Tuts 4 You

Need help to get hThread parameter etc


LCF-AT


Hi guys,

I have a short question about the TitanEngine DLL. I haven't worked with it for a long time, and now I want to test a function but have problems with some of the push parameters I need in order to call it. Sorry, I've already forgotten it...

IsJumpGoingToExecuteEx determines whether or not the targeted jump is going to execute. IsJumpGoingToExecuteEx allows you to specify which process and which thread to check.

bool __stdcall IsJumpGoingToExecuteEx(HANDLE hProcess, HANDLE hThread, ULONG_PTR InstructionAddress, ULONG_PTR RegFlags);

Parameters
hProcess [in] Handle of the process in which the jump resides.
hThread [in] Handle of the thread from which EFLAGS/RFLAGS will be read.
InstructionAddress [in] Address on which the jump is located. Optional parameter; if it is not specified, the instruction at EIP/RIP will be targeted.
RegFlags [in] Used to override the current EFLAGS/RFLAGS. Used only if EIP/RIP isn't at the targeted instruction. Optional parameter; if not specified, EFLAGS/RFLAGS will be read from the specified thread.

Return value
Returns TRUE if the jump would execute if execution continues, or FALSE if not.
So now I want to check this, for example:

010073B9  | 75 1F  |  JNZ SHORT 010073DA   ; EFL = 246
Address: 010073B9
EFL: 246
JNZ: Does not jump with this EFL value
OK, so now I want to use this Titan function with these parameters, and the problem I have is the "hThread" parameter: I don't remember anymore how to get this quickly with some API xy.

push 246      ; my xy EFL which I want to use for the test
push 010073B9 ; instruction address of the jump
push hThread  ; Hmmm?
push hProcess ; ProcessID
call IsJumpGoingToExecuteEx

So is this right now or not, and how do I get this hThread again via API/PEB etc. quickly? Maybe you can tell me, if possible.

Thank you

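As an added example that is not part of the original thread and not TitanEngine's code: the predicate IsJumpGoingToExecuteEx implements, written locally in C for the 32-bit case so it can be checked without the DLL. It decodes a short or near Jcc (or a JMP rel8/rel32) at a given address, evaluates the condition code against an EFLAGS value supplied the way RegFlags overrides the thread's flags, and is run against the thread's own instruction, 75 1F at 010073B9 with EFL 246. The names (jcc_taken, jump_would_execute, example_jnz_taken) are mine, not the SDK's, and the bytes come from a local buffer rather than from a debuggee.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFLAGS bits that the conditional jumps test. */
#define FLAG_CF (1u << 0)
#define FLAG_PF (1u << 2)
#define FLAG_ZF (1u << 6)
#define FLAG_SF (1u << 7)
#define FLAG_OF (1u << 11)

/* Evaluate an x86 condition code (low nibble of the Jcc opcode: 0x7c for the
 * short form, 0x0F 0x8c for the near form) against an EFLAGS value.
 * Bit 0 of the code negates the condition (JZ = 0x4, JNZ = 0x5, ...). */
static bool jcc_taken(uint8_t cc, uint32_t eflags)
{
    bool cf = (eflags & FLAG_CF) != 0;
    bool pf = (eflags & FLAG_PF) != 0;
    bool zf = (eflags & FLAG_ZF) != 0;
    bool sf = (eflags & FLAG_SF) != 0;
    bool of = (eflags & FLAG_OF) != 0;
    bool cond = false;

    switch ((cc >> 1) & 7) {
    case 0: cond = of;                break;  /* JO  / JNO */
    case 1: cond = cf;                break;  /* JB  / JNB  (JC/JNC) */
    case 2: cond = zf;                break;  /* JZ  / JNZ  (JE/JNE) */
    case 3: cond = cf || zf;          break;  /* JBE / JA */
    case 4: cond = sf;                break;  /* JS  / JNS */
    case 5: cond = pf;                break;  /* JP  / JNP */
    case 6: cond = sf != of;          break;  /* JL  / JGE */
    case 7: cond = zf || (sf != of);  break;  /* JLE / JG */
    }
    return (cc & 1) ? !cond : cond;
}

/* Decode the jump at `code` (located at address `ip`) and report whether it
 * would be taken with `eflags`, and where it would go.  Handles short and near
 * Jcc plus unconditional JMP rel8/rel32.  JECXZ/LOOP/indirect jumps are not
 * flag-driven and are reported as "not a jump" (return 0).  Return value is the
 * instruction length. */
static size_t jump_would_execute(const uint8_t *code, uint32_t ip, uint32_t eflags,
                                 bool *taken, uint32_t *target)
{
    int32_t rel32;

    if (code[0] >= 0x70 && code[0] <= 0x7F) {                     /* Jcc rel8 */
        *taken  = jcc_taken(code[0] & 0x0F, eflags);
        *target = ip + 2 + (uint32_t)(int8_t)code[1];
        return 2;
    }
    if (code[0] == 0x0F && code[1] >= 0x80 && code[1] <= 0x8F) {  /* Jcc rel32 */
        memcpy(&rel32, code + 2, sizeof rel32);
        *taken  = jcc_taken(code[1] & 0x0F, eflags);
        *target = ip + 6 + (uint32_t)rel32;
        return 6;
    }
    if (code[0] == 0xEB) {                                         /* JMP rel8 */
        *taken  = true;
        *target = ip + 2 + (uint32_t)(int8_t)code[1];
        return 2;
    }
    if (code[0] == 0xE9) {                                         /* JMP rel32 */
        memcpy(&rel32, code + 1, sizeof rel32);
        *taken  = true;
        *target = ip + 5 + (uint32_t)rel32;
        return 5;
    }
    return 0;
}

/* The instruction from the thread: 75 1F (JNZ SHORT 010073DA) at 010073B9. */
static const uint8_t example_bytes[] = { 0x75, 0x1F };
#define EXAMPLE_IP 0x010073B9u

/* Would the thread's JNZ be taken with the given EFLAGS override? */
static bool example_jnz_taken(uint32_t eflags)
{
    bool taken = false;
    uint32_t target = 0;
    if (jump_would_execute(example_bytes, EXAMPLE_IP, eflags, &taken, &target) == 0)
        return false;
    return taken;
}

/* Jump target of the thread's JNZ (ip + length + rel8). */
static uint32_t example_jnz_target(void)
{
    bool taken = false;
    uint32_t target = 0;
    jump_would_execute(example_bytes, EXAMPLE_IP, 0, &taken, &target);
    return target;
}

int main(void)
{
    printf("JNZ at %08X -> %08X, EFL=246: %s\n", EXAMPLE_IP, example_jnz_target(),
           example_jnz_taken(0x246u) ? "jumps" : "does not jump");
    printf("JNZ at %08X -> %08X, EFL=206: %s\n", EXAMPLE_IP, example_jnz_target(),
           example_jnz_taken(0x206u) ? "jumps" : "does not jump");
    return 0;
}
```

With EFL = 246 bit 6 (ZF) is set, so JNZ falls through, which is the result shown in the post; clearing ZF (EFL = 206) makes the same jump taken. The real API does the same thing but fetches the opcode bytes from the debuggee and, when RegFlags is 0, the flags from the thread context, which is why it needs both handles.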

push 246      ; My xy EFL which I wanna use to test
push 010073B9 ; instruction address if jump
push -2       ; CurrentThread
push -1       ; CurrentProcess
call IsJumpGoingToExecuteEx


If you want to look at another thread, it is really difficult.


Hi Aguila,

Uhmmmmm! :) Great! Thank you of course for your quick help, even if the solution was so simple in this case. :) OK, so if I see it right, I can ALWAYS just use -2 for hThread and -1 for hProcess if I debug the same process into which I loaded the DLL, right? I'll try to keep this in mind.

So I don't need to call these APIs anymore, for example, right?

GetCurrentThread
    PUSH -2
    POP EAX
    RETN
GetCurrentProcess
    OR EAX,FFFFFFFF
    RETN
OK, so thank you again Aguila for this info. :)

PS: Yes, at the moment I just need to get the info of the same process, so in this case your info should be enough so far.

greetz

  • 3 weeks later...

Hi LCF-AT,


early in your unpacker (InitializeUnpacker for instance) do

const PROCESS_INFORMATION* fdProcessInfo = NULL;
...
fdProcessInfo = Debugger::InitDebug(szFileName, NULL, NULL);

and then you have the handles and PIDs for the debugged process.


typedef struct _PROCESS_INFORMATION {
    HANDLE hProcess;
    HANDLE hThread;
    DWORD dwProcessId;
    DWORD dwThreadId;
} PROCESS_INFORMATION, *LPPROCESS_INFORMATION;


Hi cypher,

I am no coder and only write code with MultiASM, i.e. directly in Olly, which means I have to do every single step/command myself. I can't do something like...

const PROCESS_INFORMATION* fdProcessInfo = NULL;
...
fdProcessInfo = Debugger::InitDebug(szFileName, NULL, NULL);

...you know. :)

So in this case I have to use GetStartupInfo & CreateProcess = a filled PROCESS_INFORMATION struct of process xy. :)

greetz


Well, TitanEngine mimics the work of manual unpacking, or how you would write an OllyScript. (In fact you can run OllyScript with TitanMist and enhance it with simple commands like dnf, dumpnfix.)

So let me give you a rough example of how you write TitanEngine tools (actually that's pretty much how the examples in the SDK show it):



typedef void* pvoid;

// globals and prototypes assumed by the snippet (declarations not shown in the original post)
const PROCESS_INFORMATION* fdProcessInfo = NULL;
long fdLoadedBase = 0;              // image base of the debugged target
long fdEntryPoint = 0;              // RVA of the target's entry point
DWORD ShellProcessInfoPtr = 0;
char szFileName[MAX_PATH] = "";     // path of the target, filled in by your own code
void cbTargetCreated(void* lpCreateProcInfo);
void cbEntryPoint();
void cbCreateProcess();
void cbWriteProcessMemory();

// in your unpacker's start routine
fdProcessInfo = Debugger::InitDebug(szFileName, NULL, NULL);
if(fdProcessInfo)
{
    // hook the target startup, cbTargetCreated callback gets called when target gets created
    Debugger::SetCustomHandler(UE_CH_CREATEPROCESS, &cbTargetCreated);
    // start debugging aka F9 in Olly
    Debugger::DebugLoop();
}

// debugged process is created hook
void cbTargetCreated(void* lpCreateProcInfo)
{
    fdLoadedBase = (long)((CREATE_PROCESS_DEBUG_INFO*)lpCreateProcInfo)->lpBaseOfImage;
    Debugger::SetCustomHandler(UE_CH_CREATEPROCESS, NULL);
    // BP EP
    Debugger::SetBPX(fdLoadedBase + fdEntryPoint, UE_BREAKPOINT, cbEntryPoint);
}

// callback for EP BP is hit
void cbEntryPoint()
{
    // EP is hit so BP whatever API or instruction you need in your unpacking chain
    Debugger::SetAPIBreakPoint("kernel32.dll", "CreateProcessA", UE_BREAKPOINT, UE_APISTART, &cbCreateProcess);
}

// callback for CreateProcessA
void cbCreateProcess()
{
    Debugger::DeleteAPIBreakPoint("kernel32", "CreateProcessA", UE_APISTART);
    // get function parameters from the stack, 10 being the 10th argument (lpProcessInformation)
    ShellProcessInfoPtr = Debugger::GetFunctionParameter(fdProcessInfo->hProcess, UE_FUNCTION_STDCALL, 10, UE_PARAMETER_DWORD);
    // now copy the remote process info struct pointed to by the 10th argument to a local variable
    // this is the same way you would copy ANY data: stolen bytes, XOR maps, IAT redirect info...
    PROCESS_INFORMATION ShellProcessInfo;
    Debugger::GetRemoteString(fdProcessInfo->hProcess, pvoid(ShellProcessInfoPtr), &ShellProcessInfo, sizeof(ShellProcessInfo));
    // set the next BP or tamper with registers etc., and in the next callback do the same and create new BPs or single-step/step-over etc.
    Debugger::SetAPIBreakPoint("kernel32.dll", "WriteProcessMemory", UE_BREAKPOINT, UE_APISTART, &cbWriteProcessMemory);
}

// finally, in your last callback (here the WriteProcessMemory BP), stop the entire debug session
void cbWriteProcessMemory()
{
    Debugger::StopDebug();
}

I hope I could guide you in the right direction. I could also send you a simple unpacker of mine; however, I don't want to post it publicly for legal reasons...

And as I said, you can easily mimic an OllyScript with TitanEngine. It has all the same functions: setting a BP, clearing a BP, getting a module base or API info, single step, step over, disassemble, patch, etc. Also all the functions needed for easy dumping and IAT fixing.

And to get back to your initial question: the hProcess handle of the target process is needed by a lot of Titan functions. That's why you get that info early with the InitDebug() function. So just BP with callbacks and step-trace near your JNZ location, and then use the function you mentioned. :)

The callbacks in TitanEngine act like BPGOTO in OllyScript: if a BP callback is set, it's executed as soon as the BP is hit. And when the callback function is finished, the target runs on like you pressed F9. So make sure you have a new callback set before you leave your last callback, or your target will run and you have no control over it anymore.


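Added example, not code from cypher's post or from the TitanEngine SDK: what the GetFunctionParameter(hProcess, UE_FUNCTION_STDCALL, 10, UE_PARAMETER_DWORD) call followed by GetRemoteString has to do at a UE_APISTART breakpoint on CreateProcessA, modelled in plain C against a constructed 32-bit stack image instead of a live debuggee. read_remote, peek32, get_stdcall_param and fetch_process_information are hypothetical helpers standing in for ReadProcessMemory and the two SDK calls; the stack contents, addresses and handle values are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-bit target: a block of "remote" memory mapped at REMOTE_BASE.
 * read_remote() plays the role of ReadProcessMemory, including the bounds check. */
#define REMOTE_BASE 0x0012F000u
#define REMOTE_SIZE 0x200u
static uint8_t remote_mem[REMOTE_SIZE];

static bool read_remote(uint32_t addr, void *out, size_t len)
{
    if (addr < REMOTE_BASE || (uint64_t)(addr - REMOTE_BASE) + len > REMOTE_SIZE)
        return false;
    memcpy(out, remote_mem + (addr - REMOTE_BASE), len);
    return true;
}

/* Little-endian helpers so the layout matches a 32-bit target regardless of host. */
static void poke32(uint32_t addr, uint32_t v)
{
    uint8_t b[4] = { (uint8_t)(v & 0xFF), (uint8_t)((v >> 8) & 0xFF),
                     (uint8_t)((v >> 16) & 0xFF), (uint8_t)((v >> 24) & 0xFF) };
    memcpy(remote_mem + (addr - REMOTE_BASE), b, 4);
}
static bool peek32(uint32_t addr, uint32_t *v)
{
    uint8_t b[4];
    if (!read_remote(addr, b, 4)) return false;
    *v = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return true;
}

/* At an API-entry breakpoint the callee has not executed a byte yet: [ESP] is the
 * return address and the n-th stdcall parameter (1-based) sits at [ESP+4n].
 * This is the layout GetFunctionParameter(..., UE_FUNCTION_STDCALL, n, ...) reads. */
static bool get_stdcall_param(uint32_t esp, unsigned n, uint32_t *out)
{
    if (n == 0 || n > 64) return false;      /* n is 1-based; cap to catch garbage */
    return peek32(esp + 4u * n, out);
}

/* Mirror of the Win32 struct with the 32-bit field sizes of the target. */
typedef struct {
    uint32_t hProcess;
    uint32_t hThread;
    uint32_t dwProcessId;
    uint32_t dwThreadId;
} PROCESS_INFORMATION32;

/* CreateProcessA has 10 parameters; the 10th is lpProcessInformation.  Read the
 * pointer first, then the struct it points at: two remote reads, not one. */
#define CREATEPROCESSA_LPPROCESSINFORMATION 10u

static bool fetch_process_information(uint32_t esp, PROCESS_INFORMATION32 *pi)
{
    uint32_t ptr;
    uint32_t *fields[4] = { &pi->hProcess, &pi->hThread, &pi->dwProcessId, &pi->dwThreadId };
    if (!get_stdcall_param(esp, CREATEPROCESSA_LPPROCESSINFORMATION, &ptr) || ptr == 0)
        return false;                         /* NULL out-pointer: nothing to copy */
    for (unsigned i = 0; i < 4; i++)
        if (!peek32(ptr + 4u * i, fields[i])) return false;
    return true;
}

/* Constructed sample: the stack as seen at the first byte of CreateProcessA,
 * with lpProcessInformation pointing at a struct that has already been filled. */
#define SAMPLE_ESP     (REMOTE_BASE + 0x100u)
#define SAMPLE_PI_ADDR (REMOTE_BASE + 0x40u)
#define SAMPLE_SI_ADDR (REMOTE_BASE + 0x80u)

static uint32_t build_sample_stack(void)
{
    const uint32_t args[10] = {
        0, REMOTE_BASE + 0x10u,   /* lpApplicationName, lpCommandLine */
        0, 0,                     /* lpProcessAttributes, lpThreadAttributes */
        0, 0x4u,                  /* bInheritHandles, dwCreationFlags = CREATE_SUSPENDED */
        0, 0,                     /* lpEnvironment, lpCurrentDirectory */
        SAMPLE_SI_ADDR, SAMPLE_PI_ADDR,  /* lpStartupInfo, lpProcessInformation */
    };
    memset(remote_mem, 0, sizeof remote_mem);
    poke32(SAMPLE_ESP, 0x00401234u);                 /* return address at [ESP] */
    for (unsigned i = 0; i < 10; i++)
        poke32(SAMPLE_ESP + 4u * (i + 1), args[i]);
    poke32(SAMPLE_PI_ADDR + 0,  0x000000A8u);       /* hProcess (made-up value) */
    poke32(SAMPLE_PI_ADDR + 4,  0x000000ACu);       /* hThread */
    poke32(SAMPLE_PI_ADDR + 8,  4242u);             /* dwProcessId */
    poke32(SAMPLE_PI_ADDR + 12, 4243u);             /* dwThreadId */
    return SAMPLE_ESP;
}

int main(void)
{
    PROCESS_INFORMATION32 pi;
    uint32_t esp = build_sample_stack();
    if (fetch_process_information(esp, &pi))
        printf("hProcess=%08X hThread=%08X pid=%u tid=%u\n",
               pi.hProcess, pi.hThread, pi.dwProcessId, pi.dwThreadId);
    return 0;
}
```

The two things worth keeping from this: parameter numbers are 1-based from the return address, so argument 9 is lpStartupInfo and 10 is lpProcessInformation, and a pointer argument only tells you where the struct lives in the debuggee, so the contents still need a second read (GetRemoteString in the SDK) before anything in it can be used.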

Hi again and thanks so far,

The main problem is that I only use some TitanEngine functions sometimes, to avoid writing my own code, which I then use for some scripts. About TitanMist, I have no real clue how to use it. I read its description and have seen the similar script commands, but how do you compile this stuff into your own exe file that can execute the steps I wrote as a script, you know what I mean? So I think some easy examples of how to do it are missing. :) If I remember right I once found some videos about it [using some template GUI + compiling a TM script into it or so], but this did not work; that was already a long time ago.

So if you have some simple example stuff about it, you can show me, or us, if others also don't understand how to use it.

greetz


Maybe I misunderstood you. I thought you wanted to write a complete unpacker with TitanEngine, but you are more likely only calling certain functions from within MultiASM? In that case Aguila's reply is probably the best.

Concerning TitanMist: IMHO it's not meant to compile your scripts into an exe; instead you put your scripts in its folders and then run the TitanMist CLI against a target.



Oh LCF-AT,




you can also get the PROCESS_INFORMATION at any time by calling

GetProcessInformation function
The GetProcessInformation function retrieves a pointer to the PROCESS_INFORMATION structure that contains the initialization data for the debugged process.

So if you are just calling certain Titan functions from within MultiASM, call this function to get the PROCESS_INFORMATION struct, which contains the handle you are looking for.

