As reported by KillerInstinct, we were only currently protecting the …

…analyzer directory, not the results directory. Protect this as well so that (for instance) ransomware won't find this directory and end up encrypting files or process dumps inside it. Also fix some code that would have caused the matches on the analyzer directory to fail.

.gitignore

@@ -12,3 +12,5 @@ bson/Release
 objects
 Release
 tests/logging-test.*
+*.suo
+*.opendb

bson/bson.vcxproj

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -26,26 +26,26 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v120</PlatformToolset>
+    <PlatformToolset>v140</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v120</PlatformToolset>
+    <PlatformToolset>v140</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v120_xp</PlatformToolset>
+    <PlatformToolset>v140_xp</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v120_xp</PlatformToolset>
+    <PlatformToolset>v140_xp</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>

config.c

@@ -67,8 +67,10 @@ int read_config(void)
 			}
 			else if (!strcmp(key, "results")) {
                 strncpy(g_config.results, value,
-                    ARRAYSIZE(g_config.results));
-            }
+                    ARRAYSIZE(g_config.results) - 1);
+				for (i = 0; i < ARRAYSIZE(g_config.results); i++)
+					g_config.w_results[i] = (wchar_t)(unsigned short)g_config.results[i];
+			}
 			else if (!strcmp(key, "file-of-interest")) {
 				unsigned int len = (unsigned int)strlen(value);
 				if (len > 1) {
@@ -110,13 +112,12 @@ int read_config(void)
 			}
 			else if (!strcmp(key, "analyzer")) {
                 strncpy(g_config.analyzer, value,
-                    ARRAYSIZE(g_config.analyzer)-2);
-				strcat(g_config.analyzer, "\\");
+                    ARRAYSIZE(g_config.analyzer)-1);
 				for (i = 0; i < ARRAYSIZE(g_config.analyzer); i++)
 					g_config.w_analyzer[i] = (wchar_t)(unsigned short)g_config.analyzer[i];
 				wcscpy(g_config.dllpath, g_config.w_analyzer);
-				if (wcslen(g_config.dllpath) < ARRAYSIZE(g_config.dllpath) - 4)
-					wcscat(g_config.dllpath, L"dll\\");
+				if (wcslen(g_config.dllpath) < ARRAYSIZE(g_config.dllpath) - 5)
+					wcscat(g_config.dllpath, L"\\dll\\");
             }
             else if(!strcmp(key, "shutdown-mutex")) {
                 strncpy(g_config.shutdown_mutex, value,

config.h

@@ -25,7 +25,10 @@ struct _g_config {
     // results directory, has to be hidden
     char results[MAX_PATH];
 
-    // analyzer directory, has to be hidden
+	// results directory, has to be hidden
+	wchar_t w_results[MAX_PATH];
+
+	// analyzer directory, has to be hidden
     char analyzer[MAX_PATH];
 
 	// analyzer directory, has to be hidden

hook_file.c

@@ -747,8 +747,11 @@ HOOKDEF(HANDLE, WINAPI, FindFirstFileExA,
     HANDLE ret = Old_FindFirstFileExA(lpFileName, fInfoLevelId,
         lpFindFileData, fSearchOp, lpSearchFilter, dwAdditionalFlags);
 
-	// XXX: change me if we ever move the analyzer dir out of the root directory
-	if (!g_config.no_stealth && ret != INVALID_HANDLE_VALUE && !stricmp(((PWIN32_FIND_DATAA)lpFindFileData)->cFileName, g_config.analyzer + 3)) {
+	// XXX: change me if we ever move the analyzer or results dir out of the root directory
+	if (!g_config.no_stealth && ret != INVALID_HANDLE_VALUE &&
+		(!stricmp(((PWIN32_FIND_DATAA)lpFindFileData)->cFileName, g_config.analyzer + 3) ||
+	     !stricmp(((PWIN32_FIND_DATAA)lpFindFileData)->cFileName, g_config.results + 3))
+		) {
 		lasterror_t lasterror;
 
 		lasterror.Win32Error = 0x00000002;
@@ -788,7 +791,10 @@ HOOKDEF(HANDLE, WINAPI, FindFirstFileExW,
         lpFindFileData, fSearchOp, lpSearchFilter, dwAdditionalFlags);
 
 	// XXX: change me if we ever move the analyzer dir out of the root directory
-	if (!g_config.no_stealth && ret != INVALID_HANDLE_VALUE && !wcsicmp(((PWIN32_FIND_DATAW)lpFindFileData)->cFileName, g_config.w_analyzer + 3)) {
+	if (!g_config.no_stealth && ret != INVALID_HANDLE_VALUE &&
+		(!wcsicmp(((PWIN32_FIND_DATAW)lpFindFileData)->cFileName, g_config.w_analyzer + 3) ||
+	     !wcsicmp(((PWIN32_FIND_DATAW)lpFindFileData)->cFileName, g_config.w_results + 3))
+		) {
 		lasterror_t lasterror;
 
 		lasterror.Win32Error = 0x00000002;
@@ -821,7 +827,8 @@ HOOKDEF(BOOL, WINAPI, FindNextFileW,
 ) {
 	BOOL ret = Old_FindNextFileW(hFindFile, lpFindFileData);
 
-	if (!g_config.no_stealth && ret && !wcsicmp(lpFindFileData->cFileName, g_config.w_analyzer + 3)) {
+	while (!g_config.no_stealth && ret && (!wcsicmp(lpFindFileData->cFileName, g_config.w_analyzer + 3) ||
+		!wcsicmp(lpFindFileData->cFileName, g_config.w_results + 3))) {
 		ret = Old_FindNextFileW(hFindFile, lpFindFileData);
 	}
 

loader/loader/loader.vcxproj

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -27,26 +27,26 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v120_xp</PlatformToolset>
+    <PlatformToolset>v140_xp</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v120_xp</PlatformToolset>
+    <PlatformToolset>v140_xp</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v120_xp</PlatformToolset>
+    <PlatformToolset>v140_xp</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v120_xp</PlatformToolset>
+    <PlatformToolset>v140_xp</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>