better logging

wufuc/core.c

@@ -52,7 +52,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 
     WaitForSingleObject(hEvent, INFINITE);
 
-    _tdbgprintf(_T("Received wufuc_UnloadEvent, removing hooks."));
+    _tdbgprintf(_T("Unload event was set, removing hooks."));
 
     SuspendProcessThreads(dwProcessId, dwThreadId, lphThreads, _countof(lphThreads), &cb);
     RESTORE_IAT(hm, LoadLibraryExA);
@@ -110,9 +110,11 @@ BOOL PatchWUModule(HMODULE hModule) {
 
     SIZE_T rva;
     if (!FindPattern(modinfo.lpBaseOfDll, modinfo.SizeOfImage, lpszPattern, 0, &rva)) {
+        _tdbgprintf(_T("Could not match byte pattern. Not good!"));
         return FALSE;
     }
     SIZE_T fpIsDeviceServiceable = (SIZE_T)modinfo.lpBaseOfDll + rva;
+    _tdbgprintf(_T("Matched pattern at %p"), fpIsDeviceServiceable);
 
     BOOL *lpbNotRunOnce = (BOOL *)(fpIsDeviceServiceable + n1 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n1));
     if (*lpbNotRunOnce) {
@@ -121,7 +123,7 @@ BOOL PatchWUModule(HMODULE hModule) {
         VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flNewProtect, &flOldProtect);
         *lpbNotRunOnce = FALSE;
         VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flOldProtect, &flNewProtect);
-        _tdbgprintf(_T("Patched %p=%d"), lpbNotRunOnce, *lpbNotRunOnce);
+        _tdbgprintf(_T("Patched value at %p = %d"), lpbNotRunOnce, *lpbNotRunOnce);
     }
 
     BOOL *lpbCachedResult = (BOOL *)(fpIsDeviceServiceable + n2 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n2));
@@ -131,7 +133,7 @@ BOOL PatchWUModule(HMODULE hModule) {
         VirtualProtect(lpbCachedResult, sizeof(BOOL), flNewProtect, &flOldProtect);
         *lpbCachedResult = TRUE;
         VirtualProtect(lpbCachedResult, sizeof(BOOL), flOldProtect, &flNewProtect);
-        _tdbgprintf(_T("Patched %p=%d"), lpbCachedResult, *lpbCachedResult);
+        _tdbgprintf(_T("Patched value at %p = %d"), lpbCachedResult, *lpbCachedResult);
     }
     return TRUE;
 }
@@ -142,11 +144,13 @@ HMODULE WINAPI _LoadLibraryExA(
     _In_       DWORD   dwFlags
 ) {
     HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
+    _dbgprintf("Loaded library: %s.", lpFileName);
 
     CHAR path[MAX_PATH + 1];
     get_svcdllA("wuauserv", path, _countof(path));
 
     if (!_stricmp(lpFileName, path)) {
+        _dbgprintf("%s is wu module, applying patch...", lpFileName);
         PatchWUModule(result);
     }
     return result;
@@ -158,11 +162,13 @@ HMODULE WINAPI _LoadLibraryExW(
     _In_       DWORD   dwFlags
 ) {
     HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
+    _wdbgprintf(L"Loaded library: %s.", lpFileName);
 
     WCHAR path[MAX_PATH + 1];
     get_svcdllW(L"wuauserv", path, _countof(path));
 
     if (!_wcsicmp(lpFileName, path)) {
+        _wdbgprintf(L"%s is wu module, applying patch...", lpFileName);
         PatchWUModule(result);
     }
     return result;

wufuc/entrypoint.c

@@ -24,14 +24,13 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
     }
     TCHAR lpLibFileName[MAX_PATH + 1];
     GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
-
     InjectLibrary(dwProcessId, lpLibFileName, _countof(lpLibFileName));
 }
 
 void CALLBACK Rundll32Unload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
     HANDLE hEvent = OpenEvent(EVENT_MODIFY_STATE, FALSE, _T("Global\\wufuc_UnloadEvent"));
     if (hEvent) {
-        _tdbgprintf(_T("Setting wufuc_UnloadEvent..."));
+        _tdbgprintf(_T("Setting unload event..."));
         SetEvent(hEvent);
         CloseHandle(hEvent);
     }

wufuc/service.c

@@ -5,24 +5,6 @@
 #include "service.h"
 #include "shellapihelper.h"
 
-BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize) {
-    HANDLE hService = OpenService(hSCManager, lpServiceName, SERVICE_QUERY_CONFIG);
-    if (!hService) {
-        return FALSE;
-    }
-
-    DWORD cbBytesNeeded;
-    QueryServiceConfig(hService, NULL, 0, &cbBytesNeeded);
-    LPQUERY_SERVICE_CONFIG sc = malloc(cbBytesNeeded);
-    BOOL result = QueryServiceConfig(hService, sc, cbBytesNeeded, &cbBytesNeeded);
-    CloseServiceHandle(hService);
-    if (result) {
-        _tcscpy_s(lpBinaryPathName, dwSize, sc->lpBinaryPathName);
-    }
-    free(sc);
-    return result;
-}
-
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize) {
     CHAR lpSubKey[MAX_PATH + 1];
     sprintf_s(lpSubKey, _countof(lpSubKey), "SYSTEM\\CurrentControlSet\\services\\%s\\Parameters", lpServiceName);
@@ -61,6 +43,7 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
         && lpBuffer.dwProcessId) {
         
         *lpdwProcessId = lpBuffer.dwProcessId;
+        _tdbgprintf(_T("Got pid for service %s: %d."), lpServiceName, *lpdwProcessId);
         result = TRUE;
     }
     CloseServiceHandle(hService);
@@ -88,6 +71,7 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
             if (!_tcsicmp(*(p++), _T("-k"))) {
                 _tcscpy_s(lpGroupName, dwSize, *p);
                 result = TRUE;
+                _tdbgprintf(_T("Got group name of service %s: %s."), lpServiceName, lpGroupName);
                 break;
             }
         }
@@ -95,6 +79,24 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
     return result;
 }
 
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize) {
+    HANDLE hService = OpenService(hSCManager, lpServiceName, SERVICE_QUERY_CONFIG);
+    if (!hService) {
+        return FALSE;
+    }
+
+    DWORD cbBytesNeeded;
+    QueryServiceConfig(hService, NULL, 0, &cbBytesNeeded);
+    LPQUERY_SERVICE_CONFIG sc = malloc(cbBytesNeeded);
+    BOOL result = QueryServiceConfig(hService, sc, cbBytesNeeded, &cbBytesNeeded);
+    CloseServiceHandle(hService);
+    if (result) {
+        _tcscpy_s(lpBinaryPathName, dwSize, sc->lpBinaryPathName);
+    }
+    free(sc);
+    return result;
+}
+
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
     DWORD uBytes = 0x100000;
     LPBYTE pvData = malloc(uBytes);
@@ -112,6 +114,7 @@ BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwPro
         }
         if (result) {
             *lpdwProcessId = dwProcessId;
+            _tdbgprintf(_T("Got pid for service group %s: %d."), lpServiceGroupName, *lpdwProcessId);
             break;
         }
     }

wufuc/service.h

@@ -1,6 +1,5 @@
 #pragma once
 
-BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
 
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize);
 
@@ -10,4 +9,6 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
 
 BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize);
 
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
+
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId);

wufuc/util.c

@@ -17,7 +17,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
     if (lpOldAddress) {
         *lpOldAddress = *lpAddress;
     }
-    _dbgprintf("%s %p => %p", lpFuncName, *lpAddress, lpNewAddress);
+    _dbgprintf("Detoured %s from %p to %p.", lpFuncName, *lpAddress, lpNewAddress);
     *lpAddress = lpNewAddress;
     VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
 }
@@ -97,7 +97,7 @@ BOOL InjectLibrary(DWORD dwProcessId, LPCTSTR lpLibFileName, DWORD cb) {
         }
     } while (Module32Next(hSnap, &me));
     CloseHandle(hSnap);
-    _tdbgprintf(_T("Injecting %s into process %d"), lpLibFileName, dwProcessId);
+
     HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
     CloseHandle(hThread);
     CloseHandle(hProcess);