From 6e2fd257c04c561376e4784b508b38386b35aaa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20H=C3=B6glinger-Stelzer?=
Date: Mon, 3 Jul 2023 20:44:12 +0200
Subject: [PATCH] Removed dynamic CI experiments that do not work, possibly due to Patch Guard
---
 include/Domito.MinCrypt.h | 14 +--
 src/Domito.CodeIntegrity.cpp | 172 +----------------------------------
 src/Domito.Internal.h | 39 --------
 src/Domito.cpp | 26 ------
 4 files changed, 12 insertions(+), 239 deletions(-)
diff --git a/include/Domito.MinCrypt.h b/include/Domito.MinCrypt.h
index b1d37c9..63d1596 100644
--- a/include/Domito.MinCrypt.h
+++ b/include/Domito.MinCrypt.h
@@ -356,6 +356,7 @@ typedef struct _MINCRYPT_POLICY_INFO
 #include
+
 /**
 * Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null.
 * Zeros the entire PolicyInfo struct.
@@ -365,7 +366,7 @@ typedef struct _MINCRYPT_POLICY_INFO
 * @return the struct which was reset.
 */
 _IRQL_requires_max_(PASSIVE_LEVEL)
-EXTERN_C
+MINCRYPTAPI
 PVOID
 NTAPI
 CiFreePolicyInfo(
@@ -402,7 +403,7 @@ CiFreePolicyInfo(
 * STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
 */
 _IRQL_requires_max_(PASSIVE_LEVEL)
-EXTERN_C
+MINCRYPTAPI
 NTSTATUS
 NTAPI
 CiCheckSignedFile(
@@ -451,7 +452,7 @@ CiCheckSignedFile(
 * STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
 */
 _IRQL_requires_max_(PASSIVE_LEVEL)
-EXTERN_C
+MINCRYPTAPI
 NTSTATUS
 NTAPI
 CiVerifyHashInCatalog(
@@ -492,7 +493,7 @@ typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;
 *
 * @return buffer length.
 */
-EXTERN_C
+MINCRYPTAPI
 NTSTATUS
 NTAPI
 CiGetCertPublisherName(
@@ -502,7 +503,7 @@ CiGetCertPublisherName(
 );
-EXTERN_C
+MINCRYPTAPI
 VOID
 NTAPI
 CiSetTrustedOriginClaimId(
@@ -538,7 +539,7 @@ CiSetTrustedOriginClaimId(
 * STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
 */
 _IRQL_requires_max_(PASSIVE_LEVEL)
-EXTERN_C
+MINCRYPTAPI
 NTSTATUS
 NTAPI
 CiValidateFileObject(
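Review bot: `MINCRYPTAPI` now replaces `EXTERN_C` on every Ci* prototype (here and in the hunks at 402, 451, 492, 502 and 538), but nothing in this patch defines it, and the header still closes with `EXTERN_C_END` (context in the 555 hunk), so the prototypes appear to depend on an enclosing extern-C block plus whatever MINCRYPTAPI expands to. Since the run-time export lookup in Domito.cpp is removed in the same commit, these symbols are presumably bound by the linker/loader now; that should be stated at the first use, e.g. `// MINCRYPTAPI is defined in <TODO: build/include that provides it> and replaces per-declaration EXTERN_C; the Ci* symbols below are no longer looked up at run time.` It is also worth documenting on the header that an export absent on a given Windows build (CiValidateFileObject is guarded by NTDDI_WIN10 in the 555 context) would then surface when the driver is loaded rather than as the STATUS_NOT_IMPLEMENTED the removed wrappers returned.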
@@ -555,7 +556,6 @@ CiValidateFileObject(
 #endif // NTDDI_VERSION >= NTDDI_WIN10
-
 EXTERN_C_END
 #if _MSC_VER >= 1200
diff --git a/src/Domito.CodeIntegrity.cpp b/src/Domito.CodeIntegrity.cpp
index b4a860e..a03ac59 100644
--- a/src/Domito.CodeIntegrity.cpp
+++ b/src/Domito.CodeIntegrity.cpp
@@ -8,162 +8,6 @@
 #include "Domito.Internal.h"
 #include "Domito.MinCrypt.h"
-DOMITO_CODE_INTEGRITY G_CI = {};
-
-
-/* ___ ___ __ __
- * / __|_ _| \ \ / / _ __ _ _ __ _ __ ___ _ _ ___
- * | (__ | | \ \/\/ / '_/ _` | '_ \ '_ \/ -_) '_(_-<
- * \___|___| \_/\_/|_| \__,_| .__/ .__/\___|_| /__/
- * |_| |_|
- */
-
-_IRQL_requires_max_(PASSIVE_LEVEL)
-PVOID
-NTAPI
-CiFreePolicyInfo(
- _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
-)
-{
- if (G_CI.CiFreePolicyInfo)
- {
- return G_CI.CiFreePolicyInfo(PolicyInfo);
- }
-
- return NULL;
-}
-
-_IRQL_requires_max_(PASSIVE_LEVEL)
-NTSTATUS
-NTAPI
-CiCheckSignedFile(
- _In_ PVOID Hash,
- _In_ UINT32 HashSize,
- _In_ ALG_ID HashAlgId,
- _In_ PVOID SecurityDirectory,
- _In_ UINT32 SizeOfSecurityDirectory,
- _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
- _Out_ LARGE_INTEGER* SigningTime,
- _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
-)
-{
- if (G_CI.CiCheckSignedFile)
- {
- return G_CI.CiCheckSignedFile(
- Hash,
- HashSize,
- HashAlgId,
- SecurityDirectory,
- SizeOfSecurityDirectory,
- PolicyInfo,
- SigningTime,
- TimeStampPolicyInfo
- );
- }
-
- return STATUS_NOT_IMPLEMENTED;
-}
-
-_IRQL_requires_max_(PASSIVE_LEVEL)
-NTSTATUS
-NTAPI
-CiVerifyHashInCatalog(
- _In_ PVOID Hash,
- _In_ UINT32 HashSize,
- _In_ ALG_ID HashAlgId,
- _In_ BOOLEAN IsReloadCatalogs,
- _In_ UINT32 Always0,
- _In_ UINT32 Always2007F,
- _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
- _Out_opt_ UNICODE_STRING* CatalogName,
- _Out_ LARGE_INTEGER* SigningTime,
- _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
-)
-{
- if (G_CI.CiVerifyHashInCatalog)
- {
- return G_CI.CiVerifyHashInCatalog(
- Hash,
- HashSize,
- HashAlgId,
- IsReloadCatalogs,
- Always0,
- Always2007F,
- PolicyInfo,
- CatalogName,
- SigningTime,
- TimeStampPolicyInfo
- );
- }
-
- return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS
-NTAPI
-CiGetCertPublisherName(
- _In_ MINCERT_BLOB* Certificate,
- _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
- _Out_ PUNICODE_STRING PublisherName
-)
-{
- if 
(G_CI.CiGetCertPublisherName)
- {
- return G_CI.CiGetCertPublisherName(
- Certificate,
- AllocateRoutine,
- PublisherName
- );
- }
-
- return STATUS_NOT_IMPLEMENTED;
-}
-
-VOID
-NTAPI
-CiSetTrustedOriginClaimId(
- _In_ UINT32 ClaimId
-)
-{
- if (G_CI.CiSetTrustedOriginClaimId)
- {
- G_CI.CiSetTrustedOriginClaimId(ClaimId);
- }
-}
-
-_IRQL_requires_max_(PASSIVE_LEVEL)
-NTSTATUS
-NTAPI
-CiValidateFileObject(
- _In_ FILE_OBJECT* FileObject,
- _In_opt_ UINT32 Unkonwn1,
- _In_opt_ UINT32 Unkonwn2,
- _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
- _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
- _Out_ LARGE_INTEGER* SigningTime,
- _Out_ UINT8* Hash,
- _Inout_ UINT32* HashSize,
- _Out_ ALG_ID* HashAlgId
-)
-{
- if (G_CI.CiValidateFileObject)
- {
- return G_CI.CiValidateFileObject(
- FileObject,
- Unkonwn1,
- Unkonwn2,
- PolicyInfo,
- TimeStampPolicyInfo,
- SigningTime,
- Hash,
- HashSize,
- HashAlgId
- );
- }
-
- return STATUS_NOT_IMPLEMENTED;
-}
-
 /* _ _ _ _ _ _ _ ___ _ _
 * | | | | |_(_) (_) |_ _ _ | __| _ _ _ __| |_(_)___ _ _ ___
@@ -543,16 +387,10 @@ DomitoValidateFileLegacyMode(
 do
 {
- if (!G_CI.CiFreePolicyInfo || !G_CI.CiCheckSignedFile || !G_CI.CiVerifyHashInCatalog)
- {
- status = STATUS_NOT_IMPLEMENTED;
- break;
- }
-
 SigningTime->QuadPart = 0;
- G_CI.CiFreePolicyInfo(PolicyInfo);
- G_CI.CiFreePolicyInfo(TimeStampPolicyInfo);
+ CiFreePolicyInfo(PolicyInfo);
+ CiFreePolicyInfo(TimeStampPolicyInfo);
 if (HashSize != MINCRYPT_SHA1_LENGTH && HashSize != MINCRYPT_SHA256_LENGTH)
 {
@@ -612,7 +450,7 @@ DomitoValidateFileLegacyMode(
 KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
 {
- status = G_CI.CiCheckSignedFile(
+ status = CiCheckSignedFile(
 Hash,
 HashSize,
 HashAlgId,
@@ -638,7 +476,7 @@ DomitoValidateFileLegacyMode(
 KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
 {
- status = G_CI.CiVerifyHashInCatalog(
+ status = CiVerifyHashInCatalog(
 Hash,
 HashSize,
 HashAlgId,
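Review bot: With the availability guard removed, `CiFreePolicyInfo(PolicyInfo)` and `CiFreePolicyInfo(TimeStampPolicyInfo)` now run unconditionally and before `HashSize` is validated; per the header comment in this patch CiFreePolicyInfo frees `ChainInfo` when it is non-null, so both structs must be zero-initialized (or previously populated by CI) on entry, and that precondition is no longer visible at the call site. Suggest a comment above the two calls, `// PolicyInfo/TimeStampPolicyInfo must be zeroed or CI-populated on entry: CiFreePolicyInfo releases ChainInfo if non-null.`, and the same sentence in DomitoValidateFileLegacyMode's doc comment; the function starts before this hunk. The direct-call substitutions in the hunks at 612, 638 and 653 need nothing further, but the dropped STATUS_NOT_IMPLEMENTED path means a CI export missing on the running system is presumably now a driver load failure rather than a per-call status, which is worth one line in that doc comment too.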
@@ -653,7 +491,7 @@ DomitoValidateFileLegacyMode(
 if (status == STATUS_INVALID_IMAGE_HASH)
 {
- status = G_CI.CiVerifyHashInCatalog(
+ status = CiVerifyHashInCatalog(
 Hash,
 HashSize,
 HashAlgId,
diff --git a/src/Domito.Internal.h b/src/Domito.Internal.h
index 8dad77a..024aa89 100644
--- a/src/Domito.Internal.h
+++ b/src/Domito.Internal.h
@@ -141,42 +141,3 @@ typedef struct
 // Global instance, individual field can be adjusted by the caller
 //
 extern DOMITO_MEMORY G_Memory;
-
-
-/* ___ _ ___ _ _ _
- * / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _
- * | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || |
- * \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, |
- * |___/ |__/
- */
-
-typedef decltype(&CiFreePolicyInfo) t_CiFreePolicyInfo;
-typedef decltype(&CiCheckSignedFile) t_CiCheckSignedFile;
-typedef decltype(&CiVerifyHashInCatalog) t_CiVerifyHashInCatalog;
-typedef decltype(&CiGetCertPublisherName) t_CiGetCertPublisherName;
-typedef decltype(&CiSetTrustedOriginClaimId) t_CiSetTrustedOriginClaimId;
-typedef decltype(&CiValidateFileObject) t_CiValidateFileObject;
-
-//
-// Function pointers to CI.dll exports
-//
-typedef struct
-{
- t_CiFreePolicyInfo CiFreePolicyInfo;
-
- t_CiCheckSignedFile CiCheckSignedFile;
-
- t_CiVerifyHashInCatalog CiVerifyHashInCatalog;
-
- t_CiGetCertPublisherName CiGetCertPublisherName;
-
- t_CiSetTrustedOriginClaimId CiSetTrustedOriginClaimId;
-
- t_CiValidateFileObject CiValidateFileObject;
-
-} DOMITO_CODE_INTEGRITY;
-
-//
-// Global instance
-//
-extern DOMITO_CODE_INTEGRITY G_CI;
diff --git a/src/Domito.cpp b/src/Domito.cpp
index bc9cf63..b79ec9e 100644
--- a/src/Domito.cpp
+++ b/src/Domito.cpp
@@ -10,13 +10,6 @@ DOMITO_COMMON G_Common = {};
-static STRING G_FN_CiFreePolicyInfo = RTL_CONSTANT_STRING("CiFreePolicyInfo");
-static STRING G_FN_CiCheckSignedFile = RTL_CONSTANT_STRING("CiCheckSignedFile");
-static STRING G_FN_CiVerifyHashInCatalog = RTL_CONSTANT_STRING("CiVerifyHashInCatalog");
-static STRING G_FN_CiGetCertPublisherName = RTL_CONSTANT_STRING("CiGetCertPublisherName");
-static STRING G_FN_CiSetTrustedOriginClaimId = RTL_CONSTANT_STRING("CiSetTrustedOriginClaimId");
-static STRING G_FN_CiValidateFileObject = RTL_CONSTANT_STRING("CiValidateFileObject");
-
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
@@ -40,25 +33,6 @@ DomitoInit()
 G_Common.RtlImageDirectoryEntryToData = (t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
- STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
- PVOID driverBaseAddress = NULL;
-
- if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress)))
- {
- DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, (void**)&G_CI.CiFreePolicyInfo);
- LOG("CiFreePolicyInfo = 0x%p", G_CI.CiFreePolicyInfo);
- DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, (void**)&G_CI.CiCheckSignedFile);
- LOG("CiCheckSignedFile = 0x%p", G_CI.CiCheckSignedFile);
- DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, (void**)&G_CI.CiVerifyHashInCatalog);
- LOG("CiVerifyHashInCatalog = 0x%p", G_CI.CiVerifyHashInCatalog);
- DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, (void**)&G_CI.CiGetCertPublisherName);
- LOG("CiGetCertPublisherName = 0x%p", G_CI.CiGetCertPublisherName);
- DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, (void**)&G_CI.CiSetTrustedOriginClaimId);
- LOG("CiSetTrustedOriginClaimId = 0x%p", G_CI.CiSetTrustedOriginClaimId);
- DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, (void**)&G_CI.CiValidateFileObject);
- LOG("CiValidateFileObject = 0x%p", G_CI.CiValidateFileObject);
- }
-
 return STATUS_SUCCESS; // TODO: unused currently
 }