1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
|
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* Generate and check the UserChoice Hash, which protects file and protocol
* associations on Windows 10.
*
* NOTE: This is also used in the WDBA, so it avoids XUL and XPCOM.
*
* References:
* - PS-SFTA by Danysys <https://github.com/DanysysTeam/PS-SFTA>
* - based on a PureBasic version by LMongrain
* <https://github.com/DanysysTeam/SFTA>
* - AssocHashGen by "halfmeasuresdisabled", see bug 1225660 and
* <https://www.reddit.com/r/ReverseEngineering/comments/3t7q9m/assochashgen_a_reverse_engineered_version_of/>
* - SetUserFTA changelog
* <https://kolbi.cz/blog/2017/10/25/setuserfta-userchoice-hash-defeated-set-file-type-associations-per-user/>
*/
#include <windows.h>
#include <sddl.h> // for ConvertSidToStringSidW
#include <wincrypt.h> // for CryptoAPI base64
#include <bcrypt.h> // for CNG MD5
#include <winternl.h> // for NT_SUCCESS()
#include "mozilla/ArrayUtils.h"
#include "mozilla/UniquePtr.h"
#include "nsWindowsHelpers.h"
#include "WindowsUserChoice.h"
using namespace mozilla;
UniquePtr<wchar_t[]> GetCurrentUserStringSid() {
HANDLE rawProcessToken;
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY,
&rawProcessToken)) {
return nullptr;
}
nsAutoHandle processToken(rawProcessToken);
DWORD userSize = 0;
if (!(!::GetTokenInformation(processToken.get(), TokenUser, nullptr, 0,
&userSize) &&
GetLastError() == ERROR_INSUFFICIENT_BUFFER)) {
return nullptr;
}
auto userBytes = MakeUnique<unsigned char[]>(userSize);
if (!::GetTokenInformation(processToken.get(), TokenUser, userBytes.get(),
userSize, &userSize)) {
return nullptr;
}
wchar_t* rawSid = nullptr;
if (!::ConvertSidToStringSidW(
reinterpret_cast<PTOKEN_USER>(userBytes.get())->User.Sid, &rawSid)) {
return nullptr;
}
UniquePtr<wchar_t, LocalFreeDeleter> sid(rawSid);
// Copy instead of passing UniquePtr<wchar_t, LocalFreeDeleter> back to
// the caller.
int sidLen = ::lstrlenW(sid.get()) + 1;
auto outSid = MakeUnique<wchar_t[]>(sidLen);
memcpy(outSid.get(), sid.get(), sidLen * sizeof(wchar_t));
return outSid;
}
/*
* Create the string which becomes the input to the UserChoice hash.
*
* @see GenerateUserChoiceHash() for parameters.
*
* @return The formatted string, nullptr on failure.
*
* NOTE: This uses the format as of Windows 10 20H2 (latest as of this writing),
* used at least since 1803.
* There was at least one older version, not currently supported: On Win10 RTM
* (build 10240, aka 1507) the hash function is the same, but the timestamp and
* User Experience string aren't included; instead (for protocols) the string
* ends with the exe path. The changelog of SetUserFTA suggests the algorithm
* changed in 1703, so there may be two versions: before 1703, and 1703 to now.
*/
static UniquePtr<wchar_t[]> FormatUserChoiceString(const wchar_t* aExt,
const wchar_t* aUserSid,
const wchar_t* aProgId,
SYSTEMTIME aTimestamp) {
aTimestamp.wSecond = 0;
aTimestamp.wMilliseconds = 0;
FILETIME fileTime = {0};
if (!::SystemTimeToFileTime(&aTimestamp, &fileTime)) {
return nullptr;
}
// This string is built into Windows as part of the UserChoice hash algorithm.
// It might vary across Windows SKUs (e.g. Windows 10 vs. Windows Server), or
// across builds of the same SKU, but this is the only currently known
// version. There isn't any known way of deriving it, so we assume this
// constant value. If we are wrong, we will not be able to generate correct
// UserChoice hashes.
const wchar_t* userExperience =
L"User Choice set via Windows User Experience "
L"{D18B6DD5-6124-4341-9318-804003BAFA0B}";
const wchar_t* userChoiceFmt =
L"%s%s%s"
L"%08lx"
L"%08lx"
L"%s";
int userChoiceLen = _scwprintf(userChoiceFmt, aExt, aUserSid, aProgId,
fileTime.dwHighDateTime,
fileTime.dwLowDateTime, userExperience);
userChoiceLen += 1; // _scwprintf does not include the terminator
auto userChoice = MakeUnique<wchar_t[]>(userChoiceLen);
_snwprintf_s(userChoice.get(), userChoiceLen, _TRUNCATE, userChoiceFmt, aExt,
aUserSid, aProgId, fileTime.dwHighDateTime,
fileTime.dwLowDateTime, userExperience);
::CharLowerW(userChoice.get());
return userChoice;
}
// @return The MD5 hash of the input, nullptr on failure.
static UniquePtr<DWORD[]> CNG_MD5(const unsigned char* bytes, ULONG bytesLen) {
constexpr ULONG MD5_BYTES = 16;
constexpr ULONG MD5_DWORDS = MD5_BYTES / sizeof(DWORD);
UniquePtr<DWORD[]> hash;
BCRYPT_ALG_HANDLE hAlg = nullptr;
if (NT_SUCCESS(::BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_MD5_ALGORITHM,
nullptr, 0))) {
BCRYPT_HASH_HANDLE hHash = nullptr;
// As of Windows 7 the hash handle will manage its own object buffer when
// pbHashObject is nullptr and cbHashObject is 0.
if (NT_SUCCESS(
::BCryptCreateHash(hAlg, &hHash, nullptr, 0, nullptr, 0, 0))) {
// BCryptHashData promises not to modify pbInput.
if (NT_SUCCESS(::BCryptHashData(hHash, const_cast<unsigned char*>(bytes),
bytesLen, 0))) {
hash = MakeUnique<DWORD[]>(MD5_DWORDS);
if (!NT_SUCCESS(::BCryptFinishHash(
hHash, reinterpret_cast<unsigned char*>(hash.get()),
MD5_DWORDS * sizeof(DWORD), 0))) {
hash.reset();
}
}
::BCryptDestroyHash(hHash);
}
::BCryptCloseAlgorithmProvider(hAlg, 0);
}
return hash;
}
// @return The input bytes encoded as base64, nullptr on failure.
static UniquePtr<wchar_t[]> CryptoAPI_Base64Encode(const unsigned char* bytes,
DWORD bytesLen) {
DWORD base64Len = 0;
if (!::CryptBinaryToStringW(bytes, bytesLen,
CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
nullptr, &base64Len)) {
return nullptr;
}
auto base64 = MakeUnique<wchar_t[]>(base64Len);
if (!::CryptBinaryToStringW(bytes, bytesLen,
CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
base64.get(), &base64Len)) {
return nullptr;
}
return base64;
}
static inline DWORD WordSwap(DWORD v) { return (v >> 16) | (v << 16); }
/*
* Generate the UserChoice Hash.
*
* This implementation is based on the references listed above.
* It is organized to show the logic as clearly as possible, but at some
* point the reasoning is just "this is how it works".
*
* @param inputString A null-terminated string to hash.
*
* @return The base64-encoded hash, or nullptr on failure.
*/
static UniquePtr<wchar_t[]> HashString(const wchar_t* inputString) {
auto inputBytes = reinterpret_cast<const unsigned char*>(inputString);
int inputByteCount = (::lstrlenW(inputString) + 1) * sizeof(wchar_t);
constexpr size_t DWORDS_PER_BLOCK = 2;
constexpr size_t BLOCK_SIZE = sizeof(DWORD) * DWORDS_PER_BLOCK;
// Incomplete blocks are ignored.
int blockCount = inputByteCount / BLOCK_SIZE;
if (blockCount == 0) {
return nullptr;
}
// Compute an MD5 hash. md5[0] and md5[1] will be used as constant multipliers
// in the scramble below.
auto md5 = CNG_MD5(inputBytes, inputByteCount);
if (!md5) {
return nullptr;
}
// The following loop effectively computes two checksums, scrambled like a
// hash after every DWORD is added.
// Constant multipliers for the scramble, one set for each DWORD in a block.
const DWORD C0s[DWORDS_PER_BLOCK][5] = {
{md5[0] | 1, 0xCF98B111uL, 0x87085B9FuL, 0x12CEB96DuL, 0x257E1D83uL},
{md5[1] | 1, 0xA27416F5uL, 0xD38396FFuL, 0x7C932B89uL, 0xBFA49F69uL}};
const DWORD C1s[DWORDS_PER_BLOCK][5] = {
{md5[0] | 1, 0xEF0569FBuL, 0x689B6B9FuL, 0x79F8A395uL, 0xC3EFEA97uL},
{md5[1] | 1, 0xC31713DBuL, 0xDDCD1F0FuL, 0x59C3AF2DuL, 0x35BD1EC9uL}};
// The checksums.
DWORD h0 = 0;
DWORD h1 = 0;
// Accumulated total of the checksum after each DWORD.
DWORD h0Acc = 0;
DWORD h1Acc = 0;
for (int i = 0; i < blockCount; ++i) {
for (size_t j = 0; j < DWORDS_PER_BLOCK; ++j) {
const DWORD* C0 = C0s[j];
const DWORD* C1 = C1s[j];
DWORD input;
memcpy(&input, &inputBytes[(i * DWORDS_PER_BLOCK + j) * sizeof(DWORD)],
sizeof(DWORD));
h0 += input;
// Scramble 0
h0 *= C0[0];
h0 = WordSwap(h0) * C0[1];
h0 = WordSwap(h0) * C0[2];
h0 = WordSwap(h0) * C0[3];
h0 = WordSwap(h0) * C0[4];
h0Acc += h0;
h1 += input;
// Scramble 1
h1 = WordSwap(h1) * C1[1] + h1 * C1[0];
h1 = (h1 >> 16) * C1[2] + h1 * C1[3];
h1 = WordSwap(h1) * C1[4] + h1;
h1Acc += h1;
}
}
DWORD hash[2] = {h0 ^ h1, h0Acc ^ h1Acc};
return CryptoAPI_Base64Encode(reinterpret_cast<const unsigned char*>(hash),
sizeof(hash));
}
UniquePtr<wchar_t[]> GetAssociationKeyPath(const wchar_t* aExt) {
const wchar_t* keyPathFmt;
if (aExt[0] == L'.') {
keyPathFmt =
L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\%s";
} else {
keyPathFmt =
L"SOFTWARE\\Microsoft\\Windows\\Shell\\Associations\\"
L"UrlAssociations\\%s";
}
int keyPathLen = _scwprintf(keyPathFmt, aExt);
keyPathLen += 1; // _scwprintf does not include the terminator
auto keyPath = MakeUnique<wchar_t[]>(keyPathLen);
_snwprintf_s(keyPath.get(), keyPathLen, _TRUNCATE, keyPathFmt, aExt);
return keyPath;
}
UniquePtr<wchar_t[]> GenerateUserChoiceHash(const wchar_t* aExt,
const wchar_t* aUserSid,
const wchar_t* aProgId,
SYSTEMTIME aTimestamp) {
auto userChoice = FormatUserChoiceString(aExt, aUserSid, aProgId, aTimestamp);
if (!userChoice) {
return nullptr;
}
return HashString(userChoice.get());
}
/*
* NOTE: The passed-in current user SID is used here, instead of getting the SID
* for the owner of the key. We are assuming that this key in HKCU is owned by
* the current user, since we want to replace that key ourselves. If the key is
* owned by someone else, then this check will fail; this is ok because we would
* likely not want to replace that other user's key anyway.
*/
CheckUserChoiceHashResult CheckUserChoiceHash(const wchar_t* aExt,
const wchar_t* aUserSid) {
auto keyPath = GetAssociationKeyPath(aExt);
if (!keyPath) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
HKEY rawAssocKey;
if (::RegOpenKeyExW(HKEY_CURRENT_USER, keyPath.get(), 0, KEY_READ,
&rawAssocKey) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
nsAutoRegKey assocKey(rawAssocKey);
FILETIME lastWriteFileTime;
{
HKEY rawUserChoiceKey;
if (::RegOpenKeyExW(assocKey.get(), L"UserChoice", 0, KEY_READ,
&rawUserChoiceKey) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
nsAutoRegKey userChoiceKey(rawUserChoiceKey);
if (::RegQueryInfoKeyW(userChoiceKey.get(), nullptr, nullptr, nullptr,
nullptr, nullptr, nullptr, nullptr, nullptr, nullptr,
nullptr, &lastWriteFileTime) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
}
SYSTEMTIME lastWriteSystemTime;
if (!::FileTimeToSystemTime(&lastWriteFileTime, &lastWriteSystemTime)) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
// Read ProgId
DWORD dataSizeBytes = 0;
if (::RegGetValueW(assocKey.get(), L"UserChoice", L"ProgId", RRF_RT_REG_SZ,
nullptr, nullptr, &dataSizeBytes) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
// +1 in case dataSizeBytes was odd, +1 to ensure termination
DWORD dataSizeChars = (dataSizeBytes / sizeof(wchar_t)) + 2;
UniquePtr<wchar_t[]> progId(new wchar_t[dataSizeChars]());
if (::RegGetValueW(assocKey.get(), L"UserChoice", L"ProgId", RRF_RT_REG_SZ,
nullptr, progId.get(), &dataSizeBytes) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
// Read Hash
dataSizeBytes = 0;
if (::RegGetValueW(assocKey.get(), L"UserChoice", L"Hash", RRF_RT_REG_SZ,
nullptr, nullptr, &dataSizeBytes) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
dataSizeChars = (dataSizeBytes / sizeof(wchar_t)) + 2;
UniquePtr<wchar_t[]> storedHash(new wchar_t[dataSizeChars]());
if (::RegGetValueW(assocKey.get(), L"UserChoice", L"Hash", RRF_RT_REG_SZ,
nullptr, storedHash.get(),
&dataSizeBytes) != ERROR_SUCCESS) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
auto computedHash =
GenerateUserChoiceHash(aExt, aUserSid, progId.get(), lastWriteSystemTime);
if (!computedHash) {
return CheckUserChoiceHashResult::ERR_OTHER;
}
if (::CompareStringOrdinal(computedHash.get(), -1, storedHash.get(), -1,
FALSE) != CSTR_EQUAL) {
return CheckUserChoiceHashResult::ERR_MISMATCH;
}
return CheckUserChoiceHashResult::OK_V1;
}
bool CheckBrowserUserChoiceHashes() {
auto userSid = GetCurrentUserStringSid();
if (!userSid) {
return false;
}
const wchar_t* exts[] = {L"https", L"http", L".html", L".htm"};
for (size_t i = 0; i < ArrayLength(exts); ++i) {
switch (CheckUserChoiceHash(exts[i], userSid.get())) {
case CheckUserChoiceHashResult::OK_V1:
break;
case CheckUserChoiceHashResult::ERR_MISMATCH:
case CheckUserChoiceHashResult::ERR_OTHER:
return false;
}
}
return true;
}
UniquePtr<wchar_t[]> FormatProgID(const wchar_t* aProgIDBase,
const wchar_t* aAumi) {
const wchar_t* progIDFmt = L"%s-%s";
int progIDLen = _scwprintf(progIDFmt, aProgIDBase, aAumi);
progIDLen += 1; // _scwprintf does not include the terminator
auto progID = MakeUnique<wchar_t[]>(progIDLen);
_snwprintf_s(progID.get(), progIDLen, _TRUNCATE, progIDFmt, aProgIDBase,
aAumi);
return progID;
}
bool CheckProgIDExists(const wchar_t* aProgID) {
HKEY key;
if (::RegOpenKeyExW(HKEY_CLASSES_ROOT, aProgID, 0, KEY_READ, &key) !=
ERROR_SUCCESS) {
return false;
}
::RegCloseKey(key);
return true;
}
|