Assuming the 14 is a line number, the line reads:

FAsm: Shared\ImpersonateUserRunasHidden.asm
flat assembler version 1.67.26 (xxxx kilobytes memory)
Functions\Shared\ImpersonateUserRunasHidden.asm [14]:
Extrn qword [rsp+296]

Whole asm file:
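; fasm source emitted by the PureBasic x64 compiler for
;   Procedure ImpersonateUserRunasHidden(CommandLine.s, Argument.s)
; Target: Windows x64 COFF object, Microsoft x64 calling convention.
format MS64 COFF
Public Droopy_ImpersonateUserRunasHidden
; PureBasic runtime helpers (string pool, library loading, string conversion).
Extrn SYS_FastAllocateString4
Extrn PB_Left
Extrn SYS_StringEqual
Extrn SYS_CopyString
Extrn SYS_AllocateString4
Extrn PB_OpenLibrary
Extrn PB_GetFunction
Extrn SYS_ToUnicode
; FIX: the compiler also emitted `Extrn qword [rsp+296]` at this point, which
; fasm rejects (an [rsp+...] memory operand is not a symbol; this is the line
; the assembler error points at). The operand belongs to the prototype local
; `CreateProcessWithLogon` kept at [rsp+200] in the procedure frame and is
; called indirectly as `CALL qword [rsp+296]` once the argument pushes are
; in place, so no external symbol exists to declare - the line is dropped.
Extrn PB_CloseLibrary
Extrn SYS_FreeString
Extrn PB_StringBasePosition
; Module string literals and globals (credentials and result slots).
Extrn Droopy__S1
Extrn PB_StringBase
Extrn Droopy__S2
Extrn Droopy__S3
Extrn Droopy_v_PasswordG
Extrn Droopy_v_DomainG
Extrn Droopy_v_UsernameG
Extrn Droopy_v_ImpersonateUserRunAsHandle
Extrn Droopy_v_ImpersonateUserRunAsId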
section '.text' code readable executable
;-----------------------------------------------------------------------
; Procedure ImpersonateUserRunasHidden(CommandLine.s, Argument.s)
; Compiler-generated PureBasic x64 code (fasm syntax), Microsoft x64 ABI.
; In:   rcx = CommandLine (PB string pointer), rdx = Argument
; Out:  rax = 1 if CreateProcessWithLogonW returned non-zero, otherwise 0.
;       The Win32 error code is not captured; every failure collapses to 0.
; Side effects:
;   - reads the credentials from the globals Droopy_v_UsernameG,
;     Droopy_v_DomainG and Droopy_v_PasswordG;
;   - writes lpProcessInfo\hProcess (low 32 bits only) to
;     Droopy_v_ImpersonateUserRunAsHandle and dwProcessId to
;     Droopy_v_ImpersonateUserRunAsId, also when the call failed (then 0).
; Frame, relative to rsp after the prologue (16-byte aligned given the
; ABI entry alignment; the low 40 bytes are the callee shadow/scratch area):
;   [rsp+40]  private copy of CommandLine   [rsp+184] retour
;   [rsp+48]  private copy of Argument      [rsp+192] advapi (library handle)
;   [rsp+56]  lpProcessInfo.PROCESS_INFORMATION
;   [rsp+80]  lpStartUpInfo.STARTUPINFO     [rsp+200] CreateProcessWithLogon
;   [rsp+240] (PS40) incoming home slots holding CommandLine, Argument
; NOTE(review):
;   - nothing below writes lpStartUpInfo, so cb, dwFlags and wShowWindow
;     stay 0 from the clear loop: the child window is not hidden by this
;     procedure despite its name, and cb is not sizeof(STARTUPINFO);
;   - lpProcessInfo\hThread ([rsp+64]) is never closed here, and hProcess
;     is only handed out through the 32-bit global;
;   - the plaintext password is read from a global and the UTF-16 copy
;     made by SYS_ToUnicode is not wiped after the call - whether the
;     runtime reclaims/clears that buffer is not visible here, confirm;
;   - lpApplicationName is set explicitly, which avoids the unquoted
;     path ambiguity of passing only a command line.
;-----------------------------------------------------------------------
Droopy_ImpersonateUserRunasHidden:
; Spill the two register arguments into their home slots.
MOV qword [rsp+8],rcx
MOV qword [rsp+16],rdx
; rbp and r15 are callee-saved and are used below (rbp as a base for
; lpProcessInfo, r15 to test the CreateProcessWithLogonW result).
PUSH rbp
PUSH r15
; Offset from rsp (after the frame below is built) to the home slots:
; 8 (return address) + 16 (two pushes) + 176 + 40 = 240.
PS40=240
; Zero 22 qwords (176 bytes) of locals; this is what leaves the
; STARTUPINFO / PROCESS_INFORMATION structures and retour/advapi at 0.
MOV rdx,22
.ClearLoop:
SUB rsp,8
MOV qword [rsp],0
DEC rdx
JNZ .ClearLoop
; 40 bytes of shadow space for outgoing calls; total frame = 216 bytes.
SUB rsp,40
; Take private copies of both string arguments into [rsp+40] / [rsp+48]
; (runtime helper semantics presumed: rcx = destination slot, rdx = source).
MOV rdx,[rsp+PS40+0]
LEA rcx,[rsp+40]
SUB rsp,16
CALL SYS_FastAllocateString4
ADD rsp,16
MOV rdx,[rsp+PS40+8]
LEA rcx,[rsp+48]
SUB rsp,16
CALL SYS_FastAllocateString4
ADD rsp,16
;
; Original history notes (translated from French):
; Wichtel, modified by Droopy (did not execute the exe's argument)
; 16/02/05 / PB 3.92
; Runs "Runas" with a parameter.
; Returns 0 if: the command does not exist / username or password wrong.
; Returns 1 if everything went well.
; 17/04/05: reworked via L() -> simpler / added to the ImpersonateUser lib.
; Runas cannot be started while impersonation is active (disable it first!!)
; 1.31.2: added CompilerIf's to try and make better with unicode
; 1.31.3 (10/11/06): was giving invalid memory access errors, declared prototype to make it work in unicode and ascii modes
; 1.31.3 - (PB4.01 version) moved globals out of procedure (also done on some other functions)
;1.31.4 - may need full path to exe
;
;
; lpProcessInfo.PROCESS_INFORMATION  (address take only; result unused)
LEA rax,[rsp+56]
; lpStartUpInfo.STARTUPINFO          (address take only; result unused)
LEA rax,[rsp+80]
;
; Prepend a space to the argument so it separates from the application
; name once CreateProcessWithLogonW builds the child's command line.
; If Left(Argument,1)<>" "
; Save the temporary-string pool position; it is restored at the POP rdx
; below. Then PB_Left(rcx=Argument, rdx=1, r8=pool position).
PUSH qword [PB_StringBasePosition]
ADD rsp,-8
PUSH qword [PB_StringBasePosition]
PUSH qword 1
PUSH qword [rsp+80]
POP rcx
POP rdx
POP r8
ADD rsp,-32
CALL PB_Left
ADD rsp,40
INC qword [PB_StringBasePosition]
; SYS_StringEqual(rcx=Droopy__S1 (" " per the PB source), rdx=Left() result
; in the string pool). Non-zero means equal -> skip the concatenation.
MOV rcx,Droopy__S1
POP rdx
MOV qword [PB_StringBasePosition],rdx
ADD rdx,[PB_StringBase]
SUB rsp,16
CALL SYS_StringEqual
ADD rsp,16
OR rax,rax
JNE _EndIf5
; Argument=" "+Argument
; Build " " + Argument in the string pool, then re-allocate the local
; Argument copy ([rsp+48]) from it.
PUSH qword [PB_StringBasePosition]
MOV rcx,Droopy__S1
ADD rsp,-40
CALL SYS_CopyString
ADD rsp,40
MOV rcx,qword [rsp+56]
ADD rsp,-40
CALL SYS_CopyString
ADD rsp,40
LEA rcx,[rsp+56]
POP rdx
CALL SYS_AllocateString4
; EndIf
_EndIf5:
;
; retour=0
MOV qword [rsp+184],0
;
; advapi = OpenLibrary(#PB_Any, "ADVAPI32.DLL")
; Droopy__S2 holds the library name; -1 is #PB_Any.
MOV rax,Droopy__S2
PUSH rax
PUSH qword -1
POP rcx
POP rdx
ADD rsp,-32
CALL PB_OpenLibrary
ADD rsp,32
MOV qword [rsp+192],rax
; If advapi
CMP qword [rsp+192],0
JE _EndIf7
; CreateProcessWithLogon.CreateProcessWithLogonW = GetFunction(advapi, "CreateProcessWithLogonW")
; Droopy__S3 holds the export name; the resolved pointer lives at [rsp+200].
MOV rax,Droopy__S3
PUSH rax
PUSH qword [rsp+200]
POP rcx
POP rdx
ADD rsp,-32
CALL PB_GetFunction
ADD rsp,32
MOV qword [rsp+200],rax
; If CreateProcessWithLogon(UsernameG, DomainG, PasswordG, 0,CommandLine,Argument,0,0,#Null,@lpStartUpInfo,@lpProcessInfo) <> 0
; Arguments are pushed right-to-left (11 pushes + 8 bytes of padding keep
; rsp 16-aligned at the call); the first four are then popped into
; rcx/rdx/r8/r9 and 32 bytes of shadow space are reserved.
ADD rsp,-8
; 11: lpProcessInformation = @lpProcessInfo ([rsp+56] in the base frame)
LEA rax,[rsp+64]
MOV rax,rax
PUSH rax
; 10: lpStartupInfo = @lpStartUpInfo ([rsp+80] in the base frame)
LEA rax,[rsp+96]
MOV rax,rax
PUSH rax
; 9: lpCurrentDirectory = #Null, 8: lpEnvironment = 0, 7: dwCreationFlags = 0
PUSH qword 0
PUSH qword 0
PUSH qword 0
; 6: lpCommandLine = Unicode copy of the (space-prefixed) Argument
MOV rcx,qword [rsp+96]
SUB rsp,32
CALL SYS_ToUnicode
ADD rsp,32
PUSH rax
; 5: lpApplicationName = Unicode copy of CommandLine
MOV rcx,qword [rsp+96]
SUB rsp,40
CALL SYS_ToUnicode
ADD rsp,40
PUSH rax
; 4: dwLogonFlags = 0
PUSH qword 0
; 3: lpPassword - plaintext credential read from the module global.
MOV rcx,qword [Droopy_v_PasswordG]
SUB rsp,40
CALL SYS_ToUnicode
ADD rsp,40
PUSH rax
; 2: lpDomain
MOV rcx,qword [Droopy_v_DomainG]
SUB rsp,32
CALL SYS_ToUnicode
ADD rsp,32
PUSH rax
; 1: lpUsername
MOV rcx,qword [Droopy_v_UsernameG]
SUB rsp,40
CALL SYS_ToUnicode
ADD rsp,40
PUSH rax
POP rcx
POP rdx
POP r8
POP r9
ADD rsp,-32
; Indirect call through the local prototype variable: [rsp+200] in the
; base frame is [rsp+296] here (200 + 96 bytes pushed/reserved above).
; This is a stack operand, not a symbol - it must not appear in an Extrn.
CALL qword [rsp+296]
ADD rsp,96
; Success iff the BOOL result is non-zero (r15 was saved in the prologue).
MOV r15,rax
AND r15,r15
JE _EndIf9
; retour=1
MOV qword [rsp+184],1
; EndIf
_EndIf9:
; CloseLibrary(advapi)
PUSH qword [rsp+192]
POP rcx
ADD rsp,-32
CALL PB_CloseLibrary
ADD rsp,32
; EndIf
_EndIf7:
;
;/ Set the Process Handle of the Run Program in ImpersonateUserRunAsHandle (Global)
; ImpersonateUserRunAsHandle= lpProcessInfo\hProcess
; Only the low 32 bits of the 64-bit HANDLE are stored (dword store);
; the global is presumably declared as a long in the PB source - confirm.
LEA rbp,[rsp+56]
PUSH qword [rbp]
POP rax
MOV dword [Droopy_v_ImpersonateUserRunAsHandle],eax
;/ Set the Process id of the Run Program in ImpersonateUserRunAsHandle (Global)
; ImpersonateUserRunAsId.l= lpProcessInfo\dwProcessId
; dwProcessId is at offset 16 (after the two 8-byte handles).
MOVSXD rax,dword [rbp+16]
PUSH rax
POP rax
MOV dword [Droopy_v_ImpersonateUserRunAsId],eax
;
; ProcedureReturn retour
MOV rax,qword [rsp+184]
JMP _EndProcedure41
;
; EndProcedure
; Implicit fall-through return value (unreachable after the JMP above).
XOR rax,rax
_EndProcedure41:
; Preserve the return value across the two string releases.
PUSH rax
MOV rcx,qword [rsp+48]
SUB rsp,32
CALL SYS_FreeString
ADD rsp,32
MOV rcx,qword [rsp+56]
SUB rsp,32
CALL SYS_FreeString
ADD rsp,32
POP rax
; Tear down the 176 + 40 byte frame and restore the saved registers.
ADD rsp,216
POP r15
POP rbp
RET