Can I have any way to detect the Driver Signing Policy status? - c++

I have a modified driver and must be installed when driver signing is disabled, so I want to detect this status to remind users to reboot to SafeMode.
I had tried this command : Bcdedit.exe -set TESTSIGNING OFF, but failed and prompted
An error has occurred setting the element data.
The value is protected by Secure Boot policy and cannot be modified or deleted.
Umm..is there any way can do it?
————————
PS:
In fact, my laptop model is MSI GS70 2PE. I don't think it's a cheap one even the lastest published GS73 cannot supported full win10 gestures.And it supports Windows10 but MSI truly doesn't release the lastest driver.If I only modified and use it by myself, nothing worth mentioning.However, I want to share it in forum to help other general users to use.
Am I doing something wrong? Cannot understanding why someone talks about other things.

Use the following code to detect whether or not TESTSIGNING is enabled:
#include <Winternl.h>
#pragma comment(lib, "ntdll.lib")
//Check if testsigning is enabled
SYSTEM_CODEINTEGRITY_INFORMATION sci = {0};
ULONG dwcbSz = 0;
sci.Length = sizeof(sci);
if(NtQuerySystemInformation(
/*SystemCodeIntegrityInformation*/ (SYSTEM_INFORMATION_CLASS)0x67,
&sci,
sizeof(sci),
&dwcbSz) >= 0 &&
dwcbSz == sizeof(sci))
{
BOOL bTestsigningEnabled = !!(sci.CodeIntegrityOptions & /*CODEINTEGRITY_OPTION_TESTSIGN*/ 0x2);
//Note that testsigning will play no role if bit CODEINTEGRITY_OPTION_ENABLED (or 0x1) is not set in sci.CodeIntegrityOptions
}

I would rather wrap this into a nicer function like so:
bool IsSystemCodeIntegrityEnabled() {
typedef NTSTATUS(__stdcall* td_NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
struct SYSTEM_CODEINTEGRITY_INFORMATION {
ULONG Length;
ULONG CodeIntegrityOptions;
};
static td_NtQuerySystemInformation NtQuerySystemInformation = (td_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
SYSTEM_CODEINTEGRITY_INFORMATION Integrity ={ sizeof(SYSTEM_CODEINTEGRITY_INFORMATION), 0 };
NTSTATUS status = NtQuerySystemInformation(103, &Integrity, sizeof(Integrity), NULL);
return (NT_SUCCESS(status) && (Integrity.CodeIntegrityOptions & 1));
}

Related

Find what is the channel using Windows API

I am trying to get the Channel using the windows API. So far, I have tried to use the wlan_intf_opcode_channel_number with the WlanQueryInterface function.
I am not too sure what the reply means on that thread and was hoping someone could clarify.
ULONG channel = 0;
DWORD dwSizeChannel = sizeof(channel);
dwResult = WlanQueryInterface(
hClient,
InterfaceGuid,
wlan_intf_opcode_channel_number,
NULL,
&dwSizeChannel,
(PVOID*)&channel,
NULL);
I am not sure what to do after here. Any help would be appreciated!
After checking i found out that i always get the same value as channel has befor calling the WlanQueryInterface
The MS docs for the op-code seems to be wrong. If you try something similar here:
ULONG *channel = NULL;
DWORD dwSizeChannel = sizeof(*channel);
DWORD rc = WlanQueryInterface (
hClient, InterfaceGuid,
wlan_intf_opcode_channel_number,
NULL, &dwSizeChannel, &channel, NULL);
if (rc == ERROR_SUCCESS && channel) {
printf ("Channel: %lu\n", *channel):
WlanFreeMemory (channel);
}
I do get the expected Channel: 5.
The same goes for wlan_intf_opcode_current_operation_mode and possibly other op-codes that's simply an ULONG.
I tried out WlanQueryInterface with the inputs from the documentation:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms706765(v=vs.85).aspx
When query based on "wlan_intf_opcode_channel_number" was triggered, I got the data as "13". And the frequency could be made out as 2472Mhz from the WLAN information provided by the following wikipedia link:
https://en.wikipedia.org/wiki/List_of_WLAN_channels
Hope this helps.

My code doesn't work on Windows XP

since Win-7 drag and drop implementation has changed, to make it work I need to enable some stuff using ChangeWindowMessageFilter.
There is a problem. ChangeWindowMessageFilter is valid since Vista, however I need solution for XP as well.
Well, you should try call it dynamically, for that you need LoadLibrary and GetProcAddress.
Sample usage
if (/*IsVista()*/)
{
typedef BOOL (WINAPI *ChangeMessageFilter)(UINT message, DWORD dwFlag);
#define MSGFLT_ADD 1
#define MSGFLT_REMOVE 2
BOOL res = FALSE;
HMODULE user32 = LoadLibrary(L"User32.dll");
if (user32 != NULL)
{
ChangeMessageFilter filter = (ChangeMessageFilter)::GetProcAddress(user32, "ChangeWindowMessageFilter");
if (filter != NULL)
{
res = filter(/*your value*/, MSGFLT_ADD);
}
::FreeLibrary(user32);
}
}
Another thing, you should better use ChangeWindowMessageFilterEx as it is enables messages receiving for only one window, not all project.

WNetEnumResource returns incomplete results

i writing a program that lists Windows network shared objects, using WNet functions. i noticed that, on some reason, WNetEnumResource function retrieve just my local shares, although the explorer sees much more objects. what could be causing this?
here's code:
dwResult = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY,
RESOURCEUSAGE_CONNECTABLE | RESOURCEUSAGE_CONTAINER, lpnr, &hEnum);
................
dwResultEnum = WNetEnumResource(hEnum, &cEntries, lpnrLocal, &cbBuffer);
that's what i got:
Microsoft Terminal Services network
Microsoft Windows Network network
WORKGROUP domain
\\MOSKKM server
\\MOSKKM\HP LaserJet 3055 PCL5 share
\\MOSKKM\share share
\\MOSKKM\soft share
\\MOSKKM\tunnel share
Web Client Network network
my system is Win7, i use an administrator account, and no antiviruses or firewalls running. and also on bridged VirtualBox VM hosted on the same machine it works correct (however, for a long time). what's might be wrong? maybe there are some other ways to solve this problem, not using WNet functions?
and also: WNetEnumResource gives up shared objects sorted by alphabet. i can't imagine any approach how to parallelize this process. any ideas?
I think you need to write recursive function to enumerate the network resources,
To enumerate all network resources, an application can begin the enumeration by calling WNetOpenEnum with the lpNetResource parameter set to NULL, and then use the returned handle to call WNetEnumResource to enumerate resources. If one of the resources in the NETRESOURCE array returned by the WNetEnumResource function is a container resource, you can call WNetOpenEnum to open the resource for further enumeration. (MSDN: WNetOpenEnum)
int EnumNetRes(NETRESOURCE *lpNetRes)
{
DWORD dwResult;
DWORD dwCount = -1;
DWORD dwSize = sizeof(NETRESOURCE)*MAX_NET_RESOURCES;
HANDLE hEnum;
dwResult = WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_ANY,
RESOURCEUSAGE_CONNECTABLE | RESOURCEUSAGE_CONTAINER, lpNetRes, &hEnum);
if(dwResult != NO_ERROR)
{
cerr << "WNetOpenEnum failed, error: " << dwResult << endl;
//...
return 1;
}
NETRESOURCE NetResources[MAX_NET_RESOURCES]; // #define MAX_NET_RESOURCES 1024
dwResult = WNetEnumResource(hEnum, &dwCount, NetResource, dwSize);
if(dwResult != NO_ERROR)
{
//...
return 1;
}
for( int i=0; i<dwCount; i++){
//...
// retrieve of information about resource
//...
if(NetResources[i].dwUsage & RESOURCEUSAGE_CONTAINER)
EnumNetRes(&NetResources[i]);
}
}

Driver on 64 bit

I have a driver code which works good on 32 bit. On 64 bit i compiled it and also digitally signed it. The driver loads but fails to work properly. The main functionality of the driver to to register process creation and termination to my program in call back. So i have two IOCTL working. The code is as follows..
NTSTATUS DispatchIoctl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
PDEVICE_EXTENSION extension = DeviceObject->DeviceExtension;
PPROCESS_CALLBACK_INFO pProcCallbackInfo;
//
// These IOCTL handlers are the set and get interfaces between
// the driver and the user mode app
//
switch(irpStack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_PROCOBSRV_ACTIVATE_MONITORING:
{
ntStatus = ActivateMonitoringHanlder( Irp );
break;
}
case IOCTL_PROCOBSRV_GET_PROCINFO:
{
if (irpStack->Parameters.DeviceIoControl.OutputBufferLength >= sizeof(PROCESS_CALLBACK_INFO))
{
pProcCallbackInfo = Irp->AssociatedIrp.SystemBuffer;
pProcCallbackInfo->hParentId = extension->hParentId;
pProcCallbackInfo->hProcessId = extension->hProcessId;
pProcCallbackInfo->bCreate = extension->bCreate;
ntStatus = STATUS_SUCCESS;
}
break;
}
default:
break;
}
Irp->IoStatus.Status = ntStatus;
//
// Set number of bytes to copy back to user-mode
//
if(ntStatus == STATUS_SUCCESS)
Irp->IoStatus.Information = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
else
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return ntStatus;
}
when i call
bReturnCode = ::DeviceIoControl(
hDriverFile,
IOCTL_PROCOBSRV_ACTIVATE_MONITORING,
&activateInfo,
sizeof(activateInfo),
NULL,
0,
&dwBytesReturned,
NULL
);
The code succeeds but when i call
bReturnCode = ::DeviceIoControl(
m_hDriverFile,
IOCTL_PROCOBSRV_GET_PROCINFO,
0,
0,
&callbackInfo, sizeof(callbackInfo),
&dwBytesReturned,
&ov
);
getLastError returns 31. Can anyone help me with this. Is it a problem of IOCTL structure with 64 bit? Please help me find a solution to this. Thanks..
If you don't have driver debugging experience, try to diagnose this problem using trace. Add KdPrint lines to your code in all places where it is necessary, for example:
case IOCTL_PROCOBSRV_GET_PROCINFO:
{
KdPrint(("IOCTL_PROCOBSRV_GET_PROCINFO. OutputBufferLength = %d\n", irpStack->Parameters.DeviceIoControl.OutputBufferLength));
KdPrint(("sizeof(PROCESS_CALLBACK_INFO) = %d\n", sizeof(PROCESS_CALLBACK_INFO)));
if (irpStack->Parameters.DeviceIoControl.OutputBufferLength >= sizeof(PROCESS_CALLBACK_INFO))
{
pProcCallbackInfo = Irp->AssociatedIrp.SystemBuffer;
pProcCallbackInfo->hParentId = extension->hParentId;
pProcCallbackInfo->hProcessId = extension->hProcessId;
pProcCallbackInfo->bCreate = extension->bCreate;
KdPrint(("IOCTL_PROCOBSRV_GET_PROCINFO. STATUS_SUCCESS\n"));
ntStatus = STATUS_SUCCESS;
}
break;
}
This is just a sample, add KdPrint lines to all places to understand what happens. Build the driver in checked configuration, install it and run your program. See KdPrint output in DbgView program, with Caprure Kernel option enabled.
You can use DbgPrint instead of KdPrint, in this case it will work also in free driver configuration.
Edit:
How is PROCESS_CALLBACK_INFO defined? What is client code that calls the driver? Is client compiled as 32 or 64 bit? Passing a structure between client and driver, ensure that it doesn't contain bitness-dependent fields (has the same size when compiled both in 32 and 64 bit), and structure padding is the same.
Not too much information here, but you could always check that the size of your own defined structures are the same in the compiled user-mode client and the driver when running 64-bit. There might be packing/alignment issues that can be fixed by using #pragma pack (or whatever your compiler supports) for your structs.
As a general rule also try to set the status code to a more specific value on detected problems, such as e.g. STATUS_BUFFER_TOO_SMALL if you detect that a passed buffer is too small. I suspect that this isn't the actual issue here when using the IOCTL_PROCOBSRV_GET_PROCINFO IOCTL as you are getting back Win32 error 31, but it helps clients to troubleshoot their problems in general.
Update: As the differences actually seem to mismatch judging from your comments, try to surround the struct definitions with packing and then make sure to recompile both the client and driver. Example if you are using the Visual C++ compiler:
#pragma pack(push, 8) // Save current packing and set to 8-byte
typedef struct _PROCESS_CALLBACK_INFO
{
// Whatever ...
} PROCESS_CALLBACK_INFO;
#pragma pack(pop) // Restore previous packing
I found the answer. Thanks to the debugging. As mention earlier the outputBufferLength was less than the structure length due to which the driver was failing.
The outputBufferLength depands on the size of the struct you pass while calling the following function..
bReturnCode = ::DeviceIoControl(
m_hDriverFile,
IOCTL_PROCOBSRV_GET_PROCINFO,
0,
0,
&callbackInfo, sizeof(callbackInfo),
&dwBytesReturned,
&ov
);
So callbackInfo size was 12 so the outputBufferLength = 12. The structure callbackInfo has DWORD datamember which for 64 bit had to be DWORD64. When i changed the datatype of the member in the structure and then called the DeviceIOControl function , the driver worked great and the outputBufferLength was = 24 as expected. Thanks for all your help.

How to get Version of the software?

I am working on getting the version of the Software which is installed on the Computer. I have implemented the logic for reading the Uninstall hive of registry, but i have observed that some of the software are not having version entries in the Uninstall hive of the registry. But i want to show the version of those softwares also.
Can some one help me out in this regard?
Supplying a software version to the registry of Windows is voluntary. If the developer of the software you're looking at chose to not display the version there or was simply unaware of such possibility, I am unable to point you to any other location he would choose to use or be aware of. In fact, the software might not even have a version number/name.
Ask yourself this: Where else is the Version detail of the software available if not in the registry? If it is available somewhere else other than registry, ask us if you could get that detail using C++. I guess this would be a better approach to solve your issue.
Added the information below since OP is looking for file version
See if the below code could help you.
CString GetFileVersionInfo(CString strFile, CString strProperty)
{
int rc;
UINT nLen;
DWORD nSize;
DWORD dwHandle = 0;
CString strBuffer;
CString strValue;
CString strBlock;
void *lpPropertyBuffer;
struct LANGANDCODEPAGE
{
WORD wLanguage;
WORD wCodePage;
} *lpTranslate;
nSize = GetFileVersionInfoSize(strFile.GetBuffer(strFile.GetLength()), &dwHandle);
::GetFileVersionInfo(strFile.GetBuffer(strFile.GetLength()), 0, nSize, strBuffer.GetBuffer(nSize));
// Read the list of languages and code pages.
if (VerQueryValue(strBuffer.GetBuffer(strBuffer.GetLength()), "\\VarFileInfo\\Translation", (LPVOID *) &lpTranslate, &nLen))
{
strBlock.Format("\\StringFileInfo\\%04x%04x\\%s",
lpTranslate->wLanguage,
lpTranslate->wCodePage,
strProperty);
rc = VerQueryValue(strBuffer.GetBuffer(strBuffer.GetLength()), strBlock.GetBuffer(nSize), &lpPropertyBuffer, &nLen);
if (rc != 0 && nLen > 0)
{
strncpy(strValue.GetBuffer(nLen + 1), (char *) lpPropertyBuffer, nLen);
strValue.ReleaseBuffer(nLen);
}
}
return strValue;
}
user version.lib while linking and you might need winver.h for compilation. You can call the function like this
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int nRetCode = 0;
// initialize MFC and print and error on failure
if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
{
// TODO: change error code to suit your needs
cerr << _T("Fatal Error: MFC initialization failed") << endl;
nRetCode = 1;
}
else
{
AfxMessageBox(GetFileVersionInfo("shell32.dll", "ProductVersion"));
}
return nRetCode;
}
I'd say look at the file version information. And you might find this article useful on how the Add/Remove Programs dialog gets its information.
If the software developers chose not to add version information into Uninstall information, then there's no reliable way to get it.
You can try to find where application is installed. But even if you have the path, the application can consist of several .exe files which can have different versions and product names. If you add DLLs into the candidate list for getting version information, your results become even less predictable.