mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
153 lines
3.9 KiB
153 lines
3.9 KiB
#include "priv.h"
|
|
#include <wintrust.h>
|
|
#include "wvtp.h"
|
|
|
|
#define WINTRUST TEXT("wintrust.dll")
|
|
|
|
#ifdef DELAY_LOAD_WVT
|
|
|
|
#ifndef _WVTP_NOCODE_
|
|
Cwvt::Cwvt()
|
|
{
|
|
m_fInited = FALSE;
|
|
}
|
|
|
|
Cwvt::~Cwvt()
|
|
{
|
|
if (m_fInited) {
|
|
FreeLibrary(m_hMod);
|
|
}
|
|
}
|
|
|
|
HRESULT
|
|
Cwvt::Init(void)
|
|
{
|
|
|
|
if (m_fInited) {
|
|
return S_OK;
|
|
}
|
|
|
|
m_hMod = LoadLibrary( WINTRUST );
|
|
|
|
if (NULL == m_hMod) {
|
|
return (HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND));
|
|
}
|
|
|
|
|
|
#define CHECKAPI(_fn) \
|
|
*(FARPROC*)&(_pfn##_fn) = GetProcAddress(m_hMod, #_fn); \
|
|
if (!(_pfn##_fn)) { \
|
|
FreeLibrary(m_hMod); \
|
|
return (HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND)); \
|
|
}
|
|
|
|
CHECKAPI(WinVerifyTrust);
|
|
|
|
m_fInited = TRUE;
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
#endif // _WVTP_NOCODE_
|
|
#endif // DELAY_LOAD_WVT
|
|
|
|
#define REGSTR_PATH_INFODEL_REST TEXT("Software\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions")
|
|
#define REGSTR_PATH_DOWNLOAD TEXT("Software\\Microsoft\\Internet Explorer\\Download")
|
|
#define REGVAL_UI_REST TEXT("NoWinVerifyTrustUI")
|
|
|
|
BOOL
|
|
IsUIRestricted()
|
|
{
|
|
|
|
HKEY hkeyRest = 0;
|
|
BOOL bUIRest = FALSE;
|
|
DWORD dwValue = 0;
|
|
DWORD dwLen = sizeof(DWORD);
|
|
|
|
// per-machine UI off policy
|
|
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, REGSTR_PATH_INFODEL_REST, 0, KEY_READ, &hkeyRest) == ERROR_SUCCESS) {
|
|
|
|
if (RegQueryValueEx( hkeyRest, REGVAL_UI_REST, NULL, NULL,
|
|
(LPBYTE)&dwValue, &dwLen) == ERROR_SUCCESS && dwValue)
|
|
bUIRest = TRUE;
|
|
|
|
RegCloseKey(hkeyRest);
|
|
}
|
|
|
|
return bUIRest;
|
|
}
|
|
|
|
// FEATURE: move these to corpolicy.h in iedev\inc!!!
|
|
// {D41E4F1F-A407-11d1-8BC9-00C04FA30A41}
|
|
#define COR_POLICY_LOCKDOWN_CHECK \
|
|
{ 0xd41e4f1f, 0xa407, 0x11d1, {0x8b, 0xc9, 0x0, 0xc0, 0x4f, 0xa3, 0xa, 0x41 } }
|
|
|
|
//--------------------------------------------------------------------
|
|
// For COR_POLICY_LOCKDOWN_CHECK:
|
|
// -----------------------------
|
|
|
|
// Structure to pass into WVT
|
|
typedef struct _COR_LOCKDOWN {
|
|
DWORD cbSize; // Size of policy provider
|
|
DWORD flag; // reserved
|
|
BOOL fAllPublishers; // Trust all publishers or just ones in the trusted data base
|
|
} COR_LOCKDOWN, *PCOR_LOCKDOWN;
|
|
|
|
|
|
HRESULT Cwvt::VerifyTrust(HANDLE hFile, HWND hWnd, LPCWSTR szStatusText)
|
|
{
|
|
WINTRUST_DATA sWTD;
|
|
WINTRUST_FILE_INFO sWTFI;
|
|
|
|
GUID gV2 = COR_POLICY_LOCKDOWN_CHECK;
|
|
COR_LOCKDOWN sCorPolicy;
|
|
|
|
HRESULT hr = S_OK;
|
|
|
|
memset(&sCorPolicy, 0, sizeof(COR_LOCKDOWN));
|
|
|
|
sCorPolicy.cbSize = sizeof(COR_LOCKDOWN);
|
|
|
|
if ( (hWnd == INVALID_HANDLE_VALUE) || IsUIRestricted())
|
|
sCorPolicy.fAllPublishers = FALSE; // lockdown to only trusted pubs
|
|
else
|
|
sCorPolicy.fAllPublishers = TRUE; // regular behavior
|
|
|
|
// Set up the winverify provider structures
|
|
memset(&sWTD, 0x00, sizeof(WINTRUST_DATA));
|
|
memset(&sWTFI, 0x00, sizeof(WINTRUST_FILE_INFO));
|
|
|
|
sWTFI.cbStruct = sizeof(WINTRUST_FILE_INFO);
|
|
sWTFI.hFile = hFile;
|
|
sWTFI.pcwszFilePath = szStatusText;
|
|
|
|
sWTD.cbStruct = sizeof(WINTRUST_DATA);
|
|
sWTD.pPolicyCallbackData = &sCorPolicy; // Add in the cor trust information!!
|
|
|
|
//check policy to find out if we should display UI
|
|
|
|
if (SHRegGetBoolUSValue(REGSTR_PATH_DOWNLOAD, TEXT("CheckExeSignatures"),FALSE, FALSE))
|
|
{
|
|
sWTD.dwUIChoice = WTD_UI_ALL; // No bad UI is overridden in COR TRUST provider
|
|
sWTD.dwUnionChoice = WTD_CHOICE_FILE;
|
|
sWTD.pFile = &sWTFI;
|
|
|
|
ULONG_PTR uCookie = 0;
|
|
SHActivateContext(&uCookie);
|
|
|
|
hr = WinVerifyTrust(hWnd, &gV2, &sWTD);
|
|
|
|
if (uCookie)
|
|
{
|
|
SHDeactivateContext(uCookie);
|
|
}
|
|
|
|
// APPCOMPAT: this works around a wvt bug that returns 0x57 (success) when
|
|
// you hit No to an usigned control
|
|
if (SUCCEEDED(hr) && hr != S_OK) {
|
|
hr = TRUST_E_FAIL;
|
|
}
|
|
}
|
|
|
|
return hr;
|
|
}
|