diff --git a/wufuc/core.c b/wufuc/core.c
index 579db39..268abb2 100644
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -13,7 +13,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 	SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
 
 	TCHAR lpBinaryPathName[0x8000];
-	QueryServiceBinaryPathName(hSCManager, _T("wuauserv"), lpBinaryPathName, _countof(lpBinaryPathName));
+	get_svcpath(hSCManager, _T("wuauserv"), lpBinaryPathName, _countof(lpBinaryPathName));
 
 	BOOL result = _tcsicmp(GetCommandLine(), lpBinaryPathName);
 	CloseServiceHandle(hSCManager);
@@ -27,22 +27,23 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 	ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:PAI(A;;FA;;;BA)"), SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL);
 	sa.bInheritHandle = FALSE;
 
-	HANDLE hEvent = CreateEvent(&sa, FALSE, FALSE, _T("Global\\wufuc_UnloadEvent"));
+	HANDLE hEvent = CreateEvent(&sa, TRUE, FALSE, _T("Global\\wufuc_UnloadEvent"));
 
 	if (!hEvent) {
 		return 0;
 	}
 
+	DWORD dwProcessId = GetCurrentProcessId();
+	DWORD dwThreadId = GetCurrentThreadId();
 	HANDLE lphThreads[0x1000];
 	SIZE_T cb;
-	SuspendProcess(lphThreads, _countof(lphThreads), &cb);
+
+	SuspendProcessThreads(dwProcessId, dwThreadId, lphThreads, _countof(lphThreads), &cb);
 
 	HMODULE hm = GetModuleHandle(NULL);
 	DETOUR_IAT(hm, LoadLibraryExA);
 	DETOUR_IAT(hm, LoadLibraryExW);
 
-	_tdbgprintf(_T("Applied LoadLibraryEx hooks."));
-
 	HMODULE hwu = GetModuleHandle(_T("wuaueng.dll"));
 	if (hwu) {
 		PatchWUModule(hwu);
@@ -50,16 +51,16 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 	ResumeAndCloseThreads(lphThreads, cb);
 
 	WaitForSingleObject(hEvent, INFINITE);
-	CloseHandle(hEvent);
 
 	_tdbgprintf(_T("Received wufuc_UnloadEvent, removing hooks."));
 
-	SuspendProcess(lphThreads, _countof(lphThreads), &cb);
+	SuspendProcessThreads(dwProcessId, dwThreadId, lphThreads, _countof(lphThreads), &cb);
 	RESTORE_IAT(hm, LoadLibraryExA);
 	RESTORE_IAT(hm, LoadLibraryExW);
 	ResumeAndCloseThreads(lphThreads, cb);
 
 	_tdbgprintf(_T("Unloading library. Cya!"));
+	CloseHandle(hEvent);
 	FreeLibraryAndExitThread(HINST_THISCOMPONENT, 0);
 	return 0;
 }
diff --git a/wufuc/entrypoint.c b/wufuc/entrypoint.c
index 90566b8..041cc9b 100644
--- a/wufuc/entrypoint.c
+++ b/wufuc/entrypoint.c
@@ -14,9 +14,9 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
 	SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
 	TCHAR lpGroupName[256];
 	DWORD dwProcessId;
-	BOOL result = QueryServiceProcessId(hSCManager, _T("wuauserv"), &dwProcessId);
-	if (!result && GetServiceGroupName(hSCManager, _T("wuauserv"), lpGroupName, _countof(lpGroupName))) {
-		result = FindServiceGroupProcessId(hSCManager, lpGroupName, &dwProcessId);
+	BOOL result = get_svcpid(hSCManager, _T("wuauserv"), &dwProcessId);
+	if (!result && get_svcgname(hSCManager, _T("wuauserv"), lpGroupName, _countof(lpGroupName))) {
+		result = get_svcgpid(hSCManager, lpGroupName, &dwProcessId);
 	}
 	CloseServiceHandle(hSCManager);
 	if (!result) {
diff --git a/wufuc/process.c b/wufuc/process.c
deleted file mode 100644
index 13a3c5c..0000000
--- a/wufuc/process.c
+++ /dev/null
@@ -1,139 +0,0 @@
-#include <windows.h>
-#include <stdio.h>
-#include <TlHelp32.h>
-#include <tchar.h>
-#include "util.h"
-#include "process.h"
-
-VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress) {
-	LPVOID *lpAddress = FindIAT(hModule, lpFuncName);
-	if (!lpAddress || *lpAddress == lpNewAddress) {
-		return;
-	}
-
-	DWORD flOldProtect;
-	DWORD flNewProtect = PAGE_READWRITE;
-	VirtualProtect(lpAddress, sizeof(LPVOID), flNewProtect, &flOldProtect);
-	if (lpOldAddress) {
-		*lpOldAddress = *lpAddress;
-	}
-	_tdbgprintf(_T("%S %p => %p"), lpFuncName, *lpAddress, lpNewAddress);
-	*lpAddress = lpNewAddress;
-	VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
-}
-
-LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName) {
-	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)hModule;
-	PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((LPBYTE)dos + dos->e_lfanew);
-	PIMAGE_IMPORT_DESCRIPTOR desc = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)dos + nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
-
-	for (PIMAGE_IMPORT_DESCRIPTOR iid = desc; iid->Name != 0; iid++) {
-		for (int i = 0; *(i + (LPVOID*)(iid->FirstThunk + (SIZE_T)hModule)) != NULL; i++) {
-			LPSTR name = (LPSTR)(*(i + (SIZE_T*)(iid->OriginalFirstThunk + (SIZE_T)hModule)) + (SIZE_T)hModule + 2);
-			const uintptr_t n = (uintptr_t)name;
-			if (!(n & (sizeof(n) == 4 ? 0x80000000 : 0x8000000000000000)) && !_stricmp(lpFuncName, name)) {
-				return i + (LPVOID*)(iid->FirstThunk + (SIZE_T)hModule);
-			}
-		}
-	}
-	return NULL;
-}
-
-BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset) {
-	SIZE_T nPatternLength = strlen(lpszPattern);
-	SIZE_T nMaskLength = nPatternLength / 2;
-	if (nMaskLength > nNumberOfBytes || nPatternLength % 2) {
-		return FALSE;
-	}
-
-	LPBYTE lpPattern = malloc(nMaskLength * sizeof(BYTE));
-	BOOL *lpbMask = malloc(nMaskLength * sizeof(BOOL));
-
-	LPSTR p = lpszPattern;
-	BOOL valid = TRUE;
-	for (SIZE_T i = 0; i < nMaskLength; i++) {
-		if (lpbMask[i] = strncmp(p, "??", 2)) {
-			if (sscanf_s(p, "%2hhx", &lpPattern[i]) != 1) {
-				valid = FALSE;
-				break;
-			}
-		}
-		p += 2;
-	}
-	BOOL result = FALSE;
-	if (valid) {
-		for (SIZE_T i = nStart; i < nNumberOfBytes - nStart - (nMaskLength - 1); i++) {
-			BOOL found = TRUE;
-			for (SIZE_T j = 0; j < nMaskLength; j++) {
-				if (lpbMask[j] && lpBytes[i + j] != lpPattern[j]) {
-					found = FALSE;
-					break;
-				}
-			}
-			if (found) {
-				*lpOffset = i;
-				result = TRUE;
-				break;
-			}
-		}
-	}
-	free(lpPattern);
-	free(lpbMask);
-	return result;
-}
-
-BOOL InjectLibrary(HANDLE hProcess, LPCTSTR lpLibFileName, DWORD cb) {
-	LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, cb, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
-	if (!WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, cb, NULL)) {
-		return FALSE;
-	}
-	DWORD dwProcessId = GetProcessId(hProcess);
-	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
-	MODULEENTRY32 me;
-	me.dwSize = sizeof(me);
-
-	Module32First(hSnap, &me);
-	do {
-		if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
-			break;
-		}
-	} while (Module32Next(hSnap, &me));
-	CloseHandle(hSnap);
-	_tdbgprintf(_T("Injecting %s into process %d"), lpLibFileName, dwProcessId);
-	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
-	CloseHandle(hThread);
-	return TRUE;
-}
-
-VOID SuspendProcess(HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
-	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
-	THREADENTRY32 te;
-	te.dwSize = sizeof(te);
-	Thread32First(hSnap, &te);
-
-	DWORD dwProcessId = GetCurrentProcessId();
-	DWORD dwThreadId = GetCurrentThreadId();
-
-	SIZE_T count = 0;
-
-	do {
-		if (te.th32OwnerProcessID != dwProcessId || te.th32ThreadID == dwThreadId) {
-			continue;
-		}
-		lphThreads[count] = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
-		SuspendThread(lphThreads[count]);
-		count++;
-	} while (count < dwSize && Thread32Next(hSnap, &te));
-	CloseHandle(hSnap);
-
-	*lpcb = count;
-	_tdbgprintf(_T("Suspended other threads."));
-}
-
-VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T cb) {
-	for (SIZE_T i = 0; i < cb; i++) {
-		ResumeThread(lphThreads[i]);
-		CloseHandle(lphThreads[i]);
-	}
-	_tdbgprintf(_T("Resumed threads."));
-}
diff --git a/wufuc/process.h b/wufuc/process.h
deleted file mode 100644
index 537a4f7..0000000
--- a/wufuc/process.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#pragma once
-
-VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress);
-
-#define DETOUR_IAT(x, y) \
-	LPVOID __LPORIGINAL##y; \
-	DetourIAT(x, #y, &__LPORIGINAL##y, &_##y)
-
-#define RESTORE_IAT(x, y) \
-	DetourIAT(x, #y, NULL, __LPORIGINAL##y)
-
-LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
-
-BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset);
-
-BOOL InjectLibrary(HANDLE hProcess, LPCTSTR lpLibFileName, DWORD cb);
-
-VOID SuspendProcess(HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb);
-
-VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);
diff --git a/wufuc/service.c b/wufuc/service.c
index b59b824..936ab80 100644
--- a/wufuc/service.c
+++ b/wufuc/service.c
@@ -2,8 +2,9 @@
 #include <tchar.h>
 #include "util.h"
 #include "service.h"
+#include "shellapihelper.h"
 
-BOOL QueryServiceBinaryPathName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize) {
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize) {
 	HANDLE hService = OpenService(hSCManager, lpServiceName, SERVICE_QUERY_CONFIG);
 	if (!hService) {
 		return FALSE;
@@ -22,7 +23,7 @@ BOOL QueryServiceBinaryPathName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPT
 	return result;
 }
 
-BOOL QueryServiceProcessId(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessId) {
+BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessId) {
 	SC_HANDLE hService = OpenService(hSCManager, lpServiceName, SERVICE_QUERY_STATUS);
 	if (!hService) {
 		return FALSE;
@@ -34,15 +35,15 @@ BOOL QueryServiceProcessId(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *l
 	if (QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&lpBuffer, sizeof(lpBuffer), &cbBytesNeeded) && lpBuffer.dwProcessId) {
 		*lpdwProcessId = lpBuffer.dwProcessId;
 		result = TRUE;
-		_tdbgprintf(_T("Found %s pid %d"), lpServiceName, *lpdwProcessId);
+		_tdbgprintf(_T("QueryServiceProcessId: Found %s pid %d"), lpServiceName, *lpdwProcessId);
 	}
 	CloseServiceHandle(hService);
 	return result;
 }
 
-BOOL GetServiceGroupName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize) {
+BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize) {
 	TCHAR lpBinaryPathName[0x8000];
-	if (!QueryServiceBinaryPathName(hSCManager, lpServiceName, lpBinaryPathName, _countof(lpBinaryPathName))) {
+	if (!get_svcpath(hSCManager, lpServiceName, lpBinaryPathName, _countof(lpBinaryPathName))) {
 		return FALSE;
 	}
 	int numArgs;
@@ -57,7 +58,7 @@ BOOL GetServiceGroupName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpG
 	BOOL result = FALSE;
 	if (!_tcsicmp(fname, _T("svchost"))) {
 		LPWSTR *p = argv;
-		for (int i = 0; i + 1 < numArgs; i++) {
+		for (int i = 1; i < numArgs; i++) {
 			if (!_tcsicmp(*(p++), _T("-k"))) {
 				_tcscpy_s(lpGroupName, dwSize, *p);
 				result = TRUE;
@@ -69,28 +70,29 @@ BOOL GetServiceGroupName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpG
 	return result;
 }
 
-BOOL FindServiceGroupProcessId(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
+BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
 	DWORD uBytes = 0x100000;
 	LPBYTE pvData = malloc(uBytes);
 
 	RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"), lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
 
-	LPTSTR ptr = (LPTSTR)pvData;
+	LPTSTR lpSvc = (LPTSTR)pvData;
 
 	BOOL result = FALSE;
-	while (*ptr) {
+	while (*lpSvc) {
 		DWORD dwProcessId;
-		if (QueryServiceProcessId(hSCManager, ptr, &dwProcessId)) {
-			TCHAR group[256];
-			GetServiceGroupName(hSCManager, ptr, group, _countof(group));
+		TCHAR group[256];
+		if (get_svcpid(hSCManager, lpSvc, &dwProcessId)) {
+			get_svcgname(hSCManager, lpSvc, group, _countof(group));
 			result = !_tcsicmp(group, lpServiceGroupName);
+			if (result) {
+			}
 		}
 		if (result) {
-			_tdbgprintf(_T("Found %s pid %d"), lpServiceGroupName, dwProcessId);
 			*lpdwProcessId = dwProcessId;
 			break;
 		}
-		ptr += _tcslen(ptr) + 1;
+		lpSvc += _tcslen(lpSvc) + 1;
 	}
 	LocalFree(pvData);
 	return result;
diff --git a/wufuc/service.h b/wufuc/service.h
index 99090d1..901188a 100644
--- a/wufuc/service.h
+++ b/wufuc/service.h
@@ -1,9 +1,9 @@
 #pragma once
 
-BOOL QueryServiceBinaryPathName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
 
-BOOL QueryServiceProcessId(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessId);
+BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessId);
 
-BOOL GetServiceGroupName(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize);
+BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize);
 
-BOOL FindServiceGroupProcessId(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId);
+BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId);
diff --git a/wufuc/shellapihelper.h b/wufuc/shellapihelper.h
new file mode 100644
index 0000000..c5fec9a
--- /dev/null
+++ b/wufuc/shellapihelper.h
@@ -0,0 +1,7 @@
+#pragma once
+
+#ifdef UNICODE
+#define CommandLineToArgv  CommandLineToArgvW
+#else
+#define CommandLineToArgv  CommandLineToArgvA
+#endif // !UNICODE
diff --git a/wufuc/util.c b/wufuc/util.c
index 983f8e7..60da512 100644
--- a/wufuc/util.c
+++ b/wufuc/util.c
@@ -1,6 +1,7 @@
 #include <Windows.h>
 #include <stdio.h>
 #include <VersionHelpers.h>
+#include <TlHelp32.h>
 #include <tchar.h>
 #include "util.h"
 
@@ -16,6 +17,136 @@ BOOL IsWindows8Point1(void) {
 	return IsWindows8Point1OrGreater() && !IsWindows10OrGreater();
 }
 
+VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress) {
+	LPVOID *lpAddress = FindIAT(hModule, lpFuncName);
+	if (!lpAddress || *lpAddress == lpNewAddress) {
+		return;
+	}
+
+	DWORD flOldProtect;
+	DWORD flNewProtect = PAGE_READWRITE;
+	VirtualProtect(lpAddress, sizeof(LPVOID), flNewProtect, &flOldProtect);
+	if (lpOldAddress) {
+		*lpOldAddress = *lpAddress;
+	}
+	_tdbgprintf(_T("%S %p => %p"), lpFuncName, *lpAddress, lpNewAddress);
+	*lpAddress = lpNewAddress;
+	VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
+}
+
+LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName) {
+	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)hModule;
+	PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((LPBYTE)dos + dos->e_lfanew);
+	PIMAGE_IMPORT_DESCRIPTOR desc = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)dos + nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
+
+	for (PIMAGE_IMPORT_DESCRIPTOR iid = desc; iid->Name != 0; iid++) {
+		for (int i = 0; *(i + (LPVOID*)(iid->FirstThunk + (SIZE_T)hModule)) != NULL; i++) {
+			LPSTR name = (LPSTR)(*(i + (SIZE_T*)(iid->OriginalFirstThunk + (SIZE_T)hModule)) + (SIZE_T)hModule + 2);
+			const uintptr_t n = (uintptr_t)name;
+			if (!(n & (sizeof(n) == 4 ? 0x80000000 : 0x8000000000000000)) && !_stricmp(lpFuncName, name)) {
+				return i + (LPVOID*)(iid->FirstThunk + (SIZE_T)hModule);
+			}
+		}
+	}
+	return NULL;
+}
+
+BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset) {
+	SIZE_T nPatternLength = strlen(lpszPattern);
+	SIZE_T nMaskLength = nPatternLength / 2;
+	if (nMaskLength > nNumberOfBytes || nPatternLength % 2) {
+		return FALSE;
+	}
+
+	LPBYTE lpPattern = malloc(nMaskLength * sizeof(BYTE));
+	BOOL *lpbMask = malloc(nMaskLength * sizeof(BOOL));
+
+	LPSTR p = lpszPattern;
+	BOOL valid = TRUE;
+	for (SIZE_T i = 0; i < nMaskLength; i++) {
+		if (lpbMask[i] = strncmp(p, "??", 2)) {
+			if (sscanf_s(p, "%2hhx", &lpPattern[i]) != 1) {
+				valid = FALSE;
+				break;
+			}
+		}
+		p += 2;
+	}
+	BOOL result = FALSE;
+	if (valid) {
+		for (SIZE_T i = nStart; i < nNumberOfBytes - nStart - (nMaskLength - 1); i++) {
+			BOOL found = TRUE;
+			for (SIZE_T j = 0; j < nMaskLength; j++) {
+				if (lpbMask[j] && lpBytes[i + j] != lpPattern[j]) {
+					found = FALSE;
+					break;
+				}
+			}
+			if (found) {
+				*lpOffset = i;
+				result = TRUE;
+				break;
+			}
+		}
+	}
+	free(lpPattern);
+	free(lpbMask);
+	return result;
+}
+
+BOOL InjectLibrary(HANDLE hProcess, LPCTSTR lpLibFileName, DWORD cb) {
+	LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, cb, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+	if (!WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, cb, NULL)) {
+		return FALSE;
+	}
+	DWORD dwProcessId = GetProcessId(hProcess);
+	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
+	MODULEENTRY32 me;
+	me.dwSize = sizeof(me);
+
+	Module32First(hSnap, &me);
+	do {
+		if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
+			break;
+		}
+	} while (Module32Next(hSnap, &me));
+	CloseHandle(hSnap);
+	_tdbgprintf(_T("Injecting %s into process %d"), lpLibFileName, dwProcessId);
+	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
+	CloseHandle(hThread);
+	return TRUE;
+}
+
+VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
+	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
+	THREADENTRY32 te;
+	te.dwSize = sizeof(te);
+	Thread32First(hSnap, &te);
+
+	SIZE_T count = 0;
+
+	do {
+		if (te.th32OwnerProcessID != dwProcessId || te.th32ThreadID == dwThreadId) {
+			continue;
+		}
+		lphThreads[count] = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
+		SuspendThread(lphThreads[count]);
+		count++;
+	} while (count < dwSize && Thread32Next(hSnap, &te));
+	CloseHandle(hSnap);
+
+	*lpcb = count;
+	_tdbgprintf(_T("Suspended other threads."));
+}
+
+VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T cb) {
+	for (SIZE_T i = 0; i < cb; i++) {
+		ResumeThread(lphThreads[i]);
+		CloseHandle(lphThreads[i]);
+	}
+	_tdbgprintf(_T("Resumed threads."));
+}
+
 VOID _wdbgprintf(LPCWSTR format, ...) {
 	WCHAR buffer[0x1000];
 	va_list argptr;
diff --git a/wufuc/util.h b/wufuc/util.h
index 029da36..d5c53c3 100644
--- a/wufuc/util.h
+++ b/wufuc/util.h
@@ -9,6 +9,25 @@ BOOL IsWindows7(void);
 
 BOOL IsWindows8Point1(void);
 
+VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress);
+
+#define DETOUR_IAT(x, y) \
+	LPVOID __LPORIGINAL##y; \
+	DetourIAT(x, #y, &__LPORIGINAL##y, &_##y)
+
+#define RESTORE_IAT(x, y) \
+	DetourIAT(x, #y, NULL, __LPORIGINAL##y)
+
+LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
+
+BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset);
+
+BOOL InjectLibrary(HANDLE hProcess, LPCTSTR lpLibFileName, DWORD cb);
+
+VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb);
+
+VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);
+
 VOID _wdbgprintf(LPCWSTR format, ...);
 VOID _dbgprintf(LPCSTR format, ...);
 //#ifdef _DEBUG
@@ -21,8 +40,3 @@ VOID _dbgprintf(LPCSTR format, ...);
 //#define _tdbgprintf(format, ...)
 //#endif // !_DEBUG
 
-#ifdef UNICODE
-#define CommandLineToArgv  CommandLineToArgvW
-#else
-#define CommandLineToArgv  CommandLineToArgvA
-#endif // !UNICODE
diff --git a/wufuc/wufuc.vcxproj b/wufuc/wufuc.vcxproj
index 4bf7759..fc92c11 100644
--- a/wufuc/wufuc.vcxproj
+++ b/wufuc/wufuc.vcxproj
@@ -168,7 +168,6 @@
     <ClCompile Include="core.c" />
     <ClCompile Include="dllmain.c" />
     <ClCompile Include="entrypoint.c" />
-    <ClCompile Include="process.c" />
     <ClCompile Include="service.c" />
     <ClCompile Include="util.c" />
   </ItemGroup>
@@ -177,8 +176,8 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="core.h" />
-    <ClInclude Include="process.h" />
     <ClInclude Include="service.h" />
+    <ClInclude Include="shellapihelper.h" />
     <ClInclude Include="util.h" />
   </ItemGroup>
   <ItemGroup>