From a3d8bb73be2ba9885121b1a10c3cf1621ba8e44b Mon Sep 17 00:00:00 2001
From: Brady McDermott
Date: Sun, 28 Jul 2024 01:31:24 -0600
Subject: [PATCH] a good masculine program shares its feelings (error codes) with others (the event log)

---
 CscdSvc/hook.c | 41 +++++++++++++++++------------------------
 CscdSvc/hook.h | 2 --
 CscdSvc/svc.c | 7 ++-----
 3 files changed, 19 insertions(+), 31 deletions(-)

diff --git a/CscdSvc/hook.c b/CscdSvc/hook.c
index 2c5bf43..7d56838 100644
--- a/CscdSvc/hook.c
+++ b/CscdSvc/hook.c
@@ -46,8 +46,11 @@ __declspec(dllexport) BOOL CALLBACK InstallUserHook()
     OutputDebugString(TEXT("InstallUserHook called\n"));
     // Unregister before we do anything
-    // TODO: kill uxtheme kill uxtheme
-    //UnregisterUserApiHookDelay();
+    if (!UnregisterUserApiHookRemote())
+        SvcReportEvent(TEXT("InstallUserHook: UnregisterUserApiHookRemote"));
+
+    if (!UnregisterUserApiHookDelay())
+        SvcReportEvent(TEXT("InstallUserHook: UnregisterUserApiHookDelay"));
     // Get the module
     g_hModule = GetModuleHandle(NULL);
@@ -276,9 +279,15 @@ static BOOL WINAPI UnregisterUserApiHookRemote(VOID)
     // Return if we can't get the snapshot
     // or if we get an invalid session ID
     if (hProcessSnapshot == NULL)
+    {
+        SvcReportEvent(TEXT("UnregisterUserApiHookRemote: CreateToolhelp32Snapshot"));
         return FALSE;
+    }
     if (dwSessionID == 0xFFFFFFFF)
+    {
+        SvcReportEvent(TEXT("UnregisterUserApiHookRemote: WTSGetActiveConsoleSessionId"));
         return FALSE;
+    }
     // Set the size of the structure before using it
     pe32.dwSize = sizeof(PROCESSENTRY32);
@@ -309,7 +318,10 @@ static BOOL WINAPI UnregisterUserApiHookRemote(VOID)
     hProcess = OpenProcess(0x1FFFFFu, FALSE, dwProcessID);
     if (hProcess == NULL)
+    {
+        SvcReportEvent(TEXT("UnregisterUserApiHookRemote: OpenProcess"));
         return FALSE;
+    }
     // Calculate the size of the UnregisterUserApiHookDelay function... HACK!
     LONGLONG sizeofUnregisterUserApiHookDelay = (BYTE*)UnregisterUserApiHookRemote - (BYTE*)UnregisterUserApiHookDelay;
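Review bot: Each failure inside UnregisterUserApiHookRemote is now reported twice: the callee writes its own event naming the failing API (the CreateToolhelp32Snapshot, WTSGetActiveConsoleSessionId, OpenProcess and VirtualAllocEx paths in the later hunks), and the new `if (!UnregisterUserApiHookRemote())` branch here writes a second, less specific one for the same return. Keep one of the two; if the outer report stays, say why the install goes on, e.g. `// Best-effort cleanup: a failure is logged but does not abort the install`. The UnregisterUserApiHookDelay branch does not have this duplication, but if SvcReportEvent formats GetLastError() as the SDK sample does, whether that function leaves a meaningful last-error value is not visible in this patch. InstallUserHook's body continues outside the hunk.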
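Review bot: The new early return on the `dwSessionID == 0xFFFFFFFF` check leaks hProcessSnapshot: the handle was just confirmed non-NULL on the line above and nothing closes it before `return FALSE;`. The same pattern repeats in the OpenProcess hunk (snapshot still open) and the VirtualAllocEx hunk (snapshot and hProcess both open), unless a close happens somewhere this patch does not show; a `CloseHandle(hProcessSnapshot);` before each early return, or one shared exit label, covers all three. Separately, both values appear to be computed before either check, so if SvcReportEvent logs GetLastError() the value reported for the snapshot failure may already belong to the WTSGetActiveConsoleSessionId call; capturing `DWORD dwErr = GetLastError();` immediately after each API call and reporting that keeps the event accurate. UnregisterUserApiHookRemote starts and ends outside the hunk.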
@@ -319,7 +331,10 @@ static BOOL WINAPI UnregisterUserApiHookRemote(VOID)
     // Blah blah error checking
     if (lpvRemoteProcessBuffer == 0)
+    {
+        SvcReportEvent(TEXT("UnregisterUserApiHookRemote: VirtualAllocEx"));
         return FALSE;
+    }
     // Write the sauce into Winlogon (not dangerous!)
     WriteProcessMemory(hProcess, lpvRemoteProcessBuffer, UnregisterUserApiHookRemote, sizeofUnregisterUserApiHookDelay, NULL);
@@ -333,25 +348,3 @@ static BOOL WINAPI UnregisterUserApiHookRemote(VOID)
     return TRUE;
 }
-
-/* * * *\
-    ExternUnregisterUserApiHookDelay -
-        Forward function
-    RETURNS -
-        TRUE if successful.
-\* * * */
-BOOL WINAPI ExternUnregisterUserApiHookDelay(VOID)
-{
-    UnregisterUserApiHookDelay();
-}
-
-/* * * *\
-    ExternUnregisterUserApiHookRemote -
-        Forward function
-    RETURNS -
-        TRUE if successful.
-\* * * */
-BOOL WINAPI ExternUnregisterUserApiHookRemote(VOID)
-{
-    return UnregisterUserApiHookRemote();
-}
diff --git a/CscdSvc/hook.h b/CscdSvc/hook.h
index b123cdb..ee25ace 100644
--- a/CscdSvc/hook.h
+++ b/CscdSvc/hook.h
@@ -31,5 +31,3 @@ __declspec(dllexport) BOOL CALLBACK RemoveUserHook(VOID);
 BOOL WINAPI RegisterUserApiHookDelay(HINSTANCE hInstance, PUSERAPIHOOKINFO ApiHookInfo);
 static BOOL WINAPI UnregisterUserApiHookDelay(VOID);
 static BOOL WINAPI UnregisterUserApiHookRemote(VOID);
-BOOL WINAPI ExternUnregisterUserApiHookDelay(VOID);
-BOOL WINAPI ExternUnregisterUserApiHookRemote(VOID);
diff --git a/CscdSvc/svc.c b/CscdSvc/svc.c
index 534e3ed..5cc944d 100644
--- a/CscdSvc/svc.c
+++ b/CscdSvc/svc.c
@@ -278,13 +278,10 @@ VOID SvcInit(DWORD dwArgc, LPTSTR* lpszArgv)
     // Report running status when initialization is complete.
     ReportSvcStatus(SERVICE_RUNNING, NO_ERROR, 0);
-    // Kill UxTheme for good
-    ExternUnregisterUserApiHookRemote();
-
     // Install our user hook, if FALSE then fail.
     if (!InstallUserHook())
     {
-        SvcMessageEvent(TEXT("RegisterUserApiHook"));
+        SvcReportEvent(TEXT("RegisterUserApiHook"));
         ReportSvcStatus(SERVICE_STOPPED, GetLastError(), 0);
         return;
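Review bot: The new error block checks VirtualAllocEx, but the WriteProcessMemory call two lines below is still unchecked, so a failed or partial write is silently treated as success by whatever follows. Treat it like the other calls in this patch: `if (!WriteProcessMemory(hProcess, lpvRemoteProcessBuffer, UnregisterUserApiHookRemote, sizeofUnregisterUserApiHookDelay, NULL)) { SvcReportEvent(TEXT("UnregisterUserApiHookRemote: WriteProcessMemory")); return FALSE; }`, with the same handle cleanup the other early returns need. Minor: `lpvRemoteProcessBuffer == 0` compares a pointer against an integer literal; `== NULL` matches the OpenProcess check in the hunk above. The function continues past the end of the hunk.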
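Review bot: In the svc.c hunk, `ReportSvcStatus(SERVICE_STOPPED, GetLastError(), 0)` reads the last-error value after SvcReportEvent has already run; if that function calls the event-log APIs internally, the code handed to the SCM can be whatever those calls left behind rather than InstallUserHook's failure. Capture it first: `DWORD dwErr = GetLastError(); SvcReportEvent(TEXT("RegisterUserApiHook")); ReportSvcStatus(SERVICE_STOPPED, dwErr, 0);` — the RemoveUserHook hunk that follows has the same ordering. The event text also still says "RegisterUserApiHook" while the call that failed is InstallUserHook; naming the actual function makes the log entry searchable. SvcInit's body continues outside the hunk.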
@@ -302,7 +299,7 @@ VOID SvcInit(DWORD dwArgc, LPTSTR* lpszArgv)
     // Kill the user hook
     if (!RemoveUserHook())
     {
-        SvcMessageEvent(TEXT("UnregisterUserApiHook"));
+        SvcReportEvent(TEXT("UnregisterUserApiHook"));
         ReportSvcStatus(SERVICE_STOPPED, GetLastError(), 0);
         return;