nefarius/ValidateFileUsingProcessImagePath.c Secret

## ValidateFileUsingProcessImagePath.c
//
// Takes a PFILE_OBJECT and validates/grabs the signing information from it
//
#pragma code_seg("PAGED")
_Success_(return == TRUE)
_IRQL_requires_max_(PASSIVE_LEVEL)
BOOLEAN
ValidateFileUsingFileObject(
    _In_ PFILE_OBJECT FileObject
)
{
    FuncEntry(TRACE_SIGNATURE);

    PAGED_CODE();

    TraceVerbose(TRACE_SIGNATURE,
        "Will verify - %wZ", &FileObject->FileName);

    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN succeeded = FALSE;

    UINT8 hash[MINCRYPT_MAX_HASH_LENGTH] = { 0 };
    UINT32 hashSize = sizeof(hash);
    ALG_ID hashAlgId = 0u;

    LARGE_INTEGER signingTime;
    MINCRYPT_POLICY_INFO policyInfo;
    MINCRYPT_POLICY_INFO timeStampPolicyInfo;

    do
    {
        if (!NT_SUCCESS(status = CiValidateFileObject(
            FileObject,
            0,
            0,
            &policyInfo,
            &timeStampPolicyInfo,
            &signingTime,
            hash,
            &hashSize,
            &hashAlgId
        )))
        {
            TraceError(
                TRACE_SIGNATURE,
                "CiValidateFileObject failed with status %!STATUS!",
                status
            );
            break;
        }

        succeeded = CheckPolicyInfo(&policyInfo);

        CiFreePolicyInfo(&policyInfo);
        CiFreePolicyInfo(&timeStampPolicyInfo);

    } while (FALSE);

    return succeeded;
}
#pragma code_seg()

#pragma code_seg("PAGED")
BOOLEAN
ValidateFileUsingProcessImagePath(
    _In_ PUNICODE_STRING ProcessImageName
)
{
    NTSTATUS status;
    OBJECT_ATTRIBUTES attributes;
    HANDLE hHandle = NULL;
    IO_STATUS_BLOCK IoBlk;
    PFILE_OBJECT fileObject = NULL;
    BOOLEAN result = FALSE;

    PAGED_CODE();

    InitializeObjectAttributes(&attributes, ProcessImageName, OBJ_INHERIT, 0, NULL);

    if (!NT_SUCCESS(status = ZwOpenFile(
        &hHandle,
        SYNCHRONIZE | FILE_READ_DATA,
        &attributes,
        &IoBlk,
        FILE_SHARE_READ,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
    )))
    {
        TraceError(
            TRACE_SIGNATURE,
            "ZwOpenFile failed with status %!STATUS!",
            status
        );
        goto exit;
    }

    if (!NT_SUCCESS(status = ObReferenceObjectByHandle(
        hHandle,
        FILE_READ_DATA,
        *IoFileObjectType,
        KernelMode,
        (PVOID*)&fileObject,
        NULL
    )))
    {
        TraceError(
            TRACE_SIGNATURE,
            "ObReferenceObjectByHandle failed with status %!STATUS!",
            status
        );
        goto exit;
    }

    result = ValidateFileUsingFileObject(fileObject);

exit:
    if (fileObject)
    {
        ObDereferenceObject(fileObject);
    }

    if (hHandle)
    {
        ZwClose(hHandle);
    }

    return result;
}
#pragma code_seg()
	//
	// Takes a PFILE_OBJECT and validates/grabs the signing information from it
	//
	#pragma code_seg("PAGED")
	_Success_(return == TRUE)
	_IRQL_requires_max_(PASSIVE_LEVEL)
	BOOLEAN
	ValidateFileUsingFileObject(
	_In_ PFILE_OBJECT FileObject
	)
	{
	FuncEntry(TRACE_SIGNATURE);

	PAGED_CODE();

	TraceVerbose(TRACE_SIGNATURE,
	"Will verify - %wZ", &FileObject->FileName);

	NTSTATUS status = STATUS_SUCCESS;
	BOOLEAN succeeded = FALSE;

	UINT8 hash[MINCRYPT_MAX_HASH_LENGTH] = { 0 };
	UINT32 hashSize = sizeof(hash);
	ALG_ID hashAlgId = 0u;

	LARGE_INTEGER signingTime;
	MINCRYPT_POLICY_INFO policyInfo;
	MINCRYPT_POLICY_INFO timeStampPolicyInfo;

	do
	{
	if (!NT_SUCCESS(status = CiValidateFileObject(
	FileObject,
	0,
	0,
	&policyInfo,
	&timeStampPolicyInfo,
	&signingTime,
	hash,
	&hashSize,
	&hashAlgId
	)))
	{
	TraceError(
	TRACE_SIGNATURE,
	"CiValidateFileObject failed with status %!STATUS!",
	status
	);
	break;
	}

	succeeded = CheckPolicyInfo(&policyInfo);

	CiFreePolicyInfo(&policyInfo);
	CiFreePolicyInfo(&timeStampPolicyInfo);

	} while (FALSE);

	return succeeded;
	}
	#pragma code_seg()

	#pragma code_seg("PAGED")
	BOOLEAN
	ValidateFileUsingProcessImagePath(
	_In_ PUNICODE_STRING ProcessImageName
	)
	{
	NTSTATUS status;
	OBJECT_ATTRIBUTES attributes;
	HANDLE hHandle = NULL;
	IO_STATUS_BLOCK IoBlk;
	PFILE_OBJECT fileObject = NULL;
	BOOLEAN result = FALSE;

	PAGED_CODE();

	InitializeObjectAttributes(&attributes, ProcessImageName, OBJ_INHERIT, 0, NULL);

	if (!NT_SUCCESS(status = ZwOpenFile(
	&hHandle,
	SYNCHRONIZE \| FILE_READ_DATA,
	&attributes,
	&IoBlk,
	FILE_SHARE_READ,
	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT
	)))
	{
	TraceError(
	TRACE_SIGNATURE,
	"ZwOpenFile failed with status %!STATUS!",
	status
	);
	goto exit;
	}

	if (!NT_SUCCESS(status = ObReferenceObjectByHandle(
	hHandle,
	FILE_READ_DATA,
	*IoFileObjectType,
	KernelMode,
	(PVOID*)&fileObject,
	NULL
	)))
	{
	TraceError(
	TRACE_SIGNATURE,
	"ObReferenceObjectByHandle failed with status %!STATUS!",
	status
	);
	goto exit;
	}

	result = ValidateFileUsingFileObject(fileObject);

	exit:
	if (fileObject)
	{
	ObDereferenceObject(fileObject);
	}

	if (hHandle)
	{
	ZwClose(hHandle);
	}

	return result;
	}
	#pragma code_seg()