diff --git a/include/Domito.MinCrypt.h b/include/Domito.MinCrypt.h index 924fd8e..b1d37c9 100644 --- a/include/Domito.MinCrypt.h +++ b/include/Domito.MinCrypt.h 
@@ -356,10 +356,204 @@ typedef struct _MINCRYPT_POLICY_INFO #include -/* - * Note: function prototypes moved to - * They'll be made available via run-time dynamic linking instead - */ +/** +* Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null. +* Zeros the entire PolicyInfo struct. +* +* @param PolicyInfo - the struct to reset. +* +* @return the struct which was reset. +*/ +_IRQL_requires_max_(PASSIVE_LEVEL) +EXTERN_C +PVOID +NTAPI +CiFreePolicyInfo( + _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo +); + + +/** +* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10! +* +* Given a file digest and signature of a file, verify the signature and provide information regarding +* the certificates that was used for signing (the entire certificate chain) +* +* @param Hash - buffer containing the digest +* +* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256 +* +* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C) +* +* @param SecurityDirectory - pointer to the start of the security directory +* +* @param SizeOfSecurityDirectory - size the security directory +* +* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain +* +* @param SigningTime[out] - when the file was signed (FILETIME format) +* +* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain +* +* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified. 
+* Various error values otherwise, for example: +* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature +* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked +* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired +*/ +_IRQL_requires_max_(PASSIVE_LEVEL) +EXTERN_C +NTSTATUS +NTAPI +CiCheckSignedFile( + _In_ PVOID Hash, + _In_ UINT32 HashSize, + _In_ ALG_ID HashAlgId, + _In_ PVOID SecurityDirectory, + _In_ UINT32 SizeOfSecurityDirectory, + _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, + _Out_ LARGE_INTEGER* SigningTime, + _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo +); + + +/** +* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10! +* +* Checks if the SHA-1 message digest is contained within a verified system catalog +* +* @note must be attached to the PsInitialSystemProcess first! +* +* @param Hash - buffer containing the digest +* +* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256 +* +* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C) +* +* @param IsReloadCatalogs - is reload catalogs cache. +* +* @param Always0 - this is for IsReloadCatalogs, Always0 != 0 ? 16 : 24; +* +* @param Always2007F - unknown, always 0x2007F, maybe a mask. +* +* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain. +* +* @param CatalogName[out option] - catalog file name. +* +* @param SigningTime[out] - when the file was signed (FILETIME format) +* +* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain. +* +* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified. 
+* Various error values otherwise, for example: +* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature +* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked +* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired +*/ +_IRQL_requires_max_(PASSIVE_LEVEL) +EXTERN_C +NTSTATUS +NTAPI +CiVerifyHashInCatalog( + _In_ PVOID Hash, + _In_ UINT32 HashSize, + _In_ ALG_ID HashAlgId, + _In_ BOOLEAN IsReloadCatalogs, + _In_ UINT32 Always0, + _In_ UINT32 Always2007F, + _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, + _Out_opt_ UNICODE_STRING* CatalogName, + _Out_ LARGE_INTEGER* SigningTime, + _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo +); + + +#if (NTDDI_VERSION >= NTDDI_WIN10) + +typedef +_IRQL_requires_same_ +_Function_class_(MINCRYPT_ALLOCATE_ROUTINE) +__drv_allocatesMem(Mem) +PVOID +NTAPI +MINCRYPT_ALLOCATE_ROUTINE( + _In_ SIZE_T ByteSize +); +typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE; + +/** +* Parse the publisher name from the certificate +* +* @param Certificate - &PolicyInfo.ChainInfo->ChainElements[x].Certificate +* +* @param AllocateRoutine - used to allocate PublisherName buffer. +* +* @param PublisherName[out] - publisher name. +* +* @return buffer length. +*/ +EXTERN_C +NTSTATUS +NTAPI +CiGetCertPublisherName( + _In_ MINCERT_BLOB* Certificate, + _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine, + _Out_ PUNICODE_STRING PublisherName +); + + +EXTERN_C +VOID +NTAPI +CiSetTrustedOriginClaimId( + _In_ UINT32 ClaimId +); + +/** +* Given a file object, verify the signature and provide information regarding +* the certificates that was used for signing (the entire certificate chain) +* +* @param FileObject - FileObject of the PE in question +* +* @param Unkonwn1 - unknown, 0 is a valid value. (Unkonwn1 and Unkonwn2 together calculate the minimum support algorithm) +* +* @param Unkonwn2 - unknown, 0 is a valid value. 
(^ the words above refer to 'CipGetHashAlgorithmForLegacyScenario') +* +* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain. +* +* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain. +* +* @param SigningTime[out] - when the file was signed (FILETIME format) +* +* @param Hash - buffer containing the digest +* +* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256 +* +* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C) +* +* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified. +* Various error values otherwise, for example: +* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature +* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked +* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired +*/ +_IRQL_requires_max_(PASSIVE_LEVEL) +EXTERN_C +NTSTATUS +NTAPI +CiValidateFileObject( + _In_ FILE_OBJECT* FileObject, + _In_opt_ UINT32 Unkonwn1, + _In_opt_ UINT32 Unkonwn2, + _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, + _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo, + _Out_ LARGE_INTEGER* SigningTime, + _Out_ UINT8* Hash, + _Inout_ UINT32* HashSize, + _Out_ ALG_ID* HashAlgId +); + +#endif // NTDDI_VERSION >= NTDDI_WIN10 EXTERN_C_END diff --git a/include/Domito.h b/include/Domito.h index 0490f27..a5beacb 100644 --- a/include/Domito.h +++ b/include/Domito.h 
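Review bot: The new public prototypes of CiCheckSignedFile, CiVerifyHashInCatalog and CiValidateFileObject drop the `_Success_(return == STATUS_SUCCESS)` and `_Must_inspect_result_` annotations that the removed Domito* declarations in include/Domito.h carried, and the definitions in src/Domito.CodeIntegrity.cpp (hunks at -32, -64 and -130) drop them too; for signature-verification routines an ignored NTSTATUS is exactly the silent-bypass bug static analysis should catch, so both annotations belong back above `_IRQL_requires_max_(PASSIVE_LEVEL)` in header and source. The CiValidateFileObject parameters are spelled `Unkonwn1`/`Unkonwn2` here and in the -130 hunk of the .cpp, whereas the removed declarations had `Unknown1`/`Unknown2`. The CiGetCertPublisherName comment says `@return buffer length.` although the function returns NTSTATUS; the comment should describe the status contract instead, with the length read from the returned UNICODE_STRING. The three copies of "cetificate" in the @return blocks should read "certificate".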
@@ -162,97 +162,6 @@ DOMITO_CALG_TO_BCRYPT_ALGORITHM( } -/* ___ _ ___ _ _ _ - * / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _ - * | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || | - * \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, | - * |___/ |__/ - */ - -_IRQL_requires_max_(PASSIVE_LEVEL) -EXTERN_C -PVOID -DomitoCiFreePolicyInfo( - _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo -); - -_Success_(return == STATUS_SUCCESS) -_Must_inspect_result_ -_IRQL_requires_max_(PASSIVE_LEVEL) -EXTERN_C -NTSTATUS -DomitoCiCheckSignedFile( - _In_ PVOID Hash, - _In_ UINT32 HashSize, - _In_ ALG_ID HashAlgId, - _In_ PVOID SecurityDirectory, - _In_ UINT32 SizeOfSecurityDirectory, - _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, - _Out_ LARGE_INTEGER* SigningTime, - _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo -); - -_Success_(return == STATUS_SUCCESS) -_Must_inspect_result_ -_IRQL_requires_max_(PASSIVE_LEVEL) -EXTERN_C -NTSTATUS -DomitoCiVerifyHashInCatalog( - _In_ PVOID Hash, - _In_ UINT32 HashSize, - _In_ ALG_ID HashAlgId, - _In_ BOOLEAN IsReloadCatalogs, - _In_ UINT32 Always0, - _In_ UINT32 Always2007F, - _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, - _Out_opt_ UNICODE_STRING* CatalogName, - _Out_ LARGE_INTEGER* SigningTime, - _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo -); - -typedef -_IRQL_requires_same_ -_Function_class_(MINCRYPT_ALLOCATE_ROUTINE) -__drv_allocatesMem(Mem) -PVOID -NTAPI -MINCRYPT_ALLOCATE_ROUTINE( - _In_ SIZE_T ByteSize -); -typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE; - -EXTERN_C -NTSTATUS -DomitoCiGetCertPublisherName( - _In_ MINCERT_BLOB* Certificate, - _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine, - _Out_ PUNICODE_STRING PublisherName -); - -EXTERN_C -VOID -DomitoCiSetTrustedOriginClaimId( - _In_ UINT32 ClaimId -); - -_Success_(return == STATUS_SUCCESS) -_Must_inspect_result_ -_IRQL_requires_max_(PASSIVE_LEVEL) -EXTERN_C -NTSTATUS -DomitoCiValidateFileObject( - _In_ FILE_OBJECT* FileObject, - _In_opt_ UINT32 Unknown1, - 
_In_opt_ UINT32 Unknown2, - _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, - _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo, - _Out_ LARGE_INTEGER* SigningTime, - _Out_ UINT8* Hash, - _Inout_ UINT32* HashSize, - _Out_ ALG_ID* HashAlgId -); - - /******************************************************************************** * Library functions * ********************************************************************************/ diff --git a/src/Domito.CodeIntegrity.cpp b/src/Domito.CodeIntegrity.cpp index 9a10909..b4a860e 100644 --- a/src/Domito.CodeIntegrity.cpp +++ b/src/Domito.CodeIntegrity.cpp @@ -20,7 +20,8 @@ DOMITO_CODE_INTEGRITY G_CI = {}; _IRQL_requires_max_(PASSIVE_LEVEL) PVOID -DomitoCiFreePolicyInfo( +NTAPI +CiFreePolicyInfo( _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo ) { @@ -32,19 +33,18 @@ DomitoCiFreePolicyInfo( return NULL; } -_Success_(return == STATUS_SUCCESS) -_Must_inspect_result_ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS -DomitoCiCheckSignedFile( - _In_ PVOID Hash, - _In_ UINT32 HashSize, - _In_ ALG_ID HashAlgId, - _In_ PVOID SecurityDirectory, - _In_ UINT32 SizeOfSecurityDirectory, - _Out_ MINCRYPT_POLICY_INFO * PolicyInfo, - _Out_ LARGE_INTEGER * SigningTime, - _Out_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo +NTAPI +CiCheckSignedFile( + _In_ PVOID Hash, + _In_ UINT32 HashSize, + _In_ ALG_ID HashAlgId, + _In_ PVOID SecurityDirectory, + _In_ UINT32 SizeOfSecurityDirectory, + _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, + _Out_ LARGE_INTEGER* SigningTime, + _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo ) { if (G_CI.CiCheckSignedFile) 
@@ -64,21 +64,20 @@ DomitoCiCheckSignedFile( return STATUS_NOT_IMPLEMENTED; } -_Success_(return == STATUS_SUCCESS) -_Must_inspect_result_ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS -DomitoCiVerifyHashInCatalog( - _In_ PVOID Hash, - _In_ UINT32 HashSize, - _In_ ALG_ID HashAlgId, - _In_ BOOLEAN IsReloadCatalogs, - _In_ UINT32 Always0, - _In_ UINT32 Always2007F, - _Out_ MINCRYPT_POLICY_INFO * PolicyInfo, - _Out_opt_ UNICODE_STRING * CatalogName, - _Out_ LARGE_INTEGER * SigningTime, - _Out_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo +NTAPI +CiVerifyHashInCatalog( + _In_ PVOID Hash, + _In_ UINT32 HashSize, + _In_ ALG_ID HashAlgId, + _In_ BOOLEAN IsReloadCatalogs, + _In_ UINT32 Always0, + _In_ UINT32 Always2007F, + _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, + _Out_opt_ UNICODE_STRING* CatalogName, + _Out_ LARGE_INTEGER* SigningTime, + _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo ) { if (G_CI.CiVerifyHashInCatalog) @@ -101,8 +100,9 @@ DomitoCiVerifyHashInCatalog( } NTSTATUS -DomitoCiGetCertPublisherName( - _In_ MINCERT_BLOB * Certificate, +NTAPI +CiGetCertPublisherName( + _In_ MINCERT_BLOB* Certificate, _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine, _Out_ PUNICODE_STRING PublisherName ) @@ -120,7 +120,8 @@ DomitoCiGetCertPublisherName( } VOID -DomitoCiSetTrustedOriginClaimId( +NTAPI +CiSetTrustedOriginClaimId( _In_ UINT32 ClaimId ) { 
@@ -130,28 +131,27 @@ DomitoCiSetTrustedOriginClaimId( } } -_Success_(return == STATUS_SUCCESS) -_Must_inspect_result_ _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS -DomitoCiValidateFileObject( - _In_ FILE_OBJECT * FileObject, - _In_opt_ UINT32 Unknown1, - _In_opt_ UINT32 Unknown2, - _Out_ MINCRYPT_POLICY_INFO * PolicyInfo, - _Out_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo, - _Out_ LARGE_INTEGER * SigningTime, - _Out_ UINT8 * Hash, - _Inout_ UINT32 * HashSize, - _Out_ ALG_ID * HashAlgId +NTAPI +CiValidateFileObject( + _In_ FILE_OBJECT* FileObject, + _In_opt_ UINT32 Unkonwn1, + _In_opt_ UINT32 Unkonwn2, + _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, + _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo, + _Out_ LARGE_INTEGER* SigningTime, + _Out_ UINT8* Hash, + _Inout_ UINT32* HashSize, + _Out_ ALG_ID* HashAlgId ) { if (G_CI.CiValidateFileObject) { return G_CI.CiValidateFileObject( FileObject, - Unknown1, - Unknown2, + Unkonwn1, + Unkonwn2, PolicyInfo, TimeStampPolicyInfo, SigningTime, diff --git a/src/Domito.Internal.h b/src/Domito.Internal.h index 42335a8..8dad77a 100644 --- a/src/Domito.Internal.h +++ b/src/Domito.Internal.h 
@@ -150,193 +150,12 @@ extern DOMITO_MEMORY G_Memory; * |___/ |__/ */ -/** -* Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null. -* Zeros the entire PolicyInfo struct. -* -* @param PolicyInfo - the struct to reset. -* -* @return the struct which was reset. -*/ -_IRQL_requires_max_(PASSIVE_LEVEL) -typedef -PVOID -(NTAPI* -t_CiFreePolicyInfo)( - _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo -); - - -/** -* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10! -* -* Given a file digest and signature of a file, verify the signature and provide information regarding -* the certificates that was used for signing (the entire certificate chain) -* -* @param Hash - buffer containing the digest -* -* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256 -* -* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C) -* -* @param SecurityDirectory - pointer to the start of the security directory -* -* @param SizeOfSecurityDirectory - size the security directory -* -* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain -* -* @param SigningTime[out] - when the file was signed (FILETIME format) -* -* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain -* -* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified. 
-* Various error values otherwise, for example: -* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature -* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked -* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired -*/ -_IRQL_requires_max_(PASSIVE_LEVEL) -typedef -NTSTATUS -(NTAPI* -t_CiCheckSignedFile)( - _In_ PVOID Hash, - _In_ UINT32 HashSize, - _In_ ALG_ID HashAlgId, - _In_ PVOID SecurityDirectory, - _In_ UINT32 SizeOfSecurityDirectory, - _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, - _Out_ LARGE_INTEGER* SigningTime, - _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo -); - - -/** -* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10! -* -* Checks if the SHA-1 message digest is contained within a verified system catalog -* -* @note must be attached to the PsInitialSystemProcess first! -* -* @param Hash - buffer containing the digest -* -* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256 -* -* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C) -* -* @param IsReloadCatalogs - is reload catalogs cache. -* -* @param Always0 - this is for IsReloadCatalogs, Always0 != 0 ? 16 : 24; -* -* @param Always2007F - unknown, always 0x2007F, maybe a mask. -* -* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain. -* -* @param CatalogName[out option] - catalog file name. -* -* @param SigningTime[out] - when the file was signed (FILETIME format) -* -* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain. -* -* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified. 
-* Various error values otherwise, for example: -* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature -* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked -* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired -*/ -_IRQL_requires_max_(PASSIVE_LEVEL) -typedef -NTSTATUS -(NTAPI* -t_CiVerifyHashInCatalog)( - _In_ PVOID Hash, - _In_ UINT32 HashSize, - _In_ ALG_ID HashAlgId, - _In_ BOOLEAN IsReloadCatalogs, - _In_ UINT32 Always0, - _In_ UINT32 Always2007F, - _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, - _Out_opt_ UNICODE_STRING* CatalogName, - _Out_ LARGE_INTEGER* SigningTime, - _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo -); - - -#if (NTDDI_VERSION >= NTDDI_WIN10) - -/** -* Parse the publisher name from the certificate -* -* @param Certificate - &PolicyInfo.ChainInfo->ChainElements[x].Certificate -* -* @param AllocateRoutine - used to allocate PublisherName buffer. -* -* @param PublisherName[out] - publisher name. -* -* @return buffer length. -*/ -typedef -NTSTATUS -(NTAPI* -t_CiGetCertPublisherName)( - _In_ MINCERT_BLOB* Certificate, - _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine, - _Out_ PUNICODE_STRING PublisherName -); - - -typedef -VOID -(NTAPI* -t_CiSetTrustedOriginClaimId)( - _In_ UINT32 ClaimId -); - -/** -* Given a file object, verify the signature and provide information regarding -* the certificates that was used for signing (the entire certificate chain) -* -* @param FileObject - FileObject of the PE in question -* -* @param Unknown1 - unknown, 0 is a valid value. (Unknown1 and Unknown2 together calculate the minimum support algorithm) -* -* @param Unknown2 - unknown, 0 is a valid value. (^ the words above refer to 'CipGetHashAlgorithmForLegacyScenario') -* -* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain. 
-* -* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain. -* -* @param SigningTime[out] - when the file was signed (FILETIME format) -* -* @param Hash - buffer containing the digest -* -* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256 -* -* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C) -* -* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified. -* Various error values otherwise, for example: -* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature -* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked -* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired -*/ -_IRQL_requires_max_(PASSIVE_LEVEL) -typedef -NTSTATUS -(NTAPI* -t_CiValidateFileObject)( - _In_ FILE_OBJECT* FileObject, - _In_opt_ UINT32 Unknown1, - _In_opt_ UINT32 Unknown2, - _Out_ MINCRYPT_POLICY_INFO* PolicyInfo, - _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo, - _Out_ LARGE_INTEGER* SigningTime, - _Out_ UINT8* Hash, - _Inout_ UINT32* HashSize, - _Out_ ALG_ID* HashAlgId -); - -#endif // NTDDI_VERSION >= NTDDI_WIN10 +typedef decltype(&CiFreePolicyInfo) t_CiFreePolicyInfo; +typedef decltype(&CiCheckSignedFile) t_CiCheckSignedFile; +typedef decltype(&CiVerifyHashInCatalog) t_CiVerifyHashInCatalog; +typedef decltype(&CiGetCertPublisherName) t_CiGetCertPublisherName; +typedef decltype(&CiSetTrustedOriginClaimId) t_CiSetTrustedOriginClaimId; +typedef decltype(&CiValidateFileObject) t_CiValidateFileObject; // // Function pointers to CI.dll exports
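Review bot: The `decltype` typedefs for CiGetCertPublisherName, CiSetTrustedOriginClaimId and CiValidateFileObject are no longer inside the `#if (NTDDI_VERSION >= NTDDI_WIN10)` block that the removed hand-written typedefs sat in, yet the prototypes they derive their type from are still declared under that guard in include/Domito.MinCrypt.h (first hunk), so a build with an older NTDDI_VERSION now fails on an undeclared identifier where it previously compiled. Wrap the last three typedef lines in `#if (NTDDI_VERSION >= NTDDI_WIN10)` / `#endif // NTDDI_VERSION >= NTDDI_WIN10` as before. `decltype` also makes this header C++-only and dependent on Domito.MinCrypt.h being included first; a one-line comment such as `// C++ only: pointer types are derived from the prototypes in Domito.MinCrypt.h` would make both constraints explicit. The "Function pointers to CI.dll exports" block that presumably uses these types continues past the hunk.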