in PPLGuardDll/dllexploit.cpp [539:587]
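/*
 * Walk a Toolhelp snapshot of all running processes and, for every process
 * that ProcessIsAMPPL() reports as an anti-malware PPL, call
 * HardenAntiMalwareServiceToken() on it.
 *
 * Returns the BOOL returned by the most recent HardenAntiMalwareServiceToken()
 * call. Returns FALSE when the snapshot cannot be taken or iterated, or when no
 * AM-PPL process was found. Processes that cannot be opened with
 * PROCESS_QUERY_LIMITED_INFORMATION are skipped silently.
 */
BOOL HardenAntiMalwareServices()
{
    BOOL bResult = FALSE;
    // Initialised to the same sentinel the cleanup path tests for.
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    // Wide variant used explicitly so it matches Process32FirstW/NextW
    // regardless of whether UNICODE is defined for this translation unit.
    PROCESSENTRY32W processEntry = { 0, };

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        goto end;
    }

    // Toolhelp requires dwSize to be set before the first enumeration call.
    processEntry.dwSize = sizeof(processEntry);
    if (!Process32FirstW(hSnapshot, &processEntry))
    {
        goto end;
    }

    do
    {
        // Release the handle from the previous iteration before opening the next.
        if (hProcess)
        {
            CloseHandle(hProcess);
            hProcess = NULL;
        }

        hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processEntry.th32ProcessID);
        if (!hProcess)
        {
            // Cannot open this process; skip it. 'continue' in a do/while
            // jumps to the Process32NextW() condition below.
            continue;
        }

        if (!ProcessIsAMPPL(hProcess))
        {
            continue;
        }

        LogToConsole(L"Hardening token of AM-PPL service: %ws (PID %u)\n", processEntry.szExeFile, processEntry.th32ProcessID);
        // Only the outcome for the last matching process survives: an earlier
        // failure is masked if a later process is hardened successfully.
        bResult = HardenAntiMalwareServiceToken(hProcess);
    } while (Process32NextW(hSnapshot, &processEntry));

end:
    // The handle opened in the final loop iteration is not released inside the
    // loop; close it here so every call does not leak one process handle.
    if (hProcess)
    {
        CloseHandle(hProcess);
    }
    if (INVALID_HANDLE_VALUE != hSnapshot)
    {
        CloseHandle(hSnapshot);
    }
    return bResult;
}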