示例#1
0
//--------------------------------------------------------------------------
// main program
int _tmain(int argc, _TCHAR* argv[])
{
  if (argc<2)
  {
    PrintUsage();
    return 0;
  }

  // get the full path of ropguarddll.dll
  char dllpath[1000];
  char *filename;
  if (!GetModuleFileName(NULL, dllpath, 980))
  {
    printf("Error: could not obtain current executable path\n");
    return 0;
  }
  filename = strrchr(dllpath,'\\');
  if(!filename) {
    printf("Error: could not obtain current executable path\n");
    return 0;
  }
  filename++;
  strcpy(filename, "ropsettings.txt");
  ropSettings = new ROPSettings();
  ReadROPSettings(dllpath);
  strcpy(filename, "ropguarddll.dll");


  //if the first argument is a number it's considered to be a PID
  if (IsNumeric(argv[1]))
  {
    //protect existing process
    GuardExistingProcess(atol(argv[1]), dllpath);
  }
  else
  {
    // create new protected process
    if (GetROPSettings()->waitEntryPoint)
    {
      CreateProcessWithDll(argv[1], dllpath, true);
    }
    else
    {
      CreateProcessWithDll(argv[1], dllpath, false);
    }
  }

  return 0;
}
示例#2
0
//--------------------------------------------------------------------------
// a function that will replace CreateProcessInternalW
// gets called whenever a process creates a child process
DWORD WINAPI CreateProcessInternalGuarded(
  __in         DWORD unknown1,                              // always (?) NULL
  __in_opt     LPCTSTR lpApplicationName,
  __inout_opt  LPTSTR lpCommandLine,
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation,
  __in         DWORD unknown2                               // always (?) NULL
)
{
	DWORD ret;
	DWORD newCreationFlags;
	//MessageBoxA(NULL, "Creating new process", "ROPGuard", MB_OK);

	//start new process in suspended state to inject dll into it
	newCreationFlags = dwCreationFlags | CREATE_SUSPENDED;

	ret = (*CreateProcessInternalOriginal)(unknown1,
		lpApplicationName,
		lpCommandLine,
		lpProcessAttributes,
		lpThreadAttributes,
		bInheritHandles,
		newCreationFlags,
		lpEnvironment,
		lpCurrentDirectory,
		lpStartupInfo,
		lpProcessInformation,
		unknown2);

	if(!ret) 
    return ret;

	BOOL parent64,child64;
	IsWow64Process(GetCurrentProcess(),&parent64);
	IsWow64Process(lpProcessInformation->hProcess,&child64);
	if (parent64 != child64) 
  {
		//MessageBoxA(NULL, "Current version of ROPGuard cannot protect 64-bit processes.\nThe process will NOT be protected.", "ROPGuard", MB_OK);
		if((dwCreationFlags&CREATE_SUSPENDED)==0) 
          ResumeThread(lpProcessInformation->hThread);
		return ret;
	}

	//get the path of the ropguard dll
	char dllpath[1000];
	HMODULE dllhandle;
	dllhandle = GetModuleHandle("ropguarddll.dll");
	if((!dllhandle) || (!GetModuleFileName(dllhandle, dllpath, _countof(dllpath)-1))) 
    {
		MessageBoxA(NULL, "Warning: could not obtain ropguarddll path", "ROPGuard", MB_OK);
		if((dwCreationFlags&CREATE_SUSPENDED)==0) ResumeThread(lpProcessInformation->hThread);
		return ret;
	}
	//MessageBoxA(NULL, dllpath, "ROPGuard", MB_OK);

	// inject ropguard dll into the newly created process
	if (((dwCreationFlags&CREATE_SUSPENDED)==0)&&(GetROPSettings()->waitEntryPoint)) 
    {
      PatchEntryPoint(lpProcessInformation->hProcess, lpProcessInformation->hThread, dllpath);
	} 
	else 
	{
      InjectDLL(lpProcessInformation->hProcess, dllpath);
	}

	//resume process if necessary
	if((dwCreationFlags&CREATE_SUSPENDED)==0) 
	  ResumeThread(lpProcessInformation->hThread);

	return ret;
}