From aa77523f3a66b7fd3448d26f7714e4e028ace4a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20H=C3=B6glinger-Stelzer?=
Date: Mon, 3 Jul 2023 18:04:13 +0200
Subject: [PATCH] Simplified init procedure
---
 src/Domito.cpp | 47 +++++++++++++++++------------------------------
 1 file changed, 17 insertions(+), 30 deletions(-)
diff --git a/src/Domito.cpp b/src/Domito.cpp
index bf2d847..bc9cf63 100644
--- a/src/Domito.cpp
+++ b/src/Domito.cpp
@@ -20,6 +20,10 @@ static STRING G_FN_CiValidateFileObject = RTL_CONSTANT_STRING("CiValidateFileObj
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
+#ifndef LOG
+#define LOG(Format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Domito][" __FUNCTION__ "] " Format " \n", __VA_ARGS__)
+#endif
+
 _Success_(return == STATUS_SUCCESS)
 _Must_inspect_result_
@@ -37,39 +41,22 @@ DomitoInit()
 (t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
 STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
- PVOID driverBaseAddress = NULL, functionAddress = NULL;
+ PVOID driverBaseAddress = NULL;
 if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress)))
 {
- if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, &functionAddress)))
- {
- G_CI.CiFreePolicyInfo = (t_CiFreePolicyInfo)functionAddress;
- }
-
- if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, &functionAddress)))
- {
- G_CI.CiCheckSignedFile = (t_CiCheckSignedFile)functionAddress;
- }
-
- if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, &functionAddress)))
- {
- G_CI.CiVerifyHashInCatalog = (t_CiVerifyHashInCatalog)functionAddress;
- }
-
- if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, &functionAddress)))
- {
- G_CI.CiGetCertPublisherName = (t_CiGetCertPublisherName)functionAddress;
- }
-
- if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, &functionAddress)))
- {
- G_CI.CiSetTrustedOriginClaimId = (t_CiSetTrustedOriginClaimId)functionAddress;
- }
-
- if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, &functionAddress)))
- {
- G_CI.CiValidateFileObject = (t_CiValidateFileObject)functionAddress;
- }
+ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, (void**)&G_CI.CiFreePolicyInfo);
+ LOG("CiFreePolicyInfo = 0x%p", G_CI.CiFreePolicyInfo);
+ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, (void**)&G_CI.CiCheckSignedFile);
+ LOG("CiCheckSignedFile = 0x%p", G_CI.CiCheckSignedFile);
+ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, (void**)&G_CI.CiVerifyHashInCatalog);
+ LOG("CiVerifyHashInCatalog = 0x%p", G_CI.CiVerifyHashInCatalog);
+ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, (void**)&G_CI.CiGetCertPublisherName);
+ LOG("CiGetCertPublisherName = 0x%p", G_CI.CiGetCertPublisherName);
+ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, (void**)&G_CI.CiSetTrustedOriginClaimId);
+ LOG("CiSetTrustedOriginClaimId = 0x%p", G_CI.CiSetTrustedOriginClaimId);
+ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, (void**)&G_CI.CiValidateFileObject);
+ LOG("CiValidateFileObject = 0x%p", G_CI.CiValidateFileObject);
 }
 return STATUS_SUCCESS; // TODO: unused currently
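Review bot: The six new DomitoFindExportedFunctionAddress calls discard their NTSTATUS, so a failed export lookup is neither logged as a failure nor reflected in the result — DomitoInit still returns STATUS_SUCCESS on the hunk's last line, and the corresponding G_CI member is left holding NULL or whatever the helper writes on failure (its contract on failure is not visible in this hunk). Because these members are the signature-verification entry points (CiCheckSignedFile, CiValidateFileObject, …), a later call through an unresolved member is a kernel-mode NULL function-pointer call, and an init that reports success without them is the wrong default for a code-integrity helper; the old code at least only assigned on success. I would resolve the exports through a table, clear each target before the lookup, check the status and propagate the first failure, which also removes the six copy-pasted call/LOG pairs — if some of these exports are legitimately absent on older Windows builds, record that per entry instead of failing the whole init. DomitoInit's signature and the MmGetSystemRoutineAddress lookups sit above this hunk.
```cpp
    // … unchanged: ZwQueryInformationProcess / RtlImageDirectoryEntryToData lookups, ciModuleName …
    PVOID driverBaseAddress = NULL;

    if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress)))
    {
        // Each CI.dll export and the G_CI member that receives its address.
        struct { STRING *Name; void **Target; } ciExports[] = {
            { &G_FN_CiFreePolicyInfo,          (void**)&G_CI.CiFreePolicyInfo },
            { &G_FN_CiCheckSignedFile,         (void**)&G_CI.CiCheckSignedFile },
            { &G_FN_CiVerifyHashInCatalog,     (void**)&G_CI.CiVerifyHashInCatalog },
            { &G_FN_CiGetCertPublisherName,    (void**)&G_CI.CiGetCertPublisherName },
            { &G_FN_CiSetTrustedOriginClaimId, (void**)&G_CI.CiSetTrustedOriginClaimId },
            { &G_FN_CiValidateFileObject,      (void**)&G_CI.CiValidateFileObject },
        };

        for (ULONG i = 0; i < RTL_NUMBER_OF(ciExports); i++)
        {
            // Clear first: the helper's behaviour on failure is not guaranteed here,
            // and callers must never see a stale or uninitialised entry point.
            *ciExports[i].Target = NULL;
            const NTSTATUS status = DomitoFindExportedFunctionAddress(driverBaseAddress, ciExports[i].Name, ciExports[i].Target);
            if (!NT_SUCCESS(status))
            {
                LOG("Failed to resolve %Z (0x%08X)", ciExports[i].Name, status);
                return status; // do not report a usable G_CI without its verification entry points
            }
            LOG("%Z = 0x%p", ciExports[i].Name, *ciExports[i].Target);
        }
    }

    return STATUS_SUCCESS;
```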