Commit Graph

547 Commits

Author SHA1 Message Date
Jason A. Donenfeld
cac40b0629 example: remove overly specific casts
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-15 00:41:12 +00:00
Jason A. Donenfeld
194f36f6c0 api: header: fix typo
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-14 16:30:24 -06:00
Jason A. Donenfeld
470bdf3e26 api: use proper instance id bounds
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-14 06:51:22 +00:00
Jason A. Donenfeld
80aab77c19 api: adapter: handle cases explicitly in dev query callback
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-14 05:28:09 +00:00
Jason A. Donenfeld
21958630ed downlevelshim: remove in preparation for full WHQL
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-13 17:34:17 +00:00
Jason A. Donenfeld
a6fe84c692 README: correct solution name
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-12 22:58:30 -06:00
Jason A. Donenfeld
ef42ddf640 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-12 19:10:36 +00:00
Jason A. Donenfeld
d8fe1419fb driver: automatically close long-lived handle
There's only one handle that's likely to be open in a long-lived way:
the tun registration handle. So we can force that closed automatically
when the device is about to close, if it's been improperly left open.
Other handles will indeed hold up closing, but if those exist, they're a
sign of a larger bug elsewhere that should be addressed. On the other
hand, tun registration handles might legitimately be open during driver
upgrades. This also saves us the trouble of dereferencing a freed
FileObject as in the general case.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-12 18:55:24 +00:00
Jason A. Donenfeld
544fdaaf8f api: rewrite based on SwDevice
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-12 18:54:20 +00:00
Simon Rozman
c69ec758d1 proj: remove SDV and DVL support
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-10-11 10:16:18 -06:00
Jason A. Donenfeld
98cf23c410 api: adapter: cleanup wintrust shim if install fails
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-28 10:39:47 -06:00
Jason A. Donenfeld
47c8eda1d5 driver: inf: remove LoadOrderGroup
It's useless for PnP drivers.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-24 11:52:25 -06:00
Jason A. Donenfeld
a90b308890 driver: allow userspace to write garbage
Not discouraging userspace from skipping checking IP packets seems like
a bad thing, but they skip it anyway, so at least avoid the DoS due to
API misuse.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-16 12:08:33 +00:00
Simon Rozman
7e2002283e driver: Replace deprecated ExAllocatePoolWithTag
CodeQL with Windows-Driver-Developer-Supplemental-Tools suggests the
ExAllocatePoolWithTag() should no longer be used. The Static Tools Logo
Test in HLK spots this in the DVL log and fails.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-09-13 08:58:30 +02:00
Jason A. Donenfeld
ef48951654 example: disable dad for faster startup
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-09 20:43:25 +00:00
Simon Rozman
3e685569a1 props: invert SDVHacks logic
SDV is allergic to code analysis. So, when we're doing SDV (SDVHacks is
"true"), we need to turn the code analysis off.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-08-25 12:02:01 +02:00
Simon Rozman
4527f40474 .gitignore: ignore CodeQL output
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-08-25 11:55:43 +02:00
Simon Rozman
b239eb6505 props: unify import .lib of DLLs
This moves downlevelshim.lib and those .lib from any future DLLs in this
repo to the matching IntDir.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-08-10 12:01:26 +02:00
Jason A. Donenfeld
42030404e0 api: rundll32: make empty string if no instance id
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-08 16:42:37 +02:00
Jason A. Donenfeld
6cf6f42f07 driver: mark as network driver rather than system driver
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-07 15:06:20 +02:00
Jason A. Donenfeld
82a6130341 props: tie code analysis to sdv hacks rather than debug builds
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-04 04:09:02 +02:00
Jason A. Donenfeld
73a4cffee0 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-02 04:49:14 +02:00
Jason A. Donenfeld
caae8bca33 proj: fix header lines
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-02 04:49:13 +02:00
Jason A. Donenfeld
21d8e66e04 api: incorporate new win7 code signing technique
https://git.zx2c4.com/downlevel-driver-enabler/about/

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-02 04:49:13 +02:00
Jason A. Donenfeld
8967516baf proj: clean up loose ends
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-02 01:04:35 +02:00
Jason A. Donenfeld
acc9ee7f34 api: remove authenticode support
Certificates are no longer valid.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-02 00:24:10 +02:00
Jason A. Donenfeld
86521458e3 props: use ForcedTargetVersion for override
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-30 10:40:27 +02:00
Jason A. Donenfeld
0a3799cc3a editorconfig: farewell wix
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-30 10:40:27 +02:00
Jason A. Donenfeld
d0732ca4f8 driver: remove useless defines from resource
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-30 10:40:27 +02:00
Simon Rozman
d675646ab8 api: upgrade
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:25:27 +02:00
Simon Rozman
d61007297d example: resolve signed/unsigned code analysis warning
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:22:19 +02:00
Simon Rozman
d30f6754d4 global: upgrade clang-format
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:22:19 +02:00
Simon Rozman
7dffa4be72 vs: move shared configuration to wintun.props and upgrade
Remember to rename wintun.vcxproj.user file in your local working folder
to wintun.props.user manually.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-28 20:22:18 +02:00
Simon Rozman
7de5d2e6c8 driver: workaround SDV failure with code analysis
SDV is using its own CL.EXE, which returns error code 2 when code analysis
is turned on. However, we need code analysis results for DVL.

While we could use a new "ReleaseSDV" configuration, we don't really
require limited code analysis in Release builds, as long as we address
all full code analysis warnings in Debug builds.

To make DVL happier, an intermediate Release build was injected with
code analysis turned on.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-27 12:22:26 +02:00
Jason A. Donenfeld
899e085a91 api: build with WDK
Makes builds more reproducible, as we can do our next release using the
EWDK, an all-in-one ISO of build tools from Microsoft.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-23 20:20:43 +02:00
Jason A. Donenfeld
af83574b34 api: remove unused pch file
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-13 15:48:45 +02:00
Simon Rozman
928f21c573 driver: switch to MS-recommended memory alloc
Suggested-by: Static Driver Verifier
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-13 14:33:43 +02:00
Simon Rozman
dccf2085cb driver: cleanup project file
Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-12 10:38:21 +02:00
Simon Rozman
d41ac04565 driver: remove excessive media connection reporting on adapter init
The initial adapter state (including media connection) is provided by
the NDIS_MINIPORT_ADAPTER_GENERAL_ATTRIBUTES.
The additional NdisMIndicateStatusEx() call seems excessive.

Signed-off-by: Simon Rozman <simon@rozman.si>
2021-07-12 10:38:21 +02:00
Jason A. Donenfeld
005af4a9c7 api: use SuggestedInstanceId instead of NetSetupAnticipatedInstanceId
All was well with NetSetupAnticipatedInstanceId, until a bug crept into
recent Windows builds that caused old GUIDs not to be properly removed,
causing subsequent adapter creations to fail, because
NetSetupAnticipatedInstanceId considers it fatal when the target GUID
already exists, even if in diminished form.

The initial solution was to detect cruft, and then steal a
TrustedInstaller token and sleuth around the registry cleaning things
up. The horror!

Uncomfortable with this, I reopened IDA and had a look around with fresh
eyes, three years after the original discovery of
NetSetupAnticipatedInstanceId. There, I found some interesting behavior
in NetSetupSvcDeviceManager::InstallNetworkInterfaces, which amounts to
something like:

    if (IsSet("RetiredNetCfgInstanceId")) {
      if (IsSet("NetSetupAnticipatedInstanceId"))
        DeleteAdapter(GetValue("RetiredNetCfgInstanceId"));
      else
        Set("NetSetupAnticipatedInstanceId", GetValue("RetiredNetCfgInstanceId"));
      Delete("RetiredNetCfgInstanceId");
    }
    CreateAdapter = TRUE;
    if (IsSet("NetSetupAnticipatedInstanceId")) {
      Guid = GetValue("NetSetupAnticipatedInstanceId");
      if (AdapterAlreadyExists(Guid))
        CreateAdapter = FALSE;
      else
        SetGuidOfNewAdapter(Guid);
      Delete("NetSetupAnticipatedInstanceId");
    } else if (IsSet("SuggestedInstanceId")) {
      Guid = GetValue("SuggestedInstanceId");
      if (!AdapterAlreadyExists(Guid))
        SetGuidOfNewAdapter(Guid);
      Delete("SuggestedInstanceId");
    }

Thus, one appealing strategy would be to set both
NetSetupAnticipatedInstanceId and RetiredInstanceId to the same value, and
let the service handle deleting the old one for us before creating the
new one. However, the cleanup of the old adapter winds up being
quasi-asynchronous, and thus we still wind up in the CreateAdapter = FALSE
case.

So, the remaining strategy is to simply use SuggestedInstanceId instead.
This has the behavior that if there's an adapter already in use, it'll
use a new random GUID. The result is that adapter creation won't fail.

That's not great, but the docs have always made it clear that
"requested" is a best-effort sort of thing. Plus, hopefully the creation
of the new adapter will help nudge the bug a bit and cleanup the old
cruft. In some ways, transitioning from our old strategy of "cudgel the
registry until we get the GUID we want" to "ask politely and accept no
for an answer" is a disappointing regression in functionality. But it
also means we don't need to keep crazy token stealing code around, or
fish around in the registry dangerously. This probably also increases
the likelihood that an adapter will be created during edge cases, which
means fewer errors for users, which could be a good thing. On the
downside, we have the perpetual tensions caused by a system that now
"fails open" instead of "fails closed". But so it goes in Windows land.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-09 17:08:28 +02:00
Jason A. Donenfeld
cf6e441ff5 api: log instance id when object file name is empty
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-08 03:13:14 +02:00
Jason A. Donenfeld
bf5b170101 api: print correct last error when failing
Prior to the conversion, LastError is ERROR_SUCCESS, so move the logging
to be after the conversion.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-08 02:50:57 +02:00
Jason A. Donenfeld
48bbaa0be3 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
ed2f5cc225 api: don't auto-elevate
There's no longer a need to do this for every API call. This only exists
now for the pnp guid reuse workaround hack.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
d33732ab4b driver: hard code security descriptor bytes
This is compatible with old Windows. Generated by:

  #include <stdio.h>
  #include <windows.h>
  #include <sddl.h>

  int main(int argc, char *argv[])
  {
      PSECURITY_DESCRIPTOR sd;
      ULONG sd_len;

      if (!ConvertStringSecurityDescriptorToSecurityDescriptorA("O:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(ML;;NWNRNX;;;HI)", SDDL_REVISION_1, &sd, &sd_len))
          return 1;
      for (ULONG i = 0; i < sd_len; ++i)
          printf("0x%02x%s%s", ((unsigned char *)sd)[i], i == sd_len - 1 ? "" : ",", i == sd_len - 1 || i % 8 == 7 ? "\n" : " ");
      return 0;
  }

This can be easily checked from kernel space with this ugly snippet:

  UNICODE_STRING Func;
  RtlInitUnicodeString(&Func, L"SeConvertSecurityDescriptorToStringSecurityDescriptor");
  WCHAR *Str = NULL;
  ((NTSTATUS(NTAPI *)(PSECURITY_DESCRIPTOR, DWORD, DWORD, WCHAR **, DWORD *))MmGetSystemRoutineAddress(&Func))(
      TunDispatchSecurityDescriptor, 1, 0x14, &Str, NULL);
  DbgPrint("Did it work? %ls\n", Str);

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 16:18:03 +02:00
Jason A. Donenfeld
6154c73032 driver: build security descriptor from sddl
This is a bit easier to read.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 14:10:50 +02:00
Jason A. Donenfeld
b3bf490434 driver: allow admins but require high integrity label
Might be more reasonable.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 14:09:16 +02:00
Jason A. Donenfeld
59bf6be8b6 driver: specify pnplockdown in inf
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 13:51:58 +02:00
Jason A. Donenfeld
273cbe2d14 driver: format
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-06-25 13:51:57 +02:00
Jason A. Donenfeld
479bbdc50a api: only mark GUID as in-use if Status != NotPresent
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-11 19:43:34 +02:00