nefarius/Domito
1
0
Fork 0
Code Issues 1 Activity

Removed dynamic CI experiments that do not work, possibly due to Patch Guard

Browse Source
This commit is contained in:
Benjamin Höglinger-Stelzer
2023-07-03 20:44:12 +02:00
parent aa77523f3a
commit 6e2fd257c0
4 changed files with 12 additions and 239 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Domito.CodeIntegrity.cpp
+5 -167
View File
@@ -8,162 +8,6 @@
#include "Domito.Internal.h"
#include "Domito.MinCrypt.h"
DOMITO_CODE_INTEGRITY G_CI = {};
/* ___ ___ __ __
* / __|_ _| \ \ / / _ __ _ _ __ _ __ ___ _ _ ___
* | (__ | | \ \/\/ / '_/ _` | '_ \ '_ \/ -_) '_(_-<
* \___|___| \_/\_/|_| \__,_| .__/ .__/\___|_| /__/
* |_| |_|
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
PVOID
NTAPI
CiFreePolicyInfo(
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
)
{
if (G_CI.CiFreePolicyInfo)
{
return G_CI.CiFreePolicyInfo(PolicyInfo);
}
return NULL;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
NTAPI
CiCheckSignedFile(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ PVOID SecurityDirectory,
_In_ UINT32 SizeOfSecurityDirectory,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
)
{
if (G_CI.CiCheckSignedFile)
{
return G_CI.CiCheckSignedFile(
Hash,
HashSize,
HashAlgId,
SecurityDirectory,
SizeOfSecurityDirectory,
PolicyInfo,
SigningTime,
TimeStampPolicyInfo
);
}
return STATUS_NOT_IMPLEMENTED;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
NTAPI
CiVerifyHashInCatalog(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ BOOLEAN IsReloadCatalogs,
_In_ UINT32 Always0,
_In_ UINT32 Always2007F,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_opt_ UNICODE_STRING* CatalogName,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
)
{
if (G_CI.CiVerifyHashInCatalog)
{
return G_CI.CiVerifyHashInCatalog(
Hash,
HashSize,
HashAlgId,
IsReloadCatalogs,
Always0,
Always2007F,
PolicyInfo,
CatalogName,
SigningTime,
TimeStampPolicyInfo
);
}
return STATUS_NOT_IMPLEMENTED;
}
NTSTATUS
NTAPI
CiGetCertPublisherName(
_In_ MINCERT_BLOB* Certificate,
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
_Out_ PUNICODE_STRING PublisherName
)
{
if (G_CI.CiGetCertPublisherName)
{
return G_CI.CiGetCertPublisherName(
Certificate,
AllocateRoutine,
PublisherName
);
}
return STATUS_NOT_IMPLEMENTED;
}
VOID
NTAPI
CiSetTrustedOriginClaimId(
_In_ UINT32 ClaimId
)
{
if (G_CI.CiSetTrustedOriginClaimId)
{
G_CI.CiSetTrustedOriginClaimId(ClaimId);
}
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
NTAPI
CiValidateFileObject(
_In_ FILE_OBJECT* FileObject,
_In_opt_ UINT32 Unkonwn1,
_In_opt_ UINT32 Unkonwn2,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ UINT8* Hash,
_Inout_ UINT32* HashSize,
_Out_ ALG_ID* HashAlgId
)
{
if (G_CI.CiValidateFileObject)
{
return G_CI.CiValidateFileObject(
FileObject,
Unkonwn1,
Unkonwn2,
PolicyInfo,
TimeStampPolicyInfo,
SigningTime,
Hash,
HashSize,
HashAlgId
);
}
return STATUS_NOT_IMPLEMENTED;
}
/* _ _ _ _ _ _ _ ___ _ _
* | | | | |_(_) (_) |_ _ _ | __| _ _ _ __| |_(_)___ _ _ ___
@@ -543,16 +387,10 @@ DomitoValidateFileLegacyMode(
do
{
if (!G_CI.CiFreePolicyInfo || !G_CI.CiCheckSignedFile || !G_CI.CiVerifyHashInCatalog)
{
status = STATUS_NOT_IMPLEMENTED;
break;
}
SigningTime->QuadPart = 0;
G_CI.CiFreePolicyInfo(PolicyInfo);
G_CI.CiFreePolicyInfo(TimeStampPolicyInfo);
CiFreePolicyInfo(PolicyInfo);
CiFreePolicyInfo(TimeStampPolicyInfo);
if (HashSize != MINCRYPT_SHA1_LENGTH && HashSize != MINCRYPT_SHA256_LENGTH)
{
@@ -612,7 +450,7 @@ DomitoValidateFileLegacyMode(
KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
{
status = G_CI.CiCheckSignedFile(
status = CiCheckSignedFile(
Hash,
HashSize,
HashAlgId,
@@ -638,7 +476,7 @@ DomitoValidateFileLegacyMode(
KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
{
status = G_CI.CiVerifyHashInCatalog(
status = CiVerifyHashInCatalog(
Hash,
HashSize,
HashAlgId,
@@ -653,7 +491,7 @@ DomitoValidateFileLegacyMode(
if (status == STATUS_INVALID_IMAGE_HASH)
{
status = G_CI.CiVerifyHashInCatalog(
status = CiVerifyHashInCatalog(
Hash,
HashSize,
HashAlgId,