├── addrinfo.h ├── waitfordisasm.qrc ├── dbg_res.rc ├── main_ico.ico ├── icons ├── Virus-50.ico └── Virus-50.png ├── sdk ├── TitanEngine_x64.a ├── TitanEngine_x86.a ├── memdump.h ├── interfacedisasm.h ├── vm_instruction_set.h ├── old │ └── SDK.h └── SDK.h ├── resources.qrc ├── README.md ├── main.cpp ├── memdump.h ├── types.h ├── dialogboxwaitfordisasm.cpp ├── _global.h ├── dialogboxwaitfordisasm.h ├── interfacedisasm.h ├── interfacememory.h ├── dialogboxwaitfordisasm.ui ├── interfacedisasm.cpp ├── interface_dbg.pro ├── core_decompiler.h ├── interfacememory.cpp ├── mainwindow.h ├── debugger.h ├── vm_instruction_set.h ├── core_decompiler.cpp ├── mainwindow.ui ├── debugger.cpp └── mainwindow.cpp /addrinfo.h: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /waitfordisasm.qrc: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /dbg_res.rc: -------------------------------------------------------------------------------- 1 | IDI_ICON1 ICON DISCARDABLE "main_ico.ico" -------------------------------------------------------------------------------- /main_ico.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uvbs/VMPDBG2/HEAD/main_ico.ico -------------------------------------------------------------------------------- /icons/Virus-50.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uvbs/VMPDBG2/HEAD/icons/Virus-50.ico -------------------------------------------------------------------------------- /icons/Virus-50.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uvbs/VMPDBG2/HEAD/icons/Virus-50.png 
-------------------------------------------------------------------------------- /sdk/TitanEngine_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uvbs/VMPDBG2/HEAD/sdk/TitanEngine_x64.a -------------------------------------------------------------------------------- /sdk/TitanEngine_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/uvbs/VMPDBG2/HEAD/sdk/TitanEngine_x86.a -------------------------------------------------------------------------------- /sdk/memdump.h: -------------------------------------------------------------------------------- 1 | #ifndef MEMDUMP_H 2 | #define MEMDUMP_H 3 | 4 | #endif // MEMDUMP_H 5 | 6 | -------------------------------------------------------------------------------- /sdk/interfacedisasm.h: -------------------------------------------------------------------------------- 1 | #ifndef INTERFACEDISASM_H 2 | #define INTERFACEDISASM_H 3 | 4 | #endif // INTERFACEDISASM_H 5 | 6 | -------------------------------------------------------------------------------- /sdk/vm_instruction_set.h: -------------------------------------------------------------------------------- 1 | #ifndef VM_INSTRUCTION_SET_H 2 | #define VM_INSTRUCTION_SET_H 3 | 4 | #endif // VM_INSTRUCTION_SET_H 5 | 6 | -------------------------------------------------------------------------------- /resources.qrc: -------------------------------------------------------------------------------- 1 | 2 | 3 | icons/Virus-50.png 4 | icons/Virus-50.ico 5 | 6 | 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # VMPDBG2 2 | 3 | VMPDBG is a debugger and devirtualizer (GUI included) for x86 code that was obfuscated by VMProtect. 
This project was designed only for scientific purposes and / or malware analysis. 4 | -------------------------------------------------------------------------------- /main.cpp: -------------------------------------------------------------------------------- 1 | #include "mainwindow.h" 2 | #include 3 | 4 | int main(int argc, char *argv[]) 5 | { 6 | QApplication a(argc, argv); 7 | MainWindow w; 8 | w.show(); 9 | 10 | return a.exec(); 11 | } 12 | -------------------------------------------------------------------------------- /memdump.h: -------------------------------------------------------------------------------- 1 | #ifndef MEMDUMP_H 2 | #define MEMDUMP_H 3 | 4 | #include 5 | 6 | class memdump{ 7 | public: 8 | uint32_t page_size; 9 | uint32_t current_address; 10 | 11 | }; 12 | 13 | 14 | #endif // MEMDUMP_H 15 | 16 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | #ifndef TYPES_H 2 | #define TYPES_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | typedef std::vector type_handler; 11 | typedef std::tuple> hashmap; 12 | #endif // TYPES_H 13 | 14 | -------------------------------------------------------------------------------- /dialogboxwaitfordisasm.cpp: -------------------------------------------------------------------------------- 1 | #include "dialogboxwaitfordisasm.h" 2 | #include "ui_dialogboxwaitfordisasm.h" 3 | 4 | DialogBoxWaitForDisasm::DialogBoxWaitForDisasm(QWidget *parent) : 5 | QDialog(parent), 6 | ui(new Ui::DialogBoxWaitForDisasm) 7 | { 8 | ui->setupUi(this); 9 | } 10 | 11 | DialogBoxWaitForDisasm::~DialogBoxWaitForDisasm() 12 | { 13 | delete ui; 14 | } 15 | -------------------------------------------------------------------------------- /_global.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 
#include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #ifndef _GLOBAL_H 17 | #define _GLOBAL_H 18 | 19 | #endif // _GLOBAL_H 20 | 21 | -------------------------------------------------------------------------------- /dialogboxwaitfordisasm.h: -------------------------------------------------------------------------------- 1 | #ifndef DIALOGBOXWAITFORDISASM_H 2 | #define DIALOGBOXWAITFORDISASM_H 3 | 4 | #include 5 | 6 | namespace Ui { 7 | class DialogBoxWaitForDisasm; 8 | } 9 | 10 | class DialogBoxWaitForDisasm : public QDialog 11 | { 12 | Q_OBJECT 13 | 14 | public: 15 | explicit DialogBoxWaitForDisasm(QWidget *parent = 0); 16 | ~DialogBoxWaitForDisasm(); 17 | 18 | private: 19 | Ui::DialogBoxWaitForDisasm *ui; 20 | }; 21 | 22 | #endif // DIALOGBOXWAITFORDISASM_H 23 | -------------------------------------------------------------------------------- /interfacedisasm.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "mainwindow.h" 6 | #ifndef INTERFACEDISASM_H 7 | #define INTERFACEDISASM_H 8 | 9 | 10 | class InterfaceDisasm{ 11 | private: 12 | QPlainTextEdit* screen; 13 | QTextCursor current_cursor; 14 | public: 15 | InterfaceDisasm(QPlainTextEdit* _screen); 16 | void HighLighLine(QString addr); 17 | void ToTop(); 18 | }; 19 | 20 | #endif // INTERFACEDISASM_H 21 | 22 | -------------------------------------------------------------------------------- /interfacememory.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "mainwindow.h" 7 | #ifndef INTERFACEMEMORY_H 8 | #define INTERFACEMEMORY_H 9 | 10 | 11 | class InterfaceMemory{ 12 | private: 13 | QPlainTextEdit* screen; 14 | HANDLE hprocess; 15 | public: 16 | InterfaceMemory(QPlainTextEdit* _screen, HANDLE _hprocess); 17 | QString 
Convert(uint8_t* memory); 18 | int Dump(LPVOID addr); 19 | }; 20 | 21 | #endif // INTERFACEMEMORY_H 22 | 23 | -------------------------------------------------------------------------------- /dialogboxwaitfordisasm.ui: -------------------------------------------------------------------------------- 1 | 2 | 3 | DialogBoxWaitForDisasm 4 | 5 | 6 | 7 | 0 8 | 0 9 | 332 10 | 139 11 | 12 | 13 | 14 | Dialog 15 | 16 | 17 | 18 | 19 | 20 20 | 20 21 | 301 22 | 101 23 | 24 | 25 | 26 | Wait For Event 27 | 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /interfacedisasm.cpp: -------------------------------------------------------------------------------- 1 | #include "interfacedisasm.h" 2 | 3 | InterfaceDisasm::InterfaceDisasm(QPlainTextEdit* _screen) 4 | { 5 | screen=_screen; 6 | current_cursor = _screen->textCursor(); 7 | current_cursor.movePosition(QTextCursor::Start, QTextCursor::MoveAnchor); // moves the cursor to the top 8 | screen->setTextCursor(current_cursor); //sets the pain text edit cursor to the top 9 | 10 | } 11 | void InterfaceDisasm::HighLighLine(QString addr) 12 | { 13 | 14 | screen->setTextCursor(current_cursor); 15 | screen->find(addr); //finds addr string now cursor should be on the found line 16 | current_cursor = screen->textCursor(); 17 | 18 | QList Extra_selections; //create extra selections 19 | QTextEdit::ExtraSelection selection; //selection 20 | 21 | QColor line_color = QColor(Qt::cyan).darker(200); 22 | selection.format.setBackground(line_color); 23 | selection.format.setProperty(QTextFormat::FullWidthSelection, true); 24 | selection.cursor = current_cursor; 25 | selection.cursor.clearSelection(); 26 | Extra_selections.append(selection); 27 | screen->setExtraSelections(Extra_selections); //formats selection stuff and applies to the current_cursor 28 | 29 | } 30 | 31 | void InterfaceDisasm::ToTop(){ 32 | current_cursor.movePosition(QTextCursor::Start, QTextCursor::MoveAnchor); // moves the 
cursor to the top 33 | screen->setTextCursor(current_cursor); //sets the pain text edit cursor to the top 34 | } 35 | -------------------------------------------------------------------------------- /interface_dbg.pro: -------------------------------------------------------------------------------- 1 | #------------------------------------------------- 2 | # 3 | # Project created by QtCreator 2015-03-04T23:21:52 4 | # 5 | #------------------------------------------------- 6 | 7 | QT += core gui 8 | 9 | RC_FILE = dbg_res.rc 10 | 11 | greaterThan(QT_MAJOR_VERSION, 4): QT += widgets 12 | 13 | TARGET = interface_dbg 14 | TEMPLATE = app 15 | 16 | 17 | SOURCES += main.cpp\ 18 | mainwindow.cpp \ 19 | core_decompiler.cpp \ 20 | debugger.cpp \ 21 | interfacedisasm.cpp \ 22 | interfacememory.cpp \ 23 | dialogboxwaitfordisasm.cpp 24 | 25 | HEADERS += mainwindow.h \ 26 | core_decompiler.h \ 27 | sdk/SDK.h \ 28 | debugger.h \ 29 | vm_instruction_set.h \ 30 | types.h \ 31 | memdump.h \ 32 | interfacedisasm.h \ 33 | _global.h \ 34 | interfacememory.h \ 35 | dialogboxwaitfordisasm.h 36 | 37 | FORMS += mainwindow.ui \ 38 | dialogboxwaitfordisasm.ui 39 | 40 | TITAN_PATH = $$[TITAN_PATH] 41 | isEmpty(TITAN_PATH):TITAN_PATH = "C:/Users/JOAO/Documents/QtProjects/interface_dbg/sdk" 42 | LIBS += -L$$TITAN_PATH -lTitanEngine_x86 43 | INCLUDEPATH += $$TITAN_PATH 44 | 45 | 46 | #win32:CONFIG(release, debug|release): LIBS += -L$$PWD/sdk/ -lTitanEngine_x86 47 | #else:win32:CONFIG(debug, debug|release): LIBS += -L$$PWD/sdk/ -lTitanEngine_x86d 48 | 49 | #INCLUDEPATH += $$PWD/sdk 50 | #DEPENDPATH += $$PWD/sdk 51 | 52 | #win32-g++:CONFIG(release, debug|release): PRE_TARGETDEPS += $$PWD/sdk/libTitanEngine_x86.a 53 | #else:win32-g++:CONFIG(debug, debug|release): PRE_TARGETDEPS += $$PWD/sdk/libTitanEngine_x86d.a 54 | #else:win32:!win32-g++:CONFIG(release, debug|release): PRE_TARGETDEPS += $$PWD/sdk/TitanEngine_x86.lib 55 | #else:win32:!win32-g++:CONFIG(debug, debug|release): PRE_TARGETDEPS += 
$$PWD/sdk/TitanEngine_x86d.lib 56 | 57 | RESOURCES += \ 58 | resources.qrc 59 | -------------------------------------------------------------------------------- /core_decompiler.h: -------------------------------------------------------------------------------- 1 | #ifndef CORE_DECOMPILER 2 | #define CORE_DECOMPILER 3 | #define _WIN32_WINNT 0x0601 4 | #include 5 | #include 6 | #include "sdk\SDK.h" 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | 18 | typedef unsigned int u32; 19 | typedef unsigned char* memo; 20 | 21 | namespace core_decompiler{ 22 | 23 | void NewDisasm(uint32_t _imagebase, std::string full_path, uint32_t _vm_out, uint32_t _handler_1, uint32_t _handler_2, uint32_t _handler_start); 24 | void MakeDisasm(std::string dump_file); 25 | void Quit(); 26 | QSet GetTotalAddress(); 27 | 28 | 29 | class vm{ 30 | private: 31 | long handler_1; 32 | long handler_2; 33 | long vm_out; 34 | long temp; 35 | long handler_start; 36 | 37 | /* 38 | * handler_f -> Temporary Variable to store the handler trace 39 | * eax_table -> Temporary vector that stores the eax trace result 40 | * current_handler -> just some temporary var 41 | * addresses -> Set of all adresses fetched 42 | * instruction_va -> va of current function 43 | */ 44 | 45 | //instruction control reference 46 | 47 | void print_handler(std::vector handler_to_print); 48 | 49 | //handlers 50 | public: 51 | vm(std::string full_path, uint32_t _vm_out, uint32_t _handler_1, uint32_t _handler_2, uint32_t _handler_start); 52 | vm(uint32_t _imagebase, std::string full_path, uint32_t _vm_out, uint32_t _handler_1, uint32_t _handler_2, uint32_t _handler_start); 53 | void dump_handlers(std::string dump_file); 54 | void dump_instructions(std::string dump_file); 55 | 56 | QSet addresses; 57 | std::vector handler_f; 58 | std::vector eax_table; 59 | uint32_t current_handler; 60 | uint32_t instruction_va; 61 | QSet GetAddr(); 62 | void 
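ReconHandler(); 63 | 64 | long GetEp(){ 65 | return handler_start; 66 | } 67 | 68 | long GetH1(){ 69 | return handler_1; 70 | } 71 | 72 | long GetH2(){ 73 | return handler_2; 74 | } 75 | 76 | long GetVout(){ 77 | return vm_out; 78 | } 79 | 80 | 81 | 82 | }; 83 | 84 | 85 | } 86 | #endif // CORE_DECOMPILER 87 | 88 | -------------------------------------------------------------------------------- /interfacememory.cpp: -------------------------------------------------------------------------------- 1 | #include "interfacememory.h" 2 | #include
/// Stores the text widget that receives the dump and the handle of the
/// process whose memory is read.
InterfaceMemory::InterfaceMemory(QPlainTextEdit* _screen, HANDLE _hprocess)
{
    screen = _screen;
    hprocess = _hprocess;
}

/// Builds the ASCII column for one dump row.
///
/// Reads exactly 16 bytes starting at `memory`; ASCII digits and letters are
/// copied through, every other byte becomes '.'. The caller must guarantee
/// that 16 bytes are readable at `memory`.
QString InterfaceMemory::Convert(uint8_t* memory)
{
    QString column = "";
    for (int i = 0; i < 16; i++) {
        const uint8_t byte = memory[i];
        const bool is_digit = (byte >= 0x30) && (byte <= 0x39);
        const bool is_lower = (byte >= 'a') && (byte <= 'z');
        const bool is_upper = (byte >= 'A') && (byte <= 'Z');

        if (is_digit || is_lower || is_upper) {
            // Append the character directly. The original formatted it with
            // sprintf("%s", &u), handing a pointer-to-array to a %s argument.
            column += QLatin1Char(static_cast<char>(byte));
        } else {
            column += ".";
        }
    }
    return column;
}

/// Reads up to 0x1000 bytes of the debuggee at `addr` and shows them in the
/// text widget as rows of 16 hex bytes followed by their ASCII column.
///
/// @param addr address inside the process referenced by `hprocess`
/// @return 0 when the address cannot be queried, is not committed, or is not
///         mapped/private/image memory; 1 otherwise. As before, 1 is also
///         returned when the region qualifies but no byte could be read; in
///         that case the widget is left untouched.
int InterfaceMemory::Dump(LPVOID addr)
{
    const SIZE_T kMaxDump = 0x1000;

    MEMORY_BASIC_INFORMATION meminfo;
    if (!VirtualQueryEx(hprocess, addr, &meminfo, sizeof(MEMORY_BASIC_INFORMATION))) {
        return 0;
    }

    if (meminfo.State != MEM_COMMIT) {
        return 0;
    }
    if (meminfo.Type != MEM_MAPPED && meminfo.Type != MEM_PRIVATE && meminfo.Type != MEM_IMAGE) {
        return 0;
    }

    // RegionSize is counted from meminfo.BaseAddress, not from addr, so the
    // bytes still inside the region are RegionSize minus addr's offset.
    const SIZE_T offset = (ULONG_PTR)addr - (ULONG_PTR)meminfo.BaseAddress;
    SIZE_T wanted = (meminfo.RegionSize > offset) ? (meminfo.RegionSize - offset) : 0;
    if (wanted > kMaxDump) {
        wanted = kMaxDump;
    }

    // Zero-filled stack buffer: nothing to free on the early exits, and bytes
    // the read did not deliver are never uninitialised when Convert() looks at
    // a full 16-byte row.
    uint8_t memory[kMaxDump] = {};
    SIZE_T nbytes = 0;

    // The byte count, not the return value, decides what is shown, so a
    // partial read still displays the part that arrived.
    ReadProcessMemory(hprocess, addr, memory, wanted, &nbytes);
    if (nbytes > wanted) {
        nbytes = wanted;
    }
    if (nbytes == 0) {
        return 1;
    }

    QString TextDump = "";
    QString ascii = "";
    for (SIZE_T i = 0; i < nbytes; i++) {
        if ((i % 16) == 0) {
            // Close the previous row with its ASCII column, then start a new
            // row with the 32-bit address of its first byte.
            TextDump += "| " + ascii;
            TextDump += "\n " + QString::number((uint32_t)((ULONG_PTR)addr + i), 16) + "|";
            ascii = Convert(memory + i);
        }
        QString b;
        b.sprintf("%02X", memory[i]);
        TextDump += " " + b;
    }
    // The last row never reaches another "i % 16 == 0" step, so its ASCII
    // column has to be appended here.
    TextDump += "| " + ascii;

    // Update the widget once instead of re-rendering it for every byte.
    screen->document()->setPlainText(TextDump);
    return 1;
}
-------------------------------------------------------------------------------- /mainwindow.h: -------------------------------------------------------------------------------- 1 | #ifndef MAINWINDOW_H 2 | #define MAINWINDOW_H 3 | 4 | #define _WIN32_WINNT 0x0601 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include "core_decompiler.h" 16 | #include "interfacedisasm.h" 17 | #include "interfacememory.h" 18 | #include 19 | 20 | 21 | namespace Ui { 22 | class MainWindow; 23 | } 24 | 25 | class MainWindow : public QMainWindow 26 | { 27 | Q_OBJECT 28 | 29 | public: 30 | explicit MainWindow(QWidget *parent = 0); 31 | ~MainWindow(); 32 | void log(QString logged); 33 | void load_asm(QString file_loc); 34 | void update_view(QString addr); 35 | bool save_project(QString location); 36 | bool restore_project(QString location); 37 | void InitRegs(); 38 | void UpdateRegs(); 39 | 40 | 41 | private slots: 42 | void on_actionOpen_Session_triggered(); 43 | 44 | void on_actionSave_Session_triggered(); 45 | 46 | void on_actionRestore_Session_triggered(); 47 | 48 | void on_actionQuit_triggered(); 49 | 50 | void on_actionStart_Debugg_triggered(); 51 | 52 | void on_actionStop_Debugg_triggered(); 53 | 54 | void on_actionBaby_Step_triggered(); 55 | 56 | void debugMessage(QString msg); 57 | void disasmLine(QString address); 58 | 59 | void on_actionGiant_Step_triggered(); 60 | 61 | void on_actionAbout_triggered(); 62 | 63 | void on_actionDump_Memory_triggered(); 64 | 65 | void on_actionRun_triggered(); 66 | 67 | void on_actionAdd_Breakpoint_triggered(); 68 | 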
69 | void on_actionRemove_Breakpoint_triggered(); 70 | 71 | private: 72 | 73 | void InitUi(); 74 | bool LoadsOrSaves; 75 | bool debug_stats; 76 | Ui::MainWindow *ui; 77 | uint32_t img_base; 78 | uint32_t machine_entry; 79 | uint32_t handler_1; 80 | uint32_t handler_2; 81 | uint32_t machine_quit; 82 | QSet addresses; 83 | QString bin_loc; 84 | InterfaceDisasm* DisasmInterface; 85 | InterfaceMemory* MemDumper; 86 | 87 | //machine registers (UI); 88 | QTreeWidgetItem* Data_Rtab; 89 | QTreeWidgetItem* Main_rtab; 90 | QTreeWidgetItem* IP; 91 | QTreeWidgetItem* stack; 92 | QTreeWidgetItem* N1; 93 | QTreeWidgetItem* N2; 94 | QTreeWidgetItem* N3; 95 | 96 | QTreeWidgetItem* R0; 97 | QTreeWidgetItem* R1; 98 | QTreeWidgetItem* R2; 99 | QTreeWidgetItem* R3; 100 | QTreeWidgetItem* R4; 101 | QTreeWidgetItem* R5; 102 | QTreeWidgetItem* R6; 103 | QTreeWidgetItem* R7; 104 | QTreeWidgetItem* R8; 105 | QTreeWidgetItem* R9; 106 | QTreeWidgetItem* Ra; 107 | QTreeWidgetItem* Rb; 108 | QTreeWidgetItem* Rc; 109 | QTreeWidgetItem* Rd; 110 | QTreeWidgetItem* Re; 111 | QTreeWidgetItem* Rf; 112 | QTreeWidgetItem* R10; 113 | QTreeWidgetItem* R11; 114 | QTreeWidgetItem* R12; 115 | QTreeWidgetItem* R13; 116 | QTreeWidgetItem* R14; 117 | 118 | }; 119 | 120 | #endif // MAINWINDOW_H 121 | -------------------------------------------------------------------------------- /debugger.h: -------------------------------------------------------------------------------- 1 | #ifndef DEBUGGER_H 2 | #define DEBUGGER_H 3 | #define _WIN32_WINNT 0x0601 4 | #include 5 | #include 6 | #include "sdk\SDK.h" 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include "mainwindow.h" 19 | 20 | 21 | 22 | namespace Debugger { 23 | 24 | extern MainWindow* mainWindow; 25 | 26 | HANDLE GetHandle(); 27 | void Stop(); 28 | void Start(QString file, QSet addr_ref, uint32_t machine_processor, uint32_t machine_halt); 29 | void 
Step(); 30 | void Run(); 31 | 32 | uint32_t GetRegisterIP(); 33 | uint32_t GetRegisterSTACK(); 34 | 35 | uint32_t GetRegisterN1(); 36 | 37 | uint32_t GetRegisterN2(); 38 | 39 | uint32_t GetRegisterN3(); 40 | 41 | uint32_t GetRegisterR0(); 42 | 43 | uint32_t GetRegisterR1(); 44 | 45 | uint32_t GetRegisterR2(); 46 | 47 | uint32_t GetRegisterR3(); 48 | 49 | uint32_t GetRegisterR4(); 50 | 51 | uint32_t GetRegisterR5(); 52 | 53 | uint32_t GetRegisterR6(); 54 | 55 | uint32_t GetRegisterR7(); 56 | 57 | uint32_t GetRegisterR8(); 58 | 59 | uint32_t GetRegisterR9(); 60 | 61 | uint32_t GetRegisterRa(); 62 | 63 | uint32_t GetRegisterRb(); 64 | 65 | uint32_t GetRegisterRc(); 66 | 67 | uint32_t GetRegisterRd(); 68 | 69 | uint32_t GetRegisterRe(); 70 | 71 | uint32_t GetRegisterRf(); 72 | 73 | uint32_t GetRegisterR10(); 74 | 75 | uint32_t GetRegisterR11(); 76 | 77 | 78 | uint32_t GetRegisterR12(); 79 | 80 | uint32_t GetRegisterR13(); 81 | 82 | uint32_t GetRegisterR14(); 83 | 84 | void AddBp(uint32_t address); 85 | 86 | void RemoveBp(uint32_t address); 87 | 88 | class debug_thread : public QThread{ 89 | Q_OBJECT 90 | public: 91 | debug_thread(QString file, QSet addr_ref, uint32_t machine_processor, uint32_t machine_halt); 92 | void log(QString msg); 93 | void senduiIP(QString addr); 94 | void wait(); 95 | void resume(); 96 | uint32_t GetEp(){ return machine_ep; } 97 | uint32_t GetHaltPoint() { return machine_outpoint; } 98 | 99 | 100 | uint32_t IP=0; 101 | uint32_t stack=0; 102 | uint32_t N1=0; 103 | uint32_t N2=0; 104 | uint32_t N3=0; 105 | 106 | uint32_t R0=0; 107 | uint32_t R1=0; 108 | uint32_t R2=0; 109 | uint32_t R3=0; 110 | uint32_t R4=0; 111 | uint32_t R5=0; 112 | uint32_t R6=0; 113 | uint32_t R7=0; 114 | uint32_t R8=0; 115 | uint32_t R9=0; 116 | uint32_t Ra=0; 117 | uint32_t Rb=0; 118 | uint32_t Rc=0; 119 | uint32_t Rd=0; 120 | uint32_t Re=0; 121 | uint32_t Rf=0; 122 | uint32_t R10=0; 123 | uint32_t R11=0; 124 | uint32_t R12=0; 125 | uint32_t R13=0; 126 | uint32_t R14=0; 
127 | void UpdateRegs(); 128 | bool bUpdate() {return _bUpdate;} 129 | void sbUpdate(bool b) { _bUpdate=b;} 130 | 131 | 132 | volatile bool brun; 133 | private: 134 | QString file; 135 | QSet references; 136 | uint32_t machine_ep; 137 | uint32_t machine_outpoint; 138 | uint32_t image_base; 139 | 140 | /*Registers*/ 141 | 142 | uint32_t Load32(uint8_t* value); 143 | uint32_t ReadStack32(int index); 144 | uint32_t ReadDataReg32(int index); 145 | 146 | 147 | 148 | volatile bool bWaiting; 149 | volatile bool _bUpdate; 150 | volatile bool state; 151 | 152 | void run(); 153 | signals: 154 | void message(QString msg); 155 | void InstructionPointer(QString addr); 156 | }; 157 | 158 | } 159 | 160 | 161 | 162 | #endif // CORE_DBG_H 163 | 164 | -------------------------------------------------------------------------------- /vm_instruction_set.h: -------------------------------------------------------------------------------- 1 | #ifndef VM_INSTRUCTION_SET_H 2 | #define VM_INSTRUCTION_SET_H 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "types.h" 10 | 11 | type_handler POP32_REG{ "POP_32 R", "3 4", "MOV EDX, [EBP+0x0]", "ADD EBP, 0x4", "MOV [EAX+EDI], EDX" }; 12 | type_handler PUSH32_INT{ "PUSH_32 ", "2 1", "SUB EBP, 0x4", "MOV [EBP+0x0], EAX" }; 13 | type_handler ADD_N2_N1{ "ADD N2, N1", "", "MOV EAX, [EBP+0x0]", "ADD [EBP+0x4], EAX" }; 14 | type_handler PUSH32_REG{ "PUSH_32 R", "1 4", "MOV EDX, [EAX+EDI]", "SUB EBP, 0x4", "MOV [EBP+0x0], EDX" }; 15 | type_handler NOR32_N2_N1{ "NOR_32 N2, N1 ;CF", "", "MOV EAX, [EBP+0x0]", "MOV EDX, [EBP+0x4]", "NOT EAX", "NOT EDX", "AND EAX, EDX", "MOV [EBP+0x4], EAX" }; 16 | type_handler FETCH_32_N1{ "FETCH32 N1", "", "MOV EAX, [EBP+0x0]", "MOV EAX, [EAX]", "MOV [EBP+0x0], EAX" }; 17 | type_handler FETCH_32_N1_V2{ "FETCH32 N1", "", "MOV EAX, [EBP+0x0]", "MOV EAX, [SS:EAX]", "MOV [EBP+0x0], EAX" }; 18 | type_handler FETCH_N1_N2{ "MOV [N1], N2 //destroy both", "", "MOV EAX, [EBP+0x0]", "MOV EDX, 
[EBP+0x4]", "ADD EBP, 0x8", "MOV [SS:EAX], EDX" }; 19 | type_handler MOV_N1_WN2{ "MOV [N1], WORD N2", "", "MOV EAX, [EBP+0x0]", "MOV DX, [EBP+0x4]", "ADD EBP, 0x6", "MOV [SS:EAX], DX" }; 20 | type_handler NOR_16{ "NOR_16 ;CF", "", "MOV AX, [EBP+0x0]", "MOV DX, [EBP+0x2]", "NOT AL", "NOT DL", "SUB EBP, 0x2", "AND AL, DL", "MOV [EBP+0x4], AX" }; 21 | type_handler POP_16{ "POP_16 r", "3 4", "MOV DX, [EBP+0x0]", "ADD EBP, 0x2", "MOV [EAX+EDI], DX" }; 22 | type_handler PUSH_8{ "PUSH_8 r", "1 4", "MOV AL, [EAX+EDI]", "SUB EBP, 0x2", "MOV [EBP+0x0], AX" }; 23 | type_handler POP_8{ "POP_8 r", "3 4", "MOV DX, [EBP+0x0]", "ADD EBP, 0x2", "MOV [EAX+EDI], DL" }; 24 | type_handler PUSH_16{ "PUSH_16 r", "1 4", "MOV AX, [EAX+EDI]", "SUB EBP, 0x2", "MOV [EBP+0x0], AX" }; 25 | type_handler SHR_8{ "SHR BYTE N1, BYTE N2 ;CF", "", "MOV AL, [EBP+0x0]", "MOV CL, [EBP+0x2]", "SUB EBP, 0x2", "SHR AL, CL", "MOV [EBP+0x4], AX" }; 26 | type_handler SHL_8{ "SHL BYTE N1, BYTE N2 ;CF", "", "MOV AL, [EBP+0x0]", "MOV CL, [EBP+0x2]", "SUB EBP, 0x2", "SHL AL, CL", "MOV [EBP+0x4], AX" }; 27 | type_handler PUSH_INT_16{ "PUSH_16 ", "2 1", "SUB EBP, 0x2", "MOV [EBP+0x0], AX" }; 28 | type_handler FETCH_16{ "FETCH_16", "", "MOV EAX, [EBP+0x0]", "ADD EBP, 0x2", "MOV AX, [SS:EAX]", "MOV [EBP+0x0], AX" }; 29 | type_handler FETCH_16_2{ "FETCH_16", "", "MOV EAX, [EBP+0x0]", "ADD EBP, 0x2", "MOV AX, [EAX]", "MOV [EBP+0x0], AX" }; 30 | type_handler ADD_16{ "ADD WORD N2, WORD N1", "", "MOV AX, [EBP+0x0]", "SUB EBP, 0x2", "ADD [EBP+0x4], AX" }; 31 | type_handler NAND_N1{ "NAND WORD N1, WORD N2 ;CF", "", "NOT DWORD [EBP+0x0]", "MOV AX, [EBP+0x0]", "SUB EBP, 0x2", "AND [EBP+0x4], AX" }; 32 | type_handler SHR_N1_B_N2{ "SHR N1, BYTE N2", "", "MOV EAX, [EBP+0x0]", "MOV CL, [EBP+0x4]", "SUB EBP, 0x2", "SHR EAX, CL", "MOV [EBP+0x4], EAX" }; 33 | type_handler SHL_N1_B_N2{ "SHL N1, BYTE N2", "", "MOV EAX, [EBP+0x0]", "MOV CL, [EBP+0x4]", "SUB EBP, 0x2", "SHL EAX, CL", "MOV [EBP+0x4], EAX" }; 34 | type_handler JUMP{ "JUMP 
N1+N2 ", "", "MOV ESI, [EBP+0x0]", "ADD EBP, 0x4", "ADD ESI, [EBP+0x0]" }; 35 | type_handler ADD_8{ "ADD BYTE N1, BYTE N2 ;CF", "", "MOV AL, [EBP+0x0]", "SUB EBP, 0x2", "ADD [EBP+0x4], AL" }; 36 | type_handler ADD_STACK{ "ADD STACK, 4", "", "ADD EBP, 0x4" }; 37 | type_handler MOV_WN2_N1{ "MOV WORD N2, BYTE: [N1] ;stack +2", "", "MOV EDX, [EBP+0x0]", "ADD EBP, 0x2", "MOV AL, [SS:EDX]", "MOV [EBP+0x0], AX" }; 38 | type_handler SHR_WN1_BN2{ "SHR WORD N1, BYTE N2", "", "MOV AX, [EBP+0x0]", "MOV CL, [EBP+0x2]", "SUB EBP, 0x2", "SHR AX, CL", }; 39 | type_handler SHL_WN1_BN2{ "SHL WORD N1, BYTE N2", "", "MOV AX, [EBP+0x0]", "MOV CL, [EBP+0x2]", "SUB EBP, 0x2", "SHL AX, CL", }; 40 | type_handler FETCH_8_N1{ "FETCH_8 N1", "", "MOV EDX, [EBP+0x0]", "ADD EBP, 0x2", "MOV AL, [EDX]", "MOV [EBP+0x0], AX" }; 41 | type_handler TIME_STAMP{ "TIME_STAMP", "", "RDTSC ", "SUB EBP, 0x8", "MOV [EBP+0x0], EDX", "MOV [EBP+0x4], EAX" }; 42 | type_handler DIVIDE{ "DIVIDE WORD N3 ;CF", "", "MOV DX, [EBP+0x0]", "MOV AX, [EBP+0x2]", "MOV CX, [EBP+0x4]", "SUB EBP, 0x2", "DIV CX", "MOV [EBP+0x4], DX", "MOV [EBP+0x6], AX" }; 43 | type_handler SHL_64{ "SHL_64 , BYTE N3", "", "MOV EAX, [EBP+0x0]", "MOV EDX, [EBP+0x4]", "MOV CL, [EBP+0x8]", "ADD EBP, 0x2", "SHLD EAX, EDX, CL", "MOV [EBP+0x4], EAX" }; 44 | type_handler SHR_64{ "SHR_64 , BYTE N3", "", "MOV EAX, [EBP+0x0]", "MOV EDX, [EBP+0x4]", "MOV CL, [EBP+0x8]", "ADD EBP, 0x2", "SHRD EAX, EDX, CL", "MOV [EBP+0x4], EAX" }; 45 | type_handler MUL_16{ "MUL WORD N1, WORD N2 ;CF", "", "MOV DX, [EBP+0x0]", "MOV AX, [EBP+0x2]", "SUB EBP, 0x4", "MUL DX", "MOV [EBP+0x4], DX", "MOV [EBP+0x6], AX" }; 46 | type_handler MUL_32{ "MUL N1, N2","","MOV EDX, [EBP+0x0]", "MOV EAX, [EBP+0x4]", "SUB EBP, 0x4", "IMUL EDX", "MOV [EBP+0x4], EDX", "MOV [EBP+0x8], EAX" }; 47 | type_handler DIV_32{ "DIV N3", "", "MOV EDX, [EBP+0x0]", "MOV EAX, [EBP+0x4]", "DIV DWORD [EBP+0x8]", "MOV [EBP+0x4], EDX", "MOV [EBP+0x8], EAX" }; 48 | type_handler IDIV_32{ "IDIV N3", "", "MOV EDX, 
[EBP+0x0]", "MOV EAX, [EBP+0x4]", "IDIV DWORD [EBP+0x8]", "MOV [EBP+0x4], EDX", "MOV [EBP+0x8], EAX" }; 49 | type_handler MOV_STACK{ "MOV STACK, N1", "", "MOV EBP, [EBP+0x0]" }; 50 | type_handler MACHINE_ENTER{ "VM_OUTSIDE", "", "MOV ESP, EBP" }; 51 | 52 | std::vector good_handlers{ SHR_64, IDIV_32, MOV_STACK, MUL_32, DIV_32, SHL_8, MUL_16, SHL_64, SHL_WN1_BN2, DIVIDE, SHL_N1_B_N2, TIME_STAMP, FETCH_8_N1, SHR_WN1_BN2, MOV_WN2_N1, ADD_8, JUMP, SHR_N1_B_N2, NAND_N1, ADD_16, FETCH_16_2, FETCH_16, PUSH_INT_16, SHR_8, POP_8, PUSH_16, PUSH_8, POP_16, POP32_REG, PUSH32_INT, ADD_N2_N1, PUSH32_REG, NOR32_N2_N1, FETCH_32_N1, FETCH_32_N1_V2, FETCH_N1_N2, MOV_N1_WN2, NOR_16, MACHINE_ENTER, ADD_STACK }; 53 | std::unordered_map hashtable; 54 | 55 | 56 | #endif // VM_INSTRUCTION_SET_H 57 | 58 | -------------------------------------------------------------------------------- /core_decompiler.cpp: -------------------------------------------------------------------------------- 1 | #define _WIN32_WINNT 0x0601 2 | #include "core_decompiler.h" 3 | #include 4 | #include 5 | #include "sdk\SDK.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include "vm_instruction_set.h" 16 | 17 | //handler declaration 18 | 19 | std::ofstream dump_; 20 | core_decompiler::vm* decompiler; 21 | LPPROCESS_INFORMATION ProcessInfo; 22 | 23 | u32 Load32(memo loc){ 24 | return (loc[3] << (8 * 3)) | (loc[2] << (8 * 2)) | (loc[1] << 8) | loc[0]; 25 | } 26 | 27 | void core_decompiler::NewDisasm(uint32_t _imagebase, std::string full_path, uint32_t _vm_out, uint32_t _handler_1, uint32_t _handler_2, uint32_t _handler_start) 28 | { 29 | decompiler = new core_decompiler::vm(_imagebase,full_path, _vm_out, _handler_1, _handler_2,_handler_start); 30 | } 31 | 32 | void core_decompiler::MakeDisasm(std::string dump_file) 33 | { 34 | if (decompiler != NULL) 35 | { 36 | decompiler->dump_instructions(dump_file); 37 | } 38 | } 39 | 40 | void 
core_decompiler::Quit() 41 | { 42 | delete decompiler; 43 | 44 | } 45 | 46 | QSet core_decompiler::GetTotalAddress(){ 47 | return decompiler->GetAddr(); 48 | } 49 | 50 | 51 | void cbOnHStart(){ 52 | decompiler->instruction_va= GetContextData(UE_ESI); 53 | } 54 | 55 | 56 | 57 | void cbOn_h1(){ 58 | long next_handler = 0; 59 | unsigned char stack[8]; 60 | 61 | next_handler = (long)GetContextData(UE_ESP); 62 | ReadProcessMemory(ProcessInfo->hProcess, (void*)next_handler, stack, 4, NULL); 63 | dump_ << "handle: " << std::hex << Load32(stack) << std::endl; 64 | } 65 | 66 | void cbOn_h2(){ 67 | long next_handler = 0; 68 | unsigned char stack[8]; 69 | 70 | next_handler = (long)GetContextData(UE_ESP); 71 | ReadProcessMemory(ProcessInfo->hProcess, (void*)next_handler, stack, 4, NULL); 72 | dump_ << "handle: " << std::hex << Load32(stack) << std::endl; 73 | } 74 | 75 | void cbOn_quit(){ 76 | dump_ << "vm_quit" << std::endl; 77 | dump_.close(); 78 | StopDebug(); 79 | } 80 | 81 | 82 | void fetch_handler(){ 83 | 84 | std::string disasm; 85 | static uint32_t eip_control = GetContextData(UE_EIP); 86 | eip_control = GetContextData(UE_EIP); 87 | disasm.assign((const char*)Disassemble((LPVOID)eip_control)); 88 | decompiler->handler_f.push_back(disasm); 89 | decompiler->eax_table.push_back(GetContextData(UE_EAX)); 90 | 91 | 92 | if (eip_control == decompiler->GetVout()+1){ 93 | 94 | cbOn_quit(); 95 | } 96 | 97 | if (eip_control != decompiler->GetEp()){ 98 | StepInto(&fetch_handler); 99 | } 100 | 101 | } 102 | 103 | void cbOn_get_h(){ 104 | unsigned char stack[8]; 105 | 106 | if ( decompiler->handler_f.size() > 2){ 107 | decompiler->ReconHandler(); 108 | } 109 | decompiler->handler_f.clear(); 110 | decompiler->eax_table.clear(); 111 | //reads what is the handler, in case it is unknown: 112 | ReadProcessMemory(ProcessInfo->hProcess, (void*)GetContextData(UE_ESP), stack, 4, NULL); 113 | decompiler->current_handler = Load32(stack); 114 | 115 | dump_ << std::hex << 
decompiler->instruction_va << "|"; 116 | decompiler->addresses << decompiler->instruction_va; 117 | fetch_handler(); 118 | 119 | } 120 | 121 | 122 | 123 | void cbOnCreate_dump(LPCREATE_PROCESS_DEBUG_INFO lpCreateProcInfo){ 124 | SetCustomHandler(UE_CH_CREATEPROCESS, NULL); 125 | SetBPX(decompiler->GetH1(), UE_BREAKPOINT, &cbOn_h1); 126 | SetBPX(decompiler->GetH2(), UE_BREAKPOINT, &cbOn_h2); 127 | SetBPX(decompiler->GetVout(), UE_BREAKPOINT, &cbOn_quit); 128 | } 129 | 130 | void cbOnCreateDisasm(LPCREATE_PROCESS_DEBUG_INFO lpCreateProcInfo){ 131 | SetCustomHandler(UE_CH_CREATEPROCESS, NULL); 132 | SetBPX(decompiler->GetEp(), UE_BREAKPOINT, &cbOnHStart); 133 | SetBPX(decompiler->GetH1(), UE_BREAKPOINT, &cbOn_get_h); 134 | SetBPX(decompiler->GetH2(), UE_BREAKPOINT, &cbOn_get_h); 135 | SetBPX(decompiler->GetVout(), UE_BREAKPOINT, &cbOn_quit); 136 | } 137 | 138 | 139 | 140 | core_decompiler::vm::vm(uint32_t _imagebase, std::string full_path, uint32_t _vm_out, uint32_t _handler_1, uint32_t _handler_2, uint32_t _handler_start){ 141 | char* c_str = (char*)full_path.c_str(); 142 | ProcessInfo = (LPPROCESS_INFORMATION)InitDebug(c_str, NULL, NULL); 143 | 144 | vm_out = _vm_out+_imagebase; 145 | handler_1 = _handler_1 + _imagebase; 146 | handler_2 = _handler_2 + _imagebase; 147 | handler_start = _handler_start + _imagebase; 148 | temp=0; 149 | handler_f= std::vector{}; 150 | eax_table = std::vector{}; 151 | addresses = QSet{}; 152 | current_handler=0; 153 | instruction_va=0; 154 | addresses.clear(); 155 | } 156 | 157 | core_decompiler::vm::vm(std::string full_path, uint32_t _vm_out, uint32_t _handler_1, uint32_t _handler_2, uint32_t _handler_start){ 158 | char* c_str = (char*)full_path.c_str(); 159 | ProcessInfo = (LPPROCESS_INFORMATION)InitDebug(c_str, NULL, NULL); 160 | 161 | vm_out = _vm_out; 162 | handler_1 = _handler_1; 163 | handler_2 = _handler_2; 164 | handler_start = _handler_start; 165 | 166 | temp=0; 167 | handler_f= std::vector{}; 168 | eax_table = std::vector{}; 
169 | addresses = QSet{}; 170 | current_handler=0; 171 | instruction_va=0; 172 | addresses.clear(); 173 | } 174 | 175 | 176 | void core_decompiler::vm::dump_handlers(std::string dump_file){ 177 | dump_.open(dump_file); 178 | SetCustomHandler(UE_CH_CREATEPROCESS, &cbOnCreate_dump); 179 | DebugLoop(); 180 | } 181 | 182 | void core_decompiler::vm::dump_instructions(std::string dump_file){ 183 | dump_.open(dump_file); 184 | SetCustomHandler(UE_CH_CREATEPROCESS, &cbOnCreateDisasm); 185 | DebugLoop(); 186 | } 187 | 188 | 189 | 190 | void core_decompiler::vm::ReconHandler(){ 191 | 192 | std::vector match; 193 | std::vector curr_hand; 194 | std::vector wr; 195 | type_handler found; 196 | std::unordered_map::const_iterator got_from_htable = hashtable.find(current_handler); 197 | 198 | //std::cout << handler_f.size() << std::endl; 199 | 200 | if (got_from_htable != hashtable.end()){ 201 | match = std::get<1>(hashtable[current_handler]); 202 | curr_hand = std::get<0>(hashtable[current_handler]); 203 | dump_ << curr_hand[0]; 204 | if (curr_hand[1] != ""){ 205 | dump_ << std::hex << eax_table[match[atol(curr_hand[1].c_str()) - 1]] / atol(curr_hand[1].c_str() + 2); 206 | } 207 | dump_ << std::endl; 208 | return; 209 | } 210 | 211 | int n_match = 2; 212 | 213 | for (int j = 0; j < good_handlers.size(); j++){ 214 | curr_hand = good_handlers[j]; 215 | n_match = 2; 216 | for (int i = 0; i < handler_f.size() && n_match != curr_hand.size(); i++){ 217 | if (handler_f[i] == curr_hand[n_match]){ 218 | match.push_back(i); 219 | n_match++; 220 | if (n_match == curr_hand.size()){ 221 | dump_ << curr_hand[0]; 222 | if (curr_hand[1] != ""){ 223 | dump_ << std::hex<< eax_table[match[atol(curr_hand[1].c_str()) - 1]] / atol(curr_hand[1].c_str()+2); 224 | } 225 | dump_ << std::endl; 226 | hashtable[current_handler] = hashmap(curr_hand, match); 227 | return; 228 | } 229 | } 230 | } 231 | } 232 | 233 | dump_ << " unknown handler: " < core_decompiler::vm::GetAddr() 237 | { 238 | return addresses; 
239 | } 240 | 241 | void core_decompiler::vm::print_handler(std::vector handler_to_print){ 242 | for (int i = 0; i < handler_to_print.size(); i++){ 243 | std::cout << handler_to_print[i] << std::endl; 244 | } 245 | 246 | } 247 | -------------------------------------------------------------------------------- /mainwindow.ui: -------------------------------------------------------------------------------- 1 | 2 | 3 | MainWindow 4 | 5 | 6 | 7 | 0 8 | 0 9 | 745 10 | 518 11 | 12 | 13 | 14 | VMPDBG v0.1.0 (alpha) 15 | 16 | 17 | 18 | main_ico.icomain_ico.ico 19 | 20 | 21 | 22 | 32 23 | 32 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | Qt::Horizontal 32 | 33 | 34 | 35 | 1 36 | 37 | 38 | 39 | Machine 40 | 41 | 42 | 43 | 44 | 45 | Qt::Horizontal 46 | 47 | 48 | 49 | 50 | Courier New 51 | 10 52 | 75 53 | true 54 | 55 | 56 | 57 | true 58 | 59 | 60 | 61 | 62 | 63 | 1 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | Memory 74 | 75 | 76 | 77 | 78 | 79 | 80 | Courier New 81 | 10 82 | 75 83 | true 84 | 85 | 86 | 87 | true 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | Log 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 0 112 | 0 113 | 745 114 | 21 115 | 116 | 117 | 118 | 119 | File 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | Help 130 | 131 | 132 | 133 | 134 | 135 | Debugger 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | Tools 146 | 147 | 148 | 149 | Breakpoints 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | TopToolBarArea 166 | 167 | 168 | false 169 | 170 | 171 | 172 | 173 | 174 | New Session 175 | 176 | 177 | 178 | 179 | Restore Session 180 | 181 | 182 | 183 | 184 | Quit 185 | 186 | 187 | 188 | 189 | 190 | :/Icons/icons/Virus-50.png:/Icons/icons/Virus-50.png 191 | 192 | 193 | About 194 | 195 | 196 | 197 | 198 | Save Session 199 | 200 | 201 | 202 | 203 | Start Debug Session 204 | 205 | 206 | 207 | 208 | Stop Debug Session 209 | 210 | 211 | 212 | 213 | Baby Step 214 | 215 | 
216 | F7 217 | 218 | 219 | 220 | 221 | Giant Step 222 | 223 | 224 | F10 225 | 226 | 227 | 228 | 229 | Dump Memory 230 | 231 | 232 | 233 | 234 | Run 235 | 236 | 237 | F9 238 | 239 | 240 | 241 | 242 | Add Breakpoint 243 | 244 | 245 | 246 | 247 | Remove Breakpoint 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | -------------------------------------------------------------------------------- /debugger.cpp: -------------------------------------------------------------------------------- 1 | #include "debugger.h" 2 | #define _WIN32_WINNT 0x0601 3 | #include 4 | #include 5 | #include "sdk\SDK.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include "mainwindow.h" 19 | 20 | 21 | namespace Debugger 22 | { 23 | MainWindow* mainWindow; 24 | debug_thread* debugThread; 25 | PROCESS_INFORMATION* pi; 26 | std::set BreakPoints; 27 | 28 | /*Registers*/ 29 | 30 | HANDLE GetHandle(){ 31 | while(!debugThread->bUpdate()) 32 | { 33 | 34 | } 35 | return pi->hProcess; 36 | } 37 | 38 | uint32_t GetRegisterIP(){ 39 | while(!debugThread->bUpdate()) 40 | { 41 | 42 | } 43 | return debugThread->IP; 44 | } 45 | 46 | uint32_t GetRegisterSTACK(){ 47 | while(!debugThread->bUpdate()) 48 | { 49 | 50 | } 51 | return debugThread->stack; 52 | } 53 | 54 | uint32_t GetRegisterN1(){ 55 | while(!debugThread->bUpdate()) 56 | { 57 | 58 | } 59 | return debugThread->N1; 60 | } 61 | 62 | uint32_t GetRegisterN2(){ 63 | while(!debugThread->bUpdate()) 64 | { 65 | 66 | } 67 | return debugThread->N2; 68 | } 69 | 70 | uint32_t GetRegisterN3(){ 71 | while(!debugThread->bUpdate()) 72 | { 73 | 74 | } 75 | return debugThread->N3; 76 | } 77 | 78 | uint32_t GetRegisterR0(){ 79 | while(!debugThread->bUpdate()) 80 | { 81 | 82 | } 83 | return debugThread->R0; 84 | } 85 | 86 | uint32_t GetRegisterR1(){ 87 | while(!debugThread->bUpdate()) 88 | { 89 | 90 | } 91 | return debugThread->R1; 92 | } 93 
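// NOTE(review): this span was rebuilt from a listing whose lines were collapsed and whose
// angle-bracket text (template arguments, <...> include targets) was stripped by the page
// extraction. Tokens that could not be recovered with certainty are left as they appear on the
// page and flagged where they occur.

// Blocks the caller until the debug thread has published a fresh register snapshot.
// This is a pure spin loop: it burns a core and never returns if the debuggee never reaches a
// VM breakpoint. bUpdate() is presumably backed by a plain (non-atomic) flag written from the
// debug thread - TODO confirm in debugger.h and make it std::atomic<bool> or guard it with a mutex.
static void waitForRegisterUpdate()
{
    while(!debugThread->bUpdate())
    {

    }
}

// Snapshot accessors: each one waits for a published snapshot, then returns the cached value
// that debug_thread::UpdateRegs() stored for the corresponding VM data register.
uint32_t GetRegisterR2(){ waitForRegisterUpdate(); return debugThread->R2; }

uint32_t GetRegisterR3(){ waitForRegisterUpdate(); return debugThread->R3; }

uint32_t GetRegisterR4(){ waitForRegisterUpdate(); return debugThread->R4; }

uint32_t GetRegisterR5(){ waitForRegisterUpdate(); return debugThread->R5; }

uint32_t GetRegisterR6(){ waitForRegisterUpdate(); return debugThread->R6; }

uint32_t GetRegisterR7(){ waitForRegisterUpdate(); return debugThread->R7; }

uint32_t GetRegisterR8(){ waitForRegisterUpdate(); return debugThread->R8; }

uint32_t GetRegisterR9(){ waitForRegisterUpdate(); return debugThread->R9; }

uint32_t GetRegisterRa(){ waitForRegisterUpdate(); return debugThread->Ra; }

uint32_t GetRegisterRb(){ waitForRegisterUpdate(); return debugThread->Rb; }

uint32_t GetRegisterRc(){ waitForRegisterUpdate(); return debugThread->Rc; }

uint32_t GetRegisterRd(){ waitForRegisterUpdate(); return debugThread->Rd; }

uint32_t GetRegisterRe(){ waitForRegisterUpdate(); return debugThread->Re; }

uint32_t GetRegisterRf(){ waitForRegisterUpdate(); return debugThread->Rf; }

uint32_t GetRegisterR10(){ waitForRegisterUpdate(); return debugThread->R10; }

uint32_t GetRegisterR11(){ waitForRegisterUpdate(); return debugThread->R11; }

uint32_t GetRegisterR12(){ waitForRegisterUpdate(); return debugThread->R12; }

uint32_t GetRegisterR13(){ waitForRegisterUpdate(); return debugThread->R13; }

uint32_t GetRegisterR14(){ waitForRegisterUpdate(); return debugThread->R14; }

// Assembles a little-endian 32-bit value from the first four bytes of `value`.
// Each byte is widened to uint32_t before shifting: shifting the int-promoted byte left by 24
// overflows a signed int (undefined behaviour) whenever the top byte is >= 0x80.
uint32_t debug_thread::Load32(uint8_t* value){
    return (static_cast<uint32_t>(value[3]) << (8 * 3)) |
           (static_cast<uint32_t>(value[2]) << (8 * 2)) |
           (static_cast<uint32_t>(value[1]) << 8) |
            static_cast<uint32_t>(value[0]);
}

// Reads the 32-bit slot `index` of the VM stack, addressed through the debuggee's EBP.
// Returns 0 when the read fails or is short. The original ignored the ReadProcessMemory result
// and decoded an uninitialised local buffer, so a failed read surfaced leftover bytes of this
// process's own stack as if they were debuggee state.
uint32_t debug_thread::ReadStack32(int index)
{
    unsigned char stack[8] = {0};
    SIZE_T bytesRead = 0;
    if (!ReadProcessMemory(pi->hProcess, (void*)(GetContextData(UE_EBP)+index*4), stack, 4, &bytesRead) || bytesRead != 4)
    {
        return 0;
    }
    return Load32(stack);
}

// Reads the 32-bit VM data register `index`, addressed through the debuggee's EDI.
// Same failure contract as ReadStack32: 0 on a failed or short read, never stale buffer bytes.
uint32_t debug_thread::ReadDataReg32(int index)
{
    unsigned char segment[8] = {0};
    SIZE_T bytesRead = 0;
    if (!ReadProcessMemory(pi->hProcess, (void*)(GetContextData(UE_EDI)+index*4), segment, 4, &bytesRead) || bytesRead != 4)
    {
        return 0;
    }
    return Load32(segment);
}

// Refreshes the cached VM register snapshot from the stopped debuggee.
void debug_thread::UpdateRegs()
{
    //ESI - IP
    //EDI - data regs
    //EBP - machine stack
    /*
    while(!debugThread->bUpdate())
    {
        Sleep(100);
    }
    */
    debugThread->IP = GetContextData(UE_ESI);
    debugThread->stack = GetContextData(UE_EBP);
    debugThread->N1 = ReadStack32(0);
    debugThread->N2 = ReadStack32(1);
    debugThread->N3 = ReadStack32(2);

    debugThread->R0=ReadDataReg32(0);
    debugThread->R1=ReadDataReg32(1);
    debugThread->R2=ReadDataReg32(2);
    debugThread->R3=ReadDataReg32(3);
    debugThread->R4=ReadDataReg32(4);
    debugThread->R5=ReadDataReg32(5);
    debugThread->R6=ReadDataReg32(6);
    debugThread->R7=ReadDataReg32(7);
    debugThread->R8=ReadDataReg32(8);
    debugThread->R9=ReadDataReg32(9);
    debugThread->Ra=ReadDataReg32(10);
    debugThread->Rb=ReadDataReg32(11);
    debugThread->Rc=ReadDataReg32(12);
    debugThread->Rd=ReadDataReg32(13);
    debugThread->Re=ReadDataReg32(14);
    debugThread->Rf=ReadDataReg32(15);
    debugThread->R10=ReadDataReg32(16);
    debugThread->R11=ReadDataReg32(17);
    debugThread->R12=ReadDataReg32(18);
    debugThread->R13=ReadDataReg32(19);
    debugThread->R14=ReadDataReg32(20);

    // debugThread->sbUpdate(false);
}

// Parks the calling (debug) thread until the UI calls resume().
void waitForAction()
{
    debugThread->wait();
}

// Breakpoint callback for the VM entry point (one hit per virtual instruction).
// In run mode it only stops when the VM instruction pointer (ESI) is a user breakpoint;
// otherwise it publishes the current state and waits for the next UI action.
void cbOnVmEp(){
    if(debugThread->brun)
    {
        uint32_t vm_ptr = GetContextData(UE_ESI);
        // NOTE(review): BreakPoints is also modified by AddBp/RemoveBp, which the UI calls;
        // if this callback runs on the debug thread (DebugLoop is entered from run()), the
        // std::set is accessed from two threads without a lock - confirm and guard.
        if (BreakPoints.count(vm_ptr))
        {
            debugThread->log("Breakpoint reached.");
            debugThread->senduiIP(QString::number(GetContextData(UE_ESI),16));
            debugThread->UpdateRegs();
            debugThread->sbUpdate(true);
            debugThread->brun=false;
            waitForAction();
        }
        return;
    }

    debugThread->log("VM at: " + QString::number(GetContextData(UE_ESI),16));
    debugThread->senduiIP(QString::number(GetContextData(UE_ESI),16));
    debugThread->UpdateRegs();
    debugThread->sbUpdate(true);
    waitForAction();
}

// Breakpoint callback for the VM exit point: ends the debug session.
void cbOnVmHalt(){
    debugThread->log("The VM halted.");
    StopDebug();
}

// Process-creation callback: unregisters itself and plants the entry/exit breakpoints.
void cbOnCreateProcess(void* ExceptionData)
{
    SetCustomHandler(UE_CH_CREATEPROCESS, NULL);
    SetBPX(debugThread->GetEp(), UE_BREAKPOINT, &cbOnVmEp);
    SetBPX(debugThread->GetHaltPoint(), UE_BREAKPOINT, &cbOnVmHalt);
    debugThread->log("Debugger Started!");
}


// Stores the session parameters and rebases the two RVAs onto the PE image base read from disk.
// NOTE(review): `QSet addr_ref` is reproduced as it appears on the page; its template argument
// was stripped by the extraction - restore it from debugger.h.
debug_thread::debug_thread(QString file, QSet addr_ref, uint32_t machine_processor, uint32_t machine_halt)
{
    this->file = file;
    this->bWaiting = false;
    this->_bUpdate = false;
    this->references = addr_ref;
    this->image_base = GetPE32Data((char*)file.toUtf8().constData(),0,UE_IMAGEBASE);
    this->machine_ep = machine_processor+image_base;
    this->machine_outpoint = machine_halt+image_base;
    this->state = false;

}

// Forwards a status line to the UI through the message() signal.
void debug_thread::log(QString msg)
{
    emit message(msg);
}


// Forwards the current VM instruction pointer (hex text) to the UI.
void debug_thread::senduiIP(QString addr)
{
    emit InstructionPointer(addr);
}

// Polls every 100 ms until resume() clears bWaiting.
// NOTE(review): bWaiting is written by resume() from another thread; unless it is declared
// atomic/volatile in debugger.h (not visible here) this is a data race and the compiler may
// hoist the load out of the loop.
void debug_thread::wait()
{
    bWaiting = true;
    while(bWaiting) Sleep(100);
}

// Releases a thread parked in wait().
void debug_thread::resume()
{
    bWaiting = false;
}

// Thread body: starts the target under the debug engine and pumps debug events until it stops.
// InitDebug creates the target as a live debuggee, so the analysed binary really executes on
// this host between breakpoints; analyse untrusted samples only inside an isolated VM.
void debug_thread::run()
{
    pi=(PROCESS_INFORMATION*)InitDebug((char*)file.toUtf8().constData(), 0, 0);
    if(!pi)
        log("> InitDebug failed!");
    else
    {
        log("> " + file + " loaded!");
        SetCustomHandler(UE_CH_CREATEPROCESS, (void*)cbOnCreateProcess);
        DebugLoop();
        log("> finished!");
    }
}


// Creates the debug thread for `file`, wires its signals to the main window and starts it.
// NOTE(review): `QSet addr_ref` is reproduced as it appears on the page (template argument lost).
void Start(QString file, QSet addr_ref, uint32_t machine_processor, uint32_t machine_halt)
{
    BreakPoints.clear();
    debugThread = new debug_thread(file, addr_ref, machine_processor, machine_halt);
    mainWindow->connect(debugThread, SIGNAL(message(QString)), mainWindow, SLOT(debugMessage(QString)));
    mainWindow->connect(debugThread, SIGNAL(InstructionPointer(QString)), mainWindow, SLOT(disasmLine(QString)));
    // brun must be set before the thread exists: the constructor does not initialise it and
    // cbOnVmEp reads it on the first breakpoint hit, which could precede a post-start() store.
    debugThread->brun=false;
    debugThread->start();
}

// Stops the debug engine and releases the debug thread if it is parked in wait().
void Stop()
{

    StopDebug();
    debugThread->resume();
}

// Single VM step: invalidates the snapshot and lets the debuggee run to the next entry-point hit.
void Step()
{
    debugThread->sbUpdate(false);
    debugThread->resume();
}

// Run mode: the debuggee keeps going until the VM instruction pointer matches a breakpoint.
void Run()
{

    debugThread->brun=true;
    debugThread->sbUpdate(false);
    debugThread->resume();
}

// Registers a breakpoint on a VM instruction address.
void AddBp(uint32_t address)
{
    BreakPoints.insert(address);

}

// Removes a breakpoint on a VM instruction address (no-op when absent).
void RemoveBp(uint32_t address)
{
    BreakPoints.erase(address);
}


}

-------------------------------------------------------------------------------- /mainwindow.cpp: --------------------------------------------------------------------------------
#include "mainwindow.h"
#include "ui_mainwindow.h"
#include "debugger.h"
#include "interfacememory.h"
#include "interfacedisasm.h"
#include "dialogboxwaitfordisasm.h"
#include  // NOTE(review): include target lost in page extraction (angle-bracket text stripped)

// Creates one "<label> / 0" row under `parent` in the registers tree and returns it.
static QTreeWidgetItem* addRegisterRow(QTreeWidgetItem* parent, const char* label)
{
    QTreeWidgetItem* row = new QTreeWidgetItem();
    row->setText(0, label);
    row->setText(1, "0");
    parent->addChild(row);
    return row;
}

// Prompts for a hexadecimal 32-bit value.
// Returns false when the dialog is cancelled or left empty, or - when retryOnBadInput is false -
// when the text is not valid hex. With retryOnBadInput the prompt repeats until the text parses.
// Parsing is unsigned: the toInt() used previously rejects every value above 0x7FFFFFFF, which
// excludes valid 32-bit addresses and RVAs.
static bool askHexValue(QWidget* parent, const QString& title, const QString& label, uint& value, bool retryOnBadInput)
{
    for (;;)
    {
        bool ok = false;
        const QString text = QInputDialog::getText(parent, title, label, QLineEdit::Normal, QString(), &ok);
        if (!ok || text.isEmpty())
        {
            return false;
        }
        value = text.toUInt(&ok, 16);
        if (ok)
        {
            return true;
        }
        if (!retryOnBadInput)
        {
            return false;
        }
    }
}

// Builds the main window and registers it with the Debugger namespace.
MainWindow::MainWindow(QWidget *parent) :
    QMainWindow(parent),
    ui(new Ui::MainWindow)
{
    debug_stats=false;
    // on_actionDump_Memory_triggered tests MemDumper against NULL before any debug session has
    // assigned it, so it must start out as NULL rather than indeterminate.
    MemDumper=NULL;
    Debugger::mainWindow=this;
    ui->setupUi(this);
    InitUi();
    DisasmInterface =new InterfaceDisasm(this->ui->plainTextEdit_ASM);
    LoadsOrSaves=false;
}

// Sets splitter proportions and prepares the registers tree.
void MainWindow::InitUi(){

    QList<int> Split_sz;
    Split_sz << 200 << 50;
    ui->splitter_2->setSizes(Split_sz);
    /*
    QSplitter* mainSplitter = new QSplitter(Qt::Vertical);
    mainSplitter->addWidget(ui->tabWidget);
    mainSplitter->addWidget(ui->plainTextEditMEMDMP);
    mainSplitter->setStretchFactor(3, 1);
    setCentralWidget(mainSplitter);

    Split_sz[0]=300;
    Split_sz[1]=50;
    mainSplitter->setSizes(Split_sz);

    */
    //setting up registers tab:
    ui->treeWidget_REGISTERS->setColumnCount(2);
    QStringList TreeLabels;
    TreeLabels << "Registers" << "Value";
    ui->treeWidget_REGISTERS->setHeaderLabels(TreeLabels);
    ui->statusBar->showMessage(tr("Welcome"));
    InitRegs();

}

MainWindow::~MainWindow()
{
    delete ui;
}

// Copies the debugger's register snapshot into the registers tree (hex text).
// Every Debugger::GetRegister* call spins until the debug thread publishes a snapshot, so this
// blocks the UI thread for as long as the debuggee keeps running.
void MainWindow::UpdateRegs()
{

    IP->setText(1,QString::number(Debugger::GetRegisterIP(),16));
    stack->setText(1,QString::number(Debugger::GetRegisterSTACK(),16));
    N1->setText(1,QString::number(Debugger::GetRegisterN1(),16));
    N2->setText(1,QString::number(Debugger::GetRegisterN2(),16));
    N3->setText(1,QString::number(Debugger::GetRegisterN3(),16));
    R0->setText(1,QString::number(Debugger::GetRegisterR0(),16));
    R1->setText(1,QString::number(Debugger::GetRegisterR1(),16));
    R2->setText(1,QString::number(Debugger::GetRegisterR2(),16));
    R3->setText(1,QString::number(Debugger::GetRegisterR3(),16));
    R4->setText(1,QString::number(Debugger::GetRegisterR4(),16));
    R5->setText(1,QString::number(Debugger::GetRegisterR5(),16));
    R6->setText(1,QString::number(Debugger::GetRegisterR6(),16));
    R7->setText(1,QString::number(Debugger::GetRegisterR7(),16));
    R8->setText(1,QString::number(Debugger::GetRegisterR8(),16));
    R9->setText(1,QString::number(Debugger::GetRegisterR9(),16));
    Ra->setText(1,QString::number(Debugger::GetRegisterRa(),16));
    Rb->setText(1,QString::number(Debugger::GetRegisterRb(),16));
    Rc->setText(1,QString::number(Debugger::GetRegisterRc(),16));
    Rd->setText(1,QString::number(Debugger::GetRegisterRd(),16));
    Re->setText(1,QString::number(Debugger::GetRegisterRe(),16));
    Rf->setText(1,QString::number(Debugger::GetRegisterRf(),16));
    R10->setText(1,QString::number(Debugger::GetRegisterR10(),16));
    R11->setText(1,QString::number(Debugger::GetRegisterR11(),16));
    R12->setText(1,QString::number(Debugger::GetRegisterR12(),16));
    R13->setText(1,QString::number(Debugger::GetRegisterR13(),16));
    R14->setText(1,QString::number(Debugger::GetRegisterR14(),16));

}

// Creates the two top-level groups and one row per VM register, all initialised to "0".
void MainWindow::InitRegs()
{
    Data_Rtab = new QTreeWidgetItem(ui->treeWidget_REGISTERS);
    Data_Rtab->setText(0, "DATA REGS");
    Data_Rtab->setText(1, " ");
    ui->treeWidget_REGISTERS->addTopLevelItem(Data_Rtab);

    Main_rtab = new QTreeWidgetItem(ui->treeWidget_REGISTERS);
    Main_rtab->setText(0, "MAIN REGS");
    Main_rtab->setText(1, " ");
    ui->treeWidget_REGISTERS->addTopLevelItem(Main_rtab);

    IP    = addRegisterRow(Main_rtab, "IP ");
    stack = addRegisterRow(Main_rtab, "STACK ");
    N1    = addRegisterRow(Main_rtab, "N1 ");
    N2    = addRegisterRow(Main_rtab, "N2 ");
    N3    = addRegisterRow(Main_rtab, "N3 ");

    R0  = addRegisterRow(Data_Rtab, "R0 ");
    R1  = addRegisterRow(Data_Rtab, "R1 ");
    R2  = addRegisterRow(Data_Rtab, "R2 ");
    R3  = addRegisterRow(Data_Rtab, "R3 ");
    R4  = addRegisterRow(Data_Rtab, "R4 ");
    R5  = addRegisterRow(Data_Rtab, "R5 ");
    R6  = addRegisterRow(Data_Rtab, "R6 ");
    R7  = addRegisterRow(Data_Rtab, "R7 ");
    R8  = addRegisterRow(Data_Rtab, "R8 ");
    R9  = addRegisterRow(Data_Rtab, "R9 ");
    Ra  = addRegisterRow(Data_Rtab, "Ra ");
    Rb  = addRegisterRow(Data_Rtab, "Rb ");
    Rc  = addRegisterRow(Data_Rtab, "Rc ");
    Rd  = addRegisterRow(Data_Rtab, "Rd ");
    Re  = addRegisterRow(Data_Rtab, "Re ");
    Rf  = addRegisterRow(Data_Rtab, "Rf ");
    R10 = addRegisterRow(Data_Rtab, "R10 ");
    R11 = addRegisterRow(Data_Rtab, "R11 ");
    R12 = addRegisterRow(Data_Rtab, "R12 ");
    R13 = addRegisterRow(Data_Rtab, "R13 ");
    R14 = addRegisterRow(Data_Rtab, "R14 ");

}

// Appends a line to the log pane.
void MainWindow::log(QString logged)
{
    ui->plainTextEdit_LOG->appendPlainText(logged);
}

// Loads a saved session (addresses, disassembly text, breakpoint set, target path).
// Returns false when the file cannot be opened or does not deserialise cleanly; in the second
// case the numeric members may already hold partial values, but the view and LoadsOrSaves are
// left untouched.
// The file is trusted input in a sensitive position: bin_loc is read from it and is later
// passed to Debugger::Start, which launches that executable. Check the logged
// "Binary Location" before starting a debug session from a session file you did not create.
bool MainWindow::restore_project(QString location)
{
    QString vm_asm;
    QFile project_file(location);
    if(!project_file.open(QIODevice::ReadOnly))
    {
        return false;
    }
    QDataStream input(&project_file);
    input.setVersion(QDataStream::Qt_5_4);
    input >> img_base;
    input >> machine_entry;
    input >> handler_1;
    input >> handler_2;
    input >> machine_quit;
    input >> vm_asm;
    input >> addresses;
    input >> bin_loc;
    // A truncated or foreign file leaves the stream in ReadPastEnd/ReadCorruptData; the
    // original accepted whatever had been read so far.
    const bool parsed = (input.status() == QDataStream::Ok);
    project_file.close();
    if(!parsed)
    {
        return false;
    }
    ui->plainTextEdit_ASM->document()->setPlainText(vm_asm);
    LoadsOrSaves=true;
    return true;
}

// Writes the current session to `location`; returns false if the file cannot be opened or the
// stream reports a write failure.
bool MainWindow::save_project(QString location)
{
    QFile project_file(location);
    if(!project_file.open(QIODevice::WriteOnly))
    {
        return false;
    }

    QDataStream project_out(&project_file);
    project_out.setVersion(QDataStream::Qt_5_4);
    project_out << img_base << machine_entry << handler_1 << handler_2 << machine_quit;
    project_out << ui->plainTextEdit_ASM->document()->toPlainText();
    project_out << addresses;
    project_out << bin_loc;
    const bool written = (project_out.status() == QDataStream::Ok);
    project_file.flush();
    project_file.close();
    if(!written)
    {
        return false;
    }
    LoadsOrSaves=true;
    return true;
}

// Loads a text dump into the disassembly pane; silently does nothing if it cannot be opened.
void MainWindow::load_asm(QString file_loc)
{
    QFile asm_dump(file_loc);
    if(asm_dump.open(QFile::ReadOnly | QFile::Text))
    {
        QTextStream asm_stream(&asm_dump);
        QString asm_text = asm_stream.readAll();
        // ui->textEdit_ASM->setText(asm_text);
        ui->plainTextEdit_ASM->document()->setPlainText(asm_text);
        asm_dump.close();
    }
}

// Highlights the disassembly line for `addr`.
void MainWindow::update_view(QString addr)
{
    DisasmInterface->HighLighLine(addr);
}

// "New Session": asks for the target executable and the four VM addresses (as hex RVAs), then
// runs the decompiler and loads its dump.
// The decompiler is driven through the debug engine (core_decompiler's vm constructor calls
// InitDebug and its dump routines enter DebugLoop), so the selected executable is presumably
// run on this host during this step - use an isolated VM for untrusted samples.
// "dump.txt" is a relative path, so it is created in, and read back from, the process's
// current working directory.
void MainWindow::on_actionOpen_Session_triggered()
{
    std::string file_loc = "";
    uint value = 0;
    QString fileName = QFileDialog::getOpenFileName(this, tr("Open File"),
                                                    "/",
                                                    tr("Executables (*.exe)"));
    // Cancelling the file dialog used to fall through with an empty path.
    if(fileName.isEmpty())
    {
        return;
    }

    QMessageBox::information(NULL, "Please wait", "please wait while the decompiler works.");
    bin_loc = fileName;

    log("loaded file: "+fileName);
    file_loc = fileName.toStdString();
    img_base = GetPE32Data((char*)file_loc.data(),0,UE_IMAGEBASE);
    log("retrieved PE image base: 0x"+ QString::number(img_base,16));

    if(!askHexValue(this, tr("Machine Entry Point: "), tr("machine ep rva (hex): "), value, true))
    {
        return;
    }
    machine_entry = value;

    log("machine ep (from user): 0x" + QString::number(machine_entry,16));
    QMessageBox::information(this, "Information","Now you will enter the handlers. If there is only one you should enter the second with the same value as the first");

    if(!askHexValue(this, tr("Machine Handler #1: "), tr("machine h_1 rva (hex): "), value, true))
    {
        return;
    }
    handler_1 = value;

    log("machine handler #1 (from user): 0x" + QString::number(handler_1,16));

    if(!askHexValue(this, tr("Machine Handler #2: "), tr("machine h_2 rva (hex): "), value, true))
    {
        return;
    }
    handler_2 = value;

    log("machine handler #2 (from user): 0x" + QString::number(handler_2,16));

    if(!askHexValue(this, tr("Machine Exit Address: "), tr("machine exit rva (hex): "), value, true))
    {
        return;
    }
    machine_quit = value;

    log("machine quit adress (from user): 0x" + QString::number(machine_quit,16));
    log("decompilation process started...");

    core_decompiler::NewDisasm(img_base,file_loc,machine_quit,handler_1, handler_2, machine_entry);
    core_decompiler::MakeDisasm("dump.txt");
    addresses=core_decompiler::GetTotalAddress();


    log("decompilation process ended..");
    load_asm("dump.txt");
    core_decompiler::Quit();
}

// "Save Session": asks for a destination and writes the session file.
void MainWindow::on_actionSave_Session_triggered()
{
    QString sFile = QFileDialog::getSaveFileName(this,"Saving your project");
    if(sFile.isEmpty())
    {
        return;
    }
    if(!save_project(sFile))
    {
        QMessageBox::warning(this, "ERROR while saving!","could not save your project file.",QMessageBox::Ok, QMessageBox::Cancel);
    }

}

// "Restore Session": asks for a session file and loads it.
void MainWindow::on_actionRestore_Session_triggered()
{
    QString opFile = QFileDialog::getOpenFileName(this, "Opening your project");
    if (opFile.isEmpty())
    {
        return;
    }

    if(!restore_project(opFile))
    {
        QMessageBox::warning(this, "ERROR while loading!","could not load your project file.",QMessageBox::Ok, QMessageBox::Cancel);
        // The original went on to log "Loaded Project File" and stale values after a failure.
        return;
    }

    log("Loaded Project File: " + opFile);
    log("machine ep: 0x" + QString::number(machine_entry,16));
    log("machine handler solver #1: 0x" + QString::number(handler_1,16));
    log("machine handler solver #2: 0x" + QString::number(handler_2,16));
    log("machine exit point: 0x" + QString::number(machine_quit,16));
    log("Binary Location: "+bin_loc);

}

void MainWindow::on_actionQuit_triggered()
{
    MainWindow::close();
}

// "Start Debug Session": launches bin_loc under the debugger and attaches the memory view.
void MainWindow::on_actionStart_Debugg_triggered()
{

    if (!LoadsOrSaves)
    {
        QMessageBox::information(this, "Warning", "your session must have been saved before you can continue");
    }

    if (debug_stats){
        debugMessage("Debugger already started.");
        return;
    }

    // Without a target InitDebug fails, no register snapshot is ever published, and the
    // GetHandle() call below would spin on the UI thread forever.
    if (bin_loc.isEmpty()){
        debugMessage("No binary loaded.");
        return;
    }

    DisasmInterface->ToTop();
    debug_stats=true;
    Debugger::Start(bin_loc,addresses,machine_entry,machine_quit);
    // GetHandle() blocks until the debuggee reaches the first VM entry-point breakpoint.
    this->MemDumper = new InterfaceMemory(ui->plainTextEdit_MEMORY,Debugger::GetHandle());

}

// "Stop Debug Session": stops the engine and drops the memory view.
void MainWindow::on_actionStop_Debugg_triggered()
{
    if (!debug_stats){
        debugMessage("Debugger not initialized.");
        return;
    }
    debug_stats=false;
    Debugger::Stop();
    delete this->MemDumper;
    this->MemDumper= NULL;
}

// "Baby Step": executes one VM instruction.
void MainWindow::on_actionBaby_Step_triggered()
{
    if(!debug_stats){
        debugMessage("Debugger not initialized");
        return;
    }
    Debugger::Step();
    UpdateRegs();
}

void MainWindow::debugMessage(QString msg){
    ui->statusBar->showMessage(msg);
}

void MainWindow::disasmLine(QString address){
    update_view(address);
}

// "Giant Step": steps until the VM instruction pointer is one of the addresses collected by
// the decompiler. Runs on the UI thread and does not return until such an address is reached.
void MainWindow::on_actionGiant_Step_triggered()
{
    if(!debug_stats){
        debugMessage("Debugger not initialized");
        return;
    }


    Debugger::Step();
    UpdateRegs();
    while(!addresses.contains(Debugger::GetRegisterIP())){
        Debugger::Step();
        UpdateRegs();
    }

}

void MainWindow::on_actionAbout_triggered()
{
    QMessageBox::information(this,
                             "About VMPDBG",
                             "Hello, \n This is an early alpha release of VMPDBG. I am sure I will add a lot of\n more code soon. Check the contents of the readme file for more details\n\n -xsrtsect 2015");
}

// "Dump Memory": asks for a virtual address in the debuggee and dumps memory from there.
void MainWindow::on_actionDump_Memory_triggered()
{
    uint value = 0;

    QMessageBox::information(this, "Warning", "Dumping memory will take a while. Please be patient.");

    if (this->MemDumper!=NULL)
    {
        if(!askHexValue(this, tr("Memory Dumper"), tr("VA: "), value, true))
        {
            return;
        }
        LPVOID VAloc = reinterpret_cast<LPVOID>(static_cast<quintptr>(value));

        this->MemDumper->Dump(VAloc);


    }
}

// "Run": resumes until a VM breakpoint is hit; UpdateRegs() blocks the UI until then.
void MainWindow::on_actionRun_triggered()
{
    if(!debug_stats){
        debugMessage("Debugger not initialized");
        return;
    }

    Debugger::Run();
    UpdateRegs();
}

// "Add Breakpoint": one prompt; invalid or empty input is ignored.
void MainWindow::on_actionAdd_Breakpoint_triggered()
{
    uint vmip_ptr=0;

    if(!askHexValue(this, tr("Insert Breakpoint"), tr("Address: "), vmip_ptr, false))
    {
        return;
    }

    Debugger::AddBp(vmip_ptr);
    QMessageBox::information(this,"Breakpoint Added","The brakpoint has been Added.");
}

// "Remove Breakpoint": one prompt; invalid or empty input is ignored.
// The dialog title previously read "Insert Breakpoint" (copied from the add action).
void MainWindow::on_actionRemove_Breakpoint_triggered()
{
    uint vmip_ptr=0;

    if(!askHexValue(this, tr("Remove Breakpoint"), tr("Address: "), vmip_ptr, false))
    {
        return;
    }

    Debugger::RemoveBp(vmip_ptr);

    QMessageBox::information(this,"Breakpoint Removed","The brakpoint has been removed.");
}

-------------------------------------------------------------------------------- /sdk/old/SDK.h: -------------------------------------------------------------------------------- 1 | #ifndef TITANENGINE 2 | #define TITANENGINE 3 | 4 | #if _MSC_VER > 1000 5 | #pragma once 6 | #endif 7 | 8 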
| #include 9 | 10 | #pragma pack(push, 1) 11 | 12 | // Engine.Libs: 13 | #define TitanEngineLinkLibs 14 | #define TitanEngineSubFolderSDK // Comment out this line to have SDK in default folder! 15 | 16 | 17 | 18 | // Global.Constant.Structure.Declaration: 19 | // Engine.External: 20 | #define UE_ACCESS_READ 0 21 | #define UE_ACCESS_WRITE 1 22 | #define UE_ACCESS_ALL 2 23 | 24 | #define UE_HIDE_BASIC 1 25 | 26 | #define UE_PLUGIN_CALL_REASON_PREDEBUG 1 27 | #define UE_PLUGIN_CALL_REASON_EXCEPTION 2 28 | #define UE_PLUGIN_CALL_REASON_POSTDEBUG 3 29 | 30 | #define TEE_HOOK_NRM_JUMP 1 31 | #define TEE_HOOK_NRM_CALL 3 32 | #define TEE_HOOK_IAT 5 33 | 34 | #define UE_ENGINE_ALOW_MODULE_LOADING 1 35 | #define UE_ENGINE_AUTOFIX_FORWARDERS 2 36 | #define UE_ENGINE_PASS_ALL_EXCEPTIONS 3 37 | #define UE_ENGINE_NO_CONSOLE_WINDOW 4 38 | #define UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS 5 39 | #define UE_ENGINE_CALL_PLUGIN_CALLBACK 6 40 | #define UE_ENGINE_RESET_CUSTOM_HANDLER 7 41 | #define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8 42 | 43 | #define UE_OPTION_REMOVEALL 1 44 | #define UE_OPTION_DISABLEALL 2 45 | #define UE_OPTION_REMOVEALLDISABLED 3 46 | #define UE_OPTION_REMOVEALLENABLED 4 47 | 48 | #define UE_STATIC_DECRYPTOR_XOR 1 49 | #define UE_STATIC_DECRYPTOR_SUB 2 50 | #define UE_STATIC_DECRYPTOR_ADD 3 51 | 52 | #define UE_STATIC_DECRYPTOR_FOREWARD 1 53 | #define UE_STATIC_DECRYPTOR_BACKWARD 2 54 | 55 | #define UE_STATIC_KEY_SIZE_1 1 56 | #define UE_STATIC_KEY_SIZE_2 2 57 | #define UE_STATIC_KEY_SIZE_4 4 58 | #define UE_STATIC_KEY_SIZE_8 8 59 | 60 | #define UE_STATIC_APLIB 1 61 | #define UE_STATIC_APLIB_DEPACK 2 62 | #define UE_STATIC_LZMA 3 63 | 64 | #define UE_STATIC_HASH_MD5 1 65 | #define UE_STATIC_HASH_SHA1 2 66 | #define UE_STATIC_HASH_CRC32 3 67 | 68 | #define UE_RESOURCE_LANGUAGE_ANY -1 69 | 70 | #define UE_PE_OFFSET 0 71 | #define UE_IMAGEBASE 1 72 | #define UE_OEP 2 73 | #define UE_SIZEOFIMAGE 3 74 | #define UE_SIZEOFHEADERS 4 75 | #define UE_SIZEOFOPTIONALHEADER 5 
// PE field selectors, continued (values 6-28); the list begins above this part of the file.
// NOTE(review): presumably the WhichData argument of GetPE32Data/SetPE32Data and
// their *ForMappedFile variants; confirm against the engine documentation.
#define UE_SECTIONALIGNMENT 6
#define UE_IMPORTTABLEADDRESS 7
#define UE_IMPORTTABLESIZE 8
#define UE_RESOURCETABLEADDRESS 9
#define UE_RESOURCETABLESIZE 10
#define UE_EXPORTTABLEADDRESS 11
#define UE_EXPORTTABLESIZE 12
#define UE_TLSTABLEADDRESS 13
#define UE_TLSTABLESIZE 14
#define UE_RELOCATIONTABLEADDRESS 15
#define UE_RELOCATIONTABLESIZE 16
#define UE_TIMEDATESTAMP 17
#define UE_SECTIONNUMBER 18
#define UE_CHECKSUM 19
#define UE_SUBSYSTEM 20
#define UE_CHARACTERISTICS 21
#define UE_NUMBEROFRVAANDSIZES 22
// Selectors 23-28 name per-section fields.
// NOTE(review): presumably combined with a WhichSection index; confirm.
#define UE_SECTIONNAME 23
#define UE_SECTIONVIRTUALOFFSET 24
#define UE_SECTIONVIRTUALSIZE 25
#define UE_SECTIONRAWOFFSET 26
#define UE_SECTIONRAWSIZE 27
#define UE_SECTIONFLAGS 28

// Exception / debug-event identifiers (1-22).
// NOTE(review): presumably the ExceptionId argument of SetCustomHandler; confirm.
// The spelling "DEVIDE" is part of the public names and must be used as written.
#define UE_CH_BREAKPOINT 1
#define UE_CH_SINGLESTEP 2
#define UE_CH_ACCESSVIOLATION 3
#define UE_CH_ILLEGALINSTRUCTION 4
#define UE_CH_NONCONTINUABLEEXCEPTION 5
#define UE_CH_ARRAYBOUNDSEXCEPTION 6
#define UE_CH_FLOATDENORMALOPERAND 7
#define UE_CH_FLOATDEVIDEBYZERO 8
#define UE_CH_INTEGERDEVIDEBYZERO 9
#define UE_CH_INTEGEROVERFLOW 10
#define UE_CH_PRIVILEGEDINSTRUCTION 11
#define UE_CH_PAGEGUARD 12
#define UE_CH_EVERYTHINGELSE 13
#define UE_CH_CREATETHREAD 14
#define UE_CH_EXITTHREAD 15
#define UE_CH_CREATEPROCESS 16
#define UE_CH_EXITPROCESS 17
#define UE_CH_LOADDLL 18
#define UE_CH_UNLOADDLL 19
#define UE_CH_OUTPUTDEBUGSTRING 20
#define UE_CH_AFTEREXCEPTIONPROCESSING 21
#define UE_CH_ALLEVENTS 22

// Selectors for what a handle query returns; the consuming function is not in this part of the file.
#define UE_OPTION_HANDLER_RETURN_HANDLECOUNT 1
#define UE_OPTION_HANDLER_RETURN_ACCESS 2
#define UE_OPTION_HANDLER_RETURN_FLAGS 3
#define UE_OPTION_HANDLER_RETURN_TYPENAME 4

// Breakpoint slot states.
#define UE_BPXREMOVED 0
#define UE_BPXACTIVE 1
#define UE_BPXINACTIVE 2

// Breakpoint kinds (0-5) and instruction encodings (0x10000000-0x30000000).
// NOTE(review): the encoding values sit above the kind values, so they can presumably
// be OR-ed into one bpxType argument; confirm before relying on it.
#define UE_BREAKPOINT 0
#define UE_SINGLESHOOT 1
#define UE_HARDWARE 2
#define UE_MEMORY 3
#define UE_MEMORY_READ 4
#define UE_MEMORY_WRITE 5
#define UE_BREAKPOINT_TYPE_INT3 0x10000000
#define UE_BREAKPOINT_TYPE_LONG_INT3 0x20000000
#define UE_BREAKPOINT_TYPE_UD2 0x30000000

// Hardware breakpoint access types. These reuse the numeric values 4 and 5 of
// UE_MEMORY_READ / UE_MEMORY_WRITE; all of these are plain macros, so passing a
// constant from the wrong group is not diagnosed by the compiler.
#define UE_HARDWARE_EXECUTE 4
#define UE_HARDWARE_WRITE 5
#define UE_HARDWARE_READWRITE 6

// Hardware breakpoint widths in bytes (1, 2, 4), encoded as 7-9.
#define UE_HARDWARE_SIZE_1 7
#define UE_HARDWARE_SIZE_2 8
#define UE_HARDWARE_SIZE_4 9

// Library load/unload event selectors.
#define UE_ON_LIB_LOAD 1
#define UE_ON_LIB_UNLOAD 2
#define UE_ON_LIB_ALL 3

// NOTE(review): presumably the bpxPlace argument of SetAPIBreakPoint; confirm.
#define UE_APISTART 0
#define UE_APIEND 1

#define UE_PLATFORM_x86 1
#define UE_PLATFORM_x64 2
#define UE_PLATFORM_ALL 3

// Calling-convention and parameter-type selectors.
// NOTE(review): presumably the FunctionType / ParameterType arguments of GetFunctionParameter; confirm.
#define UE_FUNCTION_STDCALL 1
#define UE_FUNCTION_CCALL 2
#define UE_FUNCTION_FASTCALL 3
#define UE_FUNCTION_STDCALL_RET 4
#define UE_FUNCTION_CCALL_RET 5
#define UE_FUNCTION_FASTCALL_RET 6
#define UE_FUNCTION_STDCALL_CALL 7
#define UE_FUNCTION_CCALL_CALL 8
#define UE_FUNCTION_FASTCALL_CALL 9
#define UE_PARAMETER_BYTE 0
#define UE_PARAMETER_WORD 1
#define UE_PARAMETER_DWORD 2
#define UE_PARAMETER_QWORD 3
#define UE_PARAMETER_PTR_BYTE 4
#define UE_PARAMETER_PTR_WORD 5
#define UE_PARAMETER_PTR_DWORD 6
#define UE_PARAMETER_PTR_QWORD 7
#define UE_PARAMETER_STRING 8
#define UE_PARAMETER_UNICODE 9

// Comparison conditions.
// NOTE(review): presumably the CmpCondition argument of SetBPXEx; the UE_CMP_REG_*
// forms presumably compare against another register rather than a constant. Confirm.
#define UE_CMP_NOCONDITION 0
#define UE_CMP_EQUAL 1
#define UE_CMP_NOTEQUAL 2
#define UE_CMP_GREATER 3
#define UE_CMP_GREATEROREQUAL 4
#define UE_CMP_LOWER 5
#define UE_CMP_LOWEROREQUAL 6
#define UE_CMP_REG_EQUAL 7
#define UE_CMP_REG_NOTEQUAL 8
#define UE_CMP_REG_GREATER 9
#define UE_CMP_REG_GREATEROREQUAL 10
#define UE_CMP_REG_LOWER 11
#define UE_CMP_REG_LOWEROREQUAL 12
#define UE_CMP_ALWAYSFALSE 13

// Register selectors (1-42): 32-bit names 1-10, debug registers 11-16,
// 64-bit names 17-34, then UE_CIP/UE_CSP and the segment registers.
// NOTE(review): presumably the IndexOfRegister argument of GetContextData/SetContextData,
// with UE_CIP/UE_CSP meaning the instruction/stack pointer of the current bitness; confirm.
#define UE_EAX 1
#define UE_EBX 2
#define UE_ECX 3
#define UE_EDX 4
#define UE_EDI 5
#define UE_ESI 6
#define UE_EBP 7
#define UE_ESP 8
#define UE_EIP 9
#define UE_EFLAGS 10
#define UE_DR0 11
#define UE_DR1 12
#define UE_DR2 13
#define UE_DR3 14
#define UE_DR6 15
#define UE_DR7 16
#define UE_RAX 17
#define UE_RBX 18
#define UE_RCX 19
#define UE_RDX 20
#define UE_RDI 21
#define UE_RSI 22
#define UE_RBP 23
#define UE_RSP 24
#define UE_RIP 25
#define UE_RFLAGS 26
#define UE_R8 27
#define UE_R9 28
#define UE_R10 29
#define UE_R11 30
#define UE_R12 31
#define UE_R13 32
#define UE_R14 33
#define UE_R15 34
#define UE_CIP 35
#define UE_CSP 36
#define UE_SEG_GS 37
#define UE_SEG_FS 38
#define UE_SEG_ES 39
#define UE_SEG_DS 40
#define UE_SEG_CS 41
#define UE_SEG_SS 42

// Flat record of PE header fields for a 32-bit image; the field names parallel
// the UE_* field selectors.
// NOTE(review): presumably filled by GetPE32DataEx through its untyped LPVOID
// DataStorage; confirm. If so, every value comes from the inspected file's headers:
// range-check sizes, counts and addresses (SectionNumber, NumberOfRvaAndSizes,
// table address/size pairs) before using them as indices or lengths.
typedef struct{
    DWORD PE32Offset;
    DWORD ImageBase;
    DWORD OriginalEntryPoint;
    DWORD NtSizeOfImage;
    DWORD NtSizeOfHeaders;
    WORD SizeOfOptionalHeaders;
    DWORD FileAlignment;
    DWORD SectionAligment; // (sic) the spelling is part of the interface
    DWORD ImportTableAddress;
    DWORD ImportTableSize;
    DWORD ResourceTableAddress;
    DWORD ResourceTableSize;
    DWORD ExportTableAddress;
    DWORD ExportTableSize;
    DWORD TLSTableAddress;
    DWORD TLSTableSize;
    DWORD RelocationTableAddress;
    DWORD RelocationTableSize;
    DWORD TimeDateStamp;
    WORD SectionNumber;
    DWORD CheckSum;
    WORD SubSystem;
    WORD Characteristics;
    DWORD NumberOfRvaAndSizes;
}PE32Struct, *PPE32Struct;

// 64-bit counterpart of PE32Struct. It differs in the first field's name and in
// ImageBase being a DWORD64, so the two layouts are not interchangeable: storage
// handed to an untyped LPVOID parameter must match the image's bitness.
typedef struct{
    DWORD PE64Offset;
    DWORD64 ImageBase;
    DWORD OriginalEntryPoint;
    DWORD NtSizeOfImage;
    DWORD NtSizeOfHeaders;
    WORD SizeOfOptionalHeaders;
    DWORD FileAlignment;
    DWORD SectionAligment; // (sic) the spelling is part of the interface
    DWORD ImportTableAddress;
    DWORD ImportTableSize;
    DWORD ResourceTableAddress;
    DWORD ResourceTableSize;
    DWORD ExportTableAddress;
    DWORD ExportTableSize;
    DWORD TLSTableAddress;
    DWORD TLSTableSize;
    DWORD RelocationTableAddress;
    DWORD RelocationTableSize;
    DWORD TimeDateStamp;
    WORD SectionNumber;
    DWORD CheckSum;
    WORD SubSystem;
    WORD Characteristics;
    DWORD NumberOfRvaAndSizes;
}PE64Struct, *PPE64Struct;

// One import as seen during import enumeration.
// NOTE(review): ownership and lifetime of APIName/DLLName are not visible here;
// copy the strings if they are needed after the enumeration callback returns.
typedef struct{
    bool NewDll;
    int NumberOfImports;
    ULONG_PTR ImageBase;
    ULONG_PTR BaseImportThunk;
    ULONG_PTR ImportThunk;
    char* APIName;
    char* DLLName;
}ImportEnumData, *PImportEnumData;

// Per-thread record. NOTE(review): presumably what ThreaderGetThreadInfo returns as void*; confirm.
typedef struct{
    HANDLE hThread;
    DWORD dwThreadId;
    void* ThreadStartAddress;
    void* ThreadLocalBase;
}THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;

// Per-library record (ANSI). Both strings live in fixed MAX_PATH buffers.
// NOTE(review): whether the producer truncates and NUL-terminates longer paths is
// not visible here; do not assume termination when reading these fields.
typedef struct{
    HANDLE hFile;
    void* BaseOfDll;
    HANDLE hFileMapping;
    void* hFileMappingView;
    char szLibraryPath[MAX_PATH];
    char szLibraryName[MAX_PATH];
}LIBRARY_ITEM_DATA, *PLIBRARY_ITEM_DATA;

// Wide-character variant of LIBRARY_ITEM_DATA; the buffers hold MAX_PATH wchar_t
// elements, so byte lengths differ from the ANSI struct.
typedef struct{
    HANDLE hFile;
    void* BaseOfDll;
    HANDLE hFileMapping;
    void* hFileMappingView;
    wchar_t szLibraryPath[MAX_PATH];
    wchar_t szLibraryName[MAX_PATH];
}LIBRARY_ITEM_DATAW, *PLIBRARY_ITEM_DATAW;

// Per-process record: process and main-thread handles/ids plus image information.
typedef struct{
    HANDLE hProcess;
    DWORD dwProcessId;
    HANDLE hThread;
    DWORD dwThreadId;
    HANDLE hFile;
    void* BaseOfImage;
    void* ThreadStartAddress;
    void* ThreadLocalBase;
}PROCESS_ITEM_DATA, *PPROCESS_ITEM_DATA;

// Pairs a process id with a handle value.
typedef struct{
    ULONG ProcessId;
    HANDLE hHandle;
}HandlerArray, *PHandlerArray;

// Descriptor of a loaded plugin. PluginName is a fixed 64-byte buffer and the four
// entry points are stored as untyped void*, so their signatures are not checked by
// the compiler. NOTE(review): a plugin module runs inside the debugger process;
// where plugins are loaded from is not visible in this header.
typedef struct{
    char PluginName[64];
    DWORD PluginMajorVersion;
    DWORD PluginMinorVersion;
    HMODULE PluginBaseAddress;
    void* TitanDebuggingCallBack;
    void* TitanRegisterPlugin;
    void* TitanReleasePlugin;
    void* TitanResetPlugin;
    bool PluginDisabled;
}PluginInformation, *PPluginInformation;

// Capacity limits for HOOK_ENTRY; the insert size is 14 bytes on _WIN64 builds and 5 otherwise.
#define TEE_MAXIMUM_HOOK_SIZE 14
#define TEE_MAXIMUM_HOOK_RELOCS 7
#if defined(_WIN64)
#define TEE_MAXIMUM_HOOK_INSERT_SIZE 14
#else
#define TEE_MAXIMUM_HOOK_INSERT_SIZE 5
#endif

// Bookkeeping for one installed hook.
// HookBytes/OriginalBytes hold at most TEE_MAXIMUM_HOOK_SIZE bytes and RelocationInfo
// at most TEE_MAXIMUM_HOOK_RELOCS entries, while HookSize and RelocationCount are
// free-standing integers. NOTE(review): presumably HookSize <= TEE_MAXIMUM_HOOK_SIZE and
// 0 <= RelocationCount <= TEE_MAXIMUM_HOOK_RELOCS; check both before indexing the arrays.
typedef struct HOOK_ENTRY{
    bool IATHook;
    BYTE HookType;
    DWORD HookSize;
    void* HookAddress;
    void* RedirectionAddress;
    BYTE HookBytes[TEE_MAXIMUM_HOOK_SIZE];
    BYTE OriginalBytes[TEE_MAXIMUM_HOOK_SIZE];
    void* IATHookModuleBase;
    DWORD IATHookNameHash;
    bool HookIsEnabled;
    bool HookIsRemote;
    void* PatchedEntry;
    DWORD RelocationInfo[TEE_MAXIMUM_HOOK_RELOCS];
    int RelocationCount; // signed: reject negative values as well as values above the array size
}HOOK_ENTRY, *PHOOK_ENTRY;

// NOTE(review): presumably the CheckDepth argument of IsPE32FileValidEx; confirm.
#define UE_DEPTH_SURFACE 0
#define UE_DEPTH_DEEP 1

#define UE_UNPACKER_CONDITION_SEARCH_FROM_EP 1

// These share the value 1 with UE_UNPACKER_CONDITION_SEARCH_FROM_EP above, so the two
// groups are presumably used in different arguments; confirm.
#define UE_UNPACKER_CONDITION_LOADLIBRARY 1
#define UE_UNPACKER_CONDITION_GETPROCADDRESS 2
#define UE_UNPACKER_CONDITION_ENTRYPOINTBREAK 3
#define UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 4
#define UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 5

// Per-field validation verdicts.
// NOTE(review): presumably the values stored in the BYTE members of FILE_STATUS_INFO; confirm.
// "FILED" and "PRESET" are spelled this way in the public names.
#define UE_FIELD_OK 0
#define UE_FIELD_BROKEN_NON_FIXABLE 1
#define UE_FIELD_BROKEN_NON_CRITICAL 2
#define UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE 3
#define UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED 4
#define UE_FILED_FIXABLE_NON_CRITICAL 5
#define UE_FILED_FIXABLE_CRITICAL 6
#define UE_FIELD_NOT_PRESET 7
#define UE_FIELD_NOT_PRESET_WARNING 8

// Whole-file verdicts. NOTE(review): presumably the values of OveralEvaluation; confirm.
#define UE_RESULT_FILE_OK 10
#define UE_RESULT_FILE_INVALID_BUT_FIXABLE 11
#define UE_RESULT_FILE_INVALID_AND_NON_FIXABLE 12
#define UE_RESULT_FILE_INVALID_FORMAT 13

// Result of a PE validity check: one overall verdict, a set of file-property flags,
// and one BYTE verdict per header field or data directory.
// NOTE(review): presumably filled through the LPVOID FileStatusInfo argument of
// IsPE32FileValidEx; confirm. Check EvaluationTerminatedByException before trusting
// the per-field verdicts, since an aborted evaluation may leave them unset.
typedef struct{
    BYTE OveralEvaluation;
    bool EvaluationTerminatedByException;
    bool FileIs64Bit;
    bool FileIsDLL;
    bool FileIsConsole;
    bool MissingDependencies;
    bool MissingDeclaredAPIs;
    BYTE SignatureMZ;
    BYTE SignaturePE;
    BYTE EntryPoint;
    BYTE ImageBase;
    BYTE SizeOfImage;
    BYTE FileAlignment;
    BYTE SectionAlignment;
    BYTE ExportTable;
    BYTE RelocationTable;
    BYTE ImportTable;
    BYTE ImportTableSection;
    BYTE ImportTableData;
    BYTE IATTable;
    BYTE TLSTable;
    BYTE LoadConfigTable;
    BYTE BoundImportTable;
    BYTE COMHeaderTable;
    BYTE ResourceTable;
    BYTE ResourceData;
    BYTE SectionTable;
}FILE_STATUS_INFO, *PFILE_STATUS_INFO;

// Record of a PE repair pass. For each data directory it carries a "Stripped" flag,
// a "DontFix" flag and the original address/size pair.
// NOTE(review): presumably the LPVOID FileFixInfo argument of FixBrokenPE32FileEx,
// with the DontFix* members acting as caller-set inputs; confirm.
typedef struct{
    BYTE OveralEvaluation;
    bool FixingTerminatedByException;
    bool FileFixPerformed;
    bool StrippedRelocation;
    bool DontFixRelocations;
    DWORD OriginalRelocationTableAddress;
    DWORD OriginalRelocationTableSize;
    bool StrippedExports;
    bool DontFixExports;
    DWORD OriginalExportTableAddress;
    DWORD OriginalExportTableSize;
    bool StrippedResources;
    bool DontFixResources;
    DWORD OriginalResourceTableAddress;
    DWORD OriginalResourceTableSize;
    bool StrippedTLS;
    bool DontFixTLS;
    DWORD OriginalTLSTableAddress;
    DWORD OriginalTLSTableSize;
    bool StrippedLoadConfig;
    bool DontFixLoadConfig;
    DWORD OriginalLoadConfigTableAddress;
    DWORD OriginalLoadConfigTableSize;
    bool StrippedBoundImports;
    bool DontFixBoundImports;
    DWORD OriginalBoundImportTableAddress;
    DWORD OriginalBoundImportTableSize;
    bool StrippedIAT;
    bool DontFixIAT;
    DWORD OriginalImportAddressTableAddress;
    DWORD OriginalImportAddressTableSize;
    bool StrippedCOM;
    bool DontFixCOM;
    DWORD OriginalCOMTableAddress;
    DWORD OriginalCOMTableSize;
}FILE_FIX_INFO, *PFILE_FIX_INFO;

// C linkage is requested only for C++ translation units on non-_WIN64 builds.
// The matching closing brace is not in this part of the file.
#if !defined (_WIN64)
#ifdef __cplusplus
extern "C" {
#endif /*__cplusplus*/
#endif

// Global.Function.Declaration:
// All functions below are declared __declspec(dllexport) __stdcall. Path and name
// parameters are mutable char*/wchar_t* with no accompanying length, so they are
// presumably NUL-terminated strings; confirm. The W suffix marks the wide-character
// variant; the Ex variants of the Dump* family take a process id instead of a handle.
// TitanEngine.Dumper.functions:
// NOTE(review): by their names the Dump* functions write memory of the target process
// to the given path. That content is whatever the debuggee holds, so treat the output
// files like the original sample.
__declspec(dllexport) bool __stdcall DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool __stdcall DumpProcessW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool __stdcall DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool __stdcall DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint);
__declspec(dllexport) bool __stdcall DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool __stdcall DumpRegionsW(HANDLE hProcess, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool __stdcall DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool __stdcall DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly);
__declspec(dllexport) bool __stdcall DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpModuleW(HANDLE hProcess, LPVOID ModuleBase, wchar_t* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName);
__declspec(dllexport) bool __stdcall DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, wchar_t* szDumpFileName);
__declspec(dllexport) bool __stdcall PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName);
__declspec(dllexport) bool __stdcall PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDebuggedFileName);
__declspec(dllexport) bool __stdcall ExtractSection(char* szFileName, char* szDumpFileName, DWORD SectionNumber);
__declspec(dllexport) bool __stdcall ExtractSectionW(wchar_t* szFileName, wchar_t* szDumpFileName, DWORD SectionNumber);
__declspec(dllexport) bool __stdcall ResortFileSections(char* szFileName);
__declspec(dllexport) bool __stdcall ResortFileSectionsW(wchar_t* szFileName);
// Overlay helpers. FindOverlay reports through two DWORD out-pointers, so offsets and
// sizes are limited to 32 bits. The parameter name szExtactedFileName is spelled this
// way in the declarations.
__declspec(dllexport) bool __stdcall FindOverlay(char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize);
__declspec(dllexport) bool __stdcall FindOverlayW(wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize);
__declspec(dllexport) bool __stdcall ExtractOverlay(char* szFileName, char* szExtactedFileName);
__declspec(dllexport) bool __stdcall ExtractOverlayW(wchar_t* szFileName, wchar_t* szExtactedFileName);
__declspec(dllexport) bool __stdcall AddOverlay(char* szFileName, char* szOverlayFileName);
__declspec(dllexport) bool __stdcall AddOverlayW(wchar_t* szFileName, wchar_t* szOverlayFileName);
__declspec(dllexport) bool __stdcall CopyOverlay(char* szInFileName, char* szOutFileName);
__declspec(dllexport) bool __stdcall CopyOverlayW(wchar_t* szInFileName, wchar_t* szOutFileName);
__declspec(dllexport) bool __stdcall RemoveOverlay(char* szFileName);
__declspec(dllexport) bool __stdcall RemoveOverlayW(wchar_t* szFileName);
// Dumper functions, continued: section editing and PE field access on files and mapped views.
// NOTE(review): by its name MakeAllSectionsRWE rewrites the section flags of the file on
// disk to read/write/execute; confirm, and do not treat such output as a hardened binary.
__declspec(dllexport) bool __stdcall MakeAllSectionsRWE(char* szFileName);
__declspec(dllexport) bool __stdcall MakeAllSectionsRWEW(wchar_t* szFileName);
// SectionContent/ContentSize and SectionSize are independent arguments.
// NOTE(review): whether ContentSize is checked against SectionSize is not visible here.
// In the W variants only the file name is wide; szSectionName stays char*.
__declspec(dllexport) long __stdcall AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long __stdcall AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize);
__declspec(dllexport) long __stdcall AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllexport) long __stdcall AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize);
__declspec(dllexport) bool __stdcall ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
__declspec(dllexport) bool __stdcall ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData);
// NOTE(review): the Get variants return a pointer whose owner and lifetime are not
// declared; presumably engine-owned storage. Copy the string rather than keeping the pointer.
__declspec(dllexport) void __stdcall SetSharedOverlay(char* szFileName);
__declspec(dllexport) void __stdcall SetSharedOverlayW(wchar_t* szFileName);
__declspec(dllexport) char* __stdcall GetSharedOverlay();
__declspec(dllexport) wchar_t* __stdcall GetSharedOverlayW();
__declspec(dllexport) bool __stdcall DeleteLastSection(char* szFileName);
__declspec(dllexport) bool __stdcall DeleteLastSectionW(wchar_t* szFileName);
__declspec(dllexport) bool __stdcall DeleteLastSectionEx(char* szFileName, DWORD NumberOfSections);
__declspec(dllexport) bool __stdcall DeleteLastSectionExW(wchar_t* szFileName, DWORD NumberOfSections);
// Single-field getters return long long, so a failure value cannot be told apart from
// field data by type alone. NOTE(review): the failure convention is not visible here.
__declspec(dllexport) long long __stdcall GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData);
__declspec(dllexport) long long __stdcall GetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData);
__declspec(dllexport) long long __stdcall GetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData);
// The Ex getters/setters take an untyped LPVOID DataStorage with no size argument.
// NOTE(review): presumably a PE32Struct or PE64Struct chosen by the file's bitness;
// confirm, and size the buffer for the larger of the two if the bitness is not yet known.
__declspec(dllexport) bool __stdcall GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage);
__declspec(dllexport) bool __stdcall GetPE32DataEx(char* szFileName, LPVOID DataStorage);
__declspec(dllexport) bool __stdcall GetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage);
__declspec(dllexport) bool __stdcall SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllexport) bool __stdcall SetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllexport) bool __stdcall SetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue);
__declspec(dllexport) bool __stdcall SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage);
__declspec(dllexport) bool __stdcall SetPE32DataEx(char* szFileName, LPVOID DataStorage);
// Address conversion. Only the Ex forms receive the mapped file's size.
// NOTE(review): the non-Ex forms get a bare FileMapVA, so how they bound their reads of
// the mapping is not visible here; prefer the Ex forms when the file is untrusted.
__declspec(dllexport) long __stdcall GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert);
__declspec(dllexport) long long __stdcall ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) long long __stdcall ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType);
__declspec(dllexport) long long __stdcall ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) long long __stdcall ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType);
// TitanEngine.Realigner.functions:
// FileStatusInfo and FileFixInfo are untyped LPVOID parameters.
// NOTE(review): presumably pointers to FILE_STATUS_INFO and FILE_FIX_INFO; confirm.
__declspec(dllexport) bool __stdcall FixHeaderCheckSum(char* szFileName);
__declspec(dllexport) bool __stdcall FixHeaderCheckSumW(wchar_t* szFileName);
__declspec(dllexport) long __stdcall RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode);
__declspec(dllexport) long __stdcall RealignPEEx(char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment);
__declspec(dllexport) long __stdcall RealignPEExW(wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment);
__declspec(dllexport) bool __stdcall WipeSection(char* szFileName, int WipeSectionNumber, bool RemovePhysically);
__declspec(dllexport) bool __stdcall WipeSectionW(wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically);
__declspec(dllexport) bool __stdcall IsPE32FileValidEx(char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo);
__declspec(dllexport) bool __stdcall IsPE32FileValidExW(wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo);
__declspec(dllexport) bool __stdcall FixBrokenPE32FileEx(char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo);
__declspec(dllexport) bool __stdcall FixBrokenPE32FileExW(wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo);
__declspec(dllexport) bool __stdcall IsFileDLL(char* szFileName, ULONG_PTR FileMapVA);
__declspec(dllexport) bool __stdcall IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA);
// TitanEngine.Hider.functions:
// NOTE(review): by their names these change debugger-visible state inside the process
// behind hProcess and revert it; the meaning of PatchAPILevel is not visible here.
__declspec(dllexport) void* __stdcall GetPEBLocation(HANDLE hProcess);
__declspec(dllexport) bool __stdcall HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
__declspec(dllexport) bool __stdcall UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
// TitanEngine.Relocater.functions:
// RelocaterInit/RelocaterCleanup take no context argument.
// NOTE(review): this suggests module-global state, so the group is presumably not safe
// to drive from several threads or for several images at once; confirm.
__declspec(dllexport) void __stdcall RelocaterCleanup();
__declspec(dllexport) void __stdcall RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase);
__declspec(dllexport) void __stdcall RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState);
__declspec(dllexport) long __stdcall RelocaterEstimatedSize();
__declspec(dllexport) bool __stdcall RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA);
__declspec(dllexport) bool __stdcall RelocaterExportRelocationEx(char* szFileName, char* szSectionName);
__declspec(dllexport) bool __stdcall RelocaterExportRelocationExW(wchar_t* szFileName, char* szSectionName);
// MemorySize is a DWORD in the plain form and a ULONG_PTR in the Ex form.
__declspec(dllexport) bool __stdcall RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize);
__declspec(dllexport) bool __stdcall RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage);
__declspec(dllexport) bool __stdcall RelocaterMakeSnapshot(HANDLE hProcess, char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize);
__declspec(dllexport) bool __stdcall RelocaterMakeSnapshotW(HANDLE hProcess, wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize);
__declspec(dllexport) bool __stdcall RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, char* szDumpFile1, char* szDumpFile2, ULONG_PTR MemStart);
__declspec(dllexport) bool __stdcall RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, wchar_t* szDumpFile1, wchar_t* szDumpFile2, ULONG_PTR MemStart);
__declspec(dllexport) bool __stdcall RelocaterChangeFileBase(char* szFileName, ULONG_PTR NewImageBase);
__declspec(dllexport) bool __stdcall RelocaterChangeFileBaseW(wchar_t* szFileName, ULONG_PTR NewImageBase);
__declspec(dllexport) bool __stdcall RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase);
__declspec(dllexport) bool __stdcall RelocaterWipeRelocationTable(char* szFileName);
__declspec(dllexport) bool __stdcall RelocaterWipeRelocationTableW(wchar_t* szFileName);
// TitanEngine.Resourcer.functions:
// The Enumerate* callbacks are untyped void*; the expected signature and calling
// convention are not declared in this header, so a mismatch is not diagnosed at compile time.
// NOTE(review): ResourcerLoadFileForResourceUse returns long long, presumably the base
// later passed to ResourcerFreeLoadedFile as LPVOID; confirm.
__declspec(dllexport) long long __stdcall ResourcerLoadFileForResourceUse(char* szFileName);
__declspec(dllexport) long long __stdcall ResourcerLoadFileForResourceUseW(wchar_t* szFileName);
__declspec(dllexport) bool __stdcall ResourcerFreeLoadedFile(LPVOID LoadedFileBase);
__declspec(dllexport) bool __stdcall ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllexport) bool __stdcall ResourcerExtractResourceFromFile(char* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllexport) bool __stdcall ResourcerExtractResourceFromFileW(wchar_t* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName);
__declspec(dllexport) bool __stdcall ResourcerFindResource(char* szFileName, char* szResourceType, DWORD ResourceType, char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllexport) bool __stdcall ResourcerFindResourceW(wchar_t* szFileName, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllexport) bool __stdcall ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize);
__declspec(dllexport) void __stdcall ResourcerEnumerateResource(char* szFileName, void* CallBack);
__declspec(dllexport) void __stdcall ResourcerEnumerateResourceW(wchar_t* szFileName, void* CallBack);
__declspec(dllexport) void __stdcall ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack);
// TitanEngine.Threader.functions: 598 | __declspec(dllexport) bool __stdcall ThreaderImportRunningThreadData(DWORD ProcessId); 599 | __declspec(dllexport) void* __stdcall ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId); 600 | __declspec(dllexport) void __stdcall ThreaderEnumThreadInfo(void* EnumCallBack); 601 | __declspec(dllexport) bool __stdcall ThreaderPauseThread(HANDLE hThread); 602 | __declspec(dllexport) bool __stdcall ThreaderResumeThread(HANDLE hThread); 603 | __declspec(dllexport) bool __stdcall ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode); 604 | __declspec(dllexport) bool __stdcall ThreaderPauseAllThreads(bool LeaveMainRunning); 605 | __declspec(dllexport) bool __stdcall ThreaderResumeAllThreads(bool LeaveMainPaused); 606 | __declspec(dllexport) bool __stdcall ThreaderPauseProcess(); 607 | __declspec(dllexport) bool __stdcall ThreaderResumeProcess(); 608 | __declspec(dllexport) long long __stdcall ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId); 609 | __declspec(dllexport) bool __stdcall ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize); 610 | __declspec(dllexport) long long __stdcall ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId); 611 | __declspec(dllexport) bool __stdcall ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize); 612 | __declspec(dllexport) void __stdcall ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack); 613 | __declspec(dllexport) bool __stdcall ThreaderIsThreadStillRunning(HANDLE hThread); 614 | __declspec(dllexport) bool __stdcall ThreaderIsThreadActive(HANDLE hThread); 615 | __declspec(dllexport) bool __stdcall ThreaderIsAnyThreadActive(); 616 | __declspec(dllexport) bool __stdcall ThreaderExecuteOnlyInjectedThreads(); 617 | 
// Threader functions, continued.
// NOTE(review): ThreaderGetOpenHandleForThread returns long long, presumably a HANDLE
// value; ThreaderGetThreadData returns an untyped void*. Confirm ownership of both.
__declspec(dllexport) long long __stdcall ThreaderGetOpenHandleForThread(DWORD ThreadId);
__declspec(dllexport) void* __stdcall ThreaderGetThreadData();
__declspec(dllexport) bool __stdcall ThreaderIsExceptionInMainThread();
// TitanEngine.Debugger.functions:
// The disassemble functions return void* and take no output buffer.
// NOTE(review): the result presumably points at engine-owned text that a later call may
// overwrite; copy it before the next call. Confirm.
__declspec(dllexport) void* __stdcall StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress);
__declspec(dllexport) void* __stdcall StaticDisassemble(LPVOID DisassmAddress);
__declspec(dllexport) void* __stdcall DisassembleEx(HANDLE hProcess, LPVOID DisassmAddress);
__declspec(dllexport) void* __stdcall Disassemble(LPVOID DisassmAddress);
__declspec(dllexport) long __stdcall StaticLengthDisassemble(LPVOID DisassmAddress);
__declspec(dllexport) long __stdcall LengthDisassembleEx(HANDLE hProcess, LPVOID DisassmAddress);
__declspec(dllexport) long __stdcall LengthDisassemble(LPVOID DisassmAddress);
// Session start. NOTE(review): by their names the Init*/AutoDebug* functions start the
// file named by szFileName under the debugger, i.e. the target's code runs on this host
// with the caller's privileges; use an isolated analysis machine for untrusted samples.
// The void* result presumably points at process information; check for null. Confirm.
__declspec(dllexport) void* __stdcall InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder);
__declspec(dllexport) void* __stdcall InitDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder);
__declspec(dllexport) void* __stdcall InitDebugEx(char* szFileName, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) void* __stdcall InitDebugExW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) void* __stdcall InitDLLDebug(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) void* __stdcall InitDLLDebugW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack);
__declspec(dllexport) bool __stdcall StopDebug();
// Software breakpoints. bpxType takes UE_* breakpoint constants; every callback is an
// untyped LPVOID whose signature the compiler cannot check.
__declspec(dllexport) void __stdcall SetBPXOptions(long DefaultBreakPointType);
__declspec(dllexport) bool __stdcall IsBPXEnabled(ULONG_PTR bpxAddress);
__declspec(dllexport) bool __stdcall EnableBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool __stdcall DisableBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool __stdcall SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, LPVOID bpxCallBack);
__declspec(dllexport) bool __stdcall SetBPXEx(ULONG_PTR bpxAddress, DWORD bpxType, DWORD NumberOfExecution, DWORD CmpRegister, DWORD CmpCondition, ULONG_PTR CmpValue, LPVOID bpxCallBack, LPVOID bpxCompareCallBack, LPVOID bpxRemoveCallBack);
__declspec(dllexport) bool __stdcall DeleteBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool __stdcall SafeDeleteBPX(ULONG_PTR bpxAddress);
__declspec(dllexport) bool __stdcall SetAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack);
__declspec(dllexport) bool __stdcall DeleteAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxPlace);
__declspec(dllexport) bool __stdcall SafeDeleteAPIBreakPoint(char* szDLLName, char* szAPIName, DWORD bpxPlace);
__declspec(dllexport) bool __stdcall SetMemoryBPX(ULONG_PTR MemoryStart, DWORD SizeOfMemory, LPVOID bpxCallBack);
__declspec(dllexport) bool __stdcall SetMemoryBPXEx(ULONG_PTR MemoryStart, DWORD SizeOfMemory, DWORD BreakPointType, bool RestoreOnHit, LPVOID bpxCallBack);
__declspec(dllexport) bool __stdcall RemoveMemoryBPX(ULONG_PTR MemoryStart, DWORD SizeOfMemory);
// Thread context access. FPUSaveArea is an untyped void* with no size argument.
// NOTE(review): the required buffer size is not visible here; confirm before allocating.
// Getters return long long while setters take ULONG_PTR, so on 32-bit builds the two
// widths differ.
__declspec(dllexport) bool __stdcall GetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllexport) long long __stdcall GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister);
__declspec(dllexport) long long __stdcall GetContextData(DWORD IndexOfRegister);
__declspec(dllexport) bool __stdcall SetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea);
__declspec(dllexport) bool __stdcall SetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllexport) bool __stdcall SetContextData(DWORD IndexOfRegister, ULONG_PTR NewRegisterValue);
__declspec(dllexport) void __stdcall ClearExceptionNumber();
__declspec(dllexport) long __stdcall CurrentExceptionNumber();
// Pattern search and memory editing. MatchPattern* take sizes as signed int while the
// Find/Fill/Patch/Replace families use DWORD; reject negative sizes before calling the
// former. NOTE(review): whether the pattern size is checked against the memory size is
// not visible here.
__declspec(dllexport) bool __stdcall MatchPatternEx(HANDLE hProcess, void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard);
__declspec(dllexport) bool __stdcall MatchPattern(void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard);
__declspec(dllexport) long long __stdcall FindEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard);
__declspec(dllexport) long long __stdcall Find(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard);
__declspec(dllexport) bool __stdcall FillEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte);
__declspec(dllexport) bool __stdcall Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte);
// MemorySize and ReplaceSize are independent arguments.
// NOTE(review): the behaviour when ReplaceSize exceeds MemorySize is not visible here;
// enforce ReplaceSize <= MemorySize in the caller.
__declspec(dllexport) bool __stdcall PatchEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP);
__declspec(dllexport) bool __stdcall Patch(LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP);
__declspec(dllexport) bool __stdcall ReplaceEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard);
__declspec(dllexport) bool __stdcall Replace(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard);
__declspec(dllexport) void* __stdcall GetDebugData();
__declspec(dllexport) void* __stdcall GetTerminationData();
__declspec(dllexport) long __stdcall GetExitCode();
__declspec(dllexport) long long __stdcall GetDebuggedDLLBaseAddress();
__declspec(dllexport) long long __stdcall GetDebuggedFileBaseAddress();
// StringStorage is caller-provided and MaximumStringSize is a signed int.
// NOTE(review): presumably the copy is bounded by MaximumStringSize; whether the result
// is always NUL-terminated is not visible here. Pass the real buffer size and terminate
// the buffer yourself, since the string comes from the debuggee.
__declspec(dllexport) bool __stdcall GetRemoteString(HANDLE hProcess, LPVOID StringAddress, LPVOID StringStorage, int MaximumStringSize);
__declspec(dllexport) long long __stdcall GetFunctionParameter(HANDLE hProcess, DWORD FunctionType, DWORD ParameterNumber, DWORD ParameterType);
__declspec(dllexport) long long __stdcall GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps);
__declspec(dllexport) long long __stdcall GetJumpDestination(HANDLE hProcess, ULONG_PTR InstructionAddress);
__declspec(dllexport) bool __stdcall IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags);
__declspec(dllexport) bool __stdcall IsJumpGoingToExecute();
// ExceptionId takes UE_CH_* constants, presumably; confirm.
__declspec(dllexport) void __stdcall SetCustomHandler(DWORD ExceptionId, LPVOID CallBack);
__declspec(dllexport) void __stdcall ForceClose();
__declspec(dllexport) void __stdcall StepInto(LPVOID traceCallBack);
__declspec(dllexport) void __stdcall StepOver(LPVOID traceCallBack);
__declspec(dllexport) void __stdcall SingleStep(DWORD StepCount, LPVOID StepCallBack);
// Hardware breakpoints. IndexOfRegister presumably takes UE_DR0..UE_DR3; confirm.
__declspec(dllexport) bool __stdcall GetUnusedHardwareBreakPointRegister(LPDWORD RegisterIndex);
__declspec(dllexport) bool __stdcall SetHardwareBreakPointEx(HANDLE hActiveThread, ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack, LPDWORD IndexOfSelectedRegister);
__declspec(dllexport) bool __stdcall SetHardwareBreakPoint(ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack);
__declspec(dllexport) bool __stdcall DeleteHardwareBreakPoint(DWORD IndexOfRegister);
__declspec(dllexport) bool __stdcall RemoveAllBreakPoints(DWORD RemoveOption);
__declspec(dllexport) void* __stdcall GetProcessInformation();
__declspec(dllexport) void* __stdcall GetStartupInformation();
// Debug loop and attach/detach.
// NOTE(review): KillOnExit presumably decides whether the attached process is terminated
// when the debugger exits; set it deliberately when attaching to a process you do not
// own. DebugInfo is an untyped LPVOID whose expected type is not visible here.
__declspec(dllexport) void __stdcall DebugLoop();
__declspec(dllexport) void __stdcall SetDebugLoopTimeOut(DWORD TimeOut);
__declspec(dllexport) void __stdcall SetNextDbgContinueStatus(DWORD SetDbgCode);
__declspec(dllexport) bool __stdcall AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack);
__declspec(dllexport) bool __stdcall DetachDebugger(DWORD ProcessId);
__declspec(dllexport) bool __stdcall DetachDebuggerEx(DWORD ProcessId);
__declspec(dllexport) void __stdcall DebugLoopEx(DWORD TimeOut);
__declspec(dllexport) void __stdcall AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllexport) void __stdcall AutoDebugExW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllexport) bool __stdcall IsFileBeingDebugged();
__declspec(dllexport) void __stdcall SetErrorModel(bool DisplayErrorMessages);
// TitanEngine.FindOEP.functions:
// NOTE(review): both callbacks are untyped LPVOID. By its name FindOEPGenerically traces
// the file at run time, which would mean the target executes on this host; confirm.
__declspec(dllexport) void __stdcall FindOEPInit();
__declspec(dllexport) bool __stdcall FindOEPGenerically(char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
__declspec(dllexport) bool __stdcall FindOEPGenericallyW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
// TitanEngine.Importer.functions:
// Like the Relocater group, these take no context argument.
// NOTE(review): this suggests module-global state behind ImporterInit/ImporterCleanup; confirm.
__declspec(dllexport) void __stdcall ImporterCleanup();
__declspec(dllexport) void __stdcall ImporterSetImageBase(ULONG_PTR ImageBase);
__declspec(dllexport) void __stdcall ImporterSetUnknownDelta(ULONG_PTR DeltaAddress);
// Importer API prototypes (continuation of the TitanEngine.Importer.functions group).
//
// Only the signatures are visible here; the notes below are limited to what
// they establish.
//  - String arguments are non-const char*/wchar_t* and carry no length, so the
//    caller is responsible for NUL-termination.
//  - void* and long long results are untyped.
//    NOTE(review): the long long results presumably hold addresses or ordinals;
//    the failure value is not declared in this part of the header - confirm
//    before converting one to a pointer.
//  - Functions taking HANDLE hProcess receive a process handle from the caller.
//    In this project that process is the program under analysis, so names and
//    addresses obtained through these calls should be handled as untrusted data.
__declspec(dllexport) long long __stdcall ImporterGetCurrentDelta();
__declspec(dllexport) void __stdcall ImporterInit(DWORD MemorySize, ULONG_PTR ImageBase);
__declspec(dllexport) void __stdcall ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk);
__declspec(dllexport) void __stdcall ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue);
__declspec(dllexport) void __stdcall ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue);
__declspec(dllexport) long __stdcall ImporterGetAddedDllCount();
__declspec(dllexport) long __stdcall ImporterGetAddedAPICount();
// NOTE(review): returned as void*; ownership and lifetime of the name buffer are
// not stated here - confirm before storing the pointer.
__declspec(dllexport) void* __stdcall ImporterGetLastAddedDLLName();
__declspec(dllexport) void __stdcall ImporterMoveIAT();
__declspec(dllexport) bool __stdcall ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
__declspec(dllexport) long __stdcall ImporterEstimatedSize();
// The W variants take a wide file name but keep a narrow (char*) section name.
__declspec(dllexport) bool __stdcall ImporterExportIATEx(char* szExportFileName, char* szSectionName);
__declspec(dllexport) bool __stdcall ImporterExportIATExW(wchar_t* szExportFileName, char* szSectionName);
__declspec(dllexport) long long __stdcall ImporterFindAPIWriteLocation(char* szAPIName);
__declspec(dllexport) long long __stdcall ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber);
__declspec(dllexport) long long __stdcall ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) long long __stdcall ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) void* __stdcall ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllexport) void* __stdcall ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllexport) long long __stdcall ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
// DLLBasesList is passed as an integer (ULONG_PTR), not a typed pointer.
// NOTE(review): presumably the address of a list of module bases - layout not shown.
__declspec(dllexport) void* __stdcall ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long long __stdcall ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long long __stdcall ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName);
__declspec(dllexport) long long __stdcall ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* __stdcall ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* __stdcall ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long long __stdcall ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long __stdcall ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long __stdcall ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long long __stdcall ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase);
__declspec(dllexport) bool __stdcall ImporterRelocateWriteLocation(ULONG_PTR AddValue);
__declspec(dllexport) bool __stdcall ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* __stdcall ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* __stdcall ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long __stdcall ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long long __stdcall ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long long __stdcall ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* __stdcall ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
// File-based helpers: every path is a plain string with no length argument.
__declspec(dllexport) bool __stdcall ImporterCopyOriginalIAT(char* szOriginalFile, char* szDumpFile);
__declspec(dllexport) bool __stdcall ImporterCopyOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile);
__declspec(dllexport) bool __stdcall ImporterLoadImportTable(char* szFileName);
__declspec(dllexport) bool __stdcall ImporterLoadImportTableW(wchar_t* szFileName);
__declspec(dllexport) bool __stdcall ImporterMoveOriginalIAT(char* szOriginalFile, char* szDumpFile, char* szSectionName);
__declspec(dllexport) bool __stdcall ImporterMoveOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile, char* szSectionName);
// pIATStart and pIATSize are declared LPVOID, so the pointee type and width are
// not checked by the compiler.
// NOTE(review): presumably out-parameters - confirm the expected storage size.
__declspec(dllexport) void __stdcall ImporterAutoSearchIAT(HANDLE hProcess, char* szFileName, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void __stdcall ImporterAutoSearchIATW(HANDLE hProcess, wchar_t* szFileName, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void __stdcall ImporterAutoSearchIATEx(HANDLE hProcess, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, LPVOID pIATStart, LPVOID pIATSize);
// Callbacks are declared LPVOID: neither the callback's parameter list nor its
// calling convention is verified at compile time.
// NOTE(review): confirm the required callback prototype before passing a function.
__declspec(dllexport) void __stdcall ImporterEnumAddedData(LPVOID EnumCallBack);
__declspec(dllexport) long __stdcall ImporterAutoFixIATEx(HANDLE hProcess, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long __stdcall ImporterAutoFixIATExW(HANDLE hProcess, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
// Shorter forms of the IAT auto-fix entry points: narrow and wide file name.
// The meaning of the long result is not declared in this header.
__declspec(dllexport) long __stdcall ImporterAutoFixIAT(HANDLE hProcess, char* szDumpedFile, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep);
__declspec(dllexport) long __stdcall ImporterAutoFixIATW(HANDLE hProcess, wchar_t* szDumpedFile, ULONG_PTR ImageBase, ULONG_PTR SearchStart, DWORD SearchSize, DWORD SearchStep);
// Global.Engine.Hook.functions:
//
// Hook addresses and redirect targets are untyped LPVOID values, so the compiler
// cannot check that an argument is a code address of the expected kind.
// None of these prototypes takes a process handle.
// NOTE(review): that suggests they act on the calling process - confirm.
// NOTE(review): the bool results presumably report success; the header does not say.
//
// HookAddressArray is an untyped pointer paired with an int element count; the
// element type is not visible here.
__declspec(dllexport) bool __stdcall HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
__declspec(dllexport) bool __stdcall HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
__declspec(dllexport) bool __stdcall HooksIsAddressRedirected(LPVOID HookAddress);
// NOTE(review): both return void*; the layout and lifetime of what they point to
// are not declared in this part of the header.
__declspec(dllexport) void* __stdcall HooksGetTrampolineAddress(LPVOID HookAddress);
__declspec(dllexport) void* __stdcall HooksGetHookEntryDetails(LPVOID HookAddress);
// HookType is a plain int; the accepted values are not listed next to this prototype.
__declspec(dllexport) bool __stdcall HooksInsertNewRedirection(LPVOID HookAddress, LPVOID RedirectTo, int HookType);
__declspec(dllexport) bool __stdcall HooksInsertNewIATRedirectionEx(ULONG_PTR FileMapVA, ULONG_PTR LoadedModuleBase, char* szHookFunction, LPVOID RedirectTo);
__declspec(dllexport) bool __stdcall HooksInsertNewIATRedirection(char* szModuleName, char* szHookFunction, LPVOID RedirectTo);
__declspec(dllexport) bool __stdcall HooksRemoveRedirection(LPVOID HookAddress, bool RemoveAll);
__declspec(dllexport) bool __stdcall HooksRemoveRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool __stdcall HooksRemoveIATRedirection(char* szModuleName, char* szHookFunction, bool RemoveAll);
__declspec(dllexport) bool __stdcall HooksDisableRedirection(LPVOID HookAddress, bool DisableAll);
__declspec(dllexport) bool __stdcall HooksDisableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool __stdcall HooksDisableIATRedirection(char* szModuleName, char* szHookFunction, bool DisableAll);
// Remaining hook-management prototypes (enable and scan), followed by the
// Tracer and Exporter groups. Only signatures are visible; behaviour, error
// values and buffer ownership are not declared here.
__declspec(dllexport) bool __stdcall HooksEnableRedirection(LPVOID HookAddress, bool EnableAll);
__declspec(dllexport) bool __stdcall HooksEnableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool __stdcall HooksEnableIATRedirection(char* szModuleName, char* szHookFunction, bool EnableAll);
// The scan callbacks are declared LPVOID, so the callback prototype and calling
// convention are not checked at compile time.
// NOTE(review): confirm the expected callback signature before casting a function to LPVOID.
__declspec(dllexport) void __stdcall HooksScanModuleMemory(HMODULE ModuleBase, LPVOID CallBack);
__declspec(dllexport) void __stdcall HooksScanEntireProcessMemory(LPVOID CallBack);
__declspec(dllexport) void __stdcall HooksScanEntireProcessMemoryEx();
// TitanEngine.Tracer.functions:
//
// Each tracer call takes a process handle and an address inside that process.
// The address comes from the program under analysis and should be validated by
// the caller; the meaning of the long / long long results is not declared here.
__declspec(dllexport) void __stdcall TracerInit();
__declspec(dllexport) long long __stdcall TracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllexport) long long __stdcall HashTracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD InputNumberOfInstructions);
__declspec(dllexport) long __stdcall TracerDetectRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllexport) long long __stdcall TracerFixKnownRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD RedirectionId);
// NOTE(review): szPluginName suggests an external plugin is selected by name; if
// the engine loads it as a module, the name should come from a fixed, trusted
// location rather than from analysed input - confirm how the name is resolved.
__declspec(dllexport) long __stdcall TracerFixRedirectionViaImpRecPlugin(HANDLE hProcess, char* szPluginName, ULONG_PTR AddressToTrace);
// TitanEngine.Exporter.functions:
//
// Export names are non-const char* with no length argument; relative addresses
// and ordinals are 32-bit DWORD values.
__declspec(dllexport) void __stdcall ExporterCleanup();
__declspec(dllexport) void __stdcall ExporterSetImageBase(ULONG_PTR ImageBase);
__declspec(dllexport) void __stdcall ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, char* szExportModuleName);
__declspec(dllexport) bool __stdcall ExporterAddNewExport(char* szExportName, DWORD ExportRelativeAddress);
__declspec(dllexport) bool __stdcall ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress);
__declspec(dllexport) long __stdcall ExporterGetAddedExportCount();
__declspec(dllexport) long __stdcall ExporterEstimatedSize(); 797 | __declspec(dllexport) bool __stdcall ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA); 798 | __declspec(dllexport) bool __stdcall ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName); 799 | __declspec(dllexport) bool __stdcall ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName); 800 | __declspec(dllexport) bool __stdcall ExporterLoadExportTable(char* szFileName); 801 | __declspec(dllexport) bool __stdcall ExporterLoadExportTableW(wchar_t* szFileName); 802 | // TitanEngine.Librarian.functions: 803 | __declspec(dllexport) bool __stdcall LibrarianSetBreakPoint(char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack); 804 | __declspec(dllexport) bool __stdcall LibrarianRemoveBreakPoint(char* szLibraryName, DWORD bpxType); 805 | __declspec(dllexport) void* __stdcall LibrarianGetLibraryInfo(char* szLibraryName); 806 | __declspec(dllexport) void* __stdcall LibrarianGetLibraryInfoW(wchar_t* szLibraryName); 807 | __declspec(dllexport) void* __stdcall LibrarianGetLibraryInfoEx(void* BaseOfDll); 808 | __declspec(dllexport) void* __stdcall LibrarianGetLibraryInfoExW(void* BaseOfDll); 809 | __declspec(dllexport) void __stdcall LibrarianEnumLibraryInfo(void* EnumCallBack); 810 | __declspec(dllexport) void __stdcall LibrarianEnumLibraryInfoW(void* EnumCallBack); 811 | // TitanEngine.Process.functions: 812 | __declspec(dllexport) long __stdcall GetActiveProcessId(char* szImageName); 813 | __declspec(dllexport) long __stdcall GetActiveProcessIdW(wchar_t* szImageName); 814 | __declspec(dllexport) void __stdcall EnumProcessesWithLibrary(char* szLibraryName, void* EnumFunction); 815 | // TitanEngine.TLSFixer.functions: 816 | __declspec(dllexport) bool __stdcall TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack); 817 | __declspec(dllexport) bool __stdcall TLSGrabCallBackData(char* szFileName, LPVOID 
ArrayOfCallBacks, LPDWORD NumberOfCallBacks); 818 | __declspec(dllexport) bool __stdcall TLSGrabCallBackDataW(wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks); 819 | __declspec(dllexport) bool __stdcall TLSBreakOnCallBackEx(char* szFileName, LPVOID bpxCallBack); 820 | __declspec(dllexport) bool __stdcall TLSBreakOnCallBackExW(wchar_t* szFileName, LPVOID bpxCallBack); 821 | __declspec(dllexport) bool __stdcall TLSRemoveCallback(char* szFileName); 822 | __declspec(dllexport) bool __stdcall TLSRemoveCallbackW(wchar_t* szFileName); 823 | __declspec(dllexport) bool __stdcall TLSRemoveTable(char* szFileName); 824 | __declspec(dllexport) bool __stdcall TLSRemoveTableW(wchar_t* szFileName); 825 | __declspec(dllexport) bool __stdcall TLSBackupData(char* szFileName); 826 | __declspec(dllexport) bool __stdcall TLSBackupDataW(wchar_t* szFileName); 827 | __declspec(dllexport) bool __stdcall TLSRestoreData(); 828 | __declspec(dllexport) bool __stdcall TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks); 829 | __declspec(dllexport) bool __stdcall TLSBuildNewTableEx(char* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks); 830 | __declspec(dllexport) bool __stdcall TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks); 831 | // TitanEngine.TranslateName.functions: 832 | __declspec(dllexport) void* __stdcall TranslateNativeName(char* szNativeName); 833 | __declspec(dllexport) void* __stdcall TranslateNativeNameW(wchar_t* szNativeName); 834 | // TitanEngine.Handler.functions: 835 | __declspec(dllexport) long __stdcall HandlerGetActiveHandleCount(DWORD ProcessId); 836 | __declspec(dllexport) bool __stdcall HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle); 837 | __declspec(dllexport) void* __stdcall HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool 
TranslateName); 838 | __declspec(dllexport) void* __stdcall HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName); 839 | __declspec(dllexport) long __stdcall HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount); 840 | __declspec(dllexport) long long __stdcall HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn); 841 | __declspec(dllexport) bool __stdcall HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle); 842 | __declspec(dllexport) long __stdcall HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount); 843 | __declspec(dllexport) long __stdcall HandlerEnumerateLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount); 844 | __declspec(dllexport) bool __stdcall HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); 845 | __declspec(dllexport) bool __stdcall HandlerCloseAllLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); 846 | __declspec(dllexport) bool __stdcall HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); 847 | __declspec(dllexport) bool __stdcall HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated); 848 | // TitanEngine.Handler[Mutex].functions: 849 | __declspec(dllexport) long __stdcall HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount); 850 | __declspec(dllexport) long long __stdcall HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, char* szMutexString); 851 | __declspec(dllexport) long long __stdcall HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, wchar_t* szMutexString); 852 | __declspec(dllexport) long __stdcall 
HandlerGetProcessIdWhichCreatedMutex(char* szMutexString); 853 | __declspec(dllexport) long __stdcall HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString); 854 | // TitanEngine.Injector.functions: 855 | __declspec(dllexport) bool __stdcall RemoteLoadLibrary(HANDLE hProcess, char* szLibraryFile, bool WaitForThreadExit); 856 | __declspec(dllexport) bool __stdcall RemoteLoadLibraryW(HANDLE hProcess, wchar_t* szLibraryFile, bool WaitForThreadExit); 857 | __declspec(dllexport) bool __stdcall RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, char* szLibraryFile, bool WaitForThreadExit); 858 | __declspec(dllexport) bool __stdcall RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, wchar_t* szLibraryFile, bool WaitForThreadExit); 859 | __declspec(dllexport) bool __stdcall RemoteExitProcess(HANDLE hProcess, DWORD ExitCode); 860 | // TitanEngine.StaticUnpacker.functions: 861 | __declspec(dllexport) bool __stdcall StaticFileLoad(char* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA); 862 | __declspec(dllexport) bool __stdcall StaticFileLoadW(wchar_t* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA); 863 | __declspec(dllexport) bool __stdcall StaticFileUnload(char* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA); 864 | __declspec(dllexport) bool __stdcall StaticFileUnloadW(wchar_t* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA); 865 | __declspec(dllexport) bool __stdcall StaticFileOpen(char* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh); 866 | __declspec(dllexport) bool __stdcall StaticFileOpenW(wchar_t* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh); 867 | __declspec(dllexport) bool 
__stdcall StaticFileGetContent(HANDLE FileHandle, DWORD FilePositionLow, LPDWORD FilePositionHigh, void* Buffer, DWORD Size); 868 | __declspec(dllexport) void __stdcall StaticFileClose(HANDLE FileHandle); 869 | __declspec(dllexport) void __stdcall StaticMemoryDecrypt(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey); 870 | __declspec(dllexport) void __stdcall StaticMemoryDecryptEx(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, void* DecryptionCallBack); 871 | __declspec(dllexport) void __stdcall StaticMemoryDecryptSpecial(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, DWORD SpecDecryptionType, void* DecryptionCallBack); 872 | __declspec(dllexport) void __stdcall StaticSectionDecrypt(ULONG_PTR FileMapVA, DWORD SectionNumber, bool SimulateLoad, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey); 873 | __declspec(dllexport) bool __stdcall StaticMemoryDecompress(void* Source, DWORD SourceSize, void* Destination, DWORD DestinationSize, int Algorithm); 874 | __declspec(dllexport) bool __stdcall StaticRawMemoryCopy(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, char* szDumpFileName); 875 | __declspec(dllexport) bool __stdcall StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, wchar_t* szDumpFileName); 876 | __declspec(dllexport) bool __stdcall StaticRawMemoryCopyEx(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, char* szDumpFileName); 877 | __declspec(dllexport) bool __stdcall StaticRawMemoryCopyExW(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, wchar_t* szDumpFileName); 878 | __declspec(dllexport) bool __stdcall StaticRawMemoryCopyEx64(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, char* szDumpFileName); 879 | __declspec(dllexport) bool __stdcall StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, wchar_t* 
szDumpFileName); 880 | __declspec(dllexport) bool __stdcall StaticHashMemory(void* MemoryToHash, DWORD SizeOfMemory, void* HashDigest, bool OutputString, int Algorithm); 881 | __declspec(dllexport) bool __stdcall StaticHashFileW(wchar_t* szFileName, char* HashDigest, bool OutputString, int Algorithm); 882 | __declspec(dllexport) bool __stdcall StaticHashFile(char* szFileName, char* HashDigest, bool OutputString, int Algorithm); 883 | // TitanEngine.Engine.functions: 884 | __declspec(dllexport) void __stdcall EngineUnpackerInitialize(char* szFileName, char* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack); 885 | __declspec(dllexport) void __stdcall EngineUnpackerInitializeW(wchar_t* szFileName, wchar_t* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack); 886 | __declspec(dllexport) bool __stdcall EngineUnpackerSetBreakCondition(void* SearchStart, DWORD SearchSize, void* SearchPattern, DWORD PatternSize, DWORD PatternDelta, ULONG_PTR BreakType, bool SingleBreak, DWORD Parameter1, DWORD Parameter2); 887 | __declspec(dllexport) void __stdcall EngineUnpackerSetEntryPointAddress(ULONG_PTR UnpackedEntryPointAddress); 888 | __declspec(dllexport) void __stdcall EngineUnpackerFinalizeUnpacking(); 889 | // TitanEngine.Engine.functions: 890 | __declspec(dllexport) void __stdcall SetEngineVariable(DWORD VariableId, bool VariableSet); 891 | __declspec(dllexport) bool __stdcall EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles); 892 | __declspec(dllexport) bool __stdcall EngineCreateMissingDependenciesW(wchar_t* szFileName, wchar_t* szOutputFolder, bool LogCreatedFiles); 893 | __declspec(dllexport) bool __stdcall EngineFakeMissingDependencies(HANDLE hProcess); 894 | __declspec(dllexport) bool __stdcall EngineDeleteCreatedDependencies(); 895 | __declspec(dllexport) bool __stdcall EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* 
WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack); 896 | __declspec(dllexport) void __stdcall EngineAddUnpackerWindowLogMessage(char* szLogMessage); 897 | // Global.Engine.Extension.Functions: 898 | __declspec(dllexport) bool __stdcall ExtensionManagerIsPluginLoaded(char* szPluginName); 899 | __declspec(dllexport) bool __stdcall ExtensionManagerIsPluginEnabled(char* szPluginName); 900 | __declspec(dllexport) bool __stdcall ExtensionManagerDisableAllPlugins(); 901 | __declspec(dllexport) bool __stdcall ExtensionManagerDisablePlugin(char* szPluginName); 902 | __declspec(dllexport) bool __stdcall ExtensionManagerEnableAllPlugins(); 903 | __declspec(dllexport) bool __stdcall ExtensionManagerEnablePlugin(char* szPluginName); 904 | __declspec(dllexport) bool __stdcall ExtensionManagerUnloadAllPlugins(); 905 | __declspec(dllexport) bool __stdcall ExtensionManagerUnloadPlugin(char* szPluginName); 906 | __declspec(dllexport) void* __stdcall ExtensionManagerGetPluginInfo(char* szPluginName); 907 | 908 | #if !defined (_WIN64) 909 | #ifdef __cplusplus 910 | } 911 | #endif /*__cplusplus*/ 912 | #endif 913 | 914 | #pragma pack(pop) 915 | 916 | #endif /*TITANENGINE*/ 917 | -------------------------------------------------------------------------------- /sdk/SDK.h: -------------------------------------------------------------------------------- 1 | #ifndef TITANENGINE 2 | #define TITANENGINE 3 | 4 | #define TITCALL 5 | 6 | #if _MSC_VER > 1000 7 | #pragma once 8 | #endif 9 | 10 | #include 11 | #include 12 | 13 | #pragma pack(push, 1) 14 | 15 | // Global.Constant.Structure.Declaration: 16 | // Engine.External: 17 | #define UE_STRUCT_PE32STRUCT 1 18 | #define UE_STRUCT_PE64STRUCT 2 19 | #define UE_STRUCT_PESTRUCT 3 20 | #define UE_STRUCT_IMPORTENUMDATA 4 21 | #define UE_STRUCT_THREAD_ITEM_DATA 5 22 | #define UE_STRUCT_LIBRARY_ITEM_DATA 6 23 | #define UE_STRUCT_LIBRARY_ITEM_DATAW 7 24 | #define UE_STRUCT_PROCESS_ITEM_DATA 8 25 
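// Structure identifiers, continued (values 9-16 of the UE_STRUCT_* series).
#define UE_STRUCT_HANDLERARRAY 9
#define UE_STRUCT_PLUGININFORMATION 10
#define UE_STRUCT_HOOK_ENTRY 11
#define UE_STRUCT_FILE_STATUS_INFO 12
#define UE_STRUCT_FILE_FIX_INFO 13
#define UE_STRUCT_X87FPUREGISTER 14
#define UE_STRUCT_X87FPU 15
#define UE_STRUCT_TITAN_ENGINE_CONTEXT 16

// File access modes.
#define UE_ACCESS_READ 0
#define UE_ACCESS_WRITE 1
#define UE_ACCESS_ALL 2

#define UE_HIDE_PEBONLY 0
#define UE_HIDE_BASIC 1

// Reason codes handed to plugin callbacks.
#define UE_PLUGIN_CALL_REASON_PREDEBUG 1
#define UE_PLUGIN_CALL_REASON_EXCEPTION 2
#define UE_PLUGIN_CALL_REASON_POSTDEBUG 3
#define UE_PLUGIN_CALL_REASON_UNHANDLEDEXCEPTION 4

// Hook types. The values are 1, 3 and 5, not consecutive.
#define TEE_HOOK_NRM_JUMP 1
#define TEE_HOOK_NRM_CALL 3
#define TEE_HOOK_IAT 5

// Engine variable identifiers. The spelling "ALOW" is part of the public macro
// name and is kept so existing callers keep compiling.
// NOTE(review): UE_ENGINE_SET_DEBUG_PRIVILEGE presumably makes the engine request
// the debug privilege for the analysing process - enable it only where the
// analysis host is meant to run with that privilege; confirm against the engine.
#define UE_ENGINE_ALOW_MODULE_LOADING 1
#define UE_ENGINE_AUTOFIX_FORWARDERS 2
#define UE_ENGINE_PASS_ALL_EXCEPTIONS 3
#define UE_ENGINE_NO_CONSOLE_WINDOW 4
#define UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS 5
#define UE_ENGINE_CALL_PLUGIN_CALLBACK 6
#define UE_ENGINE_RESET_CUSTOM_HANDLER 7
#define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8
#define UE_ENGINE_SET_DEBUG_PRIVILEGE 9

#define UE_OPTION_REMOVEALL 1
#define UE_OPTION_DISABLEALL 2
#define UE_OPTION_REMOVEALLDISABLED 3
#define UE_OPTION_REMOVEALLENABLED 4

// Static decryptor operations.
#define UE_STATIC_DECRYPTOR_XOR 1
#define UE_STATIC_DECRYPTOR_SUB 2
#define UE_STATIC_DECRYPTOR_ADD 3

// Direction selectors. "FOREWARD" is the published spelling and is kept as is.
#define UE_STATIC_DECRYPTOR_FOREWARD 1
#define UE_STATIC_DECRYPTOR_BACKWARD 2

// Key sizes: the macro value equals the size named in the macro.
#define UE_STATIC_KEY_SIZE_1 1
#define UE_STATIC_KEY_SIZE_2 2
#define UE_STATIC_KEY_SIZE_4 4
#define UE_STATIC_KEY_SIZE_8 8

// Decompression algorithm selectors.
#define UE_STATIC_APLIB 1
#define UE_STATIC_APLIB_DEPACK 2
#define UE_STATIC_LZMA 3

// Hash algorithm selectors. MD5, SHA-1 and CRC32 are suitable for identifying or
// de-duplicating samples, not for deciding that a file is authentic or unmodified.
#define UE_STATIC_HASH_MD5 1
#define UE_STATIC_HASH_SHA1 2
#define UE_STATIC_HASH_CRC32 3

// Parenthesised so the negative value stays a single operand wherever the macro
// is expanded.
#define UE_RESOURCE_LANGUAGE_ANY (-1)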
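// Identifiers for PE header fields.
// NOTE(review): presumably passed to the engine's PE-data getters and setters;
// those prototypes are not in this part of the header.
#define UE_PE_OFFSET 0
#define UE_IMAGEBASE 1
#define UE_OEP 2
#define UE_SIZEOFIMAGE 3
#define UE_SIZEOFHEADERS 4
#define UE_SIZEOFOPTIONALHEADER 5
#define UE_SECTIONALIGNMENT 6
#define UE_IMPORTTABLEADDRESS 7
#define UE_IMPORTTABLESIZE 8
#define UE_RESOURCETABLEADDRESS 9
#define UE_RESOURCETABLESIZE 10
#define UE_EXPORTTABLEADDRESS 11
#define UE_EXPORTTABLESIZE 12
#define UE_TLSTABLEADDRESS 13
#define UE_TLSTABLESIZE 14
#define UE_RELOCATIONTABLEADDRESS 15
#define UE_RELOCATIONTABLESIZE 16
#define UE_TIMEDATESTAMP 17
#define UE_SECTIONNUMBER 18
#define UE_CHECKSUM 19
#define UE_SUBSYSTEM 20
#define UE_CHARACTERISTICS 21
#define UE_NUMBEROFRVAANDSIZES 22
#define UE_BASEOFCODE 23
#define UE_BASEOFDATA 24
//leaving some enum space here for future additions
#define UE_SECTIONNAME 40
#define UE_SECTIONVIRTUALOFFSET 41
#define UE_SECTIONVIRTUALSIZE 42
#define UE_SECTIONRAWOFFSET 43
#define UE_SECTIONRAWSIZE 44
#define UE_SECTIONFLAGS 45

// Fixed: the macro was defined as "= -2;", which expands to an assignment
// fragment and cannot be compared against a return value. It is now a plain
// parenthesised constant, so a check such as (result == UE_VANOTFOUND) compiles.
#define UE_VANOTFOUND (-2)

// Custom-handler event identifiers.
#define UE_CH_BREAKPOINT 1
#define UE_CH_SINGLESTEP 2
#define UE_CH_ACCESSVIOLATION 3
#define UE_CH_ILLEGALINSTRUCTION 4
#define UE_CH_NONCONTINUABLEEXCEPTION 5
#define UE_CH_ARRAYBOUNDSEXCEPTION 6
#define UE_CH_FLOATDENORMALOPERAND 7
#define UE_CH_FLOATDEVIDEBYZERO 8
#define UE_CH_INTEGERDEVIDEBYZERO 9
#define UE_CH_INTEGEROVERFLOW 10
#define UE_CH_PRIVILEGEDINSTRUCTION 11
#define UE_CH_PAGEGUARD 12
#define UE_CH_EVERYTHINGELSE 13
#define UE_CH_CREATETHREAD 14
#define UE_CH_EXITTHREAD 15
#define UE_CH_CREATEPROCESS 16
#define UE_CH_EXITPROCESS 17
#define UE_CH_LOADDLL 18
#define UE_CH_UNLOADDLL 19
#define UE_CH_OUTPUTDEBUGSTRING 20
#define UE_CH_AFTEREXCEPTIONPROCESSING 21
// The listing breaks here: the name and value of the next macro follow on the
// next line of the page.
#define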
UE_CH_SYSTEMBREAKPOINT 23 144 | #define UE_CH_UNHANDLEDEXCEPTION 24 145 | #define UE_CH_RIPEVENT 25 146 | #define UE_CH_DEBUGEVENT 26 147 | 148 | #define UE_OPTION_HANDLER_RETURN_HANDLECOUNT 1 149 | #define UE_OPTION_HANDLER_RETURN_ACCESS 2 150 | #define UE_OPTION_HANDLER_RETURN_FLAGS 3 151 | #define UE_OPTION_HANDLER_RETURN_TYPENAME 4 152 | 153 | #define UE_BREAKPOINT_INT3 1 154 | #define UE_BREAKPOINT_LONG_INT3 2 155 | #define UE_BREAKPOINT_UD2 3 156 | 157 | #define UE_BPXREMOVED 0 158 | #define UE_BPXACTIVE 1 159 | #define UE_BPXINACTIVE 2 160 | 161 | #define UE_BREAKPOINT 0 162 | #define UE_SINGLESHOOT 1 163 | #define UE_HARDWARE 2 164 | #define UE_MEMORY 3 165 | #define UE_MEMORY_READ 4 166 | #define UE_MEMORY_WRITE 5 167 | #define UE_MEMORY_EXECUTE 6 168 | #define UE_BREAKPOINT_TYPE_INT3 0x10000000 169 | #define UE_BREAKPOINT_TYPE_LONG_INT3 0x20000000 170 | #define UE_BREAKPOINT_TYPE_UD2 0x30000000 171 | 172 | #define UE_HARDWARE_EXECUTE 4 173 | #define UE_HARDWARE_WRITE 5 174 | #define UE_HARDWARE_READWRITE 6 175 | 176 | #define UE_HARDWARE_SIZE_1 7 177 | #define UE_HARDWARE_SIZE_2 8 178 | #define UE_HARDWARE_SIZE_4 9 179 | #define UE_HARDWARE_SIZE_8 10 180 | 181 | #define UE_ON_LIB_LOAD 1 182 | #define UE_ON_LIB_UNLOAD 2 183 | #define UE_ON_LIB_ALL 3 184 | 185 | #define UE_APISTART 0 186 | #define UE_APIEND 1 187 | 188 | #define UE_PLATFORM_x86 1 189 | #define UE_PLATFORM_x64 2 190 | #define UE_PLATFORM_ALL 3 191 | 192 | #define UE_FUNCTION_STDCALL 1 193 | #define UE_FUNCTION_CCALL 2 194 | #define UE_FUNCTION_FASTCALL 3 195 | #define UE_FUNCTION_STDCALL_RET 4 196 | #define UE_FUNCTION_CCALL_RET 5 197 | #define UE_FUNCTION_FASTCALL_RET 6 198 | #define UE_FUNCTION_STDCALL_CALL 7 199 | #define UE_FUNCTION_CCALL_CALL 8 200 | #define UE_FUNCTION_FASTCALL_CALL 9 201 | #define UE_PARAMETER_BYTE 0 202 | #define UE_PARAMETER_WORD 1 203 | #define UE_PARAMETER_DWORD 2 204 | #define UE_PARAMETER_QWORD 3 205 | #define UE_PARAMETER_PTR_BYTE 4 206 | #define 
UE_PARAMETER_PTR_WORD 5 207 | #define UE_PARAMETER_PTR_DWORD 6 208 | #define UE_PARAMETER_PTR_QWORD 7 209 | #define UE_PARAMETER_STRING 8 210 | #define UE_PARAMETER_UNICODE 9 211 | 212 | #define UE_EAX 1 213 | #define UE_EBX 2 214 | #define UE_ECX 3 215 | #define UE_EDX 4 216 | #define UE_EDI 5 217 | #define UE_ESI 6 218 | #define UE_EBP 7 219 | #define UE_ESP 8 220 | #define UE_EIP 9 221 | #define UE_EFLAGS 10 222 | #define UE_DR0 11 223 | #define UE_DR1 12 224 | #define UE_DR2 13 225 | #define UE_DR3 14 226 | #define UE_DR6 15 227 | #define UE_DR7 16 228 | #define UE_RAX 17 229 | #define UE_RBX 18 230 | #define UE_RCX 19 231 | #define UE_RDX 20 232 | #define UE_RDI 21 233 | #define UE_RSI 22 234 | #define UE_RBP 23 235 | #define UE_RSP 24 236 | #define UE_RIP 25 237 | #define UE_RFLAGS 26 238 | #define UE_R8 27 239 | #define UE_R9 28 240 | #define UE_R10 29 241 | #define UE_R11 30 242 | #define UE_R12 31 243 | #define UE_R13 32 244 | #define UE_R14 33 245 | #define UE_R15 34 246 | #define UE_CIP 35 247 | #define UE_CSP 36 248 | #ifdef _WIN64 249 | #define UE_CFLAGS UE_RFLAGS 250 | #else 251 | #define UE_CFLAGS UE_EFLAGS 252 | #endif 253 | #define UE_SEG_GS 37 254 | #define UE_SEG_FS 38 255 | #define UE_SEG_ES 39 256 | #define UE_SEG_DS 40 257 | #define UE_SEG_CS 41 258 | #define UE_SEG_SS 42 259 | #define UE_x87_r0 43 260 | #define UE_x87_r1 44 261 | #define UE_x87_r2 45 262 | #define UE_x87_r3 46 263 | #define UE_x87_r4 47 264 | #define UE_x87_r5 48 265 | #define UE_x87_r6 49 266 | #define UE_x87_r7 50 267 | #define UE_X87_STATUSWORD 51 268 | #define UE_X87_CONTROLWORD 52 269 | #define UE_X87_TAGWORD 53 270 | #define UE_MXCSR 54 271 | #define UE_MMX0 55 272 | #define UE_MMX1 56 273 | #define UE_MMX2 57 274 | #define UE_MMX3 58 275 | #define UE_MMX4 59 276 | #define UE_MMX5 60 277 | #define UE_MMX6 61 278 | #define UE_MMX7 62 279 | #define UE_XMM0 63 280 | #define UE_XMM1 64 281 | #define UE_XMM2 65 282 | #define UE_XMM3 66 283 | #define UE_XMM4 67 284 | #define 
UE_XMM5 68 285 | #define UE_XMM6 69 286 | #define UE_XMM7 70 287 | #define UE_XMM8 71 288 | #define UE_XMM9 72 289 | #define UE_XMM10 73 290 | #define UE_XMM11 74 291 | #define UE_XMM12 75 292 | #define UE_XMM13 76 293 | #define UE_XMM14 77 294 | #define UE_XMM15 78 295 | #define UE_x87_ST0 79 296 | #define UE_x87_ST1 80 297 | #define UE_x87_ST2 81 298 | #define UE_x87_ST3 82 299 | #define UE_x87_ST4 83 300 | #define UE_x87_ST5 84 301 | #define UE_x87_ST6 85 302 | #define UE_x87_ST7 86 303 | #define UE_YMM0 87 304 | #define UE_YMM1 88 305 | #define UE_YMM2 89 306 | #define UE_YMM3 90 307 | #define UE_YMM4 91 308 | #define UE_YMM5 92 309 | #define UE_YMM6 93 310 | #define UE_YMM7 94 311 | #define UE_YMM8 95 312 | #define UE_YMM9 96 313 | #define UE_YMM10 97 314 | #define UE_YMM11 98 315 | #define UE_YMM12 99 316 | #define UE_YMM13 100 317 | #define UE_YMM14 101 318 | #define UE_YMM15 102 319 | 320 | #ifndef CONTEXT_EXTENDED_REGISTERS 321 | #define CONTEXT_EXTENDED_REGISTERS 0 322 | #endif 323 | 324 | typedef struct 325 | { 326 | DWORD PE32Offset; 327 | DWORD ImageBase; 328 | DWORD OriginalEntryPoint; 329 | DWORD BaseOfCode; 330 | DWORD BaseOfData; 331 | DWORD NtSizeOfImage; 332 | DWORD NtSizeOfHeaders; 333 | WORD SizeOfOptionalHeaders; 334 | DWORD FileAlignment; 335 | DWORD SectionAligment; 336 | DWORD ImportTableAddress; 337 | DWORD ImportTableSize; 338 | DWORD ResourceTableAddress; 339 | DWORD ResourceTableSize; 340 | DWORD ExportTableAddress; 341 | DWORD ExportTableSize; 342 | DWORD TLSTableAddress; 343 | DWORD TLSTableSize; 344 | DWORD RelocationTableAddress; 345 | DWORD RelocationTableSize; 346 | DWORD TimeDateStamp; 347 | WORD SectionNumber; 348 | DWORD CheckSum; 349 | WORD SubSystem; 350 | WORD Characteristics; 351 | DWORD NumberOfRvaAndSizes; 352 | } PE32Struct, *PPE32Struct; 353 | 354 | typedef struct 355 | { 356 | DWORD PE64Offset; 357 | DWORD64 ImageBase; 358 | DWORD OriginalEntryPoint; 359 | DWORD BaseOfCode; 360 | DWORD BaseOfData; 361 | DWORD 
NtSizeOfImage; 362 | DWORD NtSizeOfHeaders; 363 | WORD SizeOfOptionalHeaders; 364 | DWORD FileAlignment; 365 | DWORD SectionAligment; 366 | DWORD ImportTableAddress; 367 | DWORD ImportTableSize; 368 | DWORD ResourceTableAddress; 369 | DWORD ResourceTableSize; 370 | DWORD ExportTableAddress; 371 | DWORD ExportTableSize; 372 | DWORD TLSTableAddress; 373 | DWORD TLSTableSize; 374 | DWORD RelocationTableAddress; 375 | DWORD RelocationTableSize; 376 | DWORD TimeDateStamp; 377 | WORD SectionNumber; 378 | DWORD CheckSum; 379 | WORD SubSystem; 380 | WORD Characteristics; 381 | DWORD NumberOfRvaAndSizes; 382 | } PE64Struct, *PPE64Struct; 383 | 384 | #if defined(_WIN64) 385 | typedef PE64Struct PEStruct; 386 | #else 387 | typedef PE32Struct PEStruct; 388 | #endif 389 | 390 | typedef struct 391 | { 392 | bool NewDll; 393 | int NumberOfImports; 394 | ULONG_PTR ImageBase; 395 | ULONG_PTR BaseImportThunk; 396 | ULONG_PTR ImportThunk; 397 | char* APIName; 398 | char* DLLName; 399 | } ImportEnumData, *PImportEnumData; 400 | 401 | typedef struct 402 | { 403 | HANDLE hThread; 404 | DWORD dwThreadId; 405 | void* ThreadStartAddress; 406 | void* ThreadLocalBase; 407 | void* TebAddress; 408 | ULONG WaitTime; 409 | LONG Priority; 410 | LONG BasePriority; 411 | ULONG ContextSwitches; 412 | ULONG ThreadState; 413 | ULONG WaitReason; 414 | } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; 415 | 416 | typedef struct 417 | { 418 | HANDLE hFile; 419 | void* BaseOfDll; 420 | HANDLE hFileMapping; 421 | void* hFileMappingView; 422 | char szLibraryPath[MAX_PATH]; 423 | char szLibraryName[MAX_PATH]; 424 | } LIBRARY_ITEM_DATA, *PLIBRARY_ITEM_DATA; 425 | 426 | typedef struct 427 | { 428 | HANDLE hFile; 429 | void* BaseOfDll; 430 | HANDLE hFileMapping; 431 | void* hFileMappingView; 432 | wchar_t szLibraryPath[MAX_PATH]; 433 | wchar_t szLibraryName[MAX_PATH]; 434 | } LIBRARY_ITEM_DATAW, *PLIBRARY_ITEM_DATAW; 435 | 436 | typedef struct 437 | { 438 | HANDLE hProcess; 439 | DWORD dwProcessId; 440 | HANDLE hThread; 
441 | DWORD dwThreadId; 442 | HANDLE hFile; 443 | void* BaseOfImage; 444 | void* ThreadStartAddress; 445 | void* ThreadLocalBase; 446 | } PROCESS_ITEM_DATA, *PPROCESS_ITEM_DATA; 447 | /* Pairs a process id with a handle value. */ 448 | typedef struct 449 | { 450 | ULONG ProcessId; 451 | HANDLE hHandle; 452 | } HandlerArray, *PHandlerArray; 453 | /* Plugin descriptor: a fixed 64-byte name buffer, two version numbers, the module base and four entry points stored as untyped void*. NOTE(review): presumably PluginName has to stay NUL-terminated within its 64 bytes, and the void* entry points are cast to a function type before being called, so a signature mismatch would not be caught at compile time - confirm in the plugin loader. */ 454 | typedef struct 455 | { 456 | char PluginName[64]; 457 | DWORD PluginMajorVersion; 458 | DWORD PluginMinorVersion; 459 | HMODULE PluginBaseAddress; 460 | void* TitanDebuggingCallBack; 461 | void* TitanRegisterPlugin; 462 | void* TitanReleasePlugin; 463 | void* TitanResetPlugin; 464 | bool PluginDisabled; 465 | } PluginInformation, *PPluginInformation; 466 | /* Capacity limits for HOOK_ENTRY below: HookBytes and OriginalBytes hold TEE_MAXIMUM_HOOK_SIZE bytes, RelocationInfo holds TEE_MAXIMUM_HOOK_RELOCS entries. TEE_MAXIMUM_HOOK_INSERT_SIZE is 14 when _WIN64 is defined and 5 otherwise. */ 467 | #define TEE_MAXIMUM_HOOK_SIZE 14 468 | #define TEE_MAXIMUM_HOOK_RELOCS 7 469 | #if defined(_WIN64) 470 | #define TEE_MAXIMUM_HOOK_INSERT_SIZE 14 471 | #else 472 | #define TEE_MAXIMUM_HOOK_INSERT_SIZE 5 473 | #endif 474 | /* One hook record. HookSize is a DWORD and RelocationCount an int, while the arrays they presumably index are fixed at 14 bytes and 7 entries; the type itself enforces no bound. NOTE(review): code that copies HookSize bytes or walks RelocationCount entries should range-check against the array sizes first, particularly for records that did not originate in this process (see HookIsRemote) - confirm in the hooking implementation. */ 475 | typedef struct HOOK_ENTRY 476 | { 477 | bool IATHook; 478 | BYTE HookType; 479 | DWORD HookSize; 480 | void* HookAddress; 481 | void* RedirectionAddress; 482 | BYTE HookBytes[TEE_MAXIMUM_HOOK_SIZE]; 483 | BYTE OriginalBytes[TEE_MAXIMUM_HOOK_SIZE]; 484 | void* IATHookModuleBase; 485 | DWORD IATHookNameHash; 486 | bool HookIsEnabled; 487 | bool HookIsRemote; 488 | void* PatchedEntry; 489 | DWORD RelocationInfo[TEE_MAXIMUM_HOOK_RELOCS]; 490 | int RelocationCount; 491 | } HOOK_ENTRY, *PHOOK_ENTRY; 492 | /* presumably the CheckDepth values accepted by IsPE32FileValidEx - confirm */ 493 | #define UE_DEPTH_SURFACE 0 494 | #define UE_DEPTH_DEEP 1 495 | /* NOTE(review): UE_UNPACKER_CONDITION_SEARCH_FROM_EP and UE_UNPACKER_CONDITION_LOADLIBRARY are both 1; presumably they are meant for different parameters - confirm before comparing a value against either. */ 496 | #define UE_UNPACKER_CONDITION_SEARCH_FROM_EP 1 497 | 498 | #define UE_UNPACKER_CONDITION_LOADLIBRARY 1 499 | #define UE_UNPACKER_CONDITION_GETPROCADDRESS 2 500 | #define UE_UNPACKER_CONDITION_ENTRYPOINTBREAK 3 501 | #define UE_UNPACKER_CONDITION_RELOCSNAPSHOT1 4 502 | #define UE_UNPACKER_CONDITION_RELOCSNAPSHOT2 5 503 | /* Per-field status codes; presumably the values stored in the BYTE fields of FILE_STATUS_INFO - confirm. */ 504 | #define UE_FIELD_OK 0 505 | #define UE_FIELD_BROKEN_NON_FIXABLE 1 506 | #define UE_FIELD_BROKEN_NON_CRITICAL 2 507 | #define UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE 3 508 | #define 
UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED 4 509 | #define UE_FIELD_FIXABLE_NON_CRITICAL 5 510 | #define UE_FIELD_FIXABLE_CRITICAL 6 511 | #define UE_FIELD_NOT_PRESET 7 512 | #define UE_FIELD_NOT_PRESET_WARNING 8 513 | 514 | #define UE_RESULT_FILE_OK 10 515 | #define UE_RESULT_FILE_INVALID_BUT_FIXABLE 11 516 | #define UE_RESULT_FILE_INVALID_AND_NON_FIXABLE 12 517 | #define UE_RESULT_FILE_INVALID_FORMAT 13 518 | 519 | typedef struct 520 | { 521 | BYTE OveralEvaluation; 522 | bool EvaluationTerminatedByException; 523 | bool FileIs64Bit; 524 | bool FileIsDLL; 525 | bool FileIsConsole; 526 | bool MissingDependencies; 527 | bool MissingDeclaredAPIs; 528 | BYTE SignatureMZ; 529 | BYTE SignaturePE; 530 | BYTE EntryPoint; 531 | BYTE ImageBase; 532 | BYTE SizeOfImage; 533 | BYTE FileAlignment; 534 | BYTE SectionAlignment; 535 | BYTE ExportTable; 536 | BYTE RelocationTable; 537 | BYTE ImportTable; 538 | BYTE ImportTableSection; 539 | BYTE ImportTableData; 540 | BYTE IATTable; 541 | BYTE TLSTable; 542 | BYTE LoadConfigTable; 543 | BYTE BoundImportTable; 544 | BYTE COMHeaderTable; 545 | BYTE ResourceTable; 546 | BYTE ResourceData; 547 | BYTE SectionTable; 548 | } FILE_STATUS_INFO, *PFILE_STATUS_INFO; 549 | 550 | typedef struct 551 | { 552 | BYTE OveralEvaluation; 553 | bool FixingTerminatedByException; 554 | bool FileFixPerformed; 555 | bool StrippedRelocation; 556 | bool DontFixRelocations; 557 | DWORD OriginalRelocationTableAddress; 558 | DWORD OriginalRelocationTableSize; 559 | bool StrippedExports; 560 | bool DontFixExports; 561 | DWORD OriginalExportTableAddress; 562 | DWORD OriginalExportTableSize; 563 | bool StrippedResources; 564 | bool DontFixResources; 565 | DWORD OriginalResourceTableAddress; 566 | DWORD OriginalResourceTableSize; 567 | bool StrippedTLS; 568 | bool DontFixTLS; 569 | DWORD OriginalTLSTableAddress; 570 | DWORD OriginalTLSTableSize; 571 | bool StrippedLoadConfig; 572 | bool DontFixLoadConfig; 573 | DWORD OriginalLoadConfigTableAddress; 574 | DWORD 
OriginalLoadConfigTableSize; 575 | bool StrippedBoundImports; 576 | bool DontFixBoundImports; 577 | DWORD OriginalBoundImportTableAddress; 578 | DWORD OriginalBoundImportTableSize; 579 | bool StrippedIAT; 580 | bool DontFixIAT; 581 | DWORD OriginalImportAddressTableAddress; 582 | DWORD OriginalImportAddressTableSize; 583 | bool StrippedCOM; 584 | bool DontFixCOM; 585 | DWORD OriginalCOMTableAddress; 586 | DWORD OriginalCOMTableSize; 587 | } FILE_FIX_INFO, *PFILE_FIX_INFO; 588 | 589 | typedef struct DECLSPEC_ALIGN(16) _XmmRegister_t 590 | { 591 | ULONGLONG Low; 592 | LONGLONG High; 593 | } XmmRegister_t; 594 | 595 | typedef struct 596 | { 597 | XmmRegister_t Low; //XMM/SSE part 598 | XmmRegister_t High; //AVX part 599 | } YmmRegister_t; 600 | 601 | typedef struct 602 | { 603 | BYTE data[10]; 604 | int st_value; 605 | int tag; 606 | } x87FPURegister_t; 607 | 608 | typedef struct 609 | { 610 | WORD ControlWord; 611 | WORD StatusWord; 612 | WORD TagWord; 613 | DWORD ErrorOffset; 614 | DWORD ErrorSelector; 615 | DWORD DataOffset; 616 | DWORD DataSelector; 617 | DWORD Cr0NpxState; 618 | } x87FPU_t; 619 | 620 | typedef struct 621 | { 622 | ULONG_PTR cax; 623 | ULONG_PTR ccx; 624 | ULONG_PTR cdx; 625 | ULONG_PTR cbx; 626 | ULONG_PTR csp; 627 | ULONG_PTR cbp; 628 | ULONG_PTR csi; 629 | ULONG_PTR cdi; 630 | #ifdef _WIN64 631 | ULONG_PTR r8; 632 | ULONG_PTR r9; 633 | ULONG_PTR r10; 634 | ULONG_PTR r11; 635 | ULONG_PTR r12; 636 | ULONG_PTR r13; 637 | ULONG_PTR r14; 638 | ULONG_PTR r15; 639 | #endif //_WIN64 640 | ULONG_PTR cip; 641 | ULONG_PTR eflags; 642 | unsigned short gs; 643 | unsigned short fs; 644 | unsigned short es; 645 | unsigned short ds; 646 | unsigned short cs; 647 | unsigned short ss; 648 | ULONG_PTR dr0; 649 | ULONG_PTR dr1; 650 | ULONG_PTR dr2; 651 | ULONG_PTR dr3; 652 | ULONG_PTR dr6; 653 | ULONG_PTR dr7; 654 | BYTE RegisterArea[80]; 655 | x87FPU_t x87fpu; 656 | DWORD MxCsr; 657 | #ifdef _WIN64 658 | XmmRegister_t XmmRegisters[16]; 659 | YmmRegister_t 
YmmRegisters[16]; 660 | #else // x86 661 | XmmRegister_t XmmRegisters[8]; 662 | YmmRegister_t YmmRegisters[8]; 663 | #endif 664 | } TITAN_ENGINE_CONTEXT_t; 665 | 666 | #ifdef __cplusplus 667 | extern "C" 668 | { 669 | #endif 670 | 671 | // Global.Function.Declaration: 672 | // TitanEngine.Dumper.functions: 673 | __declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, const char* szDumpFileName, ULONG_PTR EntryPoint); 674 | __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, const wchar_t* szDumpFileName, ULONG_PTR EntryPoint); 675 | __declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, const char* szDumpFileName, ULONG_PTR EntryPoint); 676 | __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, const wchar_t* szDumpFileName, ULONG_PTR EntryPoint); 677 | __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, const char* szDumpFileName); 678 | __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, const wchar_t* szDumpFileName); 679 | __declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, const char* szDumpFileName); 680 | __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, const wchar_t* szDumpFileName); 681 | __declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, const char* szDumpFolder, bool DumpAboveImageBaseOnly); 682 | __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, const wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly); 683 | __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, const char* szDumpFolder, bool DumpAboveImageBaseOnly); 684 | __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, const wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly); 685 | __declspec(dllexport) bool 
TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, const char* szDumpFileName); 686 | __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBase, const wchar_t* szDumpFileName); 687 | __declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, const char* szDumpFileName); 688 | __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, const wchar_t* szDumpFileName); 689 | __declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, const char* szDebuggedFileName); 690 | __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, const wchar_t* szDebuggedFileName); 691 | __declspec(dllexport) bool TITCALL ExtractSection(const char* szFileName, const char* szDumpFileName, DWORD SectionNumber); 692 | __declspec(dllexport) bool TITCALL ExtractSectionW(const wchar_t* szFileName, const wchar_t* szDumpFileName, DWORD SectionNumber); 693 | __declspec(dllexport) bool TITCALL ResortFileSections(const char* szFileName); 694 | __declspec(dllexport) bool TITCALL ResortFileSectionsW(const wchar_t* szFileName); 695 | __declspec(dllexport) bool TITCALL FindOverlay(const char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize); 696 | __declspec(dllexport) bool TITCALL FindOverlayW(const wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize); 697 | __declspec(dllexport) bool TITCALL ExtractOverlay(const char* szFileName, const char* szExtactedFileName); 698 | __declspec(dllexport) bool TITCALL ExtractOverlayW(const wchar_t* szFileName, const wchar_t* szExtactedFileName); 699 | __declspec(dllexport) bool TITCALL AddOverlay(const char* szFileName, const char* szOverlayFileName); 700 | __declspec(dllexport) bool TITCALL AddOverlayW(const wchar_t* szFileName, const wchar_t* szOverlayFileName); 701 | __declspec(dllexport) bool TITCALL CopyOverlay(const char* szInFileName, const char* szOutFileName); 702 | __declspec(dllexport) bool TITCALL 
CopyOverlayW(const wchar_t* szInFileName, const wchar_t* szOutFileName); 703 | __declspec(dllexport) bool TITCALL RemoveOverlay(const char* szFileName); 704 | __declspec(dllexport) bool TITCALL RemoveOverlayW(const wchar_t* szFileName); 705 | __declspec(dllexport) bool TITCALL MakeAllSectionsRWE(const char* szFileName); 706 | __declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(const wchar_t* szFileName); 707 | __declspec(dllexport) long TITCALL AddNewSectionEx(const char* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize); 708 | __declspec(dllexport) long TITCALL AddNewSectionExW(const wchar_t* szFileName, const char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize); 709 | __declspec(dllexport) long TITCALL AddNewSection(const char* szFileName, const char* szSectionName, DWORD SectionSize); 710 | __declspec(dllexport) long TITCALL AddNewSectionW(const wchar_t* szFileName, const char* szSectionName, DWORD SectionSize); 711 | __declspec(dllexport) bool TITCALL ResizeLastSection(const char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData); 712 | __declspec(dllexport) bool TITCALL ResizeLastSectionW(const wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData); 713 | __declspec(dllexport) void TITCALL SetSharedOverlay(const char* szFileName); 714 | __declspec(dllexport) void TITCALL SetSharedOverlayW(const wchar_t* szFileName); 715 | __declspec(dllexport) char* TITCALL GetSharedOverlay(); 716 | __declspec(dllexport) wchar_t* TITCALL GetSharedOverlayW(); 717 | __declspec(dllexport) bool TITCALL DeleteLastSection(const char* szFileName); 718 | __declspec(dllexport) bool TITCALL DeleteLastSectionW(const wchar_t* szFileName); 719 | __declspec(dllexport) bool TITCALL DeleteLastSectionEx(const char* szFileName, DWORD NumberOfSections); 720 | __declspec(dllexport) bool TITCALL DeleteLastSectionExW(const wchar_t* szFileName, 
DWORD NumberOfSections); 721 | __declspec(dllexport) ULONG_PTR TITCALL GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData); 722 | __declspec(dllexport) ULONG_PTR TITCALL GetPE32Data(const char* szFileName, DWORD WhichSection, DWORD WhichData); 723 | __declspec(dllexport) ULONG_PTR TITCALL GetPE32DataW(const wchar_t* szFileName, DWORD WhichSection, DWORD WhichData); 724 | __declspec(dllexport) bool TITCALL GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage); 725 | __declspec(dllexport) bool TITCALL GetPE32DataEx(const char* szFileName, LPVOID DataStorage); 726 | __declspec(dllexport) bool TITCALL GetPE32DataExW(const wchar_t* szFileName, LPVOID DataStorage); 727 | __declspec(dllexport) bool TITCALL SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue); 728 | __declspec(dllexport) bool TITCALL SetPE32Data(const char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue); 729 | __declspec(dllexport) bool TITCALL SetPE32DataW(const wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue); 730 | __declspec(dllexport) bool TITCALL SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage); 731 | __declspec(dllexport) bool TITCALL SetPE32DataEx(const char* szFileName, LPVOID DataStorage); 732 | __declspec(dllexport) bool TITCALL SetPE32DataExW(const wchar_t* szFileName, LPVOID DataStorage); 733 | __declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert); 734 | __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType); 735 | __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType); 736 | __declspec(dllexport) ULONG_PTR TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, 
ULONG_PTR AddressToConvert, bool ReturnType); 737 | /* The Ex form takes the mapping size (FileSize) and ImageBase explicitly instead of receiving only FileMapVA. NOTE(review): when the offset comes from the header of a file under analysis, presumably only this form can bound it against the mapping - confirm in the implementation. */ __declspec(dllexport) ULONG_PTR TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType); 738 | /* Transfers nSize bytes between lpBuffer and lpBaseAddress in hProcess; the last parameter is an out-pointer for the byte count. NOTE(review): the bool result alone does not show whether a partial transfer is reported as success - callers should compare the returned count with nSize; confirm in the implementation. */ __declspec(dllexport) bool TITCALL MemoryReadSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead); 739 | __declspec(dllexport) bool TITCALL MemoryWriteSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten); 740 | // TitanEngine.Realigner.functions: 741 | /* NOTE(review): the functions in this group take a file name rather than a buffer and presumably rewrite that file in place - work on a copy when the input is a sample that must stay unmodified; confirm in the implementation. */ __declspec(dllexport) bool TITCALL FixHeaderCheckSum(const char* szFileName); 742 | __declspec(dllexport) bool TITCALL FixHeaderCheckSumW(const wchar_t* szFileName); 743 | __declspec(dllexport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode); 744 | __declspec(dllexport) long TITCALL RealignPEEx(const char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment); 745 | __declspec(dllexport) long TITCALL RealignPEExW(const wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment); 746 | /* WipeSectionNumber is a signed int; NOTE(review): confirm the implementation rejects negative and out-of-range section numbers. */ __declspec(dllexport) bool TITCALL WipeSection(const char* szFileName, int WipeSectionNumber, bool RemovePhysically); 747 | __declspec(dllexport) bool TITCALL WipeSectionW(const wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically); 748 | /* FileStatusInfo is an untyped LPVOID. NOTE(review): presumably it must point to writable storage of at least sizeof(FILE_STATUS_INFO), and CheckDepth takes UE_DEPTH_SURFACE or UE_DEPTH_DEEP - nothing in the prototype enforces either; confirm. */ __declspec(dllexport) bool TITCALL IsPE32FileValidEx(const char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo); 749 | __declspec(dllexport) bool TITCALL IsPE32FileValidExW(const wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo); 750 | /* Both info pointers are untyped LPVOID; presumably FILE_STATUS_INFO and FILE_FIX_INFO respectively - confirm, and size the buffers accordingly. */ __declspec(dllexport) bool TITCALL FixBrokenPE32FileEx(const char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo); 751 | __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(const wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo); 752 | __declspec(dllexport) bool TITCALL IsFileDLL(const char* szFileName, ULONG_PTR FileMapVA); 753 | 
__declspec(dllexport) bool TITCALL IsFileDLLW(const wchar_t* szFileName, ULONG_PTR FileMapVA); 754 | // TitanEngine.Hider.functions: 755 | __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess); 756 | __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess); 757 | __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread); 758 | __declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread); 759 | __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); 760 | __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); 761 | // TitanEngine.Relocater.functions: 762 | __declspec(dllexport) void TITCALL RelocaterCleanup(); 763 | __declspec(dllexport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase); 764 | __declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState); 765 | __declspec(dllexport) long TITCALL RelocaterEstimatedSize(); 766 | __declspec(dllexport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA); 767 | __declspec(dllexport) bool TITCALL RelocaterExportRelocationEx(const char* szFileName, const char* szSectionName); 768 | __declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(const wchar_t* szFileName, const char* szSectionName); 769 | __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize); 770 | __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage); 771 | __declspec(dllexport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, const char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize); 772 | __declspec(dllexport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, const wchar_t* szSaveFileName, LPVOID MemoryStart, 
ULONG_PTR MemorySize); 773 | __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, const char* szDumpFile1, const char* szDumpFile2, ULONG_PTR MemStart); 774 | __declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, const wchar_t* szDumpFile1, const wchar_t* szDumpFile2, ULONG_PTR MemStart); 775 | __declspec(dllexport) bool TITCALL RelocaterChangeFileBase(const char* szFileName, ULONG_PTR NewImageBase); 776 | __declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(const wchar_t* szFileName, ULONG_PTR NewImageBase); 777 | __declspec(dllexport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase); 778 | __declspec(dllexport) bool TITCALL RelocaterWipeRelocationTable(const char* szFileName); 779 | __declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(const wchar_t* szFileName); 780 | // TitanEngine.Resourcer.functions: 781 | __declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUse(const char* szFileName); 782 | __declspec(dllexport) ULONG_PTR TITCALL ResourcerLoadFileForResourceUseW(const wchar_t* szFileName); 783 | __declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase); 784 | __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName); 785 | __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(const char* szFileName, const char* szResourceType, const char* szResourceName, const char* szExtractedFileName); 786 | __declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(const wchar_t* szFileName, char* szResourceType, const char* szResourceName, const char* szExtractedFileName); 
787 | __declspec(dllexport) bool TITCALL ResourcerFindResource(const char* szFileName, const char* szResourceType, DWORD ResourceType, const char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize); 788 | __declspec(dllexport) bool TITCALL ResourcerFindResourceW(const wchar_t* szFileName, const wchar_t* szResourceType, DWORD ResourceType, const wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize); 789 | __declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, const wchar_t* szResourceType, DWORD ResourceType, const wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize); 790 | __declspec(dllexport) void TITCALL ResourcerEnumerateResource(const char* szFileName, void* CallBack); 791 | __declspec(dllexport) void TITCALL ResourcerEnumerateResourceW(const wchar_t* szFileName, void* CallBack); 792 | __declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack); 793 | // TitanEngine.Threader.functions: 794 | __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId); 795 | __declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId); 796 | __declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack); 797 | __declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread); 798 | __declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread); 799 | __declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode); 800 | __declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning); 801 | __declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused); 802 | __declspec(dllexport) bool TITCALL ThreaderPauseProcess(); 803 | __declspec(dllexport) bool 
TITCALL ThreaderResumeProcess(); 804 | __declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId); 805 | __declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize); 806 | __declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId); 807 | __declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize); 808 | __declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack); 809 | __declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread); 810 | __declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread); 811 | __declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive(); 812 | __declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads(); 813 | __declspec(dllexport) ULONG_PTR TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId); 814 | __declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread(); 815 | // TitanEngine.Debugger.functions: 816 | __declspec(dllexport) void* TITCALL StaticDisassembleEx(ULONG_PTR DisassmStart, LPVOID DisassmAddress); 817 | __declspec(dllexport) void* TITCALL StaticDisassemble(LPVOID DisassmAddress); 818 | __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID DisassmAddress, bool ReturnInstructionType); 819 | __declspec(dllexport) void* TITCALL Disassemble(LPVOID DisassmAddress); 820 | __declspec(dllexport) long TITCALL StaticLengthDisassemble(LPVOID DisassmAddress); 821 | __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID DisassmAddress); 822 | __declspec(dllexport) long TITCALL LengthDisassemble(LPVOID DisassmAddress); 823 | 
__declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder); 824 | __declspec(dllexport) void* TITCALL InitDebugW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder); 825 | __declspec(dllexport) void* TITCALL InitDebugEx(const char* szFileName, const char* szCommandLine, const char* szCurrentFolder, LPVOID EntryCallBack); 826 | __declspec(dllexport) void* TITCALL InitDebugExW(const wchar_t* szFileName, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, LPVOID EntryCallBack); 827 | __declspec(dllexport) void* TITCALL InitDLLDebug(const char* szFileName, bool ReserveModuleBase, const char* szCommandLine, const char* szCurrentFolder, LPVOID EntryCallBack); 828 | __declspec(dllexport) void* TITCALL InitDLLDebugW(const wchar_t* szFileName, bool ReserveModuleBase, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, LPVOID EntryCallBack); 829 | __declspec(dllexport) bool TITCALL StopDebug(); 830 | __declspec(dllexport) void TITCALL SetBPXOptions(long DefaultBreakPointType); 831 | __declspec(dllexport) bool TITCALL IsBPXEnabled(ULONG_PTR bpxAddress); 832 | __declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress); 833 | __declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress); 834 | __declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, LPVOID bpxCallBack); 835 | __declspec(dllexport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress); 836 | __declspec(dllexport) bool TITCALL SafeDeleteBPX(ULONG_PTR bpxAddress); 837 | __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxType, DWORD bpxPlace, LPVOID bpxCallBack); 838 | __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace); 839 | __declspec(dllexport) bool TITCALL SafeDeleteAPIBreakPoint(const char* szDLLName, const char* szAPIName, DWORD bpxPlace); 840 | 
__declspec(dllexport) bool TITCALL SetMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, LPVOID bpxCallBack); 841 | __declspec(dllexport) bool TITCALL SetMemoryBPXEx(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory, DWORD BreakPointType, bool RestoreOnHit, LPVOID bpxCallBack); 842 | __declspec(dllexport) bool TITCALL RemoveMemoryBPX(ULONG_PTR MemoryStart, SIZE_T SizeOfMemory); 843 | __declspec(dllexport) bool TITCALL GetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea); 844 | __declspec(dllexport) void TITCALL Getx87FPURegisters(x87FPURegister_t x87FPURegisters[8], TITAN_ENGINE_CONTEXT_t* titcontext); 845 | __declspec(dllexport) void TITCALL GetMMXRegisters(uint64_t mmx[8], TITAN_ENGINE_CONTEXT_t* titcontext); 846 | __declspec(dllexport) bool TITCALL GetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); 847 | __declspec(dllexport) bool TITCALL SetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); 848 | __declspec(dllexport) ULONG_PTR TITCALL GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister); 849 | __declspec(dllexport) ULONG_PTR TITCALL GetContextData(DWORD IndexOfRegister); 850 | __declspec(dllexport) bool TITCALL SetContextFPUDataEx(HANDLE hActiveThread, void* FPUSaveArea); 851 | __declspec(dllexport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister, ULONG_PTR NewRegisterValue); 852 | __declspec(dllexport) bool TITCALL SetContextData(DWORD IndexOfRegister, ULONG_PTR NewRegisterValue); 853 | __declspec(dllexport) bool TITCALL GetAVXContext(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); 854 | __declspec(dllexport) bool TITCALL SetAVXContext(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); 855 | __declspec(dllexport) void TITCALL ClearExceptionNumber(); 856 | __declspec(dllexport) long TITCALL CurrentExceptionNumber(); 857 | __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryToCheck, int SizeOfMemoryToCheck, void* 
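PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard); 858 | /* Size parameters are signed int here, unlike the DWORD sizes of Find/FindEx. NOTE(review): a negative size is representable - confirm the implementation rejects it before using it as a length. */ __declspec(dllexport) bool TITCALL MatchPattern(void* MemoryToCheck, int SizeOfMemoryToCheck, void* PatternToMatch, int SizeOfPatternToMatch, PBYTE WildCard); 859 | /* The Ex forms in this group take an explicit hProcess; the short forms omit it and presumably act on the process currently being debugged - confirm. */ __declspec(dllexport) ULONG_PTR TITCALL FindEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard); 860 | /* No per-declaration linkage specifier here: the prototypes already follow the header's "#ifdef __cplusplus / extern C {" opener, and an unguarded one does not parse when the header is included from C. */ __declspec(dllexport) ULONG_PTR TITCALL Find(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, LPBYTE WildCard); 861 | /* FillByte is passed by pointer (PBYTE), not by value. */ __declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte); 862 | __declspec(dllexport) bool TITCALL Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte); 863 | /* NOTE(review): MemorySize and ReplaceSize are independent DWORDs; presumably ReplaceSize must not exceed MemorySize - confirm the implementation checks this before writing. */ __declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP); 864 | __declspec(dllexport) bool TITCALL Patch(LPVOID MemoryStart, DWORD MemorySize, LPVOID ReplacePattern, DWORD ReplaceSize, bool AppendNOP, bool PrependNOP); 865 | /* NOTE(review): PatternSize and ReplaceSize are separate lengths; how a replacement longer than the matched pattern is handled is not visible here - confirm. */ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard); 866 | __declspec(dllexport) bool TITCALL Replace(LPVOID MemoryStart, DWORD MemorySize, LPVOID SearchPattern, DWORD PatternSize, DWORD NumberOfRepetitions, LPVOID ReplacePattern, DWORD ReplaceSize, PBYTE WildCard); 867 | /* Both return untyped void*; the pointed-to type and its lifetime are not visible in this header. */ __declspec(dllexport) void* TITCALL GetDebugData(); 868 | __declspec(dllexport) void* TITCALL GetTerminationData(); 869 | __declspec(dllexport) long TITCALL GetExitCode(); 870 | __declspec(dllexport) ULONG_PTR TITCALL GetDebuggedDLLBaseAddress(); 871 | __declspec(dllexport) ULONG_PTR TITCALL GetDebuggedFileBaseAddress(); 872 | /* The capacity argument of this prototype (MaximumStringSize) is a signed int. NOTE(review): pass the real capacity of StringStorage; whether the copied string is always NUL-terminated is not visible here - confirm. */ __declspec(dllexport) bool TITCALL GetRemoteString(HANDLE hProcess, LPVOID StringAddress, LPVOID 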
StringStorage, int MaximumStringSize); 873 | __declspec(dllexport) ULONG_PTR TITCALL GetFunctionParameter(HANDLE hProcess, DWORD FunctionType, DWORD ParameterNumber, DWORD ParameterType); 874 | __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestinationEx(HANDLE hProcess, ULONG_PTR InstructionAddress, bool JustJumps); 875 | __declspec(dllexport) ULONG_PTR TITCALL GetJumpDestination(HANDLE hProcess, ULONG_PTR InstructionAddress); 876 | __declspec(dllexport) bool TITCALL IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags); 877 | __declspec(dllexport) bool TITCALL IsJumpGoingToExecute(); 878 | __declspec(dllexport) void TITCALL SetCustomHandler(DWORD ExceptionId, LPVOID CallBack); 879 | __declspec(dllexport) void TITCALL ForceClose(); 880 | __declspec(dllexport) void TITCALL StepInto(LPVOID traceCallBack); 881 | __declspec(dllexport) void TITCALL StepOver(LPVOID traceCallBack); 882 | __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal); 883 | __declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack); 884 | __declspec(dllexport) bool TITCALL GetUnusedHardwareBreakPointRegister(LPDWORD RegisterIndex); 885 | __declspec(dllexport) bool TITCALL SetHardwareBreakPointEx(HANDLE hActiveThread, ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack, LPDWORD IndexOfSelectedRegister); 886 | __declspec(dllexport) bool TITCALL SetHardwareBreakPoint(ULONG_PTR bpxAddress, DWORD IndexOfRegister, DWORD bpxType, DWORD bpxSize, LPVOID bpxCallBack); 887 | __declspec(dllexport) bool TITCALL DeleteHardwareBreakPoint(DWORD IndexOfRegister); 888 | __declspec(dllexport) bool TITCALL RemoveAllBreakPoints(DWORD RemoveOption); 889 | __declspec(dllexport) PROCESS_INFORMATION* TITCALL TitanGetProcessInformation(); 890 | __declspec(dllexport) STARTUPINFOW* TITCALL TitanGetStartupInformation(); 891 | __declspec(dllexport) void TITCALL DebugLoop(); 892 | 
// Debug-loop control, attach/detach, OEP finder and import-table (Importer)
// exports. Only the signatures are visible in this header; notes about
// behaviour are hedged and should be confirmed against the TitanEngine docs.
// TimeOut is a DWORD; its unit is not visible here -- TODO confirm.
__declspec(dllexport) void TITCALL SetDebugLoopTimeOut(DWORD TimeOut);
__declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode);
// DebugInfo and CallBack are untyped LPVOID: the expected pointee type and
// callback prototype are not checked by the compiler.
__declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack);
__declspec(dllexport) bool TITCALL DetachDebugger(DWORD ProcessId);
__declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId);
__declspec(dllexport) void TITCALL DebugLoopEx(DWORD TimeOut);
// Narrow (char) and wide (wchar_t, W suffix) variants of the same call.
__declspec(dllexport) void TITCALL AutoDebugEx(const char* szFileName, bool ReserveModuleBase, const char* szCommandLine, const char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllexport) void TITCALL AutoDebugExW(const wchar_t* szFileName, bool ReserveModuleBase, const wchar_t* szCommandLine, const wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack);
__declspec(dllexport) bool TITCALL IsFileBeingDebugged();
__declspec(dllexport) void TITCALL SetErrorModel(bool DisplayErrorMessages);
// TitanEngine.FindOEP.functions:
__declspec(dllexport) void TITCALL FindOEPInit();
__declspec(dllexport) bool TITCALL FindOEPGenerically(const char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
__declspec(dllexport) bool TITCALL FindOEPGenericallyW(const wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
// TitanEngine.Importer.functions:
// The AddNew*/GetAdded* calls take no handle or context argument, so any
// state they build is presumably held inside the engine -- TODO confirm
// (relevant if the API is used from more than one thread).
__declspec(dllexport) void TITCALL ImporterAddNewDll(const char* szDLLName, ULONG_PTR FirstThunk);
__declspec(dllexport) void TITCALL ImporterAddNewAPI(const char* szAPIName, ULONG_PTR ThunkValue);
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue);
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount();
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount();
// StorePlace carries no size argument; presumably the caller reserves at
// least ImporterEstimatedSize() bytes there -- TODO confirm.
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap);
__declspec(dllexport) long TITCALL ImporterEstimatedSize();
__declspec(dllexport) bool TITCALL ImporterExportIATEx(const char* szDumpFileName, const char* szExportFileName, const char* szSectionName);
// NOTE(review): the default argument is C++-only syntax, and the narrow
// variant above declares no default for szSectionName.
__declspec(dllexport) bool TITCALL ImporterExportIATExW(const wchar_t* szDumpFileName, const wchar_t* szExportFileName, const wchar_t* szSectionName = L".RL!TEv2");
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIWriteLocation(const char* szAPIName);
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber);
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) ULONG_PTR TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
// The name getters below return void*: the character type (presumably char
// or wchar_t according to the W suffix) and who owns the returned buffer are
// not visible here -- TODO confirm before freeing or caching the pointer.
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
// DLLBasesList is passed as an integer (ULONG_PTR); its layout and length
// are not visible here.
__declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddressEx(const char* szDLLName, const char* szAPIName);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
// Names resolved through hProcess originate in the debuggee; treat them as
// untrusted input when the target is a sample under analysis.
__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
// Importer exports (names all start with Importer) followed by the first
// Hooks declaration. Only the signatures are visible in this header; notes
// about behaviour are hedged and should be confirmed against the SDK docs.
// Functions returning void* do not expose the pointee type or who owns the
// returned buffer -- TODO confirm before freeing or caching such pointers.
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
// DLLBasesList is passed as an integer (ULONG_PTR); its layout and length
// are not visible here.
__declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) long TITCALL ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, const char* szModuleName);
// NOTE(review): the wide variant returns void* while the narrow one above
// returns ULONG_PTR; callers switching between them need a cast.
__declspec(dllexport) void* TITCALL ImporterGetRemoteDLLBaseExW(HANDLE hProcess, const wchar_t* szModuleName);
__declspec(dllexport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) long TITCALL ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) ULONG_PTR TITCALL ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress);
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIAT(const char* szOriginalFile, const char* szDumpFile);
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(const wchar_t* szOriginalFile, const wchar_t* szDumpFile);
__declspec(dllexport) bool TITCALL ImporterLoadImportTable(const char* szFileName);
__declspec(dllexport) bool TITCALL ImporterLoadImportTableW(const wchar_t* szFileName);
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIAT(const char* szOriginalFile, const char* szDumpFile, const char* szSectionName);
// NOTE(review): the wide variant keeps szSectionName as a narrow const char*
// while its file names are wchar_t.
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIATW(const wchar_t* szOriginalFile, const wchar_t* szDumpFile, const char* szSectionName);
// pIATStart and pIATSize are untyped LPVOID (presumably out-parameters); the
// width of the value written through them is not visible here -- TODO
// confirm so the receiving variables are large enough.
__declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, const char* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
// The first parameter is spelled ProcessIds here and ProcessId in the
// sibling declarations; the type is the same DWORD.
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessIds, const wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);
// EnumCallBack and UnknownPointerFixCallback are untyped LPVOID; the
// expected callback prototypes are not checked by the compiler.
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack);
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, const char* szDumpedFile, const char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, const wchar_t* szDumpedFile, const wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
// The long return values of the AutoFix calls are status codes whose
// meaning is defined elsewhere (not visible here).
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, const char* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, const wchar_t* szDumpedFile, ULONG_PTR SearchStart);
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
// Global.Engine.Hook.functions:
// HookAddressArray is an untyped LPVOID paired with a signed int count; the
// element type is not visible here -- presumably an array of addresses.
__declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
// Hook redirection exports (names all start with Hooks). Only the signatures
// are visible in this header; notes about behaviour are hedged.
// None of these take a process handle, so they presumably act on the calling
// process -- TODO confirm against the TitanEngine documentation.
__declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
__declspec(dllexport) bool TITCALL HooksIsAddressRedirected(LPVOID HookAddress);
// Both getters return void*; the layout of the returned data and who owns
// it are not visible here.
__declspec(dllexport) void* TITCALL HooksGetTrampolineAddress(LPVOID HookAddress);
__declspec(dllexport) void* TITCALL HooksGetHookEntryDetails(LPVOID HookAddress);
// HookType is a plain int; the accepted constants are defined elsewhere.
// RedirectTo is an untyped LPVOID, so nothing checks that the replacement
// matches the hooked function's prototype and calling convention.
__declspec(dllexport) bool TITCALL HooksInsertNewRedirection(LPVOID HookAddress, LPVOID RedirectTo, int HookType);
__declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR FileMapVA, ULONG_PTR LoadedModuleBase, const char* szHookFunction, LPVOID RedirectTo);
__declspec(dllexport) bool TITCALL HooksInsertNewIATRedirection(const char* szModuleName, const char* szHookFunction, LPVOID RedirectTo);
// Remove / Disable / Enable each come in three forms: by address, by module
// and by IAT entry name.
__declspec(dllexport) bool TITCALL HooksRemoveRedirection(LPVOID HookAddress, bool RemoveAll);
__declspec(dllexport) bool TITCALL HooksRemoveRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool TITCALL HooksRemoveIATRedirection(const char* szModuleName, const char* szHookFunction, bool RemoveAll);
__declspec(dllexport) bool TITCALL HooksDisableRedirection(LPVOID HookAddress, bool DisableAll);
__declspec(dllexport) bool TITCALL HooksDisableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool TITCALL HooksDisableIATRedirection(const char* szModuleName, const char* szHookFunction, bool DisableAll);
__declspec(dllexport) bool TITCALL HooksEnableRedirection(LPVOID HookAddress, bool EnableAll);
__declspec(dllexport) bool TITCALL HooksEnableRedirectionsForModule(HMODULE ModuleBase);
__declspec(dllexport) bool TITCALL HooksEnableIATRedirection(const char* szModuleName, const char* szHookFunction, bool EnableAll);
// Scan functions report through an untyped LPVOID callback; the expected
// prototype is not visible here.
__declspec(dllexport) void TITCALL HooksScanModuleMemory(HMODULE ModuleBase, LPVOID CallBack);
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack);
// Remaining hook scan export, then the Tracer, Exporter, Librarian, Process
// and first TLSFixer exports. Only the signatures are visible in this header;
// notes about behaviour are hedged and should be confirmed against the docs.
__declspec(dllexport) void TITCALL HooksScanEntireProcessMemoryEx();
// TitanEngine.Tracer.functions:
__declspec(dllexport) void TITCALL TracerInit();
__declspec(dllexport) ULONG_PTR TITCALL TracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllexport) ULONG_PTR TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD InputNumberOfInstructions);
__declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace);
__declspec(dllexport) ULONG_PTR TITCALL TracerFixKnownRedirection(HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD RedirectionId);
__declspec(dllexport) ULONG_PTR TITCALL TracerFixRedirectionViaModule(HMODULE hModuleHandle, HANDLE hProcess, ULONG_PTR AddressToTrace, DWORD IdParameter);
// szPluginName selects a plugin by name; how the name is resolved to a file
// is not visible here. If it ends up loading a DLL, that code runs inside
// the calling process, so keep the plugin location writable only by trusted
// users -- TODO confirm.
__declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hProcess, const char* szPluginName, ULONG_PTR AddressToTrace);
// TitanEngine.Exporter.functions:
// These calls take no handle or context argument, so the state they build is
// presumably held inside the engine -- TODO confirm.
__declspec(dllexport) void TITCALL ExporterCleanup();
__declspec(dllexport) void TITCALL ExporterSetImageBase(ULONG_PTR ImageBase);
__declspec(dllexport) void TITCALL ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, const char* szExportModuleName);
__declspec(dllexport) bool TITCALL ExporterAddNewExport(const char* szExportName, DWORD ExportRelativeAddress);
__declspec(dllexport) bool TITCALL ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress);
__declspec(dllexport) long TITCALL ExporterGetAddedExportCount();
__declspec(dllexport) long TITCALL ExporterEstimatedSize();
// StorePlace carries no size argument; presumably the caller reserves at
// least ExporterEstimatedSize() bytes there -- TODO confirm.
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(const char* szExportFileName, const char* szSectionName);
// NOTE(review): the wide variant keeps szSectionName as a narrow const char*.
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(const wchar_t* szExportFileName, const char* szSectionName);
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(const char* szFileName);
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(const wchar_t* szFileName);
// TitanEngine.Librarian.functions:
// bpxCallBack and EnumCallBack are untyped pointers; the expected callback
// prototypes are not checked by the compiler.
__declspec(dllexport) bool TITCALL LibrarianSetBreakPoint(const char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL LibrarianRemoveBreakPoint(const char* szLibraryName, DWORD bpxType);
// The GetLibraryInfo* functions return void*; the record layout (presumably
// a narrow or wide structure according to the W suffix) and its lifetime are
// not visible here.
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(const char* szLibraryName);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoW(const wchar_t* szLibraryName);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll);
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll);
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack);
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack);
// TitanEngine.Process.functions:
// The process id is returned as long, whereas other declarations take a
// DWORD ProcessId; the value used for "not found" is not visible here.
__declspec(dllexport) long TITCALL GetActiveProcessId(const char* szImageName);
__declspec(dllexport) long TITCALL GetActiveProcessIdW(const wchar_t* szImageName);
__declspec(dllexport) void TITCALL EnumProcessesWithLibrary(const char* szLibraryName, void* EnumFunction);
// Parameter names mirror Win32 OpenProcess. Request only the access rights
// the operation needs; the returned HANDLE presumably has to be closed by
// the caller -- TODO confirm.
__declspec(dllexport) HANDLE TITCALL TitanOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId);
// TitanEngine.TLSFixer.functions:
__declspec(dllexport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack);
// ArrayOfCallBacks is caller-provided and NumberOfCallBacks is a pointer;
// whether it also carries the array capacity on input is not visible here,
// so size the array for the worst case -- TODO confirm.
__declspec(dllexport) bool TITCALL TLSGrabCallBackData(const char* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks);
__declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(const wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks);
// TLS fixer, name translation, handle inspection, injector, static unpacker,
// engine and extension-manager exports, followed by the header's closing
// lines. Only the signatures are visible here; notes about behaviour are
// hedged and should be confirmed against the TitanEngine documentation.
// Callback arguments are untyped (LPVOID / void*), so the compiler cannot
// check a handler's signature or calling convention.
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackEx(const char* szFileName, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackExW(const wchar_t* szFileName, LPVOID bpxCallBack);
__declspec(dllexport) bool TITCALL TLSRemoveCallback(const char* szFileName);
__declspec(dllexport) bool TITCALL TLSRemoveCallbackW(const wchar_t* szFileName);
__declspec(dllexport) bool TITCALL TLSRemoveTable(const char* szFileName);
__declspec(dllexport) bool TITCALL TLSRemoveTableW(const wchar_t* szFileName);
__declspec(dllexport) bool TITCALL TLSBackupData(const char* szFileName);
__declspec(dllexport) bool TITCALL TLSBackupDataW(const wchar_t* szFileName);
__declspec(dllexport) bool TITCALL TLSRestoreData();
__declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
__declspec(dllexport) bool TITCALL TLSBuildNewTableEx(const char* szFileName, const char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
// NOTE(review): the wide variant keeps szSectionName as a narrow const char*.
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(const wchar_t* szFileName, const char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks);
// TitanEngine.TranslateName.functions:
// Return void*; character type and ownership of the result are not visible.
__declspec(dllexport) void* TITCALL TranslateNativeName(const char* szNativeName);
__declspec(dllexport) void* TITCALL TranslateNativeNameW(const wchar_t* szNativeName);
// TitanEngine.Handler.functions:
__declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId);
__declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle);
__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName);
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName);
// HandleBuffer is caller-provided and MaxHandleCount limits the entries; the
// size of one entry is not visible here -- TODO confirm before allocating.
__declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount);
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn);
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle);
// NOTE(review): this narrow variant takes a non-const char* name, unlike its
// W variant and the sibling functions below; whether the string is modified
// is not visible here.
__declspec(dllexport) long TITCALL HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount);
__declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(const wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount);
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(const char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(const wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllexport) bool TITCALL HandlerIsFileLocked(const char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
__declspec(dllexport) bool TITCALL HandlerIsFileLockedW(const wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated);
// TitanEngine.Handler[Mutex].functions:
__declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount);
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, const char* szMutexString);
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, const wchar_t* szMutexString);
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(const char* szMutexString);
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(const wchar_t* szMutexString);
// TitanEngine.Injector.functions:
// szLibraryFile is taken as given; how a relative name would be resolved is
// not visible here, so prefer a fully qualified path -- TODO confirm. The
// access rights hProcess must carry are not visible in this header either.
__declspec(dllexport) bool TITCALL RemoteLoadLibrary(HANDLE hProcess, const char* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, const wchar_t* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, const char* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, const wchar_t* szLibraryFile, bool WaitForThreadExit);
__declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD ExitCode);
// TitanEngine.StaticUnpacker.functions:
// StaticFileLoad* hand back a file handle, mapping handle, size and mapped
// address through out-pointers, and StaticFileUnload* take the same four
// values back; presumably each successful load must be paired with one
// unload -- TODO confirm.
__declspec(dllexport) bool TITCALL StaticFileLoad(const char* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileLoadW(const wchar_t* szFileName, DWORD DesiredAccess, bool SimulateLoad, LPHANDLE FileHandle, LPDWORD LoadedSize, LPHANDLE FileMap, PULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileUnload(const char* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileUnloadW(const wchar_t* szFileName, bool CommitChanges, HANDLE FileHandle, DWORD LoadedSize, HANDLE FileMap, ULONG_PTR FileMapVA);
__declspec(dllexport) bool TITCALL StaticFileOpen(const char* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh);
__declspec(dllexport) bool TITCALL StaticFileOpenW(const wchar_t* szFileName, DWORD DesiredAccess, LPHANDLE FileHandle, LPDWORD FileSizeLow, LPDWORD FileSizeHigh);
// Buffer must hold at least Size bytes (presumably; the unit is not stated).
__declspec(dllexport) bool TITCALL StaticFileGetContent(HANDLE FileHandle, DWORD FilePositionLow, LPDWORD FilePositionHigh, void* Buffer, DWORD Size);
__declspec(dllexport) void TITCALL StaticFileClose(HANDLE FileHandle);
// DecryptionType / SpecDecryptionType are plain DWORDs whose constants are
// defined elsewhere; these functions return void, so a failure cannot be
// detected from the call itself.
__declspec(dllexport) void TITCALL StaticMemoryDecrypt(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey);
__declspec(dllexport) void TITCALL StaticMemoryDecryptEx(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, void* DecryptionCallBack);
__declspec(dllexport) void TITCALL StaticMemoryDecryptSpecial(LPVOID MemoryStart, DWORD MemorySize, DWORD DecryptionKeySize, DWORD SpecDecryptionType, void* DecryptionCallBack);
__declspec(dllexport) void TITCALL StaticSectionDecrypt(ULONG_PTR FileMapVA, DWORD SectionNumber, bool SimulateLoad, DWORD DecryptionType, DWORD DecryptionKeySize, ULONG_PTR DecryptionKey);
// Both buffers come with explicit sizes; whether a too-small Destination is
// reported through the bool result is not visible here -- TODO confirm.
__declspec(dllexport) bool TITCALL StaticMemoryDecompress(void* Source, DWORD SourceSize, void* Destination, DWORD DestinationSize, int Algorithm);
// The parameter name VitualAddressToCopy is spelled this way in the header.
__declspec(dllexport) bool TITCALL StaticRawMemoryCopy(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, const char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR VitualAddressToCopy, DWORD Size, bool AddressIsRVA, const wchar_t* szDumpFileName);
// The Ex variants take 32-bit offsets and sizes; the Ex64 variants take
// DWORD64 for both.
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, const char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD RawAddressToCopy, DWORD Size, const wchar_t* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, const char* szDumpFileName);
__declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD64 RawAddressToCopy, DWORD64 Size, const wchar_t* szDumpFileName);
// HashDigest has no size argument: the caller must provide a buffer large
// enough for the chosen Algorithm, presumably larger when OutputString asks
// for a textual digest -- TODO confirm the required sizes. StaticHashMemory
// takes the digest as void*, the file variants as char*.
__declspec(dllexport) bool TITCALL StaticHashMemory(void* MemoryToHash, DWORD SizeOfMemory, void* HashDigest, bool OutputString, int Algorithm);
__declspec(dllexport) bool TITCALL StaticHashFileW(const wchar_t* szFileName, char* HashDigest, bool OutputString, int Algorithm);
__declspec(dllexport) bool TITCALL StaticHashFile(const char* szFileName, char* HashDigest, bool OutputString, int Algorithm);
// TitanEngine.Engine.functions:
// (This first Engine group holds the EngineUnpacker* functions.)
__declspec(dllexport) void TITCALL EngineUnpackerInitialize(const char* szFileName, const char* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack);
__declspec(dllexport) void TITCALL EngineUnpackerInitializeW(const wchar_t* szFileName, const wchar_t* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack);
__declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchStart, DWORD SearchSize, void* SearchPattern, DWORD PatternSize, DWORD PatternDelta, ULONG_PTR BreakType, bool SingleBreak, DWORD Parameter1, DWORD Parameter2);
__declspec(dllexport) void TITCALL EngineUnpackerSetEntryPointAddress(ULONG_PTR UnpackedEntryPointAddress);
__declspec(dllexport) void TITCALL EngineUnpackerFinalizeUnpacking();
// TitanEngine.Engine.functions:
__declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet);
// These write files under szOutputFolder (per the parameter names); which
// files are created is not visible here.
__declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(const char* szFileName, const char* szOutputFolder, bool LogCreatedFiles);
__declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(const wchar_t* szFileName, const wchar_t* szOutputFolder, bool LogCreatedFiles);
__declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess);
__declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies();
__declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(const char* WindowUnpackerTitle, const char* WindowUnpackerLongTitle, const char* WindowUnpackerName, const char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(const char* szLogMessage);
// Presumably lets a caller verify that its view of a structure's size
// matches the engine's (this header changes struct packing, see the
// #pragma pack(pop) below) -- TODO confirm.
__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize);
// Global.Engine.Extension.Functions:
// Plugins are addressed by name only; how a name maps to a loaded module is
// not visible here.
__declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(const char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(const char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerDisableAllPlugins();
__declspec(dllexport) bool TITCALL ExtensionManagerDisablePlugin(const char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerEnableAllPlugins();
__declspec(dllexport) bool TITCALL ExtensionManagerEnablePlugin(const char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerUnloadAllPlugins();
__declspec(dllexport) bool TITCALL ExtensionManagerUnloadPlugin(const char* szPluginName);
__declspec(dllexport) void* TITCALL ExtensionManagerGetPluginInfo(const char* szPluginName);

// Closes a block opened earlier under the same __cplusplus guard (the
// opening, presumably extern "C" {, is not visible in this part of the file).
#ifdef __cplusplus
}
#endif

// Restores the struct packing saved by an earlier push (not visible here).
#pragma pack(pop)

#endif /*TITANENGINE*/

--------------------------------------------------------------------------------