firehazard 0.0.0-2022-09-10

Unopinionated low level API bindings focused on soundness, safety, and stronger types over raw FFI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

use firehazard::*;
use firehazard::process::ThreadAttributeList;



pub struct List<'s> {
    pub mitigation_policy:  process::creation::MitigationPolicy,
    pub child_policy:       process::creation::ChildProcessPolicyFlags,
    pub dab_policy:         process::creation::DesktopAppPolicyFlags,
    pub component_filter:   u32,
    pub job_list:           Vec<job::Handle<'s>>,
    pub inherit:            Vec<handle::Borrowed<'s>>,
    // ...
}

impl<'s> List<'s> {
    pub fn new(target: &crate::settings::Target, job: impl Into<job::Handle<'s>>, inherit: impl IntoIterator<Item = handle::Borrowed<'s>>) -> Self {
        let policy1 = ()
            | process::creation::mitigation_policy::DEP_ENABLE
            //| process::creation::mitigation_policy::DEP_ATL_THUNK_ENABLE
            | process::creation::mitigation_policy::SEHOP_ENABLE
            | process::creation::mitigation_policy::force_relocate_images::ALWAYS_ON_REQ_RELOCS // chrome.exe doesn't bother with this
            | process::creation::mitigation_policy::heap_terminate::ALWAYS_ON
            | process::creation::mitigation_policy::bottom_up_aslr::ALWAYS_ON
            | process::creation::mitigation_policy::high_entropy_aslr::ALWAYS_ON
            | process::creation::mitigation_policy::strict_handle_checks::ALWAYS_ON
            | (!target.allow.same_desktop * process::creation::mitigation_policy::win32k_system_call_disable::ALWAYS_ON) // user32.dll(?) requires access on init
            | process::creation::mitigation_policy::extension_point_disable::ALWAYS_ON
            | (!target.allow.dynamic_code * process::creation::mitigation_policy::prohibit_dynamic_code::ALWAYS_ON)
            | process::creation::mitigation_policy::control_flow_guard::ALWAYS_ON               // Redundant?
            | process::creation::mitigation_policy::control_flow_guard::EXPORT_SUPPRESSION      // https://docs.microsoft.com/en-us/windows/win32/secbp/pe-metadata#export-suppression
            | process::creation::mitigation_policy::block_non_microsoft_binaries::ALWAYS_ON     // Redundant?
            | process::creation::mitigation_policy::block_non_microsoft_binaries::ALLOW_STORE   // ?
            | (!target.allow.same_desktop * process::creation::mitigation_policy::font_disable::ALWAYS_ON) // user32.dll(?) requires access on init
            | process::creation::mitigation_policy::image_load_no_remote::ALWAYS_ON
            | process::creation::mitigation_policy::image_load_no_low_label::ALWAYS_ON
            | process::creation::mitigation_policy::image_load_prefer_system32::ALWAYS_ON
            ;

        let policy2 = None
            | process::creation::mitigation_policy2::loader_integrity_continuity::ALWAYS_ON
            | process::creation::mitigation_policy2::strict_control_flow_guard::ALWAYS_ON
            | process::creation::mitigation_policy2::module_tampering_protection::ALWAYS_ON
            | process::creation::mitigation_policy2::restrict_indirect_branch_prediction::ALWAYS_ON
            | (!target.allow.dynamic_code * process::creation::mitigation_policy2::allow_downgrade_dynamic_code_policy::ALWAYS_OFF)
            | process::creation::mitigation_policy2::speculative_store_bypass_disable::ALWAYS_ON
            | process::creation::mitigation_policy2::cet_user_shadow_stacks::ALWAYS_ON      // Redundant
            | process::creation::mitigation_policy2::cet_user_shadow_stacks::STRICT_MODE
            | process::creation::mitigation_policy2::user_cet_set_context_ip_validation::ALWAYS_ON
            | (!target.allow.missing_cet * process::creation::mitigation_policy2::block_non_cet_binaries::ALWAYS_ON)
            //| process::creation::mitigation_policy2::xtended_control_flow_guard::ALWAYS_ON        // causes ERROR_INVALID_PARAMETER - not built with XFG? see https://connormcgarr.github.io/examining-xfg/ / https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE37dMC
            //| process::creation::mitigation_policy2::pointer_auth_user_ip::ALWAYS_ON              // causes ERROR_INVALID_PARAMETER - ARM64 (not x64/AMD64!) only?
            | process::creation::mitigation_policy2::cet_dynamic_apis_out_of_proc_only::ALWAYS_ON
            //| process::creation::mitigation_policy2::restrict_core_sharing::ALWAYS_ON             // causes ERROR_INVALID_PARAMETER (do I need to specify cores to hog?)
            ;

        let mitigation_policy   = process::creation::MitigationPolicy::from((policy1, policy2));
        let child_policy        = process::creation::child_process::RESTRICTED;
        let dab_policy          = process::creation::desktop_app_breakaway::ENABLE_PROCESS_TREE;
        const COMPONENT_KTM : u32 = 1; // C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um\winnt.h
        let component_filter    = COMPONENT_KTM;
        let job_list            = vec![job.into()];
        let inherit             = inherit.into_iter().collect();

        Self { mitigation_policy, child_policy, dab_policy, component_filter, job_list, inherit }
    }

    pub fn to_list(&self) -> ThreadAttributeList {
        process::ThreadAttributeList::try_from(&[
            process::ThreadAttributeRef::mitigation_policy(&self.mitigation_policy),
            process::ThreadAttributeRef::child_process_policy(&self.child_policy),
            process::ThreadAttributeRef::desktop_app_policy(&self.dab_policy),
            process::ThreadAttributeRef::component_filter_flags(&self.component_filter),
            #[cfg(nope)] {
                // will cause create_process_as_user_w to fail with ERROR_INVALID_PARAMETER
                // Also completely pointless, as we're almost certainly not running as a protected app ourselves
                const PROTECTION_LEVEL_SAME : u32 = 0xFFFFFFFF;
                process::ThreadAttributeRef::protection_level(&PROTECTION_LEVEL_SAME)
            },
            process::ThreadAttributeRef::job_list(&self.job_list[..]),
            process::ThreadAttributeRef::handle_list(&self.inherit[..]),
            // TODO: ThreadAttributeRef::security_capabilities ? app container / capability sids related: https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-security_capabilities
        ][..]).unwrap()
    }
}