- moved GetProcAddressRemote to Global.Engine.Importer

- added various GetProcAddressRemote functions (for easier access)
- Use EngineGetProcAddressRemote in Global.Engine.Hider
- changed MAXIMUM_INSTRUCTION_SIZE to the x86 maximum size
- rewrote SetAPIBreakPoint (untested)
- rewrote DeleteAPIBreakPoint (untested)
mr.exodia 2014-03-10 23:37:12 +01:00
parent fd87e8d479
commit f8b46a7a5c
12 changed files with 150 additions and 365 deletions

.gitignore vendored

@ -155,3 +155,4 @@ $RECYCLE.BIN/
*.depend *.depend
*.layout *.layout
*.orig *.orig
*.cbTemp


@ -2,6 +2,7 @@
#include "definitions.h" #include "definitions.h"
#include "Global.Engine.Hider.h" #include "Global.Engine.Hider.h"
#include "Global.Engine.h" #include "Global.Engine.h"
#include "Global.Engine.Importer.h"
#include "Global.Debugger.h" #include "Global.Debugger.h"
// Global.Engine.Hider.functions: // Global.Engine.Hider.functions:
@ -87,14 +88,14 @@ static void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide, bool x64)
if(Hide) if(Hide)
{ {
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "CheckRemoteDebuggerPresent");
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect)) if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{ {
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect); VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect);
} }
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "GetTickCount");
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect)) if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{ {
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, patchGetTickCountSize, &ueNumberOfBytesRead); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, patchGetTickCountSize, &ueNumberOfBytesRead);
@ -103,14 +104,14 @@ static void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide, bool x64)
} }
else else
{ {
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "CheckRemoteDebuggerPresent");
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect)) if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{ {
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect); VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect);
} }
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "GetTickCount");
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect)) if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{ {
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), patchGetTickCountSize, &ueNumberOfBytesRead); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), patchGetTickCountSize, &ueNumberOfBytesRead);
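Review bot: The resolved address is used without a zero check on the `APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", ...)` lines and the `VirtualProtectEx` calls that follow them, in both the Hide and the restore branch. `EngineGetProcAddressRemote` returns 0 when the module or export is not found in the target, so the patch would then be attempted at address 0 and only skipped because the protection change would fail, not by design. A guard such as `if(APIPatchAddress && VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, ...))` makes the intent explicit; the replaced `EngineGlobalAPIHandler` path had the same gap. The mix of `hProcess` for the write and `dbgProcessInformation.hProcess` for the protection change looks pre-existing, but if they are meant to be the same process this is the moment to align them. FixAntidebugApiInProcess starts and ends outside the hunk.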


@ -0,0 +1,91 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Importer.h"
#include "Global.Debugger.h"
#include <psapi.h>
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName)
{
if(!hProcess) //no process specified
{
if(dbgProcessInformation.hProcess == 0)
{
hProcess = GetCurrentProcess();
}
else
{
hProcess = dbgProcessInformation.hProcess;
}
}
DWORD cbNeeded = 0;
HMODULE EnumeratedModules[1024] = {0};
WCHAR RemoteDLLPath[MAX_PATH] = {0};
HMODULE hModuleLocal = GetModuleHandleW(szDLLName);
WCHAR * dllName;
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
RemoteDLLPath[0] = 0;
if(GetModuleFileNameExW(hProcess, EnumeratedModules[i], RemoteDLLPath, _countof(RemoteDLLPath)) > 0)
{
dllName = wcsrchr(RemoteDLLPath, L'\\');
if (dllName)
{
dllName++;
if(_wcsicmp(dllName, szDLLName) == 0)
{
LONG_PTR funcAddress = 0;
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
if (funcAddress)
{
return (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
}
}
else
{
hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
funcAddress = (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
FreeLibrary(hModuleLocal);
return funcAddress;
}
}
break;
}
}
}
}
}
return 0;
}
ULONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName)
{
return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
}
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char * szDLLName, const char* szAPIName)
{
WCHAR uniDLLName[MAX_PATH] = {0};
if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
{
return EngineGetProcAddressRemote(hProcess, uniDLLName, szAPIName);
}
else
{
return 0;
}
}
ULONG_PTR EngineGetProcAddressRemote(const char * szDLLName, const char* szAPIName)
{
return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
}
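Review bot: The module loop in `EngineGetProcAddressRemote(HANDLE, const WCHAR*, const char*)` can read past the end of `EnumeratedModules`: `EnumProcessModules` reports in `cbNeeded` the size needed for all modules, which may exceed `sizeof(EnumeratedModules)`, yet the loop runs to `cbNeeded / sizeof(HMODULE)`. Clamp before the loop, `if(cbNeeded > sizeof(EnumeratedModules)) cbNeeded = sizeof(EnumeratedModules);`, and note in a comment that targets with more than 1024 modules are silently truncated. In the `LoadLibraryExW` branch the `GetProcAddress` result is not checked, so a missing export yields `0 - hModuleLocal + EnumeratedModules[i]`, a non-zero garbage address; return 0 there as the `GetModuleHandleW` branch already does. That branch also maps a file taken from the debuggee's module path into the debugger process; `DONT_RESOLVE_DLL_REFERENCES` skips DllMain, but the loader still parses the file, which deserves a comment at the call so the trust assumption is visible.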


@ -0,0 +1,10 @@
#ifndef _GLOBAL_ENGINE_IMPORTER_H
#define _GLOBAL_ENGINE_IMPORTER_H
//EngineGetProcAddressRemote
ULONG_PTR EngineGetProcAddressRemote(const char * szDLLName, const char* szAPIName);
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char * szDLLName, const char* szAPIName);
ULONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName);
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName);
#endif //_GLOBAL_ENGINE_IMPORTER_H
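Review bot: The four overloads are declared without a contract, so nothing tells callers what a 0 return or a NULL `hProcess` means. From the implementation, a comment above the block such as `//Resolves szAPIName in the target process' copy of szDLLName (case-insensitive match on the module's base name). hProcess == NULL selects the debuggee, or the current process if nothing is being debugged. Returns 0 if the module or the export is not found.` would cover it. The header also uses `HANDLE`, `WCHAR` and `ULONG_PTR` without including <windows.h>, so it compiles only after a Windows header; either include it or state the requirement next to the guard.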


@ -2039,70 +2039,3 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
} }
return(NULL); return(NULL);
} }
LONG_PTR GetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName)
{
DWORD cbNeeded = 0;
HMODULE EnumeratedModules[1024] = {0};
WCHAR RemoteDLLPath[MAX_PATH] = {0};
HMODULE hModuleLocal = GetModuleHandleW(szDLLName);
WCHAR * dllName;
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
RemoteDLLPath[0] = 0;
if(GetModuleFileNameExW(hProcess, EnumeratedModules[i], RemoteDLLPath, _countof(RemoteDLLPath)) > 0)
{
dllName = wcsrchr(RemoteDLLPath, L'\\');
if (dllName)
{
dllName++;
if(_wcsicmp(dllName, szDLLName) == 0)
{
LONG_PTR funcAddress = 0;
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
if (funcAddress)
{
return (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
}
}
else
{
hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
funcAddress = (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
FreeLibrary(hModuleLocal);
return funcAddress;
}
}
break;
}
}
}
}
}
return 0;
}
LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName)
{
HANDLE hProcess;
if(dbgProcessInformation.hProcess == 0)
{
hProcess = GetCurrentProcess();
}
else
{
hProcess = dbgProcessInformation.hProcess;
}
return GetProcAddressRemote(hProcess, szDLLName, szAPIName);
}


@ -51,6 +51,5 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName);
long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName); long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount); bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType); long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType);
LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName);
#endif //_GLOBAL_ENGINE_H #endif //_GLOBAL_ENGINE_H


@ -4,6 +4,7 @@
#include "Global.Debugger.h" #include "Global.Debugger.h"
#include "Global.Engine.h" #include "Global.Engine.h"
#include "Global.Engine.Threading.h" #include "Global.Engine.Threading.h"
#include "Global.Engine.Importer.h"
static long engineDefaultBreakPointType = UE_BREAKPOINT_INT3; static long engineDefaultBreakPointType = UE_BREAKPOINT_INT3;
static BYTE UD2BreakPoint[2] = {0x0F, 0x0B}; static BYTE UD2BreakPoint[2] = {0x0F, 0x0B};
@ -302,323 +303,61 @@ __declspec(dllexport) bool TITCALL SafeDeleteBPX(ULONG_PTR bpxAddress)
__declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack) __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack)
{ {
BYTE ReadByte = NULL;
HMODULE hModule = NULL;
DWORD ReadMemSize = NULL;
ULONG_PTR APIAddress = NULL; ULONG_PTR APIAddress = NULL;
ULONG_PTR tryAPIAddress = NULL; if(szDLLName && szAPIName)
ULONG_PTR QueryAPIAddress = NULL;
int i = MAX_RET_SEARCH_INSTRUCTIONS;
ULONG_PTR ueNumberOfReadWrite = NULL;
int currentInstructionLen = NULL;
bool ModuleLoaded = false;
void* CmdBuffer = NULL;
bool RemovedBpx = false;
if(szDLLName != NULL && szAPIName != NULL)
{ {
hModule = GetModuleHandleA(szDLLName); APIAddress = EngineGetProcAddressRemote(szDLLName, szAPIName); //get remote proc address
if(hModule == NULL) if(APIAddress)
{ {
if(engineAlowModuleLoading)
{
hModule = LoadLibraryA(szDLLName);
ModuleLoaded = true;
}
else
{
ReadMemSize = MAX_RET_SEARCH_INSTRUCTIONS * MAXIMUM_INSTRUCTION_SIZE;
APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS);
if(APIAddress != NULL)
{
CmdBuffer = VirtualAlloc(NULL, ReadMemSize, MEM_COMMIT, PAGE_READWRITE);
while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL)
{
ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10);
}
if(ReadMemSize == NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
APIAddress = NULL;
}
else
{
tryAPIAddress = (ULONG_PTR)CmdBuffer;
}
}
}
}
if(hModule != NULL || APIAddress != NULL)
{
if(hModule != NULL)
{
APIAddress = (ULONG_PTR)GetProcAddress(hModule, szAPIName);
}
if(bpxPlace == UE_APIEND) if(bpxPlace == UE_APIEND)
{ {
if(tryAPIAddress == NULL) int i = 0;
unsigned char ReadByte;
do //search for RET
{ {
tryAPIAddress = APIAddress; unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
} memset(CmdBuffer, 0, sizeof(CmdBuffer));
QueryAPIAddress = APIAddress; if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
RtlMoveMemory(&ReadByte, (LPVOID)tryAPIAddress, 1);
while(i > 0 && ReadByte != 0xC3 && ReadByte != 0xC2)
{
if(engineAlowModuleLoading == false && CmdBuffer != NULL)
{
if(IsBPXEnabled(QueryAPIAddress))
{
DisableBPX(QueryAPIAddress);
ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite);
RemovedBpx = true;
}
}
currentInstructionLen = StaticLengthDisassemble((LPVOID)tryAPIAddress);
tryAPIAddress = tryAPIAddress + currentInstructionLen;
RtlMoveMemory(&ReadByte, (LPVOID)tryAPIAddress, 1);
QueryAPIAddress = QueryAPIAddress + currentInstructionLen;
if(!engineAlowModuleLoading)
{
if(RemovedBpx)
{
EnableBPX(QueryAPIAddress - currentInstructionLen);
}
}
RemovedBpx = false;
i--;
}
if(i != NULL)
{
if((engineAlowModuleLoading == true && ModuleLoaded == true) || (engineAlowModuleLoading == true && ModuleLoaded == false))
{
APIAddress = tryAPIAddress;
}
else if(!engineAlowModuleLoading)
{
if(CmdBuffer != NULL)
{
APIAddress = tryAPIAddress - (ULONG_PTR)CmdBuffer + APIAddress;
}
else
{
APIAddress = tryAPIAddress;
}
}
}
else
{
if(ModuleLoaded)
{
FreeLibrary(hModule);
}
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
return false; return false;
i += StaticLengthDisassemble(CmdBuffer);
ReadByte = *CmdBuffer;
} }
} while(ReadByte != 0xC3 && ReadByte != 0xC2);
if(engineAlowModuleLoading) APIAddress += i;
{
APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
if(ModuleLoaded)
{
FreeLibrary(hModule);
}
}
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
} }
return SetBPX(APIAddress, bpxType, bpxCallBack); return SetBPX(APIAddress, bpxType, bpxCallBack);
} }
else
{
if(engineAlowModuleLoading)
{
if(ModuleLoaded)
{
FreeLibrary(hModule);
}
}
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return false;
}
}
else
{
return false;
} }
return false; return false;
} }
__declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace) __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace)
{ {
BYTE ReadByte = NULL;
HMODULE hModule = NULL;
DWORD ReadMemSize = NULL;
ULONG_PTR APIAddress = NULL; ULONG_PTR APIAddress = NULL;
ULONG_PTR tryAPIAddress = NULL; if(szDLLName && szAPIName)
ULONG_PTR QueryAPIAddress = NULL;
int i = MAX_RET_SEARCH_INSTRUCTIONS;
ULONG_PTR ueNumberOfReadWrite = NULL;
int currentInstructionLen = NULL;
bool ModuleLoaded = false;
void* CmdBuffer = NULL;
bool RemovedBpx = false;
if(szDLLName != NULL && szAPIName != NULL)
{ {
hModule = GetModuleHandleA(szDLLName); APIAddress = EngineGetProcAddressRemote(szDLLName, szAPIName); //get remote proc address
if(hModule == NULL) if(APIAddress)
{ {
if(engineAlowModuleLoading)
{
hModule = LoadLibraryA(szDLLName);
ModuleLoaded = true;
}
else
{
ReadMemSize = MAX_RET_SEARCH_INSTRUCTIONS * MAXIMUM_INSTRUCTION_SIZE;
APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS);
if(APIAddress != NULL)
{
CmdBuffer = VirtualAlloc(NULL, ReadMemSize, MEM_COMMIT, PAGE_READWRITE);
while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL)
{
ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10);
}
if(ReadMemSize == NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
APIAddress = NULL;
}
else
{
tryAPIAddress = (ULONG_PTR)CmdBuffer;
}
}
}
}
if(hModule != NULL || APIAddress != NULL)
{
if(hModule != NULL)
{
APIAddress = (ULONG_PTR)GetProcAddress(hModule, szAPIName);
}
if(bpxPlace == UE_APIEND) if(bpxPlace == UE_APIEND)
{ {
if(tryAPIAddress == NULL) int i = 0;
unsigned char ReadByte;
do //search for RET
{ {
tryAPIAddress = APIAddress; unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
} memset(CmdBuffer, 0, sizeof(CmdBuffer));
QueryAPIAddress = APIAddress; if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
RtlMoveMemory(&ReadByte, (LPVOID)tryAPIAddress, 1);
while(i > 0 && ReadByte != 0xC3 && ReadByte != 0xC2)
{
if(engineAlowModuleLoading == false && CmdBuffer != NULL)
{
if(IsBPXEnabled(QueryAPIAddress))
{
DisableBPX(QueryAPIAddress);
ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite);
RemovedBpx = true;
}
}
currentInstructionLen = StaticLengthDisassemble((LPVOID)tryAPIAddress);
tryAPIAddress = tryAPIAddress + currentInstructionLen;
RtlMoveMemory(&ReadByte, (LPVOID)tryAPIAddress, 1);
QueryAPIAddress = QueryAPIAddress + currentInstructionLen;
if(!engineAlowModuleLoading)
{
if(RemovedBpx)
{
EnableBPX(QueryAPIAddress - currentInstructionLen);
}
}
RemovedBpx = false;
i--;
}
if(i != NULL)
{
if((engineAlowModuleLoading == true && ModuleLoaded == true) || (engineAlowModuleLoading == true && ModuleLoaded == false))
{
APIAddress = tryAPIAddress;
}
else if(!engineAlowModuleLoading)
{
if(CmdBuffer != NULL)
{
APIAddress = tryAPIAddress - (ULONG_PTR)CmdBuffer + APIAddress;
}
else
{
APIAddress = tryAPIAddress;
}
}
}
else
{
if(ModuleLoaded)
{
FreeLibrary(hModule);
}
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
return false; return false;
i += StaticLengthDisassemble(CmdBuffer);
ReadByte = *CmdBuffer;
} }
while(ReadByte != 0xC3 && ReadByte != 0xC2);
APIAddress += i;
} }
if(engineAlowModuleLoading) return DeleteBPX(APIAddress);
{
APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
if(ModuleLoaded)
{
FreeLibrary(hModule);
} }
} }
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return(DeleteBPX(APIAddress));
}
else
{
if(engineAlowModuleLoading)
{
if(ModuleLoaded)
{
FreeLibrary(hModule);
}
}
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return false;
}
}
else
{
return false;
}
return false; return false;
} }
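Review bot: The RET search in the rewritten `SetAPIBreakPoint` stops one instruction too late: inside the `do` loop `i += StaticLengthDisassemble(CmdBuffer);` runs before `ReadByte = *CmdBuffer;` is tested, so when the examined instruction is the RET, `i` already points past it and `APIAddress += i;` puts the breakpoint on whatever follows the function rather than on the RET (the removed code returned `tryAPIAddress`, the RET itself). The loop also dropped the `MAX_RET_SEARCH_INSTRUCTIONS` bound the old version carried in `i`, so it now walks the debuggee's memory until a 0xC3/0xC2 first byte turns up or a read fails, while the constant is still defined. `DeleteAPIBreakPoint` has the identical loop and needs the same fix. The old code additionally disabled its own INT3 at `QueryAPIAddress` before reading; if `MemoryReadSafe` does not mask engine breakpoints, a 0xCC at the scan position is fed to `StaticLengthDisassemble`, which is worth confirming.
```cpp
if(bpxPlace == UE_APIEND)
{
    int i = 0;
    bool foundRet = false;
    for(int count = 0; count < MAX_RET_SEARCH_INSTRUCTIONS; count++) //bounded search for RET
    {
        unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
        memset(CmdBuffer, 0, sizeof(CmdBuffer));
        if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
            return false;
        if(*CmdBuffer == 0xC3 || *CmdBuffer == 0xC2) //stop on the RET itself, not after it
        {
            foundRet = true;
            break;
        }
        i += StaticLengthDisassemble(CmdBuffer);
    }
    if(!foundRet)
        return false;
    APIAddress += i;
}
// … unchanged: SetBPX call; DeleteAPIBreakPoint gets the same loop before DeleteBPX …
```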


@ -3,6 +3,7 @@
#include "Global.Mapping.h" #include "Global.Mapping.h"
#include "Global.Engine.h" #include "Global.Engine.h"
#include "Global.Librarian.h" #include "Global.Librarian.h"
#include "Global.Engine.Importer.h"
#include "scylla_wrapper.h" #include "scylla_wrapper.h"
#include <psapi.h> #include <psapi.h>
@ -126,7 +127,7 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDL
WCHAR uniDLLName[MAX_PATH] = {0}; WCHAR uniDLLName[MAX_PATH] = {0};
if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName))) if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
{ {
return EngineGetProcAddressRemote(uniDLLName, szAPIName); return EngineGetProcAddressRemote(szDLLName, szAPIName);
} }
else else
{ {
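Review bot: With `return EngineGetProcAddressRemote(szDLLName, szAPIName);` now selecting the `char*` overload, the `MultiByteToWideChar` conversion into `uniDLLName` just above it is dead work: the narrow overload performs the same conversion internally, so the name is converted twice and `uniDLLName` is never read. Either keep passing `uniDLLName` on this line, or drop the local conversion together with its `if`/`else` and return the narrow call directly. ImporterGetRemoteAPIAddressEx starts outside the hunk.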


@ -70,6 +70,8 @@
<Unit filename="Global.Engine.Hider.h" /> <Unit filename="Global.Engine.Hider.h" />
<Unit filename="Global.Engine.Hook.cpp" /> <Unit filename="Global.Engine.Hook.cpp" />
<Unit filename="Global.Engine.Hook.h" /> <Unit filename="Global.Engine.Hook.h" />
<Unit filename="Global.Engine.Importer.cpp" />
<Unit filename="Global.Engine.Importer.h" />
<Unit filename="Global.Engine.Simplification.cpp" /> <Unit filename="Global.Engine.Simplification.cpp" />
<Unit filename="Global.Engine.Simplification.h" /> <Unit filename="Global.Engine.Simplification.h" />
<Unit filename="Global.Engine.Threading.cpp" /> <Unit filename="Global.Engine.Threading.cpp" />


@ -217,6 +217,7 @@
<ClCompile Include="Global.Engine.Hash.cpp" /> <ClCompile Include="Global.Engine.Hash.cpp" />
<ClCompile Include="Global.Engine.Hider.cpp" /> <ClCompile Include="Global.Engine.Hider.cpp" />
<ClCompile Include="Global.Engine.Hook.cpp" /> <ClCompile Include="Global.Engine.Hook.cpp" />
<ClCompile Include="Global.Engine.Importer.cpp" />
<ClCompile Include="Global.Engine.Simplification.cpp" /> <ClCompile Include="Global.Engine.Simplification.cpp" />
<ClCompile Include="Global.Engine.Threading.cpp" /> <ClCompile Include="Global.Engine.Threading.cpp" />
<ClCompile Include="Global.Garbage.cpp" /> <ClCompile Include="Global.Garbage.cpp" />
@ -281,6 +282,7 @@
<ClInclude Include="Global.Engine.h" /> <ClInclude Include="Global.Engine.h" />
<ClInclude Include="Global.Engine.Hider.h" /> <ClInclude Include="Global.Engine.Hider.h" />
<ClInclude Include="Global.Engine.Hook.h" /> <ClInclude Include="Global.Engine.Hook.h" />
<ClInclude Include="Global.Engine.Importer.h" />
<ClInclude Include="Global.Engine.Simplification.h" /> <ClInclude Include="Global.Engine.Simplification.h" />
<ClInclude Include="Global.Engine.Threading.h" /> <ClInclude Include="Global.Engine.Threading.h" />
<ClInclude Include="Global.Garbage.h" /> <ClInclude Include="Global.Garbage.h" />


@ -201,6 +201,9 @@
<ClCompile Include="Global.Engine.Threading.cpp"> <ClCompile Include="Global.Engine.Threading.cpp">
<Filter>Source Files\TitanEngine</Filter> <Filter>Source Files\TitanEngine</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="Global.Engine.Importer.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="resource.h"> <ClInclude Include="resource.h">
@ -287,6 +290,9 @@
<ClInclude Include="ntdll.h"> <ClInclude Include="ntdll.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="Global.Engine.Importer.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ResourceCompile Include="TitanEngine.rc"> <ResourceCompile Include="TitanEngine.rc">


@ -28,7 +28,7 @@
#define MAX_DECODE_INSTRUCTIONS (32) #define MAX_DECODE_INSTRUCTIONS (32)
#define MAX_INSTRUCTIONS (1000) #define MAX_INSTRUCTIONS (1000)
#define MAXIMUM_BREAKPOINTS (1000) #define MAXIMUM_BREAKPOINTS (1000)
#define MAXIMUM_INSTRUCTION_SIZE (40) #define MAXIMUM_INSTRUCTION_SIZE (16) //maximum instruction size == 16
#define MAX_RET_SEARCH_INSTRUCTIONS (100) #define MAX_RET_SEARCH_INSTRUCTIONS (100)
#define UE_TRAP_FLAG (0x100) #define UE_TRAP_FLAG (0x100)
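Review bot: The new comment `//maximum instruction size == 16` on `MAXIMUM_INSTRUCTION_SIZE` overstates the limit: x86 and x64 cap a single instruction encoding at 15 bytes and the CPU rejects longer ones, so 16 is a rounded buffer size rather than the architectural maximum. Suggest `#define MAXIMUM_INSTRUCTION_SIZE (16) //x86/x64 instructions are at most 15 bytes; 16 keeps the read buffer a power of two`. Since Global.Breakpoint.cpp now reads exactly this many bytes per step, the comment should make clear it is a buffer size and not a statement about how much `StaticLengthDisassemble` consumes.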