Friday, July 16, 2010

WinExec Intelligent Typo Handling

Apparently kernel32!WinExec has an unusual check for the string "hypertrm.exe\"" in the lpCmdLine parameter, and when it matches, WinExec attempts to execute "hypertrm.exe" instead. A possible (ridiculous) fix for a typo in some legacy application? Even the kernel32.dll shipped with Vista has similar behavior.

The following IDA shots are taken from XP-SP2's kernel32!WinExec:


So if CreateProcessInternalA(..) fails, the code compares the lpCmdLine parameter with the hardcoded string "hypertrm.exe\"". Notice that EBX now points to the string "hypertrm.exe".

.. and finally "hypertrm.exe" is executed in a second call to CreateProcessInternalA(..); notice that EBX is pushed as the command line parameter, and it points to the corrected string "hypertrm.exe".
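To make the control flow above concrete, here is a small model of it written for this post (it is not Microsoft's code and not the page's own test program). The real CreateProcessInternalA call is replaced by a hypothetical launcher callback that records what it was asked to run and can be told to fail on the first attempt, so the fallback can be exercised on any platform. The exact, case-sensitive comparison with "hypertrm.exe\"" is an assumption; the post only says the parameter is compared with that hardcoded string.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for CreateProcessInternalA (hypothetical): nonzero means the launch succeeded. */
typedef int (*launch_fn)(const char *cmdline, void *ctx);

/* Trace of what the model tried to launch, plus a test knob for the first attempt. */
struct launch_trace {
    int calls;               /* number of launch attempts made so far */
    char last_cmdline[64];   /* command line passed to the most recent attempt */
    int fail_first;          /* constructed scenario knob: make attempt #1 fail */
};

/* Recording launcher: logs the command line and fails the first call when asked to. */
static int recording_launcher(const char *cmdline, void *ctx) {
    struct launch_trace *t = (struct launch_trace *)ctx;
    t->calls++;
    strncpy(t->last_cmdline, cmdline, sizeof(t->last_cmdline) - 1);
    t->last_cmdline[sizeof(t->last_cmdline) - 1] = '\0';
    return (t->fail_first && t->calls == 1) ? 0 : 1;
}

/* Model of the WinExec path shown in the IDA shots: launch the caller's command line;
   only if that fails AND it equals the hardcoded typo'd string "hypertrm.exe\"",
   retry once with the corrected "hypertrm.exe". Any other failing command line is
   simply reported as a failure. (Exact strcmp match is an assumption, see lead-in.) */
static int winexec_model(const char *lpCmdLine, launch_fn launch, void *ctx) {
    if (launch(lpCmdLine, ctx))
        return 1;
    if (strcmp(lpCmdLine, "hypertrm.exe\"") == 0)
        return launch("hypertrm.exe", ctx);
    return 0;
}

/* Runs one constructed scenario and returns how many launch attempts were made. */
int attempts_for(const char *cmdline, int fail_first) {
    struct launch_trace t = {0};
    t.fail_first = fail_first;
    winexec_model(cmdline, recording_launcher, &t);
    return t.calls;
}

/* Runs one constructed scenario and reports whether the last attempt used `expected`. */
int last_launch_was(const char *cmdline, int fail_first, const char *expected) {
    struct launch_trace t = {0};
    t.fail_first = fail_first;
    winexec_model(cmdline, recording_launcher, &t);
    return strcmp(t.last_cmdline, expected) == 0;
}

int main(void) {
    printf("typo'd cmdline, first launch fails: %d attempt(s)\n",
           attempts_for("hypertrm.exe\"", 1));                 /* 2: fallback fires */
    printf("typo'd cmdline, first launch works: %d attempt(s)\n",
           attempts_for("hypertrm.exe\"", 0));                 /* 1: no retry needed */
    printf("other typo'd cmdline, first launch fails: %d attempt(s)\n",
           attempts_for("notepad.exe\"", 1));                  /* 1: no special case */
    return 0;
}
```

The point worth keeping in mind as a defender is that the retry only happens on that one literal string and only after the first CreateProcessInternalA fails; the corrected "hypertrm.exe" is then resolved the same way any bare executable name is, which is why the post's test has to put the HyperTerminal directory on PATH.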

Finally, the test!

#include <windows.h>
#include <stdio.h>
int main(void) {
    /* buffer sizes added to make the snippet compile; the original showed only the calls */
    char szEnvPath[4096] = {0}, szNewEnvPath[4096 + 64] = {0};
    GetEnvironmentVariable("PATH", szEnvPath, sizeof(szEnvPath) - 1);
    _snprintf(szNewEnvPath, sizeof(szNewEnvPath) - 1, "%s;C:\\Program Files\\Windows NT", szEnvPath);
    SetEnvironmentVariable("PATH", szNewEnvPath);  /* put HyperTerminal's directory on PATH */
    WinExec("hypertrm.exe\"", 0);                  /* typo'd command line with the stray quote */
    return 0;
}

