Fea #29, 添加GetProcessMitigationPolicy，SetProcessMitigationPolicy

ThunksList.md

@@ -274,6 +274,8 @@
 | OfferVirtualMemory                         | 不存在时，返回ERROR_SUCCESS。
 | ReclaimVirtualMemory                       | 不存在时，返回ERROR_SUCCESS。
 | PrefetchVirtualMemory                      | 不存在时，返回ERROR_SUCCESS。
+| GetProcessMitigationPolicy                 | 不存在时，调用NtQueryInformationProcess。
+| SetProcessMitigationPolicy                 | 不存在时，调用NtSetInformationProcess。
 
 ## mfplat.dll
 | 函数                                       | Fallback

src/Shared/km.h

@@ -1,4 +1,4 @@
-#pragma once
+#pragma once
 
 #ifndef SDK_KM_H
 #define SDK_KM_H
@@ -1252,16 +1252,16 @@ enum SYSTEM_INFORMATION_CLASS
 	SystemSpecialPoolInformation = 0x57,
 	SystemProcessIdInformation = 0x58,
 	SystemErrorPortInformation = 0x59,
-	SystemBootEnvironmentInformation = 0x5a,			//系统的启动信息
+	SystemBootEnvironmentInformation = 0x5a,			//系统的启动信息
 	SystemHypervisorInformation = 0x5b,
 	SystemVerifierInformationEx = 0x5c,
 	SystemTimeZoneInformation = 0x5d,
 	SystemImageFileExecutionOptionsInformation = 0x5e,
 	SystemCoverageInformation = 0x5f,
 	SystemPrefetchPatchInformation = 0x60,
 	SystemVerifierFaultsInformation = 0x61,
-	MaxSystemInfoClassWinXP,                 //WinXP最大支持到此处
-	SystemSystemPartitionInformation = 0x62,	//用于获取系统分区信息，其结构为UNICODE_STRING
+	MaxSystemInfoClassWinXP,                 //WinXP最大支持到此处
+	SystemSystemPartitionInformation = 0x62,	//用于获取系统分区信息，其结构为UNICODE_STRING
 	SystemSystemDiskInformation = 0x63,
 	SystemProcessorPerformanceDistribution = 0x64,
 	SystemNumaProximityNodeInformation = 0x65,
@@ -1908,7 +1908,7 @@ NtQueryDirectoryFile (
 		ProcessSessionInformation,
 		ProcessForegroundInformation,
 		ProcessWow64Information,
-		ProcessImageFileName,			//获取进程的NT路径，结构为UNICODE_STRING
+		ProcessImageFileName,			//获取进程的NT路径，结构为UNICODE_STRING
 		ProcessLUIDDeviceMapsEnabled,
 		ProcessBreakOnTermination,
 		ProcessDebugObjectHandle,
@@ -1925,17 +1925,26 @@ NtQueryDirectoryFile (
 		ProcessInstrumentationCallback,
 		ProcessThreadStackAllocation,
 		ProcessWorkingSetWatchEx,
-		ProcessImageFileNameWin32,			//获取进程的Dos路径，结构为UNICODE_STRING
+		ProcessImageFileNameWin32,			//获取进程的Dos路径，结构为UNICODE_STRING
 		ProcessImageFileMapping,			// buffer is a pointer to a file handle open with SYNCHRONIZE | FILE_EXECUTE access, return value is whether the handle is the same used to start the process
 		ProcessAffinityUpdateMode,
 		ProcessMemoryAllocationMode,
 		ProcessGroupInformation,
 		ProcessTokenVirtualizationEnabled,	// invalid class
 		ProcessConsoleHostProcess,			// retrieves the pid for the process' corresponding conhost process
 		ProcessWindowInformation,			// returns the windowflags and windowtitle members of the process' peb->rtl_user_process_params
+		YY_ProcessPolicy = 52, // 指向 YY_ProcessAslrPolicyInfo
 		MaxProcessInfoClass
 	} PROCESSINFOCLASS;
 
+	struct YY_ProcessPolicyInfo
+	{
+		// 1 ProcessASLRPolicy
+		// 3 ProcessStrictHandleCheckPolicy
+		// 4 ProcessSystemCallDisablePolicy
+		DWORD Unknow1;
+		DWORD Flags;
+	};
 
 	struct WOW64_PROCESS_BASIC_INFORMATION
 	{
@@ -2660,6 +2669,24 @@ NtQueryDirectoryFile (
 		OUT PVOID *FunctionAddress
 		);
 
+	 typedef struct _KEXECUTE_OPTIONS
+	 {
+		 union
+		 {
+			 DWORD Reserved;
+			 struct
+			 {
+				 UCHAR ExecuteDisable : 1;
+				 UCHAR ExecuteEnable : 1;
+				 UCHAR DisableThunkEmulation : 1;
+				 UCHAR Permanent : 1;
+				 UCHAR ExecuteDispatchEnable : 1;
+				 UCHAR ImageDispatchEnable : 1;
+				 UCHAR Spare : 2;
+			 };
+		 };
+	 } KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;
+
 	typedef struct _PROCESS_WINDOW_INFORMATION
 	{
 		ULONG WindowFlags;
@@ -4697,7 +4724,7 @@ NtQueryDirectoryFile (
 		);
 #endif
 
-	//UEFI支持相关函数
+	//UEFI支持相关函数
 
 	EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwQueryBootEntryOrder(
 			OUT PULONG Ids,
@@ -5049,7 +5076,7 @@ NtReleaseKeyedEvent(
 	IN PLARGE_INTEGER       Timeout OPTIONAL
 	);
 
-//指示进程是否正在进行退出。
+//指示进程是否正在进行退出。
 EXTERN_C
 NTSYSAPI
 BOOLEAN

src/Thunks/YY_Thunks.cpp

@@ -41,6 +41,7 @@
     _APPLY(NtQueryObject,                                ntdll                                         ) \
     _APPLY(NtQueryInformationThread,                     ntdll                                         ) \
     _APPLY(NtQueryInformationProcess,                    ntdll                                         ) \
+    _APPLY(NtSetInformationProcess,                      ntdll                                         ) \
     _APPLY(NtOpenKeyedEvent,                             ntdll                                         ) \
     _APPLY(NtWaitForKeyedEvent,                          ntdll                                         ) \
     _APPLY(NtReleaseKeyedEvent,                          ntdll                                         ) \

src/Thunks/api-ms-win-core-processthreads.hpp

@@ -699,6 +699,206 @@ namespace YY
 			return TRUE;
 		}
 #endif
+
+#if (YY_Thunks_Support_Version < NTDDI_WIN8)
+
+		// 最低受支持的客户端	Windows 8 [桌面应用|UWP 应用]
+		// 最低受支持的服务器	Windows Server 2012[桌面应用 | UWP 应用]
+		__DEFINE_THUNK(
+		kernel32,
+		16,
+		BOOL,
+		WINAPI,
+		GetProcessMitigationPolicy,
+			_In_ HANDLE _hProcess,
+			_In_ PROCESS_MITIGATION_POLICY _eMitigationPolicy,
+			_Out_writes_bytes_(_cbLength) PVOID _pBuffer,
+			_In_ SIZE_T _cbLength
+			)
+		{
+			if (const auto _pfnGetProcessMitigationPolicy = try_get_GetProcessMitigationPolicy())
+			{
+				return _pfnGetProcessMitigationPolicy(_hProcess, _eMitigationPolicy, _pBuffer, _cbLength);
+			}
+
+			if (!_pBuffer)
+			{
+				SetLastError(ERROR_INVALID_PARAMETER);
+				return FALSE;
+			}
+
+			if ((DWORD)_eMitigationPolicy >= (DWORD)MaxProcessMitigationPolicy)
+			{
+				SetLastError(ERROR_INVALID_PARAMETER);
+				return FALSE;
+			}
+			const auto _pfnNtQueryInformationProcess = try_get_NtQueryInformationProcess();
+			if (!_pfnNtQueryInformationProcess)
+			{
+				SetLastError(ERROR_NOT_SUPPORTED);
+				return FALSE;
+			}
+
+			if (_eMitigationPolicy == ProcessDEPPolicy)
+			{
+				if (_cbLength != sizeof(PROCESS_MITIGATION_DEP_POLICY))
+				{
+					SetLastError(ERROR_INVALID_PARAMETER);
+					return FALSE;
+				}
+				KEXECUTE_OPTIONS _DepOptions = {};
+				NTSTATUS _Status = _pfnNtQueryInformationProcess(_hProcess, ProcessExecuteFlags, &_DepOptions, sizeof(_DepOptions), nullptr);
+				if (_Status >= 0)
+				{
+					auto _pDepPolicy = (PROCESS_MITIGATION_DEP_POLICY*)_pBuffer;
+					_pDepPolicy->Enable = _DepOptions.ExecuteEnable ? 0 : 1;
+					_pDepPolicy->DisableAtlThunkEmulation = _DepOptions.DisableThunkEmulation;
+					_pDepPolicy->ReservedFlags = 0;
+					_pDepPolicy->Permanent = _DepOptions.Permanent;
+					return TRUE;
+				}
+				else if (STATUS_INVALID_INFO_CLASS == _Status || STATUS_NOT_SUPPORTED == _Status)
+				{
+					*(DWORD*)_pBuffer = 0;
+					return TRUE;
+				}
+				else
+				{
+					internal::BaseSetLastNTError(_Status);
+					return FALSE;
+				}
+			}
+			else if (_eMitigationPolicy == ProcessMitigationOptionsMask)
+			{
+				if (_cbLength < sizeof(UINT64))
+				{
+					SetLastError(ERROR_INVALID_PARAMETER);
+					return FALSE;
+				}
+
+				memset(_pBuffer, 0, _cbLength);
+				return TRUE;
+			}
+			else
+			{
+				if (_cbLength != sizeof(DWORD))
+				{
+					SetLastError(ERROR_INVALID_PARAMETER);
+					return FALSE;
+				}
+
+				YY_ProcessPolicyInfo _Info = { _eMitigationPolicy };
+				NTSTATUS _Status = _pfnNtQueryInformationProcess(_hProcess, YY_ProcessPolicy, &_Info, sizeof(_Info), nullptr);
+				if (_Status >= 0)
+				{
+					*(DWORD*)_pBuffer = _Info.Flags;
+					return TRUE;
+				}
+				else if (STATUS_INVALID_INFO_CLASS == _Status || STATUS_NOT_SUPPORTED == _Status)
+				{
+					// 如果没有这个特性，那么统一设置为0，表示内部所有环境方案都处于关闭状态
+					*(DWORD*)_pBuffer = 0;
+					return TRUE;
+				}
+				else
+				{
+					internal::BaseSetLastNTError(_Status);
+					return FALSE;
+				}
+			}
+
+			SetLastError(ERROR_INVALID_PARAMETER);
+			return FALSE;
+		}
+#endif
+
+#if (YY_Thunks_Support_Version < NTDDI_WIN8)
+
+		// 最低受支持的客户端	Windows 8 [桌面应用|UWP 应用]
+		// 最低受支持的服务器	Windows Server 2012[桌面应用 | UWP 应用]
+		__DEFINE_THUNK(
+		kernel32,
+		12,
+		BOOL,
+		WINAPI,
+		SetProcessMitigationPolicy,
+			_In_ PROCESS_MITIGATION_POLICY _eMitigationPolicy,
+			_In_reads_bytes_(_cbLength) PVOID _pBuffer,
+			_In_ SIZE_T _cbLength
+			)
+		{
+			if (const auto _pfnSetProcessMitigationPolicy = try_get_SetProcessMitigationPolicy())
+			{
+				return _pfnSetProcessMitigationPolicy(_eMitigationPolicy, _pBuffer, _cbLength);
+			}
+
+			if (!_pBuffer)
+			{
+				SetLastError(ERROR_INVALID_PARAMETER);
+				return FALSE;
+			}
+
+			if ((DWORD)_eMitigationPolicy >= (DWORD)MaxProcessMitigationPolicy || _eMitigationPolicy == ProcessMitigationOptionsMask)
+			{
+				SetLastError(ERROR_INVALID_PARAMETER);
+				return FALSE;
+			}
+			const auto _pfnNtSetInformationProcess = try_get_NtSetInformationProcess();
+			if (!_pfnNtSetInformationProcess)
+			{
+				SetLastError(ERROR_NOT_SUPPORTED);
+				return FALSE;
+			}
+
+			NTSTATUS _Status;
+			if (_eMitigationPolicy == ProcessDEPPolicy)
+			{
+				if (_cbLength != sizeof(PROCESS_MITIGATION_DEP_POLICY))
+				{
+					SetLastError(ERROR_INVALID_PARAMETER);
+					return FALSE;
+				}
+
+				auto& _DepPolicy = *(PROCESS_MITIGATION_DEP_POLICY*)_pBuffer;
+
+				KEXECUTE_OPTIONS _DepOptions = {};
+				if (_DepPolicy.Enable)
+				{
+					_DepOptions.ExecuteDisable = 1;
+				}
+				else
+				{
+					_DepOptions.ExecuteEnable = 1;
+				}
+				_DepOptions.DisableThunkEmulation = _DepPolicy.DisableAtlThunkEmulation;
+				_DepOptions.Permanent = _DepPolicy.Permanent;
+
+				_Status = _pfnNtSetInformationProcess(NtCurrentProcess(), YY_ProcessPolicy, &_DepOptions, sizeof(_DepOptions));
+
+			}
+			else
+			{
+				if (_cbLength != sizeof(DWORD))
+				{
+					SetLastError(ERROR_INVALID_PARAMETER);
+					return FALSE;
+				}
+
+				YY_ProcessPolicyInfo _Info = { _eMitigationPolicy, *(DWORD*)_pBuffer };
+				_Status = _pfnNtSetInformationProcess(NtCurrentProcess(), YY_ProcessPolicy, &_Info, sizeof(_Info));
+			}
+
+			if (_Status >= 0)
+			{
+				return TRUE;
+			}
+			else
+			{
+				internal::BaseSetLastNTError(_Status);
+				return FALSE;
+			}
+		}
+#endif
 	}//namespace Thunks
 
 } //namespace YY