x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

Compare commits

base: x64dbg:x64dbg
Branches Tags
x64dbg:x64dbg
x64dbg:vs2010
x64dbg:arm-on-windows
x64dbg:master
x64dbg:dynmem
x64dbg:scylla_lib
x64dbg:dp0bugfix
x64dbg:2025.08.18
x64dbg:2025.07.04
x64dbg:v0012
x64dbg:v0011
x64dbg:v0010
x64dbg:v0009
x64dbg:V0008
x64dbg:V0007
x64dbg:V0006
x64dbg:V0005
x64dbg:V0004
x64dbg:V0003
x64dbg:V0002
x64dbg:V0001
..
compare: x64dbg:v0012
Branches Tags
x64dbg:x64dbg
x64dbg:vs2010
x64dbg:arm-on-windows
x64dbg:master
x64dbg:dynmem
x64dbg:scylla_lib
x64dbg:dp0bugfix
x64dbg:2025.08.18
x64dbg:2025.07.04
x64dbg:v0012
x64dbg:v0011
x64dbg:v0010
x64dbg:v0009
x64dbg:V0008
x64dbg:V0007
x64dbg:V0006
x64dbg:V0005
x64dbg:V0004
x64dbg:V0003
x64dbg:V0002
x64dbg:V0001

No commits in common. "x64dbg" and "v0012" have entirely different histories.
x64dbg ... v0012

100 changed files with 2911 additions and 27266 deletions
Show Stats Expand all files Collapse all files

3
.gitattributes vendored
View File

@ -1,3 +0,0 @@
# cmkr
/**/CMakeLists.txt linguist-generated
/**/cmkr.cmake linguist-vendored

43
.github/workflows/build.yml vendored Normal file
View File

@ -0,0 +1,43 @@
name: Visual Studio
on: [push, pull_request]
jobs:
build:
# Skip building pull requests from the same repository
if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}
runs-on: windows-2019
steps:
- name: Checkout
uses: actions/checkout@v2
with:
submodules: recursive
- name: Add msbuild to PATH
uses: microsoft/setup-msbuild@v1.0.2
- name: Build
run: |
msbuild.exe ${{ github.event.repository.name }}.sln /m /verbosity:minimal /t:Rebuild /p:Configuration=Release /p:Platform=x64
msbuild.exe ${{ github.event.repository.name }}.sln /m /verbosity:minimal /t:Rebuild /p:Configuration=Release /p:Platform=Win32
- uses: actions/upload-artifact@v2
with:
name: ${{ github.event.repository.name }}-${{ github.sha }}
path: Release/
- name: Compress artifacts
uses: papeloto/action-zip@v1
if: ${{ startsWith(github.ref, 'refs/tags/') }}
with:
files: Release/
dest: ${{ github.event.repository.name }}-${{ github.sha }}.zip
- name: Release
uses: softprops/action-gh-release@v1
if: ${{ startsWith(github.ref, 'refs/tags/') }}
with:
prerelease: ${{ !startsWith(github.ref, 'refs/tags/v') || contains(github.ref, '-pre') }}
files: ${{ github.event.repository.name }}-${{ github.sha }}.zip
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

332
.gitignore vendored
View File

@ -1,171 +1,163 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
Win32/
build/
[Bb]in/
[Oo]bj/
.vs/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
*.cscope_file_list
*.bmarks
*.depend
*.layout
*.orig
*.cbTemp
cov-*
coverity*
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
Win32/
build/
[Bb]in/
[Oo]bj/
.vs/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store
*.cscope_file_list
*.bmarks
*.depend
*.layout
*.orig
*.cbTemp
cov-*
coverity*
*.user
# Release
deps/
# CMake
build*/
cmake-build*/
CMakeUserPresets.json

3
.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "scylla_wrapper_dll"]
path = scylla_wrapper_dll
url = https://bitbucket.org/cypherpunk/scylla_wrapper_dll

241
CMakeLists.txt
View File

@ -1,241 +0,0 @@
# This file is automatically generated from cmake.toml - DO NOT EDIT
# See https://github.com/build-cpp/cmkr for more information
cmake_minimum_required(VERSION 3.15)
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_BINARY_DIR)
message(FATAL_ERROR "In-tree builds are not supported. Run CMake from a separate directory: cmake -B build")
endif()
# Enable support for MSVC_RUNTIME_LIBRARY
cmake_policy(SET CMP0091 NEW)
set(CMKR_ROOT_PROJECT OFF)
if(CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_SOURCE_DIR)
set(CMKR_ROOT_PROJECT ON)
# Bootstrap cmkr and automatically regenerate CMakeLists.txt
include(cmkr.cmake OPTIONAL RESULT_VARIABLE CMKR_INCLUDE_RESULT)
if(CMKR_INCLUDE_RESULT)
cmkr()
endif()
# Enable folder support
set_property(GLOBAL PROPERTY USE_FOLDERS ON)
# Create a configure-time dependency on cmake.toml to improve IDE support
set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS cmake.toml)
if(NOT DEFINED CMAKE_MSVC_RUNTIME_LIBRARY)
set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
endif()
endif()
# Options
option(TITANENGINE_RESOURCES "" ON)
project(TitanEngine
LANGUAGES
C
CXX
)
# Target: distorm
set(distorm_SOURCES
cmake.toml
"distorm/include/distorm.h"
"distorm/include/mnemonics.h"
"distorm/src/distorm.c"
)
add_library(distorm STATIC)
target_sources(distorm PRIVATE ${distorm_SOURCES})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${distorm_SOURCES})
target_include_directories(distorm PUBLIC
"distorm/include"
)
# Target: scylla_wrapper
set(scylla_wrapper_SOURCES
cmake.toml
"scylla_wrapper/ApiReader.cpp"
"scylla_wrapper/ApiReader.h"
"scylla_wrapper/Architecture.cpp"
"scylla_wrapper/Architecture.h"
"scylla_wrapper/DeviceNameResolver.cpp"
"scylla_wrapper/DeviceNameResolver.h"
"scylla_wrapper/IATReferenceScan.cpp"
"scylla_wrapper/IATReferenceScan.h"
"scylla_wrapper/IATSearch.cpp"
"scylla_wrapper/IATSearch.h"
"scylla_wrapper/ImportRebuilder.cpp"
"scylla_wrapper/ImportRebuilder.h"
"scylla_wrapper/NativeWinApi.cpp"
"scylla_wrapper/NativeWinApi.h"
"scylla_wrapper/PeParser.cpp"
"scylla_wrapper/PeParser.h"
"scylla_wrapper/ProcessAccessHelp.cpp"
"scylla_wrapper/ProcessAccessHelp.h"
"scylla_wrapper/ProcessLister.cpp"
"scylla_wrapper/ProcessLister.h"
"scylla_wrapper/StringConversion.cpp"
"scylla_wrapper/StringConversion.h"
"scylla_wrapper/SystemInformation.cpp"
"scylla_wrapper/SystemInformation.h"
"scylla_wrapper/Thunks.cpp"
"scylla_wrapper/Thunks.h"
"scylla_wrapper/include/scylla_wrapper.h"
"scylla_wrapper/mnemonics.h"
"scylla_wrapper/scylla_wrapper.cpp"
"scylla_wrapper/stdafx.cpp"
"scylla_wrapper/stdafx.h"
"scylla_wrapper/targetver.h"
)
add_library(scylla_wrapper STATIC)
target_sources(scylla_wrapper PRIVATE ${scylla_wrapper_SOURCES})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${scylla_wrapper_SOURCES})
target_compile_features(scylla_wrapper PUBLIC
cxx_std_11
)
target_include_directories(scylla_wrapper PUBLIC
"scylla_wrapper/include"
)
if(NOT TARGET distorm)
message(FATAL_ERROR "Target \"distorm\" referenced by \"scylla_wrapper\" does not exist!")
endif()
target_link_libraries(scylla_wrapper PUBLIC
distorm
)
# Target: TitanEngine
set(TitanEngine_SOURCES
"TitanEngine/Global.Breakpoints.cpp"
"TitanEngine/Global.Breakpoints.h"
"TitanEngine/Global.Debugger.cpp"
"TitanEngine/Global.Debugger.h"
"TitanEngine/Global.Engine.Context.cpp"
"TitanEngine/Global.Engine.Context.h"
"TitanEngine/Global.Engine.GUI.cpp"
"TitanEngine/Global.Engine.GUI.h"
"TitanEngine/Global.Engine.Hash.cpp"
"TitanEngine/Global.Engine.Hash.h"
"TitanEngine/Global.Engine.Hider.cpp"
"TitanEngine/Global.Engine.Hider.h"
"TitanEngine/Global.Engine.Hook.cpp"
"TitanEngine/Global.Engine.Hook.h"
"TitanEngine/Global.Engine.Importer.cpp"
"TitanEngine/Global.Engine.Importer.h"
"TitanEngine/Global.Engine.Simplification.cpp"
"TitanEngine/Global.Engine.Simplification.h"
"TitanEngine/Global.Engine.Threading.cpp"
"TitanEngine/Global.Engine.Threading.h"
"TitanEngine/Global.Engine.cpp"
"TitanEngine/Global.Engine.h"
"TitanEngine/Global.Garbage.cpp"
"TitanEngine/Global.Garbage.h"
"TitanEngine/Global.Handle.cpp"
"TitanEngine/Global.Handle.h"
"TitanEngine/Global.Helper.cpp"
"TitanEngine/Global.Helper.h"
"TitanEngine/Global.Injector.cpp"
"TitanEngine/Global.Injector.h"
"TitanEngine/Global.Librarian.cpp"
"TitanEngine/Global.Librarian.h"
"TitanEngine/Global.Mapping.cpp"
"TitanEngine/Global.Mapping.h"
"TitanEngine/Global.OEPFinder.cpp"
"TitanEngine/Global.OEPFinder.h"
"TitanEngine/Global.Realigner.cpp"
"TitanEngine/Global.Realigner.h"
"TitanEngine/Global.TLS.cpp"
"TitanEngine/Global.TLS.h"
"TitanEngine/Global.Threader.cpp"
"TitanEngine/Global.Threader.h"
"TitanEngine/LzmaDec.cpp"
"TitanEngine/LzmaDec.h"
"TitanEngine/LzmaTypes.h"
"TitanEngine/TitanEngine.Breakpoints.cpp"
"TitanEngine/TitanEngine.Debugger.Context.cpp"
"TitanEngine/TitanEngine.Debugger.Control.cpp"
"TitanEngine/TitanEngine.Debugger.Data.cpp"
"TitanEngine/TitanEngine.Debugger.DebugLoop.cpp"
"TitanEngine/TitanEngine.Debugger.Helper.cpp"
"TitanEngine/TitanEngine.Debugger.Memory.cpp"
"TitanEngine/TitanEngine.Debugger.cpp"
"TitanEngine/TitanEngine.Disassembler.cpp"
"TitanEngine/TitanEngine.Dumper.cpp"
"TitanEngine/TitanEngine.Engine.Simplification.cpp"
"TitanEngine/TitanEngine.Engine.cpp"
"TitanEngine/TitanEngine.Exporter.cpp"
"TitanEngine/TitanEngine.Handler.cpp"
"TitanEngine/TitanEngine.Hider.cpp"
"TitanEngine/TitanEngine.Hooks.cpp"
"TitanEngine/TitanEngine.Importer.cpp"
"TitanEngine/TitanEngine.Injector.cpp"
"TitanEngine/TitanEngine.Librarian.cpp"
"TitanEngine/TitanEngine.OEPFinder.cpp"
"TitanEngine/TitanEngine.PE.Convert.cpp"
"TitanEngine/TitanEngine.PE.Data.cpp"
"TitanEngine/TitanEngine.PE.Fixer.cpp"
"TitanEngine/TitanEngine.PE.Overlay.cpp"
"TitanEngine/TitanEngine.PE.Section.cpp"
"TitanEngine/TitanEngine.PE.cpp"
"TitanEngine/TitanEngine.Process.cpp"
"TitanEngine/TitanEngine.Realigner.cpp"
"TitanEngine/TitanEngine.Relocator.cpp"
"TitanEngine/TitanEngine.Resourcer.cpp"
"TitanEngine/TitanEngine.Static.cpp"
"TitanEngine/TitanEngine.TLS.cpp"
"TitanEngine/TitanEngine.Threader.cpp"
"TitanEngine/TitanEngine.Tracer.cpp"
"TitanEngine/TitanEngine.TranslateName.cpp"
"TitanEngine/TitanEngine.cpp"
"TitanEngine/aplib.h"
"TitanEngine/definitions.h"
"TitanEngine/ntdll.h"
"TitanEngine/resource.h"
"TitanEngine/stdafx.cpp"
"TitanEngine/stdafx.h"
"TitanEngine/targetver.h"
cmake.toml
)
if(TITANENGINE_RESOURCES) # TITANENGINE_RESOURCES
list(APPEND TitanEngine_SOURCES
"TitanEngine/TitanEngine.rc"
)
endif()
add_library(TitanEngine SHARED)
target_sources(TitanEngine PRIVATE ${TitanEngine_SOURCES})
source_group(TREE ${CMAKE_CURRENT_SOURCE_DIR} FILES ${TitanEngine_SOURCES})
if(NOT TARGET scylla_wrapper)
message(FATAL_ERROR "Target \"scylla_wrapper\" referenced by \"TitanEngine\" does not exist!")
endif()
target_link_libraries(TitanEngine PRIVATE
scylla_wrapper
Psapi.lib
)
if(CMAKE_SIZEOF_VOID_P EQUAL 8) # x64
target_link_libraries(TitanEngine PRIVATE
"${CMAKE_CURRENT_SOURCE_DIR}/TitanEngine/ntdll_x64.lib"
)
endif()
if(CMAKE_SIZEOF_VOID_P EQUAL 4) # x32
target_link_libraries(TitanEngine PRIVATE
"${CMAKE_CURRENT_SOURCE_DIR}/TitanEngine/ntdll_x86.lib"
)
endif()

1113
SDK/C/TitanEngine.h Normal file
View File

File diff suppressed because it is too large Load Diff

34
TitanEngine.sln
View File

@ -1,16 +1,12 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.14.36915.13 d17.14
MinimumVisualStudioVersion = 10.0.40219.1
Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TitanEngine", "TitanEngine\TitanEngine.vcxproj", "{9C7B8246-FDDA-48C7-9634-044969701E40}"
ProjectSection(ProjectDependencies) = postProject
{F874B1B3-8EF7-4DF1-9889-57098E08A51C} = {F874B1B3-8EF7-4DF1-9889-57098E08A51C}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scylla_wrapper", "scylla_wrapper\scylla_wrapper.vcxproj", "{F874B1B3-8EF7-4DF1-9889-57098E08A51C}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "distorm", "distorm\distorm.vcxproj", "{25FF4A19-7088-4687-AA32-76E61BD62E51}"
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scylla_wrapper", "scylla_wrapper_dll\scylla_wrapper\scylla_wrapper.vcxproj", "{F874B1B3-8EF7-4DF1-9889-57098E08A51C}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
@ -28,22 +24,14 @@ Global
{9C7B8246-FDDA-48C7-9634-044969701E40}.Release|Win32.Build.0 = Release|Win32
{9C7B8246-FDDA-48C7-9634-044969701E40}.Release|x64.ActiveCfg = Release|x64
{9C7B8246-FDDA-48C7-9634-044969701E40}.Release|x64.Build.0 = Release|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.ActiveCfg = Debug|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.Build.0 = Debug|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.ActiveCfg = Debug|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.Build.0 = Debug|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.ActiveCfg = Release|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.Build.0 = Release|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.ActiveCfg = Release|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.Build.0 = Release|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|Win32.ActiveCfg = Debug|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|Win32.Build.0 = Debug|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|x64.ActiveCfg = Debug|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Debug|x64.Build.0 = Debug|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|Win32.ActiveCfg = Release|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|Win32.Build.0 = Release|Win32
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|x64.ActiveCfg = Release|x64
{25FF4A19-7088-4687-AA32-76E61BD62E51}.Release|x64.Build.0 = Release|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.ActiveCfg = Release-Lib|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.Build.0 = Release-Lib|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.ActiveCfg = Release-Lib|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.Build.0 = Release-Lib|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.ActiveCfg = Release-Lib|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.Build.0 = Release-Lib|Win32
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.ActiveCfg = Release-Lib|x64
{F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.Build.0 = Release-Lib|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE

9
TitanEngine/Global.Breakpoints.cpp
View File

@ -4,7 +4,6 @@
std::vector<BreakPointDetail> BreakPointBuffer;
std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail> MemoryBreakpointPages;
std::unordered_set<ULONG_PTR> recentlyDeletedBpx;
ULONG_PTR dr7uint(DR7* dr7)
{
@ -251,17 +250,13 @@ DWORD GetPageProtectionForMemoryBreakpoint(const MemoryBreakpointPageDetail & pa
if(page.writeBps > 0)
{
// Remove write access (and copy-on-write) e.g. PAGE_EXECUTE_READWRITE => PAGE_EXECUTE
// Remove write access e.g. PAGE_EXECUTE_READWRITE => PAGE_EXECUTE
DWORD dwBase = newProtect & 0xFF;
switch(dwBase)
{
case PAGE_READWRITE:
case PAGE_WRITECOPY:
newProtect = (newProtect & 0xFFFFFF00) | PAGE_READONLY;
break;
case PAGE_EXECUTE_READWRITE:
case PAGE_EXECUTE_WRITECOPY:
newProtect = (newProtect & 0xFFFFFF00) | PAGE_EXECUTE_READ;
newProtect = (newProtect & 0xFFFFFF00) | (dwBase >> 1);
break;
}
}

2
TitanEngine/Global.Breakpoints.h
View File

@ -3,7 +3,6 @@
#include <vector>
#include <unordered_map>
#include <unordered_set>
#include "Global.Engine.Threading.h"
#include "Global.Engine.h"
@ -12,7 +11,6 @@
extern std::vector<BreakPointDetail> BreakPointBuffer;
extern std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail> MemoryBreakpointPages;
extern std::unordered_set<ULONG_PTR> recentlyDeletedBpx;
void uintdr7(ULONG_PTR dr7, DR7* ret);
ULONG_PTR dr7uint(DR7* dr7);

15
TitanEngine/Global.Debugger.cpp
View File

@ -46,18 +46,18 @@ CRITICAL_SECTION engineStepActiveCr;
DWORD ContextControlFlags = []
{
DWORD flags = CONTEXT_CONTROL;
typedef BOOL(WINAPI * type_IsWow64Process2)(HANDLE, USHORT*, USHORT*);
typedef BOOL(WINAPI *type_IsWow64Process2)(HANDLE, USHORT*, USHORT*);
auto p_IsWow64Process2 = (type_IsWow64Process2)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process2");
if(p_IsWow64Process2)
if (p_IsWow64Process2)
{
USHORT processMachine = 0;
USHORT nativeMachine = 0;
if(p_IsWow64Process2(GetCurrentProcess(), &processMachine, &nativeMachine))
if (p_IsWow64Process2(GetCurrentProcess(), &processMachine, &nativeMachine))
{
#ifndef IMAGE_FILE_MACHINE_ARM64
#define IMAGE_FILE_MACHINE_ARM64 0xAA64
#endif // IMAGE_FILE_MACHINE_ARM64
if(nativeMachine == IMAGE_FILE_MACHINE_ARM || nativeMachine == IMAGE_FILE_MACHINE_ARM64)
if (nativeMachine == IMAGE_FILE_MACHINE_ARM || nativeMachine == IMAGE_FILE_MACHINE_ARM64)
{
flags = CONTEXT_ALL;
}
@ -85,11 +85,10 @@ void DebuggerReset()
{
if(engineResetCustomHandler)
{
RtlZeroMemory(&myDBGCustomHandler, sizeof(CustomHandler));
RtlZeroMemory(&myDBGCustomHandler, sizeof CustomHandler);
}
std::vector<BreakPointDetail>().swap(BreakPointBuffer);
std::unordered_map<ULONG_PTR, MemoryBreakpointPageDetail>().swap(MemoryBreakpointPages);
recentlyDeletedBpx.clear();
}
void ClearProcessList()
@ -113,11 +112,11 @@ void StepOutStepCallBack()
else
{
typedef void(TITCALL * fCustomBreakPoint)();
ObjectPointerToCallback<fCustomBreakPoint>(StepOutCallBack)();
((fCustomBreakPoint)StepOutCallBack)();
}
}
else
StepOver(CallbackToObjectPointer(&StepOutStepCallBack));
StepOver(StepOutStepCallBack);
}
static DWORD BaseSetLastNTError(IN NTSTATUS Status)

16
TitanEngine/Global.Engine.Hider.cpp
View File

@ -12,18 +12,10 @@ static bool isAtleastVista()
static bool isSet = false;
if(isSet)
return isAtleastVista;
RTL_OSVERSIONINFOW versionInfo = {0};
versionInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
typedef NTSTATUS(WINAPI * tRtlGetVersion)(PRTL_OSVERSIONINFOW);
tRtlGetVersion pRtlGetVersion = (tRtlGetVersion)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
if(!pRtlGetVersion || !NT_SUCCESS(pRtlGetVersion(&versionInfo)))
{
isAtleastVista = false;
}
else
{
isAtleastVista = versionInfo.dwMajorVersion >= 6;
}
OSVERSIONINFO versionInfo = {0};
versionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&versionInfo);
isAtleastVista = versionInfo.dwMajorVersion >= 6;
isSet = true;
return isAtleastVista;
}

42
TitanEngine/Global.Engine.cpp
View File

@ -145,7 +145,7 @@ wchar_t* EngineExtractFileNameW(wchar_t* szFileName)
int x = 0;
i = lstrlenW(szFileName);
RtlZeroMemory(&engineExtractedFileNameW, sizeof(engineExtractedFileNameW));
RtlZeroMemory(&engineExtractedFileNameW, sizeof engineExtractedFileNameW);
while(i > 0 && szFileName[i] != 0x5C)
{
i--;
@ -175,13 +175,13 @@ bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr)
DWORD MaxDisassmSize = 512;
BYTE TestChar;
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT)
{
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512)
{
MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1);
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State != MEM_COMMIT)
{
i = MaxDisassmSize;
@ -228,13 +228,13 @@ int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr)
DWORD MaxDisassmSize = 512;
BYTE TestChar;
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT)
{
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512)
{
MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1);
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State != MEM_COMMIT)
{
i = MaxDisassmSize;
@ -403,7 +403,7 @@ bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR F
return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL);
}
bool EngineExtractResource(const char* szResourceName, wchar_t* szExtractedFileName)
bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName)
{
HRSRC hResource;
@ -727,7 +727,7 @@ bool EngineIsValidReadPtrEx(LPVOID DataPointer, DWORD DataSize)
while(DataSize > NULL)
{
VirtualQuery(DataPointer, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQuery(DataPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.AllocationProtect == MEM_FREE || MemInfo.AllocationProtect == MEM_PRIVATE)
{
return false;
@ -814,7 +814,7 @@ bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBas
}
else
{
RtlZeroMemory(&ModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&ModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof(MODULEINFO));
PESize = ModuleInfo.SizeOfImage;
__try
@ -1404,9 +1404,9 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
{
if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_APIADDRESS)
{
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
if(APIAddress >= LoadedModules[i][1] && APIAddress <= LoadedModules[i][1] + RemoteModuleInfo.SizeOfImage)
{
GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512);
@ -1418,8 +1418,8 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
}
else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS)
{
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
{
GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512);
@ -1441,8 +1441,8 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
}
else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS || ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME)
{
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
{
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
@ -1520,10 +1520,10 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
if((ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || (ReturnType > UE_OPTION_IMPORTER_REALIGN_APIADDRESS && ReturnType < UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME)) && ReturnType != UE_OPTION_IMPORTER_RETURN_DLLBASE && LoadedModules[i][1] != NULL)
{
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage)
{
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
@ -1637,9 +1637,9 @@ ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
//GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO);
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
{
__try

2
TitanEngine/Global.Engine.h
View File

@ -37,7 +37,7 @@ bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2);
ULONG_PTR EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA);
bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName);
bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory);
bool EngineExtractResource(const char* szResourceName, wchar_t* szExtractedFileName);
bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName);
bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder);
bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder);
bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize);

10
TitanEngine/Global.Injector.cpp
View File

@ -8,7 +8,7 @@ ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT];
long injectedRemoteLoadLibrary(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectCodeData));
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData);
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI * fLoadLibraryW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
@ -56,7 +56,7 @@ long injectedRemoteFreeLibrarySimple(LPVOID Parameter)
PInjectCodeData APIData = (PInjectCodeData)Parameter;
LPVOID orgParameter = Parameter;
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectCodeData));
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData);
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase);
typedef HMODULE(WINAPI * fGetModuleHandleW)(LPCWSTR fLibraryName);
@ -125,8 +125,8 @@ long injectedImpRec(LPVOID Parameter)
HANDLE hFile;
HANDLE hFileMap;
PInjectImpRecCodeData APIData = (PInjectImpRecCodeData)Parameter;
LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof(InjectImpRecCodeData));
typedef ULONG_PTR(__cdecl * fTrace)(HANDLE hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall);
LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectImpRecCodeData);
typedef ULONG_PTR(__cdecl * fTrace)(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall);
typedef HANDLE(WINAPI * fCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef HANDLE(WINAPI * fCreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName);
typedef BOOL(__cdecl * fCloseHandle)(HANDLE hHandle);
@ -139,7 +139,7 @@ long injectedImpRec(LPVOID Parameter)
if(hFile != INVALID_HANDLE_VALUE)
{
hFileMap = cCreateFileMappingA(hFile, NULL, 4, NULL, 0x100, NULL);
cTrace(hFileMap, 0x100, -1, (DWORD)APIData->AddressToTrace, NULL);
cTrace((DWORD)hFileMap, 0x100, -1, (DWORD)APIData->AddressToTrace, NULL);
cCloseHandle(hFile);
return(1);
}

12
TitanEngine/Global.Mapping.cpp
View File

@ -49,18 +49,18 @@ bool MapFileEx(const char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, L
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
if(mfFileMapVA != NULL)
{
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof(ULONG_PTR));
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
return true;
}
}
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
*FileHandle = NULL;
*FileSize = NULL;
EngineCloseHandle(hFile);
}
else
{
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
}
return false;
}
@ -110,18 +110,18 @@ bool MapFileExW(const wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandl
LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
if(mfFileMapVA != NULL)
{
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof(ULONG_PTR));
RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
return true;
}
}
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
*FileHandle = NULL;
*FileSize = NULL;
EngineCloseHandle(hFile);
}
else
{
RtlZeroMemory(FileMapVA, sizeof(ULONG_PTR));
RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
}
return false;
}

26
TitanEngine/Global.OEPFinder.cpp
View File

@ -23,7 +23,7 @@ void GenericOEPVirtualProtectHit()
BreakPointDetail curDetail = BreakPointBuffer.at(i);
if(curDetail.BreakPointType == UE_MEMORY && curDetail.BreakPointActive == UE_BPXACTIVE)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)curDetail.BreakPointAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
if(!(OldProtect & PAGE_GUARD))
{
@ -40,14 +40,14 @@ void GenericOEPTraceHit()
char* szInstructionType;
typedef void(TITCALL * fEPCallBack)();
fEPCallBack myEPCallBack = ObjectPointerToCallback<fEPCallBack>(glbEntryTracerData.EPCallBack);
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
glbEntryTracerData.MemoryAccessed = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[1];
glbEntryTracerData.AccessType = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[0];
szInstructionType = (char*)DisassembleEx(dbgProcessInformation.hProcess, (void*)glbEntryTracerData.MemoryAccessedFrom, true);
StepInto(CallbackToObjectPointer(&GenericOEPTraceHited));
StepInto(&GenericOEPTraceHited);
}
void GenericOEPTraceHited()
@ -60,7 +60,7 @@ void GenericOEPTraceHited()
ULONG_PTR NumberOfBytesRW;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
typedef void(TITCALL * fEPCallBack)();
fEPCallBack myEPCallBack = ObjectPointerToCallback<fEPCallBack>(glbEntryTracerData.EPCallBack);
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
PMEMORY_COMPARE_HANDLER myCmpHandler;
ULONG_PTR memBpxAddress;
ULONG_PTR memBpxSize;
@ -134,12 +134,12 @@ void GenericOEPTraceHited()
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
}
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
}
}
}
@ -162,7 +162,7 @@ void GenericOEPLibraryDetailsHit()
int inReg = UE_RAX;
#endif
if(GetModuleBaseNameA(dbgProcessInformation.hProcess, (HMODULE)GetContextData(inReg), szModuleName, sizeof(szModuleName)) > NULL)
if(GetModuleBaseNameA(dbgProcessInformation.hProcess, (HMODULE)GetContextData(inReg), szModuleName, sizeof szModuleName) > NULL)
{
if(lstrcmpiA(szModuleName, "kernel32.dll") != NULL)
{
@ -178,7 +178,7 @@ void GenericOEPLibraryDetailsHit()
{
if(glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_MEM_EXECUTE || glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_CNT_CODE)
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, CallbackToObjectPointer(&GenericOEPTraceHit));
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
memBreakPointSet = true;
}
}
@ -202,7 +202,7 @@ void GenericOEPTraceInit()
void* lpHashBuffer;
ULONG_PTR NumberOfBytesRW;
typedef void(TITCALL * fInitCallBack)();
fInitCallBack myInitCallBack = ObjectPointerToCallback<fInitCallBack>(glbEntryTracerData.InitCallBack);
fInitCallBack myInitCallBack = (fInitCallBack)glbEntryTracerData.InitCallBack;
if(glbEntryTracerData.FileIsDLL)
{
@ -223,9 +223,9 @@ void GenericOEPTraceInit()
}
}
}
SetAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPVirtualProtectHit));
SetAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPLibraryDetailsHit));
SetAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_BREAKPOINT, UE_APIEND, CallbackToObjectPointer(&GenericOEPLibraryDetailsHit));
SetAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_BREAKPOINT, UE_APIEND, &GenericOEPVirtualProtectHit);
SetAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_BREAKPOINT, UE_APIEND, &GenericOEPLibraryDetailsHit);
SetAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_BREAKPOINT, UE_APIEND, &GenericOEPLibraryDetailsHit);
if(glbEntryTracerData.InitCallBack != NULL)
{
__try
@ -257,7 +257,7 @@ bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID C
{
if(GetPE32DataFromMappedFileEx(FileMapVA, &PEStruct))
{
RtlZeroMemory(&glbEntryTracerData, sizeof(GenericOEPTracerData));
RtlZeroMemory(&glbEntryTracerData, sizeof GenericOEPTracerData);
glbEntryTracerData.OriginalImageBase = PEStruct.ImageBase;
glbEntryTracerData.OriginalEntryPoint = PEStruct.OriginalEntryPoint;
glbEntryTracerData.SizeOfImage = PEStruct.NtSizeOfImage;

7
TitanEngine/TitanEngine.Breakpoints.cpp
View File

@ -72,7 +72,7 @@ __declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress)
{
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXINACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
@ -144,7 +144,7 @@ __declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress)
{
if(BreakPointBuffer.at(i).BreakPointAddress == bpxAddress)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(i).BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(BreakPointBuffer.at(i).BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer.at(i).BreakPointType == UE_BREAKPOINT || BreakPointBuffer.at(i).BreakPointType == UE_SINGLESHOOT))
@ -303,7 +303,6 @@ __declspec(dllexport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress)
FlushInstructionCache(dbgProcessInformation.hProcess, NULL, 0);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer.at(found).BreakPointSize, OldProtect, &OldProtect);
BreakPointBuffer.erase(BreakPointBuffer.begin() + found);
recentlyDeletedBpx.insert(bpxAddress);
return true;
}
@ -463,7 +462,7 @@ __declspec(dllexport) bool TITCALL SetMemoryBPXEx(ULONG_PTR MemoryStart, SIZE_T
auto bpType = BreakPointBuffer.at(i).BreakPointType;
bool isMem = bpType == UE_MEMORY || bpType == UE_MEMORY_READ || bpType == UE_MEMORY_WRITE || bpType == UE_MEMORY_EXECUTE;
if(isMem && bpAddr < (MemoryStart + SizeOfMemory) && bpAddr + bpSize > MemoryStart)
if (isMem && bpAddr < (MemoryStart + SizeOfMemory) && bpAddr + bpSize > MemoryStart)
{
return false; // the place is taken
}

231
TitanEngine/TitanEngine.Debugger.Context.cpp
View File

@ -929,6 +929,10 @@ __declspec(dllexport) bool TITCALL SetAVXContext(HANDLE hActiveThread, TITAN_ENG
if(InitXState() == false)
return false;
DWORD64 FeatureMask = _GetEnabledXStateFeatures();
if((FeatureMask & XSTATE_MASK_AVX) == 0)
return false;
DWORD ContextSize = 0;
BOOL Success = _InitializeContext(NULL,
CONTEXT_ALL | CONTEXT_XSTATE,
@ -952,15 +956,11 @@ __declspec(dllexport) bool TITCALL SetAVXContext(HANDLE hActiveThread, TITAN_ENG
return false;
if(_SetXStateFeaturesMask(Context, XSTATE_MASK_AVX) == FALSE)
{
if(_SetXStateFeaturesMask(Context, XSTATE_MASK_LEGACY_SSE) == FALSE)
return false;
}
return false;
if(GetThreadContext(hActiveThread, Context) == FALSE)
return false;
DWORD64 FeatureMask;
if(_GetXStateFeaturesMask(Context, &FeatureMask) == FALSE)
return false;
@ -989,6 +989,10 @@ __declspec(dllexport) bool TITCALL GetAVXContext(HANDLE hActiveThread, TITAN_ENG
if(InitXState() == false)
return false;
DWORD64 FeatureMask = _GetEnabledXStateFeatures();
if((FeatureMask & XSTATE_MASK_AVX) == 0)
return false;
DWORD ContextSize = 0;
BOOL Success = _InitializeContext(NULL,
CONTEXT_ALL | CONTEXT_XSTATE,
@ -1012,15 +1016,11 @@ __declspec(dllexport) bool TITCALL GetAVXContext(HANDLE hActiveThread, TITAN_ENG
return false;
if(_SetXStateFeaturesMask(Context, XSTATE_MASK_AVX) == FALSE)
{
if(_SetXStateFeaturesMask(Context, XSTATE_MASK_LEGACY_SSE) == FALSE)
return false;
}
return false;
if(GetThreadContext(hActiveThread, Context) == FALSE)
return false;
DWORD64 FeatureMask;
if(_GetXStateFeaturesMask(Context, &FeatureMask) == FALSE)
return false;
@ -1043,214 +1043,3 @@ __declspec(dllexport) bool TITCALL GetAVXContext(HANDLE hActiveThread, TITAN_ENG
return true;
}
// AVX-512 constants
#ifndef XSTATE_MASK_AVX512
#define XSTATE_AVX512_KMASK (5)
#define XSTATE_AVX512_ZMM_H (6)
#define XSTATE_AVX512_ZMM (7)
#define XSTATE_MASK_AVX512 ((1ui64 << (XSTATE_AVX512_KMASK)) | \
(1ui64 << (XSTATE_AVX512_ZMM_H)) | \
(1ui64 << (XSTATE_AVX512_ZMM)))
#endif
static bool SetAVX512ContextFallbackToAVX(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_AVX512_t* titcontext)
{
// Fall back to using AVX and ignore the rest
TITAN_ENGINE_CONTEXT_t Avx;
memset(&Avx, 0, sizeof(Avx));
for(int i = 0; i < _countof(Avx.YmmRegisters); i++)
{
Avx.YmmRegisters[i] = titcontext->ZmmRegisters[i].Low;
}
return SetAVXContext(hActiveThread, &Avx);
}
__declspec(dllexport) bool TITCALL SetAVX512Context(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_AVX512_t* titcontext)
{
if(InitXState() == false)
return false;
DWORD64 FeatureMask = _GetEnabledXStateFeatures();
if((FeatureMask & XSTATE_MASK_AVX512) == 0)
return SetAVX512ContextFallbackToAVX(hActiveThread, titcontext);
DWORD ContextSize = 0;
BOOL Success = _InitializeContext(NULL,
CONTEXT_ALL | CONTEXT_XSTATE,
NULL,
&ContextSize);
if((Success == TRUE) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER))
return false;
DynBuf dataBuffer(ContextSize);
PVOID Buffer = dataBuffer.GetPtr();
if(Buffer == NULL)
return false;
PCONTEXT Context;
Success = _InitializeContext(Buffer,
CONTEXT_ALL | CONTEXT_XSTATE,
&Context,
&ContextSize);
if(Success == FALSE)
return false;
if(_SetXStateFeaturesMask(Context, XSTATE_MASK_AVX | XSTATE_MASK_AVX512) == FALSE)
return SetAVX512ContextFallbackToAVX(hActiveThread, titcontext);
if(GetThreadContext(hActiveThread, Context) == FALSE)
return false;
if(_GetXStateFeaturesMask(Context, &FeatureMask) == FALSE)
return false;
DWORD FeatureLengthSse;
DWORD FeatureLengthAvx;
DWORD FeatureLengthAvx512_KMASK;
DWORD FeatureLengthAvx512_ZMM_H;
DWORD FeatureLengthAvx512_ZMM;
XmmRegister_t* Sse = (XmmRegister_t*)_LocateXStateFeature(Context, XSTATE_LEGACY_SSE, &FeatureLengthSse);
XmmRegister_t* Avx = (XmmRegister_t*)_LocateXStateFeature(Context, XSTATE_AVX, &FeatureLengthAvx);
ULONGLONG* Avx512_KMASK = (ULONGLONG*)_LocateXStateFeature(Context, XSTATE_AVX512_KMASK, &FeatureLengthAvx512_KMASK);
ZmmRegister_t* Avx512_ZMM = (ZmmRegister_t*)_LocateXStateFeature(Context, XSTATE_AVX512_ZMM, &FeatureLengthAvx512_ZMM);
YmmRegister_t* Avx512_ZMM_H = (YmmRegister_t*)_LocateXStateFeature(Context, XSTATE_AVX512_ZMM_H, &FeatureLengthAvx512_ZMM_H);
if(Sse != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthSse / sizeof(XmmRegister_t), _countof(titcontext->ZmmRegisters)); i++)
Sse[i] = titcontext->ZmmRegisters[i].Low.Low;
}
if(Avx != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx / sizeof(XmmRegister_t), _countof(titcontext->ZmmRegisters)); i++)
Avx[i] = titcontext->ZmmRegisters[i].Low.High;
}
if(Avx512_ZMM_H != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx512_ZMM_H / sizeof(YmmRegister_t), _countof(titcontext->ZmmRegisters)); i++)
Avx512_ZMM_H[i] = titcontext->ZmmRegisters[i].High;
}
#ifdef _WIN64
if(Avx512_ZMM != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx512_ZMM / sizeof(ZmmRegister_t), _countof(titcontext->ZmmRegisters) - FeatureLengthAvx / sizeof(XmmRegister_t)); i++)
Avx512_ZMM[i] = titcontext->ZmmRegisters[i + FeatureLengthAvx / sizeof(XmmRegister_t)];
}
#endif // _WIN64
if(Avx512_KMASK != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx512_KMASK / sizeof(ULONGLONG), _countof(titcontext->Opmask)); i++)
Avx512_KMASK[i] = titcontext->Opmask[i];
}
return (SetThreadContext(hActiveThread, Context) == TRUE);
}
static bool GetAVX512ContextFallbackToAVX(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_AVX512_t* titcontext)
{
// Fall back to using AVX and fill the rest with 0
TITAN_ENGINE_CONTEXT_t Avx;
memset(titcontext, 0, sizeof(*titcontext));
if(GetAVXContext(hActiveThread, &Avx))
{
for(int i = 0; i < _countof(Avx.YmmRegisters); i++)
titcontext->ZmmRegisters[i].Low = Avx.YmmRegisters[i];
return true;
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL GetAVX512Context(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_AVX512_t* titcontext)
{
if(InitXState() == false)
return false;
DWORD64 FeatureMask = _GetEnabledXStateFeatures();
if((FeatureMask & XSTATE_MASK_AVX512) == 0) //XSTATE_MASK_AVX512
return GetAVX512ContextFallbackToAVX(hActiveThread, titcontext);
DWORD ContextSize = 0;
BOOL Success = _InitializeContext(NULL,
CONTEXT_ALL | CONTEXT_XSTATE,
NULL,
&ContextSize);
if((Success == TRUE) || (GetLastError() != ERROR_INSUFFICIENT_BUFFER))
return false;
DynBuf dataBuffer(ContextSize);
PVOID Buffer = dataBuffer.GetPtr();
if(Buffer == NULL)
return false;
PCONTEXT Context;
Success = _InitializeContext(Buffer,
CONTEXT_ALL | CONTEXT_XSTATE,
&Context,
&ContextSize);
if(Success == FALSE)
return false;
if(_SetXStateFeaturesMask(Context, XSTATE_MASK_AVX | XSTATE_MASK_AVX512) == FALSE)
return GetAVX512ContextFallbackToAVX(hActiveThread, titcontext);
if(GetThreadContext(hActiveThread, Context) == FALSE)
return false;
if(_GetXStateFeaturesMask(Context, &FeatureMask) == FALSE)
return false;
DWORD FeatureLengthSse;
DWORD FeatureLengthAvx;
DWORD FeatureLengthAvx512_KMASK;
DWORD FeatureLengthAvx512_ZMM_H;
DWORD FeatureLengthAvx512_ZMM;
XmmRegister_t* Sse = (XmmRegister_t*)_LocateXStateFeature(Context, XSTATE_LEGACY_SSE, &FeatureLengthSse);
XmmRegister_t* Avx = (XmmRegister_t*)_LocateXStateFeature(Context, XSTATE_AVX, &FeatureLengthAvx);
ULONGLONG* Avx512_KMASK = (ULONGLONG*)_LocateXStateFeature(Context, XSTATE_AVX512_KMASK, &FeatureLengthAvx512_KMASK);
ZmmRegister_t* Avx512_ZMM = (ZmmRegister_t*)_LocateXStateFeature(Context, XSTATE_AVX512_ZMM, &FeatureLengthAvx512_ZMM);
YmmRegister_t* Avx512_ZMM_H = (YmmRegister_t*)_LocateXStateFeature(Context, XSTATE_AVX512_ZMM_H, &FeatureLengthAvx512_ZMM_H);
if(Sse != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthSse / sizeof(XmmRegister_t), _countof(titcontext->ZmmRegisters)); i++)
titcontext->ZmmRegisters[i].Low.Low = Sse[i];
}
if(Avx != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx / sizeof(XmmRegister_t), _countof(titcontext->ZmmRegisters)); i++)
titcontext->ZmmRegisters[i].Low.High = Avx[i];
}
if(Avx512_ZMM_H != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx512_ZMM_H / sizeof(YmmRegister_t), _countof(titcontext->ZmmRegisters)); i++)
titcontext->ZmmRegisters[i].High = Avx512_ZMM_H[i];
}
#ifdef _WIN64
if(Avx512_ZMM != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx512_ZMM / sizeof(ZmmRegister_t), _countof(titcontext->ZmmRegisters) - FeatureLengthAvx / sizeof(XmmRegister_t)); i++)
titcontext->ZmmRegisters[i + FeatureLengthAvx / sizeof(XmmRegister_t)] = Avx512_ZMM[i];
}
#endif // _WIN64
if(Avx512_KMASK != NULL) //If the feature is unsupported by the processor it will return NULL
{
for(int i = 0; i < MIN(FeatureLengthAvx512_KMASK / sizeof(ULONGLONG), _countof(titcontext->Opmask)); i++)
titcontext->Opmask[i] = Avx512_KMASK[i];
}
return true;
}

10
TitanEngine/TitanEngine.Debugger.Control.cpp
View File

@ -28,7 +28,7 @@ __declspec(dllexport) void TITCALL ForceClose()
{
StopDebug();
}
RtlZeroMemory(&dbgProcessInformation, sizeof(PROCESS_INFORMATION));
RtlZeroMemory(&dbgProcessInformation, sizeof PROCESS_INFORMATION);
if(DebugDebuggingDLL)
DeleteFileW(szDebuggerName);
DebugDebuggingDLL = false;
@ -38,15 +38,15 @@ __declspec(dllexport) void TITCALL ForceClose()
__declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
{
EnterCriticalSection(&engineStepActiveCr);
if(!engineStepActive)
if (!engineStepActive)
{
ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP);
unsigned char instr[16];
MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
char* DisassembledString = (char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
if(strstr(DisassembledString, "PUSHF"))
if (strstr(DisassembledString, "PUSHF"))
StepOver(StepCallBack);
else if(strstr(DisassembledString, "POP SS") || strstr(DisassembledString, "MOV SS")) //prevent the 'PUSH SS', 'POP SS' step trick
else if (strstr(DisassembledString, "POP SS") || strstr(DisassembledString, "MOV SS")) //prevent the 'PUSH SS', 'POP SS' step trick
{
ueCurrentPosition += StaticLengthDisassemble((void*)instr);
SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3 + UE_SINGLESHOOT, StepCallBack);
@ -87,7 +87,7 @@ __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal)
{
DebugStepFinal = StepFinal;
StepOutCallBack = StepOut;
StepOver(CallbackToObjectPointer(&StepOutStepCallBack));
StepOver(StepOutStepCallBack);
}
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)

91
TitanEngine/TitanEngine.Debugger.DebugLoop.cpp
View File

@ -16,12 +16,12 @@
static void engineStep()
{
EnterCriticalSection(&engineStepActiveCr);
if(engineStepActive)
if (engineStepActive)
{
DBGCode = DBG_CONTINUE;
if(engineStepCount == 0)
if (engineStepCount == 0)
{
typedef void(TITCALL * fCustomBreakPoint)(void);
typedef void(TITCALL* fCustomBreakPoint)(void);
auto cbStep = fCustomBreakPoint(engineStepCallBack);
engineStepActive = false;
engineStepCallBack = NULL;
@ -62,7 +62,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
SIZE_T ResetBPXSize = 0;
ULONG_PTR ResetBPXAddressTo = 0;
std::function<void()> ResetMemBpxCallback;
std::function<void()> ResetMemBpxExtraCallback = nullptr;
ULONG_PTR NumberOfBytesReadWritten = 0;
HANDLE hActiveThread;
DWORD OldProtect;
@ -101,8 +100,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
memset(&DLLDebugFileName, 0, sizeof(DLLDebugFileName));
engineFileIsBeingDebugged = true;
uint32_t consecutiveTimeouts = 0;
while(!BreakDBG) //actual debug loop
{
bool synchronizedStep = false;
@ -126,17 +123,10 @@ __declspec(dllexport) void TITCALL DebugLoop()
else
{
// Regular timeout, wait again
// After 2 consecutive timeouts, clear recently deleted breakpoints
consecutiveTimeouts++;
if(consecutiveTimeouts >= 2)
recentlyDeletedBpx.clear();
continue;
}
}
// Event received, reset timeout counter
consecutiveTimeouts = 0;
if(IsDbgReplyLaterSupported)
{
if(DBGEvent.dwDebugEventCode == EXCEPTION_DEBUG_EVENT)
@ -184,7 +174,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
{
startAddress -= ULONG_PTR(DBGEvent.u.CreateProcessInfo.lpBaseOfImage);
startAddress += DebugModuleImageBase;
DBGEvent.u.CreateProcessInfo.lpStartAddress = reinterpret_cast<LPTHREAD_START_ROUTINE>(reinterpret_cast<LPVOID>(startAddress));
DBGEvent.u.CreateProcessInfo.lpStartAddress = LPTHREAD_START_ROUTINE(startAddress);
}
DBGEvent.u.CreateProcessInfo.lpBaseOfImage = LPVOID(DebugModuleImageBase);
}
@ -192,7 +182,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
bool attachBreakpoint = false;
if(DBGFileHandle == NULL) //we didn't set the handle yet (initial process)
{
DBGEntryPoint = CallbackToObjectPointer(DBGEvent.u.CreateProcessInfo.lpStartAddress);
DBGEntryPoint = DBGEvent.u.CreateProcessInfo.lpStartAddress;
DBGFileHandle = DBGEvent.u.CreateProcessInfo.hFile;
DebugDebuggingMainModuleBase = (ULONG_PTR) DBGEvent.u.CreateProcessInfo.lpBaseOfImage;
if(DebugAttachedToProcess) //we attached, set information
@ -202,7 +192,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
dbgProcessInformation.dwThreadId = NULL;
if(engineAttachedProcessDebugInfo != NULL)
{
RtlMoveMemory(engineAttachedProcessDebugInfo, &dbgProcessInformation, sizeof(PROCESS_INFORMATION));
RtlMoveMemory(engineAttachedProcessDebugInfo, &dbgProcessInformation, sizeof PROCESS_INFORMATION);
}
attachBreakpoint = true;
}
@ -394,7 +384,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
VirtualFree((void*)szTranslatedNativeName, NULL, MEM_RELEASE);
}
RtlZeroMemory(szAnsiLibraryName, sizeof(szAnsiLibraryName));
WideCharToMultiByte(CP_ACP, NULL, NewLibraryData.szLibraryName, -1, szAnsiLibraryName, sizeof(szAnsiLibraryName), NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, NewLibraryData.szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
//library breakpoint
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
@ -444,7 +434,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
if(hLoadedLibData)
{
RtlZeroMemory(szAnsiLibraryName, sizeof(szAnsiLibraryName));
WideCharToMultiByte(CP_ACP, NULL, hLoadedLibData->szLibraryName, -1, szAnsiLibraryName, sizeof(szAnsiLibraryName), NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, hLoadedLibData->szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
for(int i = (int)LibrarianData.size() - 1; i >= 0; i--)
{
@ -514,11 +504,11 @@ __declspec(dllexport) void TITCALL DebugLoop()
{
DBGCode = DBG_EXCEPTION_NOT_HANDLED; //let debuggee handle the exception
}
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof(DEBUG_EVENT));
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof DEBUG_EVENT);
}
//handle different exception codes
switch((LONG)DBGEvent.u.Exception.ExceptionRecord.ExceptionCode)
switch(DBGEvent.u.Exception.ExceptionRecord.ExceptionCode)
{
case STATUS_BREAKPOINT:
{
@ -547,7 +537,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
CONTEXT myDBGContext;
myDBGContext.ContextFlags = ContextControlFlags;
GetThreadContext(hActiveThread, &myDBGContext);
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
if (FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
{
myDBGContext.EFlags |= UE_TRAP_FLAG;
synchronizedStep = true;
@ -598,36 +588,11 @@ __declspec(dllexport) void TITCALL DebugLoop()
{
if(DebugAttachedToProcess || !FirstBPX) //program generated a breakpoint exception
{
ULONG_PTR exceptionAddress = (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress;
if(recentlyDeletedBpx.find(exceptionAddress) != recentlyDeletedBpx.end())
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
if(DBGCustomHandler->chBreakPoint != NULL)
{
//breakpoint was recently deleted - handle the stale event gracefully
hActiveThread = EngineOpenThread(THREAD_GETSETSUSPEND, false, DBGEvent.dwThreadId);
if(hActiveThread != NULL)
{
CONTEXT myDBGContext;
myDBGContext.ContextFlags = ContextControlFlags;
GetThreadContext(hActiveThread, &myDBGContext);
#if defined(_WIN64)
myDBGContext.Rip = exceptionAddress;
#else
myDBGContext.Eip = (DWORD)exceptionAddress;
#endif
SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread);
DBGCode = DBG_CONTINUE;
}
}
else
{
//not a recently deleted breakpoint - pass to debuggee
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
if(DBGCustomHandler->chBreakPoint != NULL)
{
myCustomHandler = (fCustomHandler)((LPVOID)DBGCustomHandler->chBreakPoint);
myCustomHandler(&DBGEvent.u.Exception.ExceptionRecord);
}
myCustomHandler = (fCustomHandler)((LPVOID)DBGCustomHandler->chBreakPoint);
myCustomHandler(&DBGEvent.u.Exception.ExceptionRecord);
}
}
else //system breakpoint
@ -719,11 +684,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
{
ResetMemBPX = false;
ResetMemBpxCallback();
if(ResetMemBpxExtraCallback != nullptr)
{
ResetMemBpxExtraCallback();
ResetMemBpxExtraCallback = nullptr;
}
engineStep();
}
}
@ -758,7 +718,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.EFlags &= ~UE_TRAP_FLAG;
SetThreadContext(hActiveThread, &myDBGContext);
synchronizedStep = false;
}
}
else
@ -790,7 +749,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.EFlags &= ~UE_TRAP_FLAG;
SetThreadContext(hActiveThread, &myDBGContext);
synchronizedStep = false;
}
}
else
@ -822,7 +780,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.EFlags &= ~UE_TRAP_FLAG;
SetThreadContext(hActiveThread, &myDBGContext);
synchronizedStep = false;
}
}
else
@ -854,7 +811,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
GetThreadContext(hActiveThread, &myDBGContext);
myDBGContext.EFlags &= ~UE_TRAP_FLAG;
SetThreadContext(hActiveThread, &myDBGContext);
synchronizedStep = false;
}
}
else
@ -903,14 +859,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
// - restore the protection if there are still our BPs on this page OR pass the exception to the debuggee
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
// If the access is at page boundary, it can span an extra page before the internal step is run
if(ResetMemBPX)
{
ResetMemBpxExtraCallback = ResetMemBpxCallback;
ResetMemBPX = false;
}
ResetMemBPX = false;
bool bCallUserCallback = false; // when we hit a correct BP
// Access Types: 0 - read, 1 - write, 8 - execute (dep violation)
@ -1155,7 +1104,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
CONTEXT myDBGContext;
myDBGContext.ContextFlags = ContextControlFlags;
GetThreadContext(hActiveThread, &myDBGContext);
if(FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
if (FoundBreakPoint.BreakPointType != UE_SINGLESHOOT)
{
myDBGContext.EFlags |= UE_TRAP_FLAG;
synchronizedStep = true;
@ -1336,10 +1285,10 @@ __declspec(dllexport) void TITCALL DebugLoop()
continue;
// Check if the thread is already suspended
if(SuspendedThreads.count(Thread.dwThreadId) != 0)
if (SuspendedThreads.count(Thread.dwThreadId) != 0)
continue;
if(SuspendThread(Thread.hThread) != -1)
if (SuspendThread(Thread.hThread) != -1)
SuspendedThreads.emplace(Thread.dwThreadId, Thread);
}
}
@ -1373,7 +1322,7 @@ continue_dbg_event:
if(!SecondChance) //debugger didn't close with a second chance exception (normal exit)
{
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof(DEBUG_EVENT));
RtlMoveMemory(&TerminateDBGEvent, &DBGEvent, sizeof DEBUG_EVENT);
}
ForceClose();
engineFileIsBeingDebugged = false;

34
TitanEngine/TitanEngine.Debugger.Helper.cpp
View File

@ -15,11 +15,11 @@ __declspec(dllexport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID Strin
{
MaximumStringSize = 512;
}
VirtualQueryEx(hProcess, (LPVOID)StringAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)StringAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if((int)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - (ULONG_PTR)StringAddress) < MaximumStringSize)
{
StringReadSize = (DWORD)((ULONG_PTR)StringAddress - (ULONG_PTR)MemInfo.BaseAddress);
VirtualQueryEx(hProcess, (LPVOID)((ULONG_PTR)StringAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)((ULONG_PTR)StringAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT)
{
StringReadSize = MaximumStringSize;
@ -94,17 +94,17 @@ __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DW
{
StackSecondReadSize = 0;
}
StackReadSize = sizeof(ULONG_PTR);
StackReadSize = sizeof ULONG_PTR;
}
if(FunctionType >= UE_FUNCTION_STDCALL && FunctionType <= UE_FUNCTION_CCALL_CALL && FunctionType != UE_FUNCTION_FASTCALL_RET)
{
StackReadAddress = (ULONG_PTR)GetContextData(UE_CSP);
if(FunctionType != UE_FUNCTION_FASTCALL_CALL)
{
StackReadAddress = StackReadAddress + (ParameterNumber * sizeof(ULONG_PTR));
StackReadAddress = StackReadAddress + (ParameterNumber * sizeof ULONG_PTR);
if(FunctionType >= UE_FUNCTION_STDCALL_CALL)
{
StackReadAddress = StackReadAddress - sizeof(ULONG_PTR);
StackReadAddress = StackReadAddress - sizeof ULONG_PTR;
}
}
else
@ -152,23 +152,23 @@ __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DW
}
else
{
StackReadAddress = StackReadAddress + 0x20 + ((ParameterNumber - 4) * sizeof(ULONG_PTR)) - sizeof(ULONG_PTR);
StackReadAddress = StackReadAddress + 0x20 + ((ParameterNumber - 4) * sizeof ULONG_PTR) - sizeof ULONG_PTR;
}
}
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof(ULONG_PTR), &ueNumberOfBytesRW))
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof ULONG_PTR, &ueNumberOfBytesRW))
{
if(!ValueIsPointer)
{
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof(ULONG_PTR) - StackReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof(ULONG_PTR) - StackReadSize), StackReadSize);
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof ULONG_PTR - StackReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof ULONG_PTR - StackReadSize), StackReadSize);
}
else
{
StackReadAddress = StackReadBuffer;
if(StackSecondReadSize > NULL)
{
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof(ULONG_PTR), &ueNumberOfBytesRW))
if(ReadProcessMemory(hProcess, (LPVOID)StackReadAddress, &StackReadBuffer, sizeof ULONG_PTR, &ueNumberOfBytesRW))
{
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof(ULONG_PTR) - StackSecondReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof(ULONG_PTR) - StackSecondReadSize), StackSecondReadSize);
RtlMoveMemory((LPVOID)((ULONG_PTR)&StackFinalBuffer + sizeof ULONG_PTR - StackSecondReadSize), (LPVOID)((ULONG_PTR)&StackReadBuffer + sizeof ULONG_PTR - StackSecondReadSize), StackSecondReadSize);
}
else
{
@ -177,11 +177,11 @@ __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DW
}
else
{
VirtualQueryEx(hProcess, (LPVOID)StackReadAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)StackReadAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - StackReadAddress < 512)
{
StringReadSize = (DWORD)((ULONG_PTR)StackReadAddress - (ULONG_PTR)MemInfo.BaseAddress);
VirtualQueryEx(hProcess, (LPVOID)(StackReadAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)(StackReadAddress + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.State == MEM_COMMIT)
{
StringReadSize = 512;
@ -221,7 +221,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
if(hProcess != NULL)
{
VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)InstructionAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.RegionSize > NULL)
{
if(ReadProcessMemory(hProcess, (LPVOID)InstructionAddress, ReadMemory, MAXIMUM_INSTRUCTION_SIZE, &ueNumberOfBytesRead))
@ -305,7 +305,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
if(sizeof HANDLE == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
@ -314,7 +314,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)ReadMemory + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
if(sizeof HANDLE == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
@ -440,7 +440,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
if(sizeof HANDLE == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}
@ -449,7 +449,7 @@ __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, UL
{
RtlMoveMemory(&ReadMemData, (LPVOID)((ULONG_PTR)InstructionAddress + 2), 4);
TargetedAddress = ReadMemData;
if(sizeof(HANDLE) == 8)
if(sizeof HANDLE == 8)
{
TargetedAddress = TargetedAddress + InstructionAddress;
}

12
TitanEngine/TitanEngine.Debugger.Memory.cpp
View File

@ -30,7 +30,7 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
{
if(ueNumberOfBytesRead == 0)
{
if(VirtualQueryEx(hProcess, MemoryToCheck, &memoryInformation, sizeof(memoryInformation)) != NULL)
if(VirtualQueryEx(hProcess, MemoryToCheck, &memoryInformation, sizeof memoryInformation) != NULL)
{
SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
@ -104,7 +104,7 @@ __declspec(dllexport) ULONG_PTR TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
{
if(ueNumberOfBytesRead == NULL)
{
if(VirtualQueryEx(hProcess, MemoryStart, &memoryInformation, sizeof(memoryInformation)) != NULL)
if(VirtualQueryEx(hProcess, MemoryStart, &memoryInformation, sizeof memoryInformation) != NULL)
{
MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart);
if(!MemoryReadSafe(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
@ -175,7 +175,7 @@ __declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, D
{
FillByte = &defFillByte;
}
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
for(i = 0; i < MemorySize; i++)
@ -214,7 +214,7 @@ __declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart,
if(hProcess != NULL)
{
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
@ -358,7 +358,7 @@ __declspec(dllexport) bool TITCALL MemoryReadSafe(HANDLE hProcess, LPVOID lpBase
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
{
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof memInfo))
break; // failure ('VirtualProtectEx' will fail too)
memRegions.push_back(memInfo);
}
@ -430,7 +430,7 @@ __declspec(dllexport) bool TITCALL MemoryWriteSafe(HANDLE hProcess, LPVOID lpBas
ULONG_PTR endAddr = (ULONG_PTR)lpBaseAddress + nSize;
for(ULONG_PTR page = ALIGN_DOWN_BY(lpBaseAddress, TITANENGINE_PAGESIZE); page < endAddr; page += memInfo.RegionSize)
{
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof(memInfo)))
if(0 == VirtualQueryEx(hProcess, (LPCVOID)page, &memInfo, sizeof memInfo))
break; // failure
memRegions.push_back(memInfo);
}

95
TitanEngine/TitanEngine.Debugger.cpp
View File

@ -156,31 +156,31 @@ static bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMAT
{
bool success = false;
auto hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
if(hFile != INVALID_HANDLE_VALUE)
if (hFile != INVALID_HANDLE_VALUE)
{
// Retrieve image base and entry point
DebugModuleImageBase = GetPE32DataW(szFileName, 0, UE_IMAGEBASE);
DebugModuleEntryPoint = GetPE32DataW(szFileName, 0, UE_OEP);
auto hMapping = CreateFileMappingW(hFile, nullptr, SEC_IMAGE | PAGE_READONLY, 0, 0, nullptr);
if(hMapping)
if (hMapping)
{
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_ALL;
if(GetThreadContext(pi.hThread, &ctx))
if (GetThreadContext(pi.hThread, &ctx))
{
PVOID imageBase;
// TODO: support wow64 processes
#ifdef _WIN64
auto & pebRegister = ctx.Rdx;
auto & entryPointRegister = ctx.Rcx;
auto& pebRegister = ctx.Rdx;
auto& entryPointRegister = ctx.Rcx;
#else
auto & pebRegister = ctx.Ebx;
auto & entryPointRegister = ctx.Eax;
auto& pebRegister = ctx.Ebx;
auto& entryPointRegister = ctx.Eax;
#endif // _WIN64
if(ReadProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr))
if (ReadProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr))
{
if(ULONG_PTR(imageBase) == DebugModuleImageBase)
if (ULONG_PTR(imageBase) == DebugModuleImageBase)
{
// Already at the right base
success = true;
@ -188,32 +188,32 @@ static bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMAT
else
{
auto status = NtUnmapViewOfSection(pi.hProcess, imageBase);
if(status == STATUS_SUCCESS)
if (status == STATUS_SUCCESS)
{
SIZE_T viewSize = 0;
imageBase = PVOID(DebugModuleImageBase);
status = NtMapViewOfSection(hMapping, pi.hProcess, &imageBase, 0, 0, nullptr, &viewSize, ViewUnmap, 0, PAGE_READONLY);
if(status == STATUS_CONFLICTING_ADDRESSES)
if (status == STATUS_CONFLICTING_ADDRESSES)
{
// Remap in a random location (otherwise the process will crash)
imageBase = 0;
status = NtMapViewOfSection(hMapping, pi.hProcess, &imageBase, 0, 0, nullptr, &viewSize, ViewUnmap, 0, PAGE_READONLY);
}
if(status == STATUS_SUCCESS || status == STATUS_IMAGE_NOT_AT_BASE)
if (status == STATUS_SUCCESS || status == STATUS_IMAGE_NOT_AT_BASE)
{
auto pebOk = WriteProcessMemory(pi.hProcess, (char*)pebRegister + offsetof(PEB, ImageBaseAddress), &imageBase, sizeof(PVOID), nullptr);
auto relocatedOk = RelocateImage(pi.hProcess, imageBase, viewSize);
if(pebOk && relocatedOk)
if (pebOk && relocatedOk)
{
auto expectedBase = DebugModuleImageBase == ULONG_PTR(imageBase);
DebugModuleImageBase = ULONG_PTR(imageBase);
entryPointRegister = DebugModuleImageBase + DebugModuleEntryPoint;
if(SetThreadContext(pi.hThread, &ctx))
if (SetThreadContext(pi.hThread, &ctx))
{
success = expectedBase;
#ifndef _WIN64
// For Wow64 processes, also adjust the 64-bit PEB
if(IsThisProcessWow64() && !WriteProcessMemory(pi.hProcess, (char*)pebRegister - 0x1000 + 0x10, &imageBase, sizeof(PVOID), nullptr))
if (IsThisProcessWow64() && !WriteProcessMemory(pi.hProcess, (char*)pebRegister - 0x1000 + 0x10, &imageBase, sizeof(PVOID), nullptr))
success = false;
#endif // _WIN64
}
@ -240,10 +240,7 @@ static bool HollowProcessWithoutASLR(const wchar_t* szFileName, PROCESS_INFORMAT
__declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder)
{
int creationFlags = DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS;
if(engineDisableAslr)
creationFlags = CREATE_SUSPENDED;
int creationFlags = CREATE_NEW_CONSOLE | DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS;
if(DebugDebuggingDLL)
{
@ -254,9 +251,9 @@ __declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szC
{
creationFlags |= CREATE_NO_WINDOW;
}
else
else if(engineDisableAslr)
{
creationFlags |= CREATE_NEW_CONSOLE;
creationFlags = CREATE_NEW_CONSOLE | CREATE_SUSPENDED;
}
wchar_t* szFileNameCreateProcess;
@ -289,11 +286,11 @@ retry_no_aslr:
{
if(engineDisableAslr)
{
if(!HollowProcessWithoutASLR(szFileName, dbgProcessInformation))
if (!HollowProcessWithoutASLR(szFileName, dbgProcessInformation))
{
TerminateThread(dbgProcessInformation.hThread, STATUS_CONFLICTING_ADDRESSES);
TerminateProcess(dbgProcessInformation.hProcess, STATUS_CONFLICTING_ADDRESSES);
if(retries++ < 10)
if (retries++ < 10)
goto retry_no_aslr;
memset(&dbgProcessInformation, 0, sizeof(PROCESS_INFORMATION));
return nullptr;
@ -405,17 +402,6 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
HANDLE ProcessHandle = NULL, ThreadHandle = NULL;
UNICODE_STRING CommandLine = { 0 };
PUNICODE_STRING PtrCurrentDirectory = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = {};
HANDLE DebugPort = NULL;
PS_CREATE_INFO CreateInfo = {};
SIZE_T NumAttributes = 0;
SIZE_T AttributesSize = 0;
PPS_ATTRIBUTE_LIST AttributeList = NULL;
ULONG N = 0;
CLIENT_ID Cid = {};
PCLIENT_ID ClientId = NULL;
ULONG NtProcessFlags = 0;
ULONG NtThreadFlags = 0;
// Convert the application path to its NT equivalent
UNICODE_STRING ImagePath, NtImagePath;
@ -475,7 +461,9 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
ProcessParameters->ShowWindowFlags = STARTF_USESHOWWINDOW | SW_SHOWDEFAULT;
// Create a debug port object
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
HANDLE DebugPort = NULL;
Status = NtCreateDebugObject(&DebugPort,
DEBUG_ALL_ACCESS,
&ObjectAttributes,
@ -490,25 +478,26 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
NtCurrentTeb()->DbgSsReserved[1] = DebugPort;
// Initialize the PS_CREATE_INFO structure
PS_CREATE_INFO CreateInfo;
RtlZeroMemory(&CreateInfo, sizeof(CreateInfo));
CreateInfo.Size = sizeof(CreateInfo);
CreateInfo.State = PsCreateInitialState;
CreateInfo.u1.InitState.u2.s1.WriteOutputOnExit = TRUE;
CreateInfo.u1.InitState.u2.s1.DetectManifest = TRUE;
CreateInfo.u1.InitState.u2.s1.ProhibitedImageCharacteristics = 0; // Normally: IMAGE_FILE_DLL (disallow executing DLLs)
CreateInfo.u1.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
CreateInfo.InitState.u1.s1.WriteOutputOnExit = TRUE;
CreateInfo.InitState.u1.s1.DetectManifest = TRUE;
CreateInfo.InitState.u1.s1.ProhibitedImageCharacteristics = 0; // Normally: IMAGE_FILE_DLL (disallow executing DLLs)
CreateInfo.InitState.AdditionalFileAccess = FILE_READ_ATTRIBUTES | FILE_READ_DATA;
// Initialize the PS_ATTRIBUTE_LIST that contains the process creation attributes
NumAttributes = 3;
AttributesSize = sizeof(SIZE_T) + NumAttributes * sizeof(PS_ATTRIBUTE);
AttributeList = reinterpret_cast<PPS_ATTRIBUTE_LIST>(
RtlAllocateHeap(RtlProcessHeap(),
HEAP_ZERO_MEMORY, // Not optional
AttributesSize));
const SIZE_T NumAttributes = 3;
const SIZE_T AttributesSize = sizeof(SIZE_T) + NumAttributes * sizeof(PS_ATTRIBUTE);
PPS_ATTRIBUTE_LIST AttributeList = reinterpret_cast<PPS_ATTRIBUTE_LIST>(
RtlAllocateHeap(RtlProcessHeap(),
HEAP_ZERO_MEMORY, // Not optional
AttributesSize));
AttributeList->TotalLength = AttributesSize;
// In: NT style absolute image path. This is the only required attribute
N = 0;
ULONG N = 0;
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
AttributeList->Attributes[N].Size = NtImagePath.Length;
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(NtImagePath.Buffer);
@ -521,15 +510,15 @@ __declspec(dllexport) void* TITCALL InitNativeDebugW(wchar_t* szFileName, wchar_
// Out: client ID
N++;
Cid = {};
ClientId = &Cid;
CLIENT_ID Cid;
PCLIENT_ID ClientId = &Cid;
AttributeList->Attributes[N].Attribute = PS_ATTRIBUTE_CLIENT_ID;
AttributeList->Attributes[N].Size = sizeof(CLIENT_ID);
AttributeList->Attributes[N].Value = reinterpret_cast<ULONG_PTR>(ClientId);
// Set process and thread flags
NtProcessFlags = PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT; // Same as DEBUG_ONLY_THIS_PROCESS. DEBUG_PROCESS is implied by the debug port
NtThreadFlags = THREAD_CREATE_FLAGS_CREATE_SUSPENDED; // Always set this, because we need to do some bookkeeping before resuming
ULONG NtProcessFlags = PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT; // Same as DEBUG_ONLY_THIS_PROCESS. DEBUG_PROCESS is implied by the debug port
ULONG NtThreadFlags = THREAD_CREATE_FLAGS_CREATE_SUSPENDED; // Always set this, because we need to do some bookkeeping before resuming
// Create the process
Status = fnNtCreateUserProcess(&ProcessHandle,
@ -565,8 +554,8 @@ finished:
if(ProcessHandle != NULL)
{
// Close the file and section handles we got back from the kernel
NtClose(CreateInfo.u1.SuccessState.FileHandle);
NtClose(CreateInfo.u1.SuccessState.SectionHandle);
NtClose(CreateInfo.SuccessState.FileHandle);
NtClose(CreateInfo.SuccessState.SectionHandle);
// If we failed, terminate the process
if(!NT_SUCCESS(Status))
@ -833,7 +822,7 @@ __declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool Reserv
if(szFileName != NULL)
{
RtlZeroMemory(&expertDebug, sizeof(ExpertDebug));
RtlZeroMemory(&expertDebug, sizeof ExpertDebug);
expertDebug.ExpertModeActive = true;
expertDebug.szFileName = szFileName;
expertDebug.szCommandLine = szCommandLine;
@ -855,7 +844,7 @@ __declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool Reserv
ForceClose();
}
}
RtlZeroMemory(&expertDebug, sizeof(ExpertDebug));
RtlZeroMemory(&expertDebug, sizeof ExpertDebug);
SetDebugLoopTimeOut(INFINITE);
}
}

2
TitanEngine/TitanEngine.Dumper.cpp
View File

@ -408,7 +408,7 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
return false;
}
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != NULL)
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
{
AddressIsModuleBase = false;
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)

16
TitanEngine/TitanEngine.Engine.Simplification.cpp
View File

@ -33,7 +33,7 @@ __declspec(dllexport) void TITCALL EngineUnpackerInitializeW(wchar_t* szFileName
{
RtlZeroMemory(&szEngineUnpackerSnapShot1[0], MAX_PATH * 2);
RtlZeroMemory(&szEngineUnpackerSnapShot2[0], MAX_PATH * 2);
RtlZeroMemory(&EngineUnpackerFileStatus, sizeof(FILE_STATUS_INFO));
RtlZeroMemory(&EngineUnpackerFileStatus, sizeof FILE_STATUS_INFO);
if(IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, &EngineUnpackerFileStatus))
{
if(!EngineUnpackerFileStatus.FileIsDLL)
@ -86,7 +86,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
DWORD fBreakPointType = UE_BREAKPOINT;
UnpackerInformation fUnpackerInformation = {};
if(SearchStart == (void*)(DWORD_PTR)UE_UNPACKER_CONDITION_SEARCH_FROM_EP)
if((int)SearchStart == UE_UNPACKER_CONDITION_SEARCH_FROM_EP)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
@ -119,7 +119,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
if(BreakType == UE_UNPACKER_CONDITION_LOADLIBRARY)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyLoadLibraryCallBack)))
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyLoadLibraryCallBack))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
@ -127,7 +127,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
}
else if(BreakType == UE_UNPACKER_CONDITION_GETPROCADDRESS)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyGetProcAddressCallBack)))
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyGetProcAddressCallBack))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
@ -135,7 +135,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
}
else if(BreakType == UE_UNPACKER_CONDITION_ENTRYPOINTBREAK)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyGetProcAddressCallBack)))
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyGetProcAddressCallBack))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;
@ -143,7 +143,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
}
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT1)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyMakeSnapshotCallBack)))
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyMakeSnapshotCallBack))
{
fUnpackerInformation.SnapShotNumber = 1;
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
@ -152,7 +152,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
}
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT2)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, CallbackToObjectPointer(&EngineSimplifyMakeSnapshotCallBack)))
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyMakeSnapshotCallBack))
{
fUnpackerInformation.SnapShotNumber = 2;
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
@ -161,7 +161,7 @@ __declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchS
}
else
{
if(SetBPX(fPatternLocation, fBreakPointType, (void*)(ULONG_PTR)BreakType))
if(SetBPX(fPatternLocation, fBreakPointType, (void*)BreakType))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return true;

12
TitanEngine/TitanEngine.Engine.cpp
View File

@ -51,7 +51,7 @@ __declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool Vari
{
engineDisableAslr = VariableSet;
}
else if(VariableId == UE_ENGINE_SAFE_STEP)
else if (VariableId == UE_ENGINE_SAFE_STEP)
{
engineSafeStep = VariableSet;
}
@ -180,7 +180,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
}
ExporterBuildExportTableExW(BuildExportName, ".export");
}
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
}
@ -238,7 +238,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
}
ExporterBuildExportTableExW(BuildExportName, ".export");
}
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
}
@ -276,8 +276,8 @@ __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies()
engineDependencyFilesCWP = engineDependencyFiles;
while(*((char*)engineDependencyFilesCWP) != 0)
{
RtlZeroMemory(&szTempName, sizeof(szTempName));
RtlZeroMemory(&szTempFolder, sizeof(szTempFolder));
RtlZeroMemory(&szTempName, sizeof szTempName);
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DeleteTempGenFile", GetTickCount(), szTempName))
@ -322,7 +322,7 @@ __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpack
}
}
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(const char* szLogMessage)
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage)
{
int cSelect;

10
TitanEngine/TitanEngine.Exporter.cpp
View File

@ -30,7 +30,7 @@ __declspec(dllexport) void TITCALL ExporterCleanup()
expOrdinals[i] = 0;
}
//RtlZeroMemory(&szExportFileName, 512);
RtlZeroMemory(&expExportData, sizeof(IMAGE_EXPORT_DIRECTORY));
RtlZeroMemory(&expExportData, sizeof IMAGE_EXPORT_DIRECTORY);
VirtualFree(expTableData, NULL, MEM_RELEASE);
expExportNumber = NULL;
expTableData = NULL;
@ -139,7 +139,7 @@ __declspec(dllexport) long TITCALL ExporterEstimatedSize()
DWORD EstimatedSize = NULL;
EstimatedSize = (DWORD)((ULONG_PTR)expTableDataCWP - (ULONG_PTR)expTableData);
EstimatedSize = EstimatedSize + (expExportNumber * 12) + sizeof(IMAGE_EXPORT_DIRECTORY);
EstimatedSize = EstimatedSize + (expExportNumber * 12) + sizeof IMAGE_EXPORT_DIRECTORY;
return(EstimatedSize);
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
@ -162,7 +162,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
if(expTableDataCWP != NULL)
{
expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof(IMAGE_EXPORT_DIRECTORY));
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY);
expExportData.NumberOfNames = expExportNumber;
expExportData.NumberOfFunctions = expExportNumber;
@ -204,7 +204,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
expExportData.AddressOfNameOrdinals = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expOrdinals, 2 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 2 * expExportNumber);
RtlMoveMemory(expBuildExportData, &expExportData, sizeof(IMAGE_EXPORT_DIRECTORY));
RtlMoveMemory(expBuildExportData, &expExportData, sizeof IMAGE_EXPORT_DIRECTORY);
RtlMoveMemory((LPVOID)StorePlace, expBuildExportData, (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData));
@ -259,7 +259,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFile
return false;
}
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, const char* szSectionName)
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName)
{
HANDLE FileHandle;

96
TitanEngine/TitanEngine.Handler.cpp
View File

@ -1,11 +1,5 @@
#include "stdafx.h"
#include "definitions.h"
static inline HANDLE HandleFromNtHandle(USHORT handle)
{
return (HANDLE)(ULONG_PTR)handle;
}
#include "Global.Handle.h"
#include "Global.Engine.h"
@ -65,7 +59,7 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
{
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)(ULONG_PTR)pHandle->HandleValue == hHandle)
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle)
{
HandleActive = true;
break;
@ -98,7 +92,7 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
{
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)(ULONG_PTR)pHandle->HandleValue == hHandle)
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle)
{
if(pHandle->GrantedAccess != 0x0012019F) //Filter, because this GrantedAccess type can cause deadlocks!
{
@ -168,19 +162,19 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId,
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount)
{
myHandle = HandleFromNtHandle(HandleInfo->hHandle);
RtlMoveMemory(HandleBuffer, &myHandle, sizeof(HANDLE));
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof(HANDLE));
myHandle = (HANDLE)HandleInfo->hHandle;
RtlMoveMemory(HandleBuffer, &myHandle, sizeof HANDLE);
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE);
HandleCount++;
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return(HandleCount);
@ -205,17 +199,17 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess,
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && HandleFromNtHandle(HandleInfo->hHandle) == hHandle)
if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle)
{
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
{
ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
@ -267,7 +261,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess,
break;
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
if(!DontFreeStringMemory)
@ -329,7 +323,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
@ -348,10 +342,10 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
@ -376,11 +370,11 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL && MaxHandleCount > NULL)
{
RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof(ULONG));
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof(ULONG));
CopyHandle = HandleFromNtHandle(HandleInfo->hHandle);
RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof(HANDLE));
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof(HANDLE));
RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof ULONG);
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof ULONG);
CopyHandle = (HANDLE)HandleInfo->hHandle;
RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof HANDLE);
HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof HANDLE);
FoundHandles++;
MaxHandleCount--;
}
@ -389,7 +383,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
@ -436,7 +430,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
@ -455,10 +449,10 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
@ -483,7 +477,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
{
if(!HandlerCloseRemoteHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle)))
if(!HandlerCloseRemoteHandle(hProcess, (HANDLE)HandleInfo->hHandle))
{
AllHandled = false;
}
@ -493,7 +487,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
@ -539,7 +533,7 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
@ -558,10 +552,10 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION));
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize);
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
@ -594,7 +588,7 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return false;
@ -621,7 +615,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
@ -631,7 +625,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
@ -642,9 +636,9 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL)
{
copyHandle = HandleFromNtHandle(HandleInfo->hHandle);
RtlMoveMemory(HandleBuffer, &copyHandle, sizeof(HANDLE));
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof(HANDLE));
copyHandle = (HANDLE)HandleInfo->hHandle;
RtlMoveMemory(HandleBuffer, &copyHandle, sizeof HANDLE);
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE);
HandleCount++;
}
}
@ -652,7 +646,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return(HandleCount);
@ -681,7 +675,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
HANDLE myHandle;
char HandleBuffer[0x1000] = {0};
LPVOID cHandleBuffer = HandleBuffer;
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof(HANDLE));
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE);
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
wchar_t* HandleName;
@ -690,7 +684,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
lstrcatW(RealMutexName, szMutexString);
for(i = 0; i < OpenHandleCount; i++)
{
RtlMoveMemory(&myHandle, cHandleBuffer, sizeof(HANDLE));
RtlMoveMemory(&myHandle, cHandleBuffer, sizeof HANDLE);
HandleName = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, myHandle, true);
if(HandleName != NULL)
{
@ -699,7 +693,7 @@ __declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
return((ULONG_PTR)myHandle);
}
}
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof(HANDLE));
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE);
}
}
return(NULL);
@ -744,7 +738,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof(ULONG));
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
@ -763,7 +757,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, HandleFromNtHandle(HandleInfo->hHandle), GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
@ -794,7 +788,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof(NTDLL_QUERY_HANDLE_INFO));
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return(ReturnData);

68
TitanEngine/TitanEngine.Hooks.cpp
View File

@ -17,7 +17,7 @@ static bool ProcessHookScanAddNewHook(PHOOK_ENTRY HookDetails, void* ptrOriginal
{
HOOK_ENTRY MyhookEntry = {};
RtlMoveMemory(&MyhookEntry, HookDetails, sizeof(HOOK_ENTRY));
RtlMoveMemory(&MyhookEntry, HookDetails, sizeof HOOK_ENTRY);
hookEntry.push_back(MyhookEntry);
return true;
}
@ -46,10 +46,10 @@ __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray
{
#if defined (_WIN64)
ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.qwArrayEntry[0];
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof(ULONG_PTR));
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR);
#else
ULONG_PTR HookAddress = (ULONG_PTR)myHookAddressArray->Array.dwArrayEntry[0];
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof(ULONG_PTR));
myHookAddressArray = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)myHookAddressArray + sizeof ULONG_PTR);
#endif
while(CurrentIP >= (ULONG_PTR)HookAddress && CurrentIP <= (ULONG_PTR)HookAddress + 5)
{
@ -84,7 +84,7 @@ __declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool
void* aHookAddress[1];
aHookAddress[0] = HookAddress;
return(HooksSafeTransitionEx(&aHookAddress[0], sizeof(aHookAddress), TransitionStart));
return(HooksSafeTransitionEx(&aHookAddress[0], sizeof aHookAddress, TransitionStart));
}
__declspec(dllexport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress)
@ -176,22 +176,22 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
if(CompareMemory->Array.bArrayEntry[0] == 0xE9 && CurrentInstructionSize == 5)
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
}
else if(CompareMemory->Array.bArrayEntry[0] >= 0x70 && CompareMemory->Array.bArrayEntry[0] <= 0x7F && CurrentInstructionSize == 2)
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
}
else if(CompareMemory->Array.bArrayEntry[0] == 0x0F && CompareMemory->Array.bArrayEntry[1] >= 0x80 && CompareMemory->Array.bArrayEntry[1] <= 0x8F && CurrentInstructionSize == 6)
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
}
else if(CompareMemory->Array.bArrayEntry[0] == 0xE8 && CurrentInstructionSize == 5)
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)RelocateMemory - CurrentInstructionSize);
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&RelocateMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
}
}
}
@ -236,7 +236,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
}
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
WriteMemory->Array.bArrayEntry[0] = 0xE9;
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
myHook.RelocationCount++;
@ -245,7 +245,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - 5);
WriteMemory->Array.bArrayEntry[0] = 0xE9;
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 5);
myHook.RelocationCount++;
@ -256,7 +256,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - 6);
WriteMemory->Array.bArrayEntry[0] = 0x0F;
WriteMemory->Array.bArrayEntry[1] = CompareMemory->Array.bArrayEntry[0] + 0x10;
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6);
myHook.RelocationCount++;
@ -269,7 +269,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
WriteMemory->Array.bArrayEntry[4] = 0xFF;
WriteMemory->Array.bArrayEntry[5] = 0x25;
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[6], 4);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[10], &x64CalculatedRealingJump, sizeof(x64CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[10], &x64CalculatedRealingJump, sizeof x64CalculatedRealingJump);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 18);
#endif
}
@ -278,7 +278,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
#if !defined(_WIN64)
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[0], &CompareMemory->Array.bArrayEntry[0], 2);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
myHook.RelocationCount++;
@ -295,7 +295,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
WriteMemory->Array.bArrayEntry[8] = 0xFF;
WriteMemory->Array.bArrayEntry[9] = 0x25;
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[10], 4);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[14], &x64CalculatedRealingJump, sizeof(x64CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[14], &x64CalculatedRealingJump, sizeof x64CalculatedRealingJump);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 22);
#endif
}
@ -303,7 +303,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
WriteMemory->Array.bArrayEntry[0] = 0xE8;
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
myHook.RelocationInfo[myHook.RelocationCount] = (DWORD)((ULONG_PTR)WriteMemory - (ULONG_PTR)buffPatchedEntry);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
myHook.RelocationCount++;
@ -313,7 +313,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
{
CalculatedRealingJump = (DWORD)((ULONG_PTR)RealignAddressTarget - (ULONG_PTR)WriteMemory - CurrentInstructionSize);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[0], &CompareMemory->Array.bArrayEntry[0], 2);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + CurrentInstructionSize);
#endif
}
@ -340,9 +340,9 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
#else
CalculatedRealingJump = NULL;
#endif
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &cHookAddress, sizeof(CalculatedRealingJump));
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6 + sizeof(ULONG_PTR));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[2], &CalculatedRealingJump, sizeof CalculatedRealingJump);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &cHookAddress, sizeof CalculatedRealingJump);
WriteMemory = (PMEMORY_COMPARE_HANDLER)((ULONG_PTR)WriteMemory + 6 + sizeof ULONG_PTR);
myHook.HookIsEnabled = true;
myHook.HookType = (BYTE)HookType;
myHook.HookAddress = HookAddress;
@ -360,7 +360,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
if(VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteMemory->Array.bArrayEntry[0] = 0xE9;
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
hookEntry.push_back(myHook);
@ -372,7 +372,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
WriteMemory->Array.bArrayEntry[0] = 0xFF;
WriteMemory->Array.bArrayEntry[1] = 0x25;
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[2], 4);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof(RedirectTo));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof RedirectTo);
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
hookEntry.push_back(myHook);
@ -387,7 +387,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
if(VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteMemory->Array.bArrayEntry[0] = 0xE8;
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof(CalculatedRealingJump));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[1], &CalculatedRealingJump, sizeof CalculatedRealingJump);
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
hookEntry.push_back(myHook);
@ -399,7 +399,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress,
WriteMemory->Array.bArrayEntry[0] = 0xFF;
WriteMemory->Array.bArrayEntry[1] = 0x15;
RtlZeroMemory(&WriteMemory->Array.bArrayEntry[2], 4);
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof(RedirectTo));
RtlMoveMemory(&WriteMemory->Array.bArrayEntry[6], &RedirectTo, sizeof RedirectTo);
RtlMoveMemory(&myHook.HookBytes[0], HookAddress, TEE_MAXIMUM_HOOK_SIZE);
VirtualProtect(HookAddress, TEE_MAXIMUM_HOOK_SIZE, OldProtect, &OldProtect);
hookEntry.push_back(myHook);
@ -430,7 +430,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
myHook.IATHook = true;
myHook.HookIsEnabled = true;
myHook.HookType = TEE_HOOK_IAT;
myHook.HookSize = sizeof(ULONG_PTR);
myHook.HookSize = sizeof ULONG_PTR;
myHook.RedirectionAddress = RedirectTo;
myHook.IATHookModuleBase = (void*)LoadedModuleBase;
myHook.IATHookNameHash = EngineHashString(szHookFunction);
@ -488,9 +488,9 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
}
}
CurrentThunk = CurrentThunk + 4;
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
return true;
}
@ -537,9 +537,9 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
}
}
CurrentThunk = CurrentThunk + 8;
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
return true;
}
@ -634,7 +634,7 @@ __declspec(dllexport) bool TITCALL HooksRemoveRedirectionsForModule(HMODULE Modu
DWORD OldProtect = PAGE_READONLY;
MODULEINFO RemoteModuleInfo;
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof(MODULEINFO)))
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof MODULEINFO))
{
while(i > NULL)
{
@ -731,7 +731,7 @@ __declspec(dllexport) bool TITCALL HooksDisableRedirectionsForModule(HMODULE Mod
DWORD OldProtect = PAGE_READONLY;
MODULEINFO RemoteModuleInfo;
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof(MODULEINFO)))
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof MODULEINFO))
{
while(i > NULL)
{
@ -831,7 +831,7 @@ __declspec(dllexport) bool TITCALL HooksEnableRedirectionsForModule(HMODULE Modu
DWORD OldProtect = PAGE_READONLY;
MODULEINFO RemoteModuleInfo;
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof(MODULEINFO)))
if(GetModuleInformation(GetCurrentProcess(), ModuleBase, &RemoteModuleInfo, sizeof MODULEINFO))
{
while(i > NULL)
{
@ -950,12 +950,12 @@ __declspec(dllexport) void TITCALL HooksScanModuleMemory(HMODULE ModuleBase, LPV
}
else
{
RtlMoveMemory(&RemoteLibInfo, pRemoteLibInfo, sizeof(LIBRARY_ITEM_DATA));
RtlMoveMemory(&RemoteLibInfo, pRemoteLibInfo, sizeof LIBRARY_ITEM_DATA);
}
if(!FileError)
{
hSize = GetFileSize(RemoteLibInfo.hFile, NULL);
GetModuleInformation(hProcess, ModuleBase, &ModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, ModuleBase, &ModuleInfo, sizeof MODULEINFO);
DOSHeader = (PIMAGE_DOS_HEADER)RemoteLibInfo.hFileMappingView;
__try
{
@ -1125,5 +1125,5 @@ __declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack)
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemoryEx()
{
HooksScanEntireProcessMemory(CallbackToObjectPointer(&ProcessHookScanAddNewHook));
HooksScanEntireProcessMemory(&ProcessHookScanAddNewHook);
}

24
TitanEngine/TitanEngine.Importer.cpp
View File

@ -66,7 +66,7 @@ __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, cha
return false;
}
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, const wchar_t* szSectionName)
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName)
{
return (scylla_fixDump(szDumpFileName, szExportFileName, szSectionName) == SCY_ERROR_SUCCESS);
}
@ -420,9 +420,9 @@ __declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName)
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
}
CurrentThunk = CurrentThunk + 4;
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
@ -467,9 +467,9 @@ __declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName)
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
}
CurrentThunk = CurrentThunk + 8;
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
@ -539,8 +539,8 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
scylla_getImports(iatStart, iatSize, ProcessId);
}
RtlMoveMemory(pIATStart, &iatStart, sizeof(ULONG_PTR));
RtlMoveMemory(pIATSize, &iatSize, sizeof(ULONG_PTR));
RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
return;
}
@ -550,8 +550,8 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULON
wchar_t szTempName[MAX_PATH];
wchar_t szTempFolder[MAX_PATH];
RtlZeroMemory(&szTempName, sizeof(szTempName));
RtlZeroMemory(&szTempFolder, sizeof(szTempFolder));
RtlZeroMemory(&szTempName, sizeof szTempName);
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
@ -568,7 +568,7 @@ __declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack)
{
return scylla_enumImportTree(EnumCallBack);
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{
wchar_t uniDumpedFile[MAX_PATH] = {};
@ -585,7 +585,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const c
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{
HANDLE FileHandle;
DWORD FileSize;
@ -612,7 +612,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const
{
HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, DumpFileName, EntryPointAddress))
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress))
{
return(NULL); // Critical error! *just to be safe, but it should never happen!
}

18
TitanEngine/TitanEngine.Injector.cpp
View File

@ -34,7 +34,7 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t*
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
RtlZeroMemory(&APIData, sizeof InjectCodeData);
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
@ -43,9 +43,9 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t*
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectCodeData)), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectCodeData), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteLoadLibrary, remInjectSize, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
@ -120,7 +120,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
RtlZeroMemory(&APIData, sizeof InjectCodeData);
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
@ -132,9 +132,9 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
if(hModule == NULL)
{
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectCodeData)), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectCodeData), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrarySimple, remInjectSize1, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
@ -179,7 +179,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
else
{
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten))
if(WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrary, remInjectSize2, &NumberOfBytesWritten);
if(WaitForThreadExit)
@ -235,7 +235,7 @@ __declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD Exit
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof(InjectCodeData));
RtlZeroMemory(&APIData, sizeof InjectCodeData);
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"));
@ -247,7 +247,7 @@ __declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD Exit
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedExitProcess, remInjectSize, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectCodeData), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
return true;

12
TitanEngine/TitanEngine.Librarian.cpp
View File

@ -42,13 +42,13 @@ __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName)
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoW(uniLibraryName);
if(LibInfo)
{
RtlZeroMemory(&LibraryInfoData, sizeof(LIBRARY_ITEM_DATA));
RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA);
LibraryInfoData.hFile = LibInfo->hFile;
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof(LibraryInfoData).szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof(LibraryInfoData).szLibraryPath, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL);
return((void*)&LibraryInfoData);
}
@ -79,13 +79,13 @@ __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll)
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoExW(BaseOfDll);
if(LibInfo)
{
RtlZeroMemory(&LibraryInfoData, sizeof(LIBRARY_ITEM_DATA));
RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA);
LibraryInfoData.hFile = LibInfo->hFile;
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof(LibraryInfoData).szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof(LibraryInfoData).szLibraryPath, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL);
return (void*)&LibraryInfoData;
}

2
TitanEngine/TitanEngine.OEPFinder.cpp
View File

@ -29,7 +29,7 @@ __declspec(dllexport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVO
if(GenericOEPFileInitW(szFileName, TraceInitCallBack, CallBack))
{
InitDebugExW(szFileName, NULL, NULL, CallbackToObjectPointer(&GenericOEPTraceInit));
InitDebugExW(szFileName, NULL, NULL, &GenericOEPTraceInit);
DebugLoop();
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{

44
TitanEngine/TitanEngine.PE.Fixer.cpp
View File

@ -57,7 +57,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
ULONG_PTR FileMapVA;
WORD ResourceNamesTable[22] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 22, 23, 24};
RtlZeroMemory(&myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlZeroMemory(&myFileStatusInfo, sizeof FILE_STATUS_INFO);
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
@ -81,7 +81,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
@ -489,7 +489,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
}
}
CurrentThunk = CurrentThunk + 4;
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
}
}
else
@ -500,7 +500,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
{
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
}
@ -630,7 +630,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
{
myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL;
}
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR);
}
}
}
@ -750,7 +750,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
}
if(NumberOfSections > 1)
{
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
{
myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL;
@ -804,7 +804,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
*/
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK)
@ -819,7 +819,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
@ -1228,7 +1228,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
}
}
CurrentThunk = CurrentThunk + 8;
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
}
}
else
@ -1239,7 +1239,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
{
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
}
@ -1369,7 +1369,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
{
myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL;
}
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR));
BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR);
}
}
}
@ -1489,7 +1489,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
}
if(NumberOfSections > 1)
{
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
{
myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL;
@ -1543,7 +1543,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
*/
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK)
@ -1558,7 +1558,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE;
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
@ -1571,7 +1571,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
myFileStatusInfo.SignatureMZ = UE_FIELD_BROKEN_NON_FIXABLE;
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
@ -1579,7 +1579,7 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD
}
if(FileStatusInfo != NULL)
{
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof(FILE_STATUS_INFO));
RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO);
}
return false;
}
@ -1811,14 +1811,14 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
}
}
CurrentThunk = CurrentThunk + 4;
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32));
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
}
}
if(hLoadedModuleSimulated)
{
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
}
@ -2230,7 +2230,7 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
}
if(NumberOfSections > 1)
{
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
{
PESections->Misc.VirtualSize = SectionVirtualSizeFixed;
@ -2404,14 +2404,14 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
}
}
CurrentThunk = CurrentThunk + 8;
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof(IMAGE_THUNK_DATA64));
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
}
}
if(hLoadedModuleSimulated)
{
VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof(IMAGE_IMPORT_DESCRIPTOR));
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
}
@ -2823,7 +2823,7 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV
}
if(NumberOfSections > 1)
{
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof(IMAGE_SECTION_HEADER));
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER);
if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress)
{
PESections->Misc.VirtualSize = SectionVirtualSizeFixed;

64
TitanEngine/TitanEngine.PE.Section.cpp
View File

@ -160,17 +160,17 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
LPVOID sortedFileName;
DynBuf sortedFileNameBuf;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
@ -370,17 +370,17 @@ __declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName)
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
@ -509,7 +509,7 @@ __declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSec
}
}
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize)
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize)
{
bool OverlayHasBeenRemoved = false;
wchar_t szBackupOverlayFile[MAX_PATH] = {};
@ -544,18 +544,18 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const c
SectionSize = ContentSize;
}
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(FindOverlayW(szBackupFile, NULL, NULL))
{
if(!FillGarbageItem(szBackupItem, NULL, &szBackupOverlayFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, NULL, &szBackupOverlayFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupOverlayFile, sizeof(szBackupOverlayFile));
RtlZeroMemory(&szBackupOverlayFile, sizeof szBackupOverlayFile);
}
else
{
@ -568,7 +568,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const c
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
@ -608,7 +608,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const c
{
SectionSize = alignedSectionSize;
}
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof(IMAGE_NT_HEADERS32);
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS32;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER);
LastSectionRawSize = (PESections->SizeOfRawData / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment;
if(LastSectionRawSize < PESections->SizeOfRawData)
@ -641,7 +641,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const c
{
SectionSize = alignedSectionSize;
}
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof(IMAGE_NT_HEADERS64);
SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS64;
PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER);
LastSectionRawSize = (PESections->SizeOfRawData / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment;
if(LastSectionRawSize < PESections->SizeOfRawData)
@ -746,7 +746,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const c
{
if(CopyFileW(szBackupFile, szFileName, false))
{
if(OverlayHasBeenRemoved && !AddOverlayW((wchar_t*)szFileName, szBackupOverlayFile))
if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile))
{
RemoveGarbageItem(szBackupItem, true);
return(0);
@ -828,7 +828,7 @@ __declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const c
{
if(CopyFileW(szBackupFile, szFileName, false))
{
if(OverlayHasBeenRemoved && !AddOverlayW((wchar_t*)szFileName, szBackupOverlayFile))
if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile))
{
RemoveGarbageItem(szBackupItem, true);
return(0);
@ -872,7 +872,7 @@ __declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSecti
return AddNewSectionEx(szFileName, szSectionName, SectionSize, NULL, NULL, NULL);
}
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize)
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize)
{
return AddNewSectionExW(szFileName, szSectionName, SectionSize, NULL, NULL, NULL);
}
@ -908,17 +908,17 @@ __declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NumberOfExpandBytes))
@ -1125,17 +1125,17 @@ __declspec(dllexport) bool TITCALL DeleteLastSectionW(wchar_t* szFileName)
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
@ -1322,17 +1322,17 @@ __declspec(dllexport) bool TITCALL WipeSectionW(wchar_t* szFileName, int WipeSec
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))

6
TitanEngine/TitanEngine.PE.cpp
View File

@ -60,7 +60,7 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS64);
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof IMAGE_NT_HEADERS64;
if(CalculatedHeaderSize > 0x1000)
{
SetFilePointer(hFile, NULL, NULL, FILE_BEGIN);
@ -73,7 +73,7 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
}
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof(IMAGE_NT_HEADERS32), &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead))
{
PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
FileIs64 = false;
@ -81,7 +81,7 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof(IMAGE_NT_HEADERS32), &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead))
{
PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4;
FileIs64 = true;

8
TitanEngine/TitanEngine.Realigner.cpp
View File

@ -250,17 +250,17 @@ __declspec(dllexport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD Reali
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))

26
TitanEngine/TitanEngine.Relocator.cpp
View File

@ -48,7 +48,7 @@ __declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, UL
DWORD CompareDummy = NULL;
DWORD CopyDummy = NULL;
VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.BaseAddress != RelocationLastPage || RelocationLastPage == NULL)
{
RelocationLastPage = MemInfo.BaseAddress;
@ -243,7 +243,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess,
if(RelocationData != NULL)
{
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead))
@ -271,9 +271,9 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
if(RelocationData != NULL)
{
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.RegionSize < MemorySize || MemorySize == NULL)
{
MemorySize = MemInfo.RegionSize;
@ -382,7 +382,7 @@ __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess
{
if(memcmp(Search1, Search2, 1) != 0)
{
i = sizeof(HANDLE);
i = sizeof HANDLE;
RelativeBase = NULL;
bkSearch1 = Search1;
bkSearch2 = Search2;
@ -395,7 +395,7 @@ __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess
}
while(i > NULL && RelativeBase == NULL)
{
RtlMoveMemory(&ReadData, Search2, sizeof(HANDLE));
RtlMoveMemory(&ReadData, Search2, sizeof HANDLE);
if(ReadData >= LoadedImageBase && ReadData <= NtSizeOfImage)
{
RelativeBase++;
@ -417,9 +417,9 @@ __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess
else
{
RelocaterAddNewRelocation(hProcess, MemStart + ((ULONG_PTR)Search2 - (ULONG_PTR)FileMapVA2), NULL);
Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof(HANDLE) - 1);
Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof(HANDLE) - 1);
SearchSize = SearchSize - sizeof(HANDLE) + 1;
Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof HANDLE - 1);
Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof HANDLE - 1);
SearchSize = SearchSize - sizeof HANDLE + 1;
}
}
Search1 = (LPVOID)((ULONG_PTR)Search1 + 1);
@ -482,17 +482,17 @@ __declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName,
wchar_t szBackupFile[MAX_PATH] = {};
wchar_t szBackupItem[MAX_PATH] = {};
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof(szBackupItem)))
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof(szBackupItem)))
if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem))
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
}
else
{
RtlZeroMemory(&szBackupItem, sizeof(szBackupItem));
RtlZeroMemory(&szBackupItem, sizeof szBackupItem);
lstrcpyW(szBackupFile, szFileName);
}
if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))

28
TitanEngine/TitanEngine.Resourcer.cpp
View File

@ -181,13 +181,13 @@ __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA,
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
if(PEResource != NULL)
{
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof(IMAGE_RESOURCE_DIRECTORY));
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY);
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
PEResourcePtr = PEResource;
while(i > NULL)
{
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof(IMAGE_RESOURCE_DIRECTORY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY);
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset);
if(((bool)PEResourceDir->NameIsString == true && EngineCompareResourceString(uniResourceType, szResourceType) == true) || ((bool)PEResourceDir->NameIsString == false && PEResourceDir->Id == ResourceType))
@ -195,7 +195,7 @@ __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA,
while(j > NULL)
{
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY);
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset);
if(((bool)PEResourceDir1->NameIsString == true && EngineCompareResourceString(uniResourceName, szResourceName) == true) || ((bool)PEResourceDir1->NameIsString == false && PEResourceDir1->Id == ResourceName))
@ -209,23 +209,23 @@ __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA,
*pResourceSize = PEResourceItem->Size;
return true;
}
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
n--;
}
}
else
{
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY) * n);
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * n);
}
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
j--;
}
}
else
{
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY) * j);
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * j);
}
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
i--;
}
}
@ -295,18 +295,18 @@ __declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMa
PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true));
if(PEResource != NULL)
{
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof(IMAGE_RESOURCE_DIRECTORY));
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY);
i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries;
PEResourcePtr = PEResource;
while(i > NULL)
{
PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof(IMAGE_RESOURCE_DIRECTORY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY);
j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries;
while(j > NULL)
{
PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof(IMAGE_RESOURCE_DIRECTORY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY);
n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries;
while(n > NULL)
{
@ -337,13 +337,13 @@ __declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMa
{
return;
}
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
n--;
}
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
j--;
}
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY));
PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY);
i--;
}
}

14
TitanEngine/TitanEngine.Static.cpp
View File

@ -89,11 +89,7 @@ __declspec(dllexport) bool TITCALL StaticFileUnloadW(wchar_t* szFileName, bool C
if(FileHandle != NULL && FileMap != NULL)
{
// HACK: compatibility with x64dbg
if(FileHandle != (HANDLE) - 1)
{
UnMapFileEx(FileHandle, LoadedSize, FileMap, FileMapVA);
}
UnMapFileEx(FileHandle, LoadedSize, FileMap, FileMapVA);
return true;
}
@ -452,9 +448,7 @@ __declspec(dllexport) bool TITCALL StaticMemoryDecompress(void* Source, DWORD So
}
else if(Algorithm == UE_STATIC_LZMA)
{
size_t destLen = DestinationSize;
size_t srcLen = SourceSize;
if(LzmaDecode((unsigned char*)Destination, &destLen, (unsigned char*)Source, &srcLen, (unsigned char*)&lzProps, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &lzStatus, &lzAlloc) == SZ_OK)
if(LzmaDecode((unsigned char*)Destination, (size_t*)DestinationSize, (unsigned char*)Source, (size_t*)SourceSize, (unsigned char*)&lzProps, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &lzStatus, &lzAlloc) == SZ_OK)
{
return true;
}
@ -886,7 +880,7 @@ __declspec(dllexport) bool TITCALL StaticHashMemory(void* MemoryToHash, DWORD Si
}
else
{
RtlMoveMemory(HashDigest, &crc32, sizeof(crc32));
RtlMoveMemory(HashDigest, &crc32, sizeof crc32);
}
return true;
@ -1098,7 +1092,7 @@ __declspec(dllexport) bool TITCALL StaticHashFileW(wchar_t* szFileName, char* Ha
}
else
{
RtlMoveMemory(HashDigest, &crc32, sizeof(crc32));
RtlMoveMemory(HashDigest, &crc32, sizeof crc32);
}
CloseHandle(hFile);

50
TitanEngine/TitanEngine.TLS.cpp
View File

@ -80,14 +80,14 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
if(TLSCallBackAddress)
{
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
if(ArrayOfCallBacks)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof(ULONG_PTR));
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof(ULONG_PTR));
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
}
TLSCallBackAddress = TLSCallBackAddress + sizeof(ULONG_PTR);
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
}
if(NumberOfCallBacks)
@ -131,14 +131,14 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
if(TLSCallBackAddress)
{
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
if(ArrayOfCallBacks)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof(ULONG_PTR));
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof(ULONG_PTR));
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
}
TLSCallBackAddress = TLSCallBackAddress + sizeof(ULONG_PTR);
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
}
if(NumberOfCallBacks)
@ -367,7 +367,7 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName)
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
RtlZeroMemory(TLSDirectoryX86, sizeof(IMAGE_TLS_DIRECTORY32));
RtlZeroMemory(TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
@ -393,7 +393,7 @@ __declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName)
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
RtlZeroMemory(TLSDirectoryX64, sizeof(IMAGE_TLS_DIRECTORY64));
RtlZeroMemory(TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
@ -443,8 +443,8 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
{
DWORD NumberOfTLSCallBacks = NULL;
engineBackupTLSAddress = NULL;
RtlZeroMemory(&engineBackupTLSDataX86, sizeof(IMAGE_TLS_DIRECTORY32));
RtlZeroMemory(&engineBackupTLSDataX64, sizeof(IMAGE_TLS_DIRECTORY64));
RtlZeroMemory(&engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32);
RtlZeroMemory(&engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64);
ClearTlsVector(&engineBackupArrayOfCallBacks); //clear backup array
std::vector<ULONG_PTR>* ArrayOfCallBacks = &engineBackupArrayOfCallBacks;
@ -476,12 +476,12 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
engineBackupTLSAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof(IMAGE_TLS_DIRECTORY32));
RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32);
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
{
ULONG_PTR TLSCompareData = 0;
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
TLSCallBackAddress++; //next callback
@ -522,12 +522,12 @@ __declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
engineBackupTLSAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof(IMAGE_TLS_DIRECTORY64));
RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64);
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
{
ULONG_PTR TLSCompareData = 0;
ULONG_PTR* TLSCallBackAddress = (ULONG_PTR*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof(ULONG_PTR)) != NULL)
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
ArrayOfCallBacks->push_back(*TLSCallBackAddress);
TLSCallBackAddress++; //next callback
@ -575,7 +575,7 @@ __declspec(dllexport) bool TITCALL TLSRestoreData()
{
if(engineBackupTLSx64)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX64, sizeof(IMAGE_TLS_DIRECTORY64), &ueNumberOfBytesRead))
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64, &ueNumberOfBytesRead))
{
if(engineBackupTLSDataX64.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
{
@ -598,7 +598,7 @@ __declspec(dllexport) bool TITCALL TLSRestoreData()
}
else
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX86, sizeof(IMAGE_TLS_DIRECTORY32), &ueNumberOfBytesRead))
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32, &ueNumberOfBytesRead))
{
if(engineBackupTLSDataX86.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
{
@ -651,13 +651,13 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P
__try
{
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof(IMAGE_TLS_DIRECTORY32);
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY32;
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace;
TLSDirectoryX86->StartAddressOfRawData = (DWORD)TLSWriteData;
TLSDirectoryX86->EndAddressOfRawData = (DWORD)TLSWriteData + 0x10;
TLSDirectoryX86->AddressOfIndex = (DWORD)TLSWriteData + 0x14;
TLSDirectoryX86->AddressOfCallBacks = (DWORD)TLSWriteData + sizeof(IMAGE_TLS_DIRECTORY32) + 8;
RtlMoveMemory((LPVOID)(StorePlace + sizeof(IMAGE_TLS_DIRECTORY32) + 8), ArrayOfCallBacks, NumberOfCallBacks * 4);
TLSDirectoryX86->AddressOfCallBacks = (DWORD)TLSWriteData + sizeof IMAGE_TLS_DIRECTORY32 + 8;
RtlMoveMemory((LPVOID)(StorePlace + sizeof IMAGE_TLS_DIRECTORY32 + 8), ArrayOfCallBacks, NumberOfCallBacks * 4);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
@ -670,13 +670,13 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_P
__try
{
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof(IMAGE_TLS_DIRECTORY64);
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY64;
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace;
TLSDirectoryX64->StartAddressOfRawData = TLSWriteData;
TLSDirectoryX64->EndAddressOfRawData = TLSWriteData + 0x20;
TLSDirectoryX64->AddressOfIndex = TLSWriteData + 0x28;
TLSDirectoryX64->AddressOfCallBacks = TLSWriteData + sizeof(IMAGE_TLS_DIRECTORY64) + 12;
RtlMoveMemory((LPVOID)(StorePlace + sizeof(IMAGE_TLS_DIRECTORY64) + 12), ArrayOfCallBacks, NumberOfCallBacks * 8);
TLSDirectoryX64->AddressOfCallBacks = TLSWriteData + sizeof IMAGE_TLS_DIRECTORY64 + 12;
RtlMoveMemory((LPVOID)(StorePlace + sizeof IMAGE_TLS_DIRECTORY64 + 12), ArrayOfCallBacks, NumberOfCallBacks * 8);
return true;
}
__except(EXCEPTION_EXECUTE_HANDLER)
@ -707,7 +707,7 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* sz
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
ULONG_PTR tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE);
DWORD NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof(IMAGE_TLS_DIRECTORY64) * 2);
DWORD NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof IMAGE_TLS_DIRECTORY64 * 2);
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;

4
TitanEngine/TitanEngine.Threader.cpp
View File

@ -95,7 +95,7 @@ __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD Process
while(TRUE)
{
if(pIter->UniqueProcessId == (HANDLE)(DWORD_PTR)dwProcessId)
if(pIter->UniqueProcessId == (HANDLE)dwProcessId)
{
pIterThread = &pIter->Threads[0];
for(ULONG i = 0; i < pIter->NumberOfThreads; i++)
@ -110,7 +110,7 @@ __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD Process
NewThreadData.ThreadState = pIterThread->ThreadState;
NewThreadData.WaitReason = pIterThread->WaitReason;
NewThreadData.WaitTime = pIterThread->WaitTime;
NewThreadData.dwThreadId = (DWORD)(DWORD_PTR)pIterThread->ClientId.UniqueThread;
NewThreadData.dwThreadId = (DWORD)pIterThread->ClientId.UniqueThread;
NewThreadData.hThread = EngineOpenThread(THREAD_ALL_ACCESS, FALSE, NewThreadData.dwThreadId);
if(NewThreadData.hThread)

28
TitanEngine/TitanEngine.Tracer.cpp
View File

@ -33,7 +33,7 @@ static ULONG_PTR EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
bool SkipHashing = false;
BYTE EmptyCall[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
if(VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION)) != NULL)
if(VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
{
if(MemInfo.RegionSize > NULL)
{
@ -640,8 +640,8 @@ __declspec(dllexport) ULONG_PTR TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
if(!FoundAPI)
{
DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1];
RtlZeroMemory(&RemoteModuleInfo, sizeof(MODULEINFO));
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof(MODULEINFO));
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO);
GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO);
if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], hProcess, RemoteModuleInfo.lpBaseOfDll, DOSHeader, false))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
@ -719,7 +719,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
LPVOID TraceMemory;
bool HashCheck = false;
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.RegionSize > NULL)
{
MaximumReadSize = (DWORD)((ULONG_PTR)MemInfo.AllocationBase + MemInfo.RegionSize - AddressToTrace);
@ -732,7 +732,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
{
HashCheck = true;
}
if(sizeof(HANDLE) == 4)
if(sizeof HANDLE == 4)
{
TraceMemory = tracemem.Allocate(MaximumReadSize);
if(!TraceMemory)
@ -1126,7 +1126,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
DWORD MaximumReadSize = 0x1000;
cMem = (PMEMORY_CMP_HANDLER)TracerReadMemory;
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof(MEMORY_BASIC_INFORMATION));
VirtualQueryEx(hProcess, (LPVOID)AddressToTrace, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
if(MemInfo.RegionSize > NULL)
{
MaximumReadSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + MemInfo.RegionSize - AddressToTrace);
@ -1176,7 +1176,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
if(ReadProcessMemory(hProcess, (LPVOID)AddressToTrace, TracerReadMemory, MaximumReadSize, &ueNumberOfBytesRead))
{
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4);
if(ReadProcessMemory(hProcess, (LPVOID)(DWORD_PTR)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
return((DWORD)TestAddressX86);
}
@ -1201,7 +1201,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
{
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[3], 4);
}
if(ReadProcessMemory(hProcess, (LPVOID)(DWORD_PTR)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
return((DWORD)TestAddressX86);
}
@ -1255,7 +1255,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
{
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4);
}
if(ReadProcessMemory(hProcess, (LPVOID)(DWORD_PTR)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
return((DWORD)TestAddressX86);
}
@ -1264,7 +1264,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
{
cMem = (PMEMORY_CMP_HANDLER)((ULONG_PTR)cMem - 6);
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[2], 4);
if(ReadProcessMemory(hProcess, (LPVOID)(DWORD_PTR)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
return((DWORD)TestAddressX86);
}
@ -1294,7 +1294,7 @@ __declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProces
RtlMoveMemory(&ReadAddressX86, &cMem->DataByte[0x10], 4);
RtlMoveMemory(&TestAddressX86, &cMem->DataByte[0], 4);
TestAddressX86 = TestAddressX86 + 0x18;
if(ReadProcessMemory(hProcess, (LPVOID)(DWORD_PTR)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
if(ReadProcessMemory(hProcess, (LPVOID)TestAddressX86, &TestAddressX86, 4, &ueNumberOfBytesRead))
{
TestAddressX86 = TestAddressX86 ^ ReadAddressX86;
return((DWORD)TestAddressX86);
@ -1475,7 +1475,7 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
fImpRecTrace = fImpRecTrace - (ULONG_PTR)hImpRecModule;
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_READWRITE);
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
RtlZeroMemory(&APIData, sizeof(InjectImpRecCodeData));
RtlZeroMemory(&APIData, sizeof InjectImpRecCodeData);
APIData.fTrace = fImpRecTrace + (ULONG_PTR)ImporterGetRemoteDLLBase(hProcess, hImpRecModule);
APIData.AddressToTrace = (ULONG_PTR)TraceAddress;
APIData.fCreateFileA = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateFileA"));
@ -1483,8 +1483,8 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
APIData.fCloseHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CloseHandle"));
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedImpRec, remInjectSize, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof(InjectImpRecCodeData), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof(InjectImpRecCodeData)), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectImpRecCodeData, &NumberOfBytesWritten);
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectImpRecCodeData), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);

158
TitanEngine/TitanEngine.cbp Normal file
View File

@ -0,0 +1,158 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<CodeBlocks_project_file>
<FileVersion major="1" minor="6" />
<Project>
<Option title="TitanEngine" />
<Option pch_mode="2" />
<Option compiler="msvc10" />
<Build>
<Target title="x32">
<Option output="../Release/x32/TitanEngine" imp_lib="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).a" def_file="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).def" prefix_auto="1" extension_auto="1" />
<Option object_output="obj/x32" />
<Option type="3" />
<Option compiler="msvc10" />
<Option createDefFile="1" />
<Option createStaticLib="1" />
<Compiler>
<Add option="/DWIN32" />
<Add option="/DNDEBUG" />
<Add option="/D_WINDOWS" />
<Add option="/D_USRDLL" />
<Add option="/DUNPACKERENGINE_EXPORTS" />
</Compiler>
<Linker>
<Add option="/DEF:TitanEngine.def" />
<Add library=".\scylla_wrapper_x86.lib" />
<Add library=".\distorm_x86.lib" />
<Add library="Imagehlp.lib" />
<Add library="psapi.lib" />
</Linker>
</Target>
<Target title="x64">
<Option output="../Release/x64/TitanEngine" imp_lib="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).a" def_file="$(TARGET_OUTPUT_DIR)$(TARGET_OUTPUT_BASENAME).def" prefix_auto="1" extension_auto="1" />
<Option object_output="obj/x64" />
<Option type="3" />
<Option compiler="microsoft_visual_c_2010_x64" />
<Option createDefFile="1" />
<Option createStaticLib="1" />
<Compiler>
<Add option="/DWIN32" />
<Add option="/DNDEBUG" />
<Add option="/D_WINDOWS" />
<Add option="/D_USRDLL" />
<Add option="/DUNPACKERENGINE_EXPORTS" />
</Compiler>
<Linker>
<Add library=".\scylla_wrapper_x64.lib" />
<Add library=".\distorm_x64.lib" />
<Add library="Imagehlp.lib" />
<Add library="psapi.lib" />
</Linker>
</Target>
</Build>
<Linker>
<Add library="user32" />
<Add library="advapi32" />
<Add library="comdlg32" />
<Add library="shell32" />
</Linker>
<Unit filename="Global.Breakpoints.cpp" />
<Unit filename="Global.Breakpoints.h" />
<Unit filename="Global.Debugger.cpp" />
<Unit filename="Global.Debugger.h" />
<Unit filename="Global.Engine.Extension.cpp" />
<Unit filename="Global.Engine.Extension.h" />
<Unit filename="Global.Engine.GUI.cpp" />
<Unit filename="Global.Engine.GUI.h" />
<Unit filename="Global.Engine.Hash.cpp" />
<Unit filename="Global.Engine.Hash.h" />
<Unit filename="Global.Engine.Hider.cpp" />
<Unit filename="Global.Engine.Hider.h" />
<Unit filename="Global.Engine.Hook.cpp" />
<Unit filename="Global.Engine.Hook.h" />
<Unit filename="Global.Engine.Importer.cpp" />
<Unit filename="Global.Engine.Importer.h" />
<Unit filename="Global.Engine.Simplification.cpp" />
<Unit filename="Global.Engine.Simplification.h" />
<Unit filename="Global.Engine.Threading.cpp" />
<Unit filename="Global.Engine.Threading.h" />
<Unit filename="Global.Engine.cpp" />
<Unit filename="Global.Engine.h" />
<Unit filename="Global.Garbage.cpp" />
<Unit filename="Global.Garbage.h" />
<Unit filename="Global.Handle.cpp" />
<Unit filename="Global.Handle.h" />
<Unit filename="Global.Helper.cpp" />
<Unit filename="Global.Helper.h" />
<Unit filename="Global.Injector.cpp" />
<Unit filename="Global.Injector.h" />
<Unit filename="Global.Librarian.cpp" />
<Unit filename="Global.Librarian.h" />
<Unit filename="Global.Mapping.cpp" />
<Unit filename="Global.Mapping.h" />
<Unit filename="Global.OEPFinder.cpp" />
<Unit filename="Global.OEPFinder.h" />
<Unit filename="Global.Realigner.cpp" />
<Unit filename="Global.Realigner.h" />
<Unit filename="Global.TLS.cpp" />
<Unit filename="Global.TLS.h" />
<Unit filename="Global.Threader.cpp" />
<Unit filename="Global.Threader.h" />
<Unit filename="LzmaDec.cpp" />
<Unit filename="LzmaDec.h" />
<Unit filename="LzmaTypes.h" />
<Unit filename="TitanEngine.Breakpoints.cpp" />
<Unit filename="TitanEngine.Debugger.Context.cpp" />
<Unit filename="TitanEngine.Debugger.Control.cpp" />
<Unit filename="TitanEngine.Debugger.Data.cpp" />
<Unit filename="TitanEngine.Debugger.DebugLoop.cpp" />
<Unit filename="TitanEngine.Debugger.Helper.cpp" />
<Unit filename="TitanEngine.Debugger.Memory.cpp" />
<Unit filename="TitanEngine.Debugger.cpp" />
<Unit filename="TitanEngine.Disassembler.cpp" />
<Unit filename="TitanEngine.Dumper.cpp" />
<Unit filename="TitanEngine.Engine.Simplification.cpp" />
<Unit filename="TitanEngine.Engine.cpp" />
<Unit filename="TitanEngine.Exporter.cpp" />
<Unit filename="TitanEngine.Handler.cpp" />
<Unit filename="TitanEngine.Hider.cpp" />
<Unit filename="TitanEngine.Hooks.cpp" />
<Unit filename="TitanEngine.Importer.cpp" />
<Unit filename="TitanEngine.Injector.cpp" />
<Unit filename="TitanEngine.Librarian.cpp" />
<Unit filename="TitanEngine.OEPFinder.cpp" />
<Unit filename="TitanEngine.PE.Convert.cpp" />
<Unit filename="TitanEngine.PE.Data.cpp" />
<Unit filename="TitanEngine.PE.Fixer.cpp" />
<Unit filename="TitanEngine.PE.Overlay.cpp" />
<Unit filename="TitanEngine.PE.Section.cpp" />
<Unit filename="TitanEngine.PE.cpp" />
<Unit filename="TitanEngine.Process.cpp" />
<Unit filename="TitanEngine.Realigner.cpp" />
<Unit filename="TitanEngine.Relocator.cpp" />
<Unit filename="TitanEngine.Resourcer.cpp" />
<Unit filename="TitanEngine.Static.cpp" />
<Unit filename="TitanEngine.TLS.cpp" />
<Unit filename="TitanEngine.Threader.cpp" />
<Unit filename="TitanEngine.Tracer.cpp" />
<Unit filename="TitanEngine.TranslateName.cpp" />
<Unit filename="TitanEngine.cpp" />
<Unit filename="TitanEngine.rc">
<Option compilerVar="WINDRES" />
</Unit>
<Unit filename="aplib.h" />
<Unit filename="definitions.h" />
<Unit filename="distorm.h" />
<Unit filename="ntdll.h" />
<Unit filename="resource.h" />
<Unit filename="scylla_wrapper.h" />
<Unit filename="stdafx.cpp" />
<Unit filename="stdafx.h" />
<Unit filename="targetver.h" />
<Extensions>
<code_completion />
<envvars />
<debugger />
</Extensions>
</Project>
</CodeBlocks_project_file>

521
TitanEngine/TitanEngine.vcproj Normal file
View File

@ -0,0 +1,521 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="TitanEngine"
ProjectGUID="{9C7B8246-FDDA-48C7-9634-044969701E40}"
RootNamespace="TitanEngine"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
EnableIntrinsicFunctions="false"
FavorSizeOrSpeed="1"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="0"
StructMemberAlignment="1"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="4"
CallingConvention="0"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x86.lib&quot; Imagehlp.lib psapi.lib"
OutputFile="$(OutDir)\TitanEngine.dll"
LinkIncremental="2"
IgnoreAllDefaultLibraries="false"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
AddModuleNamesToAssembly=""
GenerateDebugInformation="true"
GenerateMapFile="false"
MapExports="false"
SubSystem="2"
OptimizeReferences="0"
ResourceOnlyDLL="false"
SetChecksum="false"
TargetMachine="1"
CLRThreadAttribute="0"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
StructMemberAlignment="1"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="3"
CallingConvention="2"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x64.lib&quot; Imagehlp.lib psapi.lib"
OutputFile="$(OutDir)\TitanEngine.dll"
LinkIncremental="2"
IgnoreAllDefaultLibraries="false"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
GenerateDebugInformation="true"
GenerateMapFile="false"
MapExports="false"
SubSystem="2"
ResourceOnlyDLL="false"
SetChecksum="false"
TargetMachine="17"
CLRThreadAttribute="2"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
EnableIntrinsicFunctions="false"
WholeProgramOptimization="false"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
RuntimeLibrary="0"
StructMemberAlignment="1"
EnableFunctionLevelLinking="false"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="3"
CallingConvention="0"
CompileAs="2"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x86.lib&quot; Imagehlp.lib psapi.lib"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
GenerateDebugInformation="false"
LinkTimeCodeGeneration="0"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="1"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS"
RuntimeLibrary="0"
StructMemberAlignment="1"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="2"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="&quot;$(ProjectDir)distorm_x64.lib&quot; Imagehlp.lib psapi.lib"
OutputFile="$(OutDir)\TitanEngine.dll"
LinkIncremental="1"
IgnoreAllDefaultLibraries="false"
ModuleDefinitionFile="$(ProjectDir)TitanEngine.def"
GenerateDebugInformation="false"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
SetChecksum="true"
FixedBaseAddress="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\dllmain.cpp"
>
<FileConfiguration
Name="Debug|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="0"
CompileAsManaged="0"
/>
</FileConfiguration>
</File>
<File
RelativePath=".\stdafx.cpp"
>
<FileConfiguration
Name="Debug|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Debug|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|x64"
>
<Tool
Name="VCCLCompilerTool"
UsePrecompiledHeader="1"
/>
</FileConfiguration>
</File>
<File
RelativePath=".\TitanEngine.cpp"
>
</File>
<Filter
Name="ThirdParty"
>
<File
RelativePath=".\LzmaDec.cpp"
>
</File>
</Filter>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
<File
RelativePath=".\resource.h"
>
</File>
<File
RelativePath=".\stdafx.h"
>
</File>
<File
RelativePath=".\targetver.h"
>
</File>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
<File
RelativePath=".\TitanEngine.rc"
>
</File>
<Filter
Name="Binary"
>
<File
RelativePath="..\TitanEngineLoaders\LibraryLoader\x64\Release\LibraryLoader.exe"
>
</File>
<File
RelativePath="..\TitanEngineLoaders\LibraryLoader\Release\LibraryLoader.exe"
>
</File>
<File
RelativePath="..\TitanEngineLoaders\ReserveLibrary\Release\ReserveLibrary.dll"
>
</File>
<File
RelativePath="..\TitanEngineLoaders\ReserveLibrary\x64\Release\ReserveLibrary.dll"
>
</File>
</Filter>
<Filter
Name="Images"
>
<File
RelativePath=".\HEADER.BMP"
>
</File>
<File
RelativePath=".\LOGO.bmp"
>
</File>
<File
RelativePath=".\MAINICON.ico"
>
</File>
</Filter>
</Filter>
<File
RelativePath=".\ReadMe.txt"
>
</File>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

51
TitanEngine/TitanEngine.vcxproj
View File

@ -22,7 +22,7 @@
<ProjectGuid>{9C7B8246-FDDA-48C7-9634-044969701E40}</ProjectGuid>
<RootNamespace>TitanEngine</RootNamespace>
<Keyword>Win32Proj</Keyword>
<WindowsTargetPlatformVersion>7.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
@ -67,14 +67,14 @@
<PropertyGroup Label="UserMacros" />
<PropertyGroup>
<_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(IntDir)x32\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)\$(IntDir)x32\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(Configuration)\x32\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(Configuration)\x32\</IntDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(SolutionDir)$(Configuration)\x64\</OutDir>
<OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(SolutionDir)\$(Configuration)\x64\</OutDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Release|x64'">$(Configuration)\x64\</IntDir>
<IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">$(Configuration)\x64\</IntDir>
<LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
<LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</LinkIncremental>
<CodeAnalysisRuleSet Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">AllRules.ruleset</CodeAnalysisRuleSet>
@ -92,18 +92,6 @@
<LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
<LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<Optimization>Full</Optimization>
@ -125,12 +113,11 @@
<AdditionalOptions>/Zc:threadSafeInit- %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<AdditionalDependencies>$(ProjectDir)ntdll_x86.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>$(ProjectDir)ntdll_x86.lib;$(SolutionDir)$(Platform)\Release-Lib\scylla_wrapper_x86.lib;$(ProjectDir)distorm_x86.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(ProjectDir)TitanEngine.def</ModuleDefinitionFile>
<GenerateDebugInformation>true</GenerateDebugInformation>
<LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
<AdditionalOptions>/ignore:4197 /PDBALTPATH:%_PDB% %(AdditionalOptions)</AdditionalOptions>
<SubSystem>Windows</SubSystem>
</Link>
<Manifest>
<AdditionalManifestFiles>manifest.xml</AdditionalManifestFiles>
@ -141,7 +128,7 @@
<Optimization>Disabled</Optimization>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PreprocessorDefinitions>WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010000;WIN32;NDEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<StructMemberAlignment>Default</StructMemberAlignment>
<FunctionLevelLinking>false</FunctionLevelLinking>
<PrecompiledHeader>Use</PrecompiledHeader>
@ -156,12 +143,11 @@
<AdditionalOptions>/Zc:threadSafeInit- %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<AdditionalDependencies>$(ProjectDir)ntdll_x86.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>$(ProjectDir)ntdll_x86.lib;$(SolutionDir)$(Platform)\Release-Lib\scylla_wrapper_x86.lib;$(ProjectDir)distorm_x86.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>$(ProjectDir)TitanEngine.def</ModuleDefinitionFile>
<GenerateDebugInformation>true</GenerateDebugInformation>
<LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
<AdditionalOptions>/ignore:4197 /PDBALTPATH:%_PDB% %(AdditionalOptions)</AdditionalOptions>
<SubSystem>Windows</SubSystem>
</Link>
<Manifest>
<AdditionalManifestFiles>manifest.xml</AdditionalManifestFiles>
@ -187,7 +173,7 @@
<AdditionalOptions>/Zc:threadSafeInit- %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<AdditionalDependencies>$(ProjectDir)ntdll_x64.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>$(ProjectDir)ntdll_x64.lib;$(SolutionDir)$(Platform)\Release-Lib\scylla_wrapper_x64.lib;$(ProjectDir)distorm_x64.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)TitanEngine.dll</OutputFile>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<ModuleDefinitionFile>$(ProjectDir)TitanEngine.def</ModuleDefinitionFile>
@ -214,7 +200,7 @@
<ClCompile>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WINVER=0x0502;_WIN32_WINNT=0x0502;NTDDI_VERSION=0x05020000;_AMD64_;_WIN64;NDEBUG;_WINDOWS;_USRDLL;UNPACKERENGINE_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<StructMemberAlignment>Default</StructMemberAlignment>
<FunctionLevelLinking>true</FunctionLevelLinking>
<PrecompiledHeader>Use</PrecompiledHeader>
@ -226,7 +212,7 @@
<AdditionalOptions>/Zc:threadSafeInit- %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
<Link>
<AdditionalDependencies>$(ProjectDir)ntdll_x64.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>$(ProjectDir)ntdll_x64.lib;$(SolutionDir)$(Platform)\Release-Lib\scylla_wrapper_x64.lib;$(ProjectDir)distorm_x64.lib;Imagehlp.lib;psapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<OutputFile>$(OutDir)TitanEngine.dll</OutputFile>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
<ModuleDefinitionFile>$(ProjectDir)TitanEngine.def</ModuleDefinitionFile>
@ -314,6 +300,7 @@
<ClInclude Include="..\SDK\C\TitanEngine.h" />
<ClInclude Include="aplib.h" />
<ClInclude Include="definitions.h" />
<ClInclude Include="distorm.h" />
<ClInclude Include="Global.Breakpoints.h" />
<ClInclude Include="Global.Debugger.h" />
<ClInclude Include="Global.Engine.Context.h" />
@ -338,6 +325,7 @@
<ClInclude Include="LzmaTypes.h" />
<ClInclude Include="ntdll.h" />
<ClInclude Include="resource.h" />
<ClInclude Include="scylla_wrapper.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
@ -362,10 +350,7 @@
</ClCompile>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\distorm\distorm.vcxproj">
<Project>{25ff4a19-7088-4687-aa32-76e61bd62e51}</Project>
</ProjectReference>
<ProjectReference Include="..\scylla_wrapper\scylla_wrapper.vcxproj">
<ProjectReference Include="..\scylla_wrapper_dll\scylla_wrapper\scylla_wrapper.vcxproj">
<Project>{f874b1b3-8ef7-4df1-9889-57098e08a51c}</Project>
</ProjectReference>
</ItemGroup>

6
TitanEngine/TitanEngine.vcxproj.filters
View File

@ -296,12 +296,18 @@
<ClInclude Include="aplib.h">
<Filter>Header Files\ThirdParty</Filter>
</ClInclude>
<ClInclude Include="distorm.h">
<Filter>Header Files\ThirdParty</Filter>
</ClInclude>
<ClInclude Include="LzmaDec.h">
<Filter>Header Files\ThirdParty</Filter>
</ClInclude>
<ClInclude Include="LzmaTypes.h">
<Filter>Header Files\ThirdParty</Filter>
</ClInclude>
<ClInclude Include="scylla_wrapper.h">
<Filter>Header Files\ThirdParty</Filter>
</ClInclude>
<ClInclude Include="..\SDK\C\TitanEngine.h">
<Filter>Header Files\SDK\C</Filter>
</ClInclude>

4
TitanEngine/aplib.h
View File

@ -42,7 +42,7 @@ inline unsigned int APLIB_CONVENTION aP_depack_asm_safe(const void* source,
void* destination,
unsigned int dstlen)
{
return APLIB_ERROR;
return 0;
}
unsigned int APLIB_CONVENTION aP_crc32(const void* source, unsigned int length);
@ -63,7 +63,7 @@ inline unsigned int APLIB_CONVENTION aPsafe_depack(const void* source,
void* destination,
unsigned int dstlen)
{
return APLIB_ERROR;
return 0;
}
#ifdef __cplusplus

BIN
TitanEngine/aplib_x64.lib Normal file
View File

Binary file not shown.

BIN
TitanEngine/aplib_x86.lib Normal file
View File

Binary file not shown.

16
TitanEngine/definitions.h
View File

@ -43,9 +43,9 @@ __declspec(dllexport) bool TITCALL RemoveOverlayW(wchar_t* szFileName);
__declspec(dllexport) bool TITCALL MakeAllSectionsRWE(char* szFileName);
__declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName);
__declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, const char* szSectionName, DWORD SectionSize);
__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllexport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName);
@ -189,8 +189,6 @@ __declspec(dllexport) ULONG_PTR TITCALL GetContextDataEx(HANDLE hActiveThread, D
__declspec(dllexport) ULONG_PTR TITCALL GetContextData(DWORD IndexOfRegister);
__declspec(dllexport) bool TITCALL SetAVXContext(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext);
__declspec(dllexport) bool TITCALL GetAVXContext(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext);
__declspec(dllexport) bool TITCALL GetAVX512Context(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_AVX512_t* titcontext);
__declspec(dllexport) bool TITCALL SetAVX512Context(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_AVX512_t* titcontext);
__declspec(dllexport) bool TITCALL SetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllexport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllexport) bool TITCALL SetContextData(DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
@ -254,7 +252,7 @@ __declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllexport) long TITCALL ImporterEstimatedSize();
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, const wchar_t* szSectionName = L".RL!TEv2");
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName = L".RL!TEv2");
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIWriteLocation(char* szAPIName);
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber);
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
@ -293,8 +291,8 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char*
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
@ -337,7 +335,7 @@ __declspec(dllexport) long TITCALL ExporterGetAddedExportCount();
__declspec(dllexport) long TITCALL ExporterEstimatedSize();
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, const char* szSectionName);
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName);
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(char* szFileName);
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName);
// TitanEngine.Librarian.functions:
@ -436,7 +434,7 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
__declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess);
__declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies();
__declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(const char* szLogMessage);
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize);
#ifdef __cplusplus

166
distorm/include/distorm.h → TitanEngine/distorm.h
View File

@ -1,4 +1,4 @@
/* diStorm 3.5.3 */
/* diStorm3 3.3 */
/*
distorm.h
@ -6,8 +6,20 @@ distorm.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2021 Gil Dabah
This library is licensed under the BSD license. See the file COPYING.
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
@ -33,27 +45,29 @@ This library is licensed under the BSD license. See the file COPYING.
#undef SUPPORT_64BIT_OFFSET
#endif
#ifndef _MSC_VER
#include <stdint.h>
#else
/* Since MSVC < 2010 isn't shipped with stdint.h,
* here are those from MSVC 2017, which also match
* those in tinycc/libc. */
typedef signed char int8_t;
typedef short int16_t;
typedef int int32_t;
typedef long long int64_t;
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
typedef unsigned long long uint64_t;
#endif
/* If your compiler doesn't support stdint.h, define your own 64 bits type. */
#ifdef SUPPORT_64BIT_OFFSET
#ifdef _MSC_VER
#define OFFSET_INTEGER unsigned __int64
#else
#include <stdint.h>
#define OFFSET_INTEGER uint64_t
#endif
#else
/* 32 bit offsets are used. */
#define OFFSET_INTEGER uint32_t
#define OFFSET_INTEGER unsigned long
#endif
#ifdef _MSC_VER
/* Since MSVC isn't shipped with stdint.h, we will have our own: */
typedef signed __int64 int64_t;
typedef unsigned __int64 uint64_t;
typedef signed __int32 int32_t;
typedef unsigned __int32 uint32_t;
typedef signed __int16 int16_t;
typedef unsigned __int16 uint16_t;
typedef signed __int8 int8_t;
typedef unsigned __int8 uint8_t;
#endif
/* Support C++ compilers */
@ -65,10 +79,10 @@ extern "C" {
/* *** Helper Macros *** */
/* Get the ISC of the instruction, used with the definitions below. */
#define META_GET_ISC(meta) (((meta) >> 8) & 0x1f)
#define META_SET_ISC(di, isc) (((di)->meta) |= ((isc) << 8))
#define META_GET_ISC(meta) (((meta) >> 3) & 0x1f)
#define META_SET_ISC(di, isc) (((di)->meta) |= ((isc) << 3))
/* Get the flow control flags of the instruction, see 'features for decompose' below. */
#define META_GET_FC(meta) ((meta) & 0xf)
#define META_GET_FC(meta) ((meta) & 0x7)
/* Get the target address of a branching instruction. O_PC operand type. */
#define INSTRUCTION_GET_TARGET(di) ((_OffsetType)(((di)->addr + (di)->imm.addr + (di)->size)))
@ -77,10 +91,10 @@ extern "C" {
/*
* Operand Size or Adderss size are stored inside the flags:
* 00 - 16 bits
* 01 - 32 bits
* 10 - 64 bits
* 11 - reserved
* 0 - 16 bits
* 1 - 32 bits
* 2 - 64 bits
* 3 - reserved
*
* If you call these set-macros more than once, you will have to clean the bits before doing so.
*/
@ -89,28 +103,29 @@ extern "C" {
#define FLAG_GET_OPSIZE(flags) (((flags) >> 8) & 3)
#define FLAG_GET_ADDRSIZE(flags) (((flags) >> 10) & 3)
/* To get the LOCK/REPNZ/REP prefixes. */
#define FLAG_GET_PREFIX(flags) (((unsigned int)((int16_t)flags)) & 7)
/* Indicates whether the instruction is privileged. */
#define FLAG_GET_PRIVILEGED(flags) (((flags) & FLAG_PRIVILEGED_INSTRUCTION) != 0)
#define FLAG_GET_PREFIX(flags) ((flags) & 7)
/*
* Macros to extract segment registers from 'segment':
*/
#define SEGMENT_DEFAULT 0x80
#define SEGMENT_SET(di, seg) ((di->segment) |= seg)
#define SEGMENT_GET(segment) (((segment) == R_NONE) ? R_NONE : ((segment) & 0x7f))
#define SEGMENT_GET_UNSAFE(segment) ((segment) & 0x7f)
#define SEGMENT_IS_DEFAULT(segment) (((int8_t)segment) < -1) /* Quick check it's a negative number that isn't -1, so it's (0x80 | SEGREG). */
#define SEGMENT_IS_DEFAULT_OR_NONE(segment) (((uint8_t)(segment)) > 0x80)
#define SEGMENT_IS_DEFAULT(segment) (((segment) & SEGMENT_DEFAULT) == SEGMENT_DEFAULT)
/* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */
typedef enum { Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2 } _DecodeType;
typedef enum
{
Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2
}
_DecodeType;
typedef OFFSET_INTEGER _OffsetType;
typedef struct
{
_OffsetType codeOffset, addrMask;
_OffsetType nextOffset; /* nextOffset is OUT only. */
_OffsetType codeOffset, nextOffset; /* nextOffset is OUT only. */
const uint8_t* code;
int codeLen; /* Using signed integer makes it easier to detect an underflow. */
_DecodeType dt;
@ -173,7 +188,7 @@ typedef struct
*/
uint8_t index;
/* Size in bits of:
/* Size of:
O_REG: register
O_IMM: instruction.imm
O_IMM1: instruction.imm.ex.i1
@ -200,18 +215,13 @@ typedef struct
#define FLAG_HINT_TAKEN (1 << 3)
/* Indicates there is a hint non-taken for Jcc instructions only. */
#define FLAG_HINT_NOT_TAKEN (1 << 4)
/* The Imm value is signed extended (E.G in 64 bit decoding mode, a 32 bit imm is usually sign extended into 64 bit imm). */
/* The Imm value is signed extended. */
#define FLAG_IMM_SIGNED (1 << 5)
/* The destination operand is writable. */
#define FLAG_DST_WR (1 << 6)
/* The instruction uses RIP-relative indirection. */
#define FLAG_RIP_RELATIVE (1 << 7)
/* See flag FLAG_GET_XXX macros above. */
/* The instruction is privileged and can only be used from Ring0. */
#define FLAG_PRIVILEGED_INSTRUCTION (1 << 15)
/* No register was defined. */
#define R_NONE ((uint8_t)-1)
@ -243,14 +253,12 @@ typedef struct
/* Unused prefixes mask, for each bit that is set that prefix is not used (LSB is byte [addr + 0]). */
uint16_t unusedPrefixesMask;
/* Mask of registers that were used in the operands, only used for quick look up, in order to know *some* operand uses that register class. */
uint32_t usedRegistersMask;
uint16_t usedRegistersMask;
/* ID of opcode in the global opcode table. Use for mnemonic look up. */
uint16_t opcode;
/* Up to four operands per instruction, ignored if ops[n].type == O_NONE. */
_Operand ops[OPERANDS_NO];
/* Number of valid ops entries. */
uint8_t opsNo;
/* Size of the whole instruction in bytes. */
/* Size of the whole instruction. */
uint8_t size;
/* Segment information of memory indirection, default segment, or overriden one, can be -1. Use SEGMENT macros. */
uint8_t segment;
@ -258,9 +266,9 @@ typedef struct
uint8_t base, scale;
uint8_t dispSize;
/* Meta defines the instruction set class, and the flow control flags. Use META macros. */
uint16_t meta;
/* The CPU flags that the instruction operates upon, set only with DF_FILL_EFLAGS enabled, otherwise 0. */
uint16_t modifiedFlagsMask, testedFlagsMask, undefinedFlagsMask;
uint8_t meta;
/* The CPU flags that the instruction operates upon. */
uint8_t modifiedFlagsMask, testedFlagsMask, undefinedFlagsMask;
} _DInst;
#ifndef DISTORM_LIGHT
@ -280,11 +288,11 @@ typedef struct
*/
typedef struct
{
_OffsetType offset; /* Start offset of the decoded instruction. */
unsigned int size; /* Size of decoded instruction in bytes. */
_WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
_WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
_WString instructionHex; /* Hex dump - little endian, including prefixes. */
unsigned int size; /* Size of decoded instruction. */
_OffsetType offset; /* Start offset of the decoded instruction. */
} _DecodedInst;
#endif /* DISTORM_LIGHT */
@ -304,30 +312,20 @@ typedef struct
#define RM_AVX 0x800 /* YMM0 - YMM15 */
#define RM_CR 0x1000 /* CR0, CR2, CR3, CR4, CR8 */
#define RM_DR 0x2000 /* DR0, DR1, DR2, DR3, DR6, DR7 */
#define RM_R8 0x4000 /* R8B, R8W, R8D, R8 */
#define RM_R9 0x8000 /* R9B, R9W, R9D, R9 */
#define RM_R10 0x10000 /* R10B, R10W, R10D, R10 */
#define RM_R11 0x20000 /* R11B, R11W, R11D, R11 */
#define RM_R12 0x40000 /* R12B, R12W, R12D, R12 */
#define RM_R13 0x80000 /* R13B, R13W, R13D, R13 */
#define RM_R14 0x100000 /* R14B, R14W, R14D, R14 */
#define RM_R15 0x200000 /* R15B, R15W, R15D, R15 */
#define RM_SEG 0x400000 /* CS, SS, DS, ES, FS, GS */
/* RIP should be checked using the 'flags' field and FLAG_RIP_RELATIVE.
* Segments should be checked using the segment macros.
* For now R8 - R15 are not supported and non general purpose registers map into same RM.
*/
/* CPU flags that instructions modify, test or undefine (are EFLAGS compatible!). */
#define D_CF 1 /* Carry */
#define D_PF 4 /* Parity */
#define D_AF 0x10 /* Auxiliary */
#define D_ZF 0x40 /* Zero */
#define D_SF 0x80 /* Sign */
#define D_IF 0x200 /* Interrupt */
#define D_DF 0x400 /* Direction */
#define D_OF 0x800 /* Overflow */
/* CPU Flags that instructions modify, test or undefine. */
#define D_ZF 1 /* Zero */
#define D_SF 2 /* Sign */
#define D_CF 4 /* Carry */
#define D_OF 8 /* Overflow */
#define D_PF 0x10 /* Parity */
#define D_AF 0x20 /* Auxilary */
#define D_DF 0x40 /* Direction */
#define D_IF 0x80 /* Interrupt */
/*
* Instructions Set classes:
@ -394,21 +392,8 @@ typedef struct
#define DF_STOP_ON_INT 0x100
/* The decoder will stop and return to the caller when any of the 'CMOVxx' instruction was decoded. */
#define DF_STOP_ON_CMOV 0x200
/* The decoder will stop and return to the caller when it encounters the HLT instruction. */
#define DF_STOP_ON_HLT 0x400
/* The decoder will stop and return to the caller when it encounters a privileged instruction. */
#define DF_STOP_ON_PRIVILEGED 0x800
/* The decoder will stop and return to the caller when an instruction couldn't be decoded. */
#define DF_STOP_ON_UNDECODEABLE 0x1000
/* The decoder will not synchronize to the next byte after the previosuly decoded instruction, instead it will start decoding at the next byte. */
#define DF_SINGLE_BYTE_STEP 0x2000
/* The decoder will fill in the eflags fields for the decoded instruction. */
#define DF_FILL_EFLAGS 0x4000
/* The decoder will use the addrMask in CodeInfo structure instead of DF_MAXIMUM_ADDR16/32. */
#define DF_USE_ADDR_MASK 0x8000
/* The decoder will stop and return to the caller when any flow control instruction was decoded. */
#define DF_STOP_ON_FLOW_CONTROL (DF_STOP_ON_CALL | DF_STOP_ON_RET | DF_STOP_ON_SYS | DF_STOP_ON_UNC_BRANCH | DF_STOP_ON_CND_BRANCH | DF_STOP_ON_INT | DF_STOP_ON_CMOV | DF_STOP_ON_HLT)
#define DF_STOP_ON_FLOW_CONTROL (DF_STOP_ON_CALL | DF_STOP_ON_RET | DF_STOP_ON_SYS | DF_STOP_ON_UNC_BRANCH | DF_STOP_ON_CND_BRANCH | DF_STOP_ON_INT | DF_STOP_ON_CMOV)
/* Indicates the instruction is not a flow-control instruction. */
#define FC_NONE 0
@ -429,11 +414,9 @@ typedef struct
#define FC_INT 6
/* Indicates the instruction is one of: CMOVxx. */
#define FC_CMOV 7
/* Indicates the instruction is HLT. */
#define FC_HLT 8
/* Return code of the decoding function. */
typedef enum { DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR } _DecodeResult;
typedef enum { DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR, DECRES_FILTERED } _DecodeResult;
/* Define the following interface functions only for outer projects. */
#if !(defined(DISTORM_STATIC) || defined(DISTORM_DYNAMIC))
@ -456,11 +439,6 @@ typedef enum { DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR }
* Notes: 1)The minimal size of maxInstructions is 15.
* 2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block!
*/
/* distorm_decompose
* See more documentation online at the GitHub project's wiki.
*
*/
#ifdef SUPPORT_64BIT_OFFSET
_DecodeResult distorm_decompose64(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
@ -496,7 +474,7 @@ void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* resul
*
* Output: unsigned int - version of compiled library.
*/
unsigned int distorm_version(void);
unsigned int distorm_version();
#endif /* DISTORM_STATIC */

0
scylla_wrapper/distorm_x64.lib → TitanEngine/distorm_x64.lib
View File

0
scylla_wrapper/distorm_x86.lib → TitanEngine/distorm_x86.lib
View File

2587
TitanEngine/ntdll.h
View File

File diff suppressed because it is too large Load Diff

61
scylla_wrapper/include/scylla_wrapper.h → TitanEngine/scylla_wrapper.h
View File

@ -1,59 +1,29 @@
/*
*
* Copyright (c) 2014
*
* cypher <the.cypher@gmail.com>
#include "stdafx.h"
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3 as
published by the Free Software Foundation.
/* Scylla definitions */
const BYTE SCY_ERROR_SUCCESS = 0;
const BYTE SCY_ERROR_PROCOPEN = -1;
const BYTE SCY_ERROR_IATWRITE = -2;
const BYTE SCY_ERROR_IATSEARCH = -3;
const BYTE SCY_ERROR_IATNOTFOUND = -4;
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
//packing set to 1 needed because TitanEngine uses same
#pragma pack(push, 1)
typedef enum
{
SCY_ERROR_SUCCESS = 0,
SCY_ERROR_PROCOPEN = -1,
SCY_ERROR_IATWRITE = -2,
SCY_ERROR_IATSEARCH = -3,
SCY_ERROR_IATNOTFOUND = -4
} ScyllaErrorCode;;
typedef struct
{
bool NewDll;
int NumberOfImports;
ULONG_PTR ImageBase;
ULONG_PTR BaseImportThunk;
ULONG_PTR ImportThunk;
char* APIName;
char* DLLName;
} ScyllaImportEnumData, *PScyllaImportEnumData;
//IAT exports
#ifdef __cplusplus
extern "C" {
#endif /*__cplusplus*/
//iat exports
int scylla_searchIAT(DWORD pid, DWORD_PTR & iatStart, DWORD & iatSize, DWORD_PTR searchStart, bool advancedSearch);
int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA);
bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA);
bool scylla_importsValid();
bool scylla_cutImport(DWORD_PTR apiAddr);
int scylla_fixDump(const WCHAR* dumpFile, const WCHAR* iatFixFile, const WCHAR* sectionName = L".scy");
int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap);
int scylla_getModuleCount();
int scylla_getImportCount();
void scylla_enumImportTree(LPVOID enumCallBack);
long scylla_estimatedIATSize();
DWORD_PTR scylla_findImportWriteLocation(const char* importName);
DWORD_PTR scylla_findImportWriteLocation(char* importName);
DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber);
DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA);
DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA);
@ -65,5 +35,8 @@ bool scylla_dumpProcessA(DWORD_PTR pid, const char* fileToDump, DWORD_PTR imageb
//rebuilder exports
bool scylla_rebuildFileW(const WCHAR* fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
bool scylla_rebuildFileA(const char* fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
#ifdef __cplusplus
}
#endif /*__cplusplus*/
#pragma pack(pop)
/* Scylla definitions */

30
TitanEngine/stdafx.h
View File

@ -37,20 +37,6 @@
#define _Out_writes_opt_(x)
#endif
// Utility helpers for legacy TitanEngine callback APIs that use void* handles
// for callbacks while still allowing typed function pointer usage internally.
template<typename T>
static inline LPVOID CallbackToObjectPointer(T functionPointer)
{
return reinterpret_cast<LPVOID>(reinterpret_cast<ULONG_PTR>(functionPointer));
}
template<typename T>
static inline T ObjectPointerToCallback(LPVOID callbackData)
{
return reinterpret_cast<T>(reinterpret_cast<ULONG_PTR>(callbackData));
}
#ifndef _In_reads_
#define _In_reads_(x)
#endif
@ -139,12 +125,6 @@ typedef struct
XmmRegister_t High; //AVX part
} YmmRegister_t;
typedef struct
{
YmmRegister_t Low; //AVX part
YmmRegister_t High; //AVX-512 part
} ZmmRegister_t;
typedef struct
{
BYTE data[10];
@ -210,16 +190,6 @@ typedef struct
#endif
} TITAN_ENGINE_CONTEXT_t;
typedef struct
{
#ifdef _WIN64
ZmmRegister_t ZmmRegisters[32];
#else // x86
ZmmRegister_t ZmmRegisters[8];
#endif
ULONGLONG Opmask[8];
} TITAN_ENGINE_CONTEXT_AVX512_t;
typedef struct
{
ULONG_PTR BreakPointAddress;

29
cmake.toml
View File

@ -1,29 +0,0 @@
[project]
name = "TitanEngine"
msvc-runtime = "static"
[options]
TITANENGINE_RESOURCES = true
[target.distorm]
type = "static"
sources = ["distorm/src/*.c"]
headers = ["distorm/src/*.h", "distorm/include/*.h"]
include-directories = ["distorm/include"]
[target.scylla_wrapper]
type = "static"
sources = ["scylla_wrapper/*.cpp"]
headers = ["scylla_wrapper/*.h", "scylla_wrapper/include/*.h"]
link-libraries = ["::distorm"]
include-directories = ["scylla_wrapper/include"]
compile-features = ["cxx_std_11"]
[target.TitanEngine]
type = "shared"
sources = ["TitanEngine/*.cpp"]
headers = ["TitanEngine/*.h"]
private-link-libraries = ["::scylla_wrapper", "Psapi.lib"]
x64.private-link-libraries = ["TitanEngine/ntdll_x64.lib"]
x32.private-link-libraries = ["TitanEngine/ntdll_x86.lib"]
TITANENGINE_RESOURCES.sources = ["TitanEngine/TitanEngine.rc"]

260
cmkr.cmake
View File

@ -1,260 +0,0 @@
include_guard()
# Change these defaults to point to your infrastructure if desired
set(CMKR_REPO "https://github.com/build-cpp/cmkr" CACHE STRING "cmkr git repository" FORCE)
set(CMKR_TAG "v0.2.46" CACHE STRING "cmkr git tag (this needs to be available forever)" FORCE)
set(CMKR_COMMIT_HASH "" CACHE STRING "cmkr git commit hash (optional)" FORCE)
# To bootstrap/generate a cmkr project: cmake -P cmkr.cmake
if(CMAKE_SCRIPT_MODE_FILE)
set(CMAKE_BINARY_DIR "${CMAKE_BINARY_DIR}/build")
set(CMAKE_CURRENT_BINARY_DIR "${CMAKE_BINARY_DIR}")
file(MAKE_DIRECTORY "${CMAKE_BINARY_DIR}")
endif()
# Set these from the command line to customize for development/debugging purposes
set(CMKR_EXECUTABLE "" CACHE FILEPATH "cmkr executable")
set(CMKR_SKIP_GENERATION OFF CACHE BOOL "skip automatic cmkr generation")
set(CMKR_BUILD_TYPE "Debug" CACHE STRING "cmkr build configuration")
mark_as_advanced(CMKR_REPO CMKR_TAG CMKR_COMMIT_HASH CMKR_EXECUTABLE CMKR_SKIP_GENERATION CMKR_BUILD_TYPE)
# Disable cmkr if generation is disabled
if(DEFINED ENV{CI} OR CMKR_SKIP_GENERATION OR CMKR_BUILD_SKIP_GENERATION)
message(STATUS "[cmkr] Skipping automatic cmkr generation")
unset(CMKR_BUILD_SKIP_GENERATION CACHE)
macro(cmkr)
endmacro()
return()
endif()
# Disable cmkr if no cmake.toml file is found
if(NOT CMAKE_SCRIPT_MODE_FILE AND NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/cmake.toml")
message(AUTHOR_WARNING "[cmkr] Not found: ${CMAKE_CURRENT_SOURCE_DIR}/cmake.toml")
macro(cmkr)
endmacro()
return()
endif()
# Convert a Windows native path to CMake path
if(CMKR_EXECUTABLE MATCHES "\\\\")
string(REPLACE "\\" "/" CMKR_EXECUTABLE_CMAKE "${CMKR_EXECUTABLE}")
set(CMKR_EXECUTABLE "${CMKR_EXECUTABLE_CMAKE}" CACHE FILEPATH "" FORCE)
unset(CMKR_EXECUTABLE_CMAKE)
endif()
# Helper macro to execute a process (COMMAND_ERROR_IS_FATAL ANY is 3.19 and higher)
function(cmkr_exec)
execute_process(COMMAND ${ARGV} RESULT_VARIABLE CMKR_EXEC_RESULT)
if(NOT CMKR_EXEC_RESULT EQUAL 0)
message(FATAL_ERROR "cmkr_exec(${ARGV}) failed (exit code ${CMKR_EXEC_RESULT})")
endif()
endfunction()
# Windows-specific hack (CMAKE_EXECUTABLE_PREFIX is not set at the moment)
if(WIN32)
set(CMKR_EXECUTABLE_NAME "cmkr.exe")
else()
set(CMKR_EXECUTABLE_NAME "cmkr")
endif()
# Use cached cmkr if found
if(DEFINED ENV{CMKR_CACHE})
set(CMKR_DIRECTORY_PREFIX "$ENV{CMKR_CACHE}")
string(REPLACE "\\" "/" CMKR_DIRECTORY_PREFIX "${CMKR_DIRECTORY_PREFIX}")
if(CMKR_DIRECTORY_PREFIX MATCHES "^~")
if(WIN32)
string(REGEX REPLACE "^~" "$ENV{USERPROFILE}" CMKR_DIRECTORY_PREFIX "${CMKR_DIRECTORY_PREFIX}")
elseif(UNIX)
string(REGEX REPLACE "^~" "$ENV{HOME}" CMKR_DIRECTORY_PREFIX "${CMKR_DIRECTORY_PREFIX}")
endif()
endif()
if(NOT CMKR_DIRECTORY_PREFIX MATCHES "\\/$")
set(CMKR_DIRECTORY_PREFIX "${CMKR_DIRECTORY_PREFIX}/")
endif()
# Build in release mode for the cache
set(CMKR_BUILD_TYPE "Release")
else()
set(CMKR_DIRECTORY_PREFIX "${CMAKE_CURRENT_BINARY_DIR}/_cmkr_")
endif()
set(CMKR_DIRECTORY "${CMKR_DIRECTORY_PREFIX}${CMKR_TAG}")
set(CMKR_CACHED_EXECUTABLE "${CMKR_DIRECTORY}/bin/${CMKR_EXECUTABLE_NAME}")
# Helper function to check if a string starts with a prefix
# Cannot use MATCHES, see: https://github.com/build-cpp/cmkr/issues/61
function(cmkr_startswith str prefix result)
string(LENGTH "${prefix}" prefix_length)
string(LENGTH "${str}" str_length)
if(prefix_length LESS_EQUAL str_length)
string(SUBSTRING "${str}" 0 ${prefix_length} str_prefix)
if(prefix STREQUAL str_prefix)
set("${result}" ON PARENT_SCOPE)
return()
endif()
endif()
set("${result}" OFF PARENT_SCOPE)
endfunction()
# Handle upgrading logic
if(CMKR_EXECUTABLE AND NOT CMKR_CACHED_EXECUTABLE STREQUAL CMKR_EXECUTABLE)
cmkr_startswith("${CMKR_EXECUTABLE}" "${CMAKE_CURRENT_BINARY_DIR}/_cmkr" CMKR_STARTSWITH_BUILD)
cmkr_startswith("${CMKR_EXECUTABLE}" "${CMKR_DIRECTORY_PREFIX}" CMKR_STARTSWITH_CACHE)
if(CMKR_STARTSWITH_BUILD)
if(DEFINED ENV{CMKR_CACHE})
message(AUTHOR_WARNING "[cmkr] Switching to cached cmkr: '${CMKR_CACHED_EXECUTABLE}'")
if(EXISTS "${CMKR_CACHED_EXECUTABLE}")
set(CMKR_EXECUTABLE "${CMKR_CACHED_EXECUTABLE}" CACHE FILEPATH "Full path to cmkr executable" FORCE)
else()
unset(CMKR_EXECUTABLE CACHE)
endif()
else()
message(AUTHOR_WARNING "[cmkr] Upgrading '${CMKR_EXECUTABLE}' to '${CMKR_CACHED_EXECUTABLE}'")
unset(CMKR_EXECUTABLE CACHE)
endif()
elseif(DEFINED ENV{CMKR_CACHE} AND CMKR_STARTSWITH_CACHE)
message(AUTHOR_WARNING "[cmkr] Upgrading cached '${CMKR_EXECUTABLE}' to '${CMKR_CACHED_EXECUTABLE}'")
unset(CMKR_EXECUTABLE CACHE)
endif()
endif()
if(CMKR_EXECUTABLE AND EXISTS "${CMKR_EXECUTABLE}")
message(VERBOSE "[cmkr] Found cmkr: '${CMKR_EXECUTABLE}'")
elseif(CMKR_EXECUTABLE AND NOT CMKR_EXECUTABLE STREQUAL CMKR_CACHED_EXECUTABLE)
message(FATAL_ERROR "[cmkr] '${CMKR_EXECUTABLE}' not found")
elseif(NOT CMKR_EXECUTABLE AND EXISTS "${CMKR_CACHED_EXECUTABLE}")
set(CMKR_EXECUTABLE "${CMKR_CACHED_EXECUTABLE}" CACHE FILEPATH "Full path to cmkr executable" FORCE)
message(STATUS "[cmkr] Found cached cmkr: '${CMKR_EXECUTABLE}'")
else()
set(CMKR_EXECUTABLE "${CMKR_CACHED_EXECUTABLE}" CACHE FILEPATH "Full path to cmkr executable" FORCE)
message(VERBOSE "[cmkr] Bootstrapping '${CMKR_EXECUTABLE}'")
message(STATUS "[cmkr] Fetching cmkr...")
if(EXISTS "${CMKR_DIRECTORY}")
cmkr_exec("${CMAKE_COMMAND}" -E rm -rf "${CMKR_DIRECTORY}")
endif()
find_package(Git QUIET REQUIRED)
cmkr_exec("${GIT_EXECUTABLE}"
clone
--config advice.detachedHead=false
--branch ${CMKR_TAG}
--depth 1
${CMKR_REPO}
"${CMKR_DIRECTORY}"
)
if(CMKR_COMMIT_HASH)
execute_process(
COMMAND "${GIT_EXECUTABLE}" checkout -q "${CMKR_COMMIT_HASH}"
RESULT_VARIABLE CMKR_EXEC_RESULT
WORKING_DIRECTORY "${CMKR_DIRECTORY}"
)
if(NOT CMKR_EXEC_RESULT EQUAL 0)
message(FATAL_ERROR "Tag '${CMKR_TAG}' hash is not '${CMKR_COMMIT_HASH}'")
endif()
endif()
message(STATUS "[cmkr] Building cmkr (using system compiler)...")
cmkr_exec("${CMAKE_COMMAND}"
--no-warn-unused-cli
"${CMKR_DIRECTORY}"
"-B${CMKR_DIRECTORY}/build"
"-DCMAKE_BUILD_TYPE=${CMKR_BUILD_TYPE}"
"-DCMAKE_UNITY_BUILD=ON"
"-DCMAKE_INSTALL_PREFIX=${CMKR_DIRECTORY}"
"-DCMKR_GENERATE_DOCUMENTATION=OFF"
)
cmkr_exec("${CMAKE_COMMAND}"
--build "${CMKR_DIRECTORY}/build"
--config "${CMKR_BUILD_TYPE}"
--parallel
)
cmkr_exec("${CMAKE_COMMAND}"
--install "${CMKR_DIRECTORY}/build"
--config "${CMKR_BUILD_TYPE}"
--prefix "${CMKR_DIRECTORY}"
--component cmkr
)
if(NOT EXISTS ${CMKR_EXECUTABLE})
message(FATAL_ERROR "[cmkr] Failed to bootstrap '${CMKR_EXECUTABLE}'")
endif()
cmkr_exec("${CMKR_EXECUTABLE}" version)
message(STATUS "[cmkr] Bootstrapped ${CMKR_EXECUTABLE}")
endif()
execute_process(COMMAND "${CMKR_EXECUTABLE}" version
RESULT_VARIABLE CMKR_EXEC_RESULT
)
if(NOT CMKR_EXEC_RESULT EQUAL 0)
message(FATAL_ERROR "[cmkr] Failed to get version, try clearing the cache and rebuilding")
endif()
# Use cmkr.cmake as a script
if(CMAKE_SCRIPT_MODE_FILE)
if(NOT EXISTS "${CMAKE_SOURCE_DIR}/cmake.toml")
execute_process(COMMAND "${CMKR_EXECUTABLE}" init
RESULT_VARIABLE CMKR_EXEC_RESULT
)
if(NOT CMKR_EXEC_RESULT EQUAL 0)
message(FATAL_ERROR "[cmkr] Failed to bootstrap cmkr project. Please report an issue: https://github.com/build-cpp/cmkr/issues/new")
else()
message(STATUS "[cmkr] Modify cmake.toml and then configure using: cmake -B build")
endif()
else()
execute_process(COMMAND "${CMKR_EXECUTABLE}" gen
RESULT_VARIABLE CMKR_EXEC_RESULT
)
if(NOT CMKR_EXEC_RESULT EQUAL 0)
message(FATAL_ERROR "[cmkr] Failed to generate project.")
else()
message(STATUS "[cmkr] Configure using: cmake -B build")
endif()
endif()
endif()
# This is the macro that contains black magic
macro(cmkr)
# When this macro is called from the generated file, fake some internal CMake variables
get_source_file_property(CMKR_CURRENT_LIST_FILE "${CMAKE_CURRENT_LIST_FILE}" CMKR_CURRENT_LIST_FILE)
if(CMKR_CURRENT_LIST_FILE)
set(CMAKE_CURRENT_LIST_FILE "${CMKR_CURRENT_LIST_FILE}")
get_filename_component(CMAKE_CURRENT_LIST_DIR "${CMAKE_CURRENT_LIST_FILE}" DIRECTORY)
endif()
# File-based include guard (include_guard is not documented to work)
get_source_file_property(CMKR_INCLUDE_GUARD "${CMAKE_CURRENT_LIST_FILE}" CMKR_INCLUDE_GUARD)
if(NOT CMKR_INCLUDE_GUARD)
set_source_files_properties("${CMAKE_CURRENT_LIST_FILE}" PROPERTIES CMKR_INCLUDE_GUARD TRUE)
file(SHA256 "${CMAKE_CURRENT_LIST_FILE}" CMKR_LIST_FILE_SHA256_PRE)
# Generate CMakeLists.txt
cmkr_exec("${CMKR_EXECUTABLE}" gen
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
)
file(SHA256 "${CMAKE_CURRENT_LIST_FILE}" CMKR_LIST_FILE_SHA256_POST)
# Delete the temporary file if it was left for some reason
set(CMKR_TEMP_FILE "${CMAKE_CURRENT_SOURCE_DIR}/CMakerLists.txt")
if(EXISTS "${CMKR_TEMP_FILE}")
file(REMOVE "${CMKR_TEMP_FILE}")
endif()
if(NOT CMKR_LIST_FILE_SHA256_PRE STREQUAL CMKR_LIST_FILE_SHA256_POST)
# Copy the now-generated CMakeLists.txt to CMakerLists.txt
# This is done because you cannot include() a file you are currently in
configure_file(CMakeLists.txt "${CMKR_TEMP_FILE}" COPYONLY)
# Add the macro required for the hack at the start of the cmkr macro
set_source_files_properties("${CMKR_TEMP_FILE}" PROPERTIES
CMKR_CURRENT_LIST_FILE "${CMAKE_CURRENT_LIST_FILE}"
)
# 'Execute' the newly-generated CMakeLists.txt
include("${CMKR_TEMP_FILE}")
# Delete the generated file
file(REMOVE "${CMKR_TEMP_FILE}")
# Do not execute the rest of the original CMakeLists.txt
return()
endif()
# Resume executing the unmodified CMakeLists.txt
endif()
endmacro()

26
distorm/COPYING
View File

@ -1,26 +0,0 @@
:[diStorm3}:
The ultimate disassembler library.
Copyright (c) 2003-2021, Gil Dabah
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the Gil Dabah nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL GIL DABAH BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

157
distorm/distorm.vcxproj
View File

@ -1,157 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClInclude Include="include\distorm.h" />
<ClInclude Include="include\mnemonics.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="src\distorm.c" />
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>17.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{25ff4a19-7088-4687-aa32-76e61bd62e51}</ProjectGuid>
<RootNamespace>distorm</RootNamespace>
<WindowsTargetPlatformVersion>7.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141_xp</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141_xp</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141_xp</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

30
distorm/distorm.vcxproj.filters
View File

@ -1,30 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="include\distorm.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="include\mnemonics.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="src\distorm.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>

305
distorm/include/mnemonics.h
View File

@ -1,305 +0,0 @@
/*
mnemonics.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2021 Gil Dabah
This library is licensed under the BSD license. See the file COPYING.
*/
#ifndef MNEMONICS_H
#define MNEMONICS_H
#ifdef __cplusplus
extern "C" {
#endif
#ifndef DISTORM_LIGHT
typedef struct WMnemonic
{
unsigned char length;
unsigned char p[1]; /* p is a null terminated string, which contains 'length' characters. */
} _WMnemonic;
typedef struct WRegister
{
unsigned int length;
unsigned char p[6]; /* p is a null terminated string. */
} _WRegister;
extern const unsigned char _MNEMONICS[];
extern const _WRegister _REGISTERS[];
#endif /* DISTORM_LIGHT */
#ifdef __cplusplus
} /* End Of Extern */
#endif
#define GET_REGISTER_NAME(r) (unsigned char*)_REGISTERS[(r)].p
#define GET_MNEMONIC_NAME(m) ((_WMnemonic*)&_MNEMONICS[(m)])->p
typedef enum
{
I_UNDEFINED = 0, I_AAA = 66, I_AAD = 388, I_AAM = 383, I_AAS = 76, I_ADC = 31, I_ADD = 11, I_ADDPD = 3143,
I_ADDPS = 3136, I_ADDSD = 3157, I_ADDSS = 3150, I_ADDSUBPD = 6427, I_ADDSUBPS = 6437,
I_AESDEC = 9242, I_AESDECLAST = 9259, I_AESENC = 9200, I_AESENCLAST = 9217,
I_AESIMC = 9183, I_AESKEYGENASSIST = 9828, I_AND = 41, I_ANDNPD = 3054, I_ANDNPS = 3046,
I_ANDPD = 3023, I_ANDPS = 3016, I_ARPL = 111, I_BLENDPD = 9405, I_BLENDPS = 9386,
I_BLENDVPD = 7652, I_BLENDVPS = 7642, I_BOUND = 104, I_BSF = 4379, I_BSR = 4391,
I_BSWAP = 959, I_BT = 871, I_BTC = 933, I_BTR = 911, I_BTS = 886, I_CALL = 455,
I_CALL_FAR = 260, I_CBW = 228, I_CDQ = 250, I_CDQE = 239, I_CLAC = 1786, I_CLC = 491,
I_CLD = 511, I_CLFLUSH = 4362, I_CLGI = 1866, I_CLI = 501, I_CLTS = 540, I_CMC = 486,
I_CMOVA = 693, I_CMOVAE = 662, I_CMOVB = 655, I_CMOVBE = 685, I_CMOVG = 753,
I_CMOVGE = 737, I_CMOVL = 730, I_CMOVLE = 745, I_CMOVNO = 647, I_CMOVNP = 722,
I_CMOVNS = 707, I_CMOVNZ = 677, I_CMOVO = 640, I_CMOVP = 715, I_CMOVS = 700,
I_CMOVZ = 670, I_CMP = 71, I_CMPEQPD = 4482, I_CMPEQPS = 4403, I_CMPEQSD = 4640,
I_CMPEQSS = 4561, I_CMPLEPD = 4500, I_CMPLEPS = 4421, I_CMPLESD = 4658, I_CMPLESS = 4579,
I_CMPLTPD = 4491, I_CMPLTPS = 4412, I_CMPLTSD = 4649, I_CMPLTSS = 4570, I_CMPNEQPD = 4521,
I_CMPNEQPS = 4442, I_CMPNEQSD = 4679, I_CMPNEQSS = 4600, I_CMPNLEPD = 4541,
I_CMPNLEPS = 4462, I_CMPNLESD = 4699, I_CMPNLESS = 4620, I_CMPNLTPD = 4531,
I_CMPNLTPS = 4452, I_CMPNLTSD = 4689, I_CMPNLTSS = 4610, I_CMPORDPD = 4551,
I_CMPORDPS = 4472, I_CMPORDSD = 4709, I_CMPORDSS = 4630, I_CMPS = 301, I_CMPUNORDPD = 4509,
I_CMPUNORDPS = 4430, I_CMPUNORDSD = 4667, I_CMPUNORDSS = 4588, I_CMPXCHG = 897,
I_CMPXCHG16B = 6406, I_CMPXCHG8B = 6395, I_COMISD = 2812, I_COMISS = 2804,
I_CPUID = 864, I_CQO = 255, I_CRC32 = 9291, I_CVTDQ2PD = 6820, I_CVTDQ2PS = 3340,
I_CVTPD2DQ = 6830, I_CVTPD2PI = 2714, I_CVTPD2PS = 3266, I_CVTPH2PS = 4194,
I_CVTPI2PD = 2528, I_CVTPI2PS = 2518, I_CVTPS2DQ = 3350, I_CVTPS2PD = 3256,
I_CVTPS2PH = 4204, I_CVTPS2PI = 2704, I_CVTSD2SI = 2734, I_CVTSD2SS = 3286,
I_CVTSI2SD = 2548, I_CVTSI2SS = 2538, I_CVTSS2SD = 3276, I_CVTSS2SI = 2724,
I_CVTTPD2DQ = 6809, I_CVTTPD2PI = 2647, I_CVTTPS2DQ = 3360, I_CVTTPS2PI = 2636,
I_CVTTSD2SI = 2669, I_CVTTSS2SI = 2658, I_CWD = 245, I_CWDE = 233, I_DAA = 46,
I_DAS = 56, I_DEC = 86, I_DIV = 1645, I_DIVPD = 3532, I_DIVPS = 3525, I_DIVSD = 3546,
I_DIVSS = 3539, I_DPPD = 9648, I_DPPS = 9635, I_EMMS = 4133, I_ENTER = 340,
I_EXTRACTPS = 9513, I_EXTRQ = 4169, I_F2XM1 = 1191, I_FABS = 1122, I_FADD = 1022,
I_FADDP = 1548, I_FBLD = 1600, I_FBSTP = 1606, I_FCHS = 1116, I_FCLEX = 7322,
I_FCMOVB = 1375, I_FCMOVBE = 1391, I_FCMOVE = 1383, I_FCMOVNB = 1444, I_FCMOVNBE = 1462,
I_FCMOVNE = 1453, I_FCMOVNU = 1472, I_FCMOVU = 1400, I_FCOM = 1034, I_FCOMI = 1511,
I_FCOMIP = 1622, I_FCOMP = 1040, I_FCOMPP = 1562, I_FCOS = 1310, I_FDECSTP = 1237,
I_FDIV = 1060, I_FDIVP = 1593, I_FDIVR = 1066, I_FDIVRP = 1585, I_FEDISI = 1487,
I_FEMMS = 573, I_FENI = 1481, I_FFREE = 1526, I_FIADD = 1316, I_FICOM = 1330,
I_FICOMP = 1337, I_FIDIV = 1360, I_FIDIVR = 1367, I_FILD = 1417, I_FIMUL = 1323,
I_FINCSTP = 1246, I_FINIT = 7337, I_FIST = 1431, I_FISTP = 1437, I_FISTTP = 1423,
I_FISUB = 1345, I_FISUBR = 1352, I_FLD = 1073, I_FLD1 = 1140, I_FLDCW = 1097,
I_FLDENV = 1089, I_FLDL2E = 1154, I_FLDL2T = 1146, I_FLDLG2 = 1169, I_FLDLN2 = 1177,
I_FLDPI = 1162, I_FLDZ = 1185, I_FMUL = 1028, I_FMULP = 1555, I_FNCLEX = 7314,
I_FNINIT = 7329, I_FNOP = 1110, I_FNSAVE = 7344, I_FNSTCW = 7299, I_FNSTENV = 7282,
I_FNSTSW = 7359, I_FPATAN = 1212, I_FPREM = 1255, I_FPREM1 = 1229, I_FPTAN = 1205,
I_FRNDINT = 1287, I_FRSTOR = 1518, I_FSAVE = 7352, I_FSCALE = 1296, I_FSETPM = 1495,
I_FSIN = 1304, I_FSINCOS = 1278, I_FSQRT = 1271, I_FST = 1078, I_FSTCW = 7307,
I_FSTENV = 7291, I_FSTP = 1083, I_FSTSW = 7367, I_FSUB = 1047, I_FSUBP = 1578,
I_FSUBR = 1053, I_FSUBRP = 1570, I_FTST = 1128, I_FUCOM = 1533, I_FUCOMI = 1503,
I_FUCOMIP = 1613, I_FUCOMP = 1540, I_FUCOMPP = 1408, I_FXAM = 1134, I_FXCH = 1104,
I_FXRSTOR = 9925, I_FXRSTOR64 = 9934, I_FXSAVE = 9897, I_FXSAVE64 = 9905,
I_FXTRACT = 1220, I_FYL2X = 1198, I_FYL2XP1 = 1262, I_GETSEC = 632, I_HADDPD = 4214,
I_HADDPS = 4222, I_HLT = 481, I_HSUBPD = 4248, I_HSUBPS = 4256, I_IDIV = 1650,
I_IMUL = 117, I_IN = 446, I_INC = 81, I_INS = 123, I_INSERTPS = 9580, I_INSERTQ = 4176,
I_INT = 366, I_INT1 = 475, I_INT3 = 360, I_INTO = 371, I_INVD = 554, I_INVEPT = 8317,
I_INVLPG = 1726, I_INVLPGA = 1880, I_INVPCID = 8334, I_INVVPID = 8325, I_IRET = 377,
I_JA = 166, I_JAE = 147, I_JB = 143, I_JBE = 161, I_JCXZ = 426, I_JECXZ = 432,
I_JG = 202, I_JGE = 192, I_JL = 188, I_JLE = 197, I_JMP = 461, I_JMP_FAR = 466,
I_JNO = 138, I_JNP = 183, I_JNS = 174, I_JNZ = 156, I_JO = 134, I_JP = 179,
I_JRCXZ = 439, I_JS = 170, I_JZ = 152, I_LAHF = 289, I_LAR = 521, I_LDDQU = 7027,
I_LDMXCSR = 9955, I_LDS = 335, I_LEA = 223, I_LEAVE = 347, I_LES = 330, I_LFENCE = 4298,
I_LFS = 916, I_LGDT = 1702, I_LGS = 921, I_LIDT = 1708, I_LLDT = 1667, I_LMSW = 1720,
I_LODS = 313, I_LOOP = 420, I_LOOPNZ = 405, I_LOOPZ = 413, I_LSL = 526, I_LSS = 906,
I_LTR = 1673, I_LZCNT = 4396, I_MASKMOVDQU = 7152, I_MASKMOVQ = 7142, I_MAXPD = 3592,
I_MAXPS = 3585, I_MAXSD = 3606, I_MAXSS = 3599, I_MFENCE = 4324, I_MINPD = 3472,
I_MINPS = 3465, I_MINSD = 3486, I_MINSS = 3479, I_MONITOR = 1770, I_MOV = 218,
I_MOVAPD = 2492, I_MOVAPS = 2484, I_MOVBE = 9284, I_MOVD = 3953, I_MOVDDUP = 2219,
I_MOVDQ2Q = 6555, I_MOVDQA = 3979, I_MOVDQU = 3987, I_MOVHLPS = 2184, I_MOVHPD = 2378,
I_MOVHPS = 2370, I_MOVLHPS = 2361, I_MOVLPD = 2201, I_MOVLPS = 2193, I_MOVMSKPD = 2848,
I_MOVMSKPS = 2838, I_MOVNTDQ = 6882, I_MOVNTDQA = 7928, I_MOVNTI = 951, I_MOVNTPD = 2589,
I_MOVNTPS = 2580, I_MOVNTQ = 6874, I_MOVNTSD = 2607, I_MOVNTSS = 2598, I_MOVQ = 3959,
I_MOVQ2DQ = 6546, I_MOVS = 295, I_MOVSD = 2143, I_MOVSHDUP = 2386, I_MOVSLDUP = 2209,
I_MOVSS = 2136, I_MOVSX = 938, I_MOVSXD = 10038, I_MOVUPD = 2128, I_MOVUPS = 2120,
I_MOVZX = 926, I_MPSADBW = 9661, I_MUL = 1640, I_MULPD = 3203, I_MULPS = 3196,
I_MULSD = 3217, I_MULSS = 3210, I_MWAIT = 1779, I_NEG = 1635, I_NOP = 580,
I_NOT = 1630, I_OR = 27, I_ORPD = 3086, I_ORPS = 3080, I_OUT = 450, I_OUTS = 128,
I_PABSB = 7721, I_PABSD = 7751, I_PABSW = 7736, I_PACKSSDW = 3882, I_PACKSSWB = 3714,
I_PACKUSDW = 7949, I_PACKUSWB = 3792, I_PADDB = 7237, I_PADDD = 7267, I_PADDQ = 6514,
I_PADDSB = 6963, I_PADDSW = 6980, I_PADDUSB = 6653, I_PADDUSW = 6672, I_PADDW = 7252,
I_PALIGNR = 9443, I_PAND = 6640, I_PANDN = 6698, I_PAUSE = 10046, I_PAVGB = 6713,
I_PAVGUSB = 2111, I_PAVGW = 6758, I_PBLENDVB = 7632, I_PBLENDW = 9424, I_PCLMULQDQ = 9680,
I_PCMPEQB = 4076, I_PCMPEQD = 4114, I_PCMPEQQ = 7909, I_PCMPEQW = 4095, I_PCMPESTRI = 9759,
I_PCMPESTRM = 9736, I_PCMPGTB = 3735, I_PCMPGTD = 3773, I_PCMPGTQ = 8120,
I_PCMPGTW = 3754, I_PCMPISTRI = 9805, I_PCMPISTRM = 9782, I_PEXTRB = 9462,
I_PEXTRD = 9479, I_PEXTRQ = 9487, I_PEXTRW = 6344, I_PF2ID = 1947, I_PF2IW = 1940,
I_PFACC = 2061, I_PFADD = 2010, I_PFCMPEQ = 2068, I_PFCMPGE = 1971, I_PFCMPGT = 2017,
I_PFMAX = 2026, I_PFMIN = 1980, I_PFMUL = 2077, I_PFNACC = 1954, I_PFPNACC = 1962,
I_PFRCP = 1987, I_PFRCPIT1 = 2033, I_PFRCPIT2 = 2084, I_PFRSQIT1 = 2043, I_PFRSQRT = 1994,
I_PFSUB = 2003, I_PFSUBR = 2053, I_PHADDD = 7408, I_PHADDSW = 7425, I_PHADDW = 7391,
I_PHMINPOSUW = 8292, I_PHSUBD = 7484, I_PHSUBSW = 7501, I_PHSUBW = 7467, I_PI2FD = 1933,
I_PI2FW = 1926, I_PINSRB = 9563, I_PINSRD = 9601, I_PINSRQ = 9609, I_PINSRW = 6327,
I_PMADDUBSW = 7444, I_PMADDWD = 7106, I_PMAXSB = 8207, I_PMAXSD = 8224, I_PMAXSW = 6997,
I_PMAXUB = 6681, I_PMAXUD = 8258, I_PMAXUW = 8241, I_PMINSB = 8139, I_PMINSD = 8156,
I_PMINSW = 6935, I_PMINUB = 6623, I_PMINUD = 8190, I_PMINUW = 8173, I_PMOVMSKB = 6564,
I_PMOVSXBD = 7787, I_PMOVSXBQ = 7808, I_PMOVSXBW = 7766, I_PMOVSXDQ = 7871,
I_PMOVSXWD = 7829, I_PMOVSXWQ = 7850, I_PMOVZXBD = 8015, I_PMOVZXBQ = 8036,
I_PMOVZXBW = 7994, I_PMOVZXDQ = 8099, I_PMOVZXWD = 8057, I_PMOVZXWQ = 8078,
I_PMULDQ = 7892, I_PMULHRSW = 7571, I_PMULHRW = 2094, I_PMULHUW = 6773, I_PMULHW = 6792,
I_PMULLD = 8275, I_PMULLW = 6529, I_PMULUDQ = 7087, I_POP = 22, I_POPA = 98,
I_POPCNT = 4371, I_POPF = 277, I_POR = 6952, I_PREFETCH = 1905, I_PREFETCHNTA = 2435,
I_PREFETCHT0 = 2448, I_PREFETCHT1 = 2460, I_PREFETCHT2 = 2472, I_PREFETCHW = 1915,
I_PSADBW = 7125, I_PSHUFB = 7374, I_PSHUFD = 4021, I_PSHUFHW = 4029, I_PSHUFLW = 4038,
I_PSHUFW = 4013, I_PSIGNB = 7520, I_PSIGND = 7554, I_PSIGNW = 7537, I_PSLLD = 7057,
I_PSLLDQ = 9880, I_PSLLQ = 7072, I_PSLLW = 7042, I_PSRAD = 6743, I_PSRAW = 6728,
I_PSRLD = 6484, I_PSRLDQ = 9863, I_PSRLQ = 6499, I_PSRLW = 6469, I_PSUBB = 7177,
I_PSUBD = 7207, I_PSUBQ = 7222, I_PSUBSB = 6901, I_PSUBSW = 6918, I_PSUBUSB = 6585,
I_PSUBUSW = 6604, I_PSUBW = 7192, I_PSWAPD = 2103, I_PTEST = 7662, I_PUNPCKHBW = 3813,
I_PUNPCKHDQ = 3859, I_PUNPCKHQDQ = 3928, I_PUNPCKHWD = 3836, I_PUNPCKLBW = 3645,
I_PUNPCKLDQ = 3691, I_PUNPCKLQDQ = 3903, I_PUNPCKLWD = 3668, I_PUSH = 16,
I_PUSHA = 91, I_PUSHF = 270, I_PXOR = 7014, I_RCL = 976, I_RCPPS = 2986, I_RCPSS = 2993,
I_RCR = 981, I_RDFSBASE = 9915, I_RDGSBASE = 9945, I_RDMSR = 599, I_RDPMC = 606,
I_RDRAND = 10059, I_RDTSC = 592, I_RDTSCP = 1897, I_RET = 325, I_RETF = 354,
I_ROL = 966, I_ROR = 971, I_ROUNDPD = 9329, I_ROUNDPS = 9310, I_ROUNDSD = 9367,
I_ROUNDSS = 9348, I_RSM = 881, I_RSQRTPS = 2948, I_RSQRTSS = 2957, I_SAHF = 283,
I_SAL = 996, I_SALC = 393, I_SAR = 1001, I_SBB = 36, I_SCAS = 319, I_SETA = 806,
I_SETAE = 779, I_SETB = 773, I_SETBE = 799, I_SETG = 858, I_SETGE = 844, I_SETL = 838,
I_SETLE = 851, I_SETNO = 766, I_SETNP = 831, I_SETNS = 818, I_SETNZ = 792,
I_SETO = 760, I_SETP = 825, I_SETS = 812, I_SETZ = 786, I_SFENCE = 4354, I_SGDT = 1690,
I_SHL = 986, I_SHLD = 875, I_SHR = 991, I_SHRD = 891, I_SHUFPD = 6369, I_SHUFPS = 6361,
I_SIDT = 1696, I_SKINIT = 1872, I_SLDT = 1656, I_SMSW = 1714, I_SQRTPD = 2888,
I_SQRTPS = 2880, I_SQRTSD = 2904, I_SQRTSS = 2896, I_STAC = 1792, I_STC = 496,
I_STD = 516, I_STGI = 1860, I_STI = 506, I_STMXCSR = 9984, I_STOS = 307, I_STR = 1662,
I_SUB = 51, I_SUBPD = 3412, I_SUBPS = 3405, I_SUBSD = 3426, I_SUBSS = 3419,
I_SWAPGS = 1889, I_SYSCALL = 531, I_SYSENTER = 613, I_SYSEXIT = 623, I_SYSRET = 546,
I_TEST = 206, I_TZCNT = 4384, I_UCOMISD = 2775, I_UCOMISS = 2766, I_UD2 = 568,
I_UNPCKHPD = 2329, I_UNPCKHPS = 2319, I_UNPCKLPD = 2287, I_UNPCKLPS = 2277,
I_VADDPD = 3172, I_VADDPS = 3164, I_VADDSD = 3188, I_VADDSS = 3180, I_VADDSUBPD = 6447,
I_VADDSUBPS = 6458, I_VAESDEC = 9250, I_VAESDECLAST = 9271, I_VAESENC = 9208,
I_VAESENCLAST = 9229, I_VAESIMC = 9191, I_VAESKEYGENASSIST = 9845, I_VANDNPD = 3071,
I_VANDNPS = 3062, I_VANDPD = 3038, I_VANDPS = 3030, I_VBLENDPD = 9414, I_VBLENDPS = 9395,
I_VBLENDVPD = 9714, I_VBLENDVPS = 9703, I_VBROADCASTF128 = 7705, I_VBROADCASTSD = 7691,
I_VBROADCASTSS = 7677, I_VCMPEQPD = 5121, I_VCMPEQPS = 4719, I_VCMPEQSD = 5925,
I_VCMPEQSS = 5523, I_VCMPEQ_OSPD = 5302, I_VCMPEQ_OSPS = 4900, I_VCMPEQ_OSSD = 6106,
I_VCMPEQ_OSSS = 5704, I_VCMPEQ_UQPD = 5208, I_VCMPEQ_UQPS = 4806, I_VCMPEQ_UQSD = 6012,
I_VCMPEQ_UQSS = 5610, I_VCMPEQ_USPD = 5411, I_VCMPEQ_USPS = 5009, I_VCMPEQ_USSD = 6215,
I_VCMPEQ_USSS = 5813, I_VCMPFALSEPD = 5243, I_VCMPFALSEPS = 4841, I_VCMPFALSESD = 6047,
I_VCMPFALSESS = 5645, I_VCMPFALSE_OSPD = 5452, I_VCMPFALSE_OSPS = 5050, I_VCMPFALSE_OSSD = 6256,
I_VCMPFALSE_OSSS = 5854, I_VCMPGEPD = 5270, I_VCMPGEPS = 4868, I_VCMPGESD = 6074,
I_VCMPGESS = 5672, I_VCMPGE_OQPD = 5482, I_VCMPGE_OQPS = 5080, I_VCMPGE_OQSD = 6286,
I_VCMPGE_OQSS = 5884, I_VCMPGTPD = 5280, I_VCMPGTPS = 4878, I_VCMPGTSD = 6084,
I_VCMPGTSS = 5682, I_VCMPGT_OQPD = 5495, I_VCMPGT_OQPS = 5093, I_VCMPGT_OQSD = 6299,
I_VCMPGT_OQSS = 5897, I_VCMPLEPD = 5141, I_VCMPLEPS = 4739, I_VCMPLESD = 5945,
I_VCMPLESS = 5543, I_VCMPLE_OQPD = 5328, I_VCMPLE_OQPS = 4926, I_VCMPLE_OQSD = 6132,
I_VCMPLE_OQSS = 5730, I_VCMPLTPD = 5131, I_VCMPLTPS = 4729, I_VCMPLTSD = 5935,
I_VCMPLTSS = 5533, I_VCMPLT_OQPD = 5315, I_VCMPLT_OQPS = 4913, I_VCMPLT_OQSD = 6119,
I_VCMPLT_OQSS = 5717, I_VCMPNEQPD = 5164, I_VCMPNEQPS = 4762, I_VCMPNEQSD = 5968,
I_VCMPNEQSS = 5566, I_VCMPNEQ_OQPD = 5256, I_VCMPNEQ_OQPS = 4854, I_VCMPNEQ_OQSD = 6060,
I_VCMPNEQ_OQSS = 5658, I_VCMPNEQ_OSPD = 5468, I_VCMPNEQ_OSPS = 5066, I_VCMPNEQ_OSSD = 6272,
I_VCMPNEQ_OSSS = 5870, I_VCMPNEQ_USPD = 5356, I_VCMPNEQ_USPS = 4954, I_VCMPNEQ_USSD = 6160,
I_VCMPNEQ_USSS = 5758, I_VCMPNGEPD = 5221, I_VCMPNGEPS = 4819, I_VCMPNGESD = 6025,
I_VCMPNGESS = 5623, I_VCMPNGE_UQPD = 5424, I_VCMPNGE_UQPS = 5022, I_VCMPNGE_UQSD = 6228,
I_VCMPNGE_UQSS = 5826, I_VCMPNGTPD = 5232, I_VCMPNGTPS = 4830, I_VCMPNGTSD = 6036,
I_VCMPNGTSS = 5634, I_VCMPNGT_UQPD = 5438, I_VCMPNGT_UQPS = 5036, I_VCMPNGT_UQSD = 6242,
I_VCMPNGT_UQSS = 5840, I_VCMPNLEPD = 5186, I_VCMPNLEPS = 4784, I_VCMPNLESD = 5990,
I_VCMPNLESS = 5588, I_VCMPNLE_UQPD = 5384, I_VCMPNLE_UQPS = 4982, I_VCMPNLE_UQSD = 6188,
I_VCMPNLE_UQSS = 5786, I_VCMPNLTPD = 5175, I_VCMPNLTPS = 4773, I_VCMPNLTSD = 5979,
I_VCMPNLTSS = 5577, I_VCMPNLT_UQPD = 5370, I_VCMPNLT_UQPS = 4968, I_VCMPNLT_UQSD = 6174,
I_VCMPNLT_UQSS = 5772, I_VCMPORDPD = 5197, I_VCMPORDPS = 4795, I_VCMPORDSD = 6001,
I_VCMPORDSS = 5599, I_VCMPORD_SPD = 5398, I_VCMPORD_SPS = 4996, I_VCMPORD_SSD = 6202,
I_VCMPORD_SSS = 5800, I_VCMPTRUEPD = 5290, I_VCMPTRUEPS = 4888, I_VCMPTRUESD = 6094,
I_VCMPTRUESS = 5692, I_VCMPTRUE_USPD = 5508, I_VCMPTRUE_USPS = 5106, I_VCMPTRUE_USSD = 6312,
I_VCMPTRUE_USSS = 5910, I_VCMPUNORDPD = 5151, I_VCMPUNORDPS = 4749, I_VCMPUNORDSD = 5955,
I_VCMPUNORDSS = 5553, I_VCMPUNORD_SPD = 5341, I_VCMPUNORD_SPS = 4939, I_VCMPUNORD_SSD = 6145,
I_VCMPUNORD_SSS = 5743, I_VCOMISD = 2829, I_VCOMISS = 2820, I_VCVTDQ2PD = 6852,
I_VCVTDQ2PS = 3371, I_VCVTPD2DQ = 6863, I_VCVTPD2PS = 3307, I_VCVTPS2DQ = 3382,
I_VCVTPS2PD = 3296, I_VCVTSD2SI = 2755, I_VCVTSD2SS = 3329, I_VCVTSI2SD = 2569,
I_VCVTSI2SS = 2558, I_VCVTSS2SD = 3318, I_VCVTSS2SI = 2744, I_VCVTTPD2DQ = 6840,
I_VCVTTPS2DQ = 3393, I_VCVTTSD2SI = 2692, I_VCVTTSS2SI = 2680, I_VDIVPD = 3561,
I_VDIVPS = 3553, I_VDIVSD = 3577, I_VDIVSS = 3569, I_VDPPD = 9654, I_VDPPS = 9641,
I_VERR = 1678, I_VERW = 1684, I_VEXTRACTF128 = 9549, I_VEXTRACTPS = 9524,
I_VFMADD132PD = 8420, I_VFMADD132PS = 8407, I_VFMADD132SD = 8446, I_VFMADD132SS = 8433,
I_VFMADD213PD = 8700, I_VFMADD213PS = 8687, I_VFMADD213SD = 8726, I_VFMADD213SS = 8713,
I_VFMADD231PD = 8980, I_VFMADD231PS = 8967, I_VFMADD231SD = 9006, I_VFMADD231SS = 8993,
I_VFMADDSUB132PD = 8359, I_VFMADDSUB132PS = 8343, I_VFMADDSUB213PD = 8639,
I_VFMADDSUB213PS = 8623, I_VFMADDSUB231PD = 8919, I_VFMADDSUB231PS = 8903,
I_VFMSUB132PD = 8472, I_VFMSUB132PS = 8459, I_VFMSUB132SD = 8498, I_VFMSUB132SS = 8485,
I_VFMSUB213PD = 8752, I_VFMSUB213PS = 8739, I_VFMSUB213SD = 8778, I_VFMSUB213SS = 8765,
I_VFMSUB231PD = 9032, I_VFMSUB231PS = 9019, I_VFMSUB231SD = 9058, I_VFMSUB231SS = 9045,
I_VFMSUBADD132PD = 8391, I_VFMSUBADD132PS = 8375, I_VFMSUBADD213PD = 8671,
I_VFMSUBADD213PS = 8655, I_VFMSUBADD231PD = 8951, I_VFMSUBADD231PS = 8935,
I_VFNMADD132PD = 8525, I_VFNMADD132PS = 8511, I_VFNMADD132SD = 8553, I_VFNMADD132SS = 8539,
I_VFNMADD213PD = 8805, I_VFNMADD213PS = 8791, I_VFNMADD213SD = 8833, I_VFNMADD213SS = 8819,
I_VFNMADD231PD = 9085, I_VFNMADD231PS = 9071, I_VFNMADD231SD = 9113, I_VFNMADD231SS = 9099,
I_VFNMSUB132PD = 8581, I_VFNMSUB132PS = 8567, I_VFNMSUB132SD = 8609, I_VFNMSUB132SS = 8595,
I_VFNMSUB213PD = 8861, I_VFNMSUB213PS = 8847, I_VFNMSUB213SD = 8889, I_VFNMSUB213SS = 8875,
I_VFNMSUB231PD = 9141, I_VFNMSUB231PS = 9127, I_VFNMSUB231SD = 9169, I_VFNMSUB231SS = 9155,
I_VHADDPD = 4230, I_VHADDPS = 4239, I_VHSUBPD = 4264, I_VHSUBPS = 4273, I_VINSERTF128 = 9536,
I_VINSERTPS = 9590, I_VLDDQU = 7034, I_VLDMXCSR = 9974, I_VMASKMOVDQU = 7164,
I_VMASKMOVPD = 7982, I_VMASKMOVPS = 7970, I_VMAXPD = 3621, I_VMAXPS = 3613,
I_VMAXSD = 3637, I_VMAXSS = 3629, I_VMCALL = 1734, I_VMCLEAR = 10022, I_VMFUNC = 1814,
I_VMINPD = 3501, I_VMINPS = 3493, I_VMINSD = 3517, I_VMINSS = 3509, I_VMLAUNCH = 1742,
I_VMLOAD = 1844, I_VMMCALL = 1835, I_VMOVAPD = 2509, I_VMOVAPS = 2500, I_VMOVD = 3965,
I_VMOVDDUP = 2267, I_VMOVDQA = 3995, I_VMOVDQU = 4004, I_VMOVHLPS = 2228,
I_VMOVHPD = 2415, I_VMOVHPS = 2406, I_VMOVLHPS = 2396, I_VMOVLPD = 2247, I_VMOVLPS = 2238,
I_VMOVMSKPD = 2869, I_VMOVMSKPS = 2858, I_VMOVNTDQ = 6891, I_VMOVNTDQA = 7938,
I_VMOVNTPD = 2626, I_VMOVNTPS = 2616, I_VMOVQ = 3972, I_VMOVSD = 2176, I_VMOVSHDUP = 2424,
I_VMOVSLDUP = 2256, I_VMOVSS = 2168, I_VMOVUPD = 2159, I_VMOVUPS = 2150, I_VMPSADBW = 9670,
I_VMPTRLD = 10013, I_VMPTRST = 6418, I_VMREAD = 4161, I_VMRESUME = 1752, I_VMRUN = 1828,
I_VMSAVE = 1852, I_VMULPD = 3232, I_VMULPS = 3224, I_VMULSD = 3248, I_VMULSS = 3240,
I_VMWRITE = 4185, I_VMXOFF = 1762, I_VMXON = 10031, I_VORPD = 3099, I_VORPS = 3092,
I_VPABSB = 7728, I_VPABSD = 7758, I_VPABSW = 7743, I_VPACKSSDW = 3892, I_VPACKSSWB = 3724,
I_VPACKUSDW = 7959, I_VPACKUSWB = 3802, I_VPADDB = 7244, I_VPADDD = 7274,
I_VPADDQ = 6521, I_VPADDSB = 6971, I_VPADDSW = 6988, I_VPADDUSW = 6662, I_VPADDW = 7259,
I_VPALIGNR = 9452, I_VPAND = 6646, I_VPANDN = 6705, I_VPAVGB = 6720, I_VPAVGW = 6765,
I_VPBLENDVB = 9725, I_VPBLENDW = 9433, I_VPCLMULQDQ = 9691, I_VPCMPEQB = 4085,
I_VPCMPEQD = 4123, I_VPCMPEQQ = 7918, I_VPCMPEQW = 4104, I_VPCMPESTRI = 9770,
I_VPCMPESTRM = 9747, I_VPCMPGTB = 3744, I_VPCMPGTD = 3782, I_VPCMPGTQ = 8129,
I_VPCMPGTW = 3763, I_VPCMPISTRI = 9816, I_VPCMPISTRM = 9793, I_VPERM2F128 = 9298,
I_VPERMILPD = 7603, I_VPERMILPS = 7592, I_VPEXTRB = 9470, I_VPEXTRD = 9495,
I_VPEXTRQ = 9504, I_VPEXTRW = 6352, I_VPHADDD = 7416, I_VPHADDSW = 7434, I_VPHADDW = 7399,
I_VPHMINPOSUW = 8304, I_VPHSUBD = 7492, I_VPHSUBSW = 7510, I_VPHSUBW = 7475,
I_VPINSRB = 9571, I_VPINSRD = 9617, I_VPINSRQ = 9626, I_VPINSRW = 6335, I_VPMADDUBSW = 7455,
I_VPMADDWD = 7115, I_VPMAXSB = 8215, I_VPMAXSD = 8232, I_VPMAXSW = 7005, I_VPMAXUB = 6689,
I_VPMAXUD = 8266, I_VPMAXUW = 8249, I_VPMINSB = 8147, I_VPMINSD = 8164, I_VPMINSW = 6943,
I_VPMINUB = 6631, I_VPMINUD = 8198, I_VPMINUW = 8181, I_VPMOVMSKB = 6574,
I_VPMOVSXBD = 7797, I_VPMOVSXBQ = 7818, I_VPMOVSXBW = 7776, I_VPMOVSXDQ = 7881,
I_VPMOVSXWD = 7839, I_VPMOVSXWQ = 7860, I_VPMOVZXBD = 8025, I_VPMOVZXBQ = 8046,
I_VPMOVZXBW = 8004, I_VPMOVZXDQ = 8109, I_VPMOVZXWD = 8067, I_VPMOVZXWQ = 8088,
I_VPMULDQ = 7900, I_VPMULHRSW = 7581, I_VPMULHUW = 6782, I_VPMULHW = 6800,
I_VPMULLD = 8283, I_VPMULLW = 6537, I_VPMULUDQ = 7096, I_VPOR = 6957, I_VPSADBW = 7133,
I_VPSHUFB = 7382, I_VPSHUFD = 4047, I_VPSHUFHW = 4056, I_VPSHUFLW = 4066,
I_VPSIGNB = 7528, I_VPSIGND = 7562, I_VPSIGNW = 7545, I_VPSLLD = 7064, I_VPSLLDQ = 9888,
I_VPSLLQ = 7079, I_VPSLLW = 7049, I_VPSRAD = 6750, I_VPSRAW = 6735, I_VPSRLD = 6491,
I_VPSRLDQ = 9871, I_VPSRLQ = 6506, I_VPSRLW = 6476, I_VPSUBB = 7184, I_VPSUBD = 7214,
I_VPSUBQ = 7229, I_VPSUBSB = 6909, I_VPSUBSW = 6926, I_VPSUBUSB = 6594, I_VPSUBUSW = 6613,
I_VPSUBW = 7199, I_VPTEST = 7669, I_VPUNPCKHBW = 3824, I_VPUNPCKHDQ = 3870,
I_VPUNPCKHQDQ = 3940, I_VPUNPCKHWD = 3847, I_VPUNPCKLBW = 3656, I_VPUNPCKLDQ = 3702,
I_VPUNPCKLQDQ = 3915, I_VPUNPCKLWD = 3679, I_VPXOR = 7020, I_VRCPPS = 3000,
I_VRCPSS = 3008, I_VROUNDPD = 9338, I_VROUNDPS = 9319, I_VROUNDSD = 9376,
I_VROUNDSS = 9357, I_VRSQRTPS = 2966, I_VRSQRTSS = 2976, I_VSHUFPD = 6386,
I_VSHUFPS = 6377, I_VSQRTPD = 2921, I_VSQRTPS = 2912, I_VSQRTSD = 2939, I_VSQRTSS = 2930,
I_VSTMXCSR = 10003, I_VSUBPD = 3441, I_VSUBPS = 3433, I_VSUBSD = 3457, I_VSUBSS = 3449,
I_VTESTPD = 7623, I_VTESTPS = 7614, I_VUCOMISD = 2794, I_VUCOMISS = 2784,
I_VUNPCKHPD = 2350, I_VUNPCKHPS = 2339, I_VUNPCKLPD = 2308, I_VUNPCKLPS = 2297,
I_VXORPD = 3128, I_VXORPS = 3120, I_VZEROALL = 4151, I_VZEROUPPER = 4139,
I_WAIT = 10053, I_WBINVD = 560, I_WRFSBASE = 9964, I_WRGSBASE = 9993, I_WRMSR = 585,
I_XABORT = 1006, I_XADD = 945, I_XBEGIN = 1014, I_XCHG = 212, I_XEND = 1822,
I_XGETBV = 1798, I_XLAT = 399, I_XOR = 61, I_XORPD = 3113, I_XORPS = 3106,
I_XRSTOR = 4306, I_XRSTOR64 = 4314, I_XSAVE = 4282, I_XSAVE64 = 4289, I_XSAVEOPT = 4332,
I_XSAVEOPT64 = 4342, I_XSETBV = 1806, I__3DNOW = 10067
} _InstructionType;
typedef enum
{
R_RAX, R_RCX, R_RDX, R_RBX, R_RSP, R_RBP, R_RSI, R_RDI, R_R8, R_R9, R_R10, R_R11, R_R12, R_R13, R_R14, R_R15,
R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, R_R8D, R_R9D, R_R10D, R_R11D, R_R12D, R_R13D, R_R14D, R_R15D,
R_AX, R_CX, R_DX, R_BX, R_SP, R_BP, R_SI, R_DI, R_R8W, R_R9W, R_R10W, R_R11W, R_R12W, R_R13W, R_R14W, R_R15W,
R_AL, R_CL, R_DL, R_BL, R_AH, R_CH, R_DH, R_BH, R_R8B, R_R9B, R_R10B, R_R11B, R_R12B, R_R13B, R_R14B, R_R15B,
R_SPL, R_BPL, R_SIL, R_DIL,
R_ES, R_CS, R_SS, R_DS, R_FS, R_GS,
R_RIP,
R_ST0, R_ST1, R_ST2, R_ST3, R_ST4, R_ST5, R_ST6, R_ST7,
R_MM0, R_MM1, R_MM2, R_MM3, R_MM4, R_MM5, R_MM6, R_MM7,
R_XMM0, R_XMM1, R_XMM2, R_XMM3, R_XMM4, R_XMM5, R_XMM6, R_XMM7, R_XMM8, R_XMM9, R_XMM10, R_XMM11, R_XMM12, R_XMM13, R_XMM14, R_XMM15,
R_YMM0, R_YMM1, R_YMM2, R_YMM3, R_YMM4, R_YMM5, R_YMM6, R_YMM7, R_YMM8, R_YMM9, R_YMM10, R_YMM11, R_YMM12, R_YMM13, R_YMM14, R_YMM15,
R_CR0, R_UNUSED0, R_CR2, R_CR3, R_CR4, R_UNUSED1, R_UNUSED2, R_UNUSED3, R_CR8,
R_DR0, R_DR1, R_DR2, R_DR3, R_UNUSED4, R_UNUSED5, R_DR6, R_DR7
} _RegisterType;
#endif /* MNEMONICS_H */

13911
distorm/src/distorm.c
View File

File diff suppressed because it is too large Load Diff

16
release.bat
View File

@ -1,16 +0,0 @@
@echo off
setlocal enableextensions
set "SRC32=bin\Release\Win32"
if not exist "%SRC32%\TitanEngine.dll" set "SRC32=Release\x32"
set "SRC64=bin\Release\x64"
if not exist "%SRC64%\TitanEngine.dll" set "SRC64=Release\x64"
if exist deps rmdir /s /q deps
mkdir deps\x32
mkdir deps\x64
copy /y "%SRC32%\TitanEngine.dll" deps\x32\TitanEngine.dll
copy /y "%SRC32%\TitanEngine.pdb" deps\x32\TitanEngine.pdb
copy /y "%SRC64%\TitanEngine.dll" deps\x64\TitanEngine.dll
copy /y "%SRC64%\TitanEngine.pdb" deps\x64\TitanEngine.pdb

1218
scylla_wrapper/ApiReader.cpp
View File

File diff suppressed because it is too large Load Diff

74
scylla_wrapper/ApiReader.h
View File

@ -1,74 +0,0 @@
#pragma once
#include <windows.h>
#include <map>
#include <unordered_map>
#include "ProcessAccessHelp.h"
#include "Thunks.h"
typedef std::pair<DWORD_PTR, ApiInfo*> API_Pair;
class ApiReader : public ProcessAccessHelp
{
public:
static std::unordered_multimap<DWORD_PTR, ApiInfo*> apiList; //api look up table
static std::map<DWORD_PTR, ImportModuleThunk>* moduleThunkList; //store found apis
static DWORD_PTR minApiAddress;
static DWORD_PTR maxApiAddress;
/*
* Read all APIs from target process
*/
void readApisFromModuleList();
bool isApiAddressValid(DWORD_PTR virtualAddress);
ApiInfo* getApiByVirtualAddress(DWORD_PTR virtualAddress, bool* isSuspect);
void readAndParseIAT(DWORD_PTR addressIAT, DWORD sizeIAT, std::map<DWORD_PTR, ImportModuleThunk> & moduleListNew);
void addFoundApiToModuleList(DWORD_PTR iatAddress, ApiInfo* apiFound, bool isNewModule, bool isSuspect);
bool addModuleToModuleList(const WCHAR* moduleName, DWORD_PTR firstThunk);
void clearAll();
bool isInvalidMemoryForIat(DWORD_PTR address);
private:
bool readExportTableAlwaysFromDisk;
void parseIAT(DWORD_PTR addressIAT, BYTE* iatBuffer, SIZE_T size);
void addApi(char* functionName, WORD hint, WORD ordinal, DWORD_PTR va, DWORD_PTR rva, bool isForwarded, ModuleInfo* moduleInfo);
void addApiWithoutName(WORD ordinal, DWORD_PTR va, DWORD_PTR rva, bool isForwarded, ModuleInfo* moduleInfo);
inline bool isApiForwarded(DWORD_PTR rva, PIMAGE_NT_HEADERS pNtHeader);
void handleForwardedApi(DWORD_PTR vaStringPointer, char* functionNameParent, DWORD_PTR rvaParent, WORD ordinalParent, ModuleInfo* moduleParent);
void parseModule(ModuleInfo* module);
void parseModuleWithProcess(ModuleInfo* module);
void parseExportTable(ModuleInfo* module, PIMAGE_NT_HEADERS pNtHeader, PIMAGE_EXPORT_DIRECTORY pExportDir, DWORD_PTR deltaAddress);
ModuleInfo* findModuleByName(WCHAR* name);
void findApiByModuleAndOrdinal(ModuleInfo* module, WORD ordinal, DWORD_PTR* vaApi, DWORD_PTR* rvaApi);
void findApiByModuleAndName(ModuleInfo* module, char* searchFunctionName, DWORD_PTR* vaApi, DWORD_PTR* rvaApi);
void findApiByModule(ModuleInfo* module, char* searchFunctionName, WORD ordinal, DWORD_PTR* vaApi, DWORD_PTR* rvaApi);
bool isModuleLoadedInOwnProcess(ModuleInfo* module);
void parseModuleWithOwnProcess(ModuleInfo* module);
bool isPeAndExportTableValid(PIMAGE_NT_HEADERS pNtHeader);
void findApiInProcess(ModuleInfo* module, char* searchFunctionName, WORD ordinal, DWORD_PTR* vaApi, DWORD_PTR* rvaApi);
bool findApiInExportTable(ModuleInfo* module, PIMAGE_EXPORT_DIRECTORY pExportDir, DWORD_PTR deltaAddress, char* searchFunctionName, WORD ordinal, DWORD_PTR* vaApi, DWORD_PTR* rvaApi);
BYTE* getHeaderFromProcess(ModuleInfo* module);
BYTE* getExportTableFromProcess(ModuleInfo* module, PIMAGE_NT_HEADERS pNtHeader);
void setModulePriority(ModuleInfo* module);
void setMinMaxApiAddress(DWORD_PTR virtualAddress);
void parseModuleWithMapping(ModuleInfo* moduleInfo); //not used
bool addFunctionToModuleList(ApiInfo* apiFound, DWORD_PTR va, DWORD_PTR rva, WORD ordinal, bool valid, bool suspect);
bool addNotFoundApiToModuleList(DWORD_PTR iatAddressVA, DWORD_PTR apiAddress);
void addUnknownModuleToModuleList(DWORD_PTR firstThunk);
bool isApiBlacklisted(const char* functionName);
bool isWinSxSModule(ModuleInfo* module);
ApiInfo* getScoredApi(std::unordered_map<DWORD_PTR, ApiInfo*>::iterator it1, size_t countDuplicates, bool hasName, bool hasUnicodeAnsiName, bool hasNoUnderlineInName, bool hasPrioDll, bool hasPrio0Dll, bool hasPrio1Dll, bool hasPrio2Dll, bool firstWin);
};

24
scylla_wrapper/Architecture.cpp
View File

@ -1,24 +0,0 @@
#include "stdafx.h"
#include "Architecture.h"
/*
#ifdef _WIN64
const WCHAR Architecture::NAME[] = L"x64";
const WCHAR Architecture::PRINTF_DWORD_PTR[] = L"%I64X";
const WCHAR Architecture::PRINTF_DWORD_PTR_FULL[] = L"%016I64X";
const WCHAR Architecture::PRINTF_DWORD_PTR_HALF[] = L"%08I64X";
const WCHAR Architecture::PRINTF_INTEGER[] = L"%I64u";
#else
const WCHAR Architecture::NAME[] = L"x86";
const WCHAR Architecture::PRINTF_DWORD_PTR[] = L"%X";
const WCHAR Architecture::PRINTF_DWORD_PTR_FULL[] = L"%08X";
const WCHAR Architecture::PRINTF_DWORD_PTR_HALF[] = L"%08X";
const WCHAR Architecture::PRINTF_INTEGER[] = L"%u";
#endif
*/

27
scylla_wrapper/Architecture.h
View File

@ -1,27 +0,0 @@
#pragma once
#include <windows.h>
#ifdef _WIN64
#define ARCHITECTURE_S "x64"
#define PRINTF_DWORD_PTR_S "%I64X"
#define PRINTF_DWORD_PTR_FULL_S "%016I64X"
#define PRINTF_DWORD_PTR_HALF_S "%08I64X"
#define PRINTF_INTEGER_S "%I64u"
#else
#define ARCHITECTURE_S "x86"
#define PRINTF_DWORD_PTR_S "%X"
#define PRINTF_DWORD_PTR_FULL_S "%08X"
#define PRINTF_DWORD_PTR_HALF_S "%08X"
#define PRINTF_INTEGER_S "%u"
#endif
#define ARCHITECTURE TEXT(ARCHITECTURE_S)
#define PRINTF_DWORD_PTR TEXT(PRINTF_DWORD_PTR_S)
#define PRINTF_DWORD_PTR_FULL TEXT(PRINTF_DWORD_PTR_FULL_S)
#define PRINTF_DWORD_PTR_HALF TEXT(PRINTF_DWORD_PTR_HALF_S)
#define PRINTF_INTEGER TEXT(PRINTF_INTEGER_S)

103
scylla_wrapper/DeviceNameResolver.cpp
View File

@ -1,103 +0,0 @@
#include "stdafx.h"
#include "DeviceNameResolver.h"
#include "NativeWinApi.h"
DeviceNameResolver::DeviceNameResolver()
{
NativeWinApi::initialize();
initDeviceNameList();
}
DeviceNameResolver::~DeviceNameResolver()
{
deviceNameList.clear();
}
void DeviceNameResolver::initDeviceNameList()
{
WCHAR shortName[3] = {0};
WCHAR longName[MAX_PATH] = {0};
HardDisk hardDisk;
shortName[1] = TEXT(':');
deviceNameList.reserve(3);
for(WCHAR shortD = TEXT('a'); shortD < TEXT('z'); shortD++)
{
shortName[0] = shortD;
if(QueryDosDeviceW(shortName, longName, MAX_PATH) > 0)
{
hardDisk.shortName[0] = towupper(shortD);
hardDisk.shortName[1] = TEXT(':');
hardDisk.shortName[2] = 0;
hardDisk.longNameLength = wcslen(longName);
wcscpy_s(hardDisk.longName, longName);
deviceNameList.push_back(hardDisk);
}
}
fixVirtualDevices();
}
bool DeviceNameResolver::resolveDeviceLongNameToShort(const WCHAR* sourcePath, WCHAR* targetPath)
{
for(unsigned int i = 0; i < deviceNameList.size(); i++)
{
if(!_wcsnicmp(deviceNameList[i].longName, sourcePath, deviceNameList[i].longNameLength))
{
wcscpy_s(targetPath, MAX_PATH, deviceNameList[i].shortName);
wcscpy_s(targetPath, MAX_PATH, deviceNameList[i].shortName);
wcscat_s(targetPath, MAX_PATH, sourcePath + deviceNameList[i].longNameLength);
return true;
}
}
return false;
}
void DeviceNameResolver::fixVirtualDevices()
{
const USHORT BufferSize = MAX_PATH * 2 * sizeof(WCHAR);
WCHAR longCopy[MAX_PATH] = {0};
OBJECT_ATTRIBUTES oa = {0};
UNICODE_STRING unicodeInput = {0};
UNICODE_STRING unicodeOutput = {0};
HANDLE hFile = 0;
ULONG retLen = 0;
HardDisk hardDisk;
unicodeOutput.Buffer = (PWSTR)malloc(BufferSize);
if(!unicodeOutput.Buffer)
return;
for(unsigned int i = 0; i < deviceNameList.size(); i++)
{
wcscpy_s(longCopy, deviceNameList[i].longName);
NativeWinApi::RtlInitUnicodeString(&unicodeInput, longCopy);
InitializeObjectAttributes(&oa, &unicodeInput, 0, 0, 0);
if(NT_SUCCESS(NativeWinApi::NtOpenSymbolicLinkObject(&hFile, SYMBOLIC_LINK_QUERY, &oa)))
{
unicodeOutput.Length = BufferSize;
unicodeOutput.MaximumLength = unicodeOutput.Length;
ZeroMemory(unicodeOutput.Buffer, unicodeOutput.Length);
if(NT_SUCCESS(NativeWinApi::NtQuerySymbolicLinkObject(hFile, &unicodeOutput, &retLen)))
{
hardDisk.longNameLength = wcslen(unicodeOutput.Buffer);
wcscpy_s(hardDisk.shortName, deviceNameList[i].shortName);
wcscpy_s(hardDisk.longName, unicodeOutput.Buffer);
deviceNameList.push_back(hardDisk);
}
NativeWinApi::NtClose(hFile);
}
}
free(unicodeOutput.Buffer);
}

30
scylla_wrapper/DeviceNameResolver.h
View File

@ -1,30 +0,0 @@
#include <Windows.h>
#pragma once
#include <Windows.h>
#include <vector>
class HardDisk
{
public:
WCHAR shortName[3];
WCHAR longName[MAX_PATH];
size_t longNameLength;
};
class DeviceNameResolver
{
public:
DeviceNameResolver();
~DeviceNameResolver();
bool resolveDeviceLongNameToShort(const WCHAR* sourcePath, WCHAR* targetPath);
private:
std::vector<HardDisk> deviceNameList;
void initDeviceNameList();
void fixVirtualDevices();
};

738
scylla_wrapper/IATReferenceScan.cpp
View File

@ -1,738 +0,0 @@
#include "stdafx.h"
#include "IATReferenceScan.h"
#include "Architecture.h"
#include <set>
//#define DEBUG_COMMENTS
//FileLog IATReferenceScan::directImportLog(L"Scylla_direct_imports.log");
int IATReferenceScan::numberOfFoundDirectImports()
{
return (int)iatDirectImportList.size();
}
int IATReferenceScan::numberOfFoundUniqueDirectImports()
{
std::set<DWORD_PTR> apiPointers;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
apiPointers.insert(ref->targetAddressInIat);
}
return (int)apiPointers.size();
}
int IATReferenceScan::numberOfDirectImportApisNotInIat()
{
std::set<DWORD_PTR> apiPointers;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
if(ref->targetPointer == 0)
{
apiPointers.insert(ref->targetAddressInIat);
}
}
return (int)apiPointers.size();
}
int IATReferenceScan::getSizeInBytesOfJumpTableInSection()
{
return (numberOfFoundUniqueDirectImports() * 6); //for x86 and x64 the same size, FF25 00000000
}
void IATReferenceScan::startScan(DWORD_PTR imageBase, DWORD imageSize, DWORD_PTR iatAddress, DWORD iatSize)
{
MEMORY_BASIC_INFORMATION memBasic = {0};
IatAddressVA = iatAddress;
IatSize = iatSize;
ImageBase = imageBase;
ImageSize = imageSize;
if(ScanForNormalImports)
{
iatReferenceList.clear();
iatReferenceList.reserve(200);
}
if(ScanForDirectImports)
{
iatDirectImportList.clear();
iatDirectImportList.reserve(50);
}
DWORD_PTR section = imageBase;
do
{
if(!VirtualQueryEx(ProcessAccessHelp::hProcess, (LPCVOID)section, &memBasic, sizeof(MEMORY_BASIC_INFORMATION)))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"VirtualQueryEx failed %d", GetLastError());
#endif
break;
}
else
{
if(ProcessAccessHelp::isPageExecutable(memBasic.Protect))
{
//do read and scan
scanMemoryPage(memBasic.BaseAddress, memBasic.RegionSize);
}
}
section = (DWORD_PTR)((SIZE_T)section + memBasic.RegionSize);
}
while(section < (imageBase + imageSize));
}
//void IATReferenceScan::patchNewIatBaseMemory(DWORD_PTR newIatBaseAddress)
//{
// NewIatAddressVA = newIatBaseAddress;
//
// for (std::vector<IATReference>::iterator iter = iatReferenceList.begin(); iter != iatReferenceList.end(); iter++)
// {
// patchReferenceInMemory(&(*iter));
// }
//}
//
//void IATReferenceScan::patchNewIatBaseFile(DWORD_PTR newIatBaseAddress)
//{
// NewIatAddressVA = newIatBaseAddress;
//
// for (std::vector<IATReference>::iterator iter = iatReferenceList.begin(); iter != iatReferenceList.end(); iter++)
// {
// patchReferenceInFile(&(*iter));
// }
//}
void IATReferenceScan::patchDirectImportsMemory(bool junkByteAfterInstruction)
{
JunkByteAfterInstruction = junkByteAfterInstruction;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
patchDirectImportInMemory(&(*iter));
}
}
void IATReferenceScan::scanMemoryPage(PVOID BaseAddress, SIZE_T RegionSize)
{
BYTE* dataBuffer = (BYTE*)calloc(RegionSize, 1);
BYTE* currentPos = dataBuffer;
int currentSize = (int)RegionSize;
DWORD_PTR currentOffset = (DWORD_PTR)BaseAddress;
_DecodeResult res;
unsigned int instructionsCount = 0, next = 0;
if(!dataBuffer)
return;
if(ProcessAccessHelp::readMemoryFromProcess((DWORD_PTR)BaseAddress, RegionSize, (LPVOID)dataBuffer))
{
while(1)
{
ZeroMemory(&ProcessAccessHelp::decomposerCi, sizeof(_CodeInfo));
ProcessAccessHelp::decomposerCi.code = currentPos;
ProcessAccessHelp::decomposerCi.codeLen = currentSize;
ProcessAccessHelp::decomposerCi.dt = ProcessAccessHelp::dt;
ProcessAccessHelp::decomposerCi.codeOffset = currentOffset;
instructionsCount = 0;
res = distorm_decompose(&ProcessAccessHelp::decomposerCi, ProcessAccessHelp::decomposerResult, sizeof(ProcessAccessHelp::decomposerResult) / sizeof(ProcessAccessHelp::decomposerResult[0]), &instructionsCount);
if(res == DECRES_INPUTERR)
{
break;
}
for(unsigned int i = 0; i < instructionsCount; i++)
{
if(ProcessAccessHelp::decomposerResult[i].flags != FLAG_NOT_DECODABLE)
{
analyzeInstruction(&ProcessAccessHelp::decomposerResult[i]);
}
}
if(res == DECRES_SUCCESS) break; // All instructions were decoded.
else if(instructionsCount == 0) break;
next = (unsigned long)(ProcessAccessHelp::decomposerResult[instructionsCount - 1].addr - ProcessAccessHelp::decomposerResult[0].addr);
if(ProcessAccessHelp::decomposerResult[instructionsCount - 1].flags != FLAG_NOT_DECODABLE)
{
next += ProcessAccessHelp::decomposerResult[instructionsCount - 1].size;
}
currentPos += next;
currentOffset += next;
currentSize -= next;
}
}
free(dataBuffer);
}
void IATReferenceScan::analyzeInstruction(_DInst* instruction)
{
if(ScanForNormalImports)
{
findNormalIatReference(instruction);
}
if(ScanForDirectImports)
{
findDirectIatReferenceMov(instruction);
#ifndef _WIN64
findDirectIatReferenceCallJmp(instruction);
findDirectIatReferenceLea(instruction);
findDirectIatReferencePush(instruction);
#endif
}
}
void IATReferenceScan::findNormalIatReference(_DInst* instruction)
{
#ifdef DEBUG_COMMENTS
_DecodedInst inst;
#endif
IATReference ref;
if(META_GET_FC(instruction->meta) == FC_CALL || META_GET_FC(instruction->meta) == FC_UNC_BRANCH)
{
if(instruction->size >= 5)
{
if(META_GET_FC(instruction->meta) == FC_CALL)
{
ref.type = IAT_REFERENCE_PTR_CALL;
}
else
{
ref.type = IAT_REFERENCE_PTR_JMP;
}
ref.addressVA = (DWORD_PTR)instruction->addr;
ref.instructionSize = instruction->size;
#ifdef _WIN64
if(instruction->flags & FLAG_RIP_RELATIVE)
{
#ifdef DEBUG_COMMENTS
distorm_format(&ProcessAccessHelp::decomposerCi, instruction, &inst);
Scylla::debugLog.log(PRINTF_DWORD_PTR_FULL L" " PRINTF_DWORD_PTR_FULL L" %S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, (DWORD_PTR)instruction->addr, ImageBase, inst.mnemonic.p, inst.operands.p, instruction->ops[0].type, instruction->size, INSTRUCTION_GET_RIP_TARGET(instruction));
#endif
if(INSTRUCTION_GET_RIP_TARGET(instruction) >= IatAddressVA && INSTRUCTION_GET_RIP_TARGET(instruction) < (IatAddressVA + IatSize))
{
ref.targetPointer = INSTRUCTION_GET_RIP_TARGET(instruction);
getIatEntryAddress(&ref);
//Scylla::debugLog.log(L"iat entry "PRINTF_DWORD_PTR_FULL,ref.targetAddressInIat);
iatReferenceList.push_back(ref);
}
}
#else
if(instruction->ops[0].type == O_DISP)
{
//jmp dword ptr || call dword ptr
#ifdef DEBUG_COMMENTS
distorm_format(&ProcessAccessHelp::decomposerCi, instruction, &inst);
Scylla::debugLog.log(PRINTF_DWORD_PTR_FULL L" " PRINTF_DWORD_PTR_FULL L" %S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, (DWORD_PTR)instruction->addr, ImageBase, inst.mnemonic.p, inst.operands.p, instruction->ops[0].type, instruction->size, instruction->disp);
#endif
if(instruction->disp >= IatAddressVA && instruction->disp < (IatAddressVA + IatSize))
{
ref.targetPointer = (DWORD_PTR)instruction->disp;
getIatEntryAddress(&ref);
//Scylla::debugLog.log(L"iat entry "PRINTF_DWORD_PTR_FULL,ref.targetAddressInIat);
iatReferenceList.push_back(ref);
}
}
#endif
}
}
}
void IATReferenceScan::getIatEntryAddress(IATReference* ref)
{
if(!ProcessAccessHelp::readMemoryFromProcess(ref->targetPointer, sizeof(DWORD_PTR), &ref->targetAddressInIat))
{
ref->targetAddressInIat = 0;
}
}
bool IATReferenceScan::isAddressValidImageMemory(DWORD_PTR address)
{
MEMORY_BASIC_INFORMATION memBasic = {0};
if(!VirtualQueryEx(ProcessAccessHelp::hProcess, (LPCVOID)address, &memBasic, sizeof(MEMORY_BASIC_INFORMATION)))
{
return false;
}
return (memBasic.Type == MEM_IMAGE && ProcessAccessHelp::isPageExecutable(memBasic.Protect));
}
void IATReferenceScan::patchReferenceInMemory(IATReference* ref)
{
DWORD_PTR newIatAddressPointer = ref->targetPointer - IatAddressVA + NewIatAddressRVA;
DWORD patchBytes = 0;
#ifdef _WIN64
patchBytes = (DWORD)(newIatAddressPointer - ref->addressVA - 6);
#else
patchBytes = newIatAddressPointer;
#endif
ProcessAccessHelp::writeMemoryToProcess(ref->addressVA + 2, sizeof(DWORD), &patchBytes);
}
void IATReferenceScan::patchDirectImportInMemory(IATReference* ref)
{
DWORD patchBytes = 0;
BYTE patchPreBytes[2];
if(ref->targetPointer)
{
patchPreBytes[0] = 0xFF;
if(ref->type == IAT_REFERENCE_DIRECT_CALL) //FF15
{
patchPreBytes[1] = 0x15;
}
else if(ref->type == IAT_REFERENCE_DIRECT_JMP) //FF25
{
patchPreBytes[1] = 0x25;
}
else
{
return;
}
if(!JunkByteAfterInstruction)
{
ref->addressVA -= 1;
}
ProcessAccessHelp::writeMemoryToProcess(ref->addressVA, 2, patchPreBytes);
#ifdef _WIN64
patchBytes = (DWORD)(ref->targetPointer - ref->addressVA - 6);
#else
patchBytes = ref->targetPointer;
#endif
ProcessAccessHelp::writeMemoryToProcess(ref->addressVA + 2, sizeof(DWORD), &patchBytes);
}
}
DWORD_PTR IATReferenceScan::lookUpIatForPointer(DWORD_PTR addr)
{
if(!iatBackup)
{
iatBackup = (DWORD_PTR*)calloc(IatSize + sizeof(DWORD_PTR), 1);
if(!iatBackup)
{
return 0;
}
if(!ProcessAccessHelp::readMemoryFromProcess(IatAddressVA, IatSize, iatBackup))
{
free(iatBackup);
iatBackup = 0;
return 0;
}
}
for(int i = 0; i < ((int)IatSize / (int)sizeof(DWORD_PTR)); i++)
{
if(iatBackup[i] == addr)
{
return (DWORD_PTR)&iatBackup[i] - (DWORD_PTR)iatBackup + IatAddressVA;
}
}
return 0;
}
void IATReferenceScan::patchNewIat(DWORD_PTR stdImagebase, DWORD_PTR newIatBaseAddress, PeParser* peParser)
{
NewIatAddressRVA = newIatBaseAddress;
DWORD patchBytes = 0;
for(std::vector<IATReference>::iterator iter = iatReferenceList.begin(); iter != iatReferenceList.end(); iter++)
{
IATReference* ref = &(*iter);
DWORD_PTR newIatAddressPointer = (ref->targetPointer - IatAddressVA) + NewIatAddressRVA + stdImagebase;
#ifdef _WIN64
patchBytes = (DWORD)(newIatAddressPointer - (ref->addressVA - ImageBase + stdImagebase) - 6);
#else
patchBytes = newIatAddressPointer;
#endif
DWORD_PTR patchOffset = peParser->convertRVAToOffsetRelative(ref->addressVA - ImageBase);
int index = peParser->convertRVAToOffsetVectorIndex(ref->addressVA - ImageBase);
BYTE* memory = peParser->getSectionMemoryByIndex(index);
DWORD memorySize = peParser->getSectionMemorySizeByIndex(index);
if(memorySize < (DWORD)(patchOffset + 6))
{
// Scylla::debugLog.log(L"Error - Cannot fix IAT reference RVA: " PRINTF_DWORD_PTR_FULL, ref->addressVA - ImageBase);
}
else
{
memory += patchOffset + 2;
*((DWORD*)memory) = patchBytes;
}
//Scylla::debugLog.log(L"address %X old %X new %X",ref->addressVA, ref->targetPointer, newIatAddressPointer);
}
}
void IATReferenceScan::printDirectImportLog()
{
// IATReferenceScan::directImportLog.log(L"------------------------------------------------------------");
// IATReferenceScan::directImportLog.log(L"ImageBase " PRINTF_DWORD_PTR_FULL L" ImageSize %08X IATAddress " PRINTF_DWORD_PTR_FULL L" IATSize 0x%X", ImageBase, ImageSize, IatAddressVA, IatSize);
int count = 0;
bool isSuspect = false;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
ApiInfo* apiInfo = apiReader->getApiByVirtualAddress(ref->targetAddressInIat, &isSuspect);
count++;
const WCHAR* type = L"U";
if(ref->type == IAT_REFERENCE_DIRECT_CALL)
{
type = L"CALL";
}
else if(ref->type == IAT_REFERENCE_DIRECT_JMP)
{
type = L"JMP";
}
else if(ref->type == IAT_REFERENCE_DIRECT_MOV)
{
type = L"MOV";
}
else if(ref->type == IAT_REFERENCE_DIRECT_PUSH)
{
type = L"PUSH";
}
else if(ref->type == IAT_REFERENCE_DIRECT_LEA)
{
type = L"LEA";
}
//IATReferenceScan::directImportLog.log(L"%04d AddrVA " PRINTF_DWORD_PTR_FULL L" Type %s Value " PRINTF_DWORD_PTR_FULL L" IatRefPointer " PRINTF_DWORD_PTR_FULL L" Api %s %S", count, ref->addressVA, type, ref->targetAddressInIat, ref->targetPointer,apiInfo->module->getFilename(), apiInfo->name);
}
//IATReferenceScan::directImportLog.log(L"------------------------------------------------------------");
}
void IATReferenceScan::findDirectIatReferenceCallJmp(_DInst* instruction)
{
IATReference ref;
if(META_GET_FC(instruction->meta) == FC_CALL || META_GET_FC(instruction->meta) == FC_UNC_BRANCH)
{
if((instruction->size >= 5) && (instruction->ops[0].type == O_PC)) //CALL/JMP 0x00000000
{
if(META_GET_FC(instruction->meta) == FC_CALL)
{
ref.type = IAT_REFERENCE_DIRECT_CALL;
}
else
{
ref.type = IAT_REFERENCE_DIRECT_JMP;
}
ref.targetAddressInIat = (DWORD_PTR)INSTRUCTION_GET_TARGET(instruction);
checkMemoryRangeAndAddToList(&ref, instruction);
}
}
}
void IATReferenceScan::findDirectIatReferenceMov(_DInst* instruction)
{
IATReference ref;
ref.type = IAT_REFERENCE_DIRECT_MOV;
if(instruction->opcode == I_MOV)
{
#ifdef _WIN64
if(instruction->size >= 7) //MOV REGISTER, 0xFFFFFFFFFFFFFFFF
#else
if(instruction->size >= 5) //MOV REGISTER, 0xFFFFFFFF
#endif
{
if(instruction->ops[0].type == O_REG && instruction->ops[1].type == O_IMM)
{
ref.targetAddressInIat = (DWORD_PTR)instruction->imm.qword;
checkMemoryRangeAndAddToList(&ref, instruction);
}
}
}
}
void IATReferenceScan::findDirectIatReferencePush(_DInst* instruction)
{
IATReference ref;
ref.type = IAT_REFERENCE_DIRECT_PUSH;
if(instruction->size >= 5 && instruction->opcode == I_PUSH)
{
ref.targetAddressInIat = (DWORD_PTR)instruction->imm.qword;
checkMemoryRangeAndAddToList(&ref, instruction);
}
}
void IATReferenceScan::findDirectIatReferenceLea(_DInst* instruction)
{
IATReference ref;
ref.type = IAT_REFERENCE_DIRECT_LEA;
if(instruction->size >= 5 && instruction->opcode == I_LEA)
{
if(instruction->ops[0].type == O_REG && instruction->ops[1].type == O_DISP) //LEA EDX, [0xb58bb8]
{
ref.targetAddressInIat = (DWORD_PTR)instruction->disp;
checkMemoryRangeAndAddToList(&ref, instruction);
}
}
}
void IATReferenceScan::checkMemoryRangeAndAddToList(IATReference* ref, _DInst* instruction)
{
#ifdef DEBUG_COMMENTS
_DecodedInst inst;
#endif
if(ref->targetAddressInIat > 0x000FFFFF && ref->targetAddressInIat != (DWORD_PTR) - 1)
{
if((ref->targetAddressInIat < ImageBase) || (ref->targetAddressInIat > (ImageBase + ImageSize))) //outside pe image
{
//if (isAddressValidImageMemory(ref->targetAddressInIat))
{
bool isSuspect = false;
if(apiReader->getApiByVirtualAddress(ref->targetAddressInIat, &isSuspect) != 0)
{
ref->addressVA = (DWORD_PTR)instruction->addr;
ref->instructionSize = instruction->size;
ref->targetPointer = lookUpIatForPointer(ref->targetAddressInIat);
#ifdef DEBUG_COMMENTS
distorm_format(&ProcessAccessHelp::decomposerCi, instruction, &inst);
Scylla::debugLog.log(PRINTF_DWORD_PTR_FULL L" " PRINTF_DWORD_PTR_FULL L" %S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, (DWORD_PTR)instruction->addr, ImageBase, inst.mnemonic.p, inst.operands.p, instruction->ops[0].type, instruction->size, ref->targetAddressInIat);
#endif
iatDirectImportList.push_back(*ref);
}
}
}
}
}
void IATReferenceScan::patchDirectJumpTableEntry(DWORD_PTR targetIatPointer, DWORD_PTR stdImagebase, DWORD directImportsJumpTableRVA, PeParser* peParser, BYTE* jmpTableMemory, DWORD newIatBase)
{
DWORD patchBytes = 0;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
//only one jmp in table for different direct imports with same iat address
if(ref->targetPointer == targetIatPointer)
{
//patch dump
DWORD patchOffset = (DWORD)peParser->convertRVAToOffsetRelative(ref->addressVA - ImageBase);
int index = peParser->convertRVAToOffsetVectorIndex(ref->addressVA - ImageBase);
BYTE* memory = peParser->getSectionMemoryByIndex(index);
DWORD memorySize = peParser->getSectionMemorySizeByIndex(index);
DWORD sectionRVA = peParser->getSectionAddressRVAByIndex(index);
if(ref->type == IAT_REFERENCE_DIRECT_CALL || ref->type == IAT_REFERENCE_DIRECT_JMP)
{
#ifndef _WIN64
if(ref->instructionSize == 5)
{
patchBytes = directImportsJumpTableRVA - (ref->addressVA - ImageBase) - 5;
patchDirectImportInDump32(1, 5, patchBytes, memory, memorySize, false, patchOffset, sectionRVA);
}
#endif
}
else if(ref->type == IAT_REFERENCE_DIRECT_PUSH || ref->type == IAT_REFERENCE_DIRECT_MOV)
{
#ifndef _WIN64
if(ref->instructionSize == 5) //for x86
{
patchBytes = directImportsJumpTableRVA + stdImagebase;
patchDirectImportInDump32(1, 5, patchBytes, memory, memorySize, true, patchOffset, sectionRVA);
}
#else
if(ref->instructionSize == 10) //for x64
{
DWORD_PTR patchBytes64 = directImportsJumpTableRVA + stdImagebase;
patchDirectImportInDump64(2, 10, patchBytes64, memory, memorySize, true, patchOffset, sectionRVA);
}
#endif
}
else if(ref->type == IAT_REFERENCE_DIRECT_LEA)
{
#ifndef _WIN64
if(ref->instructionSize == 6)
{
patchBytes = directImportsJumpTableRVA + stdImagebase;
patchDirectImportInDump32(2, 6, patchBytes, memory, memorySize, true, patchOffset, sectionRVA);
}
#endif
}
}
}
}
void IATReferenceScan::patchDirectJumpTable(DWORD_PTR stdImagebase, DWORD directImportsJumpTableRVA, PeParser* peParser, BYTE* jmpTableMemory, DWORD newIatBase)
{
std::set<DWORD_PTR> apiPointers;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
apiPointers.insert(ref->targetPointer);
}
DWORD patchBytes;
for(std::set<DWORD_PTR>::iterator apiIter = apiPointers.begin(); apiIter != apiPointers.end(); apiIter++)
{
DWORD_PTR refTargetPointer = *apiIter;
if(newIatBase) //create new iat in section
{
refTargetPointer = (*apiIter - IatAddressVA) + newIatBase + ImageBase;
}
//create jump table in section
DWORD_PTR newIatAddressPointer = refTargetPointer - ImageBase + stdImagebase;
#ifdef _WIN64
patchBytes = (DWORD)(newIatAddressPointer - (directImportsJumpTableRVA + stdImagebase) - 6);
#else
patchBytes = newIatAddressPointer;
DWORD relocOffset = (directImportsJumpTableRVA + 2);
//directImportLog.log(L"Relocation direct imports fix: Base RVA %08X Type HIGHLOW Offset %04X RelocTableEntry %04X", relocOffset & 0xFFFFF000, relocOffset & 0x00000FFF, (IMAGE_REL_BASED_HIGHLOW << 12) + (relocOffset & 0x00000FFF));
#endif
jmpTableMemory[0] = 0xFF;
jmpTableMemory[1] = 0x25;
*((DWORD*)&jmpTableMemory[2]) = patchBytes;
patchDirectJumpTableEntry(*apiIter, stdImagebase, directImportsJumpTableRVA, peParser, jmpTableMemory, newIatBase);
jmpTableMemory += 6;
directImportsJumpTableRVA += 6;
}
}
void IATReferenceScan::patchDirectImportInDump32(int patchPreFixBytes, int instructionSize, DWORD patchBytes, BYTE* memory, DWORD memorySize, bool generateReloc, DWORD patchOffset, DWORD sectionRVA)
{
if(memorySize < (DWORD)(patchOffset + instructionSize))
{
//Scylla::debugLog.log(L"Error - Cannot fix direct import reference RVA: %X", sectionRVA + patchOffset);
}
else
{
memory += patchOffset + patchPreFixBytes;
if(generateReloc)
{
DWORD relocOffset = sectionRVA + patchOffset + patchPreFixBytes;
// directImportLog.log(L"Relocation direct imports fix: Base RVA %08X Type HIGHLOW Offset %04X RelocTableEntry %04X", relocOffset & 0xFFFFF000, relocOffset & 0x00000FFF, (IMAGE_REL_BASED_HIGHLOW << 12) + (relocOffset & 0x00000FFF));
}
*((DWORD*)memory) = patchBytes;
}
}
void IATReferenceScan::patchDirectImportInDump64(int patchPreFixBytes, int instructionSize, DWORD_PTR patchBytes, BYTE* memory, DWORD memorySize, bool generateReloc, DWORD patchOffset, DWORD sectionRVA)
{
if(memorySize < (DWORD)(patchOffset + instructionSize))
{
// Scylla::debugLog.log(L"Error - Cannot fix direct import reference RVA: %X", sectionRVA + patchOffset);
}
else
{
memory += patchOffset + patchPreFixBytes;
if(generateReloc)
{
DWORD relocOffset = sectionRVA + patchOffset + patchPreFixBytes;
// directImportLog.log(L"Relocation direct imports fix: Base RVA %08X Type DIR64 Offset %04X RelocTableEntry %04X", relocOffset & 0xFFFFF000, relocOffset & 0x00000FFF, (IMAGE_REL_BASED_DIR64 << 12) + (relocOffset & 0x00000FFF));
}
*((DWORD_PTR*)memory) = patchBytes;
}
}
DWORD IATReferenceScan::addAdditionalApisToList()
{
std::set<DWORD_PTR> apiPointers;
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
if(ref->targetPointer == 0)
{
apiPointers.insert(ref->targetAddressInIat);
}
}
DWORD_PTR iatAddy = IatAddressVA + IatSize;
DWORD newIatSize = IatSize;
bool isSuspect = false;
for(std::set<DWORD_PTR>::iterator apiIter = apiPointers.begin(); apiIter != apiPointers.end(); apiIter++)
{
for(std::vector<IATReference>::iterator iter = iatDirectImportList.begin(); iter != iatDirectImportList.end(); iter++)
{
IATReference* ref = &(*iter);
if(ref->targetPointer == 0 && ref->targetAddressInIat == *apiIter)
{
ref->targetPointer = iatAddy;
ApiInfo* apiInfo = apiReader->getApiByVirtualAddress(ref->targetAddressInIat, &isSuspect);
apiReader->addFoundApiToModuleList(iatAddy, apiInfo, true, isSuspect);
}
}
iatAddy += sizeof(DWORD_PTR);
newIatSize += sizeof(DWORD_PTR);
}
return newIatSize;
}

126
scylla_wrapper/IATReferenceScan.h
View File

@ -1,126 +0,0 @@
#pragma once
#include <vector>
#include "ProcessAccessHelp.h"
#include "PeParser.h"
#include "ApiReader.h"
enum IATReferenceType
{
IAT_REFERENCE_PTR_JMP,
IAT_REFERENCE_PTR_CALL,
IAT_REFERENCE_DIRECT_JMP,
IAT_REFERENCE_DIRECT_CALL,
IAT_REFERENCE_DIRECT_MOV,
IAT_REFERENCE_DIRECT_PUSH,
IAT_REFERENCE_DIRECT_LEA
};
class IATReference
{
public:
DWORD_PTR addressVA; //Address of reference
DWORD_PTR targetPointer; //Place inside IAT
DWORD_PTR targetAddressInIat; //WIN API?
BYTE instructionSize;
IATReferenceType type;
};
class IATReferenceScan
{
public:
IATReferenceScan()
{
apiReader = 0;
IatAddressVA = 0;
IatSize = 0;
ImageBase = 0;
ImageSize = 0;
iatBackup = 0;
ScanForDirectImports = false;
ScanForNormalImports = true;
}
~IATReferenceScan()
{
iatReferenceList.clear();
iatDirectImportList.clear();
if(iatBackup)
{
free(iatBackup);
}
}
bool ScanForDirectImports;
bool ScanForNormalImports;
bool JunkByteAfterInstruction;
ApiReader* apiReader;
void startScan(DWORD_PTR imageBase, DWORD imageSize, DWORD_PTR iatAddress, DWORD iatSize);
//void patchNewIatBaseMemory(DWORD_PTR newIatBaseAddress);
//void patchNewIatBaseFile(DWORD_PTR newIatBaseAddress);
void patchNewIat(DWORD_PTR stdImagebase, DWORD_PTR newIatBaseAddress, PeParser* peParser);
void patchDirectJumpTable(DWORD_PTR imageBase, DWORD directImportsJumpTableRVA, PeParser* peParser, BYTE* jmpTableMemory, DWORD newIatBase);
void patchDirectImportsMemory(bool junkByteAfterInstruction);
int numberOfFoundDirectImports();
int numberOfFoundUniqueDirectImports();
int numberOfDirectImportApisNotInIat();
int getSizeInBytesOfJumpTableInSection();
//static FileLog directImportLog;
void printDirectImportLog();
void changeIatBaseOfDirectImports(DWORD newIatBaseAddressRVA);
DWORD addAdditionalApisToList();
private:
DWORD_PTR NewIatAddressRVA;
DWORD_PTR IatAddressVA;
DWORD IatSize;
DWORD_PTR ImageBase;
DWORD ImageSize;
DWORD_PTR* iatBackup;
std::vector<IATReference> iatReferenceList;
std::vector<IATReference> iatDirectImportList;
void scanMemoryPage(PVOID BaseAddress, SIZE_T RegionSize);
void analyzeInstruction(_DInst* instruction);
void findNormalIatReference(_DInst* instruction);
void getIatEntryAddress(IATReference* ref);
void findDirectIatReferenceCallJmp(_DInst* instruction);
bool isAddressValidImageMemory(DWORD_PTR address);
void patchReferenceInMemory(IATReference* ref);
void patchReferenceInFile(IATReference* ref);
void patchDirectImportInMemory(IATReference* iter);
DWORD_PTR lookUpIatForPointer(DWORD_PTR addr);
void findDirectIatReferenceMov(_DInst* instruction);
void findDirectIatReferencePush(_DInst* instruction);
void checkMemoryRangeAndAddToList(IATReference* ref, _DInst* instruction);
void findDirectIatReferenceLea(_DInst* instruction);
void patchDirectImportInDump32(int patchPreFixBytes, int instructionSize, DWORD patchBytes, BYTE* memory, DWORD memorySize, bool generateReloc, DWORD patchOffset, DWORD sectionRVA);
void patchDirectImportInDump64(int patchPreFixBytes, int instructionSize, DWORD_PTR patchBytes, BYTE* memory, DWORD memorySize, bool generateReloc, DWORD patchOffset, DWORD sectionRVA);
void patchDirectJumpTableEntry(DWORD_PTR targetIatPointer, DWORD_PTR stdImagebase, DWORD directImportsJumpTableRVA, PeParser* peParser, BYTE* jmpTableMemory, DWORD newIatBase);
};
/*
PE64
----------
000000013FF82D87 FF15 137C0A00 CALL QWORD [RIP+0xA7C13]
Result: 000000014002A9A0
000000013F65C952 FF25 F8EA0B00 JMP QWORD [RIP+0xBEAF8]
Result: 000000013F71B450
PE32
----------
0120FFA5 FF15 8C6D2601 CALL DWORD [0x01266D8C]
0120FF52 FF25 D4722601 JMP DWORD [0x012672D4]
*/

547
scylla_wrapper/IATSearch.cpp
View File

@ -1,547 +0,0 @@
#include "stdafx.h"
#include "IATSearch.h"
#include "Architecture.h"
//#define DEBUG_COMMENTS
bool IATSearch::searchImportAddressTableInProcess(DWORD_PTR startAddress, DWORD_PTR* addressIAT, DWORD* sizeIAT, bool advanced)
{
DWORD_PTR addressInIAT = 0;
*addressIAT = 0;
*sizeIAT = 0;
if(advanced)
{
return findIATAdvanced(startAddress, addressIAT, sizeIAT);
}
addressInIAT = findAPIAddressInIAT(startAddress);
if(!addressInIAT)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"searchImportAddressTableInProcess :: addressInIAT not found, startAddress " PRINTF_DWORD_PTR_FULL, startAddress);
#endif
return false;
}
else
{
return findIATStartAndSize(addressInIAT, addressIAT, sizeIAT);
}
}
bool IATSearch::findIATAdvanced(DWORD_PTR startAddress, DWORD_PTR* addressIAT, DWORD* sizeIAT)
{
BYTE* dataBuffer;
DWORD_PTR baseAddress;
SIZE_T memorySize;
findExecutableMemoryPagesByStartAddress(startAddress, &baseAddress, &memorySize);
if(memorySize == 0)
return false;
dataBuffer = new BYTE[memorySize];
if(!readMemoryFromProcess((DWORD_PTR)baseAddress, memorySize, dataBuffer))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"findAPIAddressInIAT2 :: error reading memory");
#endif
return false;
}
std::set<DWORD_PTR> iatPointers;
DWORD_PTR next;
BYTE* tempBuf = dataBuffer;
while(decomposeMemory(tempBuf, memorySize, (DWORD_PTR)baseAddress) && decomposerInstructionsCount != 0)
{
findIATPointers(iatPointers);
next = (DWORD_PTR)(decomposerResult[decomposerInstructionsCount - 1].addr - baseAddress);
next += decomposerResult[decomposerInstructionsCount - 1].size;
// Advance ptr and recalc offset.
tempBuf += next;
if(memorySize <= next)
{
break;
}
memorySize -= next;
baseAddress += next;
}
if(iatPointers.size() == 0)
return false;
filterIATPointersList(iatPointers);
*addressIAT = *(iatPointers.begin());
*sizeIAT = (DWORD)(*(--iatPointers.end()) - * (iatPointers.begin()) + sizeof(DWORD_PTR));
//Scylla::windowLog.log(L"IAT Search Advanced: Found %d (0x%X) possible IAT entries.", iatPointers.size(), iatPointers.size());
//Scylla::windowLog.log(L"IAT Search Advanced: Possible IAT first " PRINTF_DWORD_PTR_FULL L" last " PRINTF_DWORD_PTR_FULL L" entry.", *(iatPointers.begin()), *(--iatPointers.end()));
delete [] dataBuffer;
return true;
}
DWORD_PTR IATSearch::findAPIAddressInIAT(DWORD_PTR startAddress)
{
const size_t MEMORY_READ_SIZE = 200;
BYTE dataBuffer[MEMORY_READ_SIZE];
DWORD_PTR iatPointer = 0;
int counter = 0;
// to detect stolen api
memoryAddress = 0;
memorySize = 0;
do
{
counter++;
if(!readMemoryFromProcess(startAddress, sizeof(dataBuffer), dataBuffer))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"findAPIAddressInIAT :: error reading memory " PRINTF_DWORD_PTR_FULL, startAddress);
#endif
return 0;
}
if(decomposeMemory(dataBuffer, sizeof(dataBuffer), startAddress))
{
iatPointer = findIATPointer();
if(iatPointer)
{
if(isIATPointerValid(iatPointer, true))
{
return iatPointer;
}
}
}
startAddress = findNextFunctionAddress();
//printf("startAddress %08X\n",startAddress);
}
while(startAddress != 0 && counter != 8);
return 0;
}
DWORD_PTR IATSearch::findNextFunctionAddress()
{
#ifdef DEBUG_COMMENTS
_DecodedInst inst;
#endif
for(unsigned int i = 0; i < decomposerInstructionsCount; i++)
{
if(decomposerResult[i].flags != FLAG_NOT_DECODABLE)
{
if(META_GET_FC(decomposerResult[i].meta) == FC_CALL || META_GET_FC(decomposerResult[i].meta) == FC_UNC_BRANCH)
{
if(decomposerResult[i].size >= 5)
{
if(decomposerResult[i].ops[0].type == O_PC)
{
#ifdef DEBUG_COMMENTS
distorm_format(&decomposerCi, &decomposerResult[i], &inst);
Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[i].ops[0].type, decomposerResult[i].size, INSTRUCTION_GET_TARGET(&decomposerResult[i]));
#endif
return (DWORD_PTR)INSTRUCTION_GET_TARGET(&decomposerResult[i]);
}
}
}
}
}
return 0;
}
DWORD_PTR IATSearch::findIATPointer()
{
#ifdef DEBUG_COMMENTS
_DecodedInst inst;
#endif
for(unsigned int i = 0; i < decomposerInstructionsCount; i++)
{
if(decomposerResult[i].flags != FLAG_NOT_DECODABLE)
{
if(META_GET_FC(decomposerResult[i].meta) == FC_CALL || META_GET_FC(decomposerResult[i].meta) == FC_UNC_BRANCH)
{
if(decomposerResult[i].size >= 5)
{
#ifdef _WIN64
if(decomposerResult[i].flags & FLAG_RIP_RELATIVE)
{
#ifdef DEBUG_COMMENTS
distorm_format(&decomposerCi, &decomposerResult[i], &inst);
Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[i].ops[0].type, decomposerResult[i].size, INSTRUCTION_GET_RIP_TARGET(&decomposerResult[i]));
#endif
return INSTRUCTION_GET_RIP_TARGET(&decomposerResult[i]);
}
#else
if(decomposerResult[i].ops[0].type == O_DISP)
{
//jmp dword ptr || call dword ptr
#ifdef DEBUG_COMMENTS
distorm_format(&decomposerCi, &decomposerResult[i], &inst);
Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[i].ops[0].type, decomposerResult[i].size, decomposerResult[i].disp);
#endif
return (DWORD_PTR)decomposerResult[i].disp;
}
#endif
}
}
}
}
return 0;
}
bool IATSearch::isIATPointerValid(DWORD_PTR iatPointer, bool checkRedirects)
{
DWORD_PTR apiAddress = 0;
if(!readMemoryFromProcess(iatPointer, sizeof(DWORD_PTR), &apiAddress))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"isIATPointerValid :: error reading memory");
#endif
return false;
}
//printf("Win api ? %08X\n",apiAddress);
if(isApiAddressValid(apiAddress) != 0)
{
return true;
}
else
{
if(checkRedirects)
{
//maybe redirected import?
//if the address is 2 times inside a memory region it is possible a redirected api
if(apiAddress > memoryAddress && apiAddress < (memoryAddress + memorySize))
{
return true;
}
else
{
getMemoryRegionFromAddress(apiAddress, &memoryAddress, &memorySize);
}
}
}
return false;
}
bool IATSearch::findIATStartAndSize(DWORD_PTR address, DWORD_PTR* addressIAT, DWORD* sizeIAT)
{
BYTE* dataBuffer = 0;
DWORD_PTR baseAddress = 0;
DWORD baseSize = 0;
getMemoryBaseAndSizeForIat(address, &baseAddress, &baseSize);
if(!baseAddress)
return false;
dataBuffer = new BYTE[baseSize * (sizeof(DWORD_PTR) * 3)];
if(!dataBuffer)
return false;
ZeroMemory(dataBuffer, baseSize * (sizeof(DWORD_PTR) * 3));
if(!readMemoryFromProcess(baseAddress, baseSize, dataBuffer))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"findIATStartAddress :: error reading memory");
#endif
return false;
}
//printf("address %X memBasic.BaseAddress %X memBasic.RegionSize %X\n",address,memBasic.BaseAddress,memBasic.RegionSize);
*addressIAT = findIATStartAddress(baseAddress, address, dataBuffer);
*sizeIAT = findIATSize(baseAddress, *addressIAT, dataBuffer, baseSize);
delete [] dataBuffer;
return true;
}
DWORD_PTR IATSearch::findIATStartAddress(DWORD_PTR baseAddress, DWORD_PTR startAddress, BYTE* dataBuffer)
{
DWORD_PTR* pIATAddress = 0;
pIATAddress = (DWORD_PTR*)((startAddress - baseAddress) + (DWORD_PTR)dataBuffer);
while((DWORD_PTR)pIATAddress != (DWORD_PTR)dataBuffer)
{
if(isInvalidMemoryForIat(*pIATAddress))
{
if((DWORD_PTR)(pIATAddress - 1) >= (DWORD_PTR)dataBuffer)
{
if(isInvalidMemoryForIat(*(pIATAddress - 1)))
{
if((DWORD_PTR)(pIATAddress - 2) >= (DWORD_PTR)dataBuffer)
{
if(!isApiAddressValid(*(pIATAddress - 2)))
{
return (((DWORD_PTR)pIATAddress - (DWORD_PTR)dataBuffer) + baseAddress);
}
}
}
}
}
pIATAddress--;
}
return baseAddress;
}
DWORD IATSearch::findIATSize(DWORD_PTR baseAddress, DWORD_PTR iatAddress, BYTE* dataBuffer, DWORD bufferSize)
{
DWORD_PTR* pIATAddress = 0;
pIATAddress = (DWORD_PTR*)((iatAddress - baseAddress) + (DWORD_PTR)dataBuffer);
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"findIATSize :: baseAddress %X iatAddress %X dataBuffer %X pIATAddress %X", baseAddress, iatAddress, dataBuffer, pIATAddress);
#endif
while((DWORD_PTR)pIATAddress < ((DWORD_PTR)dataBuffer + bufferSize - 1))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"findIATSize :: %X %X %X", pIATAddress, *pIATAddress, *(pIATAddress + 1));
#endif
if(isInvalidMemoryForIat(*pIATAddress)) //normal is 0
{
if(isInvalidMemoryForIat(*(pIATAddress + 1)))
{
//IAT end
if(!isApiAddressValid(*(pIATAddress + 2)))
{
return (DWORD)((DWORD_PTR)pIATAddress - (DWORD_PTR)dataBuffer - (iatAddress - baseAddress));
}
}
}
pIATAddress++;
}
return bufferSize;
}
void IATSearch::findIATPointers(std::set<DWORD_PTR> & iatPointers)
{
#ifdef DEBUG_COMMENTS
_DecodedInst inst;
#endif
for(unsigned int i = 0; i < decomposerInstructionsCount; i++)
{
if(decomposerResult[i].flags != FLAG_NOT_DECODABLE)
{
if(META_GET_FC(decomposerResult[i].meta) == FC_CALL || META_GET_FC(decomposerResult[i].meta) == FC_UNC_BRANCH)
{
if(decomposerResult[i].size >= 5)
{
#ifdef _WIN64
if(decomposerResult[i].flags & FLAG_RIP_RELATIVE)
{
#ifdef DEBUG_COMMENTS
distorm_format(&decomposerCi, &decomposerResult[i], &inst);
Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[i].ops[0].type, decomposerResult[i].size, INSTRUCTION_GET_RIP_TARGET(&decomposerResult[i]));
#endif
iatPointers.insert(INSTRUCTION_GET_RIP_TARGET(&decomposerResult[i]));
}
#else
if(decomposerResult[i].ops[0].type == O_DISP)
{
//jmp dword ptr || call dword ptr
#ifdef DEBUG_COMMENTS
distorm_format(&decomposerCi, &decomposerResult[i], &inst);
Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[i].ops[0].type, decomposerResult[i].size, decomposerResult[i].disp);
#endif
iatPointers.insert((DWORD_PTR)decomposerResult[i].disp);
}
#endif
}
}
}
}
}
void IATSearch::findExecutableMemoryPagesByStartAddress(DWORD_PTR startAddress, DWORD_PTR* baseAddress, SIZE_T* memorySize)
{
MEMORY_BASIC_INFORMATION memBasic = {0};
DWORD_PTR tempAddress;
*memorySize = 0;
*baseAddress = 0;
if(VirtualQueryEx(hProcess, (LPCVOID)startAddress, &memBasic, sizeof(MEMORY_BASIC_INFORMATION)) != sizeof(MEMORY_BASIC_INFORMATION))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"findIATStartAddress :: VirtualQueryEx error %u", GetLastError());
#endif
return;
}
//search down
do
{
*memorySize = memBasic.RegionSize;
*baseAddress = (DWORD_PTR)memBasic.BaseAddress;
tempAddress = (DWORD_PTR)memBasic.BaseAddress - 1;
if(VirtualQueryEx(hProcess, (LPCVOID)tempAddress, &memBasic, sizeof(MEMORY_BASIC_INFORMATION)) != sizeof(MEMORY_BASIC_INFORMATION))
{
break;
}
}
while(isPageExecutable(memBasic.Protect));
tempAddress = *baseAddress;
memBasic.RegionSize = *memorySize;
*memorySize = 0;
//search up
do
{
tempAddress += memBasic.RegionSize;
*memorySize += memBasic.RegionSize;
if(VirtualQueryEx(hProcess, (LPCVOID)tempAddress, &memBasic, sizeof(MEMORY_BASIC_INFORMATION)) != sizeof(MEMORY_BASIC_INFORMATION))
{
break;
}
}
while(isPageExecutable(memBasic.Protect));
}
void IATSearch::filterIATPointersList(std::set<DWORD_PTR> & iatPointers)
{
std::set<DWORD_PTR>::iterator iter;
if(iatPointers.size() <= 2)
{
return;
}
iter = iatPointers.begin();
std::advance(iter, iatPointers.size() / 2); //start in the middle, important!
DWORD_PTR lastPointer = *iter;
iter++;
for(; iter != iatPointers.end(); iter++)
{
if((*iter - lastPointer) > 0x100) //check difference
{
if(isIATPointerValid(lastPointer, false) == false || isIATPointerValid(*iter, false) == false)
{
iatPointers.erase(iter, iatPointers.end());
break;
}
else
{
lastPointer = *iter;
}
}
else
{
lastPointer = *iter;
}
}
bool erased = true;
while(erased)
{
iter = iatPointers.begin();
lastPointer = *iter;
iter++;
for(; iter != iatPointers.end(); iter++)
{
if((*iter - lastPointer) > 0x100) //check difference
{
if(isIATPointerValid(lastPointer, false) == false || isIATPointerValid(*iter, false) == false)
{
iter--;
iatPointers.erase(iter);
erased = true;
break;
}
else
{
erased = false;
lastPointer = *iter;
}
}
else
{
erased = false;
lastPointer = *iter;
}
}
}
}
void IATSearch::getMemoryBaseAndSizeForIat(DWORD_PTR address, DWORD_PTR* baseAddress, DWORD* baseSize)
{
MEMORY_BASIC_INFORMATION memBasic1 = {0};
MEMORY_BASIC_INFORMATION memBasic2 = {0};
MEMORY_BASIC_INFORMATION memBasic3 = {0};
DWORD_PTR start = 0, end = 0;
*baseAddress = 0;
*baseSize = 0;
if(!VirtualQueryEx(hProcess, (LPCVOID)address, &memBasic2, sizeof(MEMORY_BASIC_INFORMATION)))
{
return;
}
*baseAddress = (DWORD_PTR)memBasic2.BaseAddress;
*baseSize = (DWORD)memBasic2.RegionSize;
//Get the neighbours
if(!VirtualQueryEx(hProcess, (LPCVOID)((DWORD_PTR)memBasic2.BaseAddress - 1), &memBasic1, sizeof(MEMORY_BASIC_INFORMATION)))
{
return;
}
if(!VirtualQueryEx(hProcess, (LPCVOID)((DWORD_PTR)memBasic2.BaseAddress + (DWORD_PTR)memBasic2.RegionSize), &memBasic3, sizeof(MEMORY_BASIC_INFORMATION)))
{
return;
}
if(memBasic3.State != MEM_COMMIT || memBasic1.State != MEM_COMMIT)
{
return;
}
start = (DWORD_PTR)memBasic1.BaseAddress;
end = (DWORD_PTR)memBasic3.BaseAddress + (DWORD_PTR)memBasic3.RegionSize;
*baseAddress = start;
*baseSize = (DWORD)(end - start);
}

34
scylla_wrapper/IATSearch.h
View File

@ -1,34 +0,0 @@
#pragma once
#include "ApiReader.h"
#include <set>
class IATSearch : protected ApiReader
{
public:
DWORD_PTR memoryAddress;
SIZE_T memorySize;
bool searchImportAddressTableInProcess(DWORD_PTR startAddress, DWORD_PTR* addressIAT, DWORD* sizeIAT, bool advanced);
private:
DWORD_PTR findAPIAddressInIAT(DWORD_PTR startAddress);
bool findIATAdvanced(DWORD_PTR startAddress, DWORD_PTR* addressIAT, DWORD* sizeIAT);
DWORD_PTR findNextFunctionAddress();
DWORD_PTR findIATPointer();
//DWORD_PTR findAddressFromWORDString(char * stringBuffer);
//DWORD_PTR findAddressFromNormalCALLString(char * stringBuffer);
bool isIATPointerValid(DWORD_PTR iatPointer, bool checkRedirects);
bool findIATStartAndSize(DWORD_PTR address, DWORD_PTR* addressIAT, DWORD* sizeIAT);
DWORD_PTR findIATStartAddress(DWORD_PTR baseAddress, DWORD_PTR startAddress, BYTE* dataBuffer);
DWORD findIATSize(DWORD_PTR baseAddress, DWORD_PTR iatAddress, BYTE* dataBuffer, DWORD bufferSize);
void findIATPointers(std::set<DWORD_PTR> & iatPointers);
void findExecutableMemoryPagesByStartAddress(DWORD_PTR startAddress, DWORD_PTR* baseAddress, SIZE_T* memorySize);
void filterIATPointersList(std::set<DWORD_PTR> & iatPointers);
void getMemoryBaseAndSizeForIat(DWORD_PTR address, DWORD_PTR* baseAddress, DWORD* baseSize);
};

550
scylla_wrapper/ImportRebuilder.cpp
View File

@ -1,550 +0,0 @@
#include "stdafx.h"
#include "ImportRebuilder.h"
#include "StringConversion.h"
//#define DEBUG_COMMENTS
/*
New Scylla section contains:
1. (optional) direct imports jump table
2. (optional) new iat
3. (optional) OFT
4. Normal IAT entries
*/
bool ImportRebuilder::rebuildImportTable(const WCHAR* newFilePath, std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
bool retValue = false;
std::map<DWORD_PTR, ImportModuleThunk> copyModule;
copyModule.insert(moduleList.begin(), moduleList.end());
if(isValidPeFile())
{
if(readPeSectionsFromFile())
{
setDefaultFileAlignment();
retValue = buildNewImportTable(copyModule);
if(retValue)
{
alignAllSectionHeaders();
fixPeHeader();
if(newIatInSection)
{
patchFileForNewIatLocation();
}
if(BuildDirectImportsJumpTable)
{
patchFileForDirectImportJumpTable();
}
retValue = savePeFileToDisk(newFilePath);
}
}
}
return retValue;
}
bool ImportRebuilder::rebuildMappedImportTable(DWORD_PTR iatVA, std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
bool retValue = false;
if(isValidPeFile())
{
if(readPeSectionsFromMappedFile())
{
retValue = buildNewMappedImportTable(moduleList);
//destructor of PEParser deletes .data so we need to remove our pointer to FileMapping
for(WORD i = 0; i < getNumberOfSections(); i++)
{
listPeSection[i].data = NULL;
}
}
}
return retValue;
}
bool ImportRebuilder::buildNewImportTable(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
createNewImportSection(moduleList);
importSectionIndex = listPeSection.size() - 1;
if(BuildDirectImportsJumpTable)
{
directImportsJumpTableRVA = listPeSection[importSectionIndex].sectionHeader.VirtualAddress;
JMPTableMemory = listPeSection[importSectionIndex].data;
}
if(newIatInSection)
{
newIatBaseAddressRVA = listPeSection[importSectionIndex].sectionHeader.VirtualAddress;
if(BuildDirectImportsJumpTable)
{
newIatBaseAddressRVA += iatReferenceScan->getSizeInBytesOfJumpTableInSection();
}
changeIatBaseAddress(moduleList);
}
DWORD dwSize = fillImportSection(moduleList);
if(!dwSize)
{
return false;
}
setFlagToIATSection((*moduleList.begin()).second.firstThunk);
DWORD vaImportAddress = listPeSection[importSectionIndex].sectionHeader.VirtualAddress;
if(useOFT)
{
//OFT array is at the beginning of the import section
vaImportAddress += (DWORD)sizeOfOFTArray;
}
if(newIatInSection)
{
vaImportAddress += (DWORD)IatSize;
}
if(BuildDirectImportsJumpTable)
{
vaImportAddress += (DWORD)iatReferenceScan->getSizeInBytesOfJumpTableInSection();
}
if(isPE32())
{
pNTHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = vaImportAddress;
pNTHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)(numberOfImportDescriptors * sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
else
{
pNTHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = vaImportAddress;
pNTHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)(numberOfImportDescriptors * sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
return true;
}
bool ImportRebuilder::buildNewMappedImportTable(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
calculateImportSizes(moduleList);
importSectionIndex = listPeSection.size() - 1;
DWORD dwSize = fillImportSection(moduleList);
if(!dwSize)
{
return false;
}
DWORD vaImportAddress = listPeSection[importSectionIndex].sectionHeader.VirtualAddress;
if(useOFT)
{
//OFT array is at the beginning of the import section
vaImportAddress += (DWORD)sizeOfOFTArray;
}
DWORD headerOffset = sizeof(IMAGE_DOS_HEADER);
if(dosStubSize && pDosStub)
{
headerOffset += dosStubSize;
}
if(isPE32())
{
PIMAGE_NT_HEADERS32 pMappedNTHeader32 = (PIMAGE_NT_HEADERS32)(fileMapVA + headerOffset);
pMappedNTHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = vaImportAddress;
pMappedNTHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)(numberOfImportDescriptors * sizeof(IMAGE_IMPORT_DESCRIPTOR));
headerOffset += sizeof(IMAGE_NT_HEADERS32);
}
else
{
PIMAGE_NT_HEADERS64 pMappedNTHeader64 = (PIMAGE_NT_HEADERS64)(fileMapVA + headerOffset);
pMappedNTHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = vaImportAddress;
pMappedNTHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)(numberOfImportDescriptors * sizeof(IMAGE_IMPORT_DESCRIPTOR));
headerOffset += sizeof(IMAGE_NT_HEADERS64);
}
//setFlagToIATSection
headerOffset += (DWORD)(sizeof(IMAGE_SECTION_HEADER) * importSectionIndex);
PIMAGE_SECTION_HEADER pImportSection = (PIMAGE_SECTION_HEADER)(fileMapVA + headerOffset);
pImportSection->Characteristics |= IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
return true;
}
bool ImportRebuilder::createNewImportSection(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
char sectionName[IMAGE_SIZEOF_SHORT_NAME + 1] = {0};
StringConversion::ToASCII(this->sectionName, sectionName, IMAGE_SIZEOF_SHORT_NAME + 1);
calculateImportSizes(moduleList);
if(newIatInSection)
{
sizeOfImportSection += IatSize;
}
if(BuildDirectImportsJumpTable)
{
sizeOfImportSection += iatReferenceScan->getSizeInBytesOfJumpTableInSection();
}
return addNewLastSection(sectionName, (DWORD)sizeOfImportSection, 0);
}
void ImportRebuilder::setFlagToIATSection(DWORD_PTR iatAddress)
{
for(size_t i = 0; i < listPeSection.size(); i++)
{
if((listPeSection[i].sectionHeader.VirtualAddress <= iatAddress) && ((listPeSection[i].sectionHeader.VirtualAddress + listPeSection[i].sectionHeader.Misc.VirtualSize) > iatAddress))
{
//section must be read and writeable
listPeSection[i].sectionHeader.Characteristics |= IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;
}
}
}
DWORD ImportRebuilder::fillImportSection(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator mapIt;
std::map<DWORD_PTR, ImportThunk>::iterator mapIt2;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = 0;
PIMAGE_IMPORT_BY_NAME pImportByName = 0;
PIMAGE_THUNK_DATA pThunk = 0;
ImportModuleThunk* importModuleThunk = 0;
ImportThunk* importThunk = 0;
size_t stringLength = 0;
DWORD_PTR lastRVA = 0;
BYTE* sectionData = listPeSection[importSectionIndex].data;
DWORD offset = 0;
DWORD offsetOFTArray = 0;
/*
New Scylla section contains:
1. (optional) direct imports jump table
2. (optional) new iat
3. (optional) OFT
4. Normal IAT entries
*/
if(BuildDirectImportsJumpTable)
{
offset += iatReferenceScan->getSizeInBytesOfJumpTableInSection();
offsetOFTArray += iatReferenceScan->getSizeInBytesOfJumpTableInSection();
}
if(newIatInSection)
{
offset += IatSize; //new iat at the beginning
offsetOFTArray += IatSize;
memset(sectionData, 0xFF, offset);
}
if(useOFT)
{
offset += (DWORD)sizeOfOFTArray; //size includes null termination
}
pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD_PTR)sectionData + offset);
//skip the IMAGE_IMPORT_DESCRIPTOR
offset += (DWORD)(numberOfImportDescriptors * sizeof(IMAGE_IMPORT_DESCRIPTOR));
for(mapIt = moduleList.begin() ; mapIt != moduleList.end(); mapIt++)
{
importModuleThunk = &((*mapIt).second);
stringLength = addImportDescriptor(importModuleThunk, offset, offsetOFTArray);
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"fillImportSection :: importDesc.Name %X", pImportDescriptor->Name);
#endif
offset += (DWORD)stringLength; //stringLength has null termination char
pImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)sectionData + offset);
//pThunk = (PIMAGE_THUNK_DATA)(getMemoryPointerFromRVA(importModuleThunk->firstThunk));
lastRVA = importModuleThunk->firstThunk - sizeof(DWORD_PTR);
for(mapIt2 = (*mapIt).second.thunkList.begin() ; mapIt2 != (*mapIt).second.thunkList.end(); mapIt2++)
{
importThunk = &((*mapIt2).second);
if(useOFT)
{
pThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)sectionData + offsetOFTArray);
offsetOFTArray += sizeof(DWORD_PTR); //increase OFT array index
}
else
{
pThunk = (PIMAGE_THUNK_DATA)(getMemoryPointerFromRVA(importThunk->rva));
}
//check wrong iat pointer
if(!pThunk)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"fillImportSection :: Failed to get pThunk RVA: %X", importThunk->rva);
#endif
return 0;
}
if((lastRVA + sizeof(DWORD_PTR)) != importThunk->rva)
{
//add additional import desc
addSpecialImportDescriptor(importThunk->rva, offsetOFTArray);
if(useOFT)
{
pThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)sectionData + offsetOFTArray);
offsetOFTArray += sizeof(DWORD_PTR); //increase OFT array index, next module
}
}
lastRVA = importThunk->rva;
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"fillImportSection :: importThunk %X pThunk %X pImportByName %X offset %X", importThunk, pThunk, pImportByName, offset);
#endif
stringLength = addImportToImportTable(importThunk, pThunk, pImportByName, offset);
offset += (DWORD)stringLength; //is 0 bei import by ordinal
pImportByName = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)pImportByName + stringLength);
}
offsetOFTArray += sizeof(DWORD_PTR); //increase OFT array index, next module
pImportDescriptor++;
}
return offset;
}
size_t ImportRebuilder::addImportDescriptor(ImportModuleThunk* pImportModule, DWORD sectionOffset, DWORD sectionOffsetOFTArray)
{
char dllName[MAX_PATH];
StringConversion::ToASCII(pImportModule->moduleName, dllName, _countof(dllName));
size_t stringLength = strlen(dllName) + 1;
/*
Warning: stringLength MUST include null termination char
*/
memcpy((listPeSection[importSectionIndex].data + sectionOffset), dllName, stringLength); //copy module name to section
pImportDescriptor->FirstThunk = (DWORD)pImportModule->firstThunk;
pImportDescriptor->Name = (DWORD)convertOffsetToRVAVector(listPeSection[importSectionIndex].sectionHeader.PointerToRawData + sectionOffset);
if(useOFT)
{
pImportDescriptor->OriginalFirstThunk = (DWORD)convertOffsetToRVAVector(listPeSection[importSectionIndex].sectionHeader.PointerToRawData + sectionOffsetOFTArray);
}
return stringLength;
}
void ImportRebuilder::addSpecialImportDescriptor(DWORD_PTR rvaFirstThunk, DWORD sectionOffsetOFTArray)
{
PIMAGE_IMPORT_DESCRIPTOR oldID = pImportDescriptor;
pImportDescriptor++;
pImportDescriptor->FirstThunk = (DWORD)rvaFirstThunk;
pImportDescriptor->Name = oldID->Name;
if(useOFT)
{
pImportDescriptor->OriginalFirstThunk = (DWORD)convertOffsetToRVAVector(listPeSection[importSectionIndex].sectionHeader.PointerToRawData + sectionOffsetOFTArray);
}
}
void ImportRebuilder::calculateImportSizes(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator mapIt;
std::map<DWORD_PTR, ImportThunk>::iterator mapIt2;
DWORD_PTR lastRVA = 0;
sizeOfImportSection = 0;
sizeOfApiAndModuleNames = 0;
sizeOfOFTArray = 0;
numberOfImportDescriptors = moduleList.size() + 1; //last is zero'd
for(mapIt = moduleList.begin() ; mapIt != moduleList.end(); mapIt++)
{
lastRVA = (*mapIt).second.firstThunk - sizeof(DWORD_PTR);
sizeOfApiAndModuleNames += (DWORD)(wcslen((*mapIt).second.moduleName) + 1);
for(mapIt2 = (*mapIt).second.thunkList.begin() ; mapIt2 != (*mapIt).second.thunkList.end(); mapIt2++)
{
if((lastRVA + sizeof(DWORD_PTR)) != (*mapIt2).second.rva)
{
numberOfImportDescriptors++; //add additional import desc
sizeOfOFTArray += sizeof(DWORD_PTR) + sizeof(DWORD_PTR);
}
if((*mapIt2).second.name[0] != '\0')
{
sizeOfApiAndModuleNames += sizeof(WORD); //Hint from IMAGE_IMPORT_BY_NAME
sizeOfApiAndModuleNames += (DWORD)(strlen((*mapIt2).second.name) + 1);
}
//OriginalFirstThunk Array in Import Section: value
sizeOfOFTArray += sizeof(DWORD_PTR);
lastRVA = (*mapIt2).second.rva;
}
//OriginalFirstThunk Array in Import Section: NULL termination
sizeOfOFTArray += sizeof(DWORD_PTR);
}
sizeOfImportSection = sizeOfOFTArray + sizeOfApiAndModuleNames + (numberOfImportDescriptors * sizeof(IMAGE_IMPORT_DESCRIPTOR));
}
size_t ImportRebuilder::addImportToImportTable(ImportThunk* pImport, PIMAGE_THUNK_DATA pThunk, PIMAGE_IMPORT_BY_NAME pImportByName, DWORD sectionOffset)
{
size_t stringLength = 0;
if(pImport->name[0] == '\0')
{
pThunk->u1.AddressOfData = (IMAGE_ORDINAL(pImport->ordinal) | IMAGE_ORDINAL_FLAG);
}
else
{
pImportByName->Hint = pImport->hint;
stringLength = strlen(pImport->name) + 1;
memcpy(pImportByName->Name, pImport->name, stringLength);
pThunk->u1.AddressOfData = convertOffsetToRVAVector(listPeSection[importSectionIndex].sectionHeader.PointerToRawData + sectionOffset);
if(!pThunk->u1.AddressOfData)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"addImportToImportTable :: failed to get AddressOfData %X %X", listPeSection[importSectionIndex].sectionHeader.PointerToRawData, sectionOffset);
#endif
}
//next import should be nulled
pThunk++;
pThunk->u1.AddressOfData = 0;
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"addImportToImportTable :: pThunk->u1.AddressOfData %X %X %X", pThunk->u1.AddressOfData, pThunk, listPeSection[importSectionIndex].sectionHeader.PointerToRawData + sectionOffset);
#endif
stringLength += sizeof(WORD);
}
return stringLength;
}
BYTE* ImportRebuilder::getMemoryPointerFromRVA(DWORD_PTR dwRVA)
{
int peSectionIndex = convertRVAToOffsetVectorIndex(dwRVA);
if(peSectionIndex == -1)
{
return 0;
}
DWORD rvaPointer = ((DWORD)dwRVA - listPeSection[peSectionIndex].sectionHeader.VirtualAddress);
DWORD minSectionSize = rvaPointer + (sizeof(DWORD_PTR) * 2); //add space for 1 IAT address
if(listPeSection[peSectionIndex].data == 0 || listPeSection[peSectionIndex].dataSize == 0)
{
listPeSection[peSectionIndex].dataSize = minSectionSize;
listPeSection[peSectionIndex].normalSize = minSectionSize;
listPeSection[peSectionIndex].data = new BYTE[listPeSection[peSectionIndex].dataSize];
listPeSection[peSectionIndex].sectionHeader.SizeOfRawData = listPeSection[peSectionIndex].dataSize;
}
else if(listPeSection[peSectionIndex].dataSize < minSectionSize)
{
BYTE* temp = new BYTE[minSectionSize];
memcpy(temp, listPeSection[peSectionIndex].data, listPeSection[peSectionIndex].dataSize);
delete [] listPeSection[peSectionIndex].data;
listPeSection[peSectionIndex].data = temp;
listPeSection[peSectionIndex].dataSize = minSectionSize;
listPeSection[peSectionIndex].normalSize = minSectionSize;
listPeSection[peSectionIndex].sectionHeader.SizeOfRawData = listPeSection[peSectionIndex].dataSize;
}
return (BYTE*)((DWORD_PTR)listPeSection[peSectionIndex].data + rvaPointer);
}
void ImportRebuilder::enableOFTSupport()
{
useOFT = true;
}
void ImportRebuilder::enableNewIatInSection(DWORD_PTR iatAddress, DWORD iatSize)
{
newIatInSection = true;
IatAddress = iatAddress;
IatSize = iatSize;
iatReferenceScan->ScanForDirectImports = false;
iatReferenceScan->ScanForNormalImports = true;
iatReferenceScan->startScan(ProcessAccessHelp::targetImageBase, (DWORD)ProcessAccessHelp::targetSizeOfImage, IatAddress, IatSize);
}
void ImportRebuilder::patchFileForNewIatLocation()
{
iatReferenceScan->patchNewIat(getStandardImagebase(), newIatBaseAddressRVA, (PeParser*)this);
}
void ImportRebuilder::changeIatBaseAddress(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator mapIt;
std::map<DWORD_PTR, ImportThunk>::iterator mapIt2;
DWORD_PTR oldIatRva = IatAddress - ProcessAccessHelp::targetImageBase;
for(mapIt = moduleList.begin() ; mapIt != moduleList.end(); mapIt++)
{
(*mapIt).second.firstThunk = (*mapIt).second.firstThunk - oldIatRva + newIatBaseAddressRVA;
for(mapIt2 = (*mapIt).second.thunkList.begin() ; mapIt2 != (*mapIt).second.thunkList.end(); mapIt2++)
{
(*mapIt2).second.rva = (*mapIt2).second.rva - oldIatRva + newIatBaseAddressRVA;
}
}
}
void ImportRebuilder::patchFileForDirectImportJumpTable()
{
if(newIatInSection)
{
iatReferenceScan->patchDirectJumpTable(getStandardImagebase(), directImportsJumpTableRVA, (PeParser*)this, JMPTableMemory, newIatBaseAddressRVA);
}
else
{
iatReferenceScan->patchDirectJumpTable(getStandardImagebase(), directImportsJumpTableRVA, (PeParser*)this, JMPTableMemory, 0);
}
}

101
scylla_wrapper/ImportRebuilder.h
View File

@ -1,101 +0,0 @@
#pragma once
#include <map>
#include "PeParser.h"
#include "Thunks.h"
#include "IATReferenceScan.h"
class ImportRebuilder : public PeParser
{
public:
ImportRebuilder(const WCHAR* file, const WCHAR* sectionName) : PeParser(file, true)
{
pImportDescriptor = 0;
pThunkData = 0;
pImportByName = 0;
numberOfImportDescriptors = 0;
sizeOfImportSection = 0;
sizeOfApiAndModuleNames = 0;
importSectionIndex = 0;
useOFT = false;
sizeOfOFTArray = 0;
newIatInSection = false;
BuildDirectImportsJumpTable = false;
sizeOfJumpTable = 0;
this->sectionName = (WCHAR*)sectionName;
}
ImportRebuilder(const DWORD_PTR iatVA, const DWORD_PTR FileMapVA, const HANDLE hFileMap, const WCHAR* sectionName) : PeParser(iatVA, FileMapVA, hFileMap, true)
{
pImportDescriptor = 0;
pThunkData = 0;
pImportByName = 0;
numberOfImportDescriptors = 0;
sizeOfImportSection = 0;
sizeOfApiAndModuleNames = 0;
importSectionIndex = 0;
useOFT = false;
sizeOfOFTArray = 0;
newIatInSection = false;
BuildDirectImportsJumpTable = false;
sizeOfJumpTable = 0;
this->sectionName = (WCHAR*)sectionName;
}
bool rebuildImportTable(const WCHAR* newFilePath, std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
bool rebuildMappedImportTable(DWORD_PTR iatVA, std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
void enableOFTSupport();
void enableNewIatInSection(DWORD_PTR iatAddress, DWORD iatSize);
int getIATSectionSize(std::map<DWORD_PTR, ImportModuleThunk> & moduleList)
{
this->calculateImportSizes(moduleList);
return (int)this->sizeOfImportSection;
} ;
IATReferenceScan* iatReferenceScan;
bool BuildDirectImportsJumpTable;
private:
PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor;
PIMAGE_THUNK_DATA pThunkData;
PIMAGE_IMPORT_BY_NAME pImportByName;
size_t numberOfImportDescriptors;
size_t sizeOfImportSection;
size_t sizeOfApiAndModuleNames;
size_t importSectionIndex;
WCHAR* sectionName;
//OriginalFirstThunk Array in Import Section
size_t sizeOfOFTArray;
bool useOFT;
bool newIatInSection;
DWORD_PTR IatAddress;
DWORD IatSize;
DWORD sizeOfJumpTable;
DWORD directImportsJumpTableRVA;
BYTE* JMPTableMemory;
DWORD newIatBaseAddressRVA;
DWORD fillImportSection(std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
BYTE* getMemoryPointerFromRVA(DWORD_PTR dwRVA);
bool createNewImportSection(std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
bool buildNewImportTable(std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
bool buildNewMappedImportTable(std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
void setFlagToIATSection(DWORD_PTR iatAddress);
size_t addImportToImportTable(ImportThunk* pImport, PIMAGE_THUNK_DATA pThunk, PIMAGE_IMPORT_BY_NAME pImportByName, DWORD sectionOffset);
size_t addImportDescriptor(ImportModuleThunk* pImportModule, DWORD sectionOffset, DWORD sectionOffsetOFTArray);
void calculateImportSizes(std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
void addSpecialImportDescriptor(DWORD_PTR rvaFirstThunk, DWORD sectionOffsetOFTArray);
void patchFileForNewIatLocation();
void changeIatBaseAddress(std::map<DWORD_PTR, ImportModuleThunk> & moduleList);
void patchFileForDirectImportJumpTable();
};

84
scylla_wrapper/NativeWinApi.cpp
View File

@ -1,84 +0,0 @@
#include "stdafx.h"
#include "NativeWinApi.h"
def_NtCreateThreadEx NativeWinApi::NtCreateThreadEx = 0;
def_NtDuplicateObject NativeWinApi::NtDuplicateObject = 0;
def_NtOpenProcess NativeWinApi::NtOpenProcess = 0;
def_NtOpenThread NativeWinApi::NtOpenThread = 0;
def_NtQueryObject NativeWinApi::NtQueryObject = 0;
def_NtQueryInformationFile NativeWinApi::NtQueryInformationFile = 0;
def_NtQueryInformationProcess NativeWinApi::NtQueryInformationProcess = 0;
def_NtQueryInformationThread NativeWinApi::NtQueryInformationThread = 0;
def_NtQuerySystemInformation NativeWinApi::NtQuerySystemInformation = 0;
def_NtQueryVirtualMemory NativeWinApi::NtQueryVirtualMemory = 0;
def_NtResumeProcess NativeWinApi::NtResumeProcess = 0;
def_NtResumeThread NativeWinApi::NtResumeThread = 0;
def_NtSetInformationThread NativeWinApi::NtSetInformationThread = 0;
def_NtSuspendProcess NativeWinApi::NtSuspendProcess = 0;
def_NtTerminateProcess NativeWinApi::NtTerminateProcess = 0;
def_NtOpenSymbolicLinkObject NativeWinApi::NtOpenSymbolicLinkObject = 0;
def_NtQuerySymbolicLinkObject NativeWinApi::NtQuerySymbolicLinkObject = 0;
def_RtlNtStatusToDosError NativeWinApi::RtlNtStatusToDosError = 0;
def_NtClose NativeWinApi::NtClose = 0;
void NativeWinApi::initialize()
{
if(RtlNtStatusToDosError)
{
return;
}
HMODULE hModuleNtdll = GetModuleHandleW(L"ntdll.dll");
if(!hModuleNtdll)
{
return;
}
NtCreateThreadEx = (def_NtCreateThreadEx)GetProcAddress(hModuleNtdll, "NtCreateThreadEx");
NtDuplicateObject = (def_NtDuplicateObject)GetProcAddress(hModuleNtdll, "NtDuplicateObject");
NtOpenProcess = (def_NtOpenProcess)GetProcAddress(hModuleNtdll, "NtOpenProcess");
NtOpenThread = (def_NtOpenThread)GetProcAddress(hModuleNtdll, "NtOpenThread");
NtQueryObject = (def_NtQueryObject)GetProcAddress(hModuleNtdll, "NtQueryObject");
NtQueryInformationFile = (def_NtQueryInformationFile)GetProcAddress(hModuleNtdll, "NtQueryInformationFile");
NtQueryInformationProcess = (def_NtQueryInformationProcess)GetProcAddress(hModuleNtdll, "NtQueryInformationProcess");
NtQueryInformationThread = (def_NtQueryInformationThread)GetProcAddress(hModuleNtdll, "NtQueryInformationThread");
NtQuerySystemInformation = (def_NtQuerySystemInformation)GetProcAddress(hModuleNtdll, "NtQuerySystemInformation");
NtQueryVirtualMemory = (def_NtQueryVirtualMemory)GetProcAddress(hModuleNtdll, "NtQueryVirtualMemory");
NtResumeProcess = (def_NtResumeProcess)GetProcAddress(hModuleNtdll, "NtResumeProcess");
NtResumeThread = (def_NtResumeThread)GetProcAddress(hModuleNtdll, "NtResumeThread");
NtSetInformationThread = (def_NtSetInformationThread)GetProcAddress(hModuleNtdll, "NtSetInformationThread");
NtSuspendProcess = (def_NtSuspendProcess)GetProcAddress(hModuleNtdll, "NtSuspendProcess");
NtTerminateProcess = (def_NtTerminateProcess)GetProcAddress(hModuleNtdll, "NtTerminateProcess");
NtOpenSymbolicLinkObject = (def_NtOpenSymbolicLinkObject)GetProcAddress(hModuleNtdll, "NtOpenSymbolicLinkObject");
NtQuerySymbolicLinkObject = (def_NtQuerySymbolicLinkObject)GetProcAddress(hModuleNtdll, "NtQuerySymbolicLinkObject");
RtlNtStatusToDosError = (def_RtlNtStatusToDosError)GetProcAddress(hModuleNtdll, "RtlNtStatusToDosError");
NtClose = (def_NtClose)GetProcAddress(hModuleNtdll, "NtClose");
}
PPEB NativeWinApi::getCurrentProcessEnvironmentBlock()
{
return getProcessEnvironmentBlockAddress(GetCurrentProcess());
}
PPEB NativeWinApi::getProcessEnvironmentBlockAddress(HANDLE processHandle)
{
ULONG lReturnLength = 0;
PROCESS_BASIC_INFORMATION processBasicInformation;
if((NtQueryInformationProcess(processHandle, ProcessBasicInformation, &processBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &lReturnLength) >= 0) && (lReturnLength == sizeof(PROCESS_BASIC_INFORMATION)))
{
//printf("NtQueryInformationProcess success %d\n",sizeof(PROCESS_BASIC_INFORMATION));
return processBasicInformation.PebBaseAddress;
}
else
{
//printf("NtQueryInformationProcess failed %d vs %d\n",lReturnLength,sizeof(PROCESS_BASIC_INFORMATION));
return 0;
}
}

502
scylla_wrapper/NativeWinApi.h
View File

@ -1,502 +0,0 @@
#pragma once
#include <windows.h>
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define DUPLICATE_SAME_ATTRIBUTES 0x00000004
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
typedef LONG KPRIORITY;
typedef LONG NTSTATUS;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation2,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS;
typedef struct _IO_STATUS_BLOCK
{
union
{
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _FILE_NAME_INFORMATION // Information Classes 9 and 21
{
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION;
typedef enum _FILE_INFORMATION_CLASS
{
FileNameInformation = 9,
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
#define InitializeObjectAttributes(p,n,a,r,s) \
{ \
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
(p)->ObjectName = n; \
(p)->Attributes = a; \
(p)->RootDirectory = r; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
PVOID RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct _MEMORY_REGION_INFORMATION
{
PVOID AllocationBase; //Imagebase
ULONG AllocationProtect;
ULONG RegionType;
SIZE_T RegionSize; //Size of image
} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;
typedef enum _OBJECT_INFORMATION_CLASS
{
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllInformation,
ObjectDataInformation
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
typedef enum _THREADINFOCLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
MaxThreadInfoClass
} THREADINFOCLASS;
//
// Memory Information Classes for NtQueryVirtualMemory
//
typedef enum _MEMORY_INFORMATION_CLASS
{
MemoryBasicInformation,
MemoryWorkingSetInformation,
MemoryMappedFilenameInformation, //MemorySectionName, UNICODE_STRING, Wrapper: GetMappedFileNameW
MemoryRegionInformation, //MemoryBasicVlmInformation, MEMORY_REGION_INFORMATION
MemoryWorkingSetExInformation
} MEMORY_INFORMATION_CLASS;
typedef enum _PROCESSINFOCLASS
{
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers,
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,
ProcessDebugFlags,
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessResourceManagement,
ProcessCookie,
ProcessImageInformation,
MaxProcessInfoClass
} PROCESSINFOCLASS;
typedef struct _PEB_LDR_DATA
{
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB
{
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PVOID PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;
typedef struct _PROCESS_BASIC_INFORMATION
{
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
typedef struct _MEMORY_WORKING_SET_LIST
{
ULONG NumberOfPages;
ULONG WorkingSetList[1];
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;
typedef struct _MEMORY_SECTION_NAME
{
UNICODE_STRING SectionFileName;
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION
{
ULONG SessionId;
ULONG SizeOfBuf;
PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
{
SYSTEM_THREAD_INFORMATION ThreadInfo;
PVOID StackBase;
PVOID StackLimit;
PVOID Win32StartAddress;
PVOID TebAddress; /* This is only filled in on Vista and above */
ULONG_PTR Reserved2;
ULONG_PTR Reserved3;
ULONG_PTR Reserved4;
} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER SpareLi1;
LARGE_INTEGER SpareLi2;
LARGE_INTEGER SpareLi3;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR PageDirectoryBase;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
///////////////////////////////////////////////////////////////////////////////////////
//Evolution of Process Environment Block (PEB) http://blog.rewolf.pl/blog/?p=573
//March 2, 2013 / ReWolf posted in programming, reverse engineering, source code, x64 /
#pragma pack(push)
#pragma pack(1)
template <class T>
struct LIST_ENTRY_T
{
T Flink;
T Blink;
};
template <class T>
struct UNICODE_STRING_T
{
union
{
struct
{
WORD Length;
WORD MaximumLength;
};
T dummy;
};
T _Buffer;
};
template <class T, class NGF, int A>
struct _PEB_T
{
union
{
struct
{
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
BYTE _SYSTEM_DEPENDENT_01;
};
T dummy01;
};
T Mutant;
T ImageBaseAddress;
T Ldr;
T ProcessParameters;
T SubSystemData;
T ProcessHeap;
T FastPebLock;
T _SYSTEM_DEPENDENT_02;
T _SYSTEM_DEPENDENT_03;
T _SYSTEM_DEPENDENT_04;
union
{
T KernelCallbackTable;
T UserSharedInfoPtr;
};
DWORD SystemReserved;
DWORD _SYSTEM_DEPENDENT_05;
T _SYSTEM_DEPENDENT_06;
T TlsExpansionCounter;
T TlsBitmap;
DWORD TlsBitmapBits[2];
T ReadOnlySharedMemoryBase;
T _SYSTEM_DEPENDENT_07;
T ReadOnlyStaticServerData;
T AnsiCodePageData;
T OemCodePageData;
T UnicodeCaseTableData;
DWORD NumberOfProcessors;
union
{
DWORD NtGlobalFlag;
NGF dummy02;
};
LARGE_INTEGER CriticalSectionTimeout;
T HeapSegmentReserve;
T HeapSegmentCommit;
T HeapDeCommitTotalFreeThreshold;
T HeapDeCommitFreeBlockThreshold;
DWORD NumberOfHeaps;
DWORD MaximumNumberOfHeaps;
T ProcessHeaps;
};
typedef _PEB_T<DWORD, DWORD64, 34> PEB32;
typedef _PEB_T<DWORD64, DWORD, 30> PEB64;
#ifdef _WIN64
typedef PEB64 PEB_CURRENT;
#else
typedef PEB32 PEB_CURRENT;
#endif
#pragma pack(pop)
typedef NTSTATUS(WINAPI* def_NtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
typedef NTSTATUS(WINAPI* def_NtQueryObject)(HANDLE Handle, OBJECT_INFORMATION_CLASS ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength);
typedef NTSTATUS(WINAPI* def_NtDuplicateObject)(HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, BOOLEAN InheritHandle, ULONG Options);
typedef NTSTATUS(WINAPI* def_NtQueryInformationFile)(HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
typedef NTSTATUS(WINAPI* def_NtQueryInformationThread)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength);
typedef NTSTATUS(WINAPI* def_NtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
typedef NTSTATUS(WINAPI* def_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(WINAPI* def_NtQueryVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID Buffer, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength);
typedef NTSTATUS(WINAPI* def_NtOpenProcess)(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, PVOID ObjectAttributes, PCLIENT_ID ClientId);
typedef NTSTATUS(WINAPI* def_NtOpenThread)(PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
typedef NTSTATUS(WINAPI* def_NtResumeThread)(HANDLE ThreadHandle, PULONG SuspendCount);
typedef NTSTATUS(WINAPI* def_NtSetInformationThread)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength);
typedef NTSTATUS(WINAPI* def_NtCreateThreadEx)(PHANDLE hThread, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, int CreateFlags, ULONG StackZeroBits, LPVOID SizeOfStackCommit, LPVOID SizeOfStackReserve, LPVOID lpBytesBuffer);
typedef NTSTATUS(WINAPI* def_NtSuspendProcess)(HANDLE ProcessHandle);
typedef NTSTATUS(WINAPI* def_NtResumeProcess)(HANDLE ProcessHandle);
typedef NTSTATUS(WINAPI* def_NtOpenSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS(WINAPI* def_NtQuerySymbolicLinkObject)(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
typedef ULONG(WINAPI* def_RtlNtStatusToDosError)(NTSTATUS Status);
typedef NTSTATUS(WINAPI* def_NtClose)(HANDLE Handle);
//Flags from waliedassar
#define NtCreateThreadExFlagCreateSuspended 0x1
#define NtCreateThreadExFlagSuppressDllMains 0x2
#define NtCreateThreadExFlagHideFromDebugger 0x4
#define SYMBOLIC_LINK_QUERY (0x0001)
class NativeWinApi
{
public:
static def_NtCreateThreadEx NtCreateThreadEx;
static def_NtDuplicateObject NtDuplicateObject;
static def_NtOpenProcess NtOpenProcess;
static def_NtOpenThread NtOpenThread;
static def_NtQueryObject NtQueryObject;
static def_NtQueryInformationFile NtQueryInformationFile;
static def_NtQueryInformationProcess NtQueryInformationProcess;
static def_NtQueryInformationThread NtQueryInformationThread;
static def_NtQuerySystemInformation NtQuerySystemInformation;
static def_NtQueryVirtualMemory NtQueryVirtualMemory;
static def_NtResumeProcess NtResumeProcess;
static def_NtResumeThread NtResumeThread;
static def_NtSetInformationThread NtSetInformationThread;
static def_NtSuspendProcess NtSuspendProcess;
static def_NtTerminateProcess NtTerminateProcess;
static def_NtOpenSymbolicLinkObject NtOpenSymbolicLinkObject;
static def_NtQuerySymbolicLinkObject NtQuerySymbolicLinkObject;
static def_NtClose NtClose;
static def_RtlNtStatusToDosError RtlNtStatusToDosError;
static void RtlInitUnicodeString(PUNICODE_STRING DestinationString, PWSTR SourceString)
{
DestinationString->Buffer = SourceString;
DestinationString->MaximumLength = DestinationString->Length = (USHORT)wcslen(SourceString) * sizeof(WCHAR);
}
static void initialize();
static PPEB getCurrentProcessEnvironmentBlock();
static PPEB getProcessEnvironmentBlockAddress(HANDLE processHandle);
};

1379
scylla_wrapper/PeParser.cpp
View File

File diff suppressed because it is too large Load Diff

167
scylla_wrapper/PeParser.h
View File

@ -1,167 +0,0 @@
#pragma once
#include <windows.h>
#include <vector>
class PeSection
{
public:
WCHAR name[IMAGE_SIZEOF_SHORT_NAME + 1];
DWORD_PTR virtualAddress;
DWORD virtualSize;
DWORD rawAddress;
DWORD rawSize;
DWORD characteristics;
bool isDumped;
//highlight big virtual sizes -> anti-dump protection
bool highlightVirtualSize()
{
return (virtualSize > 0x2000000);
};
};
class PeFileSection
{
public:
IMAGE_SECTION_HEADER sectionHeader;
BYTE* data;
DWORD dataSize;
DWORD normalSize;
PeFileSection()
{
ZeroMemory(&sectionHeader, sizeof(IMAGE_SECTION_HEADER));
data = 0;
dataSize = 0;
normalSize = 0;
}
};
class PeParser
{
public:
PeParser(const WCHAR* file, bool readSectionHeaders = true);
PeParser(const DWORD_PTR moduleBase, bool readSectionHeaders = true);
PeParser(const DWORD_PTR iatVA, const DWORD_PTR FileMapVA, const HANDLE hFileMap, bool readSectionHeaders = true);
~PeParser();
bool isValidPeFile();
bool isPE64();
bool isPE32();
bool isTargetFileSamePeFormat();
WORD getNumberOfSections();
std::vector<PeFileSection> & getSectionHeaderList();
bool hasExportDirectory();
bool hasTLSDirectory();
bool hasRelocationDirectory();
bool hasOverlayData();
DWORD getEntryPoint();
bool getSectionNameUnicode(const int sectionIndex, WCHAR* output, const int outputLen);
DWORD getSectionHeaderBasedFileSize();
DWORD getSectionHeaderBasedSizeOfImage();
bool readPeSectionsFromProcess();
bool readPeSectionsFromFile();
bool readPeSectionsFromMappedFile();
bool savePeFileToDisk(const WCHAR* newFile);
void removeDosStub();
void alignAllSectionHeaders();
void fixPeHeader();
void setDefaultFileAlignment();
bool dumpProcess(DWORD_PTR modBase, DWORD_PTR entryPoint, const WCHAR* dumpFilePath);
bool dumpProcess(DWORD_PTR modBase, DWORD_PTR entryPoint, const WCHAR* dumpFilePath, std::vector<PeSection> & sectionList);
void setEntryPointVa(DWORD_PTR entryPoint);
void setEntryPointRva(DWORD entryPoint);
static bool updatePeHeaderChecksum(const WCHAR* targetFile, DWORD fileSize);
BYTE* getSectionMemoryByIndex(int index);
DWORD getSectionMemorySizeByIndex(int index);
int convertRVAToOffsetVectorIndex(DWORD_PTR dwRVA);
DWORD_PTR convertOffsetToRVAVector(DWORD_PTR dwOffset);
DWORD_PTR convertRVAToOffsetVector(DWORD_PTR dwRVA);
DWORD_PTR convertRVAToOffsetRelative(DWORD_PTR dwRVA);
DWORD getSectionAddressRVAByIndex(int index);
PIMAGE_NT_HEADERS getCurrentNtHeader();
protected:
PeParser();
static const DWORD FileAlignmentConstant = 0x200;
const WCHAR* filename;
DWORD_PTR moduleBaseAddress;
DWORD_PTR fileMapVA;
/************************************************************************/
/* PE FILE */
/* */
/* IMAGE_DOS_HEADER 64 0x40 */
/* IMAGE_NT_HEADERS32 248 0xF8 */
/* IMAGE_NT_HEADERS64 264 0x108 */
/* IMAGE_SECTION_HEADER 40 0x28 */
/************************************************************************/
PIMAGE_DOS_HEADER pDosHeader;
BYTE* pDosStub; //between dos header and section header
DWORD dosStubSize;
PIMAGE_NT_HEADERS32 pNTHeader32;
PIMAGE_NT_HEADERS64 pNTHeader64;
std::vector<PeFileSection> listPeSection;
BYTE* overlayData;
DWORD overlaySize;
/************************************************************************/
BYTE* fileMemory;
BYTE* headerMemory;
HANDLE hFile;
DWORD fileSize;
bool readPeHeaderFromFile(bool readSectionHeaders);
bool readPeHeaderFromFileMapping(bool readSectionHeaders);
bool readPeHeaderFromProcess(bool readSectionHeaders);
bool hasDirectory(const int directoryIndex);
bool getSectionHeaders();
void getDosAndNtHeader(BYTE* memory, LONG size);
DWORD calcCorrectPeHeaderSize(bool readSectionHeaders);
DWORD getInitialHeaderReadSize(bool readSectionHeaders);
bool openFileHandle();
void closeFileHandle();
void initClass();
DWORD isMemoryNotNull(BYTE* data, int dataSize);
bool openWriteFileHandle(const WCHAR* newFile);
bool writeZeroMemoryToFile(HANDLE hFile, DWORD fileOffset, DWORD size);
bool readPeSectionFromFile(DWORD readOffset, PeFileSection & peFileSection);
bool readPeSectionFromProcess(DWORD_PTR readOffset, PeFileSection & peFileSection);
bool readPeSectionFromFileMapping(DWORD readOffset, PeFileSection & peFileSection);
bool readSectionFromProcess(const DWORD_PTR readOffset, PeFileSection & peFileSection);
bool readSectionFromFile(const DWORD readOffset, PeFileSection & peFileSection);
bool readSectionFrom(const DWORD_PTR readOffset, PeFileSection & peFileSection, const bool isProcess);
DWORD_PTR getStandardImagebase();
bool addNewLastSection(const CHAR* sectionName, DWORD sectionSize, BYTE* sectionData);
DWORD alignValue(DWORD badValue, DWORD alignTo);
void setNumberOfSections(WORD numberOfSections);
void removeIatDirectory();
bool getFileOverlay();
};

963
scylla_wrapper/ProcessAccessHelp.cpp
View File

@ -1,963 +0,0 @@
#include "stdafx.h"
#include "ProcessAccessHelp.h"
#include "DeviceNameResolver.h"
#include <Psapi.h>
#include "PeParser.h"
#include "NativeWinApi.h"
HANDLE ProcessAccessHelp::hProcess = 0;
ModuleInfo* ProcessAccessHelp::selectedModule;
DWORD_PTR ProcessAccessHelp::targetImageBase = 0;
DWORD_PTR ProcessAccessHelp::targetSizeOfImage = 0;
DWORD_PTR ProcessAccessHelp::maxValidAddress = 0;
std::vector<ModuleInfo> ProcessAccessHelp::moduleList; //target process module list
std::vector<ModuleInfo> ProcessAccessHelp::ownModuleList; //own module list
_DInst ProcessAccessHelp::decomposerResult[MAX_INSTRUCTIONS];
unsigned int ProcessAccessHelp::decomposerInstructionsCount = 0;
_CodeInfo ProcessAccessHelp::decomposerCi = {0};
_DecodedInst ProcessAccessHelp::decodedInstructions[MAX_INSTRUCTIONS];
unsigned int ProcessAccessHelp::decodedInstructionsCount = 0;
BYTE ProcessAccessHelp::fileHeaderFromDisk[PE_HEADER_BYTES_COUNT];
//#define DEBUG_COMMENTS
bool ProcessAccessHelp::openProcessHandle(DWORD dwPID)
{
if(dwPID > 0)
{
if(hProcess)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"openProcessHandle :: There is already a process handle, HANDLE %X", hProcess);
#endif
return false;
}
else
{
//hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE, 0, dwPID);
//if (!NT_SUCCESS(NativeWinApi::NtOpenProcess(&hProcess,PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE,&ObjectAttributes, &cid)))
hProcess = NativeOpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE, dwPID);
if(hProcess)
{
return true;
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"openProcessHandle :: Failed to open handle, PID %X", dwPID);
#endif
return false;
}
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"openProcessHandle :: Wrong PID, PID %X", dwPID);
#endif
return false;
}
}
HANDLE ProcessAccessHelp::NativeOpenProcess(DWORD dwDesiredAccess, DWORD dwProcessId)
{
HANDLE hProcess = 0;
CLIENT_ID cid = {0};
OBJECT_ATTRIBUTES ObjectAttributes;
NTSTATUS ntStatus = 0;
InitializeObjectAttributes(&ObjectAttributes, 0, 0, 0, 0);
cid.UniqueProcess = (HANDLE)(DWORD_PTR)dwProcessId;
ntStatus = NativeWinApi::NtOpenProcess(&hProcess, dwDesiredAccess, &ObjectAttributes, &cid);
if(NT_SUCCESS(ntStatus))
{
return hProcess;
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"NativeOpenProcess :: Failed to open handle, PID %X Error 0x%X", dwProcessId, NativeWinApi::RtlNtStatusToDosError(ntStatus));
#endif
return 0;
}
}
void ProcessAccessHelp::closeProcessHandle()
{
if(hProcess)
{
CloseHandle(hProcess);
hProcess = 0;
}
moduleList.clear();
targetImageBase = 0;
selectedModule = 0;
}
bool ProcessAccessHelp::readMemoryPartlyFromProcess(DWORD_PTR address, SIZE_T size, LPVOID dataBuffer)
{
DWORD_PTR addressPart = 0;
DWORD_PTR readBytes = 0;
DWORD_PTR bytesToRead = 0;
MEMORY_BASIC_INFORMATION memBasic = {0};
bool returnValue = false;
if(!hProcess)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryPartlyFromProcess :: hProcess == NULL");
#endif
return returnValue;
}
if(!readMemoryFromProcess(address, size, dataBuffer))
{
addressPart = address;
do
{
if(!VirtualQueryEx(ProcessAccessHelp::hProcess, (LPCVOID)addressPart, &memBasic, sizeof(memBasic)))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryPartlyFromProcess :: Error VirtualQueryEx %X %X err: %u", addressPart, size, GetLastError());
#endif
break;
}
bytesToRead = memBasic.RegionSize;
if((readBytes + bytesToRead) > size)
{
bytesToRead = size - readBytes;
}
if(memBasic.State == MEM_COMMIT)
{
if(!readMemoryFromProcess(addressPart, bytesToRead, (LPVOID)((DWORD_PTR)dataBuffer + readBytes)))
{
break;
}
}
else
{
ZeroMemory((LPVOID)((DWORD_PTR)dataBuffer + readBytes), bytesToRead);
}
readBytes += bytesToRead;
addressPart += memBasic.RegionSize;
}
while(readBytes < size);
if(readBytes == size)
{
returnValue = true;
}
}
else
{
returnValue = true;
}
return returnValue;
}
bool ProcessAccessHelp::writeMemoryToProcess(DWORD_PTR address, SIZE_T size, LPVOID dataBuffer)
{
SIZE_T lpNumberOfBytesWritten = 0;
if(!hProcess)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromProcess :: hProcess == NULL");
#endif
return false;
}
return (WriteProcessMemory(hProcess, (LPVOID)address, dataBuffer, size, &lpNumberOfBytesWritten) != FALSE);
}
bool ProcessAccessHelp::readMemoryFromProcess(DWORD_PTR address, SIZE_T size, LPVOID dataBuffer)
{
SIZE_T lpNumberOfBytesRead = 0;
DWORD dwProtect = 0;
bool returnValue = false;
if(!hProcess)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromProcess :: hProcess == NULL");
#endif
return returnValue;
}
if(!ReadProcessMemory(hProcess, (LPVOID)address, dataBuffer, size, &lpNumberOfBytesRead))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromProcess :: Error ReadProcessMemory %X %X err: %u", address, size, GetLastError());
#endif
if(!VirtualProtectEx(hProcess, (LPVOID)address, size, PAGE_READWRITE, &dwProtect))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromProcess :: Error VirtualProtectEx %X %X err: %u", address, size, GetLastError());
#endif
returnValue = false;
}
else
{
if(!ReadProcessMemory(hProcess, (LPVOID)address, dataBuffer, size, &lpNumberOfBytesRead))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromProcess :: Error ReadProcessMemory %X %X err: %u", address, size, GetLastError());
#endif
returnValue = false;
}
else
{
returnValue = true;
}
VirtualProtectEx(hProcess, (LPVOID)address, size, dwProtect, &dwProtect);
}
}
else
{
returnValue = true;
}
if(returnValue)
{
if(size != lpNumberOfBytesRead)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromProcess :: Error ReadProcessMemory read %d bytes requested %d bytes", lpNumberOfBytesRead, size);
#endif
returnValue = false;
}
else
{
returnValue = true;
}
}
return returnValue;
}
bool ProcessAccessHelp::decomposeMemory(BYTE* dataBuffer, SIZE_T bufferSize, DWORD_PTR startAddress)
{
ZeroMemory(&decomposerCi, sizeof(_CodeInfo));
decomposerCi.code = dataBuffer;
decomposerCi.codeLen = (int)bufferSize;
decomposerCi.dt = dt;
decomposerCi.codeOffset = startAddress;
decomposerInstructionsCount = 0;
if(distorm_decompose(&decomposerCi, decomposerResult, sizeof(decomposerResult) / sizeof(decomposerResult[0]), &decomposerInstructionsCount) == DECRES_INPUTERR)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"decomposeMemory :: distorm_decompose == DECRES_INPUTERR");
#endif
return false;
}
else
{
return true;
}
}
bool ProcessAccessHelp::disassembleMemory(BYTE* dataBuffer, SIZE_T bufferSize, DWORD_PTR startOffset)
{
// Holds the result of the decoding.
_DecodeResult res;
// next is used for instruction's offset synchronization.
// decodedInstructionsCount holds the count of filled instructions' array by the decoder.
decodedInstructionsCount = 0;
_OffsetType offset = startOffset;
res = distorm_decode(offset, dataBuffer, (int)bufferSize, dt, decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount);
/* for (unsigned int i = 0; i < decodedInstructionsCount; i++) {
#ifdef SUPPORT_64BIT_OFFSET
printf("%0*I64x (%02d) %-24s %s%s%s\n", dt != Decode64Bits ? 8 : 16, decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p);
#else
printf("%08x (%02d) %-24s %s%s%s\n", decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p);
#endif
}*/
if(res == DECRES_INPUTERR)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"disassembleMemory :: res == DECRES_INPUTERR");
#endif
return false;
}
else if(res == DECRES_SUCCESS)
{
//printf("disassembleMemory :: res == DECRES_SUCCESS\n");
return true;
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"disassembleMemory :: res == %d", res);
#endif
return true; //not all instructions fit in buffer
}
}
DWORD_PTR ProcessAccessHelp::findPattern(DWORD_PTR startOffset, DWORD size, BYTE* pattern, const char* mask)
{
DWORD pos = 0;
size_t searchLen = strlen(mask) - 1;
for(DWORD_PTR retAddress = startOffset; retAddress < startOffset + size; retAddress++)
{
if(*(BYTE*)retAddress == pattern[pos] || mask[pos] == '?')
{
if(mask[pos + 1] == 0x00)
{
return (retAddress - searchLen);
}
pos++;
}
else
{
pos = 0;
}
}
return 0;
}
bool ProcessAccessHelp::readHeaderFromCurrentFile(const WCHAR* filePath)
{
return readHeaderFromFile(fileHeaderFromDisk, sizeof(fileHeaderFromDisk), filePath);
}
LONGLONG ProcessAccessHelp::getFileSize(const WCHAR* filePath)
{
LONGLONG fileSize = 0;
HANDLE hFile = CreateFileW(filePath, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
if(hFile != INVALID_HANDLE_VALUE)
{
fileSize = getFileSize(hFile);
CloseHandle(hFile);
}
return fileSize;
}
LONGLONG ProcessAccessHelp::getFileSize(HANDLE hFile)
{
LARGE_INTEGER lpFileSize = {0};
if((hFile != INVALID_HANDLE_VALUE) && (hFile != 0))
{
if(!GetFileSizeEx(hFile, &lpFileSize))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"ProcessAccessHelp::getFileSize :: GetFileSizeEx failed %u", GetLastError());
#endif
return 0;
}
else
{
return lpFileSize.QuadPart;
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"ProcessAccessHelp::getFileSize hFile invalid");
#endif
return 0;
}
}
bool ProcessAccessHelp::readMemoryFromFile(HANDLE hFile, LONG offset, DWORD size, LPVOID dataBuffer)
{
DWORD lpNumberOfBytesRead = 0;
DWORD retValue = 0;
DWORD dwError = 0;
if(hFile != INVALID_HANDLE_VALUE)
{
retValue = SetFilePointer(hFile, offset, NULL, FILE_BEGIN);
dwError = GetLastError();
if((retValue == INVALID_SET_FILE_POINTER) && (dwError != NO_ERROR))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromFile :: SetFilePointer failed error %u", dwError);
#endif
return false;
}
else
{
if(ReadFile(hFile, dataBuffer, size, &lpNumberOfBytesRead, 0))
{
return true;
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromFile :: ReadFile failed - size %d - error %u", size, GetLastError());
#endif
return false;
}
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readMemoryFromFile :: hFile invalid");
#endif
return false;
}
}
bool ProcessAccessHelp::writeMemoryToNewFile(const WCHAR* file, DWORD size, LPCVOID dataBuffer)
{
HANDLE hFile = CreateFileW(file, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0);
if(hFile != INVALID_HANDLE_VALUE)
{
bool resultValue = writeMemoryToFile(hFile, 0, size, dataBuffer);
CloseHandle(hFile);
return resultValue;
}
else
{
return false;
}
}
bool ProcessAccessHelp::writeMemoryToFile(HANDLE hFile, LONG offset, DWORD size, LPCVOID dataBuffer)
{
DWORD lpNumberOfBytesWritten = 0;
DWORD retValue = 0;
DWORD dwError = 0;
if((hFile != INVALID_HANDLE_VALUE) && dataBuffer)
{
retValue = SetFilePointer(hFile, offset, NULL, FILE_BEGIN);
dwError = GetLastError();
if((retValue == INVALID_SET_FILE_POINTER) && (dwError != NO_ERROR))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"writeMemoryToFile :: SetFilePointer failed error %u", dwError);
#endif
return false;
}
else
{
if(WriteFile(hFile, dataBuffer, size, &lpNumberOfBytesWritten, 0))
{
return true;
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"writeMemoryToFile :: WriteFile failed - size %d - error %u", size, GetLastError());
#endif
return false;
}
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"writeMemoryToFile :: hFile invalid");
#endif
return false;
}
}
bool ProcessAccessHelp::writeMemoryToFileEnd(HANDLE hFile, DWORD size, LPCVOID dataBuffer)
{
DWORD lpNumberOfBytesWritten = 0;
DWORD retValue = 0;
if((hFile != INVALID_HANDLE_VALUE) && (hFile != 0))
{
SetFilePointer(hFile, 0, 0, FILE_END);
if(WriteFile(hFile, dataBuffer, size, &lpNumberOfBytesWritten, 0))
{
return true;
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"writeMemoryToFileEnd :: WriteFile failed - size %d - error %u", size, GetLastError());
#endif
return false;
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"writeMemoryToFileEnd :: hFile invalid");
#endif
return false;
}
}
bool ProcessAccessHelp::readHeaderFromFile(BYTE* buffer, DWORD bufferSize, const WCHAR* filePath)
{
DWORD lpNumberOfBytesRead = 0;
LONGLONG fileSize = 0;
DWORD dwSize = 0;
bool returnValue = 0;
HANDLE hFile = CreateFileW(filePath, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
if(hFile == INVALID_HANDLE_VALUE)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"readHeaderFromFile :: INVALID_HANDLE_VALUE %u", GetLastError());
#endif
returnValue = false;
}
else
{
fileSize = getFileSize(hFile);
if(fileSize > 0)
{
if(fileSize > bufferSize)
{
dwSize = bufferSize;
}
else
{
dwSize = (DWORD)(fileSize - 1);
}
returnValue = readMemoryFromFile(hFile, 0, dwSize, buffer);
}
CloseHandle(hFile);
}
return returnValue;
}
LPVOID ProcessAccessHelp::createFileMappingViewRead(const WCHAR* filePath)
{
return createFileMappingView(filePath, GENERIC_READ, PAGE_READONLY | SEC_IMAGE, FILE_MAP_READ);
}
LPVOID ProcessAccessHelp::createFileMappingViewFull(const WCHAR* filePath)
{
return createFileMappingView(filePath, GENERIC_ALL, PAGE_EXECUTE_READWRITE, FILE_MAP_ALL_ACCESS);
}
LPVOID ProcessAccessHelp::createFileMappingView(const WCHAR* filePath, DWORD accessFile, DWORD flProtect, DWORD accessMap)
{
HANDLE hFile = CreateFileW(filePath, accessFile, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
if(hFile == INVALID_HANDLE_VALUE)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"createFileMappingView :: INVALID_HANDLE_VALUE %u", GetLastError());
#endif
return NULL;
}
HANDLE hMappedFile = CreateFileMapping(hFile, NULL, flProtect, 0, 0, NULL);
CloseHandle(hFile);
if(hMappedFile == NULL)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"createFileMappingView :: hMappedFile == NULL");
#endif
return NULL;
}
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"createFileMappingView :: GetLastError() == ERROR_ALREADY_EXISTS");
#endif
return NULL;
}
LPVOID addrMappedDll = MapViewOfFile(hMappedFile, accessMap, 0, 0, 0);
if(addrMappedDll == NULL)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"createFileMappingView :: addrMappedDll == NULL");
#endif
CloseHandle(hMappedFile);
return NULL;
}
CloseHandle(hMappedFile);
return addrMappedDll;
}
DWORD ProcessAccessHelp::getProcessByName(const WCHAR* processName)
{
DWORD dwPID = 0;
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32W pe32;
pe32.dwSize = sizeof(PROCESSENTRY32W);
if(!Process32FirstW(hProcessSnap, &pe32))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getProcessByName :: Error getting first Process");
#endif
CloseHandle(hProcessSnap);
return 0;
}
do
{
if(!_wcsicmp(pe32.szExeFile, processName))
{
dwPID = pe32.th32ProcessID;
break;
}
}
while(Process32NextW(hProcessSnap, &pe32));
CloseHandle(hProcessSnap);
return dwPID;
}
bool ProcessAccessHelp::getProcessModules(HANDLE hProcess, std::vector<ModuleInfo> & moduleList)
{
ModuleInfo module;
WCHAR filename[MAX_PATH * 2] = {0};
DWORD cbNeeded = 0;
bool retVal = false;
DeviceNameResolver deviceNameResolver;
moduleList.reserve(20);
EnumProcessModules(hProcess, 0, 0, &cbNeeded);
HMODULE* hMods = (HMODULE*)malloc(cbNeeded * sizeof(HMODULE));
if(hMods)
{
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i = 1; i < (cbNeeded / sizeof(HMODULE)); i++) //skip first module!
{
module.modBaseAddr = (DWORD_PTR)hMods[i];
module.modBaseSize = (DWORD)getSizeOfImageProcess(hProcess, module.modBaseAddr);
module.isAlreadyParsed = false;
module.parsing = false;
filename[0] = 0;
module.fullPath[0] = 0;
if(GetMappedFileNameW(hProcess, (LPVOID)module.modBaseAddr, filename, _countof(filename)) > 0)
{
if(!deviceNameResolver.resolveDeviceLongNameToShort(filename, module.fullPath))
{
if(!GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath)))
{
wcscpy_s(module.fullPath, filename);
}
}
}
else
{
GetModuleFileNameExW(hProcess, (HMODULE)module.modBaseAddr, module.fullPath, _countof(module.fullPath));
}
moduleList.push_back(module);
}
retVal = true;
}
free(hMods);
}
return retVal;
}
bool ProcessAccessHelp::getMemoryRegionFromAddress(DWORD_PTR address, DWORD_PTR* memoryRegionBase, SIZE_T* memoryRegionSize)
{
MEMORY_BASIC_INFORMATION memBasic;
if(VirtualQueryEx(hProcess, (LPCVOID)address, &memBasic, sizeof(MEMORY_BASIC_INFORMATION)) != sizeof(MEMORY_BASIC_INFORMATION))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getMemoryRegionFromAddress :: VirtualQueryEx error %u", GetLastError());
#endif
return false;
}
else
{
*memoryRegionBase = (DWORD_PTR)memBasic.BaseAddress;
*memoryRegionSize = memBasic.RegionSize;
return true;
}
}
bool ProcessAccessHelp::getSizeOfImageCurrentProcess()
{
DWORD_PTR newSizeOfImage = getSizeOfImageProcess(ProcessAccessHelp::hProcess, ProcessAccessHelp::targetImageBase);
if(newSizeOfImage != 0)
{
ProcessAccessHelp::targetSizeOfImage = newSizeOfImage;
return true;
}
else
{
return false;
}
}
SIZE_T ProcessAccessHelp::getSizeOfImageProcess(HANDLE processHandle, DWORD_PTR moduleBase)
{
SIZE_T sizeOfImage = 0, sizeOfImageNative = 0;
MEMORY_BASIC_INFORMATION lpBuffer = {0};
sizeOfImageNative = getSizeOfImageProcessNative(processHandle, moduleBase);
if(sizeOfImageNative)
{
return sizeOfImageNative;
}
WCHAR filenameOriginal[MAX_PATH * 2] = {0};
WCHAR filenameTest[MAX_PATH * 2] = {0};
GetMappedFileNameW(processHandle, (LPVOID)moduleBase, filenameOriginal, _countof(filenameOriginal));
do
{
moduleBase = (DWORD_PTR)((SIZE_T)moduleBase + lpBuffer.RegionSize);
sizeOfImage += lpBuffer.RegionSize;
if(!VirtualQueryEx(processHandle, (LPCVOID)moduleBase, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION)))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getSizeOfImageProcess :: VirtualQuery failed %X", GetLastError());
#endif
lpBuffer.Type = 0;
sizeOfImage = 0;
}
GetMappedFileNameW(processHandle, (LPVOID)moduleBase, filenameTest, _countof(filenameTest));
if(_wcsicmp(filenameOriginal, filenameTest) != 0)//problem: 2 modules without free space
{
break;
}
}
while(lpBuffer.Type == MEM_IMAGE);
//if (sizeOfImage != sizeOfImageNative)
//{
// WCHAR temp[1000] = {0};
// wsprintfW(temp, L"0x%X sizeofimage\n0x%X sizeOfImageNative", sizeOfImage, sizeOfImageNative);
// MessageBoxW(0, temp, L"Test", 0);
//}
return sizeOfImage;
}
DWORD ProcessAccessHelp::getEntryPointFromFile(const WCHAR* filePath)
{
PeParser peFile(filePath, false);
return peFile.getEntryPoint();
}
bool ProcessAccessHelp::createBackupFile(const WCHAR* filePath)
{
size_t fileNameLength = wcslen(filePath) + 5; //.bak + null
BOOL retValue = 0;
WCHAR* backupFile = new WCHAR[fileNameLength];
wcscpy_s(backupFile, fileNameLength, filePath);
wcscat_s(backupFile, fileNameLength, L".bak");
retValue = CopyFileW(filePath, backupFile, FALSE);
if(!retValue)
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"createBackupFile :: CopyFile failed with error 0x%X", GetLastError());
#endif
}
delete [] backupFile;
return retValue != 0;
}
DWORD ProcessAccessHelp::getModuleHandlesFromProcess(const HANDLE hProcess, HMODULE** hMods)
{
DWORD count = 30;
DWORD cbNeeded = 0;
bool notEnough = true;
*hMods = new HMODULE[count];
do
{
if(!EnumProcessModules(hProcess, *hMods, count * sizeof(HMODULE), &cbNeeded))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getModuleHandlesFromProcess :: EnumProcessModules failed count %d", count);
#endif
delete [] *hMods;
return 0;
}
if((count * sizeof(HMODULE)) < cbNeeded)
{
delete [] *hMods;
count = cbNeeded / sizeof(HMODULE);
*hMods = new HMODULE[count];
}
else
{
notEnough = false;
}
}
while(notEnough);
return cbNeeded / sizeof(HMODULE);
}
void ProcessAccessHelp::setCurrentProcessAsTarget()
{
ProcessAccessHelp::hProcess = GetCurrentProcess();
}
bool ProcessAccessHelp::suspendProcess()
{
if(NativeWinApi::NtSuspendProcess)
{
if(NT_SUCCESS(NativeWinApi::NtSuspendProcess(ProcessAccessHelp::hProcess)))
{
return true;
}
}
return false;
}
bool ProcessAccessHelp::resumeProcess()
{
if(NativeWinApi::NtResumeProcess)
{
if(NT_SUCCESS(NativeWinApi::NtResumeProcess(ProcessAccessHelp::hProcess)))
{
return true;
}
}
return false;
}
bool ProcessAccessHelp::terminateProcess()
{
if(NativeWinApi::NtTerminateProcess)
{
if(NT_SUCCESS(NativeWinApi::NtTerminateProcess(ProcessAccessHelp::hProcess, 0)))
{
return true;
}
}
return false;
}
bool ProcessAccessHelp::isPageAccessable(DWORD Protect)
{
if(Protect & PAGE_NOCACHE) Protect ^= PAGE_NOCACHE;
if(Protect & PAGE_GUARD) Protect ^= PAGE_GUARD;
if(Protect & PAGE_WRITECOMBINE) Protect ^= PAGE_WRITECOMBINE;
if(Protect != PAGE_NOACCESS)
{
return true;
}
else
{
return false;
}
}
bool ProcessAccessHelp::isPageExecutable(DWORD Protect)
{
if(Protect & PAGE_NOCACHE) Protect ^= PAGE_NOCACHE;
if(Protect & PAGE_GUARD) Protect ^= PAGE_GUARD;
if(Protect & PAGE_WRITECOMBINE) Protect ^= PAGE_WRITECOMBINE;
switch(Protect)
{
case PAGE_EXECUTE:
{
return true;
}
case PAGE_EXECUTE_READ:
{
return true;
}
case PAGE_EXECUTE_READWRITE:
{
return true;
}
case PAGE_EXECUTE_WRITECOPY:
{
return true;
}
default:
return false;
}
}
SIZE_T ProcessAccessHelp::getSizeOfImageProcessNative(HANDLE processHandle, DWORD_PTR moduleBase)
{
MEMORY_REGION_INFORMATION memRegion = {0};
SIZE_T retLen = 0;
if(NativeWinApi::NtQueryVirtualMemory(processHandle, (PVOID)moduleBase, MemoryRegionInformation, &memRegion, sizeof(MEMORY_REGION_INFORMATION), &retLen) == STATUS_SUCCESS)
{
return memRegion.RegionSize;
}
return 0;
}

230
scylla_wrapper/ProcessAccessHelp.h
View File

@ -1,230 +0,0 @@
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <vector>
/************************************************************************/
/* distorm */
/************************************************************************/
#include "distorm.h"
#include "mnemonics.h"
// The number of the array of instructions the decoder function will use to return the disassembled instructions.
// Play with this value for performance...
#define MAX_INSTRUCTIONS (200)
/************************************************************************/
class ApiInfo;
class ModuleInfo
{
public:
WCHAR fullPath[MAX_PATH];
DWORD_PTR modBaseAddr;
DWORD modBaseSize;
bool isAlreadyParsed;
bool parsing;
/*
for iat rebuilding with duplicate entries:
ntdll = low priority
kernelbase = low priority
SHLWAPI = low priority
kernel32 = high priority
priority = 1 -> normal/high priority
priority = 0 -> low priority
*/
int priority;
std::vector<ApiInfo*> apiList;
ModuleInfo()
{
modBaseAddr = 0;
modBaseSize = 0;
priority = 1;
isAlreadyParsed = false;
parsing = false;
}
const WCHAR* getFilename() const
{
const WCHAR* slash = wcsrchr(fullPath, L'\\');
if(slash)
{
return slash + 1;
}
return fullPath;
}
};
class ApiInfo
{
public:
char name[MAX_PATH];
WORD hint;
DWORD_PTR va;
DWORD_PTR rva;
WORD ordinal;
bool isForwarded;
ModuleInfo* module;
};
class ProcessAccessHelp
{
public:
static HANDLE hProcess; //OpenProcess handle to target process
static DWORD_PTR targetImageBase;
static DWORD_PTR targetSizeOfImage;
static DWORD_PTR maxValidAddress;
static ModuleInfo* selectedModule;
static std::vector<ModuleInfo> moduleList; //target process module list
static std::vector<ModuleInfo> ownModuleList; //own module list
static const size_t PE_HEADER_BYTES_COUNT = 2000;
static BYTE fileHeaderFromDisk[PE_HEADER_BYTES_COUNT];
//for decomposer
static _DInst decomposerResult[MAX_INSTRUCTIONS];
static unsigned int decomposerInstructionsCount;
static _CodeInfo decomposerCi;
//distorm :: Decoded instruction information.
static _DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
static unsigned int decodedInstructionsCount;
#ifdef _WIN64
static const _DecodeType dt = Decode64Bits;
#else
static const _DecodeType dt = Decode32Bits;
#endif
/*
* Open a new process handle
*/
static bool openProcessHandle(DWORD dwPID);
static HANDLE NativeOpenProcess(DWORD dwDesiredAccess, DWORD dwProcessId);
static void closeProcessHandle();
/*
* Get all modules from a process
*/
static bool getProcessModules(HANDLE hProcess, std::vector<ModuleInfo> & moduleList);
/*
* file mapping view with different access level
*/
static LPVOID createFileMappingViewRead(const WCHAR* filePath);
static LPVOID createFileMappingViewFull(const WCHAR* filePath);
/*
* Create a file mapping view of a file
*/
static LPVOID createFileMappingView(const WCHAR* filePath, DWORD accessFile, DWORD flProtect, DWORD accessMap);
/*
* Read memory from target process
*/
static bool readMemoryFromProcess(DWORD_PTR address, SIZE_T size, LPVOID dataBuffer);
static bool writeMemoryToProcess(DWORD_PTR address, SIZE_T size, LPVOID dataBuffer);
/*
* Read memory from target process and ignore no data pages
*/
static bool readMemoryPartlyFromProcess(DWORD_PTR address, SIZE_T size, LPVOID dataBuffer);
/*
* Read memory from file
*/
static bool readMemoryFromFile(HANDLE hFile, LONG offset, DWORD size, LPVOID dataBuffer);
/*
* Write memory to file
*/
static bool writeMemoryToFile(HANDLE hFile, LONG offset, DWORD size, LPCVOID dataBuffer);
/*
* Write memory to new file
*/
static bool writeMemoryToNewFile(const WCHAR* file, DWORD size, LPCVOID dataBuffer);
/*
* Write memory to file end
*/
static bool writeMemoryToFileEnd(HANDLE hFile, DWORD size, LPCVOID dataBuffer);
/*
* Disassemble Memory
*/
static bool disassembleMemory(BYTE* dataBuffer, SIZE_T bufferSize, DWORD_PTR startOffset);
static bool decomposeMemory(BYTE* dataBuffer, SIZE_T bufferSize, DWORD_PTR startAddress);
/*
* Search for pattern
*/
static DWORD_PTR findPattern(DWORD_PTR startOffset, DWORD size, BYTE* pattern, const char* mask);
/*
* Get process ID by process name
*/
static DWORD getProcessByName(const WCHAR* processName);
/*
* Get memory region from address
*/
static bool getMemoryRegionFromAddress(DWORD_PTR address, DWORD_PTR* memoryRegionBase, SIZE_T* memoryRegionSize);
/*
* Read PE Header from file
*/
static bool readHeaderFromFile(BYTE* buffer, DWORD bufferSize, const WCHAR* filePath);
static bool readHeaderFromCurrentFile(const WCHAR* filePath);
/*
* Get real sizeOfImage value
*/
static SIZE_T getSizeOfImageProcess(HANDLE processHandle, DWORD_PTR moduleBase);
/*
* Get real sizeOfImage value current process
*/
static bool getSizeOfImageCurrentProcess();
static LONGLONG getFileSize(HANDLE hFile);
static LONGLONG getFileSize(const WCHAR* filePath);
static DWORD getEntryPointFromFile(const WCHAR* filePath);
static bool createBackupFile(const WCHAR* filePath);
static DWORD getModuleHandlesFromProcess(const HANDLE hProcess, HMODULE** hMods);
static void setCurrentProcessAsTarget();
static bool suspendProcess();
static bool resumeProcess();
static bool terminateProcess();
static bool isPageExecutable(DWORD Protect);
static bool isPageAccessable(DWORD Protect);
static SIZE_T getSizeOfImageProcessNative(HANDLE processHandle, DWORD_PTR moduleBase);
};

291
scylla_wrapper/ProcessLister.cpp
View File

@ -1,291 +0,0 @@
#include "stdafx.h"
#include "ProcessLister.h"
#include "SystemInformation.h"
#include "ProcessAccessHelp.h"
#include <algorithm>
//#define DEBUG_COMMENTS
def_IsWow64Process ProcessLister::_IsWow64Process = 0;
std::vector<Process> & ProcessLister::getProcessList()
{
return processList;
}
bool ProcessLister::isWindows64()
{
#ifdef _WIN64
//compiled 64bit application
return true;
#else
//32bit exe, check wow64
BOOL bIsWow64 = FALSE;
//not available in all windows operating systems
//Minimum supported client: Windows Vista, Windows XP with SP2
//Minimum supported server: Windows Server 2008, Windows Server 2003 with SP1
if(_IsWow64Process)
{
_IsWow64Process(GetCurrentProcess(), &bIsWow64);
if(bIsWow64 != FALSE)
{
return true;
}
else
{
return false;
}
}
else
{
return false;
}
#endif
}
//only needed in windows xp
DWORD ProcessLister::setDebugPrivileges()
{
DWORD err = 0;
HANDLE hToken = 0;
TOKEN_PRIVILEGES Debug_Privileges = {0};
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Debug_Privileges.Privileges[0].Luid))
{
return GetLastError();
}
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
err = GetLastError();
if(hToken) CloseHandle(hToken);
return err;
}
Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
Debug_Privileges.PrivilegeCount = 1;
AdjustTokenPrivileges(hToken, false, &Debug_Privileges, 0, NULL, NULL);
CloseHandle(hToken);
return GetLastError();
}
/************************************************************************/
/* Check if a process is 32 or 64bit */
/************************************************************************/
ProcessType ProcessLister::checkIsProcess64(HANDLE hProcess)
{
BOOL bIsWow64 = FALSE;
if(!hProcess)
{
return PROCESS_MISSING_RIGHTS;
}
if(!isWindows64())
{
//32bit win can only run 32bit process
return PROCESS_32;
}
_IsWow64Process(hProcess, &bIsWow64);
if(bIsWow64 == FALSE)
{
//process not running under wow
return PROCESS_64;
}
else
{
//process running under wow -> 32bit
return PROCESS_32;
}
}
bool ProcessLister::getAbsoluteFilePath(HANDLE hProcess, Process* process)
{
WCHAR processPath[MAX_PATH];
bool retVal = false;
wcscpy_s(process->fullPath, L"Unknown path");
if(!hProcess)
{
//missing rights
return false;
}
if(GetProcessImageFileNameW(hProcess, processPath, _countof(processPath)) > 0)
{
if(!deviceNameResolver->resolveDeviceLongNameToShort(processPath, process->fullPath))
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getAbsoluteFilePath :: resolveDeviceLongNameToShort failed with path %s", processPath);
#endif
//some virtual volumes
if(GetModuleFileNameExW(hProcess, 0, process->fullPath, _countof(process->fullPath)) != 0)
{
retVal = true;
}
}
else
{
retVal = true;
}
}
else
{
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"getAbsoluteFilePath :: GetProcessImageFileName failed %u", GetLastError());
#endif
if(GetModuleFileNameExW(hProcess, 0, process->fullPath, _countof(process->fullPath)) != 0)
{
retVal = true;
}
}
return retVal;
}
std::vector<Process> & ProcessLister::getProcessListSnapshotNative()
{
ULONG retLength = 0;
ULONG bufferLength = 1;
PSYSTEM_PROCESS_INFORMATION pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
PSYSTEM_PROCESS_INFORMATION pIter;
if(!processList.empty())
{
//clear elements, but keep reversed memory
processList.clear();
}
else
{
//first time, reserve memory
processList.reserve(34);
}
if(NativeWinApi::NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) == STATUS_INFO_LENGTH_MISMATCH)
{
free(pBuffer);
bufferLength = retLength + sizeof(SYSTEM_PROCESS_INFORMATION);
pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
if(!pBuffer)
return processList;
if(NativeWinApi::NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) != STATUS_SUCCESS)
{
return processList;
}
}
else
{
return processList;
}
pIter = pBuffer;
while(TRUE)
{
if(pIter->UniqueProcessId > (HANDLE)4) //small filter
{
handleProcessInformationAndAddToList(pIter);
}
if(pIter->NextEntryOffset == 0)
{
break;
}
else
{
pIter = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pIter + (DWORD_PTR)pIter->NextEntryOffset);
}
}
std::reverse(processList.begin(), processList.end()); //reverse process list
free(pBuffer);
return processList;
}
void ProcessLister::handleProcessInformationAndAddToList(PSYSTEM_PROCESS_INFORMATION pProcess)
{
Process process;
WCHAR tempProcessName[MAX_PATH * 2] = {0};
process.PID = (DWORD)(DWORD_PTR)pProcess->UniqueProcessId;
HANDLE hProcess = ProcessAccessHelp::NativeOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, process.PID);
if(hProcess)
{
ProcessType processType = checkIsProcess64(hProcess);
#ifdef _WIN64
if(processType == PROCESS_64)
#else
if(processType == PROCESS_32)
#endif
{
process.sessionId = pProcess->SessionId;
memcpy(tempProcessName, pProcess->ImageName.Buffer, pProcess->ImageName.Length);
wcscpy_s(process.filename, tempProcessName);
getAbsoluteFilePath(hProcess, &process);
process.pebAddress = getPebAddressFromProcess(hProcess);
getProcessImageInformation(hProcess, &process);
processList.push_back(process);
}
CloseHandle(hProcess);
}
}
void ProcessLister::getProcessImageInformation(HANDLE hProcess, Process* process)
{
DWORD_PTR readImagebase = 0;
process->imageBase = 0;
process->imageSize = 0;
if(hProcess && process->pebAddress)
{
PEB_CURRENT* peb = (PEB_CURRENT*)process->pebAddress;
if(ReadProcessMemory(hProcess, &peb->ImageBaseAddress, &readImagebase, sizeof(DWORD_PTR), 0))
{
process->imageBase = readImagebase;
process->imageSize = (DWORD)ProcessAccessHelp::getSizeOfImageProcess(hProcess, process->imageBase);
}
}
}
DWORD_PTR ProcessLister::getPebAddressFromProcess(HANDLE hProcess)
{
if(hProcess)
{
ULONG RequiredLen = 0;
void* PebAddress = 0;
PROCESS_BASIC_INFORMATION myProcessBasicInformation[5] = {0};
if(NativeWinApi::NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
{
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
}
else
{
if(NativeWinApi::NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
{
PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
}
}
return (DWORD_PTR)PebAddress;
}
return 0;
}

72
scylla_wrapper/ProcessLister.h
View File

@ -1,72 +0,0 @@
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <vector>
#include <Psapi.h>
#include "NativeWinApi.h"
#include "DeviceNameResolver.h"
typedef BOOL (WINAPI* def_IsWow64Process)(HANDLE hProcess, PBOOL Wow64Process);
class Process
{
public:
DWORD PID;
DWORD sessionId;
DWORD_PTR imageBase;
DWORD_PTR pebAddress;
DWORD entryPoint; //RVA without imagebase
DWORD imageSize;
WCHAR filename[MAX_PATH];
WCHAR fullPath[MAX_PATH];
Process()
{
PID = 0;
}
};
enum ProcessType
{
PROCESS_UNKNOWN,
PROCESS_MISSING_RIGHTS,
PROCESS_32,
PROCESS_64
};
class ProcessLister
{
public:
static def_IsWow64Process _IsWow64Process;
ProcessLister()
{
deviceNameResolver = new DeviceNameResolver();
_IsWow64Process = (def_IsWow64Process)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process");
}
~ProcessLister()
{
delete deviceNameResolver;
}
std::vector<Process> & getProcessList();
static bool isWindows64();
static DWORD setDebugPrivileges();
std::vector<Process> & getProcessListSnapshotNative();
private:
std::vector<Process> processList;
DeviceNameResolver* deviceNameResolver;
ProcessType checkIsProcess64(HANDLE hProcess);
bool getAbsoluteFilePath(HANDLE hProcess, Process* process);
void handleProcessInformationAndAddToList(PSYSTEM_PROCESS_INFORMATION pProcess);
void getProcessImageInformation(HANDLE hProcess, Process* process);
DWORD_PTR getPebAddressFromProcess(HANDLE hProcess);
};

122
scylla_wrapper/README.md
View File

@ -1,122 +0,0 @@
Source: https://bitbucket.org/cypherpunk/scylla_wrapper_dll
```
This is a wrapper around Scylla.
It exports functions for IAT fixing, dumping and PE rebuilding.
based on http://github.com/NtQuery/Scylla commit 0f6b7198be (v0.9.6b)
What has been changed:
- stripped all WTL/ATL dependencies
- stripped GUI (obviously)
```
## Exports ##
:::c++
//searches IAT, writes to iatStart, iatSize
int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
//reads the imports, iatAddr is VA
int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
//add a module manually, in case auto-search didnt get it, e.g scattered IAT
bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA);
//add API manually, in case auto-search didnt get it, e.g scattered IAT
bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA);
//are all imports valid?
bool scylla_importsValid();
//cut an Import, because its invalid or whatever reason. Calling this from within the invalidImportCallback will crash!
//Call it after scylla_getImports call returned !
bool scylla_cutImport(DWORD_PTR apiAddr);
//fix the dump
int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
//fix a mapped dump
int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap);
//get imported DLL count
int scylla_getModuleCount();
//get total API Imports count
int scylla_getImportCount();
//enumerate imports tree
void scylla_enumImportTree(LPVOID enumCallBack);
//size which the new IAT will consume
long scylla_estimatedIATSize();
//get thunkVA by API name
DWORD_PTR scylla_findImportWriteLocation(char* importName);
//get thunkVA by ordinal
DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber);
//get API name by thunkVA, cast return to char*
DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA);
//get DLL name by thunkVA, cast return to char*
DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA);
//dumps a process
bool scylla_dumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
bool scylla_dumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
//rebuilds a files PE header
bool scylla_rebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
bool scylla_rebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
## Return Codes ##
:::c++
const BYTE SCY_ERROR_SUCCESS = 0;
const BYTE SCY_ERROR_PROCOPEN = -1;
const BYTE SCY_ERROR_IATWRITE = -2;
const BYTE SCY_ERROR_IATSEARCH = -3;
const BYTE SCY_ERROR_IATNOTFOUND = -4;
## Usage ##
:::c++
typedef int (*SEARCHIAT) (DWORD, DWORD_PTR &, DWORD &, DWORD_PTR, bool);
typedef int (*GETIMPORTS) (DWORD_PTR, DWORD, DWORD, LPVOID);
typedef bool (*IMPORTSVALID) ();
typedef int (*FIXDUMP) (WCHAR*, WCHAR*);
HMODULE lib = LoadLibrary(_T("scylla_wrapper"));
SEARCHIAT searchIAT = (SEARCHIAT) GetProcAddress(lib, "scylla_searchIAT");
GETIMPORTS getImports = (GETIMPORTS) GetProcAddress(lib, "scylla_getImports");
IMPORTSVALID importsValid = (IMPORTSVALID) GetProcAddress(lib, "scylla_importsValid");
FIXDUMP fixDump = (FIXDUMP) GetProcAddress(lib, "scylla_fixDump");
DWORD iatStart = 0xDEADBEEF;
DWORD iatSize = 0xDEADBEEF;
int search = searchIAT(fdProcessInfo->dwProcessId, iatStart, iatSize, eip, false);
if(search==0) int imports = getImports(iatStart, iatSize, pid);
bool valid = importsValid();
if(valid) int fix = fixDump(dumpFileName, IatFixFileName);
## Definitions ##
:::c++
typedef void*(*fCallback)(LPVOID invalidImport);
//e.g.
void* cbInvalidImport(void* apiAddr)
typedef void(*fCallback)(LPVOID importDetail);
typedef struct
{
bool NewDll;
int NumberOfImports;
ULONG_PTR ImageBase;
ULONG_PTR BaseImportThunk;
ULONG_PTR ImportThunk;
char* APIName;
char* DLLName;
} ImportEnumData
//e.g. pointer on this struct used in scylla_enumImportTree as argument
void cbEnumImports(void* importDetail)
{
ImportEnumData* data = (ImportEnumData*)importDetail;
}
## Notes ##
```
The pre-compiled binaries and project standard uses _cdecl calling convention.
For assembly users, this means you have to push arguments from right-to-left onto the stack
and clean the stack yourself after calling.
#pragma pack(push,1) or compiler flag /Zp1 is needed for the struct members to be aligned correctly
```

19
scylla_wrapper/StringConversion.cpp
View File

@ -1,19 +0,0 @@
#include "stdafx.h"
#include "StringConversion.h"
#include <cstdlib>
//#include <atlbase.h>
//#include <atlconv.h>
const char* StringConversion::ToASCII(const wchar_t* str, char* buf, size_t bufsize)
{
size_t charsConverted = 0;
wcstombs_s(&charsConverted, buf, bufsize, str, _TRUNCATE);
return buf;
}
const wchar_t* StringConversion::ToUTF16(const char* str, wchar_t* buf, size_t bufsize)
{
size_t charsConverted = 0;
mbstowcs_s(&charsConverted, buf, bufsize, str, _TRUNCATE);
return buf;
}

9
scylla_wrapper/StringConversion.h
View File

@ -1,9 +0,0 @@
#pragma once
class StringConversion
{
public:
static const char* ToASCII(const wchar_t* str, char* buf, size_t bufsize);
static const wchar_t* ToUTF16(const char* str, wchar_t* buf, size_t bufsize);
};

80
scylla_wrapper/SystemInformation.cpp
View File

@ -1,80 +0,0 @@
#include "stdafx.h"
#include "SystemInformation.h"
OPERATING_SYSTEM SystemInformation::currenOS = UNKNOWN_OS;
bool SystemInformation::getSystemInformation()
{
RTL_OSVERSIONINFOW osvi = {0};
osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
SYSTEM_INFO si = {0};
def_GetNativeSystemInfo _GetNativeSystemInfo = 0;
typedef LONG(WINAPI * tRtlGetVersion)(PRTL_OSVERSIONINFOW);
tRtlGetVersion pRtlGetVersion = (tRtlGetVersion)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
if(!pRtlGetVersion)
return false;
if(pRtlGetVersion(&osvi) != 0)
return false;
if((osvi.dwMajorVersion < 5) || ((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 0)))
{
return false;
}
_GetNativeSystemInfo = (def_GetNativeSystemInfo)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetNativeSystemInfo");
if(_GetNativeSystemInfo)
{
_GetNativeSystemInfo(&si);
}
else
{
GetSystemInfo(&si);
}
bool isX64 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64;
bool isX86 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL;
DWORD major = osvi.dwMajorVersion;
DWORD minor = osvi.dwMinorVersion;
if(isX64 && major == 5 && minor == 2)
{
currenOS = WIN_XP_64;
}
else if(isX86 && major == 5 && minor == 1)
{
currenOS = WIN_XP_32;
}
else if(isX64 && major == 6 && minor == 0)
{
currenOS = WIN_VISTA_64;
}
else if(isX86 && major == 6 && minor == 0)
{
currenOS = WIN_VISTA_32;
}
else if(isX64 && major == 6 && minor == 1)
{
currenOS = WIN_7_64;
}
else if(isX86 && major == 6 && minor == 1)
{
currenOS = WIN_7_32;
}
else if(isX64 && major == 6 && minor == 2)
{
currenOS = WIN_8_64;
}
else if(isX86 && major == 6 && minor == 2)
{
currenOS = WIN_8_32;
}
else
{
currenOS = UNKNOWN_OS;
}
return (currenOS != UNKNOWN_OS);
}

26
scylla_wrapper/SystemInformation.h
View File

@ -1,26 +0,0 @@
#pragma once
#include <windows.h>
enum OPERATING_SYSTEM
{
UNKNOWN_OS,
WIN_XP_32,
WIN_XP_64,
WIN_VISTA_32,
WIN_VISTA_64,
WIN_7_32,
WIN_7_64,
WIN_8_32,
WIN_8_64
};
typedef void (WINAPI* def_GetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
class SystemInformation
{
public:
static OPERATING_SYSTEM currenOS;
static bool getSystemInformation();
};

40
scylla_wrapper/Thunks.cpp
View File

@ -1,40 +0,0 @@
#include "stdafx.h"
#include "Thunks.h"
void ImportThunk::invalidate()
{
ordinal = 0;
hint = 0;
valid = false;
suspect = false;
moduleName[0] = 0;
name[0] = 0;
}
bool ImportModuleThunk::isValid() const
{
std::map<DWORD_PTR, ImportThunk>::const_iterator iterator = thunkList.begin();
while(iterator != thunkList.end())
{
if(iterator->second.valid == false)
{
return false;
}
iterator++;
}
return true;
}
DWORD_PTR ImportModuleThunk::getFirstThunk() const
{
if(thunkList.size() > 0)
{
const std::map<DWORD_PTR, ImportThunk>::const_iterator iterator = thunkList.begin();
return iterator->first;
}
else
{
return 0;
}
}

36
scylla_wrapper/Thunks.h
View File

@ -1,36 +0,0 @@
#pragma once
#include <windows.h>
#include <map>
class ImportThunk
{
public:
WCHAR moduleName[MAX_PATH];
char name[MAX_PATH];
DWORD_PTR va;
DWORD_PTR rva;
WORD ordinal;
DWORD_PTR apiAddressVA;
WORD hint;
bool valid;
bool suspect;
DWORD_PTR key;
void invalidate();
};
class ImportModuleThunk
{
public:
WCHAR moduleName[MAX_PATH];
std::map<DWORD_PTR, ImportThunk> thunkList;
DWORD_PTR firstThunk;
DWORD_PTR key;
DWORD_PTR getFirstThunk() const;
bool isValid() const;
};

316
scylla_wrapper/mnemonics.h
View File

@ -1,316 +0,0 @@
/*
mnemonics.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef MNEMONICS_H
#define MNEMONICS_H
#ifdef __cplusplus
extern "C" {
#endif
#ifndef DISTORM_LIGHT
typedef struct WMnemonic
{
unsigned char length;
unsigned char p[1]; /* p is a null terminated string, which contains 'length' characters. */
} _WMnemonic;
typedef struct WRegister
{
unsigned int length;
unsigned char p[6]; /* p is a null terminated string. */
} _WRegister;
extern const unsigned char _MNEMONICS[];
extern const _WRegister _REGISTERS[];
#endif /* DISTORM_LIGHT */
#ifdef __cplusplus
} /* End Of Extern */
#endif
#define GET_REGISTER_NAME(r) (unsigned char*)_REGISTERS[(r)].p
#define GET_MNEMONIC_NAME(m) ((_WMnemonic*)&_MNEMONICS[(m)])->p
typedef enum
{
I_UNDEFINED = 0, I_AAA = 66, I_AAD = 389, I_AAM = 384, I_AAS = 76, I_ADC = 31, I_ADD = 11, I_ADDPD = 3110,
I_ADDPS = 3103, I_ADDSD = 3124, I_ADDSS = 3117, I_ADDSUBPD = 6394, I_ADDSUBPS = 6404,
I_AESDEC = 9209, I_AESDECLAST = 9226, I_AESENC = 9167, I_AESENCLAST = 9184,
I_AESIMC = 9150, I_AESKEYGENASSIST = 9795, I_AND = 41, I_ANDNPD = 3021, I_ANDNPS = 3013,
I_ANDPD = 2990, I_ANDPS = 2983, I_ARPL = 111, I_BLENDPD = 9372, I_BLENDPS = 9353,
I_BLENDVPD = 7619, I_BLENDVPS = 7609, I_BOUND = 104, I_BSF = 4346, I_BSR = 4358,
I_BSWAP = 960, I_BT = 872, I_BTC = 934, I_BTR = 912, I_BTS = 887, I_CALL = 456,
I_CALL_FAR = 260, I_CBW = 228, I_CDQ = 250, I_CDQE = 239, I_CLC = 492, I_CLD = 512,
I_CLFLUSH = 4329, I_CLGI = 1833, I_CLI = 502, I_CLTS = 541, I_CMC = 487, I_CMOVA = 694,
I_CMOVAE = 663, I_CMOVB = 656, I_CMOVBE = 686, I_CMOVG = 754, I_CMOVGE = 738,
I_CMOVL = 731, I_CMOVLE = 746, I_CMOVNO = 648, I_CMOVNP = 723, I_CMOVNS = 708,
I_CMOVNZ = 678, I_CMOVO = 641, I_CMOVP = 716, I_CMOVS = 701, I_CMOVZ = 671,
I_CMP = 71, I_CMPEQPD = 4449, I_CMPEQPS = 4370, I_CMPEQSD = 4607, I_CMPEQSS = 4528,
I_CMPLEPD = 4467, I_CMPLEPS = 4388, I_CMPLESD = 4625, I_CMPLESS = 4546, I_CMPLTPD = 4458,
I_CMPLTPS = 4379, I_CMPLTSD = 4616, I_CMPLTSS = 4537, I_CMPNEQPD = 4488, I_CMPNEQPS = 4409,
I_CMPNEQSD = 4646, I_CMPNEQSS = 4567, I_CMPNLEPD = 4508, I_CMPNLEPS = 4429,
I_CMPNLESD = 4666, I_CMPNLESS = 4587, I_CMPNLTPD = 4498, I_CMPNLTPS = 4419,
I_CMPNLTSD = 4656, I_CMPNLTSS = 4577, I_CMPORDPD = 4518, I_CMPORDPS = 4439,
I_CMPORDSD = 4676, I_CMPORDSS = 4597, I_CMPS = 301, I_CMPUNORDPD = 4476, I_CMPUNORDPS = 4397,
I_CMPUNORDSD = 4634, I_CMPUNORDSS = 4555, I_CMPXCHG = 898, I_CMPXCHG16B = 6373,
I_CMPXCHG8B = 6362, I_COMISD = 2779, I_COMISS = 2771, I_CPUID = 865, I_CQO = 255,
I_CRC32 = 9258, I_CVTDQ2PD = 6787, I_CVTDQ2PS = 3307, I_CVTPD2DQ = 6797, I_CVTPD2PI = 2681,
I_CVTPD2PS = 3233, I_CVTPH2PS = 4161, I_CVTPI2PD = 2495, I_CVTPI2PS = 2485,
I_CVTPS2DQ = 3317, I_CVTPS2PD = 3223, I_CVTPS2PH = 4171, I_CVTPS2PI = 2671,
I_CVTSD2SI = 2701, I_CVTSD2SS = 3253, I_CVTSI2SD = 2515, I_CVTSI2SS = 2505,
I_CVTSS2SD = 3243, I_CVTSS2SI = 2691, I_CVTTPD2DQ = 6776, I_CVTTPD2PI = 2614,
I_CVTTPS2DQ = 3327, I_CVTTPS2PI = 2603, I_CVTTSD2SI = 2636, I_CVTTSS2SI = 2625,
I_CWD = 245, I_CWDE = 233, I_DAA = 46, I_DAS = 56, I_DEC = 86, I_DIV = 1630,
I_DIVPD = 3499, I_DIVPS = 3492, I_DIVSD = 3513, I_DIVSS = 3506, I_DPPD = 9615,
I_DPPS = 9602, I_EMMS = 4100, I_ENTER = 340, I_EXTRACTPS = 9480, I_EXTRQ = 4136,
I_F2XM1 = 1176, I_FABS = 1107, I_FADD = 1007, I_FADDP = 1533, I_FBLD = 1585,
I_FBSTP = 1591, I_FCHS = 1101, I_FCLEX = 7289, I_FCMOVB = 1360, I_FCMOVBE = 1376,
I_FCMOVE = 1368, I_FCMOVNB = 1429, I_FCMOVNBE = 1447, I_FCMOVNE = 1438, I_FCMOVNU = 1457,
I_FCMOVU = 1385, I_FCOM = 1019, I_FCOMI = 1496, I_FCOMIP = 1607, I_FCOMP = 1025,
I_FCOMPP = 1547, I_FCOS = 1295, I_FDECSTP = 1222, I_FDIV = 1045, I_FDIVP = 1578,
I_FDIVR = 1051, I_FDIVRP = 1570, I_FEDISI = 1472, I_FEMMS = 574, I_FENI = 1466,
I_FFREE = 1511, I_FIADD = 1301, I_FICOM = 1315, I_FICOMP = 1322, I_FIDIV = 1345,
I_FIDIVR = 1352, I_FILD = 1402, I_FIMUL = 1308, I_FINCSTP = 1231, I_FINIT = 7304,
I_FIST = 1416, I_FISTP = 1422, I_FISTTP = 1408, I_FISUB = 1330, I_FISUBR = 1337,
I_FLD = 1058, I_FLD1 = 1125, I_FLDCW = 1082, I_FLDENV = 1074, I_FLDL2E = 1139,
I_FLDL2T = 1131, I_FLDLG2 = 1154, I_FLDLN2 = 1162, I_FLDPI = 1147, I_FLDZ = 1170,
I_FMUL = 1013, I_FMULP = 1540, I_FNCLEX = 7281, I_FNINIT = 7296, I_FNOP = 1095,
I_FNSAVE = 7311, I_FNSTCW = 7266, I_FNSTENV = 7249, I_FNSTSW = 7326, I_FPATAN = 1197,
I_FPREM = 1240, I_FPREM1 = 1214, I_FPTAN = 1190, I_FRNDINT = 1272, I_FRSTOR = 1503,
I_FSAVE = 7319, I_FSCALE = 1281, I_FSETPM = 1480, I_FSIN = 1289, I_FSINCOS = 1263,
I_FSQRT = 1256, I_FST = 1063, I_FSTCW = 7274, I_FSTENV = 7258, I_FSTP = 1068,
I_FSTSW = 7334, I_FSUB = 1032, I_FSUBP = 1563, I_FSUBR = 1038, I_FSUBRP = 1555,
I_FTST = 1113, I_FUCOM = 1518, I_FUCOMI = 1488, I_FUCOMIP = 1598, I_FUCOMP = 1525,
I_FUCOMPP = 1393, I_FXAM = 1119, I_FXCH = 1089, I_FXRSTOR = 9892, I_FXRSTOR64 = 9901,
I_FXSAVE = 9864, I_FXSAVE64 = 9872, I_FXTRACT = 1205, I_FYL2X = 1183, I_FYL2XP1 = 1247,
I_GETSEC = 633, I_HADDPD = 4181, I_HADDPS = 4189, I_HLT = 482, I_HSUBPD = 4215,
I_HSUBPS = 4223, I_IDIV = 1635, I_IMUL = 117, I_IN = 447, I_INC = 81, I_INS = 123,
I_INSERTPS = 9547, I_INSERTQ = 4143, I_INT = 367, I_INT_3 = 360, I_INT1 = 476,
I_INTO = 372, I_INVD = 555, I_INVEPT = 8284, I_INVLPG = 1711, I_INVLPGA = 1847,
I_INVPCID = 8301, I_INVVPID = 8292, I_IRET = 378, I_JA = 166, I_JAE = 147,
I_JB = 143, I_JBE = 161, I_JCXZ = 427, I_JECXZ = 433, I_JG = 202, I_JGE = 192,
I_JL = 188, I_JLE = 197, I_JMP = 462, I_JMP_FAR = 467, I_JNO = 138, I_JNP = 183,
I_JNS = 174, I_JNZ = 156, I_JO = 134, I_JP = 179, I_JRCXZ = 440, I_JS = 170,
I_JZ = 152, I_LAHF = 289, I_LAR = 522, I_LDDQU = 6994, I_LDMXCSR = 9922, I_LDS = 335,
I_LEA = 223, I_LEAVE = 347, I_LES = 330, I_LFENCE = 4265, I_LFS = 917, I_LGDT = 1687,
I_LGS = 922, I_LIDT = 1693, I_LLDT = 1652, I_LMSW = 1705, I_LODS = 313, I_LOOP = 421,
I_LOOPNZ = 406, I_LOOPZ = 414, I_LSL = 527, I_LSS = 907, I_LTR = 1658, I_LZCNT = 4363,
I_MASKMOVDQU = 7119, I_MASKMOVQ = 7109, I_MAXPD = 3559, I_MAXPS = 3552, I_MAXSD = 3573,
I_MAXSS = 3566, I_MFENCE = 4291, I_MINPD = 3439, I_MINPS = 3432, I_MINSD = 3453,
I_MINSS = 3446, I_MONITOR = 1755, I_MOV = 218, I_MOVAPD = 2459, I_MOVAPS = 2451,
I_MOVBE = 9251, I_MOVD = 3920, I_MOVDDUP = 2186, I_MOVDQ2Q = 6522, I_MOVDQA = 3946,
I_MOVDQU = 3954, I_MOVHLPS = 2151, I_MOVHPD = 2345, I_MOVHPS = 2337, I_MOVLHPS = 2328,
I_MOVLPD = 2168, I_MOVLPS = 2160, I_MOVMSKPD = 2815, I_MOVMSKPS = 2805, I_MOVNTDQ = 6849,
I_MOVNTDQA = 7895, I_MOVNTI = 952, I_MOVNTPD = 2556, I_MOVNTPS = 2547, I_MOVNTQ = 6841,
I_MOVNTSD = 2574, I_MOVNTSS = 2565, I_MOVQ = 3926, I_MOVQ2DQ = 6513, I_MOVS = 295,
I_MOVSD = 2110, I_MOVSHDUP = 2353, I_MOVSLDUP = 2176, I_MOVSS = 2103, I_MOVSX = 939,
I_MOVSXD = 10013, I_MOVUPD = 2095, I_MOVUPS = 2087, I_MOVZX = 927, I_MPSADBW = 9628,
I_MUL = 1625, I_MULPD = 3170, I_MULPS = 3163, I_MULSD = 3184, I_MULSS = 3177,
I_MWAIT = 1764, I_NEG = 1620, I_NOP = 581, I_NOT = 1615, I_OR = 27, I_ORPD = 3053,
I_ORPS = 3047, I_OUT = 451, I_OUTS = 128, I_PABSB = 7688, I_PABSD = 7718, I_PABSW = 7703,
I_PACKSSDW = 3849, I_PACKSSWB = 3681, I_PACKUSDW = 7916, I_PACKUSWB = 3759,
I_PADDB = 7204, I_PADDD = 7234, I_PADDQ = 6481, I_PADDSB = 6930, I_PADDSW = 6947,
I_PADDUSB = 6620, I_PADDUSW = 6639, I_PADDW = 7219, I_PALIGNR = 9410, I_PAND = 6607,
I_PANDN = 6665, I_PAUSE = 10021, I_PAVGB = 6680, I_PAVGUSB = 2078, I_PAVGW = 6725,
I_PBLENDVB = 7599, I_PBLENDW = 9391, I_PCLMULQDQ = 9647, I_PCMPEQB = 4043,
I_PCMPEQD = 4081, I_PCMPEQQ = 7876, I_PCMPEQW = 4062, I_PCMPESTRI = 9726,
I_PCMPESTRM = 9703, I_PCMPGTB = 3702, I_PCMPGTD = 3740, I_PCMPGTQ = 8087,
I_PCMPGTW = 3721, I_PCMPISTRI = 9772, I_PCMPISTRM = 9749, I_PEXTRB = 9429,
I_PEXTRD = 9446, I_PEXTRQ = 9454, I_PEXTRW = 6311, I_PF2ID = 1914, I_PF2IW = 1907,
I_PFACC = 2028, I_PFADD = 1977, I_PFCMPEQ = 2035, I_PFCMPGE = 1938, I_PFCMPGT = 1984,
I_PFMAX = 1993, I_PFMIN = 1947, I_PFMUL = 2044, I_PFNACC = 1921, I_PFPNACC = 1929,
I_PFRCP = 1954, I_PFRCPIT1 = 2000, I_PFRCPIT2 = 2051, I_PFRSQIT1 = 2010, I_PFRSQRT = 1961,
I_PFSUB = 1970, I_PFSUBR = 2020, I_PHADDD = 7375, I_PHADDSW = 7392, I_PHADDW = 7358,
I_PHMINPOSUW = 8259, I_PHSUBD = 7451, I_PHSUBSW = 7468, I_PHSUBW = 7434, I_PI2FD = 1900,
I_PI2FW = 1893, I_PINSRB = 9530, I_PINSRD = 9568, I_PINSRQ = 9576, I_PINSRW = 6294,
I_PMADDUBSW = 7411, I_PMADDWD = 7073, I_PMAXSB = 8174, I_PMAXSD = 8191, I_PMAXSW = 6964,
I_PMAXUB = 6648, I_PMAXUD = 8225, I_PMAXUW = 8208, I_PMINSB = 8106, I_PMINSD = 8123,
I_PMINSW = 6902, I_PMINUB = 6590, I_PMINUD = 8157, I_PMINUW = 8140, I_PMOVMSKB = 6531,
I_PMOVSXBD = 7754, I_PMOVSXBQ = 7775, I_PMOVSXBW = 7733, I_PMOVSXDQ = 7838,
I_PMOVSXWD = 7796, I_PMOVSXWQ = 7817, I_PMOVZXBD = 7982, I_PMOVZXBQ = 8003,
I_PMOVZXBW = 7961, I_PMOVZXDQ = 8066, I_PMOVZXWD = 8024, I_PMOVZXWQ = 8045,
I_PMULDQ = 7859, I_PMULHRSW = 7538, I_PMULHRW = 2061, I_PMULHUW = 6740, I_PMULHW = 6759,
I_PMULLD = 8242, I_PMULLW = 6496, I_PMULUDQ = 7054, I_POP = 22, I_POPA = 98,
I_POPCNT = 4338, I_POPF = 277, I_POR = 6919, I_PREFETCH = 1872, I_PREFETCHNTA = 2402,
I_PREFETCHT0 = 2415, I_PREFETCHT1 = 2427, I_PREFETCHT2 = 2439, I_PREFETCHW = 1882,
I_PSADBW = 7092, I_PSHUFB = 7341, I_PSHUFD = 3988, I_PSHUFHW = 3996, I_PSHUFLW = 4005,
I_PSHUFW = 3980, I_PSIGNB = 7487, I_PSIGND = 7521, I_PSIGNW = 7504, I_PSLLD = 7024,
I_PSLLDQ = 9847, I_PSLLQ = 7039, I_PSLLW = 7009, I_PSRAD = 6710, I_PSRAW = 6695,
I_PSRLD = 6451, I_PSRLDQ = 9830, I_PSRLQ = 6466, I_PSRLW = 6436, I_PSUBB = 7144,
I_PSUBD = 7174, I_PSUBQ = 7189, I_PSUBSB = 6868, I_PSUBSW = 6885, I_PSUBUSB = 6552,
I_PSUBUSW = 6571, I_PSUBW = 7159, I_PSWAPD = 2070, I_PTEST = 7629, I_PUNPCKHBW = 3780,
I_PUNPCKHDQ = 3826, I_PUNPCKHQDQ = 3895, I_PUNPCKHWD = 3803, I_PUNPCKLBW = 3612,
I_PUNPCKLDQ = 3658, I_PUNPCKLQDQ = 3870, I_PUNPCKLWD = 3635, I_PUSH = 16,
I_PUSHA = 91, I_PUSHF = 270, I_PXOR = 6981, I_RCL = 977, I_RCPPS = 2953, I_RCPSS = 2960,
I_RCR = 982, I_RDFSBASE = 9882, I_RDGSBASE = 9912, I_RDMSR = 600, I_RDPMC = 607,
I_RDRAND = 9980, I_RDTSC = 593, I_RDTSCP = 1864, I_RET = 325, I_RETF = 354,
I_ROL = 967, I_ROR = 972, I_ROUNDPD = 9296, I_ROUNDPS = 9277, I_ROUNDSD = 9334,
I_ROUNDSS = 9315, I_RSM = 882, I_RSQRTPS = 2915, I_RSQRTSS = 2924, I_SAHF = 283,
I_SAL = 997, I_SALC = 394, I_SAR = 1002, I_SBB = 36, I_SCAS = 319, I_SETA = 807,
I_SETAE = 780, I_SETB = 774, I_SETBE = 800, I_SETG = 859, I_SETGE = 845, I_SETL = 839,
I_SETLE = 852, I_SETNO = 767, I_SETNP = 832, I_SETNS = 819, I_SETNZ = 793,
I_SETO = 761, I_SETP = 826, I_SETS = 813, I_SETZ = 787, I_SFENCE = 4321, I_SGDT = 1675,
I_SHL = 987, I_SHLD = 876, I_SHR = 992, I_SHRD = 892, I_SHUFPD = 6336, I_SHUFPS = 6328,
I_SIDT = 1681, I_SKINIT = 1839, I_SLDT = 1641, I_SMSW = 1699, I_SQRTPD = 2855,
I_SQRTPS = 2847, I_SQRTSD = 2871, I_SQRTSS = 2863, I_STC = 497, I_STD = 517,
I_STGI = 1827, I_STI = 507, I_STMXCSR = 9951, I_STOS = 307, I_STR = 1647, I_SUB = 51,
I_SUBPD = 3379, I_SUBPS = 3372, I_SUBSD = 3393, I_SUBSS = 3386, I_SWAPGS = 1856,
I_SYSCALL = 532, I_SYSENTER = 614, I_SYSEXIT = 624, I_SYSRET = 547, I_TEST = 206,
I_TZCNT = 4351, I_UCOMISD = 2742, I_UCOMISS = 2733, I_UD2 = 569, I_UNPCKHPD = 2296,
I_UNPCKHPS = 2286, I_UNPCKLPD = 2254, I_UNPCKLPS = 2244, I_VADDPD = 3139,
I_VADDPS = 3131, I_VADDSD = 3155, I_VADDSS = 3147, I_VADDSUBPD = 6414, I_VADDSUBPS = 6425,
I_VAESDEC = 9217, I_VAESDECLAST = 9238, I_VAESENC = 9175, I_VAESENCLAST = 9196,
I_VAESIMC = 9158, I_VAESKEYGENASSIST = 9812, I_VANDNPD = 3038, I_VANDNPS = 3029,
I_VANDPD = 3005, I_VANDPS = 2997, I_VBLENDPD = 9381, I_VBLENDPS = 9362, I_VBLENDVPD = 9681,
I_VBLENDVPS = 9670, I_VBROADCASTF128 = 7672, I_VBROADCASTSD = 7658, I_VBROADCASTSS = 7644,
I_VCMPEQPD = 5088, I_VCMPEQPS = 4686, I_VCMPEQSD = 5892, I_VCMPEQSS = 5490,
I_VCMPEQ_OSPD = 5269, I_VCMPEQ_OSPS = 4867, I_VCMPEQ_OSSD = 6073, I_VCMPEQ_OSSS = 5671,
I_VCMPEQ_UQPD = 5175, I_VCMPEQ_UQPS = 4773, I_VCMPEQ_UQSD = 5979, I_VCMPEQ_UQSS = 5577,
I_VCMPEQ_USPD = 5378, I_VCMPEQ_USPS = 4976, I_VCMPEQ_USSD = 6182, I_VCMPEQ_USSS = 5780,
I_VCMPFALSEPD = 5210, I_VCMPFALSEPS = 4808, I_VCMPFALSESD = 6014, I_VCMPFALSESS = 5612,
I_VCMPFALSE_OSPD = 5419, I_VCMPFALSE_OSPS = 5017, I_VCMPFALSE_OSSD = 6223,
I_VCMPFALSE_OSSS = 5821, I_VCMPGEPD = 5237, I_VCMPGEPS = 4835, I_VCMPGESD = 6041,
I_VCMPGESS = 5639, I_VCMPGE_OQPD = 5449, I_VCMPGE_OQPS = 5047, I_VCMPGE_OQSD = 6253,
I_VCMPGE_OQSS = 5851, I_VCMPGTPD = 5247, I_VCMPGTPS = 4845, I_VCMPGTSD = 6051,
I_VCMPGTSS = 5649, I_VCMPGT_OQPD = 5462, I_VCMPGT_OQPS = 5060, I_VCMPGT_OQSD = 6266,
I_VCMPGT_OQSS = 5864, I_VCMPLEPD = 5108, I_VCMPLEPS = 4706, I_VCMPLESD = 5912,
I_VCMPLESS = 5510, I_VCMPLE_OQPD = 5295, I_VCMPLE_OQPS = 4893, I_VCMPLE_OQSD = 6099,
I_VCMPLE_OQSS = 5697, I_VCMPLTPD = 5098, I_VCMPLTPS = 4696, I_VCMPLTSD = 5902,
I_VCMPLTSS = 5500, I_VCMPLT_OQPD = 5282, I_VCMPLT_OQPS = 4880, I_VCMPLT_OQSD = 6086,
I_VCMPLT_OQSS = 5684, I_VCMPNEQPD = 5131, I_VCMPNEQPS = 4729, I_VCMPNEQSD = 5935,
I_VCMPNEQSS = 5533, I_VCMPNEQ_OQPD = 5223, I_VCMPNEQ_OQPS = 4821, I_VCMPNEQ_OQSD = 6027,
I_VCMPNEQ_OQSS = 5625, I_VCMPNEQ_OSPD = 5435, I_VCMPNEQ_OSPS = 5033, I_VCMPNEQ_OSSD = 6239,
I_VCMPNEQ_OSSS = 5837, I_VCMPNEQ_USPD = 5323, I_VCMPNEQ_USPS = 4921, I_VCMPNEQ_USSD = 6127,
I_VCMPNEQ_USSS = 5725, I_VCMPNGEPD = 5188, I_VCMPNGEPS = 4786, I_VCMPNGESD = 5992,
I_VCMPNGESS = 5590, I_VCMPNGE_UQPD = 5391, I_VCMPNGE_UQPS = 4989, I_VCMPNGE_UQSD = 6195,
I_VCMPNGE_UQSS = 5793, I_VCMPNGTPD = 5199, I_VCMPNGTPS = 4797, I_VCMPNGTSD = 6003,
I_VCMPNGTSS = 5601, I_VCMPNGT_UQPD = 5405, I_VCMPNGT_UQPS = 5003, I_VCMPNGT_UQSD = 6209,
I_VCMPNGT_UQSS = 5807, I_VCMPNLEPD = 5153, I_VCMPNLEPS = 4751, I_VCMPNLESD = 5957,
I_VCMPNLESS = 5555, I_VCMPNLE_UQPD = 5351, I_VCMPNLE_UQPS = 4949, I_VCMPNLE_UQSD = 6155,
I_VCMPNLE_UQSS = 5753, I_VCMPNLTPD = 5142, I_VCMPNLTPS = 4740, I_VCMPNLTSD = 5946,
I_VCMPNLTSS = 5544, I_VCMPNLT_UQPD = 5337, I_VCMPNLT_UQPS = 4935, I_VCMPNLT_UQSD = 6141,
I_VCMPNLT_UQSS = 5739, I_VCMPORDPD = 5164, I_VCMPORDPS = 4762, I_VCMPORDSD = 5968,
I_VCMPORDSS = 5566, I_VCMPORD_SPD = 5365, I_VCMPORD_SPS = 4963, I_VCMPORD_SSD = 6169,
I_VCMPORD_SSS = 5767, I_VCMPTRUEPD = 5257, I_VCMPTRUEPS = 4855, I_VCMPTRUESD = 6061,
I_VCMPTRUESS = 5659, I_VCMPTRUE_USPD = 5475, I_VCMPTRUE_USPS = 5073, I_VCMPTRUE_USSD = 6279,
I_VCMPTRUE_USSS = 5877, I_VCMPUNORDPD = 5118, I_VCMPUNORDPS = 4716, I_VCMPUNORDSD = 5922,
I_VCMPUNORDSS = 5520, I_VCMPUNORD_SPD = 5308, I_VCMPUNORD_SPS = 4906, I_VCMPUNORD_SSD = 6112,
I_VCMPUNORD_SSS = 5710, I_VCOMISD = 2796, I_VCOMISS = 2787, I_VCVTDQ2PD = 6819,
I_VCVTDQ2PS = 3338, I_VCVTPD2DQ = 6830, I_VCVTPD2PS = 3274, I_VCVTPS2DQ = 3349,
I_VCVTPS2PD = 3263, I_VCVTSD2SI = 2722, I_VCVTSD2SS = 3296, I_VCVTSI2SD = 2536,
I_VCVTSI2SS = 2525, I_VCVTSS2SD = 3285, I_VCVTSS2SI = 2711, I_VCVTTPD2DQ = 6807,
I_VCVTTPS2DQ = 3360, I_VCVTTSD2SI = 2659, I_VCVTTSS2SI = 2647, I_VDIVPD = 3528,
I_VDIVPS = 3520, I_VDIVSD = 3544, I_VDIVSS = 3536, I_VDPPD = 9621, I_VDPPS = 9608,
I_VERR = 1663, I_VERW = 1669, I_VEXTRACTF128 = 9516, I_VEXTRACTPS = 9491,
I_VFMADD132PD = 8387, I_VFMADD132PS = 8374, I_VFMADD132SD = 8413, I_VFMADD132SS = 8400,
I_VFMADD213PD = 8667, I_VFMADD213PS = 8654, I_VFMADD213SD = 8693, I_VFMADD213SS = 8680,
I_VFMADD231PD = 8947, I_VFMADD231PS = 8934, I_VFMADD231SD = 8973, I_VFMADD231SS = 8960,
I_VFMADDSUB132PD = 8326, I_VFMADDSUB132PS = 8310, I_VFMADDSUB213PD = 8606,
I_VFMADDSUB213PS = 8590, I_VFMADDSUB231PD = 8886, I_VFMADDSUB231PS = 8870,
I_VFMSUB132PD = 8439, I_VFMSUB132PS = 8426, I_VFMSUB132SD = 8465, I_VFMSUB132SS = 8452,
I_VFMSUB213PD = 8719, I_VFMSUB213PS = 8706, I_VFMSUB213SD = 8745, I_VFMSUB213SS = 8732,
I_VFMSUB231PD = 8999, I_VFMSUB231PS = 8986, I_VFMSUB231SD = 9025, I_VFMSUB231SS = 9012,
I_VFMSUBADD132PD = 8358, I_VFMSUBADD132PS = 8342, I_VFMSUBADD213PD = 8638,
I_VFMSUBADD213PS = 8622, I_VFMSUBADD231PD = 8918, I_VFMSUBADD231PS = 8902,
I_VFNMADD132PD = 8492, I_VFNMADD132PS = 8478, I_VFNMADD132SD = 8520, I_VFNMADD132SS = 8506,
I_VFNMADD213PD = 8772, I_VFNMADD213PS = 8758, I_VFNMADD213SD = 8800, I_VFNMADD213SS = 8786,
I_VFNMADD231PD = 9052, I_VFNMADD231PS = 9038, I_VFNMADD231SD = 9080, I_VFNMADD231SS = 9066,
I_VFNMSUB132PD = 8548, I_VFNMSUB132PS = 8534, I_VFNMSUB132SD = 8576, I_VFNMSUB132SS = 8562,
I_VFNMSUB213PD = 8828, I_VFNMSUB213PS = 8814, I_VFNMSUB213SD = 8856, I_VFNMSUB213SS = 8842,
I_VFNMSUB231PD = 9108, I_VFNMSUB231PS = 9094, I_VFNMSUB231SD = 9136, I_VFNMSUB231SS = 9122,
I_VHADDPD = 4197, I_VHADDPS = 4206, I_VHSUBPD = 4231, I_VHSUBPS = 4240, I_VINSERTF128 = 9503,
I_VINSERTPS = 9557, I_VLDDQU = 7001, I_VLDMXCSR = 9941, I_VMASKMOVDQU = 7131,
I_VMASKMOVPD = 7949, I_VMASKMOVPS = 7937, I_VMAXPD = 3588, I_VMAXPS = 3580,
I_VMAXSD = 3604, I_VMAXSS = 3596, I_VMCALL = 1719, I_VMCLEAR = 9997, I_VMFUNC = 1787,
I_VMINPD = 3468, I_VMINPS = 3460, I_VMINSD = 3484, I_VMINSS = 3476, I_VMLAUNCH = 1727,
I_VMLOAD = 1811, I_VMMCALL = 1802, I_VMOVAPD = 2476, I_VMOVAPS = 2467, I_VMOVD = 3932,
I_VMOVDDUP = 2234, I_VMOVDQA = 3962, I_VMOVDQU = 3971, I_VMOVHLPS = 2195,
I_VMOVHPD = 2382, I_VMOVHPS = 2373, I_VMOVLHPS = 2363, I_VMOVLPD = 2214, I_VMOVLPS = 2205,
I_VMOVMSKPD = 2836, I_VMOVMSKPS = 2825, I_VMOVNTDQ = 6858, I_VMOVNTDQA = 7905,
I_VMOVNTPD = 2593, I_VMOVNTPS = 2583, I_VMOVQ = 3939, I_VMOVSD = 2143, I_VMOVSHDUP = 2391,
I_VMOVSLDUP = 2223, I_VMOVSS = 2135, I_VMOVUPD = 2126, I_VMOVUPS = 2117, I_VMPSADBW = 9637,
I_VMPTRLD = 9988, I_VMPTRST = 6385, I_VMREAD = 4128, I_VMRESUME = 1737, I_VMRUN = 1795,
I_VMSAVE = 1819, I_VMULPD = 3199, I_VMULPS = 3191, I_VMULSD = 3215, I_VMULSS = 3207,
I_VMWRITE = 4152, I_VMXOFF = 1747, I_VMXON = 10006, I_VORPD = 3066, I_VORPS = 3059,
I_VPABSB = 7695, I_VPABSD = 7725, I_VPABSW = 7710, I_VPACKSSDW = 3859, I_VPACKSSWB = 3691,
I_VPACKUSDW = 7926, I_VPACKUSWB = 3769, I_VPADDB = 7211, I_VPADDD = 7241,
I_VPADDQ = 6488, I_VPADDSB = 6938, I_VPADDSW = 6955, I_VPADDUSW = 6629, I_VPADDW = 7226,
I_VPALIGNR = 9419, I_VPAND = 6613, I_VPANDN = 6672, I_VPAVGB = 6687, I_VPAVGW = 6732,
I_VPBLENDVB = 9692, I_VPBLENDW = 9400, I_VPCLMULQDQ = 9658, I_VPCMPEQB = 4052,
I_VPCMPEQD = 4090, I_VPCMPEQQ = 7885, I_VPCMPEQW = 4071, I_VPCMPESTRI = 9737,
I_VPCMPESTRM = 9714, I_VPCMPGTB = 3711, I_VPCMPGTD = 3749, I_VPCMPGTQ = 8096,
I_VPCMPGTW = 3730, I_VPCMPISTRI = 9783, I_VPCMPISTRM = 9760, I_VPERM2F128 = 9265,
I_VPERMILPD = 7570, I_VPERMILPS = 7559, I_VPEXTRB = 9437, I_VPEXTRD = 9462,
I_VPEXTRQ = 9471, I_VPEXTRW = 6319, I_VPHADDD = 7383, I_VPHADDSW = 7401, I_VPHADDW = 7366,
I_VPHMINPOSUW = 8271, I_VPHSUBD = 7459, I_VPHSUBSW = 7477, I_VPHSUBW = 7442,
I_VPINSRB = 9538, I_VPINSRD = 9584, I_VPINSRQ = 9593, I_VPINSRW = 6302, I_VPMADDUBSW = 7422,
I_VPMADDWD = 7082, I_VPMAXSB = 8182, I_VPMAXSD = 8199, I_VPMAXSW = 6972, I_VPMAXUB = 6656,
I_VPMAXUD = 8233, I_VPMAXUW = 8216, I_VPMINSB = 8114, I_VPMINSD = 8131, I_VPMINSW = 6910,
I_VPMINUB = 6598, I_VPMINUD = 8165, I_VPMINUW = 8148, I_VPMOVMSKB = 6541,
I_VPMOVSXBD = 7764, I_VPMOVSXBQ = 7785, I_VPMOVSXBW = 7743, I_VPMOVSXDQ = 7848,
I_VPMOVSXWD = 7806, I_VPMOVSXWQ = 7827, I_VPMOVZXBD = 7992, I_VPMOVZXBQ = 8013,
I_VPMOVZXBW = 7971, I_VPMOVZXDQ = 8076, I_VPMOVZXWD = 8034, I_VPMOVZXWQ = 8055,
I_VPMULDQ = 7867, I_VPMULHRSW = 7548, I_VPMULHUW = 6749, I_VPMULHW = 6767,
I_VPMULLD = 8250, I_VPMULLW = 6504, I_VPMULUDQ = 7063, I_VPOR = 6924, I_VPSADBW = 7100,
I_VPSHUFB = 7349, I_VPSHUFD = 4014, I_VPSHUFHW = 4023, I_VPSHUFLW = 4033,
I_VPSIGNB = 7495, I_VPSIGND = 7529, I_VPSIGNW = 7512, I_VPSLLD = 7031, I_VPSLLDQ = 9855,
I_VPSLLQ = 7046, I_VPSLLW = 7016, I_VPSRAD = 6717, I_VPSRAW = 6702, I_VPSRLD = 6458,
I_VPSRLDQ = 9838, I_VPSRLQ = 6473, I_VPSRLW = 6443, I_VPSUBB = 7151, I_VPSUBD = 7181,
I_VPSUBQ = 7196, I_VPSUBSB = 6876, I_VPSUBSW = 6893, I_VPSUBUSB = 6561, I_VPSUBUSW = 6580,
I_VPSUBW = 7166, I_VPTEST = 7636, I_VPUNPCKHBW = 3791, I_VPUNPCKHDQ = 3837,
I_VPUNPCKHQDQ = 3907, I_VPUNPCKHWD = 3814, I_VPUNPCKLBW = 3623, I_VPUNPCKLDQ = 3669,
I_VPUNPCKLQDQ = 3882, I_VPUNPCKLWD = 3646, I_VPXOR = 6987, I_VRCPPS = 2967,
I_VRCPSS = 2975, I_VROUNDPD = 9305, I_VROUNDPS = 9286, I_VROUNDSD = 9343,
I_VROUNDSS = 9324, I_VRSQRTPS = 2933, I_VRSQRTSS = 2943, I_VSHUFPD = 6353,
I_VSHUFPS = 6344, I_VSQRTPD = 2888, I_VSQRTPS = 2879, I_VSQRTSD = 2906, I_VSQRTSS = 2897,
I_VSTMXCSR = 9970, I_VSUBPD = 3408, I_VSUBPS = 3400, I_VSUBSD = 3424, I_VSUBSS = 3416,
I_VTESTPD = 7590, I_VTESTPS = 7581, I_VUCOMISD = 2761, I_VUCOMISS = 2751,
I_VUNPCKHPD = 2317, I_VUNPCKHPS = 2306, I_VUNPCKLPD = 2275, I_VUNPCKLPS = 2264,
I_VXORPD = 3095, I_VXORPS = 3087, I_VZEROALL = 4118, I_VZEROUPPER = 4106,
I_WAIT = 10028, I_WBINVD = 561, I_WRFSBASE = 9931, I_WRGSBASE = 9960, I_WRMSR = 586,
I_XADD = 946, I_XCHG = 212, I_XGETBV = 1771, I_XLAT = 400, I_XOR = 61, I_XORPD = 3080,
I_XORPS = 3073, I_XRSTOR = 4273, I_XRSTOR64 = 4281, I_XSAVE = 4249, I_XSAVE64 = 4256,
I_XSAVEOPT = 4299, I_XSAVEOPT64 = 4309, I_XSETBV = 1779, I__3DNOW = 10034
} _InstructionType;
typedef enum
{
R_RAX, R_RCX, R_RDX, R_RBX, R_RSP, R_RBP, R_RSI, R_RDI, R_R8, R_R9, R_R10, R_R11, R_R12, R_R13, R_R14, R_R15,
R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, R_R8D, R_R9D, R_R10D, R_R11D, R_R12D, R_R13D, R_R14D, R_R15D,
R_AX, R_CX, R_DX, R_BX, R_SP, R_BP, R_SI, R_DI, R_R8W, R_R9W, R_R10W, R_R11W, R_R12W, R_R13W, R_R14W, R_R15W,
R_AL, R_CL, R_DL, R_BL, R_AH, R_CH, R_DH, R_BH, R_R8B, R_R9B, R_R10B, R_R11B, R_R12B, R_R13B, R_R14B, R_R15B,
R_SPL, R_BPL, R_SIL, R_DIL,
R_ES, R_CS, R_SS, R_DS, R_FS, R_GS,
R_RIP,
R_ST0, R_ST1, R_ST2, R_ST3, R_ST4, R_ST5, R_ST6, R_ST7,
R_MM0, R_MM1, R_MM2, R_MM3, R_MM4, R_MM5, R_MM6, R_MM7,
R_XMM0, R_XMM1, R_XMM2, R_XMM3, R_XMM4, R_XMM5, R_XMM6, R_XMM7, R_XMM8, R_XMM9, R_XMM10, R_XMM11, R_XMM12, R_XMM13, R_XMM14, R_XMM15,
R_YMM0, R_YMM1, R_YMM2, R_YMM3, R_YMM4, R_YMM5, R_YMM6, R_YMM7, R_YMM8, R_YMM9, R_YMM10, R_YMM11, R_YMM12, R_YMM13, R_YMM14, R_YMM15,
R_CR0, R_UNUSED0, R_CR2, R_CR3, R_CR4, R_UNUSED1, R_UNUSED2, R_UNUSED3, R_CR8,
R_DR0, R_DR1, R_DR2, R_DR3, R_UNUSED4, R_UNUSED5, R_DR6, R_DR7
} _RegisterType;
#endif /* MNEMONICS_H */

660
scylla_wrapper/scylla_wrapper.cpp
View File

@ -1,660 +0,0 @@
/*
*
* Copyright (c) 2014
*
* cypher <the.cypher@gmail.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3 as
published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "stdafx.h"
#include "scylla_wrapper.h"
#include "ApiReader.h"
#include "ProcessLister.h"
#include "ImportRebuilder.h"
#include "IATSearch.h"
#include "StringConversion.h"
#include "SystemInformation.h"
static std::map<DWORD_PTR, ImportModuleThunk> moduleList;
static int moduleCount = 0;
static int importCount = 0;
void updateCounts()
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
moduleCount = 0;
importCount = 0;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
importCount++;
it_import++;
}
moduleCount++;
it_module++;
}
}
int scylla_searchIAT(DWORD pid, DWORD_PTR & iatStart, DWORD & iatSize, DWORD_PTR searchStart = 0xDEADBEEF, bool advancedSearch = false)
{
ApiReader apiReader;
DWORD_PTR searchAddress = 0;
DWORD_PTR addressIAT = 0, addressIATAdv = 0;
DWORD sizeIAT = 0, sizeIATAdv = 0;
IATSearch iatSearch;
ProcessLister processLister;
NativeWinApi::initialize();
SystemInformation::getSystemInformation();
//need to find correct process by PID
Process* processPtr = 0;
std::vector<Process> & processList = processLister.getProcessListSnapshotNative();
for(std::vector<Process>::iterator it = processList.begin(); it != processList.end(); ++it)
{
if(it->PID == pid)
{
processPtr = &(*it);
break;
}
}
if(!processPtr) return SCY_ERROR_PROCOPEN;
//init process access
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
if(!ProcessAccessHelp::openProcessHandle(processPtr->PID))
{
return SCY_ERROR_PROCOPEN;
}
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
ProcessAccessHelp::selectedModule = 0;
ProcessAccessHelp::targetSizeOfImage = ProcessAccessHelp::getSizeOfImageProcess(ProcessAccessHelp::hProcess, ProcessAccessHelp::targetImageBase);
ProcessAccessHelp::targetImageBase = processPtr->imageBase;
apiReader.readApisFromModuleList();
int retVal = SCY_ERROR_IATNOTFOUND;
//now actually do some searching
if(searchStart != 0xDEADBEEF)
{
searchAddress = searchStart;
if(searchAddress)
{
if(advancedSearch)
{
if(iatSearch.searchImportAddressTableInProcess(searchAddress, &addressIATAdv, &sizeIATAdv, true))
{
//Scylla::windowLog.log(L"IAT Search Advanced: IAT VA " PRINTF_DWORD_PTR_FULL L" RVA " PRINTF_DWORD_PTR_FULL L" Size 0x%04X (%d)", addressIATAdv, addressIATAdv - ProcessAccessHelp::targetImageBase, sizeIATAdv, sizeIATAdv);
iatStart = addressIATAdv;
iatSize = sizeIATAdv;
retVal = SCY_ERROR_SUCCESS;
}
}
if(iatSearch.searchImportAddressTableInProcess(searchAddress, &addressIAT, &sizeIAT, false))
{
//Scylla::windowLog.log(L"IAT Search Normal: IAT VA " PRINTF_DWORD_PTR_FULL L" RVA " PRINTF_DWORD_PTR_FULL L" Size 0x%04X (%d)", addressIAT, addressIAT - ProcessAccessHelp::targetImageBase, sizeIAT, sizeIAT);
iatStart = addressIAT;
iatSize = sizeIAT;
retVal = SCY_ERROR_SUCCESS;
}
}
}
else
{
return SCY_ERROR_IATSEARCH;
}
processList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
return retVal;
}
int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback)
{
//some things we need
ApiReader apiReader;
ProcessLister processLister;
typedef void* (*fCallback)(LPVOID invalidImport);
fCallback myCallback = (fCallback)invalidImportCallback;
NativeWinApi::initialize();
SystemInformation::getSystemInformation();
//need to find correct process by PID
Process* processPtr = 0;
std::vector<Process> & processList = processLister.getProcessListSnapshotNative();
for(std::vector<Process>::iterator it = processList.begin(); it != processList.end(); ++it)
{
if(it->PID == pid)
{
processPtr = &(*it);
break;
}
}
if(!processPtr) return SCY_ERROR_PROCOPEN;
//init process access
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
if(!ProcessAccessHelp::openProcessHandle(processPtr->PID))
{
return SCY_ERROR_PROCOPEN;
}
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
ProcessAccessHelp::selectedModule = 0;
ProcessAccessHelp::targetSizeOfImage = ProcessAccessHelp::getSizeOfImageProcess(ProcessAccessHelp::hProcess, ProcessAccessHelp::targetImageBase);
ProcessAccessHelp::targetImageBase = processPtr->imageBase;
apiReader.readApisFromModuleList();
//parse IAT
apiReader.readAndParseIAT(iatAddr, iatSize, moduleList);
//callback for invalid imports
if(invalidImportCallback != NULL)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
if(!importThunk.valid)
{
DWORD_PTR apiAddr = (DWORD_PTR)myCallback((LPVOID)importThunk.apiAddressVA);
//we trust the users return value
if(apiAddr != NULL)
{
importThunk.apiAddressVA = apiAddr;
importThunk.valid = true;
}
}
it_import++;
}
it_module++;
}
}
updateCounts();
return SCY_ERROR_SUCCESS;
}
bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunk)
{
ApiReader apiReader;
return apiReader.addModuleToModuleList(moduleName, firstThunk);
}
bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA)
{
ApiReader apiReader;
ApiInfo* apiFound = 0;
DWORD apiVA = 0;
bool suspect = false;
if(ProcessAccessHelp::readMemoryFromProcess(thunkVA, sizeof(DWORD_PTR), (LPVOID)&apiVA))
{
apiFound = apiReader.getApiByVirtualAddress(apiVA, &suspect);
apiReader.addFoundApiToModuleList(thunkVA, apiFound, false, suspect);
return true;
}
return false;
}
bool scylla_importsValid()
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
bool valid = true;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
if(!importThunk.valid)
{
valid = false;
break;;
}
it_import++;
}
it_module++;
}
return valid;
}
bool scylla_cutImport(DWORD_PTR apiAddr)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
//we found the API Addr to be cut
if(importThunk.apiAddressVA == apiAddr)
{
moduleThunk.thunkList.erase(it_import);
//whole module empty now?
if(moduleThunk.thunkList.empty())
{
moduleList.erase(it_module);
}
else //maybe the module is valid now?
{
if(moduleThunk.isValid() && moduleThunk.moduleName[0] == L'?')
{
//update module name
wcscpy_s(moduleThunk.moduleName, moduleThunk.thunkList.begin()->second.moduleName);
}
moduleThunk.firstThunk = moduleThunk.thunkList.begin()->second.rva;
}
updateCounts();
return true;
}
it_import++;
}
it_module++;
}
return false;
}
int scylla_fixDump(const WCHAR* dumpFile, const WCHAR* iatFixFile, const WCHAR* sectionName)
{
WCHAR dumpedFilePath[MAX_PATH];
WCHAR fixedFilePath[MAX_PATH];
wcscpy_s(fixedFilePath, iatFixFile);
wcscpy_s(dumpedFilePath, dumpFile);
//add IAT section to dump
ImportRebuilder importRebuild(dumpedFilePath, sectionName);
importRebuild.enableOFTSupport();
if(importRebuild.rebuildImportTable(fixedFilePath, moduleList))
{
return SCY_ERROR_SUCCESS;
}
else
{
return SCY_ERROR_IATWRITE;
}
}
int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap)
{
ImportRebuilder importRebuild(iatVA, FileMapVA, hFileMap, L".test");
importRebuild.enableOFTSupport();
if(importRebuild.rebuildMappedImportTable(iatVA, moduleList))
{
return SCY_ERROR_SUCCESS;
}
else
{
return SCY_ERROR_IATWRITE;
}
return SCY_ERROR_SUCCESS;
}
int scylla_getModuleCount()
{
return moduleCount;
}
int scylla_getImportCount()
{
return importCount;
}
void scylla_enumImportTree(LPVOID enumCallback)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
typedef void(*fCallback)(LPVOID importDetail);
fCallback myCallback = (fCallback)enumCallback;
ScyllaImportEnumData myImportEnumData;
myImportEnumData.DLLName = (char*)malloc(sizeof(char) * MAX_PATH);
myImportEnumData.APIName = (char*)malloc(sizeof(char) * MAX_PATH);
if(enumCallback == NULL || moduleList.empty())
{
return;
}
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
//module
myImportEnumData.NewDll = true;
myImportEnumData.NumberOfImports = (int)moduleThunk.thunkList.size();
StringConversion::ToASCII(moduleThunk.moduleName, myImportEnumData.DLLName, sizeof(char)*MAX_PATH);
myImportEnumData.BaseImportThunk = moduleThunk.firstThunk;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
//import
myImportEnumData.ImageBase = 0;
myImportEnumData.ImportThunk = importThunk.apiAddressVA;
strcpy_s(myImportEnumData.APIName, sizeof(char)*MAX_PATH, importThunk.name);
myCallback(&myImportEnumData);
myImportEnumData.NewDll = false;
it_import++;
}
it_module++;
}
}
long scylla_estimatedIATSize()
{
//faking a file to be rebuild
ImportRebuilder importRebuild(L"", L"");
return importRebuild.getIATSectionSize(moduleList);
}
DWORD_PTR scylla_findImportWriteLocation(const char* importName)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
if(_stricmp(importName, importThunk.name))
{
//returns VA
return importThunk.va;
}
}
it_import++;
}
it_module++;
return NULL;
}
DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
if(importThunk.ordinal == ordinalNumber)
{
return importThunk.va;
}
}
it_import++;
}
it_module++;
return NULL;
}
DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
if(importThunk.va == thunkVA)
{
return (DWORD_PTR)importThunk.name;
}
}
it_import++;
}
it_module++;
return NULL;
}
DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA)
{
std::map<DWORD_PTR, ImportModuleThunk>::iterator it_module;
std::map<DWORD_PTR, ImportThunk>::iterator it_import;
it_module = moduleList.begin();
while(it_module != moduleList.end())
{
ImportModuleThunk & moduleThunk = it_module->second;
it_import = moduleThunk.thunkList.begin();
while(it_import != moduleThunk.thunkList.end())
{
ImportThunk & importThunk = it_import->second;
if(importThunk.va == thunkVA)
{
return (DWORD_PTR)importThunk.moduleName;
}
}
it_import++;
}
it_module++;
return NULL;
}
BOOL DumpProcessW(const WCHAR* fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR* fileResult)
{
PeParser* peFile = 0;
if(fileToDump)
{
peFile = new PeParser(fileToDump, true);
}
else
{
peFile = new PeParser(imagebase, true);
}
return peFile->dumpProcess(imagebase, entrypoint, fileResult);
}
bool scylla_dumpProcessW(DWORD_PTR pid, const WCHAR* fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR* fileResult)
{
//BUGFiX: You need to initialize native WinAPIs before you can actually call them.
//Without this line of code you need to call some other dummy function in order to dump.
NativeWinApi::initialize();
if(ProcessAccessHelp::openProcessHandle((DWORD)pid))
{
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
else
{
return FALSE;
}
}
bool scylla_dumpProcessA(DWORD_PTR pid, const char* fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char* fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if(fileResult == 0)
{
return FALSE;
}
if(MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if(fileToDump != 0)
{
if(MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return scylla_dumpProcessW(pid, fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return scylla_dumpProcessW(pid, 0, imagebase, entrypoint, fileResultW);
}
}
bool scylla_rebuildFileW(const WCHAR* fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
if(createBackup)
{
if(!ProcessAccessHelp::createBackupFile(fileToRebuild))
{
return FALSE;
}
}
PeParser peFile(fileToRebuild, true);
if(peFile.readPeSectionsFromFile())
{
peFile.setDefaultFileAlignment();
if(removeDosStub)
{
peFile.removeDosStub();
}
peFile.alignAllSectionHeaders();
peFile.fixPeHeader();
if(peFile.savePeFileToDisk(fileToRebuild))
{
if(updatePeHeaderChecksum)
{
PeParser::updatePeHeaderChecksum(fileToRebuild, (DWORD)ProcessAccessHelp::getFileSize(fileToRebuild));
}
return TRUE;
}
}
return FALSE;
}
bool scylla_rebuildFileA(const char* fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
WCHAR fileToRebuildW[MAX_PATH];
if(MultiByteToWideChar(CP_ACP, 0, fileToRebuild, -1, fileToRebuildW, _countof(fileToRebuildW)) == 0)
{
return FALSE;
}
return scylla_rebuildFileW(fileToRebuildW, removeDosStub, updatePeHeaderChecksum, createBackup);
}

215
scylla_wrapper/scylla_wrapper.vcxproj
View File

@ -1,215 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{F874B1B3-8EF7-4DF1-9889-57098E08A51C}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>scylla_iatfix</RootNamespace>
<ProjectName>scylla_wrapper</ProjectName>
<WindowsTargetPlatformVersion>7.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v141_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v141_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v141_xp</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v141_xp</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>$(SolutionDir)bin\$(Configuration)\$(Platform)\</OutDir>
<IntDir>$(SolutionDir)obj\$(MSBuildProjectName)\$(Configuration)\$(Platform)\</IntDir>
<IncludePath>$(SolutionDir)distorm\include;$(SolutionDir)scylla_wrapper\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<OmitDefaultLibName>false</OmitDefaultLibName>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>distorm.lib;PSAPI.LIB;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<OmitDefaultLibName>false</OmitDefaultLibName>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>distorm.lib;PSAPI.LIB;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>distorm.lib;PSAPI.LIB;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>distorm.lib;PSAPI.LIB;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="ApiReader.h" />
<ClInclude Include="Architecture.h" />
<ClInclude Include="DeviceNameResolver.h" />
<ClInclude Include="IATReferenceScan.h" />
<ClInclude Include="IATSearch.h" />
<ClInclude Include="ImportRebuilder.h" />
<ClInclude Include="include\scylla_wrapper.h" />
<ClInclude Include="mnemonics.h" />
<ClInclude Include="NativeWinApi.h" />
<ClInclude Include="PeParser.h" />
<ClInclude Include="ProcessAccessHelp.h" />
<ClInclude Include="ProcessLister.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="StringConversion.h" />
<ClInclude Include="SystemInformation.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="Thunks.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="ApiReader.cpp" />
<ClCompile Include="Architecture.cpp" />
<ClCompile Include="DeviceNameResolver.cpp" />
<ClCompile Include="IATReferenceScan.cpp" />
<ClCompile Include="IATSearch.cpp" />
<ClCompile Include="ImportRebuilder.cpp" />
<ClCompile Include="NativeWinApi.cpp" />
<ClCompile Include="PeParser.cpp" />
<ClCompile Include="ProcessAccessHelp.cpp" />
<ClCompile Include="ProcessLister.cpp" />
<ClCompile Include="scylla_wrapper.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
<ClCompile Include="StringConversion.cpp" />
<ClCompile Include="SystemInformation.cpp" />
<ClCompile Include="Thunks.cpp" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\distorm\distorm.vcxproj">
<Project>{25ff4a19-7088-4687-aa32-76e61bd62e51}</Project>
</ProjectReference>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

120
scylla_wrapper/scylla_wrapper.vcxproj.filters
View File

@ -1,120 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ApiReader.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Architecture.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="SystemInformation.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ProcessAccessHelp.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Thunks.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="NativeWinApi.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="PeParser.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="StringConversion.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="DeviceNameResolver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ImportRebuilder.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ProcessLister.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="IATSearch.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="IATReferenceScan.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="mnemonics.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="include\scylla_wrapper.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ApiReader.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Architecture.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="SystemInformation.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ProcessAccessHelp.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="NativeWinApi.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="PeParser.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="StringConversion.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="DeviceNameResolver.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ImportRebuilder.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="ProcessLister.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="IATSearch.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Thunks.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="scylla_wrapper.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="IATReferenceScan.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>

8
scylla_wrapper/stdafx.cpp
View File

@ -1,8 +0,0 @@
// stdafx.cpp : Quelldatei, die nur die Standard-Includes einbindet.
// scylla_iatfix.pch ist der vorkompilierte Header.
// stdafx.obj enth<74>lt die vorkompilierten Typinformationen.
#include "stdafx.h"
// TODO: Auf zus<75>tzliche Header verweisen, die in STDAFX.H
// und nicht in dieser Datei erforderlich sind.

8
scylla_wrapper/stdafx.h
View File

@ -1,8 +0,0 @@
#pragma once
#include "targetver.h"
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

8
scylla_wrapper/targetver.h
View File

@ -1,8 +0,0 @@
#pragma once
// Durch Einbeziehen von"SDKDDKVer.h" wird die h<>chste verf<72>gbare Windows-Plattform definiert.
// Wenn Sie die Anwendung f<>r eine fr<66>here Windows-Plattform erstellen m<>chten, schlie<69>en Sie "WinSDKVer.h" ein, und
// legen Sie das _WIN32_WINNT-Makro auf die zu unterst<73>tzende Plattform fest, bevor Sie "SDKDDKVer.h" einschlie<69>en.
#include <SDKDDKVer.h>

1
scylla_wrapper_dll Submodule

@ -0,0 +1 @@
Subproject commit 4f7892b43dfcf4fda041b03b992541cac1367c2c