Module Status

Module Name      Status
n32zip.exe       Completed
nbstatus.exe     Completed
nbxservice       Completed
nbcctr           Completed

The API inventories below list, per module and in that order, the Win32/MFC calls used, the parameters passed, and what each call is used for.

Module: n32zip.exe

API: DeviceIoControl, OpenEvent, SetEvent, CloseHandle; PostMessage, AfxBeginThread, AfxEndThread; OpenProcessToken, LookupPrivilegeValue, GetCurrentProcess, AdjustTokenPrivileges, WinHelp; RegOpenKeyEx, RegQueryValueEx, ExitWindowsEx

DeviceIoControl
  Parameters: DeviceIoControl(hDevice, FSCTL_LOCK_VOLUME, NULL, 0L, NULL, 0L, &dwBytesRet, NULL);
  Usage: Performs a direct I/O control operation on, or retrieves information about, a disk drive. Here it is used to lock and unlock the volume and to start the encryption/decryption process; the use-cases are lock volume, unlock volume, restore flags and clear flags (the full set of control codes is listed under nbxservice).
  Parameter usage:
    hDevice - A handle to the device on which the operation is to be performed. The device is typically a volume, directory, file, or stream. To retrieve a device handle, use the CreateFile function.
    FSCTL_LOCK_VOLUME - The control code for the operation. This value identifies the specific operation to be performed and the type of device on which to perform it.
    NULL - A pointer to the input buffer that contains the data required to perform the operation. The format of this data depends on the value of the dwIoControlCode parameter. This parameter can be NULL if dwIoControlCode specifies an operation that does not require input data.
    0L - The size of the input buffer, in bytes.
    NULL - A pointer to the output buffer that is to receive the data returned by the operation. The format of this data depends on the value of the dwIoControlCode parameter. This parameter can be NULL if dwIoControlCode specifies an operation that does not return data.
    0L - The size of the output buffer, in bytes.
    &dwBytesRet - A pointer to a variable that receives the size of the data stored in the output buffer, in bytes. If the output buffer is too small to receive any data, the call fails, GetLastError returns ERROR_INSUFFICIENT_BUFFER, and lpBytesReturned is zero. If the output buffer is too small to hold all of the data but can hold some entries, some drivers will return as much data as fits. In this case, the call
    NULL - lpOverlapped. NULL on a handle opened without FILE_FLAG_OVERLAPPED makes the call synchronous: it returns only when the driver has completed the request.

OpenEvent
  Parameters: OpenEvent(EVENT_MODIFY_STATE, FALSE, SNB_EVENT_XENCADMIN_SUCCESS);
  Usage: If the USB encryption was started by the service, the service has created an event object under this name. Open it with EVENT_MODIFY_STATE, the only right needed to signal it.

SetEvent
  Parameters: SetEvent(hEvent);
  Usage: Sets the event to signaled, which indicates successful termination of the USB encryption and releases any thread waiting on it.

CloseHandle
  Parameters: CloseHandle(hEvent);
  Usage: Closes the open object handle.

PostMessage
  Parameters: PostMessage(WM_THREAD_COMPLETE, iErr);
  Usage: The two-argument form is the MFC CWnd::PostMessage member. It places the message in the message queue of the thread that created the window and returns without waiting for the thread to process it. Used in the auto-install scenario to hand the worker thread's result code (iErr) back to the window.

AfxBeginThread
  Parameters: AfxBeginThread((AFX_THREADPROC) EncryptDisk, (LPVOID) this);
  Usage: Creates the worker thread that runs the encryption process; the same pattern is used for InstallZipEnc, UpdateZipEnc and UninstallZipEnc.

AfxEndThread
  Parameters: AfxEndThread(0);
  Usage: Ends the calling thread.

OpenProcessToken
  Parameters: OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
  Usage: Opens the access token associated with the current process, with just the rights needed to enable a privilege.

LookupPrivilegeValue
  Parameters: LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);
  Usage: Gets the LUID of the shutdown privilege on the local system.

GetCurrentProcess
  Parameters: none.
  Usage: Retrieves a pseudo handle for the current process; it does not need to be closed.

AdjustTokenPrivileges
  Parameters: AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);
  Usage: Enables the shutdown privilege for this process. Caveat: this function returns TRUE even when the token does not hold the privilege; the call must be followed by a GetLastError() check for ERROR_NOT_ALL_ASSIGNED, otherwise the ExitWindowsEx below fails for a caller that lacks SeShutdownPrivilege.

WinHelp
  Parameters: WinHelp(::GetForegroundWindow(), szHelpFile, HELP_INDEX, 0);
  Usage: Launches Windows Help (Winhelp.exe) with the application's help file and passes HELP_INDEX to indicate which help is requested.

RegOpenKeyEx
  Parameters: RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\nbxservice", 0, KEY_ALL_ACCESS, &hk);
  Usage: Opens the nbxservice service key. Caveat: the access mask requests KEY_ALL_ACCESS although the key is only read; with the default ACL on the Services tree (Users: Read) that open fails with ERROR_ACCESS_DENIED for a non-administrative caller. KEY_QUERY_VALUE is all the RegQueryValueEx that follows needs.

RegQueryValueEx
  Parameters: RegQueryValueEx(hk, "WriteProtectFlag", NULL, NULL, (BYTE*) &dwPlainHandling, &dwSize);
  Usage: Retrieves the type and data of the named value under an open key; here it reads WriteProtectFlag into dwPlainHandling. dwSize must be initialised to sizeof(dwPlainHandling) before the call, since it is an in/out parameter.

ExitWindowsEx
  Parameters: ExitWindowsEx(EWX_REBOOT | EWX_FORCE, 0);
  Usage: Logs off the interactive user, shuts down the system, or shuts down and restarts it; here a forced reboot. EWX_FORCE terminates applications without giving them a chance to save, so unsaved user data is lost. The call needs the shutdown privilege enabled above.
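The n32zip.exe module reads WriteProtectFlag from the nbxservice service key and then acts on it, so whoever can write that key steers the program. The check below is an added example, not code from the module or the product; only the key path and value name come from the notes above, everything else (the function name, the output shape) is assumed. It does the read with a read-only open, which is the right the RegQueryValueEx call actually needs and works from a standard user session, and then lists every principal the key's ACL allows to set values.

```powershell
# Added example, not part of the original modules. Only the key path and the
# value name come from the n32zip.exe notes; the rest is assumed.
function Get-WriteProtectFlagTrust {
    param(
        [string]$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\nbxservice',
        [string]$Value = 'WriteProtectFlag'
    )

    # Read-only open (no KEY_ALL_ACCESS): the Services tree grants Users read
    # access by default, so this works without an administrative token.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { $item.$Value } else { '<not set>' }

    # Every principal allowed to set values under the key is part of the
    # module's trust base: they decide what WriteProtectFlag says.
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    $writers  = (Get-Acl -Path $Key).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights) -band $setValue) -ne 0
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited

    [pscustomobject]@{
        Key      = $Key
        Value    = $Value
        Data     = $data
        CanWrite = $writers
    }
}

$result = Get-WriteProtectFlagTrust
"$($result.Value) = $($result.Data)"
$result.CanWrite | Format-Table -AutoSize
```

On a default installation CanWrite should contain only SYSTEM and Administrators (the rights are inherited from the Services key). Any other account in that list, or an uninherited entry, means the flag n32zip.exe trusts can be set by someone other than an administrator.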

Module: nbstatus.exe

API: RegOpenKey, RegQueryValueEx, RegCloseKey, GetWindowsDirectory, GetCurrentDirectory, GetComputerName

RegOpenKey
  Parameters: RegOpenKey(hRegKey, SNB_REG_KEY_GENERAL, &hRegKey);
  Usage: Opens the product's general settings key. RegOpenKey is the legacy form kept for compatibility with 16-bit Windows and takes no access mask; RegOpenKeyEx with KEY_QUERY_VALUE states the rights actually needed.

RegQueryValueEx
  Parameters: RegQueryValueEx(hRegKey, "StatusLogfilePath", NULL, NULL, (LPBYTE) szLogFile, &ulBytesCopied);
  Usage: Reads the status log file path from the registry into szLogFile.

RegCloseKey
  Parameters: RegCloseKey(hRegKey);
  Usage: Closes the key handle.

GetWindowsDirectory
  Parameters: GetWindowsDirectory(szLogFile, sizeof(szLogFile) - 1)
  Usage: Retrieves the name of the directory where Windows is installed. The Windows directory contains Windows-based applications such as Notepad and some initialisation files, including those of WinHelp. The first parameter is the buffer that receives the directory name, the second is the size of that buffer.

GetCurrentDirectory
  Parameters: GetCurrentDirectory(sizeof(szLogFile) - 1, szLogFile)
  Usage: Retrieves the current directory of the process. The first parameter is the size of the buffer that receives the directory name, the second is the buffer itself (note the argument order is the reverse of GetWindowsDirectory). Both calls write into the same szLogFile buffer that holds the log file path read from the registry.

GetComputerName
  Parameters: GetComputerName(szComputerName, &nSize);
  Usage: Retrieves the NetBIOS name of the local computer. nSize is an in/out parameter: it must hold the buffer size on input and receives the length of the name on output.

Module: nbxservice

API: CreateEvent, WaitForSingleObject, CreateThread, CloseHandle, SendMessage, ResumeThread, CreateFile, DeviceIoControl; StartServiceCtrlDispatcher, RegisterServiceCtrlHandler, RegisterEventSource, ReportEvent, DeregisterEventSource, GetModuleFileName; OpenSCManager, CreateService, CloseServiceHandle, OpenService, ControlService, QueryServiceStatus, DeleteService, SetConsoleCtrlHandler, AllocConsole, FreeConsole, GetStdHandle, WriteFile; QueryRegistryValue, GetCurrentProcess, SetPriorityClass, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, TerminateThread, RegQueryValueEx, SetEvent

CreateEvent
  Parameters: CreateEvent(NULL, FALSE, FALSE, szEventName);   // default security, auto-reset, initially non-signaled
  Usage: Event used to coordinate with MsgBox_Thread.

WaitForSingleObject
  Parameters: WaitForSingleObject(hEvent, INFINITE);
  Usage: Blocks until the event is signaled.

CreateThread (dialog box)
  Parameters: CreateThread(NULL, 0, DlgBox_Thread, (LPVOID) psTCS, 0L, &dwThread_ID);
  Usage: Creates the thread for the dialog box.

CloseHandle
  Parameters: CloseHandle(hDlgBoxThread);
  Usage: Closes all handles once the threads are done.

CreateThread / ResumeThread (encryption)
  Parameters: CreateThread(NULL, 0, Encryption_Thread, (LPVOID) _psTCS, CREATE_SUSPENDED, &dwThread_ID); ResumeThread(hThread);
  Usage: Creates the encryption thread suspended and resumes it once its context is ready. The I/O control is issued from this thread, so the service's own control path is not blocked by it (the original notes describe the I/O control as non-blocking for that reason; the DeviceIoControl call itself is synchronous).

CreateFile
  Parameters: CreateFile(szDeviceName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  Usage: Opens the device selected by the cDriveLetter parameter and reads its contents.

DeviceIoControl
  Parameters:
    DeviceIoControl(hDevice, IOCTL_DISK_ENCRYPT_START, &sIoStartEnc, sizeof(IOStartEnc), NULL, 0L, &dwBytesRet, NULL);
    DeviceIoControl(hDevice, FSCTL_LOCK_VOLUME, NULL, 0L, NULL, 0L, &dwBytesRet, NULL);
    DeviceIoControl(hDevice, FSCTL_UNLOCK_VOLUME, NULL, 0L, NULL, 0L, &dwBytesRet, NULL);
    DeviceIoControl(hDevice, IOCTL_DISK_RESTORE_ACCESSFLAGS, NULL, 0L, NULL, 0L, &cb, NULL);
    DeviceIoControl(hDevice, IOCTL_DISK_CLEAR_ACCESSFLAGS, NULL, 0L, NULL, 0L, &cb, NULL);
    DeviceIoControl(hDriver, dwIoControlCode, lpInBuffer, dwInBufferSize, lpOutBuffer, dwOutBufferSize, &dwRc, NULL);
    CloseHandle(hDriver);
  Usage: Starts the encryption (IOCTL_DISK_ENCRYPT_START with an IOStartEnc input structure), locks and unlocks the volume, and restores or clears the driver's access flags; the last form is the generic wrapper through which a control code and its buffers are passed to the driver. The driver handle is closed afterwards. Every call passes NULL for lpOverlapped and therefore completes synchronously.

StartServiceCtrlDispatcher / RegisterServiceCtrlHandler
  Parameters: StartServiceCtrlDispatcher(dispatchTable); RegisterServiceCtrlHandler(TEXT(_SZSERVICENAME), Service_Ctrl);
  Usage: The service control manager may be starting the service, so StartServiceCtrlDispatcher must be called to connect the main thread to the SCM; Service_Ctrl is then registered as the service's control handler.

RegisterEventSource / ReportEvent / DeregisterEventSource
  Parameters: RegisterEventSource(NULL, TEXT(_SZSERVICENAME)); ReportEvent(hEventSource, EVENTLOG_ERROR_TYPE, 0, 0, NULL, 2, 0, (const char**) lpszStrings, NULL); DeregisterEventSource(hEventSource);
  Usage: Uses event logging to record the error: the two strings in lpszStrings are written as an EVENTLOG_ERROR_TYPE entry with category 0, event ID 0, no user SID and no raw data, then the source handle is released.

GetModuleFileName
  Usage: Gets the full path name of the service binary (used as the binary path when the service is created).

OpenSCManager
  Parameters: OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);   // local machine, default database
  Usage: Opens the Service Control Manager. SC_MANAGER_ALL_ACCESS requires an administrative token; SC_MANAGER_CREATE_SERVICE is what the install path needs and SC_MANAGER_CONNECT is enough for the uninstall path below.

CreateService
  Parameters: CreateService(schSCManager, TEXT(_SZSERVICENAME), szServiceDisplayName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, szPath, NULL, NULL, TEXT(_SZDEPENDENCIES), NULL, NULL);
  Usage: Creates the new service: own process, allowed to interact with the desktop, auto-start, normal error control, no load-ordering group or tag, the dependencies in _SZDEPENDENCIES, running as LocalSystem (NULL account, no password). Caveat: SERVICE_INTERACTIVE_PROCESS on a LocalSystem service puts windows owned by the most privileged local account on the interactive desktop, which is the classic surface for window-message (shatter) attacks; from Windows Vista on, session 0 isolation keeps such windows off the user's desktop, and the IsVista() branch below starts a different dialog thread for that case.

CloseServiceHandle
  Parameters: CloseServiceHandle(schService);
  Usage: Closes the service handle.

OpenSCManager / OpenService / ControlService / QueryServiceStatus / DeleteService (uninstall)
  Parameters: OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); OpenService(schSCManager, TEXT(_SZSERVICENAME), SERVICE_ALL_ACCESS); ControlService(schService, SERVICE_CONTROL_STOP, &ssStatus); QueryServiceStatus(schService, &ssStatus); DeleteService(schService);
  Usage: Opens the SC manager and the service, tries to stop the service, queries its status until it has stopped, and removes it. SERVICE_ALL_ACCESS is more than this path needs: SERVICE_STOP | SERVICE_QUERY_STATUS | DELETE covers the three calls.

SetConsoleCtrlHandler / AllocConsole / FreeConsole / GetStdHandle / WriteFile
  Parameters: SetConsoleCtrlHandler(ControlHandler, TRUE); AllocConsole(); FreeConsole(); GetStdHandle(STD_OUTPUT_HANDLE); WriteFile(hStdOut, szText, strlen(szText), &dwRc, NULL);
  Usage: When run from a console: installs ControlHandler for console control events, allocates a console, copies the error message text into szText and writes it to standard output, and frees the console again.

QueryRegistryValue
  Parameters:
    QueryRegistryValue(HKEY_LOCAL_MACHINE, REGISTRY_KEY, REGISTRY_VALUE2, &dwType, (LPBYTE) &dwRegValue, &dwDataSize);
    QueryRegistryValue(HKEY_LOCAL_MACHINE, REGISTRY_KEY, REGISTRY_VALUE3, &dwType, (LPBYTE) &dwRegValue, &dwDataSize);
    QueryRegistryValue(HKEY_LOCAL_MACHINE, REGISTRY_KEY, REGISTRY_VALUE,  &dwType, (LPBYTE) &dwRegValue, &dwDataSize);
  Usage: Queries the registry, in this order, for the 'USBSTOR-Encryption' value (0: the upper filter will not be installed, 1: it will be installed), the 'PCMCIA-Encryption' value (same meaning) and the 'DialogOption' value (0: the "Initialencryption" button is not displayed, 1: it is displayed). The queries are repeated later when the device-change thread runs.

GetCurrentProcess / SetPriorityClass
  Parameters: GetCurrentProcess(); SetPriorityClass(hProcess, (HIGH_PRIORITY_CLASS - 2));
  Usage: Forces a higher process priority. Caveat: HIGH_PRIORITY_CLASS - 2 is not one of the documented priority-class constants (HIGH_PRIORITY_CLASS is 0x80, so 0x7E is passed); the return value should be checked, and HIGH_PRIORITY_CLASS itself is what the comment describes.

CreateEvent (device change)
  Parameters: CreateEvent(NULL, FALSE, FALSE, "NBXEVENT");
  Usage: Creates the device-change event semaphore: auto-reset, initially non-signaled, named "NBXEVENT", with default security. Caveat: a named event is shared under that name; if another process has already created "NBXEVENT", CreateEvent returns a handle to that object and GetLastError() reports ERROR_ALREADY_EXISTS, so the result should be checked rather than assumed to be a fresh, private object.

CreateThread (device change)
  Parameters: CreateThread(NULL, 0, DeviceChange_Thread, NULL, 0L, &dwThread_ID);
  Usage: Creates the thread for the dialog box which receives the WM_DEVICECHANGE message.

InitializeSecurityDescriptor / SetSecurityDescriptorDacl
  Parameters: InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION); SetSecurityDescriptorDacl(pSD, TRUE, (PACL) NULL, FALSE);
  Usage: Creates a security descriptor that allows anyone to make an I/O control, by attaching an ACL to the descriptor. Caveat: bDaclPresent = TRUE with pDacl = NULL is a NULL DACL, which grants every access right to everyone, not just the write access the comment intends. Any local user, guests included, can then open whatever object this descriptor protects and send it the control codes listed above (start encryption, clear access flags). A real DACL should be built instead, for example from an SDDL string with ConvertStringSecurityDescriptorToSecurityDescriptor, granting only the principals that need to talk to the driver.

WaitForSingleObject
  Parameters: WaitForSingleObject(_hDeviceChangeEvent, INFINITE);
  Usage: Waits until a WM_DEVICECHANGE message has been received (the event is signaled by SetEvent below).

CreateThread / ResumeThread / TerminateThread / CloseHandle (per-device dialog)
  Parameters: CreateThread(psa, 0, IsVista() ? Start_Dlg_Thread : MsgBox_Thread, (LPVOID) &_sTCS[i], CREATE_SUSPENDED, &dwMsgBoxThread_ID); ResumeThread(hThread); TerminateThread(_sTCS[i].hThreadHandle, 0L); CloseHandle(_sTCS[i].hThreadHandle);
  Usage: Creates a new thread per device, suspended, running the message box or (on Vista and later) the dialog starter, with psa as the thread's security attributes, then resumes it; when done the thread is terminated and its handle closed. Caveat: TerminateThread kills the thread without letting it run any cleanup; critical sections it holds stay locked and its stack is not freed until the process exits, so the thread should be told to exit (an event or message) and joined instead.

RegQueryValueEx
  Parameters: RegQueryValueEx(hKeyHandle, lpValueName, NULL, lpdwType, lpDataBuffer, lpcbData);   // key, value name, reserved, type out, data out, size in/out
  Usage: Reads a registry value; this is the generic form behind the queries above.

SetEvent
  Parameters: SetEvent(_hDeviceChangeEvent);
  Usage: Sets the device-change event semaphore once WM_DEVICECHANGE has arrived.
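Two things in the nbxservice notes decide how exposed the installed service is: the CreateService call (interactive, auto-start, LocalSystem) and the DACL the service object ends up with. The check below is an added example, not code from nbxservice or the product. It assumes the service is registered as "nbxservice" (the _SZSERVICENAME macro is not expanded in the notes) and uses only sc.exe and the Win32_Service class, both present on a standard Windows installation. It reports the account, start mode and desktop interaction as the SCM sees them, then parses the service's SDDL and flags any well-known non-administrative principal that holds a right letting it reconfigure, stop, delete or take over the service. It goes a little beyond the notes by also handling ACEs whose rights are written as a hex mask rather than two-letter codes.

```powershell
# Added example, not part of the original modules. The service name is an
# assumption (_SZSERVICENAME is not expanded in the notes above).
function Get-ServiceExposure {
    param([string]$Name = 'nbxservice')

    # Configuration as the SCM sees it: account, start mode, desktop interaction.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { throw "service '$Name' is not installed" }

    # SDDL of the service object; sc.exe prints a blank line and then the string.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    $dacl = $sddl -replace 'S:.*$', ''          # keep only the DACL part

    # Service-object rights that let a caller change what runs or whether it runs.
    # SDDL codes: DC = SERVICE_CHANGE_CONFIG, WP = SERVICE_STOP, SD = DELETE,
    # WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write.
    $dangerousCodes = 'DC', 'WP', 'SD', 'WD', 'WO', 'GA', 'GW'
    # The same rights as bits, for ACEs that carry a hex access mask instead.
    $dangerousMask  = 0x2 -bor 0x20 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
                      0x10000000 -bor 0x40000000
    # Well-known non-administrative principals (SDDL abbreviations).
    $lowPriv = 'WD', 'AU', 'IU', 'BU', 'BG', 'AN'

    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    $acePattern = '\((A);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)'
    $findings = foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        $rights = $m.Groups[2].Value
        $sid    = $m.Groups[3].Value
        if ($sid -notin $lowPriv) { continue }

        if ($rights -match '^0x') {
            $mask = [Convert]::ToInt64($rights.Substring(2), 16)
            $hits = if (($mask -band $dangerousMask) -ne 0) { 'mask:' + $rights } else { @() }
        } else {
            # Split the rights string into its two-letter codes before comparing,
            # so a code is never matched across a boundary (e.g. "SW"+"DC" != "WD").
            $codes = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
            $hits  = $dangerousCodes | Where-Object { $_ -in $codes }
        }
        if ($hits) {
            [pscustomobject]@{ Principal = $sid; Rights = $rights; Dangerous = ($hits -join ',') }
        }
    }

    [pscustomobject]@{
        Name            = $svc.Name
        Account         = $svc.StartName
        StartMode       = $svc.StartMode
        DesktopInteract = $svc.DesktopInteract
        BinaryPath      = $svc.PathName
        Dacl            = $dacl
        LowPrivWriters  = @($findings)
    }
}

$exposure = Get-ServiceExposure
$exposure | Format-List Name, Account, StartMode, DesktopInteract, BinaryPath
$exposure.LowPrivWriters | Format-Table -AutoSize
```

For a service created with the call in the notes, Account shows LocalSystem, StartMode Auto and DesktopInteract True. LowPrivWriters should be empty: the SCM's default service DACL gives Authenticated Users and Interactive only query and user-defined-control rights. Any entry there means a standard user can stop the service or change its binary path, which on a LocalSystem service is a local privilege escalation. Principals given by full SID strings are not classified by this check and need to be resolved by hand. The NULL DACL on the I/O-control object is a separate matter that this service-object check does not cover; a tool that can show the DACL of device objects (such as Sysinternals accesschk with its object option) is needed for that.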

Module: nbcctr

API: WinHelp, GetModuleFileName, FindFirstFile, SetCurrentDirectory, FreeLibrary, FindClose, CreateProcess, ShellExecute

GetModuleFileName
  Parameters: GetModuleFileName(NULL, szFDEDir, MAX_PATH)
  Usage: Retrieves the full path of the running executable into szFDEDir. Caveat: if the path is longer than MAX_PATH the result is truncated and GetLastError() returns ERROR_INSUFFICIENT_BUFFER, so the return value should be compared against the buffer size before the path is used.

SetCurrentDirectory
  Parameters: SetCurrentDirectory(pszPath);
  Usage: Changes the current directory. Caveat: the current directory is part of the default DLL search order and of the lookup for relative names passed to CreateProcess, so pszPath must be a directory the program controls, not one derived from untrusted input.

FreeLibrary / FindClose
  Parameters: FreeLibrary(hInst); FindClose(hNBApp);
  Usage: Releases the module loaded into hInst and closes the FindFirstFile search handle hNBApp.

CreateProcess
  Parameters: CreateProcess((LPTSTR) (LPCSTR) sProgram, NULL, NULL, NULL, TRUE, CREATE_UNICOD   (the rest of the call is cut off in the source)
  Usage: Starts the program named by sProgram with no separate command line and no process or thread security attributes. bInheritHandles is TRUE, so the child inherits every inheritable handle of nbcctr; it should be FALSE unless the child needs a specific handle.

ShellExecute
  Parameters: ShellExecute(NULL, "open", m_link, NULL, NULL, SW_SHOWNORMAL);
  Usage: Calls ShellExecute to run the file: "open" hands m_link to whatever handler is registered for its file type or URL scheme and shows it normally. Where m_link comes from is not shown in these notes; if it can be influenced by a user or a file, the registered handler runs on that input.

