Launch Process Suspended

malware-analysis, technology 2019-05-01
Do you ... analyze a lot of malware? Dynamically, too? Or do you just want to launch suspended processes? Well either way, although this is really easy to do, my intense web research did not yield satisfactory results. So here you go, this will just take the entire command line that is passed to it and execute it as a new, suspended process: 
#include <Windows.h>
#include <Shlwapi.h>

BOOL ChrIsWhiteSpace(WCHAR x) {
    return x == 32 || (x >= 9 && x <= 13);
}

int WinMainCRTStartup() {
    int ArgCount = 0;
    WCHAR* CommandLine = GetCommandLineW();
    WCHAR** ArgList = CommandLineToArgvW(CommandLine, &ArgCount);
    if (ArgList && ArgCount > 1) {
        WCHAR* PtrRest = StrStrW(CommandLine, ArgList[1]);
        if (PtrRest) {
            STARTUPINFOW StartupInfo;
            PROCESS_INFORMATION ProcessInfo;

            while (!ChrIsWhiteSpace(*PtrRest))
                PtrRest--;

            GetStartupInfoW(&StartupInfo);

            CreateProcessW(
                NULL,
              ++PtrRest,
                NULL,
                NULL,
                FALSE,
                CREATE_SUSPENDED | INHERIT_PARENT_AFFINITY | DETACHED_PROCESS | CREATE_DEFAULT_ERROR_MODE,
                NULL,
                NULL,
                &StartupInfo,
                &ProcessInfo
            );
            CloseHandle(ProcessInfo.hProcess);
            CloseHandle(ProcessInfo.hThread);
        }
        LocalFree(ArgList);
    }
    ExitProcess(0);
}
Here's the Base64 encoded 32bit binary: 
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA1dXZdcRQYDnEUGA5xFBgOFHIZD3YUGA5xFBkOeRQYDgV/EA9wFBgOBX8aD3AUGA5SaWNocRQYDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQMAKczIXAAAAAAAAAAA4AACAQsBDhQAAgAAAAQAAAAAAADcEAAAABAAAAAgAAAAAEAAABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAEAAAAAEAAAAAAAAAgBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAALCAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAGAAAAAAQAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAB2AQAAABAAAAACAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5pZGF0YQAATAEAAAAgAAAAAgAAAAYAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAABgAAAAAMAAAAAIAAAAIAAAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApzMhcAAAAAA0AAACkAAAAOBAAADgEAAAAAAAAKczIXAAAAAAOAAAAAAAAAAAAAAAAAAAAR0NUTAAQAAA4AAAALnJkYXRhAAA4EAAApAAAAC5yZGF0YSR6enpkYmcAAADcEAAAmgAAAC50ZXh0JG1uAAAAAAAgAAAsAAAALmlkYXRhJDUAAAAALCAAADwAAAAuaWRhdGEkMgAAAABoIAAAFAAAAC5pZGF0YSQzAAAAAHwgAAAsAAAALmlkYXRhJDQAAAAAqCAAAKQAAAAuaWRhdGEkNgAAAABVi+yD7FhTVjPbV4ld/P8VDCBAAIvwjUX8UFb/FRwgQACL+IX/dGuDffwBfmX/dwRW/xUkIEAAi/CF9nROD7cGg/ggdA+D+AlyBYP4DXYFg+4C6+mNRahQ/xUIIEAAjUXsUI1FqFBTU2gMAAEEU1NTjUYCUFP/FQQgQAD/deyLNRAgQAD/1v918P/WV/8VACBAAFP/FRQgQADMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8CAAAAohAAC+IAAA0CAAAOIgAAD8IAAAAAAAACohAAAAAAAAqCAAAAAAAACgIAAAAAAAAAAAAACyIAAAJCAAAHwgAAAAAAAAAAAAABwhAAAAIAAAmCAAAAAAAAAAAAAAQCEAABwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPAgAAAKIQAAviAAANAgAADiIAAA/CAAAAAAAAAqIQAAAAAAAKggAAAAAAAAUgFTdHJTdHJXAFNITFdBUEkuZGxsANACR2V0U3RhcnR1cEluZm9XANcBR2V0Q29tbWFuZExpbmVXAIYAQ2xvc2VIYW5kbGUAzwNMb2NhbEZyZWUAXgFFeGl0UHJvY2VzcwDlAENyZWF0ZVByb2Nlc3NXAABLRVJORUwzMi5kbGwAAAcAQ29tbWFuZExpbmVUb0FyZ3ZXAABTSEVMTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAGAAAAOww+TAPMTYxUzFcMWoxcTEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
Enjoy.

Tags: - - - - - - - - -

Leave a Reply

Your email address will not be published. Required fields are marked *

Authors have copyrights. People say these things in footers.
All Hail the Great Yawgmoth, Father of Machines.