From 458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI
Date: Sat, 10 Jun 2017 18:43:15 +0200
Subject: Windows Driver Security: Use enhanced protection of NX pool under Windows 8 and later.

---
 src/Driver/DumpFilter.c | 2 +-
 src/Driver/EncryptedIoQueue.c | 4 ++--
 src/Driver/Ntdriver.c | 10 ++++++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
(limited to 'src/Driver')

diff --git a/src/Driver/DumpFilter.c b/src/Driver/DumpFilter.c
index ff570b1e..ca921d27 100644
--- a/src/Driver/DumpFilter.c
+++ b/src/Driver/DumpFilter.c
@@ -189,7 +189,7 @@ static NTSTATUS DumpFilterWrite (PFILTER_EXTENSION filterExtension, PLARGE_INTEG
 if ((offset & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0)
 TC_BUG_CHECK (STATUS_INVALID_PARAMETER);
- writeBuffer = MmGetSystemAddressForMdlSafe (writeMdl, HighPagePriority);
+ writeBuffer = MmGetSystemAddressForMdlSafe (writeMdl, (HighPagePriority | ExDefaultMdlProtection));
 if (!writeBuffer)
 TC_BUG_CHECK (STATUS_INSUFFICIENT_RESOURCES);
diff --git a/src/Driver/EncryptedIoQueue.c b/src/Driver/EncryptedIoQueue.c
index 7f50ec30..400416b7 100644
--- a/src/Driver/EncryptedIoQueue.c
+++ b/src/Driver/EncryptedIoQueue.c
@@ -638,7 +638,7 @@ static VOID MainThreadProc (PVOID threadArg)
 {
 UINT64_STRUCT dataUnit;
- dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
+ dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, (HighPagePriority | ExDefaultMdlProtection));
 if (!dataBuffer)
 {
 TCfree (buffer);
@@ -758,7 +758,7 @@ static VOID MainThreadProc (PVOID threadArg)
 continue;
 }
- dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
+ dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, (HighPagePriority | ExDefaultMdlProtection));
 if (dataBuffer == NULL)
 {
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index a84ada37..4172a193 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
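Review bot: MdlMappingNoExecute only governs a mapping that this call creates; if writeMdl already carries a system mapping (MDL_MAPPED_TO_SYSTEM_VA or MDL_SOURCE_IS_NONPAGED_POOL set by the dump stack or a filter above us), MmGetSystemAddressForMdlSafe returns the existing MappedSystemVa with whatever protection the original mapper chose, so the new flag is a best-effort hardening rather than a guarantee for the crash/hibernation write path. I'd record that next to the call: `// MdlMappingNoExecute applies only if this call creates the mapping; an already-mapped MDL keeps its existing protection`. The initialization order does hold up: in the Ntdriver.c hunk the flag is assigned before the `return DumpFilterEntry (...)` early exit, so the dump-filter image reads the right value. ExDefaultMdlProtection has no visible extern here; its declaration presumably lives in a shared header outside this view. DumpFilterWrite starts outside the hunk.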
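Review bot: This hunk hardens the mapping of the caller's MDL, but the queue's own pool buffers (the `TCfree (buffer)` two lines below implies a matching allocation earlier in MainThreadProc, outside the hunk) do not pick up ExDefaultNonPagedPoolType anywhere in this patch; the diffstat lists no consumer of that global at all, so those allocations presumably stay in executable NonPagedPool on Windows 8+ unless a change outside src/Driver (the listing is limited to that directory) routes TCalloc through it. I'd want the allocation side switched in the same series, e.g. `ExAllocatePoolWithTag (ExDefaultNonPagedPoolType, size, tag)` inside TCalloc, or the whole driver opted in via POOL_NX_OPTIN so no call site is missed. The second hunk at line 758 makes the identical change and the same remark applies. MainThreadProc starts and ends outside both hunks.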
@@ -92,6 +92,9 @@ static BOOL SystemFavoriteVolumeDirty = FALSE;
 static BOOL PagingFileCreationPrevented = FALSE;
 static BOOL EnableExtendedIoctlSupport = FALSE;
+POOL_TYPE ExDefaultNonPagedPoolType = NonPagedPool;
+ULONG ExDefaultMdlProtection = 0;
+
 PDEVICE_OBJECT VirtualVolumeDeviceObjects[MAX_MOUNTED_VOLUME_DRIVE_NUMBER + 1];
@@ -109,6 +112,13 @@ NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 Dump ("OsMajorVersion=%d OsMinorVersion=%d\n", OsMajorVersion, OsMinorVersion);
+ // NX pool support is available starting from Windows 8
+ if ((OsMajorVersion > 6) || (OsMajorVersion == 6 && OsMinorVersion >= 2))
+ {
+ ExDefaultNonPagedPoolType = (POOL_TYPE) NonPagedPoolNx;
+ ExDefaultMdlProtection = MdlMappingNoExecute;
+ }
+
 // Load dump filter if the main driver is already loaded
 if (NT_SUCCESS (TCDeviceIoControl (NT_ROOT_PREFIX, TC_IOCTL_GET_DRIVER_VERSION, NULL, 0, &version, sizeof (version))))
 return DumpFilterEntry ((PFILTER_EXTENSION) DriverObject, (PFILTER_INITIALIZATION_DATA) RegistryPath);
-- 
cgit v1.2.3
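Review bot: The two new globals are mutable, non-static and carry the Executive's `Ex` prefix, so a reader can mistake them for kernel exports, and nothing states who may write them; unlike the neighbouring `static BOOL` flags they are deliberately exported to other translation units. A short contract comment above them would settle both points: `// Pool type / MDL mapping protection used driver-wide. Set once in DriverEntry (NX variants on Windows 8+), read-only afterwards; shared with DumpFilter.c and EncryptedIoQueue.c`. The matching extern declarations are not in this diff and presumably live in a header outside the src/Driver listing.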
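Review bot: The version gate is correct (6.2 is Windows 8 and the `> 6` arm covers 10.0 kernels) and it runs before the `return DumpFilterEntry (...)` exit, so the dump-filter image inherits the NX settings too; the gap is that only call sites that explicitly reference ExDefaultNonPagedPoolType benefit, and this patch shows none. The WDK provides a driver-wide alternative that needs no call-site changes: define `POOL_NX_OPTIN` before including ntddk.h and make `ExInitializeDriverRuntime (DrvRtPoolNxOptIn);` the first statement of DriverEntry, which remaps every plain NonPagedPool request to NonPagedPoolNx on Windows 8+ and is a no-op on older kernels. Worth noting in the comment as well that `NonPagedPoolNx` and `MdlMappingNoExecute` must be resolvable at build time from Windows 8+ headers regardless of the runtime gate. DriverEntry continues outside the hunk.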