public static extern NtStatus NtSetCachedSigningLevel(
int Flags,
SigningLevel SigningLevel,
[In] IntPtr[] SourceFiles,
int SourceFileCount,
SafeKernelObjectHandle TargetFile
);
public static extern NtStatus NtGetCachedSigningLevel(
SafeKernelObjectHandle File,
out int Flags,
out SigningLevel SigningLevel,
[Out] byte[] Thumbprint,
ref int ThumbprintSize,
out HashAlgorithm ThumbprintAlgorithm
);
internal CachedSigningLevel(int flags, SigningLevel signing_level, byte[] thumbprint, HashAlgorithm thumbprint_algo)
{
Flags = (CachedSigningLevelFlags)flags;
SigningLevel = signing_level;
ThumbprintBytes = thumbprint;
ThumbprintAlgorithm = thumbprint_algo;
Thumbprint = thumbprint.ToHexString();
}
internal CachedSigningLevelEaBufferV3(int version2, int flags, SigningLevel signing_level,
long usn, long last_blacklist_time, IEnumerable <CachedSigningLevelBlob> extra_data,
HashCachedSigningLevelBlob thumbprint)
: base(flags, signing_level, thumbprint != null ? thumbprint.Hash : new byte[0],
thumbprint != null ? thumbprint.Algorithm : 0)
{
Version = 3;
Version2 = version2;
USNJournalId = usn;
LastBlackListTime = DateTime.FromFileTime(last_blacklist_time);
ExtraData = extra_data;
}
internal CachedSigningLevelEaBufferV2(int version2, int flags, SigningLevel signing_level,
long usn, long last_blacklist_time, long last_timestamp,
byte[] thumbprint, HashAlgorithm thumbprint_algo, byte[] hash, HashAlgorithm hash_algo)
: base(flags, signing_level, thumbprint, thumbprint_algo)
{
Version = 2;
Version2 = version2;
USNJournalId = usn;
LastBlackListTime = DateTime.FromFileTime(last_blacklist_time);
LastTimeStamp = DateTime.FromFileTime(last_timestamp);
Hash = hash.ToHexString();
HashBytes = hash;
HashAlgorithm = hash_algo;
}
/// <summary>
/// Set the cached signing level for a file.
/// </summary>
/// <param name="handle">The handle to the file to set the cache on.</param>
/// <param name="flags">Flags to set for the cache.</param>
/// <param name="signing_level">The signing level to cache</param>
/// <param name="source_files">A list of source file for the cache.</param>
/// <param name="catalog_path">Optional directory path to look for catalog files.</param>
public static void SetCachedSigningLevel(SafeKernelObjectHandle handle,
int flags, SigningLevel signing_level,
IEnumerable <SafeKernelObjectHandle> source_files,
string catalog_path)
{
IntPtr[] handles = source_files?.Select(f => f.DangerousGetHandle()).ToArray();
int handles_count = handles == null ? 0 : handles.Length;
if (catalog_path != null)
{
CachedSigningLevelInformation info = new CachedSigningLevelInformation(catalog_path);
NtSystemCalls.NtSetCachedSigningLevel2(flags, signing_level, handles, handles_count, handle, info).ToNtException();
}
else
{
NtSystemCalls.NtSetCachedSigningLevel(flags, signing_level, handles, handles_count, handle).ToNtException();
}
}
internal MappedFile(IEnumerable <MemoryInformation> sections, SafeKernelObjectHandle process)
{
MemoryInformation first = sections.First();
BaseAddress = first.AllocationBase;
MemoryInformation last = sections.Last();
Size = (last.BaseAddress - BaseAddress) + last.RegionSize;
Sections = sections;
Path = first.MappedImagePath;
IsImage = first.Type == MemoryType.Image;
if (IsImage)
{
var image_info = NtVirtualMemory.QueryImageInformation(process, BaseAddress, false);
if (image_info.IsSuccess)
{
ImageSigningLevel = image_info.Result.ImageSigningLevel;
}
}
}
public static extern NtStatus NtCompareSigningLevel(
SigningLevel CurrentLevel, SigningLevel CheckLevel);
