author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-06-25 14:30:35 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-06-25 16:18:03 +0200 |
commit | d33732ab4b76b0fe4a183d5844925d45a678c87f (patch) | |
tree | 1534694845a2f8e21689dbde0a9c0f485e3fff38 /driver/wintun.c | |
parent | driver: build security descriptor from sddl (diff) | |
driver: hard code security descriptor bytes
This is compatible with old Windows. Generated by:
#include <stdio.h>
#include <windows.h>
#include <sddl.h>
int main(int argc, char *argv[])
{
PSECURITY_DESCRIPTOR sd;
ULONG sd_len;
if (!ConvertStringSecurityDescriptorToSecurityDescriptorA("O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)", SDDL_REVISION_1, &sd, &sd_len))
return 1;
for (ULONG i = 0; i < sd_len; ++i)
printf("0x%02x%s%s", ((unsigned char *)sd)[i], i == sd_len - 1 ? "" : ",", i == sd_len -1 || i % 8 == 7 ? "\n": " ");
return 0;
}
This can be easily checked from kernel space with this ugly snippet:
UNICODE_STRING Func;
RtlInitUnicodeString(&Func, L"SeConvertSecurityDescriptorToStringSecurityDescriptor");
WCHAR *Str = NULL;
((NTSTATUS(NTAPI *)(PSECURITY_DESCRIPTOR, DWORD, DWORD, WCHAR **, DWORD *))MmGetSystemRoutineAddress(&Func))(
TunDispatchSecurityDescriptor, 1, 0x14, &Str, NULL);
DbgPrint("Did it work? %ls\n", Str);
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- | driver/wintun.c | 27 |
1 files changed, 9 insertions, 18 deletions
diff --git a/driver/wintun.c b/driver/wintun.c
index d3f2bd9..68037cd 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -184,7 +184,15 @@ static NDIS_HANDLE NdisMiniportDriverHandle;
 static DRIVER_DISPATCH *NdisDispatchDeviceControl, *NdisDispatchClose;
 static ERESOURCE TunDispatchCtxGuard, TunDispatchDeviceListLock;
 static RTL_STATIC_LIST_HEAD(TunDispatchDeviceList);
-static SECURITY_DESCRIPTOR *TunDispatchSecurityDescriptor;
+/* Binary representation of O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI) */
+static SECURITY_DESCRIPTOR *TunDispatchSecurityDescriptor = (SECURITY_DESCRIPTOR *)(__declspec(align(8)) UCHAR[]){
+ 0x01, 0x00, 0x14, 0x90, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00,
+ 0x00, 0x02, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x14, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x01,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x30, 0x00, 0x00, 0x02, 0x00, 0x34, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x14, 0x00, 0xff, 0x01, 0x1f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x18, 0x00, 0xff, 0x01, 0x1f, 0x00, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00,
+ 0x00, 0x20, 0x02, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00
+};
 _IRQL_requires_max_(DISPATCH_LEVEL)
 static VOID
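Review bot: The byte array assigned to `TunDispatchSecurityDescriptor` is tied to its intended policy only by the one-line SDDL comment, so a later edit to either the bytes or the comment can drift unnoticed, and this descriptor presumably decides who may open the device. I would extend the comment to record that the blob is in self-relative form (control word 0x9014), is 112 bytes long, and was generated with `ConvertStringSecurityDescriptorToSecurityDescriptorA`, so a reviewer can regenerate and compare it without digging up the commit message. A cheap structural guard at load, for example `NT_ASSERT(RtlValidSecurityDescriptor(TunDispatchSecurityDescriptor));` in `DriverEntry`, would catch a truncated or mis-edited array in checked builds, although it cannot confirm that the ACEs match the SDDL. The backing compound literal is also not `const`, so it presumably lives in writable data; if its consumers allow it, declaring the bytes `const` would keep the access policy out of writable memory.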
@@ -836,19 +844,6 @@ cleanup:
 return DidClose;
 }
-_Must_inspect_result_
-static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID);
-#ifdef ALLOC_PRAGMA
-# pragma alloc_text(INIT, TunInitializeDispatchSecurityDescriptor)
-#endif
-_Use_decl_annotations_
-static NTSTATUS TunInitializeDispatchSecurityDescriptor(VOID)
-{
- UNICODE_STRING Sddl;
- RtlInitUnicodeString(&Sddl, L"O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)");
- return SeSddlSecurityDescriptorFromSDDL(&Sddl, FALSE, &TunDispatchSecurityDescriptor);
-}
-
 _IRQL_requires_max_(PASSIVE_LEVEL)
 static VOID
 TunProcessNotification(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
@@ -1416,7 +1411,6 @@ TunUnload(PDRIVER_OBJECT DriverObject)
 NdisMDeregisterMiniportDriver(NdisMiniportDriverHandle);
 ExDeleteResourceLite(&TunDispatchCtxGuard);
 ExDeleteResourceLite(&TunDispatchDeviceListLock);
- ExFreePool(TunDispatchSecurityDescriptor);
 }
 DRIVER_INITIALIZE DriverEntry;
@@ -1435,8 +1429,6 @@ DriverEntry(DRIVER_OBJECT *DriverObject, UNICODE_STRING *RegistryPath)
 if (NdisVersion > NDIS_MINIPORT_VERSION_MAX)
 NdisVersion = NDIS_MINIPORT_VERSION_MAX;
- if (!NT_SUCCESS(Status = TunInitializeDispatchSecurityDescriptor()))
- return Status;
 ExInitializeResourceLite(&TunDispatchCtxGuard);
 ExInitializeResourceLite(&TunDispatchDeviceListLock);
@@ -1492,6 +1484,5 @@ cleanupNotifier:
 cleanupResources:
 ExDeleteResourceLite(&TunDispatchCtxGuard);
 ExDeleteResourceLite(&TunDispatchDeviceListLock);
- ExFreePool(TunDispatchSecurityDescriptor);
 return Status;
 }
|