static
RU32
uninstallService
(
)
{
RU32 res = (RU32)-1;
RNCHAR svcUnload[] = { _SERVICE_UNLOAD };
RNCHAR svcPath[] = { _SERVICE_FILE };
if( 0 != system( svcUnload ) )
{
rpal_debug_warning( "failed to unload service, already unloaded?" );
}
if( !rpal_file_delete( svcPath, FALSE ) )
{
rpal_debug_warning( "failed to delete file from disk, not present?" );
}
else
{
rpal_debug_info( "uninstalled successfully" );
res = 0;
}
return res;
}
static RVOID
relaunchInPermanentLocation
(
)
{
RPWCHAR bootstrapLocations[] = { _WCH( "%SYSTEMDRIVE%\\$Recycle.Bin\\MALWARE_DEMO_WINDOWS_1.exe" ),
_WCH( "%SYSTEMDRIVE%\\RECYCLER\\MALWARE_DEMO_WINDOWS_1.exe" ),
_WCH( "%windir%\\system32\\tasks\\MALWARE_DEMO_WINDOWS_1.exe" ),
_WCH( "%USERPROFILE%\\MALWARE_DEMO_WINDOWS_1.exe" ) };
RU32 i = 0;
STARTUPINFOW startupInfo = {0};
PROCESS_INFORMATION procInfo = {0};
RPWCHAR expandedPath = NULL;
for( i = 0; i < ARRAY_N_ELEM( bootstrapLocations ); i++ )
{
rpal_debug_info( "trying to move to bootstrap location %d...", i );
rpal_file_delete( bootstrapLocations[ i ], FALSE );
if( rpal_file_move( g_self_path, bootstrapLocations[ i ] ) )
{
rpal_debug_info( "successfully moved to bootstrap location!" );
rpal_debug_info( "launching in new location (%ls)...", bootstrapLocations[ i ] );
if( rpal_string_expand( bootstrapLocations[ i ], &expandedPath ) &&
0 != CreateProcessW( expandedPath,
NULL,
NULL,
NULL,
FALSE,
CREATE_NO_WINDOW,
NULL,
NULL,
&startupInfo,
&procInfo ) )
{
rpal_debug_info( "successfully launched from new location." );
}
else
{
rpal_debug_error( "error launching from permanent location: %d.", GetLastError() );
}
if( NULL != expandedPath )
{
rpal_memory_free( expandedPath );
}
break;
}
else
{
rpal_debug_warning( "could not move to new bootstrap location, may not have permission..." );
}
}
}
static
RBOOL
getStoreConf
(
)
{
RBOOL isSuccess = FALSE;
RPU8 storeFile = NULL;
RU32 storeFileSize = 0;
rpHCPIdentStore* storeV2 = NULL;
OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_IDENT_STORE );
OBFUSCATIONLIB_TOGGLE( store );
if( rpal_file_read( (RPNCHAR)store, (RPVOID)&storeFile, &storeFileSize, FALSE ) )
{
if( sizeof( rpHCPIdentStore ) <= storeFileSize )
{
storeV2 = (rpHCPIdentStore*)storeFile;
if( storeV2->enrollmentTokenSize == storeFileSize - sizeof( rpHCPIdentStore ) )
{
isSuccess = TRUE;
rpal_debug_info( "ident store found" );
if( NULL != ( g_hcpContext.enrollmentToken = rpal_memory_alloc( storeV2->enrollmentTokenSize ) ) )
{
rpal_memory_memcpy( g_hcpContext.enrollmentToken, storeV2->enrollmentToken, storeV2->enrollmentTokenSize );
g_hcpContext.enrollmentTokenSize = storeV2->enrollmentTokenSize;
}
g_hcpContext.currentId = storeV2->agentId;
}
else
{
rpal_debug_warning( "inconsistent ident store, reseting" );
rpal_file_delete( (RPNCHAR)store, FALSE );
}
}
rpal_memory_free( storeFile );
}
OBFUSCATIONLIB_TOGGLE( store );
// Set some always-correct defaults
g_hcpContext.currentId.id.platformId = RP_HCP_ID_MAKE_PLATFORM( RP_HCP_PLATFORM_CURRENT_CPU, RP_HCP_PLATFORM_CURRENT_MAJOR, RP_HCP_PLATFORM_CURRENT_MINOR );
return isSuccess;
}
static
BOOL
ctrlHandler
(
DWORD type
)
{
OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_CRASH_STORE );
UNREFERENCED_PARAMETER( type );
if( CTRL_SHUTDOWN_EVENT == type )
{
// This is an emergency shutdown.
// Trying to do this cleanly is pointless since Windows
// will kill us very shortly, so let's just clean up
// the CC so we don't report a pointless "crash".
OBFUSCATIONLIB_TOGGLE( store );
rpal_file_delete( (RPWCHAR)store, FALSE );
OBFUSCATIONLIB_TOGGLE( store );
}
// Pass the signal along
return FALSE;
}
RPRIVATE_TESTABLE
RBOOL
upgradeHcp
(
rSequence seq
)
{
RBOOL isSuccess = FALSE;
RPU8 tmpBuff = NULL;
RU32 tmpSize = 0;
RPU8 tmpSig = NULL;
RU32 tmpSigSize = 0;
RPNCHAR currentModulePath = NULL;
RPNCHAR backupPath = NULL;
if( NULL != seq )
{
if( rSequence_getBUFFER( seq,
RP_TAGS_BINARY,
&tmpBuff,
&tmpSize ) &&
rSequence_getBUFFER( seq,
RP_TAGS_SIGNATURE,
&tmpSig,
&tmpSigSize ) &&
CRYPTOLIB_SIGNATURE_SIZE == tmpSigSize )
{
// We got the data, now verify the buffer signature
if( CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) )
{
if( NULL != ( currentModulePath = processLib_getCurrentModulePath() ) )
{
if( NULL != ( backupPath = rpal_string_strdup( currentModulePath ) ) &&
NULL != ( backupPath = rpal_string_strcatEx( backupPath, _NC( ".old" ) ) ) )
{
rpal_file_delete( backupPath, FALSE );
if( rpal_file_move( currentModulePath, backupPath ) )
{
if( rpal_file_write( currentModulePath, tmpBuff, tmpSize, TRUE ) )
{
rpal_debug_info( "hcp was successfully updated" );
isSuccess = TRUE;
}
else
{
rpal_debug_warning( "failed to write new hcp to disk" );
if( !rpal_file_move( backupPath, currentModulePath ) )
{
rpal_debug_warning( "old hcp was reverted" );
}
else
{
rpal_debug_error( "could not revert old hcp" );
}
}
}
else
{
rpal_debug_warning( "failed to move hcp to backup location" );
}
rpal_memory_free( backupPath );
}
rpal_memory_free( currentModulePath );
}
else
{
rpal_debug_error( "failed to get current module path" );
}
}
else
{
rpal_debug_warning( "New HCP binary signature is invalid." );
}
}
else
{
rpal_debug_warning( "Upgrade command missing or invalid component." );
}
}
return isSuccess;
}
static
RU32
uninstallService
(
)
{
RWCHAR destPath[] = _WCH( "%SYSTEMROOT%\\system32\\rphcp.exe" );
SC_HANDLE hScm = NULL;
SC_HANDLE hSvc = NULL;
RWCHAR svcName[] = { _SERVICE_NAMEW };
SERVICE_STATUS svcStatus = { 0 };
RU32 nRetries = 10;
rpal_debug_info( "uninstalling service" );
if( NULL != ( hScm = OpenSCManagerA( NULL, NULL, SC_MANAGER_ALL_ACCESS ) ) )
{
if( NULL != ( hSvc = OpenServiceW( hScm, svcName, SERVICE_STOP | SERVICE_QUERY_STATUS | DELETE ) ) )
{
if( ControlService( hSvc, SERVICE_CONTROL_STOP, &svcStatus ) )
{
while( SERVICE_STOPPED != svcStatus.dwCurrentState &&
0 != nRetries )
{
rpal_debug_error( "waiting for service to stop..." );
rpal_thread_sleep( 1000 );
if( !QueryServiceStatus( hSvc, &svcStatus ) )
{
break;
}
nRetries--;
}
if( 0 == nRetries )
{
rpal_debug_error( "timed out waiting for service to stop, moving on..." );
}
else
{
rpal_debug_info( "service stopped" );
}
}
else
{
rpal_debug_error( "could not stop service: %d", GetLastError() );
}
if( DeleteService( hSvc ) )
{
rpal_debug_info( "service deleted" );
}
else
{
rpal_debug_error( "could not delete service: %d", GetLastError() );
}
CloseServiceHandle( hSvc );
}
else
{
rpal_debug_error( "could not open service: %d", GetLastError() );
}
CloseServiceHandle( hScm );
}
else
{
rpal_debug_error( "could not open SCM: %d", GetLastError() );
}
rpal_thread_sleep( MSEC_FROM_SEC( 1 ) );
if( rpal_file_delete( destPath, FALSE ) )
{
rpal_debug_info( "service executable deleted" );
}
else
{
rpal_debug_error( "could not delete service executable: %d", GetLastError() );
}
return GetLastError();
}
