/* Unregisters the service with the platform unload command and then removes
 * the service file from disk.
 *
 * Both strings come from build-time macros (_SERVICE_UNLOAD, _SERVICE_FILE),
 * so the command handed to system() is never assembled from runtime input.
 * A failing unload is only logged, since the service may already be gone.
 *
 * Returns 0 when the service file was deleted, (RU32)-1 otherwise. */
static RU32 uninstallService ( )
{
    RNCHAR svcUnload[] = { _SERVICE_UNLOAD };
    RNCHAR svcPath[] = { _SERVICE_FILE };
    int unloadStatus = system( svcUnload );

    if( unloadStatus != 0 )
    {
        rpal_debug_warning( "failed to unload service, already unloaded?" );
    }

    // Success is keyed on the on-disk file being gone, not on the unload.
    if( rpal_file_delete( svcPath, FALSE ) )
    {
        rpal_debug_info( "uninstalled successfully" );
        return 0;
    }

    rpal_debug_warning( "failed to delete file from disk, not present?" );
    return (RU32)-1;
}
/* Demo-sample routine (note the MALWARE_DEMO_WINDOWS_1 file names): moves the
 * running executable (g_self_path) into the first writable entry of a fixed
 * list of directories and starts it from there.
 *
 * Review notes, from the defender's side:
 *  - The target paths are the hard-coded list below, tried in array order;
 *    whatever already sits at a target is deleted before the move, and the
 *    move empties the original location. File deletion/rename events in
 *    these directories are the on-host artefacts of this routine.
 *  - The new copy is started with CREATE_NO_WINDOW and no command line;
 *    procInfo is filled by CreateProcessW but not used afterwards.
 *  - Failures are only logged; the function returns nothing, so a caller
 *    cannot tell whether the relocation happened. */
static RVOID relaunchInPermanentLocation ( )
{
    RPWCHAR bootstrapLocations[] = { _WCH( "%SYSTEMDRIVE%\\$Recycle.Bin\\MALWARE_DEMO_WINDOWS_1.exe" ),
                                     _WCH( "%SYSTEMDRIVE%\\RECYCLER\\MALWARE_DEMO_WINDOWS_1.exe" ),
                                     _WCH( "%windir%\\system32\\tasks\\MALWARE_DEMO_WINDOWS_1.exe" ),
                                     _WCH( "%USERPROFILE%\\MALWARE_DEMO_WINDOWS_1.exe" ) };
    RU32 i = 0;
    STARTUPINFOW startupInfo = {0};
    PROCESS_INFORMATION procInfo = {0};
    RPWCHAR expandedPath = NULL;

    for( i = 0; i < ARRAY_N_ELEM( bootstrapLocations ); i++ )
    {
        rpal_debug_info( "trying to move to bootstrap location %d...", i );
        // Remove any stale copy at the target before attempting the move.
        rpal_file_delete( bootstrapLocations[ i ], FALSE );
        if( rpal_file_move( g_self_path, bootstrapLocations[ i ] ) )
        {
            rpal_debug_info( "successfully moved to bootstrap location!" );
            rpal_debug_info( "launching in new location (%ls)...", bootstrapLocations[ i ] );
            // The %VAR% references in the path are expanded here, before the
            // path is handed to CreateProcessW.
            if( rpal_string_expand( bootstrapLocations[ i ], &expandedPath ) &&
                0 != CreateProcessW( expandedPath, NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &startupInfo, &procInfo ) )
            {
                rpal_debug_info( "successfully launched from new location." );
            }
            else
            {
                rpal_debug_error( "error launching from permanent location: %d.", GetLastError() );
            }
            // expandedPath is only allocated when rpal_string_expand succeeded.
            if( NULL != expandedPath )
            {
                rpal_memory_free( expandedPath );
            }
            // One successful move ends the search; later entries are not tried.
            break;
        }
        else
        {
            rpal_debug_warning( "could not move to new bootstrap location, may not have permission..." );
        }
    }
}
/* Copies the enrollment token and agent id carried by a raw ident-store
 * image (an rpHCPIdentStore header followed by the token bytes) into
 * g_hcpContext. The caller has already checked that imageSize covers the
 * header. Returns FALSE, without touching g_hcpContext, when the token
 * length recorded in the header does not match the bytes actually read. */
static RBOOL applyIdentStoreImage( RPU8 image, RU32 imageSize )
{
    rpHCPIdentStore* ident = (rpHCPIdentStore*)image;

    if( imageSize - sizeof( rpHCPIdentStore ) != ident->enrollmentTokenSize )
    {
        return FALSE;
    }

    rpal_debug_info( "ident store found" );

    g_hcpContext.enrollmentToken = rpal_memory_alloc( ident->enrollmentTokenSize );
    if( NULL != g_hcpContext.enrollmentToken )
    {
        rpal_memory_memcpy( g_hcpContext.enrollmentToken,
                            ident->enrollmentToken,
                            ident->enrollmentTokenSize );
        g_hcpContext.enrollmentTokenSize = ident->enrollmentTokenSize;
    }

    // The agent id is adopted even if the token copy failed; in that case
    // enrollmentTokenSize keeps whatever value it already had.
    g_hcpContext.currentId = ident->agentId;

    return TRUE;
}

/* Loads the persisted identity (agent id + enrollment token) from the ident
 * store file into g_hcpContext and always applies the platform id default.
 *
 * Returns TRUE when a self-consistent store was read. A file shorter than
 * the header is ignored; a header whose token length disagrees with the
 * file size is treated as corrupt and the file is deleted. */
static RBOOL getStoreConf ( )
{
    RBOOL isSuccess = FALSE;
    RPU8 storeFile = NULL;
    RU32 storeFileSize = 0;
    OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_IDENT_STORE );

    // NOTE(review): the path literal is presumably kept obfuscated at rest and
    // toggled readable only around the file operations — confirm against
    // OBFUSCATIONLIB_TOGGLE; the two toggles must stay paired.
    OBFUSCATIONLIB_TOGGLE( store );

    if( rpal_file_read( (RPNCHAR)store, (RPVOID)&storeFile, &storeFileSize, FALSE ) )
    {
        if( sizeof( rpHCPIdentStore ) <= storeFileSize )
        {
            isSuccess = applyIdentStoreImage( storeFile, storeFileSize );
            if( !isSuccess )
            {
                rpal_debug_warning( "inconsistent ident store, reseting" );
                rpal_file_delete( (RPNCHAR)store, FALSE );
            }
        }
        rpal_memory_free( storeFile );
    }

    OBFUSCATIONLIB_TOGGLE( store );

    // Set some always-correct defaults
    g_hcpContext.currentId.id.platformId = RP_HCP_ID_MAKE_PLATFORM( RP_HCP_PLATFORM_CURRENT_CPU,
                                                                    RP_HCP_PLATFORM_CURRENT_MAJOR,
                                                                    RP_HCP_PLATFORM_CURRENT_MINOR );

    return isSuccess;
}
/* Console control handler. On CTRL_SHUTDOWN_EVENT it deletes the crash
 * store file (RP_HCP_CONFIG_CRASH_STORE) so the forced shutdown is not
 * later reported as a crash; every other event is ignored.
 *
 * Always returns FALSE so the event continues to the next handler. */
static BOOL ctrlHandler ( DWORD type )
{
    OBFUSCATIONLIB_DECLARE( store, RP_HCP_CONFIG_CRASH_STORE );

    UNREFERENCED_PARAMETER( type );

    switch( type )
    {
        case CTRL_SHUTDOWN_EVENT:
            // Windows is about to terminate the process, so no clean
            // shutdown is attempted; only the crash marker is cleared.
            OBFUSCATIONLIB_TOGGLE( store );
            rpal_file_delete( (RPWCHAR)store, FALSE );
            OBFUSCATIONLIB_TOGGLE( store );
            break;
        default:
            break;
    }

    // Pass the signal along
    return FALSE;
}
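/* Replaces the module file at currentModulePath with newImage, keeping the
 * previous file at backupPath. The current file is moved aside first rather
 * than overwritten in place; if writing the new image fails, the backup is
 * moved back and the actual outcome of that revert is logged.
 *
 * Returns TRUE only when the new image was written to currentModulePath. */
static RBOOL replaceModuleOnDisk( RPNCHAR currentModulePath,
                                  RPNCHAR backupPath,
                                  RPU8 newImage,
                                  RU32 newImageSize )
{
    RBOOL isSuccess = FALSE;

    // Drop any stale backup in case the move does not overwrite.
    rpal_file_delete( backupPath, FALSE );

    if( !rpal_file_move( currentModulePath, backupPath ) )
    {
        rpal_debug_warning( "failed to move hcp to backup location" );
        return FALSE;
    }

    if( rpal_file_write( currentModulePath, newImage, newImageSize, TRUE ) )
    {
        rpal_debug_info( "hcp was successfully updated" );
        isSuccess = TRUE;
    }
    else
    {
        rpal_debug_warning( "failed to write new hcp to disk" );
        // Restore the previous binary and report what really happened.
        if( rpal_file_move( backupPath, currentModulePath ) )
        {
            rpal_debug_warning( "old hcp was reverted" );
        }
        else
        {
            rpal_debug_error( "could not revert old hcp" );
        }
    }

    return isSuccess;
}

/* Handles an HCP upgrade command.
 *
 * seq must carry the new module image (RP_TAGS_BINARY) and a signature of
 * exactly CRYPTOLIB_SIGNATURE_SIZE bytes (RP_TAGS_SIGNATURE). Nothing is
 * written to disk until the signature over the image verifies against
 * getRootPublicKey(). The previous module is kept as "<module path>.old"
 * and restored if the write fails.
 *
 * Returns TRUE when the new image is on disk; FALSE for a NULL seq, missing
 * or malformed fields, a bad signature, or a path/allocation failure. */
RPRIVATE_TESTABLE RBOOL upgradeHcp ( rSequence seq )
{
    RBOOL isSuccess = FALSE;
    RPU8 tmpBuff = NULL;
    RU32 tmpSize = 0;
    RPU8 tmpSig = NULL;
    RU32 tmpSigSize = 0;
    RPNCHAR currentModulePath = NULL;
    RPNCHAR backupPath = NULL;

    if( NULL == seq )
    {
        return FALSE;
    }

    if( !rSequence_getBUFFER( seq, RP_TAGS_BINARY, &tmpBuff, &tmpSize ) ||
        !rSequence_getBUFFER( seq, RP_TAGS_SIGNATURE, &tmpSig, &tmpSigSize ) ||
        CRYPTOLIB_SIGNATURE_SIZE != tmpSigSize )
    {
        rpal_debug_warning( "Upgrade command missing or invalid component." );
        return FALSE;
    }

    // Authenticate the image before touching the filesystem.
    if( !CryptoLib_verify( tmpBuff, tmpSize, getRootPublicKey(), tmpSig ) )
    {
        rpal_debug_warning( "New HCP binary signature is invalid." );
        return FALSE;
    }

    if( NULL == ( currentModulePath = processLib_getCurrentModulePath() ) )
    {
        rpal_debug_error( "failed to get current module path" );
        return FALSE;
    }

    // NOTE(review): if rpal_string_strcatEx returns NULL without releasing
    // its input, the strdup'd path leaks here — confirm its contract.
    if( NULL != ( backupPath = rpal_string_strdup( currentModulePath ) ) &&
        NULL != ( backupPath = rpal_string_strcatEx( backupPath, _NC( ".old" ) ) ) )
    {
        isSuccess = replaceModuleOnDisk( currentModulePath, backupPath, tmpBuff, tmpSize );
        rpal_memory_free( backupPath );
    }

    rpal_memory_free( currentModulePath );

    return isSuccess;
}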
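/* Sends SERVICE_CONTROL_STOP to hSvc and polls its status, up to ten times
 * one second apart, until it reports SERVICE_STOPPED. The outcome logged is
 * the actual final state: a status query failure or a timeout is reported
 * as such rather than as "stopped". Failures are logged only; the caller
 * proceeds with deletion regardless. */
static RVOID stopServiceAndWait( SC_HANDLE hSvc )
{
    SERVICE_STATUS svcStatus = { 0 };
    RU32 nRetries = 10;

    if( !ControlService( hSvc, SERVICE_CONTROL_STOP, &svcStatus ) )
    {
        rpal_debug_error( "could not stop service: %d", GetLastError() );
        return;
    }

    while( SERVICE_STOPPED != svcStatus.dwCurrentState && 0 != nRetries )
    {
        rpal_debug_error( "waiting for service to stop..." );
        rpal_thread_sleep( 1000 );
        if( !QueryServiceStatus( hSvc, &svcStatus ) )
        {
            rpal_debug_error( "could not query service status: %d", GetLastError() );
            return;
        }
        nRetries--;
    }

    if( SERVICE_STOPPED == svcStatus.dwCurrentState )
    {
        rpal_debug_info( "service stopped" );
    }
    else
    {
        rpal_debug_error( "timed out waiting for service to stop, moving on..." );
    }
}

/* Stops and deletes the service named by _SERVICE_NAMEW, then removes its
 * executable at the fixed path %SYSTEMROOT%\system32\rphcp.exe.
 *
 * The SCM is opened with SC_MANAGER_CONNECT, the only right OpenServiceW
 * needs; the per-service rights (stop, query, delete) are requested on the
 * service handle itself.
 *
 * Returns 0 when both the service record (if it could be opened) and the
 * executable were removed; otherwise the Win32 error code captured right
 * after the failing DeleteService or file deletion. A service that cannot
 * be opened at all is logged but not treated as an error, so an already
 * unregistered service with no file left returns 0. */
static RU32 uninstallService ( )
{
    RWCHAR destPath[] = _WCH( "%SYSTEMROOT%\\system32\\rphcp.exe" );
    RWCHAR svcName[] = { _SERVICE_NAMEW };
    SC_HANDLE hScm = NULL;
    SC_HANDLE hSvc = NULL;
    RU32 res = 0;

    rpal_debug_info( "uninstalling service" );

    hScm = OpenSCManagerA( NULL, NULL, SC_MANAGER_CONNECT );
    if( NULL == hScm )
    {
        rpal_debug_error( "could not open SCM: %d", GetLastError() );
    }
    else
    {
        hSvc = OpenServiceW( hScm, svcName, SERVICE_STOP | SERVICE_QUERY_STATUS | DELETE );
        if( NULL == hSvc )
        {
            rpal_debug_error( "could not open service: %d", GetLastError() );
        }
        else
        {
            stopServiceAndWait( hSvc );

            if( DeleteService( hSvc ) )
            {
                rpal_debug_info( "service deleted" );
            }
            else
            {
                // Capture the code immediately; later calls may overwrite it.
                res = GetLastError();
                rpal_debug_error( "could not delete service: %d", res );
            }
            CloseServiceHandle( hSvc );
        }
        CloseServiceHandle( hScm );
    }

    // Give the SCM a moment to release the executable before deleting it.
    rpal_thread_sleep( MSEC_FROM_SEC( 1 ) );

    if( rpal_file_delete( destPath, FALSE ) )
    {
        rpal_debug_info( "service executable deleted" );
    }
    else
    {
        res = GetLastError();
        rpal_debug_error( "could not delete service executable: %d", res );
    }

    return res;
}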