mirror of https://github.com/x64dbg/TitanEngine
improved ImporterGetRemoteAPIAddressEx
parent
f2d5cec2cc
commit
fd87e8d479
|
|
@ -2039,3 +2039,70 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
|
||||||
}
|
}
|
||||||
return(NULL);
|
return(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
LONG_PTR GetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName)
|
||||||
|
{
|
||||||
|
DWORD cbNeeded = 0;
|
||||||
|
HMODULE EnumeratedModules[1024] = {0};
|
||||||
|
WCHAR RemoteDLLPath[MAX_PATH] = {0};
|
||||||
|
HMODULE hModuleLocal = GetModuleHandleW(szDLLName);
|
||||||
|
WCHAR * dllName;
|
||||||
|
|
||||||
|
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
|
||||||
|
{
|
||||||
|
for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
|
||||||
|
{
|
||||||
|
RemoteDLLPath[0] = 0;
|
||||||
|
if(GetModuleFileNameExW(hProcess, EnumeratedModules[i], RemoteDLLPath, _countof(RemoteDLLPath)) > 0)
|
||||||
|
{
|
||||||
|
dllName = wcsrchr(RemoteDLLPath, L'\\');
|
||||||
|
if (dllName)
|
||||||
|
{
|
||||||
|
dllName++;
|
||||||
|
if(_wcsicmp(dllName, szDLLName) == 0)
|
||||||
|
{
|
||||||
|
LONG_PTR funcAddress = 0;
|
||||||
|
|
||||||
|
if (hModuleLocal)
|
||||||
|
{
|
||||||
|
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
|
||||||
|
if (funcAddress)
|
||||||
|
{
|
||||||
|
return (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
|
||||||
|
if (hModuleLocal)
|
||||||
|
{
|
||||||
|
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
|
||||||
|
funcAddress = (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
|
||||||
|
FreeLibrary(hModuleLocal);
|
||||||
|
return funcAddress;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName)
|
||||||
|
{
|
||||||
|
HANDLE hProcess;
|
||||||
|
if(dbgProcessInformation.hProcess == 0)
|
||||||
|
{
|
||||||
|
hProcess = GetCurrentProcess();
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
hProcess = dbgProcessInformation.hProcess;
|
||||||
|
}
|
||||||
|
return GetProcAddressRemote(hProcess, szDLLName, szAPIName);
|
||||||
|
}
|
||||||
|
|
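Review bot: In the `LoadLibraryExW` fallback of `GetProcAddressRemote` the result of `GetProcAddress` is rebased without a NULL check, so a missing export returns `EnumeratedModules[i] - hModuleLocal`, a bogus non-zero address, instead of 0; the `GetModuleHandleW` branch above it does check. Guard it the same way: `if (funcAddress) funcAddress = funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];`. Separately, `EnumProcessModules` reports in `cbNeeded` the size needed for all modules, which can exceed `sizeof(EnumeratedModules)` when the target has more than 1024 modules, so the loop would index past the array; clamp first with `if (cbNeeded > sizeof(EnumeratedModules)) cbNeeded = sizeof(EnumeratedModules);`. Both branches also assume the local image has the same export RVAs as the module mapped in the target, which holds only when the two are the same file and the export is not forwarded; a short comment stating that assumption would help anyone debugging untrusted or side-loaded binaries.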
@ -51,5 +51,6 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName);
|
||||||
long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
|
long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
|
||||||
bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
|
bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
|
||||||
long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType);
|
long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType);
|
||||||
|
LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName);
|
||||||
|
|
||||||
#endif //_GLOBAL_ENGINE_H
|
#endif //_GLOBAL_ENGINE_H
|
||||||
|
|
@ -123,92 +123,15 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProc
|
||||||
}
|
}
|
||||||
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
|
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
|
||||||
{
|
{
|
||||||
|
WCHAR uniDLLName[MAX_PATH] = {0};
|
||||||
int i = 0;
|
if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
|
||||||
int j = 0;
|
|
||||||
char szAnsiLibraryName[MAX_PATH];
|
|
||||||
ULONG_PTR APIFoundAddress = 0;
|
|
||||||
PIMAGE_DOS_HEADER DOSHeader;
|
|
||||||
PIMAGE_NT_HEADERS32 PEHeader32;
|
|
||||||
PIMAGE_NT_HEADERS64 PEHeader64;
|
|
||||||
PIMAGE_EXPORT_DIRECTORY PEExports;
|
|
||||||
PEXPORTED_DATA ExportedFunctions;
|
|
||||||
PEXPORTED_DATA ExportedFunctionNames;
|
|
||||||
PEXPORTED_DATA_WORD ExportedFunctionOrdinals;
|
|
||||||
PLIBRARY_ITEM_DATAW hListLibraryPtr;
|
|
||||||
bool FileIs64 = false;
|
|
||||||
|
|
||||||
int libcount=hListLibrary.size();
|
|
||||||
for(int i=0; i<libcount; i++)
|
|
||||||
{
|
{
|
||||||
hListLibraryPtr=&hListLibrary.at(i);
|
return EngineGetProcAddressRemote(uniDLLName, szAPIName);
|
||||||
WideCharToMultiByte(CP_ACP, NULL, hListLibraryPtr->szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
|
}
|
||||||
if(lstrcmpiA(szAnsiLibraryName, szDLLName) == NULL)
|
else
|
||||||
{
|
{
|
||||||
__try
|
return 0;
|
||||||
{
|
|
||||||
DOSHeader = (PIMAGE_DOS_HEADER)hListLibraryPtr->hFileMappingView;
|
|
||||||
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
|
||||||
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
|
|
||||||
if(PEHeader32->OptionalHeader.Magic == 0x10B)
|
|
||||||
{
|
|
||||||
FileIs64 = false;
|
|
||||||
}
|
|
||||||
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
|
|
||||||
{
|
|
||||||
FileIs64 = true;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
if(!FileIs64)
|
|
||||||
{
|
|
||||||
PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true));
|
|
||||||
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true));
|
|
||||||
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true));
|
|
||||||
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true));
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true));
|
|
||||||
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true));
|
|
||||||
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true));
|
|
||||||
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true));
|
|
||||||
}
|
|
||||||
for(j = 0; j <= (int)PEExports->NumberOfNames; j++)
|
|
||||||
{
|
|
||||||
if(!FileIs64)
|
|
||||||
{
|
|
||||||
if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL)
|
|
||||||
{
|
|
||||||
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2);
|
|
||||||
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4);
|
|
||||||
APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll;
|
|
||||||
return((ULONG_PTR)APIFoundAddress);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL)
|
|
||||||
{
|
|
||||||
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2);
|
|
||||||
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4);
|
|
||||||
APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll;
|
|
||||||
return((ULONG_PTR)APIFoundAddress);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4);
|
|
||||||
}
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
|
||||||
{
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return(NULL);
|
|
||||||
}
|
}
|
||||||
__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
|
__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
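Review bot: `ImporterGetRemoteAPIAddressEx` now resolves `szAPIName` through `GetProcAddress`, which is case-sensitive, whereas the removed loop compared export names with `lstrcmpiA`; callers that relied on case-insensitive lookup will now get 0, and the exported function has no comment saying so. I would add a header comment such as `// szDLLName: bare module file name (no path); szAPIName: exact-case export name; returns 0 if the module or export is not found`, since the callee compares `szDLLName` only against the file-name part of each remote module path. The flags argument of `MultiByteToWideChar` is a DWORD, so `0` reads better than `NULL`: `MultiByteToWideChar(CP_ACP, 0, szDLLName, -1, uniDLLName, _countof(uniDLLName))`.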