static bool CheckRegKeyExist(RegKeyExistArg* pKeys)
{
bool bFound = false;
typedef LONG (WINAPI* RegOpenKeyExW_t)(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult);
typedef LONG (WINAPI* RegCloseKey_t)(HKEY hKey);
HMODULE hAdvApi = LoadLibrary(L"AdvApi32.dll");
if (hAdvApi)
{
RegOpenKeyExW_t _RegOpenKeyExW = (RegOpenKeyExW_t)GetProcAddress(hAdvApi, "RegOpenKeyExW");
RegCloseKey_t _RegCloseKey = (RegCloseKey_t)GetProcAddress(hAdvApi, "RegCloseKey");
while (pKeys->hkParent)
{
HKEY hk = NULL;
LONG lRc = _RegOpenKeyExW(pKeys->hkParent, pKeys->pszKey, 0, KEY_READ, &hk);
if (hk)
_RegCloseKey(hk);
if (lRc == 0)
{
bFound = true;
break;
}
pKeys++;
}
FreeLibrary(hAdvApi);
}
return bFound;
}
bool FindImageSubsystem(const wchar_t *Module, /*wchar_t* pstrDest,*/ DWORD& ImageSubsystem, DWORD& ImageBits, DWORD& FileAttrs)
{
if (!Module || !*Module)
return false;
bool Result = false;
//ImageSubsystem = IMAGE_SUBSYSTEM_UNKNOWN;
// Исключения нас не интересуют - команда уже сформирована и отдана в CreateProcess!
//// нулевой проход - смотрим исключения
//// Берем "исключения" из реестра, которые должны исполняться директом,
//// например, некоторые внутренние команды ком. процессора.
//string strExcludeCmds;
//GetRegKey(strSystemExecutor,L"ExcludeCmds",strExcludeCmds,L"");
//UserDefinedList ExcludeCmdsList;
//ExcludeCmdsList.Set(strExcludeCmds);
//while (!ExcludeCmdsList.IsEmpty())
//{
// if (!StrCmpI(Module,ExcludeCmdsList.GetNext()))
// {
// ImageSubsystem=IMAGE_SUBSYSTEM_WINDOWS_CUI;
// Result=true;
// break;
// }
//}
//string strFullName=Module;
LPCWSTR ModuleExt = PointToExt(Module);
wchar_t *strPathExt/*[32767]*/ = NULL; //(L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WSH");
wchar_t *strPathEnv/*[32767]*/ = NULL;
wchar_t *strExpand/*[32767]*/ = NULL;
wchar_t *strTmpName/*[32767]*/ = NULL;
wchar_t *pszFilePart = NULL;
DWORD nPathExtLen = 0;
LPCWSTR pszPathExtEnd = NULL;
LPWSTR Ext = NULL;
typedef LONG (WINAPI *RegOpenKeyExW_t)(HKEY hKey, LPCTSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult);
RegOpenKeyExW_t _RegOpenKeyEx = NULL;
typedef LONG (WINAPI *RegQueryValueExW_t)(HKEY hKey, LPCTSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);
RegQueryValueExW_t _RegQueryValueEx = NULL;
typedef LONG (WINAPI *RegCloseKey_t)(HKEY hKey);
RegCloseKey_t _RegCloseKey = NULL;
HMODULE hAdvApi = NULL;
int cchstrPathExt = 32767;
strPathExt = (wchar_t*)malloc(cchstrPathExt*sizeof(wchar_t)); *strPathExt = 0;
int cchstrPathEnv = 32767;
strPathEnv = (wchar_t*)malloc(cchstrPathEnv*sizeof(wchar_t)); *strPathEnv = 0;
int cchstrExpand = 32767;
strExpand = (wchar_t*)malloc(cchstrExpand*sizeof(wchar_t)); *strExpand = 0;
int cchstrTmpName = 32767;
strTmpName = (wchar_t*)malloc(cchstrTmpName*sizeof(wchar_t)); *strTmpName = 0;
nPathExtLen = GetEnvironmentVariable(L"PATHEXT", strPathExt, cchstrPathExt-2);
if (!nPathExtLen)
{
_wcscpy_c(strPathExt, cchstrPathExt, L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WSH");
nPathExtLen = lstrlen(strPathExt);
}
pszPathExtEnd = strPathExt+nPathExtLen;
// Разбить на токены
strPathExt[nPathExtLen] = strPathExt[nPathExtLen+1] = 0;
Ext = wcschr(strPathExt, L';');
while (Ext)
{
*Ext = 0;
Ext = wcschr(Ext+1, L';');
}
TODO("Проверить на превышение длин строк");
// первый проход - в текущем каталоге
LPWSTR pszExtCur = strPathExt;
while (pszExtCur < pszPathExtEnd)
{
Ext = pszExtCur;
pszExtCur = pszExtCur + lstrlen(pszExtCur)+1;
_wcscpyn_c(strTmpName, cchstrTmpName, Module, cchstrTmpName); //-V501
if (!ModuleExt)
{
if (!*Ext)
continue;
_wcscatn_c(strTmpName, cchstrTmpName, Ext, cchstrTmpName);
}
if (GetImageSubsystem(strTmpName, ImageSubsystem, ImageBits/*16/32/64*/, FileAttrs))
{
Result = true;
goto wrap;
}
if (ModuleExt)
{
break;
}
}
// второй проход - по правилам SearchPath
// поиск по переменной PATH
if (GetEnvironmentVariable(L"PATH", strPathEnv, cchstrPathEnv))
{
LPWSTR pszPathEnvEnd = strPathEnv + lstrlen(strPathEnv);
LPWSTR pszPathCur = strPathEnv;
while (pszPathCur && (pszPathCur < pszPathEnvEnd))
{
LPWSTR Path = pszPathCur;
LPWSTR pszPathNext = wcschr(pszPathCur, L';');
if (pszPathNext)
{
*pszPathNext = 0;
pszPathCur = pszPathNext+1;
}
else
{
pszPathCur = pszPathEnvEnd;
}
if (!*Path)
continue;
pszExtCur = strPathExt;
while (pszExtCur < pszPathExtEnd)
{
Ext = pszExtCur;
pszExtCur = pszExtCur + lstrlen(pszExtCur)+1;
if (!*Ext)
continue;
if (SearchPath(Path, Module, Ext, cchstrTmpName, strTmpName, &pszFilePart))
{
if (GetImageSubsystem(strTmpName, ImageSubsystem, ImageBits, FileAttrs))
{
Result = true;
goto wrap;
}
}
}
}
}
pszExtCur = strPathExt;
while (pszExtCur < pszPathExtEnd)
{
Ext = pszExtCur;
pszExtCur = pszExtCur + lstrlen(pszExtCur)+1;
if (!*Ext)
continue;
if (SearchPath(NULL, Module, Ext, cchstrTmpName, strTmpName, &pszFilePart))
{
if (GetImageSubsystem(strTmpName, ImageSubsystem, ImageBits, FileAttrs))
{
Result = true;
goto wrap;
}
}
}
// третий проход - лезем в реестр в "App Paths"
if (!wcschr(Module, L'\\'))
{
hAdvApi = LoadLibrary(L"AdvApi32.dll");
if (!hAdvApi)
goto wrap;
_RegOpenKeyEx = (RegOpenKeyExW_t)GetProcAddress(hAdvApi, "RegOpenKeyExW");
_RegQueryValueEx = (RegQueryValueExW_t)GetProcAddress(hAdvApi, "RegQueryValueExW");
_RegCloseKey = (RegCloseKey_t)GetProcAddress(hAdvApi, "RegCloseKey");
if (!_RegOpenKeyEx || !_RegQueryValueEx || !_RegCloseKey)
goto wrap;
LPCWSTR RegPath = L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\";
// В строке Module заменить исполняемый модуль на полный путь, который
// берется из SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
// Сначала смотрим в HKCU, затем - в HKLM
HKEY RootFindKey[] = {HKEY_CURRENT_USER,HKEY_LOCAL_MACHINE,HKEY_LOCAL_MACHINE};
BOOL lbAddExt = FALSE;
pszExtCur = strPathExt;
while (pszExtCur < pszPathExtEnd)
{
if (!lbAddExt)
{
Ext = NULL;
lbAddExt = TRUE;
}
else
{
Ext = pszExtCur;
pszExtCur = pszExtCur + lstrlen(pszExtCur)+1;
if (!*Ext)
continue;
}
_wcscpy_c(strTmpName, cchstrTmpName, RegPath);
_wcscatn_c(strTmpName, cchstrTmpName, Module, cchstrTmpName);
if (Ext)
_wcscatn_c(strTmpName, cchstrTmpName, Ext, cchstrTmpName);
DWORD samDesired = KEY_QUERY_VALUE;
DWORD RedirectionFlag = 0;
// App Paths key is shared in Windows 7 and above
OSVERSIONINFO osv = {sizeof(OSVERSIONINFO)};
GetVersionEx(&osv);
if (osv.dwMajorVersion < 6 || (osv.dwMajorVersion == 6 && osv.dwMinorVersion < 1))
{
#ifdef _WIN64
RedirectionFlag = KEY_WOW64_32KEY;
#else
RedirectionFlag = IsWindows64() ? KEY_WOW64_64KEY : 0;
#endif
}
for (size_t i = 0; i < countof(RootFindKey); i++)
{
if (i == (countof(RootFindKey)-1))
{
if (RedirectionFlag)
samDesired |= RedirectionFlag;
else
break;
}
HKEY hKey;
if (_RegOpenKeyEx(RootFindKey[i], strTmpName, 0, samDesired, &hKey) == ERROR_SUCCESS)
{
DWORD nType = 0, nSize = sizeof(strTmpName)-2;
int RegResult = _RegQueryValueEx(hKey, L"", NULL, &nType, (LPBYTE)strTmpName, &nSize);
_RegCloseKey(hKey);
if ((RegResult == ERROR_SUCCESS) && (nType == REG_SZ || nType == REG_EXPAND_SZ || nType == REG_MULTI_SZ))
{
strTmpName[(nSize >> 1)+1] = 0;
if (!ExpandEnvironmentStrings(strTmpName, strExpand, cchstrExpand))
_wcscpy_c(strExpand, cchstrExpand, strTmpName);
if (GetImageSubsystem(Unquote(strExpand), ImageSubsystem, ImageBits, FileAttrs))
{
Result = true;
goto wrap;
}
}
}
}
// cmd.exe only!
LONG WINAPI OnRegQueryValueExW(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
{
//typedef LONG (WINAPI* OnRegQueryValueExW_t)(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);
ORIGINAL_EX(RegQueryValueExW);
LONG lRc = -1;
if (gbIsCmdProcess && hKey && lpValueName)
{
// Allow `CD` to network paths
if (lstrcmpi(lpValueName, L"DisableUNCCheck") == 0)
{
if (lpData)
{
if (lpcbData && *lpcbData >= sizeof(DWORD))
*((LPDWORD)lpData) = gbAllowUncPaths;
else
*lpData = gbAllowUncPaths;
}
if (lpType)
*lpType = REG_DWORD;
if (lpcbData)
*lpcbData = sizeof(DWORD);
lRc = 0;
goto wrap;
}
if (gbIsCmdProcess && hKey && lpValueName
&& (lstrcmpi(lpValueName, L"AutoRun") == 0)
&& InitializeClink())
{
if (gbAllowClinkUsage && gszClinkCmdLine
&& IsInteractive())
{
// Is already loaded?
if (!IsClinkLoaded()
&& !gbClinkInjectRequested)
{
// Do this once, to avoid multiple initializations
gbClinkInjectRequested = true;
// May be it is set up itself?
typedef LONG (WINAPI* RegOpenKeyEx_t)(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult);
typedef LONG (WINAPI* RegCloseKey_t)(HKEY hKey);
HMODULE hAdvApi = LoadLibrary(L"AdvApi32.dll");
if (hAdvApi)
{
RegOpenKeyEx_t _RegOpenKeyEx = (RegOpenKeyEx_t)GetProcAddress(hAdvApi, "RegOpenKeyExW");
RegCloseKey_t _RegCloseKey = (RegCloseKey_t)GetProcAddress(hAdvApi, "RegCloseKey");
if (_RegOpenKeyEx && _RegCloseKey)
{
const DWORD cchMax = 0x3FF0;
const DWORD cbMax = cchMax*2;
wchar_t* pszCmd = (wchar_t*)malloc(cbMax);
if (pszCmd)
{
DWORD cbSize;
bool bClinkInstalled = false;
for (int i = 0; i <= 1 && !bClinkInstalled; i++)
{
HKEY hk;
if (_RegOpenKeyEx(i?HKEY_LOCAL_MACHINE:HKEY_CURRENT_USER, L"Software\\Microsoft\\Command Processor", 0, KEY_READ, &hk))
continue;
if (!F(RegQueryValueExW)(hk, lpValueName, NULL, NULL, (LPBYTE)pszCmd, &(cbSize = cbMax))
&& (cbSize+2) < cbMax)
{
cbSize /= 2; pszCmd[cbSize] = 0;
CharLowerBuffW(pszCmd, cbSize);
if (wcsstr(pszCmd, L"\\clink.bat"))
bClinkInstalled = true;
}
_RegCloseKey(hk);
}
// Not installed via "Autorun"
if (!bClinkInstalled)
{
int iLen = lstrlen(gszClinkCmdLine);
_wcscpy_c(pszCmd, cchMax, gszClinkCmdLine);
_wcscpy_c(pszCmd+iLen, cchMax-iLen, L" & "); // conveyer next command indifferent to %errorlevel%
cbSize = cbMax - (iLen + 3)*sizeof(*pszCmd);
if (F(RegQueryValueExW)(hKey, lpValueName, NULL, NULL, (LPBYTE)(pszCmd + iLen + 3), &cbSize)
|| (pszCmd[iLen+3] == 0))
{
pszCmd[iLen] = 0; // There is no self value in registry
}
cbSize = (lstrlen(pszCmd)+1)*sizeof(*pszCmd);
// Return
lRc = 0;
if (lpData && lpcbData)
{
if (*lpcbData < cbSize)
lRc = ERROR_MORE_DATA;
else
_wcscpy_c((wchar_t*)lpData, (*lpcbData)/2, pszCmd);
}
if (lpcbData)
*lpcbData = cbSize;
free(pszCmd);
FreeLibrary(hAdvApi);
goto wrap;
}
free(pszCmd);
}
}
FreeLibrary(hAdvApi);
}
}
}
}
}
if (F(RegQueryValueExW))
lRc = F(RegQueryValueExW)(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
wrap:
return lRc;
}
