#pragma once
#include
// NOTE(review): the operand of the #include above was lost when this page was
// extracted (presumably the WDK header that supplies the SAL, NTSTATUS and
// MINCRYPT_* types used below) — restore it from the repository copy.

/*
 * Memory Management
 */

//
// Allocator function the library uses.
//
// ByteSize: number of bytes requested. Returns the new block, which the caller
// owns (__drv_allocatesMem); presumably NULL on failure — confirm against the
// implementation that is installed by default.
//
typedef
_IRQL_requires_same_
_Function_class_(EVT_DOMITO_ALLOCATE_ROUTINE)
__drv_allocatesMem(mem)
PVOID
NTAPI
EVT_DOMITO_ALLOCATE_ROUTINE(
    _In_ SIZE_T ByteSize
    );
typedef EVT_DOMITO_ALLOCATE_ROUTINE* PFN_DOMITO_ALLOCATE_ROUTINE;

//
// Freeing function the library uses.
//
// Memory: a block previously returned by the paired allocate routine
// (__drv_freesMem: ownership ends here).
//
typedef
_IRQL_requires_same_
_Function_class_(EVT_DOMITO_FREE_ROUTINE)
void
NTAPI
EVT_DOMITO_FREE_ROUTINE(
    _In_ __drv_freesMem(mem) PVOID Memory
    );
typedef EVT_DOMITO_FREE_ROUTINE* PFN_DOMITO_FREE_ROUTINE;

//
// Get the original set of Domito memory functions, i.e. the pair the library
// was built with, regardless of any later DomitoSetMemoryFunctions call.
// Either output may be NULL if the caller does not need it.
//
EXTERN_C void DomitoGetOriginalMemoryFunctions(
    _Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
    _Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
    );

//
// Get the current set of Domito memory functions (the pair in effect now).
// Either output may be NULL if the caller does not need it.
//
EXTERN_C void DomitoGetMemoryFunctions(
    _Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
    _Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
    );

//
// Replace Domito's memory allocation functions with a custom set.
//
// Both parameters are optional; what a NULL entry means (keep current? restore
// original?) is not visible here — confirm before relying on it. The
// replacement pair is used for every allocation the library makes, so it must
// be callable at the IRQL of each entry point below; some are annotated up to
// DISPATCH_LEVEL, so if those paths allocate, the routines must not touch
// pageable memory or block.
//
EXTERN_C void DomitoSetMemoryFunctions(
    _In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
    _In_opt_ PFN_DOMITO_FREE_ROUTINE Free
    );

/*
 * Cryptography
 */

//
// This structure encapsulates a signature used in verifying executable files:
// the header of one entry in a PE image's security directory (Authenticode).
//
// dwLength is the size of the whole entry including this header and
// bCertificate is the variable-length payload whose format is given by
// wCertificateType. Because the entry comes from the (untrusted) image, a
// reader must check dwLength against the remaining directory size before
// touching bCertificate.
//
// NOTE(review): WIN_CERTIFICATE is a typedef name, not a macro, so the
// !defined() guard below is always true; a translation unit that includes
// this header together with the SDK header that defines WIN_CERTIFICATE
// will get a redefinition error.
//
#if !defined(WIN_CERTIFICATE)
typedef struct _WIN_CERTIFICATE {
    DWORD dwLength;            // size of this entry, header included
    WORD wRevision;
    WORD wCertificateType;     // one of the WIN_CERT_TYPE_* values below
    BYTE bCertificate[ANYSIZE_ARRAY];  // variable-length payload
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
#endif

//
// UM definitions of WinCrypt.h, replicated so kernel-mode code can use them.
//
#if !defined(WIN_CERT_TYPE_X509)
#define WIN_CERT_TYPE_X509 (0x0001) // The bCertificate member contains an X.509 certificate.
#endif
#if !defined(WIN_CERT_TYPE_PKCS_SIGNED_DATA)
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA (0x0002) // The bCertificate member contains a PKCS SignedData structure.
#endif
#if !defined(WIN_CERT_TYPE_PKCS1_SIGN)
#define WIN_CERT_TYPE_PKCS1_SIGN (0x0009) // The bCertificate member contains PKCS1_MODULE_SIGN fields.
#endif

//
// WinCrypt CALG_ID values for the digest algorithms the library recognises.
//
#if !defined(CALG_SHA1)
#define CALG_SHA1 0x8004u
#endif
#if !defined(CALG_SHA256)
#define CALG_SHA256 0x800cu
#endif
#if !defined(CALG_SHA384)
#define CALG_SHA384 0x800du
#endif
#if !defined(CALG_SHA512)
#define CALG_SHA512 0x800eu
#endif

//
// Converts a WinCrypt CALG_ID to a BCRYPT_ALGORITHM identifier.
//
// Calg: a CALG_* value, typically taken from a signature
// (see DomitoGetPortableExecutableDigestKind).
//
// Returns the matching BCRYPT_*_ALGORITHM string for SHA-1/256/384/512, and
// the sentinel L"Unknown" for anything else. L"Unknown" is not a valid BCrypt
// algorithm identifier, so a caller that passes the result on to BCrypt must
// first check for the sentinel (or for one of the four handled ids) so an
// unsupported digest algorithm fails closed rather than being treated as a
// verification result. SHA-1 is mapped for compatibility with legacy
// signatures; whether a SHA-1-signed image is acceptable is a policy decision
// left to the caller.
//
PCWSTR FORCEINLINE DOMITO_CALG_TO_BCRYPT_ALGORITHM(
    _In_ UINT32 Calg
    )
{
    switch (Calg)
    {
    case CALG_SHA1: return BCRYPT_SHA1_ALGORITHM;
    case CALG_SHA256: return BCRYPT_SHA256_ALGORITHM;
    case CALG_SHA384: return BCRYPT_SHA384_ALGORITHM;
    case CALG_SHA512: return BCRYPT_SHA512_ALGORITHM;
    default: return L"Unknown";  // sentinel, not a BCrypt identifier
    }
}

/*
 * Code Integrity
 *
 * Wrappers over the kernel Code Integrity routines. Parameter names such as
 * Always0, Always2007F and Unkonwn1 indicate that several of these
 * signatures were recovered rather than documented, so treat them as
 * version-sensitive and verify against the target OS build.
 *
 * NOTE(review): only DomitoCiFreePolicyInfo is declared EXTERN_C; the other
 * Ci* prototypes below are not, so a C++ consumer of this header would look
 * for C++-mangled names. Presumably unintended — confirm.
 */

//
// Releases the resources held by a MINCRYPT_POLICY_INFO that one of the Ci*
// routines below filled in. The PVOID return value is not documented here.
//
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C PVOID DomitoCiFreePolicyInfo(
    _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo
    );

//
// Checks an embedded (Authenticode) signature against a pre-computed digest.
//
// Hash/HashSize/HashAlgId: the image digest and the CALG it was computed with.
// SecurityDirectory/SizeOfSecurityDirectory: the raw security directory
//     (WIN_CERTIFICATE entries) taken from the image; untrusted input.
// PolicyInfo/TimeStampPolicyInfo/SigningTime: filled on STATUS_SUCCESS;
//     presumably the policy-info structures must be released with
//     DomitoCiFreePolicyInfo — confirm.
//
// A STATUS_SUCCESS result means the digest is covered by a valid signature;
// whether that signer is one the caller trusts is a separate decision to be
// made from PolicyInfo.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS DomitoCiCheckSignedFile(
    _In_ PVOID Hash,
    _In_ UINT32 HashSize,
    _In_ ALG_ID HashAlgId,
    _In_ PVOID SecurityDirectory,
    _In_ UINT32 SizeOfSecurityDirectory,
    _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
    _Out_ LARGE_INTEGER* SigningTime,
    _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
    );

//
// Looks a digest up in the system's signed catalogs (for files that carry no
// embedded signature).
//
// IsReloadCatalogs: presumably forces the catalog cache to be refreshed
//     before the search — confirm.
// Always0/Always2007F: their names suggest callers must pass 0 and 0x2007F;
//     the meaning of the values is not documented here.
// CatalogName (optional): presumably receives the name of the catalog that
//     contained the hash; ownership of the string is not stated — confirm.
// PolicyInfo/TimeStampPolicyInfo/SigningTime: as for DomitoCiCheckSignedFile.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS DomitoCiVerifyHashInCatalog(
    _In_ PVOID Hash,
    _In_ UINT32 HashSize,
    _In_ ALG_ID HashAlgId,
    _In_ BOOLEAN IsReloadCatalogs,
    _In_ UINT32 Always0,
    _In_ UINT32 Always2007F,
    _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
    _Out_opt_ UNICODE_STRING* CatalogName,
    _Out_ LARGE_INTEGER* SigningTime,
    _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
    );

//
// Allocator callback handed to DomitoCiGetCertPublisherName; same shape as
// EVT_DOMITO_ALLOCATE_ROUTINE.
//
typedef
_IRQL_requires_same_
_Function_class_(MINCRYPT_ALLOCATE_ROUTINE)
__drv_allocatesMem(Mem)
PVOID
NTAPI
MINCRYPT_ALLOCATE_ROUTINE(
    _In_ SIZE_T ByteSize
    );
typedef MINCRYPT_ALLOCATE_ROUTINE* PMINCRYPT_ALLOCATE_ROUTINE;

//
// Extracts the publisher name from a certificate blob.
//
// PublisherName's buffer is obtained through AllocateRoutine, so the caller
// presumably releases it with the free routine paired to that allocator —
// confirm.
//
NTSTATUS DomitoCiGetCertPublisherName(
    _In_ MINCERT_BLOB* Certificate,
    _In_ PMINCRYPT_ALLOCATE_ROUTINE AllocateRoutine,
    _Out_ PUNICODE_STRING PublisherName
    );

//
// Sets the claim id used for trusted-origin checks. The effect of ClaimId is
// not visible in this header — see the implementation.
//
VOID DomitoCiSetTrustedOriginClaimId(
    _In_ UINT32 ClaimId
    );

//
// Validates a file given its FILE_OBJECT rather than a pre-computed digest.
//
// Unkonwn1/Unkonwn2: purpose unknown (the names misspell "Unknown"; a rename
//     is a harmless follow-up since these are prototype parameter names).
// Hash/HashSize/HashAlgId: receive the digest the routine computed; HashSize
//     is in/out, presumably buffer capacity on entry and bytes written on
//     return — confirm.
// PolicyInfo/TimeStampPolicyInfo/SigningTime: as for DomitoCiCheckSignedFile.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSTATUS DomitoCiValidateFileObject(
    _In_ FILE_OBJECT* FileObject,
    _In_opt_ UINT32 Unkonwn1,
    _In_opt_ UINT32 Unkonwn2,
    _Out_ MINCRYPT_POLICY_INFO* PolicyInfo,
    _Out_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo,
    _Out_ LARGE_INTEGER* SigningTime,
    _Out_ UINT8* Hash,
    _Inout_ UINT32* HashSize,
    _Out_ ALG_ID* HashAlgId
    );

/********************************************************************************
 * Library functions                                                            *
 ********************************************************************************/

//
// Finds the base address of a driver module.
//
// ModuleName: ANSI counted string, passed by value.
// ModuleBase: _Inout_opt_ — receives the base on success; the annotation
//     allows the incoming value to be read as well — confirm whether it is
//     used as a hint.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C NTSTATUS DomitoFindModuleBaseAddress(
    _In_ STRING ModuleName,
    _Inout_opt_ PVOID* ModuleBase
    );

//
// Finds the address of an exported function by name.
//
// ModuleBase: a base obtained from DomitoFindModuleBaseAddress.
// FunctionAddress: _Inout_opt_ — receives the address on success (same
//     caveat as ModuleBase above).
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C NTSTATUS DomitoFindExportedFunctionAddress(
    _In_ PVOID ModuleBase,
    _In_ STRING FunctionName,
    _Inout_opt_ PVOID* FunctionAddress
    );

//
// Scans a provided buffer for a memory pattern.
//
// pcPattern/puLen: pattern bytes and their length.
// uWildcard: presumably a byte value that matches anything, so the pattern
//     cannot match that literal byte — confirm.
// pcBase/puSize: the region to scan; the caller's puSize is the only bound on
//     the scan, so it must be the true size of the mapping.
// ppMatch: first match, or NULL when the pattern is not found.
//
// Callable up to DISPATCH_LEVEL, so the region must be resident (non-paged):
// touching pageable memory at that IRQL is a bug check.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(DISPATCH_LEVEL)
EXTERN_C NTSTATUS DomitoMemorySearchPattern(
    _In_ PCUCHAR pcPattern,
    _In_ UCHAR uWildcard,
    _In_ SIZE_T puLen,
    _In_ PVOID pcBase,
    _In_ SIZE_T puSize,
    _Outptr_result_maybenull_ PVOID* ppMatch
    );

//
// Extracts the CALG_ID from a signed PE that was used to
// calculate the message digest when it was signed.
//
// pPeBytes: the image; pImgDataDirectory: its security directory entry.
// There is no image-size parameter, so the routine can only bound its reads
// by pImgDataDirectory->VirtualAddress/Size; the caller must have verified
// that the directory lies within the buffer before calling. The value
// returned when no digest kind can be determined is not documented here —
// presumably 0 — confirm.
//
_IRQL_requires_max_(DISPATCH_LEVEL)
EXTERN_C UINT32 DomitoGetPortableExecutableDigestKind(
    _In_ PUCHAR pPeBytes,
    _In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
    );

//
// Reads from the beginning of a file until the end or the buffer size is reached.
//
// No out-parameter reports the number of bytes actually read, so a caller
// cannot distinguish a short read from a full one (a file shorter than
// BufferSize leaves the tail of Buffer in an unspecified state — confirm
// whether the implementation zero-fills it). A tighter annotation for Buffer
// would be _Out_writes_bytes_(BufferSize).
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C NTSTATUS DomitoReadFile(
    _In_ HANDLE FileHandle,
    _Out_ PVOID Buffer,
    _In_ ULONG BufferSize
    );

//
// Extracts Authenticode signing information and calculates the file digest of a PE file.
//
// pPeBytes/PeSize: the whole image; untrusted input, so every header offset
//     and the security directory must be validated against PeSize.
// pDigestCalgOut: the CALG the signature declares (see
//     DOMITO_CALG_TO_BCRYPT_ALGORITHM for the BCrypt mapping).
// pDigestSizeOut/pDigestOut: the computed digest; ownership of *pDigestOut
//     is not stated here — presumably allocated with the library allocator
//     and released by the caller — confirm.
// pCertOut: the image's WIN_CERTIFICATE entry, or NULL when the image carries
//     no signature; callers must handle the NULL case.
// pSizeOfSecurityDirectory: size of the security directory in bytes.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C NTSTATUS DomitoCalculatePortableExecutableDigest(
    _In_ PUCHAR pPeBytes,
    _In_ ULONG PeSize,
    _Out_ PUINT32 pDigestCalgOut,
    _Out_ PULONG pDigestSizeOut,
    _Out_ PVOID* pDigestOut,
    _Outptr_result_maybenull_ LPWIN_CERTIFICATE* pCertOut,
    _Out_ PULONG pSizeOfSecurityDirectory
    );

//
// Gets the name of the main image of the process identified by PID.
//
// ProcessImageName: _Inout_ pointer to a UNICODE_STRING pointer; who allocates
// and who frees the string is not stated here — confirm before use.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C NTSTATUS DomitoGetProcessImageName(
    _In_ ULONG ProcessId,
    _Inout_ PUNICODE_STRING* ProcessImageName
    );

//
// Verifies a file's signature in "legacy" mode from an open handle, a
// pre-computed digest and the image's security directory entry. What
// "legacy" denotes is not visible here. Unlike DomitoCiCheckSignedFile, the
// two policy-info structures are _Inout_, so callers presumably must
// initialise them before the call — confirm.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C NTSTATUS DomitoValidateFileLegacyMode(
    _In_ HANDLE FileHandle,
    _In_ PVOID Hash,
    _In_ UINT32 HashSize,
    _In_ ALG_ID HashAlgId,
    _In_ const IMAGE_DATA_DIRECTORY* SecurityDirectory,
    _Inout_ MINCRYPT_POLICY_INFO* PolicyInfo,
    _Out_ LARGE_INTEGER* SigningTime,
    _Inout_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
    );