Commit Graph

42 Commits

Author SHA1 Message Date
Jason A. Donenfeld
899e085a91 api: build with WDK
Makes builds more reproducable, as we can do our next release using the
EWDK, an all-in-one ISO of build tools from Microsoft.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-23 20:20:43 +02:00
Jason A. Donenfeld
005af4a9c7 api: use SuggestedInstanceId instead of NetSetupAnticipatedInstanceId
All was well with NetSetupAnticipatedInstanceId, until a bug crept into
recent Windows builds that caused old GUIDs not to be properly removed,
resulting in subsequent adapter creations to fail, because NetSetup
AnticipatedInstanceId considers it fatal when the target GUID
already exists, even if in diminished form.

The initial solution was to detect cruft, and then steal a
TrustedInstaller token and sleuth around the registry cleaning things
up. The horror!

Uncomfortable with this, I reopened IDA and had a look around with fresh
eyes, three years after the original discovery of NetSetupAnticipated
InstanceId. There, I found some interesting behavior in
NetSetupSvcDeviceManager::InstallNetworkInterfaces, which amounts to
something like:

    if (IsSet("RetiredNetCfgInstanceId") {
      if (IsSet("NetSetupAnticipatedInstanceId")
        DeleteAdapter(GetValue("RetiredNetCfgInstanceId"));
      else
        Set("NetSetupAnticipatedInstanceId", GetValue("RetiredNetCfgInstanceId"));
      Delete("RetiredNetCfgInstanceId");
    }
    CreateAdapter = TRUE;
    if (IsSet("NetSetupAnticipatedInstanceId")) {
      Guid = GetValue("NetSetupAnticipatedInstanceId");
      if (AdapterAlreadyExists(Guid))
        CreateAdapter = FALSE;
      else
        SetGuidOfNewAdapter(Guid);
      Delete("NetSetupAnticipatedInstanceId");
    } else if (IsSet("SuggestedInstanceId")) {
      Guid = GetValue("SuggestedInstanceId");
      if (!AdapterAlreadyExists(Guid))
        SetGuidOfNewAdapter(Guid);
      Delete("SuggestedInstanceId");
    }

Thus, one appealing strategy would be to set both NetSetupAnticipated
InstanceId and RetiredInstanceId to the same value, and let the service
handle deleting the old one for us before creating the new one.
However, the cleanup of the old adapter winds up being quasi-
asynchronous, and thus we still wind up in the CreateAdapter = FALSE
case.

So, the remaining strategy is to simply use SuggestedInstanceId instead.
This has the behavior that if there's an adapter already in use, it'll
use a new random GUID. The result is that adapter creation won't fail.

That's not great, but the docs have always made it clear that
"requested" is a best-effort sort of thing. Plus, hopefully the creation
of the new adapter will help nudge the bug a bit and cleanup the old
cruft. In some ways, transitioning from our old strategy of "cudgel the
registry until we get the GUID we want" to "ask politely and accept no
for an answer" is a disappointing regression in functionality. But it
also means we don't need to keep crazy token stealing code around, or
fish around in the registry dangerously. This probably also increases
the likelihood that an adapter will be created during edge cases, which
means fewer errors for users, which could be a good thing. On the
downside, we have the perpetual tensions caused by a system that now
"fails open" instead of "fails closed". But so it goes in Windows land.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-09 17:08:28 +02:00
Jason A. Donenfeld
a3a1fa8931 api: delay load remaining dlls to work around forwarder gotchas
RtlGenRandom forwards to cryptbase.dll, which is not in KnownDlls.
Therefore it's not a good idea to link to advapi32.dll at link time. How
many other gotchas of unusual forwarded functions are there? I don't
really want to find out. Therefore, delay load everything else.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-27 14:52:03 +01:00
Jason A. Donenfeld
0d214d7254 api: do not call UpdateDriverForPlugAndPlayDevicesW
This seems to reset a number of device properties, and our update flow
seems to update old adapters without needing to call this.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-09 15:14:33 +01:00
Jason A. Donenfeld
8861fdc316 api: add cfgmgr32.dll to delayed load list
It's in the registry but not in the NT object key.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-05 16:58:43 +01:00
Simon Rozman
b8401ad25b api: upgrade nci.lib and wintun-inf.h building
The additional build steps performed are now attached to the build
process using BeforeTargets/AfterTargets.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-11-04 16:44:01 +01:00
Simon Rozman
0a51e26730 api: include the rundll32 helpers the MSVC-typical way
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-11-04 13:21:42 +01:00
Jason A. Donenfeld
677ba8680f wintun: extract inf driverver at compile time into C header
This requires us to make some insane conversions between INF date,
JavaScript time, and finally Windows file time. The point is to mimic
SystemTimeToFileTime, which is what SpInf.dll's pSetupStringToDriverDate
does on the YYYY-MM-DD from the INF.

The result is that we no longer have to parse an ancient text format in
C at runtime.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-03 18:29:52 +01:00
Jason A. Donenfeld
55345ae386 api: move nci.lib generation to custom step
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-03 16:10:16 +01:00
Jason A. Donenfeld
90a33d9cc6 api: move undocumented ntdll symbols to ntdll.h
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-03 15:28:17 +01:00
Jason A. Donenfeld
04437fd668 api: conditionalize quasi expensive prelinkevent
It would be better to do this only if either nci.def or nci.h are newer
than nci.lib, but who knows if msbuild is expressive enough for this.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-03 11:17:50 +01:00
Jason A. Donenfeld
353cfa562e api: begin to separate rundll32 jumps
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-03 02:25:20 +01:00
Jason A. Donenfeld
9a937c7a49 example: rewrite and replace api's debug rundll32 functionality
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-02 23:42:43 +01:00
Jason A. Donenfeld
724508d61f api: make nci.lib work on x86
This is an appalling hack. We need the lib tool to generate a coff lib
with the "undecorate" parameter. And apparently the only way to do this
with the MSVC tools is by making a stub object, and then rewriting the
symbols using the def file. See Q131313 for Microsoft-sanctioned
details.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-02 11:38:02 +01:00
Simon Rozman
a8f82d5cbf test: introduce a demo client
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-11-01 00:00:14 +01:00
Jason A. Donenfeld
6c40f24498 api: add debugging rundll32 entry point
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 19:11:56 +01:00
Jason A. Donenfeld
62f21f2fdd api: link to nci.dll at compile time
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-31 19:11:51 +01:00
Jason A. Donenfeld
937eb44727 api: get rid of pch and make headers sane
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 19:11:51 +01:00
Jason A. Donenfeld
c5b05150c6 api: simplify build settings
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 19:11:51 +01:00
Jason A. Donenfeld
0faba6c3e8 api: use NT api directly for enumerating kernel modules
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 19:11:51 +01:00
Jason A. Donenfeld
e7a85b7b28 api: attempt to upgrade currently running adapters
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 19:11:50 +01:00
Jason A. Donenfeld
f947205cee api: use proper iso atomic semantics
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 19:11:50 +01:00
Jason A. Donenfeld
7964694e1e api: elevate only when needed for system operations
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 10:41:49 +01:00
Simon Rozman
779d0e0c38 api: simplify driver selection by always including EV driver
When Windows 7-8.1 support is sunset, there will be no more EV driver
deployment at all.

Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-31 10:41:49 +01:00
Jason A. Donenfeld
c928ad4de7 api: fix dll hijacking vulns
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-10-31 10:41:48 +01:00
Simon Rozman
abf6962144 api: simplify driver removal
When we install the Wintun driver to the store, we get exact oem<nn>.inf
filename of the driver in the store we just installed. Since the
installation should be only temporarily, we should uninstall only the
driver we installed.

This also eliminates the need for iterating driver store speeding up
things.

The code we removed was inherited from the installer.dll, where it made
perfect sense to remove all installed Wintun drivers in the update
process.

Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-31 10:41:48 +01:00
Simon Rozman
77459a130a Add ARM driver compilation
This adds the ARM driver to the list of Wintun drivers we compile for
future deployment. Since we're not in position to test it in the real
world, any feedback is greatly appreciated.

Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-31 10:41:48 +01:00
Simon Rozman
4b8f879fd6 api: add ring management
Rather than every client reinvent the art of using the Wintun and its
ring buffers, we offer helper structs and functions to unify and
simplify Wintun usage.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:51:01 +01:00
Simon Rozman
449876fdfd api: introduce wintun.h
The SDK header for deployment containing datatype and function
declarations for use by C/C++ clients.

As we shall not distribute MSVC wintun.lib files, making clients need to
use GetProcAddress(), this file contains function type declarations
rather then __declspec(dllimport) function declarations.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:51:01 +01:00
Simon Rozman
9a16d4e3cc api: build the bridge from WoW64 to native in
SetupAPI fails to create a device in WoW64 processes. x86 (and arm)
wintun.dll pack the amd64 and arm64 wintun.dll now, and use rundll32 to
create a native process to do the job where required.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:51:00 +01:00
Simon Rozman
b79703bba8 vcxproj: swap configuration and platform subfolder hierarchy
This should allow wintun.dll to simplify referencing same configuration
but different platform wintun.dll for WoW64 support.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:51:00 +01:00
Simon Rozman
16a9737578 api: internal reorganization
Gather adapter management in adapter.h/.c (formerly devmgmt.h/.c) and
unify HwID tests.

Use "Namespace" namespace in all functions from namespace.h/.c.

Fix char strings in LOG_...

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:51:00 +01:00
Simon Rozman
c324d07ffb api: add driver management
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:59 +01:00
Simon Rozman
f316c13b3e api: introduce logging
And other unifications with installer before merging.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:59 +01:00
Simon Rozman
abd20337e2 api: split api.h
As the project grew, api.h got bloated.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:59 +01:00
Simon Rozman
5925f914e4 api: add support for WoW64
Some functions of SetupAPI only work when invoked from a native process.
Registry and filesystem reflection makes them fail on WoW64. For WoW64
processes, a minimum set of rundll32 functions are provided.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:59 +01:00
Simon Rozman
0a986ce9fc api: add pre-compiled header support
...for super-fast compilation.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:58 +01:00
Simon Rozman
7e3740018d api: finish porting from wireguard-go
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:58 +01:00
Simon Rozman
d3a63116ba api: port GetInterface member from wireguard-go
Mind that this also fixes the order of adapter detection checks. A fast
test to eliminate non-Wintun adapters from iteration to speed things up
rendered the method incapable of detecting a non-Wintun adapter with the
name we are looking for.

ERROR_OBJECT_NOT_FOUND was replaced with ERROR_FILE_NOT_FOUND.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:58 +01:00
Simon Rozman
3fa45fec71 api: port nci package from wireguard-go
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:58 +01:00
Simon Rozman
6f55786c65 api: port tun\wintun\namespace_windows.go from wireguard-go
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:58 +01:00
Simon Rozman
0ef8578c81 api: add skeleton for wintun.dll
Signed-off-by: Simon Rozman <simon@rozman.si>
2020-10-30 16:50:58 +01:00