void DoStuff()

in PPLGuardDll/dllexploit.cpp [3:110]


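//
// Open the launcher's named event "Global\<guid>_<suffix>" and set it.
//
// Returns TRUE only when the event existed and SetEvent() succeeded. Every
// failure is logged and reported as FALSE; nothing here is fatal, since the
// launcher on the other side of the event presumably falls back to a timeout
// (not visible from this file - confirm in the launcher).
//
static BOOL SignalGuardEvent(const WCHAR *pwszSuffix)
{
    WCHAR wszEventName[MAX_PATH] = { 0 };
    HANDLE hEvent = NULL;
    BOOL bSignaled = FALSE;

    // StringCchPrintf returns an HRESULT; failure codes are negative (this is
    // what FAILED() checks). The original code ignored the result, so a
    // truncated name would have silently opened a non-existent event and the
    // only symptom would have been a misleading "OpenEvent" error.
    if (StringCchPrintf(wszEventName, MAX_PATH, L"Global\\%ws_%ws", g_pwszGuid, pwszSuffix) < 0)
    {
        LogToConsole(L"[-] Event name '%ws' is too long\n", pwszSuffix);
        return FALSE;
    }

    // EVENT_MODIFY_STATE is the least privilege needed to call SetEvent();
    // no need to request SYNCHRONIZE or EVENT_ALL_ACCESS.
    hEvent = OpenEvent(EVENT_MODIFY_STATE, FALSE, wszEventName);
    if (hEvent == NULL)
    {
        LogLastError(L"OpenEvent");
        return FALSE;
    }

    if (SetEvent(hEvent))
        bSignaled = TRUE;
    else
        LogLastError(L"SetEvent");

    CloseHandle(hEvent);
    return bSignaled;
}

//
// Entry point of the payload once this DLL has been loaded inside the
// protected process. Sequence:
//   1. parse the command line (option globals g_b* / g_pwszGuid),
//   2. signal "<guid>_DLL_LOADED" to the launcher,
//   3. remove our own symbolic link from \KnownDlls (cleanup),
//   4. either harden the anti-malware services only, or deny SYSTEM write
//      access to \KnownDlls and \KnownDlls32,
//   5. on success, signal "<guid>_DLL_SUCCESS".
//
// No return value: the launcher only learns the outcome through the events
// and the console log.
//
void DoStuff()
{
    LPWSTR pwszDllName = NULL;
    BOOL bSuccess = FALSE;

    //
    // 1. Parse the command line
    //
    //    Presumably populates g_bDebug, g_bVerbose, g_bHardenAMPPLOnly and
    //    g_pwszGuid, all of which are defined elsewhere in the project.
    //
    ParseCommandLine();

    if (g_bDebug)
        LogToConsole(L"DEBUG mode enabled\n");

    //
    // Signal first Event (DLL loaded)
    //
    //    Best effort: a failure here is logged by the helper but does not
    //    abort the hardening below.
    //
    SignalGuardEvent(L"DLL_LOADED");

    if (g_bVerbose)
        LogToConsole(L"[*] DLL loaded.\n");

    //
    // 2. Do some cleanup
    //
    //    First things first, we need to delete the symbolic link that was created in \KnownDlls.
    //    As this code is executed as SYSTEM inside a PPL with the WindowsTCB protection level, it
    //    should not be a problem.
    //
    //    GetCurrentDllFileName() allocates pwszDllName; it is released at 'end'.
    //
    if (!GetCurrentDllFileName(&pwszDllName))
        goto end;

    // NOTE(review): if the deletion fails we keep going. The symbolic link
    // that redirected the DLL load then stays in \KnownDlls (and, once the
    // directory is made read-only below, cannot be cleaned up by SYSTEM
    // either). The console message is the only trace of that condition.
    if (!DeleteKnownDllEntry(pwszDllName))
        LogToConsole(L"[-] Failed to delete KnownDll entry '%ws'\n", pwszDllName);
    else
    {
        if (g_bVerbose)
            LogToConsole(L"[*] KnownDll entry '%ws' removed.\n", pwszDllName);
    }

    if (g_bHardenAMPPLOnly)
    {
        // Alternative mode: only harden the anti-malware services, leave
        // \KnownDlls untouched. HardenAntiMalwareServices() is defined
        // elsewhere and decides success on its own.
        bSuccess = HardenAntiMalwareServices();
    }
    else
    {
        //
        // 3. Deny SYSTEM write access to \KnownDlls to block future exploits
        //
        if (!MakeKnownDllsReadOnly(L"\\KnownDlls"))
        {
            LogToConsole(L"[-] Failed to lock down KnownDlls entry\n");
        }
        else
        {
            bSuccess = TRUE;

            if (g_bVerbose)
                LogToConsole(L"[*] Successfully locked down KnownDlls.\n");
        }

        //
        // 4. Deny SYSTEM write access to \KnownDlls32 to block future exploits
        //
        // NOTE(review): bSuccess is set if EITHER directory was locked down,
        // so a partial hardening (e.g. \KnownDlls failed, \KnownDlls32
        // succeeded) still signals DLL_SUCCESS. Whether that is intended
        // (e.g. to tolerate a missing \KnownDlls32) cannot be told from this
        // file; the per-directory log lines are the only way to notice it.
        //
        if (!MakeKnownDllsReadOnly(L"\\KnownDlls32"))
        {
            LogToConsole(L"[-] Failed to lock down KnownDlls32 entry\n");
        }
        else
        {
            bSuccess = TRUE;

            if (g_bVerbose)
                LogToConsole(L"[*] Successfully locked down KnownDlls32.\n");
        }
    }

    if (bSuccess)
    {
        //
        // Signal second Event (success)
        //
        SignalGuardEvent(L"DLL_SUCCESS");
    }

end:
    if (pwszDllName)
        LocalFree(pwszDllName);
}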