UINT32 PrvScenarioAppContainerDeleteFwpmObjects()
{
UINT32 status = NO_ERROR;
UINT32 sidSize = 0;
HANDLE engineHandle = 0;
const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
FWPM_LAYER_ALE_AUTH_CONNECT_V4,
FWPM_LAYER_ALE_AUTH_CONNECT_V6};
const UINT32 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys);
FWPM_FILTER_CONDITION filterCondition = {0};
/// Only App Containers have a valid (non-NULL) SID for the ALE_PACKAGE_ID
filterCondition.fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID;
filterCondition.matchType = FWP_MATCH_NOT_EQUAL;
filterCondition.conditionValue.type = FWP_SID;
#pragma warning(push)
#pragma warning(disable: 6388) /// filterCondition.conditionValue.sid guaranteed to be 0 due to ZeroMemory call
status = HlprSIDGetWellKnown(WinNullSid,
&(filterCondition.conditionValue.sid),
&sidSize);
HLPR_BAIL_ON_FAILURE(status);
#pragma warning(pop)
status = HlprFwpmEngineOpen(&engineHandle);
HLPR_BAIL_ON_FAILURE(status);
for(UINT32 objectIndex = 0;
objectIndex < NUM_OBJECTS;
objectIndex++)
{
HANDLE enumHandle = 0;
UINT32 entryCount = 0;
FWPM_FILTER** ppFilters = 0;
FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0};
filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER;
filterEnumTemplate.layerKey = pLayerKeys[objectIndex];
filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED;
filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME |
FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED;
filterEnumTemplate.numFilterConditions = 1;
filterEnumTemplate.filterCondition = &filterCondition;
filterEnumTemplate.actionMask = 0xFFFFFFFF;
status = HlprFwpmFilterCreateEnumHandle(engineHandle,
&filterEnumTemplate,
&enumHandle);
HLPR_BAIL_ON_FAILURE_WITH_LABEL(status,
HLPR_BAIL_LABEL_2);
status = HlprFwpmFilterEnum(engineHandle,
enumHandle,
0xFFFFFFFF,
&ppFilters,
&entryCount);
HLPR_BAIL_ON_FAILURE_WITH_LABEL(status,
HLPR_BAIL_LABEL_2);
if(ppFilters)
{
for(UINT32 filterIndex = 0;
filterIndex < entryCount;
filterIndex++)
{
HlprFwpmFilterDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->filterKey));
}
FwpmFreeMemory((void**)&ppFilters);
}
HLPR_BAIL_LABEL_2:
if(enumHandle)
HlprFwpmFilterDestroyEnumHandle(engineHandle,
&enumHandle);
}
HLPR_BAIL_LABEL:
HlprSIDDestroy(&(filterCondition.conditionValue.sid));
HlprFwpmEngineClose(&engineHandle);
return status;
}
UINT32 PrvScenarioAppContainerAddFwpmObjects(_In_ BOOLEAN persistent = TRUE,
_In_ BOOLEAN bootTime = FALSE)
{
UINT32 status = NO_ERROR;
UINT32 sidSize = 0;
HANDLE engineHandle = 0;
const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
FWPM_LAYER_ALE_AUTH_CONNECT_V4,
FWPM_LAYER_ALE_AUTH_CONNECT_V6};
const UINT32 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys);
FWPM_FILTER_CONDITION filterCondition = {0};
FWPM_FILTER pFilters[NUM_OBJECTS] = {0};
/// Only App Containers have a valid (non-NULL) SID for the ALE_PACKAGE_ID
filterCondition.fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID;
filterCondition.matchType = FWP_MATCH_NOT_EQUAL;
filterCondition.conditionValue.type = FWP_SID;
#pragma warning(push)
#pragma warning(disable: 6388) /// filterCondition.conditionValue.sid guaranteed to be 0 due to ZeroMemory call
status = HlprSIDGetWellKnown(WinNullSid,
&(filterCondition.conditionValue.sid),
&sidSize);
HLPR_BAIL_ON_FAILURE(status);
#pragma warning(pop)
for(UINT32 objectIndex = 0;
objectIndex < NUM_OBJECTS;
objectIndex++)
{
status = HlprGUIDPopulate(&(pFilters[objectIndex].filterKey));
HLPR_BAIL_ON_FAILURE(status);
pFilters[objectIndex].displayData.name = L"WFPSampler's AppContainer Scenario Filter";
pFilters[objectIndex].displayData.description = L"Trust Windows Service Hardening to handle all App Containers";
pFilters[objectIndex].flags |= FWPM_FILTER_FLAG_PERSISTENT;
pFilters[objectIndex].providerKey = (GUID*)&WFPSAMPLER_PROVIDER;
pFilters[objectIndex].layerKey = pLayerKeys[objectIndex];
pFilters[objectIndex].subLayerKey = WFPSAMPLER_SUBLAYER;
pFilters[objectIndex].weight.type = FWP_UINT8;
pFilters[objectIndex].weight.uint8 = 0xF;
pFilters[objectIndex].numFilterConditions = 1;
pFilters[objectIndex].filterCondition = &filterCondition;
pFilters[objectIndex].action.type = FWP_ACTION_PERMIT;
if(!persistent)
pFilters[objectIndex].flags ^= FWPM_FILTER_FLAG_PERSISTENT;
if(bootTime)
{
if(pFilters[objectIndex].flags & FWPM_FILTER_FLAG_PERSISTENT)
pFilters[objectIndex].flags ^= FWPM_FILTER_FLAG_PERSISTENT;
pFilters[objectIndex].flags |= FWPM_FILTER_FLAG_BOOTTIME;
}
}
status = HlprFwpmEngineOpen(&engineHandle);
HLPR_BAIL_ON_FAILURE(status);
status = HlprFwpmTransactionBegin(engineHandle);
HLPR_BAIL_ON_FAILURE(status);
for(UINT32 objectIndex = 0;
objectIndex < NUM_OBJECTS;
objectIndex++)
{
status = HlprFwpmFilterAdd(engineHandle,
&(pFilters[objectIndex]));
HLPR_BAIL_ON_FAILURE(status);
}
status = HlprFwpmTransactionCommit(engineHandle);
HLPR_BAIL_ON_FAILURE(status);
HLPR_BAIL_LABEL:
HlprSIDDestroy(&(filterCondition.conditionValue.sid));
if(engineHandle)
{
if(status != NO_ERROR)
HlprFwpmTransactionAbort(engineHandle);
HlprFwpmEngineClose(&engineHandle);
}
return status;
}
/**
@framework_function="RPCClientInterfaceInitialize"
Purpose: Initialize the RPC client interface by creating a fast binding handle. <br>
<br>
Notes: <br>
<br>
MSDN_Ref: HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA378651.aspx <br>
HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA375587.aspx <br>
HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA375583.aspx <br>
*/
UINT32 RPCClientInterfaceInitialize()
{
RPC_STATUS status = RPC_S_OK;
SID* pLocalSystemSID = 0;
SIZE_T sidSize = 0;
RPC_SECURITY_QOS_V4 securityQoS = {0};
RPC_BINDING_HANDLE_TEMPLATE_V1 bindingHandleTemplate = {0};
RPC_BINDING_HANDLE_SECURITY_V1 bindingHandleSecurity = {0};
RPC_BINDING_HANDLE_OPTIONS_V1 bindingHandleOptions = {0};
HLPR_NEW(pRPCData,
RPC_DATA);
HLPR_BAIL_ON_ALLOC_FAILURE(pRPCData,
status);
status = HlprSIDCreate(&pLocalSystemSID,
&sidSize,
0,
WinLocalSystemSid);
HLPR_BAIL_ON_FAILURE(status);
wfpSamplerBindingHandle = 0;
pRPCData->rpcClientInterfaceHandle = IWFPSampler_v1_0_c_ifspec; /// MIDL generated Client Interface Handle
pRPCData->protocolSequence = RPC_PROTSEQ_LRPC; /// Use Local RPC
securityQoS.Version = 4; /// Use RPC_SECURITY_QOS_V4 structure
securityQoS.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH; /// Request mutual authentication from the security provider
securityQoS.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC; /// Security context is created only once
securityQoS.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY; /// Allow server to get client's identity and allow it's impersonation
securityQoS.Sid = pLocalSystemSID; /// Security identifier used by Local RPC
securityQoS.EffectiveOnly = TRUE; /// only see enabled privileges
bindingHandleTemplate.Version = 1; /// Use BINDING_HANDLE_TEMPLATE_V1 structure
bindingHandleTemplate.ProtocolSequence = pRPCData->protocolSequence; /// Use Local RPC
bindingHandleTemplate.StringEndpoint = (PWSTR)g_pEndpoint; /// String representation of our endpoint
bindingHandleSecurity.Version = 1; /// Use BINDING_HANDLE_SECURITY_V1 structure
bindingHandleSecurity.AuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY; /// Authentication level which causes Local RPC to use a secure channel
bindingHandleSecurity.AuthnSvc = RPC_C_AUTHN_WINNT; /// Autherntication service to use
bindingHandleSecurity.SecurityQos = (RPC_SECURITY_QOS*)&securityQoS; /// Security Qos Settings to Use
bindingHandleOptions.Version = 1; /// Use BINDING_HANDLE_OPTIONS_V1 structure
bindingHandleOptions.Flags = RPC_BHO_NONCAUSAL; /// Execute calls in any order
bindingHandleOptions.ComTimeout = RPC_C_BINDING_DEFAULT_TIMEOUT; /// Use default communication timeout value
status = RpcBindingCreate(&bindingHandleTemplate, /// Core structure of the binding handle
&bindingHandleSecurity, /// Security options for the binding handle
&bindingHandleOptions, /// Additional options to set on the binding handle
&wfpSamplerBindingHandle); /// Created binding handle
if(status != RPC_S_OK)
{
HlprLogError(L"RPCClientInterfaceInitialize : RpcBindingCreate() [status: %#x]",
status);
HLPR_BAIL;
}
pRPCData->bindingHandle = wfpSamplerBindingHandle;
status = RpcBindingBind(0, /// These RPC calls will be synchronous
pRPCData->bindingHandle, /// Binding handle that will be used to make the RPC call
pRPCData->rpcClientInterfaceHandle); /// Interface handle that will be used to make the RPC call
if(status != RPC_S_OK)
{
HlprLogError(L"RPCClientInterfaceInitialize : RpcBindingBind() [status: %#x]",
status);
HLPR_BAIL;
}
HLPR_BAIL_LABEL:
if(status != RPC_S_OK)
{
HlprLogError(L"[status: %#x]",
status);
PrvRPCTroubleshootError();
RPCClientInterfaceTerminate();
}
if(pLocalSystemSID)
HlprSIDDestroy(&pLocalSystemSID);
return status;
}
