-
-
Save antonioCoco/706760df95749974b89546fb8d9fa445 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| BOOL SlpSetStdHandles( | |
| HANDLE hNewProcess, | |
| HANDLE hCaller, | |
| HANDLE hStdInput, | |
| HANDLE hStdOutput, | |
| HANDLE hStdError) | |
| { | |
| NTSTATUS ntstatus; | |
| int counterDuplicatedHandles; | |
| HANDLE *PebPtrStdHandleTargetProcessX64; | |
| HANDLE *hStdHandleSourceProcess; | |
| HANDLE StdHandleTargetProcessWow64; | |
| PRTL_USER_PROCESS_PARAMETERS32 ProcessParametersWow64; | |
| PPEB32 ppeb32; | |
| HANDLE hDupStdHandle; | |
| PRTL_USER_PROCESS_PARAMETERS ProcessParametersX64; | |
| PPEB ppeb64; | |
| void *hStdInputStack; | |
| PVOID PebPtrStdInputX64; | |
| ULONG *PebPtrStdInputWow64; | |
| HANDLE hStdOutputStack; | |
| PVOID PebPtrStdOutputX64; | |
| ULONG *PebPtrStdOutputWow64; | |
| HANDLE hStdErrorStack; | |
| PVOID PebPtrStdErrorX64; | |
| ULONG *PebPtrStdErrorWow64; | |
| ppeb32 = 0i64; | |
| ntstatus = NtQueryInformationProcess(hNewProcess, ProcessBasicInformation, &ppeb64, 48u, 0i64); | |
| if ( ntstatus < 0 ) | |
| { | |
| RtlNtStatusToDosError(ntstatus); | |
| return 0; | |
| } | |
| if ( ppeb64 | |
| && SlpGetPeb32Address(hNewProcess, &ppeb32) | |
| && ReadProcessMemory(hNewProcess, &ppeb64->ProcessParameters, &ProcessParametersX64, 8ui64, 0i64) ) | |
| { | |
| if ( !ppeb32 ) | |
| { | |
| ProcessParametersWow64 = 0i64; | |
| goto LABEL_10; | |
| } | |
| if ( ReadProcessMemory(hNewProcess, &ppeb32->ProcessParameters, &ProcessParametersWow64, 4ui64, 0i64) ) | |
| { | |
| ProcessParametersWow64 = ProcessParametersWow64; | |
| LABEL_10: | |
| if ( hStdInput >= 0 && hStdOutput >= 0 && hStdError >= 0 ) | |
| { | |
| hStdInputStack = hStdInput; | |
| hStdOutputStack = hStdOutput; | |
| hStdErrorStack = hStdError; | |
| PebPtrStdInputX64 = &ProcessParametersX64->StandardInput; | |
| PebPtrStdOutputX64 = &ProcessParametersX64->StandardOutput; | |
| PebPtrStdErrorX64 = &ProcessParametersX64->StandardError; | |
| if ( ProcessParametersWow64 ) | |
| { | |
| PebPtrStdInputWow64 = &ProcessParametersWow64->StandardInput; | |
| PebPtrStdOutputWow64 = &ProcessParametersWow64->StandardOutput; | |
| PebPtrStdErrorWow64 = &ProcessParametersWow64->StandardError; | |
| } | |
| counterDuplicatedHandles = 0; | |
| for ( PebPtrStdHandleTargetProcessX64 = &PebPtrStdInputX64; ; PebPtrStdHandleTargetProcessX64 += 3 ) | |
| { | |
| hStdHandleSourceProcess = *(PebPtrStdHandleTargetProcessX64 - 1);// based on for iteration = hStdInputStack, hStdOutputStack, hStdErrorStack | |
| if ( hStdHandleSourceProcess ) | |
| { | |
| if ( (*(PebPtrStdHandleTargetProcessX64 - 1) & 0x10000003) != 3 )// *(PebPtrStdHandleTargetProcessX64 - 1) = hStdHandleSourceProcess | |
| { | |
| if ( !DuplicateHandle( | |
| hCaller, | |
| hStdHandleSourceProcess, | |
| hNewProcess, | |
| &hDupStdHandle, | |
| 0, | |
| TRUE, | |
| DUPLICATE_SAME_ACCESS) ) | |
| break; | |
| if ( !WriteProcessMemory(hNewProcess, *PebPtrStdHandleTargetProcessX64, &hDupStdHandle, 8ui64, 0i64) ) | |
| break; | |
| if ( ProcessParametersWow64 ) | |
| { | |
| StdHandleTargetProcessWow64 = PebPtrStdHandleTargetProcessX64[1]; | |
| LODWORD(ProcessParametersWow64) = hDupStdHandle; | |
| if ( !WriteProcessMemory(hNewProcess, StdHandleTargetProcessWow64, &ProcessParametersWow64, 4ui64, 0i64) ) | |
| break; | |
| } | |
| } | |
| } | |
| if ( ++counterDuplicatedHandles >= 3 ) | |
| return 1; | |
| } | |
| } | |
| } | |
| } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment