bool TerminateProcessFromPathFilename ( const SString& strPathFilename )
{
DWORD dwProcessIDs[250];
DWORD pBytesReturned = 0;
if ( EnumProcesses ( dwProcessIDs, 250 * sizeof(DWORD), &pBytesReturned ) )
{
DWORD id1 = GetCurrentProcessId();
for ( unsigned int i = 0; i < pBytesReturned / sizeof ( DWORD ); i++ )
{
DWORD id2 = dwProcessIDs[i];
if ( id2 == id1 )
continue;
// Skip 64 bit processes to avoid errors
if ( !Is32bitProcess ( dwProcessIDs[i] ) )
continue;
// Open the process
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessIDs[i]);
if ( hProcess )
{
HMODULE pModule;
DWORD cbNeeded;
if ( EnumProcessModules ( hProcess, &pModule, sizeof ( HMODULE ), &cbNeeded ) )
{
WCHAR szModuleName[MAX_PATH*2] = L"";
if ( GetModuleFileNameExW( hProcess, pModule, szModuleName, NUMELMS(szModuleName) ) )
{
SString strModuleName = ToUTF8( szModuleName );
if ( stricmp ( strModuleName, strPathFilename ) == 0 )
{
TerminateProcess ( hProcess, 0 );
CloseHandle ( hProcess );
return true;
}
}
}
// Close the process
CloseHandle ( hProcess );
}
}
}
return false;
}
void *Ploopgrab(LPVOID args)
{
DEBUG_EVENT dbg;
DWORD cont = DBG_CONTINUE, size = 0;
TCHAR pszFilename[MAX_PATH+1];
DWORD64 mod;
struct proc_uc *tmp = args;
struct ps_prochandle *P = tmp->ps;
int first_execp = 0;
BOOL wow = 0;
char *s;
DWORD Options = SymGetOptions();
if (DebugActiveProcess(P->pid) == 0) {
dprintf( "failed to debug process (%d): %d\n", P->pid, GetLastError() );
pthread_mutex_lock(&P->mutex);
P->status = PS_STOP;
P->flags = CREATE_FAILED;
if (P->status == PS_STOP)
pthread_cond_signal(&P->cond);
pthread_mutex_unlock(&P->mutex);
return NULL;
}
DebugSetProcessKillOnExit(FALSE);
P->wstat = 0;
P->exitcode = 0;
P->event = CreateEvent(NULL,FALSE,FALSE,NULL);
P->dll_load_order = 1;
SymSetOptions(Options|SYMOPT_INCLUDE_32BIT_MODULES|SYMOPT_DEFERRED_LOADS|SYMOPT_DEBUG);
while (1) {
if (WaitForDebugEvent(&dbg, INFINITE) == 0) {
return NULL;
}
cont = DBG_CONTINUE;
pthread_mutex_lock(&P->mutex);
switch (dbg.dwDebugEventCode) {
case CREATE_PROCESS_DEBUG_EVENT:
P->thandle = dbg.u.CreateProcessInfo.hThread;
P->phandle = dbg.u.CreateProcessInfo.hProcess;
if ((SymInitialize(P->phandle, 0, FALSE) == FALSE)) {
dprintf("SymInitialize failed (%d): %d\n", P->pid, GetLastError());
break;
}
s = GetFileNameFromHandle(dbg.u.CreateProcessInfo.hFile, pszFilename);
addmodule(P, dbg.u.CreateProcessInfo.hFile, s, dbg.u.CreateProcessInfo.lpBaseOfImage, PE_TYPE_EXE, P->dll_load_order);
size = GetFileSize(dbg.u.CreateProcessInfo.hFile, NULL);
if (size == INVALID_FILE_SIZE) {
size = 0;
}
if ((mod = SymLoadModuleEx(P->phandle, dbg.u.CreateProcessInfo.hFile, s, NULL,
(ULONG_PTR) dbg.u.CreateProcessInfo.lpBaseOfImage, size, NULL, 0)) == FALSE) {
dprintf("SymLoadModule64 Failed for %s: %d\n", s, GetLastError());
break;
}
#if __amd64__
if (Is32bitProcess(P->phandle)) {
P->model = PR_MODEL_ILP32;
wow = 1;
} else
P->model = PR_MODEL_ILP64;
#else
P->model = PR_MODEL_ILP32;
#endif
CloseHandle(dbg.u.CreateProcessInfo.hFile);
P->status = PS_RUN;
P->msg.type = 0;
break;
case CREATE_THREAD_DEBUG_EVENT:
P->status = PS_RUN;
P->msg.type = 0;
break;
case LOAD_DLL_DEBUG_EVENT:
s = GetFileNameFromHandle(dbg.u.LoadDll.hFile, pszFilename);
if (first_execp) {
P->dll_load_order++;
}
addmodule(P, dbg.u.LoadDll.hFile, s, dbg.u.LoadDll.lpBaseOfDll, PE_TYPE_DLL, P->dll_load_order);
size = GetFileSize(dbg.u.CreateProcessInfo.hFile, NULL);
if (size == INVALID_FILE_SIZE) {
size = 0;
}
#if __amd64__
/* Not tracing 64 bit dlls for 32 bit process */
if (P->model == PR_MODEL_ILP32 && is64bitmodule(dbg.u.LoadDll.lpBaseOfDll, s)) {
CloseHandle(dbg.u.LoadDll.hFile );
break;
}
#endif
if ((mod = SymLoadModuleEx(P->phandle, dbg.u.LoadDll.hFile, s, NULL,
(ULONG_PTR) dbg.u.LoadDll.lpBaseOfDll, size, NULL, 0)) == FALSE) {
dprintf("SymLoadModule64 failed for %s: %d\n", s, GetLastError());
break;
}
CloseHandle(dbg.u.LoadDll.hFile );
if (first_execp == 0) {
P->status = PS_RUN;
P->msg.type = RD_DLACTIVITY;
} else {
P->status = PS_STOP;
P->msg.type = RD_DLACTIVITY;
}
break;
case UNLOAD_DLL_DEBUG_EVENT:
if (SymUnloadModule64(P->phandle, (ULONG_PTR) dbg.u.UnloadDll.lpBaseOfDll) == FALSE) {
dprintf("SymUnloadModule64 failed-Imagebase %p: %d\n", dbg.u.UnloadDll.lpBaseOfDll, GetLastError());
break;
}
delmodule(P, (ULONG64) dbg.u.UnloadDll.lpBaseOfDll);
P->status = PS_RUN;
P->msg.type = RD_DLACTIVITY;
break;
case EXIT_PROCESS_DEBUG_EVENT:
P->exitcode = dbg.u.ExitProcess.dwExitCode;
P->status = PS_UNDEAD;
P->msg.type = RD_NONE;
//SymCleanup(P->phandle);
break;
case EXIT_THREAD_DEBUG_EVENT:
P->status = PS_RUN;
P->msg.type = 0;
break;
case EXCEPTION_DEBUG_EVENT:
switch(dbg.u.Exception.ExceptionRecord.ExceptionCode) {
case EXCEPTION_BREAKPOINT:
if (first_execp++ == 0) {
pthread_cond_signal(&P->cond);
}
P->status = PS_STOP;
P->msg.type = 0;
break;
default:
if (dbg.u.Exception.dwFirstChance == 0)
P->wstat = dbg.u.Exception.ExceptionRecord.ExceptionCode;
P->status = PS_RUN;
cont = DBG_EXCEPTION_NOT_HANDLED;
break;
}
break;
default:
P->status = PS_RUN;
dprintf("Debug Event not processed: %d\n", dbg.dwDebugEventCode);
break;
}
if (P->status != PS_RUN)
SetEvent(P->event);
while (P->status == PS_STOP)
pthread_cond_wait(&P->cond, &P->mutex);
pthread_mutex_unlock(&P->mutex);
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, cont);
}
}
static void *Ploopcreate(LPVOID args)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
DEBUG_EVENT dbg;
DWORD cont;
BOOL wow = 0;
DWORD Options = SymGetOptions(), excep, size = 0;
TCHAR pszFilename[MAX_PATH+1];
struct proc_uc *tmp = args;
struct ps_prochandle *P = tmp->ps;
int first_execp = 0;
char *s, targs[256], *ctmp;
char *const *argv = tmp->args;
int len;
ctmp = targs;
while (*argv != NULL) {
len = strlen(*argv);
sprintf(ctmp, "%s ", *argv);
ctmp = ctmp + len + 1;
argv++;
}
*ctmp = '\0';
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
if(!CreateProcess( NULL, // module name
targs, // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
DEBUG_ONLY_THIS_PROCESS, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&si, // Pointer to STARTUPINFO structure
&pi ) // Pointer to PROCESS_INFORMATION structure
) {
pthread_mutex_lock(&P->mutex);
P->status = PS_STOP;
P->flags = CREATE_FAILED;
pthread_cond_signal(&P->cond);
pthread_mutex_unlock(&P->mutex);
return NULL;
}
P->pid = pi.dwProcessId;
P->tid = pi.dwThreadId;
P->wstat = 0;
P->exitcode = 0;
P->event = CreateEvent(NULL,FALSE,FALSE,NULL);
P->dll_load_order = 1;
#if __amd64__
/* There seems to be a bug in 64 bit version of dbghelp.dll
* when SYMOPT_DEFERRED_LOADS is set,
* dtrace -n "pid$target:kernel32::entry, pid$target:KernelBase::entry" -c test.exe,
* when SymEnumSymbols (Psymbol_iter_by_addr) is called on this two dll,
* the second call (KernelBase) will enumerate the
* symbols from the previous enumurated (kernel32) dll (from the first call).
* This behaviour is not present in 32 bit.
*/
Options &= ~SYMOPT_DEFERRED_LOADS;
#endif
SymSetOptions(Options|SYMOPT_INCLUDE_32BIT_MODULES|SYMOPT_DEBUG);
while (1) {
if (WaitForDebugEvent(&dbg, INFINITE) == 0) {
return NULL;
}
cont = DBG_CONTINUE;
pthread_mutex_lock(&P->mutex);
switch (dbg.dwDebugEventCode) {
case CREATE_PROCESS_DEBUG_EVENT:
P->phandle = dbg.u.CreateProcessInfo.hProcess;
P->thandle = dbg.u.CreateProcessInfo.hThread;
if ((SymInitialize(P->phandle, 0, FALSE) == FALSE)) {
dprintf("SymInitialize failed: %d\n", GetLastError());
break;
}
s = GetFileNameFromHandle(dbg.u.CreateProcessInfo.hFile, pszFilename);
addmodule(P, dbg.u.CreateProcessInfo.hFile, s, dbg.u.CreateProcessInfo.lpBaseOfImage,
PE_TYPE_EXE, P->dll_load_order);
size = GetFileSize(dbg.u.CreateProcessInfo.hFile, NULL);
if (size == INVALID_FILE_SIZE) {
size = 0;
}
if (SymLoadModuleEx(P->phandle, dbg.u.CreateProcessInfo.hFile, s, NULL,
(ULONG_PTR) dbg.u.CreateProcessInfo.lpBaseOfImage, size, NULL, 0) == 0) {
dprintf("SymLoadModule64 failed for %s:%d\n", s, GetLastError());
break;
}
#if __amd64__
if (Is32bitProcess(P->phandle)) {
P->model = PR_MODEL_ILP32;
wow = 1;
} else
P->model = PR_MODEL_ILP64;
#else
P->model = PR_MODEL_ILP32;
#endif
P->status = PS_STOP;
P->msg.type = 0;
CloseHandle(dbg.u.CreateProcessInfo.hFile);
pthread_cond_signal(&P->cond);
break;
case CREATE_THREAD_DEBUG_EVENT:
P->status = PS_RUN;
P->msg.type = 0;
break;
case LOAD_DLL_DEBUG_EVENT:
s = GetFileNameFromHandle(dbg.u.LoadDll.hFile, pszFilename);
if (first_execp == 2) {
P->dll_load_order++;
}
addmodule(P, dbg.u.LoadDll.hFile, s, dbg.u.LoadDll.lpBaseOfDll, PE_TYPE_DLL, P->dll_load_order);
size = GetFileSize(dbg.u.LoadDll.hFile, NULL);
if (size == INVALID_FILE_SIZE) {
size = 0;
}
#if __amd64__
/* Not tracing 64 bit dlls for 32 bit process */
if (P->model == PR_MODEL_ILP32 && is64bitmodule(dbg.u.LoadDll.lpBaseOfDll, s)) {
CloseHandle(dbg.u.LoadDll.hFile );
break;
}
#endif
if (SymLoadModuleEx(P->phandle, dbg.u.LoadDll.hFile, s, NULL,
(ULONG_PTR) dbg.u.LoadDll.lpBaseOfDll, size, NULL, 0) == FALSE) {
dprintf("SymLoadModule64 dailed for %s:%d\n", s, GetLastError());
break;
}
CloseHandle(dbg.u.LoadDll.hFile );
P->status = PS_STOP;
P->msg.type = RD_DLACTIVITY;
break;
case UNLOAD_DLL_DEBUG_EVENT:
if (SymUnloadModule64(P->phandle, (ULONG_PTR) dbg.u.UnloadDll.lpBaseOfDll) == FALSE) {
dprintf("SymUnloadModule64 failed-Imagebase %p:%d\n", dbg.u.UnloadDll.lpBaseOfDll, GetLastError());
break;
}
delmodule(P, (ULONG64) dbg.u.UnloadDll.lpBaseOfDll);
P->status = PS_RUN;
P->msg.type = RD_DLACTIVITY;
break;
case EXIT_PROCESS_DEBUG_EVENT:
P->exitcode = dbg.u.ExitProcess.dwExitCode;
P->status = PS_UNDEAD;
P->msg.type = RD_NONE;
break;
case EXIT_THREAD_DEBUG_EVENT:
P->status = PS_RUN;
P->msg.type = 0;
break;
case EXCEPTION_DEBUG_EVENT:
switch(excep = dbg.u.Exception.ExceptionRecord.ExceptionCode) {
case EXCEPTION_BREAKPOINT:
case 0x4000001F: /* WOW64 exception breakpoint */
/* NOTE: Dtrace sets a BP at main (entry point of the process), which is implemented
* with Psetbkpt, Pdelbkpt & Pexecbkpt. But I have implemnted it here.
*/
if ((excep == EXCEPTION_BREAKPOINT && first_execp == 0 && wow == 0) ||
(excep == 0x4000001F && first_execp == 0 && wow == 1) ) {
SYMBOL_INFO *Symbol;
GElf_Sym sym;
ULONG64 buffer[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(TCHAR) + sizeof(ULONG64) - 1) / sizeof(ULONG64)];
Symbol = (SYMBOL_INFO *) buffer;
Symbol->SizeOfStruct= sizeof(SYMBOL_INFO );
Symbol->MaxNameLen = MAX_SYM_NAME;
if (Pxlookup_by_name(P, LM_ID_BASE, "a.out", "main", &sym, NULL) != 0 &&
Pxlookup_by_name(P, LM_ID_BASE, "a.out", "WinMain", &sym, NULL) != 0) {
dprintf("failed to find entry point (main):%d\n", GetLastError());
break;
}
if (setbkpt(P, (uintptr_t) sym.st_value) != 0) {
dprintf("failed to set breakpoint for %s at address %p\n", Symbol->Name, Symbol->Address);
break;
}
first_execp = 1;
P->status = PS_RUN;
P->msg.type = 0;
break;
}
if (dbg.u.Exception.ExceptionRecord.ExceptionAddress != (PVOID) P->addr) {
dprintf("expecting execption at %p:but recived from %p\n", P->addr,
dbg.u.Exception.ExceptionRecord.ExceptionAddress);
P->status = PS_RUN;
cont = DBG_EXCEPTION_NOT_HANDLED;
break;
}
if (delbkpt(P, P->addr) != 0) {
dprintf("failed to delete brk point at %p:(main)\n", P->addr);
break;
}
if (adjbkpt(P, wow) != 0) {
dprintf("failed to normalize brk point (main)\n");
break;
}
first_execp = 2;
P->status = PS_STOP;
P->msg.type = RD_MAININIT;
break;/*
if (first_execp == 0) {
P->status = PS_STOP;
P->msg.type = RD_MAININIT;
first_execp = 2;
} else {
P->status = PS_RUN;
cont = DBG_EXCEPTION_NOT_HANDLED;
}
break;*/
default:
if (dbg.u.Exception.dwFirstChance == 0)
P->wstat = dbg.u.Exception.ExceptionRecord.ExceptionCode;
P->status = PS_RUN;
cont = DBG_EXCEPTION_NOT_HANDLED;
break;
}
break;
default:
P->status = PS_RUN;
dprintf("Debug Event not processed: %d\n", dbg.dwDebugEventCode);
break;
}
if (P->status != PS_RUN)
SetEvent(P->event);
while (P->status == PS_STOP)
pthread_cond_wait(&P->cond, &P->mutex);
pthread_mutex_unlock(&P->mutex);
ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, cont);
}
}
//////////////////////////////////////////////////////////
//
// CheckAntiVirusStatus
//
// Maybe warn user if no anti-virus running
//
//////////////////////////////////////////////////////////
void CheckAntiVirusStatus( void )
{
// Get data from WMI
std::vector < SString > enabledList;
std::vector < SString > disabledList;
GetWMIAntiVirusStatus( enabledList, disabledList );
// Get status from WSC
WSC_SECURITY_PROVIDER_HEALTH health = (WSC_SECURITY_PROVIDER_HEALTH)-1;
if ( _WscGetSecurityProviderHealth )
{
_WscGetSecurityProviderHealth( WSC_SECURITY_PROVIDER_ANTIVIRUS, &health );
}
// Dump results
SString strStatus( "AV health: %s (%d)", *EnumToString( health ), health );
for ( uint i = 0 ; i < enabledList.size() ; i++ )
strStatus += SString( " [Ena%d:%s]", i, *enabledList[i] );
for ( uint i = 0 ; i < disabledList.size() ; i++ )
strStatus += SString( " [Dis%d:%s]", i, *disabledList[i] );
WriteDebugEvent( strStatus );
// Maybe show dialog if av not found
if ( enabledList.empty() && health != WSC_SECURITY_PROVIDER_HEALTH_GOOD )
{
bool bEnableScaremongering = ( health != WSC_SECURITY_PROVIDER_HEALTH_NOTMONITORED );
if ( bEnableScaremongering )
{
const char* avProducts[] = { "antivirus", "anti-virus", "Avast", "AVG", "Avira",
"NOD32", "ESET", "F-Secure", "Faronics", "Kaspersky",
"McAfee", "Norton", "Symantec", "Panda", "Trend Micro", };
// Check for anti-virus helper dlls before actual scaremongering
HMODULE aModules[1024];
DWORD cbNeeded;
if ( EnumProcessModules( GetCurrentProcess(), aModules, sizeof(aModules), &cbNeeded) )
{
DWORD cModules = cbNeeded / sizeof(HMODULE);
for ( uint i = 0 ; i < cModules ; i++ )
{
if( aModules[i] != 0 )
{
WCHAR szModulePathFileName[1024] = L"";
GetModuleFileNameExW ( GetCurrentProcess(), aModules[i], szModulePathFileName, NUMELMS(szModulePathFileName) );
SLibVersionInfo libVersionInfo;
GetLibVersionInfo ( ToUTF8( szModulePathFileName ), &libVersionInfo );
for( uint i = 0 ; i < NUMELMS( avProducts ) ; i++ )
{
if ( libVersionInfo.strCompanyName.ContainsI( avProducts[i] )
|| libVersionInfo.strProductName.ContainsI( avProducts[i] ) )
{
bEnableScaremongering = false;
WriteDebugEvent( SString( "AV (module) maybe found %s [%d](%s,%s)", *WStringX( szModulePathFileName ).ToAnsi(), i, *libVersionInfo.strCompanyName, *libVersionInfo.strProductName ) );
}
}
}
}
if ( bEnableScaremongering )
WriteDebugEvent( SString( "AV Searched %d dlls, but could not find av helper", cModules ) );
}
if ( bEnableScaremongering )
{
std::vector < DWORD > processIdList = MyEnumProcesses();
for ( uint i = 0; i < processIdList.size (); i++ )
{
DWORD processId = processIdList[i];
// Skip 64 bit processes to avoid errors
if ( !Is32bitProcess ( processId ) )
continue;
std::vector < SString > filenameList = GetPossibleProcessPathFilenames ( processId );
for ( uint i = 0; i < filenameList.size (); i++ )
{
const SString& strProcessPathFileName = filenameList[i];
SLibVersionInfo libVersionInfo;
if ( GetLibVersionInfo ( strProcessPathFileName, &libVersionInfo ) )
{
for( uint i = 0 ; i < NUMELMS( avProducts ) ; i++ )
{
if ( libVersionInfo.strCompanyName.ContainsI( avProducts[i] )
|| libVersionInfo.strProductName.ContainsI( avProducts[i] ) )
{
bEnableScaremongering = false;
WriteDebugEvent( SString( "AV (process) maybe found %s [%d](%s,%s)", *strProcessPathFileName, i, *libVersionInfo.strCompanyName, *libVersionInfo.strProductName ) );
}
}
}
}
}
if ( bEnableScaremongering )
WriteDebugEvent( SString( "AV Searched %d processes, but could not find av helper", processIdList.size() ) );
}
}
ShowNoAvDialog( g_hInstance, bEnableScaremongering );
HideNoAvDialog ();
}
}
