Fixes

Fix RemoteLoad32 on 64-bit.
Better method to skip logging in ProcessType.

ANSI.c

@@ -197,7 +197,7 @@
   v1.83, 16 February, 2018:
     create the flush thread on first use.
 
-  v1.84-wip, 17 February, 26 April to 8 May, 2018:
+  v1.84-wip, 17 February, 26 April to 9 May, 2018:
     close the flush handles on detach;
     dynamically load WINMM.DLL;
     use sprintf/_snprintf/_snwprintf instead of wsprintf, avoiding USER32.DLL;

ansicon.c

@@ -94,7 +94,7 @@
     import the DLL.
 */
 
-#define PDATE L"8 May, 2018"
+#define PDATE L"9 May, 2018"
 
 #include "ansicon.h"
 #include "version.h"

injdll.c

@@ -90,11 +90,11 @@ void InjectDLL( LPPROCESS_INFORMATION ppi, PBYTE pBase )
       get_os_version() >= 0x602)
   {
 #ifdef _WIN64
-     RemoteLoad64( ppi );
+    RemoteLoad64( ppi );
 #else
-     RemoteLoad32( ppi );
+    RemoteLoad32( ppi );
 #endif
-     return;
+    return;
   }
 
   import_size = sizeof_imports( ppi, pBase, NTHeader.IMPORTDIR.VirtualAddress );
@@ -349,6 +349,7 @@ void RemoteLoad64( LPPROCESS_INFORMATION ppi )
   *ip.pD++ = 0; 			// padding
   *ip.pL++ = pMem + 56; 		// UNICODE_STRING.Buffer
   WriteProcMem( pMem, code, ip.pB - code );
+  *(PDWORD)DllNameType = 0x340036/*L'46'*/;
   WriteProcMem( pMem + (ip.pB - code), DllName, len );
   thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
 			   (LPTHREAD_START_ROUTINE)(pMem + 8), NULL, 0, NULL );
@@ -414,6 +415,9 @@ void RemoteLoad32( LPPROCESS_INFORMATION ppi )
   *ip.pS++ = (USHORT)len;		// UNICODE_STRING.MaximumLength
   *ip.pD++ = bMem + 28; 		// UNICODE_STRING.Buffer
   WriteProcMem( pMem, code, ip.pB - code );
+#ifdef _WIN64
+  *(PDWORD)DllNameType = 0x320033/*L'23'*/;
+#endif
   WriteProcMem( pMem + (ip.pB - code), DllName, len );
   thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
 			       (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL );

proctype.c

@@ -48,19 +48,19 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
   IMAGE_NT_HEADERS nt_header;
   PBYTE dummy_base;
   BOOL	dummy_gui;
-  BOOL	skip_log;
+  int	log;
 
-  // There's no need to log if we're only getting one value.
+  // Don't log if we're only getting one value, as it's already been logged.
-  skip_log = FALSE;
+  log = 1;
   if (pBase == NULL)
   {
     pBase = &dummy_base;
-    skip_log = TRUE;
+    log = 128;
   }
   if (gui == NULL)
   {
     gui = &dummy_gui;
-    skip_log = TRUE;
+    log = 128;
   }
 
   *pBase = NULL;
@@ -102,52 +102,48 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
 	    if ((ComHeader.Flags & COMIMAGE_FLAGS_ILONLY) &&
 		!(ComHeader.Flags & COMIMAGE_FLAGS_32BITREQUIRED))
 	    {
-#if defined(_WIN64) || !defined(W32ON64)	// W32ON64 will log due to -P
+	      DEBUGSTR( log, "  AnyCPU %s (base = %q)",
-	      DEBUGSTR( 1, "  AnyCPU %s (base = %q)",
+			     (*gui) ? "GUI" : "console", minfo.BaseAddress );
-			   (*gui) ? "GUI" : "console", minfo.BaseAddress );
-#endif
 #if defined(_WIN64) || defined(W32ON64)
 	      return 48;
 #else
 	      if (ProcessIs64( ppi->hProcess ))
 	      {
-		DEBUGSTR( 1, "  Unsupported (use x64\\ansicon)" );
+		DEBUGSTR( log, "  Unsupported (use x64\\ansicon)" );
 		return 0;
 	      }
 	      return 32;
 #endif
 	    }
 	  }
-	  if (!skip_log)
+	  DEBUGSTR( log, "  32-bit %s (base = %q)",
-	    DEBUGSTR( 1, "  32-bit %s (base = %q)",
 			 (*gui) ? "GUI" : "console", minfo.BaseAddress );
 	  return 32;
 	}
 	if (nt_header.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
 	{
 #ifdef _WIN64
-	  if (!skip_log)
+	  DEBUGSTR( log, "  64-bit %s (base = %p)",
-	    DEBUGSTR( 1, "  64-bit %s (base = %p)",
 			 (*gui) ? "GUI" : "console", minfo.BaseAddress );
 	  return 64;
 #else
-	  DEBUGSTR( 1, "  64-bit %s (base = %P)",
+	  DEBUGSTR( log, "  64-bit %s (base = %P)",
-		       (*gui) ? "GUI" : "console", minfo.BaseAddress );
+			 (*gui) ? "GUI" : "console", minfo.BaseAddress );
 #if defined(W32ON64)
 	  return 64;
 #else
-	  DEBUGSTR( 1, "  Unsupported (use x64\\ansicon)" );
+	  DEBUGSTR( log, "  Unsupported (use x64\\ansicon)" );
 	  return 0;
 #endif
 #endif
 	}
-	DEBUGSTR( 1, "  Ignoring unsupported machine (0x%X)",
+	DEBUGSTR( log, "  Ignoring unsupported machine (0x%X)",
-		     nt_header.FileHeader.Machine );
+		       nt_header.FileHeader.Machine );
       }
       else
       {
-	DEBUGSTR( 1, "  Ignoring unsupported subsystem (%u)",
+	DEBUGSTR( log, "  Ignoring unsupported subsystem (%u)",
-		     nt_header.OptionalHeader.Subsystem );
+		       nt_header.OptionalHeader.Subsystem );
       }
       return 0;
     }
@@ -157,16 +153,16 @@ int ProcessType( LPPROCESS_INFORMATION ppi, PBYTE* pBase, BOOL* gui )
     if (((DWORD)ptr >> 12) + ((DWORD)minfo.RegionSize >> 12) >= 0x100000)
     {
 #ifdef W32ON64
-      DEBUGSTR( 1, "  Pointer overflow: assuming 64-bit" );
+      DEBUGSTR( log, "  Pointer overflow: assuming 64-bit" );
       return 64;
 #else
-      DEBUGSTR( 1, "  Ignoring apparent 64-bit process (use x64\\ansicon)" );
+      DEBUGSTR( log, "  Ignoring apparent 64-bit process (use x64\\ansicon)" );
       return 0;
 #endif
     }
 #endif
   }
 
-  DEBUGSTR( 1, "  Ignoring non-Windows process" );
+  DEBUGSTR( log, "  Ignoring non-Windows process" );
   return 0;
 }

readme.txt

@@ -339,7 +339,7 @@ Version History
 
     Legend: + added, - bug-fixed, * changed.
 
-    1.84-wip - 8 May, 2018:
+    1.84-wip - 9 May, 2018:
     - close the flush handles on detach;
     - WriteFile wasn't properly testing if its handle was for a console;
     - use remote load on Win8+ if the process has no IAT;
@@ -625,4 +625,4 @@ Distribution
 
 
 ========================
-Jason Hood, 8 May, 2018.
+Jason Hood, 9 May, 2018.