nefarius/Domito
1
0
Fork 0
Code Issues Activity

Replaced passing allocator to functions with library global memory management support types

Browse Source
This commit is contained in:
Benjamin Höglinger-Stelzer 2023-07-01 16:33:13 +02:00
parent 0df66bdea2
commit 5541c05d1d
4 changed files with 154 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Domito.sln.DotSettings
View File

@ -4,6 +4,7 @@
<s:Boolean x:Key="/Default/UserDictionary/Words/=CALG/@EntryIndexedValue">True</s:Boolean> <s:Boolean x:Key="/Default/UserDictionary/Words/=CALG/@EntryIndexedValue">True</s:Boolean>
<s:Boolean x:Key="/Default/UserDictionary/Words/=COFF/@EntryIndexedValue">True</s:Boolean> <s:Boolean x:Key="/Default/UserDictionary/Words/=COFF/@EntryIndexedValue">True</s:Boolean>
<s:Boolean x:Key="/Default/UserDictionary/Words/=Domito/@EntryIndexedValue">True</s:Boolean> <s:Boolean x:Key="/Default/UserDictionary/Words/=Domito/@EntryIndexedValue">True</s:Boolean>
<s:Boolean x:Key="/Default/UserDictionary/Words/=Domito_0027s/@EntryIndexedValue">True</s:Boolean>
<s:Boolean x:Key="/Default/UserDictionary/Words/=LPWIN/@EntryIndexedValue">True</s:Boolean> <s:Boolean x:Key="/Default/UserDictionary/Words/=LPWIN/@EntryIndexedValue">True</s:Boolean>
<s:Boolean x:Key="/Default/UserDictionary/Words/=PDOMITO/@EntryIndexedValue">True</s:Boolean> <s:Boolean x:Key="/Default/UserDictionary/Words/=PDOMITO/@EntryIndexedValue">True</s:Boolean>
<s:Boolean x:Key="/Default/UserDictionary/Words/=PKCS/@EntryIndexedValue">True</s:Boolean> <s:Boolean x:Key="/Default/UserDictionary/Words/=PKCS/@EntryIndexedValue">True</s:Boolean>

3
README.md
View File

@ -14,3 +14,6 @@ for Windows NT3.51/NT4/2000/XP/2003/Vista/7/8 kernel mode,
both 32 and 64 bit platforms](http://alter.org.ua/en/docs/nt_kernel/procaddr/) both 32 and 64 bit platforms](http://alter.org.ua/en/docs/nt_kernel/procaddr/)
- [Use ci.dll API for validating Authenticode signature of files](https://github.com/Ido-Moshe-Github/CiDllDemo) - [Use ci.dll API for validating Authenticode signature of files](https://github.com/Ido-Moshe-Github/CiDllDemo)
- [Helper functions for calculating the authenticode digest for a portable executable file](https://github.com/mihaly044/pedigest) - [Helper functions for calculating the authenticode digest for a portable executable file](https://github.com/mihaly044/pedigest)
- Custom memory allocator exposure used by SDL
- [SDL_stdinc.h](https://github.com/libsdl-org/SDL/blob/main/include/SDL3/SDL_stdinc.h)
- [SDL_malloc.c](https://github.com/libsdl-org/SDL/blob/main/src/stdlib/SDL_malloc.c)

56
include/Domito.h
View File

@ -4,16 +4,16 @@
/******************************************************************************** /********************************************************************************
* Memory management, misc. * * Memory management *
********************************************************************************/ ********************************************************************************/
// //
// Custom allocator for function that allocate pool memory. // Allocator function the library uses.
// //
typedef typedef
_IRQL_requires_same_ _IRQL_requires_same_
_Function_class_(EVT_DOMITO_ALLOCATE_ROUTINE) _Function_class_(EVT_DOMITO_ALLOCATE_ROUTINE)
__drv_allocatesMem(Mem) __drv_allocatesMem(mem)
PVOID PVOID
NTAPI NTAPI
EVT_DOMITO_ALLOCATE_ROUTINE( EVT_DOMITO_ALLOCATE_ROUTINE(
@ -21,6 +21,48 @@ EVT_DOMITO_ALLOCATE_ROUTINE(
); );
typedef EVT_DOMITO_ALLOCATE_ROUTINE* PFN_DOMITO_ALLOCATE_ROUTINE; typedef EVT_DOMITO_ALLOCATE_ROUTINE* PFN_DOMITO_ALLOCATE_ROUTINE;
//
// Freeing function the library uses.
//
typedef
_IRQL_requires_same_
_Function_class_(EVT_DOMITO_FREE_ROUTINE)
void
NTAPI
EVT_DOMITO_FREE_ROUTINE(
_In_ __drv_freesMem(mem) PVOID Memory
);
typedef EVT_DOMITO_FREE_ROUTINE* PFN_DOMITO_FREE_ROUTINE;
//
// Get the original set of Domito memory functions.
//
EXTERN_C
void
DomitoGetOriginalMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
);
//
// Get the current set of Domito memory functions.
//
EXTERN_C
void
DomitoGetMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
);
//
// Replace Domito's memory allocation functions with a custom set
EXTERN_C
void
DomitoSetMemoryFunctions(
_In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_opt_ PFN_DOMITO_FREE_ROUTINE Free
);
/******************************************************************************** /********************************************************************************
* Cryptography * * Cryptography *
@ -104,7 +146,6 @@ _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C EXTERN_C
NTSTATUS NTSTATUS
DomitoFindModuleBaseAddress( DomitoFindModuleBaseAddress(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ STRING ModuleName, _In_ STRING ModuleName,
_Inout_opt_ PVOID* ModuleBase _Inout_opt_ PVOID* ModuleBase
); );
@ -175,7 +216,6 @@ _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C EXTERN_C
NTSTATUS NTSTATUS
DomitoCalculatePortableExecutableDigest( DomitoCalculatePortableExecutableDigest(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ PUCHAR pPeBytes, _In_ PUCHAR pPeBytes,
_In_ ULONG PeSize, _In_ ULONG PeSize,
_Out_ PUINT32 pDigestCalgOut, _Out_ PUINT32 pDigestCalgOut,
@ -194,7 +234,6 @@ _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C EXTERN_C
NTSTATUS NTSTATUS
DomitoGetProcessImageName( DomitoGetProcessImageName(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ ULONG ProcessId, _In_ ULONG ProcessId,
_Inout_ PUNICODE_STRING* ProcessImageName _Inout_ PUNICODE_STRING* ProcessImageName
); );
@ -205,7 +244,6 @@ _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C EXTERN_C
NTSTATUS NTSTATUS
DomitoValidateFileLegacyMode( DomitoValidateFileLegacyMode(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ HANDLE FileHandle, _In_ HANDLE FileHandle,
_In_ PVOID Hash, _In_ PVOID Hash,
_In_ UINT32 HashSize, _In_ UINT32 HashSize,

127
src/Domito.cpp
View File

@ -7,6 +7,10 @@
#include "ci.h" #include "ci.h"
/********************************************************************************
* NtDll and other internal types *
********************************************************************************/
// Structure representing a loaded module // Structure representing a loaded module
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{ {
@ -79,13 +83,96 @@ typedef NTSTATUS(*QUERY_INFO_PROCESS) (
static QUERY_INFO_PROCESS ZwQueryInformationProcess; static QUERY_INFO_PROCESS ZwQueryInformationProcess;
/********************************************************************************
* Memory management *
********************************************************************************/
#define DOMITO_POOL_TAG 'imoD'
static PVOID NTAPI DomitoDefaultMalloc(size_t s)
{
#pragma warning(disable:4996)
return ExAllocatePoolWithTag(NonPagedPool, s, DOMITO_POOL_TAG);
#pragma warninf(default:4996)
}
static void NTAPI DomitoDefaultFree(PVOID p)
{
ExFreePoolWithTag(p, DOMITO_POOL_TAG);
}
static struct
{
PFN_DOMITO_ALLOCATE_ROUTINE Allocate;
PFN_DOMITO_FREE_ROUTINE Free;
} G_Memory = {
DomitoDefaultMalloc,
DomitoDefaultFree
};
void
DomitoGetOriginalMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = DomitoDefaultMalloc;
}
if (Free)
{
*Free = DomitoDefaultFree;
}
}
void
DomitoGetMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
)
{
if (Allocator)
{
*Allocator = G_Memory.Allocate;
}
if (Free)
{
*Free = G_Memory.Free;
}
}
void
DomitoSetMemoryFunctions(
_In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_opt_ PFN_DOMITO_FREE_ROUTINE Free
)
{
if (Allocator)
{
G_Memory.Allocate = Allocator;
}
if (Free)
{
G_Memory.Free = Free;
}
}
/********************************************************************************
* Library functions *
********************************************************************************/
_Success_(return == STATUS_SUCCESS) _Success_(return == STATUS_SUCCESS)
_Must_inspect_result_ _Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS NTSTATUS
DomitoFindModuleBaseAddress( DomitoFindModuleBaseAddress(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator, _In_ STRING ModuleName,
_In_ STRING ModuleName,
_Inout_opt_ PVOID * ModuleBase _Inout_opt_ PVOID * ModuleBase
) )
{ {
@ -108,7 +195,7 @@ DomitoFindModuleBaseAddress(
} }
// Allocate memory for the module information // Allocate memory for the module information
moduleInfo = (PSYSTEM_MODULE_INFORMATION)Allocator( moduleInfo = (PSYSTEM_MODULE_INFORMATION)G_Memory.Allocate(
bufferSize bufferSize
); );
@ -127,7 +214,7 @@ DomitoFindModuleBaseAddress(
if (!NT_SUCCESS(status)) if (!NT_SUCCESS(status))
{ {
ExFreePool(moduleInfo); G_Memory.Free(moduleInfo);
return status; return status;
} }
@ -152,7 +239,7 @@ DomitoFindModuleBaseAddress(
} }
} }
ExFreePool(moduleInfo); G_Memory.Free(moduleInfo);
return status; return status;
} }
@ -371,7 +458,6 @@ _Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS NTSTATUS
DomitoCalculatePortableExecutableDigest( DomitoCalculatePortableExecutableDigest(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ PUCHAR pPeBytes, _In_ PUCHAR pPeBytes,
_In_ ULONG PeSize, _In_ ULONG PeSize,
_Out_ PUINT32 pDigestCalgOut, _Out_ PUINT32 pDigestCalgOut,
@ -424,7 +510,7 @@ DomitoCalculatePortableExecutableDigest(
// TODO: Not sure if 16 * 512 * 512 is right. Do something better! // TODO: Not sure if 16 * 512 * 512 is right. Do something better!
// //
ULONG copySize = phDos->e_lfanew + sizeof(IMAGE_FILE_HEADER) + 4 + 0x40; ULONG copySize = phDos->e_lfanew + sizeof(IMAGE_FILE_HEADER) + 4 + 0x40;
const PUCHAR pBuf = (PUCHAR)Allocator(16 * 512 * 512); const PUCHAR pBuf = (PUCHAR)G_Memory.Allocate(16 * 512 * 512);
if (!pBuf) if (!pBuf)
{ {
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
@ -480,7 +566,7 @@ DomitoCalculatePortableExecutableDigest(
// //
// Allocate a buffer to store the resulting hash // Allocate a buffer to store the resulting hash
// //
pHash = (PUCHAR)Allocator(hashLength); pHash = (PUCHAR)G_Memory.Allocate(hashLength);
if (!pHash) if (!pHash)
{ {
status = STATUS_INSUFFICIENT_RESOURCES; status = STATUS_INSUFFICIENT_RESOURCES;
@ -631,7 +717,7 @@ DomitoCalculatePortableExecutableDigest(
cleanup: cleanup:
if (pBuf) if (pBuf)
{ {
ExFreePool(pBuf); G_Memory.Free(pBuf);
} }
if (hbHash) if (hbHash)
@ -653,7 +739,6 @@ _IRQL_requires_max_(PASSIVE_LEVEL)
#pragma code_seg("PAGED") #pragma code_seg("PAGED")
NTSTATUS NTSTATUS
DomitoGetProcessImageName( DomitoGetProcessImageName(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ ULONG ProcessId, _In_ ULONG ProcessId,
_Inout_ PUNICODE_STRING * ProcessImageName _Inout_ PUNICODE_STRING * ProcessImageName
) )
@ -663,20 +748,15 @@ DomitoGetProcessImageName(
HANDLE hProcess = NULL; HANDLE hProcess = NULL;
PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process
if (Allocator == NULL) if (ProcessId == 0 || ProcessId == 4)
{ {
return STATUS_INVALID_PARAMETER_1; return STATUS_INVALID_PARAMETER_1;
} }
if (ProcessId == 0 || ProcessId == 4)
{
return STATUS_INVALID_PARAMETER_2;
}
if (ProcessImageName == NULL) if (ProcessImageName == NULL)
{ {
return STATUS_INVALID_PARAMETER_3; return STATUS_INVALID_PARAMETER_2;
} }
CLIENT_ID cid; CLIENT_ID cid;
@ -730,7 +810,7 @@ DomitoGetProcessImageName(
goto cleanUp; goto cleanUp;
} }
*ProcessImageName = (PUNICODE_STRING)Allocator(returnedLength); *ProcessImageName = (PUNICODE_STRING)G_Memory.Allocate(returnedLength);
if (*ProcessImageName == NULL) if (*ProcessImageName == NULL)
{ {
@ -747,7 +827,7 @@ DomitoGetProcessImageName(
&returnedLength &returnedLength
))) )))
{ {
ExFreePool(*ProcessImageName); G_Memory.Free(*ProcessImageName);
} }
cleanUp: cleanUp:
@ -767,7 +847,6 @@ _IRQL_requires_max_(PASSIVE_LEVEL)
#pragma code_seg("PAGED") #pragma code_seg("PAGED")
NTSTATUS NTSTATUS
DomitoValidateFileLegacyMode( DomitoValidateFileLegacyMode(
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_ HANDLE FileHandle, _In_ HANDLE FileHandle,
_In_ PVOID Hash, _In_ PVOID Hash,
_In_ UINT32 HashSize, _In_ UINT32 HashSize,
@ -800,7 +879,7 @@ DomitoValidateFileLegacyMode(
if (SecurityDirectory->Size != 0u && if (SecurityDirectory->Size != 0u &&
SecurityDirectory->VirtualAddress != 0u) SecurityDirectory->VirtualAddress != 0u)
{ {
certDirectory = Allocator(SecurityDirectory->Size); certDirectory = G_Memory.Allocate(SecurityDirectory->Size);
if (certDirectory == NULL) if (certDirectory == NULL)
{ {
status = STATUS_INSUFFICIENT_RESOURCES; status = STATUS_INSUFFICIENT_RESOURCES;
@ -904,9 +983,9 @@ DomitoValidateFileLegacyMode(
if (certDirectory) if (certDirectory)
{ {
ExFreePool(certDirectory); G_Memory.Free(certDirectory);
} }
return status; return status;
} }
#pragma code_seg() #pragma code_seg()