Windows Driver Security: Use enhanced protection of NX pool under Windows 8 and later.

author: Mounir IDRASSI <mounir.idrassi@idrix.fr> 2017-06-10 18:43:15 +0200
committer: Mounir IDRASSI <mounir.idrassi@idrix.fr> 2017-06-10 18:44:49 +0200
commit: 458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7 (patch)
tree: 89310156a81efcddc26062f69a3f5cd523929e41 /src
parent: c7cd89a24a3663cb375f9d6a901d34586d0d9192 (diff)
download: VeraCrypt-458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7.tar.gz
VeraCrypt-458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7.zip
4 files changed, 22 insertions, 4 deletions
diff --git a/src/Common/Tcdefs.h b/src/Common/Tcdefs.h
index 149603a2..7c8382c3 100644
--- a/src/Common/Tcdefs.h
+++ b/src/Common/Tcdefs.h
@@ -235,7 +235,15 @@ void ThrowFatalException(int line);
 #include <ntddk.h>		/* Standard header file for nt drivers */
 #include <ntdddisk.h>		/* Standard I/O control codes  */
 
-#define TCalloc(size) ((void *) ExAllocatePoolWithTag( NonPagedPool, size, 'MMCV' ))
+/* defines needed for using enhanced protection of NX pool under Windows 8 and later */
+#define NonPagedPoolNx  512
+#define MdlMappingNoExecute     0x40000000
+
+/* variables used in the implementation of enhanced protection of NX pool under Windows 8 and later */
+extern POOL_TYPE ExDefaultNonPagedPoolType;
+extern ULONG ExDefaultMdlProtection;
+
+#define TCalloc(size) ((void *) ExAllocatePoolWithTag( ExDefaultNonPagedPoolType, size, 'MMCV' ))
 #define TCfree(memblock) ExFreePoolWithTag( memblock, 'MMCV' )
 
 #define DEVICE_DRIVER
diff --git a/src/Driver/DumpFilter.c b/src/Driver/DumpFilter.c
index ff570b1e..ca921d27 100644
--- a/src/Driver/DumpFilter.c
+++ b/src/Driver/DumpFilter.c
@@ -189,7 +189,7 @@ static NTSTATUS DumpFilterWrite (PFILTER_EXTENSION filterExtension, PLARGE_INTEG
 	if ((offset & (ENCRYPTION_DATA_UNIT_SIZE - 1)) != 0)
 		TC_BUG_CHECK (STATUS_INVALID_PARAMETER);
 
-	writeBuffer = MmGetSystemAddressForMdlSafe (writeMdl, HighPagePriority);
+	writeBuffer = MmGetSystemAddressForMdlSafe (writeMdl, (HighPagePriority | ExDefaultMdlProtection));
 	if (!writeBuffer)
 		TC_BUG_CHECK (STATUS_INSUFFICIENT_RESOURCES);
 
diff --git a/src/Driver/EncryptedIoQueue.c b/src/Driver/EncryptedIoQueue.c
index 7f50ec30..400416b7 100644
--- a/src/Driver/EncryptedIoQueue.c
+++ b/src/Driver/EncryptedIoQueue.c
@@ -638,7 +638,7 @@ static VOID MainThreadProc (PVOID threadArg)
 				{
 					UINT64_STRUCT dataUnit;
 
-					dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
+					dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, (HighPagePriority | ExDefaultMdlProtection));
 					if (!dataBuffer)
 					{
 						TCfree (buffer);
@@ -758,7 +758,7 @@ static VOID MainThreadProc (PVOID threadArg)
 				continue;
 			}
 
-			dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, HighPagePriority);
+			dataBuffer = (PUCHAR) MmGetSystemAddressForMdlSafe (irp->MdlAddress, (HighPagePriority | ExDefaultMdlProtection));
 
 			if (dataBuffer == NULL)
 			{
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index a84ada37..4172a193 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -92,6 +92,9 @@ static BOOL SystemFavoriteVolumeDirty = FALSE;
 static BOOL PagingFileCreationPrevented = FALSE;
 static BOOL EnableExtendedIoctlSupport = FALSE;
 
+POOL_TYPE ExDefaultNonPagedPoolType = NonPagedPool;
+ULONG ExDefaultMdlProtection = 0;
+
 PDEVICE_OBJECT VirtualVolumeDeviceObjects[MAX_MOUNTED_VOLUME_DRIVE_NUMBER + 1];
 
 
@@ -109,6 +112,13 @@ NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 
 	Dump ("OsMajorVersion=%d OsMinorVersion=%d\n", OsMajorVersion, OsMinorVersion);
 
+	// NX pool support is available starting from Windows 8
+	if ((OsMajorVersion > 6) || (OsMajorVersion == 6 && OsMinorVersion >= 2))
+	{
+		ExDefaultNonPagedPoolType = (POOL_TYPE) NonPagedPoolNx;
+		ExDefaultMdlProtection = MdlMappingNoExecute;
+	}
+
 	// Load dump filter if the main driver is already loaded
 	if (NT_SUCCESS (TCDeviceIoControl (NT_ROOT_PREFIX, TC_IOCTL_GET_DRIVER_VERSION, NULL, 0, &version, sizeof (version))))
 		return DumpFilterEntry ((PFILTER_EXTENSION) DriverObject, (PFILTER_INITIALIZATION_DATA) RegistryPath);
author	Mounir IDRASSI <mounir.idrassi@idrix.fr>	2017-06-10 18:43:15 +0200
committer	Mounir IDRASSI <mounir.idrassi@idrix.fr>	2017-06-10 18:44:49 +0200
commit	458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7 (patch)
tree	89310156a81efcddc26062f69a3f5cd523929e41 /src
parent	c7cd89a24a3663cb375f9d6a901d34586d0d9192 (diff)
download	VeraCrypt-458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7.tar.gz VeraCrypt-458bb091bb8e6ffa73a1c7c9736e93b52a0a95d7.zip