
#pragma once
#include <Domito.MinCrypt.h>
/* ___
* / __|___ _ __ _ __ ___ _ _
* | (__/ _ \ ' \| ' \/ _ \ ' \
* \___\___/_|_|_|_|_|_\___/_||_|
*
*/
//
// Library initialization tasks. Call once in your DriverEntry.
//
// Returns STATUS_SUCCESS on success; any other NTSTATUS means the library is
// not usable (the result is _Must_inspect_result_, so check it). PASSIVE_LEVEL
// only.
//
// NOTE(review): the empty parameter list `()` is an unprototyped declaration
// in C (it means "arguments unspecified", not "no arguments"); `(void)` would
// make the prototype explicit. The same applies to DomitoShutdown below.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoInit();
//
// Counterpart to DomitoInit; presumably releases whatever DomitoInit acquired.
// Call once during driver unload, at PASSIVE_LEVEL.
//
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
void
DomitoShutdown();
/* __ __ __ __ _
* | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
* | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
* |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
* |__/ |___/
*/
//
// Allocator function the library uses.
//
// Receives the requested size in bytes and returns the allocation
// (__drv_allocatesMem(mem) marks the return value as newly owned memory that
// the matching EVT_DOMITO_FREE_ROUTINE releases). Whether NULL is returned on
// failure, and at which IRQL this may be called, is not stated here —
// TODO confirm against the library's internal allocation sites.
//
typedef
_IRQL_requires_same_
_Function_class_(EVT_DOMITO_ALLOCATE_ROUTINE)
__drv_allocatesMem(mem)
PVOID
NTAPI
EVT_DOMITO_ALLOCATE_ROUTINE(
_In_ SIZE_T ByteSize
);
typedef EVT_DOMITO_ALLOCATE_ROUTINE* PFN_DOMITO_ALLOCATE_ROUTINE;
//
// Freeing function the library uses.
//
// Receives a block previously returned by the paired
// EVT_DOMITO_ALLOCATE_ROUTINE (__drv_freesMem(mem)). Allocation and free
// routines must always be swapped as a matching pair.
//
typedef
_IRQL_requires_same_
_Function_class_(EVT_DOMITO_FREE_ROUTINE)
void
NTAPI
EVT_DOMITO_FREE_ROUTINE(
_In_ __drv_freesMem(mem) PVOID Memory
);
typedef EVT_DOMITO_FREE_ROUTINE* PFN_DOMITO_FREE_ROUTINE;
//
// Get the original set of Domito memory functions.
//
// "Original" presumably means the library's built-in defaults, independent
// of any DomitoSetMemoryFunctions call. Both out parameters are optional;
// pass NULL for the one you do not need.
//
EXTERN_C
void
DomitoGetOriginalMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
);
//
// Get the current set of Domito memory functions.
//
// Returns the routines currently in use, i.e. whatever the last
// DomitoSetMemoryFunctions call installed (or the originals if none).
// Both out parameters are optional; pass NULL for the one you do not need.
//
EXTERN_C
void
DomitoGetMemoryFunctions(
_Out_opt_ PFN_DOMITO_ALLOCATE_ROUTINE* Allocator,
_Out_opt_ PFN_DOMITO_FREE_ROUTINE* Free
);
//
// Replace Domito's memory allocation functions with a custom set.
//
// Both parameters are optional; what NULL means for one of them (keep the
// current routine? restore the original?) is not specified here —
// TODO confirm. Always replace allocator and free routine as a matching
// pair, and do not swap them while memory handed out by the previous pair
// (e.g. from DomitoCalculatePortableExecutableDigest) is still outstanding,
// since the library presumably frees through whichever routine is current.
//
EXTERN_C
void
DomitoSetMemoryFunctions(
_In_opt_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_In_opt_ PFN_DOMITO_FREE_ROUTINE Free
);
/* ___ _ _
* / __|_ _ _ _ _ __| |_ ___ __ _ _ _ __ _ _ __| |_ _ _
* | (__| '_| || | '_ \ _/ _ \/ _` | '_/ _` | '_ \ ' \ || |
* \___|_| \_, | .__/\__\___/\__, |_| \__,_| .__/_||_\_, |
* |__/|_| |___/ |_| |__/
*/
//
// This structure encapsulates a signature used in verifying executable files.
// It is the header of an entry in a PE's security (certificate) directory.
//
// NOTE(review): `#if !defined(WIN_CERTIFICATE)` tests for a preprocessor
// macro, but WIN_CERTIFICATE is a typedef name (here and in the SDK's
// wincrypt.h), so this guard never suppresses the definition; including both
// headers in one translation unit would redefine the type. A dedicated
// macro guard would make the intent work.
//
// bCertificate is variable-length (ANYSIZE_ARRAY is the Windows "at least
// one" idiom); the entry's real extent comes from dwLength. Because these
// bytes come from an untrusted file, bounds-check dwLength against the
// containing buffer before trusting it.
//
#if !defined(WIN_CERTIFICATE)
typedef struct _WIN_CERTIFICATE
{
DWORD dwLength;           // total entry length (header + bCertificate), per the Windows definition
WORD wRevision;
WORD wCertificateType;    // one of the WIN_CERT_TYPE_* values below
BYTE bCertificate[ANYSIZE_ARRAY];
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
#endif
//
// UM definitions of WinCrypt.h
//
// Kernel-mode code cannot include the user-mode WinCrypt.h, so the handful of
// certificate-type and ALG_ID constants the library needs are replicated here
// under guards so a translation unit that does have the SDK definitions is
// not affected.
//
#if !defined(WIN_CERT_TYPE_X509)
#define WIN_CERT_TYPE_X509 (0x0001) // The bCertificate member contains an X.509 certificate.
#endif
#if !defined(WIN_CERT_TYPE_PKCS_SIGNED_DATA)
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA (0x0002) // The bCertificate member contains a PKCS SignedData structure.
#endif
#if !defined(WIN_CERT_TYPE_PKCS1_SIGN)
#define WIN_CERT_TYPE_PKCS1_SIGN (0x0009) // The bCertificate member contains PKCS1_MODULE_SIGN fields.
#endif
//
// WinCrypt ALG_ID values for the hash algorithms recognised by
// DOMITO_CALG_TO_BCRYPT_ALGORITHM below.
//
#if !defined(CALG_SHA1)
#define CALG_SHA1 0x8004u
#endif
#if !defined(CALG_SHA256)
#define CALG_SHA256 0x800cu
#endif
#if !defined(CALG_SHA384)
#define CALG_SHA384 0x800du
#endif
#if !defined(CALG_SHA512)
#define CALG_SHA512 0x800eu
#endif
//
// Maps a WinCrypt CALG_ID hash identifier to the matching BCRYPT_*_ALGORITHM
// provider name string.
//
// Only the four SHA-family identifiers defined above are recognised. Any
// other value yields the literal L"Unknown", which is not a BCrypt algorithm
// identifier; callers should treat that result as a failure rather than pass
// it on to BCrypt.
//
PCWSTR
FORCEINLINE
DOMITO_CALG_TO_BCRYPT_ALGORITHM(
_In_ UINT32 Calg
)
{
    // Lookup table instead of a switch: one row per supported digest.
    static const struct
    {
        UINT32 CalgId;
        PCWSTR BCryptName;
    } DigestMap[] = {
        { CALG_SHA1,   BCRYPT_SHA1_ALGORITHM   },
        { CALG_SHA256, BCRYPT_SHA256_ALGORITHM },
        { CALG_SHA384, BCRYPT_SHA384_ALGORITHM },
        { CALG_SHA512, BCRYPT_SHA512_ALGORITHM },
    };

    for (SIZE_T Index = 0; Index < sizeof(DigestMap) / sizeof(DigestMap[0]); ++Index)
    {
        if (DigestMap[Index].CalgId == Calg)
        {
            return DigestMap[Index].BCryptName;
        }
    }

    // Not a digest this library knows how to name.
    return L"Unknown";
}
/* ___ _ ___ _ _ _
* / __|___ __| |___ |_ _|_ _| |_ ___ __ _ _ _(_) |_ _ _
* | (__/ _ \/ _` / -_) | || ' \ _/ -_) _` | '_| | _| || |
* \___\___/\__,_\___| |___|_||_\__\___\__, |_| |_|\__|\_, |
* |___/ |__/
*/
//
// Extracts the CALG_ID from a signed PE that was used to
// calculate the message digest when it was signed.
//
// pPeBytes is the start of the in-memory image file; pImgDataDirectory is
// its security (certificate) data directory entry. Returns a CALG_* value
// usable with DOMITO_CALG_TO_BCRYPT_ALGORITHM; what is returned when no
// digest can be determined is not documented here — TODO confirm (0?).
//
// NOTE(review): there is no size parameter, so this routine cannot
// bounds-check the directory's VirtualAddress/Size against the image on its
// own. The PE bytes are untrusted input; validate the directory against the
// real buffer length before calling (DomitoCalculatePortableExecutableDigest
// takes a PeSize for this reason).
//
_IRQL_requires_max_(DISPATCH_LEVEL)
EXTERN_C
UINT32
DomitoGetPortableExecutableDigestKind(
_In_ PUCHAR pPeBytes,
_In_ PIMAGE_DATA_DIRECTORY pImgDataDirectory
);
//
// Extracts Authenticode signing information and calculates the file digest of a PE file.
//
// pPeBytes/PeSize describe the whole file in memory; PeSize bounds every
// access, so it must be the true buffer length. On STATUS_SUCCESS:
//   pDigestCalgOut          - CALG_* of the digest that was computed.
//   pDigestSizeOut          - size in bytes of *pDigestOut.
//   pDigestOut              - the computed digest; allocated by this call and
//                             released with DomitoFreePortableExecutableDigest.
//   pCertOut                - the WIN_CERTIFICATE entry, or NULL if the file
//                             carries none. Its lifetime is not stated here;
//                             it presumably points into pPeBytes — TODO confirm
//                             before using it after the buffer goes away.
//   pSizeOfSecurityDirectory - size of the security directory.
// On failure the out parameters should not be trusted; the NTSTATUS must be
// inspected.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoCalculatePortableExecutableDigest(
_In_ PUCHAR pPeBytes,
_In_ ULONG PeSize,
_Out_ PUINT32 pDigestCalgOut,
_Out_ PULONG pDigestSizeOut,
_Out_ PVOID* pDigestOut,
_Outptr_result_maybenull_ LPWIN_CERTIFICATE* pCertOut,
_Out_ PULONG pSizeOfSecurityDirectory
);
//
// Frees the memory allocated by DomitoCalculatePortableExecutableDigest.
//
// Pass the value returned through pDigestOut. Callable up to DISPATCH_LEVEL.
// Whether NULL is tolerated is not stated here — TODO confirm.
//
_IRQL_requires_max_(DISPATCH_LEVEL)
EXTERN_C
void
DomitoFreePortableExecutableDigest(
_In_ PVOID pDigestOut
);
//
// Verifies if the Authenticode signature of a given PE file matches the provided (e.g. SHA1) file digest.
//
// Hash/HashSize/HashAlgId are the independently computed file digest and its
// ALG_ID (for instance the output of DomitoCalculatePortableExecutableDigest);
// SecurityDirectory locates the signature in the file behind FileHandle.
// PolicyInfo and TimeStampPolicyInfo are _Inout_, so the caller initialises
// them and receives the verification results (signer chain / timestamp
// policy); SigningTime receives the signing time. How the policy structures
// are to be initialised and released is defined by Domito.MinCrypt.h —
// TODO confirm there.
//
// Returns STATUS_SUCCESS only when the signature validates; the result is
// _Must_inspect_result_ and any other status must be treated as "not
// verified". Which digest algorithms are acceptable (SHA-1 is only an
// example here) is a policy decision that belongs to the caller.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoValidateFileLegacyMode(
_In_ HANDLE FileHandle,
_In_ PVOID Hash,
_In_ UINT32 HashSize,
_In_ ALG_ID HashAlgId,
_In_ const IMAGE_DATA_DIRECTORY* SecurityDirectory,
_Inout_ MINCRYPT_POLICY_INFO* PolicyInfo,
_Out_ LARGE_INTEGER* SigningTime,
_Inout_ MINCRYPT_POLICY_INFO* TimeStampPolicyInfo
);
/* __ __ _
* | \/ (_)___ __
* | |\/| | (_-</ _|_
* |_| |_|_/__/\__(_)
*
*/
//
// Finds the base address of a driver module.
//
// ModuleName is the ANSI module name to look up. On STATUS_SUCCESS
// *ModuleBase receives the image base.
//
// NOTE(review): ModuleBase is annotated _Inout_opt_ although the comment
// describes a pure output; if the function only writes it, _Out_opt_ (or
// _Outptr_opt_) would describe the contract better. Whether the call
// succeeds with ModuleBase == NULL (i.e. as an existence check) is not
// stated here — TODO confirm.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoFindModuleBaseAddress(
_In_ PANSI_STRING ModuleName,
_Inout_opt_ PVOID* ModuleBase
);
//
// Finds the address of an exported function by name.
//
// ModuleBase is the base of a loaded image (for example the value returned
// by DomitoFindModuleBaseAddress); FunctionName is the ANSI export name.
// On STATUS_SUCCESS *FunctionAddress receives the export's address.
// As with DomitoFindModuleBaseAddress, FunctionAddress is annotated
// _Inout_opt_ although it appears to be an output — TODO confirm whether a
// NULL pointer is accepted.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoFindExportedFunctionAddress(
_In_ PVOID ModuleBase,
_In_ PANSI_STRING FunctionName,
_Inout_opt_ PVOID* FunctionAddress
);
//
// Scans a provided buffer for a memory pattern.
//
// pcPattern/puLen is the byte pattern; bytes in the pattern equal to
// uWildcard presumably match any byte (TODO confirm). pcBase/puSize is the
// region to scan. On STATUS_SUCCESS *ppMatch points at the first match, or
// is NULL when nothing was found (_Outptr_result_maybenull_).
//
// The whole region [pcBase, pcBase + puSize) must be readable: the routine
// may be called at DISPATCH_LEVEL, where pageable memory must not be touched,
// so the caller is responsible for passing only valid, non-paged ranges.
//
// NOTE(review): the Hungarian prefixes are inconsistent — puLen/puSize are
// plain SIZE_T values (not pointers), and pcBase is a non-const PVOID.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(DISPATCH_LEVEL)
EXTERN_C
NTSTATUS
DomitoMemorySearchPattern(
_In_ PCUCHAR pcPattern,
_In_ UCHAR uWildcard,
_In_ SIZE_T puLen,
_In_ PVOID pcBase,
_In_ SIZE_T puSize,
_Outptr_result_maybenull_ PVOID* ppMatch
);
//
// Reads from the beginning of a file until the end or the buffer size is reached.
//
// Fills Buffer with at most BufferSize bytes starting at file offset 0.
//
// NOTE(review): there is no bytes-read output, so from this signature alone
// a caller cannot tell a file shorter than BufferSize from a full read, nor
// which part of Buffer is valid. Whether a short file yields a distinct
// status (e.g. STATUS_END_OF_FILE) or STATUS_SUCCESS with untouched trailing
// bytes is not stated — TODO confirm before parsing the buffer.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoReadFile(
_In_ HANDLE FileHandle,
_Out_ PVOID Buffer,
_In_ ULONG BufferSize
);
//
// Gets the name of the main image of the process identified by PID.
//
// On STATUS_SUCCESS *ProcessImageName refers to a UNICODE_STRING holding the
// image name. The parameter is _Inout_ and a pointer-to-pointer, so it is
// unclear here whether the caller supplies the string or the library
// allocates it — and, in the latter case, which routine releases it.
// TODO confirm ownership before relying on it (a leak or mismatched free is
// the likely failure mode).
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoGetProcessImageName(
_In_ ULONG ProcessId,
_Inout_ PUNICODE_STRING* ProcessImageName
);