ansicon/ansicon.h

/*
  ansicon.h - Header file for common definitions.

  Jason Hood, 12 December, 2010 (originally injdll.h, 20 June, 2009).
*/

#ifndef ANSICON_H
#define ANSICON_H

#ifndef UNICODE
# define UNICODE
#endif

#define WIN32_LEAN_AND_MEAN
#ifdef _WIN64
#define _WIN32_WINNT 0x0501	// at least XP required
#else
#define _WIN32_WINNT 0x0500	// at least Windows 2000 required
#endif
#define WINVER _WIN32_WINNT
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef LOAD_LIBRARY_AS_IMAGE_RESOURCE
#define LOAD_LIBRARY_AS_IMAGE_RESOURCE 0x20
#endif
#ifndef LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
#define LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE 0x20
#endif
#ifndef TH32CS_SNAPMODULE32
#define TH32CS_SNAPMODULE32 0x10
#endif
#if !defined(HandleToULong) && !defined(_WIN64)
#define HandleToULong HandleToUlong
#endif

#ifndef __IMAGE_COR20_HEADER_DEFINED__
#define COMIMAGE_FLAGS_ILONLY	     1
#define COMIMAGE_FLAGS_32BITREQUIRED 2

// CLR 2.0 header structure.
typedef struct IMAGE_COR20_HEADER
{
    DWORD                   cb;
    WORD                    MajorRuntimeVersion;
    WORD                    MinorRuntimeVersion;
    IMAGE_DATA_DIRECTORY    MetaData;
    DWORD                   Flags;
    union {
        DWORD               EntryPointToken;
        DWORD               EntryPointRVA;
    } DUMMYUNIONNAME;
    IMAGE_DATA_DIRECTORY    Resources;
    IMAGE_DATA_DIRECTORY    StrongNameSignature;
    IMAGE_DATA_DIRECTORY    CodeManagerTable;
    IMAGE_DATA_DIRECTORY    VTableFixups;
    IMAGE_DATA_DIRECTORY    ExportAddressTableJumps;
    IMAGE_DATA_DIRECTORY    ManagedNativeHeader;
} IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;
#endif

#define lenof(array) (sizeof(array)/sizeof(*(array)))
#define TSIZE(size)  ((size) * sizeof(TCHAR))
#define PTRSZ	     sizeof(PVOID)

// Macro for adding pointers/DWORDs together without C arithmetic interfering
#define MakeVA( cast, offset ) (cast)((DWORD_PTR)pDosHeader + (DWORD)(offset))

#define DATADIRS  OptionalHeader.NumberOfRvaAndSizes
#define EXPORTDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
#define IMPORTDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
#define BOUNDDIR  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
#define IATDIR	  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT]
#define COMDIR	  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]

// Reduce the verbosity of some functions (assuming variable names).
#define ReadProcVar(a, b)     ReadProcMem( a, b, sizeof(*(b)) )
#define WriteProcVar(a, b)    WriteProcMem( a, b, sizeof(*(b)) )
#define ReadProcMem(a, b, c)  ReadProcessMemory( ppi->hProcess, a, b, c, NULL )
#define WriteProcMem(a, b, c) WriteProcessMemory( ppi->hProcess, a, b, c, NULL )
#define VirtProtVar(a, b)     VirtualProtectEx( ppi->hProcess, a, sizeof(*(a)), b, &pr )


#ifdef PDATE	       // i.e. from ansicon.c
#define EXTERN __declspec(dllimport) extern
#else
#define EXTERN __declspec(dllexport) extern
#endif

EXTERN int ProcessType( LPPROCESS_INFORMATION, PBYTE*, BOOL* );
BOOL   Wow64Process( HANDLE );

#ifdef _WIN64
EXTERN
#endif
void   InjectDLL( LPPROCESS_INFORMATION, PBYTE );
void   RemoteLoad32( LPPROCESS_INFORMATION );
#ifdef _WIN64
void   InjectDLL32( LPPROCESS_INFORMATION, PBYTE );
EXTERN void  RemoteLoad64( LPPROCESS_INFORMATION );
EXTERN DWORD GetProcRVA( LPCTSTR, LPCSTR, int );
#else
EXTERN DWORD GetProcRVA( LPCTSTR, LPCSTR );
#endif

extern HANDLE hHeap;

EXTERN TCHAR  prog_path[MAX_PATH];
extern LPTSTR prog;
LPTSTR get_program_name( LPTSTR );

EXTERN TCHAR  DllName[MAX_PATH];
EXTERN LPTSTR DllNameType;
extern char   ansi_dll[MAX_PATH];
extern DWORD  ansi_len;
extern char*  ansi_bits;
void   set_ansi_dll( void );
DWORD  get_os_version( void );

EXTERN int  log_level;
EXTERN void DEBUGSTR( int level, LPCSTR szFormat, ... );

// Replacements for C runtime functions.
#undef RtlFillMemory
#undef RtlMoveMemory
#undef RtlZeroMemory
void WINAPI RtlFillMemory( PVOID, SIZE_T, BYTE );
void WINAPI RtlMoveMemory( PVOID, const VOID*, SIZE_T );
void WINAPI RtlZeroMemory( PVOID, SIZE_T );

#define arrcpy( dst, src ) RtlMoveMemory( dst, src, sizeof(dst) )

unsigned long ac_wcstoul( const wchar_t*, wchar_t**, int );
int	      ac_wtoi( const wchar_t* );
long	      ac_wcstol( const wchar_t*, wchar_t**, int );
wchar_t*      ac_wcspbrk( const wchar_t*, const wchar_t* );
wchar_t*      ac_wcsrchr( const wchar_t*, wchar_t );
int	      ac_strnicmp( const char*, const char*, size_t );
int	      ac_sprintf( char*, const char*, ... );
int	      ac_wprintf( wchar_t*, const char*, ... );

#endif
Improvements 2010-12-12 21:58:35 +10:00			`/*`
			`ansicon.h - Header file for common definitions.`

			`Jason Hood, 12 December, 2010 (originally injdll.h, 20 June, 2009).`
			`*/`

			`#ifndef ANSICON_H`
			`#define ANSICON_H`

			`#ifndef UNICODE`
			`# define UNICODE`
			`#endif`

			`#define WIN32_LEAN_AND_MEAN`
New method to obtain 32-bit LoadLibraryW from 64-bit code, eliminating the need for ANSI-LLW.exe. Set the code page so ansicon.exe can display some strings properly. Expand wildcards for -t. VC6 can now compile the 32-bit version; use it for the release binaries. Improvements to the VC makefile. Describe the sequences in a bit more detail. 2012-11-24 23:41:29 +10:00			`#ifdef _WIN64`
Attributes and saved position are local to each console window. 2014-02-08 18:30:53 +10:00			`#define _WIN32_WINNT 0x0501 // at least XP required`
New method to obtain 32-bit LoadLibraryW from 64-bit code, eliminating the need for ANSI-LLW.exe. Set the code page so ansicon.exe can display some strings properly. Expand wildcards for -t. VC6 can now compile the 32-bit version; use it for the release binaries. Improvements to the VC makefile. Describe the sequences in a bit more detail. 2012-11-24 23:41:29 +10:00			`#else`
Attributes and saved position are local to each console window. 2014-02-08 18:30:53 +10:00			`#define _WIN32_WINNT 0x0500 // at least Windows 2000 required`
New method to obtain 32-bit LoadLibraryW from 64-bit code, eliminating the need for ANSI-LLW.exe. Set the code page so ansicon.exe can display some strings properly. Expand wildcards for -t. VC6 can now compile the 32-bit version; use it for the release binaries. Improvements to the VC makefile. Describe the sequences in a bit more detail. 2012-11-24 23:41:29 +10:00			`#endif`
Fix compiling with MinGW and TDM MinGW lacks some definitions; TDM wants WINVER defined. Assume a default `CC=cc` should really be `CC=gcc`. 2017-11-21 11:46:58 +10:00			`#define WINVER _WIN32_WINNT`
Improvements 2010-12-12 21:58:35 +10:00			`#include <windows.h>`
Fix compiling with MinGW and TDM MinGW lacks some definitions; TDM wants WINVER defined. Assume a default `CC=cc` should really be `CC=gcc`. 2017-11-21 11:46:58 +10:00			`#include <tlhelp32.h>`
Improvements 2010-12-12 21:58:35 +10:00			`#include <stdio.h>`
			`#include <stdlib.h>`

LoadLibrary hooking improvements. Don't hook ourself from LoadLibrary or LoadLibraryEx. Test additional LoadLibraryEx flags before deciding to hook. 2014-01-25 23:43:41 +10:00			`#ifndef LOAD_LIBRARY_AS_IMAGE_RESOURCE`
			`#define LOAD_LIBRARY_AS_IMAGE_RESOURCE 0x20`
			`#endif`
			`#ifndef LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE`
			`#define LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE 0x20`
			`#endif`
Fix compiling with MinGW and TDM MinGW lacks some definitions; TDM wants WINVER defined. Assume a default `CC=cc` should really be `CC=gcc`. 2017-11-21 11:46:58 +10:00			`#ifndef TH32CS_SNAPMODULE32`
			`#define TH32CS_SNAPMODULE32 0x10`
			`#endif`
			`#if !defined(HandleToULong) && !defined(_WIN64)`
			`#define HandleToULong HandleToUlong`
			`#endif`

			`#ifndef __IMAGE_COR20_HEADER_DEFINED__`
			`#define COMIMAGE_FLAGS_ILONLY 1`
			`#define COMIMAGE_FLAGS_32BITREQUIRED 2`

			`// CLR 2.0 header structure.`
			`typedef struct IMAGE_COR20_HEADER`
			`{`
			`DWORD cb;`
			`WORD MajorRuntimeVersion;`
			`WORD MinorRuntimeVersion;`
			`IMAGE_DATA_DIRECTORY MetaData;`
			`DWORD Flags;`
			`union {`
			`DWORD EntryPointToken;`
			`DWORD EntryPointRVA;`
			`} DUMMYUNIONNAME;`
			`IMAGE_DATA_DIRECTORY Resources;`
			`IMAGE_DATA_DIRECTORY StrongNameSignature;`
			`IMAGE_DATA_DIRECTORY CodeManagerTable;`
			`IMAGE_DATA_DIRECTORY VTableFixups;`
			`IMAGE_DATA_DIRECTORY ExportAddressTableJumps;`
			`IMAGE_DATA_DIRECTORY ManagedNativeHeader;`
			`} IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;`
			`#endif`
LoadLibrary hooking improvements. Don't hook ourself from LoadLibrary or LoadLibraryEx. Test additional LoadLibraryEx flags before deciding to hook. 2014-01-25 23:43:41 +10:00
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`#define lenof(array) (sizeof(array)/sizeof(*(array)))`
			`#define TSIZE(size) ((size) * sizeof(TCHAR))`
			`#define PTRSZ sizeof(PVOID)`

			`// Macro for adding pointers/DWORDs together without C arithmetic interfering`
			`#define MakeVA( cast, offset ) (cast)((DWORD_PTR)pDosHeader + (DWORD)(offset))`

Many changes, bad programmer! Just copying the history from the source: recognize the standard handle defines in WriteFile; minor speed improvement by caching GetConsoleMode; keep track of three handles (ostensibly stdout, stderr and a file); test a DOS header exists before writing to e_oemid; more flexible/robust handling of data directories; files writing to the console will always succeed; log: use API file functions and a custom printf; add a blank line between processes; set function name for MyWriteConsoleA; scan imports from "kernel32" (without extension); added dynamic environment variable CLICOLOR; removed _hwrite (it's the same address as _lwrite); join multibyte characters split across separate writes; remove wcstok, avoiding potential interference with the host; similarly, use a private heap instead of malloc. 2017-07-25 18:18:34 +10:00			`#define DATADIRS OptionalHeader.NumberOfRvaAndSizes`
Inject by adding to the Import Directory Table. -p uses CreateRemoteThread, determining kernel32.dll & LLW dynamically. Loading via LoadLibrary will remember the current attributes, restoring them on unload. Tweaked log output (remove quotes around CreateProcess command line; add an underscore to 64-bit addresses). ansicon.exe will really output (to the console) strings as Unicode. Fixed ansicon.exe, if installed, restoring the default attributes, not current. ansicon.exe will start with ANSICON_DEF (if defined and -m not used). 2014-02-05 00:21:42 +10:00			`#define EXPORTDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]`
			`#define IMPORTDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]`
			`#define BOUNDDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]`
			`#define IATDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT]`
			`#define COMDIR OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]`

			`// Reduce the verbosity of some functions (assuming variable names).`
			`#define ReadProcVar(a, b) ReadProcMem( a, b, sizeof(*(b)) )`
			`#define WriteProcVar(a, b) WriteProcMem( a, b, sizeof(*(b)) )`
			`#define ReadProcMem(a, b, c) ReadProcessMemory( ppi->hProcess, a, b, c, NULL )`
			`#define WriteProcMem(a, b, c) WriteProcessMemory( ppi->hProcess, a, b, c, NULL )`
			`#define VirtProtVar(a, b) VirtualProtectEx( ppi->hProcess, a, sizeof(*(a)), b, &pr )`

Improvements 2010-12-12 21:58:35 +10:00
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`#ifdef PDATE // i.e. from ansicon.c`
			`#define EXTERN __declspec(dllimport) extern`
			`#else`
			`#define EXTERN __declspec(dllexport) extern`
			`#endif`

			`EXTERN int ProcessType( LPPROCESS_INFORMATION, PBYTE, BOOL );`
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`BOOL Wow64Process( HANDLE );`
Inject by adding to the Import Directory Table. -p uses CreateRemoteThread, determining kernel32.dll & LLW dynamically. Loading via LoadLibrary will remember the current attributes, restoring them on unload. Tweaked log output (remove quotes around CreateProcess command line; add an underscore to 64-bit addresses). ansicon.exe will really output (to the console) strings as Unicode. Fixed ansicon.exe, if installed, restoring the default attributes, not current. ansicon.exe will start with ANSICON_DEF (if defined and -m not used). 2014-02-05 00:21:42 +10:00
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`#ifdef _WIN64`
			`EXTERN`
			`#endif`
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`void InjectDLL( LPPROCESS_INFORMATION, PBYTE );`
Inject by remote load if there's no IAT on Win8+ Windows 8 and later require the IDT to be within a section when there's no IAT. This prevents relocated imports from working, so we cannot add ourself to the import table. Use `LdrLoadDll` via `CreateRemoteThread` for such a situation. 2018-05-04 11:45:10 +10:00			`void RemoteLoad32( LPPROCESS_INFORMATION );`
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`#ifdef _WIN64`
			`void InjectDLL32( LPPROCESS_INFORMATION, PBYTE );`
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`EXTERN void RemoteLoad64( LPPROCESS_INFORMATION );`
			`EXTERN DWORD GetProcRVA( LPCTSTR, LPCSTR, int );`
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`#else`
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`EXTERN DWORD GetProcRVA( LPCTSTR, LPCSTR );`
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`#endif`
Inject by adding to the Import Directory Table. -p uses CreateRemoteThread, determining kernel32.dll & LLW dynamically. Loading via LoadLibrary will remember the current attributes, restoring them on unload. Tweaked log output (remove quotes around CreateProcess command line; add an underscore to 64-bit addresses). ansicon.exe will really output (to the console) strings as Unicode. Fixed ansicon.exe, if installed, restoring the default attributes, not current. ansicon.exe will start with ANSICON_DEF (if defined and -m not used). 2014-02-05 00:21:42 +10:00
Many changes, bad programmer! Just copying the history from the source: recognize the standard handle defines in WriteFile; minor speed improvement by caching GetConsoleMode; keep track of three handles (ostensibly stdout, stderr and a file); test a DOS header exists before writing to e_oemid; more flexible/robust handling of data directories; files writing to the console will always succeed; log: use API file functions and a custom printf; add a blank line between processes; set function name for MyWriteConsoleA; scan imports from "kernel32" (without extension); added dynamic environment variable CLICOLOR; removed _hwrite (it's the same address as _lwrite); join multibyte characters split across separate writes; remove wcstok, avoiding potential interference with the host; similarly, use a private heap instead of malloc. 2017-07-25 18:18:34 +10:00			`extern HANDLE hHeap;`
Improvements 2010-12-12 21:58:35 +10:00
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`EXTERN TCHAR prog_path[MAX_PATH];`
Exclude modules from being hooked; hook only selected GUI programs. Added environment variable ANSICON_EXC to specify modules that should not be hooked. This should work around the nvd3d9wrap.dll issue. Since it helps to know what the modules are, logging is now always available, controlled by -l or ANSICON_LOG. A side-effect caused debugstr.c to move to util.c. GUI programs are once again not hooked, unless run by "ansicon" directly or in the ANSICON_GUI environment variable. Since not hooking still leaves ANSICON in the environment, created ANSICON_VER as a dynamic-only variable, which can also serve as a version check. Due to an email requesting a reverse video option, realised I always take the current attributes as default. This means if you turned on reverse and ran a program, it would take the reverse as its default. Created ANSICON_DEF variable to explicitly set the default attribute, using the current if it doesn't exist. The reverse video option is done via a "negative" attribute (e.g. "-m-f0" is reversed black on white, meaning you'll get white on black, with foreground sequences changing the background). (The difference from "\e[7m" is that it won't be reset on "\e[m".) A child program will inherit the parent's modes (but not shift); the parent will read the child's modes on exit (but not unload). The exception is "ansicon", which will always start with the default modes and leave the parent unchanged. Improved the AutoRun entry, only running "ansicon" if ANSICON_VER doesn't exist. The "ansicon" command is always first. Stopped -u implying -p; return the program's exit code; don't restore the original color when just using -p; output error messages to stderr. 2011-12-14 20:53:51 +10:00			`extern LPTSTR prog;`
			`LPTSTR get_program_name( LPTSTR );`
Improvements 2010-12-12 21:58:35 +10:00
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`EXTERN TCHAR DllName[MAX_PATH];`
			`EXTERN LPTSTR DllNameType;`
Work with 64-bit AnyCPU; copy original IDT to IAT; log improvements. 2014-02-08 01:10:51 +10:00			`extern char ansi_dll[MAX_PATH];`
			`extern DWORD ansi_len;`
			`extern char* ansi_bits;`
			`void set_ansi_dll( void );`
Inject by remote load if there's no IAT on Win8+ Windows 8 and later require the IDT to be within a section when there's no IAT. This prevents relocated imports from working, so we cannot add ourself to the import table. Use `LdrLoadDll` via `CreateRemoteThread` for such a situation. 2018-05-04 11:45:10 +10:00			`DWORD get_os_version( void );`
Inject by adding to the Import Directory Table. -p uses CreateRemoteThread, determining kernel32.dll & LLW dynamically. Loading via LoadLibrary will remember the current attributes, restoring them on unload. Tweaked log output (remove quotes around CreateProcess command line; add an underscore to 64-bit addresses). ansicon.exe will really output (to the console) strings as Unicode. Fixed ansicon.exe, if installed, restoring the default attributes, not current. ansicon.exe will start with ANSICON_DEF (if defined and -m not used). 2014-02-05 00:21:42 +10:00
Remove dependence on the CRT; import DLL; fixes Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32. With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely. A process that has a really long command line would not log properly, so double the heap to accommodate it. If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead. 2018-05-07 10:31:41 +10:00			`EXTERN int log_level;`
			`EXTERN void DEBUGSTR( int level, LPCSTR szFormat, ... );`

			`// Replacements for C runtime functions.`
			`#undef RtlFillMemory`
			`#undef RtlMoveMemory`
			`#undef RtlZeroMemory`
			`void WINAPI RtlFillMemory( PVOID, SIZE_T, BYTE );`
			`void WINAPI RtlMoveMemory( PVOID, const VOID*, SIZE_T );`
			`void WINAPI RtlZeroMemory( PVOID, SIZE_T );`

			`#define arrcpy( dst, src ) RtlMoveMemory( dst, src, sizeof(dst) )`

			`unsigned long ac_wcstoul( const wchar_t, wchar_t*, int );`
			`int ac_wtoi( const wchar_t* );`
			`long ac_wcstol( const wchar_t, wchar_t*, int );`
			`wchar_t* ac_wcspbrk( const wchar_t, const wchar_t );`
			`wchar_t* ac_wcsrchr( const wchar_t*, wchar_t );`
			`int ac_strnicmp( const char, const char, size_t );`
			`int ac_sprintf( char, const char, ... );`
			`int ac_wprintf( wchar_t, const char, ... );`
Improvements 2010-12-12 21:58:35 +10:00
			`#endif`