Address 32-Bit Fix Library Loading

NoMoreFood · Aug 29, 2023 · e341acf · e341acf
1 parent d420e5e
commit e341acf
Show file tree

Hide file tree

Showing 12 changed files with 64 additions and 25 deletions.
diff --git a/Build/WinPriv-hash.txt b/Build/WinPriv-hash.txt
@@ -1,30 +1,30 @@
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA256          930CA61F8ECE21B75C4EA9F04582A2C02039470C272BBE1AA14AF06E2FA07AF2       x64\WinPriv.exe
-SHA256          4995B5695DD6E60AF31EE0AE7B1F106A9486DD5B498FF55E928B15DF4A13DEA1       x64\WinPrivCmd.exe
-SHA256          C7BA78315521259D7F6416C40F9A4C604DCF28584F966183CC638BA5AF1CEFD0       x86\WinPriv.exe
-SHA256          24FC42033D06CC0F5C2C66982EF2402F6BD317522E3C8F9EB5AD1AD0C67541FF       x86\WinPrivCmd.exe
-SHA256          FD54CBB817AEB8073E7771E1E460D276BD706CA63C3F6E1101C5AE12A9078510       WinPriv.zip
+SHA256          8C37633F28F969D948FC3C352CDD60EC7C8828A751675498276903F433078E16       x64\WinPriv.exe
+SHA256          764373421F043CB02BC6A0BCFB67CA44DEB9B36BEF8E0FC4175D51895F658674       x64\WinPrivCmd.exe
+SHA256          3D8223FC392D84B4D2F564C645DF8800CB8A76320D3B721D307F6807FE39FF3F       x86\WinPriv.exe
+SHA256          E139DCE2DFE7A26EBDF25EF03A64D6E367EF73B7C46EDFAF18CF24F3330680BB       x86\WinPrivCmd.exe
+SHA256          2019F1DBFE4FE5475FEB09F243E53809666A0BF18FC2B54C312D70BD3AA7B61C       WinPriv.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA1            56DD6FCF835C06343DB5D42D945A2EB675914765                               x64\WinPriv.exe
-SHA1            74AF909D8E2ADFE4459A1291048E81D6BAFA968B                               x64\WinPrivCmd.exe
-SHA1            9C2E48D0625E66180A58EEBD1290F825FE2BA02B                               x86\WinPriv.exe
-SHA1            AF27E934192B633D301F6A193F72675FA3ACFB8C                               x86\WinPrivCmd.exe
-SHA1            14D6143FF1A58D4FC7BF71CBF7AA5C3564404E45                               WinPriv.zip
+SHA1            8CD8302F0207F024192928774F05006F2882353A                               x64\WinPriv.exe
+SHA1            1F33A1C5BE2E5E96B5BC441F660DB86EFB3864CA                               x64\WinPrivCmd.exe
+SHA1            86499F69660D7D5622CADC1F17DAB4DA09E7810E                               x86\WinPriv.exe
+SHA1            01844D137948AB5F31014ABA999CA73B7A5ECE83                               x86\WinPrivCmd.exe
+SHA1            827F748A5FC140D5898D65195E51D1FD5FA04BC3                               WinPriv.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-MD5             3FA2D490AA1B5F7E0D970A8206811992                                       x64\WinPriv.exe
-MD5             CD518A077EF2F15BF42A208A908FE94A                                       x64\WinPrivCmd.exe
-MD5             E21F9C75B9DDE4DFD73B439BBC5CF03C                                       x86\WinPriv.exe
-MD5             D1F20AEF03A7713EF4262527A1791833                                       x86\WinPrivCmd.exe
-MD5             B7A2CAD1B42845A93482D8F1C5519AC2                                       WinPriv.zip
+MD5             412BF00FED8E36D207023EFB06767587                                       x64\WinPriv.exe
+MD5             D861CC9FC93C4D430EF685D155695B9E                                       x64\WinPrivCmd.exe
+MD5             C4A969CB532082BECD39E91D837A5628                                       x86\WinPriv.exe
+MD5             E3034D9F0AC34C6F2CB1FD370FDEC6E4                                       x86\WinPrivCmd.exe
+MD5             DC1A8C18ECAF6CDF099975D9024A89F4                                       WinPriv.zip
 
 
diff --git a/Build/WinPriv.zip b/Build/WinPriv.zip
diff --git a/Build/x64/WinPriv.exe b/Build/x64/WinPriv.exe
diff --git a/Build/x64/WinPrivCmd.exe b/Build/x64/WinPrivCmd.exe
diff --git a/Build/x86/WinPriv.exe b/Build/x86/WinPriv.exe
diff --git a/Build/x86/WinPrivCmd.exe b/Build/x86/WinPrivCmd.exe
diff --git a/WinPriv/WinPriv.cpp b/WinPriv/WinPriv.cpp
@@ -101,7 +101,7 @@ std::wstring GetLocalLibraryPath(bool bIs64Bit)
 	std::wstring sBasePath = sThisExecutable.substr(0, sThisExecutable.find_last_of(L'\\'));
 
 	// return directory name
-	return sBasePath + (bIs64Bit ? L"\\WinPrivLibrary-x64.dll" : L"\\WinPrivLibrary-x86.dll");
+	return sBasePath + (bIs64Bit ? L"\\WinPrivLibrary-64.dll" : L"\\WinPrivLibrary-32.dll");
 }
 
 int RunProgram(int iArgc, wchar_t *aArgv[])
@@ -342,7 +342,7 @@ int RunProgram(int iArgc, wchar_t *aArgv[])
 			sRegistryOverride += L"REG_DWORD ";
 			sRegistryOverride += (_wcsicmp(sArg.c_str(), L"/FipsOn") == 0) ? L"1 " : L"0 ";
 		}
-		
+
 		// instructs winpriv to block access to popular group policy areas
 		else if (_wcsicmp(sArg.c_str(), L"/PolicyBlock") == 0)
 		{
@@ -359,6 +359,13 @@ int RunProgram(int iArgc, wchar_t *aArgv[])
 			sRegistryOverride += L"N/A REG_BLOCK N/A ";
 		}
 
+		// instructs winpriv to disable amsi scanning
+		else if (_wcsicmp(sArg.c_str(), L"/DisableAmsi") == 0)
+		{
+			// implement the fips override using the registry override capability
+			SetEnvironmentVariable(WINPRIV_EV_DISABLE_AMSI, L"1");
+		}
+
 		// instructs winpriv to override all host name lookups
 		else if (_wcsicmp(sArg.c_str(), L"/HostOverride") == 0)
 		{

diff --git a/WinPriv/WinPrivMisc.cpp b/WinPriv/WinPrivMisc.cpp
@@ -35,7 +35,7 @@ std::map<std::wstring, std::wstring> GetPrivilegeList()
 	}
 
 	// enumerate the privileges that are settable
-	PPOLICY_PRIVILEGE_DEFINITION buffer;
+	PPOLICY_PRIVILEGE_DEFINITION buffer = nullptr;
 	LSA_ENUMERATION_HANDLE enumerationContext = 0;
 	ULONG countReturned = 0;
 	while (LsaEnumeratePrivileges(policyHandle, &enumerationContext,

diff --git a/WinPriv/WinPrivResource.rc b/WinPriv/WinPrivResource.rc
diff --git a/WinPrivLibrary/WinPrivLibraryDetours.cpp b/WinPrivLibrary/WinPrivLibraryDetours.cpp
@@ -22,6 +22,7 @@
 #include <mstcpip.h>
 #include <wincrypt.h>
 #include <sqlext.h>
+#include <amsi.h>
 #include <VersionHelpers.h>
 
 #define _NTDEF_
@@ -44,6 +45,7 @@
 
 #pragma comment(lib,"crypt32.lib")
 #pragma comment(lib,"bcrypt.lib")
+#pragma comment(lib,"amsi.lib")
 
 //   ___         ___     __   __   ___
 //  |__  | |    |__     /  \ |__) |__  |\ |
@@ -71,7 +73,7 @@ bool CloseFileHandle(PUNICODE_STRING sFileNameUnicodeString)
 		const std::wstring sLocalPath = tMatches[3].str();
 
 		// get the real path name using the computer and share name
-		PSHARE_INFO_502 tShareInfo = 0;
+		PSHARE_INFO_502 tShareInfo = nullptr;
 		NetShareGetInfo((LPWSTR)sComputerName.c_str(), (LPWSTR)sShareName.c_str(), 502, (LPBYTE*)& tShareInfo);
 		bool bNeedsBackslash = tShareInfo->shi502_path[wcslen(tShareInfo->shi502_path) - 1] != L'\\';
 		sPath = std::wstring(tShareInfo->shi502_path) + ((bNeedsBackslash) ? L"\\" : L"") + sLocalPath;
@@ -99,7 +101,7 @@ bool CloseFileHandle(PUNICODE_STRING sFileNameUnicodeString)
 	DWORD iReturned = 0;
 	DWORD_PTR hHandle = 0;
 	std::vector<DWORD> tFileIds;
-	PFILE_INFO_3 tFileInfo;
+	PFILE_INFO_3 tFileInfo = nullptr;
 	while ((iStatus = NetFileEnum(sComputerName.length() == 0 ? NULL : (LPWSTR)sComputerName.c_str(),
 		(LPWSTR)sPath.c_str(), NULL, 3, (LPBYTE*) &tFileInfo,
 		MAX_PREFERRED_LENGTH, &iEntriesRead, &iReturned, &hHandle)) == NERR_Success || iStatus == ERROR_MORE_DATA)
@@ -569,6 +571,29 @@ ULONG WINAPI DetourGetAdaptersAddresses(_In_ ULONG Family, _In_ ULONG Flags, _Re
 	return iRet;
 }
 
+//              __        __     __        __        ___ 
+//   /\   |\/| /__` |    |  \ | /__`  /\  |__) |    |__  
+//  /~~\  |  | .__/ |    |__/ | .__/ /~~\ |__) |___ |___ 
+//                                                       
+
+decltype(&AmsiScanBuffer) TrueAmsiScanBuffer = AmsiScanBuffer;
+
+HRESULT DetourAmsiScanBuffer(_In_  HAMSICONTEXT amsiContext, _In_reads_bytes_(length) PVOID buffer, _In_  ULONG length,
+	_In_opt_  LPCWSTR contentName, _In_opt_  HAMSISESSION amsiSession, _Out_ AMSI_RESULT* result)
+{
+	*result = AMSI_RESULT_CLEAN;
+	return S_OK;
+}
+
+decltype(&AmsiScanString) TrueAmsiScanString = AmsiScanString;
+
+HRESULT DetourAmsiScanString(_In_  HAMSICONTEXT amsiContext, _In_  LPCWSTR string, _In_opt_  LPCWSTR contentName,
+	_In_opt_  HAMSISESSION amsiSession,	_Out_ AMSI_RESULT* result)
+{
+	*result = AMSI_RESULT_CLEAN;
+	return S_OK;
+}
+
 //        __   __  ___     __        ___  __   __     __   ___
 //  |__| /  \ /__`  |     /  \ \  / |__  |__) |__) | |  \ |__
 //  |  | \__/ .__/  |     \__/  \/  |___ |  \ |  \ | |__/ |___
@@ -719,7 +744,7 @@ BOOL WINAPI DetourVerifyVersionInfoW(_Inout_ LPOSVERSIONINFOEXW lpVersionInforma
 	if (dwTypeMask == VER_PRODUCT_TYPE)
 	{
 		// quit early if actually running on a server
-		OSVERSIONINFOEXW tInfo;
+		OSVERSIONINFOEXW tInfo = {};
 		tInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXW);
 		TrueGetVersionExW((LPOSVERSIONINFOW) &tInfo);
 		if ((tInfo.wProductType & VER_NT_WORKSTATION) == 0)
@@ -979,6 +1004,12 @@ EXTERN_C VOID WINAPI DllExtraAttachDetach(bool bAttach)
 		AttachDetech(bAttach, &(PVOID&)TrueNtEnumerateValueKey, DetourNtEnumerateValueKey);
 	}
 
+	if (VariableIsSet(WINPRIV_EV_DISABLE_AMSI, 1))
+	{
+		AttachDetech(bAttach, &(PVOID&)TrueAmsiScanBuffer, DetourAmsiScanBuffer);
+		AttachDetech(bAttach, &(PVOID&)TrueAmsiScanString, DetourAmsiScanString);
+	}
+
 	if (VariableNotEmpty(WINPRIV_EV_HOST_OVERRIDE))
 	{
 		AttachDetech(bAttach, &(PVOID&)TrueWSALookupServiceNextW, DetourWSALookupServiceNextW);

diff --git a/WinPrivShared/WinPrivShared.cpp b/WinPrivShared/WinPrivShared.cpp
@@ -59,7 +59,7 @@ std::vector<std::wstring> EnablePrivs(std::vector<std::wstring> vRequestedPrivs)
 	}
 
 	// get the current user sid out of the token
-	BYTE aBuffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];
+	BYTE aBuffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE] = {};
 	const PTOKEN_USER tTokenUser = (PTOKEN_USER)(aBuffer);
 	DWORD iBytesFilled = 0;
 	if (GetTokenInformation(hToken, TokenUser, tTokenUser, sizeof(aBuffer), &iBytesFilled) == 0)
@@ -77,7 +77,7 @@ std::vector<std::wstring> EnablePrivs(std::vector<std::wstring> vRequestedPrivs)
 	for (std::wstring sPrivilege : vRequestedPrivs)
 	{
 		// populate the privilege adjustment structure
-		TOKEN_PRIVILEGES tPrivEntry;
+		TOKEN_PRIVILEGES tPrivEntry = {};
 		tPrivEntry.PrivilegeCount = 1;
 		tPrivEntry.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 
@@ -117,7 +117,7 @@ BOOL AlterCurrentUserPrivs(std::vector<std::wstring> vPrivsToGrant, BOOL bAddRig
 	}
 
 	// get the current user sid out of the token
-	BYTE aBuffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE];
+	BYTE aBuffer[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE] = {};
 	const PTOKEN_USER tTokenUser = (PTOKEN_USER)(aBuffer);
 	DWORD iBytesFilled = 0;
 	const BOOL bRet = GetTokenInformation(hToken, TokenUser, tTokenUser, sizeof(aBuffer), &iBytesFilled);
@@ -149,7 +149,7 @@ BOOL AlterCurrentUserPrivs(std::vector<std::wstring> vPrivsToGrant, BOOL bAddRig
 	for (std::wstring sPrivilege : vPrivsToGrant)
 	{
 		// convert the privilege name to a unicode string format
-		LSA_UNICODE_STRING sUnicodePrivilege;
+		LSA_UNICODE_STRING sUnicodePrivilege = {};
 		sUnicodePrivilege.Buffer = (PWSTR)sPrivilege.c_str();
 		sUnicodePrivilege.Length = (USHORT)(wcslen(sPrivilege.c_str()) * sizeof(WCHAR));
 		sUnicodePrivilege.MaximumLength = (USHORT)((wcslen(sPrivilege.c_str()) + 1) * sizeof(WCHAR));

diff --git a/WinPrivShared/WinPrivShared.h b/WinPrivShared/WinPrivShared.h
@@ -25,6 +25,7 @@ void KillProcess(const std::wstring& sProcessName);
 #define WINPRIV_EV_REG_OVERRIDE L"_WINPRIV_REG_OVERIDE_"
 #define WINPRIV_EV_MAC_OVERRIDE L"_WINPRIV_MAC_OVERIDE_"
 #define WINPRIV_EV_BACKUP_RESTORE L"_WINPRIV_BACKUP_RESTORE_"
+#define WINPRIV_EV_DISABLE_AMSI L"_WINPRIV_DISABLE_AMSI_"
 #define WINPRIV_EV_BREAK_LOCKS L"_WINPRIV_BREAK_LOCKS_"
 #define WINPRIV_EV_PRIVLIST L"_WINPRIV_PRIVILEGE_LIST_"
 #define WINPRIV_EV_PARENT_PID L"_WINPRIV_EV_PARENT_PID_"