My first Frida script to fix up Skype's ShellExecuteExW usage
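// Frida hook for shell32!ShellExecuteExW. Calls of the "OpenAs_RunDLL" shape
// (lpVerb = NULL, lpFile = RUNDLL32.EXE,
//  lpParameters = "Shell32.dll,OpenAs_RunDLL <path>") are rewritten into a
// plain "open" of <path>. Every other ShellExecuteExW call passes through
// untouched.

// The verb string must outlive onEnter: the caller's SHELLEXECUTEINFO keeps
// pointing at it after we return, so it is allocated once, globally.
var g_openVerbString = Memory.allocUtf16String("open");

// SHELLEXECUTEINFOW layout: cbSize (DWORD), fMask (ULONG), hwnd (HWND), then
// the pointer fields lpVerb, lpFile, lpParameters, lpDirectory, ...
// hwnd is pointer-sized and pointer-aligned, so lpVerb sits at
// 8 + pointerSize: 12/16/20 for lpVerb/lpFile/lpParameters on 32-bit
// (the values this script originally hard-coded), 16/24/32 on 64-bit.
var PTR_SIZE = Process.pointerSize;
var OFFSET_LPVERB = 8 + PTR_SIZE;
var OFFSET_LPFILE = 8 + 2 * PTR_SIZE;
var OFFSET_LPPARAMETERS = 8 + 3 * PTR_SIZE;

// Marker identifying the call shape we rewrite; the image path follows the
// marker and a single space inside lpParameters.
var OPENAS_MARKER = "OpenAs_RunDLL";

var fn = Module.findExportByName("shell32.dll", "ShellExecuteExW");
if (fn === null) {
  // Interceptor.attach(null, ...) would fail with a far less helpful error.
  throw new Error("shell32.dll!ShellExecuteExW not found; is shell32.dll loaded?");
}

Interceptor.attach(fn, {
  onEnter: function (args) {
    // args[0] is the caller's SHELLEXECUTEINFOW*.
    var info = args[0];
    var verbPtr = info.add(OFFSET_LPVERB);
    var filePtr = info.add(OFFSET_LPFILE);
    var paramsPtr = info.add(OFFSET_LPPARAMETERS);

    // Only fix up the funky OpenAs calls; leave everything else alone.
    var params = Memory.readPointer(paramsPtr);
    if (params.isNull()) {
      return;
    }
    var paramsStr = Memory.readUtf16String(params);
    var markerIdx = paramsStr.indexOf(OPENAS_MARKER);
    if (markerIdx === -1) {
      return;
    }

    // Character index of the image path: just past "OpenAs_RunDLL ".
    // If nothing follows the marker there is no path to open, so bail out
    // rather than pointing lpFile at (or past) the terminator.
    var pathIdx = markerIdx + OPENAS_MARKER.length + 1;
    if (pathIdx >= paramsStr.length) {
      return;
    }
    // Byte offset inside the UTF-16 buffer (2 bytes per code unit). For
    // "Shell32.dll,OpenAs_RunDLL <path>" this is the original 52.
    var pathOffset = pathIdx * 2;

    // lpVerb = "open"
    Memory.writePointer(verbPtr, g_openVerbString);
    // lpFile = the image path, reusing the caller-owned lpParameters buffer
    // (it stays alive for the duration of the call, so no copy is needed).
    Memory.writePointer(filePtr, params.add(pathOffset));
    // lpParameters = NULL. A pointer-sized write rather than writeUInt, so the
    // upper half of the field is also cleared on 64-bit.
    Memory.writePointer(paramsPtr, NULL);
  }
});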