The SubSystemNames array didn't correlate with the possible values of
SubSystemType (e.g. index 4 was "Posix" whereas Posix is type 7; Posix
and OS/2 entries were inverted; Windows CUI subsystem (type 3) was
mapped to "Posix"), and the array dereferencing was out of bounds if the
SubSystemType of the image happened to be larger than 8.
I know (strings extraction from debug build of Windows' SMSS.EXE) that
they use that same old'n'broken array. Perhaps a leftover from very old
times (NT 3.1 betas) where the PE format was under work and the
subsystem numbers didn't have their definitive values... (This has
already happened with the NT PDK v1.196 from September 1991.)
Loosely based on the deprecated ReactOS-specific SmExecuteProgram().
On the server side, we look up the list of deferred subsystems that
has been initialized at init time.
Dedicated to Justin Miller's (The_DarkFire) work on reviving the
POSIX subsystem!
- Not all the wcscpy() / swprintf() calls have been converted to their
string-safe equivalents. Instead I used the string-safe functions only
for places where strings of unknown length were copied into fixed-size
internal buffers. On the contrary, for known-fixed-length strings being
copied or numbers being converted to string representations in large
enough buffers, I kept the original function calls.
- Verify the registry data that has been returned by NtQueryValueKey():
* When expecting (not multi) strings, check whether the data type is
either REG_SZ or REG_EXPAND_SZ.
* When expecting DWORD values, check whether the data type is
REG_DWORD and whether the data length is (greater or) equal to
sizeof(ULONG).
64 MB used to be enough to at least finish 2nd stage, but that does not
always seem to be the case anymore. Leaving this little free space does
not make for a good user experience either way.
256 MB is still not much, but at least provides slightly more usability.
The PROCESS_DEVICEMAP_INFORMATION union has 2 fields: one is a handle, the other one is a structure of 36 bytes (independent of architecture). The handle forces 64-bit alignment on 64-bit builds, making the structure 4 bytes bigger than on 32-bit builds. The size is checked in NtQueryInformationProcess (case ProcessDeviceMap). The expected size on x64 is the size of the Query structure without alignment. autocheck correctly passes the size of the Query union member, while smss passes the full size of PROCESS_DEVICEMAP_INFORMATION. Packing the structure is not an option, since it is defined in public headers without packing. Using the original headers, sizeof(PROCESS_DEVICEMAP_INFORMATION) is 0x28 and sizeof(PROCESS_DEVICEMAP_INFORMATION::Query) is 0x24.
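The alignment effect described in the last commit message, reproduced as an added example (not ReactOS code): the union layout follows the public NT header (a handle next to a 4-byte drive map plus 32 drive-type bytes), with the Windows base types approximated by standard C types, and the length check modelled as a plain function that accepts only sizeof(Query), as NtQueryInformationProcess does for ProcessDeviceMap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the Windows base types: HANDLE is pointer-sized
 * (8 bytes on 64-bit hosts, 4 on 32-bit), ULONG is always 32-bit. */
typedef void *HANDLE;
typedef uint32_t ULONG;
typedef uint8_t UCHAR;

/* Same member layout as the public header. The real header wraps the
 * union in a struct, which does not change its size or alignment. */
typedef union _PROCESS_DEVICEMAP_INFORMATION {
    struct { HANDLE DirectoryHandle; } Set;          /* pointer-aligned */
    struct { ULONG DriveMap; UCHAR DriveType[32]; } Query; /* 36 bytes */
} PROCESS_DEVICEMAP_INFORMATION;

/* What smss passed: the whole union, padded to HANDLE alignment. */
size_t DeviceMapUnionSize(void) {
    return sizeof(PROCESS_DEVICEMAP_INFORMATION);
}

/* What autochk passes and what the kernel expects: the Query member only. */
size_t DeviceMapQuerySize(void) {
    return sizeof(((PROCESS_DEVICEMAP_INFORMATION *)0)->Query);
}

/* Models the ProcessDeviceMap length check: exactly sizeof(Query) is
 * accepted (returns 1); anything else is an info-length mismatch (0). */
int ProcessDeviceMapLengthAccepted(size_t length) {
    return length == DeviceMapQuerySize();
}

int main(void) {
    /* On an x64 host this prints 40 (0x28) and 36 (0x24); on a 32-bit host
     * both are 36, which is why the bug only shows up on 64-bit builds. */
    printf("sizeof(union) = %zu, sizeof(Query) = %zu\n",
           DeviceMapUnionSize(), DeviceMapQuerySize());
    printf("smss length accepted:    %d\n",
           ProcessDeviceMapLengthAccepted(DeviceMapUnionSize()));
    printf("autochk length accepted: %d\n",
           ProcessDeviceMapLengthAccepted(DeviceMapQuerySize()));
    return 0;
}
```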