Sync with ReClass.NET changes.

Author: KN4CK3R

PipeServer/MemoryHelper.cpp

@@ -74,7 +74,7 @@ bool WriteMemory(LPVOID address, const std::vector<uint8_t>& buffer)
 	return false;
 }
 //---------------------------------------------------------------------------
-void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_Pointer, std::wstring&&)>& moduleCallback, const std::function<void(RC_Pointer, RC_Pointer, SectionType, SectionProtection, std::wstring&&, std::wstring&&)>& sectionCallback)
+void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_Pointer, std::wstring&&)>& moduleCallback, const std::function<void(RC_Pointer, RC_Pointer, SectionType, SectionCategory, SectionProtection, std::wstring&&, std::wstring&&)>& sectionCallback)
 {
 	std::vector<EnumerateRemoteSectionData> sections;
 
@@ -131,6 +131,8 @@ void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_P
 				break;
 			}
 
+			section.Category = section.Type == SectionType::Private ? SectionCategory::HEAP : SectionCategory::Unknown;
+
 			sections.push_back(std::move(section));
 		}
 		address = (size_t)memInfo.BaseAddress + memInfo.RegionSize;
@@ -212,6 +214,15 @@ void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_P
 					char buffer[IMAGE_SIZEOF_SHORT_NAME + 1] = { 0 };
 					std::memcpy(buffer, sectionHeader->Name, IMAGE_SIZEOF_SHORT_NAME);
 
+					if (std::strcmp(buffer, ".text") == 0 || std::strcmp(buffer, "code") == 0)
+					{
+						j->Category = SectionCategory::CODE;
+					}
+					else if (std::strcmp(buffer, ".data") == 0 || std::strcmp(buffer, "data") == 0 || std::strcmp(buffer, ".rdata") == 0 || std::strcmp(buffer, ".idata") == 0)
+					{
+						j->Category = SectionCategory::DATA;
+					}
+
 					size_t convertedChars = 0;
 					mbstowcs_s(&convertedChars, j->Name, IMAGE_SIZEOF_SHORT_NAME, buffer, _TRUNCATE);
 					std::memcpy(j->ModulePath, ldr->FullDllName.Buffer, sizeof(EnumerateRemoteSectionData::ModulePath));
@@ -225,7 +236,7 @@ void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_P
 
 	for (auto&& section : sections)
 	{
-		sectionCallback(section.BaseAddress, (RC_Pointer)section.Size, section.Type, section.Protection, section.Name, section.ModulePath);
+		sectionCallback(section.BaseAddress, (RC_Pointer)section.Size, section.Type, section.Category, section.Protection, section.Name, section.ModulePath);
 	}
 }
 //---------------------------------------------------------------------------

PipeServer/Messages.cpp

@@ -3,7 +3,7 @@
 
 extern bool ReadMemory(LPCVOID, std::vector<uint8_t>&);
 extern bool WriteMemory(LPVOID, const std::vector<uint8_t>&);
-extern void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_Pointer, std::wstring&&)>&, const std::function<void(RC_Pointer, RC_Pointer, SectionType, SectionProtection, std::wstring&&, std::wstring&&)>&);
+extern void EnumerateRemoteSectionsAndModules(const std::function<void(RC_Pointer, RC_Pointer, std::wstring&&)>&, const std::function<void(RC_Pointer, RC_Pointer, SectionType, SectionCategory, SectionProtection, std::wstring&&, std::wstring&&)>&);
 
 bool OpenProcessMessage::Handle(MessageClient& client)
 {
@@ -56,7 +56,7 @@ bool EnumerateRemoteSectionsAndModulesMessage::Handle(MessageClient& client)
 {
 	EnumerateRemoteSectionsAndModules(
 		[&](auto p1, auto p2, auto p3) { client.Send(EnumerateRemoteModuleCallbackMessage(p1, p2, std::move(p3))); },
-		[&](auto p1, auto p2, auto p3, auto p4, auto p5, auto p6) { client.Send(EnumerateRemoteSectionCallbackMessage(p1, p2, p3, p4, std::move(p5), std::move(p6))); }
+		[&](auto p1, auto p2, auto p3, auto p4, auto p5, auto p6, auto p7) { client.Send(EnumerateRemoteSectionCallbackMessage(p1, p2, p3, p4, p5, std::move(p6), std::move(p7))); }
 	);
 
 	// Report enumeration complete to client.

PipeServer/Messages.hpp

@@ -261,6 +261,7 @@ class EnumerateRemoteSectionCallbackMessage : public IMessage
 	RC_Pointer GetBaseAddress() const { return baseAddress; }
 	RC_Pointer GetRegionSize() const { return size; }
 	SectionType GetType() const { return type; }
+	SectionCategory GetCategory() const { return category; }
 	SectionProtection GetProtection() const { return protection; }
 	const std::wstring& GetName() const { return name; }
 	const std::wstring& GetModulePath() const { return modulePath; }
@@ -269,15 +270,17 @@ class EnumerateRemoteSectionCallbackMessage : public IMessage
 		: baseAddress(0),
 		  size(0),
 		  type(SectionType::Unknown),
+		  category(SectionCategory::Unknown),
 		  protection(SectionProtection::NoAccess)
 	{
 
 	}
 
-	EnumerateRemoteSectionCallbackMessage(RC_Pointer _baseAddress, RC_Pointer _size, SectionType _type, SectionProtection _protection, std::wstring&& _name, std::wstring&& _modulePath)
+	EnumerateRemoteSectionCallbackMessage(RC_Pointer _baseAddress, RC_Pointer _size, SectionType _type, SectionCategory _category, SectionProtection _protection, std::wstring&& _name, std::wstring&& _modulePath)
 		: baseAddress(_baseAddress),
 		  size(_size),
 		  type(_type),
+		  category(_category),
 		  protection(_protection),
 		  name(std::move(_name)),
 		  modulePath(std::move(_modulePath))
@@ -290,6 +293,7 @@ class EnumerateRemoteSectionCallbackMessage : public IMessage
 		baseAddress = reader.ReadIntPtr();
 		size = reader.ReadIntPtr();
 		type = (SectionType)reader.ReadInt32();
+		category = (SectionCategory)reader.ReadInt32();
 		protection = (SectionProtection)reader.ReadInt32();
 		name = reader.ReadString();
 		modulePath = reader.ReadString();
@@ -300,6 +304,7 @@ class EnumerateRemoteSectionCallbackMessage : public IMessage
 		writer.Write(baseAddress);
 		writer.Write(size);
 		writer.Write((int)type);
+		writer.Write((int)category);
 		writer.Write((int)protection);
 		writer.Write(name);
 		writer.Write(modulePath);
@@ -309,6 +314,7 @@ class EnumerateRemoteSectionCallbackMessage : public IMessage
 	RC_Pointer baseAddress;
 	RC_Pointer size;
 	SectionType type;
+	SectionCategory category;
 	SectionProtection protection;
 	std::wstring name;
 	std::wstring modulePath;

PipeServer/ReClassNET_Plugin.hpp

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <type_traits>
+#include <cstdint>
 
 // Types
 
@@ -14,35 +15,13 @@ const int PATH_MAXIMUM_LENGTH = 260;
 
 // Enumerations
 
-enum class RequestFunction
-{
-	IsProcessValid,
-	OpenRemoteProcess,
-	CloseRemoteProcess,
-	ReadRemoteMemory,
-	WriteRemoteMemory,
-	EnumerateProcesses,
-	EnumerateRemoteSectionsAndModules,
-	DisassembleCode,
-	ControlRemoteProcess
-};
-
 enum class ProcessAccess
 {
 	Read,
 	Write,
 	Full
 };
 
-enum class SectionType
-{
-	Unknown,
-
-	Private,
-	Mapped,
-	Image
-};
-
 enum class SectionProtection
 {
 	NoAccess = 0,
@@ -66,19 +45,80 @@ inline SectionProtection& operator|=(SectionProtection& lhs, SectionProtection r
 	using T = std::underlying_type_t<SectionProtection>;
 
 	lhs = static_cast<SectionProtection>(static_cast<T>(lhs) | static_cast<T>(rhs));
-	
+
 	return lhs;
 }
 
+enum class SectionType
+{
+	Unknown,
+
+	Private,
+	Mapped,
+	Image
+};
+
+enum class SectionCategory
+{
+	Unknown,
+	CODE,
+	DATA,
+	HEAP
+};
+
 enum class ControlRemoteProcessAction
 {
 	Suspend,
 	Resume,
 	Terminate
 };
 
+enum class DebugContinueStatus
+{
+	Handled,
+	NotHandled
+};
+
+enum class HardwareBreakpointRegister
+{
+	InvalidRegister,
+
+	Dr0,
+	Dr1,
+	Dr2,
+	Dr3
+};
+
+enum class HardwareBreakpointTrigger
+{
+	Execute,
+	Access,
+	Write,
+};
+
+enum class HardwareBreakpointSize
+{
+	Size1 = 1,
+	Size2 = 2,
+	Size4 = 4,
+	Size8 = 8
+};
+
+enum class DebugEventType
+{
+	CreateProcess,
+	ExitProcess,
+	CreateThread,
+	ExitThread,
+	LoadDll,
+	UnloadDll,
+	Exception
+};
+
 // Structures
 
+#pragma pack(push, 1)
+
 struct EnumerateProcessData
 {
 	RC_Size Id;
@@ -88,6 +128,7 @@ struct EnumerateProcessData
 struct InstructionData
 {
 	int Length;
+	uint8_t Data[15];
 	RC_UnicodeChar Instruction[64];
 };
 
@@ -96,6 +137,7 @@ struct EnumerateRemoteSectionData
 	RC_Pointer BaseAddress;
 	RC_Size Size;
 	SectionType Type;
+	SectionCategory Category;
 	SectionProtection Protection;
 	RC_UnicodeChar Name[16];
 	RC_UnicodeChar ModulePath[PATH_MAXIMUM_LENGTH];
@@ -108,31 +150,110 @@ struct EnumerateRemoteModuleData
 	RC_UnicodeChar Path[PATH_MAXIMUM_LENGTH];
 };
 
-// Callbacks
-
-typedef RC_Pointer(__stdcall *RequestFunctionPtrCallback)(RequestFunction request);
-
-typedef void(__stdcall *EnumerateProcessCallback)(EnumerateProcessData* data);
+struct CreateProcessDebugInfo
+{
+	RC_Pointer FileHandle;
+	RC_Pointer ProcessHandle;
+};
 
-typedef void(__stdcall EnumerateRemoteSectionsCallback)(EnumerateRemoteSectionData* data);
-typedef void(__stdcall EnumerateRemoteModulesCallback)(EnumerateRemoteModuleData* data);
+struct ExitProcessDebugInfo
+{
+	RC_Size ExitCode;
+};
 
-// Delegates
+struct CreateThreadDebugInfo
+{
+	RC_Pointer ThreadHandle;
+};
 
-typedef bool(__stdcall *IsProcessValid_Delegate)(RC_Pointer handle);
+struct ExitThreadDebugInfo
+{
+	RC_Size ExitCode;
+};
 
-typedef RC_Pointer(__stdcall *OpenRemoteProcess_Delegate)(RC_Size processId, ProcessAccess desiredAccess);
+struct LoadDllDebugInfo
+{
+	RC_Pointer FileHandle;
+	RC_Pointer BaseOfDll;
+};
 
-typedef void(__stdcall *CloseRemoteProcess_Delegate)(RC_Pointer handle);
+struct UnloadDllDebugInfo
+{
+	RC_Pointer BaseOfDll;
+};
 
-typedef bool(__stdcall *ReadRemoteMemory_Delegate)(RC_Pointer handle, RC_Pointer address, RC_Pointer buffer, RC_Size size);
+struct ExceptionDebugInfo
+{
+	RC_Size ExceptionCode;
+	RC_Size ExceptionFlags;
+	RC_Pointer ExceptionAddress;
+
+	HardwareBreakpointRegister CausedBy;
+
+	bool IsFirstChance;
+
+	struct RegisterInfo
+	{
+#ifdef _WIN64
+		RC_Pointer Rax;
+		RC_Pointer Rbx;
+		RC_Pointer Rcx;
+		RC_Pointer Rdx;
+		RC_Pointer Rdi;
+		RC_Pointer Rsi;
+		RC_Pointer Rsp;
+		RC_Pointer Rbp;
+		RC_Pointer Rip;
+
+		RC_Pointer R8;
+		RC_Pointer R9;
+		RC_Pointer R10;
+		RC_Pointer R11;
+		RC_Pointer R12;
+		RC_Pointer R13;
+		RC_Pointer R14;
+		RC_Pointer R15;
+#else
+		RC_Pointer Eax;
+		RC_Pointer Ebx;
+		RC_Pointer Ecx;
+		RC_Pointer Edx;
+		RC_Pointer Edi;
+		RC_Pointer Esi;
+		RC_Pointer Esp;
+		RC_Pointer Ebp;
+		RC_Pointer Eip;
+#endif
+	};
+	RegisterInfo Registers;
+};
 
-typedef bool(__stdcall *WriteRemoteMemory_Delegate)(RC_Pointer handle, RC_Pointer address, RC_Pointer buffer, RC_Size size);
+struct DebugEvent
+{
+	DebugContinueStatus ContinueStatus;
+
+	RC_Pointer ProcessId;
+	RC_Pointer ThreadId;
+
+	DebugEventType Type;
+
+	union
+	{
+		CreateProcessDebugInfo CreateProcessInfo;
+		ExitProcessDebugInfo ExitProcessInfo;
+		CreateThreadDebugInfo CreateThreadInfo;
+		ExitThreadDebugInfo ExitThreadInfo;
+		LoadDllDebugInfo LoadDllInfo;
+		UnloadDllDebugInfo UnloadDllInfo;
+		ExceptionDebugInfo ExceptionInfo;
+	};
+};
 
-typedef void(__stdcall *EnumerateProcesses_Delegate)(EnumerateProcessCallback callbackProcess);
+#pragma pack(pop)
 
-typedef void(__stdcall *EnumerateRemoteSectionsAndModules_Delegate)(RC_Pointer handle, EnumerateRemoteSectionsCallback callbackSection, EnumerateRemoteModulesCallback callbackModule);
+// Callbacks
 
-typedef bool(__stdcall *DisassembleCode_Delegate)(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, InstructionData* instruction);
+typedef void(__stdcall *EnumerateProcessCallback)(EnumerateProcessData* data);
 
-typedef void(__stdcall *ControlRemoteProcess_Delegate)(RC_Pointer handle, ControlRemoteProcessAction action);
+typedef void(__stdcall EnumerateRemoteSectionsCallback)(EnumerateRemoteSectionData* data);
+typedef void(__stdcall EnumerateRemoteModulesCallback)(EnumerateRemoteModuleData* data);

Plugin/MemoryPipePluginExt.cs

@@ -378,6 +378,7 @@ public void EnumerateRemoteSectionsAndModules(IntPtr process, EnumerateRemoteSec
 									BaseAddress = callbackSectionMessage.BaseAddress,
 									Size = callbackSectionMessage.Size,
 									Type = callbackSectionMessage.Type,
+									Category = callbackSectionMessage.Category,
 									Protection = callbackSectionMessage.Protection,
 									Name = callbackSectionMessage.Name,
 									ModulePath = callbackSectionMessage.ModulePath