* Makefile.in (cygcheck.exe): Don't link to ntdll.
* bloda.cc (pNtQuerySystemInformation): Add. (pRtlAnsiStringToUnicodeString): Add. (get_process_list): Use function pointers for NT functions. (dump_dodgy_apps): Skip dodgy app check on non-NT platforms. Use GetProcAddress for NT-specific functions.
		| @@ -1,3 +1,12 @@ | ||||
| 2007-12-20  Brian Dessent  <brian@dessent.net> | ||||
|  | ||||
| 	* Makefile.in (cygcheck.exe): Don't link to ntdll. | ||||
| 	* bloda.cc (pNtQuerySystemInformation): Add. | ||||
| 	(pRtlAnsiStringToUnicodeString): Add. | ||||
| 	(get_process_list): Use function pointers for NT functions. | ||||
| 	(dump_dodgy_apps): Skip dodgy app check on non-NT platforms. | ||||
| 	Use GetProcAddress for NT-specific functions. | ||||
|  | ||||
| 2007-12-07  Corinna Vinschen  <corinna@vinschen.de> | ||||
|  | ||||
| 	* regtool.cc (opts): Add missing 'W'. | ||||
|   | ||||
| @@ -104,10 +104,10 @@ ifeq "$(libz)" "" | ||||
| 	@echo '*** Building cygcheck without package content checking due to missing mingw libz.a.' | ||||
| endif | ||||
| ifdef VERBOSE | ||||
| 	$(CXX) $(MINGW_CXXFLAGS) -o $@ ${wordlist 1,4,$^} -B$(mingw_build)/ $(MINGW_LDFLAGS) $(libz) -lntdll | ||||
| 	$(CXX) $(MINGW_CXXFLAGS) -o $@ ${wordlist 1,4,$^} -B$(mingw_build)/ $(MINGW_LDFLAGS) $(libz) | ||||
| else | ||||
| 	@echo $(CXX) -o $@ ${wordlist 1,4,$^} ${filter-out -B%, $(MINGW_CXXFLAGS) $(MINGW_LDFLAGS)} $(libz) -lntdll;\ | ||||
| 	$(CXX) $(MINGW_CXXFLAGS) -o $@ ${wordlist 1,4,$^} -B$(mingw_build)/ $(MINGW_LDFLAGS) $(libz) -lntdll | ||||
| 	@echo $(CXX) -o $@ ${wordlist 1,4,$^} ${filter-out -B%, $(MINGW_CXXFLAGS) $(MINGW_LDFLAGS)} $(libz);\ | ||||
| 	$(CXX) $(MINGW_CXXFLAGS) -o $@ ${wordlist 1,4,$^} -B$(mingw_build)/ $(MINGW_LDFLAGS) $(libz) | ||||
| endif | ||||
|  | ||||
| dumper.o: dumper.cc dumper.h | ||||
|   | ||||
| @@ -104,13 +104,20 @@ static const size_t num_of_dodgy_apps = sizeof (big_list_of_dodgy_apps) / sizeof | ||||
|   to be looked up at runtime and called through a pointer.  */ | ||||
| VOID NTAPI (*pRtlFreeUnicodeString)(PUNICODE_STRING) = NULL; | ||||
|  | ||||
| NTSTATUS NTAPI (*pNtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS, | ||||
|                                              PVOID, ULONG, PULONG) = NULL; | ||||
|  | ||||
| NTSTATUS NTAPI (*pRtlAnsiStringToUnicodeString) (PUNICODE_STRING, PANSI_STRING, | ||||
|                                                BOOLEAN) = NULL; | ||||
|  | ||||
|  | ||||
| static PSYSTEM_PROCESSES | ||||
| get_process_list (void) | ||||
| { | ||||
|   int n_procs = 0x100; | ||||
|   PSYSTEM_PROCESSES pslist = (PSYSTEM_PROCESSES) malloc (n_procs * sizeof *pslist); | ||||
|  | ||||
|   while (NtQuerySystemInformation (SystemProcessesAndThreadsInformation, | ||||
|   while (pNtQuerySystemInformation (SystemProcessesAndThreadsInformation, | ||||
|     pslist, n_procs * sizeof *pslist, 0) == STATUS_INFO_LENGTH_MISMATCH) | ||||
|     { | ||||
|       n_procs *= 2; | ||||
| @@ -126,7 +133,7 @@ get_module_list (void) | ||||
|   int modsize = 0x1000; | ||||
|   PSYSTEM_MODULE_INFORMATION modlist = (PSYSTEM_MODULE_INFORMATION) malloc (modsize); | ||||
|  | ||||
|   while (NtQuerySystemInformation (SystemModuleInformation, | ||||
|   while (pNtQuerySystemInformation (SystemModuleInformation, | ||||
|     modlist, modsize, NULL) == STATUS_INFO_LENGTH_MISMATCH) | ||||
|     { | ||||
|       modsize *= 2; | ||||
| @@ -284,19 +291,14 @@ detect_dodgy_app (const struct bad_app_det *det, PSYSTEM_PROCESSES pslist, PSYST | ||||
|       /* Equivalent of RtlInitAnsiString.  */ | ||||
|       ansiname.Length = ansiname.MaximumLength = strlen (det->param); | ||||
|       ansiname.Buffer = (CHAR *) det->param; | ||||
|       rv = RtlAnsiStringToUnicodeString (&unicodename, &ansiname, TRUE); | ||||
|       rv = pRtlAnsiStringToUnicodeString (&unicodename, &ansiname, TRUE); | ||||
|       if (rv != STATUS_SUCCESS) | ||||
|         { | ||||
|           printf ("Ansi to unicode conversion failure $%08x\n", (unsigned int) rv); | ||||
|           break; | ||||
|         } | ||||
|       found = find_process_in_list (pslist, &unicodename); | ||||
|       if (!pRtlFreeUnicodeString) | ||||
|           pRtlFreeUnicodeString = (VOID NTAPI (*)(PUNICODE_STRING)) GetProcAddress (LoadLibrary ("ntdll.dll"), "RtlFreeUnicodeString"); | ||||
|       if (pRtlFreeUnicodeString) | ||||
|         pRtlFreeUnicodeString (&unicodename); | ||||
|       else | ||||
|         printf ("leaking mem...oops\n"); | ||||
|       pRtlFreeUnicodeString (&unicodename); | ||||
|       if (found) | ||||
|         { | ||||
|           dbg_printf (("found!\n")); | ||||
| @@ -337,6 +339,25 @@ dump_dodgy_apps (int verbose) | ||||
|   size_t i, n_det = 0; | ||||
|   PSYSTEM_PROCESSES pslist; | ||||
|   PSYSTEM_MODULE_INFORMATION modlist; | ||||
|   HMODULE ntdll; | ||||
|  | ||||
|   if ((ntdll = LoadLibrary ("ntdll.dll")) == NULL) | ||||
|     { | ||||
|       puts ("Skipping dodgy app check on Win9x/ME."); | ||||
|       return; | ||||
|     } | ||||
|  | ||||
| #define GPA(func,rv) \ | ||||
|       if ((p##func = (rv) GetProcAddress (ntdll, #func)) == NULL) \ | ||||
|         { \ | ||||
|           puts ("Can't GetProcAddress() for " #func ", " \ | ||||
|                 "skipping dodgy app check."); \ | ||||
|           return; \ | ||||
|         } | ||||
|   GPA(NtQuerySystemInformation, NTSTATUS NTAPI (*) (SYSTEM_INFORMATION_CLASS,PVOID,ULONG,PULONG)); | ||||
|   GPA(RtlFreeUnicodeString, VOID NTAPI (*)(PUNICODE_STRING)); | ||||
|   GPA(RtlAnsiStringToUnicodeString, NTSTATUS NTAPI (*)(PUNICODE_STRING,PANSI_STRING,BOOLEAN)); | ||||
| #undef GPA | ||||
|  | ||||
|   /* Read system info for detect testing.  */ | ||||
|   pslist = get_process_list (); | ||||
|   | ||||
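Review bot: dump_dodgy_apps takes a LoadLibrary ("ntdll.dll") handle that is never released; since ntdll is already mapped into every NT process, `HMODULE ntdll = GetModuleHandle ("ntdll.dll");` expresses the intent more precisely (no loader search, no reference count to balance) and, going by the commit's own "Skip dodgy app check on Win9x/ME" message, should still yield NULL on platforms where the DLL is absent — worth confirming on the oldest target before switching. The GPA macro also returns early after a failed lookup, which can leave the three file-scope function pointers partially initialized, and detect_dodgy_app now calls pRtlFreeUnicodeString without a NULL check; from the visible lines the only path to get_process_list and detect_dodgy_app appears to be through dump_dodgy_apps, so a comment above the pointer definitions would capture the contract: `/* Resolved only by dump_dodgy_apps; the helpers below assume it ran and every lookup succeeded.  */`. Since nothing outside bloda.cc resolves them, the three pointers could also be declared `static` so that no other translation unit can observe or overwrite them. dump_dodgy_apps continues past the end of the hunk.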