Windows Security: make memory protection enabled by default. Add process mitigation (ASLR, Dynamic code, extension points)
Memory protection can be disabled using registry value "VeraCryptEnableMemoryProtection" under the key "HKLM\SYSTEM\CurrentControlSet\Services\veracrypt"
This commit is contained in:
parent
fb8ae98c73
commit
b1657e88e4
|
@ -418,6 +418,8 @@ typedef struct
|
|||
|
||||
#define VC_ERASE_KEYS_SHUTDOWN DRIVER_STR("VeraCryptEraseKeysShutdown")
|
||||
|
||||
#define VC_ENABLE_MEMORY_PROTECTION DRIVER_STR("VeraCryptEnableMemoryProtection")
|
||||
|
||||
// WARNING: Modifying the following values can introduce incompatibility with previous versions.
|
||||
#define TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD 0x1
|
||||
#define TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD_FOR_SYS_FAVORITES 0x2
|
||||
|
|
|
@ -32,6 +32,9 @@
|
|||
#include <process.h>
|
||||
#include <Tlhelp32.h>
|
||||
#endif
|
||||
#ifdef _WIN32_WINNT >= 0x0602
|
||||
#include "processthreadsapi.h""
|
||||
#endif
|
||||
|
||||
#include "Resource.h"
|
||||
|
||||
|
@ -216,6 +219,9 @@ volatile BOOL NeedPeriodicDeviceListUpdate = FALSE;
|
|||
BOOL DisablePeriodicDeviceListUpdate = FALSE;
|
||||
BOOL EnableMemoryProtection = FALSE;
|
||||
|
||||
BOOL MemoryProtectionActivated = FALSE;
|
||||
BOOL ProcessMitigationsActivated = FALSE;
|
||||
|
||||
BOOL WaitDialogDisplaying = FALSE;
|
||||
|
||||
/* Handle to the device driver */
|
||||
|
@ -3238,6 +3244,17 @@ uint32 ReadEncryptionThreadPoolFreeCpuCountLimit ()
|
|||
return count;
|
||||
}
|
||||
|
||||
BOOL ReadMemoryProtectionConfig ()
|
||||
{
|
||||
DWORD config;
|
||||
|
||||
if (!ReadLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", VC_ENABLE_MEMORY_PROTECTION, &config))
|
||||
{
|
||||
// enabled by default
|
||||
config = 1;
|
||||
}
|
||||
return (config)? TRUE: FALSE;
|
||||
}
|
||||
|
||||
BOOL LoadSysEncSettings ()
|
||||
{
|
||||
|
@ -3431,6 +3448,17 @@ extern "C" {
|
|||
// Force loading dlls from system32 directory only
|
||||
SetDefaultDllDirectoriesFn (LOAD_LIBRARY_SEARCH_SYSTEM32);
|
||||
}
|
||||
|
||||
// activate process mitigations (currently only ASLR, dynamic code and extensions points)
|
||||
ActivateProcessMitigations();
|
||||
|
||||
#ifndef SETUP
|
||||
// call ActivateMemoryProtection if corresponding setting has been enabled (default is enabled)
|
||||
if (ReadMemoryProtectionConfig())
|
||||
{
|
||||
ActivateMemoryProtection();
|
||||
}
|
||||
#endif
|
||||
return wWinMainCRTStartup();
|
||||
}
|
||||
}
|
||||
|
@ -14035,7 +14063,7 @@ BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void
|
|||
*
|
||||
* Reduce current user acess rights for this process to the minimum in order to forbid non-admin users from reading the process memory.
|
||||
*/
|
||||
BOOL EnableProcessProtection()
|
||||
BOOL ActivateMemoryProtection()
|
||||
{
|
||||
BOOL bSuccess = FALSE;
|
||||
|
||||
|
@ -14050,7 +14078,10 @@ BOOL EnableProcessProtection()
|
|||
|
||||
// Acces mask
|
||||
DWORD dwAccessMask = SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE; // same as protected process
|
||||
|
||||
|
||||
if (MemoryProtectionActivated)
|
||||
return TRUE;
|
||||
|
||||
if (IsAdmin ())
|
||||
{
|
||||
// if we are running elevated, we allow CreateProcessXXX calls alongside PROCESS_DUP_HANDLE and PROCESS_QUERY_INFORMATION in order to be able
|
||||
|
@ -14113,6 +14144,9 @@ BOOL EnableProcessProtection()
|
|||
NULL // do not change SACL
|
||||
))? TRUE: FALSE;
|
||||
|
||||
if (bSuccess)
|
||||
MemoryProtectionActivated = TRUE;
|
||||
|
||||
Cleanup:
|
||||
|
||||
if (pACL != NULL) {
|
||||
|
@ -14128,6 +14162,97 @@ Cleanup:
|
|||
return bSuccess;
|
||||
}
|
||||
|
||||
// define missing structures Windows 8
|
||||
#if (_WIN32_WINNT < 0x0602)
|
||||
|
||||
typedef struct _PROCESS_MITIGATION_ASLR_POLICY {
|
||||
union {
|
||||
DWORD Flags;
|
||||
struct {
|
||||
DWORD EnableBottomUpRandomization : 1;
|
||||
DWORD EnableForceRelocateImages : 1;
|
||||
DWORD EnableHighEntropy : 1;
|
||||
DWORD DisallowStrippedImages : 1;
|
||||
DWORD ReservedFlags : 28;
|
||||
} DUMMYSTRUCTNAME;
|
||||
} DUMMYUNIONNAME;
|
||||
} PROCESS_MITIGATION_ASLR_POLICY, *PPROCESS_MITIGATION_ASLR_POLICY;
|
||||
|
||||
typedef struct _PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY {
|
||||
union {
|
||||
DWORD Flags;
|
||||
struct {
|
||||
DWORD DisableExtensionPoints : 1;
|
||||
DWORD ReservedFlags : 31;
|
||||
} DUMMYSTRUCTNAME;
|
||||
} DUMMYUNIONNAME;
|
||||
} PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;
|
||||
|
||||
typedef struct _PROCESS_MITIGATION_DYNAMIC_CODE_POLICY {
|
||||
union {
|
||||
DWORD Flags;
|
||||
struct {
|
||||
DWORD ProhibitDynamicCode : 1;
|
||||
DWORD AllowThreadOptOut : 1;
|
||||
DWORD AllowRemoteDowngrade : 1;
|
||||
DWORD AuditProhibitDynamicCode : 1;
|
||||
DWORD ReservedFlags : 28;
|
||||
} DUMMYSTRUCTNAME;
|
||||
} DUMMYUNIONNAME;
|
||||
} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY;
|
||||
|
||||
typedef enum _PROCESS_MITIGATION_POLICY {
|
||||
ProcessDEPPolicy,
|
||||
ProcessASLRPolicy,
|
||||
ProcessDynamicCodePolicy,
|
||||
ProcessStrictHandleCheckPolicy,
|
||||
ProcessSystemCallDisablePolicy,
|
||||
ProcessMitigationOptionsMask,
|
||||
ProcessExtensionPointDisablePolicy,
|
||||
ProcessControlFlowGuardPolicy,
|
||||
ProcessSignaturePolicy,
|
||||
ProcessFontDisablePolicy,
|
||||
ProcessImageLoadPolicy,
|
||||
ProcessSystemCallFilterPolicy,
|
||||
ProcessPayloadRestrictionPolicy,
|
||||
ProcessChildProcessPolicy,
|
||||
ProcessSideChannelIsolationPolicy,
|
||||
ProcessUserShadowStackPolicy,
|
||||
MaxProcessMitigationPolicy
|
||||
} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;
|
||||
|
||||
#endif
|
||||
|
||||
void ActivateProcessMitigations()
|
||||
{
|
||||
if (ProcessMitigationsActivated)
|
||||
return;
|
||||
|
||||
// we load the function pointer of SetProcessMitigationPolicy dynamically because we are building with Windows 7 SDK that does not have the definition of this function
|
||||
typedef BOOL (WINAPI *SetProcessMitigationPolicyFunc) (PROCESS_MITIGATION_POLICY MitigationPolicy, PVOID lpBuffer, SIZE_T dwLength);
|
||||
SetProcessMitigationPolicyFunc SetProcessMitigationPolicy = (SetProcessMitigationPolicyFunc) GetProcAddress (GetModuleHandle (L"kernel32.dll"), "SetProcessMitigationPolicy");
|
||||
if (SetProcessMitigationPolicy)
|
||||
{
|
||||
PROCESS_MITIGATION_ASLR_POLICY aslrPolicy = { 0 };
|
||||
PROCESS_MITIGATION_DYNAMIC_CODE_POLICY dynCodePolicy = { 0 };
|
||||
PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY extensionPointDisablePolicy = { 0 };
|
||||
|
||||
aslrPolicy.EnableBottomUpRandomization = TRUE;
|
||||
aslrPolicy.EnableForceRelocateImages = TRUE;
|
||||
aslrPolicy.EnableHighEntropy = TRUE;
|
||||
|
||||
dynCodePolicy.ProhibitDynamicCode = TRUE;
|
||||
|
||||
extensionPointDisablePolicy.DisableExtensionPoints = TRUE;
|
||||
|
||||
SetProcessMitigationPolicy (ProcessASLRPolicy, &aslrPolicy, sizeof (aslrPolicy));
|
||||
SetProcessMitigationPolicy (ProcessDynamicCodePolicy, &dynCodePolicy, sizeof (dynCodePolicy));
|
||||
SetProcessMitigationPolicy (ProcessExtensionPointDisablePolicy, &extensionPointDisablePolicy, sizeof (extensionPointDisablePolicy));
|
||||
}
|
||||
|
||||
ProcessMitigationsActivated = TRUE;
|
||||
}
|
||||
|
||||
// Based on sample code from:
|
||||
// https://blogs.msdn.microsoft.com/aaron_margosis/2009/06/06/faq-how-do-i-start-a-program-as-the-desktop-user-from-an-elevated-app/
|
||||
// start a program non-elevated as the desktop user from an elevated app
|
||||
|
|
|
@ -349,6 +349,7 @@ BOOL IsTrueCryptInstallerRunning (void);
|
|||
uint32 ReadDriverConfigurationFlags ();
|
||||
uint32 ReadServiceConfigurationFlags ();
|
||||
uint32 ReadEncryptionThreadPoolFreeCpuCountLimit ();
|
||||
BOOL ReadMemoryProtectionConfig ();
|
||||
BOOL LoadSysEncSettings ();
|
||||
int LoadNonSysInPlaceEncSettings (WipeAlgorithmId *wipeAlgorithm);
|
||||
void RemoveNonSysInPlaceEncNotifications (void);
|
||||
|
@ -582,7 +583,8 @@ BOOL VerifyModuleSignature (const wchar_t* path);
|
|||
void GetInstallationPath (HWND hwndDlg, wchar_t* szInstallPath, DWORD cchSize, BOOL* pbInstallPathDetermined);
|
||||
BOOL GetSetupconfigLocation (wchar_t* path, DWORD cchSize);
|
||||
BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void* pattern, size_t patternLen);
|
||||
BOOL EnableProcessProtection();
|
||||
void ActivateProcessMitigations();
|
||||
BOOL ActivateMemoryProtection();
|
||||
void SafeOpenURL (LPCWSTR szUrl);
|
||||
BitLockerEncryptionStatus GetBitLockerEncryptionStatus(WCHAR driveLetter);
|
||||
BOOL IsTestSigningModeEnabled ();
|
||||
|
|
|
@ -344,8 +344,12 @@ extern BOOLEAN VC_KeAreAllApcsDisabled (VOID);
|
|||
|
||||
#ifndef TC_LOCAL_WIN32_WINNT_OVERRIDE
|
||||
# undef _WIN32_WINNT
|
||||
#ifdef _M_ARM64
|
||||
# define _WIN32_WINNT 0x0A00
|
||||
#else
|
||||
# define _WIN32_WINNT 0x0601 /* Does not apply to the driver */
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <windows.h> /* Windows header */
|
||||
#include <commctrl.h> /* The common controls */
|
||||
|
|
|
@ -962,7 +962,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
|
|||
if (EnableMemoryProtection)
|
||||
{
|
||||
/* Protect this process memory from being accessed by non-admin users */
|
||||
EnableProcessProtection ();
|
||||
ActivateMemoryProtection ();
|
||||
}
|
||||
|
||||
InitMainDialog (hwndDlg);
|
||||
|
|
|
@ -6239,7 +6239,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
|
|||
if (EnableMemoryProtection)
|
||||
{
|
||||
/* Protect this process memory from being accessed by non-admin users */
|
||||
EnableProcessProtection ();
|
||||
ActivateMemoryProtection ();
|
||||
}
|
||||
|
||||
if (ComServerMode)
|
||||
|
|
|
@ -7096,7 +7096,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
|
|||
if (EnableMemoryProtection)
|
||||
{
|
||||
/* Protect this process memory from being accessed by non-admin users */
|
||||
EnableProcessProtection ();
|
||||
ActivateMemoryProtection ();
|
||||
}
|
||||
|
||||
if (ComServerMode)
|
||||
|
|
Loading…
Reference in New Issue