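/* True when argv[1] is present and is exactly `opt` (no prefix matching). */
static int opt_is(int argc, char **argv, const char *opt)
{
	return argc >= 2 && strcmp(argv[1], opt) == 0;
}

/*
 * Process entry point for command-line use of the service executable.
 *
 * argv[1] selects one maintenance / test action and the process exits
 * after performing it.  Options are matched exactly (strcmp) rather than
 * by prefix, so a mistyped or unexpected spelling such as "--testGUIx"
 * or "--quarantin" is no longer accepted as a known option.  With no
 * recognised option the process registers ServiceMain with the Service
 * Control Manager and returns once the service has stopped.
 *
 * Returns EXIT_SUCCESS or EXIT_FAILURE; "--testGUI" additionally keeps
 * its historical -1 / -2 codes for the two WOW64 redirection failures.
 */
int main(int argc, char **argv)
{
	int ret = 0;
	struct a6o_report report = {0};   /* only referenced by the disabled quarantine path */
	PVOID OldValue = NULL;            /* WOW64 redirection state, "--testGUI" only */

	if (opt_is(argc, argv, "--conf")) {
		// TODO :: https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms724072%28v=vs.85%29.aspx
		//conf_poc_windows( );
		return 0;
	}

	// Only for test purposes (command line)
	if (opt_is(argc, argv, "--disable_rt")) {
		//disable_onaccess( );
		return EXIT_SUCCESS;
	}

	// Only for test purposes (command line): emit one notification per level.
	if (opt_is(argc, argv, "--notify")) {
		a6o_notify_set_handler((a6o_notify_handler_t)send_notif);
		a6o_notify(NOTIF_INFO, "Service started!");
		a6o_notify(NOTIF_WARNING, "Malware detected :: [%s]", "TrojanFake");
		a6o_notify(NOTIF_ERROR, "An error occured during scan !!");
		return EXIT_SUCCESS;
	}

	// Only for test purposes (command line) complete test = GUI + driver.
	if (opt_is(argc, argv, "--testGUI")) {
		DisplayBanner();
		a6o_notify_set_handler((a6o_notify_handler_t)send_notif);
		// WOW64 file-system redirection is switched off for this thread for
		// the duration of the test; abort if that is not possible.
		if (Wow64DisableWow64FsRedirection(&OldValue) == FALSE) {
			return -1;
		}
		/* (FD) added to get all log messages */
		a6o_log_set_handler(ARMADITO_LOG_LEVEL_DEBUG, a6o_log_default_handler, NULL);
		ret = LaunchCmdLineService(GUI_ONLY);
		if (Wow64RevertWow64FsRedirection(OldValue) == FALSE) {
			// Failure to re-enable redirection should be considered
			// a critical failure and execution aborted.
			return -2;
		}
		return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
	}

	// Only for test purposes (command line) complete test = GUI + driver.
	if (opt_is(argc, argv, "--test")) {
		DisplayBanner();
		a6o_notify_set_handler((a6o_notify_handler_t)send_notif);
		ret = LaunchCmdLineService(SVC_MODE);
		return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
	}

	// Only for test purposes (command line)
	if (opt_is(argc, argv, "--register")) {
#if 0
		ret = register_av( );
		if (ret < 0) {
			return EXIT_FAILURE;
		}
#endif
		return EXIT_SUCCESS;
	}

	// Only for test purposes (command line)
	if (opt_is(argc, argv, "--crypt")) {
#if 0
		if (argv[2] == NULL) {
			printf("[-] Error :: --crypt option :: missing parameter [filename]\n");
			return EXIT_FAILURE;
		}
		ret = verify_file_signature(argv[2], SIGNATURE_FILE);
		if (ret < 0) {
			return EXIT_FAILURE;
		}
#endif
		return EXIT_SUCCESS;
	}

	// Only for test purposes (command line).
	// "--quarantine <file>" moves the file; bare "--quarantine" enumerates.
	if (opt_is(argc, argv, "--quarantine")) {
#if 0
		ret = argc >= 3 ? MoveFileInQuarantine(argv[2], report) : EnumQuarantine();
		if (ret < 0) {
			return EXIT_FAILURE;
		}
#endif
		return EXIT_SUCCESS;
	}

	// "--restore <file>" hands the file to RestoreFileFromQuarantine(); the
	// bare form keeps the original ui_restore_quarantine_file() call.  The
	// original tested the bare form first, which made the two-argument
	// form unreachable; the argc >= 3 case is now decided explicitly.
	if (opt_is(argc, argv, "--restore")) {
#if 0
		ret = argc >= 3 ? RestoreFileFromQuarantine(argv[2]) : ui_restore_quarantine_file(argv[1]);
		if (ret < 0) {
			return EXIT_FAILURE;
		}
#endif
		return EXIT_SUCCESS;
	}

	if (opt_is(argc, argv, "--updatedb")) {
		DisplayBanner();
		update_modules_db(NULL);
		return EXIT_SUCCESS;
	}

	if (opt_is(argc, argv, "--info")) {
		return get_av_info() < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
	}

	// "--installboot": install the service with automatic start at boot.
	if (opt_is(argc, argv, "--installboot")) {
		DisplayBanner();
		ret = ServiceInstall(SERVICE_AUTO_START);
		return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
	}

	// command line parameter "--install", install the service (demand start).
	if (opt_is(argc, argv, "--install")) {
		DisplayBanner();
		ret = ServiceInstall(SERVICE_DEMAND_START);
		return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
	}

	// command line parameter "--uninstall", uninstall the service.
	// The result was previously discarded; a negative return is now
	// reported the same way the install paths report theirs.
	if (opt_is(argc, argv, "--uninstall")) {
		DisplayBanner();
		ret = ServiceRemove();
		return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
	}

	// Service control shortcuts; their results are not checked (as before).
	if (opt_is(argc, argv, "--stop")) {
		ServiceStop();
		return EXIT_SUCCESS;
	}
	if (opt_is(argc, argv, "--start")) {
		ServiceLaunch();
		return EXIT_SUCCESS;
	}
	if (opt_is(argc, argv, "--pause")) {
		ServicePause();
		return EXIT_SUCCESS;
	}
	if (opt_is(argc, argv, "--continue")) {
		ServiceContinue();
		return EXIT_SUCCESS;
	}

	// No option: run as a Windows service.
	//ServiceLaunchAction( ); // put this part in ServiceLaunchAction function.
	SERVICE_TABLE_ENTRY DispatchTable[] = {
		{ SVCNAME, (LPSERVICE_MAIN_FUNCTION)ServiceMain },
		{ NULL, NULL }
	};

	// This call returns when the service has stopped.  A failure here (e.g.
	// the binary was started from a console rather than by the SCM) used to
	// exit with success; it is now reported as a failure.
	if (!StartServiceCtrlDispatcher(DispatchTable)) {
		//SvcReportEvent(TEXT("StartServiceCtrlDispatcher"));
		//printf("[i] StartServiceCtrlDispatcher :: %d\n",GetLastError());
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}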
/* ---------------
 * Service entry point.
 *
 * One procedure must cover three situations, chosen from the SCM state
 * rather than from the command line:
 *   1. Install - OpenService() fails (service not registered) and the
 *                user procedure ServiceStart() agrees, or the service
 *                exists but is not in SERVICE_START_PENDING;
 *   2. Start   - the service is SERVICE_START_PENDING, i.e. the SCM
 *                launched this process: hand ServiceMain to the
 *                dispatcher;
 *   3. Remove  - CreateService() fails with ERROR_SERVICE_EXISTS: stop
 *                the service, ask ServiceRemove(), then DeleteService().
 *
 * Works entirely on file-scope globals (ServicesDatabase, ServiceHandle,
 * ServiceStatusTable, ServiceTable, FileName, OsVer, ServiceDesc).  All
 * outcomes are reported through RaiseError()/RaiseInformation(); the
 * return value is always 0.  The four WinMain parameters are unused.
 */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	ServicesDatabase = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
	if(!ServicesDatabase) {
		RaiseError(ErrServiceDBMsg);
		return(0);
	}

	/* Check if the service is in starting state */
	/* NOTE(review): SERVICE_ALL_ACCESS is more than QueryServiceStatus()
	 * needs here; SERVICE_QUERY_STATUS would be the least-privilege request
	 * for this first open - confirm nothing else relies on the wider right. */
	ServiceHandle = OpenService(ServicesDatabase, ServiceName, SERVICE_ALL_ACCESS);
	if(!ServiceHandle) {
		/* Call user procedure */
		if(ServiceStart()) goto InstallProceed;
		CloseServiceHandle(ServicesDatabase);
		return(0);
	}

	if(QueryServiceStatus(ServiceHandle, &ServiceStatusTable)) {
		/* Feed service manager with our thread if starting state */
		if(ServiceStatusTable.dwCurrentState == SERVICE_START_PENDING) {
			CloseServiceHandle(ServiceHandle);
			CloseServiceHandle(ServicesDatabase);
			ServiceTable[0].lpServiceName = ServiceName;
			ServiceTable[0].lpServiceProc = &ServiceMain;
			/* Returns only when the service has stopped. */
			if(!StartServiceCtrlDispatcher(&ServiceTable[0])) RaiseError(ErrStartMsg);
			return(0);
		}
	}
	CloseServiceHandle(ServiceHandle);

InstallProceed:
	/* NOTE(review): the return value is not checked, so a path longer than
	 * MAX_PATH would be silently truncated and registered as-is. */
	GetModuleFileName(0, FileName, MAX_PATH);

	/* Try to install */
	/* NOTE(review): FileName is registered unquoted as lpBinaryPathName.
	 * If the executable path can contain spaces, the SCM may resolve it to
	 * a different binary (unquoted service path); quote it before the call
	 * unless the install location is guaranteed space-free - confirm. */
	ServiceHandle = CreateService(ServicesDatabase, ServiceName, ServiceName, SERVICE_ALL_ACCESS, ServiceTypeFlag, ServiceStartFlag, SERVICE_ERROR_NORMAL, FileName, NULL, NULL, NULL, NULL, NULL);
	if(ServiceHandle) {
		OsVer.dwOSVersionInfoSize = sizeof(OsVer);
		if(GetVersionEx(&OsVer) != 0) {
			if(OsVer.dwMajorVersion >= 5) {
				// Add a description if OS >= Win2k
				if(OsVer.dwPlatformId == VER_PLATFORM_WIN32_NT) {
					ServiceDesc.lpDescription = ServiceDescription;
					/* Result intentionally not checked: a missing
					 * description is cosmetic. */
					ChangeServiceConfig2(ServiceHandle, SERVICE_CONFIG_DESCRIPTION, &ServiceDesc);
				}
			}
		}
		/* NOTE(review): StartService() failure is not reported; the user
		 * still sees ServiceInstalledMsg. */
		if(ServiceStartRightNow) StartService(ServiceHandle, 0, 0);
		CloseServiceHandle(ServiceHandle);
		CloseServiceHandle(ServicesDatabase);
		RaiseInformation(ServiceInstalledMsg);
		return(0);
	}

	/* GetLastError() is read directly after the failed CreateService();
	 * anything but "already exists" is a genuine install failure. */
	if(GetLastError() != ERROR_SERVICE_EXISTS) {
		CloseServiceHandle(ServicesDatabase);
		RaiseError(ErrCreateServiceMsg);
		return(0);
	}

	/* Perform removal */
	ServiceHandle = OpenService(ServicesDatabase, ServiceName, SERVICE_ALL_ACCESS | DELETE);
	if(!ServiceHandle) {
		CloseServiceHandle(ServicesDatabase);
		RaiseError(ErrOpenServiceMsg);
		return(0);
	}

	/* NOTE(review): the return value is ignored, so on failure
	 * dwCurrentState below is whatever ServiceStatusTable held before
	 * (possibly never written in this call) - check the result. */
	QueryServiceStatus(ServiceHandle, &ServiceStatusTable);
	if(ServiceStatusTable.dwCurrentState != SERVICE_STOPPED) {
		/* Fixed 500 ms grace period; this does not confirm that the
		 * service actually reached SERVICE_STOPPED before deletion. */
		ControlService(ServiceHandle, SERVICE_CONTROL_STOP, &ServiceStatusTable);
		Sleep(500);
	}

	/* Call user procedure */
	if(!ServiceRemove()) {
		CloseServiceHandle(ServiceHandle);
		CloseServiceHandle(ServicesDatabase);
		return(0);
	}

	if(DeleteService(ServiceHandle)) {
		CloseServiceHandle(ServiceHandle);
		CloseServiceHandle(ServicesDatabase);
		RaiseInformation(ServiceRemovedMsg);
		return(0);
	}

	CloseServiceHandle(ServiceHandle);
	CloseServiceHandle(ServicesDatabase);
	RaiseError(ErrRemoveServiceMsg);
	return(0);
}