Jump to content
Tuts 4 You

TitanEngine.dll ImporterAutoSearchIATEx error and reason found


White

Recommended Posts

Hi, Mr.eXoDia

I have found a bug in TitanEngine.dll, but this may not be a bug~

 

__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize);

This api definition comes from file"x64dbg-master\x64_dbg_dbg\TitanEngine\TitanEngine.h".

the first parameter should not be 'ProcessId'  as a 'DWORD', but 'hProcess' as a 'HANDLE' !

The inner routine: ImporterAutoSearchIATEx -> DumpProcessW -> ReadProcessMemory...

 

It(pIATStart) shows nothing when execute script with right parameter, then search a lot, finally got the reason.

So this might be a wrong definition in the header file and confused the newbies like me  :P

 

 

Link to post
cypher

Hi White,

can you elaborate some more or provide some code snippet which proves it failing?

I added the Scylla integration to TitanEngine and one of my (internal) tools is using exactly that API call with DWORD processId and its working just fine ever since.

I also quickly checked the TitanEngine src over here and its using processId consistently.

Did you perhaps find the HANDLE hProcess in the TitanEngine SDK pdf ? because thats partially outdated as it never got updated for the Community Edition (as we called our fork).

Link to post

Ok, the titanEngne.dll version is 2.0.3.

and I see the ImporterAutoSearchIATEx call EngineOpenProcess with the input DWORD ProcessId at here.

HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ProcessId);

But there is no else code with it in that routine.

Interner.png

And then, the first parameter is the same as ImporterAutoSearchIATEx, 

and api DumpProcessW call ReadProcessMemory to read Process Memory information with the DWORD ProcessId, so OD tells the last error is ERROR_INVALID_HANDLE.

But then I replace titanEngine.dll with  Scylla.dll with DWORD processId and modify the asm code a little, it works. It calls ZwOpenProcess with it and retruns its Handle.

 

 

Edited by White (see edit history)
Link to post
cypher

so you are saying this line https://bitbucket.org/titanengineupdate/titanengine-update/src/master/TitanEngine/TitanEngine.Importer.cpp?fileviewer=file-view-default#TitanEngine.Importer.cpp-559 fails for you ? You are not getting a valid handle and therefore DumpProcessW/ReadProcessMemory are failing?

As that code is working fine for me, I guess you'd need to debug/trace into EngineOpenProcess in TE dll to find out why.

Also to make sure we are on the same page here, which TitanEngine.dll did you get, from where ? As our last rls is v008 from 2014-05-18. After that one had to compile it yourself to get the latest fixes/updates. The one included in x64dbg should be quite up2date tho.

(I'm not sure if we ever changed the 2.0.3 version string in file information. 2.0.3 was the last version by ReversingLabs, full of bugs and without Scylla integration. They didnt maintain it after they demoed it at BlackHat)

 

Edited by cypher (see edit history)
Link to post

Hi, thanks for your attention,again.

yes,it fails,

after downloading the latest version from bitbucket. Now the Handle problem is solved. but still nothing from returned value.

video.rar

 

Link to post
LCF-AT

Hi,

the problem you got is that ImporterAutoSearchIATEx API does call scylla_searchIAT with AdvancedSearch paramter 0 (false) = result nothing.If you use (true) for AdvancedSearch paramter then it works.

TitanEng.ImporterAutoSearchIATEx

$ ==>    > 100262DF  /CALL to scylla_searchIAT from TitanEng.100262DA
$+4      > 00000E94  |PID = E94 (3732.)
$+8      > 0007EB28  |[IATstart] = 0007EB28
$+C      > 0007EB2C  |[IATsize] = 0007EB2C
$+10     > 01001000  |SearchStart = <&ADVAPI32.RegQueryValueExW>
$+14     > 00000000  \AdvancedSearch = FALSE   <---- Has to use 1

Result after scylla_searchIAT call using AdvancedSearch / 1
0007EB28  01001000  <&ADVAPI32.RegQueryValueExW>
0007EB2C  00000344

Problem is you can't set this parameter with ImporterAutoSearchIATEx API.Better you do use this API first to get the datas.

greetz

  • Like 2
Link to post
cypher

LCF-AT is right. The AdvancedSearch parameter is the difference.

When I changed the TitanEngine IAT APIs logic to use Scylla, I hardcoded it to false for two reasons:

- Most of my tests didnt produce different results for true/false
- I didnt want to change the API definition for not breaking existing code of other people

So I guess for Enigma it really does make a difference.

I'm afraid there is no easy way of telling TE to do advancedSearch unless you compile a custom version.

However you could use my https://bitbucket.org/cypherpunk/scylla_wrapper_dll/src which lets you set advancedSearch. That lib is linked into TitanEngine and is the same thing as Scylla but all GUI stuff stripped out.
Theres also a README on how to use it, also for assembly users.

Hope this helps !

Edited by cypher (see edit history)
  • Like 1
Link to post

@LCF-AT

yeah, change the AdvancedSearch paramter 0 to 1, then got the import data. Thanks for the tip:)

@cypher

Nice, I have a test on scylla_wrapper.dll and it works. Thanks for your code.

The problem has been solved. 

 

  • Like 1
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...