Removed dynamic CI experiments that do not work, possibly due to Patch Guard

This commit is contained in:
Benjamin Höglinger-Stelzer 2023-07-03 20:44:12 +02:00
parent aa77523f3a
commit 6e2fd257c0
4 changed files with 12 additions and 239 deletions


@ -356,6 +356,7 @@ typedef struct _MINCRYPT_POLICY_INFO
#include <poppack.h> #include <poppack.h>
/** /**
* Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null. * Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (ChainInfo) if not null.
* Zeros the entire PolicyInfo struct. * Zeros the entire PolicyInfo struct.
@ -365,7 +366,7 @@ typedef struct _MINCRYPT_POLICY_INFO
* @return the struct which was reset. * @return the struct which was reset.
*/ */
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C MINCRYPTAPI
PVOID PVOID
NTAPI NTAPI
CiFreePolicyInfo( CiFreePolicyInfo(
@ -402,7 +403,7 @@ CiFreePolicyInfo(
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired * STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/ */
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C MINCRYPTAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
CiCheckSignedFile( CiCheckSignedFile(
@ -451,7 +452,7 @@ CiCheckSignedFile(
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired * STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/ */
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C MINCRYPTAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
CiVerifyHashInCatalog( CiVerifyHashInCatalog(
@ -492,7 +493,7 @@ typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;
* *
* @return buffer length. * @return buffer length.
*/ */
EXTERN_C MINCRYPTAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
CiGetCertPublisherName( CiGetCertPublisherName(
@ -502,7 +503,7 @@ CiGetCertPublisherName(
); );
EXTERN_C MINCRYPTAPI
VOID VOID
NTAPI NTAPI
CiSetTrustedOriginClaimId( CiSetTrustedOriginClaimId(
@ -538,7 +539,7 @@ CiSetTrustedOriginClaimId(
* STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired * STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/ */
_IRQL_requires_max_(PASSIVE_LEVEL) _IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C MINCRYPTAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
CiValidateFileObject( CiValidateFileObject(
@ -555,7 +556,6 @@ CiValidateFileObject(
#endif // NTDDI_VERSION >= NTDDI_WIN10 #endif // NTDDI_VERSION >= NTDDI_WIN10
EXTERN_C_END EXTERN_C_END
#if _MSC_VER >= 1200 #if _MSC_VER >= 1200
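Review bot: The six changed declarations (`CiFreePolicyInfo` through `CiValidateFileObject`) each gain a per-declaration `EXTERN_C` although the section ends with `EXTERN_C_END`, which suggests they already sit inside an `EXTERN_C_START`…`EXTERN_C_END` block (the opening is outside this diff, so this is inferred); if so the `EXTERN_C` is redundant and `MINCRYPTAPI` alone would do. The definition of `MINCRYPTAPI` is also not visible here, yet it is what turns these prototypes into link-time imports of CI.dll in place of the removed runtime export lookup (presumably `__declspec(dllimport)` — confirm); a one-line comment at its definition such as `// MINCRYPTAPI: link-time import of the CI.dll exports declared below; replaces the former runtime export scan` would make the dependency explicit. Note too that `CiGetCertPublisherName` and `CiSetTrustedOriginClaimId` are the only declarations here without an `_IRQL_requires_max_` annotation; if PASSIVE_LEVEL is required for them as well, the annotation is worth adding while the prototypes are being touched.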


@ -8,162 +8,6 @@
#include "Domito.Internal.h" #include "Domito.Internal.h"
#include "Domito.MinCrypt.h" #include "Domito.MinCrypt.h"
DOMITO_CODE_INTEGRITY G_CI = {};
/* ___ ___ __ __
* / __|_ _| \ \ / / _ __ _ _ __ _ __ ___ _ _ ___
* | (__ | | \ \/\/ / '_/ _` | '_ \ '_ \/ -_) '_(_-<
* \___|___| \_/\_/|_| \__,_| .__/ .__/\___|_| /__/
* |_| |_|
*/
_IRQL_requires_max_(PASSIVE_LEVEL)
PVOID
NTAPI
CiFreePolicyInfo(
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
)
{
if (G_CI.CiFreePolicyInfo)
{
return G_CI.CiFreePolicyInfo(PolicyInfo);
}
return NULL;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
NTAPI
CiCheckSignedFile(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ PVOID SecurityDirectory,
_In_ UINT32 SizeOfSecurityDirectory,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
)
{
if (G_CI.CiCheckSignedFile)
{
return G_CI.CiCheckSignedFile(
Hash,
HashSize,
HashAlgId,
SecurityDirectory,
SizeOfSecurityDirectory,
PolicyInfo,
SigningTime,
TimeStampPolicyInfo
);
}
return STATUS_NOT_IMPLEMENTED;
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
NTAPI
CiVerifyHashInCatalog(
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ BOOLEAN IsReloadCatalogs,
_In_ UINT32 Always0,
_In_ UINT32 Always2007F,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_opt_ UNICODE_STRING* CatalogName,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
)
{
if (G_CI.CiVerifyHashInCatalog)
{
return G_CI.CiVerifyHashInCatalog(
Hash,
HashSize,
HashAlgId,
IsReloadCatalogs,
Always0,
Always2007F,
PolicyInfo,
CatalogName,
SigningTime,
TimeStampPolicyInfo
);
}
return STATUS_NOT_IMPLEMENTED;
}
NTSTATUS
NTAPI
CiGetCertPublisherName(
_In_ MINCERT_BLOB* Certificate,
_In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
_Out_ PUNICODE_STRING PublisherName
)
{
if (G_CI.CiGetCertPublisherName)
{
return G_CI.CiGetCertPublisherName(
Certificate,
AllocateRoutine,
PublisherName
);
}
return STATUS_NOT_IMPLEMENTED;
}
VOID
NTAPI
CiSetTrustedOriginClaimId(
_In_ UINT32 ClaimId
)
{
if (G_CI.CiSetTrustedOriginClaimId)
{
G_CI.CiSetTrustedOriginClaimId(ClaimId);
}
}
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS
NTAPI
CiValidateFileObject(
_In_ FILE_OBJECT* FileObject,
_In_opt_ UINT32 Unkonwn1,
_In_opt_ UINT32 Unkonwn2,
_Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Out_ UINT8* Hash,
_Inout_ UINT32* HashSize,
_Out_ ALG_ID* HashAlgId
)
{
if (G_CI.CiValidateFileObject)
{
return G_CI.CiValidateFileObject(
FileObject,
Unkonwn1,
Unkonwn2,
PolicyInfo,
TimeStampPolicyInfo,
SigningTime,
Hash,
HashSize,
HashAlgId
);
}
return STATUS_NOT_IMPLEMENTED;
}
/* _ _ _ _ _ _ _ ___ _ _ /* _ _ _ _ _ _ _ ___ _ _
* | | | | |_(_) (_) |_ _ _ | __| _ _ _ __| |_(_)___ _ _ ___ * | | | | |_(_) (_) |_ _ _ | __| _ _ _ __| |_(_)___ _ _ ___
@ -543,16 +387,10 @@ DomitoValidateFileLegacyMode(
do do
{ {
if (!G_CI.CiFreePolicyInfo || !G_CI.CiCheckSignedFile || !G_CI.CiVerifyHashInCatalog)
{
status = STATUS_NOT_IMPLEMENTED;
break;
}
SigningTime->QuadPart = 0; SigningTime->QuadPart = 0;
G_CI.CiFreePolicyInfo(PolicyInfo); CiFreePolicyInfo(PolicyInfo);
G_CI.CiFreePolicyInfo(TimeStampPolicyInfo); CiFreePolicyInfo(TimeStampPolicyInfo);
if (HashSize != MINCRYPT_SHA1_LENGTH && HashSize != MINCRYPT_SHA256_LENGTH) if (HashSize != MINCRYPT_SHA1_LENGTH && HashSize != MINCRYPT_SHA256_LENGTH)
{ {
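Review bot: With the `G_CI` availability check removed, `CiFreePolicyInfo(PolicyInfo)` and `CiFreePolicyInfo(TimeStampPolicyInfo)` are now the first statements that touch the caller's structs, and per the header comment `CiFreePolicyInfo` frees `ChainInfo` when it is non-null; if these are `_Out_` parameters of `DomitoValidateFileLegacyMode` (its signature starts and ends outside this hunk, so this is inferred), a caller passing an uninitialized struct would have a stale pointer freed in kernel mode. Either document the contract on the function, e.g. `// PolicyInfo/TimeStampPolicyInfo must be zero-initialized or previously reset by CiFreePolicyInfo; ChainInfo is freed if non-null`, or zero both structs with `RtlZeroMemory` before the first use if callers are not expected to do so. Separately, availability of the CI exports is now decided by the import resolver at load time rather than by the removed `STATUS_NOT_IMPLEMENTED` fallback, so a build run on a release lacking one of them (the header guards `CiValidateFileObject` behind `NTDDI_VERSION >= NTDDI_WIN10`) fails to load instead of degrading; that is presumably intended but deserves a sentence in the commit message or a comment at the `#include "Domito.MinCrypt.h"` site. The same applies to the direct `CiCheckSignedFile`/`CiVerifyHashInCatalog` calls in the three later hunks of this file.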
@ -612,7 +450,7 @@ DomitoValidateFileLegacyMode(
KeStackAttachProcess(PsInitialSystemProcess, &systemContext); KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
{ {
status = G_CI.CiCheckSignedFile( status = CiCheckSignedFile(
Hash, Hash,
HashSize, HashSize,
HashAlgId, HashAlgId,
@ -638,7 +476,7 @@ DomitoValidateFileLegacyMode(
KeStackAttachProcess(PsInitialSystemProcess, &systemContext); KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
{ {
status = G_CI.CiVerifyHashInCatalog( status = CiVerifyHashInCatalog(
Hash, Hash,
HashSize, HashSize,
HashAlgId, HashAlgId,
@ -653,7 +491,7 @@ DomitoValidateFileLegacyMode(
if (status == STATUS_INVALID_IMAGE_HASH) if (status == STATUS_INVALID_IMAGE_HASH)
{ {
status = G_CI.CiVerifyHashInCatalog( status = CiVerifyHashInCatalog(
Hash, Hash,
HashSize, HashSize,
HashAlgId, HashAlgId,


@ -141,42 +141,3 @@ typedef struct
// Global instance, individual field can be adjusted by the caller // Global instance, individual field can be adjusted by the caller
// //
extern DOMITO_MEMORY G_Memory; extern DOMITO_MEMORY G_Memory;
/* ___ _ ___ _ _ _
* / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _
* | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || |
* \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, |
* |___/ |__/
*/
typedef decltype(&CiFreePolicyInfo) t_CiFreePolicyInfo;
typedef decltype(&CiCheckSignedFile) t_CiCheckSignedFile;
typedef decltype(&CiVerifyHashInCatalog) t_CiVerifyHashInCatalog;
typedef decltype(&CiGetCertPublisherName) t_CiGetCertPublisherName;
typedef decltype(&CiSetTrustedOriginClaimId) t_CiSetTrustedOriginClaimId;
typedef decltype(&CiValidateFileObject) t_CiValidateFileObject;
//
// Function pointers to CI.dll exports
//
typedef struct
{
t_CiFreePolicyInfo CiFreePolicyInfo;
t_CiCheckSignedFile CiCheckSignedFile;
t_CiVerifyHashInCatalog CiVerifyHashInCatalog;
t_CiGetCertPublisherName CiGetCertPublisherName;
t_CiSetTrustedOriginClaimId CiSetTrustedOriginClaimId;
t_CiValidateFileObject CiValidateFileObject;
} DOMITO_CODE_INTEGRITY;
//
// Global instance
//
extern DOMITO_CODE_INTEGRITY G_CI;


@ -10,13 +10,6 @@
DOMITO_COMMON G_Common = {}; DOMITO_COMMON G_Common = {};
static STRING G_FN_CiFreePolicyInfo = RTL_CONSTANT_STRING("CiFreePolicyInfo");
static STRING G_FN_CiCheckSignedFile = RTL_CONSTANT_STRING("CiCheckSignedFile");
static STRING G_FN_CiVerifyHashInCatalog = RTL_CONSTANT_STRING("CiVerifyHashInCatalog");
static STRING G_FN_CiGetCertPublisherName = RTL_CONSTANT_STRING("CiGetCertPublisherName");
static STRING G_FN_CiSetTrustedOriginClaimId = RTL_CONSTANT_STRING("CiSetTrustedOriginClaimId");
static STRING G_FN_CiValidateFileObject = RTL_CONSTANT_STRING("CiValidateFileObject");
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess"); DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData"); DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
@ -40,25 +33,6 @@ DomitoInit()
G_Common.RtlImageDirectoryEntryToData = G_Common.RtlImageDirectoryEntryToData =
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName); (t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
PVOID driverBaseAddress = NULL;
if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress)))
{
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, (void**)&G_CI.CiFreePolicyInfo);
LOG("CiFreePolicyInfo = 0x%p", G_CI.CiFreePolicyInfo);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, (void**)&G_CI.CiCheckSignedFile);
LOG("CiCheckSignedFile = 0x%p", G_CI.CiCheckSignedFile);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, (void**)&G_CI.CiVerifyHashInCatalog);
LOG("CiVerifyHashInCatalog = 0x%p", G_CI.CiVerifyHashInCatalog);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, (void**)&G_CI.CiGetCertPublisherName);
LOG("CiGetCertPublisherName = 0x%p", G_CI.CiGetCertPublisherName);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, (void**)&G_CI.CiSetTrustedOriginClaimId);
LOG("CiSetTrustedOriginClaimId = 0x%p", G_CI.CiSetTrustedOriginClaimId);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, (void**)&G_CI.CiValidateFileObject);
LOG("CiValidateFileObject = 0x%p", G_CI.CiValidateFileObject);
}
return STATUS_SUCCESS; // TODO: unused currently return STATUS_SUCCESS; // TODO: unused currently
} }