From fdd8b490123534e8a25e9b5f1f56c2f9683f5a3a Mon Sep 17 00:00:00 2001 From: mingkuang Date: Sun, 12 Mar 2023 23:47:03 +0800 Subject: [PATCH] =?UTF-8?q?Fea=20#29,=20=E6=B7=BB=E5=8A=A0GetProcessMitiga?= =?UTF-8?q?tionPolicy=EF=BC=8CSetProcessMitigationPolicy?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ThunksList.md | 2 + src/Shared/km.h | 43 +++- src/Thunks/YY_Thunks.cpp | 1 + src/Thunks/api-ms-win-core-processthreads.hpp | 200 ++++++++++++++++++ 4 files changed, 238 insertions(+), 8 deletions(-) diff --git a/ThunksList.md b/ThunksList.md index beb4404..56e7e48 100644 --- a/ThunksList.md +++ b/ThunksList.md @@ -274,6 +274,8 @@ | OfferVirtualMemory | 不存在时,返回ERROR_SUCCESS。 | ReclaimVirtualMemory | 不存在时,返回ERROR_SUCCESS。 | PrefetchVirtualMemory | 不存在时,返回ERROR_SUCCESS。 +| GetProcessMitigationPolicy | 不存在时,调用NtQueryInformationProcess。 +| SetProcessMitigationPolicy | 不存在时,调用NtSetInformationProcess。 ## mfplat.dll | 函数 | Fallback diff --git a/src/Shared/km.h b/src/Shared/km.h index c64fc6f..1719b58 100644 --- a/src/Shared/km.h +++ b/src/Shared/km.h @@ -1,4 +1,4 @@ -#pragma once +#pragma once #ifndef SDK_KM_H #define SDK_KM_H @@ -1252,7 +1252,7 @@ enum SYSTEM_INFORMATION_CLASS SystemSpecialPoolInformation = 0x57, SystemProcessIdInformation = 0x58, SystemErrorPortInformation = 0x59, - SystemBootEnvironmentInformation = 0x5a, //ϵͳϢ + SystemBootEnvironmentInformation = 0x5a, //系统的启动信息 SystemHypervisorInformation = 0x5b, SystemVerifierInformationEx = 0x5c, SystemTimeZoneInformation = 0x5d, 
@@ -1260,8 +1260,8 @@ enum SYSTEM_INFORMATION_CLASS SystemCoverageInformation = 0x5f, SystemPrefetchPatchInformation = 0x60, SystemVerifierFaultsInformation = 0x61, - MaxSystemInfoClassWinXP, //WinXPֵ֧˴ - SystemSystemPartitionInformation = 0x62, //ڻȡϵͳϢṹΪUNICODE_STRING + MaxSystemInfoClassWinXP, //WinXP最大支持到此处 + SystemSystemPartitionInformation = 0x62, //用于获取系统分区信息,其结构为UNICODE_STRING SystemSystemDiskInformation = 0x63, SystemProcessorPerformanceDistribution = 0x64, SystemNumaProximityNodeInformation = 0x65, @@ -1908,7 +1908,7 @@ NtQueryDirectoryFile ( ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, - ProcessImageFileName, //ȡ̵NT·ṹΪUNICODE_STRING + ProcessImageFileName, //获取进程的NT路径,结构为UNICODE_STRING ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, @@ -1925,7 +1925,7 @@ NtQueryDirectoryFile ( ProcessInstrumentationCallback, ProcessThreadStackAllocation, ProcessWorkingSetWatchEx, - ProcessImageFileNameWin32, //ȡ̵Dos·ṹΪUNICODE_STRING + ProcessImageFileNameWin32, //获取进程的Dos路径,结构为UNICODE_STRING ProcessImageFileMapping, // buffer is a pointer to a file handle open with SYNCHRONIZE | FILE_EXECUTE access, return value is whether the handle is the same used to start the process ProcessAffinityUpdateMode, ProcessMemoryAllocationMode, @@ -1933,9 +1933,18 @@ NtQueryDirectoryFile ( ProcessTokenVirtualizationEnabled, // invalid class ProcessConsoleHostProcess, // retrieves the pid for the process' corresponding conhost process ProcessWindowInformation, // returns the windowflags and windowtitle members of the process' peb->rtl_user_process_params + YY_ProcessPolicy = 52, // 指向 YY_ProcessAslrPolicyInfo MaxProcessInfoClass } PROCESSINFOCLASS; + struct YY_ProcessPolicyInfo + { + // 1 ProcessASLRPolicy + // 3 ProcessStrictHandleCheckPolicy + // 4 ProcessSystemCallDisablePolicy + DWORD Unknow1; + DWORD Flags; + }; struct WOW64_PROCESS_BASIC_INFORMATION { 
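Review bot: The comment on the new `YY_ProcessPolicy = 52` enumerator refers to `YY_ProcessAslrPolicyInfo`, but the struct this hunk defines is `YY_ProcessPolicyInfo`, and its first field is named `Unknow1` even though the thunks in api-ms-win-core-processthreads.hpp in this same commit initialise it with the PROCESS_MITIGATION_POLICY value (`YY_ProcessPolicyInfo _Info = { _eMitigationPolicy }`). Suggest correcting the reference and documenting the field instead of leaving it "unknown": `DWORD Unknow1; // policy selector: the PROCESS_MITIGATION_POLICY value (1 ASLR, 3 StrictHandleCheck, 4 SystemCallDisable per the list above)`. The explicit `= 52` is placed among implicitly numbered enumerators, so if `ProcessWindowInformation` is not 51 it silently changes the value of `MaxProcessInfoClass`; a `static_assert(YY_ProcessPolicy == ProcessWindowInformation + 1, "PROCESSINFOCLASS numbering drifted");` or at least a comment recording that assumption would make the intent checkable. The enclosing PROCESSINFOCLASS enum starts outside the hunk.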
@@ -2660,6 +2669,24 @@ NtQueryDirectoryFile ( OUT PVOID *FunctionAddress ); + typedef struct _KEXECUTE_OPTIONS + { + union + { + DWORD Reserved; + struct + { + UCHAR ExecuteDisable : 1; + UCHAR ExecuteEnable : 1; + UCHAR DisableThunkEmulation : 1; + UCHAR Permanent : 1; + UCHAR ExecuteDispatchEnable : 1; + UCHAR ImageDispatchEnable : 1; + UCHAR Spare : 2; + }; + }; + } KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS; + typedef struct _PROCESS_WINDOW_INFORMATION { ULONG WindowFlags; @@ -4697,7 +4724,7 @@ NtQueryDirectoryFile ( ); #endif - //UEFI֧غ + //UEFI支持相关函数 EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwQueryBootEntryOrder( OUT PULONG Ids, @@ -5049,7 +5076,7 @@ NtReleaseKeyedEvent( IN PLARGE_INTEGER Timeout OPTIONAL ); -//ָʾǷڽ˳ +//指示进程是否正在进行退出。 EXTERN_C NTSYSAPI BOOLEAN diff --git a/src/Thunks/YY_Thunks.cpp b/src/Thunks/YY_Thunks.cpp index a40d900..f264e08 100644 --- a/src/Thunks/YY_Thunks.cpp +++ b/src/Thunks/YY_Thunks.cpp @@ -41,6 +41,7 @@ _APPLY(NtQueryObject, ntdll ) \ _APPLY(NtQueryInformationThread, ntdll ) \ _APPLY(NtQueryInformationProcess, ntdll ) \ + _APPLY(NtSetInformationProcess, ntdll ) \ _APPLY(NtOpenKeyedEvent, ntdll ) \ _APPLY(NtWaitForKeyedEvent, ntdll ) \ _APPLY(NtReleaseKeyedEvent, ntdll ) \ diff --git a/src/Thunks/api-ms-win-core-processthreads.hpp b/src/Thunks/api-ms-win-core-processthreads.hpp index d3d17ed..153f6e9 100644 --- a/src/Thunks/api-ms-win-core-processthreads.hpp +++ b/src/Thunks/api-ms-win-core-processthreads.hpp 
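Review bot: `_KEXECUTE_OPTIONS` carries no comment saying which information class it is the buffer for, while the thunks added in api-ms-win-core-processthreads.hpp pass it to `ProcessExecuteFlags` on the query side and to `YY_ProcessPolicy` on the set side, so the header is the natural place to pin the contract: `// Buffer for the ProcessExecuteFlags information class; the flag bit-fields occupy the low byte of Reserved`. The anonymous struct nested inside the union is a compiler extension (it matches the rest of this header, but is worth noting for readers building it elsewhere), and `Reserved` is the member that `KEXECUTE_OPTIONS _DepOptions = {}` zero-initialises, so stating that the remaining 24 bits are deliberately sent as zero would remove a question the caller otherwise has to answer by reading the thunk.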
@@ -699,6 +699,206 @@ namespace YY return TRUE; } #endif + +#if (YY_Thunks_Support_Version < NTDDI_WIN8) + + // 最低受支持的客户端 Windows 8 [桌面应用|UWP 应用] + // 最低受支持的服务器 Windows Server 2012[桌面应用 | UWP 应用] + __DEFINE_THUNK( + kernel32, + 16, + BOOL, + WINAPI, + GetProcessMitigationPolicy, + _In_ HANDLE _hProcess, + _In_ PROCESS_MITIGATION_POLICY _eMitigationPolicy, + _Out_writes_bytes_(_cbLength) PVOID _pBuffer, + _In_ SIZE_T _cbLength + ) + { + if (const auto _pfnGetProcessMitigationPolicy = try_get_GetProcessMitigationPolicy()) + { + return _pfnGetProcessMitigationPolicy(_hProcess, _eMitigationPolicy, _pBuffer, _cbLength); + } + + if (!_pBuffer) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + if ((DWORD)_eMitigationPolicy >= (DWORD)MaxProcessMitigationPolicy) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + const auto _pfnNtQueryInformationProcess = try_get_NtQueryInformationProcess(); + if (!_pfnNtQueryInformationProcess) + { + SetLastError(ERROR_NOT_SUPPORTED); + return FALSE; + } + + if (_eMitigationPolicy == ProcessDEPPolicy) + { + if (_cbLength != sizeof(PROCESS_MITIGATION_DEP_POLICY)) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + KEXECUTE_OPTIONS _DepOptions = {}; + NTSTATUS _Status = _pfnNtQueryInformationProcess(_hProcess, ProcessExecuteFlags, &_DepOptions, sizeof(_DepOptions), nullptr); + if (_Status >= 0) + { + auto _pDepPolicy = (PROCESS_MITIGATION_DEP_POLICY*)_pBuffer; + _pDepPolicy->Enable = _DepOptions.ExecuteEnable ? 
0 : 1; + _pDepPolicy->DisableAtlThunkEmulation = _DepOptions.DisableThunkEmulation; + _pDepPolicy->ReservedFlags = 0; + _pDepPolicy->Permanent = _DepOptions.Permanent; + return TRUE; + } + else if (STATUS_INVALID_INFO_CLASS == _Status || STATUS_NOT_SUPPORTED == _Status) + { + *(DWORD*)_pBuffer = 0; + return TRUE; + } + else + { + internal::BaseSetLastNTError(_Status); + return FALSE; + } + } + else if (_eMitigationPolicy == ProcessMitigationOptionsMask) + { + if (_cbLength < sizeof(UINT64)) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + memset(_pBuffer, 0, _cbLength); + return TRUE; + } + else + { + if (_cbLength != sizeof(DWORD)) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + YY_ProcessPolicyInfo _Info = { _eMitigationPolicy }; + NTSTATUS _Status = _pfnNtQueryInformationProcess(_hProcess, YY_ProcessPolicy, &_Info, sizeof(_Info), nullptr); + if (_Status >= 0) + { + *(DWORD*)_pBuffer = _Info.Flags; + return TRUE; + } + else if (STATUS_INVALID_INFO_CLASS == _Status || STATUS_NOT_SUPPORTED == _Status) + { + // 如果没有这个特性,那么统一设置为0,表示内部所有环境方案都处于关闭状态 + *(DWORD*)_pBuffer = 0; + return TRUE; + } + else + { + internal::BaseSetLastNTError(_Status); + return FALSE; + } + } + + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } +#endif + +#if (YY_Thunks_Support_Version < NTDDI_WIN8) + + // 最低受支持的客户端 Windows 8 [桌面应用|UWP 应用] + // 最低受支持的服务器 Windows Server 2012[桌面应用 | UWP 应用] + __DEFINE_THUNK( + kernel32, + 12, + BOOL, + WINAPI, + SetProcessMitigationPolicy, + _In_ PROCESS_MITIGATION_POLICY _eMitigationPolicy, + _In_reads_bytes_(_cbLength) PVOID _pBuffer, + _In_ SIZE_T _cbLength + ) + { + if (const auto _pfnSetProcessMitigationPolicy = try_get_SetProcessMitigationPolicy()) + { + return _pfnSetProcessMitigationPolicy(_eMitigationPolicy, _pBuffer, _cbLength); + } + + if (!_pBuffer) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + if ((DWORD)_eMitigationPolicy >= (DWORD)MaxProcessMitigationPolicy || 
_eMitigationPolicy == ProcessMitigationOptionsMask) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + const auto _pfnNtSetInformationProcess = try_get_NtSetInformationProcess(); + if (!_pfnNtSetInformationProcess) + { + SetLastError(ERROR_NOT_SUPPORTED); + return FALSE; + } + + NTSTATUS _Status; + if (_eMitigationPolicy == ProcessDEPPolicy) + { + if (_cbLength != sizeof(PROCESS_MITIGATION_DEP_POLICY)) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + auto& _DepPolicy = *(PROCESS_MITIGATION_DEP_POLICY*)_pBuffer; + + KEXECUTE_OPTIONS _DepOptions = {}; + if (_DepPolicy.Enable) + { + _DepOptions.ExecuteDisable = 1; + } + else + { + _DepOptions.ExecuteEnable = 1; + } + _DepOptions.DisableThunkEmulation = _DepPolicy.DisableAtlThunkEmulation; + _DepOptions.Permanent = _DepPolicy.Permanent; + + _Status = _pfnNtSetInformationProcess(NtCurrentProcess(), YY_ProcessPolicy, &_DepOptions, sizeof(_DepOptions)); + + } + else + { + if (_cbLength != sizeof(DWORD)) + { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + YY_ProcessPolicyInfo _Info = { _eMitigationPolicy, *(DWORD*)_pBuffer }; + _Status = _pfnNtSetInformationProcess(NtCurrentProcess(), YY_ProcessPolicy, &_Info, sizeof(_Info)); + } + + if (_Status >= 0) + { + return TRUE; + } + else + { + internal::BaseSetLastNTError(_Status); + return FALSE; + } + } +#endif }//namespace Thunks } //namespace YY \ No newline at end of file
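Review bot: The DEP branch of SetProcessMitigationPolicy sends the KEXECUTE_OPTIONS buffer under the `YY_ProcessPolicy` information class, whereas GetProcessMitigationPolicy reads the same KEXECUTE_OPTIONS structure through `ProcessExecuteFlags`; the two paths disagree, and the 4-byte `_DepOptions` does not match the 8-byte `YY_ProcessPolicyInfo` that `YY_ProcessPolicy` otherwise carries, so the set call is likely to be rejected or misinterpreted. Unless the different class is intentional, the line should read `_Status = _pfnNtSetInformationProcess(NtCurrentProcess(), ProcessExecuteFlags, &_DepOptions, sizeof(_DepOptions));`. The trailing `SetLastError(ERROR_INVALID_PARAMETER); return FALSE;` at the end of GetProcessMitigationPolicy is unreachable, since every branch of the preceding if/else chain returns. Note also the asymmetry that GetProcessMitigationPolicy returns TRUE with a zeroed buffer on STATUS_INVALID_INFO_CLASS/STATUS_NOT_SUPPORTED while SetProcessMitigationPolicy reports failure for the same statuses; if that is deliberate (a caller must never be told a mitigation was applied when it was not), a one-line comment on the set path saying so would stop a later "consistency" edit from weakening it.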