/***********************************************************************
* TASK_CreateMainTask
*
* Create a task for the main (32-bit) process.
*/
void TASK_CreateMainTask(void)
{
TDB *pTask;
STARTUPINFOA startup_info;
UINT cmdShow = 1; /* SW_SHOWNORMAL but we don't want to include winuser.h here */
GetStartupInfoA( &startup_info );
if (startup_info.dwFlags & STARTF_USESHOWWINDOW) cmdShow = startup_info.wShowWindow;
pTask = TASK_Create( NULL, cmdShow, NULL, 0 );
if (!pTask)
{
ERR("could not create task for main process\n");
ExitProcess(1);
}
pTask->flags |= TDBF_WIN32;
pTask->hInstance = 0;
pTask->hPrevInstance = 0;
pTask->teb = NtCurrentTeb();
/* Add the task to the linked list */
/* (no need to get the win16 lock, we are the only thread at this point) */
TASK_LinkTask( pTask->hSelf );
main_task = pTask->hSelf;
}
int
main (int argc, char *argv[], char *environ[])
{
char *szCmd;
STARTUPINFO startinfo;
int nRet;
/* Get the command line passed to the process. */
szCmd = GetCommandLineA ();
GetStartupInfoA (&startinfo);
/* Strip off the name of the application and any leading
* whitespace. */
if (szCmd)
{
while (ISSPACE (*szCmd))
{
szCmd++;
}
/* On my system I always get the app name enclosed
* in quotes... */
if (*szCmd == '\"')
{
do
{
szCmd++;
}
while (*szCmd != '\"' && *szCmd != '\0');
if (*szCmd == '\"')
{
szCmd++;
}
}
else
{
/* If no quotes then assume first token is program
* name. */
while (!ISSPACE (*szCmd) && *szCmd != '\0')
{
szCmd++;
}
}
while (ISSPACE (*szCmd))
{
szCmd++;
}
}
nRet = WinMain (GetModuleHandle (NULL), NULL, szCmd,
(startinfo.dwFlags & STARTF_USESHOWWINDOW) ?
startinfo.wShowWindow : SW_SHOWDEFAULT);
return nRet;
}
void WINAPI CustomGetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
{
if (!bLoadedPluginsYet)
{
// At the time this is called, the EXE is fully decrypted - we don't need any tricks from the ASI side
LoadPlugins();
bLoadedPluginsYet = true;
}
GetStartupInfoA(lpStartupInfo);
}
static unsigned dbg_start_debuggee(LPSTR cmdLine)
{
PROCESS_INFORMATION info;
STARTUPINFOA startup, current;
DWORD flags;
GetStartupInfoA(¤t);
memset(&startup, 0, sizeof(startup));
startup.cb = sizeof(startup);
startup.dwFlags = STARTF_USESHOWWINDOW;
startup.wShowWindow = (current.dwFlags & STARTF_USESHOWWINDOW) ?
current.wShowWindow : SW_SHOWNORMAL;
/* FIXME: shouldn't need the CREATE_NEW_CONSOLE, but as usual CUI:s need it
* while GUI:s don't
*/
flags = DEBUG_PROCESS | CREATE_NEW_CONSOLE;
if (!DBG_IVAR(AlsoDebugProcChild)) flags |= DEBUG_ONLY_THIS_PROCESS;
if (!CreateProcess(NULL, cmdLine, NULL, NULL, FALSE, flags,
NULL, NULL, &startup, &info))
{
dbg_printf("Couldn't start process '%s'\n", cmdLine);
return FALSE;
}
if (!info.dwProcessId)
{
/* this happens when the program being run is not a Wine binary
* (for example, a shell wrapper around a WineLib app)
*/
/* Current fix: list running processes and let the user attach
* to one of them (sic)
* FIXME: implement a real fix => grab the process (from the
* running processes) from its name
*/
dbg_printf("Debuggee has been started (%s)\n"
"But WineDbg isn't attached to it. Maybe you're trying to debug a winelib wrapper ??\n"
"Try to attach to one of those processes:\n", cmdLine);
/* FIXME: (HACK) we need some time before the wrapper executes the winelib app */
Sleep(100);
info_win32_processes();
return TRUE;
}
dbg_curr_pid = info.dwProcessId;
if (!(dbg_curr_process = dbg_add_process(&be_process_active_io, dbg_curr_pid, 0))) return FALSE;
dbg_curr_process->active_debuggee = TRUE;
return TRUE;
}
void
createDialog(void)
{
STARTUPINFOA startinfo;
WNDCLASSEXA WndClass;
g_hInstance = GetModuleHandle(NULL);
GetStartupInfoA(&startinfo);
WndClass.cbSize = sizeof WndClass;
WndClass.style = 0;
WndClass.lpfnWndProc = WndProc;
WndClass.cbClsExtra = 0;
WndClass.cbWndExtra = 0;
WndClass.hInstance = g_hInstance;
WndClass.hIcon = LoadIcon(g_hInstance, MAKEINTRESOURCE(IDI_MAINICON));
WndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
WndClass.lpszMenuName = MAKEINTRESOURCEA(IDM_MAINMENU);
WndClass.lpszClassName = "DrMingw";
WndClass.hIconSm = LoadIcon(g_hInstance, MAKEINTRESOURCE(IDI_MAINICON));
if (!RegisterClassExA(&WndClass)) {
ErrorMessageBox("RegisterClassEx: %s", LastErrorMessage());
exit(EXIT_FAILURE);
}
g_hWnd = CreateWindowExA(
WS_EX_CLIENTEDGE,
WndClass.lpszClassName,
"Dr. Mingw",
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
NULL,
NULL,
g_hInstance,
NULL
);
if (g_hWnd == NULL) {
ErrorMessageBox("CreateWindowEx: %s", LastErrorMessage());
exit(EXIT_FAILURE);
}
ShowWindow(g_hWnd, (startinfo.dwFlags & STARTF_USESHOWWINDOW) ? startinfo.wShowWindow : SW_SHOWDEFAULT);
UpdateWindow(g_hWnd);
}
BOOL MSVCMemoryDump::executeProcess(const std::string & commandLine) {
STARTUPINFOA si;
PROCESS_INFORMATION pi;
GetStartupInfoA(&si);
BOOL success = CreateProcessA(NULL,
(char *) commandLine.c_str(), //Name of app to launch
NULL, //Default process security attributes
NULL, //Default thread security attributes
FALSE, //Don't inherit handles from the parent
0, //Normal priority
NULL, //Use the same environment as the parent
NULL, //Launch in the current directory
&si, //Startup Information
&pi); //Process information stored upon return
return success;
}
VOID WINAPI GetStartupInfoAHook(LPSTARTUPINFOA startupInfo)
{
// put back the original and call it
memcpy(GetStartupInfoA, g_gsiOrig, 5);
GetStartupInfoA(startupInfo);
// analyze the return address for a recommended course of action (GameShield is using a Borland-style compiler, so the only VC CRT here will be Payne)
char* charData = (char*)_ReturnAddress();
if (!memcmp(charData, "\x6A\xFE\x5F\x89\x7D\xFC\xB8\x4D", 8))
{
PEXCEPTION_REGISTRATION_RECORD sehPtr = (PEXCEPTION_REGISTRATION_RECORD)__readfsdword(0);
// and we don't want crt init to use its own exception handler either
__writefsdword(0, (DWORD)sehPtr->Next->Next);
// we also need to unVP the read-only data segments
DWORD oldProtect;
VirtualProtect(GetModuleHandle(nullptr), 0x119e000, PAGE_EXECUTE_READWRITE, &oldProtect);
// this is here *temporarily*
hook::jump(hook::pattern("81 EC 44 02 00 00 55 56 33 F6 33 C0").count(1).get(0).get<void>(), ThisIsActuallyLaunchery);
// mhm
memcpy(GetModuleFileNameA, g_gmfOrig, 5);
memcpy(GetModuleFileNameW, g_gmfOrigW, 5);
if (!g_launcher->PostLoadGame(GetModuleHandle(nullptr), nullptr))
{
ExitProcess(0);
}
// so it can pop itself
//__writefsdword(0, (DWORD)sehPtr);
}
else
{
// hook us back in for the next pass
hook::jump((uintptr_t)GetStartupInfoA, GetStartupInfoAHook);
}
}
LinphoneManager::LinphoneManager()
{
m_linphoneStatus = LINPHONE_STATUS_NOT_INIT;
pthread_mutex_init(&m_linphoneStatusMutex,NULL);
SECURITY_ATTRIBUTES rPipeSa;
SECURITY_ATTRIBUTES wPipeSa;
rPipeSa.nLength = sizeof(SECURITY_ATTRIBUTES);
rPipeSa.lpSecurityDescriptor = NULL;
rPipeSa.bInheritHandle = TRUE;
wPipeSa.nLength = sizeof(SECURITY_ATTRIBUTES);
wPipeSa.lpSecurityDescriptor = NULL;
wPipeSa.bInheritHandle = TRUE;
if(!CreatePipe(&m_pipeRead[0],&m_pipeWrite[0],&rPipeSa,0))
{
log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"error at create pipe\n");
}
if(!CreatePipe(&m_pipeRead[1],&m_pipeWrite[1],&wPipeSa,0))
{
log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"error at create pipe\n");
}
STARTUPINFOA si;
si.cb = sizeof(STARTUPINFOA);
GetStartupInfoA(&si);
si.hStdError = m_pipeWrite[0];
si.hStdOutput = m_pipeWrite[0];
si.hStdInput = m_pipeRead[1];
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
log_printf(LOG_ALL_OUT,LOG_LEVEL_INFO,"start to create linphone process.\n");
if (!CreateProcessA(NULL,LINPHONEC_LOCATION,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&m_linphoneProcess))
{
log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"error at create process\n");
}
CloseHandle(m_pipeWrite[0]);
CloseHandle(m_pipeRead[1]);
SetLinphoneStatus(LINPHONE_STATUS_ON_IDLE);
int ret = pthread_create(&m_readLinphoneOutput,NULL,ReadLinphoneOutputProc,this);
if(0 != ret)
{
log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"Create read linphone output thread failed,%d\n",ret);
}
}
extern "C" int main(int argc, char* argv[]){
if(argc < 2){
std::cout << "No exe specified!\n\n";
std::cout << "Usage: Heapy <exe path> [args to pass to exe]\n\n"
" The first argument specifies the exe to launch.\n"
" Subsequent arguments are passed to launched exe.\n";
return -1;
}
char *injectionTarget = argv[1];
bool win64 = false;
#ifdef _WIN64
win64 = true;
#endif
// Select correct dll name depending on whether x64 or win32 version launched.
std::string heapyInjectDllName;
if(win64)
heapyInjectDllName = "HeapyInject_x64.dll";
else
heapyInjectDllName = "HeapyInject_Win32.dll";
// Assume that the injection payload dll is in the same directory as the exe.
CHAR exePath[MAX_PATH];
GetModuleFileNameA(NULL, exePath, MAX_PATH );
std::string dllPath = getDirectoryOfFile(std::string(exePath)) + "\\" + heapyInjectDllName;
std::string commandLine = injectionTarget;
for(int i = 2; i < argc; ++i){
commandLine += " " + std::string(argv[i]);
}
// Start our new process with a suspended main thread.
std::cout << "Starting process with heap profiling enabled..." << std::endl;
std::cout << "Target exe path: " << injectionTarget << std::endl;
std::cout << "Target execommand line: " << commandLine;
std::cout << "Dll to inject: " << dllPath << std::endl;
DWORD flags = CREATE_SUSPENDED;
PROCESS_INFORMATION pi;
STARTUPINFOA si;
GetStartupInfoA(&si);
// CreatePRocessA can modify input arg so do this to be safe.
std::vector<char> commandLineMutable(commandLine.begin(), commandLine.end());
if(CreateProcessA(NULL, commandLineMutable.data(), NULL, NULL, 0, flags, NULL,
(LPSTR)".", &si, &pi) == 0){
std::cerr << "Error creating process " << injectionTarget << std::endl;
return -1;
}
// Inject our dll.
// This method returns only when injection thread returns.
try{
if(!LoadLibraryInjection(pi.hProcess, dllPath.c_str())){
throw std::runtime_error("LoadLibrary failed!");
}
}catch(const std::exception &e){
std::cerr << "\n";
std::cerr << "Error while injecting process: " << e.what() << "\n\n";
std::cerr << "Check that the hook dll (" << dllPath << " is in the correct location.\n\n";
std::cerr << "Are you trying to inject a " << (win64 ? " 32 bit " : " 64 bit ") << " application using the "
<< (win64 ? " 64 bit " : " 32 bit ") << " injector?\n\n";
// TODO: figure out how to terminate thread. This does not always work.
TerminateProcess(pi.hProcess, 0);
return -1;
}
// Once the injection thread has returned it is safe to resume the main thread.
ResumeThread(pi.hThread);
// Wait for the target application to exit.
// This doesn't matter to much, but makes heapy nicer to use in test scripts.
// (Like the ProfileTestApplication project.)
WaitForSingleObject(pi.hProcess, INFINITE);
return 0;
}
ProcessHandleImpl* ProcessImpl::launchImpl(const std::string& command, const ArgsImpl& args, const std::string& initialDirectory, Pipe* inPipe, Pipe* outPipe, Pipe* errPipe, const EnvImpl& env)
{
std::string commandLine = command;
for (ArgsImpl::const_iterator it = args.begin(); it != args.end(); ++it)
{
commandLine.append(" ");
commandLine.append(*it);
}
STARTUPINFOA startupInfo;
GetStartupInfoA(&startupInfo); // take defaults from current process
startupInfo.cb = sizeof(STARTUPINFOA);
startupInfo.lpReserved = NULL;
startupInfo.lpDesktop = NULL;
startupInfo.lpTitle = NULL;
startupInfo.dwFlags = STARTF_FORCEOFFFEEDBACK;
startupInfo.cbReserved2 = 0;
startupInfo.lpReserved2 = NULL;
HANDLE hProc = GetCurrentProcess();
bool mustInheritHandles = false;
if (inPipe)
{
DuplicateHandle(hProc, inPipe->readHandle(), hProc, &startupInfo.hStdInput, 0, TRUE, DUPLICATE_SAME_ACCESS);
mustInheritHandles = true;
inPipe->close(Pipe::CLOSE_READ);
}
else if (GetStdHandle(STD_INPUT_HANDLE))
{
DuplicateHandle(hProc, GetStdHandle(STD_INPUT_HANDLE), hProc, &startupInfo.hStdInput, 0, TRUE, DUPLICATE_SAME_ACCESS);
mustInheritHandles = true;
}
else
{
startupInfo.hStdInput = 0;
}
// outPipe may be the same as errPipe, so we duplicate first and close later.
if (outPipe)
{
DuplicateHandle(hProc, outPipe->writeHandle(), hProc, &startupInfo.hStdOutput, 0, TRUE, DUPLICATE_SAME_ACCESS);
mustInheritHandles = true;
}
else if (GetStdHandle(STD_OUTPUT_HANDLE))
{
DuplicateHandle(hProc, GetStdHandle(STD_OUTPUT_HANDLE), hProc, &startupInfo.hStdOutput, 0, TRUE, DUPLICATE_SAME_ACCESS);
mustInheritHandles = true;
}
else
{
startupInfo.hStdOutput = 0;
}
if (errPipe)
{
DuplicateHandle(hProc, errPipe->writeHandle(), hProc, &startupInfo.hStdError, 0, TRUE, DUPLICATE_SAME_ACCESS);
mustInheritHandles = true;
}
else if (GetStdHandle(STD_ERROR_HANDLE))
{
DuplicateHandle(hProc, GetStdHandle(STD_ERROR_HANDLE), hProc, &startupInfo.hStdError, 0, TRUE, DUPLICATE_SAME_ACCESS);
mustInheritHandles = true;
}
else
{
startupInfo.hStdError = 0;
}
if (outPipe) outPipe->close(Pipe::CLOSE_WRITE);
if (errPipe) errPipe->close(Pipe::CLOSE_WRITE);
if (mustInheritHandles)
{
startupInfo.dwFlags |= STARTF_USESTDHANDLES;
}
const char* workingDirectory = initialDirectory.empty() ? 0 : initialDirectory.c_str();
const char* pEnv = 0;
std::vector<char> envChars;
if (!env.empty())
{
envChars = getEnvironmentVariablesBuffer(env);
pEnv = &envChars[0];
}
PROCESS_INFORMATION processInfo;
DWORD creationFlags = GetConsoleWindow() ? 0 : CREATE_NO_WINDOW;
BOOL rc = CreateProcessA(
NULL,
const_cast<char*>(commandLine.c_str()),
NULL, // processAttributes
NULL, // threadAttributes
mustInheritHandles,
creationFlags,
(LPVOID) pEnv,
workingDirectory,
&startupInfo,
&processInfo
);
if (startupInfo.hStdInput) CloseHandle(startupInfo.hStdInput);
if (startupInfo.hStdOutput) CloseHandle(startupInfo.hStdOutput);
if (startupInfo.hStdError) CloseHandle(startupInfo.hStdError);
if (rc)
{
CloseHandle(processInfo.hThread);
return new ProcessHandleImpl(processInfo.hProcess, processInfo.dwProcessId);
}
else throw SystemException("Cannot launch process", command);
}
void CommandPromptProcess(ScriptValue &s, ScriptValue* args) {
if (0)
{
char buf[1024]; //i/o buffer
STARTUPINFOA si;
SECURITY_ATTRIBUTES sa;
PROCESS_INFORMATION pi;
HANDLE newstdin,newstdout,read_stdout,write_stdin; //pipe handles
sa.lpSecurityDescriptor = NULL;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = true; //allow inheritable handles
if (!CreatePipe(&newstdin,&write_stdin,&sa,0)) //create stdin pipe
{
return;
}
if (!CreatePipe(&read_stdout,&newstdout,&sa,0)) //create stdout pipe
{
CloseHandle(newstdin);
CloseHandle(write_stdin);
return;
}
GetStartupInfoA(&si); //set startupinfo for the spawned process
/*
The dwFlags member tells CreateProcess how to make the process.
STARTF_USESTDHANDLES validates the hStd* members. STARTF_USESHOWWINDOW
validates the wShowWindow member.
*/
si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
si.hStdOutput = newstdout;
si.hStdError = newstdout; //set the new handles for the child process
si.hStdInput = newstdin;
char app_spawn[] = "C:\\windows\\system32\\ping.exe"; //sample, modify for your
//system
//spawn the child process
if (!CreateProcessA(app_spawn,NULL,NULL,NULL,TRUE,CREATE_NEW_CONSOLE,
NULL,NULL,&si,&pi))
{
CloseHandle(newstdin);
CloseHandle(newstdout);
CloseHandle(read_stdout);
CloseHandle(write_stdin);
return;
}
unsigned long exit=0; //process exit code
unsigned long bread; //bytes read
unsigned long avail; //bytes available
for(;;) //main program loop
{
PeekNamedPipe(read_stdout,buf,1023,&bread,&avail,NULL);
//check to see if there is any data to read from stdout
if (bread != 0)
{
if (avail > 1023)
{
while (bread >= 1023)
{
ReadFile(read_stdout,buf,1023,&bread,NULL); //read the stdout pipe
printf("%s",buf);
}
}
else {
ReadFile(read_stdout,buf,1023,&bread,NULL);
printf("%s",buf);
}
}
GetExitCodeProcess(pi.hProcess,&exit); //while the process is running
if (exit != STILL_ACTIVE)
break;
/*
if (kbhit()) //check for user input.
{
bzero(buf);
*buf = (char)getche();
//printf("%c",*buf);
WriteFile(write_stdin,buf,1,&bread,NULL); //send it to stdin
if (*buf == '\r') {
*buf = '\n';
printf("%c",*buf);
WriteFile(write_stdin,buf,1,&bread,NULL); //send an extra newline char,
//if necessary
}
}
//*/
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
CloseHandle(newstdin); //clean stuff up
CloseHandle(newstdout);
CloseHandle(read_stdout);
CloseHandle(write_stdin);
}
wchar_t *path = ResolvePath(args[0].stringVal->value);
wchar_t *dir = 0;
if (path && (!args[2].stringVal->len || (dir = ResolvePath(args[2].stringVal->value)))) {
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(si));
si.cb = sizeof(si);
wchar_t *params = UTF8toUTF16Alloc(args[1].stringVal->value);
ConnectedProcess *cp = 0;
cp = (ConnectedProcess*)calloc(1,sizeof(ConnectedProcess));
if (cp) {
SECURITY_ATTRIBUTES saAttr;
saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
saAttr.bInheritHandle = TRUE;
saAttr.lpSecurityDescriptor = NULL;
static __int64 namedPipes = 0;
char pipeNames[3][100];
sprintf(pipeNames[0], "\\\\.\\pipe\\LCD Miscellany error pipe %I64i", namedPipes);
sprintf(pipeNames[1], "\\\\.\\pipe\\LCD Miscellany out pipe %I64i", namedPipes);
sprintf(pipeNames[2], "\\\\.\\pipe\\LCD Miscellany in pipe %I64i", namedPipes);
namedPipes++;
//*
cp->error[0] = CreateNamedPipeA(pipeNames[0], PIPE_ACCESS_INBOUND, PIPE_TYPE_BYTE | PIPE_WAIT, 1, 1024, 1024, 5000, 0);
cp->error[1] = CreateFileA(pipeNames[0], GENERIC_WRITE, 0, &saAttr, OPEN_EXISTING, 0, 0);
cp->out[0] = CreateNamedPipeA(pipeNames[1], PIPE_ACCESS_INBOUND, PIPE_TYPE_BYTE | PIPE_WAIT, 1, 1024, 1024, 5000, 0);
cp->out[1] = CreateFileA(pipeNames[1], GENERIC_WRITE, 0, &saAttr, OPEN_EXISTING, 0, 0);
cp->in[0] = CreateNamedPipeA(pipeNames[2], PIPE_ACCESS_OUTBOUND, PIPE_TYPE_BYTE | PIPE_WAIT, 1, 1024, 1024, 5000, 0);
cp->in[1] = CreateFileA(pipeNames[2], GENERIC_READ, 0, &saAttr, OPEN_EXISTING, 0, 0);
//*/
//CreatePipe(&cp->error[0], &cp->error[1], &saAttr, 0);
//CreatePipe(&cp->out[0], &cp->out[1], &saAttr, 0);
//CreatePipe(&cp->in[1], &cp->in[0], &saAttr, 0);
int happy = 1;
for (int i=0; i<3; i++) {
if (cp->handles[2*i] == INVALID_HANDLE_VALUE ||
cp->handles[2*i+1] == INVALID_HANDLE_VALUE) {
happy = 0;
}
}
if (happy) {
si.hStdError = cp->out[1];
si.hStdInput = cp->in[1];
si.hStdOutput = cp->out[1];
si.dwFlags = STARTF_USESTDHANDLES;
if (!CreateProcessW(L"c:\\Windows\\System32\\PING.EXE", 0, 0, 0, 1, CREATE_NEW_CONSOLE, 0, dir, &si, &pi)/* && CreateListValue(s, 4)//*/) {
happy = 0;
}
else {
CreateIntValue(s, pi.dwProcessId);
if (si.dwFlags) {
char temp[1000];
{
DWORD bread, avail;
//PeekNamedPipe(read_stdout,temp,1000,&bread,&avail,NULL);
PeekNamedPipe(cp->out[0],temp,1000,&bread,&avail,NULL);
PeekNamedPipe(cp->in[0],temp,1000,&bread,&avail,NULL);
bread = bread;
}
DWORD read = 0;
ReadFile(cp->out[0], temp, 1, &read, 0);
ReadFile(cp->error[0], temp, 1, &read, 0);
ReadFile(cp->in[0], temp, 1000, &read, 0);
read = read;
}
}
}
if (!happy) {
if (cp) {
for (int i=0; i<6; i++) {
if (cp->handles[i] != INVALID_HANDLE_VALUE) {
CloseHandle(cp->handles[i]);
}
}
free(cp);
}
}
}
free(params);
}
free(path);
free(dir);
}
extern "C" int main(int argc, char* argv[]){
if(argc < 2){
std::cout << "No exe specified!\n\n";
std::cout << "Usage: winheaptrack <exe path> [target working dir]\n\n"
" The first argument specifies the exe to launch.\n"
" The second optional argument specifies the working directory\n"
" of the exe to launch (this defaults to directory of exe.)\n";
return -1;
}
char *injectionTarget = argv[1];
std::string injectionTargetWorkingDirectory;
if(argc > 2)
injectionTargetWorkingDirectory = argv[2];
else
injectionTargetWorkingDirectory = getDirectoryOfFile(injectionTarget);
bool win64 = false;
#ifdef _WIN64
win64 = true;
#endif
// Select correct dll name depending on whether x64 or win32 version launched.
std::string winheaptrackInjectDllName;
if(win64)
winheaptrackInjectDllName = "winheaptrack_inject_x64.dll";
else
winheaptrackInjectDllName = "winheaptrack_inject_Win32.dll";
// Assume that the injection payload dll is in the same directory as the exe.
std::string exePath(argv[0]);
std::string dllPath = getDirectoryOfFile(exePath) + "\\" + winheaptrackInjectDllName;
// Start our new process with a suspended main thread.
std::cout << "Starting process with heap profiling enabled..." << std::endl;
std::cout << "Target exe path: " << injectionTarget << std::endl;
std::cout << "Working directory: " << injectionTargetWorkingDirectory << std::endl;
std::cout << "Dll to inject: " << dllPath << std::endl;
DWORD flags = CREATE_SUSPENDED;
PROCESS_INFORMATION pi;
STARTUPINFOA si;
GetStartupInfoA(&si);
if(CreateProcessA(NULL, injectionTarget, NULL, NULL, 0, flags, NULL,
(LPSTR)injectionTargetWorkingDirectory.c_str(), &si, &pi) == 0){
std::cerr << "Error creating process " << injectionTarget << " with working directory " << injectionTargetWorkingDirectory << std::endl;
return -1;
}
// Inject our dll.
// This method returns only when injection thread returns.
try{
if(!LoadLibraryInjection(pi.hProcess, dllPath.c_str())){
throw std::runtime_error("LoadLibrary failed!");
}
}catch(const std::exception &e){
std::cerr << "\n";
std::cerr << "Error while injecting process: " << e.what() << "\n\n";
std::cerr << "Check that the hook dll (" << dllPath << " is in the correct location.\n\n";
std::cerr << "Are you trying to inject a " << (win64 ? " 32 bit " : " 64 bit ") << " application using the "
<< (win64 ? " 64 bit " : " 32 bit ") << " injector?\n\n";
// TODO: figure out how to terminate thread. This does not always work.
TerminateProcess(pi.hProcess, 0);
return -1;
}
// Once the injection thread has returned it is safe to resume the main thread.
ResumeThread(pi.hThread);
// Wait for the target application to exit.
// This doesn't matter to much, but makes winheaptrack nicer to use in test scripts.
// (Like the ProfileTestApplication project.)
WaitForSingleObject(pi.hProcess, INFINITE);
return 0;
}
void fn004019E0(word32 ebp, Eq_3 * fs)
{
word32 * eax_14 = fs->ptr0000;
fs->ptr0000 = fp - 0x00000014;
__set_app_type();
globals->dw40312C = 0xFFFFFFFF;
globals->dw403130 = 0xFFFFFFFF;
__p__fmode();
*eax_14 = globals->dw403120;
__p__commode();
*eax_14 = globals->dw40311C;
Mem46[0x00403128:word32] = Mem43[_adjust_fdiv:word32];
fn00401BE0();
word32 esp_193 = fp + 0xFFFFFF6C;
if (globals->dw403040 == 0x00000000)
{
__setusermatherr();
esp_193 = fp + 0xFFFFFF68;
}
fn00401BB0();
Eq_51 * esp_54 = esp_193 - 0x00000004;
esp_54->dw0000 = 0x00403014;
esp_54->dw0000 = 0x00403010;
_initterm();
esp_54->dw0000 = fp - 0x00000070;
esp_54->dw0000 = globals->dw403114;
esp_54->dw0000 = fp - 0x00000068;
Mem74[esp_54 - 0x00000010:word32] = fp - 0x00000074;
esp_54->dw0000 = fp - 0x00000064;
__getmainargs();
esp_54->dwFFFFFFF8 = 0x0040300C;
esp_54->dwFFFFFFF4 = 0x00403000;
_initterm();
__p__acmdln();
Eq_85 * esi_161 = dwLoc74;
if (dwLoc74->b0000 == 0x22)
{
do
{
esi_161 = esi_161 + 1;
bcu8 al_169 = esi_161->b0000;
} while (al_169 == 0x00 || al_169 == 0x22);
if (esi_161->b0000 == 0x22)
{
esi_161 = esi_161 + 1;
goto l00401AEE;
}
}
while (esi_161->b0000 >u 0x20)
esi_161 = esi_161 + 1;
l00401AEE:
bcu8 al_99 = esi_161->b0000;
while (al_99 != 0x00 && al_99 <=u 0x20)
{
esi_161 = esi_161 + 1;
al_99 = esi_161->b0000;
}
Eq_80 eax_117;
esp_54->tFFFFFFF0 = fp - 0x00000060;
GetStartupInfoA(esp_54->tFFFFFFF0);
if (0x00 != 0x00)
eax_117 = dwLoc30 & 0x0000FFFF;
else
eax_117.u0 = 0x0000000A;
esp_54->tFFFFFFF0 = eax_117;
esp_54->ptrFFFFFFEC = esi_161;
esp_54->dwFFFFFFE8 = 0x00000000;
esp_54->tFFFFFFE4.u0 = 0x00000000;
Eq_80 eax_127 = GetModuleHandleA(esp_54->tFFFFFFE4);
esp_54->tFFFFFFE4 = eax_127;
fn00401BFC(ebp, dwArg00, dwArg04, dwArg08);
esp_54->tFFFFFFF0 = eax_127;
exit(esp_54->tFFFFFFF0);
fp->dwFFFFFFF8 = 0xFFFFFFFF;
fs->ptr0000 = eax_14;
return;
}
// address: 0x1310e09b
int main(int argc, char *argv[], char *envp[]) {
__size8 al; // r8
__size16 ax; // r0
char bl; // r11
__size8 cl; // r9
__size16 cx; // r1
unsigned char dl; // r10
__size16 dx; // r2
unsigned char *eax; // r24
void *eax_1; // r24{45}
__size32 eax_2; // r24{185}
__size32 eax_3; // r24{486}
__size32 ebp; // r29
int ebx; // r27
char *ebx_1; // r27
int ebx_2; // r27{84}
__size32 ecx_1; // r25{18}
unsigned int edi; // r31
char *edi_1; // r31
unsigned int edi_2; // r31{116}
unsigned int edx; // r26
unsigned char *esi; // r30
int esp; // r28
void *esp_1; // r28{67}
void *esp_2; // r28{309}
void *esp_3; // r28{541}
void *esp_4; // r28{559}
__size32 local0; // m[esp - 16]
unsigned int local1; // m[esp - 8]
__size8 local10; // m[esp - 560]
__size8 local11; // m[esp - 562]
__size8 local12; // m[esp - 563]
__size8 local13; // m[esp - 564]
int local14; // m[esp - 572]
unsigned int local15; // m[esp - 580]
unsigned char *local16; // m[esp - 584]
void *local17; // m[esp - 588]
__size32 local18; // m[esp - 596]
unsigned int local19; // m[esp - 600]
unsigned char *local2; // m[esp - 12]
unsigned char *local20; // m[esp - 608]
void *local21; // m[esp - 612]
__size32 local22; // m[esp - 780]
__size32 local23; // m[esp - 784]
int local24; // m[esp - 788]
__size32 local25; // m[esp - 792]
unsigned int local26; // m[esp - 796]
unsigned int local27; // m[esp - 800]
unsigned int local28; // m[esp - 804]
union { void * x151; int x152; } local29; // m[esp - 576]
unsigned int local3; // m[esp - 20]
unsigned int local30; // m[esp - 776]
int local35; // m[esp - 584]
int local4; // m[esp - 24]
char *local5; // m[esp - 28]
unsigned int local58; // m[esp - 8]{573}
__size32 local6; // m[esp - 32]
void *local63; // esp_3{541}
unsigned int local64; // local1{603}
union { unsigned char * x149; int x150; } local65; // local16{607}
union { int x143; __size32 * x144; } local7; // m[esp - 36]
void *local8; // m[esp - 40]
unsigned char *local9; // m[esp - 44]
ecx_1 = SetErrorMode();
WmiReceiveNotificationsA();
GetStartupInfoA();
eax_1 = SafeArrayGetUBound();
local29 = eax_1 - 0x2fe67;
eax = WmiSetSingleInstanceW(); /* Warning: also results in edx, esp_1 */
local63 = esp_1;
if ( !(edx == 0x3ec0000 || eax - 0x7ffbfe67 != eax_1 - 0x2fe67)) {
local13 = -15;
local12 = 28;
local10 = 117;
local29 = eax_1 - 0x6cf61957;
ebx_2 = *(eax_1 - 0x6cf61957);
local14 = ebx_2;
bl = proc1(&ebx_2, esp - 572, 4, &local0, 0, &-15, bl, ebx_2);
local8 = esp;
local11 = -26;
edi_2 = *(eax_1 - 0x6cf61953);
local19 = edi_2;
bl = proc1(&edi_2, (esp - 604), 4, &local0, 4, &-15, bl, esp - 600);
edi = *(eax_1 - 0x6cf6194f);
local3 = edi;
bl = proc1(&edi, esp - 28, 4, &local0, 8, &-15, bl, esp - 28);
local30 = 0;
eax_2 = GetModuleHandleA();
local6 = eax_2;
local18 = eax_2 + 0x1000;
eax = *(eax_1 - 0x6cf6194b);
bl = proc1(&eax, esp - 40, 4, &local0, 12, &-15, bl, esp - 28); /* Warning: also results in ebx */
local5 = eax + eax_2;
esi = *(eax_1 - 0x6cf61947);
local16 = esi;
local27 = esp - 584;
ax = proc1(&esi, esp - 600, 4, &local0, 16, &-15, bl, ebx); /* Warning: also results in cx, dx, al, cl, bl */
local17 = 20;
local7 = eax_1 - 0x6cf61943;
local9 = edi * 8 + 12;
local22 = 64;
local23 = 0x3000;
ebx = edi * 8 + edi_2 + 12;
local24 = ebx + ebx_2;
local25 = 0;
eax = VirtualAlloc(0, ebx + ebx_2, 0x3000, 64); /* Warning: also results in esp_2 */
local63 = esp_2;
local20 = eax;
edi_1 = eax + eax_2 + edi * 8 + 12;
local2 = edi_1;
local15 = edi * 8 + 12;
local21 = edi * 8 + 12;
local1 = 0;
local4 = 0;
}
for(;;) {
esp_3 = local63;
local58 = local1;
local64 = local58;
local65 = local16;
if (local21 != local16) {
goto L0;
}
local1 = local58 + 1;
local64 = local1;
if (local1 == local3) {
*(union { void * x171; int x172; }*)(esp_3 - 4) = esp - 564;
*(unsigned char **)(esp_3 - 8) = local9;
*(union { void * x173; int x174; }*)(esp_3 - 12) = (esp - 568);
*(unsigned int*)(esp_3 - 16) = local19;
ecx = local20 - local9;
*(int*)(esp_3 - 20) = ecx;
*(unsigned char **)(esp_3 - 24) = local20;
eax_3 = proc1(*(esp_3 - 24), *(esp_3 - 20), *(esp_3 - 16), *(esp_3 - 12), *(esp_3 - 8), *(esp_3 - 4), bl, esp - 568); /* Warning: also results in ax, cx, dx, al, cl, bl, edx, edi */
*(void **)(esp_3 - 4) = local8;
*(union { void * x175; int x176; }*)(esp_3 - 8) = esp - 564;
*(unsigned int*)(esp_3 - 12) = local19;
*(int*)(esp_3 - 16) = local14;
*(unsigned char **)(esp_3 - 20) = local20;
esi = local20 + local19;
*(void **)(esp_3 - 24) = esi;
(*local20 + 0xf50)(local28, local27, local26, local25, local24, local23, local22, local30, 0x15000, 0, 0x5d000000, 0xe6000, 0x370000, 0x328000, 0, 0x6c000, 0x12c00, (esp - 660), 0, ecx_1, 0x5c000000, (esp - 544), eax, local20 + 0xf50, local20 + 0xf50, local21, local20, local19, local18, local17, local16, local15, local29, local14, local13, local12, local11, -38, local10, local9, local8, local7, local6, local5, local4, local3, local0, local2, local58 + 1, ebp, argc, argv, envp, ax, cx, dx, al, cl, (unsigned char) local58 + 1, bl, eax_3, local14, edx, local20, esp - 4, esi, edi, ADDFLAGS32(local20, local19, esi), ADDFLAGS32(local20, local19, esi), ADDFLAGS32(local20, local19, esi));
return eax;
}
edx = *local7;
*(union { void * x159; int x160; }*)(esp_3 - 4) = esp - 564;
*(void **)(esp_3 - 8) = local17;
*(union { void * x161; int x162; }*)(esp_3 - 12) = esp - 16;
*(__size32*)(esp_3 - 16) = 4;
esi = esp - local17 - 28;
*(union { unsigned char * x147; int x148; }*)(esp_3 - 20) = esi;
*(union { void * x163; int x164; }*)(esp_3 - 24) = esp - 28;
bl = proc1(*(esp_3 - 24), *(esp_3 - 20), *(esp_3 - 16), *(esp_3 - 12), *(esp_3 - 8), *(esp_3 - 4), bl, esp - 28);
ebx_1 = edx + local6;
local5 = ebx_1;
local17 += 4;
local7 += 4;
ebx = *local7;
local35 = ebx;
*(union { void * x165; int x166; }*)(esp_3 - 4) = esp - 564;
*(void **)(esp_3 - 8) = local17;
*(union { void * x167; int x168; }*)(esp_3 - 12) = esp - 16;
*(__size32*)(esp_3 - 16) = 4;
edi = esp - local17 - 584;
*(int*)(esp_3 - 20) = edi;
*(union { void * x169; int x170; }*)(esp_3 - 24) = esp - 584;
ax = proc1(*(esp_3 - 24), *(esp_3 - 20), *(esp_3 - 16), *(esp_3 - 12), *(esp_3 - 8), *(esp_3 - 4), bl, ebx); /* Warning: also results in cx, dx, al, cl, bl */
local65 = local35;
local17 += 4;
local7 += 4;
local21 = 0;
local2 = ebx_1;
L0:
esp_4 = esp_3;
local1 = local64;
local16 = local65;
ebx_1 = local20 + local4;
dl = *local2;
*(unsigned char*)ebx_1 = dl;
local2++;
local4++;
local21++;
local15++;
local63 = esp_4;
local63 = esp_4;
}
}
/***********************************************************************
* main
*/
int main( int argc, char *argv[] )
{
DWORD count;
HINSTANCE16 instance;
LOADPARAMS16 params;
WORD showCmd[2];
char buffer[MAX_PATH];
STARTUPINFOA info;
char *cmdline, *appname, **first_arg;
char *p;
if (!argv[1]) usage();
if (!strcmp( argv[1], "--app-name" ))
{
if (!(appname = argv[2])) usage();
first_arg = argv + 3;
}
else
{
if (!SearchPathA( NULL, argv[1], ".exe", sizeof(buffer), buffer, NULL ))
{
WINE_MESSAGE( "winevdm: unable to exec '%s': file not found\n", argv[1] );
ExitProcess(1);
}
appname = buffer;
first_arg = argv + 1;
}
if (*first_arg) first_arg++; /* skip program name */
cmdline = build_command_line( first_arg );
if (WINE_TRACE_ON(winevdm))
{
int i;
WINE_TRACE( "GetCommandLine = '%s'\n", GetCommandLineA() );
WINE_TRACE( "appname = '%s'\n", appname );
WINE_TRACE( "cmdline = '%.*s'\n", cmdline[0], cmdline+1 );
for (i = 0; argv[i]; i++) WINE_TRACE( "argv[%d]: '%s'\n", i, argv[i] );
}
GetStartupInfoA( &info );
showCmd[0] = 2;
showCmd[1] = (info.dwFlags & STARTF_USESHOWWINDOW) ? info.wShowWindow : SW_SHOWNORMAL;
params.hEnvironment = 0;
params.cmdLine = MapLS( cmdline );
params.showCmd = MapLS( showCmd );
params.reserved = 0;
RestoreThunkLock(1); /* grab the Win16 lock */
/* some programs assume mmsystem is always present */
LoadLibrary16( "gdi.exe" );
LoadLibrary16( "user.exe" );
LoadLibrary16( "mmsystem.dll" );
if ((instance = LoadModule16( appname, ¶ms )) < 32)
{
if (instance == 11)
{
/* first see if it is a .pif file */
if( ( p = strrchr( appname, '.' )) && !strcasecmp( p, ".pif"))
pif_cmd( appname, cmdline + 1);
else
{
/* try DOS format */
/* loader expects arguments to be regular C strings */
start_dos_exe( appname, cmdline + 1 );
}
/* if we get back here it failed */
instance = GetLastError();
}
WINE_MESSAGE( "winevdm: can't exec '%s': ", appname );
switch (instance)
{
case 2: WINE_MESSAGE("file not found\n" ); break;
case 11: WINE_MESSAGE("invalid program file\n" ); break;
default: WINE_MESSAGE("error=%d\n", instance ); break;
}
ExitProcess(instance);
}
/* wait forever; the process will be killed when the last task exits */
ReleaseThunkLock( &count );
Sleep( INFINITE );
return 0;
}
/**
@brief herp derp.
@private
@bug Sometimes on windows XP, if a process is started up to be
injected into, the process will exit before completing
startup if the DLL unloads itself before process startup
is complete.
**/
int main(int argc, CHAR* argv[])
{
char *dllArg = NULL;
char *programPath = NULL;
char *procArgs = NULL;
WCHAR procNameBuffer[MAX_PATH] = {0};
PWCHAR procName = NULL;
DWORD pid = 0;
DWORD waitMs = 0;
BOOL startProcess;
DWORD injectionMethod = 0;
unsigned char dllCount = 0;
char *dllList[128];
if(argc==1){
Usage();
}
// Get Windows Version Information.
OSVERSIONINFOEX OsInfo = {0};
OsInfo.dwOSVersionInfoSize = sizeof(OsInfo);
GetVersionEx((LPOSVERSIONINFO)&OsInfo);
// These are used later to make decisions on how to do things.
BOOL is2kOrAbove = FALSE;
BOOL isXpOrAbove = FALSE;
BOOL isVistaOrAbove = FALSE;
BOOL is7OrAbove = FALSE;
if(OsInfo.dwMajorVersion >= 6){
isVistaOrAbove = TRUE;
if(OsInfo.dwMinorVersion >= 1){
is7OrAbove = TRUE;
}
}
if(OsInfo.dwMajorVersion >= 5){
is2kOrAbove = TRUE;
if(OsInfo.dwMinorVersion >= 1){
isXpOrAbove = TRUE;
}
}
// This really wont event get shown, the program just crashes when run.
if(isXpOrAbove == FALSE){
printf("ERROR: Injex is not compatible with this version of windows.");
ExitProcess(-1);
}
for(int i=1;i<argc;i++){
if(strcmp(argv[i],"-d") == 0){
// Add the DLL list
dllList[dllCount] = (char*)malloc(MAX_PATH);
// Get the full path to the DLL to inject, the application loading will need this.
GetFullPathNameA(argv[++i],MAX_PATH,dllList[dllCount],NULL);
// Inc the dll count.
dllCount++;
} else if(strcmp(argv[i],"-b") == 0) {
programPath = argv[++i];
startProcess = TRUE;
} else if(strcmp(argv[i],"-p") == 0) {
if(isNumeric(argv[i+1]))
pid = atoi(argv[++i]);
else{
printf("ERROR: Invalid Process Id specified \"%s\"; Process Id should be numeric.\n",argv[i+1]);
Usage();
}
startProcess = FALSE;
} else if(strcmp(argv[i],"-a") == 0) {
procArgs = argv[++i];
} else if(strcmp(argv[i],"-h") == 0) {
Usage();
} else if(strcmp(argv[i],"-w") == 0) {
if(isXpOrAbove == FALSE){
printf("ERROR: Process suspension is only supported on Windows XP/2003 or above.\n");
Usage();
}
waitMs = atoi(argv[++i]);
} else if (strcmp(argv[i],"-n") == 0) {
if(isXpOrAbove == FALSE){
printf("ERROR: Selecting a process by name is only supported on Windows XP or above. Please use process id instead.\n");
Usage();
}
i++;
procName = procNameBuffer;
MultiByteToWideChar(CP_UTF8, 0, argv[i], INT(strlen(argv[i])), procName, MAX_PATH);
startProcess = FALSE;
} else if (strcmp(argv[i],"-i") == 0) {
if(isNumeric(argv[i+1]))
injectionMethod = atoi(argv[++i]);
else{
printf("ERROR: Invalid injection method, injection methods are provided by number.\n");
Usage();
}
} else {
printf("ERROR: Unknown command line option \"%s\"\n",argv[i]);
Usage();
}
}
// Validate their command line options.
if(pid == 0 && programPath == NULL && procName == 0){
printf("ERROR: Please specify either a Process ID, a binary to launch, or the name of a running process.\n");
Usage();
}
// Check to make sure the specified a DLL.
if(dllCount == 0){
printf("ERROR: Please specify a DLL to inject.\n");
Usage();
}
// Ensure that they selected an injection method that is within range.
if(injectionMethod>1){
printf("ERROR: Invalid injection method selected.\n");
Usage();
}
// The handle of the process we will inject into.
HANDLE proc=INVALID_HANDLE_VALUE;
// Used for keeping track of the suspended threads.
DWORD threadCount = 0;
// Assuming 1MB stacks, 2048*1MB =~ 2GB. I am ASSUMING that the thread count in an application will never exceed this due to hardware contraints.
#define MAX_THREADS 2048
HANDLE threads[MAX_THREADS];
// Get the handle to the process to inject into and store it in proc.
if(startProcess){
// startProcess means that we need to start it up...
PROCESS_INFORMATION pi;
STARTUPINFOA si;
GetStartupInfoA(&si);
// Assemble the command line to start the process.
char CommandLine[8191] = {0};
sprintf(CommandLine,"\"%s\"", programPath);
if(procArgs != NULL){
strcat(CommandLine, " ");
strcat(CommandLine, procArgs);
}
DWORD dwFlags = 0;
if(waitMs) dwFlags |= CREATE_SUSPENDED;
printf("Starting new process to inject into:\n%s\n",CommandLine);
if(CreateProcessA(NULL,CommandLine,NULL,NULL,0,dwFlags,NULL,NULL,&si,&pi) == 0)
{
ErrorExit(TEXT("CreateProcessA"), "Check your process path.");
}
if(waitMs){
threadCount = 1;
threads[0] = pi.hThread;
}
proc = pi.hProcess;
}
else{
// The process is already running, we need to get a handle to it with the correct permissions.
if(procName != NULL){
// Open a handle to the process if they specified it with a name.
proc = GetProcessHandleFromName(procName);
if(proc == NULL){
printf("ERROR: Failed to find a process by the name of '%S' that we have permissions to inject into. Make sure that your have proper permissions and the process is running.\n", procName);
ExitProcess(-1);
}
} else {
// Open a handle to the process specified by PID.
proc = GetProcessHandleFromPid(pid);
if(proc == NULL)
{
ErrorExit(TEXT("OpenProcess"), "Check the Process Id that you provided.");
}
}
if(waitMs){
/** @todo Add the ability to suspend already running processes. */
}
}
// Inject each dll listed.
for(DWORD i=0;i<dllCount;i++){
printf("Injecting %s into pid %d.\n", dllList[i], GetProcessId(proc));
DWORD dwThreadExitCode;
switch(injectionMethod){
case 0:
printf("Using LoadLibrary injection (Richter Method).\n");
dwThreadExitCode = LoadLibraryInjection(proc, dllList[i]);
break;
case 1:
printf("Using Thread Hijacking...\n");
dwThreadExitCode = ThreadHijackInjection(proc, dllList[i]);
break;
}
if(dwThreadExitCode == 0){
printf("ERROR: The target process failed to load %s. Check the DLL path you specified.\n",dllList[i]);
printf("DLL Injection Failed!");
} else {
printf("%s Injection Successful!\n",dllList[i]);
}
// Free up that memory...
free(dllList[i]);
}
if(waitMs && startProcess){
printf("Waiting %ims for DLL to lay hooks before resuming the process.\n",waitMs);
Sleep(waitMs);
for(DWORD i=0;i<threadCount;i++){
printf("Resuming threads in process %d...\n", GetProcessId(proc));
ResumeThread(threads[i]);
CloseHandle(threads[i]);
}
}
// No need for this handle anymore.
CloseHandle(proc);
return 0;
}
void fn1310E4E5(Eq_281 * fs)
{
word32 * eax_14 = fs->ptr0000;
fs->ptr0000 = fp - 0x00000014;
__set_app_type();
__p__fmode();
*eax_14 = 0x00000000;
__p__commode();
*eax_14 = 0x00000000;
word32 eax_51 = Mem49[_adjust_fdiv:word32];
fn1310E63E();
word32 esp_193 = fp + 0xFFFFFF68;
if (eax_51 == 0x00000000)
{
__setusermatherr();
esp_193 = fp + 0xFFFFFF64;
}
fn1310E629();
Eq_318 * esp_59 = esp_193 - 0x00000004;
esp_59->dw0000 = fp - 0x00000080;
esp_59->dw0000 = fp - 0x00000080;
_initterm();
esp_59->tFFFFFFF4 = fp - 0x00000070;
esp_59->dwFFFFFFF0 = eax_51;
esp_59->dwFFFFFFEC = fp - 0x00000068;
esp_59->dwFFFFFFE8 = fp - 0x00000074;
esp_59->dwFFFFFFE4 = fp - 0x00000064;
__getmainargs();
esp_59->dwFFFFFFDC = fp - 0x00000080;
esp_59->dwFFFFFFD8 = fp - 0x00000080;
_initterm();
word32 esi_161 = Mem85[_acmdln:word32];
if (esi_161->b0000 == 0x22)
{
l1310E597:
do
{
esi_161 = esi_161 + 1;
bcu8 al_171 = esi_161->b0000;
} while (al_171 == 0x00 || al_171 == 0x22);
if (esi_161->b0000 == 0x22)
{
l1310E5AA:
esi_161 = esi_161 + 1;
l1310E5AE:
bcu8 al_98 = esi_161->b0000;
if (al_98 != 0x00 && al_98 <=u 0x20)
goto l1310E5AA;
}
else
goto l1310E5AE;
}
else
while (esi_161->b0000 >u 0x20)
esi_161 = esi_161 + 1;
Eq_57 eax_113;
esp_59->tFFFFFFF4 = fp - 0x00000060;
GetStartupInfoA(esp_59->tFFFFFFF4);
word32 esp_109 = &esp_59->tFFFFFFF4;
if (0x00 != 0x00)
eax_113 = (word32) wLoc30;
else
{
esp_59->tFFFFFFF4.u0 = 0x0000000A;
eax_113 = esp_59->tFFFFFFF4;
esp_109 = &esp_59->tFFFFFFF4;
}
Eq_439 * esp_115 = esp_109 - 0x00000004;
esp_115->t0000 = eax_113;
Mem118[esp_115 - 0x00000004:word32] = esi_161;
esp_115->t0000.u0 = 0x00000000;
esp_115->t0000.u0 = 0x00000000;
Mem126[esp_115 - 0x0000000C:word32] = GetModuleHandleA(esp_115->t0000);
esp_115->dw0016 = fn1310E09B();
exit(esp_115->dw0016);
word32 ecx_137 = **dwLoc18;
esp_115->ptr0012 = dwLoc18;
esp_115->dw000E = ecx_137;
_XcptFilter();
return;
}
word32 fn1310E09B()
{
SetErrorMode(0x5C000000);
ADVAPI32.dll!WmiReceiveNotificationsA();
GetStartupInfoA(fp + 0xFFFFFD6C);
ADVAPI32.dll!WmiSetSingleInstanceW();
Eq_63 * eax_36 = SafeArrayGetUBound(null, 0x0006C000, (LONG *) 0x00012C00);
if (eax_36 != (Eq_63 *) 0xFC110199 && eax_36 + 0x80010332 == eax_36 + 0xFFFD0199)
{
word32 ebx_303 = eax_36->dw9309E6A9;
fn1310E000(fp + 0xFFFFFDC4, fp + 0xFFFFFDC4, 0x00000004, fp - 0x00000010, 0x00000000, fp + 0xFFFFFDCC);
word32 edi_328 = eax_36->dw9309E6AD;
fn1310E000(fp + 0xFFFFFDA8, fp + 0xFFFFFDA4, 0x00000004, fp - 0x00000010, 0x00000004, fp + 0xFFFFFDCC);
ui32 edi_351 = eax_36->dw9309E6B1;
fn1310E000(fp - 0x00000014, fp - 0x0000001C, 0x00000004, fp - 0x00000010, 0x00000008, fp + 0xFFFFFDCC);
Eq_138 eax_378 = GetModuleHandleA(0x00000000);
word32 eax_386 = eax_36->dw9309E6B5;
fn1310E000(fp - 0x0000001C, fp - 0x00000028, 0x00000004, fp - 0x00000010, 0x0000000C, fp + 0xFFFFFDCC);
dwLoc0248 = eax_36->dw9309E6B9;
fn1310E000(fp + 0xFFFFFDB8, fp + 0xFFFFFDA8, 0x00000004, fp - 0x00000010, 0x00000010, fp + 0xFFFFFDCC);
word32 eax_449 = edi_351 * 0x00000008 + 0x0000000C;
dwLoc0258 = edi_328;
dwLoc14 = edi_351;
dwLoc20 = eax_378;
dwLoc024C = 0x00000014;
dwLoc24 = eax_36 + 0x9309E6BD;
dwLoc2C = eax_449;
dwLoc0260 = VirtualAlloc(0x00000000, eax_449 + edi_328 + ebx_303, 0x00003000, 0x00000040);
dwLoc0C = eax_386 + eax_378 + eax_449;
dwLoc0264 = eax_449;
dwLoc08 = 0x00000000;
dwLoc18 = 0x00000000;
goto l1310E32A;
}
l1310E32A:
while (0x00000001 != 0x00000000)
{
if (dwLoc0264 == dwLoc0248)
{
ui32 edx_221 = dwLoc08 + 0x00000001;
dwLoc08 = edx_221;
if (edx_221 == dwLoc14)
goto l1310E45A;
word32 edx_227 = dwLoc24->dw0000;
fn1310E000(fp - 0x0000001C, fp - 0x0000001C - dwLoc024C, 0x00000004, fp - 0x00000010, dwLoc024C, fp + 0xFFFFFDCC);
Eq_253 * esi_257 = &dwLoc24->t0004;
word32 ebx_254 = dwLoc024C + 0x00000004;
dwLoc0248 = esi_257->dw0000;
fn1310E000(fp + 0xFFFFFDB8, fp + 0xFFFFFDB8 - ebx_254, 0x00000004, fp - 0x00000010, ebx_254, fp + 0xFFFFFDCC);
dwLoc024C = ebx_254 + 0x00000004;
dwLoc24 = esi_257 + 0x00000004;
dwLoc0264 = 0x00000000;
dwLoc0C = edx_227 + dwLoc20;
goto l1310E415;
}
l1310E415:
dwLoc0260->b0000 = dwLoc0C->b0000;
dwLoc0C = dwLoc0C + 1;
dwLoc18 = dwLoc18 + 0x00000001;
dwLoc0264 = dwLoc0264 + 0x00000001;
}
l1310E45A:
word32 eax_147 = fn1310E000(dwLoc0260, dwLoc0260 - dwLoc2C, dwLoc0258, fp + 0xFFFFFDC8, dwLoc2C, fp + 0xFFFFFDCC);
(dwLoc0260 + 0x00000F50)();
return eax_147;
}
