|
|
/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
WoWTask.cpp
Abstract:
Functions that retrieve process-history related information from 16-bit environment. This includes the retrieval of the correct __PROCESS_HISTORY that was passed in from the parent (32-bit)process and tracing the process history through WOW
Notes:
History:
10/26/00 VadimB Created
--*/
#include "precomp.h"
IMPLEMENT_SHIM_BEGIN(Win2kPropagateLayer)#include "ShimHookMacro.h"
#include "Win2kPropagateLayer.h"
typedef struct tagFINDWOWTASKDATA { BOOL bFound; DWORD dwProcessId; DWORD dwThreadId; WORD hMod16; WORD hTask16;
} FINDWOWTASKDATA, *PFINDWOWTASKDATA;
//
// Dynamically Linked apis
//
// from WOW32.dll
//
typedef LPVOID (WINAPI *PFNWOWGetVDMPointer)(DWORD vp, DWORD dwBytes, BOOL fProtectedMode);
//
// from vdmdbg.dll - defined in the header file
//
//
typedef INT (WINAPI *PFNVDMEnumTaskWOW)(DWORD dwProcessId, TASKENUMPROC fp, LPARAM lparam);
//
// Api importing -- modules
//
WCHAR g_wszWOW32ModName[] = L"wow32.dll";WCHAR g_wszVdmDbgModName[] = L"VdmDbg.dll";
//
// Api importing - module handles and function pointers
//
HMODULE g_hWow32;HMODULE g_hVdmDbg;BOOL g_bInitialized; // set to true when imports are initialized
PFNWOWGetVDMPointer g_pfnWOWGetVDMPointer;PFNVDMEnumTaskWOW g_pfnVDMEnumTaskWOW;
extern BOOL* g_pSeparateWow;
//
// function in this module to import apis
//
BOOL ImportWowApis(VOID);
//
// Marcro to access 16-bit memory
//
#define SEGPTR(seg,off) ((g_pfnWOWGetVDMPointer)((((ULONG)seg) << 16) | (off), 0, TRUE))
//
// task enum proc, called back from vdmdbg
//
BOOL WINAPI MyTaskEnumProc( DWORD dwThreadId, WORD hMod16, WORD hTask16, LPARAM lParam ){ PFINDWOWTASKDATA pFindData = (PFINDWOWTASKDATA)lParam;
if (dwThreadId == pFindData->dwThreadId) { pFindData->hMod16 = hMod16; pFindData->hTask16 = hTask16; pFindData->bFound = TRUE; return TRUE; }
return FALSE;}
BOOL FindWowTask( DWORD dwProcessId, DWORD dwThreadId, PFINDWOWTASKDATA pFindData ){ RtlZeroMemory(pFindData, sizeof(*pFindData));
pFindData->dwProcessId = dwProcessId; pFindData->dwThreadId = dwThreadId;
g_pfnVDMEnumTaskWOW(dwProcessId, (TASKENUMPROC)MyTaskEnumProc, (LPARAM)pFindData);
return pFindData->bFound;}
//
// get the pointer to task database block from hTask
//
PTDBGetTDB( WORD wTDB ){ PTDB pTDB;
pTDB = (PTDB)SEGPTR(wTDB, 0); if (NULL == pTDB || TDB_SIGNATURE != pTDB->TDB_sig) { LOGN( eDbgLevelError, "[GetTDB] TDB is invalid for task 0x%x", (DWORD)wTDB); return NULL; }
return pTDB;}
//
// GetModName
// wTDB - TDB entry
// szModName - pointer to the buffer that receives module name
// buffer should be at least 9 characters long
//
// returns FALSE if the entry is invalid
BOOLGetModName( WORD wTDB, PCH szModName ){ PTDB pTDB; PCH pch;
pTDB = GetTDB(wTDB); if (NULL == pTDB) { return FALSE; }
RtlCopyMemory(szModName, pTDB->TDB_ModName, 8 * sizeof(CHAR)); // we have modname now
szModName[8] = '\0';
pch = &szModName[8]; while (--pch >= szModName && *pch == ' ') { *pch = 0; }
if( pch < szModName ) { return FALSE; }
return TRUE;}
//
// ShimGetTaskFileName
// IN wTask - 16-bit task handle
// Returns:
// Fully qualified exe that is running in this task's context
//
PSZShimGetTaskFileName( WORD wTask ){ PSZ pszFileName = NULL; PTDB pTDB;
pTDB = GetTDB(wTask); if (NULL == pTDB) { // this is really bad -- the module is invalid, debug output is generated by GetTDB
return pszFileName; }
if (NULL == pTDB->TDB_pModule) { LOGN( eDbgLevelError, "[ShimGetTaskFileName] module pointer is NULL for 0x%x", (DWORD)wTask); return pszFileName; }
pszFileName = (PSZ)SEGPTR(pTDB->TDB_pModule, (*(WORD *)SEGPTR(pTDB->TDB_pModule, 10)) + 8); return pszFileName;}
PSZ ShimGetTaskEnvptr( WORD hTask16 ){ PTDB pTDB = GetTDB(hTask16); PSZ pszEnv = NULL; PDOSPDB pPSP;
if (NULL == pTDB) { LOGN( eDbgLevelError, "[ShimGetTaskEnvptr] Bad TDB entry 0x%x", hTask16); return NULL; } //
// Prepare environment data - this buffer is used when we're starting a new task from the
// root of the chain (as opposed to spawning from an existing 16-bit task)
//
pPSP = (PDOSPDB)SEGPTR(pTDB->TDB_PDB, 0); // psp
if (pPSP != NULL) { pszEnv = (PCH)SEGPTR(pPSP->PDB_environ, 0); }
return pszEnv;}
// IsWowExec
// IN wTDB - entry into the task database
// Returns:
// TRUE if this particular entry points to WOWEXEC
//
// Note:
// WOWEXEC is a special stub module that always runs on NTVDM
// new tasks are spawned by wowexec (in the most typical case)
// it is therefore the "root" module and it's environment's contents
// should not be counted, since we don't know what was ntvdm's parent process
//
BOOLIsWOWExec( WORD wTDB ){ PTDB pTDB; CHAR szModName[9];
pTDB = GetTDB(wTDB); if (NULL == pTDB) { LOGN( eDbgLevelError, "[IsWOWExec] Bad TDB entry 0x%x", (DWORD)wTDB); return FALSE; }
if (!GetModName(wTDB, szModName)) { // can we get modname ?
LOGN( eDbgLevelError, "[IsWOWExec] GetModName failed."); return FALSE; }
return (0 == _strcmpi(szModName, "wowexec")); // is the module named WOWEXEC ?
}
//
// ImportWowApis
// Function imports necessary apis from wow32.dll and vdmdbg.dll
//
//
BOOLImportWowApis( VOID ){ g_hWow32 = LoadLibraryW(g_wszWOW32ModName); if (g_hWow32 == NULL) { LOGN( eDbgLevelError, "[ImportWowApis] Failed to load wow32.dll Error 0x%x", GetLastError()); goto Fail; }
g_pfnWOWGetVDMPointer = (PFNWOWGetVDMPointer)GetProcAddress(g_hWow32, "WOWGetVDMPointer"); if (g_pfnWOWGetVDMPointer == NULL) { LOGN( eDbgLevelError, "[ImportWowApis] Failed to get address of WOWGetVDMPointer Error 0x%x", GetLastError()); goto Fail; }
g_hVdmDbg = LoadLibraryW(g_wszVdmDbgModName); if (g_hVdmDbg == NULL) { LOGN( eDbgLevelError, "[ImportWowApis] Failed to load vdmdbg.dll Error 0x%x", GetLastError()); goto Fail; }
g_pfnVDMEnumTaskWOW = (PFNVDMEnumTaskWOW)GetProcAddress(g_hVdmDbg, "VDMEnumTaskWOW"); if (g_pfnVDMEnumTaskWOW == NULL) { LOGN( eDbgLevelError, "[ImportWowApis] Failed to get address of VDMEnumTaskWOW Error 0x%x", GetLastError()); goto Fail; }
g_bInitialized = TRUE;
return TRUE;
Fail:
if (g_hWow32) { FreeLibrary(g_hWow32); g_hWow32 = NULL; } if (g_hVdmDbg) { FreeLibrary(g_hVdmDbg); g_hVdmDbg = NULL; } g_pfnWOWGetVDMPointer = NULL; g_pfnVDMEnumTaskWOW = NULL;
return FALSE;
}
/////////////////////////////////////////////////////////////////////////////////////////////
//
//
// WOWTaskList
//
// We maintain a shadow list of running wow tasks complete with respective process history and
// inherited process history
//
//
typedef struct tagWOWTASKLISTITEM* PWOWTASKLISTITEM;
typedef struct tagWOWTASKLISTITEM {
WORD hTask16; // 16-bit tdb entry
DWORD dwThreadId; // thread id of the task
WOWENVDATA EnvData; // environment data (process history, compat layer, etc)
PWOWTASKLISTITEM pTaskNext;
} WOWTASKLISTITEM;
PWOWTASKLISTITEM g_pWowTaskList;
/*++
FindWowTaskInfo
IN hTask16 16-bit task's handle IN dwThreadId OPTIONAL 32-bit thread id of the task, might be 0
Returns: pointer to the task information structure
--*/
PWOWTASKLISTITEMFindWowTaskInfo( WORD hTask16, DWORD dwThreadId ){ PWOWTASKLISTITEM pTask = g_pWowTaskList;
while (NULL != pTask) {
if (hTask16 == pTask->hTask16) {
if (dwThreadId == 0 || dwThreadId == pTask->dwThreadId) { break; } }
pTask = pTask->pTaskNext; }
return pTask;}
/*++
UpdateWowTaskList
IN hTask16 16-bit task's handle
Returns: True if the task was added successfully Note: wowexec is not among the "legitimate" tasks
--*/
BOOLUpdateWowTaskList( WORD hTask16 ){ PTDB pTDB; WORD wTaskParent; PWOWTASKLISTITEM pTaskParent = NULL; LPSTR lpszFileName; PSZ pszEnv; WOWENVDATA EnvData; PWOWENVDATA pData = NULL; DWORD dwLength; PWOWTASKLISTITEM pTaskNew; PCH pBuffer; PDOSPDB pPSP; BOOL bSuccess;
//
// see that we are initialized, import apis
//
if (!g_bInitialized) { // first call, link apis
bSuccess = ImportWowApis(); if (!bSuccess) { LOGN( eDbgLevelError, "[UpdateWowTaskList] Failed to import apis."); return FALSE; } }
//
// If this task is WOWEXEC -- just return, it's not an error condition, but we don't need
// wowexec in our list
//
if (IsWOWExec(hTask16)) { // this is ok, we don't want wowexec
return FALSE; }
//
// next, see what the parent item is, to do so -- access it through TDB
//
pTDB = GetTDB(hTask16); if (NULL == pTDB) { LOGN( eDbgLevelError, "[UpdateWowTaskList] Bad TDB entry 0x%x", hTask16); return FALSE; }
//
// Prepare environment data - this buffer is used when we're starting a new task from the
// root of the chain (as opposed to spawning from an existing 16-bit task)
//
RtlZeroMemory(&EnvData, sizeof(EnvData)); pData = &EnvData;
wTaskParent = pTDB->TDB_Parent; if (IsWOWExec(wTaskParent) || GetTDB(wTaskParent) == NULL) { //
// Root task, extract process history, compat layer, etc
//
pszEnv = NULL; pPSP = (PDOSPDB)SEGPTR(pTDB->TDB_PDB, 0); // psp
if (pPSP != NULL) { pszEnv = (PCH)SEGPTR(pPSP->PDB_environ, 0); }
//
// we have a pointer to the current environment here, pData is initialized
//
if (pszEnv != NULL) { pData->pszProcessHistory = ShimFindEnvironmentVar(g_szProcessHistoryVar, pszEnv, &pData->pszProcessHistoryVal); pData->pszCompatLayer = ShimFindEnvironmentVar(g_szCompatLayerVar, pszEnv, &pData->pszCompatLayerVal); pData->pszShimFileLog = ShimFindEnvironmentVar(g_szShimFileLogVar, pszEnv, &pData->pszShimFileLogVal); }
} else { //
// Not a root task, find parent process
//
pTaskParent = FindWowTaskInfo(wTaskParent, 0); // we can't determine which thread owns the task
if (pTaskParent == NULL) { //
// something is very wrong
// we can't inherit
//
LOGN( eDbgLevelError, "[UpdateWowTaskList] Task 0x%x is not root but parent not listed 0x%x", (DWORD)hTask16, (DWORD)wTaskParent); //
// we still allow building up process history. The initial variables will be empty
//
} else { //
// inherit everything from the parent and add it's module name (later)
//
pData = &pTaskParent->EnvData; } }
//
// Get the filename involved
//
//
lpszFileName = ShimGetTaskFileName(hTask16);
//
// now calculate how much space is required to hold all of the data
//
dwLength = sizeof(WOWTASKLISTITEM) + (NULL == pData->pszProcessHistory ? 0 : (strlen(pData->pszProcessHistory) + 1) * sizeof(CHAR)) + (NULL == pData->pszCompatLayer ? 0 : (strlen(pData->pszCompatLayer) + 1) * sizeof(CHAR)) + (NULL == pData->pszShimFileLog ? 0 : (strlen(pData->pszShimFileLog) + 1) * sizeof(CHAR)) + (NULL == pData->pszCurrentProcessHistory ? 0 : (strlen(pData->pszCurrentProcessHistory) + 2) * sizeof(CHAR)) + (NULL == lpszFileName ? 0 : (strlen(lpszFileName) + 1) * sizeof(CHAR));
pTaskNew = (PWOWTASKLISTITEM)ShimMalloc(dwLength); if (pTaskNew == NULL) { LOGN( eDbgLevelError, "[UpdateWowTaskList] failed to allocate 0x%x bytes", dwLength); return FALSE; }
RtlZeroMemory(pTaskNew, dwLength);
//
// now this entry has to be setup
// process history is first
//
pBuffer = (PCH)(pTaskNew + 1); // Keep track of how much of the buffer is left.
size_t cchRemaining = dwLength - sizeof(WOWTASKLISTITEM);
pTaskNew->hTask16 = hTask16; pTaskNew->dwThreadId = GetCurrentThreadId();
if (pData->pszProcessHistory != NULL) {
//
// Copy process history. The processHistoryVal is a pointer into the buffer
// pointed to by pszProcessHistory: __PROCESS_HISTORY=c:\foo;c:\docs~1\install
// then pszProcessHistoryVal will point here ---------^
//
// we are copying the data and moving the pointer using the calculated offset
pTaskNew->EnvData.pszProcessHistory = pBuffer; StringCchCopyExA(pTaskNew->EnvData.pszProcessHistory, cchRemaining, pData->pszProcessHistory, NULL, &cchRemaining, 0); pTaskNew->EnvData.pszProcessHistoryVal = pTaskNew->EnvData.pszProcessHistory + (INT)(pData->pszProcessHistoryVal - pData->pszProcessHistory); //
// There is enough space in the buffer to accomodate all the strings, so
// move pointer past current string to point at the "empty" space
//
pBuffer += strlen(pData->pszProcessHistory) + 1; }
if (pData->pszCompatLayer != NULL) { pTaskNew->EnvData.pszCompatLayer = pBuffer; StringCchCopyExA(pTaskNew->EnvData.pszCompatLayer, cchRemaining, pData->pszCompatLayer, NULL, &cchRemaining, 0); pTaskNew->EnvData.pszCompatLayerVal = pTaskNew->EnvData.pszCompatLayer + (INT)(pData->pszCompatLayerVal - pData->pszCompatLayer); pBuffer += strlen(pData->pszCompatLayer) + 1; }
if (pData->pszShimFileLog != NULL) { pTaskNew->EnvData.pszShimFileLog = pBuffer; StringCchCopyExA(pTaskNew->EnvData.pszShimFileLog, cchRemaining, pData->pszShimFileLog, NULL, &cchRemaining, 0); pTaskNew->EnvData.pszShimFileLogVal = pTaskNew->EnvData.pszShimFileLog + (INT)(pData->pszShimFileLogVal - pData->pszShimFileLog); pBuffer += strlen(pData->pszShimFileLog) + 1; }
if (pData->pszCurrentProcessHistory != NULL || lpszFileName != NULL) { //
// Now process history
//
pTaskNew->EnvData.pszCurrentProcessHistory = pBuffer; if (pData->pszCurrentProcessHistory != NULL) { StringCchCopyExA(pTaskNew->EnvData.pszCurrentProcessHistory, cchRemaining, pData->pszCurrentProcessHistory, NULL, &cchRemaining, 0); if (lpszFileName != NULL ) { StringCchCatExA(pTaskNew->EnvData.pszCurrentProcessHistory, cchRemaining, ";", NULL, &cchRemaining, 0); } } if (lpszFileName != NULL) { StringCchCatA(pTaskNew->EnvData.pszCurrentProcessHistory, cchRemaining, lpszFileName); } }
LOGN( eDbgLevelInfo, "[UpdateWowTaskList] Running : \"%s\"", lpszFileName); LOGN( eDbgLevelInfo, "[UpdateWowTaskList] ProcessHistory : \"%s\"", pTaskNew->EnvData.pszCurrentProcessHistory); LOGN( eDbgLevelInfo, "[UpdateWowTaskList] BaseProcessHistory: \"%s\"", pTaskNew->EnvData.pszProcessHistory); LOGN( eDbgLevelInfo, "[UpdateWowTaskList] CompatLayer : \"%s\"", pTaskNew->EnvData.pszCompatLayer);
//
// We are done, link the entry into the list
//
pTaskNew->pTaskNext = g_pWowTaskList;
g_pWowTaskList = pTaskNew;
return TRUE;}
/*++
CleanupWowTaskList
IN hTask16 16-bit task handle that is to be removed from the list of running tasks
Returns : TRUE if the function succeeds
--*/
BOOLCleanupWowTaskList( WORD hTask16 ){ PWOWTASKLISTITEM pTask = g_pWowTaskList; PWOWTASKLISTITEM pTaskPrev = NULL;
while (pTask != NULL) {
if (pTask->hTask16 == hTask16) { // this is the item
break; }
pTaskPrev = pTask; pTask = pTask->pTaskNext; }
if (pTask == NULL) { LOGN( eDbgLevelError, "[CleanupWowTaskList] Failed to locate task information for 0x%x", (DWORD)hTask16); return FALSE; }
if (pTaskPrev == NULL) {
g_pWowTaskList = pTask->pTaskNext;
} else {
pTaskPrev->pTaskNext = pTask->pTaskNext;
}
ShimFree(pTask);
return TRUE;
}
/*++
ShimRetrieveVariablesEx
IN pData Structure that receives pointers to all the relevant environment information for the calling thread. The threads are scheduled non-preemptively by user and threadid is used to identify the calling 16-bit task All the real work on information retrieval is done in UpdateWowTaskList
Returns: TRUE if success--*/
BOOLShimRetrieveVariablesEx( PWOWENVDATA pData ){ DWORD dwProcessId = GetCurrentProcessId(); DWORD dwThreadId = GetCurrentThreadId(); PWOWTASKLISTITEM pTask; FINDWOWTASKDATA FindData; WORD hTask; BOOL bSuccess;
RtlZeroMemory(pData, sizeof(*pData));
if (!g_bInitialized) { // first call, link apis
bSuccess = ImportWowApis(); if (!bSuccess) { LOGN( eDbgLevelError, "[ShimRetrieveVariablesEx] Failed to import apis."); return FALSE; } }
if (!FindWowTask(dwProcessId, dwThreadId, &FindData)) { LOGN( eDbgLevelError, "[ShimRetrieveVariablesEx] Task not found ProcessId 0x%x ThreadId 0x%x", dwProcessId, dwThreadId); return FALSE; }
hTask = FindData.hTask16;
pTask = FindWowTaskInfo(hTask, dwThreadId); if (pTask == NULL) { LOGN( eDbgLevelError, "[ShimRetrieveVariablesEx] Failed to locate wow task."); return FALSE; }
//
// Found this one. Copy the info.
//
RtlMoveMemory(pData, &pTask->EnvData, sizeof(*pData));
return TRUE;}
/*++
ShimThisProcess
Function invokes Shim Engine for dynamic shimming of the current process Which happens to be ntvdm, naturally. This ntvdm is a separate ntvdm (which is insured through various checks in CheckAndShimNTVDM)
--*/
BOOLShimThisProcess( HMODULE hModShimEngine, HSDB hSDB, SDBQUERYRESULT* pQueryResult ){ typedef BOOL (WINAPI *PFNDynamicShim)(LPCWSTR , HSDB , SDBQUERYRESULT*, LPCSTR, LPDWORD); PFNDynamicShim pfnDynamicShim = NULL; WCHAR wszFileName[MAX_PATH]; DWORD dwLength; DWORD dwDynamicToken = 0;
pfnDynamicShim = (PFNDynamicShim) GetProcAddress(hModShimEngine, "SE_DynamicShim"); if (NULL == pfnDynamicShim) { LOGN( eDbgLevelError, "[ShimThisProcess] failed to obtain dynamic shim proc address\n"); return FALSE; }
dwLength = GetModuleFileNameW(GetModuleHandle(NULL), wszFileName, CHARCOUNT(wszFileName)); if (!dwLength || dwLength == CHARCOUNT(wszFileName)) { LOGN( eDbgLevelError, "[ShimThisProcess] failed to obtain module file name\n"); return FALSE; }
return pfnDynamicShim(wszFileName, hSDB, pQueryResult, NULL, &dwDynamicToken);}
/*++
CheckAndShimNTVDM Procedure checks ntvdm application for having to be shimmed. If an application is located in appcompat database, this ntvdm would have to be running as a separate ntvdm (explorer is shimmed as well, as a result it will have checked the binary first and set the separate vdm flag in CreateProcess)
Further, this call comes through InitTask (intercepted between ntvdm and user32) -- as a parameter it takes hTask16 - which we're able to use to retrieve application's environment and other important information.--*/
BOOLCheckAndShimNTVDM( WORD hTask16 ){ HMODULE hModShimEngine; CString csTaskFileName; PSZ pszEnv = NULL; PTDB pTDB = NULL; PVOID pEnvNew = NULL; BOOL bSuccess = FALSE; BOOL bMatch; BOOL bNewEnv = FALSE; HSDB hSDB; NTSTATUS Status; SDBQUERYRESULT QueryResult; DWORD dwFlags;
hModShimEngine = GetModuleHandle(TEXT("shim.dll")); if (hModShimEngine == NULL) { // impossible -- shim.dll is not injected!!!
return FALSE; } if (g_pSeparateWow != NULL && *g_pSeparateWow == FALSE) { //
// not a separate wow
//
LOGN( eDbgLevelError, "[CheckAndShimNTVDM] running in shared wow, no shimming\n"); return FALSE; }
if (!g_bInitialized) { // first call, link apis
bSuccess = ImportWowApis(); if (!bSuccess) { LOGN( eDbgLevelError, "[CheckAndShimNTVDM] Failed to import apis.\n"); return FALSE; } }
if (IsWOWExec(hTask16)) { LOGN( eDbgLevelError, "[CheckAndShimNTVDM] not touching wowexec\n"); return FALSE; }
csTaskFileName = ShimGetTaskFileName(hTask16); if (csTaskFileName.IsEmpty()) { LOGN( eDbgLevelError, "[CheckAndShimNTVDM] failed to get the filename for task 0x%lx\n", hTask16); return FALSE; } //
// init database
//
hSDB = SdbInitDatabase(0, NULL);
if (hSDB == NULL) { LOGN( eDbgLevelError, "[CheckAndShimNTVDM] failed to init shim database\n"); return FALSE; }
//
// process history please --
// if we end up here, we are a separate ntvdm
// running with a process history in the env, was retrieved in init
//
pTDB = GetTDB(hTask16); if (NULL == pTDB) { LOGN( eDbgLevelError, "[UpdateWowTaskList] Bad TDB entry 0x%x", hTask16); return FALSE; }
//
// Prepare environment data - this buffer is used when we're starting a new task from the
// root of the chain (as opposed to spawning from an existing 16-bit task)
//
pszEnv = ShimGetTaskEnvptr(hTask16); if (NULL != pszEnv) { Status = ShimCloneEnvironment(&pEnvNew, (LPVOID)pszEnv, FALSE); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[CheckAndShimNTVDM] cannot clone environment 0x%lx\n", Status); pEnvNew = NULL; bNewEnv = TRUE; }
//
// if this call has come the way of VDM - we need to carry over our environment stuff
// which is stored separately in this shim
//
// should the call to ShimCloneEnvironment fail, we will have pEnvNew == NULL
// and bNewEnv = TRUE, as a result, we shall try again to clone the environment
dwFlags = CREATE_UNICODE_ENVIRONMENT; pEnvNew = ShimCreateWowEnvironment_U(pEnvNew, &dwFlags, bNewEnv); } //
// run detection please
//
bMatch = SdbGetMatchingExe(hSDB, (LPCWSTR)csTaskFileName, NULL, // we can give out module name as well -- but WHY?
(LPCWSTR)pEnvNew, 0, &QueryResult); if (bMatch) { bSuccess = ShimThisProcess(hModShimEngine, hSDB, &QueryResult); } if (pEnvNew != NULL) { ShimFreeEnvironment(pEnvNew); } return bSuccess;}
IMPLEMENT_SHIM_END
|
