OSDN Git Service

Fix bugs process protection.
[ffftp/ffftp.git] / protectprocess.c
1 // protectprocess.c
2 // Copyright (C) 2011 Suguru Kawamoto
3 // \83v\83\8d\83Z\83X\82Ì\95Û\8cì
4
5 // \8e\9f\82Ì\92\86\82©\82ç1\8cÂ\82Ì\82Ý\97L\8cø\82É\82·\82é
6 // \83t\83b\83N\90æ\82Ì\8aÖ\90\94\82Ì\83R\81[\83h\82ð\8f\91\82«\8a·\82¦\82é
7 // \91S\82Ä\82Ì\8cÄ\82Ñ\8fo\82µ\82ð\83t\83b\83N\89Â\94\\82¾\82ª\8c´\97\9d\93I\82É\93ñ\8fd\8cÄ\82Ñ\8fo\82µ\82É\91Î\89\9e\82Å\82«\82È\82¢
8 #define USE_CODE_HOOK
9 // \83t\83b\83N\90æ\82Ì\8aÖ\90\94\82Ì\83C\83\93\83|\81[\83g\83A\83h\83\8c\83X\83e\81[\83u\83\8b\82ð\8f\91\82«\8a·\82¦\82é
10 // \93ñ\8fd\8cÄ\82Ñ\8fo\82µ\82ª\89Â\94\\82¾\82ª\8cÄ\82Ñ\8fo\82µ\95û\96@\82É\82æ\82Á\82Ä\82Í\83t\83b\83N\82ð\89ñ\94ð\82³\82ê\82é
11 //#define USE_IAT_HOOK
12
13 // \83t\83b\83N\91Î\8fÛ\82Ì\8aÖ\90\94\96¼ %s
14 // \83t\83b\83N\91Î\8fÛ\82Ì\8c^ _%s
15 // \83t\83b\83N\91Î\8fÛ\82Ì\83|\83C\83\93\83^ p_%s
16 // \83t\83b\83N\97p\82Ì\8aÖ\90\94\96¼ h_%s
17 // \83t\83b\83N\91Î\8fÛ\82Ì\83R\81[\83h\82Ì\83o\83b\83N\83A\83b\83v c_%s
18
19 #include <tchar.h>
20 #include <windows.h>
21 #include <ntsecapi.h>
22 #include <wincrypt.h>
23 #include <wintrust.h>
24 #include <softpub.h>
25 #include <aclapi.h>
26 #include <sfc.h>
27 #include <tlhelp32.h>
28 #include <imagehlp.h>
29 #ifdef USE_IAT_HOOK
30 #include <dbghelp.h>
31 #endif
32
33 #define DO_NOT_REPLACE
34 #include "protectprocess.h"
35 #include "mbswrapper.h"
36
37 #ifdef USE_IAT_HOOK
38 #pragma comment(lib, "dbghelp.lib")
39 #endif
40
41 #ifdef USE_CODE_HOOK
42 #if defined(_X86_)
43 #define HOOK_JUMP_CODE_LENGTH 5
44 #elif defined(_AMD64_)
45 #define HOOK_JUMP_CODE_LENGTH 14
46 #endif
47 #endif
48
49 BOOL LockThreadLock();
50 BOOL UnlockThreadLock();
51 #ifdef USE_CODE_HOOK
52 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore);
53 #endif
54 #ifdef USE_IAT_HOOK
55 BOOL HookFunctionInIAT(void* pOriginal, void* pNew);
56 #endif
57 HANDLE LockExistingFile(LPCWSTR Filename);
58 BOOL FindTrustedModuleMD5Hash(void* pHash);
59 BOOL VerifyFileSignature(LPCWSTR Filename);
60 BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename);
61 BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash);
62 BOOL IsModuleTrusted(LPCWSTR Filename);
63
64 // \95Ï\90\94\82Ì\90é\8c¾
65 #ifdef USE_CODE_HOOK
66 #define HOOK_FUNCTION_VAR(name) _##name p_##name;BYTE c_##name[HOOK_JUMP_CODE_LENGTH * 2];
67 #endif
68 #ifdef USE_IAT_HOOK
69 #define HOOK_FUNCTION_VAR(name) _##name p_##name;
70 #endif
71 // \8aÖ\90\94\83|\83C\83\93\83^\82ð\8eæ\93¾
72 #define GET_FUNCTION(h, name) p_##name = (_##name)GetProcAddress(h, #name)
73 // \83t\83b\83N\91Î\8fÛ\82Ì\83R\81[\83h\82ð\92u\8a·\82µ\82Ä\83t\83b\83N\82ð\8aJ\8en
74 #define SET_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, FALSE)
75 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\91O\82É\91Î\8fÛ\82Ì\83R\81[\83h\82ð\95\9c\8c³
76 #define START_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, TRUE)
77 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82µ\82½\8cã\82É\91Î\8fÛ\82Ì\83R\81[\83h\82ð\92u\8a·
78 #define END_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, NULL, FALSE)
79
80 HOOK_FUNCTION_VAR(LoadLibraryA)
81 HOOK_FUNCTION_VAR(LoadLibraryW)
82 HOOK_FUNCTION_VAR(LoadLibraryExA)
83 HOOK_FUNCTION_VAR(LoadLibraryExW)
84
85 typedef NTSTATUS (NTAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
86 typedef NTSTATUS (NTAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
87 typedef PIMAGE_NT_HEADERS (NTAPI* _RtlImageNtHeader)(PVOID);
88 typedef BOOL (WINAPI* _CryptCATAdminCalcHashFromFileHandle)(HANDLE, DWORD*, BYTE*, DWORD);
89
90 _LdrLoadDll p_LdrLoadDll;
91 _LdrGetDllHandle p_LdrGetDllHandle;
92 _RtlImageNtHeader p_RtlImageNtHeader;
93 _CryptCATAdminCalcHashFromFileHandle p_CryptCATAdminCalcHashFromFileHandle;
94
95 #define MAX_LOCKED_THREAD 16
96 #define MAX_TRUSTED_FILENAME_TABLE 16
97 #define MAX_TRUSTED_MD5_HASH_TABLE 16
98
99 DWORD g_LockedThread[MAX_LOCKED_THREAD];
100 WCHAR* g_pTrustedFilenameTable[MAX_TRUSTED_FILENAME_TABLE];
101 BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][16];
102
103 // \88È\89º\83t\83b\83N\8aÖ\90\94
104 // \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\8fê\8d\87\82Í\91O\8cã\82ÅSTART_HOOK_FUNCTION\82ÆEND_HOOK_FUNCTION\82ð\8eÀ\8ds\82·\82é\95K\97v\82ª\82 \82é
105
106 HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName)
107 {
108         HMODULE r = NULL;
109         wchar_t* pw0 = NULL;
110         if(pw0 = DuplicateAtoW(lpLibFileName, -1))
111                 r = LoadLibraryExW(pw0, NULL, 0);
112         FreeDuplicatedString(pw0);
113         return r;
114 }
115
116 HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName)
117 {
118         HMODULE r = NULL;
119         r = LoadLibraryExW(lpLibFileName, NULL, 0);
120         return r;
121 }
122
123 HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
124 {
125         HMODULE r = NULL;
126         wchar_t* pw0 = NULL;
127         if(pw0 = DuplicateAtoW(lpLibFileName, -1))
128                 r = LoadLibraryExW(pw0, hFile, dwFlags);
129         FreeDuplicatedString(pw0);
130         return r;
131 }
132
133 HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
134 {
135         HMODULE r = NULL;
136         BOOL bTrusted;
137         wchar_t* pw0;
138         HANDLE hLock;
139         HMODULE hModule;
140         DWORD Length;
141         bTrusted = FALSE;
142         pw0 = NULL;
143         hLock = NULL;
144 //      if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))
145         if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040))
146                 bTrusted = TRUE;
147         if(!bTrusted)
148         {
149                 if(hModule = System_LoadLibrary(lpLibFileName, NULL, DONT_RESOLVE_DLL_REFERENCES))
150                 {
151                         Length = MAX_PATH;
152                         if(pw0 = AllocateStringW(Length))
153                         {
154                                 if(GetModuleFileNameW(hModule, pw0, Length) > 0)
155                                 {
156                                         while(pw0)
157                                         {
158                                                 if(GetModuleFileNameW(hModule, pw0, Length) + 1 <= Length)
159                                                 {
160                                                         lpLibFileName = pw0;
161                                                         break;
162                                                 }
163                                                 Length = Length * 2;
164                                                 FreeDuplicatedString(pw0);
165                                                 pw0 = AllocateStringW(Length);
166                                         }
167                                 }
168                         }
169                         hLock = LockExistingFile(lpLibFileName);
170                         FreeLibrary(hModule);
171                 }
172                 if(GetModuleHandleW(lpLibFileName))
173                         bTrusted = TRUE;
174         }
175         if(!bTrusted)
176         {
177                 if(LockThreadLock())
178                 {
179                         if(hLock)
180                         {
181                                 if(IsModuleTrusted(lpLibFileName))
182                                         bTrusted = TRUE;
183                         }
184                         UnlockThreadLock();
185                 }
186         }
187         if(bTrusted)
188                 r = System_LoadLibrary(lpLibFileName, hFile, dwFlags);
189         FreeDuplicatedString(pw0);
190         if(hLock)
191                 CloseHandle(hLock);
192         return r;
193 }
194
195 // \88È\89º\83w\83\8b\83p\81[\8aÖ\90\94
196
197 BOOL LockThreadLock()
198 {
199         BOOL bResult;
200         DWORD ThreadId;
201         DWORD i;
202         bResult = FALSE;
203         ThreadId = GetCurrentThreadId();
204         i = 0;
205         while(i < MAX_LOCKED_THREAD)
206         {
207                 if(g_LockedThread[i] == ThreadId)
208                         break;
209                 i++;
210         }
211         if(i >= MAX_LOCKED_THREAD)
212         {
213                 i = 0;
214                 while(i < MAX_LOCKED_THREAD)
215                 {
216                         if(g_LockedThread[i] == 0)
217                         {
218                                 g_LockedThread[i] = ThreadId;
219                                 bResult = TRUE;
220                                 break;
221                         }
222                         i++;
223                 }
224         }
225         return bResult;
226 }
227
228 BOOL UnlockThreadLock()
229 {
230         BOOL bResult;
231         DWORD ThreadId;
232         DWORD i;
233         bResult = FALSE;
234         ThreadId = GetCurrentThreadId();
235         i = 0;
236         while(i < MAX_LOCKED_THREAD)
237         {
238                 if(g_LockedThread[i] == ThreadId)
239                 {
240                         g_LockedThread[i] = 0;
241                         bResult = TRUE;
242                         break;
243                 }
244                 i++;
245         }
246         return bResult;
247 }
248
249 #ifdef USE_CODE_HOOK
250 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore)
251 {
252         BOOL bResult;
253         DWORD Protect;
254 #if defined(_X86_)
255         BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xe9, 0x00, 0x00, 0x00, 0x00};
256         size_t Relative;
257         Relative = (size_t)pNew - (size_t)pOriginal - HOOK_JUMP_CODE_LENGTH;
258         memcpy(&JumpCode[1], &Relative, 4);
259         bResult = FALSE;
260         if(bRestore)
261         {
262                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
263                 {
264                         memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
265                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
266                         bResult = TRUE;
267                 }
268         }
269         else
270         {
271                 if(pBackupCode)
272                         memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
273                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
274                 {
275                         memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
276                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
277                         bResult = TRUE;
278                 }
279         }
280 #elif defined(_AMD64_)
281         BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xff, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
282         size_t Absolute;
283         Absolute = (size_t)pOriginal;
284         memcpy(&JumpCode[6], &Absolute, 8);
285         bResult = FALSE;
286         if(bRestore)
287         {
288                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
289                 {
290                         memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
291                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
292                         bResult = TRUE;
293                 }
294         }
295         else
296         {
297                 if(pBackupCode)
298                         memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
299                 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
300                 {
301                         memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
302                         VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
303                         bResult = TRUE;
304                 }
305         }
306 #endif
307         return bResult;
308 }
309 #endif
310
311 #ifdef USE_IAT_HOOK
312 BOOL HookFunctionInIAT(void* pOriginal, void* pNew)
313 {
314         BOOL bResult;
315         HANDLE hSnapshot;
316         MODULEENTRY32 me;
317         BOOL bFound;
318         IMAGE_IMPORT_DESCRIPTOR* piid;
319         ULONG Size;
320         IMAGE_THUNK_DATA* pitd;
321         DWORD Protect;
322         bResult = FALSE;
323         if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
324         {
325                 me.dwSize = sizeof(MODULEENTRY32);
326                 if(Module32First(hSnapshot, &me))
327                 {
328                         bFound = FALSE;
329                         do
330                         {
331                                 if(piid = (IMAGE_IMPORT_DESCRIPTOR*)ImageDirectoryEntryToData(me.hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size))
332                                 {
333                                         while(!bFound && piid->Name != 0)
334                                         {
335                                                 pitd = (IMAGE_THUNK_DATA*)((BYTE*)me.hModule + piid->FirstThunk);
336                                                 while(!bFound && pitd->u1.Function != 0)
337                                                 {
338                                                         if((void*)pitd->u1.Function == pOriginal)
339                                                         {
340                                                                 bFound = TRUE;
341                                                                 if(VirtualProtect(&pitd->u1.Function, sizeof(void*), PAGE_EXECUTE_READWRITE, &Protect))
342                                                                 {
343                                                                         memcpy(&pitd->u1.Function, &pNew, sizeof(void*));
344                                                                         VirtualProtect(&pitd->u1.Function, sizeof(void*), Protect, &Protect);
345                                                                         bResult = TRUE;
346                                                                 }
347                                                         }
348                                                         pitd++;
349                                                 }
350                                                 piid++;
351                                         }
352                                 }
353                         }
354                         while(!bFound && Module32Next(hSnapshot, &me));
355                 }
356                 CloseHandle(hSnapshot);
357         }
358         return bResult;
359 }
360 #endif
361
362 // \83t\83@\83C\83\8b\82ð\95Ï\8dX\95s\94\\82É\90Ý\92è
363 HANDLE LockExistingFile(LPCWSTR Filename)
364 {
365         HANDLE hResult;
366         hResult = NULL;
367         if((hResult = CreateFileW(Filename, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL)) == INVALID_HANDLE_VALUE)
368                 hResult = NULL;
369         return hResult;
370 }
371
372 // DLL\82Ì\83n\83b\83V\83\85\82ð\8c\9f\8dõ
373 BOOL FindTrustedModuleMD5Hash(void* pHash)
374 {
375         BOOL bResult;
376         int i;
377         bResult = FALSE;
378         i = 0;
379         while(i < MAX_TRUSTED_MD5_HASH_TABLE)
380         {
381                 if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
382                 {
383                         bResult = TRUE;
384                         break;
385                 }
386                 i++;
387         }
388         return bResult;
389 }
390
391 // \83t\83@\83C\83\8b\82Ì\8f\90\96¼\82ð\8am\94F
392 BOOL VerifyFileSignature(LPCWSTR Filename)
393 {
394         BOOL bResult;
395         GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
396         WINTRUST_FILE_INFO wfi;
397         WINTRUST_DATA wd;
398         bResult = FALSE;
399         ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO));
400         wfi.cbStruct = sizeof(WINTRUST_FILE_INFO);
401         wfi.pcwszFilePath = Filename;
402         ZeroMemory(&wd, sizeof(WINTRUST_DATA));
403         wd.cbStruct = sizeof(WINTRUST_DATA);
404         wd.dwUIChoice = WTD_UI_NONE;
405         wd.dwUnionChoice = WTD_CHOICE_FILE;
406         wd.pFile = &wfi;
407         if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
408                 bResult = TRUE;
409         return bResult;
410 }
411
412 // \83t\83@\83C\83\8b\82Ì\8f\90\96¼\82ð\83J\83^\83\8d\83O\83t\83@\83C\83\8b\82Å\8am\94F
413 BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename)
414 {
415         BOOL bResult;
416         GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
417         WINTRUST_CATALOG_INFO wci;
418         WINTRUST_DATA wd;
419         bResult = FALSE;
420         if(VerifyFileSignature(Catalog))
421         {
422                 ZeroMemory(&wci, sizeof(WINTRUST_CATALOG_INFO));
423                 wci.cbStruct = sizeof(WINTRUST_CATALOG_INFO);
424                 wci.pcwszCatalogFilePath = Catalog;
425                 wci.pcwszMemberFilePath = Filename;
426                 if((wci.hMemberFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
427                 {
428                         p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, NULL, 0);
429                         if(wci.pbCalculatedFileHash = (BYTE*)malloc(wci.cbCalculatedFileHash))
430                         {
431                                 if(p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, wci.pbCalculatedFileHash, 0))
432                                 {
433                                         ZeroMemory(&wd, sizeof(WINTRUST_DATA));
434                                         wd.cbStruct = sizeof(WINTRUST_DATA);
435                                         wd.dwUIChoice = WTD_UI_NONE;
436                                         wd.dwUnionChoice = WTD_CHOICE_CATALOG;
437                                         wd.pCatalog = &wci;
438                                         if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
439                                                 bResult = TRUE;
440                                 }
441                                 free(wci.pbCalculatedFileHash);
442                         }
443                         CloseHandle(wci.hMemberFile);
444                 }
445         }
446         return bResult;
447 }
448
449 BOOL WINAPI GetSHA1HashOfModule_Function(DIGEST_HANDLE refdata, PBYTE pData, DWORD dwLength)
450 {
451         return CryptHashData(*(HCRYPTHASH*)refdata, pData, dwLength, 0);
452 }
453
454 // \83\82\83W\83\85\81[\83\8b\82ÌSHA1\83n\83b\83V\83\85\82ð\8eæ\93¾
455 // \83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\82Ìfile\97v\91f\82Ìhash\91®\90«\82Í\8eÀ\8ds\89Â\94\\83t\83@\83C\83\8b\82Ì\8fê\8d\87\82ÉImageGetDigestStream\82Å\8eZ\8fo\82³\82ê\82é
456 BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash)
457 {
458         BOOL bResult;
459         HCRYPTPROV hProv;
460         HCRYPTHASH hHash;
461         HANDLE hFile;
462         DWORD dw;
463         bResult = FALSE;
464         if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
465         {
466                 if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
467                 {
468                         if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
469                         {
470                                 if(ImageGetDigestStream(hFile, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, GetSHA1HashOfModule_Function, (DIGEST_HANDLE)&hHash))
471                                 {
472                                         dw = 20;
473                                         if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
474                                                 bResult = TRUE;
475                                 }
476                                 CloseHandle(hFile);
477                         }
478                         CryptDestroyHash(hHash);
479                 }
480                 CryptReleaseContext(hProv, 0);
481         }
482         return bResult;
483 }
484
485 BOOL IsSxsModuleTrusted_Function(LPCWSTR Catalog, LPCWSTR Manifest, LPCWSTR Module)
486 {
487         BOOL bResult;
488         HANDLE hLock0;
489         HANDLE hLock1;
490         BYTE Hash[20];
491         int i;
492         static char HexTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
493         char HashHex[41];
494         HANDLE hFile;
495         DWORD Size;
496         char* pData;
497         DWORD dw;
498         bResult = FALSE;
499         if(hLock0 = LockExistingFile(Catalog))
500         {
501                 if(hLock1 = LockExistingFile(Manifest))
502                 {
503                         if(VerifyFileSignatureInCatalog(Catalog, Manifest))
504                         {
505                                 if(GetSHA1HashOfModule(Module, &Hash))
506                                 {
507                                         for(i = 0; i < 20; i++)
508                                         {
509                                                 HashHex[i * 2] = HexTable[(Hash[i] >> 4) & 0x0f];
510                                                 HashHex[i * 2 + 1] = HexTable[Hash[i] & 0x0f];
511                                         }
512                                         HashHex[i * 2] = '\0';
513                                         if((hFile = CreateFileW(Manifest, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
514                                         {
515                                                 Size = GetFileSize(hFile, NULL);
516                                                 if(pData = (char*)VirtualAlloc(NULL, Size + 1, MEM_COMMIT, PAGE_READWRITE))
517                                                 {
518                                                         VirtualLock(pData, Size + 1);
519                                                         if(ReadFile(hFile, pData, Size, &dw, NULL))
520                                                         {
521                                                                 pData[dw] = '\0';
522                                                                 if(strstr(pData, HashHex))
523                                                                         bResult = TRUE;
524                                                         }
525                                                         VirtualUnlock(pData, Size + 1);
526                                                         VirtualFree(pData, Size + 1, MEM_DECOMMIT);
527                                                 }
528                                                 CloseHandle(hFile);
529                                         }
530                                 }
531                         }
532                         CloseHandle(hLock1);
533                 }
534                 CloseHandle(hLock0);
535         }
536         return bResult;
537 }
538
539 // \83T\83C\83h\83o\83C\83T\83C\83hDLL\82ð\8am\94F
540 // \83p\83X\82Í"%SystemRoot%\WinSxS"\88È\89º\82ð\91z\92è
541 // \88È\89º\82Ì\83t\83@\83C\83\8b\82ª\91\8dÝ\82·\82é\82à\82Ì\82Æ\82·\82é
542 // "\xxx\yyy.dll"\81A"\manifests\xxx.cat"\81A"\manifests\xxx.manifest"\82Ì\83Z\83b\83g\81iXP\82Ì\91S\82Ä\82ÌDLL\81AVista\88È\8d~\82Ì\88ê\95\94\82ÌDLL\81j
543 // "\xxx\yyy.dll"\81A"\catalogs\zzz.cat"\81A"\manifests\xxx.manifest"\82Ì\83Z\83b\83g\81iVista\88È\8d~\82Ì\82Ù\82Æ\82ñ\82Ç\82ÌDLL\81j
544 // \8f\90\96¼\82³\82ê\82½\83J\83^\83\8d\83O\83t\83@\83C\83\8b\82ð\97p\82¢\82Ä\83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\82ª\89üâ\82\82³\82ê\82Ä\82¢\82È\82¢\82±\82Æ\82ð\8am\94F
545 // \83n\83b\83V\83\85\92l\82Í \83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\82Ìfile\97v\91f\82Ìhash\91®\90«\82É\8bL\8fq\82³\82ê\82Ä\82¢\82é\82à\82Ì\82ð\97p\82¢\82é
546 // \83}\83j\83t\83F\83X\83g\83t\83@\83C\83\8b\93à\82ÉSHA1\83n\83b\83V\83\85\92l\82Ì16\90i\90\94\95\\8bL\82ð\92¼\90Ú\8c\9f\8dõ\82µ\82Ä\82¢\82é\82ª\8am\97¦\93I\82É\96â\91è\82È\82µ
547 BOOL IsSxsModuleTrusted(LPCWSTR Filename)
548 {
549         BOOL bResult;
550         wchar_t* pw0;
551         wchar_t* pw1;
552         wchar_t* pw2;
553         wchar_t* pw3;
554         wchar_t* pw4;
555         wchar_t* pw5;
556         wchar_t* p;
557         HANDLE hFind;
558         WIN32_FIND_DATAW wfd;
559         bResult = FALSE;
560         if(pw0 = AllocateStringW(wcslen(Filename) + 1))
561         {
562                 wcscpy(pw0, Filename);
563                 if(p = wcsrchr(pw0, L'\\'))
564                 {
565                         wcscpy(p, L"");
566                         if(p = wcsrchr(pw0, L'\\'))
567                         {
568                                 p++;
569                                 if(pw1 = AllocateStringW(wcslen(p) + 1))
570                                 {
571                                         wcscpy(pw1, p);
572                                         wcscpy(p, L"");
573                                         if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".cat") + 1))
574                                         {
575                                                 wcscpy(pw2, pw0);
576                                                 wcscat(pw2, L"manifests\\");
577                                                 wcscat(pw2, pw1);
578                                                 if(pw3 = AllocateStringW(wcslen(pw2) + wcslen(L".manifest") + 1))
579                                                 {
580                                                         wcscpy(pw3, pw2);
581                                                         wcscat(pw3, L".manifest");
582                                                         wcscat(pw2, L".cat");
583                                                         if(IsSxsModuleTrusted_Function(pw2, pw3, Filename))
584                                                                 bResult = TRUE;
585                                                         FreeDuplicatedString(pw3);
586                                                 }
587                                                 FreeDuplicatedString(pw2);
588                                         }
589                                         if(!bResult)
590                                         {
591                                                 if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"catalogs\\") + 1))
592                                                 {
593                                                         if(pw3 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".manifest") + 1))
594                                                         {
595                                                                 wcscpy(pw2, pw0);
596                                                                 wcscat(pw2, L"catalogs\\");
597                                                                 wcscpy(pw3, pw0);
598                                                                 wcscat(pw3, L"manifests\\");
599                                                                 wcscat(pw3, pw1);
600                                                                 wcscat(pw3, L".manifest");
601                                                                 if(pw4 = AllocateStringW(wcslen(pw2) + wcslen(L"*.cat") + 1))
602                                                                 {
603                                                                         wcscpy(pw4, pw2);
604                                                                         wcscat(pw4, L"*.cat");
605                                                                         if((hFind = FindFirstFileW(pw4, &wfd)) != INVALID_HANDLE_VALUE)
606                                                                         {
607                                                                                 do
608                                                                                 {
609                                                                                         if(pw5 = AllocateStringW(wcslen(pw2) + wcslen(wfd.cFileName) + 1))
610                                                                                         {
611                                                                                                 wcscpy(pw5, pw2);
612                                                                                                 wcscat(pw5, wfd.cFileName);
613                                                                                                 if(IsSxsModuleTrusted_Function(pw5, pw3, Filename))
614                                                                                                         bResult = TRUE;
615                                                                                                 FreeDuplicatedString(pw5);
616                                                                                         }
617                                                                                 }
618                                                                                 while(!bResult && FindNextFileW(hFind, &wfd));
619                                                                                 FindClose(hFind);
620                                                                         }
621                                                                         FreeDuplicatedString(pw4);
622                                                                 }
623                                                                 FreeDuplicatedString(pw3);
624                                                         }
625                                                         FreeDuplicatedString(pw2);
626                                                 }
627                                         }
628                                         FreeDuplicatedString(pw1);
629                                 }
630                         }
631                 }
632                 FreeDuplicatedString(pw0);
633         }
634         return bResult;
635 }
636
637 // DLL\82ð\8am\94F
638 // \83n\83b\83V\83\85\82ª\93o\98^\82³\82ê\82Ä\82¢\82é\81AAuthenticode\8f\90\96¼\82ª\82³\82ê\82Ä\82¢\82é\81A\82Ü\82½\82ÍWFP\82É\82æ\82é\95Û\8cì\89º\82É\82 \82é\82±\82Æ\82ð\8am\94F
639 BOOL IsModuleTrusted(LPCWSTR Filename)
640 {
641         BOOL bResult;
642         BYTE Hash[16];
643         bResult = FALSE;
644         if(GetMD5HashOfFile(Filename, &Hash))
645         {
646                 if(FindTrustedModuleMD5Hash(&Hash))
647                         bResult = TRUE;
648         }
649         if(!bResult)
650         {
651                 if(VerifyFileSignature(Filename))
652                         bResult = TRUE;
653         }
654         if(!bResult)
655         {
656                 if(IsSxsModuleTrusted(Filename))
657                         bResult = TRUE;
658         }
659         if(!bResult)
660         {
661                 if(SfcIsFileProtected(NULL, Filename))
662                         bResult = TRUE;
663         }
664         return bResult;
665 }
666
667 // kernel32.dll\82ÌLoadLibraryExW\91\8a\93\96\82Ì\8aÖ\90\94
668 // \83h\83L\83\85\83\81\83\93\83g\82ª\96³\82¢\82½\82ß\8fÚ\8d×\82Í\95s\96¾
669 // \88ê\95\94\82Ì\83E\83B\83\8b\83X\91Î\8dô\83\\83t\83g\81iAvast!\93\99\81j\82ªLdrLoadDll\82ð\83t\83b\83N\82µ\82Ä\82¢\82é\82½\82ßLdrLoadDll\82ð\8f\91\82«\8a·\82¦\82é\82×\82«\82Å\82Í\82È\82¢
670 // \83J\81[\83l\83\8b\83\82\81[\83h\82Ì\83R\81[\83h\82É\91Î\82µ\82Ä\82Í\8cø\89Ê\82È\82µ
671 // SeDebugPrivilege\82ª\8eg\97p\89Â\94\\82È\83\86\81[\83U\81[\82É\91Î\82µ\82Ä\82Í\8cø\89Ê\82È\82µ
672 HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
673 {
674         HMODULE r = NULL;
675         UNICODE_STRING us;
676         HANDLE hDataFile;
677         HANDLE hMapping;
678         DWORD DllFlags;
679         us.Length = sizeof(wchar_t) * wcslen(lpLibFileName);
680         us.MaximumLength = sizeof(wchar_t) * (wcslen(lpLibFileName) + 1);
681         us.Buffer = (PWSTR)lpLibFileName;
682 //      if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))
683         if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040))
684         {
685 //              if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == STATUS_SUCCESS)
686                 if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == 0)
687                 {
688 //                      dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE);
689                         dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040);
690                         dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
691                 }
692                 else
693                 {
694 //                      if(dwFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
695                         if(dwFlags & 0x00000040)
696                                 hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
697                         else
698                                 hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
699                         if(hDataFile != INVALID_HANDLE_VALUE)
700                         {
701                                 if(hMapping = CreateFileMappingW(hDataFile, NULL, PAGE_READONLY, 0, 0, NULL))
702                                 {
703                                         if(r = (HMODULE)MapViewOfFileEx(hMapping, FILE_MAP_READ, 0, 0, 0, NULL))
704                                         {
705                                                 if(p_RtlImageNtHeader(r))
706                                                         r = (HMODULE)((size_t)r | 1);
707                                                 else
708                                                 {
709                                                         UnmapViewOfFile(r);
710                                                         r = NULL;
711                                                 }
712                                         }
713                                         CloseHandle(hMapping);
714                                 }
715                                 CloseHandle(hDataFile);
716                         }
717                         else
718                         {
719 //                              dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE);
720                                 dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040);
721                                 dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
722                         }
723                 }
724         }
725 //      if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)))
726         if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040)))
727         {
728                 DllFlags = 0;
729 //              if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
730                 if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | 0x00000020))
731                         DllFlags |= 0x00000002;
732 //              if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == STATUS_SUCCESS)
733                 if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == 0)
734                 {
735                 }
736                 else
737                         r = NULL;
738         }
739         return r;
740 }
741
742 // \83t\83@\83C\83\8b\82ÌMD5\83n\83b\83V\83\85\82ð\8eæ\93¾
743 BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash)
744 {
745         BOOL bResult;
746         HCRYPTPROV hProv;
747         HCRYPTHASH hHash;
748         HANDLE hFile;
749         DWORD Size;
750         void* pData;
751         DWORD dw;
752         bResult = FALSE;
753         if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
754         {
755                 if(CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
756                 {
757                         if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
758                         {
759                                 Size = GetFileSize(hFile, NULL);
760                                 if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))
761                                 {
762                                         VirtualLock(pData, Size);
763                                         if(ReadFile(hFile, pData, Size, &dw, NULL))
764                                         {
765                                                 if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
766                                                 {
767                                                         dw = 16;
768                                                         if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
769                                                                 bResult = TRUE;
770                                                 }
771                                         }
772                                         VirtualUnlock(pData, Size);
773                                         VirtualFree(pData, Size, MEM_DECOMMIT);
774                                 }
775                                 CloseHandle(hFile);
776                         }
777                         CryptDestroyHash(hHash);
778                 }
779                 CryptReleaseContext(hProv, 0);
780         }
781         return bResult;
782 }
783
784 // DLL\82Ì\83n\83b\83V\83\85\82ð\93o\98^
785 BOOL RegisterTrustedModuleMD5Hash(void* pHash)
786 {
787         BOOL bResult;
788         BYTE NullHash[16] = {0};
789         int i;
790         bResult = FALSE;
791         if(FindTrustedModuleMD5Hash(pHash))
792                 bResult = TRUE;
793         else
794         {
795                 i = 0;
796                 while(i < MAX_TRUSTED_MD5_HASH_TABLE)
797                 {
798                         if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 16) == 0)
799                         {
800                                 memcpy(&g_TrustedMD5HashTable[i], pHash, 16);
801                                 bResult = TRUE;
802                                 break;
803                         }
804                         i++;
805                 }
806         }
807         return bResult;
808 }
809
810 // DLL\82Ì\83n\83b\83V\83\85\82Ì\93o\98^\82ð\89ð\8f\9c
811 BOOL UnregisterTrustedModuleMD5Hash(void* pHash)
812 {
813         BOOL bResult;
814         BYTE NullHash[16] = {0};
815         int i;
816         bResult = FALSE;
817         i = 0;
818         while(i < MAX_TRUSTED_MD5_HASH_TABLE)
819         {
820                 if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
821                 {
822                         memcpy(&g_TrustedMD5HashTable[i], &NullHash, 16);
823                         bResult = TRUE;
824                         break;
825                 }
826                 i++;
827         }
828         return bResult;
829 }
830
831 // \90M\97\8a\82Å\82«\82È\82¢DLL\82ð\83A\83\93\83\8d\81[\83h
832 BOOL UnloadUntrustedModule()
833 {
834         BOOL bResult;
835         wchar_t* pw0;
836         HANDLE hSnapshot;
837         MODULEENTRY32 me;
838         DWORD Length;
839         bResult = FALSE;
840         pw0 = NULL;
841         if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
842         {
843                 bResult = TRUE;
844                 me.dwSize = sizeof(MODULEENTRY32);
845                 if(Module32First(hSnapshot, &me))
846                 {
847                         do
848                         {
849                                 Length = MAX_PATH;
850                                 FreeDuplicatedString(pw0);
851                                 if(pw0 = AllocateStringW(Length))
852                                 {
853                                         if(GetModuleFileNameW(me.hModule, pw0, Length) > 0)
854                                         {
855                                                 while(pw0)
856                                                 {
857                                                         if(GetModuleFileNameW(me.hModule, pw0, Length) + 1 <= Length)
858                                                                 break;
859                                                         Length = Length * 2;
860                                                         FreeDuplicatedString(pw0);
861                                                         pw0 = AllocateStringW(Length);
862                                                 }
863                                         }
864                                 }
865                                 if(pw0)
866                                 {
867                                         if(!IsModuleTrusted(pw0))
868                                         {
869                                                 if(me.hModule != GetModuleHandleW(NULL))
870                                                 {
871                                                         while(FreeLibrary(me.hModule))
872                                                         {
873                                                         }
874                                                         if(GetModuleFileNameW(me.hModule, pw0, Length) > 0)
875                                                         {
876                                                                 bResult = FALSE;
877                                                                 break;
878                                                         }
879                                                 }
880                                         }
881                                 }
882                                 else
883                                 {
884                                         bResult = FALSE;
885                                         break;
886                                 }
887                         }
888                         while(Module32Next(hSnapshot, &me));
889                 }
890                 CloseHandle(hSnapshot);
891         }
892         FreeDuplicatedString(pw0);
893         return bResult;
894 }
895
896 // \8aÖ\90\94\83|\83C\83\93\83^\82ð\8eg\97p\89Â\94\\82È\8fó\91Ô\82É\8f\89\8aú\89»
897 BOOL InitializeLoadLibraryHook()
898 {
899         BOOL bResult;
900         HMODULE hModule;
901         bResult = TRUE;
902         if(!(hModule = GetModuleHandleW(L"kernel32.dll")))
903                 bResult = FALSE;
904         if(!(GET_FUNCTION(hModule, LoadLibraryA)))
905                 bResult = FALSE;
906         if(!(GET_FUNCTION(hModule, LoadLibraryW)))
907                 bResult = FALSE;
908         if(!(GET_FUNCTION(hModule, LoadLibraryExA)))
909                 bResult = FALSE;
910         if(!(GET_FUNCTION(hModule, LoadLibraryExW)))
911                 bResult = FALSE;
912         if(!(hModule = GetModuleHandleW(L"ntdll.dll")))
913                 bResult = FALSE;
914         if(!(GET_FUNCTION(hModule, LdrLoadDll)))
915                 bResult = FALSE;
916         if(!(GET_FUNCTION(hModule, LdrGetDllHandle)))
917                 bResult = FALSE;
918         if(!(GET_FUNCTION(hModule, RtlImageNtHeader)))
919                 bResult = FALSE;
920         if(!(hModule = LoadLibraryW(L"wintrust.dll")))
921                 bResult = FALSE;
922         if(!(GET_FUNCTION(hModule, CryptCATAdminCalcHashFromFileHandle)))
923                 bResult = FALSE;
924         return bResult;
925 }
926
927 // SetWindowsHookEx\91Î\8dô
928 // DLL Injection\82³\82ê\82½\8fê\8d\87\82Í\8fã\82Ìh_LoadLibrary\8cn\8aÖ\90\94\82Å\83g\83\89\83b\83v\89Â\94\
929 BOOL EnableLoadLibraryHook(BOOL bEnable)
930 {
931         BOOL bResult;
932         bResult = FALSE;
933         if(bEnable)
934         {
935                 bResult = TRUE;
936 #ifdef USE_CODE_HOOK
937                 if(!SET_HOOK_FUNCTION(LoadLibraryA))
938                         bResult = FALSE;
939                 if(!SET_HOOK_FUNCTION(LoadLibraryW))
940                         bResult = FALSE;
941                 if(!SET_HOOK_FUNCTION(LoadLibraryExA))
942                         bResult = FALSE;
943                 if(!SET_HOOK_FUNCTION(LoadLibraryExW))
944                         bResult = FALSE;
945 #endif
946 #ifdef USE_IAT_HOOK
947                 if(!HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA))
948                         bResult = FALSE;
949                 if(!HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW))
950                         bResult = FALSE;
951                 if(!HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA))
952                         bResult = FALSE;
953                 if(!HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW))
954                         bResult = FALSE;
955 #endif
956         }
957         else
958         {
959                 bResult = TRUE;
960 #ifdef USE_CODE_HOOK
961                 if(!END_HOOK_FUNCTION(LoadLibraryA))
962                         bResult = FALSE;
963                 if(!END_HOOK_FUNCTION(LoadLibraryW))
964                         bResult = FALSE;
965                 if(!END_HOOK_FUNCTION(LoadLibraryExA))
966                         bResult = FALSE;
967                 if(!END_HOOK_FUNCTION(LoadLibraryExW))
968                         bResult = FALSE;
969 #endif
970 #ifdef USE_IAT_HOOK
971                 if(!HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA))
972                         bResult = FALSE;
973                 if(!HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW))
974                         bResult = FALSE;
975                 if(!HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA))
976                         bResult = FALSE;
977                 if(!HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW))
978                         bResult = FALSE;
979 #endif
980         }
981         return bResult;
982 }
983
984 // ReadProcessMemory\81AWriteProcessMemory\81ACreateRemoteThread\91Î\8dô
985 // TerminateProcess\82Ì\82Ý\8b\96\89Â
986 BOOL RestartProtectedProcess(LPCTSTR Keyword)
987 {
988         BOOL bResult;
989         ACL* pACL;
990         SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
991         PSID pSID;
992         SECURITY_DESCRIPTOR sd;
993         TCHAR* CommandLine;
994         SECURITY_ATTRIBUTES sa;
995         STARTUPINFO si;
996         PROCESS_INFORMATION pi;
997         bResult = FALSE;
998         if(_tcslen(GetCommandLine()) >= _tcslen(Keyword) && _tcscmp(GetCommandLine() + _tcslen(GetCommandLine()) - _tcslen(Keyword), Keyword) == 0)
999                 return FALSE;
1000         if(pACL = (ACL*)malloc(sizeof(ACL) + 1024))
1001         {
1002                 if(InitializeAcl(pACL, sizeof(ACL) + 1024, ACL_REVISION))
1003                 {
1004                         if(AllocateAndInitializeSid(&sia, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSID))
1005                         {
1006                                 if(AddAccessAllowedAce(pACL, ACL_REVISION, PROCESS_TERMINATE, pSID))
1007                                 {
1008                                         if(InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
1009                                         {
1010                                                 if(SetSecurityDescriptorDacl(&sd, TRUE, pACL, FALSE))
1011                                                 {
1012                                                         if(CommandLine = (TCHAR*)malloc(sizeof(TCHAR) * (_tcslen(GetCommandLine()) + _tcslen(Keyword) + 1)))
1013                                                         {
1014                                                                 _tcscpy(CommandLine, GetCommandLine());
1015                                                                 _tcscat(CommandLine, Keyword);
1016                                                                 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
1017                                                                 sa.lpSecurityDescriptor = &sd;
1018                                                                 sa.bInheritHandle = FALSE;
1019                                                                 GetStartupInfo(&si);
1020                                                                 if(CreateProcess(NULL, CommandLine, &sa, NULL, FALSE, 0, NULL, NULL, &si, &pi))
1021                                                                 {
1022                                                                         CloseHandle(pi.hThread);
1023                                                                         CloseHandle(pi.hProcess);
1024                                                                         bResult = TRUE;
1025                                                                 }
1026                                                                 free(CommandLine);
1027                                                         }
1028                                                 }
1029                                         }
1030                                 }
1031                                 FreeSid(pSID);
1032                         }
1033                 }
1034                 free(pACL);
1035         }
1036         return bResult;
1037 }
1038