Simplified CI definitions
This commit is contained in:
parent
ede76264fb
commit
1afdd90b4e
@ -356,10 +356,204 @@ typedef struct _MINCRYPT_POLICY_INFO
|
|||||||
#include <poppack.h>
|
#include <poppack.h>
|
||||||
|
|
||||||
|
|
||||||
/*
|
/**
|
||||||
* Note: function prototypes moved to <Domito.Internal.h>
|
* Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null.
|
||||||
* They'll be made available via run-time dynamic linking instead
|
* Zeros the entire PolicyInfo struct.
|
||||||
*/
|
*
|
||||||
|
* @param PolicyInfo - the struct to reset.
|
||||||
|
*
|
||||||
|
* @return the struct which was reset.
|
||||||
|
*/
|
||||||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
|
EXTERN_C
|
||||||
|
PVOID
|
||||||
|
NTAPI
|
||||||
|
CiFreePolicyInfo(
|
||||||
|
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
|
||||||
|
*
|
||||||
|
* Given a file digest and signature of a file, verify the signature and provide information regarding
|
||||||
|
* the certificates that was used for signing (the entire certificate chain)
|
||||||
|
*
|
||||||
|
* @param Hash - buffer containing the digest
|
||||||
|
*
|
||||||
|
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
|
||||||
|
*
|
||||||
|
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
|
||||||
|
*
|
||||||
|
* @param SecurityDirectory - pointer to the start of the security directory
|
||||||
|
*
|
||||||
|
* @param SizeOfSecurityDirectory - size the security directory
|
||||||
|
*
|
||||||
|
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain
|
||||||
|
*
|
||||||
|
* @param SigningTime[out] - when the file was signed (FILETIME format)
|
||||||
|
*
|
||||||
|
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain
|
||||||
|
*
|
||||||
|
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
|
||||||
|
* Various error values otherwise, for example:
|
||||||
|
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
|
||||||
|
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
|
||||||
|
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
|
||||||
|
*/
|
||||||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
|
EXTERN_C
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
CiCheckSignedFile(
|
||||||
|
_In_ PVOID Hash,
|
||||||
|
_In_ UINT32 HashSize,
|
||||||
|
_In_ ALG_ID HashAlgId,
|
||||||
|
_In_ PVOID SecurityDirectory,
|
||||||
|
_In_ UINT32 SizeOfSecurityDirectory,
|
||||||
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
||||||
|
_Out_ LARGE_INTEGER* SigningTime,
|
||||||
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
|
||||||
|
*
|
||||||
|
* Checks if the SHA-1 message digest is contained within a verified system catalog
|
||||||
|
*
|
||||||
|
* @note must be attached to the PsInitialSystemProcess first!
|
||||||
|
*
|
||||||
|
* @param Hash - buffer containing the digest
|
||||||
|
*
|
||||||
|
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
|
||||||
|
*
|
||||||
|
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
|
||||||
|
*
|
||||||
|
* @param IsReloadCatalogs - is reload catalogs cache.
|
||||||
|
*
|
||||||
|
* @param Always0 - this is for IsReloadCatalogs, Always0 != 0 ? 16 : 24;
|
||||||
|
*
|
||||||
|
* @param Always2007F - unknown, always 0x2007F, maybe a mask.
|
||||||
|
*
|
||||||
|
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
|
||||||
|
*
|
||||||
|
* @param CatalogName[out option] - catalog file name.
|
||||||
|
*
|
||||||
|
* @param SigningTime[out] - when the file was signed (FILETIME format)
|
||||||
|
*
|
||||||
|
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
|
||||||
|
*
|
||||||
|
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
|
||||||
|
* Various error values otherwise, for example:
|
||||||
|
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
|
||||||
|
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
|
||||||
|
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
|
||||||
|
*/
|
||||||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
|
EXTERN_C
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
CiVerifyHashInCatalog(
|
||||||
|
_In_ PVOID Hash,
|
||||||
|
_In_ UINT32 HashSize,
|
||||||
|
_In_ ALG_ID HashAlgId,
|
||||||
|
_In_ BOOLEAN IsReloadCatalogs,
|
||||||
|
_In_ UINT32 Always0,
|
||||||
|
_In_ UINT32 Always2007F,
|
||||||
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
||||||
|
_Out_opt_ UNICODE_STRING* CatalogName,
|
||||||
|
_Out_ LARGE_INTEGER* SigningTime,
|
||||||
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
#if (NTDDI_VERSION >= NTDDI_WIN10)
|
||||||
|
|
||||||
|
typedef
|
||||||
|
_IRQL_requires_same_
|
||||||
|
_Function_class_(MINCRYPT_ALLOCATE_ROUTINE)
|
||||||
|
__drv_allocatesMem(Mem)
|
||||||
|
PVOID
|
||||||
|
NTAPI
|
||||||
|
MINCRYPT_ALLOCATE_ROUTINE(
|
||||||
|
_In_ SIZE_T ByteSize
|
||||||
|
);
|
||||||
|
typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Parse the publisher name from the certificate
|
||||||
|
*
|
||||||
|
* @param Certificate - &PolicyInfo.ChainInfo->ChainElements[x].Certificate
|
||||||
|
*
|
||||||
|
* @param AllocateRoutine - used to allocate PublisherName buffer.
|
||||||
|
*
|
||||||
|
* @param PublisherName[out] - publisher name.
|
||||||
|
*
|
||||||
|
* @return buffer length.
|
||||||
|
*/
|
||||||
|
EXTERN_C
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
CiGetCertPublisherName(
|
||||||
|
_In_ MINCERT_BLOB* Certificate,
|
||||||
|
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
|
||||||
|
_Out_ PUNICODE_STRING PublisherName
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
EXTERN_C
|
||||||
|
VOID
|
||||||
|
NTAPI
|
||||||
|
CiSetTrustedOriginClaimId(
|
||||||
|
_In_ UINT32 ClaimId
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Given a file object, verify the signature and provide information regarding
|
||||||
|
* the certificates that was used for signing (the entire certificate chain)
|
||||||
|
*
|
||||||
|
* @param FileObject - FileObject of the PE in question
|
||||||
|
*
|
||||||
|
* @param Unkonwn1 - unknown, 0 is a valid value. (Unkonwn1 and Unkonwn2 together calculate the minimum support algorithm)
|
||||||
|
*
|
||||||
|
* @param Unkonwn2 - unknown, 0 is a valid value. (^ the words above refer to 'CipGetHashAlgorithmForLegacyScenario')
|
||||||
|
*
|
||||||
|
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
|
||||||
|
*
|
||||||
|
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
|
||||||
|
*
|
||||||
|
* @param SigningTime[out] - when the file was signed (FILETIME format)
|
||||||
|
*
|
||||||
|
* @param Hash - buffer containing the digest
|
||||||
|
*
|
||||||
|
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
|
||||||
|
*
|
||||||
|
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
|
||||||
|
*
|
||||||
|
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
|
||||||
|
* Various error values otherwise, for example:
|
||||||
|
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
|
||||||
|
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
|
||||||
|
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
|
||||||
|
*/
|
||||||
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
|
EXTERN_C
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
CiValidateFileObject(
|
||||||
|
_In_ FILE_OBJECT* FileObject,
|
||||||
|
_In_opt_ UINT32 Unkonwn1,
|
||||||
|
_In_opt_ UINT32 Unkonwn2,
|
||||||
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
||||||
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
|
||||||
|
_Out_ LARGE_INTEGER* SigningTime,
|
||||||
|
_Out_ UINT8* Hash,
|
||||||
|
_Inout_ UINT32* HashSize,
|
||||||
|
_Out_ ALG_ID* HashAlgId
|
||||||
|
);
|
||||||
|
|
||||||
|
#endif // NTDDI_VERSION >= NTDDI_WIN10
|
||||||
|
|
||||||
|
|
||||||
EXTERN_C_END
|
EXTERN_C_END
|
||||||
|
@ -162,97 +162,6 @@ DOMITO_CALG_TO_BCRYPT_ALGORITHM(
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* ___ _ ___ _ _ _
|
|
||||||
* / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _
|
|
||||||
* | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || |
|
|
||||||
* \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, |
|
|
||||||
* |___/ |__/
|
|
||||||
*/
|
|
||||||
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
EXTERN_C
|
|
||||||
PVOID
|
|
||||||
DomitoCiFreePolicyInfo(
|
|
||||||
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
|
|
||||||
);
|
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
|
||||||
_Must_inspect_result_
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
EXTERN_C
|
|
||||||
NTSTATUS
|
|
||||||
DomitoCiCheckSignedFile(
|
|
||||||
_In_ PVOID Hash,
|
|
||||||
_In_ UINT32 HashSize,
|
|
||||||
_In_ ALG_ID HashAlgId,
|
|
||||||
_In_ PVOID SecurityDirectory,
|
|
||||||
_In_ UINT32 SizeOfSecurityDirectory,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
||||||
_Out_ LARGE_INTEGER* SigningTime,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
|
||||||
);
|
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
|
||||||
_Must_inspect_result_
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
EXTERN_C
|
|
||||||
NTSTATUS
|
|
||||||
DomitoCiVerifyHashInCatalog(
|
|
||||||
_In_ PVOID Hash,
|
|
||||||
_In_ UINT32 HashSize,
|
|
||||||
_In_ ALG_ID HashAlgId,
|
|
||||||
_In_ BOOLEAN IsReloadCatalogs,
|
|
||||||
_In_ UINT32 Always0,
|
|
||||||
_In_ UINT32 Always2007F,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
||||||
_Out_opt_ UNICODE_STRING* CatalogName,
|
|
||||||
_Out_ LARGE_INTEGER* SigningTime,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
|
||||||
);
|
|
||||||
|
|
||||||
typedef
|
|
||||||
_IRQL_requires_same_
|
|
||||||
_Function_class_(MINCRYPT_ALLOCATE_ROUTINE)
|
|
||||||
__drv_allocatesMem(Mem)
|
|
||||||
PVOID
|
|
||||||
NTAPI
|
|
||||||
MINCRYPT_ALLOCATE_ROUTINE(
|
|
||||||
_In_ SIZE_T ByteSize
|
|
||||||
);
|
|
||||||
typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;
|
|
||||||
|
|
||||||
EXTERN_C
|
|
||||||
NTSTATUS
|
|
||||||
DomitoCiGetCertPublisherName(
|
|
||||||
_In_ MINCERT_BLOB* Certificate,
|
|
||||||
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
|
|
||||||
_Out_ PUNICODE_STRING PublisherName
|
|
||||||
);
|
|
||||||
|
|
||||||
EXTERN_C
|
|
||||||
VOID
|
|
||||||
DomitoCiSetTrustedOriginClaimId(
|
|
||||||
_In_ UINT32 ClaimId
|
|
||||||
);
|
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
|
||||||
_Must_inspect_result_
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
EXTERN_C
|
|
||||||
NTSTATUS
|
|
||||||
DomitoCiValidateFileObject(
|
|
||||||
_In_ FILE_OBJECT* FileObject,
|
|
||||||
_In_opt_ UINT32 Unknown1,
|
|
||||||
_In_opt_ UINT32 Unknown2,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
|
|
||||||
_Out_ LARGE_INTEGER* SigningTime,
|
|
||||||
_Out_ UINT8* Hash,
|
|
||||||
_Inout_ UINT32* HashSize,
|
|
||||||
_Out_ ALG_ID* HashAlgId
|
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
/********************************************************************************
|
/********************************************************************************
|
||||||
* Library functions *
|
* Library functions *
|
||||||
********************************************************************************/
|
********************************************************************************/
|
||||||
|
@ -20,7 +20,8 @@ DOMITO_CODE_INTEGRITY G_CI = {};
|
|||||||
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
PVOID
|
PVOID
|
||||||
DomitoCiFreePolicyInfo(
|
NTAPI
|
||||||
|
CiFreePolicyInfo(
|
||||||
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
|
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
@ -32,19 +33,18 @@ DomitoCiFreePolicyInfo(
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
|
||||||
_Must_inspect_result_
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoCiCheckSignedFile(
|
NTAPI
|
||||||
|
CiCheckSignedFile(
|
||||||
_In_ PVOID Hash,
|
_In_ PVOID Hash,
|
||||||
_In_ UINT32 HashSize,
|
_In_ UINT32 HashSize,
|
||||||
_In_ ALG_ID HashAlgId,
|
_In_ ALG_ID HashAlgId,
|
||||||
_In_ PVOID SecurityDirectory,
|
_In_ PVOID SecurityDirectory,
|
||||||
_In_ UINT32 SizeOfSecurityDirectory,
|
_In_ UINT32 SizeOfSecurityDirectory,
|
||||||
_Out_ MINCRYPT_POLICY_INFO * PolicyInfo,
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
||||||
_Out_ LARGE_INTEGER * SigningTime,
|
_Out_ LARGE_INTEGER* SigningTime,
|
||||||
_Out_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
if (G_CI.CiCheckSignedFile)
|
if (G_CI.CiCheckSignedFile)
|
||||||
@ -64,21 +64,20 @@ DomitoCiCheckSignedFile(
|
|||||||
return STATUS_NOT_IMPLEMENTED;
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
|
||||||
_Must_inspect_result_
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoCiVerifyHashInCatalog(
|
NTAPI
|
||||||
|
CiVerifyHashInCatalog(
|
||||||
_In_ PVOID Hash,
|
_In_ PVOID Hash,
|
||||||
_In_ UINT32 HashSize,
|
_In_ UINT32 HashSize,
|
||||||
_In_ ALG_ID HashAlgId,
|
_In_ ALG_ID HashAlgId,
|
||||||
_In_ BOOLEAN IsReloadCatalogs,
|
_In_ BOOLEAN IsReloadCatalogs,
|
||||||
_In_ UINT32 Always0,
|
_In_ UINT32 Always0,
|
||||||
_In_ UINT32 Always2007F,
|
_In_ UINT32 Always2007F,
|
||||||
_Out_ MINCRYPT_POLICY_INFO * PolicyInfo,
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
||||||
_Out_opt_ UNICODE_STRING * CatalogName,
|
_Out_opt_ UNICODE_STRING* CatalogName,
|
||||||
_Out_ LARGE_INTEGER * SigningTime,
|
_Out_ LARGE_INTEGER* SigningTime,
|
||||||
_Out_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
if (G_CI.CiVerifyHashInCatalog)
|
if (G_CI.CiVerifyHashInCatalog)
|
||||||
@ -101,8 +100,9 @@ DomitoCiVerifyHashInCatalog(
|
|||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoCiGetCertPublisherName(
|
NTAPI
|
||||||
_In_ MINCERT_BLOB * Certificate,
|
CiGetCertPublisherName(
|
||||||
|
_In_ MINCERT_BLOB* Certificate,
|
||||||
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
|
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
|
||||||
_Out_ PUNICODE_STRING PublisherName
|
_Out_ PUNICODE_STRING PublisherName
|
||||||
)
|
)
|
||||||
@ -120,7 +120,8 @@ DomitoCiGetCertPublisherName(
|
|||||||
}
|
}
|
||||||
|
|
||||||
VOID
|
VOID
|
||||||
DomitoCiSetTrustedOriginClaimId(
|
NTAPI
|
||||||
|
CiSetTrustedOriginClaimId(
|
||||||
_In_ UINT32 ClaimId
|
_In_ UINT32 ClaimId
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
@ -130,28 +131,27 @@ DomitoCiSetTrustedOriginClaimId(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
|
||||||
_Must_inspect_result_
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoCiValidateFileObject(
|
NTAPI
|
||||||
_In_ FILE_OBJECT * FileObject,
|
CiValidateFileObject(
|
||||||
_In_opt_ UINT32 Unknown1,
|
_In_ FILE_OBJECT* FileObject,
|
||||||
_In_opt_ UINT32 Unknown2,
|
_In_opt_ UINT32 Unkonwn1,
|
||||||
_Out_ MINCRYPT_POLICY_INFO * PolicyInfo,
|
_In_opt_ UINT32 Unkonwn2,
|
||||||
_Out_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo,
|
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
||||||
_Out_ LARGE_INTEGER * SigningTime,
|
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
|
||||||
_Out_ UINT8 * Hash,
|
_Out_ LARGE_INTEGER* SigningTime,
|
||||||
_Inout_ UINT32 * HashSize,
|
_Out_ UINT8* Hash,
|
||||||
_Out_ ALG_ID * HashAlgId
|
_Inout_ UINT32* HashSize,
|
||||||
|
_Out_ ALG_ID* HashAlgId
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
if (G_CI.CiValidateFileObject)
|
if (G_CI.CiValidateFileObject)
|
||||||
{
|
{
|
||||||
return G_CI.CiValidateFileObject(
|
return G_CI.CiValidateFileObject(
|
||||||
FileObject,
|
FileObject,
|
||||||
Unknown1,
|
Unkonwn1,
|
||||||
Unknown2,
|
Unkonwn2,
|
||||||
PolicyInfo,
|
PolicyInfo,
|
||||||
TimeStampPolicyInfo,
|
TimeStampPolicyInfo,
|
||||||
SigningTime,
|
SigningTime,
|
||||||
|
@ -150,193 +150,12 @@ extern DOMITO_MEMORY G_Memory;
|
|||||||
* |___/ |__/
|
* |___/ |__/
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
typedef decltype(&CiFreePolicyInfo) t_CiFreePolicyInfo;
|
||||||
* Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null.
|
typedef decltype(&CiCheckSignedFile) t_CiCheckSignedFile;
|
||||||
* Zeros the entire PolicyInfo struct.
|
typedef decltype(&CiVerifyHashInCatalog) t_CiVerifyHashInCatalog;
|
||||||
*
|
typedef decltype(&CiGetCertPublisherName) t_CiGetCertPublisherName;
|
||||||
* @param PolicyInfo - the struct to reset.
|
typedef decltype(&CiSetTrustedOriginClaimId) t_CiSetTrustedOriginClaimId;
|
||||||
*
|
typedef decltype(&CiValidateFileObject) t_CiValidateFileObject;
|
||||||
* @return the struct which was reset.
|
|
||||||
*/
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
typedef
|
|
||||||
PVOID
|
|
||||||
(NTAPI*
|
|
||||||
t_CiFreePolicyInfo)(
|
|
||||||
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
|
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
|
|
||||||
*
|
|
||||||
* Given a file digest and signature of a file, verify the signature and provide information regarding
|
|
||||||
* the certificates that was used for signing (the entire certificate chain)
|
|
||||||
*
|
|
||||||
* @param Hash - buffer containing the digest
|
|
||||||
*
|
|
||||||
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
|
|
||||||
*
|
|
||||||
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
|
|
||||||
*
|
|
||||||
* @param SecurityDirectory - pointer to the start of the security directory
|
|
||||||
*
|
|
||||||
* @param SizeOfSecurityDirectory - size the security directory
|
|
||||||
*
|
|
||||||
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain
|
|
||||||
*
|
|
||||||
* @param SigningTime[out] - when the file was signed (FILETIME format)
|
|
||||||
*
|
|
||||||
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain
|
|
||||||
*
|
|
||||||
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
|
|
||||||
* Various error values otherwise, for example:
|
|
||||||
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
|
|
||||||
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
|
|
||||||
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
|
|
||||||
*/
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
typedef
|
|
||||||
NTSTATUS
|
|
||||||
(NTAPI*
|
|
||||||
t_CiCheckSignedFile)(
|
|
||||||
_In_ PVOID Hash,
|
|
||||||
_In_ UINT32 HashSize,
|
|
||||||
_In_ ALG_ID HashAlgId,
|
|
||||||
_In_ PVOID SecurityDirectory,
|
|
||||||
_In_ UINT32 SizeOfSecurityDirectory,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
||||||
_Out_ LARGE_INTEGER* SigningTime,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Win7SP1-Win8.1 only (KB3033929 installed). Use CiValidateFileObject on Win10!
|
|
||||||
*
|
|
||||||
* Checks if the SHA-1 message digest is contained within a verified system catalog
|
|
||||||
*
|
|
||||||
* @note must be attached to the PsInitialSystemProcess first!
|
|
||||||
*
|
|
||||||
* @param Hash - buffer containing the digest
|
|
||||||
*
|
|
||||||
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
|
|
||||||
*
|
|
||||||
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
|
|
||||||
*
|
|
||||||
* @param IsReloadCatalogs - is reload catalogs cache.
|
|
||||||
*
|
|
||||||
* @param Always0 - this is for IsReloadCatalogs, Always0 != 0 ? 16 : 24;
|
|
||||||
*
|
|
||||||
* @param Always2007F - unknown, always 0x2007F, maybe a mask.
|
|
||||||
*
|
|
||||||
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
|
|
||||||
*
|
|
||||||
* @param CatalogName[out option] - catalog file name.
|
|
||||||
*
|
|
||||||
* @param SigningTime[out] - when the file was signed (FILETIME format)
|
|
||||||
*
|
|
||||||
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
|
|
||||||
*
|
|
||||||
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
|
|
||||||
* Various error values otherwise, for example:
|
|
||||||
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
|
|
||||||
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
|
|
||||||
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
|
|
||||||
*/
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
typedef
|
|
||||||
NTSTATUS
|
|
||||||
(NTAPI*
|
|
||||||
t_CiVerifyHashInCatalog)(
|
|
||||||
_In_ PVOID Hash,
|
|
||||||
_In_ UINT32 HashSize,
|
|
||||||
_In_ ALG_ID HashAlgId,
|
|
||||||
_In_ BOOLEAN IsReloadCatalogs,
|
|
||||||
_In_ UINT32 Always0,
|
|
||||||
_In_ UINT32 Always2007F,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
||||||
_Out_opt_ UNICODE_STRING* CatalogName,
|
|
||||||
_Out_ LARGE_INTEGER* SigningTime,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
|
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
#if (NTDDI_VERSION >= NTDDI_WIN10)
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Parse the publisher name from the certificate
|
|
||||||
*
|
|
||||||
* @param Certificate - &PolicyInfo.ChainInfo->ChainElements[x].Certificate
|
|
||||||
*
|
|
||||||
* @param AllocateRoutine - used to allocate PublisherName buffer.
|
|
||||||
*
|
|
||||||
* @param PublisherName[out] - publisher name.
|
|
||||||
*
|
|
||||||
* @return buffer length.
|
|
||||||
*/
|
|
||||||
typedef
|
|
||||||
NTSTATUS
|
|
||||||
(NTAPI*
|
|
||||||
t_CiGetCertPublisherName)(
|
|
||||||
_In_ MINCERT_BLOB* Certificate,
|
|
||||||
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
|
|
||||||
_Out_ PUNICODE_STRING PublisherName
|
|
||||||
);
|
|
||||||
|
|
||||||
|
|
||||||
typedef
|
|
||||||
VOID
|
|
||||||
(NTAPI*
|
|
||||||
t_CiSetTrustedOriginClaimId)(
|
|
||||||
_In_ UINT32 ClaimId
|
|
||||||
);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Given a file object, verify the signature and provide information regarding
|
|
||||||
* the certificates that was used for signing (the entire certificate chain)
|
|
||||||
*
|
|
||||||
* @param FileObject - FileObject of the PE in question
|
|
||||||
*
|
|
||||||
* @param Unknown1 - unknown, 0 is a valid value. (Unknown1 and Unknown2 together calculate the minimum support algorithm)
|
|
||||||
*
|
|
||||||
* @param Unknown2 - unknown, 0 is a valid value. (^ the words above refer to 'CipGetHashAlgorithmForLegacyScenario')
|
|
||||||
*
|
|
||||||
* @param PolicyInfo[out] - PolicyInfo containing information about the signer certificate chain.
|
|
||||||
*
|
|
||||||
* @param TimeStampPolicyInfo[out] - PolicyInfo containing information about the timestamping authority (TSA) certificate chain.
|
|
||||||
*
|
|
||||||
* @param SigningTime[out] - when the file was signed (FILETIME format)
|
|
||||||
*
|
|
||||||
* @param Hash - buffer containing the digest
|
|
||||||
*
|
|
||||||
* @param HashSize - size of the digest, e.g. 0x14(160bit) for SHA1, 0x20(256bit) for SHA256
|
|
||||||
*
|
|
||||||
* @param HashAlgId - digest algorithm identifier, e.g. CALG_SHA1(0x8004), CALG_SHA_256(0x800C)
|
|
||||||
*
|
|
||||||
* @return STATUS_SUCCESS if the file digest in the signature matches the given digest and the signer cetificate is verified.
|
|
||||||
* Various error values otherwise, for example:
|
|
||||||
* STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
|
|
||||||
* STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
|
|
||||||
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
|
|
||||||
*/
|
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
|
||||||
typedef
|
|
||||||
NTSTATUS
|
|
||||||
(NTAPI*
|
|
||||||
t_CiValidateFileObject)(
|
|
||||||
_In_ FILE_OBJECT* FileObject,
|
|
||||||
_In_opt_ UINT32 Unknown1,
|
|
||||||
_In_opt_ UINT32 Unknown2,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
|
|
||||||
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
|
|
||||||
_Out_ LARGE_INTEGER* SigningTime,
|
|
||||||
_Out_ UINT8* Hash,
|
|
||||||
_Inout_ UINT32* HashSize,
|
|
||||||
_Out_ ALG_ID* HashAlgId
|
|
||||||
);
|
|
||||||
|
|
||||||
#endif // NTDDI_VERSION >= NTDDI_WIN10
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// Function pointers to CI.dll exports
|
// Function pointers to CI.dll exports
|
||||||
|
Loading…
Reference in New Issue
Block a user