Added DomitoValidateFileLegacyMode
This commit is contained in:
152
src/Domito.cpp
152
src/Domito.cpp
@ -84,8 +84,8 @@ _Must_inspect_result_
|
||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||
NTSTATUS
|
||||
DomitoFindModuleBaseAddress(
|
||||
_In_ STRING ModuleName,
|
||||
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
|
||||
_In_ STRING ModuleName,
|
||||
_Inout_opt_ PVOID * ModuleBase
|
||||
)
|
||||
{
|
||||
@ -760,3 +760,153 @@ cleanUp:
|
||||
return status;
|
||||
}
|
||||
#pragma code_seg()
|
||||
|
||||
_Success_(return == STATUS_SUCCESS)
|
||||
_Must_inspect_result_
|
||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||
#pragma code_seg("PAGED")
|
||||
NTSTATUS
|
||||
DomitoValidateFileLegacyMode(
|
||||
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
|
||||
_In_ HANDLE FileHandle,
|
||||
_In_ PVOID Hash,
|
||||
_In_ UINT32 HashSize,
|
||||
_In_ ALG_ID HashAlgId,
|
||||
_In_ const IMAGE_DATA_DIRECTORY * SecurityDirectory,
|
||||
_Inout_ MINCRYPT_POLICY_INFO * PolicyInfo,
|
||||
_Out_ LARGE_INTEGER * SigningTime,
|
||||
_Inout_ MINCRYPT_POLICY_INFO * TimeStampPolicyInfo
|
||||
)
|
||||
{
|
||||
PAGED_CODE();
|
||||
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
PVOID certDirectory = nullptr;
|
||||
KAPC_STATE systemContext = {};
|
||||
|
||||
do
|
||||
{
|
||||
SigningTime->QuadPart = 0;
|
||||
|
||||
CiFreePolicyInfo(PolicyInfo);
|
||||
CiFreePolicyInfo(TimeStampPolicyInfo);
|
||||
|
||||
if (HashSize != MINCRYPT_SHA1_LENGTH)
|
||||
{
|
||||
status = STATUS_INVALID_IMAGE_HASH;
|
||||
break;
|
||||
}
|
||||
|
||||
if (SecurityDirectory->Size != 0u &&
|
||||
SecurityDirectory->VirtualAddress != 0u)
|
||||
{
|
||||
certDirectory = Allocator(SecurityDirectory->Size);
|
||||
if (certDirectory == NULL)
|
||||
{
|
||||
status = STATUS_INSUFFICIENT_RESOURCES;
|
||||
break;
|
||||
}
|
||||
|
||||
LARGE_INTEGER offset = {};
|
||||
IO_STATUS_BLOCK ioStatusBlock = {};
|
||||
|
||||
offset.LowPart = SecurityDirectory->VirtualAddress;
|
||||
|
||||
status = ZwReadFile(
|
||||
FileHandle,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
&ioStatusBlock,
|
||||
certDirectory,
|
||||
SecurityDirectory->Size,
|
||||
&offset,
|
||||
NULL
|
||||
);
|
||||
|
||||
if (status == STATUS_PENDING)
|
||||
{
|
||||
ZwWaitForSingleObject(
|
||||
FileHandle,
|
||||
FALSE,
|
||||
NULL
|
||||
);
|
||||
|
||||
MemoryBarrier();
|
||||
status = ioStatusBlock.Status;
|
||||
}
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
|
||||
{
|
||||
status = CiCheckSignedFile(
|
||||
Hash,
|
||||
HashSize,
|
||||
HashAlgId,
|
||||
certDirectory,
|
||||
SecurityDirectory->Size,
|
||||
PolicyInfo,
|
||||
SigningTime,
|
||||
TimeStampPolicyInfo
|
||||
);
|
||||
}
|
||||
KeUnstackDetachProcess(&systemContext);
|
||||
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if (status != STATUS_INVALID_IMAGE_HASH)
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
KeStackAttachProcess(PsInitialSystemProcess, &systemContext);
|
||||
{
|
||||
status = CiVerifyHashInCatalog(
|
||||
Hash,
|
||||
HashSize,
|
||||
HashAlgId,
|
||||
FALSE,
|
||||
0,
|
||||
0x2007F,
|
||||
PolicyInfo,
|
||||
NULL,
|
||||
SigningTime,
|
||||
TimeStampPolicyInfo
|
||||
);
|
||||
|
||||
if (status == STATUS_INVALID_IMAGE_HASH)
|
||||
{
|
||||
status = CiVerifyHashInCatalog(
|
||||
Hash,
|
||||
HashSize,
|
||||
HashAlgId,
|
||||
TRUE,
|
||||
0,
|
||||
0x2007F,
|
||||
PolicyInfo,
|
||||
NULL,
|
||||
SigningTime,
|
||||
TimeStampPolicyInfo
|
||||
);
|
||||
}
|
||||
}
|
||||
KeUnstackDetachProcess(&systemContext);
|
||||
|
||||
} while (FALSE);
|
||||
|
||||
if (certDirectory)
|
||||
{
|
||||
ExFreePool(certDirectory);
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
#pragma code_seg()
|
||||
|
||||
Reference in New Issue
Block a user