Skip to content

WINOLDAP.MOD On Windows 16 bit On Windows 32 bit Internals

Jump to bottom Edit New page
otya edited this page Jul 29, 2018 · 2 revisions

win32 applicationをLoadModuleで起動してみる

//win16
#include <windows.h>
#include <stdio.h>
typedef struct _LOADPARMS16 {
    WORD      segEnv;
    LPSTR     lpszCmdLine;
    UINT FAR* lpShow;
    UINT FAR* lpReserved;
} LOADPARMS16;
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    hInstance;hPrevInstance;lpCmdLine;nCmdShow;
    LOADPARMS16 params;
    char buffer[200];
    char buf2[1000] = {0};
    UINT show[2];
    HINSTANCE result;
    show[0] = 0;//unknown
    show[1] = 1;
    params.segEnv = NULL;
    params.lpszCmdLine = "";
    params.lpShow = &show;
    params.lpReserved = NULL;
    while (TRUE)
    {
        result = LoadModule("C:\\WINDOWS\\SYSTEM32\\CALC.EXE", &params);
        GetModuleFileName(result, buf2, sizeof(buf2));
        sprintf(buffer, "%d %s\n", result, buf2);
        MessageBox(NULL, buffer, buffer, NULL);
    }
    return 0;
}

image

これからwin32プログラムを実行して帰ってきたHINSTANCEはWINOLDAP.MODのものであるとわかる

WINOLDAP.MODの引数を調べてみたものの組み込みプログラムの引数はhInst=>hTask=>TDB=>PDB=>cmdLine経由では取得できない?

WINOLDAP.MODを差し替えて引数を調べる

//win16
#include <windows.h>
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MessageBox(NULL, lpCmdLine, "", NULL);
    return 0;
}

image

なんか出てくる おそらく-WoAWoW32がprefixで20cが中身

20cはPIDではないため内部ハンドル(HGLOBAL16など)かhProcessなどと考えられる

//win32
#include <windows.h>
#include <winternl.h>
#include <psapi.h>
int main(int argc, char *argv[])
{
    if (argc != 3)
    {
        fprintf(stderr, "argc\n");
        return 1;
    }
    ULONG pid;
    if (RtlCharToInteger(argv[1], 10, &pid))
    {
        fprintf(stderr, "RtlCharToInteger\n");
        return 1;
    }
    ULONG unknown_handle;
    if (RtlCharToInteger(argv[2], 10, &unknown_handle))
    {
        fprintf(stderr, "RtlCharToInteger\n");
        return 1;
    }
    HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid);
    if (!hProcess)
    {
        fprintf(stderr, "OpenProcess\n");
        return 1;
    }
    HANDLE dup = NULL;
    SetLastError(0);
    if (!DuplicateHandle(hProcess, (HANDLE)unknown_handle, GetCurrentProcess(), &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        fprintf(stderr, "DuplicateHandle %d\n", GetLastError());
        return 1;
    }
    char buf[1000];
    SetLastError(0);
    if (!K32GetProcessImageFileNameA(dup, buf, sizeof(buf)))
    {
        fprintf(stderr, "K32GetProcessImageFileNameA %d\n", GetLastError());
        CloseHandle(dup);
        CloseHandle(hProcess);
        return 1;
    }
    printf("%.*s\n", 100, buf);
    CloseHandle(dup);
    CloseHandle(hProcess);
    return 0;
}
>ProcessHandleInformation.exe 412 524
\Device\HarddiskVolume1\Windows\System32\calc.exe

普通にhProcessだった(終わり)

Ha Ha!

Who knows?

Clone this wiki locally