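//--------------------------------------------------------------------------
// Creates a new process from commandLine (started suspended) and loads the
// DLL at dllName into it before any of the child's own code has run.
//
// commandLine     - command line to run. CreateProcess is called with a NULL
//                   lpApplicationName, so this buffer must be writable (the
//                   API may modify it) and the executable path should be
//                   quoted if it contains spaces.
// dllName         - full path of the DLL to load into the child
// patchEntryPoint - nonzero: PatchEntryPoint() is used, otherwise InjectDLL()
//
// Returns 1 once the child has been resumed and its handles closed, 0 if the
// process could not be created at all. Note that 1 is also returned when the
// child was resumed WITHOUT the DLL (bitness mismatch or undetermined) -- the
// message box is the only indication, so callers that need to know whether
// the child is protected must not rely on the return value.
int CreateProcessWithDll(
      char *commandLine, 
      char *dllName, 
      bool patchEntryPoint)
{
	STARTUPINFO startupinfo;
	PROCESS_INFORMATION processinfo;

	ZeroMemory(&startupinfo, sizeof(startupinfo));
	startupinfo.cb = sizeof(startupinfo);
	ZeroMemory(&processinfo, sizeof(processinfo));

	// CREATE_SUSPENDED: the primary thread must not run until the DLL is in place
	if (!CreateProcess(NULL, commandLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &startupinfo, &processinfo))
	{
		// GetLastError() yields a DWORD; %d with it is a format/argument mismatch
		printf("Error creating process (%lu)\n", (unsigned long)GetLastError());
		return 0;
	}

	// IsWow64Process reports whether a process is a 32-bit process running
	// under WOW64. Equal answers for the guard and the child mean they have
	// the same bitness, which is the precondition for loading this DLL into
	// the child. Both results are initialized and both calls are checked so a
	// failed query never leaves them uninitialized; an unknown bitness is
	// treated like a mismatch (fail closed rather than inject blindly).
	BOOL parent64 = FALSE, child64 = FALSE;
	BOOL bitnessKnown = IsWow64Process(GetCurrentProcess(), &parent64)
	                 && IsWow64Process(processinfo.hProcess, &child64);
	if (!bitnessKnown || parent64 != child64) 
	{
		MessageBoxA(NULL, 
		    "Current version of ROPGuard cannot protect 64-bit processes.\n"
		    "The process will NOT be protected.", 
		    "ROPGuard", MB_OK);
	} 
	else 
	{
		// NOTE(review): neither helper's result is examined here; if the
		// injection fails the child is still resumed unprotected and 1 is
		// returned. Their return conventions are not visible in this file.
		if (patchEntryPoint) 
			PatchEntryPoint(processinfo.hProcess, processinfo.hThread, dllName);
		else 
			InjectDLL(processinfo.hProcess, dllName);
	}

	// resume normal execution; ResumeThread reports failure as (DWORD)-1
	if (ResumeThread(processinfo.hThread) == (DWORD)-1)
		printf("Error resuming process (%lu)\n", (unsigned long)GetLastError());

	// cleanup: handles only, the child keeps running
	CloseHandle(processinfo.hThread);
	CloseHandle(processinfo.hProcess);

	return 1;
}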
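// Creates a new process from commandLine (started suspended) and loads the
// DLL at dllName into it before any of the child's own code has run.
//
// commandLine     - command line to run. CreateProcess is called with a NULL
//                   lpApplicationName, so this buffer must be writable (the
//                   API may modify it) and the executable path should be
//                   quoted if it contains spaces.
// dllName         - full path of the DLL to load into the child
// patchEntryPoint - nonzero: PatchEntryPoint() is used, otherwise InjectDLL()
//
// Returns 1 once the child has been resumed and its handles closed, 0 if the
// process could not be created at all. 1 is also returned when the child was
// resumed WITHOUT the DLL (bitness mismatch or undetermined) -- that case is
// only visible in the log, so callers must not infer "protected" from 1.
int CreateNewGuardedProcess(char *commandLine, char *dllName, bool patchEntryPoint)
{
	STARTUPINFO startupinfo;
	PROCESS_INFORMATION processinfo;

	ZeroMemory(&startupinfo, sizeof(startupinfo));
	startupinfo.cb = sizeof(startupinfo);
	ZeroMemory(&processinfo, sizeof(processinfo));

	// CREATE_SUSPENDED: the primary thread must not run until the DLL is in place
	BOOL result = CreateProcess(
		NULL, commandLine, NULL, NULL, FALSE, CREATE_SUSPENDED, 
		NULL, NULL, &startupinfo, &processinfo);
	if(!result){
		char buf[1024];
		// GetLastError() yields a DWORD; %d with it is a format/argument mismatch
		wsprintf(buf, "Error: creating process (%lu)", (unsigned long)GetLastError());
		WriteLog(buf);
		return 0;
	}

	// IsWow64Process reports whether a process is a 32-bit process running
	// under WOW64. Equal answers for the guard and the child mean they have
	// the same bitness, which is the precondition for loading this DLL into
	// the child. Both results are initialized and both calls are checked so a
	// failed query never leaves them uninitialized; an unknown bitness is
	// treated like a mismatch (fail closed rather than inject blindly).
	BOOL parent64 = FALSE, child64 = FALSE;
	BOOL bitnessKnown = IsWow64Process(GetCurrentProcess(), &parent64)
	                 && IsWow64Process(processinfo.hProcess, &child64);
	if(!bitnessKnown || parent64 != child64){
		WriteLog("Error: Current version of ROPGuard cannot protect 64-bit processes");
	}else{
		// NOTE(review): neither helper's result is examined here; if the
		// injection fails the child is still resumed unprotected and 1 is
		// returned. Their return conventions are not visible in this file.
		if(patchEntryPoint){
			PatchEntryPoint(processinfo.hProcess, processinfo.hThread, dllName);
		}else{
			InjectDLL(processinfo.hProcess, dllName);
		}
	}

	// resume normal execution; ResumeThread reports failure as (DWORD)-1
	if(ResumeThread(processinfo.hThread) == (DWORD)-1){
		char buf[1024];
		wsprintf(buf, "Error: resuming process (%lu)", (unsigned long)GetLastError());
		WriteLog(buf);
	}

	// cleanup: handles only, the child keeps running
	CloseHandle(processinfo.hThread);
	CloseHandle(processinfo.hProcess);

	return 1;
}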
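// a function that will replace CreateProcessInternalW
// gets called whenever a process creates a child process
//
// The child is always created with CREATE_SUSPENDED added to the caller's
// flags so ropguard.dll can be loaded before the child's own code runs. If
// the caller did not ask for a suspended child, its primary thread is resumed
// before returning on every path, so the caller never observes the extra
// suspension; if the caller did ask for it, the child stays suspended as
// requested. The return value is always the one produced by the original
// CreateProcessInternalW: a child that could not be protected (bitness
// mismatch, DLL path unavailable) is still reported as created, with the
// failure only visible in the log.
//
// All parameters are passed through unchanged except dwCreationFlags (see
// above). lpProcessInformation is dereferenced after a successful call, as
// the original API requires it to be non-NULL.
DWORD WINAPI CreateProcessInternalGuarded(
	__in         DWORD unknown1,  // always (?) NULL
	__in_opt     LPCTSTR lpApplicationName,
	__inout_opt  LPTSTR lpCommandLine,
	__in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
	__in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
	__in         BOOL bInheritHandles,
	__in         DWORD dwCreationFlags,
	__in_opt     LPVOID lpEnvironment,
	__in_opt     LPCTSTR lpCurrentDirectory,
	__in         LPSTARTUPINFO lpStartupInfo,
	__out        LPPROCESS_INFORMATION lpProcessInformation,
	__in         DWORD unknown2   // always (?) NULL
)
{
	DWORD ret;
	DWORD newCreationFlags;
	// the caller's own CREATE_SUSPENDED request decides whether we resume
	const BOOL callerWantsSuspended = (dwCreationFlags & CREATE_SUSPENDED) != 0;

	// start new process in suspended state to inject dll into it
	newCreationFlags = dwCreationFlags | CREATE_SUSPENDED;

	ret = (*CreateProcessInternalOriginal)(
		unknown1,
		lpApplicationName,
		lpCommandLine,
		lpProcessAttributes,
		lpThreadAttributes,
		bInheritHandles,
		newCreationFlags,
		lpEnvironment,
		lpCurrentDirectory,
		lpStartupInfo,
		lpProcessInformation,
		unknown2);
	if(!ret)
		return ret;

	// IsWow64Process answers "is this a 32-bit process under WOW64?"; equal
	// answers mean the child has the same bitness as this guard. Results are
	// initialized and both calls checked: a failed query is treated like a
	// mismatch instead of loading the DLL into a process of unknown bitness.
	BOOL parent64 = FALSE, child64 = FALSE;
	BOOL bitnessKnown = IsWow64Process(GetCurrentProcess(), &parent64)
	                 && IsWow64Process(lpProcessInformation->hProcess, &child64);
	if(!bitnessKnown || parent64 != child64){
		WriteLog("Error: Current version of ROPGuard cannot protect 64-bit processes");
		if(!callerWantsSuspended)
			ResumeThread(lpProcessInformation->hThread);
		return ret;
	}

	// get the path of the ropguard dll
	char dllpath[2048];
	DWORD pathLen = 0;
	HMODULE dllhandle = GetModuleHandle("ropguard.dll");
	if(dllhandle)
		pathLen = GetModuleFileName(dllhandle, dllpath, sizeof(dllpath) - 256);
	// GetModuleFileName returns 0 on failure and the given size when the path
	// was cut off; a truncated path must never be injected, so both are errors
	if(!dllhandle || pathLen == 0 || pathLen >= sizeof(dllpath) - 256){
		WriteLog("Error: could not obtain ropguard.dll path");
		if(!callerWantsSuspended)
			ResumeThread(lpProcessInformation->hThread);
		return ret;
	}

	// inject ropguard dll into the newly created process (both branches log
	// the same line, so it is done once; dwProcessId is a DWORD, hence %lu)
	char buf[1024];
	wsprintf(buf, "Log: create process PID: %lu", (unsigned long)lpProcessInformation->dwProcessId);
	WriteLog(buf);
	if(!callerWantsSuspended){
		// we resume the child ourselves below, so PatchEntryPoint is used
		PatchEntryPoint(lpProcessInformation->hProcess, lpProcessInformation->hThread, dllpath);
	}else{
		// the caller keeps the child suspended, so InjectDLL is used instead
		// (why the two helpers are split this way is decided in the helpers,
		// which are not part of this file)
		InjectDLL(lpProcessInformation->hProcess, dllpath);
	}

	// resume process if necessary
	if(!callerWantsSuspended)
		ResumeThread(lpProcessInformation->hThread);

	return ret;
}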
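//--------------------------------------------------------------------------
// a function that will replace CreateProcessInternalW
// gets called whenever a process creates a child process
//
// The child is always created with CREATE_SUSPENDED added to the caller's
// flags so ropguarddll.dll can be loaded before the child's own code runs. If
// the caller did not ask for a suspended child, its primary thread is resumed
// before returning on every path, so the caller never observes the extra
// suspension; if the caller did ask for it, the child stays suspended as
// requested. The return value is always the one produced by the original
// CreateProcessInternalW: a child that could not be protected (bitness
// mismatch, DLL path unavailable) is still reported as created; only the DLL
// path failure is announced (via a message box).
//
// All parameters are passed through unchanged except dwCreationFlags (see
// above). lpProcessInformation is dereferenced after a successful call, as
// the original API requires it to be non-NULL.
DWORD WINAPI CreateProcessInternalGuarded(
  __in         DWORD unknown1,                              // always (?) NULL
  __in_opt     LPCTSTR lpApplicationName,
  __inout_opt  LPTSTR lpCommandLine,
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation,
  __in         DWORD unknown2                               // always (?) NULL
)
{
	DWORD ret;
	DWORD newCreationFlags;
	// the caller's own CREATE_SUSPENDED request decides whether we resume
	const BOOL callerWantsSuspended = (dwCreationFlags & CREATE_SUSPENDED) != 0;

	//start new process in suspended state to inject dll into it
	newCreationFlags = dwCreationFlags | CREATE_SUSPENDED;

	ret = (*CreateProcessInternalOriginal)(unknown1,
		lpApplicationName,
		lpCommandLine,
		lpProcessAttributes,
		lpThreadAttributes,
		bInheritHandles,
		newCreationFlags,
		lpEnvironment,
		lpCurrentDirectory,
		lpStartupInfo,
		lpProcessInformation,
		unknown2);

	if(!ret) 
		return ret;

	// IsWow64Process answers "is this a 32-bit process under WOW64?"; equal
	// answers mean the child has the same bitness as this guard. Results are
	// initialized and both calls checked: a failed query is treated like a
	// mismatch instead of loading the DLL into a process of unknown bitness.
	BOOL parent64 = FALSE, child64 = FALSE;
	BOOL bitnessKnown = IsWow64Process(GetCurrentProcess(), &parent64)
	                 && IsWow64Process(lpProcessInformation->hProcess, &child64);
	if (!bitnessKnown || parent64 != child64) 
	{
		// unsupported child: hand it back unprotected, resumed only if the
		// caller did not ask for a suspended process
		if(!callerWantsSuspended) 
			ResumeThread(lpProcessInformation->hThread);
		return ret;
	}

	//get the path of the ropguard dll
	char dllpath[1000];
	DWORD pathLen = 0;
	HMODULE dllhandle = GetModuleHandle("ropguarddll.dll");
	if(dllhandle)
		pathLen = GetModuleFileName(dllhandle, dllpath, _countof(dllpath) - 1);
	// GetModuleFileName returns 0 on failure and the given size when the path
	// was cut off; a truncated path must never be injected, so both are errors
	if((!dllhandle) || pathLen == 0 || pathLen >= _countof(dllpath) - 1) 
	{
		MessageBoxA(NULL, "Warning: could not obtain ropguarddll path", "ROPGuard", MB_OK);
		if(!callerWantsSuspended) 
			ResumeThread(lpProcessInformation->hThread);
		return ret;
	}

	// inject ropguard dll into the newly created process: PatchEntryPoint
	// only when we resume the child ourselves AND the waitEntryPoint setting
	// is on, InjectDLL otherwise (the helpers, not shown here, decide why)
	if (!callerWantsSuspended && GetROPSettings()->waitEntryPoint) 
	{
		PatchEntryPoint(lpProcessInformation->hProcess, lpProcessInformation->hThread, dllpath);
	} 
	else 
	{
		InjectDLL(lpProcessInformation->hProcess, dllpath);
	}

	//resume process if necessary
	if(!callerWantsSuspended) 
		ResumeThread(lpProcessInformation->hThread);

	return ret;
}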