Проблемы с NtCreateUserProcess

[cppjunior]

Через раз отрабатывает NtCreateUserProcess, возвращая 0xc000000d ошибку (Службе или функции был передан недопустимый параметр) Из 10 раз корректно отрабатывает 2-4 раза. В чем ошибка?

UNICODE_STRING NtImagePath;
RtlInitUnicodeString(&NtImagePath, (PWSTR)L"\\??\\C:\\Windows\\System32\\calc.exe");

PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
RtlCreateProcessParametersEx(&ProcessParameters, &NtImagePath, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, RTL_USER_PROCESS_PARAMETERS_NORMALIZED);

PS_CREATE_INFO CreateInfo = { 0 };
CreateInfo.Size = sizeof(CreateInfo);
CreateInfo.State = PsCreateInitialState;

PPS_ATTRIBUTE_LIST AttributeList = (PS_ATTRIBUTE_LIST*)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(PS_ATTRIBUTE));
AttributeList->TotalLength = sizeof(PS_ATTRIBUTE_LIST) - sizeof(PS_ATTRIBUTE);
AttributeList->Attributes[0].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
AttributeList->Attributes[0].Size = NtImagePath.Length;
AttributeList->Attributes[0].Value = (ULONG_PTR)NtImagePath.Buffer;

HANDLE hProcess, hThread = NULL;
NTSTATUS status = NtCreateUserProcess(&hProcess, &hThread, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS, NULL, NULL, NULL, NULL, ProcessParameters, &CreateInfo, AttributeList);

RtlFreeHeap(RtlProcessHeap(), 0, AttributeList);
RtlDestroyProcessParameters(ProcessParameters);

 

[Quake3]

В чем ошибка?

если это код от того тупого пендоса meelo (или как его), то там проблема где-то с AttributeList. Дебажил этот говнокод, оно на этот аргумент ругается, но дальше забил. Код работал при компиляции в 64 бита при запуске 64 битных прог, ну или наоборот, 32 битная ОС 32 битный софт.

 

[arsarsov]

Советую написать старт процесса через CreateProcessA\W, затем в отладчике оттрассировать код и посмотреть как именно там подготавливаются данные перед вызовом NtCreateUserProcess
Вот как выглядит код функции CreateProcessInternalW в библиотеке kernelbase.dll
Для справки когда ты вызываешь CreateProcessA, то вызывается по очереди цепочка этих вот функций
CreateProcessA -> CreateProcessW -> CreateProcessInternalW -> NtCreateUserProcess

Спойлер: Код

__int64 __fastcall CreateProcessInternalW(
        HANDLE a1,
        const WCHAR *a2,
        const wchar_t *a3,
        ULONG_PTR a4,
        __int64 a5,
        ULONG a6,
        int a7,
        __int64 a8,
        const WCHAR *a9,
        __int64 a10,
        _OWORD *a11)
{
  int v12; // ebx
  PVOID ProcessHeap; // r15
  __int64 v14; // rdx
  __int16 v15; // cx
  char v16; // al
  unsigned int v17; // r8d
  int v18; // edx
  int v19; // ecx
  int v20; // ebx
  HANDLE ThreadDebugObject; // rsi
  unsigned int v22; // ecx
  _OWORD *v23; // rax
  int v24; // eax
  __int64 v25; // rcx
  PVOID Heap; // rax
  DWORD FullPathNameW; // eax
  int v28; // eax
  int v29; // r14d
  __int64 v30; // rdx
  __int64 v31; // rax
  HANDLE v32; // rcx
  __int64 v33; // rdx
  __int64 v34; // rcx
  char v35; // r15
  char v36; // r13
  STRSAFE_LPCWSTR v37; // rax
  PVOID v38; // r13
  NTSTATUS ExePath; // eax
  int v40; // ebx
  RTL_PATH_TYPE v41; // eax
  __int64 v42; // rdx
  __int64 v43; // rcx
  struct _PEB *v44; // rax
  HANDLE v45; // r15
  DWORD v46; // eax
  __int64 v47; // rbx
  unsigned int v48; // eax
  __int64 v49; // rdx
  __int64 v50; // rcx
  const WCHAR *v51; // r8
  const WCHAR *v52; // rcx
  struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters; // rsi
  int v54; // eax
  __int64 v55; // rdx
  __int64 v56; // rcx
  int v57; // eax
  __int64 v58; // rdx
  __int64 v59; // rcx
  int v60; // eax
  __int64 v61; // rdx
  __int64 v62; // rcx
  int IsProcessAllowed; // eax
  __int64 v64; // rdx
  __int64 v65; // rcx
  unsigned __int16 v66; // ax
  __int64 v67; // r8
  PUNICODE_STRING *v68; // r8
  ULONG v69; // edx
  __int64 v70; // rdx
  HANDLE v71; // rcx
  int v72; // ebx
  _OWORD *v73; // rbx
  ULONG LastErrorValue; // esi
  const WCHAR *v75; // rax
  STRSAFE_LPCWSTR v76; // rbx
  char v77; // r14
  DWORD v78; // eax
  DWORD FileAttributesW; // eax
  _DWORD *v80; // rbx
  int v81; // eax
  __int64 v82; // rcx
  HMODULE ModuleHandleA; // rax
  PIMAGE_NT_HEADERS v84; // rax
  __int64 v85; // rax
  __int64 v86; // rcx
  __int64 v87; // rax
  int LowBox; // eax
  __int64 v89; // rdx
  __int64 v90; // rcx
  WCHAR *v91; // rax
  _WORD *v92; // rax
  __int64 v93; // rcx
  __int64 v94; // rcx
  int v95; // eax
  int v96; // ecx
  __int64 v97; // rsi
  SIZE_T v98; // rsi
  wchar_t *v99; // rax
  wchar_t *v100; // rbx
  __int64 v101; // rcx
  WCHAR *v102; // rsi
  WCHAR *v103; // rax
  WCHAR *v104; // rbx
  DWORD EnvironmentVariableW; // eax
  __int64 v106; // r8
  const wchar_t *v107; // r8
  __int64 v108; // rcx
  ULONG v109; // ecx
  __int64 v110; // rdx
  __int64 Length; // r14
  PVOID v112; // rax
  const WCHAR *v113; // rbx
  void *v114; // rcx
  BOOL v115; // eax
  HANDLE v116; // r14
  _WORD *v117; // rsi
  NTSTATUS v118; // ebx
  __int64 v119; // r8
  ULONG v120; // ecx
  char v121; // si
  __int64 v122; // rdx
  __int64 v123; // rcx
  unsigned int ProcessInternalW; // eax
  unsigned int v125; // eax
  void *v126; // r14
  signed int AppExecutionAliasPath; // esi
  int v128; // r13d
  HANDLE v129; // r15
  __int64 v130; // rdx
  __int64 v131; // rax
  __int64 v132; // rcx
  SIZE_T v133; // rsi
  wchar_t *v134; // rax
  wchar_t *v135; // rbx
  __int64 v136; // rax
  SIZE_T v137; // rsi
  wchar_t *v138; // rax
  STRSAFE_LPWSTR *v139; // r9
  unsigned int updated; // eax
  int v141; // eax
  __int64 ConsoleHost; // rcx
  LONG PackageActivationTokenForSxS; // eax
  __int64 v144; // r8
  int v145; // esi
  __int64 v146; // rdx
  __int64 v147; // rcx
  _QWORD *v148; // rbx
  HANDLE v149; // rcx
  __int64 v150; // rdx
  __int64 v151; // rcx
  __int64 v153; // rcx
  NTSTATUS v154; // eax
  const WCHAR *v155; // rax
  int v156; // ecx
  int v157; // r8d
  int v158; // r9d
  __int64 v159; // [rsp+B0h] [rbp-1508h] BYREF
  ULONG AllocationType[2]; // [rsp+D0h] [rbp-14E8h]
  ULONG Protect[2]; // [rsp+D8h] [rbp-14E0h]
  RTL_PATH_TYPE *PathType; // [rsp+E0h] [rbp-14D8h]
  PSIZE_T LengthNeeded; // [rsp+E8h] [rbp-14D0h]
  __int64 p_UnicodeString; // [rsp+F0h] [rbp-14C8h]
  __int64 v165; // [rsp+F8h] [rbp-14C0h]
  __int64 v166; // [rsp+100h] [rbp-14B8h]
  __int64 p_Buf1; // [rsp+108h] [rbp-14B0h]
  __int64 p_Buffer; // [rsp+110h] [rbp-14A8h]
  __int64 p_NumberOfBytesToWrite; // [rsp+118h] [rbp-14A0h]
  __int64 v170; // [rsp+120h] [rbp-1498h]
  __int64 v171; // [rsp+128h] [rbp-1490h]
  __int64 v172; // [rsp+130h] [rbp-1488h]
  __int64 v173; // [rsp+138h] [rbp-1480h]
  char v174[8]; // [rsp+140h] [rbp-1478h]
  int *v175; // [rsp+148h] [rbp-1470h]
  HANDLE *v176; // [rsp+150h] [rbp-1468h]
  unsigned int v177; // [rsp+160h] [rbp-1458h]
  unsigned int v178; // [rsp+164h] [rbp-1454h] BYREF
  NTSTATUS InformationProcess; // [rsp+168h] [rbp-1450h]
  PVOID HeapHandle; // [rsp+170h] [rbp-1448h]
  int v181; // [rsp+178h] [rbp-1440h] BYREF
  char v182; // [rsp+180h] [rbp-1438h]
  unsigned __int16 v183; // [rsp+184h] [rbp-1434h]
  HANDLE Handle; // [rsp+188h] [rbp-1430h] BYREF
  char v185; // [rsp+190h] [rbp-1428h]
  char v186; // [rsp+191h] [rbp-1427h] BYREF
  char v187; // [rsp+192h] [rbp-1426h]
  char v188; // [rsp+193h] [rbp-1425h]
  char v189; // [rsp+194h] [rbp-1424h] BYREF
  char v190; // [rsp+195h] [rbp-1423h]
  char v191; // [rsp+196h] [rbp-1422h] BYREF
  bool v192; // [rsp+197h] [rbp-1421h] BYREF
  bool v193; // [rsp+198h] [rbp-1420h] BYREF
  bool v194; // [rsp+199h] [rbp-141Fh] BYREF
  bool v195; // [rsp+19Ah] [rbp-141Eh] BYREF
  bool v196; // [rsp+19Bh] [rbp-141Dh] BYREF
  bool v197; // [rsp+19Ch] [rbp-141Ch] BYREF
  bool v198; // [rsp+19Dh] [rbp-141Bh] BYREF
  unsigned int v199; // [rsp+1A0h] [rbp-1418h] BYREF
  unsigned int v200; // [rsp+1A4h] [rbp-1414h] BYREF
  int v201; // [rsp+1A8h] [rbp-1410h]
  __int64 v202; // [rsp+1B0h] [rbp-1408h] BYREF
  STRSAFE_LPCWSTR pszSrc; // [rsp+1B8h] [rbp-1400h] BYREF
  char v204; // [rsp+1C0h] [rbp-13F8h] BYREF
  char v205; // [rsp+1C1h] [rbp-13F7h]
  PCWSTR DosPathName; // [rsp+1C8h] [rbp-13F0h] BYREF
  char v207; // [rsp+1D0h] [rbp-13E8h]
  NTSTATUS ExitStatus; // [rsp+1D4h] [rbp-13E4h]
  char v209; // [rsp+1D8h] [rbp-13E0h] BYREF
  wchar_t v210; // [rsp+1DCh] [rbp-13DCh]
  char v211; // [rsp+1E0h] [rbp-13D8h]
  __int64 v212; // [rsp+1E8h] [rbp-13D0h] BYREF
  HANDLE ThreadHandle; // [rsp+1F0h] [rbp-13C8h] BYREF
  __int64 v214; // [rsp+1F8h] [rbp-13C0h] BYREF
  char v215; // [rsp+200h] [rbp-13B8h]
  char v216; // [rsp+201h] [rbp-13B7h]
  char ProcessInformation[2]; // [rsp+202h] [rbp-13B6h] BYREF
  __int16 v218; // [rsp+204h] [rbp-13B4h] BYREF
  __int16 v219; // [rsp+208h] [rbp-13B0h] BYREF
  SIZE_T NumberOfBytesToWrite; // [rsp+20Ch] [rbp-13ACh] BYREF
  unsigned int v221; // [rsp+214h] [rbp-13A4h] BYREF
  LPCWSTR lpFileName; // [rsp+218h] [rbp-13A0h]
  HANDLE v223; // [rsp+220h] [rbp-1398h]
  unsigned int v224; // [rsp+228h] [rbp-1390h] BYREF
  STRSAFE_LPCWSTR v225; // [rsp+230h] [rbp-1388h]
  HANDLE v226; // [rsp+238h] [rbp-1380h]
  int v227; // [rsp+240h] [rbp-1378h] BYREF
  int v228; // [rsp+244h] [rbp-1374h] BYREF
  HANDLE DebugObject; // [rsp+248h] [rbp-1370h]
  PCSR_CAPTURE_BUFFER CaptureBuffer; // [rsp+250h] [rbp-1368h] BYREF
  PWSTR Environment; // [rsp+258h] [rbp-1360h] BYREF
  __int64 v232; // [rsp+260h] [rbp-1358h] BYREF
  int v233; // [rsp+268h] [rbp-1350h] BYREF
  unsigned int v234; // [rsp+270h] [rbp-1348h] BYREF
  int v235; // [rsp+274h] [rbp-1344h]
  __int64 v236; // [rsp+278h] [rbp-1340h] BYREF
  PVOID v237; // [rsp+280h] [rbp-1338h]
  PVOID Buffer; // [rsp+288h] [rbp-1330h] BYREF
  HANDLE v239; // [rsp+290h] [rbp-1328h] BYREF
  int v240; // [rsp+298h] [rbp-1320h]
  int v241; // [rsp+29Ch] [rbp-131Ch]
  int v242; // [rsp+2A0h] [rbp-1318h] BYREF
  struct _UNICODE_STRING DestinationString; // [rsp+2B0h] [rbp-1308h] BYREF
  __int64 v244; // [rsp+2C0h] [rbp-12F8h] BYREF
  LPWSTR lpBuffer; // [rsp+2C8h] [rbp-12F0h]
  HANDLE token; // [rsp+2D0h] [rbp-12E8h] BYREF
  HANDLE v247; // [rsp+2D8h] [rbp-12E0h]
  struct _UNICODE_STRING v248; // [rsp+2E0h] [rbp-12D8h] BYREF
  int v249; // [rsp+2F0h] [rbp-12C8h] BYREF
  int v250; // [rsp+2F4h] [rbp-12C4h] BYREF
  unsigned int v251; // [rsp+2F8h] [rbp-12C0h]
  int v252; // [rsp+2FCh] [rbp-12BCh]
  int v253; // [rsp+300h] [rbp-12B8h]
  __int16 v254; // [rsp+304h] [rbp-12B4h] BYREF
  int v255; // [rsp+308h] [rbp-12B0h] BYREF
  WINBOOL Result[2]; // [rsp+310h] [rbp-12A8h] BYREF
  PVOID v257; // [rsp+318h] [rbp-12A0h]
  int v258; // [rsp+320h] [rbp-1298h] BYREF
  STRSAFE_LPWSTR pszDest; // [rsp+328h] [rbp-1290h]
  __int64 v260; // [rsp+330h] [rbp-1288h] BYREF
  int v261; // [rsp+338h] [rbp-1280h] BYREF
  struct _UNICODE_STRING UnicodeString; // [rsp+340h] [rbp-1278h] BYREF
  HANDLE ProcessHandle; // [rsp+350h] [rbp-1268h] BYREF
  HANDLE v264; // [rsp+358h] [rbp-1260h]
  LPCWSTR lpPath; // [rsp+360h] [rbp-1258h] BYREF
  int v266; // [rsp+368h] [rbp-1250h] BYREF
  int v267; // [rsp+36Ch] [rbp-124Ch]
  int v268; // [rsp+370h] [rbp-1248h]
  int v269; // [rsp+374h] [rbp-1244h]
  int v270; // [rsp+378h] [rbp-1240h] BYREF
  STRSAFE_LPCWSTR v271; // [rsp+380h] [rbp-1238h]
  void *TokenHandle; // [rsp+388h] [rbp-1230h] BYREF
  struct _PEB *v273; // [rsp+390h] [rbp-1228h]
  HANDLE v274; // [rsp+398h] [rbp-1220h]
  PVOID P; // [rsp+3A0h] [rbp-1218h]
  __int64 v276; // [rsp+3A8h] [rbp-1210h]
  PVOID v277; // [rsp+3B0h] [rbp-1208h]
  int v278; // [rsp+3B8h] [rbp-1200h]
  int v279; // [rsp+3BCh] [rbp-11FCh] BYREF
  _OWORD *v280; // [rsp+3C0h] [rbp-11F8h]
  __int64 v281; // [rsp+3C8h] [rbp-11F0h]
  PWSTR v282; // [rsp+3D0h] [rbp-11E8h] BYREF
  PVOID v283; // [rsp+3D8h] [rbp-11E0h]
  __int64 v284; // [rsp+3E0h] [rbp-11D8h] BYREF
  PVOID BaseAddress; // [rsp+3E8h] [rbp-11D0h] BYREF
  __int64 v286; // [rsp+3F0h] [rbp-11C8h] BYREF
  ULONG_PTR v287; // [rsp+3F8h] [rbp-11C0h]
  ULONG ReturnLength; // [rsp+400h] [rbp-11B8h] BYREF
  int v289; // [rsp+404h] [rbp-11B4h] BYREF
  ULONG Response; // [rsp+408h] [rbp-11B0h] BYREF
  ULONG ReturnedLength; // [rsp+40Ch] [rbp-11ACh] BYREF
  int v292; // [rsp+410h] [rbp-11A8h] BYREF
  RTL_PATH_TYPE v293; // [rsp+414h] [rbp-11A4h] BYREF
  ULONG v294; // [rsp+418h] [rbp-11A0h]
  int v295; // [rsp+41Ch] [rbp-119Ch]
  unsigned int v296; // [rsp+420h] [rbp-1198h]
  int v297; // [rsp+424h] [rbp-1194h] BYREF
  __int64 v298[2]; // [rsp+428h] [rbp-1190h] BYREF
  _DWORD *v299; // [rsp+438h] [rbp-1180h]
  PVOID v300; // [rsp+440h] [rbp-1178h]
  int TokenInformation; // [rsp+448h] [rbp-1170h] BYREF
  int v302; // [rsp+44Ch] [rbp-116Ch] BYREF
  UINT32 packageFullNameLength; // [rsp+450h] [rbp-1168h] BYREF
  struct _UNICODE_STRING v304; // [rsp+458h] [rbp-1160h] BYREF
  __int64 v305; // [rsp+470h] [rbp-1148h] BYREF
  int v306; // [rsp+478h] [rbp-1140h]
  HANDLE KeyHandle; // [rsp+480h] [rbp-1138h]
  void *v308; // [rsp+488h] [rbp-1130h]
  void *v309; // [rsp+490h] [rbp-1128h]
  int v310; // [rsp+4A4h] [rbp-1114h]
  __int64 v311; // [rsp+4A8h] [rbp-1110h]
  unsigned int v312; // [rsp+4B0h] [rbp-1108h]
  __int64 v313; // [rsp+4B8h] [rbp-1100h]
  int v314; // [rsp+4C0h] [rbp-10F8h]
  __int64 v315; // [rsp+4D0h] [rbp-10E8h]
  __int64 v316; // [rsp+4D8h] [rbp-10E0h]
  __int64 v317; // [rsp+4E0h] [rbp-10D8h] BYREF
  __int64 v318; // [rsp+4E8h] [rbp-10D0h]
  struct _UNICODE_STRING DynamicString; // [rsp+4F0h] [rbp-10C8h] BYREF
  char v320[8]; // [rsp+500h] [rbp-10B8h] BYREF
  __int64 v321; // [rsp+508h] [rbp-10B0h]
  char v322[8]; // [rsp+510h] [rbp-10A8h] BYREF
  __int64 v323; // [rsp+518h] [rbp-10A0h]
  __m128i v324; // [rsp+520h] [rbp-1098h] BYREF
  __int64 v325[2]; // [rsp+530h] [rbp-1088h] BYREF
  __int128 v326; // [rsp+540h] [rbp-1078h]
  __int64 v327; // [rsp+550h] [rbp-1068h]
  ULONG_PTR RegionSize[2]; // [rsp+558h] [rbp-1060h] BYREF
  __int64 v329; // [rsp+568h] [rbp-1050h]
  ULONG_PTR v330; // [rsp+570h] [rbp-1048h]
  __int64 v331; // [rsp+578h] [rbp-1040h]
  __int64 v332; // [rsp+580h] [rbp-1038h] BYREF
  __int64 v333[2]; // [rsp+588h] [rbp-1030h] BYREF
  LPWSTR FilePart; // [rsp+598h] [rbp-1020h] BYREF
  const wchar_t *v335; // [rsp+5A0h] [rbp-1018h]
  __int64 v336; // [rsp+5A8h] [rbp-1010h] BYREF
  struct _RTL_USER_PROCESS_PARAMETERS *v337; // [rsp+5B0h] [rbp-1008h]
  const WCHAR *v338; // [rsp+5B8h] [rbp-1000h]
  int v339; // [rsp+5C0h] [rbp-FF8h] BYREF
  const WCHAR *v340; // [rsp+5C8h] [rbp-FF0h]
  DWORD dwFlags[2]; // [rsp+5D0h] [rbp-FE8h] BYREF
  size_t *pcbRemaining; // [rsp+5D8h] [rbp-FE0h] BYREF
  __int64 v343[2]; // [rsp+5E0h] [rbp-FD8h] BYREF
  __int128 Buf1; // [rsp+5F0h] [rbp-FC8h] BYREF
  __int128 v345; // [rsp+600h] [rbp-FB8h]
  __int128 v346; // [rsp+610h] [rbp-FA8h]
  __int128 v347; // [rsp+620h] [rbp-F98h]
  __int128 v348; // [rsp+630h] [rbp-F88h]
  __int128 v349; // [rsp+640h] [rbp-F78h]
  __int64 v350; // [rsp+650h] [rbp-F68h]
  char v351[32]; // [rsp+660h] [rbp-F58h] BYREF
  int v352; // [rsp+680h] [rbp-F38h]
  unsigned __int16 v353; // [rsp+684h] [rbp-F34h]
  unsigned __int16 v354; // [rsp+686h] [rbp-F32h]
  unsigned __int16 v355; // [rsp+68Eh] [rbp-F2Ah]
  unsigned __int16 v356; // [rsp+690h] [rbp-F28h]
  char v357; // [rsp+6A0h] [rbp-F18h] BYREF
  __int64 *v358; // [rsp+6A8h] [rbp-F10h]
  __int64 v359[2]; // [rsp+6B0h] [rbp-F08h] BYREF
  char v360[8]; // [rsp+6C0h] [rbp-EF8h] BYREF
  unsigned __int64 Parameters; // [rsp+6C8h] [rbp-EF0h] BYREF
  char v362[8]; // [rsp+6D8h] [rbp-EE0h] BYREF
  __int64 v363[2]; // [rsp+6E0h] [rbp-ED8h] BYREF
  __int128 v364; // [rsp+6F0h] [rbp-EC8h]
  __int128 v365; // [rsp+700h] [rbp-EB8h]
  __int64 v366; // [rsp+710h] [rbp-EA8h]
  char v367[96]; // [rsp+720h] [rbp-E98h] BYREF
  int Buf2; // [rsp+780h] [rbp-E38h] BYREF
  char v369[108]; // [rsp+784h] [rbp-E34h] BYREF
  char v370[48]; // [rsp+7F0h] [rbp-DC8h] BYREF
  char v371[48]; // [rsp+820h] [rbp-D98h] BYREF
  __int64 v372; // [rsp+850h] [rbp-D68h] BYREF
  int v373; // [rsp+858h] [rbp-D60h]
  int v374; // [rsp+85Ch] [rbp-D5Ch]
  __int16 v375; // [rsp+860h] [rbp-D58h]
  char v376; // [rsp+862h] [rbp-D56h]
  char v377; // [rsp+863h] [rbp-D55h]
  unsigned __int8 v378; // [rsp+864h] [rbp-D54h]
  char v379; // [rsp+865h] [rbp-D53h]
  __int64 v380; // [rsp+868h] [rbp-D50h]
  __int64 v381[2]; // [rsp+870h] [rbp-D48h] BYREF
  __int64 v382; // [rsp+880h] [rbp-D38h]
  __int64 v383; // [rsp+890h] [rbp-D28h] BYREF
  __int64 v384; // [rsp+898h] [rbp-D20h]
  __int64 v385; // [rsp+8A0h] [rbp-D18h]
  PWSTR v386; // [rsp+8A8h] [rbp-D10h]
  __int64 v387[106]; // [rsp+8B0h] [rbp-D08h]
  char ApiMessage[52]; // [rsp+C00h] [rbp-9B8h] BYREF
  unsigned int v389; // [rsp+C34h] [rbp-984h]
  unsigned __int64 v390; // [rsp+C40h] [rbp-978h]
  unsigned __int64 v391; // [rsp+C48h] [rbp-970h]
  __m128i v392; // [rsp+C50h] [rbp-968h]
  unsigned int v393; // [rsp+C60h] [rbp-958h]
  unsigned int v394; // [rsp+C64h] [rbp-954h]
  int v395; // [rsp+C68h] [rbp-950h]
  __int64 v396; // [rsp+C70h] [rbp-948h]
  int v397; // [rsp+C78h] [rbp-940h] BYREF
  int v398; // [rsp+C7Ch] [rbp-93Ch]
  char v399[16]; // [rsp+C88h] [rbp-930h] BYREF
  char v400; // [rsp+C98h] [rbp-920h] BYREF
  char v401; // [rsp+CC0h] [rbp-8F8h] BYREF
  char v402; // [rsp+CF0h] [rbp-8C8h] BYREF
  char v403[16]; // [rsp+D00h] [rbp-8B8h] BYREF
  char v404[12]; // [rsp+D10h] [rbp-8A8h] BYREF
  __int16 v405[2]; // [rsp+D1Ch] [rbp-89Ch] BYREF
  char v406[16]; // [rsp+D20h] [rbp-898h] BYREF
  __int64 v407; // [rsp+D30h] [rbp-888h] BYREF
  __int16 v408[132]; // [rsp+D38h] [rbp-880h] BYREF
  __int64 v409; // [rsp+E40h] [rbp-778h]
  __int64 v410; // [rsp+E48h] [rbp-770h]
  unsigned __int16 v411; // [rsp+E50h] [rbp-768h]
  char v412[8]; // [rsp+FC0h] [rbp-5F8h] BYREF
  __int64 v413; // [rsp+FC8h] [rbp-5F0h]
  __int64 v414; // [rsp+FD0h] [rbp-5E8h]
  __int64 *v415; // [rsp+FD8h] [rbp-5E0h]
  __int64 v416; // [rsp+FE0h] [rbp-5D8h]
  __int64 v417; // [rsp+FE8h] [rbp-5D0h]
  __int64 v418; // [rsp+FF0h] [rbp-5C8h]
  __int64 *v419; // [rsp+FF8h] [rbp-5C0h]
  __int64 v420; // [rsp+1000h] [rbp-5B8h]
  char v421[32]; // [rsp+1330h] [rbp-288h] BYREF
  char *v422; // [rsp+1350h] [rbp-268h]
  __int64 v423; // [rsp+1358h] [rbp-260h]
  int *v424; // [rsp+1360h] [rbp-258h]
  __int64 v425; // [rsp+1368h] [rbp-250h]
  char *v426; // [rsp+1370h] [rbp-248h]
  __int64 v427; // [rsp+1378h] [rbp-240h]
  char v428[16]; // [rsp+1380h] [rbp-238h] BYREF
  char v429[16]; // [rsp+1390h] [rbp-228h] BYREF
  bool *v430; // [rsp+13A0h] [rbp-218h]
  __int64 v431; // [rsp+13A8h] [rbp-210h]
  bool *v432; // [rsp+13B0h] [rbp-208h]
  __int64 v433; // [rsp+13B8h] [rbp-200h]
  bool *v434; // [rsp+13C0h] [rbp-1F8h]
  __int64 v435; // [rsp+13C8h] [rbp-1F0h]
  bool *v436; // [rsp+13D0h] [rbp-1E8h]
  __int64 v437; // [rsp+13D8h] [rbp-1E0h]
  int *v438; // [rsp+13E0h] [rbp-1D8h]
  __int64 v439; // [rsp+13E8h] [rbp-1D0h]
  bool *v440; // [rsp+13F0h] [rbp-1C8h]
  __int64 v441; // [rsp+13F8h] [rbp-1C0h]
  bool *v442; // [rsp+1400h] [rbp-1B8h]
  __int64 v443; // [rsp+1408h] [rbp-1B0h]
  bool *v444; // [rsp+1410h] [rbp-1A8h]
  __int64 v445; // [rsp+1418h] [rbp-1A0h]
  PUNICODE_STRING MessageStrings[4]; // [rsp+1420h] [rbp-198h] BYREF
  __int64 v447[6]; // [rsp+1440h] [rbp-178h] BYREF
  WCHAR packageFullName[76]; // [rsp+1470h] [rbp-148h] BYREF

  v358 = &v159;
  v287 = a4;
  v12 = a7;
  v226 = a1;
  DosPathName = a2;
  pszSrc = a3;
  v330 = a4;
  RegionSize[1] = a4;
  v281 = a5;
  v331 = a5;
  v333[1] = a5;
  v181 = a7;
  v214 = a8;
  lpFileName = a9;
  v315 = a10;
  v280 = a11;
  v177 = 0;
  v225 = 0i64;
  v210 = 0;
  v221 = 0;
  v199 = 0;
  v200 = 0;
  v282 = 0i64;
  P = 0i64;
  lpPath = 0i64;
  UnicodeString = 0i64;
  v339 = 1310738;
  v340 = L"ntdll.dll";
  v299 = 0i64;
  v254 = 0;
  v218 = 0;
  if ( !a2 && !a3 )
  {
    v153 = 3221225520i64;
LABEL_706:
    BaseSetLastNTError(v153);
    return 0i64;
  }
  if ( !a11 || !a10 )
  {
    v153 = 3221225485i64;
    goto LABEL_706;
  }
  v239 = 0i64;
  v223 = 0i64;
  v264 = 0i64;
  Handle = 0i64;
  ThreadHandle = 0i64;
  DebugObject = 0i64;
  lpBuffer = 0i64;
  v257 = 0i64;
  CaptureBuffer = 0i64;
  v289 = 0;
  v237 = 0i64;
  FilePart = 0i64;
  v277 = 0i64;
  v304.Buffer = 0i64;
  v186 = 0;
  v188 = 0;
  v182 = 0;
  v185 = 0;
  ProcessHandle = 0i64;
  pszDest = 0i64;
  Buffer = 0i64;
  NumberOfBytesToWrite = 0i64;
  v260 = 0i64;
  v244 = 0i64;
  v227 = 0;
  v270 = 0;
  v317 = 0i64;
  v279 = 0;
  v286 = 0i64;
  v249 = 0;
  ExitStatus = 0;
  v233 = 0;
  v316 = 0i64;
  v269 = 0;
  v323 = 0i64;
  v321 = 0i64;
  *(_OWORD *)v343 = 0i64;
  *(_OWORD *)v381 = 0i64;
  v382 = 0i64;
  v284 = 0i64;
  v240 = 0;
  v232 = 0i64;
  v187 = 0;
  v332 = 0i64;
  memset_0(v367, 0, 0x58ui64);
  *(_OWORD *)v325 = 0i64;
  v326 = 0i64;
  v327 = 0i64;
  v273 = NtCurrentPeb();
  ProcessHeap = v273->ProcessHeap;
  HeapHandle = ProcessHeap;
  v298[1] = (__int64)ProcessHeap;
  v207 = 0;
  v248 = 0i64;
  memset_0(packageFullName, 0, 0x100ui64);
  Environment = 0i64;
  v247 = 0i64;
  token = 0i64;
  v236 = 0i64;
  v212 = 0i64;
  v276 = 0i64;
  v209 = 0;
  v228 = 0;
  v202 = 0i64;
  v252 = 0;
  TokenHandle = 0i64;
  v190 = 0;
  v283 = 0i64;
  v300 = 0i64;
  v267 = 0;
  *(_OWORD *)v363 = 0i64;
  v364 = 0i64;
  v365 = 0i64;
  v366 = 0i64;
  *(_OWORD *)v359 = 0i64;
  v333[0] = 0i64;
  if ( (v12 & 0x18) == 24 )
    goto LABEL_704;
  v14 = 2048i64;
  if ( (v12 & 0x800) != 0 )
  {
    if ( (v12 & 0x1000) == 0 )
    {
      v15 = v12;
      goto LABEL_9;
    }
LABEL_704:
    RtlSetLastWin32Error(0x57u);
    return 0i64;
  }
  v15 = v12;
  if ( (v12 & 0x1000) == 0 && *(_BYTE *)(BaseStaticServerData + 2036) )
  {
    v15 = v12 | 0x800;
    v181 = v12 | 0x800;
  }
LABEL_9:
  if ( (v15 & 0x40) != 0 )
  {
    v16 = 1;
  }
  else if ( (v15 & 0x4000) != 0 )
  {
    v16 = 5;
  }
  else if ( (v15 & 0x20) != 0 )
  {
    v16 = 2;
  }
  else if ( (v15 & 0x8000) != 0 )
  {
    v16 = 6;
  }
  else if ( (v15 & 0x80u) != 0 )
  {
    v16 = 3;
  }
  else if ( (v15 & 0x100) != 0 )
  {
    LOBYTE(v14) = a1 != 0i64;
    v16 = (BasepIsRealtimeAllowed(0i64, v14) != 0) + 3;
  }
  else
  {
    v16 = 0;
  }
  v204 = v16;
  v17 = v181 & 0xFFFF3E1F;
  v181 = v17;
  v18 = (v17 >> 12) & 0x40 | 1;
  if ( (v17 & 0x1000000) == 0 )
    v18 = (v17 >> 12) & 0x40;
  v19 = v18 | 0x100;
  if ( (v17 & 0x10000) == 0 )
    v19 = v18;
  v20 = v19 | 0x200;
  if ( (v17 & 4) != 0 )
    v20 = v19;
  v201 = v20;
  if ( (v17 & 3) != 0 )
  {
    v154 = DbgUiConnectToDbg();
    if ( v154 < 0 )
    {
      v153 = (unsigned int)v154;
      goto LABEL_706;
    }
    ThreadDebugObject = DbgUiGetThreadDebugObject();
    DebugObject = ThreadDebugObject;
    v201 = v20;
    if ( (v181 & 2) != 0 )
      v201 = v20 | 2;
  }
  else
  {
    ThreadDebugObject = DebugObject;
  }
  v384 = 131077i64;
  v387[0] = 0i64;
  v387[1] = 65539i64;
  v387[2] = 16i64;
  v387[4] = 0i64;
  v387[3] = (__int64)&v324;
  v387[5] = 6i64;
  v387[6] = 64i64;
  v387[8] = 0i64;
  v387[7] = (__int64)v351;
  v178 = 3;
  v22 = 3;
  if ( ThreadDebugObject )
  {
    v387[9] = 393217i64;
    v387[10] = 8i64;
    v387[12] = 0i64;
    v387[11] = (__int64)ThreadDebugObject;
    v178 = 4;
    v22 = 4;
  }
  if ( v204 )
  {
    *(&v384 + 4 * v22) = 131080i64;
    *(&v385 + 4 * v178) = 1i64;
    v387[4 * v178] = 0i64;
    v387[4 * v178++ - 1] = (__int64)&v204;
    v22 = v178;
  }
  if ( (v181 & 0x4000000) != 0 )
  {
    v297 = 1;
    *(&v384 + 4 * v22) = 131081i64;
    *(&v385 + 4 * v178) = 4i64;
    v387[4 * v178] = 0i64;
    v387[4 * v178++ - 1] = (__int64)&v297;
    v22 = v178;
  }
  if ( (v181 & 0x400000) != 0 )
  {
    *(&v384 + 4 * v22) = 131090i64;
    *(&v385 + 4 * v178) = 8i64;
    v387[4 * v178] = 0i64;
    v387[4 * v178++ - 1] = (__int64)&v332;
  }
  v23 = v280;
  *v280 = 0i64;
  *((_QWORD *)v23 + 2) = 0i64;
  if ( v214 && (v181 & 0x400) == 0 )
  {
    v24 = RtlCreateEnvironmentEx(v214, &v282, 1i64);
    InformationProcess = v24;
    if ( v24 < 0 )
    {
      BaseSetLastNTError((unsigned int)v24);
      local_unwind_1(v358, &loc_18009412A);
LABEL_400:
      v93 = 3221225495i64;
      goto LABEL_401;
    }
    v214 = (__int64)v282;
    v181 |= 0x400u;
  }
  Buf1 = *(_OWORD *)v315;
  v345 = *(_OWORD *)(v315 + 16);
  v346 = *(_OWORD *)(v315 + 32);
  v347 = *(_OWORD *)(v315 + 48);
  v348 = *(_OWORD *)(v315 + 64);
  v349 = *(_OWORD *)(v315 + 80);
  v350 = *(_QWORD *)(v315 + 96);
  if ( (v181 & 0x80000) != 0 )
  {
    if ( (_DWORD)Buf1 != 112 )
      goto LABEL_338;
    v80 = *(_DWORD **)(v315 + 104);
    v299 = v80;
    if ( !v80 )
      goto LABEL_37;
    v28 = BasepConvertWin32AttributeList(
            (int)v80,
            0,
            (int)&v233,
            (int)&v248,
            (__int64)&v236,
            (__int64)&v209,
            (__int64)&ProcessHandle,
            (__int64)v343,
            (__int64)v381,
            (__int64)&v284,
            (__int64)&v286,
            (__int64)v325,
            (__int64)&v232,
            (__int64)v363,
            (__int64)v359,
            (__int64)v333,
            (__int64)&v383,
            (__int64)&v178,
            22);
    InformationProcess = v28;
    if ( v28 < 0 )
    {
LABEL_404:
      v93 = (unsigned int)v28;
      goto LABEL_401;
    }
    if ( (*v80 & 0x100) != 0 )
    {
      v207 = 1;
      if ( v236 )
      {
LABEL_338:
        v93 = 3221225485i64;
LABEL_401:
        BaseSetLastNTError(v93);
        goto LABEL_403;
      }
    }
    v81 = v240;
    if ( (*v80 & 0x80000) != 0 )
      v81 = 1;
    v240 = v81;
    if ( (v233 & 4) != 0 )
      v201 |= 0x400u;
  }
LABEL_37:
  if ( (v181 & 0x800) == 0 )
  {
    v25 = -1i64;
    if ( ProcessHandle )
      v25 = (__int64)ProcessHandle;
    if ( IsProcessInJob((HANDLE)v25, 0i64, Result) && Result[0] )
      v181 = v181 & 0xFFFFE7FF | 0x800;
  }
  if ( (WORD6(v347) & 0x100) != 0 && (WORD6(v347) & 0x600) != 0 )
    HIDWORD(v347) &= ~0x100u;
  if ( !lpFileName )
    goto LABEL_51;
  Heap = RtlAllocateHeap(ProcessHeap, 0, 0x206ui64);
  v237 = Heap;
  if ( !Heap )
    goto LABEL_400;
  FullPathNameW = GetFullPathNameW(lpFileName, 0x103u, (LPWSTR)Heap, &FilePart);
  if ( FullPathNameW >= 0x104 )
  {
    RtlSetLastWin32Error(0x10Bu);
    goto LABEL_403;
  }
  if ( !FullPathNameW )
  {
LABEL_403:
    v177 = 0;
    goto LABEL_621;
  }
  lpFileName = (LPCWSTR)v237;
LABEL_51:
  v28 = BaseFormatObjectAttributes(v370, v287, 0i64, &pcbRemaining);
  InformationProcess = v28;
  if ( v28 < 0 )
    goto LABEL_404;
  v28 = BaseFormatObjectAttributes(v371, v281, 0i64, dwFlags);
  InformationProcess = v28;
  if ( v28 < 0 )
    goto LABEL_404;
  v296 = v178;
  v338 = DosPathName;
  v335 = pszSrc;
  v274 = v226;
  v329 = v214;
  while ( 1 )
  {
    v178 = v296;
    if ( !a6 || (v253 = 1, v209) )
      v253 = 0;
    v29 = v253;
    v295 = v253;
    *(_QWORD *)Result = v274;
    v226 = v274;
    v214 = v329;
    if ( !v202 || *(_DWORD *)(v202 + 32) == 1 )
    {
      if ( token )
      {
        DosPathName = v338;
        pszSrc = v335;
        *(_QWORD *)Result = token;
        v226 = token;
      }
    }
    else
    {
      *(_QWORD *)Result = *(_QWORD *)(v202 + 16);
      v226 = *(HANDLE *)Result;
    }
    if ( lpBuffer )
    {
      RtlFreeHeap(ProcessHeap, 0, lpBuffer);
      lpBuffer = 0i64;
    }
    if ( P )
    {
      RtlFreeHeap(ProcessHeap, 0, P);
      P = 0i64;
    }
    RtlFreeUnicodeString(&UnicodeString);
    if ( pszDest )
    {
      RtlFreeHeap(ProcessHeap, 0, pszDest);
      pszDest = 0i64;
    }
    if ( v223 )
    {
      NtClose(v223);
      v223 = 0i64;
    }
    if ( v247 )
    {
      NtClose(v247);
      v247 = 0i64;
    }
    if ( Environment )
    {
      RtlDestroyEnvironment(Environment);
      Environment = 0i64;
    }
    v31 = v212;
    if ( v212 )
    {
      if ( v276 )
      {
        BasepReleaseAppXContext();
        v31 = v212;
      }
      v276 = v31;
      v212 = 0i64;
    }
    if ( v264 )
    {
      NtClose(v264);
      v264 = 0i64;
    }
    if ( ThreadHandle )
    {
      if ( ThreadDebugObject )
        NtRemoveProcessDebug(Handle, ThreadDebugObject);
      NtTerminateProcess(Handle, -1073741267);
      NtWaitForSingleObject(Handle, 0, 0i64);
      NtClose(ThreadHandle);
      ThreadHandle = 0i64;
    }
    v32 = Handle;
    if ( Handle )
    {
      NtClose(Handle);
      Handle = 0i64;
    }
    if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v32, v30) )
    {
      BasepFreeAppCompatData(Buffer, v260, v244);
      Buffer = 0i64;
      LODWORD(NumberOfBytesToWrite) = 0;
      v260 = 0i64;
      HIDWORD(v232) = 0;
      v244 = 0i64;
      v227 = 0;
    }
    if ( !v200 && (unsigned __int8)IsBasepProcessInvalidImagePresent(v34, v33) )
    {
      BasepReleaseSxsCreateProcessUtilityStruct(v367);
      memset_0(v367, 0, 0x58ui64);
    }
    if ( CaptureBuffer )
    {
      CsrFreeCaptureBuffer(CaptureBuffer);
      CaptureBuffer = 0i64;
    }
    BasepFreeBnoIsolationParameter(v325);
    v35 = 0;
    v215 = 0;
    v36 = 0;
    v205 = 0;
    v251 = 1;
    if ( !DosPathName )
    {
      lpBuffer = (LPWSTR)RtlAllocateHeap(HeapHandle, 0, 0x208ui64);
      if ( !lpBuffer )
      {
LABEL_413:
        v82 = 3221225495i64;
        goto LABEL_267;
      }
      LastErrorValue = 0;
      v294 = 0;
      v75 = pszSrc;
      DosPathName = pszSrc;
      v225 = pszSrc;
      v76 = pszSrc;
      v271 = pszSrc;
      if ( *pszSrc == 34 )
      {
        v77 = 0;
        v211 = 0;
        v76 = pszSrc + 1;
        v271 = pszSrc + 1;
        DosPathName = pszSrc + 1;
        while ( 1 )
        {
          if ( !*v76 )
            goto LABEL_234;
          if ( *v76 == 34 )
            break;
          v271 = ++v76;
          v225 = v76;
        }
        v225 = v76;
        v251 = 0;
        goto LABEL_234;
      }
      v77 = 1;
      v211 = 1;
      while ( 1 )
      {
        DosPathName = v75;
        while ( *v76 )
        {
          if ( *v76 == 32 || *v76 == 9 )
          {
            v225 = v76;
            break;
          }
          v271 = ++v76;
          v225 = v76;
        }
LABEL_234:
        v210 = *v225;
        *v225 = 0;
        if ( lpPath )
        {
          RtlReleasePath();
          lpPath = 0i64;
        }
        ExePath = RtlGetExePath(DosPathName, &lpPath);
        InformationProcess = ExePath;
        if ( ExePath < 0 )
          goto LABEL_415;
        v78 = SearchPathW(lpPath, DosPathName, L".exe", 0x104u, lpBuffer, 0i64);
        ReturnLength = v78;
        if ( v78 )
        {
          if ( v78 >= 0x104 )
          {
            v108 = 3221225734i64;
          }
          else
          {
            FileAttributesW = GetFileAttributesW(lpBuffer);
            if ( FileAttributesW == -1 )
              goto LABEL_392;
            if ( (FileAttributesW & 0x10) == 0 )
            {
              *v225 = v210;
              DosPathName = lpBuffer;
              v37 = pszSrc;
              v29 = v295;
              goto LABEL_87;
            }
            v108 = 3221225658i64;
          }
          BaseSetLastNTError(v108);
        }
LABEL_392:
        if ( !LastErrorValue )
        {
          LastErrorValue = NtCurrentTeb()->LastErrorValue;
          v294 = LastErrorValue;
          v36 = v205;
          v76 = v271;
          v77 = v211;
          *(_QWORD *)Result = v226;
        }
        *v225 = v210;
        if ( !*v76 || !v77 )
        {
          v109 = LastErrorValue;
          goto LABEL_421;
        }
        v271 = ++v76;
        v225 = v76;
        v35 = 1;
        v215 = 1;
        v251 = 0;
        v75 = pszSrc;
      }
    }
    v37 = pszSrc;
    if ( !pszSrc || !*pszSrc )
    {
      v36 = 1;
      v205 = 1;
      v37 = DosPathName;
      pszSrc = DosPathName;
    }
LABEL_87:
    if ( v35 || v36 )
    {
      v97 = -1i64;
      do
        ++v97;
      while ( v37[v97] );
      v98 = 2 * v97 + 6;
      v38 = HeapHandle;
      v99 = (wchar_t *)RtlAllocateHeap(HeapHandle, 0, v98);
      pszDest = v99;
      if ( v99 )
      {
        StringCbCopyW(v99, v98, L"\"");
        if ( v35 )
        {
          v210 = *v225;
          *v225 = 0;
        }
        v100 = pszDest;
        StringCbCatW(pszDest, v98, pszSrc);
        StringCbCatW(v100, v98, L"\"");
        if ( v35 )
        {
          v107 = v225;
          *v225 = v210;
          StringCbCatW(v100, v98, v107);
        }
        pszSrc = pszDest;
      }
    }
    else
    {
      v38 = HeapHandle;
    }
    if ( !RtlDosPathNameToNtPathName_U(DosPathName, &UnicodeString, 0i64, 0i64) )
    {
      v109 = 3;
      goto LABEL_421;
    }
    ExePath = RtlInitUnicodeStringEx(&DestinationString, DosPathName);
    v40 = ExePath;
    InformationProcess = ExePath;
    if ( ExePath < 0 )
      goto LABEL_415;
    v41 = RtlDetermineDosPathNameType_U(DosPathName);
    v293 = v41;
    if ( (unsigned int)(v41 - 1) > 1 && (unsigned int)(v41 - 6) > 1
      || !(unsigned int)BasepAdjustApplicationPath(&DestinationString) )
    {
      *(_QWORD *)&DynamicString.Length = 0i64;
      DynamicString.Buffer = 0i64;
      ExePath = RtlGetFullPathName_UstrEx(&DestinationString, 0i64, &DynamicString, 0i64, 0i64, 0i64, &v293, 0i64);
      v40 = ExePath;
      InformationProcess = ExePath;
      if ( ExePath < 0 )
        goto LABEL_415;
      DestinationString = DynamicString;
      P = (PVOID)_mm_srli_si128((__m128i)DynamicString, 8).m128i_u64[0];
      DynamicString.Buffer = 0i64;
    }
    if ( (v232 & 3) == 3 )
    {
      v82 = 3221225485i64;
      goto LABEL_267;
    }
    v44 = v273;
    if ( (v273->BitField & 0x10) != 0 && !v202 )
    {
      v242 = 720897;
      v95 = AppModelPolicy_GetPolicy_Internal(-6, 11, (unsigned int)&v242, (unsigned int)&v336, (__int64)v360) | 0x10000000;
      v96 = v242;
      if ( v95 >= 0 )
      {
        if ( v242 != 720896 )
          goto LABEL_361;
        if ( (v336 & 0x24) == 36 )
          v96 = 720898;
        v242 = v96;
        v95 = 0;
      }
      if ( v95 < 0 )
        goto LABEL_362;
      if ( v96 == 720896 && (v232 & 6) == 0 )
      {
LABEL_432:
        if ( (unsigned __int8)IsCheckAppXPackageBreakawayPresent() )
        {
          v40 = CheckAppXPackageBreakaway(DestinationString.Buffer, &v228);
          InformationProcess = v40;
          if ( v40 < 0 )
            v228 = 0;
        }
        else
        {
          v40 = -1073741823;
          InformationProcess = -1073741823;
        }
        goto LABEL_362;
      }
LABEL_361:
      if ( v96 == 720898 && (v232 & 5) == 1 )
        goto LABEL_432;
LABEL_362:
      if ( v40 < 0 )
        goto LABEL_266;
      v266 = 2424832;
      if ( (int)AppModelPolicy_GetPolicy_Internal(-6, 37, (unsigned int)&v266, (unsigned int)&v357, (__int64)v362) < 0 )
      {
        v40 = -1073741823;
        InformationProcess = -1073741823;
      }
      else if ( v266 == 2424833 )
      {
        v267 = 1;
      }
      if ( v40 < 0 )
        goto LABEL_266;
      v44 = v273;
    }
    if ( !v228 && (v248.Length || (v44->BitField & 0x10) != 0 && !v267) )
    {
      if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v43, v42) )
      {
        *(_QWORD *)Protect = &Environment;
        *(_QWORD *)AllocationType = &v212;
        ExePath = BasepAppXExtension(*(_QWORD *)Result, &v248, v236, v214);
      }
      else
      {
        ExePath = -1073741823;
      }
      InformationProcess = ExePath;
      if ( ExePath < 0 )
      {
        v212 = 0i64;
        Environment = 0i64;
LABEL_415:
        v82 = (unsigned int)ExePath;
        goto LABEL_267;
      }
      v85 = v214;
      if ( Environment )
        v85 = (__int64)Environment;
      v214 = v85;
      if ( v212 )
      {
        RtlInitUnicodeString(&v248, *(PCWSTR *)(v212 + 24));
        v86 = v212;
        v87 = v236;
        if ( *(_QWORD *)v212 )
          v87 = *(_QWORD *)v212;
        v236 = v87;
        if ( *(_QWORD *)(v212 + 16) && !v202 )
        {
          if ( v237 )
          {
            RtlFreeHeap(v38, 0, v237);
            v237 = 0i64;
            v86 = v212;
          }
          lpFileName = *(LPCWSTR *)(v86 + 16);
        }
      }
      else
      {
        *(_QWORD *)&v248.Length = 0i64;
        v248.Buffer = 0i64;
      }
    }
    if ( v240 )
    {
      if ( v236 || (NtCurrentPeb()->BitField & 0x20) != 0 )
      {
        v82 = 3221225659i64;
        goto LABEL_267;
      }
      v45 = v226;
    }
    else
    {
      v45 = *(HANDLE *)Result;
    }
    ExePath = GetEmbeddedImageMitigationPolicy(v363, v381, &v284, &v292);
    InformationProcess = ExePath;
    if ( v292 )
    {
      if ( ExePath < 0 )
        goto LABEL_415;
      v413 = 131088i64;
      v414 = 24i64;
      v416 = 0i64;
      v415 = v381;
      v110 = 1i64;
      v268 = 1;
      if ( HIDWORD(v284) )
      {
        v417 = 131094i64;
        v418 = 8i64;
        v420 = 0i64;
        v419 = &v284;
        v110 = 2i64;
        v268 = 2;
      }
      BasepAddToOrUpdateAttributesList(v412, v110, &v383, &v178);
    }
    if ( v236 )
    {
      LowBox = BasepCreateLowBox(v45);
      InformationProcess = LowBox;
      if ( LowBox < 0
        || ((v298[0] = 0i64, !(unsigned __int8)IsBasepProcessInvalidImagePresent(v90, v89))
          ? (LowBox = 0)
          : (LowBox = BasepAppContainerEnvironmentExtension(*(_QWORD *)v236, v214, v298)),
            InformationProcess = LowBox,
            LowBox < 0) )
      {
        v247 = 0i64;
LABEL_449:
        BaseSetLastNTError((unsigned int)LowBox);
LABEL_451:
        v177 = 0;
        goto LABEL_269;
      }
      if ( v247 )
        v45 = v247;
      v226 = v45;
      v91 = (WCHAR *)v298[0];
      if ( v298[0] )
      {
        if ( Environment )
        {
          RtlDestroyEnvironment(Environment);
          v91 = (WCHAR *)v298[0];
        }
        Environment = v91;
        v214 = (__int64)v91;
      }
    }
    if ( v240 )
    {
      if ( *((_QWORD *)&v326 + 1) )
      {
        LowBox = -1073741811;
      }
      else
      {
        if ( !(_BYTE)v327 )
        {
          InformationProcess = 0;
          goto LABEL_104;
        }
        if ( !v325[1] )
        {
          LowBox = -1073741811;
          InformationProcess = -1073741811;
          goto LABEL_449;
        }
        LowBox = BasepCreateBnoIsolationObjectDirectories(v45);
      }
      InformationProcess = LowBox;
      if ( LowBox < 0 )
        goto LABEL_449;
    }
LABEL_104:
    if ( lpFileName )
    {
      v46 = GetFileAttributesW(lpFileName);
      if ( v46 == -1 || (v46 & 0x10) == 0 )
      {
        RtlSetLastWin32Error(0x10Bu);
        goto LABEL_451;
      }
    }
    if ( v45 )
    {
      *(&v384 + 4 * v178) = 393218i64;
      *(&v385 + 4 * v178) = 8i64;
      v387[4 * v178] = 0i64;
      v387[4 * v178++ - 1] = (__int64)v45;
    }
    v47 = v212;
    if ( v212 && (*(_BYTE *)(v212 + 80) & 1) != 0 )
    {
      *(&v384 + 4 * v178) = 393233i64;
      *(&v385 + 4 * v178) = 1i64;
      v387[4 * v178] = 0i64;
      v387[4 * v178++ - 1] = 129i64;
      v201 |= 0x40u;
      v47 = v212;
    }
    if ( a6 )
      v201 |= 4u;
    else
      v201 &= ~4u;
    memset_0(&v305, 0, 0x58ui64);
    v305 = 88i64;
    v48 = v200;
    if ( !v200 )
    {
      if ( !v29 && (WORD6(v347) & 0x100) == 0 && !ProcessHandle && (v181 & 0x8000018) == 0 )
      {
        v235 = 3;
        v234 = v234 & 0xFFFFFFE0 | 1;
        *(&v384 + 4 * v178) = 131082i64;
        *(&v385 + 4 * v178) = 8i64;
        v387[4 * v178] = 0i64;
        v387[4 * v178++ - 1] = (__int64)&v234;
        v48 = v200;
        v47 = v212;
      }
      if ( !v48 && !v29 && (WORD6(v347) & 0x100) != 0 && ProcessHandle )
      {
        v235 = 3;
        v234 = v234 & 0xFFFFFFE0 | 2;
        *(&v384 + 4 * v178) = 131082i64;
        *(&v385 + 4 * v178) = 8i64;
        v387[4 * v178] = 0i64;
        v387[4 * v178++ - 1] = (__int64)&v234;
        v47 = v212;
      }
    }
    if ( (v181 & 3) == 0 || v273->ReadImageFileExecOptions )
    {
      if ( v185 )
      {
        v185 = 0;
        LOBYTE(KeyHandle) = (unsigned __int8)KeyHandle | 4;
      }
    }
    else
    {
      LOBYTE(KeyHandle) = (unsigned __int8)KeyHandle | 0xC;
    }
    LOBYTE(KeyHandle) = (unsigned __int8)KeyHandle | 1;
    WORD1(KeyHandle) = 0x2000;
    HIDWORD(KeyHandle) = 129;
    if ( !(_QWORD)v345 )
      *(_QWORD *)&v345 = v273->ProcessParameters->DesktopInfo.Buffer;
    if ( !v47 || (v92 = *(_WORD **)(v47 + 24)) == 0i64 || !*v92 || (*(_BYTE *)(v47 + 80) & 4) != 0 )
      LOBYTE(KeyHandle) = (unsigned __int8)KeyHandle | 2;
    RtlWow64GetProcessMachines(-1i64, &v254, &v218);
    if ( v218 != -21916
      || !(unsigned __int8)IsBasepProcessInvalidImagePresent(v50, v49)
      || (unsigned int)BasepQueryModuleChpeSettings(
                         &v372,
                         32i64,
                         DestinationString.Buffer,
                         &v339,
                         v214,
                         &v248,
                         &v244,
                         &v227,
                         &v260,
                         (char *)&v232 + 4) )
    {
      v372 = 0i64;
      v373 = 0x80000000;
      v374 = 0;
      v375 = 0;
      v376 = 0;
      v377 = 2;
      v378 = 84;
      v379 &= ~1u;
      v380 = 0i64;
    }
    if ( v212 )
      v51 = *(const WCHAR **)(v212 + 88);
    else
      v51 = 0i64;
    if ( v212 )
      v52 = *(const WCHAR **)(v212 + 8);
    else
      v52 = 0i64;
    ProcessParameters = (struct _RTL_USER_PROCESS_PARAMETERS *)BasepCreateProcessParameters(
                                                                 DosPathName,
                                                                 v52,
                                                                 v51,
                                                                 v248.Length != 0,
                                                                 v214,
                                                                 (__int64)&Buf1,
                                                                 v181,
                                                                 v253,
                                                                 v201 | (v228 != 0 ? 0x10000 : 0),
                                                                 (__int64)v343,
                                                                 (__int64)ProcessHandle);
    v337 = ProcessParameters;
    if ( !ProcessParameters )
      goto LABEL_268;
    if ( v212 && (*(_BYTE *)(v212 + 80) & 2) != 0 )
      ProcessParameters->Flags |= 0x8000000u;
    if ( v202 && !lpFileName )
    {
      Length = ProcessParameters->CurrentDirectory.DosPath.Length;
      v112 = RtlAllocateHeap(HeapHandle, 0, Length + 2);
      v237 = v112;
      if ( !v112 )
        goto LABEL_413;
      v113 = (const WCHAR *)v112;
      StringCbCopyW((STRSAFE_LPWSTR)v112, Length + 2, ProcessParameters->CurrentDirectory.DosPath.Buffer);
      lpFileName = v113;
    }
    *(&v384 + 4 * v178) = 393242i64;
    *(&v385 + 4 * v178) = 1i64;
    v387[4 * v178] = 0i64;
    v54 = QueryChpeConfiguration(&UnicodeString, (v378 >> 6) & 1);
    v387[4 * v178++ - 1] = v54;
    v386 = UnicodeString.Buffer;
    v385 = UnicodeString.Length;
    v383 = 32i64 * v178 + 8;
    if ( v202 && *(_DWORD *)(v202 + 32) != 1 )
    {
      if ( NtCurrentTeb()->IsImpersonating )
      {
        IsProcessAllowed = NtOpenThreadToken((HANDLE)0xFFFFFFFFFFFFFFFEi64, 0xCu, 1u, &TokenHandle);
        if ( IsProcessAllowed < 0 )
          goto LABEL_476;
      }
      if ( !ImpersonateLoggedOnUser(*(HANDLE *)(v202 + 16)) )
      {
        v114 = TokenHandle;
        if ( TokenHandle )
LABEL_474:
          NtClose(v114);
LABEL_478:
        v177 = 0;
        goto LABEL_269;
      }
      v252 = 1;
      ProcessParameters = v337;
      v45 = v226;
    }
    LODWORD(LengthNeeded) = 1;
    LODWORD(PathType) = v201;
    v40 = NtCreateUserProcess(
            &Handle,
            &ThreadHandle,
            0x2000000i64,
            0x2000000i64,
            pcbRemaining,
            *(_QWORD *)dwFlags,
            PathType,
            LengthNeeded,
            ProcessParameters,
            &v305,
            &v383);
    InformationProcess = v40;
    if ( v252 == 1 )
    {
      v252 = 0;
      if ( TokenHandle )
      {
        v115 = ImpersonateLoggedOnUser(TokenHandle);
        v114 = TokenHandle;
        if ( !v115 )
          goto LABEL_474;
        NtClose(TokenHandle);
      }
      else
      {
        RevertToSelf();
      }
    }
    RtlDestroyProcessParameters(ProcessParameters);
    if ( v40 >= 0 )
      break;
    Handle = 0i64;
    ThreadHandle = 0i64;
    if ( !v306 )
      goto LABEL_485;
    if ( v306 != 1 )
    {
      v101 = (unsigned int)(v306 - 2);
      if ( v306 != 2 )
      {
        if ( v306 == 3 )
          goto LABEL_504;
        v56 = (unsigned int)(v306 - 4);
        if ( v306 == 4 )
        {
          if ( v218 != -21916 )
          {
            Response = 6;
            Parameters = (unsigned __int64)&UnicodeString;
            NtRaiseHardError(1073741859, 1u, 1u, &Parameters, 1u, &Response);
          }
          v120 = 193;
          if ( v273->ImageSubsystemMajorVersion > 3 )
            v120 = 216;
          goto LABEL_503;
        }
        if ( v306 != 5 )
          break;
        v116 = KeyHandle;
        ProcessHeap = HeapHandle;
        if ( !v257 )
        {
          v257 = RtlAllocateHeap(HeapHandle, 0, 0x20Aui64);
          if ( !v257 )
          {
            NtClose(v116);
            RtlSetLastWin32Error(8u);
            v177 = 0;
            goto LABEL_621;
          }
        }
        v117 = v257;
        v118 = LdrQueryImageFileKeyOption(v116, L"Debugger", 1u, v257, 0x208u, &ReturnedLength);
        InformationProcess = v118;
        NtClose(v116);
        if ( v118 >= 0 && ReturnedLength >= 2 && *v117 )
        {
          v117[260] = 0;
          *(_QWORD *)AllocationType = &v304;
          if ( !(unsigned int)BuildSubSysCommandLine(3i64, v117, v119, pszSrc) )
            goto LABEL_403;
          pszSrc = v304.Buffer;
          DosPathName = 0i64;
        }
        else
        {
          RtlFreeHeap(ProcessHeap, 0, v257);
          v257 = 0i64;
          v185 = 1;
        }
        goto LABEL_391;
      }
      v223 = KeyHandle;
      if ( v40 == -1073741790 )
      {
        RtlSetLastWin32Error(5u);
        v177 = 0;
        ProcessHeap = HeapHandle;
        goto LABEL_621;
      }
      if ( v182 )
      {
LABEL_485:
        v94 = (unsigned int)v40;
        goto LABEL_353;
      }
      if ( v40 == -1073741521 && UnicodeString.Length >= 8u )
      {
        v102 = &UnicodeString.Buffer[(unsigned __int64)UnicodeString.Length >> 1];
        if ( !_wcsnicmp(v102 - 4, L".bat", 4ui64) || !_wcsnicmp(v102 - 4, L".cmd", 4ui64) )
        {
          v188 = 1;
          v103 = (WCHAR *)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, KernelBaseGlobalData, 0x20Eui64);
          v104 = v103;
          v277 = v103;
          if ( !v103 )
          {
            v94 = 3221225495i64;
            goto LABEL_353;
          }
          EnvironmentVariableW = GetEnvironmentVariableW(L"ComSpec", v103, 0x104u);
          if ( EnvironmentVariableW >= 0x104 )
          {
            v94 = 3221225487i64;
            goto LABEL_353;
          }
          if ( !EnvironmentVariableW )
          {
            if ( GetEnvironmentVariableW(L"SystemRoot", v104, 0xF3u) - 1 > 0xF1 )
            {
              v94 = 3221225731i64;
              goto LABEL_353;
            }
            RtlStringCchCatW(v104, 0x104ui64, L"\\system32\\cmd.exe");
          }
          RtlStringCchCatW(v104, 0x107ui64, L" /c");
          *(_QWORD *)AllocationType = &v304;
          if ( !(unsigned int)BuildSubSysCommandLine(v251, v104, v106, pszSrc) )
            goto LABEL_478;
          pszSrc = v304.Buffer;
          DosPathName = 0i64;
          goto LABEL_389;
        }
      }
      if ( (v181 & 0x2000000) != 0 )
      {
LABEL_526:
        if ( v40 == -1073741519 )
        {
          if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v101, v55) )
          {
            p_Buf1 = 0i64;
            v166 = (__int64)v280;
            v165 = v315;
            p_UnicodeString = (__int64)lpFileName;
            LengthNeeded = (PSIZE_T)v214;
            LODWORD(PathType) = v181;
            Protect[0] = a6;
            *(_QWORD *)AllocationType = v281;
            ProcessInternalW = NtVdm64CreateProcessInternalW(v45, DosPathName, pszSrc, v287);
          }
          else
          {
            ProcessInternalW = 0;
          }
          v177 = ProcessInternalW;
          if ( !ProcessInternalW
            && NtCurrentTeb()->LastErrorValue == 216
            && (unsigned __int8)IsBasepProcessInvalidImagePresent(v123, v122) )
          {
            RaiseInvalid16BitExeError(&UnicodeString);
          }
          goto LABEL_269;
        }
        if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v101, v55) )
        {
          v176 = &v239;
          v175 = &v289;
          *(_QWORD *)v174 = &v200;
          v173 = (__int64)&v199;
          v172 = (__int64)v320;
          v171 = (__int64)v322;
          v170 = (__int64)&v304;
          p_NumberOfBytesToWrite = (__int64)&v221;
          p_Buffer = (__int64)ApiMessage;
          p_Buf1 = (__int64)&Buf1;
          v166 = (__int64)&v214;
          v165 = (__int64)&v186;
          p_UnicodeString = (__int64)&UnicodeString;
          LengthNeeded = (PSIZE_T)&a6;
          PathType = (RTL_PATH_TYPE *)&v181;
          *(_QWORD *)Protect = lpFileName;
          *(_QWORD *)AllocationType = &pszSrc;
          v125 = BasepProcessInvalidImage((unsigned int)v40, v45, DestinationString.Buffer, &DosPathName);
        }
        else
        {
          v125 = 0;
        }
        v177 = v125;
        if ( !v125 )
          goto LABEL_269;
        if ( v239 )
          goto LABEL_223;
LABEL_389:
        v182 = 1;
LABEL_390:
        ProcessHeap = HeapHandle;
        goto LABEL_391;
      }
      v121 = 1;
      v216 = 1;
      if ( v40 != -1073741541 )
      {
        if ( v40 == -1073741521 )
        {
          if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v101, v55)
            && (unsigned int)BaseIsDosApplication(&UnicodeString, 3221225775i64) )
          {
            goto LABEL_521;
          }
        }
        else if ( v40 > -1073741521 && (v40 <= -1073741519 || v40 == -1073741209) )
        {
          goto LABEL_521;
        }
        v121 = 0;
        v216 = 0;
      }
LABEL_521:
      if ( v121 )
      {
        IsProcessAllowed = (unsigned __int8)IsBasepProcessInvalidImagePresent(v101, v55)
                         ? BasepCheckWinSaferRestrictions(v45, DosPathName, v223, &v248)
                         : 0;
        if ( IsProcessAllowed < 0 )
          goto LABEL_476;
      }
      goto LABEL_526;
    }
    if ( v202 || v40 != -1073741191 && v40 != -1073741790 || !(unsigned __int8)IsLoadAppExecutionAliasInfoExPresent() )
      goto LABEL_265;
    v126 = 0i64;
    AppExecutionAliasPath = 0;
    v241 = 0;
    if ( v40 != -1073741790 )
    {
      v128 = 0;
LABEL_551:
      v126 = DestinationString.Buffer;
      goto LABEL_552;
    }
    v128 = 1;
    if ( !(unsigned __int8)IsGetAppExecutionAliasPathPresent() )
      goto LABEL_551;
    v224 = 0;
    v129 = v274;
    AppExecutionAliasPath = (unsigned __int16)GetAppExecutionAliasPath(DestinationString.Buffer, v274, 0i64, &v224);
    if ( AppExecutionAliasPath == 122 )
    {
      v126 = RtlAllocateHeap(HeapHandle, 0, 2i64 * v224);
      v300 = v126;
      if ( (unsigned __int16)GetAppExecutionAliasPath(DestinationString.Buffer, v129, v126, &v224) )
        AppExecutionAliasPath = (unsigned __int16)GetAppExecutionAliasPath(DestinationString.Buffer, v274, v126, &v224) | 0xC0070000;
      else
        AppExecutionAliasPath = (unsigned __int16)GetAppExecutionAliasPath(DestinationString.Buffer, v129, v126, &v224);
    }
    else if ( AppExecutionAliasPath )
    {
      AppExecutionAliasPath |= 0xC0070000;
    }
    v241 = AppExecutionAliasPath;
LABEL_552:
    if ( AppExecutionAliasPath >= 0 )
    {
      AppExecutionAliasPath = LoadAppExecutionAliasInfoEx(v126, v274, &v202);
      v241 = AppExecutionAliasPath;
    }
    if ( !v128 || AppExecutionAliasPath < 0 )
      goto LABEL_558;
    v130 = v202;
    if ( v202 )
    {
      AppExecutionAliasPath = ValidateAppXAliasFallback(DestinationString.Buffer);
      v241 = AppExecutionAliasPath;
LABEL_558:
      v130 = v202;
    }
    if ( AppExecutionAliasPath < 0 || !v130 )
    {
      if ( AppExecutionAliasPath == -1073267456 )
        v40 = -1073267456;
      InformationProcess = v40;
LABEL_265:
      if ( !RtlIsDosDeviceName_U(DosPathName) )
      {
LABEL_266:
        v82 = (unsigned int)v40;
LABEL_267:
        BaseSetLastNTError(v82);
LABEL_268:
        v177 = 0;
        goto LABEL_269;
      }
      v109 = 1200;
LABEL_421:
      RtlSetLastWin32Error(v109);
      goto LABEL_268;
    }
    DosPathName = *(PCWSTR *)(v130 + 8);
    v226 = *(HANDLE *)(v130 + 16);
    if ( *(_DWORD *)(v130 + 32) == 1 )
    {
      v131 = -1i64;
      do
        ++v131;
      while ( *(_WORD *)(*(_QWORD *)(v130 + 24) + 2 * v131) );
      v132 = -1i64;
      do
        ++v132;
      while ( pszSrc[v132] );
      v133 = 2 * ((int)v132 + (int)v131) + 4;
      ProcessHeap = HeapHandle;
      v134 = (wchar_t *)RtlAllocateHeap(HeapHandle, 0, v133);
      v135 = v134;
      v283 = v134;
      if ( v134 )
      {
        StringCbCopyW(v134, v133, *(STRSAFE_LPCWSTR *)(v202 + 24));
        StringCbCatW(v135, v133, L" ");
        StringCbCatW(v135, v133, pszSrc);
LABEL_572:
        pszSrc = v135;
      }
    }
    else
    {
      RtlInitUnicodeString(&v248, *(PCWSTR *)v130);
      v228 = 0;
      v136 = -1i64;
      do
        ++v136;
      while ( pszSrc[v136] );
      v137 = 2 * (int)v136 + 2;
      ProcessHeap = HeapHandle;
      v138 = (wchar_t *)RtlAllocateHeap(HeapHandle, 0, v137);
      v135 = v138;
      v283 = v138;
      if ( v138 )
      {
        StringCbCopyExW(v138, v137, pszSrc, v139, *(size_t **)AllocationType, Protect[0]);
        goto LABEL_572;
      }
    }
LABEL_391:
    ThreadDebugObject = DebugObject;
  }
  v223 = v308;
  v264 = v309;
  if ( (unsigned int)(v352 - 2) > 1 )
  {
    v120 = 129;
    goto LABEL_503;
  }
  if ( v354 >= 3u && (v354 != 3 || v353 >= 0xAu) )
  {
    v56 = MEMORY[0x7FFE026C];
    if ( (unsigned int)v354 <= MEMORY[0x7FFE026C]
      && (v354 != MEMORY[0x7FFE026C] || (unsigned int)v353 <= MEMORY[0x7FFE0270]) )
    {
      v57 = 1;
      goto LABEL_142;
    }
LABEL_504:
    v120 = 193;
LABEL_503:
    RtlSetLastWin32Error(v120);
    goto LABEL_478;
  }
  v57 = 0;
LABEL_142:
  if ( !v57 )
    goto LABEL_504;
  if ( ((unsigned __int8)KeyHandle & 8) != 0 )
  {
    v316 = v313;
    v269 = v314;
  }
  if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v56, v353) )
    v60 = BasepCheckWebBladeHashes(v223);
  else
    v60 = 0;
  if ( v60 == -1073741790 )
  {
    v120 = 1277;
    goto LABEL_503;
  }
  if ( v60 < 0 )
  {
    v120 = 1278;
    goto LABEL_503;
  }
  if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v59, v58) )
    IsProcessAllowed = BasepIsProcessAllowed(DosPathName);
  else
    IsProcessAllowed = 0;
  InformationProcess = IsProcessAllowed;
  if ( IsProcessAllowed < 0 )
    goto LABEL_476;
  if ( !v186 && (v181 & 0x800) != 0 )
    v181 &= ~0x800u;
  if ( v200 )
  {
    v239 = Handle;
    if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v62, v61) )
      updated = BaseUpdateVDMEntry(1i64, &v239, v221, v200);
    else
      updated = 0;
    v177 = updated;
    if ( updated )
    {
      v199 |= 2u;
      goto LABEL_156;
    }
    v239 = 0i64;
LABEL_269:
    ProcessHeap = HeapHandle;
    goto LABEL_621;
  }
LABEL_156:
  v318 = v311;
  if ( !v182 && (v181 & 0x2000000) == 0 )
  {
    IsProcessAllowed = (unsigned __int8)IsBasepProcessInvalidImagePresent(v62, v61)
                     ? BasepCheckWinSaferRestrictions(v45, DosPathName, v223, &v248)
                     : 0;
    if ( IsProcessAllowed < 0 )
      goto LABEL_476;
  }
  memset_0(&v397, 0, 0x1C8ui64);
  v64 = v356;
  v65 = (unsigned int)v356 - 332;
  if ( v356 == 332 )
  {
    if ( ((unsigned __int8)KeyHandle & 2) != 0 )
    {
      v66 = MEMORY[0x7FFE026A];
      goto LABEL_166;
    }
LABEL_341:
    v183 = 10;
    goto LABEL_167;
  }
  v65 = (unsigned int)v356 - 452;
  if ( v356 == 452 )
  {
    v183 = 5;
    goto LABEL_167;
  }
  v65 = (unsigned int)v356 - 14948;
  if ( v356 == 14948 )
    goto LABEL_341;
  v65 = (unsigned int)v356 - 34404;
  if ( v356 == 34404 )
  {
    v66 = 9;
    goto LABEL_166;
  }
  if ( v356 == 43620 )
  {
    v183 = 12;
  }
  else
  {
    DbgPrint_0("Kernel32: No mapping for ImageInformation.Machine == %04x\n", v356);
    v66 = -1;
LABEL_166:
    v183 = v66;
  }
LABEL_167:
  if ( (v181 & 0x400000) != 0 )
    goto LABEL_221;
  if ( ((unsigned __int8)KeyHandle & 0x10) != 0 && v212 )
  {
    InformationProcess = NtQueryInformationProcess(
                           Handle,
                           ProcessAffinityUpdateMode|ProcessUserModeIOPL,
                           ProcessInformation,
                           1u,
                           0i64);
    if ( InformationProcess < 0 )
    {
      InformationProcess = 0;
    }
    else if ( ProcessInformation[0] == -127 )
    {
      v187 = 1;
    }
  }
  v219 = 0;
  if ( (((unsigned __int8)KeyHandle & 1) == 0 || v187) && (unsigned __int8)IsBasepProcessInvalidImagePresent(v65, v64) )
  {
    v173 = (__int64)&v249;
    v172 = (__int64)&v286;
    v171 = (__int64)&v219;
    v170 = (__int64)&v279;
    p_NumberOfBytesToWrite = (__int64)&v317;
    p_Buffer = (__int64)&v270;
    p_Buf1 = (__int64)&v232 + 4;
    v166 = (__int64)&v260;
    v165 = (__int64)&v227;
    p_UnicodeString = (__int64)&v244;
    LengthNeeded = (PSIZE_T)&v248;
    PathType = (RTL_PATH_TYPE *)v214;
    *(_QWORD *)Protect = DestinationString.Buffer;
    *(_QWORD *)AllocationType = Handle;
    BasepQueryAppCompat(v351, ((unsigned __int8)KeyHandle >> 1) & 1, v183, v223);
  }
  if ( ((unsigned __int8)KeyHandle & 1) == 0 || ((unsigned __int8)KeyHandle & 0x10) != 0 )
  {
    v250 = v310;
    v398 = v310;
    v405[0] = 0;
    v407 = 0i64;
    if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v65, v64) )
    {
      v67 = !v212 || (*(_BYTE *)(v212 + 80) & 4) != 0 ? 0i64 : *(_QWORD *)(v212 + 16);
      v173 = (__int64)v367;
      v172 = (__int64)&v397;
      v171 = (__int64)&v250;
      LODWORD(v170) = v269;
      p_NumberOfBytesToWrite = v316;
      p_Buffer = v318;
      p_Buf1 = v67;
      LODWORD(v166) = (v355 >> 9) & 1;
      LODWORD(v165) = HIDWORD(v232);
      p_UnicodeString = v260;
      LODWORD(LengthNeeded) = v270;
      LODWORD(PathType) = ((unsigned __int8)KeyHandle >> 2) & 1;
      *(_QWORD *)Protect = v45;
      *(_QWORD *)AllocationType = v264;
      IsProcessAllowed = BasepConstructSxsCreateProcessMessage(&UnicodeString, &DestinationString, v223, Handle);
    }
    else
    {
      IsProcessAllowed = 0;
    }
    InformationProcess = IsProcessAllowed;
    if ( IsProcessAllowed < 0 )
      goto LABEL_476;
  }
  v410 = v312;
  v409 = v311;
  v390 = (unsigned __int64)Handle;
  v391 = (unsigned __int64)ThreadHandle;
  v392 = _mm_loadu_si128(&v324);
  v411 = v183;
  v393 = v181 & 0xFFFFFFFC;
  if ( v352 == 2 || v186 )
  {
    v390 = (unsigned __int64)Handle | 2;
    ModuleHandleA = GetModuleHandleA(0i64);
    v84 = RtlImageNtHeader(ModuleHandleA);
    if ( v84 )
    {
      if ( v84->OptionalHeader.Subsystem == 2 )
        v390 |= 1ui64;
    }
  }
  if ( v45 )
  {
    IsProcessAllowed = NtQueryInformationToken(v45, TokenSessionId, &TokenInformation, 4u, &ReturnLength);
    InformationProcess = IsProcessAllowed;
    if ( IsProcessAllowed < 0 )
      goto LABEL_476;
    if ( TokenInformation != NtCurrentPeb()->SessionId )
      v391 |= 1ui64;
    v45 = v226;
  }
  if ( (BYTE12(v347) & 0x40) != 0 )
    v390 |= 1ui64;
  if ( (SBYTE12(v347) & 0x80u) != 0 )
    v390 &= ~1ui64;
  if ( (HIDWORD(v347) & 0x10000) != 0 )
    v390 &= 0xFFFFFFFFFFFFFFFCui64;
  v394 = v200;
  if ( v200 )
  {
    v141 = v221;
    if ( v221 )
    {
      ConsoleHost = 0i64;
    }
    else
    {
      ConsoleHost = BasepGetConsoleHost();
      v141 = v221;
    }
    v396 = ConsoleHost;
    v395 = v141;
  }
  if ( ((unsigned __int8)KeyHandle & 1) != 0 && ((unsigned __int8)KeyHandle & 0x10) == 0 )
    v391 |= 2ui64;
  IsProcessAllowed = 0;
  v278 = 0;
  CaptureBuffer = 0i64;
  if ( v397 && (v397 & 0x20) == 0 )
  {
    if ( (v397 & 0x40) != 0 )
    {
      MessageStrings[0] = (PUNICODE_STRING)v399;
      MessageStrings[1] = (PUNICODE_STRING)&v400;
      MessageStrings[2] = (PUNICODE_STRING)v403;
      MessageStrings[3] = (PUNICODE_STRING)v406;
      v68 = MessageStrings;
      v69 = 4;
    }
    else
    {
      v447[0] = (__int64)v399;
      v447[1] = (__int64)&v401;
      v447[2] = (__int64)&v402;
      v447[3] = (__int64)v403;
      v447[4] = (__int64)v406;
      v68 = (PUNICODE_STRING *)v447;
      v69 = 5;
    }
    IsProcessAllowed = CsrCaptureMessageMultiUnicodeStringsInPlace(&CaptureBuffer, v69, v68);
    v278 = IsProcessAllowed;
  }
  InformationProcess = IsProcessAllowed;
  if ( IsProcessAllowed < 0 )
    goto LABEL_476;
  CsrClientCallServer(ApiMessage, CaptureBuffer, (CSR_API_NUMBER)0x1001D, 0x218u);
  v71 = (HANDLE)v389;
  if ( (v389 & 0x80000000) != 0 )
  {
    BaseSetLastNTError(v389);
    ExitStatus = v389;
    goto LABEL_478;
  }
  if ( ((unsigned __int8)KeyHandle & 1) == 0 )
  {
    v250 = v398;
    if ( v398 != v310 )
    {
      IsProcessAllowed = BasepUpdateProcessParametersField(Handle, 8i64, 8, (__int64)&v305);
      InformationProcess = IsProcessAllowed;
      if ( IsProcessAllowed < 0 )
        goto LABEL_476;
    }
  }
  if ( !v188 && (v233 & 2) == 0 && !v236 )
  {
    HIDWORD(NumberOfBytesToWrite) |= 1u;
    if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v71, v70) )
    {
      v166 = 0i64;
      v165 = 0i64;
      p_UnicodeString = (__int64)v45;
      LODWORD(LengthNeeded) = v279;
      PathType = (RTL_PATH_TYPE *)v406;
      *(_QWORD *)Protect = v404;
      *(_QWORD *)AllocationType = v317;
      v72 = BaseCheckElevation(Handle, v223, DestinationString.Buffer, (char *)&NumberOfBytesToWrite + 4);
      InformationProcess = v72;
    }
    else
    {
      v72 = 0;
      InformationProcess = 0;
    }
    if ( v72 < 0 )
    {
      if ( v72 == -1073740756 && (v233 & 1) == 0 && (unsigned __int8)IsBasepProcessInvalidImagePresent(v71, v70) )
        BaseWriteErrorElevationRequiredEvent();
      goto LABEL_477;
    }
  }
  if ( v408[0] && !v207 && !v202 && !token )
  {
    PackageActivationTokenForSxS = BasepGetPackageActivationTokenForSxS(v408, v274, &token);
    if ( PackageActivationTokenForSxS )
      goto LABEL_502;
    v71 = token;
    if ( token )
    {
      packageFullNameLength = 128;
      PackageActivationTokenForSxS = GetPackageFullNameFromToken(token, &packageFullNameLength, packageFullName);
      if ( PackageActivationTokenForSxS )
        goto LABEL_502;
      RtlInitUnicodeString(&v248, packageFullName);
      goto LABEL_390;
    }
  }
  if ( ((unsigned __int8)KeyHandle & 1) != 0 )
  {
    if ( !v187 )
      goto LABEL_215;
    if ( !(unsigned __int8)IsBasepProcessInvalidImagePresent(v71, v70) )
      goto LABEL_215;
    if ( !(unsigned __int8)IsBasepProcessInvalidImagePresent(v71, v70) )
      goto LABEL_215;
    p_NumberOfBytesToWrite = (__int64)&NumberOfBytesToWrite;
    p_Buffer = (__int64)&Buffer;
    p_Buf1 = (__int64)&v227;
    v166 = (__int64)&v244;
    LODWORD(v165) = v249;
    p_UnicodeString = v286;
    LOWORD(LengthNeeded) = v219;
    PathType = (RTL_PATH_TYPE *)v351;
    *(_QWORD *)Protect = &v407;
    *(_QWORD *)AllocationType = v405;
    BasepGetAppCompatData(DestinationString.Buffer, v248.Buffer, (char *)&NumberOfBytesToWrite + 4, v404);
    if ( (unsigned int)BasepInitAppCompatData(Handle, Buffer, (unsigned int)NumberOfBytesToWrite) )
      goto LABEL_215;
    InformationProcess = -1073741790;
    v94 = 3221225506i64;
LABEL_353:
    BaseSetLastNTError(v94);
    goto LABEL_478;
  }
  if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v71, v70) )
  {
    p_NumberOfBytesToWrite = (__int64)&NumberOfBytesToWrite;
    p_Buffer = (__int64)&Buffer;
    p_Buf1 = (__int64)&v227;
    v166 = (__int64)&v244;
    LODWORD(v165) = v249;
    p_UnicodeString = v286;
    LOWORD(LengthNeeded) = v219;
    PathType = (RTL_PATH_TYPE *)v351;
    *(_QWORD *)Protect = &v407;
    *(_QWORD *)AllocationType = v405;
    BasepGetAppCompatData(DestinationString.Buffer, v248.Buffer, (char *)&NumberOfBytesToWrite + 4, v404);
  }
  if ( Buffer )
  {
    BaseAddress = 0i64;
    RegionSize[0] = (unsigned int)NumberOfBytesToWrite;
    IsProcessAllowed = NtAllocateVirtualMemory(Handle, &BaseAddress, 0i64, RegionSize, 0x1000u, 4u);
    InformationProcess = IsProcessAllowed;
    if ( IsProcessAllowed < 0 )
      goto LABEL_476;
    IsProcessAllowed = NtWriteVirtualMemory(Handle, BaseAddress, Buffer, (unsigned int)NumberOfBytesToWrite, 0i64);
    InformationProcess = IsProcessAllowed;
    if ( IsProcessAllowed < 0 )
      goto LABEL_476;
    IsProcessAllowed = NtWriteVirtualMemory(Handle, (PVOID)(v318 + 728), &BaseAddress, 8ui64, 0i64);
    InformationProcess = IsProcessAllowed;
    if ( IsProcessAllowed < 0 )
      goto LABEL_476;
    v71 = (HANDLE)v312;
    if ( v312 )
    {
      v302 = (int)BaseAddress;
      IsProcessAllowed = NtWriteVirtualMemory(Handle, (PVOID)(v312 + 488), &v302, 4ui64, 0i64);
      InformationProcess = IsProcessAllowed;
    }
    if ( IsProcessAllowed < 0 )
    {
LABEL_476:
      v94 = (unsigned int)IsProcessAllowed;
      goto LABEL_353;
    }
  }
LABEL_215:
  if ( !v188 && ((unsigned __int8)KeyHandle & 1) == 0 )
  {
    IsProcessAllowed = (unsigned __int8)IsBasepProcessInvalidImagePresent(v71, v70)
                     ? BaseElevationPostProcessing(HIDWORD(NumberOfBytesToWrite), v183, Handle)
                     : 0;
    InformationProcess = IsProcessAllowed;
    if ( IsProcessAllowed < 0 )
      goto LABEL_475;
  }
  if ( !v212 )
    goto LABEL_221;
  IsProcessAllowed = BasepPostSuccessAppXExtension(Handle);
  InformationProcess = IsProcessAllowed;
  if ( IsProcessAllowed < 0 )
    goto LABEL_475;
  if ( *(_QWORD *)(v212 + 72) )
  {
    IsProcessAllowed = BasepUpdateProcessParametersField(Handle, 1024i64, 664, (__int64)&v305);
    InformationProcess = IsProcessAllowed;
  }
  if ( IsProcessAllowed < 0 )
  {
LABEL_475:
    ExitStatus = IsProcessAllowed;
    goto LABEL_476;
  }
  v261 = 0;
  if ( !v202 || (v144 = *(unsigned int *)(v202 + 32), (_DWORD)v144 == 1) )
  {
    if ( !token )
      goto LABEL_335;
    *(_QWORD *)Protect = &v261;
    *(_QWORD *)AllocationType = v45;
    PackageActivationTokenForSxS = BasepFinishPackageActivationForSxS(Handle, ThreadHandle, lpFileName, pszSrc);
    if ( !PackageActivationTokenForSxS )
      goto LABEL_335;
LABEL_502:
    ExitStatus = -1073741823;
    v120 = PackageActivationTokenForSxS;
    goto LABEL_503;
  }
  v190 = 1;
  PathType = (RTL_PATH_TYPE *)&v261;
  *(_QWORD *)Protect = v45;
  *(_QWORD *)AllocationType = pszSrc;
  IsProcessAllowed = CompleteAppExecutionAliasProcessCreationEx(Handle, ThreadHandle, v144, lpFileName);
  InformationProcess = IsProcessAllowed;
  if ( IsProcessAllowed < 0 )
    goto LABEL_475;
LABEL_335:
  if ( (v261 & 1) != 0 )
    v181 |= 4u;
LABEL_221:
  if ( (v181 & 4) == 0 )
  {
    v72 = NtResumeThread(ThreadHandle, 0i64);
    InformationProcess = v72;
    if ( v72 < 0 )
    {
LABEL_477:
      BaseSetLastNTError((unsigned int)v72);
      ExitStatus = v72;
      goto LABEL_478;
    }
  }
LABEL_223:
  v177 = 1;
  if ( v199 )
    v199 |= 8u;
  v73 = v280;
  if ( v239 )
  {
    if ( v200 == 32 )
    {
      *(_QWORD *)v280 = (unsigned __int64)v239 | 2;
      if ( (v199 & 4) != 0 )
        v324 = 0i64;
    }
    else
    {
      *(_QWORD *)v280 = (unsigned __int64)v239 | 1;
    }
    if ( Handle )
      NtClose(Handle);
  }
  else
  {
    *(_QWORD *)v280 = Handle;
  }
  *((_QWORD *)v73 + 1) = ThreadHandle;
  *((_DWORD *)v73 + 4) = v324.m128i_i32[0];
  *((_DWORD *)v73 + 5) = v324.m128i_i32[2];
  Handle = 0i64;
  ThreadHandle = 0i64;
  ProcessHeap = HeapHandle;
LABEL_621:
  v145 = NtCurrentTeb()->LastErrorValue;
  if ( v257 )
    RtlFreeHeap(ProcessHeap, 0, v257);
  if ( P )
    RtlFreeHeap(ProcessHeap, 0, P);
  RtlFreeUnicodeString(&UnicodeString);
  if ( !v200 && (unsigned __int8)IsBasepProcessInvalidImagePresent(v147, v146) )
    BasepReleaseSxsCreateProcessUtilityStruct(v367);
  if ( v282 )
    RtlDestroyEnvironment(v282);
  v148 = (_QWORD *)v202;
  if ( v202 )
  {
    memset_0(v369, 0, 0x64ui64);
    Buf2 = 104;
    if ( (unsigned int)dword_180289228 > 5
      && (qword_180289238 & 0x400000000000i64) != 0
      && (qword_180289240 & 0x400000000000i64) == qword_180289240 )
    {
      v189 = 1;
      v422 = &v189;
      v423 = 1i64;
      v258 = v145;
      v424 = &v258;
      v425 = 4i64;
      v191 = v190;
      v426 = &v191;
      v427 = 1i64;
      tlgCreate1Sz_wchar_t(v428, *v148);
      if ( *(_QWORD *)(v202 + 8) )
        v155 = (const WCHAR *)CentennialActivationRemovePIIfromFilePath_Kernel();
      else
        v155 = &word_1801C3EC4;
      tlgCreate1Sz_wchar_t(v429, v155);
      v192 = v177 == 1;
      v430 = &v192;
      v431 = 1i64;
      v193 = v287 != 0;
      v432 = &v193;
      v433 = 1i64;
      v194 = v281 != 0;
      v434 = &v194;
      v435 = 1i64;
      v195 = a6 == 1;
      v436 = &v195;
      v437 = 1i64;
      v255 = v181;
      v438 = &v255;
      v439 = 4i64;
      v196 = v214 != 0;
      v440 = &v196;
      v441 = 1i64;
      v197 = memcmp_0(&Buf1, &Buf2, 0x68ui64) == 0;
      v442 = &v197;
      v443 = 1i64;
      v198 = v299 == 0i64;
      v444 = &v198;
      v445 = 1i64;
      tlgWriteTransfer_EtwEventWriteTransfer(
        v156,
        (unsigned int)&unk_1802555B5,
        v157,
        v158,
        AllocationType[0],
        (__int64)v421);
      v148 = (_QWORD *)v202;
    }
    if ( !v177 )
    {
      PerformAppxLicenseRundownEx(*v148, v148[2]);
      v148 = (_QWORD *)v202;
    }
    FreeAppExecutionAliasInfoEx(v148);
    v202 = 0i64;
  }
  if ( v212 )
  {
    BasepReleaseAppXContext();
    v212 = 0i64;
  }
  if ( v276 )
    BasepReleaseAppXContext();
  if ( v247 )
    NtClose(v247);
  if ( token )
    NtClose(token);
  if ( Environment )
    RtlDestroyEnvironment(Environment);
  if ( pszDest )
    RtlFreeHeap(ProcessHeap, 0, pszDest);
  if ( lpBuffer )
    RtlFreeHeap(ProcessHeap, 0, lpBuffer);
  if ( v277 )
    RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v277);
  if ( v237 )
    RtlFreeHeap(ProcessHeap, 0, v237);
  if ( v223 )
    NtClose(v223);
  if ( v264 )
    NtClose(v264);
  if ( ThreadHandle )
  {
    if ( DebugObject )
      NtRemoveProcessDebug(Handle, DebugObject);
    NtTerminateProcess(Handle, ExitStatus);
    NtWaitForSingleObject(Handle, 0, 0i64);
    NtClose(ThreadHandle);
  }
  v149 = Handle;
  if ( Handle )
    NtClose(Handle);
  if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v149, v146) )
    BasepFreeAppCompatData(Buffer, v260, v244);
  RtlFreeUnicodeString(&v304);
  if ( (v323 || v321) && (unsigned __int8)IsBasepProcessInvalidImagePresent(v151, v150) )
    BaseDestroyVDMEnvironment(v322, v320);
  if ( v199 && (v199 & 8) == 0 )
  {
    if ( (unsigned __int8)IsBasepProcessInvalidImagePresent(v151, v150) )
      BaseUpdateVDMEntry(0i64, &v221, v199, v200);
    if ( v239 )
      NtClose(v239);
  }
  if ( lpPath )
    RtlReleasePath();
  if ( CaptureBuffer )
  {
    CsrFreeCaptureBuffer(CaptureBuffer);
    CaptureBuffer = 0i64;
  }
  if ( v283 )
    RtlFreeHeap(ProcessHeap, 0, v283);
  if ( v300 )
    RtlFreeHeap(ProcessHeap, 0, v300);
  BasepFreeBnoIsolationParameter(v325);
  NtCurrentTeb()->LastErrorValue = v145;
  return v177;
}

 

[waahoo]

Я с ней дрался когда-то давно, не зашло толи из-за того, что она разнится от системы к системе, толи подготовки много было и проще CreateProcess было дернуть.. Сейчас точно не вспомню, но одно помню точно, это оказался геморой

 

[arsarsov]

Я с ней дрался когда-то давно, не зашло толи из-за того, что она разнится от системы к системе, толи подготовки много было и проще CreateProcess было дернуть.. Сейчас точно не вспомню, но одно помню точно, это оказался геморой

Именно так все и есть, от XP до семерки вроде под капотом CreateProcessA\W идет вызов NtCreateProcess, свыше 7 до 11 дергается NtCreateUserProcess
И были какие-то специфичные билды где еще что-то третье дергалось

UPD: Поправлю себя, вот точные функции которые вызываются
2k ->NtCreateProcess
xp ->NtCreateProcessEx
vista/win7/2008 ->NtCreateUserProcess

 

[Quake3]

Так NtCreateProcess еще более геморная, там нужно вручную создавать поток, посылать уведомление csrss и так далее.

 

[arsarsov]

Так NtCreateProcess еще более геморная, там нужно вручную создавать поток, посылать уведомление csrss и так далее.

В любом случае в разных версиях ОС процесс создается по-разному, и вручную создавать его при помощи NT функций немного нецелесообразно, можно конечно заморочиться, и сделать 3 вида запуска, сверять версию ОС и выбирать нужный, но как по мне проще дернуть CreateProcessW, а если требуется обойти проверку параметров в перехватах АВ, то запускаешь его с флагами не SUSPENDED, при этом хукаешь функцию NtResumeThread, и возвращаешь результат 0, как будто поток был успешно запущен, ну в целом и другие методы есть как вызвать запуск процесса не SUSPENDED, но в итоге сделать SUSPENDEN
Почему привел именно этот пример - потому что часто пытаются использовать Nt функции или даже напрямую сисколы, что бы сделать тихий инжект в процесс, а для этого нужно его запустить как SUSPENDED
Но это просто как частный случай, применений понятное дело гораздо больше