2023-07-02 19:35:01 +02:00
|
|
|
/* ___ _ ___ _ _ _
|
|
|
|
|
* / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _
|
2023-07-02 18:51:02 +02:00
|
|
|
* | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || |
|
|
|
|
|
* \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, |
|
2023-07-02 19:35:01 +02:00
|
|
|
* |___/ |__/
|
2023-07-02 18:51:02 +02:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "Domito.Internal.h"
|
|
|
|
|
#include "Domito.MinCrypt.h"
|
|
|
|
|
|
2023-07-02 19:35:01 +02:00
|
|
|
DOMITO_CODE_INTEGRITY G_CI = {};
|
|
|
|
|
|
2023-07-02 18:51:02 +02:00
|
|
|
|
2023-07-03 00:24:31 +02:00
|
|
|
/* ___ ___ __ __
|
|
|
|
|
* / __|_ _| \ \ / / _ __ _ _ __ _ __ ___ _ _ ___
|
|
|
|
|
* | (__ | | \ \/\/ / '_/ _` | '_ \ '_ \/ -_) '_(_-<
|
|
|
|
|
* \___|___| \_/\_/|_| \__,_| .__/ .__/\___|_| /__/
|
|
|
|
|
* |_| |_|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
PVOID
|
2023-07-03 17:45:57 +02:00
|
|
|
NTAPI
|
|
|
|
|
CiFreePolicyInfo(
|
2023-07-03 00:24:31 +02:00
|
|
|
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (G_CI.CiFreePolicyInfo)
|
|
|
|
|
{
|
|
|
|
|
return G_CI.CiFreePolicyInfo(PolicyInfo);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
NTSTATUS
|
2023-07-03 17:45:57 +02:00
|
|
|
NTAPI
|
|
|
|
|
CiCheckSignedFile(
|
|
|
|
|
_In_ PVOID Hash,
|
|
|
|
|
_In_ UINT32 HashSize,
|
|
|
|
|
_In_ ALG_ID HashAlgId,
|
|
|
|
|
_In_ PVOID SecurityDirectory,
|
|
|
|
|
_In_ UINT32 SizeOfSecurityDirectory,
|
|
|
|
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
|
|
|
_Out_ LARGE_INTEGER* SigningTime,
|
|
|
|
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
2023-07-03 00:24:31 +02:00
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (G_CI.CiCheckSignedFile)
|
|
|
|
|
{
|
|
|
|
|
return G_CI.CiCheckSignedFile(
|
|
|
|
|
Hash,
|
|
|
|
|
HashSize,
|
|
|
|
|
HashAlgId,
|
|
|
|
|
SecurityDirectory,
|
|
|
|
|
SizeOfSecurityDirectory,
|
|
|
|
|
PolicyInfo,
|
|
|
|
|
SigningTime,
|
|
|
|
|
TimeStampPolicyInfo
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
NTSTATUS
|
2023-07-03 17:45:57 +02:00
|
|
|
NTAPI
|
|
|
|
|
CiVerifyHashInCatalog(
|
|
|
|
|
_In_ PVOID Hash,
|
|
|
|
|
_In_ UINT32 HashSize,
|
|
|
|
|
_In_ ALG_ID HashAlgId,
|
|
|
|
|
_In_ BOOLEAN IsReloadCatalogs,
|
|
|
|
|
_In_ UINT32 Always0,
|
|
|
|
|
_In_ UINT32 Always2007F,
|
|
|
|
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
|
|
|
_Out_opt_ UNICODE_STRING* CatalogName,
|
|
|
|
|
_Out_ LARGE_INTEGER* SigningTime,
|
|
|
|
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
2023-07-03 00:24:31 +02:00
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (G_CI.CiVerifyHashInCatalog)
|
|
|
|
|
{
|
|
|
|
|
return G_CI.CiVerifyHashInCatalog(
|
|
|
|
|
Hash,
|
|
|
|
|
HashSize,
|
|
|
|
|
HashAlgId,
|
|
|
|
|
IsReloadCatalogs,
|
|
|
|
|
Always0,
|
|
|
|
|
Always2007F,
|
|
|
|
|
PolicyInfo,
|
|
|
|
|
CatalogName,
|
|
|
|
|
SigningTime,
|
|
|
|
|
TimeStampPolicyInfo
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
2023-07-03 17:45:57 +02:00
|
|
|
NTAPI
|
|
|
|
|
CiGetCertPublisherName(
|
|
|
|
|
_In_ MINCERT_BLOB* Certificate,
|
2023-07-03 00:24:31 +02:00
|
|
|
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
|
|
|
|
|
_Out_ PUNICODE_STRING PublisherName
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (G_CI.CiGetCertPublisherName)
|
|
|
|
|
{
|
2023-07-03 02:02:45 +02:00
|
|
|
return G_CI.CiGetCertPublisherName(
|
2023-07-03 00:24:31 +02:00
|
|
|
Certificate,
|
|
|
|
|
AllocateRoutine,
|
|
|
|
|
PublisherName
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VOID
|
2023-07-03 17:45:57 +02:00
|
|
|
NTAPI
|
|
|
|
|
CiSetTrustedOriginClaimId(
|
2023-07-03 00:24:31 +02:00
|
|
|
_In_ UINT32 ClaimId
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (G_CI.CiSetTrustedOriginClaimId)
|
|
|
|
|
{
|
|
|
|
|
G_CI.CiSetTrustedOriginClaimId(ClaimId);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
NTSTATUS
|
2023-07-03 17:45:57 +02:00
|
|
|
NTAPI
|
|
|
|
|
CiValidateFileObject(
|
|
|
|
|
_In_ FILE_OBJECT* FileObject,
|
|
|
|
|
_In_opt_ UINT32 Unkonwn1,
|
|
|
|
|
_In_opt_ UINT32 Unkonwn2,
|
|
|
|
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
|
|
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
|
|
|
|
|
_Out_ LARGE_INTEGER* SigningTime,
|
|
|
|
|
_Out_ UINT8* Hash,
|
|
|
|
|
_Inout_ UINT32* HashSize,
|
|
|
|
|
_Out_ ALG_ID* HashAlgId
|
2023-07-03 00:24:31 +02:00
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (G_CI.CiValidateFileObject)
|
|
|
|
|
{
|
2023-07-03 02:02:45 +02:00
|
|
|
return G_CI.CiValidateFileObject(
|
2023-07-03 00:24:31 +02:00
|
|
|
FileObject,
|
2023-07-03 17:45:57 +02:00
|
|
|
Unkonwn1,
|
|
|
|
|
Unkonwn2,
|
2023-07-03 00:24:31 +02:00
|
|
|
PolicyInfo,
|
|
|
|
|
TimeStampPolicyInfo,
|
|
|
|
|
SigningTime,
|
|
|
|
|
Hash,
|
|
|
|
|
HashSize,
|
|
|
|
|
HashAlgId
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* _ _ _ _ _ _ _ ___ _ _
|
|
|
|
|
* | | | | |_(_) (_) |_ _ _ | __| _ _ _ __| |_(_)___ _ _ ___
|
|
|
|
|
* | |_| | _| | | | _| || | | _| || | ' \/ _| _| / _ \ ' \(_-<
|
|
|
|
|
* \___/ \__|_|_|_|\__|\_, | |_| \_,_|_||_\__|\__|_\___/_||_/__/
|
|
|
|
|
* |__/
|
|
|
|
|
*/
|
|
|
|
|
|
2023-07-02 18:51:02 +02:00
|
|
|
_IRQL_requires_max_(DISPATCH_LEVEL)
|
|
|
|
|
UINT32
|
|
|
|
|
DomitoGetPortableExecutableDigestKind(
|
|
|
|
|
_In_ PUCHAR pPeBytes,
|
|
|
|
|
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
if (!pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
|
|
|
|
|
{
|
|
|
|
|
return CALG_SHA1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const PVOID pBase = pPeBytes + pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
|
|
|
|
|
const LPWIN_CERTIFICATE pCert = (WIN_CERTIFICATE*)pBase;
|
|
|
|
|
PUCHAR pMatch = NULL;
|
|
|
|
|
|
|
|
|
|
if (NT_SUCCESS(DomitoMemorySearchPattern(
|
|
|
|
|
(const PUCHAR)"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
|
|
|
|
|
0x00,
|
|
|
|
|
15,
|
|
|
|
|
pBase,
|
|
|
|
|
pCert->dwLength,
|
|
|
|
|
(PVOID*)&pMatch
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
return CALG_SHA1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (NT_SUCCESS(DomitoMemorySearchPattern(
|
|
|
|
|
(const PUCHAR)"\x30\xcc\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\xcc\x05\x00\x04\xcc",
|
|
|
|
|
0xcc,
|
|
|
|
|
19,
|
|
|
|
|
pBase,
|
|
|
|
|
pCert->dwLength,
|
|
|
|
|
(PVOID*)&pMatch
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
if (pMatch == NULL)
|
|
|
|
|
{
|
|
|
|
|
return CALG_SHA1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pMatch[1] == 0x31 && pMatch[14] == 0x01 && pMatch[18] == 0x20)
|
|
|
|
|
{
|
|
|
|
|
return CALG_SHA256;
|
|
|
|
|
}
|
|
|
|
|
else if (pMatch[1] == 0x41 && pMatch[14] == 0x02 && pMatch[18] == 0x30)
|
|
|
|
|
{
|
|
|
|
|
return CALG_SHA384;
|
|
|
|
|
}
|
|
|
|
|
else if (pMatch[1] == 0x51 && pMatch[14] == 0x03 && pMatch[18] == 0x40)
|
|
|
|
|
{
|
|
|
|
|
return CALG_SHA512;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CALG_SHA1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_Success_(return == STATUS_SUCCESS)
|
|
|
|
|
_Must_inspect_result_
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DomitoCalculatePortableExecutableDigest(
|
|
|
|
|
_In_ PUCHAR pPeBytes,
|
|
|
|
|
_In_ ULONG PeSize,
|
|
|
|
|
_Out_ PUINT32 pDigestCalgOut,
|
|
|
|
|
_Out_ PULONG pDigestSizeOut,
|
|
|
|
|
_Out_ PVOID * pDigestOut,
|
|
|
|
|
_Outptr_result_maybenull_ LPWIN_CERTIFICATE * pCertOut,
|
|
|
|
|
_Out_ PULONG pSizeOfSecurityDirectory
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
PIMAGE_DATA_DIRECTORY pImgDataDirectory;
|
|
|
|
|
BOOLEAN is64Bit;
|
|
|
|
|
PUCHAR pHash = nullptr;
|
|
|
|
|
NTSTATUS status;
|
|
|
|
|
BCRYPT_ALG_HANDLE hbAlg = nullptr;
|
|
|
|
|
BCRYPT_HASH_HANDLE hbHash = nullptr;
|
|
|
|
|
UINT32 hashLength = 0;
|
|
|
|
|
ULONG resultLength;
|
|
|
|
|
ULONG fileOffset = 0;
|
|
|
|
|
|
|
|
|
|
const PIMAGE_DOS_HEADER phDos = (IMAGE_DOS_HEADER*)pPeBytes;
|
|
|
|
|
if (phDos->e_magic != IMAGE_DOS_SIGNATURE)
|
|
|
|
|
{
|
|
|
|
|
// Not an executable
|
|
|
|
|
return STATUS_INVALID_IMAGE_NOT_MZ;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const PIMAGE_NT_HEADERS phNt = (PIMAGE_NT_HEADERS)(pPeBytes + phDos->e_lfanew);
|
|
|
|
|
if (phNt->Signature != IMAGE_NT_SIGNATURE)
|
|
|
|
|
{
|
|
|
|
|
// Not a PE image
|
|
|
|
|
return STATUS_INVALID_IMAGE_FORMAT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Check if PE is 32 or 64 bits
|
|
|
|
|
//
|
|
|
|
|
switch (phNt->OptionalHeader.Magic)
|
|
|
|
|
{
|
|
|
|
|
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
|
|
|
|
|
is64Bit = FALSE;
|
|
|
|
|
break;
|
|
|
|
|
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
|
|
|
|
|
is64Bit = TRUE;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return STATUS_INVALID_IMAGE_FORMAT; // Unsupported architecture
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// TODO: Not sure if 16 * 512 * 512 is right. Do something better!
|
|
|
|
|
//
|
|
|
|
|
ULONG copySize = phDos->e_lfanew + sizeof(IMAGE_FILE_HEADER) + 4 + 0x40;
|
2023-07-03 01:54:12 +02:00
|
|
|
#pragma warning(disable:4996)
|
|
|
|
|
const PUCHAR pBuf = (PUCHAR)ExAllocatePoolWithTag(
|
|
|
|
|
NonPagedPool,
|
|
|
|
|
16 * 512 * 512,
|
|
|
|
|
DOMITO_POOL_TAG
|
|
|
|
|
);
|
|
|
|
|
#pragma warning(default:4996)
|
2023-07-02 18:51:02 +02:00
|
|
|
if (!pBuf)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Fetch the data directory from the PE.
|
|
|
|
|
// Note that we can also use RtlImageDirectoryEntryToData to fetch
|
|
|
|
|
// only the security directory entry but why not do it manually
|
|
|
|
|
// when we have the full PE image anyway
|
|
|
|
|
//
|
|
|
|
|
if (is64Bit == TRUE)
|
|
|
|
|
{
|
|
|
|
|
pImgDataDirectory = ((PIMAGE_NT_HEADERS64)phNt)->OptionalHeader.DataDirectory;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
pImgDataDirectory = ((PIMAGE_NT_HEADERS32)phNt)->OptionalHeader.DataDirectory;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Check if the PE file contains a signature
|
|
|
|
|
//
|
|
|
|
|
const BOOLEAN hasEmbeddedSig = pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress != 0;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Boring bcrypt boilerplate code
|
|
|
|
|
//
|
|
|
|
|
const UINT32 peDigestKind = DomitoGetPortableExecutableDigestKind(pPeBytes, pImgDataDirectory);
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status = BCryptOpenAlgorithmProvider(
|
|
|
|
|
&hbAlg,
|
|
|
|
|
DOMITO_CALG_TO_BCRYPT_ALGORITHM(peDigestKind), // bcrypt doesn't understand standard WinCrypt CALG IDs
|
|
|
|
|
MS_PRIMITIVE_PROVIDER,
|
|
|
|
|
0
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status = BCryptGetProperty(
|
|
|
|
|
hbAlg,
|
|
|
|
|
BCRYPT_HASH_LENGTH,
|
|
|
|
|
(PUCHAR)&hashLength, // put the length of the hash into hashLength
|
|
|
|
|
sizeof(hashLength),
|
|
|
|
|
&resultLength,
|
|
|
|
|
0
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Allocate a buffer to store the resulting hash
|
|
|
|
|
//
|
2023-07-03 01:54:12 +02:00
|
|
|
#pragma warning(disable:4996)
|
|
|
|
|
pHash = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool, hashLength, DOMITO_POOL_TAG);
|
|
|
|
|
#pragma warning(default:4996)
|
2023-07-02 18:51:02 +02:00
|
|
|
if (!pHash)
|
|
|
|
|
{
|
|
|
|
|
status = STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
RtlZeroMemory(pHash, hashLength);
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Create a handle to the resulting hash
|
|
|
|
|
//
|
|
|
|
|
if (!NT_SUCCESS(status = BCryptCreateHash(
|
|
|
|
|
hbAlg,
|
|
|
|
|
&hbHash,
|
|
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
0
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Ok, if we haven't BSODed yet, we're ready to continue
|
|
|
|
|
// parsing the PE/COFF and hash the needed values
|
|
|
|
|
//
|
|
|
|
|
memcpy(pBuf, pPeBytes, copySize);
|
|
|
|
|
fileOffset += copySize;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Hash everything up to the Checksum then skip it
|
|
|
|
|
//
|
|
|
|
|
status = BCryptHashData(
|
|
|
|
|
hbHash,
|
|
|
|
|
pBuf,
|
|
|
|
|
copySize,
|
|
|
|
|
0
|
|
|
|
|
);
|
|
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fileOffset += 4; // Skipping the checksum field here
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Reach the security directory information.
|
|
|
|
|
// For x64 PEs it's 10 bytes further
|
|
|
|
|
//
|
|
|
|
|
copySize = 0x3C;
|
|
|
|
|
if (is64Bit == TRUE)
|
|
|
|
|
{
|
|
|
|
|
copySize += 0x10;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memcpy(pBuf, pPeBytes + fileOffset, copySize);
|
|
|
|
|
fileOffset += copySize;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Again, hash everything up to here then skip the ignored field.
|
|
|
|
|
//
|
|
|
|
|
status = BCryptHashData(
|
|
|
|
|
hbHash,
|
|
|
|
|
pBuf,
|
|
|
|
|
copySize,
|
|
|
|
|
0
|
|
|
|
|
);
|
|
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fileOffset += 8; // Skipping an other ignored field here
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Now hash everything else in the file up to the certificate data.
|
|
|
|
|
//
|
|
|
|
|
ULONG remaining = hasEmbeddedSig
|
|
|
|
|
? pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress - fileOffset
|
|
|
|
|
: PeSize - fileOffset;
|
|
|
|
|
|
|
|
|
|
while (remaining > 0)
|
|
|
|
|
{
|
|
|
|
|
const ULONG chunkSize = min(remaining, 4096);
|
|
|
|
|
ULONG readBytes;
|
|
|
|
|
memset(pBuf, 0, chunkSize);
|
|
|
|
|
|
|
|
|
|
if (fileOffset + chunkSize > PeSize)
|
|
|
|
|
{
|
|
|
|
|
readBytes = PeSize - chunkSize;
|
|
|
|
|
memcpy(pBuf, pPeBytes + fileOffset, readBytes);
|
|
|
|
|
fileOffset += readBytes;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
memcpy(pBuf, pPeBytes + fileOffset, chunkSize);
|
|
|
|
|
readBytes = chunkSize;
|
|
|
|
|
fileOffset += readBytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status = BCryptHashData(
|
|
|
|
|
hbHash,
|
|
|
|
|
pBuf,
|
|
|
|
|
readBytes,
|
|
|
|
|
0
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
remaining -= readBytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Finish up the hash here
|
|
|
|
|
//
|
|
|
|
|
if (!NT_SUCCESS(status = BCryptFinishHash(
|
|
|
|
|
hbHash,
|
|
|
|
|
pHash,
|
|
|
|
|
hashLength,
|
|
|
|
|
0
|
|
|
|
|
)))
|
|
|
|
|
{
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Supply the results to the caller
|
|
|
|
|
//
|
|
|
|
|
*pDigestCalgOut = peDigestKind;
|
|
|
|
|
*pDigestSizeOut = hashLength;
|
|
|
|
|
*pDigestOut = pHash;
|
|
|
|
|
if (hasEmbeddedSig == TRUE)
|
|
|
|
|
{
|
|
|
|
|
*pCertOut = (LPWIN_CERTIFICATE)(pPeBytes + pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress);
|
|
|
|
|
*pSizeOfSecurityDirectory = pImgDataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
*pCertOut = NULL;
|
|
|
|
|
*pSizeOfSecurityDirectory = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status = STATUS_SUCCESS;
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
if (pBuf)
|
|
|
|
|
{
|
2023-07-03 01:54:12 +02:00
|
|
|
ExFreePoolWithTag(pBuf, DOMITO_POOL_TAG);
|
2023-07-02 18:51:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (hbHash)
|
|
|
|
|
{
|
|
|
|
|
BCryptDestroyHash(hbHash);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (hbAlg)
|
|
|
|
|
{
|
|
|
|
|
BCryptCloseAlgorithmProvider(hbAlg, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_Success_(return == STATUS_SUCCESS)
|
|
|
|
|
_Must_inspect_result_
|
|
|
|
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
|
|
|
#pragma code_seg("PAGED")
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DomitoValidateFileLegacyMode(
|
|
|
|
|
_In_ HANDLE FileHandle,
|
|
|
|
|
_In_ PVOID Hash,
|
|
|
|
|
_In_ UINT32 HashSize,
|
|
|
|
|
_In_ ALG_ID HashAlgId,
|
|
|
|
|
_In_ const IMAGE_DATA_DIRECTORY * SecurityDirectory,
|
|
|
|
|
_Inout_ MINCRYPT_POLICY_INFO * PolicyInfo,
|
|
|
|
|
_Out_ LARGE_INTEGER * SigningTime,
|
|
|
|
|
_Inout_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
NTSTATUS status = STATUS_SUCCESS;
|
|
|
|
|
PVOID certDirectory = nullptr;
|
|
|
|
|
KAPC_STATE systemContext = {};
|
|
|
|
|
|
|
|
|
|
do
|
|
|
|
|
{
|
2023-07-02 19:35:01 +02:00
|
|
|
if (!G_CI.CiFreePolicyInfo || !G_CI.CiCheckSignedFile || !G_CI.CiVerifyHashInCatalog)
|
|
|
|
|
{
|
|
|
|
|
status = STATUS_NOT_IMPLEMENTED;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-02 18:51:02 +02:00
|
|
|
SigningTime->QuadPart = 0;
|
|
|
|
|
|
2023-07-02 19:35:01 +02:00
|
|
|
G_CI.CiFreePolicyInfo(PolicyInfo);
|
|
|
|
|
G_CI.CiFreePolicyInfo(TimeStampPolicyInfo);
|
2023-07-02 18:51:02 +02:00
|
|
|
|
2023-07-02 19:35:01 +02:00
|
|
|
if (HashSize != MINCRYPT_SHA1_LENGTH && HashSize != MINCRYPT_SHA256_LENGTH)
|
2023-07-02 18:51:02 +02:00
|
|
|
{
|
|
|
|
|
status = STATUS_INVALID_IMAGE_HASH;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (SecurityDirectory->Size != 0u &&
|
|
|
|
|
SecurityDirectory->VirtualAddress != 0u)
|
|
|
|
|
{
|
2023-07-03 01:54:12 +02:00
|
|
|
#pragma warning(disable:4996)
|
|
|
|
|
certDirectory = ExAllocatePoolWithTag(
|
|
|
|
|
PagedPool,
|
|
|
|
|
SecurityDirectory->Size,
|
|
|
|
|
DOMITO_POOL_TAG
|
|
|
|
|
);
|
|
|
|
|
#pragma warning(default:4996)
|
2023-07-02 18:51:02 +02:00
|
|
|
if (certDirectory == NULL)
|
|
|
|
|
{
|
|
|
|
|
status = STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LARGE_INTEGER offset = {};
|
|
|
|
|
IO_STATUS_BLOCK ioStatusBlock = {};
|
|
|
|
|
|
|
|
|
|
offset.LowPart = SecurityDirectory->VirtualAddress;
|
|
|
|
|
|
|
|
|
|
status = ZwReadFile(
|
|
|
|
|
FileHandle,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
&ioStatusBlock,
|
|
|
|
|
certDirectory,
|
|
|
|
|
SecurityDirectory->Size,
|
|
|
|
|
&offset,
|
|
|
|
|
NULL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (status == STATUS_PENDING)
|
|
|
|
|
{
|
|
|
|
|
ZwWaitForSingleObject(
|
|
|
|
|
FileHandle,
|
|
|
|
|
FALSE,
|
|
|
|
|
NULL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
MemoryBarrier();
|
|
|
|
|
status = ioStatusBlock.Status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
|
{
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
|
|
|
|
|
{
|
2023-07-02 19:35:01 +02:00
|
|
|
status = G_CI.CiCheckSignedFile(
|
2023-07-02 18:51:02 +02:00
|
|
|
Hash,
|
|
|
|
|
HashSize,
|
|
|
|
|
HashAlgId,
|
|
|
|
|
certDirectory,
|
|
|
|
|
SecurityDirectory->Size,
|
|
|
|
|
PolicyInfo,
|
|
|
|
|
SigningTime,
|
|
|
|
|
TimeStampPolicyInfo
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
KeUnstackDetachProcess(&systemContext);
|
|
|
|
|
|
|
|
|
|
if (NT_SUCCESS(status))
|
|
|
|
|
{
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (status != STATUS_INVALID_IMAGE_HASH)
|
|
|
|
|
{
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
|
|
|
|
|
{
|
2023-07-02 19:35:01 +02:00
|
|
|
status = G_CI.CiVerifyHashInCatalog(
|
2023-07-02 18:51:02 +02:00
|
|
|
Hash,
|
|
|
|
|
HashSize,
|
|
|
|
|
HashAlgId,
|
|
|
|
|
FALSE,
|
|
|
|
|
0,
|
|
|
|
|
0x2007F,
|
|
|
|
|
PolicyInfo,
|
|
|
|
|
NULL,
|
|
|
|
|
SigningTime,
|
|
|
|
|
TimeStampPolicyInfo
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (status == STATUS_INVALID_IMAGE_HASH)
|
|
|
|
|
{
|
2023-07-02 19:35:01 +02:00
|
|
|
status = G_CI.CiVerifyHashInCatalog(
|
2023-07-02 18:51:02 +02:00
|
|
|
Hash,
|
|
|
|
|
HashSize,
|
|
|
|
|
HashAlgId,
|
|
|
|
|
TRUE,
|
|
|
|
|
0,
|
|
|
|
|
0x2007F,
|
|
|
|
|
PolicyInfo,
|
|
|
|
|
NULL,
|
|
|
|
|
SigningTime,
|
|
|
|
|
TimeStampPolicyInfo
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
KeUnstackDetachProcess(&systemContext);
|
|
|
|
|
|
|
|
|
|
} while (FALSE);
|
|
|
|
|
|
|
|
|
|
if (certDirectory)
|
|
|
|
|
{
|
2023-07-03 01:54:12 +02:00
|
|
|
ExFreePoolWithTag(certDirectory, DOMITO_POOL_TAG);
|
2023-07-02 18:51:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
#pragma code_seg()
|
