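// TitanEngine.Handler[Mutex].functions:

// Collects the handle values of ProcessId whose object type is "Mutant" (the
// kernel type behind a Win32 mutex).  Each matching handle value -- the value
// as it exists in the target process, not a duplicate -- is stored as one
// HANDLE in HandleBuffer, which the caller sizes for MaxHandleCount entries.
//
// hProcess       : handle to ProcessId that allows DuplicateHandle; every
//                  candidate is duplicated locally so its type can be queried.
// ProcessId      : process whose entries of the system handle table are scanned.
// HandleBuffer   : caller-owned array of at least MaxHandleCount HANDLEs.
// MaxHandleCount : capacity of HandleBuffer; further matches are dropped.
// Returns the number of handles stored, or 0 when the arguments are unusable
// or the system handle table cannot be read.
__declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount)
{
    // The original wrote through HandleBuffer unconditionally; a NULL buffer
    // or a zero capacity is simply "nothing can be returned".
    if(HandleBuffer == NULL || MaxHandleCount == 0)
        return 0;

    HANDLE myHandle = NULL;
    ULONG RequiredSize = 0;
    ULONG TotalHandleCount = 0;
    unsigned int HandleCount = 0;
    char HandleFullData[0x1000] = {0};
    char HandleNameDataB[0x1000] = {0};
    PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
    HANDLE* OutputSlot = (HANDLE*)HandleBuffer;

    DynBuf hinfo;
    if(!NtQuerySysHandleInfo(hinfo))
        return 0;

    // The snapshot starts with a ULONG entry count followed by the packed
    // NTDLL_QUERY_HANDLE_INFO records.
    // NOTE(review): the count is skipped with a fixed 4 bytes, as the original
    // did -- confirm this matches the NtQuerySysHandleInfo layout on 64-bit builds.
    LPVOID QuerySystemBuffer = hinfo.GetPtr();
    RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
    PNTDLL_QUERY_HANDLE_INFO HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)QuerySystemBuffer + 4);

    for(; TotalHandleCount > 0; TotalHandleCount--, HandleInfo++)
    {
        if(HandleInfo->ProcessId != ProcessId || HandleCount >= MaxHandleCount)
            continue;
        // Filter, because this GrantedAccess type can cause deadlocks in NtQueryObject.
        if(HandleInfo->GrantedAccess == 0x0012019F)
            continue;
        if(!DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, 0, FALSE, DUPLICATE_SAME_ACCESS))
            continue;

        // First call only learns the required size.  Clamp it to the local
        // buffer so an oversized type record can never write past HandleFullData.
        RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
        NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
        if(RequiredSize > sizeof(HandleFullData))
            RequiredSize = sizeof(HandleFullData);
        NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);

        RtlZeroMemory(HandleNameDataB, sizeof(HandleNameDataB));
        if(pObjectTypeInfo->TypeName.Length != 0)
        {
            WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, HandleNameDataB, sizeof(HandleNameDataB), NULL, NULL);
            if(lstrcmpiA(HandleNameDataB, "Mutant") == 0)
            {
                // Store the target's own handle value (the caller deals with
                // the remote process), not the local duplicate.
                *OutputSlot++ = (HANDLE)HandleInfo->hHandle;
                HandleCount++;
            }
        }
        EngineCloseHandle(myHandle);
    }
    return (long)HandleCount;
}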
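// Closes hHandle inside the remote process hProcess.  The handle is
// duplicated into this process with DUPLICATE_CLOSE_SOURCE, which closes the
// remote copy, and the local duplicate is then released.
//
// Returns true when the remote handle was closed; false when hProcess is NULL
// or DuplicateHandle failed, in which case the remote handle is untouched.
// (The original always returned false and, on a failed duplication, passed an
// uninitialised HANDLE to EngineCloseHandle.)
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle)
{
    if(hProcess == NULL)
        return false;
    HANDLE myHandle = NULL;
    if(!DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, 0, FALSE, DUPLICATE_CLOSE_SOURCE))
        return false;
    EngineCloseHandle(myHandle);
    return true;
}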
// Process-id flavour of DumpRegionsW: opens ProcessId for reading, delegates
// to DumpRegionsW and closes the handle again.
// Returns DumpRegionsW's result, or false when the process cannot be opened.
__declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly)
{
    HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
    if(!hProcess)
        return false;
    const bool Dumped = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
    EngineCloseHandle(hProcess);
    return Dumped;
}
// Process-id flavour of DumpMemoryW: opens ProcessId for reading, dumps
// MemorySize bytes from MemoryStart to szDumpFileName and closes the handle.
// Returns DumpMemoryW's result, or false when the process cannot be opened.
__declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
    HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
    if(!hProcess)
        return false;
    const bool Dumped = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
    EngineCloseHandle(hProcess);
    return Dumped;
}
// Process-id flavour of DumpModuleW: opens ProcessId for reading, dumps the
// module at ModuleBase to szDumpFileName and closes the handle again.
// EngineOpenProcess yields NULL when the open fails (the original note points
// at GetLastError for the reason); that case returns false.
__declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleBase, wchar_t* szDumpFileName)
{
    HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
    if(!hProcess)
        return false;
    const bool Dumped = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
    EngineCloseHandle(hProcess);
    return Dumped;
}
// Process-id flavour of DumpProcessW: opens ProcessId for reading, dumps the
// image at ImageBase (with EntryPoint patched in) to szDumpFileName and
// closes the handle again.
// Returns DumpProcessW's result, or false when the process cannot be opened.
__declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint)
{
    HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
    if(!hProcess)
        return false;
    const bool Dumped = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
    EngineCloseHandle(hProcess);
    return Dumped;
}
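// Starts a thread in hProcess at ThreadStartAddress with ThreadPassParameter
// as its argument.  With AutoCloseTheHandle false the new thread handle is
// returned as a ULONG_PTR and belongs to the caller; with it true the handle
// is closed right away and 0 is returned.  ThreadId is passed straight to
// CreateRemoteThread and may receive the new thread's id.
//
// Returns 0 when hProcess is NULL, when the handle was auto-closed, or when
// CreateRemoteThread failed (it returns NULL, which is 0).
__declspec(dllexport) ULONG_PTR TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId)
{
    if(hProcess == NULL)
        return 0;
    HANDLE myThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, 0, ThreadId);
    if(!AutoCloseTheHandle)
        return (ULONG_PTR)myThread;
    // A failed CreateRemoteThread yields NULL; the original closed it regardless.
    if(myThread != NULL)
        EngineCloseHandle(myThread);
    return 0;
}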
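// Copies MemorySize bytes starting at MemoryStart in hProcess into the file
// szDumpFileName, creating the directory path first and replacing any
// existing file.  Memory is read in 0x1000-byte chunks through MemoryReadSafe;
// a chunk that cannot be read is written as zeros (the buffer is cleared
// before each read), so the file still mirrors the address range.
//
// Returns false when the file cannot be created or a write fails (the
// original ignored WriteFile's result and reported success), true otherwise.
__declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
    const ULONG_PTR ChunkSize = 0x1000;
    ULONG_PTR ueNumberOfBytesRead = 0;
    DWORD uedNumberOfBytesRead = 0;
    char ueCopyBuffer[0x2000] = {0};

    EngineCreatePathForFileW(szDumpFileName);
    HANDLE hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if(hFile == INVALID_HANDLE_VALUE)
        return false;

    ULONG_PTR ReadCursor = (ULONG_PTR)MemoryStart;
    ULONG_PTR Remaining = MemorySize;
    while(Remaining > 0)
    {
        const ULONG_PTR ThisChunk = Remaining >= ChunkSize ? ChunkSize : Remaining;
        RtlZeroMemory(ueCopyBuffer, sizeof(ueCopyBuffer));
        // Best effort on purpose: an unreadable page leaves the zeroed buffer.
        MemoryReadSafe(hProcess, (LPVOID)ReadCursor, ueCopyBuffer, ThisChunk, &ueNumberOfBytesRead);
        if(!WriteFile(hFile, ueCopyBuffer, (DWORD)ThisChunk, &uedNumberOfBytesRead, NULL))
        {
            EngineCloseHandle(hFile);
            return false;
        }
        Remaining -= ThisChunk;
        ReadCursor += ChunkSize;
    }
    EngineCloseHandle(hFile);
    return true;
}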
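// Dumps the PE image mapped at ImageBase in hProcess to szDumpFileName and
// rewrites its headers so the file is a flat, section-aligned image: every
// section's PointerToRawData becomes its VirtualAddress, SizeOfRawData and
// VirtualSize are rounded up to SectionAlignment, FileAlignment is set to
// SectionAlignment when it was above 0x200, and AddressOfEntryPoint / ImageBase
// are recomputed from EntryPoint and ImageBase.  PE32 and PE32+ are handled.
//
// hProcess       : process handle that allows reading the image.
// ImageBase      : base of the mapped image inside hProcess.
// szDumpFileName : output path; intermediate directories are created.
// EntryPoint     : absolute entry point address inside the target.
// Returns true when the whole image was written; false on a malformed header
// (bad signatures, negative/oversized e_lfanew, zero SectionAlignment, an
// image smaller than its own headers), a failed header read, or a failed
// write.  A partially written file may remain on failure.
__declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDumpFileName, ULONG_PTR EntryPoint)
{
    ULONG_PTR ueNumberOfBytesRead = 0;
    DWORD uedNumberOfBytesRead = 0;
    SIZE_T AlignedHeaderSize = 0;
    DynBuf ueReadBuf, ueCopyBuf;
    LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
    LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000);

    if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
        return false;

    PIMAGE_DOS_HEADER DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
    // e_lfanew is a signed LONG: a negative value would point before the
    // buffer, so reject it together with offsets beyond the first page.
    if(DOSHeader->e_magic != IMAGE_DOS_SIGNATURE || DOSHeader->e_lfanew < 0 || DOSHeader->e_lfanew > 0x500)
        return false;
    PIMAGE_NT_HEADERS32 PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
    if(PEHeader32->Signature != IMAGE_NT_SIGNATURE)
        return false;

    // The headers may span more than one page; if so, re-read them whole.  The
    // 64-bit header size is used for both flavours so the estimate is never short.
    const SIZE_T CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS64) + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections);
    if(CalculatedHeaderSize > 0x1000)
    {
        AlignedHeaderSize = (CalculatedHeaderSize % 0x1000 != 0) ? ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000 : CalculatedHeaderSize;
        ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize);
        ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize);
        if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
            return false;
        DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer;
    }
    else
    {
        AlignedHeaderSize = 0x1000;
    }

    if(!EngineValidateHeader((ULONG_PTR)ueReadBuffer, hProcess, ImageBase, DOSHeader, false))
        return false;

    PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
    PIMAGE_NT_HEADERS64 PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
    BOOL FileIs64 = FALSE;
    if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        FileIs64 = FALSE;
    else if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        FileIs64 = TRUE;
    else
        return false;

    // Values that drive the dump, taken from whichever header flavour applies.
    // NOTE(review): the original walked NumberOfSections + 1 section headers;
    // kept as is, but confirm the extra entry is intended.
    const int NumberOfSections = (FileIs64 ? PEHeader64->FileHeader.NumberOfSections : PEHeader32->FileHeader.NumberOfSections) + 1;
    const DWORD SectionAlignment = FileIs64 ? PEHeader64->OptionalHeader.SectionAlignment : PEHeader32->OptionalHeader.SectionAlignment;
    const DWORD SizeOfImage = FileIs64 ? PEHeader64->OptionalHeader.SizeOfImage : PEHeader32->OptionalHeader.SizeOfImage;
    // A zero alignment would divide by zero below; treat it as a bad header.
    if(SectionAlignment == 0)
        return false;
    DWORD SizeOfImageDump = (SizeOfImage / SectionAlignment) * SectionAlignment;
    if(SizeOfImage % SectionAlignment != 0)
        SizeOfImageDump += SectionAlignment;
    // An image smaller than its own headers would wrap this DWORD subtraction
    // and keep the page loop running for ~4 GiB.
    if(SizeOfImageDump < (DWORD)AlignedHeaderSize)
        return false;
    SizeOfImageDump -= (DWORD)AlignedHeaderSize;

    EngineCreatePathForFileW(szDumpFileName);
    HANDLE hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if(hFile == INVALID_HANDLE_VALUE)
        return false;

    // A second copy of the headers is patched in ueCopyBuffer while the
    // untouched copy in ueReadBuffer keeps supplying the original alignments.
    if(!ReadProcessMemory(hProcess, ImageBase, ueCopyBuffer, AlignedHeaderSize, &ueNumberOfBytesRead) || ueCopyBuffer == NULL)
    {
        EngineCloseHandle(hFile);
        return false;
    }
    PIMAGE_DOS_HEADER DOSFixHeader = (PIMAGE_DOS_HEADER)ueCopyBuffer;
    PIMAGE_SECTION_HEADER PEFixSection = NULL;
    if(!FileIs64)
    {
        //PE32 Handler
        PIMAGE_NT_HEADERS32 PEFixHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSFixHeader + DOSFixHeader->e_lfanew);
        PEFixSection = IMAGE_FIRST_SECTION(PEFixHeader32);
        if(PEFixHeader32->OptionalHeader.FileAlignment > 0x200)
            PEFixHeader32->OptionalHeader.FileAlignment = SectionAlignment;
        PEFixHeader32->OptionalHeader.AddressOfEntryPoint = (DWORD)(EntryPoint - (ULONG_PTR)ImageBase);
        PEFixHeader32->OptionalHeader.ImageBase = (DWORD)((ULONG_PTR)ImageBase);
    }
    else
    {
        //PE64 Handler
        PIMAGE_NT_HEADERS64 PEFixHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSFixHeader + DOSFixHeader->e_lfanew);
        PEFixSection = IMAGE_FIRST_SECTION(PEFixHeader64);
        if(PEFixHeader64->OptionalHeader.FileAlignment > 0x200)
            PEFixHeader64->OptionalHeader.FileAlignment = SectionAlignment;
        PEFixHeader64->OptionalHeader.AddressOfEntryPoint = (DWORD)(EntryPoint - (ULONG_PTR)ImageBase);
        PEFixHeader64->OptionalHeader.ImageBase = (DWORD64)((ULONG_PTR)ImageBase);
    }

    // Flatten the sections: raw data lives where it is mapped, and both sizes
    // are rounded up to the section alignment.
    for(int i = NumberOfSections; i >= 1; i--)
    {
        PEFixSection->PointerToRawData = PEFixSection->VirtualAddress;
        DWORD RealignedVirtualSize = (PEFixSection->Misc.VirtualSize / SectionAlignment) * SectionAlignment;
        if(RealignedVirtualSize < PEFixSection->Misc.VirtualSize)
            RealignedVirtualSize += SectionAlignment;
        PEFixSection->SizeOfRawData = RealignedVirtualSize;
        PEFixSection->Misc.VirtualSize = RealignedVirtualSize;
        PEFixSection = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEFixSection + IMAGE_SIZEOF_SECTION_HEADER);
    }

    if(!WriteFile(hFile, ueCopyBuffer, (DWORD)AlignedHeaderSize, &uedNumberOfBytesRead, NULL))
    {
        EngineCloseHandle(hFile);
        return false;
    }

    // Image body, one page at a time, starting right after the headers.  An
    // unreadable page is written as zeros (best effort, as before).
    ULONG_PTR ReadCursor = (ULONG_PTR)ImageBase + AlignedHeaderSize;
    while(SizeOfImageDump > 0)
    {
        const DWORD ThisChunk = SizeOfImageDump >= (DWORD)TITANENGINE_PAGESIZE ? (DWORD)TITANENGINE_PAGESIZE : SizeOfImageDump;
        RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
        MemoryReadSafe(hProcess, (LPVOID)ReadCursor, ueCopyBuffer, ThisChunk, &ueNumberOfBytesRead);
        if(!WriteFile(hFile, ueCopyBuffer, ThisChunk, &uedNumberOfBytesRead, NULL))
        {
            EngineCloseHandle(hFile);
            return false;
        }
        SizeOfImageDump -= ThisChunk;
        ReadCursor += TITANENGINE_PAGESIZE;
    }
    EngineCloseHandle(hFile);
    return true;
}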
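// Looks up the object name behind hHandle, a handle value that belongs to
// ProcessId: the system handle table is scanned for the entry, the handle is
// duplicated into this process through hProcess and ObjectNameInformation is
// queried.  With TranslateName the native name is passed through
// TranslateNativeNameW.
//
// Returns a VirtualAlloc'd wide string that the caller releases with
// VirtualFree(..., 0, MEM_RELEASE) -- the translated name is handed back the
// same way, which assumes TranslateNativeNameW allocates alike (confirm) --
// or NULL when the buffer cannot be allocated, the handle table cannot be
// read, the handle is not found, it has no name, or its access mask is the
// deadlock-prone 0x0012019F.
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{
    const SIZE_T NameBufferSize = 0x1000;
    bool NameFound = false;
    HANDLE myHandle = NULL;
    ULONG RequiredSize = 0;
    char ObjectNameInfo[0x1000] = {0};
    POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;

    LPVOID HandleFullName = VirtualAlloc(NULL, NameBufferSize, MEM_COMMIT, PAGE_READWRITE);
    if(HandleFullName == NULL)
        return NULL;
    DynBuf hinfo;
    if(!NtQuerySysHandleInfo(hinfo))
    {
        VirtualFree(HandleFullName, 0, MEM_RELEASE);
        return NULL;
    }

    PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)hinfo.GetPtr();
    PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles;
    for(ULONG i = 0; i < HandleInfo->NumberOfHandles; i++, pHandle++)
    {
        if((DWORD)pHandle->UniqueProcessId != ProcessId || (HANDLE)pHandle->HandleValue != hHandle)
            continue;
        // Filter, because this GrantedAccess type can cause deadlocks!
        if(pHandle->GrantedAccess == 0x0012019F)
            continue;
        if(!DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, 0, FALSE, DUPLICATE_SAME_ACCESS))
            continue;

        NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, sizeof(ObjectNameInfo), &RequiredSize);
        ZeroMemory(HandleFullName, NameBufferSize);
        // Name is a counted UNICODE_STRING, not necessarily NUL-terminated:
        // copy exactly Name.Length bytes into the zeroed buffer and keep room
        // for the terminator (the original wcscpy'd it unbounded).
        if(pObjectNameInfo->Name.Length != 0 && pObjectNameInfo->Name.Length <= NameBufferSize - sizeof(wchar_t))
        {
            RtlMoveMemory(HandleFullName, pObjectNameInfo->Name.Buffer, pObjectNameInfo->Name.Length);
            NameFound = true;
            if(TranslateName)
            {
                LPVOID tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
                if(tmpHandleFullName != NULL)
                {
                    VirtualFree(HandleFullName, 0, MEM_RELEASE);
                    HandleFullName = tmpHandleFullName;
                }
            }
        }
        EngineCloseHandle(myHandle);
        break;
    }

    if(!NameFound)
    {
        VirtualFree(HandleFullName, 0, MEM_RELEASE);
        return NULL;
    }
    return HandleFullName;
}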
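// Finds a process holding the mutex named szMutexString: every handle in the
// system whose type is "Mutant" is duplicated and its object name compared,
// case-insensitively, with \BaseNamedObjects\<szMutexString>.  Despite the
// name, the result is the first process in handle-table order that holds
// such a handle.
//
// Returns that process id, or 0 when szMutexString is NULL or 450+
// characters, the handle table cannot be read, or no match is found.
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString)
{
    if(!szMutexString || wcslen(szMutexString) >= 450)
        return 0;

    HANDLE hProcess = NULL;
    DWORD ReturnData = 0;
    HANDLE myHandle = NULL;
    ULONG RequiredSize = 0;
    DWORD LastProcessId = 0;
    ULONG TotalHandleCount = 0;
    char HandleFullData[0x1000] = {0};
    char HandleNameData[0x1000] = {0};
    PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
    char ObjectNameInfo[0x2000] = {0};
    POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
    // 18-character prefix plus at most 449 characters of name fits in 512.
    wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
    lstrcatW(RealMutexName, szMutexString);

    DynBuf hinfo;
    if(!NtQuerySysHandleInfo(hinfo))
        return 0;
    LPVOID QuerySystemBuffer = hinfo.GetPtr();
    RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
    PNTDLL_QUERY_HANDLE_INFO HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)QuerySystemBuffer + 4);

    for(; TotalHandleCount > 0 && ReturnData == 0; TotalHandleCount--, HandleInfo++)
    {
        // Entries are grouped by process; keep one process handle open per run.
        if(LastProcessId != HandleInfo->ProcessId)
        {
            if(hProcess != NULL)
                EngineCloseHandle(hProcess);
            hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId);
            LastProcessId = HandleInfo->ProcessId;
        }
        if(hProcess == NULL)
            continue;
        // Filter, because this GrantedAccess type can cause deadlocks!
        if(HandleInfo->GrantedAccess == 0x0012019F)
            continue;
        if(!DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, 0, FALSE, DUPLICATE_SAME_ACCESS))
            continue;

        // Type name first.  RequiredSize is clamped so the second query can
        // never write past the stack buffer.
        RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
        NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
        if(RequiredSize > sizeof(HandleFullData))
            RequiredSize = sizeof(HandleFullData);
        NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
        RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
        // The type name comes from pObjectTypeInfo.  The original copied from
        // the object-name buffer here (stale data from an earlier entry), so
        // the "Mutant" comparison was made against the wrong string.
        if(pObjectTypeInfo->TypeName.Length != 0 && pObjectTypeInfo->TypeName.Length <= sizeof(HandleNameData) - sizeof(wchar_t))
        {
            RtlMoveMemory(HandleNameData, pObjectTypeInfo->TypeName.Buffer, pObjectTypeInfo->TypeName.Length);
            if(lstrcmpiW((LPCWSTR)HandleNameData, L"Mutant") == 0)
            {
                RtlZeroMemory(ObjectNameInfo, sizeof(ObjectNameInfo));
                NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
                if(RequiredSize > sizeof(ObjectNameInfo))
                    RequiredSize = sizeof(ObjectNameInfo);
                NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
                RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
                if(pObjectNameInfo->Name.Length != 0 && pObjectNameInfo->Name.Length <= sizeof(HandleNameData) - sizeof(wchar_t))
                {
                    RtlMoveMemory(HandleNameData, pObjectNameInfo->Name.Buffer, pObjectNameInfo->Name.Length);
                    if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == 0)
                        ReturnData = HandleInfo->ProcessId;
                }
            }
        }
        // Closed on every path; the original's break on a match skipped this.
        EngineCloseHandle(myHandle);
    }
    // The process handle of the last run (and of the matching process) was
    // never released by the original loop.
    if(hProcess != NULL)
        EngineCloseHandle(hProcess);
    return (long)ReturnData;
}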
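// Reports whether any process in the system holds a handle whose object name
// equals szFileOrFolderName (case-insensitive).  Names come from
// ObjectNameInformation; with NameIsTranslated each one is first passed
// through TranslateNativeNameW, and with NameIsFolder each handle name is cut
// to the length of szFileOrFolderName so a handle anywhere below the folder
// compares equal.
//
// Returns true on the first match; false when nothing matches, the argument
// is NULL, or the system handle table cannot be read.
__declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{
    if(szFileOrFolderName == NULL)
        return false;

    HANDLE hProcess = NULL;
    HANDLE myHandle = NULL;
    ULONG RequiredSize = 0;
    ULONG TotalHandleCount = 0;
    DWORD LastProcessId = 0;
    char ObjectNameInfo[0x2000] = {0};
    POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo;
    char HandleFullNameB[0x1000] = {0};
    const int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
    bool Locked = false;

    DynBuf hinfo;
    if(!NtQuerySysHandleInfo(hinfo))
        return false;
    LPVOID QuerySystemBuffer = hinfo.GetPtr();
    RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
    PNTDLL_QUERY_HANDLE_INFO HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)QuerySystemBuffer + 4);

    for(; TotalHandleCount > 0 && !Locked; TotalHandleCount--, HandleInfo++)
    {
        // Entries are grouped by process; keep one process handle open per run.
        if(LastProcessId != HandleInfo->ProcessId)
        {
            if(hProcess != NULL)
                EngineCloseHandle(hProcess);
            hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId);
            LastProcessId = HandleInfo->ProcessId;
        }
        if(hProcess == NULL)
            continue;
        // Filter, because this GrantedAccess type can cause deadlocks!
        if(HandleInfo->GrantedAccess == 0x0012019F)
            continue;
        if(!DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, 0, FALSE, DUPLICATE_SAME_ACCESS))
            continue;

        // RequiredSize is clamped so the second query can never write past
        // the stack buffer (the original passed it through unchecked).
        RtlZeroMemory(ObjectNameInfo, sizeof(ObjectNameInfo));
        NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
        if(RequiredSize > sizeof(ObjectNameInfo))
            RequiredSize = sizeof(ObjectNameInfo);
        NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);

        // Always start from the stack buffer: the original kept pointing at a
        // translated name from the previous entry and zeroed/copied into it.
        LPVOID HandleFullName = HandleFullNameB;
        LPVOID tmpHandleFullName = NULL;
        RtlZeroMemory(HandleFullName, sizeof(HandleFullNameB));
        if(pObjectNameInfo->Name.Length != 0 && pObjectNameInfo->Name.Length <= sizeof(HandleFullNameB) - sizeof(wchar_t))
        {
            RtlMoveMemory(HandleFullName, pObjectNameInfo->Name.Buffer, pObjectNameInfo->Name.Length);
            if(NameIsTranslated)
            {
                tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
                if(tmpHandleFullName != NULL)
                    HandleFullName = tmpHandleFullName;
            }
            if(NameIsFolder && lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
            {
                // Truncate to the folder's length so anything below it matches.
                ((wchar_t*)HandleFullName)[LenFileOrFolderName] = L'\0';
            }
            if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == 0)
                Locked = true;
            // NOTE(review): the original never released the translated name.
            // HandlerGetHandleNameW frees the same kind of buffer with
            // VirtualFree(MEM_RELEASE) -- confirm TranslateNativeNameW's allocator.
            if(tmpHandleFullName != NULL)
                VirtualFree(tmpHandleFullName, 0, MEM_RELEASE);
        }
        EngineCloseHandle(myHandle);
    }
    // The original returned without closing the last process handle.
    if(hProcess != NULL)
        EngineCloseHandle(hProcess);
    return Locked;
}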
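// Returns one detail about hHandle, a handle value belonging to ProcessId,
// chosen by InformationReturn:
//   UE_OPTION_HANDLER_RETURN_HANDLECOUNT      - the object's HandleCount
//   UE_OPTION_HANDLER_RETURN_ACCESS           - the entry's GrantedAccess
//   UE_OPTION_HANDLER_RETURN_FLAGS            - the entry's Flags
//   UE_OPTION_HANDLER_RETURN_TYPENAME         - ANSI type name (pointer)
//   UE_OPTION_HANDLER_RETURN_TYPENAME_UNICODE - wide type name (pointer)
// The two type-name variants return a VirtualAlloc'd 0x1000-byte buffer that
// the caller releases with VirtualFree(..., 0, MEM_RELEASE); the others are
// returned by value.
//
// hProcess : handle to ProcessId that allows DuplicateHandle.
// Returns 0 when the buffer cannot be allocated, the handle table cannot be
// read, the handle is not found, it cannot be duplicated, or (type names
// only) its access mask is the deadlock-prone 0x0012019F.
__declspec(dllexport) ULONG_PTR TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn)
{
    const SIZE_T NameBufferSize = 0x1000;
    HANDLE myHandle = NULL;
    ULONG RequiredSize = 0;
    ULONG TotalHandleCount = 0;
    OBJECT_BASIC_INFORMATION ObjectBasicInfo;
    char HandleFullData[0x1000] = {0};
    PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
    bool DontFreeStringMemory = false;
    ULONG_PTR ReturnData = 0;

    LPVOID HandleNameData = VirtualAlloc(NULL, NameBufferSize, MEM_COMMIT, PAGE_READWRITE);
    if(HandleNameData == NULL)
        return 0;
    DynBuf hinfo;
    if(!NtQuerySysHandleInfo(hinfo))
    {
        // The original returned here without releasing HandleNameData.
        VirtualFree(HandleNameData, 0, MEM_RELEASE);
        return 0;
    }
    LPVOID QuerySystemBuffer = hinfo.GetPtr();
    RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
    PNTDLL_QUERY_HANDLE_INFO HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)QuerySystemBuffer + 4);

    for(; TotalHandleCount > 0; TotalHandleCount--, HandleInfo++)
    {
        if(HandleInfo->ProcessId != ProcessId || (HANDLE)HandleInfo->hHandle != hHandle)
            continue;
        if(!DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, 0, FALSE, DUPLICATE_SAME_ACCESS))
            continue;

        RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION);
        NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize);

        const bool WantsAnsiTypeName = (InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME);
        const bool WantsWideTypeName = (InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME_UNICODE);
        if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
        {
            ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
        }
        else if(InformationReturn == UE_OPTION_HANDLER_RETURN_ACCESS)
        {
            ReturnData = (ULONG_PTR)HandleInfo->GrantedAccess;
        }
        else if(InformationReturn == UE_OPTION_HANDLER_RETURN_FLAGS)
        {
            ReturnData = (ULONG_PTR)HandleInfo->Flags;
        }
        // Filter, because this GrantedAccess type can cause deadlocks in NtQueryObject.
        else if((WantsAnsiTypeName || WantsWideTypeName) && HandleInfo->GrantedAccess != 0x0012019F)
        {
            // RequiredSize is clamped so the second query can never write
            // past the stack buffer (the original passed it through unchecked).
            RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
            NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
            if(RequiredSize > sizeof(HandleFullData))
                RequiredSize = sizeof(HandleFullData);
            NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
            RtlZeroMemory(HandleNameData, NameBufferSize);
            if(pObjectTypeInfo->TypeName.Length != 0 && pObjectTypeInfo->TypeName.Length <= NameBufferSize - sizeof(wchar_t))
            {
                if(WantsAnsiTypeName)
                    WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, (int)NameBufferSize, NULL, NULL);
                else
                    RtlMoveMemory(HandleNameData, pObjectTypeInfo->TypeName.Buffer, pObjectTypeInfo->TypeName.Length);
                // Ownership of the string buffer passes to the caller.
                ReturnData = (ULONG_PTR)HandleNameData;
                DontFreeStringMemory = true;
            }
        }
        EngineCloseHandle(myHandle);
        break;
    }

    if(!DontFreeStringMemory)
        VirtualFree(HandleNameData, 0, MEM_RELEASE);
    return ReturnData;
}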