nefarius/Domito
1
0
Fork 0
Code Issues 1 Activity

Populated DomitoInit

Browse Source
This commit is contained in:
Benjamin Höglinger-Stelzer
2023-07-02 19:51:44 +02:00
parent 24bec1ffea
commit ccc04f5b93
2 changed files with 76 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
src/Domito.cpp
View File

@ -10,6 +10,61 @@
static QUERY_INFO_PROCESS ZwQueryInformationProcess;
static STRING G_FN_CiFreePolicyInfo = RTL_CONSTANT_STRING("CiFreePolicyInfo");
static STRING G_FN_CiCheckSignedFile = RTL_CONSTANT_STRING("CiCheckSignedFile");
static STRING G_FN_CiVerifyHashInCatalog = RTL_CONSTANT_STRING("CiVerifyHashInCatalog");
static STRING G_FN_CiGetCertPublisherName = RTL_CONSTANT_STRING("CiGetCertPublisherName");
static STRING G_FN_CiSetTrustedOriginClaimId = RTL_CONSTANT_STRING("CiSetTrustedOriginClaimId");
static STRING G_FN_CiValidateFileObject = RTL_CONSTANT_STRING("CiValidateFileObject");
_IRQL_requires_max_(PASSIVE_LEVEL)
void
DomitoInit()
{
const STRING ciModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\system32\\CI.dll");
PVOID driverBaseAddress = NULL, functionAddress = NULL;
if (NT_SUCCESS(DomitoFindModuleBaseAddress(ciModuleName, &driverBaseAddress)))
{
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, G_FN_CiFreePolicyInfo, &functionAddress)))
{
G_CI.CiFreePolicyInfo = (t_CiFreePolicyInfo)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, G_FN_CiCheckSignedFile, &functionAddress)))
{
G_CI.CiCheckSignedFile = (t_CiCheckSignedFile)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, G_FN_CiVerifyHashInCatalog, &functionAddress)))
{
G_CI.CiVerifyHashInCatalog = (t_CiVerifyHashInCatalog)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, G_FN_CiGetCertPublisherName, &functionAddress)))
{
G_CI.CiGetCertPublisherName = (t_CiGetCertPublisherName)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, G_FN_CiSetTrustedOriginClaimId, &functionAddress)))
{
G_CI.CiSetTrustedOriginClaimId = (t_CiSetTrustedOriginClaimId)functionAddress;
}
if (NT_SUCCESS(DomitoFindExportedFunctionAddress(driverBaseAddress, G_FN_CiValidateFileObject, &functionAddress)))
{
G_CI.CiValidateFileObject = (t_CiValidateFileObject)functionAddress;
}
}
}
_IRQL_requires_max_(PASSIVE_LEVEL)
void
DomitoShutdown()
{
}
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_