ValidateFileUsingProcessImagePath
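//
// Validates the signing information of an already-open file.
//
// Asks CI (code integrity) to validate FileObject and return its policy
// information, then applies CheckPolicyInfo() to the main policy result.
// The file hash, hash size, hash algorithm id and signing time are also
// handed back by CI but are only received here, never used.
//
// FileObject - referenced file object of the file to validate.
//
// Returns TRUE only when CiValidateFileObject succeeds AND CheckPolicyInfo
// accepts the resulting policy info; FALSE on any failure.
//
// NOTE(review): CiValidateFileObject is an undocumented ci.dll export; the
// second and third arguments are passed as 0 here and their meaning is not
// established by this file -- confirm against the CI version being targeted.
// NOTE(review): timeStampPolicyInfo is obtained and freed but never inspected,
// so the timestamp chain plays no part in the accept/reject decision.
//
#pragma code_seg("PAGED")
_Success_(return == TRUE)
_IRQL_requires_max_(PASSIVE_LEVEL)
BOOLEAN
ValidateFileUsingFileObject(
    _In_ PFILE_OBJECT FileObject
)
{
    FuncEntry(TRACE_SIGNATURE);

    PAGED_CODE();

    TraceVerbose(TRACE_SIGNATURE,
        "Will verify - %wZ", &FileObject->FileName);

    BOOLEAN succeeded = FALSE;
    UINT8 hash[MINCRYPT_MAX_HASH_LENGTH] = { 0 };
    UINT32 hashSize = sizeof(hash);
    ALG_ID hashAlgId = 0u;
    LARGE_INTEGER signingTime = { 0 };
    // Zero-initialized so no stack garbage is passed into CI or, later, into
    // CiFreePolicyInfo; CI fills the structures in on success.
    MINCRYPT_POLICY_INFO policyInfo = { 0 };
    MINCRYPT_POLICY_INFO timeStampPolicyInfo = { 0 };

    NTSTATUS status = CiValidateFileObject(
        FileObject,
        0,
        0,
        &policyInfo,
        &timeStampPolicyInfo,
        &signingTime,
        hash,
        &hashSize,
        &hashAlgId
    );

    if (!NT_SUCCESS(status))
    {
        TraceError(
            TRACE_SIGNATURE,
            "CiValidateFileObject failed with status %!STATUS!",
            status
        );
        // Same contract as before: the policy structures are only released
        // on the success path.
        return FALSE;
    }

    succeeded = CheckPolicyInfo(&policyInfo);

    // Release whatever CI allocated inside the two policy structures.
    CiFreePolicyInfo(&policyInfo);
    CiFreePolicyInfo(&timeStampPolicyInfo);

    return succeeded;
}
#pragma code_seg()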
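#pragma code_seg("PAGED")
//
// Opens the file at ProcessImageName and validates its signing information
// via ValidateFileUsingFileObject().
//
// ProcessImageName - NT path of the executable to validate. The open is
//                    restricted to non-directory files.
//
// Returns TRUE if the file could be opened, referenced as a file object and
// passed ValidateFileUsingFileObject(); FALSE otherwise. The handle and the
// object reference taken along the way are always released before returning.
//
// NOTE(review): this checks whatever is on disk at ProcessImageName at the
// time of the call, not the image already mapped into a process. If the file
// was replaced after the process started, the result describes the new file,
// so a TRUE here is not proof about the code that is actually running.
//
_Success_(return == TRUE)
_IRQL_requires_max_(PASSIVE_LEVEL)
BOOLEAN
ValidateFileUsingProcessImagePath(
    _In_ PUNICODE_STRING ProcessImageName
)
{
    NTSTATUS status;
    OBJECT_ATTRIBUTES attributes;
    HANDLE hHandle = NULL;
    IO_STATUS_BLOCK IoBlk;
    PFILE_OBJECT fileObject = NULL;
    BOOLEAN result = FALSE;

    PAGED_CODE();

    // OBJ_KERNEL_HANDLE: the handle is created from kernel mode and must live
    // in the kernel handle table. The original used OBJ_INHERIT, which is
    // meaningless for a driver-owned handle; without OBJ_KERNEL_HANDLE a
    // ZwOpenFile issued while attached to a user process lands in that
    // process's handle table, where user code could close or duplicate it
    // before ObReferenceObjectByHandle() below runs. OBJ_CASE_INSENSITIVE is
    // the usual flag for NT device paths.
    InitializeObjectAttributes(
        &attributes,
        ProcessImageName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
    );

    status = ZwOpenFile(
        &hHandle,
        SYNCHRONIZE | FILE_READ_DATA,
        &attributes,
        &IoBlk,
        FILE_SHARE_READ,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
    );

    if (!NT_SUCCESS(status))
    {
        TraceError(
            TRACE_SIGNATURE,
            "ZwOpenFile failed with status %!STATUS!",
            status
        );
        goto exit;
    }

    // Turn the handle into a referenced FILE_OBJECT for CI. KernelMode is
    // appropriate only because this driver created the handle itself; it must
    // never be used for a handle received from user mode.
    status = ObReferenceObjectByHandle(
        hHandle,
        FILE_READ_DATA,
        *IoFileObjectType,
        KernelMode,
        (PVOID*)&fileObject,
        NULL
    );

    if (!NT_SUCCESS(status))
    {
        TraceError(
            TRACE_SIGNATURE,
            "ObReferenceObjectByHandle failed with status %!STATUS!",
            status
        );
        goto exit;
    }

    result = ValidateFileUsingFileObject(fileObject);

exit:
    // Release in reverse order of acquisition; both checks handle the
    // early-exit paths where one or both were never taken.
    if (fileObject)
    {
        ObDereferenceObject(fileObject);
    }

    if (hHandle)
    {
        ZwClose(hHandle);
    }

    return result;
}
#pragma code_seg()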