White, posted May 5, 2016

Hi, Mr. eXoDia. I have found a bug in TitanEngine.dll, but this may not be a bug.

__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);

This API definition comes from the file "x64dbg-master\x64_dbg_dbg\TitanEngine\TitanEngine.h". The first parameter should not be 'ProcessId' as a 'DWORD', but 'hProcess' as a 'HANDLE'! The inner routine: ImporterAutoSearchIATEx -> DumpProcessW -> ReadProcessMemory... It (pIATStart) shows nothing when executing the script with the right parameter; then I searched a lot and finally got the reason. So this might be a wrong definition in the header file that confuses newbies like me.
cypher, posted May 6, 2016

Hi White, can you elaborate some more or provide some code snippet which proves it failing? I added the Scylla integration to TitanEngine and one of my (internal) tools is using exactly that API call with DWORD processId and it's working just fine ever since. I also quickly checked the TitanEngine src over here and it's using processId consistently. Did you perhaps find the HANDLE hProcess in the TitanEngine SDK pdf? Because that's partially outdated as it never got updated for the Community Edition (as we called our fork).
White, posted May 8, 2016 (edited)

Ok, the TitanEngine.dll version is 2.0.3, and I see that ImporterAutoSearchIATEx calls EngineOpenProcess with the input DWORD ProcessId here:

HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);

But there is no other code using it in that routine. And then, the first parameter is the same as in ImporterAutoSearchIATEx, and the API DumpProcessW calls ReadProcessMemory to read process memory information with the DWORD ProcessId, so OD tells me the last error is ERROR_INVALID_HANDLE. But when I replace TitanEngine.dll with Scylla.dll with DWORD processId and modify the asm code a little, it works. It calls ZwOpenProcess with it and returns its handle.

Edited May 8, 2016 by White
cypher, posted May 8, 2016 (edited)

So you are saying this line https://bitbucket.org/titanengineupdate/titanengine-update/src/master/TitanEngine/TitanEngine.Importer.cpp?fileviewer=file-view-default#TitanEngine.Importer.cpp-559 fails for you? You are not getting a valid handle and therefore DumpProcessW/ReadProcessMemory are failing? As that code is working fine for me, I guess you'd need to debug/trace into EngineOpenProcess in the TE dll to find out why.

Also, to make sure we are on the same page here, which TitanEngine.dll did you get, and from where? Our last rls is v008 from 2014-05-18. After that one had to compile it yourself to get the latest fixes/updates. The one included in x64dbg should be quite up2date tho. (I'm not sure if we ever changed the 2.0.3 version string in the file information. 2.0.3 was the last version by ReversingLabs, full of bugs and without Scylla integration. They didn't maintain it after they demoed it at BlackHat.)

Edited May 8, 2016 by cypher
White, posted May 9, 2016

Hi, thanks for your attention again. Yes, it fails, after downloading the latest version from bitbucket. Now the handle problem is solved, but still nothing from the returned value.

Attachment: video.rar
LCF-AT, posted May 9, 2016

Hi, the problem you got is that the ImporterAutoSearchIATEx API calls scylla_searchIAT with the AdvancedSearch parameter 0 (false) = result nothing. If you use (true) for the AdvancedSearch parameter then it works.

TitanEng.ImporterAutoSearchIATEx
$ ==> > 100262DF /CALL to scylla_searchIAT from TitanEng.100262DA
$+4  >  00000E94 |PID = E94 (3732.)
$+8  >  0007EB28 |[IATstart] = 0007EB28
$+C  >  0007EB2C |[IATsize] = 0007EB2C
$+10 >  01001000 |SearchStart = <&ADVAPI32.RegQueryValueExW>
$+14 >  00000000 \AdvancedSearch = FALSE   <---- Has to use 1

Result after the scylla_searchIAT call using AdvancedSearch / 1:

0007EB28  01001000  <&ADVAPI32.RegQueryValueExW>
0007EB2C  00000344

The problem is you can't set this parameter with the ImporterAutoSearchIATEx API. Better you use this API first to get the data.

greetz
cypher, posted May 9, 2016 (edited)

LCF-AT is right. The AdvancedSearch parameter is the difference. When I changed the TitanEngine IAT APIs logic to use Scylla, I hardcoded it to false for two reasons:

- Most of my tests didn't produce different results for true/false
- I didn't want to change the API definition, so as not to break existing code of other people

So I guess for Enigma it really does make a difference. I'm afraid there is no easy way of telling TE to do advancedSearch unless you compile a custom version. However you could use my https://bitbucket.org/cypherpunk/scylla_wrapper_dll/src which lets you set advancedSearch. That lib is linked into TitanEngine and is the same thing as Scylla but with all GUI stuff stripped out. There's also a README on how to use it, also for assembly users. Hope this helps!

Edited May 9, 2016 by cypher
White, posted May 10, 2016

@LCF-AT Yeah, changing the AdvancedSearch parameter from 0 to 1 gets the import data. Thanks for the tip.

@cypher Nice, I have tested scylla_wrapper.dll and it works. Thanks for your code. The problem has been solved.