OSDN Git Service

Add support for process protection (prevents from loading untrustworthy DLLs with...
[ffftp/ffftp.git] / protectprocess.c
1 // protectprocess.c
2 // Copyright (C) 2011 Suguru Kawamoto
3 // \83v\83\8d\83Z\83X\82Ì\95Û\8cì
4
5 // \8e\9f\82Ì\92\86\82©\82ç1\8cÂ\82Ì\82Ý\97L\8cø\82É\82·\82é
6 // \83t\83b\83N\90æ\82Ì\8aÖ\90\94\82Ì\83R\81[\83h\82ð\8f\91\82«\8a·\82¦\82é
7 // \91S\82Ä\82Ì\8cÄ\82Ñ\8fo\82µ\82ð\83t\83b\83N\89Â\94\\82¾\82ª\8c´\97\9d\93I\82É\93ñ\8fd\8cÄ\82Ñ\8fo\82µ\82É\91Î\89\9e\82Å\82«\82È\82¢
8 #define USE_CODE_HOOK
9 // \83t\83b\83N\90æ\82Ì\8aÖ\90\94\82Ì\83C\83\93\83|\81[\83g\83A\83h\83\8c\83X\83e\81[\83u\83\8b\82ð\8f\91\82«\8a·\82¦\82é
10 // \93ñ\8fd\8cÄ\82Ñ\8fo\82µ\82ª\89Â\94\\82¾\82ª\8cÄ\82Ñ\8fo\82µ\95û\96@\82É\82æ\82Á\82Ä\82Í\83t\83b\83N\82ð\89ñ\94ð\82³\82ê\82é
11 //#define USE_IAT_HOOK
12
13 // \83t\83b\83N\91Î\8fÛ\82Ì\8aÖ\90\94\96¼ %s
14 // \83t\83b\83N\91Î\8fÛ\82Ì\8c^ _%s
15 // \83t\83b\83N\91Î\8fÛ\82Ì\83|\83C\83\93\83^ p_%s
16 // \83t\83b\83N\97p\82Ì\8aÖ\90\94\96¼ h_%s
17 // \83t\83b\83N\91Î\8fÛ\82Ì\83R\81[\83h\82Ì\83o\83b\83N\83A\83b\83v c_%s
18
19 #define _WIN32_WINNT 0x0600
20
21 #include <tchar.h>
22 #include <windows.h>
23 #include <ntsecapi.h>
24 #include <wincrypt.h>
25 #include <wintrust.h>
26 #include <softpub.h>
27 #include <aclapi.h>
28 #include <sfc.h>
29 #ifdef USE_IAT_HOOK
30 #include <tlhelp32.h>
31 #include <dbghelp.h>
32 #endif
33
34 #define DO_NOT_REPLACE
35 #include "protectprocess.h"
36 #include "mbswrapper.h"
37
38 #ifdef USE_IAT_HOOK
39 #pragma comment(lib, "dbghelp.lib")
40 #endif
41
42 #ifdef USE_CODE_HOOK
43 #if defined(_X86_)
44 #define HOOK_JUMP_CODE_LENGTH 5
45 #elif defined(_AMD64_)
46 #define HOOK_JUMP_CODE_LENGTH 14
47 #endif
48 #endif
49
50 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore);
51
52 // \95Ï\90\94\82Ì\90é\8c¾
53 #ifdef USE_CODE_HOOK
54 #define HOOK_FUNCTION_VAR(name) _##name p_##name;BYTE c_##name[HOOK_JUMP_CODE_LENGTH * 2];
55 #endif
56 #ifdef USE_IAT_HOOK
57 #define HOOK_FUNCTION_VAR(name) _##name p_##name;
58 #endif
59 // \8aÖ\90\94\83|\83C\83\93\83^\82ð\8eæ\93¾
60 #define GET_FUNCTION(h, name) p_##name = (_##name)GetProcAddress(h, #name)
61 // \83t\83b\83N\91Î\8fÛ\82Ì\83R\81[\83h\82ð\92u\8a·\82µ\82Ä\83t\83b\83N\82ð\8aJ\8en
62 #define SET_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, FALSE)
63 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\91O\82É\91Î\8fÛ\82Ì\83R\81[\83h\82ð\95\9c\8c³
64 #define START_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, TRUE)
65 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82µ\82½\8cã\82É\91Î\8fÛ\82Ì\83R\81[\83h\82ð\92u\8a·
66 #define END_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, NULL, FALSE)
67
68 HOOK_FUNCTION_VAR(LoadLibraryA)
69 HOOK_FUNCTION_VAR(LoadLibraryW)
70 HOOK_FUNCTION_VAR(LoadLibraryExA)
71 HOOK_FUNCTION_VAR(LoadLibraryExW)
72
73 // \83h\83L\83\85\83\81\83\93\83g\82ª\96³\82¢\82½\82ß\8c´\88ö\82Í\95s\96¾\82¾\82ª\91æ2\88ø\90\94\82Í\83|\83C\83\93\83^\82Å\82È\82¢\82Æ\83G\83\89\81[\82É\82È\82é\8fê\8d\87\82ª\82 \82é
74 //typedef NTSTATUS (WINAPI* _LdrLoadDll)(LPCWSTR, DWORD, UNICODE_STRING*, HMODULE*);
75 typedef NTSTATUS (WINAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
76 // \83h\83L\83\85\83\81\83\93\83g\82ª\96³\82¢\82½\82ß\8c´\88ö\82Í\95s\96¾\82¾\82ª\91æ2\88ø\90\94\82Í\83|\83C\83\93\83^\82Å\82È\82¢\82Æ\83G\83\89\81[\82É\82È\82é\8fê\8d\87\82ª\82 \82é
77 //typedef NTSTATUS (WINAPI* _LdrGetDllHandle)(LPCWSTR, DWORD, UNICODE_STRING*, HMODULE*);
78 typedef NTSTATUS (WINAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
79 typedef NTSTATUS (WINAPI* _LdrAddRefDll)(DWORD, HMODULE);
80
81 _LdrLoadDll p_LdrLoadDll;
82 _LdrGetDllHandle p_LdrGetDllHandle;
83 _LdrAddRefDll p_LdrAddRefDll;
84
85 #define MAX_MD5_HASH_TABLE 16
86
87 BYTE g_MD5HashTable[MAX_MD5_HASH_TABLE][16];
88
89 // \88È\89º\83t\83b\83N\8aÖ\90\94
90 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\8fê\8d\87\82Í\91O\8cã\82ÅSTART_HOOK_FUNCTION\82ÆEND_HOOK_FUNCTION\82ð\8eÀ\8ds\82·\82é\95K\97v\82ª\82 \82é
91
92 HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName)
93 {
94         HMODULE r = NULL;
95         if(GetModuleHandleA(lpLibFileName) || IsModuleTrustedA(lpLibFileName))
96         {
97                 wchar_t* pw0 = NULL;
98                 pw0 = DuplicateAtoW(lpLibFileName, -1);
99                 r = System_LoadLibrary(pw0, NULL, 0);
100                 FreeDuplicatedString(pw0);
101         }
102         return r;
103 }
104
105 HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName)
106 {
107         HMODULE r = NULL;
108         if(GetModuleHandleW(lpLibFileName) || IsModuleTrustedW(lpLibFileName))
109                 r = System_LoadLibrary(lpLibFileName, NULL, 0);
110         return r;
111 }
112
113 HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
114 {
115         HMODULE r = NULL;
116         if(GetModuleHandleA(lpLibFileName) || IsModuleTrustedA(lpLibFileName))
117         {
118                 wchar_t* pw0 = NULL;
119                 pw0 = DuplicateAtoW(lpLibFileName, -1);
120                 r = System_LoadLibrary(pw0, hFile, dwFlags);
121                 FreeDuplicatedString(pw0);
122         }
123         return r;
124 }
125
126 HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
127 {
128         HMODULE r = NULL;
129         if(GetModuleHandleW(lpLibFileName) || IsModuleTrustedW(lpLibFileName))
130                 r = System_LoadLibrary(lpLibFileName, hFile, dwFlags);
131         return r;
132 }
133
134 // \88È\89º\83w\83\8b\83p\81[\8aÖ\90\94
135
136 BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash)
137 {
138         BOOL bResult;
139         HCRYPTPROV hProv;
140         HCRYPTHASH hHash;
141         HANDLE hFile;
142         DWORD Size;
143         void* pData;
144         DWORD dw;
145         bResult = FALSE;
146         if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
147         {
148                 if(CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
149                 {
150                         if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
151                         {
152                                 Size = GetFileSize(hFile, NULL);
153                                 if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))
154                                 {
155                                         VirtualLock(pData, Size);
156                                         if(ReadFile(hFile, pData, Size, &dw, NULL))
157                                         {
158                                                 if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
159                                                 {
160                                                         dw = 16;
161                                                         if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
162                                                                 bResult = TRUE;
163                                                 }
164                                         }
165                                         VirtualUnlock(pData, Size);
166                                         VirtualFree(pData, Size, MEM_DECOMMIT);
167                                 }
168                                 CloseHandle(hFile);
169                         }
170                         CryptDestroyHash(hHash);
171                 }
172                 CryptReleaseContext(hProv, 0);
173         }
174         return bResult;
175 }
176
177 #ifdef USE_CODE_HOOK
178 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore)
179 {
180         BOOL bResult;
181         DWORD Protect;
182 #if defined(_X86_)
183         BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xe9, 0x00, 0x00, 0x00, 0x00};
184         size_t Relative;
185         Relative = (size_t)pNew - (size_t)pOriginal - HOOK_JUMP_CODE_LENGTH;
186         memcpy(&JumpCode[1], &Relative, 4);
187         bResult = FALSE;
188         if(bRestore)
189         {
190                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
191                 {
192                         memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
193                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
194                         bResult = TRUE;
195                 }
196         }
197         else
198         {
199                 if(pBackupCode)
200                         memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
201                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
202                 {
203                         memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
204                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
205                         bResult = TRUE;
206                 }
207         }
208 #elif defined(_AMD64_)
209         BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xff, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
210         size_t Absolute;
211         Absolute = (size_t)pOriginal;
212         memcpy(&JumpCode[6], &Absolute, 8);
213         bResult = FALSE;
214         if(bRestore)
215         {
216                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
217                 {
218                         memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
219                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
220                         bResult = TRUE;
221                 }
222         }
223         else
224         {
225                 if(pBackupCode)
226                         memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
227                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
228                 {
229                         memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
230                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
231                         bResult = TRUE;
232                 }
233         }
234 #endif
235         return bResult;
236 }
237 #endif
238
239 #ifdef USE_IAT_HOOK
240 BOOL HookFunctionInIAT(void* pOriginal, void* pNew)
241 {
242         BOOL bResult;
243         HANDLE hSnapshot;
244         MODULEENTRY32 me;
245         BOOL bFound;
246         IMAGE_IMPORT_DESCRIPTOR* piid;
247         ULONG Size;
248         IMAGE_THUNK_DATA* pitd;
249         DWORD Protect;
250         bResult = FALSE;
251         if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
252         {
253                 me.dwSize = sizeof(MODULEENTRY32);
254                 if(Module32First(hSnapshot, &me))
255                 {
256                         bFound = FALSE;
257                         do
258                         {
259                                 if(piid = (IMAGE_IMPORT_DESCRIPTOR*)ImageDirectoryEntryToData(me.hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size))
260                                 {
261                                         while(!bFound && piid->Name != 0)
262                                         {
263                                                 pitd = (IMAGE_THUNK_DATA*)((BYTE*)me.hModule + piid->FirstThunk);
264                                                 while(!bFound && pitd->u1.Function != 0)
265                                                 {
266                                                         if((void*)pitd->u1.Function == pOriginal)
267                                                         {
268                                                                 bFound = TRUE;
269                                                                 if(VirtualProtect(&pitd->u1.Function, sizeof(void*), PAGE_EXECUTE_READWRITE, &Protect))
270                                                                 {
271                                                                         memcpy(&pitd->u1.Function, &pNew, sizeof(void*));
272                                                                         VirtualProtect(&pitd->u1.Function, sizeof(void*), Protect, &Protect);
273                                                                         bResult = TRUE;
274                                                                 }
275                                                         }
276                                                         pitd++;
277                                                 }
278                                                 piid++;
279                                         }
280                                 }
281                         }
282                         while(!bFound && Module32Next(hSnapshot, &me));
283                 }
284                 CloseHandle(hSnapshot);
285         }
286         return bResult;
287 }
288 #endif
289
290 // kernel32.dll\82ÌLoadLibraryExW\91\8a\93\96\82Ì\8aÖ\90\94
291 HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
292 {
293         HMODULE r = NULL;
294         UNICODE_STRING us;
295         us.Length = sizeof(wchar_t) * wcslen(lpLibFileName);
296         us.MaximumLength = sizeof(wchar_t) * (wcslen(lpLibFileName) + 1);
297         us.Buffer = (PWSTR)lpLibFileName;
298         if(dwFlags & LOAD_LIBRARY_AS_DATAFILE)
299         {
300 //              if(p_LdrGetDllHandle(NULL, dwFlags, &us, &r) == 0)
301                 if(p_LdrGetDllHandle(NULL, &dwFlags, &us, &r) == 0)
302                 {
303                         if(p_LdrAddRefDll)
304                                 p_LdrAddRefDll(0, r);
305                 }
306                 else
307                 {
308                         dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
309 //                      if(p_LdrLoadDll(NULL, dwFlags, &us, &r) == 0)
310                         if(p_LdrLoadDll(NULL, &dwFlags, &us, &r) == 0)
311                         {
312                         }
313                         else
314                                 r = NULL;
315                 }
316         }
317         else
318         {
319 //              if(p_LdrGetDllHandle(NULL, dwFlags, &us, &r) == 0)
320                 if(p_LdrGetDllHandle(NULL, &dwFlags, &us, &r) == 0)
321                 {
322                         if(p_LdrAddRefDll)
323                                 p_LdrAddRefDll(0, r);
324                 }
325 //              else if(p_LdrLoadDll(NULL, dwFlags, &us, &r) == 0)
326                 else if(p_LdrLoadDll(NULL, &dwFlags, &us, &r) == 0)
327                 {
328                 }
329                 else
330                         r = NULL;
331         }
332         return r;
333 }
334
335 // DLL\82Ì\83n\83b\83V\83\85\82ð\93o\98^
336 BOOL RegisterModuleMD5Hash(void* pHash)
337 {
338         BOOL bResult;
339         BYTE NullHash[16] = {0};
340         int i;
341         bResult = FALSE;
342         if(FindModuleMD5Hash(pHash))
343                 bResult = TRUE;
344         else
345         {
346                 i = 0;
347                 while(i < MAX_MD5_HASH_TABLE)
348                 {
349                         if(memcmp(&g_MD5HashTable[i], &NullHash, 16) == 0)
350                         {
351                                 memcpy(&g_MD5HashTable[i], pHash, 16);
352                                 bResult = TRUE;
353                                 break;
354                         }
355                         i++;
356                 }
357         }
358         return bResult;
359 }
360
361 // DLL\82Ì\83n\83b\83V\83\85\82Ì\93o\98^\82ð\89ð\8f\9c
362 BOOL UnregisterModuleMD5Hash(void* pHash)
363 {
364         BOOL bResult;
365         BYTE NullHash[16] = {0};
366         int i;
367         bResult = FALSE;
368         i = 0;
369         while(i < MAX_MD5_HASH_TABLE)
370         {
371                 if(memcmp(&g_MD5HashTable[i], pHash, 16) == 0)
372                 {
373                         memcpy(&g_MD5HashTable[i], &NullHash, 16);
374                         bResult = TRUE;
375                         break;
376                 }
377                 i++;
378         }
379         return bResult;
380 }
381
382 // DLL\82Ì\83n\83b\83V\83\85\82ð\8c\9f\8dõ
383 BOOL FindModuleMD5Hash(void* pHash)
384 {
385         BOOL bResult;
386         int i;
387         bResult = FALSE;
388         i = 0;
389         while(i < MAX_MD5_HASH_TABLE)
390         {
391                 if(memcmp(&g_MD5HashTable[i], pHash, 16) == 0)
392                 {
393                         bResult = TRUE;
394                         break;
395                 }
396                 i++;
397         }
398         return bResult;
399 }
400
401 // DLL\82ð\8am\94F
402 // \83n\83b\83V\83\85\82ª\93o\98^\82³\82ê\82Ä\82¢\82é\81AAuthenticode\8f\90\96¼\82ª\82³\82ê\82Ä\82¢\82é\81A\82Ü\82½\82ÍWFP\82É\82æ\82é\95Û\8cì\89º\82É\82 \82é\82±\82Æ\82ð\8am\94F
403 BOOL IsModuleTrustedA(LPCSTR Filename)
404 {
405         BOOL r = FALSE;
406         wchar_t* pw0 = NULL;
407         pw0 = DuplicateAtoW(Filename, -1);
408         r = IsModuleTrustedW(pw0);
409         FreeDuplicatedString(pw0);
410         return r;
411 }
412
413 // DLL\82ð\8am\94F
414 // \83n\83b\83V\83\85\82ª\93o\98^\82³\82ê\82Ä\82¢\82é\81AAuthenticode\8f\90\96¼\82ª\82³\82ê\82Ä\82¢\82é\81A\82Ü\82½\82ÍWFP\82É\82æ\82é\95Û\8cì\89º\82É\82 \82é\82±\82Æ\82ð\8am\94F
415 BOOL IsModuleTrustedW(LPCWSTR Filename)
416 {
417         BOOL bResult;
418         WCHAR Path[MAX_PATH];
419         LPWSTR p;
420         BYTE Hash[16];
421         GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
422         WINTRUST_FILE_INFO wfi;
423         WINTRUST_DATA wd;
424         bResult = FALSE;
425         if(wcsrchr(Filename, '.') > wcsrchr(Filename, '\\'))
426         {
427                 if(SearchPathW(NULL, Filename, NULL, MAX_PATH, Path, &p) > 0)
428                         Filename = Path;
429         }
430         else
431         {
432                 if(SearchPathW(NULL, Filename, L".dll", MAX_PATH, Path, &p) > 0)
433                         Filename = Path;
434         }
435         if(GetMD5HashOfFile(Filename, &Hash))
436         {
437                 if(FindModuleMD5Hash(&Hash))
438                         bResult = TRUE;
439         }
440         if(!bResult)
441         {
442                 ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO));
443                 wfi.cbStruct = sizeof(WINTRUST_FILE_INFO);
444                 wfi.pcwszFilePath = Filename;
445                 ZeroMemory(&wd, sizeof(WINTRUST_DATA));
446                 wd.cbStruct = sizeof(WINTRUST_DATA);
447                 wd.dwUIChoice = WTD_UI_NONE;
448                 wd.dwUnionChoice = WTD_CHOICE_FILE;
449                 wd.pFile = &wfi;
450                 if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
451                         bResult = TRUE;
452         }
453         if(!bResult)
454         {
455                 if(SfcIsFileProtected(NULL, Filename))
456                         bResult = TRUE;
457         }
458 //      if(!bResult)
459 //      {
460 //              WCHAR Temp[MAX_PATH + 128];
461 //              _swprintf(Temp, L"Untrusted module was detected! \"%s\"\n", Filename);
462 //              OutputDebugStringW(Temp);
463 //      }
464         return bResult;
465 }
466
467 // \8aÖ\90\94\83|\83C\83\93\83^\82ð\8eg\97p\89Â\94\\82È\8fó\91Ô\82É\8f\89\8aú\89»
468 BOOL InitializeLoadLibraryHook()
469 {
470         HMODULE hModule;
471         hModule = GetModuleHandleW(L"kernel32.dll");
472         GET_FUNCTION(hModule, LoadLibraryA);
473         GET_FUNCTION(hModule, LoadLibraryW);
474         GET_FUNCTION(hModule, LoadLibraryExA);
475         GET_FUNCTION(hModule, LoadLibraryExW);
476         hModule = GetModuleHandleW(L"ntdll.dll");
477         GET_FUNCTION(hModule, LdrLoadDll);
478         GET_FUNCTION(hModule, LdrGetDllHandle);
479         GET_FUNCTION(hModule, LdrAddRefDll);
480         return TRUE;
481 }
482
483 // SetWindowsHookEx\91Î\8dô
484 // DLL Injection\82³\82ê\82½\8fê\8d\87\82Í\8fã\82Ìh_LoadLibrary\8cn\8aÖ\90\94\82Å\83g\83\89\83b\83v\89Â\94\
485 BOOL EnableLoadLibraryHook(BOOL bEnable)
486 {
487         if(bEnable)
488         {
489                 // \8c\9f\8fØ\82É\95K\97v\82ÈDLL\82Ì\92x\89\84\93Ç\82Ý\8d\9e\82Ý\89ñ\94ð
490                 IsModuleTrustedA("");
491 #ifdef USE_CODE_HOOK
492                 SET_HOOK_FUNCTION(LoadLibraryA);
493                 SET_HOOK_FUNCTION(LoadLibraryW);
494                 SET_HOOK_FUNCTION(LoadLibraryExA);
495                 SET_HOOK_FUNCTION(LoadLibraryExW);
496 #endif
497 #ifdef USE_IAT_HOOK
498                 HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA);
499                 HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW);
500                 HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA);
501                 HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW);
502 #endif
503         }
504         else
505         {
506 #ifdef USE_CODE_HOOK
507                 END_HOOK_FUNCTION(LoadLibraryA);
508                 END_HOOK_FUNCTION(LoadLibraryW);
509                 END_HOOK_FUNCTION(LoadLibraryExA);
510                 END_HOOK_FUNCTION(LoadLibraryExW);
511 #endif
512 #ifdef USE_IAT_HOOK
513                 HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA);
514                 HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW);
515                 HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA);
516                 HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW);
517 #endif
518         }
519         return TRUE;
520 }
521
522 // ReadProcessMemory\81AWriteProcessMemory\81ACreateRemoteThread\91Î\8dô
523 // TerminateProcess\82Ì\82Ý\8b\96\89Â
524 BOOL RestartProtectedProcess(LPCTSTR Keyword)
525 {
526         BOOL bResult;
527         ACL* pACL;
528         SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
529         PSID pSID;
530         SECURITY_DESCRIPTOR sd;
531         TCHAR* CommandLine;
532         SECURITY_ATTRIBUTES sa;
533         STARTUPINFO si;
534         PROCESS_INFORMATION pi;
535         bResult = FALSE;
536         if(_tcslen(GetCommandLine()) >= _tcslen(Keyword) && _tcscmp(GetCommandLine() + _tcslen(GetCommandLine()) - _tcslen(Keyword), Keyword) == 0)
537                 return FALSE;
538         if(pACL = (ACL*)malloc(sizeof(ACL) + 1024))
539         {
540                 if(InitializeAcl(pACL, sizeof(ACL) + 1024, ACL_REVISION))
541                 {
542                         if(AllocateAndInitializeSid(&sia, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSID))
543                         {
544                                 if(AddAccessAllowedAce(pACL, ACL_REVISION, PROCESS_TERMINATE, pSID))
545                                 {
546                                         if(InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
547                                         {
548                                                 if(SetSecurityDescriptorDacl(&sd, TRUE, pACL, FALSE))
549                                                 {
550                                                         if(CommandLine = (TCHAR*)malloc(sizeof(TCHAR) * (_tcslen(GetCommandLine()) + _tcslen(Keyword) + 1)))
551                                                         {
552                                                                 _tcscpy(CommandLine, GetCommandLine());
553                                                                 _tcscat(CommandLine, Keyword);
554                                                                 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
555                                                                 sa.lpSecurityDescriptor = &sd;
556                                                                 sa.bInheritHandle = FALSE;
557                                                                 GetStartupInfo(&si);
558                                                                 if(CreateProcess(NULL, CommandLine, &sa, NULL, FALSE, 0, NULL, NULL, &si, &pi))
559                                                                 {
560                                                                         CloseHandle(pi.hThread);
561                                                                         CloseHandle(pi.hProcess);
562                                                                         bResult = TRUE;
563                                                                 }
564                                                                 free(CommandLine);
565                                                         }
566                                                 }
567                                         }
568                                 }
569                                 FreeSid(pSID);
570                         }
571                 }
572                 free(pACL);
573         }
574         return bResult;
575 }
576