win-witr v0.1.7
Pre-release
This adds the "Command:" entry in win-witr! It took unnecessarily long because I used undocumented ntdll.dll functions to walk the PEB of a process, which meant I had to manually write support for all of these scenarios:
- ARM64 --> ARM64
- x64 --> x64
- x86 --> x86
- x64 --> x86 (via WoW64)
- x86 --> x64 (this sounds very illegal, but it actually uses another undocumented function that reads the memory "virtually" so you can access it. Even then, there are still other tricks like Heaven's Gate, so it's really not that impossible)
- ARM64 --> WoW64
Most of it was copy-paste, but it took me basically a whole week. The fun part? This could've all been easily avoided if I had just used WMI like the original witr, which used Get-CimInstance (which is WMI under the hood)! But WMI is notorious for being slow, adding around 200ms to EVERY query, which is a lot. So I did all this work, almost 700 extra lines of code, just to shave off a few hundred milliseconds. Hey, at least it was exciting! MWAHHhAHAHAHAH
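For anyone who wants to see what the PEB walk actually looks like next to the WMI route, here is an added PowerShell example (it is not win-witr's code, and it is not the author's C++). It covers only the native x64 --> x64 case: NtQueryInformationProcess with ProcessBasicInformation (class 0, declared in winternl.h) gives the PEB address, and ReadProcessMemory follows PEB.ProcessParameters (offset 0x20 on x64) to RTL_USER_PROCESS_PARAMETERS.CommandLine (offset 0x70 on x64, a UNICODE_STRING whose Buffer pointer sits at +8). Those offsets are the standard x64 layouts and are the example's assumption; the class name PebNative and the function name Get-PebCommandLine are made up for this snippet. The WoW64 cases from the list above are deliberately left out: a 64-bit reader needs the target's 32-bit PEB via ProcessWow64Information (class 26) and the 32-bit offsets (0x10, 0x40, Buffer at +4), and a 32-bit reader of a 64-bit target needs the NtWow64QueryInformationProcess64 / NtWow64ReadVirtualMemory64 entry points named in the commits. The target is constructed as the current process so the two answers can be compared.

```powershell
# Added example (not win-witr code): read a process's command line from its PEB
# with NtQueryInformationProcess + ReadProcessMemory, then time it against the
# Get-CimInstance (WMI) route. Handles only the native x64 -> x64 case.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class PebNative   // hypothetical helper class for this example
{
    // Layout from winternl.h: six pointer-sized fields on both x86 and x64.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref PROCESS_BASIC_INFORMATION pbi, int length, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr address,
        byte[] buffer, IntPtr size, out IntPtr bytesRead);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Get-PebCommandLine {
    param([Parameter(Mandatory)][int]$ProcessId)

    if (-not [Environment]::Is64BitProcess) {
        throw 'Only the x64 -> x64 case is implemented; run this from 64-bit PowerShell.'
    }
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $h = [PebNative]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: $((New-Object ComponentModel.Win32Exception $err).Message)"
    }
    try {
        $pbi = New-Object PebNative+PROCESS_BASIC_INFORMATION
        $retLen = 0
        # infoClass 0 = ProcessBasicInformation
        $status = [PebNative]::NtQueryInformationProcess($h, 0, [ref]$pbi,
            [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$retLen)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }

        # Read exactly $Size bytes of the target at $Addr or fail loudly.
        $read = {
            param([IntPtr]$Addr, [int]$Size)
            $buf = New-Object byte[] $Size
            $got = [IntPtr]::Zero
            $ok  = [PebNative]::ReadProcessMemory($h, $Addr, $buf, [IntPtr]$Size, [ref]$got)
            if ((-not $ok) -or ($got.ToInt64() -ne $Size)) {
                throw ('ReadProcessMemory of {0} bytes at 0x{1:X} failed' -f $Size, $Addr.ToInt64())
            }
            $buf
        }

        # x64 PEB: the ProcessParameters pointer lives at offset 0x20.
        $params = [BitConverter]::ToInt64((& $read ([IntPtr]($pbi.PebBaseAddress.ToInt64() + 0x20)) 8), 0)

        # x64 RTL_USER_PROCESS_PARAMETERS: CommandLine (UNICODE_STRING) at 0x70.
        # UNICODE_STRING: USHORT Length @0, USHORT MaximumLength @2, PWSTR Buffer @8.
        $us     = & $read ([IntPtr]($params + 0x70)) 16
        $length = [BitConverter]::ToUInt16($us, 0)
        $buffer = [BitConverter]::ToInt64($us, 8)
        if ($length -eq 0) { return '' }
        [Text.Encoding]::Unicode.GetString((& $read ([IntPtr]$buffer) $length))
    }
    finally {
        [void][PebNative]::CloseHandle($h)
    }
}

# Constructed target: this PowerShell process, so both routes must agree.
$Target = $PID

$sw = [Diagnostics.Stopwatch]::StartNew()
$fromPeb = Get-PebCommandLine -ProcessId $Target
$sw.Stop(); $pebMs = $sw.Elapsed.TotalMilliseconds

$sw.Restart()
$fromWmi = (Get-CimInstance Win32_Process -Filter "ProcessId = $Target").CommandLine
$sw.Stop(); $wmiMs = $sw.Elapsed.TotalMilliseconds

'PEB  {0,8:N1} ms  {1}' -f $pebMs, $fromPeb
'WMI  {0,8:N1} ms  {1}' -f $wmiMs, $fromWmi
if ($fromPeb -ne $fromWmi) { Write-Warning 'PEB read and WMI disagree' }
```

Two things worth knowing before trusting either number. The first Get-CimInstance call also pays for setting up the CIM session, so time a second call if you want the steady-state per-query cost the release note is complaining about. More importantly for anyone using this in a detection or triage tool: WMI's Win32_Process.CommandLine comes from the same RTL_USER_PROCESS_PARAMETERS block in the target's own user-mode memory, so neither route is more authoritative than the other. A process (or whoever created it suspended) can overwrite that UNICODE_STRING, and both the PEB walk and WMI will faithfully report the rewritten value. Reading it without PROCESS_VM_READ on the target (protected processes, other users' processes when not elevated) fails at OpenProcess, which this example surfaces as an exception rather than an empty string.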
Changes
✨ Features
- Add error handling for function pointer retrieval in main.cpp (68c537d)
- read WoW64 from x64 and arm64 (66e342b)
- Address code review issues. Fixed label with undefined block in build.yml. Fixed version number in release.yml and main.cpp. (90a7a56)
- Add PROCESS_BASIC_INFORMATION64 structure and update function pointer for NtWow64QueryInformationProcess64 (8054ef0)
- Add support for reading command line of 32-bit and 64-bit processes in Windows using undocumented ntdll.dll functions. That's right! UNDOCUMENTED!! MWAHHAHAHAH (e586c8e)
- make it so the program actually knows the version (960e7ea)
- add force_ansi env var (5291195)
- Add command entry by reading process PEB (cddb4f6)
🐛 Fixes
- version (29a3138)
- version number embed during compilation (65c6fbd)
- Add error handling for build process in release.yml (bb1be52)
- Improve error handling for function pointer retrieval and memory access in process command line reading (942e314)
- Replace AreWeWoW64 with IsWow64Process because I'm stupid and used the wrong functions that didn't exist because they don't exist, and they don't exist due to the fact that they don't exist since they don't exist in the existence of the existential NT kernel (5e35271)
- missing bracket (4e70436)
- correct wow64 checking (932b51f)
- add debug log (7d4d552)
- CI TESTS (51d6a74)
- add fail-fast false (1fab362)
- update error messages for Git Bash and add architecture support in GetCommandLine function (c561d7b)
- stdcerr remove (aca3416)
- add missing newline after User entry (8487b74)
- Fix typos and wrong functions (09e2dea)
- Add x64 implementation to manually read process PEB and return command line string (43b0330)
- a (07fce97)
- remove stupid useless defines (13e2ace)
- try changing dword to size_t (f20951d)
- return pointer instead of character and add missing include statement (b66390e)
- try adding #define (3c3df85)
♻️ Refactoring
- Remove debug and error logging statements for function pointer retrieval and memory access SINCE IT FINALLY WORKS NOW (6290464)
🔄 CI/CD
- add provjobd.exe handling to process.bat and create provdjob.bat (6cc86f3)
- add provjobd.exe entries to process.bat (3e3e1a1)
- add hosted-compute-agent to process.bat (151bbfc)
- more tests (038d172)
- Remove wrong or not working tests from process.bat test CI (f27388c)
- add way more process tests ci (3d24e3c)
💄 Style
- made error statements nicer (4e731b5)
📋 Other Changes
- address code review (7ddec09)
- IDK (f82f6f2)
- just add a bunch of debugs for now (3a77bd6)
- Merge branch 'main' into command-and-git-peb (16110ec)
- Merge branch 'main' into command-and-git-peb (ef2601e)
- Merge pull request #63 from supervoidcoder/main (405172c)