gistfile1.txt

HRESULT scld(_In_ PCWSTR lpApplicationName, _In_ PCWSTR lpCommandLine)
{
	STARTUPINFOW si = { sizeof(si) };
	PROCESS_INFORMATION pi;
	ULONG len = (ULONG)(1 + wcslen(lpCommandLine)) * sizeof(WCHAR), len_ = (len + 7) & ~7;
	
	if (PWSTR buf = (PWSTR)_malloca(len_))
	{
		__stosq((ULONG64*)buf, '*' * 0x0001000100010001, len_ >> 3);

		*(PWSTR)((PBYTE)buf + len - sizeof(WCHAR)) = 0;

		BOOL fOk = CreateProcessW(lpApplicationName, buf, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
		
		_freea(buf);

		if (fOk)
		{
			PROCESS_BASIC_INFORMATION pbi;
			_RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
			UNICODE_STRING CommandLine;
			NTSTATUS status;

			if (0 <= (status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0)) &&
				0 <= (status = ZwReadVirtualMemory(pi.hProcess, 
				&reinterpret_cast<_PEB*>(pbi.PebBaseAddress)->ProcessParameters, &ProcessParameters, sizeof(ProcessParameters), 0)) &&
				0 <= (status = ZwReadVirtualMemory(pi.hProcess, &ProcessParameters->CommandLine, &CommandLine, sizeof(CommandLine), 0)))
			{
				if (len <= CommandLine.MaximumLength && CommandLine.Length == len - sizeof(WCHAR))
				{
					status = ZwWriteVirtualMemory(pi.hProcess, CommandLine.Buffer, const_cast<PWSTR>(lpCommandLine), len, 0);
				}
				else
				{
					status = STATUS_INTERNAL_ERROR;
				}
			}
			ResumeThread(pi.hThread);
			NtClose(pi.hThread);
			NtClose(pi.hProcess);

			return status;
		}

		return GetLastError();
	}

	return E_OUTOFMEMORY;
}