From 2a45cfbd1e0b4d300f69a2a571882c39740b76e3 Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Thu, 4 Jul 2013 13:01:47 -0400 Subject: Get-NtSystemInformation can now query UMCI info Get-NtSystemInformation now returns SystemCodeIntegrityInformation - i.e. user-mode code integrity settings. This required reverse engineering a dll that is only present on Windows 8 ARM devices. --- .../Get-NtSystemInformation.format.ps1xml | 21 +++++++++++++ ReverseEngineering/Get-NtSystemInformation.ps1 | 34 ++++++++++++++++++++++ 2 files changed, 55 insertions(+) diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml index 10d16d4..41b5280 100644 --- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml +++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml @@ -415,5 +415,26 @@ + + CodeIntegrityTypeView + + _SYSTEM_CODEINTEGRITY_INFORMATION + + + + + + + CodeIntegrityOptions + 0x{0:X8} + + + LockdownState + + + + + + \ No newline at end of file diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index 98cdd4d..707dae6 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -139,6 +139,10 @@ [Switch] $LockInformation, + [Parameter( ParameterSetName = 'CodeIntegrityInformation' )] + [Switch] + $CodeIntegrityInformation, + [Parameter( ParameterSetName = 'GlobalFlags' )] [Switch] $GlobalFlags @@ -202,6 +206,7 @@ #$EnumBuilder.DefineLiteral('SystemExceptionInformation', [Int32] 0x00000021) | Out-Null #$EnumBuilder.DefineLiteral('SystemRegistryQuotaInformation', [Int32] 0x00000025) | Out-Null #$EnumBuilder.DefineLiteral('SystemLookasideInformation', [Int32] 0x0000002D) | Out-Null + $EnumBuilder.DefineLiteral('SystemCodeIntegrityInformation', [Int32] 0x00000067) | Out-Null $SystemInformationClass = $EnumBuilder.CreateType() } 
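Review bot: The new `-CodeIntegrityInformation` switch in the `@@ -139,6 +139,10 @@` hunk is added without any help text; if Get-NtSystemInformation carries comment-based help above its param block (not visible in this hunk), it should gain a matching `.PARAMETER CodeIntegrityInformation` entry along the lines of `Returns the SYSTEM_CODEINTEGRITY_INFORMATION structure: the raw CodeIntegrityOptions value and the LockdownState derived from it.` The param block this hunk touches continues outside the hunk.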
@@ -213,6 +218,15 @@ $NtStatus = $EnumBuilder.CreateType() } + try { $LockdownState = [LOCKDOWN_STATE] } catch [Management.Automation.RuntimeException] + { + $EnumBuilder = $ModuleBuilder.DefineEnum('LOCKDOWN_STATE', 'Public', [Int32]) + $EnumBuilder.DefineLiteral('UMCINONE', [Int32] 0x00000000) | Out-Null + $EnumBuilder.DefineLiteral('UMCIENFORCE', [Int32] 0x00000004) | Out-Null + $EnumBuilder.DefineLiteral('UMCIAUDIT', [Int32] 0xC0000008) | Out-Null + $LockdownState = $EnumBuilder.CreateType() + } + try { $PoolType = [POOL_TYPE] } catch [Management.Automation.RuntimeException] { $EnumBuilder = $ModuleBuilder.DefineEnum('POOL_TYPE', 'Public', [UInt32]) @@ -1019,6 +1033,26 @@ Get-Struct @Arguments } + 'CodeIntegrityInformation' { + $CIStructLength = 8 + $PtrData = [Runtime.InteropServices.Marshal]::AllocHGlobal($CIStructLength) + [Runtime.InteropServices.Marshal]::WriteInt64($PtrData, 0) + [Runtime.InteropServices.Marshal]::WriteByte($PtrData, 8) # The length field in SYSTEM_CODEINTEGRITY_INFORMATION must be set to 8 + $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0) | Out-Null + $CIInfo = [Runtime.InteropServices.Marshal]::ReadInt32(([IntPtr]($PtrData.ToInt64() + 4))) + [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData) + + $ResultHashTable = @{ + CodeIntegrityOptions = $CIInfo + LockdownState = ($CIInfo -band 0x1C) -as $LockdownState + } + + $CodeIntegrityType = New-Object PSObject -Property $ResultHashTable + $CodeIntegrityType.PSObject.TypeNames.Insert(0, '_SYSTEM_CODEINTEGRITY_INFORMATION') + + Write-Output $CodeIntegrityType + } + 'GlobalFlags' { $TotalLength = 0 $ReturnedLength = 0 -- cgit v1.2.3
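Review bot: The `UMCIAUDIT` literal (`[Int32] 0xC0000008`) in the new LOCKDOWN_STATE enum can never be produced by its only consumer in the later hunk, which masks the options with `-band 0x1C` before casting, so the audit state is unreachable and a masked 0x8/0x10/0x18 result would surface as a bare number rather than a name; either the mask or the literal looks wrong and should be re-checked against the reversed binary (0xC0000008 has the shape of an NTSTATUS rather than of a flag bit, though that is an inference). Whichever way it resolves, values recovered by reverse engineering deserve a provenance comment next to the literals, e.g. `# Recovered by reverse engineering the Windows 8 ARM UMCI dll (see commit message); UMCIENFORCE is bit 0x4 of CodeIntegrityOptions`. The enclosing function continues outside the hunk.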
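Review bot: The NTSTATUS returned by `NtQuerySystemInformation` in the `@@ -1019,6 +1033,26 @@` hunk is discarded with `| Out-Null`, so when the call fails and leaves the buffer untouched (unsupported information class on older Windows, bad length, etc.) the zero-initialised bytes at offset 4 are read back and reported as `CodeIntegrityOptions = 0` / `UMCINONE` — a failed query is turned into a claim that user-mode code integrity is not enforced, which is the wrong failure mode for a security-state probe. Capture and check it: `$Status = $ntdll::NtQuerySystemInformation($SystemInformationClass::SystemCodeIntegrityInformation, $PtrData, $CIStructLength, [Ref] 0)` and, after the `FreeHGlobal`, `if ($Status -ne 0) { throw ('NtQuerySystemInformation(SystemCodeIntegrityInformation) failed: 0x{0:X8}' -f $Status) }` (the file already builds an NtStatus enum that could name the code). `FreeHGlobal` is also not in a `finally`, so an exception from the P/Invoke call leaks the 8-byte allocation; wrapping the query and read in `try { } finally { }` would close that. The enclosing switch statement continues outside the hunk.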