Diffstat (limited to 'src')
-rw-r--r--src/process/ntapi_tt_create_native_process_v1.c89
-rw-r--r--src/process/ntapi_tt_create_native_process_v2.c112
2 files changed, 89 insertions, 112 deletions
diff --git a/src/process/ntapi_tt_create_native_process_v1.c b/src/process/ntapi_tt_create_native_process_v1.c
index 1163092..4c58a99 100644
--- a/src/process/ntapi_tt_create_native_process_v1.c
+++ b/src/process/ntapi_tt_create_native_process_v1.c
@@ -14,6 +14,15 @@
#include <ntapi/ntapi.h>
#include "ntapi_impl.h"
+struct __integral_cmdline {
+ struct pe_guid_str_utf16 guid;
+ wchar16_t space1;
+ wchar16_t rarg[2];
+ wchar16_t space2;
+ wchar16_t addr[2*__SIZEOF_POINTER__];
+ wchar16_t null;
+};
+
static int32_t __tt_create_process_cancel(nt_create_process_params * params, void * hsection, int32_t status)
{
if (params->hprocess) {
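Review bot: `struct __integral_cmdline` (L18-L25) has no comment saying what byte layout it models, yet the later hunk derives the UTF-16 string length and the buffer start from `sizeof(fcmdline)` and `&fcmdline.guid.lbrace`, which only works if every member, including those inside `pe_guid_str_utf16`, is a `wchar16_t` with no padding between them. A comment above the struct would make that contract explicit, e.g. `/* contiguous UTF-16 "{guid} -r <addr>\0"; all members are wchar16_t so sizeof() is the byte length including the terminator, and guid.lbrace must be the first member */`, with `addr` presumably meant to hold a pointer in hex (2*sizeof(void*) digits) — worth confirming. The same struct is repeated verbatim in ntapi_tt_create_native_process_v2.c (L137-L144); a single definition in ntapi_impl.h would keep the two files from drifting. `__tt_create_process_cancel` begins at L27 and continues outside the hunk.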
@@ -47,20 +56,24 @@ int32_t __stdcall __ntapi_tt_create_native_process_v1(nt_create_process_params *
nt_io_status_block iosb;
nt_section_image_information sii;
-
- wchar16_t * cmd_line_runtime_buffer;
- size_t cmd_line_runtime_buffer_size;
int fresume_thread;
+ struct __integral_cmdline fcmdline = {
+ {
+ '{',{'3','e','4','3','e','c','8','4'},
+ '-',{'1','a','f','1'},
+ '-',{'4','e','d','e'},
+ '-',{'a','c','d','8'},
+ '-',{'c','3','d','9','2','0','a','f','c','8','6','8'},
+ '}'
+ },
#if (__SIZEOF_POINTER__ == 4)
- wchar16_t runtime_arg[12] = {
- ' ','-','r',' ',
- 'i','n','t','e','g','r','a','l'};
+ ' ',{'-','r'},' ',
+ {'i','n','t','e','g','r','a','l'},0};
#elif (__SIZEOF_POINTER__ == 8)
- wchar16_t runtime_arg[20] = {
- ' ','-','r',' ',
- 'i','n','t','e','g','r','a','l',
- '-','r','u','n','t','i','m','e'};
+ ' ',{'-','r'},' ',
+ {'i','n','t','e','g','r','a','l',
+ '-','r','u','n','t','i','m','e'},0};
#endif
/* validation */
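Review bot: The `addr` member of `fcmdline` (L50-L59) is sized for a hex pointer but is initialized with the literal text "integral" / "integral-runtime" that the removed `runtime_arg` used to append, and nothing in this diff later overwrites it with the rtblock address. If the overwrite happens elsewhere in the function, the initializer should say so, e.g. `/* addr: filled in with the rtblock address below — placeholder text only */`; if it does not, the field name is misleading and the child process receives the fixed text, not an address. The same initializer appears in ntapi_tt_create_native_process_v2.c (L174-L196) and would need the same comment. The `__ntapi_tt_create_native_process_v1` body continues outside this hunk.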
@@ -158,49 +171,23 @@ int32_t __stdcall __ntapi_tt_create_native_process_v1(nt_create_process_params *
/* create remote process parameters block */
if (!params->process_params) {
- /* cmd_line */
- if (!params->cmd_line) {
- params->cmd_line = params->image_name;
- }
-
- __ntapi->rtl_init_unicode_string(
- &nt_cmd_line,
- params->cmd_line);
-
- /* rtblock */
- if (params->rtblock) {
- cmd_line_runtime_buffer = (wchar16_t *)0;
- cmd_line_runtime_buffer_size = nt_cmd_line.maxlen
- + sizeof(runtime_arg);
-
- if ((status = __ntapi->zw_allocate_virtual_memory(
- NT_CURRENT_PROCESS_HANDLE,
- (void **)&cmd_line_runtime_buffer,
- 0,&cmd_line_runtime_buffer_size,
- NT_MEM_RESERVE | NT_MEM_COMMIT,
- NT_PAGE_READWRITE)))
- return __tt_create_process_cancel(params,hsection,status);
-
- __ntapi->tt_memcpy_utf16(
- (wchar16_t *)cmd_line_runtime_buffer,
- (wchar16_t *)nt_cmd_line.buffer,
- nt_cmd_line.strlen);
-
- __ntapi->tt_memcpy_utf16(
- (wchar16_t *)pe_va_from_rva(
- cmd_line_runtime_buffer,
- nt_cmd_line.strlen),
- (wchar16_t *)runtime_arg,
- sizeof(runtime_arg));
-
- nt_cmd_line.strlen += sizeof(runtime_arg);
- nt_cmd_line.maxlen += sizeof(runtime_arg);
- nt_cmd_line.buffer = cmd_line_runtime_buffer;
- }
-
/* environment */
- if (!params->environment) {
+ if (!params->environment)
params->environment = __ntapi->tt_get_peb_env_block_utf16();
+
+ /* cmd_line */
+ if (params->rtblock) {
+ nt_cmd_line.strlen = sizeof(fcmdline) - sizeof(fcmdline.null);
+ nt_cmd_line.maxlen = sizeof(fcmdline);
+ nt_cmd_line.buffer = &fcmdline.guid.lbrace;
+ params->cmd_line = &fcmdline.guid.lbrace;
+ } else {
+ if (!params->cmd_line)
+ params->cmd_line = params->image_name;
+
+ __ntapi->rtl_init_unicode_string(
+ &nt_cmd_line,
+ params->cmd_line);
}
}
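Review bot: `params->cmd_line = &fcmdline.guid.lbrace;` at L115 stores the address of an automatic variable into the caller's `__in_out` params block, so once `__ntapi_tt_create_native_process_v1` returns the caller holds a dangling pointer; the buffer the removed code obtained from `zw_allocate_virtual_memory` outlived the call, so callers may have come to rely on reading `params->cmd_line` afterwards. Either drop that assignment if only `nt_cmd_line` needs the buffer, or document the lifetime at the assignment: `/* points into fcmdline (stack): valid only until this function returns */`. The rtblock branch also silently discards a caller-supplied `params->cmd_line`; that matches the old "alternative to cmd_line" intent but deserves a one-line comment. The same construct appears in ntapi_tt_create_native_process_v2.c at L246-L259.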
diff --git a/src/process/ntapi_tt_create_native_process_v2.c b/src/process/ntapi_tt_create_native_process_v2.c
index f20c51f..3b3c059 100644
--- a/src/process/ntapi_tt_create_native_process_v2.c
+++ b/src/process/ntapi_tt_create_native_process_v2.c
@@ -14,6 +14,20 @@
#include <ntapi/ntapi.h>
#include "ntapi_impl.h"
+struct __ext_params {
+ size_t size_in_bytes;
+ nt_create_process_ext_param file_info;
+};
+
+struct __integral_cmdline {
+ struct pe_guid_str_utf16 guid;
+ wchar16_t space1;
+ wchar16_t rarg[2];
+ wchar16_t space2;
+ wchar16_t addr[2*__SIZEOF_POINTER__];
+ wchar16_t null;
+};
+
static int32_t __tt_create_process_cancel(nt_create_process_params * params, int32_t status)
{
if (params->hprocess) {
@@ -31,33 +45,35 @@ static int32_t __tt_create_process_cancel(nt_create_process_params * params, int
int32_t __stdcall __ntapi_tt_create_native_process_v2(
__in_out nt_create_process_params * params)
{
- int32_t status;
+ int32_t status;
- nt_object_attributes oa_process;
- nt_object_attributes oa_thread;
+ nt_object_attributes oa_process;
+ nt_object_attributes oa_thread;
- nt_unicode_string nt_image;
- nt_unicode_string nt_cmd_line;
- wchar16_t * cmd_line_runtime_buffer;
- size_t cmd_line_runtime_buffer_size;
+ nt_unicode_string nt_image;
+ nt_unicode_string nt_cmd_line;
- nt_create_process_info nt_process_info;
- int fresume_thread;
+ nt_create_process_info nt_process_info;
+ int fresume_thread;
- struct {
- size_t size_in_bytes;
- nt_create_process_ext_param file_info;
- } ext_params;
+ struct __ext_params ext_params;
+ struct __integral_cmdline fcmdline = {
+ {
+ '{',{'3','e','4','3','e','c','8','4'},
+ '-',{'1','a','f','1'},
+ '-',{'4','e','d','e'},
+ '-',{'a','c','d','8'},
+ '-',{'c','3','d','9','2','0','a','f','c','8','6','8'},
+ '}'
+ },
#if (__SIZEOF_POINTER__ == 4)
- wchar16_t runtime_arg[12] = {
- ' ','-','r',' ',
- 'i','n','t','e','g','r','a','l'};
+ ' ',{'-','r'},' ',
+ {'i','n','t','e','g','r','a','l'},0};
#elif (__SIZEOF_POINTER__ == 8)
- wchar16_t runtime_arg[20] = {
- ' ','-','r',' ',
- 'i','n','t','e','g','r','a','l',
- '-','r','u','n','t','i','m','e'};
+ ' ',{'-','r'},' ',
+ {'i','n','t','e','g','r','a','l',
+ '-','r','u','n','t','i','m','e'},0};
#endif
/* validation */
@@ -93,51 +109,25 @@ int32_t __stdcall __ntapi_tt_create_native_process_v2(
/* process_params */
if (!params->process_params) {
- /* cmd_line */
- if (!params->cmd_line) {
- params->cmd_line = params->image_name;
- }
-
- __ntapi->rtl_init_unicode_string(
- &nt_cmd_line,
- params->cmd_line);
-
- /* rtdata (alternative to cmd_line) */
- if (params->rtblock) {
- cmd_line_runtime_buffer = (wchar16_t *)0;
- cmd_line_runtime_buffer_size = nt_cmd_line.maxlen
- + sizeof(runtime_arg);
-
- if ((status = __ntapi->zw_allocate_virtual_memory(
- NT_CURRENT_PROCESS_HANDLE,
- (void **)&cmd_line_runtime_buffer,
- 0,&cmd_line_runtime_buffer_size,
- NT_MEM_RESERVE | NT_MEM_COMMIT,
- NT_PAGE_READWRITE)))
- return status;
-
- __ntapi->tt_memcpy_utf16(
- (wchar16_t *)cmd_line_runtime_buffer,
- (wchar16_t *)nt_cmd_line.buffer,
- nt_cmd_line.strlen);
-
- __ntapi->tt_memcpy_utf16(
- (wchar16_t *)pe_va_from_rva(
- cmd_line_runtime_buffer,
- nt_cmd_line.strlen),
- (wchar16_t *)runtime_arg,
- sizeof(runtime_arg));
-
- nt_cmd_line.strlen += sizeof(runtime_arg);
- nt_cmd_line.maxlen += sizeof(runtime_arg);
- nt_cmd_line.buffer = cmd_line_runtime_buffer;
- }
-
-
/* environment */
if (!params->environment)
params->environment = __ntapi->tt_get_peb_env_block_utf16();
+ /* cmd_line */
+ if (params->rtblock) {
+ nt_cmd_line.strlen = sizeof(fcmdline) - sizeof(fcmdline.null);
+ nt_cmd_line.maxlen = sizeof(fcmdline);
+ nt_cmd_line.buffer = &fcmdline.guid.lbrace;
+ params->cmd_line = &fcmdline.guid.lbrace;
+ } else {
+ if (!params->cmd_line)
+ params->cmd_line = params->image_name;
+
+ __ntapi->rtl_init_unicode_string(
+ &nt_cmd_line,
+ params->cmd_line);
+ }
+
if ((status = __ntapi->rtl_create_process_parameters(
&params->process_params,
&nt_image,