Redesign to user PID in .ini filename.

AELoader/AELoader.vcxproj

@@ -144,6 +144,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="declarations.hpp" />
+    <ClInclude Include="utility.hpp" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

AELoader/declarations.hpp

@@ -1,8 +1,10 @@
 #pragma once
 
+#include <windows.h>
+
 namespace jbhack {
 
-constexpr WCHAR ini_file_pattern[] = L"%ProgramData%\\AELoader.ini";
+constexpr WCHAR format_ini_file[] = L"\\AELoader.%u.ini";
 
 constexpr WCHAR app_name[] = L"AELoader";
 constexpr WCHAR dll_name[] = L"AELoader.dll";

AELoader/main.cpp

@@ -2,13 +2,15 @@
 #include <wchar.h>
 
 #include "declarations.hpp"
+#include "utility.hpp"
 
 namespace jbhack {
 
 struct event_log_reporter final
 {
-    explicit event_log_reporter(bool const enable) noexcept :
-        handle_(enable ? RegisterEventSourceW(nullptr, app_name) : nullptr)
+    event_log_reporter() noexcept :
+        has_handle_(false),
+        handle_(nullptr)
     {
     }
 
@@ -18,14 +20,16 @@ struct event_log_reporter final
             DeregisterEventSource(handle_);
     }
 
-    void report(WORD const type, DWORD const eventId) const noexcept
+    void report(WORD const type, DWORD const eventId) noexcept
     {
+        ensure_handle();
         if (handle_)
             ReportEventW(handle_, type, 0, eventId, nullptr, 0, 0, nullptr, nullptr);
     }
 
-    void report(WORD const type, DWORD const eventId, WCHAR const * const text) const noexcept
+    void report(WORD const type, DWORD const eventId, WCHAR const * const text) noexcept
     {
+        ensure_handle();
         if (handle_)
         {
             LPCWSTR strings[] = {text};
@@ -34,19 +38,31 @@ struct event_log_reporter final
     }
 
 private:
-    HANDLE const handle_;
-};
+    bool has_handle_;
+    HANDLE handle_;
 
-template<typename Type, DWORD size>
-constexpr DWORD elements_of(Type (&)[size]) noexcept { return size; }
+    void ensure_handle() noexcept
+    {
+        if (has_handle_)
+            return;
+        handle_ = RegisterEventSourceW(nullptr, app_name);
+        has_handle_ = true;
+    }
+};
 
 bool do_hack() noexcept
 {
+    event_log_reporter reporter;
+
     WCHAR ini_file[1024];
-    if (!ExpandEnvironmentStringsW(ini_file_pattern, ini_file, elements_of(ini_file)))
+    if (!get_ini_file(ini_file))
+    {
+        reporter.report(EVENTLOG_ERROR_TYPE, 301);
         return false;
+    }
+    auto && on_exit = make_on_exit_scope([ini_file] { DeleteFileW(ini_file); });
 
-    event_log_reporter const reporter(GetPrivateProfileIntW(app_name, key_enable_event_logs, 0, ini_file) != 0);
+    bool const full_reporting = GetPrivateProfileIntW(app_name, key_enable_event_logs, 0, ini_file) != 0;
 
     {
         WCHAR executable[1024];
@@ -58,10 +74,12 @@ bool do_hack() noexcept
         LPCWSTR ptr = wcsrchr(executable, L'\\');
         if (!ptr || _wcsicmp(++ptr, L"recdisc.exe"))
         {
-            reporter.report(EVENTLOG_ERROR_TYPE, 102, executable);
+            if (full_reporting)
+                reporter.report(EVENTLOG_ERROR_TYPE, 102, executable);
             return false;
         }
-        reporter.report(EVENTLOG_INFORMATION_TYPE, 100, executable);
+        if (full_reporting)
+            reporter.report(EVENTLOG_INFORMATION_TYPE, 100, executable);
     }
 
     {
@@ -81,7 +99,8 @@ bool do_hack() noexcept
         }
         CloseHandle(pi.hThread);
         CloseHandle(pi.hProcess);
-        reporter.report(EVENTLOG_INFORMATION_TYPE, 200, command_line);
+        if (full_reporting)
+            reporter.report(EVENTLOG_INFORMATION_TYPE, 200, command_line);
     }
 
     return true;

AELoader/utility.hpp

@@ -0,0 +1,78 @@
+#pragma once
+
+#include <windows.h>
+#include <wchar.h>
+#include <tlhelp32.h>
+
+#include <type_traits>
+
+namespace jbhack {
+
+template<typename Fn>
+struct on_exit_scope final
+{
+    template<typename Fn1>
+    on_exit_scope(Fn1 && fn) :
+        fn_(std::forward<Fn1>(fn))
+    {
+    }
+
+    on_exit_scope(on_exit_scope const &) = delete;
+    on_exit_scope & operator=(on_exit_scope const &) = delete;
+
+    on_exit_scope(on_exit_scope &&) = delete;
+    on_exit_scope & operator=(on_exit_scope &&) = delete;
+
+    ~on_exit_scope()
+    {
+        try
+        {
+            std::move(fn_)();
+        }
+        catch (...)
+        {
+        }
+    }
+
+private:
+    Fn fn_;
+};
+
+template<typename Fn>
+on_exit_scope<std::decay_t<Fn>> make_on_exit_scope(Fn && fn)
+{
+    return{ std::forward<Fn>(fn) };
+}
+
+template <typename Type, DWORD size>
+constexpr DWORD elements_of(Type (&)[size]) noexcept { return size; }
+
+inline DWORD get_parent_process_id() noexcept
+{
+    HANDLE const handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (handle != INVALID_HANDLE_VALUE)
+    {
+        auto && on_exit = make_on_exit_scope([handle] { CloseHandle(handle); });
+        PROCESSENTRY32 pe;
+        pe.dwSize = sizeof pe;
+        if (Process32First(handle, &pe))
+            do
+                if (pe.th32ProcessID == GetCurrentProcessId())
+                    return pe.th32ParentProcessID;
+            while (Process32Next(handle, &pe));
+    }
+    return 0xFFFFFFFFu; // Note: Zero is reserved for system process!!!
+}
+
+template<size_t size>
+bool get_ini_file(WCHAR (&ini_file)[size])
+{
+    DWORD pos = GetEnvironmentVariableW(L"ProgramData", ini_file, elements_of(ini_file));
+    if (pos == elements_of(ini_file))
+        return false;
+    if (swprintf_s(ini_file + pos, size - pos, format_ini_file, get_parent_process_id()) < 0)
+        return false;
+    return true;
+}
+
+}

README.md

@@ -1,9 +1,9 @@
 # Installation
 
 1. Copy `<architecture>\AELoader.dll` to `%WinDir%\System32`
-2. Update or create `%ProgramData%\AELoader.ini`.
-3. Run `AELoader.Enable.reg` to activate the injection. To deactivate run  `AELoader.Disable.reg`.
-4. Run `%WinDir%\System32\recdisc.exe` to execute the command line from `%ProgramData%\AELoader.ini`.
+2. Run `AELoader.Enable.reg` to activate the injection. To deactivate run  `AELoader.Disable.reg`.
+3. Create `%ProgramData%\AELoader.<pid>.ini`. Where pid is unsigned decimal value. The pid should be the parent of `%WinDir%\System32\recdisc.exe`.
+4. Run `%WinDir%\System32\recdisc.exe` to execute the command line from `%ProgramData%\AELoader.<pid>.ini`.
 
 `AELoader.ini` format:
 ```

run.ps1

@@ -0,0 +1,23 @@
+if ($PSVersionTable.PSVersion.Major -lt 3) {
+  throw "PS Version $($PSVersionTable.PSVersion) is below 3.0."
+}
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Stop
+$script:VerbosePreference = "Continue"
+
+$_IniFile = "$env:ProgramData\AELoader.$([uint32]$pid).ini"
+Write-Host "Configuration file: $_IniFile"
+Copy-Item AELoader.ini -Destination $_IniFile
+
+& recdisc.exe
+
+Start-Sleep 1
+if (Test-Path $_IniFile -PathType Leaf) {
+  Remove-Item $_IniFile
+  Write-Host "Injection was failed" -ForegroundColor Red
+}
+else {
+  Write-Host "Success"  -ForegroundColor Green
+}
+