simplified some code, security improvements, etc

wufuc/core.c

@@ -43,7 +43,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
     DETOUR_IAT(hm, LoadLibraryExA);
     DETOUR_IAT(hm, LoadLibraryExW);
 
-    TCHAR lpServiceDll[MAX_PATH + 1];
+    TCHAR lpServiceDll[MAX_PATH];
     get_svcdll(_T("wuauserv"), lpServiceDll, _countof(lpServiceDll));
 
     HMODULE hwu = GetModuleHandle(lpServiceDll);
@@ -130,7 +130,7 @@ HMODULE WINAPI _LoadLibraryExA(
     HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
     if (result) {
         dwprintf(L"Loaded library: %S", lpFileName);
-        CHAR path[MAX_PATH + 1];
+        CHAR path[MAX_PATH];
         if (!get_svcdllA("wuauserv", path, _countof(path))) {
             return result;
         }
@@ -149,7 +149,7 @@ HMODULE WINAPI _LoadLibraryExW(
     HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
     if (result) {
         dwprintf(L"Loaded library: %s", lpFileName);
-        WCHAR path[MAX_PATH + 1];
+        WCHAR path[MAX_PATH];
         if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
             return result;
         }

wufuc/rundll32.c

@@ -36,6 +36,7 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
     }
     dwprintf(L"Processor: %S", brand + i);
 
+
     SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
     if (!hSCManager) {
         return;
@@ -50,34 +51,26 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
     if (!result) {
         return;
     }
-    TCHAR lpLibFileName[MAX_PATH + 1];
+    TCHAR lpLibFileName[MAX_PATH];
     GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
 
     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
     if (!hProcess) {
         return;
     }
-    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, _countof(lpLibFileName) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(lpLibFileName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
     if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)) {
 
-        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
-        if (hSnap) {
-            MODULEENTRY32 me;
-            me.dwSize = sizeof(me);
-
-            if (Module32First(hSnap, &me)) {
-                do {
-                    if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
-                        break;
-                    }
-                } while (Module32Next(hSnap, &me));
-
-                HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
-                CloseHandle(hThread);
-            }
-            CloseHandle(hSnap);
-        }
+        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, 
+            (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), 
+            STRINGIZE(LoadLibrary)), 
+            lpBaseAddress, 0, NULL
+        );
+        WaitForSingleObject(hThread, INFINITE);
+        dwprintf(L"Injected into process: %d", dwProcessId);
+        CloseHandle(hThread);
     }
+    VirtualFreeEx(hProcess, lpBaseAddress, 0, MEM_RELEASE);
     CloseHandle(hProcess);
     close_log();
 }

wufuc/service.c

@@ -6,27 +6,24 @@
 #include "service.h"
 
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize) {
-    CHAR lpSubKey[MAX_PATH + 1];
+    CHAR lpSubKey[257];
     sprintf_s(lpSubKey, _countof(lpSubKey), "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
-
-    DWORD uBytes = _MAX_PATH + 1;
-    LPBYTE pvData = malloc(uBytes);
-
-    RegGetValueA(HKEY_LOCAL_MACHINE, lpSubKey, "ServiceDll", RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, NULL, pvData, &uBytes);
-
-    ExpandEnvironmentStringsA((LPSTR)pvData, lpServiceDll, dwSize);
+    DWORD cb = dwSize;
+    if (RegGetValueA(HKEY_LOCAL_MACHINE, lpSubKey, "ServiceDll", RRF_RT_REG_SZ, NULL, (PVOID)lpServiceDll, &cb)) {
+        return FALSE;
+    }
+    dwprintf(L"Service \"%S\" DLL path: %S", lpServiceName, lpServiceDll);
     return TRUE;
 }
 
 BOOL get_svcdllW(LPCWSTR lpServiceName, LPWSTR lpServiceDll, DWORD dwSize) {
-    WCHAR lpSubKey[MAX_PATH + 1];
+    WCHAR lpSubKey[257];
     swprintf_s(lpSubKey, _countof(lpSubKey), L"SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
-
-    DWORD uBytes = _MAX_PATH + 1;
-    LPBYTE pvData = malloc(uBytes);
-    RegGetValueW(HKEY_LOCAL_MACHINE, lpSubKey, L"ServiceDll", RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, NULL, pvData, &uBytes);
-
-    ExpandEnvironmentStringsW((LPWSTR)pvData, lpServiceDll, dwSize);
+    DWORD cb = dwSize;
+    if (RegGetValueW(HKEY_LOCAL_MACHINE, lpSubKey, L"ServiceDll", RRF_RT_REG_SZ, NULL, (PVOID)lpServiceDll, &cb)) {
+        return FALSE;
+    }
+    dwprintf(L"Service \"%s\" DLL path: %s", lpServiceName, lpServiceDll);
     return TRUE;
 }
 
@@ -59,6 +56,7 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
     if (!get_svcpath(hSCManager, lpServiceName, lpBinaryPathName, _countof(lpBinaryPathName))) {
         return FALSE;
     }
+    
     int numArgs;
     LPWSTR *argv = CommandLineToArgv(lpBinaryPathName, &numArgs);
     if (numArgs < 3) {
@@ -105,7 +103,7 @@ BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPat
 }
 
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
-    DWORD uBytes = 0x100000;
+    DWORD uBytes = 1 << 20;
     LPBYTE pvData = malloc(uBytes);
     RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"),
         lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);

wufuc/util.c

@@ -157,12 +157,12 @@ BOOL init_log(void) {
     if (log_fp) {
         return TRUE;
     }
-    WCHAR filename[MAX_PATH + 1];
+    WCHAR filename[MAX_PATH];
     GetModuleFileNameW(HINST_THISCOMPONENT, filename, _countof(filename));
     WCHAR drive[_MAX_DRIVE], dir[_MAX_DIR], fname[_MAX_FNAME];
     _wsplitpath_s(filename, drive, _countof(drive), dir, _countof(dir), fname, _countof(fname), NULL, 0);
 
-    WCHAR basename[MAX_PATH + 1];
+    WCHAR basename[MAX_PATH];
     GetModuleBaseNameW(GetCurrentProcess(), NULL, basename, _countof(basename));
     wcscat_s(fname, _countof(fname), L".");
     wcscat_s(fname, _countof(fname), basename);