diff --git a/Scylla/FunctionExport.cpp b/Scylla/FunctionExport.cpp
index aed9e87..63285fe 100644
--- a/Scylla/FunctionExport.cpp
+++ b/Scylla/FunctionExport.cpp
@@ -1,147 +1,178 @@
#include <windows.h>
#include "PeParser.h"
#include "ProcessAccessHelp.h"
+#include "Scylla.h"
+#include "Architecture.h"
BOOL DumpProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL WINAPI ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL WINAPI ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
BOOL WINAPI ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL WINAPI ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
-BOOL WINAPI RebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum);
-BOOL WINAPI RebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum);
+BOOL WINAPI ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+BOOL WINAPI ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+
+WCHAR * WINAPI ScyllaVersionInformationW();
+char * WINAPI ScyllaVersionInformationA();
+DWORD WINAPI ScyllaVersionInformationDword();
+
+
+WCHAR * WINAPI ScyllaVersionInformationW()
+{
+ return APPNAME L" " ARCHITECTURE L" " APPVERSION;
+}
+
+char * WINAPI ScyllaVersionInformationA()
+{
+ return APPNAME_S " " ARCHITECTURE_S " " APPVERSION_S;
+}
+
+DWORD WINAPI ScyllaVersionInformationDword()
+{
+ return APPVERSIONDWORD;
+}
BOOL DumpProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
PeParser * peFile = 0;
if (fileToDump)
{
peFile = new PeParser(fileToDump, true);
}
else
{
peFile = new PeParser(imagebase, true);
}
return peFile->dumpProcess(imagebase, entrypoint, fileResult);
}
-BOOL WINAPI RebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum)
+BOOL WINAPI ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
+
+ if (createBackup)
+ {
+ if (!ProcessAccessHelp::createBackupFile(fileToRebuild))
+ {
+ return FALSE;
+ }
+ }
+
PeParser peFile(fileToRebuild, true);
if (peFile.readPeSectionsFromFile())
{
peFile.setDefaultFileAlignment();
if (removeDosStub)
{
peFile.removeDosStub();
}
peFile.alignAllSectionHeaders();
peFile.fixPeHeader();
if (peFile.savePeFileToDisk(fileToRebuild))
{
if (updatePeHeaderChecksum)
{
PeParser::updatePeHeaderChecksum(fileToRebuild, (DWORD)ProcessAccessHelp::getFileSize(fileToRebuild));
}
return TRUE;
}
}
return FALSE;
}
-BOOL WINAPI RebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum)
+BOOL WINAPI ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
WCHAR fileToRebuildW[MAX_PATH];
if (MultiByteToWideChar(CP_ACP, 0, fileToRebuild, -1, fileToRebuildW, _countof(fileToRebuildW)) == 0)
{
return FALSE;
}
- return RebuildFileW(fileToRebuildW, removeDosStub, updatePeHeaderChecksum);
+ return ScyllaRebuildFileW(fileToRebuildW, removeDosStub, updatePeHeaderChecksum, createBackup);
}
BOOL WINAPI ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
ProcessAccessHelp::setCurrentProcessAsTarget();
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
BOOL WINAPI ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
if (ProcessAccessHelp::openProcessHandle((DWORD)pid))
{
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
else
{
return FALSE;
}
}
BOOL WINAPI ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if (fileResult == 0)
{
return FALSE;
}
if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if (fileToDump != 0)
{
if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return ScyllaDumpCurrentProcessW(fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return ScyllaDumpCurrentProcessW(0, imagebase, entrypoint, fileResultW);
}
}
BOOL WINAPI ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if (fileResult == 0)
{
return FALSE;
}
if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if (fileToDump != 0)
{
if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return ScyllaDumpProcessW(pid, fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return ScyllaDumpProcessW(pid, 0, imagebase, entrypoint, fileResultW);
}
}
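Review bot: ScyllaVersionInformationW and ScyllaVersionInformationA return mutable pointers to string literals (`return APPNAME L" " ARCHITECTURE L" " APPVERSION;`), so an exported API now invites callers to write into read-only data; the declarations and definitions should be `const WCHAR * WINAPI ScyllaVersionInformationW();` and `const char * WINAPI ScyllaVersionInformationA();`, with the .def and the Scylla_Exports.txt prototypes updated to match. In ScyllaRebuildFileW the new createBackup branch passes fileToRebuild straight to ProcessAccessHelp::createBackupFile without a null check; the A wrapper always supplies a buffer, but a direct W caller can pass 0 and whether createBackupFile tolerates that is not visible here, so a leading `if (!fileToRebuild) return FALSE;` would make the contract explicit. The untouched DumpProcessW still allocates peFile with new and never deletes it; that is pre-existing, but worth a follow-up since this file is the public DLL surface.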
diff --git a/Scylla/Scylla.h b/Scylla/Scylla.h
index da32931..9e445ea 100644
--- a/Scylla/Scylla.h
+++ b/Scylla/Scylla.h
@@ -1,31 +1,32 @@
#pragma once
#include "ConfigurationHolder.h"
#include "PluginLoader.h"
#include "ProcessLister.h"
#include "Logger.h"
#define APPNAME_S "Scylla"
-#define APPVERSION_S "v0.7 Beta 5"
+#define APPVERSION_S "v0.7 Beta 6"
+#define APPVERSIONDWORD 0x00007600
#define APPNAME TEXT(APPNAME_S)
#define APPVERSION TEXT(APPVERSION_S)
class Scylla
{
public:
static void init();
static ConfigurationHolder config;
static PluginLoader plugins;
static ProcessLister processLister;
static FileLog debugLog;
static ListboxLog windowLog;
private:
static const WCHAR DEBUG_LOG_FILENAME[];
};
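Review bot: APPVERSIONDWORD is a second, hand-maintained encoding of the version next to APPVERSION_S, and nothing in the header says how 0x00007600 maps to "v0.7 Beta 6"; the exports document elsewhere in this commit describes the high word as major and the low word as minor. A short comment on the define, `// Numeric form of APPVERSION_S: high word = major, low word = minor. Update both together.`, would stop the two from drifting on the next bump.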
diff --git a/Scylla/scylla_export_functions.def b/Scylla/scylla_export_functions.def
index 6aaa5e6..2695344 100644
--- a/Scylla/scylla_export_functions.def
+++ b/Scylla/scylla_export_functions.def
@@ -1,7 +1,10 @@
EXPORTS
ScyllaDumpCurrentProcessW @1
ScyllaDumpCurrentProcessA @2
ScyllaDumpProcessW @3
ScyllaDumpProcessA @4
- RebuildFileW @5
- RebuildFileA @6
\ No newline at end of file
+ ScyllaRebuildFileW @5
+ ScyllaRebuildFileA @6
+ ScyllaVersionInformationW @7
+ ScyllaVersionInformationA @8
+ ScyllaVersionInformationDword @9
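Review bot: Ordinals @5 and @6 are reused for ScyllaRebuildFileW/A, which take one more stdcall parameter than the RebuildFileW/A they replace; a client that imports by ordinal against the old prototype will hit a stack imbalance on x86 because the callee now pops 16 bytes where the caller pushed 12. Assigning the renamed functions fresh ordinals and leaving 5 and 6 retired, e.g. `ScyllaRebuildFileW @10` and `ScyllaRebuildFileA @11`, avoids silently rebinding old callers; the names already changed, so by-name imports fail loudly, which is the better outcome. The usage example in Scylla_Exports.txt added by this same commit still resolves "RebuildFileA" through GetProcAddress and in the MASM string, which no longer exists after this hunk, and it never checks the LoadLibraryA/GetProcAddress results for NULL before calling through them.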
diff --git a/Scylla_Exports.txt b/Scylla_Exports.txt
new file mode 100644
index 0000000..fd94992
--- /dev/null
+++ b/Scylla_Exports.txt
@@ -0,0 +1,118 @@
+
+Prototyps:
+----------------------------------------------------------------------------------------------------------------------------------------------------
+C/C++:
+------------
+BOOL __stdcall ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+BOOL __stdcall ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
+
+BOOL __stdcall ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+BOOL __stdcall ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
+
+------------
+32-Bit assembly e.g. MASM:
+------------
+ScyllaDumpCurrentProcessW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
+ScyllaDumpCurrentProcessA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
+ScyllaDumpProcessW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
+ScyllaDumpProcessA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
+
+------------
+64-Bit assembly:
+------------
+ScyllaDumpCurrentProcessW PROTO :QWORD, :QWORD, :QWORD, :QWORD
+ScyllaDumpCurrentProcessA PROTO :QWORD, :QWORD, :QWORD, :QWORD
+ScyllaDumpProcessW PROTO :QWORD, :QWORD, :QWORD, :QWORD
+ScyllaDumpProcessA PROTO :QWORD, :QWORD, :QWORD, :QWORD
+
+
+fileToDump -> string pointer, this can be 0
+imagebase -> imagebase base of target
+entrypoint -> entrypoint
+fileResult -> string pointer, resulting file
+pid -> target process PID
+
+----------------------------------------------------------------------------------------------------------------------------------------------------
+C/C++:
+------------
+BOOL __stdcall ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+BOOL __stdcall ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+
+------------
+32-Bit assembly e.g. MASM:
+------------
+ScyllaRebuildFileW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
+ScyllaRebuildFileA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
+------------
+64-Bit assembly:
+------------
+ScyllaRebuildFileW PROTO :QWORD, :DWORD, :DWORD, :DWORD
+ScyllaRebuildFileA PROTO :QWORD, :DWORD, :DWORD, :DWORD
+
+
+fileToRebuild - string pointer
+removeDosStub - to remove the dos stub -> 1 (TRUE) or 0 (FALSE)
+updatePeHeaderChecksum - to update the pe header checksum field -> 1 (TRUE) or 0 (FALSE)
+createBackup - create a backup file -> 1 (TRUE) or 0 (FALSE)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------
+C/C++:
+------------
+WCHAR * __stdcall ScyllaVersionInformationW();
+char * __stdcall ScyllaVersionInformationA();
+DWORD __stdcall ScyllaVersionInformationDword();
+
+------------
+64-Bit/32-Bit assembly e.g. MASM:
+------------
+ScyllaVersionInformationW PROTO
+ScyllaVersionInformationA PROTO
+ScyllaVersionInformationDword PROTO
+
+ScyllaVersionInformation - return value is a pointer to a string e.g. "Scylla x86 v0.7 Beta 6"
+
+ScyllaVersionInformationDword - return value is always a DWORD:
+
+e.g. 0x00007600
+0000 -> major version
+7600 -> minor version
+
+----------------------------------------------------------------------------------------------------------------------------------------------------
+
+
+Example:
+
+
+typedef BOOL (__stdcall * def_ScyllaDumpCurrentProcessW)(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
+typedef BOOL (__stdcall * def_RebuildFileA)(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
+
+HMODULE mod = LoadLibraryA("ScyllaDLL.dll");
+
+def_ScyllaDumpCurrentProcessW ScyllaDumpCurrentProcessW = (def_ScyllaDumpCurrentProcessW)GetProcAddress(mod, "ScyllaDumpCurrentProcessW");
+def_RebuildFileA RebuildFileA = (def_RebuildFileA)GetProcAddress(mod, "RebuildFileA");
+
+ScyllaDumpCurrentProcessW(0, (DWORD_PTR)GetModuleHandleA((LPCSTR)0), 0x13370000, L"C:\\dump.exe");
+RebuildFileA("some.exe", 1, 1, 1);
+
+
+MASM:
+
+szScyllaDll db "ScyllaDLL.dll",0h
+szRebuildFileA db "RebuildFileA",0h
+szTargetExe db "some.exe",0h
+
+push offset szScyllaDll
+call LoadLibraryA
+push offset szRebuildFileA
+push eax
+call GetProcAddress
+xor ecx, ecx
+inc ecx
+push ecx
+push ecx
+push ecx
+push offset szTargetExe
+call eax
+
+
+