Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

241 lines
5.9 KiB

/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
DerandomizeExeName.cpp
Abstract:
See markder
History:
10/13/1999 markder created.
05/16/2000 robkenny Check for memory alloc failure.
03/12/2001 robkenny Converted to CString
--*/
#include "precomp.h"
IMPLEMENT_SHIM_BEGIN(DeRandomizeExeName)
#include "ShimHookMacro.h"
APIHOOK_ENUM_BEGIN
APIHOOK_ENUM_ENTRY(CreateProcessA)
APIHOOK_ENUM_END
CString * g_csFilePattern = NULL;
CString * g_csNewFileName = NULL;
BOOL
APIHOOK(CreateProcessA)(
LPCSTR lpApplicationName, // name of executable module
LPSTR lpCommandLine, // command line string
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles, // handle inheritance flag
DWORD dwCreationFlags, // creation flags
LPVOID lpEnvironment, // new environment block
LPCSTR lpCurrentDirectory, // current directory name
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
)
{
CSTRING_TRY
{
AppAndCommandLine appAndCommandLine(lpApplicationName, lpCommandLine);
const CString & csOrigAppName = appAndCommandLine.GetApplicationName();
CString fileName;
//
// Grab the filename portion of the string only.
//
csOrigAppName.GetLastPathComponent(fileName);
BOOL bMatchesPattern = fileName.PatternMatch(*g_csFilePattern);
if (bMatchesPattern)
{
//
// Replace the randomized app name with the specified name
//
CString csNewAppName(csOrigAppName);
csNewAppName.Replace(fileName, *g_csNewFileName);
//
// Copy the exe to the specified name.
//
if (CopyFileW(csOrigAppName.Get(), csNewAppName.Get(), FALSE))
{
LOGN(
eDbgLevelInfo,
"[CreateProcessA] Derandomized pathname from (%S) to (%S)",
csOrigAppName.Get(), csNewAppName.Get());
//
// Mark the file for deletion after we reboot,
// otherwise the file will never get removed.
//
MoveFileExW(csNewAppName.Get(), NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
//
// We have successfully copied the exe to a new file with the specified name
// it is now safe to replace the lpApplicationName to our new file.
//
return ORIGINAL_API(CreateProcessA) (
csNewAppName.GetAnsi(),
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
}
}
}
CSTRING_CATCH
{
// Fall through
}
return ORIGINAL_API(CreateProcessA) (
lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
}
#if TEST_MATCH
void
TestMatch(
const char* a,
const char* b
)
{
BOOL bMatch = PatternMatchA(a, b);
if (bMatch)
{
DPFN(
eDbgLevelSpew,
"[TestMatch] (%s) == (%s)\n", a, b);
}
else
{
DPFN(
eDbgLevelSpew,
"[TestMatch] (%s) != (%s)\n", a, b);
}
}
void TestLots()
{
TestMatch("", "");
TestMatch("", "ABC");
TestMatch("*", "");
TestMatch("?", "");
TestMatch("abc", "ABC");
TestMatch("?", "ABC");
TestMatch("?bc", "ABC");
TestMatch("a?c", "ABC");
TestMatch("ab?", "ABC");
TestMatch("a??", "ABC");
TestMatch("?b?", "ABC");
TestMatch("??c", "ABC");
TestMatch("???", "ABC");
TestMatch("*", "ABC");
TestMatch("*.", "ABC");
TestMatch("*.", "ABC.");
TestMatch("*.?", "ABC.");
TestMatch("??*", "ABC");
TestMatch("*??", "ABC");
TestMatch("ABC", "ABC");
TestMatch(".*", "ABC");
TestMatch("?*", "ABC");
TestMatch("???*", "ABC");
TestMatch("*.txt", "ABC.txt");
TestMatch("*.txt", ".txt");
TestMatch("*.txt", ".abc");
TestMatch("*.txt", "txt.abc");
TestMatch("***", "");
TestMatch("***", "a");
TestMatch("***", "ab");
TestMatch("***", "abc");
}
#endif
BOOL
ParseCommandLine(void)
{
CSTRING_TRY
{
CStringToken csTok(COMMAND_LINE, ";");
g_csFilePattern = new CString;
g_csNewFileName = new CString;
if (g_csFilePattern &&
g_csNewFileName &&
csTok.GetToken(*g_csFilePattern) &&
csTok.GetToken(*g_csNewFileName))
{
return TRUE;
}
}
CSTRING_CATCH
{
// Do nothing
}
LOGN(
eDbgLevelError,
"[ParseCommandLine] Illegal command line");
return FALSE;
}
BOOL
NOTIFY_FUNCTION(
DWORD fdwReason
)
{
if (fdwReason == DLL_PROCESS_ATTACH)
{
#if TEST_MATCH
TestLots();
#endif
return ParseCommandLine();
}
return TRUE;
}
HOOK_BEGIN
CALL_NOTIFY_FUNCTION
APIHOOK_ENTRY(KERNEL32.DLL, CreateProcessA)
HOOK_END
IMPLEMENT_SHIM_END