mirror of https://github.com/x64dbg/TitanEngine
- removed some useless defines
- added GetPEBLocation64 to the SDK files - GetPEBLocation is also defined on x64, but does nothing there - moved a function to Global.Engine.Hider
parent
92451cfe42
commit
e265f498d0
@ -189,21 +189,6 @@
|
|||
#define UE_PARAMETER_STRING 8
|
||||
#define UE_PARAMETER_UNICODE 9
|
||||
|
||||
#define UE_CMP_NOCONDITION 0
|
||||
#define UE_CMP_EQUAL 1
|
||||
#define UE_CMP_NOTEQUAL 2
|
||||
#define UE_CMP_GREATER 3
|
||||
#define UE_CMP_GREATEROREQUAL 4
|
||||
#define UE_CMP_LOWER 5
|
||||
#define UE_CMP_LOWEROREQUAL 6
|
||||
#define UE_CMP_REG_EQUAL 7
|
||||
#define UE_CMP_REG_NOTEQUAL 8
|
||||
#define UE_CMP_REG_GREATER 9
|
||||
#define UE_CMP_REG_GREATEROREQUAL 10
|
||||
#define UE_CMP_REG_LOWER 11
|
||||
#define UE_CMP_REG_LOWEROREQUAL 12
|
||||
#define UE_CMP_ALWAYSFALSE 13
|
||||
|
||||
#define UE_EAX 1
|
||||
#define UE_EBX 2
|
||||
#define UE_ECX 3
|
||||
|
|
@ -598,6 +583,7 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
|
|||
__declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
|
||||
// TitanEngine.Hider.functions:
|
||||
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
|
||||
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
|
||||
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
// TitanEngine.Relocater.functions:
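Review bot: The new `GetPEBLocation64` export carries no comment stating when it returns anything, yet as far as this page shows the implementation in TitanEngine.Hider.cpp is gated on `IsThisProcessWow64()` and otherwise falls through to `return 0;`, so SDK users will read a NULL result as a failure rather than as "no second PEB". I'd add above the declaration: `// Returns the target's 64-bit PEB, or NULL when the engine is not a 32-bit process running under WOW64 (always NULL in x64 builds).` The same wording belongs on the dllimport header, the C++ wrapper class, the Delphi, Lua, MASM and Python ctypes bindings and on the internal TitanEngine.h hunk further down, where the `#ifndef _WIN64` guard around the declaration is dropped.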
|
||||
|
|
|
|||
|
|
@ -189,21 +189,6 @@ const BYTE UE_PARAMETER_PTR_QWORD = 7;
|
|||
const BYTE UE_PARAMETER_STRING = 8;
|
||||
const BYTE UE_PARAMETER_UNICODE = 9;
|
||||
|
||||
const BYTE UE_CMP_NOCONDITION = 0;
|
||||
const BYTE UE_CMP_EQUAL = 1;
|
||||
const BYTE UE_CMP_NOTEQUAL = 2;
|
||||
const BYTE UE_CMP_GREATER = 3;
|
||||
const BYTE UE_CMP_GREATEROREQUAL = 4;
|
||||
const BYTE UE_CMP_LOWER = 5;
|
||||
const BYTE UE_CMP_LOWEROREQUAL = 6;
|
||||
const BYTE UE_CMP_REG_EQUAL = 7;
|
||||
const BYTE UE_CMP_REG_NOTEQUAL = 8;
|
||||
const BYTE UE_CMP_REG_GREATER = 9;
|
||||
const BYTE UE_CMP_REG_GREATEROREQUAL = 10;
|
||||
const BYTE UE_CMP_REG_LOWER = 11;
|
||||
const BYTE UE_CMP_REG_LOWEROREQUAL = 12;
|
||||
const BYTE UE_CMP_ALWAYSFALSE = 13;
|
||||
|
||||
const BYTE UE_EAX = 1;
|
||||
const BYTE UE_EBX = 2;
|
||||
const BYTE UE_ECX = 3;
|
||||
|
|
@ -597,6 +582,7 @@ __declspec(dllimport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
|
|||
__declspec(dllimport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
|
||||
// TitanEngine.Hider.functions:
|
||||
__declspec(dllimport) void* TITCALL GetPEBLocation(HANDLE hProcess);
|
||||
__declspec(dllimport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
|
||||
__declspec(dllimport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
__declspec(dllimport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
// TitanEngine.Relocater.functions:
|
||||
|
|
|
|||
|
|
@ -265,24 +265,6 @@ enum eParameterType : DWORD
|
|||
UE_PARAMETER_UNICODE = UE::UE_PARAMETER_UNICODE
|
||||
};
|
||||
|
||||
enum eCompareCondition : DWORD
|
||||
{
|
||||
UE_CMP_NOCONDITION = UE::UE_CMP_NOCONDITION,
|
||||
UE_CMP_EQUAL = UE::UE_CMP_EQUAL,
|
||||
UE_CMP_NOTEQUAL = UE::UE_CMP_NOTEQUAL,
|
||||
UE_CMP_GREATER = UE::UE_CMP_GREATER,
|
||||
UE_CMP_GREATEROREQUAL = UE::UE_CMP_GREATEROREQUAL,
|
||||
UE_CMP_LOWER = UE::UE_CMP_LOWER,
|
||||
UE_CMP_LOWEROREQUAL = UE::UE_CMP_LOWEROREQUAL,
|
||||
UE_CMP_REG_EQUAL = UE::UE_CMP_REG_EQUAL,
|
||||
UE_CMP_REG_NOTEQUAL = UE::UE_CMP_REG_NOTEQUAL,
|
||||
UE_CMP_REG_GREATER = UE::UE_CMP_REG_GREATER,
|
||||
UE_CMP_REG_GREATEROREQUAL = UE::UE_CMP_REG_GREATEROREQUAL,
|
||||
UE_CMP_REG_LOWER = UE::UE_CMP_REG_LOWER,
|
||||
UE_CMP_REG_LOWEROREQUAL = UE::UE_CMP_REG_LOWEROREQUAL,
|
||||
UE_CMP_ALWAYSFALSE = UE::UE_CMP_ALWAYSFALSE
|
||||
};
|
||||
|
||||
enum eContextData : DWORD
|
||||
{
|
||||
UE_EAX = UE::UE_EAX,
|
||||
|
|
@ -828,6 +810,10 @@ public:
|
|||
static void* GetPEBLocation(HANDLE hProcess)
|
||||
{
|
||||
return UE::GetPEBLocation(hProcess);
|
||||
}
|
||||
static void* GetPEBLocation64(HANDLE hProcess)
|
||||
{
|
||||
return UE::GetPEBLocation64(hProcess);
|
||||
}
|
||||
static bool HideDebugger(HANDLE hProcess, eHideLevel PatchAPILevel)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -284,25 +284,6 @@ const
|
|||
UE_PARAMETER_STRING = 8;
|
||||
UE_PARAMETER_UNICODE = 9;
|
||||
|
||||
UE_CMP_NOCONDITION = 0;
|
||||
UE_CMP_EQUAL = 1;
|
||||
UE_CMP_NOTEQUAL = 2;
|
||||
UE_CMP_GREATER = 3;
|
||||
UE_CMP_GREATEROREQUAL = 4;
|
||||
UE_CMP_LOWER = 5;
|
||||
UE_CMP_LOWEROREQUAL = 6;
|
||||
UE_CMP_REG_EQUAL = 7;
|
||||
UE_CMP_REG_NOTEQUAL = 8;
|
||||
UE_CMP_REG_GREATER = 9;
|
||||
UE_CMP_REG_GREATEROREQUAL = 10;
|
||||
UE_CMP_REG_LOWER = 11;
|
||||
UE_CMP_REG_LOWEROREQUAL = 12;
|
||||
UE_CMP_ALWAYSFALSE = 13;
|
||||
UE_OPTION_HANDLER_RETURN_HANDLECOUNT = 1;
|
||||
UE_OPTION_HANDLER_RETURN_ACCESS = 2;
|
||||
UE_OPTION_HANDLER_RETURN_FLAGS = 3;
|
||||
UE_OPTION_HANDLER_RETURN_TYPENAME = 4;
|
||||
|
||||
UE_BREAKPOINT_INT3 = 1;
|
||||
UE_BREAKPOINT_LONG_INT3 = 2;
|
||||
UE_BREAKPOINT_UD2 = 3;
|
||||
|
|
@ -465,6 +446,7 @@ const
|
|||
function IsFileDLL(szFileName:PAnsiChar; FileMapVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'IsFileDLL';
|
||||
{TitanEngine.Hider.functions}
|
||||
function GetPEBLocation(hProcess:THandle):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPEBLocation';
|
||||
function GetPEBLocation64(hProcess:THandle):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPEBLocation64';
|
||||
function HideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HideDebugger';
|
||||
function UnHideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'UnHideDebugger';
|
||||
{TitanEngine.Relocater.functions}
|
||||
|
|
|
|||
|
|
@ -183,21 +183,6 @@ UE_PARAMETER_PTR_QWORD = 7
|
|||
UE_PARAMETER_STRING = 8
|
||||
UE_PARAMETER_UNICODE = 9
|
||||
|
||||
UE_CMP_NOCONDITION = 0
|
||||
UE_CMP_EQUAL = 1
|
||||
UE_CMP_NOTEQUAL = 2
|
||||
UE_CMP_GREATER = 3
|
||||
UE_CMP_GREATEROREQUAL = 4
|
||||
UE_CMP_LOWER = 5
|
||||
UE_CMP_LOWEROREQUAL = 6
|
||||
UE_CMP_REG_EQUAL = 7
|
||||
UE_CMP_REG_NOTEQUAL = 8
|
||||
UE_CMP_REG_GREATER = 9
|
||||
UE_CMP_REG_GREATEROREQUAL = 10
|
||||
UE_CMP_REG_LOWER = 11
|
||||
UE_CMP_REG_LOWEROREQUAL = 12
|
||||
UE_CMP_ALWAYSFALSE = 13
|
||||
|
||||
UE_EAX = 1
|
||||
UE_EBX = 2
|
||||
UE_ECX = 3
|
||||
|
|
@ -620,6 +605,9 @@ PROCESS_INFORMATION = alien.defstruct{
|
|||
-- __declspec(dllexport) void* __stdcall GetPEBLocation(HANDLE hProcess);
|
||||
TitanEngine.GetPEBLocation:types {"long",abi="stdcall",ret="pointer"}
|
||||
TE_GetPEBLocation = TitanEngine.GetPEBLocation
|
||||
-- __declspec(dllexport) void* __stdcall GetPEBLocation64(HANDLE hProcess);
|
||||
TitanEngine.GetPEBLocation64:types {"long",abi="stdcall",ret="pointer"}
|
||||
TE_GetPEBLocation64 = TitanEngine.GetPEBLocation64
|
||||
-- __declspec(dllexport) bool __stdcall HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
TitanEngine.HideDebugger:types {"long","long",abi="stdcall",ret="byte"}
|
||||
TE_HideDebugger = TitanEngine.HideDebugger
|
||||
|
|
|
|||
|
|
@ -151,20 +151,6 @@ UE_PARAMETER_PTR_DWORD EQU 6
|
|||
UE_PARAMETER_PTR_QWORD EQU 7
|
||||
UE_PARAMETER_STRING EQU 8
|
||||
UE_PARAMETER_UNICODE EQU 9
|
||||
UE_CMP_NOCONDITION EQU 0
|
||||
UE_CMP_EQUAL EQU 1
|
||||
UE_CMP_NOTEQUAL EQU 2
|
||||
UE_CMP_GREATER EQU 3
|
||||
UE_CMP_GREATEROREQUAL EQU 4
|
||||
UE_CMP_LOWER EQU 5
|
||||
UE_CMP_LOWEROREQUAL EQU 6
|
||||
UE_CMP_REG_EQUAL EQU 7
|
||||
UE_CMP_REG_NOTEQUAL EQU 8
|
||||
UE_CMP_REG_GREATER EQU 9
|
||||
UE_CMP_REG_GREATEROREQUAL EQU 10
|
||||
UE_CMP_REG_LOWER EQU 11
|
||||
UE_CMP_REG_LOWEROREQUAL EQU 12
|
||||
UE_CMP_ALWAYSFALSE EQU 13
|
||||
UE_EAX EQU 1
|
||||
UE_EBX EQU 2
|
||||
UE_ECX EQU 3
|
||||
|
|
@ -510,6 +496,7 @@ FixBrokenPE32FileExW proto stdcall :ptr WORD, :LPVOID, :LPVOID
|
|||
IsFileDLL proto stdcall :ptr SBYTE, :DWORD
|
||||
IsFileDLLW proto stdcall :ptr WORD, :DWORD
|
||||
GetPEBLocation proto stdcall :HANDLE
|
||||
GetPEBLocation64 proto stdcall :HANDLE
|
||||
HideDebugger proto stdcall :HANDLE, :DWORD
|
||||
UnHideDebugger proto stdcall :HANDLE, :DWORD
|
||||
RelocaterCleanup proto stdcall
|
||||
|
|
|
|||
|
|
@ -174,21 +174,6 @@ UE_PARAMETER_PTR_QWORD = 7
|
|||
UE_PARAMETER_STRING = 8
|
||||
UE_PARAMETER_UNICODE = 9
|
||||
|
||||
UE_CMP_NOCONDITION = 0
|
||||
UE_CMP_EQUAL = 1
|
||||
UE_CMP_NOTEQUAL = 2
|
||||
UE_CMP_GREATER = 3
|
||||
UE_CMP_GREATEROREQUAL = 4
|
||||
UE_CMP_LOWER = 5
|
||||
UE_CMP_LOWEROREQUAL = 6
|
||||
UE_CMP_REG_EQUAL = 7
|
||||
UE_CMP_REG_NOTEQUAL = 8
|
||||
UE_CMP_REG_GREATER = 9
|
||||
UE_CMP_REG_GREATEROREQUAL = 10
|
||||
UE_CMP_REG_LOWER = 11
|
||||
UE_CMP_REG_LOWEROREQUAL = 12
|
||||
UE_CMP_ALWAYSFALSE = 13
|
||||
|
||||
UE_EAX = 1
|
||||
UE_EBX = 2
|
||||
UE_ECX = 3
|
||||
|
|
@ -656,6 +641,7 @@ TE.TranslateNativeNameW.restype = c_wchar_p
|
|||
TE.HandlerGetHandleNameW.restype = c_wchar_p
|
||||
|
||||
TE.GetPEBLocation.restype = c_void_p
|
||||
TE.GetPEBLocation64.restype = c_void_p
|
||||
|
||||
TE.ThreaderGetThreadInfo.restype = POINTER(THREAD_ITEM_DATA)
|
||||
TE.ThreaderGetThreadData.restype = POINTER(THREAD_ITEM_DATA)
|
||||
|
|
|
|||
|
|
@ -39,13 +39,17 @@ static bool isWindows64()
|
|||
|
||||
void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
|
||||
{
|
||||
const BYTE patchCheckRemoteDebuggerPresent[5] = {
|
||||
const BYTE patchCheckRemoteDebuggerPresent[5] =
|
||||
{
|
||||
0x33, 0xC0, //XOR EAX,EAX
|
||||
0xC2, 0x08, 0x00}; //RETN 0x8
|
||||
0xC2, 0x08, 0x00
|
||||
}; //RETN 0x8
|
||||
|
||||
const BYTE patchGetTickCount[3] = {
|
||||
const BYTE patchGetTickCount[3] =
|
||||
{
|
||||
0x33, 0xC0, //XOR EAX,EAX
|
||||
0xC3}; //RETN
|
||||
0xC3
|
||||
}; //RETN
|
||||
|
||||
ULONG_PTR APIPatchAddress = 0;
|
||||
DWORD OldProtect = 0;
|
||||
|
|
@ -234,3 +238,21 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
|
|||
|
||||
return false;
|
||||
}
|
||||
|
||||
#ifndef _WIN64
|
||||
typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
|
||||
|
||||
bool IsThisProcessWow64()
|
||||
{
|
||||
BOOL bIsWow64 = FALSE;
|
||||
tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
|
||||
|
||||
if (fnIsWow64Process)
|
||||
{
|
||||
fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
|
||||
}
|
||||
|
||||
return (bIsWow64 != FALSE);
|
||||
}
|
||||
|
||||
#endif
|
||||
|
|
@ -2,5 +2,8 @@
|
|||
#define _GLOBAL_ENGINE_HIDER_H
|
||||
|
||||
bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide);
|
||||
#ifndef _WIN64
|
||||
bool IsThisProcessWow64();
|
||||
#endif
|
||||
|
||||
#endif //_GLOBAL_ENGINE_HIDER_H
|
||||
|
|
@ -34,24 +34,9 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
|
|||
return PebAddress;
|
||||
}
|
||||
|
||||
#ifndef _WIN64
|
||||
typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
|
||||
|
||||
static bool IsThisProcessWow64()
|
||||
{
|
||||
BOOL bIsWow64 = FALSE;
|
||||
tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
|
||||
|
||||
if (fnIsWow64Process)
|
||||
{
|
||||
fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
|
||||
}
|
||||
|
||||
return (bIsWow64 != FALSE);
|
||||
}
|
||||
|
||||
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
|
||||
{
|
||||
#ifndef _WIN64
|
||||
if (IsThisProcessWow64())
|
||||
{
|
||||
//Only WOW64 processes have 2 PEBs
|
||||
|
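Review bot: `GetPEBLocation64` decides whether hProcess has a second PEB by calling `IsThisProcessWow64()`, i.e. by the engine's own WOW64 state, and never consults hProcess; that only holds while debugger and debuggee share a bitness, which appears to be the engine's assumption but is written nowhere. With the outer `#ifndef _WIN64` around the definition removed the function now also exists in x64 builds, where it reaches the `return 0;` in the following hunk. I'd add a header comment above the definition: `// Address of the target's PEB64. Only meaningful from a 32-bit engine running under WOW64 (target assumed to share our bitness); returns 0 otherwise, including in x64 builds.` The `peb32 += 0x1000; //PEB64 after PEB32` line in the next hunk encodes an undocumented loader layout rather than an API guarantee and deserves a comment saying so. The body of `GetPEBLocation64` continues past the end of this hunk.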
|
@ -59,12 +44,10 @@ __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
|
|||
peb32 += 0x1000; //PEB64 after PEB32
|
||||
return (void *)peb32;
|
||||
}
|
||||
|
||||
#endif //_WIN64
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel)
|
||||
{
|
||||
return ChangeHideDebuggerState(hProcess, PatchAPILevel, true);
|
||||
|
|
|
|||
|
|
@ -228,6 +228,7 @@ HooksScanModuleMemory
|
|||
HooksScanEntireProcessMemory
|
||||
HooksScanEntireProcessMemoryEx
|
||||
GetPEBLocation
|
||||
GetPEBLocation64
|
||||
HideDebugger
|
||||
UnHideDebugger
|
||||
RelocaterInit
|
||||
|
|
|
|||
|
|
@ -89,9 +89,7 @@ __declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMap
|
|||
__declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
|
||||
// TitanEngine.Hider.functions:
|
||||
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
|
||||
#ifndef _WIN64
|
||||
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
|
||||
#endif
|
||||
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||
// TitanEngine.Relocater.functions:
|
||||
|
|
|
|||
|
|
@ -19,10 +19,6 @@
|
|||
#endif
|
||||
#include "LzmaDec.h"
|
||||
|
||||
#define UE_PLATFORM_x86 1
|
||||
#define UE_PLATFORM_x64 2
|
||||
#define UE_PLATFORM_ALL 3
|
||||
|
||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
|
||||
|
||||
// Engine.Internal:
|
||||
|
|
@ -436,7 +432,6 @@ typedef struct
|
|||
HANDLE hHandle;
|
||||
} HandlerArray, *PHandlerArray;
|
||||
|
||||
#define UE_BPXREMOVED 0
|
||||
#define UE_BPXACTIVE 1
|
||||
#define UE_BPXINACTIVE 2
|
||||
|
||||
|
|
@ -483,21 +478,6 @@ typedef struct
|
|||
#define UE_PARAMETER_STRING 8
|
||||
#define UE_PARAMETER_UNICODE 9
|
||||
|
||||
#define UE_CMP_NOCONDITION 0
|
||||
#define UE_CMP_EQUAL 1
|
||||
#define UE_CMP_NOTEQUAL 2
|
||||
#define UE_CMP_GREATER 3
|
||||
#define UE_CMP_GREATEROREQUAL 4
|
||||
#define UE_CMP_LOWER 5
|
||||
#define UE_CMP_LOWEROREQUAL 6
|
||||
#define UE_CMP_REG_EQUAL 7
|
||||
#define UE_CMP_REG_NOTEQUAL 8
|
||||
#define UE_CMP_REG_GREATER 9
|
||||
#define UE_CMP_REG_GREATEROREQUAL 10
|
||||
#define UE_CMP_REG_LOWER 11
|
||||
#define UE_CMP_REG_LOWEROREQUAL 12
|
||||
#define UE_CMP_ALWAYSFALSE 13
|
||||
|
||||
#define UE_EAX 1
|
||||
#define UE_EBX 2
|
||||
#define UE_ECX 3
|
||||
|
|
|
|||