GH-6: Validate input parameters to avoid crashes
Prevent VirusTotal false-positive detections caused by WerFault.exe being launched as a child process
negrutiu committed Mar 16, 2023
1 parent 12e17df commit ec1cb28
Showing 2 changed files with 17 additions and 0 deletions.
8 changes: 8 additions & 0 deletions main.c
@@ -211,6 +211,7 @@ void __cdecl Request(
QUEUE_REQUEST_PARAM Param;
PQUEUE_REQUEST pReq = NULL;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -268,6 +269,7 @@ void __cdecl QueryGlobal(
ULONG64 iTotalRecvBytes = 0;
ULONG iTotalSpeed = 0;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -388,6 +390,7 @@ void __cdecl Query(
LPTSTR pParam[30];
int iParamCount = 0, iDropCount = 0, i;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -587,6 +590,7 @@ void __cdecl Set(
BOOLEAN bRemove = FALSE;
BOOLEAN bAbort = FALSE;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -680,6 +684,7 @@ void __cdecl Enumerate(
REQUEST_STATUS iStatus = ANY_STATUS;
ULONG iPrio = ANY_PRIORITY;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -816,6 +821,7 @@ void __cdecl Wait(
LPTSTR psz;
GUI_WAIT_PARAM Param;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -866,6 +872,7 @@ void __cdecl Transfer(
GUI_WAIT_PARAM WaitParam;
PQUEUE_REQUEST pReq = NULL;

EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

@@ -938,6 +945,7 @@ void __cdecl Test(
extra_parameters *extra
)
{
EXDLL_VALID_PARAMS();
EXDLL_INIT();
EXDLL_VALIDATE();

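Review bot: The new `EXDLL_VALID_PARAMS();` call at the top of `Request` (and likewise in `QueryGlobal`, `Query`, `Set`, `Enumerate`, `Wait`, `Transfer` and `Test`) can leave the function without that being visible at the call site, because the `return` lives inside the macro in main.h. When the check fails, the export returns before `EXDLL_INIT()` and, as far as these hunks show, without reporting anything to the caller, so a script that expects a result would not see an error. A one-line comment above each call would make this explicit, e.g. `/* Returns immediately unless called by NSIS with valid arguments (see main.h) */`. All eight function bodies start and end outside their hunks, so whether later code relies on a pushed result cannot be confirmed from here.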
9 changes: 9 additions & 0 deletions main.h
@@ -24,6 +24,15 @@
// --> NSIS plugin API
#include <nsis/pluginapi.h>

// NOTE:
// VirusTotal "detonates" dlls by running `RunDll32.exe "<dll>",<proc>` with no parameters
// If the function expects valid parameters the dll will likely crash creating WerFault.exe as child process
// This is interpreted as a potential launcher, increasing the chances of the file being labeled as malitious
// Validate input parameters to prevent this
#define EXDLL_VALID_PARAMS() \
if (!parent || !IsWindow(parent) || string_size == 0 || !variables || !stacktop || !extra) \
return;

#undef EXDLL_INIT
#define EXDLL_INIT() { \
g_stringsize=string_size; \
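Review bot: In `EXDLL_VALID_PARAMS()` the test `!parent || !IsWindow(parent)` treats a null parent window as invalid, so any host that legitimately passes no parent window (NSIS silent installs may do this, worth confirming) would turn every export into a silent no-op. The remaining checks only establish that the values are non-zero, not that `variables`, `stacktop` and `extra` point at usable memory, so a caller passing unrelated non-zero arguments could still get past them and reach `EXDLL_INIT()`. Consider `if ((parent && !IsWindow(parent)) || string_size == 0 || !variables || !stacktop || !extra) return;`, wrapped in `do { ... } while (0)` so the bare `if` cannot capture a following `else`. The NOTE comment also misspells "malicious" as `malitious`.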
