diff --git a/TitanEngine/Global.Engine.cpp b/TitanEngine/Global.Engine.cpp
index 7a7793a..2ba7774 100644
--- a/TitanEngine/Global.Engine.cpp
+++ b/TitanEngine/Global.Engine.cpp
@@ -2039,3 +2039,70 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
 }
 return(NULL);
 }
+
+
+LONG_PTR GetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName)
+{
+ DWORD cbNeeded = 0;
+ HMODULE EnumeratedModules[1024] = {0};
+ WCHAR RemoteDLLPath[MAX_PATH] = {0};
+ HMODULE hModuleLocal = GetModuleHandleW(szDLLName);
+ WCHAR * dllName;
+
+ if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
+ {
+ for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
+ {
+ RemoteDLLPath[0] = 0;
+ if(GetModuleFileNameExW(hProcess, EnumeratedModules[i], RemoteDLLPath, _countof(RemoteDLLPath)) > 0)
+ {
+ dllName = wcsrchr(RemoteDLLPath, L'\\');
+ if (dllName)
+ {
+ dllName++;
+ if(_wcsicmp(dllName, szDLLName) == 0)
+ {
+ LONG_PTR funcAddress = 0;
+
+ if (hModuleLocal)
+ {
+ funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
+ if (funcAddress)
+ {
+ return (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
+ }
+ }
+ else
+ {
+ hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
+ if (hModuleLocal)
+ {
+ funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
+ funcAddress = (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
+ FreeLibrary(hModuleLocal);
+ return funcAddress;
+ }
+ }
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ return 0;
+}
+
+LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName)
+{
+ HANDLE hProcess;
+ if(dbgProcessInformation.hProcess == 0)
+ {
+ hProcess = GetCurrentProcess();
+ }
+ else
+ {
+ hProcess = dbgProcessInformation.hProcess;
+ }
+ return GetProcAddressRemote(hProcess, szDLLName, szAPIName);
+}
\ No newline at end of file
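Review bot: The loop bound `cbNeeded / sizeof(HMODULE)` in GetProcAddressRemote is never clamped to the 1024-entry `EnumeratedModules` array, and EnumProcessModules reports the size required for all modules even when the supplied buffer is smaller, so a target with more than 1024 modules makes the loop index past the end of the stack array. In the LoadLibraryExW fallback the GetProcAddress result is rebased and returned without a null check, so a missing export produces a non-zero bogus address instead of 0, unlike the GetModuleHandleW branch just above it. The rewritten lines below clamp the byte count before the loop and only rebase a real hit; everything else in the function is unchanged. Whether EnumProcessModules also covers a debuggee whose bitness differs from the debugger's is not visible here and may need EnumProcessModulesEx with LIST_MODULES_ALL — worth confirming.
```cpp
    if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
    {
        // cbNeeded is the size needed for every module and may exceed the buffer
        if(cbNeeded > sizeof(EnumeratedModules))
        {
            cbNeeded = sizeof(EnumeratedModules);
        }
        for(DWORD i = 0; i < cbNeeded / sizeof(HMODULE); i++)
        {
            // … unchanged: path lookup, name comparison, GetModuleHandleW branch …
                    else
                    {
                        hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
                        if (hModuleLocal)
                        {
                            funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
                            // only rebase a real hit; a miss must stay 0
                            if (funcAddress)
                            {
                                funcAddress = funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
                            }
                            FreeLibrary(hModuleLocal);
                            return funcAddress;
                        }
                    }
            // … unchanged: break and closing braces …
```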
diff --git a/TitanEngine/Global.Engine.h b/TitanEngine/Global.Engine.h index 7ab62ae..7ba12ea 100644 --- a/TitanEngine/Global.Engine.h +++ b/TitanEngine/Global.Engine.h @@ -51,5 +51,6 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName); long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName); bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount); long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType); +LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName); #endif //_GLOBAL_ENGINE_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Importer.cpp b/TitanEngine/TitanEngine.Importer.cpp index ef53085..8e92ef0 100644 --- a/TitanEngine/TitanEngine.Importer.cpp +++ b/TitanEngine/TitanEngine.Importer.cpp 
@@ -123,92 +123,15 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProc } __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName) { - - int i = 0; - int j = 0; - char szAnsiLibraryName[MAX_PATH]; - ULONG_PTR APIFoundAddress = 0; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_EXPORT_DIRECTORY PEExports; - PEXPORTED_DATA ExportedFunctions; - PEXPORTED_DATA ExportedFunctionNames; - PEXPORTED_DATA_WORD ExportedFunctionOrdinals; - PLIBRARY_ITEM_DATAW hListLibraryPtr; - bool FileIs64 = false; - - int libcount=hListLibrary.size(); - for(int i=0; iszLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL); - if(lstrcmpiA(szAnsiLibraryName, szDLLName) == NULL) - { - __try - { - DOSHeader = (PIMAGE_DOS_HEADER)hListLibraryPtr->hFileMappingView; - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(NULL); - } - if(!FileIs64) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true)); - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true)); - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, 
GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true)); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true)); - } - else - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true)); - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true)); - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true)); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true)); - } - for(j = 0; j <= (int)PEExports->NumberOfNames; j++) - { - if(!FileIs64) - { - if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); - ExportedFunctions 
= (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); - APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll; - return((ULONG_PTR)APIFoundAddress); - } - } - else - { - if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); - APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll; - return((ULONG_PTR)APIFoundAddress); - } - } - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); - } - return(NULL); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(NULL); - } - } + return EngineGetProcAddressRemote(uniDLLName, szAPIName); + } + else + { + return 0; } - return(NULL); } __declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress) {
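Review bot: `uniDLLName` is passed at the new `return EngineGetProcAddressRemote(uniDLLName, szAPIName);` without any visible declaration or conversion from the `char* szDLLName` parameter; the hunk header counts three more added lines than are shown, so the declaration and the narrow-to-wide conversion were probably lost in rendering, but if they are not in the commit this does not compile. The resolution strategy also changes silently: the removed code walked the engine's own `hListLibrary` file mappings, while the new call resolves against the live modules of `dbgProcessInformation.hProcess` (or the current process when no debuggee is attached), so 0 now also means "DLL not yet loaded in the debuggee". A short comment on the exported function stating that, e.g. `// Resolves against the debuggee's loaded modules; returns 0 if the DLL is not loaded there or the export does not exist`, would spare callers a surprise. ImporterGetRemoteAPIAddressEx begins inside the hunk but its body is partly garbled here.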