optimize dll injection and fix memory leaks

- use ZeroMemory where applicable
- fixed a couple memory leaks
- optimized dll injection (before it would allocate+write
MAX_PATH*sizeof(TCHAR) bytes to svchost.exe, now it will only
allocate+write what is needed to fit the dll path)

wufuc/core.c

@@ -22,6 +22,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
     }
 
     SECURITY_ATTRIBUTES sa;
+    ZeroMemory(&sa, sizeof(SECURITY_ATTRIBUTES));
     sa.nLength = sizeof(SECURITY_ATTRIBUTES);
     ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:PAI(A;;FA;;;BA)"), SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL);
     sa.bInheritHandle = FALSE;

wufuc/patternfind.c

@@ -63,6 +63,7 @@ SIZE_T patternfind(LPCBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR patt
     SIZE_T result = -1;
     SIZE_T searchpatternsize = strlen(pattern);
     LPPATTERNBYTE searchpattern = calloc(searchpatternsize, sizeof(PATTERNBYTE));
+    
     if (patterntransform(pattern, searchpattern, &searchpatternsize)) {
         for (SIZE_T i = startindex, j = 0; i < datasize; i++) //search for the pattern
         {
@@ -79,6 +80,7 @@ SIZE_T patternfind(LPCBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR patt
             }
         }
     }
+    free(searchpattern);
     return result;
 }
 
@@ -100,12 +102,12 @@ VOID patternwrite(LPBYTE data, SIZE_T datasize, LPCSTR pattern) {
         writepatternsize = datasize;
     }
     LPPATTERNBYTE writepattern = calloc(writepatternsize, sizeof(PATTERNBYTE));
-    if (!patterntransform(pattern, writepattern, &writepatternsize)) {
+    if (patterntransform(pattern, writepattern, &writepatternsize)) {
-        return;
+        for (size_t i = 0; i < writepatternsize; i++) {
-    }
+            patternwritebyte(&data[i], &writepattern[i]);
-    for (size_t i = 0; i < writepatternsize; i++) {
+        }
-        patternwritebyte(&data[i], &writepattern[i]);
     }
+    free(writepattern);
 }
 
 SIZE_T patternsnr(LPBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR searchpattern, LPCSTR replacepattern) {

wufuc/rundll32.c

@@ -50,15 +50,19 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
     if (!result) {
         return;
     }
-    TCHAR lpLibFileName[MAX_PATH];
-    GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
 
     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
     if (!hProcess) {
         return;
     }
-    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(lpLibFileName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    
-    if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, sizeof(lpLibFileName), NULL)) {
+    TCHAR lpLibFileName[MAX_PATH];
+    GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
+
+    SIZE_T size = (_tcslen(lpLibFileName) + 1) * sizeof(TCHAR);
+
+    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, size, NULL)) {
 
         HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, 
             (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), 

wufuc/util.c

@@ -55,6 +55,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
 VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
     HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
     THREADENTRY32 te;
+    ZeroMemory(&te, sizeof(THREADENTRY32));
     te.dwSize = sizeof(te);
     Thread32First(hSnap, &te);