Esempio n. 1
0
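/// Reports whether the parsed switches cannot be honoured together.
///
/// Two rules are enforced: "silent" and "quiet" are mutually exclusive, and
/// exactly one action switch (install / uninstall / reinstall / repair /
/// user-init) must be present - none or more than one is contradictory.
/// @return true when the options conflict, false otherwise.
bool CommandLineParser::HasContradictoryOptions() const
{
	// Silent and quiet are mutually exclusive.
	if (IsSilent() && IsQuiet())
		return true;

	// Count the action switches; only exactly one is acceptable.
	int iActions = 0;
	if (IsInstall())   iActions++;
	if (IsUninstall()) iActions++;
	if (IsReinstall()) iActions++;
	if (IsRepair())    iActions++;
	if (IsUserInit())  iActions++;

	// Any action count other than one is a contradiction; the former
	// install/reinstall/user-init branch returned false on both paths, so it
	// is folded into this single result.
	return iActions != 1;
}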
Esempio n. 2
0
/// Builds the parser from a raw command line: every flag starts at its
/// documented default, the line is tokenized and each token dispatched to
/// ParseToken(), and "repair" becomes the action when no explicit action
/// switch was given.
/// @param sCommandLineOptions The full command line to parse.
CommandLineParser::CommandLineParser(CStdString sCommandLineOptions)
: 	m_bInstall(false),
	m_bUninstall(false),
	m_bRepair(false),
	m_bReinstall(false),
	m_bIsSilent(false),
	m_bSeenBadParams(false),
	m_bFirstToken(true),
	m_bShowDemoError(false),
	m_bIsQuiet(false),
	m_sEmailProvider(_T("none")),
	m_bUserInit(false),
	m_bInstallWordMacro(false),
	m_bSkipCheck(false),
	m_modulesMask(true),
	m_bInstallShortcuts(true),
	m_bHygiene(false),
	m_bShowWelcomeScreenAfterInstall(true),
	m_bTreatErrorsAsWarnings(false),
	m_bIsFirstModuleSwitch(true),
	m_bConfigureDmsOnly(false),
	m_bModulesSpecifiedOnCmdLine(false)
{
	// Keep an untouched copy of the line; m_sCommandLine is presumably the
	// working copy consumed by GetNextToken().
	m_sCommandLine = sCommandLineOptions;
	m_sOrigCommandLine = m_sCommandLine;

	// Tokenize and dispatch until the line is exhausted (empty token).
	for (CStdString sToken = GetNextToken(); !sToken.IsEmpty(); sToken = GetNextToken())
		ParseToken(sToken);

	// Default action when none of the explicit action switches was seen.
	const bool bActionGiven = IsReinstall() || IsInstall() || IsUninstall() || IsUserInit();
	if (!bActionGiven)
		m_bRepair = true;
}
Esempio n. 3
0
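	/// Registers the running executable as an auto-start Win32 service and
	/// creates its event-log source key under HKLM\<SYSTEMLOG>\<service name>
	/// (TypesSupported + EventMessageFile) so the service can write to the
	/// system log. Errors are reported on stdout and the function returns;
	/// nothing is thrown. An already-registered service is left untouched.
	void Install()
	{
		if (IsInstall()) // already registered
		{
			printf("Service has Exists\n");
			return;
		}

		// Connect with only the right CreateService needs.
		SC_HANDLE hScm = ::OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
		if (hScm == NULL)
		{
			printf("Open SCManager failed! (%lu)\n", ::GetLastError());
			return;
		}

		// Full path of the current executable. GetModuleFileName returns 0 on
		// failure and MAX_PATH when the path was truncated; neither may be
		// registered as the service binary.
		_TCHAR szFilePath[MAX_PATH];
		DWORD cchPath = ::GetModuleFileName(NULL, szFilePath, MAX_PATH);
		if (cchPath == 0 || cchPath >= MAX_PATH)
		{
			::CloseServiceHandle(hScm);
			printf("GetModuleFileName failed! (%lu)\n", ::GetLastError());
			return;
		}

		// Quote the binary path: an unquoted path containing spaces lets the
		// SCM resolve a different executable (unquoted service path).
		_TCHAR szBinaryPath[MAX_PATH + 2];
		_sntprintf_s(szBinaryPath, _countof(szBinaryPath), _TRUNCATE, _T("\"%s\""), szFilePath);

		// NOTE(review): SERVICE_INTERACTIVE_PROCESS is kept because the service
		// requested it, but it lets the service interact with the desktop;
		// confirm it is still required.
		SC_HANDLE hService = ::CreateService(hScm,
			PServiceManage::Instance()->ServiceName(),
			PServiceManage::Instance()->DisPlayName(),
			SERVICE_QUERY_STATUS, // the returned handle is closed right away
			SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
			SERVICE_AUTO_START,
			SERVICE_ERROR_NORMAL,
			szBinaryPath,
			NULL, NULL, _T(""), NULL, NULL);
		if (hService == NULL)
		{
			printf("Install Service failed! (%lu)\n", ::GetLastError());
			::CloseServiceHandle(hScm);
			return;
		}
		::CloseServiceHandle(hService);
		::CloseServiceHandle(hScm);

		// Event-log source key; bounded formatting instead of wsprintf.
		_TCHAR szKey[MAX_PATH];
		_sntprintf_s(szKey, _countof(szKey), _TRUNCATE, _T("%s\\%s"), SYSTEMLOG, PServiceManage::Instance()->ServiceName());

		// Only KEY_SET_VALUE is used below, so no broader right is requested.
		HKEY hKey;
		LONG lResult = ::RegCreateKeyEx(HKEY_LOCAL_MACHINE, szKey, 0, NULL, REG_OPTION_NON_VOLATILE,
			KEY_SET_VALUE, NULL, &hKey, NULL);
		if (lResult != ERROR_SUCCESS)
		{
			printf("Create event log key failed! (%ld)\n", lResult);
			return;
		}

		// Event types this source emits.
		DWORD dwTypes = EVENTLOG_ERROR_TYPE | EVENTLOG_WARNING_TYPE | EVENTLOG_INFORMATION_TYPE;
		::RegSetValueEx(hKey, _T("TypesSupported"), 0, REG_DWORD,
			reinterpret_cast<const BYTE*>(&dwTypes), sizeof(dwTypes));
		// REG_SZ data includes the terminating NUL, hence cchPath + 1; the
		// executable itself serves as the message file.
		::RegSetValueEx(hKey, _T("EventMessageFile"), 0, REG_SZ,
			reinterpret_cast<const BYTE*>(szFilePath), (cchPath + 1) * sizeof(_TCHAR));
		::RegCloseKey(hKey);
	}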
Esempio n. 4
0
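	/// Stops and deletes the service registered by Install(), then removes its
	/// event-log source key under HKLM\<SYSTEMLOG>. Failures are reported on
	/// stdout; nothing is thrown.
	void Remove()
	{
		if (!IsInstall())
		{
			printf("Service isn't exists !\n");
			return;
		}

		// SC_MANAGER_CONNECT is all OpenService needs on the manager handle.
		SC_HANDLE hScm = ::OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
		if (hScm == NULL)
		{
			printf("Open SCManager failed! (%lu)\n", ::GetLastError());
			return;
		}

		// Only the rights actually exercised below: stop and delete.
		SC_HANDLE hService = ::OpenService(hScm, PServiceManage::Instance()->ServiceName(), SERVICE_STOP | DELETE);
		if (hService == NULL)
		{
			printf("Open Service Failed (%lu)\n", ::GetLastError());
			::CloseServiceHandle(hScm);
			return;
		}

		// Ask the service to stop. A service that is not running reports
		// ERROR_SERVICE_NOT_ACTIVE, which is fine here; other failures are only
		// logged because DeleteService marks the service for deletion and the
		// SCM removes it once it has stopped.
		SERVICE_STATUS status;
		if (!::ControlService(hService, SERVICE_CONTROL_STOP, &status))
		{
			DWORD dwStopError = ::GetLastError();
			if (dwStopError != ERROR_SERVICE_NOT_ACTIVE)
				printf("Stop Service failed! (%lu)\n", dwStopError);
		}

		// Capture the error before the handles are closed, which may reset it.
		BOOL bDeleted = ::DeleteService(hService);
		DWORD dwDeleteError = bDeleted ? ERROR_SUCCESS : ::GetLastError();
		::CloseServiceHandle(hService);
		::CloseServiceHandle(hScm);

		if (!bDeleted)
		{
			printf("Service Delete failed! (%lu)\n", dwDeleteError);
			return;
		}

		// Remove the event-log source key created by Install(). The access
		// rights on the parent handle do not gate RegDeleteKey, so KEY_WRITE
		// is sufficient; KEY_ALL_ACCESS was broader than needed.
		HKEY hKey;
		if (::RegOpenKeyEx(HKEY_LOCAL_MACHINE, SYSTEMLOG, 0, KEY_WRITE, &hKey) == ERROR_SUCCESS)
		{
			::RegDeleteKey(hKey, PServiceManage::Instance()->ServiceName());
			::RegCloseKey(hKey);
		}
		printf("Service Delete Success!\n");
	}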
/**
 * Decides whether a file is considered safe by consulting the black cache,
 * the per-process module filter, and then an MD5 digest of the file content.
 *
 * Order of checks as implemented below:
 *   1. A path already in the black cache is rejected outright.
 *   2. A module the current process has already had marked MODULE_FILTERED is
 *      accepted without being re-hashed.
 *   3. Otherwise the file is opened read-only and hashed; a blacklisted digest
 *      is rejected (and the path is added to the black cache), a digest that
 *      is neither black nor known-secure is handed to the upper layer via
 *      setData()/setSigned() and the verdict is taken from the
 *      g_pEventFilterGo event / g_bPassFilter (see the inline comments).
 * @param filename Full path of the file (UNICODE_STRING).
 * @return true if the file is considered safe, false otherwise. Failure to
 *         open the file or to allocate the read buffer yields false.
 */
bool CheckIsFileHashSecure(const PUNICODE_STRING filename)
{	
	// Fast paths on names that have already been classified.
	if(IsInBlackCache(filename) == true)
		return false;

	if( MODULE_FILTERED == GetModuleFilter((ULONG)PsGetCurrentProcessId(),filename) )		
		return true;
	///////////////////////////////////////

	HANDLE hFile;
	OBJECT_ATTRIBUTES oaFile;
	InitializeObjectAttributes(&oaFile, filename, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

	// Open the file for reading; if that fails the file is treated as unsafe (false).
	IO_STATUS_BLOCK ioStatus;
	NTSTATUS status = ZwOpenFile(&hFile, GENERIC_READ, &oaFile, &ioStatus, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
	if(!NT_SUCCESS(status))
	{
		KdPrint(("VerifyModule: ZwOpenFile: %ws %08x\n", filename->Buffer, status));
		return false;
	}

	// Read buffer from paged pool; allocation failure fails closed.
	// NOTE(review): the Zw* calls here need PASSIVE_LEVEL, which is also what
	// PagedPool requires - confirm no caller reaches this at a higher IRQL.
	unsigned char* fileBuf = (unsigned char*)ExAllocatePoolWithTag(PagedPool, FILE_BUFFER_SIZE, 'knab');
	if(fileBuf == NULL)
	{
		ZwClose(hFile);
		return false;
	}

	// Digest the whole file with MD5.
	// NOTE(review): MD5 is not collision-resistant; whether that matters depends
	// on how the black/secure digest sets are produced - confirm.
	MD5_CTX md5;
	MD5Init(&md5);
	ULONG sizeAll=0;
	
	// The size query result is not used afterwards: neither the status nor fsi
	// is checked, and sizeAll is never compared against fsi.EndOfFile.
	FILE_STANDARD_INFORMATION fsi;
	ZwQueryInformationFile(hFile,&ioStatus,&fsi,sizeof(FILE_STANDARD_INFORMATION),FileStandardInformation);


	while(1)
	{
		// This inner 'status' shadows the outer one. The loop ends on any read
		// failure (including STATUS_END_OF_FILE) or on a zero-length read.
		// NOTE(review): a read error part-way through leaves a digest of a
		// truncated file, which is then classified as if it were complete.
		NTSTATUS status = ZwReadFile(hFile, NULL, NULL, NULL, &ioStatus, fileBuf, 
			FILE_BUFFER_SIZE, NULL, NULL);
		if(!NT_SUCCESS(status))
			break;
		if(ioStatus.Information == 0)
			break;

		sizeAll += ioStatus.Information;
		MD5Update(&md5, fileBuf, ioStatus.Information);
	}
	ExFreePoolWithTag(fileBuf, 'knab');

	unsigned char final[16];
	MD5Final(final, &md5);

	ZwClose(hFile);

	// Black / secure digest check.
	// (Earlier variant of the block below, kept for reference.)
//  	bool bOK = IsHashBlack(final);
// 
// 	if( bOK )
// 	{
// 		if(!IsInBlackCache(filename))
// 		{
// 			WriteSysLog(LOG_TYPE_DEBUG,L" Fileter Module :%s", filename->Buffer);
// 			AddBlackCache(filename);
// 		}
// 		return false;
// 	}
// 	else if( !IsHashSecure(final) )// hand up to the upper layer 
// 	{
// 		if( setData(filename->Buffer,filename->Length,final,16) )
// 			setSigned();
// 	}	
	bool bOK = IsHashBlack(final);
	bool bReturn = true;

	if( bOK )
	{
		// Known-bad digest: remember the path so later checks short-circuit.
		if(!IsInBlackCache(filename))
		{
			WriteSysLog(LOG_TYPE_INFO,L" Fileter Module :%s", filename->Buffer);
			AddBlackCache(filename);
		}
		bReturn = false;
	}
	else if( !IsHashSecure(final) )// not known-secure either: hand up to the upper layer 
	{
		// NOTE(review): IsInstall() here appears to be a settable flag (see
		// IsInstall(true) below), distinct from the service check of the same
		// name elsewhere on this page; its meaning is not visible from here.
		if( !IsInstall() )
		{
			// Publish path + digest for the upper layer and signal it.
			if( setData(filename->Buffer,filename->Length,final,16) )
				setSigned();

			// Relative timeout in 100 ns units: 10,000,000 == 1 second.
			LARGE_INTEGER  lWaitTimeOuts;
			lWaitTimeOuts.QuadPart = -10 * 1000 * 1000;

			//DbgPrint("###kernel wait event!");
WriteSysLog(LOG_TYPE_INFO,L" kernel is waitint for event signal!");
			// Wait for the upper layer's verdict. On timeout the decision is made
			// locally from GetPIDNumber(); otherwise g_bPassFilter carries it.
			// NOTE(review): g_bPassFilter is a global shared by all callers, so
			// concurrent checks could read each other's verdict - confirm how
			// this path is serialized.
			if( STATUS_TIMEOUT == KeWaitForSingleObject(g_pEventFilterGo, Executive, KernelMode, FALSE, &lWaitTimeOuts) )
			{
				IsInstall(true);
				// Timeout policy: reject when more than two PIDs are registered,
				// otherwise allow (fail-open).
				if( GetPIDNumber() > 2)
					bReturn = false;
				else
					bReturn = true;
			}
			else
				bReturn = g_bPassFilter;
			//DbgPrint("###kernel continue: file path : %ws is %ws \n", filename->Buffer, bReturn? L"pass":L"noPass");
WriteSysLog(LOG_TYPE_INFO,L" kernel continue: file path : %ws is %ws", filename->Buffer, bReturn? L"pass":L"noPass");
			// Remember a passed module for this process so the early
			// MODULE_FILTERED check accepts it without re-hashing.
			if( bReturn )
				if( MODULE_FILTERED != GetModuleFilter((ULONG)PsGetCurrentProcessId(),filename) && (GetPIDNumber() > 2) )
					SetModuleFilter((ULONG)PsGetCurrentProcessId(), filename, true);
		}
	}	
	//
	return bReturn;
}