forked from NtQuery/Scylla
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathScylla_Exports.txt
138 lines (101 loc) · 5.64 KB
/
Scylla_Exports.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
Scylla DLL Export List:
BOOL __stdcall ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL __stdcall ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
BOOL __stdcall ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL __stdcall ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
BOOL __stdcall ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
BOOL __stdcall ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
const WCHAR * __stdcall ScyllaVersionInformationW();
const char * __stdcall ScyllaVersionInformationA();
DWORD __stdcall ScyllaVersionInformationDword();
int __stdcall ScyllaStartGui(DWORD dwProcessId, HINSTANCE mod, DWORD_PTR entrypoint);
int __stdcall ScyllaIatSearch(DWORD dwProcessId, DWORD_PTR * iatStart, DWORD * iatSize, DWORD_PTR searchStart, BOOL advancedSearch);
int __stdcall ScyllaIatFixAutoW(DWORD_PTR iatAddr, DWORD iatSize, DWORD dwProcessId, const WCHAR * dumpFile, const WCHAR * iatFixFile);
Prototyps:
----------------------------------------------------------------------------------------------------------------------------------------------------
C/C++:
------------
BOOL __stdcall ScyllaDumpCurrentProcessW(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL __stdcall ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
BOOL __stdcall ScyllaDumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
BOOL __stdcall ScyllaDumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);
------------
32-Bit assembly e.g. MASM:
------------
ScyllaDumpCurrentProcessW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaDumpCurrentProcessA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaDumpProcessW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaDumpProcessA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
------------
64-Bit assembly:
------------
ScyllaDumpCurrentProcessW PROTO :QWORD, :QWORD, :QWORD, :QWORD
ScyllaDumpCurrentProcessA PROTO :QWORD, :QWORD, :QWORD, :QWORD
ScyllaDumpProcessW PROTO :QWORD, :QWORD, :QWORD, :QWORD
ScyllaDumpProcessA PROTO :QWORD, :QWORD, :QWORD, :QWORD
fileToDump -> string pointer, this can be 0
imagebase -> imagebase base of target
entrypoint -> entrypoint
fileResult -> string pointer, resulting file
pid -> target process PID
----------------------------------------------------------------------------------------------------------------------------------------------------
C/C++:
------------
BOOL __stdcall ScyllaRebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
BOOL __stdcall ScyllaRebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
------------
32-Bit assembly e.g. MASM:
------------
ScyllaRebuildFileW PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
ScyllaRebuildFileA PROTO STDCALL :DWORD, :DWORD, :DWORD, :DWORD
------------
64-Bit assembly:
------------
ScyllaRebuildFileW PROTO :QWORD, :DWORD, :DWORD, :DWORD
ScyllaRebuildFileA PROTO :QWORD, :DWORD, :DWORD, :DWORD
fileToRebuild - string pointer
removeDosStub - to remove the dos stub -> 1 (TRUE) or 0 (FALSE)
updatePeHeaderChecksum - to update the pe header checksum field -> 1 (TRUE) or 0 (FALSE)
createBackup - create a backup file -> 1 (TRUE) or 0 (FALSE)
----------------------------------------------------------------------------------------------------------------------------------------------------
C/C++:
------------
const WCHAR * __stdcall ScyllaVersionInformationW();
const char * __stdcall ScyllaVersionInformationA();
DWORD __stdcall ScyllaVersionInformationDword();
------------
64-Bit/32-Bit assembly e.g. MASM:
------------
ScyllaVersionInformationW PROTO
ScyllaVersionInformationA PROTO
ScyllaVersionInformationDword PROTO
ScyllaVersionInformation - return value is a pointer to a string e.g. "Scylla x86 v0.7 Beta 6"
ScyllaVersionInformationDword - return value is always a DWORD:
e.g. 0x00007600
0000 -> major version
7600 -> minor version
----------------------------------------------------------------------------------------------------------------------------------------------------
Example:
typedef BOOL (__stdcall * def_ScyllaDumpCurrentProcessW)(const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);
typedef BOOL (__stdcall * def_RebuildFileA)(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup);
HMODULE mod = LoadLibraryA("ScyllaDLL.dll");
def_ScyllaDumpCurrentProcessW ScyllaDumpCurrentProcessW = (def_ScyllaDumpCurrentProcessW)GetProcAddress(mod, "ScyllaDumpCurrentProcessW");
def_RebuildFileA RebuildFileA = (def_RebuildFileA)GetProcAddress(mod, "RebuildFileA");
ScyllaDumpCurrentProcessW(0, (DWORD_PTR)GetModuleHandleA((LPCSTR)0), 0x13370000, L"C:\\dump.exe");
RebuildFileA("some.exe", 1, 1, 1);
MASM:
szScyllaDll db "ScyllaDLL.dll",0h
szRebuildFileA db "RebuildFileA",0h
szTargetExe db "some.exe",0h
push offset szScyllaDll
call LoadLibraryA
push offset szRebuildFileA
push eax
call GetProcAddress
xor ecx, ecx
inc ecx
push ecx
push ecx
push ecx
push offset szTargetExe
call eax