initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /boprot.c
1 files changed, 173 insertions, 0 deletions
diff --git a/boprot.c b/boprot.c
new file mode 100644
index 0000000..b490012
--- /dev/null
+++ b/boprot.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              boport.c
+ *
+ * Abstract:
+ *
+ *              This module implements buffer overflow protection related routines.
+ *              Specifically, kernel32.dll randomization. The rest of buffer overflow
+ *              code is in process.c
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 08-Jun-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include "boprot.h"
+#include "hookproc.h"
+#include "i386.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitBufferOverflowProtection)
+#endif
+ULONG   Kernel32Offset = 0, User32Offset = 0;
+/*
+ * InitBufferOverflowProtection()
+ *
+ * Description:
+ *              .
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitBufferOverflowProtection()
+{
+        ULONG           addr;
+        if (NTDLL_Base == NULL)
+                return FALSE;
+        __try
+        {
+                LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("searching for kernel32.dll (%x)\n", NTDLL_Base));
+                for (addr = (ULONG) NTDLL_Base; addr < 0x77ff9fff; addr++)
+                {
+                        if (_wcsnicmp((PWSTR) addr, L"kernel32.dll", 12) == 0)
+                        {
+                                LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found kernel32.dll string at offset %x\n", addr));
+                                Kernel32Offset = addr;
+                                if (User32Offset)
+                                        break;
+                        }
+                        if (_wcsnicmp((PWSTR) addr, L"user32.dll", 12) == 0)
+                        {
+                                LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found user32.dll string at offset %x\n", addr));
+                                User32Offset = addr;
+                                if (Kernel32Offset)
+                                        break;
+                        }
+                }
+                /* kernel32.dll and user32.dll strings are supposed to follow each other */
+                if (!Kernel32Offset || !User32Offset || (abs(User32Offset - Kernel32Offset) > 32))
+                {
+                        LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: incorrect kernel32.dll (%x) and user32.dll (%x) offsets\n", Kernel32Offset, User32Offset));
+                        Kernel32Offset = 0;
+                        User32Offset = 0;
+                        return FALSE;
+                }
+                if (Kernel32Offset)
+                {
+//XXX convert to use Mdl routines
+                        INTERRUPTS_OFF();
+                        MEMORY_PROTECTION_OFF();
+                        /* overwrite the first WCHAR of L"kernel32.dll" string with a zero */
+                        * (PWCHAR) Kernel32Offset = 0;
+                        MEMORY_PROTECTION_ON();
+                        INTERRUPTS_ON();
+                }
+#if 0
+                if (User32Offset)
+                {
+                        INTERRUPTS_OFF();
+                        MEMORY_PROTECTION_OFF();
+                        * (PWCHAR) User32Offset = 0;
+                        MEMORY_PROTECTION_ON();
+                        INTERRUPTS_ON();
+                }
+#endif
+        } // __try
+        __except(EXCEPTION_EXECUTE_HANDLER)
+        {
+                NTSTATUS status = GetExceptionCode();
+                LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: caught an exception. status = 0x%x\n", status));
+                return FALSE;
+        }
+        return TRUE;
+}
+/*
+ * ShutdownBufferOverflowProtection()
+ *
+ * Description:
+ *              .
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              Nothing.
+ */
+VOID
+ShutdownBufferOverflowProtection()
+{
+        if (Kernel32Offset)
+        {
+                INTERRUPTS_OFF();
+                MEMORY_PROTECTION_OFF();
+                /* restore the first WCHAR of L"kernel32.dll" string */
+                * (PWCHAR) Kernel32Offset = L'k';
+                MEMORY_PROTECTION_ON();
+                INTERRUPTS_ON();
+        }
+#if 0
+        if (User32Offset)
+        {
+                INTERRUPTS_OFF();
+                MEMORY_PROTECTION_OFF();
+                * (PWCHAR) User32Offset = L'u';
+                MEMORY_PROTECTION_ON();
+                INTERRUPTS_ON();
+        }
+#endif
+}
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /boprot.c

diff --git a/boprot.c b/boprot.c new file mode 100644 index 0000000..b490012 --- /dev/null +++ b/boprot.c
@@ -0,0 +1,173 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* boport.c
	7	*
	8	* Abstract:
	9	*
	10	* This module implements buffer overflow protection related routines.
	11	* Specifically, kernel32.dll randomization. The rest of buffer overflow
	12	* code is in process.c
	13	*
	14	* Author:
	15	*
	16	* Eugene Tsyrklevich 08-Jun-2004
	17	*
	18	* Revision History:
	19	*
	20	* None.
	21	*/
	22
	23
	24	#include "boprot.h"
	25	#include "hookproc.h"
	26	#include "i386.h"
	27
	28
	29	#ifdef ALLOC_PRAGMA
	30	#pragma alloc_text (INIT, InitBufferOverflowProtection)
	31	#endif
	32
	33
	34	ULONG Kernel32Offset = 0, User32Offset = 0;
	35
	36
	37	/*
	38	* InitBufferOverflowProtection()
	39	*
	40	* Description:
	41	* .
	42	*
	43	* NOTE: Called once during driver initialization (DriverEntry()).
	44	*
	45	* Parameters:
	46	* None.
	47	*
	48	* Returns:
	49	* TRUE to indicate success, FALSE if failed.
	50	*/
	51
	52	BOOLEAN
	53	InitBufferOverflowProtection()
	54	{
	55	ULONG addr;
	56
	57
	58	if (NTDLL_Base == NULL)
	59	return FALSE;
	60
	61
	62	__try
	63	{
	64	LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("searching for kernel32.dll (%x)\n", NTDLL_Base));
	65	for (addr = (ULONG) NTDLL_Base; addr < 0x77ff9fff; addr++)
	66	{
	67	if (_wcsnicmp((PWSTR) addr, L"kernel32.dll", 12) == 0)
	68	{
	69	LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found kernel32.dll string at offset %x\n", addr));
	70	Kernel32Offset = addr;
	71	if (User32Offset)
	72	break;
	73	}
	74
	75	if (_wcsnicmp((PWSTR) addr, L"user32.dll", 12) == 0)
	76	{
	77	LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found user32.dll string at offset %x\n", addr));
	78	User32Offset = addr;
	79	if (Kernel32Offset)
	80	break;
	81	}
	82	}
	83
	84	/* kernel32.dll and user32.dll strings are supposed to follow each other */
	85	if (!Kernel32Offset \|\| !User32Offset \|\| (abs(User32Offset - Kernel32Offset) > 32))
	86	{
	87	LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: incorrect kernel32.dll (%x) and user32.dll (%x) offsets\n", Kernel32Offset, User32Offset));
	88	Kernel32Offset = 0;
	89	User32Offset = 0;
	90	return FALSE;
	91	}
	92
	93	if (Kernel32Offset)
	94	{
	95	//XXX convert to use Mdl routines
	96	INTERRUPTS_OFF();
	97	MEMORY_PROTECTION_OFF();
	98
	99	/* overwrite the first WCHAR of L"kernel32.dll" string with a zero */
	100	* (PWCHAR) Kernel32Offset = 0;
	101
	102	MEMORY_PROTECTION_ON();
	103	INTERRUPTS_ON();
	104	}
	105	#if 0
	106	if (User32Offset)
	107	{
	108	INTERRUPTS_OFF();
	109	MEMORY_PROTECTION_OFF();
	110
	111	* (PWCHAR) User32Offset = 0;
	112
	113	MEMORY_PROTECTION_ON();
	114	INTERRUPTS_ON();
	115	}
	116	#endif
	117
	118	} // __try
	119
	120	__except(EXCEPTION_EXECUTE_HANDLER)
	121	{
	122	NTSTATUS status = GetExceptionCode();
	123	LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: caught an exception. status = 0x%x\n", status));
	124
	125	return FALSE;
	126	}
	127
	128
	129	return TRUE;
	130	}
	131
	132
	133
	134	/*
	135	* ShutdownBufferOverflowProtection()
	136	*
	137	* Description:
	138	* .
	139	*
	140	* Parameters:
	141	* None.
	142	*
	143	* Returns:
	144	* Nothing.
	145	*/
	146
	147	VOID
	148	ShutdownBufferOverflowProtection()
	149	{
	150	if (Kernel32Offset)
	151	{
	152	INTERRUPTS_OFF();
	153	MEMORY_PROTECTION_OFF();
	154
	155	/* restore the first WCHAR of L"kernel32.dll" string */
	156	* (PWCHAR) Kernel32Offset = L'k';
	157
	158	MEMORY_PROTECTION_ON();
	159	INTERRUPTS_ON();
	160	}
	161	#if 0
	162	if (User32Offset)
	163	{
	164	INTERRUPTS_OFF();
	165	MEMORY_PROTECTION_OFF();
	166
	167	* (PWCHAR) User32Offset = L'u';
	168
	169	MEMORY_PROTECTION_ON();
	170	INTERRUPTS_ON();
	171	}
	172	#endif
	173	}