From 3efd4eaa8cc0197be9b488a73c474bf585c46aea Mon Sep 17 00:00:00 2001
From: xwings
Date: Mon, 10 Jan 2022 09:59:27 +0800
Subject: [PATCH] add security coockies back into PE loader for kernel driver
---
 examples/rootfs | 2 +-
 qiling/loader/pe.py | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/examples/rootfs b/examples/rootfs
index 3a1e3352c..999e5008a 160000
--- a/examples/rootfs
+++ b/examples/rootfs
@@ -1 +1 @@
-Subproject commit 3a1e3352cfa20dfecbd452b5bcdd210408bf2765
+Subproject commit 999e5008aa96f34ebb5c4fa90a072070dfca9742
diff --git a/qiling/loader/pe.py b/qiling/loader/pe.py
index d67248d39..726fc10a1 100644
--- a/qiling/loader/pe.py
+++ b/qiling/loader/pe.py
@@ -3,7 +3,7 @@
 # Cross Platform and Multi Architecture Advanced Binary Emulation Framework
 #
-import os, pefile, pickle, traceback
+import os, pefile, pickle, secrets, traceback
 from typing import Any, MutableMapping, Optional, Mapping, Sequence
 from qiling import Qiling
@@ -608,6 +608,21 @@ def load(self):
         self.pe.parse_data_directories()
         data = bytearray(self.pe.get_memory_mapped_image())
         self.ql.mem.write(self.pe_image_address, bytes(data))
+
+        if self.is_driver:
+            # setup IMAGE_LOAD_CONFIG_DIRECTORY
+            if self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG']].VirtualAddress != 0:
+                SecurityCookie_rva = self.pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie - self.pe.OPTIONAL_HEADER.ImageBase
+                SecurityCookie_value = default_security_cookie_value = self.ql.mem.read(self.pe_image_address+SecurityCookie_rva, self.ql.pointersize)
+                while SecurityCookie_value == default_security_cookie_value:
+                    SecurityCookie_value = secrets.token_bytes(self.ql.pointersize)
+                    # rol rcx, 10h (rcx: cookie)
+                    # test cx, 0FFFFh
+                    SecurityCookie_value_array = bytearray(SecurityCookie_value)
+                    # Sanity question: We are always little endian, right?
+                    SecurityCookie_value_array[-2:] = b'\x00\x00'
+                    SecurityCookie_value = bytes(SecurityCookie_value_array)
+                self.ql.mem.write(self.pe_image_address+SecurityCookie_rva, SecurityCookie_value)
         # Add main PE to ldr_data_table
         mod_name = os.path.basename(self.path)
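Review bot: The new block only checks that the LOAD_CONFIG directory is present, not that its `SecurityCookie` field is non-zero; a load config with no cookie pointer makes `SecurityCookie_rva = 0 - ImageBase`, a negative offset, so the following `self.ql.mem.read` targets an address outside the mapped image instead of being skipped. Capture the field first and guard on it: `SecurityCookie_va = self.pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.SecurityCookie` / `if SecurityCookie_va != 0:` / `SecurityCookie_rva = SecurityCookie_va - self.pe.OPTIONAL_HEADER.ImageBase`. The `SecurityCookie_value_array[-2:] = b'\x00\x00'` masking is applied regardless of `self.ql.pointersize`, so a 4-byte cookie loses half its bits, while the `rol rcx, 10h` comment describes the 64-bit cookie layout only; if the mask is meant to mirror that check, derive it from the pointer width and state that in the comment. The same slice also hard-codes the little-endian assumption the "Sanity question" comment raises; building the value with `int.from_bytes(..., 'little')` and `int.to_bytes(..., 'little')` would make that assumption explicit rather than implied by a byte index. `load` begins and ends outside the hunk.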