From 458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Sat, 10 Jun 2017 18:43:15 +0200
Subject: Windows Driver Security: Use enhanced protection of NX pool under Windows 8 and later.
---
 src/Common/Tcdefs.h | 10 +++++++++-
 src/Driver/DumpFilter.c | 2 +-
 src/Driver/EncryptedIoQueue.c | 4 ++--
 src/Driver/Ntdriver.c | 10 ++++++++++
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/Common/Tcdefs.h b/src/Common/Tcdefs.h
index 149603a2..7c8382c3 100644
--- a/src/Common/Tcdefs.h
+++ b/src/Common/Tcdefs.h
@@ -235,7 +235,15 @@ void ThrowFatalException(int line);
 #include /* Standard header file for nt drivers */
 #include /* Standard I/O control codes */
-#define TCalloc(size) ((void *) ExAllocatePoolWithTag( NonPagedPool, size, 'MMCV' ))
+/* defines needed for using enhanced protection of NX pool under Windows 8 and later */
+#define NonPagedPoolNx 512
+#define MdlMappingNoExecute 0x40000000
+
+/* variables used in the implementation of enhanced protection of NX pool under Windows 8 and later */
+extern POOL_TYPE ExDefaultNonPagedPoolType;
+extern ULONG ExDefaultMdlProtection;
+
+#define TCalloc(size) ((void *) ExAllocatePoolWithTag( ExDefaultNonPagedPoolType, size, 'MMCV' ))
 #define TCfree(memblock) ExFreePoolWithTag( memblock, 'MMCV' )
 #define DEVICE_DRIVER
diff --git a/src/Driver/DumpFilter.c b/src/Driver/DumpFilter.c
index ff570b1e..ca921d27 100644
--- a/src/Driver/DumpFilter.c
+++ b/src/Driver/DumpFilter.c
@@ -189,7 +189,7 @@ static NTSTATUS DumpFilterWrite (PFILTER_EXTENSION filterExtension, PLARGE_INTEG
 if ((offset & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0)
 TC_BUG_CHECK (STATUS_INVALID_PARAMETER);
- writeBuffer = MmGetSystemAddressForMdlSafe (writeMdl, HighPagePriority);
+ writeBuffer = MmGetSystemAddressForMdlSafe (writeMdl, (HighPagePriority | ExDefaultMdlProtection));
 if (!writeBuffer)
 TC_BUG_CHECK (STATUS_INSUFFICIENT_RESOURCES);
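Review bot: `NonPagedPoolNx` and `MdlMappingNoExecute` are defined unconditionally in the new Tcdefs.h block, but a WDK targeting Windows 8 or later already provides `NonPagedPoolNx` as a `POOL_TYPE` enumerator and `MdlMappingNoExecute` as a macro; because the defines come after the `#include` lines they will not break the enum parse, yet they silently shadow the header's own definitions (the values 512 and 0x40000000 do appear to match the WDK's). Wrapping the two defines in `#if !defined(NTDDI_WIN8) || (NTDDI_VERSION < NTDDI_WIN8)` ... `#endif` keeps the fallback only for toolchains that lack these names, without the plain `NTDDI_VERSION < NTDDI_WIN8` trap where an undefined `NTDDI_WIN8` evaluates to 0 and drops the defines on the old WDK. `TCalloc` also deserves a one-line comment, e.g. `/* pool type is NonPagedPool until DriverEntry's version check switches it to NonPagedPoolNx */`, so readers know allocations made before that switch are not NX.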
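Review bot: The `(HighPagePriority | ExDefaultMdlProtection)` expression introduced in `DumpFilterWrite` is repeated verbatim at both `MmGetSystemAddressForMdlSafe` call sites in the EncryptedIoQueue.c hunks, and any future MDL mapping that omits the OR term silently gets an executable mapping again. One macro in Tcdefs.h beside `TCalloc`, e.g. `#define TC_MDL_MAP_PRIORITY (HighPagePriority | ExDefaultMdlProtection)` (name constructed), used at all three sites would keep the NX flag in a single place and make a missing flag visible in review. `DumpFilterWrite` starts and ends outside the hunk.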
diff --git a/src/Driver/EncryptedIoQueue.c b/src/Driver/EncryptedIoQueue.c
index 7f50ec30..400416b7 100644
--- a/src/Driver/EncryptedIoQueue.c
+++ b/src/Driver/EncryptedIoQueue.c
@@ -638,7 +638,7 @@ static VOID MainThreadProc (PVOID threadArg)
 {
 UINT64_STRUCT dataUnit;
- dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
+ dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, (HighPagePriority | ExDefaultMdlProtection));
 if (!dataBuffer)
 {
 TCfree (buffer);
@@ -758,7 +758,7 @@ static VOID MainThreadProc (PVOID threadArg)
 continue;
 }
- dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
+ dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, (HighPagePriority | ExDefaultMdlProtection));
 if (dataBuffer == NULL)
 {
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index a84ada37..4172a193 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -92,6 +92,9 @@ static BOOL SystemFavoriteVolumeDirty = FALSE;
 static BOOL PagingFileCreationPrevented = FALSE;
 static BOOL EnableExtendedIoctlSupport = FALSE;
+POOL_TYPE ExDefaultNonPagedPoolType = NonPagedPool;
+ULONG ExDefaultMdlProtection = 0;
+
 PDEVICE_OBJECT VirtualVolumeDeviceObjects[MAX_MOUNTED_VOLUME_DRIVE_NUMBER + 1];
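Review bot: `ExDefaultNonPagedPoolType` and `ExDefaultMdlProtection` are defined in Ntdriver.c with external linkage and no comment, yet they carry exactly the names the Windows 8 WDK uses for its own NX opt-in (`POOL_NX_OPTIN` declares the same two variables and `ExInitializeDriverRuntime(DrvRtPoolNxOptIn)` sets them), so a build against such a WDK with that option enabled would presumably end in a duplicate definition. A comment above the two definitions stating the deliberate mirroring, e.g. `// Intentionally mirror the WDK POOL_NX_OPTIN globals (not available in the current toolchain); written once in DriverEntry, read by TCalloc and MDL mappings`, would keep the next maintainer from treating them as kernel exports. Since `Ex` is the executive's prefix, naming the collision risk explicitly is worth the line.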
@@ -109,6 +112,13 @@ NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 Dump ("OsMajorVersion=%d OsMinorVersion=%d\n", OsMajorVersion, OsMinorVersion);
+ // NX pool support is available starting from Windows 8
+ if ((OsMajorVersion > 6) || (OsMajorVersion == 6 && OsMinorVersion >= 2))
+ {
+ ExDefaultNonPagedPoolType = (POOL_TYPE) NonPagedPoolNx;
+ ExDefaultMdlProtection = MdlMappingNoExecute;
+ }
+
 // Load dump filter if the main driver is already loaded
 if (NT_SUCCESS (TCDeviceIoControl (NT_ROOT_PREFIX, TC_IOCTL_GET_DRIVER_VERSION, NULL, 0, &version, sizeof (version))))
 return DumpFilterEntry ((PFILTER_EXTENSION) DriverObject, (PFILTER_INITIALIZATION_DATA) RegistryPath);
--
cgit v1.2.3
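Review bot: The version check switches the NX defaults only at this point in `DriverEntry`, so any `TCalloc` or MDL mapping executed earlier in the function (which starts outside the hunk) still comes from executable `NonPagedPool`; the placement ahead of the `DumpFilterEntry` branch is correct as far as the hunk shows, but nothing documents that ordering requirement. Extending the added comment to `// NX pool support is available starting from Windows 8; must precede the first TCalloc/MDL mapping and the DumpFilterEntry branch below, which inherit these defaults` would protect it from a later reordering. The hand-written major/minor comparison is the same test as `RtlIsNtDdiVersionAvailable(NTDDI_WIN8)` and could be replaced by it once the build uses a WDK that defines `NTDDI_WIN8`; until then the explicit comparison is fine.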