\r
// 次の中から1個のみ有効にする\r
// フック先の関数のコードを書き換える\r
-// 全ての呼び出しをフック可能だが原理的に二重呼び出しに対応できない\r
#define USE_CODE_HOOK\r
// フック先の関数のインポートアドレステーブルを書き換える\r
-// 二重呼び出しが可能だが呼び出し方法によってはフックを回避される\r
//#define USE_IAT_HOOK\r
\r
-// フック対象の関数名 %s\r
-// フック対象の型 _%s\r
-// フック対象のポインタ p_%s\r
-// フック用の関数名 h_%s\r
-// フック対象のコードのバックアップ c_%s\r
-\r
#include <tchar.h>\r
#include <windows.h>\r
#include <ntsecapi.h>\r
#include <sfc.h>\r
#include <tlhelp32.h>\r
#include <imagehlp.h>\r
-#ifdef USE_IAT_HOOK\r
-#include <dbghelp.h>\r
-#endif\r
\r
#define DO_NOT_REPLACE\r
#include "protectprocess.h"\r
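Review bot: The naming-convention comment this hunk deletes (`p_%s`, `h_%s`, `c_%s`) is not replaced, so the `g_<name>` descriptors and `h_<name>` hook functions introduced later in the file no longer have an explanation at the top. Suggest a replacement comment in the same spot, e.g. `// Hook state for a target function: HOOK_FUNCTION_INFO g_<name>` / `// Hook implementation: h_<name>`. The `<dbghelp.h>` include for USE_IAT_HOOK is dropped while that option remains selectable; if the IAT path still needs it (not visible here) the option no longer builds, which is worth a quick check.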
#endif\r
\r
#ifdef USE_CODE_HOOK\r
-#if defined(_X86_)\r
-#define HOOK_JUMP_CODE_LENGTH 5\r
-#elif defined(_AMD64_)\r
+#if defined(_M_IX86)\r
+//#define HOOK_JUMP_CODE_LENGTH 5\r
+#define HOOK_JUMP_CODE_LENGTH 7\r
+#elif defined(_M_AMD64)\r
#define HOOK_JUMP_CODE_LENGTH 14\r
#endif\r
+typedef struct\r
+{\r
+ void* pCode;\r
+ size_t CodeLength;\r
+ BYTE PatchCode[HOOK_JUMP_CODE_LENGTH];\r
+ BYTE BackupCode[HOOK_JUMP_CODE_LENGTH];\r
+} HOOK_JUMP_CODE_PATCH;\r
#endif\r
-\r
-BOOL LockThreadLock();\r
-BOOL UnlockThreadLock();\r
+typedef struct\r
+{\r
+ DWORD Flags;\r
+ LPCTSTR ModuleName;\r
+ HMODULE hModule;\r
+ LPCSTR ProcName;\r
+ FARPROC Proc;\r
+ FARPROC Hook;\r
+ FARPROC Unhook;\r
#ifdef USE_CODE_HOOK\r
-BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore);\r
+ HOOK_JUMP_CODE_PATCH Patch;\r
#endif\r
-#ifdef USE_IAT_HOOK\r
-BOOL HookFunctionInIAT(void* pOriginal, void* pNew);\r
-#endif\r
-HANDLE LockExistingFile(LPCWSTR Filename);\r
-BOOL FindTrustedModuleSHA1Hash(void* pHash);\r
-BOOL VerifyFileSignature(LPCWSTR Filename);\r
-BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename);\r
-BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash);\r
-BOOL IsModuleTrusted(LPCWSTR Filename);\r
+} HOOK_FUNCTION_INFO;\r
\r
-// 変数の宣言\r
-#ifdef USE_CODE_HOOK\r
-#define HOOK_FUNCTION_VAR(name) _##name p_##name;BYTE c_##name[HOOK_JUMP_CODE_LENGTH * 2];\r
-#endif\r
-#ifdef USE_IAT_HOOK\r
-#define HOOK_FUNCTION_VAR(name) _##name p_##name;\r
-#endif\r
-// 関数ポインタを取得\r
-#define GET_FUNCTION(h, name) p_##name = (_##name)GetProcAddress(h, #name)\r
-// フック対象のコードを置換してフックを開始\r
-#define SET_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, FALSE)\r
-// フック対象を呼び出す前に対象のコードを復元\r
-#define BEGIN_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, &c_##name, TRUE)\r
-// フック対象を呼び出した後に対象のコードを置換\r
-#define END_HOOK_FUNCTION(name) HookFunctionInCode(p_##name, h_##name, NULL, FALSE)\r
+#define HOOK_INITIALIZED 0x00000001\r
+#define HOOK_ENABLED 0x00000002\r
+#define HOOK_USE_GETMODULEHANDLE 0x00000004\r
+#define HOOK_USE_LOADLIBRARY 0x00000008\r
+#define HOOK_USE_GETPROCADDRESS 0x00000010\r
+\r
+typedef HMODULE (WINAPI* _LoadLibraryA)(LPCSTR);\r
+typedef HMODULE (WINAPI* _LoadLibraryW)(LPCWSTR);\r
+typedef HMODULE (WINAPI* _LoadLibraryExA)(LPCSTR, HANDLE, DWORD);\r
+typedef HMODULE (WINAPI* _LoadLibraryExW)(LPCWSTR, HANDLE, DWORD);\r
\r
-HOOK_FUNCTION_VAR(LoadLibraryA)\r
-HOOK_FUNCTION_VAR(LoadLibraryW)\r
-HOOK_FUNCTION_VAR(LoadLibraryExA)\r
-HOOK_FUNCTION_VAR(LoadLibraryExW)\r
+HOOK_FUNCTION_INFO g_LoadLibraryA;\r
+HOOK_FUNCTION_INFO g_LoadLibraryW;\r
+HOOK_FUNCTION_INFO g_LoadLibraryExA;\r
+HOOK_FUNCTION_INFO g_LoadLibraryExW;\r
\r
typedef NTSTATUS (NTAPI* _LdrLoadDll)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);\r
typedef NTSTATUS (NTAPI* _LdrGetDllHandle)(LPCWSTR, DWORD*, UNICODE_STRING*, HMODULE*);\r
BYTE g_TrustedSHA1HashTable[MAX_TRUSTED_SHA1_HASH_TABLE][20];\r
WNDPROC g_PasswordEditControlProc;\r
\r
-// 以下フック関数\r
-// フック対象を呼び出す場合は前後でBEGIN_HOOK_FUNCTIONとEND_HOOK_FUNCTIONを実行する必要がある\r
-\r
-HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName)\r
-{\r
- HMODULE r = NULL;\r
- wchar_t* pw0 = NULL;\r
- if(pw0 = DuplicateAtoW(lpLibFileName, -1))\r
- r = LoadLibraryExW(pw0, NULL, 0);\r
- FreeDuplicatedString(pw0);\r
- return r;\r
-}\r
-\r
-HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName)\r
-{\r
- HMODULE r = NULL;\r
- r = LoadLibraryExW(lpLibFileName, NULL, 0);\r
- return r;\r
-}\r
-\r
-HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)\r
-{\r
- HMODULE r = NULL;\r
- wchar_t* pw0 = NULL;\r
- if(pw0 = DuplicateAtoW(lpLibFileName, -1))\r
- r = LoadLibraryExW(pw0, hFile, dwFlags);\r
- FreeDuplicatedString(pw0);\r
- return r;\r
-}\r
-\r
-HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)\r
-{\r
- HMODULE r = NULL;\r
- BOOL bTrusted;\r
- wchar_t* pw0;\r
- HANDLE hLock;\r
- HMODULE hModule;\r
- DWORD Length;\r
- bTrusted = FALSE;\r
- pw0 = NULL;\r
- hLock = NULL;\r
-// if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))\r
- if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040))\r
- bTrusted = TRUE;\r
- if(!bTrusted)\r
- {\r
- if(hModule = System_LoadLibrary(lpLibFileName, NULL, DONT_RESOLVE_DLL_REFERENCES))\r
- {\r
- Length = MAX_PATH;\r
- if(pw0 = AllocateStringW(Length))\r
- {\r
- if(GetModuleFileNameW(hModule, pw0, Length) > 0)\r
- {\r
- while(pw0)\r
- {\r
- if(GetModuleFileNameW(hModule, pw0, Length) + 1 <= Length)\r
- {\r
- lpLibFileName = pw0;\r
- break;\r
- }\r
- Length = Length * 2;\r
- FreeDuplicatedString(pw0);\r
- pw0 = AllocateStringW(Length);\r
- }\r
- }\r
- }\r
- hLock = LockExistingFile(lpLibFileName);\r
- FreeLibrary(hModule);\r
- }\r
- if((g_ProcessProtectionLevel & PROCESS_PROTECTION_LOADED) && GetModuleHandleW(lpLibFileName))\r
- bTrusted = TRUE;\r
- }\r
- if(!bTrusted)\r
- {\r
- if(hLock)\r
- {\r
- if(IsModuleTrusted(lpLibFileName))\r
- bTrusted = TRUE;\r
- }\r
- }\r
- if(bTrusted)\r
- r = System_LoadLibrary(lpLibFileName, hFile, dwFlags);\r
- FreeDuplicatedString(pw0);\r
- if(hLock)\r
- CloseHandle(hLock);\r
- return r;\r
-}\r
-\r
-// 以下ヘルパー関数\r
-\r
-BOOL LockThreadLock()\r
-{\r
- BOOL bResult;\r
- DWORD ThreadId;\r
- DWORD i;\r
- bResult = FALSE;\r
- ThreadId = GetCurrentThreadId();\r
- i = 0;\r
- while(i < MAX_LOCKED_THREAD)\r
- {\r
- if(g_LockedThread[i] == ThreadId)\r
- break;\r
- i++;\r
- }\r
- if(i >= MAX_LOCKED_THREAD)\r
- {\r
- i = 0;\r
- while(i < MAX_LOCKED_THREAD)\r
- {\r
- if(g_LockedThread[i] == 0)\r
- {\r
- g_LockedThread[i] = ThreadId;\r
- bResult = TRUE;\r
- break;\r
- }\r
- i++;\r
- }\r
- }\r
- return bResult;\r
-}\r
-\r
-BOOL UnlockThreadLock()\r
-{\r
- BOOL bResult;\r
- DWORD ThreadId;\r
- DWORD i;\r
- bResult = FALSE;\r
- ThreadId = GetCurrentThreadId();\r
- i = 0;\r
- while(i < MAX_LOCKED_THREAD)\r
- {\r
- if(g_LockedThread[i] == ThreadId)\r
- {\r
- g_LockedThread[i] = 0;\r
- bResult = TRUE;\r
- break;\r
- }\r
- i++;\r
- }\r
- return bResult;\r
-}\r
-\r
#ifdef USE_CODE_HOOK\r
-BOOL HookFunctionInCode(void* pOriginal, void* pNew, void* pBackupCode, BOOL bRestore)\r
+BOOL HookFunctionInCode(void* pProc, void* pHook, void** ppUnhook, HOOK_JUMP_CODE_PATCH* pPatch, BOOL bRestore)\r
{\r
BOOL bResult;\r
bResult = FALSE;\r
-#if defined(_X86_)\r
+#if defined(_M_IX86)\r
{\r
- BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xe9, 0x00, 0x00, 0x00, 0x00};\r
- size_t Relative;\r
DWORD Protect;\r
- Relative = (size_t)pNew - (size_t)pOriginal - HOOK_JUMP_CODE_LENGTH;\r
- memcpy(&JumpCode[1], &Relative, 4);\r
+ BYTE* pCode;\r
+ CHAR c;\r
+ LONG l;\r
+ bResult = FALSE;\r
if(bRestore)\r
{\r
- if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))\r
+ if(VirtualProtect(pPatch->pCode, pPatch->CodeLength, PAGE_EXECUTE_READWRITE, &Protect))\r
{\r
- memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);\r
- VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);\r
+ memcpy(pPatch->pCode, &pPatch->BackupCode, pPatch->CodeLength);\r
+ VirtualProtect(pPatch->pCode, pPatch->CodeLength, Protect, &Protect);\r
+ FlushInstructionCache(GetCurrentProcess(), pPatch->pCode, pPatch->CodeLength);\r
bResult = TRUE;\r
}\r
}\r
else\r
{\r
- if(pBackupCode)\r
- memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);\r
- if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))\r
+ if(!pPatch->pCode)\r
{\r
- memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);\r
- VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);\r
+ pCode = (BYTE*)pProc;\r
+ while(pCode[0] == 0xeb)\r
+ {\r
+ memcpy(&c, pCode + 1, 1);\r
+ pCode = pCode + 2 + c;\r
+ }\r
+ if(pCode[0] == 0x8b && pCode[1] == 0xff)\r
+ {\r
+ pCode = pCode - 5;\r
+ pPatch->pCode = pCode;\r
+ pPatch->CodeLength = 7;\r
+ memcpy(&pPatch->BackupCode, pPatch->pCode, pPatch->CodeLength);\r
+ pPatch->PatchCode[0] = 0xe9;\r
+ l = (long)pHook - ((long)pCode + 5);\r
+ memcpy(&pPatch->PatchCode[1], &l, 4);\r
+ pPatch->PatchCode[5] = 0xeb;\r
+ pPatch->PatchCode[6] = 0xf9;\r
+ *ppUnhook = pCode + 7;\r
+ }\r
+ else if(pCode[0] == 0xe9)\r
+ {\r
+ pPatch->pCode = pCode + 1;\r
+ pPatch->CodeLength = 4;\r
+ memcpy(&pPatch->BackupCode, pPatch->pCode, pPatch->CodeLength);\r
+ l = (long)pHook - ((long)pCode + 5);\r
+ memcpy(&pPatch->PatchCode[0], &l, 4);\r
+ memcpy(&l, pCode + 1, 4);\r
+ *ppUnhook = pCode + 5 + l;\r
+ }\r
+ else\r
+ {\r
+ pPatch->pCode = pCode;\r
+ pPatch->CodeLength = 5;\r
+ memcpy(&pPatch->BackupCode, pPatch->pCode, pPatch->CodeLength);\r
+ pPatch->PatchCode[0] = 0xe9;\r
+ l = (long)pHook - ((long)pCode + 5);\r
+ memcpy(&pPatch->PatchCode[1], &l, 4);\r
+ *ppUnhook = NULL;\r
+ }\r
+ }\r
+ if(VirtualProtect(pPatch->pCode, pPatch->CodeLength, PAGE_EXECUTE_READWRITE, &Protect))\r
+ {\r
+ memcpy(pPatch->pCode, &pPatch->PatchCode, pPatch->CodeLength);\r
+ VirtualProtect(pPatch->pCode, pPatch->CodeLength, Protect, &Protect);\r
+ FlushInstructionCache(GetCurrentProcess(), pPatch->pCode, pPatch->CodeLength);\r
bResult = TRUE;\r
}\r
}\r
}\r
-#elif defined(_AMD64_)\r
+#elif defined(_M_AMD64)\r
{\r
- BYTE JumpCode[HOOK_JUMP_CODE_LENGTH] = {0xff, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};\r
- size_t Absolute;\r
DWORD Protect;\r
- Absolute = (size_t)pNew;\r
- memcpy(&JumpCode[6], &Absolute, 8);\r
+ BYTE* pCode;\r
+ CHAR c;\r
+ LONG l;\r
+ LONGLONG ll;\r
bResult = FALSE;\r
if(bRestore)\r
{\r
- if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))\r
+ if(VirtualProtect(pPatch->pCode, pPatch->CodeLength, PAGE_EXECUTE_READWRITE, &Protect))\r
{\r
- memcpy(pOriginal, pBackupCode, HOOK_JUMP_CODE_LENGTH);\r
- VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);\r
+ memcpy(pPatch->pCode, &pPatch->BackupCode, pPatch->CodeLength);\r
+ VirtualProtect(pPatch->pCode, pPatch->CodeLength, Protect, &Protect);\r
+ FlushInstructionCache(GetCurrentProcess(), pPatch->pCode, pPatch->CodeLength);\r
bResult = TRUE;\r
}\r
}\r
else\r
{\r
- if(pBackupCode)\r
- memcpy(pBackupCode, pOriginal, HOOK_JUMP_CODE_LENGTH);\r
- if(VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, PAGE_EXECUTE_READWRITE, &Protect))\r
+ if(!pPatch->pCode)\r
{\r
- memcpy(pOriginal, &JumpCode, HOOK_JUMP_CODE_LENGTH);\r
- VirtualProtect(pOriginal, HOOK_JUMP_CODE_LENGTH, Protect, &Protect);\r
+ pCode = (BYTE*)pProc;\r
+ if(pCode[0] == 0x48)\r
+ pCode = pCode + 1;\r
+ while(pCode[0] == 0xeb || pCode[0] == 0xe9)\r
+ {\r
+ if(pCode[0] == 0xeb)\r
+ {\r
+ memcpy(&c, pCode + 1, 1);\r
+ pCode = pCode + 2 + c;\r
+ }\r
+ else\r
+ {\r
+ memcpy(&l, pCode + 1, 4);\r
+ pCode = pCode + 5 + l;\r
+ }\r
+ if(pCode[0] == 0x48)\r
+ pCode++;\r
+ }\r
+ if(pCode[0] == 0xff && pCode[1] == 0x25)\r
+ {\r
+ memcpy(&l, pCode + 2, 4);\r
+ pPatch->pCode = pCode + 6 + l;\r
+ pPatch->CodeLength = 8;\r
+ memcpy(&pPatch->BackupCode, pPatch->pCode, pPatch->CodeLength);\r
+ memcpy(&pPatch->PatchCode[0], &pHook, 8);\r
+ memcpy(&ll, pCode + 6 + l, 8);\r
+ *ppUnhook = (void*)ll;\r
+ }\r
+ else\r
+ {\r
+ pPatch->pCode = pCode;\r
+ pPatch->CodeLength = 14;\r
+ memcpy(&pPatch->BackupCode, pPatch->pCode, pPatch->CodeLength);\r
+ pPatch->PatchCode[0] = 0xff;\r
+ pPatch->PatchCode[1] = 0x25;\r
+ l = 0;\r
+ memcpy(&pPatch->PatchCode[2], &l, 4);\r
+ memcpy(&pPatch->PatchCode[6], &pHook, 8);\r
+ *ppUnhook = NULL;\r
+ }\r
+ }\r
+ if(VirtualProtect(pPatch->pCode, pPatch->CodeLength, PAGE_EXECUTE_READWRITE, &Protect))\r
+ {\r
+ memcpy(pPatch->pCode, &pPatch->PatchCode, pPatch->CodeLength);\r
+ VirtualProtect(pPatch->pCode, pPatch->CodeLength, Protect, &Protect);\r
+ FlushInstructionCache(GetCurrentProcess(), pPatch->pCode, pPatch->CodeLength);\r
bResult = TRUE;\r
}\r
}\r
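Review bot: In the x86 hot-patch branch of HookFunctionInCode (`pCode[0] == 0x8b && pCode[1] == 0xff`) the five bytes in front of `mov edi,edi` are overwritten without checking that they are padding, and the whole 7-byte patch is then written with a single `memcpy`, so a thread that is inside the prologue at that moment can execute a half-written instruction. The hot-patch layout is meant to be applied in two steps: the `jmp rel32` goes into the padding first, where nothing executes it yet, and only then is the 2-byte `jmp $-5` stored over `mov edi,edi` as one word-sized write (the entry point is normally aligned, which is what makes that store atomic); the restore path `memcpy(pPatch->pCode, &pPatch->BackupCode, pPatch->CodeLength)` should run in the opposite order. Checking that the padding really is `0xcc` or `0x90` before taking this branch also stops the hook from trampling the tail of the previous function when a module without hot-patch padding is loaded. The AMD64 block and the function's return are beyond the end of this hunk.
```c
// TRUE when the 5 bytes before a hot-patchable prologue are int3/nop padding
static BOOL IsHotPatchPadding(const BYTE* p)
{
	int i;
	for(i = 0; i < 5; i++)
		if(p[i] != 0xcc && p[i] != 0x90)
			return FALSE;
	return TRUE;
}

			if(pCode[0] == 0x8b && pCode[1] == 0xff && IsHotPatchPadding(pCode - 5))
			{
				// … unchanged: pCode -= 5, fill pPatch (CodeLength 7), *ppUnhook = pCode + 7 …
			}
			// … unchanged: 0xe9 case and plain 5-byte case …
		}
		if(VirtualProtect(pPatch->pCode, pPatch->CodeLength, PAGE_EXECUTE_READWRITE, &Protect))
		{
			if(pPatch->CodeLength == 7)
			{
				// long jump into the padding first (not reachable yet), then the
				// short jump over mov edi,edi as a single 2-byte store
				SHORT s;
				memcpy(pPatch->pCode, &pPatch->PatchCode[0], 5);
				memcpy(&s, &pPatch->PatchCode[5], sizeof(s));
				*(volatile SHORT*)((BYTE*)pPatch->pCode + 5) = s;
			}
			else
				memcpy(pPatch->pCode, &pPatch->PatchCode, pPatch->CodeLength);
			// … unchanged: VirtualProtect back, FlushInstructionCache, bResult = TRUE …
		}
```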
#endif\r
\r
#ifdef USE_IAT_HOOK\r
-BOOL HookFunctionInIAT(void* pOriginal, void* pNew)\r
+BOOL HookFunctionInIAT(void* pProc, void* pHook, void** ppUnhook)\r
{\r
BOOL bResult;\r
HANDLE hSnapshot;\r
pitd = (IMAGE_THUNK_DATA*)((BYTE*)me.hModule + piid->FirstThunk);\r
while(!bFound && pitd->u1.Function != 0)\r
{\r
- if((void*)pitd->u1.Function == pOriginal)\r
+ if((void*)pitd->u1.Function == pProc)\r
{\r
bFound = TRUE;\r
if(VirtualProtect(&pitd->u1.Function, sizeof(void*), PAGE_EXECUTE_READWRITE, &Protect))\r
{\r
- memcpy(&pitd->u1.Function, &pNew, sizeof(void*));\r
+ memcpy(&pitd->u1.Function, &pHook, sizeof(void*));\r
VirtualProtect(&pitd->u1.Function, sizeof(void*), Protect, &Protect);\r
+ *ppUnhook = pProc;\r
bResult = TRUE;\r
}\r
}\r
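Review bot: The IAT slot is made writable with `VirtualProtect(&pitd->u1.Function, sizeof(void*), PAGE_EXECUTE_READWRITE, &Protect)`, but the import table is data, so `PAGE_READWRITE` is enough; asking for execute on a writable page is exactly what W^X-style mitigations flag and it buys nothing here. `*ppUnhook = pProc` also runs when EnableHookFunction calls this function with the arguments swapped to disable the hook, leaving `Unhook` pointing at the hook function afterwards; setting it to NULL on that path, or only on a successful enable, avoids a stale pointer if anything reads it. HookFunctionInIAT starts before and ends after this hunk.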
}\r
#endif\r
\r
+BOOL InitializeHookFunction(HOOK_FUNCTION_INFO* pInfo)\r
+{\r
+ BOOL bResult;\r
+ bResult = FALSE;\r
+ if(!(pInfo->Flags & HOOK_INITIALIZED))\r
+ {\r
+ if(pInfo->Flags & HOOK_USE_GETMODULEHANDLE)\r
+ pInfo->hModule = GetModuleHandle(pInfo->ModuleName);\r
+ if(pInfo->Flags & HOOK_USE_LOADLIBRARY)\r
+ pInfo->hModule = LoadLibrary(pInfo->ModuleName);\r
+ if(pInfo->Flags & HOOK_USE_GETPROCADDRESS)\r
+ pInfo->Proc = GetProcAddress(pInfo->hModule, pInfo->ProcName);\r
+ if(pInfo->Proc)\r
+ {\r
+ pInfo->Flags |= HOOK_INITIALIZED;\r
+ bResult = TRUE;\r
+ }\r
+ }\r
+ return bResult;\r
+}\r
+\r
+void UninitializeHookFunction(HOOK_FUNCTION_INFO* pInfo)\r
+{\r
+ if(pInfo->Flags & HOOK_INITIALIZED)\r
+ {\r
+ if(pInfo->Flags & HOOK_USE_LOADLIBRARY)\r
+ FreeLibrary(pInfo->hModule);\r
+ pInfo->Flags &= ~HOOK_INITIALIZED;\r
+ }\r
+}\r
+\r
+BOOL EnableHookFunction(HOOK_FUNCTION_INFO* pInfo, BOOL bEnable)\r
+{\r
+ BOOL bResult;\r
+ bResult = FALSE;\r
+ if(pInfo->Flags & HOOK_INITIALIZED)\r
+ {\r
+ if(bEnable)\r
+ {\r
+ if(!(pInfo->Flags & HOOK_ENABLED))\r
+ {\r
+#ifdef USE_CODE_HOOK\r
+ if(HookFunctionInCode(pInfo->Proc, pInfo->Hook, (void**)&pInfo->Unhook, &pInfo->Patch, FALSE))\r
+ {\r
+ pInfo->Flags |= HOOK_ENABLED;\r
+ bResult = TRUE;\r
+ }\r
+#endif\r
+#ifdef USE_IAT_HOOK\r
+ if(HookFunctionInIAT(pInfo->Proc, pInfo->Hook, (void**)&pInfo->Unhook))\r
+ {\r
+ pInfo->Flags |= HOOK_ENABLED;\r
+ bResult = TRUE;\r
+ }\r
+#endif\r
+ }\r
+ }\r
+ else\r
+ {\r
+ if(pInfo->Flags & HOOK_ENABLED)\r
+ {\r
+#ifdef USE_CODE_HOOK\r
+ if(HookFunctionInCode(pInfo->Proc, pInfo->Hook, (void**)&pInfo->Unhook, &pInfo->Patch, TRUE))\r
+ {\r
+ pInfo->Flags &= ~HOOK_ENABLED;\r
+ bResult = TRUE;\r
+ }\r
+#endif\r
+#ifdef USE_IAT_HOOK\r
+ if(HookFunctionInIAT(pInfo->Hook, pInfo->Proc, (void**)&pInfo->Unhook))\r
+ {\r
+ pInfo->Flags &= ~HOOK_ENABLED;\r
+ bResult = TRUE;\r
+ }\r
+#endif\r
+ }\r
+ }\r
+ }\r
+ return bResult;\r
+}\r
+\r
+BOOL LockThreadLock()\r
+{\r
+ BOOL bResult;\r
+ DWORD ThreadId;\r
+ DWORD i;\r
+ bResult = FALSE;\r
+ ThreadId = GetCurrentThreadId();\r
+ i = 0;\r
+ while(i < MAX_LOCKED_THREAD)\r
+ {\r
+ if(g_LockedThread[i] == ThreadId)\r
+ break;\r
+ i++;\r
+ }\r
+ if(i >= MAX_LOCKED_THREAD)\r
+ {\r
+ i = 0;\r
+ while(i < MAX_LOCKED_THREAD)\r
+ {\r
+ if(g_LockedThread[i] == 0)\r
+ {\r
+ g_LockedThread[i] = ThreadId;\r
+ bResult = TRUE;\r
+ break;\r
+ }\r
+ i++;\r
+ }\r
+ }\r
+ return bResult;\r
+}\r
+\r
+BOOL UnlockThreadLock()\r
+{\r
+ BOOL bResult;\r
+ DWORD ThreadId;\r
+ DWORD i;\r
+ bResult = FALSE;\r
+ ThreadId = GetCurrentThreadId();\r
+ i = 0;\r
+ while(i < MAX_LOCKED_THREAD)\r
+ {\r
+ if(g_LockedThread[i] == ThreadId)\r
+ {\r
+ g_LockedThread[i] = 0;\r
+ bResult = TRUE;\r
+ break;\r
+ }\r
+ i++;\r
+ }\r
+ return bResult;\r
+}\r
+\r
// ファイルを変更不能に設定\r
HANDLE LockExistingFile(LPCWSTR Filename)\r
{\r
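Review bot: InitializeHookFunction leaks a module reference on its failure path: when `HOOK_USE_LOADLIBRARY` succeeded but `GetProcAddress` returns NULL, it returns FALSE without setting `HOOK_INITIALIZED`, so UninitializeHookFunction will never call FreeLibrary for that `hModule`. `GetProcAddress` is also called with whatever `hModule` holds, including NULL when GetModuleHandle/LoadLibrary failed. The replacement below frees the module on that path and skips the lookup when there is no module. LockThreadLock/UnlockThreadLock are moved here unchanged but still scan and update `g_LockedThread` without any synchronisation, so two threads can both see the same free slot and one of them ends up believing it holds a lock that was never recorded; that predates this change but deserves a follow-up.
```c
	if(pInfo->Flags & HOOK_USE_GETPROCADDRESS)
		pInfo->Proc = pInfo->hModule ? GetProcAddress(pInfo->hModule, pInfo->ProcName) : NULL;
	if(pInfo->Proc)
	{
		pInfo->Flags |= HOOK_INITIALIZED;
		bResult = TRUE;
	}
	else if((pInfo->Flags & HOOK_USE_LOADLIBRARY) && pInfo->hModule)
	{
		// lookup failed: release the reference LoadLibrary took, nobody else will
		FreeLibrary(pInfo->hModule);
		pInfo->hModule = NULL;
	}
```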
return bResult;\r
}\r
\r
+// 以下フック関数\r
+\r
+HMODULE WINAPI h_LoadLibraryA(LPCSTR lpLibFileName)\r
+{\r
+ HMODULE r = NULL;\r
+ wchar_t* pw0 = NULL;\r
+ if(pw0 = DuplicateAtoW(lpLibFileName, -1))\r
+ r = LoadLibraryExW(pw0, NULL, 0);\r
+ FreeDuplicatedString(pw0);\r
+ return r;\r
+}\r
+\r
+HMODULE WINAPI h_LoadLibraryW(LPCWSTR lpLibFileName)\r
+{\r
+ HMODULE r = NULL;\r
+ r = LoadLibraryExW(lpLibFileName, NULL, 0);\r
+ return r;\r
+}\r
+\r
+HMODULE WINAPI h_LoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)\r
+{\r
+ HMODULE r = NULL;\r
+ wchar_t* pw0 = NULL;\r
+ if(pw0 = DuplicateAtoW(lpLibFileName, -1))\r
+ r = LoadLibraryExW(pw0, hFile, dwFlags);\r
+ FreeDuplicatedString(pw0);\r
+ return r;\r
+}\r
+\r
+HMODULE WINAPI h_LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)\r
+{\r
+ HMODULE r = NULL;\r
+ BOOL bTrusted;\r
+ wchar_t* pw0;\r
+ HANDLE hLock;\r
+ HMODULE hModule;\r
+ DWORD Length;\r
+ bTrusted = FALSE;\r
+ pw0 = NULL;\r
+ hLock = NULL;\r
+// if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))\r
+ if(dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040))\r
+ bTrusted = TRUE;\r
+ if(!bTrusted)\r
+ {\r
+ if(hModule = System_LoadLibrary(lpLibFileName, NULL, DONT_RESOLVE_DLL_REFERENCES))\r
+ {\r
+ Length = MAX_PATH;\r
+ if(pw0 = AllocateStringW(Length))\r
+ {\r
+ if(GetModuleFileNameW(hModule, pw0, Length) > 0)\r
+ {\r
+ while(pw0)\r
+ {\r
+ if(GetModuleFileNameW(hModule, pw0, Length) + 1 <= Length)\r
+ {\r
+ lpLibFileName = pw0;\r
+ break;\r
+ }\r
+ Length = Length * 2;\r
+ FreeDuplicatedString(pw0);\r
+ pw0 = AllocateStringW(Length);\r
+ }\r
+ }\r
+ }\r
+ hLock = LockExistingFile(lpLibFileName);\r
+ FreeLibrary(hModule);\r
+ }\r
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_LOADED) && GetModuleHandleW(lpLibFileName))\r
+ bTrusted = TRUE;\r
+ }\r
+ if(!bTrusted)\r
+ {\r
+ if(hLock)\r
+ {\r
+ if(IsModuleTrusted(lpLibFileName))\r
+ bTrusted = TRUE;\r
+ }\r
+ }\r
+ if(bTrusted)\r
+ r = System_LoadLibrary(lpLibFileName, hFile, dwFlags);\r
+ FreeDuplicatedString(pw0);\r
+ if(hLock)\r
+ CloseHandle(hLock);\r
+ return r;\r
+}\r
+\r
// kernel32.dllのLoadLibraryExW相当の関数\r
// ドキュメントが無いため詳細は不明\r
// 一部のウィルス対策ソフト(Avast!等)がLdrLoadDllをフックしているためLdrLoadDllを書き換えるべきではない\r
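Review bot: In h_LoadLibraryExW the trust shortcut tests `dwFlags & (DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE | 0x00000020 | 0x00000040)`, with the two raw values standing in for `LOAD_LIBRARY_AS_IMAGE_RESOURCE` and `LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE` according to the commented-out line above it, and `0x00000040` recurs in the function that follows (presumably System_LoadLibrary). Giving them names keeps the intent of the shortcut readable and lets the compiler catch a typo: `#ifndef LOAD_LIBRARY_AS_IMAGE_RESOURCE` / `#define LOAD_LIBRARY_AS_IMAGE_RESOURCE 0x00000020` / `#endif`, the same for `LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE 0x00000040`, then use the names in both masks. The hook functions are moved rather than changed in this hunk, so this is a follow-up rather than a regression.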
HANDLE hDataFile;\r
HANDLE hMapping;\r
DWORD DllFlags;\r
- us.Length = sizeof(wchar_t) * wcslen(lpLibFileName);\r
- us.MaximumLength = sizeof(wchar_t) * (wcslen(lpLibFileName) + 1);\r
+ us.Length = sizeof(wchar_t) * (USHORT)wcslen(lpLibFileName);\r
+ us.MaximumLength = sizeof(wchar_t) * ((USHORT)wcslen(lpLibFileName) + 1);\r
us.Buffer = (PWSTR)lpLibFileName;\r
// if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE))\r
if(dwFlags & (LOAD_LIBRARY_AS_DATAFILE | 0x00000040))\r
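Review bot: The new `(USHORT)wcslen(lpLibFileName)` casts silence the conversion warning but turn a long path into a silently truncated UNICODE_STRING: `Length` wraps to 0 at 32768 characters, and `MaximumLength` wraps already at 32767 because `2 * (32767 + 1)` does not fit in a USHORT, so the string handed to the loader no longer describes the buffer. Check the length before building the string and fail the call instead, e.g. `if(wcslen(lpLibFileName) >= USHRT_MAX / sizeof(wchar_t)) return <failure value of this function>;` with `USHRT_MAX` from `<limits.h>`. The enclosing function starts before and ends after this hunk, so its failure value is not visible here.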
g_ProcessProtectionLevel = Level;\r
}\r
\r
-// ã\83\95ã\82¡ã\82¤ã\83«のSHA1ハッシュを取得\r
-BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash)\r
+// ã\83¡ã\83¢ã\83ªのSHA1ハッシュを取得\r
+BOOL GetSHA1HashOfMemory(const void* pData, DWORD Size, void* pHash)\r
{\r
BOOL bResult;\r
HCRYPTPROV hProv;\r
HCRYPTHASH hHash;\r
- HANDLE hFile;\r
- DWORD Size;\r
- void* pData;\r
DWORD dw;\r
bResult = FALSE;\r
if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))\r
{\r
if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))\r
{\r
- if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)\r
+ if(CryptHashData(hHash, (BYTE*)pData, Size, 0))\r
{\r
- Size = GetFileSize(hFile, NULL);\r
- if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))\r
- {\r
- VirtualLock(pData, Size);\r
- if(ReadFile(hFile, pData, Size, &dw, NULL))\r
- {\r
- if(CryptHashData(hHash, (BYTE*)pData, Size, 0))\r
- {\r
- dw = 20;\r
- if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))\r
- bResult = TRUE;\r
- }\r
- }\r
- VirtualUnlock(pData, Size);\r
- VirtualFree(pData, Size, MEM_DECOMMIT);\r
- }\r
- CloseHandle(hFile);\r
+ dw = 20;\r
+ if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))\r
+ bResult = TRUE;\r
}\r
CryptDestroyHash(hHash);\r
}\r
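Review bot: GetSHA1HashOfMemory keeps the `CryptAcquireContextW(..., PROV_RSA_FULL, 0) || CryptAcquireContextW(..., CRYPT_NEWKEYSET)` pair, which opens, and on first use creates, a persistent key container even though only hashing is needed; `CRYPT_VERIFYCONTEXT` is the flag intended for hash/verify-only callers and needs no container: `if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))`. The signature takes `DWORD Size` because `CryptHashData` does, so callers with larger buffers must split the input; a one-line comment on the declaration saying so would help. The release of `hProv` lies outside this hunk, so I cannot confirm it is paired.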
return bResult;\r
}\r
\r
+// ファイルのSHA1ハッシュを取得\r
+BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash)\r
+{\r
+ BOOL bResult;\r
+ HANDLE hFile;\r
+ DWORD Size;\r
+ void* pData;\r
+ DWORD dw;\r
+ bResult = FALSE;\r
+ if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)\r
+ {\r
+ Size = GetFileSize(hFile, NULL);\r
+ if(pData = VirtualAlloc(NULL, Size, MEM_COMMIT, PAGE_READWRITE))\r
+ {\r
+ VirtualLock(pData, Size);\r
+ if(ReadFile(hFile, pData, Size, &dw, NULL))\r
+ {\r
+ if(GetSHA1HashOfMemory(pData, Size, pHash))\r
+ bResult = TRUE;\r
+ }\r
+ VirtualUnlock(pData, Size);\r
+ VirtualFree(pData, Size, MEM_DECOMMIT);\r
+ }\r
+ CloseHandle(hFile);\r
+ }\r
+ return bResult;\r
+}\r
+\r
// DLLのハッシュを登録\r
BOOL RegisterTrustedModuleSHA1Hash(void* pHash)\r
{\r
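Review bot: GetSHA1HashOfFile hashes whatever ReadFile delivered without comparing the byte count with `Size`, and `GetFileSize` is used without checking for `INVALID_FILE_SIZE` or the high dword, so a short read or a file the function cannot size yields a digest of a partly zero-filled buffer rather than a failure. Presumably the digest is then compared with the trusted table, which fails closed, but it makes the cause hard to diagnose; change the read check to `if(ReadFile(hFile, pData, Size, &dw, NULL) && dw == Size)` and bail out when `GetFileSize` returns `INVALID_FILE_SIZE`. `VirtualFree(pData, Size, MEM_DECOMMIT)` also leaves the reservation in place; `VirtualFree(pData, 0, MEM_RELEASE)` returns the address space as well.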
BOOL bResult;\r
HMODULE hModule;\r
bResult = TRUE;\r
- if(!(hModule = GetModuleHandleW(L"kernel32.dll")))\r
+ memset(&g_LoadLibraryA, 0, sizeof(HOOK_FUNCTION_INFO));\r
+ g_LoadLibraryA.Flags = HOOK_USE_GETMODULEHANDLE | HOOK_USE_GETPROCADDRESS;\r
+ g_LoadLibraryA.ModuleName = _T("kernel32.dll");\r
+ g_LoadLibraryA.ProcName = "LoadLibraryA";\r
+ g_LoadLibraryA.Hook = (FARPROC)h_LoadLibraryA;\r
+ if(!InitializeHookFunction(&g_LoadLibraryA))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, LoadLibraryA)))\r
+ memset(&g_LoadLibraryW, 0, sizeof(HOOK_FUNCTION_INFO));\r
+ g_LoadLibraryW.Flags = HOOK_USE_GETMODULEHANDLE | HOOK_USE_GETPROCADDRESS;\r
+ g_LoadLibraryW.ModuleName = _T("kernel32.dll");\r
+ g_LoadLibraryW.ProcName = "LoadLibraryW";\r
+ g_LoadLibraryW.Hook = (FARPROC)h_LoadLibraryW;\r
+ if(!InitializeHookFunction(&g_LoadLibraryW))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, LoadLibraryW)))\r
+ memset(&g_LoadLibraryExA, 0, sizeof(HOOK_FUNCTION_INFO));\r
+ g_LoadLibraryExA.Flags = HOOK_USE_GETMODULEHANDLE | HOOK_USE_GETPROCADDRESS;\r
+ g_LoadLibraryExA.ModuleName = _T("kernel32.dll");\r
+ g_LoadLibraryExA.ProcName = "LoadLibraryExA";\r
+ g_LoadLibraryExA.Hook = (FARPROC)h_LoadLibraryExA;\r
+ if(!InitializeHookFunction(&g_LoadLibraryExA))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, LoadLibraryExA)))\r
- bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, LoadLibraryExW)))\r
+ memset(&g_LoadLibraryExW, 0, sizeof(HOOK_FUNCTION_INFO));\r
+ g_LoadLibraryExW.Flags = HOOK_USE_GETMODULEHANDLE | HOOK_USE_GETPROCADDRESS;\r
+ g_LoadLibraryExW.ModuleName = _T("kernel32.dll");\r
+ g_LoadLibraryExW.ProcName = "LoadLibraryExW";\r
+ g_LoadLibraryExW.Hook = (FARPROC)h_LoadLibraryExW;\r
+ if(!InitializeHookFunction(&g_LoadLibraryExW))\r
bResult = FALSE;\r
if(!(hModule = GetModuleHandleW(L"ntdll.dll")))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, LdrLoadDll)))\r
+ if(!(p_LdrLoadDll = (_LdrLoadDll)GetProcAddress(hModule, "LdrLoadDll")))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, LdrGetDllHandle)))\r
+ if(!(p_LdrGetDllHandle = (_LdrGetDllHandle)GetProcAddress(hModule, "LdrGetDllHandle")))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, RtlImageNtHeader)))\r
+ if(!(p_RtlImageNtHeader = (_RtlImageNtHeader)GetProcAddress(hModule, "RtlImageNtHeader")))\r
bResult = FALSE;\r
if(!(hModule = LoadLibraryW(L"wintrust.dll")))\r
bResult = FALSE;\r
- if(!(GET_FUNCTION(hModule, CryptCATAdminCalcHashFromFileHandle)))\r
+ if(!(p_CryptCATAdminCalcHashFromFileHandle = (_CryptCATAdminCalcHashFromFileHandle)GetProcAddress(hModule, "CryptCATAdminCalcHashFromFileHandle")))\r
bResult = FALSE;\r
// バグ対策\r
ImageGetDigestStream(NULL, 0, NULL, NULL);\r
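Review bot: The four kernel32 hook descriptors are initialised with identical five-statement blocks that differ only in the procedure name and hook pointer, which invites a copy-paste slip (the macro form this replaces at least kept the name in one place). A small static helper keeps each registration to one line and one place to get the flags right, as below. Separately, `LoadLibraryW(L"wintrust.dll")` (unchanged here) loads by bare name; for a module whose job is to vet DLL loads, `LoadLibraryExW(L"wintrust.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)` where that flag is available, or a full system-directory path, closes the search-order gap.
```c
// one kernel32 export hooked through GetModuleHandle + GetProcAddress
static BOOL SetupKernel32Hook(HOOK_FUNCTION_INFO* pInfo, LPCSTR ProcName, FARPROC Hook)
{
	memset(pInfo, 0, sizeof(HOOK_FUNCTION_INFO));
	pInfo->Flags = HOOK_USE_GETMODULEHANDLE | HOOK_USE_GETPROCADDRESS;
	pInfo->ModuleName = _T("kernel32.dll");
	pInfo->ProcName = ProcName;
	pInfo->Hook = Hook;
	return InitializeHookFunction(pInfo);
}

	// … in the initialisation function, replacing the four blocks …
	if(!SetupKernel32Hook(&g_LoadLibraryA, "LoadLibraryA", (FARPROC)h_LoadLibraryA))
		bResult = FALSE;
	// … same for LoadLibraryW, LoadLibraryExA, LoadLibraryExW …
```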
BOOL EnableLoadLibraryHook(BOOL bEnable)\r
{\r
BOOL bResult;\r
- bResult = FALSE;\r
- if(bEnable)\r
- {\r
- bResult = TRUE;\r
-#ifdef USE_CODE_HOOK\r
- if(!SET_HOOK_FUNCTION(LoadLibraryA))\r
- bResult = FALSE;\r
- if(!SET_HOOK_FUNCTION(LoadLibraryW))\r
- bResult = FALSE;\r
- if(!SET_HOOK_FUNCTION(LoadLibraryExA))\r
- bResult = FALSE;\r
- if(!SET_HOOK_FUNCTION(LoadLibraryExW))\r
- bResult = FALSE;\r
-#endif\r
-#ifdef USE_IAT_HOOK\r
- if(!HookFunctionInIAT(p_LoadLibraryA, h_LoadLibraryA))\r
- bResult = FALSE;\r
- if(!HookFunctionInIAT(p_LoadLibraryW, h_LoadLibraryW))\r
- bResult = FALSE;\r
- if(!HookFunctionInIAT(p_LoadLibraryExA, h_LoadLibraryExA))\r
- bResult = FALSE;\r
- if(!HookFunctionInIAT(p_LoadLibraryExW, h_LoadLibraryExW))\r
- bResult = FALSE;\r
-#endif\r
- }\r
- else\r
- {\r
- bResult = TRUE;\r
-#ifdef USE_CODE_HOOK\r
- if(!BEGIN_HOOK_FUNCTION(LoadLibraryA))\r
- bResult = FALSE;\r
- if(!BEGIN_HOOK_FUNCTION(LoadLibraryW))\r
- bResult = FALSE;\r
- if(!BEGIN_HOOK_FUNCTION(LoadLibraryExA))\r
- bResult = FALSE;\r
- if(!BEGIN_HOOK_FUNCTION(LoadLibraryExW))\r
- bResult = FALSE;\r
-#endif\r
-#ifdef USE_IAT_HOOK\r
- if(!HookFunctionInIAT(h_LoadLibraryA, p_LoadLibraryA))\r
- bResult = FALSE;\r
- if(!HookFunctionInIAT(h_LoadLibraryW, p_LoadLibraryW))\r
- bResult = FALSE;\r
- if(!HookFunctionInIAT(h_LoadLibraryExA, p_LoadLibraryExA))\r
- bResult = FALSE;\r
- if(!HookFunctionInIAT(h_LoadLibraryExW, p_LoadLibraryExW))\r
- bResult = FALSE;\r
-#endif\r
- }\r
+ bResult = TRUE;\r
+ if(!EnableHookFunction(&g_LoadLibraryA, bEnable))\r
+ bResult = FALSE;\r
+ if(!EnableHookFunction(&g_LoadLibraryW, bEnable))\r
+ bResult = FALSE;\r
+ if(!EnableHookFunction(&g_LoadLibraryExA, bEnable))\r
+ bResult = FALSE;\r
+ if(!EnableHookFunction(&g_LoadLibraryExW, bEnable))\r
+ bResult = FALSE;\r
return bResult;\r
}\r
\r
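Review bot: EnableLoadLibraryHook returns FALSE when any of the four EnableHookFunction calls fails but leaves the ones that succeeded installed, so a caller that sees FALSE cannot tell whether LoadLibraryA/W are hooked; on the enable path that is a partial-coverage state the caller can only undo by calling again with FALSE. Either document this on the function (`// on FALSE some hooks may still be installed; call with FALSE to roll back`) or roll back inside it as below. EnableHookFunction already takes the descriptor, so the four calls could also iterate a small table instead of being spelled out.
```c
	bResult = TRUE;
	// … unchanged: the four EnableHookFunction(&g_..., bEnable) calls …
	if(!bResult && bEnable)
	{
		// partial success is not a usable state: take back the hooks that did install
		EnableHookFunction(&g_LoadLibraryA, FALSE);
		EnableHookFunction(&g_LoadLibraryW, FALSE);
		EnableHookFunction(&g_LoadLibraryExA, FALSE);
		EnableHookFunction(&g_LoadLibraryExW, FALSE);
	}
	return bResult;
```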