CreateProcess流程分析


CreateProcess流程分析 CreateProcessA 函数工作流程分析:
用IDA打开CreateProcessA跟进,调用流程:
call kernel32!CreateProcessA
call kernel32!CreateProcessInternalA
call kernel32!CreateProcessInternalW
kernel32!CreateProcessInternal函数流程图太复杂,代码估计2000行以上, 看起来很晕+_+~+_+~
用IDA插件把汇编转换成C源码看看, 源码最具有说服力。

大致看一下 CreateProcessInternal 调用了
RtlImageNtHeader
NtQueryInformationToken
RtlAllocateHeap
BasepProcessInvalidImage
GetFileAttributesW
SearchPathW 这些函数
最后调用NtCreateUserProcess
该函数做的事情是申请内存, 读取磁盘PE文件,做一系列的检测工作,一切OK,
调用NtCreateUserProcess去创建进程
0:000> u NtCreateUserProcess l10
ntdll!NtCreateUserProcess:
77285860 b85d000000 mov eax,5Dh
77285865 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7728586a ff12 call dword ptr [edx]
7728586c c22c00 ret 2Ch
7728586f 90 nop
_KUSER_SHARED_DATA 区域是些什么内容(User 层和 Kernel 层是一样的),在 windbg 用 dt 命令来查看(注意:下面这份 dt 输出取自另一台系统,其 NtMajorVersion/NtMinorVersion 为 5/2,因此 SystemCall 字段里的地址与上面 u 命令输出中的地址不同):kd> dt _KUSER_SHARED_DATA 0x7ffe0000
ntdll!_KUSER_SHARED_DATA
+0x000 TickCountLowDeprecated : 0
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime : _KSYSTEM_TIME
+0x014 SystemTime : _KSYSTEM_TIME
+0x020 TimeZoneBias : _KSYSTEM_TIME
+0x02c ImageNumberLow : 0x14c
+0x02e ImageNumberHigh : 0x14c
+0x030 NtSystemRoot : [260] 0x43
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent : 0
+0x240 TimeZoneId : 0
+0x244 LargePageMinimum : 0x200000
+0x248 Reserved2 : [7] 0
+0x264 NtProductType : 3 ( NtProductServer )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion : 5
+0x270 NtMinorVersion : 2
+0x274 ProcessorFeatures : [64] ""
+0x2b4 Reserved1 : 0x7ffeffff
+0x2b8 Reserved3 : 0x80000000
+0x2bc TimeSlip : 0
+0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
+0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
+0x2d0 SuiteMask : 0x112
+0x2d4 KdDebuggerEnabled : 0x3 ''
+0x2d5 NXSupportPolicy : 0x2 ''
+0x2e4 LastSystemRITEventTickCount : 0x239f29d
+0x2e8 NumberOfPhysicalPages : 0x17f1b
+0x2ec SafeBootMode : 0 ''
+0x2f0 TraceLogging : 0
+0x2f8 TestRetInstruction : 0xc3
+0x300 SystemCall : 0x7c958458 <--------- System Call stub 函数
+0x304 SystemCallReturn : 0x7c95845c <--------- System Call return 函数
+0x308 SystemCallPad : [3] 0
+0x320 TickCount : _KSYSTEM_TIME
+0x320 TickCountQuad : 0x2481d8
+0x330 Cookie : 0xa4a0f27b
+0x334 Wow64SharedInformation : [16] 0
其中 +0x300 位置上就是 KiFastSystemCall() stub 函数地址,而 +0x304 位置上就是返回函数地址:
ntdll!KiFastSystemCall:
7c958458 8bd4 mov edx,esp ; 传送 caller 的 stack frame pointer
7c95845a 0f34 sysenter ; 快速切入到 kernel
7c95845c c3 ret ; 注意:实际上这是一个独立的 ntdll!KiFastSystemCallRet() 例程
地址 0x7c958458 是 ntdll!KiFastSystemCall() 函数地址,地址 0x7c95845c 是 ntdll!KiFastSystemCallRet() 函数地址。

切入 KiFastCallEntry():用户层的 stub 函数会使用 sysenter 指令切入到内核层的 KiFastCallEntry() 函数,再由 KiFastCallEntry() 函数分发到相应的系统服务例程执行。

到这里Ring3流程就完了, 归纳下CreateProcessA流程
call kernel32!CreateProcessA
call kernel32!CreateProcessInternalA
call kernel32!CreateProcessInternalW
call 初始工作
call ntdll!NtCreateUserProcess
call SharedUserData!SystemCallStub
call ntdll!KiFastSystemCall
call ntdll!KiFastCallEntry
1void __stdcall CreateProcessInternalW(void *a1, _DWORD a2, const wchar_t *a3, int a4, int a5, int a6, int a7, int a8, const WCHAR *a9, int a10, int a11, _DWORD a12)
2 {
3 signed int v12; // eax@130
4 unsigned int v13; // eax@133
5const wchar_t *v14; // edi@133
6 STRSAFE_LPCWSTR v15; // eax@147
7const wchar_t v16; // cx@148
8 PVOID v17; // eax@149
9 wchar_t *v18; // esi@149
10 STRSAFE_LPCWSTR v19; // edi@150
11int v20; // eax@164
12int v21; // edx@164
13 unsigned int i; // ecx@164
14 HMODULE v23; // eax@175
15 PIMAGE_NT_HEADERS v24; // eax@175
16 _WORD v25; // cx@4
17 HANDLE v26; // ecx@20
18int v27; // edi@23
19 NTSTATUS v28; // eax@25
20 HANDLE v29; // eax@29
21 PVOID v30; // edi@37
22 DWORD v31; // eax@38
23 DWORD v32; // esi@38
24 DWORD v33; // eax@40
25int v34; // eax@44
26 ULONG v35; // eax@67
27int v36; // eax@69
28struct _RTL_USER_PROCESS_PARAMETERS *v37; // edi@69
29int v38; // esi@70
30void *v39; // edi@71
31 NTSTATUS v40; // eax@76
32int v41; // eax@107
33 NTSTATUS v42; // edi@107
34int v43; // eax@115
35 NTSTATUS v44; // esi@115
36 HANDLE v45; // eax@116
37int v46; // esi@118
42 _BYTE v51; // al@261
43int v52; // edi@268
44int v53; // esi@271
45 signed int v54; // eax@308
46 NTSTATUS v55; // [sp-4h] [bp-62Ch]@209
47 signed int v56; // [sp-4h] [bp-62Ch]@235
48 NTSTATUS v57; // [sp-4h] [bp-62Ch]@158
49char v58; // [sp+10h] [bp-618h]@45
50char v59; // [sp+28h] [bp-600h]@44
51 ULONG v60; // [sp+40h] [bp-5E8h]@27
52int v61; // [sp+48h] [bp-5E0h]@58
53int v62; // [sp+6Ch] [bp-5BCh]@34
54 unsigned __int32 v63; // [sp+84h] [bp-5A4h]@205
55 unsigned __int32 v64; // [sp+88h] [bp-5A0h]@153
56 unsigned __int32 v65; // [sp+8Ch] [bp-59Ch]@327
57 unsigned __int32 v66; // [sp+90h] [bp-598h]@185
58int v67; // [sp+94h] [bp-594h]@69
59int v68; // [sp+9Ch] [bp-58Ch]@213
60 unsigned __int32 v69; // [sp+A0h] [bp-588h]@144
61 unsigned __int32 v70; // [sp+A4h] [bp-584h]@269
62 PIMAGE_NT_HEADERS v71; // [sp+A8h] [bp-580h]@175
63 unsigned __int32 v72; // [sp+ACh] [bp-57Ch]@149
64int v73; // [sp+B0h] [bp-578h]@164
65 unsigned __int32 v74; // [sp+B4h] [bp-574h]@185
66 unsigned __int32 v75; // [sp+B8h] [bp-570h]@258
67 unsigned __int32 v76; // [sp+BCh] [bp-56Ch]@141
68 ULONG Arguments; // [sp+C0h] [bp-568h]@277
69 unsigned __int32 v78; // [sp+C8h] [bp-560h]@37
70 WCHAR *v79; // [sp+CCh] [bp-55Ch]@133
71 unsigned __int32 v80; // [sp+D0h] [bp-558h]@276
72 unsigned __int32 v81; // [sp+D4h] [bp-554h]@140
73char v82; // [sp+D8h] [bp-550h]@19
74int v83; // [sp+E8h] [bp-540h]@71
75 unsigned __int16 v84; // [sp+ECh] [bp-53Ch]@73
76 unsigned __int16 v85; // [sp+EEh] [bp-53Ah]@73
77 unsigned int v86; // [sp+F6h] [bp-532h]@92
78 unsigned __int16 v87; // [sp+F8h] [bp-530h]@87
79int v88; // [sp+108h] [bp-520h]@1
80 HANDLE v89; // [sp+10Ch] [bp-51Ch]@1
81int v90; // [sp+110h] [bp-518h]@110
82 PVOID v91; // [sp+114h] [bp-514h]@110
83 unsigned __int16 v92; // [sp+118h] [bp-510h]@110
84 unsigned __int16 v93; // [sp+11Ah] [bp-50Eh]@110
85 unsigned int v94; // [sp+11Ch] [bp-50Ch]@110
86int v95; // [sp+120h] [bp-508h]@110
87int v96; // [sp+128h] [bp-500h]@259
88int v97; // [sp+12Ch] [bp-4FCh]@259
89int v98; // [sp+130h] [bp-4F8h]@127
90 ULONG v99; // [sp+134h] [bp-4F4h]@37
91 DWORD v100; // [sp+138h] [bp-4F0h]@40
92int v101; // [sp+13Ch] [bp-4ECh]@45
93 ULONG ReturnLength; // [sp+140h] [bp-4E8h]@143
94int v103; // [sp+144h] [bp-4E4h]@118
95int v104; // [sp+148h] [bp-4E0h]@300
96 DWORD v105; // [sp+14Ch] [bp-4DCh]@38
97 unsigned int v106; // [sp+150h] [bp-4D8h]@271
98 STRING AnsiString; // [sp+154h] [bp-4D4h]@4
99 LPWSTR FilePart; // [sp+15Ch] [bp-4CCh]@4
100 UNICODE_STRING SourceString; // [sp+160h] [bp-4C8h]@4 101 BOOL Result; // [sp+168h] [bp-4C0h]@31
102 ULONG Flags; // [sp+16Ch] [bp-4BCh]@156
103int TokenInformation; // [sp+170h] [bp-4B8h]@143
104 unsigned int v113; // [sp+174h] [bp-4B4h]@165
105int v114; // [sp+178h] [bp-4B0h]@86
106int v115; // [sp+17Ch] [bp-4ACh]@46
107 ULONG MessageBoxResult; // [sp+180h] [bp-4A8h]@277 108int v117; // [sp+184h] [bp-4A4h]@1
109int v118; // [sp+188h] [bp-4A0h]@44
110int v119; // [sp+18Ch] [bp-49Ch]@1
111 ULONG v120; // [sp+190h] [bp-498h]@67
112int v121; // [sp+194h] [bp-494h]@53
113int v122; // [sp+198h] [bp-490h]@128
114void *v123; // [sp+19Ch] [bp-48Ch]@53
115int v124; // [sp+1A0h] [bp-488h]@58
116void *v125; // [sp+1A4h] [bp-484h]@71
117int v126; // [sp+1B8h] [bp-470h]@92
118int v127; // [sp+1BCh] [bp-46Ch]@83
119int v128; // [sp+1C0h] [bp-468h]@93
120int v129; // [sp+1C4h] [bp-464h]@93
121int v130; // [sp+1CCh] [bp-45Ch]@75
122int v131; // [sp+1D0h] [bp-458h]@75
127int v136; // [sp+1E8h] [bp-440h]@92
128int v137; // [sp+1ECh] [bp-43Ch]@4
129int v138; // [sp+1F0h] [bp-438h]@4
130int v139; // [sp+1F4h] [bp-434h]@4
131int v140; // [sp+1F8h] [bp-430h]@19
132int v141; // [sp+1FCh] [bp-42Ch]@93
133int v142; // [sp+200h] [bp-428h]@203
134 NTSTATUS v143; // [sp+204h] [bp-424h]@203
135int v144; // [sp+208h] [bp-420h]@51
136 PVOID BaseAddress; // [sp+20Ch] [bp-41Ch]@171
137int v146; // [sp+210h] [bp-418h]@4
138char v147[4]; // [sp+214h] [bp-414h]@4
139 unsigned int v148; // [sp+218h] [bp-410h]@1
140 HANDLE v149; // [sp+21Ch] [bp-40Ch]@268
141int v150; // [sp+220h] [bp-408h]@4
142int v151; // [sp+224h] [bp-404h]@1
143int v152; // [sp+228h] [bp-400h]@60
144int v153; // [sp+230h] [bp-3F8h]@83
145char v154[4]; // [sp+234h] [bp-3F4h]@4
146 ULONG BufferLength; // [sp+238h] [bp-3F0h]@4
147int v156; // [sp+23Ch] [bp-3ECh]@4
148int v157; // [sp+240h] [bp-3E8h]@4
149 LPCWSTR v158; // [sp+244h] [bp-3E4h]@1
150 ULONG v159; // [sp+248h] [bp-3E0h]@51
151 HANDLE v160; // [sp+24Ch] [bp-3DCh]@4
152 PVOID v161; // [sp+250h] [bp-3D8h]@4
153int v162; // [sp+254h] [bp-3D4h]@1
154 LSA_UNICODE_STRING v163; // [sp+258h] [bp-3D0h]@4
155int v164; // [sp+260h] [bp-3C8h]@66
156 NTSTATUS v165; // [sp+264h] [bp-3C4h]@69
157 PVOID Environment; // [sp+268h] [bp-3C0h]@1
158int v167; // [sp+26Ch] [bp-3BCh]@4
159int v168; // [sp+270h] [bp-3B8h]@1
160 PVOID v169; // [sp+274h] [bp-3B4h]@4
161 PVOID v170; // [sp+278h] [bp-3B0h]@4
162int v171; // [sp+27Ch] [bp-3ACh]@4
163int v172; // [sp+284h] [bp-3A4h]@4
164char v173[4]; // [sp+288h] [bp-3A0h]@4
165 PVOID Buffer; // [sp+28Ch] [bp-39Ch]@4
166int v175; // [sp+290h] [bp-398h]@1
167int v176; // [sp+294h] [bp-394h]@4
168 HANDLE v177; // [sp+298h] [bp-390h]@4
169 PVOID v178; // [sp+29Ch] [bp-38Ch]@4
170 PVOID v179; // [sp+2A0h] [bp-388h]@4
171 NTSTATUS ExitStatus; // [sp+2A4h] [bp-384h]@4
172int v181; // [sp+2A8h] [bp-380h]@70
173 PVOID v182; // [sp+2ACh] [bp-37Ch]@1
174int v183; // [sp+2B0h] [bp-378h]@4
175 ULONG Size; // [sp+2B4h] [bp-374h]@149
176 LSA_UNICODE_STRING UnicodeString; // [sp+2B8h] [bp-370h]@1 177 LPCWSTR lpPath; // [sp+2C0h] [bp-368h]@1
178int v187; // [sp+2C4h] [bp-364h]@1
179int ProcessInformation; // [sp+2C8h] [bp-360h]@88
180 HANDLE TokenHandle; // [sp+2CCh] [bp-35Ch]@1
181 PVOID Address; // [sp+2D0h] [bp-358h]@4
182int v191; // [sp+2D4h] [bp-354h]@1
183 HANDLE v192; // [sp+2D8h] [bp-350h]@4
184char v193; // [sp+2DDh] [bp-34Bh]@60
185char v194; // [sp+2DFh] [bp-349h]@224
186 STRSAFE_LPCWSTR v195; // [sp+2E0h] [bp-348h]@1
187 HANDLE ThreadHandle; // [sp+2E4h] [bp-344h]@4
188 NTSTATUS v197; // [sp+2E8h] [bp-340h]@76
189int v198; // [sp+2ECh] [bp-33Ch]@4
190int v199; // [sp+2F0h] [bp-338h]@1
191 HANDLE Handle; // [sp+2F4h] [bp-334h]@4
192char v201; // [sp+2FAh] [bp-32Eh]@4
193char v202; // [sp+2FBh] [bp-32Dh]@4
194 STRSAFE_LPCWSTR pszSrc; // [sp+2FCh] [bp-32Ch]@1
195char Str[6]; // [sp+302h] [bp-326h]@1
196 HANDLE ProcessHandle; // [sp+308h] [bp-320h]@4
197char v206; // [sp+30Eh] [bp-31Ah]@4
198char v207; // [sp+30Fh] [bp-319h]@14
199int v208; // [sp+310h] [bp-318h]@19
200int v209; // [sp+314h] [bp-314h]@1
201char Dst; // [sp+318h] [bp-310h]@4
202int v211; // [sp+418h] [bp-210h]@102
203 NTSTATUS NtStatus; // [sp+438h] [bp-1F0h]@102
204void *v213; // [sp+440h] [bp-1E8h]@93
205 HANDLE v214; // [sp+444h] [bp-1E4h]@93
206int v215; // [sp+448h] [bp-1E0h]@93
207int v216; // [sp+44Ch] [bp-1DCh]@93
212 _DWORD v221; // [sp+460h] [bp-1C8h]@87
213int v222; // [sp+464h] [bp-1C4h]@92
214 _DWORD v223; // [sp+4C8h] [bp-160h]@107
215 _DWORD v224; // [sp+4D4h] [bp-154h]@110
216 _DWORD v225; // [sp+4E0h] [bp-148h]@107
217int v226; // [sp+4E8h] [bp-140h]@93
218int v227; // [sp+4ECh] [bp-13Ch]@93
219int v228; // [sp+4F0h] [bp-138h]@93
220 _WORD v229; // [sp+4F4h] [bp-134h]@93
221int v230; // [sp+4F8h] [bp-130h]@70
222int v231; // [sp+4FCh] [bp-12Ch]@19
223int v232; // [sp+500h] [bp-128h]@70
224 PWSTR v233; // [sp+504h] [bp-124h]@70
225int v234; // [sp+508h] [bp-120h]@19
226int v235; // [sp+50Ch] [bp-11Ch]@19
227int v236; // [sp+510h] [bp-118h]@19
228int *v237; // [sp+514h] [bp-114h]@19
229int v238; // [sp+518h] [bp-110h]@19
230int v239; // [sp+51Ch] [bp-10Ch]@19
231int v240; // [sp+520h] [bp-108h]@19
232char *v241; // [sp+524h] [bp-104h]@19
233int v242; // [sp+528h] [bp-100h]@19
234int v243; // [sp+52Ch] [bp-FCh]@252
235int v244; // [sp+530h] [bp-F8h]@252
236int v245; // [sp+534h] [bp-F4h]@252
237int v246; // [sp+538h] [bp-F0h]@252
238 CPPEH_RECORD ms_exc; // [sp+610h] [bp-18h]@23 239
240 TokenHandle = a1;
241 *(_DWORD *)&Str[2] = a2;
242 pszSrc = a3;
243 v119 = a4;
244 v117 = a5;
245 v187 = a8;
246 v158 = a9;
247 v135 = a10;
248 v175 = a11;
249 v209 = 0;
250 v195 = 0;
251 v151 = 0;
252 v168 = 0;
253 v199 = 0;
254 v191 = 0;
255 Environment = 0;
256 v182 = 0;
257 v162 = 0;
258 lpPath = 0;
259 UnicodeString.Length = 0;
260 *(_DWORD *)&UnicodeString.MaximumLength = 0;
261 HIWORD(UnicodeString.Buffer) = 0;
262 v88 = 0;
263 memset(&v89, 0, 0x1Cu);
264 v148 = 0;
265if ( !a2 && !a3 )
266 {
267 v57 = -1073741776;
268 LABEL_333:
269 BaseSetLastNTError(v57);
270return;
271 }
272if ( !v175 || !v135 )
273 {
274 v57 = -1073741811;
275goto LABEL_333;
276 }
277 v192 = 0;
278 Handle = 0;
279 v177 = 0;
280 ProcessHandle = 0;
281 ThreadHandle = 0;
282 v183 = 0;
283 Address = 0;
284 v178 = 0;
285 v172 = 0;
286 v167 = 0;
287 v161 = 0;
288 FilePart = 0;
289 v163.Buffer = 0;
290 Str[0] = 0;
291 v202 = 0;
292 v206 = 0;
297 BufferLength = 0;
298 v170 = 0;
299 v156 = 0;
300 v169 = 0;
301 v150 = 0;
302 *(_DWORD *)v173 = 0;
303 *(_DWORD *)v154 = 0;
304 v146 = 0;
305 *(_DWORD *)v147 = 0;
306 v171 = 0;
307 ExitStatus = 0;
308 v198 = 0;
309 v157 = 0;
310 v137 = 0;
311 v138 = 0;
312 v139 = 0;
313 AnsiString.Buffer = 0;
314 SourceString.Buffer = 0;
315 memset(&Dst, 0, 0x100u);
316 v176 = *(_DWORD *)(__readfsdword(24) + 48);
317 v25 = a7;
318if ( (a7 & 0x18) == 24 )
319goto LABEL_242;
320if ( a7 & 0x800 )
321 {
322if ( !(a7 & 0x1000) )
323goto LABEL_8;
324 LABEL_242:
325 RtlSetLastWin32Error(87);
326return;
327 }
328if ( !(a7 & 0x1000) && *(_BYTE *)(BaseStaticServerData + 1872) )
329 {
330 v25 = a7 | 0x800;
331 a7 |= 0x800u;
332 }
333 LABEL_8:
334if ( v25 & 0x40 )
335 {
336 v207 = 1;
337 }
338else
339 {
340if ( v25 & 0x4000 )
341 {
342 v207 = 5;
343 }
344else
345 {
346if ( v25 & 0x20 )
347 {
348 v207 = 2;
349 }
350else
351 {
352if ( v25 & 0x8000 )
353 {
354 v207 = 6;
355 }
356else
357 {
358if ( (char)v25 < 0 )
359 {
360 v207 = 3;
361 }
362else
363 {
364if ( v25 & 0x100 )
365 v207 = (BasepIsRealtimeAllowed(0, TokenHandle != 0) != 0) + 3; 366else
367 v207 = 0;
368 }
369 }
370 }
371 }
372 }
373 a7 &= 0xFFFF3E1Fu;
374if ( a7 & 0x40000 )
375 v198 = 64;
376if ( a7 & 0x1000000 )
377 v198 |= 1u;
382 v50 = DbgUiConnectToDbg();
383if ( v50 < 0 )
384 {
385 v57 = v50;
386goto LABEL_333;
387 }
388 v183 = DbgUiGetThreadDebugObject();
389if ( a7 & 2 )
390 v198 |= 2u;
391 }
392 v231 = 131077;
393 v234 = 0;
394 v235 = 65539;
395 v236 = 8;
396 v238 = 0;
397 v237 = &v140;
398 v239 = 6;
399 v240 = 48;
400 v242 = 0;
401 v241 = &v82;
402 v208 = 3;
403if ( v183 )
404 {
405 v243 = 393217;
406 v244 = 4;
407 v246 = 0;
408 v245 = v183;
409 v208 = 4;
410 }
411 v26 = TokenHandle;
412if ( TokenHandle )
413 {
414 *(&v231 + 4 * v208) = 393218;
415 *(&v232 + 4 * v208) = 4;
416 *(&v234 + 4 * v208) = 0;
417 (&v233)[8 * v208++] = (PWSTR)v26;
418 }
419if ( v207 )
420 {
421 *(&v231 + 4 * v208) = 131080;
422 *(&v232 + 4 * v208) = 1;
423 *(&v234 + 4 * v208) = 0;
424 (&v233)[8 * v208++] = (PWSTR)&v207;
425 }
426if ( a7 & 0x4000000 )
427 {
428 v98 = 1;
429 *(&v231 + 4 * v208) = 131081;
430 *(&v232 + 4 * v208) = 4;
431 *(&v234 + 4 * v208) = 0;
432 (&v233)[8 * v208++] = (PWSTR)&v98;
433 }
434 ms_exc.registration.TryLevel = 0;
435 v27 = v175;
436 *(_DWORD *)v175 = 0;
437 v27 += 4;
438 *(_DWORD *)v27 = 0;
439 v27 += 4;
440 *(_DWORD *)v27 = 0;
441 *(_DWORD *)(v27 + 4) = 0;
442if ( v187 && !(a7 & 0x400) )
443 {
444 v28 = RtlCreateEnvironmentEx(v187, &Environment, 1);
445if ( v28 < 0 )
446 {
447 BaseSetLastNTError(v28);
448 _local_unwind4(&__security_cookie, &ms_exc.registration, -2); 449return;
450 }
451 v187 = Environment;
452 a7 |= 0x400u;
453 }
454 memcpy(&v60, (const void *)v135, 0x44u);
455if ( a7 & 0x80000 )
456 {
457if ( v60 != 72 )
458 {
459 v55 = -1073741811;
460 LABEL_210:
461 BaseSetLastNTError(v55);
462goto LABEL_211;
467 {
468 v49 = KernelBaseGetGlobalData();
469 v34 = (*(int (__stdcall **)(int, _DWORD, int *, HANDLE *, int *, int *, signed int))(v49 + 40))( 470 v48,
4710,
472 &v157,
473 &v160,
474 &v230,
475 &v208,
47615);
477if ( v34 < 0 )
478goto LABEL_234;
479 }
480 }
481if ( !(a7 & 0x800) )
482 {
483 v29 = v160;
484if ( !v160 )
485 v29 = (HANDLE)-1;
486if ( IsProcessInJob(v29, 0, &Result) && Result )
487 a7 = a7 & 0xFFFFEFFF | 0x800;
488 }
489if ( v62 & 0x100 && v62 & 0x600 )
490 v62 &= 0xFFFFFEFFu;
491if ( !v158 )
492goto LABEL_44;
493 v99 = *(_DWORD *)(KernelBaseGetGlobalData() + 44);
494 v78 = __readfsdword(24);
495 v30 = RtlAllocateHeap(*(HANDLE *)(*(_DWORD *)(v78 + 48) + 24), v99, 0x20Au);
496 v161 = v30;
497if ( !v30 )
498 {
499 v55 = -1073741801;
500goto LABEL_210;
501 }
502 v31 = GetFullPathNameW(v158, 0x103u, (LPWSTR)v30, &FilePart);
503 v32 = v31;
504 v105 = v31;
505if ( v31 >= 0x104 )
506goto LABEL_235;
507if ( !v31 )
508 {
509 LABEL_211:
510 v209 = 0;
511 LABEL_121:
512 ms_exc.registration.TryLevel = -2;
513if ( v178 )
514 {
515 v65 = __readfsdword(24);
516 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v65 + 48) + 24), 0, v178);
517 }
518if ( v182 )
519 {
520 v63 = __readfsdword(24);
521 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v63 + 48) + 24), 0, v182);
522 }
523 RtlFreeUnicodeString(&UnicodeString);
524if ( !v191 )
525 BasepReleaseSxsCreateProcessUtilityStruct(&Dst);
526if ( Environment )
527 {
528 RtlDestroyEnvironment(Environment);
529 v197 = v47;
530 }
531if ( v179 )
532 {
533 v64 = __readfsdword(24);
534 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v64 + 48) + 24), 0, v179);
535 }
536 v74 = __readfsdword(24);
537 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v74 + 48) + 24), 0, Address);
538 v66 = __readfsdword(24);
539 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v66 + 48) + 24), 0, v161);
540if ( Handle )
541 v197 = NtClose(Handle);
542if ( v177 )
543 v197 = NtClose(v177);
544if ( ThreadHandle )
545 {
546if ( v183 )
547 NtRemoveProcessDebug(ProcessHandle, v183);
552if ( ProcessHandle )
553 v197 = NtClose(ProcessHandle);
554 BasepFreeAppCompatData(Buffer, v170, v169);
555 RtlFreeUnicodeString(&v163);
556if ( AnsiString.Buffer || SourceString.Buffer )
557 BaseDestroyVDMEnvironment(&AnsiString, (int)&SourceString);
558if ( v199 )
559 {
560if ( !(v199 & 8) )
561 {
562 BaseUpdateVDMEntry(0, &v168, v199, v191);
563if ( v192 )
564 v197 = NtClose(v192);
565 }
566 }
567if ( lpPath )
568 BaseReleaseProcessExePath(lpPath, v162);
569if ( v172 )
570 {
571 CsrFreeCaptureBuffer(v172);
572 v172 = 0;
573 }
574return;
575 }
576 v33 = GetFileAttributesW((LPCWSTR)v30);
577 v100 = v33;
578if ( v33 == -1 || !(v33 & 0x10) )
579 {
580 LABEL_235:
581 v56 = 267;
582 LABEL_257:
583 RtlSetLastWin32Error(v56);
584goto LABEL_211;
585 }
586if ( *((_WORD *)v30 + v32 - 1) != 92 )
587 {
588 *((_WORD *)v30 + v32) = 92;
589 v105 = v32 + 1;
590 *((_WORD *)v30 + v32 + 1) = 0;
591 }
592 LABEL_44:
593 v34 = BaseFormatObjectAttributes(&v59, v119, 0, &v118);
594if ( v34 < 0 || (v34 = BaseFormatObjectAttributes(&v58, v117, 0, &v101), v34 < 0) ) 595goto LABEL_234;
596 v115 = v208;
597while ( 1 )
598 {
599while ( 1 )
600 {
601 v208 = v115;
602if ( Address )
603 {
604 v81 = __readfsdword(24);
605 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v81 + 48) + 24), 0, Address);
606 Address = 0;
607 }
608if ( v182 )
609 {
610 v76 = __readfsdword(24);
611 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v76 + 48) + 24), 0, v182);
612 v182 = 0;
613 }
614 RtlFreeUnicodeString(&UnicodeString);
615if ( v179 )
616 {
617 v75 = __readfsdword(24);
618 RtlFreeHeap(*(HANDLE *)(*(_DWORD *)(v75 + 48) + 24), 0, v179);
619 v179 = 0;
620 }
621if ( Handle )
622 {
623 v197 = NtClose(Handle);
624 Handle = 0;
625 }
626 v144 = 0;
627 v159 = 0;
628if ( a6 )
629 v198 |= 4u;
630else
631 v198 &= 0xFFFFFFFBu;
632 memset(&v121, 0, 0x48u);
637 v134 = 3;
638 v20 = (v133 & 0xFFFFFFFD | 1) & 0xFFFFFFE3;
639 v133 = (v133 & 0xFFFFFFFD | 1) & 0xFFFFFFE3;
640 v21 = *(_DWORD *)(v176 + 16) + 24;
641 v73 = *(_DWORD *)(v176 + 16) + 24;
642for ( i = 0; ; ++i )
643 {
644 v113 = i;
645if ( i >= 3 )
646break;
647if ( (*(_DWORD *)(v21 + 4 * i) & 0x10000003) == 3 )
648 {
649 v20 ^= ((unsigned __int8)v20 ^ (unsigned __int8)(v20 | (unsigned __int8)(4 * (1 << i)))) & 0x1C; 650 v133 = v20;
651 }
652 }
653 *(&v230 + 4 * v208 + 1) = 131082;
654 *(&v230 + 4 * v208 + 2) = 8;
655 *(&v230 + 4 * (v208 + 1)) = 0;
656 *(&v230 + 4 * v208++ + 3) = (int)&v133;
657 }
658if ( v167 )
659 {
660 *(&v230 + 4 * v208 + 1) = 131079;
661 *(&v230 + 4 * v208 + 2) = 8;
662 *(&v230 + 4 * (v208 + 1)) = 0;
663 *(&v230 + 4 * v208++ + 3) = (int)&v96;
664 v96 = 1;
665 v97 = v167;
666 }
667if ( a7 & 3 && !*(_BYTE *)(v176 + 1) )
668 {
669 v51 = BYTE1(v123) & 0xFE | 2;
670 LABEL_263:
671 BYTE1(v123) = v51;
672goto LABEL_58;
673 }
674if ( v201 )
675 {
676 v201 = 0;
677 v51 = BYTE1(v123) & 0xFD | 1;
678goto LABEL_263;
679 }
680 LABEL_58:
681 LOBYTE(v123) = (unsigned __int8)v123 | 1;
682 HIWORD(v123) = 8192;
683 v124 = 129;
684if ( !v61 )
685 v61 = *(_DWORD *)(*(_DWORD *)(v176 + 16) + 124);
686 Str[1] = 0;
687 v193 = 0;
688 v152 = 1;
689if ( !*(_DWORD *)&Str[2] )
690 {
691 Flags = *(_DWORD *)(KernelBaseGetGlobalData() + 44);
692 JUMPOUT(*(int *)sub_77E16F12);
693 }
694if ( !pszSrc || !*pszSrc )
695 {
696 v193 = 1;
697 pszSrc = *(STRSAFE_LPCWSTR *)&Str[2];
698 }
699if ( Str[1] || v193 )
700 {
701 v15 = pszSrc;
702do
703 {
704 v16 = *v15;
705 ++v15;
706 }
707while ( v16 );
708 Size = 2 * (v15 - (pszSrc + 1)) + 6;
709 v72 = __readfsdword(24);
710 v17 = RtlAllocateHeap(*(HANDLE *)(*(_DWORD *)(v72 + 48) + 24), 0, Size);
711 v18 = v17;
712 v179 = v17;
713if ( v17 )
714 {
715 StringCbCopyW((STRSAFE_LPWSTR)v17, Size, L"\"");
716 v19 = v195;
717if ( Str[1] )
722 StringCbCatW(v18, Size, pszSrc);
723 StringCbCatW(v18, Size, L"\"");
724if ( Str[1] )
725 {
726 *v19 = v151;
727 StringCbCatW(v18, Size, v19);
728 }
729 pszSrc = v18;
730 }
731 }
732if ( !RtlDosPathNameToNtPathName_U(*(PWSTR *)&Str[2], &UnicodeString, 0, 0) )
733 {
734 v56 = 3;
735goto LABEL_257;
736 }
737 v34 = RtlInitUnicodeStringEx(&v164, *(_DWORD *)&Str[2]);
738if ( v34 < 0 )
739goto LABEL_234;
740 v35 = RtlDetermineDosPathNameType_U(*(PWSTR *)&Str[2]);
741 v120 = v35;
742if ( v35 != 2 && v35 != 6 && v35 != 7 && v35 != 1 || BasepCheckForInvalidPathSeparator(*(wchar_t **)&Str[2]) ) 743 {
744 v142 = 0;
745 v143 = 0;
746 v34 = RtlGetFullPathName_UstrEx(&v164, 0, &v142, 0, 0, 0, &v120, 0);
747if ( v34 < 0 )
748goto LABEL_234;
749 v164 = v142;
750 v165 = v143;
751 v182 = (PVOID)v143;
752 v143 = 0;
753 }
754 v36 = BasepCreateProcessParameters(*(int *)&Str[2], v165, v161, pszSrc, v187, (int)&v60, a7, a6);
755 v37 = (struct _RTL_USER_PROCESS_PARAMETERS *)v36;
756 v67 = v36;
757if ( !v36 )
758goto LABEL_211;
759 v233 = UnicodeString.Buffer;
760 v232 = UnicodeString.Length;
761 v230 = 16 * v208 + 4;
762 v38 = NtCreateUserProcess(
763 &ProcessHandle,
764 &ThreadHandle,
76533554432,
76633554432,
767 v118,
768 v101,
769 v198,
7701,
771 v36,
772 &v121,
773 &v230);
774 v181 = v38;
775 RtlDestroyProcessParameters(v37);
776if ( v38 >= 0 )
777break;
778 ProcessHandle = 0;
779 ThreadHandle = 0;
780if ( !v122 )
781goto LABEL_209;
782if ( v122 == 1 )
783 {
784if ( !RtlIsDosDeviceName_U(*(PWSTR *)&Str[2]) )
785 {
786 LABEL_209:
787 v55 = v38;
788goto LABEL_210;
789 }
790 v56 = 1200;
791goto LABEL_257;
792 }
793if ( v122 == 2 )
794 {
795 Handle = v123;
796if ( v38 == -1073741790 )
797 {
798 v56 = 5;
799goto LABEL_257;
800 }
801 v12 = -1073741521;
802if ( v206 )
803goto LABEL_209;
804if ( v38 == -1073741521 )
805 {
806if ( UnicodeString.Length >= 8u )
807 {
808 v13 = (unsigned int)UnicodeString.Length >> 1;
809 v14 = &UnicodeString.Buffer[v13 - 4];
810 v79 = &UnicodeString.Buffer[v13 - 4];
811if ( !__wcsnicmp(&UnicodeString.Buffer[v13 - 4], L".bat", 4u) || !__wcsnicmp(v14, L".cmd", 4u) ) 812 {
813 v202 = 1;
814 v209 = BasepQueryAppCompat(
8150,
8160,
8170,
8180,
819 Handle,
820 UnicodeString.Buffer,
821 v187,
822 &v169,
823 &v150,
824 &v170,
825 &v156,
826 v154,
827 &v146,
828 &v171,
829 &v144,
830 &v159,
831 &v148);
832if ( !v209 )
833goto LABEL_121;
834if ( !BuildSubSysCommandLine(v152, (int)L"cmd /c", 0, pszSrc, &v163) )
835goto LABEL_211;
836 pszSrc = v163.Buffer;
837 *(_DWORD *)&Str[2] = 0;
838goto LABEL_138;
839 }
840 v12 = -1073741521;
841 }
842 }
843else
844 {
845if ( v206 )
846goto LABEL_209;
847 }
848if ( !(a7 & 0x2000000) )
849 {
850 v194 = 1;
851if ( v38 != -1073741541 )
852 {
853if ( v38 == v12 )
854 {
855if ( !BaseIsDosApplication(&UnicodeString, v12) )
856goto LABEL_227;
857 }
858else
859 {
860if ( v38 <= v12 || v38 > -1073741519 && v38 != -1073741209 )
861 LABEL_227:
862 v194 = 0;
863 }
864 }
865if ( v194 )
866 {
867 v34 = BasepCheckWinSaferRestrictions(TokenHandle, *(_DWORD *)&Str[2], Handle);
868 v114 = v34;
869if ( v34 < 0 )
870goto LABEL_234;
871 }
872 }
873 v209 = BasepProcessInvalidImage(
874 v38,
875 TokenHandle,
876 (LPCWSTR)v165,
877 (int)&Str[2],
878 (NTSTATUS)&pszSrc,
879 v158,
880 (int)&a7,
881 (int)&a6,
882 (int)&UnicodeString,
883 (int)Str,
884 (int)&v187,
885 (ULONG)&v60,
886 (int)&v211,
887 (int)&v168,
888 &v163,
889 &AnsiString,
890 &SourceString,
891 (int)&v199,。
