Add KProcessHacker hashing and verification code

Author: wj32

KProcessHacker/devctrl.c

@@ -53,18 +53,16 @@ NTSTATUS KphDispatchDeviceControl(
     ioControlCode = stackLocation->Parameters.DeviceIoControl.IoControlCode;
     accessMode = Irp->RequestorMode;
 
-    // Make sure we actually have input if the input length
-    // is non-zero.
+    // Make sure we actually have input if the input length is non-zero.
     if (inputLength != 0 && !originalInput)
     {
         status = STATUS_INVALID_BUFFER_SIZE;
         goto ControlEnd;
     }
 
-    // Make sure the caller isn't giving us a huge buffer.
-    // If they are, it can't be correct because we have a
-    // compile-time check that makes sure our buffer can
-    // store the arguments for all the calls.
+    // Make sure the caller isn't giving us a huge buffer. If they are, it can't be correct because
+    // we have a compile-time check that makes sure our buffer can store the arguments for all the
+    // calls.
     if (inputLength > sizeof(capturedInput))
     {
         status = STATUS_INVALID_BUFFER_SIZE;
@@ -116,6 +114,7 @@ NTSTATUS KphDispatchDeviceControl(
                 PHANDLE ProcessHandle;
                 ACCESS_MASK DesiredAccess;
                 PCLIENT_ID ClientId;
+                ULONGLONG Key;
             } *input = capturedInputPointer;
 
             VERIFY_INPUT_LENGTH;
@@ -124,6 +123,7 @@ NTSTATUS KphDispatchDeviceControl(
                 input->ProcessHandle,
                 input->DesiredAccess,
                 input->ClientId,
+                input->Key,
                 accessMode
                 );
         }
@@ -153,13 +153,15 @@ NTSTATUS KphDispatchDeviceControl(
             {
                 HANDLE ProcessHandle;
                 NTSTATUS ExitStatus;
+                ULONGLONG Key;
             } *input = capturedInputPointer;
 
             VERIFY_INPUT_LENGTH;
 
             status = KpiTerminateProcess(
                 input->ProcessHandle,
                 input->ExitStatus,
+                input->Key,
                 accessMode
                 );
         }
@@ -173,6 +175,7 @@ NTSTATUS KphDispatchDeviceControl(
                 PVOID Buffer;
                 SIZE_T BufferSize;
                 PSIZE_T NumberOfBytesRead;
+                ULONGLONG Key;
             } *input = capturedInputPointer;
 
             VERIFY_INPUT_LENGTH;
@@ -183,6 +186,7 @@ NTSTATUS KphDispatchDeviceControl(
                 input->Buffer,
                 input->BufferSize,
                 input->NumberOfBytesRead,
+                input->Key,
                 accessMode
                 );
         }
@@ -238,6 +242,7 @@ NTSTATUS KphDispatchDeviceControl(
                 PHANDLE ThreadHandle;
                 ACCESS_MASK DesiredAccess;
                 PCLIENT_ID ClientId;
+                ULONGLONG Key;
             } *input = capturedInputPointer;
 
             VERIFY_INPUT_LENGTH;
@@ -246,6 +251,7 @@ NTSTATUS KphDispatchDeviceControl(
                 input->ThreadHandle,
                 input->DesiredAccess,
                 input->ClientId,
+                input->Key,
                 accessMode
                 );
         }

KProcessHacker/include/kph.h

@@ -5,6 +5,7 @@
 #define PHNT_MODE PHNT_MODE_KERNEL
 #include <phnt.h>
 #include <ntfill.h>
+#include <bcrypt.h>
 #include <kphapi.h>
 
 // Debugging
@@ -15,6 +16,16 @@
 #define dprintf
 #endif
 
+typedef struct _KPH_CLIENT
+{
+    // Validated process image address range
+    PVOID ValidatedRangeStart;
+    SIZE_T ValidatedRangeSize;
+    // Level 1 and 2 secret keys
+    ULONGLONG L1Key;
+    ULONGLONG L2Key;
+} KPH_CLIENT, *PKPH_CLIENT;
+
 typedef struct _KPH_PARAMETERS
 {
     KPH_SECURITY_LEVEL SecurityLevel;
@@ -30,15 +41,6 @@ NTSTATUS KpiGetFeatures(
     __in KPROCESSOR_MODE AccessMode
     );
 
-NTSTATUS KphEnumerateSystemModules(
-    __out PRTL_PROCESS_MODULES *Modules
-    );
-
-NTSTATUS KphValidateAddressForSystemModules(
-    __in PVOID Address,
-    __in SIZE_T Length
-    );
-
 // devctrl
 
 __drv_dispatchType(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH KphDispatchDeviceControl;
@@ -137,6 +139,7 @@ NTSTATUS KpiOpenProcess(
     __out PHANDLE ProcessHandle,
     __in ACCESS_MASK DesiredAccess,
     __in PCLIENT_ID ClientId,
+    __in_opt ULONGLONG Key,
     __in KPROCESSOR_MODE AccessMode
     );
 
@@ -150,6 +153,7 @@ NTSTATUS KpiOpenProcessJob(
 NTSTATUS KpiTerminateProcess(
     __in HANDLE ProcessHandle,
     __in NTSTATUS ExitStatus,
+    __in_opt ULONGLONG Key,
     __in KPROCESSOR_MODE AccessMode
     );
 
@@ -201,6 +205,7 @@ NTSTATUS KpiOpenThread(
     __out PHANDLE ThreadHandle,
     __in ACCESS_MASK DesiredAccess,
     __in PCLIENT_ID ClientId,
+    __in_opt ULONGLONG Key,
     __in KPROCESSOR_MODE AccessMode
     );
 
@@ -256,6 +261,40 @@ NTSTATUS KpiSetInformationThread(
     __in KPROCESSOR_MODE AccessMode
     );
 
+// util
+
+VOID KphFreeCapturedUnicodeString(
+    __in PUNICODE_STRING CapturedUnicodeString
+    );
+
+NTSTATUS KphCaptureUnicodeString(
+    __in PUNICODE_STRING UnicodeString,
+    __out PUNICODE_STRING CapturedUnicodeString
+    );
+
+NTSTATUS KphEnumerateSystemModules(
+    __out PRTL_PROCESS_MODULES *Modules
+    );
+
+NTSTATUS KphValidateAddressForSystemModules(
+    __in PVOID Address,
+    __in SIZE_T Length
+    );
+
+// verify
+
+NTSTATUS KphHashFile(
+    __in PUNICODE_STRING FileName,
+    __out PVOID *Hash,
+    __out PULONG HashSize
+    );
+
+NTSTATUS KphVerifyFile(
+    __in PUNICODE_STRING FileName,
+    __in_bcount(SignatureSize) PVOID Signature,
+    __in ULONG SignatureSize
+    );
+
 // vm
 
 NTSTATUS KphCopyVirtualMemory(
@@ -274,76 +313,8 @@ NTSTATUS KpiReadVirtualMemoryUnsafe(
     __out_bcount(BufferSize) PVOID Buffer,
     __in SIZE_T BufferSize,
     __out_opt PSIZE_T NumberOfBytesRead,
+    __in_opt ULONGLONG Key,
     __in KPROCESSOR_MODE AccessMode
     );
 
-// Inline support functions
-
-FORCEINLINE VOID KphFreeCapturedUnicodeString(
-    __in PUNICODE_STRING CapturedUnicodeString
-    )
-{
-    if (CapturedUnicodeString->Buffer)
-        ExFreePoolWithTag(CapturedUnicodeString->Buffer, 'UhpK');
-}
-
-FORCEINLINE NTSTATUS KphCaptureUnicodeString(
-    __in PUNICODE_STRING UnicodeString,
-    __out PUNICODE_STRING CapturedUnicodeString
-    )
-{
-    UNICODE_STRING unicodeString;
-    PWSTR userBuffer;
-
-    __try
-    {
-        ProbeForRead(UnicodeString, sizeof(UNICODE_STRING), sizeof(ULONG));
-        unicodeString.Length = UnicodeString->Length;
-        unicodeString.MaximumLength = unicodeString.Length;
-        unicodeString.Buffer = NULL;
-
-        userBuffer = UnicodeString->Buffer;
-        ProbeForRead(userBuffer, unicodeString.Length, sizeof(WCHAR));
-    }
-    __except (EXCEPTION_EXECUTE_HANDLER)
-    {
-        return GetExceptionCode();
-    }
-
-    if (unicodeString.Length & 1)
-    {
-        return STATUS_INVALID_PARAMETER;
-    }
-
-    if (unicodeString.Length != 0)
-    {
-        unicodeString.Buffer = ExAllocatePoolWithTag(
-            PagedPool,
-            unicodeString.Length,
-            'UhpK'
-            );
-
-        if (!unicodeString.Buffer)
-            return STATUS_INSUFFICIENT_RESOURCES;
-
-        __try
-        {
-            memcpy(
-                unicodeString.Buffer,
-                userBuffer,
-                unicodeString.Length
-                );
-        }
-        __except (EXCEPTION_EXECUTE_HANDLER)
-        {
-            KphFreeCapturedUnicodeString(&unicodeString);
-            return GetExceptionCode();
-        }
-    }
-
-    *CapturedUnicodeString = unicodeString;
-
-    return STATUS_SUCCESS;
-}
-
 #endif

KProcessHacker/main.c

@@ -302,105 +302,3 @@ NTSTATUS KpiGetFeatures(
 
     return STATUS_SUCCESS;
 }
-
-/**
- * Enumerates the modules loaded by the kernel.
- *
- * \param Modules A variable which receives a pointer
- * to a structure containing information about
- * the kernel modules. The structure must be freed with
- * the tag 'ThpK'.
- */
-NTSTATUS KphEnumerateSystemModules(
-    __out PRTL_PROCESS_MODULES *Modules
-    )
-{
-    NTSTATUS status;
-    PVOID buffer;
-    ULONG bufferSize;
-    ULONG attempts;
-
-    bufferSize = 2048;
-    attempts = 8;
-
-    do
-    {
-        buffer = ExAllocatePoolWithTag(PagedPool, bufferSize, 'ThpK');
-
-        if (!buffer)
-        {
-            status = STATUS_INSUFFICIENT_RESOURCES;
-            break;
-        }
-
-        status = ZwQuerySystemInformation(
-            SystemModuleInformation,
-            buffer,
-            bufferSize,
-            &bufferSize
-            );
-
-        if (NT_SUCCESS(status))
-        {
-            *Modules = buffer;
-
-            return status;
-        }
-
-        ExFreePoolWithTag(buffer, 'ThpK');
-
-        if (status != STATUS_INFO_LENGTH_MISMATCH)
-        {
-            break;
-        }
-    } while (--attempts);
-
-    return status;
-}
-
-/**
- * Checks if an address range lies within a kernel module.
- *
- * \param Address The beginning of the address range.
- * \param Length The number of bytes in the address range.
- */
-NTSTATUS KphValidateAddressForSystemModules(
-    __in PVOID Address,
-    __in SIZE_T Length
-    )
-{
-    NTSTATUS status;
-    PRTL_PROCESS_MODULES modules;
-    ULONG i;
-    BOOLEAN valid;
-
-    status = KphEnumerateSystemModules(&modules);
-
-    if (!NT_SUCCESS(status))
-        return status;
-
-    valid = FALSE;
-
-    for (i = 0; i < modules->NumberOfModules; i++)
-    {
-        if (
-            (ULONG_PTR)Address + Length >= (ULONG_PTR)Address &&
-            (ULONG_PTR)Address >= (ULONG_PTR)modules->Modules[i].ImageBase &&
-            (ULONG_PTR)Address + Length <= (ULONG_PTR)modules->Modules[i].ImageBase + modules->Modules[i].ImageSize
-            )
-        {
-            dprintf("Validated address 0x%Ix in %s\n", Address, modules->Modules[i].FullPathName);
-            valid = TRUE;
-            break;
-        }
-    }
-
-    ExFreePoolWithTag(modules, 'ThpK');
-
-    if (valid)
-        status = STATUS_SUCCESS;
-    else
-        status = STATUS_ACCESS_VIOLATION;
-
-    return status;
-}