From 86a843c99d726fcf8ad6e668d6f6f1f92c8d96c4 Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 26 Nov 2022 16:34:20 +0900
Subject: [PATCH 1/5] add missing mitigation policy definitions and tests

---
 src/um/winnt.rs | 81 ++++++++++++++++++++++++++++++++++++++---
 tests/structs_x86_64.rs | 10 +++++
 2 files changed, 85 insertions(+), 6 deletions(-)

diff --git a/src/um/winnt.rs b/src/um/winnt.rs
index f687489bd..0b7ec7dd1 100644
--- a/src/um/winnt.rs
+++ b/src/um/winnt.rs
@@ -3104,7 +3104,15 @@ ENUM!{enum PROCESS_MITIGATION_POLICY {
     ProcessSignaturePolicy,
     ProcessFontDisablePolicy,
     ProcessImageLoadPolicy,
-    MaxProcessMitigationPolicy,
+    ProcessSystemCallFilterPolicy,
+    ProcessPayloadRestrictionPolicy,
+    ProcessChildProcessPolicy,
+    ProcessSideChannelIsolationPolicy,
+    ProcessUserShadowStackPolicy,
+    ProcessRedirectionTrustPolicy,
+    ProcessUserPointerAuthPolicy,
+    ProcessSEHOPPolicy,
+    MaxProcessMitigationPolicy
 }}
 pub type PPROCESS_MITIGATION_POLICY = *mut PROCESS_MITIGATION_POLICY;
 STRUCT!{struct PROCESS_MITIGATION_ASLR_POLICY {
@@ -3138,12 +3146,20 @@ BITFIELD!{PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY Flags: DWORD [
 ]}
 pub type PPROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY =
     *mut PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
+STRUCT!{struct PROCESS_MITIGATION_SEHOP_POLICY {
+    Flags: DWORD,
+}}
+BITFIELD!{PROCESS_MITIGATION_SEHOP_POLICY Flags: DWORD[
+    EnableSehop set_EnableSehop[0..1],
+    ReservedFlags set_ReservedFlags[1..32],
+]}
 STRUCT!{struct PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY {
     Flags: DWORD,
 }}
 BITFIELD!{PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY Flags: DWORD [
     DisallowWin32kSystemCalls set_DisallowWin32kSystemCalls[0..1],
-    ReservedFlags set_ReservedFlags[1..32],
+    AuditDisallowWin32kSystemCalls set_AuditDisallowWin32kSystemCalls[1..2],
+    ReservedFlags set_ReservedFlags[2..32],
 ]}
 pub type PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY =
     *mut PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;
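Review bot: Narrowing `ReservedFlags set_ReservedFlags[1..32]` to `[2..32]` in the SYSTEM_CALL_DISABLE bitfield (and the same pattern in the DYNAMIC_CODE, CONTROL_FLOW_GUARD, BINARY_SIGNATURE and IMAGE_LOAD hunks that follow) changes what the public `ReservedFlags`/`set_ReservedFlags` accessors read and write, so a caller that clears the reserved bits before passing the struct to SetProcessMitigationPolicy will now leave the newly named audit bits untouched. The new ranges appear to follow the SDK header, but this is a behaviour change for existing users of those accessors and deserves a sentence in the commit message or changelog. Separately, the new `BITFIELD!{PROCESS_MITIGATION_SEHOP_POLICY Flags: DWORD[` omits the space before `[` that every other `BITFIELD!` in this file uses (`Flags: DWORD [`), and the USER_POINTER_AUTH and REDIRECTION_TRUST bitfields plus the `_POLICY{` struct headers later in this patch have the same inconsistency; the follow-up "fix format" patches do not touch these, so they should be brought in line with `DWORD [` and `_POLICY {`.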
@@ -3163,7 +3179,8 @@ BITFIELD!{PROCESS_MITIGATION_DYNAMIC_CODE_POLICY Flags: DWORD [
     ProhibitDynamicCode set_ProhibitDynamicCode[0..1],
     AllowThreadOptOut set_AllowThreadOptOut[1..2],
     AllowRemoteDowngrade set_AllowRemoteDowngrade[2..3],
-    ReservedFlags set_ReservedFlags[3..32],
+    AuditProhibitDynamicCode set_AuditProhibitDynamicCode[3..4],
+    ReservedFlags set_ReservedFlags[4..32],
 ]}
 pub type PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY = *mut PROCESS_MITIGATION_DYNAMIC_CODE_POLICY;
 STRUCT!{struct PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY {
@@ -3173,7 +3190,9 @@ BITFIELD!{PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY Flags: DWORD [
     EnableControlFlowGuard set_EnableControlFlowGuard[0..1],
     EnableExportSuppression set_EnableExportSuppression[1..2],
     StrictMode set_StrictMode[2..3],
-    ReservedFlags set_ReservedFlags[3..32],
+    EnableXfg set_EnableXfg[3..4],
+    EnableXfgAuditMode set_EnableXfgAuditMode[4..5],
+    ReservedFlags set_ReservedFlags[5..32],
 ]}
 pub type PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY =
     *mut PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY;
@@ -3184,7 +3203,9 @@ BITFIELD!{PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY Flags: DWORD [
     MicrosoftSignedOnly set_MicrosoftSignedOnly[0..1],
     StoreSignedOnly set_StoreSignedOnly[1..2],
     MitigationOptIn set_MitigationOptIn[2..3],
-    ReservedFlags set_ReservedFlags[3..32],
+    AuditMicrosoftSignedOnly set_AuditMicrosoftSignedOnly[3..4],
+    AuditStoreSignedOnly set_AuditStoreSignedOnly[4..5],
+    ReservedFlags set_ReservedFlags[5..32],
 ]}
 pub type PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY =
     *mut PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY;
@@ -3204,7 +3225,9 @@ BITFIELD!{PROCESS_MITIGATION_IMAGE_LOAD_POLICY Flags: DWORD [
     NoRemoteImages set_NoRemoteImages[0..1],
     NoLowMandatoryLabelImages set_NoLowMandatoryLabelImages[1..2],
     PreferSystem32Images set_PreferSystem32Images[2..3],
-    ReservedFlags set_ReservedFlags[3..32],
+    AuditNoRemoteImages set_AuditNoRemoteImages[3..4],
+    AuditNoLowMandatoryLabelImages set_AuditNoLowMandatoryLabelImages[4..5],
+    ReservedFlags set_ReservedFlags[5..32],
 ]}
 pub type PPROCESS_MITIGATION_IMAGE_LOAD_POLICY = *mut PROCESS_MITIGATION_IMAGE_LOAD_POLICY;
 STRUCT!{struct PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY {
@@ -3246,6 +3269,52 @@ BITFIELD!{PROCESS_MITIGATION_CHILD_PROCESS_POLICY Flags: DWORD [
     AllowSecureProcessCreation set_AllowSecureProcessCreation[2..3],
     ReservedFlags set_ReservedFlags[3..32],
 ]}
+STRUCT!{struct PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY {
+    Flags: DWORD,
+}}
+pub type PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY = *mut PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY;
+BITFIELD!{PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY Flags: DWORD [
+    EnableUserShadowStack set_EnableUserShadowStack[0..1],
+    AuditUserShadowStack set_AuditUserShadowStack[1..2],
+    SetContextIpValidation set_SetContextIpValidation[2..3],
+    AuditSetContextIpValidation set_AuditSetContextIpValidation[3..4],
+    EnableUserShadowStackStrictMode set_EnableUserShadowStackStrictMode[4..5],
+    BlockNonCetBinaries set_BlockNonCetBinaries[5..6],
+    BlockNonCetBinariesNonEhcont set_BlockNonCetBinariesNonEhcont[6..7],
+    AuditBlockNonCetBinaries set_AuditBlockNonCetBinaries[7..8],
+    CetDynamicApisOutOfProcOnly set_CetDynamicApisOutOfProcOnly[8..9],
+    SetContextIpValidationRelaxedMode set_SetContextIpValidationRelaxedMode[9..10],
+    ReservedFlags set_ReservedFlags[10..32],
+]}
+STRUCT!{struct PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY{
+    Flags: DWORD,
+}}
+pub type PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY = *mut PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY;
+BITFIELD!{PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY Flags: DWORD [
+    SmtBranchTargetIsolation set_SmtBranchTargetIsolation[0..1],
+    IsolateSecurityDomain set_IsolateSecurityDomain[1..2],
+    DisablePageCombine set_DisablePageCombine[2..3],
+    SpeculativeStoreBypassDisable set_SpeculativeStoreBypassDisable[3..4],
+    RestrictCoreSharing set_RestrictCoreSharing[4..5],
+    ReservedFlags set_ReservedFlags[5..32],
+]}
+STRUCT!{struct PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY{
+    Flags: DWORD,
+}}
+pub type PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY = *mut PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY;
+BITFIELD!{PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY Flags: DWORD[
+    EnablePointerAuthUserIp set_EnablePointerAuthUserIp[0..1],
+    ReservedFlags set_ReservedFlags[1..32],
+]}
+STRUCT!{struct PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY{
+    Flags: DWORD,
+}}
+pub type PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY = *mut PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY;
+BITFIELD!{PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY Flags: DWORD[
+    EnforceRedirectionTrust set_EnforceRedirectionTrust[0..1],
+    AuditRedirectionTrust set_AuditRedirectionTrust[1..2],
+    ReservedFlags set_ReservedFlags[2..32],
+]}
 STRUCT!{struct JOBOBJECT_BASIC_ACCOUNTING_INFORMATION {
     TotalUserTime: LARGE_INTEGER,
     TotalKernelTime: LARGE_INTEGER,
diff --git a/tests/structs_x86_64.rs b/tests/structs_x86_64.rs
index f267b2855..ccf29f010 100644
--- a/tests/structs_x86_64.rs
+++ b/tests/structs_x86_64.rs
@@ -8458,6 +8458,8 @@ fn um_winnt() {
     assert_eq!(align_of::(), 4);
     assert_eq!(size_of::(), 4);
     assert_eq!(align_of::(), 4);
+    assert_eq!(size_of::(), 4);
+    assert_eq!(align_of::(), 4);
     assert_eq!(size_of::(), 4);
     assert_eq!(align_of::(), 4);
     assert_eq!(size_of::(), 4);
@@ -8478,6 +8480,14 @@ fn um_winnt() {
     assert_eq!(align_of::(), 4);
     assert_eq!(size_of::(), 4);
     assert_eq!(align_of::(), 4);
+    assert_eq!(size_of::(), 4);
+    assert_eq!(align_of::(), 4);
+    assert_eq!(size_of::(), 4);
+    assert_eq!(align_of::(), 4);
+    assert_eq!(size_of::(), 4);
+    assert_eq!(align_of::(), 4);
+    assert_eq!(size_of::(), 4);
+    assert_eq!(align_of::(), 4);
     assert_eq!(size_of::(), 48);
     assert_eq!(align_of::(), 8);
     assert_eq!(size_of::(), 64);

From a88b45b0cafde700840c095767a7858ec5c09fe3 Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 26 Nov 2022 16:45:36 +0900
Subject: [PATCH 2/5] fix format

---
 src/um/winnt.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/um/winnt.rs b/src/um/winnt.rs
index 0b7ec7dd1..48fdeb4e2 100644
--- a/src/um/winnt.rs
+++ b/src/um/winnt.rs
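Review bot: The `pub type P…_POLICY = *mut …` aliases for the four new structs (USER_SHADOW_STACK, SIDE_CHANNEL_ISOLATION, USER_POINTER_AUTH, REDIRECTION_TRUST) are placed between `STRUCT!` and `BITFIELD!`, whereas every existing definition visible in this series (STRICT_HANDLE_CHECK, SYSTEM_CALL_DISABLE, DYNAMIC_CODE, CONTROL_FLOW_GUARD, BINARY_SIGNATURE, IMAGE_LOAD) puts the alias after the `BITFIELD!` block, and patch 5/5 adds the SEHOP alias in that position too. Moving the four `pub type` lines below their `BITFIELD!` blocks would keep the file's struct/bitfield/alias ordering uniform and make it easier to compare a block against its SDK counterpart. The ordering is cosmetic; the bit ranges themselves are contiguous and each ends at 32, which is what the `size_of`/`align_of` tests added to tests/structs_x86_64.rs rely on.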
@@ -3111,7 +3111,7 @@ ENUM!{enum PROCESS_MITIGATION_POLICY {
     ProcessUserShadowStackPolicy,
     ProcessRedirectionTrustPolicy,
     ProcessUserPointerAuthPolicy,
-    ProcessSEHOPPolicy,
+    ProcessSEHOPPolicy,
     MaxProcessMitigationPolicy
 }}
 pub type PPROCESS_MITIGATION_POLICY = *mut PROCESS_MITIGATION_POLICY;

From 1ca5c117f27bf77adb757870fc796b2456cdfc24 Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 26 Nov 2022 16:49:07 +0900
Subject: [PATCH 3/5] fix format

---
 src/um/winnt.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/um/winnt.rs b/src/um/winnt.rs
index 48fdeb4e2..28c4f0398 100644
--- a/src/um/winnt.rs
+++ b/src/um/winnt.rs
@@ -3272,7 +3272,8 @@ BITFIELD!{PROCESS_MITIGATION_CHILD_PROCESS_POLICY Flags: DWORD [
 STRUCT!{struct PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY {
     Flags: DWORD,
 }}
-pub type PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY = *mut PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY;
+pub type PPROCESS_MITIGATION_USER_SHADOW_STACK_POLICY =
+    *mut PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY;
 BITFIELD!{PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY Flags: DWORD [
     EnableUserShadowStack set_EnableUserShadowStack[0..1],
     AuditUserShadowStack set_AuditUserShadowStack[1..2],
@@ -3289,7 +3290,8 @@ BITFIELD!{PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY Flags: DWORD [
 STRUCT!{struct PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY{
     Flags: DWORD,
 }}
-pub type PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY = *mut PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY;
+pub type PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY =
+    *mut PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY;
 BITFIELD!{PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY Flags: DWORD [
     SmtBranchTargetIsolation set_SmtBranchTargetIsolation[0..1],
     IsolateSecurityDomain set_IsolateSecurityDomain[1..2],
@@ -3301,7 +3303,8 @@ BITFIELD!{PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY Flags: DWORD [
 STRUCT!{struct PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY{
     Flags: DWORD,
 }}
-pub type PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY = *mut PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY;
+pub type PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY =
+    *mut PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY;
 BITFIELD!{PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY Flags: DWORD[
     EnablePointerAuthUserIp set_EnablePointerAuthUserIp[0..1],
     ReservedFlags set_ReservedFlags[1..32],
@@ -3309,7 +3312,8 @@ BITFIELD!{PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY Flags: DWORD[
 STRUCT!{struct PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY{
     Flags: DWORD,
 }}
-pub type PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY = *mut PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY;
+pub type PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY =
+    *mut PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY;
 BITFIELD!{PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY Flags: DWORD[
     EnforceRedirectionTrust set_EnforceRedirectionTrust[0..1],
     AuditRedirectionTrust set_AuditRedirectionTrust[1..2],

From 0b31a5d18fa8cb4702b07d2ad9210aeb64fe3017 Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 26 Nov 2022 16:59:03 +0900
Subject: [PATCH 4/5] fix missing tokens in last enum member

---
 src/um/winnt.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/um/winnt.rs b/src/um/winnt.rs
index 28c4f0398..c246bbd3d 100644
--- a/src/um/winnt.rs
+++ b/src/um/winnt.rs
@@ -3112,7 +3112,7 @@ ENUM!{enum PROCESS_MITIGATION_POLICY {
     ProcessRedirectionTrustPolicy,
     ProcessUserPointerAuthPolicy,
     ProcessSEHOPPolicy,
-    MaxProcessMitigationPolicy
+    MaxProcessMitigationPolicy,
 }}
 pub type PPROCESS_MITIGATION_POLICY = *mut PROCESS_MITIGATION_POLICY;
 STRUCT!{struct PROCESS_MITIGATION_ASLR_POLICY {

From 7f789288e24b249d910fbd0eb82172b6c3216f71 Mon Sep 17 00:00:00 2001
From: Kento Oki
Date: Sat, 26 Nov 2022 19:44:09 +0900
Subject: [PATCH 5/5] add PROCESS_MITIGATION_SEHOP_POLICY type

---
 src/um/winnt.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/um/winnt.rs b/src/um/winnt.rs
index c246bbd3d..c4c1e3062 100644
--- a/src/um/winnt.rs
+++ b/src/um/winnt.rs
@@ -3153,6 +3153,7 @@ BITFIELD!{PROCESS_MITIGATION_SEHOP_POLICY Flags: DWORD[
     EnableSehop set_EnableSehop[0..1],
     ReservedFlags set_ReservedFlags[1..32],
 ]}
+pub type PPROCESS_MITIGATION_SEHOP_POLICY = *mut PROCESS_MITIGATION_SEHOP_POLICY;
 STRUCT!{struct PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY {
     Flags: DWORD,
 }}