/*
 * Decompiler pseudocode (IDA-style) of the CRT's popen(): creates a pipe,
 * spawns a command shell running `Command` with one pipe end attached to
 * the child's stdin ("w") or stdout ("r"), and returns a FILE* wrapping the
 * parent's end.
 *
 * Command: command line handed to the shell as "<shell> /c <Command>", with
 *          no quoting or escaping applied.
 * Mode:    "r" or "w", optionally followed by 't' or 'b'; leading spaces
 *          (and spaces between the two characters) are skipped.
 * Returns: the parent's FILE* on success, NULL on failure. NULL/invalid
 *          arguments set errno to 0x16 (EINVAL) and call the CRT's
 *          invalid-parameter handler.
 *
 * Reviewer notes on the security-relevant behaviour visible below:
 *  - Command is appended verbatim after " /c ". Any attacker-influenced
 *    content in Command is interpreted by the shell (command injection);
 *    callers must not pass untrusted strings.
 *  - The shell binary comes from the COMSPEC environment variable, falling
 *    back to the relative name "cmd.exe" resolved by walking PATH. Both are
 *    caller-environment controlled, so an untrusted environment decides
 *    which executable is spawned.
 *  - CreateProcessA is called with bInheritHandles = 1, so every inheritable
 *    handle in the parent (not only the duplicated pipe end) is passed to
 *    the child.
 *  - Only the first two mode characters are validated; anything after an
 *    accepted 't'/'b' is never examined.
 */
FILE *__cdecl popen(const char *Command, const char *Mode)
{
FILE *v3; // r12
char v5; // al
char v6; // al
int v7; // r8d
unsigned int v8; // ebx
int *p_FileHandle; // rdi
HANDLE CurrentProcess; // rax
__int64 v11; // r15
errno_t v12; // edi
char *v13; // r15
HANDLE v14; // rax
HANDLE v15; // rdx
unsigned __int64 v16; // rax
unsigned __int64 v17; // rcx
rsize_t v18; // rbx
char *v19; // rax
char *v20; // rdi
int v21; // r13d
int v22; // esi
unsigned __int8 *v23; // rbx
unsigned __int8 *v24; // rcx
errno_t v25; // r14d
char *v26; // rcx
unsigned __int64 v27; // rax
unsigned __int8 *v28; // r14
bool v29; // zf
unsigned __int64 v30; // rax
unsigned __int64 v31; // rcx
FILE **v32; // rcx
// v33/v34 are adjacent "still open" flags for PtHandles/FileHandle respectively
// (indexed as *(&v33 + idx) below).
int v33; // [rsp+50h] [rbp-118h] BYREF
int v34; // [rsp+54h] [rbp-114h] BYREF
char *Buffer; // [rsp+58h] [rbp-110h] BYREF
char *v36; // [rsp+60h] [rbp-108h] BYREF
HANDLE TargetHandle; // [rsp+68h] [rbp-100h] BYREF
__int64 v38; // [rsp+70h] [rbp-F8h]
FILE **v39; // [rsp+78h] [rbp-F0h]
int *v40; // [rsp+80h] [rbp-E8h]
int *v41; // [rsp+88h] [rbp-E0h]
int *p_PtHandles; // [rsp+90h] [rbp-D8h]
char *v43; // [rsp+98h] [rbp-D0h]
FILE *v44; // [rsp+A0h] [rbp-C8h]
struct _PROCESS_INFORMATION ProcessInformation; // [rsp+A8h] [rbp-C0h] BYREF
struct _STARTUPINFOA StartupInfo; // [rsp+C0h] [rbp-A8h] BYREF
// Modea/v48/v49 are three adjacent bytes forming the NUL-terminated mode
// string ("r"/"w" [+ "t"/"b"]) that is later passed to fdopen().
char Modea; // [rsp+170h] [rbp+8h] BYREF
char v48; // [rsp+171h] [rbp+9h]
char v49; // [rsp+172h] [rbp+Ah]
int v50; // [rsp+180h] [rbp+18h]
// PtHandles/FileHandle are adjacent and used as the int[2] passed to pipe():
// index 0 is the read end, index 1 the write end.
int PtHandles; // [rsp+188h] [rbp+20h] BYREF
int FileHandle; // [rsp+18Ch] [rbp+24h] BYREF
TargetHandle = 0i64;
v3 = 0i64;
Buffer = 0i64;
v49 = 0;
v50 = 0; // later reused as the "spawn failed" value when the PATH search is exhausted
if ( !Command || !Mode )
goto LABEL_2;
// Skip leading spaces (0x20) in Mode.
while ( 1 )
{
v5 = *Mode;
if ( *Mode != 0x20 )
break;
++Mode;
}
// First significant character must be 'w' (0x77) or 'r' (0x72).
if ( v5 != 0x77 && v5 != 0x72 )
goto LABEL_2;
Modea = *Mode;
// Advance to the next non-space character.
do
v6 = *++Mode;
while ( *Mode == 0x20 );
// Second character must be NUL, 't' (0x74) or 'b' (0x62); nothing beyond it is checked.
if ( v6 && v6 != 0x74 && v6 != 0x62 )
{
LABEL_2:
*errno() = 0x16; // EINVAL
invalid_parameter(0i64, 0i64, 0i64, 0, 0i64);
}
v48 = *Mode;
// Translate the text/binary selector into open flags; 0x4000/0x8000 appear to be
// the CRT's _O_TEXT/_O_BINARY, and the 0x80 OR'd in below looks like _O_NOINHERIT
// (the pipe ends start out non-inheritable) -- confirm against the CRT headers.
if ( v6 == 0x74 )
{
v7 = 0x4000;
}
else
{
v7 = 0;
if ( v6 == 0x62 )
v7 = 0x8000;
}
// Create the pipe with a 0x400-byte buffer; on failure return NULL (v3 is still 0).
if ( pipe(&PtHandles, 0x400u, v7 | 0x80) == 0xFFFFFFFF )
return v3;
// v8 = index of the pipe end handed to the child; the parent keeps the other one.
// "w": child gets the read end (0), parent writes via FileHandle.
// "r": child gets the write end (1), parent reads via PtHandles.
// p_FileHandle/p_PtHandles both point at the parent's fd, v40/v41 at its open flag.
if ( Modea == 0x77 )
{
v8 = 0;
p_FileHandle = &FileHandle;
v40 = &v34;
p_PtHandles = &FileHandle;
v41 = &v34;
}
else
{
v8 = 1;
p_FileHandle = &PtHandles;
v40 = &v33;
p_PtHandles = &PtHandles;
v41 = &v33;
}
// Take CRT lock #9 for the rest of the function; if it cannot be initialised,
// release both pipe ends and fail.
if ( !(unsigned int)mtinitlocknum(9i64) )
{
close(PtHandles);
close(FileHandle);
return 0i64;
}
lock(9i64);
v34 = 1; // both pipe ends currently open
v33 = 1;
CurrentProcess = GetCurrentProcess();
v11 = v8;
v38 = v8;
// Duplicate the child's end as an inheritable handle (bInheritHandle = 1,
// dwOptions = 2 = DUPLICATE_SAME_ACCESS). The source handle is looked up in the
// CRT's fd table: _pioinfo[fd >> 5] is a chunk of 32 entries of 0x38 bytes each,
// and the OS handle appears to be the first field of an entry.
if ( !DuplicateHandle(
CurrentProcess,
*(HANDLE *)(_pioinfo[(__int64)*(&PtHandles + v8) >> 5] + 0x38i64 * (*(&PtHandles + v8) & 0x1F)),
CurrentProcess,
&TargetHandle,
0,
1,
2u) )
goto LABEL_83;
// The original (non-inheritable) child end is no longer needed in the parent.
close(*(&PtHandles + v8));
*(&v33 + v8) = 0;
// Wrap the parent's end in a FILE* using the validated mode string.
v3 = fdopen(*p_FileHandle, &Modea);
v44 = v3;
if ( !v3 )
goto LABEL_83;
// idtab(0) presumably reserves a slot in the popen stream table used by pclose -- verify.
v39 = (FILE **)idtab(0i64);
if ( !v39 )
{
LABEL_82:
// Failure after fdopen succeeded: fclose() releases the parent's fd, so clear its flag.
fclose(v3);
*v40 = 0;
v3 = 0i64;
v44 = 0i64;
LABEL_83:
// Close whichever pipe ends are still flagged open.
if ( *(&v33 + v11) )
close(*(&PtHandles + v11));
if ( *v41 )
close(*p_PtHandles);
goto LABEL_87;
}
// Shell selection: COMSPEC from the environment, else the relative name "cmd.exe"
// (resolved via PATH below). dupenv_s returning EINVAL is treated as fatal.
v12 = dupenv_s(&Buffer, 0i64, "COMSPEC"); // retrieve cmd.exe path
if ( v12 == 0x16 )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
if ( v12 || (v13 = Buffer) == 0i64 )
v13 = "cmd.exe";
memset(&StartupInfo, 0, sizeof(StartupInfo));
StartupInfo.cb = 0x68;
StartupInfo.dwFlags = 0x100; // appears to be STARTF_USESTDHANDLES
// Wire the child's standard handles: "r" (v8 == 1) -> child's stdout is the pipe,
// stdin is the parent's fd 0; "w" -> child's stdin is the pipe, stdout is the
// parent's fd 1. stderr is always the parent's fd 2 (entries 0x38 bytes apart).
v14 = TargetHandle;
v15 = TargetHandle;
if ( v8 )
v15 = *(HANDLE *)_pioinfo[0];
StartupInfo.hStdInput = v15;
if ( v8 != 1 )
v14 = *(HANDLE *)(_pioinfo[0] + 0x38);
StartupInfo.hStdOutput = v14;
StartupInfo.hStdError = *(HANDLE *)(_pioinfo[0] + 0x70);
// Inline strlen() of the shell path (v17) and of Command (v16).
v16 = 0xFFFFFFFFFFFFFFFFui64;
v17 = 0xFFFFFFFFFFFFFFFFui64;
do
++v17;
while ( v13[v17] );
do
++v16;
while ( Command[v16] );
// Total = shell + " /c " (4) + Command + NUL (1).
v18 = v17 + v16 + 5;
v19 = (char *)calloc_crt(v18, 1i64);
v20 = v19;
if ( !v19 )
{
LABEL_81:
v11 = v38;
goto LABEL_82;
}
// Build "<shell> /c <Command>". Sizes were computed above, so the bounded _s calls
// can only fail on an internal inconsistency, which is treated as fatal.
// NOTE: Command is not quoted or escaped in any way.
if ( strcpy_s(v19, v18, v13) )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
if ( strcat_s(v20, v18, " /c ") )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
if ( strcat_s(v20, v18, Command) )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
memset(&ProcessInformation, 0, sizeof(ProcessInformation));
v21 = *errno(); // preserved across the spawn and restored below
// If the shell path exists as given, spawn it directly. bInheritHandles = 1:
// all inheritable parent handles are passed to the child, not just TargetHandle.
if ( !access_s(v13, 0) )
{
v22 = CreateProcessA(v13, v20, 0i64, 0i64, 1, 0, 0i64, 0i64, &StartupInfo, &ProcessInformation);
goto LABEL_76;
}
// Otherwise search each PATH directory for the shell name, using a MAX_PATH (0x104) buffer.
v36 = 0i64;
v23 = (unsigned __int8 *)calloc_crt(0x104i64, 1i64);
if ( !v23 )
{
v24 = 0i64;
LABEL_49:
// Allocation/PATH lookup failure: release temporaries, restore errno, unwind.
free(v24);
free(v20);
free(Buffer);
*errno() = v21;
goto LABEL_81;
}
v25 = dupenv_s(&v36, 0i64, "PATH");
if ( v25 == 0x16 )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
v26 = v36;
if ( v25 )
{
free(v36);
v24 = v23;
goto LABEL_49;
}
while ( 1 )
{
// getpath() copies the next PATH entry into v23 and returns the cursor for the
// following one; a NULL cursor or an empty entry ends the search.
v43 = (char *)getpath(v26, v23, 0x103i64);
if ( !v43 || !*v23 )
break;
v27 = 0xFFFFFFFFFFFFFFFFui64;
do
++v27;
while ( v23[v27] );
// Points at the last byte of the entry. The decompiler shows "+ 0xFFFFFFFF";
// read as (length - 1) -- confirm the actual arithmetic width in the disassembly.
v28 = &v23[v27 + 0xFFFFFFFF];
// Append a separator unless the entry already ends in '/' (0x2F) or in a '\\'
// (0x5C) that is a real trailing backslash, i.e. the one mbsrchr() finds rather
// than the trail byte of a multibyte character.
if ( *v28 == 0x5C )
v29 = v28 == mbsrchr(v23, 0x5Cu);
else
v29 = *v28 == 0x2F;
if ( !v29 && strcat_s((char *)v23, 0x104ui64, "\\") )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
v30 = 0xFFFFFFFFFFFFFFFFui64;
do
++v30;
while ( v13[v30] );
v31 = 0xFFFFFFFFFFFFFFFFui64;
do
++v31;
while ( v23[v31] );
// dir + name would not fit in MAX_PATH: note this aborts the whole search
// (v22 ends up 0) rather than skipping to the next PATH entry.
if ( v31 + v30 >= 0x104 )
break;
if ( strcat_s((char *)v23, 0x104ui64, v13) )
invoke_watson(0i64, 0i64, 0i64, 0, 0i64);
// First existing candidate wins; again spawned with bInheritHandles = 1.
if ( !access_s((const char *)v23, 0) )
{
v22 = CreateProcessA((LPCSTR)v23, v20, 0i64, 0i64, 1, 0, 0i64, 0i64, &StartupInfo, &ProcessInformation);
goto LABEL_75;
}
v26 = v43;
}
v22 = v50; // no candidate found: v50 is 0, so this reports spawn failure
LABEL_75:
free(v36);
free(v23);
LABEL_76:
free(v20);
free(Buffer);
// The parent's copy of the inheritable pipe end is not needed after the spawn attempt.
CloseHandle(TargetHandle);
if ( v22 )
CloseHandle(ProcessInformation.hThread); // only the process handle is kept
*errno() = v21;
v32 = v39;
if ( !v22 )
{
// Spawn failed: release the table slot and unwind through LABEL_81/82/83.
*v39 = 0i64;
goto LABEL_81;
}
// Success: record the child's process handle (presumably waited on by pclose)
// next to the parent's FILE* in the table slot.
v39[1] = (FILE *)ProcessInformation.hProcess;
*v32 = v3;
LABEL_87:
unlock(9i64);
return v3;
}