add an extra check for release .sig files

DBKKernel/sigcheck.c

@@ -7,6 +7,7 @@ This is only in case of a signed release build
 #include <windef.h>
 #include <bcrypt.h>
 #include <Ntstrsafe.h>
+#include <ntimage.h>
 
 
 #include "sigcheck.h"
@@ -14,6 +15,10 @@ This is only in case of a signed release build
 
 unsigned char publicKey[]={0x45, 0x43, 0x53, 0x35, 0x42, 0x00, 0x00, 0x00, 0x00, 0x3A, 0xBA, 0x72, 0xCF, 0xA7, 0x79, 0xFA, 0x92, 0x96, 0x15, 0x8E, 0x69, 0x35, 0x19, 0x09, 0x99, 0x3C, 0x97, 0xE8, 0x18, 0x0B, 0xC6, 0x2C, 0x8B, 0x24, 0x5A, 0xD8, 0x1C, 0x86, 0x83, 0x89, 0xE7, 0xA4, 0xA9, 0x47, 0x11, 0x7E, 0x07, 0x74, 0x69, 0x74, 0x33, 0x0B, 0x1A, 0xB8, 0x63, 0x11, 0x51, 0xEA, 0x00, 0xD6, 0x26, 0xE7, 0x7C, 0x6D, 0x77, 0xA5, 0x0E, 0x9F, 0x37, 0x87, 0x7B, 0x79, 0x2F, 0xEE, 0x00, 0x65, 0x7A, 0xBF, 0x44, 0x79, 0xD1, 0x7E, 0x47, 0xBC, 0xF9, 0x6F, 0x31, 0x81, 0x85, 0x70, 0x78, 0x5D, 0xED, 0xA5, 0xC6, 0x15, 0x0F, 0x2C, 0x0A, 0x27, 0x3B, 0x3E, 0x36, 0xEB, 0x53, 0x3E, 0x3E, 0x75, 0xC1, 0xA3, 0x0A, 0xC0, 0xC1, 0x53, 0x3A, 0x77, 0xFB, 0x84, 0x88, 0x35, 0xE8, 0x86, 0xF0, 0xA2, 0x52, 0x86, 0x5D, 0x12, 0x2D, 0x03, 0x88, 0x00, 0x36, 0x2B, 0x8D, 0x21, 0x13, 0x99, 0x7F, 0x62};
 
+NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL);
+NTSYSAPI NTSTATUS NTAPI ZwQueryInformationThread(IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL);
+
+
 NTSTATUS LoadFile(PUNICODE_STRING filename, PVOID *buffer, DWORD *size)
 /*
 Loads the specified file into paged memory
@@ -182,7 +187,57 @@ Calculates a hash from the buffer and then checks the signature
 	return s;
 }
 
-NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
+NTSTATUS TestProcess(PIMAGE_DOS_HEADER buf, DWORD size)
+{
+	UINT_PTR maxAddress = (UINT_PTR)buf + size;
+	if (buf->e_magic != IMAGE_DOS_SIGNATURE)
+		return STATUS_UNSUCCESSFUL;
+
+	if ((DWORD)buf->e_lfanew >= size)
+		return STATUS_UNSUCCESSFUL;
+
+	PIMAGE_NT_HEADERS nth = (PIMAGE_NT_HEADERS)((UINT_PTR)buf + buf->e_lfanew);
+	if (nth->Signature != IMAGE_NT_SIGNATURE)
+		return STATUS_UNSUCCESSFUL;
+
+	PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(nth);
+	if ((UINT_PTR)sections >= maxAddress)
+		return STATUS_UNSUCCESSFUL;
+
+	int i;
+	for (i = 0; i < nth->FileHeader.NumberOfSections; i++)
+	{
+		if (strcmp((char *)sections[i].Name, ".text") == 0)
+		{
+			if (((UINT_PTR)buf + sections[i].PointerToRawData + sections[i].SizeOfRawData) >= maxAddress)
+				return STATUS_UNSUCCESSFUL;
+
+			//BSOD on purpose if this isn't a match
+			if (RtlCompareMemory((void*)(0x00400000 + sections[i].VirtualAddress), (void*)((UINT_PTR)buf + sections[i].PointerToRawData), sections[i].SizeOfRawData) == sections[i].SizeOfRawData)
+			{
+				//seems ok. Confirm the caller is from this .text section
+
+				UINT_PTR startaddress;
+				DWORD length;
+				if (ZwQueryInformationThread(ZwCurrentThread(), (THREADINFOCLASS)ThreadQuerySetWin32StartAddress, &startaddress, sizeof(startaddress), &length) == STATUS_SUCCESS)
+				{
+					if ((startaddress >= (0x00400000 + sections[i].VirtualAddress)) && (startaddress < (0x00400000 + sections[i].VirtualAddress + sections[i].SizeOfRawData)))
+						return STATUS_SUCCESS;
+					else
+						return STATUS_UNSUCCESSFUL;
+				}
+				else
+					return STATUS_UNSUCCESSFUL;
+			}
+			else
+				return STATUS_UNSUCCESSFUL;
+		}
+	}
+
+	return STATUS_UNSUCCESSFUL;
+}
+
+NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath, BOOL isProcess)
 {
 	NTSTATUS s=STATUS_UNSUCCESSFUL;
 	PVOID file=NULL;
@@ -195,6 +250,10 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
 	UNICODE_STRING p;
 	PUNICODE_STRING path=&p;
 
+	DbgPrint("CheckSignatureOfFile: ");
+
+
+
 	p.Buffer=MyBuffer;
 	p.Length=0;
 	p.MaximumLength=MAX_PATH*2;
@@ -210,6 +269,7 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
 	s=LoadFile(path, &file, &filesize);
 	if (s==STATUS_SUCCESS)
 	{
+
 		s=RtlAppendUnicodeToString(path, L".sig");
 		if (s==STATUS_SUCCESS)
 		{
@@ -219,6 +279,9 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
 			{
 				s=CheckSignature(file,filesize,sig,sigsize);		
 				ExFreePool(sig);
+
+				if ((s == STATUS_SUCCESS) && isProcess) //one extra check to see if it's actually CE and not just something renamed afterwards
+					s=TestProcess((PIMAGE_DOS_HEADER)file, filesize);				
 			}
 			else
 				DbgPrint("Failure loading %S\n", path->Buffer);
@@ -234,7 +297,7 @@ NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath)
 	return s;
 }
 
-NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(IN HANDLE ProcessHandle,IN PROCESSINFOCLASS ProcessInformationClass,OUT PVOID ProcessInformation,	IN ULONG ProcessInformationLength,	OUT PULONG ReturnLength OPTIONAL);
+
 
 NTSTATUS SecurityCheck(void)
 /*
@@ -250,10 +313,12 @@ Checks the current process for a valid signature
 	if (KeGetCurrentIrql() != PASSIVE_LEVEL)
 		return STATUS_UNSUCCESSFUL;
 
+
+				
 	if (ZwQueryInformationProcess(ZwCurrentProcess(), ProcessImageFileName, buffer, MAX_PATH*2, &length)==STATUS_SUCCESS)
 	{
 		path->MaximumLength=MAX_PATH*2;
-		s=CheckSignatureOfFile(path);
+		s=CheckSignatureOfFile(path,1);
 		//DbgPrint("returning %x\n", s);
 		return s;
 	}

DBKKernel/sigcheck.h

@@ -2,7 +2,7 @@
 #define SIGCHECK_H
 
 NTSTATUS SecurityCheck(void);
-NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath);
+NTSTATUS CheckSignatureOfFile(PUNICODE_STRING originalpath, BOOL isProcess);
 NTSTATUS CheckSignature(PVOID buffer, DWORD buffersize, PVOID sig, DWORD sigsize);
 
 #endif

DBKKernel/vmxoffload.c

@@ -266,7 +266,7 @@ Runs at passive mode
 
 #ifdef TOBESIGNED
 		if (OpenedFile==STATUS_SUCCESS)
-			OpenedFile=CheckSignatureOfFile(&filename);
+			OpenedFile=CheckSignatureOfFile(&filename, FALSE);
 #endif
 
 		if (OpenedFile == STATUS_SUCCESS)