UINT32 PrvScenarioAppContainerDeleteFwpmObjects() { UINT32 status = NO_ERROR; UINT32 sidSize = 0; HANDLE engineHandle = 0; const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_CONNECT_V6}; const UINT32 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys); FWPM_FILTER_CONDITION filterCondition = {0}; /// Only App Containers have a valid (non-NULL) SID for the ALE_PACKAGE_ID filterCondition.fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID; filterCondition.matchType = FWP_MATCH_NOT_EQUAL; filterCondition.conditionValue.type = FWP_SID; #pragma warning(push) #pragma warning(disable: 6388) /// filterCondition.conditionValue.sid guaranteed to be 0 due to ZeroMemory call status = HlprSIDGetWellKnown(WinNullSid, &(filterCondition.conditionValue.sid), &sidSize); HLPR_BAIL_ON_FAILURE(status); #pragma warning(pop) status = HlprFwpmEngineOpen(&engineHandle); HLPR_BAIL_ON_FAILURE(status); for(UINT32 objectIndex = 0; objectIndex < NUM_OBJECTS; objectIndex++) { HANDLE enumHandle = 0; UINT32 entryCount = 0; FWPM_FILTER** ppFilters = 0; FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0}; filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER; filterEnumTemplate.layerKey = pLayerKeys[objectIndex]; filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED; filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME | FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED; filterEnumTemplate.numFilterConditions = 1; filterEnumTemplate.filterCondition = &filterCondition; filterEnumTemplate.actionMask = 0xFFFFFFFF; status = HlprFwpmFilterCreateEnumHandle(engineHandle, &filterEnumTemplate, &enumHandle); HLPR_BAIL_ON_FAILURE_WITH_LABEL(status, HLPR_BAIL_LABEL_2); status = HlprFwpmFilterEnum(engineHandle, enumHandle, 0xFFFFFFFF, &ppFilters, &entryCount); HLPR_BAIL_ON_FAILURE_WITH_LABEL(status, HLPR_BAIL_LABEL_2); if(ppFilters) { for(UINT32 filterIndex = 0; filterIndex < entryCount; filterIndex++) { HlprFwpmFilterDeleteByKey(engineHandle, &(ppFilters[filterIndex]->filterKey)); } FwpmFreeMemory((void**)&ppFilters); } HLPR_BAIL_LABEL_2: if(enumHandle) HlprFwpmFilterDestroyEnumHandle(engineHandle, &enumHandle); } HLPR_BAIL_LABEL: HlprSIDDestroy(&(filterCondition.conditionValue.sid)); HlprFwpmEngineClose(&engineHandle); return status; }
UINT32 PrvScenarioAppContainerAddFwpmObjects(_In_ BOOLEAN persistent = TRUE, _In_ BOOLEAN bootTime = FALSE) { UINT32 status = NO_ERROR; UINT32 sidSize = 0; HANDLE engineHandle = 0; const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_CONNECT_V6}; const UINT32 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys); FWPM_FILTER_CONDITION filterCondition = {0}; FWPM_FILTER pFilters[NUM_OBJECTS] = {0}; /// Only App Containers have a valid (non-NULL) SID for the ALE_PACKAGE_ID filterCondition.fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID; filterCondition.matchType = FWP_MATCH_NOT_EQUAL; filterCondition.conditionValue.type = FWP_SID; #pragma warning(push) #pragma warning(disable: 6388) /// filterCondition.conditionValue.sid guaranteed to be 0 due to ZeroMemory call status = HlprSIDGetWellKnown(WinNullSid, &(filterCondition.conditionValue.sid), &sidSize); HLPR_BAIL_ON_FAILURE(status); #pragma warning(pop) for(UINT32 objectIndex = 0; objectIndex < NUM_OBJECTS; objectIndex++) { status = HlprGUIDPopulate(&(pFilters[objectIndex].filterKey)); HLPR_BAIL_ON_FAILURE(status); pFilters[objectIndex].displayData.name = L"WFPSampler's AppContainer Scenario Filter"; pFilters[objectIndex].displayData.description = L"Trust Windows Service Hardening to handle all App Containers"; pFilters[objectIndex].flags |= FWPM_FILTER_FLAG_PERSISTENT; pFilters[objectIndex].providerKey = (GUID*)&WFPSAMPLER_PROVIDER; pFilters[objectIndex].layerKey = pLayerKeys[objectIndex]; pFilters[objectIndex].subLayerKey = WFPSAMPLER_SUBLAYER; pFilters[objectIndex].weight.type = FWP_UINT8; pFilters[objectIndex].weight.uint8 = 0xF; pFilters[objectIndex].numFilterConditions = 1; pFilters[objectIndex].filterCondition = &filterCondition; pFilters[objectIndex].action.type = FWP_ACTION_PERMIT; if(!persistent) pFilters[objectIndex].flags ^= FWPM_FILTER_FLAG_PERSISTENT; if(bootTime) { if(pFilters[objectIndex].flags & FWPM_FILTER_FLAG_PERSISTENT) pFilters[objectIndex].flags ^= FWPM_FILTER_FLAG_PERSISTENT; pFilters[objectIndex].flags |= FWPM_FILTER_FLAG_BOOTTIME; } } status = HlprFwpmEngineOpen(&engineHandle); HLPR_BAIL_ON_FAILURE(status); status = HlprFwpmTransactionBegin(engineHandle); HLPR_BAIL_ON_FAILURE(status); for(UINT32 objectIndex = 0; objectIndex < NUM_OBJECTS; objectIndex++) { status = HlprFwpmFilterAdd(engineHandle, &(pFilters[objectIndex])); HLPR_BAIL_ON_FAILURE(status); } status = HlprFwpmTransactionCommit(engineHandle); HLPR_BAIL_ON_FAILURE(status); HLPR_BAIL_LABEL: HlprSIDDestroy(&(filterCondition.conditionValue.sid)); if(engineHandle) { if(status != NO_ERROR) HlprFwpmTransactionAbort(engineHandle); HlprFwpmEngineClose(&engineHandle); } return status; }
/** @framework_function="RPCClientInterfaceInitialize" Purpose: Initialize the RPC client interface by creating a fast binding handle. <br> <br> Notes: <br> <br> MSDN_Ref: HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA378651.aspx <br> HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA375587.aspx <br> HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA375583.aspx <br> */ UINT32 RPCClientInterfaceInitialize() { RPC_STATUS status = RPC_S_OK; SID* pLocalSystemSID = 0; SIZE_T sidSize = 0; RPC_SECURITY_QOS_V4 securityQoS = {0}; RPC_BINDING_HANDLE_TEMPLATE_V1 bindingHandleTemplate = {0}; RPC_BINDING_HANDLE_SECURITY_V1 bindingHandleSecurity = {0}; RPC_BINDING_HANDLE_OPTIONS_V1 bindingHandleOptions = {0}; HLPR_NEW(pRPCData, RPC_DATA); HLPR_BAIL_ON_ALLOC_FAILURE(pRPCData, status); status = HlprSIDCreate(&pLocalSystemSID, &sidSize, 0, WinLocalSystemSid); HLPR_BAIL_ON_FAILURE(status); wfpSamplerBindingHandle = 0; pRPCData->rpcClientInterfaceHandle = IWFPSampler_v1_0_c_ifspec; /// MIDL generated Client Interface Handle pRPCData->protocolSequence = RPC_PROTSEQ_LRPC; /// Use Local RPC securityQoS.Version = 4; /// Use RPC_SECURITY_QOS_V4 structure securityQoS.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH; /// Request mutual authentication from the security provider securityQoS.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC; /// Security context is created only once securityQoS.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY; /// Allow server to get client's identity and allow it's impersonation securityQoS.Sid = pLocalSystemSID; /// Security identifier used by Local RPC securityQoS.EffectiveOnly = TRUE; /// only see enabled privileges bindingHandleTemplate.Version = 1; /// Use BINDING_HANDLE_TEMPLATE_V1 structure bindingHandleTemplate.ProtocolSequence = pRPCData->protocolSequence; /// Use Local RPC bindingHandleTemplate.StringEndpoint = (PWSTR)g_pEndpoint; /// String representation of our endpoint bindingHandleSecurity.Version = 1; /// Use BINDING_HANDLE_SECURITY_V1 structure bindingHandleSecurity.AuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY; /// Authentication level which causes Local RPC to use a secure channel bindingHandleSecurity.AuthnSvc = RPC_C_AUTHN_WINNT; /// Autherntication service to use bindingHandleSecurity.SecurityQos = (RPC_SECURITY_QOS*)&securityQoS; /// Security Qos Settings to Use bindingHandleOptions.Version = 1; /// Use BINDING_HANDLE_OPTIONS_V1 structure bindingHandleOptions.Flags = RPC_BHO_NONCAUSAL; /// Execute calls in any order bindingHandleOptions.ComTimeout = RPC_C_BINDING_DEFAULT_TIMEOUT; /// Use default communication timeout value status = RpcBindingCreate(&bindingHandleTemplate, /// Core structure of the binding handle &bindingHandleSecurity, /// Security options for the binding handle &bindingHandleOptions, /// Additional options to set on the binding handle &wfpSamplerBindingHandle); /// Created binding handle if(status != RPC_S_OK) { HlprLogError(L"RPCClientInterfaceInitialize : RpcBindingCreate() [status: %#x]", status); HLPR_BAIL; } pRPCData->bindingHandle = wfpSamplerBindingHandle; status = RpcBindingBind(0, /// These RPC calls will be synchronous pRPCData->bindingHandle, /// Binding handle that will be used to make the RPC call pRPCData->rpcClientInterfaceHandle); /// Interface handle that will be used to make the RPC call if(status != RPC_S_OK) { HlprLogError(L"RPCClientInterfaceInitialize : RpcBindingBind() [status: %#x]", status); HLPR_BAIL; } HLPR_BAIL_LABEL: if(status != RPC_S_OK) { HlprLogError(L"[status: %#x]", status); PrvRPCTroubleshootError(); RPCClientInterfaceTerminate(); } if(pLocalSystemSID) HlprSIDDestroy(&pLocalSystemSID); return status; }