首页 > 系统相关 >Windows驱动中使用数字签名验证控制设备访问权限

Windows驱动中使用数字签名验证控制设备访问权限

时间:2023-12-04 09:12:44浏览次数:49  
标签:struct certificate 数字签名 Windows int ntStatus 权限 digest pIrp

1. 背景

  在一般的驱动开发时,创建了符号链接后在应用层就可以访问打开我们的设备并进行通讯。

  但我们有时候不希望非自己的进程访问我们的设备并进行交互,虽然可以使用 IoCreateDeviceSecure 来创建有安全描述符的设备,但大数的用户账户为了方便都是管理员,因此该方法不太完整。

 

2. 一般方法

  一般情况下进行限制的方法是允许打开设备,但在打开设备后做一些校验,如果不通过,之后的其它请求都拒绝。

  例如 Dell 在一个漏洞驱动 pcdsrvc_x64.pkms 中处理如下(IDA逆向代码):

__int64 __fastcall DeviceIoControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
        _IO_STACK_LOCATION* pIosp; // r9
        unsigned int nBytesReturn; // edx
        ULONG nIoControlCode; // ecx
        unsigned int ntStatus; // ebx
        DWORD* dwInitailizeCode; // rax
 
        pIosp = pIrp->Tail.Overlay.CurrentStackLocation;
        nBytesReturn = 0;
        nIoControlCode = pIosp->Parameters.DeviceIoControl.IoControlCode;
        if (nIoControlCode != 0x222004 && !bInitialized)
        {
                ntStatus = 0xC0000022;
                pIrp->IoStatus.Information = 0i64;
        LABEL_18:
                LOBYTE(nBytesReturn) = 0;
                goto LABEL_36;
        }
        if (nIoControlCode - 0x222000 <= 0x7C)
        {
                ntStatus = 0;
                if (nIoControlCode == 0x222000)
                {
                        if (pIosp->Parameters.DeviceIoControl.OutputBufferLength >= 4)
                        {
                                *(_DWORD*)pIrp->AssociatedIrp.SystemBuffer = 0x6020300;
                        LABEL_16:
                                nBytesReturn = 4;
                                goto LABEL_17;
                        }
                }
                else
                {
                        if (nIoControlCode != 0x222004)
                        {
                                ntStatus = 0xC0000010;
                        LABEL_17:
                                pIrp->IoStatus.Information = nBytesReturn;
                                goto LABEL_18;
                        }
                        if (pIosp->Parameters.DeviceIoControl.InputBufferLength >= 4
                                && pIosp->Parameters.DeviceIoControl.OutputBufferLength >= 4)// 初始化驱动
                        {
                                dwInitailizeCode = (DWORD*)pIrp->AssociatedIrp.SystemBuffer;
                                if (*dwInitailizeCode == 0xA1B2C3D4)
                                {
                                        bInitialized = 1;
                                        *dwInitailizeCode = 0;
                                }
                                else
                                {
                                        *dwInitailizeCode = 1;
                                }
                                goto LABEL_16;
                        }
                }
                ntStatus = 0xC000000D;
                goto LABEL_17;
        }
    ......
}

  按照原逻辑是在打开使用后发送一个 0x222004 的请求码,并传入 0xA1B2C3D4,至此以后就相当于初始化了,之后的请求都可以正常进行;如果没有这个初始化的请求,之后的请求都是拒绝的。

  虽然这个方法可行,但稍微懂点逆向的相当于可以看到源代码逻辑,这样只要稍作处理这个方法就失效了。

 

3. 使用验证数字签名

  使用该方法可以在设备打开的逻辑中验证操作进程的数字签名,如果为允许的签名就返回成功,打开设备也就成功;否则返回失败也就打开失败。

  驱动中验证PE的数字签名见《Windows驱动中校验数字签名(使用 ci.dll)》。里边有两种方法,一种是 CiValidateFileObject,另一种是 CiCheckSignedFile。

  其中 CiCheckSignedFile 更为严格,需要指定签名算法和摘要,此摘要是 PE 文件签名后的摘要,因此随时 PE 文件的不同摘要也不同,这里并不太方便。

  因此本文用的是 CiValidateFileObject,首先它可以验证签名是否有效,即签名后文件进行了篡改后验证是不通过的;假的数字签名证书也不能通过验证。再者它可以返回证书链以及每个证书的摘要,我们可在在这里判断证书的摘要,如果是我们指定的证书则通过验证,即使是用的同一证书签名不同的文件,也可以一次代码,多次使用。

 

4. 代码

4.1 驱动代码:

4.1.1 ci.h

#pragma once

#include <wdm.h>
#include <minwindef.h>

#if DBG
#define KDPRINT(projectName, format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,\
																						  projectName "::【" __FUNCTION__  "】" ##format, \
																						  ##__VA_ARGS__ ) 
#else
#define KDPRINT(format, ...)
#endif

/**
*  This struct was copied from <wintrust.h> and encapsulates a signature used in verifying executable files.
*/
typedef struct _WIN_CERTIFICATE {
    DWORD dwLength;                         // Specifies the length, in bytes, of the signature
    WORD  wRevision;                        // Specifies the certificate revision
    WORD  wCertificateType;                 // Specifies the type of certificate
    BYTE  bCertificate[ANYSIZE_ARRAY];      // An array of certificates
} WIN_CERTIFICATE, * LPWIN_CERTIFICATE;


/**
*  Describes the location (address) and size of a ASN.1 blob within a buffer.
*
*  @note  The data itself is not contained in the struct.
*/
typedef struct _Asn1BlobPtr
{
    int size;               // size of the ASN.1 blob
    PVOID ptrToData;        // where the ASN.1 blob starts
} Asn1BlobPtr, * pAsn1BlobPtr;


/**
*  Describes the location (address) and size of a certificate subject/issuer name, within a buffer.
*
*  @note  The data itself (name) is not contained in the struct.
*
*  @note  the reason for separating these fields into their own struct was to match the padding we
*         observed in CertChainMember struct after the second 'short' field - once you enclose it 
*         into a struct, on x64 bit machines there will be a padding of 4 bytes at the end of the struct,
*         because the largest member of the struct is of size 8 and it dictates the alignment of the struct.
*/
typedef struct _CertificatePartyName
{
    PVOID pointerToName;
    short nameLen;
    short unknown;
} CertificatePartyName, * pCertificatePartyName;


/**
*  Contains various data about a specific certificate in the chain and also points to the actual certificate.
*
*  @note  the digest described in this struct is the digest that was used to create the certificate - not for
*         signing the file.
*
*  @note  The size reserved for digest is 64 byte regardless of the digest type, in order to accomodate SHA2/3's
*         max size of 512bit. The memory is not zeroed, so we must take the actual digestSize into account when
*         reading it.
*/
typedef struct _CertChainMember
{
    int digestIdetifier;                // e.g. 0x800c for SHA256
    int digestSize;                     // e.g. 0x20 for SHA256
    BYTE digestBuffer[64];              // contains the digest itself, where the digest size is dictated by digestSize

    CertificatePartyName subjectName;   // pointer to the subject name
    CertificatePartyName issuerName;    // pointer to the issuer name

    Asn1BlobPtr certificate;            // ptr to actual cert in ASN.1 - including the public key
} CertChainMember, * pCertChainMember;


/**
*  Describes the format of certChainInfo buffer member of PolicyInfo struct. This header maps the types,
*  locations, and quantities of the data which is contained in the buffer.
*
*  @note  when using this struct make sure to check its size first (bufferSize) because it's not guaranteed
*         that all the fields below will exist.
*/
typedef struct _CertChainInfoHeader
{
    // The size of the dynamically allocated buffer
    int bufferSize;

    // points to the start of a series of Asn1Blobs which contain the public keys of the certificates in the chain
    pAsn1BlobPtr ptrToPublicKeys;
    int numberOfPublicKeys;
    
    // points to the start of a series of Asn1Blobs which contain the EKUs
    pAsn1BlobPtr ptrToEkus;
    int numberOfEkus;

    // points to the start of a series of CertChainMembers
    pCertChainMember ptrToCertChainMembers;
    int numberOfCertChainMembers;

    int unknown;

    // ASN.1 blob of authenticated attributes - spcSpOpusInfo, contentType, etc.
    Asn1BlobPtr variousAuthenticodeAttributes;
} CertChainInfoHeader, * pCertChainInfoHeader;


/**
*  Contains information regarding the certificates that were used for signing/timestamping
*
*  @note  you must check structSize before accessing the other members, since some members were added later.
*
*  @note  all structs members, including the length, are populated by ci functions - no need
*         to fill them in adavnce.
*/
typedef struct _PolicyInfo
{
    int structSize;
    NTSTATUS verificationStatus;
    int flags;
    pCertChainInfoHeader certChainInfo; // if not null - contains info about certificate chain
    FILETIME revocationTime;            // when was the certificate revoked (if applicable)
    FILETIME notBeforeTime;             // the certificate is not valid before this time
    FILETIME notAfterTime;              // the certificate is not valid before this time
} PolicyInfo, *pPolicyInfo;


/**
*  Given a file digest and signature of a file, verify the signature and provide information regarding
*  the certificates that was used for signing (the entire certificate chain)
*
*  @note  the function allocates a buffer from the paged pool --> can be used only where IRQL < DISPATCH_LEVEL
*
*  @param  digestBuffer - buffer containing the digest
*
*  @param  digestSize - size of the digest, e.g. 0x20 for SHA256, 0x14 for SHA1
*
*  @param  digestIdentifier - digest algorithm identifier, e.g. 0x800c for SHA256, 0x8004 for SHA1
*
*  @param  winCert - pointer to the start of the security directory
*
*  @param  sizeOfSecurityDirectory - size the security directory
*
*  @param  policyInfoForSigner[out] - PolicyInfo containing information about the signer certificate chain
*
*  @param  signingTime[out] - when the file was signed (FILETIME format)
*
*  @param  policyInfoForTimestampingAuthority[out] - PolicyInfo containing information about the timestamping 
*          authority (TSA) certificate chain
*
*  @return  0 if the file digest in the signature matches the given digest and the signer cetificate is verified.
*           Various error values otherwise, for example:
*           STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
*           STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
*           STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
extern "C" __declspec(dllimport) NTSTATUS _stdcall CiCheckSignedFile(
    const PVOID digestBuffer,
    int digestSize,
    int digestIdentifier,
    const LPWIN_CERTIFICATE winCert,
    int sizeOfSecurityDirectory,
    PolicyInfo* policyInfoForSigner,
    LARGE_INTEGER* signingTime,
    PolicyInfo* policyInfoForTimestampingAuthority);


/**
*  Resets a PolicyInfo struct - frees the dynamically allocated buffer in PolicyInfo (certChainInfo) if not null.
*  Zeros the entire PolicyInfo struct.
*
*  @param  policyInfo - the struct to reset.
*
*  @return  the struct which was reset.
*/
extern "C" __declspec(dllimport) PVOID _stdcall CiFreePolicyInfo(PolicyInfo* policyInfo);


/**
*  Given a file object, verify the signature and provide information regarding
*  the certificates that was used for signing (the entire certificate chain)
*
*  @note  the function allocates memory from the paged pool --> can be used only where IRQL < DISPATCH_LEVEL
*
*  @param  fileObject[in] - fileObject of the PE in question
*
*  @param  a2[in] - unknown, needs to be reversed. 0 is a valid value.
*
*  @param  a3[in] - unknown, needs to be reversed. 0 is a valid value.
*
*  @param  policyInfoForSigner[out] - PolicyInfo containing information about the signer certificate chain
*
*  @param  signingTime[out] - when the file was signed
*
*  @param  policyInfoForTimestampingAuthority[out] - PolicyInfo containing information about the timestamping
*          authority (TSA) certificate chain
*
*  @param  digestBuffer[out] - buffer to be filled with the digest, must be at least 64 bytes
*
*  @param  digestSize[inout] - size of the digest. Must be at leat 64 and will be changed by the function to 
*                              reflect the actual digest length.
*
*  @param  digestIdentifier[out] - digest algorithm identifier, e.g. 0x800c for SHA256, 0x8004 for SHA1
*
*  @return  0 if the file digest in the signature matches the given digest and the signer cetificate is verified.
*           Various error values otherwise, for example:
*           STATUS_INVALID_IMAGE_HASH - the digest does not match the digest in the signature
*           STATUS_IMAGE_CERT_REVOKED - the certificate used for signing the file is revoked
*           STATUS_IMAGE_CERT_EXPIRED - the certificate used for signing the file has expired
*/
extern "C" __declspec(dllimport) NTSTATUS _stdcall CiValidateFileObject(
    struct _FILE_OBJECT* fileObject,
    int a2,
    int a3,
    PolicyInfo* policyInfoForSigner,
    PolicyInfo* policyInfoForTimestampingAuthority,
    LARGE_INTEGER* signingTime,
    BYTE* digestBuffer,
    int* digestSize,
    int* digestIdentifier
);

4.1.2 SignatureCheck.h

#pragma once

#include <wdm.h>
#include <minwindef.h>

#define SHA1_IDENTIFIER 0x8004
#define SHA1_DEGIST_LENGTH  20
#define SHA256_IDENTIFIER 0x800C
#define SHA256_DEGIST_LENGTH  32
#define IMAGE_DIRECTORY_ENTRY_SECURITY  4
#define PRINT_DIGEST true

BOOLEAN ValidateFileUsingCiValidateFileObject(PFILE_OBJECT fileObject, const BYTE crtDigest[], UINT nLength);

4.1.3 SignatureCheck.cpp

#include "SignatureCheck.h"
#include "ci.h"



UCHAR HexToChar(UCHAR temp)
{
        UCHAR dst;
        if (temp == ' ')
        {
                // do nothing 
                dst = temp;
        }
        else if (temp < 10) {
                dst = temp + '0';
        }
        else {
                dst = temp - 10 + 'A';
        }
        return dst;
}


BOOLEAN ValidateFileUsingCiValidateFileObject(PFILE_OBJECT fileObject , const BYTE crtDigest[], UINT nLength)
{

        KDPRINT("【IrpCertCheck】", "Validating file using CiValidateFileObject...\n");
        NT_ASSERT(KeGetCurrentIrql() < DISPATCH_LEVEL);

        PolicyInfo signerPolicyInfo = {0};
        PolicyInfo timestampingAuthorityPolicyInfo = {0};
        LARGE_INTEGER signingTime = {0};
        int digestSize = 64;  //大小必须为64,否则返回缓冲区大小太小
        int digestIdentifier = 0;
        BYTE digestBuffer[64] = {0}; //大小必须为64,否则返回缓冲区大小太小
        BOOLEAN bValidate = false;
        const NTSTATUS status = CiValidateFileObject(
                fileObject,
                0,
                0,
                &signerPolicyInfo,
                &timestampingAuthorityPolicyInfo,
                &signingTime,
                digestBuffer,
                &digestSize,
                &digestIdentifier
        );
       
        KDPRINT("【IrpCertCheck】", "CiValidateFileObject returned 0x%08X\n", status);
        if (NT_SUCCESS(status))
        {
#if PRINT_DIGEST 
                CHAR digestTempBuffer[98] = { 0 };
                for (int i = 0; i < 32; i++)
                {
                        digestTempBuffer[3 * i] = signerPolicyInfo.certChainInfo->ptrToCertChainMembers->digestBuffer[i] >> 4;
                        digestTempBuffer[3 * i + 1] = signerPolicyInfo.certChainInfo->ptrToCertChainMembers->digestBuffer[i] & 0xf;
                        digestTempBuffer[3 * i + 2] = ' ';
                }
                for (int i = 0; i < 96; i++)
                {
                        digestTempBuffer[i] = HexToChar(digestTempBuffer[i]);
                }
                KDPRINT("【IrpCertCheck】", "Signer certificate:\n digest algorithm - 0x%x\n digest size - %d\r\n digest - %s\n",
                        digestIdentifier, digestSize, digestTempBuffer);
#endif
                if (RtlCompareMemory(signerPolicyInfo.certChainInfo->ptrToCertChainMembers->digestBuffer, crtDigest, nLength) == nLength)
                {
                        bValidate =  true;
                }
        }
        CiFreePolicyInfo(&signerPolicyInfo);
        CiFreePolicyInfo(&timestampingAuthorityPolicyInfo);
        return bValidate;
}

4.1.4 main.cpp

#include <ntddk.h> // PsSetCreateProcessNotifyRoutineEx
#include <wdm.h>
#include <wdmsec.h>

#include "SignatureCheck.h"
#include "ci.h"
#pragma comment(lib, "Wdmsec.lib")

#define IRP_CERT_CHECK_DEVICE_NAME      (L"\\Device\\IrpCertCheck")
#define IRP_CERT_CHECK_DEVICE_SYMBOLIC_NAME      (L"\\??\\IrpCertCheck")
#define CTL_CODE_TEST  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1000, METHOD_BUFFERED, FILE_ANY_ACCESS)

EXTERN_C
NTKERNELAPI
NTSTATUS
PsReferenceProcessFilePointer(
        IN PEPROCESS Process,
        OUT PVOID* pFilePointer
);
EXTERN_C
NTKERNELAPI
NTSTATUS
IoQueryFileDosDeviceName(
        _In_  PFILE_OBJECT FileObject,
        _Out_ POBJECT_NAME_INFORMATION* ObjectNameInformation
);
DRIVER_UNLOAD Unload;
PDEVICE_OBJECT g_pDeviceObject = NULL;

const static BYTE Cert256Digest[SHA256_DEGIST_LENGTH] = {
        0xD6, 0x43, 0x45, 0x88, 0x65, 0x45, 0x27, 0x40, 0x44, 0xDD,
        0x87, 0xD8, 0xCF, 0x67, 0x4B, 0x34, 0x78, 0x42, 0xE5, 0xA3,
        0x70, 0x35, 0x05, 0xB8, 0x90, 0x15, 0xD4, 0xA4, 0xB7, 0x7F,
        0xBA, 0x31 };

NTSTATUS
DeviceIoControl(
        IN PDEVICE_OBJECT pDeviceObject,
        IN PIRP pIrp
)
{
        UNREFERENCED_PARAMETER(pDeviceObject);
        NTSTATUS ntStatus = STATUS_INVALID_PARAMETER;
        PIO_STACK_LOCATION pIosp = IoGetCurrentIrpStackLocation(pIrp);
        if (pIosp->Parameters.DeviceIoControl.IoControlCode == CTL_CODE_TEST)
        {
                KDPRINT("【IrpCertCheck】", "This Is Test Control Code\n");
                ntStatus = STATUS_SUCCESS;
        }
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = ntStatus;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return ntStatus;
}


NTSTATUS CommonDispatchRoutine(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
        UNREFERENCED_PARAMETER(pDeviceObject);
        NTSTATUS ntStatus = STATUS_NOT_IMPLEMENTED;
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = ntStatus;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return ntStatus;
}

NTSTATUS
Create(
        IN PDEVICE_OBJECT pDeviceObject,
        IN PIRP pIrp
)
{
        UNREFERENCED_PARAMETER(pDeviceObject);
        BOOLEAN bAllow = false;
        NTSTATUS ntStatus = STATUS_ACCESS_DENIED;
        PEPROCESS pCurrentProcess = PsGetCurrentProcess();
        PFILE_OBJECT pFileObject = NULL;
        ntStatus = PsReferenceProcessFilePointer(pCurrentProcess, (PVOID*)&pFileObject);
        if (NT_SUCCESS(ntStatus))
        {
                POBJECT_NAME_INFORMATION name =NULL;
                ntStatus = IoQueryFileDosDeviceName(pFileObject, &name);
                if (NT_SUCCESS(ntStatus))
                {
                        KDPRINT("【IrpCertCheck】", "Operation Process Name:%wZ\n", &name->Name);
                        HANDLE hFile = NULL;
                        WCHAR szBuffer[MAX_PATH] = { 0 };
                        UNICODE_STRING usFileDosPath = { 0 };
                        usFileDosPath.MaximumLength = MAX_PATH * 2;
                        usFileDosPath.Buffer = szBuffer;
                        RtlAppendUnicodeToString(&usFileDosPath, L"\\??\\");
                        RtlAppendUnicodeStringToString(&usFileDosPath, &name->Name);

                        OBJECT_ATTRIBUTES oba = { 0 };
                        InitializeObjectAttributes(&oba, &usFileDosPath, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);
                        IO_STATUS_BLOCK iosb = { 0 };
                        ntStatus = ZwOpenFile(&hFile, GENERIC_READ, &oba, &iosb, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);
                        if (NT_SUCCESS(ntStatus))
                        {
                                PFILE_OBJECT pFileRef = NULL;
                                ntStatus = ObReferenceObjectByHandle(hFile, GENERIC_READ, *IoFileObjectType, KernelMode, (PVOID*)&pFileRef, NULL);
                                if (NT_SUCCESS(ntStatus))
                                {

                                        //第一个参数的 PFILE_OBJECT 不能直接使用 PsReferenceProcessFilePointer返回的,可能
                                        //因为映射的方式不同,需要重新打开对应的文件取得 PFILE_OBJECT
                                        if (ValidateFileUsingCiValidateFileObject(pFileRef, Cert256Digest, SHA256_DEGIST_LENGTH))
                                        { 
                                                bAllow = true;
                                                KDPRINT("【IrpCertCheck】", "ValidateFileUsingCiValidateFileObject Pass\n");
                                        }
                                        else
                                        {
                                                KDPRINT("【IrpCertCheck】", "ValidateFileUsingCiValidateFileObject Failed\n");
                                        }
                                        ObDereferenceObject(pFileRef);
                                }
                                ZwClose(hFile);
                        }
                }
                ObDereferenceObject(pFileObject);
        }
        else
        {
                KDPRINT("【IrpCertCheck】", "PsReferenceProcessFilePointer failed, code:0x%08x\n", ntStatus);
        }
        if (bAllow)
        {
                ntStatus = STATUS_SUCCESS;
        }
        else
        {
                ntStatus = STATUS_ACCESS_DENIED;
        }
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = ntStatus;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return ntStatus;
}

extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        UNREFERENCED_PARAMETER(DriverObject);
        UNREFERENCED_PARAMETER(RegistryPath);
        DriverObject->DriverUnload = Unload;
        KDPRINT("【IrpCertCheck】", "IrpCertCheck Enter...\n");
        UNICODE_STRING usDeviceName = RTL_CONSTANT_STRING(IRP_CERT_CHECK_DEVICE_NAME);
        UNICODE_STRING usSddl = RTL_CONSTANT_STRING(L"D:P(A;;GA;;;WD)");
        //NTSTATUS ntStatus = IoCreateDeviceSecure(
        //        DriverObject,
        //        0,
        //        &usDeviceName,
        //        FILE_DEVICE_UNKNOWN,
        //        FILE_DEVICE_SECURE_OPEN,
        //        false,
        //        &usSddl,
        //        NULL,
        //        &g_pDeviceObject);
        NTSTATUS ntStatus = IoCreateDevice(
                DriverObject,
                0,
                &usDeviceName,
                FILE_DEVICE_UNKNOWN,
                FILE_DEVICE_SECURE_OPEN,
                false,
                &g_pDeviceObject);
        if (NT_SUCCESS(ntStatus))
        {
                UNICODE_STRING usSymbolic = RTL_CONSTANT_STRING(IRP_CERT_CHECK_DEVICE_SYMBOLIC_NAME);
                ntStatus = IoCreateSymbolicLink(&usSymbolic, &usDeviceName);
                if (NT_SUCCESS(ntStatus))
                {
                        for (int i = 0 ; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
                        {
                                DriverObject->MajorFunction[i] = CommonDispatchRoutine;
                        }
                        DriverObject->MajorFunction[IRP_MJ_CREATE] = Create;
                        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoControl;
                }
                else
                {
                        KDPRINT("【IrpCertCheck】", "IoCreateSymbolicLink failed, code:0x%08x\n", ntStatus);
                }
        }
        else
        {
                KDPRINT("【IrpCertCheck】", "IoCreateDevice failed, code:0x%08x\n", ntStatus);
        }

        return ntStatus;
}

VOID Unload(_In_ struct _DRIVER_OBJECT* DriverObject)
{
        UNREFERENCED_PARAMETER(DriverObject);
        KDPRINT("【IrpCertCheck】", "IrpCertCheck Enter..\n");
        UNICODE_STRING usSymbolic = RTL_CONSTANT_STRING(IRP_CERT_CHECK_DEVICE_SYMBOLIC_NAME);
        IoDeleteSymbolicLink(&usSymbolic);
        if (g_pDeviceObject)
        {
                IoDeleteDevice(g_pDeviceObject);
                g_pDeviceObject = NULL;
        }
}

 

4.2 应用层代码

#include <iostream>
#include <windows.h>
#include <iomanip>
#define CTL_CODE_TEST  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1000, METHOD_BUFFERED, FILE_ANY_ACCESS)
int main()
{
        HANDLE hDevice = CreateFile(L"\\\\.\\IrpCertCheck", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
        {
                std::string strInfo = "打开设备失败, 错误码:0x";
                std::cout << strInfo << std::setbase(16) << std::setfill('0') <<std::setw(8) << GetLastError() << std::endl;
        }
        else
        {
                DWORD nByteRetuen = 0;
                bool bOK = DeviceIoControl(hDevice, CTL_CODE_TEST, nullptr, 0, NULL, 0, &nByteRetuen, NULL);
                if (bOK)
                {
                        std::string strInfo = "发送控制码成功";
                        std::cout << strInfo <<std::endl;
                }
                else
                {
                        std::string strInfo = "发送控制码失败, 错误码:0x";
                        std::cout << strInfo << std::setbase(16) << std::setfill('0') << std::setw(8) << GetLastError() << std::endl;
                }
        }
}

 

5. 代码逻辑及注意事项

 

  • 驱动中 IRP_MJ_CREATE 对应的 Create 函数调用 ValidateFileUsingCiValidateFileObject 来判断数字签名是否是允许的,不允许情况下直接返回失败,对应的应用层打开设备也就失败。
  • 驱动中 IRP_MJ_CREATE 对应的 Create 函数调用 ValidateFileUsingCiValidateFileObject 的第一个参数 fileObject 不能直接使用 PsReferenceProcessFilePointer 返回的 FILE_OBJECT,原因可能是返回的 FILE_OBJECT 对应的文件映射方式不同,需要再次使用 ZwOpenFile 返回的文件对象。
  • SignatureCheck.cpp 中的 ValidateFileUsingCiValidateFileObject 函数第 52 行至 66 行打印了验证返回的数字证书摘要,此摘要为证书的摘要而非 PE 文件的摘要,而此证书为整个证书链最顶层的证书。这个打印逻辑可以用来先获取证书摘要 ,再通过 第67 至 70 行的判断来决定证书是否通过验证。
  • main.cpp 中的 Cert256Digest 的数据即是上一条方法中获取的证书摘要。
  • 应用层逻辑为打开设备成功后送一个控制请求。

 

6. 实验效果

  使用代码中 Cert256Digest 摘要对应的数字证书签名应用层程序,如下:

  

  加载驱动后运行应用层程序,效果如下:

  

  可以看到验证通过,应用层控制码也发送成功,main.cpp 中的 Cert256Digest 数据即为图中红框所标部分。

  之后换掉用层程序的数字签名(SHA256 改为 SHA1)后验证如下:

  

  

  可以发现数字证书虽然验证成功,但证书不是我们指定证书,最终还是返回失败,应用层打开设备直接返回拒绝访问,目的达到。

7.注意事项

 

  •   CiValidateFileObject 由 ci.dll 导出,编译驱动时需要链接 ci.dll, 具体方法见《Windows驱动中校验数字签名(使用 ci.dll)》
  •   在多重数字签名的情况下,CiValidateFileObject 只能返回一个签名的摘要,因此需要应用层只有一个数字签名。

 

标签:struct,certificate,数字签名,Windows,int,ntStatus,权限,digest,pIrp
From: https://www.cnblogs.com/ImprisonedSoul/p/17873463.html

相关文章

  • android 申请相机权限没有弹出授权对话框怎么办?
    当您在Android应用程序中申请相机权限时,如果没有弹出授权对话框,可能是由于以下几个原因导致的:权限已被授权:在某些情况下,如果用户先前已经授予了相机权限,系统将自动授予权限,而不会再次显示授权对话框。您可以在应用程序的设置中查看权限状态,或者在设备的应用程序设置中查看您的应用......
  • Linux学习之文件权限
    一:基本权限UGO4.1.1UGO设置文件属性与权限chown:修改文件属主,属组chgrp:修改文件属组chmod:修改文件权限将文件属主root改成qfeduchownqfedufile1修改属主,只需在属主和属组之间加入“.”或“。”即可chownqfedu1.linuxfile1添加-R参数即可将某个目录下的所有子目录或者......
  • Linux和Windows时间不一致问题
    问题描述装过双系统或者虚拟机装Linux的人都知道,Linux的时间和Windows往往是不同步的,在编写跨平台程序的时候特别是对时间敏感的代码就带来很大的困扰解决办法这个问题可以在Linux下解决先用命令查看时区timedatectl如果系统刚刚装好,没有设置好时区,有可能默认的是America/L......
  • 2023年更新整理Windows11专业工作站版激活密钥
    微软Windows11官方ISO镜像下载地址:https://www.microsoft.com/zh-cn/software-download/windows11激活密钥(整理自互联网,不保证可用性):MJN6F-M8XD9-R84JM-P8P8W-J8C9KP2Q5A-B6C8D-F9G1H-J3K7L-N4M6PR7T1Y-U2V5W-X4Z8A-D6E9F-K3G7HL9N2D-H3P7Q-V8R4X-U5C1S-J6K9MS4W6J-K7U9L-C3V8X-Y1Z......
  • Windows驱动中数字签名认证(使用 ci.dll)
    1.背景  对于常规应用程序来说,在应用层可以使用WinVerifyTrust,在驱动层使用常规的API无法使用,自己分析数据又太麻烦。  但在内核中ci.dll包装了数据签名验证相关的功能,我们可以使用该dll来实现我们的数字签名验证。  详细的分析见《内核中的代码完整性:深入分析ci......
  • Windows 下安装和配置 Redis (图文教程)
    ......
  • 解决「因更新而导致的Windows11进入系统桌面后白屏闪烁」的故障
    故障描述白屏闪烁,无法正常使用桌面及资源管理器。解决思路卸载Windows更新解决步骤进入安全模式重新启动计算机。在登录屏幕中,按住Shift键并单击电源>重新启动。在计算机重新启动进入选择选项屏幕后,选择疑难解答>高级选项>启动设置>重新启动。计算机......
  • Linux中文件权限和所有权
    在Linux中,设计与文件和目录相关联的权限的目的是防止用户访问其他用户的私有文件以及保护重要的系统文件。针对每个文件的权限所分配的九位(权限位)定义了你和其他用户对你文件的访问权。普通文件的权限通常为-rwxrwxrwx。对于不同的项目,前面的“-”是不同的,有可能看到d(针对目录)、l......
  • 第四章文件权限(ACL权限....)
    一、基本权限ACL1、ACL基本用法getfacl/home/test.txt  查看home目录下test.txt文件的ACL权限setfacl-mu:hr:rw/home/test.txt为组hr增加rw权限;设置ACL权限setdacl-xu:hr/home/test.txt 删除用户对文件的所有权限setfacl-b/home/test.txt 删除所有扩展ACL权......
  • mysql 安装时报找不到 MSVCP120.dll windows
     解决方法:下载VisualC++RedistributablePackagesforVisualStudio2013https://www.microsoft.com/zh-cn/download/details.aspx?id=40784VisualC++RedistributablePackagesforVisualStudio2013......