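/**
 * \brief Registers a newly created debuggee thread in the global thread list.
 *
 * Fills a THREADINFO from the CREATE_THREAD debug event (thread number, thread
 * id of the current DEBUG_EVENT, start address, TLS base) and duplicates the
 * debug loop's thread handle so the debugger owns its own copy with the same
 * access rights. Thread #0 is named "Main Thread". The entry is inserted into
 * threadList under LockThreads and the GUI thread view is refreshed.
 *
 * \param CreateThread The CREATE_THREAD_DEBUG_INFO delivered with the event.
 *
 * Change from the previous version: the DuplicateHandle() result is checked and
 * the handle is forced back to INVALID_HANDLE_VALUE on failure, so consumers of
 * threadList always see a well-defined sentinel instead of whatever the API left
 * in the output parameter. The thread is still recorded in that case.
 * NOTE(review): threadList.insert()/emplace() does not replace an existing entry
 * with the same ThreadId.
 */
void ThreadCreate(CREATE_THREAD_DEBUG_INFO* CreateThread)
{
    const DEBUG_EVENT* debugEvent = reinterpret_cast<DEBUG_EVENT*>(GetDebugData());

    THREADINFO info;
    memset(&info, 0, sizeof(info));
    info.ThreadNumber = ThreadGetCount();
    info.Handle = INVALID_HANDLE_VALUE;
    info.ThreadId = debugEvent->dwThreadId;
    info.ThreadStartAddress = reinterpret_cast<duint>(CreateThread->lpStartAddress);
    info.ThreadLocalBase = reinterpret_cast<duint>(CreateThread->lpThreadLocalBase);

    // Debug thread handle -> our own thread handle (same access rights).
    // On failure the output parameter is not guaranteed to be untouched, so
    // pin it back to the sentinel the rest of the code tests against.
    if(!DuplicateHandle(GetCurrentProcess(), CreateThread->hThread,
                        GetCurrentProcess(), &info.Handle,
                        0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        info.Handle = INVALID_HANDLE_VALUE;
    }

    // The first thread (#0) is always the main program thread.
    if(info.ThreadNumber <= 0)
        strcpy_s(info.threadName, "Main Thread");

    // Modify the global thread list under the exclusive lock.
    {
        EXCLUSIVE_ACQUIRE(LockThreads);
        threadList.emplace(info.ThreadId, info);
        EXCLUSIVE_RELEASE();
    }

    GuiUpdateThreadView();
}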
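/**
 * \brief Memory-breakpoint callback of the generic OEP tracer.
 *
 * Invoked when the traced image's memory breakpoint fires. Records into
 * glbEntryTracerData where the access originated (current instruction
 * pointer), the accessed address and the access type taken from the
 * exception record, then single-steps into GenericOEPTraceHited() which
 * evaluates the access.
 *
 * Change from the previous version: the unused locals (szInstructionType,
 * the fEPCallBack typedef and myEPCallBack) are removed. The DisassembleEx()
 * call whose result was discarded is kept as an explicit void expression.
 */
void GenericOEPTraceHit()
{
    LPDEBUG_EVENT dbgEvent = (LPDEBUG_EVENT)GetDebugData();
    const auto & record = dbgEvent->u.Exception.ExceptionRecord;

    glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
    // ExceptionInformation[0] carries the access type, [1] the accessed address.
    glbEntryTracerData.MemoryAccessed = record.ExceptionInformation[1];
    glbEntryTracerData.AccessType = record.ExceptionInformation[0];

    // The disassembly text was never used. The call is retained only in case
    // DisassembleEx has side effects the tracer depends on.
    // TODO(review): confirm it is side-effect free and drop the call.
    (void)DisassembleEx(dbgProcessInformation.hProcess,
                        (void*)glbEntryTracerData.MemoryAccessedFrom, true);

    StepInto(&GenericOEPTraceHited);
}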
/**
 * \brief Reports whether the current debug event was raised in the debuggee's
 *        main thread.
 *
 * Compares the thread id carried by the current DEBUG_EVENT with the thread id
 * stored in dbgProcessInformation.
 *
 * \return true when the event's dwThreadId equals dbgProcessInformation.dwThreadId.
 */
__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread()
{
    const LPDEBUG_EVENT dbgEvent = (LPDEBUG_EVENT)GetDebugData();
    const auto eventThreadId = dbgEvent->dwThreadId;
    const auto mainThreadId = dbgProcessInformation.dwThreadId;
    return eventThreadId == mainThreadId;
}
void GenericOEPTraceHited() { int i; //void* lpHashBuffer; char lpHashBuffer[0x1000] = {0}; bool FakeEPDetected = false; ULONG_PTR NumberOfBytesRW; LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData(); typedef void(TITCALL * fEPCallBack)(); fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack; PMEMORY_COMPARE_HANDLER myCmpHandler; ULONG_PTR memBpxAddress; ULONG_PTR memBpxSize; DWORD originalHash; DWORD currentHash; if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP) { if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage) { for(i = 0; i < glbEntryTracerData.SectionNumber; i++) { if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase) { if(glbEntryTracerData.AccessType == 1) { glbEntryTracerData.SectionData[i].AccessedAlready = true; } if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase) { if(i != glbEntryTracerData.OriginalEntryPointNum) { glbEntryTracerData.SectionData[i].AccessedAlready = true; } memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer); memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress; if(memBpxSize > sizeof(lpHashBuffer)) { memBpxSize = sizeof(lpHashBuffer); } 
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW)) { currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL); originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL); if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW)) { myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer); if(myCmpHandler->Array.bArrayEntry[0] == 0xC3) // RET { FakeEPDetected = true; } else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3) // XOR EAX,EAX; RET { FakeEPDetected = true; } } if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false) { __try { if(glbEntryTracerData.EPCallBack != NULL) { glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP); SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom); DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND); RemoveAllBreakPoints(UE_OPTION_REMOVEALL); myEPCallBack(); SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer); } else { StopDebug(); } } __except(EXCEPTION_EXECUTE_HANDLER) { StopDebug(); } } } } else { SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit); } } else {