Simplified init procedure

Benjamin Höglinger-Stelzer 2023-07-03 18:04:13 +02:00
parent 1afdd90b4e
commit aa77523f3a


@ -20,6 +20,10 @@ static STRING G_FN_CiValidateFileObject = RTL_CONSTANT_STRING("CiValidateFileObj
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess"); DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData"); DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
#ifndef LOG
#define LOG(Format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Domito][" __FUNCTION__ "] " Format " \n", __VA_ARGS__)
#endif
_Success_(return == STATUS_SUCCESS) _Success_(return == STATUS_SUCCESS)
_Must_inspect_result_ _Must_inspect_result_
@ -37,39 +41,22 @@ DomitoInit()
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName); (t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll"); STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
PVOID driverBaseAddress = NULL, functionAddress = NULL; PVOID driverBaseAddress = NULL;
if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress))) if (NT_SUCCESS(DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress)))
{ {
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, &functionAddress))) DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiFreePolicyInfo, (void**)&G_CI.CiFreePolicyInfo);
{ LOG("CiFreePolicyInfo = 0x%p", G_CI.CiFreePolicyInfo);
G_CI.CiFreePolicyInfo = (t_CiFreePolicyInfo)functionAddress; DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, (void**)&G_CI.CiCheckSignedFile);
} LOG("CiCheckSignedFile = 0x%p", G_CI.CiCheckSignedFile);
DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, (void**)&G_CI.CiVerifyHashInCatalog);
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiCheckSignedFile, &functionAddress))) LOG("CiVerifyHashInCatalog = 0x%p", G_CI.CiVerifyHashInCatalog);
{ DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, (void**)&G_CI.CiGetCertPublisherName);
G_CI.CiCheckSignedFile = (t_CiCheckSignedFile)functionAddress; LOG("CiGetCertPublisherName = 0x%p", G_CI.CiGetCertPublisherName);
} DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, (void**)&G_CI.CiSetTrustedOriginClaimId);
LOG("CiSetTrustedOriginClaimId = 0x%p", G_CI.CiSetTrustedOriginClaimId);
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiVerifyHashInCatalog, &functionAddress))) DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, (void**)&G_CI.CiValidateFileObject);
{ LOG("CiValidateFileObject = 0x%p", G_CI.CiValidateFileObject);
G_CI.CiVerifyHashInCatalog = (t_CiVerifyHashInCatalog)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiGetCertPublisherName, &functionAddress)))
{
G_CI.CiGetCertPublisherName = (t_CiGetCertPublisherName)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiSetTrustedOriginClaimId, &functionAddress)))
{
G_CI.CiSetTrustedOriginClaimId = (t_CiSetTrustedOriginClaimId)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_CiValidateFileObject, &functionAddress)))
{
G_CI.CiValidateFileObject = (t_CiValidateFileObject)functionAddress;
}
} }
return STATUS_SUCCESS; // TODO: unused currently return STATUS_SUCCESS; // TODO: unused currently
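Review bot: The rewritten lookup block drops the NT_SUCCESS checks around every DomitoFindExportedFunctionAddress call, so a missing CI.dll export is only logged as `= 0x0000000000000000` and DomitoInit still returns STATUS_SUCCESS (it already did so when DomitoFindModuleBaseAddress fails), leaving callers to invoke a NULL or unresolved G_CI.* pointer from kernel mode later. Each resolution should be checked and init should fail with a status the caller can act on; the sketch below does that with a small local macro so the six lookups stay one line each, and returns the real status when the module base is not found. Whether all six exports are mandatory on every supported CI.dll build is not visible here — if some are optional, resolve them but only fail on the ones the driver cannot run without. Secondarily, the `LOG` calls print resolved kernel addresses at DPFLTR_ERROR_LEVEL, which hands CI.dll export addresses to anything that can read the debug channel; consider a lower level or compiling them out of release builds. DomitoInit's opening lines are outside the hunk.
```c
STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
PVOID driverBaseAddress = NULL;
NTSTATUS status = DomitoFindModuleBaseAddress(&ciModuleName, &driverBaseAddress);
if (!NT_SUCCESS(status))
{
    LOG("CI.dll base address not found, status 0x%08X", status);
    return status;
}

// Resolve one CI.dll export into G_CI and fail init if it is missing.
#define DOMITO_RESOLVE_CI_EXPORT(Name)                                                      \
    do                                                                                      \
    {                                                                                       \
        status = DomitoFindExportedFunctionAddress(driverBaseAddress, &G_FN_##Name,         \
                                                   (void**)&G_CI.Name);                     \
        if (!NT_SUCCESS(status) || G_CI.Name == NULL)                                       \
        {                                                                                   \
            LOG(#Name " not found, status 0x%08X", status);                                 \
            return STATUS_PROCEDURE_NOT_FOUND;                                              \
        }                                                                                   \
        LOG(#Name " = 0x%p", G_CI.Name);                                                    \
    } while (0)

DOMITO_RESOLVE_CI_EXPORT(CiFreePolicyInfo);
DOMITO_RESOLVE_CI_EXPORT(CiCheckSignedFile);
DOMITO_RESOLVE_CI_EXPORT(CiVerifyHashInCatalog);
DOMITO_RESOLVE_CI_EXPORT(CiGetCertPublisherName);
DOMITO_RESOLVE_CI_EXPORT(CiSetTrustedOriginClaimId);
DOMITO_RESOLVE_CI_EXPORT(CiValidateFileObject);
#undef DOMITO_RESOLVE_CI_EXPORT

return STATUS_SUCCESS;
```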