BOOL HookFunctionInIAT(void* pOriginal, void* pNew);
#endif
HANDLE LockExistingFile(LPCWSTR Filename);
-BOOL FindTrustedModuleMD5Hash(void* pHash);
+BOOL FindTrustedModuleSHA1Hash(void* pHash);
BOOL VerifyFileSignature(LPCWSTR Filename);
BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename);
BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash);
#define MAX_TRUSTED_FILENAME_TABLE 16
#define MAX_TRUSTED_MD5_HASH_TABLE 16
+DWORD g_ProcessProtectionLevel;
DWORD g_LockedThread[MAX_LOCKED_THREAD];
WCHAR* g_pTrustedFilenameTable[MAX_TRUSTED_FILENAME_TABLE];
-BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][16];
+BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][20];
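Review bot: The digest width 20 becomes an unexplained literal repeated in this header and in every hunk that touches g_TrustedMD5HashTable (FindTrustedModuleSHA1Hash, IsModuleTrusted, GetSHA1HashOfFile, RegisterTrustedModuleSHA1Hash, UnregisterTrustedModuleSHA1Hash), and the table keeps its MD5 name although it now holds SHA-1 digests, so the declaration no longer describes its contents. A single named size here, `#define TRUSTED_HASH_SIZE 20 /* SHA-1 digest length in bytes */`, used as `BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][TRUSTED_HASH_SIZE];` and for the memcmp/memcpy lengths and the local `BYTE Hash[...]` buffers, keeps the width consistent the next time it changes; renaming the table and MAX_TRUSTED_MD5_HASH_TABLE to a hash-neutral name can follow separately. The added `DWORD g_ProcessProtectionLevel;` at line 11 is a definition in what appears to be a header; if this header is included by more than one translation unit it should be `extern` here and defined once in a .c file, like the other g_ arrays around it, though I cannot see from this hunk how those are handled.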
// \88È\89º\83t\83b\83N\8aÖ\90\94
// \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\8fê\8d\87\82Í\91O\8cã\82ÅSTART_HOOK_FUNCTION\82ÆEND_HOOK_FUNCTION\82ð\8eÀ\8ds\82·\82é\95K\97v\82ª\82 \82é
hLock = LockExistingFile(lpLibFileName);
FreeLibrary(hModule);
}
- if(GetModuleHandleW(lpLibFileName))
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_LOADED) && GetModuleHandleW(lpLibFileName))
bTrusted = TRUE;
}
if(!bTrusted)
{
- if(LockThreadLock())
+ if(hLock)
{
- if(hLock)
- {
- if(IsModuleTrusted(lpLibFileName))
- bTrusted = TRUE;
- }
- UnlockThreadLock();
+ if(IsModuleTrusted(lpLibFileName))
+ bTrusted = TRUE;
}
}
if(bTrusted)
}
// DLL\82Ì\83n\83b\83V\83\85\82ð\8c\9f\8dõ
-BOOL FindTrustedModuleMD5Hash(void* pHash)
+BOOL FindTrustedModuleSHA1Hash(void* pHash)
{
BOOL bResult;
int i;
i = 0;
while(i < MAX_TRUSTED_MD5_HASH_TABLE)
{
- if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
{
bResult = TRUE;
break;
return bResult;
}
+BOOL VerifyFileSignature_Function(LPCWSTR Filename)
+{
+ BOOL bResult;
+ HCERTSTORE hStore;
+ PCCERT_CONTEXT pcc;
+ CERT_CHAIN_PARA ccp;
+ CERT_CHAIN_CONTEXT* pccc;
+ CERT_CHAIN_POLICY_PARA ccpp;
+ CERT_CHAIN_POLICY_STATUS ccps;
+ bResult = FALSE;
+ if(CryptQueryObject(CERT_QUERY_OBJECT_FILE, Filename, CERT_QUERY_CONTENT_FLAG_ALL, CERT_QUERY_FORMAT_FLAG_ALL, 0, NULL, NULL, NULL, &hStore, NULL, NULL))
+ {
+ pcc = NULL;
+ while(!bResult && (pcc = CertEnumCertificatesInStore(hStore, pcc)))
+ {
+ ZeroMemory(&ccp, sizeof(CERT_CHAIN_PARA));
+ ccp.cbSize = sizeof(CERT_CHAIN_PARA);
+ if(CertGetCertificateChain(NULL, pcc, NULL, NULL, &ccp, 0, NULL, &pccc))
+ {
+ ZeroMemory(&ccpp, sizeof(CERT_CHAIN_POLICY_PARA));
+ ccpp.cbSize = sizeof(CERT_CHAIN_POLICY_PARA);
+ if(g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED)
+ ccpp.dwFlags |= CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
+ else if(g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED)
+ ccpp.dwFlags |= CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
+ ZeroMemory(&ccps, sizeof(CERT_CHAIN_POLICY_STATUS));
+ ccps.cbSize = sizeof(CERT_CHAIN_POLICY_STATUS);
+ if(CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_AUTHENTICODE, pccc, &ccpp, &ccps))
+ {
+ if(ccps.dwError == ERROR_SUCCESS)
+ {
+ bResult = TRUE;
+ break;
+ }
+ }
+ CertFreeCertificateChain(pccc);
+ }
+ }
+ while(pcc = CertEnumCertificatesInStore(hStore, pcc))
+ {
+ }
+ CertCloseStore(hStore, 0);
+ }
+ return bResult;
+}
+
// \83t\83@\83C\83\8b\82Ì\8f\90\96¼\82ð\8am\94F
BOOL VerifyFileSignature(LPCWSTR Filename)
{
wd.pFile = &wfi;
if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
bResult = TRUE;
+ else
+ bResult = VerifyFileSignature_Function(Filename);
return bResult;
}
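Review bot: The fallback added at lines 110–111 runs for every WinVerifyTrust failure, and VerifyFileSignature_Function never checks the signature itself: CryptQueryObject (line 68, with phMsg passed as NULL) only extracts the certificates embedded in the file, and the loop accepts the file as soon as any one of them chains under CERT_CHAIN_POLICY_AUTHENTICODE, so a signed binary whose Authenticode digest no longer matches its contents would still be reported as verified as long as its embedded certificate chain is intact. The fallback should be limited to the failure codes the two relaxation bits are meant to tolerate, and ideally the signer should also be tied to the file's own signature (the hMsg CryptQueryObject can return together with CryptMsgGetAndVerifySigner). Inside the new function, the `else if` at line 81 also means PROCESS_PROTECTION_UNAUTHORIZED is ignored whenever PROCESS_PROTECTION_EXPIRED is set; two independent `if` statements would honour both bits. VerifyFileSignature's locals are declared outside the hunk, so `lStatus` below needs a `LONG lStatus;` there.
```c
    lStatus = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd);
    if(lStatus == ERROR_SUCCESS)
        bResult = TRUE;
    else if(((g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED) && lStatus == CERT_E_EXPIRED)
         || ((g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED) && lStatus == CERT_E_UNTRUSTEDROOT))
        bResult = VerifyFileSignature_Function(Filename);
    return bResult;
```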
}
// DLL\82ð\8am\94F
-// \83n\83b\83V\83\85\82ª\93o\98^\82³\82ê\82Ä\82¢\82é\81AAuthenticode\8f\90\96¼\82ª\82³\82ê\82Ä\82¢\82é\81A\82Ü\82½\82ÍWFP\82É\82æ\82é\95Û\8cì\89º\82É\82 \82é\82±\82Æ\82ð\8am\94F
BOOL IsModuleTrusted(LPCWSTR Filename)
{
BOOL bResult;
- BYTE Hash[16];
+ BYTE Hash[20];
bResult = FALSE;
- if(GetMD5HashOfFile(Filename, &Hash))
+ if(LockThreadLock())
{
- if(FindTrustedModuleMD5Hash(&Hash))
- bResult = TRUE;
- }
- if(!bResult)
- {
- if(VerifyFileSignature(Filename))
- bResult = TRUE;
- }
- if(!bResult)
- {
- if(IsSxsModuleTrusted(Filename))
- bResult = TRUE;
- }
- if(!bResult)
- {
- if(SfcIsFileProtected(NULL, Filename))
- bResult = TRUE;
+ if(GetSHA1HashOfFile(Filename, &Hash))
+ {
+ if(FindTrustedModuleSHA1Hash(&Hash))
+ bResult = TRUE;
+ }
+ if(!bResult)
+ {
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_BUILTIN) && VerifyFileSignature(Filename))
+ bResult = TRUE;
+ }
+ if(!bResult)
+ {
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SIDE_BY_SIDE) && IsSxsModuleTrusted(Filename))
+ bResult = TRUE;
+ }
+ if(!bResult)
+ {
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SYSTEM_FILE) && SfcIsFileProtected(NULL, Filename))
+ bResult = TRUE;
+ }
+ UnlockThreadLock();
}
return bResult;
}
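Review bot: The comment that explained what IsModuleTrusted accepts (line 116) was removed and nothing now documents the new g_ProcessProtectionLevel gating, so a reader must reconstruct from the four branches which bit enables which check. I would restore it above the function in English, e.g. `// Trusted when the SHA-1 hash is registered, or, subject to the matching g_ProcessProtectionLevel bit, when the file is Authenticode-signed (BUILTIN), a trusted SxS module (SIDE_BY_SIDE) or WFP-protected (SYSTEM_FILE); every check runs under the thread lock`. A LockThreadLock() failure at line 124 now yields FALSE, which is the safe default but is indistinguishable to the caller from a failed verification, so a one-line comment there (`// lock failure => treat as untrusted`) would make the intent explicit.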
return r;
}
-// \83t\83@\83C\83\8b\82ÌMD5\83n\83b\83V\83\85\82ð\8eæ\93¾
-BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash)
+void SetProcessProtectionLevel(DWORD Level)
+{
+ g_ProcessProtectionLevel = Level;
+}
+
+// \83t\83@\83C\83\8b\82ÌSHA1\83n\83b\83V\83\85\82ð\8eæ\93¾
+BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash)
{
BOOL bResult;
HCRYPTPROV hProv;
bResult = FALSE;
if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
{
- if(CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
+ if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
{
if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
{
{
if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
{
- dw = 16;
+ dw = 20;
if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
bResult = TRUE;
}
}
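Review bot: The move to SHA-1 keeps the allow-list on a digest that is no longer collision-resistant (chosen-prefix collisions are practical), which matters for a table of trusted file hashes because two different files can be made to share one entry; since every width is being changed anyway, CALG_SHA_256 with the PROV_RSA_AES provider (with `dw = 32`) would cost the same few lines. Separately, the second CryptAcquireContextW at line 182 falls back to CRYPT_NEWKEYSET, which creates a persistent key container merely to compute a hash; `CRYPT_VERIFYCONTEXT` is the flag intended for hash-only use and avoids touching the user's key store: `CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)`. The rest of the function, including its handle cleanup, is outside the hunk.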
// DLL\82Ì\83n\83b\83V\83\85\82ð\93o\98^
-BOOL RegisterTrustedModuleMD5Hash(void* pHash)
+BOOL RegisterTrustedModuleSHA1Hash(void* pHash)
{
BOOL bResult;
- BYTE NullHash[16] = {0};
+ BYTE NullHash[20] = {0};
int i;
bResult = FALSE;
- if(FindTrustedModuleMD5Hash(pHash))
+ if(FindTrustedModuleSHA1Hash(pHash))
bResult = TRUE;
else
{
i = 0;
while(i < MAX_TRUSTED_MD5_HASH_TABLE)
{
- if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 20) == 0)
{
- memcpy(&g_TrustedMD5HashTable[i], pHash, 16);
+ memcpy(&g_TrustedMD5HashTable[i], pHash, 20);
bResult = TRUE;
break;
}
}
// DLL\82Ì\83n\83b\83V\83\85\82Ì\93o\98^\82ð\89ð\8f\9c
-BOOL UnregisterTrustedModuleMD5Hash(void* pHash)
+BOOL UnregisterTrustedModuleSHA1Hash(void* pHash)
{
BOOL bResult;
- BYTE NullHash[16] = {0};
+ BYTE NullHash[20] = {0};
int i;
bResult = FALSE;
i = 0;
while(i < MAX_TRUSTED_MD5_HASH_TABLE)
{
- if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
{
- memcpy(&g_TrustedMD5HashTable[i], &NullHash, 16);
+ memcpy(&g_TrustedMD5HashTable[i], &NullHash, 20);
bResult = TRUE;
break;
}