/**
* 过滤核心函数
*
*/
NTSTATUS NTAPI BkMapViewOfSection(IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PULONG ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Protect)
{
PVOID Section = NULL;
ULONG bModuleFilter = MODULE_PASSED;
// 获取Section Object
NTSTATUS Status = ObReferenceObjectByHandle (SectionHandle, 0x00000004, //SECTION_MAP_READ
*MmSectionObjectType, UserMode, (PVOID *)&Section, NULL);
// 如果失败直接返回系统调用
if(NT_SUCCESS(Status))
{
// 通过硬编码值找到FileObject
PVOID Segment = *(PVOID*)((ULONG)Section + g_Offset_SegmentInSection);
if(Segment)
{
PVOID ControlArea = *(PVOID*)((ULONG)Segment + g_Offset_ControlAreaInSegment);
if(ControlArea)
{
PVOID FileObject = *(PVOID*)((ULONG)ControlArea + g_Offset_FileObjectInControlArea);
// 如果是vista或者win7系统,FileObject需要清除最后3个bits
if((g_SysVersion.dwMajorVersion == 6 && g_SysVersion.dwMinorVersion == 1) // Windows 7
|| (g_SysVersion.dwMajorVersion == 6 && g_SysVersion.dwMinorVersion == 0)) // Windows Vista
FileObject = (PVOID)((ULONG)FileObject & 0xFFFFFFF8);
if(FileObject)
{
//KdPrint(("==>BkMapViewOfSection\n"));
// 获取文件路径
POBJECT_NAME_INFORMATION ObjectKernelName = BkQueryNameString((PVOID)FileObject);
if (ObjectKernelName != NULL)
{
//检查文件是否是PE文件,如果是做进一步检查,不是的话通过检查。
if (IsPEFile(&ObjectKernelName->Name))
{
// 检查是否是可信文件hash
if (!CheckIsFileHashSecure(&ObjectKernelName->Name))
{
bModuleFilter = MODULE_FILTERED;
}
}
ExFreePool(ObjectKernelName);
}
//KdPrint(("<==BkMapViewOfSection\n"));
}
}
}
ObDereferenceObject(Section);
if (bModuleFilter == MODULE_FILTERED)
{
//KdPrint(("Module Filtered\n"));
return STATUS_ACCESS_DENIED;
}
}
// 调用原系统服务
NTSTATUS result = NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress,
ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition,
AllocationType, Protect);
return result;
}
//
// main
//
int main(int argc, char **argv)
{
dbCursor<LibM> cursor1;
if (argc != 4)
{
printf("Usage: %s target lib_root_path full:0|1\n", argv[0]);
return 0;
}
lib_root_path = argv[2];
bFull = argv[3][0] == '1';
TCHAR *filename = argv[1];
TCHAR filename2[MAX_PATH];
int i;
DeleteFile("LibM.fdb");
if (!db.open("LibM"))
{
return 0;
}
printf("Built on " __DATE__ " " __TIME__ "\nInit db...");
build_instruction_db();
printf("total:%d OK\n", lib_count);
//getch();
InitializeCriticalSection(&cs);
while (1)
{
printf("Loading...\n");
if (!LoadFileR(filename, &stMapFile))
{
cerr << "ERROR FILE!" << endl;
//continue;
break;
}
if (!IsPEFile(stMapFile.ImageBase))
{
cerr << "NOT PE FILE!" << endl;
UnLoadFile(&stMapFile);
//continue;
break;
}
pOH = GetOptionalHeader(stMapFile.ImageBase);
pImageNtH = GetNtHeaders(stMapFile.ImageBase);
int c0 = 0, c1 = 0, c2 = 0, c3 = 0, c4 = 0, count = 0;
// read target function info
wsprintf(filename2, _T("%s.txt"), filename);
ifstream is2(filename2, ios::binary);
if (!is2.is_open())
{
break;
}
int tt;
db.detach();
f_info.clear();
while (!is2.eof())
{
int startEA, endEA;
is2.read((char *)&startEA, sizeof(int));
is2.read((char *)&endEA, sizeof(int));
if (endEA - startEA < MIN_INS_LENGTH)
{
continue;
}
function_info fi;
memset(&fi, 0, sizeof(fi));
fi.startEA = startEA;
fi.len = endEA - startEA;
fi.lib_name[0] = 0;
f_info.push_back(fi);
}
total_function_len = f_info.size();
//sort(f_info.begin(), f_info.end(), myfunction);
printf("OK\n");
tt = GetTickCount();
int thread_num = bMultiThread ? THREAD_NUM : 1;
if (show_dump)
{
thread_num = 1;
}
HANDLE *thread = new HANDLE[thread_num];
for (i = 0; i < thread_num; i++)
{
thread[i] = (HANDLE)_beginthreadex(NULL, 0, bFull ? (&MatchThreadForFull) : (&MatchThread), (void *)i, 0, NULL);
}
WaitForMultipleObjects(thread_num, thread, TRUE, INFINITE);
tt = GetTickCount() - tt;
delete[] thread;
db.attach();
UnLoadFile(&stMapFile);
if (cursor1.select() > 0)
{
do
{
delete (ControlFlowGraph *)cursor1->cfg;
}
while (cursor1.next());
}
DWORD s = 0;
DWORD _r0 = 0, _r1 = 0, _r34 = 0, _r2 = 0, _r5 = 0, _fn = 0;
for (i = 0; i < THREAD_NUM; i++)
{
s += instruction_count[i];
_r0 += r0[i];
_r1 += r1[i];
_r2 += r2[i];
_r34 += r34[i];
_r5 += r5[i];
_fn += fn[i];
}
printf("#fn:%d #instr:%d t:%d found:%d\n", _fn, s, tt, found_c);
printf("r1:\t%d\n", _r1);
printf("r2:\t%d\n", _r2);
printf("r34:\t%d\n", _r34);
printf("r5:\t%d\n", _r5);
printf("r0:\t%d\n", _r0);
printf("fulled:\t%d\n", fulled);
printf("check failed:\t%d\n", check_failed);
printf("END.\n");
break;
}
DeleteCriticalSection(&cs);
db.detach();
#ifdef _DEBUG
cout << "Press ENTER..." << endl;
char c;
c = cin.get();
#endif
return 0;
}
int DetectOverlayedFile(LPCTSTR szFilePath)
{
HANDLE hFile;
DWORD dwReaded;
DWORD dwFileSize;
DWORD dwPEOffset;
DWORD dwSign;
const DWORD dwBufferSize = 4096;
BYTE buffer[4096];
BYTE* pSectionsTable;
WORD wNumberOfSections;
DWORD dwMaxRawSize, dwRawSize;
IMAGE_SECTION_HEADER* pSectionHeader;
int i;
if(!IsPEFile(szFilePath)) return NOT_OVERLAY;
hFile = CreateFile(szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) return ERROR_DETECT;
dwFileSize = ::GetFileSize(hFile, NULL);
if (dwFileSize == 0)
{
CloseHandle(hFile);
return ERROR_DETECT;
}
ReadFile(hFile, buffer, dwBufferSize, &dwReaded, NULL);
if (dwReaded != dwBufferSize && dwReaded != dwFileSize)
{
// Cannot read file, return
CloseHandle(hFile);
return ERROR_DETECT;
}
dwSign = *((WORD*)buffer);
if (dwSign != 0x5A4D)
{
// Not MZ
CloseHandle(hFile);
return ERROR_DETECT;
}
dwPEOffset = *((DWORD*)(buffer + 0x3C));
if (dwPEOffset > (dwFileSize))
{
// Offset out of file, return
CloseHandle(hFile);
return ERROR_DETECT;
}
// Move file pointer to the beginning of the PE header
if (SetFilePointer(hFile, dwPEOffset, NULL, FILE_BEGIN) == -1)
{
CloseHandle(hFile);
return ERROR_DETECT;
}
// Read PE header to buffer
ReadFile(hFile, buffer, dwBufferSize, &dwReaded, NULL);
if (dwReaded != dwBufferSize)
{
CloseHandle(hFile);
return ERROR_DETECT;
}
dwSign = *((DWORD*)buffer);
if (dwSign != 0x4550)
{
// Not PE
CloseHandle(hFile);
return ERROR_DETECT;
}
pSectionsTable = buffer + (*(WORD*)(buffer + 0x14)) + 0x18;
wNumberOfSections = *(WORD*)(buffer + 6);
if (wNumberOfSections == 0 || wNumberOfSections >= MAX_SECTIONS) return FALSE;
dwMaxRawSize = 0;
for (i = 0; i < wNumberOfSections; i++)
{
pSectionHeader = (IMAGE_SECTION_HEADER*)(pSectionsTable + 0x28 * i);
dwRawSize = pSectionHeader->PointerToRawData + pSectionHeader->SizeOfRawData;
if (dwMaxRawSize < dwRawSize) dwMaxRawSize = dwRawSize;
}
if(dwMaxRawSize == dwFileSize)
{
CloseHandle(hFile);
return NOT_OVERLAY;
}
if(SetFilePointer(hFile,dwMaxRawSize,NULL,FILE_BEGIN) == -1)
{
CloseHandle(hFile);
return ERROR_DETECT;
}
// Doc va kiem tra MZ, PE
ReadFile(hFile,buffer,dwBufferSize,&dwReaded,NULL);
if(dwReaded <dwBufferSize) return NOT_OVERLAY;
for(i=0; i<dwBufferSize-sizeof(IMAGE_DOS_HEADER);i++)
{
if(buffer[i]=='M' && buffer[i+1]=='Z' && buffer[i+sizeof(IMAGE_DOS_HEADER)]=='P' && buffer[i+1+sizeof(IMAGE_DOS_HEADER)])
{
CloseHandle(hFile);
return OVERLAY_DOUBLE_MZ;
}
}
CloseHandle(hFile);
return OVERLAY_SINGLE_MZ;
// return (dwMaxRawSize < dwFileSize);
}
BOOL CALLBACK StatusDlgProc (HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
HANDLE hThread ;
//DWORD ProtFileThreadID;
UINT ProtFileThreadID;
switch (message)
{
case WM_INITDIALOG:
//创建消息框缓冲
pMessageBuffer = new TCHAR [0x10000];
ZeroMemory(pMessageBuffer, 0x10000); //将消息缓冲区数据清零
hProgress = GetDlgItem(hDlg, IDC_PROGRESS) ;
DragAcceptFiles(hDlg,TRUE);
break;
case WM_DROPFILES://支持文件拖放
if(FALSE==ISWORKING){
ZeroMemory(pMessageBuffer, 0x10000); //将消息缓冲区数据清零
ZeroMemory(szFilePath,MAX_PATH);//清空文件名缓冲
DragQueryFile((HDROP)wParam, 0, szFilePath, sizeof(szFilePath));
DragFinish((HDROP)wParam);
SendDlgItemMessage(hDlg,IDC_MESSAGEBOX_EDIT,WM_SETTEXT,0,0);//清空消息框中的提示
SendDlgItemMessage(hDlg,IDC_FILEPATH_EDIT,WM_SETTEXT,MAX_PATH,(LPARAM)szFilePath);
AddLine(hDlg,szFilePath);
if(!IsPEFile(szFilePath,hDlg))
EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), FALSE);
else
EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), TRUE);
SendMessage(hProgress,PBM_SETPOS, 0, 0);
}
break;
case WM_COMMAND:
switch (LOWORD (wParam))
{
case IDC__EXIT_BUTTON:
SendMessage(GetParent(GetParent(hDlg)), WM_CLOSE, 0, 0);
break;
//置顶
case IDC_ONTOP:
if(SendDlgItemMessage(hDlg, IDC_ONTOP, BM_GETCHECK, 0, 0)==BST_CHECKED)
SetWindowPos(GetParent(GetParent(hDlg)),HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE);
else
SetWindowPos(GetParent(GetParent(hDlg)),HWND_NOTOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE);
break;
//保护
case IDC_PROT_BUTTON:
EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), FALSE);
EnableWindow(GetDlgItem(hDlg,IDC_OPEN_BUTTON), FALSE);//压缩过程中打开按钮不可用
//ProtTheFile(hDlg);
//创建一个进程来压缩数据
// hThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ProtTheFile, (VOID *)hDlg, NORMAL_PRIORITY_CLASS, &ProtFileThreadID);
hThread = (HANDLE)_beginthreadex( NULL, 0, (unsigned int (_stdcall*)(void*))&ProtTheFile, (LPVOID)hDlg, 0, &ProtFileThreadID );
CloseHandle(hThread);
break;
//打开预处理
case IDC_OPEN_BUTTON:
if(!OpenFileDlg(szFilePath,hDlg))
break;
SendDlgItemMessage(hDlg,IDC_FILEPATH_EDIT,WM_SETTEXT,MAX_PATH,(LPARAM)szFilePath);
AddLine(hDlg,szFilePath);
if(!IsPEFile(szFilePath,hDlg))
EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), FALSE);
else
EnableWindow(GetDlgItem(hDlg,IDC_PROT_BUTTON), TRUE);
SendMessage(hProgress,PBM_SETPOS, 0, 0);
break;
}
return TRUE;
break;
}
return FALSE;
}
