Thursday, April 6, 2017

ntdll ProtectedPolicies

It seems that since Windows 10 ntdll has had a security feature called "ProtectedPolicies": a small table of GUID-keyed values that other parts of the loader and runtime consult before allowing a sensitive operation. You can query it with the undocumented RtlQueryProtectedPolicy function, whose prototype is:
NTSTATUS NTAPI RtlQueryProtectedPolicy(PGUID PolicyGuid, PULONG_PTR PolicyValue);

The second argument is pointer-sized, not a DWORD, which matches the 0x14/0x18 entry sizes seen below.

Let's see how it works (x86 disassembly of the lookup):
loc_6A277EFB:   ; CODE XREF: RtlQueryProtectedPolicy(x,x)+12 j
  push    edi
  mov     edi, offset _RtlpProtectedPoliciesSRWLock
  push    edi
  call    _RtlAcquireSRWLockShared@4    ; RtlAcquireSRWLockShared(x)
  push    offset _RtlpSearchProtectedPolicyEntry ; PtFuncCompare
  push    14h                           ; SizeOfElements
  push    ds:_RtlpProtectedPoliciesActiveCount ; NumOfElements
  push    ds:_RtlpProtectedPolicies     ; Base
  push    [ebp+Key]                     ; Key
  call    _bsearch


So the policies are stored in the array RtlpProtectedPolicies, the count is in RtlpProtectedPoliciesActiveCount, and each entry is 0x14 bytes (0x18 under x64), i.e. a GUID followed by a pointer-sized value. The array is kept sorted by GUID and searched with bsearch (comparator RtlpSearchProtectedPolicyEntry) while RtlpProtectedPoliciesSRWLock is held in shared mode, so each policy looks like this struct:
struct protected_policy
{
  GUID guid;        // lookup key
  ULONG_PTR value;  // 4 bytes on x86, 8 on x64
};

Let's see where RtlQueryProtectedPolicy is called from:

ntdll.dll:
  • from RtlpAddVectoredHandler with GUID {1FC98BCA-1BA9-4397-93F9-349EAD41E057}
  • from RtlGuardCheckLongJumpTarget with GUID {4F6AE3A6-8B1B-4623-A293-294CD743BBD1}
kernel32.dll:
  • from CheckForReadOnlyResourceFilter with GUID_BasepAllowResourceConversion {739C343A-F3E1-4ED8-AC66-8435FEB7C5A5}
KernelBase.dll:
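As an added example (not code from the original post), the C program below models the table described above: a sorted array of {GUID, pointer-sized value} entries searched with bsearch(), plus a parser for the brace form of the three GUIDs listed as caller keys. When built on Windows it additionally resolves the real RtlQueryProtectedPolicy from ntdll and queries it for the same GUIDs, so you can see which policies are set in your own process. Two things are assumptions, not taken from the disassembly: the comparator orders GUIDs bytewise (any total order works as long as RtlpProtectedPolicies is sorted with the same one), and an unknown GUID yields STATUS_NOT_FOUND. The table contents and the values 1, 2, 3 are constructed.

```c
/* Added example, not code from the post: model of the ntdll protected-policy
 * table, with an optional live query of RtlQueryProtectedPolicy on Windows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#  include <windows.h>
#  include <winternl.h>          /* NTSTATUS */
#else                             /* minimal stand-ins so the model builds elsewhere */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
typedef long NTSTATUS;
#  define NTAPI
#endif
#ifndef STATUS_SUCCESS
#  define STATUS_SUCCESS   ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_NOT_FOUND           /* assumed result for an unknown GUID */
#  define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225L)
#endif

/* One RtlpProtectedPolicies entry: 0x14 bytes on x86, 0x18 on x64, i.e. a GUID
 * followed by a pointer-sized value. */
struct protected_policy { GUID guid; uintptr_t value; };

/* Parse the brace form "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"; 0 on success. */
int parse_guid(const char *s, GUID *g) {
    unsigned d1, d2, d3, b[8];
    if (sscanf(s, "{%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x}", &d1, &d2, &d3,
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &b[6], &b[7]) != 11)
        return -1;
    g->Data1 = d1; g->Data2 = (uint16_t)d2; g->Data3 = (uint16_t)d3;
    for (int i = 0; i < 8; i++) g->Data4[i] = (uint8_t)b[i];
    return 0;
}

/* Same role as RtlpSearchProtectedPolicyEntry: bsearch() comparator between the
 * key GUID and a table entry.  Bytewise ordering is an assumption. */
static int cmp_key(const void *key, const void *elem) {
    return memcmp(key, &((const struct protected_policy *)elem)->guid, sizeof(GUID));
}
static int cmp_entries(const void *a, const void *b) {
    return memcmp(&((const struct protected_policy *)a)->guid,
                  &((const struct protected_policy *)b)->guid, sizeof(GUID));
}

/* Model of RtlQueryProtectedPolicy's core (minus the shared SRW lock). */
NTSTATUS query_protected_policy(const struct protected_policy *table, size_t count,
                                const GUID *key, uintptr_t *value) {
    const struct protected_policy *e = bsearch(key, table, count, sizeof *table, cmp_key);
    if (!e) return STATUS_NOT_FOUND;
    *value = e->value;
    return STATUS_SUCCESS;
}

/* The three GUIDs the post found as callers' keys. */
static const char *const KNOWN_POLICIES[] = {
    "{1FC98BCA-1BA9-4397-93F9-349EAD41E057}",   /* RtlpAddVectoredHandler */
    "{4F6AE3A6-8B1B-4623-A293-294CD743BBD1}",   /* RtlGuardCheckLongJumpTarget */
    "{739C343A-F3E1-4ED8-AC66-8435FEB7C5A5}",   /* GUID_BasepAllowResourceConversion */
};
#define N_KNOWN (sizeof KNOWN_POLICIES / sizeof KNOWN_POLICIES[0])

/* Constructed, sorted table: KNOWN_POLICIES[i] gets the made-up value i + 1.
 * Returns the entry count, or -1 if a GUID string fails to parse. */
int build_sample_table(struct protected_policy *table) {
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (parse_guid(KNOWN_POLICIES[i], &table[i].guid) != 0) return -1;
        table[i].value = i + 1;
    }
    qsort(table, N_KNOWN, sizeof *table, cmp_entries);   /* bsearch needs sorted input */
    return (int)N_KNOWN;
}

/* Value stored for a GUID given in text form, or -1 if malformed / not in the table. */
long sample_query_value(const char *guid_str) {
    struct protected_policy table[N_KNOWN];
    GUID g; uintptr_t v = 0;
    if (build_sample_table(table) < 0 || parse_guid(guid_str, &g) != 0) return -1;
    if (query_protected_policy(table, N_KNOWN, &g, &v) != STATUS_SUCCESS) return -1;
    return (long)v;
}

int main(void) {
    for (size_t i = 0; i < N_KNOWN; i++) {
        printf("model  %s -> %ld\n", KNOWN_POLICIES[i], sample_query_value(KNOWN_POLICIES[i]));
#ifdef _WIN32
        /* Live query: resolve by name, the export is undocumented and missing from old SDKs. */
        typedef NTSTATUS (NTAPI *QueryFn)(const GUID *, ULONG_PTR *);
        QueryFn fn = (QueryFn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlQueryProtectedPolicy");
        GUID g; ULONG_PTR real = 0;
        if (fn && parse_guid(KNOWN_POLICIES[i], &g) == 0) {
            NTSTATUS st = fn(&g, &real);
            printf("ntdll  %s -> status 0x%08lx value %llu\n", KNOWN_POLICIES[i],
                   (unsigned long)st, (unsigned long long)real);
        }
#endif
    }
    return 0;
}
```

On Windows, a non-success status for one of the GUIDs simply means no policy has been set for it in the current process; a set policy is what makes RtlpAddVectoredHandler, RtlGuardCheckLongJumpTarget and CheckForReadOnlyResourceFilter change their behaviour.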
