Page MenuHomedesp's stash
Files F225342

FunctionExport.cpp
No OneTemporary
Actions

FunctionExport.cpp
View Options

#include <windows.h>
#include "PeParser.h"
#include "ProcessAccessHelp.h"
#include "Scylla.h"
#include "Architecture.h"
#include "FunctionExport.h"
#include "ProcessLister.h"
#include "ApiReader.h"
#include "IATSearch.h"
#include "ImportRebuilder.h"
#define EXPORT comment(linker, "/EXPORT:" __FUNCTION__ "=" __FUNCDNAME__)
//#define DEBUG_COMMENTS
#include <string>
extern HINSTANCE hDllModule;
const WCHAR * WINAPI ScyllaVersionInformationW()
{
return APPNAME L" " ARCHITECTURE L" " APPVERSION;
}
const char * WINAPI ScyllaVersionInformationA()
{
return APPNAME_S " " ARCHITECTURE_S " " APPVERSION_S;
}
DWORD WINAPI ScyllaVersionInformationDword()
{
return APPVERSIONDWORD;
}
BOOL DumpProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
PeParser * peFile = 0;
if (fileToDump)
{
peFile = new PeParser(fileToDump, true);
}
else
{
peFile = new PeParser(imagebase, true);
}
bool result = peFile->dumpProcess(imagebase, entrypoint, fileResult);
delete peFile;
return result;
}
BOOL WINAPI ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
if (createBackup)
{
if (!ProcessAccessHelp::createBackupFile(fileToRebuild))
{
return FALSE;
}
}
PeParser peFile(fileToRebuild, true);
if (peFile.readPeSectionsFromFile())
{
peFile.setDefaultFileAlignment();
if (removeDosStub)
{
peFile.removeDosStub();
}
peFile.alignAllSectionHeaders();
peFile.fixPeHeader();
if (peFile.savePeFileToDisk(fileToRebuild))
{
if (updatePeHeaderChecksum)
{
PeParser::updatePeHeaderChecksum(fileToRebuild, (DWORD)ProcessAccessHelp::getFileSize(fileToRebuild));
}
return TRUE;
}
}
return FALSE;
}
BOOL WINAPI ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup)
{
WCHAR fileToRebuildW[MAX_PATH];
if (MultiByteToWideChar(CP_ACP, 0, fileToRebuild, -1, fileToRebuildW, _countof(fileToRebuildW)) == 0)
{
return FALSE;
}
return ScyllaRebuildFileW(fileToRebuildW, removeDosStub, updatePeHeaderChecksum, createBackup);
}
BOOL WINAPI ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
ProcessAccessHelp::setCurrentProcessAsTarget();
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
BOOL WINAPI ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult)
{
if (ProcessAccessHelp::openProcessHandle((DWORD)pid))
{
return DumpProcessW(fileToDump, imagebase, entrypoint, fileResult);
}
else
{
return FALSE;
}
}
BOOL WINAPI ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if (fileResult == 0)
{
return FALSE;
}
if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if (fileToDump != 0)
{
if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return ScyllaDumpCurrentProcessW(fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return ScyllaDumpCurrentProcessW(0, imagebase, entrypoint, fileResultW);
}
}
BOOL WINAPI ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
WCHAR fileToDumpW[MAX_PATH];
WCHAR fileResultW[MAX_PATH];
if (fileResult == 0)
{
return FALSE;
}
if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
{
return FALSE;
}
if (fileToDump != 0)
{
if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
{
return FALSE;
}
return ScyllaDumpProcessW(pid, fileToDumpW, imagebase, entrypoint, fileResultW);
}
else
{
return ScyllaDumpProcessW(pid, 0, imagebase, entrypoint, fileResultW);
}
}
INT WINAPI ScyllaStartGui(DWORD dwProcessId, HINSTANCE mod, DWORD_PTR entrypoint)
{
GUI_DLL_PARAMETER guiParam;
guiParam.dwProcessId = dwProcessId;
guiParam.mod = mod;
guiParam.entrypoint = entrypoint;
return InitializeGui(hDllModule, (LPARAM)&guiParam);
}
int WINAPI ScyllaIatSearch(DWORD dwProcessId, DWORD_PTR * iatStart, DWORD * iatSize, DWORD_PTR searchStart, BOOL advancedSearch)
{
ApiReader apiReader;
ProcessLister processLister;
Process *processPtr = 0;
IATSearch iatSearch;
std::vector<Process>& processList = processLister.getProcessListSnapshotNative();
for(std::vector<Process>::iterator it = processList.begin(); it != processList.end(); ++it)
{
if(it->PID == dwProcessId)
{
processPtr = &(*it);
break;
}
}
if(!processPtr) return SCY_ERROR_PIDNOTFOUND;
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
if (!ProcessAccessHelp::openProcessHandle(processPtr->PID))
{
return SCY_ERROR_PROCOPEN;
}
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
ProcessAccessHelp::selectedModule = 0;
ProcessAccessHelp::targetImageBase = processPtr->imageBase;
ProcessAccessHelp::targetSizeOfImage = processPtr->imageSize;
apiReader.readApisFromModuleList();
int retVal = SCY_ERROR_IATNOTFOUND;
if (advancedSearch)
{
if (iatSearch.searchImportAddressTableInProcess(searchStart, iatStart, iatSize, true))
{
retVal = SCY_ERROR_SUCCESS;
}
}
else
{
if (iatSearch.searchImportAddressTableInProcess(searchStart, iatStart, iatSize, false))
{
retVal = SCY_ERROR_SUCCESS;
}
}
processList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
return retVal;
}
int WINAPI ScyllaIatFixCurrentAutoW(DWORD_PTR iatAddr, DWORD iatSize, const WCHAR * dumpFile, const WCHAR * iatFixFile, const WCHAR * moduleName)
{
#pragma EXPORT
ApiReader apiReader;
std::map<DWORD_PTR, ImportModuleThunk> moduleList;
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"in ScyllaIatFixCurrentAutoW");
#endif
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
ProcessAccessHelp::setCurrentProcessAsTarget();
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"set current process as target");
#endif
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"got process modules");
#endif
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"got process image information");
#endif
ModuleInfo* moduleInfo = 0;
if (moduleName) {
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"get module");
#endif
for (ModuleInfo info : ProcessAccessHelp::moduleList) {
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(info.getFilename());
#endif
if (wcscmp(info.getFilename(), moduleName) == 0) {
moduleInfo = &info;
break;
}
}
}
ProcessAccessHelp::selectedModule = moduleInfo;
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"set selected module");
#endif
if (moduleInfo) {
ProcessAccessHelp::targetImageBase = moduleInfo->modBaseAddr;
ProcessAccessHelp::targetSizeOfImage = moduleInfo->modBaseSize;
iatAddr = ((DWORD)ProcessAccessHelp::targetImageBase) + iatAddr; // if module use relative iatAddr, since modules image base might shift around
}
else {
Process process;
process.pebAddress = ProcessLister::getPebAddressFromProcess(ProcessAccessHelp::hProcess);
ProcessLister::getProcessImageInformation(ProcessAccessHelp::hProcess, &process);
ProcessAccessHelp::targetImageBase = process.imageBase;
ProcessAccessHelp::targetSizeOfImage = process.imageSize;
}
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(std::to_wstring(ProcessAccessHelp::targetImageBase).c_str());
Scylla::debugLog.log(std::to_wstring(ProcessAccessHelp::targetSizeOfImage).c_str());
Scylla::debugLog.log(std::to_wstring(iatAddr).c_str());
#endif
apiReader.readApisFromModuleList();
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"read api from module list");
#endif
apiReader.readAndParseIAT(iatAddr, iatSize, moduleList);
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"iat");
Scylla::debugLog.log(std::to_wstring(moduleList.size()).c_str());
#endif
//add IAT section to dump
ImportRebuilder importRebuild(dumpFile);
importRebuild.enableOFTSupport();
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"rebuild");
#endif
int retVal = SCY_ERROR_IATWRITE;
if (importRebuild.rebuildImportTable(iatFixFile, moduleList))
{
retVal = SCY_ERROR_SUCCESS;
}
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"finishing");
#endif
moduleList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
#ifdef DEBUG_COMMENTS
Scylla::debugLog.log(L"done");
#endif
return retVal;
}
int WINAPI ScyllaIatFixAutoW(DWORD_PTR iatAddr, DWORD iatSize, DWORD dwProcessId, const WCHAR * dumpFile, const WCHAR * iatFixFile)
{
ApiReader apiReader;
ProcessLister processLister;
Process *processPtr = 0;
std::map<DWORD_PTR, ImportModuleThunk> moduleList;
std::vector<Process>& processList = processLister.getProcessListSnapshotNative();
for(std::vector<Process>::iterator it = processList.begin(); it != processList.end(); ++it)
{
if(it->PID == dwProcessId)
{
processPtr = &(*it);
break;
}
}
if(!processPtr) return SCY_ERROR_PIDNOTFOUND;
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
if (!ProcessAccessHelp::openProcessHandle(processPtr->PID))
{
return SCY_ERROR_PROCOPEN;
}
ProcessAccessHelp::getProcessModules(ProcessAccessHelp::hProcess, ProcessAccessHelp::moduleList);
ProcessAccessHelp::selectedModule = 0;
ProcessAccessHelp::targetImageBase = processPtr->imageBase;
ProcessAccessHelp::targetSizeOfImage = processPtr->imageSize;
apiReader.readApisFromModuleList();
apiReader.readAndParseIAT(iatAddr, iatSize, moduleList);
//add IAT section to dump
ImportRebuilder importRebuild(dumpFile);
importRebuild.enableOFTSupport();
int retVal = SCY_ERROR_IATWRITE;
if (importRebuild.rebuildImportTable(iatFixFile, moduleList))
{
retVal = SCY_ERROR_SUCCESS;
}
processList.clear();
moduleList.clear();
ProcessAccessHelp::closeProcessHandle();
apiReader.clearAll();
return retVal;
}

File Metadata

Mime Type
text/x-c
Expires
Sun, Mar 16, 2:13 AM (1 d, 10 h)
Storage Engine
local-disk
Storage Format
Raw Data
Storage Handle
be/a9/310b6f7465ad25bb7ba5692c3f43

Event Timeline

Back to Main Site