From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001 From: tumagonx Date: Tue, 8 Aug 2017 10:54:53 +0700 Subject: initial commit --- boprot.c | 173 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 173 insertions(+) create mode 100644 boprot.c (limited to 'boprot.c') diff --git a/boprot.c b/boprot.c new file mode 100644 index 0000000..b490012 --- /dev/null +++ b/boprot.c @@ -0,0 +1,173 @@ +/* + * Copyright (c) 2004 Security Architects Corporation. All rights reserved. + * + * Module Name: + * + * boport.c + * + * Abstract: + * + * This module implements buffer overflow protection related routines. + * Specifically, kernel32.dll randomization. The rest of buffer overflow + * code is in process.c + * + * Author: + * + * Eugene Tsyrklevich 08-Jun-2004 + * + * Revision History: + * + * None. + */ + + +#include "boprot.h" +#include "hookproc.h" +#include "i386.h" + + +#ifdef ALLOC_PRAGMA +#pragma alloc_text (INIT, InitBufferOverflowProtection) +#endif + + +ULONG Kernel32Offset = 0, User32Offset = 0; + + +/* + * InitBufferOverflowProtection() + * + * Description: + * . + * + * NOTE: Called once during driver initialization (DriverEntry()). + * + * Parameters: + * None. + * + * Returns: + * TRUE to indicate success, FALSE if failed. + */ + +BOOLEAN +InitBufferOverflowProtection() +{ + ULONG addr; + + + if (NTDLL_Base == NULL) + return FALSE; + + + __try + { + LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("searching for kernel32.dll (%x)\n", NTDLL_Base)); + for (addr = (ULONG) NTDLL_Base; addr < 0x77ff9fff; addr++) + { + if (_wcsnicmp((PWSTR) addr, L"kernel32.dll", 12) == 0) + { + LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found kernel32.dll string at offset %x\n", addr)); + Kernel32Offset = addr; + if (User32Offset) + break; + } + + if (_wcsnicmp((PWSTR) addr, L"user32.dll", 12) == 0) + { + LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("InitBufferOverflowProtection: found user32.dll string at offset %x\n", addr)); + User32Offset = addr; + if (Kernel32Offset) + break; + } + } + + /* kernel32.dll and user32.dll strings are supposed to follow each other */ + if (!Kernel32Offset || !User32Offset || (abs(User32Offset - Kernel32Offset) > 32)) + { + LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: incorrect kernel32.dll (%x) and user32.dll (%x) offsets\n", Kernel32Offset, User32Offset)); + Kernel32Offset = 0; + User32Offset = 0; + return FALSE; + } + + if (Kernel32Offset) + { +//XXX convert to use Mdl routines + INTERRUPTS_OFF(); + MEMORY_PROTECTION_OFF(); + + /* overwrite the first WCHAR of L"kernel32.dll" string with a zero */ + * (PWCHAR) Kernel32Offset = 0; + + MEMORY_PROTECTION_ON(); + INTERRUPTS_ON(); + } +#if 0 + if (User32Offset) + { + INTERRUPTS_OFF(); + MEMORY_PROTECTION_OFF(); + + * (PWCHAR) User32Offset = 0; + + MEMORY_PROTECTION_ON(); + INTERRUPTS_ON(); + } +#endif + + } // __try + + __except(EXCEPTION_EXECUTE_HANDLER) + { + NTSTATUS status = GetExceptionCode(); + LOG(LOG_SS_MISC, LOG_PRIORITY_WARNING, ("InitBufferOverflowProtection: caught an exception. status = 0x%x\n", status)); + + return FALSE; + } + + + return TRUE; +} + + + +/* + * ShutdownBufferOverflowProtection() + * + * Description: + * . + * + * Parameters: + * None. + * + * Returns: + * Nothing. + */ + +VOID +ShutdownBufferOverflowProtection() +{ + if (Kernel32Offset) + { + INTERRUPTS_OFF(); + MEMORY_PROTECTION_OFF(); + + /* restore the first WCHAR of L"kernel32.dll" string */ + * (PWCHAR) Kernel32Offset = L'k'; + + MEMORY_PROTECTION_ON(); + INTERRUPTS_ON(); + } +#if 0 + if (User32Offset) + { + INTERRUPTS_OFF(); + MEMORY_PROTECTION_OFF(); + + * (PWCHAR) User32Offset = L'u'; + + MEMORY_PROTECTION_ON(); + INTERRUPTS_ON(); + } +#endif +} -- cgit v1.3