OSDN Git Service

Change UI to enter a new master password.
[ffftp/ffftp.git] / protectprocess.c
1 // protectprocess.c
2 // Copyright (C) 2011 Suguru Kawamoto
3 // \83v\83\8d\83Z\83X\82Ì\95Û\8cì
4
5 // \8e\9f\82Ì\92\86\82©\82ç1\8cÂ\82Ì\82Ý\97L\8cø\82É\82·\82é
6 // \83t\83b\83N\90æ\82Ì\8aÖ\90\94\82Ì\83R\81[\83h\82ð\8f\91\82«\8a·\82¦\82é
7 // \91S\82Ä\82Ì\8cÄ\82Ñ\8fo\82µ\82ð\83t\83b\83N\89Â\94\\82¾\82ª\8c´\97\9d\93I\82É\93ñ\8fd\8cÄ\82Ñ\8fo\82µ\82É\91Î\89\9e\82Å\82«\82È\82¢
8 #define USE_CODE_HOOK
9 // \83t\83b\83N\90æ\82Ì\8aÖ\90\94\82Ì\83C\83\93\83|\81[\83g\83A\83h\83\8c\83X\83e\81[\83u\83\8b\82ð\8f\91\82«\8a·\82¦\82é
10 // \93ñ\8fd\8cÄ\82Ñ\8fo\82µ\82ª\89Â\94\\82¾\82ª\8cÄ\82Ñ\8fo\82µ\95û\96@\82É\82æ\82Á\82Ä\82Í\83t\83b\83N\82ð\89ñ\94ð\82³\82ê\82é
11 //#define USE_IAT_HOOK
12
13 // \83t\83b\83N\91Î\8fÛ\82Ì\8aÖ\90\94\96¼ %s
14 // \83t\83b\83N\91Î\8fÛ\82Ì\8c^ _%s
15 // \83t\83b\83N\91Î\8fÛ\82Ì\83|\83C\83\93\83^ p_%s
16 // \83t\83b\83N\97p\82Ì\8aÖ\90\94\96¼ h_%s
17 // \83t\83b\83N\91Î\8fÛ\82Ì\83R\81[\83h\82Ì\83o\83b\83N\83A\83b\83v c_%s
18
19 #include <tchar.h>
20 #include <windows.h>
21 #include <ntsecapi.h>
22 #include <wincrypt.h>
23 #include <wintrust.h>
24 #include <softpub.h>
25 #include <aclapi.h>
26 #include <sfc.h>
27 #include <tlhelp32.h>
28 #include <imagehlp.h>
29 #ifdef USE_IAT_HOOK
30 #include <dbghelp.h>
31 #endif
32
33 #define DO_NOT_REPLACE
34 #include "protectprocess.h"
35 #include "mbswrapper.h"
36
37 #ifdef USE_IAT_HOOK
38 #pragma comment(lib, "dbghelp.lib")
39 #endif
40
41 #ifdef USE_CODE_HOOK
42 #if defined(_X86_)
43 #define HOOK_JUMP_CODE_LENGTH 5
44 #elif defined(_AMD64_)
45 #define HOOK_JUMP_CODE_LENGTH 14
46 #endif
47 #endif
48
49 BOOL LockThreadLock();
50 BOOL UnlockThreadLock();
51 #ifdef USE_CODE_HOOK
52 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore);
53 #endif
54 #ifdef USE_IAT_HOOK
55 BOOL HookFunctionInIAT(void* pOriginal, void* pNew);
56 #endif
57 HANDLE LockExistingFile(LPCWSTR Filename);
58 BOOL FindTrustedModuleSHA1Hash(void* pHash);
59 BOOL VerifyFileSignature(LPCWSTR Filename);
60 BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename);
61 BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash);
62 BOOL IsModuleTrusted(LPCWSTR Filename);
63
64 // \95Ï\90\94\82Ì\90é\8c¾
65 #ifdef USE_CODE_HOOK
66 #define HOOK_FUNCTION_VAR(name) _##name p_##name;BYTE c_##name[HOOK_JUMP_CODE_LENGTH * 2];
67 #endif
68 #ifdef USE_IAT_HOOK
69 #define HOOK_FUNCTION_VAR(name) _##name p_##name;
70 #endif
71 // \8aÖ\90\94\83|\83C\83\93\83^\82ð\8eæ\93¾
72 #define GET_FUNCTION(h, name) p_##name = (_##name)GetProcAddress(h, #name)
73 // \83t\83b\83N\91Î\8fÛ\82Ì\83R\81[\83h\82ð\92u\8a·\82µ\82Ä\83t\83b\83N\82ð\8aJ\8en
74 #define SET_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, FALSE)
75 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\91O\82É\91Î\8fÛ\82Ì\83R\81[\83h\82ð\95\9c\8c³
76 #define START_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, TRUE)
77 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82µ\82½\8cã\82É\91Î\8fÛ\82Ì\83R\81[\83h\82ð\92u\8a·
78 #define END_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, NULL, FALSE)
79
80 HOOK_FUNCTION_VAR(LoadLibraryA)
81 HOOK_FUNCTION_VAR(LoadLibraryW)
82 HOOK_FUNCTION_VAR(LoadLibraryExA)
83 HOOK_FUNCTION_VAR(LoadLibraryExW)
84
85 typedef NTSTATUS (NTAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
86 typedef NTSTATUS (NTAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
87 typedef PIMAGE_NT_HEADERS (NTAPI* _RtlImageNtHeader)(PVOID);
88 typedef BOOL (WINAPI* _CryptCATAdminCalcHashFromFileHandle)(HANDLE, DWORD*, BYTE*, DWORD);
89
90 _LdrLoadDll p_LdrLoadDll;
91 _LdrGetDllHandle p_LdrGetDllHandle;
92 _RtlImageNtHeader p_RtlImageNtHeader;
93 _CryptCATAdminCalcHashFromFileHandle p_CryptCATAdminCalcHashFromFileHandle;
94
95 #define MAX_LOCKED_THREAD 16
96 #define MAX_TRUSTED_FILENAME_TABLE 16
97 #define MAX_TRUSTED_MD5_HASH_TABLE 16
98
99 DWORD g_ProcessProtectionLevel;
100 DWORD g_LockedThread[MAX_LOCKED_THREAD];
101 WCHAR* g_pTrustedFilenameTable[MAX_TRUSTED_FILENAME_TABLE];
102 BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][20];
103
104 // \88È\89º\83t\83b\83N\8aÖ\90\94
105 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\8fê\8d\87\82Í\91O\8cã\82ÅSTART_HOOK_FUNCTION\82ÆEND_HOOK_FUNCTION\82ð\8eÀ\8ds\82·\82é\95K\97v\82ª\82 \82é
106
107 HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName)
108 {
109         HMODULE r = NULL;
110         wchar_t* pw0 = NULL;
111         if(pw0 = DuplicateAtoW(lpLibFileName, -1))
112                 r = LoadLibraryExW(pw0, NULL, 0);
113         FreeDuplicatedString(pw0);
114         return r;
115 }
116
117 HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName)
118 {
119         HMODULE r = NULL;
120         r = LoadLibraryExW(lpLibFileName, NULL, 0);
121         return r;
122 }
123
124 HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
125 {
126         HMODULE r = NULL;
127         wchar_t* pw0 = NULL;
128         if(pw0 = DuplicateAtoW(lpLibFileName, -1))
129                 r = LoadLibraryExW(pw0, hFile, dwFlags);
130         FreeDuplicatedString(pw0);
131         return r;
132 }
133
134 HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
135 {
136         HMODULE r = NULL;
137         BOOL bTrusted;
138         wchar_t* pw0;
139         HANDLE hLock;
140         HMODULE hModule;
141         DWORD Length;
142         bTrusted = FALSE;
143         pw0 = NULL;
144         hLock = NULL;
145 //      if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))
146         if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040))
147                 bTrusted = TRUE;
148         if(!bTrusted)
149         {
150                 if(hModule = System_LoadLibrary(lpLibFileName, NULL, DONT_RESOLVE_DLL_REFERENCES))
151                 {
152                         Length = MAX_PATH;
153                         if(pw0 = AllocateStringW(Length))
154                         {
155                                 if(GetModuleFileNameW(hModule, pw0, Length) > 0)
156                                 {
157                                         while(pw0)
158                                         {
159                                                 if(GetModuleFileNameW(hModule, pw0, Length) + 1 <= Length)
160                                                 {
161                                                         lpLibFileName = pw0;
162                                                         break;
163                                                 }
164                                                 Length = Length * 2;
165                                                 FreeDuplicatedString(pw0);
166                                                 pw0 = AllocateStringW(Length);
167                                         }
168                                 }
169                         }
170                         hLock = LockExistingFile(lpLibFileName);
171                         FreeLibrary(hModule);
172                 }
173                 if((g_ProcessProtectionLevel & PROCESS_PROTECTION_LOADED) && GetModuleHandleW(lpLibFileName))
174                         bTrusted = TRUE;
175         }
176         if(!bTrusted)
177         {
178                 if(hLock)
179                 {
180                         if(IsModuleTrusted(lpLibFileName))
181                                 bTrusted = TRUE;
182                 }
183         }
184         if(bTrusted)
185                 r = System_LoadLibrary(lpLibFileName, hFile, dwFlags);
186         FreeDuplicatedString(pw0);
187         if(hLock)
188                 CloseHandle(hLock);
189         return r;
190 }
191
192 // \88È\89º\83w\83\8b\83p\81[\8aÖ\90\94
193
194 BOOL LockThreadLock()
195 {
196         BOOL bResult;
197         DWORD ThreadId;
198         DWORD i;
199         bResult = FALSE;
200         ThreadId = GetCurrentThreadId();
201         i = 0;
202         while(i < MAX_LOCKED_THREAD)
203         {
204                 if(g_LockedThread[i] == ThreadId)
205                         break;
206                 i++;
207         }
208         if(i >= MAX_LOCKED_THREAD)
209         {
210                 i = 0;
211                 while(i < MAX_LOCKED_THREAD)
212                 {
213                         if(g_LockedThread[i] == 0)
214                         {
215                                 g_LockedThread[i] = ThreadId;
216                                 bResult = TRUE;
217                                 break;
218                         }
219                         i++;
220                 }
221         }
222         return bResult;
223 }
224
225 BOOL UnlockThreadLock()
226 {
227         BOOL bResult;
228         DWORD ThreadId;
229         DWORD i;
230         bResult = FALSE;
231         ThreadId = GetCurrentThreadId();
232         i = 0;
233         while(i < MAX_LOCKED_THREAD)
234         {
235                 if(g_LockedThread[i] == ThreadId)
236                 {
237                         g_LockedThread[i] = 0;
238                         bResult = TRUE;
239                         break;
240                 }
241                 i++;
242         }
243         return bResult;
244 }
245
246 #ifdef USE_CODE_HOOK
247 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore)
248 {
249         BOOL bResult;
250         DWORD Protect;
251 #if defined(_X86_)
252         BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xe9, 0x00, 0x00, 0x00, 0x00};
253         size_t Relative;
254         Relative = (size_t)pNew - (size_t)pOriginal - HOOK_JUMP_CODE_LENGTH;
255         memcpy(&JumpCode[1], &Relative, 4);
256         bResult = FALSE;
257         if(bRestore)
258         {
259                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
260                 {
261                         memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
262                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
263                         bResult = TRUE;
264                 }
265         }
266         else
267         {
268                 if(pBackupCode)
269                         memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
270                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
271                 {
272                         memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
273                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
274                         bResult = TRUE;
275                 }
276         }
277 #elif defined(_AMD64_)
278         BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xff, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
279         size_t Absolute;
280         Absolute = (size_t)pOriginal;
281         memcpy(&JumpCode[6], &Absolute, 8);
282         bResult = FALSE;
283         if(bRestore)
284         {
285                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
286                 {
287                         memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
288                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
289                         bResult = TRUE;
290                 }
291         }
292         else
293         {
294                 if(pBackupCode)
295                         memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
296                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
297                 {
298                         memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
299                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
300                         bResult = TRUE;
301                 }
302         }
303 #endif
304         return bResult;
305 }
306 #endif
307
308 #ifdef USE_IAT_HOOK
309 BOOL HookFunctionInIAT(void* pOriginal, void* pNew)
310 {
311         BOOL bResult;
312         HANDLE hSnapshot;
313         MODULEENTRY32 me;
314         BOOL bFound;
315         IMAGE_IMPORT_DESCRIPTOR* piid;
316         ULONG Size;
317         IMAGE_THUNK_DATA* pitd;
318         DWORD Protect;
319         bResult = FALSE;
320         if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
321         {
322                 me.dwSize = sizeof(MODULEENTRY32);
323                 if(Module32First(hSnapshot, &me))
324                 {
325                         bFound = FALSE;
326                         do
327                         {
328                                 if(piid = (IMAGE_IMPORT_DESCRIPTOR*)ImageDirectoryEntryToData(me.hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size))
329                                 {
330                                         while(!bFound && piid->Name != 0)
331                                         {
332                                                 pitd = (IMAGE_THUNK_DATA*)((BYTE*)me.hModule + piid->FirstThunk);
333                                                 while(!bFound && pitd->u1.Function != 0)
334                                                 {
335                                                         if((void*)pitd->u1.Function == pOriginal)
336                                                         {
337                                                                 bFound = TRUE;
338                                                                 if(VirtualProtect(&pitd->u1.Function, sizeof(void*), PAGE_EXECUTE_READWRITE, &Protect))
339                                                                 {
340                                                                         memcpy(&pitd->u1.Function, &pNew, sizeof(void*));
341                                                                         VirtualProtect(&pitd->u1.Function, sizeof(void*), Protect, &Protect);
342                                                                         bResult = TRUE;
343                                                                 }
344                                                         }
345                                                         pitd++;
346                                                 }
347                                                 piid++;
348                                         }
349                                 }
350                         }
351                         while(!bFound && Module32Next(hSnapshot, &me));
352                 }
353                 CloseHandle(hSnapshot);
354         }
355         return bResult;
356 }
357 #endif
358
359 // \83t\83@\83C\83\8b\82ð\95Ï\8dX\95s\94\\82É\90Ý\92è
360 HANDLE LockExistingFile(LPCWSTR Filename)
361 {
362         HANDLE hResult;
363         hResult = NULL;
364         if((hResult = CreateFileW(Filename, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL)) == INVALID_HANDLE_VALUE)
365                 hResult = NULL;
366         return hResult;
367 }
368
369 // DLL\82Ì\83n\83b\83V\83\85\82ð\8c\9f\8dõ
370 BOOL FindTrustedModuleSHA1Hash(void* pHash)
371 {
372         BOOL bResult;
373         int i;
374         bResult = FALSE;
375         i = 0;
376         while(i < MAX_TRUSTED_MD5_HASH_TABLE)
377         {
378                 if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
379                 {
380                         bResult = TRUE;
381                         break;
382                 }
383                 i++;
384         }
385         return bResult;
386 }
387
388 // \83t\83@\83C\83\8b\82Ì\8f\90\96¼\82ð\8am\94F
389 BOOL VerifyFileSignature(LPCWSTR Filename)
390 {
391 //      BOOL bResult;
392 //      GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
393 //      WINTRUST_FILE_INFO wfi;
394 //      WINTRUST_DATA wd;
395 //      LONG Error;
396 //      bResult = FALSE;
397 //      ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO));
398 //      wfi.cbStruct = sizeof(WINTRUST_FILE_INFO);
399 //      wfi.pcwszFilePath = Filename;
400 //      ZeroMemory(&wd, sizeof(WINTRUST_DATA));
401 //      wd.cbStruct = sizeof(WINTRUST_DATA);
402 //      wd.dwUIChoice = WTD_UI_NONE;
403 //      wd.dwUnionChoice = WTD_CHOICE_FILE;
404 //      wd.pFile = &wfi;
405 //      Error = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd);
406 //      if(Error == ERROR_SUCCESS)
407 //              bResult = TRUE;
408 //      else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED) && Error == CERT_E_EXPIRED)
409 //              bResult = TRUE;
410 //      else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED) && (Error == CERT_E_UNTRUSTEDROOT || Error == CERT_E_UNTRUSTEDCA))
411 //              bResult = TRUE;
412 //      return bResult;
413         BOOL bResult;
414         HCERTSTORE hStore;
415         PCCERT_CONTEXT pcc;
416         CERT_CHAIN_PARA ccp;
417         CERT_CHAIN_CONTEXT* pccc;
418         CERT_CHAIN_POLICY_PARA ccpp;
419         CERT_CHAIN_POLICY_STATUS ccps;
420         bResult = FALSE;
421         if(CryptQueryObject(CERT_QUERY_OBJECT_FILE, Filename, CERT_QUERY_CONTENT_FLAG_ALL, CERT_QUERY_FORMAT_FLAG_ALL, 0, NULL, NULL, NULL, &hStore, NULL, NULL))
422         {
423                 pcc = NULL;
424                 while(!bResult && (pcc = CertEnumCertificatesInStore(hStore, pcc)))
425                 {
426                         ZeroMemory(&ccp, sizeof(CERT_CHAIN_PARA));
427                         ccp.cbSize = sizeof(CERT_CHAIN_PARA);
428                         if(CertGetCertificateChain(NULL, pcc, NULL, NULL, &ccp, 0, NULL, &pccc))
429                         {
430                                 ZeroMemory(&ccpp, sizeof(CERT_CHAIN_POLICY_PARA));
431                                 ccpp.cbSize = sizeof(CERT_CHAIN_POLICY_PARA);
432                                 if(g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED)
433                                         ccpp.dwFlags |= CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
434                                 else if(g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED)
435                                         ccpp.dwFlags |= CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
436                                 ZeroMemory(&ccps, sizeof(CERT_CHAIN_POLICY_STATUS));
437                                 ccps.cbSize = sizeof(CERT_CHAIN_POLICY_STATUS);
438                                 if(CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_AUTHENTICODE, pccc, &ccpp, &ccps))
439                                 {
440                                         if(ccps.dwError == ERROR_SUCCESS)
441                                         {
442                                                 bResult = TRUE;
443                                                 break;
444                                         }
445                                 }
446                                 CertFreeCertificateChain(pccc);
447                         }
448                 }
449                 while(pcc = CertEnumCertificatesInStore(hStore, pcc))
450                 {
451                 }
452                 CertCloseStore(hStore, 0);
453         }
454         return bResult;
455 }
456
457 // \83t\83@\83C\83\8b\82Ì\8f\90\96¼\82ð\83J\83^\83\8d\83O\83t\83@\83C\83\8b\82Å\8am\94F
458 BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename)
459 {
460         BOOL bResult;
461         GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
462         WINTRUST_CATALOG_INFO wci;
463         WINTRUST_DATA wd;
464         bResult = FALSE;
465         if(VerifyFileSignature(Catalog))
466         {
467                 ZeroMemory(&wci, sizeof(WINTRUST_CATALOG_INFO));
468                 wci.cbStruct = sizeof(WINTRUST_CATALOG_INFO);
469                 wci.pcwszCatalogFilePath = Catalog;
470                 wci.pcwszMemberFilePath = Filename;
471                 if((wci.hMemberFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
472                 {
473                         p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, NULL, 0);
474                         if(wci.pbCalculatedFileHash = (BYTE*)malloc(wci.cbCalculatedFileHash))
475                         {
476                                 if(p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, wci.pbCalculatedFileHash, 0))
477                                 {
478                                         ZeroMemory(&wd, sizeof(WINTRUST_DATA));
479                                         wd.cbStruct = sizeof(WINTRUST_DATA);
480                                         wd.dwUIChoice = WTD_UI_NONE;
481                                         wd.dwUnionChoice = WTD_CHOICE_CATALOG;
482                                         wd.pCatalog = &wci;
483                                         if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
484                                                 bResult = TRUE;
485                                 }
486                                 free(wci.pbCalculatedFileHash);
487                         }
488                         CloseHandle(wci.hMemberFile);
489                 }
490         }
491         return bResult;
492 }
493
494 BOOL WINAPI GetSHA1HashOfModule_Function(DIGEST_HANDLE refdata, PBYTE pData, DWORD dwLength)
495 {
496         return CryptHashData(*(HCRYPTHASH*)refdata, pData, dwLength, 0);
497 }
498
499 // \83\82\83W\83\85\81[\83\8b\82ÌSHA1\83n\83b\83V\83\85\82ð\8eæ\93¾
500 // \83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\82Ìfile\97v\91f\82Ìhash\91®\90«\82Í\8eÀ\8ds\89Â\94\\83t\83@\83C\83\8b\82Ì\8fê\8d\87\82ÉImageGetDigestStream\82Å\8eZ\8fo\82³\82ê\82é
501 BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash)
502 {
503         BOOL bResult;
504         HCRYPTPROV hProv;
505         HCRYPTHASH hHash;
506         HANDLE hFile;
507         DWORD dw;
508         bResult = FALSE;
509         if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
510         {
511                 if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
512                 {
513                         if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
514                         {
515                                 if(ImageGetDigestStream(hFile, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, GetSHA1HashOfModule_Function, (DIGEST_HANDLE)&hHash))
516                                 {
517                                         dw = 20;
518                                         if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
519                                                 bResult = TRUE;
520                                 }
521                                 CloseHandle(hFile);
522                         }
523                         CryptDestroyHash(hHash);
524                 }
525                 CryptReleaseContext(hProv, 0);
526         }
527         return bResult;
528 }
529
530 BOOL IsSxsModuleTrusted_Function(LPCWSTR Catalog, LPCWSTR Manifest, LPCWSTR Module)
531 {
532         BOOL bResult;
533         HANDLE hLock0;
534         HANDLE hLock1;
535         BYTE Hash[20];
536         int i;
537         static char HexTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
538         char HashHex[41];
539         HANDLE hFile;
540         DWORD Size;
541         char* pData;
542         DWORD dw;
543         bResult = FALSE;
544         if(hLock0 = LockExistingFile(Catalog))
545         {
546                 if(hLock1 = LockExistingFile(Manifest))
547                 {
548                         if(VerifyFileSignatureInCatalog(Catalog, Manifest))
549                         {
550                                 if(GetSHA1HashOfModule(Module, &Hash))
551                                 {
552                                         for(i = 0; i < 20; i++)
553                                         {
554                                                 HashHex[i * 2] = HexTable[(Hash[i] >> 4) & 0x0f];
555                                                 HashHex[i * 2 + 1] = HexTable[Hash[i] & 0x0f];
556                                         }
557                                         HashHex[i * 2] = '\0';
558                                         if((hFile = CreateFileW(Manifest, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
559                                         {
560                                                 Size = GetFileSize(hFile, NULL);
561                                                 if(pData = (char*)VirtualAlloc(NULL, Size + 1, MEM_COMMIT, PAGE_READWRITE))
562                                                 {
563                                                         VirtualLock(pData, Size + 1);
564                                                         if(ReadFile(hFile, pData, Size, &dw, NULL))
565                                                         {
566                                                                 pData[dw] = '\0';
567                                                                 if(strstr(pData, HashHex))
568                                                                         bResult = TRUE;
569                                                         }
570                                                         VirtualUnlock(pData, Size + 1);
571                                                         VirtualFree(pData, Size + 1, MEM_DECOMMIT);
572                                                 }
573                                                 CloseHandle(hFile);
574                                         }
575                                 }
576                         }
577                         CloseHandle(hLock1);
578                 }
579                 CloseHandle(hLock0);
580         }
581         return bResult;
582 }
583
584 // \83T\83C\83h\83o\83C\83T\83C\83hDLL\82ð\8am\94F
585 // \83p\83X\82Í"%SystemRoot%\WinSxS"\88È\89º\82ð\91z\92è
586 // \88È\89º\82Ì\83t\83@\83C\83\8b\82ª\91\8dÝ\82·\82é\82à\82Ì\82Æ\82·\82é
587 // "\xxx\yyy.dll"\81A"\manifests\xxx.cat"\81A"\manifests\xxx.manifest"\82Ì\83Z\83b\83g\81iXP\82Ì\91S\82Ä\82ÌDLL\81AVista\88È\8d~\82Ì\88ê\95\94\82ÌDLL\81j
588 // "\xxx\yyy.dll"\81A"\catalogs\zzz.cat"\81A"\manifests\xxx.manifest"\82Ì\83Z\83b\83g\81iVista\88È\8d~\82Ì\82Ù\82Æ\82ñ\82Ç\82ÌDLL\81j
589 // \8f\90\96¼\82³\82ê\82½\83J\83^\83\8d\83O\83t\83@\83C\83\8b\82ð\97p\82¢\82Ä\83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\82ª\89üâ\82\82³\82ê\82Ä\82¢\82È\82¢\82±\82Æ\82ð\8am\94F
590 // \83n\83b\83V\83\85\92l\82Í \83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\82Ìfile\97v\91f\82Ìhash\91®\90«\82É\8bL\8fq\82³\82ê\82Ä\82¢\82é\82à\82Ì\82ð\97p\82¢\82é
591 // \83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\93à\82ÉSHA1\83n\83b\83V\83\85\92l\82Ì16\90i\90\94\95\\8bL\82ð\92¼\90Ú\8c\9f\8dõ\82µ\82Ä\82¢\82é\82ª\8am\97¦\93I\82É\96â\91è\82È\82µ
592 BOOL IsSxsModuleTrusted(LPCWSTR Filename)
593 {
594         BOOL bResult;
595         wchar_t* pw0;
596         wchar_t* pw1;
597         wchar_t* pw2;
598         wchar_t* pw3;
599         wchar_t* pw4;
600         wchar_t* pw5;
601         wchar_t* p;
602         HANDLE hFind;
603         WIN32_FIND_DATAW wfd;
604         bResult = FALSE;
605         if(pw0 = AllocateStringW(wcslen(Filename) + 1))
606         {
607                 wcscpy(pw0, Filename);
608                 if(p = wcsrchr(pw0, L'\\'))
609                 {
610                         wcscpy(p, L"");
611                         if(p = wcsrchr(pw0, L'\\'))
612                         {
613                                 p++;
614                                 if(pw1 = AllocateStringW(wcslen(p) + 1))
615                                 {
616                                         wcscpy(pw1, p);
617                                         wcscpy(p, L"");
618                                         if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".cat") + 1))
619                                         {
620                                                 wcscpy(pw2, pw0);
621                                                 wcscat(pw2, L"manifests\\");
622                                                 wcscat(pw2, pw1);
623                                                 if(pw3 = AllocateStringW(wcslen(pw2) + wcslen(L".manifest") + 1))
624                                                 {
625                                                         wcscpy(pw3, pw2);
626                                                         wcscat(pw3, L".manifest");
627                                                         wcscat(pw2, L".cat");
628                                                         if(IsSxsModuleTrusted_Function(pw2, pw3, Filename))
629                                                                 bResult = TRUE;
630                                                         FreeDuplicatedString(pw3);
631                                                 }
632                                                 FreeDuplicatedString(pw2);
633                                         }
634                                         if(!bResult)
635                                         {
636                                                 if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"catalogs\\") + 1))
637                                                 {
638                                                         if(pw3 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".manifest") + 1))
639                                                         {
640                                                                 wcscpy(pw2, pw0);
641                                                                 wcscat(pw2, L"catalogs\\");
642                                                                 wcscpy(pw3, pw0);
643                                                                 wcscat(pw3, L"manifests\\");
644                                                                 wcscat(pw3, pw1);
645                                                                 wcscat(pw3, L".manifest");
646                                                                 if(pw4 = AllocateStringW(wcslen(pw2) + wcslen(L"*.cat") + 1))
647                                                                 {
648                                                                         wcscpy(pw4, pw2);
649                                                                         wcscat(pw4, L"*.cat");
650                                                                         if((hFind = FindFirstFileW(pw4, &wfd)) != INVALID_HANDLE_VALUE)
651                                                                         {
652                                                                                 do
653                                                                                 {
654                                                                                         if(pw5 = AllocateStringW(wcslen(pw2) + wcslen(wfd.cFileName) + 1))
655                                                                                         {
656                                                                                                 wcscpy(pw5, pw2);
657                                                                                                 wcscat(pw5, wfd.cFileName);
658                                                                                                 if(IsSxsModuleTrusted_Function(pw5, pw3, Filename))
659                                                                                                         bResult = TRUE;
660                                                                                                 FreeDuplicatedString(pw5);
661                                                                                         }
662                                                                                 }
663                                                                                 while(!bResult && FindNextFileW(hFind, &wfd));
664                                                                                 FindClose(hFind);
665                                                                         }
666                                                                         FreeDuplicatedString(pw4);
667                                                                 }
668                                                                 FreeDuplicatedString(pw3);
669                                                         }
670                                                         FreeDuplicatedString(pw2);
671                                                 }
672                                         }
673                                         FreeDuplicatedString(pw1);
674                                 }
675                         }
676                 }
677                 FreeDuplicatedString(pw0);
678         }
679         return bResult;
680 }
681
682 // DLL\82ð\8am\94F
683 BOOL IsModuleTrusted(LPCWSTR Filename)
684 {
685         BOOL bResult;
686         BYTE Hash[20];
687         bResult = FALSE;
688         if(LockThreadLock())
689         {
690                 if(GetSHA1HashOfFile(Filename, &Hash))
691                 {
692                         if(FindTrustedModuleSHA1Hash(&Hash))
693                                 bResult = TRUE;
694                 }
695                 if(!bResult)
696                 {
697                         if((g_ProcessProtectionLevel & PROCESS_PROTECTION_BUILTIN) && VerifyFileSignature(Filename))
698                                 bResult = TRUE;
699                 }
700                 if(!bResult)
701                 {
702                         if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SIDE_BY_SIDE) && IsSxsModuleTrusted(Filename))
703                                 bResult = TRUE;
704                 }
705                 if(!bResult)
706                 {
707                         if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SYSTEM_FILE) && SfcIsFileProtected(NULL, Filename))
708                                 bResult = TRUE;
709                 }
710                 UnlockThreadLock();
711         }
712         return bResult;
713 }
714
715 // kernel32.dll\82ÌLoadLibraryExW\91\8a\93\96\82Ì\8aÖ\90\94
716 // \83h\83L\83\85\83\81\83\93\83g\82ª\96³\82¢\82½\82ß\8fÚ\8d×\82Í\95s\96¾
717 // \88ê\95\94\82Ì\83E\83B\83\8b\83X\91Î\8dô\83\\83t\83g\81iAvast!\93\99\81j\82ªLdrLoadDll\82ð\83t\83b\83N\82µ\82Ä\82¢\82é\82½\82ßLdrLoadDll\82ð\8f\91\82«\8a·\82¦\82é\82×\82«\82Å\82Í\82È\82¢
718 // \83J\81[\83l\83\8b\83\82\81[\83h\82Ì\83R\81[\83h\82É\91Î\82µ\82Ä\82Í\8cø\89Ê\82È\82µ
719 // SeDebugPrivilege\82ª\8eg\97p\89Â\94\\82È\83\86\81[\83U\81[\82É\91Î\82µ\82Ä\82Í\8cø\89Ê\82È\82µ
720 HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
721 {
722         HMODULE r = NULL;
723         UNICODE_STRING us;
724         HANDLE hDataFile;
725         HANDLE hMapping;
726         DWORD DllFlags;
727         us.Length = sizeof(wchar_t) * wcslen(lpLibFileName);
728         us.MaximumLength = sizeof(wchar_t) * (wcslen(lpLibFileName) + 1);
729         us.Buffer = (PWSTR)lpLibFileName;
730 //      if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))
731         if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040))
732         {
733 //              if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == STATUS_SUCCESS)
734                 if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == 0)
735                 {
736 //                      dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE);
737                         dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040);
738                         dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
739                 }
740                 else
741                 {
742 //                      if(dwFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
743                         if(dwFlags & 0x00000040)
744                                 hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
745                         else
746                                 hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
747                         if(hDataFile != INVALID_HANDLE_VALUE)
748                         {
749                                 if(hMapping = CreateFileMappingW(hDataFile, NULL, PAGE_READONLY, 0, 0, NULL))
750                                 {
751                                         if(r = (HMODULE)MapViewOfFileEx(hMapping, FILE_MAP_READ, 0, 0, 0, NULL))
752                                         {
753                                                 if(p_RtlImageNtHeader(r))
754                                                         r = (HMODULE)((size_t)r | 1);
755                                                 else
756                                                 {
757                                                         UnmapViewOfFile(r);
758                                                         r = NULL;
759                                                 }
760                                         }
761                                         CloseHandle(hMapping);
762                                 }
763                                 CloseHandle(hDataFile);
764                         }
765                         else
766                         {
767 //                              dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE);
768                                 dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040);
769                                 dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
770                         }
771                 }
772         }
773 //      if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)))
774         if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040)))
775         {
776                 DllFlags = 0;
777 //              if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
778                 if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | 0x00000020))
779                         DllFlags |= 0x00000002;
780 //              if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == STATUS_SUCCESS)
781                 if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == 0)
782                 {
783                 }
784                 else
785                         r = NULL;
786         }
787         return r;
788 }
789
790 void SetProcessProtectionLevel(DWORD Level)
791 {
792         g_ProcessProtectionLevel = Level;
793 }
794
795 // \83t\83@\83C\83\8b\82ÌSHA1\83n\83b\83V\83\85\82ð\8eæ\93¾
796 BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash)
797 {
798         BOOL bResult;
799         HCRYPTPROV hProv;
800         HCRYPTHASH hHash;
801         HANDLE hFile;
802         DWORD Size;
803         void* pData;
804         DWORD dw;
805         bResult = FALSE;
806         if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
807         {
808                 if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
809                 {
810                         if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
811                         {
812                                 Size = GetFileSize(hFile, NULL);
813                                 if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))
814                                 {
815                                         VirtualLock(pData, Size);
816                                         if(ReadFile(hFile, pData, Size, &dw, NULL))
817                                         {
818                                                 if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
819                                                 {
820                                                         dw = 20;
821                                                         if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
822                                                                 bResult = TRUE;
823                                                 }
824                                         }
825                                         VirtualUnlock(pData, Size);
826                                         VirtualFree(pData, Size, MEM_DECOMMIT);
827                                 }
828                                 CloseHandle(hFile);
829                         }
830                         CryptDestroyHash(hHash);
831                 }
832                 CryptReleaseContext(hProv, 0);
833         }
834         return bResult;
835 }
836
837 // DLL\82Ì\83n\83b\83V\83\85\82ð\93o\98^
838 BOOL RegisterTrustedModuleSHA1Hash(void* pHash)
839 {
840         BOOL bResult;
841         BYTE NullHash[20] = {0};
842         int i;
843         bResult = FALSE;
844         if(FindTrustedModuleSHA1Hash(pHash))
845                 bResult = TRUE;
846         else
847         {
848                 i = 0;
849                 while(i < MAX_TRUSTED_MD5_HASH_TABLE)
850                 {
851                         if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 20) == 0)
852                         {
853                                 memcpy(&g_TrustedMD5HashTable[i], pHash, 20);
854                                 bResult = TRUE;
855                                 break;
856                         }
857                         i++;
858                 }
859         }
860         return bResult;
861 }
862
863 // DLL\82Ì\83n\83b\83V\83\85\82Ì\93o\98^\82ð\89ð\8f\9c
864 BOOL UnregisterTrustedModuleSHA1Hash(void* pHash)
865 {
866         BOOL bResult;
867         BYTE NullHash[20] = {0};
868         int i;
869         bResult = FALSE;
870         i = 0;
871         while(i < MAX_TRUSTED_MD5_HASH_TABLE)
872         {
873                 if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
874                 {
875                         memcpy(&g_TrustedMD5HashTable[i], &NullHash, 20);
876                         bResult = TRUE;
877                         break;
878                 }
879                 i++;
880         }
881         return bResult;
882 }
883
884 // \90M\97\8a\82Å\82«\82È\82¢DLL\82ð\83A\83\93\83\8d\81[\83h
885 BOOL UnloadUntrustedModule()
886 {
887         BOOL bResult;
888         wchar_t* pw0;
889         HANDLE hSnapshot;
890         MODULEENTRY32 me;
891         DWORD Length;
892         bResult = FALSE;
893         pw0 = NULL;
894         if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
895         {
896                 bResult = TRUE;
897                 me.dwSize = sizeof(MODULEENTRY32);
898                 if(Module32First(hSnapshot, &me))
899                 {
900                         do
901                         {
902                                 Length = MAX_PATH;
903                                 FreeDuplicatedString(pw0);
904                                 if(pw0 = AllocateStringW(Length))
905                                 {
906                                         if(GetModuleFileNameW(me.hModule, pw0, Length) > 0)
907                                         {
908                                                 while(pw0)
909                                                 {
910                                                         if(GetModuleFileNameW(me.hModule, pw0, Length) + 1 <= Length)
911                                                                 break;
912                                                         Length = Length * 2;
913                                                         FreeDuplicatedString(pw0);
914                                                         pw0 = AllocateStringW(Length);
915                                                 }
916                                         }
917                                 }
918                                 if(pw0)
919                                 {
920                                         if(!IsModuleTrusted(pw0))
921                                         {
922                                                 if(me.hModule != GetModuleHandleW(NULL))
923                                                 {
924                                                         while(FreeLibrary(me.hModule))
925                                                         {
926                                                         }
927                                                         if(GetModuleFileNameW(me.hModule, pw0, Length) > 0)
928                                                         {
929                                                                 bResult = FALSE;
930                                                                 break;
931                                                         }
932                                                 }
933                                         }
934                                 }
935                                 else
936                                 {
937                                         bResult = FALSE;
938                                         break;
939                                 }
940                         }
941                         while(Module32Next(hSnapshot, &me));
942                 }
943                 CloseHandle(hSnapshot);
944         }
945         FreeDuplicatedString(pw0);
946         return bResult;
947 }
948
949 // \8aÖ\90\94\83|\83C\83\93\83^\82ð\8eg\97p\89Â\94\\82È\8fó\91Ô\82É\8f\89\8aú\89»
950 BOOL InitializeLoadLibraryHook()
951 {
952         BOOL bResult;
953         HMODULE hModule;
954         bResult = TRUE;
955         if(!(hModule = GetModuleHandleW(L"kernel32.dll")))
956                 bResult = FALSE;
957         if(!(GET_FUNCTION(hModule, LoadLibraryA)))
958                 bResult = FALSE;
959         if(!(GET_FUNCTION(hModule, LoadLibraryW)))
960                 bResult = FALSE;
961         if(!(GET_FUNCTION(hModule, LoadLibraryExA)))
962                 bResult = FALSE;
963         if(!(GET_FUNCTION(hModule, LoadLibraryExW)))
964                 bResult = FALSE;
965         if(!(hModule = GetModuleHandleW(L"ntdll.dll")))
966                 bResult = FALSE;
967         if(!(GET_FUNCTION(hModule, LdrLoadDll)))
968                 bResult = FALSE;
969         if(!(GET_FUNCTION(hModule, LdrGetDllHandle)))
970                 bResult = FALSE;
971         if(!(GET_FUNCTION(hModule, RtlImageNtHeader)))
972                 bResult = FALSE;
973         if(!(hModule = LoadLibraryW(L"wintrust.dll")))
974                 bResult = FALSE;
975         if(!(GET_FUNCTION(hModule, CryptCATAdminCalcHashFromFileHandle)))
976                 bResult = FALSE;
977         return bResult;
978 }
979
980 // SetWindowsHookEx\91Î\8dô
981 // DLL Injection\82³\82ê\82½\8fê\8d\87\82Í\8fã\82Ìh_LoadLibrary\8cn\8aÖ\90\94\82Å\83g\83\89\83b\83v\89Â\94\
982 BOOL EnableLoadLibraryHook(BOOL bEnable)
983 {
984         BOOL bResult;
985         bResult = FALSE;
986         if(bEnable)
987         {
988                 bResult = TRUE;
989 #ifdef USE_CODE_HOOK
990                 if(!SET_HOOK_FUNCTION(LoadLibraryA))
991                         bResult = FALSE;
992                 if(!SET_HOOK_FUNCTION(LoadLibraryW))
993                         bResult = FALSE;
994                 if(!SET_HOOK_FUNCTION(LoadLibraryExA))
995                         bResult = FALSE;
996                 if(!SET_HOOK_FUNCTION(LoadLibraryExW))
997                         bResult = FALSE;
998 #endif
999 #ifdef USE_IAT_HOOK
1000                 if(!HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA))
1001                         bResult = FALSE;
1002                 if(!HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW))
1003                         bResult = FALSE;
1004                 if(!HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA))
1005                         bResult = FALSE;
1006                 if(!HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW))
1007                         bResult = FALSE;
1008 #endif
1009         }
1010         else
1011         {
1012                 bResult = TRUE;
1013 #ifdef USE_CODE_HOOK
1014                 if(!END_HOOK_FUNCTION(LoadLibraryA))
1015                         bResult = FALSE;
1016                 if(!END_HOOK_FUNCTION(LoadLibraryW))
1017                         bResult = FALSE;
1018                 if(!END_HOOK_FUNCTION(LoadLibraryExA))
1019                         bResult = FALSE;
1020                 if(!END_HOOK_FUNCTION(LoadLibraryExW))
1021                         bResult = FALSE;
1022 #endif
1023 #ifdef USE_IAT_HOOK
1024                 if(!HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA))
1025                         bResult = FALSE;
1026                 if(!HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW))
1027                         bResult = FALSE;
1028                 if(!HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA))
1029                         bResult = FALSE;
1030                 if(!HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW))
1031                         bResult = FALSE;
1032 #endif
1033         }
1034         return bResult;
1035 }
1036
1037 // ReadProcessMemory\81AWriteProcessMemory\81ACreateRemoteThread\91Î\8dô
1038 // TerminateProcess\82Ì\82Ý\8b\96\89Â
1039 BOOL RestartProtectedProcess(LPCTSTR Keyword)
1040 {
1041         BOOL bResult;
1042         ACL* pACL;
1043         SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
1044         PSID pSID;
1045         SECURITY_DESCRIPTOR sd;
1046         TCHAR* CommandLine;
1047         SECURITY_ATTRIBUTES sa;
1048         STARTUPINFO si;
1049         PROCESS_INFORMATION pi;
1050         bResult = FALSE;
1051         if(_tcslen(GetCommandLine()) >= _tcslen(Keyword) && _tcscmp(GetCommandLine() + _tcslen(GetCommandLine()) - _tcslen(Keyword), Keyword) == 0)
1052                 return FALSE;
1053         if(pACL = (ACL*)malloc(sizeof(ACL) + 1024))
1054         {
1055                 if(InitializeAcl(pACL, sizeof(ACL) + 1024, ACL_REVISION))
1056                 {
1057                         if(AllocateAndInitializeSid(&sia, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSID))
1058                         {
1059                                 if(AddAccessAllowedAce(pACL, ACL_REVISION, PROCESS_TERMINATE, pSID))
1060                                 {
1061                                         if(InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
1062                                         {
1063                                                 if(SetSecurityDescriptorDacl(&sd, TRUE, pACL, FALSE))
1064                                                 {
1065                                                         if(CommandLine = (TCHAR*)malloc(sizeof(TCHAR) * (_tcslen(GetCommandLine()) + _tcslen(Keyword) + 1)))
1066                                                         {
1067                                                                 _tcscpy(CommandLine, GetCommandLine());
1068                                                                 _tcscat(CommandLine, Keyword);
1069                                                                 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
1070                                                                 sa.lpSecurityDescriptor = &sd;
1071                                                                 sa.bInheritHandle = FALSE;
1072                                                                 GetStartupInfo(&si);
1073                                                                 if(CreateProcess(NULL, CommandLine, &sa, NULL, FALSE, 0, NULL, NULL, &si, &pi))
1074                                                                 {
1075                                                                         CloseHandle(pi.hThread);
1076                                                                         CloseHandle(pi.hProcess);
1077                                                                         bResult = TRUE;
1078                                                                 }
1079                                                                 free(CommandLine);
1080                                                         }
1081                                                 }
1082                                         }
1083                                 }
1084                                 FreeSid(pSID);
1085                         }
1086                 }
1087                 free(pACL);
1088         }
1089         return bResult;
1090 }
1091