2 // Copyright (C) 2011 Suguru Kawamoto
3 // Process protection
5 // Enable exactly one of the following
6 // Overwrite the code of the hooked function (inline code hook)
7 // Every call can be hooked, but by design nested (re-entrant) calls cannot be handled
9 // Overwrite the hooked function's entry in the import address table (IAT hook)
10 // Nested calls are possible, but depending on how the function is called the hook can be bypassed
11 //#define USE_IAT_HOOK
13 // Name of the hooked function:             %s
14 // Type of the hooked function:             _%s
15 // Pointer to the hooked function:          p_%s
16 // Name of the hook (replacement) function: h_%s
17 // Backup of the hooked function's code:    c_%s
33 #define DO_NOT_REPLACE
34 #include "protectprocess.h"
35 #include "mbswrapper.h"
38 #pragma comment(lib, "dbghelp.lib")
43 #define HOOK_JUMP_CODE_LENGTH 5
44 #elif defined(_AMD64_)
45 #define HOOK_JUMP_CODE_LENGTH 14
49 BOOL LockThreadLock();
50 BOOL UnlockThreadLock();
52 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore);
55 BOOL HookFunctionInIAT(void* pOriginal, void* pNew);
57 HANDLE LockExistingFile(LPCWSTR Filename);
58 BOOL FindTrustedModuleSHA1Hash(void* pHash);
59 BOOL VerifyFileSignature(LPCWSTR Filename);
60 BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename);
61 BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash);
62 BOOL IsModuleTrusted(LPCWSTR Filename);
64 // Variable declarations
66 #define HOOK_FUNCTION_VAR(name) _##name p_##name;BYTE c_##name[HOOK_JUMP_CODE_LENGTH * 2];
69 #define HOOK_FUNCTION_VAR(name) _##name p_##name;
71 // Fetch a function pointer
72 #define GET_FUNCTION(h, name) p_##name = (_##name)GetProcAddress(h, #name)
73 // Overwrite the hooked function's code to start the hook. NOTE(review): in the _AMD64_ branch of HookFunctionInCode the absolute target written into the "jmp [rip+0]" stub is taken from pOriginal rather than pNew (line 280 of the listing), which as written would make the patched entry jump to itself; confirm against the intended target before relying on the 64-bit build.
74 #define SET_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, FALSE)
75 // Restore the hooked function's original code before calling it
76 #define START_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, TRUE)
77 // Overwrite the hooked function's code again after calling it
78 #define END_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, NULL, FALSE)
80 HOOK_FUNCTION_VAR(LoadLibraryA)
81 HOOK_FUNCTION_VAR(LoadLibraryW)
82 HOOK_FUNCTION_VAR(LoadLibraryExA)
83 HOOK_FUNCTION_VAR(LoadLibraryExW)
85 typedef NTSTATUS (NTAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
86 typedef NTSTATUS (NTAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);
87 typedef PIMAGE_NT_HEADERS (NTAPI* _RtlImageNtHeader)(PVOID);
88 typedef BOOL (WINAPI* _CryptCATAdminCalcHashFromFileHandle)(HANDLE, DWORD*, BYTE*, DWORD);
90 _LdrLoadDll p_LdrLoadDll;
91 _LdrGetDllHandle p_LdrGetDllHandle;
92 _RtlImageNtHeader p_RtlImageNtHeader;
93 _CryptCATAdminCalcHashFromFileHandle p_CryptCATAdminCalcHashFromFileHandle;
95 #define MAX_LOCKED_THREAD 16
96 #define MAX_TRUSTED_FILENAME_TABLE 16
97 #define MAX_TRUSTED_MD5_HASH_TABLE 16
99 DWORD g_ProcessProtectionLevel;
100 DWORD g_LockedThread[MAX_LOCKED_THREAD];
101 WCHAR* g_pTrustedFilenameTable[MAX_TRUSTED_FILENAME_TABLE];
102 BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][20];
104 // Hook functions follow
105 // When calling the hooked function, START_HOOK_FUNCTION and END_HOOK_FUNCTION must be executed before and after the call
107 HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName)
111 if(pw0 = DuplicateAtoW(lpLibFileName, -1))
112 r = LoadLibraryExW(pw0, NULL, 0);
113 FreeDuplicatedString(pw0);
117 HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName)
120 r = LoadLibraryExW(lpLibFileName, NULL, 0);
124 HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
128 if(pw0 = DuplicateAtoW(lpLibFileName, -1))
129 r = LoadLibraryExW(pw0, hFile, dwFlags);
130 FreeDuplicatedString(pw0);
134 HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
145 // if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))
146 if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040))
150 if(hModule = System_LoadLibrary(lpLibFileName, NULL, DONT_RESOLVE_DLL_REFERENCES))
153 if(pw0 = AllocateStringW(Length))
155 if(GetModuleFileNameW(hModule, pw0, Length) > 0)
159 if(GetModuleFileNameW(hModule, pw0, Length) + 1 <= Length)
165 FreeDuplicatedString(pw0);
166 pw0 = AllocateStringW(Length);
170 hLock = LockExistingFile(lpLibFileName);
171 FreeLibrary(hModule);
173 if((g_ProcessProtectionLevel & PROCESS_PROTECTION_LOADED) && GetModuleHandleW(lpLibFileName))
180 if(IsModuleTrusted(lpLibFileName))
185 r = System_LoadLibrary(lpLibFileName, hFile, dwFlags);
186 FreeDuplicatedString(pw0);
192 // Helper functions follow
194 BOOL LockThreadLock()
200 ThreadId = GetCurrentThreadId();
202 while(i < MAX_LOCKED_THREAD)
204 if(g_LockedThread[i] == ThreadId)
208 if(i >= MAX_LOCKED_THREAD)
211 while(i < MAX_LOCKED_THREAD)
213 if(g_LockedThread[i] == 0)
215 g_LockedThread[i] = ThreadId;
225 BOOL UnlockThreadLock()
231 ThreadId = GetCurrentThreadId();
233 while(i < MAX_LOCKED_THREAD)
235 if(g_LockedThread[i] == ThreadId)
237 g_LockedThread[i] = 0;
247 BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore)
252 BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xe9, 0x00, 0x00, 0x00, 0x00};
254 Relative = (size_t)pNew - (size_t)pOriginal - HOOK_JUMP_CODE_LENGTH;
255 memcpy(&JumpCode[1], &Relative, 4);
259 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
261 memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
262 VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
269 memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
270 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
272 memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
273 VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
277 #elif defined(_AMD64_)
278 BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xff, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
280 Absolute = (size_t)pOriginal;
281 memcpy(&JumpCode[6], &Absolute, 8);
285 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
287 memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);
288 VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
295 memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);
296 if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))
298 memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);
299 VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);
309 BOOL HookFunctionInIAT(void* pOriginal, void* pNew)
315 IMAGE_IMPORT_DESCRIPTOR* piid;
317 IMAGE_THUNK_DATA* pitd;
320 if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
322 me.dwSize = sizeof(MODULEENTRY32);
323 if(Module32First(hSnapshot, &me))
328 if(piid = (IMAGE_IMPORT_DESCRIPTOR*)ImageDirectoryEntryToData(me.hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size))
330 while(!bFound && piid->Name != 0)
332 pitd = (IMAGE_THUNK_DATA*)((BYTE*)me.hModule + piid->FirstThunk);
333 while(!bFound && pitd->u1.Function != 0)
335 if((void*)pitd->u1.Function == pOriginal)
338 if(VirtualProtect(&pitd->u1.Function, sizeof(void*), PAGE_EXECUTE_READWRITE, &Protect))
340 memcpy(&pitd->u1.Function, &pNew, sizeof(void*));
341 VirtualProtect(&pitd->u1.Function, sizeof(void*), Protect, &Protect);
351 while(!bFound && Module32Next(hSnapshot, &me));
353 CloseHandle(hSnapshot);
359 // Make the file unmodifiable: it is opened with share mode FILE_SHARE_READ only, so other opens for write or delete fail while the returned handle stays open (a share-mode lock that ends when the handle is closed, not a permanent change)
360 HANDLE LockExistingFile(LPCWSTR Filename)
364 if((hResult = CreateFileW(Filename, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL)) == INVALID_HANDLE_VALUE)
369 // Search the table of trusted DLL hashes (g_TrustedMD5HashTable holds 20-byte SHA-1 digests despite its name)
370 BOOL FindTrustedModuleSHA1Hash(void* pHash)
376 while(i < MAX_TRUSTED_MD5_HASH_TABLE)
378 if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
388 // Verify the file's Authenticode signature with WinVerifyTrust. NOTE(review): WINTRUST_DATA is zero-initialized and no revocation-check flags are set in the visible code, so a chain to a revoked certificate is not rejected here; with PROCESS_PROTECTION_EXPIRED an expired certificate is accepted, and with PROCESS_PROTECTION_UNAUTHORIZED an untrusted root or CA is accepted, i.e. a self-signed file passes.
389 BOOL VerifyFileSignature(LPCWSTR Filename)
392 GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
393 WINTRUST_FILE_INFO wfi;
397 ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO));
398 wfi.cbStruct = sizeof(WINTRUST_FILE_INFO);
399 wfi.pcwszFilePath = Filename;
400 ZeroMemory(&wd, sizeof(WINTRUST_DATA));
401 wd.cbStruct = sizeof(WINTRUST_DATA);
402 wd.dwUIChoice = WTD_UI_NONE;
403 wd.dwUnionChoice = WTD_CHOICE_FILE;
405 Error = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd);
406 if(Error == ERROR_SUCCESS)
408 else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED) && Error == CERT_E_EXPIRED)
410 else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED) && (Error == CERT_E_UNTRUSTEDROOT || Error == CERT_E_UNTRUSTEDCA))
415 // Verify the file's signature via a catalog file (the catalog itself is first checked with VerifyFileSignature, so the same expiry / untrusted-root relaxations apply to the catalog)
416 BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename)
419 GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
420 WINTRUST_CATALOG_INFO wci;
424 if(VerifyFileSignature(Catalog))
426 ZeroMemory(&wci, sizeof(WINTRUST_CATALOG_INFO));
427 wci.cbStruct = sizeof(WINTRUST_CATALOG_INFO);
428 wci.pcwszCatalogFilePath = Catalog;
429 wci.pcwszMemberFilePath = Filename;
430 if((wci.hMemberFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
432 p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, NULL, 0);
433 if(wci.pbCalculatedFileHash = (BYTE*)malloc(wci.cbCalculatedFileHash))
435 if(p_CryptCATAdminCalcHashFromFileHandle(wci.hMemberFile, &wci.cbCalculatedFileHash, wci.pbCalculatedFileHash, 0))
437 ZeroMemory(&wd, sizeof(WINTRUST_DATA));
438 wd.cbStruct = sizeof(WINTRUST_DATA);
439 wd.dwUIChoice = WTD_UI_NONE;
440 wd.dwUnionChoice = WTD_CHOICE_CATALOG;
442 Error = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd);
443 if(Error == ERROR_SUCCESS)
445 else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED) && Error == CERT_E_EXPIRED)
447 else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED) && (Error == CERT_E_UNTRUSTEDROOT || Error == CERT_E_UNTRUSTEDCA))
450 free(wci.pbCalculatedFileHash);
452 CloseHandle(wci.hMemberFile);
458 BOOL WINAPI GetSHA1HashOfModule_Function(DIGEST_HANDLE refdata, PBYTE pData, DWORD dwLength)
460 return CryptHashData(*(HCRYPTHASH*)refdata, pData, dwLength, 0);
463 // Compute the module's SHA-1 hash
464 // For executable files, the hash attribute of the manifest's file element is computed with ImageGetDigestStream (a digest of the PE image, not a plain hash of the raw file bytes as in GetSHA1HashOfFile)
465 BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash)
473 if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
475 if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
477 if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
479 if(ImageGetDigestStream(hFile, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, GetSHA1HashOfModule_Function, (DIGEST_HANDLE)&hHash))
482 if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
487 CryptDestroyHash(hHash);
489 CryptReleaseContext(hProv, 0);
494 BOOL IsSxsModuleTrusted_Function(LPCWSTR Catalog, LPCWSTR Manifest, LPCWSTR Module)
501 static char HexTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
508 if(hLock0 = LockExistingFile(Catalog))
510 if(hLock1 = LockExistingFile(Manifest))
512 if(VerifyFileSignatureInCatalog(Catalog, Manifest))
514 if(GetSHA1HashOfModule(Module, &Hash))
516 for(i = 0; i < 20; i++)
518 HashHex[i * 2] = HexTable[(Hash[i] >> 4) & 0x0f];
519 HashHex[i * 2 + 1] = HexTable[Hash[i] & 0x0f];
521 HashHex[i * 2] = '\0';
522 if((hFile = CreateFileW(Manifest, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE)
524 Size = GetFileSize(hFile, NULL);
525 if(pData = (char*)VirtualAlloc(NULL, Size + 1, MEM_COMMIT, PAGE_READWRITE))
527 VirtualLock(pData, Size + 1);
528 if(ReadFile(hFile, pData, Size, &dw, NULL))
531 if(strstr(pData, HashHex))
534 VirtualUnlock(pData, Size + 1);
535 VirtualFree(pData, Size + 1, MEM_DECOMMIT);
548 // Verify a side-by-side (WinSxS) DLL
549 // The path is assumed to be under "%SystemRoot%\WinSxS"
550 // The following files are assumed to exist:
551 // the set "\xxx\yyy.dll", "\manifests\xxx.cat", "\manifests\xxx.manifest" (all DLLs on XP, some DLLs on Vista and later)
552 // the set "\xxx\yyy.dll", "\catalogs\zzz.cat", "\manifests\xxx.manifest" (most DLLs on Vista and later)
553 // The signed catalog file is used to verify that the manifest file has not been tampered with
554 // The hash value used is the one recorded in the hash attribute of the manifest's file element
555 // The hex form of the SHA-1 hash is searched for directly in the manifest text (strstr) rather than by parsing the XML; a 160-bit value is unlikely enough to appear by accident that this is treated as acceptable
556 BOOL IsSxsModuleTrusted(LPCWSTR Filename)
567 WIN32_FIND_DATAW wfd;
569 if(pw0 = AllocateStringW(wcslen(Filename) + 1))
571 wcscpy(pw0, Filename);
572 if(p = wcsrchr(pw0, L'\\'))
575 if(p = wcsrchr(pw0, L'\\'))
578 if(pw1 = AllocateStringW(wcslen(p) + 1))
582 if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".cat") + 1))
585 wcscat(pw2, L"manifests\\");
587 if(pw3 = AllocateStringW(wcslen(pw2) + wcslen(L".manifest") + 1))
590 wcscat(pw3, L".manifest");
591 wcscat(pw2, L".cat");
592 if(IsSxsModuleTrusted_Function(pw2, pw3, Filename))
594 FreeDuplicatedString(pw3);
596 FreeDuplicatedString(pw2);
600 if(pw2 = AllocateStringW(wcslen(pw0) + wcslen(L"catalogs\\") + 1))
602 if(pw3 = AllocateStringW(wcslen(pw0) + wcslen(L"manifests\\") + wcslen(pw1) + wcslen(L".manifest") + 1))
605 wcscat(pw2, L"catalogs\\");
607 wcscat(pw3, L"manifests\\");
609 wcscat(pw3, L".manifest");
610 if(pw4 = AllocateStringW(wcslen(pw2) + wcslen(L"*.cat") + 1))
613 wcscat(pw4, L"*.cat");
614 if((hFind = FindFirstFileW(pw4, &wfd)) != INVALID_HANDLE_VALUE)
618 if(pw5 = AllocateStringW(wcslen(pw2) + wcslen(wfd.cFileName) + 1))
621 wcscat(pw5, wfd.cFileName);
622 if(IsSxsModuleTrusted_Function(pw5, pw3, Filename))
624 FreeDuplicatedString(pw5);
627 while(!bResult && FindNextFileW(hFind, &wfd));
630 FreeDuplicatedString(pw4);
632 FreeDuplicatedString(pw3);
634 FreeDuplicatedString(pw2);
637 FreeDuplicatedString(pw1);
641 FreeDuplicatedString(pw0);
647 BOOL IsModuleTrusted(LPCWSTR Filename)
654 if(GetSHA1HashOfFile(Filename, &Hash))
656 if(FindTrustedModuleSHA1Hash(&Hash))
661 if((g_ProcessProtectionLevel & PROCESS_PROTECTION_BUILTIN) && VerifyFileSignature(Filename))
666 if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SIDE_BY_SIDE) && IsSxsModuleTrusted(Filename))
671 if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SYSTEM_FILE) && SfcIsFileProtected(NULL, Filename))
679 // Function equivalent to LoadLibraryExW in kernel32.dll
680 // LdrLoadDll is undocumented, so the details are unknown
681 // Some antivirus products (e.g. Avast!) hook LdrLoadDll themselves, so LdrLoadDll must not be overwritten
682 // Has no effect against kernel-mode code
683 // Has no effect against users who can exercise SeDebugPrivilege
684 HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
691 us.Length = sizeof(wchar_t) * wcslen(lpLibFileName);
692 us.MaximumLength = sizeof(wchar_t) * (wcslen(lpLibFileName) + 1);
693 us.Buffer = (PWSTR)lpLibFileName;
694 // if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))
695 if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040))
697 // if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == STATUS_SUCCESS)
698 if(p_LdrGetDllHandle(NULL, NULL, &us, &r) == 0)
700 // dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE);
701 dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040);
702 dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
706 // if(dwFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
707 if(dwFlags & 0x00000040)
708 hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
710 hDataFile = CreateFileW(lpLibFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
711 if(hDataFile != INVALID_HANDLE_VALUE)
713 if(hMapping = CreateFileMappingW(hDataFile, NULL, PAGE_READONLY, 0, 0, NULL))
715 if(r = (HMODULE)MapViewOfFileEx(hMapping, FILE_MAP_READ, 0, 0, 0, NULL))
717 if(p_RtlImageNtHeader(r))
718 r = (HMODULE)((size_t)r | 1);
725 CloseHandle(hMapping);
727 CloseHandle(hDataFile);
731 // dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE);
732 dwFlags &= ~(LOAD_LIBRARY_AS_DATAFILE | 0x00000040);
733 dwFlags |= DONT_RESOLVE_DLL_REFERENCES;
737 // if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)))
738 if(!(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040)))
741 // if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_IMAGE_RESOURCE))
742 if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | 0x00000020))
743 DllFlags |= 0x00000002;
744 // if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == STATUS_SUCCESS)
745 if(p_LdrLoadDll(NULL, &DllFlags, &us, &r) == 0)
754 void SetProcessProtectionLevel(DWORD Level)
756 g_ProcessProtectionLevel = Level;
759 // Compute the SHA-1 hash of the whole file contents
760 BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash)
770 if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
772 if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
774 if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
776 Size = GetFileSize(hFile, NULL);
777 if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))
779 VirtualLock(pData, Size);
780 if(ReadFile(hFile, pData, Size, &dw, NULL))
782 if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
785 if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
789 VirtualUnlock(pData, Size);
790 VirtualFree(pData, Size, MEM_DECOMMIT);
794 CryptDestroyHash(hHash);
796 CryptReleaseContext(hProv, 0);
801 // Register a DLL hash as trusted
802 BOOL RegisterTrustedModuleSHA1Hash(void* pHash)
805 BYTE NullHash[20] = {0};
808 if(FindTrustedModuleSHA1Hash(pHash))
813 while(i < MAX_TRUSTED_MD5_HASH_TABLE)
815 if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 20) == 0)
817 memcpy(&g_TrustedMD5HashTable[i], pHash, 20);
827 // Unregister a trusted DLL hash
828 BOOL UnregisterTrustedModuleSHA1Hash(void* pHash)
831 BYTE NullHash[20] = {0};
835 while(i < MAX_TRUSTED_MD5_HASH_TABLE)
837 if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
839 memcpy(&g_TrustedMD5HashTable[i], &NullHash, 20);
848 // Unload DLLs that are not trusted
849 BOOL UnloadUntrustedModule()
858 if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId())) != INVALID_HANDLE_VALUE)
861 me.dwSize = sizeof(MODULEENTRY32);
862 if(Module32First(hSnapshot, &me))
867 FreeDuplicatedString(pw0);
868 if(pw0 = AllocateStringW(Length))
870 if(GetModuleFileNameW(me.hModule, pw0, Length) > 0)
874 if(GetModuleFileNameW(me.hModule, pw0, Length) + 1 <= Length)
877 FreeDuplicatedString(pw0);
878 pw0 = AllocateStringW(Length);
884 if(!IsModuleTrusted(pw0))
886 if(me.hModule != GetModuleHandleW(NULL))
888 while(FreeLibrary(me.hModule))
891 if(GetModuleFileNameW(me.hModule, pw0, Length) > 0)
905 while(Module32Next(hSnapshot, &me));
907 CloseHandle(hSnapshot);
909 FreeDuplicatedString(pw0);
913 // Initialize the function pointers so they can be used
914 BOOL InitializeLoadLibraryHook()
919 if(!(hModule = GetModuleHandleW(L"kernel32.dll")))
921 if(!(GET_FUNCTION(hModule, LoadLibraryA)))
923 if(!(GET_FUNCTION(hModule, LoadLibraryW)))
925 if(!(GET_FUNCTION(hModule, LoadLibraryExA)))
927 if(!(GET_FUNCTION(hModule, LoadLibraryExW)))
929 if(!(hModule = GetModuleHandleW(L"ntdll.dll")))
931 if(!(GET_FUNCTION(hModule, LdrLoadDll)))
933 if(!(GET_FUNCTION(hModule, LdrGetDllHandle)))
935 if(!(GET_FUNCTION(hModule, RtlImageNtHeader)))
937 if(!(hModule = LoadLibraryW(L"wintrust.dll")))
939 if(!(GET_FUNCTION(hModule, CryptCATAdminCalcHashFromFileHandle)))
944 // Countermeasure against SetWindowsHookEx
945 // A DLL injected this way can be trapped by the h_LoadLibrary* functions above
946 BOOL EnableLoadLibraryHook(BOOL bEnable)
954 if(!SET_HOOK_FUNCTION(LoadLibraryA))
956 if(!SET_HOOK_FUNCTION(LoadLibraryW))
958 if(!SET_HOOK_FUNCTION(LoadLibraryExA))
960 if(!SET_HOOK_FUNCTION(LoadLibraryExW))
964 if(!HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA))
966 if(!HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW))
968 if(!HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA))
970 if(!HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW))
978 if(!END_HOOK_FUNCTION(LoadLibraryA))
980 if(!END_HOOK_FUNCTION(LoadLibraryW))
982 if(!END_HOOK_FUNCTION(LoadLibraryExA))
984 if(!END_HOOK_FUNCTION(LoadLibraryExW))
988 if(!HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA))
990 if(!HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW))
992 if(!HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA))
994 if(!HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW))
1001 // Countermeasure against ReadProcessMemory, WriteProcessMemory and CreateRemoteThread
1002 // The process DACL grants Everyone only PROCESS_TERMINATE; as noted above for the hooks, holders of SeDebugPrivilege bypass the process DACL entirely, so this raises the bar only against non-privileged code
1003 BOOL RestartProtectedProcess(LPCTSTR Keyword)
1007 SID_IDENTIFIER_AUTHORITY sia = SECURITY_WORLD_SID_AUTHORITY;
1009 SECURITY_DESCRIPTOR sd;
1011 SECURITY_ATTRIBUTES sa;
1013 PROCESS_INFORMATION pi;
1015 if(_tcslen(GetCommandLine()) >= _tcslen(Keyword) && _tcscmp(GetCommandLine() + _tcslen(GetCommandLine()) - _tcslen(Keyword), Keyword) == 0)
1017 if(pACL = (ACL*)malloc(sizeof(ACL) + 1024))
1019 if(InitializeAcl(pACL, sizeof(ACL) + 1024, ACL_REVISION))
1021 if(AllocateAndInitializeSid(&sia, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSID))
1023 if(AddAccessAllowedAce(pACL, ACL_REVISION, PROCESS_TERMINATE, pSID))
1025 if(InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
1027 if(SetSecurityDescriptorDacl(&sd, TRUE, pACL, FALSE))
1029 if(CommandLine = (TCHAR*)malloc(sizeof(TCHAR) * (_tcslen(GetCommandLine()) + _tcslen(Keyword) + 1)))
1031 _tcscpy(CommandLine, GetCommandLine());
1032 _tcscat(CommandLine, Keyword);
1033 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
1034 sa.lpSecurityDescriptor = &sd;
1035 sa.bInheritHandle = FALSE;
1036 GetStartupInfo(&si);
1037 if(CreateProcess(NULL, CommandLine, &sa, NULL, FALSE, 0, NULL, NULL, &si, &pi))
1039 CloseHandle(pi.hThread);
1040 CloseHandle(pi.hProcess);