Various fixes (TCHAR/WCHAR confusions & handle leaks)

2026-06-11 01:41:20 +00:00 · 2023-11-23 17:14:42 +01:00
parent ea27242fa2
commit 0e2b725590
6 changed files with 53 additions and 38 deletions
@@ -13,4 +13,5 @@ typedef BOOL(WINAPI* _MiniDumpWriteDump)(HANDLE hProcess, DWORD ProcessId, HANDL
 DWORD WINAPI dumpProcess(LPTSTR processName, TCHAR* outputDumpFile);
-DWORD WINAPI dumpProcessFromThread(PVOID* args);
+DWORD WINAPI dumpProcessFromThread(PVOID* args);
 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
@@ -6,7 +6,7 @@
 #include "Undoc.h"
 #include "time.h"
-VOID getUnicodeStringFromTCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* tcharString);
+VOID getUnicodeStringFromWCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* tcharString);
 TCHAR* generateRandomString(TCHAR* str, size_t size);
 TCHAR* allocAndGenerateRandomString(size_t length);
@@ -8,8 +8,6 @@ DWORD SandGetProcessPID(HANDLE hProcess);
 PUNICODE_STRING SandGetProcessImage(HANDLE hProcess);
-DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD  nSize);
+DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, LPWSTR ImageFileName, DWORD  nSize);
-DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
+DWORD SandFindProcessPidByName(LPCWSTR targetProcessName, DWORD* pPid);
 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
@@ -396,7 +396,7 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
    UNICODE_STRING dumpFilePathAsUnicodeStr = { 0 };
    wcscat_s(FilePath, _countof(FilePath), dumpFilePath);
-    getUnicodeStringFromTCHAR(&dumpFilePathAsUnicodeStr, FilePath);
+    getUnicodeStringFromWCHAR(&dumpFilePathAsUnicodeStr, FilePath);
    // Create the dump file to validate that the output path is correct beforing accessing the process to dump memory.
    InitializeObjectAttributes(&ObjectAttributesDumpFile, &dumpFilePathAsUnicodeStr, OBJ_CASE_INSENSITIVE, NULL, NULL);
@@ -31,9 +31,9 @@
 //    return TRUE;
 //}
-VOID getUnicodeStringFromTCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* wcharString) {
+VOID getUnicodeStringFromWCHAR(OUT PUNICODE_STRING unicodeString, IN WCHAR* wcharString) {
    unicodeString->Buffer = wcharString;
-    unicodeString->Length = (WORD)_tcslen(unicodeString->Buffer) * sizeof(WCHAR);
+    unicodeString->Length = (WORD)wcslen(unicodeString->Buffer) * sizeof(WCHAR);
    unicodeString->MaximumLength = unicodeString->Length + sizeof(WCHAR);
 }
@@ -18,7 +18,7 @@ DWORD SandGetProcessPID(HANDLE hProcess) {
        return 0;
    }
-    return (DWORD) basicInformation.UniqueProcessId;
+    return (DWORD)basicInformation.UniqueProcessId;
 }
 // Retrieve a given process image (PE full path).
@@ -28,7 +28,7 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
    PUNICODE_STRING ProcessImageBuffer = NULL;
    do {
-        ProcessImageBuffer = calloc(ProcessImageLength, sizeof(TCHAR));
+        ProcessImageBuffer = calloc(ProcessImageLength, sizeof(WCHAR));
        if (!ProcessImageBuffer) {
            _tprintf_or_not(TEXT("[-] Couldn't allocate memory for process image\n"));
            return NULL;
@@ -44,50 +44,54 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess) {
    } while (status == STATUS_INFO_LENGTH_MISMATCH);
    if (!ProcessImageBuffer) {
-        _tprintf_or_not(TEXT("[-] Failed to retrieve process image\n"));
+        _tprintf_or_not(TEXT("[-] Failed to retrieve process image: %08x\n"), status);
        return NULL;
    }
-    
+
    return ProcessImageBuffer;
 }
 // Extract filename from process image full path.
-DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD nSize) {
+DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, LPWSTR ImageFileName, DWORD nSize) {
    if (ProcessImageUnicodeStr->Length == 0) {
        return 0;
    }
    // Process name will be /binary.exe.
-    TCHAR* ProcessName = _tcsrchr(ProcessImageUnicodeStr->Buffer, TEXT('\\'));
+    WCHAR* ProcessName = wcsrchr(ProcessImageUnicodeStr->Buffer, L'\\');
    if (!ProcessName) {
        return 0;
    }
    // Skip the /.
    ProcessName = &ProcessName[1];
-    
+
-    DWORD ProcessNameLength = (DWORD)_tcslen(ProcessName);
+    DWORD ProcessNameLength = (DWORD)wcslen(ProcessName);
    if (ProcessNameLength > nSize) {
        _tprintf_or_not(TEXT("[-] Input buffer size is too small for file name\n"));
        return 0;
    }
-    
+
-    _tcsncat_s(ImageFileName, nSize, ProcessName, _TRUNCATE);
+    wcsncat_s(ImageFileName, nSize, ProcessName, _TRUNCATE);
    return ProcessNameLength;
 }
 // Find a process PID using its filename.
-DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
+DWORD SandFindProcessPidByName(LPCWSTR targetProcessName, DWORD* pPid) {
    DWORD status = STATUS_UNSUCCESSFUL;
    HANDLE hProcess = NULL;
    HANDLE hOldProcess = NULL;
    PUNICODE_STRING currentProcessImage = NULL;
-    TCHAR* currentProcessName = NULL;
+    LPWSTR currentProcessName = NULL;
    DWORD currentProcessNameSz = 0;
-    
+
    *pPid = 0;
    while (*pPid == 0) {
-        status = NtGetNextProcess(hProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
+        status = NtGetNextProcess(hOldProcess, MAXIMUM_ALLOWED, 0, 0, &hProcess);
        if (hOldProcess) {
            NtClose(hOldProcess);
        }
        if (status == STATUS_NO_MORE_ENTRIES) {
            _tprintf_or_not(TEXT("[-] The process '%s' was not found\n"), targetProcessName);
@@ -99,24 +103,36 @@ DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid) {
        }
        currentProcessImage = SandGetProcessImage(hProcess);
-        currentProcessName = calloc(currentProcessImage->MaximumLength, sizeof(TCHAR));
+        if (currentProcessImage) {
-        if (!currentProcessName) {
+            currentProcessName = calloc(currentProcessImage->MaximumLength, sizeof(WCHAR));
-            _tprintf_or_not(TEXT("[-] Couldn't allocate memory for process filename\n"));
+            if (!currentProcessName) {
-            return STATUS_UNSUCCESSFUL;
+                _tprintf_or_not(TEXT("[-] Couldn't allocate memory for process filename\n"));
-        }
+                return STATUS_UNSUCCESSFUL;
-        currentProcessNameSz = SandGetProcessFilename(currentProcessImage, currentProcessName, currentProcessImage->MaximumLength);
+            }
            _putws(currentProcessImage->Buffer);
            currentProcessNameSz = SandGetProcessFilename(currentProcessImage, currentProcessName, currentProcessImage->MaximumLength);
-        if (currentProcessNameSz != 0 && !_tcsicmp(targetProcessName, currentProcessName)) {
+            if (currentProcessNameSz != 0 && !_tcsicmp(targetProcessName, currentProcessName)) {
-            *pPid = SandGetProcessPID(hProcess);
+                *pPid = SandGetProcessPID(hProcess);
-            break;
+                break;
-        }
+            }
-        free(currentProcessImage);
+            free(currentProcessImage);
-        currentProcessImage = NULL;
+            currentProcessImage = NULL;
-        free(currentProcessName);
+            free(currentProcessName);
-        currentProcessName = NULL;
+            currentProcessName = NULL;
        }
        hOldProcess = hProcess;
    }
    if (currentProcessImage) {
        free(currentProcessImage);
    }
    if (currentProcessName) {
        free(currentProcessName);
    }
    if (hProcess) {
        NtClose(hProcess);
    }
    if (*pPid) {
        return STATUS_SUCCES;
    }