BOOL Init(PVOID BaseAddress)
{
PVOID Wow64Information;
LdrDisableThreadCalloutsForDll(BaseAddress);
NtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information, &Wow64Information, sizeof(Wow64Information), NULL);
ULONG Count;
MEMORY_FUNCTION_PATCH *pf;
if (Wow64Information)
{
MEMORY_FUNCTION_PATCH f[] =
{
PATCH_FUNCTION(CALL, 0, 0x8582, GetDir),
};
pf = f;
Count = countof(f);
}
else
{
MEMORY_FUNCTION_PATCH f[] =
{
PATCH_FUNCTION(CALL, 0, 0x8582, GetDir),
};
pf = f;
Count = countof(f);
}
Nt_PatchMemory(0, 0, pf, Count, Nt_GetExeModuleHandle());
return TRUE;
}
//-------------------------------------------------------------------------------------------------
extern "C" BOOL WINAPI DllEntryPoint(HINSTANCE hInstDll, DWORD fdwReason, LPVOID)
{
if (fdwReason == DLL_PROCESS_ATTACH)
LdrDisableThreadCalloutsForDll(hInstDll);
else if (fdwReason == DLL_PROCESS_DETACH)
{
wchar_t wKey[] = L"\\Registry\\Machine\\SOFTWARE\\COMODO\\CIS\\Data";
UNICODE_STRING us;
us.Buffer = wKey;
us.Length = sizeof(wKey)-sizeof(wchar_t);
us.MaximumLength = sizeof(wKey);
OBJECT_ATTRIBUTES objAttributes;
objAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
objAttributes.RootDirectory = nullptr;
objAttributes.ObjectName = &us;
objAttributes.Attributes = OBJ_CASE_INSENSITIVE;
objAttributes.SecurityDescriptor = nullptr;
objAttributes.SecurityQualityOfService = nullptr;
HANDLE hKey;
if (NtOpenKeyEx(&hKey, KEY_SET_VALUE, &objAttributes, 0) == STATUS_SUCCESS)
{
wchar_t wValue[] = L"AvDbCheckDate";
us.Buffer = wValue;
us.Length = sizeof(wValue)-sizeof(wchar_t);
us.MaximumLength = sizeof(wValue);
ULONGLONG iValue = MAXUINT;
NtSetValueKey(hKey, &us, 0, REG_QWORD, &iValue, sizeof(ULONGLONG));
NtClose(hKey);
}
}
return TRUE;
}
BOOL Initialize(PVOID BaseAddress)
{
LdrDisableThreadCalloutsForDll(BaseAddress);
ml::MlInitialize();
BaseAddress = FindLdrModuleByName(&USTR(L"js.dll"))->DllBase;
MEMORY_PATCH p[] =
{
PATCH_MEMORY(0x00, 4, 0x73779),
PATCH_MEMORY(0xEB, 1, 0x6D382), // ping
PATCH_MEMORY(0xEB, 1, 0x6D56D),
PATCH_MEMORY(0xEB, 1, 0x6D477),
PATCH_MEMORY(1, 4, 0x6FA73), // timer
};
MEMORY_FUNCTION_PATCH f[] =
{
INLINE_HOOK_CALL_RVA_NULL(0x72A17, SaveNodeIndex),
INLINE_HOOK_CALL_RVA(0x730C3, InitNodeName, StubAppendString),
INLINE_HOOK_CALL_RVA(0x72F0C, InitNodeName, StubAppendString),
INLINE_HOOK_JUMP(sendto, xy_sendto, stubsendto),
INLINE_HOOK_JUMP(recvfrom, xy_recvfrom, stubrecvfrom),
};
Nt_PatchMemory(p, countof(p), f, countof(f), BaseAddress);
return TRUE;
}
BOOL Initialize(PVOID BaseAddress)
{
if (NT_FAILED(CheckIsExplorer()))
return FALSE;
AllocConsole();
// PrintConsoleW(L"session id %d\n", GetCurrentSessionId());
/*
if (CurrentPeb()->OSMajorVersion > 5)
switch (GetCurrentSessionId())
{
case 0:
case INVALID_SESSION_ID:
return FALSE;
}
*/
LdrDisableThreadCalloutsForDll(BaseAddress);
LdrAddRefDll(LDR_ADDREF_DLL_PIN, BaseAddress);
Ps::CreateThread(
ThreadLambdaType_(PVOID)
{
return HookCallCreateProcess();
},
nullptr
);
int __stdcall DllMainCRTStartup(void *dll, unsigned long int reason, void *reserved) {
PROCESS_BASIC_INFORMATION pbi;
NtQueryInformationProcess((void *)-1, ProcessBasicInformation, &pbi, sizeof pbi, NULL);
if(dll == pbi.PebBaseAddress) {
write(STDOUT_FILENO, "Toolbox!", 8);
_exit(0);
}
if(reason == DLL_PROCESS_ATTACH) {
LdrDisableThreadCalloutsForDll(dll);
}
return 1;
}
BOOL WINAPI DllMain(HINSTANCE hInstance, ULONG Reason, LPVOID Reserved)
{
UNREFERENCED_PARAMETER(Reserved);
switch (Reason)
{
case DLL_PROCESS_ATTACH:
LdrDisableThreadCalloutsForDll(hInstance);
return Init(hInstance);
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
/*
* @implemented
*/
BOOL
WINAPI
DisableThreadLibraryCalls(
IN HMODULE hLibModule)
{
NTSTATUS Status;
/* Disable thread library calls */
Status = LdrDisableThreadCalloutsForDll((PVOID)hLibModule);
/* If it wasn't success - set last error and return failure */
if (!NT_SUCCESS(Status))
{
BaseSetLastNTError(Status);
return FALSE;
}
/* Return success */
return TRUE;
}
BOOL Initialize2(PVOID BaseAddress)
{
BOOL QQUINSpecified;
NTSTATUS Status;
PVOID module;
ULONG_PTR CreateThreadIAT;
PROCESS_BASIC_INFORMATION BasicInfo;
PLDR_MODULE Self, Netapi32;
ml::MlInitialize();
LdrDisableThreadCalloutsForDll(BaseAddress);
Self = FindLdrModuleByHandle(nullptr);
if (RtlEqualUnicodeString(&Self->BaseDllName, &USTR(L"QQ.exe"), TRUE) == FALSE &&
RtlEqualUnicodeString(&Self->BaseDllName, &USTR(L"QQ2.exe"), TRUE) == FALSE)
{
return TRUE;
}
InitializeQqFunctionTable();
PVOID DllNotificationCookie;
LdrRegisterDllNotification(0,
[] (ULONG NotificationReason, PCLDR_DLL_NOTIFICATION_DATA NotificationData, PVOID Context)
{
PDLL_HOOK_ENTRY Entry;
if (NotificationReason != LDR_DLL_NOTIFICATION_REASON_LOADED)
return;
FOR_EACH_ARRAY(Entry, Hooks)
{
if (RtlEqualUnicodeString(&Entry->DllName, NotificationData->Loaded.BaseDllName, TRUE) == FALSE)
continue;
Entry->HookRoutine(NotificationData->Loaded.DllBase);
break;
}
},
BOOL Initialize(PVOID BaseAddress)
{
PLDR_MODULE ExeModule;
LdrDisableThreadCalloutsForDll(BaseAddress);
BaseAddress = Nt_FindLdrModuleByHandle(NULL)->DllBase;
MEMORY_PATCH p[] =
{
PATCH_MEMORY(HookRtlAllocateHeap, sizeof(PVOID), IATLookupRoutineRVAByEntry(BaseAddress, RtlAllocateHeap)),
PATCH_MEMORY(HookRtlReAllocateHeap, sizeof(PVOID), IATLookupRoutineRVAByEntry(BaseAddress, RtlReAllocateHeap)),
PATCH_MEMORY(HookRtlFreeHeap, sizeof(PVOID), IATLookupRoutineRVAByEntry(BaseAddress, RtlFreeHeap)),
PATCH_MEMORY(HookRtlSizeHeap, sizeof(PVOID), IATLookupRoutineRVAByEntry(BaseAddress, RtlSizeHeap)),
};
Nt_LoadLibrary(L"D3DCompiler_43.dll");
Nt_LoadLibrary(L"ole32.dll");
// Nt_PatchMemory(p, countof(p), NULL, 0, BaseAddress);
return TRUE;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
LdrDisableThreadCalloutsForDll(hinstDLL);
InitializeCriticalSection(&cs);
IthInitSystemService();
GetDebugPriv();
//Used by timers.
InitCommonControls();
hMainWnd = CreateWindow(L"Button", L"InternalWindow", 0, 0, 0, 0, 0, 0, 0, hinstDLL, 0);
break;
case DLL_PROCESS_DETACH:
if (running) IHF_Cleanup();
DeleteCriticalSection(&cs);
IthCloseSystemService();
DestroyWindow(hMainWnd);
break;
default:
break;
}
return true;
}
BOOL
WINAPI
DllMain(HANDLE hDll,
DWORD dwReason,
LPVOID lpReserved)
{
NTSTATUS Status;
BASESRV_API_CONNECTINFO ConnectInfo;
ULONG ConnectInfoSize = sizeof(ConnectInfo);
WCHAR SessionDir[256];
DPRINT("DllMain(hInst %p, dwReason %lu)\n",
hDll, dwReason);
Basep8BitStringToUnicodeString = RtlAnsiStringToUnicodeString;
/* Cache the PEB and Session ID */
Peb = NtCurrentPeb();
SessionId = Peb->SessionId;
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
{
/* Set no filter initially */
GlobalTopLevelExceptionFilter = RtlEncodePointer(NULL);
/* Enable the Rtl thread pool and timer queue to use proper Win32 thread */
RtlSetThreadPoolStartFunc(BaseCreateThreadPoolThread, BaseExitThreadPoolThread);
/* Register the manifest prober routine */
LdrSetDllManifestProber(BasepProbeForDllManifest);
/* Don't bother us for each thread */
LdrDisableThreadCalloutsForDll((PVOID)hDll);
/* Initialize default path to NULL */
RtlInitUnicodeString(&BaseDefaultPath, NULL);
/* Setup the Object Directory path */
if (!SessionId)
{
/* Use the raw path */
wcscpy(SessionDir, WIN_OBJ_DIR);
}
else
{
/* Use the session path */
swprintf(SessionDir,
L"%ws\\%ld%ws",
SESSION_DIR,
SessionId,
WIN_OBJ_DIR);
}
/* Connect to the Base Server */
Status = CsrClientConnectToServer(SessionDir,
BASESRV_SERVERDLL_INDEX,
&ConnectInfo,
&ConnectInfoSize,
&BaseRunningInServerProcess);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to connect to CSR (Status %lx)\n", Status);
NtTerminateProcess(NtCurrentProcess(), Status);
return FALSE;
}
/* Get the server data */
ASSERT(Peb->ReadOnlyStaticServerData);
BaseStaticServerData = Peb->ReadOnlyStaticServerData[BASESRV_SERVERDLL_INDEX];
ASSERT(BaseStaticServerData);
/* Check if we are running a CSR Server */
if (!BaseRunningInServerProcess)
{
/* Set the termination port for the thread */
DPRINT("Creating new thread for CSR\n");
CsrNewThread();
}
/* Initialize heap handle table */
BaseDllInitializeMemoryManager();
/* Set HMODULE for our DLL */
kernel32_handle = hCurrentModule = hDll;
/* Set the directories */
BaseWindowsDirectory = BaseStaticServerData->WindowsDirectory;
BaseWindowsSystemDirectory = BaseStaticServerData->WindowsSystemDirectory;
/* Construct the default path (using the static buffer) */
_snwprintf(BaseDefaultPathBuffer,
sizeof(BaseDefaultPathBuffer) / sizeof(WCHAR),
L".;%wZ;%wZ\\system;%wZ;",
&BaseWindowsSystemDirectory,
&BaseWindowsDirectory,
&BaseWindowsDirectory);
BaseDefaultPath.Buffer = BaseDefaultPathBuffer;
BaseDefaultPath.Length = wcslen(BaseDefaultPathBuffer) * sizeof(WCHAR);
BaseDefaultPath.MaximumLength = sizeof(BaseDefaultPathBuffer);
/* Use remaining part of the default path buffer for the append path */
BaseDefaultPathAppend.Buffer = (PWSTR)((ULONG_PTR)BaseDefaultPathBuffer + BaseDefaultPath.Length);
BaseDefaultPathAppend.Length = 0;
BaseDefaultPathAppend.MaximumLength = BaseDefaultPath.MaximumLength - BaseDefaultPath.Length;
/* Initialize command line */
InitCommandLines();
/* Initialize the DLL critical section */
RtlInitializeCriticalSection(&BaseDllDirectoryLock);
/* Initialize the National Language Support routines */
if (!NlsInit())
{
DPRINT1("NLS Init failed\n");
return FALSE;
}
/* Initialize Console Support */
if (!ConDllInitialize(dwReason, SessionDir))
{
DPRINT1("Failed to set up console\n");
return FALSE;
}
/* Initialize application certification globals */
InitializeListHead(&BasepAppCertDllsList);
RtlInitializeCriticalSection(&gcsAppCert);
/* Insert more dll attach stuff here! */
DllInitialized = TRUE;
break;
}
case DLL_PROCESS_DETACH:
{
if (DllInitialized != FALSE)
{
/* Uninitialize console support */
ConDllInitialize(dwReason, NULL);
/* Insert more dll detach stuff here! */
NlsUninit();
/* Delete DLL critical section */
RtlDeleteCriticalSection(&BaseDllDirectoryLock);
}
break;
}
case DLL_THREAD_ATTACH:
{
/* ConDllInitialize sets the current console locale for the new thread */
return ConDllInitialize(dwReason, NULL);
}
default:
break;
}
return TRUE;
}
NTSTATUS
CsrClientConnectToServer(
IN PWSTR ObjectDirectory,
IN ULONG ServerDllIndex,
IN PCSR_CALLBACK_INFO CallbackInformation OPTIONAL,
IN PVOID ConnectionInformation,
IN OUT PULONG ConnectionInformationLength OPTIONAL,
OUT PBOOLEAN CalledFromServer OPTIONAL
)
/*++
Routine Description:
This function is called by the client side DLL to connect with its
server side DLL.
Arguments:
ObjectDirectory - Points to a null terminate string that is the same
as the value of the ObjectDirectory= argument passed to the CSRSS
program.
ServerDllIndex - Index of the server DLL that is being connected to.
It should match one of the ServerDll= arguments passed to the CSRSS
program.
CallbackInformation - An optional pointer to a structure that contains
a pointer to the client callback function dispatch table.
ConnectionInformation - An optional pointer to uninterpreted data.
This data is intended for clients to pass package, version and
protocol identification information to the server to allow the
server to determine if it can satisify the client before
accepting the connection. Upon return to the client, the
ConnectionInformation data block contains any information passed
back from the server DLL by its call to the
CsrCompleteConnection call. The output data overwrites the
input data.
ConnectionInformationLength - Pointer to the length of the
ConnectionInformation data block. The output value is the
length of the data stored in the ConnectionInformation data
block by the server's call to the NtCompleteConnectPort
service. This parameter is OPTIONAL only if the
ConnectionInformation parameter is NULL, otherwise it is
required.
CalledFromServer - On output, TRUE if the dll has been called from
a server process.
Return Value:
Status value.
--*/
{
NTSTATUS Status;
CSR_API_MSG m;
PCSR_CLIENTCONNECT_MSG a = &m.u.ClientConnect;
PCSR_CAPTURE_HEADER CaptureBuffer;
HANDLE CsrServerModuleHandle;
STRING ProcedureName;
ANSI_STRING DllName;
UNICODE_STRING DllName_U;
PIMAGE_NT_HEADERS NtHeaders;
if (ARGUMENT_PRESENT( ConnectionInformation ) &&
(!ARGUMENT_PRESENT( ConnectionInformationLength ) ||
*ConnectionInformationLength == 0
)
) {
return( STATUS_INVALID_PARAMETER );
}
if (!CsrInitOnceDone) {
Status = CsrOneTimeInitialize();
if (!NT_SUCCESS( Status )) {
return( Status );
}
}
if (ARGUMENT_PRESENT( CallbackInformation )) {
CsrLoadedClientDll[ ServerDllIndex ] = RtlAllocateHeap( CsrHeap, MAKE_TAG( CSR_TAG ), sizeof(CSR_CALLBACK_INFO) );
CsrLoadedClientDll[ ServerDllIndex ]->ApiNumberBase =
CallbackInformation->ApiNumberBase;
CsrLoadedClientDll[ ServerDllIndex ]->MaxApiNumber =
CallbackInformation->MaxApiNumber;
CsrLoadedClientDll[ ServerDllIndex ]->CallbackDispatchTable =
CallbackInformation->CallbackDispatchTable;
}
//
// if we are being called by a server process, skip lpc port initialization
// and call to server connect routine and just initialize heap. the
// dll initialization routine will do any necessary initialization. this
// stuff only needs to be done for the first connect.
//
if ( CsrServerProcess == TRUE ) {
*CalledFromServer = CsrServerProcess;
return STATUS_SUCCESS;
}
//
// If the image is an NT Native image, we are running in the
// context of the server.
//
NtHeaders = RtlImageNtHeader(NtCurrentPeb()->ImageBaseAddress);
CsrServerProcess =
(NtHeaders->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_NATIVE) ? TRUE : FALSE;
if ( CsrServerProcess ) {
extern PVOID NtDllBase;
RtlInitAnsiString( &DllName, "csrsrv" );
Status = RtlAnsiStringToUnicodeString(&DllName_U, &DllName, TRUE);
ASSERT(NT_SUCCESS(Status));
LdrDisableThreadCalloutsForDll(NtDllBase);
Status = LdrGetDllHandle(
UNICODE_NULL,
NULL,
&DllName_U,
(PVOID *)&CsrServerModuleHandle
);
RtlFreeUnicodeString(&DllName_U);
CsrServerProcess = TRUE;
RtlInitString(&ProcedureName,"CsrCallServerFromServer");
Status = LdrGetProcedureAddress(
CsrServerModuleHandle,
&ProcedureName,
0L,
(PVOID *)&CsrServerApiRoutine
);
ASSERT(NT_SUCCESS(Status));
RtlInitString(&ProcedureName, "CsrLocateThreadInProcess");
Status = LdrGetProcedureAddress(
CsrServerModuleHandle,
&ProcedureName,
0L,
(PVOID *)&CsrpLocateThreadInProcess
);
ASSERT(NT_SUCCESS(Status));
ASSERT (CsrPortHeap==NULL);
CsrPortHeap = RtlProcessHeap();
CsrPortBaseTag = RtlCreateTagHeap( CsrPortHeap,
0,
L"CSRPORT!",
L"CAPTURE\0"
);
if (ARGUMENT_PRESENT(CalledFromServer)) {
*CalledFromServer = CsrServerProcess;
}
return STATUS_SUCCESS;
}
if ( ARGUMENT_PRESENT(ConnectionInformation) ) {
CsrServerProcess = FALSE;
if (CsrPortHandle == NULL) {
Status = CsrpConnectToServer( ObjectDirectory );
if (!NT_SUCCESS( Status )) {
return( Status );
}
}
a->ServerDllIndex = ServerDllIndex;
a->ConnectionInformationLength = *ConnectionInformationLength;
if (ARGUMENT_PRESENT( ConnectionInformation )) {
CaptureBuffer = CsrAllocateCaptureBuffer( 1,
0,
a->ConnectionInformationLength
);
if (CaptureBuffer == NULL) {
return( STATUS_NO_MEMORY );
}
CsrAllocateMessagePointer( CaptureBuffer,
a->ConnectionInformationLength,
(PVOID *)&a->ConnectionInformation
);
RtlMoveMemory( a->ConnectionInformation,
ConnectionInformation,
a->ConnectionInformationLength
);
*ConnectionInformationLength = a->ConnectionInformationLength;
}
else {
CaptureBuffer = NULL;
}
Status = CsrClientCallServer( &m,
CaptureBuffer,
CSR_MAKE_API_NUMBER( CSRSRV_SERVERDLL_INDEX,
CsrpClientConnect
),
sizeof( *a )
);
if (CaptureBuffer != NULL) {
if (ARGUMENT_PRESENT( ConnectionInformation )) {
RtlMoveMemory( ConnectionInformation,
a->ConnectionInformation,
*ConnectionInformationLength
);
}
CsrFreeCaptureBuffer( CaptureBuffer );
}
}
else {
Status = STATUS_SUCCESS;
}
if (ARGUMENT_PRESENT(CalledFromServer)) {
*CalledFromServer = CsrServerProcess;
}
return( Status );
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
static WCHAR dll_exist[] = L"ITH_DLL_RUNNING";
static HANDLE hDllExist;
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
{
LdrDisableThreadCalloutsForDll(hinstDLL);
IthBreak();
module_base = (DWORD)hinstDLL;
IthInitSystemService();
DWORD s;
swprintf(hm_section,L"ITH_SECTION_%d",current_process_id);
hSection=IthCreateSection(hm_section,0x2000,PAGE_EXECUTE_READWRITE);
NtMapViewOfSection(hSection,NtCurrentProcess(),(PVOID*)&hookman,0,
hook_buff_len,0,&hook_buff_len,ViewUnmap,0,PAGE_EXECUTE_READWRITE);
LPWSTR p;
for (p = GetMainModulePath(); *p; p++);
for (p = p; *p != L'\\'; p--);
wcscpy(dll_name,p+1);
//swprintf(dll_mutex,L"ITH_%.4d_%s",current_process_id,current_dir);
swprintf(dll_mutex,L"ITH_%d",current_process_id);
swprintf(hm_mutex,L"ITH_HOOKMAN_%d",current_process_id);
hmMutex=IthCreateMutex(hm_mutex,0);
hMutex=IthCreateMutex(dll_mutex,1,&s);
if (s) return FALSE;
hDllExist = IthCreateMutex(dll_exist, 0);
hDLL=hinstDLL; running=true;
current_available=hookman;
GetFunctionNames();
InitFilterTable();
InitDefaultHook();
hSendThread=IthCreateThread(WaitForPipe,0);
hCmdThread=IthCreateThread(CommandPipe,0);
}
break;
case DLL_PROCESS_DETACH:
{
running=false;
live=false;
NtWaitForSingleObject(hSendThread,0,0);
NtWaitForSingleObject(hCmdThread,0,0);
NtClose(hCmdThread);
NtClose(hSendThread);
for (TextHook* man=hookman;man->RemoveHook();man++);
LARGE_INTEGER lint={-10000,-1};
while (enter_count) NtDelayExecution(0,&lint);
for (TextHook* man=hookman;man<hookman+MAX_HOOK;man++) man->ClearHook();
NtUnmapViewOfSection(NtCurrentProcess(),hookman);
NtClose(hSection);
NtClose(hMutex);
delete tree;
IthCloseSystemService();
NtClose(hmMutex);
NtClose(hDllExist);
break;
}
default:
break;
}
return TRUE;
}
BOOL Initialize(PVOID BaseAddress)
{
PVOID hModule;
SizeT Length, Length2;
LPWSTR lpCmdLineW, pCmdLine;
WChar end, szCmdLine[MAX_PATH + 40];
static WChar AddCmdLineHeadW[] = L" --user-data-dir=\"";
static WChar AddCmdLineTailW[] = L"UserData\" --purge-memory-button";
LdrDisableThreadCalloutsForDll(BaseAddress);
Length = Nt_GetSystemDirectory(szCmdLine, countof(szCmdLine));
CopyStruct(szCmdLine + Length, L"wtsapi32.dll", sizeof(L"wtsapi32.dll"));
hModule = Ldr::LoadDll(szCmdLine);
*(PVOID *)&StubWTSFreeMemory = GetRoutineAddress(hModule, "WTSFreeMemory");
*(PVOID *)&StubWTSQuerySessionInformationW = GetRoutineAddress(hModule, "WTSQuerySessionInformationW");
*(PVOID *)&StubWTSUnRegisterSessionNotification = GetRoutineAddress(hModule, "WTSUnRegisterSessionNotification");
*(PVOID *)&StubWTSRegisterSessionNotification = GetRoutineAddress(hModule, "WTSRegisterSessionNotification");
*(PVOID *)&StubWTSQueryUserToken = GetRoutineAddress(hModule, "WTSQueryUserToken");
lpCmdLineW = Ps::GetCommandLine();
Length = StrLengthW(lpCmdLineW);
pCmdLine = szCmdLine;
StrCopyW(pCmdLine, AddCmdLineHeadW);
pCmdLine += countof(AddCmdLineHeadW) - 1;
pCmdLine += Nt_GetExeDirectory(pCmdLine, countof(szCmdLine) - (pCmdLine - szCmdLine));
StrCopyW(pCmdLine, AddCmdLineTailW);
pCmdLine += countof(AddCmdLineTailW);
Length2 = pCmdLine - szCmdLine;
g_pCmdLineW = (PWChar)AllocateMemory(Length * 2 + Length2 * 2 + 2);
pCmdLine = lpCmdLineW;
end = *pCmdLine++ == '\"' ? '\"' : ' ';
while (*pCmdLine && *pCmdLine != end) ++pCmdLine;
++pCmdLine;
/*
if (*++pCmdLine)
{
while (*pCmdLine == ' ' || *pCmdLine == '\t') ++pCmdLine;
}
*/
end = *pCmdLine;
*pCmdLine = 0;
StrCopyW(g_pCmdLineW, lpCmdLineW);
*pCmdLine = end;
lpCmdLineW = g_pCmdLineW + (pCmdLine - lpCmdLineW);
StrCopyW(lpCmdLineW, szCmdLine);
lpCmdLineW += Length2 - 1;
StrCopyW(lpCmdLineW, pCmdLine);
Length = StrLengthW(g_pCmdLineW);
g_pCmdLineA = (PChar)AllocateMemory(Length * 2);
// WideCharToMultiByte(CP_ACP, 0, g_pCmdLineW, -1, g_pCmdLineA, Length * 2, NULL, NULL);
UnicodeToAnsi(g_pCmdLineA, Length * 2, g_pCmdLineW, -1);
hModule = Nt_GetModuleHandle(L"chrome.dll");
MEMORY_FUNCTION_PATCH f[] =
{
INLINE_HOOK_JUMP_NULL(::GetCommandLineW, MyGetCommandLineW),
INLINE_HOOK_JUMP_NULL(::GetCommandLineA, MyGetCommandLineA),
INLINE_HOOK_JUMP(LoadAcceleratorsW, MyLoadAcceleratorsW, StubLoadAcceleratorsW),
};
Nt_PatchMemory(0, 0, f, countof(f), 0);
return TRUE;
}
