From ce7e6dd1663a2ea0e7041868a33663af69e3cb8d Mon Sep 17 00:00:00 2001
From: zeffy
Date: Thu, 8 Jun 2017 13:44:03 -0700
Subject: [PATCH] more error checking
---
 wufuc/core.c       | 14 ++++++++++++--
 wufuc/entrypoint.c | 31 ++++++++++++++++++++++++++++++-
 wufuc/service.c    | 12 +++++-------
 wufuc/util.c       | 24 ------------------------
 wufuc/util.h       |  2 --
 5 files changed, 47 insertions(+), 36 deletions(-)
diff --git a/wufuc/core.c b/wufuc/core.c
index 1c3fb7c..9dcbec3 100644
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -149,10 +149,15 @@ HMODULE WINAPI _LoadLibraryExA(
     _In_ DWORD dwFlags
 ) {
     HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
+    if (!result) {
+        return result;
+    }
     _dbgprintf("Loaded library: %s.", lpFileName);
     CHAR path[MAX_PATH + 1];
-    get_svcdllA("wuauserv", path, _countof(path));
+    if (!get_svcdllA("wuauserv", path, _countof(path))) {
+        return result;
+    }
     if (!_stricmp(lpFileName, path)) {
         _dbgprintf("%s is wu module, applying patch...", lpFileName);
@@ -167,10 +172,15 @@ HMODULE WINAPI _LoadLibraryExW(
     _In_ DWORD dwFlags
 ) {
     HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
+    if (!result) {
+        return result;
+    }
     _wdbgprintf(L"Loaded library: %s.", lpFileName);
     WCHAR path[MAX_PATH + 1];
-    get_svcdllW(L"wuauserv", path, _countof(path));
+    if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
+        return result;
+    }
     if (!_wcsicmp(lpFileName, path)) {
         _wdbgprintf(L"%s is wu module, applying patch...", lpFileName);
diff --git a/wufuc/entrypoint.c b/wufuc/entrypoint.c
index b55d860..a37e600 100644
--- a/wufuc/entrypoint.c
+++ b/wufuc/entrypoint.c
@@ -12,6 +12,9 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
         return;
     }
     SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
+    if (!hSCManager) {
+        return;
+    }
     TCHAR lpGroupName[256];
     DWORD dwProcessId;
     BOOL result = get_svcpid(hSCManager, _T("wuauserv"), &dwProcessId);
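Review bot: The new `return result;` after a failed get_svcdllA is silent, whereas every other step in _LoadLibraryExA is traced through _dbgprintf, so a failed service-path lookup leaves no record that the patch was skipped; a line such as `_dbgprintf("get_svcdllA failed, not patching %s.", lpFileName);` before the return would keep the function's diagnostics consistent. The same applies to the get_svcdllW return in the _LoadLibraryExW hunk and to the bare `return;` after OpenSCManager in entrypoint.c, where `GetLastError()` is the value worth recording. Both LoadLibraryEx wrappers start and end outside their hunks, and Rundll32Entry continues past its hunk. As a point of style, `_LoadLibraryExA` and `_LoadLibraryExW` (leading underscore followed by an uppercase letter) are identifiers reserved for the implementation in C, and a project prefix would avoid the clash.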
@@ -24,7 +27,33 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
     }
     TCHAR lpLibFileName[MAX_PATH + 1];
     GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
-    InjectLibrary(dwProcessId, lpLibFileName, _countof(lpLibFileName));
+
+    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
+    if (!hProcess) {
+        return;
+    }
+    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, _countof(lpLibFileName) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, _countof(lpLibFileName), NULL)) {
+
+        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
+        if (hSnap) {
+            MODULEENTRY32 me;
+            me.dwSize = sizeof(me);
+
+            if (Module32First(hSnap, &me)) {
+                do {
+                    if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
+                        break;
+                    }
+                } while (Module32Next(hSnap, &me));
+
+                HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
+                CloseHandle(hThread);
+            }
+            CloseHandle(hSnap);
+        }
+    }
+    CloseHandle(hProcess);
 }
 
 void CALLBACK Rundll32Unload(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
diff --git a/wufuc/service.c b/wufuc/service.c
index 110e77f..58a47c4 100644
--- a/wufuc/service.c
+++ b/wufuc/service.c
@@ -41,7 +41,7 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
     BOOL result = FALSE;
     if (QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&lpBuffer, sizeof(lpBuffer), &cbBytesNeeded) && lpBuffer.dwProcessId) {
-
+        *lpdwProcessId = lpBuffer.dwProcessId;
         _tdbgprintf(_T("Got pid for service %s: %d."), lpServiceName, *lpdwProcessId);
         result = TRUE;
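Review bot: `if (hSnap) {` tests the wrong failure value for the new CreateToolhelp32Snapshot call: that API returns INVALID_HANDLE_VALUE rather than NULL on failure, so the branch is always entered and CloseHandle later runs on the invalid handle; the check should read `if (hSnap != INVALID_HANDLE_VALUE) {`. The sizes handed to VirtualAllocEx (`_countof(lpLibFileName) + 1`) and WriteProcessMemory (`_countof(lpLibFileName)`) are TCHAR counts, but both parameters are byte counts, so a UNICODE build copies only half of the buffer; `sizeof(lpLibFileName)` is the right value in both places. When the do/while exhausts the module list without matching kernel32.dll, `me` still holds the last enumerated module and GetProcAddress/CreateRemoteThread run against it, so the match should be recorded in a found flag that guards the CreateRemoteThread block, and `hThread` should be NULL-checked before CloseHandle. Rundll32Entry starts outside this hunk, and neither the new `return;` after OpenProcess nor the path to the closing brace shows a CloseServiceHandle for the hSCManager opened in the previous hunk, so unless it is closed in the lines between the two hunks (not visible here) the handle leaks on every exit. GetModuleFileName on the context line above is also unchecked, which leaves lpLibFileName unset or truncated if it fails.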
@@ -100,7 +100,6 @@ BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPat
 BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId) {
     DWORD uBytes = 0x100000;
     LPBYTE pvData = malloc(uBytes);
-
     RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"), lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
@@ -108,12 +107,11 @@ BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwPro
     for (LPTSTR p = (LPTSTR)pvData; *p; p += _tcslen(p) + 1) {
         DWORD dwProcessId;
         TCHAR group[256];
-        if (get_svcpid(hSCManager, p, &dwProcessId)) {
-            get_svcgname(hSCManager, p, group, _countof(group));
-            result = !_tcsicmp(group, lpServiceGroupName);
-        }
-        if (result) {
+        if (get_svcpid(hSCManager, p, &dwProcessId)
+            && (get_svcgname(hSCManager, p, group, _countof(group)) && !_tcsicmp(group, lpServiceGroupName))) {
+            *lpdwProcessId = dwProcessId;
+            result = TRUE;
             _tdbgprintf(_T("Got pid for service group %s: %d."), lpServiceGroupName, *lpdwProcessId);
             break;
         }
diff --git a/wufuc/util.c b/wufuc/util.c
index 674eb7e..be4dbb5 100644
--- a/wufuc/util.c
+++ b/wufuc/util.c
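Review bot: The rewritten loop in get_svcgpid still walks `pvData` with no check that the `malloc(uBytes)` in the preceding hunk succeeded or that RegGetValue returned ERROR_SUCCESS, so on either failure `*p` reads through NULL or an uninitialized 1 MiB heap block; add `if (!pvData) { return FALSE; }` after the malloc and `if (RegGetValue(...) != ERROR_SUCCESS) { free(pvData); return FALSE; }` in place of the unchecked call. Whether pvData is freed after the loop is outside the hunk, as is the end of the function, so the new `break;` path cannot be checked for a leak here. On the context line below the new assignments, `%d` is used for a DWORD (`*lpdwProcessId`); `%lu` matches the type, and the same applies to the _tdbgprintf in the get_svcpid hunk of this file.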
@@ -80,30 +80,6 @@ BOOL FindPattern(LPCBYTE pvData, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_
     return result;
 }
 
-BOOL InjectLibrary(DWORD dwProcessId, LPCTSTR lpLibFileName, DWORD cb) {
-    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
-    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, cb, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
-    if (!WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, cb, NULL)) {
-        return FALSE;
-    }
-    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
-    MODULEENTRY32 me;
-    me.dwSize = sizeof(me);
-
-    Module32First(hSnap, &me);
-    do {
-        if (!_tcsicmp(me.szModule, _T("kernel32.dll"))) {
-            break;
-        }
-    } while (Module32Next(hSnap, &me));
-    CloseHandle(hSnap);
-
-    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(me.hModule, _CRT_STRINGIZE(LoadLibrary)), lpBaseAddress, 0, NULL);
-    CloseHandle(hThread);
-    CloseHandle(hProcess);
-    return TRUE;
-}
-
 VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
     HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
     THREADENTRY32 te;
diff --git a/wufuc/util.h b/wufuc/util.h
index 23f30d9..c62c48e 100644
--- a/wufuc/util.h
+++ b/wufuc/util.h
@@ -16,8 +16,6 @@ LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
 BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset);
-BOOL InjectLibrary(DWORD dwProcessId, LPCTSTR lpLibFileName, DWORD cb);
-
 VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb);
 VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);