From ffb6de5b5672e59325a0562284b8f778af94ebc0 Mon Sep 17 00:00:00 2001
From: Duncan Ogilvie
Date: Thu, 5 Oct 2023 13:12:46 +0200
Subject: [PATCH] Fix an anti-debug trick used by GuLoader
Closes #2749
Closes #2504
---
src/dbg/module.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/dbg/module.cpp b/src/dbg/module.cpp
index b4d31083..e9546e61 100644
--- a/src/dbg/module.cpp
+++ b/src/dbg/module.cpp
@@ -864,6 +864,10 @@ bool ModLoad(duint Base, duint Size, const char* FullPath, bool loadSymbols)
 // Load the physical module from disk
 if(StaticFileLoadW(wszFullPath.c_str(), UE_ACCESS_READ, false, &info.fileHandle, &info.loadedSize, &info.fileMap, &info.fileMapVA))
 {
+ // Fix an anti-debug trick, which opens exclusive access to the file
+ CloseHandle(info.fileHandle);
+ info.fileHandle = (HANDLE)1; // Set to non-zero for TitanEngine compatibility
+ GetModuleInfo(info, info.fileMapVA);
 Size = GetPE32DataFromMappedFile(info.fileMapVA, 0, UE_SIZEOFIMAGE);
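Review bot: `info.fileHandle = (HANDLE)1;` stores a fabricated handle in a field that reads as a real file handle, so any later code that closes or reads through `info.fileHandle` (the unload path is not visible in this hunk) would act on a bogus value rather than tripping a null check. A named sentinel constant would make the value greppable, and the comment should state the invariant, e.g. `// Sentinel, not a real handle: the file handle is closed above; only fileMap/fileMapVA remain valid`. The result of `CloseHandle(info.fileHandle)` is also ignored; logging a failure there would show when the debugger still holds the handle and the sharing conflict this fix targets is still in place. ModLoad begins and ends outside the hunk, so the cleanup side should be checked against the full function.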