add an extra check for release .sig files
cheat-engine committed Sep 2, 2020
1 parent 366668e commit b10754d
Showing 3 changed files with 70 additions and 5 deletions.
71 changes: 68 additions & 3 deletions DBKKernel/sigcheck.c
Expand Up @@ -7,13 +7,18 @@ This is only in case of a signed release build
#include <windef.h>
#include <bcrypt.h>
#include <Ntstrsafe.h>
#include <ntimage.h>


#include "sigcheck.h"


unsigned char publicKey[]={0x45, 0x43, 0x53, 0x35, 0x42, 0x00, 0x00, 0x00, 0x00, 0x3A, 0xBA, 0x72, 0xCF, 0xA7, 0x79, 0xFA, 0x92, 0x96, 0x15, 0x8E, 0x69, 0x35, 0x19, 0x09, 0x99, 0x3C, 0x97, 0xE8, 0x18, 0x0B, 0xC6, 0x2C, 0x8B, 0x24, 0x5A, 0xD8, 0x1C, 0x86, 0x83, 0x89, 0xE7, 0xA4, 0xA9, 0x47, 0x11, 0x7E, 0x07, 0x74, 0x69, 0x74, 0x33, 0x0B, 0x1A, 0xB8, 0x63, 0x11, 0x51, 0xEA, 0x00, 0xD6, 0x26, 0xE7, 0x7C, 0x6D, 0x77, 0xA5, 0x0E, 0x9F, 0x37, 0x87, 0x7B, 0x79, 0x2F, 0xEE, 0x00, 0x65, 0x7A, 0xBF, 0x44, 0x79, 0xD1, 0x7E, 0x47, 0xBC, 0xF9, 0x6F, 0x31, 0x81, 0x85, 0x70, 0x78, 0x5D, 0xED, 0xA5, 0xC6, 0x15, 0x0F, 0x2C, 0x0A, 0x27, 0x3B, 0x3E, 0x36, 0xEB, 0x53, 0x3E, 0x3E, 0x75, 0xC1, 0xA3, 0x0A, 0xC0, 0xC1, 0x53, 0x3A, 0x77, 0xFB, 0x84, 0x88, 0x35, 0xE8, 0x86, 0xF0, 0xA2, 0x52, 0x86, 0x5D, 0x12, 0x2D, 0x03, 0x88, 0x00, 0x36, 0x2B, 0x8D, 0x21, 0x13, 0x99, 0x7F, 0x62};

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL);
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationThread(IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL);


NTSTATUS LoadFile(PUNICODE_STRING filename, PVOID *buffer, DWORD *size)
/*
Loads the specified file into paged memory
Expand Down Expand Up @@ -182,7 +187,57 @@ Calculates a hash from the buffer and then checks the signature
return s;
}

NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
NTSTATUS TestProcess(PIMAGE_DOS_HEADER buf, DWORD size)
{
UINT_PTR maxAddress = (UINT_PTR)buf + size;
if (buf->e_magic != IMAGE_DOS_SIGNATURE)
return STATUS_UNSUCCESSFUL;

if ((DWORD)buf->e_lfanew >= size)
return STATUS_UNSUCCESSFUL;

PIMAGE_NT_HEADERS nth = (PIMAGE_NT_HEADERS)((UINT_PTR)buf + buf->e_lfanew);
if (nth->Signature != IMAGE_NT_SIGNATURE)
return STATUS_UNSUCCESSFUL;

PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(nth);
if ((UINT_PTR)sections >= maxAddress)
return STATUS_UNSUCCESSFUL;

int i;
for (i = 0; i < nth->FileHeader.NumberOfSections; i++)
{
if (strcmp((char *)sections[i].Name, ".text") == 0)
{
if (((UINT_PTR)buf + sections[i].PointerToRawData + sections[i].SizeOfRawData) >= maxAddress)
return STATUS_UNSUCCESSFUL;

//BSOD on purpose if this isn't a match
if (RtlCompareMemory((void*)(0x00400000 + sections[i].VirtualAddress), (void*)((UINT_PTR)buf + sections[i].PointerToRawData), sections[i].SizeOfRawData) == sections[i].SizeOfRawData)
{
//seems ok. Confirm the caller is from this .text section

UINT_PTR startaddress;
DWORD length;
if (ZwQueryInformationThread(ZwCurrentThread(), (THREADINFOCLASS)ThreadQuerySetWin32StartAddress, &startaddress, sizeof(startaddress), &length) == STATUS_SUCCESS)
{
if ((startaddress >= (0x00400000 + sections[i].VirtualAddress)) && (startaddress < (0x00400000 + sections[i].VirtualAddress + sections[i].SizeOfRawData)))
return STATUS_SUCCESS;
else
return STATUS_UNSUCCESSFUL;
}
else
return STATUS_UNSUCCESSFUL;
}
else
return STATUS_UNSUCCESSFUL;
}
}

return STATUS_UNSUCCESSFUL;
}

NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath, BOOL isProcess)
{
NTSTATUS s=STATUS_UNSUCCESSFUL;
PVOID file=NULL;
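Review bot: The new TestProcess reads PE fields out of the file buffer before bounding them: `e_lfanew` is only checked as a start offset against `size`, so `nth->Signature` and `nth->FileHeader` can be read past the end of the pool buffer, the loop reads `sections[i]` without checking that all `NumberOfSections` headers lie below `maxAddress`, and `strcmp` on the 8-byte `Name` field runs off its end when a section name uses all 8 bytes (`strncmp` with `IMAGE_SIZEOF_SHORT_NAME` avoids that). The `PointerToRawData + SizeOfRawData` sum is formed in UINT_PTR and can wrap on a 32-bit build, so it is safer written as subtractions against `size`. The image base is hard-coded as `0x00400000`; if the process image was relocated, the `RtlCompareMemory` touches unrelated or unmapped user memory and, per the comment, bugchecks, so taking the base from `nth->OptionalHeader.ImageBase` or the live process would be more robust, and the intentional bugcheck also means any in-memory modification of `.text` (security products commonly hook there) takes the whole machine down instead of just failing the check. The hardened header and section checks are below; the memory comparison and the thread start-address check stay as in the hunk.
```c
NTSTATUS TestProcess(PIMAGE_DOS_HEADER buf, DWORD size)
{
	UINT_PTR maxAddress = (UINT_PTR)buf + size;

	// the DOS header itself must fit before any of its fields is read
	if (size < sizeof(IMAGE_DOS_HEADER) || buf->e_magic != IMAGE_DOS_SIGNATURE)
		return STATUS_UNSUCCESSFUL;

	// e_lfanew is a LONG: reject negatives and require the whole NT header to lie inside the buffer
	if (buf->e_lfanew < 0 || (DWORD)buf->e_lfanew > size ||
	    size - (DWORD)buf->e_lfanew < sizeof(IMAGE_NT_HEADERS))
		return STATUS_UNSUCCESSFUL;

	PIMAGE_NT_HEADERS nth = (PIMAGE_NT_HEADERS)((UINT_PTR)buf + buf->e_lfanew);
	if (nth->Signature != IMAGE_NT_SIGNATURE)
		return STATUS_UNSUCCESSFUL;

	PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(nth);
	// every section header must fit in the buffer, not just the first one
	if ((UINT_PTR)sections >= maxAddress ||
	    (maxAddress - (UINT_PTR)sections) / sizeof(IMAGE_SECTION_HEADER) < nth->FileHeader.NumberOfSections)
		return STATUS_UNSUCCESSFUL;

	int i;
	for (i = 0; i < nth->FileHeader.NumberOfSections; i++)
	{
		// Name is not NUL-terminated when all 8 bytes are used
		if (strncmp((char *)sections[i].Name, ".text", IMAGE_SIZEOF_SHORT_NAME) == 0)
		{
			// overflow-free form of "the raw section must end inside the file"
			if (sections[i].PointerToRawData > size ||
			    sections[i].SizeOfRawData > size - sections[i].PointerToRawData)
				return STATUS_UNSUCCESSFUL;

			// … unchanged: RtlCompareMemory against the mapped .text and the ZwQueryInformationThread start-address check …
```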
Expand All @@ -195,6 +250,10 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
UNICODE_STRING p;
PUNICODE_STRING path=&p;

DbgPrint("CheckSignatureOfFile: ");



p.Buffer=MyBuffer;
p.Length=0;
p.MaximumLength=MAX_PATH*2;
Expand All @@ -210,6 +269,7 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
s=LoadFile(path, &file, &filesize);
if (s==STATUS_SUCCESS)
{

s=RtlAppendUnicodeToString(path, L".sig");
if (s==STATUS_SUCCESS)
{
Expand All @@ -219,6 +279,9 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
{
s=CheckSignature(file,filesize,sig,sigsize);
ExFreePool(sig);

if ((s == STATUS_SUCCESS) && isProcess) //one extra check to see if it's actually CE and not just something renamed afterwards
s=TestProcess((PIMAGE_DOS_HEADER)file, filesize);
}
else
DbgPrint("Failure loading %S\n", path->Buffer);
Expand All @@ -234,7 +297,7 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
return s;
}

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(IN HANDLE ProcessHandle,IN PROCESSINFOCLASS ProcessInformationClass,OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL);


NTSTATUS SecurityCheck(void)
/*
Expand All @@ -249,11 +312,13 @@ Checks the current process for a valid signature

if (KeGetCurrentIrql() != PASSIVE_LEVEL)
return STATUS_UNSUCCESSFUL;



if (ZwQueryInformationProcess(ZwCurrentProcess(), ProcessImageFileName, buffer, MAX_PATH*2, &length)==STATUS_SUCCESS)
{
path->MaximumLength=MAX_PATH*2;
s=CheckSignatureOfFile(path);
s=CheckSignatureOfFile(path,1);
//DbgPrint("returning %x\n", s);
return s;
}
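--- a/DBKKernel/sigcheck.h
+++ b/DBKKernel/sigcheck.h
@@ -2,7 +2,7 @@
 #define SIGCHECK_H
 
 NTSTATUS SecurityCheck(void);
-NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath);
+NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath, BOOL isProcess);
 NTSTATUS CheckSignature(PVOID buffer, DWORD buffersize, PVOID sig, DWORD sigsize);
 
 #endif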
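--- a/DBKKernel/vmxoffload.c
+++ b/DBKKernel/vmxoffload.c
@@ -266,7 +266,7 @@ Runs at passive mode
 
 #ifdef TOBESIGNED
 if (OpenedFile==STATUS_SUCCESS)
-OpenedFile=CheckSignatureOfFile(&filename);
+OpenedFile=CheckSignatureOfFile(&filename, FALSE);
 #endif
 
 if (OpenedFile == STATUS_SUCCESS)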
