public Windows()
{
this.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
Windows wapp = target.Application as Windows;
wapp.UserSEHOPPolicy = wapp.UserSEHOPPolicy.EffectivePolicy(wos.UserSEHOPPolicy);
};
}
/// <summary>
/// Inherit the Windows Vista RTM feature set.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsVistaRTMFeatures(this OperatingSystem.Windows os)
{
os.InheritWindowsXPSP2Features();
os.Features.Add(OperatingSystem.FeatureSet.WindowsVistaRTM);
os.MemoryRegionASLRPolicy[MemoryRegion.UserExeImageBase] = MitigationPolicy.OptIn;
os.MemoryRegionASLRPolicy[MemoryRegion.UserDllImageBase] = MitigationPolicy.OptIn;
os.MemoryRegionASLRPolicy[MemoryRegion.UserThreadStack] = MitigationPolicy.OptIn;
os.MemoryRegionASLRPolicy[MemoryRegion.UserProcessHeap] = MitigationPolicy.On;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageBase] = 8;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageCode] = 8;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageData] = 8;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageBase] = 8;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageCode] = 8;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageData] = 8;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserThreadStack] = 14;
os.MemoryRegionASLREntropyBits[MemoryRegion.UserProcessHeap] = 5;
os.UserHeapPolicy[HeapFeature.HeapBlockHeaderCookies] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapBlockHeaderEncryption] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapEncodeCommitRoutineWithPointerKey] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapTerminateOnCorruption] = MitigationPolicy.OptIn;
os.UserPointerEncodingHeapCommitRoutine = true;
os.DefaultStackProtectionEnabled = true;
os.DefaultStackProtectionVersion = StackProtectionVersion.GS_VC81;
//
// Heap termination is OptOut for 64-bit processes by default.
//
os.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
if (wos.AddressBits == 64)
{
wos.DefaultStackProtectionEntropyBits = 48;
}
else
{
wos.DefaultStackProtectionEntropyBits = 32;
}
if (wos.AddressBits == 64 && target.Application.AddressBits == 64)
{
wos.UserHeapPolicy[HeapFeature.HeapTerminateOnCorruption] = MitigationPolicy.OptOut;
}
};
}
/// <summary>
/// Inherit the Windows XP Service Pack 2 feature set.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsXPSP2Features(this OperatingSystem.Windows os)
{
os.Features.Add(OperatingSystem.FeatureSet.WindowsXPSP2);
foreach (MemoryRegion region in MemoryRegions.UserMode)
{
os.MemoryRegionNXPolicy[region] = MitigationPolicy.OptIn;
}
os.UserSafeSEHPolicy = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapFreeSafeUnlinking] = MitigationPolicy.On;
os.UserPointerEncodingUEF = true;
os.UserPointerEncodingPEBFastLockRoutine = true;
os.DefaultStackProtectionEnabled = true;
os.DefaultStackProtectionVersion = StackProtectionVersion.GS_VC7;
os.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
wos.DefaultStackProtectionEntropyBits = 16;
//
// PEB/TEB randomization is not in place for Wow64 processes.
//
if (wos.AddressBits == 32 || target.Application.AddressBits == 32)
{
wos.MemoryRegionASLRPolicy[MemoryRegion.UserPEB] = MitigationPolicy.On;
wos.MemoryRegionASLRPolicy[MemoryRegion.UserTEB] = MitigationPolicy.On;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserPEB] = 4;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserTEB] = 4;
}
wos.MemoryRegionNXPolicy[MemoryRegion.KernelThreadStack] = MitigationPolicy.On;
wos.MemoryRegionNXPolicy[MemoryRegion.KernelInitialThreadStack] = MitigationPolicy.On;
wos.MemoryRegionNXPolicy[MemoryRegion.KernelHyperspace] = MitigationPolicy.On;
if (wos.AddressBits == 64)
{
wos.MemoryRegionNXPolicy[MemoryRegion.KernelPCR] = MitigationPolicy.On;
wos.MemoryRegionNXPolicy[MemoryRegion.KernelPagedPool] = MitigationPolicy.On;
wos.MemoryRegionNXPolicy[MemoryRegion.KernelSessionPool] = MitigationPolicy.On;
wos.MemoryRegionNXPolicy[MemoryRegion.KernelDriverImage] = MitigationPolicy.On;
}
};
}
/// <summary>
/// Inherit the Windows Vista Service Pack 1 feature set.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsVistaSP1Features(this OperatingSystem.Windows os)
{
os.InheritWindowsVistaRTMFeatures();
os.Features.Add(OperatingSystem.FeatureSet.WindowsVistaSP1);
os.MemoryRegionASLRPolicy[MemoryRegion.KernelExeImage] = MitigationPolicy.On;
os.MemoryRegionASLRPolicy[MemoryRegion.KernelDriverImage] = MitigationPolicy.On;
os.MemoryRegionASLREntropyBits[MemoryRegion.KernelExeImage] = 5;
os.MemoryRegionASLREntropyBits[MemoryRegion.KernelDriverImage] = 4;
os.UserSEHOPPolicy = MitigationPolicy.OptIn;
}
/// <summary>
/// Inherit default Windows server policies.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsServerPolicies(this OperatingSystem.Windows os)
{
foreach (MemoryRegion region in Enum.GetValues(typeof(MemoryRegion)))
{
if (os.MemoryRegionNXPolicy[region] == MitigationPolicy.OptIn)
{
os.MemoryRegionNXPolicy[region] = MitigationPolicy.OptOut;
}
}
if (os.UserSEHOPPolicy != MitigationPolicy.NotSupported)
{
os.UserSEHOPPolicy = MitigationPolicy.On;
}
}
/// <summary>
/// Inherit the default Windows operating system settings.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsDefaults(this OperatingSystem.Windows os)
{
foreach (HeapFeature f in Enum.GetValues(typeof(HeapFeature)))
{
os.KernelPoolPolicies[f] = MitigationPolicy.NotSupported;
}
os.UserSEHOPPolicy = MitigationPolicy.NotSupported;
os.UserSafeSEHPolicy = MitigationPolicy.NotSupported;
os.UserASLRPolicyBottomUpHighEntropy = MitigationPolicy.NotSupported;
os.UserPointerEncodingUEF = false;
os.UserPointerEncodingPEBFastLockRoutine = false;
os.UserPointerEncodingHeapCommitRoutine = false;
}
public IE10()
{
this.RecalibrationEvent += (target) =>
{
//
// We assume that spraying is not possible in 64-bit versions of IE when running
// on Windows 8.
//
if (target.OperatingSystem.Features.Contains(OperatingSystem.FeatureSet.Windows8))
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
Application.Windows wapp = target.Application as Application.Windows;
if (wapp.AddressBits == 64)
{
wapp.CanInitializeContentViaHeapSpray = false;
wapp.UserASLRPolicyBottomUpHighEntropy = MitigationPolicy.On;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBUHE];
wos.RefreshBottomUpEntropyBits();
}
wapp.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageBase] = MitigationPolicy.On;
wapp.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageCode] = MitigationPolicy.On;
wapp.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageData] = MitigationPolicy.On;
}
if (target.OperatingSystem.Features.Contains(OperatingSystem.FeatureSet.Windows7))
{
Application.Windows wapp = target.Application as Application.Windows;
if (target.Application.AddressBits == 32 && target.Application.KernelApplication == false)
{
wapp.UserSEHOPPolicy = MitigationPolicy.On;
}
}
};
}
/// <summary>
/// Inherit the Windows 7 feature set.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsSevenFeatures(this OperatingSystem.Windows os)
{
os.InheritWindowsVistaSP1Features();
os.Features.Add(OperatingSystem.FeatureSet.Windows7);
os.KernelPoolPolicies[HeapFeature.HeapFreeSafeUnlinking] = MitigationPolicy.On;
os.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
if (wos.AddressBits == 64)
{
os.MemoryRegionASLREntropyBits[MemoryRegion.KernelDriverImage] = 8;
}
else if (wos.AddressBits == 32)
{
os.MemoryRegionASLREntropyBits[MemoryRegion.KernelDriverImage] = 6;
}
};
}
/// <summary>
/// Inherit the Windows 8 feature set.
/// </summary>
/// <param name="os"></param>
public static void InheritWindowsEightFeatures(this OperatingSystem.Windows os)
{
os.InheritWindowsSevenFeatures();
os.Features.Add(OperatingSystem.FeatureSet.Windows8);
os.MemoryRegionNXPolicy[MemoryRegion.KernelPageTablePages] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelPagedPool] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelNonPagedPool] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelInitialThreadStack] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelPCR] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelSharedUserData] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelSystemPTE] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelSystemCache] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelPFNDatabase] = MitigationPolicy.On;
os.MemoryRegionNXPolicy[MemoryRegion.KernelHALReserved] = MitigationPolicy.On;
os.MemoryRegionASLRPolicy[MemoryRegion.UserVirtualAllocBU] = MitigationPolicy.OptIn;
os.MemoryRegionASLRPolicy[MemoryRegion.UserVirtualAllocTD] = MitigationPolicy.On;
os.MemoryRegionASLRPolicy[MemoryRegion.UserPEB] = MitigationPolicy.On;
os.MemoryRegionASLRPolicy[MemoryRegion.UserTEB] = MitigationPolicy.On;
os.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageBase] = MitigationPolicy.OptIn;
os.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageCode] = MitigationPolicy.OptIn;
os.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageBase] = MitigationPolicy.OptIn;
os.UserASLRPolicyBottomUpHighEntropy = MitigationPolicy.OptIn;
os.KernelSMEPPolicy = MitigationPolicy.On;
os.KernelNullDereferencePreventionPolicy = null; // reset to null, On vs. OptOut decided based on HW.
os.KernelPoolPolicies[HeapFeature.KernelPoolQuotaPointerEncoding] = MitigationPolicy.On;
os.KernelPoolPolicies[HeapFeature.KernelPoolLookasideListCookie] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapAllocationOrderRandomization] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapPreventFreeHeapBase] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapBusyBlockIntegrityCheck] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapSegmentReserveGuardPage] = MitigationPolicy.On;
os.UserHeapPolicy[HeapFeature.HeapEncodeCommitRoutineWithPointerKey] = MitigationPolicy.NotSupported;
os.UserHeapPolicy[HeapFeature.HeapEncodeCommitRoutineWithGlobalKey] = MitigationPolicy.On;
os.DefaultStackProtectionEnabled = true;
os.DefaultStackProtectionVersion = StackProtectionVersion.GS_VC10;
//
// The NULL dereference mitigation is OptOut on x86 and on for all other architectures.
//
os.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
if (wos.KernelNullDereferencePreventionPolicy == null)
{
if (target.Hardware.ArchitectureFamily == ArchitectureFamily.I386)
{
wos.KernelNullDereferencePreventionPolicy = MitigationPolicy.OptOut;
}
else
{
wos.KernelNullDereferencePreventionPolicy = MitigationPolicy.On;
}
}
};
//
// Set ASLR entropy bits.
//
os.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
if (wos.AddressBits == 64 && target.Application.AddressBits == 64)
{
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageBase] = (target.IsAssumedTrue(AssumptionName.ApplicationLoadsDllBelow4GB)) ? (uint)14 : 19;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageBase] = (target.IsAssumedTrue(AssumptionName.ApplicationLoadsExeBelow4GB) == true) ? (uint)8 : 17;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocTD] = 17;
}
else
{
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageBase] = 8;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageBase] = 8;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocTD] = 8;
}
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageCode] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageCode];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageData] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserDllImageData];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageCode] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageCode];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageData] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserExeImageData];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU] = 8;
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBUHE] = 24;
if (wos.AddressBits == 64 && wos.UserASLRPolicyBottomUpHighEntropy != null && wos.UserASLRPolicyBottomUpHighEntropy.Value.IsOn())
{
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBUHE];
}
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserForceRelocatedImageBase] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserForceRelocatedImageCode] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserForceRelocatedImageBase];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserForceRelocatedImageData] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserForceRelocatedImageBase];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserThreadStack] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserProcessHeap] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserJITCode] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocBU];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserTEB] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocTD];
wos.MemoryRegionASLREntropyBits[MemoryRegion.UserPEB] = wos.MemoryRegionASLREntropyBits[MemoryRegion.UserVirtualAllocTD];
};
//
// Enable mitigations by default for ARM.
//
os.RecalibrationEvent += (target) =>
{
OperatingSystem.Windows wos = target.OperatingSystem as OperatingSystem.Windows;
if (target.Hardware.ArchitectureFamily == ArchitectureFamily.ARM)
{
foreach (MemoryRegion region in Enum.GetValues(typeof(MitigationPolicy)))
{
wos.MemoryRegionNXPolicy[region] = MitigationPolicy.On;
}
wos.MemoryRegionASLRPolicy[MemoryRegion.UserExeImageBase] = MitigationPolicy.On;
wos.MemoryRegionASLRPolicy[MemoryRegion.UserDllImageBase] = MitigationPolicy.On;
wos.MemoryRegionASLRPolicy[MemoryRegion.UserVirtualAllocBU] = MitigationPolicy.On;
wos.MemoryRegionASLRPolicy[MemoryRegion.UserThreadStack] = MitigationPolicy.On;
wos.MemoryRegionASLRPolicy[MemoryRegion.UserForceRelocatedImageBase] = MitigationPolicy.Off;
wos.UserASLRPolicyBottomUpHighEntropy = MitigationPolicy.Off;
wos.UserSEHOPPolicy = MitigationPolicy.NotSupported;
wos.UserHeapPolicy[HeapFeature.HeapTerminateOnCorruption] = MitigationPolicy.OptOut;
}
};
}
