Friday, July 16, 2010

WinExec Intelligent Typo Handling

Apparently kernel32!WinExec has an unusual check for the string "hypertrm.exe\"" in the lpCmdLine parameter, and when it matches, it attempts to execute "hypertrm.exe" instead. A rather ridiculous fix for a typo in some legacy application? Even the kernel32.dll shipped with Vista has similar behavior.

The following IDA screenshots are taken from XP SP2's kernel32!WinExec:


So if CreateProcessInternalA(..) fails, the code compares the lpCmdLine parameter with the hard-coded string "hypertrm.exe\"". Notice that EBX now points to the string "hypertrm.exe".

... and finally "hypertrm.exe" is executed in a second call to CreateProcessInternalA(..); notice that EBX, which points to the corrected string "hypertrm.exe", is pushed as the command line parameter.

Finally, the test!

#include <windows.h>
#include <stdio.h>
int main(void) {
    char szEnvPath[4096] = {0}, szNewEnvPath[4200] = {0};
    GetEnvironmentVariable("PATH", szEnvPath, sizeof(szEnvPath) - 1);   /* current PATH */
    _snprintf(szNewEnvPath, sizeof(szNewEnvPath) - 1, "%s;C:\\Program Files\\Windows NT", szEnvPath); /* so hypertrm.exe is found on PATH */
    SetEnvironmentVariable("PATH", szNewEnvPath);
    WinExec("hypertrm.exe\"", 0);   /* note the stray trailing quote */
    return 0;
}
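The fallback the disassembly shows, and the PATH-based test above, can be modelled without touching the Windows API. The following is an added example, not the post's code and not kernel32's logic: a simplified, hypothetical model of "try the command line; if that fails and it equals the hard-coded typo string, retry with the corrected name", layered over a plain search through a list of directories that stands in for PATH. The assumptions are labelled in the code: that the comparison is an exact match on the whole lpCmdLine value, that the application name is the first whitespace-delimited token, and that the typo'd name fails simply because `"` is not a legal character in a Windows file name (the post only shows the comparison, not why the first CreateProcessInternalA call fails). It goes one step beyond the post by also listing every directory in search order that holds a file with the corrected name, which is the check a defender wants when a library silently substitutes an unqualified executable name.

```python
"""Model of the WinExec typo fallback plus a search-order check (constructed example)."""
import os
import tempfile

# The single hard-coded case the post describes. Assumption: the comparison
# is an exact string match on the whole lpCmdLine value.
TYPO_FALLBACKS = {'hypertrm.exe"': "hypertrm.exe"}

# Characters that can never appear in a Windows file name; a name containing
# one cannot resolve to any file. Assumption: this is why the typo'd name fails.
INVALID_NAME_CHARS = set('<>:"/\\|?*')


def application_name(cmdline):
    """First whitespace-delimited token of the command line (simplified model)."""
    parts = cmdline.strip().split(None, 1)
    return parts[0] if parts else ""


def resolve(cmdline, search_dirs):
    """Return the first existing file for the application name, or None."""
    name = application_name(cmdline)
    if not name or INVALID_NAME_CHARS & set(name):
        return None
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def win_exec_model(cmdline, search_dirs):
    """Model of WinExec: (resolved path or None, whether the fallback fired)."""
    path = resolve(cmdline, search_dirs)
    if path is not None:
        return path, False          # normal case: first attempt succeeded
    corrected = TYPO_FALLBACKS.get(cmdline)
    if corrected is None:
        return None, False          # any other failure is just a failure
    return resolve(corrected, search_dirs), True


def shadow_candidates(cmdline, search_dirs):
    """Every file, in search order, that the (corrected) application name could
    resolve to; the first entry is the one that would actually run."""
    name = application_name(TYPO_FALLBACKS.get(cmdline, cmdline))
    return [os.path.join(d, name) for d in search_dirs
            if os.path.isfile(os.path.join(d, name))]


def demo():
    """Recreate the post's test with constructed directories instead of a real PATH."""
    with tempfile.TemporaryDirectory() as root:
        nt_dir = os.path.join(root, "Program Files", "Windows NT")
        os.makedirs(nt_dir)
        with open(os.path.join(nt_dir, "hypertrm.exe"), "wb") as f:
            f.write(b"")            # constructed placeholder, not a real binary
        search = [root, nt_dir]     # stands in for PATH after the append in the test
        return {
            "typo": win_exec_model('hypertrm.exe"', search),
            "clean": win_exec_model("hypertrm.exe", search),
            "other_typo": win_exec_model('notepad.exe"', search),
            "shadowed_by": shadow_candidates('hypertrm.exe"', search),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the three behaviours the disassembly implies: the typo'd string resolves only via the fallback, the clean name resolves directly, and a different string with the same trailing-quote typo is not corrected at all. The `shadow_candidates` list is the part worth keeping in a toolbox: whenever a name is resolved through PATH, it is the ordered list of files that name could mean.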