UINT32 IATAutoFix(DWORD pid, DWORD_PTR oep, WCHAR *outputFile)
{
INFO("----------------IAT Fixing Test----------------\n");
DWORD_PTR iatStart = 0;
DWORD iatSize = 0;
WCHAR originalExe[MAX_PATH]; // Path of the original PE which as launched the current process
WCHAR *dumpFile = L"./tmp_dump_file.exe"; //Path of the file where the process will be dumped during the Dumping Process
//getting the Base Address
DWORD_PTR hMod = GetExeModuleBase(pid);
if(!hMod) {
DEBUG("Can't find PID");
}
INFO("GetExeModuleBase %X\n", hMod);
//Dumping Process
BOOL success = GetFilePathFromPID(pid,originalExe);
if(!success) {
ERRORE("Error in getting original Path from Pid: %d\n",pid);
return SCYLLA_ERROR_FILE_FROM_PID;
}
INFO("Original Exe Path: %S\n",originalExe);
/* hMod is the reference to the ExE module base */
success = ScyllaDumpProcessW(pid,originalExe,hMod,oep,dumpFile);
if(!success) {
ERRORE("Error Dumping Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S \n",pid,originalExe,hMod,oep,dumpFile);
return SCYLLA_ERROR_DUMP;
}
INFO("Successfully dumped Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S \n",pid,originalExe,hMod,oep,dumpFile);
DebugBreak();
//Searching the IAT
int error = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, TRUE);
if(error) {
ERRORE("(IAT SEARCH) error %d \n",error);
return SCYLLA_ERROR_IAT_NOT_FOUND;
}
INFO("(IAT SEARCH) iatStart %X iatSize %X\n",iatStart, iatSize);
//Fixing the IAT
INFO("\n\n\n\nFIXING ...... start : %08x\t size : %08x\t pid : %d\t output : %s\n\n\n\n", iatStart,iatSize,pid,dumpFile,outputFile);
error = ScyllaIatFixAutoW(iatStart,iatSize,pid,dumpFile,outputFile);
if(error) {
ERRORE("(IAT FIX) error %d",error);
return SCYLLA_ERROR_IAT_NOT_FIXED;
}
INFO("[IAT FIX] Success");
return SCYLLA_SUCCESS_FIX;
}
void IATAutoFix(DWORD pid, DWORD_PTR oep, WCHAR *outputFile)
{
INFO("----------------IAT Fixing Test----------------\n");
DWORD_PTR iatStart = 0;
DWORD iatSize = 0;
WCHAR originalExe[MAX_PATH]; // Path of the original PE which as launched the current process
WCHAR *dumpFile = L"./tmp_dump_file.exe"; //Path of the file where the process will be dumped during the Dumping Process
//getting the Base Address
DWORD_PTR hMod = GetExeModuleBase(pid);
if(!hMod){
DEBUG("Can't find PID");
}
INFO("GetExeModuleBase %X\n", hMod);
//Dumping Process
BOOL success = GetFilePathFromPID(pid,originalExe);
if(!success){
ERRORE("Error in getting original Path from Pid: %d\n",pid);
return;
}
INFO("Original Exe Path: %S\n",originalExe);
success = ScyllaDumpProcessW(pid,originalExe,hMod,oep,dumpFile);
if(!success){
ERRORE("Error Dumping Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S \n",pid,originalExe,hMod,oep,dumpFile);
return;
}
INFO("Successfully dumped Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S \n",pid,originalExe,hMod,oep,dumpFile);
//Searching the IAT
int error = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, TRUE);
if(error){
ERRORE("(IAT SEARCH) error %d \n",error);
return;
}
INFO("(IAT SEARCH) iatStart %X iatSize %X\n",iatStart, iatSize);
//Fixing the IAT
error = ScyllaIatFixAutoW(iatStart,iatSize,pid,dumpFile,outputFile);
if(error){
ERRORE("(IAT FIX) error %d",error);
return;
}
INFO("[IAT FIX] Success");
}
UINT32 IATAutoFix(DWORD pid, DWORD_PTR oep, WCHAR *outputFile, WCHAR * cur_path, WCHAR * tmp_dump)
{
Log::getInstance()->initLogPath(cur_path);//Initialize the log File NEED TO BE BEFORE ANY INFO(),WARN(),ERROR()
PRINT("\n\n-------------------------------------------------------------------------------------------------------");
PRINT("------------------------------------ IAT Fixing at %08x -------------------------------------",oep);
PRINT("-------------------------------------------------------------------------------------------------------");
DWORD_PTR iatStart = 0;
DWORD iatSize = 0;
WCHAR originalExe[MAX_PATH]; // Path of the original PE which as launched the current process
//getting the Base Address
DWORD_PTR hMod = GetExeModuleBase(pid);
if(!hMod){
INFO("Can't find PID");
}
INFO("GetExeModuleBase %X", hMod);
//Dumping Process
BOOL success = GetFilePathFromPID(pid,originalExe);
if(!success){
INFO("Error in getting original Path from Pid: %d",pid);
return SCYLLA_ERROR_FILE_FROM_PID;
}
INFO("Original Exe Path: %S",originalExe);
success = ScyllaDumpProcessW(pid,originalExe,hMod,oep,tmp_dump);
if(!success){
INFO("[SCYLLA DUMP] Error Dumping Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S ",pid,originalExe,hMod,oep,tmp_dump);
return SCYLLA_ERROR_DUMP;
}
INFO("[SCYLLA DUMP] Successfully dumped Pid: %d, FileToDump: %S, Hmod: %X, oep: %X, output: %S ",pid,originalExe,hMod,oep,tmp_dump);
//DebugBreak();
//Searching the IAT
int error = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, TRUE);
//check if ScyllaIATSearch failed and if the result IAT address is readable
if(error || !isMemoryReadable((void *) iatStart,iatSize)){
/*Display why the Scylla IAT Search failed:
- error in IAT search
- address found not readable */
if(error){
ERRORE("[SCYLLA ADVANCED SEARCH] error %d ",error);
}
else{
ERRORE("[SCYLLA ADVANCED SEARCH] IAT address not readable/mapped iat_start : %08x\t iat_size : %08x\t ",iatStart,iatSize);
}
INFO("[SCYLLA SEARCH] Trying basic IAT search");
//Trying Basic IAT search
int error2 = ScyllaIatSearch(pid, &iatStart, &iatSize, hMod + 0x00001028, FALSE);
if(error2 || !isMemoryReadable((void *) iatStart,iatSize)){
/*Display why the Scylla IAT Search failed:
- error in IAT search
- address found not readable */
if(error2){
ERRORE("[SCYLLA BASIC SEARCH] error %d ",error2);
}
else{
ERRORE("[SCYLLA BASIC SEARCH] IAT address not readable/mapped iat_start : %08x\t iat_size : %08x\t ",iatStart,iatSize);
}
return SCYLLA_ERROR_IAT_NOT_FOUND;
}
}
INFO("[SCYLLA SEARCH] iat_start : %08x\t iat_size : %08x\t pid : %d", iatStart,iatSize,pid,outputFile);
//Fixing the IAT
error = ScyllaIatFixAutoW(iatStart,iatSize,pid,tmp_dump,outputFile,1,oep,1);
if(error){
INFO("[SCYLLA FIX] error %d",error);
return SCYLLA_ERROR_IAT_NOT_FIXED;
}
//Removing the correct dump from the not working directory
_wremove(tmp_dump);
INFO("[SCYLLA FIX] Success fixed file at %S",outputFile);
return SCYLLA_SUCCESS_FIX;
}