Simplified CI definitions

This commit is contained in:
Benjamin Höglinger-Stelzer 2023-07-03 17:45:57 +02:00
parent ede76264fb
commit 1afdd90b4e
4 changed files with 246 additions and 324 deletions

View File

@ -356,10 +356,204 @@ typedef struct _MINCRYPT_POLICY_INFO
#include <poppack.h> #include <poppack.h>
/* /**
* Note: function prototypes moved to <Domito.Internal.h> * Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null.
* They'll be made available via run-time dynamic linking instead * Zeros the entire PolicyInfo struct.
*
* @param PolicyInfo - the struct to reset.
*
* @return the struct which was reset.
*/ */
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
PVOID
NTAPI
CiFreePolicyInfo(
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
);
/**
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
*
* Given a file digest and signature of a file, verify the signature and provide information regarding
* the certificates that was used for signing (the entire certificate chain)
*
* @param Hash - buffer containing the digest
*
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
*
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
*
* @param SecurityDirectory - pointer to the start of the security directory
*
* @param SizeOfSecurityDirectory - size the security directory
*
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain
*
* @param SigningTime[out] - when the file was signed (FILETIME format)
*
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain
*
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
* Various error values otherwise, for example:
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
NTAPI
CiCheckSignedFile(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ PVOID SecurityDirectory,
_In_ UINT32 SizeOfSecurityDirectory,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
/**
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
*
* Checks if the SHA-1 message digest is contained within a verified system catalog
*
* @note must be attached to the PsInitialSystemProcess first!
*
* @param Hash - buffer containing the digest
*
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
*
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
*
* @param IsReloadCatalogs - is reload catalogs cache.
*
* @param Always0 - this is for IsReloadCatalogs, Always0 != 0 ? 16 : 24;
*
* @param Always2007F - unknown, always 0x2007F, maybe a mask.
*
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
*
* @param CatalogName[out option] - catalog file name.
*
* @param SigningTime[out] - when the file was signed (FILETIME format)
*
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
*
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
* Various error values otherwise, for example:
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
NTAPI
CiVerifyHashInCatalog(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ BOOLEAN IsReloadCatalogs,
_In_ UINT32 Always0,
_In_ UINT32 Always2007F,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_opt_ UNICODE_STRING* CatalogName,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
#if (NTDDI_VERSION >= NTDDI_WIN10)
typedef
_IRQL_requires_same_
_Function_class_(MINCRYPT_ALLOCATE_ROUTINE)
__drv_allocatesMem(Mem)
PVOID
NTAPI
MINCRYPT_ALLOCATE_ROUTINE(
_In_ SIZE_T ByteSize
);
typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;
/**
* Parse the publisher name from the certificate
*
* @param Certificate - &PolicyInfo.ChainInfo->ChainElements[x].Certificate
*
* @param AllocateRoutine - used to allocate PublisherName buffer.
*
* @param PublisherName[out] - publisher name.
*
* @return buffer length.
*/
EXTERN_C
NTSTATUS
NTAPI
CiGetCertPublisherName(
_In_ MINCERT_BLOB* Certificate,
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
_Out_ PUNICODE_STRING PublisherName
);
EXTERN_C
VOID
NTAPI
CiSetTrustedOriginClaimId(
_In_ UINT32 ClaimId
);
/**
* Given a file object, verify the signature and provide information regarding
* the certificates that was used for signing (the entire certificate chain)
*
* @param FileObject - FileObject of the PE in question
*
* @param Unkonwn1 - unknown, 0 is a valid value. (Unkonwn1 and Unkonwn2 together calculate the minimum support algorithm)
*
* @param Unkonwn2 - unknown, 0 is a valid value. (^ the words above refer to 'CipGetHashAlgorithmForLegacyScenario')
*
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
*
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
*
* @param SigningTime[out] - when the file was signed (FILETIME format)
*
* @param Hash - buffer containing the digest
*
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
*
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
*
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
* Various error values otherwise, for example:
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
NTAPI
CiValidateFileObject(
_In_ FILE_OBJECT* FileObject,
_In_opt_ UINT32 Unkonwn1,
_In_opt_ UINT32 Unkonwn2,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ UINT8* Hash,
_Inout_ UINT32* HashSize,
_Out_ ALG_ID* HashAlgId
);
#endif // NTDDI_VERSION >= NTDDI_WIN10
EXTERN_C_END EXTERN_C_END

View File

@ -162,97 +162,6 @@ DOMITO_CALG_TO_BCRYPT_ALGORITHM(
} }
/* ___ _ ___ _ _ _
* / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _
* | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || |
* \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, |
* |___/ |__/
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
PVOID
DomitoCiFreePolicyInfo(
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
);
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoCiCheckSignedFile(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ PVOID SecurityDirectory,
_In_ UINT32 SizeOfSecurityDirectory,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoCiVerifyHashInCatalog(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ BOOLEAN IsReloadCatalogs,
_In_ UINT32 Always0,
_In_ UINT32 Always2007F,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_opt_ UNICODE_STRING* CatalogName,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
typedef
_IRQL_requires_same_
_Function_class_(MINCRYPT_ALLOCATE_ROUTINE)
__drv_allocatesMem(Mem)
PVOID
NTAPI
MINCRYPT_ALLOCATE_ROUTINE(
_In_ SIZE_T ByteSize
);
typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;
EXTERN_C
NTSTATUS
DomitoCiGetCertPublisherName(
_In_ MINCERT_BLOB* Certificate,
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
_Out_ PUNICODE_STRING PublisherName
);
EXTERN_C
VOID
DomitoCiSetTrustedOriginClaimId(
_In_ UINT32 ClaimId
);
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoCiValidateFileObject(
_In_ FILE_OBJECT* FileObject,
_In_opt_ UINT32 Unknown1,
_In_opt_ UINT32 Unknown2,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ UINT8* Hash,
_Inout_ UINT32* HashSize,
_Out_ ALG_ID* HashAlgId
);
/******************************************************************************** /********************************************************************************
* Library functions * * Library functions *
********************************************************************************/ ********************************************************************************/

View File

@ -20,7 +20,8 @@ DOMITO_CODE_INTEGRITY G_CI = {};
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
PVOID PVOID
DomitoCiFreePolicyInfo( NTAPI
CiFreePolicyInfo(
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
) )
{ {
@ -32,11 +33,10 @@ DomitoCiFreePolicyInfo(
return NULL; return NULL;
} }
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS NTSTATUS
DomitoCiCheckSignedFile( NTAPI
CiCheckSignedFile(
_In_ PVOID Hash, _In_ PVOID Hash,
_In_ UINT32 HashSize, _In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId, _In_ ALG_ID HashAlgId,
@ -64,11 +64,10 @@ DomitoCiCheckSignedFile(
return STATUS_NOT_IMPLEMENTED; return STATUS_NOT_IMPLEMENTED;
} }
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS NTSTATUS
DomitoCiVerifyHashInCatalog( NTAPI
CiVerifyHashInCatalog(
_In_ PVOID Hash, _In_ PVOID Hash,
_In_ UINT32 HashSize, _In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId, _In_ ALG_ID HashAlgId,
@ -101,7 +100,8 @@ DomitoCiVerifyHashInCatalog(
} }
NTSTATUS NTSTATUS
DomitoCiGetCertPublisherName( NTAPI
CiGetCertPublisherName(
_In_ MINCERT_BLOB* Certificate, _In_ MINCERT_BLOB* Certificate,
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine, _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
_Out_ PUNICODE_STRING PublisherName _Out_ PUNICODE_STRING PublisherName
@ -120,7 +120,8 @@ DomitoCiGetCertPublisherName(
} }
VOID VOID
DomitoCiSetTrustedOriginClaimId( NTAPI
CiSetTrustedOriginClaimId(
_In_ UINT32 ClaimId _In_ UINT32 ClaimId
) )
{ {
@ -130,14 +131,13 @@ DomitoCiSetTrustedOriginClaimId(
} }
} }
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS NTSTATUS
DomitoCiValidateFileObject( NTAPI
CiValidateFileObject(
_In_ FILE_OBJECT* FileObject, _In_ FILE_OBJECT* FileObject,
_In_opt_ UINT32 Unknown1, _In_opt_ UINT32 Unkonwn1,
_In_opt_ UINT32 Unknown2, _In_opt_ UINT32 Unkonwn2,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo, _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo, _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
_Out_ LARGE_INTEGER* SigningTime, _Out_ LARGE_INTEGER* SigningTime,
@ -150,8 +150,8 @@ DomitoCiValidateFileObject(
{ {
return G_CI.CiValidateFileObject( return G_CI.CiValidateFileObject(
FileObject, FileObject,
Unknown1, Unkonwn1,
Unknown2, Unkonwn2,
PolicyInfo, PolicyInfo,
TimeStampPolicyInfo, TimeStampPolicyInfo,
SigningTime, SigningTime,

View File

@ -150,193 +150,12 @@ extern DOMITO_MEMORY G_Memory;
* |___/ |__/ * |___/ |__/
*/ */
/** typedef decltype(&CiFreePolicyInfo) t_CiFreePolicyInfo;
* Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null. typedef decltype(&CiCheckSignedFile) t_CiCheckSignedFile;
* Zeros the entire PolicyInfo struct. typedef decltype(&CiVerifyHashInCatalog) t_CiVerifyHashInCatalog;
* typedef decltype(&CiGetCertPublisherName) t_CiGetCertPublisherName;
* @param PolicyInfo - the struct to reset. typedef decltype(&CiSetTrustedOriginClaimId) t_CiSetTrustedOriginClaimId;
* typedef decltype(&CiValidateFileObject) t_CiValidateFileObject;
* @return the struct which was reset.
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
typedef
PVOID
(NTAPI*
t_CiFreePolicyInfo)(
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
);
/**
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
*
* Given a file digest and signature of a file, verify the signature and provide information regarding
* the certificates that was used for signing (the entire certificate chain)
*
* @param Hash - buffer containing the digest
*
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
*
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
*
* @param SecurityDirectory - pointer to the start of the security directory
*
* @param SizeOfSecurityDirectory - size the security directory
*
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain
*
* @param SigningTime[out] - when the file was signed (FILETIME format)
*
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain
*
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
* Various error values otherwise, for example:
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
typedef
NTSTATUS
(NTAPI*
t_CiCheckSignedFile)(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ PVOID SecurityDirectory,
_In_ UINT32 SizeOfSecurityDirectory,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
/**
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
*
* Checks if the SHA-1 message digest is contained within a verified system catalog
*
* @note must be attached to the PsInitialSystemProcess first!
*
* @param Hash - buffer containing the digest
*
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
*
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
*
* @param IsReloadCatalogs - is reload catalogs cache.
*
* @param Always0 - this is for IsReloadCatalogs, Always0 != 0 ? 16 : 24;
*
* @param Always2007F - unknown, always 0x2007F, maybe a mask.
*
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
*
* @param CatalogName[out option] - catalog file name.
*
* @param SigningTime[out] - when the file was signed (FILETIME format)
*
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
*
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
* Various error values otherwise, for example:
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
typedef
NTSTATUS
(NTAPI*
t_CiVerifyHashInCatalog)(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ BOOLEAN IsReloadCatalogs,
_In_ UINT32 Always0,
_In_ UINT32 Always2007F,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_opt_ UNICODE_STRING* CatalogName,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
#if (NTDDI_VERSION >= NTDDI_WIN10)
/**
* Parse the publisher name from the certificate
*
* @param Certificate - &PolicyInfo.ChainInfo->ChainElements[x].Certificate
*
* @param AllocateRoutine - used to allocate PublisherName buffer.
*
* @param PublisherName[out] - publisher name.
*
* @return buffer length.
*/
typedef
NTSTATUS
(NTAPI*
t_CiGetCertPublisherName)(
_In_ MINCERT_BLOB* Certificate,
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
_Out_ PUNICODE_STRING PublisherName
);
typedef
VOID
(NTAPI*
t_CiSetTrustedOriginClaimId)(
_In_ UINT32 ClaimId
);
/**
* Given a file object, verify the signature and provide information regarding
* the certificates that was used for signing (the entire certificate chain)
*
* @param FileObject - FileObject of the PE in question
*
* @param Unknown1 - unknown, 0 is a valid value. (Unknown1 and Unknown2 together calculate the minimum support algorithm)
*
* @param Unknown2 - unknown, 0 is a valid value. (^ the words above refer to 'CipGetHashAlgorithmForLegacyScenario')
*
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
*
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
*
* @param SigningTime[out] - when the file was signed (FILETIME format)
*
* @param Hash - buffer containing the digest
*
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
*
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
*
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
* Various error values otherwise, for example:
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
typedef
NTSTATUS
(NTAPI*
t_CiValidateFileObject)(
_In_ FILE_OBJECT* FileObject,
_In_opt_ UINT32 Unknown1,
_In_opt_ UINT32 Unknown2,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ UINT8* Hash,
_Inout_ UINT32* HashSize,
_Out_ ALG_ID* HashAlgId
);
#endif // NTDDI_VERSION >= NTDDI_WIN10
// //
// Function pointers to CI.dll exports // Function pointers to CI.dll exports