/*********************************************************************** * TASK_CreateMainTask * * Create a task for the main (32-bit) process. */ void TASK_CreateMainTask(void) { TDB *pTask; STARTUPINFOA startup_info; UINT cmdShow = 1; /* SW_SHOWNORMAL but we don't want to include winuser.h here */ GetStartupInfoA( &startup_info ); if (startup_info.dwFlags & STARTF_USESHOWWINDOW) cmdShow = startup_info.wShowWindow; pTask = TASK_Create( NULL, cmdShow, NULL, 0 ); if (!pTask) { ERR("could not create task for main process\n"); ExitProcess(1); } pTask->flags |= TDBF_WIN32; pTask->hInstance = 0; pTask->hPrevInstance = 0; pTask->teb = NtCurrentTeb(); /* Add the task to the linked list */ /* (no need to get the win16 lock, we are the only thread at this point) */ TASK_LinkTask( pTask->hSelf ); main_task = pTask->hSelf; }
int main (int argc, char *argv[], char *environ[]) { char *szCmd; STARTUPINFO startinfo; int nRet; /* Get the command line passed to the process. */ szCmd = GetCommandLineA (); GetStartupInfoA (&startinfo); /* Strip off the name of the application and any leading * whitespace. */ if (szCmd) { while (ISSPACE (*szCmd)) { szCmd++; } /* On my system I always get the app name enclosed * in quotes... */ if (*szCmd == '\"') { do { szCmd++; } while (*szCmd != '\"' && *szCmd != '\0'); if (*szCmd == '\"') { szCmd++; } } else { /* If no quotes then assume first token is program * name. */ while (!ISSPACE (*szCmd) && *szCmd != '\0') { szCmd++; } } while (ISSPACE (*szCmd)) { szCmd++; } } nRet = WinMain (GetModuleHandle (NULL), NULL, szCmd, (startinfo.dwFlags & STARTF_USESHOWWINDOW) ? startinfo.wShowWindow : SW_SHOWDEFAULT); return nRet; }
void WINAPI CustomGetStartupInfoA(LPSTARTUPINFOA lpStartupInfo) { if (!bLoadedPluginsYet) { // At the time this is called, the EXE is fully decrypted - we don't need any tricks from the ASI side LoadPlugins(); bLoadedPluginsYet = true; } GetStartupInfoA(lpStartupInfo); }
static unsigned dbg_start_debuggee(LPSTR cmdLine) { PROCESS_INFORMATION info; STARTUPINFOA startup, current; DWORD flags; GetStartupInfoA(¤t); memset(&startup, 0, sizeof(startup)); startup.cb = sizeof(startup); startup.dwFlags = STARTF_USESHOWWINDOW; startup.wShowWindow = (current.dwFlags & STARTF_USESHOWWINDOW) ? current.wShowWindow : SW_SHOWNORMAL; /* FIXME: shouldn't need the CREATE_NEW_CONSOLE, but as usual CUI:s need it * while GUI:s don't */ flags = DEBUG_PROCESS | CREATE_NEW_CONSOLE; if (!DBG_IVAR(AlsoDebugProcChild)) flags |= DEBUG_ONLY_THIS_PROCESS; if (!CreateProcess(NULL, cmdLine, NULL, NULL, FALSE, flags, NULL, NULL, &startup, &info)) { dbg_printf("Couldn't start process '%s'\n", cmdLine); return FALSE; } if (!info.dwProcessId) { /* this happens when the program being run is not a Wine binary * (for example, a shell wrapper around a WineLib app) */ /* Current fix: list running processes and let the user attach * to one of them (sic) * FIXME: implement a real fix => grab the process (from the * running processes) from its name */ dbg_printf("Debuggee has been started (%s)\n" "But WineDbg isn't attached to it. Maybe you're trying to debug a winelib wrapper ??\n" "Try to attach to one of those processes:\n", cmdLine); /* FIXME: (HACK) we need some time before the wrapper executes the winelib app */ Sleep(100); info_win32_processes(); return TRUE; } dbg_curr_pid = info.dwProcessId; if (!(dbg_curr_process = dbg_add_process(&be_process_active_io, dbg_curr_pid, 0))) return FALSE; dbg_curr_process->active_debuggee = TRUE; return TRUE; }
void createDialog(void) { STARTUPINFOA startinfo; WNDCLASSEXA WndClass; g_hInstance = GetModuleHandle(NULL); GetStartupInfoA(&startinfo); WndClass.cbSize = sizeof WndClass; WndClass.style = 0; WndClass.lpfnWndProc = WndProc; WndClass.cbClsExtra = 0; WndClass.cbWndExtra = 0; WndClass.hInstance = g_hInstance; WndClass.hIcon = LoadIcon(g_hInstance, MAKEINTRESOURCE(IDI_MAINICON)); WndClass.hCursor = LoadCursor(NULL, IDC_ARROW); WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1); WndClass.lpszMenuName = MAKEINTRESOURCEA(IDM_MAINMENU); WndClass.lpszClassName = "DrMingw"; WndClass.hIconSm = LoadIcon(g_hInstance, MAKEINTRESOURCE(IDI_MAINICON)); if (!RegisterClassExA(&WndClass)) { ErrorMessageBox("RegisterClassEx: %s", LastErrorMessage()); exit(EXIT_FAILURE); } g_hWnd = CreateWindowExA( WS_EX_CLIENTEDGE, WndClass.lpszClassName, "Dr. Mingw", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, g_hInstance, NULL ); if (g_hWnd == NULL) { ErrorMessageBox("CreateWindowEx: %s", LastErrorMessage()); exit(EXIT_FAILURE); } ShowWindow(g_hWnd, (startinfo.dwFlags & STARTF_USESHOWWINDOW) ? startinfo.wShowWindow : SW_SHOWDEFAULT); UpdateWindow(g_hWnd); }
BOOL MSVCMemoryDump::executeProcess(const std::string & commandLine) { STARTUPINFOA si; PROCESS_INFORMATION pi; GetStartupInfoA(&si); BOOL success = CreateProcessA(NULL, (char *) commandLine.c_str(), //Name of app to launch NULL, //Default process security attributes NULL, //Default thread security attributes FALSE, //Don't inherit handles from the parent 0, //Normal priority NULL, //Use the same environment as the parent NULL, //Launch in the current directory &si, //Startup Information &pi); //Process information stored upon return return success; }
VOID WINAPI GetStartupInfoAHook(LPSTARTUPINFOA startupInfo) { // put back the original and call it memcpy(GetStartupInfoA, g_gsiOrig, 5); GetStartupInfoA(startupInfo); // analyze the return address for a recommended course of action (GameShield is using a Borland-style compiler, so the only VC CRT here will be Payne) char* charData = (char*)_ReturnAddress(); if (!memcmp(charData, "\x6A\xFE\x5F\x89\x7D\xFC\xB8\x4D", 8)) { PEXCEPTION_REGISTRATION_RECORD sehPtr = (PEXCEPTION_REGISTRATION_RECORD)__readfsdword(0); // and we don't want crt init to use its own exception handler either __writefsdword(0, (DWORD)sehPtr->Next->Next); // we also need to unVP the read-only data segments DWORD oldProtect; VirtualProtect(GetModuleHandle(nullptr), 0x119e000, PAGE_EXECUTE_READWRITE, &oldProtect); // this is here *temporarily* hook::jump(hook::pattern("81 EC 44 02 00 00 55 56 33 F6 33 C0").count(1).get(0).get<void>(), ThisIsActuallyLaunchery); // mhm memcpy(GetModuleFileNameA, g_gmfOrig, 5); memcpy(GetModuleFileNameW, g_gmfOrigW, 5); if (!g_launcher->PostLoadGame(GetModuleHandle(nullptr), nullptr)) { ExitProcess(0); } // so it can pop itself //__writefsdword(0, (DWORD)sehPtr); } else { // hook us back in for the next pass hook::jump((uintptr_t)GetStartupInfoA, GetStartupInfoAHook); } }
LinphoneManager::LinphoneManager() { m_linphoneStatus = LINPHONE_STATUS_NOT_INIT; pthread_mutex_init(&m_linphoneStatusMutex,NULL); SECURITY_ATTRIBUTES rPipeSa; SECURITY_ATTRIBUTES wPipeSa; rPipeSa.nLength = sizeof(SECURITY_ATTRIBUTES); rPipeSa.lpSecurityDescriptor = NULL; rPipeSa.bInheritHandle = TRUE; wPipeSa.nLength = sizeof(SECURITY_ATTRIBUTES); wPipeSa.lpSecurityDescriptor = NULL; wPipeSa.bInheritHandle = TRUE; if(!CreatePipe(&m_pipeRead[0],&m_pipeWrite[0],&rPipeSa,0)) { log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"error at create pipe\n"); } if(!CreatePipe(&m_pipeRead[1],&m_pipeWrite[1],&wPipeSa,0)) { log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"error at create pipe\n"); } STARTUPINFOA si; si.cb = sizeof(STARTUPINFOA); GetStartupInfoA(&si); si.hStdError = m_pipeWrite[0]; si.hStdOutput = m_pipeWrite[0]; si.hStdInput = m_pipeRead[1]; si.wShowWindow = SW_HIDE; si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; log_printf(LOG_ALL_OUT,LOG_LEVEL_INFO,"start to create linphone process.\n"); if (!CreateProcessA(NULL,LINPHONEC_LOCATION,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&m_linphoneProcess)) { log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"error at create process\n"); } CloseHandle(m_pipeWrite[0]); CloseHandle(m_pipeRead[1]); SetLinphoneStatus(LINPHONE_STATUS_ON_IDLE); int ret = pthread_create(&m_readLinphoneOutput,NULL,ReadLinphoneOutputProc,this); if(0 != ret) { log_printf(LOG_ALL_OUT,LOG_LEVEL_ERROR,"Create read linphone output thread failed,%d\n",ret); } }
extern "C" int main(int argc, char* argv[]){ if(argc < 2){ std::cout << "No exe specified!\n\n"; std::cout << "Usage: Heapy <exe path> [args to pass to exe]\n\n" " The first argument specifies the exe to launch.\n" " Subsequent arguments are passed to launched exe.\n"; return -1; } char *injectionTarget = argv[1]; bool win64 = false; #ifdef _WIN64 win64 = true; #endif // Select correct dll name depending on whether x64 or win32 version launched. std::string heapyInjectDllName; if(win64) heapyInjectDllName = "HeapyInject_x64.dll"; else heapyInjectDllName = "HeapyInject_Win32.dll"; // Assume that the injection payload dll is in the same directory as the exe. CHAR exePath[MAX_PATH]; GetModuleFileNameA(NULL, exePath, MAX_PATH ); std::string dllPath = getDirectoryOfFile(std::string(exePath)) + "\\" + heapyInjectDllName; std::string commandLine = injectionTarget; for(int i = 2; i < argc; ++i){ commandLine += " " + std::string(argv[i]); } // Start our new process with a suspended main thread. std::cout << "Starting process with heap profiling enabled..." << std::endl; std::cout << "Target exe path: " << injectionTarget << std::endl; std::cout << "Target execommand line: " << commandLine; std::cout << "Dll to inject: " << dllPath << std::endl; DWORD flags = CREATE_SUSPENDED; PROCESS_INFORMATION pi; STARTUPINFOA si; GetStartupInfoA(&si); // CreatePRocessA can modify input arg so do this to be safe. std::vector<char> commandLineMutable(commandLine.begin(), commandLine.end()); if(CreateProcessA(NULL, commandLineMutable.data(), NULL, NULL, 0, flags, NULL, (LPSTR)".", &si, &pi) == 0){ std::cerr << "Error creating process " << injectionTarget << std::endl; return -1; } // Inject our dll. // This method returns only when injection thread returns. try{ if(!LoadLibraryInjection(pi.hProcess, dllPath.c_str())){ throw std::runtime_error("LoadLibrary failed!"); } }catch(const std::exception &e){ std::cerr << "\n"; std::cerr << "Error while injecting process: " << e.what() << "\n\n"; std::cerr << "Check that the hook dll (" << dllPath << " is in the correct location.\n\n"; std::cerr << "Are you trying to inject a " << (win64 ? " 32 bit " : " 64 bit ") << " application using the " << (win64 ? " 64 bit " : " 32 bit ") << " injector?\n\n"; // TODO: figure out how to terminate thread. This does not always work. TerminateProcess(pi.hProcess, 0); return -1; } // Once the injection thread has returned it is safe to resume the main thread. ResumeThread(pi.hThread); // Wait for the target application to exit. // This doesn't matter to much, but makes heapy nicer to use in test scripts. // (Like the ProfileTestApplication project.) WaitForSingleObject(pi.hProcess, INFINITE); return 0; }
ProcessHandleImpl* ProcessImpl::launchImpl(const std::string& command, const ArgsImpl& args, const std::string& initialDirectory, Pipe* inPipe, Pipe* outPipe, Pipe* errPipe, const EnvImpl& env) { std::string commandLine = command; for (ArgsImpl::const_iterator it = args.begin(); it != args.end(); ++it) { commandLine.append(" "); commandLine.append(*it); } STARTUPINFOA startupInfo; GetStartupInfoA(&startupInfo); // take defaults from current process startupInfo.cb = sizeof(STARTUPINFOA); startupInfo.lpReserved = NULL; startupInfo.lpDesktop = NULL; startupInfo.lpTitle = NULL; startupInfo.dwFlags = STARTF_FORCEOFFFEEDBACK; startupInfo.cbReserved2 = 0; startupInfo.lpReserved2 = NULL; HANDLE hProc = GetCurrentProcess(); bool mustInheritHandles = false; if (inPipe) { DuplicateHandle(hProc, inPipe->readHandle(), hProc, &startupInfo.hStdInput, 0, TRUE, DUPLICATE_SAME_ACCESS); mustInheritHandles = true; inPipe->close(Pipe::CLOSE_READ); } else if (GetStdHandle(STD_INPUT_HANDLE)) { DuplicateHandle(hProc, GetStdHandle(STD_INPUT_HANDLE), hProc, &startupInfo.hStdInput, 0, TRUE, DUPLICATE_SAME_ACCESS); mustInheritHandles = true; } else { startupInfo.hStdInput = 0; } // outPipe may be the same as errPipe, so we duplicate first and close later. if (outPipe) { DuplicateHandle(hProc, outPipe->writeHandle(), hProc, &startupInfo.hStdOutput, 0, TRUE, DUPLICATE_SAME_ACCESS); mustInheritHandles = true; } else if (GetStdHandle(STD_OUTPUT_HANDLE)) { DuplicateHandle(hProc, GetStdHandle(STD_OUTPUT_HANDLE), hProc, &startupInfo.hStdOutput, 0, TRUE, DUPLICATE_SAME_ACCESS); mustInheritHandles = true; } else { startupInfo.hStdOutput = 0; } if (errPipe) { DuplicateHandle(hProc, errPipe->writeHandle(), hProc, &startupInfo.hStdError, 0, TRUE, DUPLICATE_SAME_ACCESS); mustInheritHandles = true; } else if (GetStdHandle(STD_ERROR_HANDLE)) { DuplicateHandle(hProc, GetStdHandle(STD_ERROR_HANDLE), hProc, &startupInfo.hStdError, 0, TRUE, DUPLICATE_SAME_ACCESS); mustInheritHandles = true; } else { startupInfo.hStdError = 0; } if (outPipe) outPipe->close(Pipe::CLOSE_WRITE); if (errPipe) errPipe->close(Pipe::CLOSE_WRITE); if (mustInheritHandles) { startupInfo.dwFlags |= STARTF_USESTDHANDLES; } const char* workingDirectory = initialDirectory.empty() ? 0 : initialDirectory.c_str(); const char* pEnv = 0; std::vector<char> envChars; if (!env.empty()) { envChars = getEnvironmentVariablesBuffer(env); pEnv = &envChars[0]; } PROCESS_INFORMATION processInfo; DWORD creationFlags = GetConsoleWindow() ? 0 : CREATE_NO_WINDOW; BOOL rc = CreateProcessA( NULL, const_cast<char*>(commandLine.c_str()), NULL, // processAttributes NULL, // threadAttributes mustInheritHandles, creationFlags, (LPVOID) pEnv, workingDirectory, &startupInfo, &processInfo ); if (startupInfo.hStdInput) CloseHandle(startupInfo.hStdInput); if (startupInfo.hStdOutput) CloseHandle(startupInfo.hStdOutput); if (startupInfo.hStdError) CloseHandle(startupInfo.hStdError); if (rc) { CloseHandle(processInfo.hThread); return new ProcessHandleImpl(processInfo.hProcess, processInfo.dwProcessId); } else throw SystemException("Cannot launch process", command); }
void CommandPromptProcess(ScriptValue &s, ScriptValue* args) { if (0) { char buf[1024]; //i/o buffer STARTUPINFOA si; SECURITY_ATTRIBUTES sa; PROCESS_INFORMATION pi; HANDLE newstdin,newstdout,read_stdout,write_stdin; //pipe handles sa.lpSecurityDescriptor = NULL; sa.nLength = sizeof(SECURITY_ATTRIBUTES); sa.bInheritHandle = true; //allow inheritable handles if (!CreatePipe(&newstdin,&write_stdin,&sa,0)) //create stdin pipe { return; } if (!CreatePipe(&read_stdout,&newstdout,&sa,0)) //create stdout pipe { CloseHandle(newstdin); CloseHandle(write_stdin); return; } GetStartupInfoA(&si); //set startupinfo for the spawned process /* The dwFlags member tells CreateProcess how to make the process. STARTF_USESTDHANDLES validates the hStd* members. STARTF_USESHOWWINDOW validates the wShowWindow member. */ si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW; si.wShowWindow = SW_HIDE; si.hStdOutput = newstdout; si.hStdError = newstdout; //set the new handles for the child process si.hStdInput = newstdin; char app_spawn[] = "C:\\windows\\system32\\ping.exe"; //sample, modify for your //system //spawn the child process if (!CreateProcessA(app_spawn,NULL,NULL,NULL,TRUE,CREATE_NEW_CONSOLE, NULL,NULL,&si,&pi)) { CloseHandle(newstdin); CloseHandle(newstdout); CloseHandle(read_stdout); CloseHandle(write_stdin); return; } unsigned long exit=0; //process exit code unsigned long bread; //bytes read unsigned long avail; //bytes available for(;;) //main program loop { PeekNamedPipe(read_stdout,buf,1023,&bread,&avail,NULL); //check to see if there is any data to read from stdout if (bread != 0) { if (avail > 1023) { while (bread >= 1023) { ReadFile(read_stdout,buf,1023,&bread,NULL); //read the stdout pipe printf("%s",buf); } } else { ReadFile(read_stdout,buf,1023,&bread,NULL); printf("%s",buf); } } GetExitCodeProcess(pi.hProcess,&exit); //while the process is running if (exit != STILL_ACTIVE) break; /* if (kbhit()) //check for user input. { bzero(buf); *buf = (char)getche(); //printf("%c",*buf); WriteFile(write_stdin,buf,1,&bread,NULL); //send it to stdin if (*buf == '\r') { *buf = '\n'; printf("%c",*buf); WriteFile(write_stdin,buf,1,&bread,NULL); //send an extra newline char, //if necessary } } //*/ } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(newstdin); //clean stuff up CloseHandle(newstdout); CloseHandle(read_stdout); CloseHandle(write_stdin); } wchar_t *path = ResolvePath(args[0].stringVal->value); wchar_t *dir = 0; if (path && (!args[2].stringVal->len || (dir = ResolvePath(args[2].stringVal->value)))) { STARTUPINFO si; PROCESS_INFORMATION pi; memset(&si, 0, sizeof(si)); si.cb = sizeof(si); wchar_t *params = UTF8toUTF16Alloc(args[1].stringVal->value); ConnectedProcess *cp = 0; cp = (ConnectedProcess*)calloc(1,sizeof(ConnectedProcess)); if (cp) { SECURITY_ATTRIBUTES saAttr; saAttr.nLength = sizeof(SECURITY_ATTRIBUTES); saAttr.bInheritHandle = TRUE; saAttr.lpSecurityDescriptor = NULL; static __int64 namedPipes = 0; char pipeNames[3][100]; sprintf(pipeNames[0], "\\\\.\\pipe\\LCD Miscellany error pipe %I64i", namedPipes); sprintf(pipeNames[1], "\\\\.\\pipe\\LCD Miscellany out pipe %I64i", namedPipes); sprintf(pipeNames[2], "\\\\.\\pipe\\LCD Miscellany in pipe %I64i", namedPipes); namedPipes++; //* cp->error[0] = CreateNamedPipeA(pipeNames[0], PIPE_ACCESS_INBOUND, PIPE_TYPE_BYTE | PIPE_WAIT, 1, 1024, 1024, 5000, 0); cp->error[1] = CreateFileA(pipeNames[0], GENERIC_WRITE, 0, &saAttr, OPEN_EXISTING, 0, 0); cp->out[0] = CreateNamedPipeA(pipeNames[1], PIPE_ACCESS_INBOUND, PIPE_TYPE_BYTE | PIPE_WAIT, 1, 1024, 1024, 5000, 0); cp->out[1] = CreateFileA(pipeNames[1], GENERIC_WRITE, 0, &saAttr, OPEN_EXISTING, 0, 0); cp->in[0] = CreateNamedPipeA(pipeNames[2], PIPE_ACCESS_OUTBOUND, PIPE_TYPE_BYTE | PIPE_WAIT, 1, 1024, 1024, 5000, 0); cp->in[1] = CreateFileA(pipeNames[2], GENERIC_READ, 0, &saAttr, OPEN_EXISTING, 0, 0); //*/ //CreatePipe(&cp->error[0], &cp->error[1], &saAttr, 0); //CreatePipe(&cp->out[0], &cp->out[1], &saAttr, 0); //CreatePipe(&cp->in[1], &cp->in[0], &saAttr, 0); int happy = 1; for (int i=0; i<3; i++) { if (cp->handles[2*i] == INVALID_HANDLE_VALUE || cp->handles[2*i+1] == INVALID_HANDLE_VALUE) { happy = 0; } } if (happy) { si.hStdError = cp->out[1]; si.hStdInput = cp->in[1]; si.hStdOutput = cp->out[1]; si.dwFlags = STARTF_USESTDHANDLES; if (!CreateProcessW(L"c:\\Windows\\System32\\PING.EXE", 0, 0, 0, 1, CREATE_NEW_CONSOLE, 0, dir, &si, &pi)/* && CreateListValue(s, 4)//*/) { happy = 0; } else { CreateIntValue(s, pi.dwProcessId); if (si.dwFlags) { char temp[1000]; { DWORD bread, avail; //PeekNamedPipe(read_stdout,temp,1000,&bread,&avail,NULL); PeekNamedPipe(cp->out[0],temp,1000,&bread,&avail,NULL); PeekNamedPipe(cp->in[0],temp,1000,&bread,&avail,NULL); bread = bread; } DWORD read = 0; ReadFile(cp->out[0], temp, 1, &read, 0); ReadFile(cp->error[0], temp, 1, &read, 0); ReadFile(cp->in[0], temp, 1000, &read, 0); read = read; } } } if (!happy) { if (cp) { for (int i=0; i<6; i++) { if (cp->handles[i] != INVALID_HANDLE_VALUE) { CloseHandle(cp->handles[i]); } } free(cp); } } } free(params); } free(path); free(dir); }
extern "C" int main(int argc, char* argv[]){ if(argc < 2){ std::cout << "No exe specified!\n\n"; std::cout << "Usage: winheaptrack <exe path> [target working dir]\n\n" " The first argument specifies the exe to launch.\n" " The second optional argument specifies the working directory\n" " of the exe to launch (this defaults to directory of exe.)\n"; return -1; } char *injectionTarget = argv[1]; std::string injectionTargetWorkingDirectory; if(argc > 2) injectionTargetWorkingDirectory = argv[2]; else injectionTargetWorkingDirectory = getDirectoryOfFile(injectionTarget); bool win64 = false; #ifdef _WIN64 win64 = true; #endif // Select correct dll name depending on whether x64 or win32 version launched. std::string winheaptrackInjectDllName; if(win64) winheaptrackInjectDllName = "winheaptrack_inject_x64.dll"; else winheaptrackInjectDllName = "winheaptrack_inject_Win32.dll"; // Assume that the injection payload dll is in the same directory as the exe. std::string exePath(argv[0]); std::string dllPath = getDirectoryOfFile(exePath) + "\\" + winheaptrackInjectDllName; // Start our new process with a suspended main thread. std::cout << "Starting process with heap profiling enabled..." << std::endl; std::cout << "Target exe path: " << injectionTarget << std::endl; std::cout << "Working directory: " << injectionTargetWorkingDirectory << std::endl; std::cout << "Dll to inject: " << dllPath << std::endl; DWORD flags = CREATE_SUSPENDED; PROCESS_INFORMATION pi; STARTUPINFOA si; GetStartupInfoA(&si); if(CreateProcessA(NULL, injectionTarget, NULL, NULL, 0, flags, NULL, (LPSTR)injectionTargetWorkingDirectory.c_str(), &si, &pi) == 0){ std::cerr << "Error creating process " << injectionTarget << " with working directory " << injectionTargetWorkingDirectory << std::endl; return -1; } // Inject our dll. // This method returns only when injection thread returns. try{ if(!LoadLibraryInjection(pi.hProcess, dllPath.c_str())){ throw std::runtime_error("LoadLibrary failed!"); } }catch(const std::exception &e){ std::cerr << "\n"; std::cerr << "Error while injecting process: " << e.what() << "\n\n"; std::cerr << "Check that the hook dll (" << dllPath << " is in the correct location.\n\n"; std::cerr << "Are you trying to inject a " << (win64 ? " 32 bit " : " 64 bit ") << " application using the " << (win64 ? " 64 bit " : " 32 bit ") << " injector?\n\n"; // TODO: figure out how to terminate thread. This does not always work. TerminateProcess(pi.hProcess, 0); return -1; } // Once the injection thread has returned it is safe to resume the main thread. ResumeThread(pi.hThread); // Wait for the target application to exit. // This doesn't matter to much, but makes winheaptrack nicer to use in test scripts. // (Like the ProfileTestApplication project.) WaitForSingleObject(pi.hProcess, INFINITE); return 0; }
void fn004019E0(word32 ebp, Eq_3 * fs) { word32 * eax_14 = fs->ptr0000; fs->ptr0000 = fp - 0x00000014; __set_app_type(); globals->dw40312C = 0xFFFFFFFF; globals->dw403130 = 0xFFFFFFFF; __p__fmode(); *eax_14 = globals->dw403120; __p__commode(); *eax_14 = globals->dw40311C; Mem46[0x00403128:word32] = Mem43[_adjust_fdiv:word32]; fn00401BE0(); word32 esp_193 = fp + 0xFFFFFF6C; if (globals->dw403040 == 0x00000000) { __setusermatherr(); esp_193 = fp + 0xFFFFFF68; } fn00401BB0(); Eq_51 * esp_54 = esp_193 - 0x00000004; esp_54->dw0000 = 0x00403014; esp_54->dw0000 = 0x00403010; _initterm(); esp_54->dw0000 = fp - 0x00000070; esp_54->dw0000 = globals->dw403114; esp_54->dw0000 = fp - 0x00000068; Mem74[esp_54 - 0x00000010:word32] = fp - 0x00000074; esp_54->dw0000 = fp - 0x00000064; __getmainargs(); esp_54->dwFFFFFFF8 = 0x0040300C; esp_54->dwFFFFFFF4 = 0x00403000; _initterm(); __p__acmdln(); Eq_85 * esi_161 = dwLoc74; if (dwLoc74->b0000 == 0x22) { do { esi_161 = esi_161 + 1; bcu8 al_169 = esi_161->b0000; } while (al_169 == 0x00 || al_169 == 0x22); if (esi_161->b0000 == 0x22) { esi_161 = esi_161 + 1; goto l00401AEE; } } while (esi_161->b0000 >u 0x20) esi_161 = esi_161 + 1; l00401AEE: bcu8 al_99 = esi_161->b0000; while (al_99 != 0x00 && al_99 <=u 0x20) { esi_161 = esi_161 + 1; al_99 = esi_161->b0000; } Eq_80 eax_117; esp_54->tFFFFFFF0 = fp - 0x00000060; GetStartupInfoA(esp_54->tFFFFFFF0); if (0x00 != 0x00) eax_117 = dwLoc30 & 0x0000FFFF; else eax_117.u0 = 0x0000000A; esp_54->tFFFFFFF0 = eax_117; esp_54->ptrFFFFFFEC = esi_161; esp_54->dwFFFFFFE8 = 0x00000000; esp_54->tFFFFFFE4.u0 = 0x00000000; Eq_80 eax_127 = GetModuleHandleA(esp_54->tFFFFFFE4); esp_54->tFFFFFFE4 = eax_127; fn00401BFC(ebp, dwArg00, dwArg04, dwArg08); esp_54->tFFFFFFF0 = eax_127; exit(esp_54->tFFFFFFF0); fp->dwFFFFFFF8 = 0xFFFFFFFF; fs->ptr0000 = eax_14; return; }
// address: 0x1310e09b int main(int argc, char *argv[], char *envp[]) { __size8 al; // r8 __size16 ax; // r0 char bl; // r11 __size8 cl; // r9 __size16 cx; // r1 unsigned char dl; // r10 __size16 dx; // r2 unsigned char *eax; // r24 void *eax_1; // r24{45} __size32 eax_2; // r24{185} __size32 eax_3; // r24{486} __size32 ebp; // r29 int ebx; // r27 char *ebx_1; // r27 int ebx_2; // r27{84} __size32 ecx_1; // r25{18} unsigned int edi; // r31 char *edi_1; // r31 unsigned int edi_2; // r31{116} unsigned int edx; // r26 unsigned char *esi; // r30 int esp; // r28 void *esp_1; // r28{67} void *esp_2; // r28{309} void *esp_3; // r28{541} void *esp_4; // r28{559} __size32 local0; // m[esp - 16] unsigned int local1; // m[esp - 8] __size8 local10; // m[esp - 560] __size8 local11; // m[esp - 562] __size8 local12; // m[esp - 563] __size8 local13; // m[esp - 564] int local14; // m[esp - 572] unsigned int local15; // m[esp - 580] unsigned char *local16; // m[esp - 584] void *local17; // m[esp - 588] __size32 local18; // m[esp - 596] unsigned int local19; // m[esp - 600] unsigned char *local2; // m[esp - 12] unsigned char *local20; // m[esp - 608] void *local21; // m[esp - 612] __size32 local22; // m[esp - 780] __size32 local23; // m[esp - 784] int local24; // m[esp - 788] __size32 local25; // m[esp - 792] unsigned int local26; // m[esp - 796] unsigned int local27; // m[esp - 800] unsigned int local28; // m[esp - 804] union { void * x151; int x152; } local29; // m[esp - 576] unsigned int local3; // m[esp - 20] unsigned int local30; // m[esp - 776] int local35; // m[esp - 584] int local4; // m[esp - 24] char *local5; // m[esp - 28] unsigned int local58; // m[esp - 8]{573} __size32 local6; // m[esp - 32] void *local63; // esp_3{541} unsigned int local64; // local1{603} union { unsigned char * x149; int x150; } local65; // local16{607} union { int x143; __size32 * x144; } local7; // m[esp - 36] void *local8; // m[esp - 40] unsigned char *local9; // m[esp - 44] ecx_1 = SetErrorMode(); WmiReceiveNotificationsA(); GetStartupInfoA(); eax_1 = SafeArrayGetUBound(); local29 = eax_1 - 0x2fe67; eax = WmiSetSingleInstanceW(); /* Warning: also results in edx, esp_1 */ local63 = esp_1; if ( !(edx == 0x3ec0000 || eax - 0x7ffbfe67 != eax_1 - 0x2fe67)) { local13 = -15; local12 = 28; local10 = 117; local29 = eax_1 - 0x6cf61957; ebx_2 = *(eax_1 - 0x6cf61957); local14 = ebx_2; bl = proc1(&ebx_2, esp - 572, 4, &local0, 0, &-15, bl, ebx_2); local8 = esp; local11 = -26; edi_2 = *(eax_1 - 0x6cf61953); local19 = edi_2; bl = proc1(&edi_2, (esp - 604), 4, &local0, 4, &-15, bl, esp - 600); edi = *(eax_1 - 0x6cf6194f); local3 = edi; bl = proc1(&edi, esp - 28, 4, &local0, 8, &-15, bl, esp - 28); local30 = 0; eax_2 = GetModuleHandleA(); local6 = eax_2; local18 = eax_2 + 0x1000; eax = *(eax_1 - 0x6cf6194b); bl = proc1(&eax, esp - 40, 4, &local0, 12, &-15, bl, esp - 28); /* Warning: also results in ebx */ local5 = eax + eax_2; esi = *(eax_1 - 0x6cf61947); local16 = esi; local27 = esp - 584; ax = proc1(&esi, esp - 600, 4, &local0, 16, &-15, bl, ebx); /* Warning: also results in cx, dx, al, cl, bl */ local17 = 20; local7 = eax_1 - 0x6cf61943; local9 = edi * 8 + 12; local22 = 64; local23 = 0x3000; ebx = edi * 8 + edi_2 + 12; local24 = ebx + ebx_2; local25 = 0; eax = VirtualAlloc(0, ebx + ebx_2, 0x3000, 64); /* Warning: also results in esp_2 */ local63 = esp_2; local20 = eax; edi_1 = eax + eax_2 + edi * 8 + 12; local2 = edi_1; local15 = edi * 8 + 12; local21 = edi * 8 + 12; local1 = 0; local4 = 0; } for(;;) { esp_3 = local63; local58 = local1; local64 = local58; local65 = local16; if (local21 != local16) { goto L0; } local1 = local58 + 1; local64 = local1; if (local1 == local3) { *(union { void * x171; int x172; }*)(esp_3 - 4) = esp - 564; *(unsigned char **)(esp_3 - 8) = local9; *(union { void * x173; int x174; }*)(esp_3 - 12) = (esp - 568); *(unsigned int*)(esp_3 - 16) = local19; ecx = local20 - local9; *(int*)(esp_3 - 20) = ecx; *(unsigned char **)(esp_3 - 24) = local20; eax_3 = proc1(*(esp_3 - 24), *(esp_3 - 20), *(esp_3 - 16), *(esp_3 - 12), *(esp_3 - 8), *(esp_3 - 4), bl, esp - 568); /* Warning: also results in ax, cx, dx, al, cl, bl, edx, edi */ *(void **)(esp_3 - 4) = local8; *(union { void * x175; int x176; }*)(esp_3 - 8) = esp - 564; *(unsigned int*)(esp_3 - 12) = local19; *(int*)(esp_3 - 16) = local14; *(unsigned char **)(esp_3 - 20) = local20; esi = local20 + local19; *(void **)(esp_3 - 24) = esi; (*local20 + 0xf50)(local28, local27, local26, local25, local24, local23, local22, local30, 0x15000, 0, 0x5d000000, 0xe6000, 0x370000, 0x328000, 0, 0x6c000, 0x12c00, (esp - 660), 0, ecx_1, 0x5c000000, (esp - 544), eax, local20 + 0xf50, local20 + 0xf50, local21, local20, local19, local18, local17, local16, local15, local29, local14, local13, local12, local11, -38, local10, local9, local8, local7, local6, local5, local4, local3, local0, local2, local58 + 1, ebp, argc, argv, envp, ax, cx, dx, al, cl, (unsigned char) local58 + 1, bl, eax_3, local14, edx, local20, esp - 4, esi, edi, ADDFLAGS32(local20, local19, esi), ADDFLAGS32(local20, local19, esi), ADDFLAGS32(local20, local19, esi)); return eax; } edx = *local7; *(union { void * x159; int x160; }*)(esp_3 - 4) = esp - 564; *(void **)(esp_3 - 8) = local17; *(union { void * x161; int x162; }*)(esp_3 - 12) = esp - 16; *(__size32*)(esp_3 - 16) = 4; esi = esp - local17 - 28; *(union { unsigned char * x147; int x148; }*)(esp_3 - 20) = esi; *(union { void * x163; int x164; }*)(esp_3 - 24) = esp - 28; bl = proc1(*(esp_3 - 24), *(esp_3 - 20), *(esp_3 - 16), *(esp_3 - 12), *(esp_3 - 8), *(esp_3 - 4), bl, esp - 28); ebx_1 = edx + local6; local5 = ebx_1; local17 += 4; local7 += 4; ebx = *local7; local35 = ebx; *(union { void * x165; int x166; }*)(esp_3 - 4) = esp - 564; *(void **)(esp_3 - 8) = local17; *(union { void * x167; int x168; }*)(esp_3 - 12) = esp - 16; *(__size32*)(esp_3 - 16) = 4; edi = esp - local17 - 584; *(int*)(esp_3 - 20) = edi; *(union { void * x169; int x170; }*)(esp_3 - 24) = esp - 584; ax = proc1(*(esp_3 - 24), *(esp_3 - 20), *(esp_3 - 16), *(esp_3 - 12), *(esp_3 - 8), *(esp_3 - 4), bl, ebx); /* Warning: also results in cx, dx, al, cl, bl */ local65 = local35; local17 += 4; local7 += 4; local21 = 0; local2 = ebx_1; L0: esp_4 = esp_3; local1 = local64; local16 = local65; ebx_1 = local20 + local4; dl = *local2; *(unsigned char*)ebx_1 = dl; local2++; local4++; local21++; local15++; local63 = esp_4; local63 = esp_4; } }
/*********************************************************************** * main */ int main( int argc, char *argv[] ) { DWORD count; HINSTANCE16 instance; LOADPARAMS16 params; WORD showCmd[2]; char buffer[MAX_PATH]; STARTUPINFOA info; char *cmdline, *appname, **first_arg; char *p; if (!argv[1]) usage(); if (!strcmp( argv[1], "--app-name" )) { if (!(appname = argv[2])) usage(); first_arg = argv + 3; } else { if (!SearchPathA( NULL, argv[1], ".exe", sizeof(buffer), buffer, NULL )) { WINE_MESSAGE( "winevdm: unable to exec '%s': file not found\n", argv[1] ); ExitProcess(1); } appname = buffer; first_arg = argv + 1; } if (*first_arg) first_arg++; /* skip program name */ cmdline = build_command_line( first_arg ); if (WINE_TRACE_ON(winevdm)) { int i; WINE_TRACE( "GetCommandLine = '%s'\n", GetCommandLineA() ); WINE_TRACE( "appname = '%s'\n", appname ); WINE_TRACE( "cmdline = '%.*s'\n", cmdline[0], cmdline+1 ); for (i = 0; argv[i]; i++) WINE_TRACE( "argv[%d]: '%s'\n", i, argv[i] ); } GetStartupInfoA( &info ); showCmd[0] = 2; showCmd[1] = (info.dwFlags & STARTF_USESHOWWINDOW) ? info.wShowWindow : SW_SHOWNORMAL; params.hEnvironment = 0; params.cmdLine = MapLS( cmdline ); params.showCmd = MapLS( showCmd ); params.reserved = 0; RestoreThunkLock(1); /* grab the Win16 lock */ /* some programs assume mmsystem is always present */ LoadLibrary16( "gdi.exe" ); LoadLibrary16( "user.exe" ); LoadLibrary16( "mmsystem.dll" ); if ((instance = LoadModule16( appname, ¶ms )) < 32) { if (instance == 11) { /* first see if it is a .pif file */ if( ( p = strrchr( appname, '.' )) && !strcasecmp( p, ".pif")) pif_cmd( appname, cmdline + 1); else { /* try DOS format */ /* loader expects arguments to be regular C strings */ start_dos_exe( appname, cmdline + 1 ); } /* if we get back here it failed */ instance = GetLastError(); } WINE_MESSAGE( "winevdm: can't exec '%s': ", appname ); switch (instance) { case 2: WINE_MESSAGE("file not found\n" ); break; case 11: WINE_MESSAGE("invalid program file\n" ); break; default: WINE_MESSAGE("error=%d\n", instance ); break; } ExitProcess(instance); } /* wait forever; the process will be killed when the last task exits */ ReleaseThunkLock( &count ); Sleep( INFINITE ); return 0; }
/** @brief herp derp. @private @bug Sometimes on windows XP, if a process is started up to be injected into, the process will exit before completing startup if the DLL unloads itself before process startup is complete. **/ int main(int argc, CHAR* argv[]) { char *dllArg = NULL; char *programPath = NULL; char *procArgs = NULL; WCHAR procNameBuffer[MAX_PATH] = {0}; PWCHAR procName = NULL; DWORD pid = 0; DWORD waitMs = 0; BOOL startProcess; DWORD injectionMethod = 0; unsigned char dllCount = 0; char *dllList[128]; if(argc==1){ Usage(); } // Get Windows Version Information. OSVERSIONINFOEX OsInfo = {0}; OsInfo.dwOSVersionInfoSize = sizeof(OsInfo); GetVersionEx((LPOSVERSIONINFO)&OsInfo); // These are used later to make decisions on how to do things. BOOL is2kOrAbove = FALSE; BOOL isXpOrAbove = FALSE; BOOL isVistaOrAbove = FALSE; BOOL is7OrAbove = FALSE; if(OsInfo.dwMajorVersion >= 6){ isVistaOrAbove = TRUE; if(OsInfo.dwMinorVersion >= 1){ is7OrAbove = TRUE; } } if(OsInfo.dwMajorVersion >= 5){ is2kOrAbove = TRUE; if(OsInfo.dwMinorVersion >= 1){ isXpOrAbove = TRUE; } } // This really wont event get shown, the program just crashes when run. if(isXpOrAbove == FALSE){ printf("ERROR: Injex is not compatible with this version of windows."); ExitProcess(-1); } for(int i=1;i<argc;i++){ if(strcmp(argv[i],"-d") == 0){ // Add the DLL list dllList[dllCount] = (char*)malloc(MAX_PATH); // Get the full path to the DLL to inject, the application loading will need this. GetFullPathNameA(argv[++i],MAX_PATH,dllList[dllCount],NULL); // Inc the dll count. dllCount++; } else if(strcmp(argv[i],"-b") == 0) { programPath = argv[++i]; startProcess = TRUE; } else if(strcmp(argv[i],"-p") == 0) { if(isNumeric(argv[i+1])) pid = atoi(argv[++i]); else{ printf("ERROR: Invalid Process Id specified \"%s\"; Process Id should be numeric.\n",argv[i+1]); Usage(); } startProcess = FALSE; } else if(strcmp(argv[i],"-a") == 0) { procArgs = argv[++i]; } else if(strcmp(argv[i],"-h") == 0) { Usage(); } else if(strcmp(argv[i],"-w") == 0) { if(isXpOrAbove == FALSE){ printf("ERROR: Process suspension is only supported on Windows XP/2003 or above.\n"); Usage(); } waitMs = atoi(argv[++i]); } else if (strcmp(argv[i],"-n") == 0) { if(isXpOrAbove == FALSE){ printf("ERROR: Selecting a process by name is only supported on Windows XP or above. Please use process id instead.\n"); Usage(); } i++; procName = procNameBuffer; MultiByteToWideChar(CP_UTF8, 0, argv[i], INT(strlen(argv[i])), procName, MAX_PATH); startProcess = FALSE; } else if (strcmp(argv[i],"-i") == 0) { if(isNumeric(argv[i+1])) injectionMethod = atoi(argv[++i]); else{ printf("ERROR: Invalid injection method, injection methods are provided by number.\n"); Usage(); } } else { printf("ERROR: Unknown command line option \"%s\"\n",argv[i]); Usage(); } } // Validate their command line options. if(pid == 0 && programPath == NULL && procName == 0){ printf("ERROR: Please specify either a Process ID, a binary to launch, or the name of a running process.\n"); Usage(); } // Check to make sure the specified a DLL. if(dllCount == 0){ printf("ERROR: Please specify a DLL to inject.\n"); Usage(); } // Ensure that they selected an injection method that is within range. if(injectionMethod>1){ printf("ERROR: Invalid injection method selected.\n"); Usage(); } // The handle of the process we will inject into. HANDLE proc=INVALID_HANDLE_VALUE; // Used for keeping track of the suspended threads. DWORD threadCount = 0; // Assuming 1MB stacks, 2048*1MB =~ 2GB. I am ASSUMING that the thread count in an application will never exceed this due to hardware contraints. #define MAX_THREADS 2048 HANDLE threads[MAX_THREADS]; // Get the handle to the process to inject into and store it in proc. if(startProcess){ // startProcess means that we need to start it up... PROCESS_INFORMATION pi; STARTUPINFOA si; GetStartupInfoA(&si); // Assemble the command line to start the process. char CommandLine[8191] = {0}; sprintf(CommandLine,"\"%s\"", programPath); if(procArgs != NULL){ strcat(CommandLine, " "); strcat(CommandLine, procArgs); } DWORD dwFlags = 0; if(waitMs) dwFlags |= CREATE_SUSPENDED; printf("Starting new process to inject into:\n%s\n",CommandLine); if(CreateProcessA(NULL,CommandLine,NULL,NULL,0,dwFlags,NULL,NULL,&si,&pi) == 0) { ErrorExit(TEXT("CreateProcessA"), "Check your process path."); } if(waitMs){ threadCount = 1; threads[0] = pi.hThread; } proc = pi.hProcess; } else{ // The process is already running, we need to get a handle to it with the correct permissions. if(procName != NULL){ // Open a handle to the process if they specified it with a name. proc = GetProcessHandleFromName(procName); if(proc == NULL){ printf("ERROR: Failed to find a process by the name of '%S' that we have permissions to inject into. Make sure that your have proper permissions and the process is running.\n", procName); ExitProcess(-1); } } else { // Open a handle to the process specified by PID. proc = GetProcessHandleFromPid(pid); if(proc == NULL) { ErrorExit(TEXT("OpenProcess"), "Check the Process Id that you provided."); } } if(waitMs){ /** @todo Add the ability to suspend already running processes. */ } } // Inject each dll listed. for(DWORD i=0;i<dllCount;i++){ printf("Injecting %s into pid %d.\n", dllList[i], GetProcessId(proc)); DWORD dwThreadExitCode; switch(injectionMethod){ case 0: printf("Using LoadLibrary injection (Richter Method).\n"); dwThreadExitCode = LoadLibraryInjection(proc, dllList[i]); break; case 1: printf("Using Thread Hijacking...\n"); dwThreadExitCode = ThreadHijackInjection(proc, dllList[i]); break; } if(dwThreadExitCode == 0){ printf("ERROR: The target process failed to load %s. Check the DLL path you specified.\n",dllList[i]); printf("DLL Injection Failed!"); } else { printf("%s Injection Successful!\n",dllList[i]); } // Free up that memory... free(dllList[i]); } if(waitMs && startProcess){ printf("Waiting %ims for DLL to lay hooks before resuming the process.\n",waitMs); Sleep(waitMs); for(DWORD i=0;i<threadCount;i++){ printf("Resuming threads in process %d...\n", GetProcessId(proc)); ResumeThread(threads[i]); CloseHandle(threads[i]); } } // No need for this handle anymore. CloseHandle(proc); return 0; }
void fn1310E4E5(Eq_281 * fs) { word32 * eax_14 = fs->ptr0000; fs->ptr0000 = fp - 0x00000014; __set_app_type(); __p__fmode(); *eax_14 = 0x00000000; __p__commode(); *eax_14 = 0x00000000; word32 eax_51 = Mem49[_adjust_fdiv:word32]; fn1310E63E(); word32 esp_193 = fp + 0xFFFFFF68; if (eax_51 == 0x00000000) { __setusermatherr(); esp_193 = fp + 0xFFFFFF64; } fn1310E629(); Eq_318 * esp_59 = esp_193 - 0x00000004; esp_59->dw0000 = fp - 0x00000080; esp_59->dw0000 = fp - 0x00000080; _initterm(); esp_59->tFFFFFFF4 = fp - 0x00000070; esp_59->dwFFFFFFF0 = eax_51; esp_59->dwFFFFFFEC = fp - 0x00000068; esp_59->dwFFFFFFE8 = fp - 0x00000074; esp_59->dwFFFFFFE4 = fp - 0x00000064; __getmainargs(); esp_59->dwFFFFFFDC = fp - 0x00000080; esp_59->dwFFFFFFD8 = fp - 0x00000080; _initterm(); word32 esi_161 = Mem85[_acmdln:word32]; if (esi_161->b0000 == 0x22) { l1310E597: do { esi_161 = esi_161 + 1; bcu8 al_171 = esi_161->b0000; } while (al_171 == 0x00 || al_171 == 0x22); if (esi_161->b0000 == 0x22) { l1310E5AA: esi_161 = esi_161 + 1; l1310E5AE: bcu8 al_98 = esi_161->b0000; if (al_98 != 0x00 && al_98 <=u 0x20) goto l1310E5AA; } else goto l1310E5AE; } else while (esi_161->b0000 >u 0x20) esi_161 = esi_161 + 1; Eq_57 eax_113; esp_59->tFFFFFFF4 = fp - 0x00000060; GetStartupInfoA(esp_59->tFFFFFFF4); word32 esp_109 = &esp_59->tFFFFFFF4; if (0x00 != 0x00) eax_113 = (word32) wLoc30; else { esp_59->tFFFFFFF4.u0 = 0x0000000A; eax_113 = esp_59->tFFFFFFF4; esp_109 = &esp_59->tFFFFFFF4; } Eq_439 * esp_115 = esp_109 - 0x00000004; esp_115->t0000 = eax_113; Mem118[esp_115 - 0x00000004:word32] = esi_161; esp_115->t0000.u0 = 0x00000000; esp_115->t0000.u0 = 0x00000000; Mem126[esp_115 - 0x0000000C:word32] = GetModuleHandleA(esp_115->t0000); esp_115->dw0016 = fn1310E09B(); exit(esp_115->dw0016); word32 ecx_137 = **dwLoc18; esp_115->ptr0012 = dwLoc18; esp_115->dw000E = ecx_137; _XcptFilter(); return; }
word32 fn1310E09B() { SetErrorMode(0x5C000000); ADVAPI32.dll!WmiReceiveNotificationsA(); GetStartupInfoA(fp + 0xFFFFFD6C); ADVAPI32.dll!WmiSetSingleInstanceW(); Eq_63 * eax_36 = SafeArrayGetUBound(null, 0x0006C000, (LONG *) 0x00012C00); if (eax_36 != (Eq_63 *) 0xFC110199 && eax_36 + 0x80010332 == eax_36 + 0xFFFD0199) { word32 ebx_303 = eax_36->dw9309E6A9; fn1310E000(fp + 0xFFFFFDC4, fp + 0xFFFFFDC4, 0x00000004, fp - 0x00000010, 0x00000000, fp + 0xFFFFFDCC); word32 edi_328 = eax_36->dw9309E6AD; fn1310E000(fp + 0xFFFFFDA8, fp + 0xFFFFFDA4, 0x00000004, fp - 0x00000010, 0x00000004, fp + 0xFFFFFDCC); ui32 edi_351 = eax_36->dw9309E6B1; fn1310E000(fp - 0x00000014, fp - 0x0000001C, 0x00000004, fp - 0x00000010, 0x00000008, fp + 0xFFFFFDCC); Eq_138 eax_378 = GetModuleHandleA(0x00000000); word32 eax_386 = eax_36->dw9309E6B5; fn1310E000(fp - 0x0000001C, fp - 0x00000028, 0x00000004, fp - 0x00000010, 0x0000000C, fp + 0xFFFFFDCC); dwLoc0248 = eax_36->dw9309E6B9; fn1310E000(fp + 0xFFFFFDB8, fp + 0xFFFFFDA8, 0x00000004, fp - 0x00000010, 0x00000010, fp + 0xFFFFFDCC); word32 eax_449 = edi_351 * 0x00000008 + 0x0000000C; dwLoc0258 = edi_328; dwLoc14 = edi_351; dwLoc20 = eax_378; dwLoc024C = 0x00000014; dwLoc24 = eax_36 + 0x9309E6BD; dwLoc2C = eax_449; dwLoc0260 = VirtualAlloc(0x00000000, eax_449 + edi_328 + ebx_303, 0x00003000, 0x00000040); dwLoc0C = eax_386 + eax_378 + eax_449; dwLoc0264 = eax_449; dwLoc08 = 0x00000000; dwLoc18 = 0x00000000; goto l1310E32A; } l1310E32A: while (0x00000001 != 0x00000000) { if (dwLoc0264 == dwLoc0248) { ui32 edx_221 = dwLoc08 + 0x00000001; dwLoc08 = edx_221; if (edx_221 == dwLoc14) goto l1310E45A; word32 edx_227 = dwLoc24->dw0000; fn1310E000(fp - 0x0000001C, fp - 0x0000001C - dwLoc024C, 0x00000004, fp - 0x00000010, dwLoc024C, fp + 0xFFFFFDCC); Eq_253 * esi_257 = &dwLoc24->t0004; word32 ebx_254 = dwLoc024C + 0x00000004; dwLoc0248 = esi_257->dw0000; fn1310E000(fp + 0xFFFFFDB8, fp + 0xFFFFFDB8 - ebx_254, 0x00000004, fp - 0x00000010, ebx_254, fp + 0xFFFFFDCC); dwLoc024C = ebx_254 + 0x00000004; dwLoc24 = esi_257 + 0x00000004; dwLoc0264 = 0x00000000; dwLoc0C = edx_227 + dwLoc20; goto l1310E415; } l1310E415: dwLoc0260->b0000 = dwLoc0C->b0000; dwLoc0C = dwLoc0C + 1; dwLoc18 = dwLoc18 + 0x00000001; dwLoc0264 = dwLoc0264 + 0x00000001; } l1310E45A: word32 eax_147 = fn1310E000(dwLoc0260, dwLoc0260 - dwLoc2C, dwLoc0258, fp + 0xFFFFFDC8, dwLoc2C, fp + 0xFFFFFDCC); (dwLoc0260 + 0x00000F50)(); return eax_147; }