nefarius/Domito
1
0
Fork 0
Code Issues 1 Activity

Removed dynamic CI experiments that do not work, possibly due to Patch Guard

Browse Source
This commit is contained in:
Benjamin Höglinger-Stelzer
2023-07-03 20:44:12 +02:00
parent aa77523f3a
commit 6e2fd257c0
4 changed files with 12 additions and 239 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Domito.cpp
-26
View File
@@ -10,13 +10,6 @@
DOMITO_COMMON G_Common = {};
static STRING G_FN_CiFreePolicyInfo = RTL_CONSTANT_STRING("CiFreePolicyInfo");
static STRING G_FN_CiCheckSignedFile = RTL_CONSTANT_STRING("CiCheckSignedFile");
static STRING G_FN_CiVerifyHashInCatalog = RTL_CONSTANT_STRING("CiVerifyHashInCatalog");
static STRING G_FN_CiGetCertPublisherName = RTL_CONSTANT_STRING("CiGetCertPublisherName");
static STRING G_FN_CiSetTrustedOriginClaimId = RTL_CONSTANT_STRING("CiSetTrustedOriginClaimId");
static STRING G_FN_CiValidateFileObject = RTL_CONSTANT_STRING("CiValidateFileObject");
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
@@ -40,25 +33,6 @@ DomitoInit()
G_Common.RtlImageDirectoryEntryToData =
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
PVOID driverBaseAddress = NULL;
if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress)))
{
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, (void**)&G_CI.CiFreePolicyInfo);
LOG("CiFreePolicyInfo = 0x%p", G_CI.CiFreePolicyInfo);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, (void**)&G_CI.CiCheckSignedFile);
LOG("CiCheckSignedFile = 0x%p", G_CI.CiCheckSignedFile);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, (void**)&G_CI.CiVerifyHashInCatalog);
LOG("CiVerifyHashInCatalog = 0x%p", G_CI.CiVerifyHashInCatalog);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, (void**)&G_CI.CiGetCertPublisherName);
LOG("CiGetCertPublisherName = 0x%p", G_CI.CiGetCertPublisherName);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, (void**)&G_CI.CiSetTrustedOriginClaimId);
LOG("CiSetTrustedOriginClaimId = 0x%p", G_CI.CiSetTrustedOriginClaimId);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, (void**)&G_CI.CiValidateFileObject);
LOG("CiValidateFileObject = 0x%p", G_CI.CiValidateFileObject);
}
return STATUS_SUCCESS; // TODO: unused currently
}