Various fixes (TCHAR/WCHAR confusions & handle leaks)

EDRSandblast/Includes/ProcessDump.h

@@ -14,3 +14,4 @@ typedef BOOL(WINAPI* _MiniDumpWriteDump)(HANDLE hProcess, DWORD ProcessId, HANDL
 
 DWORD WINAPI dumpProcess(LPTSTR processName, TCHAR* outputDumpFile);
 DWORD WINAPI dumpProcessFromThread(PVOID* args);
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);

EDRSandblast/Includes/StringUtils.h

@@ -6,7 +6,7 @@
 #include "Undoc.h"
 #include "time.h"
 
-VOID getUnicodeStringFromTCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* tcharString);
+VOID getUnicodeStringFromWCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* tcharString);
 
 TCHAR* generateRandomString(TCHAR* str, size_t size);
 TCHAR* allocAndGenerateRandomString(size_t length);

EDRSandblast/Includes/SyscallProcessUtils.h

@@ -8,8 +8,6 @@ DWORD SandGetProcessPID(HANDLE hProcess);
 
 PUNICODE_STRING SandGetProcessImage(HANDLE hProcess);
 
-DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD  nSize);
+DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, LPWSTR ImageFileName, DWORD  nSize);
 
-DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
+DWORD SandFindProcessPidByName(LPCWSTR targetProcessName, DWORD* pPid);
-
-BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);

EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c

@@ -396,7 +396,7 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
     UNICODE_STRING dumpFilePathAsUnicodeStr = { 0 };
     wcscat_s(FilePath, _countof(FilePath), dumpFilePath);
 
-    getUnicodeStringFromTCHAR(&dumpFilePathAsUnicodeStr, FilePath);
+    getUnicodeStringFromWCHAR(&dumpFilePathAsUnicodeStr, FilePath);
     
     // Create the dump file to validate that the output path is correct beforing accessing the process to dump memory.
     InitializeObjectAttributes(&ObjectAttributesDumpFile, &dumpFilePathAsUnicodeStr, OBJ_CASE_INSENSITIVE, NULL, NULL);

EDRSandblast/Utils/StringUtils.c

@@ -31,9 +31,9 @@
 //    return TRUE;
 //}
 
-VOID getUnicodeStringFromTCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* wcharString) {
+VOID getUnicodeStringFromWCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* wcharString) {
     unicodeString->Buffer = wcharString;
-    unicodeString->Length = (WORD)_tcslen(unicodeString->Buffer) * sizeof(WCHAR);
+    unicodeString->Length = (WORD)wcslen(unicodeString->Buffer) * sizeof(WCHAR);
     unicodeString->MaximumLength = unicodeString->Length + sizeof(WCHAR);
 }
 

EDRSandblast/Utils/SyscallProcessUtils.c

@@ -18,7 +18,7 @@ DWORD SandGetProcessPID(HANDLE hProcess) {
         return 0;
     }
 
-    return (DWORD) basicInformation.UniqueProcessId;
+    return (DWORD)basicInformation.UniqueProcessId;
 }
 
 // Retrieve a given process image (PE full path).
@@ -28,7 +28,7 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
     PUNICODE_STRING ProcessImageBuffer = NULL;
 
     do {
-        ProcessImageBuffer = calloc(ProcessImageLength, sizeof(TCHAR));
+        ProcessImageBuffer = calloc(ProcessImageLength, sizeof(WCHAR));
         if (!ProcessImageBuffer) {
             _tprintf_or_not(TEXT("[-] Couldn't allocate memory for process image\n"));
             return NULL;
@@ -44,7 +44,7 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
     } while (status == STATUS_INFO_LENGTH_MISMATCH);
 
     if (!ProcessImageBuffer) {
-        _tprintf_or_not(TEXT("[-] Failed to retrieve process image\n"));
+        _tprintf_or_not(TEXT("[-] Failed to retrieve process image: %08x\n"), status);
         return NULL;
     }
 
@@ -52,13 +52,13 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
 }
 
 // Extract filename from process image full path.
-DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD nSize) {
+DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, LPWSTR ImageFileName, DWORD nSize) {
     if (ProcessImageUnicodeStr->Length == 0) {
         return 0;
     }
 
     // Process name will be /binary.exe.
-    TCHAR* ProcessName = _tcsrchr(ProcessImageUnicodeStr->Buffer, TEXT('\\'));
+    WCHAR* ProcessName = wcsrchr(ProcessImageUnicodeStr->Buffer, L'\\');
     if (!ProcessName) {
         return 0;
     }
@@ -66,28 +66,32 @@ DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* Imag
     // Skip the /.
     ProcessName = &ProcessName[1];
 
-    DWORD ProcessNameLength = (DWORD)_tcslen(ProcessName);
+    DWORD ProcessNameLength = (DWORD)wcslen(ProcessName);
     if (ProcessNameLength > nSize) {
         _tprintf_or_not(TEXT("[-] Input buffer size is too small for file name\n"));
         return 0;
     }
 
-    _tcsncat_s(ImageFileName, nSize, ProcessName, _TRUNCATE);
+    wcsncat_s(ImageFileName, nSize, ProcessName, _TRUNCATE);
     return ProcessNameLength;
 }
 
 // Find a process PID using its filename.
-DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
+DWORD SandFindProcessPidByName(LPCWSTR targetProcessName, DWORD* pPid) {
     DWORD status = STATUS_UNSUCCESSFUL;
     HANDLE hProcess = NULL;
+    HANDLE hOldProcess = NULL;
     PUNICODE_STRING currentProcessImage = NULL;
-    TCHAR* currentProcessName = NULL;
+    LPWSTR currentProcessName = NULL;
     DWORD currentProcessNameSz = 0;
 
     *pPid = 0;
 
     while (*pPid == 0) {
-        status = NtGetNextProcess(hProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
+        status = NtGetNextProcess(hOldProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
+        if (hOldProcess) {
+            NtClose(hOldProcess);
+        }
 
         if (status == STATUS_NO_MORE_ENTRIES) {
             _tprintf_or_not(TEXT("[-] The process '%s' was not found\n"), targetProcessName);
@@ -99,24 +103,36 @@ DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
         }
 
         currentProcessImage = SandGetProcessImage(hProcess);
-        currentProcessName = calloc(currentProcessImage->MaximumLength, sizeof(TCHAR));
+        if (currentProcessImage) {
-        if (!currentProcessName) {
+            currentProcessName = calloc(currentProcessImage->MaximumLength, sizeof(WCHAR));
-            _tprintf_or_not(TEXT("[-] Couldn't allocate memory for process filename\n"));
+            if (!currentProcessName) {
-            return STATUS_UNSUCCESSFUL;
+                _tprintf_or_not(TEXT("[-] Couldn't allocate memory for process filename\n"));
-        }
+                return STATUS_UNSUCCESSFUL;
-        currentProcessNameSz = SandGetProcessFilename(currentProcessImage, currentProcessName, currentProcessImage->MaximumLength);
+            }
+            _putws(currentProcessImage->Buffer);
+            currentProcessNameSz = SandGetProcessFilename(currentProcessImage, currentProcessName, currentProcessImage->MaximumLength);
 
-        if (currentProcessNameSz != 0 && !_tcsicmp(targetProcessName, currentProcessName)) {
+            if (currentProcessNameSz != 0 && !_tcsicmp(targetProcessName, currentProcessName)) {
-            *pPid = SandGetProcessPID(hProcess);
+                *pPid = SandGetProcessPID(hProcess);
-            break;
+                break;
-        }
+            }
 
-        free(currentProcessImage);
+            free(currentProcessImage);
-        currentProcessImage = NULL;
+            currentProcessImage = NULL;
-        free(currentProcessName);
+            free(currentProcessName);
-        currentProcessName = NULL;
+            currentProcessName = NULL;
+        }
+        hOldProcess = hProcess;
+    }
+    if (currentProcessImage) {
+        free(currentProcessImage);
+    }
+    if (currentProcessName) {
+        free(currentProcessName);
+    }
+    if (hProcess) {
+        NtClose(hProcess);
     }
-
     if (*pPid) {
         return STATUS_SUCCES;
     }