https://git.reactos.org/?p=reactos.git;a=commitdiff;h=43a8d871bfacb42e3758e…
commit 43a8d871bfacb42e3758e4f647ad5e8d9bf5fc5e
Author:     Mark Harmstone <mark(a)harmstone.com>
AuthorDate: Wed Oct 9 21:28:33 2019 +0100
Commit:     Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Mon Oct 14 00:49:00 2019 +0200
    [FREELDR] Set LDRP_IMAGE_INTEGRITY_FORCED if necessary. (Part of PR #1905)
    + Add extra information.
    Co-authored-by: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
---
 boot/freeldr/freeldr/lib/peloader.c | 24 ++++++++++++++++++++++++
 sdk/include/ndk/ldrtypes.h          |  1 +
 2 files changed, 25 insertions(+)
diff --git a/boot/freeldr/freeldr/lib/peloader.c b/boot/freeldr/freeldr/lib/peloader.c
index 5a7cfa60a86..2c981cefe91 100644
--- a/boot/freeldr/freeldr/lib/peloader.c
+++ b/boot/freeldr/freeldr/lib/peloader.c
@@ -658,6 +658,24 @@ PeLdrAllocateDataTableEntry(
     DataTableEntry->Flags = LDRP_ENTRY_PROCESSED;
     DataTableEntry->LoadCount = 1;
+    /* Honour the FORCE_INTEGRITY flag */
+    if (NtHeaders->OptionalHeader.DllCharacteristics &
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
+    {
+        /*
+         * On Vista and above, the LDRP_IMAGE_INTEGRITY_FORCED flag must be set
+         * if IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY is set in the image header.
+         * This is done after the image has been loaded and the digital signature
+         * check has passed successfully. (We do not do it yet!)
+         *
+         * Several OS functionality depend on the presence of this flag.
+         * For example, when using Object-Manager callbacks the latter will call
+         * MmVerifyCallbackFunction() to verify whether the flag is present.
+         * If not callbacks will not work.
+         * (See Windows Internals Part 1, 6th edition, p. 176.)
+         */
+        DataTableEntry->Flags |= LDRP_IMAGE_INTEGRITY_FORCED;
+    }
+
     /* Insert this DTE to a list in the LPB */
     InsertTailList(ModuleListHead, &DataTableEntry->InLoadOrderLinks);
     TRACE("Inserting DTE %p, name='%.*S' DllBase=%p \n",
DataTableEntry,
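Review bot: `DataTableEntry->Flags |= LDRP_IMAGE_INTEGRITY_FORCED;` is driven only by the image's own `DllCharacteristics` bit, with no signature check behind it, so any image can claim the flag for itself. The added comment says consumers such as MmVerifyCallbackFunction() key off this flag, so until verification exists this is a known trust gap rather than a neutral compatibility bit. I would tag both this block and the placeholder comment added in the PeLdrLoadImage hunk with a greppable marker, e.g. `/* FIXME: flag is set without signature verification; gate on a successful check once implemented */`. A `TRACE` when the flag is granted unverified would also make it visible in boot logs. PeLdrAllocateDataTableEntry starts and ends outside the hunk, so whether `NtHeaders` is validated before this dereference cannot be confirmed from here.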
@@ -783,6 +801,12 @@ PeLdrLoadImage(
         return FALSE;
     }
+    /*
+     * On Vista and above, a digital signature check is performed when the image
+     * has the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag set in its header.
+     * (We of course do not perform this check yet!)
+     */
+
     /* Reload the NT Header */
     NtHeaders = RtlImageNtHeader(PhysicalBase);
diff --git a/sdk/include/ndk/ldrtypes.h b/sdk/include/ndk/ldrtypes.h
index fd5dd125943..41385ba39be 100644
--- a/sdk/include/ndk/ldrtypes.h
+++ b/sdk/include/ndk/ldrtypes.h
@@ -38,6 +38,7 @@ Author:
 #define LDRP_STATIC_LINK                        0x00000002
 #define LDRP_IMAGE_DLL                          0x00000004
 #define LDRP_SHIMENG_SUPPRESSED_ENTRY           0x00000008
+#define LDRP_IMAGE_INTEGRITY_FORCED             0x00000020
 #define LDRP_LOAD_IN_PROGRESS                   0x00001000
 #define LDRP_UNLOAD_IN_PROGRESS                 0x00002000
 #define LDRP_ENTRY_PROCESSED                    0x00004000