// Report whether the parsed command line is self-contradictory.
//
// Two rules are enforced:
//   * silent and quiet are mutually exclusive output modes;
//   * exactly one primary action (install / uninstall / reinstall / repair /
//     userinit) must be selected -- none or several is a contradiction.
//
// @return true when the options conflict, false when they are consistent.
bool CommandLineParser::HasContradictoryOptions() const
{
    if (IsSilent() && IsQuiet())
        return true;

    // Count the primary actions that are switched on.
    const int selectedActions = (IsInstall()   ? 1 : 0)
                              + (IsUninstall() ? 1 : 0)
                              + (IsReinstall() ? 1 : 0)
                              + (IsRepair()    ? 1 : 0)
                              + (IsUserInit()  ? 1 : 0);

    // Anything other than exactly one action is contradictory.
    return selectedActions != 1;
}
// Parse a raw command line into option flags.
//
// The original text is kept in m_sOrigCommandLine; m_sCommandLine is the
// working copy that GetNextToken() consumes. Each token is handed to
// ParseToken(), which sets the corresponding member flags. When no explicit
// action (install / uninstall / reinstall / userinit) was requested, repair
// becomes the implied default action.
//
// @param sCommandLineOptions  the full command line to parse.
CommandLineParser::CommandLineParser(CStdString sCommandLineOptions)
    : m_bInstall(false),
      m_bUninstall(false),
      m_bRepair(false),
      m_bReinstall(false),
      m_bIsSilent(false),
      m_bSeenBadParams(false),
      m_bFirstToken(true),
      m_bShowDemoError(false),
      m_bIsQuiet(false),
      m_sEmailProvider(_T("none")),
      m_bUserInit(false),
      m_bInstallWordMacro(false),
      m_bSkipCheck(false),
      m_modulesMask(true),
      m_bInstallShortcuts(true),
      m_bHygiene(false),
      m_bShowWelcomeScreenAfterInstall(true),
      m_bTreatErrorsAsWarnings(false),
      m_bIsFirstModuleSwitch(true),
      m_bConfigureDmsOnly(false),
      m_bModulesSpecifiedOnCmdLine(false)
{
    m_sOrigCommandLine = sCommandLineOptions;
    m_sCommandLine = sCommandLineOptions;

    // Consume tokens until GetNextToken() runs dry (returns an empty string).
    for (CStdString token = GetNextToken(); !token.IsEmpty(); token = GetNextToken())
        ParseToken(token);

    // No explicit action requested -> fall back to repair.
    const bool explicitAction = IsReinstall() || IsInstall() || IsUninstall() || IsUserInit();
    if (!explicitAction)
        m_bRepair = true;
}
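// Register this executable as an auto-start Windows service and create the
// event-log source the service logs through.
//
// Fixes relative to the previous version:
//   * the service image path is quoted (unquoted path with spaces = CWE-428);
//   * GetModuleFileName failure / truncation is rejected instead of being
//     registered as the image path;
//   * the event-log key buffer is sized for wsprintf's 1024-character limit
//     rather than MAX_PATH, so a long service name cannot overflow it;
//   * the REG_SZ EventMessageFile value now includes its terminating NUL;
//   * handles are opened with the minimum rights each step needs.
//
// Prints a diagnostic and returns on every failure; there is no return value.
void Install()
{
    // Already registered with the SCM: nothing to do.
    if (IsInstall())
    {
        printf("Service has Exists\n");
        return;
    }

    // The executable hosting this process becomes the service image.
    // GetModuleFileName returns 0 on failure and MAX_PATH when the path was
    // truncated; either would register a wrong or partial image path.
    _TCHAR szFilePath[MAX_PATH];
    const DWORD pathLen = ::GetModuleFileName(NULL, szFilePath, MAX_PATH);
    if (pathLen == 0 || pathLen >= MAX_PATH)
    {
        printf("GetModuleFileName failed!\n");
        return;
    }

    // Quote the image path. The SCM resolves an unquoted path containing
    // spaces by trying "C:\Program.exe", "C:\Program Files\Foo.exe", ... in
    // turn, so a writable directory along the path would let a local user
    // plant a binary that runs under the service account (CWE-428).
    _TCHAR szBinaryPath[MAX_PATH + 2];
    wsprintf(szBinaryPath, _T("\"%s\""), szFilePath);

    // Least privilege: creating a service needs SC_MANAGER_CREATE_SERVICE only.
    SC_HANDLE pSC = ::OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (pSC == NULL)
    {
        printf("Open SCManager failed!\n");
        return;
    }

    // NOTE(review): SERVICE_INTERACTIVE_PROCESS lets a LocalSystem service
    // touch the interactive desktop. Session 0 isolation (Vista+) makes it
    // non-functional and it was a classic shatter-attack surface; confirm it
    // is still required before keeping it.
    // The returned handle is closed immediately, so SERVICE_QUERY_STATUS is
    // all that is requested on it.
    SC_HANDLE pService = ::CreateService(pSC,
                                         PServiceManage::Instance()->ServiceName(),
                                         PServiceManage::Instance()->DisPlayName(),
                                         SERVICE_QUERY_STATUS,
                                         SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
                                         SERVICE_AUTO_START,
                                         SERVICE_ERROR_NORMAL,
                                         szBinaryPath,
                                         NULL, NULL, _T(""), NULL, NULL);
    if (pService == NULL)
    {
        ::CloseServiceHandle(pSC);
        printf("Install Service failed!");
        return;
    }
    ::CloseServiceHandle(pService);
    ::CloseServiceHandle(pSC);

    // Register an event-log source under SYSTEMLOG\<ServiceName>.
    // wsprintf writes at most 1024 characters plus the terminator; size the
    // buffer for that rather than MAX_PATH so a long service name cannot
    // overflow the stack.
    _TCHAR szKey[1024 + 1];
    wsprintf(szKey, _T("%s\\%s"), SYSTEMLOG, PServiceManage::Instance()->ServiceName());

    HKEY hKey;
    if (::RegCreateKeyEx(HKEY_LOCAL_MACHINE, szKey, 0, NULL, REG_OPTION_NON_VOLATILE,
                         KEY_SET_VALUE, NULL, &hKey, NULL) == ERROR_SUCCESS)
    {
        // Event types this source may emit.
        DWORD typesSupported = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE;
        ::RegSetValueEx(hKey, _T("TypesSupported"), 0, REG_DWORD,
                        (const BYTE*)&typesSupported, sizeof(typesSupported));

        // The executable itself is the message file. REG_SZ data must include
        // the terminating NUL, hence pathLen + 1.
        ::RegSetValueEx(hKey, _T("EventMessageFile"), 0, REG_SZ,
                        (const BYTE*)szFilePath, (DWORD)((pathLen + 1) * sizeof(_TCHAR)));
        ::RegCloseKey(hKey);
    }
}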
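// Stop and unregister the service, then delete its event-log source.
//
// Changes relative to the previous version:
//   * the SCM is opened with SC_MANAGER_CONNECT, which is all OpenService
//     requires, instead of SC_MANAGER_ALL_ACCESS;
//   * a failed stop request is reported instead of silently ignored.
//
// Prints a diagnostic and returns on every failure; there is no return value.
void Remove()
{
    // Nothing to remove if the service is not registered.
    if (!IsInstall())
    {
        printf(("Service isn't exists !\n"));
        return;
    }

    // Least privilege: SC_MANAGER_CONNECT suffices to open an existing
    // service; the stop/delete rights are requested on the service handle.
    SC_HANDLE pSC = ::OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (pSC == NULL)
    {
        printf("Open SCManager failed!\n");
        return;
    }

    // SERVICE_STOP is needed for ControlService(STOP), DELETE for DeleteService.
    SC_HANDLE pService = ::OpenService(pSC, PServiceManage::Instance()->ServiceName(), SERVICE_STOP | DELETE);
    if (pService == NULL)
    {
        ::CloseServiceHandle(pSC);
        printf("Open Service Failed\n");
        return;
    }

    // Best-effort stop. The request is asynchronous and fails when the service
    // is not running; DeleteService still marks the service for deletion,
    // which completes once all handles are closed and the process has exited.
    SERVICE_STATUS stopStatus;
    if (!::ControlService(pService, SERVICE_CONTROL_STOP, &stopStatus))
    {
        const DWORD stopErr = ::GetLastError();
        printf("Stop request failed (error %lu), deleting anyway\n", (unsigned long)stopErr);
    }

    const BOOL bDeleted = ::DeleteService(pService);
    ::CloseServiceHandle(pService);
    ::CloseServiceHandle(pSC);

    if (!bDeleted)
    {
        printf("Service Delete failed!\n");
        return;
    }

    // Remove the event-log source created by Install().
    // NOTE(review): KEY_ALL_ACCESS on the parent key is more than this
    // deletion appears to need; narrowing it was not verified here.
    HKEY hKey;
    if (::RegOpenKeyEx(HKEY_LOCAL_MACHINE, SYSTEMLOG, 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS)
    {
        ::RegDeleteKey(hKey, PServiceManage::Instance()->ServiceName());
        ::RegCloseKey(hKey);
    }
    printf("Service Delete Success!\n");
}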
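/**
 * Decide, by file hash, whether a module may be loaded.
 *
 * Order of checks:
 *  1. Path already in the black cache                      -> deny.
 *  2. Module already marked filtered for this process      -> allow.
 *  3. Otherwise hash the file:
 *       - blacklisted hash  -> deny (and add the path to the black cache);
 *       - whitelisted hash  -> allow;
 *       - unknown hash      -> hand path + hash to the user-mode agent and
 *                              wait for its verdict (g_bPassFilter).
 *
 * Changes relative to the previous version:
 *  - a read error other than end-of-file now fails closed, like an open
 *    failure, instead of hashing a truncated prefix of the file;
 *  - KdPrint uses %wZ on the UNICODE_STRING; its Buffer is not guaranteed
 *    to be NUL-terminated, so %ws could read past it;
 *  - the inner NTSTATUS no longer shadows the outer one; an unused
 *    FILE_STANDARD_INFORMATION query and byte counter were dropped.
 *
 * NOTE(review): MD5 is the file identity for these allow/deny lists.
 * MD5 collisions are practical, so a crafted file can carry a whitelisted
 * hash; a stronger hash (e.g. SHA-256) should back the lists.
 *
 * NOTE(review): on agent timeout, IsInstall(true) is set and every later
 * unknown-hash file skips the agent and keeps the default verdict
 * (bReturn = true, allow). Once the agent is absent or killed the filter
 * therefore fails open -- confirm this is the intended policy.
 *
 * NOTE(review): g_pEventFilterGo / g_bPassFilter are process-wide; if two
 * threads reach the wait concurrently, one file's verdict may be consumed
 * for the other. Whether callers serialize this is not visible here.
 *
 * @param filename  Full NT path of the file to check.
 * @return true if the file is considered safe, false otherwise.
 */
bool CheckIsFileHashSecure(const PUNICODE_STRING filename)
{
    // Fast paths on already-seen names.
    if (IsInBlackCache(filename))
        return false;
    if (MODULE_FILTERED == GetModuleFilter((ULONG)PsGetCurrentProcessId(), filename))
        return true;

    HANDLE hFile;
    OBJECT_ATTRIBUTES oaFile;
    InitializeObjectAttributes(&oaFile, filename, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // Open read-only; a file we cannot read is treated as unsafe (fail closed).
    IO_STATUS_BLOCK ioStatus;
    NTSTATUS status = ZwOpenFile(&hFile, GENERIC_READ, &oaFile, &ioStatus, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("VerifyModule: ZwOpenFile: %wZ %08x\n", filename, status));
        return false;
    }

    unsigned char* fileBuf = (unsigned char*)ExAllocatePoolWithTag(PagedPool, FILE_BUFFER_SIZE, 'knab');
    if (fileBuf == NULL)
    {
        ZwClose(hFile);
        return false;
    }

    // Hash the whole file in FILE_BUFFER_SIZE chunks.
    MD5_CTX md5;
    MD5Init(&md5);
    NTSTATUS readStatus = STATUS_SUCCESS;
    bool readFailed = false;
    while (1)
    {
        readStatus = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, fileBuf, FILE_BUFFER_SIZE, NULL, NULL);
        if (readStatus == STATUS_END_OF_FILE || (NT_SUCCESS(readStatus) && ioStatus.Information == 0))
            break;
        if (!NT_SUCCESS(readStatus))
        {
            readFailed = true;
            break;
        }
        MD5Update(&md5, fileBuf, (ULONG)ioStatus.Information);
    }
    ExFreePoolWithTag(fileBuf, 'knab');

    unsigned char final[16];
    MD5Final(final, &md5);
    ZwClose(hFile);

    // A partial hash would not identify the file; fail closed like an open failure.
    if (readFailed)
    {
        KdPrint(("VerifyModule: ZwReadFile: %wZ %08x\n", filename, readStatus));
        return false;
    }

    bool bReturn = true;
    if (IsHashBlack(final))
    {
        // Remember the path so later checks are answered from the cache.
        if (!IsInBlackCache(filename))
        {
            WriteSysLog(LOG_TYPE_INFO, L" Fileter Module :%s", filename->Buffer);
            AddBlackCache(filename);
        }
        bReturn = false;
    }
    else if (!IsHashSecure(final))
    {
        // Unknown hash: consult the user-mode agent, unless an earlier
        // timeout already marked it unavailable (IsInstall()).
        if (!IsInstall())
        {
            if (setData(filename->Buffer, filename->Length, final, 16))
                setSigned();

            // Relative timeout in 100 ns units: -10 * 1000 * 1000 = 1 second.
            LARGE_INTEGER lWaitTimeOuts;
            lWaitTimeOuts.QuadPart = -10 * 1000 * 1000;
            WriteSysLog(LOG_TYPE_INFO, L" kernel is waitint for event signal!");
            if (STATUS_TIMEOUT == KeWaitForSingleObject(g_pEventFilterGo, Executive, KernelMode, FALSE, &lWaitTimeOuts))
            {
                // Agent did not answer: stop asking it from now on. Deny only
                // when more than two tracked PIDs exist, otherwise allow.
                IsInstall(true);
                bReturn = (GetPIDNumber() > 2) ? false : true;
            }
            else
            {
                bReturn = g_bPassFilter;
            }

            WriteSysLog(LOG_TYPE_INFO, L" kernel continue: file path : %ws is %ws", filename->Buffer, bReturn ? L"pass" : L"noPass");

            // Remember an allowed module for this process so it is not re-checked.
            if (bReturn
                && MODULE_FILTERED != GetModuleFilter((ULONG)PsGetCurrentProcessId(), filename)
                && (GetPIDNumber() > 2))
            {
                SetModuleFilter((ULONG)PsGetCurrentProcessId(), filename, true);
            }
        }
    }

    return bReturn;
}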