#include <ntifs.h>
#include <ndk/exfuncs.h>
#include <ndk/ketypes.h>
#include <pseh/pseh2.h>
#include <ntstrsafe.h>
#include <md4.h>
#include <md5.h>
#include <tomcrypt.h>

Include dependency graph for ksecdd.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes
struct	_KSEC_CONNECTION_INFO

struct	_KSEC_ENTROPY_DATA

Macros
#define	_NO_KSECDD_IMPORT_

#define	STATUS_KSEC_INTERNAL_ERROR ((NTSTATUS)0x80090304)

#define	RTL_ENCRYPT_OPTION_SAME_PROCESS 0

#define	RTL_ENCRYPT_OPTION_CROSS_PROCESS 1

#define	RTL_ENCRYPT_OPTION_SAME_LOGON 2

Typedefs
typedef aes_key	AES_KEY

typedef aes_key *	PAES_KEY

typedef des3_key	DES3_KEY

typedef des3_key *	PDES3_KEY

typedef struct _KSEC_CONNECTION_INFO	KSEC_CONNECTION_INFO

typedef ULONG	KSEC_MACHINE_SPECIFIC_COUNTERS

typedef ULONG *	PKSEC_MACHINE_SPECIFIC_COUNTERS

typedef struct _KSEC_ENTROPY_DATA	KSEC_ENTROPY_DATA

typedef struct _KSEC_ENTROPY_DATA *	PKSEC_ENTROPY_DATA

Functions
NTSTATUS NTAPI	KsecDdDispatch (PDEVICE_OBJECT DeviceObject, PIRP Irp)

NTSTATUS NTAPI	KsecGatherEntropyData (PKSEC_ENTROPY_DATA EntropyData)

NTSTATUS NTAPI	KsecGenRandom (PVOID Buffer, SIZE_T Length)

VOID NTAPI	KsecInitializeEncryptionSupport (VOID)

NTSTATUS NTAPI	KsecEncryptMemory (_Inout_ PVOID Buffer, _In_ ULONG Length, _In_ ULONG OptionFlags)

NTSTATUS NTAPI	KsecDecryptMemory (_Inout_ PVOID Buffer, _In_ ULONG Length, _In_ ULONG OptionFlags)

Variables
PEPROCESS	KsecLsaProcess

HANDLE	KsecLsaProcessHandle

Macro Definition Documentation

◆ _NO_KSECDD_IMPORT_

#define _NO_KSECDD_IMPORT_

Definition at line 9 of file ksecdd.h.

◆ RTL_ENCRYPT_OPTION_CROSS_PROCESS

#define RTL_ENCRYPT_OPTION_CROSS_PROCESS 1

Definition at line 26 of file ksecdd.h.

◆ RTL_ENCRYPT_OPTION_SAME_LOGON

#define RTL_ENCRYPT_OPTION_SAME_LOGON 2

Definition at line 27 of file ksecdd.h.

◆ RTL_ENCRYPT_OPTION_SAME_PROCESS

#define RTL_ENCRYPT_OPTION_SAME_PROCESS 0

Definition at line 25 of file ksecdd.h.

◆ STATUS_KSEC_INTERNAL_ERROR

#define STATUS_KSEC_INTERNAL_ERROR ((NTSTATUS)0x80090304)

Definition at line 22 of file ksecdd.h.

Typedef Documentation

◆ AES_KEY

typedef aes_key AES_KEY

Definition at line 19 of file ksecdd.h.

◆ DES3_KEY

typedef des3_key DES3_KEY

Definition at line 20 of file ksecdd.h.

◆ KSEC_CONNECTION_INFO

typedef struct _KSEC_CONNECTION_INFO KSEC_CONNECTION_INFO

◆ KSEC_ENTROPY_DATA

typedef struct _KSEC_ENTROPY_DATA KSEC_ENTROPY_DATA

◆ KSEC_MACHINE_SPECIFIC_COUNTERS

typedef ULONG KSEC_MACHINE_SPECIFIC_COUNTERS

Definition at line 53 of file ksecdd.h.

◆ PAES_KEY

typedef aes_key * PAES_KEY

Definition at line 19 of file ksecdd.h.

◆ PDES3_KEY

typedef des3_key * PDES3_KEY

Definition at line 20 of file ksecdd.h.

◆ PKSEC_ENTROPY_DATA

typedef struct _KSEC_ENTROPY_DATA * PKSEC_ENTROPY_DATA

◆ PKSEC_MACHINE_SPECIFIC_COUNTERS

typedef ULONG * PKSEC_MACHINE_SPECIFIC_COUNTERS

Definition at line 53 of file ksecdd.h.

Function Documentation

◆ KsecDdDispatch()

NTSTATUS NTAPI KsecDdDispatch	(	PDEVICE_OBJECT	DeviceObject,
		PIRP	Irp
	)

Definition at line 184 of file dispatch.c.

{
    PIO_STACK_LOCATION IoStackLocation;
    ULONG_PTR Information;
    NTSTATUS Status;
    PVOID Buffer;
    SIZE_T InputLength, OutputLength;
    FILE_INFORMATION_CLASS FileInfoClass;
    FS_INFORMATION_CLASS FsInfoClass;
    ULONG IoControlCode;
 
    IoStackLocation = IoGetCurrentIrpStackLocation(Irp);
 
    switch (IoStackLocation->MajorFunction)
    {
        case IRP_MJ_CREATE:
        case IRP_MJ_CLOSE:
 
            /* Just return success */
            Status = STATUS_SUCCESS;
            Information = 0;
            break;
 
        case IRP_MJ_READ:
 
            /* There is nothing to read */
            Status = STATUS_END_OF_FILE;
            Information = 0;
            break;
 
        case IRP_MJ_WRITE:
 
            /* Pretend to have written everything */
            Status = STATUS_SUCCESS;
            Information = IoStackLocation->Parameters.Write.Length;
            break;
 
        case IRP_MJ_QUERY_INFORMATION:
 
            /* Extract the parameters */
            Buffer = Irp->AssociatedIrp.SystemBuffer;
            OutputLength = IoStackLocation->Parameters.QueryFile.Length;
            FileInfoClass = IoStackLocation->Parameters.QueryFile.FileInformationClass;
 
            /* Call the internal function */
            Status = KsecQueryFileInformation(Buffer,
                                              FileInfoClass,
                                              &OutputLength);
            Information = OutputLength;
            break;
 
        case IRP_MJ_QUERY_VOLUME_INFORMATION:
 
            /* Extract the parameters */
            Buffer = Irp->AssociatedIrp.SystemBuffer;
            OutputLength = IoStackLocation->Parameters.QueryVolume.Length;
            FsInfoClass = IoStackLocation->Parameters.QueryVolume.FsInformationClass;
 
            /* Call the internal function */
            Status = KsecQueryVolumeInformation(Buffer,
                                                FsInfoClass,
                                                &OutputLength);
            Information = OutputLength;
            break;
 
        case IRP_MJ_DEVICE_CONTROL:
 
            /* Extract the parameters */
            InputLength = IoStackLocation->Parameters.DeviceIoControl.InputBufferLength;
            OutputLength = IoStackLocation->Parameters.DeviceIoControl.OutputBufferLength;
            IoControlCode = IoStackLocation->Parameters.DeviceIoControl.IoControlCode;
 
            /* Check for METHOD_OUT_DIRECT method */
            if ((METHOD_FROM_CTL_CODE(IoControlCode) == METHOD_OUT_DIRECT) &&
                (OutputLength != 0))
            {
                /* Use the provided MDL */
                OutputLength = Irp->MdlAddress->ByteCount;
                Buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
                                                      NormalPagePriority);
                if (Buffer == NULL)
                {
                    Status = STATUS_INSUFFICIENT_RESOURCES;
                    Information = 0;
                    break;
                }
            }
            else
            {
                /* Otherwise this is METHOD_BUFFERED, use the SystemBuffer */
                Buffer = Irp->AssociatedIrp.SystemBuffer;
            }
 
            /* Call the internal function */
            Status = KsecDeviceControl(IoControlCode,
                                       Buffer,
                                       InputLength,
                                       &OutputLength);
            Information = OutputLength;
            break;
 
        default:
            DPRINT1("Unhandled major function %lu!\n",
                    IoStackLocation->MajorFunction);
            ASSERT(FALSE);
            return STATUS_INVALID_DEVICE_REQUEST;
    }
 
    /* Return the information */
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = Information;
 
    /* Complete the request */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
 
    return Status;
}

Referenced by DriverEntry().

◆ KsecDecryptMemory()

NTSTATUS NTAPI KsecDecryptMemory	(	_Inout_ PVOID	Buffer,
		_In_ ULONG	Length,
		_In_ ULONG	OptionFlags
	)

Definition at line 328 of file crypt.c.

{
    /* Validate parameter */
    if (OptionFlags > RTL_ENCRYPT_OPTION_SAME_LOGON)
    {
        return STATUS_INVALID_PARAMETER;
    }
 
    /* Check if the length is not 16 bytes aligned */
    if (Length & 15)
    {
        /* Is it at least 8 bytes aligned? */
        if (Length & 7)
        {
            /* No, we can't deal with it! */
            return STATUS_INVALID_PARAMETER;
        }
 
        /* Use triple DES encryption */
        KsecDecryptMemoryDes3(Buffer, Length, OptionFlags);
    }
    else
    {
        /* Use AES encryption */
        KsecDecryptMemoryAes(Buffer, Length, OptionFlags);
    }
 
    return STATUS_SUCCESS;
}

Referenced by KsecDeviceControl().

◆ KsecEncryptMemory()

NTSTATUS NTAPI KsecEncryptMemory	(	_Inout_ PVOID	Buffer,
		_In_ ULONG	Length,
		_In_ ULONG	OptionFlags
	)

Definition at line 293 of file crypt.c.

{
    /* Validate parameter */
    if (OptionFlags > RTL_ENCRYPT_OPTION_SAME_LOGON)
    {
        return STATUS_INVALID_PARAMETER;
    }
 
    /* Check if the length is not 16 bytes aligned */
    if (Length & 15)
    {
        /* Is it at least 8 bytes aligned? */
        if (Length & 7)
        {
            /* No, we can't deal with it! */
            return STATUS_INVALID_PARAMETER;
        }
 
        /* Use triple DES encryption */
        KsecEncryptMemoryDes3(Buffer, Length, OptionFlags);
    }
    else
    {
        /* Use AES encryption */
        KsecEncryptMemoryAes(Buffer, Length, OptionFlags);
    }
 
    return STATUS_SUCCESS;
}

Referenced by KsecDeviceControl().

◆ KsecGatherEntropyData()

NTSTATUS NTAPI KsecGatherEntropyData ( PKSEC_ENTROPY_DATA EntropyData )

See also: http://blogs.msdn.com/b/michael_howard/archive/2005/01/14/353379.aspx (DEAD_LINK)

Definition at line 92 of file random.c.

{
    MD4_CTX Md4Context;
    PTEB Teb;
    PPEB Peb;
    PWSTR String;
    ULONG ReturnLength;
    NTSTATUS Status;
 
    /* Query some generic values */
    EntropyData->CurrentProcessId = PsGetCurrentProcessId();
    EntropyData->CurrentThreadId = PsGetCurrentThreadId();
    KeQueryTickCount(&EntropyData->TickCount);
    KeQuerySystemTime(&EntropyData->SystemTime);
    EntropyData->PerformanceCounter = KeQueryPerformanceCounter(
                                            &EntropyData->PerformanceFrequency);
 
    /* Check if we have a TEB/PEB for the process environment */
    Teb = PsGetCurrentThread()->Tcb.Teb;
    if (Teb != NULL)
    {
        Peb = Teb->ProcessEnvironmentBlock;
 
        /* Initialize the MD4 context */
        MD4Init(&Md4Context);
        _SEH2_TRY
        {
            /* Get the end of the environment */
            String = Peb->ProcessParameters->Environment;
            while (*String)
            {
                String += wcslen(String) + 1;
            }
 
            /* Update the MD4 context from the environment data */
            MD4Update(&Md4Context,
                      (PUCHAR)Peb->ProcessParameters->Environment,
                      (ULONG)((PUCHAR)String - (PUCHAR)Peb->ProcessParameters->Environment));
        }
        _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
        {
            /* Simply ignore the exception */
        }
        _SEH2_END;
 
        /* Finalize and copy the MD4 hash */
        MD4Final(&Md4Context);
        RtlCopyMemory(&EntropyData->EnvironmentHash, Md4Context.digest, 16);
    }
 
    /* Read some machine specific hardware counters */
    KsecReadMachineSpecificCounters(&EntropyData->MachineSpecificCounters);
 
    /* Query processor performance information */
    Status = ZwQuerySystemInformation(SystemProcessorPerformanceInformation,
                                      &EntropyData->SystemProcessorPerformanceInformation,
                                      sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION),
                                      &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    /* Query system performance information */
    Status = ZwQuerySystemInformation(SystemPerformanceInformation,
                                      &EntropyData->SystemPerformanceInformation,
                                      sizeof(SYSTEM_PERFORMANCE_INFORMATION),
                                      &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    /* Query exception information */
    Status = ZwQuerySystemInformation(SystemExceptionInformation,
                                      &EntropyData->SystemExceptionInformation,
                                      sizeof(SYSTEM_EXCEPTION_INFORMATION),
                                      &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    /* Query lookaside information */
    Status = ZwQuerySystemInformation(SystemLookasideInformation,
                                      &EntropyData->SystemLookasideInformation,
                                      sizeof(SYSTEM_LOOKASIDE_INFORMATION),
                                      &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    /* Query interrupt information */
    Status = ZwQuerySystemInformation(SystemInterruptInformation,
                                      &EntropyData->SystemInterruptInformation,
                                      sizeof(SYSTEM_INTERRUPT_INFORMATION),
                                      &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    /* Query process information */
    Status = ZwQuerySystemInformation(SystemProcessInformation,
                                      &EntropyData->SystemProcessInformation,
                                      sizeof(SYSTEM_PROCESS_INFORMATION),
                                      &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
 
    return STATUS_SUCCESS;
}

Referenced by KsecInitializeEncryptionSupport().

◆ KsecGenRandom()

NTSTATUS NTAPI KsecGenRandom	(	PVOID	Buffer,
		SIZE_T	Length
	)

Definition at line 26 of file random.c.

{
    LARGE_INTEGER TickCount;
    ULONG i, RandomValue;
    PULONG P;
 
    /* Try to generate a more random seed */
    KeQueryTickCount(&TickCount);
    KsecRandomSeed ^= _rotl(TickCount.LowPart, (KsecRandomSeed % 23));
 
    P = Buffer;
    for (i = 0; i < Length / sizeof(ULONG); i++)
    {
        P[i] = RtlRandomEx(&KsecRandomSeed);
    }
 
    Length &= (sizeof(ULONG) - 1);
    if (Length > 0)
    {
        RandomValue = RtlRandomEx(&KsecRandomSeed);
        RtlCopyMemory(&P[i], &RandomValue, Length);
    }
 
    return STATUS_SUCCESS;
}

Referenced by KsecDeviceControl().

◆ KsecInitializeEncryptionSupport()

VOID NTAPI KsecInitializeEncryptionSupport ( VOID )

Definition at line 44 of file crypt.c.

{
    KSEC_ENTROPY_DATA EntropyData;
    MD5_CTX Md5Context;
    UCHAR KeyDataBuffer[32];
 
    KsecGatherEntropyData(&EntropyData);
    MD5Init(&Md5Context);
    MD5Update(&Md5Context, (PVOID)&EntropyData, sizeof(EntropyData));
    KsecLoadTimeStartMd5s[0] = Md5Context;
    MD5Final(&Md5Context);
    RtlCopyMemory(KeyDataBuffer, &Md5Context.digest, 16);
 
    KsecGatherEntropyData(&EntropyData);
    Md5Context = KsecLoadTimeStartMd5s[0];
    MD5Update(&Md5Context, (PVOID)&EntropyData, sizeof(EntropyData));
    KsecLoadTimeStartMd5s[1] = Md5Context;
    MD5Final(&Md5Context);
    RtlCopyMemory(&KeyDataBuffer[16], &Md5Context.digest, 16);
 
    /* Create the global keys */
    aes_setup(KeyDataBuffer, 32, 0, &KsecGlobalAesKey);
    des3_setup(KeyDataBuffer, 24, 0, &KsecGlobalDes3Key);
 
    /* Erase the temp data */
    RtlSecureZeroMemory(KeyDataBuffer, sizeof(KeyDataBuffer));
    RtlSecureZeroMemory(&Md5Context, sizeof(Md5Context));
}

Referenced by DriverEntry().

Variable Documentation

◆ KsecLsaProcess

PEPROCESS KsecLsaProcess

extern

◆ KsecLsaProcessHandle

HANDLE KsecLsaProcessHandle

extern

Classes

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ _NO_KSECDD_IMPORT_

◆ RTL_ENCRYPT_OPTION_CROSS_PROCESS

◆ RTL_ENCRYPT_OPTION_SAME_LOGON

◆ RTL_ENCRYPT_OPTION_SAME_PROCESS

◆ STATUS_KSEC_INTERNAL_ERROR

Typedef Documentation

◆ AES_KEY

◆ DES3_KEY

◆ KSEC_CONNECTION_INFO

◆ KSEC_ENTROPY_DATA

◆ KSEC_MACHINE_SPECIFIC_COUNTERS

◆ PAES_KEY

◆ PDES3_KEY

◆ PKSEC_ENTROPY_DATA

◆ PKSEC_MACHINE_SPECIFIC_COUNTERS

Function Documentation

◆ KsecDdDispatch()

◆ KsecDecryptMemory()

◆ KsecEncryptMemory()

◆ KsecGatherEntropyData()

◆ KsecGenRandom()

◆ KsecInitializeEncryptionSupport()

Variable Documentation

◆ KsecLsaProcess

◆ KsecLsaProcessHandle