Page Menu
Home
desp's stash
Search
Configure Global Search
Log In
Files
F213148
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
11 KB
Subscribers
None
View Options
diff --git a/Scylla/FunctionExport.cpp b/Scylla/FunctionExport.cpp
index 7c27962..bf246ac 100644
--- a/Scylla/FunctionExport.cpp
+++ b/Scylla/FunctionExport.cpp
@@ -1,354 +1,374 @@
#include <windows.h>
#include "PeParser.h"
#include "ProcessAccessHelp.h"
#include "Scylla.h"
#include "Architecture.h"
#include "FunctionExport.h"
#include "ProcessLister.h"
#include "ApiReader.h"
#include "IATSearch.h"
#include "ImportRebuilder.h"
#define EXPORT comment(linker, "/EXPORT:" __FUNCTION__ "=" __FUNCDNAME__)
extern HINSTANCE hDllModule;
const WCHAR * WINAPI ScyllaVersionInformationW()
{
return APPNAME L" " ARCHITECTURE L" " APPVERSION;
}
const char * WINAPI ScyllaVersionInformationA()
{
return APPNAME_S " " ARCHITECTURE_S " " APPVERSION_S;
}
DWORD WINAPI ScyllaVersionInformationDword()
{
return APPVERSIONDWORD;
}
BOOL DumpProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
PeParser * peFile = 0;
if (fileToDump)
{
peFile = new PeParser(fileToDump, true);
}
else
{
peFile = new PeParser(imagebase, true);
}
bool result = peFile->dumpProcess(imagebase, entrypoint, fileResult);
delete peFile;
return result;
}
BOOL WINAPI ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
if (createBackup)
{
if (!ProcessAccessHelp::createBackupFile(fileToRebuild))
{
return FALSE;
}
}
PeParser peFile(fileToRebuild, true);
if (peFile.readPeSectionsFromFile())
{
peFile.setDefaultFileAlignment();
if (removeDosStub)
{
peFile.removeDosStub();
}
peFile.alignAllSectionHeaders();
peFile.fixPeHeader();
if (peFile.savePeFileToDisk(fileToRebuild))
{
if (updatePeHeaderChecksum)
{
PeParser::updatePeHeaderChecksum(fileToRebuild, (DWORD)ProcessAccessHelp::getFileSize(fileToRebuild));
}
return TRUE;
}
}
return FALSE;
}
BOOL WINAPI ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
WCHAR fileToRebuildW[MAX_PATH];
if (MultiByteToWideChar(CP_ACP, 0, fileToRebuild, -1, fileToRebuildW, _countof(fileToRebuildW)) == 0)
{
return FALSE;
}
return ScyllaRebuildFileW(fileToRebuildW, removeDosStub, updatePeHeaderChecksum, createBackup);
}
BOOL WINAPI ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
ProcessAccessHelp::setCurrentProcessAsTarget();
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
BOOL WINAPI ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
if (ProcessAccessHelp::openProcessHandle((DWORD)pid))
{
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
else
{
return FALSE;
}
}
BOOL WINAPI ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if (fileResult == 0)
{
return FALSE;
}
if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if (fileToDump != 0)
{
if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return ScyllaDumpCurrentProcessW(fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return ScyllaDumpCurrentProcessW(0, imagebase, entrypoint, fileResultW);
}
}
BOOL WINAPI ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if (fileResult == 0)
{
return FALSE;
}
if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if (fileToDump != 0)
{
if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return ScyllaDumpProcessW(pid, fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return ScyllaDumpProcessW(pid, 0, imagebase, entrypoint, fileResultW);
}
}
INT WINAPI ScyllaStartGui(DWORD dwProcessId, HINSTANCE mod, DWORD_PTR entrypoint)
{
GUI_DLL_PARAMETER guiParam;
guiParam.dwProcessId = dwProcessId;
guiParam.mod = mod;
guiParam.entrypoint = entrypoint;
return InitializeGui(hDllModule, (LPARAM)&guiParam);
}
int WINAPI ScyllaIatSearch(DWORD dwProcessId, DWORD_PTR * iatStart, DWORD * iatSize, DWORD_PTR searchStart, BOOL advancedSearch)
{
ApiReader apiReader;
ProcessLister processLister;
Process *processPtr = 0;
IATSearch iatSearch;
std::vector<Process>& processList = processLister.getProcessListSnapshotNative();
for(std::vector<Process>::iterator it = processList.begin(); it != processList.end(); ++it)
{
if(it->PID == dwProcessId)
{
processPtr = &(*it);
break;
}
}
if(!processPtr) return SCY_ERROR_PIDNOTFOUND;
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
if (!ProcessAccessHelp::openProcessHandle(processPtr->PID))
{
return SCY_ERROR_PROCOPEN;
}
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
ProcessAccessHelp::selectedModule = 0;
ProcessAccessHelp::targetImageBase = processPtr->imageBase;
ProcessAccessHelp::targetSizeOfImage = processPtr->imageSize;
apiReader.readApisFromModuleList();
int retVal = SCY_ERROR_IATNOTFOUND;
if (advancedSearch)
{
if (iatSearch.searchImportAddressTableInProcess(searchStart, iatStart, iatSize, true))
{
retVal = SCY_ERROR_SUCCESS;
}
}
else
{
if (iatSearch.searchImportAddressTableInProcess(searchStart, iatStart, iatSize, false))
{
retVal = SCY_ERROR_SUCCESS;
}
}
processList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
return retVal;
}
int WINAPI ScyllaIatFixCurrentAutoW(DWORD_PTR iatAddr, DWORD iatSize, const WCHAR * dumpFile, const WCHAR * iatFixFile)
{
#pragma EXPORT
ApiReader apiReader;
- ProcessLister processLister;
+ Process *processPtr = 0;
std::map<DWORD_PTR, ImportModuleThunk> moduleList;
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"in ScyllaIatFixCurrentAutoW");
+#endif
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
ProcessAccessHelp::setCurrentProcessAsTarget();
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"set current process as target");
+#endif
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"got process modules");
+#endif
+
+ ProcessLister::getProcessImageInformation(ProcessAccessHelp::hProcess, processPtr);
ProcessAccessHelp::selectedModule = 0;
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"set selected module");
- ProcessAccessHelp::targetImageBase = 0x0000000140000000;
- ProcessAccessHelp::getSizeOfImageCurrentProcess();
+#endif
+ ProcessAccessHelp::targetImageBase = processPtr->imageBase;
+ ProcessAccessHelp::targetSizeOfImage = processPtr->imageSize;
apiReader.readApisFromModuleList();
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"read api from module list");
+#endif
apiReader.readAndParseIAT(iatAddr, iatSize, moduleList);
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"iat");
+#endif
//add IAT section to dump
ImportRebuilder importRebuild(dumpFile);
importRebuild.enableOFTSupport();
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"rebuild");
+#endif
int retVal = SCY_ERROR_IATWRITE;
if (importRebuild.rebuildImportTable(iatFixFile, moduleList))
{
retVal = SCY_ERROR_SUCCESS;
}
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"finishing");
+#endif
moduleList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
+#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"done");
+#endif
return retVal;
}
int WINAPI ScyllaIatFixAutoW(DWORD_PTR iatAddr, DWORD iatSize, DWORD dwProcessId, const WCHAR * dumpFile, const WCHAR * iatFixFile)
{
ApiReader apiReader;
ProcessLister processLister;
Process *processPtr = 0;
std::map<DWORD_PTR, ImportModuleThunk> moduleList;
std::vector<Process>& processList = processLister.getProcessListSnapshotNative();
for(std::vector<Process>::iterator it = processList.begin(); it != processList.end(); ++it)
{
if(it->PID == dwProcessId)
{
processPtr = &(*it);
break;
}
}
if(!processPtr) return SCY_ERROR_PIDNOTFOUND;
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
if (!ProcessAccessHelp::openProcessHandle(processPtr->PID))
{
return SCY_ERROR_PROCOPEN;
}
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
ProcessAccessHelp::selectedModule = 0;
ProcessAccessHelp::targetImageBase = processPtr->imageBase;
ProcessAccessHelp::targetSizeOfImage = processPtr->imageSize;
apiReader.readApisFromModuleList();
apiReader.readAndParseIAT(iatAddr, iatSize, moduleList);
//add IAT section to dump
ImportRebuilder importRebuild(dumpFile);
importRebuild.enableOFTSupport();
int retVal = SCY_ERROR_IATWRITE;
if (importRebuild.rebuildImportTable(iatFixFile, moduleList))
{
retVal = SCY_ERROR_SUCCESS;
}
processList.clear();
moduleList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
return retVal;
}
diff --git a/Scylla/ProcessLister.h b/Scylla/ProcessLister.h
index 7437dd2..ddb32f2 100644
--- a/Scylla/ProcessLister.h
+++ b/Scylla/ProcessLister.h
@@ -1,69 +1,69 @@
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <vector>
#include <psapi.h>
#include "NativeWinApi.h"
#include "DeviceNameResolver.h"
typedef BOOL (WINAPI *def_IsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
class Process {
public:
DWORD PID;
DWORD sessionId;
DWORD_PTR imageBase;
DWORD_PTR pebAddress;
DWORD entryPoint; //RVA without imagebase
DWORD imageSize;
WCHAR filename[MAX_PATH];
WCHAR fullPath[MAX_PATH];
Process()
{
PID = 0;
}
};
enum ProcessType {
PROCESS_UNKNOWN,
PROCESS_MISSING_RIGHTS,
PROCESS_32,
PROCESS_64
};
class ProcessLister {
public:
static def_IsWow64Process _IsWow64Process;
ProcessLister()
{
deviceNameResolver = new DeviceNameResolver();
_IsWow64Process = (def_IsWow64Process)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "IsWow64Process");
}
~ProcessLister()
{
delete deviceNameResolver;
}
std::vector<Process>& getProcessList();
static bool isWindows64();
static DWORD setDebugPrivileges();
std::vector<Process>& getProcessListSnapshotNative();
+ static void getProcessImageInformation(HANDLE hProcess, Process* process);
private:
std::vector<Process> processList;
DeviceNameResolver * deviceNameResolver;
ProcessType checkIsProcess64(HANDLE hProcess);
bool getAbsoluteFilePath(HANDLE hProcess, Process * process);
void handleProcessInformationAndAddToList( PSYSTEM_PROCESS_INFORMATION pProcess );
- void getProcessImageInformation( HANDLE hProcess, Process* process );
DWORD_PTR getPebAddressFromProcess( HANDLE hProcess );
};
\ No newline at end of file
File Metadata
Details
Attached
Mime Type
text/x-diff
Expires
Tue, Jan 7, 12:46 AM (2 h, 45 m)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
9f/98/6d7c9ae7fd19f3c16e8736c1babf
Attached To
rSCY Scylla
Event Timeline
Log In to Comment