authorMatt Graeber <mattgraeber@gmail.com>2013-07-04 13:01:47 -0400
committerMatt Graeber <mattgraeber@gmail.com>2013-07-04 13:01:47 -0400
commit2a45cfbd1e0b4d300f69a2a571882c39740b76e3 (patch)
treedabd6d3ff7ed38895e05ae63327ef907c6e8dac6
parent9de59e9e3f3c3721f7c93e58b60ea2738590fa8e (diff)
Get-NtSystemInformation can now query UMCI info
Get-NtSystemInformation now returns SystemCodeIntegrityInformation - i.e. user-mode code integrity settings. This required reverse engineering a dll that is only present on Windows 8 ARM devices.
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.format.ps1xml21
-rw-r--r--ReverseEngineering/Get-NtSystemInformation.ps134
2 files changed, 55 insertions, 0 deletions
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 10d16d4..41b5280 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -415,5 +415,26 @@
</ListEntries>
</ListControl>
</View>
+ <View>
+ <Name>CodeIntegrityTypeView</Name>
+ <ViewSelectedBy>
+ <TypeName>_SYSTEM_CODEINTEGRITY_INFORMATION</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>CodeIntegrityOptions</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LockdownState</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
</ViewDefinitions>
</Configuration> \ No newline at end of file
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index 98cdd4d..707dae6 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -139,6 +139,10 @@
[Switch]
$LockInformation,
+ [Parameter( ParameterSetName = 'CodeIntegrityInformation' )]
+ [Switch]
+ $CodeIntegrityInformation,
+
[Parameter( ParameterSetName = 'GlobalFlags' )]
[Switch]
$GlobalFlags
@@ -202,6 +206,7 @@
#$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null
#$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null
#$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null
+ $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null
$SystemInformationClass = $EnumBuilder.CreateType()
}
@@ -213,6 +218,15 @@
$NtStatus = $EnumBuilder.CreateType()
}
+ try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException]
+ {
+ $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32])
+ $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null
+ $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null
+ $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null
+ $LockdownState = $EnumBuilder.CreateType()
+ }
+
try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException]
{
$EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32])
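Review bot: The `UMCIAUDIT` literal at `0xC0000008` (the third DefineLiteral in this hunk) can never be reached by the code that consumes this enum: a later hunk in this file masks the options word with `0x1C` before casting it `-as [LOCKDOWN_STATE]`, and a value masked to bits 2-4 never has bits 30/31 set, so an audit-mode system would cast to $null rather than to UMCIAUDIT. The 0x1C mask itself suggests the audit flag is the single bit 0x08 and that 0xC0000008 is an NTSTATUS-shaped value picked up from the reversed DLL rather than a flag — worth re-checking against the DLL; if so the line becomes `$EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0x00000008) | Out-Null`. The mask also admits bit 0x10 and the combination 0x0C (enforce and audit both set), neither of which any literal covers, so either mark the type with [Flags] via `$EnumBuilder.SetCustomAttribute(...)` or document with `# only single-bit states are named; combined/unknown bits cast to $null` so callers know a $null LockdownState means "unrecognised", not "none". Presumably a null here would be mistaken for UMCI being off, which is the wrong default for a security check.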
@@ -1019,6 +1033,26 @@
Get-Struct @Arguments
}
+ 'CodeIntegrityInformation' {
+ $CIStructLength = 8
+ $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
+ [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
+ [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8
+ $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null
+ $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
+ [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
+
+ $ResultHashTable = @{
+ CodeIntegrityOptions = $CIInfo
+ LockdownState = ($CIInfo -band 0x1C) -as $LockdownState
+ }
+
+ $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable
+ $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION')
+
+ Write-Output $CodeIntegrityType
+ }
+
'GlobalFlags' {
$TotalLength = 0
$ReturnedLength = 0
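Review bot: The NTSTATUS from `$ntdll::NtQuerySystemInformation` in the new `'CodeIntegrityInformation'` case is piped to Out-Null, so on any failure (the information class is presumably rejected on releases that predate it, or with STATUS_INFO_LENGTH_MISMATCH) the code reads back the buffer it just zeroed and reports `CodeIntegrityOptions = 0` / `LockdownState = UMCINONE`, i.e. "no user-mode code integrity" — a silent false negative for exactly the property a caller would be checking. The status should be tested and the call should throw on non-zero; the return type of the `$ntdll` delegate is defined outside this hunk, so the comparison below assumes it surfaces the NTSTATUS as an integer or the $NtStatus enum built earlier. While there, `WriteByte($PtrData, 8)` relies on the preceding WriteInt64 having zeroed the other three bytes of the ULONG Length field — `WriteInt32($PtrData, $CIStructLength)` says what is meant — and `FreeHGlobal` is skipped if the call throws, so wrap it in try/finally.
```powershell
$PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength)
try {
    [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0)
    # SYSTEM_CODEINTEGRITY_INFORMATION.Length is a ULONG and must be sizeof(struct) == 8
    [Runtime.InteropServices.Marshal]::WriteInt32($PtrData, $CIStructLength)
    $Status = $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0)
    if ($Status -ne 0) {
        # Do not fall through to a zeroed buffer: that would report "no UMCI" on an unsupported OS.
        throw "NtQuerySystemInformation(SystemCodeIntegrityInformation) failed: $Status"
    }
    $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4)))
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
}
# … unchanged: $ResultHashTable, PSObject construction and Write-Output …
```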