/* bloda.cc This file is part of Cygwin. This software is a copyrighted work licensed under the terms of the Cygwin license. Please consult the file "CYGWIN_LICENSE" for details. */ #define cygwin_internal cygwin_internal_dontuse #include #include #define WIN32_NO_STATUS /* Disable status codes in winnt.h since we include ntstatus.h for extended status codes below. */ #include #undef WIN32_NO_STATUS #define PSAPI_VERSION 1 #include #include #include #undef cygwin_internal #undef DEBUGGING #ifdef DEBUGGING #define dbg_printf(ARGS) printf ARGS ; fflush (NULL) #else /* !DEBUGGING */ #define dbg_printf(ARGS) do { } while (0) #endif /* ?DEBUGGING */ /* This module detects applications from the Big List of Dodgy Apps, a list of applications that have at some given time been shown to interfere with the operation of cygwin. It detects the presence of applications on the system by looking for any of four traces an installation might leave: 1) registry keys, 2) files on disk 3) running executables 4) loaded dlls or drivers. At the time of writing, the BLODA amounts to:- Sonic Solutions burning software containing DLA component Norton/MacAffee/Symantec antivirus or antispyware Logitech webcam software with "Logitech process monitor" service Kerio, Agnitum or ZoneAlarm Personal Firewall Iolo System Mechanic/AntiVirus/Firewall LanDesk Windows Defender Embassy Trust Suite fingerprint reader software containing wxvault.dll ByteMobile laptop optimization client A live version is now being maintained in the Cygwin FAQ, at http://cygwin.com/faq/faq.using.html#faq.using.bloda */ enum bad_app { SONIC, NORTON, MACAFFEE, SYMANTEC, LOGITECH, KERIO, AGNITUM, ZONEALARM, IOLO, LANDESK, WINDEFENDER, EMBASSYTS, BYTEMOBILE }; struct bad_app_info { enum bad_app app_id; const char *details; char found_it; }; enum bad_app_det_method { HKLMKEY, HKCUKEY, FILENAME, PROCESSNAME, HOOKDLLNAME }; struct bad_app_det { enum bad_app_det_method type; const char *param; enum bad_app app; }; static const struct bad_app_det dodgy_app_detects[] = { { PROCESSNAME, "dlactrlw.exe", SONIC }, { HOOKDLLNAME, "wxvault.dll", EMBASSYTS }, { HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\vsdatant", ZONEALARM }, { FILENAME, "%windir%\\System32\\vsdatant.sys", ZONEALARM }, { HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\lvprcsrv", LOGITECH }, { PROCESSNAME, "LVPrcSrv.exe", LOGITECH }, { FILENAME, "%programfiles%\\common files\\logitech\\lvmvfm\\LVPrcSrv.exe", LOGITECH }, { FILENAME, "%windir%\\System32\\bmnet.dll", BYTEMOBILE }, }; static const size_t num_of_detects = sizeof (dodgy_app_detects) / sizeof (dodgy_app_detects[0]); static struct bad_app_info big_list_of_dodgy_apps[] = { { SONIC, "Sonic Solutions burning software containing DLA component" }, { NORTON, "Norton antivirus or antispyware software" }, { MACAFFEE, "Macaffee antivirus or antispyware software" }, { SYMANTEC, "Symantec antivirus or antispyware software" }, { LOGITECH, "Logitech Process Monitor service" }, { KERIO, "Kerio Personal Firewall" }, { AGNITUM, "Agnitum Personal Firewall" }, { ZONEALARM, "ZoneAlarm Personal Firewall" }, { IOLO, "Iolo System Mechanic/AntiVirus/Firewall software" }, { LANDESK, "Landesk" }, { WINDEFENDER, "Windows Defender" }, { EMBASSYTS, "Embassy Trust Suite fingerprint reader software containing wxvault.dll" }, { BYTEMOBILE, "ByteMobile laptop optimization client" }, }; static const size_t num_of_dodgy_apps = sizeof (big_list_of_dodgy_apps) / sizeof (big_list_of_dodgy_apps[0]); struct system_module_list { LONG count; PVOID *pid; PCHAR *name; }; static PSYSTEM_PROCESS_INFORMATION get_process_list (void) { int n_procs = 0x100; PSYSTEM_PROCESS_INFORMATION pslist = (PSYSTEM_PROCESS_INFORMATION) malloc (n_procs * sizeof *pslist); while (NtQuerySystemInformation (SystemProcessInformation, pslist, n_procs * sizeof *pslist, 0) == STATUS_INFO_LENGTH_MISMATCH) { n_procs *= 2; free (pslist); pslist = (PSYSTEM_PROCESS_INFORMATION) malloc (n_procs * sizeof *pslist); } return pslist; } static system_module_list * get_module_list (void) { DWORD modsize = 0; system_module_list *modlist = (system_module_list *) calloc (1, sizeof (system_module_list)); while (!EnumDeviceDrivers (modlist->pid, modsize, &modsize)) { free (modlist->pid); free (modlist->name); modlist->count = modsize / sizeof (PVOID); modlist->pid = (PVOID *) calloc (modlist->count, sizeof (PVOID)); modlist->name = (PCHAR *) calloc (modlist->count, sizeof (PCHAR)); } for (int i = 0; i < modlist->count; ++i) { modlist->name[0] = (PCHAR) calloc (256, sizeof (CHAR)); GetDeviceDriverBaseNameA (modlist->pid[i], modlist->name[i], 256); } return modlist; } static bool find_process_in_list (PSYSTEM_PROCESS_INFORMATION pslist, PUNICODE_STRING psname) { while (1) { if (pslist->ImageName.Length && pslist->ImageName.Buffer) { dbg_printf (("%S\n", pslist->ImageName.Buffer)); if (!_wcsicmp (pslist->ImageName.Buffer, psname->Buffer)) return true; } if (!pslist->NextEntryOffset) break; pslist = (PSYSTEM_PROCESS_INFORMATION)(pslist->NextEntryOffset + (char *)pslist); }; return false; } static bool find_module_in_list (system_module_list * modlist, const char * const modname) { for (int i = 0; i < modlist->count; ++i) { dbg_printf (("name '%s' ", modlist->name[i])); if (!_stricmp (modlist->name[i], modname)) return true; } return false; } static bool expand_path (const char *path, char *outbuf) { char *dst = outbuf; const char *end, *envval; char envvar[MAX_PATH]; size_t len; while ((dst - outbuf) < MAX_PATH) { if (*path != '%') { if ((*dst++ = *path++) != 0) continue; break; } /* Expand an environ var. */ end = path + 1; while (*end != '%') { /* Watch out for unterminated % */ if (*end++ == 0) { end = NULL; break; } } /* If we didn't find the end, can't expand it. */ if ((end == NULL) || (end == (path + 1))) { /* Unterminated % so copy verbatim. */ *dst++ = *path++; continue; } /* Expand the environment var into the new path. */ if ((end - (path + 1)) >= MAX_PATH) return -1; memcpy (envvar, path + 1, end - (path + 1)); envvar[end - (path + 1)] = 0; envval = getenv (envvar); /* If not found, copy env var name verbatim. */ if (envval == NULL) { *dst++ = *path++; continue; } /* Check enough room before copying. */ len = strlen (envval); if ((dst + len - outbuf) >= MAX_PATH) return false; memcpy (dst, envval, len); dst += len; /* And carry on past the end of env var name. */ path = end + 1; } return (dst - outbuf) < MAX_PATH; } static bool detect_dodgy_app (const struct bad_app_det *det, PSYSTEM_PROCESS_INFORMATION pslist, system_module_list * modlist) { HANDLE fh; HKEY hk; UNICODE_STRING unicodename; ANSI_STRING ansiname; NTSTATUS rv; bool found; char expandedname[MAX_PATH]; switch (det->type) { case HKLMKEY: dbg_printf (("Detect reg key hklm '%s'... ", det->param)); if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS) { RegCloseKey (hk); dbg_printf (("found!\n")); return true; } break; case HKCUKEY: dbg_printf (("Detect reg key hkcu '%s'... ", det->param)); if (RegOpenKeyEx (HKEY_CURRENT_USER, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS) { RegCloseKey (hk); dbg_printf (("found!\n")); return true; } break; case FILENAME: dbg_printf (("Detect filename '%s'... ", det->param)); if (!expand_path (det->param, expandedname)) { printf ("Expansion failure!\n"); break; } dbg_printf (("('%s' after expansion)... ", expandedname)); fh = CreateFile (expandedname, 0, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL); if (fh != INVALID_HANDLE_VALUE) { CloseHandle (fh); dbg_printf (("found!\n")); return true; } break; case PROCESSNAME: dbg_printf (("Detect proc name '%s'... ", det->param)); /* Equivalent of RtlInitAnsiString. */ ansiname.Length = ansiname.MaximumLength = strlen (det->param); ansiname.Buffer = (CHAR *) det->param; rv = RtlAnsiStringToUnicodeString (&unicodename, &ansiname, TRUE); if (rv != STATUS_SUCCESS) { printf ("Ansi to unicode conversion failure $%08x\n", (unsigned int) rv); break; } found = find_process_in_list (pslist, &unicodename); RtlFreeUnicodeString (&unicodename); if (found) { dbg_printf (("found!\n")); return true; } break; case HOOKDLLNAME: dbg_printf (("Detect hookdll '%s'... ", det->param)); if (find_module_in_list (modlist, det->param)) { dbg_printf (("found!\n")); return true; } break; } dbg_printf (("not found.\n")); return false; } static struct bad_app_info * find_dodgy_app_info (enum bad_app which_app) { size_t i; for (i = 0; i < num_of_dodgy_apps; i++) { if (big_list_of_dodgy_apps[i].app_id == which_app) return &big_list_of_dodgy_apps[i]; } return NULL; } /* External entrypoint called from cygcheck.cc/dump_sysinfo. */ void dump_dodgy_apps (int verbose) { size_t i, n_det = 0; PSYSTEM_PROCESS_INFORMATION pslist; system_module_list * modlist; /* Read system info for detect testing. */ pslist = get_process_list (); modlist = get_module_list (); /* Go with builtin list for now; later may enhance to read dodgy apps from a file or download from an URL. */ for (i = 0; i < num_of_dodgy_apps; i++) { big_list_of_dodgy_apps[i].found_it = false; } for (i = 0; i < num_of_detects; i++) { const struct bad_app_det *det = &dodgy_app_detects[i]; struct bad_app_info *found = find_dodgy_app_info (det->app); bool detected = detect_dodgy_app (det, pslist, modlist); /* Not found would mean we coded the lists bad. */ assert (found); if (detected) { ++n_det; found->found_it |= (1 << det->type); } } if (n_det) { printf ("\nPotential app conflicts:\n\n"); for (i = 0; i < num_of_dodgy_apps; i++) { if (big_list_of_dodgy_apps[i].found_it) { printf ("%s%s", big_list_of_dodgy_apps[i].details, verbose ? "\nDetected: " : ".\n"); if (!verbose) continue; const char *sep = ""; if (big_list_of_dodgy_apps[i].found_it & (1 << HKLMKEY)) { printf ("HKLM Registry Key"); sep = ", "; } if (big_list_of_dodgy_apps[i].found_it & (1 << HKCUKEY)) { printf ("%sHKCU Registry Key", sep); sep = ", "; } if (big_list_of_dodgy_apps[i].found_it & (1 << FILENAME)) { printf ("%sNamed file", sep); sep = ", "; } if (big_list_of_dodgy_apps[i].found_it & (1 << PROCESSNAME)) { printf ("%sNamed process", sep); sep = ", "; } if (big_list_of_dodgy_apps[i].found_it & (1 << HOOKDLLNAME)) { printf ("%sLoaded hook DLL", sep); } printf (".\n\n"); } } } /* Tidy up allocations. */ free (pslist); for (int i = 0; i < modlist->count; ++i) free (modlist->name[i]); free (modlist->name); free (modlist->pid); }