--- /dev/null
+/* bloda.cc
+
+ Copyright 2007 Red Hat, Inc.
+
+ This file is part of Cygwin.
+
+ This software is a copyrighted work licensed under the terms of the
+ Cygwin license. Please consult the file "CYGWIN_LICENSE" for
+ details. */
+
+#define cygwin_internal cygwin_internal_dontuse
+#include <stdio.h>
+#include <assert.h>
+#include <windows.h>
+#include <ntdef.h>
+#include <ddk/ntstatus.h>
+#include <ddk/ntapi.h>
+#undef cygwin_internal
+
+#undef DEBUGGING
+#ifdef DEBUGGING
+#define dbg_printf(ARGS) printf ARGS ; fflush (NULL)
+#else /* !DEBUGGING */
+#define dbg_printf(ARGS) do { } while (0)
+#endif /* ?DEBUGGING */
+
+/* This module detects applications from the Big List of Dodgy Apps,
+ a list of applications that have at some given time been shown to
+ interfere with the operation of cygwin. It detects the presence of
+ applications on the system by looking for any of four traces an
+ installation might leave: 1) registry keys, 2) files on disk
+ 3) running executables 4) loaded dlls or drivers.
+
+ At the time of writing, the BLODA amounts to:-
+
+ Sonic Solutions burning software containing DLA component
+ Norton/MacAffee/Symantec antivirus or antispyware
+ Logitech webcam software with "Logitech process monitor" service
+ Kerio, Agnitum or ZoneAlarm Personal Firewall
+ Iolo System Mechanic/AntiVirus/Firewall
+ LanDesk
+ Windows Defender
+ Embassy Trust Suite fingerprint reader software containing wxvault.dll
+*/
+
+enum bad_app
+{
+ SONIC, NORTON, MACAFFEE, SYMANTEC,
+ LOGITECH, KERIO, AGNITUM, ZONEALARM,
+ IOLO, LANDESK, WINDEFENDER, EMBASSYTS
+};
+
+struct bad_app_info
+{
+ enum bad_app app_id;
+ const char *details;
+ char found_it;
+};
+
+enum bad_app_det_method
+{
+ HKLMKEY, HKCUKEY, FILENAME, PROCESSNAME, HOOKDLLNAME
+};
+
+struct bad_app_det
+{
+ enum bad_app_det_method type;
+ const char *param;
+ enum bad_app app;
+};
+
+static const struct bad_app_det dodgy_app_detects[] =
+{
+ { PROCESSNAME, "dlactrlw.exe", SONIC },
+ { HOOKDLLNAME, "wxvault.dll", EMBASSYTS },
+ { HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\vsdatant", ZONEALARM },
+ { FILENAME, "%windir%\\System32\\vsdatant.sys", ZONEALARM },
+ { HKLMKEY, "SYSTEM\\CurrentControlSet\\Services\\lvprcsrv", LOGITECH },
+ { PROCESSNAME, "LVPrcSrv.exe", LOGITECH },
+ { FILENAME, "%programfiles%\\common files\\logitech\\lvmvfm\\LVPrcSrv.exe", LOGITECH },
+};
+
+static const size_t num_of_detects = sizeof (dodgy_app_detects) / sizeof (dodgy_app_detects[0]);
+
+static struct bad_app_info big_list_of_dodgy_apps[] =
+{
+ { SONIC, "Sonic Solutions burning software containing DLA component" },
+ { NORTON, "Norton antivirus or antispyware software" },
+ { MACAFFEE, "Macaffee antivirus or antispyware software" },
+ { SYMANTEC, "Symantec antivirus or antispyware software" },
+ { LOGITECH, "Logitech Process Monitor service" },
+ { KERIO, "Kerio Personal Firewall" },
+ { AGNITUM, "Agnitum Personal Firewall" },
+ { ZONEALARM, "ZoneAlarm Personal Firewall" },
+ { IOLO, "Iolo System Mechanic/AntiVirus/Firewall software" },
+ { LANDESK, "Landesk" },
+ { WINDEFENDER, "Windows Defender" },
+ { EMBASSYTS, "Embassy Trust Suite fingerprint reader software containing wxvault.dll" },
+};
+
+static const size_t num_of_dodgy_apps = sizeof (big_list_of_dodgy_apps) / sizeof (big_list_of_dodgy_apps[0]);
+
+/* This function is not in the ntdll export lib, so it has
+ to be looked up at runtime and called through a pointer. */
+VOID NTAPI (*pRtlFreeUnicodeString)(PUNICODE_STRING) = NULL;
+
+static PSYSTEM_PROCESSES
+get_process_list (void)
+{
+ int n_procs = 0x100;
+ PSYSTEM_PROCESSES pslist = (PSYSTEM_PROCESSES) malloc (n_procs * sizeof *pslist);
+
+ while (NtQuerySystemInformation (SystemProcessesAndThreadsInformation,
+ pslist, n_procs * sizeof *pslist, 0) == STATUS_INFO_LENGTH_MISMATCH)
+ {
+ n_procs *= 2;
+ free (pslist);
+ pslist = (PSYSTEM_PROCESSES) malloc (n_procs * sizeof *pslist);
+ }
+ return pslist;
+}
+
+static PSYSTEM_MODULE_INFORMATION
+get_module_list (void)
+{
+ int modsize = 0x1000;
+ PSYSTEM_MODULE_INFORMATION modlist = (PSYSTEM_MODULE_INFORMATION) malloc (modsize);
+
+ while (NtQuerySystemInformation (SystemModuleInformation,
+ modlist, modsize, NULL) == STATUS_INFO_LENGTH_MISMATCH)
+ {
+ modsize *= 2;
+ free (modlist);
+ modlist = (PSYSTEM_MODULE_INFORMATION) malloc (modsize);
+ }
+ return modlist;
+}
+
+static bool
+find_process_in_list (PSYSTEM_PROCESSES pslist, PUNICODE_STRING psname)
+{
+ while (1)
+ {
+ if (pslist->ProcessName.Length && pslist->ProcessName.Buffer)
+ {
+ dbg_printf (("%S\n", pslist->ProcessName.Buffer));
+ if (!_wcsicmp (pslist->ProcessName.Buffer, psname->Buffer))
+ return true;
+ }
+ if (!pslist->NextEntryDelta)
+ break;
+ pslist = (PSYSTEM_PROCESSES)(pslist->NextEntryDelta + (char *)pslist);
+ };
+ return false;
+}
+
+static bool
+find_module_in_list (PSYSTEM_MODULE_INFORMATION modlist, const char * const modname)
+{
+ PSYSTEM_MODULE_INFORMATION_ENTRY modptr = &modlist->Module[0];
+ DWORD count = modlist->Count;
+ while (count--)
+ {
+ dbg_printf (("name '%s' offset %d ", &modptr->ImageName[0], modptr->PathLength));
+ dbg_printf (("= '%s'\n", &modptr->ImageName[modptr->PathLength]));
+ if (!_stricmp (&modptr->ImageName[modptr->PathLength], modname))
+ return true;
+ modptr++;
+ }
+ return false;
+}
+
+static bool
+expand_path (const char *path, char *outbuf)
+{
+ char *dst = outbuf;
+ const char *end, *envval;
+ char envvar[MAX_PATH];
+ size_t len;
+
+ while ((dst - outbuf) < MAX_PATH)
+ {
+ if (*path != '%')
+ {
+ if ((*dst++ = *path++) != 0)
+ continue;
+ break;
+ }
+ /* Expand an environ var. */
+ end = path + 1;
+ while (*end != '%')
+ {
+ /* Watch out for unterminated % */
+ if (*end++ == 0)
+ {
+ end = NULL;
+ break;
+ }
+ }
+ /* If we didn't find the end, can't expand it. */
+ if ((end == NULL) || (end == (path + 1)))
+ {
+ /* Unterminated % so copy verbatim. */
+ *dst++ = *path++;
+ continue;
+ }
+ /* Expand the environment var into the new path. */
+ if ((end - (path + 1)) >= MAX_PATH)
+ return -1;
+ memcpy (envvar, path + 1, end - (path + 1));
+ envvar[end - (path + 1)] = 0;
+ envval = getenv (envvar);
+ /* If not found, copy env var name verbatim. */
+ if (envval == NULL)
+ {
+ *dst++ = *path++;
+ continue;
+ }
+ /* Check enough room before copying. */
+ len = strlen (envval);
+ if ((dst + len - outbuf) >= MAX_PATH)
+ return false;
+ memcpy (dst, envval, len);
+ dst += len;
+ /* And carry on past the end of env var name. */
+ path = end + 1;
+ }
+ return (dst - outbuf) < MAX_PATH;
+}
+
+static bool
+detect_dodgy_app (const struct bad_app_det *det, PSYSTEM_PROCESSES pslist, PSYSTEM_MODULE_INFORMATION modlist)
+{
+ HANDLE fh;
+ HKEY hk;
+ UNICODE_STRING unicodename;
+ ANSI_STRING ansiname;
+ NTSTATUS rv;
+ bool found;
+ char expandedname[MAX_PATH];
+
+ switch (det->type)
+ {
+ case HKLMKEY:
+ dbg_printf (("Detect reg key hklm '%s'... ", det->param));
+ if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS)
+ {
+ RegCloseKey (hk);
+ dbg_printf (("found!\n"));
+ return true;
+ }
+ break;
+
+ case HKCUKEY:
+ dbg_printf (("Detect reg key hkcu '%s'... ", det->param));
+ if (RegOpenKeyEx (HKEY_CURRENT_USER, det->param, 0, STANDARD_RIGHTS_READ, &hk) == ERROR_SUCCESS)
+ {
+ RegCloseKey (hk);
+ dbg_printf (("found!\n"));
+ return true;
+ }
+ break;
+
+ case FILENAME:
+ dbg_printf (("Detect filename '%s'... ", det->param));
+ if (!expand_path (det->param, expandedname))
+ {
+ printf ("Expansion failure!\n");
+ break;
+ }
+ dbg_printf (("('%s' after expansion)... ", expandedname));
+ fh = CreateFile (expandedname, 0, FILE_SHARE_READ | FILE_SHARE_WRITE
+ | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
+ if (fh != INVALID_HANDLE_VALUE)
+ {
+ CloseHandle (fh);
+ dbg_printf (("found!\n"));
+ return true;
+ }
+ break;
+
+ case PROCESSNAME:
+ dbg_printf (("Detect proc name '%s'... ", det->param));
+ /* Equivalent of RtlInitAnsiString. */
+ ansiname.Length = ansiname.MaximumLength = strlen (det->param);
+ ansiname.Buffer = (CHAR *) det->param;
+ rv = RtlAnsiStringToUnicodeString (&unicodename, &ansiname, TRUE);
+ if (rv != STATUS_SUCCESS)
+ {
+ printf ("Ansi to unicode conversion failure $%08x\n", (unsigned int) rv);
+ break;
+ }
+ found = find_process_in_list (pslist, &unicodename);
+ if (!pRtlFreeUnicodeString)
+ pRtlFreeUnicodeString = (VOID NTAPI (*)(PUNICODE_STRING)) GetProcAddress (LoadLibrary ("ntdll.dll"), "RtlFreeUnicodeString");
+ if (pRtlFreeUnicodeString)
+ pRtlFreeUnicodeString (&unicodename);
+ else
+ printf ("leaking mem...oops\n");
+ if (found)
+ {
+ dbg_printf (("found!\n"));
+ return true;
+ }
+ break;
+
+ case HOOKDLLNAME:
+ dbg_printf (("Detect hookdll '%s'... ", det->param));
+ if (find_module_in_list (modlist, det->param))
+ {
+ dbg_printf (("found!\n"));
+ return true;
+ }
+ break;
+
+ }
+ dbg_printf (("not found.\n"));
+ return false;
+}
+
+static struct bad_app_info *
+find_dodgy_app_info (enum bad_app which_app)
+{
+ size_t i;
+ for (i = 0; i < num_of_dodgy_apps; i++)
+ {
+ if (big_list_of_dodgy_apps[i].app_id == which_app)
+ return &big_list_of_dodgy_apps[i];
+ }
+ return NULL;
+}
+
+/* External entrypoint called from cygcheck.cc/dump_sysinfo. */
+void
+dump_dodgy_apps (int verbose)
+{
+ size_t i, n_det = 0;
+ PSYSTEM_PROCESSES pslist;
+ PSYSTEM_MODULE_INFORMATION modlist;
+
+ /* Read system info for detect testing. */
+ pslist = get_process_list ();
+ modlist = get_module_list ();
+
+ /* Go with builtin list for now; later may enhance to
+ read dodgy apps from a file or download from an URL. */
+ for (i = 0; i < num_of_dodgy_apps; i++)
+ {
+ big_list_of_dodgy_apps[i].found_it = false;
+ }
+
+ for (i = 0; i < num_of_detects; i++)
+ {
+ const struct bad_app_det *det = &dodgy_app_detects[i];
+ struct bad_app_info *found = find_dodgy_app_info (det->app);
+ bool detected = detect_dodgy_app (det, pslist, modlist);
+
+ /* Not found would mean we coded the lists bad. */
+ assert (found);
+ if (detected)
+ {
+ ++n_det;
+ found->found_it |= (1 << det->type);
+ }
+ }
+ if (n_det)
+ {
+ printf ("\nPotential app conflicts:\n\n");
+ for (i = 0; i < num_of_dodgy_apps; i++)
+ {
+ if (big_list_of_dodgy_apps[i].found_it)
+ {
+ printf ("%s%s", big_list_of_dodgy_apps[i].details,
+ verbose ? "\nDetected: " : ".\n");
+ if (!verbose)
+ continue;
+ const char *sep = "";
+ if (big_list_of_dodgy_apps[i].found_it & (1 << HKLMKEY))
+ {
+ printf ("HKLM Registry Key");
+ sep = ", ";
+ }
+ if (big_list_of_dodgy_apps[i].found_it & (1 << HKCUKEY))
+ {
+ printf ("%sHKCU Registry Key", sep);
+ sep = ", ";
+ }
+ if (big_list_of_dodgy_apps[i].found_it & (1 << FILENAME))
+ {
+ printf ("%sNamed file", sep);
+ sep = ", ";
+ }
+ if (big_list_of_dodgy_apps[i].found_it & (1 << PROCESSNAME))
+ {
+ printf ("%sNamed process", sep);
+ sep = ", ";
+ }
+ if (big_list_of_dodgy_apps[i].found_it & (1 << HOOKDLLNAME))
+ {
+ printf ("%sLoaded hook DLL", sep);
+ }
+ printf (".\n\n");
+ }
+ }
+ }
+ /* Tidy up allocations. */
+ free (pslist);
+ free (modlist);
+}
+
git://sourceware.org / newlib-cygwin.git / commitdiff