Beispiel #1
0
BOOL WINAPI ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult)
{
	WCHAR fileToDumpW[MAX_PATH];
	WCHAR fileResultW[MAX_PATH];

	if (fileResult == 0)
	{
		return FALSE;
	}

	if (MultiByteToWideChar(CP_ACP, 0, fileResult, -1, fileResultW, _countof(fileResultW)) == 0)
	{
		return FALSE;
	}

	if (fileToDump != 0)
	{
		if (MultiByteToWideChar(CP_ACP, 0, fileToDump, -1, fileToDumpW, _countof(fileToDumpW)) == 0)
		{
			return FALSE;
		}

		return ScyllaDumpProcessW(pid, fileToDumpW, imagebase, entrypoint, fileResultW);
	}
	else
	{
		return ScyllaDumpProcessW(pid, 0, imagebase, entrypoint, fileResultW);
	}
}
UINT32 IATAutoFix(DWORD pid, DWORD_PTR oep, WCHAR *outputFile)
{
    INFO("----------------IAT Fixing Test----------------\n");


    DWORD_PTR iatStart = 0;
    DWORD iatSize = 0;
    WCHAR originalExe[MAX_PATH]; // Path of the original PE which as launched the current process
    WCHAR *dumpFile = L"./tmp_dump_file.exe";  //Path of the file where the process will be dumped during the Dumping Process

    //getting the Base Address
    DWORD_PTR hMod = GetExeModuleBase(pid);
    if(!hMod) {
        DEBUG("Can't find PID");
    }
    INFO("GetExeModuleBase %X\n", hMod);



    //Dumping Process
    BOOL success = GetFilePathFromPID(pid,originalExe);
    if(!success) {
        ERRORE("Error in getting original Path from Pid: %d\n",pid);
        return SCYLLA_ERROR_FILE_FROM_PID;
    }
    INFO("Original Exe Path: %S\n",originalExe);

    /* hMod is the reference to the ExE module base */
    success = ScyllaDumpProcessW(pid,originalExe,hMod,oep,dumpFile);
    if(!success) {
        ERRORE("Error Dumping  Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S \n",pid,originalExe,hMod,oep,dumpFile);
        return SCYLLA_ERROR_DUMP;
    }
    INFO("Successfully dumped Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S \n",pid,originalExe,hMod,oep,dumpFile);

    DebugBreak();
    //Searching the IAT
    int error = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, TRUE);
    if(error) {
        ERRORE("(IAT SEARCH) error %d \n",error);
        return SCYLLA_ERROR_IAT_NOT_FOUND;
    }
    INFO("(IAT SEARCH) iatStart %X iatSize %X\n",iatStart, iatSize);


    //Fixing the IAT
    INFO("\n\n\n\nFIXING ...... start : %08x\t size : %08x\t pid : %d\t output : %s\n\n\n\n", iatStart,iatSize,pid,dumpFile,outputFile);

    error = ScyllaIatFixAutoW(iatStart,iatSize,pid,dumpFile,outputFile);
    if(error) {
        ERRORE("(IAT FIX) error %d",error);
        return SCYLLA_ERROR_IAT_NOT_FIXED;
    }
    INFO("[IAT FIX] Success");
    return SCYLLA_SUCCESS_FIX;

}
UINT32 IATAutoFix(DWORD pid, DWORD_PTR oep, WCHAR *outputFile, WCHAR * cur_path, WCHAR * tmp_dump)
{

	Log::getInstance()->initLogPath(cur_path);//Initialize the log File NEED TO BE BEFORE ANY INFO(),WARN(),ERROR()


	PRINT("\n\n-------------------------------------------------------------------------------------------------------");
	PRINT("------------------------------------ IAT Fixing at %08x -------------------------------------",oep);
	PRINT("-------------------------------------------------------------------------------------------------------");

	DWORD_PTR iatStart = 0;
	DWORD iatSize = 0;
	WCHAR originalExe[MAX_PATH]; // Path of the original PE which as launched the current process

	//getting the Base Address
	DWORD_PTR hMod = GetExeModuleBase(pid);
	if(!hMod){
		INFO("Can't find PID");
	}
	INFO("GetExeModuleBase %X", hMod);

	//Dumping Process
	BOOL success = GetFilePathFromPID(pid,originalExe);
	if(!success){
		INFO("Error in getting original Path from Pid: %d",pid);
		return SCYLLA_ERROR_FILE_FROM_PID;
	}
	INFO("Original Exe Path: %S",originalExe);
		
	success = ScyllaDumpProcessW(pid,originalExe,hMod,oep,tmp_dump);
	if(!success){
		INFO("[SCYLLA DUMP] Error Dumping  Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S ",pid,originalExe,hMod,oep,tmp_dump);
		return SCYLLA_ERROR_DUMP;
	}
	INFO("[SCYLLA DUMP] Successfully dumped Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S ",pid,originalExe,hMod,oep,tmp_dump);
		
	//DebugBreak();
	//Searching the IAT
	int error = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, TRUE);

	//check if ScyllaIATSearch failed and if the result IAT address is readable

	if(error || !isMemoryReadable((void *) iatStart,iatSize)){

		/*Display why the Scylla IAT Search failed: 
			- error in IAT search
			- address found not readable */
		if(error){  
			ERRORE("[SCYLLA ADVANCED SEARCH] error %d  ",error); 
		}
		else{
				ERRORE("[SCYLLA ADVANCED SEARCH] IAT address not readable/mapped iat_start : %08x\t iat_size : %08x\t  ",iatStart,iatSize);
		}
		
		INFO("[SCYLLA SEARCH] Trying basic IAT search");

		//Trying  Basic IAT search
		int error2 = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, FALSE);
		if(error2  || !isMemoryReadable((void *) iatStart,iatSize)){

			/*Display why the Scylla IAT Search failed: 
			 - error in IAT search
			 - address found not readable */
			if(error2){  
				ERRORE("[SCYLLA BASIC SEARCH] error %d  ",error2); 
			}
			else{
				 ERRORE("[SCYLLA BASIC SEARCH] IAT address  not readable/mapped iat_start : %08x\t iat_size : %08x\t ",iatStart,iatSize);
			}
			return SCYLLA_ERROR_IAT_NOT_FOUND;
		}
	}

	INFO("[SCYLLA SEARCH] iat_start : %08x\t iat_size : %08x\t pid : %d", iatStart,iatSize,pid,outputFile);
	
	//Fixing the IAT
	error = ScyllaIatFixAutoW(iatStart,iatSize,pid,tmp_dump,outputFile,1,oep,1);
	if(error){
		INFO("[SCYLLA FIX] error %d",error);
		return SCYLLA_ERROR_IAT_NOT_FIXED;
	}

	//Removing the correct dump from the not working directory
	_wremove(tmp_dump);

	INFO("[SCYLLA FIX] Success fixed file at %S",outputFile);
	return SCYLLA_SUCCESS_FIX;
	
}