summaryrefslogtreecommitdiff
path: root/boprot.c
diff options
context:
space:
mode:
Diffstat (limited to 'boprot.c')
-rw-r--r--boprot.c173
1 files changed, 173 insertions, 0 deletions
diff --git a/boprot.c b/boprot.c
new file mode 100644
index 0000000..b490012
--- /dev/null
+++ b/boprot.c
@@ -0,0 +1,173 @@
1/*
2 * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
3 *
4 * Module Name:
5 *
6 * boport.c
7 *
8 * Abstract:
9 *
10 * This module implements buffer overflow protection related routines.
11 * Specifically, kernel32.dll randomization. The rest of buffer overflow
12 * code is in process.c
13 *
14 * Author:
15 *
16 * Eugene Tsyrklevich 08-Jun-2004
17 *
18 * Revision History:
19 *
20 * None.
21 */
22
23
24#include "boprot.h"
25#include "hookproc.h"
26#include "i386.h"
27
28
29#ifdef ALLOC_PRAGMA
30#pragma alloc_text (INIT, InitBufferOverflowProtection)
31#endif
32
33
34ULONG Kernel32Offset = 0, User32Offset = 0;
35
36
37/*
38 * InitBufferOverflowProtection()
39 *
40 * Description:
41 * .
42 *
43 * NOTE: Called once during driver initialization (DriverEntry()).
44 *
45 * Parameters:
46 * None.
47 *
48 * Returns:
49 * TRUE to indicate success, FALSE if failed.
50 */
51
52BOOLEAN
53InitBufferOverflowProtection()
54{
55 ULONG addr;
56
57
58 if (NTDLL_Base == NULL)
59 return FALSE;
60
61
62 __try
63 {
64 LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("searching for kernel32.dll (%x)\n", NTDLL_Base));
65 for (addr = (ULONG) NTDLL_Base; addr < 0x77ff9fff; addr++)
66 {
67 if (_wcsnicmp((PWSTR) addr, L"kernel32.dll", 12) == 0)
68 {
69 LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found kernel32.dll string at offset %x\n", addr));
70 Kernel32Offset = addr;
71 if (User32Offset)
72 break;
73 }
74
75 if (_wcsnicmp((PWSTR) addr, L"user32.dll", 12) == 0)
76 {
77 LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found user32.dll string at offset %x\n", addr));
78 User32Offset = addr;
79 if (Kernel32Offset)
80 break;
81 }
82 }
83
84 /* kernel32.dll and user32.dll strings are supposed to follow each other */
85 if (!Kernel32Offset || !User32Offset || (abs(User32Offset - Kernel32Offset) > 32))
86 {
87 LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: incorrect kernel32.dll (%x) and user32.dll (%x) offsets\n", Kernel32Offset, User32Offset));
88 Kernel32Offset = 0;
89 User32Offset = 0;
90 return FALSE;
91 }
92
93 if (Kernel32Offset)
94 {
95//XXX convert to use Mdl routines
96 INTERRUPTS_OFF();
97 MEMORY_PROTECTION_OFF();
98
99 /* overwrite the first WCHAR of L"kernel32.dll" string with a zero */
100 * (PWCHAR) Kernel32Offset = 0;
101
102 MEMORY_PROTECTION_ON();
103 INTERRUPTS_ON();
104 }
105#if 0
106 if (User32Offset)
107 {
108 INTERRUPTS_OFF();
109 MEMORY_PROTECTION_OFF();
110
111 * (PWCHAR) User32Offset = 0;
112
113 MEMORY_PROTECTION_ON();
114 INTERRUPTS_ON();
115 }
116#endif
117
118 } // __try
119
120 __except(EXCEPTION_EXECUTE_HANDLER)
121 {
122 NTSTATUS status = GetExceptionCode();
123 LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: caught an exception. status = 0x%x\n", status));
124
125 return FALSE;
126 }
127
128
129 return TRUE;
130}
131
132
133
134/*
135 * ShutdownBufferOverflowProtection()
136 *
137 * Description:
138 * .
139 *
140 * Parameters:
141 * None.
142 *
143 * Returns:
144 * Nothing.
145 */
146
147VOID
148ShutdownBufferOverflowProtection()
149{
150 if (Kernel32Offset)
151 {
152 INTERRUPTS_OFF();
153 MEMORY_PROTECTION_OFF();
154
155 /* restore the first WCHAR of L"kernel32.dll" string */
156 * (PWCHAR) Kernel32Offset = L'k';
157
158 MEMORY_PROTECTION_ON();
159 INTERRUPTS_ON();
160 }
161#if 0
162 if (User32Offset)
163 {
164 INTERRUPTS_OFF();
165 MEMORY_PROTECTION_OFF();
166
167 * (PWCHAR) User32Offset = L'u';
168
169 MEMORY_PROTECTION_ON();
170 INTERRUPTS_ON();
171 }
172#endif
173}