Compare commits

356 Commits

Author SHA1 Message Date
Duncan Ogilvie ec7a8b9352 Code formatting 2026-04-13 11:41:19 +02:00
Duncan Ogilvie 7a114df3d5 Honor no-console mode for debuggee launch 2026-04-13 11:22:28 +02:00
Duncan Ogilvie a62925db7a Make everything standards-compliant 2026-04-12 17:38:04 +02:00
Duncan Ogilvie 4cdefb80c6 Add CMake project 2026-04-12 15:11:17 +02:00
Duncan Ogilvie 95f332cacd Vendor distorm and scylla_wrapper 2026-04-12 13:49:25 +02:00
Duncan Ogilvie 1232bce7f6 Merge pull request #30 from rafaelrfreitas/fix-writeonly-mem-bps
fix: ensure write-only breakpoints trigger on Copy-on-Write pages
2026-03-28 14:35:33 +01:00
Rafael ebdc74d23b fix: ensure write-only breakpoints trigger on Copy-on-Write pages
- Replaced the implicit bit-shift logic with an explicit mapping
to prevent the OS from silently duplicating pages via Copy-on-Write.

- Added explicit cases for PAGE_WRITECOPY and PAGE_EXECUTE_WRITECOPY.
2026-03-28 12:03:17 +00:00
Duncan Ogilvie e6570203cc Merge pull request #29 from 3rdit/fix/breakpoint-deletion-race
Fix multi-thread breakpoint deletion race condition
2026-01-10 14:49:38 +01:00
AzuLX 5cc80cf3d9 track deleted breakpoints to handle stale events safely 2026-01-10 12:36:40 +00:00
AzuLX 8072f96a26 fix multi-thread breakpoint deletion race condition 2026-01-05 15:47:03 +00:00
Duncan Ogilvie f6c9698fd7 Merge pull request #28 from 3rdit/fix/hwbp-thread-suspension
Fix thread suspension when hardware breakpoint is disabled during callback
2026-01-04 23:42:29 +01:00
AzuLX b4a11cb2df prevent thread suspension when HWBP is disabled during callback 2026-01-04 21:01:42 +00:00
Duncan Ogilvie ea05d920b7 Fix formatting 2025-08-18 03:29:50 +02:00
Duncan Ogilvie 3db7179373 Merge pull request #26 from micronn/fix-membpx-pageboundary
Fix memory breakpoints when an access spans an extra page
2025-08-17 20:28:06 +02:00
Duncan Ogilvie 2d1dcd7e1c Merge pull request #27 from CXVUSER/x64dbg
Fix legacy SSE not working on pre-AVX processors
2025-08-17 20:27:48 +02:00
xcv c7c6956698 Fix legacy SSE not working on pre-AVX processors 2025-08-17 21:56:41 +05:00
micronn 12f896c57e Fix memory breakpoints when an access spans an extra page 2025-07-05 21:17:19 +02:00
Duncan Ogilvie 158ab56643 Prepare for release 2025-07-04 17:20:04 +02:00
Duncan Ogilvie 02d0be742a Fix crash with AVX-512 on 32-bit
Closes #25
2025-07-04 17:17:01 +02:00
Duncan Ogilvie f23d23a5f5 Merge pull request #23 from torusrxxx/AVX512
Fix clearing wrong structure
2025-05-24 18:30:41 +02:00
torusrxxx ded0912814 Fix clearing wrong structure 2025-03-31 11:14:47 +08:00
Duncan Ogilvie 2674540368 Merge pull request #22 from torusrxxx/AVX512
Add support for AVX512
2025-03-30 12:44:51 +02:00
torusrxxx 1aae30c447 allow using k0 register 2025-03-19 00:23:10 +08:00
torusrxxx c37f9978fb Add support for AVX512 2025-03-11 19:01:16 +08:00
Duncan Ogilvie 49f59781da Merge pull request #16 from shocoman/memory-read-safe-page-bug
Fix 'MemoryReadSafe' not restoring original memory protection correctly
2023-10-28 15:18:43 +02:00
Duncan Ogilvie 5484a49237 Merge pull request #18 from shocoman/proper-membp-3-public
Implement memory breakpoints that are not page-aligned
2023-10-28 15:18:23 +02:00
shocoman 4bac132514 Fix 'MemoryReadSafe' not restoring original memory protection correctly 2023-10-20 20:57:14 +07:00
Duncan Ogilvie a19a7935de Merge pull request #15 from ZehMatt/fix-stepping-state
Fix the stepping issue
2023-10-20 14:30:34 +02:00
shocoman 76c1b86250 Implement memory breakpoints that are not page-aligned 2023-10-20 17:48:29 +07:00
ζeh Matt 40395549f9 Reset single stepping state when debugger pauses on exceptions 2023-09-06 23:22:22 +03:00
Duncan Ogilvie 01d0d1854f Remove unnecessary FlushInstructionCache 2023-07-08 13:20:30 +02:00
Duncan Ogilvie 490ce02fb3 Also implement #14 for UD2 breakpoints 2023-07-08 12:50:02 +02:00
Duncan Ogilvie b862c2b36f Merge pull request #14 from shocoman/fix-double-pushfd-bug
Fix a bug that could change a stack value after stepping into a PUSHF instruction with a singleshoot breakpoint
2023-07-08 12:02:41 +02:00
shocoman 7a7530cef1 Fix a bug that can change a stack value after stepping into a PUSHF instruction with a singleshoot breakpoint 2023-06-04 14:27:25 +07:00
Duncan Ogilvie 882bc1bc30 Delete a bunch of unused functionality 2023-03-04 01:38:22 +01:00
Duncan Ogilvie 568334cdd4 Switch to the v141_xp toolset for XP support 2022-10-07 12:19:13 +02:00
Duncan Ogilvie e005ba44b6 Relocate the image with No ASLR 2022-09-11 15:52:18 +02:00
Duncan Ogilvie 259f1e88e3 Improve no ASLR by retrying 2022-09-10 01:13:09 +02:00
Duncan Ogilvie d0b7e5addd Remove a redundant GetThreadContext for synchronized breakpoints 2022-09-09 22:38:16 +02:00
Duncan Ogilvie 8d833fb2e3 Add UE_ENGINE_SAFE_STEP to allow disabling DBG_REPLY_LATER 2022-09-09 13:45:53 +02:00
Duncan Ogilvie 43caf023f8 Remove unused SDKs 2022-09-09 13:44:12 +02:00
Duncan Ogilvie 160d66919e Workaround for a bug in the kernel with x64 emulation on ARM 2022-08-10 18:49:36 +02:00
Duncan Ogilvie fb1babcbb3 Put a critical section around StepInto to make it thread-safe 2021-12-11 23:43:22 +01:00
Duncan Ogilvie 1a76d61ef6 GitHub Actions to build 2021-11-15 03:04:33 +01:00
Duncan Ogilvie fa8c5f7eb5 Upgrade to Visual Studio 2019 2021-11-15 02:58:38 +01:00
Duncan Ogilvie f0832465c6 AStyle formatting 2021-11-15 02:57:37 +01:00
Duncan Ogilvie cda4385d6d Update AStyle formatting tools 2021-11-15 02:57:33 +01:00
Duncan Ogilvie 0f81825ff0 Add UE_ENGINE_DISABLE_ASLR to remap the debuggee image without ASLR 2021-11-15 02:56:34 +01:00
the_janitor 39fe35a09e Fixed a bug in which thread termination froze 2021-09-19 03:05:46 +02:00
Duncan Ogilvie bbab6359b0 Use KUSER_SHARED_DATA for checking the build number 2021-09-18 22:45:39 +02:00
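Duncan Ogilvie d4ad8293f7 Merge pull request #9 from thejanit0r/patch-1
Alternative memory breakpoint (PAGE_NOACCESS)
2021-09-18 22:23:49 +02:00
Duncan Ogilvie f7ba8c62f4 Merge pull request #10 from thejanit0r/patch-2
Fix to handle race conditions on multi-threaded applications on multi-core systems
2021-09-02 12:52:26 +02:00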
Fix to handle race conditions on multi-threaded applications on multi-core systems
2021-09-02 12:52:26 +02:00
the_janitor 18a885a703 Added an alternative memory breakpoint method that uses PAGE_NOACCESS instead of PAGE_GUARD 2021-09-02 02:52:14 +02:00
the_janitor 284a782702 Added a fix to handle race conditions on multi-threaded applications on multi-core systems (DBG_REPLY_LATER) 2021-09-02 02:33:06 +02:00
Duncan Ogilvie 8d93135f38 Merge pull request #8 from Mattiwatti/setbpx-check-return
SetBPX: check return value of VirtualProtectEx before writing
2021-02-15 21:56:29 +01:00
Matthijs Lavrijsen 9c98cd2436 SetBPX: check return value of VirtualProtectEx before writing 2021-01-12 18:34:09 +01:00
Duncan Ogilvie 8632c68ec9 Do not put full PDB path in the binary 2020-12-15 18:38:26 +01:00
Duncan Ogilvie 089651339b Properly fix the debug privilege functionality 2020-12-15 18:22:03 +01:00
Duncan Ogilvie 0a1c3236b8 Make SafeAttach the default 2020-11-12 04:58:15 +01:00
Duncan Ogilvie 2447a299c8 Improve debug privilege functionality 2020-11-12 04:36:45 +01:00
Duncan Ogilvie ce87d2bea8 Do not create a thread when attaching 2020-11-12 04:36:45 +01:00
Duncan Ogilvie 885e290cc4 Fix detaching 2020-11-12 04:36:45 +01:00
Matthijs Lavrijsen 35fdd5684e Don't call DebugSetProcessKillOnExit if SafeAttach is enabled 2020-09-14 19:13:34 +02:00
Matthijs Lavrijsen 8f83721fd3 Fix EngineSetDebugPrivilege deadlocking the system when trying to debug lsass.exe 2020-08-18 16:33:32 +02:00
Duncan Ogilvie 51ba022c29 Fix a weird exploit when attaching to a process that overwrites its own OptionalHeader.SizeOfStackReserve 2020-04-10 03:56:08 +02:00
Duncan Ogilvie 451c85e465 Do not silently swallow exceptions when detaching 2020-01-21 20:27:24 +01:00
Duncan Ogilvie e76867196e Allow zero timeouts to be set with SetDebugLoopTimeOut 2020-01-21 20:27:15 +01:00
Mattiwatti 8e79163e4d Fix PE header size check for values of e_lfanew >= 0x10000 2020-01-21 20:22:39 +01:00
Sandor Nemes 247f643cac Updated Python bindings 2019-10-01 10:39:32 +02:00
Mattiwatti 357759757d StepInto: close thread handle after setting context 2019-05-19 23:28:06 +02:00
Duncan Ogilvie 7ad288f30e Fix debug event timeout feature + add extra check if the debuggee was terminated
Details: https://github.com/x64dbg/x64dbg/issues/2087
2018-12-28 16:26:43 +01:00
Duncan Ogilvie 50c0d90fcb Fix offsets in _PEB_T 2018-12-28 15:34:59 +01:00
Duncan Ogilvie 7976be4edd Improved version of DbgUiConnectToDbg by Mattiwatti 2018-11-18 15:43:59 +01:00
Duncan Ogilvie 250c44388b sign LibraryLoader executables 2018-10-31 00:13:20 +01:00
Duncan Ogilvie a260728ad3 improve safe attach option on Vista+ 2018-10-31 00:13:08 +01:00
Duncan Ogilvie f835fc8719 fix safe attach option on 32 bit 2018-10-31 00:12:48 +01:00
Duncan Ogilvie bfec722a12 Add safe attach option 2018-07-19 16:27:43 +02:00
Duncan Ogilvie ab037ef1c5 don't close process and file handles in ForceClose 2018-07-19 15:59:21 +02:00
Mattiwatti ef020ed39d Merged in Mattiwatti/titanengine/x64dbg (pull request #13)
Fix memory/handle waste caused by mapping every loaded DLL into the debugger process

* Don't create a file mapping for every loaded DLL in LOAD_DLL_DEBUG_EVENT that is not freed until the end of the debug session just to query the DLL filename. GetMappedFileNameW takes a process handle, so just use the debuggee's process and DLL base instead

* Fix double free if TranslateNativeNameW() fails
2018-03-23 11:25:54 +00:00
Duncan Ogilvie 9b36d32bf6 Correctly handle the TagWord on x64
https://github.com/x64dbg/x64dbg/issues/1837
2017-12-17 01:53:25 +01:00
Duncan Ogilvie 02be13641e Fix the issue with TitanEngine closing invalid handles
https://x64dbg.com/blog/2017/11/04/the-big-handle-gamble.html
2017-11-11 11:06:15 +01:00
Duncan Ogilvie f3626c717e Build scylla_wrapper_dll from source 2017-10-24 00:43:15 +02:00
Duncan Ogilvie 587183f984 Fix a problem with LoadDll.hFile and committing gigabytes of memory on attach 2017-10-24 00:04:56 +02:00
mrexodia 5d1e43bb69 compile on vs2010 + remove over-allocation 2017-07-29 15:23:52 +02:00
Mattiwatti 0f5566b1db Merged in Mattiwatti/titanengine/native-debug-init (pull request #12)
Add InitNativeDebug API
2017-07-29 12:27:28 +00:00
Mattiwatti 86fe598475 Make the default command line the quoted image path, to prevent empty command lines in case no arguments were specified 2017-07-29 05:53:47 +02:00
Mattiwatti ef7deb59d4 Add InitNativeDebug and InitNativeDebugW API functions for executables that cannot be started with CreateProcess 2017-07-29 00:37:22 +02:00
Mattiwatti dc0a1c33a8 Update ntdll.h and import libraries (see https://github.com/x64dbg/x64dbg/pull/1620) 2017-07-29 00:31:05 +02:00
mrexodia e2abc789e9 fixed WOW64 PEB address retrieval on Windows 10 2017-06-06 21:35:54 +02:00
cypherpunk 7cffd0df6d added a helpful comment for WOW64 PEB64 2017-05-01 16:52:06 +02:00
cypherpunk 0a63361a61 commented PEB64 patches for WOW64 processes to prevent crashes of debuggee since Win10 Creators Update 2017-05-01 16:48:17 +02:00
mrexodia 21e146bc23 directly use thread context manipulation for StepInto 2017-04-28 01:06:58 +02:00
mrexodia d7e66e5ae4 fixed some bugs on WOW64 with thread context manipulation 2017-04-28 01:01:17 +02:00
mrexodia 239df37a5e removed command line limit 2017-04-20 10:58:43 +02:00
mrexodia 0f7e664a4a more versatile DLL loader extraction 2017-03-14 06:38:05 +01:00
mrexodia 47f481f5d9 move FlushInstructionCache in DeleteBPX to the correct location 2017-01-11 18:33:31 +01:00
mrexodia c4e6afbd93 enable debug privilege when calling OpenThread too (closes pull request #11) 2017-01-07 16:54:12 +01:00
mrexodia fd47444406 PAGE_EXECUTE_READ instead of PAGE_EXECUTE_READWRITE in MemoryReadSafe 2017-01-02 03:21:34 +01:00
mrexodia 806f81e187 small fixed with MxCsr and other FltSave structures for x64 2016-09-25 17:48:35 +02:00
mrexodia 6dc9dcd3cf performance improvement in GetContextDataEx 2016-09-03 05:45:11 +02:00
mrexodia 895f80996b fixed UE_DLLCHARACTERISTICS 2016-08-27 21:32:57 +02:00
mrexodia bdaae76d9d added UE_DLLCHARACTERISTICS 2016-08-27 21:03:42 +02:00
mrexodia c5be34dc92 removed certain checks for performance improvement (x64dbg only) 2016-06-04 20:23:17 +02:00
mrexodia e089f4af41 fixed some bugs with RVA -> Offset conversion (appears to be working fine for standard exes now) 2016-04-22 21:04:38 +02:00
mrexodia 941f391317 Merged in RaMMicHaeL/titanengine-update/patch1 (pull request #10)
Fix INVALID_HANDLE exceptions
2016-03-05 13:16:50 +01:00
RaMMicHaeL c283737b53 These handles are managed by the system; fixes INVALID_HANDLE exceptions when the system tries to close the handles 2016-03-05 14:13:57 +02:00
cypherpunk ea39130ed9 updated C/C++ SDK files for Resourcer::ExtractResourceFromFile fixes 2015-12-20 16:33:30 +01:00
cypherpunk fdbc1aa989 fix Resourcer::EnumerateResource which wasn't sending correct resourceName / resourceType 2015-12-20 16:32:44 +01:00
cypherpunk 758a361df1 fix for using ExtractResourceFromFile from callback of EnumerateResource 2015-12-20 16:31:43 +01:00
cypherpunk a37ce345e2 fixed Resourcer::ExtractResourceFromFile which was broken ever since 2015-12-20 16:30:30 +01:00
mrexodia fb03e9de19 fixed some formatting 2015-12-15 17:10:04 +01:00
mrexodia fa184271cd Merged in Herz3h/titanengine-update (pull request #9)
Hardware Breakpoint : Fixed a bug where when HW BP is hit and the user deletes the HW BP then resumes the execution, the Trap Flag is still set which makes titanengine think the debuggee threw a SINGLE_STEP Exception.
2015-12-11 22:20:28 +01:00
Herzeh db1a181193 Changed (1 << 8) to UE_TRAP_FLAG which already exists 2015-12-11 21:34:55 +01:00
Herzeh 92f5d48c85 Hardware Breakpoint : Fixed a bug where when HW BP is hit and the user deletes the HW BP then resumes the execution, the Trap Flag is still set which makes titanengine think the debuggee threw a SINGLE_STEP Exception.
BP : Fixed a bug where setting a HW BP and a SW BP (could be any combination e.g SW BP then a HW BP) on same address, then removing one of the two BP when program hits the BP will remove all BPs set on that address.
2015-12-11 12:50:16 +01:00
Mr. eXoDia 51208e22f3 call FlushInstructionCache after changing code (this could bug) 2015-07-30 15:39:09 +02:00
Mr. eXoDia 268c684125 removed exception handlers for callbacks (this is dangerous) 2015-04-17 00:36:47 +02:00
Mr. eXoDia b9dd68f5c7 fixed a bug in LibraryLoader.exe as non-administrator (Global -> Local kernel namespace for the file name to debug) 2015-04-04 03:56:57 +02:00
Mr. eXoDia 3462c000e0 fixed a bug with resetting hardware breakpoints when they are deleted inside the handler (thanks to Demonic Sword!) 2015-02-04 01:16:18 +01:00
Mr. eXoDia aacd8c2eb8 fixed a bug with setting the AVX context overwriting the other registers with zeroes 2014-12-30 03:41:32 +01:00
Mr. eXoDia 9ab24a8d8f fixes 2014-12-30 03:17:03 +01:00
Mr. eXoDia acb0e1aa24 fixed a bug with YMM registers 2014-12-30 03:12:16 +01:00
Mr. eXoDia 6e7778eddb compiler generic XmmRegister types (mingw doesn't like M128A) 2014-12-30 02:01:11 +01:00
Mr. eXoDia 46398eba7b removed useless unlock/relock sequences (CriticalSection objects can be called recursively without problems from the same thread) 2014-12-23 00:19:11 +01:00
Mr. eXoDia f04f96e83d fixed CriticalSectionLocker (thanks to Nukem) 2014-12-22 23:22:59 +01:00
Mr. eXoDia 29f8973700 fixed the 'push ss', 'pop ss' problem (by setting a breakpoint on the next instruction) 2014-12-08 23:55:20 +01:00
Mr. eXoDia c541b9d764 resolved issue #44 (by removing the push ss, pop ss 'fix') + fixed SingleStep 2014-12-08 23:37:59 +01:00
Mr. eXoDia d572dd2bfc Fixed AVX YMM registers 2014-12-08 16:33:04 +01:00
Mr. eXoDia ee9fc93b96 fixed return value of InitXState() 2014-12-08 15:33:54 +01:00
Mr. eXoDia 6f6bae27a6 some cleanups in TitanEngine.Debugger.Context (wip) 2014-12-08 15:30:51 +01:00
Mr. eXoDia 2dedd37950 added more structure alignment checks 2014-12-08 14:42:29 +01:00
Mr. eXoDia e3107e6dd3 hopefully fixed a crash with getting/setting the AVX context on unsupported systems 2014-12-08 02:08:59 +01:00
Mr. eXoDia 60c7a748b4 M128A for mingw 2014-12-01 00:58:08 +01:00
mrexodia 2c886614af Merged in Dreg_fr33project/titanengine-update (pull request #8)
avx support
2014-11-13 02:44:56 +01:00
dreg_fr33project 4956d16b65 finish basic AVX support 2014-11-13 02:33:47 +01:00
dreg_fr33project c084a81ba4 Merge branch 'master' of https://bitbucket.org/Dreg_fr33project/titanengine-update 2014-11-11 09:13:49 +01:00
David Reguera Garcia (Dreg) 3309f9c375 Merged mrexodia/titanengine-update into master 2014-11-11 09:13:32 +01:00
dreg_fr33project 191b46e84f last ymm support changes 2014-11-11 09:12:57 +01:00
David Reguera Garcia (Dreg) a8a32117c1 Merged in Dreg_fr33project/titanengine-update (pull request #7)
eflags fixed and registersview button tuning
2014-11-02 03:33:42 +01:00
David Reguera Garcia (Dreg) 399ca0742b Merged mrexodia/titanengine-update into master 2014-11-02 03:11:54 +01:00
dreg_fr33project 1a7ebad6b8 eflags fix 2014-11-02 03:11:33 +01:00
mrexodia b421e7e00e Merged in Dreg_fr33project/titanengine-update (pull request #6)
Basic FPU support
2014-11-02 02:08:54 +01:00
dreg_fr33project dce958c748 fix a bug in MMX get 2014-11-02 01:45:41 +01:00
David Reguera Garcia (Dreg) 0599f49277 Merged mrexodia/titanengine-update into master 2014-11-02 01:07:14 +01:00
dreg_fr33project 71b5f65fbc last fpu changes - ended basic first version 2014-11-02 00:31:43 +01:00
dreg_fr33project 650bb5a46b last fpu changes 2014-10-27 08:03:11 +01:00
dreg_fr33project 1ef361ba10 last changes 2014-10-26 02:28:20 +02:00
mrexodia 34f7289118 Merged in Dreg_fr33project/titanengine-update (pull request #5)
FPU support added and new getcontext way
2014-09-30 15:38:10 +02:00
David Reguera Garcia (Dreg) 17b7cb558e Merged mrexodia/titanengine-update into master 2014-09-30 15:35:36 +02:00
dreg_fr33project db9c67b317 new titanengine with FPU support etc 2014-09-30 15:34:46 +02:00
Mr. eXoDia 8c0aec1879 fixed some const char pointers 2014-09-30 15:27:34 +02:00
David Reguera Garcia (Dreg) f760d8fcda Merged mrexodia/titanengine-update into master 2014-09-14 23:41:15 +02:00
Mr. eXoDia 50379e53e9 update gitignore for coverity builds 2014-09-13 01:45:05 +02:00
Mr. eXoDia c892c567f6 TitanEngine v3.0 2014-08-30 21:35:44 +02:00
Mr. eXoDia 0414a061f7 fucking shit, this has been broken since 2010 + fixed uninitialized buffer 2014-08-26 17:04:47 +02:00
Mr. eXoDia a815753c52 fixed detection when stepping over 'pop ss, pushfd/q' (thanks to firelegend for reporting) 2014-08-20 23:33:42 +02:00
Mr. eXoDia a6a093760a RemoveAllBreakPoints now also works with UE_SINGLESHOOT breakpoints + updated project to have a single instead of double backslash 2014-08-16 20:27:26 +02:00
Mr. eXoDia 0b19438cbc added pre-commit autoformat (run install.bat after cloning) 2014-08-16 20:15:19 +02:00
Mr. eXoDia fe91cd08b4 remove singleshoot breakpoints before the breakpoint callback 2014-08-15 22:21:22 +02:00
Mr. eXoDia 7726d8fcf1 massive formatting 2014-08-05 01:04:23 +02:00
Mr. eXoDia b350775721 formatting 2014-07-25 22:37:28 +02:00
Mr. eXoDia d6cb3e584b fixed a bug with stepping over hardware breakpoints 2014-07-25 22:37:20 +02:00
Mr. eXoDia f44b9b0310 fixed some more detection problems with PUSHFD/PUSHFQ 2014-07-25 21:37:57 +02:00
Mr. eXoDia 3e061ab773 fixed some detection problems with PUSHFD/PUSHFQ 2014-07-25 20:40:47 +02:00
Mr. eXoDia 3c348c7882 added forwarders for renamed functions 2014-07-23 03:47:41 +02:00
Mr. eXoDia 8e21d1072d fixed a bug with attaching (DebugReset would cause the custom callbacks to be reset, which means attaching doesn't work). 2014-07-18 16:37:52 +02:00
Mr. eXoDia 4b54b7bcea GetProcessInformation -> TitanGetProcessInformation + GetStartupInformation -> TitanGetStartupInformation (windows 8 SDK contains GetProcessInformation already) 2014-07-10 13:02:47 +02:00
Mr. eXoDia 978361df33 fixed warnings 2014-07-08 02:55:56 +02:00
Mr. eXoDia 4e4fd592d1 better handling of memory breakpoints 2014-07-08 02:54:24 +02:00
Mr. eXoDia 547af4b582 added LGPLv3 license 2014-07-01 16:59:33 +02:00
Mr. eXoDia 7e1fb26ebe fixed various potential exceptions (ConvertVAtoFileOffset return wasn't checked everywhere) 2014-06-01 14:34:42 +02:00
Mr. eXoDia b89eff37c8 fixed a bug in WipeSection 2014-06-01 04:13:49 +02:00
Mr. eXoDia b06908df98 - better library loaders (file mapping to send the file to debug)
- fixed module base reserving (before it was always reserved)
- some code refactoring in TitanEngine.Debugger
2014-05-29 03:19:39 +02:00
Mr. eXoDia adce077e48 fixed dll breakpoints 2014-05-29 02:24:14 +02:00
Mr. eXoDia 8b5a615007 use IMAGE_FIRST_SECTION everywhere 2014-05-18 16:34:56 +02:00
Mr. eXoDia dfbf4a48c5 resolved issue #39 (hardware breakpoints on all threads) 2014-05-18 15:38:38 +02:00
Mr. eXoDia d777ee3590 - resolved issue #42 (fixed the pre/post filters)
- resolved issue #34 (critical sections lock tested & working)
- dynamic DLLLoader name (avoids detection + you can debug two DLL files in the same directory)
2014-05-18 02:20:15 +02:00
Mr. eXoDia 51bf507216 critical section locker 2014-05-18 01:07:09 +02:00
Mr. eXoDia aa8e991f08 removed the locks from Debugger.Context, now DBGContext is a local variable everywhere. 2014-05-16 12:32:28 +02:00
Mr. eXoDia cbe59495aa fixed the most ugly bug ever (handle leaks...) 2014-05-10 15:00:59 +02:00
Mr. eXoDia 8ca6c8d869 fixed a bug with UE_SECTIONNAME in x64 2014-05-09 21:52:14 +02:00
Mr. eXoDia c6744a2602 rewrote GetPE32SectionNumberFromVA 2014-05-09 12:41:46 +02:00
Mr. eXoDia 3c8b51aa52 added UE_CH_DEBUGEVENT custom handler, removed UE_CH_ALLEVENTS (since it's not usable anyway) 2014-04-22 19:32:58 +02:00
mr.exodia c6d15d788e fixed a bug with the breakpoint filters 2014-04-20 18:00:54 +02:00
Mr. eXoDia 1ec5796e36 fixed a bug with the process handle being closed before the custom callback was called 2014-04-18 00:51:17 +02:00
Mr. eXoDia 6d5480559a - fixed a massive deadlock when TitanEngine was used in various processes
- now removes breakpoints before detaching
2014-04-16 20:31:12 +02:00
Mr. eXoDia bc2240d1c1 added export 'TitanOpenProcess' 2014-04-16 19:11:12 +02:00
Mr. eXoDia 98f71dbad6 - fixed EngineSetDebugPrivilege
- added function EngineOpenProcess (with debug privilege option)
- added UE_ENGINE_SET_DEBUG_PRIVILEGE
- added debug privileges before CreateProcess and DebugActiveProcess
- remove debug privilege from the child process
- dumper/handler/importer/process now use EngineOpenProcess
2014-04-16 17:14:20 +02:00
Mr. eXoDia 1ce0b5f838 EngineSetDebugPrivilege function 2014-04-16 16:39:09 +02:00
Mr. eXoDia ddf87c22c0 - replaced all 'long long' with 'ULONG_PTR'
- fixed various bugs in TitanEngine.Debugger.Context (invalid OpenThread access flags)
- added SDK to the project (for easy editing)
2014-04-04 14:53:18 +02:00
cypherpunk 46fe89b5c6 update scylla_wrapper to 0.9.6b 2014-04-04 02:22:15 +02:00
Mr. eXoDia 671f03617f fixed 32-bit registers on x64 2014-04-03 16:48:20 +02:00
mrexodia 3ea763aa6d Merged in AVJoKe/titanengine (pull request #4)
fixed GetContextDataEx and GetContextFPUDataEx
2014-04-03 16:45:52 +02:00
Johann Kempter d1594305c3 Merge bitbucket.org:AVJoKe/titanengine 2014-04-03 14:15:19 +02:00
Johann Kempter 5f702aa1a0 fixed GetContextDataEx and GetContextFPUDataEx
fixed preprocessor definitions for x64
2014-04-03 14:14:41 +02:00
AVJoKe de9270d9e4 Merged mrexodia/titanengine-update into master 2014-04-03 14:09:10 +02:00
NtQuery 2a635dee7e minor handler fixes 2014-03-23 23:31:44 +01:00
NtQuery 2fcbd5d76b fix handler 2014-03-23 17:30:26 +01:00
NtQuery 05531296e3 started bugfixing handler 2014-03-23 16:43:38 +01:00
cypherpunk f82b520428 - updated scylla to 0.9.5a
- verified it fixes virtual drive bug also for TE now
2014-03-21 01:08:00 +01:00
NtQuery 808a1c6c22 dumper merge accident fix 2014-03-20 23:37:17 +01:00
mr.exodia db03afaff0 SetBPXOptions supports UE_BREAKPOINT_TYPE_* 2014-03-20 00:22:14 +01:00
mr.exodia 481e7bb8ca added a check to SetBPXOptions
removed useless VirtualQueryEx
2014-03-20 00:15:56 +01:00
Mr. eXoDia 05f9b7a3fc - rewrote TitanEngine.TLS (resolved issue #38) (tested&working partially on x32) 2014-03-18 22:38:26 +01:00
cypherpunk 2ddae28d52 scylla_wrapper now also using native calls again 2014-03-18 12:20:50 +01:00
cypherpunk 8827bfe1b8 obsolete now 2014-03-18 12:08:17 +01:00
cypherpunk b4ac4835ff updated scylla to 0.9.5 2014-03-18 11:57:19 +01:00
NtQuery 3eeaaede18 update threadlist 2014-03-16 20:57:13 +01:00
NtQuery b427a1f218 fixed thread start address 2014-03-16 17:21:43 +01:00
NtQuery 2ebf55ebba fixed sdk 2014-03-16 16:51:45 +01:00
NtQuery 17d8b6e09e extended thread info 2014-03-16 16:47:08 +01:00
Mr. eXoDia 4e1685b8ea - fixed ThreaderIsThreadActive (first it suspended the thread when it wasn't suspended already) 2014-03-16 01:12:01 +01:00
Mr. eXoDia 10a7373eb3 - working MemoryReadSafe & MemoryWriteSafe in C++ SDK 2014-03-15 16:27:07 +01:00
Mr. eXoDia 4b352ebb2a - removed titanscript related projects (moved to titanscript-update) 2014-03-14 22:14:08 +01:00
Mr. eXoDia 3047edc22b - added function EngineCheckStructAlignment (resolved issue #33) 2014-03-14 21:43:01 +01:00
NtQuery e57ed84252 new release script 2014-03-14 21:19:00 +01:00
NtQuery ea2850e6ec Merge branch 'master' of https://bitbucket.org/mrexodia/titanengine-update 2014-03-14 21:05:01 +01:00
NtQuery 2dc709b487 unicode logger 2014-03-14 21:03:53 +01:00
mrexodia da82dcfcc4 Merged in AVJoKe/titanengine (pull request #3)
better loops, style fixes
2014-03-14 19:56:16 +01:00
Johann Kempter a4ab93e00a better loops 2014-03-14 16:40:35 +01:00
Johann Kempter e0778e2e40 style fixes 2014-03-14 16:17:02 +01:00
NtQuery 55ace2599b char white list 2014-03-14 13:49:21 +01:00
NtQuery a5ed9b685f batch script for releasing 2014-03-14 13:28:14 +01:00
NtQuery aad32594ab do not generate debug info in release mode 2014-03-14 13:18:48 +01:00
NtQuery 0e95295416 bugfix + improvement titanscriptgui 2014-03-14 13:11:19 +01:00
NtQuery 55004da4e3 better loops 2014-03-14 12:49:20 +01:00
NtQuery 216afc27e9 issue #35 2014-03-14 12:45:28 +01:00
Carbon Nobarc fce84f3f33 Merged in AVJoKe/titanengine (pull request #2)
changed FindEx to use MemoryReadSafe, see #32
2014-03-14 12:43:32 +01:00
Johann Kempter 3e0950d72e fixed enumeration in LibrarianRemoveBreakPoint
some style fixes
2014-03-14 10:56:27 +01:00
Johann Kempter 1ca83942f6 changed FindEx to use MemoryReadSafe, see #32 2014-03-14 08:16:46 +01:00
NtQuery 12ae6dcb9d small bugfix 2014-03-13 21:27:18 +01:00
NtQuery f2123991bd unicode bugfixes 2014-03-13 21:21:11 +01:00
NtQuery b57abe7775 Unicode bugfixes 2014-03-13 21:06:51 +01:00
NtQuery 7d3ebc9405 UNICODE!!! + bugfixes 2014-03-13 20:52:18 +01:00
NtQuery 3f824021eb bugfixing GUI 2014-03-13 18:30:51 +01:00
cypherpunk b4217f1d11 safety first 2014-03-13 17:18:09 +01:00
cypherpunk cd9c5f9bce copy log to clipboard function 2014-03-13 16:41:48 +01:00
mr.exodia 9fc398c76b - threaded dialog, meaning you can see the log when a target is running
- aligned the GUI elements
2014-03-13 15:37:21 +01:00
Mr. eXoDia 44ebae8396 - added manifests to make the GUIs look normal on WinXP+ 2014-03-13 14:10:07 +01:00
Mr. eXoDia 0b8ebfd1b1 fixed a bug with the garbage directory 2014-03-13 13:33:04 +01:00
Mr. eXoDia 35d23856fd - AStyle 2014-03-13 13:29:18 +01:00
Mr. eXoDia 2ac41ffb3c - added settings to TitanScriptGui
- fixed a bug with the dump file name
2014-03-13 13:17:30 +01:00
Mr. eXoDia 4692f86dfd - better solution configuration (build everything + dependencies)
- AStyle all over the place
- removed local TitanEngine.lib files (now uses the latest compiled one)
- added icon to TitanScriptGui
- removed local TitanEngine.h files (now uses ..\SDK\CPP\TitanEngine.h)
- english xD
- x64 configurations for TitanUnitTest & TitanScriptGui
2014-03-13 11:43:03 +01:00
cypherpunk b461e843f0 refactored with winapi. windows forms is crap 2014-03-13 03:16:54 +01:00
cypherpunk 1a716c70f7 fix for correct struct alignment 2014-03-13 00:31:12 +01:00
cypherpunk d4c9bacdbf Merge branch 'master' of bitbucket.org:mrexodia/titanengine-update 2014-03-12 23:29:17 +01:00
cypherpunk 13bcf374e1 fix bug introduced by bad merge 2014-03-12 23:29:05 +01:00
NtQuery bdb311d54e endless loop fix 2014-03-12 22:35:44 +01:00
NtQuery e8da7ec7ad fixed disassembler completed 2014-03-12 22:31:30 +01:00
NtQuery 4abe175c5e fixed bad length disassembler code 2014-03-12 20:59:25 +01:00
cypherpunk 91292f2660 titanscriptgui 2014-03-12 19:55:38 +01:00
cypherpunk 4d4c0be059 fix for CPP SDK header 2014-03-12 18:16:11 +01:00
cypherpunk f8c87fbdeb Merge branch 'master' of bitbucket.org:mrexodia/titanengine-update 2014-03-12 17:54:52 +01:00
cypherpunk 2747236e52 obsolete 2014-03-12 17:53:44 +01:00
Mr. eXoDia 8768d8f6d7 updated TitanEngine.hpp 2014-03-12 16:51:01 +01:00
cypherpunk dbb06c8fd5 initial commit for TitanUnitTest 2014-03-12 15:27:42 +01:00
Mr. eXoDia dcfd71b68d resolved issue #29 2014-03-12 14:51:13 +01:00
Mr. eXoDia fc51e0d144 - added StepOut function 2014-03-12 14:49:36 +01:00
Mr. eXoDia 4230d3c986 ? 2014-03-12 14:40:39 +01:00
Mr. eXoDia 2e37c68d43 fixed Global.Debugger.h 2014-03-12 14:39:12 +01:00
Mr. eXoDia 40bd9878c8 - fixed EngineGetModuleBaseRemote (tested&working)
- fixed EngineGetAPINameRemote (tested&working)
- added EngineGetAPIOrdinalRemote (tested&working)
- fixed ImporterGetAPIName & ImporterGetAPINameFromDebugee
- fixed ImporterGetAPIOrdinalNumber & ImporterGetAPIOrdinalNumberFromDebugee
2014-03-12 12:51:22 +01:00
Mr. eXoDia 6dd96b8384 - added function EngineGetAPINameRemote (untested yet) 2014-03-12 11:37:21 +01:00
deep0 3cb15ef49f removed _try..._catch blocks that prevented a successful compilation with DynBuf 2014-03-12 10:38:24 +01:00
Mr. eXoDia 61fdb34693 - formatting 2014-03-12 09:54:13 +01:00
Mr. eXoDia cf37f2a9e9 resolved some compiling problems 2014-03-12 09:47:49 +01:00
Mr. eXoDia c5e260d7d7 Merge branch 'dynmem'
Conflicts:
	TitanEngine/TitanEngine.Breakpoints.cpp
	TitanEngine/TitanEngine.Dumper.cpp
	TitanEngine/TitanEngine.Handler.cpp
	TitanEngine/TitanEngine.PE.Overlay.cpp
	TitanEngine/TitanEngine.Static.cpp
	TitanEngine/TitanEngine.vcxproj.filters
2014-03-12 09:41:14 +01:00
Mr. eXoDia d8f86da5ff resolved issue #29 2014-03-12 09:25:00 +01:00
deep0 d94af70dd0 enable c++ exceptions -> warning-free compile 2014-03-12 02:03:21 +01:00
deep0 5d437ad23d performance 2014-03-12 02:02:55 +01:00
deep0 3718dca0f8 reduce hardcoded buffer sizes 2014-03-12 02:02:38 +01:00
deep0 ef8ad17f62 move external includes to stdafx 2014-03-12 02:02:09 +01:00
deep0 48c8a7820a fix buffer overflow 2014-03-12 02:01:01 +01:00
Mr. eXoDia 7b8f6f4656 - more cleaning of the project 2014-03-12 00:28:05 +01:00
Mr. eXoDia 485be8bbf8 - fixed a small bug in the GUI, taskbar entry should now also have an icon
- removed useless icon sizes (256x256, 128x128 and 64x64) -> 15kb icon
- removed HEADER.BPM -> saves ~200kb
- cleaned up the project a little
2014-03-12 00:07:01 +01:00
Mr. eXoDia dd3727a3b3 - optimizations for Release mode (tested&working) 2014-03-11 23:31:42 +01:00
NtQuery ccb750340c Merge branch 'master' of https://bitbucket.org/mrexodia/titanengine-update 2014-03-11 22:45:31 +01:00
NtQuery b476b0cc5b bug fixes, unicode fixes 2014-03-11 22:45:06 +01:00
Mr. eXoDia 781241a85e - removed scylla_wrapperd 2014-03-11 22:43:49 +01:00
Mr. eXoDia 3675215bf3 - added a debug callback reason for plugins -> UE_PLUGIN_CALL_REASON_UNHANDLEDEXCEPTION
- now plugins are actually registered
- fixed OUTPUT_DEBUG_STRING_EVENT (DBGCode should be set before the callback, so plugins & custom handlers can change it)
2014-03-11 16:14:49 +01:00
Mr. eXoDia 8adda5ee1e - better PluginInformation structure (normal callback definitions) 2014-03-11 15:57:17 +01:00
Mr. eXoDia b4ca7616c9 Merge branch 'master' of bitbucket.org:mrexodia/titanengine-update 2014-03-11 15:37:49 +01:00
Mr. eXoDia 708485a5ce - renamed EngineGetAPIAddressRemote & EngineGetAPIAddressLocal
- updated .def file
2014-03-11 15:36:57 +01:00
cypherpunk 2a5ceba10e Merge branch 'master' of bitbucket.org:mrexodia/titanengine-update 2014-03-11 15:33:02 +01:00
Mr. eXoDia 96d726d156 - fixed ImporterGetRemoteDLLBase 2014-03-11 15:32:46 +01:00
cypherpunk 502b50312a missing leading backslash in plugin path caused plugins not being found 2014-03-11 15:32:34 +01:00
Mr. eXoDia 085e6ae7a9 - added function ImporterGetDLLNameFromDebugeeW
- fixed function ImporterGetDLLNameFromDebugee
- added function EngineGetModuleBaseRemote
- added function EngineGetAPIAddressRemote
- added function EngineGetAPIAddressLocal
- fixed a potential bug in SetAPIBreakPoint & DeleteAPIBreakPoint
- fixed ImpoerterGetDLLName (this function is used on the local process)
- fixed function ImporterGetDLLNameW & ImporterGetDLLName
- moved fixed functions up
2014-03-11 15:25:17 +01:00
Mr. eXoDia 5e5dac1186 - fixed the function EngineGetProcAddressRemote (now supports any number of modules)
- added the function EngineGetModuleBaseRemote
- added export ImporterGetDLLNameW
- fixed export ImporterGetDLLName
2014-03-11 14:53:11 +01:00
NtQuery e60e886cf5 UNICODE-FIX engine improvement 2014-03-11 12:48:16 +01:00
NtQuery a742815814 UNICODE-FIX new ImporterGetRemoteDLLBaseExW 2014-03-11 12:33:06 +01:00
Mr. eXoDia 7d8be98087 - fixed a critical bug in the breakpoint filters
- support for kernel32 -> kernelbase forwarding in SetAPIBreakPoint
2014-03-11 00:50:09 +01:00
mr.exodia f8b46a7a5c - moved GetProcAddressRemote to Global.Engine.Importer
- added various GetProcAddressRemote functions (for easier access)
- Use EngineGetProcAddressRemote in Global.Engine.Hider
- changed MAXIMUM_INSTRUCTION_SIZE to the x86 maximum size
- rewrote SetAPIBreakPoint (untested)
- rewrote DeleteAPIBreakPoint (untested)
2014-03-10 23:37:12 +01:00
NtQuery fd87e8d479 improved ImporterGetRemoteAPIAddressEx 2014-03-10 22:21:21 +01:00
Mr. eXoDia f2d5cec2cc - fixed a bug with plugin loading (plugins were never added to the plugin list) 2014-03-10 21:05:55 +01:00
Mr. eXoDia dcba075a5a renamed NewDebug to Debug 2014-03-10 19:45:13 +01:00
Mr. eXoDia 19dc36d4b0 - NewDebug configuration (temp commit) 2014-03-10 19:37:40 +01:00
Mr. eXoDia 9b21c215c6 - resolved issue #11 2014-03-10 16:47:56 +01:00
cypherpunk b640162cfe fixed typos in SDK headers 2014-03-10 15:40:08 +01:00
Mr. eXoDia 3963d18771 - implemented MemoryWriteSafe
- renamed FilterBreakPoints
- fixed a bug in EnableBPX (now it re-reads the original bytes)
2014-03-10 01:23:05 +01:00
Mr. eXoDia 92eb890c7f - MemoryReadSafe now actually filters breakpoints out of the buffer 2014-03-10 00:42:30 +01:00
Mr. eXoDia 93a8582044 - some new idea, see issue #23
- updated c++ header
2014-03-09 23:10:42 +01:00
Mr. eXoDia a8628215dc - merge conflicts 2014-03-09 22:48:20 +01:00
Mr. eXoDia 97e00e86a4 - resolved issue #22 (dll debugging not working)
- resolved hanging functions in TitanEngine.PE.*
- fixed issues with differences between debug and release builds (caused crashes)
2014-03-09 22:44:13 +01:00
Mr. eXoDia c51b7ac6bb - fixed various project compile/link flags
- using UE_TRAP_FLAG
2014-03-09 22:41:38 +01:00
NtQuery a51f2455ba updated some header and def files 2014-03-09 22:18:21 +01:00
NtQuery 1f4b6de250 fixed EnumProcessModules problems, improved dumper, added new function ReadProcessMemoryEnforce 2014-03-09 22:03:45 +01:00
NtQuery d29b17795c fixed DumpProcessW bugs 2014-03-09 16:59:06 +01:00
NtQuery 829c0e77ba kind of fixed Issue #15 https://bitbucket.org/mrexodia/titanengine-update/issue/15/wrong-assumptoin-about-page-size 2014-03-09 16:18:58 +01:00
Mr. eXoDia 6bdbe09afe - renamed Helper to Global.Helper
- added Global.Helper to the project files
2014-03-08 20:32:11 +01:00
Mr. eXoDia 64bfce97c1 - more fixes for issue #8 2014-03-08 20:22:20 +01:00
Mr. eXoDia 6d23bb68a6 resolved issue #14 2014-03-08 20:12:15 +01:00
Mr. eXoDia b5433a45b1 - resolved issue #8 2014-03-08 20:03:48 +01:00
cypherpunk f0b9f919ee fixed a critical bug that caused Importer::ExportIATEx to crash 2014-03-08 19:53:15 +01:00
Mr. eXoDia 3bfbece7c1 - cleared up issue #13 2014-03-08 19:55:16 +01:00
Mr. eXoDia a322cabe19 resolved issue #10 2014-03-08 19:50:39 +01:00
Mr. eXoDia bc75cfe305 - resolved issue #20 (problems with MapFileAndCheckSumW) 2014-03-08 19:38:27 +01:00
deepzero 68a5a4b7a0 drop VirtualProtect in favor of a DynamicBuffer 2014-03-08 14:47:04 +01:00
deepzero 772c6dbeda drop VirtualAlloc in favor of local variables 2014-03-08 14:44:30 +01:00
deepzero ec558397a7 fix uninitialized pointer 2014-03-08 14:36:54 +01:00
deepzero 7f05518560 add DynBuf dynamic buffer class and IsStrEqual() (unused) 2014-03-08 14:34:19 +01:00
Mr. eXoDia 41c8fa80c3 - fixed a problem with the ExceptionRecord.ExceptionInformation[0] detection for memory breakpoints 2014-03-07 22:07:43 +01:00
deepzero 7bef35b1cf fix two double frees 2014-03-07 18:04:13 +01:00
deepzero 7f1e44bda7 fix some potential underflows (more to come) 2014-03-07 18:03:59 +01:00
deepzero e7deed5ef4 don't directly compare against TRUE 2014-03-07 18:03:25 +01:00
NtQuery a3384e931f fixed various dumper bugs, openprocess bugs 2014-03-07 13:14:46 +01:00
NtQuery 35c3c618b1 added Teb32 and Teb64 functions 2014-03-06 20:17:14 +01:00
mr.exodia 2770c22838 - TitanEngine.Debugger now uses dynamic lists
- TitanEngine.Librarian now uses dynamic lists
2014-03-05 19:57:49 +01:00
mr.exodia bc7906460c - formatting lol
- rewrote TitanEngine.Threader to use a vector (decreased memory footprint)
- Removed function ThreadGetThreadData
2014-03-05 17:49:27 +01:00
cypherpunk 4dfc0351f7 updated Scylla wrapper to 0.9.4 2014-03-05 17:26:31 +01:00
NtQuery 9eb47c282d removed ntdll madness 2014-03-05 14:28:08 +01:00
NtQuery 8984545393 update aPLib v1.1.0 + x64 2014-03-05 11:35:22 +01:00
NtQuery 23b12636c2 hider bugfix 2014-03-05 11:15:54 +01:00
mr.exodia 87e9e7c461 - added x64 API patches 2014-03-05 00:01:24 +01:00
mr.exodia 9502654a71 - heap flags are now hidden 2014-03-04 23:31:16 +01:00
mr.exodia e265f498d0 - removed some useless defines
- added GetPEBLocation64 to the SDK files
- GetPEBLocation is also defined on x64, but does nothing there
- moved a function to Global.Engine.Hider
2014-03-04 21:31:04 +01:00
mr.exodia 92451cfe42 - removed SetBPXEx (conditional breakpoints are removed now)
- no more static breakpoint list
- huge refactoring
- bugs fixed in TitanEngine.Breakpoints
2014-03-04 21:07:07 +01:00
NtQuery ef9ed7ae1f better hidedebugger code, started heap flag 2014-03-04 20:32:26 +01:00
NtQuery 1b3aeeb8bd better hidedebugger code, some fixes 2014-03-04 19:09:39 +01:00
G36KV 8efc8a4b5b better hidedebugger code, new exported function GetPEBLocation64 2014-03-04 18:58:59 +01:00
mr.exodia f65ee470fb - added mutex locker thread
- thread-safe TitanEngine.Debugger.Context
2014-03-04 17:14:32 +01:00
mr.exodia d4265de1e4 - repaired hardware breakpoints again 2014-03-03 23:29:12 +01:00
mr.exodia ab7ea510ec - updated CodeBlocks project 2014-03-03 22:57:04 +01:00
mr.exodia 2b850c3032 - done moving stuff 2014-03-03 22:53:16 +01:00
mr.exodia a781684106 - moved DebugLoop
- moved more breakpoint stuff
- moved more
- moved more
- getting crazy
2014-03-03 21:31:28 +01:00
mr.exodia 4f4f547d30 - more migration 2014-03-03 20:49:22 +01:00
mr.exodia 381252384f - more separations 2014-03-03 20:20:55 +01:00
mr.exodia 7c33b6de54 - moved TitanEngine.Dumper functions 2014-03-03 16:57:40 +01:00
mr.exodia be9eb03cc1 - separated Global.Engine.Hash
- separated EngineInit
2014-03-03 16:51:33 +01:00
mr.exodia f6a155c3d5 - fixed hardware breakpoints (first they used CONTEXT_CONTROL, should be CONTEXT_DEBUG_REGISTERS, thanks to roocoon for reporting!) 2014-02-20 11:20:55 +01:00
mr.exodia 215358f19d more refactoring 2014-02-19 18:00:04 +01:00
mr.exodia a1134258a5 - baby steps in better TitanEngine code 2014-02-19 17:52:38 +01:00
mr.exodia 5f5acc1338 - fixed a definition error (found by cypher_punk) 2014-02-11 17:55:15 +01:00
mr.exodia 2ae7e9e541 - added RipEvent callback
- removed debug message
2014-02-08 20:44:07 +01:00
mr.exodia 355fd1bada fixed a massive bug with exception handling (almost all exceptions were swallowed by the debugger) 2014-02-08 20:35:14 +01:00
mr.exodia ba35c43ddc fixed another anti-debug trick (DBG_RIPEXCEPTION) 2014-02-08 20:20:08 +01:00
mr.exodia 7ef9d9ef63 - fixed a switch statement
- fixed an anti-debug trick using the DBG_PRINTEXCEPTION_C (0x40010006)
2014-02-08 20:10:37 +01:00
mr.exodia 0590511f5d switch statements in DebugLoop function 2014-02-08 19:33:06 +01:00
mr.exodia 07291f2710 fixed a spelling mistake (thanks to hors) 2014-01-27 17:24:52 +01:00
181 changed files with 66342 additions and 37558 deletions

3
.gitattributes vendored Normal file

@ -0,0 +1,3 @@
# cmkr
/**/CMakeLists.txt linguist-generated
/**/cmkr.cmake linguist-vendored
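Review bot: marking `/**/CMakeLists.txt` as `linguist-generated` on the second line hides that file's diff by default on hosts that honor the attribute, yet it is the file CMake actually executes. Please note in the change description that reviewers should diff `cmake.toml` and confirm the regenerated `CMakeLists.txt` matches it, so a hand edit to the generated file cannot pass unnoticed.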

324
.gitignore vendored

@ -1,157 +1,171 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
*.cscope_file_list
*.bmarks
*.depend
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
Win32/
build/
[Bb]in/
[Oo]bj/
.vs/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
*.cscope_file_list
*.bmarks
*.depend
*.layout
*.orig
*.cbTemp
cov-*
coverity*
*.user
# Release
deps/
# CMake
build*/
cmake-build*/
CMakeUserPresets.json
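Review bot: the `*.user` entry added near the end repeats the one already under `# User-specific files`, and `*.log` is still listed twice in the build-results block; drop the duplicates. The new `build*/` under `# CMake` also makes the existing `build/` entry redundant and ignores every directory whose name starts with `build`, at any depth, so anchor it (for example `/build*/`) if only top-level build trees are meant.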

241
CMakeLists.txt generated Normal file

@ -0,0 +1,241 @@
# This file is automatically generated from cmake.toml - DO NOT EDIT
# See https://github.com/build-cpp/cmkr for more information
cmake_minimum_required(VERSION 3.15)
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_BINARY_DIR)
message(FATAL_ERROR "In-tree builds are not supported. Run CMake from a separate directory: cmake -B build")
endif()
# Enable support for MSVC_RUNTIME_LIBRARY
cmake_policy(SET CMP0091 NEW)
set(CMKR_ROOT_PROJECT OFF)
if(CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR)
set(CMKR_ROOT_PROJECT ON)
# Bootstrap cmkr and automatically regenerate CMakeLists.txt
include(cmkr.cmake OPTIONAL RESULT_VARIABLE CMKR_INCLUDE_RESULT)
if(CMKR_INCLUDE_RESULT)
cmkr()
endif()
# Enable folder support
set_property(GLOBAL PROPERTY USE_FOLDERS ON)
# Create a configure-time dependency on cmake.toml to improve IDE support
set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS cmake.toml)
if(NOT DEFINED CMAKE_MSVC_RUNTIME_LIBRARY)
set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
endif()
endif()
# Options
option(TITANENGINE_RESOURCES "" ON)
project(TitanEngine
LANGUAGES
C
CXX
)
# Target: distorm
set(distorm_SOURCES
cmake.toml
"distorm/include/distorm.h"
"distorm/include/mnemonics.h"
"distorm/src/distorm.c"
)
add_library(distorm STATIC)
target_sources(distorm PRIVATE ${distorm_SOURCES})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${distorm_SOURCES})
target_include_directories(distorm PUBLIC
"distorm/include"
)
# Target: scylla_wrapper
set(scylla_wrapper_SOURCES
cmake.toml
"scylla_wrapper/ApiReader.cpp"
"scylla_wrapper/ApiReader.h"
"scylla_wrapper/Architecture.cpp"
"scylla_wrapper/Architecture.h"
"scylla_wrapper/DeviceNameResolver.cpp"
"scylla_wrapper/DeviceNameResolver.h"
"scylla_wrapper/IATReferenceScan.cpp"
"scylla_wrapper/IATReferenceScan.h"
"scylla_wrapper/IATSearch.cpp"
"scylla_wrapper/IATSearch.h"
"scylla_wrapper/ImportRebuilder.cpp"
"scylla_wrapper/ImportRebuilder.h"
"scylla_wrapper/NativeWinApi.cpp"
"scylla_wrapper/NativeWinApi.h"
"scylla_wrapper/PeParser.cpp"
"scylla_wrapper/PeParser.h"
"scylla_wrapper/ProcessAccessHelp.cpp"
"scylla_wrapper/ProcessAccessHelp.h"
"scylla_wrapper/ProcessLister.cpp"
"scylla_wrapper/ProcessLister.h"
"scylla_wrapper/StringConversion.cpp"
"scylla_wrapper/StringConversion.h"
"scylla_wrapper/SystemInformation.cpp"
"scylla_wrapper/SystemInformation.h"
"scylla_wrapper/Thunks.cpp"
"scylla_wrapper/Thunks.h"
"scylla_wrapper/include/scylla_wrapper.h"
"scylla_wrapper/mnemonics.h"
"scylla_wrapper/scylla_wrapper.cpp"
"scylla_wrapper/stdafx.cpp"
"scylla_wrapper/stdafx.h"
"scylla_wrapper/targetver.h"
)
add_library(scylla_wrapper STATIC)
target_sources(scylla_wrapper PRIVATE ${scylla_wrapper_SOURCES})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${scylla_wrapper_SOURCES})
target_compile_features(scylla_wrapper PUBLIC
cxx_std_11
)
target_include_directories(scylla_wrapper PUBLIC
"scylla_wrapper/include"
)
if(NOT TARGET distorm)
message(FATAL_ERROR "Target \"distorm\" referenced by \"scylla_wrapper\" does not exist!")
endif()
target_link_libraries(scylla_wrapper PUBLIC
distorm
)
# Target: TitanEngine
set(TitanEngine_SOURCES
"TitanEngine/Global.Breakpoints.cpp"
"TitanEngine/Global.Breakpoints.h"
"TitanEngine/Global.Debugger.cpp"
"TitanEngine/Global.Debugger.h"
"TitanEngine/Global.Engine.Context.cpp"
"TitanEngine/Global.Engine.Context.h"
"TitanEngine/Global.Engine.GUI.cpp"
"TitanEngine/Global.Engine.GUI.h"
"TitanEngine/Global.Engine.Hash.cpp"
"TitanEngine/Global.Engine.Hash.h"
"TitanEngine/Global.Engine.Hider.cpp"
"TitanEngine/Global.Engine.Hider.h"
"TitanEngine/Global.Engine.Hook.cpp"
"TitanEngine/Global.Engine.Hook.h"
"TitanEngine/Global.Engine.Importer.cpp"
"TitanEngine/Global.Engine.Importer.h"
"TitanEngine/Global.Engine.Simplification.cpp"
"TitanEngine/Global.Engine.Simplification.h"
"TitanEngine/Global.Engine.Threading.cpp"
"TitanEngine/Global.Engine.Threading.h"
"TitanEngine/Global.Engine.cpp"
"TitanEngine/Global.Engine.h"
"TitanEngine/Global.Garbage.cpp"
"TitanEngine/Global.Garbage.h"
"TitanEngine/Global.Handle.cpp"
"TitanEngine/Global.Handle.h"
"TitanEngine/Global.Helper.cpp"
"TitanEngine/Global.Helper.h"
"TitanEngine/Global.Injector.cpp"
"TitanEngine/Global.Injector.h"
"TitanEngine/Global.Librarian.cpp"
"TitanEngine/Global.Librarian.h"
"TitanEngine/Global.Mapping.cpp"
"TitanEngine/Global.Mapping.h"
"TitanEngine/Global.OEPFinder.cpp"
"TitanEngine/Global.OEPFinder.h"
"TitanEngine/Global.Realigner.cpp"
"TitanEngine/Global.Realigner.h"
"TitanEngine/Global.TLS.cpp"
"TitanEngine/Global.TLS.h"
"TitanEngine/Global.Threader.cpp"
"TitanEngine/Global.Threader.h"
"TitanEngine/LzmaDec.cpp"
"TitanEngine/LzmaDec.h"
"TitanEngine/LzmaTypes.h"
"TitanEngine/TitanEngine.Breakpoints.cpp"
"TitanEngine/TitanEngine.Debugger.Context.cpp"
"TitanEngine/TitanEngine.Debugger.Control.cpp"
"TitanEngine/TitanEngine.Debugger.Data.cpp"
"TitanEngine/TitanEngine.Debugger.DebugLoop.cpp"
"TitanEngine/TitanEngine.Debugger.Helper.cpp"
"TitanEngine/TitanEngine.Debugger.Memory.cpp"
"TitanEngine/TitanEngine.Debugger.cpp"
"TitanEngine/TitanEngine.Disassembler.cpp"
"TitanEngine/TitanEngine.Dumper.cpp"
"TitanEngine/TitanEngine.Engine.Simplification.cpp"
"TitanEngine/TitanEngine.Engine.cpp"
"TitanEngine/TitanEngine.Exporter.cpp"
"TitanEngine/TitanEngine.Handler.cpp"
"TitanEngine/TitanEngine.Hider.cpp"
"TitanEngine/TitanEngine.Hooks.cpp"
"TitanEngine/TitanEngine.Importer.cpp"
"TitanEngine/TitanEngine.Injector.cpp"
"TitanEngine/TitanEngine.Librarian.cpp"
"TitanEngine/TitanEngine.OEPFinder.cpp"
"TitanEngine/TitanEngine.PE.Convert.cpp"
"TitanEngine/TitanEngine.PE.Data.cpp"
"TitanEngine/TitanEngine.PE.Fixer.cpp"
"TitanEngine/TitanEngine.PE.Overlay.cpp"
"TitanEngine/TitanEngine.PE.Section.cpp"
"TitanEngine/TitanEngine.PE.cpp"
"TitanEngine/TitanEngine.Process.cpp"
"TitanEngine/TitanEngine.Realigner.cpp"
"TitanEngine/TitanEngine.Relocator.cpp"
"TitanEngine/TitanEngine.Resourcer.cpp"
"TitanEngine/TitanEngine.Static.cpp"
"TitanEngine/TitanEngine.TLS.cpp"
"TitanEngine/TitanEngine.Threader.cpp"
"TitanEngine/TitanEngine.Tracer.cpp"
"TitanEngine/TitanEngine.TranslateName.cpp"
"TitanEngine/TitanEngine.cpp"
"TitanEngine/aplib.h"
"TitanEngine/definitions.h"
"TitanEngine/ntdll.h"
"TitanEngine/resource.h"
"TitanEngine/stdafx.cpp"
"TitanEngine/stdafx.h"
"TitanEngine/targetver.h"
cmake.toml
)
if(TITANENGINE_RESOURCES) # TITANENGINE_RESOURCES
list(APPEND TitanEngine_SOURCES
"TitanEngine/TitanEngine.rc"
)
endif()
add_library(TitanEngine SHARED)
target_sources(TitanEngine PRIVATE ${TitanEngine_SOURCES})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${TitanEngine_SOURCES})
if(NOT TARGET scylla_wrapper)
message(FATAL_ERROR "Target \"scylla_wrapper\" referenced by \"TitanEngine\" does not exist!")
endif()
target_link_libraries(TitanEngine PRIVATE
scylla_wrapper
Psapi.lib
)
if(CMAKE_SIZEOF_VOID_P EQUAL 8) # x64
target_link_libraries(TitanEngine PRIVATE
"${CMAKE_CURRENT_SOURCE_DIR}/TitanEngine/ntdll_x64.lib"
)
endif()
if(CMAKE_SIZEOF_VOID_P EQUAL 4) # x32
target_link_libraries(TitanEngine PRIVATE
"${CMAKE_CURRENT_SOURCE_DIR}/TitanEngine/ntdll_x86.lib"
)
endif()
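Review bot: the two `CMAKE_SIZEOF_VOID_P` blocks at the end link prebuilt `TitanEngine/ntdll_x64.lib` and `TitanEngine/ntdll_x86.lib` straight from the source tree, and nothing here records where those binaries come from or handles the case where neither condition matches. Please document their origin (or generate them from a `.def` file at build time) and replace the second `if` with an `else()` branch or a `message(FATAL_ERROR ...)` for unexpected pointer sizes. Separately, `option(TITANENGINE_RESOURCES "" ON)` has an empty help string; since this file is generated, the description belongs in `cmake.toml`.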

165
LICENSE Normal file

@ -0,0 +1,165 @@
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates
the terms and conditions of version 3 of the GNU General Public
License, supplemented by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser
General Public License, and the "GNU GPL" refers to version 3 of the GNU
General Public License.
"The Library" refers to a covered work governed by this License,
other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided
by the Library, but which is not otherwise based on the Library.
Defining a subclass of a class defined by the Library is deemed a mode
of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an
Application with the Library. The particular version of the Library
with which the Combined Work was made is also called the "Linked
Version".
The "Minimal Corresponding Source" for a Combined Work means the
Corresponding Source for the Combined Work, excluding any source code
for portions of the Combined Work that, considered in isolation, are
based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the
object code and/or source code for the Application, including any data
and utility programs needed for reproducing the Combined Work from the
Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License
without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a
facility refers to a function or data to be supplied by an Application
that uses the facility (other than as an argument passed when the
facility is invoked), then you may convey a copy of the modified
version:
a) under this License, provided that you make a good faith effort to
ensure that, in the event an Application does not supply the
function or data, the facility still operates, and performs
whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of
this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from
a header file that is part of the Library. You may convey such object
code under terms of your choice, provided that, if the incorporated
material is not limited to numerical parameters, data structure
layouts and accessors, or small macros, inline functions and templates
(ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the
Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license
document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that,
taken together, effectively do not restrict modification of the
portions of the Library contained in the Combined Work and reverse
engineering for debugging such modifications, if you also do each of
the following:
a) Give prominent notice with each copy of the Combined Work that
the Library is used in it and that the Library and its use are
covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during
execution, include the copyright notice for the Library among
these notices, as well as a reference directing the user to the
copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this
License, and the Corresponding Application Code in a form
suitable for, and under terms that permit, the user to
recombine or relink the Application with a modified version of
the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying
Corresponding Source.
1) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (a) uses at run time
a copy of the Library already present on the user's computer
system, and (b) will operate properly with a modified version
of the Library that is interface-compatible with the Linked
Version.
e) Provide Installation Information, but only if you would otherwise
be required to provide such information under section 6 of the
GNU GPL, and only to the extent that such information is
necessary to install and execute a modified version of the
Combined Work produced by recombining or relinking the
Application with a modified version of the Linked Version. (If
you use option 4d0, the Installation Information must accompany
the Minimal Corresponding Source and Corresponding Application
Code. If you use option 4d1, you must provide the Installation
Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the
Library side by side in a single library together with other library
facilities that are not Applications and are not covered by this
License, and convey such a combined library under terms of your
choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based
on the Library, uncombined with any other library facilities,
conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it
is a work based on the Library, and explaining where to find the
accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions
of the GNU Lesser General Public License from time to time. Such new
versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the
Library as you received it specifies that a certain numbered version
of the GNU Lesser General Public License "or any later version"
applies to it, you have the option of following the terms and
conditions either of that published version or of any later version
published by the Free Software Foundation. If the Library as you
received it does not specify a version number of the GNU Lesser
General Public License, you may choose any version of the GNU Lesser
General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide
whether future versions of the GNU Lesser General Public License shall
apply, that proxy's public statement of acceptance of any version is
permanent authorization for you to choose that version for the
Library.


@ -1,946 +0,0 @@
#ifndef TITANENGINE
#define TITANENGINE
#define TITCALL
#if _MSC_VER > 1000
#pragma once
#endif
#include <windows.h>
#pragma pack(push, 1)
// Global.Constant.Structure.Declaration:
// Engine.External:
#define UE_ACCESS_READ 0
#define UE_ACCESS_WRITE 1
#define UE_ACCESS_ALL 2
#define UE_HIDE_PEBONLY 0
#define UE_HIDE_BASIC 1
#define UE_PLUGIN_CALL_REASON_PREDEBUG 1
#define UE_PLUGIN_CALL_REASON_EXCEPTION 2
#define UE_PLUGIN_CALL_REASON_POSTDEBUG 3
#define TEE_HOOK_NRM_JUMP 1
#define TEE_HOOK_NRM_CALL 3
#define TEE_HOOK_IAT 5
#define UE_ENGINE_ALOW_MODULE_LOADING 1
#define UE_ENGINE_AUTOFIX_FORWARDERS 2
#define UE_ENGINE_PASS_ALL_EXCEPTIONS 3
#define UE_ENGINE_NO_CONSOLE_WINDOW 4
#define UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS 5
#define UE_ENGINE_CALL_PLUGIN_CALLBACK 6
#define UE_ENGINE_RESET_CUSTOM_HANDLER 7
#define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8
#define UE_OPTION_REMOVEALL 1
#define UE_OPTION_DISABLEALL 2
#define UE_OPTION_REMOVEALLDISABLED 3
#define UE_OPTION_REMOVEALLENABLED 4
#define UE_STATIC_DECRYPTOR_XOR 1
#define UE_STATIC_DECRYPTOR_SUB 2
#define UE_STATIC_DECRYPTOR_ADD 3
#define UE_STATIC_DECRYPTOR_FOREWARD 1
#define UE_STATIC_DECRYPTOR_BACKWARD 2
#define UE_STATIC_KEY_SIZE_1 1
#define UE_STATIC_KEY_SIZE_2 2
#define UE_STATIC_KEY_SIZE_4 4
#define UE_STATIC_KEY_SIZE_8 8
#define UE_STATIC_APLIB 1
#define UE_STATIC_APLIB_DEPACK 2
#define UE_STATIC_LZMA 3
#define UE_STATIC_HASH_MD5 1
#define UE_STATIC_HASH_SHA1 2
#define UE_STATIC_HASH_CRC32 3
#define UE_RESOURCE_LANGUAGE_ANY -1
#define UE_PE_OFFSET 0
#define UE_IMAGEBASE 1
#define UE_OEP 2
#define UE_SIZEOFIMAGE 3
#define UE_SIZEOFHEADERS 4
#define UE_SIZEOFOPTIONALHEADER 5
#define UE_SECTIONALIGNMENT 6
#define UE_IMPORTTABLEADDRESS 7
#define UE_IMPORTTABLESIZE 8
#define UE_RESOURCETABLEADDRESS 9
#define UE_RESOURCETABLESIZE 10
#define UE_EXPORTTABLEADDRESS 11
#define UE_EXPORTTABLESIZE 12
#define UE_TLSTABLEADDRESS 13
#define UE_TLSTABLESIZE 14
#define UE_RELOCATIONTABLEADDRESS 15
#define UE_RELOCATIONTABLESIZE 16
#define UE_TIMEDATESTAMP 17
#define UE_SECTIONNUMBER 18
#define UE_CHECKSUM 19
#define UE_SUBSYSTEM 20
#define UE_CHARACTERISTICS 21
#define UE_NUMBEROFRVAANDSIZES 22
#define UE_BASEOFCODE 23
#define UE_BASEOFDATA 24
//leaving some enum space here for future additions
#define UE_SECTIONNAME 40
#define UE_SECTIONVIRTUALOFFSET 41
#define UE_SECTIONVIRTUALSIZE 42
#define UE_SECTIONRAWOFFSET 43
#define UE_SECTIONRAWSIZE 44
#define UE_SECTIONFLAGS 45
#define UE_VANOTFOUND = -2;
#define UE_CH_BREAKPOINT 1
#define UE_CH_SINGLESTEP 2
#define UE_CH_ACCESSVIOLATION 3
#define UE_CH_ILLEGALINSTRUCTION 4
#define UE_CH_NONCONTINUABLEEXCEPTION 5
#define UE_CH_ARRAYBOUNDSEXCEPTION 6
#define UE_CH_FLOATDENORMALOPERAND 7
#define UE_CH_FLOATDEVIDEBYZERO 8
#define UE_CH_INTEGERDEVIDEBYZERO 9
#define UE_CH_INTEGEROVERFLOW 10
#define UE_CH_PRIVILEGEDINSTRUCTION 11
#define UE_CH_PAGEGUARD 12
#define UE_CH_EVERYTHINGELSE 13
#define UE_CH_CREATETHREAD 14
#define UE_CH_EXITTHREAD 15
#define UE_CH_CREATEPROCESS 16
#define UE_CH_EXITPROCESS 17
#define UE_CH_LOADDLL 18
#define UE_CH_UNLOADDLL 19
#define UE_CH_OUTPUTDEBUGSTRING 20
#define UE_CH_AFTEREXCEPTIONPROCESSING 21
#define UE_CH_ALLEVENTS 22
#define UE_CH_SYSTEMBREAKPOINT 23
#define UE_CH_UNHANDLEDEXCEPTION 24
#define UE_OPTION_HANDLER_RETURN_HANDLECOUNT 1
#define UE_OPTION_HANDLER_RETURN_ACCESS 2
#define UE_OPTION_HANDLER_RETURN_FLAGS 3
#define UE_OPTION_HANDLER_RETURN_TYPENAME 4
#define UE_BREAKPOINT_INT3 1
#define UE_BREAKPOINT_LONG_INT3 2
#define UE_BREAKPOINT_UD2 3
#define UE_BPXREMOVED 0
#define UE_BPXACTIVE 1
#define UE_BPXINACTIVE 2
#define UE_BREAKPOINT 0
#define UE_SINGLESHOOT 1
#define UE_HARDWARE 2
#define UE_MEMORY 3
#define UE_MEMORY_READ 4
#define UE_MEMORY_WRITE 5
#define UE_MEMORY_EXECUTE 6
#define UE_BREAKPOINT_TYPE_INT3 0x10000000
#define UE_BREAKPOINT_TYPE_LONG_INT3 0x20000000
#define UE_BREAKPOINT_TYPE_UD2 0x30000000
#define UE_HARDWARE_EXECUTE 4
#define UE_HARDWARE_WRITE 5
#define UE_HARDWARE_READWRITE 6
#define UE_HARDWARE_SIZE_1 7
#define UE_HARDWARE_SIZE_2 8
#define UE_HARDWARE_SIZE_4 9
#define UE_HARDWARE_SIZE_8 10
#define UE_ON_LIB_LOAD 1
#define UE_ON_LIB_UNLOAD 2
#define UE_ON_LIB_ALL 3
#define UE_APISTART 0
#define UE_APIEND 1
#define UE_PLATFORM_x86 1
#define UE_PLATFORM_x64 2
#define UE_PLATFORM_ALL 3
#define UE_FUNCTION_STDCALL 1
#define UE_FUNCTION_CCALL 2
#define UE_FUNCTION_FASTCALL 3
#define UE_FUNCTION_STDCALL_RET 4
#define UE_FUNCTION_CCALL_RET 5
#define UE_FUNCTION_FASTCALL_RET 6
#define UE_FUNCTION_STDCALL_CALL 7
#define UE_FUNCTION_CCALL_CALL 8
#define UE_FUNCTION_FASTCALL_CALL 9
#define UE_PARAMETER_BYTE 0
#define UE_PARAMETER_WORD 1
#define UE_PARAMETER_DWORD 2
#define UE_PARAMETER_QWORD 3
#define UE_PARAMETER_PTR_BYTE 4
#define UE_PARAMETER_PTR_WORD 5
#define UE_PARAMETER_PTR_DWORD 6
#define UE_PARAMETER_PTR_QWORD 7
#define UE_PARAMETER_STRING 8
#define UE_PARAMETER_UNICODE 9
#define UE_CMP_NOCONDITION 0
#define UE_CMP_EQUAL 1
#define UE_CMP_NOTEQUAL 2
#define UE_CMP_GREATER 3
#define UE_CMP_GREATEROREQUAL 4
#define UE_CMP_LOWER 5
#define UE_CMP_LOWEROREQUAL 6
#define UE_CMP_REG_EQUAL 7
#define UE_CMP_REG_NOTEQUAL 8
#define UE_CMP_REG_GREATER 9
#define UE_CMP_REG_GREATEROREQUAL 10
#define UE_CMP_REG_LOWER 11
#define UE_CMP_REG_LOWEROREQUAL 12
#define UE_CMP_ALWAYSFALSE 13
#define UE_EAX 1
#define UE_EBX 2
#define UE_ECX 3
#define UE_EDX 4
#define UE_EDI 5
#define UE_ESI 6
#define UE_EBP 7
#define UE_ESP 8
#define UE_EIP 9
#define UE_EFLAGS 10
#define UE_DR0 11
#define UE_DR1 12
#define UE_DR2 13
#define UE_DR3 14
#define UE_DR6 15
#define UE_DR7 16
#define UE_RAX 17
#define UE_RBX 18
#define UE_RCX 19
#define UE_RDX 20
#define UE_RDI 21
#define UE_RSI 22
#define UE_RBP 23
#define UE_RSP 24
#define UE_RIP 25
#define UE_RFLAGS 26
#define UE_R8 27
#define UE_R9 28
#define UE_R10 29
#define UE_R11 30
#define UE_R12 31
#define UE_R13 32
#define UE_R14 33
#define UE_R15 34
#define UE_CIP 35
#define UE_CSP 36
#ifdef _WIN64
#define UE_CFLAGS UE_RFLAGS
#else
#define UE_CFLAGS UE_EFLAGS
#endif
#define UE_SEG_GS 37
#define UE_SEG_FS 38
#define UE_SEG_ES 39
#define UE_SEG_DS 40
#define UE_SEG_CS 41
#define UE_SEG_SS 42
typedef struct
{
DWORD PE32Offset;
DWORD ImageBase;
DWORD OriginalEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD NtSizeOfImage;
DWORD NtSizeOfHeaders;
WORD SizeOfOptionalHeaders;
DWORD FileAlignment;
DWORD SectionAligment;
DWORD ImportTableAddress;
DWORD ImportTableSize;
DWORD ResourceTableAddress;
DWORD ResourceTableSize;
DWORD ExportTableAddress;
DWORD ExportTableSize;
DWORD TLSTableAddress;
DWORD TLSTableSize;
DWORD RelocationTableAddress;
DWORD RelocationTableSize;
DWORD TimeDateStamp;
WORD SectionNumber;
DWORD CheckSum;
WORD SubSystem;
WORD Characteristics;
DWORD NumberOfRvaAndSizes;
} PE32Struct, *PPE32Struct;
typedef struct
{
DWORD PE64Offset;
DWORD64 ImageBase;
DWORD OriginalEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD NtSizeOfImage;
DWORD NtSizeOfHeaders;
WORD SizeOfOptionalHeaders;
DWORD FileAlignment;
DWORD SectionAligment;
DWORD ImportTableAddress;
DWORD ImportTableSize;
DWORD ResourceTableAddress;
DWORD ResourceTableSize;
DWORD ExportTableAddress;
DWORD ExportTableSize;
DWORD TLSTableAddress;
DWORD TLSTableSize;
DWORD RelocationTableAddress;
DWORD RelocationTableSize;
DWORD TimeDateStamp;
WORD SectionNumber;
DWORD CheckSum;
WORD SubSystem;
WORD Characteristics;
DWORD NumberOfRvaAndSizes;
} PE64Struct, *PPE64Struct;
#if defined(_WIN64)
typedef PE64Struct PEStruct;
#else
typedef PE32Struct PEStruct;
#endif
typedef struct
{
bool NewDll;
int NumberOfImports;
ULONG_PTR ImageBase;
ULONG_PTR BaseImportThunk;
ULONG_PTR ImportThunk;
char* APIName;
char* DLLName;
} ImportEnumData, *PImportEnumData;
typedef struct
{
HANDLE hThread;
DWORD dwThreadId;
void* ThreadStartAddress;
void* ThreadLocalBase;
} THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
typedef struct
{
HANDLE hFile;
void* BaseOfDll;
HANDLE hFileMapping;
void* hFileMappingView;
char szLibraryPath[MAX_PATH];
char szLibraryName[MAX_PATH];
} LIBRARY_ITEM_DATA, *PLIBRARY_ITEM_DATA;
typedef struct
{
HANDLE hFile;
void* BaseOfDll;
HANDLE hFileMapping;
void* hFileMappingView;
wchar_t szLibraryPath[MAX_PATH];
wchar_t szLibraryName[MAX_PATH];
} LIBRARY_ITEM_DATAW, *PLIBRARY_ITEM_DATAW;
typedef struct
{
HANDLE hProcess;
DWORD dwProcessId;
HANDLE hThread;
DWORD dwThreadId;
HANDLE hFile;
void* BaseOfImage;
void* ThreadStartAddress;
void* ThreadLocalBase;
} PROCESS_ITEM_DATA, *PPROCESS_ITEM_DATA;
typedef struct
{
ULONG ProcessId;
HANDLE hHandle;
} HandlerArray, *PHandlerArray;
typedef struct
{
char PluginName[64];
DWORD PluginMajorVersion;
DWORD PluginMinorVersion;
HMODULE PluginBaseAddress;
void* TitanDebuggingCallBack;
void* TitanRegisterPlugin;
void* TitanReleasePlugin;
void* TitanResetPlugin;
bool PluginDisabled;
} PluginInformation, *PPluginInformation;
#define TEE_MAXIMUM_HOOK_SIZE 14
#define TEE_MAXIMUM_HOOK_RELOCS 7
#if defined(_WIN64)
#define TEE_MAXIMUM_HOOK_INSERT_SIZE 14
#else
#define TEE_MAXIMUM_HOOK_INSERT_SIZE 5
#endif
typedef struct HOOK_ENTRY
{
bool IATHook;
BYTE HookType;
DWORD HookSize;
void* HookAddress;
void* RedirectionAddress;
BYTE HookBytes[TEE_MAXIMUM_HOOK_SIZE];
BYTE OriginalBytes[TEE_MAXIMUM_HOOK_SIZE];
void* IATHookModuleBase;
DWORD IATHookNameHash;
bool HookIsEnabled;
bool HookIsRemote;
void* PatchedEntry;
DWORD RelocationInfo[TEE_MAXIMUM_HOOK_RELOCS];
int RelocationCount;
} HOOK_ENTRY, *PHOOK_ENTRY;
#define UE_DEPTH_SURFACE 0
#define UE_DEPTH_DEEP 1
#define UE_UNPACKER_CONDITION_SEARCH_FROM_EP 1
#define UE_UNPACKER_CONDITION_LOADLIBRARY 1
#define UE_UNPACKER_CONDITION_GETPROCADDRESS 2
#define UE_UNPACKER_CONDITION_ENTRYPOINTBREAK 3
#define UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 4
#define UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 5
#define UE_FIELD_OK 0
#define UE_FIELD_BROKEN_NON_FIXABLE 1
#define UE_FIELD_BROKEN_NON_CRITICAL 2
#define UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE 3
#define UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED 4
#define UE_FILED_FIXABLE_NON_CRITICAL 5
#define UE_FILED_FIXABLE_CRITICAL 6
#define UE_FIELD_NOT_PRESET 7
#define UE_FIELD_NOT_PRESET_WARNING 8
#define UE_RESULT_FILE_OK 10
#define UE_RESULT_FILE_INVALID_BUT_FIXABLE 11
#define UE_RESULT_FILE_INVALID_AND_NON_FIXABLE 12
#define UE_RESULT_FILE_INVALID_FORMAT 13
typedef struct
{
BYTE OveralEvaluation;
bool EvaluationTerminatedByException;
bool FileIs64Bit;
bool FileIsDLL;
bool FileIsConsole;
bool MissingDependencies;
bool MissingDeclaredAPIs;
BYTE SignatureMZ;
BYTE SignaturePE;
BYTE EntryPoint;
BYTE ImageBase;
BYTE SizeOfImage;
BYTE FileAlignment;
BYTE SectionAlignment;
BYTE ExportTable;
BYTE RelocationTable;
BYTE ImportTable;
BYTE ImportTableSection;
BYTE ImportTableData;
BYTE IATTable;
BYTE TLSTable;
BYTE LoadConfigTable;
BYTE BoundImportTable;
BYTE COMHeaderTable;
BYTE ResourceTable;
BYTE ResourceData;
BYTE SectionTable;
} FILE_STATUS_INFO, *PFILE_STATUS_INFO;
typedef struct
{
BYTE OveralEvaluation;
bool FixingTerminatedByException;
bool FileFixPerformed;
bool StrippedRelocation;
bool DontFixRelocations;
DWORD OriginalRelocationTableAddress;
DWORD OriginalRelocationTableSize;
bool StrippedExports;
bool DontFixExports;
DWORD OriginalExportTableAddress;
DWORD OriginalExportTableSize;
bool StrippedResources;
bool DontFixResources;
DWORD OriginalResourceTableAddress;
DWORD OriginalResourceTableSize;
bool StrippedTLS;
bool DontFixTLS;
DWORD OriginalTLSTableAddress;
DWORD OriginalTLSTableSize;
bool StrippedLoadConfig;
bool DontFixLoadConfig;
DWORD OriginalLoadConfigTableAddress;
DWORD OriginalLoadConfigTableSize;
bool StrippedBoundImports;
bool DontFixBoundImports;
DWORD OriginalBoundImportTableAddress;
DWORD OriginalBoundImportTableSize;
bool StrippedIAT;
bool DontFixIAT;
DWORD OriginalImportAddressTableAddress;
DWORD OriginalImportAddressTableSize;
bool StrippedCOM;
bool DontFixCOM;
DWORD OriginalCOMTableAddress;
DWORD OriginalCOMTableSize;
} FILE_FIX_INFO, *PFILE_FIX_INFO;
#ifdef __cplusplus
extern "C"
{
#endif
// Global.Function.Declaration:
// TitanEngine.Dumper.functions:
__declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBase, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName);
__declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName);
__declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDebuggedFileName);
__declspec(dllexport) bool TITCALL ExtractSection(char* szFileName, char* szDumpFileName, DWORD SectionNumber);
__declspec(dllexport) bool TITCALL ExtractSectionW(wchar_t* szFileName, wchar_t* szDumpFileName, DWORD SectionNumber);
__declspec(dllexport) bool TITCALL ResortFileSections(char* szFileName);
__declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL FindOverlay(char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize);
__declspec(dllexport) bool TITCALL FindOverlayW(wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize);
__declspec(dllexport) bool TITCALL ExtractOverlay(char* szFileName, char* szExtactedFileName);
__declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* szExtactedFileName);
__declspec(dllexport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName);
__declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szOverlayFileName);
__declspec(dllexport) bool TITCALL CopyOverlay(char* szInFileName, char* szOutFileName);
__declspec(dllexport) bool TITCALL CopyOverlayW(wchar_t* szInFileName, wchar_t* szOutFileName);
__declspec(dllexport) bool TITCALL RemoveOverlay(char* szFileName);
__declspec(dllexport) bool TITCALL RemoveOverlayW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL MakeAllSectionsRWE(char* szFileName);
__declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName);
__declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllexport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName);
__declspec(dllexport) void TITCALL SetSharedOverlayW(wchar_t* szFileName);
__declspec(dllexport) char* TITCALL GetSharedOverlay();
__declspec(dllexport) wchar_t* TITCALL GetSharedOverlayW();
__declspec(dllexport) bool TITCALL DeleteLastSection(char* szFileName);
__declspec(dllexport) bool TITCALL DeleteLastSectionW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL DeleteLastSectionEx(char* szFileName, DWORD NumberOfSections);
__declspec(dllexport) bool TITCALL DeleteLastSectionExW(wchar_t* szFileName, DWORD NumberOfSections);
__declspec(dllexport) long long TITCALL GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData);
__declspec(dllexport) long long TITCALL GetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData);
__declspec(dllexport) long long TITCALL GetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData);
__declspec(dllexport) bool TITCALL GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage);
__declspec(dllexport) bool TITCALL GetPE32DataEx(char* szFileName, LPVOID DataStorage);
__declspec(dllexport) bool TITCALL GetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage);
__declspec(dllexport) bool TITCALL SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllexport) bool TITCALL SetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllexport) bool TITCALL SetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllexport) bool TITCALL SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage);
__declspec(dllexport) bool TITCALL SetPE32DataEx(char* szFileName, LPVOID DataStorage);
__declspec(dllexport) bool TITCALL SetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage);
__declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert);
__declspec(dllexport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType);
// TitanEngine.Realigner.functions:
__declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName);
__declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName);
__declspec(dllexport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode);
__declspec(dllexport) long TITCALL RealignPEEx(char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment);
__declspec(dllexport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment);
__declspec(dllexport) bool TITCALL WipeSection(char* szFileName, int WipeSectionNumber, bool RemovePhysically);
__declspec(dllexport) bool TITCALL WipeSectionW(wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically);
__declspec(dllexport) bool TITCALL IsPE32FileValidEx(char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo);
__declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo);
__declspec(dllexport) bool TITCALL FixBrokenPE32FileEx(char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo);
__declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo);
__declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
// TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
// TitanEngine.Relocater.functions:
__declspec(dllexport) void TITCALL RelocaterCleanup();
__declspec(dllexport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase);
__declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState);
__declspec(dllexport) long TITCALL RelocaterEstimatedSize();
__declspec(dllexport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL RelocaterExportRelocationEx(char* szFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize);
__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage);
__declspec(dllexport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize);
__declspec(dllexport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize);
__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, char* szDumpFile1, char* szDumpFile2, ULONG_PTR MemStart);
__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, wchar_t* szDumpFile1, wchar_t* szDumpFile2, ULONG_PTR MemStart);
__declspec(dllexport) bool TITCALL RelocaterChangeFileBase(char* szFileName, ULONG_PTR NewImageBase);
__declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName, ULONG_PTR NewImageBase);
__declspec(dllexport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase);
__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTable(char* szFileName);
__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(wchar_t* szFileName);
// TitanEngine.Resourcer.functions:
__declspec(dllexport) long long TITCALL ResourcerLoadFileForResourceUse(char* szFileName);
__declspec(dllexport) long long TITCALL ResourcerLoadFileForResourceUseW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase);
__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(char* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(wchar_t* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllexport) bool TITCALL ResourcerFindResource(char* szFileName, char* szResourceType, DWORD ResourceType, char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllexport) bool TITCALL ResourcerFindResourceW(wchar_t* szFileName, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllexport) void TITCALL ResourcerEnumerateResource(char* szFileName, void* CallBack);
__declspec(dllexport) void TITCALL ResourcerEnumerateResourceW(wchar_t* szFileName, void* CallBack);
__declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack);
// TitanEngine.Threader.functions:
__declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId);
__declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId);
__declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack);
__declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread);
__declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread);
__declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode);
__declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning);
__declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused);
__declspec(dllexport) bool TITCALL ThreaderPauseProcess();
__declspec(dllexport) bool TITCALL ThreaderResumeProcess();
__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId);
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize);
__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId);
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize);
__declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack);
__declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread);
__declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread);
__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive();
__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads();
__declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId);
__declspec(dllexport) void* TITCALL ThreaderGetThreadData();
__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread();
// TitanEngine.Debugger.functions:
__declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress);
__declspec(dllexport) void* TITCALL StaticDisassemble(LPVOID DisassmAddress);
__declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID DisassmAddress, bool ReturnInstructionType);
__declspec(dllexport) void* TITCALL Disassemble(LPVOID DisassmAddress);
__declspec(dllexport) long TITCALL StaticLengthDisassemble(LPVOID DisassmAddress);
__declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID DisassmAddress);
__declspec(dllexport) long TITCALL LengthDisassemble(LPVOID DisassmAddress);
__declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder);
__declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder);
__declspec(dllexport) void* TITCALL InitDebugEx(char* szFileName, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) void* TITCALL InitDebugExW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) void* TITCALL InitDLLDebug(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) void* TITCALL InitDLLDebugW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) bool TITCALL StopDebug();
__declspec(dllexport) void TITCALL SetBPXOptions(long DefaultBreakPointType);
__declspec(dllexport) bool TITCALL IsBPXEnabled(ULONG_PTR bpxAddress);
__declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL SetBPXEx(ULONG_PTR bpxAddress, DWORD bpxType, DWORD NumberOfExecution, DWORD CmpRegister, DWORD CmpCondition, ULONG_PTR CmpValue, LPVOID bpxCallBack, LPVOID bpxCompareCallBack, LPVOID bpxRemoveCallBack);
__declspec(dllexport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool TITCALL SafeDeleteBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool TITCALL SetAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxPlace);
__declspec(dllexport) bool TITCALL SafeDeleteAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxPlace);
__declspec(dllexport) bool TITCALL SetMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL SetMemoryBPXEx(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, DWORD BreakPointType, bool RestoreOnHit, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL RemoveMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory);
__declspec(dllexport) bool TITCALL GetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllexport) long long TITCALL GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister);
__declspec(dllexport) long long TITCALL GetContextData(DWORD IndexOfRegister);
__declspec(dllexport) bool TITCALL SetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllexport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllexport) bool TITCALL SetContextData(DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllexport) void TITCALL ClearExceptionNumber();
__declspec(dllexport) long TITCALL CurrentExceptionNumber();
__declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard);
__declspec(dllexport) bool TITCALL MatchPattern(void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard);
__declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard);
extern "C" __declspec(dllexport) long long TITCALL Find(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard);
__declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte);
__declspec(dllexport) bool TITCALL Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte);
__declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP);
__declspec(dllexport) bool TITCALL Patch(LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP);
__declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard);
__declspec(dllexport) bool TITCALL Replace(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard);
__declspec(dllexport) void* TITCALL GetDebugData();
__declspec(dllexport) void* TITCALL GetTerminationData();
__declspec(dllexport) long TITCALL GetExitCode();
__declspec(dllexport) long long TITCALL GetDebuggedDLLBaseAddress();
__declspec(dllexport) unsigned long long TITCALL GetDebuggedFileBaseAddress();
__declspec(dllexport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID StringAddress, LPVOID StringStorage, int MaximumStringSize);
__declspec(dllexport) long long TITCALL GetFunctionParameter(HANDLE hProcess, DWORD FunctionType, DWORD ParameterNumber, DWORD ParameterType);
__declspec(dllexport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps);
__declspec(dllexport) long long TITCALL GetJumpDestination(HANDLE hProcess, ULONG_PTR InstructionAddress);
__declspec(dllexport) bool TITCALL IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags);
__declspec(dllexport) bool TITCALL IsJumpGoingToExecute();
__declspec(dllexport) void TITCALL SetCustomHandler(DWORD ExceptionId, LPVOID CallBack);
__declspec(dllexport) void TITCALL ForceClose();
__declspec(dllexport) void TITCALL StepInto(LPVOID traceCallBack);
__declspec(dllexport) void TITCALL StepOver(LPVOID traceCallBack);
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack);
__declspec(dllexport) bool TITCALL GetUnusedHardwareBreakPointRegister(LPDWORD RegisterIndex);
__declspec(dllexport) bool TITCALL SetHardwareBreakPointEx(HANDLE hActiveThread, ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack, LPDWORD IndexOfSelectedRegister);
__declspec(dllexport) bool TITCALL SetHardwareBreakPoint(ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL DeleteHardwareBreakPoint(DWORD IndexOfRegister);
__declspec(dllexport) bool TITCALL RemoveAllBreakPoints(DWORD RemoveOption);
__declspec(dllexport) void* TITCALL GetProcessInformation();
__declspec(dllexport) void* TITCALL GetStartupInformation();
__declspec(dllexport) void TITCALL DebugLoop();
__declspec(dllexport) void TITCALL SetDebugLoopTimeOut(DWORD TimeOut);
__declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode);
__declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack);
__declspec(dllexport) bool TITCALL DetachDebugger(DWORD ProcessId);
__declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId);
__declspec(dllexport) void TITCALL DebugLoopEx(DWORD TimeOut);
__declspec(dllexport) void TITCALL AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllexport) bool TITCALL IsFileBeingDebugged();
__declspec(dllexport) void TITCALL SetErrorModel(bool DisplayErrorMessages);
// TitanEngine.FindOEP.functions:
__declspec(dllexport) void TITCALL FindOEPInit();
__declspec(dllexport) bool TITCALL FindOEPGenerically(char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
__declspec(dllexport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
// TitanEngine.Importer.functions:
__declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk);
__declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue);
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue);
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllexport) long TITCALL ImporterEstimatedSize();
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
__declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName);
__declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber);
__declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName);
__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long TITCALL ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase);
__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName);
__declspec(dllexport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long TITCALL ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long long TITCALL ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long long TITCALL ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIAT(char* szOriginalFile, char* szDumpFile);
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile);
__declspec(dllexport) bool TITCALL ImporterLoadImportTable(char* szFileName);
__declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIAT(char* szOriginalFile, char* szDumpFile, char* szSectionName);
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile, char* szSectionName);
__declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
// Global.Engine.Hook.functions:
__declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
__declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
__declspec(dllexport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress);
__declspec(dllexport) void* TITCALL HooksGetTrampolineAddress(LPVOID HookAddress);
__declspec(dllexport) void* TITCALL HooksGetHookEntryDetails(LPVOID HookAddress);
__declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress, LPVOID RedirectTo, int HookType);
__declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR FileMapVA, ULONG_PTR LoadedModuleBase, char* szHookFunction, LPVOID RedirectTo);
__declspec(dllexport) bool TITCALL HooksInsertNewIATRedirection(char* szModuleName, char* szHookFunction, LPVOID RedirectTo);
__declspec(dllexport) bool TITCALL HooksRemoveRedirection(LPVOID HookAddress, bool RemoveAll);
__declspec(dllexport) bool TITCALL HooksRemoveRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool TITCALL HooksRemoveIATRedirection(char* szModuleName, char* szHookFunction, bool RemoveAll);
__declspec(dllexport) bool TITCALL HooksDisableRedirection(LPVOID HookAddress, bool DisableAll);
__declspec(dllexport) bool TITCALL HooksDisableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool TITCALL HooksDisableIATRedirection(char* szModuleName, char* szHookFunction, bool DisableAll);
__declspec(dllexport) bool TITCALL HooksEnableRedirection(LPVOID HookAddress, bool EnableAll);
__declspec(dllexport) bool TITCALL HooksEnableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool TITCALL HooksEnableIATRedirection(char* szModuleName, char* szHookFunction, bool EnableAll);
__declspec(dllexport) void TITCALL HooksScanModuleMemory(HMODULE ModuleBase, LPVOID CallBack);
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack);
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemoryEx();
// TitanEngine.Tracer.functions:
__declspec(dllexport) void TITCALL TracerInit();
__declspec(dllexport) long long TITCALL TracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD InputNumberOfInstructions);
__declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD RedirectionId);
__declspec(dllexport) long long TITCALL TracerFixRedirectionViaModule(HMODULE hModuleHandle, HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD IdParameter);
__declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hProcess, char* szPluginName, ULONG_PTR AddressToTrace);
// TitanEngine.Exporter.functions:
__declspec(dllexport) void TITCALL ExporterCleanup();
__declspec(dllexport) void TITCALL ExporterSetImageBase(ULONG_PTR ImageBase);
__declspec(dllexport) void TITCALL ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, char* szExportModuleName);
__declspec(dllexport) bool TITCALL ExporterAddNewExport(char* szExportName, DWORD ExportRelativeAddress);
__declspec(dllexport) bool TITCALL ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress);
__declspec(dllexport) long TITCALL ExporterGetAddedExportCount();
__declspec(dllexport) long TITCALL ExporterEstimatedSize();
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(char* szFileName);
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName);
// TitanEngine.Librarian.functions:
__declspec(dllexport) bool TITCALL LibrarianSetBreakPoint(char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL LibrarianRemoveBreakPoint(char* szLibraryName, DWORD bpxType);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoW(wchar_t* szLibraryName);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll);
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack);
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack);
// TitanEngine.Process.functions:
__declspec(dllexport) long TITCALL GetActiveProcessId(char* szImageName);
__declspec(dllexport) long TITCALL GetActiveProcessIdW(wchar_t* szImageName);
__declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, void* EnumFunction);
// TitanEngine.TLSFixer.functions:
__declspec(dllexport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL TLSGrabCallBackData(char* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks);
__declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks);
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackEx(char* szFileName, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackExW(wchar_t* szFileName, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL TLSRemoveCallback(char* szFileName);
__declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL TLSRemoveTable(char* szFileName);
__declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL TLSBackupData(char* szFileName);
__declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL TLSRestoreData();
__declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
__declspec(dllexport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
// TitanEngine.TranslateName.functions:
__declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName);
__declspec(dllexport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName);
// TitanEngine.Handler.functions:
__declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId);
__declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle);
__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName);
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName);
__declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount);
__declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn);
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle);
__declspec(dllexport) long TITCALL HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount);
__declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount);
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
// TitanEngine.Handler[Mutex].functions:
__declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount);
__declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, char* szMutexString);
__declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, wchar_t* szMutexString);
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString);
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString);
// TitanEngine.Injector.functions:
__declspec(dllexport) bool TITCALL RemoteLoadLibrary(HANDLE hProcess, char* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, char* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, wchar_t* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD ExitCode);
// TitanEngine.StaticUnpacker.functions:
__declspec(dllexport) bool TITCALL StaticFileLoad(char* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileLoadW(wchar_t* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileUnload(char* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileUnloadW(wchar_t* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileOpen(char* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh);
__declspec(dllexport) bool TITCALL StaticFileOpenW(wchar_t* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh);
__declspec(dllexport) bool TITCALL StaticFileGetContent(HANDLE FileHandle, DWORD FilePositionLow, LPDWORD FilePositionHigh, void* Buffer, DWORD Size);
__declspec(dllexport) void TITCALL StaticFileClose(HANDLE FileHandle);
__declspec(dllexport) void TITCALL StaticMemoryDecrypt(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey);
__declspec(dllexport) void TITCALL StaticMemoryDecryptEx(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, void* DecryptionCallBack);
__declspec(dllexport) void TITCALL StaticMemoryDecryptSpecial(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, DWORD SpecDecryptionType, void* DecryptionCallBack);
__declspec(dllexport) void TITCALL StaticSectionDecrypt(ULONG_PTR FileMapVA, DWORD SectionNumber, bool SimulateLoad, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey);
__declspec(dllexport) bool TITCALL StaticMemoryDecompress(void* Source, DWORD SourceSize, void* Destination, DWORD DestinationSize, int Algorithm);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopy(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticHashMemory(void* MemoryToHash, DWORD SizeOfMemory, void* HashDigest, bool OutputString, int Algorithm);
__declspec(dllexport) bool TITCALL StaticHashFileW(wchar_t* szFileName, char* HashDigest, bool OutputString, int Algorithm);
__declspec(dllexport) bool TITCALL StaticHashFile(char* szFileName, char* HashDigest, bool OutputString, int Algorithm);
// TitanEngine.Engine.functions:
__declspec(dllexport) void TITCALL EngineUnpackerInitialize(char* szFileName, char* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack);
__declspec(dllexport) void TITCALL EngineUnpackerInitializeW(wchar_t* szFileName, wchar_t* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack);
__declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchStart, DWORD SearchSize, void* SearchPattern, DWORD PatternSize, DWORD PatternDelta, ULONG_PTR BreakType, bool SingleBreak, DWORD Parameter1, DWORD Parameter2);
__declspec(dllexport) void TITCALL EngineUnpackerSetEntryPointAddress(ULONG_PTR UnpackedEntryPointAddress);
__declspec(dllexport) void TITCALL EngineUnpackerFinalizeUnpacking();
// TitanEngine.Engine.functions:
__declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet);
__declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles);
__declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szFileName, wchar_t* szOutputFolder, bool LogCreatedFiles);
__declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess);
__declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies();
__declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
// Global.Engine.Extension.Functions:
__declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerDisableAllPlugins();
__declspec(dllexport) bool TITCALL ExtensionManagerDisablePlugin(char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerEnableAllPlugins();
__declspec(dllexport) bool TITCALL ExtensionManagerEnablePlugin(char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerUnloadAllPlugins();
__declspec(dllexport) bool TITCALL ExtensionManagerUnloadPlugin(char* szPluginName);
__declspec(dllexport) void* TITCALL ExtensionManagerGetPluginInfo(char* szPluginName);
#ifdef __cplusplus
}
#endif
#pragma pack(pop)
#endif /*TITANENGINE*/
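Review bot: `ImporterExportIATExW` declares a default argument (`wchar_t* szSectionName = L".RL!TEv2"`), which is C++-only and sits oddly with the `#ifdef __cplusplus` guard that closes this block; the ANSI `ImporterExportIATEx` has no matching default. The section-name type is also inconsistent across the wide variants: `ImporterMoveOriginalIATW`, `ExporterBuildExportTableExW` and `TLSBuildNewTableExW` take `char* szSectionName` next to `wchar_t*` file names. I would drop the default, pick one type for section names and document the expected length. Separately, every callback in these declarations (`EntryCallBack`, `bpxCallBack`, `EnumCallBack`, `DecryptionCallBack`, `UnknownPointerFixCallback`) is passed as `LPVOID` or `void*`, so a callback with the wrong signature or calling convention compiles cleanly and only fails at run time; typed function-pointer typedefs would catch that at compile time. Input-only strings such as `szFileName` could be `const`, and `ProcessIds` in `ImporterAutoSearchIATW` and `VitualAddressToCopy` in `StaticRawMemoryCopy` look like typos.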

@ -1,939 +0,0 @@
#ifndef TITANENGINE
#define TITANENGINE
#define TITCALL
#if _MSC_VER > 1000
#pragma once
#endif
#include <windows.h>
#pragma pack(push, 1)
// Global.Constant.Structure.Declaration:
// Engine.External:
const BYTE UE_ACCESS_READ = 0;
const BYTE UE_ACCESS_WRITE = 1;
const BYTE UE_ACCESS_ALL = 2;
const BYTE UE_HIDE_PEBONLY = 0;
const BYTE UE_HIDE_BASIC = 1;
const BYTE UE_PLUGIN_CALL_REASON_PREDEBUG = 1;
const BYTE UE_PLUGIN_CALL_REASON_EXCEPTION = 2;
const BYTE UE_PLUGIN_CALL_REASON_POSTDEBUG = 3;
const BYTE TEE_HOOK_NRM_JUMP = 1;
const BYTE TEE_HOOK_NRM_CALL = 3;
const BYTE TEE_HOOK_IAT = 5;
const BYTE UE_ENGINE_ALOW_MODULE_LOADING = 1;
const BYTE UE_ENGINE_AUTOFIX_FORWARDERS = 2;
const BYTE UE_ENGINE_PASS_ALL_EXCEPTIONS = 3;
const BYTE UE_ENGINE_NO_CONSOLE_WINDOW = 4;
const BYTE UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = 5;
const BYTE UE_ENGINE_CALL_PLUGIN_CALLBACK = 6;
const BYTE UE_ENGINE_RESET_CUSTOM_HANDLER = 7;
const BYTE UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8;
const BYTE UE_OPTION_REMOVEALL = 1;
const BYTE UE_OPTION_DISABLEALL = 2;
const BYTE UE_OPTION_REMOVEALLDISABLED = 3;
const BYTE UE_OPTION_REMOVEALLENABLED = 4;
const BYTE UE_STATIC_DECRYPTOR_XOR = 1;
const BYTE UE_STATIC_DECRYPTOR_SUB = 2;
const BYTE UE_STATIC_DECRYPTOR_ADD = 3;
const BYTE UE_STATIC_DECRYPTOR_FOREWARD = 1;
const BYTE UE_STATIC_DECRYPTOR_BACKWARD = 2;
const BYTE UE_STATIC_KEY_SIZE_1 = 1;
const BYTE UE_STATIC_KEY_SIZE_2 = 2;
const BYTE UE_STATIC_KEY_SIZE_4 = 4;
const BYTE UE_STATIC_KEY_SIZE_8 = 8;
const BYTE UE_STATIC_APLIB = 1;
const BYTE UE_STATIC_APLIB_DEPACK = 2;
const BYTE UE_STATIC_LZMA = 3;
const BYTE UE_STATIC_HASH_MD5 = 1;
const BYTE UE_STATIC_HASH_SHA1 = 2;
const BYTE UE_STATIC_HASH_CRC32 = 3;
const DWORD UE_RESOURCE_LANGUAGE_ANY = -1;
const BYTE UE_PE_OFFSET = 0;
const BYTE UE_IMAGEBASE = 1;
const BYTE UE_OEP = 2;
const BYTE UE_SIZEOFIMAGE = 3;
const BYTE UE_SIZEOFHEADERS = 4;
const BYTE UE_SIZEOFOPTIONALHEADER = 5;
const BYTE UE_SECTIONALIGNMENT = 6;
const BYTE UE_IMPORTTABLEADDRESS = 7;
const BYTE UE_IMPORTTABLESIZE = 8;
const BYTE UE_RESOURCETABLEADDRESS = 9;
const BYTE UE_RESOURCETABLESIZE = 10;
const BYTE UE_EXPORTTABLEADDRESS = 11;
const BYTE UE_EXPORTTABLESIZE = 12;
const BYTE UE_TLSTABLEADDRESS = 13;
const BYTE UE_TLSTABLESIZE = 14;
const BYTE UE_RELOCATIONTABLEADDRESS = 15;
const BYTE UE_RELOCATIONTABLESIZE = 16;
const BYTE UE_TIMEDATESTAMP = 17;
const BYTE UE_SECTIONNUMBER = 18;
const BYTE UE_CHECKSUM = 19;
const BYTE UE_SUBSYSTEM = 20;
const BYTE UE_CHARACTERISTICS = 21;
const BYTE UE_NUMBEROFRVAANDSIZES = 22;
const BYTE UE_BASEOFCODE = 23;
const BYTE UE_BASEOFDATA = 24;
//leaving some enum space here for future additions
const BYTE UE_SECTIONNAME = 40;
const BYTE UE_SECTIONVIRTUALOFFSET = 41;
const BYTE UE_SECTIONVIRTUALSIZE = 42;
const BYTE UE_SECTIONRAWOFFSET = 43;
const BYTE UE_SECTIONRAWSIZE = 44;
const BYTE UE_SECTIONFLAGS = 45;
const long UE_VANOTFOUND = -2;
const BYTE UE_CH_BREAKPOINT = 1;
const BYTE UE_CH_SINGLESTEP = 2;
const BYTE UE_CH_ACCESSVIOLATION = 3;
const BYTE UE_CH_ILLEGALINSTRUCTION = 4;
const BYTE UE_CH_NONCONTINUABLEEXCEPTION = 5;
const BYTE UE_CH_ARRAYBOUNDSEXCEPTION = 6;
const BYTE UE_CH_FLOATDENORMALOPERAND = 7;
const BYTE UE_CH_FLOATDEVIDEBYZERO = 8;
const BYTE UE_CH_INTEGERDEVIDEBYZERO = 9;
const BYTE UE_CH_INTEGEROVERFLOW = 10;
const BYTE UE_CH_PRIVILEGEDINSTRUCTION = 11;
const BYTE UE_CH_PAGEGUARD = 12;
const BYTE UE_CH_EVERYTHINGELSE = 13;
const BYTE UE_CH_CREATETHREAD = 14;
const BYTE UE_CH_EXITTHREAD = 15;
const BYTE UE_CH_CREATEPROCESS = 16;
const BYTE UE_CH_EXITPROCESS = 17;
const BYTE UE_CH_LOADDLL = 18;
const BYTE UE_CH_UNLOADDLL = 19;
const BYTE UE_CH_OUTPUTDEBUGSTRING = 20;
const BYTE UE_CH_AFTEREXCEPTIONPROCESSING = 21;
const BYTE UE_CH_ALLEVENTS = 22;
const BYTE UE_CH_SYSTEMBREAKPOINT = 23;
const BYTE UE_CH_UNHANDLEDEXCEPTION = 24;
const BYTE UE_OPTION_HANDLER_RETURN_HANDLECOUNT = 1;
const BYTE UE_OPTION_HANDLER_RETURN_ACCESS = 2;
const BYTE UE_OPTION_HANDLER_RETURN_FLAGS = 3;
const BYTE UE_OPTION_HANDLER_RETURN_TYPENAME = 4;
const BYTE UE_BREAKPOINT_INT3 = 1;
const BYTE UE_BREAKPOINT_LONG_INT3 = 2;
const BYTE UE_BREAKPOINT_UD2 = 3;
const BYTE UE_BPXREMOVED = 0;
const BYTE UE_BPXACTIVE = 1;
const BYTE UE_BPXINACTIVE = 2;
const BYTE UE_BREAKPOINT = 0;
const BYTE UE_SINGLESHOOT = 1;
const BYTE UE_HARDWARE = 2;
const BYTE UE_MEMORY = 3;
const BYTE UE_MEMORY_READ = 4;
const BYTE UE_MEMORY_WRITE = 5;
const BYTE UE_MEMORY_EXECUTE = 6;
const DWORD UE_BREAKPOINT_TYPE_INT3 = 0x10000000;
const DWORD UE_BREAKPOINT_TYPE_LONG_INT3 = 0x20000000;
const DWORD UE_BREAKPOINT_TYPE_UD2 = 0x30000000;
const BYTE UE_HARDWARE_EXECUTE = 4;
const BYTE UE_HARDWARE_WRITE = 5;
const BYTE UE_HARDWARE_READWRITE = 6;
const BYTE UE_HARDWARE_SIZE_1 = 7;
const BYTE UE_HARDWARE_SIZE_2 = 8;
const BYTE UE_HARDWARE_SIZE_4 = 9;
const BYTE UE_HARDWARE_SIZE_8 = 10;
const BYTE UE_ON_LIB_LOAD = 1;
const BYTE UE_ON_LIB_UNLOAD = 2;
const BYTE UE_ON_LIB_ALL = 3;
const BYTE UE_APISTART = 0;
const BYTE UE_APIEND = 1;
const BYTE UE_PLATFORM_x86 = 1;
const BYTE UE_PLATFORM_x64 = 2;
const BYTE UE_PLATFORM_ALL = 3;
const BYTE UE_FUNCTION_STDCALL = 1;
const BYTE UE_FUNCTION_CCALL = 2;
const BYTE UE_FUNCTION_FASTCALL = 3;
const BYTE UE_FUNCTION_STDCALL_RET = 4;
const BYTE UE_FUNCTION_CCALL_RET = 5;
const BYTE UE_FUNCTION_FASTCALL_RET = 6;
const BYTE UE_FUNCTION_STDCALL_CALL = 7;
const BYTE UE_FUNCTION_CCALL_CALL = 8;
const BYTE UE_FUNCTION_FASTCALL_CALL = 9;
const BYTE UE_PARAMETER_BYTE = 0;
const BYTE UE_PARAMETER_WORD = 1;
const BYTE UE_PARAMETER_DWORD = 2;
const BYTE UE_PARAMETER_QWORD = 3;
const BYTE UE_PARAMETER_PTR_BYTE = 4;
const BYTE UE_PARAMETER_PTR_WORD = 5;
const BYTE UE_PARAMETER_PTR_DWORD = 6;
const BYTE UE_PARAMETER_PTR_QWORD = 7;
const BYTE UE_PARAMETER_STRING = 8;
const BYTE UE_PARAMETER_UNICODE = 9;
const BYTE UE_CMP_NOCONDITION = 0;
const BYTE UE_CMP_EQUAL = 1;
const BYTE UE_CMP_NOTEQUAL = 2;
const BYTE UE_CMP_GREATER = 3;
const BYTE UE_CMP_GREATEROREQUAL = 4;
const BYTE UE_CMP_LOWER = 5;
const BYTE UE_CMP_LOWEROREQUAL = 6;
const BYTE UE_CMP_REG_EQUAL = 7;
const BYTE UE_CMP_REG_NOTEQUAL = 8;
const BYTE UE_CMP_REG_GREATER = 9;
const BYTE UE_CMP_REG_GREATEROREQUAL = 10;
const BYTE UE_CMP_REG_LOWER = 11;
const BYTE UE_CMP_REG_LOWEROREQUAL = 12;
const BYTE UE_CMP_ALWAYSFALSE = 13;
const BYTE UE_EAX = 1;
const BYTE UE_EBX = 2;
const BYTE UE_ECX = 3;
const BYTE UE_EDX = 4;
const BYTE UE_EDI = 5;
const BYTE UE_ESI = 6;
const BYTE UE_EBP = 7;
const BYTE UE_ESP = 8;
const BYTE UE_EIP = 9;
const BYTE UE_EFLAGS = 10;
const BYTE UE_DR0 = 11;
const BYTE UE_DR1 = 12;
const BYTE UE_DR2 = 13;
const BYTE UE_DR3 = 14;
const BYTE UE_DR6 = 15;
const BYTE UE_DR7 = 16;
const BYTE UE_RAX = 17;
const BYTE UE_RBX = 18;
const BYTE UE_RCX = 19;
const BYTE UE_RDX = 20;
const BYTE UE_RDI = 21;
const BYTE UE_RSI = 22;
const BYTE UE_RBP = 23;
const BYTE UE_RSP = 24;
const BYTE UE_RIP = 25;
const BYTE UE_RFLAGS = 26;
const BYTE UE_R8 = 27;
const BYTE UE_R9 = 28;
const BYTE UE_R10 = 29;
const BYTE UE_R11 = 30;
const BYTE UE_R12 = 31;
const BYTE UE_R13 = 32;
const BYTE UE_R14 = 33;
const BYTE UE_R15 = 34;
const BYTE UE_CIP = 35;
const BYTE UE_CSP = 36;
#ifdef _WIN64
const BYTE UE_CFLAGS = UE_RFLAGS;
#else
const BYTE UE_CFLAGS = UE_EFLAGS;
#endif
const BYTE UE_SEG_GS = 37;
const BYTE UE_SEG_FS = 38;
const BYTE UE_SEG_ES = 39;
const BYTE UE_SEG_DS = 40;
const BYTE UE_SEG_CS = 41;
const BYTE UE_SEG_SS = 42;
typedef struct
{
DWORD PE32Offset;
DWORD ImageBase;
DWORD OriginalEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD NtSizeOfImage;
DWORD NtSizeOfHeaders;
WORD SizeOfOptionalHeaders;
DWORD FileAlignment;
DWORD SectionAligment;
DWORD ImportTableAddress;
DWORD ImportTableSize;
DWORD ResourceTableAddress;
DWORD ResourceTableSize;
DWORD ExportTableAddress;
DWORD ExportTableSize;
DWORD TLSTableAddress;
DWORD TLSTableSize;
DWORD RelocationTableAddress;
DWORD RelocationTableSize;
DWORD TimeDateStamp;
WORD SectionNumber;
DWORD CheckSum;
WORD SubSystem;
WORD Characteristics;
DWORD NumberOfRvaAndSizes;
} PE32Struct, *PPE32Struct;
typedef struct
{
DWORD PE64Offset;
DWORD64 ImageBase;
DWORD OriginalEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD NtSizeOfImage;
DWORD NtSizeOfHeaders;
WORD SizeOfOptionalHeaders;
DWORD FileAlignment;
DWORD SectionAligment;
DWORD ImportTableAddress;
DWORD ImportTableSize;
DWORD ResourceTableAddress;
DWORD ResourceTableSize;
DWORD ExportTableAddress;
DWORD ExportTableSize;
DWORD TLSTableAddress;
DWORD TLSTableSize;
DWORD RelocationTableAddress;
DWORD RelocationTableSize;
DWORD TimeDateStamp;
WORD SectionNumber;
DWORD CheckSum;
WORD SubSystem;
WORD Characteristics;
DWORD NumberOfRvaAndSizes;
} PE64Struct, *PPE64Struct;
#if defined(_WIN64)
typedef PE64Struct PEStruct;
#else
typedef PE32Struct PEStruct;
#endif
typedef struct
{
bool NewDll;
int NumberOfImports;
ULONG_PTR ImageBase;
ULONG_PTR BaseImportThunk;
ULONG_PTR ImportThunk;
char* APIName;
char* DLLName;
} ImportEnumData, *PImportEnumData;
typedef struct
{
HANDLE hThread;
DWORD dwThreadId;
void* ThreadStartAddress;
void* ThreadLocalBase;
} THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
typedef struct
{
HANDLE hFile;
void* BaseOfDll;
HANDLE hFileMapping;
void* hFileMappingView;
char szLibraryPath[MAX_PATH];
char szLibraryName[MAX_PATH];
} LIBRARY_ITEM_DATA, *PLIBRARY_ITEM_DATA;
typedef struct
{
HANDLE hFile;
void* BaseOfDll;
HANDLE hFileMapping;
void* hFileMappingView;
wchar_t szLibraryPath[MAX_PATH];
wchar_t szLibraryName[MAX_PATH];
} LIBRARY_ITEM_DATAW, *PLIBRARY_ITEM_DATAW;
typedef struct
{
HANDLE hProcess;
DWORD dwProcessId;
HANDLE hThread;
DWORD dwThreadId;
HANDLE hFile;
void* BaseOfImage;
void* ThreadStartAddress;
void* ThreadLocalBase;
} PROCESS_ITEM_DATA, *PPROCESS_ITEM_DATA;
typedef struct
{
ULONG ProcessId;
HANDLE hHandle;
} HandlerArray, *PHandlerArray;
typedef struct
{
char PluginName[64];
DWORD PluginMajorVersion;
DWORD PluginMinorVersion;
HMODULE PluginBaseAddress;
void* TitanDebuggingCallBack;
void* TitanRegisterPlugin;
void* TitanReleasePlugin;
void* TitanResetPlugin;
bool PluginDisabled;
} PluginInformation, *PPluginInformation;
const size_t TEE_MAXIMUM_HOOK_SIZE = 14;
const size_t TEE_MAXIMUM_HOOK_RELOCS = 7;
#if defined(_WIN64)
const size_t TEE_MAXIMUM_HOOK_INSERT_SIZE = 14;
#else
const size_t TEE_MAXIMUM_HOOK_INSERT_SIZE = 5;
#endif
typedef struct HOOK_ENTRY
{
bool IATHook;
BYTE HookType;
DWORD HookSize;
void* HookAddress;
void* RedirectionAddress;
BYTE HookBytes[TEE_MAXIMUM_HOOK_SIZE];
BYTE OriginalBytes[TEE_MAXIMUM_HOOK_SIZE];
void* IATHookModuleBase;
DWORD IATHookNameHash;
bool HookIsEnabled;
bool HookIsRemote;
void* PatchedEntry;
DWORD RelocationInfo[TEE_MAXIMUM_HOOK_RELOCS];
int RelocationCount;
} HOOK_ENTRY, *PHOOK_ENTRY;
const BYTE UE_DEPTH_SURFACE = 0;
const BYTE UE_DEPTH_DEEP = 1;
const BYTE UE_UNPACKER_CONDITION_SEARCH_FROM_EP = 1;
const BYTE UE_UNPACKER_CONDITION_LOADLIBRARY = 1;
const BYTE UE_UNPACKER_CONDITION_GETPROCADDRESS = 2;
const BYTE UE_UNPACKER_CONDITION_ENTRYPOINTBREAK = 3;
const BYTE UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 = 4;
const BYTE UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 = 5;
const BYTE UE_FIELD_OK = 0;
const BYTE UE_FIELD_BROKEN_NON_FIXABLE = 1;
const BYTE UE_FIELD_BROKEN_NON_CRITICAL = 2;
const BYTE UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE = 3;
const BYTE UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED = 4;
const BYTE UE_FILED_FIXABLE_NON_CRITICAL = 5;
const BYTE UE_FILED_FIXABLE_CRITICAL = 6;
const BYTE UE_FIELD_NOT_PRESET = 7;
const BYTE UE_FIELD_NOT_PRESET_WARNING = 8;
const BYTE UE_RESULT_FILE_OK = 10;
const BYTE UE_RESULT_FILE_INVALID_BUT_FIXABLE = 11;
const BYTE UE_RESULT_FILE_INVALID_AND_NON_FIXABLE = 12;
const BYTE UE_RESULT_FILE_INVALID_FORMAT = 13;
typedef struct
{
BYTE OveralEvaluation;
bool EvaluationTerminatedByException;
bool FileIs64Bit;
bool FileIsDLL;
bool FileIsConsole;
bool MissingDependencies;
bool MissingDeclaredAPIs;
BYTE SignatureMZ;
BYTE SignaturePE;
BYTE EntryPoint;
BYTE ImageBase;
BYTE SizeOfImage;
BYTE FileAlignment;
BYTE SectionAlignment;
BYTE ExportTable;
BYTE RelocationTable;
BYTE ImportTable;
BYTE ImportTableSection;
BYTE ImportTableData;
BYTE IATTable;
BYTE TLSTable;
BYTE LoadConfigTable;
BYTE BoundImportTable;
BYTE COMHeaderTable;
BYTE ResourceTable;
BYTE ResourceData;
BYTE SectionTable;
} FILE_STATUS_INFO, *PFILE_STATUS_INFO;
typedef struct
{
BYTE OveralEvaluation;
bool FixingTerminatedByException;
bool FileFixPerformed;
bool StrippedRelocation;
bool DontFixRelocations;
DWORD OriginalRelocationTableAddress;
DWORD OriginalRelocationTableSize;
bool StrippedExports;
bool DontFixExports;
DWORD OriginalExportTableAddress;
DWORD OriginalExportTableSize;
bool StrippedResources;
bool DontFixResources;
DWORD OriginalResourceTableAddress;
DWORD OriginalResourceTableSize;
bool StrippedTLS;
bool DontFixTLS;
DWORD OriginalTLSTableAddress;
DWORD OriginalTLSTableSize;
bool StrippedLoadConfig;
bool DontFixLoadConfig;
DWORD OriginalLoadConfigTableAddress;
DWORD OriginalLoadConfigTableSize;
bool StrippedBoundImports;
bool DontFixBoundImports;
DWORD OriginalBoundImportTableAddress;
DWORD OriginalBoundImportTableSize;
bool StrippedIAT;
bool DontFixIAT;
DWORD OriginalImportAddressTableAddress;
DWORD OriginalImportAddressTableSize;
bool StrippedCOM;
bool DontFixCOM;
DWORD OriginalCOMTableAddress;
DWORD OriginalCOMTableSize;
} FILE_FIX_INFO, *PFILE_FIX_INFO;
#ifdef __cplusplus
extern "C" {
#endif /*__cplusplus*/
// Global.Function.Declaration:
// TitanEngine.Dumper.functions:
__declspec(dllimport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllimport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllimport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllimport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllimport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllimport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllimport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllimport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllimport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBase, wchar_t* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName);
__declspec(dllimport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, wchar_t* szDumpFileName);
__declspec(dllimport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName);
__declspec(dllimport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDebuggedFileName);
__declspec(dllimport) bool TITCALL ExtractSection(char* szFileName, char* szDumpFileName, DWORD SectionNumber);
__declspec(dllimport) bool TITCALL ExtractSectionW(wchar_t* szFileName, wchar_t* szDumpFileName, DWORD SectionNumber);
__declspec(dllimport) bool TITCALL ResortFileSections(char* szFileName);
__declspec(dllimport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL FindOverlay(char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize);
__declspec(dllimport) bool TITCALL FindOverlayW(wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize);
__declspec(dllimport) bool TITCALL ExtractOverlay(char* szFileName, char* szExtractedFileName);
__declspec(dllimport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* szExtractedFileName);
__declspec(dllimport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName);
__declspec(dllimport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szOverlayFileName);
__declspec(dllimport) bool TITCALL CopyOverlay(char* szInFileName, char* szOutFileName);
__declspec(dllimport) bool TITCALL CopyOverlayW(wchar_t* szInFileName, wchar_t* szOutFileName);
__declspec(dllimport) bool TITCALL RemoveOverlay(char* szFileName);
__declspec(dllimport) bool TITCALL RemoveOverlayW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL MakeAllSectionsRWE(char* szFileName);
__declspec(dllimport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName);
__declspec(dllimport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllimport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllimport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllimport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllimport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllimport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllimport) void TITCALL SetSharedOverlay(char* szFileName);
__declspec(dllimport) void TITCALL SetSharedOverlayW(wchar_t* szFileName);
__declspec(dllimport) char* TITCALL GetSharedOverlay();
__declspec(dllimport) wchar_t* TITCALL GetSharedOverlayW();
__declspec(dllimport) bool TITCALL DeleteLastSection(char* szFileName);
__declspec(dllimport) bool TITCALL DeleteLastSectionW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL DeleteLastSectionEx(char* szFileName, DWORD NumberOfSections);
__declspec(dllimport) bool TITCALL DeleteLastSectionExW(wchar_t* szFileName, DWORD NumberOfSections);
__declspec(dllimport) long long TITCALL GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData);
__declspec(dllimport) long long TITCALL GetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData);
__declspec(dllimport) long long TITCALL GetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData);
__declspec(dllimport) bool TITCALL GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage);
__declspec(dllimport) bool TITCALL GetPE32DataEx(char* szFileName, LPVOID DataStorage);
__declspec(dllimport) bool TITCALL GetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage);
__declspec(dllimport) bool TITCALL SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllimport) bool TITCALL SetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllimport) bool TITCALL SetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllimport) bool TITCALL SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage);
__declspec(dllimport) bool TITCALL SetPE32DataEx(char* szFileName, LPVOID DataStorage);
__declspec(dllimport) bool TITCALL SetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage);
__declspec(dllimport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert);
__declspec(dllimport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllimport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType);
__declspec(dllimport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllimport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType);
// TitanEngine.Realigner.functions:
__declspec(dllimport) bool TITCALL FixHeaderCheckSum(char* szFileName);
__declspec(dllimport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName);
__declspec(dllimport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode);
__declspec(dllimport) long TITCALL RealignPEEx(char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment);
__declspec(dllimport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment);
__declspec(dllimport) bool TITCALL WipeSection(char* szFileName, int WipeSectionNumber, bool RemovePhysically);
__declspec(dllimport) bool TITCALL WipeSectionW(wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically);
__declspec(dllimport) bool TITCALL IsPE32FileValidEx(char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo);
__declspec(dllimport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo);
__declspec(dllimport) bool TITCALL FixBrokenPE32FileEx(char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo);
__declspec(dllimport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo);
__declspec(dllimport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
// TitanEngine.Hider.functions:
__declspec(dllimport) void* TITCALL GetPEBLocation(HANDLE hProcess);
__declspec(dllimport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
__declspec(dllimport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
// TitanEngine.Relocater.functions:
__declspec(dllimport) void TITCALL RelocaterCleanup();
__declspec(dllimport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase);
__declspec(dllimport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState);
__declspec(dllimport) long TITCALL RelocaterEstimatedSize();
__declspec(dllimport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL RelocaterExportRelocationEx(char* szFileName, char* szSectionName);
__declspec(dllimport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileName, char* szSectionName);
__declspec(dllimport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize);
__declspec(dllimport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage);
__declspec(dllimport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize);
__declspec(dllimport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize);
__declspec(dllimport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, char* szDumpFile1, char* szDumpFile2, ULONG_PTR MemStart);
__declspec(dllimport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, wchar_t* szDumpFile1, wchar_t* szDumpFile2, ULONG_PTR MemStart);
__declspec(dllimport) bool TITCALL RelocaterChangeFileBase(char* szFileName, ULONG_PTR NewImageBase);
__declspec(dllimport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName, ULONG_PTR NewImageBase);
__declspec(dllimport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase);
__declspec(dllimport) bool TITCALL RelocaterWipeRelocationTable(char* szFileName);
__declspec(dllimport) bool TITCALL RelocaterWipeRelocationTableW(wchar_t* szFileName);
// TitanEngine.Resourcer.functions:
__declspec(dllimport) long long TITCALL ResourcerLoadFileForResourceUse(char* szFileName);
__declspec(dllimport) long long TITCALL ResourcerLoadFileForResourceUseW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase);
__declspec(dllimport) bool TITCALL ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllimport) bool TITCALL ResourcerExtractResourceFromFile(char* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllimport) bool TITCALL ResourcerExtractResourceFromFileW(wchar_t* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllimport) bool TITCALL ResourcerFindResource(char* szFileName, char* szResourceType, DWORD ResourceType, char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllimport) bool TITCALL ResourcerFindResourceW(wchar_t* szFileName, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllimport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllimport) void TITCALL ResourcerEnumerateResource(char* szFileName, void* CallBack);
__declspec(dllimport) void TITCALL ResourcerEnumerateResourceW(wchar_t* szFileName, void* CallBack);
__declspec(dllimport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack);
// TitanEngine.Threader.functions:
__declspec(dllimport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId);
__declspec(dllimport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId);
__declspec(dllimport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack);
__declspec(dllimport) bool TITCALL ThreaderPauseThread(HANDLE hThread);
__declspec(dllimport) bool TITCALL ThreaderResumeThread(HANDLE hThread);
__declspec(dllimport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode);
__declspec(dllimport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning);
__declspec(dllimport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused);
__declspec(dllimport) bool TITCALL ThreaderPauseProcess();
__declspec(dllimport) bool TITCALL ThreaderResumeProcess();
__declspec(dllimport) long long TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId);
__declspec(dllimport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize);
__declspec(dllimport) long long TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId);
__declspec(dllimport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize);
__declspec(dllimport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack);
__declspec(dllimport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread);
__declspec(dllimport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread);
__declspec(dllimport) bool TITCALL ThreaderIsAnyThreadActive();
__declspec(dllimport) bool TITCALL ThreaderExecuteOnlyInjectedThreads();
__declspec(dllimport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId);
__declspec(dllimport) void* TITCALL ThreaderGetThreadData();
__declspec(dllimport) bool TITCALL ThreaderIsExceptionInMainThread();
// TitanEngine.Debugger.functions:
__declspec(dllimport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress);
__declspec(dllimport) void* TITCALL StaticDisassemble(LPVOID DisassmAddress);
__declspec(dllimport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID DisassmAddress, bool ReturnInstructionType);
__declspec(dllimport) void* TITCALL Disassemble(LPVOID DisassmAddress);
__declspec(dllimport) long TITCALL StaticLengthDisassemble(LPVOID DisassmAddress);
__declspec(dllimport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID DisassmAddress);
__declspec(dllimport) long TITCALL LengthDisassemble(LPVOID DisassmAddress);
__declspec(dllimport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder);
__declspec(dllimport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder);
__declspec(dllimport) void* TITCALL InitDebugEx(char* szFileName, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllimport) void* TITCALL InitDebugExW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllimport) void* TITCALL InitDLLDebug(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllimport) void* TITCALL InitDLLDebugW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllimport) bool TITCALL StopDebug();
__declspec(dllimport) void TITCALL SetBPXOptions(long DefaultBreakPointType);
__declspec(dllimport) bool TITCALL IsBPXEnabled(ULONG_PTR bpxAddress);
__declspec(dllimport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress);
__declspec(dllimport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress);
__declspec(dllimport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL SetBPXEx(ULONG_PTR bpxAddress, DWORD bpxType, DWORD NumberOfExecution, DWORD CmpRegister, DWORD CmpCondition, ULONG_PTR CmpValue, LPVOID bpxCallBack, LPVOID bpxCompareCallBack, LPVOID bpxRemoveCallBack);
__declspec(dllimport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress);
__declspec(dllimport) bool TITCALL SafeDeleteBPX(ULONG_PTR bpxAddress);
__declspec(dllimport) bool TITCALL SetAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL DeleteAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxPlace);
__declspec(dllimport) bool TITCALL SafeDeleteAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxPlace);
__declspec(dllimport) bool TITCALL SetMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL SetMemoryBPXEx(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, DWORD BreakPointType, bool RestoreOnHit, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL RemoveMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory);
__declspec(dllimport) bool TITCALL GetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllimport) long long TITCALL GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister);
__declspec(dllimport) long long TITCALL GetContextData(DWORD IndexOfRegister);
__declspec(dllimport) bool TITCALL SetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllimport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllimport) bool TITCALL SetContextData(DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllimport) void TITCALL ClearExceptionNumber();
__declspec(dllimport) long TITCALL CurrentExceptionNumber();
__declspec(dllimport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard);
__declspec(dllimport) bool TITCALL MatchPattern(void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard);
__declspec(dllimport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard);
__declspec(dllimport) long long TITCALL Find(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard);
__declspec(dllimport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte);
__declspec(dllimport) bool TITCALL Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte);
__declspec(dllimport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP);
__declspec(dllimport) bool TITCALL Patch(LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP);
__declspec(dllimport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard);
__declspec(dllimport) bool TITCALL Replace(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard);
__declspec(dllimport) void* TITCALL GetDebugData();
__declspec(dllimport) void* TITCALL GetTerminationData();
__declspec(dllimport) long TITCALL GetExitCode();
__declspec(dllimport) long long TITCALL GetDebuggedDLLBaseAddress();
__declspec(dllimport) long long TITCALL GetDebuggedFileBaseAddress();
__declspec(dllimport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID StringAddress, LPVOID StringStorage, int MaximumStringSize);
__declspec(dllimport) long long TITCALL GetFunctionParameter(HANDLE hProcess, DWORD FunctionType, DWORD ParameterNumber, DWORD ParameterType);
__declspec(dllimport) long long TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps);
__declspec(dllimport) long long TITCALL GetJumpDestination(HANDLE hProcess, ULONG_PTR InstructionAddress);
__declspec(dllimport) bool TITCALL IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags);
__declspec(dllimport) bool TITCALL IsJumpGoingToExecute();
__declspec(dllimport) void TITCALL SetCustomHandler(DWORD ExceptionId, LPVOID CallBack);
__declspec(dllimport) void TITCALL ForceClose();
__declspec(dllimport) void TITCALL StepInto(LPVOID traceCallBack);
__declspec(dllimport) void TITCALL StepOver(LPVOID traceCallBack);
__declspec(dllimport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack);
__declspec(dllimport) bool TITCALL GetUnusedHardwareBreakPointRegister(LPDWORD RegisterIndex);
__declspec(dllimport) bool TITCALL SetHardwareBreakPointEx(HANDLE hActiveThread, ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack, LPDWORD IndexOfSelectedRegister);
__declspec(dllimport) bool TITCALL SetHardwareBreakPoint(ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL DeleteHardwareBreakPoint(DWORD IndexOfRegister);
__declspec(dllimport) bool TITCALL RemoveAllBreakPoints(DWORD RemoveOption);
__declspec(dllimport) void* TITCALL GetProcessInformation();
__declspec(dllimport) void* TITCALL GetStartupInformation();
__declspec(dllimport) void TITCALL DebugLoop();
__declspec(dllimport) void TITCALL SetDebugLoopTimeOut(DWORD TimeOut);
__declspec(dllimport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode);
__declspec(dllimport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack);
__declspec(dllimport) bool TITCALL DetachDebugger(DWORD ProcessId);
__declspec(dllimport) bool TITCALL DetachDebuggerEx(DWORD ProcessId);
__declspec(dllimport) void TITCALL DebugLoopEx(DWORD TimeOut);
__declspec(dllimport) void TITCALL AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllimport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllimport) bool TITCALL IsFileBeingDebugged();
__declspec(dllimport) void TITCALL SetErrorModel(bool DisplayErrorMessages);
// TitanEngine.FindOEP.functions:
__declspec(dllimport) void TITCALL FindOEPInit();
__declspec(dllimport) bool TITCALL FindOEPGenerically(char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
__declspec(dllimport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
// TitanEngine.Importer.functions:
__declspec(dllimport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk);
__declspec(dllimport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue);
__declspec(dllimport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue);
__declspec(dllimport) long TITCALL ImporterGetAddedDllCount();
__declspec(dllimport) long TITCALL ImporterGetAddedAPICount();
__declspec(dllimport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllimport) long TITCALL ImporterEstimatedSize();
__declspec(dllimport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
__declspec(dllimport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
__declspec(dllimport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName);
__declspec(dllimport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber);
__declspec(dllimport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllimport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllimport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllimport) long long TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllimport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName);
__declspec(dllimport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) long long TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllimport) long TITCALL ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllimport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase);
__declspec(dllimport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) long TITCALL ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllimport) long long TITCALL ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) long long TITCALL ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllimport) bool TITCALL ImporterCopyOriginalIAT(char* szOriginalFile, char* szDumpFile);
__declspec(dllimport) bool TITCALL ImporterCopyOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile);
__declspec(dllimport) bool TITCALL ImporterLoadImportTable(char* szFileName);
__declspec(dllimport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL ImporterMoveOriginalIAT(char* szOriginalFile, char* szDumpFile, char* szSectionName);
__declspec(dllimport) bool TITCALL ImporterMoveOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile, char* szSectionName);
__declspec(dllimport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllimport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllimport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllimport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
__declspec(dllimport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllimport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllimport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllimport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllimport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
// Global.Engine.Hook.functions:
__declspec(dllimport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
__declspec(dllimport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
__declspec(dllimport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress);
__declspec(dllimport) void* TITCALL HooksGetTrampolineAddress(LPVOID HookAddress);
__declspec(dllimport) void* TITCALL HooksGetHookEntryDetails(LPVOID HookAddress);
__declspec(dllimport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress, LPVOID RedirectTo, int HookType);
__declspec(dllimport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR FileMapVA, ULONG_PTR LoadedModuleBase, char* szHookFunction, LPVOID RedirectTo);
__declspec(dllimport) bool TITCALL HooksInsertNewIATRedirection(char* szModuleName, char* szHookFunction, LPVOID RedirectTo);
__declspec(dllimport) bool TITCALL HooksRemoveRedirection(LPVOID HookAddress, bool RemoveAll);
__declspec(dllimport) bool TITCALL HooksRemoveRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllimport) bool TITCALL HooksRemoveIATRedirection(char* szModuleName, char* szHookFunction, bool RemoveAll);
__declspec(dllimport) bool TITCALL HooksDisableRedirection(LPVOID HookAddress, bool DisableAll);
__declspec(dllimport) bool TITCALL HooksDisableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllimport) bool TITCALL HooksDisableIATRedirection(char* szModuleName, char* szHookFunction, bool DisableAll);
__declspec(dllimport) bool TITCALL HooksEnableRedirection(LPVOID HookAddress, bool EnableAll);
__declspec(dllimport) bool TITCALL HooksEnableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllimport) bool TITCALL HooksEnableIATRedirection(char* szModuleName, char* szHookFunction, bool EnableAll);
__declspec(dllimport) void TITCALL HooksScanModuleMemory(HMODULE ModuleBase, LPVOID CallBack);
__declspec(dllimport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack);
__declspec(dllimport) void TITCALL HooksScanEntireProcessMemoryEx();
// TitanEngine.Tracer.functions:
__declspec(dllimport) void TITCALL TracerInit();
__declspec(dllimport) long long TITCALL TracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllimport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD InputNumberOfInstructions);
__declspec(dllimport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllimport) long long TITCALL TracerFixKnownRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD RedirectionId);
__declspec(dllimport) long long TITCALL TracerFixRedirectionViaModule(HMODULE hModuleHandle, HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD IdParameter);
__declspec(dllimport) long long TITCALL TracerDetectRedirectionViaModule(HMODULE hModuleHandle, HANDLE hProcess, ULONG_PTR AddressToTrace, PDWORD ReturnedId);
__declspec(dllimport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hProcess, char* szPluginName, ULONG_PTR AddressToTrace);
// TitanEngine.Exporter.functions:
__declspec(dllimport) void TITCALL ExporterCleanup();
__declspec(dllimport) void TITCALL ExporterSetImageBase(ULONG_PTR ImageBase);
__declspec(dllimport) void TITCALL ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, char* szExportModuleName);
__declspec(dllimport) bool TITCALL ExporterAddNewExport(char* szExportName, DWORD ExportRelativeAddress);
__declspec(dllimport) bool TITCALL ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress);
__declspec(dllimport) long TITCALL ExporterGetAddedExportCount();
__declspec(dllimport) long TITCALL ExporterEstimatedSize();
__declspec(dllimport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName);
__declspec(dllimport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName);
__declspec(dllimport) bool TITCALL ExporterLoadExportTable(char* szFileName);
__declspec(dllimport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName);
// TitanEngine.Librarian.functions:
__declspec(dllimport) bool TITCALL LibrarianSetBreakPoint(char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL LibrarianRemoveBreakPoint(char* szLibraryName, DWORD bpxType);
__declspec(dllimport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName);
__declspec(dllimport) void* TITCALL LibrarianGetLibraryInfoW(wchar_t* szLibraryName);
__declspec(dllimport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll);
__declspec(dllimport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll);
__declspec(dllimport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack);
__declspec(dllimport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack);
// TitanEngine.Process.functions:
__declspec(dllimport) long TITCALL GetActiveProcessId(char* szImageName);
__declspec(dllimport) long TITCALL GetActiveProcessIdW(wchar_t* szImageName);
__declspec(dllimport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, void* EnumFunction);
// TitanEngine.TLSFixer.functions:
__declspec(dllimport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL TLSGrabCallBackData(char* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks);
__declspec(dllimport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks);
__declspec(dllimport) bool TITCALL TLSBreakOnCallBackEx(char* szFileName, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL TLSBreakOnCallBackExW(wchar_t* szFileName, LPVOID bpxCallBack);
__declspec(dllimport) bool TITCALL TLSRemoveCallback(char* szFileName);
__declspec(dllimport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL TLSRemoveTable(char* szFileName);
__declspec(dllimport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL TLSBackupData(char* szFileName);
__declspec(dllimport) bool TITCALL TLSBackupDataW(wchar_t* szFileName);
__declspec(dllimport) bool TITCALL TLSRestoreData();
__declspec(dllimport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
__declspec(dllimport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
__declspec(dllimport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
// TitanEngine.TranslateName.functions:
__declspec(dllimport) void* TITCALL TranslateNativeName(char* szNativeName);
__declspec(dllimport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName);
// TitanEngine.Handler.functions:
__declspec(dllimport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId);
__declspec(dllimport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle);
__declspec(dllimport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName);
__declspec(dllimport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName);
__declspec(dllimport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount);
__declspec(dllimport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn);
__declspec(dllimport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle);
__declspec(dllimport) long TITCALL HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount);
__declspec(dllimport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount);
__declspec(dllimport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllimport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllimport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllimport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
// TitanEngine.Handler[Mutex].functions:
__declspec(dllimport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount);
__declspec(dllimport) long long TITCALL HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, char* szMutexString);
__declspec(dllimport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, wchar_t* szMutexString);
__declspec(dllimport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString);
__declspec(dllimport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString);
// TitanEngine.Injector.functions:
__declspec(dllimport) bool TITCALL RemoteLoadLibrary(HANDLE hProcess, char* szLibraryFile, bool WaitForThreadExit);
__declspec(dllimport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t* szLibraryFile, bool WaitForThreadExit);
__declspec(dllimport) bool TITCALL RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, char* szLibraryFile, bool WaitForThreadExit);
__declspec(dllimport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, wchar_t* szLibraryFile, bool WaitForThreadExit);
__declspec(dllimport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD ExitCode);
// TitanEngine.StaticUnpacker.functions:
__declspec(dllimport) bool TITCALL StaticFileLoad(char* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL StaticFileLoadW(wchar_t* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL StaticFileUnload(char* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL StaticFileUnloadW(wchar_t* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA);
__declspec(dllimport) bool TITCALL StaticFileOpen(char* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh);
__declspec(dllimport) bool TITCALL StaticFileOpenW(wchar_t* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh);
__declspec(dllimport) bool TITCALL StaticFileGetContent(HANDLE FileHandle, DWORD FilePositionLow, LPDWORD FilePositionHigh, void* Buffer, DWORD Size);
__declspec(dllimport) void TITCALL StaticFileClose(HANDLE FileHandle);
__declspec(dllimport) void TITCALL StaticMemoryDecrypt(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey);
__declspec(dllimport) void TITCALL StaticMemoryDecryptEx(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, void* DecryptionCallBack);
__declspec(dllimport) void TITCALL StaticMemoryDecryptSpecial(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, DWORD SpecDecryptionType, void* DecryptionCallBack);
__declspec(dllimport) void TITCALL StaticSectionDecrypt(ULONG_PTR FileMapVA, DWORD SectionNumber, bool SimulateLoad, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey);
__declspec(dllimport) bool TITCALL StaticMemoryDecompress(void* Source, DWORD SourceSize, void* Destination, DWORD DestinationSize, int Algorithm);
__declspec(dllimport) bool TITCALL StaticRawMemoryCopy(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, char* szDumpFileName);
__declspec(dllimport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, wchar_t* szDumpFileName);
__declspec(dllimport) bool TITCALL StaticHashMemory(void* MemoryToHash, DWORD SizeOfMemory, void* HashDigest, bool OutputString, int Algorithm);
__declspec(dllimport) bool TITCALL StaticHashFile(char* szFileName, char* HashDigest, bool OutputString, int Algorithm);
__declspec(dllimport) bool TITCALL StaticHashFileW(wchar_t* szFileName, char* HashDigest, bool OutputString, int Algorithm);
// TitanEngine.Engine.functions:
__declspec(dllimport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet);
__declspec(dllimport) bool TITCALL EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles);
__declspec(dllimport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szFileName, wchar_t* szOutputFolder, bool LogCreatedFiles);
__declspec(dllimport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess);
__declspec(dllimport) bool TITCALL EngineDeleteCreatedDependencies();
__declspec(dllimport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
__declspec(dllimport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
// Global.Engine.Extension.Functions:
__declspec(dllimport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName);
__declspec(dllimport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName);
__declspec(dllimport) bool TITCALL ExtensionManagerDisableAllPlugins();
__declspec(dllimport) bool TITCALL ExtensionManagerDisablePlugin(char* szPluginName);
__declspec(dllimport) bool TITCALL ExtensionManagerEnableAllPlugins();
__declspec(dllimport) bool TITCALL ExtensionManagerEnablePlugin(char* szPluginName);
__declspec(dllimport) bool TITCALL ExtensionManagerUnloadAllPlugins();
__declspec(dllimport) bool TITCALL ExtensionManagerUnloadPlugin(char* szPluginName);
__declspec(dllimport) void* TITCALL ExtensionManagerGetPluginInfo(char* szPluginName);
#ifdef __cplusplus
}
#endif /*__cplusplus*/
#pragma pack(pop)
#endif /*TITANENGINE*/
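
Review bot: In the StaticUnpacker group, `StaticRawMemoryCopyEx`, `StaticRawMemoryCopyExW`, `StaticRawMemoryCopyEx64` and `StaticRawMemoryCopyEx64W` are declared `__declspec(dllexport)`, while every other prototype shown in this header is `__declspec(dllimport)`. A consumer that includes this header would have those four symbols marked for export from its own module instead of imported from the engine DLL. They should read `__declspec(dllimport)` like their neighbours, or the whole header should go through a single import/export macro. Two smaller points in the same hunk: `VitualAddressToCopy` in `StaticRawMemoryCopy` and `StaticRawMemoryCopyW` is a typo for `VirtualAddressToCopy`, and since the `#ifdef __cplusplus` guard suggests the header is also meant to compile as C, `HooksScanEntireProcessMemoryEx()` and the other empty parameter lists would be safer written as `(void)`.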

File diff suppressed because it is too large

@ -1,755 +0,0 @@
unit TitanEngine;
interface
{TitanEngine Delphi SDK - 2.0.3}
{http://www.reversinglabs.com/}
{Types}
type
PE32Structure = ^PE_32_STRUCT;
PE_32_STRUCT = packed record
PE32Offset : LongInt;
ImageBase : LongInt;
OriginalEntryPoint : LongInt;
NtSizeOfImage : LongInt;
NtSizeOfHeaders : LongInt;
SizeOfOptionalHeaders : SmallInt;
FileAlignment : LongInt;
SectionAligment : LongInt;
ImportTableAddress : LongInt;
ImportTableSize : LongInt;
ResourceTableAddress : LongInt;
ResourceTableSize : LongInt;
ExportTableAddress : LongInt;
ExportTableSize : LongInt;
TLSTableAddress : LongInt;
TLSTableSize : LongInt;
RelocationTableAddress : LongInt;
RelocationTableSize : LongInt;
TimeDateStamp : LongInt;
SectionNumber : SmallInt;
CheckSum : LongInt;
SubSystem : SmallInt;
Characteristics : SmallInt;
NumberOfRvaAndSizes : LongInt;
end;
FileStatusInfo = ^FILE_STATUS_INFO;
FILE_STATUS_INFO = packed record
OveralEvaluation : BYTE;
EvaluationTerminatedByException : boolean;
FileIs64Bit : boolean;
FileIsDLL : boolean;
FileIsConsole : boolean;
MissingDependencies : boolean;
MissingDeclaredAPIs : boolean;
SignatureMZ : BYTE;
SignaturePE : BYTE;
EntryPoint : BYTE;
ImageBase : BYTE;
SizeOfImage : BYTE;
FileAlignment : BYTE;
SectionAlignment : BYTE;
ExportTable : BYTE;
RelocationTable : BYTE;
ImportTable : BYTE;
ImportTableSection : BYTE;
ImportTableData : BYTE;
IATTable : BYTE;
TLSTable : BYTE;
LoadConfigTable : BYTE;
BoundImportTable : BYTE;
COMHeaderTable : BYTE;
ResourceTable : BYTE;
ResourceData : BYTE;
SectionTable : BYTE;
end;
FileFixInfo = ^FILE_FIX_INFO;
FILE_FIX_INFO = packed record
OveralEvaluation : BYTE;
FixingTerminatedByException : boolean;
FileFixPerformed : boolean;
StrippedRelocation : boolean;
DontFixRelocations : boolean;
OriginalRelocationTableAddress : LongInt;
OriginalRelocationTableSize : LongInt;
StrippedExports : boolean;
DontFixExports : boolean;
OriginalExportTableAddress : LongInt;
OriginalExportTableSize : LongInt;
StrippedResources : boolean;
DontFixResources : boolean;
OriginalResourceTableAddress : LongInt;
OriginalResourceTableSize : LongInt;
StrippedTLS : boolean;
DontFixTLS : boolean;
OriginalTLSTableAddress : LongInt;
OriginalTLSTableSize : LongInt;
StrippedLoadConfig : boolean;
DontFixLoadConfig : boolean;
OriginalLoadConfigTableAddress : LongInt;
OriginalLoadConfigTableSize : LongInt;
StrippedBoundImports : boolean;
DontFixBoundImports : boolean;
OriginalBoundImportTableAddress : LongInt;
OriginalBoundImportTableSize : LongInt;
StrippedIAT : boolean;
DontFixIAT : boolean;
OriginalImportAddressTableAddress : LongInt;
OriginalImportAddressTableSize : LongInt;
StrippedCOM : boolean;
DontFixCOM : boolean;
OriginalCOMTableAddress : LongInt;
OriginalCOMTableSize : LongInt;
end;
ImportEnumData = ^IMPORT_ENUM_DATA;
IMPORT_ENUM_DATA = packed record
NewDll : boolean;
NumberOfImports : LongInt;
ImageBase : LongInt;
BaseImportThunk : LongInt;
ImportThunk : LongInt;
APIName : PAnsiChar;
DLLName : PAnsiChar;
end;
ThreadItemData = ^THREAD_ITEM_DATA;
THREAD_ITEM_DATA = packed record
hThread : THandle;
dwThreadId : LongInt;
ThreadStartAddress : LongInt;
ThreadLocalBase : LongInt;
end;
LibraryItemData = ^LIBRARY_ITEM_DATA;
LIBRARY_ITEM_DATA = packed record
hFile : THandle;
BaseOfDll : Pointer;
hFileMapping : THandle;
hFileMappingView : Pointer;
szLibraryPath:array[1..260] of AnsiChar;
szLibraryName:array[1..260] of AnsiChar;
end;
ProcessItemData = ^PROCESS_ITEM_DATA;
PROCESS_ITEM_DATA = packed record
hProcess : THandle;
dwProcessId : LongInt;
hThread : THandle;
dwThreadId : LongInt;
hFile : THandle;
BaseOfImage : Pointer;
ThreadStartAddress : Pointer;
ThreadLocalBase : Pointer;
end;
HandlerArray = ^HANDLER_ARRAY;
HANDLER_ARRAY = packed record
ProcessId : LongInt;
hHandle : THandle;
end;
HookEntry = ^HOOK_ENTRY;
HOOK_ENTRY = packed record
IATHook : boolean;
HookType : BYTE;
HookSize : LongInt;
HookAddress : Pointer;
RedirectionAddress : Pointer;
HookBytes:array[1..14] of BYTE;
OriginalBytes:array[1..14] of BYTE;
IATHookModuleBase : Pointer;
IATHookNameHash : LongInt;
HookIsEnabled : boolean;
HookIsRemote : boolean;
PatchedEntry : Pointer;
RelocationInfo:array[1..7] of LongInt;
RelocationCount : LongInt;
end;
PluginInformation = ^PLUGIN_INFORMATION;
PLUGIN_INFORMATION = packed record
PluginName:array[1..64] of AnsiChar;
PluginMajorVersion : LongInt;
PluginMinorVersion : LongInt;
PluginBaseAddress : LongInt;
TitanDebuggingCallBack : Pointer;
TitanRegisterPlugin : Pointer;
TitanReleasePlugin : Pointer;
TitanResetPlugin : Pointer;
PluginDisabled : boolean;
end;
const
{Registers}
UE_EAX = 1;
UE_EBX = 2;
UE_ECX = 3;
UE_EDX = 4;
UE_EDI = 5;
UE_ESI = 6;
UE_EBP = 7;
UE_ESP = 8;
UE_EIP = 9;
UE_EFLAGS = 10;
UE_DR0 = 11;
UE_DR1 = 12;
UE_DR2 = 13;
UE_DR3 = 14;
UE_DR6 = 15;
UE_DR7 = 16;
UE_CIP = 35;
UE_CSP = 36;
UE_SEG_GS = 37;
UE_SEG_FS = 38;
UE_SEG_ES = 39;
UE_SEG_DS = 40;
UE_SEG_CS = 41;
UE_SEG_SS = 42;
{Constants}
UE_PE_OFFSET = 0;
UE_IMAGEBASE = 1;
UE_OEP = 2;
UE_SIZEOFIMAGE = 3;
UE_SIZEOFHEADERS = 4;
UE_SIZEOFOPTIONALHEADER = 5;
UE_SECTIONALIGNMENT = 6;
UE_IMPORTTABLEADDRESS = 7;
UE_IMPORTTABLESIZE = 8;
UE_RESOURCETABLEADDRESS = 9;
UE_RESOURCETABLESIZE = 10;
UE_EXPORTTABLEADDRESS = 11;
UE_EXPORTTABLESIZE = 12;
UE_TLSTABLEADDRESS = 13;
UE_TLSTABLESIZE = 14;
UE_RELOCATIONTABLEADDRESS = 15;
UE_RELOCATIONTABLESIZE = 16;
UE_TIMEDATESTAMP = 17;
UE_SECTIONNUMBER = 18;
UE_CHECKSUM = 19;
UE_SUBSYSTEM = 20;
UE_CHARACTERISTICS = 21;
UE_NUMBEROFRVAANDSIZES = 22;
UE_SECTIONNAME = 23;
UE_SECTIONVIRTUALOFFSET = 24;
UE_SECTIONVIRTUALSIZE = 25;
UE_SECTIONRAWOFFSET = 26;
UE_SECTIONRAWSIZE = 27;
UE_SECTIONFLAGS = 28;
UE_CH_BREAKPOINT = 1;
UE_CH_SINGLESTEP = 2;
UE_CH_ACCESSVIOLATION = 3;
UE_CH_ILLEGALINSTRUCTION = 4;
UE_CH_NONCONTINUABLEEXCEPTION = 5;
UE_CH_ARRAYBOUNDSEXCEPTION = 6;
UE_CH_FLOATDENORMALOPERAND = 7;
UE_CH_FLOATDEVIDEBYZERO = 8;
UE_CH_INTEGERDEVIDEBYZERO = 9;
UE_CH_INTEGEROVERFLOW = 10;
UE_CH_PRIVILEGEDINSTRUCTION = 11;
UE_CH_PAGEGUARD = 12;
UE_CH_EVERYTHINGELSE = 13;
UE_CH_CREATETHREAD = 14;
UE_CH_EXITTHREAD = 15;
UE_CH_CREATEPROCESS = 16;
UE_CH_EXITPROCESS = 17;
UE_CH_LOADDLL = 18;
UE_CH_UNLOADDLL = 19;
UE_CH_OUTPUTDEBUGSTRING = 20;
UE_CH_AFTEREXCEPTIONPROCESSING = 21;
UE_CH_ALLEVENTS = 22;
UE_CH_SYSTEMBREAKPOINT = 23;
UE_CH_UNHANDLEDEXCEPTION = 24;
UE_FUNCTION_STDCALL = 1;
UE_FUNCTION_CCALL = 2;
UE_FUNCTION_FASTCALL = 3;
UE_FUNCTION_STDCALL_RET = 4;
UE_FUNCTION_CCALL_RET = 5;
UE_FUNCTION_FASTCALL_RET = 6;
UE_FUNCTION_STDCALL_CALL = 7;
UE_FUNCTION_CCALL_CALL = 8;
UE_FUNCTION_FASTCALL_CALL = 9;
UE_PARAMETER_BYTE = 0;
UE_PARAMETER_WORD = 1;
UE_PARAMETER_DWORD = 2;
UE_PARAMETER_QWORD = 3;
UE_PARAMETER_PTR_BYTE = 4;
UE_PARAMETER_PTR_WORD = 5;
UE_PARAMETER_PTR_DWORD = 6;
UE_PARAMETER_PTR_QWORD = 7;
UE_PARAMETER_STRING = 8;
UE_PARAMETER_UNICODE = 9;
UE_CMP_NOCONDITION = 0;
UE_CMP_EQUAL = 1;
UE_CMP_NOTEQUAL = 2;
UE_CMP_GREATER = 3;
UE_CMP_GREATEROREQUAL = 4;
UE_CMP_LOWER = 5;
UE_CMP_LOWEROREQUAL = 6;
UE_CMP_REG_EQUAL = 7;
UE_CMP_REG_NOTEQUAL = 8;
UE_CMP_REG_GREATER = 9;
UE_CMP_REG_GREATEROREQUAL = 10;
UE_CMP_REG_LOWER = 11;
UE_CMP_REG_LOWEROREQUAL = 12;
UE_CMP_ALWAYSFALSE = 13;
UE_OPTION_HANDLER_RETURN_HANDLECOUNT = 1;
UE_OPTION_HANDLER_RETURN_ACCESS = 2;
UE_OPTION_HANDLER_RETURN_FLAGS = 3;
UE_OPTION_HANDLER_RETURN_TYPENAME = 4;
UE_BREAKPOINT_INT3 = 1;
UE_BREAKPOINT_LONG_INT3 = 2;
UE_BREAKPOINT_UD2 = 3;
UE_BPXREMOVED = 0;
UE_BPXACTIVE = 1;
UE_BPXINACTIVE = 2;
UE_BREAKPOINT = 0;
UE_SINGLESHOOT = 1;
UE_HARDWARE = 2;
UE_MEMORY = 3;
UE_MEMORY_READ = 4;
UE_MEMORY_WRITE = 5;
UE_MEMORY_EXECUTE = 6;
UE_BREAKPOINT_TYPE_INT3 = $10000000;
UE_BREAKPOINT_TYPE_LONG_INT3 = $20000000;
UE_BREAKPOINT_TYPE_UD2 = $30000000;
UE_HARDWARE_EXECUTE = 4;
UE_HARDWARE_WRITE = 5;
UE_HARDWARE_READWRITE = 6;
UE_HARDWARE_SIZE_1 = 7;
UE_HARDWARE_SIZE_2 = 8;
UE_HARDWARE_SIZE_4 = 9;
UE_ON_LIB_LOAD = 1;
UE_ON_LIB_UNLOAD = 2;
UE_ON_LIB_ALL = 3;
UE_APISTART = 0;
UE_APIEND = 1;
UE_PLATFORM_x86 = 1;
UE_PLATFORM_x64 = 2;
UE_PLATFORM_ALL = 3;
UE_ACCESS_READ = 0;
UE_ACCESS_WRITE = 1;
UE_ACCESS_ALL = 2;
UE_HIDE_BASIC = 1;
UE_ENGINE_ALOW_MODULE_LOADING = 1;
UE_ENGINE_AUTOFIX_FORWARDERS = 2;
UE_ENGINE_PASS_ALL_EXCEPTIONS = 3;
UE_ENGINE_NO_CONSOLE_WINDOW = 4;
UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = 5;
UE_ENGINE_CALL_PLUGIN_CALLBACK = 6;
UE_ENGINE_RESET_CUSTOM_HANDLER = 7;
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8;
UE_OPTION_REMOVEALL = 1;
UE_OPTION_DISABLEALL = 2;
UE_OPTION_REMOVEALLDISABLED = 3;
UE_OPTION_REMOVEALLENABLED = 4;
UE_STATIC_DECRYPTOR_XOR = 1;
UE_STATIC_DECRYPTOR_SUB = 2;
UE_STATIC_DECRYPTOR_ADD = 3;
UE_STATIC_DECRYPTOR_FOREWARD = 1;
UE_STATIC_DECRYPTOR_BACKWARD = 2;
UE_STATIC_KEY_SIZE_1 = 1;
UE_STATIC_KEY_SIZE_2 = 2;
UE_STATIC_KEY_SIZE_4 = 4;
UE_STATIC_KEY_SIZE_8 = 8;
UE_STATIC_APLIB = 1;
UE_STATIC_APLIB_DEPACK = 2;
UE_STATIC_LZMA = 3;
UE_STATIC_HASH_MD5 = 1;
UE_STATIC_HASH_SHA1 = 2;
UE_STATIC_HASH_CRC32 = 3;
UE_RESOURCE_LANGUAGE_ANY = -1;
UE_DEPTH_SURFACE = 0;
UE_DEPTH_DEEP = 1;
UE_UNPACKER_CONDITION_SEARCH_FROM_EP = 1;
UE_UNPACKER_CONDITION_LOADLIBRARY = 1;
UE_UNPACKER_CONDITION_GETPROCADDRESS = 2;
UE_UNPACKER_CONDITION_ENTRYPOINTBREAK = 3;
UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 = 4;
UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 = 5;
UE_FIELD_OK = 0;
UE_FIELD_BROKEN_NON_FIXABLE = 1;
UE_FIELD_BROKEN_NON_CRITICAL = 2;
UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE = 3;
UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED = 4;
UE_FILED_FIXABLE_NON_CRITICAL = 5;
UE_FILED_FIXABLE_CRITICAL = 6;
UE_FIELD_NOT_PRESET = 7;
UE_FIELD_NOT_PRESET_WARNING = 8;
UE_RESULT_FILE_OK = 10;
UE_RESULT_FILE_INVALID_BUT_FIXABLE = 11;
UE_RESULT_FILE_INVALID_AND_NON_FIXABLE = 12;
UE_RESULT_FILE_INVALID_FORMAT = 13;
UE_PLUGIN_CALL_REASON_PREDEBUG = 1;
UE_PLUGIN_CALL_REASON_EXCEPTION = 2;
UE_PLUGIN_CALL_REASON_POSTDEBUG = 3;
TEE_HOOK_NRM_JUMP = 1;
TEE_HOOK_NRM_CALL = 3;
TEE_HOOK_IAT = 5;
{TitanEngine.Dumper.functions}
function DumpProcess(hProcess:THandle; ImageBase:LongInt; szDumpFileName:PAnsiChar; EntryPoint:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'DumpProcess';
function DumpProcessEx(ProcessId:LongInt; ImageBase:LongInt; szDumpFileName:PAnsiChar; EntryPoint:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'DumpProcessEx';
function DumpMemory(hProcess:THandle; MemoryStart,MemorySize:LongInt; szDumpFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'DumpMemory';
function DumpMemoryEx(ProcessId:LongInt; MemoryStart,MemorySize:LongInt; szDumpFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'DumpMemoryEx';
function DumpRegions(hProcess:THandle; szDumpFolder:PAnsiChar; DumpAboveImageBaseOnly:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'DumpRegions';
function DumpRegionsEx(ProcessId:LongInt; szDumpFolder:PAnsiChar; DumpAboveImageBaseOnly:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'DumpRegionsEx';
function DumpModule(hProcess:THandle; ModuleBase:LongInt; szDumpFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'DumpModule';
function DumpModuleEx(ProcessId:LongInt; ModuleBase:LongInt; szDumpFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'DumpModuleEx';
function PastePEHeader(hProcess:THandle; ImageBase:LongInt; szDebuggedFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'PastePEHeader';
function ExtractSection(szFileName,szDumpFileName:PAnsiChar; SectionNumber:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ExtractSection';
function ResortFileSections(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ResortFileSections';
function FindOverlay(szFileName:PAnsiChar; OverlayStart,OverlaySize:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'FindOverlay';
function ExtractOverlay(szFileName,szExtactedFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExtractOverlay';
function AddOverlay(szFileName,szOverlayFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'AddOverlay';
function CopyOverlay(szInFileName,szOutFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'CopyOverlay';
function RemoveOverlay(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'RemoveOverlay';
function MakeAllSectionsRWE(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'MakeAllSectionsRWE';
function AddNewSectionEx(szFileName,szSectionName:PAnsiChar; SectionSize,SectionAttributes:LongInt; SectionContent:Pointer; ContentSize:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'AddNewSectionEx';
function AddNewSection(szFileName,szSectionName:PAnsiChar; SectionSize:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'AddNewSection';
function ResizeLastSection(szFileName:PAnsiChar; NumberOfExpandBytes:LongInt; AlignResizeData:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'ResizeLastSection';
procedure SetSharedOverlay(szFileName:PAnsiChar); stdcall; external 'TitanEngine.dll' name 'SetSharedOverlay';
function GetSharedOverlay():PAnsiChar; stdcall; external 'TitanEngine.dll' name 'GetSharedOverlay';
function DeleteLastSection(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'DeleteLastSection';
function DeleteLastSectionEx(szFileName:PAnsiChar; NumberOfSections:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'DeleteLastSectionEx';
function GetPE32DataFromMappedFile(FileMapVA,WhichSection,WhichData:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPE32DataFromMappedFile';
function GetPE32Data(szFileName:PAnsiChar; WhichSection,WhichData:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPE32Data';
function GetPE32DataFromMappedFileEx(FileMapVA:LongInt; DataStorage:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'GetPE32DataFromMappedFileEx';
function GetPE32DataEx(szFileName:PAnsiChar; DataStorage:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'GetPE32DataEx';
function SetPE32DataForMappedFile(FileMapVA,WhichSection,WhichData,NewDataValue:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'SetPE32DataForMappedFile';
function SetPE32Data(szFileName:PAnsiChar; WhichSection,WhichData,NewDataValue:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'SetPE32Data';
function SetPE32DataForMappedFileEx(szFileName:PAnsiChar; DataStorage:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetPE32DataForMappedFileEx';
function SetPE32DataEx(szFileName:PAnsiChar; DataStorage:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetPE32DataEx';
function GetPE32SectionNumberFromVA(FileMapVA,AddressToConvert:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPE32SectionNumberFromVA';
function ConvertVAtoFileOffset(FileMapVA,AddressToConvert:LongInt; ReturnType:boolean):LongInt; stdcall; external 'TitanEngine.dll' name 'ConvertVAtoFileOffset';
function ConvertVAtoFileOffsetEx(FileMapVA,FileSize,ImageBase,AddressToConvert:LongInt; AddressIsRVA,ReturnType:boolean):LongInt; stdcall; external 'TitanEngine.dll' name 'ConvertVAtoFileOffsetEx';
function ConvertFileOffsetToVA(FileMapVA,AddressToConvert:LongInt; ReturnType:boolean):LongInt; stdcall; external 'TitanEngine.dll' name 'ConvertFileOffsetToVA';
function ConvertFileOffsetToVAEx(FileMapVA,FileSize,ImageBase,AddressToConvert:LongInt; ReturnType:boolean):LongInt; stdcall; external 'TitanEngine.dll' name 'ConvertFileOffsetToVAEx';
{TitanEngine.Realigner.functions}
function FixHeaderCheckSum(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'FixHeaderCheckSum';
function RealignPE(FileMapVA,FileSize,RealingMode:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'RealignPE';
function RealignPEEx(szFileName:PAnsiChar; RealingFileSize,ForcedFileAlignment:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'RealignPEEx';
function WipeSection(szFileName:PAnsiChar; WipeSectionNumber:LongInt; RemovePhysically:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'WipeSection';
function IsPE32FileValidEx(szFileName:PAnsiChar; CheckDepth:LongInt; FileStatusInfo:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'IsPE32FileValidEx';
function FixBrokenPE32FileEx(szFileName:PAnsiChar; FileStatusInfo,FileFixInfo:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'FixBrokenPE32FileEx';
function IsFileDLL(szFileName:PAnsiChar; FileMapVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'IsFileDLL';
{TitanEngine.Hider.functions}
function GetPEBLocation(hProcess:THandle):LongInt; stdcall; external 'TitanEngine.dll' name 'GetPEBLocation';
function HideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HideDebugger';
function UnHideDebugger(hProcess:THandle; PatchAPILevel:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'UnHideDebugger';
{TitanEngine.Relocater.functions}
procedure RelocaterCleanup(); stdcall; external 'TitanEngine.dll' name 'RelocaterCleanup';
procedure RelocaterInit(MemorySize,OldImageBase,NewImageBase:LongInt); stdcall; external 'TitanEngine.dll' name 'RelocaterInit';
procedure RelocaterAddNewRelocation(hProcess:THandle; RelocateAddress,RelocateState:LongInt); stdcall; external 'TitanEngine.dll' name 'RelocaterAddNewRelocation';
function RelocaterEstimatedSize():LongInt; stdcall; external 'TitanEngine.dll' name 'RelocaterEstimatedSize';
function RelocaterExportRelocation(StorePlace,StorePlaceRVA,FileMapVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterExportRelocation';
function RelocaterExportRelocationEx(szFileName,szSectionName:PAnsiChar; StorePlace,StorePlaceRVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterExportRelocationEx';
function RelocaterGrabRelocationTable(hProcess:THandle; MemoryStart,MemorySize:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterGrabRelocationTable';
function RelocaterGrabRelocationTableEx(hProcess:THandle; MemoryStart,MemorySize,NtSizeOfImage:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterGrabRelocationTableEx';
function RelocaterMakeSnapshot(hProcess:THandle; szSaveFileName:PAnsiChar; MemoryStart,MemorySize:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterMakeSnapshot';
function RelocaterCompareTwoSnapshots(hProcess:THandle; LoadedImageBase,NtSizeOfImage:LongInt; szDumpFile1,szDumpFile2:PAnsiChar; MemStart:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterCompareTwoSnapshots';
function RelocaterChangeFileBase(szFileName:PAnsiChar; NewImageBase:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterChangeFileBase';
function RelocaterRelocateMemoryBlock(FileMapVA,MemoryLocation:LongInt; RelocateMemory:Pointer; RelocateMemorySize,CurrentLoadedBase,RelocateBase:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterRelocateMemoryBlock';
function RelocaterWipeRelocationTable(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'RelocaterWipeRelocationTable';
{TitanEngine.Resourcer.functions}
function ResourcerLoadFileForResourceUse(szFileName:PAnsiChar):LongInt; stdcall; external 'TitanEngine.dll' name 'ResourcerLoadFileForResourceUse';
function ResourcerFreeLoadedFile(LoadedFileBase:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ResourcerFreeLoadedFile';
function ResourcerExtractResourceFromFileEx(FileMapVA:LongInt; szResourceType,szResourceName,szExtractedFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ResourcerExtractResourceFromFileEx';
function ResourcerExtractResourceFromFile(szFileName,szResourceType,szResourceName,szExtractedFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ResourcerExtractResourceFromFile';
function ResourcerFindResource(szFileName,szResourceType:PAnsiChar; ResourceType:LongInt; szResourceName:PAnsiChar; ResourceName,ResourceLanguage:LongInt; pResourceData,pResourceSize:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'ResourcerFindResource';
function ResourcerFindResourceEx(FileMapVA,FileSize:LongInt; szResourceType:PAnsiChar; ResourceType:LongInt; szResourceName:PAnsiChar; ResourceName,ResourceLanguage:LongInt; pResourceData,pResourceSize:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'ResourcerFindResourceEx';
procedure ResourcerEnumerateResource(szFileName:PAnsiChar; CallBack:LongInt); stdcall; external 'TitanEngine.dll' name 'ResourcerEnumerateResource';
procedure ResourcerEnumerateResourceEx(FileMapVA,FileSize:LongInt; CallBack:LongInt); stdcall; external 'TitanEngine.dll' name 'ResourcerEnumerateResourceEx';
{TitanEngine.FindOEP.functions}
procedure FindOEPInit(); stdcall; external 'TitanEngine.dll' name 'FindOEPInit';
procedure FindOEPGenerically(szFileName:PAnsiChar; TraceInitCallBack,CallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'FindOEPGenerically';
{TitanEngine.Threader.functions}
function ThreaderImportRunningThreadData(ProcessId:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderImportRunningThreadData';
function ThreaderGetThreadInfo(hThread:THandle; ThreadId:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'ThreaderGetThreadInfo';
procedure ThreaderEnumThreadInfo(EnumCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'ThreaderGetThreadInfo';
function ThreaderPauseThread(hThread:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderPauseThread';
function ThreaderResumeThread(hThread:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderResumeThread';
function ThreaderTerminateThread(hThread:THandle; ThreadExitCode:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderTerminateThread';
function ThreaderPauseAllThreads(LeaveMainRunning:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderPauseAllThreads';
function ThreaderResumeAllThreads(LeaveMainPaused:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderResumeAllThreads';
function ThreaderPauseProcess():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderPauseProcess';
function ThreaderResumeProcess():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderResumeProcess';
function ThreaderCreateRemoteThread(ThreadStartAddress:LongInt; AutoCloseTheHandle:boolean; ThreadPassParameter,ThreadId:Pointer):LongInt; stdcall; external 'TitanEngine.dll' name 'ThreaderCreateRemoteThread';
function ThreaderInjectAndExecuteCode(InjectCode:Pointer; StartDelta,InjectSize:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderInjectAndExecuteCode';
function ThreaderCreateRemoteThreadEx(hProcess:THandle; ThreadStartAddress:LongInt; AutoCloseTheHandle:boolean; ThreadPassParameter,ThreadId:Pointer):LongInt; stdcall; external 'TitanEngine.dll' name 'ThreaderCreateRemoteThreadEx';
function ThreaderInjectAndExecuteCodeEx(hProcess:THandle; InjectCode:Pointer; StartDelta,InjectSize:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderInjectAndExecuteCodeEx';
procedure ThreaderSetCallBackForNextExitThreadEvent(exitThreadCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'ThreaderSetCallBackForNextExitThreadEvent';
function ThreaderIsThreadStillRunning(hThread:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsThreadStillRunning';
function ThreaderIsThreadActive(hThread:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsThreadActive';
function ThreaderIsAnyThreadActive():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsAnyThreadActive';
function ThreaderExecuteOnlyInjectedThreads():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderExecuteOnlyInjectedThreads';
function ThreaderGetOpenHandleForThread(ThreadId:LongInt):THandle; stdcall; external 'TitanEngine.dll' name 'ThreaderGetOpenHandleForThread';
function ThreaderGetThreadData():Pointer; stdcall; external 'TitanEngine.dll' name 'ThreaderGetThreadData';
function ThreaderIsExceptionInMainThread():boolean; stdcall; external 'TitanEngine.dll' name 'ThreaderIsExceptionInMainThread';
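Review bot: `ThreaderEnumThreadInfo` is bound to the export name 'ThreaderGetThreadInfo', the same export as the function declared on the line above it, which looks like a copy-paste slip. As written, a call to `ThreaderEnumThreadInfo(EnumCallBack)` resolves to the two-argument `ThreaderGetThreadInfo(hThread, ThreadId)` entry point; under stdcall the callee pops more stack than the caller pushed and the callback pointer is interpreted as a thread handle. The external name should be changed to 'ThreaderEnumThreadInfo', after confirming that the DLL actually exports that symbol.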
{TitanEngine.Debugger.functions}
function StaticDisassembleEx(DisassmStart:LongInt; DisassmAddress:Pointer):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'StaticDisassembleEx';
function StaticDisassemble(DisassmAddress:Pointer):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'StaticDisassemble';
function DisassembleEx(hProcess:THandle; DisassmAddress:Pointer):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'DisassembleEx';
function Disassemble(DisassmAddress:Pointer):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'Disassemble';
function StaticLengthDisassemble(DisassmAddress:Pointer):LongInt; stdcall; external 'TitanEngine.dll' name 'StaticLengthDisassemble';
function LengthDisassembleEx(hProcess:THandle; DisassmAddress:Pointer):LongInt; stdcall; external 'TitanEngine.dll' name 'LengthDisassembleEx';
function LengthDisassemble(DisassmAddress:Pointer):LongInt; stdcall; external 'TitanEngine.dll' name 'LengthDisassemble';
function InitDebug(szFileName,szCommandLine,szCurrentFolder:PAnsiChar): Pointer; stdcall; external 'TitanEngine.dll' name 'InitDebug';
function InitDebugEx(szFileName,szCommandLine,szCurrentFolder:PAnsiChar; EntryCallBack:Pointer): Pointer; stdcall; external 'TitanEngine.dll' name 'InitDebugEx';
function InitDLLDebug(szFileName:PAnsiChar; ReserveModuleBase:boolean; szCommandLine,szCurrentFolder:PAnsiChar; EntryCallBack:Pointer): Pointer; stdcall; external 'TitanEngine.dll' name 'InitDLLDebug';
function StopDebug(): Boolean; stdcall; external 'TitanEngine.dll' name 'StopDebug';
procedure SetBPXOptions(DefaultBreakPointType:LongInt); stdcall; external 'TitanEngine.dll' name 'SetBPXOptions';
function IsBPXEnabled(bpxAddress:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'IsBPXEnabled';
function EnableBPX(bpxAddress:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'EnableBPX';
function DisableBPX(bpxAddress:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'DisableBPX';
function SetBPX(bpxAddress,bpxType:LongInt; bpxCallBack:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'SetBPX';
function SetBPXEx(bpxAddress,bpxType,NumberOfExecution,CmpRegister,CmpCondition,CmpValue:LongInt; bpxCallBack,bpxCompareCallBack,bpxRemoveCallBack:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'SetBPXEx';
function DeleteBPX(bpxAddress:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'DeleteBPX';
function SafeDeleteBPX(bpxAddress:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'SafeDeleteBPX';
function SetAPIBreakPoint(szDLLName,szAPIName:PAnsiChar; bpxType,bpxPlace:LongInt; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetAPIBreakPoint';
function DeleteAPIBreakPoint(szDLLName,szAPIName:PAnsiChar; bpxPlace:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'DeleteAPIBreakPoint';
function SafeDeleteAPIBreakPoint(szDLLName,szAPIName:PAnsiChar; bpxPlace:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'SafeDeleteAPIBreakPoint';
function SetMemoryBPX(MemoryStart,SizeOfMemory:LongInt; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetMemoryBPX';
function SetMemoryBPXEx(MemoryStart,SizeOfMemory,BreakPointType:LongInt; RestoreOnHit:boolean; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetMemoryBPXEx';
function RemoveMemoryBPX(MemoryStart,SizeOfMemory:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RemoveMemoryBPX';
function GetContextFPUDataEx(hActiveThread:THandle; FPUSaveArea:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'GetContextFPUDataEx';
function GetContextDataEx(hActiveThread:THandle; IndexOfRegister:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'GetContextDataEx';
function GetContextData(IndexOfRegister:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'GetContextData';
function SetContextFPUDataEx(hActiveThread:THandle; FPUSaveArea:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'SetContextFPUDataEx';
function SetContextDataEx(hActiveThread:THandle; IndexOfRegister,NewRegisterValue:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'SetContextDataEx';
function SetContextData(IndexOfRegister,NewRegisterValue:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'SetContextData';
procedure ClearExceptionNumber(); stdcall; external 'TitanEngine.dll' name 'ClearExceptionNumber';
function CurrentExceptionNumber(): LongInt; stdcall; external 'TitanEngine.dll' name 'CurrentExceptionNumber';
function MatchPatternEx(hProcess:THandle; MemoryToCheck,SizeOfMemoryToCheck:LongInt; PatternToMatch:Pointer; SizeOfPatternToMatch:LongInt; WildCard:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'MatchPatternEx';
function MatchPattern(MemoryToCheck,SizeOfMemoryToCheck:LongInt; PatternToMatch:Pointer; SizeOfPatternToMatch:LongInt; WildCard:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'MatchPattern';
function FindEx(hProcess:THandle; MemoryStart,MemorySize:LongInt; SearchPattern:Pointer; PatternSize:LongInt; WildCard:Pointer): LongInt; stdcall; external 'TitanEngine.dll' name 'FindEx';
function Find(MemoryStart,MemorySize:LongInt; SearchPattern:Pointer; PatternSize:LongInt; WildCard:Pointer): LongInt; stdcall; external 'TitanEngine.dll' name 'Find';
function FillEx(hProcess:THandle; MemoryStart,MemorySize:LongInt; FillByte:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'FillEx';
function Fill(MemoryStart,MemorySize:LongInt; FillByte:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'Fill';
function PatchEx(hProcess:THandle; MemoryStart,MemorySize:LongInt; ReplacePattern:Pointer; ReplaceSize:LongInt; AppendNOP,PrependNOP:boolean): boolean; stdcall; external 'TitanEngine.dll' name 'PatchEx';
function Patch(MemoryStart,MemorySize:LongInt; ReplacePattern:Pointer; ReplaceSize:LongInt; AppendNOP,PrependNOP:boolean): boolean; stdcall; external 'TitanEngine.dll' name 'Patch';
function ReplaceEx(hProcess:THandle; MemoryStart,MemorySize:LongInt; SearchPattern:Pointer; PatternSize,NumberOfRepetitions:LongInt; ReplacePattern:Pointer; ReplaceSize:LongInt; WildCard:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'ReplaceEx';
function Replace(MemoryStart,MemorySize:LongInt; SearchPattern:Pointer; PatternSize,NumberOfRepetitions:LongInt; ReplacePattern:Pointer; ReplaceSize:LongInt; WildCard:Pointer): boolean; stdcall; external 'TitanEngine.dll' name 'Replace';
function GetDebugData(): Pointer; stdcall; external 'TitanEngine.dll' name 'GetDebugData';
function GetTerminationData(): Pointer; stdcall; external 'TitanEngine.dll' name 'GetTerminationData';
function GetExitCode():LongInt; stdcall; external 'TitanEngine.dll' name 'GetExitCode';
function GetDebuggedDLLBaseAddress(): LongInt; stdcall; external 'TitanEngine.dll' name 'GetDebuggedDLLBaseAddress';
function GetDebuggedFileBaseAddress(): LongInt; stdcall; external 'TitanEngine.dll' name 'GetDebuggedFileBaseAddress';
function GetRemoteString(hProcess:THandle; StringAddress:LongInt; StringStorage:Pointer; MaximumStringSize:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'GetRemoteString';
function GetFunctionParameter(hProcess:THandle; FunctionType,ParameterNumber,ParameterType:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'GetFunctionParameter';
function GetJumpDestinationEx(hProcess:THandle; InstructionAddress:LongInt; JustJumps:boolean): LongInt; stdcall; external 'TitanEngine.dll' name 'GetJumpDestinationEx';
function GetJumpDestination(hProcess:THandle; InstructionAddress:LongInt; JustJumps:boolean): LongInt; stdcall; external 'TitanEngine.dll' name 'GetJumpDestination';
function IsJumpGoingToExecuteEx(hProcess,hThread:THandle; InstructionAddress,RegFlags:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'IsJumpGoingToExecuteEx';
function IsJumpGoingToExecute(): boolean; stdcall; external 'TitanEngine.dll' name 'IsJumpGoingToExecute';
procedure SetCustomHandler(WhichException:LongInt; CallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'SetCustomHandler';
procedure ForceClose(); stdcall; external 'TitanEngine.dll' name 'ForceClose';
procedure StepInto(traceCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'StepInto';
procedure StepOver(traceCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'StepOver';
procedure SingleStep(StepCount:LongInt; StepCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'SingleStep';
function GetUnusedHardwareBreakPointRegister(RegisterIndex:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'GetUnusedHardwareBreakPointRegister';
function SetHardwareBreakPointEx(hActiveThread:THandle; bpxAddress,IndexOfRegister,bpxType,bpxSize:LongInt; bpxCallBack,IndexOfSelectedRegister:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetHardwareBreakPointEx';
function SetHardwareBreakPoint(bpxAddress,IndexOfRegister,bpxType,bpxSize:LongInt; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'SetHardwareBreakPoint';
function DeleteHardwareBreakPoint(IndexOfRegister:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'DeleteHardwareBreakPoint';
function RemoveAllBreakPoints(RemoveOption:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RemoveAllBreakPoints';
function GetProcessInformation(): Pointer; stdcall; external 'TitanEngine.dll' name 'GetProcessInformation';
function GetStartupInformation(): Pointer; stdcall; external 'TitanEngine.dll' name 'GetStartupInformation';
procedure DebugLoop(); stdcall; external 'TitanEngine.dll' name 'DebugLoop';
procedure SetDebugLoopTimeOut(TimeOut:LongInt); stdcall; external 'TitanEngine.dll' name 'SetDebugLoopTimeOut';
procedure SetNextDbgContinueStatus(SetDbgCode:LongInt); stdcall; external 'TitanEngine.dll' name 'SetNextDbgContinueStatus';
function AttachDebugger(ProcessId:LongInt; KillOnExit:Boolean; DebugInfo,CallBack:Pointer): Pointer; stdcall; external 'TitanEngine.dll' name 'AttachDebugger';
function DetachDebugger(ProcessId:LongInt): Pointer; stdcall; external 'TitanEngine.dll' name 'DetachDebugger';
function DetachDebuggerEx(ProcessId:LongInt): Pointer; stdcall; external 'TitanEngine.dll' name 'DetachDebuggerEx';
function DebugLoopEx(TimeOut:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'DebugLoopEx';
procedure AutoDebugEx(szFileName:PAnsiChar; ReserveModuleBase:boolean; szCommandLine,szCurrentFolder:PAnsiChar; TimeOut:LongInt; EntryCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'AutoDebugEx';
function IsFileBeingDebugged(): boolean; stdcall; external 'TitanEngine.dll' name 'IsFileBeingDebugged';
procedure SetErrorModel(DisplayErrorMessages:boolean); stdcall; external 'TitanEngine.dll' name 'SetErrorModel';
{TitanEngine.Importer.functions}
procedure ImporterCleanup(); stdcall; external 'TitanEngine.dll' name 'ImporterCleanup';
procedure ImporterSetImageBase(ImageBase:LongInt); stdcall; external 'TitanEngine.dll' name 'ImporterSetImageBase';
procedure ImporterSetUnknownDelta(DeltaAddress:LongInt); stdcall; external 'TitanEngine.dll' name 'ImporterSetUnknownDelta';
function ImporterGetCurrentDelta():LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetCurrentDelta';
procedure ImporterInit(MemorySize,ImageBase:LongInt); stdcall; external 'TitanEngine.dll' name 'ImporterInit';
procedure ImporterAddNewDll(DLLName:PAnsiChar; FirstThunk:LongInt); stdcall; external 'TitanEngine.dll' name 'ImporterAddNewDll';
procedure ImporterAddNewAPI(APIName:PAnsiChar; FirstThunk:LongInt); stdcall; external 'TitanEngine.dll' name 'ImporterAddNewAPI';
procedure ImporterAddNewOrdinalAPI(dwAPIName,FirstThunk:LongInt); stdcall; external 'TitanEngine.dll' name 'ImporterAddNewAPI';
function ImporterGetAddedDllCount(): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetAddedDllCount';
function ImporterGetAddedAPICount(): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetAddedAPICount';
function ImporterGetLastAddedDLLName(): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetLastAddedDLLName';
procedure ImporterMoveIAT(); stdcall; external 'TitanEngine.dll' name 'ImporterMoveIAT';
function ImporterExportIAT(StorePlace,FileMap:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ImporterExportIAT';
function ImporterEstimatedSize(): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterEstimatedSize';
function ImporterExportIATEx(szExportFileName,szSectionName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ImporterExportIATEx';
function ImporterFindAPIWriteLocation(szAPIName:PAnsiChar): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterFindAPIWriteLocation';
function ImporterFindOrdinalAPIWriteLocation(OrdinalNumber:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterFindOrdinalAPIWriteLocation';
function ImporterFindAPIByWriteLocation(APIWriteLocation:PAnsiChar): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterFindAPIByWriteLocation';
function ImporterFindDLLByWriteLocation(APIWriteLocation:PAnsiChar): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterFindDLLByWriteLocation';
function ImporterGetDLLName(APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetDLLName';
function ImporterGetAPIName(APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetAPIName';
function ImporterGetAPIOrdinalNumber(APIAddress:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetAPIOrdinalNumber';
function ImporterGetAPINameEx(APIAddress:LongInt; pDLLBases:Pointer): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetAPINameEx';
function ImporterGetRemoteAPIAddress(hProcess:THandle; APIAddress:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetRemoteAPIAddress';
function ImporterGetRemoteAPIAddressEx(szDLLName,szAPIName:PAnsiChar): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetRemoteAPIAddressEx';
function ImporterGetLocalAPIAddress(hProcess:THandle; APIAddress:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetLocalAPIAddress';
function ImporterGetDLLNameFromDebugee(hProcess:THandle; APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetDLLNameFromDebugee';
function ImporterGetAPINameFromDebugee(hProcess:THandle; APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetAPINameFromDebugee';
function ImporterGetAPIOrdinalNumberFromDebugee(hProcess:THandle; APIAddress:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetAPIOrdinalNumberFromDebugee';
function ImporterGetDLLIndexEx(APIAddress:LongInt; pDLLBases:Pointer): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetDLLIndexEx';
function ImporterGetDLLIndex(hProcess:THandle; APIAddress:LongInt; pDLLBases:Pointer): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetDLLIndex';
function ImporterGetRemoteDLLBase(hProcess:THandle; LocalModuleBase:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetRemoteDLLBase';
function ImporterRelocateWriteLocation(AddValue:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'ImporterRelocateWriteLocation';
function ImporterIsForwardedAPI(hProcess:THandle; APIAddress:LongInt): boolean; stdcall; external 'TitanEngine.dll' name 'ImporterIsForwardedAPI';
function ImporterGetForwardedAPIName(hProcess:THandle; APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetForwardedAPIName';
function ImporterGetForwardedDLLName(hProcess:THandle; APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetForwardedDLLName';
function ImporterGetForwardedDLLIndex(hProcess:THandle; APIAddress:LongInt; pDLLBases:Pointer): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetForwardedDLLIndex';
function ImporterGetForwardedAPIOrdinalNumber(hProcess:THandle; APIAddress:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetForwardedAPIOrdinalNumber';
function ImporterGetNearestAPIAddress(hProcess:THandle; APIAddress:LongInt): LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterGetNearestAPIAddress';
function ImporterGetNearestAPIName(hProcess:THandle; APIAddress:LongInt): PAnsiChar; stdcall; external 'TitanEngine.dll' name 'ImporterGetNearestAPIName';
function ImporterCopyOriginalIAT(szOriginalFile,szDumpFile:PAnsiChar): boolean; stdcall; external 'TitanEngine.dll' name 'ImporterCopyOriginalIAT';
function ImporterLoadImportTable(szFileName:PAnsiChar): boolean; stdcall; external 'TitanEngine.dll' name 'ImporterLoadImportTable';
function ImporterMoveOriginalIAT(szOriginalFile,szDumpFile,szSectionName:PAnsiChar): boolean; stdcall; external 'TitanEngine.dll' name 'ImporterMoveOriginalIAT';
procedure ImporterAutoSearchIAT(pFileName:PAnsiChar;ImageBase,SearchStart,SearchSize:LongInt;pIATStart,pIATSize:Pointer); stdcall; external 'TitanEngine.dll' name 'ImporterAutoSearchIAT';
procedure ImporterAutoSearchIATEx(hProcess:LongInt;ImageBase,SearchStart,SearchSize:LongInt;pIATStart,pIATSize:Pointer); stdcall; external 'TitanEngine.dll' name 'ImporterAutoSearchIATEx';
procedure ImporterEnumAddedData(EnumCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'ImporterEnumAddedData';
function ImporterAutoFixIAT(hProcess:LongInt;pFileName:PAnsiChar;ImageBase,SearchStart,SearchSize,SearchStep:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterAutoFixIAT';
function ImporterAutoFixIATEx(hProcess:LongInt;pFileName,szSectionName:PAnsiChar;DumpRunningProcess,RealignFile:boolean;EntryPointAddress,ImageBase,SearchStart,SearchSize,SearchStep:LongInt;TryAutoFix,FixEliminations:boolean;UnknownPointerFixCallback:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'ImporterAutoFixIATEx';
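Review bot: in the Importer group, `ImporterAddNewOrdinalAPI(dwAPIName,FirstThunk:LongInt)` is bound to the export name 'ImporterAddNewAPI', whose own declaration one line earlier takes `APIName:PAnsiChar`. If passing an ordinal through the name parameter is intentional, the declaration needs a comment saying so, because a caller cannot tell from the signature; otherwise bind it to its own export. The same group also types the `APIWriteLocation` parameter of `ImporterFindAPIByWriteLocation` and `ImporterFindDLLByWriteLocation` as `PAnsiChar`, while `ImporterFindAPIWriteLocation` returns that location as `LongInt`; one type should be used for both directions.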
{TitanEngine.Hooks.functions}
function HooksSafeTransitionEx(HookAddressArray:Pointer; NumberOfHooks:LongInt; TransitionStart:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksSafeTransitionEx';
function HooksSafeTransition(HookAddressArray:Pointer; TransitionStart:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksSafeTransition';
function HooksIsAddressRedirected(HookAddressArray:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'HooksIsAddressRedirected';
function HooksGetTrampolineAddress(HookAddressArray:Pointer):Pointer; stdcall; external 'TitanEngine.dll' name 'HooksGetTrampolineAddress';
function HooksGetHookEntryDetails(HookAddressArray:Pointer):Pointer; stdcall; external 'TitanEngine.dll' name 'HooksGetHookEntryDetails';
function HooksInsertNewRedirection(HookAddressArray,RedirectTo:Pointer; HookType:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HooksInsertNewRedirection';
function HooksInsertNewIATRedirectionEx(FileMapVA,LoadedModuleBase:LongInt; szHookFunction:PAnsiChar; RedirectTo:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'HooksInsertNewIATRedirectionEx';
function HooksInsertNewIATRedirection(szModuleName,szHookFunction:PAnsiChar; RedirectTo:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'HooksInsertNewIATRedirection';
function HooksRemoveRedirection(HookAddressArray:Pointer; RemoveAll:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksRemoveRedirection';
function HooksRemoveRedirectionsForModule(ModuleBase:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HooksRemoveRedirectionsForModule';
function HooksDisableRedirection(HookAddressArray:Pointer; DisableAll:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksDisableRedirection';
function HooksDisableRedirectionsForModule(ModuleBase:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HooksDisableRedirectionsForModule';
function HooksEnableRedirection(HookAddressArray:Pointer; EnableAll:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksEnableRedirection';
function HooksEnableRedirectionsForModule(ModuleBase:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'HooksEnableRedirectionsForModule';
function HooksRemoveIATRedirection(szModuleName,szHookFunction:PAnsiChar; RemoveAll:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksRemoveIATRedirection';
function HooksDisableIATRedirection(szModuleName,szHookFunction:PAnsiChar; DisableAll:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksDisableIATRedirection';
function HooksEnableIATRedirection(szModuleName,szHookFunction:PAnsiChar; EnableAll:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HooksEnableIATRedirection';
procedure HooksScanModuleMemory(ModuleBase:LongInt; CallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'HooksScanModuleMemory';
procedure HooksScanEntireProcessMemory(CallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'HooksScanEntireProcessMemory';
procedure HooksScanEntireProcessMemoryEx(); stdcall; external 'TitanEngine.dll' name 'HooksScanEntireProcessMemoryEx';
{TitanEngine.Tracer.functions}
procedure TracerInit(); stdcall; external 'TitanEngine.dll' name 'TracerInit';
function TracerLevel1(hProcess,APIAddress:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'TracerLevel1';
function HashTracerLevel1(hProcess,APIAddress,NumberOfInstructions:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'HashTracerLevel1';
function TracerDetectRedirection(hProcess,APIAddress:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'TracerDetectRedirection';
function TracerFixKnownRedirection(hProcess,APIAddress,RedirectionId:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'TracerFixKnownRedirection';
function TracerFixRedirectionViaImpRecPlugin(hProcess:LongInt;szPluginName:PAnsiChar;APIAddress:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'TracerFixRedirectionViaImpRecPlugin';
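Review bot: every Tracer declaration types `hProcess` as `LongInt`, and so do `ImporterAutoSearchIATEx`, `ImporterAutoFixIAT` and `ImporterAutoFixIATEx` above, while the Hider, Relocater, Threader and Debugger groups declare the same parameter as `THandle`. Please use `THandle` throughout so the unit does not depend on a handle fitting in a signed 32-bit integer. The same applies to addresses and module bases passed as `LongInt` (for example `APIAddress`, `ImageBase`), which tie these bindings to a 32-bit build and deserve at least a note in the unit header.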
{TitanEngine.Exporter.functions}
procedure ExporterCleanup(); stdcall; external 'TitanEngine.dll' name 'ExporterCleanup';
procedure ExporterSetImageBase(ImageBase:LongInt); stdcall; external 'TitanEngine.dll' name 'ExporterSetImageBase';
procedure ExporterInit(MemorySize,ImageBase,ExportOrdinalBase:LongInt; szExportModuleName:PAnsiChar); stdcall; external 'TitanEngine.dll' name 'ExporterInit';
function ExporterAddNewExport(szExportName:PAnsiChar; ExportRelativeAddress:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ExporterAddNewExport';
function ExporterAddNewOrdinalExport(OrdinalNumber,ExportRelativeAddress:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ExporterAddNewOrdinalExport';
function ExporterGetAddedExportCount():LongInt; stdcall; external 'TitanEngine.dll' name 'ExporterGetAddedExportCount';
function ExporterEstimatedSize():LongInt; stdcall; external 'TitanEngine.dll' name 'ExporterEstimatedSize';
function ExporterBuildExportTable(StorePlace,FileMapVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'ExporterBuildExportTable';
function ExporterBuildExportTableEx(szExportFileName,szSectionName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExporterBuildExportTableEx';
function ExporterLoadExportTable(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExporterLoadExportTable';
{TitanEngine.Librarian.functions}
function LibrarianSetBreakPoint(szLibraryName:PAnsiChar; bpxType:LongInt; SingleShoot:boolean; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'LibrarianSetBreakPoint';
function LibrarianRemoveBreakPoint(szLibraryName:PAnsiChar; bpxType:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'LibrarianRemoveBreakPoint';
function LibrarianGetLibraryInfo(szLibraryName:PAnsiChar):Pointer; stdcall; external 'TitanEngine.dll' name 'LibrarianGetLibraryInfo';
function LibrarianGetLibraryInfoEx(BaseOfDll:Pointer):Pointer; stdcall; external 'TitanEngine.dll' name 'LibrarianGetLibraryInfoEx';
procedure LibrarianEnumLibraryInfo(BaseOfDll:Pointer); stdcall; external 'TitanEngine.dll' name 'LibrarianEnumLibraryInfo';
{TitanEngine.Process.functions}
function GetActiveProcessId(szImageName:PAnsiChar):LongInt; stdcall; external 'TitanEngine.dll' name 'GetActiveProcessId';
function EnumProcessesWithLibrary(szLibraryName:PAnsiChar; EnumFunction:Pointer):LongInt; stdcall; external 'TitanEngine.dll' name 'EnumProcessesWithLibrary';
{TitanEngine.TLSFixer.functions}
function TLSBreakOnCallBack(ArrayOfCallBacks:Pointer; NumberOfCallBacks:LongInt; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'TLSBreakOnCallBack';
function TLSGrabCallBackData(szFileName:PAnsiChar; ArrayOfCallBacks,NumberOfCallBacks:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'TLSGrabCallBackData';
function TLSBreakOnCallBackEx(szFileName:PAnsiChar; bpxCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'TLSBreakOnCallBackEx';
function TLSRemoveCallback(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'TLSRemoveCallback';
function TLSRemoveTable(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'TLSRemoveTable';
function TLSBackupData(szFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'TLSBackupData';
function TLSRestoreData():boolean; stdcall; external 'TitanEngine.dll' name 'TLSRestoreData';
function TLSBuildNewTable(FileMapVA,StorePlace,StorePlaceRVA:LongInt; ArrayOfCallBacks:Pointer; NumberOfCallBacks:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'TLSBuildNewTable';
function TLSBuildNewTableEx(szFileName,szSectionName:PAnsiChar; ArrayOfCallBacks:Pointer; NumberOfCallBacks:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'TLSBuildNewTableEx';
{TitanEngine.TranslateName.functions}
function TranslateNativeName(szNativeName:PAnsiChar):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'TranslateNativeName';
{TitanEngine.Handler.functions}
function HandlerGetActiveHandleCount(ProcessId:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerGetActiveHandleCount';
function HandlerIsHandleOpen(ProcessId:LongInt; hHandle:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'HandlerIsHandleOpen';
function HandlerGetHandleName(hProcess:THandle; ProcessId:LongInt; hHandle:THandle; TranslateName:boolean):PAnsiChar; stdcall; external 'TitanEngine.dll' name 'HandlerGetHandleName';
function HandlerEnumerateOpenHandles(ProcessId:LongInt; HandleBuffer:Pointer; MaxHandleCount:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerEnumerateOpenHandles';
function HandlerGetHandleDetails(hProcess:THandle; ProcessId:LongInt; hHandle:THandle; InformationReturn:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerGetHandleDetails';
function HandlerCloseRemoteHandle(ProcessId:LongInt; hHandle:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'HandlerCloseRemoteHandle';
function HandlerEnumerateLockHandles(szFileOrFolderName:PAnsiChar; NameIsFolder,NameIsTranslated:boolean; HandleDataBuffer:Pointer; MaxHandleCount:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerEnumerateLockHandles';
function HandlerCloseAllLockHandles(szFileOrFolderName:PAnsiChar; NameIsFolder,NameIsTranslated:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HandlerCloseAllLockHandles';
function HandlerIsFileLocked(szFileOrFolderName:PAnsiChar; NameIsFolder,NameIsTranslated:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'HandlerIsFileLocked';
function HandlerEnumerateOpenMutexes(hProcess:THandle; ProcessId:LongInt; HandleBuffer:Pointer; MaxHandleCount:LongInt):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerEnumerateOpenMutexes';
function HandlerGetOpenMutexHandle(hProcess:THandle; ProcessId:LongInt; szMutexString:PAnsiChar):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerGetOpenMutexHandle';
function HandlerGetProcessIdWhichCreatedMutex(szMutexString:PAnsiChar):LongInt; stdcall; external 'TitanEngine.dll' name 'HandlerGetProcessIdWhichCreatedMutex';
{TitanEngine.Injector.functions}
function RemoteLoadLibrary(hProcess:THandle; szLibraryFile:PAnsiChar; WaitForThreadExit:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'RemoteLoadLibrary';
function RemoteFreeLibrary(hProcess:THandle; hModule:LongInt; szLibraryFile:PAnsiChar; WaitForThreadExit:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'RemoteFreeLibrary';
function RemoteExitProcess(hProcess:THandle; ExitCode:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'RemoteExitProcess';
{TitanEngine.StaticUnpacker.functions}
function StaticFileLoad(szFileName:PAnsiChar; DesiredAccess:LongInt; SimulateLoad:boolean; FileHandle,LoadedSize,FileMap,FileMapVA:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'StaticFileLoad';
function StaticFileUnload(szFileName:PAnsiChar; CommitChanges:boolean; FileHandle,LoadedSize,FileMap,FileMapVA:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'StaticFileUnload';
function StaticFileOpen(szFileName:PAnsiChar; DesiredAccess:LongInt; FileHandle,FileSizeLow,FileSizeHigh:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'StaticFileOpen';
function StaticFileGetContent(FileHandle:THandle; FilePositionLow:LongInt; FilePositionHigh,Buffer:Pointer; Size:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'StaticFileGetContent';
procedure StaticFileClose(FileHandle:THandle); stdcall; external 'TitanEngine.dll' name 'StaticFileClose';
procedure StaticMemoryDecrypt(MemoryStart,MemorySize,DecryptionType,DecryptionKeySize,DecryptionKey:LongInt); stdcall; external 'TitanEngine.dll' name 'StaticMemoryDecrypt';
procedure StaticMemoryDecryptEx(MemoryStart,MemorySize,DecryptionKeySize:LongInt; DecryptionCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'StaticMemoryDecryptEx';
procedure StaticMemoryDecryptSpecial(MemoryStart,MemorySize,DecryptionKeySize,SpecDecryptionType:LongInt; DecryptionCallBack:Pointer); stdcall; external 'TitanEngine.dll' name 'StaticMemoryDecryptSpecial';
procedure StaticSectionDecrypt(FileMapVA,SectionNumber:LongInt; SimulateLoad:boolean; DecryptionType,DecryptionKeySize,DecryptionKey:LongInt); stdcall; external 'TitanEngine.dll' name 'StaticSectionDecrypt';
function StaticMemoryDecompress(Source,SourceSize,Destination,DestinationSize,Algorithm:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'StaticMemoryDecompress';
function StaticRawMemoryCopy(hFile:THandle; FileMapVA,VitualAddressToCopy,Size:LongInt; AddressIsRVA:boolean; szDumpFileName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'StaticRawMemoryCopy';
function StaticHashMemory(MemoryToHash:Pointer; SizeOfMemory:LongInt; HashDigest:Pointer; OutputString:boolean; Algorithm:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'StaticHashMemory';
function StaticHashFile(szFileName,HashDigest:PAnsiChar; OutputString:boolean; Algorithm:LongInt):boolean; stdcall; external 'TitanEngine.dll' name 'StaticHashFile';
{TitanEngine.Engine.functions}
procedure SetEngineVariable(VariableId:LongInt; VariableSet:boolean); stdcall; external 'TitanEngine.dll' name 'SetEngineVariable';
function EngineCreateMissingDependencies(szFileName,szOutputFolder:PAnsiChar; LogCreatedFiles:boolean):boolean; stdcall; external 'TitanEngine.dll' name 'EngineCreateMissingDependencies';
function EngineFakeMissingDependencies(hProcess:THandle):boolean; stdcall; external 'TitanEngine.dll' name 'EngineCreateMissingDependencies';
function EngineDeleteCreatedDependencies():boolean; stdcall; external 'TitanEngine.dll' name 'EngineDeleteCreatedDependencies';
function EngineCreateUnpackerWindow(WindowUnpackerTitle,WindowUnpackerLongTitleWindowUnpackerName,WindowUnpackerAuthor:PChar; StartUnpackingCallBack:Pointer):boolean; stdcall; external 'TitanEngine.dll' name 'EngineCreateUnpackerWindow';
procedure EngineAddUnpackerWindowLogMessage(szLogMessage:PChar); stdcall; external 'TitanEngine.dll' name 'EngineAddUnpackerWindowLogMessage';
{TitanEngine.Extension.functions}
function ExtensionManagerIsPluginLoaded(szPluginName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerIsPluginLoaded';
function ExtensionManagerIsPluginEnabled(szPluginName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerIsPluginEnabled';
function ExtensionManagerDisableAllPlugins():boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerDisableAllPlugins';
function ExtensionManagerDisablePlugin(szPluginName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerDisablePlugin';
function ExtensionManagerEnableAllPlugins():boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerEnableAllPlugins';
function ExtensionManagerEnablePlugin(szPluginName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerEnablePlugin';
function ExtensionManagerUnloadAllPlugins():boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerUnloadAllPlugins';
function ExtensionManagerUnloadPlugin(szPluginName:PAnsiChar):boolean; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerUnloadPlugin';
function ExtensionManagerGetPluginInfo(szPluginName:PAnsiChar):Pointer; stdcall; external 'TitanEngine.dll' name 'ExtensionManagerGetPluginInfo';
implementation
end.
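Review bot: the `EngineFakeMissingDependencies` declaration is bound to the wrong export. Its `external ... name` clause reads 'EngineCreateMissingDependencies', the same export as the declaration directly above it. That export is declared with three parameters (szFileName, szOutputFolder, LogCreatedFiles), so a caller passing a single hProcess under stdcall reaches a callee that reads and pops three arguments, which unbalances the stack. The name clause should presumably be 'EngineFakeMissingDependencies'; check it against the DLL's export table. Two smaller points in the same group: `WindowUnpackerLongTitleWindowUnpackerName` in `EngineCreateUnpackerWindow` looks like two parameter names with a comma missing between them, which leaves the declaration with three string parameters instead of four. That declaration and `EngineAddUnpackerWindowLogMessage` also use PChar while every other string parameter in this unit is PAnsiChar, so on a Unicode Delphi compiler they would pass wide strings.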

File diff suppressed because it is too large


@ -1,836 +0,0 @@
;--- include file created by h2incx v0.99.20 (copyright 2005-2009 japheth)
;--- source file: C:\Users\Administrator\Desktop\h2incx\SDK.h, last modified: 3/8/2010 17:0
;--- cmdline used for creation: -a -b -d3 -y sdk.h
include windows.inc
includelib TitanEngine_x86.lib
UE_ACCESS_READ EQU 0
UE_ACCESS_WRITE EQU 1
UE_ACCESS_ALL EQU 2
UE_HIDE_BASIC EQU 1
UE_PLUGIN_CALL_REASON_PREDEBUG EQU 1
UE_PLUGIN_CALL_REASON_EXCEPTION EQU 2
UE_PLUGIN_CALL_REASON_POSTDEBUG EQU 3
TEE_HOOK_NRM_JUMP EQU 1
TEE_HOOK_NRM_CALL EQU 3
TEE_HOOK_IAT EQU 5
UE_ENGINE_ALOW_MODULE_LOADING EQU 1
UE_ENGINE_AUTOFIX_FORWARDERS EQU 2
UE_ENGINE_PASS_ALL_EXCEPTIONS EQU 3
UE_ENGINE_NO_CONSOLE_WINDOW EQU 4
UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS EQU 5
UE_ENGINE_CALL_PLUGIN_CALLBACK EQU 6
UE_ENGINE_RESET_CUSTOM_HANDLER EQU 7
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK EQU 8
UE_OPTION_REMOVEALL EQU 1
UE_OPTION_DISABLEALL EQU 2
UE_OPTION_REMOVEALLDISABLED EQU 3
UE_OPTION_REMOVEALLENABLED EQU 4
UE_STATIC_DECRYPTOR_XOR EQU 1
UE_STATIC_DECRYPTOR_SUB EQU 2
UE_STATIC_DECRYPTOR_ADD EQU 3
UE_STATIC_DECRYPTOR_FOREWARD EQU 1
UE_STATIC_DECRYPTOR_BACKWARD EQU 2
UE_STATIC_KEY_SIZE_1 EQU 1
UE_STATIC_KEY_SIZE_2 EQU 2
UE_STATIC_KEY_SIZE_4 EQU 4
UE_STATIC_KEY_SIZE_8 EQU 8
UE_STATIC_APLIB EQU 1
UE_STATIC_APLIB_DEPACK EQU 2
UE_STATIC_LZMA EQU 3
UE_STATIC_HASH_MD5 EQU 1
UE_STATIC_HASH_SHA1 EQU 2
UE_STATIC_HASH_CRC32 EQU 3
UE_RESOURCE_LANGUAGE_ANY EQU - 1
UE_PE_OFFSET EQU 0
UE_IMAGEBASE EQU 1
UE_OEP EQU 2
UE_SIZEOFIMAGE EQU 3
UE_SIZEOFHEADERS EQU 4
UE_SIZEOFOPTIONALHEADER EQU 5
UE_SECTIONALIGNMENT EQU 6
UE_IMPORTTABLEADDRESS EQU 7
UE_IMPORTTABLESIZE EQU 8
UE_RESOURCETABLEADDRESS EQU 9
UE_RESOURCETABLESIZE EQU 10
UE_EXPORTTABLEADDRESS EQU 11
UE_EXPORTTABLESIZE EQU 12
UE_TLSTABLEADDRESS EQU 13
UE_TLSTABLESIZE EQU 14
UE_RELOCATIONTABLEADDRESS EQU 15
UE_RELOCATIONTABLESIZE EQU 16
UE_TIMEDATESTAMP EQU 17
UE_SECTIONNUMBER EQU 18
UE_CHECKSUM EQU 19
UE_SUBSYSTEM EQU 20
UE_CHARACTERISTICS EQU 21
UE_NUMBEROFRVAANDSIZES EQU 22
UE_SECTIONNAME EQU 23
UE_SECTIONVIRTUALOFFSET EQU 24
UE_SECTIONVIRTUALSIZE EQU 25
UE_SECTIONRAWOFFSET EQU 26
UE_SECTIONRAWSIZE EQU 27
UE_SECTIONFLAGS EQU 28
UE_CH_BREAKPOINT EQU 1
UE_CH_SINGLESTEP EQU 2
UE_CH_ACCESSVIOLATION EQU 3
UE_CH_ILLEGALINSTRUCTION EQU 4
UE_CH_NONCONTINUABLEEXCEPTION EQU 5
UE_CH_ARRAYBOUNDSEXCEPTION EQU 6
UE_CH_FLOATDENORMALOPERAND EQU 7
UE_CH_FLOATDEVIDEBYZERO EQU 8
UE_CH_INTEGERDEVIDEBYZERO EQU 9
UE_CH_INTEGEROVERFLOW EQU 10
UE_CH_PRIVILEGEDINSTRUCTION EQU 11
UE_CH_PAGEGUARD EQU 12
UE_CH_EVERYTHINGELSE EQU 13
UE_CH_CREATETHREAD EQU 14
UE_CH_EXITTHREAD EQU 15
UE_CH_CREATEPROCESS EQU 16
UE_CH_EXITPROCESS EQU 17
UE_CH_LOADDLL EQU 18
UE_CH_UNLOADDLL EQU 19
UE_CH_OUTPUTDEBUGSTRING EQU 20
UE_CH_AFTEREXCEPTIONPROCESSING EQU 21
UE_CH_ALLEVENTS EQU 22
UE_CH_SYSTEMBREAKPOINT EQU 23
UE_CH_UNHANDLEDEXCEPTION EQU 24
UE_OPTION_HANDLER_RETURN_HANDLECOUNT EQU 1
UE_OPTION_HANDLER_RETURN_ACCESS EQU 2
UE_OPTION_HANDLER_RETURN_FLAGS EQU 3
UE_OPTION_HANDLER_RETURN_TYPENAME EQU 4
UE_BREAKPOINT_INT3 EQU 1
UE_BREAKPOINT_LONG_INT3 EQU 2
UE_BREAKPOINT_UD2 EQU 3
UE_BPXREMOVED EQU 0
UE_BPXACTIVE EQU 1
UE_BPXINACTIVE EQU 2
UE_BREAKPOINT EQU 0
UE_SINGLESHOOT EQU 1
UE_HARDWARE EQU 2
UE_MEMORY EQU 3
UE_MEMORY_READ EQU 4
UE_MEMORY_WRITE EQU 5
UE_MEMORY_EXECUTE EQU 6
UE_BREAKPOINT_TYPE_INT3 EQU 10000000h
UE_BREAKPOINT_TYPE_LONG_INT3 EQU 20000000h
UE_BREAKPOINT_TYPE_UD2 EQU 30000000h
UE_HARDWARE_EXECUTE EQU 4
UE_HARDWARE_WRITE EQU 5
UE_HARDWARE_READWRITE EQU 6
UE_HARDWARE_SIZE_1 EQU 7
UE_HARDWARE_SIZE_2 EQU 8
UE_HARDWARE_SIZE_4 EQU 9
UE_ON_LIB_LOAD EQU 1
UE_ON_LIB_UNLOAD EQU 2
UE_ON_LIB_ALL EQU 3
UE_APISTART EQU 0
UE_APIEND EQU 1
UE_PLATFORM_x86 EQU 1
UE_PLATFORM_x64 EQU 2
UE_PLATFORM_ALL EQU 3
UE_FUNCTION_STDCALL EQU 1
UE_FUNCTION_CCALL EQU 2
UE_FUNCTION_FASTCALL EQU 3
UE_FUNCTION_STDCALL_RET EQU 4
UE_FUNCTION_CCALL_RET EQU 5
UE_FUNCTION_FASTCALL_RET EQU 6
UE_FUNCTION_STDCALL_CALL EQU 7
UE_FUNCTION_CCALL_CALL EQU 8
UE_FUNCTION_FASTCALL_CALL EQU 9
UE_PARAMETER_BYTE EQU 0
UE_PARAMETER_WORD EQU 1
UE_PARAMETER_DWORD EQU 2
UE_PARAMETER_QWORD EQU 3
UE_PARAMETER_PTR_BYTE EQU 4
UE_PARAMETER_PTR_WORD EQU 5
UE_PARAMETER_PTR_DWORD EQU 6
UE_PARAMETER_PTR_QWORD EQU 7
UE_PARAMETER_STRING EQU 8
UE_PARAMETER_UNICODE EQU 9
UE_CMP_NOCONDITION EQU 0
UE_CMP_EQUAL EQU 1
UE_CMP_NOTEQUAL EQU 2
UE_CMP_GREATER EQU 3
UE_CMP_GREATEROREQUAL EQU 4
UE_CMP_LOWER EQU 5
UE_CMP_LOWEROREQUAL EQU 6
UE_CMP_REG_EQUAL EQU 7
UE_CMP_REG_NOTEQUAL EQU 8
UE_CMP_REG_GREATER EQU 9
UE_CMP_REG_GREATEROREQUAL EQU 10
UE_CMP_REG_LOWER EQU 11
UE_CMP_REG_LOWEROREQUAL EQU 12
UE_CMP_ALWAYSFALSE EQU 13
UE_EAX EQU 1
UE_EBX EQU 2
UE_ECX EQU 3
UE_EDX EQU 4
UE_EDI EQU 5
UE_ESI EQU 6
UE_EBP EQU 7
UE_ESP EQU 8
UE_EIP EQU 9
UE_EFLAGS EQU 10
UE_DR0 EQU 11
UE_DR1 EQU 12
UE_DR2 EQU 13
UE_DR3 EQU 14
UE_DR6 EQU 15
UE_DR7 EQU 16
UE_RAX EQU 17
UE_RBX EQU 18
UE_RCX EQU 19
UE_RDX EQU 20
UE_RDI EQU 21
UE_RSI EQU 22
UE_RBP EQU 23
UE_RSP EQU 24
UE_RIP EQU 25
UE_RFLAGS EQU 26
UE_R8 EQU 27
UE_R9 EQU 28
UE_R10 EQU 29
UE_R11 EQU 30
UE_R12 EQU 31
UE_R13 EQU 32
UE_R14 EQU 33
UE_R15 EQU 34
UE_CIP EQU 35
UE_CSP EQU 36
UE_SEG_GS EQU 37
UE_SEG_FS EQU 38
UE_SEG_ES EQU 39
UE_SEG_DS EQU 40
UE_SEG_CS EQU 41
UE_SEG_SS EQU 42
ifndef @align
@align equ <>
endif
PE32Struct struct @align
PE32Offset DWORD ?
ImageBase DWORD ?
OriginalEntryPoint DWORD ?
NtSizeOfImage DWORD ?
NtSizeOfHeaders DWORD ?
SizeOfOptionalHeaders WORD ?
FileAlignment DWORD ?
SectionAligment DWORD ?
ImportTableAddress DWORD ?
ImportTableSize DWORD ?
ResourceTableAddress DWORD ?
ResourceTableSize DWORD ?
ExportTableAddress DWORD ?
ExportTableSize DWORD ?
TLSTableAddress DWORD ?
TLSTableSize DWORD ?
RelocationTableAddress DWORD ?
RelocationTableSize DWORD ?
TimeDateStamp DWORD ?
SectionNumber WORD ?
CheckSum DWORD ?
SubSystem WORD ?
Characteristics WORD ?
NumberOfRvaAndSizes DWORD ?
PE32Struct ends
PPE32Struct typedef ptr PE32Struct
ImportEnumData struct @align
NewDll bool ?
NumberOfImports DWORD ?
ImageBase DWORD ?
BaseImportThunk DWORD ?
ImportThunk DWORD ?
APIName DWORD ?
DLLName DWORD ?
ImportEnumData ends
PImportEnumData typedef ptr ImportEnumData
THREAD_ITEM_DATA struct @align
hThread HANDLE ?
dwThreadId DWORD ?
ThreadStartAddress DWORD ?
ThreadLocalBase DWORD ?
THREAD_ITEM_DATA ends
PTHREAD_ITEM_DATA typedef ptr THREAD_ITEM_DATA
LIBRARY_ITEM_DATA struct @align
hFile HANDLE ?
BaseOfDll DWORD ?
hFileMapping HANDLE ?
hFileMappingView DWORD ?
szLibraryPath SBYTE MAX_PATH dup (?)
szLibraryName SBYTE MAX_PATH dup (?)
LIBRARY_ITEM_DATA ends
PLIBRARY_ITEM_DATA typedef ptr LIBRARY_ITEM_DATA
LIBRARY_ITEM_DATAW struct @align
hFile HANDLE ?
BaseOfDll DWORD ?
hFileMapping HANDLE ?
hFileMappingView DWORD ?
szLibraryPath WORD MAX_PATH dup (?)
szLibraryName WORD MAX_PATH dup (?)
LIBRARY_ITEM_DATAW ends
PLIBRARY_ITEM_DATAW typedef ptr LIBRARY_ITEM_DATAW
PROCESS_ITEM_DATA struct @align
hProcess HANDLE ?
dwProcessId DWORD ?
hThread HANDLE ?
dwThreadId DWORD ?
hFile HANDLE ?
BaseOfImage DWORD ?
ThreadStartAddress DWORD ?
ThreadLocalBase DWORD ?
PROCESS_ITEM_DATA ends
PPROCESS_ITEM_DATA typedef ptr PROCESS_ITEM_DATA
HandlerArray struct @align
ProcessId DWORD ?
hHandle HANDLE ?
HandlerArray ends
PHandlerArray typedef ptr HandlerArray
PluginInformation struct @align
PluginName SBYTE 64 dup (?)
PluginMajorVersion DWORD ?
PluginMinorVersion DWORD ?
PluginBaseAddress HMODULE ?
TitanDebuggingCallBack DWORD ?
TitanRegisterPlugin DWORD ?
TitanReleasePlugin DWORD ?
TitanResetPlugin DWORD ?
PluginDisabled bool ?
PluginInformation ends
PPluginInformation typedef ptr PluginInformation
TEE_MAXIMUM_HOOK_SIZE EQU 14
TEE_MAXIMUM_HOOK_RELOCS EQU 7
TEE_MAXIMUM_HOOK_INSERT_SIZE EQU 5
HOOK_ENTRY struct @align
IATHook bool ?
HookType BYTE ?
HookSize DWORD ?
HookAddress DWORD ?
RedirectionAddress DWORD ?
HookBytes BYTE TEE_MAXIMUM_HOOK_SIZE dup (?)
OriginalBytes BYTE TEE_MAXIMUM_HOOK_SIZE dup (?)
IATHookModuleBase DWORD ?
IATHookNameHash DWORD ?
HookIsEnabled bool ?
HookIsRemote bool ?
PatchedEntry DWORD ?
RelocationInfo DWORD TEE_MAXIMUM_HOOK_RELOCS dup (?)
RelocationCount DWORD ?
HOOK_ENTRY ends
PHOOK_ENTRY typedef ptr HOOK_ENTRY
UE_DEPTH_SURFACE EQU 0
UE_DEPTH_DEEP EQU 1
UE_UNPACKER_CONDITION_SEARCH_FROM_EP EQU 1
UE_UNPACKER_CONDITION_LOADLIBRARY EQU 1
UE_UNPACKER_CONDITION_GETPROCADDRESS EQU 2
UE_UNPACKER_CONDITION_ENTRYPOINTBREAK EQU 3
UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 EQU 4
UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 EQU 5
UE_FIELD_OK EQU 0
UE_FIELD_BROKEN_NON_FIXABLE EQU 1
UE_FIELD_BROKEN_NON_CRITICAL EQU 2
UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE EQU 3
UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED EQU 4
UE_FILED_FIXABLE_NON_CRITICAL EQU 5
UE_FILED_FIXABLE_CRITICAL EQU 6
UE_FIELD_NOT_PRESET EQU 7
UE_FIELD_NOT_PRESET_WARNING EQU 8
UE_RESULT_FILE_OK EQU 10
UE_RESULT_FILE_INVALID_BUT_FIXABLE EQU 11
UE_RESULT_FILE_INVALID_AND_NON_FIXABLE EQU 12
UE_RESULT_FILE_INVALID_FORMAT EQU 13
FILE_STATUS_INFO struct @align
OveralEvaluation BYTE ?
EvaluationTerminatedByException bool ?
FileIs64Bit bool ?
FileIsDLL bool ?
FileIsConsole bool ?
MissingDependencies bool ?
MissingDeclaredAPIs bool ?
SignatureMZ BYTE ?
SignaturePE BYTE ?
EntryPoint BYTE ?
ImageBase BYTE ?
SizeOfImage BYTE ?
FileAlignment BYTE ?
SectionAlignment BYTE ?
ExportTable BYTE ?
RelocationTable BYTE ?
ImportTable BYTE ?
ImportTableSection BYTE ?
ImportTableData BYTE ?
IATTable BYTE ?
TLSTable BYTE ?
LoadConfigTable BYTE ?
BoundImportTable BYTE ?
COMHeaderTable BYTE ?
ResourceTable BYTE ?
ResourceData BYTE ?
SectionTable BYTE ?
FILE_STATUS_INFO ends
PFILE_STATUS_INFO typedef ptr FILE_STATUS_INFO
FILE_FIX_INFO struct @align
OveralEvaluation BYTE ?
FixingTerminatedByException bool ?
FileFixPerformed bool ?
StrippedRelocation bool ?
DontFixRelocations bool ?
OriginalRelocationTableAddress DWORD ?
OriginalRelocationTableSize DWORD ?
StrippedExports bool ?
DontFixExports bool ?
OriginalExportTableAddress DWORD ?
OriginalExportTableSize DWORD ?
StrippedResources bool ?
DontFixResources bool ?
OriginalResourceTableAddress DWORD ?
OriginalResourceTableSize DWORD ?
StrippedTLS bool ?
DontFixTLS bool ?
OriginalTLSTableAddress DWORD ?
OriginalTLSTableSize DWORD ?
StrippedLoadConfig bool ?
DontFixLoadConfig bool ?
OriginalLoadConfigTableAddress DWORD ?
OriginalLoadConfigTableSize DWORD ?
StrippedBoundImports bool ?
DontFixBoundImports bool ?
OriginalBoundImportTableAddress DWORD ?
OriginalBoundImportTableSize DWORD ?
StrippedIAT bool ?
DontFixIAT bool ?
OriginalImportAddressTableAddress DWORD ?
OriginalImportAddressTableSize DWORD ?
StrippedCOM bool ?
DontFixCOM bool ?
OriginalCOMTableAddress DWORD ?
OriginalCOMTableSize DWORD ?
FILE_FIX_INFO ends
PFILE_FIX_INFO typedef ptr FILE_FIX_INFO
DumpProcess proto stdcall :HANDLE, :LPVOID, :ptr SBYTE, :DWORD
DumpProcessW proto stdcall :HANDLE, :LPVOID, :ptr WORD, :DWORD
DumpProcessEx proto stdcall :DWORD, :LPVOID, :ptr SBYTE, :DWORD
DumpProcessExW proto stdcall :DWORD, :LPVOID, :ptr WORD, :DWORD
DumpMemory proto stdcall :HANDLE, :LPVOID, :DWORD, :ptr SBYTE
DumpMemoryW proto stdcall :HANDLE, :LPVOID, :DWORD, :ptr WORD
DumpMemoryEx proto stdcall :DWORD, :LPVOID, :DWORD, :ptr SBYTE
DumpMemoryExW proto stdcall :DWORD, :LPVOID, :DWORD, :ptr WORD
DumpRegions proto stdcall :HANDLE, :ptr SBYTE, :bool
DumpRegionsW proto stdcall :HANDLE, :ptr WORD, :bool
DumpRegionsEx proto stdcall :DWORD, :ptr SBYTE, :bool
DumpRegionsExW proto stdcall :DWORD, :ptr WORD, :bool
DumpModule proto stdcall :HANDLE, :LPVOID, :ptr SBYTE
DumpModuleW proto stdcall :HANDLE, :LPVOID, :ptr WORD
DumpModuleEx proto stdcall :DWORD, :LPVOID, :ptr SBYTE
DumpModuleExW proto stdcall :DWORD, :LPVOID, :ptr WORD
PastePEHeader proto stdcall :HANDLE, :LPVOID, :ptr SBYTE
PastePEHeaderW proto stdcall :HANDLE, :LPVOID, :ptr WORD
ExtractSection proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD
ExtractSectionW proto stdcall :ptr WORD, :ptr WORD, :DWORD
ResortFileSections proto stdcall :ptr SBYTE
ResortFileSectionsW proto stdcall :ptr WORD
FindOverlay proto stdcall :ptr SBYTE, :LPDWORD, :LPDWORD
FindOverlayW proto stdcall :ptr WORD, :LPDWORD, :LPDWORD
ExtractOverlay proto stdcall :ptr SBYTE, :ptr SBYTE
ExtractOverlayW proto stdcall :ptr WORD, :ptr WORD
AddOverlay proto stdcall :ptr SBYTE, :ptr SBYTE
AddOverlayW proto stdcall :ptr WORD, :ptr WORD
CopyOverlay proto stdcall :ptr SBYTE, :ptr SBYTE
CopyOverlayW proto stdcall :ptr WORD, :ptr WORD
RemoveOverlay proto stdcall :ptr SBYTE
RemoveOverlayW proto stdcall :ptr WORD
MakeAllSectionsRWE proto stdcall :ptr SBYTE
MakeAllSectionsRWEW proto stdcall :ptr WORD
AddNewSectionEx proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD, :DWORD, :LPVOID, :DWORD
AddNewSectionExW proto stdcall :ptr WORD, :ptr SBYTE, :DWORD, :DWORD, :LPVOID, :DWORD
AddNewSection proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD
AddNewSectionW proto stdcall :ptr WORD, :ptr SBYTE, :DWORD
ResizeLastSection proto stdcall :ptr SBYTE, :DWORD, :bool
ResizeLastSectionW proto stdcall :ptr WORD, :DWORD, :bool
SetSharedOverlay proto stdcall :ptr SBYTE
SetSharedOverlayW proto stdcall :ptr WORD
GetSharedOverlay proto stdcall
GetSharedOverlayW proto stdcall
DeleteLastSection proto stdcall :ptr SBYTE
DeleteLastSectionW proto stdcall :ptr WORD
DeleteLastSectionEx proto stdcall :ptr SBYTE, :DWORD
DeleteLastSectionExW proto stdcall :ptr WORD, :DWORD
GetPE32DataFromMappedFile proto stdcall :DWORD, :DWORD, :DWORD
GetPE32Data proto stdcall :ptr SBYTE, :DWORD, :DWORD
GetPE32DataW proto stdcall :ptr WORD, :DWORD, :DWORD
GetPE32DataFromMappedFileEx proto stdcall :DWORD, :LPVOID
GetPE32DataEx proto stdcall :ptr SBYTE, :LPVOID
GetPE32DataExW proto stdcall :ptr WORD, :LPVOID
SetPE32DataForMappedFile proto stdcall :DWORD, :DWORD, :DWORD, :DWORD
SetPE32Data proto stdcall :ptr SBYTE, :DWORD, :DWORD, :DWORD
SetPE32DataW proto stdcall :ptr WORD, :DWORD, :DWORD, :DWORD
SetPE32DataForMappedFileEx proto stdcall :DWORD, :LPVOID
SetPE32DataEx proto stdcall :ptr SBYTE, :LPVOID
GetPE32SectionNumberFromVA proto stdcall :DWORD, :DWORD
ConvertVAtoFileOffset proto stdcall :DWORD, :DWORD, :bool
ConvertVAtoFileOffsetEx proto stdcall :DWORD, :DWORD, :DWORD, :DWORD, :bool, :bool
ConvertFileOffsetToVA proto stdcall :DWORD, :DWORD, :bool
ConvertFileOffsetToVAEx proto stdcall :DWORD, :DWORD, :DWORD, :DWORD, :bool
FixHeaderCheckSum proto stdcall :ptr SBYTE
FixHeaderCheckSumW proto stdcall :ptr WORD
RealignPE proto stdcall :DWORD, :DWORD, :DWORD
RealignPEEx proto stdcall :ptr SBYTE, :DWORD, :DWORD
RealignPEExW proto stdcall :ptr WORD, :DWORD, :DWORD
WipeSection proto stdcall :ptr SBYTE, :DWORD, :bool
WipeSectionW proto stdcall :ptr WORD, :DWORD, :bool
IsPE32FileValidEx proto stdcall :ptr SBYTE, :DWORD, :LPVOID
IsPE32FileValidExW proto stdcall :ptr WORD, :DWORD, :LPVOID
FixBrokenPE32FileEx proto stdcall :ptr SBYTE, :LPVOID, :LPVOID
FixBrokenPE32FileExW proto stdcall :ptr WORD, :LPVOID, :LPVOID
IsFileDLL proto stdcall :ptr SBYTE, :DWORD
IsFileDLLW proto stdcall :ptr WORD, :DWORD
GetPEBLocation proto stdcall :HANDLE
HideDebugger proto stdcall :HANDLE, :DWORD
UnHideDebugger proto stdcall :HANDLE, :DWORD
RelocaterCleanup proto stdcall
RelocaterInit proto stdcall :DWORD, :DWORD, :DWORD
RelocaterAddNewRelocation proto stdcall :HANDLE, :DWORD, :DWORD
RelocaterEstimatedSize proto stdcall
RelocaterExportRelocation proto stdcall :DWORD, :DWORD, :DWORD
RelocaterExportRelocationEx proto stdcall :ptr SBYTE, :ptr SBYTE
RelocaterExportRelocationExW proto stdcall :ptr WORD, :ptr SBYTE
RelocaterGrabRelocationTable proto stdcall :HANDLE, :DWORD, :DWORD
RelocaterGrabRelocationTableEx proto stdcall :HANDLE, :DWORD, :DWORD, :DWORD
RelocaterMakeSnapshot proto stdcall :HANDLE, :ptr SBYTE, :LPVOID, :DWORD
RelocaterMakeSnapshotW proto stdcall :HANDLE, :ptr WORD, :LPVOID, :DWORD
RelocaterCompareTwoSnapshots proto stdcall :HANDLE, :DWORD, :DWORD, :ptr SBYTE, :ptr SBYTE, :DWORD
RelocaterCompareTwoSnapshotsW proto stdcall :HANDLE, :DWORD, :DWORD, :ptr WORD, :ptr WORD, :DWORD
RelocaterChangeFileBase proto stdcall :ptr SBYTE, :DWORD
RelocaterChangeFileBaseW proto stdcall :ptr WORD, :DWORD
RelocaterRelocateMemoryBlock proto stdcall :DWORD, :DWORD, :ptr , :DWORD, :DWORD, :DWORD
RelocaterWipeRelocationTable proto stdcall :ptr SBYTE
RelocaterWipeRelocationTableW proto stdcall :ptr WORD
ResourcerLoadFileForResourceUse proto stdcall :ptr SBYTE
ResourcerLoadFileForResourceUseW proto stdcall :ptr WORD
ResourcerFreeLoadedFile proto stdcall :LPVOID
ResourcerExtractResourceFromFileEx proto stdcall :DWORD, :ptr SBYTE, :ptr SBYTE, :ptr SBYTE
ResourcerExtractResourceFromFile proto stdcall :ptr SBYTE, :ptr SBYTE, :ptr SBYTE, :ptr SBYTE
ResourcerExtractResourceFromFileW proto stdcall :ptr WORD, :ptr SBYTE, :ptr SBYTE, :ptr SBYTE
ResourcerFindResource proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD, :ptr SBYTE, :DWORD, :DWORD, :ptr DWORD, :LPDWORD
ResourcerFindResourceW proto stdcall :ptr WORD, :ptr WORD, :DWORD, :ptr WORD, :DWORD, :DWORD, :ptr DWORD, :LPDWORD
ResourcerFindResourceEx proto stdcall :DWORD, :DWORD, :ptr WORD, :DWORD, :ptr WORD, :DWORD, :DWORD, :ptr DWORD, :LPDWORD
ResourcerEnumerateResource proto stdcall :ptr SBYTE, :ptr
ResourcerEnumerateResourceW proto stdcall :ptr WORD, :ptr
ResourcerEnumerateResourceEx proto stdcall :DWORD, :DWORD, :ptr
ThreaderImportRunningThreadData proto stdcall :DWORD
ThreaderGetThreadInfo proto stdcall :HANDLE, :DWORD
ThreaderEnumThreadInfo proto stdcall :ptr
ThreaderPauseThread proto stdcall :HANDLE
ThreaderResumeThread proto stdcall :HANDLE
ThreaderTerminateThread proto stdcall :HANDLE, :DWORD
ThreaderPauseAllThreads proto stdcall :bool
ThreaderResumeAllThreads proto stdcall :bool
ThreaderPauseProcess proto stdcall
ThreaderResumeProcess proto stdcall
ThreaderCreateRemoteThread proto stdcall :DWORD, :bool, :LPVOID, :LPDWORD
ThreaderInjectAndExecuteCode proto stdcall :LPVOID, :DWORD, :DWORD
ThreaderCreateRemoteThreadEx proto stdcall :HANDLE, :DWORD, :bool, :LPVOID, :LPDWORD
ThreaderInjectAndExecuteCodeEx proto stdcall :HANDLE, :LPVOID, :DWORD, :DWORD
ThreaderSetCallBackForNextExitThreadEvent proto stdcall :LPVOID
ThreaderIsThreadStillRunning proto stdcall :HANDLE
ThreaderIsThreadActive proto stdcall :HANDLE
ThreaderIsAnyThreadActive proto stdcall
ThreaderExecuteOnlyInjectedThreads proto stdcall
ThreaderGetOpenHandleForThread proto stdcall :DWORD
ThreaderGetThreadData proto stdcall
ThreaderIsExceptionInMainThread proto stdcall
StaticDisassembleEx proto stdcall :DWORD, :LPVOID
StaticDisassemble proto stdcall :LPVOID
DisassembleEx proto stdcall :HANDLE, :LPVOID
Disassemble proto stdcall :LPVOID
StaticLengthDisassemble proto stdcall :LPVOID
LengthDisassembleEx proto stdcall :HANDLE, :LPVOID
LengthDisassemble proto stdcall :LPVOID
InitDebug proto stdcall :ptr SBYTE, :ptr SBYTE, :ptr SBYTE
InitDebugW proto stdcall :ptr WORD, :ptr WORD, :ptr WORD
InitDebugEx proto stdcall :ptr SBYTE, :ptr SBYTE, :ptr SBYTE, :LPVOID
InitDebugExW proto stdcall :ptr WORD, :ptr WORD, :ptr WORD, :LPVOID
InitDLLDebug proto stdcall :ptr SBYTE, :bool, :ptr SBYTE, :ptr SBYTE, :LPVOID
InitDLLDebugW proto stdcall :ptr WORD, :bool, :ptr WORD, :ptr WORD, :LPVOID
StopDebug proto stdcall
SetBPXOptions proto stdcall :SDWORD
IsBPXEnabled proto stdcall :DWORD
EnableBPX proto stdcall :DWORD
DisableBPX proto stdcall :DWORD
SetBPX proto stdcall :DWORD, :DWORD, :LPVOID
SetBPXEx proto stdcall :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :LPVOID, :LPVOID, :LPVOID
DeleteBPX proto stdcall :DWORD
SafeDeleteBPX proto stdcall :DWORD
SetAPIBreakPoint proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD, :DWORD, :LPVOID
DeleteAPIBreakPoint proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD
SafeDeleteAPIBreakPoint proto stdcall :ptr SBYTE, :ptr SBYTE, :DWORD
SetMemoryBPX proto stdcall :DWORD, :DWORD, :LPVOID
SetMemoryBPXEx proto stdcall :DWORD, :DWORD, :DWORD, :bool, :LPVOID
RemoveMemoryBPX proto stdcall :DWORD, :DWORD
GetContextFPUDataEx proto stdcall :HANDLE, :ptr
GetContextDataEx proto stdcall :HANDLE, :DWORD
GetContextData proto stdcall :DWORD
SetContextFPUDataEx proto stdcall :HANDLE, :ptr
SetContextDataEx proto stdcall :HANDLE, :DWORD, :DWORD
SetContextData proto stdcall :DWORD, :DWORD
ClearExceptionNumber proto stdcall
CurrentExceptionNumber proto stdcall
MatchPatternEx proto stdcall :HANDLE, :ptr , :DWORD, :ptr , :DWORD, :PBYTE
MatchPattern proto stdcall :ptr , :DWORD, :ptr , :DWORD, :PBYTE
FindEx proto stdcall :HANDLE, :LPVOID, :DWORD, :LPVOID, :DWORD, :LPBYTE
Find proto stdcall :LPVOID, :DWORD, :LPVOID, :DWORD, :LPBYTE
FillEx proto stdcall :HANDLE, :LPVOID, :DWORD, :PBYTE
Fill proto stdcall :LPVOID, :DWORD, :PBYTE
PatchEx proto stdcall :HANDLE, :LPVOID, :DWORD, :LPVOID, :DWORD, :bool, :bool
Patch proto stdcall :LPVOID, :DWORD, :LPVOID, :DWORD, :bool, :bool
ReplaceEx proto stdcall :HANDLE, :LPVOID, :DWORD, :LPVOID, :DWORD, :DWORD, :LPVOID, :DWORD, :PBYTE
Replace proto stdcall :LPVOID, :DWORD, :LPVOID, :DWORD, :DWORD, :LPVOID, :DWORD, :PBYTE
GetDebugData proto stdcall
GetTerminationData proto stdcall
GetExitCode proto stdcall
GetDebuggedDLLBaseAddress proto stdcall
GetDebuggedFileBaseAddress proto stdcall
GetRemoteString proto stdcall :HANDLE, :LPVOID, :LPVOID, :DWORD
GetFunctionParameter proto stdcall :HANDLE, :DWORD, :DWORD, :DWORD
GetJumpDestinationEx proto stdcall :HANDLE, :DWORD, :bool
GetJumpDestination proto stdcall :HANDLE, :DWORD
IsJumpGoingToExecuteEx proto stdcall :HANDLE, :HANDLE, :DWORD, :DWORD
IsJumpGoingToExecute proto stdcall
SetCustomHandler proto stdcall :DWORD, :LPVOID
ForceClose proto stdcall
StepInto proto stdcall :LPVOID
StepOver proto stdcall :LPVOID
SingleStep proto stdcall :DWORD, :LPVOID
GetUnusedHardwareBreakPointRegister proto stdcall :LPDWORD
SetHardwareBreakPointEx proto stdcall :HANDLE, :DWORD, :DWORD, :DWORD, :DWORD, :LPVOID, :LPDWORD
SetHardwareBreakPoint proto stdcall :DWORD, :DWORD, :DWORD, :DWORD, :LPVOID
DeleteHardwareBreakPoint proto stdcall :DWORD
RemoveAllBreakPoints proto stdcall :DWORD
GetProcessInformation proto stdcall
GetStartupInformation proto stdcall
DebugLoop proto stdcall
SetDebugLoopTimeOut proto stdcall :DWORD
SetNextDbgContinueStatus proto stdcall :DWORD
AttachDebugger proto stdcall :DWORD, :bool, :LPVOID, :LPVOID
DetachDebugger proto stdcall :DWORD
DetachDebuggerEx proto stdcall :DWORD
DebugLoopEx proto stdcall :DWORD
AutoDebugEx proto stdcall :ptr SBYTE, :bool, :ptr SBYTE, :ptr SBYTE, :DWORD, :LPVOID
AutoDebugExW proto stdcall :ptr WORD, :bool, :ptr WORD, :ptr WORD, :DWORD, :LPVOID
IsFileBeingDebugged proto stdcall
SetErrorModel proto stdcall :bool
FindOEPInit proto stdcall
FindOEPGenerically proto stdcall :ptr SBYTE, :LPVOID, :LPVOID
FindOEPGenericallyW proto stdcall :ptr WORD, :LPVOID, :LPVOID
ImporterCleanup proto stdcall
ImporterSetImageBase proto stdcall :DWORD
ImporterSetUnknownDelta proto stdcall :DWORD
ImporterGetCurrentDelta proto stdcall
ImporterInit proto stdcall :DWORD, :DWORD
ImporterAddNewDll proto stdcall :ptr SBYTE, :DWORD
ImporterAddNewAPI proto stdcall :ptr SBYTE, :DWORD
ImporterAddNewOrdinalAPI proto stdcall :DWORD, :DWORD
ImporterGetAddedDllCount proto stdcall
ImporterGetAddedAPICount proto stdcall
ImporterGetLastAddedDLLName proto stdcall
ImporterMoveIAT proto stdcall
ImporterExportIAT proto stdcall :DWORD, :DWORD
ImporterEstimatedSize proto stdcall
ImporterExportIATEx proto stdcall :ptr SBYTE, :ptr SBYTE
ImporterExportIATExW proto stdcall :ptr WORD, :ptr SBYTE
ImporterFindAPIWriteLocation proto stdcall :ptr SBYTE
ImporterFindOrdinalAPIWriteLocation proto stdcall :DWORD
ImporterFindAPIByWriteLocation proto stdcall :DWORD
ImporterFindDLLByWriteLocation proto stdcall :DWORD
ImporterGetDLLName proto stdcall :DWORD
ImporterGetAPIName proto stdcall :DWORD
ImporterGetAPIOrdinalNumber proto stdcall :DWORD
ImporterGetAPINameEx proto stdcall :DWORD, :DWORD
ImporterGetRemoteAPIAddress proto stdcall :HANDLE, :DWORD
ImporterGetRemoteAPIAddressEx proto stdcall :ptr SBYTE, :ptr SBYTE
ImporterGetLocalAPIAddress proto stdcall :HANDLE, :DWORD
ImporterGetDLLNameFromDebugee proto stdcall :HANDLE, :DWORD
ImporterGetAPINameFromDebugee proto stdcall :HANDLE, :DWORD
ImporterGetAPIOrdinalNumberFromDebugee proto stdcall :HANDLE, :DWORD
ImporterGetDLLIndexEx proto stdcall :DWORD, :DWORD
ImporterGetDLLIndex proto stdcall :HANDLE, :DWORD, :DWORD
ImporterGetRemoteDLLBase proto stdcall :HANDLE, :HMODULE
ImporterRelocateWriteLocation proto stdcall :DWORD
ImporterIsForwardedAPI proto stdcall :HANDLE, :DWORD
ImporterGetForwardedAPIName proto stdcall :HANDLE, :DWORD
ImporterGetForwardedDLLName proto stdcall :HANDLE, :DWORD
ImporterGetForwardedDLLIndex proto stdcall :HANDLE, :DWORD, :DWORD
ImporterGetForwardedAPIOrdinalNumber proto stdcall :HANDLE, :DWORD
ImporterGetNearestAPIAddress proto stdcall :HANDLE, :DWORD
ImporterGetNearestAPIName proto stdcall :HANDLE, :DWORD
ImporterCopyOriginalIAT proto stdcall :ptr SBYTE, :ptr SBYTE
ImporterCopyOriginalIATW proto stdcall :ptr WORD, :ptr WORD
ImporterLoadImportTable proto stdcall :ptr SBYTE
ImporterLoadImportTableW proto stdcall :ptr WORD
ImporterMoveOriginalIAT proto stdcall :ptr SBYTE, :ptr SBYTE, :ptr SBYTE
ImporterMoveOriginalIATW proto stdcall :ptr WORD, :ptr WORD, :ptr SBYTE
ImporterAutoSearchIAT proto stdcall :HANDLE, :ptr SBYTE, :DWORD, :DWORD, :DWORD, :LPVOID, :LPVOID
ImporterAutoSearchIATW proto stdcall :HANDLE, :ptr WORD, :DWORD, :DWORD, :DWORD, :LPVOID, :LPVOID
ImporterAutoSearchIATEx proto stdcall :HANDLE, :DWORD, :DWORD, :DWORD, :LPVOID, :LPVOID
ImporterEnumAddedData proto stdcall :LPVOID
ImporterAutoFixIATEx proto stdcall :HANDLE, :ptr SBYTE, :ptr SBYTE, :bool, :bool, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :bool, :bool, :LPVOID
ImporterAutoFixIATExW proto stdcall :HANDLE, :ptr WORD, :ptr SBYTE, :bool, :bool, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :bool, :bool, :LPVOID
ImporterAutoFixIAT proto stdcall :HANDLE, :ptr SBYTE, :DWORD, :DWORD, :DWORD, :DWORD
ImporterAutoFixIATW proto stdcall :HANDLE, :ptr WORD, :DWORD, :DWORD, :DWORD, :DWORD
HooksSafeTransitionEx proto stdcall :LPVOID, :DWORD, :bool
HooksSafeTransition proto stdcall :LPVOID, :bool
HooksIsAddressRedirected proto stdcall :LPVOID
HooksGetTrampolineAddress proto stdcall :LPVOID
HooksGetHookEntryDetails proto stdcall :LPVOID
HooksInsertNewRedirection proto stdcall :LPVOID, :LPVOID, :DWORD
HooksInsertNewIATRedirectionEx proto stdcall :DWORD, :DWORD, :ptr SBYTE, :LPVOID
HooksInsertNewIATRedirection proto stdcall :ptr SBYTE, :ptr SBYTE, :LPVOID
HooksRemoveRedirection proto stdcall :LPVOID, :bool
HooksRemoveRedirectionsForModule proto stdcall :HMODULE
HooksRemoveIATRedirection proto stdcall :ptr SBYTE, :ptr SBYTE, :bool
HooksDisableRedirection proto stdcall :LPVOID, :bool
HooksDisableRedirectionsForModule proto stdcall :HMODULE
HooksDisableIATRedirection proto stdcall :ptr SBYTE, :ptr SBYTE, :bool
HooksEnableRedirection proto stdcall :LPVOID, :bool
HooksEnableRedirectionsForModule proto stdcall :HMODULE
HooksEnableIATRedirection proto stdcall :ptr SBYTE, :ptr SBYTE, :bool
HooksScanModuleMemory proto stdcall :HMODULE, :LPVOID
HooksScanEntireProcessMemory proto stdcall :LPVOID
HooksScanEntireProcessMemoryEx proto stdcall
TracerInit proto stdcall
TracerLevel1 proto stdcall :HANDLE, :DWORD
HashTracerLevel1 proto stdcall :HANDLE, :DWORD, :DWORD
TracerDetectRedirection proto stdcall :HANDLE, :DWORD
TracerFixKnownRedirection proto stdcall :HANDLE, :DWORD, :DWORD
TracerFixRedirectionViaImpRecPlugin proto stdcall :HANDLE, :ptr SBYTE, :DWORD
ExporterCleanup proto stdcall
ExporterSetImageBase proto stdcall :DWORD
ExporterInit proto stdcall :DWORD, :DWORD, :DWORD, :ptr SBYTE
ExporterAddNewExport proto stdcall :ptr SBYTE, :DWORD
ExporterAddNewOrdinalExport proto stdcall :DWORD, :DWORD
ExporterGetAddedExportCount proto stdcall
ExporterEstimatedSize proto stdcall
ExporterBuildExportTable proto stdcall :DWORD, :DWORD
ExporterBuildExportTableEx proto stdcall :ptr SBYTE, :ptr SBYTE
ExporterBuildExportTableExW proto stdcall :ptr WORD, :ptr SBYTE
ExporterLoadExportTable proto stdcall :ptr SBYTE
ExporterLoadExportTableW proto stdcall :ptr WORD
LibrarianSetBreakPoint proto stdcall :ptr SBYTE, :DWORD, :bool, :LPVOID
LibrarianRemoveBreakPoint proto stdcall :ptr SBYTE, :DWORD
LibrarianGetLibraryInfo proto stdcall :ptr SBYTE
LibrarianGetLibraryInfoW proto stdcall :ptr WORD
LibrarianGetLibraryInfoEx proto stdcall :ptr
LibrarianGetLibraryInfoExW proto stdcall :ptr
LibrarianEnumLibraryInfo proto stdcall :ptr
LibrarianEnumLibraryInfoW proto stdcall :ptr
GetActiveProcessId proto stdcall :ptr SBYTE
GetActiveProcessIdW proto stdcall :ptr WORD
EnumProcessesWithLibrary proto stdcall :ptr SBYTE, :ptr
TLSBreakOnCallBack proto stdcall :LPVOID, :DWORD, :LPVOID
TLSGrabCallBackData proto stdcall :ptr SBYTE, :LPVOID, :LPDWORD
TLSGrabCallBackDataW proto stdcall :ptr WORD, :LPVOID, :LPDWORD
TLSBreakOnCallBackEx proto stdcall :ptr SBYTE, :LPVOID
TLSBreakOnCallBackExW proto stdcall :ptr WORD, :LPVOID
TLSRemoveCallback proto stdcall :ptr SBYTE
TLSRemoveCallbackW proto stdcall :ptr WORD
TLSRemoveTable proto stdcall :ptr SBYTE
TLSRemoveTableW proto stdcall :ptr WORD
TLSBackupData proto stdcall :ptr SBYTE
TLSBackupDataW proto stdcall :ptr WORD
TLSRestoreData proto stdcall
TLSBuildNewTable proto stdcall :DWORD, :DWORD, :DWORD, :LPVOID, :DWORD
TLSBuildNewTableEx proto stdcall :ptr SBYTE, :ptr SBYTE, :LPVOID, :DWORD
TLSBuildNewTableExW proto stdcall :ptr WORD, :ptr SBYTE, :LPVOID, :DWORD
TranslateNativeName proto stdcall :ptr SBYTE
TranslateNativeNameW proto stdcall :ptr WORD
HandlerGetActiveHandleCount proto stdcall :DWORD
HandlerIsHandleOpen proto stdcall :DWORD, :HANDLE
HandlerGetHandleName proto stdcall :HANDLE, :DWORD, :HANDLE, :bool
HandlerGetHandleNameW proto stdcall :HANDLE, :DWORD, :HANDLE, :bool
HandlerEnumerateOpenHandles proto stdcall :DWORD, :LPVOID, :DWORD
HandlerGetHandleDetails proto stdcall :HANDLE, :DWORD, :HANDLE, :DWORD
HandlerCloseRemoteHandle proto stdcall :HANDLE, :HANDLE
HandlerEnumerateLockHandles proto stdcall :ptr SBYTE, :bool, :bool, :LPVOID, :DWORD
HandlerEnumerateLockHandlesW proto stdcall :ptr WORD, :bool, :bool, :LPVOID, :DWORD
HandlerCloseAllLockHandles proto stdcall :ptr SBYTE, :bool, :bool
HandlerCloseAllLockHandlesW proto stdcall :ptr WORD, :bool, :bool
HandlerIsFileLocked proto stdcall :ptr SBYTE, :bool, :bool
HandlerIsFileLockedW proto stdcall :ptr WORD, :bool, :bool
HandlerEnumerateOpenMutexes proto stdcall :HANDLE, :DWORD, :LPVOID, :DWORD
HandlerGetOpenMutexHandle proto stdcall :HANDLE, :DWORD, :ptr SBYTE
HandlerGetOpenMutexHandleW proto stdcall :HANDLE, :DWORD, :ptr WORD
HandlerGetProcessIdWhichCreatedMutex proto stdcall :ptr SBYTE
HandlerGetProcessIdWhichCreatedMutexW proto stdcall :ptr WORD
RemoteLoadLibrary proto stdcall :HANDLE, :ptr SBYTE, :bool
RemoteLoadLibraryW proto stdcall :HANDLE, :ptr WORD, :bool
RemoteFreeLibrary proto stdcall :HANDLE, :HMODULE, :ptr SBYTE, :bool
RemoteFreeLibraryW proto stdcall :HANDLE, :HMODULE, :ptr WORD, :bool
RemoteExitProcess proto stdcall :HANDLE, :DWORD
StaticFileLoad proto stdcall :ptr SBYTE, :DWORD, :bool, :LPHANDLE, :LPDWORD, :LPHANDLE, :ptr DWORD
StaticFileLoadW proto stdcall :ptr WORD, :DWORD, :bool, :LPHANDLE, :LPDWORD, :LPHANDLE, :ptr DWORD
StaticFileUnload proto stdcall :ptr SBYTE, :bool, :HANDLE, :DWORD, :HANDLE, :DWORD
StaticFileUnloadW proto stdcall :ptr WORD, :bool, :HANDLE, :DWORD, :HANDLE, :DWORD
StaticFileOpen proto stdcall :ptr SBYTE, :DWORD, :LPHANDLE, :LPDWORD, :LPDWORD
StaticFileOpenW proto stdcall :ptr WORD, :DWORD, :LPHANDLE, :LPDWORD, :LPDWORD
StaticFileGetContent proto stdcall :HANDLE, :DWORD, :LPDWORD, :ptr , :DWORD
StaticFileClose proto stdcall :HANDLE
StaticMemoryDecrypt proto stdcall :LPVOID, :DWORD, :DWORD, :DWORD, :DWORD
StaticMemoryDecryptEx proto stdcall :LPVOID, :DWORD, :DWORD, :ptr
StaticMemoryDecryptSpecial proto stdcall :LPVOID, :DWORD, :DWORD, :DWORD, :ptr
StaticSectionDecrypt proto stdcall :DWORD, :DWORD, :bool, :DWORD, :DWORD, :DWORD
StaticMemoryDecompress proto stdcall :ptr , :DWORD, :ptr , :DWORD, :DWORD
StaticRawMemoryCopy proto stdcall :HANDLE, :DWORD, :DWORD, :DWORD, :bool, :ptr SBYTE
StaticRawMemoryCopyW proto stdcall :HANDLE, :DWORD, :DWORD, :DWORD, :bool, :ptr WORD
StaticRawMemoryCopyEx proto stdcall :HANDLE, :DWORD, :DWORD, :ptr SBYTE
StaticRawMemoryCopyExW proto stdcall :HANDLE, :DWORD, :DWORD, :ptr WORD
StaticHashMemory proto stdcall :ptr , :DWORD, :ptr , :bool, :DWORD
StaticHashFileW proto stdcall :ptr WORD, :ptr SBYTE, :bool, :DWORD
StaticHashFile proto stdcall :ptr SBYTE, :ptr SBYTE, :bool, :DWORD
EngineUnpackerInitialize proto stdcall :ptr SBYTE, :ptr SBYTE, :bool, :bool, :bool, :ptr
EngineUnpackerInitializeW proto stdcall :ptr WORD, :ptr WORD, :bool, :bool, :bool, :ptr
EngineUnpackerSetBreakCondition proto stdcall :ptr , :DWORD, :ptr , :DWORD, :DWORD, :DWORD, :bool, :DWORD, :DWORD
EngineUnpackerSetEntryPointAddress proto stdcall :DWORD
EngineUnpackerFinalizeUnpacking proto stdcall
SetEngineVariable proto stdcall :DWORD, :bool
EngineCreateMissingDependencies proto stdcall :ptr SBYTE, :ptr SBYTE, :bool
EngineCreateMissingDependenciesW proto stdcall :ptr WORD, :ptr WORD, :bool
EngineFakeMissingDependencies proto stdcall :HANDLE
EngineDeleteCreatedDependencies proto stdcall
EngineCreateUnpackerWindow proto stdcall :ptr SBYTE, :ptr SBYTE, :ptr SBYTE, :ptr SBYTE, :ptr
EngineAddUnpackerWindowLogMessage proto stdcall :ptr SBYTE
ExtensionManagerIsPluginLoaded proto stdcall :ptr SBYTE
ExtensionManagerIsPluginEnabled proto stdcall :ptr SBYTE
ExtensionManagerDisableAllPlugins proto stdcall
ExtensionManagerDisablePlugin proto stdcall :ptr SBYTE
ExtensionManagerEnableAllPlugins proto stdcall
ExtensionManagerEnablePlugin proto stdcall :ptr SBYTE
ExtensionManagerUnloadAllPlugins proto stdcall
ExtensionManagerUnloadPlugin proto stdcall :ptr SBYTE
ExtensionManagerGetPluginInfo proto stdcall :ptr SBYTE
;--- errors: 0
;--- end of file ---

@ -1,683 +0,0 @@
from ctypes import *
TE = windll.LoadLibrary("TitanEngine.dll")
# check widechar, x64
UE_ACCESS_READ = 0
UE_ACCESS_WRITE = 1
UE_ACCESS_ALL = 2
UE_HIDE_BASIC = 1
UE_PLUGIN_CALL_REASON_PREDEBUG = 1
UE_PLUGIN_CALL_REASON_EXCEPTION = 2
UE_PLUGIN_CALL_REASON_POSTDEBUG = 3
TEE_HOOK_NRM_JUMP = 1
TEE_HOOK_NRM_CALL = 3
TEE_HOOK_IAT = 5
UE_ENGINE_ALOW_MODULE_LOADING = 1
UE_ENGINE_AUTOFIX_FORWARDERS = 2
UE_ENGINE_PASS_ALL_EXCEPTIONS = 3
UE_ENGINE_NO_CONSOLE_WINDOW = 4
UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = 5
UE_ENGINE_CALL_PLUGIN_CALLBACK = 6
UE_ENGINE_RESET_CUSTOM_HANDLER = 7
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8
UE_OPTION_REMOVEALL = 1
UE_OPTION_DISABLEALL = 2
UE_OPTION_REMOVEALLDISABLED = 3
UE_OPTION_REMOVEALLENABLED = 4
UE_STATIC_DECRYPTOR_XOR = 1
UE_STATIC_DECRYPTOR_SUB = 2
UE_STATIC_DECRYPTOR_ADD = 3
UE_STATIC_DECRYPTOR_FOREWARD = 1
UE_STATIC_DECRYPTOR_BACKWARD = 2
UE_STATIC_KEY_SIZE_1 = 1
UE_STATIC_KEY_SIZE_2 = 2
UE_STATIC_KEY_SIZE_4 = 4
UE_STATIC_KEY_SIZE_8 = 8
UE_STATIC_APLIB = 1
UE_STATIC_APLIB_DEPACK = 2
UE_STATIC_LZMA = 3
UE_STATIC_HASH_MD5 = 1
UE_STATIC_HASH_SHA1 = 2
UE_STATIC_HASH_CRC32 = 3
UE_RESOURCE_LANGUAGE_ANY = -1
UE_PE_OFFSET = 0
UE_IMAGEBASE = 1
UE_OEP = 2
UE_SIZEOFIMAGE = 3
UE_SIZEOFHEADERS = 4
UE_SIZEOFOPTIONALHEADER = 5
UE_SECTIONALIGNMENT = 6
UE_IMPORTTABLEADDRESS = 7
UE_IMPORTTABLESIZE = 8
UE_RESOURCETABLEADDRESS = 9
UE_RESOURCETABLESIZE = 10
UE_EXPORTTABLEADDRESS = 11
UE_EXPORTTABLESIZE = 12
UE_TLSTABLEADDRESS = 13
UE_TLSTABLESIZE = 14
UE_RELOCATIONTABLEADDRESS = 15
UE_RELOCATIONTABLESIZE = 16
UE_TIMEDATESTAMP = 17
UE_SECTIONNUMBER = 18
UE_CHECKSUM = 19
UE_SUBSYSTEM = 20
UE_CHARACTERISTICS = 21
UE_NUMBEROFRVAANDSIZES = 22
UE_SECTIONNAME = 23
UE_SECTIONVIRTUALOFFSET = 24
UE_SECTIONVIRTUALSIZE = 25
UE_SECTIONRAWOFFSET = 26
UE_SECTIONRAWSIZE = 27
UE_SECTIONFLAGS = 28
UE_CH_BREAKPOINT = 1
UE_CH_SINGLESTEP = 2
UE_CH_ACCESSVIOLATION = 3
UE_CH_ILLEGALINSTRUCTION = 4
UE_CH_NONCONTINUABLEEXCEPTION = 5
UE_CH_ARRAYBOUNDSEXCEPTION = 6
UE_CH_FLOATDENORMALOPERAND = 7
UE_CH_FLOATDEVIDEBYZERO = 8
UE_CH_INTEGERDEVIDEBYZERO = 9
UE_CH_INTEGEROVERFLOW = 10
UE_CH_PRIVILEGEDINSTRUCTION = 11
UE_CH_PAGEGUARD = 12
UE_CH_EVERYTHINGELSE = 13
UE_CH_CREATETHREAD = 14
UE_CH_EXITTHREAD = 15
UE_CH_CREATEPROCESS = 16
UE_CH_EXITPROCESS = 17
UE_CH_LOADDLL = 18
UE_CH_UNLOADDLL = 19
UE_CH_OUTPUTDEBUGSTRING = 20
UE_CH_AFTEREXCEPTIONPROCESSING = 21
UE_CH_ALLEVENTS = 22
UE_CH_SYSTEMBREAKPOINT = 23
UE_CH_UNHANDLEDEXCEPTION = 24
UE_OPTION_HANDLER_RETURN_HANDLECOUNT = 1
UE_OPTION_HANDLER_RETURN_ACCESS = 2
UE_OPTION_HANDLER_RETURN_FLAGS = 3
UE_OPTION_HANDLER_RETURN_TYPENAME = 4
UE_BREAKPOINT_INT3 = 1
UE_BREAKPOINT_LONG_INT3 = 2
UE_BREAKPOINT_UD2 = 3
UE_BPXREMOVED = 0
UE_BPXACTIVE = 1
UE_BPXINACTIVE = 2
UE_BREAKPOINT = 0
UE_SINGLESHOOT = 1
UE_HARDWARE = 2
UE_MEMORY = 3
UE_MEMORY_READ = 4
UE_MEMORY_WRITE = 5
UE_MEMORY_EXECUTE = 6
UE_BREAKPOINT_TYPE_INT3 = 0x10000000
UE_BREAKPOINT_TYPE_LONG_INT3 = 0x20000000
UE_BREAKPOINT_TYPE_UD2 = 0x30000000
UE_HARDWARE_EXECUTE = 4
UE_HARDWARE_WRITE = 5
UE_HARDWARE_READWRITE = 6
UE_HARDWARE_SIZE_1 = 7
UE_HARDWARE_SIZE_2 = 8
UE_HARDWARE_SIZE_4 = 9
UE_ON_LIB_LOAD = 1
UE_ON_LIB_UNLOAD = 2
UE_ON_LIB_ALL = 3
UE_APISTART = 0
UE_APIEND = 1
UE_PLATFORM_x86 = 1
UE_PLATFORM_x64 = 2
UE_PLATFORM_ALL = 3
UE_FUNCTION_STDCALL = 1
UE_FUNCTION_CCALL = 2
UE_FUNCTION_FASTCALL = 3
UE_FUNCTION_STDCALL_RET = 4
UE_FUNCTION_CCALL_RET = 5
UE_FUNCTION_FASTCALL_RET = 6
UE_FUNCTION_STDCALL_CALL = 7
UE_FUNCTION_CCALL_CALL = 8
UE_FUNCTION_FASTCALL_CALL = 9
UE_PARAMETER_BYTE = 0
UE_PARAMETER_WORD = 1
UE_PARAMETER_DWORD = 2
UE_PARAMETER_QWORD = 3
UE_PARAMETER_PTR_BYTE = 4
UE_PARAMETER_PTR_WORD = 5
UE_PARAMETER_PTR_DWORD = 6
UE_PARAMETER_PTR_QWORD = 7
UE_PARAMETER_STRING = 8
UE_PARAMETER_UNICODE = 9
UE_CMP_NOCONDITION = 0
UE_CMP_EQUAL = 1
UE_CMP_NOTEQUAL = 2
UE_CMP_GREATER = 3
UE_CMP_GREATEROREQUAL = 4
UE_CMP_LOWER = 5
UE_CMP_LOWEROREQUAL = 6
UE_CMP_REG_EQUAL = 7
UE_CMP_REG_NOTEQUAL = 8
UE_CMP_REG_GREATER = 9
UE_CMP_REG_GREATEROREQUAL = 10
UE_CMP_REG_LOWER = 11
UE_CMP_REG_LOWEROREQUAL = 12
UE_CMP_ALWAYSFALSE = 13
UE_EAX = 1
UE_EBX = 2
UE_ECX = 3
UE_EDX = 4
UE_EDI = 5
UE_ESI = 6
UE_EBP = 7
UE_ESP = 8
UE_EIP = 9
UE_EFLAGS = 10
UE_DR0 = 11
UE_DR1 = 12
UE_DR2 = 13
UE_DR3 = 14
UE_DR6 = 15
UE_DR7 = 16
UE_RAX = 17
UE_RBX = 18
UE_RCX = 19
UE_RDX = 20
UE_RDI = 21
UE_RSI = 22
UE_RBP = 23
UE_RSP = 24
UE_RIP = 25
UE_RFLAGS = 26
UE_R8 = 27
UE_R9 = 28
UE_R10 = 29
UE_R11 = 30
UE_R12 = 31
UE_R13 = 32
UE_R14 = 33
UE_R15 = 34
UE_CIP = 35
UE_CSP = 36
class PE32Struct(Structure):
_pack_ = 1
_fields_ = [ ("PE32Offset", c_ulong),
("ImageBase", c_ulong),
("OriginalEntryPoint", c_ulong),
("NtSizeOfImage", c_ulong),
("NtSizeOfHeaders", c_ulong),
("SizeOfOptionalHeaders", c_ushort),
("FileAlignment", c_ulong),
("SectionAligment", c_ulong),
("ImportTableAddress", c_ulong),
("ImportTableSize", c_ulong),
("ResourceTableAddress", c_ulong),
("ResourceTableSize", c_ulong),
("ExportTableAddress", c_ulong),
("ExportTableSize", c_ulong),
("TLSTableAddress", c_ulong),
("TLSTableSize", c_ulong),
("RelocationTableAddress", c_ulong),
("RelocationTableSize", c_ulong),
("TimeDateStamp", c_ulong),
("SectionNumber", c_ushort),
("CheckSum", c_ulong),
("SubSystem", c_ushort),
("Characteristics", c_ushort),
("NumberOfRvaAndSizes", c_ulong) ]
class PE64Struct(Structure):
_pack_ = 1
_fields_ = [ ("PE64Offset", c_ulong),
("ImageBase", c_ulonglong),
("OriginalEntryPoint", c_ulong),
("NtSizeOfImage", c_ulong),
("NtSizeOfHeaders", c_ulong),
("SizeOfOptionalHeaders", c_ushort),
("FileAlignment", c_ulong),
("SectionAligment", c_ulong),
("ImportTableAddress", c_ulong),
("ImportTableSize", c_ulong),
("ResourceTableAddress", c_ulong),
("ResourceTableSize", c_ulong),
("ExportTableAddress", c_ulong),
("ExportTableSize", c_ulong),
("TLSTableAddress", c_ulong),
("TLSTableSize", c_ulong),
("RelocationTableAddress", c_ulong),
("RelocationTableSize", c_ulong),
("TimeDateStamp", c_ulong),
("SectionNumber", c_ushort),
("CheckSum", c_ulong),
("SubSystem", c_ushort),
("Characteristics", c_ushort),
("NumberOfRvaAndSizes", c_ulong) ]
class ImportEnumData(Structure):
_pack_ = 1
_fields_ = [ ("NewDll", c_bool),
("NumberOfImports", c_int),
("ImageBase", c_ulong),
("BaseImportThunk", c_ulong),
("ImportThunk", c_ulong),
("APIName", c_char_p),
("DLLName", c_char_p) ]
class THREAD_ITEM_DATA(Structure):
_pack_ = 1
_fields_ = [ ("hThread", c_void_p),
("dwThreadId", c_ulong),
("ThreadStartAddress", c_void_p),
("ThreadLocalBase", c_void_p) ]
MAX_PATH = 260
class LIBRARY_ITEM_DATA(Structure):
_pack_ = 1
_fields_ = [ ("hFile", c_void_p),
("BaseOfDll", c_void_p),
("hFileMapping", c_void_p),
("hFileMappingView", c_void_p),
("szLibraryPath", c_char * MAX_PATH),
("szLibraryName", c_char * MAX_PATH) ]
class LIBRARY_ITEM_DATAW(Structure):
_pack_ = 1
_fields_ = [ ("hFile", c_void_p),
("BaseOfDll", c_void_p),
("hFileMapping", c_void_p),
("hFileMappingView", c_void_p),
("szLibraryPath", c_wchar * MAX_PATH),
("szLibraryName", c_wchar * MAX_PATH) ]
class PROCESS_ITEM_DATA(Structure):
_pack_ = 1
_fields_ = [ ("hProcess", c_void_p),
("dwProcessId", c_ulong),
("hThread", c_void_p),
("dwThreadId", c_ulong),
("hFile", c_void_p),
("BaseOfImage", c_void_p),
("ThreadStartAddress", c_void_p),
("ThreadLocalBase", c_void_p) ]
class HandlerArray(Structure):
_pack_ = 1
_fields_ = [ ("ProcessId", c_ulong),
("hHandle", c_void_p) ]
class PluginInformation(Structure):
_pack_ = 1
_fields_ = [ ("PluginName", c_char * 64),
("PluginMajorVersion", c_ulong),
("PluginMinorVersion", c_ulong),
("PluginBaseAddress", c_void_p),
("TitanDebuggingCallBack", c_void_p),
("TitanRegisterPlugin", c_void_p),
("TitanReleasePlugin", c_void_p),
("TitanResetPlugin", c_void_p),
("PluginDisabled", c_bool) ]
TEE_MAXIMUM_HOOK_SIZE = 14
TEE_MAXIMUM_HOOK_RELOCS = 7
TEE_MAXIMUM_HOOK_INSERT_SIZE = 5
TEE_MAXIMUM_HOOK_INSERT_SIZE64 = 14
class HOOK_ENTRY(Structure):
_pack_ = 1
_fields_ = [ ("IATHook", c_bool),
("HookType", c_ubyte),
("HookSize", c_ulong),
("HookAddress", c_void_p),
("RedirectionAddress", c_void_p),
("HookBytes", c_ubyte * TEE_MAXIMUM_HOOK_SIZE),
("OriginalBytes", c_ubyte * TEE_MAXIMUM_HOOK_SIZE),
("IATHookModuleBase", c_void_p),
("IATHookNameHash", c_ulong),
("HookIsEnabled", c_bool),
("HookIsRemote", c_bool),
("PatchedEntry", c_void_p),
("RelocationInfo", c_ulong * TEE_MAXIMUM_HOOK_RELOCS),
("RelocationCount", c_int) ]
UE_DEPTH_SURFACE = 0
UE_DEPTH_DEEP = 1
UE_UNPACKER_CONDITION_SEARCH_FROM_EP = 1
UE_UNPACKER_CONDITION_LOADLIBRARY = 1
UE_UNPACKER_CONDITION_GETPROCADDRESS = 2
UE_UNPACKER_CONDITION_ENTRYPOINTBREAK = 3
UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 = 4
UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 = 5
UE_FIELD_OK = 0
UE_FIELD_BROKEN_NON_FIXABLE = 1
UE_FIELD_BROKEN_NON_CRITICAL = 2
UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE = 3
UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED = 4
UE_FILED_FIXABLE_NON_CRITICAL = 5
UE_FILED_FIXABLE_CRITICAL = 6
UE_FIELD_NOT_PRESET = 7
UE_FIELD_NOT_PRESET_WARNING = 8
UE_RESULT_FILE_OK = 10
UE_RESULT_FILE_INVALID_BUT_FIXABLE = 11
UE_RESULT_FILE_INVALID_AND_NON_FIXABLE = 12
UE_RESULT_FILE_INVALID_FORMAT = 13
class FILE_STATUS_INFO(Structure):
_pack_ = 1
_fields_ = [ ("OveralEvaluation", c_ubyte),
("EvaluationTerminatedByException", c_bool),
("FileIs64Bit", c_bool),
("FileIsDLL", c_bool),
("FileIsConsole", c_bool),
("MissingDependencies", c_bool),
("MissingDeclaredAPIs", c_bool),
("SignatureMZ", c_ubyte),
("SignaturePE", c_ubyte),
("EntryPoint", c_ubyte),
("ImageBase", c_ubyte),
("SizeOfImage", c_ubyte),
("FileAlignment", c_ubyte),
("SectionAlignment", c_ubyte),
("ExportTable", c_ubyte),
("RelocationTable", c_ubyte),
("ImportTable", c_ubyte),
("ImportTableSection", c_ubyte),
("ImportTableData", c_ubyte),
("IATTable", c_ubyte),
("TLSTable", c_ubyte),
("LoadConfigTable", c_ubyte),
("BoundImportTable", c_ubyte),
("COMHeaderTable", c_ubyte),
("ResourceTable", c_ubyte),
("ResourceData", c_ubyte),
("SectionTable", c_ubyte) ]
class FILE_FIX_INFO(Structure):
_pack_ = 1
_fields_ = [ ("OveralEvaluation", c_ubyte),
("FixingTerminatedByException", c_bool),
("FileFixPerformed", c_bool),
("StrippedRelocation", c_bool),
("DontFixRelocations", c_bool),
("OriginalRelocationTableAddress", c_ulong),
("OriginalRelocationTableSize", c_ulong),
("StrippedExports", c_bool),
("DontFixExports", c_bool),
("OriginalExportTableAddress", c_ulong),
("OriginalExportTableSize", c_ulong),
("StrippedResources", c_bool),
("DontFixResources", c_bool),
("OriginalResourceTableAddress", c_ulong),
("OriginalResourceTableSize", c_ulong),
("StrippedTLS", c_bool),
("DontFixTLS", c_bool),
("OriginalTLSTableAddress", c_ulong),
("OriginalTLSTableSize", c_ulong),
("StrippedLoadConfig", c_bool),
("DontFixLoadConfig", c_bool),
("OriginalLoadConfigTableAddress", c_ulong),
("OriginalLoadConfigTableSize", c_ulong),
("StrippedBoundImports", c_bool),
("DontFixBoundImports", c_bool),
("OriginalBoundImportTableAddress", c_ulong),
("OriginalBoundImportTableSize", c_ulong),
("StrippedIAT", c_bool),
("DontFixIAT", c_bool),
("OriginalImportAddressTableAddress", c_ulong),
("OriginalImportAddressTableSize", c_ulong),
("StrippedCOM", c_bool),
("DontFixCOM", c_bool),
("OriginalCOMTableAddress", c_ulong),
("OriginalCOMTableSize", c_ulong) ]
class PROCESS_INFORMATION(Structure):
_pack_ = 1
_fields_ = [ ("hProcess", c_void_p),
("hThread", c_void_p),
("dwProcessId", c_ulong),
("dwThreadId", c_ulong) ]
EXCEPTION_MAXIMUM_PARAMETERS = 15
class EXCEPTION_RECORD(Structure):
_pack_ = 1
pass
EXCEPTION_RECORD._fields_ = [ ("ExceptionCode", c_ulong),
("ExceptionFlags", c_ulong),
("ExceptionRecord", POINTER(EXCEPTION_RECORD)),
("ExceptionAddress", c_void_p),
("NumberParameters", c_ulong),
("ExceptionInformation", c_ulong * EXCEPTION_MAXIMUM_PARAMETERS) ]
class EXCEPTION_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("ExceptionRecord", EXCEPTION_RECORD),
("dwFirstChance", c_ulong) ]
class CREATE_THREAD_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("hThread", c_void_p),
("lpThreadLocalBase", c_void_p),
("lpStartAddress", c_void_p) ]
class CREATE_PROCESS_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("hFile", c_void_p),
("hProcess", c_void_p),
("hThread", c_void_p),
("dwDebugInfoFileOffset", c_ulong),
("nDebugInfoSize", c_ulong),
("lpThreadLocalBase", c_void_p),
("lpStartAddress", c_void_p),
("lpImageName", c_void_p),
("fUnicode", c_ushort) ]
class EXIT_THREAD_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("dwExitCode", c_ulong) ]
class EXIT_PROCESS_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("dwExitCode", c_ulong) ]
class LOAD_DLL_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("hFile", c_void_p),
("lpBaseOfDll", c_void_p),
("dwDebugInfoFileOffset", c_ulong),
("nDebugInfoSize", c_ulong),
("lpImageName", c_void_p),
("fUnicode", c_ushort) ]
class UNLOAD_DLL_DEBUG_INFO(Structure):
_pack_ = 1
_fields_ = [ ("lpBaseOfDll", c_void_p) ]
class OUTPUT_DEBUG_STRING_INFO(Structure):
_pack_ = 1
_fields_ = [ ("lpDebugStringData", c_char_p),
("fUnicode", c_ushort),
("nDebugStringLength", c_ushort) ]
class RIP_INFO(Structure):
_pack_ = 1
_fields_ = [ ("dwError", c_ulong),
("dwType", c_ulong) ]
class _U(Union):
_pack_ = 1
_fields_ = [ ("Exception", EXCEPTION_DEBUG_INFO),
("CreateThread", CREATE_THREAD_DEBUG_INFO),
("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
("ExitThread", EXIT_THREAD_DEBUG_INFO),
("ExitProcess", EXIT_PROCESS_DEBUG_INFO),
("LoadDll", LOAD_DLL_DEBUG_INFO),
("UnloadDll", UNLOAD_DLL_DEBUG_INFO),
("DebugString", OUTPUT_DEBUG_STRING_INFO),
("RipInfo", RIP_INFO) ]
class DEBUG_EVENT(Structure):
_pack_ = 1
_anonymous_ = ("u",)
_fields_ = [ ("dwDebugEventCode", c_ulong),
("dwProcessId", c_ulong),
("dwThreadId", c_ulong),
("u", _U) ]
class STARTUPINFOW(Structure):
_pack_ = 1
_fields_ = [ ("cb", c_ulong),
("lpReserved", c_wchar_p),
("lpDesktop", c_wchar_p),
("lpTitle", c_wchar_p),
("dwX", c_ulong),
("dwY", c_ulong),
("dwXSize", c_ulong),
("dwYSize", c_ulong),
("dwXCountChars", c_ulong),
("dwYCountChars", c_ulong),
("dwFillAttribute", c_ulong),
("dwFlags", c_ulong),
("wShowWindow", c_ushort),
("cbReserved2", c_ushort),
("lpReserved2", POINTER(c_ubyte)),
("hStdInput", c_void_p),
("hStdOutput", c_void_p),
("hStdError", c_void_p) ]
fImportEnum = WINFUNCTYPE(None, POINTER(ImportEnumData))
fImportFix = WINFUNCTYPE(None, c_void_p)
fResourceEnum = WINFUNCTYPE(None, c_wchar_p, c_ulong, c_wchar_p, c_ulong, c_ulong, c_ulong, c_ulong)
fThreadEnum = WINFUNCTYPE(None, POINTER(THREAD_ITEM_DATA))
fThreadExit = WINFUNCTYPE(None, POINTER(EXIT_THREAD_DEBUG_INFO))
fBreakPoint = WINFUNCTYPE(None)
fCustomHandler = WINFUNCTYPE(None, c_void_p)
fLibraryBreakPoint = WINFUNCTYPE(None, POINTER(LOAD_DLL_DEBUG_INFO))
fLibraryEnum = WINFUNCTYPE(None, POINTER(LIBRARY_ITEM_DATA))
fLibraryEnumW = WINFUNCTYPE(None, POINTER(LIBRARY_ITEM_DATAW))
fHookEnum = WINFUNCTYPE(c_bool, POINTER(HOOK_ENTRY), c_void_p, POINTER(LIBRARY_ITEM_DATA), c_ulong)
fProcessWithLibraryEnum = WINFUNCTYPE(None, c_ulong, c_void_p)
fStaticDecrypt = WINFUNCTYPE(c_bool, c_void_p, c_ulong)
fInitializeDbg = WINFUNCTYPE(None, c_char_p, c_ubyte, c_ubyte)
TE.GetPE32DataFromMappedFile.restype = c_ulonglong
TE.GetPE32Data.restype = c_ulonglong
TE.GetPE32DataW.restype = c_ulonglong
TE.ConvertVAtoFileOffset.restype = c_ulonglong
TE.ConvertVAtoFileOffsetEx.restype = c_ulonglong
TE.ConvertFileOffsetToVA.restype = c_ulonglong
TE.ConvertFileOffsetToVAEx.restype = c_ulonglong
TE.ResourcerLoadFileForResourceUse.restype = c_ulonglong
TE.ResourcerLoadFileForResourceUseW.restype = c_ulonglong
TE.ThreaderCreateRemoteThread.restype = c_ulonglong
TE.ThreaderCreateRemoteThreadEx.restype = c_ulonglong
TE.ThreaderGetOpenHandleForThread.restype = c_ulonglong
TE.GetContextDataEx.restype = c_ulonglong
TE.GetContextData.restype = c_ulonglong
TE.FindEx.restype = c_ulonglong
TE.Find.restype = c_ulonglong
TE.GetDebuggedDLLBaseAddress.restype = c_ulonglong
TE.GetDebuggedFileBaseAddress.restype = c_ulonglong
TE.GetFunctionParameter.restype = c_ulonglong
TE.GetJumpDestinationEx.restype = c_ulonglong
TE.GetJumpDestination.restype = c_ulonglong
TE.ImporterGetCurrentDelta.restype = c_ulonglong
TE.ImporterFindAPIWriteLocation.restype = c_ulonglong
TE.ImporterFindOrdinalAPIWriteLocation.restype = c_ulonglong
TE.ImporterFindAPIByWriteLocation.restype = c_ulonglong
TE.ImporterFindDLLByWriteLocation.restype = c_ulonglong
TE.ImporterGetAPIOrdinalNumber.restype = c_ulonglong
TE.ImporterGetRemoteAPIAddress.restype = c_ulonglong
TE.ImporterGetRemoteAPIAddressEx.restype = c_ulonglong
TE.ImporterGetLocalAPIAddress.restype = c_ulonglong
TE.ImporterGetAPIOrdinalNumberFromDebugee.restype = c_ulonglong
TE.ImporterGetRemoteDLLBase.restype = c_ulonglong
TE.ImporterGetForwardedAPIOrdinalNumber.restype = c_ulonglong
TE.ImporterGetNearestAPIAddress.restype = c_ulonglong
TE.TracerLevel1.restype = c_ulonglong
TE.HashTracerLevel1.restype = c_ulonglong
TE.TracerFixKnownRedirection.restype = c_ulonglong
TE.HandlerGetHandleDetails.restype = c_ulonglong
TE.HandlerGetOpenMutexHandle.restype = c_ulonglong
TE.HandlerGetOpenMutexHandleW.restype = c_ulonglong
TE.GetSharedOverlay.restype = c_char_p
TE.StaticDisassembleEx.restype = c_char_p
TE.StaticDisassemble.restype = c_char_p
TE.DisassembleEx.restype = c_char_p
TE.Disassemble.restype = c_char_p
TE.ImporterGetLastAddedDLLName.restype = c_char_p
TE.ImporterGetDLLName.restype = c_char_p
TE.ImporterGetAPIName.restype = c_char_p
TE.ImporterGetAPINameEx.restype = c_char_p
TE.ImporterGetDLLNameFromDebugee.restype = c_char_p
TE.ImporterGetAPINameFromDebugee.restype = c_char_p
TE.ImporterGetForwardedAPIName.restype = c_char_p
TE.ImporterGetForwardedDLLName.restype = c_char_p
TE.ImporterGetNearestAPIName.restype = c_char_p
TE.TranslateNativeName.restype = c_char_p
TE.HandlerGetHandleName.restype = c_char_p
TE.GetSharedOverlayW.restype = c_wchar_p
TE.TranslateNativeNameW.restype = c_wchar_p
TE.HandlerGetHandleNameW.restype = c_wchar_p
TE.GetPEBLocation.restype = c_void_p
TE.ThreaderGetThreadInfo.restype = POINTER(THREAD_ITEM_DATA)
TE.ThreaderGetThreadData.restype = POINTER(THREAD_ITEM_DATA)
TE.InitDebug.restype = POINTER(PROCESS_INFORMATION)
TE.InitDebugW.restype = POINTER(PROCESS_INFORMATION)
TE.InitDebugEx.restype = POINTER(PROCESS_INFORMATION)
TE.InitDebugExW.restype = POINTER(PROCESS_INFORMATION)
TE.InitDLLDebug.restype = POINTER(PROCESS_INFORMATION)
TE.InitDLLDebugW.restype = POINTER(PROCESS_INFORMATION)
TE.GetDebugData.restype = POINTER(DEBUG_EVENT)
TE.GetTerminationData.restype = POINTER(DEBUG_EVENT)
TE.GetProcessInformation.restype = POINTER(PROCESS_INFORMATION)
TE.GetStartupInformation.restype = POINTER(STARTUPINFOW)
TE.LibrarianGetLibraryInfo.restype = POINTER(LIBRARY_ITEM_DATA)
TE.LibrarianGetLibraryInfoEx.restype = POINTER(LIBRARY_ITEM_DATA)
TE.LibrarianGetLibraryInfoW.restype = POINTER(LIBRARY_ITEM_DATAW)
TE.LibrarianGetLibraryInfoExW.restype = POINTER(LIBRARY_ITEM_DATAW)
TE.HooksGetHookEntryDetails.restype = POINTER(HOOK_ENTRY)
TE.ExtensionManagerGetPluginInfo.restype = POINTER(PluginInformation)
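
Review bot: this hunk deletes the whole ctypes binding (-1,683 +0,0) and shows no replacement, so any script that still loads TitanEngine.dll from Python loses the restype declarations above and falls back to ctypes' default C int return type, which truncates pointer and c_ulonglong results; state in the commit message that the Python SDK is dropped on purpose. If it is meant to return later, do not restore it unchanged: every structure sets _pack_ = 1, including DEBUG_EVENT and STARTUPINFOW, which Windows lays out with natural alignment, and the file's own "# check widechar, x64" comment marks the 64-bit layout as unverified.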

@ -1,7 +1,16 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.14.36915.13 d17.14
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TitanEngine", "TitanEngine\TitanEngine.vcxproj", "{9C7B8246-FDDA-48C7-9634-044969701E40}"
ProjectSection(ProjectDependencies) = postProject
{F874B1B3-8EF7-4DF1-9889-57098E08A51C} = {F874B1B3-8EF7-4DF1-9889-57098E08A51C}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scylla_wrapper", "scylla_wrapper\scylla_wrapper.vcxproj", "{F874B1B3-8EF7-4DF1-9889-57098E08A51C}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "distorm", "distorm\distorm.vcxproj", "{25FF4A19-7088-4687-AA32-76E61BD62E51}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
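
Review bot: the ProjectDependencies section of TitanEngine lists only {F874B1B3-8EF7-4DF1-9889-57098E08A51C} (scylla_wrapper), while distorm ({25FF4A19-7088-4687-AA32-76E61BD62E51}) is added to the solution with no dependency entry. If TitanEngine links against the distorm project's output, add the matching line to that section so the solution build order is fixed; if the ordering comes from a project reference inside TitanEngine.vcxproj, or distorm is consumed only by scylla_wrapper, say so in the commit message.
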
@ -19,8 +28,27 @@ Global
{9C7B8246-FDDA-48C7-9634-044969701E40}.Release|Win32.Build.0 = Release|Win32
{9C7B8246-FDDA-48C7-9634-044969701E40}.Release|x64.ActiveCfg = Release|x64
{9C7B8246-FDDA-48C7-9634-044969701E40}.Release|x64.Build.0 = Release|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.ActiveCfg = Debug|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.Build.0 = Debug|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.ActiveCfg = Debug|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.Build.0 = Debug|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.ActiveCfg = Release|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.Build.0 = Release|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.ActiveCfg = Release|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.Build.0 = Release|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|Win32.ActiveCfg = Debug|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|Win32.Build.0 = Debug|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|x64.ActiveCfg = Debug|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|x64.Build.0 = Debug|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|Win32.ActiveCfg = Release|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|Win32.Build.0 = Release|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|x64.ActiveCfg = Release|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {6AD826EE-00F0-410E-9586-2B4EC239DC9E}
EndGlobalSection
EndGlobal

@ -0,0 +1,295 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Breakpoints.h"
std::vector<BreakPointDetail> BreakPointBuffer;
std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail> MemoryBreakpointPages;
std::unordered_set<ULONG_PTR> recentlyDeletedBpx;
ULONG_PTR dr7uint(DR7* dr7)
{
ULONG_PTR ret = 0;
if(BITGET(dr7->HWBP_MODE[0], 0))
BITSET(ret, 0);
if(BITGET(dr7->HWBP_MODE[0], 1))
BITSET(ret, 1);
if(BITGET(dr7->HWBP_MODE[1], 0))
BITSET(ret, 2);
if(BITGET(dr7->HWBP_MODE[1], 1))
BITSET(ret, 3);
if(BITGET(dr7->HWBP_MODE[2], 0))
BITSET(ret, 4);
if(BITGET(dr7->HWBP_MODE[2], 1))
BITSET(ret, 5);
if(BITGET(dr7->HWBP_MODE[3], 0))
BITSET(ret, 6);
if(BITGET(dr7->HWBP_MODE[3], 1))
BITSET(ret, 7);
if(BITGET(dr7->HWBP_TYPE[0], 0))
BITSET(ret, 16);
if(BITGET(dr7->HWBP_TYPE[0], 1))
BITSET(ret, 17);
if(BITGET(dr7->HWBP_SIZE[0], 0))
BITSET(ret, 18);
if(BITGET(dr7->HWBP_SIZE[0], 1))
BITSET(ret, 19);
if(BITGET(dr7->HWBP_TYPE[1], 0))
BITSET(ret, 20);
if(BITGET(dr7->HWBP_TYPE[1], 1))
BITSET(ret, 21);
if(BITGET(dr7->HWBP_SIZE[1], 0))
BITSET(ret, 22);
if(BITGET(dr7->HWBP_SIZE[1], 1))
BITSET(ret, 23);
if(BITGET(dr7->HWBP_TYPE[2], 0))
BITSET(ret, 24);
if(BITGET(dr7->HWBP_TYPE[2], 1))
BITSET(ret, 25);
if(BITGET(dr7->HWBP_SIZE[2], 0))
BITSET(ret, 26);
if(BITGET(dr7->HWBP_SIZE[2], 1))
BITSET(ret, 27);
if(BITGET(dr7->HWBP_TYPE[3], 0))
BITSET(ret, 28);
if(BITGET(dr7->HWBP_TYPE[3], 1))
BITSET(ret, 29);
if(BITGET(dr7->HWBP_SIZE[3], 0))
BITSET(ret, 30);
if(BITGET(dr7->HWBP_SIZE[3], 1))
BITSET(ret, 31);
return ret;
}
void uintdr7(ULONG_PTR dr7, DR7* ret)
{
memset(ret, 0, sizeof(DR7));
if(BITGET(dr7, 0))
BITSET(ret->HWBP_MODE[0], 0);
if(BITGET(dr7, 1))
BITSET(ret->HWBP_MODE[0], 1);
if(BITGET(dr7, 2))
BITSET(ret->HWBP_MODE[1], 0);
if(BITGET(dr7, 3))
BITSET(ret->HWBP_MODE[1], 1);
if(BITGET(dr7, 4))
BITSET(ret->HWBP_MODE[2], 0);
if(BITGET(dr7, 5))
BITSET(ret->HWBP_MODE[2], 1);
if(BITGET(dr7, 6))
BITSET(ret->HWBP_MODE[3], 0);
if(BITGET(dr7, 7))
BITSET(ret->HWBP_MODE[3], 1);
if(BITGET(dr7, 16))
BITSET(ret->HWBP_TYPE[0], 0);
if(BITGET(dr7, 17))
BITSET(ret->HWBP_TYPE[0], 1);
if(BITGET(dr7, 18))
BITSET(ret->HWBP_SIZE[0], 0);
if(BITGET(dr7, 19))
BITSET(ret->HWBP_SIZE[0], 1);
if(BITGET(dr7, 20))
BITSET(ret->HWBP_TYPE[1], 0);
if(BITGET(dr7, 21))
BITSET(ret->HWBP_TYPE[1], 1);
if(BITGET(dr7, 22))
BITSET(ret->HWBP_SIZE[1], 0);
if(BITGET(dr7, 23))
BITSET(ret->HWBP_SIZE[1], 1);
if(BITGET(dr7, 24))
BITSET(ret->HWBP_TYPE[2], 0);
if(BITGET(dr7, 25))
BITSET(ret->HWBP_TYPE[2], 1);
if(BITGET(dr7, 26))
BITSET(ret->HWBP_SIZE[2], 0);
if(BITGET(dr7, 27))
BITSET(ret->HWBP_SIZE[2], 1);
if(BITGET(dr7, 28))
BITSET(ret->HWBP_TYPE[3], 0);
if(BITGET(dr7, 29))
BITSET(ret->HWBP_TYPE[3], 1);
if(BITGET(dr7, 30))
BITSET(ret->HWBP_SIZE[3], 0);
if(BITGET(dr7, 31))
BITSET(ret->HWBP_SIZE[3], 1);
}
void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer, SIZE_T nSize)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
ULONG_PTR start = lpBaseAddress;
ULONG_PTR end = start + nSize;
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
BreakPointDetail* curBp = &BreakPointBuffer.at(i);
//check if the breakpoint is one we should be concerned about
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
continue;
ULONG_PTR cur_addr = curBp->BreakPointAddress;
for(SIZE_T j = 0; j < curBp->BreakPointSize; j++)
{
if(cur_addr + j >= start && cur_addr + j < end) //breakpoint is in range
{
ULONG_PTR index = cur_addr + j - start; //calculate where to write in the buffer
memcpy(lpBuffer + index, &curBp->OriginalByte[j], sizeof(char));
}
}
}
}
void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize)
{
ULONG_PTR start = lpBaseAddress;
ULONG_PTR end = start + nSize;
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
BreakPointDetail* curBp = &BreakPointBuffer.at(i);
//check if the breakpoint is one we should be concerned about
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
continue;
ULONG_PTR cur_addr = curBp->BreakPointAddress;
for(SIZE_T j = 0; j < curBp->BreakPointSize; j++)
{
if(cur_addr + j >= start && cur_addr + j < end) //breakpoint byte is in range
{
DisableBPX(cur_addr);
curBp->BreakPointActive = UE_BPXACTIVE; //little hack
break;
}
}
}
}
void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize)
{
ULONG_PTR start = lpBaseAddress;
ULONG_PTR end = start + nSize;
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
BreakPointDetail* curBp = &BreakPointBuffer.at(i);
//check if the breakpoint is one we should be concerned about
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
continue;
ULONG_PTR cur_addr = curBp->BreakPointAddress;
for(SIZE_T j = 0; j < curBp->BreakPointSize; j++)
{
if(cur_addr + j >= start && cur_addr + j < end) //breakpoint byte is in range
{
curBp->BreakPointActive = UE_BPXINACTIVE; //little hack
EnableBPX(cur_addr); //needs a cleaner solution
break;
}
}
}
}
bool IsDepEnabled(bool* outPermanent)
{
bool isEnabled = false;
bool isPermanent = false;
#ifndef _WIN64
ULONG depFlags = 0;
NTSTATUS status = NtQueryInformationProcess(dbgProcessInformation.hProcess, ProcessExecuteFlags, &depFlags, sizeof(depFlags), nullptr);
if(status == STATUS_SUCCESS)
{
isEnabled = (depFlags & 0x1) != 0; // 0x1 is MEM_EXECUTE_OPTION_DISABLE
isPermanent = (depFlags & 0x8) != 0; // 0x8 is MEM_EXECUTE_OPTION_PERMANENT
}
#else
isEnabled = true;
isPermanent = true;
#endif //_WIN64
if(outPermanent != nullptr)
*outPermanent = isPermanent;
return isEnabled;
}
DWORD GetPageProtectionForMemoryBreakpoint(const MemoryBreakpointPageDetail & page)
{
// Memory Protection Constants: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx
// If DEP is disabled or enabled but not permanent (i.e. may be disabled unpredictably in the future),
// we cannot rely on "PAGE_EXECUTE_*" protection options for BPs on execution
// and should use PAGE_GUARD (or PAGE_NOACCESS) instead, a much slower approach:
bool isDepPermanent = false;
bool isDepPermanentlyEnabled = IsDepEnabled(&isDepPermanent) && isDepPermanent;
// for ACCESS and READ breakpoints, apply the "lowest" protection: GUARD_PAGE or PAGE_NOACCESS
if(page.accessBps > 0 || page.readBps > 0 || (page.executeBps > 0 && !isDepPermanentlyEnabled))
{
// GUARD_PAGE is incompatible with PAGE_NOACCESS
if((page.origProtect & 0xFF) == PAGE_NOACCESS || engineMembpAlt)
return (page.origProtect & ~0x7FF) | PAGE_NOACCESS;
else
// erase PAGE_NOCACHE and PAGE_WRITECOMBINE (cannot be used with the PAGE_GUARD)
return (page.origProtect & ~0x700) | PAGE_GUARD;
}
int newProtect = page.origProtect & ~PAGE_GUARD; // erase guard page, just in case
if(page.executeBps > 0 && isDepPermanentlyEnabled)
{
// Remove execute access e.g. PAGE_EXECUTE_READWRITE => PAGE_READWRITE
DWORD dwBase = newProtect & 0xFF;
DWORD dwHigh = newProtect & 0xFFFFFF00;
switch(dwBase)
{
case PAGE_EXECUTE:
newProtect = dwHigh | PAGE_READONLY;
break;
case PAGE_EXECUTE_READ:
case PAGE_EXECUTE_READWRITE:
case PAGE_EXECUTE_WRITECOPY:
newProtect = dwHigh | (dwBase >> 4);
break;
}
}
if(page.writeBps > 0)
{
// Remove write access (and copy-on-write) e.g. PAGE_EXECUTE_READWRITE => PAGE_EXECUTE
DWORD dwBase = newProtect & 0xFF;
switch(dwBase)
{
case PAGE_READWRITE:
case PAGE_WRITECOPY:
newProtect = (newProtect & 0xFFFFFF00) | PAGE_READONLY;
break;
case PAGE_EXECUTE_READWRITE:
case PAGE_EXECUTE_WRITECOPY:
newProtect = (newProtect & 0xFFFFFF00) | PAGE_EXECUTE_READ;
break;
}
}
return newProtect;
}
bool IsMemoryAccessAllowed(DWORD memProtect, ULONG_PTR accessType /*0 (READ), 1 (WRITE), or 8 (EXECUTE)*/)
{
const bool isRead = accessType == 0;
const bool isWrite = accessType == 1;
const bool isExecute = accessType == 8;
switch(memProtect & 0xFF)
{
case PAGE_EXECUTE:
case PAGE_EXECUTE_READ:
return isRead || isExecute;
case PAGE_EXECUTE_READWRITE:
case PAGE_EXECUTE_WRITECOPY:
return true;
case PAGE_READONLY:
return isRead || (isExecute && !IsDepEnabled());
case PAGE_READWRITE:
case PAGE_WRITECOPY:
return isRead || isWrite || (isExecute && !IsDepEnabled());
default:
case PAGE_NOACCESS:
return false;
}
}
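Review bot: BreakPointPreWriteFilter and BreakPointPostWriteFilter walk BreakPointBuffer and flip curBp->BreakPointActive without taking LockBreakPointBuffer, while BreakPointPostReadFilter opens with "CriticalSectionLocker lock(LockBreakPointBuffer);". Either take the same lock in both write filters or add a comment stating that the caller already holds it, since a concurrent insert or delete would invalidate the curBp pointer obtained from BreakPointBuffer.at(i). Separately, the comment in the writeBps branch of GetPageProtectionForMemoryBreakpoint says "PAGE_EXECUTE_READWRITE => PAGE_EXECUTE", but the code maps that case to PAGE_EXECUTE_READ; the comment should match. The executeBps branch still derives the new protection with "dwBase >> 4" while the writeBps branch uses an explicit mapping, so spelling out the three execute cases would make the two branches consistent and easier to audit.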

@ -0,0 +1,27 @@
#ifndef _GLOBAL_BREAKPOINTS_H
#define _GLOBAL_BREAKPOINTS_H
#include <vector>
#include <unordered_map>
#include <unordered_set>
#include "Global.Engine.Threading.h"
#include "Global.Engine.h"
#include "Global.Debugger.h"
extern std::vector<BreakPointDetail> BreakPointBuffer;
extern std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail> MemoryBreakpointPages;
extern std::unordered_set<ULONG_PTR> recentlyDeletedBpx;
void uintdr7(ULONG_PTR dr7, DR7* ret);
ULONG_PTR dr7uint(DR7* dr7);
void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer, SIZE_T nSize);
void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize);
void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize);
bool IsDepEnabled(bool* outPermanent = nullptr);
DWORD GetPageProtectionForMemoryBreakpoint(const MemoryBreakpointPageDetail & page);
bool IsMemoryAccessAllowed(DWORD memProtect, ULONG_PTR accessType);
#endif //_GLOBAL_BREAKPOINTS_H
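Review bot: The three extern containers (BreakPointBuffer, MemoryBreakpointPages, recentlyDeletedBpx) are exposed as mutable globals with no comment saying which lock guards them or when recentlyDeletedBpx entries are expected to be cleared. A one-line comment per declaration naming the lock and the owner would help callers avoid unsynchronized access. The include guard _GLOBAL_BREAKPOINTS_H also starts with an underscore followed by an uppercase letter, which is an identifier reserved for the implementation; GLOBAL_BREAKPOINTS_H or "#pragma once" avoids that.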

@ -0,0 +1,316 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
#include "Global.Engine.h"
#include "Global.Breakpoints.h"
HARDWARE_DATA DebugRegister[4] = {};
PROCESS_INFORMATION dbgProcessInformation = {};
CustomHandler myDBGCustomHandler = {};
PCustomHandler DBGCustomHandler = &myDBGCustomHandler;
ExpertDebug expertDebug = {};
STARTUPINFOW dbgStartupInfo = {};
LPVOID DebugModuleEntryPointCallBack;
LPVOID DebugExeFileEntryPointCallBack;
ULONG_PTR DebugModuleEntryPoint;
ULONG_PTR DebugModuleImageBase;
ULONG_PTR DebugAttachedProcessCallBack = NULL;
ULONG_PTR DebugReserveModuleBase = NULL;
ULONG_PTR DebugDebuggingMainModuleBase = NULL;
ULONG_PTR DebugDebuggingDLLBase = NULL;
HANDLE DebugDLLFileMapping;
bool DebugAttachedToProcess = false;
bool DebugDebuggingDLL = false;
wchar_t* DebugDebuggingDLLFullFileName;
wchar_t* DebugDebuggingDLLFileName;
DEBUG_EVENT DBGEvent = {};
DEBUG_EVENT TerminateDBGEvent = {};
DWORD ProcessExitCode = 0;
HANDLE DBGFileHandle;
std::vector<ULONG_PTR> tlsCallBackList;
std::vector<PROCESS_ITEM_DATA> hListProcess;
DWORD engineStepCount = 0;
LPVOID engineStepCallBack = NULL;
bool engineStepActive = false;
bool engineProcessIsNowDetached = false;
DWORD DBGCode = DBG_CONTINUE;
bool engineFileIsBeingDebugged = false;
ULONG_PTR engineFakeDLLHandle = NULL;
LPVOID engineAttachedProcessDebugInfo = NULL;
wchar_t szDebuggerName[512];
bool DebugStepFinal = false;
LPVOID StepOutCallBack = NULL;
CRITICAL_SECTION engineStepActiveCr;
// Workaround for a bug in the kernel with x64 emulation on ARM
DWORD ContextControlFlags = []
{
DWORD flags = CONTEXT_CONTROL;
typedef BOOL(WINAPI * type_IsWow64Process2)(HANDLE, USHORT*, USHORT*);
auto p_IsWow64Process2 = (type_IsWow64Process2)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process2");
if(p_IsWow64Process2)
{
USHORT processMachine = 0;
USHORT nativeMachine = 0;
if(p_IsWow64Process2(GetCurrentProcess(), &processMachine, &nativeMachine))
{
#ifndef IMAGE_FILE_MACHINE_ARM64
#define IMAGE_FILE_MACHINE_ARM64 0xAA64
#endif // IMAGE_FILE_MACHINE_ARM64
if(nativeMachine == IMAGE_FILE_MACHINE_ARM || nativeMachine == IMAGE_FILE_MACHINE_ARM64)
{
flags = CONTEXT_ALL;
}
}
}
return flags;
}();
// Global.Debugger.functions:
long DebugLoopInSecondThread(LPVOID InputParameter)
{
if(InputParameter == NULL) //IsFileDll
{
InitDebugExW(expertDebug.szFileName, expertDebug.szCommandLine, expertDebug.szCurrentFolder, expertDebug.EntryCallBack);
}
else
{
InitDLLDebugW(expertDebug.szFileName, expertDebug.ReserveModuleBase, expertDebug.szCommandLine, expertDebug.szCurrentFolder, expertDebug.EntryCallBack);
}
DebugLoop();
return NULL;
}
void DebuggerReset()
{
if(engineResetCustomHandler)
{
RtlZeroMemory(&myDBGCustomHandler, sizeof(CustomHandler));
}
std::vector<BreakPointDetail>().swap(BreakPointBuffer);
std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail>().swap(MemoryBreakpointPages);
recentlyDeletedBpx.clear();
}
void ClearProcessList()
{
std::vector<PROCESS_ITEM_DATA>().swap(hListProcess);
}
void ClearTlsCallBackList()
{
std::vector<ULONG_PTR>().swap(tlsCallBackList);
}
void StepOutStepCallBack()
{
BYTE cipch = 0x90;
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)GetContextData(UE_CIP), &cipch, sizeof(cipch), 0);
if(cipch == 0xC3 || cipch == 0xC2) //ret
{
if(DebugStepFinal)
StepOver(StepOutCallBack);
else
{
typedef void(TITCALL * fCustomBreakPoint)();
ObjectPointerToCallback<fCustomBreakPoint>(StepOutCallBack)();
}
}
else
StepOver(CallbackToObjectPointer(&StepOutStepCallBack));
}
static DWORD BaseSetLastNTError(IN NTSTATUS Status)
{
DWORD dwErrCode;
dwErrCode = RtlNtStatusToDosError(Status);
SetLastError(dwErrCode);
return dwErrCode;
}
static HANDLE WINAPI ProcessIdToHandle(IN DWORD dwProcessId)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE Handle;
CLIENT_ID ClientId;
/* If we don't have a PID, look it up */
//if (dwProcessId == MAXDWORD) dwProcessId = (DWORD_PTR)CsrGetProcessId();
/* Open a handle to the process */
ClientId.UniqueThread = NULL;
ClientId.UniqueProcess = UlongToHandle(dwProcessId);
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
Status = NtOpenProcess(&Handle,
PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
PROCESS_VM_WRITE | PROCESS_VM_READ |
PROCESS_SUSPEND_RESUME | PROCESS_QUERY_INFORMATION,
&ObjectAttributes,
&ClientId);
if(!NT_SUCCESS(Status))
{
/* Fail */
BaseSetLastNTError(Status);
return 0;
}
/* Return the handle */
return Handle;
}
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
static NTSTATUS CreateThreadSkipAttach(IN HANDLE ProcessHandle, IN PUSER_THREAD_START_ROUTINE StartRoutine, IN PVOID Argument)
{
NTSTATUS Status;
HANDLE hThread;
typedef NTSTATUS(NTAPI * t_NtCreateThreadEx)(
PHANDLE /* ThreadHandle */,
ACCESS_MASK /* DesiredAccess */,
POBJECT_ATTRIBUTES /* ObjectAttributes */,
HANDLE /* ProcessHandle */,
PUSER_THREAD_START_ROUTINE /* StartRoutine */,
PVOID /* Argument */,
ULONG /* CreateFlags */,
ULONG_PTR /* ZeroBits */,
SIZE_T /* StackSize */,
SIZE_T /* MaximumStackSize */,
PPS_ATTRIBUTE_LIST /* AttributeList */
);
auto p_NtCreateThreadEx = (t_NtCreateThreadEx)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateThreadEx");
if(p_NtCreateThreadEx)
{
// Based on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/339263/16/client/crashpad_client_win.cc#697
Status = p_NtCreateThreadEx(&hThread,
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
nullptr,
ProcessHandle,
StartRoutine,
Argument,
THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH,
0,
0x4000 /* PAGE_SIZE * 4 */,
0x4000,
nullptr);
}
else
{
CLIENT_ID ClientId;
Status = RtlCreateUserThread(ProcessHandle,
NULL,
FALSE,
0,
0x4000,
0x4000 /* PAGE_SIZE * 4 */,
StartRoutine,
Argument,
&hThread,
&ClientId);
}
if(NT_SUCCESS(Status))
{
NtClose(hThread);
}
return Status;
}
static NTSTATUS NTAPI DbgUiIssueRemoteBreakin_(IN HANDLE Process)
{
PUSER_THREAD_START_ROUTINE RemoteBreakFunction = (PUSER_THREAD_START_ROUTINE)DbgUiRemoteBreakin;
LPVOID RemoteMemory = VirtualAllocEx(Process, 0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ);
if(RemoteMemory)
{
SIZE_T written = 0;
unsigned char payload[] = { 0xCC, 0xC3 };
if(WriteProcessMemory(Process, RemoteMemory, payload, sizeof(payload), &written))
{
RemoteBreakFunction = (PUSER_THREAD_START_ROUTINE)RemoteMemory;
}
else
{
VirtualFreeEx(Process, RemoteMemory, 0, MEM_RELEASE);
}
}
/* Create the thread that will perform the breakin (on Vista+ it will skip DllMain and TLS callbacks) */
return CreateThreadSkipAttach(Process, RemoteBreakFunction, NULL);
}
static NTSTATUS NTAPI DbgUiDebugActiveProcess_(IN HANDLE Process)
{
/* Tell the kernel to start debugging */
NTSTATUS Status = NtDebugActiveProcess(Process, NtCurrentTeb()->DbgSsReserved[1]);
return Status;
#if 0
if(NT_SUCCESS(Status))
{
/* Now break-in the process */
Status = DbgUiIssueRemoteBreakin_(Process);
if(!NT_SUCCESS(Status))
{
/* We couldn't break-in, cancel debugging */
DbgUiStopDebugging(Process);
}
}
/* Return status */
return Status;
#endif
}
static NTSTATUS NTAPI DbgUiConnectToDbg_()
{
if(NtCurrentTeb()->DbgSsReserved[1] != NULL)
return STATUS_SUCCESS;
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
return NtCreateDebugObject(&NtCurrentTeb()->DbgSsReserved[1], DEBUG_ALL_ACCESS, &ObjectAttributes, 0);
}
// Source: https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/dll/win32/kernel32/client/debugger.c#L480
BOOL WINAPI DebugActiveProcess_(IN DWORD dwProcessId)
{
/* Connect to the debugger */
NTSTATUS Status = DbgUiConnectToDbg_();
if(!NT_SUCCESS(Status))
{
BaseSetLastNTError(Status);
return FALSE;
}
/* Get the process handle */
HANDLE Handle = ProcessIdToHandle(dwProcessId);
if(!Handle)
{
return FALSE;
}
/* Now debug the process */
Status = DbgUiDebugActiveProcess_(Handle);
/* Close the handle since we're done */
NtClose(Handle);
/* Check if debugging worked */
if(!NT_SUCCESS(Status))
{
/* Fail */
BaseSetLastNTError(Status);
return FALSE;
}
/* Success */
return TRUE;
}
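Review bot: DbgUiDebugActiveProcess_ returns Status unconditionally and then carries an "#if 0" block, which leaves DbgUiIssueRemoteBreakin_ and CreateThreadSkipAttach as static functions with no live caller in these lines. Either delete the disabled block together with the two helpers, or add a comment explaining why the break-in is skipped and where it is issued instead. If the helper is kept, note that DbgUiIssueRemoteBreakin_ only calls VirtualFreeEx when WriteProcessMemory fails: on the success path, and when CreateThreadSkipAttach itself fails, the page allocated in the target is never released. Smaller points: DebugLoopInSecondThread returns NULL from a function declared long (return 0), and several ULONG_PTR globals are initialised with NULL rather than 0.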

@ -0,0 +1,53 @@
#ifndef _GLOBAL_DEBUGGER_H
#define _GLOBAL_DEBUGGER_H
#include <vector>
#include <Windows.h>
extern HARDWARE_DATA DebugRegister[4];
extern PROCESS_INFORMATION dbgProcessInformation;
extern CustomHandler myDBGCustomHandler;
extern PCustomHandler DBGCustomHandler;
extern ExpertDebug expertDebug;
extern STARTUPINFOW dbgStartupInfo;
extern LPVOID DebugModuleEntryPointCallBack;
extern LPVOID DebugExeFileEntryPointCallBack;
extern ULONG_PTR DebugModuleEntryPoint;
extern ULONG_PTR DebugModuleImageBase;
extern ULONG_PTR DebugAttachedProcessCallBack;
extern bool DebugAttachedToProcess;
extern ULONG_PTR DebugReserveModuleBase;
extern ULONG_PTR DebugDebuggingMainModuleBase;
extern ULONG_PTR DebugDebuggingDLLBase;
extern HANDLE DebugDLLFileMapping;
extern bool DebugDebuggingDLL;
extern wchar_t* DebugDebuggingDLLFullFileName;
extern wchar_t* DebugDebuggingDLLFileName;
extern DEBUG_EVENT DBGEvent;
extern DEBUG_EVENT TerminateDBGEvent;
extern DWORD ProcessExitCode;
extern HANDLE DBGFileHandle;
extern std::vector<ULONG_PTR> tlsCallBackList;
extern std::vector<PROCESS_ITEM_DATA> hListProcess;
extern DWORD engineStepCount;
extern LPVOID engineStepCallBack;
extern bool engineStepActive;
extern bool engineProcessIsNowDetached;
extern DWORD DBGCode;
extern bool engineFileIsBeingDebugged;
extern ULONG_PTR engineFakeDLLHandle;
extern LPVOID engineAttachedProcessDebugInfo;
extern wchar_t szDebuggerName[512];
extern bool DebugStepFinal;
extern LPVOID StepOutCallBack;
extern CRITICAL_SECTION engineStepActiveCr;
extern DWORD ContextControlFlags;
long DebugLoopInSecondThread(LPVOID InputParameter);
void DebuggerReset();
void ClearProcessList();
void ClearTlsCallBackList();
void StepOutStepCallBack();
BOOL WINAPI DebugActiveProcess_(IN DWORD dwProcessId);
#endif //_GLOBAL_DEBUGGER_H
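Review bot: This header is not self-contained: it includes only <vector> and <Windows.h> but declares objects of type HARDWARE_DATA, CustomHandler, PCustomHandler, ExpertDebug and PROCESS_ITEM_DATA, so it compiles only when the including file has already pulled in their definitions, as Global.Debugger.cpp does by including stdafx.h and definitions.h first. Include the header that defines these types here so the include order in other translation units does not matter. It would also help to document next to engineStepActiveCr which of the engineStep* variables it protects.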

@ -0,0 +1,362 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Context.h"
#ifdef _WIN64
//https://stackoverflow.com/a/869597/1806760
template<typename T> struct identity
{
typedef T type;
};
template<typename Dst> Dst implicit_cast(typename identity<Dst>::type t)
{
return t;
}
//https://github.com/electron/crashpad/blob/4054e6cba3ba023d9c00260518ec2912607ae17c/snapshot/cpu_context.cc
enum
{
kX87TagValid = 0,
kX87TagZero,
kX87TagSpecial,
kX87TagEmpty,
};
typedef uint8_t X87Register[10];
union X87OrMMXRegister
{
struct
{
X87Register st;
uint8_t st_reserved[6];
};
struct
{
uint8_t mm_value[8];
uint8_t mm_reserved[8];
};
};
static_assert(sizeof(X87OrMMXRegister) == sizeof(M128A), "sizeof(X87OrMMXRegister) != sizeof(M128A)");
static uint16_t FxsaveToFsaveTagWord(
uint16_t fsw,
uint8_t fxsave_tag,
const X87OrMMXRegister* st_mm)
{
// The x87 tag word (in both abridged and full form) identifies physical
// registers, but |st_mm| is arranged in logical stack order. In order to map
// physical tag word bits to the logical stack registers they correspond to,
// the "stack top" value from the x87 status word is necessary.
int stack_top = (fsw >> 11) & 0x7;
uint16_t fsave_tag = 0;
for(int physical_index = 0; physical_index < 8; ++physical_index)
{
bool fxsave_bit = (fxsave_tag & (1 << physical_index)) != 0;
uint8_t fsave_bits;
if(fxsave_bit)
{
int st_index = (physical_index + 8 - stack_top) % 8;
const X87Register & st = st_mm[st_index].st;
uint32_t exponent = ((st[9] & 0x7f) << 8) | st[8];
if(exponent == 0x7fff)
{
// Infinity, NaN, pseudo-infinity, or pseudo-NaN. If it was important to
// distinguish between these, the J bit and the M bit (the most
// significant bit of |fraction|) could be consulted.
fsave_bits = kX87TagSpecial;
}
else
{
// The integer bit the "J bit".
bool integer_bit = (st[7] & 0x80) != 0;
if(exponent == 0)
{
uint64_t fraction = ((implicit_cast<uint64_t>(st[7]) & 0x7f) << 56) |
(implicit_cast<uint64_t>(st[6]) << 48) |
(implicit_cast<uint64_t>(st[5]) << 40) |
(implicit_cast<uint64_t>(st[4]) << 32) |
(implicit_cast<uint32_t>(st[3]) << 24) |
(st[2] << 16) | (st[1] << 8) | st[0];
if(!integer_bit && fraction == 0)
{
fsave_bits = kX87TagZero;
}
else
{
// Denormal (if the J bit is clear) or pseudo-denormal.
fsave_bits = kX87TagSpecial;
}
}
else if(integer_bit)
{
fsave_bits = kX87TagValid;
}
else
{
// Unnormal.
fsave_bits = kX87TagSpecial;
}
}
}
else
{
fsave_bits = kX87TagEmpty;
}
fsave_tag |= (fsave_bits << (physical_index * 2));
}
return fsave_tag;
}
static uint8_t FsaveToFxsaveTagWord(uint16_t fsave_tag)
{
uint8_t fxsave_tag = 0;
for(int physical_index = 0; physical_index < 8; ++physical_index)
{
const uint8_t fsave_bits = (fsave_tag >> (physical_index * 2)) & 0x3;
const bool fxsave_bit = fsave_bits != kX87TagEmpty;
fxsave_tag |= fxsave_bit << physical_index;
}
return fxsave_tag;
}
#endif //_WIN64
PGETENABLEDXSTATEFEATURES _GetEnabledXStateFeatures = NULL;
PINITIALIZECONTEXT _InitializeContext = NULL;
PGETXSTATEFEATURESMASK _GetXStateFeaturesMask = NULL;
LOCATEXSTATEFEATURE _LocateXStateFeature = NULL;
SETXSTATEFEATURESMASK _SetXStateFeaturesMask = NULL;
bool _SetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext, bool AVX_PRIORITY)
{
CONTEXT DBGContext;
memset(&DBGContext, 0, sizeof(DBGContext));
DBGContext.ContextFlags = CONTEXT_ALL | CONTEXT_FLOATING_POINT | CONTEXT_EXTENDED_REGISTERS;
if(!GetThreadContext(hActiveThread, &DBGContext))
{
ResumeThread(hActiveThread);
return false;
}
DBGContext.EFlags = (DWORD)titcontext->eflags;
DBGContext.Dr0 = titcontext->dr0;
DBGContext.Dr1 = titcontext->dr1;
DBGContext.Dr2 = titcontext->dr2;
DBGContext.Dr3 = titcontext->dr3;
DBGContext.Dr6 = titcontext->dr6;
DBGContext.Dr7 = titcontext->dr7;
DBGContext.SegGs = titcontext->gs;
DBGContext.SegFs = titcontext->fs;
DBGContext.SegEs = titcontext->es;
DBGContext.SegDs = titcontext->ds;
DBGContext.SegCs = titcontext->cs;
DBGContext.SegSs = titcontext->ss;
#ifdef _WIN64 //x64
DBGContext.Rax = titcontext->cax;
DBGContext.Rbx = titcontext->cbx;
DBGContext.Rcx = titcontext->ccx;
DBGContext.Rdx = titcontext->cdx;
DBGContext.Rdi = titcontext->cdi;
DBGContext.Rsi = titcontext->csi;
DBGContext.Rbp = titcontext->cbp;
DBGContext.Rsp = titcontext->csp;
DBGContext.Rip = titcontext->cip;
DBGContext.R8 = titcontext->r8;
DBGContext.R9 = titcontext->r9;
DBGContext.R10 = titcontext->r10;
DBGContext.R11 = titcontext->r11;
DBGContext.R12 = titcontext->r12;
DBGContext.R13 = titcontext->r13;
DBGContext.R14 = titcontext->r14;
DBGContext.R15 = titcontext->r15;
DBGContext.FltSave.ControlWord = titcontext->x87fpu.ControlWord;
DBGContext.FltSave.StatusWord = titcontext->x87fpu.StatusWord;
DBGContext.FltSave.TagWord = FsaveToFxsaveTagWord(titcontext->x87fpu.TagWord);
DBGContext.FltSave.ErrorSelector = (WORD)titcontext->x87fpu.ErrorSelector;
DBGContext.FltSave.ErrorOffset = titcontext->x87fpu.ErrorOffset;
DBGContext.FltSave.DataSelector = (WORD)titcontext->x87fpu.DataSelector;
DBGContext.FltSave.DataOffset = titcontext->x87fpu.DataOffset;
// Skip titcontext->x87fpu.Cr0NpxState
DBGContext.MxCsr = titcontext->MxCsr;
for(int i = 0; i < 8; i++)
memcpy(& DBGContext.FltSave.FloatRegisters[i], &(titcontext->RegisterArea[i * 10]), 10);
for(int i = 0; i < 16; i++)
memcpy(& (DBGContext.FltSave.XmmRegisters[i]), & (titcontext->XmmRegisters[i]), 16);
#else //x86
DBGContext.Eax = titcontext->cax;
DBGContext.Ebx = titcontext->cbx;
DBGContext.Ecx = titcontext->ccx;
DBGContext.Edx = titcontext->cdx;
DBGContext.Edi = titcontext->cdi;
DBGContext.Esi = titcontext->csi;
DBGContext.Ebp = titcontext->cbp;
DBGContext.Esp = titcontext->csp;
DBGContext.Eip = titcontext->cip;
DBGContext.FloatSave.ControlWord = titcontext->x87fpu.ControlWord;
DBGContext.FloatSave.StatusWord = titcontext->x87fpu.StatusWord;
DBGContext.FloatSave.TagWord = titcontext->x87fpu.TagWord;
DBGContext.FloatSave.ErrorSelector = titcontext->x87fpu.ErrorSelector;
DBGContext.FloatSave.ErrorOffset = titcontext->x87fpu.ErrorOffset;
DBGContext.FloatSave.DataSelector = titcontext->x87fpu.DataSelector;
DBGContext.FloatSave.DataOffset = titcontext->x87fpu.DataOffset;
#ifdef NTDDI_WIN8
DBGContext.FloatSave.Spare0 = titcontext->x87fpu.Cr0NpxState;
#else
DBGContext.FloatSave.Cr0NpxState = titcontext->x87fpu.Cr0NpxState;
#endif
memcpy(DBGContext.FloatSave.RegisterArea, titcontext->RegisterArea, 80);
// MXCSR ExtendedRegisters[24]
memcpy(& (DBGContext.ExtendedRegisters[24]), & titcontext->MxCsr, sizeof(titcontext->MxCsr));
// for x86 copy the 8 Xmm Registers from ExtendedRegisters[(10+n)*16]; (n is the index of the xmm register) to the XMM register
for(int i = 0; i < 8; i++)
memcpy(& DBGContext.ExtendedRegisters[(10 + i) * 16], &(titcontext->XmmRegisters[i]), 16);
#endif
bool returnf = SetThreadContext(hActiveThread, & DBGContext) ? true : false;
if(AVX_PRIORITY)
SetAVXContext(hActiveThread, titcontext);
return returnf;
}
bool _GetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext, bool avx)
{
CONTEXT DBGContext;
memset(&DBGContext, 0, sizeof(CONTEXT));
memset(titcontext, 0, sizeof(TITAN_ENGINE_CONTEXT_t));
DBGContext.ContextFlags = CONTEXT_ALL | CONTEXT_FLOATING_POINT | CONTEXT_EXTENDED_REGISTERS;
if(!GetThreadContext(hActiveThread, &DBGContext))
return false;
titcontext->eflags = DBGContext.EFlags;
titcontext->dr0 = DBGContext.Dr0;
titcontext->dr1 = DBGContext.Dr1;
titcontext->dr2 = DBGContext.Dr2;
titcontext->dr3 = DBGContext.Dr3;
titcontext->dr6 = DBGContext.Dr6;
titcontext->dr7 = DBGContext.Dr7;
titcontext->gs = (unsigned short) DBGContext.SegGs;
titcontext->fs = (unsigned short) DBGContext.SegFs;
titcontext->es = (unsigned short) DBGContext.SegEs;
titcontext->ds = (unsigned short) DBGContext.SegDs;
titcontext->cs = (unsigned short) DBGContext.SegCs;
titcontext->ss = (unsigned short) DBGContext.SegSs;
#ifdef _WIN64 //x64
titcontext->cax = DBGContext.Rax;
titcontext->cbx = DBGContext.Rbx;
titcontext->ccx = DBGContext.Rcx;
titcontext->cdx = DBGContext.Rdx;
titcontext->cdi = DBGContext.Rdi;
titcontext->csi = DBGContext.Rsi;
titcontext->cbp = DBGContext.Rbp;
titcontext->csp = DBGContext.Rsp;
titcontext->cip = DBGContext.Rip;
titcontext->r8 = DBGContext.R8;
titcontext->r9 = DBGContext.R9;
titcontext->r10 = DBGContext.R10;
titcontext->r11 = DBGContext.R11;
titcontext->r12 = DBGContext.R12;
titcontext->r13 = DBGContext.R13;
titcontext->r14 = DBGContext.R14;
titcontext->r15 = DBGContext.R15;
titcontext->x87fpu.ControlWord = DBGContext.FltSave.ControlWord;
titcontext->x87fpu.StatusWord = DBGContext.FltSave.StatusWord;
titcontext->x87fpu.TagWord = FxsaveToFsaveTagWord(DBGContext.FltSave.StatusWord, DBGContext.FltSave.TagWord, (const X87OrMMXRegister*)DBGContext.FltSave.FloatRegisters);
titcontext->x87fpu.ErrorSelector = DBGContext.FltSave.ErrorSelector;
titcontext->x87fpu.ErrorOffset = DBGContext.FltSave.ErrorOffset;
titcontext->x87fpu.DataSelector = DBGContext.FltSave.DataSelector;
titcontext->x87fpu.DataOffset = DBGContext.FltSave.DataOffset;
// Skip titcontext->x87fpu.Cr0NpxState (https://github.com/x64dbg/x64dbg/issues/255)
titcontext->MxCsr = DBGContext.MxCsr;
for(int i = 0; i < 8; i++)
memcpy(&titcontext->RegisterArea[i * 10], &DBGContext.FltSave.FloatRegisters[i], 10);
for(int i = 0; i < 16; i++)
memcpy(&titcontext->XmmRegisters[i], &DBGContext.FltSave.XmmRegisters[i], 16);
#else //x86
titcontext->cax = DBGContext.Eax;
titcontext->cbx = DBGContext.Ebx;
titcontext->ccx = DBGContext.Ecx;
titcontext->cdx = DBGContext.Edx;
titcontext->cdi = DBGContext.Edi;
titcontext->csi = DBGContext.Esi;
titcontext->cbp = DBGContext.Ebp;
titcontext->csp = DBGContext.Esp;
titcontext->cip = DBGContext.Eip;
titcontext->x87fpu.ControlWord = (WORD) DBGContext.FloatSave.ControlWord;
titcontext->x87fpu.StatusWord = (WORD) DBGContext.FloatSave.StatusWord;
titcontext->x87fpu.TagWord = (WORD) DBGContext.FloatSave.TagWord;
titcontext->x87fpu.ErrorSelector = DBGContext.FloatSave.ErrorSelector;
titcontext->x87fpu.ErrorOffset = DBGContext.FloatSave.ErrorOffset;
titcontext->x87fpu.DataSelector = DBGContext.FloatSave.DataSelector;
titcontext->x87fpu.DataOffset = DBGContext.FloatSave.DataOffset;
#ifdef NTDDI_WIN8
titcontext->x87fpu.Cr0NpxState = DBGContext.FloatSave.Spare0;
#else
titcontext->x87fpu.Cr0NpxState = DBGContext.FloatSave.Cr0NpxState;
#endif
memcpy(titcontext->RegisterArea, DBGContext.FloatSave.RegisterArea, 80);
// MXCSR ExtendedRegisters[24]
memcpy(& (titcontext->MxCsr), & (DBGContext.ExtendedRegisters[24]), sizeof(titcontext->MxCsr));
// for x86 copy the 8 Xmm Registers from ExtendedRegisters[(10+n)*16]; (n is the index of the xmm register) to the XMM register
for(int i = 0; i < 8; i++)
memcpy(&(titcontext->XmmRegisters[i]), & DBGContext.ExtendedRegisters[(10 + i) * 16], 16);
#endif
if(avx)
GetAVXContext(hActiveThread, titcontext);
return true;
}
bool InitXState()
{
static bool init = false;
if(!init)
{
init = true;
HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
if(kernel32 != NULL)
{
_GetEnabledXStateFeatures = (PGETENABLEDXSTATEFEATURES)GetProcAddress(kernel32, "GetEnabledXStateFeatures");
_InitializeContext = (PINITIALIZECONTEXT)GetProcAddress(kernel32, "InitializeContext");
_GetXStateFeaturesMask = (PGETXSTATEFEATURESMASK)GetProcAddress(kernel32, "GetXStateFeaturesMask");
_LocateXStateFeature = (LOCATEXSTATEFEATURE)GetProcAddress(kernel32, "LocateXStateFeature");
_SetXStateFeaturesMask = (SETXSTATEFEATURESMASK)GetProcAddress(kernel32, "SetXStateFeaturesMask");
}
}
return (_GetEnabledXStateFeatures != NULL &&
_InitializeContext != NULL &&
_GetXStateFeaturesMask != NULL &&
_LocateXStateFeature != NULL &&
_SetXStateFeaturesMask != NULL);
}
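Review bot: _SetFullContextDataEx calls ResumeThread(hActiveThread) when GetThreadContext fails, but nothing in this function suspends the thread, and _GetFullContextDataEx returns false on the same failure without resuming. If the caller owns the suspend/resume pairing, this extra ResumeThread lowers the suspend count a second time; if it does not, the success path never resumes at all. Drop the call or document the contract in a comment above the function. The result of SetAVXContext is also discarded, so a failed AVX write still reports success through returnf; consider folding it into the return value. In InitXState, the "static bool init" guard is not synchronised, which matters if two threads can reach it at the same time.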

@ -0,0 +1,31 @@
#ifndef _GLOBAL_ENGINE_CONTEXT_H
#define _GLOBAL_ENGINE_CONTEXT_H
#undef CONTEXT_XSTATE
#if defined(_M_X64)
#define CONTEXT_XSTATE (0x00100040)
#else
#define CONTEXT_XSTATE (0x00010040)
#endif
#define XSTATE_AVX (XSTATE_GSSE)
#define XSTATE_MASK_AVX (XSTATE_MASK_GSSE)
typedef DWORD64(WINAPI* PGETENABLEDXSTATEFEATURES)();
typedef BOOL (WINAPI* PINITIALIZECONTEXT)(PVOID Buffer, DWORD ContextFlags, PCONTEXT* Context, PDWORD ContextLength);
typedef BOOL (WINAPI* PGETXSTATEFEATURESMASK)(PCONTEXT Context, PDWORD64 FeatureMask);
typedef PVOID(WINAPI* LOCATEXSTATEFEATURE)(PCONTEXT Context, DWORD FeatureId, PDWORD Length);
typedef BOOL (WINAPI* SETXSTATEFEATURESMASK)(PCONTEXT Context, DWORD64 FeatureMask);
extern PGETENABLEDXSTATEFEATURES _GetEnabledXStateFeatures;
extern PINITIALIZECONTEXT _InitializeContext;
extern PGETXSTATEFEATURESMASK _GetXStateFeaturesMask;
extern LOCATEXSTATEFEATURE _LocateXStateFeature;
extern SETXSTATEFEATURESMASK _SetXStateFeaturesMask;
bool _SetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext, bool AVX_PRIORITY);
bool _GetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext, bool avx);
bool InitXState(void);
#endif //_GLOBAL_ENGINE_CONTEXT_H
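Review bot: The unconditional "#undef CONTEXT_XSTATE" followed by hard-coded values silently overrides whatever the Windows SDK defines, and there is no comment saying why. Add a short comment explaining which SDK definition is being corrected, or switch to "#ifndef CONTEXT_XSTATE" if the intent is only to supply a missing macro. The function-pointer typedefs are also named inconsistently (PGETENABLEDXSTATEFEATURES, PINITIALIZECONTEXT and PGETXSTATEFEATURESMASK carry a P prefix, LOCATEXSTATEFEATURE and SETXSTATEFEATURESMASK do not), and the global pointers such as _GetEnabledXStateFeatures use a leading underscore at namespace scope, which is reserved for the implementation.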

@ -0,0 +1,114 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.GUI.h"
#include "Global.Engine.h"
#define TE_VER_MAJOR 2
#define TE_VER_MIDDLE 1
#define TE_VER_MINOR 0
char szWindowUnpackerName[128];
char szWindowUnpackerTitle[128];
char szWindowUnpackerLongTitle[128];
char szWindowUnpackerAuthor[128];
HWND EngineBoxHandle;
static HWND EngineWindowHandle;
// Global.TitanEngine.Engine.functions:
bool EngineGetFileDialog(char* GlobalBuffer)
{
OPENFILENAMEA sOpenFileName;
char szFilterString[] = "All Files \0*.*\0\0";
char szDialogTitle[] = "TitanEngine2 from Reversing Labs";
RtlZeroMemory(&sOpenFileName, sizeof(OPENFILENAMEA));
sOpenFileName.lStructSize = sizeof(OPENFILENAMEA);
sOpenFileName.lpstrFilter = szFilterString;
sOpenFileName.lpstrFile = GlobalBuffer;
sOpenFileName.nMaxFile = 1024;
sOpenFileName.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_LONGNAMES | OFN_EXPLORER | OFN_HIDEREADONLY;
sOpenFileName.lpstrTitle = szDialogTitle;
if(!GetOpenFileNameA(&sOpenFileName))
{
RtlZeroMemory(GlobalBuffer, 1024);
return false;
}
else
{
return true;
}
}
long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
char szAboutTitle[] = "[ About ]";
char szAboutText[] = "%s \r\n\r\n ReversingLabs - http://www.reversinglabs.com \r\n\r\n Minimum engine version needed:\r\n- TitanEngine %i.%i.%i by RevLabs\r\n\r\nUnpacker coded by %s";
typedef void(TITCALL * fStartUnpacking)(char* szInputFile, bool RealignFile, bool CopyOverlay);
fStartUnpacking myStartUnpacking = (fStartUnpacking)EngineStartUnpackingCallBack;
char GlobalBuffer[1024] = {};
char AboutBuffer[1024] = {};
bool bRealignFile = false;
bool bCopyOverlay = false;
if(uMsg == WM_INITDIALOG)
{
SendMessageA(hwndDlg, WM_SETTEXT, NULL, (LPARAM)&szWindowUnpackerTitle);
HICON hIconLarge = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 32, 32, LR_DEFAULTSIZE);
SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)hIconLarge);
HICON hIconSmall = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 16, 16, LR_DEFAULTSIZE);
SendMessage(hwndDlg, WM_SETICON, ICON_SMALL, (LPARAM)hIconSmall);
SetDlgItemTextA(hwndDlg, IDD_UNPACKERTITLE, szWindowUnpackerLongTitle);
SetDlgItemTextA(hwndDlg, IDC_FILENAME, "filename.exe");
CheckDlgButton(hwndDlg, IDC_REALING, 1);
EngineWindowHandle = hwndDlg;
}
else if(uMsg == WM_DROPFILES)
{
DragQueryFileA((HDROP)wParam, NULL, GlobalBuffer, sizeof(GlobalBuffer));
SetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer);
}
else if(uMsg == WM_CLOSE)
{
EndDialog(hwndDlg, NULL);
}
else if(uMsg == WM_COMMAND)
{
if(wParam == IDC_UNPACK)
{
GetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer, sizeof(GlobalBuffer));
if(!IsFileBeingDebugged() && EngineFileExists(GlobalBuffer))
{
EngineBoxHandle = GetDlgItem(hwndDlg, IDC_LISTBOX);
SendMessageA(EngineBoxHandle, LB_RESETCONTENT, NULL, NULL);
if(IsDlgButtonChecked(EngineWindowHandle, IDC_REALING))
{
bRealignFile = true;
}
if(IsDlgButtonChecked(EngineWindowHandle, IDC_COPYOVERLAY))
{
bCopyOverlay = true;
}
myStartUnpacking(GlobalBuffer, bRealignFile, bCopyOverlay);
}
}
else if(wParam == IDC_BROWSE)
{
if(EngineGetFileDialog(GlobalBuffer))
{
SetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer);
}
}
else if(wParam == IDC_ABOUT)
{
wsprintfA(AboutBuffer, szAboutText, szWindowUnpackerName, TE_VER_MAJOR, TE_VER_MIDDLE, TE_VER_MINOR, szWindowUnpackerAuthor);
MessageBoxA(hwndDlg, AboutBuffer, szAboutTitle, MB_ICONASTERISK);
}
else if(wParam == IDC_EXIT)
{
EndDialog(hwndDlg, NULL);
}
}
return 0;
}
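Review bot: The `WM_DROPFILES` branch of `EngineWndProc` reads the path with `DragQueryFileA` but never calls `DragFinish((HDROP)wParam)`, so the drop handle is not released; add the call after `SetDlgItemTextA`. In `EngineGetFileDialog`, `nMaxFile = 1024` and `RtlZeroMemory(GlobalBuffer, 1024)` hard-code the size of a buffer the function receives only as `char*`; take the size as a parameter so a caller with a smaller buffer cannot be overrun. The procedure handles `WM_INITDIALOG` and calls `EndDialog`, so it is used as a dialog procedure and should return `INT_PTR` rather than `long`, and the `WM_COMMAND` comparisons should test `LOWORD(wParam)` instead of the whole `wParam`.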

@ -0,0 +1,16 @@
#ifndef _GLOBAL_ENGINE_GUI_H
#define _GLOBAL_ENGINE_GUI_H
#include "resource.h"
extern char szWindowUnpackerName[128];
extern char szWindowUnpackerTitle[128];
extern char szWindowUnpackerLongTitle[128];
extern char szWindowUnpackerAuthor[128];
extern HWND EngineBoxHandle;
bool EngineGetFileDialog(char* GlobalBuffer);
long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);
#endif //_GLOBAL_ENGINE_GUI_H

@ -0,0 +1,49 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Hash.h"
static unsigned long Crc32Table[256];
// Global.Engine.Hash.functions:
void HashInit()
{
unsigned long ulPolynomial = 0x04C11DB7; //0x04C11DB7 is the official polynomial used by PKZip, WinZip and Ethernet.
// CRC32 table initialization
for(int iCodes = 0; iCodes <= 0xFF; iCodes++)
{
Crc32Table[iCodes] = EngineCrc32Reflect(iCodes, 8) << 24;
for(int iPos = 0; iPos < 8; iPos++)
{
Crc32Table[iCodes] = (Crc32Table[iCodes] << 1) ^ ((Crc32Table[iCodes] & (1 << 31)) ? ulPolynomial : 0);
}
Crc32Table[iCodes] = EngineCrc32Reflect(Crc32Table[iCodes], 32);
}
}
unsigned long EngineCrc32Reflect(unsigned long ulReflect, const char cChar)
{
unsigned long ulValue = 0;
// Swap bit 0 for bit 7, bit 1 For bit 6, etc....
for(int iPos = 1; iPos < (cChar + 1); iPos++)
{
if(ulReflect & 1)
{
ulValue |= (1 << (cChar - iPos));
}
ulReflect >>= 1;
}
return ulValue;
}
void EngineCrc32PartialCRC(unsigned long* ulCRC, const unsigned char* sData, unsigned long ulDataLength)
{
while(ulDataLength--)
{
//If your compiler complains about the following line, try changing each
// occurrence of *ulCRC with "((unsigned long)*ulCRC)" or "*(unsigned long *)ulCRC".
*(unsigned long*)ulCRC = ((*(unsigned long*)ulCRC) >> 8) ^ Crc32Table[((*(unsigned long*)ulCRC) & 0xFF) ^ *sData++];
}
}
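Review bot: `1 << 31` in `HashInit` and `1 << (cChar - iPos)` in `EngineCrc32Reflect` (which reaches a shift of 31 when called with 32) shift a signed `int` into its sign bit; write `1UL` so the mask is computed in the same unsigned type as the table entries. `EngineCrc32PartialCRC` indexes `Crc32Table` with nothing ensuring that `HashInit` has run, so a call before initialization silently produces a wrong CRC from an all-zero table. The `*(unsigned long*)ulCRC` casts and the comment about compiler complaints are redundant because `ulCRC` is already `unsigned long*`, and a bit count passed as `const char cChar` would read better as an `int`.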

@ -0,0 +1,8 @@
#ifndef _GLOBAL_ENGINE_HASH_H
#define _GLOBAL_ENGINE_HASH_H
void HashInit();
unsigned long EngineCrc32Reflect(unsigned long ulReflect, const char cChar);
void EngineCrc32PartialCRC(unsigned long* ulCRC, const unsigned char* sData, unsigned long ulDataLength);
#endif //_GLOBAL_ENGINE_HASH_H

@ -0,0 +1,304 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Hider.h"
#include "Global.Engine.h"
#include "Global.Engine.Importer.h"
#include "Global.Debugger.h"
// Global.Engine.Hider.functions:
static bool isAtleastVista()
{
static bool isAtleastVista = false;
static bool isSet = false;
if(isSet)
return isAtleastVista;
RTL_OSVERSIONINFOW versionInfo = {0};
versionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
typedef NTSTATUS(WINAPI * tRtlGetVersion)(PRTL_OSVERSIONINFOW);
tRtlGetVersion pRtlGetVersion = (tRtlGetVersion)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
if(!pRtlGetVersion || !NT_SUCCESS(pRtlGetVersion(&versionInfo)))
{
isAtleastVista = false;
}
else
{
isAtleastVista = versionInfo.dwMajorVersion >= 6;
}
isSet = true;
return isAtleastVista;
}
//TODO: unclear behaviour, will return true when on wow64, but should not return true, because the system structures are x32 in that case
static bool isWindows64()
{
SYSTEM_INFO si = {0};
typedef void (WINAPI * tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
if(_GetNativeSystemInfo)
{
_GetNativeSystemInfo(&si);
}
else
{
GetSystemInfo(&si);
}
return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64);
}
static void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide, bool x64)
{
const BYTE patchCheckRemoteDebuggerPresent32[5] =
{
0x33, 0xC0, //XOR EAX,EAX
0xC2, 0x08, 0x00 //RETN 0x8
};
const BYTE patchGetTickCount32[3] =
{
0x33, 0xC0, //XOR EAX,EAX
0xC3 //RETN
};
const BYTE patchCheckRemoteDebuggerPresent64[4] =
{
0x48, 0x31, 0xC0, //XOR RAX,RAX
0xC3 //RETN
};
const BYTE patchGetTickCount64[4] =
{
0x48, 0x31, 0xC0, //XOR RAX,RAX
0xC3 //RETN
};
const BYTE* patchCheckRemoteDebuggerPresent;
int patchCheckRemoteDebuggerPresentSize;
const BYTE* patchGetTickCount;
int patchGetTickCountSize;
if(x64) //x64 patches
{
patchCheckRemoteDebuggerPresent = patchCheckRemoteDebuggerPresent64;
patchCheckRemoteDebuggerPresentSize = sizeof(patchCheckRemoteDebuggerPresent64);
patchGetTickCount = patchGetTickCount64;
patchGetTickCountSize = sizeof(patchGetTickCount64);
}
else //x86 patches
{
patchCheckRemoteDebuggerPresent = patchCheckRemoteDebuggerPresent32;
patchCheckRemoteDebuggerPresentSize = sizeof(patchCheckRemoteDebuggerPresent32);
patchGetTickCount = patchGetTickCount32;
patchGetTickCountSize = sizeof(patchGetTickCount32);
}
ULONG_PTR APIPatchAddress = 0;
DWORD OldProtect = 0;
SIZE_T ueNumberOfBytesRead = 0;
if(Hide)
{
APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "CheckRemoteDebuggerPresent");
if(VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect);
}
APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "GetTickCount");
if(VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, patchGetTickCountSize, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, OldProtect, &OldProtect);
}
}
else
{
APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "CheckRemoteDebuggerPresent");
if(VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect);
}
APIPatchAddress = EngineGetProcAddressRemote(hProcess, L"kernel32.dll", "GetTickCount");
if(VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), patchGetTickCountSize, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, OldProtect, &OldProtect);
}
}
FlushInstructionCache(hProcess, NULL, 0);
}
//Quote from The Ultimate Anti-Debugging Reference by Peter Ferrie
//Flags field exists at offset 0x0C in the heap on the 32-bit versions of Windows NT, Windows 2000, and Windows XP; and at offset 0x40 on the 32-bit versions of Windows Vista and later.
//Flags field exists at offset 0x14 in the heap on the 64-bit versions of Windows XP, and at offset 0x70 in the heap on the 64-bit versions of Windows Vista and later.
//ForceFlags field exists at offset 0x10 in the heap on the 32-bit versions of Windows NT, Windows 2000, and Windows XP; and at offset 0x44 on the 32-bit versions of Windows Vista and later.
//ForceFlags field exists at offset 0x18 in the heap on the 64-bit versions of Windows XP, and at offset 0x74 in the heap on the 64-bit versions of Windows Vista and later.
static int getHeapFlagsOffset(bool x64)
{
if(x64) //x64 offsets
{
if(isAtleastVista())
{
return 0x70;
}
else
{
return 0x14;
}
}
else //x86 offsets
{
if(isAtleastVista())
{
return 0x40;
}
else
{
return 0x0C;
}
}
}
static int getHeapForceFlagsOffset(bool x64)
{
if(x64) //x64 offsets
{
if(isAtleastVista())
{
return 0x74;
}
else
{
return 0x18;
}
}
else //x86 offsets
{
if(isAtleastVista())
{
return 0x44;
}
else
{
return 0x10;
}
}
}
static bool FixPebInProcess(HANDLE hProcess, bool Hide)
{
PEB_CURRENT myPEB = {0};
SIZE_T ueNumberOfBytesRead = 0;
void* heapFlagsAddress = 0;
DWORD heapFlags = 0;
void* heapForceFlagsAddress = 0;
DWORD heapForceFlags = 0;
#ifndef _WIN64
PEB64 myPEB64 = {0};
void* AddressOfPEB64 = GetPEBLocation64(hProcess);
#endif
void* AddressOfPEB = GetPEBLocation(hProcess);
if(!AddressOfPEB)
return false;
if(ReadProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
{
#ifndef _WIN64
if(AddressOfPEB64)
{
ReadProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
}
#endif
if(Hide)
{
//TODO: backup GlobalFlag
myPEB.BeingDebugged = FALSE;
myPEB.NtGlobalFlag &= ~0x70;
#ifndef _WIN64
myPEB64.BeingDebugged = FALSE;
myPEB64.NtGlobalFlag &= ~0x70;
#endif
//TODO: backup heap flags
#ifdef _WIN64
heapFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(true));
heapForceFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(true));
#else
heapFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(false));
heapForceFlagsAddress = (void*)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(false));
#endif //_WIN64
ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
ReadProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0);
heapFlags &= HEAP_GROWABLE;
heapForceFlags = 0;
WriteProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
WriteProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0);
}
else
{
myPEB.BeingDebugged = TRUE;
#ifndef _WIN64
myPEB64.BeingDebugged = TRUE;
#endif
}
if(WriteProcessMemory(hProcess, AddressOfPEB, (void*)&myPEB, sizeof(PEB_CURRENT), &ueNumberOfBytesRead))
{
#ifndef _WIN64
if(AddressOfPEB64)
{
WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
}
#endif
return true;
}
}
return false;
}
bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
{
if(hProcess)
{
if(FixPebInProcess(hProcess, Hide))
{
if(PatchAPILevel == UE_HIDE_BASIC)
{
#ifdef _WIN64
FixAntidebugApiInProcess(hProcess, Hide, true);
#else
FixAntidebugApiInProcess(hProcess, Hide, false);
#endif
}
return true;
}
}
return false;
}
#ifndef _WIN64
bool IsThisProcessWow64()
{
typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess, PBOOL Wow64Process);
BOOL bIsWow64 = FALSE;
tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
if(fnIsWow64Process)
{
fnIsWow64Process(GetCurrentProcess(), &bIsWow64);
}
return (bIsWow64 != FALSE);
}
#endif
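Review bot: In the `Hide` branch of `FixAntidebugApiInProcess`, both `WriteProcessMemory` calls pass `&patchCheckRemoteDebuggerPresent` and `&patchGetTickCount`, which are the addresses of the local `const BYTE*` variables, so the bytes copied into the debuggee are the pointer values and not the patch arrays; pass the pointers themselves. `APIPatchAddress` is used without checking that `EngineGetProcAddressRemote` returned non-zero, and the return values of the `WriteProcessMemory` calls and of the heap-flag `ReadProcessMemory` calls in `FixPebInProcess` are ignored, so after a failed read the zero-initialized `heapFlags` and `heapForceFlags` are still written back. The non-`Hide` branch restores only `BeingDebugged`, which matches the two `TODO: backup` comments but means hide followed by unhide does not return the process to its original state. `isWindows64` is defined but not called anywhere in this file.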

@ -0,0 +1,9 @@
#ifndef _GLOBAL_ENGINE_HIDER_H
#define _GLOBAL_ENGINE_HIDER_H
bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide);
#ifndef _WIN64
bool IsThisProcessWow64();
#endif
#endif //_GLOBAL_ENGINE_HIDER_H

@ -0,0 +1,73 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Hook.h"
#include "Global.Debugger.h"
// Global.Engine.Hook.functions:
void EngineFakeLoadLibraryReturn()
{
ULONG_PTR ParameterData;
LPDEBUG_EVENT currentDBGEvent;
HANDLE currentProcess;
currentDBGEvent = (LPDEBUG_EVENT)GetDebugData();
currentProcess = dbgProcessInformation.hProcess;
if(currentProcess != NULL)
{
#if !defined(_WIN64)
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_STDCALL_RET, 1, UE_PARAMETER_DWORD);
if(ParameterData != NULL)
{
if(engineFakeDLLHandle != NULL)
{
SetContextData(UE_EAX, engineFakeDLLHandle);
}
else
{
SetContextData(UE_EAX, 0x10000000);
}
}
#else
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_FASTCALL, 1, UE_PARAMETER_QWORD);
if(ParameterData != NULL)
{
if(engineFakeDLLHandle != NULL)
{
SetContextData(UE_RAX, engineFakeDLLHandle);
}
else
{
SetContextData(UE_RAX, 0x10000000);
}
}
#endif
}
}
void EngineFakeGetProcAddressReturn()
{
ULONG_PTR ParameterData;
LPDEBUG_EVENT currentDBGEvent;
HANDLE currentProcess;
currentDBGEvent = (LPDEBUG_EVENT)GetDebugData();
currentProcess = dbgProcessInformation.hProcess;
if(currentProcess != NULL)
{
#if !defined(_WIN64)
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_STDCALL_RET, 1, UE_PARAMETER_DWORD);
if(ParameterData != NULL)
{
SetContextData(UE_EAX, (ULONG_PTR)ImporterGetRemoteAPIAddress(currentProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess")));
}
#else
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_FASTCALL, 1, UE_PARAMETER_QWORD);
if(ParameterData != NULL)
{
SetContextData(UE_RAX, (ULONG_PTR)ImporterGetRemoteAPIAddress(currentProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess")));
}
#endif
}
}
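Review bot: `currentDBGEvent` is assigned from `GetDebugData()` in both functions and never read; drop the variable and the call. The `_WIN64` and 32-bit branches differ only in the calling-convention constant, the parameter size and the register (`UE_EAX` versus `UE_RAX`), so selecting those three values under the `#if` and sharing one body would remove the duplication. `ParameterData` is a `ULONG_PTR`, so compare it with `0` rather than `NULL`, and give the fallback handle `0x10000000` a named constant with a comment saying why that value is used.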

@ -0,0 +1,7 @@
#ifndef _GLOBAL_ENGINE_HOOK_H
#define _GLOBAL_ENGINE_HOOK_H
void EngineFakeLoadLibraryReturn();
void EngineFakeGetProcAddressReturn();
#endif //_GLOBAL_ENGINE_HOOK_H

@ -0,0 +1,352 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Engine.Importer.h"
#include "Global.Debugger.h"
#include "Global.Mapping.h"
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const wchar_t* szDLLName, const char* szAPIName)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
DWORD cbNeeded = 0;
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
HMODULE* hMods = (HMODULE*)malloc(cbNeeded * sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 0; i < cbNeeded / sizeof(HMODULE); i++)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, hMods[i], szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
if(!_wcsicmp(dllName, szDLLName))
{
HMODULE hModule = LoadLibraryExW(szModuleName, 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE);
if(hModule)
{
ULONG_PTR funcAddress = (ULONG_PTR)GetProcAddress(hModule, szAPIName);
if(funcAddress)
{
funcAddress -= (ULONG_PTR)hModule; //rva
FreeLibrary(hModule);
return funcAddress + (ULONG_PTR)hMods[i]; //va
}
}
break;
}
}
}
}
}
free(hMods);
}
return 0;
}
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char* szDLLName, const char* szAPIName)
{
WCHAR uniDLLName[MAX_PATH] = {0};
if(MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
{
return EngineGetProcAddressRemote(hProcess, uniDLLName, szAPIName);
}
else
{
return 0;
}
}
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
DWORD cbNeeded = 0;
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
HMODULE* hMods = (HMODULE*)malloc(cbNeeded * sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 0; i < cbNeeded / sizeof(HMODULE); i++)
{
MODULEINFO modinfo;
memset(&modinfo, 0, sizeof(MODULEINFO));
if(GetModuleInformation(hProcess, hMods[i], &modinfo, sizeof(MODULEINFO)))
{
ULONG_PTR start = (ULONG_PTR)hMods[i];
ULONG_PTR end = start + modinfo.SizeOfImage;
if(APIAddress >= start && APIAddress < end)
return start;
}
}
}
free(hMods);
}
return 0;
}
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
DWORD cbNeeded = 0;
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
HMODULE* hMods = (HMODULE*)malloc(cbNeeded * sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 0; i < cbNeeded / sizeof(HMODULE); i++)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, hMods[i], szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
if(!_wcsicmp(dllName, szDLLName))
{
return (ULONG_PTR)hMods[i];
}
}
}
}
}
free(hMods);
}
return 0;
}
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const char* szDLLName)
{
WCHAR uniDLLName[MAX_PATH] = {0};
if(MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
{
return EngineGetModuleBaseRemote(hProcess, szDLLName);
}
else
{
return 0;
}
}
ULONG_PTR EngineGetAddressRemote(HANDLE hProcess, ULONG_PTR Address)
{
HMODULE localModuleBase = (HMODULE)EngineGetModuleBaseRemote(GetCurrentProcess(), Address);
if(localModuleBase)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, localModuleBase, szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
ULONG_PTR remoteModuleBase = EngineGetModuleBaseRemote(hProcess, dllName);
if(remoteModuleBase)
{
Address -= (ULONG_PTR)localModuleBase; //rva
return Address + remoteModuleBase;
}
}
}
}
return 0;
}
ULONG_PTR EngineGetAddressLocal(HANDLE hProcess, ULONG_PTR Address)
{
HMODULE remoteModuleBase = (HMODULE)EngineGetModuleBaseRemote(hProcess, Address);
if(remoteModuleBase)
{
wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, remoteModuleBase, szModuleName, _countof(szModuleName)))
{
wchar_t* dllName = wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
ULONG_PTR localModuleBase = EngineGetModuleBaseRemote(GetCurrentProcess(), dllName);
if(localModuleBase)
{
Address -= (ULONG_PTR)remoteModuleBase; //rva
return Address + localModuleBase;
}
}
}
}
return 0;
}
bool EngineGetAPINameRemote(HANDLE hProcess, ULONG_PTR APIAddress, char* APIName, DWORD APINameSize, DWORD* APINameSizeNeeded)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
ULONG_PTR ModuleBase = EngineGetModuleBaseRemote(hProcess, APIAddress);
if(!ModuleBase)
return false;
wchar_t szModulePath[MAX_PATH] = L"";
if(!GetModuleFileNameExW(hProcess, (HMODULE)ModuleBase, szModulePath, _countof(szModulePath)))
return false;
if(MapFileExW(szModulePath, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, 0))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
ULONG_PTR ExportDirectoryVA;
DWORD ExportDirectorySize;
ULONG_PTR ImageBase;
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
ImageBase = PEHeader32->OptionalHeader.ImageBase;
ExportDirectoryVA = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ExportDirectorySize = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
}
else //x64
{
ImageBase = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
ExportDirectoryVA = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ExportDirectorySize = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
}
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA + ImageBase, true);
if(ExportDirectory)
{
DWORD* AddrOfFunctions = (DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions + ImageBase, true);
DWORD* AddrOfNames = (DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNames + ImageBase, true);
SHORT* AddrOfNameOrdinals = (SHORT*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNameOrdinals + ImageBase, true);
if(AddrOfFunctions && AddrOfNames && AddrOfNameOrdinals)
{
unsigned int NumberOfNames = ExportDirectory->NumberOfNames;
for(unsigned int i = 0; i < NumberOfNames; i++)
{
const char* curName = (const char*)ConvertVAtoFileOffset(FileMapVA, AddrOfNames[i] + ImageBase, true);
if(!curName)
continue;
unsigned int curRva = AddrOfFunctions[AddrOfNameOrdinals[i]];
if(curRva < ExportDirectoryVA || curRva >= ExportDirectoryVA + ExportDirectorySize) //non-forwarded exports
{
if(curRva + ModuleBase == APIAddress)
{
if(APIName && APINameSize > strlen(curName))
{
strcpy(APIName, curName);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
if(APINameSizeNeeded)
{
*APINameSizeNeeded = (DWORD)strlen(curName);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
}
}
}
}
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
return false;
}
DWORD EngineGetAPIOrdinalRemote(HANDLE hProcess, ULONG_PTR APIAddress)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
ULONG_PTR ModuleBase = EngineGetModuleBaseRemote(hProcess, APIAddress);
if(!ModuleBase)
return 0;
wchar_t szModulePath[MAX_PATH] = L"";
if(!GetModuleFileNameExW(hProcess, (HMODULE)ModuleBase, szModulePath, _countof(szModulePath)))
return 0;
if(MapFileExW(szModulePath, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, 0))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
ULONG_PTR ExportDirectoryVA;
DWORD ExportDirectorySize;
ULONG_PTR ImageBase;
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
ImageBase = PEHeader32->OptionalHeader.ImageBase;
ExportDirectoryVA = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ExportDirectorySize = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
}
else //x64
{
ImageBase = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
ExportDirectoryVA = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
ExportDirectorySize = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
}
PIMAGE_EXPORT_DIRECTORY ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA + ImageBase, true);
if(ExportDirectory)
{
DWORD* AddrOfFunctions = (DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions + ImageBase, true);
if(AddrOfFunctions)
{
unsigned int NumberOfFunctions = ExportDirectory->NumberOfFunctions;
for(unsigned int i = 0, j = 0; i < NumberOfFunctions; i++)
{
unsigned int curRva = AddrOfFunctions[i];
if(!curRva)
continue;
j++; //ordinal
if(curRva < ExportDirectoryVA || curRva >= ExportDirectoryVA + ExportDirectorySize) //non-forwarded exports
{
if(curRva + ModuleBase == APIAddress)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return j;
}
}
}
}
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
return 0;
}
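Review bot: The `const char*` overload of `EngineGetModuleBaseRemote` converts the name into `uniDLLName` and then calls `EngineGetModuleBaseRemote(hProcess, szDLLName)`, which resolves to the same overload and recurses without end; it should pass `uniDLLName`, as the matching `EngineGetProcAddressRemote` overload does. Every early `return` inside the module loops (`return funcAddress + (ULONG_PTR)hMods[i]`, `return start`, `return (ULONG_PTR)hMods[i]`) skips `free(hMods)`, the `malloc` result is not checked, `cbNeeded` is already a byte count so multiplying it by `sizeof(HMODULE)` over-allocates, and `FreeLibrary(hModule)` is skipped when `GetProcAddress` fails. In `EngineGetAPINameRemote`, `AddrOfNameOrdinals[i]` is read as a signed `SHORT` and used to index `AddrOfFunctions` with no check against `NumberOfFunctions`, so a malformed export table can index outside the table; read it as `WORD` and bounds-check it. In `EngineGetAPIOrdinalRemote` the returned `j` counts non-zero entries and ignores `ExportDirectory->Base`, which should be confirmed against how callers interpret the ordinal.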

@ -0,0 +1,15 @@
#ifndef _GLOBAL_ENGINE_IMPORTER_H
#define _GLOBAL_ENGINE_IMPORTER_H
//EngineGetProcAddressRemote
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const wchar_t* szDLLName, const char* szAPIName);
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char* szDLLName, const char* szAPIName);
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress);
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName);
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const char* szDLLName);
ULONG_PTR EngineGetAddressRemote(HANDLE hProcess, ULONG_PTR APIAddress);
ULONG_PTR EngineGetAddressLocal(HANDLE hProcess, ULONG_PTR APIAddress);
bool EngineGetAPINameRemote(HANDLE hProcess, ULONG_PTR APIAddress, char* APIName, DWORD APINameSize, DWORD* APINameSizeNeeded);
DWORD EngineGetAPIOrdinalRemote(HANDLE hProcess, ULONG_PTR APIAddress);
#endif //_GLOBAL_ENGINE_IMPORTER_H

@ -0,0 +1,335 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Simplification.h"
#include "Global.Debugger.h"
// Global.Engine.Simplify
bool EngineUnpackerOptionLogData;
bool EngineUnpackerFileImporterInit;
bool EngineUnpackerOptionRealingFile;
bool EngineUnpackerOptionMoveOverlay;
bool EngineUnpackerOptionRelocationFix;
ULONG_PTR EngineUnpackerOptionUnpackedOEP;
wchar_t szEngineUnpackerInputFile[MAX_PATH];
wchar_t szEngineUnpackerOutputFile[MAX_PATH];
wchar_t szEngineUnpackerSnapShot1[MAX_PATH];
wchar_t szEngineUnpackerSnapShot2[MAX_PATH];
FILE_STATUS_INFO EngineUnpackerFileStatus = {};
LPPROCESS_INFORMATION pEngineUnpackerProcessHandle;
std::vector<UnpackerInformation> EngineUnpackerBreakInfo;
// Global.Engine.Simplification.functions:
void EngineSimplifyLoadLibraryCallBack()
{
ULONG_PTR iParameter1;
char szLogBufferData[MAX_PATH] = {};
char szReadStringData[MAX_PATH] = {};
ULONG_PTR CurrentBreakAddress = (ULONG_PTR)GetContextData(UE_CIP);
if(!EngineUnpackerFileImporterInit)
{
EngineUnpackerFileImporterInit = true;
/* broken since scylla integration but we dont care
if(EngineUnpackerFileStatus.FileIsDLL)
{
ImporterInit(50 * 1024, (ULONG_PTR)GetDebuggedDLLBaseAddress());
}
else
{
ImporterInit(50 * 1024, (ULONG_PTR)GetDebuggedFileBaseAddress());
}*/
}
for(int i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].BreakPointAddress == CurrentBreakAddress)
{
iParameter1 = (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter1);
if(EngineUnpackerBreakInfo[i].SingleBreak)
{
EngineUnpackerBreakInfo.erase(EngineUnpackerBreakInfo.begin() + i);
}
if(GetRemoteString(pEngineUnpackerProcessHandle->hProcess, (void*)iParameter1, &szReadStringData[0], MAX_PATH))
{
ImporterAddNewDll(szReadStringData, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData, "[x] LoadLibrary BPX -> %s", szReadStringData);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
break;
}
}
}
void EngineSimplifyGetProcAddressCallBack()
{
ULONG_PTR iParameter1;
char szLogBufferData[MAX_PATH] = {};
char szReadStringData[MAX_PATH] = {};
ULONG_PTR CurrentBreakAddress = (ULONG_PTR)GetContextData(UE_CIP);
for(int i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].BreakPointAddress == CurrentBreakAddress)
{
iParameter1 = (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter1);
if(EngineUnpackerBreakInfo[i].SingleBreak)
{
EngineUnpackerBreakInfo.erase(EngineUnpackerBreakInfo.begin() + i);
}
if(EngineUnpackerFileStatus.FileIsDLL)
{
if(iParameter1 > (ULONG_PTR)GetDebuggedDLLBaseAddress())
{
if(GetRemoteString(pEngineUnpackerProcessHandle->hProcess, (void*)iParameter1, &szReadStringData[0], MAX_PATH))
{
ImporterAddNewAPI(szReadStringData, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData, "[x] GetProcAddress BPX -> %s", szReadStringData);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
else
{
ImporterAddNewOrdinalAPI(iParameter1, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData, "[x] GetProcAddress BPX -> %08X", iParameter1);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
else
{
if(iParameter1 > (ULONG_PTR)GetDebuggedFileBaseAddress())
{
if(GetRemoteString(pEngineUnpackerProcessHandle->hProcess, (void*)iParameter1, &szReadStringData[0], MAX_PATH))
{
ImporterAddNewAPI(szReadStringData, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData, "[x] GetProcAddress BPX -> %s", szReadStringData);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
else
{
ImporterAddNewOrdinalAPI(iParameter1, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData, "[x] GetProcAddress BPX -> %08X", iParameter1);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
break;
}
}
}
void EngineSimplifyMakeSnapshotCallBack()
{
ULONG_PTR fdLoadedBase;
wchar_t szTempName[MAX_PATH] = {};
wchar_t szTempFolder[MAX_PATH] = {};
ULONG_PTR CurrentBreakAddress = (ULONG_PTR)GetContextData(UE_CIP);
if(EngineUnpackerFileStatus.FileIsDLL)
{
fdLoadedBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
}
else
{
fdLoadedBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
for(int i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].BreakPointAddress == CurrentBreakAddress)
{
if(EngineUnpackerBreakInfo[i].SnapShotNumber == 1)
{
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 101, szTempName))
{
lstrcpyW(szEngineUnpackerSnapShot1, szTempName);
RelocaterMakeSnapshotW(pEngineUnpackerProcessHandle->hProcess, szEngineUnpackerSnapShot1, (void*)(EngineUnpackerBreakInfo[i].Parameter1 + fdLoadedBase), EngineUnpackerBreakInfo[i].Parameter2);
}
}
}
else
{
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 201, szTempName))
{
lstrcpyW(szEngineUnpackerSnapShot2, szTempName);
RelocaterMakeSnapshotW(pEngineUnpackerProcessHandle->hProcess, szEngineUnpackerSnapShot2, (void*)(EngineUnpackerBreakInfo[i].Parameter1 + fdLoadedBase), EngineUnpackerBreakInfo[i].Parameter2);
}
}
}
return;
}
}
}
void EngineSimplifyEntryPointCallBack()
{
int i = 0;
int j = 0;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
HANDLE FileHandle;
long mImportTableOffset;
long mRelocTableOffset;
DWORD pOverlayStart;
DWORD pOverlaySize;
ULONG_PTR fdLoadedBase;
char szLogBufferData[MAX_PATH] = {};
wchar_t szTempFolder[MAX_PATH] = {};
wchar_t szTempName[MAX_PATH] = {};
__try
{
if(EngineUnpackerOptionUnpackedOEP == NULL)
{
EngineUnpackerOptionUnpackedOEP = (ULONG_PTR)GetContextData(UE_CIP);
}
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData, "[x] Entry Point at: %08X", EngineUnpackerOptionUnpackedOEP);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
if(EngineUnpackerFileStatus.FileIsDLL)
{
fdLoadedBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
RelocaterInit(100 * 1024, (ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_IMAGEBASE), fdLoadedBase);
for(i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].SnapShotNumber == 1)
{
j = i;
}
}
if(szEngineUnpackerSnapShot2[0] == 0x00)
{
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 301, szTempName))
{
lstrcpyW(szEngineUnpackerSnapShot2, szTempName);
RelocaterMakeSnapshotW(pEngineUnpackerProcessHandle->hProcess, szEngineUnpackerSnapShot2, (void*)(EngineUnpackerBreakInfo[j].Parameter1 + fdLoadedBase), EngineUnpackerBreakInfo[j].Parameter2);
}
}
}
RelocaterCompareTwoSnapshotsW(pEngineUnpackerProcessHandle->hProcess, fdLoadedBase, (ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_SIZEOFIMAGE), szEngineUnpackerSnapShot1, szEngineUnpackerSnapShot2, EngineUnpackerBreakInfo[j].Parameter1 + fdLoadedBase);
EngineUnpackerOptionRelocationFix = true;
}
else
{
fdLoadedBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
if(PastePEHeaderW(pEngineUnpackerProcessHandle->hProcess, (void*)fdLoadedBase, szEngineUnpackerInputFile))
{
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Paste PE header");
}
}
DumpProcessW(pEngineUnpackerProcessHandle->hProcess, (void*)fdLoadedBase, szEngineUnpackerOutputFile, EngineUnpackerOptionUnpackedOEP);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Process dumped!");
}
mImportTableOffset = AddNewSectionW(szEngineUnpackerOutputFile, ".TEv2", ImporterEstimatedSize() + 200) + (DWORD)fdLoadedBase;
if(EngineUnpackerOptionRelocationFix)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
mRelocTableOffset = AddNewSectionW(szEngineUnpackerOutputFile, ".TEv2", RelocaterEstimatedSize() + 200);
}
}
if(StaticFileLoadW(szEngineUnpackerOutputFile, UE_ACCESS_ALL, false, &FileHandle, &FileSize, &FileMap, &FileMapVA))
{
if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA, FileHandle))
{
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] IAT has been fixed!");
}
}
if(EngineUnpackerOptionRelocationFix)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
RelocaterExportRelocation((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mRelocTableOffset + fdLoadedBase, true), mRelocTableOffset, FileMapVA);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Exporting relocations!");
}
}
}
if(EngineUnpackerOptionRealingFile)
{
FileSize = RealignPE(FileMapVA, FileSize, 2);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Realigning file!");
}
}
StaticFileUnloadW(szEngineUnpackerOutputFile, false, FileHandle, FileSize, FileMap, FileMapVA);
MakeAllSectionsRWEW(szEngineUnpackerOutputFile);
if(EngineUnpackerFileStatus.FileIsDLL)
{
if(RelocaterChangeFileBaseW(szEngineUnpackerOutputFile, (ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_IMAGEBASE)))
{
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Rebase file image!");
}
}
}
if(EngineUnpackerOptionMoveOverlay && FindOverlayW(szEngineUnpackerInputFile, &pOverlayStart, &pOverlaySize))
{
CopyOverlayW(szEngineUnpackerInputFile, szEngineUnpackerOutputFile);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Moving overlay to unpacked file!");
}
}
StopDebug();
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[Success] File has been unpacked!");
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ForceClose();
//broken since scylla integration but we dont care
//ImporterCleanup();
if(FileMapVA > NULL)
{
StaticFileUnloadW(szEngineUnpackerOutputFile, false, FileHandle, FileSize, FileMap, FileMapVA);
}
DeleteFileW(szEngineUnpackerOutputFile);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[Fatal Unpacking Error] Please mail file you tried to unpack to ReversingLabs Corporation!");
}
}
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("-> Unpack ended...");
}
}
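Review bot: the `__except` handler in EngineSimplifyEntryPointCallBack tests `FileMapVA > NULL` and then passes FileHandle, FileSize, FileMap and FileMapVA to StaticFileUnloadW, but all four locals are declared without initializers and are only set by StaticFileLoadW. An exception raised before that call (in DumpProcessW or AddNewSectionW, for example) makes the handler unload indeterminate values. One raised after the StaticFileUnloadW inside the `__try` body unloads the same mapping a second time, because FileMapVA is never cleared. Initialize the four locals to zero and reset FileMapVA after the first unload. Separately, the GetTempFileNameW calls pass a non-zero uUnique (`GetTickCount() + 101` and similar), in which case the API neither creates the file nor checks that the name is unused, so the snapshot paths in the temp directory are predictable and can collide; passing 0 lets the API reserve a unique file.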

@ -0,0 +1,25 @@
#ifndef _GLOBAL_ENGINE_SIMPLIFICATION_H
#define _GLOBAL_ENGINE_SIMPLIFICATION_H
#include <vector>
extern bool EngineUnpackerOptionLogData;
extern bool EngineUnpackerFileImporterInit;
extern bool EngineUnpackerOptionRealingFile;
extern bool EngineUnpackerOptionMoveOverlay;
extern bool EngineUnpackerOptionRelocationFix;
extern ULONG_PTR EngineUnpackerOptionUnpackedOEP;
extern wchar_t szEngineUnpackerInputFile[MAX_PATH];
extern wchar_t szEngineUnpackerOutputFile[MAX_PATH];
extern wchar_t szEngineUnpackerSnapShot1[MAX_PATH];
extern wchar_t szEngineUnpackerSnapShot2[MAX_PATH];
extern FILE_STATUS_INFO EngineUnpackerFileStatus;
extern LPPROCESS_INFORMATION pEngineUnpackerProcessHandle;
extern std::vector<UnpackerInformation> EngineUnpackerBreakInfo;
void EngineSimplifyLoadLibraryCallBack();
void EngineSimplifyGetProcAddressCallBack();
void EngineSimplifyMakeSnapshotCallBack();
void EngineSimplifyEntryPointCallBack();
#endif //_GLOBAL_ENGINE_SIMPLIFICATION_H

@ -0,0 +1,54 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Threading.h"
CRITICAL_SECTION CriticalSectionLocker::locks[LockLast] = {};
bool CriticalSectionLocker::bInitDone = false;
void CriticalSectionLocker::Initialize()
{
if(bInitDone)
return;
for(int i = 0; i < LockLast; i++)
InitializeCriticalSection(&locks[i]);
bInitDone = true;
}
void CriticalSectionLocker::Deinitialize()
{
if(!bInitDone)
return;
for(int i = 0; i < LockLast; i++)
{
EnterCriticalSection(&locks[i]); //obtain ownership
DeleteCriticalSection(&locks[i]);
}
bInitDone = false;
}
CriticalSectionLocker::CriticalSectionLocker(CriticalSectionLock lock)
{
Initialize(); //initialize critical sections
gLock = lock;
EnterCriticalSection(&locks[gLock]);
Locked = true;
}
CriticalSectionLocker::~CriticalSectionLocker()
{
if(Locked)
LeaveCriticalSection(&locks[gLock]);
}
void CriticalSectionLocker::unlock()
{
Locked = false;
LeaveCriticalSection(&locks[gLock]);
}
void CriticalSectionLocker::relock()
{
EnterCriticalSection(&locks[gLock]);
Locked = true;
}
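Review bot: Initialize() checks and sets bInitDone with no synchronization and is called from every CriticalSectionLocker constructor, so two threads taking their first lock at the same time can both run InitializeCriticalSection over the same locks[] entries. Do the one-time setup from a single place (EngineInit, or a one-time-init primitive) instead of lazily in the constructor. Deinitialize() also enters each critical section and deletes it while still owning it, which leaves any thread waiting on that lock in an undefined state, and unlock() calls LeaveCriticalSection without checking Locked, so a second unlock() releases a lock the object no longer holds.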

@ -0,0 +1,35 @@
#ifndef _GLOBAL_ENGINE_THREADING_H
#define _GLOBAL_ENGINE_THREADING_H
#define GetSTInTOPStackFromStatusWord(StatusWord) ((StatusWord & 0x3800) >> 11)
#define Getx87r0PositionInRegisterArea(STInTopStack) ((8 - STInTopStack) % 8)
#define Calculatex87registerPositionInRegisterArea(x87r0_position, index) (((x87r0_position + index) % 8))
#define GetRegisterAreaOf87register(register_area, x87r0_position, index) (((char *) register_area) + 10 * Calculatex87registerPositionInRegisterArea(x87r0_position, index) )
#define GetSTValueFromIndex(x87r0_position, index) ((x87r0_position + index) % 8)
enum CriticalSectionLock
{
LockBreakPointBuffer,
LockMemoryProtection,
LockLast
};
class CriticalSectionLocker
{
public:
static void Deinitialize();
CriticalSectionLocker(CriticalSectionLock lock);
~CriticalSectionLocker();
void unlock();
void relock();
private:
static void Initialize();
static bool bInitDone;
static CRITICAL_SECTION locks[LockLast];
CriticalSectionLock gLock;
bool Locked;
};
#endif //_GLOBAL_ENGINE_THREADING_H
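Review bot: CriticalSectionLocker releases the lock in its destructor but leaves the implicit copy constructor and assignment operator available, so an accidental copy ends with two destructors calling LeaveCriticalSection for one EnterCriticalSection. Declare both private and unimplemented (or deleted) to make the guard non-copyable. The x87 macros at the top also use their arguments unparenthesized, as in `((StatusWord & 0x3800) >> 11)` and `((8 - STInTopStack) % 8)`, so passing an expression changes the result; wrap each parameter in parentheses.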

File diff suppressed because it is too large

@ -0,0 +1,61 @@
#ifndef _GLOBAL_ENGINE_H
#define _GLOBAL_ENGINE_H
#include <vector>
//Global.Engine.Variables
extern HMODULE engineHandle;
extern LPVOID engineExitThreadOneShootCallBack;
extern LPVOID engineDependencyFiles;
extern LPVOID engineDependencyFilesCWP;
extern void* EngineStartUnpackingCallBack;
extern bool engineAlowModuleLoading;
extern bool engineCheckForwarders;
extern bool engineBackupForCriticalFunctions;
extern bool engineResumeProcessIfNoThreadIsActive;
extern bool engineResetCustomHandler;
extern bool engineRemoveConsoleForDebugee;
extern bool enginePassAllExceptions;
extern bool engineAutoHideFromDebugger;
extern bool engineEnableDebugPrivilege;
extern bool engineSafeAttach;
extern bool engineMembpAlt;
extern bool engineDisableAslr;
extern bool engineSafeStep;
//Global.Engine.Functions
void EngineInit();
bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister);
bool EngineFileExists(char* szFileName);
void EngineCreatePathForFile(char* szFileName);
void EngineCreatePathForFileW(wchar_t* szFileName);
wchar_t* EngineExtractFileNameW(wchar_t* szFileName);
bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr);
int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr);
bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2);
ULONG_PTR EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA);
bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName);
bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory);
bool EngineExtractResource(const char* szResourceName, wchar_t* szExtractedFileName);
bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder);
bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder);
bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize);
bool EngineGetDependencyLocationW(wchar_t* szFileName, wchar_t* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize);
long EngineHashString(char* szStringToHash);
long EngineHashMemory(char* MemoryAddress, int MemorySize, DWORD InitialHashValue);
bool EngineIsValidReadPtrEx(LPVOID DataPointer, DWORD DataSize);
bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName, LONG_PTR lParam);
bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile);
ULONG_PTR EngineSimulateNtLoaderW(wchar_t* szFileName);
ULONG_PTR EngineSimulateNtLoader(char* szFileName);
ULONG_PTR EngineSimulateDllLoader(HANDLE hProcess, char* szFileName);
ULONG_PTR EngineSimulateDllLoaderW(HANDLE hProcess, wchar_t* szFileName);
ULONG_PTR EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType);
DWORD EngineSetDebugPrivilege(HANDLE hProcess, bool bEnablePrivilege);
HANDLE EngineOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId);
HANDLE EngineOpenThread(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwThreadId);
#endif //_GLOBAL_ENGINE_H
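Review bot: several declarations here take output buffers with no size, for example `EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName)` and `EngineExtractResource(const char* szResourceName, wchar_t* szExtractedFileName)`, while EngineGetDependencyLocation and its W variant already carry a MaxStringSize. Add a length parameter to the others so the callee can bound its writes, and type the string outputs as char* or wchar_t* rather than LPVOID. Input-only names such as the szFileName arguments could be const. The header also relies on the includer for HMODULE, ULONG_PTR and the other Windows types, and the `#include <vector>` is not used by anything declared in it.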

@ -0,0 +1,25 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Garbage.h"
#include "Global.Handle.h"
#include "Global.Engine.h"
// Global.Garbage.functions:
bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize)
{
return false;
}
bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder)
{
return false;
}
bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize)
{
return false;
}
void EmptyGarbage()
{
}
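Review bot: CreateGarbageItem, RemoveGarbageItem and FillGarbageItem are stubs that return false without touching their output buffers, and EmptyGarbage is empty, but nothing in the file says so. Add a comment stating that the garbage-folder feature is intentionally disabled and that outGargabeItem is left unwritten, so callers know they must not read the buffer after a false return. The includes of Global.Handle.h and Global.Engine.h are unused by these bodies.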

@ -0,0 +1,10 @@
#ifndef _GLOBAL_GARBAGE_H
#define _GLOBAL_GARBAGE_H
// Global.Garbage.functions:
bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize);
bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder);
bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize);
void EmptyGarbage();
#endif //_GLOBAL_GARBAGE_H

@ -0,0 +1,12 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Handle.h"
// Global.Handle.functions:
bool EngineCloseHandle(HANDLE myHandle)
{
DWORD HandleFlags;
if(GetHandleInformation(myHandle, &HandleFlags) && (HandleFlags & HANDLE_FLAG_PROTECT_FROM_CLOSE) != HANDLE_FLAG_PROTECT_FROM_CLOSE)
return !!CloseHandle(myHandle);
return false;
}

@ -0,0 +1,6 @@
#ifndef _GLOBAL_HANDLE_H
#define _GLOBAL_HANDLE_H
bool EngineCloseHandle(HANDLE myHandle);
#endif //_GLOBAL_HANDLE_H

@ -0,0 +1,40 @@
#include "stdafx.h"
#include "Global.Helper.h"
bool IsStrEqual(const char* const a, const char* const b, bool considercase/*=true*/)
{
const int stringlen = (int)std::strlen(a);
if(stringlen != std::strlen(b))
return false; //cheap
if(considercase)
{
//plain old strcmp
return std::strcmp(a, b) == 0;
}
else
{
for(int i = 0; i < stringlen; i++)
{
if(tolower(a[i]) != tolower(b[i]))
return false;
}
return true;
}
}
void* MemAlloc(size_t sz)
{
void* r = malloc(sz);
if(r)
memset(r, 0, sz);
return r;
}
void MemFree(void* mem)
{
free(mem);
}
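Review bot: in the case-insensitive branch of IsStrEqual, `tolower(a[i])` and `tolower(b[i])` receive a plain char, which is negative for bytes above 0x7F where char is signed, and passing such a value to tolower is undefined; cast to unsigned char first. The length check compares an int (`stringlen`) against the size_t returned by std::strlen, and neither pointer is checked for NULL before the first strlen. The file also relies on stdafx.h for the declarations of strlen, tolower, malloc and memset.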

@ -0,0 +1,98 @@
#ifndef Helper_h__
#define Helper_h__
#include <string>
#include <vector>
/*
Compares two strings
a : string 1
b : string 2
considercase : casesensitivity
*/
bool IsStrEqual(const char* const a, const char* const b, bool considercase = true);
/*
A basic dynamic buffer, exception free.
*/
class DynBuf
{
public:
DynBuf(size_t sz = 0)
{
Allocate(sz);
}
typedef std::vector<char> DynBufVec;
void* Allocate(size_t sz)
{
void* r = NULL;
try
{
if(Size() < sz)
mem.resize(sz);
if(Size())
r = GetPtr();
if(r && sz)
memset(r, 0, sz);
}
catch(...)
{
}
return r;
}
void* GetPtr()
{
if(Size())
return &mem.front(); //in c++11: .data()
return NULL;
}
void Free()
{
mem.clear();
}
DynBufVec & GetVector()
{
return mem;
}
const DynBufVec & GetVector() const
{
return mem;
}
size_t Size() const
{
return mem.size();
}
protected:
char & operator[](std::size_t idx)
{
return mem[idx];
};
const char & operator[](std::size_t idx) const
{
return mem[idx];
};
DynBufVec mem;
};
//Unused malloc/free wrappers
/*
malloc wrapper
*/
void* MemAlloc(size_t sz);
/*
free wrapper
*/
void MemFree(void* mem);
#endif // Helper_h__
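Review bot: DynBuf::Allocate only grows the vector (`if(Size() < sz) mem.resize(sz);`) and then zeroes the first sz bytes, so a call with a smaller sz than before leaves the old contents in place past sz while Size() still reports the larger length. Callers that treat Size() as the length of the new data will read stale bytes. Either resize to exactly sz on every call or document that the buffer never shrinks. Free() uses `mem.clear()`, which keeps the capacity allocated; the swap idiom used by ClearLibraryList elsewhere in this change would actually release it. The `catch(...)` swallows a failed resize silently, so callers must check the returned pointer for NULL, which is worth stating in the class comment.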

@ -0,0 +1,150 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Injector.h"
HANDLE engineReservedMemoryProcess = NULL;
ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT];
long injectedRemoteLoadLibrary(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectCodeData));
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI * fLoadLibraryW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#else
typedef ULONG_PTR(__fastcall * fLoadLibraryW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(__fastcall * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#endif
fLoadLibraryW cLoadLibraryW = (fLoadLibraryW)(APIData->fLoadLibrary);
fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree);
long retValue = NULL;
if(cLoadLibraryW((LPCWSTR)Parameter) != NULL)
{
retValue++;
}
cVirtualFree(Parameter, NULL, MEM_RELEASE);
return(retValue);
}
long injectedRemoteFreeLibrary(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase);
typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#else
typedef ULONG_PTR(__fastcall * fFreeLibrary)(HMODULE fLibBase);
typedef ULONG_PTR(__fastcall * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#endif
fFreeLibrary cFreeLibrary = (fFreeLibrary)(APIData->fFreeLibrary);
fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree);
long retValue = NULL;
if(cFreeLibrary(APIData->fFreeLibraryHandle))
{
retValue++;
}
cVirtualFree(Parameter, NULL, MEM_RELEASE);
return(retValue);
}
long injectedRemoteFreeLibrarySimple(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
LPVOID orgParameter = Parameter;
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectCodeData));
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase);
typedef HMODULE(WINAPI * fGetModuleHandleW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#else
typedef ULONG_PTR(__fastcall * fFreeLibrary)(HMODULE fLibBase);
typedef HMODULE(__fastcall * fGetModuleHandleW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(__fastcall * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#endif
fGetModuleHandleW cGetModuleHandleW = (fGetModuleHandleW)(APIData->fGetModuleHandle);
fFreeLibrary cFreeLibrary = (fFreeLibrary)(APIData->fFreeLibrary);
fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree);
long retValue = NULL;
HMODULE hModule;
hModule = cGetModuleHandleW((LPCWSTR)Parameter);
if(hModule != NULL)
{
if(cFreeLibrary(hModule))
{
retValue++;
}
}
else
{
retValue++;
}
cVirtualFree(orgParameter, NULL, MEM_RELEASE);
return(retValue);
}
long injectedExitProcess(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI * fExitProcess)(DWORD fExitCode);
#else
typedef ULONG_PTR(__fastcall * fExitProcess)(DWORD fExitCode);
#endif
fExitProcess cExitProcess = (fExitProcess)(APIData->fExitProcess);
long retValue = NULL;
cExitProcess(APIData->fExitProcessCode);
return(NULL);
}
void injectedTerminator()
{
int i;
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] != NULL)
{
VirtualFreeEx(engineReservedMemoryProcess, (LPVOID)engineReservedMemoryLeft[i], NULL, MEM_RELEASE);
engineReservedMemoryLeft[i] = NULL;
}
}
}
// Global.Injector.functions: {DO NOT REORDER! USE ONLY IN RELEASE MODE!}
long injectedImpRec(LPVOID Parameter)
{
HANDLE hFile;
HANDLE hFileMap;
PInjectImpRecCodeData APIData = (PInjectImpRecCodeData)Parameter;
LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectImpRecCodeData));
typedef ULONG_PTR(__cdecl * fTrace)(HANDLE hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall);
typedef HANDLE(WINAPI * fCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef HANDLE(WINAPI * fCreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName);
typedef BOOL(__cdecl * fCloseHandle)(HANDLE hHandle);
fTrace cTrace = (fTrace)(APIData->fTrace);
fCreateFileW cCreateFileW = (fCreateFileW)(APIData->fCreateFileA);
fCloseHandle cCloseHandle = (fCloseHandle)(APIData->fCloseHandle);
fCreateFileMappingA cCreateFileMappingA = (fCreateFileMappingA)(APIData->fCreateFileMappingA);
hFile = cCreateFileW((LPCWSTR)szFileName, GENERIC_READ + GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
hFileMap = cCreateFileMappingA(hFile, NULL, 4, NULL, 0x100, NULL);
cTrace(hFileMap, 0x100, -1, (DWORD)APIData->AddressToTrace, NULL);
cCloseHandle(hFile);
return(1);
}
else
{
return(0);
}
}
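Review bot: injectedRemoteLoadLibrary advances Parameter by sizeof(InjectCodeData) and then calls `cVirtualFree(Parameter, NULL, MEM_RELEASE)` with the advanced pointer. MEM_RELEASE requires the base address of the allocation, so, assuming the block starts at the InjectCodeData header as the orgParameter handling in injectedRemoteFreeLibrarySimple implies, this call fails and the block is never released. Keep the original pointer and free that, as the Simple variant does. In injectedImpRec, cCreateFileW is typed as CreateFileW but assigned from `APIData->fCreateFileA`, the handle returned by cCreateFileMappingA is neither checked for NULL nor closed, and fCloseHandle is declared `__cdecl` while the other API typedefs use WINAPI; these should be made consistent or commented if intentional.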

@ -0,0 +1,14 @@
#ifndef _GLOBAL_INJECTOR_H
#define _GLOBAL_INJECTOR_H
extern HANDLE engineReservedMemoryProcess;
extern ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT];
long injectedRemoteLoadLibrary(LPVOID Parameter);
long injectedRemoteFreeLibrary(LPVOID Parameter);
long injectedRemoteFreeLibrarySimple(LPVOID Parameter);
long injectedExitProcess(LPVOID Parameter);
void injectedTerminator();
long injectedImpRec(LPVOID Parameter);
#endif //_GLOBAL_INJECTOR_H

@ -0,0 +1,12 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Librarian.h"
// Global.Engine.Librarian:
std::vector<LIBRARY_ITEM_DATAW> hListLibrary;
std::vector<LIBRARY_BREAK_DATA> LibrarianData;
void ClearLibraryList()
{
std::vector<LIBRARY_ITEM_DATAW>().swap(hListLibrary);
}

@ -0,0 +1,11 @@
#ifndef _GLOBAL_LIBRARIAN_H
#define _GLOBAL_LIBRARIAN_H
#include <vector>
extern std::vector<LIBRARY_ITEM_DATAW> hListLibrary;
extern std::vector<LIBRARY_BREAK_DATA> LibrarianData;
void ClearLibraryList();
#endif //_GLOBAL_LIBRARIAN_H

@ -0,0 +1,138 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Handle.h"
// Global.Mapping.functions:
bool MapFileEx(const char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier)
{
DWORD FileAccess = 0;
DWORD FileMapType = 0;
DWORD FileMapViewType = 0;
if(ReadOrWrite == UE_ACCESS_READ)
{
FileAccess = GENERIC_READ;
FileMapType = PAGE_READONLY;
FileMapViewType = FILE_MAP_READ;
}
else if(ReadOrWrite == UE_ACCESS_WRITE)
{
FileAccess = GENERIC_WRITE;
FileMapType = PAGE_READWRITE;
FileMapViewType = FILE_MAP_WRITE;
}
else if(ReadOrWrite == UE_ACCESS_ALL)
{
FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE;
FileMapType = PAGE_EXECUTE_READWRITE;
FileMapViewType = FILE_MAP_WRITE;
}
else
{
FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE;
FileMapType = PAGE_EXECUTE_READWRITE;
FileMapViewType = FILE_MAP_ALL_ACCESS;
}
HANDLE hFile = CreateFileA(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
*FileHandle = hFile;
DWORD mfFileSize = GetFileSize(hFile, NULL);
mfFileSize = mfFileSize + SizeModifier;
*FileSize = mfFileSize;
HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL);
if(mfFileMap != NULL)
{
*FileMap = mfFileMap;
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
if(mfFileMapVA != NULL)
{
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof(ULONG_PTR));
return true;
}
}
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
*FileHandle = NULL;
*FileSize = NULL;
EngineCloseHandle(hFile);
}
else
{
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
}
return false;
}
bool MapFileExW(const wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier)
{
DWORD FileAccess = 0;
DWORD FileMapType = 0;
DWORD FileMapViewType = 0;
if(ReadOrWrite == UE_ACCESS_READ)
{
FileAccess = GENERIC_READ;
FileMapType = PAGE_READONLY;
FileMapViewType = FILE_MAP_READ;
}
else if(ReadOrWrite == UE_ACCESS_WRITE)
{
FileAccess = GENERIC_WRITE;
FileMapType = PAGE_READWRITE;
FileMapViewType = FILE_MAP_WRITE;
}
else if(ReadOrWrite == UE_ACCESS_ALL)
{
FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE;
FileMapType = PAGE_EXECUTE_READWRITE;
FileMapViewType = FILE_MAP_WRITE;
}
else
{
FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE;
FileMapType = PAGE_EXECUTE_READWRITE;
FileMapViewType = FILE_MAP_ALL_ACCESS;
}
HANDLE hFile = CreateFileW(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
*FileHandle = hFile;
DWORD mfFileSize = GetFileSize(hFile, NULL);
mfFileSize = mfFileSize + SizeModifier;
*FileSize = mfFileSize;
HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL);
if(mfFileMap != NULL)
{
*FileMap = mfFileMap;
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
if(mfFileMapVA != NULL)
{
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof(ULONG_PTR));
return true;
}
}
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
*FileHandle = NULL;
*FileSize = NULL;
EngineCloseHandle(hFile);
}
else
{
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
}
return false;
}
void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR FileMapVA)
{
if(UnmapViewOfFile((void*)FileMapVA))
{
EngineCloseHandle(FileMap);
SetFilePointer(FileHandle, FileSize, NULL, FILE_BEGIN);
SetEndOfFile(FileHandle);
EngineCloseHandle(FileHandle);
}
}
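Review bot: when CreateFileMappingA succeeds but MapViewOfFile returns NULL, MapFileEx and MapFileExW fall through to cleanup that closes only hFile, so mfFileMap is leaked and *FileMap still holds it while *FileHandle and *FileSize are reset. Close mfFileMap and clear *FileMap on that path. The size comes from `GetFileSize(hFile, NULL)` with no check for INVALID_FILE_SIZE and then has SizeModifier added in a DWORD, so a failed query or a wrap-around is passed to CreateFileMappingA as the mapping size; validate it before use. UnMapFileEx closes the handles only if UnmapViewOfFile succeeds, which leaks both on failure. The two Map functions are identical apart from the CreateFile call and could share one implementation.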

@ -0,0 +1,8 @@
#ifndef _GLOBAL_MAPPING_H
#define _GLOBAL_MAPPING_H
bool MapFileEx(const char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier);
bool MapFileExW(const wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier);
void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR FileMapVA);
#endif //_GLOBAL_MAPPING_H

@ -0,0 +1,295 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.OEPFinder.h"
#include "Global.Engine.h"
#include "Global.Breakpoints.h"
#include "Global.Debugger.h"
#include "Global.Mapping.h"
#include "Global.Handle.h"
GenericOEPTracerData glbEntryTracerData = {};
// Global.FindOEP.functions:
void GenericOEPVirtualProtectHit()
{
MEMORY_BASIC_INFORMATION MemInfo;
DWORD MaximumBreakPoints = 0;
DWORD NewProtect = 0;
DWORD OldProtect = 0;
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
BreakPointDetail curDetail = BreakPointBuffer.at(i);
if(curDetail.BreakPointType == UE_MEMORY && curDetail.BreakPointActive == UE_BPXACTIVE)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
if(!(OldProtect & PAGE_GUARD))
{
NewProtect = OldProtect ^ PAGE_GUARD;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, curDetail.BreakPointSize, NewProtect, &OldProtect);
}
}
MaximumBreakPoints++;
}
}
void GenericOEPTraceHit()
{
char* szInstructionType;
typedef void(TITCALL * fEPCallBack)();
fEPCallBack myEPCallBack = ObjectPointerToCallback<fEPCallBack>(glbEntryTracerData.EPCallBack);
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
glbEntryTracerData.MemoryAccessed = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[1];
glbEntryTracerData.AccessType = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[0];
szInstructionType = (char*)DisassembleEx(dbgProcessInformation.hProcess, (void*)glbEntryTracerData.MemoryAccessedFrom, true);
StepInto(CallbackToObjectPointer(&GenericOEPTraceHited));
}
void GenericOEPTraceHited()
{
int i;
//void* lpHashBuffer;
char lpHashBuffer[0x1000] = {0};
bool FakeEPDetected = false;
ULONG_PTR NumberOfBytesRW;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
typedef void(TITCALL * fEPCallBack)();
fEPCallBack myEPCallBack = ObjectPointerToCallback<fEPCallBack>(glbEntryTracerData.EPCallBack);
PMEMORY_COMPARE_HANDLER myCmpHandler;
ULONG_PTR memBpxAddress;
ULONG_PTR memBpxSize;
DWORD originalHash;
DWORD currentHash;
if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP)
{
if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage)
{
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
{
if(glbEntryTracerData.AccessType == 1)
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
{
if(i != glbEntryTracerData.OriginalEntryPointNum)
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer);
memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress;
if(memBpxSize > sizeof(lpHashBuffer))
{
memBpxSize = sizeof(lpHashBuffer);
}
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW))
{
currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL);
originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL);
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW))
{
myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer);
if(myCmpHandler->Array.bArrayEntry[0] == 0xC3) // RET
{
FakeEPDetected = true;
}
else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3) // XOR EAX,EAX; RET
{
FakeEPDetected = true;
}
}
if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false)
{
__try
{
if(glbEntryTracerData.EPCallBack != NULL)
{
glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP);
SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom);
DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND);
RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
myEPCallBack();
SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer);
}
else
{
StopDebug();
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
StopDebug();
}
}
}
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
}
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
}
}
}
}
else
{
StopDebug();
}
}
void GenericOEPLibraryDetailsHit()
{
int i;
bool memBreakPointSet = false;
char szModuleName[2 * MAX_PATH] = {};
#if !defined(_WIN64)
int inReg = UE_EAX;
#else
int inReg = UE_RAX;
#endif
if(GetModuleBaseNameA(dbgProcessInformation.hProcess, (HMODULE)GetContextData(inReg), szModuleName, sizeof(szModuleName)) > NULL)
{
if(lstrcmpiA(szModuleName, "kernel32.dll") != NULL)
{
if(glbEntryTracerData.FileIsDLL)
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
}
else
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
if(glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_MEM_EXECUTE || glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_CNT_CODE)
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
memBreakPointSet = true;
}
}
if(!memBreakPointSet)
{
StopDebug();
}
else
{
DeleteAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_APIEND);
DeleteAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_APIEND);
}
}
}
}
void GenericOEPTraceInit()
{
int i;
void* lpHashBuffer;
ULONG_PTR NumberOfBytesRW;
typedef void(TITCALL * fInitCallBack)();
fInitCallBack myInitCallBack = ObjectPointerToCallback<fInitCallBack>(glbEntryTracerData.InitCallBack);
if(glbEntryTracerData.FileIsDLL)
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
}
else
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
lpHashBuffer = VirtualAlloc(NULL, glbEntryTracerData.SectionData[i].SectionVirtualSize, MEM_COMMIT, PAGE_READWRITE);
if(lpHashBuffer != NULL)
{
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), lpHashBuffer, glbEntryTracerData.SectionData[i].SectionVirtualSize, &NumberOfBytesRW))
{
glbEntryTracerData.SectionData[i].AllocatedSection = lpHashBuffer;
}
}
}
SetAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPVirtualProtectHit));
SetAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPLibraryDetailsHit));
SetAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPLibraryDetailsHit));
if(glbEntryTracerData.InitCallBack != NULL)
{
__try
{
myInitCallBack();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
StopDebug();
}
}
}
bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack)
{
int i;
#if defined(_WIN64)
PE64Struct PEStruct = {};
#else
PE32Struct PEStruct = {};
#endif
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
if(GetPE32DataFromMappedFileEx(FileMapVA, &PEStruct))
{
RtlZeroMemory(&glbEntryTracerData, sizeof(GenericOEPTracerData));
glbEntryTracerData.OriginalImageBase = PEStruct.ImageBase;
glbEntryTracerData.OriginalEntryPoint = PEStruct.OriginalEntryPoint;
glbEntryTracerData.SizeOfImage = PEStruct.NtSizeOfImage;
glbEntryTracerData.SectionNumber = PEStruct.SectionNumber;
glbEntryTracerData.FileIsDLL = IsFileDLL(NULL, FileMapVA);
glbEntryTracerData.OriginalEntryPointNum = GetPE32SectionNumberFromVA(FileMapVA, glbEntryTracerData.OriginalImageBase + glbEntryTracerData.OriginalEntryPoint);
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
glbEntryTracerData.SectionData[i].SectionVirtualOffset = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONVIRTUALOFFSET);
glbEntryTracerData.SectionData[i].SectionVirtualSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONVIRTUALSIZE);
if(glbEntryTracerData.SectionData[i].SectionVirtualSize % 0x1000 != 0) //SectionAlignment, the default value is the page size for the system.
{
glbEntryTracerData.SectionData[i].SectionVirtualSize = ((glbEntryTracerData.SectionData[i].SectionVirtualSize / 0x1000) + 1) * 0x1000;
}
glbEntryTracerData.SectionData[i].SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONFLAGS);
}
glbEntryTracerData.EPCallBack = CallBack;
glbEntryTracerData.InitCallBack = TraceInitCallBack;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(glbEntryTracerData.FileIsDLL)
{
return false;
}
else
{
return true;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
}
return false;
}
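Review bot: In GenericOEPFileInitW, SectionNumber is copied straight from the parsed PE header and then used as the loop bound for writes to glbEntryTracerData.SectionData[i], and nothing in the function checks it against the capacity of that array. The header comes from the file under analysis, so reject or clamp SectionNumber before the loop. Separately, in GenericOEPTraceInit the buffer returned by VirtualAlloc is only stored when ReadProcessMemory succeeds, so it leaks on the failure path; release it with VirtualFree there. In GenericOEPLibraryDetailsHit, GetModuleBaseNameA(...) > NULL and lstrcmpiA(...) != NULL compare integers against NULL and should compare against 0.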

@ -0,0 +1,13 @@
#ifndef _GLOBAL_OEPFINDER_H
#define _GLOBAL_OEPFINDER_H
extern GenericOEPTracerData glbEntryTracerData;
void GenericOEPVirtualProtectHit();
void GenericOEPTraceHit();
void GenericOEPTraceHited();
void GenericOEPLibraryDetailsHit();
void GenericOEPTraceInit();
bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
#endif //_GLOBAL_OEPFINDER_H
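Review bot: The include guard _GLOBAL_OEPFINDER_H starts with an underscore followed by an uppercase letter, which is an identifier reserved for the implementation in C and C++; rename it (for example GLOBAL_OEPFINDER_H). The same applies to the _GLOBAL_REALIGNER_H, _GLOBAL_TLS_H and _GLOBAL_THREADER_H guards in the other new headers. This header also uses GenericOEPTracerData and LPVOID without including anything that declares them, so it only compiles when the including file has already pulled in those declarations; include the defining header here so it is self-contained.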

@ -0,0 +1,23 @@
#include "stdafx.h"
#include "Global.Realigner.h"
// Global.Realigner.functions:
void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical)
{
if(myFileInfo->OveralEvaluation == UE_RESULT_FILE_OK || myFileInfo->OveralEvaluation == UE_RESULT_FILE_INVALID_BUT_FIXABLE)
{
if(FiledStatus == UE_FIELD_FIXABLE_CRITICAL || FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE || FiledStatus == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED)
{
myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE;
}
else if(FiledStatus == UE_FIELD_BROKEN_NON_FIXABLE && FiledCritical == true)
{
myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_AND_NON_FIXABLE;
}
else if(FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE)
{
myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE;
}
}
}
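Review bot: The last branch in SetOverallFileStatus, else if(FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE), is unreachable, because the first if already matches UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE and assigns the same UE_RESULT_FILE_INVALID_BUT_FIXABLE result. Drop the dead branch, or fix the comparison if a different status constant was intended there.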

@ -0,0 +1,6 @@
#ifndef _GLOBAL_REALIGNER_H
#define _GLOBAL_REALIGNER_H
void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical);
#endif //_GLOBAL_REALIGNER_H

@ -0,0 +1,11 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.TLS.h"
ULONG_PTR engineTLSBreakOnCallBackAddress;
bool engineTLSBreakOnCallBack = false;
void ClearTlsVector(std::vector<ULONG_PTR>* vec)
{
std::vector<ULONG_PTR>().swap(*vec);
}
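Review bot: ClearTlsVector dereferences vec unconditionally, so a null argument crashes inside the swap; take the vector by reference (std::vector<ULONG_PTR>& vec) or check the pointer first. engineTLSBreakOnCallBackAddress also has no explicit initializer while the flag declared next to it does; initialize it to 0 so both globals read the same way.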

TitanEngine/Global.TLS.h Normal file

@ -0,0 +1,11 @@
#ifndef _GLOBAL_TLS_H
#define _GLOBAL_TLS_H
#include <vector>
extern ULONG_PTR engineTLSBreakOnCallBackAddress;
extern bool engineTLSBreakOnCallBack;
void ClearTlsVector(std::vector<ULONG_PTR>* vec);
#endif //_GLOBAL_TLS_H

@ -0,0 +1,10 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Threader.h"
std::vector<THREAD_ITEM_DATA> hListThread;
void ClearThreadList()
{
std::vector<THREAD_ITEM_DATA>().swap(hListThread);
}

@ -0,0 +1,10 @@
#ifndef _GLOBAL_THREADER_H
#define _GLOBAL_THREADER_H
#include <vector>
extern std::vector<THREAD_ITEM_DATA> hListThread;
void ClearThreadList();
#endif //_GLOBAL_THREADER_H

Binary file not shown.

@ -135,9 +135,9 @@ Out:
= kMatchSpecLenStart + 2 : State Init Marker
*/
static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte *bufLimit)
static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec* p, SizeT limit, const Byte* bufLimit)
{
CLzmaProb *probs = p->probs;
CLzmaProb* probs = p->probs;
unsigned state = p->state;
UInt32 rep0 = p->reps[0], rep1 = p->reps[1], rep2 = p->reps[2], rep3 = p->reps[3];
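Review bot: Consider excluding the LZMA decoder sources from the project formatter. The changes to LzmaDec_DecodeReal here are whitespace only (CLzmaDec *p to CLzmaDec* p, CLzmaProb *probs to CLzmaProb* probs), and restyling third-party LZMA SDK code makes later diffs against upstream noisy and makes a functional change to the decoder harder to spot in review.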
@ -145,7 +145,7 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
unsigned lpMask = ((unsigned)1 << (p->prop.lp)) - 1;
unsigned lc = p->prop.lc;
Byte *dic = p->dic;
Byte* dic = p->dic;
SizeT dicBufSize = p->dicBufSize;
SizeT dicPos = p->dicPos;
@ -153,13 +153,13 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
UInt32 checkDicSize = p->checkDicSize;
unsigned len = 0;
const Byte *buf = p->buf;
const Byte* buf = p->buf;
UInt32 range = p->range;
UInt32 code = p->code;
do
{
CLzmaProb *prob;
CLzmaProb* prob;
UInt32 bound;
unsigned ttt;
unsigned posState = processedPos & pbMask;
@ -170,18 +170,18 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
unsigned symbol;
UPDATE_0(prob);
prob = probs + Literal;
if (checkDicSize != 0 || processedPos != 0)
if(checkDicSize != 0 || processedPos != 0)
prob += (LZMA_LIT_SIZE * (((processedPos & lpMask) << lc) +
(dic[(dicPos == 0 ? dicBufSize : dicPos) - 1] >> (8 - lc))));
if (state < kNumLitStates)
if(state < kNumLitStates)
{
symbol = 1;
do
{
GET_BIT(prob + symbol, symbol)
}
while (symbol < 0x100);
while(symbol < 0x100);
}
else
{
@ -191,13 +191,13 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
do
{
unsigned bit;
CLzmaProb *probLit;
CLzmaProb* probLit;
matchByte <<= 1;
bit = (matchByte & offs);
probLit = prob + offs + bit + symbol;
GET_BIT2(probLit, symbol, offs &= ~bit, offs &= bit)
}
while (symbol < 0x100);
while(symbol < 0x100);
}
dic[dicPos++] = (Byte)symbol;
processedPos++;
@ -219,7 +219,7 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
else
{
UPDATE_1(prob);
if (checkDicSize == 0 && processedPos == 0)
if(checkDicSize == 0 && processedPos == 0)
return SZ_ERROR_DATA;
prob = probs + IsRepG0 + state;
IF_BIT_0(prob)
@ -272,7 +272,7 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
}
{
unsigned limit, offset;
CLzmaProb *probLen = prob + LenChoice;
CLzmaProb* probLen = prob + LenChoice;
IF_BIT_0(probLen)
{
UPDATE_0(probLen);
@ -303,18 +303,18 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
len += offset;
}
if (state >= kNumStates)
if(state >= kNumStates)
{
UInt32 distance;
prob = probs + PosSlot +
((len < kNumLenToPosStates ? len : kNumLenToPosStates - 1) << kNumPosSlotBits);
TREE_6_DECODE(prob, distance);
if (distance >= kStartPosModelIndex)
if(distance >= kStartPosModelIndex)
{
unsigned posSlot = (unsigned)distance;
int numDirectBits = (int)(((distance >> 1) - 1));
distance = (2 | (distance & 1));
if (posSlot < kEndPosModelIndex)
if(posSlot < kEndPosModelIndex)
{
distance <<= numDirectBits;
prob = probs + SpecPos + distance - posSlot - 1;
@ -323,10 +323,10 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
unsigned i = 1;
do
{
GET_BIT2(prob + i, i, ; , distance |= mask);
GET_BIT2(prob + i, i, ;, distance |= mask);
mask <<= 1;
}
while (--numDirectBits != 0);
while(--numDirectBits != 0);
}
}
else
@ -353,17 +353,17 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
}
*/
}
while (--numDirectBits != 0);
while(--numDirectBits != 0);
prob = probs + Align;
distance <<= kNumAlignBits;
{
unsigned i = 1;
GET_BIT2(prob + i, i, ; , distance |= 1);
GET_BIT2(prob + i, i, ; , distance |= 2);
GET_BIT2(prob + i, i, ; , distance |= 4);
GET_BIT2(prob + i, i, ; , distance |= 8);
GET_BIT2(prob + i, i, ;, distance |= 1);
GET_BIT2(prob + i, i, ;, distance |= 2);
GET_BIT2(prob + i, i, ;, distance |= 4);
GET_BIT2(prob + i, i, ;, distance |= 8);
}
if (distance == (UInt32)0xFFFFFFFF)
if(distance == (UInt32)0xFFFFFFFF)
{
len += kMatchSpecLenStart;
state -= kNumStates;
@ -375,12 +375,12 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
rep2 = rep1;
rep1 = rep0;
rep0 = distance + 1;
if (checkDicSize == 0)
if(checkDicSize == 0)
{
if (distance >= processedPos)
if(distance >= processedPos)
return SZ_ERROR_DATA;
}
else if (distance >= checkDicSize)
else if(distance >= checkDicSize)
return SZ_ERROR_DATA;
state = (state < kNumStates + kNumLitStates) ? kNumLitStates : kNumLitStates + 3;
/* state = kLiteralNextStates[state]; */
@ -388,7 +388,7 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
len += kMatchMinLen;
if (limit == dicPos)
if(limit == dicPos)
return SZ_ERROR_DATA;
{
SizeT rem = limit - dicPos;
@ -398,30 +398,30 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
processedPos += curLen;
len -= curLen;
if (pos + curLen <= dicBufSize)
if(pos + curLen <= dicBufSize)
{
Byte *dest = dic + dicPos;
Byte* dest = dic + dicPos;
ptrdiff_t src = (ptrdiff_t)pos - (ptrdiff_t)dicPos;
const Byte *lim = dest + curLen;
const Byte* lim = dest + curLen;
dicPos += curLen;
do
*(dest) = (Byte)*(dest + src);
while (++dest != lim);
*(dest) = (Byte) * (dest + src);
while(++dest != lim);
}
else
{
do
{
dic[dicPos++] = dic[pos];
if (++pos == dicBufSize)
if(++pos == dicBufSize)
pos = 0;
}
while (--curLen != 0);
while(--curLen != 0);
}
}
}
}
while (dicPos < limit && buf < bufLimit);
while(dicPos < limit && buf < bufLimit);
NORMALIZE;
p->buf = buf;
p->range = range;
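Review bot: In the match copy loop the formatter turned *(dest) = (Byte)*(dest + src); into *(dest) = (Byte) * (dest + src);, which reads as a multiplication even though it still parses as a cast applied to a dereference. Write it as *dest = dest[src]; or keep the formatter off this line so the intent stays obvious.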
@ -438,24 +438,24 @@ static int MY_FAST_CALL LzmaDec_DecodeReal(CLzmaDec *p, SizeT limit, const Byte
return SZ_OK;
}
static void MY_FAST_CALL LzmaDec_WriteRem(CLzmaDec *p, SizeT limit)
static void MY_FAST_CALL LzmaDec_WriteRem(CLzmaDec* p, SizeT limit)
{
if (p->remainLen != 0 && p->remainLen < kMatchSpecLenStart)
if(p->remainLen != 0 && p->remainLen < kMatchSpecLenStart)
{
Byte *dic = p->dic;
Byte* dic = p->dic;
SizeT dicPos = p->dicPos;
SizeT dicBufSize = p->dicBufSize;
unsigned len = p->remainLen;
UInt32 rep0 = p->reps[0];
if (limit - dicPos < len)
if(limit - dicPos < len)
len = (unsigned)(limit - dicPos);
if (p->checkDicSize == 0 && p->prop.dicSize - p->processedPos <= len)
if(p->checkDicSize == 0 && p->prop.dicSize - p->processedPos <= len)
p->checkDicSize = p->prop.dicSize;
p->processedPos += len;
p->remainLen -= len;
while (len-- != 0)
while(len-- != 0)
{
dic[dicPos] = dic[(dicPos - rep0) + ((dicPos < rep0) ? dicBufSize : 0)];
dicPos++;
@ -464,25 +464,25 @@ static void MY_FAST_CALL LzmaDec_WriteRem(CLzmaDec *p, SizeT limit)
}
}
static int MY_FAST_CALL LzmaDec_DecodeReal2(CLzmaDec *p, SizeT limit, const Byte *bufLimit)
static int MY_FAST_CALL LzmaDec_DecodeReal2(CLzmaDec* p, SizeT limit, const Byte* bufLimit)
{
do
{
SizeT limit2 = limit;
if (p->checkDicSize == 0)
if(p->checkDicSize == 0)
{
UInt32 rem = p->prop.dicSize - p->processedPos;
if (limit - p->dicPos > rem)
if(limit - p->dicPos > rem)
limit2 = p->dicPos + rem;
}
RINOK(LzmaDec_DecodeReal(p, limit2, bufLimit));
if (p->processedPos >= p->prop.dicSize)
if(p->processedPos >= p->prop.dicSize)
p->checkDicSize = p->prop.dicSize;
LzmaDec_WriteRem(p, limit);
}
while (p->dicPos < limit && p->buf < bufLimit && p->remainLen < kMatchSpecLenStart);
while(p->dicPos < limit && p->buf < bufLimit && p->remainLen < kMatchSpecLenStart);
if (p->remainLen > kMatchSpecLenStart)
if(p->remainLen > kMatchSpecLenStart)
{
p->remainLen = kMatchSpecLenStart;
}
@ -497,17 +497,17 @@ typedef enum
DUMMY_REP
} ELzmaDummy;
static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inSize)
static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec* p, const Byte* buf, SizeT inSize)
{
UInt32 range = p->range;
UInt32 code = p->code;
const Byte *bufLimit = buf + inSize;
CLzmaProb *probs = p->probs;
const Byte* bufLimit = buf + inSize;
CLzmaProb* probs = p->probs;
unsigned state = p->state;
ELzmaDummy res;
{
CLzmaProb *prob;
CLzmaProb* prob;
UInt32 bound;
unsigned ttt;
unsigned posState = (p->processedPos) & ((1 << p->prop.pb) - 1);
@ -520,36 +520,36 @@ static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inS
/* if (bufLimit - buf >= 7) return DUMMY_LIT; */
prob = probs + Literal;
if (p->checkDicSize != 0 || p->processedPos != 0)
if(p->checkDicSize != 0 || p->processedPos != 0)
prob += (LZMA_LIT_SIZE *
((((p->processedPos) & ((1 << (p->prop.lp)) - 1)) << p->prop.lc) +
(p->dic[(p->dicPos == 0 ? p->dicBufSize : p->dicPos) - 1] >> (8 - p->prop.lc))));
if (state < kNumLitStates)
if(state < kNumLitStates)
{
unsigned symbol = 1;
do
{
GET_BIT_CHECK(prob + symbol, symbol)
}
while (symbol < 0x100);
while(symbol < 0x100);
}
else
{
unsigned matchByte = p->dic[p->dicPos - p->reps[0] +
((p->dicPos < p->reps[0]) ? p->dicBufSize : 0)];
((p->dicPos < p->reps[0]) ? p->dicBufSize : 0)];
unsigned offs = 0x100;
unsigned symbol = 1;
do
{
unsigned bit;
CLzmaProb *probLit;
CLzmaProb* probLit;
matchByte <<= 1;
bit = (matchByte & offs);
probLit = prob + offs + bit + symbol;
GET_BIT2_CHECK(probLit, symbol, offs &= ~bit, offs &= bit)
}
while (symbol < 0x100);
while(symbol < 0x100);
}
res = DUMMY_LIT;
}
@ -613,7 +613,7 @@ static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inS
}
{
unsigned limit, offset;
CLzmaProb *probLen = prob + LenChoice;
CLzmaProb* probLen = prob + LenChoice;
IF_BIT_0_CHECK(probLen)
{
UPDATE_0_CHECK;
@ -644,20 +644,20 @@ static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inS
len += offset;
}
if (state < 4)
if(state < 4)
{
unsigned posSlot;
prob = probs + PosSlot +
((len < kNumLenToPosStates ? len : kNumLenToPosStates - 1) <<
kNumPosSlotBits);
TREE_DECODE_CHECK(prob, 1 << kNumPosSlotBits, posSlot);
if (posSlot >= kStartPosModelIndex)
if(posSlot >= kStartPosModelIndex)
{
int numDirectBits = ((posSlot >> 1) - 1);
/* if (bufLimit - buf >= 8) return DUMMY_MATCH; */
if (posSlot < kEndPosModelIndex)
if(posSlot < kEndPosModelIndex)
{
prob = probs + SpecPos + ((2 | (posSlot & 1)) << numDirectBits) - posSlot - 1;
}
@ -671,7 +671,7 @@ static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inS
code -= range & (((code - range) >> 31) - 1);
/* if (code >= range) code -= range; */
}
while (--numDirectBits != 0);
while(--numDirectBits != 0);
prob = probs + Align;
numDirectBits = kNumAlignBits;
}
@ -681,7 +681,7 @@ static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inS
{
GET_BIT_CHECK(prob + i, i);
}
while (--numDirectBits != 0);
while(--numDirectBits != 0);
}
}
}
@ -692,49 +692,49 @@ static ELzmaDummy LzmaDec_TryDummy(const CLzmaDec *p, const Byte *buf, SizeT inS
}
static void LzmaDec_InitRc(CLzmaDec *p, const Byte *data)
static void LzmaDec_InitRc(CLzmaDec* p, const Byte* data)
{
p->code = ((UInt32)data[1] << 24) | ((UInt32)data[2] << 16) | ((UInt32)data[3] << 8) | ((UInt32)data[4]);
p->range = 0xFFFFFFFF;
p->needFlush = 0;
}
void LzmaDec_InitDicAndState(CLzmaDec *p, Bool initDic, Bool initState)
void LzmaDec_InitDicAndState(CLzmaDec* p, Bool initDic, Bool initState)
{
p->needFlush = 1;
p->remainLen = 0;
p->tempBufSize = 0;
if (initDic)
if(initDic)
{
p->processedPos = 0;
p->checkDicSize = 0;
p->needInitState = 1;
}
if (initState)
if(initState)
p->needInitState = 1;
}
void LzmaDec_Init(CLzmaDec *p)
void LzmaDec_Init(CLzmaDec* p)
{
p->dicPos = 0;
LzmaDec_InitDicAndState(p, True, True);
}
static void LzmaDec_InitStateReal(CLzmaDec *p)
static void LzmaDec_InitStateReal(CLzmaDec* p)
{
UInt32 numProbs = Literal + ((UInt32)LZMA_LIT_SIZE << (p->prop.lc + p->prop.lp));
UInt32 i;
CLzmaProb *probs = p->probs;
for (i = 0; i < numProbs; i++)
CLzmaProb* probs = p->probs;
for(i = 0; i < numProbs; i++)
probs[i] = kBitModelTotal >> 1;
p->reps[0] = p->reps[1] = p->reps[2] = p->reps[3] = 1;
p->state = 0;
p->needInitState = 0;
}
SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *srcLen,
ELzmaFinishMode finishMode, ELzmaStatus *status)
SRes LzmaDec_DecodeToDic(CLzmaDec* p, SizeT dicLimit, const Byte* src, SizeT* srcLen,
ELzmaFinishMode finishMode, ELzmaStatus* status)
{
SizeT inSize = *srcLen;
(*srcLen) = 0;
@ -742,20 +742,20 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
*status = LZMA_STATUS_NOT_SPECIFIED;
while (p->remainLen != kMatchSpecLenStart)
while(p->remainLen != kMatchSpecLenStart)
{
int checkEndMarkNow;
if (p->needFlush != 0)
if(p->needFlush != 0)
{
for (; inSize > 0 && p->tempBufSize < RC_INIT_SIZE; (*srcLen)++, inSize--)
for(; inSize > 0 && p->tempBufSize < RC_INIT_SIZE; (*srcLen)++, inSize--)
p->tempBuf[p->tempBufSize++] = *src++;
if (p->tempBufSize < RC_INIT_SIZE)
if(p->tempBufSize < RC_INIT_SIZE)
{
*status = LZMA_STATUS_NEEDS_MORE_INPUT;
return SZ_OK;
}
if (p->tempBuf[0] != 0)
if(p->tempBuf[0] != 0)
return SZ_ERROR_DATA;
LzmaDec_InitRc(p, p->tempBuf);
@ -763,19 +763,19 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
}
checkEndMarkNow = 0;
if (p->dicPos >= dicLimit)
if(p->dicPos >= dicLimit)
{
if (p->remainLen == 0 && p->code == 0)
if(p->remainLen == 0 && p->code == 0)
{
*status = LZMA_STATUS_MAYBE_FINISHED_WITHOUT_MARK;
return SZ_OK;
}
if (finishMode == LZMA_FINISH_ANY)
if(finishMode == LZMA_FINISH_ANY)
{
*status = LZMA_STATUS_NOT_FINISHED;
return SZ_OK;
}
if (p->remainLen != 0)
if(p->remainLen != 0)
{
*status = LZMA_STATUS_NOT_FINISHED;
return SZ_ERROR_DATA;
@ -783,17 +783,17 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
checkEndMarkNow = 1;
}
if (p->needInitState)
if(p->needInitState)
LzmaDec_InitStateReal(p);
if (p->tempBufSize == 0)
if(p->tempBufSize == 0)
{
SizeT processed;
const Byte *bufLimit;
if (inSize < LZMA_REQUIRED_INPUT_MAX || checkEndMarkNow)
const Byte* bufLimit;
if(inSize < LZMA_REQUIRED_INPUT_MAX || checkEndMarkNow)
{
int dummyRes = LzmaDec_TryDummy(p, src, inSize);
if (dummyRes == DUMMY_ERROR)
if(dummyRes == DUMMY_ERROR)
{
memcpy(p->tempBuf, src, inSize);
p->tempBufSize = (unsigned)inSize;
@ -801,7 +801,7 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
*status = LZMA_STATUS_NEEDS_MORE_INPUT;
return SZ_OK;
}
if (checkEndMarkNow && dummyRes != DUMMY_MATCH)
if(checkEndMarkNow && dummyRes != DUMMY_MATCH)
{
*status = LZMA_STATUS_NOT_FINISHED;
return SZ_ERROR_DATA;
@ -811,7 +811,7 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
else
bufLimit = src + inSize - LZMA_REQUIRED_INPUT_MAX;
p->buf = src;
if (LzmaDec_DecodeReal2(p, dicLimit, bufLimit) != 0)
if(LzmaDec_DecodeReal2(p, dicLimit, bufLimit) != 0)
return SZ_ERROR_DATA;
processed = (SizeT)(p->buf - src);
(*srcLen) += processed;
@ -821,26 +821,26 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
else
{
unsigned rem = p->tempBufSize, lookAhead = 0;
while (rem < LZMA_REQUIRED_INPUT_MAX && lookAhead < inSize)
while(rem < LZMA_REQUIRED_INPUT_MAX && lookAhead < inSize)
p->tempBuf[rem++] = src[lookAhead++];
p->tempBufSize = rem;
if (rem < LZMA_REQUIRED_INPUT_MAX || checkEndMarkNow)
if(rem < LZMA_REQUIRED_INPUT_MAX || checkEndMarkNow)
{
int dummyRes = LzmaDec_TryDummy(p, p->tempBuf, rem);
if (dummyRes == DUMMY_ERROR)
if(dummyRes == DUMMY_ERROR)
{
(*srcLen) += lookAhead;
*status = LZMA_STATUS_NEEDS_MORE_INPUT;
return SZ_OK;
}
if (checkEndMarkNow && dummyRes != DUMMY_MATCH)
if(checkEndMarkNow && dummyRes != DUMMY_MATCH)
{
*status = LZMA_STATUS_NOT_FINISHED;
return SZ_ERROR_DATA;
}
}
p->buf = p->tempBuf;
if (LzmaDec_DecodeReal2(p, dicLimit, p->buf) != 0)
if(LzmaDec_DecodeReal2(p, dicLimit, p->buf) != 0)
return SZ_ERROR_DATA;
lookAhead -= (rem - (unsigned)(p->buf - p->tempBuf));
(*srcLen) += lookAhead;
@ -849,25 +849,25 @@ SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit, const Byte *src, SizeT *sr
p->tempBufSize = 0;
}
}
if (p->code == 0)
if(p->code == 0)
*status = LZMA_STATUS_FINISHED_WITH_MARK;
return (p->code == 0) ? SZ_OK : SZ_ERROR_DATA;
}
SRes LzmaDec_DecodeToBuf(CLzmaDec *p, Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen, ELzmaFinishMode finishMode, ELzmaStatus *status)
SRes LzmaDec_DecodeToBuf(CLzmaDec* p, Byte* dest, SizeT* destLen, const Byte* src, SizeT* srcLen, ELzmaFinishMode finishMode, ELzmaStatus* status)
{
SizeT outSize = *destLen;
SizeT inSize = *srcLen;
*srcLen = *destLen = 0;
for (;;)
for(;;)
{
SizeT inSizeCur = inSize, outSizeCur, dicPos;
ELzmaFinishMode curFinishMode;
SRes res;
if (p->dicPos == p->dicBufSize)
if(p->dicPos == p->dicBufSize)
p->dicPos = 0;
dicPos = p->dicPos;
if (outSize > p->dicBufSize - dicPos)
if(outSize > p->dicBufSize - dicPos)
{
outSizeCur = p->dicBufSize;
curFinishMode = LZMA_FINISH_ANY;
@ -887,47 +887,47 @@ SRes LzmaDec_DecodeToBuf(CLzmaDec *p, Byte *dest, SizeT *destLen, const Byte *sr
dest += outSizeCur;
outSize -= outSizeCur;
*destLen += outSizeCur;
if (res != 0)
if(res != 0)
return res;
if (outSizeCur == 0 || outSize == 0)
if(outSizeCur == 0 || outSize == 0)
return SZ_OK;
}
}
void LzmaDec_FreeProbs(CLzmaDec *p, ISzAlloc *alloc)
void LzmaDec_FreeProbs(CLzmaDec* p, ISzAlloc* alloc)
{
alloc->Free(alloc, p->probs);
p->probs = 0;
}
static void LzmaDec_FreeDict(CLzmaDec *p, ISzAlloc *alloc)
static void LzmaDec_FreeDict(CLzmaDec* p, ISzAlloc* alloc)
{
alloc->Free(alloc, p->dic);
p->dic = 0;
}
void LzmaDec_Free(CLzmaDec *p, ISzAlloc *alloc)
void LzmaDec_Free(CLzmaDec* p, ISzAlloc* alloc)
{
LzmaDec_FreeProbs(p, alloc);
LzmaDec_FreeDict(p, alloc);
}
SRes LzmaProps_Decode(CLzmaProps *p, const Byte *data, unsigned size)
SRes LzmaProps_Decode(CLzmaProps* p, const Byte* data, unsigned size)
{
UInt32 dicSize;
Byte d;
if (size < LZMA_PROPS_SIZE)
if(size < LZMA_PROPS_SIZE)
return SZ_ERROR_UNSUPPORTED;
else
dicSize = data[1] | ((UInt32)data[2] << 8) | ((UInt32)data[3] << 16) | ((UInt32)data[4] << 24);
if (dicSize < LZMA_DIC_MIN)
if(dicSize < LZMA_DIC_MIN)
dicSize = LZMA_DIC_MIN;
p->dicSize = dicSize;
d = data[0];
if (d >= (9 * 5 * 5))
if(d >= (9 * 5 * 5))
return SZ_ERROR_UNSUPPORTED;
p->lc = d % 9;
@ -938,21 +938,21 @@ SRes LzmaProps_Decode(CLzmaProps *p, const Byte *data, unsigned size)
return SZ_OK;
}
static SRes LzmaDec_AllocateProbs2(CLzmaDec *p, const CLzmaProps *propNew, ISzAlloc *alloc)
static SRes LzmaDec_AllocateProbs2(CLzmaDec* p, const CLzmaProps* propNew, ISzAlloc* alloc)
{
UInt32 numProbs = LzmaProps_GetNumProbs(propNew);
if (p->probs == 0 || numProbs != p->numProbs)
if(p->probs == 0 || numProbs != p->numProbs)
{
LzmaDec_FreeProbs(p, alloc);
p->probs = (CLzmaProb *)alloc->Alloc(alloc, numProbs * sizeof(CLzmaProb));
p->probs = (CLzmaProb*)alloc->Alloc(alloc, numProbs * sizeof(CLzmaProb));
p->numProbs = numProbs;
if (p->probs == 0)
if(p->probs == 0)
return SZ_ERROR_MEM;
}
return SZ_OK;
}
SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAlloc *alloc)
SRes LzmaDec_AllocateProbs(CLzmaDec* p, const Byte* props, unsigned propsSize, ISzAlloc* alloc)
{
CLzmaProps propNew;
RINOK(LzmaProps_Decode(&propNew, props, propsSize));
@ -961,18 +961,18 @@ SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props, unsigned propsSize, I
return SZ_OK;
}
SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAlloc *alloc)
SRes LzmaDec_Allocate(CLzmaDec* p, const Byte* props, unsigned propsSize, ISzAlloc* alloc)
{
CLzmaProps propNew;
SizeT dicBufSize;
RINOK(LzmaProps_Decode(&propNew, props, propsSize));
RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc));
dicBufSize = propNew.dicSize;
if (p->dic == 0 || dicBufSize != p->dicBufSize)
if(p->dic == 0 || dicBufSize != p->dicBufSize)
{
LzmaDec_FreeDict(p, alloc);
p->dic = (Byte *)alloc->Alloc(alloc, dicBufSize);
if (p->dic == 0)
p->dic = (Byte*)alloc->Alloc(alloc, dicBufSize);
if(p->dic == 0)
{
LzmaDec_FreeProbs(p, alloc);
return SZ_ERROR_MEM;
@ -983,21 +983,21 @@ SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAll
return SZ_OK;
}
SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
const Byte *propData, unsigned propSize, ELzmaFinishMode finishMode,
ELzmaStatus *status, ISzAlloc *alloc)
SRes LzmaDecode(Byte* dest, SizeT* destLen, const Byte* src, SizeT* srcLen,
const Byte* propData, unsigned propSize, ELzmaFinishMode finishMode,
ELzmaStatus* status, ISzAlloc* alloc)
{
CLzmaDec p;
SRes res;
SizeT inSize = *srcLen;
SizeT outSize = *destLen;
*srcLen = *destLen = 0;
if (inSize < RC_INIT_SIZE)
if(inSize < RC_INIT_SIZE)
return SZ_ERROR_INPUT_EOF;
LzmaDec_Construct(&p);
res = LzmaDec_AllocateProbs(&p, propData, propSize, alloc);
if (res != 0)
if(res != 0)
return res;
p.dic = dest;
p.dicBufSize = outSize;
@ -1007,7 +1007,7 @@ SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
*srcLen = inSize;
res = LzmaDec_DecodeToDic(&p, outSize, src, srcLen, finishMode, status);
if (res == SZ_OK && *status == LZMA_STATUS_NEEDS_MORE_INPUT)
if(res == SZ_OK && *status == LZMA_STATUS_NEEDS_MORE_INPUT)
res = SZ_ERROR_INPUT_EOF;
(*destLen) = p.dicPos;
@ -1015,12 +1015,12 @@ SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
return res;
}
void* LzmaAllocMem(void *p, size_t size)
void* LzmaAllocMem(void* p, size_t size)
{
return(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
}
void LzmaFreeMem(void *p, void *address)
void LzmaFreeMem(void* p, void* address)
{
VirtualFree(address, NULL, MEM_RELEASE);
}
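Review bot: In LzmaFreeMem, VirtualFree(address, NULL, MEM_RELEASE) passes NULL for the size argument, which is an integer (dwSize) rather than a pointer; pass 0 so the call does not depend on how NULL is defined. The p parameter is unused in both LzmaAllocMem and LzmaFreeMem, and the return value of VirtualFree is ignored; mark the parameter as unused and decide whether a failed release should be reported.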

@ -33,7 +33,7 @@ Returns:
SZ_ERROR_UNSUPPORTED - Unsupported properties
*/
SRes LzmaProps_Decode(CLzmaProps *p, const Byte *data, unsigned size);
SRes LzmaProps_Decode(CLzmaProps* p, const Byte* data, unsigned size);
/* ---------- LZMA Decoder state ---------- */
@ -46,9 +46,9 @@ SRes LzmaProps_Decode(CLzmaProps *p, const Byte *data, unsigned size);
typedef struct
{
CLzmaProps prop;
CLzmaProb *probs;
Byte *dic;
const Byte *buf;
CLzmaProb* probs;
Byte* dic;
const Byte* buf;
UInt32 range, code;
SizeT dicPos;
SizeT dicBufSize;
@ -66,7 +66,7 @@ typedef struct
#define LzmaDec_Construct(p) { (p)->dic = 0; (p)->probs = 0; }
void LzmaDec_Init(CLzmaDec *p);
void LzmaDec_Init(CLzmaDec* p);
/* There are two types of LZMA streams:
0) Stream with end mark. That end mark adds about 6 bytes to compressed size.
@ -127,11 +127,11 @@ LzmaDec_Allocate* can return:
SZ_ERROR_UNSUPPORTED - Unsupported properties
*/
SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAlloc *alloc);
void LzmaDec_FreeProbs(CLzmaDec *p, ISzAlloc *alloc);
SRes LzmaDec_AllocateProbs(CLzmaDec* p, const Byte* props, unsigned propsSize, ISzAlloc* alloc);
void LzmaDec_FreeProbs(CLzmaDec* p, ISzAlloc* alloc);
SRes LzmaDec_Allocate(CLzmaDec *state, const Byte *prop, unsigned propsSize, ISzAlloc *alloc);
void LzmaDec_Free(CLzmaDec *state, ISzAlloc *alloc);
SRes LzmaDec_Allocate(CLzmaDec* state, const Byte* prop, unsigned propsSize, ISzAlloc* alloc);
void LzmaDec_Free(CLzmaDec* state, ISzAlloc* alloc);
/* ---------- Dictionary Interface ---------- */
@ -174,8 +174,8 @@ Returns:
SZ_ERROR_DATA - Data error
*/
SRes LzmaDec_DecodeToDic(CLzmaDec *p, SizeT dicLimit,
const Byte *src, SizeT *srcLen, ELzmaFinishMode finishMode, ELzmaStatus *status);
SRes LzmaDec_DecodeToDic(CLzmaDec* p, SizeT dicLimit,
const Byte* src, SizeT* srcLen, ELzmaFinishMode finishMode, ELzmaStatus* status);
/* ---------- Buffer Interface ---------- */
@ -191,8 +191,8 @@ finishMode:
LZMA_FINISH_END - Stream must be finished after (*destLen).
*/
SRes LzmaDec_DecodeToBuf(CLzmaDec *p, Byte *dest, SizeT *destLen,
const Byte *src, SizeT *srcLen, ELzmaFinishMode finishMode, ELzmaStatus *status);
SRes LzmaDec_DecodeToBuf(CLzmaDec* p, Byte* dest, SizeT* destLen,
const Byte* src, SizeT* srcLen, ELzmaFinishMode finishMode, ELzmaStatus* status);
/* ---------- One Call Interface ---------- */
@ -216,8 +216,8 @@ Returns:
SZ_ERROR_INPUT_EOF - It needs more bytes in input buffer (src).
*/
SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
const Byte *propData, unsigned propSize, ELzmaFinishMode finishMode,
ELzmaStatus *status, ISzAlloc *alloc);
SRes LzmaDecode(Byte* dest, SizeT* destLen, const Byte* src, SizeT* srcLen,
const Byte* propData, unsigned propSize, ELzmaFinishMode finishMode,
ELzmaStatus* status, ISzAlloc* alloc);
#endif

@ -108,19 +108,19 @@ typedef int Bool;
typedef struct
{
SRes (*Read)(void *p, void *buf, size_t *size);
SRes(*Read)(void* p, void* buf, size_t* size);
/* if (input(*size) != 0 && output(*size) == 0) means end_of_stream.
(output(*size) < input(*size)) is allowed */
} ISeqInStream;
/* it can return SZ_ERROR_INPUT_EOF */
SRes SeqInStream_Read(ISeqInStream *stream, void *buf, size_t size);
SRes SeqInStream_Read2(ISeqInStream *stream, void *buf, size_t size, SRes errorType);
SRes SeqInStream_ReadByte(ISeqInStream *stream, Byte *buf);
SRes SeqInStream_Read(ISeqInStream* stream, void* buf, size_t size);
SRes SeqInStream_Read2(ISeqInStream* stream, void* buf, size_t size, SRes errorType);
SRes SeqInStream_ReadByte(ISeqInStream* stream, Byte* buf);
typedef struct
{
size_t (*Write)(void *p, const void *buf, size_t size);
size_t (*Write)(void* p, const void* buf, size_t size);
/* Returns: result - the number of actually written bytes.
(result < size) means error */
} ISeqOutStream;
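Review bot: The formatter is inconsistent on the function-pointer members in this hunk: SRes (*Read)(...) became SRes(*Read)(...), while size_t (*Write)(...) kept its space. SRes(*Read) reads like a call expression; configure the formatter to keep the space before (*name) in declarations, or leave these typedefs out of the formatting pass.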
@ -134,78 +134,78 @@ typedef enum
typedef struct
{
SRes (*Read)(void *p, void *buf, size_t *size); /* same as ISeqInStream::Read */
SRes (*Seek)(void *p, Int64 *pos, ESzSeek origin);
SRes(*Read)(void* p, void* buf, size_t* size); /* same as ISeqInStream::Read */
SRes(*Seek)(void* p, Int64* pos, ESzSeek origin);
} ISeekInStream;
typedef struct
{
SRes (*Look)(void *p, void **buf, size_t *size);
SRes(*Look)(void* p, void** buf, size_t* size);
/* if (input(*size) != 0 && output(*size) == 0) means end_of_stream.
(output(*size) > input(*size)) is not allowed
(output(*size) < input(*size)) is allowed */
SRes (*Skip)(void *p, size_t offset);
SRes(*Skip)(void* p, size_t offset);
/* offset must be <= output(*size) of Look */
SRes (*Read)(void *p, void *buf, size_t *size);
SRes(*Read)(void* p, void* buf, size_t* size);
/* reads directly (without buffer). It's same as ISeqInStream::Read */
SRes (*Seek)(void *p, Int64 *pos, ESzSeek origin);
SRes(*Seek)(void* p, Int64* pos, ESzSeek origin);
} ILookInStream;
SRes LookInStream_LookRead(ILookInStream *stream, void *buf, size_t *size);
SRes LookInStream_SeekTo(ILookInStream *stream, UInt64 offset);
SRes LookInStream_LookRead(ILookInStream* stream, void* buf, size_t* size);
SRes LookInStream_SeekTo(ILookInStream* stream, UInt64 offset);
/* reads via ILookInStream::Read */
SRes LookInStream_Read2(ILookInStream *stream, void *buf, size_t size, SRes errorType);
SRes LookInStream_Read(ILookInStream *stream, void *buf, size_t size);
SRes LookInStream_Read2(ILookInStream* stream, void* buf, size_t size, SRes errorType);
SRes LookInStream_Read(ILookInStream* stream, void* buf, size_t size);
#define LookToRead_BUF_SIZE (1 << 14)
typedef struct
{
ILookInStream s;
ISeekInStream *realStream;
ISeekInStream* realStream;
size_t pos;
size_t size;
Byte buf[LookToRead_BUF_SIZE];
} CLookToRead;
void LookToRead_CreateVTable(CLookToRead *p, int lookahead);
void LookToRead_Init(CLookToRead *p);
void LookToRead_CreateVTable(CLookToRead* p, int lookahead);
void LookToRead_Init(CLookToRead* p);
typedef struct
{
ISeqInStream s;
ILookInStream *realStream;
ILookInStream* realStream;
} CSecToLook;
void SecToLook_CreateVTable(CSecToLook *p);
void SecToLook_CreateVTable(CSecToLook* p);
typedef struct
{
ISeqInStream s;
ILookInStream *realStream;
ILookInStream* realStream;
} CSecToRead;
void SecToRead_CreateVTable(CSecToRead *p);
void SecToRead_CreateVTable(CSecToRead* p);
typedef struct
{
SRes (*Progress)(void *p, UInt64 inSize, UInt64 outSize);
SRes(*Progress)(void* p, UInt64 inSize, UInt64 outSize);
/* Returns: result. (result != SZ_OK) means break.
Value (UInt64)(Int64)-1 for size means unknown value. */
} ICompressProgress;
typedef struct
{
void *(*Alloc)(void *p, size_t size);
void (*Free)(void *p, void *address); /* address can be 0 */
void* (*Alloc)(void* p, size_t size);
void (*Free)(void* p, void* address); /* address can be 0 */
} ISzAlloc;
#define IAlloc_Alloc(p, size) (p)->Alloc((p), size)
#define IAlloc_Free(p, a) (p)->Free((p), a)
void* LzmaAllocMem(void *p, size_t size);
void LzmaFreeMem(void *p, void *address);
void* LzmaAllocMem(void* p, size_t size);
void LzmaFreeMem(void* p, void* address);
#endif

Binary file not shown. Before: 114 KiB. After: 15 KiB.


@ -1,41 +0,0 @@
========================================================================
DYNAMIC LINK LIBRARY : UnpackerEngine Project Overview
========================================================================
AppWizard has created this UnpackerEngine DLL for you.
This file contains a summary of what you will find in each of the files that
make up your UnpackerEngine application.
UnpackerEngine.vcproj
This is the main project file for VC++ projects generated using an Application Wizard.
It contains information about the version of Visual C++ that generated the file, and
information about the platforms, configurations, and project features selected with the
Application Wizard.
UnpackerEngine.cpp
This is the main DLL source file.
When created, this DLL does not export any symbols. As a result, it
will not produce a .lib file when it is built. If you wish this project
to be a project dependency of some other project, you will either need to
add code to export some symbols from the DLL so that an export library
will be produced, or you can set the Ignore Input Library property to Yes
on the General propert page of the Linker folder in the project's Property
Pages dialog box.
/////////////////////////////////////////////////////////////////////////////
Other standard files:
StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file
named UnpackerEngine.pch and a precompiled types file named StdAfx.obj.
/////////////////////////////////////////////////////////////////////////////
Other notes:
AppWizard uses "TODO:" comments to indicate parts of the source code you
should add to or customize.
/////////////////////////////////////////////////////////////////////////////


@ -0,0 +1,998 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Breakpoints.h"
#include "Global.Debugger.h"
#include "Global.Engine.h"
#include "Global.Engine.Threading.h"
#include "Global.Engine.Importer.h"
#include "Global.Threader.h"
static long engineDefaultBreakPointType = UE_BREAKPOINT_INT3;
static BYTE UD2BreakPoint[2] = {0x0F, 0x0B};
static BYTE INT3BreakPoint = 0xCC;
static BYTE INT3LongBreakPoint[2] = {0xCD, 0x03};
__declspec(dllexport) void TITCALL SetBPXOptions(long DefaultBreakPointType)
{
if(DefaultBreakPointType == UE_BREAKPOINT_INT3 || DefaultBreakPointType == UE_BREAKPOINT_LONG_INT3 || DefaultBreakPointType == UE_BREAKPOINT_UD2)
engineDefaultBreakPointType = DefaultBreakPointType;
else if(DefaultBreakPointType == UE_BREAKPOINT_TYPE_INT3)
engineDefaultBreakPointType = UE_BREAKPOINT_INT3;
else if(DefaultBreakPointType == UE_BREAKPOINT_TYPE_LONG_INT3)
engineDefaultBreakPointType = UE_BREAKPOINT_LONG_INT3;
else if(DefaultBreakPointType == UE_BREAKPOINT_TYPE_UD2)
engineDefaultBreakPointType = UE_BREAKPOINT_UD2;
}
__declspec(dllexport) bool TITCALL IsBPXEnabled(ULONG_PTR bpxAddress)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
ULONG_PTR NumberOfBytesReadWritten = 0;
DWORD MaximumBreakPoints = 0;
BYTE ReadData[10] = {};
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
const bool isSoftwareBpx = BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT || BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT;
if(isSoftwareBpx && BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
{
if(BreakPointBuffer.at(i).BreakPointActive != UE_BPXINACTIVE)
{
if(ReadProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &ReadData[0], UE_MAX_BREAKPOINT_SIZE, &NumberOfBytesReadWritten))
{
if(BreakPointBuffer.at(i).AdvancedBreakPointType == UE_BREAKPOINT_INT3 && ReadData[0] == INT3BreakPoint)
return true;
else if(BreakPointBuffer.at(i).AdvancedBreakPointType == UE_BREAKPOINT_LONG_INT3 && ReadData[0] == INT3LongBreakPoint[0] && ReadData[1] == INT3LongBreakPoint[1])
return true;
else if(BreakPointBuffer.at(i).AdvancedBreakPointType == UE_BREAKPOINT_UD2 && ReadData[0] == UD2BreakPoint[0] && ReadData[1] == UD2BreakPoint[1])
return true;
else //TODO: delete breakpoint from list?
return false;
}
else
return false;
}
else
return false;
}
}
return false;
}
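Review bot: in IsBPXEnabled the ReadProcessMemory call always reads UE_MAX_BREAKPOINT_SIZE bytes rather than the entry's BreakPointSize, so for a one-byte INT3 whose following byte is not readable the whole read fails and an active breakpoint is reported as disabled. DeleteBPX uses this result to decide whether to write OriginalByte back, so a false negative leaves the 0xCC in the debuggee after the entry has been erased. Read BreakPointBuffer.at(i).BreakPointSize bytes instead. The unused MaximumBreakPoints local can go as well.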
__declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR NumberOfBytesReadWritten = 0;
DWORD MaximumBreakPoints = 0;
bool testWrite = false;
DWORD OldProtect;
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXINACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
{
//re-read original byte(s)
if(ReadProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).OriginalByte, BreakPointBuffer.at(i).BreakPointSize, 0))
{
if(BreakPointBuffer.at(i).AdvancedBreakPointType == UE_BREAKPOINT_INT3)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &INT3BreakPoint, 1, &NumberOfBytesReadWritten))
{
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
testWrite = true;
}
}
else if(BreakPointBuffer.at(i).AdvancedBreakPointType == UE_BREAKPOINT_LONG_INT3)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &INT3LongBreakPoint, 2, &NumberOfBytesReadWritten))
{
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
testWrite = true;
}
}
else if(BreakPointBuffer.at(i).AdvancedBreakPointType == UE_BREAKPOINT_UD2)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &UD2BreakPoint, 2, &NumberOfBytesReadWritten))
{
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
testWrite = true;
}
}
if(testWrite)
{
BreakPointBuffer.at(i).BreakPointActive = UE_BPXACTIVE;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return true;
}
else
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
else
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
else
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR NumberOfBytesReadWritten = 0;
DWORD MaximumBreakPoints = 0;
DWORD OldProtect;
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &BreakPointBuffer.at(i).OriginalByte[0], BreakPointBuffer.at(i).BreakPointSize, &NumberOfBytesReadWritten))
{
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
BreakPointBuffer.at(i).BreakPointActive = UE_BPXINACTIVE;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return true;
}
else
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
else
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, LPVOID bpxCallBack)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
void* bpxDataPrt;
PMEMORY_COMPARE_HANDLER bpxDataCmpPtr;
ULONG_PTR NumberOfBytesReadWritten = 0;
BYTE SelectedBreakPointType;
DWORD checkBpxType;
DWORD OldProtect;
if(bpxCallBack == NULL)
{
return false;
}
int bpcount = (int)BreakPointBuffer.size();
//search for breakpoint
for(int i = 0; i < bpcount; i++)
{
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress && BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT || BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT))
return false;
else if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress && BreakPointBuffer.at(i).BreakPointActive == UE_BPXINACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT || BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT))
{
lock.unlock();
return EnableBPX(bpxAddress);
}
}
//setup new breakpoint structure
BreakPointDetail NewBreakPoint;
memset(&NewBreakPoint, 0, sizeof(BreakPointDetail));
if(bpxType < UE_BREAKPOINT_TYPE_INT3)
{
if(engineDefaultBreakPointType == UE_BREAKPOINT_LONG_INT3)
{
SelectedBreakPointType = UE_BREAKPOINT_LONG_INT3;
NewBreakPoint.BreakPointSize = 2;
bpxDataPrt = &INT3LongBreakPoint;
}
else if(engineDefaultBreakPointType == UE_BREAKPOINT_UD2)
{
SelectedBreakPointType = UE_BREAKPOINT_UD2;
NewBreakPoint.BreakPointSize = 2;
bpxDataPrt = &UD2BreakPoint;
}
else //default
{
SelectedBreakPointType = UE_BREAKPOINT_INT3;
NewBreakPoint.BreakPointSize = 1;
bpxDataPrt = &INT3BreakPoint;
}
}
else
{
checkBpxType = bpxType >> 24;
checkBpxType = checkBpxType << 24;
if(checkBpxType == UE_BREAKPOINT_TYPE_INT3)
{
SelectedBreakPointType = UE_BREAKPOINT_INT3;
NewBreakPoint.BreakPointSize = 1;
bpxDataPrt = &INT3BreakPoint;
}
else if(checkBpxType == UE_BREAKPOINT_TYPE_LONG_INT3)
{
SelectedBreakPointType = UE_BREAKPOINT_LONG_INT3;
NewBreakPoint.BreakPointSize = 2;
bpxDataPrt = &INT3LongBreakPoint;
}
else if(checkBpxType == UE_BREAKPOINT_TYPE_UD2)
{
SelectedBreakPointType = UE_BREAKPOINT_UD2;
NewBreakPoint.BreakPointSize = 2;
bpxDataPrt = &UD2BreakPoint;
}
}
//set breakpoint in process
bpxDataCmpPtr = (PMEMORY_COMPARE_HANDLER)bpxDataPrt;
if(!VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, NewBreakPoint.BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect))
return false;
if(ReadProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &NewBreakPoint.OriginalByte[0], NewBreakPoint.BreakPointSize, &NumberOfBytesReadWritten))
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, bpxDataPrt, NewBreakPoint.BreakPointSize, &NumberOfBytesReadWritten))
{
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
//add new breakpoint to the list
NewBreakPoint.AdvancedBreakPointType = SelectedBreakPointType & 0xFF;
NewBreakPoint.BreakPointActive = UE_BPXACTIVE;
NewBreakPoint.BreakPointAddress = bpxAddress;
NewBreakPoint.BreakPointType = bpxType & 0xFF;
NewBreakPoint.ExecuteCallBack = (ULONG_PTR)bpxCallBack;
BreakPointBuffer.push_back(NewBreakPoint);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, NewBreakPoint.BreakPointSize, OldProtect, &OldProtect);
return true;
}
else
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, NewBreakPoint.BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, NewBreakPoint.BreakPointSize, OldProtect, &OldProtect);
return false;
}
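Review bot: SetBPX has no fallback when bpxType is at or above UE_BREAKPOINT_TYPE_INT3 but its top byte matches none of the three type constants. The inner if/else-if chain ends without an else, so SelectedBreakPointType and bpxDataPrt are used uninitialised and BreakPointSize is still 0 from the memset when VirtualProtectEx, ReadProcessMemory and WriteProcessMemory are called. Add a final `else return false;` before the debuggee's memory is touched. bpxDataCmpPtr is assigned but never used in this function and can be removed.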
__declspec(dllexport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
ULONG_PTR NumberOfBytesReadWritten = 0;
DWORD OldProtect;
int bpcount = (int)BreakPointBuffer.size();
int found = -1;
for(int i = 0; i < bpcount; i++)
{
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress && (BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT || BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT))
{
found = i;
break;
}
}
if(found == -1) //not found
return false;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(found).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(IsBPXEnabled(bpxAddress))
{
if(!WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &BreakPointBuffer.at(found).OriginalByte[0], BreakPointBuffer.at(found).BreakPointSize, &NumberOfBytesReadWritten))
{
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(found).BreakPointSize, OldProtect, &OldProtect);
return false;
}
}
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(found).BreakPointSize, OldProtect, &OldProtect);
BreakPointBuffer.erase(BreakPointBuffer.begin() + found);
recentlyDeletedBpx.insert(bpxAddress);
return true;
}
__declspec(dllexport) bool TITCALL SafeDeleteBPX(ULONG_PTR bpxAddress)
{
//TODO: remove?
return DeleteBPX(bpxAddress);
}
__declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack)
{
ULONG_PTR APIAddress = NULL;
if(szDLLName && szAPIName)
{
APIAddress = EngineGetProcAddressRemote(0, szDLLName, szAPIName); //get remote proc address
if(APIAddress)
{
if(bpxPlace == UE_APIEND)
{
int i = 0;
int len = 0;
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
if(!_stricmp(szDLLName, "kernel32.dll"))
{
ULONG_PTR APIAddress_ = EngineGetProcAddressRemote(0, "kernelbase.dll", szAPIName);
if(APIAddress_)
{
bool KernelBase = true;
do //search for forwarding indicators
{
i += len;
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress + i), CmdBuffer, sizeof(CmdBuffer), 0))
return false;
if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
{
KernelBase = false; //failed to find forward indicator
break;
}
len = StaticLengthDisassemble(CmdBuffer);
}
#ifdef _WIN64
while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
#else
while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
#endif //_WIN64
if(KernelBase)
APIAddress = APIAddress_;
i = 0;
len = 0;
}
}
do //search for RET
{
i += len;
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress + i), CmdBuffer, sizeof(CmdBuffer), 0))
return false;
len = StaticLengthDisassemble(CmdBuffer);
}
while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
APIAddress += i;
}
return SetBPX(APIAddress, bpxType, bpxCallBack);
}
}
return false;
}
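Review bot: neither do/while loop in SetAPIBreakPoint checks that StaticLengthDisassemble returned a positive length or caps how far i may advance. If the length is ever 0, the loop re-reads the same address forever. The RET search also stops only on a first byte of 0xC3 or 0xC2, so a function body without one keeps scanning into whatever follows until MemoryReadSafe fails. Bound the scan and bail out on a non-positive length. The same block is repeated verbatim in DeleteAPIBreakPoint; moving the address resolution into one helper guarantees that Set and Delete always compute the same address.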
__declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace)
{
ULONG_PTR APIAddress = NULL;
if(szDLLName && szAPIName)
{
APIAddress = EngineGetProcAddressRemote(0, szDLLName, szAPIName); //get remote proc address
if(APIAddress)
{
if(bpxPlace == UE_APIEND)
{
int i = 0;
int len = 0;
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
if(!_stricmp(szDLLName, "kernel32.dll"))
{
ULONG_PTR APIAddress_ = EngineGetProcAddressRemote(0, "kernelbase.dll", szAPIName);
if(APIAddress_)
{
bool KernelBase = true;
do //search for forwarding indicators
{
i += len;
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress + i), CmdBuffer, sizeof(CmdBuffer), 0))
return false;
if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
{
KernelBase = false; //failed to find forward indicator
break;
}
len = StaticLengthDisassemble(CmdBuffer);
}
#ifdef _WIN64
while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
#else
while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
#endif //_WIN64
if(KernelBase)
APIAddress = APIAddress_;
i = 0;
len = 0;
}
}
do //search for RET
{
i += len;
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress + i), CmdBuffer, sizeof(CmdBuffer), 0))
return false;
len = StaticLengthDisassemble(CmdBuffer);
}
while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
APIAddress += i;
}
return DeleteBPX(APIAddress);
}
}
return false;
}
__declspec(dllexport) bool TITCALL SafeDeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace)
{
//TODO: remove?
return DeleteAPIBreakPoint(szDLLName, szAPIName, bpxPlace);
}
__declspec(dllexport) bool TITCALL SetMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, LPVOID bpxCallBack)
{
return SetMemoryBPXEx(MemoryStart, SizeOfMemory, UE_MEMORY, false, bpxCallBack);
}
__declspec(dllexport) bool TITCALL SetMemoryBPXEx(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, DWORD BreakPointType, bool RestoreOnHit, LPVOID bpxCallBack)
{
struct TempMemoryBreakpointDetails
{
ULONG_PTR addr;
DWORD currentPageProtect;
MemoryBreakpointPageDetail data;
};
CriticalSectionLocker lock(LockBreakPointBuffer);
bool isSuccess = true;
DWORD oldProtect;
// Note: memory breakpoints cannot intersect.
// Check that there are no other MemBPs in the address range [MemoryStart, MemoryStart+SizeOfMemory)
int bpcount = (int)BreakPointBuffer.size();
for(int i = 0; i < bpcount; i++)
{
auto bpAddr = BreakPointBuffer.at(i).BreakPointAddress;
auto bpSize = BreakPointBuffer.at(i).BreakPointSize;
auto bpType = BreakPointBuffer.at(i).BreakPointType;
bool isMem = bpType == UE_MEMORY || bpType == UE_MEMORY_READ || bpType == UE_MEMORY_WRITE || bpType == UE_MEMORY_EXECUTE;
if(isMem && bpAddr < (MemoryStart + SizeOfMemory) && bpAddr + bpSize > MemoryStart)
{
return false; // the place is taken
}
}
// Set a proper protection (e.g. PAGE_GUARD) for all pages in the range
std::vector<TempMemoryBreakpointDetails> breakpointInfos;
MemoryBreakpointPageDetail pageData;
auto pageStart = ALIGN_DOWN_BY(MemoryStart, TITANENGINE_PAGESIZE);
auto pageEnd = ALIGN_UP_BY(MemoryStart + SizeOfMemory, TITANENGINE_PAGESIZE);
for(ULONG_PTR page = pageStart; page < pageEnd; page += TITANENGINE_PAGESIZE)
{
// Save the current page protection in case of a failure
MEMORY_BASIC_INFORMATION memInfo;
if(!VirtualQueryEx(dbgProcessInformation.hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
{
isSuccess = false;
break;
}
// Update page data and increment a BP counter
auto found = MemoryBreakpointPages.find(page);
if(found == MemoryBreakpointPages.end())
{
// It's the first memory BP on this page
pageData.origProtect = memInfo.Protect;
pageData.accessBps = pageData.readBps = pageData.writeBps = pageData.executeBps = 0;
}
else
{
// There are other memory BPs on this page
pageData = found->second; // original protection stays the same
}
switch(BreakPointType)
{
case UE_MEMORY: // READ + WRITE + EXECUTE
pageData.accessBps += 1;
break;
case UE_MEMORY_READ:
pageData.readBps += 1;
break;
case UE_MEMORY_WRITE:
pageData.writeBps += 1;
break;
case UE_MEMORY_EXECUTE:
pageData.executeBps += 1;
break;
default: // unreachable
break;
}
// Get a proper MemBp page protection option and apply it
pageData.newProtect = GetPageProtectionForMemoryBreakpoint(pageData);
if(!VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)page, TITANENGINE_PAGESIZE, pageData.newProtect, &oldProtect))
{
isSuccess = false;
break;
}
TempMemoryBreakpointDetails tempInfo;
tempInfo.addr = page;
tempInfo.currentPageProtect = memInfo.Protect;
tempInfo.data = pageData;
breakpointInfos.push_back(tempInfo);
}
// If changing the page protections failed, attempt to revert the applied protections back
if(!isSuccess)
{
for(const auto & page : breakpointInfos)
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)page.addr, TITANENGINE_PAGESIZE, page.currentPageProtect, &oldProtect);
return false;
}
// Save the page data
for(const auto & page : breakpointInfos)
MemoryBreakpointPages[page.addr] = page.data;
// Add a new breakpoint
BreakPointDetail NewBreakPoint;
memset(&NewBreakPoint, 0, sizeof(BreakPointDetail));
NewBreakPoint.BreakPointActive = UE_BPXACTIVE;
NewBreakPoint.BreakPointAddress = MemoryStart;
NewBreakPoint.BreakPointSize = SizeOfMemory;
NewBreakPoint.BreakPointType = BreakPointType;
NewBreakPoint.MemoryBpxRestoreOnHit = (BYTE)RestoreOnHit;
NewBreakPoint.ExecuteCallBack = (ULONG_PTR)bpxCallBack;
BreakPointBuffer.push_back(NewBreakPoint);
return true;
}
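Review bot: SetMemoryBPXEx marks the default case of the BreakPointType switch as unreachable, but nothing in this exported function rejects other values. With an unsupported type, no counter is incremented, yet the page protection is still changed, the page is stored in MemoryBreakpointPages, and an entry is pushed that the isMem test in RemoveMemoryBPX will never match, so the protection change cannot be undone through the API. Validate BreakPointType, and reject SizeOfMemory == 0, at the top of the function before any VirtualProtectEx call. The overlap test also computes MemoryStart + SizeOfMemory without guarding against wrap-around.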
__declspec(dllexport) bool TITCALL RemoveMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
bool isSuccess = true;
// find the breakpoint
int nFoundBp = -1;
size_t bpcount = BreakPointBuffer.size();
for(size_t i = 0; i < bpcount; i++)
{
auto bpAddr = BreakPointBuffer.at(i).BreakPointAddress;
auto bpType = BreakPointBuffer.at(i).BreakPointType;
bool isMem = bpType == UE_MEMORY || bpType == UE_MEMORY_READ || bpType == UE_MEMORY_WRITE || bpType == UE_MEMORY_EXECUTE;
if(isMem && bpAddr == MemoryStart)
{
nFoundBp = (int)i;
break;
}
}
if(nFoundBp == -1)
return false; // not found
int memBpType = BreakPointBuffer.at(nFoundBp).BreakPointType;
SizeOfMemory = BreakPointBuffer.at(nFoundBp).BreakPointSize; // ignore the given size, x64dbg may be lying
//delete the memory breakpoint from the pages
auto pageStart = ALIGN_DOWN_BY(MemoryStart, TITANENGINE_PAGESIZE);
auto pageEnd = ALIGN_UP_BY(MemoryStart + SizeOfMemory, TITANENGINE_PAGESIZE);
for(ULONG_PTR pageAddr = pageStart; pageAddr < pageEnd; pageAddr += TITANENGINE_PAGESIZE)
{
auto foundPageData = MemoryBreakpointPages.find(pageAddr);
if(foundPageData == MemoryBreakpointPages.end())
continue; // should not happen
// Decrement a BP counter
auto & pageData = foundPageData->second;
switch(memBpType)
{
case UE_MEMORY: // READ + WRITE + EXECUTE
pageData.accessBps -= 1;
break;
case UE_MEMORY_READ:
pageData.readBps -= 1;
break;
case UE_MEMORY_WRITE:
pageData.writeBps -= 1;
break;
case UE_MEMORY_EXECUTE:
pageData.executeBps -= 1;
break;
default: // unreachable
break;
}
DWORD newProtect;
const bool noMoreBps = 0 == (pageData.accessBps + pageData.readBps + pageData.writeBps + pageData.executeBps);
if(noMoreBps)
{
// There are no more BPs on this page. Remove the page data.
newProtect = pageData.origProtect;
MemoryBreakpointPages.erase(foundPageData);
}
else
{
// Some BPs are still here. According to their types, reapply page protection.
pageData.newProtect = GetPageProtectionForMemoryBreakpoint(pageData);
newProtect = pageData.newProtect;
}
DWORD oldProtect;
if(!VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)pageAddr, TITANENGINE_PAGESIZE, newProtect, &oldProtect))
isSuccess = false;
}
//remove breakpoint from list
BreakPointBuffer.erase(BreakPointBuffer.begin() + nFoundBp);
return isSuccess;
}
__declspec(dllexport) bool TITCALL GetUnusedHardwareBreakPointRegister(LPDWORD RegisterIndex)
{
return EngineIsThereFreeHardwareBreakSlot(RegisterIndex);
}
__declspec(dllexport) bool TITCALL SetHardwareBreakPoint(ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack)
{
HWBP_SIZE hwbpSize;
HWBP_MODE hwbpMode;
HWBP_TYPE hwbpType;
int hwbpIndex = -1;
DR7 dr7;
switch(bpxSize)
{
case UE_HARDWARE_SIZE_1:
hwbpSize = SIZE_1;
break;
case UE_HARDWARE_SIZE_2:
hwbpSize = SIZE_2;
if((bpxAddress % 2) != 0)
return false;
break;
case UE_HARDWARE_SIZE_4:
hwbpSize = SIZE_4;
if((bpxAddress % 4) != 0)
return false;
break;
case UE_HARDWARE_SIZE_8:
hwbpSize = SIZE_8;
if((bpxAddress % 8) != 0)
return false;
break;
default:
return false;
}
if(!IndexOfRegister)
{
if(!DebugRegister[0].DrxEnabled)
IndexOfRegister = UE_DR0;
else if(!DebugRegister[1].DrxEnabled)
IndexOfRegister = UE_DR1;
else if(!DebugRegister[2].DrxEnabled)
IndexOfRegister = UE_DR2;
else if(!DebugRegister[3].DrxEnabled)
IndexOfRegister = UE_DR3;
else
return false;
}
switch(IndexOfRegister)
{
case UE_DR0:
hwbpIndex = 0;
break;
case UE_DR1:
hwbpIndex = 1;
break;
case UE_DR2:
hwbpIndex = 2;
break;
case UE_DR3:
hwbpIndex = 3;
break;
default:
return false;
}
uintdr7((ULONG_PTR)GetContextData(UE_DR7), &dr7);
DebugRegister[hwbpIndex].DrxExecution = false;
switch(bpxType)
{
case UE_HARDWARE_EXECUTE:
hwbpSize = SIZE_1;
hwbpType = TYPE_EXECUTE;
DebugRegister[hwbpIndex].DrxExecution = true;
break;
case UE_HARDWARE_WRITE:
hwbpType = TYPE_WRITE;
break;
case UE_HARDWARE_READWRITE:
hwbpType = TYPE_READWRITE;
break;
default:
return false;
}
hwbpMode = MODE_LOCAL;
dr7.HWBP_MODE[hwbpIndex] = hwbpMode;
dr7.HWBP_SIZE[hwbpIndex] = hwbpSize;
dr7.HWBP_TYPE[hwbpIndex] = hwbpType;
for(unsigned int i = 0; i < hListThread.size(); i++)
{
SetContextDataEx(hListThread.at(i).hThread, UE_DR7, dr7uint(&dr7)); //NOTE: MUST SET THIS FIRST FOR X64!
SetContextDataEx(hListThread.at(i).hThread, IndexOfRegister, bpxAddress);
}
DebugRegister[hwbpIndex].DrxBreakPointType = bpxType;
DebugRegister[hwbpIndex].DrxBreakPointSize = bpxSize;
DebugRegister[hwbpIndex].DrxEnabled = true;
DebugRegister[hwbpIndex].DrxBreakAddress = (ULONG_PTR)bpxAddress;
DebugRegister[hwbpIndex].DrxCallBack = (ULONG_PTR)bpxCallBack;
return true;
}
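Review bot: SetHardwareBreakPoint clears DebugRegister[hwbpIndex].DrxExecution before the bpxType switch, whose default branch returns false. A call with an unsupported type therefore changes the bookkeeping of a slot that may already hold a live breakpoint. Validate bpxType before touching DebugRegister. A caller-supplied IndexOfRegister is also never checked against DrxEnabled, so it silently overwrites an existing breakpoint in that slot. The body is repeated almost line for line in SetHardwareBreakPointEx and would be easier to keep correct as one shared helper.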
__declspec(dllexport) bool TITCALL SetHardwareBreakPointEx(HANDLE hActiveThread, ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack, LPDWORD IndexOfSelectedRegister)
{
HWBP_SIZE hwbpSize;
HWBP_MODE hwbpMode;
HWBP_TYPE hwbpType;
int hwbpIndex = -1;
DR7 dr7;
switch(bpxSize)
{
case UE_HARDWARE_SIZE_1:
hwbpSize = SIZE_1;
break;
case UE_HARDWARE_SIZE_2:
hwbpSize = SIZE_2;
if((bpxAddress % 2) != 0)
return false;
break;
case UE_HARDWARE_SIZE_4:
hwbpSize = SIZE_4;
if((bpxAddress % 4) != 0)
return false;
break;
case UE_HARDWARE_SIZE_8:
hwbpSize = SIZE_8;
if((bpxAddress % 8) != 0)
return false;
break;
default:
return false;
}
if(!IndexOfRegister)
{
if(!DebugRegister[0].DrxEnabled)
IndexOfRegister = UE_DR0;
else if(!DebugRegister[1].DrxEnabled)
IndexOfRegister = UE_DR1;
else if(!DebugRegister[2].DrxEnabled)
IndexOfRegister = UE_DR2;
else if(!DebugRegister[3].DrxEnabled)
IndexOfRegister = UE_DR3;
else
return false;
}
if(IndexOfSelectedRegister)
*IndexOfSelectedRegister = IndexOfRegister;
switch(IndexOfRegister)
{
case UE_DR0:
hwbpIndex = 0;
break;
case UE_DR1:
hwbpIndex = 1;
break;
case UE_DR2:
hwbpIndex = 2;
break;
case UE_DR3:
hwbpIndex = 3;
break;
default:
return false;
}
uintdr7((ULONG_PTR)GetContextDataEx(hActiveThread, UE_DR7), &dr7);
DebugRegister[hwbpIndex].DrxExecution = false;
switch(bpxType)
{
case UE_HARDWARE_EXECUTE:
hwbpSize = SIZE_1;
hwbpType = TYPE_EXECUTE;
DebugRegister[hwbpIndex].DrxExecution = true;
break;
case UE_HARDWARE_WRITE:
hwbpType = TYPE_WRITE;
break;
case UE_HARDWARE_READWRITE:
hwbpType = TYPE_READWRITE;
break;
default:
return false;
}
hwbpMode = MODE_LOCAL;
dr7.HWBP_MODE[hwbpIndex] = hwbpMode;
dr7.HWBP_SIZE[hwbpIndex] = hwbpSize;
dr7.HWBP_TYPE[hwbpIndex] = hwbpType;
SetContextDataEx(hActiveThread, UE_DR7, dr7uint(&dr7));
SetContextDataEx(hActiveThread, IndexOfRegister, (ULONG_PTR)bpxAddress);
DebugRegister[hwbpIndex].DrxBreakPointType = bpxType;
DebugRegister[hwbpIndex].DrxBreakPointSize = bpxSize;
DebugRegister[hwbpIndex].DrxEnabled = true;
DebugRegister[hwbpIndex].DrxBreakAddress = (ULONG_PTR)bpxAddress;
DebugRegister[hwbpIndex].DrxCallBack = (ULONG_PTR)bpxCallBack;
return true;
}
__declspec(dllexport) bool TITCALL DeleteHardwareBreakPoint(DWORD IndexOfRegister)
{
ULONG_PTR HardwareBPX = NULL;
ULONG_PTR bpxAddress = NULL;
if(IndexOfRegister == UE_DR0)
{
HardwareBPX = (ULONG_PTR)GetContextData(UE_DR7);
HardwareBPX = HardwareBPX & ~(1 << 0);
HardwareBPX = HardwareBPX & ~(1 << 1);
for(unsigned int i = 0; i < hListThread.size(); i++)
{
SetContextDataEx(hListThread.at(i).hThread, UE_DR0, bpxAddress);
SetContextDataEx(hListThread.at(i).hThread, UE_DR7, HardwareBPX);
}
DebugRegister[0].DrxEnabled = false;
DebugRegister[0].DrxBreakAddress = NULL;
DebugRegister[0].DrxCallBack = NULL;
return true;
}
else if(IndexOfRegister == UE_DR1)
{
HardwareBPX = (ULONG_PTR)GetContextData(UE_DR7);
HardwareBPX = HardwareBPX & ~(1 << 2);
HardwareBPX = HardwareBPX & ~(1 << 3);
for(unsigned int i = 0; i < hListThread.size(); i++)
{
SetContextDataEx(hListThread.at(i).hThread, UE_DR1, bpxAddress);
SetContextDataEx(hListThread.at(i).hThread, UE_DR7, HardwareBPX);
}
DebugRegister[1].DrxEnabled = false;
DebugRegister[1].DrxBreakAddress = NULL;
DebugRegister[1].DrxCallBack = NULL;
return true;
}
else if(IndexOfRegister == UE_DR2)
{
HardwareBPX = (ULONG_PTR)GetContextData(UE_DR7);
HardwareBPX = HardwareBPX & ~(1 << 4);
HardwareBPX = HardwareBPX & ~(1 << 5);
for(unsigned int i = 0; i < hListThread.size(); i++)
{
SetContextDataEx(hListThread.at(i).hThread, UE_DR2, bpxAddress);
SetContextDataEx(hListThread.at(i).hThread, UE_DR7, HardwareBPX);
}
DebugRegister[2].DrxEnabled = false;
DebugRegister[2].DrxBreakAddress = NULL;
DebugRegister[2].DrxCallBack = NULL;
return true;
}
else if(IndexOfRegister == UE_DR3)
{
HardwareBPX = (ULONG_PTR)GetContextData(UE_DR7);
HardwareBPX = HardwareBPX & ~(1 << 6);
HardwareBPX = HardwareBPX & ~(1 << 7);
for(unsigned int i = 0; i < hListThread.size(); i++)
{
SetContextDataEx(hListThread.at(i).hThread, UE_DR3, bpxAddress);
SetContextDataEx(hListThread.at(i).hThread, UE_DR7, HardwareBPX);
}
DebugRegister[3].DrxEnabled = false;
DebugRegister[3].DrxBreakAddress = NULL;
DebugRegister[3].DrxCallBack = NULL;
return true;
}
else
{
return false;
}
return false;
}
__declspec(dllexport) bool TITCALL RemoveAllBreakPoints(DWORD RemoveOption)
{
CriticalSectionLocker lock(LockBreakPointBuffer);
int bpcount = (int)BreakPointBuffer.size();
if(RemoveOption == UE_OPTION_REMOVEALL)
{
for(int i = bpcount - 1; i > -1; i--)
{
if(BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT)
{
DeleteBPX((ULONG_PTR)BreakPointBuffer.at(i).BreakPointAddress);
}
else if(BreakPointBuffer.at(i).BreakPointType == UE_MEMORY ||
BreakPointBuffer.at(i).BreakPointType == UE_MEMORY_READ ||
BreakPointBuffer.at(i).BreakPointType == UE_MEMORY_WRITE ||
BreakPointBuffer.at(i).BreakPointType == UE_MEMORY_EXECUTE)
{
RemoveMemoryBPX((ULONG_PTR)BreakPointBuffer.at(i).BreakPointAddress, BreakPointBuffer.at(i).BreakPointSize);
}
}
DeleteHardwareBreakPoint(UE_DR0);
DeleteHardwareBreakPoint(UE_DR1);
DeleteHardwareBreakPoint(UE_DR2);
DeleteHardwareBreakPoint(UE_DR3);
return true;
}
else if(RemoveOption == UE_OPTION_DISABLEALL)
{
for(int i = bpcount - 1; i > -1; i--)
{
if((BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT) && BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE)
{
DisableBPX((ULONG_PTR)BreakPointBuffer.at(i).BreakPointAddress);
}
else if(BreakPointBuffer.at(i).BreakPointType == UE_MEMORY ||
BreakPointBuffer.at(i).BreakPointType == UE_MEMORY_READ ||
BreakPointBuffer.at(i).BreakPointType == UE_MEMORY_WRITE ||
BreakPointBuffer.at(i).BreakPointType == UE_MEMORY_EXECUTE)
{
RemoveMemoryBPX((ULONG_PTR)BreakPointBuffer.at(i).BreakPointAddress, BreakPointBuffer.at(i).BreakPointSize);
}
}
return true;
}
else if(RemoveOption == UE_OPTION_REMOVEALLDISABLED)
{
for(int i = bpcount - 1; i > -1; i--)
{
if((BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT) && BreakPointBuffer.at(i).BreakPointActive == UE_BPXINACTIVE)
{
DeleteBPX((ULONG_PTR)BreakPointBuffer.at(i).BreakPointAddress);
}
}
return true;
}
else if(RemoveOption == UE_OPTION_REMOVEALLENABLED)
{
for(int i = bpcount - 1; i > -1; i--)
{
if((BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT) && BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE)
{
DeleteBPX((ULONG_PTR)BreakPointBuffer.at(i).BreakPointAddress);
}
}
return true;
}
return false;
}
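Review bot: In DeleteHardwareBreakPoint, every branch reads DR7 once with GetContextData(UE_DR7) and then writes that single value to each thread in hListThread, so any thread whose DR7 differed from the snapshot has its other enable bits overwritten. Read DR7 per thread inside the loop, e.g. GetContextDataEx(hListThread.at(i).hThread, UE_DR7), and clear only the two bits for the slot being deleted. The SetContextDataEx results are ignored, so the function returns true and frees the DebugRegister slot even when a thread's context was not updated. The four branches differ only in the register index and bit pair and could be one indexed path. In RemoveAllBreakPoints, the UE_OPTION_DISABLEALL branch calls RemoveMemoryBPX for memory breakpoints while software breakpoints get DisableBPX; if removal is intended there, say so in a comment, since the REMOVEALLDISABLED and REMOVEALLENABLED branches skip memory breakpoints entirely.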

File diff suppressed because it is too large


@ -0,0 +1,109 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
#include "Global.Handle.h"
#include "Global.Threader.h"
#include "Global.Librarian.h"
#include "Global.Engine.h"
__declspec(dllexport) void TITCALL ForceClose()
{
//manage process list
ClearProcessList();
//manage thread list
ClearThreadList();
//manage library list
int libcount = (int)hListLibrary.size();
for(int i = 0; i < libcount; i++)
{
if(hListLibrary.at(i).hFileMappingView != NULL)
{
UnmapViewOfFile(hListLibrary.at(i).hFileMappingView);
EngineCloseHandle(hListLibrary.at(i).hFileMapping);
}
}
ClearLibraryList();
if(!engineProcessIsNowDetached)
{
StopDebug();
}
RtlZeroMemory(&dbgProcessInformation, sizeof(PROCESS_INFORMATION));
if(DebugDebuggingDLL)
DeleteFileW(szDebuggerName);
DebugDebuggingDLL = false;
DebugExeFileEntryPointCallBack = NULL;
}
__declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
{
EnterCriticalSection(&engineStepActiveCr);
if(!engineStepActive)
{
ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
unsigned char instr[16];
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
char* DisassembledString = (char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
if(strstr(DisassembledString, "PUSHF"))
StepOver(StepCallBack);
else if(strstr(DisassembledString, "POP SS") || strstr(DisassembledString, "MOV SS")) //prevent the 'PUSH SS', 'POP SS' step trick
{
ueCurrentPosition += StaticLengthDisassemble((void*)instr);
SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3 + UE_SINGLESHOOT, StepCallBack);
}
else
{
CONTEXT myDBGContext;
HANDLE hActiveThread = EngineOpenThread(THREAD_GETSETSUSPEND, false, DBGEvent.dwThreadId);
myDBGContext.ContextFlags = ContextControlFlags;
GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.EFlags |= UE_TRAP_FLAG;
SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread);
engineStepActive = true;
engineStepCallBack = StepCallBack;
engineStepCount = 0;
}
}
LeaveCriticalSection(&engineStepActiveCr);
}
__declspec(dllexport) void TITCALL StepOver(LPVOID StepCallBack)
{
ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
unsigned char instr[16];
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
char* DisassembledString = (char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
if(strstr(DisassembledString, "CALL") || strstr(DisassembledString, "REP") || strstr(DisassembledString, "PUSHF"))
{
ueCurrentPosition += StaticLengthDisassemble((void*)instr);
SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3 + UE_SINGLESHOOT, StepCallBack);
}
else
StepInto(StepCallBack);
}
__declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal)
{
DebugStepFinal = StepFinal;
StepOutCallBack = StepOut;
StepOver(CallbackToObjectPointer(&StepOutStepCallBack));
}
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)
{
StepInto(StepCallBack);
engineStepCount = StepCount - 1; //We already stepped once
}
__declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode)
{
if(SetDbgCode != DBG_CONTINUE)
{
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
}
else
{
DBGCode = DBG_CONTINUE;
}
}
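Review bot: StepInto and StepOver hand instr to StaticDisassembleEx without checking the MemoryReadSafe result, so when the read fails the PUSHF / POP SS / CALL / REP decision is made on 16 bytes of uninitialized stack. Zero-initialize instr, bail out (or fall back to a plain trap-flag step) when the read fails, and check DisassembledString for NULL before the strstr calls. In the trap-flag path the EngineOpenThread, GetThreadContext and SetThreadContext results are also unchecked, yet engineStepActive is set to true regardless, which leaves the engine waiting for a single-step event that may never arrive. SingleStep assigns engineStepCount = StepCount - 1 after StepInto has returned and outside engineStepActiveCr; StepCount == 0 wraps, and the count is set even when StepInto took the SetBPX path or did nothing because a step was already active.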


@ -0,0 +1,173 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
//TODO: never changed LOL
static DWORD CurrentExceptionsNumber = 0;
__declspec(dllexport) void TITCALL ClearExceptionNumber()
{
CurrentExceptionsNumber = 0;
}
__declspec(dllexport) long TITCALL CurrentExceptionNumber()
{
return(CurrentExceptionsNumber);
}
__declspec(dllexport) void* TITCALL GetDebugData()
{
return(&DBGEvent);
}
__declspec(dllexport) void* TITCALL GetTerminationData()
{
return(&TerminateDBGEvent);
}
__declspec(dllexport) long TITCALL GetExitCode()
{
return(ProcessExitCode);
}
__declspec(dllexport) ULONG_PTR TITCALL GetDebuggedDLLBaseAddress()
{
return((ULONG_PTR)DebugDebuggingDLLBase);
}
__declspec(dllexport) ULONG_PTR TITCALL GetDebuggedFileBaseAddress()
{
return (ULONG_PTR)DebugDebuggingMainModuleBase;
}
__declspec(dllexport) void TITCALL SetCustomHandler(DWORD ExceptionId, LPVOID CallBack)
{
if(ExceptionId == UE_CH_BREAKPOINT)
{
DBGCustomHandler->chBreakPoint = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_SINGLESTEP)
{
DBGCustomHandler->chSingleStep = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_ACCESSVIOLATION)
{
DBGCustomHandler->chAccessViolation = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_ILLEGALINSTRUCTION)
{
DBGCustomHandler->chIllegalInstruction = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_NONCONTINUABLEEXCEPTION)
{
DBGCustomHandler->chNonContinuableException = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_ARRAYBOUNDSEXCEPTION)
{
DBGCustomHandler->chArrayBoundsException = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_FLOATDENORMALOPERAND)
{
DBGCustomHandler->chFloatDenormalOperand = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_FLOATDEVIDEBYZERO)
{
DBGCustomHandler->chFloatDevideByZero = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_INTEGERDEVIDEBYZERO)
{
DBGCustomHandler->chIntegerDevideByZero = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_INTEGEROVERFLOW)
{
DBGCustomHandler->chIntegerOverflow = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_PRIVILEGEDINSTRUCTION)
{
DBGCustomHandler->chPrivilegedInstruction = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_PAGEGUARD)
{
DBGCustomHandler->chPageGuard = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_EVERYTHINGELSE)
{
DBGCustomHandler->chEverythingElse = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_CREATETHREAD)
{
DBGCustomHandler->chCreateThread = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_EXITTHREAD)
{
DBGCustomHandler->chExitThread = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_CREATEPROCESS)
{
DBGCustomHandler->chCreateProcess = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_EXITPROCESS)
{
DBGCustomHandler->chExitProcess = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_LOADDLL)
{
DBGCustomHandler->chLoadDll = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_UNLOADDLL)
{
DBGCustomHandler->chUnloadDll = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_OUTPUTDEBUGSTRING)
{
DBGCustomHandler->chOutputDebugString = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_AFTEREXCEPTIONPROCESSING)
{
DBGCustomHandler->chAfterException = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_SYSTEMBREAKPOINT)
{
DBGCustomHandler->chSystemBreakpoint = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_UNHANDLEDEXCEPTION)
{
DBGCustomHandler->chUnhandledException = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_RIPEVENT)
{
DBGCustomHandler->chRipEvent = (ULONG_PTR)CallBack;
}
else if(ExceptionId == UE_CH_DEBUGEVENT)
{
DBGCustomHandler->chDebugEvent = (ULONG_PTR)CallBack;
}
}
__declspec(dllexport) PROCESS_INFORMATION* TITCALL TitanGetProcessInformation()
{
return(&dbgProcessInformation);
}
__declspec(dllexport) STARTUPINFOW* TITCALL TitanGetStartupInformation()
{
return(&dbgStartupInfo);
}
__declspec(dllexport) bool TITCALL IsFileBeingDebugged()
{
return(engineFileIsBeingDebugged);
}
__declspec(dllexport) void TITCALL SetErrorModel(bool DisplayErrorMessages)
{
if(DisplayErrorMessages)
{
SetErrorMode(NULL);
}
else
{
SetErrorMode(SEM_FAILCRITICALERRORS);
}
}
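Review bot: CurrentExceptionsNumber is only ever assigned 0 in the lines shown (the TODO above it says the same), so the exported CurrentExceptionNumber() always returns 0; either increment it where exceptions are dispatched or document the export as a stub so callers do not rely on it. SetCustomHandler dereferences DBGCustomHandler without a NULL check and silently ignores an ExceptionId that matches none of the UE_CH_* values; a switch with a default case would make the unknown-id path explicit, and the behaviour for unknown ids should be documented since the function returns void. SetErrorModel passes NULL to SetErrorMode, which takes a UINT; 0 states the intent more clearly.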

File diff suppressed because it is too large


@ -0,0 +1,822 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
static char szParameterString[512];
__declspec(dllexport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID StringAddress, LPVOID StringStorage, int MaximumStringSize)
{
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRW = NULL;
DWORD StringReadSize = NULL;
if(MaximumStringSize == NULL)
{
MaximumStringSize = 512;
}
VirtualQueryEx(hProcess, (LPVOID)StringAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if((int)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - (ULONG_PTR)StringAddress) < MaximumStringSize)
{
StringReadSize = (DWORD)((ULONG_PTR)StringAddress - (ULONG_PTR)MemInfo.BaseAddress);
VirtualQueryEx(hProcess, (LPVOID)((ULONG_PTR)StringAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if(MemInfo.State == MEM_COMMIT)
{
StringReadSize = MaximumStringSize;
}
}
else
{
StringReadSize = MaximumStringSize;
}
RtlZeroMemory(StringStorage, MaximumStringSize);
if(ReadProcessMemory(hProcess, (LPVOID)StringAddress, StringStorage, StringReadSize, &ueNumberOfBytesRW))
{
return true;
}
else
{
return false;
}
}
__declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DWORD FunctionType, DWORD ParameterNumber, DWORD ParameterType)
{
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRW = NULL;
ULONG_PTR StackReadBuffer = NULL;
ULONG_PTR StackFinalBuffer = NULL;
ULONG_PTR StackReadAddress = NULL;
DWORD StackSecondReadSize = NULL;
DWORD StackReadSize = 512;
DWORD StringReadSize = 512;
bool ValueIsPointer = false;
if(ParameterType == UE_PARAMETER_BYTE)
{
StackReadSize = 1;
}
else if(ParameterType == UE_PARAMETER_WORD)
{
StackReadSize = 2;
}
else if(ParameterType == UE_PARAMETER_DWORD)
{
StackReadSize = 4;
}
else if(ParameterType == UE_PARAMETER_QWORD)
{
StackReadSize = 8;
}
else
{
if(ParameterType >= UE_PARAMETER_PTR_BYTE && ParameterType <= UE_PARAMETER_UNICODE)
{
ValueIsPointer = true;
}
if(ParameterType == UE_PARAMETER_PTR_BYTE)
{
StackSecondReadSize = 1;
}
else if(ParameterType == UE_PARAMETER_PTR_WORD)
{
StackSecondReadSize = 2;
}
else if(ParameterType == UE_PARAMETER_PTR_DWORD)
{
StackSecondReadSize = 4;
}
else if(ParameterType == UE_PARAMETER_PTR_QWORD)
{
StackSecondReadSize = 8;
}
else
{
StackSecondReadSize = 0;
}
StackReadSize = sizeof(ULONG_PTR);
}
if(FunctionType >= UE_FUNCTION_STDCALL && FunctionType <= UE_FUNCTION_CCALL_CALL && FunctionType != UE_FUNCTION_FASTCALL_RET)
{
StackReadAddress = (ULONG_PTR)GetContextData(UE_CSP);
if(FunctionType != UE_FUNCTION_FASTCALL_CALL)
{
StackReadAddress = StackReadAddress + (ParameterNumber * sizeof(ULONG_PTR));
if(FunctionType >= UE_FUNCTION_STDCALL_CALL)
{
StackReadAddress = StackReadAddress - sizeof(ULONG_PTR);
}
}
else
{
if(ParameterNumber <= 4)
{
if(!ValueIsPointer)
{
if(ParameterNumber == 1)
{
return((ULONG_PTR)GetContextData(UE_RCX));
}
else if(ParameterNumber == 2)
{
return((ULONG_PTR)GetContextData(UE_RDX));
}
else if(ParameterNumber == 3)
{
return((ULONG_PTR)GetContextData(UE_R8));
}
else if(ParameterNumber == 4)
{
return((ULONG_PTR)GetContextData(UE_R9));
}
}
else
{
if(ParameterNumber == 1)
{
StackReadAddress = (ULONG_PTR)GetContextData(UE_RCX);
}
else if(ParameterNumber == 2)
{
StackReadAddress = (ULONG_PTR)GetContextData(UE_RDX);
}
else if(ParameterNumber == 3)
{
StackReadAddress = (ULONG_PTR)GetContextData(UE_R8);
}
else if(ParameterNumber == 4)
{
StackReadAddress = (ULONG_PTR)GetContextData(UE_R9);
}
}
}
else
{
StackReadAddress = StackReadAddress + 0x20 + ((ParameterNumber - 4) * sizeof(ULONG_PTR)) - sizeof(ULONG_PTR);
}
}
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof(ULONG_PTR), &ueNumberOfBytesRW))
{
if(!ValueIsPointer)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof(ULONG_PTR) - StackReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof(ULONG_PTR) - StackReadSize), StackReadSize);
}
else
{
StackReadAddress = StackReadBuffer;
if(StackSecondReadSize > NULL)
{
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof(ULONG_PTR), &ueNumberOfBytesRW))
{
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof(ULONG_PTR) - StackSecondReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof(ULONG_PTR) - StackSecondReadSize), StackSecondReadSize);
}
else
{
return(-1);
}
}
else
{
VirtualQueryEx(hProcess, (LPVOID)StackReadAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - StackReadAddress < 512)
{
StringReadSize = (DWORD)((ULONG_PTR)StackReadAddress - (ULONG_PTR)MemInfo.BaseAddress);
VirtualQueryEx(hProcess, (LPVOID)(StackReadAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if(MemInfo.State == MEM_COMMIT)
{
StringReadSize = 512;
}
}
RtlZeroMemory(&szParameterString, 512);
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &szParameterString, StringReadSize, &ueNumberOfBytesRW))
{
return((ULONG_PTR)&szParameterString);
}
else
{
return(-1);
}
}
}
return(StackFinalBuffer);
}
else
{
return(-1);
}
}
return(-1);
}
__declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps)
{
char ReadMemory[MAXIMUM_INSTRUCTION_SIZE] = {0};
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRead = NULL;
PMEMORY_CMP_HANDLER CompareMemory;
ULONG_PTR TargetedAddress = NULL;
DWORD CurrentInstructionSize;
int ReadMemData = NULL;
BYTE ReadByteData = NULL;
if(hProcess != NULL)
{
VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if(MemInfo.RegionSize > NULL)
{
if(ReadProcessMemory(hProcess, (LPVOID)InstructionAddress, ReadMemory, MAXIMUM_INSTRUCTION_SIZE, &ueNumberOfBytesRead))
{
CompareMemory = (PMEMORY_CMP_HANDLER)ReadMemory;
CurrentInstructionSize = StaticLengthDisassemble(ReadMemory);
if(CompareMemory->DataByte[0] == 0xE9 && CurrentInstructionSize == 5)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 1), 4);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xEB && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)ReadMemory + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
else
{
ReadMemData = ReadByteData;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xE3 && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)ReadMemory + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
else
{
ReadMemData = ReadByteData;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] >= 0x71 && CompareMemory->DataByte[0] <= 0x7F && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)ReadMemory + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] >= 0xE0 && CompareMemory->DataByte[0] <= 0xE2 && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)ReadMemory + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
else
{
ReadMemData = ReadByteData;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0x0F && CompareMemory->DataByte[1] >= 0x81 && CompareMemory->DataByte[1] <= 0x8F && CurrentInstructionSize == 6)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0x0F && CompareMemory->DataByte[1] >= 0x81 && CompareMemory->DataByte[1] <= 0x8F && CurrentInstructionSize == 4)
{
ReadMemData = 0;
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 2);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xE8 && CurrentInstructionSize == 5 && JustJumps == false)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 1), 4);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xFF && CompareMemory->DataByte[1] == 0x25 && CurrentInstructionSize == 6)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
}
else if(CompareMemory->DataByte[0] == 0xFF && CompareMemory->DataByte[1] == 0x15 && CurrentInstructionSize == 6 && JustJumps == false)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
}
else if(CompareMemory->DataByte[0] == 0xFF && CompareMemory->DataByte[1] != 0x64 && CompareMemory->DataByte[1] >= 0x60 && CompareMemory->DataByte[1] <= 0x67 && CurrentInstructionSize == 3)
{
ReadMemData = 0;
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 1);
TargetedAddress = ReadMemData;
if(CompareMemory->DataByte[1] == 0x60)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EAX);
}
else if(CompareMemory->DataByte[1] == 0x61)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_ECX);
}
else if(CompareMemory->DataByte[1] == 0x62)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EDX);
}
else if(CompareMemory->DataByte[1] == 0x63)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EBX);
}
else if(CompareMemory->DataByte[1] == 0x65)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EBP);
}
else if(CompareMemory->DataByte[1] == 0x66)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_ESI);
}
else if(CompareMemory->DataByte[1] == 0x67)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EDI);
}
ReadProcessMemory(hProcess, (LPVOID)TargetedAddress, &TargetedAddress, 4, &ueNumberOfBytesRead);
}
}
return((ULONG_PTR)TargetedAddress);
}
return(NULL);
}
else
{
CompareMemory = (PMEMORY_CMP_HANDLER)InstructionAddress;
CurrentInstructionSize = StaticLengthDisassemble((LPVOID)InstructionAddress);
if(CompareMemory->DataByte[0] == 0xE9 && CurrentInstructionSize == 5)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 1), 4);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xEB && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)InstructionAddress + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
else
{
ReadMemData = ReadByteData;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xE3 && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)InstructionAddress + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
else
{
ReadMemData = ReadByteData;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] >= 0x71 && CompareMemory->DataByte[0] <= 0x7F && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)InstructionAddress + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] >= 0xE0 && CompareMemory->DataByte[0] <= 0xE2 && CurrentInstructionSize == 2)
{
RtlMoveMemory(&ReadByteData, (LPVOID)((ULONG_PTR)InstructionAddress + 1), 1);
if(ReadByteData > 0x7F)
{
ReadByteData = 0xFF - ReadByteData;
ReadMemData = NULL - ReadByteData - CurrentInstructionSize + 1;
}
else
{
ReadMemData = ReadByteData;
}
TargetedAddress = InstructionAddress + ReadMemData + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0x0F && CompareMemory->DataByte[1] >= 0x81 && CompareMemory->DataByte[1] <= 0x8F && CurrentInstructionSize == 6)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0x0F && CompareMemory->DataByte[1] >= 0x81 && CompareMemory->DataByte[1] <= 0x8F && CurrentInstructionSize == 4)
{
ReadMemData = 0;
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 2);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xE8 && CurrentInstructionSize == 5 && JustJumps == false)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 1), 4);
TargetedAddress = ReadMemData + InstructionAddress + CurrentInstructionSize;
}
else if(CompareMemory->DataByte[0] == 0xFF && CompareMemory->DataByte[1] == 0x25 && CurrentInstructionSize == 6)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
}
else if(CompareMemory->DataByte[0] == 0xFF && CompareMemory->DataByte[1] == 0x15 && CurrentInstructionSize == 6 && JustJumps == false)
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
}
else if(CompareMemory->DataByte[0] == 0xFF && CompareMemory->DataByte[1] != 0x64 && CompareMemory->DataByte[1] >= 0x60 && CompareMemory->DataByte[1] <= 0x67 && CurrentInstructionSize == 3)
{
ReadMemData = 0;
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 1);
TargetedAddress = ReadMemData;
if(CompareMemory->DataByte[1] == 0x60)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EAX);
}
else if(CompareMemory->DataByte[1] == 0x61)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_ECX);
}
else if(CompareMemory->DataByte[1] == 0x62)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EDX);
}
else if(CompareMemory->DataByte[1] == 0x63)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EBX);
}
else if(CompareMemory->DataByte[1] == 0x65)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EBP);
}
else if(CompareMemory->DataByte[1] == 0x66)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_ESI);
}
else if(CompareMemory->DataByte[1] == 0x67)
{
TargetedAddress = TargetedAddress + (ULONG_PTR)GetContextData(UE_EDI);
}
RtlMoveMemory(&TargetedAddress, (LPVOID)((ULONG_PTR)TargetedAddress), 4);
}
return((ULONG_PTR)TargetedAddress);
}
return(NULL);
}
__declspec(dllexport) ULONG_PTR TITCALL GetJumpDestination(HANDLE hProcess, ULONG_PTR InstructionAddress)
{
return((ULONG_PTR)GetJumpDestinationEx(hProcess, InstructionAddress, false));
}
__declspec(dllexport) bool TITCALL IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags)
{
ULONG_PTR ThreadCIP = NULL;
DWORD ThreadEflags = NULL;
char* DisassembledString;
bool bCF = false;
bool bPF = false;
bool bAF = false;
bool bZF = false;
bool bSF = false;
bool bTF = false;
bool bIF = false;
bool bDF = false;
bool bOF = false;
if(hProcess != NULL && (hThread || RegFlags))
{
if(InstructionAddress == NULL)
{
ThreadCIP = (ULONG_PTR)GetContextDataEx(hThread, UE_CIP);
}
else
{
ThreadCIP = InstructionAddress;
}
if(RegFlags == NULL)
{
ThreadEflags = (DWORD)GetContextDataEx(hThread, UE_EFLAGS);
}
else
{
ThreadEflags = (DWORD)RegFlags;
}
DisassembledString = (char*)DisassembleEx(hProcess, (LPVOID)ThreadCIP, true);
if(DisassembledString != NULL)
{
if(ThreadEflags & (1 << 0))
{
bCF = true;
}
if(ThreadEflags & (1 << 2))
{
bPF = true;
}
if(ThreadEflags & (1 << 4))
{
bAF = true;
}
if(ThreadEflags & (1 << 6))
{
bZF = true;
}
if(ThreadEflags & (1 << 7))
{
bSF = true;
}
if(ThreadEflags & (1 << 8))
{
bTF = true;
}
if(ThreadEflags & (1 << 9))
{
bIF = true;
}
if(ThreadEflags & (1 << 10))
{
bDF = true;
}
if(ThreadEflags & (1 << 11))
{
bOF = true;
}
if(lstrcmpiA(DisassembledString, "RET") == NULL)
{
return (true);
}
else if(lstrcmpiA(DisassembledString, "RETF") == NULL)
{
return (true);
}
else if(lstrcmpiA(DisassembledString, "JMP") == NULL)
{
return true;
}
else if(lstrcmpiA(DisassembledString, "JA") == NULL)
{
if(bCF == false && bZF == false)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JAE") == NULL)
{
if(!bCF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JB") == NULL)
{
if(bCF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JBE") == NULL)
{
if(bCF == true || bZF == true)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JC") == NULL)
{
if(bCF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JCXZ") == NULL)
{
if((WORD)GetContextDataEx(hThread, UE_ECX) == NULL)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JECXZ") == NULL)
{
if((DWORD)GetContextDataEx(hThread, UE_ECX) == NULL)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JRCXZ") == NULL)
{
if((ULONG_PTR)GetContextDataEx(hThread, UE_RCX) == NULL)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JZ") == NULL)
{
if(bZF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNZ") == NULL)
{
if(!bZF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JE") == NULL)
{
if(bZF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNE") == NULL)
{
if(!bZF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JG") == NULL)
{
if(bZF == false && bSF == bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JGE") == NULL)
{
if(bSF == bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JL") == NULL)
{
if(bSF != bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JLE") == NULL)
{
if(bZF == true || bSF != bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNA") == NULL)
{
if(bCF == true || bZF == true)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNAE") == NULL)
{
if(bCF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNB") == NULL)
{
if(!bCF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNBE") == NULL)
{
if(bCF == false && bZF == false)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNC") == NULL)
{
if(!bCF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNG") == NULL)
{
if(bZF == true || bSF != bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNGE") == NULL)
{
if(bSF != bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNL") == NULL)
{
if(bSF == bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNLE") == NULL)
{
if(bZF == false && bSF == bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNO") == NULL)
{
if(!bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNP") == NULL)
{
if(!bPF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JNS") == NULL)
{
if(!bSF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JO") == NULL)
{
if(bOF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JP") == NULL)
{
if(bPF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JPE") == NULL)
{
if(bPF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JPO") == NULL)
{
if(!bPF)
{
return true;
}
}
else if(lstrcmpiA(DisassembledString, "JS") == NULL)
{
if(bSF)
{
return true;
}
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL IsJumpGoingToExecute()
{
return(IsJumpGoingToExecuteEx(dbgProcessInformation.hProcess, dbgProcessInformation.hThread, NULL, NULL));
}
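Review bot: In GetJumpDestinationEx, the short Jcc branch (DataByte[0] >= 0x71 && DataByte[0] <= 0x7F), in both the remote and the local path, has no else for a non-negative displacement, so ReadMemData keeps its initial value of 0 and every forward short conditional jump resolves to the address of the next instruction. Add the same else { ReadMemData = ReadByteData; } that the 0xEB, 0xE3 and 0xE0..0xE2 branches have. The ranges also start at 0x71 and at 0x0F 0x81, which skips JO (0x70 and 0x0F 0x80). In GetRemoteString and in the string path of GetFunctionParameter, the VirtualQueryEx results are unchecked, so MemInfo may be used uninitialized, and the short-region case sets the read size to StringAddress - MemInfo.BaseAddress (the offset into the region) where the bytes remaining up to BaseAddress + RegionSize appear to be intended; the follow-up query likewise probes StringAddress + RegionSize instead of the start of the next region. Both functions can fill the destination buffer to its full size with debuggee-controlled bytes, so the result is not guaranteed to be NUL-terminated; reading at most size - 1 bytes would fix that. GetFunctionParameter returns a pointer to the static szParameterString, which should be documented as not thread-safe and overwritten by the next call.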


@ -0,0 +1,463 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
#include "Global.Breakpoints.h"
__declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard)
{
if(!MemoryToCheck || !PatternToMatch || !SizeOfPatternToMatch || !SizeOfMemoryToCheck)
return false;
BYTE intWildCard = 0;
LPVOID ueReadBuffer = NULL;
DynBuf ueReadBuf;
SIZE_T ueNumberOfBytesRead = 0;
MEMORY_BASIC_INFORMATION memoryInformation = {};
PMEMORY_COMPARE_HANDLER memCmp = (PMEMORY_COMPARE_HANDLER)MemoryToCheck;
PMEMORY_COMPARE_HANDLER memPattern = (PMEMORY_COMPARE_HANDLER)PatternToMatch;
if(WildCard == NULL)
{
WildCard = &intWildCard;
}
if(SizeOfMemoryToCheck >= SizeOfPatternToMatch)
{
if(hProcess != GetCurrentProcess())
{
ueReadBuffer = ueReadBuf.Allocate(SizeOfMemoryToCheck);
if(ueReadBuffer && ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
{
if(ueNumberOfBytesRead == 0)
{
if(VirtualQueryEx(hProcess, MemoryToCheck, &memoryInformation, sizeof(memoryInformation)) != NULL)
{
SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
{
return false;
}
}
else
{
return false;
}
}
}
memCmp = (PMEMORY_COMPARE_HANDLER)ueReadBuffer;
}
}
if(memCmp)
{
for(int i = 0; i < SizeOfMemoryToCheck && i < SizeOfPatternToMatch; i++)
{
if(memCmp->Array.bArrayEntry[i] != memPattern->Array.bArrayEntry[i] && memPattern->Array.bArrayEntry[i] != *WildCard)
{
return false;
}
}
}
return true;
}
__declspec(dllexport) bool TITCALL MatchPattern(void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard)
{
if(dbgProcessInformation.hProcess != NULL)
{
return(MatchPatternEx(dbgProcessInformation.hProcess, MemoryToCheck, SizeOfMemoryToCheck, PatternToMatch, SizeOfPatternToMatch, WildCard));
}
else
{
return(MatchPatternEx(GetCurrentProcess(), MemoryToCheck, SizeOfMemoryToCheck, PatternToMatch, SizeOfPatternToMatch, WildCard));
}
}
__declspec(dllexport) ULONG_PTR TITCALL FindEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard)
{
if(!hProcess || !MemoryStart || !MemorySize || !SearchPattern || !PatternSize)
return 0;
ULONG_PTR Return = NULL;
LPVOID ueReadBuffer = NULL;
DynBuf ueReadBuf;
PUCHAR SearchBuffer = NULL;
PUCHAR CompareBuffer = NULL;
MEMORY_BASIC_INFORMATION memoryInformation = {};
ULONG_PTR ueNumberOfBytesRead = NULL;
LPVOID currentSearchPosition = NULL;
DWORD currentSizeOfSearch = NULL;
BYTE nWildCard = NULL;
if(WildCard == NULL)
{
WildCard = &nWildCard;
}
if(hProcess != GetCurrentProcess())
{
ueReadBuffer = ueReadBuf.Allocate(MemorySize);
if(ueReadBuffer && !MemoryReadSafe(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
{
if(ueNumberOfBytesRead == NULL)
{
if(VirtualQueryEx(hProcess, MemoryStart, &memoryInformation, sizeof(memoryInformation)) != NULL)
{
MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart);
if(!MemoryReadSafe(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
{
return 0;
}
}
else
{
return 0;
}
}
}
SearchBuffer = (PUCHAR)ueReadBuffer;
}
else
{
SearchBuffer = (PUCHAR)MemoryStart;
}
CompareBuffer = (PUCHAR)SearchPattern;
DWORD i, j;
for(i = 0; i < MemorySize && Return == NULL; i++)
{
for(j = 0; j < PatternSize; j++)
{
if(CompareBuffer[j] != *(PUCHAR)WildCard && SearchBuffer[i + j] != CompareBuffer[j])
{
break;
}
}
if(j == PatternSize)
{
Return = (ULONG_PTR)MemoryStart + i;
}
}
return Return;
}
extern "C" __declspec(dllexport) ULONG_PTR TITCALL Find(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard)
{
if(dbgProcessInformation.hProcess != NULL)
{
return(FindEx(dbgProcessInformation.hProcess, MemoryStart, MemorySize, SearchPattern, PatternSize, WildCard));
}
else
{
return(FindEx(GetCurrentProcess(), MemoryStart, MemorySize, SearchPattern, PatternSize, WildCard));
}
}
__declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte)
{
unsigned int i;
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRead;
BYTE defFillByte = 0x90;
DWORD OldProtect;
if(hProcess != NULL)
{
if(FillByte == NULL)
{
FillByte = &defFillByte;
}
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
for(i = 0; i < MemorySize; i++)
{
WriteProcessMemory(hProcess, MemoryStart, FillByte, 1, &ueNumberOfBytesRead);
MemoryStart = (LPVOID)((ULONG_PTR)MemoryStart + 1);
}
VirtualProtectEx(hProcess, MemoryStart, MemorySize, OldProtect, &OldProtect);
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte)
{
if(dbgProcessInformation.hProcess != NULL)
{
return(FillEx(dbgProcessInformation.hProcess, MemoryStart, MemorySize, FillByte));
}
else
{
return(FillEx(GetCurrentProcess(), MemoryStart, MemorySize, FillByte));
}
}
__declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP)
{
unsigned int i, recalcSize;
LPVOID lpMemoryStart = MemoryStart;
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRead;
BYTE FillByte = 0x90;
DWORD OldProtect;
if(hProcess != NULL)
{
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(MemorySize - ReplaceSize != NULL)
{
recalcSize = abs((long)(MemorySize - ReplaceSize));
if(AppendNOP)
{
WriteProcessMemory(hProcess, MemoryStart, ReplacePattern, ReplaceSize, &ueNumberOfBytesRead);
lpMemoryStart = (LPVOID)((ULONG_PTR)MemoryStart + ReplaceSize);
for(i = 0; i < recalcSize; i++)
{
WriteProcessMemory(hProcess, lpMemoryStart, &FillByte, 1, &ueNumberOfBytesRead);
lpMemoryStart = (LPVOID)((ULONG_PTR)lpMemoryStart + 1);
}
}
else if(PrependNOP)
{
lpMemoryStart = MemoryStart;
for(i = 0; i < recalcSize; i++)
{
WriteProcessMemory(hProcess, lpMemoryStart, &FillByte, 1, &ueNumberOfBytesRead);
lpMemoryStart = (LPVOID)((ULONG_PTR)lpMemoryStart + 1);
}
WriteProcessMemory(hProcess, lpMemoryStart, ReplacePattern, ReplaceSize, &ueNumberOfBytesRead);
}
else
{
WriteProcessMemory(hProcess, MemoryStart, ReplacePattern, ReplaceSize, &ueNumberOfBytesRead);
}
}
else
{
WriteProcessMemory(hProcess, MemoryStart, ReplacePattern, ReplaceSize, &ueNumberOfBytesRead);
}
VirtualProtectEx(hProcess, MemoryStart, MemorySize, OldProtect, &OldProtect);
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL Patch(LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP)
{
if(dbgProcessInformation.hProcess != NULL)
{
return(PatchEx(dbgProcessInformation.hProcess, MemoryStart, MemorySize, ReplacePattern, ReplaceSize, AppendNOP, PrependNOP));
}
else
{
return(PatchEx(GetCurrentProcess(), MemoryStart, MemorySize, ReplacePattern, ReplaceSize, AppendNOP, PrependNOP));
}
}
__declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard)
{
unsigned int i;
ULONG_PTR ueNumberOfBytesRead;
ULONG_PTR CurrentFoundPattern;
LPVOID cMemoryStart = MemoryStart;
DWORD cMemorySize = MemorySize;
DynBuf lpReadMem;
LPVOID lpReadMemory = lpReadMem.Allocate(PatternSize);
CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard);
NumberOfRepetitions--;
while(CurrentFoundPattern != NULL && NumberOfRepetitions != NULL)
{
if(ReadProcessMemory(hProcess, (LPVOID)CurrentFoundPattern, lpReadMemory, PatternSize, &ueNumberOfBytesRead))
{
for(i = 0; i < ReplaceSize; i++)
{
if(memcmp((LPVOID)((ULONG_PTR)ReplacePattern + i), WildCard, 1) != NULL)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)lpReadMemory + i), (LPVOID)((ULONG_PTR)ReplacePattern + i), 1);
}
}
PatchEx(hProcess, (LPVOID)CurrentFoundPattern, PatternSize, lpReadMemory, ReplaceSize, true, false);
}
cMemoryStart = (LPVOID)(CurrentFoundPattern + PatternSize);
cMemorySize = (DWORD)((ULONG_PTR)MemoryStart + MemorySize - CurrentFoundPattern);
CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard);
NumberOfRepetitions--;
}
if(NumberOfRepetitions != NULL)
{
return false;
}
else
{
return true;
}
}
__declspec(dllexport) bool TITCALL Replace(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard)
{
if(dbgProcessInformation.hProcess != NULL)
{
return(ReplaceEx(dbgProcessInformation.hProcess, MemoryStart, MemorySize, SearchPattern, PatternSize, NumberOfRepetitions, ReplacePattern, ReplaceSize, WildCard));
}
else
{
return(ReplaceEx(GetCurrentProcess(), MemoryStart, MemorySize, SearchPattern, PatternSize, NumberOfRepetitions, ReplacePattern, ReplaceSize, WildCard));
}
}
//what should this function do:
//- do all possible effort to read memory
//- filter out breakpoints
__declspec(dllexport) bool TITCALL MemoryReadSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead)
{
SIZE_T ueNumberOfBytesRead = 0;
SIZE_T* pNumBytes = 0;
DWORD dwProtect = 0;
bool retValue = false;
//read memory
if((hProcess == 0) || (lpBaseAddress == 0) || (lpBuffer == 0) || (nSize == 0))
{
return false;
}
if(!lpNumberOfBytesRead)
{
pNumBytes = &ueNumberOfBytesRead;
}
else
{
pNumBytes = lpNumberOfBytesRead;
}
if(!ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
CriticalSectionLocker memProtectLock(LockMemoryProtection);
// try to temporarily change the page protections to PAGE_EXECUTE_READ
std::vector<MEMORY_BASIC_INFORMATION> memRegions;
MEMORY_BASIC_INFORMATION memInfo;
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
{
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
break; // failure ('VirtualProtectEx' will fail too)
memRegions.push_back(memInfo);
}
if(VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READ, &dwProtect))
{
if(ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
retValue = true;
}
for(const auto & info : memRegions)
{
ULONG_PTR size = info.RegionSize;
if(endAddr < (ULONG_PTR)info.BaseAddress + info.RegionSize)
size = endAddr - (ULONG_PTR)info.BaseAddress;
VirtualProtectEx(hProcess, info.BaseAddress, size, info.Protect, &dwProtect);
}
}
}
else
{
retValue = true;
}
//filter breakpoints
if(retValue)
BreakPointPostReadFilter((ULONG_PTR)lpBaseAddress, (unsigned char*)lpBuffer, nSize);
return retValue;
}
//what should this function do:
//- do all possible effort to write memory
//- re-set breakpoints when overwritten
__declspec(dllexport) bool TITCALL MemoryWriteSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten)
{
SIZE_T ueNumberOfBytesWritten = 0;
SIZE_T* pNumBytes = 0;
DWORD dwProtect = 0;
bool retValue = false;
//read memory
if((hProcess == 0) || (lpBaseAddress == 0) || (lpBuffer == 0) || (nSize == 0))
{
return false;
}
CriticalSectionLocker lock(LockBreakPointBuffer); //thread-safe
//disable breakpoints that interfere with the memory to write
BreakPointPreWriteFilter((ULONG_PTR)lpBaseAddress, nSize);
if(!lpNumberOfBytesWritten)
{
pNumBytes = &ueNumberOfBytesWritten;
}
else
{
pNumBytes = lpNumberOfBytesWritten;
}
if(!WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes) || *pNumBytes < nSize)
{
CriticalSectionLocker memProtectLock(LockMemoryProtection);
// try to temporarily change the page protections to PAGE_EXECUTE_READWRITE
std::vector<MEMORY_BASIC_INFORMATION> memRegions;
MEMORY_BASIC_INFORMATION memInfo;
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
{
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
break; // failure
memRegions.push_back(memInfo);
}
if(VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwProtect))
{
if(WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
retValue = true;
}
for(const auto & info : memRegions)
{
ULONG_PTR size = info.RegionSize;
if(endAddr < (ULONG_PTR)info.BaseAddress + info.RegionSize)
size = endAddr - (ULONG_PTR)info.BaseAddress;
VirtualProtectEx(hProcess, info.BaseAddress, size, info.Protect, &dwProtect);
}
}
}
else
{
retValue = true;
}
//re-enable breakpoints that interfere with the memory to write
BreakPointPostWriteFilter((ULONG_PTR)lpBaseAddress, nSize);
return retValue;
}
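Review bot: In FillEx the final VirtualProtectEx restores protection at the wrong address: the fill loop advances MemoryStart by MemorySize bytes, so the restore call covers the range after the one that was switched to PAGE_EXECUTE_READWRITE, which can leave pages of the filled range writable and executable and apply this region's old protection to whatever follows. Keep the original pointer and step a separate cursor in the loop, as PatchEx does with lpMemoryStart, and check the VirtualProtectEx and WriteProcessMemory results instead of returning true unconditionally. Separately, the search loop in FindEx runs i up to MemorySize - 1 while the inner loop reads SearchBuffer[i + j], so it reads up to PatternSize - 1 bytes past the end of the buffer; bound the outer loop so that i + PatternSize never exceeds MemorySize, and return 0 when ueReadBuf.Allocate fails rather than searching a null SearchBuffer.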


@ -0,0 +1,861 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
#include "Global.Engine.h"
#include "Global.Handle.h"
#include "Global.Threader.h"
#include "Global.Engine.Hider.h"
static wchar_t szBackupDebuggedFileName[512];
// TitanEngine.Debugger.functions:
__declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder)
{
wchar_t* PtrUniFileName = NULL;
wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrUniCommandLine = NULL;
wchar_t uniCommandLine[MAX_PATH] = {};
wchar_t* PtrUniCurrentFolder = NULL;
wchar_t uniCurrentFolder[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szCommandLine, lstrlenA(szCommandLine) + 1, uniCommandLine, sizeof(uniCommandLine) / (sizeof(uniCommandLine[0])));
MultiByteToWideChar(CP_ACP, NULL, szCurrentFolder, lstrlenA(szCurrentFolder) + 1, uniCurrentFolder, sizeof(uniCurrentFolder) / (sizeof(uniCurrentFolder[0])));
if(szFileName != NULL)
{
PtrUniFileName = &uniFileName[0];
}
if(szCommandLine != NULL)
{
PtrUniCommandLine = &uniCommandLine[0];
}
if(szCurrentFolder != NULL)
{
PtrUniCurrentFolder = &uniCurrentFolder[0];
}
return(InitDebugW(PtrUniFileName, PtrUniCommandLine, PtrUniCurrentFolder));
}
else
{
return NULL;
}
}
static bool ProcessRelocations(char* imageCopy, ULONG_PTR imageSize, ULONG_PTR newImageBase, ULONG_PTR & oldImageBase)
{
auto pnth = RtlImageNtHeader(imageCopy);
if(pnth == nullptr)
return false;
// Put the new base in the header
oldImageBase = pnth->OptionalHeader.ImageBase;
pnth->OptionalHeader.ImageBase = newImageBase;
// Nothing to do if relocations are stripped
if(pnth->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
return true;
// Nothing to do if there are no relocations
const auto & relocDir = pnth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
if(relocDir.Size == 0 || relocDir.VirtualAddress == 0)
return true;
// Process the relocations
auto delta = newImageBase - oldImageBase;
auto relocationItr = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)imageCopy + relocDir.VirtualAddress);
auto relocationEnd = (PIMAGE_BASE_RELOCATION)((ULONG_PTR)relocationItr + relocDir.Size);
while(relocationItr < relocationEnd && relocationItr->SizeOfBlock > 0)
{
auto count = (relocationItr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT);
auto address = (ULONG_PTR)imageCopy + relocationItr->VirtualAddress;
auto typeOffset = (PUSHORT)(relocationItr + 1);
relocationItr = LdrProcessRelocationBlock(address, (ULONG)count, typeOffset, delta);
if(relocationItr == nullptr)
return false;
}
return true;
}
static bool RelocateImage(HANDLE hProcess, PVOID imageBase, SIZE_T imageSize)
{
constexpr auto pageSize = 0x1000;
std::vector<bool> writeback(imageSize / pageSize);
// allocate a local copy of the mapped image
auto imageCopy = (char*)VirtualAlloc(0, imageSize, MEM_COMMIT, PAGE_READWRITE);
if(imageCopy == nullptr)
return false;
// read all the pages
for(size_t i = 0; i < writeback.size(); i++)
{
auto offset = i * pageSize;
SIZE_T read = 0;
if(NT_SUCCESS(NtReadVirtualMemory(hProcess, (char*)imageBase + offset, imageCopy + offset, pageSize, &read)))
writeback[i] = true;
}
// perform the actual relocations
ULONG_PTR oldImageBase = 0;
auto success = ProcessRelocations(imageCopy, imageSize, (ULONG_PTR)imageBase, oldImageBase);
// write back the pages
auto memWrite = [hProcess](PVOID ptr, LPCVOID data, SIZE_T size)
{
// Make the page writable
ULONG oldProtect = 0;
if(NT_SUCCESS(NtProtectVirtualMemory(hProcess, &ptr, &size, PAGE_READWRITE, &oldProtect)))
{
// Write the memory
SIZE_T written = 0;
if(NT_SUCCESS(NtWriteVirtualMemory(hProcess, ptr, data, size, &written)))
{
// Restore the old protection
return NT_SUCCESS(NtProtectVirtualMemory(hProcess, &ptr, &size, oldProtect, &oldProtect));
}
}
return false;
};
for(size_t i = 0; i < writeback.size(); i++)
{
if(writeback[i])
{
auto offset = pageSize * i;
if(!memWrite((char*)imageBase + offset, imageCopy + offset, pageSize))
success = false;
}
}
// Create a copy of the header at the original image base
// The kernel uses it in ZwCreateThread to get the stack size for example
if(success)
{
success = false;
auto oldPage = (LPVOID)oldImageBase;
if(VirtualAllocEx(hProcess, oldPage, pageSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE))
{
if(memWrite(oldPage, imageCopy, pageSize))
{
DWORD oldProtect = 0;
if(VirtualProtectEx(hProcess, oldPage, pageSize, PAGE_READONLY, &oldProtect))
success = true;
}
}
}
// Free the copy of the image
VirtualFree(imageCopy, imageSize, MEM_DECOMMIT);
return success;
}
static bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMATION & pi)
{
bool success = false;
auto hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
if(hFile != INVALID_HANDLE_VALUE)
{
// Retrieve image base and entry point
DebugModuleImageBase = GetPE32DataW(szFileName, 0, UE_IMAGEBASE);
DebugModuleEntryPoint = GetPE32DataW(szFileName, 0, UE_OEP);
auto hMapping = CreateFileMappingW(hFile, nullptr, SEC_IMAGE | PAGE_READONLY, 0, 0, nullptr);
if(hMapping)
{
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_ALL;
if(GetThreadContext(pi.hThread, &ctx))
{
PVOID imageBase;
// TODO: support wow64 processes
#ifdef _WIN64
auto & pebRegister = ctx.Rdx;
auto & entryPointRegister = ctx.Rcx;
#else
auto & pebRegister = ctx.Ebx;
auto & entryPointRegister = ctx.Eax;
#endif // _WIN64
if(ReadProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr))
{
if(ULONG_PTR(imageBase) == DebugModuleImageBase)
{
// Already at the right base
success = true;
}
else
{
auto status = NtUnmapViewOfSection(pi.hProcess, imageBase);
if(status == STATUS_SUCCESS)
{
SIZE_T viewSize = 0;
imageBase = PVOID(DebugModuleImageBase);
status = NtMapViewOfSection(hMapping, pi.hProcess, &imageBase, 0, 0, nullptr, &viewSize, ViewUnmap, 0, PAGE_READONLY);
if(status == STATUS_CONFLICTING_ADDRESSES)
{
// Remap in a random location (otherwise the process will crash)
imageBase = 0;
status = NtMapViewOfSection(hMapping, pi.hProcess, &imageBase, 0, 0, nullptr, &viewSize, ViewUnmap, 0, PAGE_READONLY);
}
if(status == STATUS_SUCCESS || status == STATUS_IMAGE_NOT_AT_BASE)
{
auto pebOk = WriteProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr);
auto relocatedOk = RelocateImage(pi.hProcess, imageBase, viewSize);
if(pebOk && relocatedOk)
{
auto expectedBase = DebugModuleImageBase == ULONG_PTR(imageBase);
DebugModuleImageBase = ULONG_PTR(imageBase);
entryPointRegister = DebugModuleImageBase + DebugModuleEntryPoint;
if(SetThreadContext(pi.hThread, &ctx))
{
success = expectedBase;
#ifndef _WIN64
// For Wow64 processes, also adjust the 64-bit PEB
if(IsThisProcessWow64() && !WriteProcessMemory(pi.hProcess, (char*)pebRegister - 0x1000 + 0x10, &imageBase, sizeof(PVOID), nullptr))
success = false;
#endif // _WIN64
}
}
}
}
}
}
}
CloseHandle(hMapping);
}
CloseHandle(hFile);
}
if(!success)
{
DebugModuleImageBase = 0;
}
return success;
}
__declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder)
{
int creationFlags = DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS;
if(engineDisableAslr)
creationFlags = CREATE_SUSPENDED;
if(DebugDebuggingDLL)
{
creationFlags |= CREATE_NO_WINDOW;
creationFlags |= CREATE_SUSPENDED;
}
else if(engineRemoveConsoleForDebugee)
{
creationFlags |= CREATE_NO_WINDOW;
}
else
{
creationFlags |= CREATE_NEW_CONSOLE;
}
wchar_t* szFileNameCreateProcess;
wchar_t* szCommandLineCreateProcess;
std::wstring createWithCmdLine;
if(szCommandLine == NULL || !lstrlenW(szCommandLine))
{
szCommandLineCreateProcess = 0;
szFileNameCreateProcess = szFileName;
}
else
{
createWithCmdLine.push_back('\"');
createWithCmdLine.append(szFileName);
createWithCmdLine.push_back('\"');
createWithCmdLine.push_back(' ');
createWithCmdLine.append(szCommandLine);
szCommandLineCreateProcess = (wchar_t*)createWithCmdLine.c_str();
szFileNameCreateProcess = 0;
}
int retries = 0;
retry_no_aslr:
// Temporarily disable the debug privilege so the child doesn't inherit it (this evades debugger detection)
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), false);
auto createProcessResult = CreateProcessW(szFileNameCreateProcess, szCommandLineCreateProcess, NULL, NULL, false, creationFlags, NULL, szCurrentFolder, &dbgStartupInfo, &dbgProcessInformation);
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), true);
if(createProcessResult)
{
if(engineDisableAslr)
{
if(!HollowProcessWithoutASLR(szFileName, dbgProcessInformation))
{
TerminateThread(dbgProcessInformation.hThread, STATUS_CONFLICTING_ADDRESSES);
TerminateProcess(dbgProcessInformation.hProcess, STATUS_CONFLICTING_ADDRESSES);
if(retries++ < 10)
goto retry_no_aslr;
memset(&dbgProcessInformation, 0, sizeof(PROCESS_INFORMATION));
return nullptr;
}
else
{
DebugActiveProcess_(dbgProcessInformation.dwProcessId);
DebugSetProcessKillOnExit(TRUE);
ResumeThread(dbgProcessInformation.hThread);
}
}
DebugAttachedToProcess = false;
DebugAttachedProcessCallBack = NULL;
return &dbgProcessInformation;
}
else
{
DWORD lastError = GetLastError();
memset(&dbgProcessInformation, 0, sizeof(PROCESS_INFORMATION));
SetLastError(lastError);
return 0;
}
}
__declspec(dllexport) void* TITCALL InitNativeDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder)
{
wchar_t* PtrUniFileName = NULL;
wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrUniCommandLine = NULL;
wchar_t uniCommandLine[MAX_PATH] = {};
wchar_t* PtrUniCurrentFolder = NULL;
wchar_t uniCurrentFolder[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szCommandLine, lstrlenA(szCommandLine) + 1, uniCommandLine, sizeof(uniCommandLine) / (sizeof(uniCommandLine[0])));
MultiByteToWideChar(CP_ACP, NULL, szCurrentFolder, lstrlenA(szCurrentFolder) + 1, uniCurrentFolder, sizeof(uniCurrentFolder) / (sizeof(uniCurrentFolder[0])));
if(szFileName != NULL)
{
PtrUniFileName = &uniFileName[0];
}
if(szCommandLine != NULL)
{
PtrUniCommandLine = &uniCommandLine[0];
}
if(szCurrentFolder != NULL)
{
PtrUniCurrentFolder = &uniCurrentFolder[0];
}
return(InitNativeDebugW(PtrUniFileName, PtrUniCommandLine, PtrUniCurrentFolder));
}
else
{
return NULL;
}
}
__declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder)
{
typedef
NTSTATUS
(NTAPI *
t_RtlCreateProcessParametersEx)(
_Out_ PRTL_USER_PROCESS_PARAMETERS * pProcessParameters,
_In_ PUNICODE_STRING ImagePathName,
_In_opt_ PUNICODE_STRING DllPath,
_In_opt_ PUNICODE_STRING CurrentDirectory,
_In_opt_ PUNICODE_STRING CommandLine,
_In_opt_ PVOID Environment,
_In_opt_ PUNICODE_STRING WindowTitle,
_In_opt_ PUNICODE_STRING DesktopInfo,
_In_opt_ PUNICODE_STRING ShellInfo,
_In_opt_ PUNICODE_STRING RuntimeData,
_In_ ULONG Flags
);
typedef
NTSTATUS
(NTAPI *
t_NtCreateUserProcess)(
_Out_ PHANDLE ProcessHandle,
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK ProcessDesiredAccess,
_In_ ACCESS_MASK ThreadDesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
_In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
_In_ ULONG ProcessFlags,
_In_ ULONG ThreadFlags,
_In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
_Inout_ PPS_CREATE_INFO CreateInfo,
_In_ PPS_ATTRIBUTE_LIST AttributeList
);
HMODULE Ntdll = GetModuleHandleW(L"ntdll.dll");
t_RtlCreateProcessParametersEx fnRtlCreateProcessParametersEx =
(t_RtlCreateProcessParametersEx)GetProcAddress(Ntdll, "RtlCreateProcessParametersEx");
t_NtCreateUserProcess fnNtCreateUserProcess =
(t_NtCreateUserProcess)GetProcAddress(Ntdll, "NtCreateUserProcess");
// NtCreateUserProcess requires Vista or higher
if(fnRtlCreateProcessParametersEx == NULL || fnNtCreateUserProcess == NULL)
{
RtlSetLastWin32Error(ERROR_NOT_SUPPORTED);
return NULL;
}
RtlZeroMemory(&dbgProcessInformation, sizeof(PROCESS_INFORMATION));
HANDLE ProcessHandle = NULL, ThreadHandle = NULL;
UNICODE_STRING CommandLine = { 0 };
PUNICODE_STRING PtrCurrentDirectory = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = {};
HANDLE DebugPort = NULL;
PS_CREATE_INFO CreateInfo = {};
SIZE_T NumAttributes = 0;
SIZE_T AttributesSize = 0;
PPS_ATTRIBUTE_LIST AttributeList = NULL;
ULONG N = 0;
CLIENT_ID Cid = {};
PCLIENT_ID ClientId = NULL;
ULONG NtProcessFlags = 0;
ULONG NtThreadFlags = 0;
// Convert the application path to its NT equivalent
UNICODE_STRING ImagePath, NtImagePath;
RtlInitUnicodeString(&ImagePath, szFileName);
if(!RtlDosPathNameToNtPathName_U(ImagePath.Buffer,
&NtImagePath,
NULL,
NULL))
{
RtlSetLastWin32Error(ERROR_PATH_NOT_FOUND);
return NULL;
}
// Convert command line and directory to UNICODE_STRING if present
SIZE_T ArgumentsLength = szCommandLine != NULL ? lstrlenW(szCommandLine) : 0;
SIZE_T BufferSize = ImagePath.Length + ((ArgumentsLength + 4) * sizeof(wchar_t));
CommandLine.Buffer = (PWSTR)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, BufferSize);
CommandLine.MaximumLength = (USHORT)BufferSize;
RtlAppendUnicodeToString(&CommandLine, L"\"");
RtlAppendUnicodeStringToString(&CommandLine, &ImagePath);
RtlAppendUnicodeToString(&CommandLine, L"\"");
if(ArgumentsLength > 0)
{
RtlAppendUnicodeToString(&CommandLine, L" ");
RtlAppendUnicodeToString(&CommandLine, szCommandLine);
}
if(szCurrentFolder != NULL && lstrlenW(szCurrentFolder) > 0)
{
UNICODE_STRING WorkingDirectory;
RtlInitUnicodeString(&WorkingDirectory, szCurrentFolder);
PtrCurrentDirectory = &WorkingDirectory;
}
// Create the process parameter block
PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
PRTL_USER_PROCESS_PARAMETERS OwnParameters = NtCurrentPeb()->ProcessParameters;
NTSTATUS Status = fnRtlCreateProcessParametersEx(&ProcessParameters,
&ImagePath,
NULL, // Create a new DLL path
PtrCurrentDirectory,
&CommandLine,
NULL, // If null, a new environment will be created
&ImagePath, // Window title is the exe path - needed for console apps
&OwnParameters->DesktopInfo, // Copy our desktop name
NULL,
NULL,
RTL_USER_PROCESS_PARAMETERS_NORMALIZED);
if(!NT_SUCCESS(Status))
goto finished;
// Clear the current directory because we're not inheriting handles
ProcessParameters->CurrentDirectory.Handle = NULL;
// Default to CREATE_NEW_CONSOLE behaviour
ProcessParameters->ConsoleHandle = HANDLE_CREATE_NEW_CONSOLE;
ProcessParameters->ShowWindowFlags = STARTF_USESHOWWINDOW | SW_SHOWDEFAULT;
// Create a debug port object
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
Status = NtCreateDebugObject(&DebugPort,
DEBUG_ALL_ACCESS,
&ObjectAttributes,
DEBUG_KILL_ON_CLOSE);
if(!NT_SUCCESS(Status))
{
RtlDestroyProcessParameters(ProcessParameters);
goto finished;
}
// Store the debug port handle in our TEB. The kernel uses this field
NtCurrentTeb()->DbgSsReserved[1] = DebugPort;
// Initialize the PS_CREATE_INFO structure
RtlZeroMemory(&CreateInfo, sizeof(CreateInfo));
CreateInfo.Size = sizeof(CreateInfo);
CreateInfo.State = PsCreateInitialState;
CreateInfo.u1.InitState.u2.s1.WriteOutputOnExit = TRUE;
CreateInfo.u1.InitState.u2.s1.DetectManifest = TRUE;
CreateInfo.u1.InitState.u2.s1.ProhibitedImageCharacteristics = 0; // Normally: IMAGE_FILE_DLL (disallow executing DLLs)
CreateInfo.u1.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
// Initialize the PS_ATTRIBUTE_LIST that contains the process creation attributes
NumAttributes = 3;
AttributesSize = sizeof(SIZE_T) + NumAttributes * sizeof(PS_ATTRIBUTE);
AttributeList = reinterpret_cast<PPS_ATTRIBUTE_LIST>(
RtlAllocateHeap(RtlProcessHeap(),
HEAP_ZERO_MEMORY, // Not optional
AttributesSize));
AttributeList->TotalLength = AttributesSize;
// In: NT style absolute image path. This is the only required attribute
N = 0;
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
AttributeList->Attributes[N].Size = NtImagePath.Length;
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(NtImagePath.Buffer);
// In: debug port
N++;
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_DEBUG_PORT;
AttributeList->Attributes[N].Size = sizeof(HANDLE);
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(DebugPort);
// Out: client ID
N++;
Cid = {};
ClientId = &Cid;
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_CLIENT_ID;
AttributeList->Attributes[N].Size = sizeof(CLIENT_ID);
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(ClientId);
// Set process and thread flags
NtProcessFlags = PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT; // Same as DEBUG_ONLY_THIS_PROCESS. DEBUG_PROCESS is implied by the debug port
NtThreadFlags = THREAD_CREATE_FLAGS_CREATE_SUSPENDED; // Always set this, because we need to do some bookkeeping before resuming
// Create the process
Status = fnNtCreateUserProcess(&ProcessHandle,
&ThreadHandle,
MAXIMUM_ALLOWED,
MAXIMUM_ALLOWED,
NULL,
NULL,
NtProcessFlags,
NtThreadFlags,
ProcessParameters,
&CreateInfo,
AttributeList);
RtlFreeHeap(RtlProcessHeap(), 0, AttributeList);
RtlDestroyProcessParameters(ProcessParameters);
if(!NT_SUCCESS(Status))
goto finished;
// Success. Convert what we got back to a PROCESS_INFORMATION structure
dbgProcessInformation.hProcess = ProcessHandle;
dbgProcessInformation.hThread = ThreadHandle;
dbgProcessInformation.dwProcessId = HandleToULong(ClientId->UniqueProcess);
dbgProcessInformation.dwThreadId = HandleToULong(ClientId->UniqueThread);
finished:
RtlFreeHeap(RtlProcessHeap(), 0, NtImagePath.Buffer);
if(CommandLine.Buffer != NULL)
RtlFreeHeap(RtlProcessHeap(), 0, CommandLine.Buffer);
if(ProcessHandle != NULL)
{
// Close the file and section handles we got back from the kernel
NtClose(CreateInfo.u1.SuccessState.FileHandle);
NtClose(CreateInfo.u1.SuccessState.SectionHandle);
// If we failed, terminate the process
if(!NT_SUCCESS(Status))
{
BOOLEAN CloseDebugPort = DebugPort != NULL &&
((NtThreadFlags & PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT) != 0);
if(CloseDebugPort)
{
NtRemoveProcessDebug(ProcessHandle, DebugPort);
NtClose(DebugPort);
NtCurrentTeb()->DbgSsReserved[1] = NULL;
}
NtTerminateProcess(ProcessHandle, Status);
}
else
{
// Otherwise resume the process now
NtResumeThread(ThreadHandle, NULL);
}
}
DebugAttachedToProcess = false;
DebugAttachedProcessCallBack = NULL;
return &dbgProcessInformation;
}
__declspec(dllexport) void* TITCALL InitDebugEx(char* szFileName, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack)
{
DebugExeFileEntryPointCallBack = EntryCallBack;
return(InitDebug(szFileName, szCommandLine, szCurrentFolder));
}
__declspec(dllexport) void* TITCALL InitDebugExW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack)
{
DebugExeFileEntryPointCallBack = EntryCallBack;
return(InitDebugW(szFileName, szCommandLine, szCurrentFolder));
}
__declspec(dllexport) void* TITCALL InitDLLDebug(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack)
{
wchar_t* PtrUniFileName = NULL;
wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrUniCommandLine = NULL;
wchar_t uniCommandLine[MAX_PATH] = {};
wchar_t* PtrUniCurrentFolder = NULL;
wchar_t uniCurrentFolder[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szCommandLine, lstrlenA(szCommandLine) + 1, uniCommandLine, sizeof(uniCommandLine) / (sizeof(uniCommandLine[0])));
MultiByteToWideChar(CP_ACP, NULL, szCurrentFolder, lstrlenA(szCurrentFolder) + 1, uniCurrentFolder, sizeof(uniCurrentFolder) / (sizeof(uniCurrentFolder[0])));
if(szFileName != NULL)
{
PtrUniFileName = &uniFileName[0];
}
if(szCommandLine != NULL)
{
PtrUniCommandLine = &uniCommandLine[0];
}
if(szCurrentFolder != NULL)
{
PtrUniCurrentFolder = &uniCurrentFolder[0];
}
return(InitDLLDebugW(PtrUniFileName, ReserveModuleBase, PtrUniCommandLine, PtrUniCurrentFolder, EntryCallBack));
}
else
{
return NULL;
}
}
static bool TryExtractDllLoader(bool failedBefore = false)
{
wchar_t* szPath = wcsrchr(szDebuggerName, L'\\');
if(szPath)
szPath[1] = '\0';
wchar_t DLLLoaderName[64] = L"";
#ifdef _WIN64
wsprintfW(DLLLoaderName, L"DLLLoader64_%.4X.exe", GetTickCount() & 0xFFFF);
#else
wsprintfW(DLLLoaderName, L"DLLLoader32_%.4X.exe", GetTickCount() & 0xFFFF);
#endif //_WIN64
lstrcatW(szDebuggerName, DLLLoaderName);
#ifdef _WIN64
if(EngineExtractResource("LOADERX64", szDebuggerName))
#else
if(EngineExtractResource("LOADERX86", szDebuggerName))
#endif //_WIN64
return true;
return !failedBefore &&
GetModuleFileNameW(engineHandle, szDebuggerName, _countof(szDebuggerName)) &&
TryExtractDllLoader(true);
}
__declspec(dllexport) void* TITCALL InitDLLDebugW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack)
{
memset(szDebuggerName, 0, sizeof(szDebuggerName));
if(lstrlenW(szFileName) < sizeof(szDebuggerName))
{
memset(szBackupDebuggedFileName, 0, sizeof(szBackupDebuggedFileName));
lstrcpyW(szBackupDebuggedFileName, szFileName);
szFileName = &szBackupDebuggedFileName[0];
}
lstrcpyW(szDebuggerName, szFileName);
if(TryExtractDllLoader())
{
DebugDebuggingDLL = true;
int i = lstrlenW(szFileName);
while(szFileName[i] != '\\' && i)
i--;
DebugDebuggingDLLBase = NULL;
DebugDebuggingMainModuleBase = NULL;
DebugDebuggingDLLFullFileName = szFileName;
DebugDebuggingDLLFileName = &szFileName[i + 1];
DebugModuleImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE);
DebugModuleEntryPoint = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_OEP);
DebugModuleEntryPointCallBack = EntryCallBack;
DebugReserveModuleBase = 0;
if(ReserveModuleBase)
DebugReserveModuleBase = DebugModuleImageBase;
PPROCESS_INFORMATION ReturnValue = (PPROCESS_INFORMATION)InitDebugW(szDebuggerName, szCommandLine, szCurrentFolder);
wchar_t szName[256] = L"";
swprintf(szName, 256, L"Local\\szLibraryName%X", (unsigned int)ReturnValue->dwProcessId);
DebugDLLFileMapping = CreateFileMappingW(INVALID_HANDLE_VALUE, 0, PAGE_READWRITE, 0, 512 * sizeof(wchar_t), szName);
if(DebugDLLFileMapping)
{
wchar_t* szLibraryPathMapping = (wchar_t*)MapViewOfFile(DebugDLLFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, 512 * sizeof(wchar_t));
if(szLibraryPathMapping)
{
wcscpy(szLibraryPathMapping, DebugDebuggingDLLFullFileName);
UnmapViewOfFile(szLibraryPathMapping);
}
}
ResumeThread(ReturnValue->hThread);
return ReturnValue;
}
return 0;
}
__declspec(dllexport) bool TITCALL StopDebug()
{
bool result = false;
HANDLE hProcess = TitanOpenProcess(PROCESS_TERMINATE, FALSE, dbgProcessInformation.dwProcessId);
if(hProcess)
{
TerminateProcess(hProcess, 0);
CloseHandle(hProcess);
result = true;
}
HANDLE hThread = TitanOpenThread(THREAD_TERMINATE, FALSE, dbgProcessInformation.dwThreadId);
if(hThread)
{
TerminateThread(hThread, 0);
CloseHandle(hThread);
Sleep(10); //allow thread switching
result = true;
}
return result;
}
__declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack)
{
LPVOID funcDebugSetProcessKillOnExit = NULL;
if(ProcessId != NULL && dbgProcessInformation.hProcess == NULL)
{
if(DebugActiveProcess_(ProcessId))
{
DebugSetProcessKillOnExit(KillOnExit);
DebugDebuggingDLL = false;
DebugAttachedToProcess = true;
DebugAttachedProcessCallBack = (ULONG_PTR)CallBack;
engineAttachedProcessDebugInfo = DebugInfo;
dbgProcessInformation.dwProcessId = ProcessId;
DebugLoop();
DebugAttachedToProcess = false;
DebugAttachedProcessCallBack = NULL;
return true;
}
}
return false;
}
__declspec(dllexport) bool TITCALL DetachDebugger(DWORD ProcessId)
{
RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
engineProcessIsNowDetached = true; // Request detach
return true;
}
__declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId)
{
ThreaderPauseProcess();
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
{
HANDLE hActiveThread = EngineOpenThread(THREAD_GETSETSUSPEND, false, hListThread.at(i).dwThreadId);
CONTEXT myDBGContext;
myDBGContext.ContextFlags = ContextControlFlags;
GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.EFlags &= ~UE_TRAP_FLAG;
myDBGContext.EFlags &= ~UE_RESUME_FLAG;
SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread);
}
ThreaderResumeProcess();
return DetachDebugger(ProcessId);
}
__declspec(dllexport) void TITCALL AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack)
{
wchar_t* PtrUniFileName = NULL;
wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrUniCommandLine = NULL;
wchar_t uniCommandLine[MAX_PATH] = {};
wchar_t* PtrUniCurrentFolder = NULL;
wchar_t uniCurrentFolder[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szCommandLine, lstrlenA(szCommandLine) + 1, uniCommandLine, sizeof(uniCommandLine) / (sizeof(uniCommandLine[0])));
MultiByteToWideChar(CP_ACP, NULL, szCurrentFolder, lstrlenA(szCurrentFolder) + 1, uniCurrentFolder, sizeof(uniCurrentFolder) / (sizeof(uniCurrentFolder[0])));
if(szFileName != NULL)
{
PtrUniFileName = &uniFileName[0];
}
if(szCommandLine != NULL)
{
PtrUniCommandLine = &uniCommandLine[0];
}
if(szCurrentFolder != NULL)
{
PtrUniCurrentFolder = &uniCurrentFolder[0];
}
return(AutoDebugExW(PtrUniFileName, ReserveModuleBase, PtrUniCommandLine, PtrUniCurrentFolder, TimeOut, EntryCallBack));
}
}
__declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack)
{
DebugReserveModuleBase = 0;
DWORD ThreadId;
DWORD ExitCode = 0;
HANDLE hSecondThread;
bool FileIsDll = false;
#if !defined(_WIN64)
PE32Struct PEStructure;
#else
PE64Struct PEStructure;
#endif
if(TimeOut == NULL)
{
TimeOut = INFINITE;
}
if(szFileName != NULL)
{
RtlZeroMemory(&expertDebug, sizeof(ExpertDebug));
expertDebug.ExpertModeActive = true;
expertDebug.szFileName = szFileName;
expertDebug.szCommandLine = szCommandLine;
expertDebug.szCurrentFolder = szCurrentFolder;
expertDebug.ReserveModuleBase = ReserveModuleBase;
expertDebug.EntryCallBack = EntryCallBack;
GetPE32DataExW(szFileName, (LPVOID)&PEStructure);
if(PEStructure.Characteristics & 0x2000)
{
FileIsDll = true;
}
SetDebugLoopTimeOut(TimeOut);
hSecondThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)DebugLoopInSecondThread, (LPVOID)FileIsDll, NULL, &ThreadId);
WaitForSingleObject(hSecondThread, INFINITE);
if(GetExitCodeThread(hSecondThread, &ExitCode))
{
if(ExitCode == -1)
{
ForceClose();
}
}
RtlZeroMemory(&expertDebug, sizeof(ExpertDebug));
SetDebugLoopTimeOut(INFINITE);
}
}
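Review bot: In InitDLLDebugW the check `lstrlenW(szFileName) < sizeof(szDebuggerName)` compares a character count against a byte count, and it only guards the copy into szBackupDebuggedFileName. The following `lstrcpyW(szDebuggerName, szFileName)` runs unconditionally, so an over-long path is copied into szDebuggerName with no bound. Compare against `_countof(...)` of each destination (TryExtractDllLoader already uses `_countof(szDebuggerName)` for GetModuleFileNameW), return 0 when the path does not fit, and leave room for the loader name that `lstrcatW` appends in TryExtractDllLoader. Further down, `ReturnValue->dwProcessId` is dereferenced without a NULL check on the InitDebugW result; a failed launch should return before swprintf and ResumeThread. In the ANSI wrappers InitDLLDebug and AutoDebugEx, the NULL checks on szCommandLine and szCurrentFolder come after both have already been passed to lstrlenA and MultiByteToWideChar, and the conversion results are ignored, so a failed conversion (for example a command line that does not fit in MAX_PATH characters) goes unnoticed.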


@ -0,0 +1,177 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
#include "distorm.h"
static char engineDisassembledInstruction[128];
#if !defined(_WIN64)
_DecodeType DecodingType = Decode32Bits;
#else
_DecodeType DecodingType = Decode64Bits;
#endif
SIZE_T IsBadReadPtrRemote(HANDLE hProcess, const VOID* lp, SIZE_T length)
{
MEMORY_BASIC_INFORMATION MemInfo = {0};
ULONG_PTR section = 0;
if(VirtualQueryEx(hProcess, lp, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)))
{
if(MemInfo.State == MEM_COMMIT)
{
SIZE_T res = (SIZE_T)MemInfo.BaseAddress + (SIZE_T)MemInfo.RegionSize - (SIZE_T)lp;
if(res >= length)
{
return length; //good
}
else
{
section = ((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize);
do
{
if(VirtualQueryEx(hProcess, (LPVOID)section, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)))
{
if(MemInfo.State == MEM_COMMIT)
{
res += MemInfo.RegionSize;
}
else
{
return res; //this is bad
}
}
else
{
return res; //this is bad
}
section += (ULONG_PTR)MemInfo.RegionSize;
}
while(res < length);
return length; //good
}
}
}
return 0;
}
__declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress)
{
_DecodedInst engineDecodedInstructions[1];
unsigned int DecodedInstructionsCount = 0;
int MaxDisassmSize = MAXIMUM_INSTRUCTION_SIZE; // (int)IsBadReadPtrRemote(GetCurrentProcess(), DisassmAddress, MAXIMUM_INSTRUCTION_SIZE);
if(MaxDisassmSize)
{
if(distorm_decode((ULONG_PTR)DisassmStart, (const unsigned char*)DisassmAddress, MaxDisassmSize, DecodingType, engineDecodedInstructions, _countof(engineDecodedInstructions), &DecodedInstructionsCount) != DECRES_INPUTERR)
{
RtlZeroMemory(engineDisassembledInstruction, sizeof(engineDisassembledInstruction));
lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p);
if(engineDecodedInstructions[0].size != NULL)
{
lstrcatA(engineDisassembledInstruction, " ");
}
lstrcatA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].operands.p);
return((char*)engineDisassembledInstruction);
}
}
return 0;
}
__declspec(dllexport) void* TITCALL StaticDisassemble(LPVOID DisassmAddress)
{
return StaticDisassembleEx((ULONG_PTR)DisassmAddress, DisassmAddress);
}
__declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID DisassmAddress, bool ReturnInstructionType)
{
_DecodedInst engineDecodedInstructions[1];
unsigned int DecodedInstructionsCount = 0;
BYTE readBuffer[MAXIMUM_INSTRUCTION_SIZE] = {0};
if(hProcess != NULL)
{
int MaxDisassmSize = MAXIMUM_INSTRUCTION_SIZE; // (int)IsBadReadPtrRemote(hProcess, DisassmAddress, sizeof(readBuffer));
if(MaxDisassmSize)
{
BOOL rpm = MemoryReadSafe(hProcess, DisassmAddress, readBuffer, MaxDisassmSize, 0);
if(rpm)
{
if(distorm_decode((ULONG_PTR)DisassmAddress, readBuffer, MaxDisassmSize, DecodingType, engineDecodedInstructions, _countof(engineDecodedInstructions), &DecodedInstructionsCount) != DECRES_INPUTERR)
{
RtlZeroMemory(engineDisassembledInstruction, sizeof(engineDisassembledInstruction));
lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p);
if(!ReturnInstructionType)
{
if(engineDecodedInstructions[0].size != NULL)
{
lstrcatA(engineDisassembledInstruction, " ");
}
lstrcatA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].operands.p);
}
return((char*)engineDisassembledInstruction);
}
}
}
}
return 0;
}
__declspec(dllexport) void* TITCALL Disassemble(LPVOID DisassmAddress)
{
return(DisassembleEx(dbgProcessInformation.hProcess, DisassmAddress, false));
}
__declspec(dllexport) long TITCALL StaticLengthDisassemble(LPVOID DisassmAddress)
{
return LengthDisassembleEx(GetCurrentProcess(), DisassmAddress);
}
__declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID DisassmAddress)
{
unsigned int DecodedInstructionsCount = 0;
_CodeInfo decomposerCi = {0};
_DInst decomposerResult[1] = {0};
BYTE readBuffer[MAXIMUM_INSTRUCTION_SIZE] = {0}; //The maximum length of an Intel 64 and IA-32 instruction remains 15 bytes, but we are generous
if(hProcess != NULL)
{
int MaxDisassmSize = (int)IsBadReadPtrRemote(hProcess, DisassmAddress, sizeof(readBuffer));
if(MaxDisassmSize && MemoryReadSafe(hProcess, (LPVOID)DisassmAddress, readBuffer, MaxDisassmSize, 0))
{
decomposerCi.code = readBuffer;
decomposerCi.codeLen = MaxDisassmSize;
decomposerCi.dt = DecodingType;
decomposerCi.codeOffset = (LONG_PTR)DisassmAddress;
if(distorm_decompose(&decomposerCi, decomposerResult, _countof(decomposerResult), &DecodedInstructionsCount) != DECRES_INPUTERR)
{
if(decomposerResult[0].flags != FLAG_NOT_DECODABLE)
{
return decomposerResult[0].size;
}
}
}
}
return -1;
}
__declspec(dllexport) long TITCALL LengthDisassemble(LPVOID DisassmAddress)
{
return LengthDisassembleEx(dbgProcessInformation.hProcess, DisassmAddress);
}
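Review bot: StaticDisassembleEx and DisassembleEx read `engineDecodedInstructions[0]` without checking `DecodedInstructionsCount`, and the array is an uninitialized local. If distorm_decode reports zero decoded instructions, the mnemonic and operands copied by lstrcpyA/lstrcatA are stack garbage. Require `DecodedInstructionsCount >= 1` before using the result. Both functions also hard-code `MaxDisassmSize = MAXIMUM_INSTRUCTION_SIZE` with the IsBadReadPtrRemote call commented out. In StaticDisassembleEx that means distorm_decode reads a fixed length straight from DisassmAddress even when fewer bytes are readable, whereas LengthDisassembleEx still clamps through IsBadReadPtrRemote; either restore the clamp or add a comment saying why it is safe to skip. The returned static engineDisassembledInstruction buffer makes these exports non-reentrant, which deserves a comment at the declaration.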


@ -0,0 +1,549 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Handle.h"
//TitanEngine.Dumper.functions:
__declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint)
{
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return DumpProcessW(hProcess, ImageBase, uniDumpFileName, EntryPoint);
}
return false;
}
__declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_DOS_HEADER DOSFixHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_NT_HEADERS32 PEFixHeader32;
PIMAGE_NT_HEADERS64 PEFixHeader64;
PIMAGE_SECTION_HEADER PEFixSection;
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
DWORD SizeOfImageDump = 0;
int NumberOfSections = 0;
BOOL FileIs64 = false;
HANDLE hFile = INVALID_HANDLE_VALUE;
DWORD RealignedVirtualSize = 0;
ULONG_PTR ProcReadBase = 0;
LPVOID ReadBase = ImageBase;
SIZE_T CalculatedHeaderSize = NULL;
SIZE_T AlignedHeaderSize = NULL;
DynBuf ueReadBuf, ueCopyBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000);
if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
{
//ReadProcessMemory
DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if((DOSHeader->e_lfanew > 0x500) || (DOSHeader->e_magic != IMAGE_DOS_SIGNATURE) || (PEHeader32->Signature != IMAGE_NT_SIGNATURE))
{
return false;
}
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections);
if(CalculatedHeaderSize > 0x1000)
{
if(CalculatedHeaderSize % 0x1000 != NULL)
{
AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000;
}
else
{
AlignedHeaderSize = CalculatedHeaderSize;
}
ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize);
ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
return false;
}
else
{
DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
}
}
else
{
CalculatedHeaderSize = 0x1000;
AlignedHeaderSize = 0x1000;
}
if(EngineValidateHeader((ULONG_PTR)ueReadBuffer, hProcess, ImageBase, DOSHeader, false))
{
//EngineValidateHeader
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
FileIs64 = true;
}
else
{
return false;
}
if(!FileIs64)
{
//PE32 Handler
NumberOfSections = PEHeader32->FileHeader.NumberOfSections;
NumberOfSections++;
if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL)
{
SizeOfImageDump = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment;
}
else
{
SizeOfImageDump = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment;
}
SizeOfImageDump = SizeOfImageDump - (DWORD)AlignedHeaderSize;
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
if(ReadProcessMemory(hProcess, ImageBase, ueCopyBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
if(ueCopyBuffer)
{
DOSFixHeader = (PIMAGE_DOS_HEADER)ueCopyBuffer;
PEFixHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSFixHeader + DOSFixHeader->e_lfanew);
PEFixSection = IMAGE_FIRST_SECTION(PEFixHeader32);
if(PEFixHeader32->OptionalHeader.FileAlignment > 0x200)
{
PEFixHeader32->OptionalHeader.FileAlignment = PEHeader32->OptionalHeader.SectionAlignment;
}
PEFixHeader32->OptionalHeader.AddressOfEntryPoint = (DWORD)(EntryPoint - (ULONG_PTR)ImageBase);
PEFixHeader32->OptionalHeader.ImageBase = (DWORD)((ULONG_PTR)ImageBase);
for(int i = NumberOfSections; i >= 1; i--)
{
PEFixSection->PointerToRawData = PEFixSection->VirtualAddress;
RealignedVirtualSize = (PEFixSection->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment;
if(RealignedVirtualSize < PEFixSection->Misc.VirtualSize)
{
RealignedVirtualSize = RealignedVirtualSize + PEHeader32->OptionalHeader.SectionAlignment;
}
PEFixSection->SizeOfRawData = RealignedVirtualSize;
PEFixSection->Misc.VirtualSize = RealignedVirtualSize;
PEFixSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEFixSection + IMAGE_SIZEOF_SECTION_HEADER);
}
WriteFile(hFile, ueCopyBuffer, (DWORD)AlignedHeaderSize, &uedNumberOfBytesRead, NULL);
ReadBase = (LPVOID)((ULONG_PTR)ReadBase + AlignedHeaderSize - TITANENGINE_PAGESIZE);
while(SizeOfImageDump > NULL)
{
ProcReadBase = (ULONG_PTR)ReadBase + TITANENGINE_PAGESIZE;
ReadBase = (LPVOID)ProcReadBase;
if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
}
else
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL;
}
}
EngineCloseHandle(hFile);
return true;
}
}
}
}//PE32 Handler
else
{
//PE64 Handler
NumberOfSections = PEHeader64->FileHeader.NumberOfSections;
NumberOfSections++;
if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL)
{
SizeOfImageDump = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment;
}
else
{
SizeOfImageDump = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment;
}
SizeOfImageDump = SizeOfImageDump - (DWORD)AlignedHeaderSize;
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
if(ReadProcessMemory(hProcess, ImageBase, ueCopyBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
if(ueCopyBuffer)
{
DOSFixHeader = (PIMAGE_DOS_HEADER)ueCopyBuffer;
PEFixHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSFixHeader + DOSFixHeader->e_lfanew);
PEFixSection = IMAGE_FIRST_SECTION(PEFixHeader64);
if(PEFixHeader64->OptionalHeader.FileAlignment > 0x200)
{
PEFixHeader64->OptionalHeader.FileAlignment = PEHeader64->OptionalHeader.SectionAlignment;
}
PEFixHeader64->OptionalHeader.AddressOfEntryPoint = (DWORD)(EntryPoint - (ULONG_PTR)ImageBase);
PEFixHeader64->OptionalHeader.ImageBase = (DWORD64)((ULONG_PTR)ImageBase);
for(int i = NumberOfSections; i >= 1; i--)
{
PEFixSection->PointerToRawData = PEFixSection->VirtualAddress;
RealignedVirtualSize = (PEFixSection->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment;
if(RealignedVirtualSize < PEFixSection->Misc.VirtualSize)
{
RealignedVirtualSize = RealignedVirtualSize + PEHeader64->OptionalHeader.SectionAlignment;
}
PEFixSection->SizeOfRawData = RealignedVirtualSize;
PEFixSection->Misc.VirtualSize = RealignedVirtualSize;
PEFixSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEFixSection + IMAGE_SIZEOF_SECTION_HEADER);
}
WriteFile(hFile, ueCopyBuffer, (DWORD)AlignedHeaderSize, &uedNumberOfBytesRead, NULL);
ReadBase = (LPVOID)((ULONG_PTR)ReadBase + (DWORD)AlignedHeaderSize - TITANENGINE_PAGESIZE);
while(SizeOfImageDump > NULL)
{
ProcReadBase = (ULONG_PTR)ReadBase + TITANENGINE_PAGESIZE;
ReadBase = (LPVOID)ProcReadBase;
if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
}
else
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL;
}
}
EngineCloseHandle(hFile);
return true;
}
}
}
}//PE64 Handler
}//EngineValidateHeader
}//ReadProcessMemory
if(hFile != INVALID_HANDLE_VALUE)
{
EngineCloseHandle(hFile);
}
return false;
}
__declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint)
{
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpProcessExW(ProcessId, ImageBase, uniDumpFileName, EntryPoint));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
EngineCloseHandle(hProcess);
return ReturnValue;
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpMemoryW(hProcess, MemoryStart, MemorySize, uniDumpFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
HANDLE hFile = 0;
LPVOID ReadBase = MemoryStart;
ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase;
char ueCopyBuffer[0x2000] = {0};
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
while(MemorySize > NULL)
{
ReadBase = (LPVOID)ProcReadBase;
if(MemorySize >= 0x1000)
{
RtlZeroMemory(ueCopyBuffer, 0x2000);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, 0x1000, &uedNumberOfBytesRead, NULL);
MemorySize = MemorySize - 0x1000;
}
else
{
RtlZeroMemory(ueCopyBuffer, 0x2000);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, (DWORD)MemorySize, &uedNumberOfBytesRead, NULL);
MemorySize = NULL;
}
ProcReadBase = (ULONG_PTR)ReadBase + 0x1000;
}
EngineCloseHandle(hFile);
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpMemoryExW(ProcessId, MemoryStart, MemorySize, uniDumpFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
EngineCloseHandle(hProcess);
return ReturnValue;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly)
{
wchar_t uniDumpFolder[MAX_PATH] = {0};
if(szDumpFolder != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder));
return(DumpRegionsW(hProcess, uniDumpFolder, DumpAboveImageBaseOnly));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly)
{
int i;
DWORD cbNeeded = NULL;
wchar_t szDumpName[MAX_PATH];
wchar_t szDumpFileName[MAX_PATH];
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR DumpAddress = NULL;
HMODULE EnumeratedModules[1024] = {0};
bool AddressIsModuleBase = false;
if(hProcess != NULL)
{
if(!EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
return false;
}
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != NULL)
{
AddressIsModuleBase = false;
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase)
{
AddressIsModuleBase = true;
i = 1024;
}
else if(EnumeratedModules[i] == 0)
{
i = 1024;
}
}
if(!(MemInfo.Protect & PAGE_NOACCESS) && AddressIsModuleBase == false)
{
if(DumpAboveImageBaseOnly == false || (DumpAboveImageBaseOnly == true && EnumeratedModules[0] < (HMODULE)MemInfo.BaseAddress))
{
RtlZeroMemory(&szDumpName, MAX_PATH);
RtlZeroMemory(&szDumpFileName, MAX_PATH);
lstrcpyW(szDumpFileName, szDumpFolder);
if(szDumpFileName[lstrlenW(szDumpFileName) - 1] != L'\\')
{
szDumpFileName[lstrlenW(szDumpFileName)] = L'\\';
}
wsprintfW(szDumpName, L"Dump-%x_%x.dmp", (ULONG_PTR)MemInfo.BaseAddress, (ULONG_PTR)MemInfo.RegionSize);
lstrcatW(szDumpFileName, szDumpName);
DumpMemoryW(hProcess, (LPVOID)MemInfo.BaseAddress, (ULONG_PTR)MemInfo.RegionSize, szDumpFileName);
}
}
DumpAddress = DumpAddress + (ULONG_PTR)MemInfo.RegionSize;
}
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly)
{
wchar_t uniDumpFolder[MAX_PATH] = {0};
if(szDumpFolder != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder));
return(DumpRegionsExW(ProcessId, uniDumpFolder, DumpAboveImageBaseOnly));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
EngineCloseHandle(hProcess);
return ReturnValue;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpModuleW(hProcess, ModuleBase, uniDumpFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBase, wchar_t* szDumpFileName)
{
int i;
DWORD cbNeeded = NULL;
MODULEINFO RemoteModuleInfo;
HMODULE EnumeratedModules[1024] = {0};
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
if(EnumeratedModules[i] == (HMODULE)ModuleBase)
{
if(GetModuleInformation(hProcess, (HMODULE)EnumeratedModules[i], &RemoteModuleInfo, sizeof(MODULEINFO)))
{
return(DumpMemoryW(hProcess, (LPVOID)EnumeratedModules[i], RemoteModuleInfo.SizeOfImage, szDumpFileName));
}
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpModuleExW(ProcessId, ModuleBase, uniDumpFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, wchar_t* szDumpFileName)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
{
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
EngineCloseHandle(hProcess);
return ReturnValue;
}
return false;
}
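Review bot: In DumpProcessW the header sanity check `DOSHeader->e_lfanew > 0x500` only bounds the value from above. e_lfanew is a signed LONG read from the target process, so a negative value passes, and PEHeader32 then points before ueReadBuffer and is dereferenced for Signature and NumberOfSections. Reject `e_lfanew < 0` (or compare as unsigned) before forming the pointer. Two related points in the same function: `NumberOfSections++` makes the fix-up loop rewrite one IMAGE_SECTION_HEADER more than the file header declares, and SectionAlignment is used as a divisor with no zero check visible here. The return values of MemoryReadSafe and WriteFile are ignored throughout, so DumpProcessW and DumpMemoryW return true even when nothing was read or written. In DumpRegionsW, `RtlZeroMemory(&szDumpName, MAX_PATH)` clears MAX_PATH bytes of a MAX_PATH wchar_t array (half of it), and the backslash is written over the terminator of szDumpFileName without a new terminator being written, so the path can end up unterminated. Use sizeof for the clear and a bounded append for the separator.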


@ -0,0 +1,184 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Simplification.h"
#include "Global.Garbage.h"
// TitanEngine.Engine.Simplification.functions:
__declspec(dllexport) void TITCALL EngineUnpackerInitialize(char* szFileName, char* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t uniUnpackedFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
if(szUnpackedFileName == NULL)
{
return EngineUnpackerInitializeW(uniFileName, NULL, DoLogData, DoRealignFile, DoMoveOverlay, EntryCallBack);
}
else
{
MultiByteToWideChar(CP_ACP, NULL, szUnpackedFileName, lstrlenA(szUnpackedFileName) + 1, uniUnpackedFileName, sizeof(uniUnpackedFileName) / (sizeof(uniUnpackedFileName[0])));
EngineUnpackerInitializeW(uniFileName, uniUnpackedFileName, DoLogData, DoRealignFile, DoMoveOverlay, EntryCallBack);
}
}
}
__declspec(dllexport) void TITCALL EngineUnpackerInitializeW(wchar_t* szFileName, wchar_t* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack)
{
int i, j;
wchar_t TempBackBuffer[MAX_PATH] = {};
if(szFileName != NULL)
{
RtlZeroMemory(&szEngineUnpackerSnapShot1[0], MAX_PATH * 2);
RtlZeroMemory(&szEngineUnpackerSnapShot2[0], MAX_PATH * 2);
RtlZeroMemory(&EngineUnpackerFileStatus, sizeof(FILE_STATUS_INFO));
if(IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, &EngineUnpackerFileStatus))
{
if(!EngineUnpackerFileStatus.FileIsDLL)
{
pEngineUnpackerProcessHandle = (LPPROCESS_INFORMATION)InitDebugExW(szFileName, NULL, NULL, EntryCallBack);
}
else
{
pEngineUnpackerProcessHandle = (LPPROCESS_INFORMATION)InitDLLDebugW(szFileName, true, NULL, NULL, EntryCallBack);
}
if(pEngineUnpackerProcessHandle != NULL)
{
lstrcpyW(szEngineUnpackerInputFile, szFileName);
if(szUnpackedFileName != NULL)
{
lstrcpyW(szEngineUnpackerOutputFile, szUnpackedFileName);
}
else
{
lstrcpyW(TempBackBuffer, szFileName);
i = lstrlenW(TempBackBuffer);
while(TempBackBuffer[i] != 0x2E)
{
i--;
}
TempBackBuffer[i] = 0x00;
j = i + 1;
wsprintfW(szEngineUnpackerOutputFile, L"%s.unpacked.%s", &TempBackBuffer[0], &TempBackBuffer[j]);
}
EngineUnpackerOptionRealingFile = DoRealignFile;
EngineUnpackerOptionMoveOverlay = DoMoveOverlay;
EngineUnpackerOptionRelocationFix = false;
EngineUnpackerOptionLogData = DoLogData;
EngineUnpackerOptionUnpackedOEP = NULL;
EngineUnpackerFileImporterInit = false;
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("-> Unpack started...");
}
EngineUnpackerBreakInfo.clear();
DebugLoop();
}
}
}
}
__declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchStart, DWORD SearchSize, void* SearchPattern, DWORD PatternSize, DWORD PatternDelta, ULONG_PTR BreakType, bool SingleBreak, DWORD Parameter1, DWORD Parameter2)
{
ULONG_PTR fPatternLocation;
DWORD fBreakPointType = UE_BREAKPOINT;
UnpackerInformation fUnpackerInformation = {};
if(SearchStart == (void*)(DWORD_PTR)UE_UNPACKER_CONDITION_SEARCH_FROM_EP)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
SearchStart = (void*)((ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_OEP) + (ULONG_PTR)GetDebuggedDLLBaseAddress());
}
else
{
SearchStart = (void*)((ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_OEP) + (ULONG_PTR)GetDebuggedFileBaseAddress());
}
}
if(SearchSize == NULL)
{
SearchSize = 0x1000;
}
fPatternLocation = (ULONG_PTR)FindEx(pEngineUnpackerProcessHandle->hProcess, SearchStart, SearchSize, SearchPattern, PatternSize, NULL);
if(fPatternLocation != NULL)
{
if(SingleBreak)
{
fBreakPointType = UE_SINGLESHOOT;
}
fPatternLocation = fPatternLocation + (int)PatternDelta;
fUnpackerInformation.Parameter1 = Parameter1;
fUnpackerInformation.Parameter2 = Parameter2;
fUnpackerInformation.SingleBreak = SingleBreak;
fUnpackerInformation.BreakPointAddress = fPatternLocation;
if(BreakType == UE_UNPACKER_CONDITION_LOADLIBRARY)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyLoadLibraryCallBack)))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
}
}
else if(BreakType == UE_UNPACKER_CONDITION_GETPROCADDRESS)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyGetProcAddressCallBack)))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
}
}
else if(BreakType == UE_UNPACKER_CONDITION_ENTRYPOINTBREAK)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyGetProcAddressCallBack)))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
}
}
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT1)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyMakeSnapshotCallBack)))
{
fUnpackerInformation.SnapShotNumber = 1;
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
}
}
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT2)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyMakeSnapshotCallBack)))
{
fUnpackerInformation.SnapShotNumber = 2;
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
}
}
else
{
if(SetBPX(fPatternLocation, fBreakPointType, (void*)(ULONG_PTR)BreakType))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
}
}
}
return false;
}
__declspec(dllexport) void TITCALL EngineUnpackerSetEntryPointAddress(ULONG_PTR UnpackedEntryPointAddress)
{
EngineUnpackerOptionUnpackedOEP = UnpackedEntryPointAddress;
}
__declspec(dllexport) void TITCALL EngineUnpackerFinalizeUnpacking()
{
EngineSimplifyEntryPointCallBack();
EmptyGarbage();
}
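Review bot: The backward scan for the extension separator, `while(TempBackBuffer[i] != 0x2E)` with `i--`, has no lower bound, so a szFileName that contains no '.' drives i below zero and the following `TempBackBuffer[i] = 0x00;` writes before the start of the buffer. Stop the scan at i == 0 and fall back to appending `.unpacked` when no dot is found; a dot inside a directory component also matches here, so the scan should be limited to the part after the last backslash. Separately, in EngineUnpackerSetBreakCondition the UE_UNPACKER_CONDITION_ENTRYPOINTBREAK branch registers EngineSimplifyGetProcAddressCallBack, exactly as the GETPROCADDRESS branch above it does; if EngineSimplifyEntryPointCallBack (the function EngineUnpackerFinalizeUnpacking calls) was intended, this is a copy-paste slip. pEngineUnpackerProcessHandle is also dereferenced for the FindEx call without a null check.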

@ -0,0 +1,372 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Mapping.h"
#include "Global.Engine.Hook.h"
#include "Global.Engine.GUI.h"
#include "Global.Debugger.h"
// TitanEngine.Engine.functions:
__declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet)
{
if(VariableId == UE_ENGINE_ALOW_MODULE_LOADING)
{
engineAlowModuleLoading = VariableSet;
}
else if(VariableId == UE_ENGINE_AUTOFIX_FORWARDERS)
{
engineCheckForwarders = VariableSet;
}
else if(VariableId == UE_ENGINE_PASS_ALL_EXCEPTIONS)
{
enginePassAllExceptions = VariableSet;
}
else if(VariableId == UE_ENGINE_NO_CONSOLE_WINDOW)
{
engineRemoveConsoleForDebugee = VariableSet;
}
else if(VariableId == UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS)
{
engineBackupForCriticalFunctions = VariableSet;
}
else if(VariableId == UE_ENGINE_RESET_CUSTOM_HANDLER)
{
engineResetCustomHandler = VariableSet;
}
else if(VariableId == UE_ENGINE_SET_DEBUG_PRIVILEGE)
{
engineEnableDebugPrivilege = VariableSet;
EngineSetDebugPrivilege(GetCurrentProcess(), VariableSet);
}
else if(VariableId == UE_ENGINE_SAFE_ATTACH)
{
engineSafeAttach = VariableSet;
}
else if(VariableId == UE_ENGINE_MEMBP_ALT)
{
engineMembpAlt = VariableSet;
}
else if(VariableId == UE_ENGINE_DISABLE_ASLR)
{
engineDisableAslr = VariableSet;
}
else if(VariableId == UE_ENGINE_SAFE_STEP)
{
engineSafeStep = VariableSet;
}
}
__declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t uniOutputFolder[MAX_PATH] = {};
if(szFileName != NULL && szOutputFolder != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szOutputFolder, lstrlenA(szOutputFolder) + 1, uniOutputFolder, sizeof(uniOutputFolder) / (sizeof(uniOutputFolder[0])));
return(EngineCreateMissingDependenciesW(uniFileName, uniOutputFolder, LogCreatedFiles));
}
else
{
return(NULL);
}
}
__declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szFileName, wchar_t* szOutputFolder, bool LogCreatedFiles)
{
char* ImportDllName;
wchar_t ImportDllNameW[512];
wchar_t BuildExportName[512];
PIMAGE_THUNK_DATA32 ImportThunkX86;
PIMAGE_THUNK_DATA64 ImportThunkX64;
PIMAGE_IMPORT_DESCRIPTOR ImportPointer;
ULONG_PTR ImportTableAddress = NULL;
ULONG_PTR ImportThunkName = NULL;
DWORD ImportThunkAddress = NULL;
ULONG_PTR ImageBase = NULL;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
BOOL FileIs64;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(DOSHeader->e_lfanew < 0x1000 - 108)
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(LogCreatedFiles)
{
if(engineDependencyFiles != NULL)
{
VirtualFree(engineDependencyFiles, NULL, MEM_RELEASE);
}
engineDependencyFiles = VirtualAlloc(NULL, 20 * 1024, MEM_COMMIT, PAGE_READWRITE);
engineDependencyFilesCWP = engineDependencyFiles;
}
if(!FileIs64)
{
ImageBase = (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase;
ImportTableAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true);
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress;
while(ImportPointer && ImportPointer->FirstThunk != NULL)
{
ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true));
if(ImportDllName)
{
MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName) + 1, ImportDllNameW, sizeof(ImportDllNameW) / (sizeof(ImportDllNameW[0])));
if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
{
RtlZeroMemory(&BuildExportName, sizeof(BuildExportName));
lstrcatW(BuildExportName, szOutputFolder);
if(BuildExportName[lstrlenW(BuildExportName) - 1] != 0x5C)
{
BuildExportName[lstrlenW(BuildExportName)] = 0x5C;
}
lstrcatW(BuildExportName, ImportDllNameW);
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx86", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
}
else
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
}
while(ImportThunkX86 && ImportThunkX86->u1.Function != NULL)
{
if(ImportThunkX86->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
{
ExporterAddNewOrdinalExport(ImportThunkX86->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32, 0x1000);
}
else
{
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true) + 2);
if(ImportThunkName)
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
}
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ImportThunkX86 + 4);
ImportThunkAddress = ImportThunkAddress + 4;
}
ExporterBuildExportTableExW(BuildExportName, ".export");
}
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
}
}
else
{
ImageBase = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
ImportTableAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true);
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress;
while(ImportPointer && ImportPointer->FirstThunk != NULL)
{
ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true));
if(ImportDllName)
{
MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName) + 1, ImportDllNameW, sizeof(ImportDllNameW) / (sizeof(ImportDllNameW[0])));
if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
{
RtlZeroMemory(&BuildExportName, sizeof(BuildExportName));
lstrcatW(BuildExportName, szOutputFolder);
if(BuildExportName[lstrlenW(BuildExportName) - 1] != 0x5C)
{
BuildExportName[lstrlenW(BuildExportName)] = 0x5C;
}
lstrcatW(BuildExportName, ImportDllNameW);
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx64", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
}
else
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
}
while(ImportThunkX64 && ImportThunkX64->u1.Function != NULL)
{
if(ImportThunkX64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
{
ExporterAddNewOrdinalExport((DWORD)(ImportThunkX64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64), 0x1000);
}
else
{
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ImportThunkX64->u1.AddressOfData + ImageBase), true) + 2);
if(ImportThunkName)
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
}
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ImportThunkX64 + 8);
ImportThunkAddress = ImportThunkAddress + 8;
}
ExporterBuildExportTableExW(BuildExportName, ".export");
}
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess)
{
if(hProcess != NULL)
{
SetAPIBreakPoint("ntdll.dll", "LdrLoadDll", UE_BREAKPOINT, UE_APIEND, (LPVOID)&EngineFakeLoadLibraryReturn);
SetAPIBreakPoint("ntdll.dll", "LdrGetProcedureAddress", UE_BREAKPOINT, UE_APIEND, (LPVOID)&EngineFakeGetProcAddressReturn);
}
return false;
}
__declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies()
{
wchar_t szTempName[MAX_PATH];
wchar_t szTempFolder[MAX_PATH];
if(engineDependencyFiles != NULL)
{
engineDependencyFilesCWP = engineDependencyFiles;
while(*((char*)engineDependencyFilesCWP) != 0)
{
RtlZeroMemory(&szTempName, sizeof(szTempName));
RtlZeroMemory(&szTempFolder, sizeof(szTempFolder));
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DeleteTempGenFile", GetTickCount(), szTempName))
{
DeleteFileW(szTempName);
if(!MoveFileW((LPCWSTR)engineDependencyFilesCWP, szTempName))
{
DeleteFileW((LPCWSTR)engineDependencyFilesCWP);
}
else
{
DeleteFileW(szTempName);
}
}
}
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW((PWCHAR)engineDependencyFilesCWP) * 2) + 2);
}
VirtualFree(engineDependencyFiles, NULL, MEM_RELEASE);
engineDependencyFiles = NULL;
engineDependencyFilesCWP = NULL;
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack)
{
if(!WindowUnpackerTitle || !WindowUnpackerLongTitle || !WindowUnpackerName || !WindowUnpackerAuthor || !StartUnpackingCallBack)
return false;
EngineStartUnpackingCallBack = StartUnpackingCallBack;
lstrcpyA(szWindowUnpackerTitle, WindowUnpackerTitle);
lstrcpyA(szWindowUnpackerLongTitle, WindowUnpackerLongTitle);
lstrcpyA(szWindowUnpackerAuthor, WindowUnpackerAuthor);
lstrcpyA(szWindowUnpackerName, WindowUnpackerName);
if(DialogBoxParamA((HINSTANCE)engineHandle, MAKEINTRESOURCEA(IDD_MAINWINDOW), NULL, (DLGPROC)EngineWndProc, NULL) != -1)
{
return true;
}
else
{
return false;
}
}
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(const char* szLogMessage)
{
int cSelect;
SendMessageA(EngineBoxHandle, LB_ADDSTRING, NULL, (LPARAM)szLogMessage);
cSelect = (int)SendMessageA(EngineBoxHandle, LB_GETCOUNT, NULL, NULL);
cSelect--;
SendMessageA(EngineBoxHandle, LB_SETCURSEL, (WPARAM)cSelect, NULL);
}
__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize)
{
int blub = 1;
switch(StructureType)
{
case UE_STRUCT_PE32STRUCT:
return (sizeof(PE32Struct) == StructureSize);
case UE_STRUCT_PE64STRUCT:
return (sizeof(PE64Struct) == StructureSize);
case UE_STRUCT_PESTRUCT:
return (sizeof(PEStruct) == StructureSize);
case UE_STRUCT_IMPORTENUMDATA:
return (sizeof(ImportEnumData) == StructureSize);
case UE_STRUCT_THREAD_ITEM_DATA:
return (sizeof(THREAD_ITEM_DATA) == StructureSize);
case UE_STRUCT_LIBRARY_ITEM_DATA:
return (sizeof(LIBRARY_ITEM_DATA) == StructureSize);
case UE_STRUCT_LIBRARY_ITEM_DATAW:
return (sizeof(LIBRARY_ITEM_DATAW) == StructureSize);
case UE_STRUCT_PROCESS_ITEM_DATA:
return (sizeof(PROCESS_ITEM_DATA) == StructureSize);
case UE_STRUCT_HANDLERARRAY:
return (sizeof(HandlerArray) == StructureSize);
case UE_STRUCT_HOOK_ENTRY:
return (sizeof(HOOK_ENTRY) == StructureSize);
case UE_STRUCT_FILE_STATUS_INFO:
return (sizeof(FILE_STATUS_INFO) == StructureSize);
case UE_STRUCT_FILE_FIX_INFO:
return (sizeof(FILE_FIX_INFO) == StructureSize);
case UE_STRUCT_X87FPUREGISTER:
return (sizeof(x87FPURegister_t) == StructureSize);
case UE_STRUCT_X87FPU:
return (sizeof(x87FPU_t) == StructureSize);
case UE_STRUCT_TITAN_ENGINE_CONTEXT:
return (sizeof(TITAN_ENGINE_CONTEXT_t) == StructureSize);
}
return false;
}
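Review bot: In EngineCreateMissingDependenciesW, in both the 32-bit and the 64-bit branch, the import DLL name read from the mapped file is appended to szOutputFolder with lstrcatW into the 512-element BuildExportName with no length check and no rejection of path separators, and the result becomes the output path passed to EngineExtractResource. That name comes from the file being analysed, so check the MultiByteToWideChar return value, build the path with a bounded call, and skip names containing `\`, `/` or `:`. The RtlMoveMemory into the 20 KB engineDependencyFiles buffer has the same problem: there is no remaining-space check and the VirtualAlloc result is not tested. Smaller points: `ConvertVAtoFileOffset(...) + 2` is null-checked only after the `+ 2`, so `if(ImportThunkName)` can never fail; the header test `e_lfanew < 0x1000 - 108` accepts negative values and ignores FileSize, where the exporter code in this same change calls EngineValidateHeader; EngineFakeMissingDependencies returns false on every path, including after both breakpoints are set; and `int blub = 1;` in EngineCheckStructAlignment is unused.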

@ -0,0 +1,458 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
static LPVOID expTableData = NULL;
static LPVOID expTableDataCWP = NULL;
static ULONG_PTR expImageBase = 0;
static DWORD expExportNumber = 0;
static bool expNamePresent = false;
static DWORD expExportAddress[1000];
static DWORD expSortedNamePointers[1000];
static ULONG_PTR expNamePointers[1000];
static DWORD expNameHashes[1000];
static WORD expOrdinals[1000];
static IMAGE_EXPORT_DIRECTORY expExportData;
// TitanEngine.Exporter.functions:
__declspec(dllexport) void TITCALL ExporterCleanup()
{
int i = NULL;
for(i = 0; i < 1000; i++)
{
expExportAddress[i] = 0;
expSortedNamePointers[i] = 0;
expNamePointers[i] = 0;
expNameHashes[i] = 0;
expOrdinals[i] = 0;
}
//RtlZeroMemory(&szExportFileName, 512);
RtlZeroMemory(&expExportData, sizeof(IMAGE_EXPORT_DIRECTORY));
VirtualFree(expTableData, NULL, MEM_RELEASE);
expExportNumber = NULL;
expTableData = NULL;
expImageBase = NULL;
}
__declspec(dllexport) void TITCALL ExporterSetImageBase(ULONG_PTR ImageBase)
{
expImageBase = ImageBase;
}
__declspec(dllexport) void TITCALL ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, char* szExportModuleName)
{
if(expTableData != NULL)
{
ExporterCleanup();
}
expExportData.Base = ExportOrdinalBase;
expTableData = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE);
if(szExportModuleName != NULL)
{
RtlMoveMemory(expTableData, szExportModuleName, lstrlenA(szExportModuleName));
expTableDataCWP = (LPVOID)((ULONG_PTR)expTableData + lstrlenA(szExportModuleName) + 2);
expNamePresent = true;
}
else
{
expTableDataCWP = expTableData;
expNamePresent = false;
}
expImageBase = ImageBase;
}
__declspec(dllexport) bool TITCALL ExporterAddNewExport(char* szExportName, DWORD ExportRelativeAddress)
{
unsigned int i;
DWORD NameHash;
if(expTableDataCWP != NULL && szExportName != NULL)
{
NameHash = (DWORD)EngineHashString(szExportName);
for(i = 0; i < expExportNumber; i++)
{
if(expNameHashes[i] == NameHash)
{
return true;
}
}
expExportAddress[expExportNumber] = ExportRelativeAddress;
expNamePointers[expExportNumber] = (ULONG_PTR)expTableDataCWP;
expNameHashes[expExportNumber] = (DWORD)EngineHashString(szExportName);
expOrdinals[expExportNumber] = (WORD)(expExportNumber);
RtlMoveMemory(expTableDataCWP, szExportName, lstrlenA(szExportName));
expTableDataCWP = (LPVOID)((ULONG_PTR)expTableDataCWP + lstrlenA(szExportName) + 2);
expExportNumber++;
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress)
{
unsigned int i = NULL;
char szExportFunctionName[512];
RtlZeroMemory(&szExportFunctionName, 512);
if(expTableDataCWP != NULL)
{
if(expExportNumber == NULL)
{
expExportData.Base = OrdinalNumber;
wsprintfA(szExportFunctionName, "Func%d", expExportNumber + 1);
return(ExporterAddNewExport(szExportFunctionName, ExportRelativeAddress));
}
else
{
if(OrdinalNumber == expExportData.Base + expExportNumber - 1)
{
wsprintfA(szExportFunctionName, "Func%d", expExportNumber + 1);
return(ExporterAddNewExport(szExportFunctionName, ExportRelativeAddress));
}
else if(OrdinalNumber > expExportData.Base + expExportNumber - 1)
{
for(i = expExportData.Base + expExportNumber - 1; i <= OrdinalNumber; i++)
{
RtlZeroMemory(&szExportFunctionName, 512);
wsprintfA(szExportFunctionName, "Func%d", expExportNumber + 1);
ExporterAddNewExport(szExportFunctionName, ExportRelativeAddress);
}
return true;
}
else
{
return true;
}
}
}
return false;
}
__declspec(dllexport) long TITCALL ExporterGetAddedExportCount()
{
return(expExportNumber);
}
__declspec(dllexport) long TITCALL ExporterEstimatedSize()
{
DWORD EstimatedSize = NULL;
EstimatedSize = (DWORD)((ULONG_PTR)expTableDataCWP - (ULONG_PTR)expTableData);
EstimatedSize = EstimatedSize + (expExportNumber * 12) + sizeof(IMAGE_EXPORT_DIRECTORY);
return(EstimatedSize);
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
{
unsigned int i = NULL;
unsigned int j = NULL;
LPVOID expBuildExportDataOld;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
LPVOID expBuildExportData;
DynBuf expBuildExportDyn;
LPVOID expBuildExportDataCWP;
DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false);
ULONG_PTR TempULONG;
DWORD TempDWORD;
BOOL FileIs64 = false;
if(expTableDataCWP != NULL)
{
expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof(IMAGE_EXPORT_DIRECTORY));
expExportData.NumberOfNames = expExportNumber;
expExportData.NumberOfFunctions = expExportNumber;
for(i = 0; i < expExportNumber; i++)
{
for(j = 0; j < expExportNumber; j++)
{
if(lstrcmpiA((PCHAR)expNamePointers[i], (PCHAR)expNamePointers[j]) < NULL)
{
TempULONG = expNamePointers[j];
expNamePointers[j] = expNamePointers[i];
expNamePointers[i] = TempULONG;
TempDWORD = expExportAddress[j];
expExportAddress[j] = expExportAddress[i];
expExportAddress[i] = TempDWORD;
}
}
}
if(expNamePresent)
{
expExportData.Name = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, (LPVOID)expTableData, lstrlenA((PCHAR)expTableData));
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + lstrlenA((PCHAR)expTableData) + 2);
}
for(i = 0; i < expExportNumber; i++)
{
RtlMoveMemory(expBuildExportDataCWP, (LPVOID)expNamePointers[i], lstrlenA((PCHAR)expNamePointers[i]));
expBuildExportDataOld = expBuildExportDataCWP;
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + lstrlenA((PCHAR)expNamePointers[i]) + 2);
expSortedNamePointers[i] = (DWORD)((ULONG_PTR)expBuildExportDataOld - (ULONG_PTR)expBuildExportData) + StorePlaceRVA;
}
expExportData.AddressOfFunctions = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expExportAddress, 4 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 4 * expExportNumber);
expExportData.AddressOfNames = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expSortedNamePointers, 4 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 4 * expExportNumber);
expExportData.AddressOfNameOrdinals = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expOrdinals, 2 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 2 * expExportNumber);
RtlMoveMemory(expBuildExportData, &expExportData, sizeof(IMAGE_EXPORT_DIRECTORY));
RtlMoveMemory((LPVOID)StorePlace, expBuildExportData, (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData));
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return false;
}
if(!FileIs64)
{
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
}
else
{
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
}
}
}
ExporterCleanup();
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName)
{
wchar_t uniExportFileName[MAX_PATH] = {};
if(szExportFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szExportFileName, lstrlenA(szExportFileName) + 1, uniExportFileName, sizeof(uniExportFileName) / (sizeof(uniExportFileName[0])));
return(ExporterBuildExportTableExW(uniExportFileName, szSectionName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, const char* szSectionName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD NewSectionVO = NULL;
DWORD NewSectionFO = NULL;
bool ReturnValue = false;
if(ExporterGetAddedExportCount() > NULL)
{
NewSectionVO = AddNewSectionW(szExportFileName, szSectionName, ExporterEstimatedSize());
if(MapFileExW(szExportFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true);
if(NewSectionFO)
ReturnValue = ExporterBuildExportTable(NewSectionFO, FileMapVA);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return true;
}
else
{
return false;
}
}
else
{
return false;
}
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(ExporterLoadExportTableW(uniFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName)
{
unsigned int i = 0;
unsigned int j = 0;
unsigned int n = 0;
unsigned int x = 0;
bool ExportPresent = false;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_EXPORT_DIRECTORY PEExports;
PEXPORTED_DATA ExportedFunctions;
PEXPORTED_DATA ExportedFunctionNames;
PEXPORTED_DATA_WORD ExportedFunctionOrdinals;
char* ExportName = NULL;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL)
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true));
if(PEExports)
{
ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase), true));
if(ExportedFunctions)
{
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->Base, NULL);
ExportPresent = true;
}
}
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL)
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true));
if(PEExports)
{
ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader64->OptionalHeader.ImageBase), true));
if(ExportedFunctions)
{
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->Base, NULL);
ExportPresent = true;
}
}
}
}
if(ExportPresent)
{
for(n = 0; n <= PEExports->NumberOfNames; n++)
{
ExportPresent = false;
x = n;
if(!FileIs64)
{
ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader32->OptionalHeader.ImageBase), true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader32->OptionalHeader.ImageBase), true));
}
else
{
ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader64->OptionalHeader.ImageBase), true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader64->OptionalHeader.ImageBase), true));
}
if(ExportedFunctionNames && ExportedFunctionOrdinals)
{
for(j = 0; j <= PEExports->NumberOfNames; j++)
{
if(ExportedFunctionOrdinals->OrdinalNumber != x)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2);
}
else
{
ExportPresent = true;
break;
}
}
if(ExportPresent)
{
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4);
if(!FileIs64)
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader32->OptionalHeader.ImageBase), true));
}
else
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader64->OptionalHeader.ImageBase), true));
}
if(ExportName)
ExporterAddNewExport(ExportName, ExportedFunctions->ExportedItem);
}
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4);
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
return false;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
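Review bot: ExporterAddNewExport stores into expExportAddress, expNamePointers, expNameHashes and expOrdinals at index expExportNumber without checking it against the 1000-entry array size, and copies the name to expTableDataCWP without checking it against the MemorySize passed to ExporterInit. Its callers take their counts from a file (the NumberOfNames loop in ExporterLoadExportTableW, and the gap-filling loop in ExporterAddNewOrdinalExport, which runs up to OrdinalNumber), so add a capacity check that returns false once either limit is reached and have the callers stop on that result. ExporterCleanup sets expTableData to NULL but leaves expTableDataCWP pointing at the freed block, so the `expTableDataCWP != NULL` guards still pass after cleanup; reset it there as well. In ExporterLoadExportTableW both loops use `<= PEExports->NumberOfNames`, which runs one iteration more than there are names, and the two statements after the final else are unreachable.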

@ -0,0 +1,802 @@
#include "stdafx.h"
#include "definitions.h"
static inline HANDLE HandleFromNtHandle(USHORT handle)
{
return (HANDLE)(ULONG_PTR)handle;
}
#include "Global.Handle.h"
#include "Global.Engine.h"
bool NtQuerySysHandleInfo(DynBuf & buf)
{
ULONG RequiredSize = NULL;
buf.Allocate(sizeof(SYSTEM_HANDLE_INFORMATION));
NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize);
buf.Allocate(RequiredSize + sizeof(SYSTEM_HANDLE_INFORMATION));
return (NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), (ULONG)buf.Size(), &RequiredSize) >= 0);
}
// TitanEngine.Handler.functions:
__declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId)
{
int HandleCount = 0;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer;
PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles;
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
{
if((DWORD)pHandle->UniqueProcessId == ProcessId)
{
HandleCount++;
}
pHandle++;
}
return HandleCount;
}
__declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle)
{
bool HandleActive = false;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return false;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer;
PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles;
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
{
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)(ULONG_PTR)pHandle->HandleValue == hHandle)
{
HandleActive = true;
break;
}
pHandle++;
}
return HandleActive;
}
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{
bool NameFound = false;
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
char ObjectNameInfo[0x1000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return 0;
}
LPVOID QuerySystemBuffer = hinfo.GetPtr();
PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer;
PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles;
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
{
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)(ULONG_PTR)pHandle->HandleValue == hHandle)
{
if(pHandle->GrantedAccess != 0x0012019F) //Filter, because this GrantedAccess type can cause deadlocks!
{
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, FALSE, DUPLICATE_SAME_ACCESS))
{
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, sizeof(ObjectNameInfo), &RequiredSize);
ZeroMemory(HandleFullName, 0x1000);
if(pObjectNameInfo->Name.Length != NULL)
{
wcscpy((wchar_t*)HandleFullName, pObjectNameInfo->Name.Buffer);
NameFound = true;
if(TranslateName)
{
LPVOID tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName;
}
}
}
EngineCloseHandle(myHandle);
break;
}
}
}
pHandle++;
}
if(!NameFound)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return(NULL);
}
else
{
return(HandleFullName);
}
}
__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{
wchar_t* name = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, hHandle, TranslateName);
if(name)
{
LPVOID HandleFullName = VirtualAlloc(NULL, wcslen(name) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
WideCharToMultiByte(CP_ACP, NULL, name, -1, (LPSTR)HandleFullName, (int)wcslen(name) + 1, NULL, NULL);
VirtualFree(name, NULL, MEM_RELEASE);
return HandleFullName;
}
return 0;
}
__declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount)
{
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount)
{
myHandle = HandleFromNtHandle(HandleInfo->hHandle);
RtlMoveMemory(HandleBuffer, &myHandle, sizeof(HANDLE));
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof(HANDLE));
HandleCount++;
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
return(HandleCount);
}
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn)
{
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
OBJECT_BASIC_INFORMATION ObjectBasicInfo;
char HandleFullData[0x1000] = {0};
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
POBJECT_TYPE_INFORMATION pObjectTypeInfo = (POBJECT_TYPE_INFORMATION)HandleFullData;
bool DontFreeStringMemory = false;
ULONG_PTR ReturnData = NULL;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && HandleFromNtHandle(HandleInfo->hHandle) == hHandle)
{
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
{
ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_ACCESS)
{
ReturnData = (ULONG_PTR)HandleInfo->GrantedAccess;
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_FLAGS)
{
ReturnData = (ULONG_PTR)HandleInfo->Flags;
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
if(pObjectTypeInfo->TypeName.Length != NULL)
{
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
ReturnData = (ULONG_PTR)HandleNameData;
DontFreeStringMemory = true;
}
}
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME_UNICODE)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
if(pObjectTypeInfo->TypeName.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectTypeInfo->TypeName.Buffer);
ReturnData = (ULONG_PTR)HandleNameData;
DontFreeStringMemory = true;
}
}
}
EngineCloseHandle(myHandle);
break;
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
if(!DontFreeStringMemory)
{
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
}
return(ReturnData);
}
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle)
{
HANDLE myHandle;
if(hProcess != NULL)
{
DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_CLOSE_SOURCE);
EngineCloseHandle(myHandle);
}
return false;
}
__declspec(dllexport) long TITCALL HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount)
{
wchar_t uniFileOrFolderName[MAX_PATH] = {};
if(szFileOrFolderName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName) + 1, uniFileOrFolderName, sizeof(uniFileOrFolderName) / (sizeof(uniFileOrFolderName[0])));
return(HandlerEnumerateLockHandlesW(uniFileOrFolderName, NameIsFolder, NameIsTranslated, HandleDataBuffer, MaxHandleCount));
}
else
{
return(NULL);
}
}
__declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount)
{
int FoundHandles = NULL;
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
OBJECT_BASIC_INFORMATION ObjectBasicInfo;
char ObjectNameInfo[0x2000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(LastProcessId != HandleInfo->ProcessId)
{
if(hProcess != NULL)
{
EngineCloseHandle(hProcess);
}
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId;
}
if(hProcess != NULL)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
if(pObjectNameInfo->Name.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(NameIsTranslated)
{
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
HandleFullName = tmpHandleFullName;
}
}
if(NameIsFolder)
{
if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
{
RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
}
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL && MaxHandleCount > NULL)
{
RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof(ULONG));
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof(ULONG));
CopyHandle = HandleFromNtHandle(HandleInfo->hHandle);
RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof(HANDLE));
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof(HANDLE));
FoundHandles++;
MaxHandleCount--;
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
return(FoundHandles);
}
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
wchar_t uniFileOrFolderName[MAX_PATH] = {};
if(szFileOrFolderName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName) + 1, uniFileOrFolderName, sizeof(uniFileOrFolderName) / (sizeof(uniFileOrFolderName[0])));
return(HandlerCloseAllLockHandlesW(uniFileOrFolderName, NameIsFolder, NameIsTranslated));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
bool AllHandled = true;
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
OBJECT_BASIC_INFORMATION ObjectBasicInfo;
char ObjectNameInfo[0x2000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(LastProcessId != HandleInfo->ProcessId)
{
if(hProcess != NULL)
{
EngineCloseHandle(hProcess);
}
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId;
}
if(hProcess != NULL)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
if(pObjectNameInfo->Name.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(NameIsTranslated)
{
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
HandleFullName = tmpHandleFullName;
}
}
if(NameIsFolder)
{
if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
{
RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
}
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
{
if(!HandlerCloseRemoteHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle)))
{
AllHandled = false;
}
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
return AllHandled;
}
__declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
wchar_t uniFileOrFolderName[MAX_PATH] = {};
if(szFileOrFolderName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName) + 1, uniFileOrFolderName, sizeof(uniFileOrFolderName) / (sizeof(uniFileOrFolderName[0])));
return(HandlerIsFileLockedW(uniFileOrFolderName, NameIsFolder, NameIsTranslated));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
OBJECT_BASIC_INFORMATION ObjectBasicInfo;
char ObjectNameInfo[0x2000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(LastProcessId != HandleInfo->ProcessId)
{
if(hProcess != NULL)
{
EngineCloseHandle(hProcess);
}
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId;
}
if(hProcess != NULL)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
if(pObjectNameInfo->Name.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(NameIsTranslated)
{
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
HandleFullName = tmpHandleFullName;
}
}
if(NameIsFolder)
{
if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
{
RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
}
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
{
EngineCloseHandle(myHandle);
return true;
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
return false;
}
// TitanEngine.Handler[Mutex].functions:
__declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount)
{
HANDLE myHandle = NULL;
HANDLE copyHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
char HandleFullData[0x1000] = {0};
char HandleNameDataB[0x1000] = {0};
LPVOID HandleNameData = HandleNameDataB;
POBJECT_TYPE_INFORMATION pObjectTypeInfo = (POBJECT_TYPE_INFORMATION)HandleFullData;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
if(pObjectTypeInfo->TypeName.Length != NULL)
{
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL)
{
copyHandle = HandleFromNtHandle(HandleInfo->hHandle);
RtlMoveMemory(HandleBuffer, &copyHandle, sizeof(HANDLE));
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof(HANDLE));
HandleCount++;
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
return(HandleCount);
}
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, char* szMutexString)
{
wchar_t uniMutexString[MAX_PATH] = {};
if(szMutexString != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szMutexString, lstrlenA(szMutexString) + 1, uniMutexString, sizeof(uniMutexString) / (sizeof(uniMutexString[0])));
return((ULONG_PTR)HandlerGetOpenMutexHandleW(hProcess, ProcessId, uniMutexString));
}
else
{
return(NULL);
}
}
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, wchar_t* szMutexString)
{
if(!szMutexString || lstrlenW(szMutexString) >= 512)
return 0;
int i;
HANDLE myHandle;
char HandleBuffer[0x1000] = {0};
LPVOID cHandleBuffer = HandleBuffer;
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof(HANDLE));
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
wchar_t* HandleName;
if(OpenHandleCount > NULL)
{
lstrcatW(RealMutexName, szMutexString);
for(i = 0; i < OpenHandleCount; i++)
{
RtlMoveMemory(&myHandle, cHandleBuffer, sizeof(HANDLE));
HandleName = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, myHandle, true);
if(HandleName != NULL)
{
if(lstrcmpiW(HandleName, RealMutexName) == NULL)
{
return((ULONG_PTR)myHandle);
}
}
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof(HANDLE));
}
}
return(NULL);
}
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString)
{
wchar_t uniMutexString[MAX_PATH] = {0};
if(szMutexString != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szMutexString, -1, uniMutexString, _countof(uniMutexString));
return(HandlerGetProcessIdWhichCreatedMutexW(uniMutexString));
}
else
{
return(NULL);
}
}
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString)
{
if(!szMutexString || wcslen(szMutexString) >= 450)
return 0;
HANDLE hProcess = NULL;
DWORD ReturnData = NULL;
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
DWORD LastProcessId = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
char HandleFullData[0x1000] = {0};
char HandleNameData[0x1000] = {0};
POBJECT_TYPE_INFORMATION pObjectTypeInfo = (POBJECT_TYPE_INFORMATION)HandleFullData;
char ObjectNameInfo[0x2000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
lstrcatW(RealMutexName, szMutexString);
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(LastProcessId != HandleInfo->ProcessId)
{
if(hProcess != NULL)
{
EngineCloseHandle(hProcess);
}
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId;
}
if(hProcess != NULL)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectTypeInfo->TypeName.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(lstrcmpiW((LPCWSTR)HandleNameData, L"Mutant") == NULL)
{
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectNameInfo->Name.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL)
{
ReturnData = HandleInfo->ProcessId;
break;
}
}
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
TotalHandleCount--;
}
return(ReturnData);
}
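Review bot: In HandlerEnumerateLockHandlesW, HandlerCloseAllLockHandlesW and HandlerIsFileLockedW, the second `NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize)` call passes the reported RequiredSize as the length of the fixed 0x2000-byte ObjectNameInfo stack buffer, and the name is then copied with lstrcpyW into the 0x1000-byte HandleFullNameB. These loops walk handles from every process they can open, so an object name longer than either buffer overruns the stack. Clamp the length to sizeof(ObjectNameInfo), check the returned NTSTATUS, and use a bounded copy or a heap buffer sized from RequiredSize. The same three functions repoint HandleFullName at the TranslateNativeNameW result, never free it, and keep zeroing and writing later names through that pointer. Further points in this hunk: HandlerGetProcessIdWhichCreatedMutexW tests for L"Mutant" after copying pObjectNameInfo->Name.Buffer, which has not been queried at that point, where pObjectTypeInfo->TypeName.Buffer looks intended, and its `break` on a match skips EngineCloseHandle(myHandle). HandlerCloseRemoteHandle returns false on every path and ignores the DuplicateHandle result, so HandlerCloseAllLockHandlesW reports failure whenever it matches a handle. HandlerGetOpenMutexHandleW accepts names of up to 511 characters before appending them to the 18-character prefix in the 512-element RealMutexName (HandlerGetProcessIdWhichCreatedMutexW uses 450 for the same buffer), and it never frees the string returned by HandlerGetHandleNameW. HandlerGetHandleDetails returns early on NtQuerySysHandleInfo failure without releasing HandleNameData.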

@ -0,0 +1,113 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Hider.h"
// TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
{
ULONG RequiredLen = 0;
void* PebAddress = 0;
PROCESS_BASIC_INFORMATION myProcessBasicInformation[5] = {0};
if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
}
else
{
if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
{
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
}
}
return PebAddress;
}
__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread)
{
ULONG RequiredLen = 0;
void* TebAddress = 0;
THREAD_BASIC_INFORMATION myThreadBasicInformation[5] = {0};
if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{
TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
}
else
{
if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
{
TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
}
}
return TebAddress;
}
__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread)
{
//TODO: this might return garbage on Windows 10
#ifndef _WIN64
if(IsThisProcessWow64())
{
//Only WOW64 processes have 2 PEBs and 2 TEBs
DWORD teb32 = (DWORD)GetTEBLocation(hThread);
if(teb32)
{
teb32 -= 0x2000; //TEB64 before TEB32
return (void*)teb32;
}
}
#endif //_WIN64
return 0;
}
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
{
void* PebAddress = 0;
#ifndef _WIN64
if(IsThisProcessWow64())
{
typedef NTSTATUS(WINAPI * t_NtWow64QueryInformationProcess64)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
static auto _NtWow64QueryInformationProcess64 = (t_NtWow64QueryInformationProcess64)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWow64QueryInformationProcess64");
if(_NtWow64QueryInformationProcess64)
{
struct PROCESS_BASIC_INFORMATION64
{
DWORD ExitStatus;
DWORD64 PebBaseAddress;
DWORD64 AffinityMask;
DWORD BasePriority;
DWORD64 UniqueProcessId;
DWORD64 InheritedFromUniqueProcessId;
} myProcessBasicInformation[5];
ULONG RequiredLen = 0;
if(_NtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION64), &RequiredLen) == STATUS_SUCCESS)
{
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
}
else
{
if(_NtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
{
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
}
}
}
}
#endif //_WIN64
return PebAddress;
}
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel)
{
return ChangeHideDebuggerState(hProcess, PatchAPILevel, true);
}
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel)
{
return ChangeHideDebuggerState(hProcess, PatchAPILevel, false);
}
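Review bot: In GetPEBLocation, GetTEBLocation and GetPEBLocation64 the fallback branch retries with RequiredLen as the buffer length without checking why the first call failed or comparing RequiredLen with the size of the five-element local array, so a failure for any other reason repeats the call with whatever length came back, which may be 0 or more than the buffer holds. Retry only on STATUS_INFO_LENGTH_MISMATCH and only when RequiredLen fits in the local array. GetPEBLocation64 also narrows the DWORD64 PebBaseAddress to a 32-bit void* and leaves its local myProcessBasicInformation array uninitialized, unlike the other two functions. GetTEBLocation64 derives the 64-bit TEB from a fixed 0x2000 offset that its own TODO says may be wrong on Windows 10; document the supported OS range in a comment or return 0 where the layout is not known.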

File diff suppressed because it is too large

@ -0,0 +1,676 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
#include "Global.Librarian.h"
#include "Global.Engine.Importer.h"
#include "Global.Debugger.h"
#include "scylla_wrapper.h"
// TitanEngine.Importer.functions:
__declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk)
{
wchar_t uniDLLName[MAX_PATH] = {};
MultiByteToWideChar(CP_ACP, NULL, szDLLName, lstrlenA(szDLLName) + 1, uniDLLName, sizeof(uniDLLName) / (sizeof(uniDLLName[0])));
scylla_addModule(uniDLLName, FirstThunk);
}
__declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue)
{
wchar_t uniAPIName[MAX_PATH] = {};
MultiByteToWideChar(CP_ACP, NULL, szAPIName, lstrlenA(szAPIName) + 1, uniAPIName, sizeof(uniAPIName) / (sizeof(uniAPIName[0])));
scylla_addImport(uniAPIName, ThunkValue);
}
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue)
{
ImporterAddNewAPI((char*)(OrdinalNumber & ~IMAGE_ORDINAL_FLAG), ThunkValue);
}
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount()
{
return scylla_getModuleCount();
}
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount()
{
return scylla_getImportCount();
}
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
{
return (scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) == SCY_ERROR_SUCCESS);
}
__declspec(dllexport) long TITCALL ImporterEstimatedSize()
{
return scylla_estimatedIATSize();
}
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName)
{
wchar_t uniExportFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniSectionName[MAX_PATH] = {};
if(szExportFileName != NULL && szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szExportFileName, lstrlenA(szExportFileName) + 1, uniExportFileName, sizeof(uniExportFileName) / (sizeof(uniExportFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName) + 1, uniDumpFileName, sizeof(uniDumpFileName) / (sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szSectionName, lstrlenA(szSectionName) + 1, uniSectionName, sizeof(uniSectionName) / (sizeof(uniSectionName[0])));
return ImporterExportIATExW(uniDumpFileName, uniExportFileName, uniSectionName);
}
return false;
}
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, const wchar_t* szSectionName)
{
return (scylla_fixDump(szDumpFileName, szExportFileName, szSectionName) == SCY_ERROR_SUCCESS);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIWriteLocation(char* szAPIName)
{
return scylla_findImportWriteLocation(szAPIName);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber)
{
return scylla_findOrdinalImportWriteLocation(OrdinalNumber);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation)
{
return scylla_findImportNameByWriteLocation(APIWriteLocation);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation)
{
return scylla_findModuleNameByWriteLocation(APIWriteLocation);
}
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
{
return ImporterGetDLLNameFromDebugee(GetCurrentProcess(), APIAddress);
}
__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress)
{
return ImporterGetDLLNameFromDebugeeW(GetCurrentProcess(), APIAddress);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{
return EngineGetAddressRemote(hProcess, APIAddress);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
{
return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{
return EngineGetAddressLocal(hProcess, APIAddress);
}
__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
{
ULONG_PTR moduleBase = EngineGetModuleBaseRemote(hProcess, APIAddress);
if(moduleBase)
{
static char szModuleName[MAX_PATH] = "";
if(GetModuleFileNameExA(hProcess, (HMODULE)moduleBase, szModuleName, _countof(szModuleName)))
return szModuleName;
}
return 0;
}
__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress)
{
ULONG_PTR moduleBase = EngineGetModuleBaseRemote(hProcess, APIAddress);
if(moduleBase)
{
static wchar_t szModuleName[MAX_PATH] = L"";
if(GetModuleFileNameExW(hProcess, (HMODULE)moduleBase, szModuleName, _countof(szModuleName)))
return szModuleName;
}
return 0;
}
__declspec(dllexport) void* TITCALL ImporterGetRemoteDLLBaseExW(HANDLE hProcess, WCHAR* szModuleName)
{
return (void*)EngineGetModuleBaseRemote(hProcess, szModuleName);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName)
{
return EngineGetModuleBaseRemote(hProcess, szModuleName);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase)
{
return EngineGetAddressRemote(hProcess, (ULONG_PTR)LocalModuleBase);
}
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress)
{
return ImporterGetAPINameFromDebugee(GetCurrentProcess(), APIAddress);
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress)
{
return ImporterGetAPIOrdinalNumberFromDebugee(GetCurrentProcess(), APIAddress);
}
__declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
//TODO: remove?
return ImporterGetAPIName(APIAddress);
}
__declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
{
static char APIName[5000] = "";
if(EngineGetAPINameRemote(hProcess, APIAddress, APIName, _countof(APIName), 0))
return APIName;
return 0;
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
{
return EngineGetAPIOrdinalRemote(hProcess, APIAddress);
}
__declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
//TODO: remove?
return((DWORD)EngineGlobalAPIHandler(NULL, DLLBasesList, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLINDEX));
}
__declspec(dllexport) long TITCALL ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
//TODO: remove?
return((DWORD)EngineGlobalAPIHandler(hProcess, DLLBasesList, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLINDEX));
}
__declspec(dllexport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress)
{
if((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX) > NULL)
{
return true;
}
else
{
return false;
}
}
__declspec(dllexport) void* TITCALL ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME));
}
__declspec(dllexport) void* TITCALL ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME));
}
__declspec(dllexport) long TITCALL ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
//TODO: remove?
return((DWORD)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX));
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((DWORD)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER));
}
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS));
}
__declspec(dllexport) void* TITCALL ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME));
}
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIAT(char* szOriginalFile, char* szDumpFile)
{
wchar_t uniDumpFile[MAX_PATH] = {};
wchar_t uniOriginalFile[MAX_PATH] = {};
if(szOriginalFile != NULL && szDumpFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFile, lstrlenA(szDumpFile) + 1, uniDumpFile, sizeof(uniDumpFile) / (sizeof(uniDumpFile[0])));
MultiByteToWideChar(CP_ACP, NULL, szOriginalFile, lstrlenA(szOriginalFile) + 1, uniOriginalFile, sizeof(uniOriginalFile) / (sizeof(uniOriginalFile[0])));
return(ImporterCopyOriginalIATW(uniOriginalFile, uniDumpFile));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
BOOL FileIs64;
HANDLE FileHandle = 0;
DWORD FileSize;
HANDLE FileMap = 0;
ULONG_PTR FileMapVA;
HANDLE FileHandle1 = 0;
DWORD FileSize1;
HANDLE FileMap1 = 0;
ULONG_PTR FileMapVA1;
ULONG_PTR IATPointer;
ULONG_PTR IATWritePointer;
ULONG_PTR IATCopyStart;
DWORD IATSection;
DWORD IATCopySize;
DWORD IATHeaderData;
if(MapFileExW(szOriginalFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
if(MapFileExW(szDumpFile, UE_ACCESS_ALL, &FileHandle1, &FileSize1, &FileMap1, &FileMapVA1, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return false;
}
if(!FileIs64)
{
IATPointer = (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase);
}
else
{
IATPointer = (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase);
}
IATSection = GetPE32SectionNumberFromVA(FileMapVA, IATPointer);
IATPointer = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, IATPointer, true);
if((int)IATSection >= NULL)
{
IATWritePointer = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA1, IATSection, UE_SECTIONRAWOFFSET) + FileMapVA1;
IATCopyStart = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, IATSection, UE_SECTIONRAWOFFSET) + FileMapVA;
IATCopySize = (DWORD)GetPE32DataFromMappedFile(FileMapVA1, IATSection, UE_SECTIONRAWSIZE);
__try
{
RtlMoveMemory((LPVOID)IATWritePointer, (LPVOID)IATCopyStart, IATCopySize);
IATHeaderData = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMPORTTABLEADDRESS);
SetPE32DataForMappedFile(FileMapVA1, NULL, UE_IMPORTTABLEADDRESS, (ULONG_PTR)IATHeaderData);
IATHeaderData = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMPORTTABLESIZE);
SetPE32DataForMappedFile(FileMapVA1, NULL, UE_IMPORTTABLESIZE, (ULONG_PTR)IATHeaderData);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return false;
}
}
}
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
return false;
}
__declspec(dllexport) bool TITCALL ImporterLoadImportTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(ImporterLoadImportTableW(uniFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName)
{
//TODO scylla enable
return false;
/*
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_IMPORT_DESCRIPTOR ImportIID;
PIMAGE_THUNK_DATA32 ThunkData32;
PIMAGE_THUNK_DATA64 ThunkData64;
ULONG_PTR CurrentThunk;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL)
{
ImporterInit(MAX_IMPORT_ALLOC, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase);
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true);
__try
{
while(ImportIID->FirstThunk != NULL)
{
ImporterAddNewDll((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader32->OptionalHeader.ImageBase), true), NULL);
if(ImportIID->OriginalFirstThunk != NULL)
{
ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader32->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
}
else
{
ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
}
while(ThunkData32->u1.AddressOfData != NULL)
{
if(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
{
ImporterAddNewAPI((char*)(ThunkData32->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
}
else
{
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
}
CurrentThunk = CurrentThunk + 4;
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ImporterCleanup();
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL)
{
ImporterInit(MAX_IMPORT_ALLOC, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true);
__try
{
while(ImportIID->FirstThunk != NULL)
{
ImporterAddNewDll((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader64->OptionalHeader.ImageBase), true), NULL);
if(ImportIID->OriginalFirstThunk != NULL)
{
ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader64->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk;
}
else
{
ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader64->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
}
while(ThunkData64->u1.AddressOfData != NULL)
{
if(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
{
ImporterAddNewAPI((char*)(ThunkData64->u1.Ordinal ^ (ULONG_PTR)IMAGE_ORDINAL_FLAG64), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
}
else
{
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
}
CurrentThunk = CurrentThunk + 8;
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ImporterCleanup();
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
return false;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
*/
}
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIAT(char* szOriginalFile, char* szDumpFile, char* szSectionName)
{
/*
if(ImporterLoadImportTable(szOriginalFile))
{
return(ImporterExportIATEx(szDumpFile, szSectionName));
}*/
return false;
}
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile, char* szSectionName)
{
/*
if(ImporterLoadImportTableW(szOriginalFile))
{
return(ImporterExportIATExW(szDumpFile, szSectionName));
}*/
return false;
}
__declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(ImporterAutoSearchIATW(ProcessId, uniFileName, SearchStart, pIATStart, pIATSize));
}
}
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize)
{
ULONG_PTR iatStart = NULL;
DWORD iatSize = NULL;
scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
//we also try to automatically read imports so following call to ExportIAT has a chance
if(iatStart != NULL && iatSize != NULL)
{
scylla_getImports(iatStart, iatSize, ProcessId);
}
RtlMoveMemory(pIATStart, &iatStart, sizeof(ULONG_PTR));
RtlMoveMemory(pIATSize, &iatSize, sizeof(ULONG_PTR));
return;
}
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize)
{
wchar_t szTempName[MAX_PATH];
wchar_t szTempFolder[MAX_PATH];
RtlZeroMemory(&szTempName, sizeof(szTempName));
RtlZeroMemory(&szTempFolder, sizeof(szTempFolder));
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
{
HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
DumpProcessW(hProcess, (LPVOID)ImageBase, szTempName, NULL);
ImporterAutoSearchIATW(ProcessId, szTempName, SearchStart, pIATStart, pIATSize);
DeleteFileW(szTempName);
}
}
}
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack)
{
return scylla_enumImportTree(EnumCallBack);
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{
wchar_t uniDumpedFile[MAX_PATH] = {};
wchar_t uniSectionName[MAX_PATH] = {};
if(szDumpedFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpedFile, lstrlenA(szDumpedFile) + 1, uniDumpedFile, sizeof(uniDumpedFile) / (sizeof(uniDumpedFile[0])));
MultiByteToWideChar(CP_ACP, NULL, szSectionName, lstrlenA(szSectionName) + 1, uniSectionName, sizeof(uniSectionName) / (sizeof(uniSectionName[0])));
return(ImporterAutoFixIATExW(ProcessId, uniDumpedFile, uniSectionName, DumpRunningProcess, RealignFile, EntryPointAddress, ImageBase, SearchStart, TryAutoFix, FixEliminations, UnknownPointerFixCallback));
}
else
{
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
ULONG_PTR iatStart = NULL;
DWORD iatSize = NULL;
WCHAR IatFixFileName[MAX_PATH];
WCHAR DumpFileName[MAX_PATH];
lstrcpyW(DumpFileName, szDumpedFile);
WCHAR* Extension = wcsrchr(DumpFileName, L'.');
WCHAR Bak = *Extension;
*Extension = 0;
lstrcpyW(IatFixFileName, DumpFileName);
*Extension = Bak;
lstrcatW(IatFixFileName, L"_scy");
lstrcatW(IatFixFileName, Extension);
lstrcatW(DumpFileName, Extension);
//do we need to dump first?
if(DumpRunningProcess)
{
HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, DumpFileName, EntryPointAddress))
{
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
//we need to fix iat, thats for sure
int ret = scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
if(ret != SCY_ERROR_SUCCESS)
{
if(ret == SCY_ERROR_PROCOPEN)
{
return (0x401); //error proc terminated
}
if(ret == SCY_ERROR_IATNOTFOUND || ret == SCY_ERROR_IATSEARCH)
{
return (0x405); //no API found
}
}
scylla_getImports(iatStart, iatSize, ProcessId, UnknownPointerFixCallback);
if(!scylla_importsValid())
{
return (0x405);
}
ret = scylla_fixDump(szDumpedFile, IatFixFileName, szSectionName);
if(ret == SCY_ERROR_IATWRITE)
{
return (0x407);
}
//do we need to realign ?
if(RealignFile)
{
if(MapFileExW(szDumpedFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
FileSize = RealignPE(FileMapVA, FileSize, NULL);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
else
{
return(0x406); // Success, but realign failed!
}
}
return(0x400); // Success!
}
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart)
{
return(ImporterAutoFixIATEx(ProcessId, szDumpedFile, ".RL!TEv2", false, false, NULL, NULL, SearchStart, false, false, NULL));
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart)
{
return(ImporterAutoFixIATExW(ProcessId, szDumpedFile, L".RL!TEv2", false, false, NULL, NULL, SearchStart, false, false, NULL));
}
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr)
{
return scylla_cutImport(apiAddr);
}
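Review bot: In ImporterAutoFixIATExW, `WCHAR* Extension = wcsrchr(DumpFileName, L'.');` is dereferenced on the very next line without a NULL check, so a dump path that contains no dot faults before any work is done; check the result and handle the no-extension case explicitly. The same block fills two MAX_PATH buffers with lstrcpyW/lstrcatW and no length check on szDumpedFile, and the final `lstrcatW(DumpFileName, Extension)` appends from a pointer into the destination buffer itself, so source and destination overlap. DumpFileName already holds the full name again after `*Extension = Bak;`, so that append looks unintended, and bounded copies (for example StringCchCopyW/StringCchCatW) would cover the rest. Two smaller points: ImporterAutoSearchIATW copies `sizeof(ULONG_PTR)` bytes out of `iatSize`, which is declared as DWORD, so a 64-bit build reads past the variable; and ImporterAutoFixIATEx NULL-checks szDumpedFile but passes szSectionName to lstrlenA unchecked.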


@ -0,0 +1,262 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Injector.h"
// TitanEngine.Injector.functions:
__declspec(dllexport) bool TITCALL RemoteLoadLibrary(HANDLE hProcess, char* szLibraryFile, bool WaitForThreadExit)
{
wchar_t uniLibraryFile[MAX_PATH] = {};
if(szLibraryFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szLibraryFile, lstrlenA(szLibraryFile) + 1, uniLibraryFile, sizeof(uniLibraryFile) / (sizeof(uniLibraryFile[0])));
return(RemoteLoadLibraryW(hProcess, uniLibraryFile, WaitForThreadExit));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t* szLibraryFile, bool WaitForThreadExit)
{
int i;
InjectCodeData APIData;
LPVOID remStringData;
LPVOID remCodeData;
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrary - (ULONG_PTR)&injectedRemoteLoadLibrary);
ULONG_PTR NumberOfBytesWritten;
DWORD ThreadId;
HANDLE hThread;
DWORD ExitCode;
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
APIData.fGetProcAddress = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"));
APIData.fVirtualFree = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualFree"));
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectCodeData)), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteLoadLibrary, remInjectSize, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
if(GetExitCodeThread(hThread, &ExitCode))
{
if(ExitCode == NULL)
{
return false;
}
}
}
else
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] == NULL)
{
break;
}
}
engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;
engineReservedMemoryProcess = hProcess;
ThreaderSetCallBackForNextExitThreadEvent((LPVOID)&injectedTerminator);
}
return true;
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
return false;
}
__declspec(dllexport) bool TITCALL RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, char* szLibraryFile, bool WaitForThreadExit)
{
wchar_t uniLibraryFile[MAX_PATH] = {};
if(szLibraryFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szLibraryFile, lstrlenA(szLibraryFile) + 1, uniLibraryFile, sizeof(uniLibraryFile) / (sizeof(uniLibraryFile[0])));
return(RemoteFreeLibraryW(hProcess, hModule, uniLibraryFile, WaitForThreadExit));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, wchar_t* szLibraryFile, bool WaitForThreadExit)
{
int i;
InjectCodeData APIData;
LPVOID remStringData;
LPVOID remCodeData;
ULONG_PTR remInjectSize1 = (ULONG_PTR)((ULONG_PTR)&injectedExitProcess - (ULONG_PTR)&injectedRemoteFreeLibrarySimple);
ULONG_PTR remInjectSize2 = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrarySimple - (ULONG_PTR)&injectedRemoteFreeLibrary);
ULONG_PTR NumberOfBytesWritten;
DWORD ThreadId;
HANDLE hThread;
DWORD ExitCode;
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
APIData.fGetProcAddress = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"));
APIData.fVirtualFree = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualFree"));
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
APIData.fFreeLibraryHandle = hModule;
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(hModule == NULL)
{
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectCodeData)), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrarySimple, remInjectSize1, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
if(GetExitCodeThread(hThread, &ExitCode))
{
if(ExitCode == NULL)
{
return false;
}
}
}
else
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] == NULL)
{
break;
}
}
engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;
engineReservedMemoryProcess = hProcess;
ThreaderSetCallBackForNextExitThreadEvent((LPVOID)&injectedTerminator);
}
return true;
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
else
{
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrary, remInjectSize2, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
if(GetExitCodeThread(hThread, &ExitCode))
{
if(ExitCode == NULL)
{
return false;
}
}
}
else
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] == NULL)
{
break;
}
}
engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;
engineReservedMemoryProcess = hProcess;
ThreaderSetCallBackForNextExitThreadEvent((LPVOID)&injectedTerminator);
}
return true;
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD ExitCode)
{
InjectCodeData APIData;
LPVOID remCodeData;
LPVOID remStringData;
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedTerminator - (ULONG_PTR)&injectedExitProcess);
ULONG_PTR NumberOfBytesWritten;
DWORD ThreadId;
HANDLE hThread;
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"));
APIData.fGetProcAddress = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"));
APIData.fVirtualFree = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualFree"));
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
APIData.fExitProcessCode = ExitCode;
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedExitProcess, remInjectSize, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
return true;
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
return false;
}
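Review bot: In RemoteExitProcess, `VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);` runs immediately after CreateRemoteThread with no wait, so the stub's memory can be released before the new thread has executed it; either wait on hThread first or leave the release to the exit path the other functions use. Across all three W functions the results of VirtualAllocEx and CreateRemoteThread are never checked and the thread handles are never closed, so a failed allocation flows straight into WriteProcessMemory and NtSetInformationThread with a NULL pointer or handle. In the non-waiting branches the slot search `for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)` leaves i equal to UE_MAX_RESERVED_MEMORY_LEFT when no entry is free, and the following `engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;` then stores at that index without a bound check. The library path is also written as `lstrlenW(szLibraryFile) * 2` bytes at offset sizeof(InjectCodeData) into a fixed 0x1000 allocation with no length check, and the W entry points do not NULL-check szLibraryFile the way the ANSI wrappers do.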


@ -0,0 +1,168 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Librarian.h"
static LIBRARY_ITEM_DATA LibraryInfoData = {};
// TitanEngine.Librarian.functions:
__declspec(dllexport) bool TITCALL LibrarianSetBreakPoint(char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack)
{
LIBRARY_BREAK_DATA NewLibrarianData;
memset(&NewLibrarianData, 0, sizeof(LIBRARY_BREAK_DATA));
lstrcpyA(NewLibrarianData.szLibraryName, szLibraryName);
NewLibrarianData.bpxCallBack = bpxCallBack;
NewLibrarianData.bpxSingleShoot = SingleShoot;
NewLibrarianData.bpxType = bpxType;
LibrarianData.push_back(NewLibrarianData);
return true;
}
__declspec(dllexport) bool TITCALL LibrarianRemoveBreakPoint(char* szLibraryName, DWORD bpxType)
{
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
{
if(!_stricmp(szLibraryName, LibrarianData.at(i).szLibraryName) && (LibrarianData.at(i).bpxType == bpxType || bpxType == UE_ON_LIB_ALL))
{
LibrarianData.erase(LibrarianData.begin() + i);
}
}
return true;
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName)
{
if(!szLibraryName)
return NULL;
wchar_t uniLibraryName[MAX_PATH] = {};
PLIBRARY_ITEM_DATAW LibInfo;
MultiByteToWideChar(CP_ACP, NULL, szLibraryName, lstrlenA(szLibraryName) + 1, uniLibraryName, sizeof(uniLibraryName) / (sizeof(uniLibraryName[0])));
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoW(uniLibraryName);
if(LibInfo)
{
RtlZeroMemory(&LibraryInfoData, sizeof(LIBRARY_ITEM_DATA));
LibraryInfoData.hFile = LibInfo->hFile;
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof(LibraryInfoData).szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof(LibraryInfoData).szLibraryPath, NULL, NULL);
return((void*)&LibraryInfoData);
}
return NULL;
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoW(wchar_t* szLibraryName)
{
static LIBRARY_ITEM_DATAW LibraryInfo;
memset(&LibraryInfo, 0, sizeof(LIBRARY_ITEM_DATAW));
for(unsigned int i = 0; i < hListLibrary.size(); i++)
{
if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE && !lstrcmpiW(hListLibrary.at(i).szLibraryName, szLibraryName))
{
memcpy(&LibraryInfo, &hListLibrary.at(i), sizeof(LIBRARY_ITEM_DATAW));
return &LibraryInfo;
}
}
return NULL;
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll)
{
PLIBRARY_ITEM_DATAW LibInfo;
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoExW(BaseOfDll);
if(LibInfo)
{
RtlZeroMemory(&LibraryInfoData, sizeof(LIBRARY_ITEM_DATA));
LibraryInfoData.hFile = LibInfo->hFile;
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof(LibraryInfoData).szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof(LibraryInfoData).szLibraryPath, NULL, NULL);
return (void*)&LibraryInfoData;
}
return NULL;
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll)
{
static LIBRARY_ITEM_DATAW LibraryData;
memset(&LibraryData, 0, sizeof(LIBRARY_ITEM_DATAW));
for(unsigned int i = 0; i < hListLibrary.size(); i++)
{
if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE && hListLibrary.at(i).BaseOfDll == BaseOfDll)
{
memcpy(&LibraryData, &hListLibrary.at(i), sizeof(LIBRARY_ITEM_DATAW));
return &LibraryData;
}
}
return NULL;
}
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack)
{
if(!EnumCallBack)
return;
typedef void(TITCALL * fEnumCallBack)(LPVOID fLibraryDetail);
fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack;
for(unsigned int i = 0; i < hListLibrary.size(); i++)
{
if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE)
{
__try
{
LIBRARY_ITEM_DATA myLibraryInfoData;
memset(&myLibraryInfoData, 0, sizeof(LIBRARY_ITEM_DATA));
myLibraryInfoData.hFile = hListLibrary.at(i).hFile;
myLibraryInfoData.BaseOfDll = hListLibrary.at(i).BaseOfDll;
myLibraryInfoData.hFileMapping = hListLibrary.at(i).hFileMapping;
myLibraryInfoData.hFileMappingView = hListLibrary.at(i).hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, hListLibrary.at(i).szLibraryName, -1, &myLibraryInfoData.szLibraryName[0], sizeof(myLibraryInfoData.szLibraryName), NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, hListLibrary.at(i).szLibraryPath, -1, &myLibraryInfoData.szLibraryPath[0], sizeof(myLibraryInfoData.szLibraryPath), NULL, NULL);
myEnumCallBack(&myLibraryInfoData);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
break;
}
}
}
}
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack)
{
if(!EnumCallBack)
return;
typedef void(TITCALL * fEnumCallBack)(LPVOID fLibraryDetail);
fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack;
for(unsigned int i = 0; i < hListLibrary.size(); i++)
{
if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE)
{
__try
{
myEnumCallBack(&hListLibrary.at(i));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
break;
}
}
}
}
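
Review bot: LibrarianGetLibraryInfoW and LibrarianGetLibraryInfoExW return pointers to function-static buffers (LibraryInfo, LibraryData), and the ANSI wrappers return the shared LibraryInfoData, so every call overwrites the previous result and two threads calling at once race on the same storage. Either document that the result is only valid until the next call on the same thread, or take a caller-supplied LIBRARY_ITEM_DATA to fill. In the ANSI wrappers the WideCharToMultiByte return value is ignored, so a name or path that does not fit the destination is not reported to the caller. The size argument is also written as sizeof(LibraryInfoData).szLibraryName, while LibrarianEnumLibraryInfo uses sizeof(myLibraryInfoData.szLibraryName); the second form is the clearer one to use throughout.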


@ -0,0 +1,40 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.OEPFinder.h"
// TitanEngine.FindOEP.functions:
__declspec(dllexport) void TITCALL FindOEPInit()
{
RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
}
__declspec(dllexport) bool TITCALL FindOEPGenerically(char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(FindOEPGenericallyW(uniFileName, TraceInitCallBack, CallBack));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack)
{
int i;
if(GenericOEPFileInitW(szFileName, TraceInitCallBack, CallBack))
{
InitDebugExW(szFileName, NULL, NULL, CallbackToObjectPointer(&GenericOEPTraceInit));
DebugLoop();
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
VirtualFree(glbEntryTracerData.SectionData[i].AllocatedSection, NULL, MEM_RELEASE);
}
}
return false;
}
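
Review bot: FindOEPGenericallyW returns false on every path, including after GenericOEPFileInitW succeeded and DebugLoop() ran to completion, so callers of FindOEPGenerically and FindOEPGenericallyW cannot tell a finished trace from a failed init. Return true (or the trace outcome) from inside the if block. The result of InitDebugExW is also discarded before DebugLoop() is entered; check it and skip the loop when the debuggee could not be started.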


@ -0,0 +1,537 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
__declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert)
{
if(!FileMapVA)
return -2;
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
BOOL FileIs64;
if(PEHeader32->OptionalHeader.Magic == 0x10B)
FileIs64 = false;
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
FileIs64 = true;
else
return -2;
if(!FileIs64) //x86
{
__try
{
ULONG_PTR ConvertAddress = AddressToConvert - PEHeader32->OptionalHeader.ImageBase;
PIMAGE_SECTION_HEADER PESections = IMAGE_FIRST_SECTION(PEHeader32);
DWORD SectionNumber = PEHeader32->FileHeader.NumberOfSections;
DWORD FoundInSection = -1;
while(SectionNumber > 0)
{
if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + max(PESections->Misc.VirtualSize, PESections->SizeOfRawData))
{
FoundInSection = PEHeader32->FileHeader.NumberOfSections - SectionNumber;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
return FoundInSection;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return -2;
}
}
else //x64
{
__try
{
ULONG_PTR ConvertAddress = AddressToConvert - (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
PIMAGE_SECTION_HEADER PESections = IMAGE_FIRST_SECTION(PEHeader64);
DWORD SectionNumber = PEHeader64->FileHeader.NumberOfSections;
DWORD FoundInSection = -1;
while(SectionNumber > 0)
{
if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + max(PESections->Misc.VirtualSize, PESections->SizeOfRawData))
{
FoundInSection = PEHeader64->FileHeader.NumberOfSections - SectionNumber;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
return FoundInSection;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return -2;
}
}
}
return -2;
}
__declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_SECTION_HEADER PESections;
DWORD SectionNumber = 0;
ULONG_PTR ConvertedAddress = 0;
ULONG_PTR ConvertAddress = 0;
BOOL FileIs64;
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return(0);
}
if(!FileIs64)
{
ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase);
if(ConvertAddress < PEHeader32->OptionalHeader.SectionAlignment)
{
ConvertedAddress = ConvertAddress;
}
PESections = IMAGE_FIRST_SECTION(PEHeader32);
SectionNumber = PEHeader32->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + max(PESections->Misc.VirtualSize, PESections->SizeOfRawData))
{
if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData)
{
ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress);
}
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
if(ReturnType)
{
if(ConvertedAddress != NULL)
{
ConvertedAddress += FileMapVA;
}
else if(ConvertAddress == NULL)
{
ConvertedAddress = FileMapVA;
}
}
return ConvertedAddress;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(0);
}
}
else
{
ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase);
if(ConvertAddress < PEHeader64->OptionalHeader.SectionAlignment)
{
ConvertedAddress = ConvertAddress;
}
PESections = IMAGE_FIRST_SECTION(PEHeader64);
SectionNumber = PEHeader64->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + max(PESections->Misc.VirtualSize, PESections->SizeOfRawData))
{
if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData)
{
ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress);
}
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
if(ReturnType)
{
if(ConvertedAddress != NULL)
{
ConvertedAddress += FileMapVA;
}
else if(ConvertAddress == NULL)
{
ConvertedAddress = FileMapVA;
}
}
return(ConvertedAddress);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(0);
}
}
}
else
{
return(0);
}
}
return(0);
}
__declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_SECTION_HEADER PESections;
DWORD SectionNumber = 0;
ULONG_PTR ConvertedAddress = 0;
ULONG_PTR ConvertAddress = 0;
BOOL FileIs64;
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return(0);
}
if(!FileIs64)
{
if(!AddressIsRVA)
{
if(ImageBase == NULL)
{
ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase);
}
else
{
ConvertAddress = (DWORD)((DWORD)AddressToConvert - ImageBase);
}
}
else
{
ConvertAddress = (DWORD)AddressToConvert;
}
if(ConvertAddress < PEHeader32->OptionalHeader.SectionAlignment)
{
ConvertedAddress = ConvertAddress;
}
PESections = IMAGE_FIRST_SECTION(PEHeader32);
SectionNumber = PEHeader32->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + max(PESections->Misc.VirtualSize, PESections->SizeOfRawData))
{
if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData)
{
ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress);
}
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
if(ReturnType)
{
if(ConvertedAddress != NULL)
{
ConvertedAddress = ConvertedAddress + FileMapVA;
}
}
if(ReturnType)
{
if(ConvertedAddress >= FileMapVA && ConvertedAddress <= FileMapVA + FileSize)
{
return((ULONG_PTR)ConvertedAddress);
}
else
{
return(NULL);
}
}
else
{
if(ConvertedAddress > NULL && ConvertedAddress <= FileSize)
{
return((ULONG_PTR)ConvertedAddress);
}
else
{
return(NULL);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(NULL);
}
}
else
{
if(!AddressIsRVA)
{
if(ImageBase == NULL)
{
ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase);
}
else
{
ConvertAddress = (DWORD)(AddressToConvert - ImageBase);
}
}
else
{
ConvertAddress = (DWORD)AddressToConvert;
}
if(ConvertAddress < PEHeader64->OptionalHeader.SectionAlignment)
{
ConvertedAddress = ConvertAddress;
}
PESections = IMAGE_FIRST_SECTION(PEHeader64);
SectionNumber = PEHeader64->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + max(PESections->Misc.VirtualSize, PESections->SizeOfRawData))
{
if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData)
{
ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress);
}
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
if(ReturnType)
{
if(ConvertedAddress != NULL)
{
ConvertedAddress = ConvertedAddress + FileMapVA;
}
}
if(ReturnType)
{
if(ConvertedAddress >= FileMapVA && ConvertedAddress <= FileMapVA + FileSize)
{
return((ULONG_PTR)ConvertedAddress);
}
else
{
return(NULL);
}
}
else
{
if(ConvertedAddress > NULL && ConvertedAddress <= FileSize)
{
return((ULONG_PTR)ConvertedAddress);
}
else
{
return(NULL);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(NULL);
}
}
}
else
{
return(0);
}
}
return(0);
}
__declspec(dllexport) ULONG_PTR TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_SECTION_HEADER PESections;
DWORD SectionNumber = 0;
ULONG_PTR ConvertedAddress = 0;
ULONG_PTR ConvertAddress = 0;
BOOL FileIs64;
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return(0);
}
if(!FileIs64)
{
ConvertAddress = (DWORD)((DWORD)AddressToConvert - FileMapVA);
if(ConvertAddress < PEHeader32->OptionalHeader.FileAlignment)
{
ConvertedAddress = ConvertAddress;
}
PESections = IMAGE_FIRST_SECTION(PEHeader32);
SectionNumber = PEHeader32->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->PointerToRawData <= ConvertAddress && ConvertAddress <= PESections->PointerToRawData + PESections->SizeOfRawData)
{
ConvertedAddress = PESections->VirtualAddress + (ConvertAddress - PESections->PointerToRawData);
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
if(ReturnType)
{
if(ConvertedAddress != NULL)
{
ConvertedAddress = ConvertedAddress + PEHeader32->OptionalHeader.ImageBase;
}
}
else if(ConvertAddress == NULL)
{
ConvertedAddress = PEHeader32->OptionalHeader.ImageBase;
}
return(ConvertedAddress);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(0);
}
}
else
{
ConvertAddress = (DWORD)(AddressToConvert - FileMapVA);
if(ConvertAddress < PEHeader64->OptionalHeader.FileAlignment)
{
ConvertedAddress = ConvertAddress;
}
PESections = IMAGE_FIRST_SECTION(PEHeader64);
SectionNumber = PEHeader64->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->PointerToRawData <= ConvertAddress && ConvertAddress <= PESections->PointerToRawData + PESections->SizeOfRawData)
{
ConvertedAddress = PESections->VirtualAddress + (ConvertAddress - PESections->PointerToRawData);
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
if(ReturnType)
{
if(ConvertedAddress != NULL)
{
ConvertedAddress = ConvertedAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
}
}
else if(ConvertAddress == NULL)
{
ConvertedAddress = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
}
return(ConvertedAddress);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(0);
}
}
}
else
{
return(0);
}
}
return(0);
}
__declspec(dllexport) ULONG_PTR TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType)
{
ULONG_PTR ConvertedAddress = NULL;
DWORD cnvSectionAlignment = NULL;
ULONG_PTR cnvImageBase = NULL;
DWORD cnvSizeOfImage = NULL;
if(FileMapVA != NULL)
{
if(ImageBase == NULL)
{
cnvImageBase = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE);
}
else
{
cnvImageBase = ImageBase;
}
cnvSizeOfImage = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_SIZEOFIMAGE);
cnvSectionAlignment = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_SECTIONALIGNMENT);
ConvertedAddress = (ULONG_PTR)ConvertFileOffsetToVA(FileMapVA, AddressToConvert, ReturnType);
if(ReturnType)
{
if(ConvertedAddress >= cnvImageBase + cnvSectionAlignment && ConvertedAddress <= cnvImageBase + cnvSizeOfImage)
{
return((ULONG_PTR)ConvertedAddress);
}
else
{
return(NULL);
}
}
else
{
if(ConvertedAddress >= cnvSectionAlignment && ConvertedAddress <= cnvSizeOfImage)
{
return((ULONG_PTR)ConvertedAddress);
}
else
{
return(NULL);
}
}
}
return(NULL);
}
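
Review bot: In ConvertFileOffsetToVA, both the x86 and x64 branches attach else if(ConvertAddress == NULL) to if(ReturnType) rather than nesting it inside that block the way ConvertVAtoFileOffset does. As written, an input at offset 0 that matches no section yields ImageBase when ReturnType is false and 0 when it is true, which looks inverted; move the check inside the if(ReturnType) block. The section match in the VA-to-offset functions uses ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData, which accepts the first byte past the section's raw data, and ConvertVAtoFileOffsetEx accepts ConvertedAddress <= FileMapVA + FileSize, one past the mapping; both comparisons should be strict. NumberOfSections is taken from the header and the section table is walked with only the __try/__except as a backstop; ConvertVAtoFileOffsetEx already receives FileSize and could bound the table against it before the loop.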

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -0,0 +1,407 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Handle.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
static char* szSharedOverlay = 0;
static wchar_t* szSharedOverlayW = 0;
__declspec(dllexport) bool TITCALL FindOverlay(char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(FindOverlayW(uniFileName, OverlayStart, OverlaySize));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL FindOverlayW(wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_SECTION_HEADER PESections;
DWORD SectionNumber = 0;
DWORD SectionRawOffset = 0;
DWORD SectionRawSize = 0;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64)
{
PESections = IMAGE_FIRST_SECTION(PEHeader32);
SectionNumber = PEHeader32->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->PointerToRawData >= SectionRawOffset)
{
if(PESections->SizeOfRawData != NULL || (SectionRawOffset != PESections->PointerToRawData))
{
SectionRawSize = PESections->SizeOfRawData;
}
SectionRawOffset = PESections->PointerToRawData;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(SectionRawOffset + SectionRawSize < FileSize)
{
if(OverlayStart != NULL && OverlaySize != NULL)
{
*OverlayStart = (DWORD)(SectionRawOffset + SectionRawSize);
*OverlaySize = (DWORD)(FileSize - SectionRawOffset - SectionRawSize);
}
return true;
}
else
{
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
PESections = IMAGE_FIRST_SECTION(PEHeader64);
SectionNumber = PEHeader64->FileHeader.NumberOfSections;
__try
{
while(SectionNumber > 0)
{
if(PESections->PointerToRawData >= SectionRawOffset)
{
if(PESections->SizeOfRawData != NULL || (SectionRawOffset != PESections->PointerToRawData))
{
SectionRawSize = PESections->SizeOfRawData;
}
SectionRawOffset = PESections->PointerToRawData;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
SectionNumber--;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(SectionRawOffset + SectionRawSize < FileSize)
{
if(OverlayStart != NULL && OverlaySize != NULL)
{
*OverlayStart = (DWORD)(SectionRawOffset + SectionRawSize);
*OverlaySize = (DWORD)(FileSize - SectionRawOffset - SectionRawSize);
}
return true;
}
else
{
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL ExtractOverlay(char* szFileName, char* szExtactedFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t uniExtactedFileName[MAX_PATH] = {};
if(szFileName != NULL && szExtactedFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szExtactedFileName, lstrlenA(szExtactedFileName) + 1, uniExtactedFileName, sizeof(uniExtactedFileName) / (sizeof(uniExtactedFileName[0])));
return(ExtractOverlayW(uniFileName, uniExtactedFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* szExtactedFileName)
{
HANDLE hFile = 0;
HANDLE hFileWrite = 0;
BOOL Return = false;
DWORD OverlayStart = 0;
DWORD OverlaySize = 0;
DWORD ueNumberOfBytesRead = 0;
char ueReadBuffer[0x2000] = {0};
Return = FindOverlayW(szFileName, &OverlayStart, &OverlaySize);
if(Return)
{
hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
EngineCreatePathForFileW(szExtactedFileName);
hFileWrite = CreateFileW(szExtactedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFileWrite != INVALID_HANDLE_VALUE)
{
SetFilePointer(hFile, OverlayStart, NULL, FILE_BEGIN);
while(OverlaySize > 0)
{
RtlZeroMemory(ueReadBuffer, sizeof(ueReadBuffer));
if(OverlaySize > 0x1000)
{
if(ReadFile(hFile, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL))
{
if(!WriteFile(hFileWrite, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL))
return false;
}
else
{
return false;
}
OverlaySize = OverlaySize - 0x1000;
}
else
{
if(ReadFile(hFile, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL))
{
if(!WriteFile(hFileWrite, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL))
return false;
}
else
{
return false;
}
OverlaySize = 0;
}
}
EngineCloseHandle(hFile);
EngineCloseHandle(hFileWrite);
return true;
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t uniOverlayFileName[MAX_PATH] = {};
if(szFileName != NULL && szOverlayFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szOverlayFileName, lstrlenA(szOverlayFileName) + 1, uniOverlayFileName, sizeof(uniOverlayFileName) / (sizeof(uniOverlayFileName[0])));
return(AddOverlayW(uniFileName, uniOverlayFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szOverlayFileName)
{
HANDLE hFile = 0;
HANDLE hFileRead = 0;
DWORD FileSize = 0;
DWORD OverlaySize = 0;
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
char ueReadBuffer[0x2000] = {0};
hFile = CreateFileW(szFileName, GENERIC_READ + GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
hFileRead = CreateFileW(szOverlayFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFileRead != INVALID_HANDLE_VALUE)
{
FileSize = GetFileSize(hFile, NULL);
OverlaySize = GetFileSize(hFileRead, NULL);
SetFilePointer(hFile, FileSize, NULL, FILE_BEGIN);
while(OverlaySize > 0)
{
RtlZeroMemory(ueReadBuffer, sizeof(ueReadBuffer));
if(OverlaySize > 0x1000)
{
if(ReadFile(hFileRead, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL))
{
if(!WriteFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL))
return false;
}
else
{
return false;
}
OverlaySize = OverlaySize - 0x1000;
}
else
{
if(ReadFile(hFileRead, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL))
{
if(!WriteFile(hFile, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL))
return false;
}
else
{
return false;
}
OverlaySize = 0;
}
}
EngineCloseHandle(hFile);
EngineCloseHandle(hFileRead);
return true;
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL CopyOverlay(char* szInFileName, char* szOutFileName)
{
wchar_t uniInFileName[MAX_PATH] = {};
wchar_t uniOutFileName[MAX_PATH] = {};
if(szInFileName != NULL && szOutFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szInFileName, lstrlenA(szInFileName) + 1, uniInFileName, sizeof(uniInFileName) / (sizeof(uniInFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szOutFileName, lstrlenA(szOutFileName) + 1, uniOutFileName, sizeof(uniOutFileName) / (sizeof(uniOutFileName[0])));
return(CopyOverlayW(uniInFileName, uniOutFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL CopyOverlayW(wchar_t* szInFileName, wchar_t* szOutFileName)
{
wchar_t szTempName[MAX_PATH] = {};
wchar_t szTempFolder[MAX_PATH] = {};
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 101, szTempName))
{
if(ExtractOverlayW(szInFileName, szTempName))
{
AddOverlayW(szOutFileName, szTempName);
DeleteFileW(szTempName);
return true;
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL RemoveOverlay(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(RemoveOverlayW(uniFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RemoveOverlayW(wchar_t* szFileName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD OverlayStart = 0;
DWORD OverlaySize = 0;
if(FindOverlayW(szFileName, &OverlayStart, &OverlaySize))
{
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
FileSize = FileSize - OverlaySize;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
}
return false;
}
__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName)
{
szSharedOverlay = szFileName;
}
__declspec(dllexport) void TITCALL SetSharedOverlayW(wchar_t* szFileName)
{
szSharedOverlayW = szFileName;
}
__declspec(dllexport) char* TITCALL GetSharedOverlay()
{
return(szSharedOverlay);
}
__declspec(dllexport) wchar_t* TITCALL GetSharedOverlayW()
{
return(szSharedOverlayW);
}
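
Review bot: The copy loops in ExtractOverlayW and AddOverlayW return false directly when ReadFile or WriteFile fails, which leaves both file handles open (hFile and hFileWrite, hFile and hFileRead). Route those failures through a single cleanup path that calls EngineCloseHandle on both handles before returning. In FindOverlayW the test SectionRawOffset + SectionRawSize < FileSize adds two DWORD header fields, so a file with large PointerToRawData and SizeOfRawData values can wrap the sum and report an overlay that is not there; do the comparison in a 64-bit type or check each term against FileSize first. CopyOverlayW ignores the result of AddOverlayW and returns true regardless, and SetSharedOverlay and SetSharedOverlayW store the caller's pointer without copying, which deserves a comment stating that the caller must keep the string alive.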

File diff suppressed because it is too large Load Diff


@ -0,0 +1,160 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Handle.h"
#include "Global.Engine.h"
__declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName)
{
wchar_t uniDebuggedFileName[MAX_PATH] = {};
if(szDebuggedFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDebuggedFileName, lstrlenA(szDebuggedFileName) + 1, uniDebuggedFileName, sizeof(uniDebuggedFileName) / (sizeof(uniDebuggedFileName[0])));
return(PastePEHeaderW(hProcess, ImageBase, uniDebuggedFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDebuggedFileName)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
IMAGE_NT_HEADERS32 RemotePEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
IMAGE_NT_HEADERS64 RemotePEHeader64;
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
DWORD FileSize = 0;
DWORD PEHeaderSize = 0;
ULONG_PTR dwImageBase = (ULONG_PTR)ImageBase;
BOOL FileIs64 = false;
HANDLE hFile = 0;
SIZE_T CalculatedHeaderSize = NULL;
DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
DWORD OldProtect = PAGE_READWRITE;
hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
FileSize = GetFileSize(hFile, NULL);
if(FileSize < 0x1000)
{
if(!ReadFile(hFile, ueReadBuffer, FileSize, &uedNumberOfBytesRead, NULL))
return false;
}
else
{
if(!ReadFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL))
return false;
}
if(FileSize > 0x200)
{
DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
if(EngineValidateHeader((ULONG_PTR)ueReadBuffer, hProcess, ImageBase, DOSHeader, false))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS64);
if(CalculatedHeaderSize > 0x1000)
{
SetFilePointer(hFile, NULL, NULL, FILE_BEGIN);
ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize);
if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL))
{
EngineCloseHandle(hFile);
return false;
}
}
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof(IMAGE_NT_HEADERS32), &ueNumberOfBytesRead))
{
PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
FileIs64 = false;
}
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof(IMAGE_NT_HEADERS32), &ueNumberOfBytesRead))
{
PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
FileIs64 = true;
}
}
else
{
EngineCloseHandle(hFile);
return false;
}
if(!FileIs64)
{
PEHeader32->OptionalHeader.ImageBase = (DWORD)(dwImageBase);
if(VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, PAGE_READWRITE, &OldProtect))
{
if(WriteProcessMemory(hProcess, ImageBase, ueReadBuffer, PEHeaderSize, &ueNumberOfBytesRead))
{
EngineCloseHandle(hFile);
VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect);
return true;
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
else
{
PEHeader64->OptionalHeader.ImageBase = dwImageBase;
if(VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, PAGE_READWRITE, &OldProtect))
{
if(WriteProcessMemory(hProcess, ImageBase, ueReadBuffer, PEHeaderSize, &ueNumberOfBytesRead))
{
EngineCloseHandle(hFile);
VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect);
return true;
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
else
{
EngineCloseHandle(hFile);
return false;
}
}
else
{
EngineCloseHandle(hFile);
return false;
}
return false;
}
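
Review bot: In PastePEHeaderW, PEHeaderSize is computed from the file's NumberOfSections and SizeOfOptionalHeader and is never checked against the size of ueReadBuffer or the number of bytes actually read before WriteProcessMemory copies PEHeaderSize bytes out of that buffer into the debuggee. A file with an inflated section count makes this read past the local buffer; clamp PEHeaderSize to the bytes read and fail otherwise. PEHeaderSize also stays 0 when ReadProcessMemory fails, and the code still goes on to VirtualProtectEx and WriteProcessMemory. DOSHeader, PEHeader32 and PEHeader64 are derived before ueReadBuf.Allocate(CalculatedHeaderSize) reassigns ueReadBuffer and are not refreshed afterwards, so they should be recomputed from the new buffer. The 0x20B branch reads sizeof(IMAGE_NT_HEADERS32) into RemotePEHeader64, where sizeof(IMAGE_NT_HEADERS64) is expected. The two early return false statements after the first ReadFile calls skip EngineCloseHandle(hFile), and the final else calls EngineCloseHandle on a handle that is INVALID_HANDLE_VALUE.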


@ -0,0 +1,143 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Handle.h"
#include "Global.Engine.h"
// TitanEngine.Process.functions:
__declspec(dllexport) long TITCALL GetActiveProcessId(char* szImageName)
{
wchar_t uniImageName[MAX_PATH] = {0};
if(szImageName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szImageName, -1, uniImageName, _countof(uniImageName));
return(GetActiveProcessIdW(uniImageName));
}
else
{
return(NULL);
}
}
__declspec(dllexport) long TITCALL GetActiveProcessIdW(wchar_t* szImageName)
{
int i;
wchar_t* szTranslatedProcName;
DWORD bProcessId[1024] = {};
wchar_t szProcessPath[1024] = {};
DWORD cbNeeded = NULL;
HANDLE hProcess;
wchar_t* nameOnly = 0;
if(EnumProcesses(bProcessId, sizeof(bProcessId), &cbNeeded))
{
for(i = 0; i < (int)(cbNeeded / sizeof(DWORD)); i++)
{
if(bProcessId[i] != NULL)
{
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL)
{
if(GetProcessImageFileNameW(hProcess, szProcessPath, _countof(szProcessPath)) > NULL)
{
szTranslatedProcName = (wchar_t*)TranslateNativeNameW(szProcessPath);
lstrcpyW(szProcessPath, szTranslatedProcName);
VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE);
EngineCloseHandle(hProcess);
if(_wcsicmp(szProcessPath, szImageName) == 0)
{
return(bProcessId[i]);
}
else
{
nameOnly = wcsrchr(szProcessPath, L'\\');
if(nameOnly)
{
nameOnly++;
if(_wcsicmp(nameOnly, szImageName) == 0)
{
return(bProcessId[i]);
}
}
}
}
else
{
EngineCloseHandle(hProcess);
}
}
}
}
}
return(NULL);
}
__declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, void* EnumFunction)
{
int i;
int j;
typedef void(TITCALL * fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress);
fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction;
HMODULE EnumeratedModules[1024] = {0};
DWORD bProcessId[1024] = {0};
char szModuleName[1024] = {0};
DWORD pProcessIdCount = NULL;
DWORD cbNeeded = 0;
HANDLE hProcess;
if(EnumFunction != NULL)
{
if(EnumProcesses(bProcessId, sizeof(bProcessId), &pProcessIdCount))
{
for(i = 0; i < (int)(pProcessIdCount / sizeof(DWORD)); i++)
{
if(bProcessId[i] != NULL)
{
hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, bProcessId[i]);
if(hProcess != NULL)
{
RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules));
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(j = 0; j < (int)(cbNeeded / sizeof(HMODULE)); j++)
{
if(EnumeratedModules[j] != NULL)
{
if(GetModuleBaseNameA(hProcess, EnumeratedModules[j], szModuleName, _countof(szModuleName)) > NULL)
{
if(lstrcmpiA(szModuleName, szLibraryName) == NULL)
{
__try
{
myEnumFunction(bProcessId[i], EnumeratedModules[j]);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
EngineCloseHandle(hProcess);
return;
}
}
}
}
}
}
EngineCloseHandle(hProcess);
}
}
}
}
}
}
__declspec(dllexport) HANDLE TITCALL TitanOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId)
{
return EngineOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}
__declspec(dllexport) HANDLE TITCALL TitanOpenThread(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwThreadId)
{
return EngineOpenThread(dwDesiredAccess, bInheritHandle, dwThreadId);
}
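Review bot: In EnumProcessesWithLibrary, the inner loop bound `cbNeeded / sizeof(HMODULE)` is never clamped to the size of `EnumeratedModules`. EnumProcessModules reports in `cbNeeded` the number of bytes required for all module handles, so for a process with more than 1024 modules `EnumeratedModules[j]` is read past the end of the array and the stray values are handed to GetModuleBaseNameA. Clamp the count to `_countof(EnumeratedModules)`, or grow the buffer and call again. In the same function `szLibraryName` is passed to lstrcmpiA without a NULL check, although `EnumFunction` is checked. In GetActiveProcessIdW, the pointer returned by TranslateNativeNameW goes straight into `lstrcpyW(szProcessPath, szTranslatedProcName)` and VirtualFree with no NULL check and no length bound against the 1024-element `szProcessPath`, and `szImageName` reaches `_wcsicmp` without the NULL check that the ANSI wrapper performs. Both functions also silently ignore any processes beyond the fixed 1024-entry `bProcessId` array, which deserves at least a comment.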

View File

@ -0,0 +1,478 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Mapping.h"
#include "Global.Garbage.h"
// TitanEngine.Realigner.functions:
__declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {0};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, -1, uniFileName, _countof(uniFileName));
return FixHeaderCheckSumW(uniFileName);
}
else
{
return 0;
}
}
__declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
bool retVal = false;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, 0))
{
DWORD HeaderSum;
DWORD CheckSum;
if(CheckSumMappedFile((PVOID)FileMapVA, FileSize, &HeaderSum, &CheckSum))
{
retVal = SetPE32DataW(szFileName, NULL, UE_CHECKSUM, (ULONG_PTR)CheckSum);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
return retVal;
}
__declspec(dllexport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_SECTION_HEADER PESections;
DWORD NewVirtualSectionSize = 0;
DWORD NewSectionRawPointer = 0;
DWORD OldSectionDataRawPtr = 0;
DWORD OldSectionDataPtr = 0;
DWORD SectionDataPtr = 0;
DWORD SectionNumber = 0;
DWORD CurrentSection = 0;
DWORD FileAlignment = 0;
BOOL FileIs64;
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return(-1);
}
if(!FileIs64)
{
PESections = IMAGE_FIRST_SECTION(PEHeader32);
SectionNumber = PEHeader32->FileHeader.NumberOfSections;
FileAlignment = PEHeader32->OptionalHeader.FileAlignment;
if(FileAlignment == 0x1000)
{
FileAlignment = 0x200;
}
__try
{
PEHeader32->OptionalHeader.FileAlignment = FileAlignment;
while(SectionNumber > 0)
{
SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData;
if(PESections->SizeOfRawData > NULL)
{
SectionDataPtr--;
while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData)
{
SectionDataPtr--;
}
}
SectionDataPtr = SectionDataPtr - PESections->PointerToRawData;
OldSectionDataPtr = SectionDataPtr;
SectionDataPtr = (SectionDataPtr / FileAlignment) * FileAlignment;
if(SectionDataPtr < OldSectionDataPtr)
{
SectionDataPtr = SectionDataPtr + FileAlignment;
}
if(CurrentSection == NULL)
{
PEHeader32->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData;
PEHeader32->OptionalHeader.SectionAlignment = PESections->VirtualAddress;
PESections->SizeOfRawData = SectionDataPtr;
}
else
{
OldSectionDataRawPtr = PESections->PointerToRawData;
PESections->SizeOfRawData = SectionDataPtr;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
PESections->PointerToRawData = NewSectionRawPointer;
RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr);
}
NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment;
if(NewVirtualSectionSize < PESections->Misc.VirtualSize)
{
NewVirtualSectionSize = NewVirtualSectionSize + PEHeader32->OptionalHeader.SectionAlignment;
}
PESections->Misc.VirtualSize = NewVirtualSectionSize;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
CurrentSection++;
SectionNumber--;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
return(PESections->PointerToRawData + PESections->SizeOfRawData);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(-1);
}
}
else
{
PESections = IMAGE_FIRST_SECTION(PEHeader64);
SectionNumber = PEHeader64->FileHeader.NumberOfSections;
FileAlignment = PEHeader64->OptionalHeader.FileAlignment;
if(FileAlignment == 0x1000)
{
FileAlignment = 0x200;
}
__try
{
PEHeader64->OptionalHeader.FileAlignment = FileAlignment;
while(SectionNumber > 0)
{
SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData;
if(PESections->SizeOfRawData > NULL)
{
SectionDataPtr--;
while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData)
{
SectionDataPtr--;
}
}
SectionDataPtr = SectionDataPtr - PESections->PointerToRawData;
OldSectionDataPtr = SectionDataPtr;
SectionDataPtr = (SectionDataPtr / FileAlignment) * FileAlignment;
if(SectionDataPtr < OldSectionDataPtr)
{
SectionDataPtr = SectionDataPtr + FileAlignment;
}
if(CurrentSection == NULL)
{
PEHeader64->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData;
PEHeader64->OptionalHeader.SectionAlignment = PESections->VirtualAddress;
PESections->SizeOfRawData = SectionDataPtr;
}
else
{
OldSectionDataRawPtr = PESections->PointerToRawData;
PESections->SizeOfRawData = SectionDataPtr;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
PESections->PointerToRawData = NewSectionRawPointer;
RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr);
}
NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment;
if(NewVirtualSectionSize < PESections->Misc.VirtualSize)
{
NewVirtualSectionSize = NewVirtualSectionSize + PEHeader64->OptionalHeader.SectionAlignment;
}
PESections->Misc.VirtualSize = NewVirtualSectionSize;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
CurrentSection++;
SectionNumber--;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
return(PESections->PointerToRawData + PESections->SizeOfRawData);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(-1);
}
}
}
else
{
return(-1);
}
}
return(-1);
}
__declspec(dllexport) long TITCALL RealignPEEx(char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(RealignPEExW(uniFileName, RealingFileSize, ForcedFileAlignment));
}
else
{
return(-1);
}
}
__declspec(dllexport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment)
{
wchar_t szBackupFile[MAX_PATH] = {};
wchar_t szBackupItem[MAX_PATH] = {};
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_SECTION_HEADER PESections;
DWORD NewVirtualSectionSize = 0;
DWORD NewSectionRawPointer = 0;
DWORD OldSectionDataRawPtr = 0;
DWORD OldSectionDataPtr = 0;
DWORD SectionDataPtr = 0;
DWORD SectionNumber = 0;
DWORD CurrentSection = 0;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
if(!FileIs64)
{
PESections = IMAGE_FIRST_SECTION(PEHeader32);
SectionNumber = PEHeader32->FileHeader.NumberOfSections;
if(ForcedFileAlignment == 0x0)
{
ForcedFileAlignment = 0x200;
}
__try
{
PEHeader32->OptionalHeader.FileAlignment = ForcedFileAlignment;
while(SectionNumber > 0)
{
SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData;
if(PESections->SizeOfRawData > NULL)
{
SectionDataPtr--;
while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData)
{
SectionDataPtr--;
}
}
SectionDataPtr = SectionDataPtr - PESections->PointerToRawData;
OldSectionDataPtr = SectionDataPtr;
SectionDataPtr = (SectionDataPtr / ForcedFileAlignment) * ForcedFileAlignment;
if(SectionDataPtr < OldSectionDataPtr)
{
SectionDataPtr = SectionDataPtr + ForcedFileAlignment;
}
if(CurrentSection == NULL)
{
PEHeader32->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData;
PEHeader32->OptionalHeader.SectionAlignment = PESections->VirtualAddress;
PESections->SizeOfRawData = SectionDataPtr;
}
else
{
OldSectionDataRawPtr = PESections->PointerToRawData;
PESections->SizeOfRawData = SectionDataPtr;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
PESections->PointerToRawData = NewSectionRawPointer;
RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr);
}
NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment;
if(NewVirtualSectionSize < PESections->Misc.VirtualSize)
{
NewVirtualSectionSize = NewVirtualSectionSize + PEHeader32->OptionalHeader.SectionAlignment;
}
PESections->Misc.VirtualSize = NewVirtualSectionSize;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
CurrentSection++;
SectionNumber--;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
if(RealingFileSize == NULL)
{
FileSize = PESections->PointerToRawData + PESections->SizeOfRawData;
}
else
{
FileSize = RealingFileSize;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(szBackupItem[0] != NULL)
{
if(CopyFileW(szBackupFile, szFileName, false))
{
RemoveGarbageItem(szBackupItem, true);
return(FileSize);
}
else
{
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
}
else
{
return(FileSize);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
}
else
{
PESections = IMAGE_FIRST_SECTION(PEHeader64);
SectionNumber = PEHeader64->FileHeader.NumberOfSections;
if(ForcedFileAlignment == 0x0)
{
ForcedFileAlignment = 0x200;
}
__try
{
PEHeader64->OptionalHeader.FileAlignment = ForcedFileAlignment;
while(SectionNumber > 0)
{
SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData;
if(PESections->SizeOfRawData > NULL)
{
SectionDataPtr--;
while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData)
{
SectionDataPtr--;
}
}
SectionDataPtr = SectionDataPtr - PESections->PointerToRawData;
OldSectionDataPtr = SectionDataPtr;
SectionDataPtr = (SectionDataPtr / ForcedFileAlignment) * ForcedFileAlignment;
if(SectionDataPtr < OldSectionDataPtr)
{
SectionDataPtr = SectionDataPtr + ForcedFileAlignment;
}
if(CurrentSection == NULL)
{
PEHeader64->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData;
PEHeader64->OptionalHeader.SectionAlignment = PESections->VirtualAddress;
PESections->SizeOfRawData = SectionDataPtr;
}
else
{
OldSectionDataRawPtr = PESections->PointerToRawData;
PESections->SizeOfRawData = SectionDataPtr;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
PESections->PointerToRawData = NewSectionRawPointer;
RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr);
}
NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment;
if(NewVirtualSectionSize < PESections->Misc.VirtualSize)
{
NewVirtualSectionSize = NewVirtualSectionSize + PEHeader64->OptionalHeader.SectionAlignment;
}
PESections->Misc.VirtualSize = NewVirtualSectionSize;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
CurrentSection++;
SectionNumber--;
}
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER);
if(RealingFileSize == NULL)
{
FileSize = PESections->PointerToRawData + PESections->SizeOfRawData;
}
else
{
FileSize = RealingFileSize;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(szBackupItem[0] != NULL)
{
if(CopyFileW(szBackupFile, szFileName, false))
{
RemoveGarbageItem(szBackupItem, true);
return(FileSize);
}
else
{
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
}
else
{
return(FileSize);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return(-1);
}
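Review bot: RealignPE and RealignPEExW never check the section headers against the mapped size. `PointerToRawData + SizeOfRawData` is taken from the file and used directly in `*(PUCHAR)(FileMapVA + SectionDataPtr)` and in the RtlMoveMemory call, and RealignPE does not use its `FileSize` parameter at all. The `__try/__except` only helps when the bad offset happens to hit an unmapped page. In RealignPEExW the view is opened with UE_ACCESS_ALL, so a malformed header can make the move write outside the file view without faulting. Reject any section where `PointerToRawData + SizeOfRawData` exceeds `FileSize` (with an overflow check on the addition), and bound `NumberOfSections`, before entering the loop. Three smaller points. The trailing-zero scan leaves `SectionDataPtr` at the index of the last non-zero byte rather than the length, so when that index is an exact multiple of the alignment the rounded `SizeOfRawData` drops the final byte; add 1 before rounding up when the section is not empty. `SectionAlignment` is overwritten with the first section's `VirtualAddress` and then used as a divisor, and `ForcedFileAlignment` is only defaulted when it is 0, so neither is validated as a non-zero power of two. At the end of RealignPEExW, the final `UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA)` is only reached when MapFileExW failed, and those four locals are declared without initializers; initialize them or drop the call. The 32-bit and 64-bit branches are line-for-line copies apart from the header pointer, so a shared helper taking pointers to the alignment and SizeOfHeaders fields would let these fixes be made once instead of four times.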

View File

@ -0,0 +1,804 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
#include "Global.Garbage.h"
static LPVOID RelocationData = NULL;
LPVOID RelocationLastPage = NULL;
LPVOID RelocationStartPosition = NULL;
LPVOID RelocationWritePosition = NULL;
ULONG_PTR RelocationOldImageBase;
ULONG_PTR RelocationNewImageBase;
// TitanEngine.Relocater.functions:
__declspec(dllexport) void TITCALL RelocaterCleanup()
{
if(RelocationData != NULL)
{
VirtualFree(RelocationData, NULL, MEM_RELEASE);
RelocationLastPage = NULL;
RelocationStartPosition = NULL;
RelocationWritePosition = NULL;
RelocationOldImageBase = NULL;
RelocationNewImageBase = NULL;
}
}
__declspec(dllexport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase)
{
if(RelocationData != NULL)
{
VirtualFree(RelocationData, NULL, MEM_RELEASE);
}
RelocationData = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE);
RelocationLastPage = NULL;
RelocationStartPosition = RelocationData;
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationData + 8);
RelocationOldImageBase = OldImageBase;
RelocationNewImageBase = NewImageBase;
}
__declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState)
{
MEMORY_BASIC_INFORMATION MemInfo;
DWORD CompareDummy = NULL;
DWORD CopyDummy = NULL;
VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if(MemInfo.BaseAddress != RelocationLastPage || RelocationLastPage == NULL)
{
RelocationLastPage = MemInfo.BaseAddress;
if(memcmp(RelocationStartPosition, &CompareDummy, 4) == NULL)
{
CopyDummy = (DWORD)((ULONG_PTR)MemInfo.BaseAddress - (ULONG_PTR)RelocationNewImageBase);
RtlMoveMemory(RelocationStartPosition, &CopyDummy, 4);
}
else
{
CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition);
if(CopyDummy % 4 == NULL)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4);
}
else
{
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2);
CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition);
if(CopyDummy % 4 == NULL)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4);
}
else
{
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2);
CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition);
RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4);
}
}
RelocationStartPosition = RelocationWritePosition;
CopyDummy = (DWORD)((ULONG_PTR)RelocationLastPage - (ULONG_PTR)RelocationNewImageBase);
RtlMoveMemory(RelocationWritePosition, &CopyDummy, 4);
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 8);
}
}
#if !defined(_WIN64)
CopyDummy = (DWORD)((RelocateAddress - (ULONG_PTR)RelocationLastPage) ^ 0x3000);
#else
CopyDummy = (DWORD)((RelocateAddress - (ULONG_PTR)RelocationLastPage) ^ 0x8000);
#endif
RtlMoveMemory(RelocationWritePosition, &CopyDummy, 2);
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2);
}
__declspec(dllexport) long TITCALL RelocaterEstimatedSize()
{
return((DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData + 8));
}
__declspec(dllexport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
BOOL FileIs64 = false;
DWORD CopyDummy = NULL;
__try
{
if((ULONG_PTR)RelocationStartPosition != -1)
{
CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition);
if(CopyDummy % 4 == NULL)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4);
}
else
{
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2);
CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition);
if(CopyDummy % 4 == NULL)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4);
}
else
{
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2);
CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition);
RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4);
}
}
}
RtlMoveMemory((LPVOID)StorePlace, RelocationData, (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData));
VirtualFree(RelocationData, NULL, MEM_RELEASE);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return false;
}
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
RelocationData = NULL;
return false;
}
if(!FileIs64)
{
PEHeader32->OptionalHeader.ImageBase = (DWORD)RelocationNewImageBase;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = StorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData);
}
else
{
PEHeader64->OptionalHeader.ImageBase = (ULONG_PTR)RelocationNewImageBase;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = StorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData);
}
RelocationData = NULL;
return true;
}
RelocationData = NULL;
return false;
}
__declspec(dllexport) bool TITCALL RelocaterExportRelocationEx(char* szFileName, char* szSectionName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(RelocaterExportRelocationExW(uniFileName, szSectionName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileName, char* szSectionName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD NewSectionVO = NULL;
DWORD NewSectionFO = NULL;
bool ReturnValue = false;
if(RelocaterEstimatedSize() > NULL)
{
NewSectionVO = AddNewSectionW(szFileName, szSectionName, RelocaterEstimatedSize());
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true);
if(NewSectionFO)
ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return true;
}
else
{
return false;
}
}
else
{
return false;
}
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize)
{
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR ueNumberOfBytesRead = NULL;
DWORD OldProtect;
if(RelocationData != NULL)
{
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead))
{
RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationData + MemorySize);
RelocationStartPosition = (LPVOID)(-1);
return true;
}
}
return false;
}
__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage)
{
MEMORY_BASIC_INFORMATION MemInfo;
LPVOID ReadMemoryStorage = NULL;
LPVOID mReadMemoryStorage = NULL;
ULONG_PTR ueNumberOfBytesRead = NULL;
DWORD CompareDummy = NULL;
DWORD RelocationBase = NULL;
DWORD RelocationSize = NULL;
DWORD OldProtect;
DynBuf mem;
if(RelocationData != NULL)
{
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
OldProtect = MemInfo.Protect;
VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
if(MemInfo.RegionSize < MemorySize || MemorySize == NULL)
{
MemorySize = MemInfo.RegionSize;
}
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
ReadMemoryStorage = mem.Allocate(MemorySize);
mReadMemoryStorage = ReadMemoryStorage;
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead))
{
RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4);
RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4);
while(memcmp(ReadMemoryStorage, &CompareDummy, 4) != NULL && RelocationBase < NtSizeOfImage && RelocationSize < 0x2000)
{
ReadMemoryStorage = (LPVOID)((ULONG_PTR)ReadMemoryStorage + RelocationSize);
RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4);
RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4);
}
return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage)));
}
else
{
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize)
{
return(DumpMemory(hProcess, MemoryStart, MemorySize, szSaveFileName));
}
__declspec(dllexport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize)
{
return(DumpMemoryW(hProcess, MemoryStart, MemorySize, szSaveFileName));
}
__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, char* szDumpFile1, char* szDumpFile2, ULONG_PTR MemStart)
{
wchar_t uniDumpFile1[MAX_PATH] = {};
wchar_t uniDumpFile2[MAX_PATH] = {};
if(szDumpFile1 != NULL && szDumpFile2 != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFile1, lstrlenA(szDumpFile1) + 1, uniDumpFile1, sizeof(uniDumpFile1) / (sizeof(uniDumpFile1[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFile2, lstrlenA(szDumpFile2) + 1, uniDumpFile2, sizeof(uniDumpFile2) / (sizeof(uniDumpFile2[0])));
return(RelocaterCompareTwoSnapshotsW(hProcess, LoadedImageBase, NtSizeOfImage, uniDumpFile1, uniDumpFile2, MemStart));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, wchar_t* szDumpFile1, wchar_t* szDumpFile2, ULONG_PTR MemStart)
{
int i = NULL;
ULONG_PTR DeltaByte = NULL;
int RelativeBase = NULL;
ULONG_PTR ReadData = NULL;
HANDLE FileHandle1;
DWORD FileSize1;
HANDLE FileMap1;
ULONG_PTR FileMapVA1;
HANDLE FileHandle2;
DWORD FileSize2;
HANDLE FileMap2;
ULONG_PTR FileMapVA2;
DWORD SearchSize;
LPVOID Search1;
LPVOID Search2;
DWORD bkSearchSize;
LPVOID bkSearch1;
LPVOID bkSearch2;
if(MapFileExW(szDumpFile1, UE_ACCESS_READ, &FileHandle1, &FileSize1, &FileMap1, &FileMapVA1, NULL))
{
if(MapFileExW(szDumpFile2, UE_ACCESS_READ, &FileHandle2, &FileSize2, &FileMap2, &FileMapVA2, NULL))
{
if(RelocationOldImageBase != NULL && RelocationNewImageBase != NULL && RelocationOldImageBase != RelocationNewImageBase)
{
__try
{
if(RelocationOldImageBase > RelocationNewImageBase)
{
DeltaByte = (ULONG_PTR)((ULONG_PTR)RelocationOldImageBase - (ULONG_PTR)RelocationNewImageBase);
}
else
{
DeltaByte = (ULONG_PTR)((ULONG_PTR)RelocationNewImageBase - (ULONG_PTR)RelocationOldImageBase);
}
while((BYTE)DeltaByte == NULL)
{
DeltaByte = DeltaByte / 0x10;
i++;
}
DeltaByte = i - 1;
Search1 = (LPVOID)FileMapVA1;
Search2 = (LPVOID)FileMapVA2;
NtSizeOfImage = NtSizeOfImage + LoadedImageBase;
SearchSize = FileSize2;
SearchSize--;
while((int)SearchSize > NULL)
{
if(memcmp(Search1, Search2, 1) != 0)
{
i = sizeof(HANDLE);
RelativeBase = NULL;
bkSearch1 = Search1;
bkSearch2 = Search2;
bkSearchSize = SearchSize;
if(Search1 >= (void*)((ULONG_PTR)FileMapVA1 + DeltaByte))
{
Search1 = (LPVOID)((ULONG_PTR)Search1 - DeltaByte);
Search2 = (LPVOID)((ULONG_PTR)Search2 - DeltaByte);
SearchSize = SearchSize + (DWORD)DeltaByte;
}
while(i > NULL && RelativeBase == NULL)
{
RtlMoveMemory(&ReadData, Search2, sizeof(HANDLE));
if(ReadData >= LoadedImageBase && ReadData <= NtSizeOfImage)
{
RelativeBase++;
}
else
{
Search1 = (LPVOID)((ULONG_PTR)Search1 + 1);
Search2 = (LPVOID)((ULONG_PTR)Search2 + 1);
SearchSize = SearchSize - 1;
i--;
}
}
if(RelativeBase == NULL)
{
Search1 = bkSearch1;
Search2 = bkSearch2;
SearchSize = bkSearchSize;
}
else
{
RelocaterAddNewRelocation(hProcess, MemStart + ((ULONG_PTR)Search2 - (ULONG_PTR)FileMapVA2), NULL);
Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof(HANDLE) - 1);
Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof(HANDLE) - 1);
SearchSize = SearchSize - sizeof(HANDLE) + 1;
}
}
Search1 = (LPVOID)((ULONG_PTR)Search1 + 1);
Search2 = (LPVOID)((ULONG_PTR)Search2 + 1);
SearchSize = SearchSize - 1;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
RelocaterCleanup();
UnMapFileEx(FileHandle2, FileSize2, FileMap2, FileMapVA2);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return false;
}
}
UnMapFileEx(FileHandle2, FileSize2, FileMap2, FileMapVA2);
}
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL RelocaterChangeFileBase(char* szFileName, ULONG_PTR NewImageBase)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(RelocaterChangeFileBaseW(uniFileName, NewImageBase));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName, ULONG_PTR NewImageBase)
{
DWORD RelocSize;
ULONG_PTR RelocData;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD CompareDummy = NULL;
DWORD RelocDelta = NULL;
DWORD RelocDeltaSize = NULL;
WORD RelocAddressData = NULL;
ULONG_PTR RelocWriteAddress = NULL;
ULONG_PTR RelocWriteData = NULL;
DWORD64 RelocWriteData64 = NULL;
wchar_t szBackupFile[MAX_PATH] = {};
wchar_t szBackupItem[MAX_PATH] = {};
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.ImageBase == (DWORD)NewImageBase)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return true;
}
RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true);
RelocSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
}
else
{
if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase == NewImageBase)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return true;
}
RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true);
RelocSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
}
__try
{
while(memcmp((LPVOID)RelocData, &CompareDummy, 4))
{
RtlMoveMemory(&RelocDelta, (LPVOID)RelocData, 4);
RtlMoveMemory(&RelocDeltaSize, (LPVOID)((ULONG_PTR)RelocData + 4), 4);
RelocDeltaSize = RelocDeltaSize - 8;
RelocData = RelocData + 8;
while(RelocDeltaSize > NULL)
{
RtlMoveMemory(&RelocAddressData, (LPVOID)RelocData, 2);
if(RelocAddressData != NULL)
{
if(RelocAddressData & 0x8000)
{
RelocAddressData = RelocAddressData ^ 0x8000;
RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta);
RelocWriteAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((DWORD64)PEHeader64->OptionalHeader.ImageBase + RelocWriteAddress), true);
RtlMoveMemory(&RelocWriteData64, (LPVOID)RelocWriteAddress, 8);
RelocWriteData64 = RelocWriteData64 - (DWORD64)PEHeader64->OptionalHeader.ImageBase + (DWORD64)NewImageBase;
RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData64, 8);
}
else if(RelocAddressData & 0x3000)
{
RelocAddressData = RelocAddressData ^ 0x3000;
RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta);
RelocWriteAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, PEHeader32->OptionalHeader.ImageBase + RelocWriteAddress, true);
RtlMoveMemory(&RelocWriteData, (LPVOID)RelocWriteAddress, 4);
RelocWriteData = RelocWriteData - PEHeader32->OptionalHeader.ImageBase + NewImageBase;
RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData, 4);
}
}
RelocDeltaSize = RelocDeltaSize - 2;
RelocData = RelocData + 2;
}
}
if(!FileIs64)
{
PEHeader32->OptionalHeader.ImageBase = (DWORD)NewImageBase;
}
else
{
PEHeader64->OptionalHeader.ImageBase = (ULONG_PTR)NewImageBase;
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(szBackupItem[0] != NULL)
{
if(CopyFileW(szBackupFile, szFileName, false))
{
RemoveGarbageItem(szBackupItem, true);
return true;
}
else
{
RemoveGarbageItem(szBackupItem, true);
return false;
}
}
else
{
return true;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return false;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
RemoveGarbageItem(szBackupItem, true);
return false;
}
}
RemoveGarbageItem(szBackupItem, true);
return false;
}
__declspec(dllexport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase)
{
BOOL FileIs64;
DWORD RelocSize;
ULONG_PTR RelocData;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
DWORD CompareDummy = NULL;
DWORD RelocDelta = NULL;
DWORD RelocDeltaSize = NULL;
WORD RelocAddressData = NULL;
ULONG_PTR RelocWriteAddress = NULL;
ULONG_PTR RelocWriteData = NULL;
DWORD64 RelocWriteData64 = NULL;
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
MemoryLocation = MemoryLocation - CurrentLoadedBase;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.ImageBase == (DWORD)RelocateBase)
{
return true;
}
RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true);
RelocSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
}
else
{
if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase == RelocateBase)
{
return true;
}
RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true);
RelocSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
}
__try
{
while(memcmp((LPVOID)RelocData, &CompareDummy, 4))
{
RtlMoveMemory(&RelocDelta, (LPVOID)RelocData, 4);
RtlMoveMemory(&RelocDeltaSize, (LPVOID)((ULONG_PTR)RelocData + 4), 4);
RelocDeltaSize = RelocDeltaSize - 8;
RelocData = RelocData + 8;
while(RelocDeltaSize > NULL)
{
RtlMoveMemory(&RelocAddressData, (LPVOID)RelocData, 2);
if(RelocAddressData != NULL)
{
if(RelocAddressData & 0x8000)
{
RelocAddressData = RelocAddressData ^ 0x8000;
if(RelocAddressData >= MemoryLocation && RelocAddressData < MemoryLocation + RelocateMemorySize)
{
RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta - MemoryLocation + (ULONG_PTR)RelocateMemory);
RtlMoveMemory(&RelocWriteData64, (LPVOID)RelocWriteAddress, 8);
RelocWriteData64 = RelocWriteData64 - (DWORD64)PEHeader64->OptionalHeader.ImageBase + (DWORD64)RelocateBase;
RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData64, 8);
}
}
else if(RelocAddressData & 0x3000)
{
RelocAddressData = RelocAddressData ^ 0x3000;
if(RelocAddressData >= MemoryLocation && RelocAddressData < MemoryLocation + RelocateMemorySize)
{
RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta - MemoryLocation + (ULONG_PTR)RelocateMemory);
RtlMoveMemory(&RelocWriteData, (LPVOID)RelocWriteAddress, 4);
RelocWriteData = RelocWriteData - PEHeader32->OptionalHeader.ImageBase + RelocateBase;
RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData, 4);
}
}
}
RelocDeltaSize = RelocDeltaSize - 2;
RelocData = RelocData + 2;
}
}
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return false;
}
}
else
{
return false;
}
return false;
}
__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return(RelocaterWipeRelocationTableW(uniFileName));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(wchar_t* szFileName)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
DWORD WipeSectionNumber = NULL;
ULONG_PTR Characteristics;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL)
{
Characteristics = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) ^ 1;
SetPE32DataForMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS, Characteristics);
WipeSectionNumber = GetPE32SectionNumberFromVA(FileMapVA, (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase));
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(WipeSectionW(szFileName, (int)WipeSectionNumber, true));
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL)
{
Characteristics = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) ^ 1;
SetPE32DataForMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS, Characteristics);
WipeSectionNumber = GetPE32SectionNumberFromVA(FileMapVA, (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase));
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(WipeSectionW(szFileName, (int)WipeSectionNumber, true));
}
}
}
}
return false;
}
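Review bot: the relocation entry decode in both loops (the one that ends just above `RelocaterRelocateMemoryBlock` and the one inside it) tests `RelocAddressData & 0x8000` and then clears only that bit with `RelocAddressData ^ 0x8000`. The type is held in the top four bits of each entry and IMAGE_REL_BASED_DIR64 is 10 (0xA000), so the XOR leaves 0x2000 in the offset and the 8-byte fixup lands 0x2000 bytes past the intended location; `& 0x3000` likewise accepts any type with either of those bits set, not only HIGHLOW. Suggest splitting each entry into `RelocAddressData >> 12` and `RelocAddressData & 0x0FFF` and comparing the type against IMAGE_REL_BASED_DIR64 and IMAGE_REL_BASED_HIGHLOW. Separately, `RelocSize` is read from the data directory but never used: the walk stops only on a zero DWORD or on an access violation caught by `__except`, and `RelocDeltaSize - 8` wraps when a block declares a size below 8, so on a malformed file the loop keeps patching the mapping until it faults. Bounding the outer loop by `RelocSize` and rejecting blocks smaller than 8 bytes would close that. In `RelocaterWipeRelocationTableW`, the paths where the header check fails or the relocation directory is empty fall through to `return false` without calling `UnMapFileEx`.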


@ -0,0 +1,357 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
#include "Global.Handle.h"
// TitanEngine.Resourcer.functions:
__declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUse(char* szFileName)
{
return((ULONG_PTR)EngineSimulateNtLoader(szFileName));
}
__declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUseW(wchar_t* szFileName)
{
return((ULONG_PTR)EngineSimulateNtLoaderW(szFileName));
}
__declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase)
{
if(VirtualFree(LoadedFileBase, NULL, MEM_RELEASE))
{
return true;
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(HMODULE hFile, char* szResourceType, char* szResourceName, char* szExtractedFileName)
{
HRSRC hResource;
HGLOBAL hResourceGlobal;
DWORD ResourceSize;
LPVOID ResourceData;
DWORD NumberOfBytesWritten;
HANDLE hOutFile;
hResource = FindResourceA(hFile, (LPCSTR)szResourceName, (LPCSTR)szResourceType);
if(hResource != NULL)
{
hResourceGlobal = LoadResource(hFile, hResource);
if(hResourceGlobal != NULL)
{
ResourceSize = SizeofResource(hFile, hResource);
ResourceData = LockResource(hResourceGlobal);
EngineCreatePathForFile(szExtractedFileName);
hOutFile = CreateFileA(szExtractedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hOutFile != INVALID_HANDLE_VALUE)
{
WriteFile(hOutFile, ResourceData, ResourceSize, &NumberOfBytesWritten, NULL);
EngineCloseHandle(hOutFile);
}
else
{
return false;
}
}
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(char* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName)
{
HMODULE hFile = NULL;
bool bReturn;
hFile = LoadLibraryA(szFileName);
if(hFile != NULL)
{
bReturn = ResourcerExtractResourceFromFileEx(hFile, szResourceType, szResourceName, szExtractedFileName);
FreeLibrary(hFile);
if(bReturn)
{
return true;
}
}
return false;
}
__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(wchar_t* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName)
{
HMODULE hFile = NULL;
bool bReturn;
hFile = LoadLibraryW(szFileName);
if(hFile != NULL)
{
bReturn = ResourcerExtractResourceFromFileEx(hFile, szResourceType, szResourceName, szExtractedFileName);
FreeLibrary(hFile);
if(bReturn)
{
return true;
}
}
return false;
}
__declspec(dllexport) bool TITCALL ResourcerFindResource(char* szFileName, char* szResourceType, DWORD ResourceType, char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrResourceType = NULL;
wchar_t uniResourceType[MAX_PATH] = {};
wchar_t* PtrResourceName = NULL;
wchar_t uniResourceName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
if(szResourceName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szResourceName, lstrlenA(szResourceName) + 1, uniResourceName, sizeof(uniResourceName) / (sizeof(uniResourceName[0])));
}
else
{
PtrResourceType = &uniResourceType[0];
}
if(szResourceType != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szResourceType, lstrlenA(szResourceType) + 1, uniResourceType, sizeof(uniResourceType) / (sizeof(uniResourceType[0])));
}
else
{
PtrResourceName = &uniResourceName[0];
}
return(ResourcerFindResourceW(uniFileName, PtrResourceType, ResourceType, PtrResourceName, ResourceName, ResourceLanguage, pResourceData, pResourceSize));
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ResourcerFindResourceW(wchar_t* szFileName, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize)
{
bool ReturnValue;
ULONG_PTR FileMapVA;
HANDLE FileHandle;
HANDLE FileMap;
DWORD FileSize;
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
ReturnValue = ResourcerFindResourceEx(FileMapVA, FileSize, szResourceType, ResourceType, szResourceName, ResourceName, ResourceLanguage, pResourceData, pResourceSize);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return true;
}
}
else
{
return false;
}
return false;
}
__declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize)
{
int i, j, n;
wchar_t* uniResourceName;
wchar_t* uniResourceType;
PIMAGE_RESOURCE_DIRECTORY PEResource;
PIMAGE_RESOURCE_DIRECTORY PEResourcePtr;
PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir;
PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr1;
PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir1;
PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr2;
PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir2;
PIMAGE_RESOURCE_DATA_ENTRY PEResourceItem;
__try
{
if(FileMapVA != NULL && FileSize != NULL)
{
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
if(PEResource != NULL)
{
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof(IMAGE_RESOURCE_DIRECTORY));
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
PEResourcePtr = PEResource;
while(i > NULL)
{
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof(IMAGE_RESOURCE_DIRECTORY));
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset);
if(((bool)PEResourceDir->NameIsString == true && EngineCompareResourceString(uniResourceType, szResourceType) == true) || ((bool)PEResourceDir->NameIsString == false && PEResourceDir->Id == ResourceType))
{
while(j > NULL)
{
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset);
if(((bool)PEResourceDir1->NameIsString == true && EngineCompareResourceString(uniResourceName, szResourceName) == true) || ((bool)PEResourceDir1->NameIsString == false && PEResourceDir1->Id == ResourceName))
{
while(n > NULL)
{
PEResourceItem = (PIMAGE_RESOURCE_DATA_ENTRY)((ULONG_PTR)PEResourcePtr + PEResourceDir2->OffsetToData);
if(ResourceLanguage == UE_RESOURCE_LANGUAGE_ANY || ResourceLanguage == PEResourceDir2->Id)
{
*pResourceData = PEResourceItem->OffsetToData;
*pResourceSize = PEResourceItem->Size;
return true;
}
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
n--;
}
}
else
{
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY) * n);
}
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
j--;
}
}
else
{
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY) * j);
}
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
i--;
}
}
}
else
{
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return false;
}
__declspec(dllexport) void TITCALL ResourcerEnumerateResource(char* szFileName, void* CallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
ResourcerEnumerateResourceW(uniFileName, CallBack);
}
}
__declspec(dllexport) void TITCALL ResourcerEnumerateResourceW(wchar_t* szFileName, void* CallBack)
{
ULONG_PTR FileMapVA;
HANDLE FileHandle;
HANDLE FileMap;
DWORD FileSize;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
ResourcerEnumerateResourceEx(FileMapVA, FileSize, CallBack);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
}
__declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack)
{
int i, j, n;
wchar_t* pUniResourceName;
wchar_t* pUniResourceType;
PIMAGE_RESOURCE_DIRECTORY PEResource;
PIMAGE_RESOURCE_DIRECTORY PEResourcePtr;
PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir;
PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr1;
PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir1;
PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr2;
PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir2;
PIMAGE_RESOURCE_DATA_ENTRY PEResourceItem;
typedef bool(TITCALL * fResourceEnumerator)(wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, DWORD ResourceData, DWORD ResourceSize);
fResourceEnumerator myResourceEnumerator = (fResourceEnumerator)CallBack;
__try
{
if(CallBack != NULL)
{
if(FileMapVA != NULL && FileSize != NULL)
{
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
if(PEResource != NULL)
{
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof(IMAGE_RESOURCE_DIRECTORY));
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
PEResourcePtr = PEResource;
while(i > NULL)
{
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof(IMAGE_RESOURCE_DIRECTORY));
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
while(j > NULL)
{
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
while(n > NULL)
{
wchar_t uniResourceName[MAX_PATH] = {};
wchar_t uniResourceType[MAX_PATH] = {};
PEResourceItem = (PIMAGE_RESOURCE_DATA_ENTRY)((ULONG_PTR)PEResourcePtr + PEResourceDir2->OffsetToData);
if(PEResourceDir->NameIsString)
{
WORD resourceTypeLen = *(WORD*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset);
wcsncpy(uniResourceType, (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset) + 1, resourceTypeLen);
pUniResourceType = uniResourceType;
}
else
{
pUniResourceType = NULL;
}
if(PEResourceDir1->NameIsString)
{
WORD resourceNameLen = *(WORD*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset);
wcsncpy(uniResourceName, (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset) + 1, resourceNameLen);
pUniResourceName = uniResourceName;
}
else
{
pUniResourceName = NULL;
}
if(!myResourceEnumerator(pUniResourceType, PEResourceDir->Id, pUniResourceName, PEResourceDir1->Id, PEResourceDir2->Id, PEResourceItem->OffsetToData, PEResourceItem->Size))
{
return;
}
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
n--;
}
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
j--;
}
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
i--;
}
}
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
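Review bot: in `ResourcerEnumerateResourceEx`, `resourceTypeLen` and `resourceNameLen` are read straight from the mapped file and passed as the count to `wcsncpy` into `uniResourceType` and `uniResourceName`, which hold MAX_PATH characters. A resource string whose length word exceeds MAX_PATH writes past those stack buffers, and a length of exactly MAX_PATH leaves them unterminated; the surrounding `__try` does not make that safe. Clamp the count to MAX_PATH - 1 before copying. The directory walks here and in `ResourcerFindResourceEx` also add `OffsetToData` and `NameOffset` to `PEResourcePtr` without checking the result against `FileSize`, and `OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY` sets the high bit when an entry is a leaf instead of clearing it; testing `DataIsDirectory` first, masking with `& ~IMAGE_RESOURCE_DATA_IS_DIRECTORY`, and validating each offset against the mapping would be safer. In `ResourcerFindResource` the pointer setup looks inverted: the `szResourceName != NULL` branch converts the string but never sets `PtrResourceName`, while its `else` sets `PtrResourceType`, so a caller that passes both strings reaches `ResourcerFindResourceW` with two NULL pointers.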

File diff suppressed because it is too large


@ -0,0 +1,732 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Mapping.h"
#include "Global.Debugger.h"
#include "Global.TLS.h"
static bool engineBackupTLSx64 = false;
static IMAGE_TLS_DIRECTORY32 engineBackupTLSDataX86 = {};
static IMAGE_TLS_DIRECTORY64 engineBackupTLSDataX64 = {};
static DWORD engineBackupNumberOfCallBacks = NULL;
static std::vector<ULONG_PTR> engineBackupArrayOfCallBacks;
static DWORD engineBackupTLSAddress = NULL;
// TitanEngine.TLS.functions:
__declspec(dllexport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack)
{
ULONG_PTR* ReadArrayOfCallBacks = (ULONG_PTR*)ArrayOfCallBacks;
if(NumberOfCallBacks && EngineIsValidReadPtrEx(ReadArrayOfCallBacks, sizeof(ULONG_PTR)*NumberOfCallBacks) && bpxCallBack)
{
ClearTlsCallBackList(); //clear TLS cb list
for(unsigned int i = 0; i < NumberOfCallBacks; i++)
tlsCallBackList.push_back(ReadArrayOfCallBacks[i]);
engineTLSBreakOnCallBackAddress = (ULONG_PTR)bpxCallBack;
engineTLSBreakOnCallBack = true;
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL TLSGrabCallBackData(char* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return TLSGrabCallBackDataW(uniFileName, ArrayOfCallBacks, NumberOfCallBacks);
}
return false;
}
__declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
DWORD NumberOfTLSCallBacks = 0;
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
bool FileIs64;
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64) //x86
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX86 && TLSDirectoryX86->AddressOfCallBacks != NULL)
{
ULONG_PTR TLSCompareData = 0;
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
if(TLSCallBackAddress)
{
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
{
if(ArrayOfCallBacks)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof(ULONG_PTR));
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof(ULONG_PTR));
}
TLSCallBackAddress = TLSCallBackAddress + sizeof(ULONG_PTR);
NumberOfTLSCallBacks++;
}
if(NumberOfCallBacks)
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else //x64
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX64 && TLSDirectoryX64->AddressOfCallBacks != NULL)
{
ULONG_PTR TLSCompareData = NULL;
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
if(TLSCallBackAddress)
{
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
{
if(ArrayOfCallBacks)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof(ULONG_PTR));
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof(ULONG_PTR));
}
TLSCallBackAddress = TLSCallBackAddress + sizeof(ULONG_PTR);
NumberOfTLSCallBacks++;
}
if(NumberOfCallBacks)
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackEx(char* szFileName, LPVOID bpxCallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return TLSBreakOnCallBackExW(uniFileName, bpxCallBack);
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackExW(wchar_t* szFileName, LPVOID bpxCallBack)
{
DWORD NumberOfCallBacks;
if(TLSGrabCallBackDataW(szFileName, NULL, &NumberOfCallBacks))
{
DynBuf TlsArrayOfCallBacks(NumberOfCallBacks * sizeof(ULONG_PTR));
if(TLSGrabCallBackDataW(szFileName, TlsArrayOfCallBacks.GetPtr(), &NumberOfCallBacks))
{
return TLSBreakOnCallBack(TlsArrayOfCallBacks.GetPtr(), NumberOfCallBacks, bpxCallBack);
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSRemoveCallback(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return TLSRemoveCallbackW(uniFileName);
}
return false;
}
__declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
bool FileIs64;
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
{
TLSDirectoryX86->AddressOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
{
TLSDirectoryX64->AddressOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSRemoveTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return TLSRemoveTableW(uniFileName);
}
return false;
}
__declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
bool FileIs64;
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
RtlZeroMemory(TLSDirectoryX86, sizeof(IMAGE_TLS_DIRECTORY32));
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
RtlZeroMemory(TLSDirectoryX64, sizeof(IMAGE_TLS_DIRECTORY64));
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBackupData(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return TLSBackupDataW(uniFileName);
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
DWORD NumberOfTLSCallBacks = NULL;
engineBackupTLSAddress = NULL;
RtlZeroMemory(&engineBackupTLSDataX86, sizeof(IMAGE_TLS_DIRECTORY32));
RtlZeroMemory(&engineBackupTLSDataX64, sizeof(IMAGE_TLS_DIRECTORY64));
ClearTlsVector(&engineBackupArrayOfCallBacks); //clear backup array
std::vector<ULONG_PTR>* ArrayOfCallBacks = &engineBackupArrayOfCallBacks;
LPDWORD NumberOfCallBacks = &engineBackupNumberOfCallBacks;
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
bool FileIs64;
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
if(!FileIs64) //x86
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
engineBackupTLSx64 = false;
engineBackupTLSAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof(IMAGE_TLS_DIRECTORY32));
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
{
ULONG_PTR TLSCompareData = 0;
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
{
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
TLSCallBackAddress++; //next callback
NumberOfTLSCallBacks++;
}
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else //x64
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
engineBackupTLSx64 = true;
engineBackupTLSAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof(IMAGE_TLS_DIRECTORY64));
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
{
ULONG_PTR TLSCompareData = 0;
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
{
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
TLSCallBackAddress++; //next callback
NumberOfTLSCallBacks++;
}
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSRestoreData()
{
ULONG_PTR ueNumberOfBytesRead = NULL;
if(dbgProcessInformation.hProcess != NULL && engineBackupTLSAddress != NULL)
{
if(engineBackupTLSx64)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX64, sizeof(IMAGE_TLS_DIRECTORY64), &ueNumberOfBytesRead))
{
if(engineBackupTLSDataX64.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
{
DynBuf BackupData(sizeof(ULONG_PTR)*engineBackupArrayOfCallBacks.size());
ULONG_PTR* Backup = (ULONG_PTR*)BackupData.GetPtr();
for(unsigned int i = 0; i < engineBackupArrayOfCallBacks.size(); i++)
Backup[i] = engineBackupArrayOfCallBacks.at(i);
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSDataX64.AddressOfCallBacks + GetDebuggedFileBaseAddress()), Backup, BackupData.Size(), &ueNumberOfBytesRead))
{
engineBackupTLSAddress = NULL;
return true;
}
}
else
{
engineBackupTLSAddress = NULL;
return true;
}
}
}
else
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX86, sizeof(IMAGE_TLS_DIRECTORY32), &ueNumberOfBytesRead))
{
if(engineBackupTLSDataX86.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
{
DynBuf BackupData(sizeof(ULONG_PTR)*engineBackupArrayOfCallBacks.size());
ULONG_PTR* Backup = (ULONG_PTR*)BackupData.GetPtr();
for(unsigned int i = 0; i < engineBackupArrayOfCallBacks.size(); i++)
Backup[i] = engineBackupArrayOfCallBacks.at(i);
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSDataX86.AddressOfCallBacks + GetDebuggedFileBaseAddress()), Backup, BackupData.Size(), &ueNumberOfBytesRead))
{
engineBackupTLSAddress = NULL;
return true;
}
}
else
{
engineBackupTLSAddress = NULL;
return true;
}
}
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
if(FileMapVA != NULL)
{
PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
bool FileIs64;
ULONG_PTR TLSWriteData = StorePlaceRVA;
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return false;
}
if(!FileIs64)
{
__try
{
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof(IMAGE_TLS_DIRECTORY32);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace;
TLSDirectoryX86->StartAddressOfRawData = (DWORD)TLSWriteData;
TLSDirectoryX86->EndAddressOfRawData = (DWORD)TLSWriteData + 0x10;
TLSDirectoryX86->AddressOfIndex = (DWORD)TLSWriteData + 0x14;
TLSDirectoryX86->AddressOfCallBacks = (DWORD)TLSWriteData + sizeof(IMAGE_TLS_DIRECTORY32) + 8;
RtlMoveMemory((LPVOID)(StorePlace + sizeof(IMAGE_TLS_DIRECTORY32) + 8), ArrayOfCallBacks, NumberOfCallBacks * 4);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return false;
}
}
else
{
__try
{
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof(IMAGE_TLS_DIRECTORY64);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace;
TLSDirectoryX64->StartAddressOfRawData = TLSWriteData;
TLSDirectoryX64->EndAddressOfRawData = TLSWriteData + 0x20;
TLSDirectoryX64->AddressOfIndex = TLSWriteData + 0x28;
TLSDirectoryX64->AddressOfCallBacks = TLSWriteData + sizeof(IMAGE_TLS_DIRECTORY64) + 12;
RtlMoveMemory((LPVOID)(StorePlace + sizeof(IMAGE_TLS_DIRECTORY64) + 12), ArrayOfCallBacks, NumberOfCallBacks * 8);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return false;
}
}
}
else
{
return false;
}
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0])));
return TLSBuildNewTableExW(uniFileName, szSectionName, ArrayOfCallBacks, NumberOfCallBacks);
}
return false;
}
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
ULONG_PTR tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE);
DWORD NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof(IMAGE_TLS_DIRECTORY64) * 2);
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DWORD NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true);
bool ReturnValue = false;
if(NewSectionFO)
ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return true;
}
else
{
return false;
}
}
return false;
}
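Review bot: In TLSBuildNewTable the callback copy `RtlMoveMemory(..., ArrayOfCallBacks, NumberOfCallBacks * 4)` (and `NumberOfCallBacks * 8` in the 64-bit branch) is never checked against the space available at StorePlace, while TLSBuildNewTableExW always requests a section of `sizeof(IMAGE_TLS_DIRECTORY64) * 2` bytes regardless of NumberOfCallBacks. The __try/__except only catches a fault, so a large count can write past the requested section inside the mapping without any error. Derive the section size from NumberOfCallBacks (directory, padding, callbacks and a terminating zero entry), pass that size into TLSBuildNewTable and reject counts that do not fit. Also in TLSBuildNewTableExW, NewSectionFO is declared DWORD although the other callers in this file cast the result of ConvertVAtoFileOffset with `true` straight to a pointer, and it is then passed on as StorePlace; keep it as ULONG_PTR, and check the AddNewSectionW return value before mapping the file.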


@ -0,0 +1,366 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Handle.h"
#include "Global.Engine.h"
#include "Global.Threader.h"
#include "Global.Debugger.h"
void updateThreadList(THREAD_ITEM_DATA* NewThreadData)
{
bool notInList = true;
int count = (int)hListThread.size();
for(int i = 0; i < count; i++)
{
if(hListThread.at(i).dwThreadId == NewThreadData->dwThreadId)
{
notInList = false;
CloseHandle(NewThreadData->hThread); //handle not needed
hListThread.at(i).BasePriority = NewThreadData->BasePriority;
hListThread.at(i).ContextSwitches = NewThreadData->ContextSwitches;
hListThread.at(i).Priority = NewThreadData->Priority;
hListThread.at(i).TebAddress = NewThreadData->TebAddress;
hListThread.at(i).ThreadStartAddress = NewThreadData->ThreadStartAddress;
hListThread.at(i).WaitReason = NewThreadData->WaitReason;
hListThread.at(i).WaitTime = NewThreadData->WaitTime;
hListThread.at(i).ThreadState = NewThreadData->ThreadState;
break;
}
}
if(notInList)
{
hListThread.push_back(*NewThreadData);
}
}
// TitanEngine.Threader.functions:
__declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId)
{
bool updateList = false;
DWORD dwProcessId = 0;
if(ProcessId == NULL && dbgProcessInformation.hProcess != NULL)
{
updateList = true;
dwProcessId = GetProcessId(dbgProcessInformation.hProcess);
}
else if(ProcessId != NULL && dbgProcessInformation.hProcess != NULL)
{
updateList = true;
dwProcessId = ProcessId;
}
else if(ProcessId != NULL && dbgProcessInformation.hProcess == NULL)
{
updateList = false;
dwProcessId = ProcessId;
}
else if(ProcessId == NULL && dbgProcessInformation.hProcess == NULL)
{
return false;
}
if(updateList == false)
{
std::vector<THREAD_ITEM_DATA>().swap(hListThread); //clear thread list
}
THREAD_ITEM_DATA NewThreadData;
ULONG retLength = 0;
ULONG bufferLength = 1;
PSYSTEM_PROCESS_INFORMATION pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
PSYSTEM_PROCESS_INFORMATION pIter;
PSYSTEM_THREAD_INFORMATION pIterThread;
if(NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) == STATUS_INFO_LENGTH_MISMATCH)
{
free(pBuffer);
bufferLength = retLength + sizeof(SYSTEM_PROCESS_INFORMATION);
pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
if(!pBuffer)
return false;
if(NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) != STATUS_SUCCESS)
{
return false;
}
}
else
{
return false;
}
pIter = pBuffer;
while(TRUE)
{
if(pIter->UniqueProcessId == (HANDLE)(DWORD_PTR)dwProcessId)
{
pIterThread = &pIter->Threads[0];
for(ULONG i = 0; i < pIter->NumberOfThreads; i++)
{
ZeroMemory(&NewThreadData, sizeof(THREAD_ITEM_DATA));
NewThreadData.BasePriority = pIterThread->BasePriority;
NewThreadData.ContextSwitches = pIterThread->ContextSwitches;
NewThreadData.Priority = pIterThread->Priority;
NewThreadData.BasePriority = pIterThread->BasePriority;
//NewThreadData.ThreadStartAddress = pIterThread->StartAddress; <- wrong value
NewThreadData.ThreadState = pIterThread->ThreadState;
NewThreadData.WaitReason = pIterThread->WaitReason;
NewThreadData.WaitTime = pIterThread->WaitTime;
NewThreadData.dwThreadId = (DWORD)(DWORD_PTR)pIterThread->ClientId.UniqueThread;
NewThreadData.hThread = EngineOpenThread(THREAD_ALL_ACCESS, FALSE, NewThreadData.dwThreadId);
if(NewThreadData.hThread)
{
NewThreadData.TebAddress = GetTEBLocation(NewThreadData.hThread);
PVOID startAddress = 0;
if(NtQueryInformationThread(NewThreadData.hThread, ThreadQuerySetWin32StartAddress, &startAddress, sizeof(PVOID), NULL) == STATUS_SUCCESS)
{
NewThreadData.ThreadStartAddress = startAddress;
}
}
if(updateList == false)
{
hListThread.push_back(NewThreadData);
}
else
{
updateThreadList(&NewThreadData);
}
pIterThread++;
}
break;
}
if(pIter->NextEntryOffset == 0)
{
break;
}
else
{
pIter = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pIter + (DWORD_PTR)pIter->NextEntryOffset);
}
}
free(pBuffer);
return (hListThread.size() > 0);
}
__declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId)
{
if(!hThread && !ThreadId)
return NULL;
static THREAD_ITEM_DATA ThreadData;
memset(&ThreadData, 0, sizeof(THREAD_ITEM_DATA));
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
if(hListThread.at(i).hThread == hThread || hListThread.at(i).dwThreadId == ThreadId)
{
memcpy(&ThreadData, &hListThread.at(i), sizeof(THREAD_ITEM_DATA));
return &ThreadData;
}
return NULL;
}
__declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack)
{
typedef void(TITCALL * fEnumCallBack)(LPVOID fThreadDetail);
fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack;
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
{
__try
{
myEnumCallBack(&hListThread.at(i));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
break;
}
}
}
__declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread)
{
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
if(hListThread.at(i).hThread == hThread && SuspendThread(hThread) != -1)
return true;
return false;
}
__declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread)
{
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
if(hListThread.at(i).hThread == hThread && ResumeThread(hThread) != -1)
return true;
return false;
}
__declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode)
{
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
if(hListThread.at(i).hThread == hThread && TerminateThread(hThread, ThreadExitCode) != NULL)
{
hListThread.erase(hListThread.begin() + i);
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning)
{
bool ret = true;
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
{
DWORD suspended;
if(LeaveMainRunning && hListThread.at(i).hThread != dbgProcessInformation.hThread)
suspended = SuspendThread(hListThread.at(i).hThread);
else
suspended = SuspendThread(hListThread.at(i).hThread);
if(suspended == -1)
ret = false;
}
return ret;
}
__declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused)
{
bool ret = true;
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
{
DWORD resumed;
if(LeaveMainPaused && hListThread.at(i).hThread != dbgProcessInformation.hThread)
resumed = ResumeThread(hListThread.at(i).hThread);
else
resumed = ResumeThread(hListThread.at(i).hThread);
if(resumed == -1)
ret = false;
}
return ret;
}
__declspec(dllexport) bool TITCALL ThreaderPauseProcess()
{
return ThreaderPauseAllThreads(false);
}
__declspec(dllexport) bool TITCALL ThreaderResumeProcess()
{
return ThreaderResumeAllThreads(false);
}
__declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{
return ThreaderCreateRemoteThreadEx(dbgProcessInformation.hProcess, ThreadStartAddress, AutoCloseTheHandle, ThreadPassParameter, ThreadId);
}
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize)
{
return ThreaderInjectAndExecuteCodeEx(dbgProcessInformation.hProcess, InjectCode, StartDelta, InjectSize);
}
__declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{
if(hProcess != NULL)
{
if(!AutoCloseTheHandle)
{
return (ULONG_PTR)CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
}
else
{
HANDLE myThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
EngineCloseHandle(myThread);
return NULL;
}
}
return NULL;
}
__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize)
{
if(hProcess != NULL)
{
LPVOID ThreadBase = VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
ULONG_PTR ueNumberOfBytesRead = 0;
if(WriteProcessMemory(hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead))
{
ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL);
return true;
}
else
return false;
}
return false;
}
__declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack)
{
engineExitThreadOneShootCallBack = exitThreadCallBack;
}
__declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread)
{
CONTEXT myDBGContext;
memset(&myDBGContext, 0, sizeof(CONTEXT));
myDBGContext.ContextFlags = CONTEXT_ALL;
return !!GetThreadContext(hThread, &myDBGContext);
}
__declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread)
{
if(SuspendThread(hThread)) //if previous suspend count is above 0 (which means thread is suspended)
{
ResumeThread(hThread); //decrement suspend count
return false; //meaning the thread is not active
}
ResumeThread(hThread); //decrement suspend count
return true;
}
__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive()
{
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
if(ThreaderIsThreadActive(hListThread.at(i).hThread))
return true;
return false;
}
__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads()
{
if(ThreaderPauseProcess())
{
engineResumeProcessIfNoThreadIsActive = true;
return true;
}
return false;
}
__declspec(dllexport) ULONG_PTR TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId)
{
int threadcount = (int)hListThread.size();
for(int i = 0; i < threadcount; i++)
if(hListThread.at(i).dwThreadId == ThreadId)
return (ULONG_PTR)hListThread.at(i).hThread;
return 0;
}
__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread()
{
LPDEBUG_EVENT myDBGEvent = (LPDEBUG_EVENT)GetDebugData();
return (myDBGEvent->dwThreadId == dbgProcessInformation.dwThreadId);
}
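Review bot: In ThreaderPauseAllThreads and ThreaderResumeAllThreads both arms of the `if(LeaveMainRunning && ...)` / `else` make the same SuspendThread or ResumeThread call on the same handle, so LeaveMainRunning and LeaveMainPaused have no effect and the main thread is always suspended or resumed with the rest. When the flag is set, the thread whose handle equals dbgProcessInformation.hThread should be skipped instead. Separately, ThreaderImportRunningThreadData returns false after the second NtQuerySystemInformation call fails without freeing pBuffer, the first `malloc(bufferLength)` is not checked, and `NewThreadData.BasePriority` is assigned twice in the thread loop.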

File diff suppressed because it is too large


@ -0,0 +1,99 @@
#include "stdafx.h"
#include "definitions.h"
// TitanEngine.TranslateName.functions:
__declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName)
{
void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned
char szDeviceName[3] = "A:";
char szDeviceCOMName[5] = "COM0";
int CurrentDeviceLen;
while(szDeviceName[0] <= 0x5A)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceA(szDeviceName, (LPSTR)TranslatedName, 0x1000) > NULL)
{
CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiA((LPCSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatA((LPSTR)TranslatedName, szDeviceName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceName[0]++;
}
while(szDeviceCOMName[3] <= 0x39)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceA(szDeviceCOMName, (LPSTR)TranslatedName, 0x1000) > NULL)
{
CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiA((LPCSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatA((LPSTR)TranslatedName, szDeviceCOMName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceCOMName[3]++;
}
VirtualFree(TranslatedName, NULL, MEM_RELEASE);
return NULL;
}
__declspec(dllexport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName)
{
void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned
wchar_t szDeviceName[3] = L"A:";
wchar_t szDeviceCOMName[5] = L"COM0";
int CurrentDeviceLen;
while(szDeviceName[0] <= 0x5A)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceW(szDeviceName, (LPWSTR)TranslatedName, MAX_PATH * 2) > NULL)
{
CurrentDeviceLen = lstrlenW((LPWSTR)TranslatedName);
lstrcatW((LPWSTR)TranslatedName, (LPCWSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiW((LPCWSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatW((LPWSTR)TranslatedName, szDeviceName);
lstrcatW((LPWSTR)TranslatedName, (LPWSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceName[0]++;
}
while(szDeviceCOMName[3] <= 0x39)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceW(szDeviceCOMName, (LPWSTR)TranslatedName, MAX_PATH * 2) > NULL)
{
CurrentDeviceLen = lstrlenW((LPWSTR)TranslatedName);
lstrcatW((LPWSTR)TranslatedName, (LPCWSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiW((LPCWSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatW((LPWSTR)TranslatedName, szDeviceCOMName);
lstrcatW((LPWSTR)TranslatedName, (LPWSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceCOMName[3]++;
}
VirtualFree(TranslatedName, NULL, MEM_RELEASE);
return NULL;
}
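Review bot: In both TranslateNativeName and TranslateNativeNameW, `szNativeName + CurrentDeviceLen` is formed before anything establishes that szNativeName is at least CurrentDeviceLen characters long, so a short input makes lstrcatA/lstrcatW read past its terminator, and the concatenation into the fixed 0x1000-byte buffer is unbounded for long inputs. Check the input length first, compare only the device prefix with a length-limited comparison, and build the result with a bounded copy. The VirtualAlloc result is also used without a NULL check, and the comment "pointer is returned" should say that the caller owns the buffer and has to release it with VirtualFree.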


@ -1,81 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<CodeBlocks_project_file>
<FileVersion major="1" minor="6" />
<Project>
<Option title="TitanEngine" />
<Option pch_mode="2" />
<Option compiler="msvc10" />
<Build>
<Target title="x32">
<Option output="../Release/x32/TitanEngine" imp_lib="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).a" def_file="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).def" prefix_auto="1" extension_auto="1" />
<Option object_output="obj/x32" />
<Option type="3" />
<Option compiler="msvc10" />
<Option createDefFile="1" />
<Option createStaticLib="1" />
<Compiler>
<Add option="/DWIN32" />
<Add option="/DNDEBUG" />
<Add option="/D_WINDOWS" />
<Add option="/D_USRDLL" />
<Add option="/DUNPACKERENGINE_EXPORTS" />
</Compiler>
<Linker>
<Add option="/DEF:TitanEngine.def" />
<Add library=".\scylla_wrapper_x86.lib" />
<Add library=".\distorm_x86.lib" />
<Add library="Imagehlp.lib" />
<Add library="psapi.lib" />
</Linker>
</Target>
<Target title="x64">
<Option output="../Release/x64/TitanEngine" imp_lib="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).a" def_file="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).def" prefix_auto="1" extension_auto="1" />
<Option object_output="obj/x64" />
<Option type="3" />
<Option compiler="microsoft_visual_c_2010_x64" />
<Option createDefFile="1" />
<Option createStaticLib="1" />
<Compiler>
<Add option="/DWIN32" />
<Add option="/DNDEBUG" />
<Add option="/D_WINDOWS" />
<Add option="/D_USRDLL" />
<Add option="/DUNPACKERENGINE_EXPORTS" />
</Compiler>
<Linker>
<Add library=".\scylla_wrapper_x64.lib" />
<Add library=".\distorm_x64.lib" />
<Add library="Imagehlp.lib" />
<Add library="psapi.lib" />
</Linker>
</Target>
</Build>
<Linker>
<Add library="user32" />
<Add library="advapi32" />
<Add library="comdlg32" />
<Add library="shell32" />
</Linker>
<Unit filename="3rdparty-definitions.h" />
<Unit filename="LzmaDec.cpp" />
<Unit filename="LzmaDec.h" />
<Unit filename="LzmaTypes.h" />
<Unit filename="TitanEngine.cpp" />
<Unit filename="TitanEngine.rc">
<Option compilerVar="WINDRES" />
</Unit>
<Unit filename="aplib.h" />
<Unit filename="definitions.h" />
<Unit filename="distorm.h" />
<Unit filename="dllmain.cpp" />
<Unit filename="resource.h" />
<Unit filename="stdafx.cpp" />
<Unit filename="stdafx.h" />
<Unit filename="targetver.h" />
<Extensions>
<code_completion />
<envvars />
<debugger />
</Extensions>
</Project>
</CodeBlocks_project_file>

File diff suppressed because it is too large


@ -53,6 +53,8 @@ ConvertVAtoFileOffset
ConvertVAtoFileOffsetEx
ConvertFileOffsetToVA
ConvertFileOffsetToVAEx
MemoryReadSafe
MemoryWriteSafe
GetPE32Data
GetPE32DataW
GetPE32DataFromMappedFile
@ -80,6 +82,8 @@ FixHeaderCheckSum
FixHeaderCheckSumW
InitDebug
InitDebugW
InitNativeDebug
InitNativeDebugW
InitDebugEx
InitDebugExW
InitDLLDebug
@ -88,7 +92,6 @@ StopDebug
SetBPXOptions
IsBPXEnabled
SetBPX
SetBPXEx
DisableBPX
EnableBPX
DeleteBPX
@ -152,8 +155,10 @@ GetJumpDestinationEx
IsJumpGoingToExecuteEx
IsJumpGoingToExecute
SetDebugLoopTimeOut
GetProcessInformation
GetStartupInformation
TitanGetProcessInformation
GetProcessInformation = TitanGetProcessInformation
TitanGetStartupInformation
GetStartupInformation = TitanGetStartupInformation
AutoDebugEx
AutoDebugExW
IsFileBeingDebugged
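Review bot: The `GetProcessInformation = TitanGetProcessInformation` and `GetStartupInformation = TitanGetStartupInformation` aliases keep the old export names alive, but nothing in the file says why the functions were renamed or that the un-prefixed names exist only for existing callers. Add a `;` comment above the two aliases stating that, so they are not removed as apparent duplicates in a later cleanup.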
@ -172,6 +177,7 @@ ImporterFindOrdinalAPIWriteLocation
ImporterFindAPIByWriteLocation
ImporterFindDLLByWriteLocation
ImporterGetDLLName
ImporterGetDLLNameW
ImporterGetAPIName
ImporterGetAPINameEx
ImporterGetAPIOrdinalNumber
@ -179,12 +185,14 @@ ImporterGetRemoteAPIAddress
ImporterGetRemoteAPIAddressEx
ImporterGetLocalAPIAddress
ImporterGetDLLNameFromDebugee
ImporterGetDLLNameFromDebugeeW
ImporterGetAPINameFromDebugee
ImporterGetAPIOrdinalNumberFromDebugee
ImporterGetDLLIndexEx
ImporterGetDLLIndex
ImporterGetRemoteDLLBase
ImporterGetRemoteDLLBaseEx
ImporterGetRemoteDLLBaseExW
ImporterIsForwardedAPI
ImporterAutoSearchIAT
ImporterAutoSearchIATW
@ -229,6 +237,9 @@ HooksScanModuleMemory
HooksScanEntireProcessMemory
HooksScanEntireProcessMemoryEx
GetPEBLocation
GetPEBLocation64
GetTEBLocation
GetTEBLocation64
HideDebugger
UnHideDebugger
RelocaterInit
@ -324,7 +335,6 @@ ThreaderIsThreadActive
ThreaderIsAnyThreadActive
ThreaderExecuteOnlyInjectedThreads
ThreaderGetOpenHandleForThread
ThreaderGetThreadData
StaticFileLoad
StaticFileLoadW
StaticFileUnload
@ -378,21 +388,14 @@ FindOEPGenericallyW
GetActiveProcessId
GetActiveProcessIdW
EnumProcessesWithLibrary
TitanOpenProcess
EngineFakeMissingDependencies
EngineDeleteCreatedDependencies
EngineCreateMissingDependencies
EngineCreateMissingDependenciesW
EngineCreateUnpackerWindow
EngineAddUnpackerWindowLogMessage
ExtensionManagerIsPluginLoaded
ExtensionManagerIsPluginEnabled
ExtensionManagerDisablePlugin
ExtensionManagerDisableAllPlugins
ExtensionManagerEnablePlugin
ExtensionManagerEnableAllPlugins
ExtensionManagerUnloadPlugin
ExtensionManagerUnloadAllPlugins
ExtensionManagerGetPluginInfo
EngineCheckStructAlignment
EngineUnpackerInitialize
EngineUnpackerInitializeW
EngineUnpackerSetEntryPointAddress
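Review bot: The ExtensionManager* exports leave the export list here with no alias or stub (the hunk goes from 21 lines to 14 while only TitanOpenProcess and EngineCheckStructAlignment are new), unlike the GetProcessInformation rename earlier in this file, which keeps the old name. Any existing binary that imports one of these names will fail to load against the new DLL. Either keep stub exports that return failure, or state the removal in the change description so consumers know the export surface changed; the same applies to the single-line removals in the SetBPX and ThreaderGetOpenHandleForThread hunks above.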


@ -2,27 +2,22 @@
//
#include "resource.h"
#include "WinResrc.h"
#define IDC_STATIC (-1)
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
//#include "afxres.h" //MFC
#include "winres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// English (U.S.) resources
// English (United States) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
#pragma code_page(1252)
#endif //_WIN32
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
@ -37,7 +32,7 @@ END
2 TEXTINCLUDE
BEGIN
"#include ""afxres.h""\r\n"
"#include ""winres.h""\r\n"
"\0"
END
@ -63,27 +58,26 @@ LOADERX64 BINARY "..\\TitanEngineLoaders\\Library
// Dialog
//
IDD_MAINWINDOW DIALOGEX 0, 0, 255, 206
IDD_MAINWINDOW DIALOGEX 0, 0, 255, 168
STYLE DS_SETFONT | DS_MODALFRAME | DS_3DLOOK | DS_NOFAILCREATE | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_ACCEPTFILES
CAPTION "[ TitanEngine2 ]"
FONT 8, "Verdana", 0, 0, 0x1
BEGIN
CONTROL 130,IDC_STATIC,"Static",SS_BITMAP,0,0,321,38
CONTROL "Realign PE32 file [Recommended, but it can produce invalid files]",IDC_REALING,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,5,156,241,14
EDITTEXT IDC_FILENAME,42,55,163,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER | NOT WS_TABSTOP,WS_EX_STATICEDGE
CTEXT "- TitanEngine2 unpacker -",IDD_UNPACKERTITLE,2,39,250,10,SS_SUNKEN | NOT WS_GROUP,WS_EX_STATICEDGE
LTEXT "[Filename]",112,3,55,36,10
GROUPBOX "Unpack execution messages",113,2,72,250,112
LISTBOX IDC_LISTBOX,5,81,243,75,LBS_NOINTEGRALHEIGHT | NOT WS_BORDER | WS_VSCROLL | WS_HSCROLL | WS_TABSTOP,WS_EX_STATICEDGE
PUSHBUTTON "UnPack",IDC_UNPACK,71,188,60,14,BS_CENTER | BS_VCENTER
PUSHBUTTON "Browse",IDC_BROWSE,210,53,40,14,BS_CENTER | BS_VCENTER
PUSHBUTTON "About",IDC_ABOUT,131,188,60,14
PUSHBUTTON "Exit",IDC_EXIT,191,188,60,14
CONTROL 131,IDC_STATIC,"Static",SS_BITMAP,5,191,46,9
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,6,119,241,14
EDITTEXT IDC_FILENAME,43,18,163,12,ES_AUTOHSCROLL | ES_READONLY | NOT WS_BORDER | NOT WS_TABSTOP,WS_EX_STATICEDGE
CTEXT "- TitanEngine2 unpacker -",IDD_UNPACKERTITLE,3,2,250,10,SS_SUNKEN | NOT WS_GROUP,WS_EX_STATICEDGE
LTEXT "[Filename]",112,3,18,36,10
GROUPBOX "Unpack execution messages",113,3,35,250,112
LISTBOX IDC_LISTBOX,6,44,243,75,LBS_NOINTEGRALHEIGHT | NOT WS_BORDER | WS_VSCROLL | WS_HSCROLL | WS_TABSTOP,WS_EX_STATICEDGE
PUSHBUTTON "UnPack",IDC_UNPACK,71,151,60,14,BS_CENTER | BS_VCENTER
PUSHBUTTON "Browse",IDC_BROWSE,211,16,40,14,BS_CENTER | BS_VCENTER
PUSHBUTTON "About",IDC_ABOUT,131,151,60,14
PUSHBUTTON "Exit",IDC_EXIT,191,151,60,14
CONTROL 131,IDC_STATIC,"Static",SS_BITMAP,6,154,46,9
CONTROL "Copy file overlay [Recommended for all SFX files]",IDC_COPYOVERLAY,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,5,168,241,14
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,6,131,241,14
END
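Review bot: The bitmap control that remains in this dialog is still addressed by a bare number, `CONTROL 131,IDC_STATIC,"Static",SS_BITMAP,6,154,46,9`, while the next hunk changes the Bitmap section that defines the images. Use the symbolic ID from resource.h here so the dependency on that bitmap is visible and searchable when entries are added or removed. The caption and title also still read "TitanEngine2" (`CAPTION "[ TitanEngine2 ]"`), which does not match the "TitanEngine" 3.0.0.0 naming in the version block further down; decide which one is intended.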
@ -92,7 +86,6 @@ END
// Bitmap
//
IDB_BITMAP1 BITMAP "HEADER.BMP"
IDB_BITMAP2 BITMAP "LOGO.bmp"
/////////////////////////////////////////////////////////////////////////////
@ -101,15 +94,15 @@ IDB_BITMAP2 BITMAP "LOGO.bmp"
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 2,0,3,0
PRODUCTVERSION 2,0,3,0
FILEFLAGSMASK 0x17L
FILEVERSION 3,0,0,0
PRODUCTVERSION 3,0,0,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x4L
FILEOS 0x40004L
FILETYPE 0x0L
FILESUBTYPE 0x0L
BEGIN
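Review bot: `FILETYPE 0x0L` is left as it was while the neighbouring fields move to the standard values (`FILEFLAGSMASK 0x3fL`, `FILEOS 0x40004L`); 0x0 is VFT_UNKNOWN. The OriginalFilename line in the next hunk names TitanEngine.dll, so if this resource is still built into that DLL it should read `FILETYPE 0x2L` (VFT_DLL). The version number also lives in four places (FILEVERSION, PRODUCTVERSION and the two version strings); a single set of macros would keep them from drifting on the next bump.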
@ -117,14 +110,11 @@ BEGIN
BEGIN
BLOCK "040904b0"
BEGIN
VALUE "CompanyName", "ReversingLabs Corporation"
VALUE "FileDescription", "TitanEngine2"
VALUE "FileVersion", "2, 0, 3, 0"
VALUE "InternalName", "TitanEngine"
VALUE "LegalCopyright", "Copyright (C) 2009"
VALUE "OriginalFilename", "TitanEngine.dll"
VALUE "FileDescription", "TitanEngine"
VALUE "FileVersion", "3.0.0.0"
VALUE "LegalCopyright", "Community"
VALUE "ProductName", "TitanEngine"
VALUE "ProductVersion", "2, 0, 3, 0"
VALUE "ProductVersion", "3.0.0.0"
END
END
BLOCK "VarFileInfo"
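Review bot: The string block shrinks from 14 to 11 lines and, as far as the rendered diff shows, the new set has no `InternalName` or `OriginalFilename`. Keep `VALUE "OriginalFilename", "TitanEngine.dll"`: it is the field that file-identification and endpoint tooling reads to recognise a binary after it has been renamed on disk, and dropping it makes the DLL harder to inventory. `VALUE "LegalCopyright", "Community"` is also not a copyright statement; if the intent is to replace the 2009 ReversingLabs attribution, check that the licence allows it.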
@ -142,7 +132,22 @@ END
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_ICON2 ICON "MAINICON.ico"
#endif // English (U.S.) resources
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO
BEGIN
IDD_MAINWINDOW, DIALOG
BEGIN
END
END
#endif // APSTUDIO_INVOKED
#endif // English (United States) resources
/////////////////////////////////////////////////////////////////////////////
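Review bot: The DESIGNINFO section here is resource-editor output with an empty `IDD_MAINWINDOW, DIALOG` guideline block, and it is only compiled under `APSTUDIO_INVOKED`. It has no effect on the built resources, so consider leaving it out of the commit to keep the .rc diff limited to intentional changes; the same goes for the closing-comment churn between "English (U.S.)" and "English (United States)".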

@ -1,521 +0,0 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="TitanEngine"
ProjectGUID="{9C7B8246-FDDA-48C7-9634-044969701E40}"
RootNamespace="TitanEngine"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
EnableIntrinsicFunctions="false"
FavorSizeOrSpeed="1"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="0"
StructMemberAlignment="1"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="4"
CallingConvention="0"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x86.lib&quot; Imagehlp.lib psapi.lib"
OutputFile="$(OutDir)\TitanEngine.dll"
LinkIncremental="2"
IgnoreAllDefaultLibraries="false"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
AddModuleNamesToAssembly=""
GenerateDebugInformation="true"
GenerateMapFile="false"
MapExports="false"
SubSystem="2"
OptimizeReferences="0"
ResourceOnlyDLL="false"
SetChecksum="false"
TargetMachine="1"
CLRThreadAttribute="0"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
StructMemberAlignment="1"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="3"
CallingConvention="2"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x64.lib&quot; Imagehlp.lib psapi.lib"
OutputFile="$(OutDir)\TitanEngine.dll"
LinkIncremental="2"
IgnoreAllDefaultLibraries="false"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
GenerateDebugInformation="true"
GenerateMapFile="false"
MapExports="false"
SubSystem="2"
ResourceOnlyDLL="false"
SetChecksum="false"
TargetMachine="17"
CLRThreadAttribute="2"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
EnableIntrinsicFunctions="false"
WholeProgramOptimization="false"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
RuntimeLibrary="0"
StructMemberAlignment="1"
EnableFunctionLevelLinking="false"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="3"
CallingConvention="0"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x86.lib&quot; Imagehlp.lib psapi.lib"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
GenerateDebugInformation="false"
LinkTimeCodeGeneration="0"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
RuntimeLibrary="0"
StructMemberAlignment="1"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x64.lib&quot; Imagehlp.lib psapi.lib"
OutputFile="$(OutDir)\TitanEngine.dll"
LinkIncremental="1"
IgnoreAllDefaultLibraries="false"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
SetChecksum="true"
FixedBaseAddress="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\dllmain.cpp"
>
<FileConfiguration
Name="Debug|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
</File>
<File
RelativePath=".\stdafx.cpp"
>
<FileConfiguration
Name="Debug|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
</File>
<File
RelativePath=".\TitanEngine.cpp"
>
</File>
<Filter
Name="ThirdParty"
>
<File
RelativePath=".\LzmaDec.cpp"
>
</File>
</Filter>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\resource.h"
>
</File>
<File
RelativePath=".\stdafx.h"
>
</File>
<File
RelativePath=".\targetver.h"
>
</File>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
<File
RelativePath=".\TitanEngine.rc"
>
</File>
<Filter
Name="Binary"
>
<File
RelativePath="..\TitanEngineLoaders\LibraryLoader\x64\Release\LibraryLoader.exe"
>
</File>
<File
RelativePath="..\TitanEngineLoaders\LibraryLoader\Release\LibraryLoader.exe"
>
</File>
<File
RelativePath="..\TitanEngineLoaders\ReserveLibrary\Release\ReserveLibrary.dll"
>
</File>
<File
RelativePath="..\TitanEngineLoaders\ReserveLibrary\x64\Release\ReserveLibrary.dll"
>
</File>
</Filter>
<Filter
Name="Images"
>
<File
RelativePath=".\HEADER.BMP"
>
</File>
<File
RelativePath=".\LOGO.bmp"
>
</File>
<File
RelativePath=".\MAINICON.ico"
>
</File>
</Filter>
</Filter>
<File
RelativePath=".\ReadMe.txt"
>
</File>
</Files>
<Globals>
</Globals>
</VisualStudioProject>
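Review bot: Deleting this project drops settings that change the binary interface, not just the IDE setup: every configuration sets `StructMemberAlignment="1"` (1-byte packing), links with `ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"` and defines UNPACKERENGINE_EXPORTS. Whatever build replaces it has to reproduce the packing and the .def export list, otherwise structures passed across the DLL boundary change layout without any compile error in callers. Prefer moving the packing into the public header with `#pragma pack` so it no longer depends on a compiler flag. The configurations were also inconsistent on the CRT (`RuntimeLibrary="0"` everywhere except `RuntimeLibrary="3"` for Debug|x64), so pick one deliberately in the new build.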

Some files were not shown because too many files have changed in this diff