mirror of
git://sourceware.org/git/newlib-cygwin.git
synced 2025-01-20 13:29:24 +08:00
9a231073a5
The default PSAPI_VERSION is controlled by WIN32_WINNT, which we set to 0x0a00 when building utils since 48a76190 (and is the default in w32api >= 9.0.0) In order for the built executables to run on Windows Vista, we must also define PSAPI_VERSION as 1 (otherwise '#define GetModuleFileNameExA K32GetModuleFileNameExA' causes a 'The procedure entry point K32GetModuleFilenameExA could not be located in the dynamic link library kernel32.dll' error at run time). Also drop uneeded psapi.h from dlfcn.cc (31ddf45d), resource.cc (34a6eeab) and ps.cc (1def2148).
424 lines
12 KiB
C++
424 lines
12 KiB
C++
/* bloda.cc
|
|
|
|
This file is part of Cygwin.
|
|
|
|
This software is a copyrighted work licensed under the terms of the
|
|
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
|
|
details. */
|
|
|
|
#define cygwin_internal cygwin_internal_dontuse
|
|
#include <stdio.h>
|
|
#include <assert.h>
|
|
#define WIN32_NO_STATUS /* Disable status codes in winnt.h since we include
|
|
ntstatus.h for extended status codes below. */
|
|
#include <windows.h>
|
|
#undef WIN32_NO_STATUS
|
|
#define PSAPI_VERSION 1
|
|
#include <psapi.h>
|
|
#include <winternl.h>
|
|
#include <ntstatus.h>
|
|
#undef cygwin_internal
|
|
|
|
#undef DEBUGGING
|
|
#ifdef DEBUGGING
|
|
#define dbg_printf(ARGS) printf ARGS ; fflush (NULL)
|
|
#else /* !DEBUGGING */
|
|
#define dbg_printf(ARGS) do { } while (0)
|
|
#endif /* ?DEBUGGING */
|
|
|
|
/* This module detects applications from the Big List of Dodgy Apps,
|
|
a list of applications that have at some given time been shown to
|
|
interfere with the operation of cygwin. It detects the presence of
|
|
applications on the system by looking for any of four traces an
|
|
installation might leave: 1) registry keys, 2) files on disk
|
|
3) running executables 4) loaded dlls or drivers.
|
|
|
|
At the time of writing, the BLODA amounts to:-
|
|
|
|
Sonic Solutions burning software containing DLA component
|
|
Norton/MacAffee/Symantec antivirus or antispyware
|
|
Logitech webcam software with "Logitech process monitor" service
|
|
Kerio, Agnitum or ZoneAlarm Personal Firewall
|
|
Iolo System Mechanic/AntiVirus/Firewall
|
|
LanDesk
|
|
Windows Defender
|
|
Embassy Trust Suite fingerprint reader software containing wxvault.dll
|
|
ByteMobile laptop optimization client
|
|
|
|
A live version is now being maintained in the Cygwin FAQ, at
|
|
http://cygwin.com/faq/faq.using.html#faq.using.bloda
|
|
|
|
*/
|
|
|
|
enum bad_app
|
|
{
|
|
SONIC, NORTON, MACAFFEE, SYMANTEC,
|
|
LOGITECH, KERIO, AGNITUM, ZONEALARM,
|
|
IOLO, LANDESK, WINDEFENDER, EMBASSYTS,
|
|
BYTEMOBILE
|
|
};
|
|
|
|
struct bad_app_info
|
|
{
|
|
enum bad_app app_id;
|
|
const char *details;
|
|
char found_it;
|
|
};
|
|
|
|
enum bad_app_det_method
|
|
{
|
|
HKLMKEY, HKCUKEY, FILENAME, PROCESSNAME, HOOKDLLNAME
|
|
};
|
|
|
|
struct bad_app_det
|
|
{
|
|
enum bad_app_det_method type;
|
|
const char *param;
|
|
enum bad_app app;
|
|
};
|
|
|
|
static const struct bad_app_det dodgy_app_detects[] =
|
|
{
|
|
{ PROCESSNAME, "dlactrlw.exe", SONIC },
|
|
{ HOOKDLLNAME, "wxvault.dll", EMBASSYTS },
|
|
{ HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\vsdatant", ZONEALARM },
|
|
{ FILENAME, "%windir%\\System32\\vsdatant.sys", ZONEALARM },
|
|
{ HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\lvprcsrv", LOGITECH },
|
|
{ PROCESSNAME, "LVPrcSrv.exe", LOGITECH },
|
|
{ FILENAME, "%programfiles%\\common files\\logitech\\lvmvfm\\LVPrcSrv.exe", LOGITECH },
|
|
{ FILENAME, "%windir%\\System32\\bmnet.dll", BYTEMOBILE },
|
|
};
|
|
|
|
static const size_t num_of_detects = sizeof (dodgy_app_detects) / sizeof (dodgy_app_detects[0]);
|
|
|
|
static struct bad_app_info big_list_of_dodgy_apps[] =
|
|
{
|
|
{ SONIC, "Sonic Solutions burning software containing DLA component" },
|
|
{ NORTON, "Norton antivirus or antispyware software" },
|
|
{ MACAFFEE, "Macaffee antivirus or antispyware software" },
|
|
{ SYMANTEC, "Symantec antivirus or antispyware software" },
|
|
{ LOGITECH, "Logitech Process Monitor service" },
|
|
{ KERIO, "Kerio Personal Firewall" },
|
|
{ AGNITUM, "Agnitum Personal Firewall" },
|
|
{ ZONEALARM, "ZoneAlarm Personal Firewall" },
|
|
{ IOLO, "Iolo System Mechanic/AntiVirus/Firewall software" },
|
|
{ LANDESK, "Landesk" },
|
|
{ WINDEFENDER, "Windows Defender" },
|
|
{ EMBASSYTS, "Embassy Trust Suite fingerprint reader software containing wxvault.dll" },
|
|
{ BYTEMOBILE, "ByteMobile laptop optimization client" },
|
|
};
|
|
|
|
static const size_t num_of_dodgy_apps = sizeof (big_list_of_dodgy_apps) / sizeof (big_list_of_dodgy_apps[0]);
|
|
|
|
struct system_module_list
|
|
{
|
|
LONG count;
|
|
PVOID *pid;
|
|
PCHAR *name;
|
|
};
|
|
|
|
static PSYSTEM_PROCESS_INFORMATION
|
|
get_process_list (void)
|
|
{
|
|
int n_procs = 0x100;
|
|
PSYSTEM_PROCESS_INFORMATION pslist = (PSYSTEM_PROCESS_INFORMATION) malloc (n_procs * sizeof *pslist);
|
|
|
|
while (NtQuerySystemInformation (SystemProcessInformation,
|
|
pslist, n_procs * sizeof *pslist, 0) == STATUS_INFO_LENGTH_MISMATCH)
|
|
{
|
|
n_procs *= 2;
|
|
free (pslist);
|
|
pslist = (PSYSTEM_PROCESS_INFORMATION) malloc (n_procs * sizeof *pslist);
|
|
}
|
|
return pslist;
|
|
}
|
|
|
|
static system_module_list *
|
|
get_module_list (void)
|
|
{
|
|
DWORD modsize = 0;
|
|
system_module_list *modlist = (system_module_list *)
|
|
calloc (1, sizeof (system_module_list));
|
|
while (!EnumDeviceDrivers (modlist->pid, modsize, &modsize))
|
|
{
|
|
free (modlist->pid);
|
|
free (modlist->name);
|
|
modlist->count = modsize / sizeof (PVOID);
|
|
modlist->pid = (PVOID *) calloc (modlist->count, sizeof (PVOID));
|
|
modlist->name = (PCHAR *) calloc (modlist->count, sizeof (PCHAR));
|
|
}
|
|
for (int i = 0; i < modlist->count; ++i)
|
|
{
|
|
modlist->name[0] = (PCHAR) calloc (256, sizeof (CHAR));
|
|
GetDeviceDriverBaseNameA (modlist->pid[i], modlist->name[i], 256);
|
|
}
|
|
return modlist;
|
|
}
|
|
|
|
static bool
|
|
find_process_in_list (PSYSTEM_PROCESS_INFORMATION pslist, PUNICODE_STRING psname)
|
|
{
|
|
while (1)
|
|
{
|
|
if (pslist->ImageName.Length && pslist->ImageName.Buffer)
|
|
{
|
|
dbg_printf (("%S\n", pslist->ImageName.Buffer));
|
|
if (!_wcsicmp (pslist->ImageName.Buffer, psname->Buffer))
|
|
return true;
|
|
}
|
|
if (!pslist->NextEntryOffset)
|
|
break;
|
|
pslist = (PSYSTEM_PROCESS_INFORMATION)(pslist->NextEntryOffset + (char *)pslist);
|
|
};
|
|
return false;
|
|
}
|
|
|
|
static bool
|
|
find_module_in_list (system_module_list * modlist, const char * const modname)
|
|
{
|
|
for (int i = 0; i < modlist->count; ++i)
|
|
{
|
|
dbg_printf (("name '%s' ", modlist->name[i]));
|
|
if (!_stricmp (modlist->name[i], modname))
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
static bool
|
|
expand_path (const char *path, char *outbuf)
|
|
{
|
|
char *dst = outbuf;
|
|
const char *end, *envval;
|
|
char envvar[MAX_PATH];
|
|
size_t len;
|
|
|
|
while ((dst - outbuf) < MAX_PATH)
|
|
{
|
|
if (*path != '%')
|
|
{
|
|
if ((*dst++ = *path++) != 0)
|
|
continue;
|
|
break;
|
|
}
|
|
/* Expand an environ var. */
|
|
end = path + 1;
|
|
while (*end != '%')
|
|
{
|
|
/* Watch out for unterminated % */
|
|
if (*end++ == 0)
|
|
{
|
|
end = NULL;
|
|
break;
|
|
}
|
|
}
|
|
/* If we didn't find the end, can't expand it. */
|
|
if ((end == NULL) || (end == (path + 1)))
|
|
{
|
|
/* Unterminated % so copy verbatim. */
|
|
*dst++ = *path++;
|
|
continue;
|
|
}
|
|
/* Expand the environment var into the new path. */
|
|
if ((end - (path + 1)) >= MAX_PATH)
|
|
return -1;
|
|
memcpy (envvar, path + 1, end - (path + 1));
|
|
envvar[end - (path + 1)] = 0;
|
|
envval = getenv (envvar);
|
|
/* If not found, copy env var name verbatim. */
|
|
if (envval == NULL)
|
|
{
|
|
*dst++ = *path++;
|
|
continue;
|
|
}
|
|
/* Check enough room before copying. */
|
|
len = strlen (envval);
|
|
if ((dst + len - outbuf) >= MAX_PATH)
|
|
return false;
|
|
memcpy (dst, envval, len);
|
|
dst += len;
|
|
/* And carry on past the end of env var name. */
|
|
path = end + 1;
|
|
}
|
|
return (dst - outbuf) < MAX_PATH;
|
|
}
|
|
|
|
static bool
|
|
detect_dodgy_app (const struct bad_app_det *det, PSYSTEM_PROCESS_INFORMATION pslist, system_module_list * modlist)
|
|
{
|
|
HANDLE fh;
|
|
HKEY hk;
|
|
UNICODE_STRING unicodename;
|
|
ANSI_STRING ansiname;
|
|
NTSTATUS rv;
|
|
bool found;
|
|
char expandedname[MAX_PATH];
|
|
|
|
switch (det->type)
|
|
{
|
|
case HKLMKEY:
|
|
dbg_printf (("Detect reg key hklm '%s'... ", det->param));
|
|
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS)
|
|
{
|
|
RegCloseKey (hk);
|
|
dbg_printf (("found!\n"));
|
|
return true;
|
|
}
|
|
break;
|
|
|
|
case HKCUKEY:
|
|
dbg_printf (("Detect reg key hkcu '%s'... ", det->param));
|
|
if (RegOpenKeyEx (HKEY_CURRENT_USER, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS)
|
|
{
|
|
RegCloseKey (hk);
|
|
dbg_printf (("found!\n"));
|
|
return true;
|
|
}
|
|
break;
|
|
|
|
case FILENAME:
|
|
dbg_printf (("Detect filename '%s'... ", det->param));
|
|
if (!expand_path (det->param, expandedname))
|
|
{
|
|
printf ("Expansion failure!\n");
|
|
break;
|
|
}
|
|
dbg_printf (("('%s' after expansion)... ", expandedname));
|
|
fh = CreateFile (expandedname, 0, FILE_SHARE_READ | FILE_SHARE_WRITE
|
|
| FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
|
|
if (fh != INVALID_HANDLE_VALUE)
|
|
{
|
|
CloseHandle (fh);
|
|
dbg_printf (("found!\n"));
|
|
return true;
|
|
}
|
|
break;
|
|
|
|
case PROCESSNAME:
|
|
dbg_printf (("Detect proc name '%s'... ", det->param));
|
|
/* Equivalent of RtlInitAnsiString. */
|
|
ansiname.Length = ansiname.MaximumLength = strlen (det->param);
|
|
ansiname.Buffer = (CHAR *) det->param;
|
|
rv = RtlAnsiStringToUnicodeString (&unicodename, &ansiname, TRUE);
|
|
if (rv != STATUS_SUCCESS)
|
|
{
|
|
printf ("Ansi to unicode conversion failure $%08x\n", (unsigned int) rv);
|
|
break;
|
|
}
|
|
found = find_process_in_list (pslist, &unicodename);
|
|
RtlFreeUnicodeString (&unicodename);
|
|
if (found)
|
|
{
|
|
dbg_printf (("found!\n"));
|
|
return true;
|
|
}
|
|
break;
|
|
|
|
case HOOKDLLNAME:
|
|
dbg_printf (("Detect hookdll '%s'... ", det->param));
|
|
if (find_module_in_list (modlist, det->param))
|
|
{
|
|
dbg_printf (("found!\n"));
|
|
return true;
|
|
}
|
|
break;
|
|
|
|
}
|
|
dbg_printf (("not found.\n"));
|
|
return false;
|
|
}
|
|
|
|
static struct bad_app_info *
|
|
find_dodgy_app_info (enum bad_app which_app)
|
|
{
|
|
size_t i;
|
|
for (i = 0; i < num_of_dodgy_apps; i++)
|
|
{
|
|
if (big_list_of_dodgy_apps[i].app_id == which_app)
|
|
return &big_list_of_dodgy_apps[i];
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/* External entrypoint called from cygcheck.cc/dump_sysinfo. */
|
|
void
|
|
dump_dodgy_apps (int verbose)
|
|
{
|
|
size_t i, n_det = 0;
|
|
PSYSTEM_PROCESS_INFORMATION pslist;
|
|
system_module_list * modlist;
|
|
|
|
/* Read system info for detect testing. */
|
|
pslist = get_process_list ();
|
|
modlist = get_module_list ();
|
|
|
|
/* Go with builtin list for now; later may enhance to
|
|
read dodgy apps from a file or download from an URL. */
|
|
for (i = 0; i < num_of_dodgy_apps; i++)
|
|
{
|
|
big_list_of_dodgy_apps[i].found_it = false;
|
|
}
|
|
|
|
for (i = 0; i < num_of_detects; i++)
|
|
{
|
|
const struct bad_app_det *det = &dodgy_app_detects[i];
|
|
struct bad_app_info *found = find_dodgy_app_info (det->app);
|
|
bool detected = detect_dodgy_app (det, pslist, modlist);
|
|
|
|
/* Not found would mean we coded the lists bad. */
|
|
assert (found);
|
|
if (detected)
|
|
{
|
|
++n_det;
|
|
found->found_it |= (1 << det->type);
|
|
}
|
|
}
|
|
if (n_det)
|
|
{
|
|
printf ("\nPotential app conflicts:\n\n");
|
|
for (i = 0; i < num_of_dodgy_apps; i++)
|
|
{
|
|
if (big_list_of_dodgy_apps[i].found_it)
|
|
{
|
|
printf ("%s%s", big_list_of_dodgy_apps[i].details,
|
|
verbose ? "\nDetected: " : ".\n");
|
|
if (!verbose)
|
|
continue;
|
|
const char *sep = "";
|
|
if (big_list_of_dodgy_apps[i].found_it & (1 << HKLMKEY))
|
|
{
|
|
printf ("HKLM Registry Key");
|
|
sep = ", ";
|
|
}
|
|
if (big_list_of_dodgy_apps[i].found_it & (1 << HKCUKEY))
|
|
{
|
|
printf ("%sHKCU Registry Key", sep);
|
|
sep = ", ";
|
|
}
|
|
if (big_list_of_dodgy_apps[i].found_it & (1 << FILENAME))
|
|
{
|
|
printf ("%sNamed file", sep);
|
|
sep = ", ";
|
|
}
|
|
if (big_list_of_dodgy_apps[i].found_it & (1 << PROCESSNAME))
|
|
{
|
|
printf ("%sNamed process", sep);
|
|
sep = ", ";
|
|
}
|
|
if (big_list_of_dodgy_apps[i].found_it & (1 << HOOKDLLNAME))
|
|
{
|
|
printf ("%sLoaded hook DLL", sep);
|
|
}
|
|
printf (".\n\n");
|
|
}
|
|
}
|
|
}
|
|
/* Tidy up allocations. */
|
|
free (pslist);
|
|
for (int i = 0; i < modlist->count; ++i)
|
|
free (modlist->name[i]);
|
|
free (modlist->name);
|
|
free (modlist->pid);
|
|
}
|
|
|