public static extern NtStatus NtSetCachedSigningLevel( int Flags, SigningLevel SigningLevel, [In] IntPtr[] SourceFiles, int SourceFileCount, SafeKernelObjectHandle TargetFile );
public static extern NtStatus NtGetCachedSigningLevel( SafeKernelObjectHandle File, out int Flags, out SigningLevel SigningLevel, [Out] byte[] Thumbprint, ref int ThumbprintSize, out HashAlgorithm ThumbprintAlgorithm );
internal CachedSigningLevel(int flags, SigningLevel signing_level, byte[] thumbprint, HashAlgorithm thumbprint_algo) { Flags = (CachedSigningLevelFlags)flags; SigningLevel = signing_level; ThumbprintBytes = thumbprint; ThumbprintAlgorithm = thumbprint_algo; Thumbprint = thumbprint.ToHexString(); }
internal CachedSigningLevelEaBufferV3(int version2, int flags, SigningLevel signing_level, long usn, long last_blacklist_time, IEnumerable <CachedSigningLevelBlob> extra_data, HashCachedSigningLevelBlob thumbprint) : base(flags, signing_level, thumbprint != null ? thumbprint.Hash : new byte[0], thumbprint != null ? thumbprint.Algorithm : 0) { Version = 3; Version2 = version2; USNJournalId = usn; LastBlackListTime = DateTime.FromFileTime(last_blacklist_time); ExtraData = extra_data; }
internal CachedSigningLevelEaBufferV2(int version2, int flags, SigningLevel signing_level, long usn, long last_blacklist_time, long last_timestamp, byte[] thumbprint, HashAlgorithm thumbprint_algo, byte[] hash, HashAlgorithm hash_algo) : base(flags, signing_level, thumbprint, thumbprint_algo) { Version = 2; Version2 = version2; USNJournalId = usn; LastBlackListTime = DateTime.FromFileTime(last_blacklist_time); LastTimeStamp = DateTime.FromFileTime(last_timestamp); Hash = hash.ToHexString(); HashBytes = hash; HashAlgorithm = hash_algo; }
/// <summary> /// Set the cached signing level for a file. /// </summary> /// <param name="handle">The handle to the file to set the cache on.</param> /// <param name="flags">Flags to set for the cache.</param> /// <param name="signing_level">The signing level to cache</param> /// <param name="source_files">A list of source file for the cache.</param> /// <param name="catalog_path">Optional directory path to look for catalog files.</param> public static void SetCachedSigningLevel(SafeKernelObjectHandle handle, int flags, SigningLevel signing_level, IEnumerable <SafeKernelObjectHandle> source_files, string catalog_path) { IntPtr[] handles = source_files?.Select(f => f.DangerousGetHandle()).ToArray(); int handles_count = handles == null ? 0 : handles.Length; if (catalog_path != null) { CachedSigningLevelInformation info = new CachedSigningLevelInformation(catalog_path); NtSystemCalls.NtSetCachedSigningLevel2(flags, signing_level, handles, handles_count, handle, info).ToNtException(); } else { NtSystemCalls.NtSetCachedSigningLevel(flags, signing_level, handles, handles_count, handle).ToNtException(); } }
internal MappedFile(IEnumerable <MemoryInformation> sections, SafeKernelObjectHandle process) { MemoryInformation first = sections.First(); BaseAddress = first.AllocationBase; MemoryInformation last = sections.Last(); Size = (last.BaseAddress - BaseAddress) + last.RegionSize; Sections = sections; Path = first.MappedImagePath; IsImage = first.Type == MemoryType.Image; if (IsImage) { var image_info = NtVirtualMemory.QueryImageInformation(process, BaseAddress, false); if (image_info.IsSuccess) { ImageSigningLevel = image_info.Result.ImageSigningLevel; } } }
public static extern NtStatus NtCompareSigningLevel( SigningLevel CurrentLevel, SigningLevel CheckLevel);