CreateProcessA 函数工作流程分析:
用IDA打开CreateProcessA跟进,调用流程:
call kernel32!CreateProcessA
call kernel32!CreateProcessInternalA
call kernel32!CreateProcessInternalW
kernel32!CreateProcessInternal函数 流程图太复杂,代码估计2000行以上, 看起来很晕+_+~+_+~
用IDA插件 把汇编转换成C源码看看, 源码最具有说服力。
大致看一下 CreateProcessInternal调用了
RtlImageNtHeader
NtQueryInformationToken
RtlAllocateHeap
BasepProcessInvalidImage
GetFileAttributesW
SearchPathW 这些函数
最后调用NtCreateUserProcess
该函数做的事情是申请内存、读取磁盘上的 PE 文件、做一系列的检测工作,一切 OK 后,
调用NtCreateUserProcess去创建进程
0:000> u NtCreateUserProcess l10
ntdll!NtCreateUserProcess:
77285860 b85d000000 mov eax,5Dh
77285865 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7728586a ff12 call dword ptr [edx]
7728586c c22c00 ret 2Ch
7728586f 90 nop
_KUSER_SHARED_DATA 区域是些什么内容(User 层和 Kernel 层是一样的),在 windbg 用 dt 命令来查看:
kd> dt _KUSER_SHARED_DATA 0x7ffe0000
ntdll!_KUSER_SHARED_DATA
+0x000 TickCountLowDeprecated : 0
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime : _KSYSTEM_TIME
+0x014 SystemTime : _KSYSTEM_TIME
+0x020 TimeZoneBias : _KSYSTEM_TIME
+0x02c ImageNumberLow : 0x14c
+0x02e ImageNumberHigh : 0x14c
+0x030 NtSystemRoot : [260] 0x43
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent : 0
+0x240 TimeZoneId : 0
+0x244 LargePageMinimum : 0x200000
+0x248 Reserved2 : [7] 0
+0x264 NtProductType : 3 ( NtProductServer )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion : 5
+0x270 NtMinorVersion : 2
+0x274 ProcessorFeatures : [64] ""
+0x2b4 Reserved1 : 0x7ffeffff
+0x2b8 Reserved3 : 0x80000000
+0x2bc TimeSlip : 0
+0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
+0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
+0x2d0 SuiteMask : 0x112
+0x2d4 KdDebuggerEnabled : 0x3 ''
+0x2d5 NXSupportPolicy : 0x2 ''
+0x2d8 ActiveConsoleId : 0
+0x2dc DismountCount : 0
+0x2e0 ComPlusPackage : 0xffffffff
+0x2e4 LastSystemRITEventTickCount : 0x239f29d
+0x2e8 NumberOfPhysicalPages : 0x17f1b
+0x2ec SafeBootMode : 0 ''
+0x2f0 TraceLogging : 0
+0x2f8 TestRetInstruction : 0xc3
+0x300 SystemCall : 0x7c958458 <--------- System Call stub 函数
+0x304 SystemCallReturn : 0x7c95845c <--------- System Call return 函数
+0x308 SystemCallPad : [3] 0
+0x320 TickCount : _KSYSTEM_TIME
+0x320 TickCountQuad : 0x2481d8
+0x330 Cookie : 0xa4a0f27b
+0x334 Wow64SharedInformation : [16] 0
其中 +0x300 位置上就是 KiFastSystemCall() stub 函数地址,而 +0x304 位置上就是返回函数地址:
ntdll!KiFastSystemCall:
7c958458 8bd4 mov edx,esp ; 传送 caller 的 stack frame pointer
7c95845a 0f34 sysenter ; 快速切入到 kernel
7c95845c c3 ret ; 注意:实际上这是一个独立的 ntdll!KiFastSystemCallRet() 例程
地址 0x7c958458 是 ntdll!KiFastSystemCall() 函数地址,地址 0x7c95845c 是 ntdll!KiFastSystemCallRet() 函数地址。
切入 KiFastCallEntry():用户层的 stub 函数会使用 sysenter 指令切入到内核层的 KiFastCallEntry() 函数,再由 KiFastCallEntry() 函数分发到相应的系统服务例程执行。
到这里 Ring3 的流程就完了,归纳一下 CreateProcessA 的流程:
call kernel32!CreateProcessA
call kernel32!CreateProcessInternalA
call kernel32!CreateProcessInternalW
call 初始工作
call ntdll!NtCreateUserProcess
call SharedUserData!SystemCallStub
call ntdll!KiFastSystemCall
call ntdll!KiFastCallEntry
// IDA pseudocode of kernel32!CreateProcessInternalW as pasted into the write-up.
// It is not compilable as-is (decompiler intrinsics, _DWORD/_WORD/_BYTE, JUMPOUT,
// a quote escape lost in L""" below); it is kept verbatim for reading only.
//
// Parameter roles, as far as this listing shows them:
//   a1  -> TokenHandle (NtQueryInformationToken, BasepCheckWinSaferRestrictions)
//   a2  -> application name (RtlDosPathNameToNtPathName_U on *(&Str[2]))
//   a3  -> command line (pszSrc, passed to BasepCreateProcessParameters)
//   a4/a5 -> process / thread security attributes (BaseFormatObjectAttributes)
//   a6  -> inherit-handles flag (sets bit 4 of the NtCreateUserProcess process flags)
//   a7  -> creation flags (the CREATE_* / priority-class bits tested below)
//   a8  -> environment block (RtlCreateEnvironmentEx unless 0x400 is set)
//   a9  -> current directory (GetFullPathNameW / GetFileAttributesW)
//   a10 -> startup info (0x44 bytes copied, cb == 72 expected with 0x80000)
//   a11 -> output block of four DWORDs, i.e. PROCESS_INFORMATION
//   a12 -> unused in this listing (presumably the new-token out pointer)
// Outcome: no return value; failures set the last error via BaseSetLastNTError /
// RtlSetLastWin32Error and fall into the common cleanup at LABEL_211/LABEL_121.
void __stdcall CreateProcessInternalW(void *a1, _DWORD a2, const wchar_t *a3, int a4, int a5, int a6, int a7, int a8, const WCHAR *a9, int a10, int a11, _DWORD a12)
{
    signed int v12; // eax@130
    unsigned int v13; // eax@133
    const wchar_t *v14; // edi@133
    STRSAFE_LPCWSTR v15; // eax@147
    const wchar_t v16; // cx@148
    PVOID v17; // eax@149
    wchar_t *v18; // esi@149
    STRSAFE_LPCWSTR v19; // edi@150
    int v20; // eax@164
    int v21; // edx@164
    unsigned int i; // ecx@164
    HMODULE v23; // eax@175
    PIMAGE_NT_HEADERS v24; // eax@175
    _WORD v25; // cx@4
    HANDLE v26; // ecx@20
    int v27; // edi@23
    NTSTATUS v28; // eax@25
    HANDLE v29; // eax@29
    PVOID v30; // edi@37
    DWORD v31; // eax@38
    DWORD v32; // esi@38
    DWORD v33; // eax@40
    int v34; // eax@44
    ULONG v35; // eax@67
    int v36; // eax@69
    struct _RTL_USER_PROCESS_PARAMETERS *v37; // edi@69
    int v38; // esi@70
    void *v39; // edi@71
    NTSTATUS v40; // eax@76
    int v41; // eax@107
    NTSTATUS v42; // edi@107
    int v43; // eax@115
    NTSTATUS v44; // esi@115
    HANDLE v45; // eax@116
    int v46; // esi@118
    NTSTATUS v47; // eax@183
    int v48; // esi@213
    int v49; // eax@214
    int v50; // eax@248
    _BYTE v51; // al@261
    int v52; // edi@268
    int v53; // esi@271
    signed int v54; // eax@308
    NTSTATUS v55; // [sp-4h] [bp-62Ch]@209
    signed int v56; // [sp-4h] [bp-62Ch]@235
    NTSTATUS v57; // [sp-4h] [bp-62Ch]@158
    char v58; // [sp+10h] [bp-618h]@45
    char v59; // [sp+28h] [bp-600h]@44
    ULONG v60; // [sp+40h] [bp-5E8h]@27
    int v61; // [sp+48h] [bp-5E0h]@58
    int v62; // [sp+6Ch] [bp-5BCh]@34
    unsigned __int32 v63; // [sp+84h] [bp-5A4h]@205
    unsigned __int32 v64; // [sp+88h] [bp-5A0h]@153
    unsigned __int32 v65; // [sp+8Ch] [bp-59Ch]@327
    unsigned __int32 v66; // [sp+90h] [bp-598h]@185
    int v67; // [sp+94h] [bp-594h]@69
    int v68; // [sp+9Ch] [bp-58Ch]@213
    unsigned __int32 v69; // [sp+A0h] [bp-588h]@144
    unsigned __int32 v70; // [sp+A4h] [bp-584h]@269
    PIMAGE_NT_HEADERS v71; // [sp+A8h] [bp-580h]@175
    unsigned __int32 v72; // [sp+ACh] [bp-57Ch]@149
    int v73; // [sp+B0h] [bp-578h]@164
    unsigned __int32 v74; // [sp+B4h] [bp-574h]@185
    unsigned __int32 v75; // [sp+B8h] [bp-570h]@258
    unsigned __int32 v76; // [sp+BCh] [bp-56Ch]@141
    ULONG Arguments; // [sp+C0h] [bp-568h]@277
    unsigned __int32 v78; // [sp+C8h] [bp-560h]@37
    WCHAR *v79; // [sp+CCh] [bp-55Ch]@133
    unsigned __int32 v80; // [sp+D0h] [bp-558h]@276
    unsigned __int32 v81; // [sp+D4h] [bp-554h]@140
    char v82; // [sp+D8h] [bp-550h]@19
    int v83; // [sp+E8h] [bp-540h]@71
    unsigned __int16 v84; // [sp+ECh] [bp-53Ch]@73
    unsigned __int16 v85; // [sp+EEh] [bp-53Ah]@73
    unsigned int v86; // [sp+F6h] [bp-532h]@92
    unsigned __int16 v87; // [sp+F8h] [bp-530h]@87
    int v88; // [sp+108h] [bp-520h]@1
    HANDLE v89; // [sp+10Ch] [bp-51Ch]@1
    int v90; // [sp+110h] [bp-518h]@110
    PVOID v91; // [sp+114h] [bp-514h]@110
    unsigned __int16 v92; // [sp+118h] [bp-510h]@110
    unsigned __int16 v93; // [sp+11Ah] [bp-50Eh]@110
    unsigned int v94; // [sp+11Ch] [bp-50Ch]@110
    int v95; // [sp+120h] [bp-508h]@110
    int v96; // [sp+128h] [bp-500h]@259
    int v97; // [sp+12Ch] [bp-4FCh]@259
    int v98; // [sp+130h] [bp-4F8h]@127
    ULONG v99; // [sp+134h] [bp-4F4h]@37
    DWORD v100; // [sp+138h] [bp-4F0h]@40
    int v101; // [sp+13Ch] [bp-4ECh]@45
    ULONG ReturnLength; // [sp+140h] [bp-4E8h]@143
    int v103; // [sp+144h] [bp-4E4h]@118
    int v104; // [sp+148h] [bp-4E0h]@300
    DWORD v105; // [sp+14Ch] [bp-4DCh]@38
    unsigned int v106; // [sp+150h] [bp-4D8h]@271
    STRING AnsiString; // [sp+154h] [bp-4D4h]@4
    LPWSTR FilePart; // [sp+15Ch] [bp-4CCh]@4
    UNICODE_STRING SourceString; // [sp+160h] [bp-4C8h]@4
    BOOL Result; // [sp+168h] [bp-4C0h]@31
    ULONG Flags; // [sp+16Ch] [bp-4BCh]@156
    int TokenInformation; // [sp+170h] [bp-4B8h]@143
    unsigned int v113; // [sp+174h] [bp-4B4h]@165
    int v114; // [sp+178h] [bp-4B0h]@86
    int v115; // [sp+17Ch] [bp-4ACh]@46
    ULONG MessageBoxResult; // [sp+180h] [bp-4A8h]@277
    int v117; // [sp+184h] [bp-4A4h]@1
    int v118; // [sp+188h] [bp-4A0h]@44
    int v119; // [sp+18Ch] [bp-49Ch]@1
    ULONG v120; // [sp+190h] [bp-498h]@67
    int v121; // [sp+194h] [bp-494h]@53
    int v122; // [sp+198h] [bp-490h]@128
    void *v123; // [sp+19Ch] [bp-48Ch]@53
    int v124; // [sp+1A0h] [bp-488h]@58
    void *v125; // [sp+1A4h] [bp-484h]@71
    int v126; // [sp+1B8h] [bp-470h]@92
    int v127; // [sp+1BCh] [bp-46Ch]@83
    int v128; // [sp+1C0h] [bp-468h]@93
    int v129; // [sp+1C4h] [bp-464h]@93
    int v130; // [sp+1CCh] [bp-45Ch]@75
    int v131; // [sp+1D0h] [bp-458h]@75
    int v132; // [sp+1D4h] [bp-454h]@75
    int v133; // [sp+1DCh] [bp-44Ch]@164
    int v134; // [sp+1E0h] [bp-448h]@164
    int v135; // [sp+1E4h] [bp-444h]@1
    int v136; // [sp+1E8h] [bp-440h]@92
    int v137; // [sp+1ECh] [bp-43Ch]@4
    int v138; // [sp+1F0h] [bp-438h]@4
    int v139; // [sp+1F4h] [bp-434h]@4
    int v140; // [sp+1F8h] [bp-430h]@19
    int v141; // [sp+1FCh] [bp-42Ch]@93
    int v142; // [sp+200h] [bp-428h]@203
    NTSTATUS v143; // [sp+204h] [bp-424h]@203
    int v144; // [sp+208h] [bp-420h]@51
    PVOID BaseAddress; // [sp+20Ch] [bp-41Ch]@171
    int v146; // [sp+210h] [bp-418h]@4
    char v147[4]; // [sp+214h] [bp-414h]@4
    unsigned int v148; // [sp+218h] [bp-410h]@1
    HANDLE v149; // [sp+21Ch] [bp-40Ch]@268
    int v150; // [sp+220h] [bp-408h]@4
    int v151; // [sp+224h] [bp-404h]@1
    int v152; // [sp+228h] [bp-400h]@60
    int v153; // [sp+230h] [bp-3F8h]@83
    char v154[4]; // [sp+234h] [bp-3F4h]@4
    ULONG BufferLength; // [sp+238h] [bp-3F0h]@4
    int v156; // [sp+23Ch] [bp-3ECh]@4
    int v157; // [sp+240h] [bp-3E8h]@4
    LPCWSTR v158; // [sp+244h] [bp-3E4h]@1
    ULONG v159; // [sp+248h] [bp-3E0h]@51
    HANDLE v160; // [sp+24Ch] [bp-3DCh]@4
    PVOID v161; // [sp+250h] [bp-3D8h]@4
    int v162; // [sp+254h] [bp-3D4h]@1
    LSA_UNICODE_STRING v163; // [sp+258h] [bp-3D0h]@4
    int v164; // [sp+260h] [bp-3C8h]@66
    NTSTATUS v165; // [sp+264h] [bp-3C4h]@69
    PVOID Environment; // [sp+268h] [bp-3C0h]@1
    int v167; // [sp+26Ch] [bp-3BCh]@4
    int v168; // [sp+270h] [bp-3B8h]@1
    PVOID v169; // [sp+274h] [bp-3B4h]@4
    PVOID v170; // [sp+278h] [bp-3B0h]@4
    int v171; // [sp+27Ch] [bp-3ACh]@4
    int v172; // [sp+284h] [bp-3A4h]@4
    char v173[4]; // [sp+288h] [bp-3A0h]@4
    PVOID Buffer; // [sp+28Ch] [bp-39Ch]@4
    int v175; // [sp+290h] [bp-398h]@1
    int v176; // [sp+294h] [bp-394h]@4
    HANDLE v177; // [sp+298h] [bp-390h]@4
    PVOID v178; // [sp+29Ch] [bp-38Ch]@4
    PVOID v179; // [sp+2A0h] [bp-388h]@4
    NTSTATUS ExitStatus; // [sp+2A4h] [bp-384h]@4
    int v181; // [sp+2A8h] [bp-380h]@70
    PVOID v182; // [sp+2ACh] [bp-37Ch]@1
    int v183; // [sp+2B0h] [bp-378h]@4
    ULONG Size; // [sp+2B4h] [bp-374h]@149
    LSA_UNICODE_STRING UnicodeString; // [sp+2B8h] [bp-370h]@1
    LPCWSTR lpPath; // [sp+2C0h] [bp-368h]@1
    int v187; // [sp+2C4h] [bp-364h]@1
    int ProcessInformation; // [sp+2C8h] [bp-360h]@88
    HANDLE TokenHandle; // [sp+2CCh] [bp-35Ch]@1
    PVOID Address; // [sp+2D0h] [bp-358h]@4
    int v191; // [sp+2D4h] [bp-354h]@1
    HANDLE v192; // [sp+2D8h] [bp-350h]@4
    char v193; // [sp+2DDh] [bp-34Bh]@60
    char v194; // [sp+2DFh] [bp-349h]@224
    STRSAFE_LPCWSTR v195; // [sp+2E0h] [bp-348h]@1
    HANDLE ThreadHandle; // [sp+2E4h] [bp-344h]@4
    NTSTATUS v197; // [sp+2E8h] [bp-340h]@76
    int v198; // [sp+2ECh] [bp-33Ch]@4
    int v199; // [sp+2F0h] [bp-338h]@1
    HANDLE Handle; // [sp+2F4h] [bp-334h]@4
    char v201; // [sp+2FAh] [bp-32Eh]@4
    char v202; // [sp+2FBh] [bp-32Dh]@4
    STRSAFE_LPCWSTR pszSrc; // [sp+2FCh] [bp-32Ch]@1
    char Str[6]; // [sp+302h] [bp-326h]@1
    HANDLE ProcessHandle; // [sp+308h] [bp-320h]@4
    char v206; // [sp+30Eh] [bp-31Ah]@4
    char v207; // [sp+30Fh] [bp-319h]@14
    int v208; // [sp+310h] [bp-318h]@19
    int v209; // [sp+314h] [bp-314h]@1
    char Dst; // [sp+318h] [bp-310h]@4
    int v211; // [sp+418h] [bp-210h]@102
    NTSTATUS NtStatus; // [sp+438h] [bp-1F0h]@102
    void *v213; // [sp+440h] [bp-1E8h]@93
    HANDLE v214; // [sp+444h] [bp-1E4h]@93
    int v215; // [sp+448h] [bp-1E0h]@93
    int v216; // [sp+44Ch] [bp-1DCh]@93
    int v217; // [sp+450h] [bp-1D8h]@93
    int v218; // [sp+454h] [bp-1D4h]@98
    int v219; // [sp+458h] [bp-1D0h]@310
    signed int v220; // [sp+45Ch] [bp-1CCh]@310
    _DWORD v221; // [sp+460h] [bp-1C8h]@87
    int v222; // [sp+464h] [bp-1C4h]@92
    _DWORD v223; // [sp+4C8h] [bp-160h]@107
    _DWORD v224; // [sp+4D4h] [bp-154h]@110
    _DWORD v225; // [sp+4E0h] [bp-148h]@107
    int v226; // [sp+4E8h] [bp-140h]@93
    int v227; // [sp+4ECh] [bp-13Ch]@93
    int v228; // [sp+4F0h] [bp-138h]@93
    _WORD v229; // [sp+4F4h] [bp-134h]@93
    int v230; // [sp+4F8h] [bp-130h]@70
    int v231; // [sp+4FCh] [bp-12Ch]@19
    int v232; // [sp+500h] [bp-128h]@70
    PWSTR v233; // [sp+504h] [bp-124h]@70
    int v234; // [sp+508h] [bp-120h]@19
    int v235; // [sp+50Ch] [bp-11Ch]@19
    int v236; // [sp+510h] [bp-118h]@19
    int *v237; // [sp+514h] [bp-114h]@19
    int v238; // [sp+518h] [bp-110h]@19
    int v239; // [sp+51Ch] [bp-10Ch]@19
    int v240; // [sp+520h] [bp-108h]@19
    char *v241; // [sp+524h] [bp-104h]@19
    int v242; // [sp+528h] [bp-100h]@19
    int v243; // [sp+52Ch] [bp-FCh]@252
    int v244; // [sp+530h] [bp-F8h]@252
    int v245; // [sp+534h] [bp-F4h]@252
    int v246; // [sp+538h] [bp-F0h]@252
    CPPEH_RECORD ms_exc; // [sp+610h] [bp-18h]@23

    // Copy the arguments into locals (the decompiler keeps them on the frame
    // because their addresses are later passed to BasepProcessInvalidImage).
    TokenHandle = a1;
    *(_DWORD *)&Str[2] = a2;
    pszSrc = a3;
    v119 = a4;
    v117 = a5;
    v187 = a8;
    v158 = a9;
    v135 = a10;
    v175 = a11;
    v209 = 0;
    v195 = 0;
    v151 = 0;
    v168 = 0;
    v199 = 0;
    v191 = 0;
    Environment = 0;
    v182 = 0;
    v162 = 0;
    lpPath = 0;
    UnicodeString.Length = 0;
    *(_DWORD *)&UnicodeString.MaximumLength = 0;
    HIWORD(UnicodeString.Buffer) = 0;
    v88 = 0;
    memset(&v89, 0, 0x1Cu);
    v148 = 0;
    // Neither an application name nor a command line: -1073741776 is
    // 0xC0000030 (STATUS_INVALID_PARAMETER_MIX).
    if ( !a2 && !a3 )
    {
        v57 = -1073741776;
LABEL_333:
        BaseSetLastNTError(v57);
        return;
    }
    // Missing PROCESS_INFORMATION or STARTUPINFO out/in block: -1073741811 is
    // 0xC000000D (STATUS_INVALID_PARAMETER).
    if ( !v175 || !v135 )
    {
        v57 = -1073741811;
        goto LABEL_333;
    }
    v192 = 0;
    Handle = 0;
    v177 = 0;
    ProcessHandle = 0;
    ThreadHandle = 0;
    v183 = 0;
    Address = 0;
    v178 = 0;
    v172 = 0;
    v167 = 0;
    v161 = 0;
    FilePart = 0;
    v163.Buffer = 0;
    Str[0] = 0;
    v202 = 0;
    v206 = 0;
    v201 = 0;
    v160 = 0;
    v179 = 0;
    Buffer = 0;
    BufferLength = 0;
    v170 = 0;
    v156 = 0;
    v169 = 0;
    v150 = 0;
    *(_DWORD *)v173 = 0;
    *(_DWORD *)v154 = 0;
    v146 = 0;
    *(_DWORD *)v147 = 0;
    v171 = 0;
    ExitStatus = 0;
    v198 = 0;
    v157 = 0;
    v137 = 0;
    v138 = 0;
    v139 = 0;
    AnsiString.Buffer = 0;
    SourceString.Buffer = 0;
    memset(&Dst, 0, 0x100u);
    // fs:[0x18] is the TEB, TEB+0x30 the PEB; v176 is used as the PEB below.
    v176 = *(_DWORD *)(__readfsdword(24) + 48);
    v25 = a7;
    // DETACHED_PROCESS (0x8) and CREATE_NEW_CONSOLE (0x10) together, or
    // CREATE_SEPARATE_WOW_VDM (0x800) with CREATE_SHARED_WOW_VDM (0x1000),
    // are rejected with Win32 error 87 (ERROR_INVALID_PARAMETER).
    if ( (a7 & 0x18) == 24 )
        goto LABEL_242;
    if ( a7 & 0x800 )
    {
        if ( !(a7 & 0x1000) )
            goto LABEL_8;
LABEL_242:
        RtlSetLastWin32Error(87);
        return;
    }
    // Server-side default can force a separate WOW VDM (BaseStaticServerData+1872).
    if ( !(a7 & 0x1000) && *(_BYTE *)(BaseStaticServerData + 1872) )
    {
        v25 = a7 | 0x800;
        a7 |= 0x800u;
    }
LABEL_8:
    // Map the priority-class creation flag to the value handed to the kernel
    // (v207): 0x40 idle=1, 0x4000 below-normal=5, 0x20 normal=2,
    // 0x8000 above-normal=6, 0x80 high=3; 0x100 (realtime) only yields 4 when
    // BasepIsRealtimeAllowed agrees, otherwise it degrades to 3.
    if ( v25 & 0x40 )
    {
        v207 = 1;
    }
    else
    {
        if ( v25 & 0x4000 )
        {
            v207 = 5;
        }
        else
        {
            if ( v25 & 0x20 )
            {
                v207 = 2;
            }
            else
            {
                if ( v25 & 0x8000 )
                {
                    v207 = 6;
                }
                else
                {
                    if ( (char)v25 < 0 )
                    {
                        v207 = 3;
                    }
                    else
                    {
                        if ( v25 & 0x100 )
                            v207 = (BasepIsRealtimeAllowed(0, TokenHandle != 0) != 0) + 3;
                        else
                            v207 = 0;
                    }
                }
            }
        }
    }
    // Strip the priority-class bits now that they have been consumed.
    a7 &= 0xFFFF3E1Fu;
    // v198 collects the NtCreateUserProcess process flags:
    // 0x40000 (CREATE_PROTECTED_PROCESS) -> 64, 0x1000000 (CREATE_BREAKAWAY_FROM_JOB)
    // -> 1, 0x10000 (INHERIT_PARENT_AFFINITY) -> 0x100.
    if ( a7 & 0x40000 )
        v198 = 64;
    if ( a7 & 0x1000000 )
        v198 |= 1u;
    if ( a7 & 0x10000 )
        v198 |= 0x100u;
    // DEBUG_PROCESS / DEBUG_ONLY_THIS_PROCESS: attach the caller's debug object.
    if ( a7 & 3 )
    {
        v50 = DbgUiConnectToDbg();
        if ( v50 < 0 )
        {
            v57 = v50;
            goto LABEL_333;
        }
        v183 = DbgUiGetThreadDebugObject();
        if ( a7 & 2 )
            v198 |= 2u;
    }
    // v231.. is a table of 16-byte entries (attribute, size, value, return-length)
    // passed to NtCreateUserProcess as &v230 - it looks like a PS_ATTRIBUTE_LIST
    // (TODO confirm). Three fixed entries: image name (131077 = 0x20005) whose
    // value is filled in later from UnicodeString, client id (65539 = 0x10003)
    // written back into v140/v141, and image info (6) written into v82.
    v231 = 131077;
    v234 = 0;
    v235 = 65539;
    v236 = 8;
    v238 = 0;
    v237 = &v140;
    v239 = 6;
    v240 = 48;
    v242 = 0;
    v241 = &v82;
    v208 = 3; // entry count
    if ( v183 )
    {
        v243 = 393217;
        v244 = 4;
        v246 = 0;
        v245 = v183;
        v208 = 4;
    }
    v26 = TokenHandle;
    if ( TokenHandle )
    {
        *(&v231 + 4 * v208) = 393218;
        *(&v232 + 4 * v208) = 4;
        *(&v234 + 4 * v208) = 0;
        (&v233)[8 * v208++] = (PWSTR)v26;
    }
    if ( v207 )
    {
        *(&v231 + 4 * v208) = 131080;
        *(&v232 + 4 * v208) = 1;
        *(&v234 + 4 * v208) = 0;
        (&v233)[8 * v208++] = (PWSTR)&v207;
    }
    // CREATE_DEFAULT_ERROR_MODE (0x4000000)
    if ( a7 & 0x4000000 )
    {
        v98 = 1;
        *(&v231 + 4 * v208) = 131081;
        *(&v232 + 4 * v208) = 4;
        *(&v234 + 4 * v208) = 0;
        (&v233)[8 * v208++] = (PWSTR)&v98;
    }
    ms_exc.registration.TryLevel = 0;
    // Zero the caller's PROCESS_INFORMATION (four DWORDs).
    v27 = v175;
    *(_DWORD *)v175 = 0;
    v27 += 4;
    *(_DWORD *)v27 = 0;
    v27 += 4;
    *(_DWORD *)v27 = 0;
    *(_DWORD *)(v27 + 4) = 0;
    // An ANSI environment (no CREATE_UNICODE_ENVIRONMENT, 0x400) is converted
    // once; the converted copy is owned here and destroyed in the cleanup path.
    if ( v187 && !(a7 & 0x400) )
    {
        v28 = RtlCreateEnvironmentEx(v187, &Environment, 1);
        if ( v28 < 0 )
        {
            BaseSetLastNTError(v28);
            _local_unwind4(&__security_cookie, &ms_exc.registration, -2);
            return;
        }
        v187 = Environment;
        a7 |= 0x400u;
    }
    // 0x44 = 68 bytes, the size of STARTUPINFOW; v60 receives its cb field.
    memcpy(&v60, (const void *)v135, 0x44u);
    // EXTENDED_STARTUPINFO_PRESENT (0x80000): cb must be 72 (STARTUPINFOEXW),
    // and the attribute list at offset 68 is merged into the table via a
    // KernelBase callback (slot +40 of the global data).
    if ( a7 & 0x80000 )
    {
        if ( v60 != 72 )
        {
            v55 = -1073741811;
LABEL_210:
            BaseSetLastNTError(v55);
            goto LABEL_211;
        }
        v48 = *(_DWORD *)(v135 + 68);
        v68 = v48;
        if ( v48 )
        {
            v49 = KernelBaseGetGlobalData();
            v34 = (*(int (__stdcall **)(int, _DWORD, int *, HANDLE *, int *, int *, signed int))(v49 + 40))(
                      v48,
                      0,
                      &v157,
                      &v160,
                      &v230,
                      &v208,
                      15);
            if ( v34 < 0 )
                goto LABEL_234;
        }
    }
    // If the (parent) process is in a job, force a separate WOW VDM.
    if ( !(a7 & 0x800) )
    {
        v29 = v160;
        if ( !v160 )
            v29 = (HANDLE)-1;
        if ( IsProcessInJob(v29, 0, &Result) && Result )
            a7 = a7 & 0xFFFFEFFF | 0x800;
    }
    // v62 is STARTUPINFO.dwFlags (copied above); presumably drops
    // STARTF_USESTDHANDLES when hotkey/monitor flags are also present - confirm.
    if ( v62 & 0x100 && v62 & 0x600 )
        v62 &= 0xFFFFFEFFu;
    if ( !v158 )
        goto LABEL_44;
    // Current directory: expand to a full path into a 0x20A-byte heap buffer
    // (v161, freed in cleanup); it must fit in MAX_PATH and be an existing
    // directory (FILE_ATTRIBUTE_DIRECTORY == 0x10), else error 267 (ERROR_DIRECTORY).
    v99 = *(_DWORD *)(KernelBaseGetGlobalData() + 44);
    v78 = __readfsdword(24);
    v30 = RtlAllocateHeap(*(HANDLE *)(*(_DWORD *)(v78 + 48) + 24), v99, 0x20Au);
    v161 = v30;
    if ( !v30 )
    {
        v55 = -1073741801; // 0xC0000017, STATUS_NO_MEMORY
        goto LABEL_210;
    }
    v31 = GetFullPathNameW(v158, 0x103u, (LPWSTR)v30, &FilePart);
    v32 = v31;
    v105 = v31;
    if ( v31 >= 0x104 )
        goto LABEL_235;
    if ( !v31 )
    {
        // ---- Common failure/cleanup path (reached from many gotos) ----
        // v209 == 0 marks failure; LABEL_121 is also reached on some success
        // paths after BasepQueryAppCompat. Everything owned so far is released
        // and, if a child was already created, it is terminated.
LABEL_211:
        v209 = 0;
LABEL_121:
        ms_exc.registration.TryLevel = -2;
        if ( v178 )
        {
            v65 = __readfsdword(24);
            RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v65 + 48) + 24), 0, v178);
        }
        if ( v182 )
        {
            v63 = __readfsdword(24);
            RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v63 + 48) + 24), 0, v182);
        }
        RtlFreeUnicodeString(&UnicodeString);
        if ( !v191 )
            BasepReleaseSxsCreateProcessUtilityStruct(&Dst);
        if ( Environment )
        {
            RtlDestroyEnvironment(Environment);
            v197 = v47; // v47 is never assigned in this listing - decompiler artifact
        }
        if ( v179 )
        {
            v64 = __readfsdword(24);
            RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v64 + 48) + 24), 0, v179);
        }
        v74 = __readfsdword(24);
        RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v74 + 48) + 24), 0, Address);
        v66 = __readfsdword(24);
        RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v66 + 48) + 24), 0, v161);
        if ( Handle )
            v197 = NtClose(Handle);
        if ( v177 )
            v197 = NtClose(v177);
        // A thread handle means NtCreateUserProcess succeeded earlier: tear the
        // half-built child down rather than leak a suspended process.
        if ( ThreadHandle )
        {
            if ( v183 )
                NtRemoveProcessDebug(ProcessHandle, v183);
            NtTerminateProcess(ProcessHandle, ExitStatus);
            NtWaitForSingleObject(ProcessHandle, 0, 0);
            v197 = NtClose(ThreadHandle);
        }
        if ( ProcessHandle )
            v197 = NtClose(ProcessHandle);
        BasepFreeAppCompatData(Buffer, v170, v169);
        RtlFreeUnicodeString(&v163);
        if ( AnsiString.Buffer || SourceString.Buffer )
            BaseDestroyVDMEnvironment(&AnsiString, (int)&SourceString);
        if ( v199 )
        {
            if ( !(v199 & 8) )
            {
                BaseUpdateVDMEntry(0, &v168, v199, v191);
                if ( v192 )
                    v197 = NtClose(v192);
            }
        }
        if ( lpPath )
            BaseReleaseProcessExePath(lpPath, v162);
        if ( v172 )
        {
            CsrFreeCaptureBuffer(v172);
            v172 = 0;
        }
        return;
    }
    v33 = GetFileAttributesW((LPCWSTR)v30);
    v100 = v33;
    if ( v33 == -1 || !(v33 & 0x10) )
    {
LABEL_235:
        v56 = 267;
LABEL_257:
        RtlSetLastWin32Error(v56);
        goto LABEL_211;
    }
    // Ensure the directory string ends with a backslash (92 == L'\\').
    if ( *((_WORD *)v30 + v32 - 1) != 92 )
    {
        *((_WORD *)v30 + v32) = 92;
        v105 = v32 + 1;
        *((_WORD *)v30 + v32 + 1) = 0;
    }
LABEL_44:
    // Process and thread security descriptors / inherit flags.
    v34 = BaseFormatObjectAttributes(&v59, v119, 0, &v118);
    if ( v34 < 0 || (v34 = BaseFormatObjectAttributes(&v58, v117, 0, &v101), v34 < 0) )
        goto LABEL_234;
    v115 = v208;
    // ---- Creation loop ----
    // NtCreateUserProcess is retried from the top of the inner loop whenever a
    // failure is handled by rewriting the command line (.bat/.cmd -> "cmd /c",
    // a per-image Debugger option, POSIX, VDM). v115 remembers the attribute
    // count so the per-iteration entries are re-added from a clean state.
    while ( 1 )
    {
        while ( 1 )
        {
            v208 = v115;
            if ( Address )
            {
                v81 = __readfsdword(24);
                RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v81 + 48) + 24), 0, Address);
                Address = 0;
            }
            if ( v182 )
            {
                v76 = __readfsdword(24);
                RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v76 + 48) + 24), 0, v182);
                v182 = 0;
            }
            RtlFreeUnicodeString(&UnicodeString);
            if ( v179 )
            {
                v75 = __readfsdword(24);
                RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v75 + 48) + 24), 0, v179);
                v179 = 0;
            }
            if ( Handle )
            {
                v197 = NtClose(Handle);
                Handle = 0;
            }
            v144 = 0;
            v159 = 0;
            // bInheritHandles -> process flag bit 4
            if ( a6 )
                v198 |= 4u;
            else
                v198 &= 0xFFFFFFFBu;
            // v121 (0x48 bytes, Size = 72) is the create-info block passed as
            // &v121; v122/v123 are read back from it after the call.
            memset(&v121, 0, 0x48u);
            v121 = 72;
            LOBYTE(v123) = (unsigned __int8)v123 | 2;
            // No handle inheritance and no console change: describe which of the
            // three standard handles (PEB->ProcessParameters + 24) are real file
            // objects so the kernel can duplicate them (attribute 131082 = 0x2000A).
            if ( !v191 && !a6 && !(v62 & 0x100) && !v160 && !(a7 & 0x8000018) )
            {
                v134 = 3;
                v20 = (v133 & 0xFFFFFFFD | 1) & 0xFFFFFFE3;
                v133 = (v133 & 0xFFFFFFFD | 1) & 0xFFFFFFE3;
                v21 = *(_DWORD *)(v176 + 16) + 24;
                v73 = *(_DWORD *)(v176 + 16) + 24;
                for ( i = 0; ; ++i )
                {
                    v113 = i;
                    if ( i >= 3 )
                        break;
                    if ( (*(_DWORD *)(v21 + 4 * i) & 0x10000003) == 3 )
                    {
                        v20 ^= ((unsigned __int8)v20 ^ (unsigned __int8)(v20 | (unsigned __int8)(4 * (1 << i)))) & 0x1C;
                        v133 = v20;
                    }
                }
                *(&v230 + 4 * v208 + 1) = 131082;
                *(&v230 + 4 * v208 + 2) = 8;
                *(&v230 + 4 * (v208 + 1)) = 0;
                *(&v230 + 4 * v208++ + 3) = (int)&v133;
            }
            // v167 is set by BasepProcessInvalidImage on a retry; attribute 131079.
            if ( v167 )
            {
                *(&v230 + 4 * v208 + 1) = 131079;
                *(&v230 + 4 * v208 + 2) = 8;
                *(&v230 + 4 * (v208 + 1)) = 0;
                *(&v230 + 4 * v208++ + 3) = (int)&v96;
                v96 = 1;
                v97 = v167;
            }
            // Debug flags with PEB+1 (BeingDebugged?) clear, or a Debugger
            // override from a previous iteration (v201), set bits in the second
            // byte of the create-info flags.
            if ( a7 & 3 && !*(_BYTE *)(v176 + 1) )
            {
                v51 = BYTE1(v123) & 0xFE | 2;
LABEL_263:
                BYTE1(v123) = v51;
                goto LABEL_58;
            }
            if ( v201 )
            {
                v201 = 0;
                v51 = BYTE1(v123) & 0xFD | 1;
                goto LABEL_263;
            }
LABEL_58:
            LOBYTE(v123) = (unsigned __int8)v123 | 1;
            HIWORD(v123) = 8192;
            v124 = 129;
            if ( !v61 )
                v61 = *(_DWORD *)(*(_DWORD *)(v176 + 16) + 124);
            Str[1] = 0;
            v193 = 0;
            v152 = 1;
            // No application name: the decompiler could not follow the path that
            // derives it from the command line (JUMPOUT into sub_77E16F12).
            if ( !*(_DWORD *)&Str[2] )
            {
                Flags = *(_DWORD *)(KernelBaseGetGlobalData() + 44);
                JUMPOUT(*(int *)sub_77E16F12);
            }
            // Empty command line: reuse the application name as the command line
            // and quote it below.
            if ( !pszSrc || !*pszSrc )
            {
                v193 = 1;
                pszSrc = *(STRSAFE_LPCWSTR *)&Str[2];
            }
            if ( Str[1] || v193 )
            {
                // Manual wcslen: Size = 2*len + 6 bytes (two quotes + terminator).
                v15 = pszSrc;
                do
                {
                    v16 = *v15;
                    ++v15;
                }
                while ( v16 );
                Size = 2 * (v15 - (pszSrc + 1)) + 6;
                v72 = __readfsdword(24);
                v17 = RtlAllocateHeap(*(HANDLE *)(*(_DWORD *)(v72 + 48) + 24), 0, Size);
                v18 = v17;
                v179 = v17;
                if ( v17 )
                {
                    // L""" is a single quote-character literal whose escape was
                    // lost in the paste (read as L"\"").
                    StringCbCopyW((STRSAFE_LPWSTR)v17, Size, L""");
                    v19 = v195;
                    if ( Str[1] )
                    {
                        v151 = *v195;
                        *v195 = 0;
                    }
                    StringCbCatW(v18, Size, pszSrc);
                    StringCbCatW(v18, Size, L""");
                    if ( Str[1] )
                    {
                        *v19 = v151;
                        StringCbCatW(v18, Size, v19);
                    }
                    pszSrc = v18;
                }
            }
            // DOS path -> NT path; failure is error 3 (ERROR_PATH_NOT_FOUND).
            if ( !RtlDosPathNameToNtPathName_U(*(PWSTR *)&Str[2], &UnicodeString, 0, 0) )
            {
                v56 = 3;
                goto LABEL_257;
            }
            v34 = RtlInitUnicodeStringEx(&v164, *(_DWORD *)&Str[2]);
            if ( v34 < 0 )
                goto LABEL_234;
            // Relative or oddly separated paths are expanded to a full path
            // (result buffer v182 owned here).
            v35 = RtlDetermineDosPathNameType_U(*(PWSTR *)&Str[2]);
            v120 = v35;
            if ( v35 != 2 && v35 != 6 && v35 != 7 && v35 != 1 || BasepCheckForInvalidPathSeparator(*(wchar_t **)&Str[2]) )
            {
                v142 = 0;
                v143 = 0;
                v34 = RtlGetFullPathName_UstrEx(&v164, 0, &v142, 0, 0, 0, &v120, 0);
                if ( v34 < 0 )
                    goto LABEL_234;
                v164 = v142;
                v165 = v143;
                v182 = (PVOID)v143;
                v143 = 0;
            }
            v36 = BasepCreateProcessParameters(*(int *)&Str[2], v165, v161, pszSrc, v187, (int)&v60, a7, a6);
            v37 = (struct _RTL_USER_PROCESS_PARAMETERS *)v36;
            v67 = v36;
            if ( !v36 )
                goto LABEL_211;
            // Fill the image-name attribute and the list's total size
            // (16 bytes per entry + 4-byte header), then create the process.
            // 33554432 == 0x2000000 == MAXIMUM_ALLOWED for both handles.
            v233 = UnicodeString.Buffer;
            v232 = UnicodeString.Length;
            v230 = 16 * v208 + 4;
            v38 = NtCreateUserProcess(
                      &ProcessHandle,
                      &ThreadHandle,
                      33554432,
                      33554432,
                      v118,
                      v101,
                      v198,
                      1,
                      v36,
                      &v121,
                      &v230);
            v181 = v38;
            RtlDestroyProcessParameters(v37);
            if ( v38 >= 0 )
                break;
            ProcessHandle = 0;
            ThreadHandle = 0;
            // v122 is the create-info state the kernel wrote back (which stage
            // failed); v123 then holds a file handle for states 2 and 5.
            if ( !v122 )
                goto LABEL_209;
            if ( v122 == 1 )
            {
                if ( !RtlIsDosDeviceName_U(*(PWSTR *)&Str[2]) )
                {
LABEL_209:
                    v55 = v38;
                    goto LABEL_210;
                }
                v56 = 1200; // ERROR_BAD_DEVICE
                goto LABEL_257;
            }
            if ( v122 == 2 )
            {
                Handle = v123;
                // -1073741790 == 0xC0000022 (STATUS_ACCESS_DENIED) -> error 5
                if ( v38 == -1073741790 )
                {
                    v56 = 5;
                    goto LABEL_257;
                }
                v12 = -1073741521; // 0xC000012F, STATUS_INVALID_IMAGE_NOT_MZ
                if ( v206 )
                    goto LABEL_209;
                if ( v38 == -1073741521 )
                {
                    // Not a PE: a .bat/.cmd name is re-run through "cmd /c" after
                    // the app-compat query; v202 flags the batch case.
                    if ( UnicodeString.Length >= 8u )
                    {
                        v13 = (unsigned int)UnicodeString.Length >> 1;
                        v14 = &UnicodeString.Buffer[v13 - 4];
                        v79 = &UnicodeString.Buffer[v13 - 4];
                        if ( !__wcsnicmp(&UnicodeString.Buffer[v13 - 4], L".bat", 4u) || !__wcsnicmp(v14, L".cmd", 4u) )
                        {
                            v202 = 1;
                            v209 = BasepQueryAppCompat(
                                       0,
                                       0,
                                       0,
                                       0,
                                       Handle,
                                       UnicodeString.Buffer,
                                       v187,
                                       &v169,
                                       &v150,
                                       &v170,
                                       &v156,
                                       v154,
                                       &v146,
                                       &v171,
                                       &v144,
                                       &v159,
                                       &v148);
                            if ( !v209 )
                                goto LABEL_121;
                            if ( !BuildSubSysCommandLine(v152, (int)L"cmd /c", 0, pszSrc, &v163) )
                                goto LABEL_211;
                            pszSrc = v163.Buffer;
                            *(_DWORD *)&Str[2] = 0;
                            goto LABEL_138;
                        }
                        v12 = -1073741521;
                    }
                }
                else
                {
                    if ( v206 )
                        goto LABEL_209;
                }
                // SAFER / software-restriction check before the fallback launch,
                // skipped when CREATE_PRESERVE_CODE_AUTHZ_LEVEL (0x2000000) is set.
                // v194 narrows it to the invalid-image statuses in the range
                // 0xC000012F..0xC0000131 plus 0xC0000267 and DOS applications;
                // -1073741541 is 0xC000011B (STATUS_INVALID_IMAGE_NE_FORMAT).
                if ( !(a7 & 0x2000000) )
                {
                    v194 = 1;
                    if ( v38 != -1073741541 )
                    {
                        if ( v38 == v12 )
                        {
                            if ( !BaseIsDosApplication(&UnicodeString, v12) )
                                goto LABEL_227;
                        }
                        else
                        {
                            if ( v38 <= v12 || v38 > -1073741519 && v38 != -1073741209 )
LABEL_227:
                                v194 = 0;
                        }
                    }
                    if ( v194 )
                    {
                        v34 = BasepCheckWinSaferRestrictions(TokenHandle, *(_DWORD *)&Str[2], Handle);
                        v114 = v34;
                        if ( v34 < 0 )
                            goto LABEL_234;
                    }
                }
                // Hand the non-PE image (16-bit / DOS / .com etc.) to the VDM
                // machinery; it may rewrite the command line and app name in place
                // (note the by-address arguments) and then loop to retry.
                v209 = BasepProcessInvalidImage(
                           v38,
                           TokenHandle,
                           (LPCWSTR)v165,
                           (int)&Str[2],
                           (NTSTATUS)&pszSrc,
                           v158,
                           (int)&a7,
                           (int)&a6,
                           (int)&UnicodeString,
                           (int)Str,
                           (int)&v187,
                           (ULONG)&v60,
                           (int)&v211,
                           (int)&v168,
                           &v163,
                           &AnsiString,
                           &SourceString,
                           (int)&v199,
                           (int)&v191,
                           (int)&v167,
                           (int)&v192);
                if ( !v209 )
                    goto LABEL_121;
                v45 = v192;
                if ( v192 )
                    goto LABEL_117;
                goto LABEL_138;
            }
            if ( v122 == 3 )
                goto LABEL_279;
            // Machine-type mismatch: raise the hard error (1073741859 = 0x40000023)
            // so the user sees a dialog; error 216 (ERROR_EXE_MACHINE_TYPE_MISMATCH)
            // on newer OS versions (PEB+184 > 3), else error 193.
            if ( v122 == 4 )
            {
                MessageBoxResult = 6;
                Arguments = (ULONG)&UnicodeString;
                NtRaiseHardError(1073741859, 1u, 1u, &Arguments, 1u, &MessageBoxResult);
                if ( *(_DWORD *)(v176 + 184) > 3u )
                {
                    v56 = 216;
                    goto LABEL_257;
                }
                goto LABEL_279;
            }
            if ( v122 != 5 )
                break;
            // State 5: the image has a per-image "Debugger" option. The value is
            // read into a 0x20A-byte buffer and, if non-empty, prepended to the
            // command line so the named debugger is launched instead; the app
            // name is cleared and the loop retries. From a defender's point of
            // view this redirection is the step worth monitoring, since any
            // process creation for that image name is transparently re-targeted.
            v149 = v123;
            v52 = v178;
            if ( !v178 )
            {
                v70 = __readfsdword(24);
                v52 = RtlAllocateHeap(*(HANDLE *)(*(_DWORD *)(v70 + 48) + 24), 0, 0x20Au);
                v178 = (PVOID)v52;
                if ( !v52 )
                {
                    v197 = NtClose(v149);
                    v56 = 8; // ERROR_NOT_ENOUGH_MEMORY
                    goto LABEL_257;
                }
            }
            v53 = LdrQueryImageFileKeyOption(v149, L"Debugger", 1, v52, 520, &v106);
            v197 = NtClose(v149);
            if ( v53 >= 0 && v106 >= 2 && *(_WORD *)v52 )
            {
                *(_WORD *)(v52 + 520) = 0; // force termination at the buffer end
                if ( !BuildSubSysCommandLine(3, v52, 0, pszSrc, &v163) )
                    goto LABEL_211;
                pszSrc = v163.Buffer;
                *(_DWORD *)&Str[2] = 0;
            }
            else
            {
                v80 = __readfsdword(24);
                RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v80 + 48) + 24), 0, v178);
                v178 = 0;
                v201 = 1; // retry with the Debugger option ignored
            }
        }
        // Reached after a successful NtCreateUserProcess: v124/v125 are the file
        // and section handles, v83 the image subsystem (from the create info).
        Handle = (HANDLE)v124;
        v39 = v125;
        v177 = v125;
        if ( v83 == 2 )
            break;
        if ( v83 == 3 )
            break;
        // Only GUI (2), CUI (3) and POSIX (7) subsystems are accepted here;
        // anything else is error 129 (ERROR_CHILD_NOT_COMPLETE).
        if ( v83 != 7 )
        {
            v56 = 129;
            goto LABEL_257;
        }
        // POSIX: discard the created process and relaunch via the POSIX loader.
        if ( !BuildSubSysCommandLine(2, (int)L"POSIX /P", *(int *)&Str[2], pszSrc, &v163) )
            goto LABEL_211;
        pszSrc = v163.Buffer;
        *(_DWORD *)&Str[2] = 0;
        if ( v183 )
            NtRemoveProcessDebug(ProcessHandle, v183);
        NtTerminateProcess(ProcessHandle, ExitStatus);
        NtWaitForSingleObject(ProcessHandle, 0, 0);
        NtClose(ProcessHandle);
        ProcessHandle = 0;
        NtClose(ThreadHandle);
        ThreadHandle = 0;
        NtClose(v39);
        v177 = 0;
        v197 = NtClose(Handle);
        Handle = 0;
LABEL_138:
        v206 = 1; // second-pass marker: no further rewrites allowed
    }
    // ---- Post-creation checks on the new (still suspended) process ----
    // Image major/minor subsystem version (v85/v84); error 193 (ERROR_BAD_EXE_FORMAT).
    if ( !BasepCheckImageVersion(v85, v84) )
    {
LABEL_279:
        v56 = 193;
        goto LABEL_257;
    }
    if ( (unsigned __int8)v123 & 8 )
    {
        v137 = v130;
        v138 = v131;
        v139 = v132;
    }
    // Web-blade hash policy on the image file handle: access denied -> 1277,
    // any other failure -> 1278.
    v40 = BasepCheckWebBladeHashes(v124);
    v197 = v40;
    if ( v40 == -1073741790 )
    {
        v56 = 1277;
        goto LABEL_257;
    }
    if ( v40 < 0 )
    {
        v56 = 1278;
        goto LABEL_257;
    }
    v34 = BasepIsProcessAllowed(*(_DWORD *)&Str[2]);
    if ( v34 < 0 )
        goto LABEL_234;
    if ( !Str[0] && a7 & 0x800 )
        a7 &= 0xFFFFF7FFu;
    // VDM bookkeeping (v191 set by BasepProcessInvalidImage).
    if ( v191 )
    {
        v192 = ProcessHandle;
        if ( !BaseUpdateVDMEntry(1, &v192, v168, v191) )
        {
            v192 = 0;
            goto LABEL_211;
        }
        v199 |= 2u;
    }
    // v127 is the child's PEB address (from the create info); +180 is written
    // with 2 for the Str[0] (VDM/16-bit) case - field meaning not shown here.
    v153 = v127;
    if ( Str[0] )
    {
        v104 = 2;
        NtWriteVirtualMemory(ProcessHandle, (PVOID)(v127 + 180), &v104, 4u, 0);
    }
    // First pass: SAFER check now that the file is open (skipped with 0x2000000).
    if ( !v206 )
    {
        if ( !(a7 & 0x2000000) )
        {
            v34 = BasepCheckWinSaferRestrictions(TokenHandle, *(_DWORD *)&Str[2], Handle);
            v114 = v34;
            if ( v34 < 0 )
                goto LABEL_234;
        }
    }
    // v221 (0x88 bytes) is the CSRSS create-process message built below.
    memset(&v221, 0, 0x88u);
    // Image machine type (v87) -> processor architecture value for CSRSS:
    // 0x14C i386 -> 0, 0x200 IA-64 -> 6, 0x8664 AMD64 -> 9, else 65535.
    switch ( v87 )
    {
        case 0x14Cu:
            ProcessInformation = 0;
            break;
        case 0x200u:
            ProcessInformation = 6;
            break;
        case 0x8664u:
            ProcessInformation = 9;
            break;
        default:
            DbgPrint("Kernel32: No mapping for ImageInformation.Machine == %04x ", v87);
            ProcessInformation = 65535;
            break;
    }
    // Bit 0 of the create-info flags appears to mean "no app-compat / SxS
    // processing" (set for the Debugger and POSIX retries) - confirm.
    if ( !((unsigned __int8)v123 & 1) )
    {
        if ( !v206
          && !BasepQueryAppCompat(
                v177,
                &v82,
                ((unsigned int)(unsigned __int8)v123 >> 1) & 1,
                ProcessInformation,
                Handle,
                UnicodeString.Buffer,
                v187,
                &v169,
                &v150,
                &v170,
                &v156,
                v154,
                &v146,
                &v171,
                &v144,
                &v159,
                &v148) )
            goto LABEL_211;
        v136 = v126;
        v222 = v126;
        v34 = BasepConstructSxsCreateProcessMessage(
                  (int)&UnicodeString,
                  (int)&v164,
                  Handle,
                  ProcessHandle,
                  v177,
                  v144,
                  v159,
                  ((unsigned int)(unsigned __int8)v123 >> 2) & 1,
                  v154[0],
                  v170,
                  v156,
                  (v86 >> 9) & 1,
                  v153,
                  v137,
                  v138,
                  v139,
                  (int)&v136,
                  &v221,
                  &Dst);
        if ( v34 < 0 )
            goto LABEL_234;
    }
    // Fill the CSRSS message: handles, client id (v140/v141), architecture,
    // creation flags with the debug bits stripped. Low bits of the process /
    // thread handle fields are reused as flags (|2 GUI, |1 console-related,
    // thread |1 cross-session, |2 no-appcompat).
    v228 = v129;
    v226 = v127;
    v227 = v128;
    v213 = ProcessHandle;
    v214 = ThreadHandle;
    v215 = v140;
    v216 = v141;
    v229 = ProcessInformation;
    v217 = a7 & 0xFFFFFFFC;
    if ( v83 == 2 || Str[0] )
    {
        v213 = (void *)((_DWORD)ProcessHandle | 2);
        // Subsystem 2 == IMAGE_SUBSYSTEM_WINDOWS_GUI of the *calling* image.
        v23 = GetModuleHandleA(0);
        v24 = RtlImageNtHeader(v23);
        v71 = v24;
        if ( v24 )
        {
            if ( v24->OptionalHeader.Subsystem == 2 )
                v213 = (void *)((unsigned int)v213 | 1);
        }
    }
    // Creating with an explicit token: flag when its session id differs from
    // the caller's (PEB+468).
    if ( TokenHandle )
    {
        v34 = NtQueryInformationToken(TokenHandle, TokenSessionId, &TokenInformation, 4u, &ReturnLength);
        if ( v34 < 0 )
            goto LABEL_234;
        v69 = __readfsdword(24);
        if ( TokenInformation != *(_DWORD *)(*(_DWORD *)(v69 + 48) + 468) )
            v214 = (HANDLE)((_DWORD)v214 | 1);
    }
    if ( v62 & 0x40 )
        v213 = (void *)((unsigned int)v213 | 1);
    if ( v62 & 0x80 )
        v213 = (void *)((unsigned int)v213 & 0xFFFFFFFE);
    v218 = v191;
    if ( v191 )
    {
        v54 = v168 ? 0 : *(_DWORD *)(*(_DWORD *)(v176 + 16) + 16);
        v220 = v54;
        v219 = v168;
    }
    else
    {
        if ( v167 )
            v218 = 128;
    }
    if ( (unsigned __int8)v123 & 1 )
        v214 = (HANDLE)((_DWORD)v214 | 2);
    // Notify CSRSS (message id 65536 | 184 bytes); NtStatus is the reply status
    // embedded in v211's header.
    v34 = BasepCsrCaptureSxsMessage(&v221, &v172);
    v181 = v34;
    if ( v34 < 0 )
        goto LABEL_234;
    CsrClientCallServer(&v211, v172, 65536, 184);
    if ( NtStatus < 0 )
    {
        BaseSetLastNTError(NtStatus);
        ExitStatus = NtStatus;
        goto LABEL_211;
    }
    // App-compat may have changed the process-parameters flags; push them down.
    if ( !((unsigned __int8)v123 & 1) )
    {
        v136 = v222;
        if ( v222 != v126 )
        {
            v34 = BasepUpdateProcessParametersFlags(ProcessHandle, v222, (int)&v121);
            v181 = v34;
            if ( v34 < 0 )
            {
LABEL_234:
                v55 = v34;
                goto LABEL_210;
            }
        }
    }
    // UAC elevation check (not for batch files, not when v157 bit 1 says the
    // caller already handled it). -1073740756 == 0xC000042C
    // (STATUS_ELEVATION_REQUIRED) additionally logs an event unless v157 bit 0.
    if ( !v202 )
    {
        if ( !(v157 & 2) )
        {
            *(_DWORD *)v173 |= 1u;
            v41 = BaseCheckElevation(
                      ProcessHandle,
                      v165,
                      (int)v173,
                      v146,
                      v147[0],
                      (int)&v223,
                      (int)&v225,
                      v171,
                      TokenHandle,
                      0,
                      0);
            v42 = v41;
            v181 = v41;
            if ( v41 < 0 )
            {
                if ( v41 == -1073740756 && !(v157 & 1) )
                    BaseWriteErrorElevationRequiredEvent();
                BaseSetLastNTError(v42);
                ExitStatus = v42;
                goto LABEL_211;
            }
        }
    }
    // App-compat data: allocate a committed (0x1000 = MEM_COMMIT,
    // 4 = PAGE_READWRITE) block in the child, copy the data, and store its
    // address in the child's PEB at +488.
    if ( !((unsigned __int8)v123 & 1) )
    {
        BasepGetAppCompatData(
            v165,
            v173,
            v146,
            *(_DWORD *)v147,
            &v223,
            &v225,
            v171,
            &v82,
            ((unsigned int)(unsigned __int8)v123 >> 1) & 1,
            ProcessInformation,
            &v169,
            &v150,
            &Buffer,
            &BufferLength);
        if ( Buffer )
        {
            BaseAddress = 0;
            Size = BufferLength;
            v34 = NtAllocateVirtualMemory(ProcessHandle, &BaseAddress, 0, &Size, 0x1000u, 4u);
            if ( v34 < 0
              || (v34 = NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, BufferLength, 0), v34 < 0)
              || (v34 = NtWriteVirtualMemory(ProcessHandle, (PVOID)(v153 + 488), &BaseAddress, 4u, 0), v181 = v34, v34 < 0) )
                goto LABEL_234;
        }
        // v88.. is a small context struct handed to BasepPrepareSwitchContext.
        v88 = *(_DWORD *)&Str[2];
        v90 = v153;
        v89 = ProcessHandle;
        v91 = Buffer;
        v92 = v85;
        v93 = v84;
        v95 = (int)&v224;
        v94 = (v148 >> 6) & 1;
        BasepPrepareSwitchContext(&v88);
    }
    if ( !v202 )
    {
        if ( !((unsigned __int8)v123 & 1) )
        {
            v34 = BaseElevationPostProcessing(v173[0], ProcessInformation, ProcessHandle);
            v181 = v34;
            if ( v34 < 0 )
            {
                ExitStatus = v34;
                goto LABEL_234;
            }
        }
    }
    // Start the initial thread unless CREATE_SUSPENDED (0x4).
    if ( !(a7 & 4) )
    {
        v43 = NtResumeThread(ThreadHandle, 0);
        v44 = v43;
        v181 = v43;
        if ( v43 < 0 )
        {
            BaseSetLastNTError(v43);
            ExitStatus = v44;
            goto LABEL_211;
        }
    }
    v45 = v192;
    // ---- Success: publish the result to the caller ----
    // v175 is the PROCESS_INFORMATION: +0 hProcess, +4 hThread, +8/+12 the
    // client id (v140/v141). For a VDM launch (v45 != 0) the "process handle"
    // is the VDM handle with a tag in its low bits and the real handle is closed.
LABEL_117:
    v209 = 1;
    if ( v199 )
        v199 |= 8u;
    ms_exc.registration.TryLevel = 2;
    v103 = 1;
    v46 = v175;
    if ( v45 )
    {
        if ( v191 == 32 )
        {
            *(_DWORD *)v175 = (_DWORD)v45 | 2;
            if ( v199 & 4 )
            {
                v140 = 0;
                v141 = 0;
            }
        }
        else
        {
            *(_DWORD *)v175 = (_DWORD)v45 | 1;
        }
        if ( ProcessHandle )
            v197 = NtClose(ProcessHandle);
    }
    else
    {
        *(_DWORD *)v175 = ProcessHandle;
    }
    *(_DWORD *)(v46 + 4) = ThreadHandle;
    *(_DWORD *)(v46 + 8) = v140;
    *(_DWORD *)(v46 + 12) = v141;
    // Ownership of both handles has moved to the caller; clear the locals so
    // the __finally-style block below does not close them.
    ProcessHandle = 0;
    ThreadHandle = 0;
    ms_exc.registration.TryLevel = 1;
    v103 = 0;
    // v103 was just cleared, so this block is dead in straight-line flow; it is
    // the decompiled __finally handler that would run if writing the caller's
    // PROCESS_INFORMATION faulted.
    if ( v103 )
    {
        NtClose(ProcessHandle);
        v197 = NtClose(ThreadHandle);
        ProcessHandle = 0;
        ThreadHandle = 0;
        if ( v199 )
            v199 &= 0xFFFFFFF7u;
    }
}