/C/TitanEngine.h
+++ b/SDK/C/TitanEngine.h
@ -189,21 +189,6 @@
 #define UE_PARAMETER_STRING 8
 #define UE_PARAMETER_UNICODE 9
 #define UE_CMP_NOCONDITION 0
 #define UE_CMP_EQUAL 1
 #define UE_CMP_NOTEQUAL 2
 #define UE_CMP_GREATER 3
 #define UE_CMP_GREATEROREQUAL 4
 #define UE_CMP_LOWER 5
 #define UE_CMP_LOWEROREQUAL 6
 #define UE_CMP_REG_EQUAL 7
 #define UE_CMP_REG_NOTEQUAL 8
 #define UE_CMP_REG_GREATER 9
 #define UE_CMP_REG_GREATEROREQUAL 10
 #define UE_CMP_REG_LOWER 11
 #define UE_CMP_REG_LOWEROREQUAL 12
 #define UE_CMP_ALWAYSFALSE 13
 #define UE_EAX 1
 #define UE_EBX 2
 #define UE_ECX 3
@ -598,6 +583,7 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
 __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
 // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
 __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 // TitanEngine.Relocater.functions:
--- a/SDK/CPP/TitanEngine.h
+++ b/SDK/CPP/TitanEngine.h
@ -189,21 +189,6 @@ const BYTE UE_PARAMETER_PTR_QWORD = 7;
 const BYTE UE_PARAMETER_STRING = 8;
 const BYTE UE_PARAMETER_UNICODE = 9;
 const BYTE UE_CMP_NOCONDITION = 0;
 const BYTE UE_CMP_EQUAL = 1;
 const BYTE UE_CMP_NOTEQUAL = 2;
 const BYTE UE_CMP_GREATER = 3;
 const BYTE UE_CMP_GREATEROREQUAL = 4;
 const BYTE UE_CMP_LOWER = 5;
 const BYTE UE_CMP_LOWEROREQUAL = 6;
 const BYTE UE_CMP_REG_EQUAL = 7;
 const BYTE UE_CMP_REG_NOTEQUAL = 8;
 const BYTE UE_CMP_REG_GREATER = 9;
 const BYTE UE_CMP_REG_GREATEROREQUAL = 10;
 const BYTE UE_CMP_REG_LOWER = 11;
 const BYTE UE_CMP_REG_LOWEROREQUAL = 12;
 const BYTE UE_CMP_ALWAYSFALSE = 13;
 const BYTE UE_EAX = 1;
 const BYTE UE_EBX = 2;
 const BYTE UE_ECX = 3;
@ -597,6 +582,7 @@ __declspec(dllimport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
 __declspec(dllimport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
 // TitanEngine.Hider.functions:
 __declspec(dllimport) void* TITCALL GetPEBLocation(HANDLE hProcess);
 __declspec(dllimport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
 __declspec(dllimport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 __declspec(dllimport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 // TitanEngine.Relocater.functions:
--- a/SDK/CPP/TitanEngine.hpp
+++ b/SDK/CPP/TitanEngine.hpp
@ -265,24 +265,6 @@ enum eParameterType : DWORD
    UE_PARAMETER_UNICODE = UE::UE_PARAMETER_UNICODE
 };
 enum eCompareCondition : DWORD
 {
    UE_CMP_NOCONDITION = UE::UE_CMP_NOCONDITION,
    UE_CMP_EQUAL = UE::UE_CMP_EQUAL,
    UE_CMP_NOTEQUAL = UE::UE_CMP_NOTEQUAL,
    UE_CMP_GREATER = UE::UE_CMP_GREATER,
    UE_CMP_GREATEROREQUAL = UE::UE_CMP_GREATEROREQUAL,
    UE_CMP_LOWER = UE::UE_CMP_LOWER,
    UE_CMP_LOWEROREQUAL = UE::UE_CMP_LOWEROREQUAL,
    UE_CMP_REG_EQUAL = UE::UE_CMP_REG_EQUAL,
    UE_CMP_REG_NOTEQUAL = UE::UE_CMP_REG_NOTEQUAL,
    UE_CMP_REG_GREATER = UE::UE_CMP_REG_GREATER,
    UE_CMP_REG_GREATEROREQUAL = UE::UE_CMP_REG_GREATEROREQUAL,
    UE_CMP_REG_LOWER = UE::UE_CMP_REG_LOWER,
    UE_CMP_REG_LOWEROREQUAL = UE::UE_CMP_REG_LOWEROREQUAL,
    UE_CMP_ALWAYSFALSE = UE::UE_CMP_ALWAYSFALSE
 };
 enum eContextData : DWORD
 {
    UE_EAX = UE::UE_EAX,
@ -828,6 +810,10 @@ public:
    static void* GetPEBLocation(HANDLE hProcess)
    {
        return UE::GetPEBLocation(hProcess);
    }
 	static void* GetPEBLocation64(HANDLE hProcess)
    {
        return UE::GetPEBLocation64(hProcess);
    }
    static bool HideDebugger(HANDLE hProcess, eHideLevel PatchAPILevel)
    {
--- a/SDK/Delphi/TitanEngine.pas
+++ b/SDK/Delphi/TitanEngine.pas
@ -284,25 +284,6 @@ const
 	UE_PARAMETER_STRING = 8;
 	UE_PARAMETER_UNICODE = 9;
 	UE_CMP_NOCONDITION = 0;
 	UE_CMP_EQUAL = 1;
 	UE_CMP_NOTEQUAL = 2;
 	UE_CMP_GREATER = 3;
 	UE_CMP_GREATEROREQUAL = 4;
 	UE_CMP_LOWER = 5;
 	UE_CMP_LOWEROREQUAL = 6;
 	UE_CMP_REG_EQUAL = 7;
 	UE_CMP_REG_NOTEQUAL = 8;
 	UE_CMP_REG_GREATER = 9;
 	UE_CMP_REG_GREATEROREQUAL = 10;
 	UE_CMP_REG_LOWER = 11;
 	UE_CMP_REG_LOWEROREQUAL = 12;
 	UE_CMP_ALWAYSFALSE = 13;
 	UE_OPTION_HANDLER_RETURN_HANDLECOUNT = 1;
 	UE_OPTION_HANDLER_RETURN_ACCESS = 2;
 	UE_OPTION_HANDLER_RETURN_FLAGS = 3;
 	UE_OPTION_HANDLER_RETURN_TYPENAME = 4;
 	UE_BREAKPOINT_INT3 = 1;
 	UE_BREAKPOINT_LONG_INT3 = 2;
 	UE_BREAKPOINT_UD2 = 3;
@ -465,6 +446,7 @@ const
  function IsFileDLL(szFileName:PAnsiChar; FileMapVA:LongInt):boolean; stdcall;  external 'TitanEngine.dll' name 'IsFileDLL';
 {TitanEngine.Hider.functions}
  function GetPEBLocation(hProcess:THandle):LongInt; stdcall;  external 'TitanEngine.dll' name 'GetPEBLocation';
  function GetPEBLocation64(hProcess:THandle):LongInt; stdcall;  external 'TitanEngine.dll' name 'GetPEBLocation64';
  function HideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall;  external 'TitanEngine.dll' name 'HideDebugger';
  function UnHideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall;  external 'TitanEngine.dll' name 'UnHideDebugger';
 {TitanEngine.Relocater.functions}
--- a/SDK/LUA/TitanEngine.lua
+++ b/SDK/LUA/TitanEngine.lua
@ -183,21 +183,6 @@ UE_PARAMETER_PTR_QWORD = 7
 UE_PARAMETER_STRING = 8
 UE_PARAMETER_UNICODE = 9
 UE_CMP_NOCONDITION = 0
 UE_CMP_EQUAL = 1
 UE_CMP_NOTEQUAL = 2
 UE_CMP_GREATER = 3
 UE_CMP_GREATEROREQUAL = 4
 UE_CMP_LOWER = 5
 UE_CMP_LOWEROREQUAL = 6
 UE_CMP_REG_EQUAL = 7
 UE_CMP_REG_NOTEQUAL = 8
 UE_CMP_REG_GREATER = 9
 UE_CMP_REG_GREATEROREQUAL = 10
 UE_CMP_REG_LOWER = 11
 UE_CMP_REG_LOWEROREQUAL = 12
 UE_CMP_ALWAYSFALSE = 13
 UE_EAX = 1
 UE_EBX = 2
 UE_ECX = 3
@ -620,6 +605,9 @@ PROCESS_INFORMATION = alien.defstruct{
 -- __declspec(dllexport) void* __stdcall GetPEBLocation(HANDLE hProcess);
 	TitanEngine.GetPEBLocation:types {"long",abi="stdcall",ret="pointer"}
 	TE_GetPEBLocation = TitanEngine.GetPEBLocation
 -- __declspec(dllexport) void* __stdcall GetPEBLocation64(HANDLE hProcess);
 	TitanEngine.GetPEBLocation64:types {"long",abi="stdcall",ret="pointer"}
 	TE_GetPEBLocation64 = TitanEngine.GetPEBLocation64
 -- __declspec(dllexport) bool __stdcall HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 	TitanEngine.HideDebugger:types {"long","long",abi="stdcall",ret="byte"}
 	TE_HideDebugger = TitanEngine.HideDebugger
--- a/SDK/MASM/TitanEngine.INC
+++ b/SDK/MASM/TitanEngine.INC
@ -151,20 +151,6 @@ UE_PARAMETER_PTR_DWORD	EQU	6
 UE_PARAMETER_PTR_QWORD	EQU	7
 UE_PARAMETER_STRING	EQU	8
 UE_PARAMETER_UNICODE	EQU	9
 UE_CMP_NOCONDITION	EQU	0
 UE_CMP_EQUAL	EQU	1
 UE_CMP_NOTEQUAL	EQU	2
 UE_CMP_GREATER	EQU	3
 UE_CMP_GREATEROREQUAL	EQU	4
 UE_CMP_LOWER	EQU	5
 UE_CMP_LOWEROREQUAL	EQU	6
 UE_CMP_REG_EQUAL	EQU	7
 UE_CMP_REG_NOTEQUAL	EQU	8
 UE_CMP_REG_GREATER	EQU	9
 UE_CMP_REG_GREATEROREQUAL	EQU	10
 UE_CMP_REG_LOWER	EQU	11
 UE_CMP_REG_LOWEROREQUAL	EQU	12
 UE_CMP_ALWAYSFALSE	EQU	13
 UE_EAX	EQU	1
 UE_EBX	EQU	2
 UE_ECX	EQU	3
@ -510,6 +496,7 @@ FixBrokenPE32FileExW proto stdcall :ptr WORD, :LPVOID, :LPVOID
 IsFileDLL proto stdcall :ptr SBYTE, :DWORD
 IsFileDLLW proto stdcall :ptr WORD, :DWORD
 GetPEBLocation proto stdcall :HANDLE
 GetPEBLocation64 proto stdcall :HANDLE
 HideDebugger proto stdcall :HANDLE, :DWORD
 UnHideDebugger proto stdcall :HANDLE, :DWORD
 RelocaterCleanup proto stdcall 
--- a/SDK/Python/TitanEngine.py
+++ b/SDK/Python/TitanEngine.py
@ -174,21 +174,6 @@ UE_PARAMETER_PTR_QWORD = 7
 UE_PARAMETER_STRING = 8
 UE_PARAMETER_UNICODE = 9
 UE_CMP_NOCONDITION = 0
 UE_CMP_EQUAL = 1
 UE_CMP_NOTEQUAL = 2
 UE_CMP_GREATER = 3
 UE_CMP_GREATEROREQUAL = 4
 UE_CMP_LOWER = 5
 UE_CMP_LOWEROREQUAL = 6
 UE_CMP_REG_EQUAL = 7
 UE_CMP_REG_NOTEQUAL = 8
 UE_CMP_REG_GREATER = 9
 UE_CMP_REG_GREATEROREQUAL = 10
 UE_CMP_REG_LOWER = 11
 UE_CMP_REG_LOWEROREQUAL = 12
 UE_CMP_ALWAYSFALSE = 13
 UE_EAX = 1
 UE_EBX = 2
 UE_ECX = 3
@ -656,6 +641,7 @@ TE.TranslateNativeNameW.restype = c_wchar_p
 TE.HandlerGetHandleNameW.restype = c_wchar_p
 TE.GetPEBLocation.restype = c_void_p
 TE.GetPEBLocation64.restype = c_void_p
 TE.ThreaderGetThreadInfo.restype = POINTER(THREAD_ITEM_DATA)
 TE.ThreaderGetThreadData.restype = POINTER(THREAD_ITEM_DATA)
--- a/TitanEngine/Global.Engine.Hider.cpp
+++ b/TitanEngine/Global.Engine.Hider.cpp
@ -7,87 +7,91 @@
 // Global.Engine.Hider.functions:
 static bool isAtleastVista()
 {
-	static bool isAtleastVista=false;
+    static bool isAtleastVista=false;
-	static bool isSet=false;
+    static bool isSet=false;
-	if(isSet)
+    if(isSet)
-		return isAtleastVista;
+        return isAtleastVista;
-	OSVERSIONINFO versionInfo= {0};
+    OSVERSIONINFO versionInfo= {0};
-	versionInfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
+    versionInfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);
-	GetVersionEx(&versionInfo);
+    GetVersionEx(&versionInfo);
-	isAtleastVista=versionInfo.dwMajorVersion >= 6;
+    isAtleastVista=versionInfo.dwMajorVersion >= 6;
-	isSet=true;
+    isSet=true;
-	return isAtleastVista;
+    return isAtleastVista;
 }
 static bool isWindows64()
 {
-	SYSTEM_INFO si = {0};
+    SYSTEM_INFO si = {0};
-	typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
+    typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
-	tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
+    tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
-	if (_GetNativeSystemInfo)
+    if (_GetNativeSystemInfo)
-	{
+    {
-		_GetNativeSystemInfo(&si);
+        _GetNativeSystemInfo(&si);
-	}
+    }
-	else
+    else
-	{
+    {
-		GetSystemInfo(&si);
+        GetSystemInfo(&si);
-	}
+    }
-	return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64);
+    return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64);
 }
 void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
 {
-	const BYTE patchCheckRemoteDebuggerPresent[5] = {
+    const BYTE patchCheckRemoteDebuggerPresent[5] =
-		0x33, 0xC0, //XOR EAX,EAX
+    {
-		0xC2, 0x08, 0x00}; //RETN 0x8
+        0x33, 0xC0, //XOR EAX,EAX
        0xC2, 0x08, 0x00
    }; //RETN 0x8
-	const BYTE patchGetTickCount[3] = {
+    const BYTE patchGetTickCount[3] =
-		0x33, 0xC0, //XOR EAX,EAX
+    {
-		0xC3}; //RETN
+        0x33, 0xC0, //XOR EAX,EAX
        0xC3
    }; //RETN
-	ULONG_PTR APIPatchAddress = 0;
+    ULONG_PTR APIPatchAddress = 0;
-	DWORD OldProtect = 0;
+    DWORD OldProtect = 0;
-	SIZE_T ueNumberOfBytesRead = 0;
+    SIZE_T ueNumberOfBytesRead = 0;
-	if(Hide)
+    if(Hide)
-	{
+    {
-		APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
+        APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
-		if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect))
+        if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect))
-		{
+        {
-			WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
+            WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
-			VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
+            VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
-		}
+        }
-		APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
+        APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
-		if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect))
+        if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect))
-		{
+        {
-			WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead);
+            WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead);
-			VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
+            VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
-		}
+        }
-	}
+    }
-	else
+    else
-	{
+    {
-		APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
+        APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
-		if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect))
+        if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect))
-		{
+        {
-			WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
+            WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
-			VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
+            VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
-		}
+        }
-		APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
+        APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
-		if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect))
+        if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect))
-		{
+        {
-			WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead);
+            WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead);
-			VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
+            VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
-		}
+        }
-	}
+    }
 }
@ -99,138 +103,156 @@ void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
 int getHeapFlagsOffset()
 {
-	if (isWindows64())
+    if (isWindows64())
-	{
+    {
-		if (isAtleastVista())
+        if (isAtleastVista())
-		{
+        {
-			return 0x70;
+            return 0x70;
-		}
+        }
-		else
+        else
-		{
+        {
-			return 0x14;
+            return 0x14;
-		}
+        }
-	}
+    }
-	else
+    else
-	{
+    {
-		if (isAtleastVista())
+        if (isAtleastVista())
-		{
+        {
-			return 0x40;
+            return 0x40;
-		}
+        }
-		else
+        else
-		{
+        {
-			return 0x0C;
+            return 0x0C;
-		}
+        }
-	}
+    }
 }
 int getHeapForceFlagsOffset()
 {
-	if (isWindows64())
+    if (isWindows64())
-	{
+    {
-		if (isAtleastVista())
+        if (isAtleastVista())
-		{
+        {
-			return 0x74;
+            return 0x74;
-		}
+        }
-		else
+        else
-		{
+        {
-			return 0x18;
+            return 0x18;
-		}
+        }
-	}
+    }
-	else
+    else
-	{
+    {
-		if (isAtleastVista())
+        if (isAtleastVista())
-		{
+        {
-			return 0x44;
+            return 0x44;
-		}
+        }
-		else
+        else
-		{
+        {
-			return 0x10;
+            return 0x10;
-		}
+        }
-	}
+    }
 }
 bool FixPebInProcess(HANDLE hProcess, bool Hide)
 {
-	PEB_CURRENT myPEB = {0};
+    PEB_CURRENT myPEB = {0};
-	SIZE_T ueNumberOfBytesRead = 0;
+    SIZE_T ueNumberOfBytesRead = 0;
-	void * heapFlagsAddress = 0;
+    void * heapFlagsAddress = 0;
-	DWORD heapFlags = 0;
+    DWORD heapFlags = 0;
-	void * heapForceFlagsAddress = 0;
+    void * heapForceFlagsAddress = 0;
-	DWORD heapForceFlags = 0;
+    DWORD heapForceFlags = 0;
 #ifndef _WIN64
-	PEB64 myPEB64 = {0};
+    PEB64 myPEB64 = {0};
-	void * AddressOfPEB64 = GetPEBLocation64(hProcess);
+    void * AddressOfPEB64 = GetPEBLocation64(hProcess);
 #endif
-	void * AddressOfPEB = GetPEBLocation(hProcess);
+    void * AddressOfPEB = GetPEBLocation(hProcess);
-	if (!AddressOfPEB)
+    if (!AddressOfPEB)
-		return false;
+        return false;
-	if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
+    if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
-	{
+    {
 #ifndef _WIN64
-		if (AddressOfPEB64)
+        if (AddressOfPEB64)
-		{
+        {
-			ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
+            ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
-		}
+        }
 #endif
-		if(Hide)
+        if(Hide)
-		{
+        {
-			myPEB.BeingDebugged = FALSE;
+            myPEB.BeingDebugged = FALSE;
-			myPEB.NtGlobalFlag &= ~0x70;
+            myPEB.NtGlobalFlag &= ~0x70;
 #ifndef _WIN64
-			myPEB64.BeingDebugged = FALSE;
+            myPEB64.BeingDebugged = FALSE;
-			myPEB64.NtGlobalFlag &= ~0x70;
+            myPEB64.NtGlobalFlag &= ~0x70;
 #endif
-			heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset());
+            heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset());
-			heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset());
+            heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset());
-			//TODO finish Heap Flag Anti-Anti-Debug
+            //TODO finish Heap Flag Anti-Anti-Debug
-		}
+        }
-		else
+        else
-		{
+        {
-			myPEB.BeingDebugged = TRUE;
+            myPEB.BeingDebugged = TRUE;
 #ifndef _WIN64
-			myPEB64.BeingDebugged = TRUE;
+            myPEB64.BeingDebugged = TRUE;
 #endif
-		}
+        }
-		if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
+        if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
-		{
+        {
 #ifndef _WIN64
-			if (AddressOfPEB64)
+            if (AddressOfPEB64)
-			{
+            {
-				WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
+                WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
-			}
+            }
 #endif
-			return true;
+            return true;
-		}
+        }
-	}
+    }
-	return false;
+    return false;
 }
 bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
 {
-	if(hProcess)
+    if(hProcess)
-	{
+    {
-		if (FixPebInProcess(hProcess, Hide))
+        if (FixPebInProcess(hProcess, Hide))
-		{
+        {
-			if(PatchAPILevel == UE_HIDE_BASIC)
+            if(PatchAPILevel == UE_HIDE_BASIC)
-			{
+            {
 #ifndef _WIN64
-				FixAntidebugApiInProcess32(hProcess, Hide);
+                FixAntidebugApiInProcess32(hProcess, Hide);
 #endif
-			}
+            }
-			return true;
+            return true;
-		}
+        }
-	}
+    }
-	return false;
+    return false;
 }
 #ifndef _WIN64
 typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
 bool IsThisProcessWow64()
 {
    BOOL bIsWow64 = FALSE;
    tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
    if (fnIsWow64Process)
    {
        fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
    }
    return (bIsWow64 != FALSE);
 }
 #endif
--- a/TitanEngine/Global.Engine.Hider.h
+++ b/TitanEngine/Global.Engine.Hider.h
@ -2,5 +2,8 @@
 #define _GLOBAL_ENGINE_HIDER_H
 bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide);
 #ifndef _WIN64
 bool IsThisProcessWow64();
 #endif
 #endif //_GLOBAL_ENGINE_HIDER_H
--- a/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp
+++ b/TitanEngine/TitanEngine.Debugger.DebugLoop.cpp
@ -1223,8 +1223,8 @@ __declspec(dllexport) void TITCALL DebugLoop()
                for(int i=0; i<bpcount; i++)
                {
                    if(BreakPointBuffer.at(i).BreakPointAddress == (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress &&
-                        (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT) &&
+                            (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT) &&
-                        BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE)
+                            BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE)
                    {
                        FoundBreakPoint=BreakPointBuffer.at(i);
                        bFoundBreakPoint=true;
--- a/TitanEngine/TitanEngine.Hider.cpp
+++ b/TitanEngine/TitanEngine.Hider.cpp
@ -5,12 +5,12 @@
 // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
 {
-	typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
+    typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
    ULONG RequiredLen = 0;
-	void * PebAddress = 0;
+    void * PebAddress = 0;
    PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
-    
+
-	if(!myProcessBasicInformation)
+    if(!myProcessBasicInformation)
        return 0;
    fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");
@ -28,43 +28,26 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
                PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
            }
        }
-	}
+    }
-	VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
+    VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
    return PebAddress;
 }
 #ifndef _WIN64
 typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
 static bool IsThisProcessWow64()
 {
 	BOOL bIsWow64 = FALSE;
 	tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
 	if (fnIsWow64Process)
 	{
 		fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
 	}
 	return (bIsWow64 != FALSE);
 }
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
 {
-	if (IsThisProcessWow64())
+#ifndef _WIN64
-	{
+    if (IsThisProcessWow64())
-		//Only WOW64 processes have 2 PEBs
+    {
-		DWORD peb32 = (DWORD)GetPEBLocation(hProcess);
+        //Only WOW64 processes have 2 PEBs
-		peb32 += 0x1000; //PEB64 after PEB32
+        DWORD peb32 = (DWORD)GetPEBLocation(hProcess);
-		return (void *)peb32;
+        peb32 += 0x1000; //PEB64 after PEB32
-	}
+        return (void *)peb32;
-
+    }
-	return 0;
+#endif //_WIN64
    return 0;
 }
 #endif
 __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel)
 {
    return ChangeHideDebuggerState(hProcess, PatchAPILevel, true);
@ -73,4 +56,4 @@ __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPIL
 __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel)
 {
    return ChangeHideDebuggerState(hProcess, PatchAPILevel, false);
-}
+}
--- a/TitanEngine/TitanEngine.def
+++ b/TitanEngine/TitanEngine.def
@ -228,6 +228,7 @@ HooksScanModuleMemory
 HooksScanEntireProcessMemory
 HooksScanEntireProcessMemoryEx
 GetPEBLocation
 GetPEBLocation64
 HideDebugger
 UnHideDebugger
 RelocaterInit
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
@ -89,9 +89,7 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
 __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
 // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
 #ifndef _WIN64
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
 #endif
 __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 // TitanEngine.Relocater.functions:
--- a/TitanEngine/stdafx.h
+++ b/TitanEngine/stdafx.h
@ -19,10 +19,6 @@
 #endif
 #include "LzmaDec.h"
 #define UE_PLATFORM_x86 1
 #define UE_PLATFORM_x64 2
 #define UE_PLATFORM_ALL 3
 #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
 // Engine.Internal:
@ -436,7 +432,6 @@ typedef struct
    HANDLE hHandle;
 } HandlerArray, *PHandlerArray;
 #define UE_BPXREMOVED 0
 #define UE_BPXACTIVE 1
 #define UE_BPXINACTIVE 2
@ -483,21 +478,6 @@ typedef struct
 #define UE_PARAMETER_STRING 8
 #define UE_PARAMETER_UNICODE 9
 #define UE_CMP_NOCONDITION 0
 #define UE_CMP_EQUAL 1
 #define UE_CMP_NOTEQUAL 2
 #define UE_CMP_GREATER 3
 #define UE_CMP_GREATEROREQUAL 4
 #define UE_CMP_LOWER 5
 #define UE_CMP_LOWEROREQUAL 6
 #define UE_CMP_REG_EQUAL 7
 #define UE_CMP_REG_NOTEQUAL 8
 #define UE_CMP_REG_GREATER 9
 #define UE_CMP_REG_GREATEROREQUAL 10
 #define UE_CMP_REG_LOWER 11
 #define UE_CMP_REG_LOWEROREQUAL 12
 #define UE_CMP_ALWAYSFALSE 13
 #define UE_EAX 1
 #define UE_EBX 2
 #define UE_ECX 3
@ -873,119 +853,119 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS {
 template <class T>
 struct LIST_ENTRY_T
 {
-	T Flink;
+    T Flink;
-	T Blink;
+    T Blink;
 };
 template <class T>
 struct UNICODE_STRING_T
 {
-	union
+    union
-	{
+    {
-		struct
+        struct
-		{
+        {
-			WORD Length;
+            WORD Length;
-			WORD MaximumLength;
+            WORD MaximumLength;
-		};
+        };
-		T dummy;
+        T dummy;
-	};
+    };
-	T _Buffer;
+    T _Buffer;
 };
 template <class T, class NGF, int A>
 struct _PEB_T
 {
-	union
+    union
-	{
+    {
-		struct
+        struct
-		{
+        {
-			BYTE InheritedAddressSpace;
+            BYTE InheritedAddressSpace;
-			BYTE ReadImageFileExecOptions;
+            BYTE ReadImageFileExecOptions;
-			BYTE BeingDebugged;
+            BYTE BeingDebugged;
-			BYTE _SYSTEM_DEPENDENT_01;
+            BYTE _SYSTEM_DEPENDENT_01;
-		};
+        };
-		T dummy01;
+        T dummy01;
-	};
+    };
-	T Mutant;
+    T Mutant;
-	T ImageBaseAddress;
+    T ImageBaseAddress;
-	T Ldr;
+    T Ldr;
-	T ProcessParameters;
+    T ProcessParameters;
-	T SubSystemData;
+    T SubSystemData;
-	T ProcessHeap;
+    T ProcessHeap;
-	T FastPebLock;
+    T FastPebLock;
-	T _SYSTEM_DEPENDENT_02;
+    T _SYSTEM_DEPENDENT_02;
-	T _SYSTEM_DEPENDENT_03;
+    T _SYSTEM_DEPENDENT_03;
-	T _SYSTEM_DEPENDENT_04;
+    T _SYSTEM_DEPENDENT_04;
-	union
+    union
-	{
+    {
-		T KernelCallbackTable;
+        T KernelCallbackTable;
-		T UserSharedInfoPtr;
+        T UserSharedInfoPtr;
-	};
+    };
-	DWORD SystemReserved;
+    DWORD SystemReserved;
-	DWORD _SYSTEM_DEPENDENT_05;
+    DWORD _SYSTEM_DEPENDENT_05;
-	T _SYSTEM_DEPENDENT_06;
+    T _SYSTEM_DEPENDENT_06;
-	T TlsExpansionCounter;
+    T TlsExpansionCounter;
-	T TlsBitmap;
+    T TlsBitmap;
-	DWORD TlsBitmapBits[2];
+    DWORD TlsBitmapBits[2];
-	T ReadOnlySharedMemoryBase;
+    T ReadOnlySharedMemoryBase;
-	T _SYSTEM_DEPENDENT_07;
+    T _SYSTEM_DEPENDENT_07;
-	T ReadOnlyStaticServerData;
+    T ReadOnlyStaticServerData;
-	T AnsiCodePageData;
+    T AnsiCodePageData;
-	T OemCodePageData;
+    T OemCodePageData;
-	T UnicodeCaseTableData;
+    T UnicodeCaseTableData;
-	DWORD NumberOfProcessors;
+    DWORD NumberOfProcessors;
-	union
+    union
-	{
+    {
-		DWORD NtGlobalFlag;
+        DWORD NtGlobalFlag;
-		NGF dummy02;
+        NGF dummy02;
-	};
+    };
-	LARGE_INTEGER CriticalSectionTimeout;
+    LARGE_INTEGER CriticalSectionTimeout;
-	T HeapSegmentReserve;
+    T HeapSegmentReserve;
-	T HeapSegmentCommit;
+    T HeapSegmentCommit;
-	T HeapDeCommitTotalFreeThreshold;
+    T HeapDeCommitTotalFreeThreshold;
-	T HeapDeCommitFreeBlockThreshold;
+    T HeapDeCommitFreeBlockThreshold;
-	DWORD NumberOfHeaps;
+    DWORD NumberOfHeaps;
-	DWORD MaximumNumberOfHeaps;
+    DWORD MaximumNumberOfHeaps;
-	T ProcessHeaps;
+    T ProcessHeaps;
-	T GdiSharedHandleTable;
+    T GdiSharedHandleTable;
-	T ProcessStarterHelper;
+    T ProcessStarterHelper;
-	T GdiDCAttributeList;
+    T GdiDCAttributeList;
-	T LoaderLock;
+    T LoaderLock;
-	DWORD OSMajorVersion;
+    DWORD OSMajorVersion;
-	DWORD OSMinorVersion;
+    DWORD OSMinorVersion;
-	WORD OSBuildNumber;
+    WORD OSBuildNumber;
-	WORD OSCSDVersion;
+    WORD OSCSDVersion;
-	DWORD OSPlatformId;
+    DWORD OSPlatformId;
-	DWORD ImageSubsystem;
+    DWORD ImageSubsystem;
-	DWORD ImageSubsystemMajorVersion;
+    DWORD ImageSubsystemMajorVersion;
-	T ImageSubsystemMinorVersion;
+    T ImageSubsystemMinorVersion;
-	union
+    union
-	{
+    {
-		T ImageProcessAffinityMask;
+        T ImageProcessAffinityMask;
-		T ActiveProcessAffinityMask;
+        T ActiveProcessAffinityMask;
-	};
+    };
-	T GdiHandleBuffer[A];
+    T GdiHandleBuffer[A];
-	T PostProcessInitRoutine;
+    T PostProcessInitRoutine;
-	T TlsExpansionBitmap;
+    T TlsExpansionBitmap;
-	DWORD TlsExpansionBitmapBits[32];
+    DWORD TlsExpansionBitmapBits[32];
-	T SessionId;
+    T SessionId;
-	ULARGE_INTEGER AppCompatFlags;
+    ULARGE_INTEGER AppCompatFlags;
-	ULARGE_INTEGER AppCompatFlagsUser;
+    ULARGE_INTEGER AppCompatFlagsUser;
-	T pShimData;
+    T pShimData;
-	T AppCompatInfo;
+    T AppCompatInfo;
-	UNICODE_STRING_T<T> CSDVersion;
+    UNICODE_STRING_T<T> CSDVersion;
-	T ActivationContextData;
+    T ActivationContextData;
-	T ProcessAssemblyStorageMap;
+    T ProcessAssemblyStorageMap;
-	T SystemDefaultActivationContextData;
+    T SystemDefaultActivationContextData;
-	T SystemAssemblyStorageMap;
+    T SystemAssemblyStorageMap;
-	T MinimumStackCommit;
+    T MinimumStackCommit;
 };
 typedef _PEB_T<DWORD, DWORD64, 34> PEB32;
 typedef _PEB_T<DWORD64, DWORD, 30> PEB64;
 #ifdef _WIN64
-	typedef PEB64 PEB_CURRENT;
+typedef PEB64 PEB_CURRENT;
 #else
-    typedef PEB32 PEB_CURRENT;
+typedef PEB32 PEB_CURRENT;
-#endif
+#endif