x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

improved ImporterGetRemoteAPIAddressEx

This commit is contained in:
NtQuery 2014-03-10 22:21:21 +01:00
parent f2d5cec2cc
commit fd87e8d479
3 changed files with 75 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
TitanEngine/Global.Engine.cpp
View File

@ -2039,3 +2039,70 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
}
return(NULL);
}
LONG_PTR GetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName)
{
DWORD cbNeeded = 0;
HMODULE EnumeratedModules[1024] = {0};
WCHAR RemoteDLLPath[MAX_PATH] = {0};
HMODULE hModuleLocal = GetModuleHandleW(szDLLName);
WCHAR * dllName;
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
RemoteDLLPath[0] = 0;
if(GetModuleFileNameExW(hProcess, EnumeratedModules[i], RemoteDLLPath, _countof(RemoteDLLPath)) > 0)
{
dllName = wcsrchr(RemoteDLLPath, L'\\');
if (dllName)
{
dllName++;
if(_wcsicmp(dllName, szDLLName) == 0)
{
LONG_PTR funcAddress = 0;
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
if (funcAddress)
{
return (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
}
}
else
{
hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
funcAddress = (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
FreeLibrary(hModuleLocal);
return funcAddress;
}
}
break;
}
}
}
}
}
return 0;
}
LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName)
{
HANDLE hProcess;
if(dbgProcessInformation.hProcess == 0)
{
hProcess = GetCurrentProcess();
}
else
{
hProcess = dbgProcessInformation.hProcess;
}
return GetProcAddressRemote(hProcess, szDLLName, szAPIName);
}

1
TitanEngine/Global.Engine.h
View File

@ -51,5 +51,6 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName);
long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType);
LONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName);
#endif //_GLOBAL_ENGINE_H

85
TitanEngine/TitanEngine.Importer.cpp
View File

@ -123,92 +123,15 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProc
}
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
{
int i = 0;
int j = 0;
char szAnsiLibraryName[MAX_PATH];
ULONG_PTR APIFoundAddress = 0;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_EXPORT_DIRECTORY PEExports;
PEXPORTED_DATA ExportedFunctions;
PEXPORTED_DATA ExportedFunctionNames;
PEXPORTED_DATA_WORD ExportedFunctionOrdinals;
PLIBRARY_ITEM_DATAW hListLibraryPtr;
bool FileIs64 = false;
int libcount=hListLibrary.size();
for(int i=0; i<libcount; i++)
WCHAR uniDLLName[MAX_PATH] = {0};
if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
{
hListLibraryPtr=&hListLibrary.at(i);
WideCharToMultiByte(CP_ACP, NULL, hListLibraryPtr->szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
if(lstrcmpiA(szAnsiLibraryName, szDLLName) == NULL)
{
__try
{
DOSHeader = (PIMAGE_DOS_HEADER)hListLibraryPtr->hFileMappingView;
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
return EngineGetProcAddressRemote(uniDLLName, szAPIName);
}
else
{
return(NULL);
return 0;
}
if(!FileIs64)
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true));
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true));
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true));
}
else
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true));
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true));
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true));
}
for(j = 0; j <= (int)PEExports->NumberOfNames; j++)
{
if(!FileIs64)
{
if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2);
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4);
APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll;
return((ULONG_PTR)APIFoundAddress);
}
}
else
{
if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2);
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4);
APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll;
return((ULONG_PTR)APIFoundAddress);
}
}
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4);
}
return(NULL);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(NULL);
}
}
}
return(NULL);
}
__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{