21 Jul 2006, 4:22 p.m.
On Tue, 11 Jul 2006, Thomas Kho wrote:
[...]
> A fake notepad.exe is currently created in c:\windows\system32. I don't think there's duplication of CreateProcess because CreateProcess considers the filename of the executable to be the first quoted term in the commandline. In contrast, cmd.exe also considers the first space-separated word of that quoted string as the filename of the executable when the entire quoted term is not an executable.

CreateProcess does that too:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/bas...

-- 
Francois Gouget <fgouget(a)free.fr>
http://fgouget.free.fr/
Indifference will certainly be the downfall of mankind, but who cares?