#include <ntifs.h>
#include <ndk/exfuncs.h>
#include <ndk/ketypes.h>
#include <pseh/pseh2.h>
#include <ntstrsafe.h>
#include <md4.h>
#include <md5.h>
#include <tomcrypt.h>

Include dependency graph for ksecdd.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes
struct	_KSEC_CONNECTION_INFO

struct	_KSEC_ENTROPY_DATA

Macros
#define	_NO_KSECDD_IMPORT_

#define	STATUS_KSEC_INTERNAL_ERROR ((NTSTATUS)0x80090304)

#define	RTL_ENCRYPT_OPTION_SAME_PROCESS 0

#define	RTL_ENCRYPT_OPTION_CROSS_PROCESS 1

#define	RTL_ENCRYPT_OPTION_SAME_LOGON 2

Typedefs
typedef aes_key	AES_KEY

typedef aes_key *	PAES_KEY

typedef des3_key	DES3_KEY

typedef des3_key *	PDES3_KEY

typedef struct _KSEC_CONNECTION_INFO	KSEC_CONNECTION_INFO

typedef ULONG	KSEC_MACHINE_SPECIFIC_COUNTERS

typedef ULONG *	PKSEC_MACHINE_SPECIFIC_COUNTERS

typedef struct _KSEC_ENTROPY_DATA	KSEC_ENTROPY_DATA

typedef struct _KSEC_ENTROPY_DATA *	PKSEC_ENTROPY_DATA

Functions
NTSTATUS NTAPI	KsecDdDispatch (PDEVICE_OBJECT DeviceObject, PIRP Irp)

NTSTATUS NTAPI	KsecGatherEntropyData (PKSEC_ENTROPY_DATA EntropyData)

NTSTATUS NTAPI	KsecGenRandom (PVOID Buffer, SIZE_T Length)

VOID NTAPI	KsecInitializeEncryptionSupport (VOID)

NTSTATUS NTAPI	KsecEncryptMemory (_Inout_ PVOID Buffer, _In_ ULONG Length, _In_ ULONG OptionFlags)

NTSTATUS NTAPI	KsecDecryptMemory (_Inout_ PVOID Buffer, _In_ ULONG Length, _In_ ULONG OptionFlags)

Variables
PEPROCESS	KsecLsaProcess

HANDLE	KsecLsaProcessHandle

Macro Definition Documentation

◆ _NO_KSECDD_IMPORT_

#define _NO_KSECDD_IMPORT_

Definition at line 9 of file ksecdd.h.

◆ RTL_ENCRYPT_OPTION_CROSS_PROCESS

#define RTL_ENCRYPT_OPTION_CROSS_PROCESS 1

Definition at line 26 of file ksecdd.h.

◆ RTL_ENCRYPT_OPTION_SAME_LOGON

#define RTL_ENCRYPT_OPTION_SAME_LOGON 2

Definition at line 27 of file ksecdd.h.

◆ RTL_ENCRYPT_OPTION_SAME_PROCESS

#define RTL_ENCRYPT_OPTION_SAME_PROCESS 0

Definition at line 25 of file ksecdd.h.

◆ STATUS_KSEC_INTERNAL_ERROR

#define STATUS_KSEC_INTERNAL_ERROR ((NTSTATUS)0x80090304)

Definition at line 22 of file ksecdd.h.

Typedef Documentation

◆ AES_KEY

typedef aes_key AES_KEY

Definition at line 19 of file ksecdd.h.

◆ DES3_KEY

typedef des3_key DES3_KEY

Definition at line 20 of file ksecdd.h.

◆ KSEC_CONNECTION_INFO

typedef struct _KSEC_CONNECTION_INFO KSEC_CONNECTION_INFO

◆ KSEC_ENTROPY_DATA

typedef struct _KSEC_ENTROPY_DATA KSEC_ENTROPY_DATA

◆ KSEC_MACHINE_SPECIFIC_COUNTERS

typedef ULONG KSEC_MACHINE_SPECIFIC_COUNTERS

Definition at line 53 of file ksecdd.h.

◆ PAES_KEY

typedef aes_key * PAES_KEY

Definition at line 19 of file ksecdd.h.

◆ PDES3_KEY

typedef des3_key * PDES3_KEY

Definition at line 20 of file ksecdd.h.

◆ PKSEC_ENTROPY_DATA

typedef struct _KSEC_ENTROPY_DATA * PKSEC_ENTROPY_DATA

◆ PKSEC_MACHINE_SPECIFIC_COUNTERS

typedef ULONG * PKSEC_MACHINE_SPECIFIC_COUNTERS

Definition at line 53 of file ksecdd.h.

Function Documentation

◆ KsecDdDispatch()

NTSTATUS NTAPI KsecDdDispatch	(	PDEVICE_OBJECT	DeviceObject,
		PIRP	Irp
	)

Definition at line 184 of file dispatch.c.

 {
     PIO_STACK_LOCATION IoStackLocation;
     ULONG_PTR Information;
     NTSTATUS Status;
     PVOID Buffer;
     SIZE_T InputLength, OutputLength;
     FILE_INFORMATION_CLASS FileInfoClass;
     FS_INFORMATION_CLASS FsInfoClass;
     ULONG IoControlCode;
 
     IoStackLocation = IoGetCurrentIrpStackLocation(Irp);
 
     switch (IoStackLocation->MajorFunction)
     {
         case IRP_MJ_CREATE:
         case IRP_MJ_CLOSE:
 
             /* Just return success */
             Status = STATUS_SUCCESS;
             Information = 0;
             break;
 
         case IRP_MJ_READ:
 
             /* There is nothing to read */
             Status = STATUS_END_OF_FILE;
             Information = 0;
             break;
 
         case IRP_MJ_WRITE:
 
             /* Pretend to have written everything */
             Status = STATUS_SUCCESS;
             Information = IoStackLocation->Parameters.Write.Length;
             break;
 
         case IRP_MJ_QUERY_INFORMATION:
 
             /* Extract the parameters */
             Buffer = Irp->AssociatedIrp.SystemBuffer;
             OutputLength = IoStackLocation->Parameters.QueryFile.Length;
             FileInfoClass = IoStackLocation->Parameters.QueryFile.FileInformationClass;
 
             /* Call the internal function */
             Status = KsecQueryFileInformation(Buffer,
                                               FileInfoClass,
                                               &OutputLength);
             Information = OutputLength;
             break;
 
         case IRP_MJ_QUERY_VOLUME_INFORMATION:
 
             /* Extract the parameters */
             Buffer = Irp->AssociatedIrp.SystemBuffer;
             OutputLength = IoStackLocation->Parameters.QueryVolume.Length;
             FsInfoClass = IoStackLocation->Parameters.QueryVolume.FsInformationClass;
 
             /* Call the internal function */
             Status = KsecQueryVolumeInformation(Buffer,
                                                 FsInfoClass,
                                                 &OutputLength);
             Information = OutputLength;
             break;
 
         case IRP_MJ_DEVICE_CONTROL:
 
             /* Extract the parameters */
             InputLength = IoStackLocation->Parameters.DeviceIoControl.InputBufferLength;
             OutputLength = IoStackLocation->Parameters.DeviceIoControl.OutputBufferLength;
             IoControlCode = IoStackLocation->Parameters.DeviceIoControl.IoControlCode;
 
             /* Check for METHOD_OUT_DIRECT method */
             if ((METHOD_FROM_CTL_CODE(IoControlCode) == METHOD_OUT_DIRECT) &&
                 (OutputLength != 0))
             {
                 /* Use the provided MDL */
                 OutputLength = Irp->MdlAddress->ByteCount;
                 Buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
                                                       NormalPagePriority);
                 if (Buffer == NULL)
                 {
                     Status = STATUS_INSUFFICIENT_RESOURCES;
                     Information = 0;
                     break;
                 }
             }
             else
             {
                 /* Otherwise this is METHOD_BUFFERED, use the SystemBuffer */
                 Buffer = Irp->AssociatedIrp.SystemBuffer;
             }
 
             /* Call the internal function */
             Status = KsecDeviceControl(IoControlCode,
                                        Buffer,
                                        InputLength,
                                        &OutputLength);
             Information = OutputLength;
             break;
 
         default:
             DPRINT1("Unhandled major function %lu!\n",
                     IoStackLocation->MajorFunction);
             ASSERT(FALSE);
             return STATUS_INVALID_DEVICE_REQUEST;
     }
 
     /* Return the information */
     Irp->IoStatus.Status = Status;
     Irp->IoStatus.Information = Information;
 
     /* Complete the request */
     IoCompleteRequest(Irp, IO_NO_INCREMENT);
 
     return Status;
 }

Referenced by DriverEntry().

◆ KsecDecryptMemory()

NTSTATUS NTAPI KsecDecryptMemory	(	_Inout_ PVOID	Buffer,
		_In_ ULONG	Length,
		_In_ ULONG	OptionFlags
	)

Definition at line 328 of file crypt.c.

 {
     /* Validate parameter */
     if (OptionFlags > RTL_ENCRYPT_OPTION_SAME_LOGON)
     {
         return STATUS_INVALID_PARAMETER;
     }
 
     /* Check if the length is not 16 bytes aligned */
     if (Length & 15)
     {
         /* Is it at least 8 bytes aligned? */
         if (Length & 7)
         {
             /* No, we can't deal with it! */
             return STATUS_INVALID_PARAMETER;
         }
 
         /* Use triple DES encryption */
         KsecDecryptMemoryDes3(Buffer, Length, OptionFlags);
     }
     else
     {
         /* Use AES encryption */
         KsecDecryptMemoryAes(Buffer, Length, OptionFlags);
     }
 
     return STATUS_SUCCESS;
 }

Referenced by KsecDeviceControl().

◆ KsecEncryptMemory()

NTSTATUS NTAPI KsecEncryptMemory	(	_Inout_ PVOID	Buffer,
		_In_ ULONG	Length,
		_In_ ULONG	OptionFlags
	)

Definition at line 293 of file crypt.c.

 {
     /* Validate parameter */
     if (OptionFlags > RTL_ENCRYPT_OPTION_SAME_LOGON)
     {
         return STATUS_INVALID_PARAMETER;
     }
 
     /* Check if the length is not 16 bytes aligned */
     if (Length & 15)
     {
         /* Is it at least 8 bytes aligned? */
         if (Length & 7)
         {
             /* No, we can't deal with it! */
             return STATUS_INVALID_PARAMETER;
         }
 
         /* Use triple DES encryption */
         KsecEncryptMemoryDes3(Buffer, Length, OptionFlags);
     }
     else
     {
         /* Use AES encryption */
         KsecEncryptMemoryAes(Buffer, Length, OptionFlags);
     }
 
     return STATUS_SUCCESS;
 }

Referenced by KsecDeviceControl().

◆ KsecGatherEntropyData()

NTSTATUS NTAPI KsecGatherEntropyData ( PKSEC_ENTROPY_DATA EntropyData )

See also: http://blogs.msdn.com/b/michael_howard/archive/2005/01/14/353379.aspx

Definition at line 92 of file random.c.

 {
     MD4_CTX Md4Context;
     PTEB Teb;
     PPEB Peb;
     PWSTR String;
     ULONG ReturnLength;
     NTSTATUS Status;
 
     /* Query some generic values */
     EntropyData->CurrentProcessId = PsGetCurrentProcessId();
     EntropyData->CurrentThreadId = PsGetCurrentThreadId();
     KeQueryTickCount(&EntropyData->TickCount);
     KeQuerySystemTime(&EntropyData->SystemTime);
     EntropyData->PerformanceCounter = KeQueryPerformanceCounter(
                                             &EntropyData->PerformanceFrequency);
 
     /* Check if we have a TEB/PEB for the process environment */
     Teb = PsGetCurrentThread()->Tcb.Teb;
     if (Teb != NULL)
     {
         Peb = Teb->ProcessEnvironmentBlock;
 
         /* Initialize the MD4 context */
         MD4Init(&Md4Context);
         _SEH2_TRY
         {
             /* Get the end of the environment */
             String = Peb->ProcessParameters->Environment;
             while (*String)
             {
                 String += wcslen(String) + 1;
             }
 
             /* Update the MD4 context from the environment data */
             MD4Update(&Md4Context,
                       (PUCHAR)Peb->ProcessParameters->Environment,
                       (ULONG)((PUCHAR)String - (PUCHAR)Peb->ProcessParameters->Environment));
         }
         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
         {
             /* Simply ignore the exception */
         }
         _SEH2_END;
 
         /* Finalize and copy the MD4 hash */
         MD4Final(&Md4Context);
         RtlCopyMemory(&EntropyData->EnvironmentHash, Md4Context.digest, 16);
     }
 
     /* Read some machine specific hardware counters */
     KsecReadMachineSpecificCounters(&EntropyData->MachineSpecificCounters);
 
     /* Query processor performance information */
     Status = ZwQuerySystemInformation(SystemProcessorPerformanceInformation,
                                       &EntropyData->SystemProcessorPerformanceInformation,
                                       sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION),
                                       &ReturnLength);
     if (!NT_SUCCESS(Status))
     {
         return Status;
     }
 
     /* Query system performance information */
     Status = ZwQuerySystemInformation(SystemPerformanceInformation,
                                       &EntropyData->SystemPerformanceInformation,
                                       sizeof(SYSTEM_PERFORMANCE_INFORMATION),
                                       &ReturnLength);
     if (!NT_SUCCESS(Status))
     {
         return Status;
     }
 
     /* Query exception information */
     Status = ZwQuerySystemInformation(SystemExceptionInformation,
                                       &EntropyData->SystemExceptionInformation,
                                       sizeof(SYSTEM_EXCEPTION_INFORMATION),
                                       &ReturnLength);
     if (!NT_SUCCESS(Status))
     {
         return Status;
     }
 
     /* Query lookaside information */
     Status = ZwQuerySystemInformation(SystemLookasideInformation,
                                       &EntropyData->SystemLookasideInformation,
                                       sizeof(SYSTEM_LOOKASIDE_INFORMATION),
                                       &ReturnLength);
     if (!NT_SUCCESS(Status))
     {
         return Status;
     }
 
     /* Query interrupt information */
     Status = ZwQuerySystemInformation(SystemInterruptInformation,
                                       &EntropyData->SystemInterruptInformation,
                                       sizeof(SYSTEM_INTERRUPT_INFORMATION),
                                       &ReturnLength);
     if (!NT_SUCCESS(Status))
     {
         return Status;
     }
 
     /* Query process information */
     Status = ZwQuerySystemInformation(SystemProcessInformation,
                                       &EntropyData->SystemProcessInformation,
                                       sizeof(SYSTEM_PROCESS_INFORMATION),
                                       &ReturnLength);
     if (!NT_SUCCESS(Status))
     {
         return Status;
     }
 
     return STATUS_SUCCESS;
 }

Referenced by KsecInitializeEncryptionSupport().

◆ KsecGenRandom()

NTSTATUS NTAPI KsecGenRandom	(	PVOID	Buffer,
		SIZE_T	Length
	)

Definition at line 26 of file random.c.

 {
     LARGE_INTEGER TickCount;
     ULONG i, RandomValue;
     PULONG P;
 
     /* Try to generate a more random seed */
     KeQueryTickCount(&TickCount);
     KsecRandomSeed ^= _rotl(TickCount.LowPart, (KsecRandomSeed % 23));
 
     P = Buffer;
     for (i = 0; i < Length / sizeof(ULONG); i++)
     {
         P[i] = RtlRandomEx(&KsecRandomSeed);
     }
 
     Length &= (sizeof(ULONG) - 1);
     if (Length > 0)
     {
         RandomValue = RtlRandomEx(&KsecRandomSeed);
         RtlCopyMemory(&P[i], &RandomValue, Length);
     }
 
     return STATUS_SUCCESS;
 }

Referenced by KsecDeviceControl().

◆ KsecInitializeEncryptionSupport()

VOID NTAPI KsecInitializeEncryptionSupport ( VOID )

Definition at line 44 of file crypt.c.

 {
     KSEC_ENTROPY_DATA EntropyData;
     MD5_CTX Md5Context;
     UCHAR KeyDataBuffer[32];
 
     KsecGatherEntropyData(&EntropyData);
     MD5Init(&Md5Context);
     MD5Update(&Md5Context, (PVOID)&EntropyData, sizeof(EntropyData));
     KsecLoadTimeStartMd5s[0] = Md5Context;
     MD5Final(&Md5Context);
     RtlCopyMemory(KeyDataBuffer, &Md5Context.digest, 16);
 
     KsecGatherEntropyData(&EntropyData);
     Md5Context = KsecLoadTimeStartMd5s[0];
     MD5Update(&Md5Context, (PVOID)&EntropyData, sizeof(EntropyData));
     KsecLoadTimeStartMd5s[1] = Md5Context;
     MD5Final(&Md5Context);
     RtlCopyMemory(&KeyDataBuffer[16], &Md5Context.digest, 16);
 
     /* Create the global keys */
     aes_setup(KeyDataBuffer, 32, 0, &KsecGlobalAesKey);
     des3_setup(KeyDataBuffer, 24, 0, &KsecGlobalDes3Key);
 
     /* Erase the temp data */
     RtlSecureZeroMemory(KeyDataBuffer, sizeof(KeyDataBuffer));
     RtlSecureZeroMemory(&Md5Context, sizeof(Md5Context));
 }

Referenced by DriverEntry().

Variable Documentation

◆ KsecLsaProcess

PEPROCESS KsecLsaProcess

◆ KsecLsaProcessHandle

HANDLE KsecLsaProcessHandle

Classes

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ _NO_KSECDD_IMPORT_

◆ RTL_ENCRYPT_OPTION_CROSS_PROCESS

◆ RTL_ENCRYPT_OPTION_SAME_LOGON

◆ RTL_ENCRYPT_OPTION_SAME_PROCESS

◆ STATUS_KSEC_INTERNAL_ERROR

Typedef Documentation

◆ AES_KEY

◆ DES3_KEY

◆ KSEC_CONNECTION_INFO

◆ KSEC_ENTROPY_DATA

◆ KSEC_MACHINE_SPECIFIC_COUNTERS

◆ PAES_KEY

◆ PDES3_KEY

◆ PKSEC_ENTROPY_DATA

◆ PKSEC_MACHINE_SPECIFIC_COUNTERS

Function Documentation

◆ KsecDdDispatch()

◆ KsecDecryptMemory()

◆ KsecEncryptMemory()

◆ KsecGatherEntropyData()

◆ KsecGenRandom()

◆ KsecInitializeEncryptionSupport()

Variable Documentation

◆ KsecLsaProcess

◆ KsecLsaProcessHandle