From c210ef9f596f3cb3260e84775098634ca388c140 Mon Sep 17 00:00:00 2001 From: Alistair Leslie-Hughes Date: Fri, 4 Aug 2023 14:19:06 +1000 Subject: [PATCH] Updated fltmgr.sys-FltBuildDefaultSecurityDescriptor patchset --- ...ment-FltBuildDefaultSecurityDescript.patch | 57 +++++++++++-------- ...002-fltmgr.sys-Create-import-library.patch | 6 +- ...-FltBuildDefaultSecurityDescriptor-t.patch | 18 +++--- 3 files changed, 46 insertions(+), 35 deletions(-) diff --git a/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0001-fltmgr.sys-Implement-FltBuildDefaultSecurityDescript.patch b/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0001-fltmgr.sys-Implement-FltBuildDefaultSecurityDescript.patch index e3832d19..20e57531 100644 --- a/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0001-fltmgr.sys-Implement-FltBuildDefaultSecurityDescript.patch +++ b/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0001-fltmgr.sys-Implement-FltBuildDefaultSecurityDescript.patch @@ -1,15 +1,15 @@ -From f9da0ca4c7012918b5c8660ebe8a9ea0c74f05b0 Mon Sep 17 00:00:00 2001 +From 93d33e5934d8d71db35025f5046d8d44ac1182cc Mon Sep 17 00:00:00 2001 From: Alistair Leslie-Hughes Date: Sun, 29 Aug 2021 13:26:53 +1000 -Subject: [PATCH] fltmgr.sys: Implement FltBuildDefaultSecurityDescriptor +Subject: [PATCH 1/3] fltmgr.sys: Implement FltBuildDefaultSecurityDescriptor Signed-off-by: Alistair Leslie-Hughes --- dlls/fltmgr.sys/Makefile.in | 1 + dlls/fltmgr.sys/fltmgr.sys.spec | 4 +- - dlls/fltmgr.sys/main.c | 71 +++++++++++++++++++++++++++++++++ + dlls/fltmgr.sys/main.c | 75 ++++++++++++++++++++++++++++++++- include/ddk/fltkernel.h | 3 +- - 4 files changed, 76 insertions(+), 3 deletions(-) + 4 files changed, 79 insertions(+), 4 deletions(-) diff --git a/dlls/fltmgr.sys/Makefile.in b/dlls/fltmgr.sys/Makefile.in index ba106a43831..bb1f34b4896 100644 @@ -45,10 +45,18 @@ index 39ce6798178..8943b9f85cf 100644 @ stub FltGetBottomInstance @ stub FltGetContexts 
diff --git a/dlls/fltmgr.sys/main.c b/dlls/fltmgr.sys/main.c -index e1016a4989c..ea9685b4308 100644 +index e1016a4989c..79f810570da 100644 --- a/dlls/fltmgr.sys/main.c +++ b/dlls/fltmgr.sys/main.c -@@ -93,3 +93,74 @@ void* WINAPI FltGetRoutineAddress(LPCSTR name) +@@ -23,7 +23,6 @@ + #include "ntstatus.h" + #define WIN32_NO_STATUS + #include "windef.h" +-#include "winbase.h" + #include "winternl.h" + #include "ddk/fltkernel.h" + +@@ -93,3 +92,77 @@ void* WINAPI FltGetRoutineAddress(LPCSTR name) return func; } @@ -57,28 +65,34 @@ index e1016a4989c..ea9685b4308 100644 +{ + PACL dacl; + NTSTATUS ret = STATUS_INSUFFICIENT_RESOURCES; -+ ULONG sid_len; -+ PSID sid; -+ PSID sid_system; ++ DWORD sid_len; ++ SID *sid; ++ SID *sid_system = NULL; + PSECURITY_DESCRIPTOR sec_desc = NULL; + SID_IDENTIFIER_AUTHORITY auth = { SECURITY_NULL_SID_AUTHORITY }; + + *descriptor = NULL; + -+ ret = RtlAllocateAndInitializeSid(&auth, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_GROUP_RID_ADMINS, -+ 0, 0, 0, 0, 0, 0, &sid); -+ if (ret != STATUS_SUCCESS) ++ sid_len = RtlLengthRequiredSid(2); ++ sid = ExAllocatePool(PagedPool, sid_len); ++ if (!sid) + goto done; ++ RtlInitializeSid(sid, &auth, 2); ++ sid->SubAuthority[1] = DOMAIN_GROUP_RID_ADMINS; ++ sid->SubAuthority[0] = SECURITY_BUILTIN_DOMAIN_RID; + -+ ret = RtlAllocateAndInitializeSid(&auth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &sid_system); -+ if (ret != STATUS_SUCCESS) ++ sid_len = RtlLengthRequiredSid(1); ++ sid_system = ExAllocatePool(PagedPool, sid_len); ++ if (!sid_system) + goto done; ++ RtlInitializeSid(sid_system, &auth, 1); ++ sid_system->SubAuthority[0] = SECURITY_LOCAL_SYSTEM_RID; + + sid_len = SECURITY_DESCRIPTOR_MIN_LENGTH + sizeof(ACL) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(sid) + + sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(sid_system); + -+ sec_desc = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, sid_len); ++ sec_desc = ExAllocatePool(PagedPool, sid_len); + if (!sec_desc) + { + ret = STATUS_NO_MEMORY; 
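Review bot: Both hand-built SIDs take their identifier authority from `auth`, which this commit leaves initialised to `SECURITY_NULL_SID_AUTHORITY`, so `RtlInitializeSid(sid, &auth, 2)` and `RtlInitializeSid(sid_system, &auth, 1)` yield S-1-0-32-512 and S-1-0-18, which are not the well-known Administrators and LocalSystem SIDs. If the descriptor is meant to grant `access` to the built-in Administrators alias and LocalSystem, the declaration should read `SID_IDENTIFIER_AUTHORITY auth = { SECURITY_NT_AUTHORITY };` and the second sub-authority should be `DOMAIN_ALIAS_RID_ADMINS`; if the null authority is deliberate, a comment should say why. The rewrite also drops `HEAP_ZERO_MEMORY` for `sec_desc`, so the code after the allocation, which lies outside this hunk, has to initialise every byte a caller can read back.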
@@ -107,14 +121,11 @@ index e1016a4989c..ea9685b4308 100644 + *descriptor = sec_desc; + +done: -+ if (ret != STATUS_SUCCESS && sec_desc != NULL) -+ RtlFreeHeap(GetProcessHeap(), 0, sec_desc); ++ if (ret != STATUS_SUCCESS) ++ ExFreePool(sec_desc); + -+ if (sid != NULL) -+ RtlFreeHeap(GetProcessHeap(), 0, sid); -+ -+ if (sid_system != NULL) -+ RtlFreeHeap(GetProcessHeap(), 0, sid_system); ++ ExFreePool(sid); ++ ExFreePool(sid_system); + + return ret; +} @@ -139,5 +150,5 @@ index 8ebebfa2e81..9ece0990810 100644 NTSTATUS WINAPI FltRegisterFilter(PDRIVER_OBJECT, const FLT_REGISTRATION *, PFLT_FILTER *); NTSTATUS WINAPI FltStartFiltering(PFLT_FILTER); -- -2.33.0 +2.40.1 diff --git a/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0002-fltmgr.sys-Create-import-library.patch b/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0002-fltmgr.sys-Create-import-library.patch index 57aab8bc..fc75d971 100644 --- a/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0002-fltmgr.sys-Create-import-library.patch +++ b/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0002-fltmgr.sys-Create-import-library.patch @@ -1,7 +1,7 @@ -From 36bb7032734a97c5b9d01ef96d595973ea16eb95 Mon Sep 17 00:00:00 2001 +From 9cb5114cbf5af7c360ffb653fc286b8bf9e21db3 Mon Sep 17 00:00:00 2001 From: Alistair Leslie-Hughes Date: Mon, 30 Aug 2021 15:15:35 +1000 -Subject: [PATCH] fltmgr.sys: Create import library +Subject: [PATCH 2/3] fltmgr.sys: Create import library Signed-off-by: Alistair Leslie-Hughes --- @@ -19,5 +19,5 @@ index bb1f34b4896..5540df35d6a 100644 IMPORTS = ntoskrnl -- -2.33.0 +2.40.1 diff --git a/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0003-ntoskrnl.exe-Add-FltBuildDefaultSecurityDescriptor-t.patch b/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0003-ntoskrnl.exe-Add-FltBuildDefaultSecurityDescriptor-t.patch index c539204a..c6c03c31 100644 --- a/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0003-ntoskrnl.exe-Add-FltBuildDefaultSecurityDescriptor-t.patch 
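Review bot: The cleanup at `done:` now calls `ExFreePool` on `sec_desc`, `sid` and `sid_system` without the NULL guards the old code had, and the early `goto done` after a failed `sid` allocation reaches it with all three pointers NULL. That is safe only if this `ExFreePool` accepts NULL, which nothing in the hunk shows; either keep the guards, for example `if (sid) ExFreePool(sid);`, or add a comment such as `/* ExFreePool(NULL) is a no-op in this implementation */` once that is confirmed. The same path returns the initial `STATUS_INSUFFICIENT_RESOURCES`, while a failed `sec_desc` allocation returns `STATUS_NO_MEMORY`; using one status for both would be more consistent. The function body starts outside this hunk.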
+++ b/patches/fltmgr.sys-FltBuildDefaultSecurityDescriptor/0003-ntoskrnl.exe-Add-FltBuildDefaultSecurityDescriptor-t.patch @@ -1,4 +1,4 @@ -From bc1d0962b58a45949c91367e84e6f71beb9f698b Mon Sep 17 00:00:00 2001 +From 8d12d4dac0cbc7194d11e398b4d3371bef8a1952 Mon Sep 17 00:00:00 2001 From: Alistair Leslie-Hughes Date: Mon, 30 Aug 2021 15:16:06 +1000 Subject: [PATCH] ntoskrnl.exe: Add FltBuildDefaultSecurityDescriptor test @@ -23,7 +23,7 @@ index ab1db85adbb..9c89e44e70a 100644 driver2_IMPORTS = winecrt0 ntoskrnl hal driver2_EXTRADLLFLAGS = -nodefaultlibs -nostartfiles -Wl,--subsystem,native diff --git a/dlls/ntoskrnl.exe/tests/driver.c b/dlls/ntoskrnl.exe/tests/driver.c -index 18f2920759d..569007d435e 100644 +index c8797e8d8e0..168b47941e8 100644 --- a/dlls/ntoskrnl.exe/tests/driver.c +++ b/dlls/ntoskrnl.exe/tests/driver.c @@ -32,6 +32,7 @@ @@ -34,7 +34,7 @@ index 18f2920759d..569007d435e 100644 #include "driver.h" -@@ -2374,6 +2375,69 @@ static void test_default_modules(void) +@@ -2372,6 +2373,69 @@ static void test_default_modules(void) ok(dxgmms1, "Failed to find dxgmms1.sys\n"); } @@ -66,12 +66,12 @@ index 18f2920759d..569007d435e 100644 + ok(acl != NULL, "acl is NULL\n"); + ok(acl->AceCount == 2, "got %d\n", acl->AceCount); + -+ sid1 = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, RtlLengthRequiredSid(2)); ++ sid1 = ExAllocatePool(NonPagedPool, RtlLengthRequiredSid(2)); + RtlInitializeSid(sid1, &auth, 2); + *RtlSubAuthoritySid(sid1, 0) = SECURITY_BUILTIN_DOMAIN_RID; + *RtlSubAuthoritySid(sid1, 1) = DOMAIN_GROUP_RID_ADMINS; + -+ sid2 = RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, RtlLengthRequiredSid(1)); ++ sid2 = ExAllocatePool(NonPagedPool, RtlLengthRequiredSid(1)); + RtlInitializeSid(sid2, &auth, 1); + *RtlSubAuthoritySid(sid2, 0) = SECURITY_LOCAL_SYSTEM_RID; + 
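Review bot: In the test hunk, `sid1` and `sid2` go straight from `ExAllocatePool` into `RtlInitializeSid` with no NULL check, so an allocation failure would fault inside the test driver instead of being reported; a check such as `ok(sid1 != NULL, "sid1 is NULL\n");` plus an early exit before the `RtlInitializeSid` calls keeps it a test failure. The test allocates from `NonPagedPool` while the implementation uses `PagedPool`, which looks unintentional. The expected SIDs are built from `auth`, which is declared outside this hunk; if it mirrors the implementation's authority value, the `RtlEqualSid` comparisons check self-consistency rather than the intended principals.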
@@ -95,8 +95,8 @@ index 18f2920759d..569007d435e 100644 + + ok(RtlEqualSid(sid2, (PSID)&ace->SidStart), "SID not equal\n"); + -+ RtlFreeHeap(GetProcessHeap(), 0, sid1); -+ RtlFreeHeap(GetProcessHeap(), 0, sid2); ++ ExFreePool(sid1); ++ ExFreePool(sid2); + + FltFreeSecurityDescriptor(sd); +} @@ -104,7 +104,7 @@ index 18f2920759d..569007d435e 100644 static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp, IO_STACK_LOCATION *stack) { void *buffer = irp->AssociatedIrp.SystemBuffer; -@@ -2419,6 +2483,7 @@ static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp, IO_STACK_LOCATION *st +@@ -2417,6 +2481,7 @@ static NTSTATUS main_test(DEVICE_OBJECT *device, IRP *irp, IO_STACK_LOCATION *st test_process_memory(test_input); test_permanence(); test_driver_object_extension(); @@ -113,5 +113,5 @@ index 18f2920759d..569007d435e 100644 IoMarkIrpPending(irp); IoQueueWorkItem(work_item, main_test_task, DelayedWorkQueue, irp); -- -2.39.2 +2.40.1