From: s_kawamoto Date: Mon, 3 Oct 2011 14:17:55 +0000 (+0900) Subject: Fix bugs process protection. X-Git-Url: http://git.sourceforge.jp/view?p=ffftp%2Fffftp.git;a=commitdiff_plain;h=c30cc851b60a7c4006cd02b4718d9738a6c4049a;ds=sidebyside Fix bugs process protection. Add support for process protection on Vista/7. Fix bugs of UTF-8 to UTF-16 API bridge. Fix inconsistent WINVER, _WIN32_WINNT and _WIN32_IE. --- diff --git a/FFFTP.vc90.vcproj b/FFFTP.vc90.vcproj index ba3fc8b..9ff821a 100644 --- a/FFFTP.vc90.vcproj +++ b/FFFTP.vc90.vcproj @@ -47,7 +47,7 @@ Name="VCCLCompilerTool" Optimization="0" AdditionalIncludeDirectories="Resource" - PreprocessorDefinitions="WIN32,_DEBUG,_WINDOWS,_WIN32_IE=0x300,_CRT_SECURE_NO_WARNINGS" + PreprocessorDefinitions="WIN32,_DEBUG,_WINDOWS,WINVER=0x0500,_WIN32_WINNT=0x0500,_WIN32_IE=0x0400,_CRT_SECURE_NO_WARNINGS" RuntimeLibrary="1" PrecompiledHeaderFile=".\Debug\FFFTP.pch" AssemblerListingLocation=".\Debug\" @@ -71,12 +71,12 @@ diff --git a/filelist.c b/filelist.c index e9f2a1c..74d943c 100644 --- a/filelist.c +++ b/filelist.c @@ -27,7 +27,8 @@ / THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. /============================================================================*/ -#define _WIN32_WINNT 0x400 +// UTF-8対応 +//#define _WIN32_WINNT 0x400 #define STRICT #include diff --git a/hostman.c b/hostman.c index b79519f..fdecf28 100644 --- a/hostman.c +++ b/hostman.c @@ -1531,6 +1531,10 @@ static int DispHostSetDlg(HWND hDlg) PROPSHEETPAGE psp[7]; PROPSHEETHEADER psh; + // 変数が未初期化のバグ修正 + memset(&psp, 0, sizeof(psp)); + memset(&psh, 0, sizeof(psh)); + psp[0].dwSize = sizeof(PROPSHEETPAGE); psp[0].dwFlags = PSP_USETITLE | PSP_HASHELP; psp[0].hInstance = GetFtpInst(); diff --git a/main.c b/main.c index b6cef18..2f3eacb 100644 --- a/main.c +++ b/main.c 
@@ -247,17 +247,37 @@ int PASCAL WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLi break; } } - InitializeLoadLibraryHook(); if(bProtect) { + if(!InitializeLoadLibraryHook()) + { + MessageBox(NULL, MSGJPN321, "FFFTP", MB_OK | MB_ICONERROR); + return 0; + } #ifndef _DEBUG - if(IsDebuggerPresent() || RestartProtectedProcess(" --restart")) + if(IsDebuggerPresent()) + { + MessageBox(NULL, MSGJPN322, "FFFTP", MB_OK | MB_ICONERROR); return 0; + } #endif - // DLLの検証の前にロードされている必要があるDLL - LoadLibrary("shell32.dll"); - EnableLoadLibraryHook(TRUE); + if(!UnloadUntrustedModule()) + { + MessageBox(NULL, MSGJPN323, "FFFTP", MB_OK | MB_ICONERROR); + return 0; + } +#ifndef _DEBUG + if(RestartProtectedProcess(" --restart")) + return 0; +#endif + if(!EnableLoadLibraryHook(TRUE)) + { + MessageBox(NULL, MSGJPN324, "FFFTP", MB_OK | MB_ICONERROR); + return 0; + } } + else + InitializeLoadLibraryHook(); #endif #ifdef DISABLE_MULTI_CPUS diff --git a/mbswrapper.c b/mbswrapper.c index 74a63d9..d65022e 100644 --- a/mbswrapper.c +++ b/mbswrapper.c @@ -6,9 +6,6 @@ #define UNICODE #define _UNICODE -#define _WIN32_WINNT 0x0600 -#undef _WIN32_IE -#define _WIN32_IE 0x0400 #include #include @@ -262,6 +259,7 @@ char* AllocateStringA(int size) } // メモリを確保してマルチバイト文字列からワイド文字列へ変換 +// リソースIDならば元の値を返す wchar_t* DuplicateMtoW(LPCSTR lpString, int c) { wchar_t* p; @@ -280,6 +278,7 @@ wchar_t* DuplicateMtoW(LPCSTR lpString, int c) } // 指定したサイズのメモリを確保してマルチバイト文字列からワイド文字列へ変換 +// リソースIDならば元の値を返す wchar_t* DuplicateMtoWBuffer(LPCSTR lpString, int c, int size) { wchar_t* p; @@ -298,6 +297,7 @@ wchar_t* DuplicateMtoWBuffer(LPCSTR lpString, int c, int size) } // メモリを確保してNULL区切りマルチバイト文字列からワイド文字列へ変換 +// リソースIDならば元の値を返す wchar_t* DuplicateMtoWMultiString(LPCSTR lpString) { int count; @@ -312,6 +312,7 @@ wchar_t* DuplicateMtoWMultiString(LPCSTR lpString) } // 指定したサイズのメモリを確保してNULL区切りマルチバイト文字列からワイド文字列へ変換 +// リソースIDならば元の値を返す wchar_t* DuplicateMtoWMultiStringBuffer(LPCSTR lpString, int size) { int count; 
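Review bot: In the new `else` branch the return value of `InitializeLoadLibraryHook()` is discarded, while the protected branch above treats a FALSE return as fatal; if unprotected mode still relies on the hook's resolved function pointers the failure should at least be logged, otherwise a comment such as `// unprotected mode: hook init is best-effort, failure is tolerated` would make the asymmetry intentional. The release-only `IsDebuggerPresent()` test runs once at startup, so it says nothing about a debugger attached later — worth a one-line comment next to it so it is not mistaken for continuous protection. The `MSGJPN321`–`MSGJPN324` strings are passed straight to `MessageBox`; that is fine if `MessageBox` here resolves to the UTF-8 wrapper, but if it is the raw ANSI API the UTF-8 text in mesg-jpn.h will render incorrectly. WinMain begins and ends outside this hunk.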
@@ -330,6 +331,7 @@ wchar_t* DuplicateMtoWMultiStringBuffer(LPCSTR lpString, int size) } // メモリを確保してワイド文字列からマルチバイト文字列へ変換 +// リソースIDならば元の値を返す char* DuplicateWtoM(LPCWSTR lpString, int c) { char* p; @@ -348,6 +350,7 @@ char* DuplicateWtoM(LPCWSTR lpString, int c) } // メモリを確保してShift_JIS文字列からワイド文字列へ変換 +// リソースIDならば元の値を返す wchar_t* DuplicateAtoW(LPCSTR lpString, int c) { wchar_t* p; @@ -366,6 +369,7 @@ wchar_t* DuplicateAtoW(LPCSTR lpString, int c) } // メモリを確保してワイド文字列からShift_JIS文字列へ変換 +// リソースIDならば元の値を返す char* DuplicateWtoA(LPCWSTR lpString, int c) { char* p; @@ -384,6 +388,7 @@ char* DuplicateWtoA(LPCWSTR lpString, int c) } // 文字列用に確保したメモリを開放 +// リソースIDならば何もしない void FreeDuplicatedString(void* p) { if(p < (void*)0x00010000 || p == (void*)~0) @@ -984,18 +989,6 @@ END_ROUTINE return r; } -BOOL SetDllDirectoryM(LPCSTR lpPathName) -{ - BOOL r = FALSE; - wchar_t* pw0 = NULL; -START_ROUTINE - pw0 = DuplicateMtoW(lpPathName, -1); - r = SetDllDirectoryW(pw0); -END_ROUTINE - FreeDuplicatedString(pw0); - return r; -} - DWORD GetTempPathM(DWORD nBufferLength, LPSTR lpBuffer) { DWORD r = 0; 
@@ -1184,56 +1177,79 @@ START_ROUTINE a0.hIcon = v0->hIcon; a0.pszCaption = DuplicateMtoW(v0->pszCaption, -1); a0.nPages = v0->nPages; - a0.pStartPage = DuplicateMtoW(v0->pStartPage, -1); - if(v0->ppsp && (pwPage = (PROPSHEETPAGEW*)malloc(sizeof(PROPSHEETPAGEW) * v0->nPages))) + if(v0->dwFlags & PSH_USEPSTARTPAGE) + a0.pStartPage = DuplicateMtoW(v0->pStartPage, -1); + else + a0.nStartPage = v0->nStartPage; + if(v0->dwFlags & PSH_PROPSHEETPAGE) { - for(i = 0; i < v0->nPages; i++) + if(v0->ppsp && (pwPage = (PROPSHEETPAGEW*)malloc(sizeof(PROPSHEETPAGEW) * v0->nPages))) { - pwPage[i].dwSize = sizeof(PROPSHEETPAGEW); - pwPage[i].dwFlags = v0->ppsp[i].dwFlags; - pwPage[i].hInstance = v0->ppsp[i].hInstance; - pwPage[i].pszTemplate = DuplicateMtoW(v0->ppsp[i].pszTemplate, -1); - if(v0->ppsp[i].dwFlags & PSP_USEICONID) - pwPage[i].pszIcon = DuplicateMtoW(v0->ppsp[i].pszIcon, -1); - else - pwPage[i].hIcon = v0->ppsp[i].hIcon; - if(v0->ppsp[i].dwFlags & PSP_USETITLE) - pwPage[i].pszTitle = DuplicateMtoW(v0->ppsp[i].pszTitle, -1); - pwPage[i].pfnDlgProc = v0->ppsp[i].pfnDlgProc; - pwPage[i].lParam = v0->ppsp[i].lParam; - // TODO: pfnCallback - pwPage[i].pfnCallback = (LPFNPSPCALLBACKW)v0->ppsp[i].pfnCallback; - pwPage[i].pcRefParent = v0->ppsp[i].pcRefParent; -// pwPage[i].pszHeaderTitle = DuplicateMtoW(v0->ppsp[i].pszHeaderTitle, -1); -// pwPage[i].pszHeaderSubTitle = DuplicateMtoW(v0->ppsp[i].pszHeaderSubTitle, -1); - pwPage[i].hActCtx = v0->ppsp[i].hActCtx; -// pwPage[i].pszbmHeader = DuplicateMtoW(v0->ppsp[i].pszbmHeader, -1); + for(i = 0; i < v0->nPages; i++) + { + pwPage[i].dwSize = sizeof(PROPSHEETPAGEW); + pwPage[i].dwFlags = v0->ppsp[i].dwFlags; + pwPage[i].hInstance = v0->ppsp[i].hInstance; + if(v0->ppsp[i].dwFlags & PSP_DLGINDIRECT) + pwPage[i].pResource = v0->ppsp[i].pResource; + else + pwPage[i].pszTemplate = DuplicateMtoW(v0->ppsp[i].pszTemplate, -1); + if(v0->ppsp[i].dwFlags & PSP_USEICONID) + pwPage[i].pszIcon = DuplicateMtoW(v0->ppsp[i].pszIcon, -1); + else + 
pwPage[i].hIcon = v0->ppsp[i].hIcon; + if(v0->ppsp[i].dwFlags & PSP_USETITLE) + pwPage[i].pszTitle = DuplicateMtoW(v0->ppsp[i].pszTitle, -1); + pwPage[i].pfnDlgProc = v0->ppsp[i].pfnDlgProc; + pwPage[i].lParam = v0->ppsp[i].lParam; + // TODO: pfnCallback + pwPage[i].pfnCallback = (LPFNPSPCALLBACKW)v0->ppsp[i].pfnCallback; + pwPage[i].pcRefParent = v0->ppsp[i].pcRefParent; + if(v0->ppsp[i].dwFlags & PSP_USEHEADERTITLE) + pwPage[i].pszHeaderTitle = DuplicateMtoW(v0->ppsp[i].pszHeaderTitle, -1); + if(v0->ppsp[i].dwFlags & PSP_USEHEADERSUBTITLE) + pwPage[i].pszHeaderSubTitle = DuplicateMtoW(v0->ppsp[i].pszHeaderSubTitle, -1); + } } + else + pwPage = NULL; + a0.ppsp = pwPage; } else - pwPage = NULL; - a0.ppsp = pwPage; + a0.phpage = v0->phpage; a0.pfnCallback = v0->pfnCallback; + if(v0->dwFlags & PSH_USEHBMWATERMARK) + a0.hbmWatermark = v0->hbmWatermark; + else + a0.pszbmWatermark = DuplicateMtoW(v0->pszbmWatermark, -1); r = PropertySheetW(&a0); if(a0.dwFlags & PSH_USEICONID) FreeDuplicatedString((void*)a0.pszIcon); FreeDuplicatedString((void*)a0.pszCaption); - FreeDuplicatedString((void*)a0.pStartPage); - if(pwPage) + if(v0->dwFlags & PSH_USEPSTARTPAGE) + FreeDuplicatedString((void*)a0.pStartPage); + if(v0->dwFlags & PSH_PROPSHEETPAGE) { - for(i = 0; i < v0->nPages; i++) + if(pwPage) { - FreeDuplicatedString((void*)pwPage[i].pszTemplate); - if(pwPage[i].dwFlags & PSP_USEICONID) - FreeDuplicatedString((void*)pwPage[i].pszIcon); - if(pwPage[i].dwFlags & PSP_USETITLE) - FreeDuplicatedString((void*)pwPage[i].pszTitle); -// FreeDuplicatedString((void*)pwPage[i].pszHeaderTitle); -// FreeDuplicatedString((void*)pwPage[i].pszHeaderSubTitle); -// FreeDuplicatedString((void*)pwPage[i].pszbmHeader); + for(i = 0; i < v0->nPages; i++) + { + if(!(v0->ppsp[i].dwFlags & PSP_DLGINDIRECT)) + FreeDuplicatedString((void*)pwPage[i].pszTemplate); + if(v0->ppsp[i].dwFlags & PSP_USEICONID) + FreeDuplicatedString((void*)pwPage[i].pszIcon); + if(v0->ppsp[i].dwFlags & PSP_USETITLE) + 
FreeDuplicatedString((void*)pwPage[i].pszTitle); + if(v0->ppsp[i].dwFlags & PSP_USEHEADERTITLE) + FreeDuplicatedString((void*)pwPage[i].pszHeaderTitle); + if(v0->ppsp[i].dwFlags & PSP_USEHEADERSUBTITLE) + FreeDuplicatedString((void*)pwPage[i].pszHeaderSubTitle); + } + free(pwPage); } - free(pwPage); } + if(!(v0->dwFlags & PSH_USEHBMWATERMARK)) + FreeDuplicatedString((void*)a0.pszbmWatermark); END_ROUTINE return r; } @@ -1521,7 +1537,8 @@ START_ROUTINE wFileOp.fFlags = lpFileOp->fFlags; wFileOp.fAnyOperationsAborted = lpFileOp->fAnyOperationsAborted; wFileOp.hNameMappings = lpFileOp->hNameMappings; - pw2 = DuplicateMtoW(lpFileOp->lpszProgressTitle, -1); + if(lpFileOp->fFlags & FOF_SIMPLEPROGRESS) + pw2 = DuplicateMtoW(lpFileOp->lpszProgressTitle, -1); r = SHFileOperationW(&wFileOp); lpFileOp->fAnyOperationsAborted = wFileOp.fAnyOperationsAborted; END_ROUTINE @@ -1563,9 +1580,13 @@ START_ROUTINE wmii.hbmpChecked = lpmii->hbmpChecked; wmii.hbmpUnchecked = lpmii->hbmpUnchecked; wmii.dwItemData = lpmii->dwItemData; - pw0 = DuplicateMtoWBuffer(lpmii->dwTypeData, -1, lpmii->cch * 4); - wmii.dwTypeData = pw0; - wmii.cch = lpmii->cch * 4; + if(lpmii->fMask & MIIM_TYPE) + { + pw0 = DuplicateMtoWBuffer(lpmii->dwTypeData, -1, lpmii->cch * 4); + wmii.dwTypeData = pw0; + wmii.cch = lpmii->cch * 4; + } + wmii.hbmpItem = lpmii->hbmpItem; r = GetMenuItemInfoW(hmenu, item, fByPosition, &wmii); lpmii->fType = wmii.fType; lpmii->fState = wmii.fState; diff --git a/mbswrapper.h b/mbswrapper.h index 3ca2f26..80a0848 100644 --- a/mbswrapper.h +++ b/mbswrapper.h @@ -74,9 +74,6 @@ DWORD GetCurrentDirectoryM(DWORD nBufferLength, LPSTR lpBuffer); #undef SetCurrentDirectory #define SetCurrentDirectory SetCurrentDirectoryM BOOL SetCurrentDirectoryM(LPCSTR lpPathName); -#undef SetDllDirectory -#define SetDllDirectory SetDllDirectoryM -BOOL SetDllDirectoryM(LPCSTR lpPathName); #undef GetTempPath #define GetTempPath GetTempPathM DWORD GetTempPathM(DWORD nBufferLength, LPSTR lpBuffer); 
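Review bot: The page array is still allocated with `malloc` and only the members selected by each page's `dwFlags` are assigned, so the unselected members (for example `pszHeaderTitle` when `PSP_USEHEADERTITLE` is clear) reach `PropertySheetW` uninitialized — the same class of bug this commit fixes in the callers with `memset`; use `(PROPSHEETPAGEW*)calloc(v0->nPages, sizeof(PROPSHEETPAGEW))` in place of the `malloc` so every page starts zeroed. The new watermark handling converts `pszbmWatermark` whenever `PSH_USEHBMWATERMARK` is clear, but that union member is only meaningful when `PSH_WATERMARK` is set; without it the field holds whatever the caller left there, so guard both the conversion and the matching `FreeDuplicatedString` with `(v0->dwFlags & PSH_WATERMARK)`. The old loop copied `hActCtx` and the new one does not; that looks deliberate given the lowered `_WIN32_WINNT`, but deserves a one-line comment where the field used to be assigned. The function begins before this hunk.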
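Review bot: The wide string buffer is now only prepared when `fMask` has `MIIM_TYPE`, but callers that request the item text with `MIIM_STRING` also expect `dwTypeData`/`cch` to be honoured, so the condition should be `if(lpmii->fMask & (MIIM_TYPE | MIIM_STRING))`; with the current test such a call gets no wide buffer and, presumably, no text converted back. `wmii.hbmpItem = lpmii->hbmpItem;` is copied unconditionally, yet `hbmpItem` only exists in the larger MENUITEMINFO layout, so a caller passing the older `cbSize` would have this read past its struct — guard the copy on `lpmii->cbSize` (the line that sets `wmii.cbSize` lies outside this hunk). The function begins and ends outside the hunk.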
diff --git a/mesg-eng.h b/mesg-eng.h index e441fed..59386b6 100644 --- a/mesg-eng.h +++ b/mesg-eng.h @@ -318,3 +318,7 @@ #define MSGJPN318 "OpenSSL is loaded." #define MSGJPN319 "OpenSSL is not installed.\r\nCommunication will not be encrypted." #define MSGJPN320 "Feature" +#define MSGJPN321 "Failed to get required functions to protect the process." +#define MSGJPN322 "Debugger was detected." +#define MSGJPN323 "Failed to unload untrustworthy DLLs." +#define MSGJPN324 "Failed to hook required functions to protect the process." diff --git a/mesg-eng.old.h b/mesg-eng.old.h index cb35a21..405dfd8 100644 --- a/mesg-eng.old.h +++ b/mesg-eng.old.h @@ -318,3 +318,7 @@ #define MSGJPN318 "OpenSSL is loaded." #define MSGJPN319 "OpenSSL is not installed.\r\nCommunication will not be encrypted." #define MSGJPN320 "Feature" +#define MSGJPN321 "Failed to get required functions to protect the process." +#define MSGJPN322 "Debugger was detected." +#define MSGJPN323 "Failed to unload untrustworthy DLLs." +#define MSGJPN324 "Failed to hook required functions to protect the process." diff --git a/mesg-jpn.h b/mesg-jpn.h index 0b1b071..b9345d8 100644 --- a/mesg-jpn.h +++ b/mesg-jpn.h 
@@ -318,3 +318,7 @@ #define MSGJPN318 "OpenSSL\xE3\x81\x8C\xE8\xAA\xAD\xE3\x81\xBF\xE8\xBE\xBC\xE3\x81\xBE\xE3\x82\x8C\xE3\x81\xBE\xE3\x81\x97\xE3\x81\x9F." #define MSGJPN319 "OpenSSL\xE3\x81\x8C\xE3\x82\xA4\xE3\x83\xB3\xE3\x82\xB9\xE3\x83\x88\xE3\x83\xBC\xE3\x83\xAB\xE3\x81\x95\xE3\x82\x8C\xE3\x81\xA6\xE3\x81\x84\xE3\x81\xBE\xE3\x81\x9B\xE3\x82\x93.\r\n\xE9\x80\x9A\xE4\xBF\xA1\xE3\x81\xAE\xE6\x9A\x97\xE5\x8F\xB7\xE5\x8C\x96\xE3\x81\xAF\xE8\xA1\x8C\xE3\x82\x8F\xE3\x82\x8C\xE3\x81\xBE\xE3\x81\x9B\xE3\x82\x93." #define MSGJPN320 "\xE7\x89\xB9\xE6\xAE\x8A\xE6\xA9\x9F\xE8\x83\xBD" +#define MSGJPN321 "\xE3\x83\x97\xE3\x83\xAD\xE3\x82\xBB\xE3\x82\xB9\xE3\x81\xAE\xE4\xBF\x9D\xE8\xAD\xB7\xE3\x81\xAB\xE5\xBF\x85\xE8\xA6\x81\xE3\x81\xAA\xE9\x96\xA2\xE6\x95\xB0\xE3\x82\x92\xE5\x8F\x96\xE5\xBE\x97\xE3\x81\xA7\xE3\x81\x8D\xE3\x81\xBE\xE3\x81\x9B\xE3\x82\x93\xE3\x81\xA7\xE3\x81\x97\xE3\x81\x9F." +#define MSGJPN322 "\xE3\x83\x87\xE3\x83\x90\xE3\x83\x83\xE3\x82\xAC\xE3\x81\x8C\xE6\xA4\x9C\xE5\x87\xBA\xE3\x81\x95\xE3\x82\x8C\xE3\x81\xBE\xE3\x81\x97\xE3\x81\x9F." +#define MSGJPN323 "\xE4\xBF\xA1\xE9\xA0\xBC\xE3\x81\xA7\xE3\x81\x8D\xE3\x81\xAA\xE3\x81\x84\x44LL\xE3\x82\x92\xE3\x82\xA2\xE3\x83\xB3\xE3\x83\xAD\xE3\x83\xBC\xE3\x83\x89\xE3\x81\xA7\xE3\x81\x8D\xE3\x81\xBE\xE3\x81\x9B\xE3\x82\x93\xE3\x81\xA7\xE3\x81\x97\xE3\x81\x9F." +#define MSGJPN324 "\xE3\x83\x97\xE3\x83\xAD\xE3\x82\xBB\xE3\x82\xB9\xE3\x81\xAE\xE4\xBF\x9D\xE8\xAD\xB7\xE3\x81\xAB\xE5\xBF\x85\xE8\xA6\x81\xE3\x81\xAA\xE9\x96\xA2\xE6\x95\xB0\xE3\x82\x92\xE3\x83\x95\xE3\x83\x83\xE3\x82\xAF\xE3\x81\xA7\xE3\x81\x8D\xE3\x81\xBE\xE3\x81\x9B\xE3\x82\x93\xE3\x81\xA7\xE3\x81\x97\xE3\x81\x9F." diff --git a/mesg-jpn.old.h b/mesg-jpn.old.h index 3b4b7ef..49442f5 100644 --- a/mesg-jpn.old.h +++ b/mesg-jpn.old.h 
@@ -318,3 +318,7 @@ #define MSGJPN318 "OpenSSL‚ª“ǂݍž‚Ü‚ê‚Ü‚µ‚½." #define MSGJPN319 "OpenSSL‚ªƒCƒ“ƒXƒg[ƒ‹‚³‚ê‚Ä‚¢‚Ü‚¹‚ñ.\r\n’ʐM‚̈͆‰»‚͍s‚í‚ê‚Ü‚¹‚ñ." #define MSGJPN320 "“ÁŽê‹@”\" +#define MSGJPN321 "ƒvƒƒZƒX‚Ì•ÛŒì‚É•K—v‚Ȋ֐”‚ðŽæ“¾‚Å‚«‚Ü‚¹‚ñ‚Å‚µ‚½." +#define MSGJPN322 "ƒfƒoƒbƒK‚ªŒŸo‚³‚ê‚Ü‚µ‚½." +#define MSGJPN323 "M—Š‚Å‚«‚È‚¢DLL‚ðƒAƒ“ƒ[ƒh‚Å‚«‚Ü‚¹‚ñ‚Å‚µ‚½." +#define MSGJPN324 "ƒvƒƒZƒX‚Ì•ÛŒì‚É•K—v‚Ȋ֐”‚ðƒtƒbƒN‚Å‚«‚Ü‚¹‚ñ‚Å‚µ‚½." diff --git a/option.c b/option.c index 9edd32a..2f7e00f 100644 --- a/option.c +++ b/option.c @@ -163,6 +163,10 @@ void SetOption(int Start) PROPSHEETPAGE psp[12]; PROPSHEETHEADER psh; + // 変数が未初期化のバグ修正 + memset(&psp, 0, sizeof(psp)); + memset(&psh, 0, sizeof(psh)); + psp[0].dwSize = sizeof(PROPSHEETPAGE); psp[0].dwFlags = PSP_USETITLE | PSP_HASHELP; psp[0].hInstance = GetFtpInst(); diff --git a/protectprocess.c b/protectprocess.c index 1492bc6..6865912 100644 --- a/protectprocess.c +++ b/protectprocess.c @@ -16,8 +16,6 @@ // ƒtƒbƒN—p‚̊֐”–¼ h_%s // ƒtƒbƒN‘Ώۂ̃R[ƒh‚̃oƒbƒNƒAƒbƒv c_%s -#define _WIN32_WINNT 0x0600 - #include #include #include @@ -26,8 +24,9 @@ #include #include #include -#ifdef USE_IAT_HOOK #include +#include +#ifdef USE_IAT_HOOK #include #endif @@ -47,7 +46,20 @@ #endif #endif +BOOL LockThreadLock(); +BOOL UnlockThreadLock(); +#ifdef USE_CODE_HOOK BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore); +#endif +#ifdef USE_IAT_HOOK +BOOL HookFunctionInIAT(void* pOriginal, void* pNew); +#endif +HANDLE LockExistingFile(LPCWSTR Filename); +BOOL FindTrustedModuleMD5Hash(void* pHash); +BOOL VerifyFileSignature(LPCWSTR Filename); +BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename); +BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash); +BOOL IsModuleTrusted(LPCWSTR Filename); // •Ï”‚̐錾 #ifdef USE_CODE_HOOK 
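Review bot: The new prototypes `BOOL LockThreadLock();` and `BOOL UnlockThreadLock();` use empty parentheses, which in C declares an unprototyped function rather than one that takes no arguments; write `BOOL LockThreadLock(void);` and `BOOL UnlockThreadLock(void);` and match it in the definitions in the later hunk. None of the helpers declared here is exported through a header in this diff, so they are candidates for `static`, which also keeps them out of the binary's symbol table. `IsModuleTrusted` in a later hunk calls `GetMD5HashOfFile`, which is defined after it and is absent from this prototype list — if protectprocess.h does not declare it, that call is an implicit declaration.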
@@ -70,21 +82,23 @@ HOOK_FUNCTION_VAR(LoadLibraryW) HOOK_FUNCTION_VAR(LoadLibraryExA) HOOK_FUNCTION_VAR(LoadLibraryExW) -// ƒhƒLƒ…ƒƒ“ƒg‚ª–³‚¢‚½‚ߌ´ˆö‚Í•s–¾‚¾‚ª‘æ2ˆø”‚̓|ƒCƒ“ƒ^‚Å‚È‚¢‚ƃGƒ‰[‚É‚È‚éê‡‚ª‚ ‚é -//typedef NTSTATUS (WINAPI* _LdrLoadDll)(LPCWSTR, DWORD, UNICODE_STRING*, HMODULE*); -typedef NTSTATUS (WINAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*); -// ƒhƒLƒ…ƒƒ“ƒg‚ª–³‚¢‚½‚ߌ´ˆö‚Í•s–¾‚¾‚ª‘æ2ˆø”‚̓|ƒCƒ“ƒ^‚Å‚È‚¢‚ƃGƒ‰[‚É‚È‚éê‡‚ª‚ ‚é -//typedef NTSTATUS (WINAPI* _LdrGetDllHandle)(LPCWSTR, DWORD, UNICODE_STRING*, HMODULE*); -typedef NTSTATUS (WINAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*); -typedef NTSTATUS (WINAPI* _LdrAddRefDll)(DWORD, HMODULE); +typedef NTSTATUS (NTAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*); +typedef NTSTATUS (NTAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*); +typedef PIMAGE_NT_HEADERS (NTAPI* _RtlImageNtHeader)(PVOID); +typedef BOOL (WINAPI* _CryptCATAdminCalcHashFromFileHandle)(HANDLE, DWORD*, BYTE*, DWORD); _LdrLoadDll p_LdrLoadDll; _LdrGetDllHandle p_LdrGetDllHandle; -_LdrAddRefDll p_LdrAddRefDll; +_RtlImageNtHeader p_RtlImageNtHeader; +_CryptCATAdminCalcHashFromFileHandle p_CryptCATAdminCalcHashFromFileHandle; -#define MAX_MD5_HASH_TABLE 16 +#define MAX_LOCKED_THREAD 16 +#define MAX_TRUSTED_FILENAME_TABLE 16 +#define MAX_TRUSTED_MD5_HASH_TABLE 16 -BYTE g_MD5HashTable[MAX_MD5_HASH_TABLE][16]; +DWORD g_LockedThread[MAX_LOCKED_THREAD]; +WCHAR* g_pTrustedFilenameTable[MAX_TRUSTED_FILENAME_TABLE]; +BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][16]; // ˆÈ‰ºƒtƒbƒNŠÖ” // ƒtƒbƒN‘ΏۂðŒÄ‚яo‚·ê‡‚Í‘OŒã‚ÅSTART_HOOK_FUNCTION‚ÆEND_HOOK_FUNCTION‚ðŽÀs‚·‚é•K—v‚ª‚ ‚é 
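Review bot: `g_LockedThread`, `g_pTrustedFilenameTable`, `g_TrustedMD5HashTable` and the four `p_*` function pointers are file-scope definitions with external linkage; nothing in this diff declares them elsewhere, so mark them `static` to keep them private to protectprocess.c. `g_pTrustedFilenameTable` is not referenced by any hunk in this commit — if it is reserved for later work, a `// TODO: not yet used` next to it avoids it reading as dead state. `g_LockedThread` appears to be written from several threads by the lock helpers in the next hunk, so declare it `volatile LONG` to fit the interlocked access that code needs; the three `#define MAX_*` sizes would also read better as one `enum`.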
@@ -92,84 +106,142 @@ BYTE g_MD5HashTable[MAX_MD5_HASH_TABLE][16]; HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName) { HMODULE r = NULL; - if(GetModuleHandleA(lpLibFileName) || IsModuleTrustedA(lpLibFileName)) - { - wchar_t* pw0 = NULL; - pw0 = DuplicateAtoW(lpLibFileName, -1); - r = System_LoadLibrary(pw0, NULL, 0); - FreeDuplicatedString(pw0); - } + wchar_t* pw0 = NULL; + if(pw0 = DuplicateAtoW(lpLibFileName, -1)) + r = LoadLibraryExW(pw0, NULL, 0); + FreeDuplicatedString(pw0); return r; } HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName) { HMODULE r = NULL; - if(GetModuleHandleW(lpLibFileName) || IsModuleTrustedW(lpLibFileName)) - r = System_LoadLibrary(lpLibFileName, NULL, 0); + r = LoadLibraryExW(lpLibFileName, NULL, 0); return r; } HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) { HMODULE r = NULL; - if(GetModuleHandleA(lpLibFileName) || IsModuleTrustedA(lpLibFileName)) - { - wchar_t* pw0 = NULL; - pw0 = DuplicateAtoW(lpLibFileName, -1); - r = System_LoadLibrary(pw0, hFile, dwFlags); - FreeDuplicatedString(pw0); - } + wchar_t* pw0 = NULL; + if(pw0 = DuplicateAtoW(lpLibFileName, -1)) + r = LoadLibraryExW(pw0, hFile, dwFlags); + FreeDuplicatedString(pw0); return r; } HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) { HMODULE r = NULL; - if(GetModuleHandleW(lpLibFileName) || IsModuleTrustedW(lpLibFileName)) + BOOL bTrusted; + wchar_t* pw0; + HANDLE hLock; + HMODULE hModule; + DWORD Length; + bTrusted = FALSE; + pw0 = NULL; + hLock = NULL; +// if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)) + if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040)) + bTrusted = TRUE; + if(!bTrusted) + { + if(hModule = System_LoadLibrary(lpLibFileName, NULL, DONT_RESOLVE_DLL_REFERENCES)) + { + Length = MAX_PATH; + if(pw0 = AllocateStringW(Length)) + { + 
if(GetModuleFileNameW(hModule, pw0, Length) > 0) + { + while(pw0) + { + if(GetModuleFileNameW(hModule, pw0, Length) + 1 <= Length) + { + lpLibFileName = pw0; + break; + } + Length = Length * 2; + FreeDuplicatedString(pw0); + pw0 = AllocateStringW(Length); + } + } + } + hLock = LockExistingFile(lpLibFileName); + FreeLibrary(hModule); + } + if(GetModuleHandleW(lpLibFileName)) + bTrusted = TRUE; + } + if(!bTrusted) + { + if(LockThreadLock()) + { + if(hLock) + { + if(IsModuleTrusted(lpLibFileName)) + bTrusted = TRUE; + } + UnlockThreadLock(); + } + } + if(bTrusted) r = System_LoadLibrary(lpLibFileName, hFile, dwFlags); + FreeDuplicatedString(pw0); + if(hLock) + CloseHandle(hLock); return r; } // ˆÈ‰ºƒwƒ‹ƒp[ŠÖ” -BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash) +BOOL LockThreadLock() { BOOL bResult; - HCRYPTPROV hProv; - HCRYPTHASH hHash; - HANDLE hFile; - DWORD Size; - void* pData; - DWORD dw; + DWORD ThreadId; + DWORD i; bResult = FALSE; - if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) + ThreadId = GetCurrentThreadId(); + i = 0; + while(i < MAX_LOCKED_THREAD) { - if(CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash)) + if(g_LockedThread[i] == ThreadId) + break; + i++; + } + if(i >= MAX_LOCKED_THREAD) + { + i = 0; + while(i < MAX_LOCKED_THREAD) { - if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE) + if(g_LockedThread[i] == 0) { - Size = GetFileSize(hFile, NULL); - if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE)) - { - VirtualLock(pData, Size); - if(ReadFile(hFile, pData, Size, &dw, NULL)) - { - if(CryptHashData(hHash, (BYTE*)pData, Size, 0)) - { - dw = 16; - if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0)) - bResult = TRUE; - } - } - VirtualUnlock(pData, Size); - VirtualFree(pData, Size, MEM_DECOMMIT); - } - CloseHandle(hFile); + g_LockedThread[i] = ThreadId; 
+ bResult = TRUE;
+ break;
 }
- CryptDestroyHash(hHash);
+ i++;
 }
- CryptReleaseContext(hProv, 0);
+ }
+ return bResult;
+}
+
+BOOL UnlockThreadLock()
+{
+ BOOL bResult;
+ DWORD ThreadId;
+ DWORD i;
+ bResult = FALSE;
+ ThreadId = GetCurrentThreadId();
+ i = 0;
+ while(i < MAX_LOCKED_THREAD)
+ {
+ if(g_LockedThread[i] == ThreadId)
+ {
+ g_LockedThread[i] = 0;
+ bResult = TRUE;
+ break;
+ }
+ i++;
+ }
 return bResult;
 }
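Review bot: `h_LoadLibraryExW` marks any load carrying `DONT_RESOLVE_DLL_REFERENCES` as trusted without verification; unlike the data-file flags, that flag still maps the module's code into the process, so the short-cut is wider than the neighbouring comment suggests and should either be narrowed to the data-file flags or documented as an accepted gap. `LockThreadLock` claims a slot with a plain compare-then-store on `g_LockedThread[i]`, which races when two threads pick the same free slot; use `if(InterlockedCompareExchange((volatile LONG*)&g_LockedThread[i], (LONG)ThreadId, 0) == 0)` so the claim is atomic and the matching `UnlockThreadLock` always finds its own entry. The literals `0x00000020 | 0x00000040` here (and again in `System_LoadLibrary` in the next hunk) stand in for the Vista-only `LOAD_LIBRARY_AS_IMAGE_RESOURCE` and `LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE`; defining them locally under `#ifndef` keeps the meaning in code rather than in commented-out lines. The assignment-in-condition in the A variants should be parenthesised, `if((pw0 = DuplicateAtoW(lpLibFileName, -1)) != NULL)`.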
@@ -287,43 +359,378 @@ BOOL HookFunctionInIAT(void* pOriginal, void* pNew) } #endif +// ƒtƒ@ƒCƒ‹‚ð•ÏX•s”\‚ɐݒè +HANDLE LockExistingFile(LPCWSTR Filename) +{ + HANDLE hResult; + hResult = NULL; + if((hResult = CreateFileW(Filename, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL)) == INVALID_HANDLE_VALUE) + hResult = NULL; + return hResult; +} + +// DLL‚̃nƒbƒVƒ…‚ðŒŸõ +BOOL FindTrustedModuleMD5Hash(void* pHash) +{ + BOOL bResult; + int i; + bResult = FALSE; + i = 0; + while(i < MAX_TRUSTED_MD5_HASH_TABLE) + { + if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0) + { + bResult = TRUE; + break; + } + i++; + } + return bResult; +} + +// ƒtƒ@ƒCƒ‹‚̏–¼‚ðŠm”F +BOOL VerifyFileSignature(LPCWSTR Filename) +{ + BOOL bResult; + GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2; + WINTRUST_FILE_INFO wfi; + WINTRUST_DATA wd; + bResult = FALSE; + ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO)); + wfi.cbStruct = sizeof(WINTRUST_FILE_INFO); + wfi.pcwszFilePath = Filename; + ZeroMemory(&wd, sizeof(WINTRUST_DATA)); + wd.cbStruct = sizeof(WINTRUST_DATA); + wd.dwUIChoice = WTD_UI_NONE; + wd.dwUnionChoice = WTD_CHOICE_FILE; + wd.pFile = &wfi; + if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS) + bResult = TRUE; + return bResult; +} + +// ƒtƒ@ƒCƒ‹‚̏–¼‚ðƒJƒ^ƒƒOƒtƒ@ƒCƒ‹‚ÅŠm”F +BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename) +{ + BOOL bResult; + GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2; + WINTRUST_CATALOG_INFO wci; + WINTRUST_DATA wd; + bResult = FALSE; + if(VerifyFileSignature(Catalog)) + { + ZeroMemory(&wci, sizeof(WINTRUST_CATALOG_INFO)); + wci.cbStruct = sizeof(WINTRUST_CATALOG_INFO); + wci.pcwszCatalogFilePath = Catalog; + wci.pcwszMemberFilePath = Filename; + if((wci.hMemberFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE) + { + p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, NULL, 0); + if(wci.pbCalculatedFileHash = 
(BYTE*)malloc(wci.cbCalculatedFileHash)) + { + if(p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, wci.pbCalculatedFileHash, 0)) + { + ZeroMemory(&wd, sizeof(WINTRUST_DATA)); + wd.cbStruct = sizeof(WINTRUST_DATA); + wd.dwUIChoice = WTD_UI_NONE; + wd.dwUnionChoice = WTD_CHOICE_CATALOG; + wd.pCatalog = &wci; + if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS) + bResult = TRUE; + } + free(wci.pbCalculatedFileHash); + } + CloseHandle(wci.hMemberFile); + } + } + return bResult; +} + +BOOL WINAPI GetSHA1HashOfModule_Function(DIGEST_HANDLE refdata, PBYTE pData, DWORD dwLength) +{ + return CryptHashData(*(HCRYPTHASH*)refdata, pData, dwLength, 0); +} + +// ƒ‚ƒWƒ…[ƒ‹‚ÌSHA1ƒnƒbƒVƒ…‚ðŽæ“¾ +// ƒ}ƒjƒtƒFƒXƒgƒtƒ@ƒCƒ‹‚Ìfile—v‘f‚Ìhash‘®«‚ÍŽÀs‰Â”\ƒtƒ@ƒCƒ‹‚̏ꍇ‚ÉImageGetDigestStream‚ÅŽZo‚³‚ê‚é +BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash) +{ + BOOL bResult; + HCRYPTPROV hProv; + HCRYPTHASH hHash; + HANDLE hFile; + DWORD dw; + bResult = FALSE; + if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET)) + { + if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash)) + { + if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE) + { + if(ImageGetDigestStream(hFile, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, GetSHA1HashOfModule_Function, (DIGEST_HANDLE)&hHash)) + { + dw = 20; + if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0)) + bResult = TRUE; + } + CloseHandle(hFile); + } + CryptDestroyHash(hHash); + } + CryptReleaseContext(hProv, 0); + } + return bResult; +} + +BOOL IsSxsModuleTrusted_Function(LPCWSTR Catalog, LPCWSTR Manifest, LPCWSTR Module) +{ + BOOL bResult; + HANDLE hLock0; + HANDLE hLock1; + BYTE Hash[20]; + int i; + static char HexTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; + char HashHex[41]; + 
HANDLE hFile; + DWORD Size; + char* pData; + DWORD dw; + bResult = FALSE; + if(hLock0 = LockExistingFile(Catalog)) + { + if(hLock1 = LockExistingFile(Manifest)) + { + if(VerifyFileSignatureInCatalog(Catalog, Manifest)) + { + if(GetSHA1HashOfModule(Module, &Hash)) + { + for(i = 0; i < 20; i++) + { + HashHex[i * 2] = HexTable[(Hash[i] >> 4) & 0x0f]; + HashHex[i * 2 + 1] = HexTable[Hash[i] & 0x0f]; + } + HashHex[i * 2] = '\0'; + if((hFile = CreateFileW(Manifest, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE) + { + Size = GetFileSize(hFile, NULL); + if(pData = (char*)VirtualAlloc(NULL, Size + 1, MEM_COMMIT, PAGE_READWRITE)) + { + VirtualLock(pData, Size + 1); + if(ReadFile(hFile, pData, Size, &dw, NULL)) + { + pData[dw] = '\0'; + if(strstr(pData, HashHex)) + bResult = TRUE; + } + VirtualUnlock(pData, Size + 1); + VirtualFree(pData, Size + 1, MEM_DECOMMIT); + } + CloseHandle(hFile); + } + } + } + CloseHandle(hLock1); + } + CloseHandle(hLock0); + } + return bResult; +} + +// ƒTƒCƒhƒoƒCƒTƒCƒhDLL‚ðŠm”F +// ƒpƒX‚Í"%SystemRoot%\WinSxS"ˆÈ‰º‚ð‘z’è +// ˆÈ‰º‚̃tƒ@ƒCƒ‹‚ª‘¶Ý‚·‚é‚à‚Ì‚Æ‚·‚é +// "\xxx\yyy.dll"A"\manifests\xxx.cat"A"\manifests\xxx.manifest"‚̃ZƒbƒgiXP‚Ì‘S‚Ä‚ÌDLLAVistaˆÈ~‚̈ꕔ‚ÌDLLj +// "\xxx\yyy.dll"A"\catalogs\zzz.cat"A"\manifests\xxx.manifest"‚̃ZƒbƒgiVistaˆÈ~‚Ì‚Ù‚Æ‚ñ‚Ç‚ÌDLLj +// –¼‚³‚ꂽƒJƒ^ƒƒOƒtƒ@ƒCƒ‹‚ð—p‚¢‚ă}ƒjƒtƒFƒXƒgƒtƒ@ƒCƒ‹‚ª‰ü₂³‚ê‚Ä‚¢‚È‚¢‚±‚Æ‚ðŠm”F +// ƒnƒbƒVƒ…’l‚Í ƒ}ƒjƒtƒFƒXƒgƒtƒ@ƒCƒ‹‚Ìfile—v‘f‚Ìhash‘®«‚É‹Lq‚³‚ê‚Ä‚¢‚é‚à‚Ì‚ð—p‚¢‚é +// ƒ}ƒjƒtƒFƒXƒgƒtƒ@ƒCƒ‹“à‚ÉSHA1ƒnƒbƒVƒ…’l‚Ì16i”•\‹L‚𒼐ڌŸõ‚µ‚Ä‚¢‚邪Šm—¦“I‚É–â‘è‚È‚µ +BOOL IsSxsModuleTrusted(LPCWSTR Filename) +{ + BOOL bResult; + wchar_t* pw0; + wchar_t* pw1; + wchar_t* pw2; + wchar_t* pw3; + wchar_t* pw4; + wchar_t* pw5; + wchar_t* p; + HANDLE hFind; + WIN32_FIND_DATAW wfd; + bResult = FALSE; + if(pw0 = AllocateStringW(wcslen(Filename) + 1)) + { + wcscpy(pw0, Filename); + if(p = wcsrchr(pw0, L'\\')) + { + wcscpy(p, L""); + if(p = wcsrchr(pw0, L'\\')) + { + p++; 
+ if(pw1 = AllocateStringW(wcslen(p) + 1)) + { + wcscpy(pw1, p); + wcscpy(p, L""); + if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".cat") + 1)) + { + wcscpy(pw2, pw0); + wcscat(pw2, L"manifests\\"); + wcscat(pw2, pw1); + if(pw3 = AllocateStringW(wcslen(pw2) + wcslen(L".manifest") + 1)) + { + wcscpy(pw3, pw2); + wcscat(pw3, L".manifest"); + wcscat(pw2, L".cat"); + if(IsSxsModuleTrusted_Function(pw2, pw3, Filename)) + bResult = TRUE; + FreeDuplicatedString(pw3); + } + FreeDuplicatedString(pw2); + } + if(!bResult) + { + if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"catalogs\\") + 1)) + { + if(pw3 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".manifest") + 1)) + { + wcscpy(pw2, pw0); + wcscat(pw2, L"catalogs\\"); + wcscpy(pw3, pw0); + wcscat(pw3, L"manifests\\"); + wcscat(pw3, pw1); + wcscat(pw3, L".manifest"); + if(pw4 = AllocateStringW(wcslen(pw2) + wcslen(L"*.cat") + 1)) + { + wcscpy(pw4, pw2); + wcscat(pw4, L"*.cat"); + if((hFind = FindFirstFileW(pw4, &wfd)) != INVALID_HANDLE_VALUE) + { + do + { + if(pw5 = AllocateStringW(wcslen(pw2) + wcslen(wfd.cFileName) + 1)) + { + wcscpy(pw5, pw2); + wcscat(pw5, wfd.cFileName); + if(IsSxsModuleTrusted_Function(pw5, pw3, Filename)) + bResult = TRUE; + FreeDuplicatedString(pw5); + } + } + while(!bResult && FindNextFileW(hFind, &wfd)); + FindClose(hFind); + } + FreeDuplicatedString(pw4); + } + FreeDuplicatedString(pw3); + } + FreeDuplicatedString(pw2); + } + } + FreeDuplicatedString(pw1); + } + } + } + FreeDuplicatedString(pw0); + } + return bResult; +} + +// DLL‚ðŠm”F +// ƒnƒbƒVƒ…‚ª“o˜^‚³‚ê‚Ä‚¢‚éAAuthenticode–¼‚ª‚³‚ê‚Ä‚¢‚éA‚Ü‚½‚ÍWFP‚É‚æ‚é•ÛŒì‰º‚É‚ ‚邱‚Æ‚ðŠm”F +BOOL IsModuleTrusted(LPCWSTR Filename) +{ + BOOL bResult; + BYTE Hash[16]; + bResult = FALSE; + if(GetMD5HashOfFile(Filename, &Hash)) + { + if(FindTrustedModuleMD5Hash(&Hash)) + bResult = TRUE; + } + if(!bResult) + { + if(VerifyFileSignature(Filename)) + bResult = TRUE; + } + if(!bResult) + { + 
if(IsSxsModuleTrusted(Filename)) + bResult = TRUE; + } + if(!bResult) + { + if(SfcIsFileProtected(NULL, Filename)) + bResult = TRUE; + } + return bResult; +} + // kernel32.dll‚ÌLoadLibraryExW‘Š“–‚̊֐” +// ƒhƒLƒ…ƒƒ“ƒg‚ª–³‚¢‚½‚ߏڍׂ͕s–¾ +// ˆê•”‚̃EƒBƒ‹ƒX‘΍ôƒ\ƒtƒgiAvast!“™j‚ªLdrLoadDll‚ðƒtƒbƒN‚µ‚Ä‚¢‚邽‚ßLdrLoadDll‚ð‘‚«Š·‚¦‚é‚ׂ«‚Å‚Í‚È‚¢ +// ƒJ[ƒlƒ‹ƒ‚[ƒh‚̃R[ƒh‚ɑ΂µ‚Ä‚ÍŒø‰Ê‚È‚µ +// SeDebugPrivilege‚ªŽg—p‰Â”\‚ȃ†[ƒU[‚ɑ΂µ‚Ä‚ÍŒø‰Ê‚È‚µ HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) { HMODULE r = NULL; UNICODE_STRING us; + HANDLE hDataFile; + HANDLE hMapping; + DWORD DllFlags; us.Length = sizeof(wchar_t) * wcslen(lpLibFileName); us.MaximumLength = sizeof(wchar_t) * (wcslen(lpLibFileName) + 1); us.Buffer = (PWSTR)lpLibFileName; - if(dwFlags & LOAD_LIBRARY_AS_DATAFILE) +// if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)) + if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040)) { -// if(p_LdrGetDllHandle(NULL, dwFlags, &us, &r) == 0) - if(p_LdrGetDllHandle(NULL, &dwFlags, &us, &r) == 0) +// if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == STATUS_SUCCESS) + if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == 0) { - if(p_LdrAddRefDll) - p_LdrAddRefDll(0, r); +// dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE); + dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040); + dwFlags |= DONT_RESOLVE_DLL_REFERENCES; } else { - dwFlags |= DONT_RESOLVE_DLL_REFERENCES; -// if(p_LdrLoadDll(NULL, dwFlags, &us, &r) == 0) - if(p_LdrLoadDll(NULL, &dwFlags, &us, &r) == 0) +// if(dwFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) + if(dwFlags & 0x00000040) + hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); + else + hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL); + if(hDataFile != INVALID_HANDLE_VALUE) { + if(hMapping = CreateFileMappingW(hDataFile, NULL, PAGE_READONLY, 0, 0, NULL)) + { 
+ if(r = (HMODULE)MapViewOfFileEx(hMapping, FILE_MAP_READ, 0, 0, 0, NULL)) + { + if(p_RtlImageNtHeader(r)) + r = (HMODULE)((size_t)r | 1); + else + { + UnmapViewOfFile(r); + r = NULL; + } + } + CloseHandle(hMapping); + } + CloseHandle(hDataFile); } else - r = NULL; + { +// dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE); + dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040); + dwFlags |= DONT_RESOLVE_DLL_REFERENCES; + } } } - else +// if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))) + if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040))) { -// if(p_LdrGetDllHandle(NULL, dwFlags, &us, &r) == 0) - if(p_LdrGetDllHandle(NULL, &dwFlags, &us, &r) == 0) - { - if(p_LdrAddRefDll) - p_LdrAddRefDll(0, r); - } -// else if(p_LdrLoadDll(NULL, dwFlags, &us, &r) == 0) - else if(p_LdrLoadDll(NULL, &dwFlags, &us, &r) == 0) + DllFlags = 0; +// if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_IMAGE_RESOURCE)) + if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | 0x00000020)) + DllFlags |= 0x00000002; +// if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == STATUS_SUCCESS) + if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == 0) { } else 
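Review bot: `VerifyFileSignature` accepts any Authenticode chain ending in a trusted root and leaves `fdwRevocationChecks` at zero (`WTD_REVOKE_NONE`), so a DLL signed by any publisher passes and a revoked certificate goes unnoticed; set `wd.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN;` and say in the comment above `IsModuleTrusted` that "signed" here means "signed by anyone", since that is the real trust boundary of the check. In `IsSxsModuleTrusted_Function`, `Size` comes from `GetFileSize` without a check for `INVALID_FILE_SIZE`, and `strstr(pData, HashHex)` matches the lowercase hex anywhere in the manifest rather than in the `hash` attribute of this module's own `file` element — the header comment already calls that probabilistic, and the caveat belongs next to the call too. In `VerifyFileSignatureInCatalog` the sizing call `p_CryptCATAdminCalcHashFromFileHandle(..., NULL, 0)` has its result ignored; on failure `cbCalculatedFileHash` stays 0 and the `malloc(0)` result is handed to the second call, so test the first call (or `cbCalculatedFileHash != 0`) before allocating. `GetSHA1HashOfModule_Function` and `IsSxsModuleTrusted_Function` are not in the prototype block and should be `static`. `System_LoadLibrary` continues past the end of this hunk.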
@@ -332,23 +739,65 @@ HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
 return r;
 }
+// ƒtƒ@ƒCƒ‹‚ÌMD5ƒnƒbƒVƒ…‚ðŽæ“¾
+BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash)
+{
+ BOOL bResult;
+ HCRYPTPROV hProv;
+ HCRYPTHASH hHash;
+ HANDLE hFile;
+ DWORD Size;
+ void* pData;
+ DWORD dw;
+ bResult = FALSE;
+ if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
+ {
+ if(CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
+ {
+ if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
+ {
+ Size = GetFileSize(hFile, NULL);
+ if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))
+ {
+ VirtualLock(pData, Size);
+ if(ReadFile(hFile, pData, Size, &dw, NULL))
+ {
+ if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
+ {
+ dw = 16;
+ if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
+ bResult = TRUE;
+ }
+ }
+ VirtualUnlock(pData, Size);
+ VirtualFree(pData, Size, MEM_DECOMMIT);
+ }
+ CloseHandle(hFile);
+ }
+ CryptDestroyHash(hHash);
+ }
+ CryptReleaseContext(hProv, 0);
+ }
+ return bResult;
+}
+
 // DLL‚̃nƒbƒVƒ…‚ð“o˜^
-BOOL RegisterModuleMD5Hash(void* pHash)
+BOOL RegisterTrustedModuleMD5Hash(void* pHash)
 {
 BOOL bResult;
 BYTE NullHash[16] = {0};
 int i;
 bResult = FALSE;
- if(FindModuleMD5Hash(pHash))
+ if(FindTrustedModuleMD5Hash(pHash))
 bResult = TRUE;
 else
 {
 i = 0;
- while(i < MAX_MD5_HASH_TABLE)
+ while(i < MAX_TRUSTED_MD5_HASH_TABLE)
 {
- if(memcmp(&g_MD5HashTable[i], &NullHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 16) == 0)
 {
- memcpy(&g_MD5HashTable[i], pHash, 16);
+ memcpy(&g_TrustedMD5HashTable[i], pHash, 16);
 bResult = TRUE;
 break;
 }
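Review bot: GetMD5HashOfFile feeds `Size` bytes into CryptHashData no matter how many bytes ReadFile actually returned in `dw`, and `Size` comes from GetFileSize without a check for INVALID_FILE_SIZE or a non-zero high part, so a short read or a failed size query yields a hash of a partly zero-filled buffer (VirtualAlloc commits zeroed pages) instead of FALSE. Gate the hash on the byte count, `if(ReadFile(hFile, pData, Size, &dw, NULL) && dw == Size)`, and bail out when `Size == INVALID_FILE_SIZE`. `VirtualFree(pData, Size, MEM_DECOMMIT)` also only decommits: the region reserved by VirtualAlloc(NULL, …) is never released, which `VirtualFree(pData, 0, MEM_RELEASE)` would do. Because the result is consumed as a trust decision, a wrong-but-successful hash is the worse failure mode, and MD5's collision weakness deserves a comment next to the table it feeds in case entries are ever derived from files an attacker can influence.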
@@ -359,18 +808,18 @@ BOOL RegisterModuleMD5Hash(void* pHash)
 }
 // DLL‚̃nƒbƒVƒ…‚Ì“o˜^‚ð‰ðœ
-BOOL UnregisterModuleMD5Hash(void* pHash)
+BOOL UnregisterTrustedModuleMD5Hash(void* pHash)
 {
 BOOL bResult;
 BYTE NullHash[16] = {0};
 int i;
 bResult = FALSE;
 i = 0;
- while(i < MAX_MD5_HASH_TABLE)
+ while(i < MAX_TRUSTED_MD5_HASH_TABLE)
 {
- if(memcmp(&g_MD5HashTable[i], pHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
 {
- memcpy(&g_MD5HashTable[i], &NullHash, 16);
+ memcpy(&g_TrustedMD5HashTable[i], &NullHash, 16);
 bResult = TRUE;
 break;
 }
@@ -379,144 +828,157 @@ BOOL UnregisterModuleMD5Hash(void* pHash) return bResult; } -// DLL‚̃nƒbƒVƒ…‚ðŒŸõ -BOOL FindModuleMD5Hash(void* pHash) +// M—Š‚Å‚«‚È‚¢DLL‚ðƒAƒ“ƒ[ƒh +BOOL UnloadUntrustedModule() { BOOL bResult; - int i; + wchar_t* pw0; + HANDLE hSnapshot; + MODULEENTRY32 me; + DWORD Length; bResult = FALSE; - i = 0; - while(i < MAX_MD5_HASH_TABLE) + pw0 = NULL; + if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE) { - if(memcmp(&g_MD5HashTable[i], pHash, 16) == 0) + bResult = TRUE; + me.dwSize = sizeof(MODULEENTRY32); + if(Module32First(hSnapshot, &me)) { - bResult = TRUE; - break; + do + { + Length = MAX_PATH; + FreeDuplicatedString(pw0); + if(pw0 = AllocateStringW(Length)) + { + if(GetModuleFileNameW(me.hModule, pw0, Length) > 0) + { + while(pw0) + { + if(GetModuleFileNameW(me.hModule, pw0, Length) + 1 <= Length) + break; + Length = Length * 2; + FreeDuplicatedString(pw0); + pw0 = AllocateStringW(Length); + } + } + } + if(pw0) + { + if(!IsModuleTrusted(pw0)) + { + if(me.hModule != GetModuleHandleW(NULL)) + { + while(FreeLibrary(me.hModule)) + { + } + if(GetModuleFileNameW(me.hModule, pw0, Length) > 0) + { + bResult = FALSE; + break; + } + } + } + } + else + { + bResult = FALSE; + break; + } + } + while(Module32Next(hSnapshot, &me)); } - i++; + CloseHandle(hSnapshot); } - return bResult; -} - -// DLL‚ðŠm”F -// ƒnƒbƒVƒ…‚ª“o˜^‚³‚ê‚Ä‚¢‚éAAuthenticode–¼‚ª‚³‚ê‚Ä‚¢‚éA‚Ü‚½‚ÍWFP‚É‚æ‚é•ÛŒì‰º‚É‚ ‚邱‚Æ‚ðŠm”F -BOOL IsModuleTrustedA(LPCSTR Filename) -{ - BOOL r = FALSE; - wchar_t* pw0 = NULL; - pw0 = DuplicateAtoW(Filename, -1); - r = IsModuleTrustedW(pw0); FreeDuplicatedString(pw0); - return r; -} - -// DLL‚ðŠm”F -// ƒnƒbƒVƒ…‚ª“o˜^‚³‚ê‚Ä‚¢‚éAAuthenticode–¼‚ª‚³‚ê‚Ä‚¢‚éA‚Ü‚½‚ÍWFP‚É‚æ‚é•ÛŒì‰º‚É‚ ‚邱‚Æ‚ðŠm”F -BOOL IsModuleTrustedW(LPCWSTR Filename) -{ - BOOL bResult; - WCHAR Path[MAX_PATH]; - LPWSTR p; - BYTE Hash[16]; - GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2; - WINTRUST_FILE_INFO wfi; - WINTRUST_DATA 
wd; - bResult = FALSE; - if(wcsrchr(Filename, '.') > wcsrchr(Filename, '\\')) - { - if(SearchPathW(NULL, Filename, NULL, MAX_PATH, Path, &p) > 0) - Filename = Path; - } - else - { - if(SearchPathW(NULL, Filename, L".dll", MAX_PATH, Path, &p) > 0) - Filename = Path; - } - if(GetMD5HashOfFile(Filename, &Hash)) - { - if(FindModuleMD5Hash(&Hash)) - bResult = TRUE; - } - if(!bResult) - { - ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO)); - wfi.cbStruct = sizeof(WINTRUST_FILE_INFO); - wfi.pcwszFilePath = Filename; - ZeroMemory(&wd, sizeof(WINTRUST_DATA)); - wd.cbStruct = sizeof(WINTRUST_DATA); - wd.dwUIChoice = WTD_UI_NONE; - wd.dwUnionChoice = WTD_CHOICE_FILE; - wd.pFile = &wfi; - if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS) - bResult = TRUE; - } - if(!bResult) - { - if(SfcIsFileProtected(NULL, Filename)) - bResult = TRUE; - } -// if(!bResult) -// { -// WCHAR Temp[MAX_PATH + 128]; -// _swprintf(Temp, L"Untrusted module was detected! \"%s\"\n", Filename); -// OutputDebugStringW(Temp); -// } return bResult; } // ŠÖ”ƒ|ƒCƒ“ƒ^‚ðŽg—p‰Â”\‚ȏó‘Ԃɏ‰Šú‰» BOOL InitializeLoadLibraryHook() { + BOOL bResult; HMODULE hModule; - hModule = GetModuleHandleW(L"kernel32.dll"); - GET_FUNCTION(hModule, LoadLibraryA); - GET_FUNCTION(hModule, LoadLibraryW); - GET_FUNCTION(hModule, LoadLibraryExA); - GET_FUNCTION(hModule, LoadLibraryExW); - hModule = GetModuleHandleW(L"ntdll.dll"); - GET_FUNCTION(hModule, LdrLoadDll); - GET_FUNCTION(hModule, LdrGetDllHandle); - GET_FUNCTION(hModule, LdrAddRefDll); - return TRUE; + bResult = TRUE; + if(!(hModule = GetModuleHandleW(L"kernel32.dll"))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, LoadLibraryA))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, LoadLibraryW))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, LoadLibraryExA))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, LoadLibraryExW))) + bResult = FALSE; + if(!(hModule = GetModuleHandleW(L"ntdll.dll"))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, LdrLoadDll))) + 
bResult = FALSE; + if(!(GET_FUNCTION(hModule, LdrGetDllHandle))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, RtlImageNtHeader))) + bResult = FALSE; + if(!(hModule = LoadLibraryW(L"wintrust.dll"))) + bResult = FALSE; + if(!(GET_FUNCTION(hModule, CryptCATAdminCalcHashFromFileHandle))) + bResult = FALSE; + return bResult; } // SetWindowsHookEx‘΍ô // DLL Injection‚³‚ꂽê‡‚͏ã‚Ìh_LoadLibraryŒnŠÖ”‚Ńgƒ‰ƒbƒv‰Â”\ BOOL EnableLoadLibraryHook(BOOL bEnable) { + BOOL bResult; + bResult = FALSE; if(bEnable) { - // ŒŸØ‚É•K—v‚ÈDLL‚Ì’x‰„“ǂݍž‚݉ñ”ð - IsModuleTrustedA(""); + bResult = TRUE; #ifdef USE_CODE_HOOK - SET_HOOK_FUNCTION(LoadLibraryA); - SET_HOOK_FUNCTION(LoadLibraryW); - SET_HOOK_FUNCTION(LoadLibraryExA); - SET_HOOK_FUNCTION(LoadLibraryExW); + if(!SET_HOOK_FUNCTION(LoadLibraryA)) + bResult = FALSE; + if(!SET_HOOK_FUNCTION(LoadLibraryW)) + bResult = FALSE; + if(!SET_HOOK_FUNCTION(LoadLibraryExA)) + bResult = FALSE; + if(!SET_HOOK_FUNCTION(LoadLibraryExW)) + bResult = FALSE; #endif #ifdef USE_IAT_HOOK - HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA); - HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW); - HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA); - HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW); + if(!HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA)) + bResult = FALSE; + if(!HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW)) + bResult = FALSE; + if(!HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA)) + bResult = FALSE; + if(!HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW)) + bResult = FALSE; #endif } else { + bResult = TRUE; #ifdef USE_CODE_HOOK - END_HOOK_FUNCTION(LoadLibraryA); - END_HOOK_FUNCTION(LoadLibraryW); - END_HOOK_FUNCTION(LoadLibraryExA); - END_HOOK_FUNCTION(LoadLibraryExW); + if(!END_HOOK_FUNCTION(LoadLibraryA)) + bResult = FALSE; + if(!END_HOOK_FUNCTION(LoadLibraryW)) + bResult = FALSE; + if(!END_HOOK_FUNCTION(LoadLibraryExA)) + bResult = FALSE; + if(!END_HOOK_FUNCTION(LoadLibraryExW)) + bResult = FALSE; #endif #ifdef 
USE_IAT_HOOK
- HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA);
- HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW);
- HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA);
- HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW);
+ if(!HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA))
+ bResult = FALSE;
+ if(!HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW))
+ bResult = FALSE;
+ if(!HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA))
+ bResult = FALSE;
+ if(!HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW))
+ bResult = FALSE;
 #endif
 }
- return TRUE;
+ return bResult;
 }
 // ReadProcessMemoryAWriteProcessMemoryACreateRemoteThread‘΍ô
diff --git a/protectprocess.h b/protectprocess.h
index 2cff761..fe6b4ef 100644
--- a/protectprocess.h
+++ b/protectprocess.h
@@ -45,11 +45,10 @@ EXTERN_HOOK_FUNCTION_VAR(LoadLibraryExW)
 #endif
 HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
-BOOL RegisterModuleMD5Hash(void* pHash);
-BOOL UnregisterModuleMD5Hash(void* pHash);
-BOOL FindModuleMD5Hash(void* pHash);
-BOOL IsModuleTrustedA(LPCSTR Filename);
-BOOL IsModuleTrustedW(LPCWSTR Filename);
+BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash);
+BOOL RegisterTrustedModuleMD5Hash(void* pHash);
+BOOL UnregisterTrustedModuleMD5Hash(void* pHash);
+BOOL UnloadUntrustedModule();
 BOOL InitializeLoadLibraryHook();
 BOOL EnableLoadLibraryHook(BOOL bEnable);
 BOOL RestartProtectedProcess(LPCTSTR Keyword);
diff --git a/ras.c b/ras.c
index 4ad591c..ebcb896 100644
--- a/ras.c
+++ b/ras.c
@@ -29,7 +29,8 @@
 #define STRICT
-#define WINVER 0x400
+// UTF-8対応
+//#define WINVER 0x400
 #include
 #include
diff --git a/socketwrapper.c b/socketwrapper.c
index 68382dc..a819e26 100644
--- a/socketwrapper.c
+++ b/socketwrapper.c
@@ -5,8 +5,6 @@
 // コンパイルにはOpenSSLのヘッダーファイルが必要
 // 実行にはOpenSSLのDLLが必要
-#define _WIN32_WINNT 0x0600
-
 #include
 #include
 #include
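Review bot: InitializeLoadLibraryHook obtains `CryptCATAdminCalcHashFromFileHandle` through `LoadLibraryW(L"wintrust.dll")`, which walks the default DLL search order (application directory ahead of System32 unless the module is already loaded or a KnownDLL), yet this appears to be the module the later trust check depends on, so a same-named file placed next to the executable would be supplying the verifier itself. Load it by full path instead: obtain the directory with `GetSystemDirectoryW`, append `L"\\wintrust.dll"`, and pass that to `LoadLibraryW` (`LOAD_LIBRARY_SEARCH_SYSTEM32` needs a newer loader than the WINVER=0x0500 baseline this commit sets). In UnloadUntrustedModule, `while(FreeLibrary(me.hModule)) {}` drives the reference count to zero, which unmaps a DLL that other threads may still be executing in, and the follow-up GetModuleFileNameW probe cannot distinguish a pinned module from an unrelated one later mapped at the same base, so the FALSE it reports is best-effort. Since an untrusted module's DllMain has already run by the time this loop evicts it, a comment such as `// Containment only: an untrusted DLL's DllMain has already executed before it is unloaded here` would state the guarantee honestly; InitializeLoadLibraryHook also keeps calling GET_FUNCTION with a NULL hModule after a failed GetModuleHandleW, which is harmless but reads clearer as an early `return FALSE;`.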
@@ -71,9 +69,9 @@ BOOL LoadOpenSSL()
 #ifdef ENABLE_PROCESS_PROTECTION
 // ssleay32.dll 1.0.0e
 // libssl32.dll 1.0.0e
- RegisterModuleMD5Hash("\x8B\xA3\xB7\xB3\xCE\x2E\x4F\x07\x8C\xB8\x93\x7D\x77\xE1\x09\x3A");
+ RegisterTrustedModuleMD5Hash("\x8B\xA3\xB7\xB3\xCE\x2E\x4F\x07\x8C\xB8\x93\x7D\x77\xE1\x09\x3A");
 // libeay32.dll 1.0.0e
- RegisterModuleMD5Hash("\xA6\x4C\xAF\x9E\xF3\xDC\xFC\x68\xAE\xCA\xCC\x61\xD2\xF6\x70\x8B");
+ RegisterTrustedModuleMD5Hash("\xA6\x4C\xAF\x9E\xF3\xDC\xFC\x68\xAE\xCA\xCC\x61\xD2\xF6\x70\x8B");
 #endif
 g_hOpenSSL = LoadLibrary("ssleay32.dll");
 if(!g_hOpenSSL)