
Windows 10's MSVCRT will only work if the Win32 version in the header is 0 or 10. Some PE's use it for something else, so when the DLL is injected the process fails. Provide custom routines for the C functions used, so the DLL only depends on KERNEL32.

With the DLL independent of the CRT that would mean the exe would either also need to be independent, or the source files would need to be built twice (or just remove a linker warning). Another option is to export the functions from the DLL and have the exe import them, which turned out to simplify things quite nicely.

A process that has a really long command line would not log properly, so double the heap to accommodate it.

If ANSICON_DEF could not be parsed the default attribute would be zero (black on black). Use 7 or -7 instead.
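The header condition from the commit message above, as an added diagnostic that is not part of ANSICON's source: it reads the field from a PE header and reports whether the value is 0 or 10. It assumes "the Win32 version in the header" means IMAGE_OPTIONAL_HEADER.Win32VersionValue; the function names and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked little-endian read of w bytes (w <= 4); -1 instead of overrunning. */
static int rd(const uint8_t *b, size_t n, size_t off, int w, uint32_t *out) {
    if (off > n || n - off < (size_t)w) return -1;
    for (*out = 0; w-- > 0; ) *out = (*out << 8) | b[off + w];
    return 0;
}

/* Fetch Win32VersionValue (offset 52 in PE32 and PE32+); negative if the header is malformed. */
int pe_win32_version(const uint8_t *img, size_t len, uint32_t *value) {
    uint32_t mz, lfanew, sig, opt_size, magic;
    if (rd(img, len, 0, 2, &mz) || mz != 0x5A4D) return -1;          /* "MZ" */
    if (rd(img, len, 0x3C, 4, &lfanew)) return -1;
    if (rd(img, len, lfanew, 4, &sig) || sig != 0x4550) return -2;   /* "PE\0\0" */
    size_t opt = (size_t)lfanew + 24;       /* signature + COFF file header */
    if (rd(img, len, opt - 4, 2, &opt_size) || opt_size < 56) return -3;
    if (rd(img, len, opt, 2, &magic) || (magic != 0x10B && magic != 0x20B)) return -3;
    return rd(img, len, opt + 52, 4, value) ? -3 : 0;
}

/* 1 if the field is 0 or 10, 0 for any other value, negative on a parse error. */
int pe_msvcrt_ok(const uint8_t *img, size_t len) {
    uint32_t v = 0;
    int rc = pe_win32_version(img, len, &v);
    return rc ? rc : (v == 0 || v == 10);
}

/* Constructed sample: only the header bytes the parser reads, not a loadable image. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t magic, uint32_t ver) {
    const size_t pe = 0x80, opt = pe + 24, total = opt + 56;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "MZ", 2); memcpy(buf + pe, "PE", 2);
    buf[0x3C] = (uint8_t)pe;                /* e_lfanew */
    buf[opt - 4] = 56;                      /* SizeOfOptionalHeader (sample only) */
    buf[opt] = (uint8_t)magic; buf[opt + 1] = (uint8_t)(magic >> 8);
    for (int i = 0; i < 4; i++) buf[opt + 52 + i] = (uint8_t)(ver >> (8 * i));
    return total;
}

int main(void) {
    uint8_t b[256];
    size_t n = make_sample(b, sizeof b, 0x20B, 0x12345678);  /* field reused by the PE */
    printf("Win32VersionValue is 0 or 10: %d\n", pe_msvcrt_ok(b, n));
    return 0;
}
```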
ANSICON 
ANSICON provides ANSI escape sequences for Windows console programs. It provides much the same functionality as ANSI.SYS does for MS-DOS.
Requirements
- 32-bit: Windows 2000 Professional and later (it won't work with NT or 9X).
- 64-bit: AMD64 (it won't work with IA64).
How it Works
ANSICON injects a DLL into a process, hooking its functions.
Injection
One of three methods is used to inject the DLL.
- LoadLibrary via CreateRemoteThread for a running process.
- LdrLoadDll via CreateRemoteThread for a 64-bit .NET AnyCPU process.
- Adding the DLL directly to the import table, otherwise.
Hooking
Hooking is achieved by modifying import addresses, or the return value of GetProcAddress.
Latest release: v1.89