From 64e8573d98edd63181e4725cba9b9e0b6a17bc9d Mon Sep 17 00:00:00 2001
From: Valentin Radu
Date: Wed, 6 Oct 2021 02:58:32 +0300
Subject: [PATCH] Start menu is now hooked from explorer.exe
---
ExplorerPatcher/StartMenu.c | 121 ++++++++++++++++++++++++++++++++++++
ExplorerPatcher/StartMenu.h | 9 +++
ExplorerPatcher/dllmain.c | 9 +++
3 files changed, 139 insertions(+)
diff --git a/ExplorerPatcher/StartMenu.c b/ExplorerPatcher/StartMenu.c
index ab5461e..b6bb221 100644
--- a/ExplorerPatcher/StartMenu.c
+++ b/ExplorerPatcher/StartMenu.c
@@ -190,3 +190,124 @@ DWORD OpenStartAtLogonThread(OpenStartAtLogonThreadParams* unused) printf("Ended \"Open Start at Logon\" thread.\n"); } + +DWORD WINAPI HookStartMenu(HookStartMenuParams* params) +{ + printf("Started \"Hook Start Menu\" thread.\n"); + + TCHAR wszKnownPath[MAX_PATH]; + GetWindowsDirectoryW(wszKnownPath, MAX_PATH); + wcscat_s(wszKnownPath, MAX_PATH, L"\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"); + + while (TRUE) + { + HANDLE hProcess, hSnapshot; + PROCESSENTRY32 pe32; + while (TRUE) + { + hProcess = NULL; + hSnapshot = NULL; + ZeroMemory(&pe32, sizeof(PROCESSENTRY32)); + pe32.dwSize = sizeof(PROCESSENTRY32); + hSnapshot = CreateToolhelp32Snapshot( + TH32CS_SNAPPROCESS, + 0 + ); + if (Process32First(hSnapshot, &pe32) == TRUE) + { + do + { + if (!wcscmp(pe32.szExeFile, TEXT("StartMenuExperienceHost.exe"))) + { + hProcess = OpenProcess( + PROCESS_QUERY_LIMITED_INFORMATION | + PROCESS_VM_OPERATION | + PROCESS_VM_READ | + PROCESS_VM_WRITE | + PROCESS_CREATE_THREAD | + SYNCHRONIZE, + FALSE, + pe32.th32ProcessID + ); + if (!hProcess) + { + printf("Unable to open handle to StartMenuExperienceHost.exe.\n"); + Sleep(params->dwTimeout); + } + TCHAR wszProcessPath[MAX_PATH]; + DWORD dwLength = MAX_PATH; + QueryFullProcessImageNameW( + hProcess, + 0, + wszProcessPath, + &dwLength + ); + if (!_wcsicmp(wszProcessPath, wszKnownPath)) + { + break; + } + else + { + CloseHandle(hProcess); + hProcess = NULL; + } + } + } while (Process32Next(hSnapshot, &pe32) == TRUE); + } + CloseHandle(hSnapshot); + if (hProcess) + { + break; + } + else + { + Sleep(params->dwTimeout); + } + } + LPVOID lpRemotePath = VirtualAllocEx( + hProcess, + NULL, + MAX_PATH, + MEM_COMMIT, + PAGE_READWRITE + ); + if (!lpRemotePath) + { + printf("Unable to allocate path memory.\n"); + Sleep(1000); + continue; + } + if (!WriteProcessMemory( + hProcess, + lpRemotePath, + (void*)params->wszModulePath, + MAX_PATH, + NULL + )) + { + 
printf("Unable to write path.\n"); + Sleep(params->dwTimeout); + continue; + } + HANDLE hThread = CreateRemoteThread( + hProcess, + NULL, + 0, + LoadLibraryW, + lpRemotePath, + 0, + NULL + ); + if (!hThread) + { + printf("Unable to inject DLL.\n"); + Sleep(params->dwTimeout); + continue; + } + WaitForSingleObject( + hProcess, + INFINITE + ); + CloseHandle(hProcess); + } +} \ No newline at end of file diff --git a/ExplorerPatcher/StartMenu.h b/ExplorerPatcher/StartMenu.h index f4f6ccb..ec6a105 100644 --- a/ExplorerPatcher/StartMenu.h +++ b/ExplorerPatcher/StartMenu.h @@ -5,6 +5,7 @@ #include #include #pragma comment(lib, "Shlwapi.lib") +#include DEFINE_GUID(CLSID_ImmersiveShell, 0xc2f03a33, @@ -174,4 +175,12 @@ DWORD OpenStartOnCurentMonitorThread(OpenStartOnCurentMonitorThreadParams* unuse typedef DWORD OpenStartAtLogonThreadParams; DWORD OpenStartAtLogonThread(OpenStartAtLogonThreadParams* unused); + +typedef struct _HookStartMenuParams +{ + HMODULE hModule; + DWORD dwTimeout; + wchar_t wszModulePath[MAX_PATH]; +} HookStartMenuParams; +DWORD WINAPI HookStartMenu(HookStartMenuParams* params); #endif diff --git a/ExplorerPatcher/dllmain.c b/ExplorerPatcher/dllmain.c index 9fd35d1..9410201 100644 --- a/ExplorerPatcher/dllmain.c +++ b/ExplorerPatcher/dllmain.c @@ -1575,6 +1575,15 @@ __declspec(dllexport) DWORD WINAPI main( } + + HookStartMenuParams* params = calloc(1, sizeof(HookStartMenuParams)); + params->dwTimeout = 1000; + params->hModule = hModule; + GetModuleFileNameW(hModule, params->wszModulePath, MAX_PATH); + CreateThread(0, 0, HookStartMenu, params, 0, 0); + + + // This notifies applications when the taskbar has recomputed its layout if (SUCCEEDED(TaskbarCenter_Initialize(hExplorer))) {
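Review bot: In `HookStartMenu` (StartMenu.c), a failed `OpenProcess` only logs and sleeps, then falls through to `QueryFullProcessImageNameW` with a NULL handle, so `_wcsicmp` compares an uninitialized `wszProcessPath` against `wszKnownPath`. The failure branch should `continue`, and the query's return value should gate the comparison. Separately, `VirtualAllocEx` and `WriteProcessMemory` are given `MAX_PATH` as a byte count while `wszModulePath` is `wchar_t[MAX_PATH]`, so only half of the buffer is copied and a longer module path would reach `LoadLibraryW` truncated, possibly resolving to a file other than the intended one; `sizeof(params->wszModulePath)` is the size to pass. The `continue` paths after a failed allocation, write or `CreateRemoteThread` also skip `CloseHandle(hProcess)`, and `hThread` is never closed, so each retry leaks handles in the host process.

```c
if (!hProcess)
{
    printf("Unable to open handle to StartMenuExperienceHost.exe.\n");
    continue; // next snapshot entry; the outer loop sleeps before re-scanning
}
TCHAR wszProcessPath[MAX_PATH] = { 0 };
DWORD dwLength = MAX_PATH;
if (QueryFullProcessImageNameW(hProcess, 0, wszProcessPath, &dwLength) &&
    !_wcsicmp(wszProcessPath, wszKnownPath))
{
    break;
}
CloseHandle(hProcess);
hProcess = NULL;
// … unchanged: rest of the snapshot loop …
LPVOID lpRemotePath = VirtualAllocEx(
    hProcess,
    NULL,
    sizeof(params->wszModulePath), // bytes, not characters
    MEM_COMMIT,
    PAGE_READWRITE
);
// … unchanged: allocation failure handling …
if (!WriteProcessMemory(
    hProcess,
    lpRemotePath,
    (void*)params->wszModulePath,
    sizeof(params->wszModulePath),
    NULL
))
```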
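Review bot: The prototype added in StartMenu.h, `DWORD WINAPI HookStartMenu(HookStartMenuParams* params)`, does not match the `LPTHREAD_START_ROUTINE` shape (an `LPVOID` parameter) that `CreateThread` expects in the dllmain.c hunk. Declaring it as `DWORD WINAPI HookStartMenu(LPVOID lpParameter)` and converting inside the function avoids calling through an incompatible pointer type. The struct is also undocumented; a comment such as `// dwTimeout: retry delay in ms; wszModulePath: DLL path copied into the target process; allocated by the caller` would record the contract. `hModule` is stored but not read anywhere in the `HookStartMenu` body shown in this patch, so it may be removable.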
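Review bot: In the dllmain.c hunk, the `calloc` result is dereferenced without a NULL check, and the return values of `GetModuleFileNameW` and `CreateThread` are ignored. A return of 0 or `MAX_PATH` from `GetModuleFileNameW` means the path is missing or truncated, and since this path is what the hook thread later hands to `LoadLibraryW` in another process, the thread should not be started in that case. The thread handle returned by `CreateThread` is never closed, and `params` is leaked if thread creation fails. The enclosing `main` function starts and ends outside the hunk.

```c
HookStartMenuParams* params = calloc(1, sizeof(HookStartMenuParams));
if (params)
{
    HANDLE hHookThread = NULL;
    params->dwTimeout = 1000;
    params->hModule = hModule;
    DWORD cchPath = GetModuleFileNameW(hModule, params->wszModulePath, MAX_PATH);
    if (cchPath != 0 && cchPath < MAX_PATH) // 0 = failure, MAX_PATH = truncated
    {
        hHookThread = CreateThread(0, 0, HookStartMenu, params, 0, 0);
    }
    if (hHookThread)
    {
        CloseHandle(hHookThread); // thread keeps running and now owns params
    }
    else
    {
        free(params);
    }
}
// … unchanged: TaskbarCenter_Initialize block …
```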