Diffstat (limited to 'src')
-rw-r--r-- | src/process/ntapi_tt_create_native_process_v1.c | 89 | ||||
-rw-r--r-- | src/process/ntapi_tt_create_native_process_v2.c | 112 |
2 files changed, 89 insertions, 112 deletions
diff --git a/src/process/ntapi_tt_create_native_process_v1.c b/src/process/ntapi_tt_create_native_process_v1.c
index 1163092..4c58a99 100644
--- a/src/process/ntapi_tt_create_native_process_v1.c
+++ b/src/process/ntapi_tt_create_native_process_v1.c
@@ -14,6 +14,15 @@
 #include <ntapi/ntapi.h>
 #include "ntapi_impl.h"
+struct __integral_cmdline {
+	struct pe_guid_str_utf16 guid;
+	wchar16_t space1;
+	wchar16_t rarg[2];
+	wchar16_t space2;
+	wchar16_t addr[2*__SIZEOF_POINTER__];
+	wchar16_t null;
+};
+
 static int32_t __tt_create_process_cancel(nt_create_process_params * params, void * hsection, int32_t status)
 {
 	if (params->hprocess) {
@@ -47,20 +56,24 @@ int32_t __stdcall __ntapi_tt_create_native_process_v1(nt_create_process_params *
 	nt_io_status_block iosb;
 	nt_section_image_information sii;
-
-	wchar16_t * cmd_line_runtime_buffer;
-	size_t cmd_line_runtime_buffer_size;
 	int fresume_thread;
+	struct __integral_cmdline fcmdline = {
+		{
+			'{',{'3','e','4','3','e','c','8','4'},
+			'-',{'1','a','f','1'},
+			'-',{'4','e','d','e'},
+			'-',{'a','c','d','8'},
+			'-',{'c','3','d','9','2','0','a','f','c','8','6','8'},
+			'}'
+		},
 #if (__SIZEOF_POINTER__ == 4)
-	wchar16_t runtime_arg[12] = {
-		' ','-','r',' ',
-		'i','n','t','e','g','r','a','l'};
+		' ',{'-','r'},' ',
+		{'i','n','t','e','g','r','a','l'},0};
 #elif (__SIZEOF_POINTER__ == 8)
-	wchar16_t runtime_arg[20] = {
-		' ','-','r',' ',
-		'i','n','t','e','g','r','a','l',
-		'-','r','u','n','t','i','m','e'};
+		' ',{'-','r'},' ',
+		{'i','n','t','e','g','r','a','l',
+		'-','r','u','n','t','i','m','e'},0};
 #endif
 	/* validation */
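Review bot: `fcmdline.addr` is initialised with the literal `integral` / `integral-runtime` placeholder, and nothing in this hunk (nor in the matching hunk of ntapi_tt_create_native_process_v2.c) formats the actual `params->rtblock` address into it, so unless that happens outside the hunk the child receives a fixed string where the field name `addr` promises a pointer value. The length arithmetic `sizeof(fcmdline) - sizeof(fcmdline.null)` that later feeds `nt_cmd_line.strlen` also silently depends on `struct __integral_cmdline` and `struct pe_guid_str_utf16` containing no padding; every visible member is `wchar16_t`, so pin it next to the struct definition with `_Static_assert(sizeof(struct __integral_cmdline) == sizeof(struct pe_guid_str_utf16) + (5 + 2*__SIZEOF_POINTER__) * sizeof(wchar16_t), "integral cmdline must be contiguous");` (if the project's C dialect allows it). The struct and the GUID initializer are duplicated verbatim in the v2 file; one definition in ntapi_impl.h would keep the two from drifting. The initializer sits inside `__ntapi_tt_create_native_process_v1`, which starts before and ends after this hunk.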
@@ -158,49 +171,23 @@ int32_t __stdcall __ntapi_tt_create_native_process_v1(nt_create_process_params *
 	/* create remote process parameters block */
 	if (!params->process_params) {
-		/* cmd_line */
-		if (!params->cmd_line) {
-			params->cmd_line = params->image_name;
-		}
-
-		__ntapi->rtl_init_unicode_string(
-			&nt_cmd_line,
-			params->cmd_line);
-		/* rtblock */
-		if (params->rtblock) {
-			cmd_line_runtime_buffer = (wchar16_t *)0;
-			cmd_line_runtime_buffer_size = nt_cmd_line.maxlen
-				+ sizeof(runtime_arg);
-
-			if ((status = __ntapi->zw_allocate_virtual_memory(
-					NT_CURRENT_PROCESS_HANDLE,
-					(void **)&cmd_line_runtime_buffer,
-					0,&cmd_line_runtime_buffer_size,
-					NT_MEM_RESERVE | NT_MEM_COMMIT,
-					NT_PAGE_READWRITE)))
-				return __tt_create_process_cancel(params,hsection,status);
-
-			__ntapi->tt_memcpy_utf16(
-				(wchar16_t *)cmd_line_runtime_buffer,
-				(wchar16_t *)nt_cmd_line.buffer,
-				nt_cmd_line.strlen);
-
-			__ntapi->tt_memcpy_utf16(
-				(wchar16_t *)pe_va_from_rva(
-					cmd_line_runtime_buffer,
-					nt_cmd_line.strlen),
-				(wchar16_t *)runtime_arg,
-				sizeof(runtime_arg));
-
-			nt_cmd_line.strlen += sizeof(runtime_arg);
-			nt_cmd_line.maxlen += sizeof(runtime_arg);
-			nt_cmd_line.buffer = cmd_line_runtime_buffer;
-		}
-		/* environment */
-		if (!params->environment) {
+		if (!params->environment)
 			params->environment = __ntapi->tt_get_peb_env_block_utf16();
+
+		/* cmd_line */
+		if (params->rtblock) {
+			nt_cmd_line.strlen = sizeof(fcmdline) - sizeof(fcmdline.null);
+			nt_cmd_line.maxlen = sizeof(fcmdline);
+			nt_cmd_line.buffer = &fcmdline.guid.lbrace;
+			params->cmd_line = &fcmdline.guid.lbrace;
+		} else {
+			if (!params->cmd_line)
+				params->cmd_line = params->image_name;
+
+			__ntapi->rtl_init_unicode_string(
+				&nt_cmd_line,
+				params->cmd_line);
+		}
 	}
 }
diff --git a/src/process/ntapi_tt_create_native_process_v2.c b/src/process/ntapi_tt_create_native_process_v2.c
index f20c51f..3b3c059 100644
--- a/src/process/ntapi_tt_create_native_process_v2.c
+++ b/src/process/ntapi_tt_create_native_process_v2.c
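Review bot: `params->cmd_line = &fcmdline.guid.lbrace;` stores the address of a stack local into the caller's `__in_out` parameter block, so once `__ntapi_tt_create_native_process_v1` returns, `params->cmd_line` is a dangling pointer into a dead frame, and any caller that reads it back (logging, a retry, or freeing it as the old heap buffer would have allowed) reads stale stack memory. The identical assignment appears in the last hunk of ntapi_tt_create_native_process_v2.c. `nt_cmd_line.buffer` only has to outlive the process-parameters call, so if `params->cmd_line` need not be reported back, drop that line; if it must, copy the string into caller-owned storage or state at the top of the function that in the rtblock case `params->cmd_line` is valid only for the duration of the call. Taking `&fcmdline.guid.lbrace` also assumes `lbrace` is the first member of `struct pe_guid_str_utf16`, which this page cannot confirm; `(wchar16_t *)&fcmdline` would make the intent explicit. The function starts before and ends after this hunk.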
@@ -14,6 +14,20 @@
 #include <ntapi/ntapi.h>
 #include "ntapi_impl.h"
+struct __ext_params {
+	size_t size_in_bytes;
+	nt_create_process_ext_param file_info;
+};
+
+struct __integral_cmdline {
+	struct pe_guid_str_utf16 guid;
+	wchar16_t space1;
+	wchar16_t rarg[2];
+	wchar16_t space2;
+	wchar16_t addr[2*__SIZEOF_POINTER__];
+	wchar16_t null;
+};
+
 static int32_t __tt_create_process_cancel(nt_create_process_params * params, int32_t status)
 {
 	if (params->hprocess) {
@@ -31,33 +45,35 @@ static int32_t __tt_create_process_cancel(nt_create_process_params * params, int
 int32_t __stdcall __ntapi_tt_create_native_process_v2(
 	__in_out nt_create_process_params * params)
 {
-	int32_t status;
+	int32_t status;
-	nt_object_attributes oa_process;
-	nt_object_attributes oa_thread;
+	nt_object_attributes oa_process;
+	nt_object_attributes oa_thread;
-	nt_unicode_string nt_image;
-	nt_unicode_string nt_cmd_line;
-	wchar16_t * cmd_line_runtime_buffer;
-	size_t cmd_line_runtime_buffer_size;
+	nt_unicode_string nt_image;
+	nt_unicode_string nt_cmd_line;
-	nt_create_process_info nt_process_info;
-	int fresume_thread;
+	nt_create_process_info nt_process_info;
+	int fresume_thread;
-	struct {
-		size_t size_in_bytes;
-		nt_create_process_ext_param file_info;
-	} ext_params;
+	struct __ext_params ext_params;
+	struct __integral_cmdline fcmdline = {
+		{
+			'{',{'3','e','4','3','e','c','8','4'},
+			'-',{'1','a','f','1'},
+			'-',{'4','e','d','e'},
+			'-',{'a','c','d','8'},
+			'-',{'c','3','d','9','2','0','a','f','c','8','6','8'},
+			'}'
+		},
 #if (__SIZEOF_POINTER__ == 4)
-	wchar16_t runtime_arg[12] = {
-		' ','-','r',' ',
-		'i','n','t','e','g','r','a','l'};
+		' ',{'-','r'},' ',
+		{'i','n','t','e','g','r','a','l'},0};
 #elif (__SIZEOF_POINTER__ == 8)
-	wchar16_t runtime_arg[20] = {
-		' ','-','r',' ',
-		'i','n','t','e','g','r','a','l',
-		'-','r','u','n','t','i','m','e'};
+		' ',{'-','r'},' ',
+		{'i','n','t','e','g','r','a','l',
+		'-','r','u','n','t','i','m','e'},0};
 #endif
 	/* validation */
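Review bot: The new local `fcmdline` borrows the `f` prefix that `fresume_thread` uses for a flag in the same declaration list, but it is the whole command-line struct; `cmdline` or `integral_cmdline`, alongside `ext_params`, would read correctly. The declaration pairs `int32_t status;`, `nt_object_attributes oa_process;` and the others are removed and re-added with text that is identical once rendered, which suggests an indentation-only change (the page drops the whitespace, so this is inferred); carrying that in its own commit would leave this hunk with only the real change. `struct __ext_params` and `struct __integral_cmdline` are file-scope types in a file whose other helpers are `static`; a one-line comment above each saying what the layout is consumed by (the ext-params block passed to the process-parameters call, and the UTF-16 command line handed to the child) would save the next reader the search. The naming point applies to the v1 file's `fcmdline` as well.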
@@ -93,51 +109,25 @@ int32_t __stdcall __ntapi_tt_create_native_process_v2(
 	/* process_params */
 	if (!params->process_params) {
-		/* cmd_line */
-		if (!params->cmd_line) {
-			params->cmd_line = params->image_name;
-		}
-
-		__ntapi->rtl_init_unicode_string(
-			&nt_cmd_line,
-			params->cmd_line);
-
-		/* rtdata (alternative to cmd_line) */
-		if (params->rtblock) {
-			cmd_line_runtime_buffer = (wchar16_t *)0;
-			cmd_line_runtime_buffer_size = nt_cmd_line.maxlen
-				+ sizeof(runtime_arg);
-
-			if ((status = __ntapi->zw_allocate_virtual_memory(
-					NT_CURRENT_PROCESS_HANDLE,
-					(void **)&cmd_line_runtime_buffer,
-					0,&cmd_line_runtime_buffer_size,
-					NT_MEM_RESERVE | NT_MEM_COMMIT,
-					NT_PAGE_READWRITE)))
-				return status;
-
-			__ntapi->tt_memcpy_utf16(
-				(wchar16_t *)cmd_line_runtime_buffer,
-				(wchar16_t *)nt_cmd_line.buffer,
-				nt_cmd_line.strlen);
-
-			__ntapi->tt_memcpy_utf16(
-				(wchar16_t *)pe_va_from_rva(
-					cmd_line_runtime_buffer,
-					nt_cmd_line.strlen),
-				(wchar16_t *)runtime_arg,
-				sizeof(runtime_arg));
-
-			nt_cmd_line.strlen += sizeof(runtime_arg);
-			nt_cmd_line.maxlen += sizeof(runtime_arg);
-			nt_cmd_line.buffer = cmd_line_runtime_buffer;
-		}
-
-		/* environment */
 		if (!params->environment)
 			params->environment = __ntapi->tt_get_peb_env_block_utf16();
+		/* cmd_line */
+		if (params->rtblock) {
+			nt_cmd_line.strlen = sizeof(fcmdline) - sizeof(fcmdline.null);
+			nt_cmd_line.maxlen = sizeof(fcmdline);
+			nt_cmd_line.buffer = &fcmdline.guid.lbrace;
+			params->cmd_line = &fcmdline.guid.lbrace;
+		} else {
+			if (!params->cmd_line)
+				params->cmd_line = params->image_name;
+
+			__ntapi->rtl_init_unicode_string(
+				&nt_cmd_line,
+				params->cmd_line);
+		}
+
 		if ((status = __ntapi->rtl_create_process_parameters(
 			&params->process_params,
 			&nt_image,
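Review bot: In the `params->rtblock` branch a caller-supplied `params->cmd_line` is silently overwritten with the integral marker, whereas the removed code appended the runtime argument to whatever the caller passed; nothing here rejects or records the combination, so a caller that sets both gets a child whose command line no longer contains what it asked for. If that is the intended contract, say so where the branch starts: `/* cmd_line: with rtblock the integral marker replaces any caller-provided cmd_line */`; if not, `rtblock && cmd_line` belongs in the validation block above as an invalid combination. The same branch is introduced in the v1 file. The hunk ends inside `if (!params->process_params)`, and `__ntapi_tt_create_native_process_v2` continues past it.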