newlib-cygwin/winsup/utils/bloda.cc

411 lines
13 KiB
C++
Raw Normal View History

/* bloda.cc
Copyright 2007 Red Hat, Inc.
This file is part of Cygwin.
This software is a copyrighted work licensed under the terms of the
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
details. */
#define cygwin_internal cygwin_internal_dontuse
#include <stdio.h>
#include <assert.h>
#include <windows.h>
#include <ntdef.h>
#include <ddk/ntstatus.h>
#include <ddk/ntapi.h>
#undef cygwin_internal
#undef DEBUGGING
#ifdef DEBUGGING
#define dbg_printf(ARGS) printf ARGS ; fflush (NULL)
#else /* !DEBUGGING */
#define dbg_printf(ARGS) do { } while (0)
#endif /* ?DEBUGGING */
/* This module detects applications from the Big List of Dodgy Apps,
a list of applications that have at some given time been shown to
interfere with the operation of cygwin. It detects the presence of
applications on the system by looking for any of four traces an
installation might leave: 1) registry keys, 2) files on disk
3) running executables 4) loaded dlls or drivers.
At the time of writing, the BLODA amounts to:-
Sonic Solutions burning software containing DLA component
Norton/MacAffee/Symantec antivirus or antispyware
Logitech webcam software with "Logitech process monitor" service
Kerio, Agnitum or ZoneAlarm Personal Firewall
Iolo System Mechanic/AntiVirus/Firewall
LanDesk
Windows Defender
Embassy Trust Suite fingerprint reader software containing wxvault.dll
*/
enum bad_app
{
SONIC, NORTON, MACAFFEE, SYMANTEC,
LOGITECH, KERIO, AGNITUM, ZONEALARM,
IOLO, LANDESK, WINDEFENDER, EMBASSYTS
};
struct bad_app_info
{
enum bad_app app_id;
const char *details;
char found_it;
};
enum bad_app_det_method
{
HKLMKEY, HKCUKEY, FILENAME, PROCESSNAME, HOOKDLLNAME
};
struct bad_app_det
{
enum bad_app_det_method type;
const char *param;
enum bad_app app;
};
static const struct bad_app_det dodgy_app_detects[] =
{
{ PROCESSNAME, "dlactrlw.exe", SONIC },
{ HOOKDLLNAME, "wxvault.dll", EMBASSYTS },
{ HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\vsdatant", ZONEALARM },
{ FILENAME, "%windir%\\System32\\vsdatant.sys", ZONEALARM },
{ HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\lvprcsrv", LOGITECH },
{ PROCESSNAME, "LVPrcSrv.exe", LOGITECH },
{ FILENAME, "%programfiles%\\common files\\logitech\\lvmvfm\\LVPrcSrv.exe", LOGITECH },
};
static const size_t num_of_detects = sizeof (dodgy_app_detects) / sizeof (dodgy_app_detects[0]);
static struct bad_app_info big_list_of_dodgy_apps[] =
{
{ SONIC, "Sonic Solutions burning software containing DLA component" },
{ NORTON, "Norton antivirus or antispyware software" },
{ MACAFFEE, "Macaffee antivirus or antispyware software" },
{ SYMANTEC, "Symantec antivirus or antispyware software" },
{ LOGITECH, "Logitech Process Monitor service" },
{ KERIO, "Kerio Personal Firewall" },
{ AGNITUM, "Agnitum Personal Firewall" },
{ ZONEALARM, "ZoneAlarm Personal Firewall" },
{ IOLO, "Iolo System Mechanic/AntiVirus/Firewall software" },
{ LANDESK, "Landesk" },
{ WINDEFENDER, "Windows Defender" },
{ EMBASSYTS, "Embassy Trust Suite fingerprint reader software containing wxvault.dll" },
};
static const size_t num_of_dodgy_apps = sizeof (big_list_of_dodgy_apps) / sizeof (big_list_of_dodgy_apps[0]);
/* This function is not in the ntdll export lib, so it has
to be looked up at runtime and called through a pointer. */
VOID NTAPI (*pRtlFreeUnicodeString)(PUNICODE_STRING) = NULL;
static PSYSTEM_PROCESSES
get_process_list (void)
{
int n_procs = 0x100;
PSYSTEM_PROCESSES pslist = (PSYSTEM_PROCESSES) malloc (n_procs * sizeof *pslist);
while (NtQuerySystemInformation (SystemProcessesAndThreadsInformation,
pslist, n_procs * sizeof *pslist, 0) == STATUS_INFO_LENGTH_MISMATCH)
{
n_procs *= 2;
free (pslist);
pslist = (PSYSTEM_PROCESSES) malloc (n_procs * sizeof *pslist);
}
return pslist;
}
static PSYSTEM_MODULE_INFORMATION
get_module_list (void)
{
int modsize = 0x1000;
PSYSTEM_MODULE_INFORMATION modlist = (PSYSTEM_MODULE_INFORMATION) malloc (modsize);
while (NtQuerySystemInformation (SystemModuleInformation,
modlist, modsize, NULL) == STATUS_INFO_LENGTH_MISMATCH)
{
modsize *= 2;
free (modlist);
modlist = (PSYSTEM_MODULE_INFORMATION) malloc (modsize);
}
return modlist;
}
static bool
find_process_in_list (PSYSTEM_PROCESSES pslist, PUNICODE_STRING psname)
{
while (1)
{
if (pslist->ProcessName.Length && pslist->ProcessName.Buffer)
{
dbg_printf (("%S\n", pslist->ProcessName.Buffer));
if (!_wcsicmp (pslist->ProcessName.Buffer, psname->Buffer))
return true;
}
if (!pslist->NextEntryDelta)
break;
pslist = (PSYSTEM_PROCESSES)(pslist->NextEntryDelta + (char *)pslist);
};
return false;
}
static bool
find_module_in_list (PSYSTEM_MODULE_INFORMATION modlist, const char * const modname)
{
PSYSTEM_MODULE_INFORMATION_ENTRY modptr = &modlist->Module[0];
DWORD count = modlist->Count;
while (count--)
{
dbg_printf (("name '%s' offset %d ", &modptr->ImageName[0], modptr->PathLength));
dbg_printf (("= '%s'\n", &modptr->ImageName[modptr->PathLength]));
if (!_stricmp (&modptr->ImageName[modptr->PathLength], modname))
return true;
modptr++;
}
return false;
}
static bool
expand_path (const char *path, char *outbuf)
{
char *dst = outbuf;
const char *end, *envval;
char envvar[MAX_PATH];
size_t len;
while ((dst - outbuf) < MAX_PATH)
{
if (*path != '%')
{
if ((*dst++ = *path++) != 0)
continue;
break;
}
/* Expand an environ var. */
end = path + 1;
while (*end != '%')
{
/* Watch out for unterminated % */
if (*end++ == 0)
{
end = NULL;
break;
}
}
/* If we didn't find the end, can't expand it. */
if ((end == NULL) || (end == (path + 1)))
{
/* Unterminated % so copy verbatim. */
*dst++ = *path++;
continue;
}
/* Expand the environment var into the new path. */
if ((end - (path + 1)) >= MAX_PATH)
return -1;
memcpy (envvar, path + 1, end - (path + 1));
envvar[end - (path + 1)] = 0;
envval = getenv (envvar);
/* If not found, copy env var name verbatim. */
if (envval == NULL)
{
*dst++ = *path++;
continue;
}
/* Check enough room before copying. */
len = strlen (envval);
if ((dst + len - outbuf) >= MAX_PATH)
return false;
memcpy (dst, envval, len);
dst += len;
/* And carry on past the end of env var name. */
path = end + 1;
}
return (dst - outbuf) < MAX_PATH;
}
static bool
detect_dodgy_app (const struct bad_app_det *det, PSYSTEM_PROCESSES pslist, PSYSTEM_MODULE_INFORMATION modlist)
{
HANDLE fh;
HKEY hk;
UNICODE_STRING unicodename;
ANSI_STRING ansiname;
NTSTATUS rv;
bool found;
char expandedname[MAX_PATH];
switch (det->type)
{
case HKLMKEY:
dbg_printf (("Detect reg key hklm '%s'... ", det->param));
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS)
{
RegCloseKey (hk);
dbg_printf (("found!\n"));
return true;
}
break;
case HKCUKEY:
dbg_printf (("Detect reg key hkcu '%s'... ", det->param));
if (RegOpenKeyEx (HKEY_CURRENT_USER, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS)
{
RegCloseKey (hk);
dbg_printf (("found!\n"));
return true;
}
break;
case FILENAME:
dbg_printf (("Detect filename '%s'... ", det->param));
if (!expand_path (det->param, expandedname))
{
printf ("Expansion failure!\n");
break;
}
dbg_printf (("('%s' after expansion)... ", expandedname));
fh = CreateFile (expandedname, 0, FILE_SHARE_READ | FILE_SHARE_WRITE
| FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
if (fh != INVALID_HANDLE_VALUE)
{
CloseHandle (fh);
dbg_printf (("found!\n"));
return true;
}
break;
case PROCESSNAME:
dbg_printf (("Detect proc name '%s'... ", det->param));
/* Equivalent of RtlInitAnsiString. */
ansiname.Length = ansiname.MaximumLength = strlen (det->param);
ansiname.Buffer = (CHAR *) det->param;
rv = RtlAnsiStringToUnicodeString (&unicodename, &ansiname, TRUE);
if (rv != STATUS_SUCCESS)
{
printf ("Ansi to unicode conversion failure $%08x\n", (unsigned int) rv);
break;
}
found = find_process_in_list (pslist, &unicodename);
if (!pRtlFreeUnicodeString)
pRtlFreeUnicodeString = (VOID NTAPI (*)(PUNICODE_STRING)) GetProcAddress (LoadLibrary ("ntdll.dll"), "RtlFreeUnicodeString");
if (pRtlFreeUnicodeString)
pRtlFreeUnicodeString (&unicodename);
else
printf ("leaking mem...oops\n");
if (found)
{
dbg_printf (("found!\n"));
return true;
}
break;
case HOOKDLLNAME:
dbg_printf (("Detect hookdll '%s'... ", det->param));
if (find_module_in_list (modlist, det->param))
{
dbg_printf (("found!\n"));
return true;
}
break;
}
dbg_printf (("not found.\n"));
return false;
}
static struct bad_app_info *
find_dodgy_app_info (enum bad_app which_app)
{
size_t i;
for (i = 0; i < num_of_dodgy_apps; i++)
{
if (big_list_of_dodgy_apps[i].app_id == which_app)
return &big_list_of_dodgy_apps[i];
}
return NULL;
}
/* External entrypoint called from cygcheck.cc/dump_sysinfo. */
void
dump_dodgy_apps (int verbose)
{
size_t i, n_det = 0;
PSYSTEM_PROCESSES pslist;
PSYSTEM_MODULE_INFORMATION modlist;
/* Read system info for detect testing. */
pslist = get_process_list ();
modlist = get_module_list ();
/* Go with builtin list for now; later may enhance to
read dodgy apps from a file or download from an URL. */
for (i = 0; i < num_of_dodgy_apps; i++)
{
big_list_of_dodgy_apps[i].found_it = false;
}
for (i = 0; i < num_of_detects; i++)
{
const struct bad_app_det *det = &dodgy_app_detects[i];
struct bad_app_info *found = find_dodgy_app_info (det->app);
bool detected = detect_dodgy_app (det, pslist, modlist);
/* Not found would mean we coded the lists bad. */
assert (found);
if (detected)
{
++n_det;
found->found_it |= (1 << det->type);
}
}
if (n_det)
{
printf ("\nPotential app conflicts:\n\n");
for (i = 0; i < num_of_dodgy_apps; i++)
{
if (big_list_of_dodgy_apps[i].found_it)
{
printf ("%s%s", big_list_of_dodgy_apps[i].details,
verbose ? "\nDetected: " : ".\n");
if (!verbose)
continue;
const char *sep = "";
if (big_list_of_dodgy_apps[i].found_it & (1 << HKLMKEY))
{
printf ("HKLM Registry Key");
sep = ", ";
}
if (big_list_of_dodgy_apps[i].found_it & (1 << HKCUKEY))
{
printf ("%sHKCU Registry Key", sep);
sep = ", ";
}
if (big_list_of_dodgy_apps[i].found_it & (1 << FILENAME))
{
printf ("%sNamed file", sep);
sep = ", ";
}
if (big_list_of_dodgy_apps[i].found_it & (1 << PROCESSNAME))
{
printf ("%sNamed process", sep);
sep = ", ";
}
if (big_list_of_dodgy_apps[i].found_it & (1 << HOOKDLLNAME))
{
printf ("%sLoaded hook DLL", sep);
}
printf (".\n\n");
}
}
}
/* Tidy up allocations. */
free (pslist);
free (modlist);
}