// TitanEngine.Handler[Mutex].functions:
__declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount)
{
HANDLE myHandle = NULL;
HANDLE copyHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
char HandleFullData[0x1000] = {0};
char HandleNameDataB[0x1000] = {0};
LPVOID HandleNameData = HandleNameDataB;
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
if(pObjectTypeInfo->TypeName.Length != NULL)
{
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL)
{
copyHandle = (HANDLE)HandleInfo->hHandle;
RtlMoveMemory(HandleBuffer, ©Handle, sizeof HANDLE);
HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE);
HandleCount++;
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return(HandleCount);
}
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle)
{
HANDLE myHandle;
if(hProcess != NULL)
{
DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_CLOSE_SOURCE);
EngineCloseHandle(myHandle);
}
return false;
}
__declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
EngineCloseHandle(hProcess);
return ReturnValue;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
EngineCloseHandle(hProcess);
return ReturnValue;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, wchar_t* szDumpFileName)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
{
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
EngineCloseHandle(hProcess);
return ReturnValue;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint)
{
HANDLE hProcess = 0;
bool ReturnValue = false;
hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
EngineCloseHandle(hProcess);
return ReturnValue;
}
else
{
return false;
}
}
__declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{
if(hProcess != NULL)
{
if(!AutoCloseTheHandle)
{
return (ULONG_PTR)CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
}
else
{
HANDLE myThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId);
EngineCloseHandle(myThread);
return NULL;
}
}
return NULL;
}
__declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
HANDLE hFile = 0;
LPVOID ReadBase = MemoryStart;
ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase;
char ueCopyBuffer[0x2000] = {0};
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
while(MemorySize > NULL)
{
ReadBase = (LPVOID)ProcReadBase;
if(MemorySize >= 0x1000)
{
RtlZeroMemory(ueCopyBuffer,0x2000);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
WriteFile(hFile,ueCopyBuffer, 0x1000, &uedNumberOfBytesRead, NULL);
MemorySize = MemorySize - 0x1000;
}
else
{
RtlZeroMemory(ueCopyBuffer,0x2000);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, (DWORD)MemorySize, &uedNumberOfBytesRead, NULL);
MemorySize = NULL;
}
ProcReadBase = (ULONG_PTR)ReadBase + 0x1000;
}
EngineCloseHandle(hFile);
return true;
}
return false;
}
__declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_DOS_HEADER DOSFixHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_NT_HEADERS32 PEFixHeader32;
PIMAGE_NT_HEADERS64 PEFixHeader64;
PIMAGE_SECTION_HEADER PEFixSection;
ULONG_PTR ueNumberOfBytesRead = 0;
DWORD uedNumberOfBytesRead = 0;
DWORD SizeOfImageDump = 0;
int NumberOfSections = 0;
BOOL FileIs64 = false;
HANDLE hFile = INVALID_HANDLE_VALUE;
DWORD RealignedVirtualSize = 0;
ULONG_PTR ProcReadBase = 0;
LPVOID ReadBase = ImageBase;
SIZE_T CalculatedHeaderSize = NULL;
SIZE_T AlignedHeaderSize = NULL;
DynBuf ueReadBuf, ueCopyBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000);
if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
{
//ReadProcessMemory
DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if ((DOSHeader->e_lfanew > 0x500) || (DOSHeader->e_magic != IMAGE_DOS_SIGNATURE) || (PEHeader32->Signature != IMAGE_NT_SIGNATURE))
{
return false;
}
CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections);
if(CalculatedHeaderSize > 0x1000)
{
if(CalculatedHeaderSize % 0x1000 != NULL)
{
AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000;
}
else
{
AlignedHeaderSize = CalculatedHeaderSize;
}
ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize);
ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
return false;
}
else
{
DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
}
}
else
{
CalculatedHeaderSize = 0x1000;
AlignedHeaderSize = 0x1000;
}
if(EngineValidateHeader((ULONG_PTR)ueReadBuffer, hProcess, ImageBase, DOSHeader, false))
{
//EngineValidateHeader
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
FileIs64 = true;
}
else
{
return false;
}
if(!FileIs64)
{
//PE32 Handler
NumberOfSections = PEHeader32->FileHeader.NumberOfSections;
NumberOfSections++;
if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL)
{
SizeOfImageDump = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment;
}
else
{
SizeOfImageDump = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment;
}
SizeOfImageDump = SizeOfImageDump - (DWORD)AlignedHeaderSize;
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
if(ReadProcessMemory(hProcess, ImageBase, ueCopyBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
if(ueCopyBuffer)
{
DOSFixHeader = (PIMAGE_DOS_HEADER)ueCopyBuffer;
PEFixHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSFixHeader + DOSFixHeader->e_lfanew);
PEFixSection = IMAGE_FIRST_SECTION(PEFixHeader32);
if(PEFixHeader32->OptionalHeader.FileAlignment > 0x200)
{
PEFixHeader32->OptionalHeader.FileAlignment = PEHeader32->OptionalHeader.SectionAlignment;
}
PEFixHeader32->OptionalHeader.AddressOfEntryPoint = (DWORD)(EntryPoint - (ULONG_PTR)ImageBase);
PEFixHeader32->OptionalHeader.ImageBase = (DWORD)((ULONG_PTR)ImageBase);
for(int i=NumberOfSections; i>=1; i--)
{
PEFixSection->PointerToRawData = PEFixSection->VirtualAddress;
RealignedVirtualSize = (PEFixSection->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment;
if(RealignedVirtualSize < PEFixSection->Misc.VirtualSize)
{
RealignedVirtualSize = RealignedVirtualSize + PEHeader32->OptionalHeader.SectionAlignment;
}
PEFixSection->SizeOfRawData = RealignedVirtualSize;
PEFixSection->Misc.VirtualSize = RealignedVirtualSize;
PEFixSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEFixSection + IMAGE_SIZEOF_SECTION_HEADER);
}
WriteFile(hFile, ueCopyBuffer, (DWORD)AlignedHeaderSize, &uedNumberOfBytesRead, NULL);
ReadBase = (LPVOID)((ULONG_PTR)ReadBase + AlignedHeaderSize - TITANENGINE_PAGESIZE);
while(SizeOfImageDump > NULL)
{
ProcReadBase = (ULONG_PTR)ReadBase + TITANENGINE_PAGESIZE;
ReadBase = (LPVOID)ProcReadBase;
if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
}
else
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL;
}
}
EngineCloseHandle(hFile);
return true;
}
}
}
}//PE32 Handler
else
{
//PE64 Handler
NumberOfSections = PEHeader64->FileHeader.NumberOfSections;
NumberOfSections++;
if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL)
{
SizeOfImageDump = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment;
}
else
{
SizeOfImageDump = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment;
}
SizeOfImageDump = SizeOfImageDump - (DWORD)AlignedHeaderSize;
EngineCreatePathForFileW(szDumpFileName);
hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
if(ReadProcessMemory(hProcess, ImageBase, ueCopyBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{
if(ueCopyBuffer)
{
DOSFixHeader = (PIMAGE_DOS_HEADER)ueCopyBuffer;
PEFixHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSFixHeader + DOSFixHeader->e_lfanew);
PEFixSection = IMAGE_FIRST_SECTION(PEFixHeader64);
if(PEFixHeader64->OptionalHeader.FileAlignment > 0x200)
{
PEFixHeader64->OptionalHeader.FileAlignment = PEHeader64->OptionalHeader.SectionAlignment;
}
PEFixHeader64->OptionalHeader.AddressOfEntryPoint = (DWORD)(EntryPoint - (ULONG_PTR)ImageBase);
PEFixHeader64->OptionalHeader.ImageBase = (DWORD64)((ULONG_PTR)ImageBase);
for(int i=NumberOfSections; i>=1; i--)
{
PEFixSection->PointerToRawData = PEFixSection->VirtualAddress;
RealignedVirtualSize = (PEFixSection->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment;
if(RealignedVirtualSize < PEFixSection->Misc.VirtualSize)
{
RealignedVirtualSize = RealignedVirtualSize + PEHeader64->OptionalHeader.SectionAlignment;
}
PEFixSection->SizeOfRawData = RealignedVirtualSize;
PEFixSection->Misc.VirtualSize = RealignedVirtualSize;
PEFixSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEFixSection + IMAGE_SIZEOF_SECTION_HEADER);
}
WriteFile(hFile,ueCopyBuffer, (DWORD)AlignedHeaderSize, &uedNumberOfBytesRead, NULL);
ReadBase = (LPVOID)((ULONG_PTR)ReadBase + (DWORD)AlignedHeaderSize - TITANENGINE_PAGESIZE);
while(SizeOfImageDump > NULL)
{
ProcReadBase = (ULONG_PTR)ReadBase + TITANENGINE_PAGESIZE;
ReadBase = (LPVOID)ProcReadBase;
if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
}
else
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
MemoryReadSafe(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL;
}
}
EngineCloseHandle(hFile);
return true;
}
}
}
}//PE64 Handler
}//EngineValidateHeader
}//ReadProcessMemory
if (hFile != INVALID_HANDLE_VALUE)
{
EngineCloseHandle(hFile);
}
return false;
}
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{
bool NameFound = false;
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
char ObjectNameInfo[0x1000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return 0;
}
LPVOID QuerySystemBuffer = hinfo.GetPtr();
PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer;
PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles;
for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++)
{
if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle)
{
if(pHandle->GrantedAccess != 0x0012019F) //Filter, because this GrantedAccess type can cause deadlocks!
{
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, FALSE, DUPLICATE_SAME_ACCESS))
{
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, sizeof(ObjectNameInfo), &RequiredSize);
ZeroMemory(HandleFullName, 0x1000);
if(pObjectNameInfo->Name.Length != NULL)
{
wcscpy((wchar_t*)HandleFullName, pObjectNameInfo->Name.Buffer);
NameFound = true;
if(TranslateName)
{
LPVOID tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName;
}
}
}
EngineCloseHandle(myHandle);
break;
}
}
}
pHandle++;
}
if(!NameFound)
{
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return(NULL);
}
else
{
return(HandleFullName);
}
}
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString)
{
if(!szMutexString || wcslen(szMutexString) >= 450)
return 0;
HANDLE hProcess = NULL;
DWORD ReturnData = NULL;
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
DWORD LastProcessId = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
char HandleFullData[0x1000] = {0};
char HandleNameData[0x1000] = {0};
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
char ObjectNameInfo[0x2000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
lstrcatW(RealMutexName, szMutexString);
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(LastProcessId != HandleInfo->ProcessId)
{
if(hProcess != NULL)
{
EngineCloseHandle(hProcess);
}
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId;
}
if(hProcess != NULL)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectTypeInfo->TypeName.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(lstrcmpiW((LPCWSTR)HandleNameData, L"Mutant") == NULL)
{
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectNameInfo->Name.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL)
{
ReturnData = HandleInfo->ProcessId;
break;
}
}
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return(ReturnData);
}
__declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
HANDLE hProcess = NULL;
HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
OBJECT_BASIC_INFORMATION ObjectBasicInfo;
char ObjectNameInfo[0x2000] = {0};
POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(LastProcessId != HandleInfo->ProcessId)
{
if(hProcess != NULL)
{
EngineCloseHandle(hProcess);
}
hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId;
}
if(hProcess != NULL)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleFullName, 0x1000);
if(pObjectNameInfo->Name.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(NameIsTranslated)
{
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL)
{
HandleFullName = tmpHandleFullName;
}
}
if(NameIsFolder)
{
if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
{
RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
}
}
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
{
EngineCloseHandle(myHandle);
return true;
}
}
EngineCloseHandle(myHandle);
}
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
return false;
}
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn)
{
HANDLE myHandle = NULL;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo;
OBJECT_BASIC_INFORMATION ObjectBasicInfo;
char HandleFullData[0x1000] = {0};
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
bool DontFreeStringMemory = false;
ULONG_PTR ReturnData = NULL;
DynBuf hinfo;
if(!NtQuerySysHandleInfo(hinfo))
return 0;
LPVOID QuerySystemBuffer = hinfo.GetPtr();
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
while(TotalHandleCount > NULL)
{
if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle)
{
if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{
RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);
if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
{
ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_ACCESS)
{
ReturnData = (ULONG_PTR)HandleInfo->GrantedAccess;
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_FLAGS)
{
ReturnData = (ULONG_PTR)HandleInfo->Flags;
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
if(pObjectTypeInfo->TypeName.Length != NULL)
{
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
ReturnData = (ULONG_PTR)HandleNameData;
DontFreeStringMemory = true;
}
}
}
else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME_UNICODE)
{
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F)
{
RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000);
if(pObjectTypeInfo->TypeName.Length != NULL)
{
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectTypeInfo->TypeName.Buffer);
ReturnData = (ULONG_PTR)HandleNameData;
DontFreeStringMemory = true;
}
}
}
EngineCloseHandle(myHandle);
break;
}
}
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--;
}
if(!DontFreeStringMemory)
{
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
}
return(ReturnData);
}
