//-------------------------------------------------------------------------- // main program int _tmain(int argc, _TCHAR* argv[]) { if (argc<2) { PrintUsage(); return 0; } // get the full path of ropguarddll.dll char dllpath[1000]; char *filename; if (!GetModuleFileName(NULL, dllpath, 980)) { printf("Error: could not obtain current executable path\n"); return 0; } filename = strrchr(dllpath,'\\'); if(!filename) { printf("Error: could not obtain current executable path\n"); return 0; } filename++; strcpy(filename, "ropsettings.txt"); ropSettings = new ROPSettings(); ReadROPSettings(dllpath); strcpy(filename, "ropguarddll.dll"); //if the first argument is a number it's considered to be a PID if (IsNumeric(argv[1])) { //protect existing process GuardExistingProcess(atol(argv[1]), dllpath); } else { // create new protected process if (GetROPSettings()->waitEntryPoint) { CreateProcessWithDll(argv[1], dllpath, true); } else { CreateProcessWithDll(argv[1], dllpath, false); } } return 0; }
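//--------------------------------------------------------------------------
// Resumes the child's main thread unless the caller itself asked for a
// suspended child, in which case the caller owns the resume.
// ResumeThread's return value (-1 on failure) is not checked, as before.
static void ResumeChildIfNeeded(BOOL callerWantsSuspended, HANDLE hThread)
{
    if (!callerWantsSuspended) {
        ResumeThread(hThread);
    }
}

//--------------------------------------------------------------------------
// a function that will replace CreateProcessInternalW
// gets called whenever a process creates a child process
//
// CreateProcessInternalW is undocumented; the two extra parameters are passed
// through untouched (the original author observed them as NULL - unverified).
// The child is always created with CREATE_SUSPENDED added so ropguarddll.dll
// can be placed into it before any of its own code runs.  If the caller did
// not ask for a suspended child its main thread is resumed before returning,
// so the caller observes the semantics it requested.
//
// NOTE(review): this hook fails open.  When the child cannot be protected
// (bitness mismatch, or the ropguarddll.dll path cannot be found) it is still
// resumed and runs without ROPGuard; only the path-lookup case shows a
// warning.  Whether PatchEntryPoint/InjectDLL can report failure is not
// visible here - confirm and consider surfacing it.
//
// Returns the original CreateProcessInternalW's result unchanged.
DWORD WINAPI CreateProcessInternalGuarded(
    __in DWORD unknown1,               // always (?) NULL
    __in_opt LPCTSTR lpApplicationName,
    __inout_opt LPTSTR lpCommandLine,
    __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
    __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
    __in BOOL bInheritHandles,
    __in DWORD dwCreationFlags,
    __in_opt LPVOID lpEnvironment,
    __in_opt LPCTSTR lpCurrentDirectory,
    __in LPSTARTUPINFO lpStartupInfo,
    __out LPPROCESS_INFORMATION lpProcessInformation,
    __in DWORD unknown2                // always (?) NULL
)
{
    // Remember the caller's own wish separately from what we pass down.
    const BOOL callerWantsSuspended = (dwCreationFlags & CREATE_SUSPENDED) != 0;

    DWORD ret = (*CreateProcessInternalOriginal)(unknown1, lpApplicationName,
        lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
        dwCreationFlags | CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory,
        lpStartupInfo, lpProcessInformation, unknown2);
    if (!ret) {
        return ret;
    }

    HANDLE hProcess = lpProcessInformation->hProcess;
    HANDLE hThread = lpProcessInformation->hThread;

    // Refuse to inject across a bitness boundary: the DLL loaded in this
    // process cannot be loaded into a process of the other bitness.  The
    // flags are initialised and both calls are checked; the original compared
    // two uninitialised BOOLs whenever IsWow64Process failed, so an
    // undeterminable bitness now counts as a mismatch (no injection).
    BOOL parentIsWow64 = FALSE;
    BOOL childIsWow64 = FALSE;
    if (!IsWow64Process(GetCurrentProcess(), &parentIsWow64) ||
        !IsWow64Process(hProcess, &childIsWow64) ||
        parentIsWow64 != childIsWow64) {
        // This version of ROPGuard cannot protect 64-bit processes; the child
        // is left unprotected.
        ResumeChildIfNeeded(callerWantsSuspended, hThread);
        return ret;
    }

    // Find ropguarddll.dll through the copy already loaded in this (parent)
    // process, so the child receives the same file that protects us.
    char dllpath[1000];
    HMODULE selfModule = GetModuleHandle("ropguarddll.dll");
    DWORD len = selfModule ? GetModuleFileName(selfModule, dllpath, (DWORD)sizeof(dllpath)) : 0;
    // 0 = failure; len == buffer size = truncated path, which must not be used.
    if (len == 0 || len >= sizeof(dllpath)) {
        // NOTE(review): MessageBoxA blocks the creating thread of whatever
        // process this hook is loaded into; in a non-interactive process this
        // can stall process creation indefinitely.  Kept for compatibility.
        MessageBoxA(NULL, "Warning: could not obtain ropguarddll path", "ROPGuard", MB_OK);
        ResumeChildIfNeeded(callerWantsSuspended, hThread);
        return ret;
    }

    // Entry-point patching is used only when the child will run immediately;
    // a caller that asked for CREATE_SUSPENDED gets InjectDLL instead.
    if (!callerWantsSuspended && GetROPSettings()->waitEntryPoint) {
        PatchEntryPoint(hProcess, hThread, dllpath);
    } else {
        InjectDLL(hProcess, dllpath);
    }

    ResumeChildIfNeeded(callerWantsSuspended, hThread);
    return ret;
}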