|
|
/*++
Copyright (c) 2001 Microsoft Corporation
Module Name:
SecurityChecks.cpp
Abstract:
This AppVerifier shim hooks CreateProcess, CreateProcessAsUser, and WinExec and checks to see if some conditions exist that might allow trojan horse behavior to occur. Notes:
This is a general purpose shim.
History:
12/13/2001 rparsons Created
--*/
#include "precomp.h"
IMPLEMENT_SHIM_BEGIN(SecurityChecks)#include "ShimHookMacro.h"
//
// verifier log entries
//
BEGIN_DEFINE_VERIFIER_LOG(SecurityChecks) VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_BADARGUMENTS) VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_WINEXEC) VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_NULL_DACL) VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_WORLDWRITE_DACL)END_DEFINE_VERIFIER_LOG(SecurityChecks)
INIT_VERIFIER_LOG(SecurityChecks);
APIHOOK_ENUM_BEGIN APIHOOK_ENUM_ENTRY(CreateProcessA) APIHOOK_ENUM_ENTRY(CreateProcessW) APIHOOK_ENUM_ENTRY(CreateProcessAsUserA) APIHOOK_ENUM_ENTRY(CreateProcessAsUserW) APIHOOK_ENUM_ENTRY(WinExec)
APIHOOK_ENUM_ENTRY(CreateFileA) APIHOOK_ENUM_ENTRY(CreateFileW) APIHOOK_ENUM_ENTRY(CreateDesktopA) APIHOOK_ENUM_ENTRY(CreateDesktopW) APIHOOK_ENUM_ENTRY(CreateWindowStationA) APIHOOK_ENUM_ENTRY(CreateWindowStationW) APIHOOK_ENUM_ENTRY(RegCreateKeyExA) APIHOOK_ENUM_ENTRY(RegCreateKeyExW) APIHOOK_ENUM_ENTRY(RegSaveKeyA) APIHOOK_ENUM_ENTRY(RegSaveKeyW) APIHOOK_ENUM_ENTRY(RegSaveKeyExA) APIHOOK_ENUM_ENTRY(RegSaveKeyExW)
APIHOOK_ENUM_ENTRY(CreateFileMappingA) APIHOOK_ENUM_ENTRY(CreateFileMappingW) APIHOOK_ENUM_ENTRY(CreateJobObjectA) APIHOOK_ENUM_ENTRY(CreateJobObjectW) APIHOOK_ENUM_ENTRY(CreateThread) APIHOOK_ENUM_ENTRY(CreateRemoteThread)
APIHOOK_ENUM_ENTRY(CreateDirectoryA) APIHOOK_ENUM_ENTRY(CreateDirectoryW) APIHOOK_ENUM_ENTRY(CreateDirectoryExA) APIHOOK_ENUM_ENTRY(CreateDirectoryExW) APIHOOK_ENUM_ENTRY(CreateHardLinkA) APIHOOK_ENUM_ENTRY(CreateHardLinkW) APIHOOK_ENUM_ENTRY(CreateMailslotA) APIHOOK_ENUM_ENTRY(CreateMailslotW) APIHOOK_ENUM_ENTRY(CreateNamedPipeA) APIHOOK_ENUM_ENTRY(CreateNamedPipeW) APIHOOK_ENUM_ENTRY(CreatePipe) APIHOOK_ENUM_ENTRY(CreateMutexA) APIHOOK_ENUM_ENTRY(CreateMutexW) APIHOOK_ENUM_ENTRY(CreateSemaphoreA) APIHOOK_ENUM_ENTRY(CreateSemaphoreW) APIHOOK_ENUM_ENTRY(CreateWaitableTimerA) APIHOOK_ENUM_ENTRY(CreateWaitableTimerW)
//APIHOOK_ENUM_ENTRY(ClusterRegCreateKey)
//APIHOOK_ENUM_ENTRY(CreateNtmsMediaPoolA)
//APIHOOK_ENUM_ENTRY(CreateNtmsMediaPoolW)
APIHOOK_ENUM_END
BYTE g_ajSidBuffer[SECURITY_MAX_SID_SIZE];PSID g_pWorldSid = NULL;
WCHAR g_wszWinDir[MAX_PATH];DWORD g_dwWinDirLen = 0;
voidInitWorldSid( void ){ DWORD dwSidSize = sizeof(g_ajSidBuffer);
if (CreateWellKnownSid(WinWorldSid, NULL, g_ajSidBuffer, &dwSidSize)) { g_pWorldSid = g_ajSidBuffer; } else { g_pWorldSid = NULL; }}
voidCheckSecurityDescriptor( PSECURITY_DESCRIPTOR pSecurityDescriptor, LPCWSTR szCaller, LPCWSTR szParam, LPCWSTR szName ){ BOOL bDaclPresent = FALSE; BOOL bDaclDefaulted = FALSE; PACL pDacl = NULL;
if (!pSecurityDescriptor || !szName || !szName[0]) { //
// there's no attributes, so they get the default, which is fine,
// or the object doesn't have a name, so it can't be highjacked
//
return; }
if (GetSecurityDescriptorDacl(pSecurityDescriptor, &bDaclPresent, &pDacl, &bDaclDefaulted)) { if (bDaclPresent) { if (!pDacl) { //
// we have a NULL dacl -- log a problem
//
VLOG(VLOG_LEVEL_ERROR, VLOG_SECURITYCHECKS_NULL_DACL, "Called %ls, and specified a NULL DACL in %ls for object '%ls.'", szCaller, szParam, szName); return; }
if (!g_pWorldSid) { //
// we never were able to get the world Sid
//
return; }
for (DWORD i = 0; i < pDacl->AceCount; ++i) { PACE_HEADER pAceHeader = NULL; PSID pSID; ACCESS_MASK dwAccessMask;
if (!GetAce(pDacl, i, (LPVOID*)&pAceHeader)) { continue; }
//
// if it's not some form of ACCESS_ALLOWED ACE, we aren't interested
//
if (pAceHeader->AceType == ACCESS_ALLOWED_ACE_TYPE) {
pSID = &(((PACCESS_ALLOWED_ACE)pAceHeader)->SidStart); dwAccessMask = ((PACCESS_ALLOWED_ACE)pAceHeader)->Mask;
} else if (pAceHeader->AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE) {
PACCESS_ALLOWED_OBJECT_ACE pAAOAce = (PACCESS_ALLOWED_OBJECT_ACE)pAceHeader;
//
// who the heck came up with this system? The Sid starts at a different place
// depending on the flags. Anyone ever heard of multiple structs? Sigh.
//
if ((pAAOAce->Flags & ACE_OBJECT_TYPE_PRESENT) && (pAAOAce->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)) {
pSID = &(pAAOAce->SidStart);
} else if ((pAAOAce->Flags & ACE_OBJECT_TYPE_PRESENT) || (pAAOAce->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)){
pSID = (PSID)&(pAAOAce->InheritedObjectType);
} else {
pSID = (PSID)&(pAAOAce->ObjectType); }
dwAccessMask = ((PACCESS_ALLOWED_OBJECT_ACE)pAceHeader)->Mask;
} else { continue; }
//
// check the validity of the SID, just to be safe
//
if (!IsValidSid(pSID)) {
continue; }
//
// if the SID is the world, and the access mask allows WRITE_DAC and WRITE_OWNER, we have a problem
//
if ((dwAccessMask & (WRITE_DAC | WRITE_OWNER)) && EqualSid(pSID, g_pWorldSid)) { VLOG(VLOG_LEVEL_ERROR, VLOG_SECURITYCHECKS_WORLDWRITE_DACL, "Called %ls, and specified a DACL with WRITE_DAC and/or WRITE_OWNER for WORLD in %ls for object '%ls.'", szCaller, szParam, szName); return; }
}
}
}
}
voidCheckSecurityAttributes( LPSECURITY_ATTRIBUTES pSecurityAttrib, LPCWSTR szCaller, LPCWSTR szParam, LPCWSTR szName ){ PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
if (!pSecurityAttrib) { //
// there's no attributes, so they get the default, which is fine
//
return; }
pSecurityDescriptor = (PSECURITY_DESCRIPTOR)pSecurityAttrib->lpSecurityDescriptor;
CheckSecurityDescriptor(pSecurityDescriptor, szCaller, szParam, szName);}
voidCheckCreateProcess( LPCWSTR pwszApplicationName, LPCWSTR pwszCommandLine, LPCWSTR pwszCaller ){ //
// if applicationname is non-null, there's no problem
//
if (pwszApplicationName) { return; }
//
// if there's no command line, there's a problem, but not one we want to solve
//
if (!pwszCommandLine) { return; }
//
// if there are no spaces, no problem
//
LPWSTR pSpaceLoc = wcschr(pwszCommandLine, L' '); if (!pSpaceLoc) { return; }
//
// if the beginning of the command line is quoted, no problem
//
if (pwszCommandLine[0] == L'\"') { return; }
//
// if the phrase '.exe ' appears before the first space, we'll call that good
//
LPWSTR pExeLoc = wcsistr(pwszCommandLine, L".exe "); if (pExeLoc && pExeLoc < pSpaceLoc) { return; }
//
// if the first part of the command line is windir, we'll call that good
//
if (g_dwWinDirLen && _wcsnicmp(pwszCommandLine, g_wszWinDir, g_dwWinDirLen) == 0) { return; }
if (_wcsicmp(pwszCaller, L"winexec") == 0) { VLOG(VLOG_LEVEL_ERROR, VLOG_SECURITYCHECKS_BADARGUMENTS, "Called %ls with command line '%ls'. The command line has spaces, and the exe name is not in quotes.", pwszCaller, pwszCommandLine); } else { VLOG(VLOG_LEVEL_ERROR, VLOG_SECURITYCHECKS_BADARGUMENTS, "Called %ls with command line '%ls'. The lpApplicationName argument is NULL, lpCommandLine has spaces, and the exe name is not in quotes.", pwszCaller, pwszCommandLine); }}
voidCheckForNoPathInFileName( LPCWSTR pwszFilePath, LPCWSTR pwszCaller ){ if (!pwszFilePath || !pwszCaller) { return; }
//
// skip quotes and space if necessary
//
DWORD dwBegin = 0; while (pwszFilePath[dwBegin] == L'\"' || pwszFilePath[dwBegin] == L' ') { dwBegin++; }
//
// if there's nothing left of the string, get out
//
if (!pwszFilePath[dwBegin] || !pwszFilePath[dwBegin + 1]) { return; }
//
// check for DOS (x:...) and UNC (\\...) full paths
//
if (pwszFilePath[dwBegin + 1] == L':' || (pwszFilePath[dwBegin] == L'\\' && pwszFilePath[dwBegin + 1] == L'\\')) { //
// full path
//
return; }
VLOG(VLOG_LEVEL_ERROR, VLOG_SECURITYCHECKS_BADARGUMENTS, "Called '%ls' with '%ls' specified. Use a full path to the file to ensure that you get the executable you want, and not a malicious exe with the same name.", pwszCaller, pwszFilePath);}
BOOL APIHOOK(CreateProcessA)( LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ){ LPWSTR pwszApplicationName = ToUnicode(lpApplicationName); LPWSTR pwszCommandLine = ToUnicode(lpCommandLine);
CheckCreateProcess(pwszApplicationName, pwszCommandLine, L"CreateProcess");
if (pwszApplicationName) { CheckForNoPathInFileName(pwszApplicationName, L"CreateProcess"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcess", L"lpProcessAttributes", pwszApplicationName); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcess", L"lpThreadAttributes", pwszApplicationName); } else { CheckForNoPathInFileName(pwszCommandLine, L"CreateProcess"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcess", L"lpProcessAttributes", pwszCommandLine); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcess", L"lpThreadAttributes", pwszCommandLine); }
if (pwszApplicationName) { free(pwszApplicationName); pwszApplicationName = NULL; } if (pwszCommandLine) { free(pwszCommandLine); pwszCommandLine = NULL; }
return ORIGINAL_API(CreateProcessA)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);}
BOOL APIHOOK(CreateProcessW)( LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ){ CheckCreateProcess(lpApplicationName, lpCommandLine, L"CreateProcess");
if (lpApplicationName) { CheckForNoPathInFileName(lpApplicationName, L"CreateProcess"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcess", L"lpProcessAttributes", lpApplicationName); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcess", L"lpThreadAttributes", lpApplicationName); } else { CheckForNoPathInFileName(lpCommandLine, L"CreateProcess"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcess", L"lpProcessAttributes", lpCommandLine); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcess", L"lpThreadAttributes", lpCommandLine); }
return ORIGINAL_API(CreateProcessW)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);}
BOOL APIHOOK(CreateProcessAsUserA)( HANDLE hToken, LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ){ LPWSTR pwszApplicationName = ToUnicode(lpApplicationName); LPWSTR pwszCommandLine = ToUnicode(lpCommandLine);
CheckCreateProcess(pwszApplicationName, pwszCommandLine, L"CreateProcessAsUser");
if (pwszApplicationName) { CheckForNoPathInFileName(pwszApplicationName, L"CreateProcessAsUser");
CheckSecurityAttributes(lpProcessAttributes, L"CreateProcessAsUser", L"lpProcessAttributes", pwszApplicationName); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcessAsUser", L"lpThreadAttributes", pwszApplicationName); } else { CheckForNoPathInFileName(pwszCommandLine, L"CreateProcessAsUser"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcessAsUser", L"lpProcessAttributes", pwszCommandLine); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcessAsUser", L"lpThreadAttributes", pwszCommandLine); }
if (pwszApplicationName) { free(pwszApplicationName); pwszApplicationName = NULL; } if (pwszCommandLine) { free(pwszCommandLine); pwszCommandLine = NULL; }
return ORIGINAL_API(CreateProcessAsUserA)(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);}
BOOL APIHOOK(CreateProcessAsUserW)( HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ){ CheckCreateProcess(lpApplicationName, lpCommandLine, L"CreateProcessAsUser");
if (lpApplicationName) { CheckForNoPathInFileName(lpApplicationName, L"CreateProcessAsUser"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcessAsUser", L"lpProcessAttributes", lpApplicationName); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcessAsUser", L"lpThreadAttributes", lpApplicationName); } else { CheckForNoPathInFileName(lpCommandLine, L"CreateProcessAsUser"); CheckSecurityAttributes(lpProcessAttributes, L"CreateProcessAsUser", L"lpProcessAttributes", lpCommandLine); CheckSecurityAttributes(lpThreadAttributes, L"CreateProcessAsUser", L"lpThreadAttributes", lpCommandLine); }
return ORIGINAL_API(CreateProcessAsUserW)(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);}
UINT APIHOOK(WinExec)( LPCSTR lpCmdLine, UINT uCmdShow ){ LPWSTR pwszCmdLine = ToUnicode(lpCmdLine);
VLOG(VLOG_LEVEL_ERROR, VLOG_SECURITYCHECKS_WINEXEC, "Called WinExec.");
CheckForNoPathInFileName(pwszCmdLine, L"WinExec");
CheckCreateProcess(NULL, pwszCmdLine, L"WinExec");
if (pwszCmdLine) { free(pwszCmdLine); pwszCmdLine = NULL; }
return ORIGINAL_API(WinExec)(lpCmdLine, uCmdShow);}
HANDLEAPIHOOK(CreateFileA)( LPCSTR lpFileName, // file name
DWORD dwDesiredAccess, // access mode
DWORD dwShareMode, // share mode
LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
DWORD dwCreationDisposition, // how to create
DWORD dwFlagsAndAttributes, // file attributes
HANDLE hTemplateFile // handle to template file
){ LPWSTR pwszName = ToUnicode(lpFileName);
CheckSecurityAttributes(lpSecurityAttributes, L"CreateFile", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateFileA)(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
HANDLEAPIHOOK(CreateFileW)( LPCWSTR lpFileName, // file name
DWORD dwDesiredAccess, // access mode
DWORD dwShareMode, // share mode
LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
DWORD dwCreationDisposition, // how to create
DWORD dwFlagsAndAttributes, // file attributes
HANDLE hTemplateFile // handle to template file
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateFile", L"lpSecurityAttributes", lpFileName); return ORIGINAL_API(CreateFileW)(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);}
HDESK APIHOOK(CreateDesktopA)( LPCSTR lpszDesktop, // name of new desktop
LPCSTR lpszDevice, // reserved; must be NULL
LPDEVMODEA pDevmode, // reserved; must be NULL
DWORD dwFlags, // desktop interaction
ACCESS_MASK dwDesiredAccess, // access of returned handle
LPSECURITY_ATTRIBUTES lpsa // security attributes
){ LPWSTR pwszName = ToUnicode(lpszDesktop);
CheckSecurityAttributes(lpsa, L"CreateDesktop", L"lpsa", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateDesktopA)(lpszDesktop, lpszDevice, pDevmode, dwFlags, dwDesiredAccess, lpsa);}
HDESK APIHOOK(CreateDesktopW)( LPCWSTR lpszDesktop, // name of new desktop
LPCWSTR lpszDevice, // reserved; must be NULL
LPDEVMODEW pDevmode, // reserved; must be NULL
DWORD dwFlags, // desktop interaction
ACCESS_MASK dwDesiredAccess, // access of returned handle
LPSECURITY_ATTRIBUTES lpsa // security attributes
){ CheckSecurityAttributes(lpsa, L"CreateDesktop", L"lpsa", lpszDesktop);
return ORIGINAL_API(CreateDesktopW)(lpszDesktop, lpszDevice, pDevmode, dwFlags, dwDesiredAccess, lpsa);}
HWINSTA APIHOOK(CreateWindowStationA)( LPSTR lpwinsta, // new window station name
DWORD dwReserved, // reserved; must be zero
ACCESS_MASK dwDesiredAccess, // requested access
LPSECURITY_ATTRIBUTES lpsa // security attributes
){ LPWSTR pwszName = ToUnicode(lpwinsta);
CheckSecurityAttributes(lpsa, L"CreateWindowStation", L"lpsa", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateWindowStationA)(lpwinsta, dwReserved, dwDesiredAccess, lpsa);}
HWINSTA APIHOOK(CreateWindowStationW)( LPWSTR lpwinsta, // new window station name
DWORD dwReserved, // reserved; must be zero
ACCESS_MASK dwDesiredAccess, // requested access
LPSECURITY_ATTRIBUTES lpsa // security attributes
){ CheckSecurityAttributes(lpsa, L"CreateWindowStation", L"lpsa", lpwinsta);
return ORIGINAL_API(CreateWindowStationW)(lpwinsta, dwReserved, dwDesiredAccess, lpsa);}
LONG APIHOOK(RegCreateKeyExA)( HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition ){ LPWSTR pwszName = ToUnicode(lpSubKey);
CheckSecurityAttributes(lpSecurityAttributes, L"RegCreateKeyEx", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(RegCreateKeyExA)(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);}
LONG APIHOOK(RegCreateKeyExW)( HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition ){ CheckSecurityAttributes(lpSecurityAttributes, L"RegCreateKeyEx", L"lpSecurityAttributes", lpSubKey); return ORIGINAL_API(RegCreateKeyExW)(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);}
LONG APIHOOK(RegSaveKeyA)( HKEY hKey, // handle to key
LPCSTR lpFile, // data file
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ LPWSTR pwszName = ToUnicode(lpFile);
CheckSecurityAttributes(lpSecurityAttributes, L"RegSaveKey", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(RegSaveKeyA)(hKey, lpFile, lpSecurityAttributes);}
LONG APIHOOK(RegSaveKeyW)( HKEY hKey, // handle to key
LPCWSTR lpFile, // data file
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ CheckSecurityAttributes(lpSecurityAttributes, L"RegSaveKey", L"lpSecurityAttributes", lpFile); return ORIGINAL_API(RegSaveKeyW)(hKey, lpFile, lpSecurityAttributes);}
LONG APIHOOK(RegSaveKeyExA)( HKEY hKey, // handle to key
LPCSTR lpFile, // data file
LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
DWORD Flags ){ LPWSTR pwszName = ToUnicode(lpFile);
CheckSecurityAttributes(lpSecurityAttributes, L"RegSaveKeyEx", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(RegSaveKeyExA)(hKey, lpFile, lpSecurityAttributes, Flags);}
LONG APIHOOK(RegSaveKeyExW)( HKEY hKey, // handle to key
LPCWSTR lpFile, // data file
LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
DWORD Flags ){ CheckSecurityAttributes(lpSecurityAttributes, L"RegSaveKeyEx", L"lpSecurityAttributes", lpFile); return ORIGINAL_API(RegSaveKeyExW)(hKey, lpFile, lpSecurityAttributes, Flags);}
HANDLE APIHOOK(CreateFileMappingA)( HANDLE hFile, LPSECURITY_ATTRIBUTES lpAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName ){ LPWSTR pwszName = ToUnicode(lpName);
CheckSecurityAttributes(lpAttributes, L"CreateFileMapping", L"lpAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateFileMappingA)(hFile, lpAttributes, flProtect, dwMaximumSizeHigh, dwMaximumSizeLow, lpName);}
HANDLE APIHOOK(CreateFileMappingW)( HANDLE hFile, LPSECURITY_ATTRIBUTES lpAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCWSTR lpName ){ CheckSecurityAttributes(lpAttributes, L"CreateFileMapping", L"lpAttributes", lpName); return ORIGINAL_API(CreateFileMappingW)(hFile, lpAttributes, flProtect, dwMaximumSizeHigh, dwMaximumSizeLow, lpName);}
HANDLE APIHOOK(CreateJobObjectA)( LPSECURITY_ATTRIBUTES lpJobAttributes, // SD
LPCSTR lpName // job name
){ LPWSTR pwszName = ToUnicode(lpName);
CheckSecurityAttributes(lpJobAttributes, L"CreateJobObject", L"lpJobAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateJobObjectA)(lpJobAttributes, lpName);}
HANDLE APIHOOK(CreateJobObjectW)( LPSECURITY_ATTRIBUTES lpJobAttributes, // SD
LPCWSTR lpName // job name
){ CheckSecurityAttributes(lpJobAttributes, L"CreateJobObject", L"lpJobAttributes", lpName); return ORIGINAL_API(CreateJobObjectW)(lpJobAttributes, lpName);}
HANDLEAPIHOOK(CreateThread)( LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
){ CheckSecurityAttributes(lpThreadAttributes, L"CreateThread", L"lpThreadAttributes", L"Unnamed thread"); return ORIGINAL_API(CreateThread)(lpThreadAttributes, (DWORD)dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId); }
HANDLE APIHOOK(CreateRemoteThread)( HANDLE hProcess, // handle to process
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
){ CheckSecurityAttributes(lpThreadAttributes, L"CreateRemoteThread", L"lpThreadAttributes", L"Unnamed thread"); return ORIGINAL_API(CreateRemoteThread)(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId); }
BOOLAPIHOOK(CreateDirectoryA)( LPCSTR lpPathName, // directory name
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ LPWSTR pwszName = ToUnicode(lpPathName);
CheckSecurityAttributes(lpSecurityAttributes, L"CreateDirectory", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateDirectoryA)(lpPathName, lpSecurityAttributes);}
BOOLAPIHOOK(CreateDirectoryW)( LPCWSTR lpPathName, // directory name
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateDirectory", L"lpSecurityAttributes", lpPathName); return ORIGINAL_API(CreateDirectoryW)(lpPathName, lpSecurityAttributes);}
BOOLAPIHOOK(CreateDirectoryExA)( LPCSTR lpTemplateDirectory, // template directory
LPCSTR lpNewDirectory, // directory name
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ LPWSTR pwszName = ToUnicode(lpNewDirectory);
CheckSecurityAttributes(lpSecurityAttributes, L"CreateDirectoryEx", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateDirectoryExA)(lpTemplateDirectory, lpNewDirectory, lpSecurityAttributes);
}
BOOLAPIHOOK(CreateDirectoryExW)( LPCWSTR lpTemplateDirectory, // template directory
LPCWSTR lpNewDirectory, // directory name
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateDirectoryEx", L"lpSecurityAttributes", lpNewDirectory); return ORIGINAL_API(CreateDirectoryExW)(lpTemplateDirectory, lpNewDirectory, lpSecurityAttributes);
}
BOOL APIHOOK(CreateHardLinkA)( LPCSTR lpFileName, // link name name
LPCSTR lpExistingFileName, // target file name
LPSECURITY_ATTRIBUTES lpSecurityAttributes ){ LPWSTR pwszName = ToUnicode(lpFileName);
CheckSecurityAttributes(lpSecurityAttributes, L"CreateHardLink", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateHardLinkA)(lpFileName, lpExistingFileName, lpSecurityAttributes);
}
BOOL APIHOOK(CreateHardLinkW)( LPCWSTR lpFileName, // link name name
LPCWSTR lpExistingFileName, // target file name
LPSECURITY_ATTRIBUTES lpSecurityAttributes ){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateHardLink", L"lpSecurityAttributes", lpFileName); return ORIGINAL_API(CreateHardLinkW)(lpFileName, lpExistingFileName, lpSecurityAttributes);
}
HANDLE APIHOOK(CreateMailslotA)( LPCSTR lpName, // mailslot name
DWORD nMaxMessageSize, // maximum message size
DWORD lReadTimeout, // read time-out interval
LPSECURITY_ATTRIBUTES lpSecurityAttributes // inheritance option
){ LPWSTR pwszName = ToUnicode(lpName);
CheckSecurityAttributes(lpSecurityAttributes, L"CreateMailslot", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateMailslotA)(lpName, nMaxMessageSize, lReadTimeout, lpSecurityAttributes);}
HANDLE APIHOOK(CreateMailslotW)( LPCWSTR lpName, // mailslot name
DWORD nMaxMessageSize, // maximum message size
DWORD lReadTimeout, // read time-out interval
LPSECURITY_ATTRIBUTES lpSecurityAttributes // inheritance option
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateMailslot", L"lpSecurityAttributes", lpName); return ORIGINAL_API(CreateMailslotW)(lpName, nMaxMessageSize, lReadTimeout, lpSecurityAttributes);}
HANDLE APIHOOK(CreateNamedPipeA)( LPCSTR lpName, // pipe name
DWORD dwOpenMode, // pipe open mode
DWORD dwPipeMode, // pipe-specific modes
DWORD nMaxInstances, // maximum number of instances
DWORD nOutBufferSize, // output buffer size
DWORD nInBufferSize, // input buffer size
DWORD nDefaultTimeOut, // time-out interval
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ LPWSTR pwszName = ToUnicode(lpName);
CheckSecurityAttributes(lpSecurityAttributes, L"CreateNamedPipe", L"lpSecurityAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateNamedPipeA)(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize, nInBufferSize, nDefaultTimeOut, lpSecurityAttributes);}
HANDLE APIHOOK(CreateNamedPipeW)( LPCWSTR lpName, // pipe name
DWORD dwOpenMode, // pipe open mode
DWORD dwPipeMode, // pipe-specific modes
DWORD nMaxInstances, // maximum number of instances
DWORD nOutBufferSize, // output buffer size
DWORD nInBufferSize, // input buffer size
DWORD nDefaultTimeOut, // time-out interval
LPSECURITY_ATTRIBUTES lpSecurityAttributes // SD
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateNamedPipe", L"lpSecurityAttributes", lpName); return ORIGINAL_API(CreateNamedPipeW)(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize, nInBufferSize, nDefaultTimeOut, lpSecurityAttributes);}
BOOL APIHOOK(CreatePipe)( PHANDLE hReadPipe, // read handle
PHANDLE hWritePipe, // write handle
LPSECURITY_ATTRIBUTES lpPipeAttributes, // security attributes
DWORD nSize // pipe size
){ CheckSecurityAttributes(lpPipeAttributes, L"CreatePipe", L"lpPipeAttributes", L"Unnamed pipe"); return ORIGINAL_API(CreatePipe)(hReadPipe, hWritePipe, lpPipeAttributes, nSize);}
HANDLE APIHOOK(CreateMutexA)( LPSECURITY_ATTRIBUTES lpMutexAttributes, // SD
BOOL bInitialOwner, // initial owner
LPCSTR lpName // object name
){ LPWSTR pwszName = ToUnicode(lpName);
CheckSecurityAttributes(lpMutexAttributes, L"CreateMutex", L"lpMutexAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateMutexA)(lpMutexAttributes, bInitialOwner, lpName);}
HANDLE APIHOOK(CreateMutexW)( LPSECURITY_ATTRIBUTES lpMutexAttributes, // SD
BOOL bInitialOwner, // initial owner
LPCWSTR lpName // object name
){ CheckSecurityAttributes(lpMutexAttributes, L"CreateMutex", L"lpMutexAttributes", lpName); return ORIGINAL_API(CreateMutexW)(lpMutexAttributes, bInitialOwner, lpName);}
HANDLE APIHOOK(CreateSemaphoreA)( LPSECURITY_ATTRIBUTES lpSemaphoreAttributes, // SD
LONG lInitialCount, // initial count
LONG lMaximumCount, // maximum count
LPCSTR lpName // object name
){ LPWSTR pwszName = ToUnicode(lpName);
CheckSecurityAttributes(lpSemaphoreAttributes, L"CreateSemaphore", L"lpSemaphoreAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateSemaphoreA)(lpSemaphoreAttributes, lInitialCount, lMaximumCount, lpName);}
HANDLE APIHOOK(CreateSemaphoreW)( LPSECURITY_ATTRIBUTES lpSemaphoreAttributes, // SD
LONG lInitialCount, // initial count
LONG lMaximumCount, // maximum count
LPCWSTR lpName // object name
){ CheckSecurityAttributes(lpSemaphoreAttributes, L"CreateSemaphore", L"lpSemaphoreAttributes", lpName); return ORIGINAL_API(CreateSemaphoreW)(lpSemaphoreAttributes, lInitialCount, lMaximumCount, lpName);}
HANDLEAPIHOOK(CreateWaitableTimerA)( IN LPSECURITY_ATTRIBUTES lpTimerAttributes, IN BOOL bManualReset, IN LPCSTR lpTimerName ){ LPWSTR pwszName = ToUnicode(lpTimerName);
CheckSecurityAttributes(lpTimerAttributes, L"CreateWaitableTimer", L"lpTimerAttributes", pwszName);
if (pwszName) { free(pwszName); pwszName = NULL; } return ORIGINAL_API(CreateWaitableTimerA)(lpTimerAttributes, bManualReset, lpTimerName);}
HANDLEAPIHOOK(CreateWaitableTimerW)( IN LPSECURITY_ATTRIBUTES lpTimerAttributes, IN BOOL bManualReset, IN LPCWSTR lpTimerName ){ CheckSecurityAttributes(lpTimerAttributes, L"CreateWaitableTimer", L"lpTimerAttributes", lpTimerName); return ORIGINAL_API(CreateWaitableTimerW)(lpTimerAttributes, bManualReset, lpTimerName);}
#if 0
LONG WINAPI APIHOOK(ClusterRegCreateKey)( HKEY hKey, LPCWSTR lpszSubKey, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition ){ CheckSecurityAttributes(lpSecurityAttributes, L"ClusterRegCreateKey", L"lpSecurityAttributes"); return ORIGINAL_API(ClusterRegCreateKey)(hKey, lpszSubKey, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);}
DWORD WINAPI APIHOOK(CreateNtmsMediaPoolA)( HANDLE hSession, LPCSTR lpPoolName, LPNTMS_GUID lpMediaType, DWORD dwAction, LPSECURITY_ATTRIBUTES lpSecurityAttributes, LPNTMS_GUID lpPoolId // OUT
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateNtmsMediaPool", L"lpSecurityAttributes"); return ORIGINAL_API(CreateNtmsMediaPoolA)(hSession, lpPoolName, lpMediaType, dwAction, lpSecurityAttributes, lpPoolId);
}
DWORD WINAPI APIHOOK(CreateNtmsMediaPoolW)( HANDLE hSession, LPCWSTR lpPoolName, LPNTMS_GUID lpMediaType, DWORD dwAction, LPSECURITY_ATTRIBUTES lpSecurityAttributes, LPNTMS_GUID lpPoolId // OUT
){ CheckSecurityAttributes(lpSecurityAttributes, L"CreateNtmsMediaPool", L"lpSecurityAttributes"); return ORIGINAL_API(CreateNtmsMediaPoolW)(hSession, lpPoolName, lpMediaType, dwAction, lpSecurityAttributes, lpPoolId);}
#endif
SHIM_INFO_BEGIN()
SHIM_INFO_DESCRIPTION(AVS_SECURITYCHECKS_DESC) SHIM_INFO_FRIENDLY_NAME(AVS_SECURITYCHECKS_FRIENDLY) SHIM_INFO_FLAGS(0) SHIM_INFO_GROUPS(0) SHIM_INFO_VERSION(2, 3) SHIM_INFO_INCLUDE_EXCLUDE("I:*")
SHIM_INFO_END()
/*++
Register hooked functions.
--*/HOOK_BEGIN
if (fdwReason == DLL_PROCESS_ATTACH) { DWORD dwSize;
InitWorldSid();
dwSize = GetSystemWindowsDirectoryW(g_wszWinDir, ARRAYSIZE(g_wszWinDir)); if (dwSize == 0 || dwSize > ARRAYSIZE(g_wszWinDir)) { g_wszWinDir[0] = 0; } g_dwWinDirLen = wcslen(g_wszWinDir); }
DUMP_VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_BADARGUMENTS, AVS_SECURITYCHECKS_BADARGUMENTS, AVS_SECURITYCHECKS_BADARGUMENTS_R, AVS_SECURITYCHECKS_BADARGUMENTS_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_WINEXEC, AVS_SECURITYCHECKS_WINEXEC, AVS_SECURITYCHECKS_WINEXEC_R, AVS_SECURITYCHECKS_WINEXEC_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_NULL_DACL, AVS_SECURITYCHECKS_NULL_DACL, AVS_SECURITYCHECKS_NULL_DACL_R, AVS_SECURITYCHECKS_NULL_DACL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_SECURITYCHECKS_WORLDWRITE_DACL, AVS_SECURITYCHECKS_WORLDWRITE_DACL, AVS_SECURITYCHECKS_WORLDWRITE_DACL_R, AVS_SECURITYCHECKS_WORLDWRITE_DACL_URL)
APIHOOK_ENTRY(KERNEL32.DLL, CreateProcessA) APIHOOK_ENTRY(KERNEL32.DLL, CreateProcessW) APIHOOK_ENTRY(ADVAPI32.DLL, CreateProcessAsUserA) APIHOOK_ENTRY(ADVAPI32.DLL, CreateProcessAsUserW) APIHOOK_ENTRY(KERNEL32.DLL, WinExec)
APIHOOK_ENTRY(KERNEL32.DLL, CreateFileA) APIHOOK_ENTRY(KERNEL32.DLL, CreateFileW) APIHOOK_ENTRY(USER32.DLL, CreateDesktopA) APIHOOK_ENTRY(USER32.DLL, CreateDesktopW) APIHOOK_ENTRY(USER32.DLL, CreateWindowStationA) APIHOOK_ENTRY(USER32.DLL, CreateWindowStationW)
APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyExW) APIHOOK_ENTRY(ADVAPI32.DLL, RegSaveKeyA) APIHOOK_ENTRY(ADVAPI32.DLL, RegSaveKeyW) APIHOOK_ENTRY(ADVAPI32.DLL, RegSaveKeyExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegSaveKeyExW)
APIHOOK_ENTRY(KERNEL32.DLL, CreateFileMappingA) APIHOOK_ENTRY(KERNEL32.DLL, CreateFileMappingW) APIHOOK_ENTRY(KERNEL32.DLL, CreateJobObjectA) APIHOOK_ENTRY(KERNEL32.DLL, CreateJobObjectW) APIHOOK_ENTRY(KERNEL32.DLL, CreateThread) APIHOOK_ENTRY(KERNEL32.DLL, CreateRemoteThread) APIHOOK_ENTRY(KERNEL32.DLL, CreateDirectoryA) APIHOOK_ENTRY(KERNEL32.DLL, CreateDirectoryW) APIHOOK_ENTRY(KERNEL32.DLL, CreateDirectoryExA) APIHOOK_ENTRY(KERNEL32.DLL, CreateDirectoryExW) APIHOOK_ENTRY(KERNEL32.DLL, CreateHardLinkA) APIHOOK_ENTRY(KERNEL32.DLL, CreateHardLinkW) APIHOOK_ENTRY(KERNEL32.DLL, CreateMailslotA) APIHOOK_ENTRY(KERNEL32.DLL, CreateMailslotW) APIHOOK_ENTRY(KERNEL32.DLL, CreateNamedPipeA) APIHOOK_ENTRY(KERNEL32.DLL, CreateNamedPipeW) APIHOOK_ENTRY(KERNEL32.DLL, CreatePipe) APIHOOK_ENTRY(KERNEL32.DLL, CreateMutexA) APIHOOK_ENTRY(KERNEL32.DLL, CreateMutexW) APIHOOK_ENTRY(KERNEL32.DLL, CreateSemaphoreA) APIHOOK_ENTRY(KERNEL32.DLL, CreateSemaphoreW) APIHOOK_ENTRY(KERNEL32.DLL, CreateWaitableTimerA) APIHOOK_ENTRY(KERNEL32.DLL, CreateWaitableTimerW)
HOOK_END
IMPLEMENT_SHIM_END
|
