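/*
 * Wait for the Firefox / Thunderbird main window, then register the boss-key
 * hotkey described by pInfo.
 *
 * Polls every 800 ms for a top-level "MozillaWindowClass" window whose title
 * passes is_thunderbird() (title contains "- Mozilla Thunderbird") or
 * is_browser() (any other title).  The window handle goes to pInfo->hFF and
 * its owning process id to pInfo->pFF.  The hotkey id is derived from a global
 * atom of this module's path: atoms live in 0xC000..0xFFFF while hotkey ids must
 * be 0x0000..0xBFFF, hence the -0xC000.
 *
 * Returns the result of RegisterHotKey, or FALSE when the module path or the
 * atom could not be obtained (the original subtracted 0xC000 from a failed,
 * zero atom and registered an out-of-range id).  Does not return while no
 * matching window exists, so it is expected to run on its own thread.
 */
BOOL init_bosskey(LPWNDINFO pInfo)
{
    WCHAR title[BUFSIZE + 1];
    WCHAR module_path[VALUE_LEN + 1] = {0};
    ATOM atom;

    /* Wait for the main window and take its handle. */
    while (!pInfo->hFF) {
        HWND hwnd = FindWindowExW(NULL, NULL, L"MozillaWindowClass", NULL);
        while (hwnd != NULL) {
            int n = GetWindowTextW(hwnd, title, BUFSIZE);
            if (n > 0 && n < BUFSIZE) {
                title[n] = L'\0';
                if (stristrW(title, L"- Mozilla Thunderbird")) {
                    /* Thunderbird main window */
                    pInfo->hFF = is_thunderbird() ? hwnd : NULL;
                } else {
                    /* Firefox main window */
                    pInfo->hFF = is_browser() ? hwnd : NULL;
                }
            }
            if (pInfo->hFF) {
                break;
            }
            hwnd = FindWindowExW(NULL, hwnd, L"MozillaWindowClass", NULL);
        }
        Sleep(800);
    }

    /* pInfo->hFF is non-NULL here: the loop only exits once it has been set. */
    GetWindowThreadProcessId(pInfo->hFF, &pInfo->pFF);
    if (GetModuleFileNameW(NULL, module_path, VALUE_LEN) == 0) {
        return FALSE;
    }
    atom = GlobalAddAtomW(module_path);
    if (atom == 0) {
        return FALSE;
    }
    pInfo->atom_str = atom - 0xC000;
    return RegisterHotKey(NULL, pInfo->atom_str, pInfo->key_mod, pInfo->key_vk);
}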
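/*
 * Tell whether callerAddress lies inside the module named by dll_file.
 *
 * dll_file is either a wildcard pattern ('*' / '?', matched against the module's
 * full path with PathMatchSpecW) or a plain name, matched as a case-insensitive
 * SUBSTRING of the full path.  The substring form therefore also accepts modules
 * whose name merely contains dll_file (e.g. "xfoo.dll" for "foo.dll"); pass a
 * pattern when an exact name is required.
 *
 * Returns TRUE on a match, FALSE otherwise or when callerAddress cannot be
 * mapped to a loaded module.
 */
BOOL WINAPI is_specialdll(UINT_PTR callerAddress, LPCWSTR dll_file)
{
    BOOL ret = FALSE;
    HMODULE hCallerModule = NULL;
    WCHAR module_path[VALUE_LEN + 1] = {0};
    /* UNCHANGED_REFCOUNT: the original passed only FROM_ADDRESS, which bumps the
     * module's reference count and, with no matching FreeLibrary, pinned the
     * caller's module for the life of the process.  The caller is on the current
     * call stack, so its module cannot unload while we inspect it. */
    const DWORD flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                        GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT;

    if (!GetModuleHandleExW(flags, (LPCWSTR)callerAddress, &hCallerModule)) {
        return FALSE;
    }
    /* module_path is zero-filled and one wider than VALUE_LEN, so it stays
     * NUL-terminated even when the path is truncated. */
    if (GetModuleFileNameW(hCallerModule, module_path, VALUE_LEN) == 0) {
        return FALSE;
    }
    if (StrChrW(dll_file, L'*') || StrChrW(dll_file, L'?')) {
        if (PathMatchSpecW(module_path, dll_file)) {
            ret = TRUE;
        }
    } else if (stristrW(module_path, dll_file)) {
        ret = TRUE;
    }
    return ret;
}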
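/* Signature of the CRT's _wputenv, resolved at run time from the CRT the host
 * process actually links (see SetPluginPath). */
typedef int (__cdecl *portable_putenv_fn)(LPCWSTR envstring);

/*
 * Read `key` from the [Env] section of profile_path, optionally resolve it to an
 * absolute path with PathToCombineW, and publish it as "<prefix><value>" through
 * write_env.
 * Returns write_env's result, or 0 when the key is absent or the formatted
 * string does not fit in VALUE_LEN characters.
 */
static int put_ini_path_env(portable_putenv_fn write_env, LPCWSTR key, LPCWSTR prefix, BOOL to_abs)
{
    WCHAR value[VALUE_LEN + 1] = {0};
    WCHAR env_string[VALUE_LEN + 1] = {0};

    /* NOTE(review): sizeof(value) is a byte count, as in the original call;
     * confirm read_appkey expects bytes rather than WCHARs. */
    if (!read_appkey(L"Env", key, value, sizeof(value))) {
        return 0;
    }
    if (to_abs) {
        PathToCombineW(value, VALUE_LEN);
    }
    /* _snwprintf returns -1 on truncation (MSVC); nothing is exported then. */
    if (_snwprintf(env_string, VALUE_LEN, L"%ls%ls", prefix, value) <= 0) {
        return 0;
    }
    return write_env(env_string);
}

/*
 * Export [Env] VimpPentaHome as HOME=.  A value that is not drive-qualified is
 * passed through charTochar() and joined onto portable_data_path.
 * Returns write_env's result, or 0 when the key is absent or the string does
 * not fit.
 */
static int put_vimp_home_env(portable_putenv_fn write_env)
{
    WCHAR value[VALUE_LEN + 1] = {0};
    WCHAR env_string[VALUE_LEN + 1] = {0};

    if (!read_appkey(L"Env", L"VimpPentaHome", value, sizeof(value))) {
        return 0;
    }
    if (value[1] != L':') {
        WCHAR joined[VALUE_LEN + 1] = {0};
        charTochar(value);
        if (PathCombineW(joined, portable_data_path, value)) {
            /* The original indexed `value` with _snwprintf's return value, which
             * is -1 on truncation (MSVC) — an out-of-bounds write.  Terminate the
             * buffer unconditionally instead. */
            _snwprintf(value, VALUE_LEN, L"%ls", joined);
            value[VALUE_LEN] = L'\0';
        }
    }
    if (_snwprintf(env_string, VALUE_LEN, L"%ls%ls", L"HOME=", value) <= 0) {
        return 0;
    }
    return write_env(env_string);
}

/*
 * Thread entry: append the [Env] section of the portable ini to the process
 * environment.
 *
 * The variables must be added through the _wputenv of the CRT the host process
 * depends on (located by find_msvcrt), not our own CRT's, so that they land in
 * the environment block the host actually reads.  NpluginPath, VimpPentaHome and
 * MOZ_GMP_PATH are resolved relative to the portable directory and exported as
 * MOZ_PLUGIN_PATH, HOME and MOZ_GMP_PATH; TmpDataPath is not exported; every
 * other "KEY=VALUE" entry is exported verbatim.
 *
 * pParam is unused.  Returns 1 once the section has been processed (individual
 * _wputenv failures are not reported), 0 when the CRT, the ini file, _wputenv or
 * the work buffer is unavailable.
 */
unsigned WINAPI SetPluginPath(void *pParam)
{
    HMODULE hCrt = NULL;
    portable_putenv_fn write_env = NULL;
    char msvc_crt[CRT_LEN + 1] = {0};
    LPWSTR section = NULL;
    LPWSTR entry;

    (void)pParam;
    if (!find_msvcrt(msvc_crt, CRT_LEN)) {
        return 0;
    }
    if ((hCrt = GetModuleHandleA(msvc_crt)) == NULL) {
        return 0;
    }
    /* A profile path without a drive letter has not been located yet. */
    if (profile_path[1] != L':' && !ini_ready(profile_path, MAX_PATH)) {
        return 0;
    }
    write_env = (portable_putenv_fn)GetProcAddress(hCrt, "_wputenv");
    if (write_env == NULL) {
        return 0;
    }
    /* GetPrivateProfileSectionW's size argument counts WCHARs.  The original
     * allocated SYS_MALLOC(MAX_ENV_SIZE) but advertised MAX_ENV_SIZE-1 WCHARs;
     * if SYS_MALLOC takes bytes that is half the promised capacity.  Sizing the
     * allocation in bytes explicitly is correct in either case. */
    section = (LPWSTR)SYS_MALLOC(MAX_ENV_SIZE * sizeof(WCHAR));
    if (section == NULL) {
        return 0;
    }
    if (GetPrivateProfileSectionW(L"Env", section, MAX_ENV_SIZE - 1, profile_path) > 0) {
        /* The section is a sequence of NUL-terminated "KEY=VALUE" strings ending
         * with an empty string. */
        for (entry = section; *entry != L'\0'; entry += wcslen(entry) + 1) {
            if (stristrW(entry, L"NpluginPath")) {
                put_ini_path_env(write_env, L"NpluginPath", L"MOZ_PLUGIN_PATH=", TRUE);
            } else if (stristrW(entry, L"VimpPentaHome")) {
                put_vimp_home_env(write_env);
            } else if (stristrW(entry, L"MOZ_GMP_PATH")) {
                put_ini_path_env(write_env, L"MOZ_GMP_PATH", L"MOZ_GMP_PATH=", TRUE);
            } else if (stristrW(entry, L"TmpDataPath")) {
                /* TmpDataPath is deliberately not exported. */
            } else {
                write_env(entry);
            }
        }
    }
    SYS_FREE(section);
    return 1;
}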
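/*
 * Hook for kernel32's CreateProcessInternalW: policy check before the host may
 * create a child process.
 *
 * The image to judge is lpApplicationName when it is longer than one character,
 * else the raw lpCommandLine (so in_whitelist / ProcessIsCUI then see
 * "path args...").  Decision order:
 *   1. 16-bit (WOW VDM) programs are refused with ERROR_INVALID_PARAMETER.
 *   2. SumatraPDF / java / jp2launcher (plugin hosts treated as unsafe) are
 *      started CREATE_SUSPENDED and get the protection DLL injected after
 *      creation; the static build cannot inject and starts them normally.
 *   3. With [General] EnableWhiteList > 0, any image not in the whitelist is
 *      refused (fail closed).
 *   4. Otherwise whitelisted images pass, console (CUI) programs are refused,
 *      everything else passes.
 * A refusal sets the last error and returns FALSE without calling the real API.
 *
 * Returns the real API's result, or FALSE on refusal.
 */
BOOL WINAPI HookCreateProcessInternalW(HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
                                       LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                       LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles,
                                       DWORD dwCreationFlags, LPVOID lpEnvironment,
                                       LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
                                       LPPROCESS_INFORMATION lpProcessInformation, PHANDLE hNewToken)
{
    BOOL ret = FALSE;
    BOOL tohook = FALSE;
    LPWSTR lpfile = lpCommandLine;

    if (lpApplicationName && wcslen(lpApplicationName) > 1) {
        lpfile = (LPWSTR)lpApplicationName;
    }
    /* No image name at all: the original went on to dereference NULL.  The real
     * API rejects this combination anyway, so refuse it here (fail closed). */
    if (lpfile == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return ret;
    }
    /* 16-bit (WOW VDM) programs are never started. */
    if (dwCreationFlags & (CREATE_SHARED_WOW_VDM | CREATE_SEPARATE_WOW_VDM)) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return ret;
    }
    if (stristrW(lpfile, L"SumatraPDF.exe") || stristrW(lpfile, L"java.exe") ||
        stristrW(lpfile, L"jp2launcher.exe")) {
        /* Unsafe plugin hosts: start suspended so InjectDll can attach.
         * Remote injection is not available in the static build. */
#if !defined(LIBPORTABLE_STATIC)
        dwCreationFlags |= CREATE_SUSPENDED;
        tohook = TRUE;
#endif
    } else if (read_appint(L"General", L"EnableWhiteList") > 0) {
        /* Strict mode: only whitelisted images may start. */
        if (!in_whitelist((LPCWSTR)lpfile)) {
#ifdef _LOGDEBUG
            logmsg("the process %ls disabled-runes\n", lpfile);
#endif
            SetLastError(TrueRtlNtStatusToDosError(STATUS_ERROR));
            return ret;
        }
    } else if (in_whitelist((LPCWSTR)lpfile)) {
        /* whitelisted: allowed */
    } else if (ProcessIsCUI(lpfile)) {
        /* Not whitelisted: console programs are blocked, GUI programs pass. */
#ifdef _LOGDEBUG
        logmsg("%ls process, disabled-runes\n", lpfile);
#endif
        SetLastError(TrueRtlNtStatusToDosError(STATUS_ERROR));
        return ret;
    }
    ret = TrueCreateProcessInternalW(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes,
                                     lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment,
                                     lpCurrentDirectory, lpStartupInfo, lpProcessInformation, hNewToken);
    if (ret && tohook) {
#ifdef _LOGDEBUG
        logmsg("InjectDll run .\n");
#endif
        InjectDll(lpProcessInformation);
    }
    return ret;
}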
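/*
 * Decide whether lpfile — an image path or a command line, optionally starting
 * with a double quote — is on the whitelist.
 *
 * On first use the static table is filled with this module's full path, the
 * well-known Mozilla helper executables resolved against this module's
 * directory, and the entries of the ini [whitelist] section (foreach_section).
 * Entries containing '*' or '?' are PathMatchSpecW patterns; entries without a
 * drive letter are made absolute in place with PathToCombineW; every entry is
 * then compared as a case-insensitive PREFIX of lpfile, so "C:\x\a.exe" also
 * accepts "C:\x\a.exe -args" (and "C:\x\a.exeX").
 *
 * Returns TRUE when any entry matches, FALSE otherwise (including lpfile == NULL).
 *
 * Change from the original: the match loop now always runs.  Previously the
 * return value of foreach_section() on the very first call decided whether the
 * table — including the built-in entries — was consulted at all, so a missing
 * or unreadable [whitelist] section made that first call accept any image.
 * NOTE: table initialisation is not synchronised; concurrent first calls race.
 */
BOOL WINAPI in_whitelist(LPCWSTR lpfile)
{
    static const WCHAR *moz_processes[] = {
        L"", L"plugin-container.exe", L"plugin-hang-ui.exe", L"webapprt-stub.exe",
        L"webapp-uninstaller.exe", L"WSEnable.exe", L"uninstall\\helper.exe",
        L"crashreporter.exe", L"CommandExecuteHandler.exe", L"maintenanceservice.exe",
        L"maintenanceservice_installer.exe", L"updater.exe"
    };
    static WCHAR white_list[EXCLUDE_NUM][VALUE_LEN + 1];
    const int builtin = (int)(sizeof(moz_processes) / sizeof(moz_processes[0]));
    LPCWSTR pname;
    int i;

    if (lpfile == NULL) {
        return FALSE;
    }
    pname = (lpfile[0] == L'"') ? &lpfile[1] : lpfile;

    /* Fill the table once; white_list[1] doubles as the "initialised" marker. */
    if (stristrW(white_list[1], L"plugin-container.exe") == NULL) {
        WCHAR base[VALUE_LEN + 1] = {0};
        GetModuleFileNameW(NULL, base, VALUE_LEN);
        /* white_list is static (zero-filled) and VALUE_LEN+1 wide, so the copy
         * stays NUL-terminated. */
        wcsncpy(white_list[0], base, VALUE_LEN);
        PathRemoveFileSpecW(base);
        for (i = 1; i < builtin; ++i) {
            _snwprintf(white_list[i], VALUE_LEN, L"%ls\\%ls", base, moz_processes[i]);
        }
        /* Remaining slots come from the ini; its result no longer gates matching. */
        (void)foreach_section(L"whitelist", &white_list[builtin], EXCLUDE_NUM - builtin);
    }

    for (i = 0; i < EXCLUDE_NUM; i++) {
        LPWSTR entry = white_list[i];
        if (wcslen(entry) == 0) {
            continue;
        }
        if (StrChrW(entry, L'*') || StrChrW(entry, L'?')) {
            if (PathMatchSpecW(pname, entry)) {
                return TRUE;
            }
        } else if (entry[1] != L':') {
            PathToCombineW(entry, VALUE_LEN);
        }
        if (_wcsnicmp(entry, pname, wcslen(entry)) == 0) {
            return TRUE;
        }
    }
    return FALSE;
}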
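/*
 * Hook for ntdll's NtCreateUserProcess: the same policy as
 * HookCreateProcessInternalW, applied to ProcessParameters->ImagePathName.
 *
 * Refused images are not failed directly: ProcessParameters is swapped for an
 * all-zero RTL_USER_PROCESS_PARAMETERS so the real call fails inside ntdll.
 * SumatraPDF / java / jp2launcher are created normally and then — only in
 * MSVC, non-tcmalloc, non-static builds — have their initial thread suspended
 * (TrueNtSuspendThread) and the protection DLL injected.
 *
 * Returns the NTSTATUS of the real call.
 *
 * Change from the original: a NULL ProcessParameters or an empty / NULL
 * ImagePathName was dereferenced on most paths; it is now treated as an image
 * that cannot be verified and is refused.
 * NOTE(review): ImagePathName.Buffer is a UNICODE_STRING buffer that the helpers
 * below treat as a NUL-terminated C string — confirm every caller provides one.
 */
NTSTATUS WINAPI HookNtCreateUserProcess(PHANDLE ProcessHandle, PHANDLE ThreadHandle,
                                        ACCESS_MASK ProcessDesiredAccess, ACCESS_MASK ThreadDesiredAccess,
                                        POBJECT_ATTRIBUTES ProcessObjectAttributes,
                                        POBJECT_ATTRIBUTES ThreadObjectAttributes,
                                        ULONG CreateProcessFlags, ULONG CreateThreadFlags,
                                        PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
                                        PVOID CreateInfo, PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList)
{
    RTL_USER_PROCESS_PARAMETERS blocked;
    NTSTATUS status;
    BOOL tohook = FALSE;
    LPCWSTR image = NULL;

    fzero(&blocked, sizeof(blocked));
    if (ProcessParameters != NULL && ProcessParameters->ImagePathName.Length > 0) {
        image = ProcessParameters->ImagePathName.Buffer;
    }

    if (image == NULL) {
        /* Nothing verifiable: fail closed. */
        ProcessParameters = &blocked;
    } else if (stristrW(image, L"SumatraPDF.exe") || stristrW(image, L"java.exe") ||
               stristrW(image, L"jp2launcher.exe")) {
        tohook = TRUE;
    } else if (read_appint(L"General", L"EnableWhiteList") > 0) {
        /* Strict mode: only whitelisted images may start. */
        if (in_whitelist(image)) {
#ifdef _LOGDEBUG
            logmsg("the process %ls in whitelist\n", image);
#endif
        } else {
#ifdef _LOGDEBUG
            logmsg("the process %ls disabled-runes\n", image);
#endif
            ProcessParameters = &blocked;
        }
    } else if (in_whitelist(image)) {
        /* whitelisted: allowed */
    } else if (!IsGUI(image)) {
        /* Not whitelisted: console programs are blocked, GUI programs pass. */
        ProcessParameters = &blocked;
    }

    status = TrueNtCreateUserProcess(ProcessHandle, ThreadHandle, ProcessDesiredAccess,
                                     ThreadDesiredAccess, ProcessObjectAttributes,
                                     ThreadObjectAttributes, CreateProcessFlags, CreateThreadFlags,
                                     ProcessParameters, CreateInfo, AttributeList);
    if (NT_SUCCESS(status) && tohook) {
        /* With tcmalloc enabled, or when built by MinGW, InjectDll crashes on
         * Windows 8/8.1; the static build cannot inject at all. */
#if !defined(ENABLE_TCMALLOC) && !defined(__GNUC__) && !defined(LIBPORTABLE_STATIC)
        PROCESS_INFORMATION pi;
        ULONG suspend_count = 0;
        fzero(&pi, sizeof(pi));
        pi.hProcess = *ProcessHandle;
        pi.hThread = *ThreadHandle;
        if (NT_SUCCESS(TrueNtSuspendThread(pi.hThread, &suspend_count))) {
#ifdef _LOGDEBUG
            logmsg("NtInjectDll() run .\n");
#endif
            InjectDll(&pi);
        }
#endif
    }
    return status;
}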
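/*
 * Thread entry: append the [Env] section of the portable ini to the process
 * environment.
 *
 * The variables must be added through the _wputenv of the CRT the host process
 * depends on (located by find_msvcrt), not our own CRT's, so that they land in
 * the environment block the host actually reads.  NpluginPath is resolved
 * relative to the portable directory and exported as MOZ_PLUGIN_PATH;
 * TmpDataPath is not exported; every other "KEY=VALUE" entry is exported
 * verbatim.
 *
 * pParam is unused.  Returns 0 when the CRT, the ini file, _wputenv or the work
 * buffer is unavailable; otherwise, as in the original, the last value of `ret`
 * (the section length, or the last _wputenv result — 0 on success, -1 on
 * failure, which this cast turns into UINT_MAX).
 */
unsigned WINAPI SetPluginPath(void *pParam)
{
    typedef int (__cdecl *_pwrite_env)(LPCWSTR envstring);
    int ret = 0;
    HMODULE hCrt = NULL;
    _pwrite_env write_env = NULL;
    char msvc_crt[CRT_LEN + 1] = {0};
    LPWSTR section = NULL;

    (void)pParam;
    if (!find_msvcrt(msvc_crt, CRT_LEN)) {
        return (unsigned)ret;
    }
    if ((hCrt = GetModuleHandleA(msvc_crt)) == NULL) {
        return (unsigned)ret;
    }
    /* A profile path without a drive letter has not been located yet. */
    if (profile_path[1] != L':' && !ini_ready(profile_path, MAX_PATH)) {
        return (unsigned)ret;
    }
    write_env = (_pwrite_env)GetProcAddress(hCrt, "_wputenv");
    if (write_env == NULL) {
        return (unsigned)ret;
    }
    /* GetPrivateProfileSectionW's size argument counts WCHARs.  The original
     * allocated SYS_MALLOC(MAX_ENV_SIZE) but advertised MAX_ENV_SIZE-1 WCHARs;
     * if SYS_MALLOC takes bytes that is half the promised capacity.  Sizing the
     * allocation in bytes explicitly is correct in either case. */
    section = (LPWSTR)SYS_MALLOC(MAX_ENV_SIZE * sizeof(WCHAR));
    if (section == NULL) {
        return (unsigned)ret;
    }
    ret = GetPrivateProfileSectionW(L"Env", section, MAX_ENV_SIZE - 1, profile_path);
    if (ret > 0) {
        /* The section is a sequence of NUL-terminated "KEY=VALUE" strings ending
         * with an empty string. */
        LPWSTR entry;
        for (entry = section; *entry != L'\0'; entry += wcslen(entry) + 1) {
            if (stristrW(entry, L"NpluginPath")) {
                WCHAR value[VALUE_LEN + 1] = {0};
                /* NOTE(review): sizeof(value) is a byte count, as in the original
                 * call; confirm read_appkey expects bytes rather than WCHARs. */
                if (read_appkey(L"Env", L"NpluginPath", value, sizeof(value))) {
                    WCHAR env_string[VALUE_LEN + 1] = {0};
                    PathToCombineW(value, VALUE_LEN);
                    /* _snwprintf returns -1 on truncation (MSVC): not exported then. */
                    if (_snwprintf(env_string, VALUE_LEN, L"%ls%ls", L"MOZ_PLUGIN_PATH=", value) > 0) {
                        ret = write_env((LPCWSTR)env_string);
                    }
                }
            } else if (stristrW(entry, L"TmpDataPath")) {
                /* TmpDataPath is deliberately not exported. */
            } else {
                ret = write_env((LPCWSTR)entry);
            }
        }
    }
    SYS_FREE(section);
    return (unsigned)ret;
}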