\r
// プロセス保護\r
#ifdef ENABLE_PROCESS_PROTECTION\r
- BOOL bProtect;\r
+ DWORD ProtectLevel;\r
char* pCommand;\r
char Option[FMAX_PATH+1];\r
- bProtect = FALSE;\r
+ ProtectLevel = PROCESS_PROTECTION_NONE;\r
pCommand = lpszCmdLine;\r
while(pCommand = GetToken(pCommand, Option))\r
{\r
if(strcmp(Option, "--protect") == 0)\r
{\r
- bProtect = TRUE;\r
+ ProtectLevel = PROCESS_PROTECTION_DEFAULT;\r
+ break;\r
+ }\r
+ else if(strcmp(Option, "--protect-high") == 0)\r
+ {\r
+ ProtectLevel = PROCESS_PROTECTION_HIGH;\r
+ break;\r
+ }\r
+ else if(strcmp(Option, "--protect-medium") == 0)\r
+ {\r
+ ProtectLevel = PROCESS_PROTECTION_MEDIUM;\r
+ break;\r
+ }\r
+ else if(strcmp(Option, "--protect-low") == 0)\r
+ {\r
+ ProtectLevel = PROCESS_PROTECTION_LOW;\r
break;\r
}\r
}\r
- if(bProtect)\r
+ if(ProtectLevel != PROCESS_PROTECTION_NONE)\r
{\r
+ SetProcessProtectionLevel(ProtectLevel);\r
if(!InitializeLoadLibraryHook())\r
{\r
MessageBox(NULL, MSGJPN321, "FFFTP", MB_OK | MB_ICONERROR);\r
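Review bot: The new `--protect*` chain at L13–L33 stops at the first matching switch and maps plain `--protect` to `PROCESS_PROTECTION_DEFAULT`, but none of that is stated where a reader of the command-line parser would look. I would add above the `while` at L11 the comment `// first --protect* switch wins; plain --protect selects PROCESS_PROTECTION_DEFAULT (see the header for the level bitmasks)`. The call order at L38–L39 (level set before `InitializeLoadLibraryHook()`) matters for the hook, so a one-liner there too: `// level must be set before the hook reads g_ProcessProtectionLevel`. The enclosing function begins before and ends after this hunk.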
else if(strcmp(Tmp, "--protect") == 0)\r
{\r
}\r
+ else if(strcmp(Tmp, "--protect-high") == 0)\r
+ {\r
+ }\r
+ else if(strcmp(Tmp, "--protect-medium") == 0)\r
+ {\r
+ }\r
+ else if(strcmp(Tmp, "--protect-low") == 0)\r
+ {\r
+ }\r
#endif\r
else\r
{\r
BOOL HookFunctionInIAT(void* pOriginal, void* pNew);
#endif
HANDLE LockExistingFile(LPCWSTR Filename);
-BOOL FindTrustedModuleMD5Hash(void* pHash);
+BOOL FindTrustedModuleSHA1Hash(void* pHash);
BOOL VerifyFileSignature(LPCWSTR Filename);
BOOL VerifyFileSignatureInCatalog(LPCWSTR Catalog, LPCWSTR Filename);
BOOL GetSHA1HashOfModule(LPCWSTR Filename, void* pHash);
#define MAX_TRUSTED_FILENAME_TABLE 16
#define MAX_TRUSTED_MD5_HASH_TABLE 16
+DWORD g_ProcessProtectionLevel;
DWORD g_LockedThread[MAX_LOCKED_THREAD];
WCHAR* g_pTrustedFilenameTable[MAX_TRUSTED_FILENAME_TABLE];
-BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][16];
+BYTE g_TrustedMD5HashTable[MAX_TRUSTED_MD5_HASH_TABLE][20];
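Review bot: The table at L71 and its bound at L66 keep the names `g_TrustedMD5HashTable` and `MAX_TRUSTED_MD5_HASH_TABLE` while the commit changes their contents to 20-byte SHA-1 digests, and the digest length is written as a bare `20` here and again at L108, L159, L231, L242, L254, L257, L268, L275 and L278. A future change of digest (e.g. to a 32-byte one) would have to find every one of those literals. I would rename the table to match the new functions and give the width one name: `#define TRUSTED_HASH_SIZE 20` and `BYTE g_TrustedSHA1HashTable[MAX_TRUSTED_SHA1_HASH_TABLE][TRUSTED_HASH_SIZE];`, then use `TRUSTED_HASH_SIZE` (or `sizeof Hash`) in the `memcmp`/`memcpy` calls and for `dw` at L231.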
// \88È\89º\83t\83b\83N\8aÖ\90\94
// \83t\83b\83N\91Î\8fÛ\82ð\8cÄ\82Ñ\8fo\82·\8fê\8d\87\82Í\91O\8cã\82ÅSTART_HOOK_FUNCTION\82ÆEND_HOOK_FUNCTION\82ð\8eÀ\8ds\82·\82é\95K\97v\82ª\82 \82é
hLock = LockExistingFile(lpLibFileName);
FreeLibrary(hModule);
}
- if(GetModuleHandleW(lpLibFileName))
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_LOADED) && GetModuleHandleW(lpLibFileName))
bTrusted = TRUE;
}
if(!bTrusted)
{
- if(LockThreadLock())
+ if(hLock)
{
- if(hLock)
- {
- if(IsModuleTrusted(lpLibFileName))
- bTrusted = TRUE;
- }
- UnlockThreadLock();
+ if(IsModuleTrusted(lpLibFileName))
+ bTrusted = TRUE;
}
}
if(bTrusted)
}
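Review bot: The `if(hLock)` test at L84 now decides whether `IsModuleTrusted` runs at all, so when `LockExistingFile` at L74 returns NULL the module stays untrusted; that is fail-closed and correct, but it reads like an accidental skip, so I would comment it: `// no lock on the file: it could presumably be replaced before mapping, so treat it as untrusted`. The shortcut at L78 also deserves a line, since at any level containing `PROCESS_PROTECTION_LOADED` a request is trusted as soon as `GetModuleHandleW(lpLibFileName)` finds a module of that name already in the process, with no re-verification of the file on disk: `// MEDIUM/LOW only: an already-loaded module is not re-checked`. The enclosing hook function starts and ends outside this hunk.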
// DLL\82Ì\83n\83b\83V\83\85\82ð\8c\9f\8dõ
-BOOL FindTrustedModuleMD5Hash(void* pHash)
+BOOL FindTrustedModuleSHA1Hash(void* pHash)
{
BOOL bResult;
int i;
i = 0;
while(i < MAX_TRUSTED_MD5_HASH_TABLE)
{
- if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
{
bResult = TRUE;
break;
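Review bot: Between `int i;` at L103 and `i = 0;` at L104 no `bResult = FALSE;` is visible, unlike `RegisterTrustedModuleSHA1Hash` at L244 and `UnregisterTrustedModuleSHA1Hash` at L270 which both initialise it; if the page has not simply dropped that line, the function returns an indeterminate `bResult` when no slot matches, which in a trust check is the wrong way to fail. The fix is the one line `BOOL bResult = FALSE;` at L102. The function's tail (loop increment and `return`) lies outside the hunk, so I cannot confirm it from here.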
GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_FILE_INFO wfi;
WINTRUST_DATA wd;
+ LONG Error;
bResult = FALSE;
ZeroMemory(&wfi, sizeof(WINTRUST_FILE_INFO));
wfi.cbStruct = sizeof(WINTRUST_FILE_INFO);
wd.dwUIChoice = WTD_UI_NONE;
wd.dwUnionChoice = WTD_CHOICE_FILE;
wd.pFile = &wfi;
- if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
+ Error = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd);
+ if(Error == ERROR_SUCCESS)
+ bResult = TRUE;
+ else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED) && Error == CERT_E_EXPIRED)
+ bResult = TRUE;
+ else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED) && (Error == CERT_E_UNTRUSTEDROOT || Error == CERT_E_UNTRUSTEDCA))
bResult = TRUE;
return bResult;
}
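Review bot: The branch at L128 accepts `CERT_E_UNTRUSTEDROOT` and `CERT_E_UNTRUSTEDCA` whenever `PROCESS_PROTECTION_UNAUTHORIZED` is set, which means that at the level including that flag a signature chained to any root, including one the signer generated, satisfies `VerifyFileSignature`; the check then only proves the file carries a well-formed Authenticode signature, not who signed it. That is the commit's intent, but nothing at the call sites or in this function says so, and a silent acceptance is hard to audit later. I would put a comment on L128, `// UNAUTHORIZED level: chain to an untrusted root is accepted, i.e. any signer passes`, and consider reporting the relaxed acceptance (e.g. a debug log of `Error`) so the weaker result is distinguishable from a clean one. The same pair of branches appears at L146–L148 in `VerifyFileSignatureInCatalog`; the same comment applies there. Both functions begin outside their hunks.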
GUID g = WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_CATALOG_INFO wci;
WINTRUST_DATA wd;
+ LONG Error;
bResult = FALSE;
if(VerifyFileSignature(Catalog))
{
wd.dwUIChoice = WTD_UI_NONE;
wd.dwUnionChoice = WTD_CHOICE_CATALOG;
wd.pCatalog = &wci;
- if(WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd) == ERROR_SUCCESS)
+ Error = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &g, &wd);
+ if(Error == ERROR_SUCCESS)
+ bResult = TRUE;
+ else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_EXPIRED) && Error == CERT_E_EXPIRED)
+ bResult = TRUE;
+ else if((g_ProcessProtectionLevel & PROCESS_PROTECTION_UNAUTHORIZED) && (Error == CERT_E_UNTRUSTEDROOT || Error == CERT_E_UNTRUSTEDCA))
bResult = TRUE;
}
free(wci.pbCalculatedFileHash);
}
// DLL\82ð\8am\94F
-// \83n\83b\83V\83\85\82ª\93o\98^\82³\82ê\82Ä\82¢\82é\81AAuthenticode\8f\90\96¼\82ª\82³\82ê\82Ä\82¢\82é\81A\82Ü\82½\82ÍWFP\82É\82æ\82é\95Û\8cì\89º\82É\82 \82é\82±\82Æ\82ð\8am\94F
BOOL IsModuleTrusted(LPCWSTR Filename)
{
BOOL bResult;
- BYTE Hash[16];
+ BYTE Hash[20];
bResult = FALSE;
- if(GetMD5HashOfFile(Filename, &Hash))
+ if(LockThreadLock())
{
- if(FindTrustedModuleMD5Hash(&Hash))
- bResult = TRUE;
- }
- if(!bResult)
- {
- if(VerifyFileSignature(Filename))
- bResult = TRUE;
- }
- if(!bResult)
- {
- if(IsSxsModuleTrusted(Filename))
- bResult = TRUE;
- }
- if(!bResult)
- {
- if(SfcIsFileProtected(NULL, Filename))
- bResult = TRUE;
+ if(GetSHA1HashOfFile(Filename, &Hash))
+ {
+ if(FindTrustedModuleSHA1Hash(&Hash))
+ bResult = TRUE;
+ }
+ if(!bResult)
+ {
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_BUILTIN) && VerifyFileSignature(Filename))
+ bResult = TRUE;
+ }
+ if(!bResult)
+ {
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SIDE_BY_SIDE) && IsSxsModuleTrusted(Filename))
+ bResult = TRUE;
+ }
+ if(!bResult)
+ {
+ if((g_ProcessProtectionLevel & PROCESS_PROTECTION_SYSTEM_FILE) && SfcIsFileProtected(NULL, Filename))
+ bResult = TRUE;
+ }
+ UnlockThreadLock();
}
return bResult;
}
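Review bot: `IsModuleTrusted` now returns FALSE when `LockThreadLock()` at L162 fails, and the hash-allowlist check at L181–L185 is the only one not gated by a level flag, so it runs at every level; neither fact is visible to a caller and both are worth a line in the function comment. I would extend the comment at L153 with `// registered SHA-1 hash is accepted at every level; the signature, side-by-side and WFP checks are each enabled by a PROCESS_PROTECTION_* flag; lock failure yields FALSE (fail closed)`. The old comment at L154 that listed the accepted conditions was deleted rather than updated, so this restores that documentation.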
return r;
}
-// \83t\83@\83C\83\8b\82ÌMD5\83n\83b\83V\83\85\82ð\8eæ\93¾
-BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash)
+void SetProcessProtectionLevel(DWORD Level)
+{
+ g_ProcessProtectionLevel = Level;
+}
+
+// \83t\83@\83C\83\8b\82ÌSHA1\83n\83b\83V\83\85\82ð\8eæ\93¾
+BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash)
{
BOOL bResult;
HCRYPTPROV hProv;
bResult = FALSE;
if(CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, 0) || CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET))
{
- if(CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
+ if(CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
{
if((hFile = CreateFileW(Filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE)
{
{
if(CryptHashData(hHash, (BYTE*)pData, Size, 0))
{
- dw = 16;
+ dw = 20;
if(CryptGetHashParam(hHash, HP_HASHVAL, (BYTE*)pHash, &dw, 0))
bResult = TRUE;
}
}
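Review bot: Moving from MD5 to SHA-1 at L223 is an improvement, but SHA-1 is no longer considered collision resistant either, and for an allowlist of trusted module hashes collision resistance is the property relied on; if the table width is ever raised to 32 bytes, `CALG_SHA_256` is available from `CryptCreateHash` when the context is acquired with the `PROV_RSA_AES` provider instead of `PROV_RSA_FULL` at L220. At minimum the choice should be recorded: `// SHA-1 chosen for CAPI compatibility; see g_TrustedMD5HashTable width before changing`. `SetProcessProtectionLevel` at L209–L212 stores the raw DWORD without any check that only known `PROCESS_PROTECTION_*` bits are set, which is fine for the four fixed levels but worth a comment, `// Level is expected to be one of PROCESS_PROTECTION_NONE/HIGH/MEDIUM/LOW`. The hashing function continues past the end of this hunk.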
// DLL\82Ì\83n\83b\83V\83\85\82ð\93o\98^
-BOOL RegisterTrustedModuleMD5Hash(void* pHash)
+BOOL RegisterTrustedModuleSHA1Hash(void* pHash)
{
BOOL bResult;
- BYTE NullHash[16] = {0};
+ BYTE NullHash[20] = {0};
int i;
bResult = FALSE;
- if(FindTrustedModuleMD5Hash(pHash))
+ if(FindTrustedModuleSHA1Hash(pHash))
bResult = TRUE;
else
{
i = 0;
while(i < MAX_TRUSTED_MD5_HASH_TABLE)
{
- if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], &NullHash, 20) == 0)
{
- memcpy(&g_TrustedMD5HashTable[i], pHash, 16);
+ memcpy(&g_TrustedMD5HashTable[i], pHash, 20);
bResult = TRUE;
break;
}
}
// DLL\82Ì\83n\83b\83V\83\85\82Ì\93o\98^\82ð\89ð\8f\9c
-BOOL UnregisterTrustedModuleMD5Hash(void* pHash)
+BOOL UnregisterTrustedModuleSHA1Hash(void* pHash)
{
BOOL bResult;
- BYTE NullHash[16] = {0};
+ BYTE NullHash[20] = {0};
int i;
bResult = FALSE;
i = 0;
while(i < MAX_TRUSTED_MD5_HASH_TABLE)
{
- if(memcmp(&g_TrustedMD5HashTable[i], pHash, 16) == 0)
+ if(memcmp(&g_TrustedMD5HashTable[i], pHash, 20) == 0)
{
- memcpy(&g_TrustedMD5HashTable[i], &NullHash, 16);
+ memcpy(&g_TrustedMD5HashTable[i], &NullHash, 20);
bResult = TRUE;
break;
}
#endif
+// \83\8d\81[\83h\8dÏ\82Ý\82Ì\83\82\83W\83\85\81[\83\8b\82Í\8c\9f\8d¸\82ð\83p\83X
+#define PROCESS_PROTECTION_LOADED 0x00000001
+// \83\82\83W\83\85\81[\83\8b\82É\96\84\82ß\8d\9e\82Ü\82ê\82½Authenticode\8f\90\96¼\82ð\8c\9f\8d¸
+#define PROCESS_PROTECTION_BUILTIN 0x00000002
+// \83T\83C\83h\83o\83C\83T\83C\83h\82ÌAuthenticode\8f\90\96¼\82ð\8c\9f\8d¸
+#define PROCESS_PROTECTION_SIDE_BY_SIDE 0x00000004
+// WFP\82É\82æ\82é\95Û\8cì\89º\82É\82 \82é\82©\82ð\8c\9f\8d¸
+#define PROCESS_PROTECTION_SYSTEM_FILE 0x00000008
+// Authenticode\8f\90\96¼\82Ì\97L\8cø\8aú\8cÀ\82ð\96³\8e\8b
+#define PROCESS_PROTECTION_EXPIRED 0x00000010
+// Authenticode\8f\90\96¼\82Ì\94\8ds\8c³\82ð\96³\8e\8b
+#define PROCESS_PROTECTION_UNAUTHORIZED 0x00000020
+
+#define PROCESS_PROTECTION_NONE 0
+#define PROCESS_PROTECTION_DEFAULT PROCESS_PROTECTION_HIGH
+#define PROCESS_PROTECTION_HIGH (PROCESS_PROTECTION_BUILTIN | PROCESS_PROTECTION_SIDE_BY_SIDE | PROCESS_PROTECTION_SYSTEM_FILE)
+#define PROCESS_PROTECTION_MEDIUM (PROCESS_PROTECTION_HIGH | PROCESS_PROTECTION_LOADED | PROCESS_PROTECTION_EXPIRED)
+#define PROCESS_PROTECTION_LOW (PROCESS_PROTECTION_MEDIUM | PROCESS_PROTECTION_UNAUTHORIZED)
+
HMODULE System_LoadLibrary(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
-BOOL GetMD5HashOfFile(LPCWSTR Filename, void* pHash);
-BOOL RegisterTrustedModuleMD5Hash(void* pHash);
-BOOL UnregisterTrustedModuleMD5Hash(void* pHash);
+void SetProcessProtectionLevel(DWORD Level);
+BOOL GetSHA1HashOfFile(LPCWSTR Filename, void* pHash);
+BOOL RegisterTrustedModuleSHA1Hash(void* pHash);
+BOOL UnregisterTrustedModuleSHA1Hash(void* pHash);
BOOL UnloadUntrustedModule();
BOOL InitializeLoadLibraryHook();
BOOL EnableLoadLibraryHook(BOOL bEnable);
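Review bot: The comment on `PROCESS_PROTECTION_UNAUTHORIZED` at L293 describes it as ignoring the signature's issuer, which understates what the code does: `VerifyFileSignature` accepts `CERT_E_UNTRUSTEDROOT` and `CERT_E_UNTRUSTEDCA` under this flag, so a chain to any root passes. I would say that explicitly next to the define, `// accepts CERT_E_UNTRUSTEDROOT/CERT_E_UNTRUSTEDCA: a signature from any certificate, self-signed included, is trusted`, and likewise for `PROCESS_PROTECTION_LOADED` at L283, `// an already-loaded module of the same name is not re-verified`. `PROCESS_PROTECTION_DEFAULT` at L297 expands to `PROCESS_PROTECTION_HIGH`, which is defined on the following line; that is fine for macros but reads oddly, so swapping L297 and L298 would help the next reader.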