[51770] | 1 | /* $Id: SUPR3HardenedMain-win.cpp 104384 2024-04-19 22:03:10Z vboxsync $ */
|
---|
| 2 | /** @file
|
---|
| 3 | * VirtualBox Support Library - Hardened main(), windows bits.
|
---|
| 4 | */
|
---|
| 5 |
|
---|
| 6 | /*
|
---|
[98103] | 7 | * Copyright (C) 2006-2023 Oracle and/or its affiliates.
|
---|
[51770] | 8 | *
|
---|
[96407] | 9 | * This file is part of VirtualBox base platform packages, as
|
---|
| 10 | * available from https://www.virtualbox.org.
|
---|
[51770] | 11 | *
|
---|
[96407] | 12 | * This program is free software; you can redistribute it and/or
|
---|
| 13 | * modify it under the terms of the GNU General Public License
|
---|
| 14 | * as published by the Free Software Foundation, in version 3 of the
|
---|
| 15 | * License.
|
---|
| 16 | *
|
---|
| 17 | * This program is distributed in the hope that it will be useful, but
|
---|
| 18 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
| 19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
| 20 | * General Public License for more details.
|
---|
| 21 | *
|
---|
| 22 | * You should have received a copy of the GNU General Public License
|
---|
| 23 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
---|
| 24 | *
|
---|
[51770] | 25 | * The contents of this file may alternatively be used under the terms
|
---|
| 26 | * of the Common Development and Distribution License Version 1.0
|
---|
[96407] | 27 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
---|
| 28 | * in the VirtualBox distribution, in which case the provisions of the
|
---|
[51770] | 29 | * CDDL are applicable instead of those of the GPL.
|
---|
| 30 | *
|
---|
| 31 | * You may elect to license modified versions of this file under the
|
---|
| 32 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
[96407] | 33 | *
|
---|
| 34 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
---|
[51770] | 35 | */
|
---|
| 36 |
|
---|
[57358] | 37 |
|
---|
| 38 | /*********************************************************************************************************************************
|
---|
| 39 | * Header Files *
|
---|
| 40 | *********************************************************************************************************************************/
|
---|
[51770] | 41 | #include <iprt/nt/nt-and-windows.h>
|
---|
| 42 | #include <AccCtrl.h>
|
---|
| 43 | #include <AclApi.h>
|
---|
| 44 | #ifndef PROCESS_SET_LIMITED_INFORMATION
|
---|
| 45 | # define PROCESS_SET_LIMITED_INFORMATION 0x2000
|
---|
| 46 | #endif
|
---|
| 47 | #ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR
|
---|
[56733] | 48 | # define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR UINT32_C(0x100)
|
---|
| 49 | # define LOAD_LIBRARY_SEARCH_APPLICATION_DIR UINT32_C(0x200)
|
---|
| 50 | # define LOAD_LIBRARY_SEARCH_USER_DIRS UINT32_C(0x400)
|
---|
| 51 | # define LOAD_LIBRARY_SEARCH_SYSTEM32 UINT32_C(0x800)
|
---|
[51770] | 52 | #endif
|
---|
| 53 |
|
---|
| 54 | #include <VBox/sup.h>
|
---|
| 55 | #include <VBox/err.h>
|
---|
[52403] | 56 | #include <VBox/dis.h>
|
---|
[51770] | 57 | #include <iprt/ctype.h>
|
---|
| 58 | #include <iprt/string.h>
|
---|
| 59 | #include <iprt/initterm.h>
|
---|
| 60 | #include <iprt/param.h>
|
---|
[52204] | 61 | #include <iprt/path.h>
|
---|
[52632] | 62 | #include <iprt/thread.h>
|
---|
[76411] | 63 | #include <iprt/utf16.h>
|
---|
[52139] | 64 | #include <iprt/zero.h>
|
---|
[51770] | 65 |
|
---|
| 66 | #include "SUPLibInternal.h"
|
---|
| 67 | #include "win/SUPHardenedVerify-win.h"
|
---|
[51907] | 68 | #include "../SUPDrvIOC.h"
|
---|
[51770] | 69 |
|
---|
[52204] | 70 | #ifndef IMAGE_SCN_TYPE_NOLOAD
|
---|
| 71 | # define IMAGE_SCN_TYPE_NOLOAD 0x00000002
|
---|
| 72 | #endif
|
---|
[51770] | 73 |
|
---|
[52204] | 74 |
|
---|
[57358] | 75 | /*********************************************************************************************************************************
|
---|
| 76 | * Defined Constants And Macros *
|
---|
| 77 | *********************************************************************************************************************************/
|
---|
[52139] | 78 | /** The first argument of a respawed stub when respawned for the first time.
|
---|
[51770] | 79 | * This just needs to be unique enough to avoid most confusion with real
|
---|
| 80 | * executable names, there are other checks in place to make sure we've respanwed. */
|
---|
[52426] | 81 | #define SUPR3_RESPAWN_1_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild"
|
---|
[51770] | 82 |
|
---|
[52139] | 83 | /** The first argument of a respawed stub when respawned for the second time.
|
---|
| 84 | * This just needs to be unique enough to avoid most confusion with real
|
---|
| 85 | * executable names, there are other checks in place to make sure we've respanwed. */
|
---|
[52426] | 86 | #define SUPR3_RESPAWN_2_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild"
|
---|
[52139] | 87 |
|
---|
[51770] | 88 | /** Unconditional assertion. */
|
---|
| 89 | #define SUPR3HARDENED_ASSERT(a_Expr) \
|
---|
| 90 | do { \
|
---|
| 91 | if (!(a_Expr)) \
|
---|
[52632] | 92 | supR3HardenedFatal("%s: %s\n", __FUNCTION__, #a_Expr); \
|
---|
[51770] | 93 | } while (0)
|
---|
| 94 |
|
---|
| 95 | /** Unconditional assertion of NT_SUCCESS. */
|
---|
| 96 | #define SUPR3HARDENED_ASSERT_NT_SUCCESS(a_Expr) \
|
---|
| 97 | do { \
|
---|
| 98 | NTSTATUS rcNtAssert = (a_Expr); \
|
---|
| 99 | if (!NT_SUCCESS(rcNtAssert)) \
|
---|
[52632] | 100 | supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, rcNtAssert); \
|
---|
[51770] | 101 | } while (0)
|
---|
| 102 |
|
---|
| 103 | /** Unconditional assertion of a WIN32 API returning non-FALSE. */
|
---|
| 104 | #define SUPR3HARDENED_ASSERT_WIN32_SUCCESS(a_Expr) \
|
---|
| 105 | do { \
|
---|
| 106 | BOOL fRcAssert = (a_Expr); \
|
---|
| 107 | if (fRcAssert == FALSE) \
|
---|
[52940] | 108 | supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, RtlGetLastWin32Error()); \
|
---|
[51770] | 109 | } while (0)
|
---|
| 110 |
|
---|
| 111 |
|
---|
[57358] | 112 | /*********************************************************************************************************************************
|
---|
| 113 | * Structures and Typedefs *
|
---|
| 114 | *********************************************************************************************************************************/
|
---|
[51770] | 115 | /**
|
---|
| 116 | * Security descriptor cleanup structure.
|
---|
| 117 | */
|
---|
| 118 | typedef struct MYSECURITYCLEANUP
|
---|
| 119 | {
|
---|
| 120 | union
|
---|
| 121 | {
|
---|
| 122 | SID Sid;
|
---|
| 123 | uint8_t abPadding[SECURITY_MAX_SID_SIZE];
|
---|
| 124 | } Everyone, Owner, User, Login;
|
---|
| 125 | union
|
---|
| 126 | {
|
---|
| 127 | ACL AclHdr;
|
---|
| 128 | uint8_t abPadding[1024];
|
---|
| 129 | } Acl;
|
---|
| 130 | PSECURITY_DESCRIPTOR pSecDesc;
|
---|
| 131 | } MYSECURITYCLEANUP;
|
---|
| 132 | /** Pointer to security cleanup structure. */
|
---|
| 133 | typedef MYSECURITYCLEANUP *PMYSECURITYCLEANUP;
|
---|
| 134 |
|
---|
| 135 |
|
---|
| 136 | /**
|
---|
| 137 | * Image verifier cache entry.
|
---|
| 138 | */
|
---|
| 139 | typedef struct VERIFIERCACHEENTRY
|
---|
| 140 | {
|
---|
| 141 | /** Pointer to the next entry with the same hash value. */
|
---|
| 142 | struct VERIFIERCACHEENTRY * volatile pNext;
|
---|
[52403] | 143 | /** Next entry in the WinVerifyTrust todo list. */
|
---|
| 144 | struct VERIFIERCACHEENTRY * volatile pNextTodoWvt;
|
---|
| 145 |
|
---|
[51770] | 146 | /** The file handle. */
|
---|
| 147 | HANDLE hFile;
|
---|
| 148 | /** If fIndexNumber is set, this is an file system internal file identifier. */
|
---|
| 149 | LARGE_INTEGER IndexNumber;
|
---|
| 150 | /** The path hash value. */
|
---|
| 151 | uint32_t uHash;
|
---|
| 152 | /** The verification result. */
|
---|
| 153 | int rc;
|
---|
[53045] | 154 | /** Used for shutting up load and error messages after a while so they don't
|
---|
[64532] | 155 | * flood the log file and fill up the disk. */
|
---|
[53045] | 156 | uint32_t volatile cHits;
|
---|
[52431] | 157 | /** The validation flags (for WinVerifyTrust retry). */
|
---|
| 158 | uint32_t fFlags;
|
---|
[51770] | 159 | /** Whether IndexNumber is valid */
|
---|
| 160 | bool fIndexNumberValid;
|
---|
[52403] | 161 | /** Whether verified by WinVerifyTrust. */
|
---|
| 162 | bool volatile fWinVerifyTrust;
|
---|
[51770] | 163 | /** cwcPath * sizeof(RTUTF16). */
|
---|
| 164 | uint16_t cbPath;
|
---|
| 165 | /** The full path of this entry (variable size). */
|
---|
| 166 | RTUTF16 wszPath[1];
|
---|
| 167 | } VERIFIERCACHEENTRY;
|
---|
| 168 | /** Pointer to an image verifier path entry. */
|
---|
| 169 | typedef VERIFIERCACHEENTRY *PVERIFIERCACHEENTRY;
|
---|
| 170 |
|
---|
| 171 |
|
---|
[52403] | 172 | /**
|
---|
| 173 | * Name of an import DLL that we need to check out.
|
---|
| 174 | */
|
---|
| 175 | typedef struct VERIFIERCACHEIMPORT
|
---|
| 176 | {
|
---|
| 177 | /** Pointer to the next DLL in the list. */
|
---|
| 178 | struct VERIFIERCACHEIMPORT * volatile pNext;
|
---|
| 179 | /** The length of pwszAltSearchDir if available. */
|
---|
| 180 | uint32_t cwcAltSearchDir;
|
---|
| 181 | /** This points the directory containing the DLL needing it, this will be
|
---|
| 182 | * NULL for a System32 DLL. */
|
---|
| 183 | PWCHAR pwszAltSearchDir;
|
---|
| 184 | /** The name of the import DLL (variable length). */
|
---|
| 185 | char szName[1];
|
---|
| 186 | } VERIFIERCACHEIMPORT;
|
---|
| 187 | /** Pointer to a import DLL that needs checking out. */
|
---|
| 188 | typedef VERIFIERCACHEIMPORT *PVERIFIERCACHEIMPORT;
|
---|
| 189 |
|
---|
| 190 |
|
---|
[52943] | 191 | /**
|
---|
[52969] | 192 | * Child requests.
|
---|
[52943] | 193 | */
|
---|
[52969] | 194 | typedef enum SUPR3WINCHILDREQ
|
---|
| 195 | {
|
---|
| 196 | /** Perform child purification and close full access handles (must be zero). */
|
---|
| 197 | kSupR3WinChildReq_PurifyChildAndCloseHandles = 0,
|
---|
| 198 | /** Close the events, we're good on our own from here on. */
|
---|
| 199 | kSupR3WinChildReq_CloseEvents,
|
---|
| 200 | /** Reporting error. */
|
---|
| 201 | kSupR3WinChildReq_Error,
|
---|
| 202 | /** End of valid requests. */
|
---|
| 203 | kSupR3WinChildReq_End
|
---|
| 204 | } SUPR3WINCHILDREQ;
|
---|
| 205 |
|
---|
| 206 | /**
|
---|
| 207 | * Child process parameters.
|
---|
| 208 | */
|
---|
[52943] | 209 | typedef struct SUPR3WINPROCPARAMS
|
---|
| 210 | {
|
---|
| 211 | /** The event semaphore the child will be waiting on. */
|
---|
[52969] | 212 | HANDLE hEvtChild;
|
---|
[52943] | 213 | /** The event semaphore the parent will be waiting on. */
|
---|
[52969] | 214 | HANDLE hEvtParent;
|
---|
[52943] | 215 |
|
---|
[52969] | 216 | /** The address of the NTDLL. This is only valid during the very early
|
---|
| 217 | * initialization as we abuse for thread creation protection. */
|
---|
| 218 | uintptr_t uNtDllAddr;
|
---|
[52943] | 219 |
|
---|
[52969] | 220 | /** The requested operation (set by the child). */
|
---|
| 221 | SUPR3WINCHILDREQ enmRequest;
|
---|
[52943] | 222 | /** The last status. */
|
---|
[52969] | 223 | int32_t rc;
|
---|
[52962] | 224 | /** The init operation the error relates to if message, kSupInitOp_Invalid if
|
---|
| 225 | * not message. */
|
---|
[52969] | 226 | SUPINITOP enmWhat;
|
---|
[52962] | 227 | /** Where if message. */
|
---|
[52969] | 228 | char szWhere[80];
|
---|
[52943] | 229 | /** Error message / path name string space. */
|
---|
[57501] | 230 | char szErrorMsg[16384+1024];
|
---|
[52943] | 231 | } SUPR3WINPROCPARAMS;
|
---|
| 232 |
|
---|
| 233 |
|
---|
[52969] | 234 | /**
|
---|
| 235 | * Child process data structure for use during child process init setup and
|
---|
| 236 | * purification.
|
---|
| 237 | */
|
---|
| 238 | typedef struct SUPR3HARDNTCHILD
|
---|
| 239 | {
|
---|
| 240 | /** Process handle. */
|
---|
| 241 | HANDLE hProcess;
|
---|
| 242 | /** Primary thread handle. */
|
---|
| 243 | HANDLE hThread;
|
---|
| 244 | /** Handle to the parent process, if we're the middle (stub) process. */
|
---|
| 245 | HANDLE hParent;
|
---|
| 246 | /** The event semaphore the child will be waiting on. */
|
---|
| 247 | HANDLE hEvtChild;
|
---|
| 248 | /** The event semaphore the parent will be waiting on. */
|
---|
| 249 | HANDLE hEvtParent;
|
---|
| 250 | /** The address of NTDLL in the child. */
|
---|
| 251 | uintptr_t uNtDllAddr;
|
---|
| 252 | /** The address of NTDLL in this process. */
|
---|
| 253 | uintptr_t uNtDllParentAddr;
|
---|
| 254 | /** Which respawn number this is (1 = stub, 2 = VM). */
|
---|
| 255 | int iWhich;
|
---|
| 256 | /** The basic process info. */
|
---|
| 257 | PROCESS_BASIC_INFORMATION BasicInfo;
|
---|
| 258 | /** The probable size of the PEB. */
|
---|
| 259 | size_t cbPeb;
|
---|
| 260 | /** The pristine process environment block. */
|
---|
| 261 | PEB Peb;
|
---|
| 262 | /** The child process parameters. */
|
---|
| 263 | SUPR3WINPROCPARAMS ProcParams;
|
---|
| 264 | } SUPR3HARDNTCHILD;
|
---|
| 265 | /** Pointer to a child process data structure. */
|
---|
| 266 | typedef SUPR3HARDNTCHILD *PSUPR3HARDNTCHILD;
|
---|
| 267 |
|
---|
| 268 |
|
---|
[57358] | 269 | /*********************************************************************************************************************************
|
---|
| 270 | * Global Variables *
|
---|
| 271 | *********************************************************************************************************************************/
|
---|
[52943] | 272 | /** Process parameters. Specified by parent if VM process, see
|
---|
| 273 | * supR3HardenedVmProcessInit. */
|
---|
[52969] | 274 | static SUPR3WINPROCPARAMS g_ProcParams = { NULL, NULL, 0, (SUPR3WINCHILDREQ)0, 0 };
|
---|
[52949] | 275 | /** Set if supR3HardenedEarlyProcessInit was invoked. */
|
---|
| 276 | bool g_fSupEarlyProcessInit = false;
|
---|
| 277 | /** Set if the stub device has been opened (stub process only). */
|
---|
| 278 | bool g_fSupStubOpened = false;
|
---|
[52943] | 279 |
|
---|
[51770] | 280 | /** @name Global variables initialized by suplibHardenedWindowsMain.
|
---|
| 281 | * @{ */
|
---|
| 282 | /** Combined windows NT version number. See SUP_MAKE_NT_VER_COMBINED. */
|
---|
| 283 | uint32_t g_uNtVerCombined = 0;
|
---|
| 284 | /** Count calls to the special main function for linking santity checks. */
|
---|
| 285 | static uint32_t volatile g_cSuplibHardenedWindowsMainCalls;
|
---|
| 286 | /** The UTF-16 windows path to the executable. */
|
---|
| 287 | RTUTF16 g_wszSupLibHardenedExePath[1024];
|
---|
| 288 | /** The NT path of the executable. */
|
---|
| 289 | SUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;
|
---|
[56733] | 290 | /** The NT path of the application binary directory. */
|
---|
| 291 | SUPSYSROOTDIRBUF g_SupLibHardenedAppBinNtPath;
|
---|
[51770] | 292 | /** The offset into g_SupLibHardenedExeNtPath of the executable name (WCHAR,
|
---|
| 293 | * not byte). This also gives the length of the exectuable directory path,
|
---|
| 294 | * including a trailing slash. */
|
---|
[56733] | 295 | static uint32_t g_offSupLibHardenedExeNtName;
|
---|
| 296 | /** Set if we need to use the LOAD_LIBRARY_SEARCH_USER_DIRS option. */
|
---|
| 297 | bool g_fSupLibHardenedDllSearchUserDirs = false;
|
---|
[51770] | 298 | /** @} */
|
---|
| 299 |
|
---|
| 300 | /** @name Hook related variables.
|
---|
| 301 | * @{ */
|
---|
| 302 | /** Pointer to the bit of assembly code that will perform the original
|
---|
| 303 | * NtCreateSection operation. */
|
---|
[80212] | 304 | static NTSTATUS (NTAPI *g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
|
---|
[51770] | 305 | PLARGE_INTEGER, ULONG, ULONG, HANDLE);
|
---|
[52953] | 306 | /** Pointer to the NtCreateSection function in NtDll (for patching purposes). */
|
---|
| 307 | static uint8_t *g_pbNtCreateSection;
|
---|
| 308 | /** The patched NtCreateSection bytes (for restoring). */
|
---|
| 309 | static uint8_t g_abNtCreateSectionPatch[16];
|
---|
[52403] | 310 | /** Pointer to the bit of assembly code that will perform the original
|
---|
| 311 | * LdrLoadDll operation. */
|
---|
[80212] | 312 | static NTSTATUS (NTAPI *g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
|
---|
[52953] | 313 | /** Pointer to the LdrLoadDll function in NtDll (for patching purposes). */
|
---|
| 314 | static uint8_t *g_pbLdrLoadDll;
|
---|
| 315 | /** The patched LdrLoadDll bytes (for restoring). */
|
---|
| 316 | static uint8_t g_abLdrLoadDllPatch[16];
|
---|
| 317 |
|
---|
[81118] | 318 | #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
|
---|
[80212] | 319 | /** Pointer to the bit of assembly code that will perform the original
|
---|
[81118] | 320 | * KiUserExceptionDispatcher operation. */
|
---|
| 321 | static VOID (NTAPI *g_pfnKiUserExceptionDispatcherReal)(void);
|
---|
| 322 | /** Pointer to the KiUserExceptionDispatcher function in NtDll (for patching purposes). */
|
---|
| 323 | static uint8_t *g_pbKiUserExceptionDispatcher;
|
---|
| 324 | /** The patched KiUserExceptionDispatcher bytes (for restoring). */
|
---|
| 325 | static uint8_t g_abKiUserExceptionDispatcherPatch[16];
|
---|
| 326 | #endif
|
---|
| 327 |
|
---|
| 328 | /** Pointer to the bit of assembly code that will perform the original
|
---|
[80212] | 329 | * KiUserApcDispatcher operation. */
|
---|
| 330 | static VOID (NTAPI *g_pfnKiUserApcDispatcherReal)(void);
|
---|
[81118] | 331 | /** Pointer to the KiUserApcDispatcher function in NtDll (for patching purposes). */
|
---|
[80212] | 332 | static uint8_t *g_pbKiUserApcDispatcher;
|
---|
| 333 | /** The patched KiUserApcDispatcher bytes (for restoring). */
|
---|
| 334 | static uint8_t g_abKiUserApcDispatcherPatch[16];
|
---|
[81118] | 335 |
|
---|
[80212] | 336 | /** Pointer to the LdrInitializeThunk function in NtDll for
|
---|
| 337 | * supR3HardenedMonitor_KiUserApcDispatcher_C() to use for APC vetting. */
|
---|
| 338 | static uintptr_t g_pfnLdrInitializeThunk;
|
---|
| 339 |
|
---|
[51770] | 340 | /** The hash table of verifier cache . */
|
---|
[52431] | 341 | static PVERIFIERCACHEENTRY volatile g_apVerifierCache[128];
|
---|
[52403] | 342 | /** Queue of cached images which needs WinVerifyTrust to check them. */
|
---|
[52431] | 343 | static PVERIFIERCACHEENTRY volatile g_pVerifierCacheTodoWvt = NULL;
|
---|
[52403] | 344 | /** Queue of cached images which needs their imports checked. */
|
---|
[52431] | 345 | static PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;
|
---|
[52947] | 346 |
|
---|
| 347 | /** The windows path to dir \\SystemRoot\\System32 directory (technically
|
---|
[58132] | 348 | * this whatever \\KnownDlls\\KnownDllPath points to). */
|
---|
[52947] | 349 | SUPSYSROOTDIRBUF g_System32WinPath;
|
---|
[86532] | 350 | /** @} */
|
---|
[51770] | 351 |
|
---|
[52953] | 352 | /** Positive if the DLL notification callback has been registered, counts
|
---|
| 353 | * registration attempts as negative. */
|
---|
| 354 | static int g_cDllNotificationRegistered = 0;
|
---|
| 355 | /** The registration cookie of the DLL notification callback. */
|
---|
| 356 | static PVOID g_pvDllNotificationCookie = NULL;
|
---|
[52947] | 357 |
|
---|
[51770] | 358 | /** Static error info structure used during init. */
|
---|
| 359 | static RTERRINFOSTATIC g_ErrInfoStatic;
|
---|
| 360 |
|
---|
[52403] | 361 | /** In the assembly file. */
|
---|
| 362 | extern "C" uint8_t g_abSupHardReadWriteExecPage[PAGE_SIZE];
|
---|
[51770] | 363 |
|
---|
[52523] | 364 | /** Whether we've patched our own LdrInitializeThunk or not. We do this to
|
---|
| 365 | * disable thread creation. */
|
---|
| 366 | static bool g_fSupInitThunkSelfPatched;
|
---|
| 367 | /** The backup of our own LdrInitializeThunk code, for enabling and disabling
|
---|
| 368 | * thread creation in this process. */
|
---|
| 369 | static uint8_t g_abLdrInitThunkSelfBackup[16];
|
---|
[52403] | 370 |
|
---|
[52739] | 371 | /** Mask of adversaries that we've detected (SUPHARDNT_ADVERSARY_XXX). */
|
---|
| 372 | static uint32_t g_fSupAdversaries = 0;
|
---|
| 373 | /** @name SUPHARDNT_ADVERSARY_XXX - Adversaries
|
---|
| 374 | * @{ */
|
---|
| 375 | /** Symantec endpoint protection or similar including SysPlant.sys. */
|
---|
| 376 | #define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0)
|
---|
[52741] | 377 | /** Symantec Norton 360. */
|
---|
| 378 | #define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1)
|
---|
[52739] | 379 | /** Avast! */
|
---|
[52741] | 380 | #define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2)
|
---|
| 381 | /** TrendMicro OfficeScan and probably others. */
|
---|
| 382 | #define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3)
|
---|
[53017] | 383 | /** TrendMicro potentially buggy sakfile.sys. */
|
---|
| 384 | #define SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE RT_BIT_32(4)
|
---|
[52741] | 385 | /** McAfee. */
|
---|
[53017] | 386 | #define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(5)
|
---|
[52906] | 387 | /** Kaspersky or OEMs of it. */
|
---|
[53017] | 388 | #define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(6)
|
---|
[52741] | 389 | /** Malwarebytes Anti-Malware (MBAM). */
|
---|
[53017] | 390 | #define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(7)
|
---|
[52741] | 391 | /** AVG Internet Security. */
|
---|
[53017] | 392 | #define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(8)
|
---|
[52741] | 393 | /** Panda Security. */
|
---|
[53017] | 394 | #define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(9)
|
---|
[52741] | 395 | /** Microsoft Security Essentials. */
|
---|
[53017] | 396 | #define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(10)
|
---|
[52795] | 397 | /** Comodo. */
|
---|
[53017] | 398 | #define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(11)
|
---|
[52906] | 399 | /** Check Point's Zone Alarm (may include Kaspersky). */
|
---|
[53017] | 400 | #define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(12)
|
---|
[66484] | 401 | /** Digital guardian, old problematic version. */
|
---|
| 402 | #define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD RT_BIT_32(13)
|
---|
| 403 | /** Digital guardian, new version. */
|
---|
| 404 | #define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW RT_BIT_32(14)
|
---|
[60733] | 405 | /** Cylance protect or something (from googling, no available sample copy). */
|
---|
[66484] | 406 | #define SUPHARDNT_ADVERSARY_CYLANCE RT_BIT_32(15)
|
---|
[60733] | 407 | /** BeyondTrust / PowerBroker / something (googling, no available sample copy). */
|
---|
[66484] | 408 | #define SUPHARDNT_ADVERSARY_BEYONDTRUST RT_BIT_32(16)
|
---|
[60767] | 409 | /** Avecto / Defendpoint / Privilege Guard (details from support guy, hoping to get sample copy). */
|
---|
[66484] | 410 | #define SUPHARDNT_ADVERSARY_AVECTO RT_BIT_32(17)
|
---|
[79642] | 411 | /** Sophos Endpoint Defense. */
|
---|
| 412 | #define SUPHARDNT_ADVERSARY_SOPHOS RT_BIT_32(18)
|
---|
[80212] | 413 | /** VMware horizon view agent. */
|
---|
| 414 | #define SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT RT_BIT_32(19)
|
---|
[52739] | 415 | /** Unknown adversary detected while waiting on child. */
|
---|
| 416 | #define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31)
|
---|
| 417 | /** @} */
|
---|
[52523] | 418 |
|
---|
[52739] | 419 |
|
---|
[57358] | 420 | /*********************************************************************************************************************************
|
---|
| 421 | * Internal Functions *
|
---|
| 422 | *********************************************************************************************************************************/
|
---|
[53220] | 423 | static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,
|
---|
[52528] | 424 | bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,
|
---|
[85121] | 425 | bool *pfQuiet) RT_NOTHROW_PROTO;
|
---|
[52967] | 426 | static void supR3HardenedWinRegisterDllNotificationCallback(void);
|
---|
[85121] | 427 | static void supR3HardenedWinReInstallHooks(bool fFirst) RT_NOTHROW_PROTO;
|
---|
[52967] | 428 | DECLASM(void) supR3HardenedEarlyProcessInitThunk(void);
|
---|
[80212] | 429 | DECLASM(void) supR3HardenedMonitor_KiUserApcDispatcher(void);
|
---|
[81118] | 430 | #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
|
---|
| 431 | DECLASM(void) supR3HardenedMonitor_KiUserExceptionDispatcher(void);
|
---|
| 432 | #endif
|
---|
[80218] | 433 | extern "C" void __stdcall suplibHardenedWindowsMain(void);
|
---|
[52403] | 434 |
|
---|
[52953] | 435 |
|
---|
[62677] | 436 | #if 0 /* unused */
|
---|
[51770] | 437 |
|
---|
| 438 | /**
|
---|
| 439 | * Simple wide char search routine.
|
---|
| 440 | *
|
---|
| 441 | * @returns Pointer to the first location of @a wcNeedle in @a pwszHaystack.
|
---|
| 442 | * NULL if not found.
|
---|
| 443 | * @param pwszHaystack Pointer to the string that should be searched.
|
---|
| 444 | * @param wcNeedle The character to search for.
|
---|
| 445 | */
|
---|
| 446 | static PRTUTF16 suplibHardenedWStrChr(PCRTUTF16 pwszHaystack, RTUTF16 wcNeedle)
|
---|
| 447 | {
|
---|
| 448 | for (;;)
|
---|
| 449 | {
|
---|
| 450 | RTUTF16 wcCur = *pwszHaystack;
|
---|
| 451 | if (wcCur == wcNeedle)
|
---|
| 452 | return (PRTUTF16)pwszHaystack;
|
---|
| 453 | if (wcCur == '\0')
|
---|
| 454 | return NULL;
|
---|
| 455 | pwszHaystack++;
|
---|
| 456 | }
|
---|
| 457 | }
|
---|
| 458 |
|
---|
| 459 |
|
---|
| 460 | /**
|
---|
| 461 | * Simple wide char string length routine.
|
---|
| 462 | *
|
---|
| 463 | * @returns The number of characters in the given string. (Excludes the
|
---|
| 464 | * terminator.)
|
---|
| 465 | * @param pwsz The string.
|
---|
| 466 | */
|
---|
| 467 | static size_t suplibHardenedWStrLen(PCRTUTF16 pwsz)
|
---|
| 468 | {
|
---|
| 469 | PCRTUTF16 pwszCur = pwsz;
|
---|
| 470 | while (*pwszCur != '\0')
|
---|
| 471 | pwszCur++;
|
---|
| 472 | return pwszCur - pwsz;
|
---|
| 473 | }
|
---|
| 474 |
|
---|
[62677] | 475 | #endif /* unused */
|
---|
[51770] | 476 |
|
---|
[62677] | 477 |
|
---|
[51770] | 478 | /**
|
---|
[52949] | 479 | * Our version of GetTickCount.
|
---|
| 480 | * @returns Millisecond timestamp.
|
---|
| 481 | */
|
---|
| 482 | static uint64_t supR3HardenedWinGetMilliTS(void)
|
---|
| 483 | {
|
---|
| 484 | PKUSER_SHARED_DATA pUserSharedData = (PKUSER_SHARED_DATA)(uintptr_t)0x7ffe0000;
|
---|
| 485 |
|
---|
| 486 | /* use interrupt time */
|
---|
| 487 | LARGE_INTEGER Time;
|
---|
| 488 | do
|
---|
| 489 | {
|
---|
| 490 | Time.HighPart = pUserSharedData->InterruptTime.High1Time;
|
---|
| 491 | Time.LowPart = pUserSharedData->InterruptTime.LowPart;
|
---|
| 492 | } while (pUserSharedData->InterruptTime.High2Time != Time.HighPart);
|
---|
| 493 |
|
---|
| 494 | return (uint64_t)Time.QuadPart / 10000;
|
---|
| 495 | }
|
---|
| 496 |
|
---|
| 497 |
|
---|
[93256] | 498 | /**
|
---|
| 499 | * Called when there is some /GS (or maybe /RTCsu) related stack problem.
|
---|
| 500 | *
|
---|
| 501 | * We don't want the CRT version living in gshandle.obj, as it uses a lot of
|
---|
| 502 | * kernel32 imports, we want to report this error ourselves.
|
---|
| 503 | */
|
---|
| 504 | extern "C" __declspec(noreturn guard(nosspro) guard(nossepi))
|
---|
| 505 | void __cdecl __report_rangecheckfailure(void)
|
---|
| 506 | {
|
---|
| 507 | supR3HardenedFatal("__report_rangecheckfailure called from %p", ASMReturnAddress());
|
---|
| 508 | }
|
---|
[52949] | 509 |
|
---|
[93256] | 510 |
|
---|
[52949] | 511 | /**
|
---|
[93256] | 512 | * Called when there is some /GS problem has been detected.
|
---|
| 513 | *
|
---|
| 514 | * We don't want the CRT version living in gshandle.obj, as it uses a lot of
|
---|
| 515 | * kernel32 imports, we want to report this error ourselves.
|
---|
| 516 | */
|
---|
| 517 | extern "C" __declspec(noreturn guard(nosspro) guard(nossepi))
|
---|
| 518 | #ifdef RT_ARCH_X86
|
---|
| 519 | void __cdecl __report_gsfailure(void)
|
---|
| 520 | #else
|
---|
| 521 | void __report_gsfailure(uintptr_t uCookie)
|
---|
| 522 | #endif
|
---|
| 523 | {
|
---|
| 524 | #ifdef RT_ARCH_X86
|
---|
| 525 | supR3HardenedFatal("__report_gsfailure called from %p", ASMReturnAddress());
|
---|
| 526 | #else
|
---|
| 527 | supR3HardenedFatal("__report_gsfailure called from %p, cookie=%p", ASMReturnAddress(), uCookie);
|
---|
| 528 | #endif
|
---|
| 529 | }
|
---|
| 530 |
|
---|
| 531 |
|
---|
| 532 | /**
|
---|
[51770] | 533 | * Wrapper around LoadLibraryEx that deals with the UTF-8 to UTF-16 conversion
|
---|
| 534 | * and supplies the right flags.
|
---|
| 535 | *
|
---|
| 536 | * @returns Module handle on success, NULL on failure.
|
---|
| 537 | * @param pszName The full path to the DLL.
|
---|
| 538 | * @param fSystem32Only Whether to only look for imports in the system32
|
---|
| 539 | * directory. If set to false, the application
|
---|
| 540 | * directory is also searched.
|
---|
[56746] | 541 | * @param fMainFlags The main flags (giving the location), if the DLL
|
---|
| 542 | * being loaded is loaded from the app bin
|
---|
| 543 | * directory and import other DLLs from there. Pass
|
---|
| 544 | * 0 (= SUPSECMAIN_FLAGS_LOC_APP_BIN) if not
|
---|
| 545 | * applicable. Ignored if @a fSystem32Only is set.
|
---|
| 546 | *
|
---|
| 547 | * This is only needed to load VBoxRT.dll when
|
---|
| 548 | * executing a testcase from the testcase/ subdir.
|
---|
[51770] | 549 | */
|
---|
[56746] | 550 | DECLHIDDEN(void *) supR3HardenedWinLoadLibrary(const char *pszName, bool fSystem32Only, uint32_t fMainFlags)
|
---|
[51770] | 551 | {
|
---|
| 552 | WCHAR wszPath[RTPATH_MAX];
|
---|
| 553 | PRTUTF16 pwszPath = wszPath;
|
---|
| 554 | int rc = RTStrToUtf16Ex(pszName, RTSTR_MAX, &pwszPath, RT_ELEMENTS(wszPath), NULL);
|
---|
| 555 | if (RT_SUCCESS(rc))
|
---|
| 556 | {
|
---|
| 557 | while (*pwszPath)
|
---|
| 558 | {
|
---|
| 559 | if (*pwszPath == '/')
|
---|
| 560 | *pwszPath = '\\';
|
---|
| 561 | pwszPath++;
|
---|
| 562 | }
|
---|
| 563 |
|
---|
| 564 | DWORD fFlags = 0;
|
---|
| 565 | if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))
|
---|
| 566 | {
|
---|
[56733] | 567 | fFlags |= LOAD_LIBRARY_SEARCH_SYSTEM32;
|
---|
| 568 | if (!fSystem32Only)
|
---|
| 569 | {
|
---|
| 570 | fFlags |= LOAD_LIBRARY_SEARCH_APPLICATION_DIR;
|
---|
| 571 | if (g_fSupLibHardenedDllSearchUserDirs)
|
---|
| 572 | fFlags |= LOAD_LIBRARY_SEARCH_USER_DIRS;
|
---|
[56746] | 573 | if ((fMainFlags & SUPSECMAIN_FLAGS_LOC_MASK) != SUPSECMAIN_FLAGS_LOC_APP_BIN)
|
---|
| 574 | fFlags |= LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
|
---|
[56733] | 575 | }
|
---|
[51770] | 576 | }
|
---|
| 577 |
|
---|
| 578 | void *pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, fFlags);
|
---|
| 579 |
|
---|
| 580 | /* Vista, W7, W2K8R might not work without KB2533623, so retry with no flags. */
|
---|
| 581 | if ( !pvRet
|
---|
| 582 | && fFlags
|
---|
| 583 | && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)
|
---|
[52940] | 584 | && RtlGetLastWin32Error() == ERROR_INVALID_PARAMETER)
|
---|
[51770] | 585 | pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, 0);
|
---|
| 586 |
|
---|
| 587 | return pvRet;
|
---|
| 588 | }
|
---|
| 589 | supR3HardenedFatal("RTStrToUtf16Ex failed on '%s': %Rrc", pszName, rc);
|
---|
[62677] | 590 | /* not reached */
|
---|
[51770] | 591 | }
|
---|
| 592 |
|
---|
| 593 |
|
---|
| 594 | /**
|
---|
| 595 | * Gets the internal index number of the file.
|
---|
| 596 | *
|
---|
| 597 | * @returns True if we got an index number, false if not.
|
---|
| 598 | * @param hFile The file in question.
|
---|
| 599 | * @param pIndexNumber where to return the index number.
|
---|
| 600 | */
|
---|
[85121] | 601 | static bool supR3HardenedWinVerifyCacheGetIndexNumber(HANDLE hFile, PLARGE_INTEGER pIndexNumber) RT_NOTHROW_DEF
|
---|
[51770] | 602 | {
|
---|
| 603 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 604 | NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, pIndexNumber, sizeof(*pIndexNumber), FileInternalInformation);
|
---|
| 605 | if (NT_SUCCESS(rcNt))
|
---|
| 606 | rcNt = Ios.Status;
|
---|
| 607 | #ifdef DEBUG_bird
|
---|
| 608 | if (!NT_SUCCESS(rcNt))
|
---|
| 609 | __debugbreak();
|
---|
| 610 | #endif
|
---|
| 611 | return NT_SUCCESS(rcNt) && pIndexNumber->QuadPart != 0;
|
---|
| 612 | }
|
---|
| 613 |
|
---|
| 614 |
|
---|
| 615 | /**
|
---|
[52403] | 616 | * Calculates the hash value for the given UTF-16 path string.
|
---|
[51770] | 617 | *
|
---|
| 618 | * @returns Hash value.
|
---|
| 619 | * @param pUniStr String to hash.
|
---|
| 620 | */
|
---|
[85121] | 621 | static uint32_t supR3HardenedWinVerifyCacheHashPath(PCUNICODE_STRING pUniStr) RT_NOTHROW_DEF
|
---|
[51770] | 622 | {
|
---|
| 623 | uint32_t uHash = 0;
|
---|
| 624 | unsigned cwcLeft = pUniStr->Length / sizeof(WCHAR);
|
---|
| 625 | PRTUTF16 pwc = pUniStr->Buffer;
|
---|
| 626 |
|
---|
| 627 | while (cwcLeft-- > 0)
|
---|
| 628 | {
|
---|
| 629 | RTUTF16 wc = *pwc++;
|
---|
[52403] | 630 | if (wc < 0x80)
|
---|
| 631 | wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';
|
---|
[51770] | 632 | uHash = wc + (uHash << 6) + (uHash << 16) - uHash;
|
---|
| 633 | }
|
---|
| 634 | return uHash;
|
---|
| 635 | }
|
---|
| 636 |
|
---|
| 637 |
|
---|
| 638 | /**
|
---|
[52403] | 639 | * Calculates the hash value for a directory + filename combo as if they were
|
---|
| 640 | * one single string.
|
---|
| 641 | *
|
---|
| 642 | * @returns Hash value.
|
---|
| 643 | * @param pawcDir The directory name.
|
---|
| 644 | * @param cwcDir The length of the directory name. RTSTR_MAX if
|
---|
| 645 | * not available.
|
---|
| 646 | * @param pszName The import name (UTF-8).
|
---|
| 647 | */
|
---|
[85121] | 648 | static uint32_t supR3HardenedWinVerifyCacheHashDirAndFile(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName) RT_NOTHROW_DEF
|
---|
[52403] | 649 | {
|
---|
| 650 | uint32_t uHash = 0;
|
---|
| 651 | while (cwcDir-- > 0)
|
---|
| 652 | {
|
---|
| 653 | RTUTF16 wc = *pawcDir++;
|
---|
| 654 | if (wc < 0x80)
|
---|
| 655 | wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';
|
---|
| 656 | uHash = wc + (uHash << 6) + (uHash << 16) - uHash;
|
---|
| 657 | }
|
---|
| 658 |
|
---|
| 659 | unsigned char ch = '\\';
|
---|
| 660 | uHash = ch + (uHash << 6) + (uHash << 16) - uHash;
|
---|
| 661 |
|
---|
| 662 | while ((ch = *pszName++) != '\0')
|
---|
| 663 | {
|
---|
| 664 | ch = RT_C_TO_LOWER(ch);
|
---|
| 665 | uHash = ch + (uHash << 6) + (uHash << 16) - uHash;
|
---|
| 666 | }
|
---|
| 667 |
|
---|
| 668 | return uHash;
|
---|
| 669 | }
|
---|
| 670 |
|
---|
| 671 |
|
---|
| 672 | /**
|
---|
| 673 | * Verify string cache compare function.
|
---|
| 674 | *
|
---|
| 675 | * @returns true if the strings match, false if not.
|
---|
| 676 | * @param pawcLeft The left hand string.
|
---|
| 677 | * @param pawcRight The right hand string.
|
---|
| 678 | * @param cwcToCompare The number of chars to compare.
|
---|
| 679 | */
|
---|
[85121] | 680 | static bool supR3HardenedWinVerifyCacheIsMatch(PCRTUTF16 pawcLeft, PCRTUTF16 pawcRight, uint32_t cwcToCompare) RT_NOTHROW_DEF
|
---|
[52403] | 681 | {
|
---|
| 682 | /* Try a quick memory compare first. */
|
---|
| 683 | if (memcmp(pawcLeft, pawcRight, cwcToCompare * sizeof(RTUTF16)) == 0)
|
---|
| 684 | return true;
|
---|
| 685 |
|
---|
| 686 | /* Slow char by char compare. */
|
---|
| 687 | while (cwcToCompare-- > 0)
|
---|
| 688 | {
|
---|
| 689 | RTUTF16 wcLeft = *pawcLeft++;
|
---|
| 690 | RTUTF16 wcRight = *pawcRight++;
|
---|
| 691 | if (wcLeft != wcRight)
|
---|
| 692 | {
|
---|
[52834] | 693 | wcLeft = wcLeft != '/' ? RT_C_TO_LOWER(wcLeft) : '\\';
|
---|
| 694 | wcRight = wcRight != '/' ? RT_C_TO_LOWER(wcRight) : '\\';
|
---|
[52403] | 695 | if (wcLeft != wcRight)
|
---|
| 696 | return false;
|
---|
| 697 | }
|
---|
| 698 | }
|
---|
| 699 |
|
---|
| 700 | return true;
|
---|
| 701 | }
|
---|
| 702 |
|
---|
| 703 |
|
---|
| 704 |
|
---|
| 705 | /**
|
---|
[51770] | 706 | * Inserts the given verifier result into the cache.
|
---|
| 707 | *
|
---|
| 708 | * @param pUniStr The full path of the image.
|
---|
| 709 | * @param hFile The file handle - must either be entered into
|
---|
| 710 | * the cache or closed.
|
---|
| 711 | * @param rc The verifier result.
|
---|
[52403] | 712 | * @param fWinVerifyTrust Whether verified by WinVerifyTrust or not.
|
---|
[52431] | 713 | * @param fFlags The image verification flags.
|
---|
[51770] | 714 | */
|
---|
[52431] | 715 | static void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,
|
---|
[85121] | 716 | bool fWinVerifyTrust, uint32_t fFlags) RT_NOTHROW_DEF
|
---|
[51770] | 717 | {
|
---|
| 718 | /*
|
---|
[52403] | 719 | * Allocate and initalize a new entry.
|
---|
[51770] | 720 | */
|
---|
[52940] | 721 | PVERIFIERCACHEENTRY pEntry = (PVERIFIERCACHEENTRY)RTMemAllocZ(sizeof(VERIFIERCACHEENTRY) + pUniStr->Length);
|
---|
[52403] | 722 | if (pEntry)
|
---|
[51770] | 723 | {
|
---|
[52403] | 724 | pEntry->pNext = NULL;
|
---|
| 725 | pEntry->pNextTodoWvt = NULL;
|
---|
| 726 | pEntry->hFile = hFile;
|
---|
[52528] | 727 | pEntry->uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);
|
---|
[52403] | 728 | pEntry->rc = rc;
|
---|
[52431] | 729 | pEntry->fFlags = fFlags;
|
---|
[53045] | 730 | pEntry->cHits = 0;
|
---|
[52403] | 731 | pEntry->fWinVerifyTrust = fWinVerifyTrust;
|
---|
| 732 | pEntry->cbPath = pUniStr->Length;
|
---|
| 733 | memcpy(pEntry->wszPath, pUniStr->Buffer, pUniStr->Length);
|
---|
| 734 | pEntry->wszPath[pUniStr->Length / sizeof(WCHAR)] = '\0';
|
---|
| 735 | pEntry->fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &pEntry->IndexNumber);
|
---|
| 736 |
|
---|
[51770] | 737 | /*
|
---|
[52403] | 738 | * Try insert it, careful with concurrent code as well as potential duplicates.
|
---|
[51770] | 739 | */
|
---|
[52403] | 740 | uint32_t iHashTab = pEntry->uHash % RT_ELEMENTS(g_apVerifierCache);
|
---|
| 741 | VERIFIERCACHEENTRY * volatile *ppEntry = &g_apVerifierCache[iHashTab];
|
---|
| 742 | for (;;)
|
---|
[51770] | 743 | {
|
---|
[52403] | 744 | if (ASMAtomicCmpXchgPtr(ppEntry, pEntry, NULL))
|
---|
[51770] | 745 | {
|
---|
[52403] | 746 | if (!fWinVerifyTrust)
|
---|
| 747 | do
|
---|
| 748 | pEntry->pNextTodoWvt = g_pVerifierCacheTodoWvt;
|
---|
| 749 | while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pEntry, pEntry->pNextTodoWvt));
|
---|
[52375] | 750 |
|
---|
[52403] | 751 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheInsert: %ls\n", pUniStr->Buffer));
|
---|
| 752 | return;
|
---|
[51770] | 753 | }
|
---|
| 754 |
|
---|
[52403] | 755 | PVERIFIERCACHEENTRY pOther = *ppEntry;
|
---|
| 756 | if (!pOther)
|
---|
| 757 | continue;
|
---|
| 758 | if ( pOther->uHash == pEntry->uHash
|
---|
| 759 | && pOther->cbPath == pEntry->cbPath
|
---|
[52535] | 760 | && supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath / sizeof(RTUTF16)))
|
---|
[52403] | 761 | break;
|
---|
| 762 | ppEntry = &pOther->pNext;
|
---|
| 763 | }
|
---|
| 764 |
|
---|
[52431] | 765 | /* Duplicate entry (may happen due to races). */
|
---|
[52940] | 766 | RTMemFree(pEntry);
|
---|
[51770] | 767 | }
|
---|
| 768 | NtClose(hFile);
|
---|
| 769 | }
|
---|
| 770 |
|
---|
| 771 |
|
---|
| 772 | /**
|
---|
| 773 | * Looks up an entry in the verifier hash table.
|
---|
| 774 | *
|
---|
| 775 | * @return Pointer to the entry on if found, NULL if not.
|
---|
| 776 | * @param pUniStr The full path of the image.
|
---|
| 777 | * @param hFile The file handle.
|
---|
| 778 | */
|
---|
[85121] | 779 | static PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookup(PCUNICODE_STRING pUniStr, HANDLE hFile) RT_NOTHROW_DEF
|
---|
[51770] | 780 | {
|
---|
| 781 | PRTUTF16 const pwszPath = pUniStr->Buffer;
|
---|
| 782 | uint16_t const cbPath = pUniStr->Length;
|
---|
| 783 | uint32_t uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);
|
---|
| 784 | uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);
|
---|
| 785 | PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];
|
---|
| 786 | while (pCur)
|
---|
| 787 | {
|
---|
| 788 | if ( pCur->uHash == uHash
|
---|
| 789 | && pCur->cbPath == cbPath
|
---|
[52403] | 790 | && supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pwszPath, cbPath / sizeof(RTUTF16)))
|
---|
[51770] | 791 | {
|
---|
| 792 |
|
---|
| 793 | if (!pCur->fIndexNumberValid)
|
---|
| 794 | return pCur;
|
---|
| 795 | LARGE_INTEGER IndexNumber;
|
---|
| 796 | bool fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &IndexNumber);
|
---|
| 797 | if ( fIndexNumberValid
|
---|
| 798 | && IndexNumber.QuadPart == pCur->IndexNumber.QuadPart)
|
---|
| 799 | return pCur;
|
---|
| 800 | #ifdef DEBUG_bird
|
---|
| 801 | __debugbreak();
|
---|
| 802 | #endif
|
---|
| 803 | }
|
---|
| 804 | pCur = pCur->pNext;
|
---|
| 805 | }
|
---|
| 806 | return NULL;
|
---|
| 807 | }
|
---|
| 808 |
|
---|
| 809 |
|
---|
| 810 | /**
|
---|
[52403] | 811 | * Looks up an import DLL in the verifier hash table.
|
---|
| 812 | *
|
---|
| 813 | * @return Pointer to the entry on if found, NULL if not.
|
---|
| 814 | * @param pawcDir The directory name.
|
---|
| 815 | * @param cwcDir The length of the directory name.
|
---|
| 816 | * @param pszName The import name (UTF-8).
|
---|
| 817 | */
|
---|
| 818 | static PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookupImport(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)
|
---|
| 819 | {
|
---|
| 820 | uint32_t uHash = supR3HardenedWinVerifyCacheHashDirAndFile(pawcDir, cwcDir, pszName);
|
---|
| 821 | uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);
|
---|
| 822 | uint32_t const cbPath = (uint32_t)((cwcDir + 1 + strlen(pszName)) * sizeof(RTUTF16));
|
---|
| 823 | PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];
|
---|
| 824 | while (pCur)
|
---|
| 825 | {
|
---|
| 826 | if ( pCur->uHash == uHash
|
---|
| 827 | && pCur->cbPath == cbPath)
|
---|
| 828 | {
|
---|
| 829 | if (supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pawcDir, cwcDir))
|
---|
| 830 | {
|
---|
| 831 | if (pCur->wszPath[cwcDir] == '\\' || pCur->wszPath[cwcDir] == '/')
|
---|
| 832 | {
|
---|
| 833 | if (RTUtf16ICmpAscii(&pCur->wszPath[cwcDir + 1], pszName))
|
---|
| 834 | {
|
---|
| 835 | return pCur;
|
---|
| 836 | }
|
---|
| 837 | }
|
---|
| 838 | }
|
---|
| 839 | }
|
---|
| 840 |
|
---|
| 841 | pCur = pCur->pNext;
|
---|
| 842 | }
|
---|
| 843 | return NULL;
|
---|
| 844 | }
|
---|
| 845 |
|
---|
| 846 |
|
---|
| 847 | /**
|
---|
| 848 | * Schedules the import DLLs for verification and entry into the cache.
|
---|
| 849 | *
|
---|
| 850 | * @param hLdrMod The loader module which imports should be
|
---|
| 851 | * scheduled for verification.
|
---|
| 852 | * @param pwszName The full NT path of the module.
|
---|
| 853 | */
|
---|
| 854 | DECLHIDDEN(void) supR3HardenedWinVerifyCacheScheduleImports(RTLDRMOD hLdrMod, PCRTUTF16 pwszName)
|
---|
| 855 | {
|
---|
| 856 | /*
|
---|
| 857 | * Any imports?
|
---|
| 858 | */
|
---|
| 859 | uint32_t cImports;
|
---|
| 860 | int rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_COUNT, NULL /*pvBits*/, &cImports, sizeof(cImports), NULL);
|
---|
| 861 | if (RT_SUCCESS(rc))
|
---|
| 862 | {
|
---|
| 863 | if (cImports)
|
---|
| 864 | {
|
---|
| 865 | /*
|
---|
| 866 | * Figure out the DLL directory from pwszName.
|
---|
| 867 | */
|
---|
| 868 | PCRTUTF16 pawcDir = pwszName;
|
---|
| 869 | uint32_t cwcDir = 0;
|
---|
| 870 | uint32_t i = 0;
|
---|
| 871 | RTUTF16 wc;
|
---|
| 872 | while ((wc = pawcDir[i++]) != '\0')
|
---|
| 873 | if ((wc == '\\' || wc == '/' || wc == ':') && cwcDir + 2 != i)
|
---|
| 874 | cwcDir = i - 1;
|
---|
| 875 | if ( g_System32NtPath.UniStr.Length / sizeof(WCHAR) == cwcDir
|
---|
| 876 | && supR3HardenedWinVerifyCacheIsMatch(pawcDir, g_System32NtPath.UniStr.Buffer, cwcDir))
|
---|
| 877 | pawcDir = NULL;
|
---|
| 878 |
|
---|
| 879 | /*
|
---|
| 880 | * Enumerate the imports.
|
---|
| 881 | */
|
---|
| 882 | for (i = 0; i < cImports; i++)
|
---|
| 883 | {
|
---|
| 884 | union
|
---|
| 885 | {
|
---|
| 886 | char szName[256];
|
---|
| 887 | uint32_t iImport;
|
---|
| 888 | } uBuf;
|
---|
| 889 | uBuf.iImport = i;
|
---|
| 890 | rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_MODULE, NULL /*pvBits*/, &uBuf, sizeof(uBuf), NULL);
|
---|
| 891 | if (RT_SUCCESS(rc))
|
---|
| 892 | {
|
---|
| 893 | /*
|
---|
| 894 | * Skip kernel32, ntdll and API set stuff.
|
---|
| 895 | */
|
---|
| 896 | RTStrToLower(uBuf.szName);
|
---|
| 897 | if ( RTStrCmp(uBuf.szName, "kernel32.dll") == 0
|
---|
| 898 | || RTStrCmp(uBuf.szName, "kernelbase.dll") == 0
|
---|
| 899 | || RTStrCmp(uBuf.szName, "ntdll.dll") == 0
|
---|
[57161] | 900 | || RTStrNCmp(uBuf.szName, RT_STR_TUPLE("api-ms-win-")) == 0
|
---|
| 901 | || RTStrNCmp(uBuf.szName, RT_STR_TUPLE("ext-ms-win-")) == 0
|
---|
| 902 | )
|
---|
[52403] | 903 | {
|
---|
| 904 | continue;
|
---|
| 905 | }
|
---|
| 906 |
|
---|
| 907 | /*
|
---|
| 908 | * Skip to the next one if it's already in the cache.
|
---|
| 909 | */
|
---|
| 910 | if (supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,
|
---|
| 911 | g_System32NtPath.UniStr.Length / sizeof(WCHAR),
|
---|
| 912 | uBuf.szName) != NULL)
|
---|
| 913 | {
|
---|
| 914 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for system32\n", uBuf.szName));
|
---|
| 915 | continue;
|
---|
| 916 | }
|
---|
[56733] | 917 | if (supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedAppBinNtPath.UniStr.Buffer,
|
---|
| 918 | g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(CHAR),
|
---|
[52403] | 919 | uBuf.szName) != NULL)
|
---|
| 920 | {
|
---|
| 921 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for appdir\n", uBuf.szName));
|
---|
| 922 | continue;
|
---|
| 923 | }
|
---|
| 924 | if (pawcDir && supR3HardenedWinVerifyCacheLookupImport(pawcDir, cwcDir, uBuf.szName) != NULL)
|
---|
| 925 | {
|
---|
| 926 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for dll dir\n", uBuf.szName));
|
---|
| 927 | continue;
|
---|
| 928 | }
|
---|
| 929 |
|
---|
| 930 | /* We could skip already scheduled modules, but that'll require serialization and extra work... */
|
---|
| 931 |
|
---|
| 932 | /*
|
---|
| 933 | * Add it to the todo list.
|
---|
| 934 | */
|
---|
| 935 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: Import todo: #%u '%s'.\n", i, uBuf.szName));
|
---|
| 936 | uint32_t cbName = (uint32_t)strlen(uBuf.szName) + 1;
|
---|
| 937 | uint32_t cbNameAligned = RT_ALIGN_32(cbName, sizeof(RTUTF16));
|
---|
[73097] | 938 | uint32_t cbNeeded = RT_UOFFSETOF_DYN(VERIFIERCACHEIMPORT, szName[cbNameAligned])
|
---|
[52403] | 939 | + (pawcDir ? (cwcDir + 1) * sizeof(RTUTF16) : 0);
|
---|
[52940] | 940 | PVERIFIERCACHEIMPORT pImport = (PVERIFIERCACHEIMPORT)RTMemAllocZ(cbNeeded);
|
---|
[52403] | 941 | if (pImport)
|
---|
| 942 | {
|
---|
| 943 | /* Init it. */
|
---|
| 944 | memcpy(pImport->szName, uBuf.szName, cbName);
|
---|
| 945 | if (!pawcDir)
|
---|
| 946 | {
|
---|
| 947 | pImport->cwcAltSearchDir = 0;
|
---|
| 948 | pImport->pwszAltSearchDir = NULL;
|
---|
| 949 | }
|
---|
| 950 | else
|
---|
| 951 | {
|
---|
| 952 | pImport->cwcAltSearchDir = cwcDir;
|
---|
| 953 | pImport->pwszAltSearchDir = (PRTUTF16)&pImport->szName[cbNameAligned];
|
---|
| 954 | memcpy(pImport->pwszAltSearchDir, pawcDir, cwcDir * sizeof(RTUTF16));
|
---|
| 955 | pImport->pwszAltSearchDir[cwcDir] = '\0';
|
---|
| 956 | }
|
---|
| 957 |
|
---|
| 958 | /* Insert it. */
|
---|
| 959 | do
|
---|
| 960 | pImport->pNext = g_pVerifierCacheTodoImports;
|
---|
| 961 | while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoImports, pImport, pImport->pNext));
|
---|
| 962 | }
|
---|
| 963 | }
|
---|
| 964 | else
|
---|
| 965 | SUP_DPRINTF(("RTLDRPROP_IMPORT_MODULE failed with rc=%Rrc i=%#x on '%ls'\n", rc, i, pwszName));
|
---|
| 966 | }
|
---|
| 967 | }
|
---|
| 968 | else
|
---|
| 969 | SUP_DPRINTF(("'%ls' has no imports\n", pwszName));
|
---|
| 970 | }
|
---|
| 971 | else
|
---|
| 972 | SUP_DPRINTF(("RTLDRPROP_IMPORT_COUNT failed with rc=%Rrc on '%ls'\n", rc, pwszName));
|
---|
| 973 | }
|
---|
| 974 |
|
---|
| 975 |
|
---|
| 976 | /**
|
---|
| 977 | * Processes the list of import todos.
|
---|
| 978 | */
|
---|
| 979 | static void supR3HardenedWinVerifyCacheProcessImportTodos(void)
|
---|
| 980 | {
|
---|
| 981 | /*
|
---|
| 982 | * Work until we've got nothing more todo.
|
---|
| 983 | */
|
---|
| 984 | for (;;)
|
---|
| 985 | {
|
---|
| 986 | PVERIFIERCACHEIMPORT pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoImports, NULL, PVERIFIERCACHEIMPORT);
|
---|
| 987 | if (!pTodo)
|
---|
| 988 | break;
|
---|
| 989 | do
|
---|
| 990 | {
|
---|
| 991 | PVERIFIERCACHEIMPORT pCur = pTodo;
|
---|
| 992 | pTodo = pTodo->pNext;
|
---|
| 993 |
|
---|
| 994 | /*
|
---|
| 995 | * Not in the cached already?
|
---|
| 996 | */
|
---|
| 997 | if ( !supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,
|
---|
| 998 | g_System32NtPath.UniStr.Length / sizeof(WCHAR),
|
---|
| 999 | pCur->szName)
|
---|
[56733] | 1000 | && !supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedAppBinNtPath.UniStr.Buffer,
|
---|
| 1001 | g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(WCHAR),
|
---|
[52403] | 1002 | pCur->szName)
|
---|
| 1003 | && ( pCur->cwcAltSearchDir == 0
|
---|
| 1004 | || !supR3HardenedWinVerifyCacheLookupImport(pCur->pwszAltSearchDir, pCur->cwcAltSearchDir, pCur->szName)) )
|
---|
| 1005 | {
|
---|
| 1006 | /*
|
---|
| 1007 | * Try locate the imported DLL and open it.
|
---|
| 1008 | */
|
---|
| 1009 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Processing '%s'...\n", pCur->szName));
|
---|
| 1010 |
|
---|
| 1011 | NTSTATUS rcNt;
|
---|
[52741] | 1012 | NTSTATUS rcNtRedir = 0x22222222;
|
---|
[52403] | 1013 | HANDLE hFile = INVALID_HANDLE_VALUE;
|
---|
| 1014 | RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. */
|
---|
| 1015 | AssertCompile(sizeof(wszPath) > sizeof(g_System32NtPath));
|
---|
[52627] | 1016 |
|
---|
| 1017 | /*
|
---|
| 1018 | * Check for DLL isolation / redirection / mapping.
|
---|
| 1019 | */
|
---|
| 1020 | size_t cwcName = 260;
|
---|
| 1021 | PRTUTF16 pwszName = &wszPath[0];
|
---|
| 1022 | int rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);
|
---|
| 1023 | if (RT_SUCCESS(rc))
|
---|
[52403] | 1024 | {
|
---|
[52627] | 1025 | UNICODE_STRING UniStrName;
|
---|
| 1026 | UniStrName.Buffer = wszPath;
|
---|
| 1027 | UniStrName.Length = (USHORT)cwcName * sizeof(WCHAR);
|
---|
| 1028 | UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
|
---|
[52403] | 1029 |
|
---|
[52627] | 1030 | UNICODE_STRING UniStrStatic;
|
---|
| 1031 | UniStrStatic.Buffer = &wszPath[cwcName + 1];
|
---|
| 1032 | UniStrStatic.Length = 0;
|
---|
[52632] | 1033 | UniStrStatic.MaximumLength = (USHORT)(sizeof(wszPath) - cwcName * sizeof(WCHAR) - sizeof(WCHAR));
|
---|
[52627] | 1034 |
|
---|
| 1035 | static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");
|
---|
| 1036 | UNICODE_STRING UniStrDynamic = { 0, 0, NULL };
|
---|
| 1037 | PUNICODE_STRING pUniStrResult = NULL;
|
---|
| 1038 |
|
---|
[52741] | 1039 | rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,
|
---|
| 1040 | &UniStrName,
|
---|
| 1041 | (PUNICODE_STRING)&s_DefaultSuffix,
|
---|
| 1042 | &UniStrStatic,
|
---|
| 1043 | &UniStrDynamic,
|
---|
| 1044 | &pUniStrResult,
|
---|
| 1045 | NULL /*pNewFlags*/,
|
---|
| 1046 | NULL /*pcbFilename*/,
|
---|
| 1047 | NULL /*pcbNeeded*/);
|
---|
| 1048 | if (NT_SUCCESS(rcNtRedir))
|
---|
[52627] | 1049 | {
|
---|
[52741] | 1050 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
[52627] | 1051 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 1052 | InitializeObjectAttributes(&ObjAttr, pUniStrResult,
|
---|
| 1053 | OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 1054 | rcNt = NtCreateFile(&hFile,
|
---|
| 1055 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 1056 | &ObjAttr,
|
---|
| 1057 | &Ios,
|
---|
| 1058 | NULL /* Allocation Size*/,
|
---|
| 1059 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 1060 | FILE_SHARE_READ,
|
---|
| 1061 | FILE_OPEN,
|
---|
| 1062 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
| 1063 | NULL /*EaBuffer*/,
|
---|
| 1064 | 0 /*EaLength*/);
|
---|
| 1065 | if (NT_SUCCESS(rcNt))
|
---|
| 1066 | rcNt = Ios.Status;
|
---|
[52741] | 1067 | if (NT_SUCCESS(rcNt))
|
---|
| 1068 | {
|
---|
| 1069 | /* For accurate logging. */
|
---|
| 1070 | size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1);
|
---|
| 1071 | memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16));
|
---|
| 1072 | wszPath[cwcCopy] = '\0';
|
---|
| 1073 | }
|
---|
| 1074 | else
|
---|
[52627] | 1075 | hFile = INVALID_HANDLE_VALUE;
|
---|
| 1076 | RtlFreeUnicodeString(&UniStrDynamic);
|
---|
| 1077 | }
|
---|
[52403] | 1078 | }
|
---|
[52627] | 1079 | else
|
---|
| 1080 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #1 failed: %Rrc\n", rc));
|
---|
[52403] | 1081 |
|
---|
[52627] | 1082 | /*
|
---|
| 1083 | * If not something that gets remapped, do the half normal searching we need.
|
---|
| 1084 | */
|
---|
| 1085 | if (hFile == INVALID_HANDLE_VALUE)
|
---|
[52403] | 1086 | {
|
---|
[52627] | 1087 | struct
|
---|
[52403] | 1088 | {
|
---|
[52627] | 1089 | PRTUTF16 pawcDir;
|
---|
| 1090 | uint32_t cwcDir;
|
---|
| 1091 | } Tmp, aDirs[] =
|
---|
| 1092 | {
|
---|
| 1093 | { g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR) },
|
---|
[56733] | 1094 | { g_SupLibHardenedExeNtPath.UniStr.Buffer, g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(WCHAR) },
|
---|
[52627] | 1095 | { pCur->pwszAltSearchDir, pCur->cwcAltSearchDir },
|
---|
| 1096 | };
|
---|
| 1097 |
|
---|
| 1098 | /* Search System32 first, unless it's a 'V*' or 'm*' name, the latter for msvcrt. */
|
---|
| 1099 | if ( pCur->szName[0] == 'v'
|
---|
| 1100 | || pCur->szName[0] == 'V'
|
---|
| 1101 | || pCur->szName[0] == 'm'
|
---|
| 1102 | || pCur->szName[0] == 'M')
|
---|
| 1103 | {
|
---|
| 1104 | Tmp = aDirs[0];
|
---|
| 1105 | aDirs[0] = aDirs[1];
|
---|
| 1106 | aDirs[1] = Tmp;
|
---|
| 1107 | }
|
---|
| 1108 |
|
---|
| 1109 | for (uint32_t i = 0; i < RT_ELEMENTS(aDirs); i++)
|
---|
| 1110 | {
|
---|
| 1111 | if (aDirs[i].pawcDir && aDirs[i].cwcDir && aDirs[i].cwcDir < RT_ELEMENTS(wszPath) / 3 * 2)
|
---|
[52403] | 1112 | {
|
---|
[52627] | 1113 | memcpy(wszPath, aDirs[i].pawcDir, aDirs[i].cwcDir * sizeof(RTUTF16));
|
---|
| 1114 | uint32_t cwc = aDirs[i].cwcDir;
|
---|
| 1115 | wszPath[cwc++] = '\\';
|
---|
| 1116 | cwcName = RT_ELEMENTS(wszPath) - cwc;
|
---|
| 1117 | pwszName = &wszPath[cwc];
|
---|
| 1118 | rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);
|
---|
| 1119 | if (RT_SUCCESS(rc))
|
---|
| 1120 | {
|
---|
| 1121 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 1122 | UNICODE_STRING NtName;
|
---|
| 1123 | NtName.Buffer = wszPath;
|
---|
| 1124 | NtName.Length = (USHORT)((cwc + cwcName) * sizeof(WCHAR));
|
---|
| 1125 | NtName.MaximumLength = NtName.Length + sizeof(WCHAR);
|
---|
| 1126 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 1127 | InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
[52403] | 1128 |
|
---|
[52627] | 1129 | rcNt = NtCreateFile(&hFile,
|
---|
| 1130 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 1131 | &ObjAttr,
|
---|
| 1132 | &Ios,
|
---|
| 1133 | NULL /* Allocation Size*/,
|
---|
| 1134 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 1135 | FILE_SHARE_READ,
|
---|
| 1136 | FILE_OPEN,
|
---|
| 1137 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
| 1138 | NULL /*EaBuffer*/,
|
---|
| 1139 | 0 /*EaLength*/);
|
---|
| 1140 | if (NT_SUCCESS(rcNt))
|
---|
| 1141 | rcNt = Ios.Status;
|
---|
| 1142 | if (NT_SUCCESS(rcNt))
|
---|
| 1143 | break;
|
---|
| 1144 | hFile = INVALID_HANDLE_VALUE;
|
---|
| 1145 | }
|
---|
| 1146 | else
|
---|
| 1147 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #2 failed: %Rrc\n", rc));
|
---|
[52403] | 1148 | }
|
---|
| 1149 | }
|
---|
| 1150 | }
|
---|
| 1151 |
|
---|
| 1152 | /*
|
---|
| 1153 | * If we successfully opened it, verify it and cache the result.
|
---|
| 1154 | */
|
---|
| 1155 | if (hFile != INVALID_HANDLE_VALUE)
|
---|
| 1156 | {
|
---|
[52741] | 1157 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n",
|
---|
| 1158 | pCur->szName, wszPath, rcNtRedir));
|
---|
[52403] | 1159 |
|
---|
| 1160 | ULONG fAccess = 0;
|
---|
| 1161 | ULONG fProtect = 0;
|
---|
| 1162 | bool fCallRealApi = false;
|
---|
[53220] | 1163 | rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, false /*fIgnoreArch*/, &fAccess, &fProtect,
|
---|
| 1164 | &fCallRealApi, "Imports", false /*fAvoidWinVerifyTrust*/, NULL /*pfQuiet*/);
|
---|
[52403] | 1165 | NtClose(hFile);
|
---|
| 1166 | }
|
---|
| 1167 | else
|
---|
| 1168 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Failed to locate '%s'\n", pCur->szName));
|
---|
| 1169 | }
|
---|
| 1170 | else
|
---|
| 1171 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' is in the cache.\n", pCur->szName));
|
---|
| 1172 |
|
---|
[52940] | 1173 | RTMemFree(pCur);
|
---|
[52403] | 1174 | } while (pTodo);
|
---|
| 1175 | }
|
---|
| 1176 | }
|
---|
| 1177 |
|
---|
| 1178 |
|
---|
| 1179 | /**
|
---|
[52431] | 1180 | * Processes the list of WinVerifyTrust todos.
|
---|
| 1181 | */
|
---|
| 1182 | static void supR3HardenedWinVerifyCacheProcessWvtTodos(void)
|
---|
| 1183 | {
|
---|
[82006] | 1184 | PVERIFIERCACHEENTRY pReschedule = NULL;
|
---|
| 1185 | PVERIFIERCACHEENTRY volatile *ppReschedLastNext = &pReschedule;
|
---|
[52431] | 1186 |
|
---|
| 1187 | /*
|
---|
| 1188 | * Work until we've got nothing more todo.
|
---|
| 1189 | */
|
---|
| 1190 | for (;;)
|
---|
| 1191 | {
|
---|
| 1192 | if (!supHardenedWinIsWinVerifyTrustCallable())
|
---|
| 1193 | break;
|
---|
| 1194 | PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);
|
---|
| 1195 | if (!pTodo)
|
---|
| 1196 | break;
|
---|
| 1197 | do
|
---|
| 1198 | {
|
---|
| 1199 | PVERIFIERCACHEENTRY pCur = pTodo;
|
---|
| 1200 | pTodo = pTodo->pNextTodoWvt;
|
---|
| 1201 | pCur->pNextTodoWvt = NULL;
|
---|
| 1202 |
|
---|
| 1203 | if ( !pCur->fWinVerifyTrust
|
---|
| 1204 | && RT_SUCCESS(pCur->rc))
|
---|
| 1205 | {
|
---|
| 1206 | bool fWinVerifyTrust = false;
|
---|
| 1207 | int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,
|
---|
| 1208 | &fWinVerifyTrust, NULL /* pErrInfo*/);
|
---|
| 1209 | if (RT_FAILURE(rc) || fWinVerifyTrust)
|
---|
| 1210 | {
|
---|
| 1211 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
|
---|
| 1212 | rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
|
---|
| 1213 | pCur->fWinVerifyTrust = true;
|
---|
| 1214 | pCur->rc = rc;
|
---|
| 1215 | }
|
---|
| 1216 | else
|
---|
| 1217 | {
|
---|
| 1218 | /* Retry it at a later time. */
|
---|
| 1219 | SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",
|
---|
| 1220 | rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
|
---|
[82006] | 1221 | *ppReschedLastNext = pCur;
|
---|
| 1222 | ppReschedLastNext = &pCur->pNextTodoWvt;
|
---|
[52431] | 1223 | }
|
---|
| 1224 | }
|
---|
| 1225 | /* else: already processed. */
|
---|
| 1226 | } while (pTodo);
|
---|
| 1227 | }
|
---|
| 1228 |
|
---|
| 1229 | /*
|
---|
| 1230 | * Anything to reschedule.
|
---|
| 1231 | */
|
---|
| 1232 | if (pReschedule)
|
---|
| 1233 | {
|
---|
| 1234 | do
|
---|
| 1235 | *ppReschedLastNext = g_pVerifierCacheTodoWvt;
|
---|
| 1236 | while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));
|
---|
| 1237 | }
|
---|
| 1238 | }
|
---|
| 1239 |
|
---|
| 1240 |
|
---|
| 1241 | /**
|
---|
[58730] | 1242 | * Translates VBox status code (from supHardenedWinVerifyImageTrust) to an NT
|
---|
| 1243 | * status.
|
---|
| 1244 | *
|
---|
| 1245 | * @returns NT status.
|
---|
| 1246 | * @param rc VBox status code.
|
---|
| 1247 | */
|
---|
[85121] | 1248 | static NTSTATUS supR3HardenedScreenImageCalcStatus(int rc) RT_NOTHROW_DEF
|
---|
[58730] | 1249 | {
|
---|
| 1250 | /* This seems to be what LdrLoadDll returns when loading a 32-bit DLL into
|
---|
| 1251 | a 64-bit process. At least here on windows 10 (2015-11-xx).
|
---|
| 1252 |
|
---|
| 1253 | NtCreateSection probably returns something different, possibly a warning,
|
---|
| 1254 | we currently don't distinguish between the too, so we stick with the
|
---|
| 1255 | LdrLoadDll one as it's definitely an error.*/
|
---|
| 1256 | if (rc == VERR_LDR_ARCH_MISMATCH)
|
---|
| 1257 | return STATUS_INVALID_IMAGE_FORMAT;
|
---|
| 1258 |
|
---|
| 1259 | return STATUS_TRUST_FAILURE;
|
---|
| 1260 | }
|
---|
| 1261 |
|
---|
| 1262 |
|
---|
| 1263 | /**
|
---|
[53220] | 1264 | * Screens an image file or file mapped with execute access.
|
---|
| 1265 | *
|
---|
| 1266 | * @returns NT status code.
|
---|
| 1267 | * @param hFile The file handle.
|
---|
| 1268 | * @param fImage Set if image file mapping being made
|
---|
| 1269 | * (NtCreateSection thing).
|
---|
| 1270 | * @param fIgnoreArch Using the DONT_RESOLVE_DLL_REFERENCES flag,
|
---|
| 1271 | * which also implies that DLL init / term code
|
---|
| 1272 | * isn't called, so the architecture should be
|
---|
| 1273 | * ignored.
|
---|
| 1274 | * @param pfAccess Pointer to the NtCreateSection access flags,
|
---|
| 1275 | * so we can modify them if necessary.
|
---|
| 1276 | * @param pfProtect Pointer to the NtCreateSection protection
|
---|
| 1277 | * flags, so we can modify them if necessary.
|
---|
| 1278 | * @param pfCallRealApi Whether it's ok to go on to the real API.
|
---|
| 1279 | * @param pszCaller Who is calling (for debugging / logging).
|
---|
| 1280 | * @param fAvoidWinVerifyTrust Whether we should avoid WinVerifyTrust.
|
---|
| 1281 | * @param pfQuiet Where to return whether to be quiet about
|
---|
| 1282 | * this image in the log (i.e. we've seen it
|
---|
| 1283 | * lots of times already). Optional.
|
---|
| 1284 | */
|
---|
[85121] | 1285 | static NTSTATUS
|
---|
| 1286 | supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,
|
---|
| 1287 | bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust, bool *pfQuiet) RT_NOTHROW_DEF
|
---|
[51770] | 1288 | {
|
---|
[52375] | 1289 | *pfCallRealApi = false;
|
---|
[53045] | 1290 | if (pfQuiet)
|
---|
| 1291 | *pfQuiet = false;
|
---|
[52375] | 1292 |
|
---|
| 1293 | /*
|
---|
| 1294 | * Query the name of the file, making sure to zero terminator the
|
---|
| 1295 | * string. (2nd half of buffer is used for error info, see below.)
|
---|
| 1296 | */
|
---|
| 1297 | union
|
---|
[51770] | 1298 | {
|
---|
[52375] | 1299 | UNICODE_STRING UniStr;
|
---|
| 1300 | uint8_t abBuffer[sizeof(UNICODE_STRING) + 2048 * sizeof(WCHAR)];
|
---|
| 1301 | } uBuf;
|
---|
| 1302 | RT_ZERO(uBuf);
|
---|
| 1303 | ULONG cbNameBuf;
|
---|
| 1304 | NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR) - 128, &cbNameBuf);
|
---|
| 1305 | if (!NT_SUCCESS(rcNt))
|
---|
| 1306 | {
|
---|
[52403] | 1307 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
| 1308 | "supR3HardenedScreenImage/%s: NtQueryObject -> %#x (fImage=%d fProtect=%#x fAccess=%#x)\n",
|
---|
| 1309 | pszCaller, fImage, *pfProtect, *pfAccess);
|
---|
[52375] | 1310 | return rcNt;
|
---|
| 1311 | }
|
---|
| 1312 |
|
---|
[60480] | 1313 | if (!RTNtPathFindPossible8dot3Name(uBuf.UniStr.Buffer))
|
---|
| 1314 | cbNameBuf += sizeof(WCHAR);
|
---|
| 1315 | else
|
---|
[52375] | 1316 | {
|
---|
| 1317 | uBuf.UniStr.MaximumLength = sizeof(uBuf) - 128;
|
---|
[60480] | 1318 | RTNtPathExpand8dot3Path(&uBuf.UniStr, true /*fPathOnly*/);
|
---|
| 1319 | cbNameBuf = (uintptr_t)uBuf.UniStr.Buffer + uBuf.UniStr.Length + sizeof(WCHAR) - (uintptr_t)&uBuf.abBuffer[0];
|
---|
[52375] | 1320 | }
|
---|
| 1321 |
|
---|
| 1322 | /*
|
---|
| 1323 | * Check the cache.
|
---|
| 1324 | */
|
---|
| 1325 | PVERIFIERCACHEENTRY pCacheHit = supR3HardenedWinVerifyCacheLookup(&uBuf.UniStr, hFile);
|
---|
[52431] | 1326 | if (pCacheHit)
|
---|
[52375] | 1327 | {
|
---|
[53045] | 1328 | /* Do hit accounting and figure whether we need to be quiet or not. */
|
---|
| 1329 | uint32_t cHits = ASMAtomicIncU32(&pCacheHit->cHits);
|
---|
| 1330 | bool const fQuiet = cHits >= 8 && !RT_IS_POWER_OF_TWO(cHits);
|
---|
| 1331 | if (pfQuiet)
|
---|
| 1332 | *pfQuiet = fQuiet;
|
---|
| 1333 |
|
---|
[52431] | 1334 | /* If we haven't done the WinVerifyTrust thing, do it if we can. */
|
---|
| 1335 | if ( !pCacheHit->fWinVerifyTrust
|
---|
| 1336 | && RT_SUCCESS(pCacheHit->rc)
|
---|
| 1337 | && supHardenedWinIsWinVerifyTrustCallable() )
|
---|
| 1338 | {
|
---|
| 1339 | if (!fAvoidWinVerifyTrust)
|
---|
| 1340 | {
|
---|
| 1341 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [redoing WinVerifyTrust]\n",
|
---|
| 1342 | pszCaller, pCacheHit->rc, pCacheHit->wszPath));
|
---|
| 1343 |
|
---|
| 1344 | bool fWinVerifyTrust = false;
|
---|
| 1345 | int rc = supHardenedWinVerifyImageTrust(pCacheHit->hFile, pCacheHit->wszPath, pCacheHit->fFlags, pCacheHit->rc,
|
---|
| 1346 | &fWinVerifyTrust, NULL /* pErrInfo*/);
|
---|
| 1347 | if (RT_FAILURE(rc) || fWinVerifyTrust)
|
---|
| 1348 | {
|
---|
| 1349 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
|
---|
| 1350 | pszCaller, rc, pCacheHit->rc, fWinVerifyTrust, pCacheHit->wszPath));
|
---|
| 1351 | pCacheHit->fWinVerifyTrust = true;
|
---|
| 1352 | pCacheHit->rc = rc;
|
---|
| 1353 | }
|
---|
| 1354 | else
|
---|
| 1355 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: WinVerifyTrust not available, rescheduling %ls\n",
|
---|
| 1356 | pszCaller, pCacheHit->wszPath));
|
---|
| 1357 | }
|
---|
| 1358 | else
|
---|
| 1359 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [avoiding WinVerifyTrust]\n",
|
---|
| 1360 | pszCaller, pCacheHit->rc, pCacheHit->wszPath));
|
---|
| 1361 | }
|
---|
[53045] | 1362 | else if (!fQuiet || !pCacheHit->fWinVerifyTrust)
|
---|
[52431] | 1363 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls%s\n",
|
---|
| 1364 | pszCaller, pCacheHit->rc, pCacheHit->wszPath, pCacheHit->fWinVerifyTrust ? "" : " [lacks WinVerifyTrust]"));
|
---|
| 1365 |
|
---|
| 1366 | /* Return the cached value. */
|
---|
[52375] | 1367 | if (RT_SUCCESS(pCacheHit->rc))
|
---|
[51770] | 1368 | {
|
---|
[52375] | 1369 | *pfCallRealApi = true;
|
---|
| 1370 | return STATUS_SUCCESS;
|
---|
| 1371 | }
|
---|
[52528] | 1372 |
|
---|
[53045] | 1373 | if (!fQuiet)
|
---|
[52528] | 1374 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[53045] | 1375 | "supR3HardenedScreenImage/%s: cached rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x cHits=%u %ls\n",
|
---|
| 1376 | pszCaller, pCacheHit->rc, fImage, *pfProtect, *pfAccess, cHits, uBuf.UniStr.Buffer);
|
---|
[58730] | 1377 | return supR3HardenedScreenImageCalcStatus(pCacheHit->rc);
|
---|
[52375] | 1378 | }
|
---|
| 1379 |
|
---|
| 1380 | /*
|
---|
| 1381 | * On XP the loader might hand us handles with just FILE_EXECUTE and
|
---|
| 1382 | * SYNCHRONIZE, the means reading will fail later on. Also, we need
|
---|
| 1383 | * READ_CONTROL access to check the file ownership later on, and non
|
---|
| 1384 | * of the OS versions seems be giving us that. So, in effect we
|
---|
| 1385 | * more or less always reopen the file here.
|
---|
| 1386 | */
|
---|
| 1387 | HANDLE hMyFile = NULL;
|
---|
| 1388 | rcNt = NtDuplicateObject(NtCurrentProcess(), hFile, NtCurrentProcess(),
|
---|
| 1389 | &hMyFile,
|
---|
| 1390 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 1391 | 0 /* Handle attributes*/, 0 /* Options */);
|
---|
| 1392 | if (!NT_SUCCESS(rcNt))
|
---|
| 1393 | {
|
---|
| 1394 | if (rcNt == STATUS_ACCESS_DENIED)
|
---|
| 1395 | {
|
---|
| 1396 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 1397 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 1398 | InitializeObjectAttributes(&ObjAttr, &uBuf.UniStr, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 1399 |
|
---|
| 1400 | rcNt = NtCreateFile(&hMyFile,
|
---|
| 1401 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 1402 | &ObjAttr,
|
---|
| 1403 | &Ios,
|
---|
| 1404 | NULL /* Allocation Size*/,
|
---|
| 1405 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 1406 | FILE_SHARE_READ,
|
---|
| 1407 | FILE_OPEN,
|
---|
| 1408 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
| 1409 | NULL /*EaBuffer*/,
|
---|
| 1410 | 0 /*EaLength*/);
|
---|
| 1411 | if (NT_SUCCESS(rcNt))
|
---|
| 1412 | rcNt = Ios.Status;
|
---|
[51770] | 1413 | if (!NT_SUCCESS(rcNt))
|
---|
| 1414 | {
|
---|
| 1415 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[52403] | 1416 | "supR3HardenedScreenImage/%s: Failed to duplicate and open the file: rcNt=%#x hFile=%p %ls\n",
|
---|
| 1417 | pszCaller, rcNt, hFile, uBuf.UniStr.Buffer);
|
---|
[51770] | 1418 | return rcNt;
|
---|
| 1419 | }
|
---|
| 1420 |
|
---|
[52375] | 1421 | /* Check that we've got the same file. */
|
---|
| 1422 | LARGE_INTEGER idMyFile, idInFile;
|
---|
| 1423 | bool fMyValid = supR3HardenedWinVerifyCacheGetIndexNumber(hMyFile, &idMyFile);
|
---|
| 1424 | bool fInValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &idInFile);
|
---|
| 1425 | if ( fMyValid
|
---|
| 1426 | && ( fMyValid != fInValid
|
---|
| 1427 | || idMyFile.QuadPart != idInFile.QuadPart))
|
---|
[52039] | 1428 | {
|
---|
[51770] | 1429 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[52403] | 1430 | "supR3HardenedScreenImage/%s: Re-opened has different ID that input: %#llx vx %#llx (%ls)\n",
|
---|
| 1431 | pszCaller, rcNt, idMyFile.QuadPart, idInFile.QuadPart, uBuf.UniStr.Buffer);
|
---|
[52375] | 1432 | NtClose(hMyFile);
|
---|
[51770] | 1433 | return STATUS_TRUST_FAILURE;
|
---|
| 1434 | }
|
---|
[52375] | 1435 | }
|
---|
| 1436 | else
|
---|
| 1437 | {
|
---|
[52403] | 1438 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: NtDuplicateObject -> %#x\n", pszCaller, rcNt));
|
---|
[51770] | 1439 | #ifdef DEBUG
|
---|
| 1440 |
|
---|
[52403] | 1441 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
| 1442 | "supR3HardenedScreenImage/%s: NtDuplicateObject(,%#x,) failed: %#x\n", pszCaller, hFile, rcNt);
|
---|
[51770] | 1443 | #endif
|
---|
[52375] | 1444 | hMyFile = hFile;
|
---|
| 1445 | }
|
---|
| 1446 | }
|
---|
[51770] | 1447 |
|
---|
[52375] | 1448 | /*
|
---|
| 1449 | * Special Kludge for Windows XP and W2K3 and their stupid attempts
|
---|
| 1450 | * at mapping a hidden XML file called c:\Windows\WindowsShell.Manifest
|
---|
| 1451 | * with executable access. The image bit isn't set, fortunately.
|
---|
| 1452 | */
|
---|
| 1453 | if ( !fImage
|
---|
| 1454 | && uBuf.UniStr.Length > g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)
|
---|
| 1455 | && memcmp(uBuf.UniStr.Buffer, g_System32NtPath.UniStr.Buffer,
|
---|
| 1456 | g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)) == 0)
|
---|
| 1457 | {
|
---|
| 1458 | PRTUTF16 pwszName = &uBuf.UniStr.Buffer[(g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)) / sizeof(WCHAR)];
|
---|
| 1459 | if (RTUtf16ICmpAscii(pwszName, "WindowsShell.Manifest") == 0)
|
---|
| 1460 | {
|
---|
[51770] | 1461 | /*
|
---|
[52375] | 1462 | * Drop all executable access to the mapping and let it continue.
|
---|
[51770] | 1463 | */
|
---|
[52403] | 1464 | SUP_DPRINTF(("supR3HardenedScreenImage/%s: Applying the drop-exec-kludge for '%ls'\n", pszCaller, uBuf.UniStr.Buffer));
|
---|
[52375] | 1465 | if (*pfAccess & SECTION_MAP_EXECUTE)
|
---|
| 1466 | *pfAccess = (*pfAccess & ~SECTION_MAP_EXECUTE) | SECTION_MAP_READ;
|
---|
| 1467 | if (*pfProtect & PAGE_EXECUTE)
|
---|
| 1468 | *pfProtect = (*pfProtect & ~PAGE_EXECUTE) | PAGE_READONLY;
|
---|
| 1469 | *pfProtect = (*pfProtect & ~UINT32_C(0xf0)) | ((*pfProtect & UINT32_C(0xe0)) >> 4);
|
---|
| 1470 | if (hMyFile != hFile)
|
---|
| 1471 | NtClose(hMyFile);
|
---|
| 1472 | *pfCallRealApi = true;
|
---|
| 1473 | return STATUS_SUCCESS;
|
---|
| 1474 | }
|
---|
| 1475 | }
|
---|
[51770] | 1476 |
|
---|
[52404] | 1477 | #ifndef VBOX_PERMIT_EVEN_MORE
|
---|
[52375] | 1478 | /*
|
---|
| 1479 | * Check the path. We don't allow DLLs to be loaded from just anywhere:
|
---|
[104384] | 1480 | * 1. System32 - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
| 1481 | * 2. WinSxS - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
| 1482 | * 3. VirtualBox - build with:
|
---|
| 1483 | * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
| 1484 | * - kernel code signing cert: kernel code signing and integrity checks.
|
---|
| 1485 | * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
| 1486 | * 5. Program Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
| 1487 | * 6. Common Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
[52375] | 1488 | * 7. x86 variations of 4 & 5 - ditto.
|
---|
[104384] | 1489 | *
|
---|
| 1490 | * Note! VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT means the /IntegrityCheck does
|
---|
| 1491 | * work as it doesn't seems like MS has come up with a generally accessible
|
---|
| 1492 | * alternative to the expired kernel code signing scheme for using this
|
---|
| 1493 | * securty enhancement.
|
---|
[52375] | 1494 | */
|
---|
| 1495 | uint32_t fFlags = 0;
|
---|
| 1496 | if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_System32NtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1497 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52375] | 1498 | else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1499 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[56733] | 1500 | else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1501 | # ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
|
---|
| 1502 | /** @todo r=bird: See SUPHNTVI_F_REQUIRE_BUILD_CERT comment below (in the
|
---|
| 1503 | * code that's actually used). */
|
---|
| 1504 | fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
| 1505 | # else
|
---|
[52375] | 1506 | fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
|
---|
[104381] | 1507 | # endif
|
---|
[52404] | 1508 | # ifdef VBOX_PERMIT_MORE
|
---|
[52375] | 1509 | else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
|
---|
[104384] | 1510 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52375] | 1511 | else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1512 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52375] | 1513 | else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1514 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52404] | 1515 | # ifdef RT_ARCH_AMD64
|
---|
[52375] | 1516 | else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1517 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52375] | 1518 | else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1519 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52404] | 1520 | # endif
|
---|
[52365] | 1521 | # endif
|
---|
[52404] | 1522 | # ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
|
---|
[52375] | 1523 | /* Hack to allow profiling our code with Visual Studio. */
|
---|
| 1524 | else if ( uBuf.UniStr.Length > sizeof(L"\\SamplingRuntime.dll")
|
---|
| 1525 | && memcmp(uBuf.UniStr.Buffer + (uBuf.UniStr.Length - sizeof(L"\\SamplingRuntime.dll") + sizeof(WCHAR)) / sizeof(WCHAR),
|
---|
| 1526 | L"\\SamplingRuntime.dll", sizeof(L"\\SamplingRuntime.dll") - sizeof(WCHAR)) == 0 )
|
---|
| 1527 | {
|
---|
| 1528 | if (hMyFile != hFile)
|
---|
| 1529 | NtClose(hMyFile);
|
---|
| 1530 | *pfCallRealApi = true;
|
---|
| 1531 | return STATUS_SUCCESS;
|
---|
| 1532 | }
|
---|
[52404] | 1533 | # endif
|
---|
[52375] | 1534 | else
|
---|
| 1535 | {
|
---|
| 1536 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[52484] | 1537 | "supR3HardenedScreenImage/%s: Not a trusted location: '%ls' (fImage=%d fProtect=%#x fAccess=%#x)\n",
|
---|
[52403] | 1538 | pszCaller, uBuf.UniStr.Buffer, fImage, *pfAccess, *pfProtect);
|
---|
[52375] | 1539 | if (hMyFile != hFile)
|
---|
| 1540 | NtClose(hMyFile);
|
---|
| 1541 | return STATUS_TRUST_FAILURE;
|
---|
| 1542 | }
|
---|
[51770] | 1543 |
|
---|
[52404] | 1544 | #else /* VBOX_PERMIT_EVEN_MORE */
|
---|
[52375] | 1545 | /*
|
---|
[52404] | 1546 | * Require trusted installer + some kind of signature on everything, except
|
---|
[104384] | 1547 | * for the VBox bits where we have extra requirements depending on the signing
|
---|
| 1548 | * certificate used:
|
---|
| 1549 | * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem.
|
---|
| 1550 | * - kernel code signing cert: kernel code signing and integrity checks.
|
---|
[52404] | 1551 | */
|
---|
| 1552 | uint32_t fFlags = 0;
|
---|
[56733] | 1553 | if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/))
|
---|
[104384] | 1554 | # ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
|
---|
| 1555 | /** @todo r=bird: Since extension packs are installed under
|
---|
| 1556 | * g_SupLibHardenedAppBinNtPath and I'm pretty sure that everything loaded into
|
---|
| 1557 | * a VBox VM process goes thru this validation step at DLL load time, this means
|
---|
| 1558 | * only we can now sign extension packs.
|
---|
| 1559 | *
|
---|
| 1560 | * I suspect we have to relax the signing restrictions on the ExtensionPacks
|
---|
| 1561 | * subdirectory to keep 3rd party extensions working. */
|
---|
| 1562 | fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
| 1563 | # else
|
---|
[52404] | 1564 | fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
|
---|
[104381] | 1565 | # endif
|
---|
[52404] | 1566 | else
|
---|
[104384] | 1567 | fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER;
|
---|
[52404] | 1568 | #endif /* VBOX_PERMIT_EVEN_MORE */
|
---|
| 1569 |
|
---|
| 1570 | /*
|
---|
[52375] | 1571 | * Do the verification. For better error message we borrow what's
|
---|
| 1572 | * left of the path buffer for an RTERRINFO buffer.
|
---|
| 1573 | */
|
---|
[53220] | 1574 | if (fIgnoreArch)
|
---|
| 1575 | fFlags |= SUPHNTVI_F_IGNORE_ARCHITECTURE;
|
---|
[52375] | 1576 | RTERRINFO ErrInfo;
|
---|
| 1577 | RTErrInfoInit(&ErrInfo, (char *)&uBuf.abBuffer[cbNameBuf], sizeof(uBuf) - cbNameBuf);
|
---|
[51770] | 1578 |
|
---|
[52406] | 1579 | int rc;
|
---|
[52403] | 1580 | bool fWinVerifyTrust = false;
|
---|
[52634] | 1581 | rc = supHardenedWinVerifyImageByHandle(hMyFile, uBuf.UniStr.Buffer, fFlags, fAvoidWinVerifyTrust, &fWinVerifyTrust, &ErrInfo);
|
---|
[52375] | 1582 | if (RT_FAILURE(rc))
|
---|
| 1583 | {
|
---|
| 1584 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[52403] | 1585 | "supR3HardenedScreenImage/%s: rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x %ls: %s\n",
|
---|
| 1586 | pszCaller, rc, fImage, *pfAccess, *pfProtect, uBuf.UniStr.Buffer, ErrInfo.pszMsg);
|
---|
[52375] | 1587 | if (hMyFile != hFile)
|
---|
[52679] | 1588 | supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
|
---|
[58730] | 1589 | return supR3HardenedScreenImageCalcStatus(rc);
|
---|
[52375] | 1590 | }
|
---|
| 1591 |
|
---|
[52403] | 1592 | /*
|
---|
[52431] | 1593 | * Insert into the cache.
|
---|
[52403] | 1594 | */
|
---|
[52431] | 1595 | if (hMyFile != hFile)
|
---|
| 1596 | supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
|
---|
[52403] | 1597 |
|
---|
[52375] | 1598 | *pfCallRealApi = true;
|
---|
| 1599 | return STATUS_SUCCESS;
|
---|
| 1600 | }
|
---|
| 1601 |
|
---|
| 1602 |
|
---|
| 1603 | /**
|
---|
| 1604 | * Preloads a file into the verify cache if possible.
|
---|
| 1605 | *
|
---|
| 1606 | * This is used to avoid known cyclic LoadLibrary issues with WinVerifyTrust.
|
---|
| 1607 | *
|
---|
| 1608 | * @param pwszName The name of the DLL to verify.
|
---|
| 1609 | */
|
---|
| 1610 | DECLHIDDEN(void) supR3HardenedWinVerifyCachePreload(PCRTUTF16 pwszName)
|
---|
| 1611 | {
|
---|
| 1612 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 1613 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 1614 |
|
---|
| 1615 | UNICODE_STRING UniStr;
|
---|
| 1616 | UniStr.Buffer = (PWCHAR)pwszName;
|
---|
| 1617 | UniStr.Length = (USHORT)(RTUtf16Len(pwszName) * sizeof(WCHAR));
|
---|
| 1618 | UniStr.MaximumLength = UniStr.Length + sizeof(WCHAR);
|
---|
| 1619 |
|
---|
| 1620 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 1621 | InitializeObjectAttributes(&ObjAttr, &UniStr, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 1622 |
|
---|
| 1623 | NTSTATUS rcNt = NtCreateFile(&hFile,
|
---|
| 1624 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 1625 | &ObjAttr,
|
---|
| 1626 | &Ios,
|
---|
| 1627 | NULL /* Allocation Size*/,
|
---|
| 1628 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 1629 | FILE_SHARE_READ,
|
---|
| 1630 | FILE_OPEN,
|
---|
| 1631 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
| 1632 | NULL /*EaBuffer*/,
|
---|
| 1633 | 0 /*EaLength*/);
|
---|
| 1634 | if (NT_SUCCESS(rcNt))
|
---|
| 1635 | rcNt = Ios.Status;
|
---|
| 1636 | if (!NT_SUCCESS(rcNt))
|
---|
| 1637 | {
|
---|
[52403] | 1638 | SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: Error %#x opening '%ls'.\n", rcNt, pwszName));
|
---|
[52375] | 1639 | return;
|
---|
| 1640 | }
|
---|
| 1641 |
|
---|
| 1642 | ULONG fAccess = 0;
|
---|
| 1643 | ULONG fProtect = 0;
|
---|
| 1644 | bool fCallRealApi;
|
---|
| 1645 | //SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: scanning %ls\n", pwszName));
|
---|
[53220] | 1646 | supR3HardenedScreenImage(hFile, false, false /*fIgnoreArch*/, &fAccess, &fProtect, &fCallRealApi, "preload",
|
---|
| 1647 | false /*fAvoidWinVerifyTrust*/, NULL /*pfQuiet*/);
|
---|
[52375] | 1648 | //SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: done %ls\n", pwszName));
|
---|
| 1649 |
|
---|
| 1650 | NtClose(hFile);
|
---|
| 1651 | }
|
---|
| 1652 |
|
---|
| 1653 |
|
---|
| 1654 |
|
---|
| 1655 | /**
|
---|
| 1656 | * Hook that monitors NtCreateSection calls.
|
---|
| 1657 | *
|
---|
| 1658 | * @returns NT status code.
|
---|
| 1659 | * @param phSection Where to return the section handle.
|
---|
| 1660 | * @param fAccess The desired access.
|
---|
| 1661 | * @param pObjAttribs The object attributes (optional).
|
---|
| 1662 | * @param pcbSection The section size (optional).
|
---|
| 1663 | * @param fProtect The max section protection.
|
---|
| 1664 | * @param fAttribs The section attributes.
|
---|
| 1665 | * @param hFile The file to create a section from (optional).
|
---|
| 1666 | */
|
---|
[93270] | 1667 | __declspec(guard(ignore)) /* don't barf when calling g_pfnNtCreateSectionReal */
|
---|
[52375] | 1668 | static NTSTATUS NTAPI
|
---|
| 1669 | supR3HardenedMonitor_NtCreateSection(PHANDLE phSection, ACCESS_MASK fAccess, POBJECT_ATTRIBUTES pObjAttribs,
|
---|
| 1670 | PLARGE_INTEGER pcbSection, ULONG fProtect, ULONG fAttribs, HANDLE hFile)
|
---|
| 1671 | {
|
---|
[67977] | 1672 | bool fNeedUncChecking = false;
|
---|
[52375] | 1673 | if ( hFile != NULL
|
---|
| 1674 | && hFile != INVALID_HANDLE_VALUE)
|
---|
| 1675 | {
|
---|
| 1676 | bool const fImage = RT_BOOL(fAttribs & (SEC_IMAGE | SEC_PROTECTED_IMAGE));
|
---|
| 1677 | bool const fExecMap = RT_BOOL(fAccess & SECTION_MAP_EXECUTE);
|
---|
| 1678 | bool const fExecProt = RT_BOOL(fProtect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_WRITECOPY
|
---|
| 1679 | | PAGE_EXECUTE_READWRITE));
|
---|
| 1680 | if (fImage || fExecMap || fExecProt)
|
---|
| 1681 | {
|
---|
[67977] | 1682 | fNeedUncChecking = true;
|
---|
[52940] | 1683 | DWORD dwSavedLastError = RtlGetLastWin32Error();
|
---|
[52403] | 1684 |
|
---|
[52375] | 1685 | bool fCallRealApi;
|
---|
| 1686 | //SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 1\n"));
|
---|
[53220] | 1687 | NTSTATUS rcNt = supR3HardenedScreenImage(hFile, fImage, true /*fIgnoreArch*/, &fAccess, &fProtect, &fCallRealApi,
|
---|
[53045] | 1688 | "NtCreateSection", true /*fAvoidWinVerifyTrust*/, NULL /*pfQuiet*/);
|
---|
[52375] | 1689 | //SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 2 rcNt=%#x fCallRealApi=%#x\n", rcNt, fCallRealApi));
|
---|
[52403] | 1690 |
|
---|
[52940] | 1691 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 1692 |
|
---|
[52375] | 1693 | if (!NT_SUCCESS(rcNt))
|
---|
| 1694 | return rcNt;
|
---|
| 1695 | Assert(fCallRealApi);
|
---|
| 1696 | if (!fCallRealApi)
|
---|
[51770] | 1697 | return STATUS_TRUST_FAILURE;
|
---|
[52403] | 1698 |
|
---|
[51770] | 1699 | }
|
---|
| 1700 | }
|
---|
| 1701 |
|
---|
| 1702 | /*
|
---|
| 1703 | * Call checked out OK, call the original.
|
---|
| 1704 | */
|
---|
[67977] | 1705 | NTSTATUS rcNtReal = g_pfnNtCreateSectionReal(phSection, fAccess, pObjAttribs, pcbSection, fProtect, fAttribs, hFile);
|
---|
| 1706 |
|
---|
| 1707 | /*
|
---|
| 1708 | * Check that the image that got mapped bear some resemblance to the one that was
|
---|
| 1709 | * requested. Apparently there are ways to trick the NT cache manager to map a
|
---|
| 1710 | * file different from hFile into memory using local UNC accesses.
|
---|
| 1711 | */
|
---|
| 1712 | if ( NT_SUCCESS(rcNtReal)
|
---|
| 1713 | && fNeedUncChecking)
|
---|
| 1714 | {
|
---|
| 1715 | DWORD dwSavedLastError = RtlGetLastWin32Error();
|
---|
| 1716 |
|
---|
| 1717 | bool fOkay = false;
|
---|
| 1718 |
|
---|
| 1719 | /* To get the name of the file backing the section, we unfortunately have to map it. */
|
---|
| 1720 | SIZE_T cbView = 0;
|
---|
| 1721 | PVOID pvTmpMap = NULL;
|
---|
| 1722 | NTSTATUS rcNt = NtMapViewOfSection(*phSection, NtCurrentProcess(), &pvTmpMap, 0, 0, NULL /*poffSection*/, &cbView,
|
---|
| 1723 | ViewUnmap, MEM_TOP_DOWN, PAGE_EXECUTE);
|
---|
| 1724 | if (NT_SUCCESS(rcNt))
|
---|
| 1725 | {
|
---|
| 1726 | /* Query the name. */
|
---|
| 1727 | union
|
---|
| 1728 | {
|
---|
| 1729 | UNICODE_STRING UniStr;
|
---|
| 1730 | RTUTF16 awcBuf[512];
|
---|
| 1731 | } uBuf;
|
---|
| 1732 | RT_ZERO(uBuf);
|
---|
| 1733 | SIZE_T cbActual = 0;
|
---|
| 1734 | NTSTATUS rcNtQuery = NtQueryVirtualMemory(NtCurrentProcess(), pvTmpMap, MemorySectionName,
|
---|
| 1735 | &uBuf, sizeof(uBuf) - sizeof(RTUTF16), &cbActual);
|
---|
| 1736 |
|
---|
| 1737 | /* Unmap the view. */
|
---|
| 1738 | rcNt = NtUnmapViewOfSection(NtCurrentProcess(), pvTmpMap);
|
---|
| 1739 | if (!NT_SUCCESS(rcNt))
|
---|
| 1740 | SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtUnmapViewOfSection failed on %p (hSection=%p, hFile=%p) with %#x!\n",
|
---|
| 1741 | pvTmpMap, *phSection, hFile, rcNt));
|
---|
| 1742 |
|
---|
| 1743 | /* Process the name query result. */
|
---|
| 1744 | if (NT_SUCCESS(rcNtQuery))
|
---|
| 1745 | {
|
---|
| 1746 | static UNICODE_STRING const s_UncPrefix = RTNT_CONSTANT_UNISTR(L"\\Device\\Mup");
|
---|
| 1747 | if (!supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &s_UncPrefix, true /*fCheckSlash*/))
|
---|
| 1748 | fOkay = true;
|
---|
| 1749 | else
|
---|
| 1750 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
| 1751 | "supR3HardenedMonitor_NtCreateSection: Image section with UNC path is not trusted: '%.*ls'\n",
|
---|
| 1752 | uBuf.UniStr.Length / sizeof(RTUTF16), uBuf.UniStr.Buffer);
|
---|
| 1753 | }
|
---|
| 1754 | else
|
---|
| 1755 | SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtQueryVirtualMemory failed on %p (hFile=%p) with %#x -> STATUS_TRUST_FAILURE\n",
|
---|
| 1756 | *phSection, hFile, rcNt));
|
---|
| 1757 | }
|
---|
| 1758 | else
|
---|
| 1759 | SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtMapViewOfSection failed on %p (hFile=%p) with %#x -> STATUS_TRUST_FAILURE\n",
|
---|
| 1760 | *phSection, hFile, rcNt));
|
---|
| 1761 | if (!fOkay)
|
---|
| 1762 | {
|
---|
| 1763 | NtClose(*phSection);
|
---|
| 1764 | *phSection = INVALID_HANDLE_VALUE;
|
---|
| 1765 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 1766 | return STATUS_TRUST_FAILURE;
|
---|
| 1767 | }
|
---|
| 1768 |
|
---|
| 1769 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 1770 | }
|
---|
| 1771 | return rcNtReal;
|
---|
[51770] | 1772 | }
|
---|
| 1773 |
|
---|
| 1774 |
|
---|
[52403] | 1775 | /**
|
---|
[67979] | 1776 | * Checks if the given name is a valid ApiSet name.
|
---|
| 1777 | *
|
---|
| 1778 | * This is only called on likely looking names.
|
---|
| 1779 | *
|
---|
| 1780 | * @returns true if ApiSet name, false if not.
|
---|
| 1781 | * @param pName The name to check out.
|
---|
| 1782 | */
|
---|
| 1783 | static bool supR3HardenedIsApiSetDll(PUNICODE_STRING pName)
|
---|
| 1784 | {
|
---|
| 1785 | /*
|
---|
| 1786 | * API added in Windows 8, or so they say.
|
---|
| 1787 | */
|
---|
| 1788 | if (ApiSetQueryApiSetPresence != NULL)
|
---|
| 1789 | {
|
---|
| 1790 | BOOLEAN fPresent = FALSE;
|
---|
| 1791 | NTSTATUS rcNt = ApiSetQueryApiSetPresence(pName, &fPresent);
|
---|
| 1792 | SUP_DPRINTF(("supR3HardenedIsApiSetDll: ApiSetQueryApiSetPresence(%.*ls) -> %#x, fPresent=%d\n",
|
---|
| 1793 | pName->Length / sizeof(WCHAR), pName->Buffer, rcNt, fPresent));
|
---|
| 1794 | return fPresent != 0;
|
---|
| 1795 | }
|
---|
| 1796 |
|
---|
| 1797 | /*
|
---|
| 1798 | * Fallback needed for Windows 7. Fortunately, there aren't too many fake DLLs here.
|
---|
| 1799 | */
|
---|
[67981] | 1800 | if ( g_uNtVerCombined >= SUP_NT_VER_W70
|
---|
| 1801 | && ( supHardViUtf16PathStartsWithEx(pName->Buffer, pName->Length / sizeof(WCHAR),
|
---|
| 1802 | L"api-ms-win-", 11, false /*fCheckSlash*/)
|
---|
| 1803 | || supHardViUtf16PathStartsWithEx(pName->Buffer, pName->Length / sizeof(WCHAR),
|
---|
| 1804 | L"ext-ms-win-", 11, false /*fCheckSlash*/) ))
|
---|
[67979] | 1805 | {
|
---|
| 1806 | #define MY_ENTRY(a) { a, sizeof(a) - 1 }
|
---|
| 1807 | static const struct { const char *psz; size_t cch; } s_aKnownSets[] =
|
---|
| 1808 | {
|
---|
| 1809 | MY_ENTRY("api-ms-win-core-console-l1-1-0 "),
|
---|
| 1810 | MY_ENTRY("api-ms-win-core-datetime-l1-1-0"),
|
---|
| 1811 | MY_ENTRY("api-ms-win-core-debug-l1-1-0"),
|
---|
| 1812 | MY_ENTRY("api-ms-win-core-delayload-l1-1-0"),
|
---|
| 1813 | MY_ENTRY("api-ms-win-core-errorhandling-l1-1-0"),
|
---|
| 1814 | MY_ENTRY("api-ms-win-core-fibers-l1-1-0"),
|
---|
| 1815 | MY_ENTRY("api-ms-win-core-file-l1-1-0"),
|
---|
| 1816 | MY_ENTRY("api-ms-win-core-handle-l1-1-0"),
|
---|
| 1817 | MY_ENTRY("api-ms-win-core-heap-l1-1-0"),
|
---|
| 1818 | MY_ENTRY("api-ms-win-core-interlocked-l1-1-0"),
|
---|
| 1819 | MY_ENTRY("api-ms-win-core-io-l1-1-0"),
|
---|
| 1820 | MY_ENTRY("api-ms-win-core-libraryloader-l1-1-0"),
|
---|
| 1821 | MY_ENTRY("api-ms-win-core-localization-l1-1-0"),
|
---|
| 1822 | MY_ENTRY("api-ms-win-core-localregistry-l1-1-0"),
|
---|
| 1823 | MY_ENTRY("api-ms-win-core-memory-l1-1-0"),
|
---|
| 1824 | MY_ENTRY("api-ms-win-core-misc-l1-1-0"),
|
---|
| 1825 | MY_ENTRY("api-ms-win-core-namedpipe-l1-1-0"),
|
---|
| 1826 | MY_ENTRY("api-ms-win-core-processenvironment-l1-1-0"),
|
---|
| 1827 | MY_ENTRY("api-ms-win-core-processthreads-l1-1-0"),
|
---|
| 1828 | MY_ENTRY("api-ms-win-core-profile-l1-1-0"),
|
---|
| 1829 | MY_ENTRY("api-ms-win-core-rtlsupport-l1-1-0"),
|
---|
| 1830 | MY_ENTRY("api-ms-win-core-string-l1-1-0"),
|
---|
| 1831 | MY_ENTRY("api-ms-win-core-synch-l1-1-0"),
|
---|
| 1832 | MY_ENTRY("api-ms-win-core-sysinfo-l1-1-0"),
|
---|
| 1833 | MY_ENTRY("api-ms-win-core-threadpool-l1-1-0"),
|
---|
| 1834 | MY_ENTRY("api-ms-win-core-ums-l1-1-0"),
|
---|
| 1835 | MY_ENTRY("api-ms-win-core-util-l1-1-0"),
|
---|
| 1836 | MY_ENTRY("api-ms-win-core-xstate-l1-1-0"),
|
---|
| 1837 | MY_ENTRY("api-ms-win-security-base-l1-1-0"),
|
---|
| 1838 | MY_ENTRY("api-ms-win-security-lsalookup-l1-1-0"),
|
---|
| 1839 | MY_ENTRY("api-ms-win-security-sddl-l1-1-0"),
|
---|
| 1840 | MY_ENTRY("api-ms-win-service-core-l1-1-0"),
|
---|
| 1841 | MY_ENTRY("api-ms-win-service-management-l1-1-0"),
|
---|
| 1842 | MY_ENTRY("api-ms-win-service-management-l2-1-0"),
|
---|
| 1843 | MY_ENTRY("api-ms-win-service-winsvc-l1-1-0"),
|
---|
| 1844 | };
|
---|
| 1845 | #undef MY_ENTRY
|
---|
| 1846 |
|
---|
| 1847 | /* drop the dll suffix if present. */
|
---|
| 1848 | PCRTUTF16 pawcName = pName->Buffer;
|
---|
| 1849 | size_t cwcName = pName->Length / sizeof(WCHAR);
|
---|
| 1850 | if ( cwcName > 5
|
---|
| 1851 | && (pawcName[cwcName - 1] == 'l' || pawcName[cwcName - 1] == 'L')
|
---|
| 1852 | && (pawcName[cwcName - 2] == 'l' || pawcName[cwcName - 2] == 'L')
|
---|
| 1853 | && (pawcName[cwcName - 3] == 'd' || pawcName[cwcName - 3] == 'D')
|
---|
| 1854 | && pawcName[cwcName - 4] == '.')
|
---|
| 1855 | cwcName -= 4;
|
---|
| 1856 |
|
---|
| 1857 | /* Search the table. */
|
---|
| 1858 | for (size_t i = 0; i < RT_ELEMENTS(s_aKnownSets); i++)
|
---|
| 1859 | if ( cwcName == s_aKnownSets[i].cch
|
---|
| 1860 | && RTUtf16NICmpAscii(pawcName, s_aKnownSets[i].psz, cwcName) == 0)
|
---|
| 1861 | {
|
---|
| 1862 | SUP_DPRINTF(("supR3HardenedIsApiSetDll: '%.*ls' -> true\n", pName->Length / sizeof(WCHAR)));
|
---|
| 1863 | return true;
|
---|
| 1864 | }
|
---|
| 1865 |
|
---|
| 1866 | SUP_DPRINTF(("supR3HardenedIsApiSetDll: Warning! '%.*ls' looks like an API set, but it's not in the list!\n",
|
---|
| 1867 | pName->Length / sizeof(WCHAR), pName->Buffer));
|
---|
| 1868 | }
|
---|
| 1869 |
|
---|
| 1870 | SUP_DPRINTF(("supR3HardenedIsApiSetDll: '%.*ls' -> false\n", pName->Length / sizeof(WCHAR)));
|
---|
| 1871 | return false;
|
---|
| 1872 | }
|
---|
| 1873 |
|
---|
| 1874 |
|
---|
| 1875 | /**
|
---|
| 1876 | * Checks whether the given unicode string contains a path separator and at
|
---|
| 1877 | * least one dash.
|
---|
| 1878 | *
|
---|
| 1879 | * This is used to check for likely ApiSet name. So far, all the pseudo DLL
|
---|
| 1880 | * names include multiple dashes, so we use that as a criteria for recognizing
|
---|
| 1881 | * them. By happy coincident, most regular DLLs doesn't include dashes.
|
---|
| 1882 | *
|
---|
| 1883 | * @returns true if it contains path separator, false if only a name.
|
---|
| 1884 | * @param pPath The path to check.
|
---|
| 1885 | */
|
---|
| 1886 | static bool supR3HardenedHasDashButNoPath(PUNICODE_STRING pPath)
|
---|
| 1887 | {
|
---|
| 1888 | size_t cDashes = 0;
|
---|
| 1889 | size_t cwcLeft = pPath->Length / sizeof(WCHAR);
|
---|
| 1890 | PCRTUTF16 pwc = pPath->Buffer;
|
---|
| 1891 | while (cwcLeft-- > 0)
|
---|
| 1892 | {
|
---|
| 1893 | RTUTF16 wc = *pwc++;
|
---|
| 1894 | switch (wc)
|
---|
| 1895 | {
|
---|
| 1896 | default:
|
---|
| 1897 | break;
|
---|
| 1898 |
|
---|
| 1899 | case '-':
|
---|
| 1900 | cDashes++;
|
---|
| 1901 | break;
|
---|
| 1902 |
|
---|
| 1903 | case '\\':
|
---|
| 1904 | case '/':
|
---|
| 1905 | case ':':
|
---|
| 1906 | return false;
|
---|
| 1907 | }
|
---|
| 1908 | }
|
---|
| 1909 | return cDashes > 0;
|
---|
| 1910 | }
|
---|
| 1911 |
|
---|
| 1912 |
|
---|
| 1913 | /**
|
---|
[52704] | 1914 | * Helper for supR3HardenedMonitor_LdrLoadDll.
|
---|
| 1915 | *
|
---|
| 1916 | * @returns NT status code.
|
---|
| 1917 | * @param pwszPath The path destination buffer.
|
---|
| 1918 | * @param cwcPath The size of the path buffer.
|
---|
| 1919 | * @param pUniStrResult The result string.
|
---|
| 1920 | * @param pOrgName The orignal name (for errors).
|
---|
| 1921 | * @param pcwc Where to return the actual length.
|
---|
| 1922 | */
|
---|
| 1923 | static NTSTATUS supR3HardenedCopyRedirectionResult(WCHAR *pwszPath, size_t cwcPath, PUNICODE_STRING pUniStrResult,
|
---|
| 1924 | PUNICODE_STRING pOrgName, UINT *pcwc)
|
---|
| 1925 | {
|
---|
| 1926 | UINT cwc;
|
---|
| 1927 | *pcwc = cwc = pUniStrResult->Length / sizeof(WCHAR);
|
---|
| 1928 | if (pUniStrResult->Buffer == pwszPath)
|
---|
| 1929 | pwszPath[cwc] = '\0';
|
---|
| 1930 | else
|
---|
| 1931 | {
|
---|
| 1932 | if (cwc > cwcPath - 1)
|
---|
| 1933 | {
|
---|
| 1934 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
| 1935 | "supR3HardenedMonitor_LdrLoadDll: Name too long: %.*ls -> %.*ls (RtlDosApplyFileIoslationRedirection_Ustr)\n",
|
---|
| 1936 | pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer,
|
---|
| 1937 | pUniStrResult->Length / sizeof(WCHAR), pUniStrResult->Buffer);
|
---|
| 1938 | return STATUS_NAME_TOO_LONG;
|
---|
| 1939 | }
|
---|
| 1940 | memcpy(&pwszPath[0], pUniStrResult->Buffer, pUniStrResult->Length);
|
---|
| 1941 | pwszPath[cwc] = '\0';
|
---|
| 1942 | }
|
---|
| 1943 | return STATUS_SUCCESS;
|
---|
| 1944 | }
|
---|
| 1945 |
|
---|
| 1946 |
|
---|
| 1947 | /**
|
---|
[66525] | 1948 | * Helper for supR3HardenedMonitor_LdrLoadDll that compares the name part of the
|
---|
| 1949 | * input path against a ASCII name string of a given length.
|
---|
| 1950 | *
|
---|
| 1951 | * @returns true if the name part matches
|
---|
| 1952 | * @param pPath The LdrLoadDll input path.
|
---|
| 1953 | * @param pszName The name to try match it with.
|
---|
| 1954 | * @param cchName The name length.
|
---|
| 1955 | */
|
---|
| 1956 | static bool supR3HardenedIsFilenameMatchDll(PUNICODE_STRING pPath, const char *pszName, size_t cchName)
|
---|
| 1957 | {
|
---|
| 1958 | if (pPath->Length < cchName * 2)
|
---|
| 1959 | return false;
|
---|
| 1960 | PCRTUTF16 pwszTmp = &pPath->Buffer[pPath->Length / sizeof(RTUTF16) - cchName];
|
---|
| 1961 | if ( pPath->Length != cchName
|
---|
| 1962 | && pwszTmp[-1] != '\\'
|
---|
| 1963 | && pwszTmp[-1] != '/')
|
---|
| 1964 | return false;
|
---|
| 1965 | return RTUtf16ICmpAscii(pwszTmp, pszName) == 0;
|
---|
| 1966 | }
|
---|
| 1967 |
|
---|
| 1968 |
|
---|
| 1969 | /**
|
---|
[52403] | 1970 | * Hooks that intercepts LdrLoadDll calls.
|
---|
| 1971 | *
|
---|
| 1972 | * Two purposes:
|
---|
| 1973 | * -# Enforce our own search path restrictions.
|
---|
| 1974 | * -# Prevalidate DLLs about to be loaded so we don't upset the loader data
|
---|
| 1975 | * by doing it from within the NtCreateSection hook (WinVerifyTrust
|
---|
| 1976 | * seems to be doing harm there on W7/32).
|
---|
| 1977 | *
|
---|
| 1978 | * @returns
|
---|
| 1979 | * @param pwszSearchPath The search path to use.
|
---|
| 1980 | * @param pfFlags Flags on input. DLL characteristics or something
|
---|
| 1981 | * on return?
|
---|
| 1982 | * @param pName The name of the module.
|
---|
| 1983 | * @param phMod Where the handle of the loaded DLL is to be
|
---|
| 1984 | * returned to the caller.
|
---|
| 1985 | */
|
---|
[93270] | 1986 | __declspec(guard(ignore)) /* don't barf when calling g_pfnLdrLoadDllReal */
|
---|
[52403] | 1987 | static NTSTATUS NTAPI
|
---|
| 1988 | supR3HardenedMonitor_LdrLoadDll(PWSTR pwszSearchPath, PULONG pfFlags, PUNICODE_STRING pName, PHANDLE phMod)
|
---|
| 1989 | {
|
---|
[53051] | 1990 | DWORD dwSavedLastError = RtlGetLastWin32Error();
|
---|
| 1991 | PUNICODE_STRING const pOrgName = pName;
|
---|
| 1992 | NTSTATUS rcNt;
|
---|
[52403] | 1993 |
|
---|
| 1994 | /*
|
---|
[52953] | 1995 | * Make sure the DLL notification callback is registered. If we could, we
|
---|
| 1996 | * would've done this during early process init, but due to lack of heap
|
---|
| 1997 | * and uninitialized loader lock, it's not possible that early on.
|
---|
| 1998 | *
|
---|
| 1999 | * The callback protects our NtDll hooks from getting unhooked by
|
---|
| 2000 | * "friendly" fire from the AV crowd.
|
---|
| 2001 | */
|
---|
| 2002 | supR3HardenedWinRegisterDllNotificationCallback();
|
---|
| 2003 |
|
---|
| 2004 | /*
|
---|
[52431] | 2005 | * Process WinVerifyTrust todo before and after.
|
---|
| 2006 | */
|
---|
| 2007 | supR3HardenedWinVerifyCacheProcessWvtTodos();
|
---|
| 2008 |
|
---|
| 2009 | /*
|
---|
[52403] | 2010 | * Reject things we don't want to deal with.
|
---|
| 2011 | */
|
---|
| 2012 | if (!pName || pName->Length == 0)
|
---|
| 2013 | {
|
---|
| 2014 | supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: name is NULL or have a zero length.\n");
|
---|
[52679] | 2015 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x (pName=%p)\n", STATUS_INVALID_PARAMETER, pName));
|
---|
[52940] | 2016 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 2017 | return STATUS_INVALID_PARAMETER;
|
---|
| 2018 | }
|
---|
[67977] | 2019 | PCWCHAR const pawcOrgName = pName->Buffer;
|
---|
| 2020 | uint32_t const cwcOrgName = pName->Length / sizeof(WCHAR);
|
---|
| 2021 |
|
---|
[52679] | 2022 | /*SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.*ls *pfFlags=%#x pwszSearchPath=%p:%ls\n",
|
---|
[52627] | 2023 | (unsigned)pName->Length / sizeof(WCHAR), pName->Buffer, pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
|
---|
[52679] | 2024 | !((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));*/
|
---|
[52403] | 2025 |
|
---|
| 2026 | /*
|
---|
| 2027 | * Reject long paths that's close to the 260 limit without looking.
|
---|
| 2028 | */
|
---|
[67977] | 2029 | if (cwcOrgName > 256)
|
---|
[52403] | 2030 | {
|
---|
| 2031 | supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: too long name: %#x bytes\n", pName->Length);
|
---|
[52484] | 2032 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
|
---|
[52940] | 2033 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 2034 | return STATUS_NAME_TOO_LONG;
|
---|
| 2035 | }
|
---|
| 2036 |
|
---|
| 2037 | /*
|
---|
[67977] | 2038 | * Reject all UNC-like paths as we cannot trust non-local files at all.
|
---|
| 2039 | * Note! We may have to relax this to deal with long path specifications and NT pass thrus.
|
---|
| 2040 | */
|
---|
| 2041 | if ( cwcOrgName >= 3
|
---|
| 2042 | && RTPATH_IS_SLASH(pawcOrgName[0])
|
---|
| 2043 | && RTPATH_IS_SLASH(pawcOrgName[1])
|
---|
| 2044 | && !RTPATH_IS_SLASH(pawcOrgName[2]))
|
---|
| 2045 | {
|
---|
| 2046 | supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting UNC name '%.*ls'\n", cwcOrgName, pawcOrgName);
|
---|
| 2047 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_REDIRECTOR_NOT_STARTED));
|
---|
| 2048 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 2049 | return STATUS_REDIRECTOR_NOT_STARTED;
|
---|
| 2050 | }
|
---|
| 2051 |
|
---|
| 2052 | /*
|
---|
[60936] | 2053 | * Reject PGHook.dll as it creates a thread from its DllMain that breaks
|
---|
| 2054 | * our preconditions respawning the 2nd process, resulting in
|
---|
| 2055 | * VERR_SUP_VP_THREAD_NOT_ALONE. The DLL is being loaded by a user APC
|
---|
| 2056 | * scheduled during kernel32.dll load notification from a kernel driver,
|
---|
| 2057 | * so failing the load attempt should not upset anyone.
|
---|
| 2058 | */
|
---|
| 2059 | if (g_enmSupR3HardenedMainState == SUPR3HARDENEDMAINSTATE_WIN_EARLY_STUB_DEVICE_OPENED)
|
---|
| 2060 | {
|
---|
| 2061 | static const struct { const char *psz; size_t cch; } s_aUnwantedEarlyDlls[] =
|
---|
| 2062 | {
|
---|
| 2063 | { RT_STR_TUPLE("PGHook.dll") },
|
---|
| 2064 | };
|
---|
| 2065 | for (unsigned i = 0; i < RT_ELEMENTS(s_aUnwantedEarlyDlls); i++)
|
---|
[66525] | 2066 | if (supR3HardenedIsFilenameMatchDll(pName, s_aUnwantedEarlyDlls[i].psz, s_aUnwantedEarlyDlls[i].cch))
|
---|
| 2067 | {
|
---|
| 2068 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load '%.*ls' as it is expected to create undesirable threads that will upset our respawn checks (returning STATUS_TOO_MANY_THREADS)\n",
|
---|
| 2069 | pName->Length / sizeof(RTUTF16), pName->Buffer));
|
---|
| 2070 | return STATUS_TOO_MANY_THREADS;
|
---|
| 2071 | }
|
---|
[60936] | 2072 | }
|
---|
| 2073 |
|
---|
| 2074 | /*
|
---|
[67968] | 2075 | * Resolve the path, copying the result into wszPath
|
---|
[52403] | 2076 | */
|
---|
[53051] | 2077 | NTSTATUS rcNtResolve = STATUS_SUCCESS;
|
---|
[52403] | 2078 | bool fSkipValidation = false;
|
---|
[53821] | 2079 | bool fCheckIfLoaded = false;
|
---|
[52403] | 2080 | WCHAR wszPath[260];
|
---|
[52704] | 2081 | static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");
|
---|
| 2082 | UNICODE_STRING UniStrStatic = { 0, (USHORT)sizeof(wszPath) - sizeof(WCHAR), wszPath };
|
---|
| 2083 | UNICODE_STRING UniStrDynamic = { 0, 0, NULL };
|
---|
| 2084 | PUNICODE_STRING pUniStrResult = NULL;
|
---|
[52403] | 2085 | UNICODE_STRING ResolvedName;
|
---|
[52704] | 2086 |
|
---|
[67968] | 2087 | /*
|
---|
| 2088 | * Process the name a little, checking if it needs a DLL suffix and is pathless.
|
---|
| 2089 | */
|
---|
| 2090 | uint32_t offLastSlash = UINT32_MAX;
|
---|
| 2091 | uint32_t offLastDot = UINT32_MAX;
|
---|
[67977] | 2092 | for (uint32_t i = 0; i < cwcOrgName; i++)
|
---|
| 2093 | switch (pawcOrgName[i])
|
---|
[67968] | 2094 | {
|
---|
| 2095 | case '\\':
|
---|
| 2096 | case '/':
|
---|
| 2097 | offLastSlash = i;
|
---|
| 2098 | offLastDot = UINT32_MAX;
|
---|
| 2099 | break;
|
---|
| 2100 | case '.':
|
---|
| 2101 | offLastDot = i;
|
---|
| 2102 | break;
|
---|
| 2103 | }
|
---|
| 2104 | bool const fNeedDllSuffix = offLastDot == UINT32_MAX;
|
---|
[67977] | 2105 | //bool const fTrailingDot = offLastDot == cwcOrgName - 1;
|
---|
[67968] | 2106 |
|
---|
| 2107 | /*
|
---|
| 2108 | * Absolute path?
|
---|
| 2109 | */
|
---|
[67977] | 2110 | if ( ( cwcOrgName >= 4
|
---|
| 2111 | && RT_C_IS_ALPHA(pawcOrgName[0])
|
---|
| 2112 | && pawcOrgName[1] == ':'
|
---|
| 2113 | && RTPATH_IS_SLASH(pawcOrgName[2]) )
|
---|
| 2114 | || ( cwcOrgName >= 1
|
---|
| 2115 | && RTPATH_IS_SLASH(pawcOrgName[0]) )
|
---|
[52403] | 2116 | )
|
---|
| 2117 | {
|
---|
[53051] | 2118 | rcNtResolve = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,
|
---|
| 2119 | pName,
|
---|
| 2120 | (PUNICODE_STRING)&s_DefaultSuffix,
|
---|
| 2121 | &UniStrStatic,
|
---|
| 2122 | &UniStrDynamic,
|
---|
| 2123 | &pUniStrResult,
|
---|
| 2124 | NULL /*pNewFlags*/,
|
---|
| 2125 | NULL /*pcbFilename*/,
|
---|
| 2126 | NULL /*pcbNeeded*/);
|
---|
| 2127 | if (NT_SUCCESS(rcNtResolve))
|
---|
[52704] | 2128 | {
|
---|
| 2129 | UINT cwc;
|
---|
| 2130 | rcNt = supR3HardenedCopyRedirectionResult(wszPath, RT_ELEMENTS(wszPath), pUniStrResult, pName, &cwc);
|
---|
| 2131 | RtlFreeUnicodeString(&UniStrDynamic);
|
---|
| 2132 | if (!NT_SUCCESS(rcNt))
|
---|
| 2133 | {
|
---|
| 2134 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", rcNt));
|
---|
[52940] | 2135 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52704] | 2136 | return rcNt;
|
---|
| 2137 | }
|
---|
| 2138 |
|
---|
| 2139 | ResolvedName.Buffer = wszPath;
|
---|
| 2140 | ResolvedName.Length = (USHORT)(cwc * sizeof(WCHAR));
|
---|
| 2141 | ResolvedName.MaximumLength = ResolvedName.Length + sizeof(WCHAR);
|
---|
| 2142 |
|
---|
| 2143 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: '%.*ls' -> '%.*ls' [redir]\n",
|
---|
| 2144 | (unsigned)pName->Length / sizeof(WCHAR), pName->Buffer,
|
---|
| 2145 | ResolvedName.Length / sizeof(WCHAR), ResolvedName.Buffer, rcNt));
|
---|
| 2146 | pName = &ResolvedName;
|
---|
| 2147 | }
|
---|
| 2148 | else
|
---|
| 2149 | {
|
---|
[67968] | 2150 | /* Copy the path. */
|
---|
[67977] | 2151 | memcpy(wszPath, pawcOrgName, cwcOrgName * sizeof(WCHAR));
|
---|
| 2152 | if (!fNeedDllSuffix)
|
---|
| 2153 | wszPath[cwcOrgName] = '\0';
|
---|
| 2154 | else
|
---|
[67968] | 2155 | {
|
---|
[67977] | 2156 | if (cwcOrgName + 4 >= RT_ELEMENTS(wszPath))
|
---|
[67968] | 2157 | {
|
---|
| 2158 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[67977] | 2159 | "supR3HardenedMonitor_LdrLoadDll: Name too long (abs): %.*ls\n", cwcOrgName, pawcOrgName);
|
---|
[67968] | 2160 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
|
---|
| 2161 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 2162 | return STATUS_NAME_TOO_LONG;
|
---|
| 2163 | }
|
---|
[67977] | 2164 | memcpy(&wszPath[cwcOrgName], L".dll", 5 * sizeof(WCHAR));
|
---|
[67968] | 2165 | }
|
---|
[52704] | 2166 | }
|
---|
[52403] | 2167 | }
|
---|
| 2168 | /*
|
---|
[52627] | 2169 | * Not an absolute path. Check if it's one of those special API set DLLs
|
---|
| 2170 | * or something we're known to use but should be taken from WinSxS.
|
---|
[52403] | 2171 | */
|
---|
[67979] | 2172 | else if ( supR3HardenedHasDashButNoPath(pName)
|
---|
| 2173 | && supR3HardenedIsApiSetDll(pName))
|
---|
[52403] | 2174 | {
|
---|
| 2175 | memcpy(wszPath, pName->Buffer, pName->Length);
|
---|
| 2176 | wszPath[pName->Length / sizeof(WCHAR)] = '\0';
|
---|
| 2177 | fSkipValidation = true;
|
---|
| 2178 | }
|
---|
| 2179 | /*
|
---|
| 2180 | * Not an absolute path or special API set. There are two alternatives
|
---|
| 2181 | * now, either there is no path at all or there is a relative path. We
|
---|
| 2182 | * will resolve it to an absolute path in either case, failing the call
|
---|
[52627] | 2183 | * if we can't.
|
---|
[52403] | 2184 | */
|
---|
| 2185 | else
|
---|
| 2186 | {
|
---|
| 2187 | /*
|
---|
| 2188 | * Reject relative paths for now as they might be breakout attempts.
|
---|
| 2189 | */
|
---|
| 2190 | if (offLastSlash != UINT32_MAX)
|
---|
| 2191 | {
|
---|
| 2192 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
| 2193 | "supR3HardenedMonitor_LdrLoadDll: relative name not permitted: %.*ls\n",
|
---|
[67977] | 2194 | cwcOrgName, pawcOrgName);
|
---|
[52484] | 2195 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_OBJECT_NAME_INVALID));
|
---|
[52940] | 2196 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 2197 | return STATUS_OBJECT_NAME_INVALID;
|
---|
| 2198 | }
|
---|
| 2199 |
|
---|
| 2200 | /*
|
---|
[52627] | 2201 | * Perform dll redirection to WinSxS such. We using an undocumented
|
---|
| 2202 | * API here, which as always is a bit risky... ASSUMES that the API
|
---|
| 2203 | * returns a full DOS path.
|
---|
[52403] | 2204 | */
|
---|
[52704] | 2205 | UINT cwc;
|
---|
[53051] | 2206 | rcNtResolve = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,
|
---|
| 2207 | pName,
|
---|
| 2208 | (PUNICODE_STRING)&s_DefaultSuffix,
|
---|
| 2209 | &UniStrStatic,
|
---|
| 2210 | &UniStrDynamic,
|
---|
| 2211 | &pUniStrResult,
|
---|
| 2212 | NULL /*pNewFlags*/,
|
---|
| 2213 | NULL /*pcbFilename*/,
|
---|
| 2214 | NULL /*pcbNeeded*/);
|
---|
| 2215 | if (NT_SUCCESS(rcNtResolve))
|
---|
[52403] | 2216 | {
|
---|
[52704] | 2217 | rcNt = supR3HardenedCopyRedirectionResult(wszPath, RT_ELEMENTS(wszPath), pUniStrResult, pName, &cwc);
|
---|
| 2218 | RtlFreeUnicodeString(&UniStrDynamic);
|
---|
| 2219 | if (!NT_SUCCESS(rcNt))
|
---|
[52627] | 2220 | {
|
---|
[52704] | 2221 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", rcNt));
|
---|
[52940] | 2222 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52704] | 2223 | return rcNt;
|
---|
[52627] | 2224 | }
|
---|
[52403] | 2225 | }
|
---|
| 2226 | else
|
---|
| 2227 | {
|
---|
[52627] | 2228 | /*
|
---|
| 2229 | * Search for the DLL. Only System32 is allowed as the target of
|
---|
| 2230 | * a search on the API level, all VBox calls will have full paths.
|
---|
[53821] | 2231 | * If the DLL is not in System32, we will resort to check if it's
|
---|
| 2232 | * refering to an already loaded DLL (fCheckIfLoaded).
|
---|
[52627] | 2233 | */
|
---|
[52947] | 2234 | AssertCompile(sizeof(g_System32WinPath.awcBuffer) <= sizeof(wszPath));
|
---|
| 2235 | cwc = g_System32WinPath.UniStr.Length / sizeof(RTUTF16); Assert(cwc > 2);
|
---|
[67977] | 2236 | if (cwc + 1 + cwcOrgName + fNeedDllSuffix * 4 >= RT_ELEMENTS(wszPath))
|
---|
[52627] | 2237 | {
|
---|
| 2238 | supR3HardenedError(VINF_SUCCESS, false,
|
---|
[67977] | 2239 | "supR3HardenedMonitor_LdrLoadDll: Name too long (system32): %.*ls\n", cwcOrgName, pawcOrgName);
|
---|
[52627] | 2240 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
|
---|
[52940] | 2241 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52627] | 2242 | return STATUS_NAME_TOO_LONG;
|
---|
| 2243 | }
|
---|
[52947] | 2244 | memcpy(wszPath, g_System32WinPath.UniStr.Buffer, cwc * sizeof(RTUTF16));
|
---|
[52627] | 2245 | wszPath[cwc++] = '\\';
|
---|
[67977] | 2246 | memcpy(&wszPath[cwc], pawcOrgName, cwcOrgName * sizeof(WCHAR));
|
---|
| 2247 | cwc += cwcOrgName;
|
---|
[52627] | 2248 | if (!fNeedDllSuffix)
|
---|
| 2249 | wszPath[cwc] = '\0';
|
---|
| 2250 | else
|
---|
| 2251 | {
|
---|
| 2252 | memcpy(&wszPath[cwc], L".dll", 5 * sizeof(WCHAR));
|
---|
| 2253 | cwc += 4;
|
---|
| 2254 | }
|
---|
[53821] | 2255 | fCheckIfLoaded = true;
|
---|
[52403] | 2256 | }
|
---|
| 2257 |
|
---|
| 2258 | ResolvedName.Buffer = wszPath;
|
---|
| 2259 | ResolvedName.Length = (USHORT)(cwc * sizeof(WCHAR));
|
---|
| 2260 | ResolvedName.MaximumLength = ResolvedName.Length + sizeof(WCHAR);
|
---|
| 2261 | pName = &ResolvedName;
|
---|
| 2262 | }
|
---|
| 2263 |
|
---|
[66525] | 2264 | #ifndef IN_SUP_R3_STATIC
|
---|
| 2265 | /*
|
---|
| 2266 | * Reject blacklisted DLLs based on input name.
|
---|
| 2267 | */
|
---|
| 2268 | for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
|
---|
| 2269 | if (supR3HardenedIsFilenameMatchDll(pName, g_aSupNtViBlacklistedDlls[i].psz, g_aSupNtViBlacklistedDlls[i].cch))
|
---|
| 2270 | {
|
---|
| 2271 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load blacklisted DLL: '%.*ls'\n",
|
---|
| 2272 | pName->Length / sizeof(RTUTF16), pName->Buffer));
|
---|
| 2273 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 2274 | return STATUS_TOO_MANY_THREADS;
|
---|
| 2275 | }
|
---|
| 2276 | #endif
|
---|
| 2277 |
|
---|
[53051] | 2278 | bool fQuiet = false;
|
---|
[52403] | 2279 | if (!fSkipValidation)
|
---|
| 2280 | {
|
---|
| 2281 | /*
|
---|
| 2282 | * Try open the file. If this fails, never mind, just pass it on to
|
---|
| 2283 | * the real API as we've replaced any searchable name with a full name
|
---|
| 2284 | * and the real API can come up with a fitting status code for it.
|
---|
| 2285 | */
|
---|
[52947] | 2286 | HANDLE hRootDir;
|
---|
| 2287 | UNICODE_STRING NtPathUniStr;
|
---|
| 2288 | int rc = RTNtPathFromWinUtf16Ex(&NtPathUniStr, &hRootDir, wszPath, RTSTR_MAX);
|
---|
| 2289 | if (RT_FAILURE(rc))
|
---|
[52403] | 2290 | {
|
---|
[52947] | 2291 | supR3HardenedError(rc, false,
|
---|
| 2292 | "supR3HardenedMonitor_LdrLoadDll: RTNtPathFromWinUtf16Ex failed on '%ls': %Rrc\n", wszPath, rc);
|
---|
| 2293 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_OBJECT_NAME_INVALID));
|
---|
| 2294 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 2295 | return STATUS_OBJECT_NAME_INVALID;
|
---|
| 2296 | }
|
---|
| 2297 |
|
---|
| 2298 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 2299 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 2300 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 2301 | InitializeObjectAttributes(&ObjAttr, &NtPathUniStr, OBJ_CASE_INSENSITIVE, hRootDir, NULL /*pSecDesc*/);
|
---|
| 2302 |
|
---|
| 2303 | rcNt = NtCreateFile(&hFile,
|
---|
| 2304 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 2305 | &ObjAttr,
|
---|
| 2306 | &Ios,
|
---|
| 2307 | NULL /* Allocation Size*/,
|
---|
| 2308 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 2309 | FILE_SHARE_READ,
|
---|
| 2310 | FILE_OPEN,
|
---|
| 2311 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
| 2312 | NULL /*EaBuffer*/,
|
---|
| 2313 | 0 /*EaLength*/);
|
---|
| 2314 | if (NT_SUCCESS(rcNt))
|
---|
| 2315 | rcNt = Ios.Status;
|
---|
| 2316 | if (NT_SUCCESS(rcNt))
|
---|
| 2317 | {
|
---|
[52403] | 2318 | ULONG fAccess = 0;
|
---|
| 2319 | ULONG fProtect = 0;
|
---|
| 2320 | bool fCallRealApi = false;
|
---|
[53220] | 2321 | rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, RT_VALID_PTR(pfFlags) && (*pfFlags & 0x2) /*fIgnoreArch*/,
|
---|
| 2322 | &fAccess, &fProtect, &fCallRealApi,
|
---|
[53045] | 2323 | "LdrLoadDll", false /*fAvoidWinVerifyTrust*/, &fQuiet);
|
---|
[52403] | 2324 | NtClose(hFile);
|
---|
| 2325 | if (!NT_SUCCESS(rcNt))
|
---|
| 2326 | {
|
---|
[53045] | 2327 | if (!fQuiet)
|
---|
[52528] | 2328 | {
|
---|
[53051] | 2329 | if (pOrgName != pName)
|
---|
| 2330 | supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting '%ls': rcNt=%#x\n",
|
---|
| 2331 | wszPath, rcNt);
|
---|
| 2332 | else
|
---|
| 2333 | supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting '%ls' (%.*ls): rcNt=%#x\n",
|
---|
| 2334 | wszPath, pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNt);
|
---|
[52528] | 2335 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
|
---|
| 2336 | }
|
---|
[52940] | 2337 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 2338 | return rcNt;
|
---|
| 2339 | }
|
---|
| 2340 |
|
---|
| 2341 | supR3HardenedWinVerifyCacheProcessImportTodos();
|
---|
| 2342 | }
|
---|
| 2343 | else
|
---|
| 2344 | {
|
---|
[52940] | 2345 | DWORD dwErr = RtlGetLastWin32Error();
|
---|
[53821] | 2346 |
|
---|
| 2347 | /*
|
---|
| 2348 | * Deal with special case where the caller (first case was MS LifeCam)
|
---|
| 2349 | * is using LoadLibrary instead of GetModuleHandle to find a loaded DLL.
|
---|
| 2350 | */
|
---|
| 2351 | NTSTATUS rcNtGetDll = STATUS_SUCCESS;
|
---|
| 2352 | if ( fCheckIfLoaded
|
---|
| 2353 | && ( rcNt == STATUS_OBJECT_NAME_NOT_FOUND
|
---|
| 2354 | || rcNt == STATUS_OBJECT_PATH_NOT_FOUND))
|
---|
| 2355 | {
|
---|
| 2356 | rcNtGetDll = LdrGetDllHandle(NULL /*DllPath*/, NULL /*pfFlags*/, pOrgName, phMod);
|
---|
| 2357 | if (NT_SUCCESS(rcNtGetDll))
|
---|
| 2358 | {
|
---|
[67968] | 2359 | RTNtPathFree(&NtPathUniStr, &hRootDir);
|
---|
[53821] | 2360 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 2361 | return rcNtGetDll;
|
---|
| 2362 | }
|
---|
| 2363 | }
|
---|
| 2364 |
|
---|
| 2365 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: error opening '%ls': %u (NtPath=%.*ls; Input=%.*ls; rcNtGetDll=%#x\n",
|
---|
[53051] | 2366 | wszPath, dwErr, NtPathUniStr.Length / sizeof(RTUTF16), NtPathUniStr.Buffer,
|
---|
[53821] | 2367 | pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNtGetDll));
|
---|
[67968] | 2368 |
|
---|
| 2369 | RTNtPathFree(&NtPathUniStr, &hRootDir);
|
---|
| 2370 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
| 2371 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
|
---|
| 2372 | return rcNt;
|
---|
[52403] | 2373 | }
|
---|
[52947] | 2374 | RTNtPathFree(&NtPathUniStr, &hRootDir);
|
---|
[52403] | 2375 | }
|
---|
| 2376 |
|
---|
| 2377 | /*
|
---|
| 2378 | * Screened successfully enough. Call the real thing.
|
---|
| 2379 | */
|
---|
[53045] | 2380 | if (!fQuiet)
|
---|
[53051] | 2381 | {
|
---|
| 2382 | if (pOrgName != pName)
|
---|
| 2383 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.*ls (Input=%.*ls, rcNtResolve=%#x) *pfFlags=%#x pwszSearchPath=%p:%ls [calling]\n",
|
---|
| 2384 | (unsigned)pName->Length / sizeof(WCHAR), pName->Buffer,
|
---|
| 2385 | (unsigned)pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNtResolve,
|
---|
| 2386 | pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
|
---|
| 2387 | !((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));
|
---|
| 2388 | else
|
---|
| 2389 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.*ls (rcNtResolve=%#x) *pfFlags=%#x pwszSearchPath=%p:%ls [calling]\n",
|
---|
| 2390 | (unsigned)pName->Length / sizeof(WCHAR), pName->Buffer, rcNtResolve,
|
---|
| 2391 | pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
|
---|
| 2392 | !((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));
|
---|
| 2393 | }
|
---|
| 2394 |
|
---|
[52940] | 2395 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 2396 | rcNt = g_pfnLdrLoadDllReal(pwszSearchPath, pfFlags, pName, phMod);
|
---|
| 2397 |
|
---|
[52484] | 2398 | /*
|
---|
| 2399 | * Log the result and process pending WinVerifyTrust work if we can.
|
---|
| 2400 | */
|
---|
[52940] | 2401 | dwSavedLastError = RtlGetLastWin32Error();
|
---|
[52484] | 2402 |
|
---|
[52403] | 2403 | if (NT_SUCCESS(rcNt) && phMod)
|
---|
| 2404 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x hMod=%p '%ls'\n", rcNt, *phMod, wszPath));
|
---|
[53045] | 2405 | else if (!NT_SUCCESS(rcNt) || !fQuiet)
|
---|
[52403] | 2406 | SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
|
---|
[52967] | 2407 |
|
---|
[52431] | 2408 | supR3HardenedWinVerifyCacheProcessWvtTodos();
|
---|
[52484] | 2409 |
|
---|
[52940] | 2410 | RtlRestoreLastWin32Error(dwSavedLastError);
|
---|
[52403] | 2411 |
|
---|
| 2412 | return rcNt;
|
---|
| 2413 | }
|
---|
| 2414 |
|
---|
| 2415 |
|
---|
[52953] | 2416 | /**
|
---|
| 2417 | * DLL load and unload notification callback.
|
---|
| 2418 | *
|
---|
| 2419 | * This is a safety against our LdrLoadDll hook being replaced by protection
|
---|
| 2420 | * software. Though, we prefer the LdrLoadDll hook to this one as it allows us
|
---|
| 2421 | * to call WinVerifyTrust more freely.
|
---|
| 2422 | *
|
---|
| 2423 | * @param ulReason The reason we're called, see
|
---|
| 2424 | * LDR_DLL_NOTIFICATION_REASON_XXX.
|
---|
| 2425 | * @param pData Reason specific data. (Format is currently the same for
|
---|
| 2426 | * both load and unload.)
|
---|
| 2427 | * @param pvUser User parameter (ignored).
|
---|
| 2428 | *
|
---|
| 2429 | * @remarks Vista and later.
|
---|
| 2430 | * @remarks The loader lock is held when we're called, at least on Windows 7.
|
---|
| 2431 | */
|
---|
[85121] | 2432 | static VOID CALLBACK
|
---|
| 2433 | supR3HardenedDllNotificationCallback(ULONG ulReason, PCLDR_DLL_NOTIFICATION_DATA pData, PVOID pvUser) RT_NOTHROW_DEF
|
---|
[52953] | 2434 | {
|
---|
| 2435 | NOREF(pvUser);
|
---|
| 2436 |
|
---|
| 2437 | /*
|
---|
| 2438 | * Screen the image on load. We will normally get a verification cache
|
---|
| 2439 | * hit here because of the LdrLoadDll and NtCreateSection hooks, so it
|
---|
| 2440 | * should be relatively cheap to recheck. In case our NtDll patches
|
---|
| 2441 | * got re
|
---|
| 2442 | *
|
---|
| 2443 | * This ASSUMES that we get informed after the fact as indicated by the
|
---|
| 2444 | * available documentation.
|
---|
| 2445 | */
|
---|
| 2446 | if (ulReason == LDR_DLL_NOTIFICATION_REASON_LOADED)
|
---|
| 2447 | {
|
---|
| 2448 | SUP_DPRINTF(("supR3HardenedDllNotificationCallback: load %p LB %#010x %.*ls [fFlags=%#x]\n",
|
---|
| 2449 | pData->Loaded.DllBase, pData->Loaded.SizeOfImage,
|
---|
| 2450 | pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
|
---|
| 2451 | pData->Loaded.Flags));
|
---|
| 2452 |
|
---|
| 2453 | /* Convert the windows path to an NT path and open it. */
|
---|
| 2454 | HANDLE hRootDir;
|
---|
| 2455 | UNICODE_STRING NtPathUniStr;
|
---|
| 2456 | int rc = RTNtPathFromWinUtf16Ex(&NtPathUniStr, &hRootDir, pData->Loaded.FullDllName->Buffer,
|
---|
| 2457 | pData->Loaded.FullDllName->Length / sizeof(WCHAR));
|
---|
| 2458 | if (RT_FAILURE(rc))
|
---|
| 2459 | {
|
---|
| 2460 | supR3HardenedFatal("supR3HardenedDllNotificationCallback: RTNtPathFromWinUtf16Ex failed on '%.*ls': %Rrc\n",
|
---|
| 2461 | pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer, rc);
|
---|
| 2462 | return;
|
---|
| 2463 | }
|
---|
| 2464 |
|
---|
| 2465 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 2466 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 2467 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 2468 | InitializeObjectAttributes(&ObjAttr, &NtPathUniStr, OBJ_CASE_INSENSITIVE, hRootDir, NULL /*pSecDesc*/);
|
---|
| 2469 |
|
---|
| 2470 | NTSTATUS rcNt = NtCreateFile(&hFile,
|
---|
| 2471 | FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
|
---|
| 2472 | &ObjAttr,
|
---|
| 2473 | &Ios,
|
---|
| 2474 | NULL /* Allocation Size*/,
|
---|
| 2475 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 2476 | FILE_SHARE_READ,
|
---|
| 2477 | FILE_OPEN,
|
---|
| 2478 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
| 2479 | NULL /*EaBuffer*/,
|
---|
| 2480 | 0 /*EaLength*/);
|
---|
| 2481 | if (NT_SUCCESS(rcNt))
|
---|
| 2482 | rcNt = Ios.Status;
|
---|
| 2483 | if (!NT_SUCCESS(rcNt))
|
---|
| 2484 | {
|
---|
| 2485 | supR3HardenedFatal("supR3HardenedDllNotificationCallback: NtCreateFile failed on '%.*ls' / '%.*ls': %#x\n",
|
---|
| 2486 | pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
|
---|
| 2487 | NtPathUniStr.Length / sizeof(WCHAR), NtPathUniStr.Buffer, rcNt);
|
---|
[62677] | 2488 | /* not reached */
|
---|
[52953] | 2489 | }
|
---|
| 2490 |
|
---|
| 2491 | /* Do the screening. */
|
---|
| 2492 | ULONG fAccess = 0;
|
---|
| 2493 | ULONG fProtect = 0;
|
---|
| 2494 | bool fCallRealApi = false;
|
---|
| 2495 | bool fQuietFailure = false;
|
---|
[53220] | 2496 | rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, true /*fIgnoreArch*/, &fAccess, &fProtect, &fCallRealApi,
|
---|
[52953] | 2497 | "LdrLoadDll", true /*fAvoidWinVerifyTrust*/, &fQuietFailure);
|
---|
| 2498 | NtClose(hFile);
|
---|
| 2499 | if (!NT_SUCCESS(rcNt))
|
---|
| 2500 | {
|
---|
| 2501 | supR3HardenedFatal("supR3HardenedDllNotificationCallback: supR3HardenedScreenImage failed on '%.*ls' / '%.*ls': %#x\n",
|
---|
| 2502 | pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
|
---|
| 2503 | NtPathUniStr.Length / sizeof(WCHAR), NtPathUniStr.Buffer, rcNt);
|
---|
[62677] | 2504 | /* not reached */
|
---|
[52953] | 2505 | }
|
---|
| 2506 | RTNtPathFree(&NtPathUniStr, &hRootDir);
|
---|
| 2507 | }
|
---|
| 2508 | /*
|
---|
| 2509 | * Log the unload call.
|
---|
| 2510 | */
|
---|
| 2511 | else if (ulReason == LDR_DLL_NOTIFICATION_REASON_UNLOADED)
|
---|
| 2512 | {
|
---|
| 2513 | SUP_DPRINTF(("supR3HardenedDllNotificationCallback: Unload %p LB %#010x %.*ls [flags=%#x]\n",
|
---|
| 2514 | pData->Unloaded.DllBase, pData->Unloaded.SizeOfImage,
|
---|
| 2515 | pData->Unloaded.FullDllName->Length / sizeof(WCHAR), pData->Unloaded.FullDllName->Buffer,
|
---|
| 2516 | pData->Unloaded.Flags));
|
---|
| 2517 | }
|
---|
| 2518 | /*
|
---|
| 2519 | * Just log things we don't know and then return without caching anything.
|
---|
| 2520 | */
|
---|
| 2521 | else
|
---|
| 2522 | {
|
---|
| 2523 | static uint32_t s_cLogEntries = 0;
|
---|
| 2524 | if (s_cLogEntries++ < 32)
|
---|
| 2525 | SUP_DPRINTF(("supR3HardenedDllNotificationCallback: ulReason=%u pData=%p\n", ulReason, pData));
|
---|
| 2526 | return;
|
---|
| 2527 | }
|
---|
| 2528 |
|
---|
| 2529 | /*
|
---|
| 2530 | * Use this opportunity to make sure our NtDll patches are still in place,
|
---|
| 2531 | * since they may be replaced by indecent protection software solutions.
|
---|
| 2532 | */
|
---|
| 2533 | supR3HardenedWinReInstallHooks(false /*fFirstCall */);
|
---|
| 2534 | }
|
---|
| 2535 |
|
---|
| 2536 |
|
---|
| 2537 | /**
|
---|
| 2538 | * Registers the DLL notification callback if it hasn't already been registered.
|
---|
| 2539 | */
|
---|
| 2540 | static void supR3HardenedWinRegisterDllNotificationCallback(void)
|
---|
| 2541 | {
|
---|
| 2542 | /*
|
---|
| 2543 | * The notification API was added in Vista, so it's an optional (weak) import.
|
---|
| 2544 | */
|
---|
| 2545 | if ( LdrRegisterDllNotification != NULL
|
---|
| 2546 | && g_cDllNotificationRegistered <= 0
|
---|
| 2547 | && g_cDllNotificationRegistered > -32)
|
---|
| 2548 | {
|
---|
| 2549 | NTSTATUS rcNt = LdrRegisterDllNotification(0, supR3HardenedDllNotificationCallback, NULL, &g_pvDllNotificationCookie);
|
---|
| 2550 | if (NT_SUCCESS(rcNt))
|
---|
| 2551 | {
|
---|
| 2552 | SUP_DPRINTF(("Registered Dll notification callback with NTDLL.\n"));
|
---|
| 2553 | g_cDllNotificationRegistered = 1;
|
---|
| 2554 | }
|
---|
| 2555 | else
|
---|
| 2556 | {
|
---|
| 2557 | supR3HardenedError(rcNt, false /*fFatal*/, "LdrRegisterDllNotification failed: %#x\n", rcNt);
|
---|
| 2558 | g_cDllNotificationRegistered--;
|
---|
| 2559 | }
|
---|
| 2560 | }
|
---|
| 2561 | }
|
---|
| 2562 |
|
---|
| 2563 |
|
---|
[80212] | 2564 | /**
|
---|
| 2565 | * Dummy replacement routine we use for passifying unwanted user APC
|
---|
| 2566 | * callbacks during early process initialization.
|
---|
| 2567 | *
|
---|
| 2568 | * @sa supR3HardenedMonitor_KiUserApcDispatcher_C
|
---|
| 2569 | */
|
---|
| 2570 | static VOID NTAPI supR3HardenedWinDummyApcRoutine(PVOID pvArg1, PVOID pvArg2, PVOID pvArg3)
|
---|
| 2571 | {
|
---|
| 2572 | SUP_DPRINTF(("supR3HardenedWinDummyApcRoutine: pvArg1=%p pvArg2=%p pvArg3=%p\n", pvArg1, pvArg2, pvArg3));
|
---|
| 2573 | RT_NOREF(pvArg1, pvArg2, pvArg3);
|
---|
| 2574 | }
|
---|
| 2575 |
|
---|
| 2576 |
|
---|
| 2577 | /**
|
---|
| 2578 | * This is called when ntdll!KiUserApcDispatcher is invoked (via
|
---|
| 2579 | * supR3HardenedMonitor_KiUserApcDispatcher).
|
---|
| 2580 | *
|
---|
| 2581 | * The parent process hooks KiUserApcDispatcher before the guest starts
|
---|
| 2582 | * executing. There should only be one APC request dispatched while the process
|
---|
| 2583 | * is being initialized, and that's the one calling ntdll!LdrInitializeThunk.
|
---|
| 2584 | *
|
---|
| 2585 | * @returns Where to go to run the original code.
|
---|
| 2586 | * @param pvApcArgs The APC dispatcher arguments.
|
---|
| 2587 | */
|
---|
| 2588 | DECLASM(uintptr_t) supR3HardenedMonitor_KiUserApcDispatcher_C(void *pvApcArgs)
|
---|
| 2589 | {
|
---|
| 2590 | #ifdef RT_ARCH_AMD64
|
---|
| 2591 | PCONTEXT pCtx = (PCONTEXT)pvApcArgs;
|
---|
| 2592 | uintptr_t *ppfnRoutine = (uintptr_t *)&pCtx->P4Home;
|
---|
| 2593 | #else
|
---|
| 2594 | struct X86APCCTX
|
---|
| 2595 | {
|
---|
| 2596 | uintptr_t pfnRoutine;
|
---|
| 2597 | uintptr_t pvCtx;
|
---|
| 2598 | uintptr_t pvUser1;
|
---|
| 2599 | uintptr_t pvUser2;
|
---|
| 2600 | CONTEXT Ctx;
|
---|
| 2601 | } *pCtx = (struct X86APCCTX *)pvApcArgs;
|
---|
| 2602 | uintptr_t *ppfnRoutine = &pCtx->pfnRoutine;
|
---|
| 2603 | #endif
|
---|
| 2604 | uintptr_t pfnRoutine = *ppfnRoutine;
|
---|
| 2605 |
|
---|
| 2606 | if (g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED)
|
---|
| 2607 | {
|
---|
| 2608 | if (pfnRoutine == g_pfnLdrInitializeThunk) /* Note! we could use this to detect thread creation too. */
|
---|
| 2609 | SUP_DPRINTF(("supR3HardenedMonitor_KiUserApcDispatcher_C: pfnRoutine=%p enmState=%d - okay\n",
|
---|
| 2610 | pfnRoutine, g_enmSupR3HardenedMainState));
|
---|
| 2611 | else
|
---|
| 2612 | {
|
---|
| 2613 | *ppfnRoutine = (uintptr_t)supR3HardenedWinDummyApcRoutine;
|
---|
| 2614 | SUP_DPRINTF(("supR3HardenedMonitor_KiUserApcDispatcher_C: pfnRoutine=%p enmState=%d -> supR3HardenedWinDummyApcRoutine\n",
|
---|
| 2615 | pfnRoutine, g_enmSupR3HardenedMainState));
|
---|
| 2616 | }
|
---|
| 2617 | }
|
---|
| 2618 | return (uintptr_t)g_pfnKiUserApcDispatcherReal;
|
---|
| 2619 | }
|
---|
| 2620 |
|
---|
| 2621 |
|
---|
[81118] | 2622 | /**
|
---|
| 2623 | * SUP_DPRINTF on pCtx, with lead-in text.
|
---|
| 2624 | */
|
---|
| 2625 | static void supR3HardNtDprintCtx(PCONTEXT pCtx, const char *pszLeadIn)
|
---|
| 2626 | {
|
---|
| 2627 | #ifdef RT_ARCH_AMD64
|
---|
| 2628 | SUP_DPRINTF(("%s\n"
|
---|
| 2629 | " rax=%016RX64 rbx=%016RX64 rcx=%016RX64 rdx=%016RX64\n"
|
---|
| 2630 | " rsi=%016RX64 rdi=%016RX64 r8 =%016RX64 r9 =%016RX64\n"
|
---|
| 2631 | " r10=%016RX64 r11=%016RX64 r12=%016RX64 r13=%016RX64\n"
|
---|
| 2632 | " r14=%016RX64 r15=%016RX64 P1=%016RX64 P2=%016RX64\n"
|
---|
| 2633 | " rip=%016RX64 rsp=%016RX64 rbp=%016RX64 ctxflags=%08x\n"
|
---|
| 2634 | " cs=%04x ss=%04x ds=%04x es=%04x fs=%04x gs=%04x eflags=%08x mxcrx=%08x\n"
|
---|
| 2635 | " P3=%016RX64 P4=%016RX64 P5=%016RX64 P6=%016RX64\n"
|
---|
| 2636 | " dr0=%016RX64 dr1=%016RX64 dr2=%016RX64 dr3=%016RX64\n"
|
---|
| 2637 | " dr6=%016RX64 dr7=%016RX64 vcr=%016RX64 dcr=%016RX64\n"
|
---|
| 2638 | " lbt=%016RX64 lbf=%016RX64 lxt=%016RX64 lxf=%016RX64\n"
|
---|
| 2639 | ,
|
---|
| 2640 | pszLeadIn,
|
---|
| 2641 | pCtx->Rax, pCtx->Rbx, pCtx->Rcx, pCtx->Rdx,
|
---|
| 2642 | pCtx->Rsi, pCtx->Rdi, pCtx->R8, pCtx->R9,
|
---|
| 2643 | pCtx->R10, pCtx->R11, pCtx->R12, pCtx->R13,
|
---|
| 2644 | pCtx->R14, pCtx->R15, pCtx->P1Home, pCtx->P2Home,
|
---|
| 2645 | pCtx->Rip, pCtx->Rsp, pCtx->Rbp, pCtx->ContextFlags,
|
---|
| 2646 | pCtx->SegCs, pCtx->SegSs, pCtx->SegDs, pCtx->SegEs, pCtx->SegFs, pCtx->SegGs, pCtx->EFlags, pCtx->MxCsr,
|
---|
| 2647 | pCtx->P3Home, pCtx->P4Home, pCtx->P5Home, pCtx->P6Home,
|
---|
| 2648 | pCtx->Dr0, pCtx->Dr1, pCtx->Dr2, pCtx->Dr3,
|
---|
| 2649 | pCtx->Dr6, pCtx->Dr7, pCtx->VectorControl, pCtx->DebugControl,
|
---|
| 2650 | pCtx->LastBranchToRip, pCtx->LastBranchFromRip, pCtx->LastExceptionToRip, pCtx->LastExceptionFromRip ));
|
---|
| 2651 | #elif defined(RT_ARCH_X86)
|
---|
| 2652 | SUP_DPRINTF(("%s\n"
|
---|
| 2653 | " eax=%08RX32 ebx=%08RX32 ecx=%08RX32 edx=%08RX32 esi=%08rx64 edi=%08RX32\n"
|
---|
| 2654 | " eip=%08RX32 esp=%08RX32 ebp=%08RX32 eflags=%08RX32\n"
|
---|
| 2655 | " cs=%04RX16 ds=%04RX16 es=%04RX16 fs=%04RX16 gs=%04RX16\n"
|
---|
| 2656 | " dr0=%08RX32 dr1=%08RX32 dr2=%08RX32 dr3=%08RX32 dr6=%08RX32 dr7=%08RX32\n",
|
---|
[85873] | 2657 | pszLeadIn,
|
---|
[81118] | 2658 | pCtx->Eax, pCtx->Ebx, pCtx->Ecx, pCtx->Edx, pCtx->Esi, pCtx->Edi,
|
---|
| 2659 | pCtx->Eip, pCtx->Esp, pCtx->Ebp, pCtx->EFlags,
|
---|
| 2660 | pCtx->SegCs, pCtx->SegDs, pCtx->SegEs, pCtx->SegFs, pCtx->SegGs,
|
---|
| 2661 | pCtx->Dr0, pCtx->Dr1, pCtx->Dr2, pCtx->Dr3, pCtx->Dr6, pCtx->Dr7));
|
---|
| 2662 | #else
|
---|
| 2663 | # error "Unsupported arch."
|
---|
| 2664 | #endif
|
---|
[85873] | 2665 | RT_NOREF(pCtx, pszLeadIn);
|
---|
[81118] | 2666 | }
|
---|
| 2667 |
|
---|
| 2668 |
|
---|
| 2669 | #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
|
---|
| 2670 | /**
|
---|
| 2671 | * This is called when ntdll!KiUserExceptionDispatcher is invoked (via
|
---|
| 2672 | * supR3HardenedMonitor_KiUserExceptionDispatcher).
|
---|
| 2673 | *
|
---|
| 2674 | * For 64-bit processes there is a return and two parameters on the stack.
|
---|
| 2675 | *
|
---|
| 2676 | * @returns Where to go to run the original code.
|
---|
| 2677 | * @param pXcptRec The exception record.
|
---|
| 2678 | * @param pCtx The exception context.
|
---|
| 2679 | */
|
---|
| 2680 | DECLASM(uintptr_t) supR3HardenedMonitor_KiUserExceptionDispatcher_C(PEXCEPTION_RECORD pXcptRec, PCONTEXT pCtx)
|
---|
| 2681 | {
|
---|
| 2682 | /*
|
---|
| 2683 | * Ignore the guard page violation.
|
---|
| 2684 | */
|
---|
| 2685 | if (pXcptRec->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION)
|
---|
| 2686 | return (uintptr_t)g_pfnKiUserExceptionDispatcherReal;
|
---|
| 2687 |
|
---|
| 2688 | /*
|
---|
| 2689 | * Log the exception and context.
|
---|
| 2690 | */
|
---|
| 2691 | char szLeadIn[384];
|
---|
| 2692 | if (pXcptRec->NumberParameters == 0)
|
---|
| 2693 | RTStrPrintf(szLeadIn, sizeof(szLeadIn), "KiUserExceptionDispatcher: %#x @ %p (flags=%#x)",
|
---|
| 2694 | pXcptRec->ExceptionCode, pXcptRec->ExceptionAddress, pXcptRec->ExceptionFlags);
|
---|
| 2695 | else if (pXcptRec->NumberParameters == 1)
|
---|
| 2696 | RTStrPrintf(szLeadIn, sizeof(szLeadIn), "KiUserExceptionDispatcher: %#x (%p) @ %p (flags=%#x)",
|
---|
| 2697 | pXcptRec->ExceptionCode, pXcptRec->ExceptionInformation[0],
|
---|
| 2698 | pXcptRec->ExceptionAddress, pXcptRec->ExceptionFlags);
|
---|
| 2699 | else if (pXcptRec->NumberParameters == 2)
|
---|
| 2700 | RTStrPrintf(szLeadIn, sizeof(szLeadIn), "KiUserExceptionDispatcher: %#x (%p, %p) @ %p (flags=%#x)",
|
---|
| 2701 | pXcptRec->ExceptionCode, pXcptRec->ExceptionInformation[0], pXcptRec->ExceptionInformation[1],
|
---|
| 2702 | pXcptRec->ExceptionAddress, pXcptRec->ExceptionFlags);
|
---|
| 2703 | else if (pXcptRec->NumberParameters == 3)
|
---|
| 2704 | RTStrPrintf(szLeadIn, sizeof(szLeadIn), "KiUserExceptionDispatcher: %#x (%p, %p, %p) @ %p (flags=%#x)",
|
---|
| 2705 | pXcptRec->ExceptionCode, pXcptRec->ExceptionInformation[0], pXcptRec->ExceptionInformation[1],
|
---|
| 2706 | pXcptRec->ExceptionInformation[2], pXcptRec->ExceptionAddress, pXcptRec->ExceptionFlags);
|
---|
| 2707 | else
|
---|
| 2708 | RTStrPrintf(szLeadIn, sizeof(szLeadIn), "KiUserExceptionDispatcher: %#x (#%u: %p, %p, %p, %p, %p, %p, %p, %p, ...) @ %p (flags=%#x)",
|
---|
| 2709 | pXcptRec->ExceptionCode, pXcptRec->NumberParameters,
|
---|
| 2710 | pXcptRec->ExceptionInformation[0], pXcptRec->ExceptionInformation[1],
|
---|
| 2711 | pXcptRec->ExceptionInformation[2], pXcptRec->ExceptionInformation[3],
|
---|
| 2712 | pXcptRec->ExceptionInformation[4], pXcptRec->ExceptionInformation[5],
|
---|
| 2713 | pXcptRec->ExceptionInformation[6], pXcptRec->ExceptionInformation[7],
|
---|
| 2714 | pXcptRec->ExceptionAddress, pXcptRec->ExceptionFlags);
|
---|
| 2715 | supR3HardNtDprintCtx(pCtx, szLeadIn);
|
---|
| 2716 |
|
---|
| 2717 | return (uintptr_t)g_pfnKiUserExceptionDispatcherReal;
|
---|
| 2718 | }
|
---|
| 2719 | #endif /* !VBOX_WITHOUT_HARDENDED_XCPT_LOGGING */
|
---|
| 2720 |
|
---|
| 2721 |
|
---|
[52403] | 2722 | static void supR3HardenedWinHookFailed(const char *pszWhich, uint8_t const *pbPrologue)
|
---|
| 2723 | {
|
---|
| 2724 | supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_NO_MEMORY,
|
---|
| 2725 | "Failed to install %s monitor: %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x\n "
|
---|
| 2726 | #ifdef RT_ARCH_X86
|
---|
| 2727 | "(It is also possible you are running 32-bit VirtualBox under 64-bit windows.)\n"
|
---|
| 2728 | #endif
|
---|
| 2729 | ,
|
---|
| 2730 | pszWhich,
|
---|
| 2731 | pbPrologue[0], pbPrologue[1], pbPrologue[2], pbPrologue[3],
|
---|
| 2732 | pbPrologue[4], pbPrologue[5], pbPrologue[6], pbPrologue[7],
|
---|
| 2733 | pbPrologue[8], pbPrologue[9], pbPrologue[10], pbPrologue[11],
|
---|
| 2734 | pbPrologue[12], pbPrologue[13], pbPrologue[14], pbPrologue[15]);
|
---|
| 2735 | }
|
---|
| 2736 |
|
---|
| 2737 |
|
---|
[51770] | 2738 | /**
|
---|
[52632] | 2739 | * IPRT thread that waits for the parent process to terminate and reacts by
|
---|
| 2740 | * exiting the current process.
|
---|
| 2741 | *
|
---|
| 2742 | * @returns VINF_SUCCESS
|
---|
| 2743 | * @param hSelf The current thread. Ignored.
|
---|
| 2744 | * @param pvUser The handle of the parent process.
|
---|
| 2745 | */
|
---|
| 2746 | static DECLCALLBACK(int) supR3HardenedWinParentWatcherThread(RTTHREAD hSelf, void *pvUser)
|
---|
| 2747 | {
|
---|
| 2748 | HANDLE hProcWait = (HANDLE)pvUser;
|
---|
| 2749 | NOREF(hSelf);
|
---|
| 2750 |
|
---|
| 2751 | /*
|
---|
| 2752 | * Wait for the parent to terminate.
|
---|
| 2753 | */
|
---|
| 2754 | NTSTATUS rcNt;
|
---|
| 2755 | for (;;)
|
---|
| 2756 | {
|
---|
| 2757 | rcNt = NtWaitForSingleObject(hProcWait, TRUE /*Alertable*/, NULL /*pTimeout*/);
|
---|
| 2758 | if ( rcNt == STATUS_WAIT_0
|
---|
| 2759 | || rcNt == STATUS_ABANDONED_WAIT_0)
|
---|
| 2760 | break;
|
---|
| 2761 | if ( rcNt != STATUS_TIMEOUT
|
---|
| 2762 | && rcNt != STATUS_USER_APC
|
---|
| 2763 | && rcNt != STATUS_ALERTED)
|
---|
| 2764 | supR3HardenedFatal("NtWaitForSingleObject returned %#x\n", rcNt);
|
---|
| 2765 | }
|
---|
| 2766 |
|
---|
| 2767 | /*
|
---|
| 2768 | * Proxy the termination code of the child, if it exited already.
|
---|
| 2769 | */
|
---|
| 2770 | PROCESS_BASIC_INFORMATION BasicInfo;
|
---|
| 2771 | NTSTATUS rcNt2 = NtQueryInformationProcess(hProcWait, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
|
---|
| 2772 | if ( !NT_SUCCESS(rcNt2)
|
---|
| 2773 | || BasicInfo.ExitStatus == STATUS_PENDING)
|
---|
| 2774 | BasicInfo.ExitStatus = RTEXITCODE_FAILURE;
|
---|
| 2775 |
|
---|
| 2776 | NtClose(hProcWait);
|
---|
| 2777 | SUP_DPRINTF(("supR3HardenedWinParentWatcherThread: Quitting: ExitCode=%#x rcNt=%#x\n", BasicInfo.ExitStatus, rcNt));
|
---|
| 2778 | suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
|
---|
[62677] | 2779 | /* not reached */
|
---|
[52632] | 2780 | }
|
---|
| 2781 |
|
---|
| 2782 |
|
---|
| 2783 | /**
|
---|
| 2784 | * Creates the parent watcher thread that will make sure this process exits when
|
---|
| 2785 | * the parent does.
|
---|
| 2786 | *
|
---|
| 2787 | * This is a necessary evil to make VBoxNetDhcp and VBoxNetNat termination from
|
---|
| 2788 | * Main work without too much new magic. It also makes Ctrl-C or similar work
|
---|
| 2789 | * in on the hardened processes in the windows console.
|
---|
| 2790 | *
|
---|
| 2791 | * @param hVBoxRT The VBoxRT.dll handle. We use RTThreadCreate to
|
---|
| 2792 | * spawn the thread to avoid duplicating thread
|
---|
| 2793 | * creation and thread naming code from IPRT.
|
---|
| 2794 | */
|
---|
| 2795 | DECLHIDDEN(void) supR3HardenedWinCreateParentWatcherThread(HMODULE hVBoxRT)
|
---|
| 2796 | {
|
---|
| 2797 | /*
|
---|
| 2798 | * Resolve runtime methods that we need.
|
---|
| 2799 | */
|
---|
| 2800 | PFNRTTHREADCREATE pfnRTThreadCreate = (PFNRTTHREADCREATE)GetProcAddress(hVBoxRT, "RTThreadCreate");
|
---|
| 2801 | SUPR3HARDENED_ASSERT(pfnRTThreadCreate != NULL);
|
---|
| 2802 |
|
---|
| 2803 | /*
|
---|
| 2804 | * Find the parent process ID.
|
---|
| 2805 | */
|
---|
| 2806 | PROCESS_BASIC_INFORMATION BasicInfo;
|
---|
| 2807 | NTSTATUS rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
|
---|
| 2808 | if (!NT_SUCCESS(rcNt))
|
---|
| 2809 | supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: NtQueryInformationProcess failed: %#x\n", rcNt);
|
---|
| 2810 |
|
---|
| 2811 | /*
|
---|
| 2812 | * Open the parent process for waiting and exitcode query.
|
---|
| 2813 | */
|
---|
| 2814 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 2815 | InitializeObjectAttributes(&ObjAttr, NULL, 0, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 2816 |
|
---|
| 2817 | CLIENT_ID ClientId;
|
---|
| 2818 | ClientId.UniqueProcess = (HANDLE)BasicInfo.InheritedFromUniqueProcessId;
|
---|
| 2819 | ClientId.UniqueThread = NULL;
|
---|
[52633] | 2820 |
|
---|
[52632] | 2821 | HANDLE hParent;
|
---|
| 2822 | rcNt = NtOpenProcess(&hParent, SYNCHRONIZE | PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
|
---|
| 2823 | if (!NT_SUCCESS(rcNt))
|
---|
[52633] | 2824 | supR3HardenedFatalMsg("supR3HardenedWinCreateParentWatcherThread", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
|
---|
[52632] | 2825 | "NtOpenProcess(%p.0) failed: %#x\n", ClientId.UniqueProcess, rcNt);
|
---|
| 2826 |
|
---|
| 2827 | /*
|
---|
| 2828 | * Create the thread that should do the waiting.
|
---|
| 2829 | */
|
---|
| 2830 | int rc = pfnRTThreadCreate(NULL, supR3HardenedWinParentWatcherThread, hParent, _64K /* stack */,
|
---|
| 2831 | RTTHREADTYPE_DEFAULT, 0 /*fFlags*/, "ParentWatcher");
|
---|
| 2832 | if (RT_FAILURE(rc))
|
---|
| 2833 | supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: RTThreadCreate failed: %Rrc\n", rc);
|
---|
| 2834 | }
|
---|
| 2835 |
|
---|
| 2836 |
|
---|
| 2837 | /**
|
---|
[52954] | 2838 | * Checks if the calling thread is the only one in the process.
|
---|
| 2839 | *
|
---|
| 2840 | * @returns true if we're positive we're alone, false if not.
|
---|
| 2841 | */
|
---|
[85121] | 2842 | static bool supR3HardenedWinAmIAlone(void) RT_NOTHROW_DEF
|
---|
[52954] | 2843 | {
|
---|
| 2844 | ULONG fAmIAlone = 0;
|
---|
| 2845 | ULONG cbIgn = 0;
|
---|
| 2846 | NTSTATUS rcNt = NtQueryInformationThread(NtCurrentThread(), ThreadAmILastThread, &fAmIAlone, sizeof(fAmIAlone), &cbIgn);
|
---|
| 2847 | Assert(NT_SUCCESS(rcNt));
|
---|
| 2848 | return NT_SUCCESS(rcNt) && fAmIAlone != 0;
|
---|
| 2849 | }
|
---|
| 2850 |
|
---|
| 2851 |
|
---|
| 2852 | /**
|
---|
[52940] | 2853 | * Simplify NtProtectVirtualMemory interface.
|
---|
| 2854 | *
|
---|
| 2855 | * Modifies protection for the current process. Caller must know the current
|
---|
| 2856 | * protection as it's not returned.
|
---|
| 2857 | *
|
---|
| 2858 | * @returns NT status code.
|
---|
| 2859 | * @param pvMem The memory to change protection for.
|
---|
| 2860 | * @param cbMem The amount of memory to change.
|
---|
| 2861 | * @param fNewProt The new protection.
|
---|
| 2862 | */
|
---|
[85121] | 2863 | static NTSTATUS supR3HardenedWinProtectMemory(PVOID pvMem, SIZE_T cbMem, ULONG fNewProt) RT_NOTHROW_DEF
|
---|
[52940] | 2864 | {
|
---|
| 2865 | ULONG fOldProt = 0;
|
---|
| 2866 | return NtProtectVirtualMemory(NtCurrentProcess(), &pvMem, &cbMem, fNewProt, &fOldProt);
|
---|
| 2867 | }
|
---|
| 2868 |
|
---|
| 2869 |
|
---|
| 2870 | /**
|
---|
[52953] | 2871 | * Installs or reinstalls the NTDLL patches.
|
---|
| 2872 | */
|
---|
[85121] | 2873 | static void supR3HardenedWinReInstallHooks(bool fFirstCall) RT_NOTHROW_DEF
|
---|
[52953] | 2874 | {
|
---|
| 2875 | struct
|
---|
| 2876 | {
|
---|
| 2877 | size_t cbPatch;
|
---|
| 2878 | uint8_t const *pabPatch;
|
---|
| 2879 | uint8_t **ppbApi;
|
---|
| 2880 | const char *pszName;
|
---|
| 2881 | } const s_aPatches[] =
|
---|
| 2882 | {
|
---|
[81118] | 2883 | { sizeof(g_abNtCreateSectionPatch), g_abNtCreateSectionPatch, &g_pbNtCreateSection, "NtCreateSection" },
|
---|
| 2884 | { sizeof(g_abLdrLoadDllPatch), g_abLdrLoadDllPatch, &g_pbLdrLoadDll, "LdrLoadDll" },
|
---|
| 2885 | { sizeof(g_abKiUserApcDispatcherPatch), g_abKiUserApcDispatcherPatch, &g_pbKiUserApcDispatcher, "KiUserApcDispatcher" },
|
---|
| 2886 | #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
|
---|
| 2887 | { sizeof(g_abKiUserExceptionDispatcherPatch), g_abKiUserExceptionDispatcherPatch, &g_pbKiUserExceptionDispatcher, "KiUserExceptionDispatcher" },
|
---|
| 2888 | #endif
|
---|
[52953] | 2889 | };
|
---|
| 2890 |
|
---|
| 2891 | ULONG fAmIAlone = ~(ULONG)0;
|
---|
| 2892 |
|
---|
| 2893 | for (uint32_t i = 0; i < RT_ELEMENTS(s_aPatches); i++)
|
---|
| 2894 | {
|
---|
| 2895 | uint8_t *pbApi = *s_aPatches[i].ppbApi;
|
---|
| 2896 | if (memcmp(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch) != 0)
|
---|
| 2897 | {
|
---|
| 2898 | /*
|
---|
| 2899 | * Log the incident if it's not the initial call.
|
---|
| 2900 | */
|
---|
| 2901 | static uint32_t volatile s_cTimes = 0;
|
---|
| 2902 | if (!fFirstCall && s_cTimes < 128)
|
---|
| 2903 | {
|
---|
| 2904 | s_cTimes++;
|
---|
| 2905 | SUP_DPRINTF(("supR3HardenedWinReInstallHooks: Reinstalling %s (%p: %.*Rhxs).\n",
|
---|
| 2906 | s_aPatches[i].pszName, pbApi, s_aPatches[i].cbPatch, pbApi));
|
---|
| 2907 | }
|
---|
| 2908 |
|
---|
| 2909 | Assert(s_aPatches[i].cbPatch >= 4);
|
---|
| 2910 |
|
---|
| 2911 | SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READWRITE));
|
---|
| 2912 |
|
---|
| 2913 | /*
|
---|
| 2914 | * If we're alone, just memcpy the patch in.
|
---|
| 2915 | */
|
---|
| 2916 |
|
---|
| 2917 | if (fAmIAlone == ~(ULONG)0)
|
---|
[52954] | 2918 | fAmIAlone = supR3HardenedWinAmIAlone();
|
---|
[52953] | 2919 | if (fAmIAlone)
|
---|
| 2920 | memcpy(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch);
|
---|
| 2921 | else
|
---|
| 2922 | {
|
---|
| 2923 | /*
|
---|
| 2924 | * Not alone. Start by injecting a JMP $-2, then waste some
|
---|
| 2925 | * CPU cycles to get the other threads a good chance of getting
|
---|
| 2926 | * out of the code before we replace it.
|
---|
| 2927 | */
|
---|
| 2928 | RTUINT32U uJmpDollarMinus;
|
---|
| 2929 | uJmpDollarMinus.au8[0] = 0xeb;
|
---|
| 2930 | uJmpDollarMinus.au8[1] = 0xfe;
|
---|
| 2931 | uJmpDollarMinus.au8[2] = pbApi[2];
|
---|
| 2932 | uJmpDollarMinus.au8[3] = pbApi[3];
|
---|
| 2933 | ASMAtomicXchgU32((uint32_t volatile *)pbApi, uJmpDollarMinus.u);
|
---|
| 2934 |
|
---|
| 2935 | NtYieldExecution();
|
---|
| 2936 | NtYieldExecution();
|
---|
| 2937 |
|
---|
| 2938 | /* Copy in the tail bytes of the patch, then xchg the jmp $-2. */
|
---|
| 2939 | if (s_aPatches[i].cbPatch > 4)
|
---|
| 2940 | memcpy(&pbApi[4], &s_aPatches[i].pabPatch[4], s_aPatches[i].cbPatch - 4);
|
---|
| 2941 | ASMAtomicXchgU32((uint32_t volatile *)pbApi, *(uint32_t *)s_aPatches[i].pabPatch);
|
---|
| 2942 | }
|
---|
| 2943 |
|
---|
| 2944 | SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READ));
|
---|
| 2945 | }
|
---|
| 2946 | }
|
---|
| 2947 | }
|
---|
| 2948 |
|
---|
| 2949 |
|
---|
| 2950 | /**
|
---|
[51770] | 2951 | * Install hooks for intercepting calls dealing with mapping shared libraries
|
---|
| 2952 | * into the process.
|
---|
| 2953 | *
|
---|
| 2954 | * This allows us to prevent undesirable shared libraries from being loaded.
|
---|
| 2955 | *
|
---|
| 2956 | * @remarks We assume we're alone in this process, so no seralizing trickery is
|
---|
| 2957 | * necessary when installing the patch.
|
---|
[52403] | 2958 | *
|
---|
| 2959 | * @remarks We would normally just copy the prologue sequence somewhere and add
|
---|
| 2960 | * a jump back at the end of it. But because we wish to avoid
|
---|
| 2961 | * allocating executable memory, we need to have preprepared assembly
|
---|
| 2962 | * "copies". This makes the non-system call patching a little tedious
|
---|
| 2963 | * and inflexible.
|
---|
[51770] | 2964 | */
|
---|
[52953] | 2965 | static void supR3HardenedWinInstallHooks(void)
|
---|
[51770] | 2966 | {
|
---|
[52092] | 2967 | NTSTATUS rcNt;
|
---|
| 2968 |
|
---|
[51770] | 2969 | /*
|
---|
[52092] | 2970 | * Disable hard error popups so we can quietly refuse images to be loaded.
|
---|
| 2971 | */
|
---|
| 2972 | ULONG fHardErr = 0;
|
---|
| 2973 | rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessDefaultHardErrorMode, &fHardErr, sizeof(fHardErr), NULL);
|
---|
| 2974 | if (!NT_SUCCESS(rcNt))
|
---|
| 2975 | supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
|
---|
| 2976 | "NtQueryInformationProcess/ProcessDefaultHardErrorMode failed: %#x\n", rcNt);
|
---|
| 2977 | if (fHardErr & PROCESS_HARDERR_CRITICAL_ERROR)
|
---|
| 2978 | {
|
---|
| 2979 | fHardErr &= ~PROCESS_HARDERR_CRITICAL_ERROR;
|
---|
| 2980 | rcNt = NtSetInformationProcess(NtCurrentProcess(), ProcessDefaultHardErrorMode, &fHardErr, sizeof(fHardErr));
|
---|
| 2981 | if (!NT_SUCCESS(rcNt))
|
---|
| 2982 | supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
|
---|
| 2983 | "NtSetInformationProcess/ProcessDefaultHardErrorMode failed: %#x\n", rcNt);
|
---|
| 2984 | }
|
---|
| 2985 |
|
---|
| 2986 | /*
|
---|
[52403] | 2987 | * Locate the routines first so we can allocate memory that's near enough.
|
---|
[51770] | 2988 | */
|
---|
[52795] | 2989 | PFNRT pfnNtCreateSection = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtCreateSection");
|
---|
[51770] | 2990 | SUPR3HARDENED_ASSERT(pfnNtCreateSection != NULL);
|
---|
[52403] | 2991 | //SUPR3HARDENED_ASSERT(pfnNtCreateSection == (FARPROC)NtCreateSection);
|
---|
[51770] | 2992 |
|
---|
[52795] | 2993 | PFNRT pfnLdrLoadDll = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "LdrLoadDll");
|
---|
[52403] | 2994 | SUPR3HARDENED_ASSERT(pfnLdrLoadDll != NULL);
|
---|
| 2995 | //SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
|
---|
[51770] | 2996 |
|
---|
[80212] | 2997 | PFNRT pfnKiUserApcDispatcher = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "KiUserApcDispatcher");
|
---|
| 2998 | SUPR3HARDENED_ASSERT(pfnKiUserApcDispatcher != NULL);
|
---|
| 2999 | g_pfnLdrInitializeThunk = (uintptr_t)supR3HardenedWinGetRealDllSymbol("ntdll.dll", "LdrInitializeThunk");
|
---|
| 3000 | SUPR3HARDENED_ASSERT(g_pfnLdrInitializeThunk != NULL);
|
---|
| 3001 |
|
---|
[81118] | 3002 | #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
|
---|
| 3003 | PFNRT pfnKiUserExceptionDispatcher = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "KiUserExceptionDispatcher");
|
---|
| 3004 | SUPR3HARDENED_ASSERT(pfnKiUserExceptionDispatcher != NULL);
|
---|
| 3005 | #endif
|
---|
| 3006 |
|
---|
[51770] | 3007 | /*
|
---|
[52967] | 3008 | * Exec page setup & management.
|
---|
[51770] | 3009 | */
|
---|
[52967] | 3010 | uint32_t offExecPage = 0;
|
---|
| 3011 | memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
|
---|
[51770] | 3012 |
|
---|
| 3013 | /*
|
---|
[52403] | 3014 | * Hook #1 - NtCreateSection.
|
---|
| 3015 | * Purpose: Validate everything that can be mapped into the process before
|
---|
| 3016 | * it's mapped and we still have a file handle to work with.
|
---|
| 3017 | */
|
---|
| 3018 | uint8_t * const pbNtCreateSection = (uint8_t *)(uintptr_t)pfnNtCreateSection;
|
---|
[52953] | 3019 | g_pbNtCreateSection = pbNtCreateSection;
|
---|
| 3020 | memcpy(g_abNtCreateSectionPatch, pbNtCreateSection, sizeof(g_abNtCreateSectionPatch));
|
---|
[52403] | 3021 |
|
---|
[52967] | 3022 | g_pfnNtCreateSectionReal = NtCreateSection; /* our direct syscall */
|
---|
| 3023 |
|
---|
[52403] | 3024 | #ifdef RT_ARCH_AMD64
|
---|
| 3025 | /*
|
---|
[51770] | 3026 | * Patch 64-bit hosts.
|
---|
| 3027 | */
|
---|
| 3028 | /* Pattern #1: XP64/W2K3-64 thru Windows 8.1
|
---|
| 3029 | 0:000> u ntdll!NtCreateSection
|
---|
| 3030 | ntdll!NtCreateSection:
|
---|
| 3031 | 00000000`779f1750 4c8bd1 mov r10,rcx
|
---|
| 3032 | 00000000`779f1753 b847000000 mov eax,47h
|
---|
| 3033 | 00000000`779f1758 0f05 syscall
|
---|
| 3034 | 00000000`779f175a c3 ret
|
---|
| 3035 | 00000000`779f175b 0f1f440000 nop dword ptr [rax+rax]
|
---|
| 3036 | The variant is the value loaded into eax: W2K3=??, Vista=47h?, W7=47h, W80=48h, W81=49h */
|
---|
| 3037 |
|
---|
[52953] | 3038 | /* Assemble the patch. */
|
---|
[52967] | 3039 | g_abNtCreateSectionPatch[0] = 0x48; /* mov rax, qword */
|
---|
| 3040 | g_abNtCreateSectionPatch[1] = 0xb8;
|
---|
| 3041 | *(uint64_t *)&g_abNtCreateSectionPatch[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection;
|
---|
| 3042 | g_abNtCreateSectionPatch[10] = 0xff; /* jmp rax */
|
---|
| 3043 | g_abNtCreateSectionPatch[11] = 0xe0;
|
---|
[52940] | 3044 |
|
---|
[51770] | 3045 | #else
|
---|
| 3046 | /*
|
---|
| 3047 | * Patch 32-bit hosts.
|
---|
| 3048 | */
|
---|
| 3049 | /* Pattern #1: XP thru Windows 7
|
---|
| 3050 | kd> u ntdll!NtCreateSection
|
---|
| 3051 | ntdll!NtCreateSection:
|
---|
| 3052 | 7c90d160 b832000000 mov eax,32h
|
---|
| 3053 | 7c90d165 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
|
---|
| 3054 | 7c90d16a ff12 call dword ptr [edx]
|
---|
| 3055 | 7c90d16c c21c00 ret 1Ch
|
---|
| 3056 | 7c90d16f 90 nop
|
---|
| 3057 | The variable bit is the value loaded into eax: XP=32h, W2K3=34h, Vista=4bh, W7=54h
|
---|
| 3058 |
|
---|
| 3059 | Pattern #2: Windows 8.1
|
---|
| 3060 | 0:000:x86> u ntdll_6a0f0000!NtCreateSection
|
---|
| 3061 | ntdll_6a0f0000!NtCreateSection:
|
---|
| 3062 | 6a15eabc b854010000 mov eax,154h
|
---|
| 3063 | 6a15eac1 e803000000 call ntdll_6a0f0000!NtCreateSection+0xd (6a15eac9)
|
---|
| 3064 | 6a15eac6 c21c00 ret 1Ch
|
---|
| 3065 | 6a15eac9 8bd4 mov edx,esp
|
---|
| 3066 | 6a15eacb 0f34 sysenter
|
---|
| 3067 | 6a15eacd c3 ret
|
---|
[52967] | 3068 | The variable bit is the value loaded into eax: W81=154h */
|
---|
[51770] | 3069 |
|
---|
[52953] | 3070 | /* Assemble the patch. */
|
---|
[52967] | 3071 | g_abNtCreateSectionPatch[0] = 0xe9; /* jmp rel32 */
|
---|
[52953] | 3072 | *(uint32_t *)&g_abNtCreateSectionPatch[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection
|
---|
| 3073 | - (uintptr_t)&pbNtCreateSection[1+4];
|
---|
[52967] | 3074 |
|
---|
[52403] | 3075 | #endif
|
---|
| 3076 |
|
---|
| 3077 | /*
|
---|
| 3078 | * Hook #2 - LdrLoadDll
|
---|
| 3079 | * Purpose: (a) Enforce LdrLoadDll search path constraints, and (b) pre-validate
|
---|
| 3080 | * DLLs so we can avoid calling WinVerifyTrust from the first hook,
|
---|
| 3081 | * and thus avoiding messing up the loader data on some installations.
|
---|
| 3082 | *
|
---|
| 3083 | * This differs from the above function in that is no a system call and
|
---|
| 3084 | * we're at the mercy of the compiler.
|
---|
| 3085 | */
|
---|
| 3086 | uint8_t * const pbLdrLoadDll = (uint8_t *)(uintptr_t)pfnLdrLoadDll;
|
---|
[52953] | 3087 | g_pbLdrLoadDll = pbLdrLoadDll;
|
---|
| 3088 | memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
|
---|
[52403] | 3089 |
|
---|
[52967] | 3090 | DISSTATE Dis;
|
---|
| 3091 | uint32_t cbInstr;
|
---|
| 3092 | uint32_t offJmpBack = 0;
|
---|
| 3093 |
|
---|
[52403] | 3094 | #ifdef RT_ARCH_AMD64
|
---|
| 3095 | /*
|
---|
| 3096 | * Patch 64-bit hosts.
|
---|
| 3097 | */
|
---|
[52967] | 3098 | /* Just use the disassembler to skip 12 bytes or more. */
|
---|
| 3099 | while (offJmpBack < 12)
|
---|
[52403] | 3100 | {
|
---|
| 3101 | cbInstr = 1;
|
---|
| 3102 | int rc = DISInstr(pbLdrLoadDll + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
|
---|
| 3103 | if ( RT_FAILURE(rc)
|
---|
| 3104 | || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW))
|
---|
[101542] | 3105 | || (Dis.x86.ModRM.Bits.Mod == 0 && Dis.x86.ModRM.Bits.Rm == 5 /* wrt RIP */) )
|
---|
[52403] | 3106 | supR3HardenedWinHookFailed("LdrLoadDll", pbLdrLoadDll);
|
---|
| 3107 | offJmpBack += cbInstr;
|
---|
| 3108 | }
|
---|
| 3109 |
|
---|
| 3110 | /* Assemble the code for resuming the call.*/
|
---|
| 3111 | *(PFNRT *)&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
|
---|
| 3112 |
|
---|
| 3113 | memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack);
|
---|
| 3114 | offExecPage += offJmpBack;
|
---|
| 3115 |
|
---|
| 3116 | g_abSupHardReadWriteExecPage[offExecPage++] = 0xff; /* jmp qword [$+8 wrt RIP] */
|
---|
| 3117 | g_abSupHardReadWriteExecPage[offExecPage++] = 0x25;
|
---|
| 3118 | *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = RT_ALIGN_32(offExecPage + 4, 8) - (offExecPage + 4);
|
---|
| 3119 | offExecPage = RT_ALIGN_32(offExecPage + 4, 8);
|
---|
| 3120 | *(uint64_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack];
|
---|
[65782] | 3121 | offExecPage = RT_ALIGN_32(offExecPage + 8, 16);
|
---|
[52403] | 3122 |
|
---|
[52953] | 3123 | /* Assemble the LdrLoadDll patch. */
|
---|
[52967] | 3124 | Assert(offJmpBack >= 12);
|
---|
| 3125 | g_abLdrLoadDllPatch[0] = 0x48; /* mov rax, qword */
|
---|
| 3126 | g_abLdrLoadDllPatch[1] = 0xb8;
|
---|
| 3127 | *(uint64_t *)&g_abLdrLoadDllPatch[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll;
|
---|
| 3128 | g_abLdrLoadDllPatch[10] = 0xff; /* jmp rax */
|
---|
| 3129 | g_abLdrLoadDllPatch[11] = 0xe0;
|
---|
[52403] | 3130 |
|
---|
| 3131 | #else
|
---|
| 3132 | /*
|
---|
| 3133 | * Patch 32-bit hosts.
|
---|
| 3134 | */
|
---|
[52967] | 3135 | /* Just use the disassembler to skip 5 bytes or more. */
|
---|
[52403] | 3136 | while (offJmpBack < 5)
|
---|
| 3137 | {
|
---|
| 3138 | cbInstr = 1;
|
---|
| 3139 | int rc = DISInstr(pbLdrLoadDll + offJmpBack, DISCPUMODE_32BIT, &Dis, &cbInstr);
|
---|
| 3140 | if ( RT_FAILURE(rc)
|
---|
| 3141 | || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW)) )
|
---|
| 3142 | supR3HardenedWinHookFailed("LdrLoadDll", pbLdrLoadDll);
|
---|
| 3143 | offJmpBack += cbInstr;
|
---|
| 3144 | }
|
---|
| 3145 |
|
---|
| 3146 | /* Assemble the code for resuming the call.*/
|
---|
| 3147 | *(PFNRT *)&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
|
---|
| 3148 |
|
---|
| 3149 | memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack);
|
---|
| 3150 | offExecPage += offJmpBack;
|
---|
| 3151 |
|
---|
[52967] | 3152 | g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
|
---|
[52403] | 3153 | *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack]
|
---|
| 3154 | - (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
|
---|
[65782] | 3155 | offExecPage = RT_ALIGN_32(offExecPage + 4, 16);
|
---|
[52403] | 3156 |
|
---|
[52953] | 3157 | /* Assemble the LdrLoadDll patch. */
|
---|
| 3158 | memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
|
---|
[52403] | 3159 | Assert(offJmpBack >= 5);
|
---|
[52953] | 3160 | g_abLdrLoadDllPatch[0] = 0xe9;
|
---|
| 3161 | *(uint32_t *)&g_abLdrLoadDllPatch[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll - (uintptr_t)&pbLdrLoadDll[1+4];
|
---|
[51770] | 3162 | #endif
|
---|
| 3163 |
|
---|
[52403] | 3164 | /*
|
---|
[80212] | 3165 | * Hook #3 - KiUserApcDispatcher
|
---|
| 3166 | * Purpose: Prevent user APC to memory we (or our parent) has freed from
|
---|
| 3167 | * crashing the process. Also ensures no code injection via user
|
---|
| 3168 | * APC during process init given the way we're vetting the APCs.
|
---|
| 3169 | *
|
---|
| 3170 | * This differs from the first function in that is no a system call and
|
---|
| 3171 | * we're at the mercy of the handwritten assembly.
|
---|
[80217] | 3172 | *
|
---|
| 3173 | * Note! We depend on all waits up past the patching to be non-altertable,
|
---|
| 3174 | * otherwise an APC might slip by us.
|
---|
[80212] | 3175 | */
|
---|
| 3176 | uint8_t * const pbKiUserApcDispatcher = (uint8_t *)(uintptr_t)pfnKiUserApcDispatcher;
|
---|
| 3177 | g_pbKiUserApcDispatcher = pbKiUserApcDispatcher;
|
---|
| 3178 | memcpy(g_abKiUserApcDispatcherPatch, pbKiUserApcDispatcher, sizeof(g_abKiUserApcDispatcherPatch));
|
---|
| 3179 |
|
---|
| 3180 | #ifdef RT_ARCH_AMD64
|
---|
| 3181 | /*
|
---|
| 3182 | * Patch 64-bit hosts.
|
---|
| 3183 | */
|
---|
| 3184 | /* Just use the disassembler to skip 12 bytes or more. */
|
---|
| 3185 | offJmpBack = 0;
|
---|
| 3186 | while (offJmpBack < 12)
|
---|
| 3187 | {
|
---|
| 3188 | cbInstr = 1;
|
---|
| 3189 | int rc = DISInstr(pbKiUserApcDispatcher + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
|
---|
| 3190 | if ( RT_FAILURE(rc)
|
---|
| 3191 | || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW))
|
---|
[101542] | 3192 | || (Dis.x86.ModRM.Bits.Mod == 0 && Dis.x86.ModRM.Bits.Rm == 5 /* wrt RIP */) )
|
---|
[80212] | 3193 | supR3HardenedWinHookFailed("KiUserApcDispatcher", pbKiUserApcDispatcher);
|
---|
| 3194 | offJmpBack += cbInstr;
|
---|
| 3195 | }
|
---|
| 3196 |
|
---|
| 3197 | /* Assemble the code for resuming the call.*/
|
---|
| 3198 | *(PFNRT *)&g_pfnKiUserApcDispatcherReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
|
---|
| 3199 |
|
---|
| 3200 | memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbKiUserApcDispatcher, offJmpBack);
|
---|
| 3201 | offExecPage += offJmpBack;
|
---|
| 3202 |
|
---|
| 3203 | g_abSupHardReadWriteExecPage[offExecPage++] = 0xff; /* jmp qword [$+8 wrt RIP] */
|
---|
| 3204 | g_abSupHardReadWriteExecPage[offExecPage++] = 0x25;
|
---|
| 3205 | *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = RT_ALIGN_32(offExecPage + 4, 8) - (offExecPage + 4);
|
---|
| 3206 | offExecPage = RT_ALIGN_32(offExecPage + 4, 8);
|
---|
| 3207 | *(uint64_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbKiUserApcDispatcher[offJmpBack];
|
---|
| 3208 | offExecPage = RT_ALIGN_32(offExecPage + 8, 16);
|
---|
| 3209 |
|
---|
| 3210 | /* Assemble the KiUserApcDispatcher patch. */
|
---|
| 3211 | Assert(offJmpBack >= 12);
|
---|
| 3212 | g_abKiUserApcDispatcherPatch[0] = 0x48; /* mov rax, qword */
|
---|
| 3213 | g_abKiUserApcDispatcherPatch[1] = 0xb8;
|
---|
| 3214 | *(uint64_t *)&g_abKiUserApcDispatcherPatch[2] = (uint64_t)supR3HardenedMonitor_KiUserApcDispatcher;
|
---|
| 3215 | g_abKiUserApcDispatcherPatch[10] = 0xff; /* jmp rax */
|
---|
| 3216 | g_abKiUserApcDispatcherPatch[11] = 0xe0;
|
---|
| 3217 |
|
---|
| 3218 | #else
|
---|
| 3219 | /*
|
---|
| 3220 | * Patch 32-bit hosts.
|
---|
| 3221 | */
|
---|
| 3222 | /* Just use the disassembler to skip 5 bytes or more. */
|
---|
| 3223 | offJmpBack = 0;
|
---|
| 3224 | while (offJmpBack < 5)
|
---|
| 3225 | {
|
---|
| 3226 | cbInstr = 1;
|
---|
| 3227 | int rc = DISInstr(pbKiUserApcDispatcher + offJmpBack, DISCPUMODE_32BIT, &Dis, &cbInstr);
|
---|
| 3228 | if ( RT_FAILURE(rc)
|
---|
| 3229 | || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW)) )
|
---|
| 3230 | supR3HardenedWinHookFailed("KiUserApcDispatcher", pbKiUserApcDispatcher);
|
---|
| 3231 | offJmpBack += cbInstr;
|
---|
| 3232 | }
|
---|
| 3233 |
|
---|
| 3234 | /* Assemble the code for resuming the call.*/
|
---|
| 3235 | *(PFNRT *)&g_pfnKiUserApcDispatcherReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
|
---|
| 3236 |
|
---|
| 3237 | memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbKiUserApcDispatcher, offJmpBack);
|
---|
| 3238 | offExecPage += offJmpBack;
|
---|
| 3239 |
|
---|
| 3240 | g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
|
---|
| 3241 | *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbKiUserApcDispatcher[offJmpBack]
|
---|
| 3242 | - (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
|
---|
| 3243 | offExecPage = RT_ALIGN_32(offExecPage + 4, 16);
|
---|
| 3244 |
|
---|
| 3245 | /* Assemble the KiUserApcDispatcher patch. */
|
---|
| 3246 | memcpy(g_abKiUserApcDispatcherPatch, pbKiUserApcDispatcher, sizeof(g_abKiUserApcDispatcherPatch));
|
---|
| 3247 | Assert(offJmpBack >= 5);
|
---|
| 3248 | g_abKiUserApcDispatcherPatch[0] = 0xe9;
|
---|
| 3249 | *(uint32_t *)&g_abKiUserApcDispatcherPatch[1] = (uintptr_t)supR3HardenedMonitor_KiUserApcDispatcher - (uintptr_t)&pbKiUserApcDispatcher[1+4];
|
---|
| 3250 | #endif
|
---|
| 3251 |
|
---|
[81118] | 3252 | #ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
|
---|
[80212] | 3253 | /*
|
---|
[81118] | 3254 | * Hook #4 - KiUserExceptionDispatcher
|
---|
| 3255 | * Purpose: Logging crashes.
|
---|
| 3256 | *
|
---|
| 3257 | * This differs from the first function in that is no a system call and
|
---|
| 3258 | * we're at the mercy of the handwritten assembly. This is not mandatory,
|
---|
| 3259 | * so we ignore failures here.
|
---|
| 3260 | */
|
---|
| 3261 | uint8_t * const pbKiUserExceptionDispatcher = (uint8_t *)(uintptr_t)pfnKiUserExceptionDispatcher;
|
---|
| 3262 | g_pbKiUserExceptionDispatcher = pbKiUserExceptionDispatcher;
|
---|
| 3263 | memcpy(g_abKiUserExceptionDispatcherPatch, pbKiUserExceptionDispatcher, sizeof(g_abKiUserExceptionDispatcherPatch));
|
---|
| 3264 |
|
---|
| 3265 | # ifdef RT_ARCH_AMD64
|
---|
| 3266 | /*
|
---|
| 3267 | * Patch 64-bit hosts.
|
---|
| 3268 | *
|
---|
| 3269 | * Assume the following sequence and replacing the loaded Wow64PrepareForException
|
---|
| 3270 | * function pointer with our callback:
|
---|
| 3271 | * cld
|
---|
| 3272 | * mov rax, Wow64PrepareForException ; Wow64PrepareForException(PCONTEXT, PEXCEPTION_RECORD)
|
---|
| 3273 | * test rax, rax
|
---|
| 3274 | * jz skip_wow64_callout
|
---|
| 3275 | * <do_callout_thru_rax>
|
---|
| 3276 | * (We're not a WOW64 process, so the callout should normally never happen.)
|
---|
| 3277 | */
|
---|
| 3278 | if ( pbKiUserExceptionDispatcher[ 0] == 0xfc /* CLD */
|
---|
| 3279 | && pbKiUserExceptionDispatcher[ 1] == 0x48 /* MOV RAX, symbol wrt rip */
|
---|
| 3280 | && pbKiUserExceptionDispatcher[ 2] == 0x8b
|
---|
| 3281 | && pbKiUserExceptionDispatcher[ 3] == 0x05
|
---|
| 3282 | && pbKiUserExceptionDispatcher[ 8] == 0x48 /* TEST RAX, RAX */
|
---|
| 3283 | && pbKiUserExceptionDispatcher[ 9] == 0x85
|
---|
| 3284 | && pbKiUserExceptionDispatcher[10] == 0xc0
|
---|
| 3285 | && pbKiUserExceptionDispatcher[11] == 0x74)
|
---|
| 3286 | {
|
---|
| 3287 | /* Assemble the KiUserExceptionDispatcher patch. */
|
---|
| 3288 | g_abKiUserExceptionDispatcherPatch[1] = 0x48; /* MOV RAX, supR3HardenedMonitor_KiUserExceptionDispatcher */
|
---|
| 3289 | g_abKiUserExceptionDispatcherPatch[2] = 0xb8;
|
---|
| 3290 | *(uint64_t *)&g_abKiUserExceptionDispatcherPatch[3] = (uint64_t)supR3HardenedMonitor_KiUserExceptionDispatcher;
|
---|
| 3291 | g_abKiUserExceptionDispatcherPatch[11] = 0x90; /* NOP (was JZ) */
|
---|
| 3292 | g_abKiUserExceptionDispatcherPatch[12] = 0x90; /* NOP (was DISP8 of JZ) */
|
---|
| 3293 | }
|
---|
| 3294 | else
|
---|
| 3295 | SUP_DPRINTF(("supR3HardenedWinInstallHooks: failed to patch KiUserExceptionDispatcher (%.20Rhxs)\n",
|
---|
| 3296 | pbKiUserExceptionDispatcher));
|
---|
| 3297 | # else
|
---|
| 3298 | /*
|
---|
| 3299 | * Patch 32-bit hosts.
|
---|
| 3300 | */
|
---|
| 3301 | /* Just use the disassembler to skip 5 bytes or more. */
|
---|
| 3302 | offJmpBack = 0;
|
---|
| 3303 | while (offJmpBack < 5)
|
---|
| 3304 | {
|
---|
| 3305 | cbInstr = 1;
|
---|
| 3306 | int rc = DISInstr(pbKiUserExceptionDispatcher + offJmpBack, DISCPUMODE_32BIT, &Dis, &cbInstr);
|
---|
| 3307 | if ( RT_FAILURE(rc)
|
---|
| 3308 | || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW)) )
|
---|
| 3309 | {
|
---|
| 3310 | SUP_DPRINTF(("supR3HardenedWinInstallHooks: failed to patch KiUserExceptionDispatcher (off %#x in %.20Rhxs)\n",
|
---|
| 3311 | offJmpBack, pbKiUserExceptionDispatcher));
|
---|
| 3312 | break;
|
---|
| 3313 | }
|
---|
| 3314 | offJmpBack += cbInstr;
|
---|
| 3315 | }
|
---|
| 3316 | if (offJmpBack >= 5)
|
---|
| 3317 | {
|
---|
| 3318 | /* Assemble the code for resuming the call.*/
|
---|
| 3319 | *(PFNRT *)&g_pfnKiUserExceptionDispatcherReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
|
---|
| 3320 |
|
---|
| 3321 | memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbKiUserExceptionDispatcher, offJmpBack);
|
---|
| 3322 | offExecPage += offJmpBack;
|
---|
| 3323 |
|
---|
| 3324 | g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
|
---|
| 3325 | *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbKiUserExceptionDispatcher[offJmpBack]
|
---|
| 3326 | - (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
|
---|
| 3327 | offExecPage = RT_ALIGN_32(offExecPage + 4, 16);
|
---|
| 3328 |
|
---|
| 3329 | /* Assemble the KiUserExceptionDispatcher patch. */
|
---|
| 3330 | memcpy(g_abKiUserExceptionDispatcherPatch, pbKiUserExceptionDispatcher, sizeof(g_abKiUserExceptionDispatcherPatch));
|
---|
| 3331 | Assert(offJmpBack >= 5);
|
---|
| 3332 | g_abKiUserExceptionDispatcherPatch[0] = 0xe9;
|
---|
| 3333 | *(uint32_t *)&g_abKiUserExceptionDispatcherPatch[1] = (uintptr_t)supR3HardenedMonitor_KiUserExceptionDispatcher - (uintptr_t)&pbKiUserExceptionDispatcher[1+4];
|
---|
| 3334 | }
|
---|
| 3335 | # endif
|
---|
| 3336 | #endif /* !VBOX_WITHOUT_HARDENDED_XCPT_LOGGING */
|
---|
| 3337 |
|
---|
| 3338 | /*
|
---|
[52403] | 3339 | * Seal the rwx page.
|
---|
| 3340 | */
|
---|
[52940] | 3341 | SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(g_abSupHardReadWriteExecPage, PAGE_SIZE, PAGE_EXECUTE_READ));
|
---|
[52953] | 3342 |
|
---|
| 3343 | /*
|
---|
| 3344 | * Install the patches.
|
---|
| 3345 | */
|
---|
| 3346 | supR3HardenedWinReInstallHooks(true /*fFirstCall*/);
|
---|
[51770] | 3347 | }
|
---|
| 3348 |
|
---|
| 3349 |
|
---|
[52969] | 3350 |
|
---|
| 3351 |
|
---|
| 3352 |
|
---|
| 3353 |
|
---|
| 3354 | /*
|
---|
| 3355 | *
|
---|
| 3356 | * T h r e a d c r e a t i o n c o n t r o l
|
---|
| 3357 | * T h r e a d c r e a t i o n c o n t r o l
|
---|
| 3358 | * T h r e a d c r e a t i o n c o n t r o l
|
---|
| 3359 | *
|
---|
| 3360 | */
|
---|
| 3361 |
|
---|
| 3362 |
|
---|
[51770] | 3363 | /**
|
---|
[52969] | 3364 | * Common code used for child and parent to make new threads exit immediately.
|
---|
| 3365 | *
|
---|
| 3366 | * This patches the LdrInitializeThunk code to call NtTerminateThread with
|
---|
| 3367 | * STATUS_SUCCESS instead of doing the NTDLL initialization.
|
---|
| 3368 | *
|
---|
| 3369 | * @returns VBox status code.
|
---|
| 3370 | * @param hProcess The process to do this to.
|
---|
| 3371 | * @param pvLdrInitThunk The address of the LdrInitializeThunk code to
|
---|
| 3372 | * override.
|
---|
| 3373 | * @param pvNtTerminateThread The address of the NtTerminateThread function in
|
---|
| 3374 | * the NTDLL instance we're patching. (Must be +/-
|
---|
| 3375 | * 2GB from the thunk code.)
|
---|
| 3376 | * @param pabBackup Where to back up the original instruction bytes
|
---|
| 3377 | * at pvLdrInitThunk.
|
---|
| 3378 | * @param cbBackup The size of the backup area. Must be 16 bytes.
|
---|
| 3379 | * @param pErrInfo Where to return extended error information.
|
---|
| 3380 | * Optional.
|
---|
| 3381 | */
|
---|
| 3382 | static int supR3HardNtDisableThreadCreationEx(HANDLE hProcess, void *pvLdrInitThunk, void *pvNtTerminateThread,
|
---|
| 3383 | uint8_t *pabBackup, size_t cbBackup, PRTERRINFO pErrInfo)
|
---|
| 3384 | {
|
---|
| 3385 | SUP_DPRINTF(("supR3HardNtDisableThreadCreation: pvLdrInitThunk=%p pvNtTerminateThread=%p\n", pvLdrInitThunk, pvNtTerminateThread));
|
---|
| 3386 | SUPR3HARDENED_ASSERT(cbBackup == 16);
|
---|
| 3387 | SUPR3HARDENED_ASSERT(RT_ABS((intptr_t)pvLdrInitThunk - (intptr_t)pvNtTerminateThread) < 16*_1M);
|
---|
| 3388 |
|
---|
| 3389 | /*
|
---|
| 3390 | * Back up the thunk code.
|
---|
| 3391 | */
|
---|
| 3392 | SIZE_T cbIgnored;
|
---|
| 3393 | NTSTATUS rcNt = NtReadVirtualMemory(hProcess, pvLdrInitThunk, pabBackup, cbBackup, &cbIgnored);
|
---|
| 3394 | if (!NT_SUCCESS(rcNt))
|
---|
| 3395 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
| 3396 | "supR3HardNtDisableThreadCreation: NtReadVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
|
---|
| 3397 |
|
---|
| 3398 | /*
|
---|
| 3399 | * Cook up replacement code that calls NtTerminateThread.
|
---|
| 3400 | */
|
---|
| 3401 | uint8_t abReplacement[16];
|
---|
| 3402 | memcpy(abReplacement, pabBackup, sizeof(abReplacement));
|
---|
| 3403 |
|
---|
| 3404 | #ifdef RT_ARCH_AMD64
|
---|
| 3405 | abReplacement[0] = 0x31; /* xor ecx, ecx */
|
---|
| 3406 | abReplacement[1] = 0xc9;
|
---|
| 3407 | abReplacement[2] = 0x31; /* xor edx, edx */
|
---|
| 3408 | abReplacement[3] = 0xd2;
|
---|
| 3409 | abReplacement[4] = 0xe8; /* call near NtTerminateThread */
|
---|
| 3410 | *(int32_t *)&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9));
|
---|
| 3411 | abReplacement[9] = 0xcc; /* int3 */
|
---|
| 3412 | #elif defined(RT_ARCH_X86)
|
---|
| 3413 | abReplacement[0] = 0x6a; /* push 0 */
|
---|
| 3414 | abReplacement[1] = 0x00;
|
---|
| 3415 | abReplacement[2] = 0x6a; /* push 0 */
|
---|
| 3416 | abReplacement[3] = 0x00;
|
---|
| 3417 | abReplacement[4] = 0xe8; /* call near NtTerminateThread */
|
---|
| 3418 | *(int32_t *)&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9));
|
---|
| 3419 | abReplacement[9] = 0xcc; /* int3 */
|
---|
| 3420 | #else
|
---|
| 3421 | # error "Unsupported arch."
|
---|
| 3422 | #endif
|
---|
| 3423 |
|
---|
| 3424 | /*
|
---|
| 3425 | * Install the replacment code.
|
---|
| 3426 | */
|
---|
| 3427 | PVOID pvProt = pvLdrInitThunk;
|
---|
| 3428 | SIZE_T cbProt = cbBackup;
|
---|
| 3429 | ULONG fOldProt = 0;
|
---|
| 3430 | rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
|
---|
| 3431 | if (!NT_SUCCESS(rcNt))
|
---|
| 3432 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
| 3433 | "supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
|
---|
| 3434 |
|
---|
| 3435 | rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, abReplacement, sizeof(abReplacement), &cbIgnored);
|
---|
| 3436 | if (!NT_SUCCESS(rcNt))
|
---|
| 3437 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
| 3438 | "supR3HardNtDisableThreadCreationEx: NtWriteVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
|
---|
| 3439 |
|
---|
| 3440 | pvProt = pvLdrInitThunk;
|
---|
| 3441 | cbProt = cbBackup;
|
---|
| 3442 | rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
|
---|
| 3443 | if (!NT_SUCCESS(rcNt))
|
---|
| 3444 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
| 3445 | "supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk/2 failed: %#x", rcNt);
|
---|
| 3446 |
|
---|
| 3447 | return VINF_SUCCESS;
|
---|
| 3448 | }
|
---|
| 3449 |
|
---|
| 3450 |
|
---|
| 3451 | /**
|
---|
| 3452 | * Undo the effects of supR3HardNtDisableThreadCreationEx.
|
---|
| 3453 | *
|
---|
| 3454 | * @returns VBox status code.
|
---|
| 3455 | * @param hProcess The process to do this to.
|
---|
| 3456 | * @param pvLdrInitThunk The address of the LdrInitializeThunk code to
|
---|
| 3457 | * override.
|
---|
| 3458 | * @param pabBackup Where to back up the original instruction bytes
|
---|
| 3459 | * at pvLdrInitThunk.
|
---|
| 3460 | * @param cbBackup The size of the backup area. Must be 16 bytes.
|
---|
| 3461 | * @param pErrInfo Where to return extended error information.
|
---|
| 3462 | * Optional.
|
---|
| 3463 | */
|
---|
| 3464 | static int supR3HardNtEnableThreadCreationEx(HANDLE hProcess, void *pvLdrInitThunk, uint8_t const *pabBackup, size_t cbBackup,
|
---|
| 3465 | PRTERRINFO pErrInfo)
|
---|
| 3466 | {
|
---|
[80212] | 3467 | SUP_DPRINTF(("supR3HardNtEnableThreadCreationEx:\n"));
|
---|
[52969] | 3468 | SUPR3HARDENED_ASSERT(cbBackup == 16);
|
---|
| 3469 |
|
---|
| 3470 | PVOID pvProt = pvLdrInitThunk;
|
---|
| 3471 | SIZE_T cbProt = cbBackup;
|
---|
| 3472 | ULONG fOldProt = 0;
|
---|
| 3473 | NTSTATUS rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
|
---|
| 3474 | if (!NT_SUCCESS(rcNt))
|
---|
| 3475 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
[80212] | 3476 | "supR3HardNtEnableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
|
---|
[52969] | 3477 |
|
---|
| 3478 | SIZE_T cbIgnored;
|
---|
| 3479 | rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, pabBackup, cbBackup, &cbIgnored);
|
---|
| 3480 | if (!NT_SUCCESS(rcNt))
|
---|
| 3481 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
[80212] | 3482 | "supR3HardNtEnableThreadCreationEx: NtWriteVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
|
---|
[52969] | 3483 | rcNt);
|
---|
| 3484 |
|
---|
| 3485 | pvProt = pvLdrInitThunk;
|
---|
| 3486 | cbProt = cbBackup;
|
---|
| 3487 | rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
|
---|
| 3488 | if (!NT_SUCCESS(rcNt))
|
---|
| 3489 | return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
[80212] | 3490 | "supR3HardNtEnableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
|
---|
[52969] | 3491 | rcNt);
|
---|
| 3492 |
|
---|
| 3493 | return VINF_SUCCESS;
|
---|
| 3494 | }
|
---|
| 3495 |
|
---|
| 3496 |
|
---|
| 3497 | /**
|
---|
| 3498 | * Disable thread creation for the current process.
|
---|
| 3499 | *
|
---|
| 3500 | * @remarks Doesn't really disables it, just makes the threads exit immediately
|
---|
| 3501 | * without executing any real code.
|
---|
| 3502 | */
|
---|
| 3503 | static void supR3HardenedWinDisableThreadCreation(void)
|
---|
| 3504 | {
|
---|
| 3505 | /* Cannot use the imported NtTerminateThread as it's pointing to our own
|
---|
| 3506 | syscall assembly code. */
|
---|
| 3507 | static PFNRT s_pfnNtTerminateThread = NULL;
|
---|
| 3508 | if (s_pfnNtTerminateThread == NULL)
|
---|
| 3509 | s_pfnNtTerminateThread = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtTerminateThread");
|
---|
| 3510 | SUPR3HARDENED_ASSERT(s_pfnNtTerminateThread);
|
---|
| 3511 |
|
---|
| 3512 | int rc = supR3HardNtDisableThreadCreationEx(NtCurrentProcess(),
|
---|
| 3513 | (void *)(uintptr_t)&LdrInitializeThunk,
|
---|
| 3514 | (void *)(uintptr_t)s_pfnNtTerminateThread,
|
---|
| 3515 | g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
|
---|
| 3516 | NULL /* pErrInfo*/);
|
---|
| 3517 | g_fSupInitThunkSelfPatched = RT_SUCCESS(rc);
|
---|
| 3518 | }
|
---|
| 3519 |
|
---|
| 3520 |
|
---|
| 3521 | /**
|
---|
| 3522 | * Undoes the effects of supR3HardenedWinDisableThreadCreation.
|
---|
| 3523 | */
|
---|
| 3524 | DECLHIDDEN(void) supR3HardenedWinEnableThreadCreation(void)
|
---|
| 3525 | {
|
---|
| 3526 | if (g_fSupInitThunkSelfPatched)
|
---|
| 3527 | {
|
---|
| 3528 | int rc = supR3HardNtEnableThreadCreationEx(NtCurrentProcess(),
|
---|
| 3529 | (void *)(uintptr_t)&LdrInitializeThunk,
|
---|
| 3530 | g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
|
---|
| 3531 | RTErrInfoInitStatic(&g_ErrInfoStatic));
|
---|
| 3532 | if (RT_FAILURE(rc))
|
---|
| 3533 | supR3HardenedError(rc, true /*fFatal*/, "%s", g_ErrInfoStatic.szMsg);
|
---|
| 3534 | g_fSupInitThunkSelfPatched = false;
|
---|
| 3535 | }
|
---|
| 3536 | }
|
---|
| 3537 |
|
---|
| 3538 |
|
---|
| 3539 |
|
---|
| 3540 |
|
---|
| 3541 | /*
|
---|
| 3542 | *
|
---|
| 3543 | * R e s p a w n
|
---|
| 3544 | * R e s p a w n
|
---|
| 3545 | * R e s p a w n
|
---|
| 3546 | *
|
---|
| 3547 | */
|
---|
| 3548 |
|
---|
| 3549 |
|
---|
| 3550 | /**
|
---|
[51770] | 3551 | * Gets the SID of the user associated with the process.
|
---|
| 3552 | *
|
---|
| 3553 | * @returns @c true if we've got a login SID, @c false if not.
|
---|
| 3554 | * @param pSidUser Where to return the user SID.
|
---|
| 3555 | * @param cbSidUser The size of the user SID buffer.
|
---|
| 3556 | * @param pSidLogin Where to return the login SID.
|
---|
| 3557 | * @param cbSidLogin The size of the login SID buffer.
|
---|
| 3558 | */
|
---|
[52969] | 3559 | static bool supR3HardNtChildGetUserAndLogSids(PSID pSidUser, ULONG cbSidUser, PSID pSidLogin, ULONG cbSidLogin)
|
---|
[51770] | 3560 | {
|
---|
| 3561 | HANDLE hToken;
|
---|
[52163] | 3562 | SUPR3HARDENED_ASSERT_NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken));
|
---|
[51770] | 3563 | union
|
---|
| 3564 | {
|
---|
| 3565 | TOKEN_USER UserInfo;
|
---|
| 3566 | TOKEN_GROUPS Groups;
|
---|
| 3567 | uint8_t abPadding[4096];
|
---|
| 3568 | } uBuf;
|
---|
| 3569 | ULONG cbRet = 0;
|
---|
| 3570 | SUPR3HARDENED_ASSERT_NT_SUCCESS(NtQueryInformationToken(hToken, TokenUser, &uBuf, sizeof(uBuf), &cbRet));
|
---|
| 3571 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCopySid(cbSidUser, pSidUser, uBuf.UserInfo.User.Sid));
|
---|
| 3572 |
|
---|
| 3573 | bool fLoginSid = false;
|
---|
| 3574 | NTSTATUS rcNt = NtQueryInformationToken(hToken, TokenLogonSid, &uBuf, sizeof(uBuf), &cbRet);
|
---|
| 3575 | if (NT_SUCCESS(rcNt))
|
---|
| 3576 | {
|
---|
| 3577 | for (DWORD i = 0; i < uBuf.Groups.GroupCount; i++)
|
---|
| 3578 | if ((uBuf.Groups.Groups[i].Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)
|
---|
| 3579 | {
|
---|
| 3580 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCopySid(cbSidLogin, pSidLogin, uBuf.Groups.Groups[i].Sid));
|
---|
| 3581 | fLoginSid = true;
|
---|
| 3582 | break;
|
---|
| 3583 | }
|
---|
| 3584 | }
|
---|
| 3585 |
|
---|
| 3586 | SUPR3HARDENED_ASSERT_NT_SUCCESS(NtClose(hToken));
|
---|
| 3587 |
|
---|
| 3588 | return fLoginSid;
|
---|
| 3589 | }
|
---|
| 3590 |
|
---|
| 3591 |
|
---|
| 3592 | /**
|
---|
| 3593 | * Build security attributes for the process or the primary thread (@a fProcess)
|
---|
| 3594 | *
|
---|
| 3595 | * Process DACLs can be bypassed using the SeDebugPrivilege (generally available
|
---|
| 3596 | * to admins, i.e. normal windows users), or by taking ownership and/or
|
---|
| 3597 | * modifying the DACL. However, it restricts
|
---|
| 3598 | *
|
---|
| 3599 | * @param pSecAttrs Where to return the security attributes.
|
---|
| 3600 | * @param pCleanup Cleanup record.
|
---|
| 3601 | * @param fProcess Set if it's for the process, clear if it's for
|
---|
| 3602 | * the primary thread.
|
---|
| 3603 | */
|
---|
[52969] | 3604 | static void supR3HardNtChildInitSecAttrs(PSECURITY_ATTRIBUTES pSecAttrs, PMYSECURITYCLEANUP pCleanup, bool fProcess)
|
---|
[51770] | 3605 | {
|
---|
| 3606 | /*
|
---|
| 3607 | * Safe return values.
|
---|
| 3608 | */
|
---|
| 3609 | suplibHardenedMemSet(pCleanup, 0, sizeof(*pCleanup));
|
---|
| 3610 |
|
---|
| 3611 | pSecAttrs->nLength = sizeof(*pSecAttrs);
|
---|
| 3612 | pSecAttrs->bInheritHandle = FALSE;
|
---|
| 3613 | pSecAttrs->lpSecurityDescriptor = NULL;
|
---|
| 3614 |
|
---|
| 3615 | /** @todo This isn't at all complete, just sketches... */
|
---|
| 3616 |
|
---|
| 3617 | /*
|
---|
| 3618 | * Create an ACL detailing the access of the above groups.
|
---|
| 3619 | */
|
---|
| 3620 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateAcl(&pCleanup->Acl.AclHdr, sizeof(pCleanup->Acl), ACL_REVISION));
|
---|
| 3621 |
|
---|
[52633] | 3622 | ULONG fDeny = DELETE | WRITE_DAC | WRITE_OWNER;
|
---|
[51770] | 3623 | ULONG fAllow = SYNCHRONIZE | READ_CONTROL;
|
---|
| 3624 | ULONG fAllowLogin = SYNCHRONIZE | READ_CONTROL;
|
---|
| 3625 | if (fProcess)
|
---|
| 3626 | {
|
---|
| 3627 | fDeny |= PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
|
---|
| 3628 | | PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA
|
---|
| 3629 | | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME;
|
---|
| 3630 | fAllow |= PROCESS_TERMINATE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION;
|
---|
| 3631 | fAllowLogin |= PROCESS_TERMINATE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION;
|
---|
| 3632 | if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
|
---|
| 3633 | {
|
---|
| 3634 | fAllow |= PROCESS_QUERY_LIMITED_INFORMATION;
|
---|
| 3635 | fAllowLogin |= PROCESS_QUERY_LIMITED_INFORMATION;
|
---|
| 3636 | }
|
---|
| 3637 | if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3)) /* Introduced in Windows 8.1. */
|
---|
| 3638 | fAllow |= PROCESS_SET_LIMITED_INFORMATION;
|
---|
| 3639 | }
|
---|
| 3640 | else
|
---|
| 3641 | {
|
---|
| 3642 | fDeny |= THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT | THREAD_SET_INFORMATION | THREAD_SET_THREAD_TOKEN
|
---|
| 3643 | | THREAD_IMPERSONATE | THREAD_DIRECT_IMPERSONATION;
|
---|
| 3644 | fAllow |= THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION;
|
---|
| 3645 | fAllowLogin |= THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION;
|
---|
| 3646 | if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
|
---|
| 3647 | {
|
---|
| 3648 | fAllow |= THREAD_QUERY_LIMITED_INFORMATION | THREAD_SET_LIMITED_INFORMATION;
|
---|
| 3649 | fAllowLogin |= THREAD_QUERY_LIMITED_INFORMATION;
|
---|
| 3650 | }
|
---|
| 3651 |
|
---|
| 3652 | }
|
---|
| 3653 | fDeny |= ~fAllow & (SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL);
|
---|
| 3654 |
|
---|
| 3655 | /* Deny everyone access to bad bits. */
|
---|
| 3656 | #if 1
|
---|
| 3657 | SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
|
---|
| 3658 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlInitializeSid(&pCleanup->Everyone.Sid, &SIDAuthWorld, 1));
|
---|
| 3659 | *RtlSubAuthoritySid(&pCleanup->Everyone.Sid, 0) = SECURITY_WORLD_RID;
|
---|
| 3660 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
|
---|
| 3661 | fDeny, &pCleanup->Everyone.Sid));
|
---|
| 3662 | #endif
|
---|
| 3663 |
|
---|
| 3664 | #if 0
|
---|
| 3665 | /* Grant some access to the owner - doesn't work. */
|
---|
| 3666 | SID_IDENTIFIER_AUTHORITY SIDAuthCreator = SECURITY_CREATOR_SID_AUTHORITY;
|
---|
| 3667 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlInitializeSid(&pCleanup->Owner.Sid, &SIDAuthCreator, 1));
|
---|
| 3668 | *RtlSubAuthoritySid(&pCleanup->Owner.Sid, 0) = SECURITY_CREATOR_OWNER_RID;
|
---|
| 3669 |
|
---|
| 3670 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
|
---|
| 3671 | fDeny, &pCleanup->Owner.Sid));
|
---|
| 3672 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
|
---|
| 3673 | fAllow, &pCleanup->Owner.Sid));
|
---|
| 3674 | #endif
|
---|
| 3675 |
|
---|
| 3676 | #if 1
|
---|
[52969] | 3677 | bool fHasLoginSid = supR3HardNtChildGetUserAndLogSids(&pCleanup->User.Sid, sizeof(pCleanup->User),
|
---|
| 3678 | &pCleanup->Login.Sid, sizeof(pCleanup->Login));
|
---|
[51770] | 3679 |
|
---|
| 3680 | # if 1
|
---|
| 3681 | /* Grant minimal access to the user. */
|
---|
| 3682 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
|
---|
| 3683 | fDeny, &pCleanup->User.Sid));
|
---|
| 3684 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
|
---|
| 3685 | fAllow, &pCleanup->User.Sid));
|
---|
| 3686 | # endif
|
---|
| 3687 |
|
---|
| 3688 | # if 1
|
---|
| 3689 | /* Grant very limited access to the login sid. */
|
---|
| 3690 | if (fHasLoginSid)
|
---|
| 3691 | {
|
---|
| 3692 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
|
---|
| 3693 | fAllowLogin, &pCleanup->Login.Sid));
|
---|
| 3694 | }
|
---|
| 3695 | # endif
|
---|
| 3696 |
|
---|
| 3697 | #endif
|
---|
| 3698 |
|
---|
| 3699 | /*
|
---|
| 3700 | * Create a security descriptor with the above ACL.
|
---|
| 3701 | */
|
---|
[52940] | 3702 | PSECURITY_DESCRIPTOR pSecDesc = (PSECURITY_DESCRIPTOR)RTMemAllocZ(SECURITY_DESCRIPTOR_MIN_LENGTH);
|
---|
[51770] | 3703 | pCleanup->pSecDesc = pSecDesc;
|
---|
| 3704 |
|
---|
| 3705 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION));
|
---|
| 3706 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlSetDaclSecurityDescriptor(pSecDesc, TRUE /*fDaclPresent*/, &pCleanup->Acl.AclHdr,
|
---|
| 3707 | FALSE /*fDaclDefaulted*/));
|
---|
| 3708 | pSecAttrs->lpSecurityDescriptor = pSecDesc;
|
---|
| 3709 | }
|
---|
| 3710 |
|
---|
| 3711 |
|
---|
| 3712 | /**
|
---|
| 3713 | * Predicate function which tests whether @a ch is a argument separator
|
---|
| 3714 | * character.
|
---|
| 3715 | *
|
---|
| 3716 | * @returns True/false.
|
---|
| 3717 | * @param ch The character to examine.
|
---|
| 3718 | */
|
---|
| 3719 | DECLINLINE(bool) suplibCommandLineIsArgSeparator(int ch)
|
---|
| 3720 | {
|
---|
| 3721 | return ch == ' '
|
---|
| 3722 | || ch == '\t'
|
---|
| 3723 | || ch == '\n'
|
---|
| 3724 | || ch == '\r';
|
---|
| 3725 | }
|
---|
| 3726 |
|
---|
| 3727 |
|
---|
| 3728 | /**
|
---|
[52163] | 3729 | * Construct the new command line.
|
---|
[51770] | 3730 | *
|
---|
[52163] | 3731 | * Since argc/argv are both derived from GetCommandLineW (see
|
---|
| 3732 | * suplibHardenedWindowsMain), we skip the argument by argument UTF-8 -> UTF-16
|
---|
| 3733 | * conversion and quoting by going to the original source.
|
---|
| 3734 | *
|
---|
[51770] | 3735 | * The executable name, though, is replaced in case it's not a fullly
|
---|
| 3736 | * qualified path.
|
---|
| 3737 | *
|
---|
| 3738 | * The re-spawn indicator is added immediately after the executable name
|
---|
| 3739 | * so that we don't get tripped up missing close quote chars in the last
|
---|
| 3740 | * argument.
|
---|
| 3741 | *
|
---|
| 3742 | * @returns Pointer to a command line string (heap).
|
---|
[58339] | 3743 | * @param pString Unicode string structure to initialize to the
|
---|
[52139] | 3744 | * command line. Optional.
|
---|
| 3745 | * @param iWhich Which respawn we're to check for, 1 being the first
|
---|
| 3746 | * one, and 2 the second and final.
|
---|
[51770] | 3747 | */
|
---|
[52969] | 3748 | static PRTUTF16 supR3HardNtChildConstructCmdLine(PUNICODE_STRING pString, int iWhich)
|
---|
[51770] | 3749 | {
|
---|
[52139] | 3750 | SUPR3HARDENED_ASSERT(iWhich == 1 || iWhich == 2);
|
---|
| 3751 |
|
---|
[51770] | 3752 | /*
|
---|
| 3753 | * Get the command line and skip the executable name.
|
---|
| 3754 | */
|
---|
[52163] | 3755 | PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
|
---|
| 3756 | PCRTUTF16 pawcArgs = pCmdLineStr->Buffer;
|
---|
| 3757 | uint32_t cwcArgs = pCmdLineStr->Length / sizeof(WCHAR);
|
---|
[51770] | 3758 |
|
---|
| 3759 | /* Skip leading space (shouldn't be any, but whatever). */
|
---|
[52163] | 3760 | while (cwcArgs > 0 && suplibCommandLineIsArgSeparator(*pawcArgs) )
|
---|
| 3761 | cwcArgs--, pawcArgs++;
|
---|
| 3762 | SUPR3HARDENED_ASSERT(cwcArgs > 0 && *pawcArgs != '\0');
|
---|
[51770] | 3763 |
|
---|
| 3764 | /* Walk to the end of it. */
|
---|
| 3765 | int fQuoted = false;
|
---|
| 3766 | do
|
---|
| 3767 | {
|
---|
[52163] | 3768 | if (*pawcArgs == '"')
|
---|
[51770] | 3769 | {
|
---|
| 3770 | fQuoted = !fQuoted;
|
---|
[52163] | 3771 | cwcArgs--; pawcArgs++;
|
---|
[51770] | 3772 | }
|
---|
[52163] | 3773 | else if (*pawcArgs != '\\' || (pawcArgs[1] != '\\' && pawcArgs[1] != '"'))
|
---|
| 3774 | cwcArgs--, pawcArgs++;
|
---|
[51770] | 3775 | else
|
---|
| 3776 | {
|
---|
| 3777 | unsigned cSlashes = 0;
|
---|
| 3778 | do
|
---|
[52163] | 3779 | {
|
---|
[51770] | 3780 | cSlashes++;
|
---|
[52163] | 3781 | cwcArgs--;
|
---|
| 3782 | pawcArgs++;
|
---|
| 3783 | }
|
---|
| 3784 | while (cwcArgs > 0 && *pawcArgs == '\\');
|
---|
| 3785 | if (cwcArgs > 0 && *pawcArgs == '"' && (cSlashes & 1))
|
---|
| 3786 | cwcArgs--, pawcArgs++; /* odd number of slashes == escaped quote */
|
---|
[51770] | 3787 | }
|
---|
[52163] | 3788 | } while (cwcArgs > 0 && (fQuoted || !suplibCommandLineIsArgSeparator(*pawcArgs)));
|
---|
[51770] | 3789 |
|
---|
| 3790 | /* Skip trailing spaces. */
|
---|
[52163] | 3791 | while (cwcArgs > 0 && suplibCommandLineIsArgSeparator(*pawcArgs))
|
---|
| 3792 | cwcArgs--, pawcArgs++;
|
---|
[51770] | 3793 |
|
---|
| 3794 | /*
|
---|
| 3795 | * Allocate a new buffer.
|
---|
| 3796 | */
|
---|
[52139] | 3797 | AssertCompile(sizeof(SUPR3_RESPAWN_1_ARG0) == sizeof(SUPR3_RESPAWN_2_ARG0));
|
---|
| 3798 | size_t cwcCmdLine = (sizeof(SUPR3_RESPAWN_1_ARG0) - 1) / sizeof(SUPR3_RESPAWN_1_ARG0[0]) /* Respawn exe name. */
|
---|
[51770] | 3799 | + !!cwcArgs + cwcArgs; /* if arguments present, add space + arguments. */
|
---|
[52139] | 3800 | if (cwcCmdLine * sizeof(WCHAR) >= 0xfff0)
|
---|
[52969] | 3801 | supR3HardenedFatalMsg("supR3HardNtChildConstructCmdLine", kSupInitOp_Misc, VERR_OUT_OF_RANGE,
|
---|
[52139] | 3802 | "Command line is too long (%u chars)!", cwcCmdLine);
|
---|
| 3803 |
|
---|
[52940] | 3804 | PRTUTF16 pwszCmdLine = (PRTUTF16)RTMemAlloc((cwcCmdLine + 1) * sizeof(RTUTF16));
|
---|
[51770] | 3805 | SUPR3HARDENED_ASSERT(pwszCmdLine != NULL);
|
---|
| 3806 |
|
---|
| 3807 | /*
|
---|
| 3808 | * Construct the new command line.
|
---|
| 3809 | */
|
---|
| 3810 | PRTUTF16 pwszDst = pwszCmdLine;
|
---|
[52139] | 3811 | for (const char *pszSrc = iWhich == 1 ? SUPR3_RESPAWN_1_ARG0 : SUPR3_RESPAWN_2_ARG0; *pszSrc; pszSrc++)
|
---|
[51770] | 3812 | *pwszDst++ = *pszSrc;
|
---|
| 3813 |
|
---|
| 3814 | if (cwcArgs)
|
---|
| 3815 | {
|
---|
| 3816 | *pwszDst++ = ' ';
|
---|
[52163] | 3817 | suplibHardenedMemCopy(pwszDst, pawcArgs, cwcArgs * sizeof(RTUTF16));
|
---|
[51770] | 3818 | pwszDst += cwcArgs;
|
---|
| 3819 | }
|
---|
| 3820 |
|
---|
| 3821 | *pwszDst = '\0';
|
---|
[62677] | 3822 | SUPR3HARDENED_ASSERT((uintptr_t)(pwszDst - pwszCmdLine) == cwcCmdLine);
|
---|
[51770] | 3823 |
|
---|
[52139] | 3824 | if (pString)
|
---|
| 3825 | {
|
---|
| 3826 | pString->Buffer = pwszCmdLine;
|
---|
| 3827 | pString->Length = (USHORT)(cwcCmdLine * sizeof(WCHAR));
|
---|
| 3828 | pString->MaximumLength = pString->Length + sizeof(WCHAR);
|
---|
| 3829 | }
|
---|
[51770] | 3830 | return pwszCmdLine;
|
---|
| 3831 | }
|
---|
| 3832 |
|
---|
| 3833 |
|
---|
[52176] | 3834 | /**
|
---|
[52969] | 3835 | * Terminates the child process.
|
---|
[52176] | 3836 | *
|
---|
[52969] | 3837 | * @param hProcess The process handle.
|
---|
| 3838 | * @param pszWhere Who's having child rasing troubles.
|
---|
| 3839 | * @param rc The status code to report.
|
---|
| 3840 | * @param pszFormat The message format string.
|
---|
| 3841 | * @param ... Message format arguments.
|
---|
[52176] | 3842 | */
|
---|
[52969] | 3843 | static void supR3HardenedWinKillChild(HANDLE hProcess, const char *pszWhere, int rc, const char *pszFormat, ...)
|
---|
[52176] | 3844 | {
|
---|
[52969] | 3845 | /*
|
---|
| 3846 | * Terminate the process ASAP and display error.
|
---|
| 3847 | */
|
---|
| 3848 | NtTerminateProcess(hProcess, RTEXITCODE_FAILURE);
|
---|
| 3849 |
|
---|
| 3850 | va_list va;
|
---|
| 3851 | va_start(va, pszFormat);
|
---|
| 3852 | supR3HardenedErrorV(rc, false /*fFatal*/, pszFormat, va);
|
---|
| 3853 | va_end(va);
|
---|
| 3854 |
|
---|
| 3855 | /*
|
---|
| 3856 | * Wait for the process to really go away.
|
---|
| 3857 | */
|
---|
| 3858 | PROCESS_BASIC_INFORMATION BasicInfo;
|
---|
| 3859 | NTSTATUS rcNtExit = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
|
---|
| 3860 | bool fExitOk = NT_SUCCESS(rcNtExit) && BasicInfo.ExitStatus != STATUS_PENDING;
|
---|
| 3861 | if (!fExitOk)
|
---|
[52176] | 3862 | {
|
---|
[52969] | 3863 | NTSTATUS rcNtWait;
|
---|
| 3864 | uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
|
---|
| 3865 | do
|
---|
[52176] | 3866 | {
|
---|
[52969] | 3867 | NtTerminateProcess(hProcess, DBG_TERMINATE_PROCESS);
|
---|
| 3868 |
|
---|
| 3869 | LARGE_INTEGER Timeout;
|
---|
| 3870 | Timeout.QuadPart = -20000000; /* 2 second */
|
---|
| 3871 | rcNtWait = NtWaitForSingleObject(hProcess, TRUE /*Alertable*/, &Timeout);
|
---|
| 3872 |
|
---|
| 3873 | rcNtExit = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
|
---|
| 3874 | fExitOk = NT_SUCCESS(rcNtExit) && BasicInfo.ExitStatus != STATUS_PENDING;
|
---|
| 3875 | } while ( !fExitOk
|
---|
| 3876 | && ( rcNtWait == STATUS_TIMEOUT
|
---|
| 3877 | || rcNtWait == STATUS_USER_APC
|
---|
| 3878 | || rcNtWait == STATUS_ALERTED)
|
---|
| 3879 | && supR3HardenedWinGetMilliTS() - uMsTsStart < 60 * 1000);
|
---|
| 3880 | if (fExitOk)
|
---|
| 3881 | supR3HardenedError(rc, false /*fFatal*/,
|
---|
| 3882 | "NtDuplicateObject failed and we failed to kill child: rc=%u (%#x) rcNtWait=%#x hProcess=%p\n",
|
---|
| 3883 | rc, rc, rcNtWait, hProcess);
|
---|
[52176] | 3884 | }
|
---|
[52139] | 3885 |
|
---|
[52969] | 3886 | /*
|
---|
| 3887 | * Final error message.
|
---|
| 3888 | */
|
---|
| 3889 | va_start(va, pszFormat);
|
---|
| 3890 | supR3HardenedFatalMsgV(pszWhere, kSupInitOp_Misc, rc, pszFormat, va);
|
---|
[62677] | 3891 | /* not reached */
|
---|
[52176] | 3892 | }
|
---|
| 3893 |
|
---|
| 3894 |
|
---|
[52523] | 3895 | /**
|
---|
[52969] | 3896 | * Checks the child process when hEvtParent is signalled.
|
---|
[52523] | 3897 | *
|
---|
[52969] | 3898 | * This will read the request data from the child and check it against expected
|
---|
| 3899 | * request. If an error is signalled, we'll raise it and make sure the child
|
---|
| 3900 | * terminates before terminating the calling process.
|
---|
[52523] | 3901 | *
|
---|
[52969] | 3902 | * @param pThis The child process data structure.
|
---|
| 3903 | * @param enmExpectedRequest The expected child request.
|
---|
| 3904 | * @param pszWhat What we're waiting for.
|
---|
[52523] | 3905 | */
|
---|
[52969] | 3906 | static void supR3HardNtChildProcessRequest(PSUPR3HARDNTCHILD pThis, SUPR3WINCHILDREQ enmExpectedRequest, const char *pszWhat)
|
---|
[52523] | 3907 | {
|
---|
| 3908 | /*
|
---|
[52969] | 3909 | * Read the process parameters from the child.
|
---|
[52523] | 3910 | */
|
---|
[52969] | 3911 | uintptr_t uChildAddr = (uintptr_t)pThis->Peb.ImageBaseAddress
|
---|
| 3912 | + ((uintptr_t)&g_ProcParams - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
|
---|
| 3913 | SIZE_T cbIgnored = 0;
|
---|
| 3914 | RT_ZERO(pThis->ProcParams);
|
---|
| 3915 | NTSTATUS rcNt = NtReadVirtualMemory(pThis->hProcess, (PVOID)uChildAddr,
|
---|
| 3916 | &pThis->ProcParams, sizeof(pThis->ProcParams), &cbIgnored);
|
---|
[52523] | 3917 | if (!NT_SUCCESS(rcNt))
|
---|
[52969] | 3918 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildProcessRequest", rcNt,
|
---|
| 3919 | "NtReadVirtualMemory(,%p,) failed reading child process status: %#x\n", uChildAddr, rcNt);
|
---|
[52523] | 3920 |
|
---|
| 3921 | /*
|
---|
[52969] | 3922 | * Is it the expected request?
|
---|
[52523] | 3923 | */
|
---|
[52969] | 3924 | if (pThis->ProcParams.enmRequest == enmExpectedRequest)
|
---|
| 3925 | return;
|
---|
[52523] | 3926 |
|
---|
| 3927 | /*
|
---|
[52969] | 3928 | * No, not the expected request. If it's an error request, tell the child
|
---|
| 3929 | * to terminate itself, otherwise we'll have to terminate it.
|
---|
[52523] | 3930 | */
|
---|
[52969] | 3931 | pThis->ProcParams.szErrorMsg[sizeof(pThis->ProcParams.szErrorMsg) - 1] = '\0';
|
---|
| 3932 | pThis->ProcParams.szWhere[sizeof(pThis->ProcParams.szWhere) - 1] = '\0';
|
---|
| 3933 | SUP_DPRINTF(("supR3HardenedWinCheckChild: enmRequest=%d rc=%d enmWhat=%d %s: %s\n",
|
---|
| 3934 | pThis->ProcParams.enmRequest, pThis->ProcParams.rc, pThis->ProcParams.enmWhat,
|
---|
| 3935 | pThis->ProcParams.szWhere, pThis->ProcParams.szErrorMsg));
|
---|
[52523] | 3936 |
|
---|
[52969] | 3937 | if (pThis->ProcParams.enmRequest != kSupR3WinChildReq_Error)
|
---|
| 3938 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinCheckChild", VERR_INVALID_PARAMETER,
|
---|
| 3939 | "Unexpected child request #%d. Was expecting #%d (%s).\n",
|
---|
| 3940 | pThis->ProcParams.enmRequest, enmExpectedRequest, pszWhat);
|
---|
[52523] | 3941 |
|
---|
[52969] | 3942 | rcNt = NtSetEvent(pThis->hEvtChild, NULL);
|
---|
[52523] | 3943 | if (!NT_SUCCESS(rcNt))
|
---|
[52969] | 3944 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildProcessRequest", rcNt, "NtSetEvent failed: %#x\n", rcNt);
|
---|
[52523] | 3945 |
|
---|
[52969] | 3946 | /* Wait for it to terminate. */
|
---|
| 3947 | LARGE_INTEGER Timeout;
|
---|
| 3948 | Timeout.QuadPart = -50000000; /* 5 seconds */
|
---|
| 3949 | rcNt = NtWaitForSingleObject(pThis->hProcess, FALSE /*Alertable*/, &Timeout);
|
---|
| 3950 | if (rcNt != STATUS_WAIT_0)
|
---|
| 3951 | {
|
---|
| 3952 | SUP_DPRINTF(("supR3HardNtChildProcessRequest: Child is taking too long to quit (rcWait=%#x), killing it...\n", rcNt));
|
---|
| 3953 | NtTerminateProcess(pThis->hProcess, DBG_TERMINATE_PROCESS);
|
---|
| 3954 | }
|
---|
| 3955 |
|
---|
| 3956 | /*
|
---|
| 3957 | * Report the error in the same way as it occured in the guest.
|
---|
| 3958 | */
|
---|
| 3959 | if (pThis->ProcParams.enmWhat == kSupInitOp_Invalid)
|
---|
| 3960 | supR3HardenedFatalMsg("supR3HardenedWinCheckChild", kSupInitOp_Misc, pThis->ProcParams.rc,
|
---|
| 3961 | "%s", pThis->ProcParams.szErrorMsg);
|
---|
| 3962 | else
|
---|
| 3963 | supR3HardenedFatalMsg(pThis->ProcParams.szWhere, pThis->ProcParams.enmWhat, pThis->ProcParams.rc,
|
---|
| 3964 | "%s", pThis->ProcParams.szErrorMsg);
|
---|
[52523] | 3965 | }
|
---|
| 3966 |
|
---|
| 3967 |
|
---|
| 3968 | /**
|
---|
[52969] | 3969 | * Waits for the child to make a certain request or terminate.
|
---|
[52523] | 3970 | *
|
---|
[52969] | 3971 | * The stub process will also wait on it's parent to terminate.
|
---|
| 3972 | * This call will only return if the child made the expected request.
|
---|
| 3973 | *
|
---|
| 3974 | * @param pThis The child process data structure.
|
---|
| 3975 | * @param enmExpectedRequest The child request to wait for.
|
---|
| 3976 | * @param cMsTimeout The number of milliseconds to wait (at least).
|
---|
| 3977 | * @param pszWhat What we're waiting for.
|
---|
[52523] | 3978 | */
|
---|
[52969] | 3979 | static void supR3HardNtChildWaitFor(PSUPR3HARDNTCHILD pThis, SUPR3WINCHILDREQ enmExpectedRequest, RTMSINTERVAL cMsTimeout,
|
---|
| 3980 | const char *pszWhat)
|
---|
[52523] | 3981 | {
|
---|
[52969] | 3982 | /*
|
---|
| 3983 | * The wait loop.
|
---|
| 3984 | * Will return when the expected request arrives.
|
---|
| 3985 | * Will break out when one of the processes terminates.
|
---|
| 3986 | */
|
---|
| 3987 | NTSTATUS rcNtWait;
|
---|
| 3988 | LARGE_INTEGER Timeout;
|
---|
| 3989 | uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
|
---|
| 3990 | uint64_t cMsElapsed = 0;
|
---|
| 3991 | for (;;)
|
---|
| 3992 | {
|
---|
| 3993 | /*
|
---|
| 3994 | * Assemble handles to wait for.
|
---|
| 3995 | */
|
---|
| 3996 | ULONG cHandles = 1;
|
---|
| 3997 | HANDLE ahHandles[3];
|
---|
| 3998 | ahHandles[0] = pThis->hProcess;
|
---|
| 3999 | if (pThis->hEvtParent)
|
---|
| 4000 | ahHandles[cHandles++] = pThis->hEvtParent;
|
---|
| 4001 | if (pThis->hParent)
|
---|
| 4002 | ahHandles[cHandles++] = pThis->hParent;
|
---|
[52523] | 4003 |
|
---|
[52969] | 4004 | /*
|
---|
| 4005 | * Do the waiting according to the callers wishes.
|
---|
| 4006 | */
|
---|
| 4007 | if ( enmExpectedRequest == kSupR3WinChildReq_End
|
---|
| 4008 | || cMsTimeout == RT_INDEFINITE_WAIT)
|
---|
| 4009 | rcNtWait = NtWaitForMultipleObjects(cHandles, &ahHandles[0], WaitAnyObject, TRUE /*Alertable*/, NULL /*Timeout*/);
|
---|
| 4010 | else
|
---|
| 4011 | {
|
---|
| 4012 | Timeout.QuadPart = -(int64_t)(cMsTimeout - cMsElapsed) * 10000;
|
---|
| 4013 | rcNtWait = NtWaitForMultipleObjects(cHandles, &ahHandles[0], WaitAnyObject, TRUE /*Alertable*/, &Timeout);
|
---|
| 4014 | }
|
---|
[52523] | 4015 |
|
---|
[52969] | 4016 | /*
|
---|
| 4017 | * Process child request.
|
---|
| 4018 | */
|
---|
| 4019 | if (rcNtWait == STATUS_WAIT_0 + 1 && pThis->hEvtParent != NULL)
|
---|
| 4020 | {
|
---|
| 4021 | supR3HardNtChildProcessRequest(pThis, enmExpectedRequest, pszWhat);
|
---|
| 4022 | SUP_DPRINTF(("supR3HardNtChildWaitFor: Found expected request %d (%s) after %llu ms.\n",
|
---|
| 4023 | enmExpectedRequest, pszWhat, supR3HardenedWinGetMilliTS() - uMsTsStart));
|
---|
| 4024 | return; /* Expected request received. */
|
---|
| 4025 | }
|
---|
[52523] | 4026 |
|
---|
[52969] | 4027 | /*
|
---|
| 4028 | * Process termination?
|
---|
| 4029 | */
|
---|
| 4030 | if ( (ULONG)rcNtWait - (ULONG)STATUS_WAIT_0 < cHandles
|
---|
| 4031 | || (ULONG)rcNtWait - (ULONG)STATUS_ABANDONED_WAIT_0 < cHandles)
|
---|
| 4032 | break;
|
---|
[52523] | 4033 |
|
---|
[52969] | 4034 | /*
|
---|
| 4035 | * Check sanity.
|
---|
| 4036 | */
|
---|
| 4037 | if ( rcNtWait != STATUS_TIMEOUT
|
---|
| 4038 | && rcNtWait != STATUS_USER_APC
|
---|
| 4039 | && rcNtWait != STATUS_ALERTED)
|
---|
| 4040 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildWaitFor", rcNtWait,
|
---|
| 4041 | "NtWaitForMultipleObjects returned %#x waiting for #%d (%s)\n",
|
---|
| 4042 | rcNtWait, enmExpectedRequest, pszWhat);
|
---|
[52523] | 4043 |
|
---|
[52969] | 4044 | /*
|
---|
| 4045 | * Calc elapsed time for the next timeout calculation, checking to see
|
---|
| 4046 | * if we've timed out already.
|
---|
| 4047 | */
|
---|
| 4048 | cMsElapsed = supR3HardenedWinGetMilliTS() - uMsTsStart;
|
---|
| 4049 | if ( cMsElapsed > cMsTimeout
|
---|
| 4050 | && cMsTimeout != RT_INDEFINITE_WAIT
|
---|
| 4051 | && enmExpectedRequest != kSupR3WinChildReq_End)
|
---|
| 4052 | {
|
---|
| 4053 | if (rcNtWait == STATUS_USER_APC || rcNtWait == STATUS_ALERTED)
|
---|
| 4054 | cMsElapsed = cMsTimeout - 1; /* try again */
|
---|
| 4055 | else
|
---|
| 4056 | {
|
---|
| 4057 | /* We timed out. */
|
---|
| 4058 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildWaitFor", rcNtWait,
|
---|
| 4059 | "Timed out after %llu ms waiting for child request #%d (%s).\n",
|
---|
| 4060 | cMsElapsed, enmExpectedRequest, pszWhat);
|
---|
| 4061 | }
|
---|
| 4062 | }
|
---|
| 4063 | }
|
---|
[52523] | 4064 |
|
---|
[52969] | 4065 | /*
|
---|
| 4066 | * Proxy the termination code of the child, if it exited already.
|
---|
| 4067 | */
|
---|
| 4068 | PROCESS_BASIC_INFORMATION BasicInfo;
|
---|
| 4069 | NTSTATUS rcNt1 = NtQueryInformationProcess(pThis->hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
|
---|
| 4070 | NTSTATUS rcNt2 = STATUS_PENDING;
|
---|
| 4071 | NTSTATUS rcNt3 = STATUS_PENDING;
|
---|
| 4072 | if ( !NT_SUCCESS(rcNt1)
|
---|
| 4073 | || BasicInfo.ExitStatus == STATUS_PENDING)
|
---|
| 4074 | {
|
---|
| 4075 | rcNt2 = NtTerminateProcess(pThis->hProcess, RTEXITCODE_FAILURE);
|
---|
| 4076 | Timeout.QuadPart = NT_SUCCESS(rcNt2) ? -20000000 /* 2 sec */ : -1280000 /* 128 ms */;
|
---|
| 4077 | rcNt3 = NtWaitForSingleObject(pThis->hProcess, FALSE /*Alertable*/, NULL /*Timeout*/);
|
---|
| 4078 | BasicInfo.ExitStatus = RTEXITCODE_FAILURE;
|
---|
| 4079 | }
|
---|
[52523] | 4080 |
|
---|
[52969] | 4081 | SUP_DPRINTF(("supR3HardNtChildWaitFor[%d]: Quitting: ExitCode=%#x (rcNtWait=%#x, rcNt1=%#x, rcNt2=%#x, rcNt3=%#x, %llu ms, %s);\n",
|
---|
| 4082 | pThis->iWhich, BasicInfo.ExitStatus, rcNtWait, rcNt1, rcNt2, rcNt3,
|
---|
| 4083 | supR3HardenedWinGetMilliTS() - uMsTsStart, pszWhat));
|
---|
| 4084 | suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
|
---|
[52523] | 4085 | }
|
---|
| 4086 |
|
---|
| 4087 |
|
---|
| 4088 | /**
|
---|
[52969] | 4089 | * Closes full access child thread and process handles, making a harmless
|
---|
| 4090 | * duplicate of the process handle first.
|
---|
| 4091 | *
|
---|
| 4092 | * The hProcess member of the child process data structure will be change to the
|
---|
| 4093 | * harmless handle, while the hThread will be set to NULL.
|
---|
| 4094 | *
|
---|
| 4095 | * @param pThis The child process data structure.
|
---|
[52523] | 4096 | */
|
---|
[52969] | 4097 | static void supR3HardNtChildCloseFullAccessHandles(PSUPR3HARDNTCHILD pThis)
|
---|
[52523] | 4098 | {
|
---|
[52969] | 4099 | /*
|
---|
| 4100 | * The thread handle.
|
---|
| 4101 | */
|
---|
| 4102 | NTSTATUS rcNt = NtClose(pThis->hThread);
|
---|
| 4103 | if (!NT_SUCCESS(rcNt))
|
---|
| 4104 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", rcNt, "NtClose(hThread) failed: %#x", rcNt);
|
---|
| 4105 | pThis->hThread = NULL;
|
---|
| 4106 |
|
---|
| 4107 | /*
|
---|
| 4108 | * Duplicate the process handle into a harmless one.
|
---|
| 4109 | */
|
---|
| 4110 | HANDLE hProcWait;
|
---|
| 4111 | ULONG fRights = SYNCHRONIZE | PROCESS_TERMINATE | PROCESS_VM_READ;
|
---|
| 4112 | if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
|
---|
| 4113 | fRights |= PROCESS_QUERY_LIMITED_INFORMATION;
|
---|
| 4114 | else
|
---|
| 4115 | fRights |= PROCESS_QUERY_INFORMATION;
|
---|
| 4116 | rcNt = NtDuplicateObject(NtCurrentProcess(), pThis->hProcess,
|
---|
| 4117 | NtCurrentProcess(), &hProcWait,
|
---|
| 4118 | fRights, 0 /*HandleAttributes*/, 0);
|
---|
| 4119 | if (rcNt == STATUS_ACCESS_DENIED)
|
---|
[52523] | 4120 | {
|
---|
[52969] | 4121 | supR3HardenedError(rcNt, false /*fFatal*/,
|
---|
| 4122 | "supR3HardenedWinDoReSpawn: NtDuplicateObject(,,,,%#x,,) -> %#x, retrying with only %#x...\n",
|
---|
| 4123 | fRights, rcNt, SYNCHRONIZE);
|
---|
| 4124 | rcNt = NtDuplicateObject(NtCurrentProcess(), pThis->hProcess,
|
---|
| 4125 | NtCurrentProcess(), &hProcWait,
|
---|
| 4126 | SYNCHRONIZE, 0 /*HandleAttributes*/, 0);
|
---|
[52523] | 4127 | }
|
---|
[52969] | 4128 | if (!NT_SUCCESS(rcNt))
|
---|
| 4129 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", rcNt,
|
---|
| 4130 | "NtDuplicateObject failed on child process handle: %#x\n", rcNt);
|
---|
| 4131 | /*
|
---|
| 4132 | * Close the process handle and replace it with the harmless one.
|
---|
| 4133 | */
|
---|
| 4134 | rcNt = NtClose(pThis->hProcess);
|
---|
| 4135 | pThis->hProcess = hProcWait;
|
---|
| 4136 | if (!NT_SUCCESS(rcNt))
|
---|
| 4137 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", VERR_INVALID_NAME,
|
---|
| 4138 | "NtClose failed on child process handle: %#x\n", rcNt);
|
---|
[52523] | 4139 | }
|
---|
| 4140 |
|
---|
| 4141 |
|
---|
[52969] | 4142 | /**
|
---|
| 4143 | * This restores the child PEB and tweaks a couple of fields before we do the
|
---|
| 4144 | * child purification and let the process run normally.
|
---|
| 4145 | *
|
---|
| 4146 | * @param pThis The child process data structure.
|
---|
[52139] | 4147 | */
|
---|
[52969] | 4148 | static void supR3HardNtChildSanitizePeb(PSUPR3HARDNTCHILD pThis)
|
---|
[52139] | 4149 | {
|
---|
| 4150 | /*
|
---|
[52969] | 4151 | * Make a copy of the pre-execution PEB.
|
---|
[52139] | 4152 | */
|
---|
| 4153 | PEB Peb = pThis->Peb;
|
---|
| 4154 |
|
---|
[52969] | 4155 | #if 0
|
---|
| 4156 | /*
|
---|
| 4157 | * There should not be any activation context, so if there is, we scratch the memory associated with it.
|
---|
| 4158 | */
|
---|
| 4159 | int rc = 0;
|
---|
| 4160 | if (RT_SUCCESS(rc) && Peb.pShimData && !((uintptr_t)Peb.pShimData & PAGE_OFFSET_MASK))
|
---|
| 4161 | rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.pShimData, PAGE_SIZE, "pShimData", pErrInfo);
|
---|
| 4162 | if (RT_SUCCESS(rc) && Peb.ActivationContextData && !((uintptr_t)Peb.ActivationContextData & PAGE_OFFSET_MASK))
|
---|
| 4163 | rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ActivationContextData, PAGE_SIZE, "ActivationContextData", pErrInfo);
|
---|
| 4164 | if (RT_SUCCESS(rc) && Peb.ProcessAssemblyStorageMap && !((uintptr_t)Peb.ProcessAssemblyStorageMap & PAGE_OFFSET_MASK))
|
---|
| 4165 | rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ProcessAssemblyStorageMap, PAGE_SIZE, "ProcessAssemblyStorageMap", pErrInfo);
|
---|
| 4166 | if (RT_SUCCESS(rc) && Peb.SystemDefaultActivationContextData && !((uintptr_t)Peb.SystemDefaultActivationContextData & PAGE_OFFSET_MASK))
|
---|
| 4167 | rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ProcessAssemblyStorageMap, PAGE_SIZE, "SystemDefaultActivationContextData", pErrInfo);
|
---|
| 4168 | if (RT_SUCCESS(rc) && Peb.SystemAssemblyStorageMap && !((uintptr_t)Peb.SystemAssemblyStorageMap & PAGE_OFFSET_MASK))
|
---|
| 4169 | rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.SystemAssemblyStorageMap, PAGE_SIZE, "SystemAssemblyStorageMap", pErrInfo);
|
---|
| 4170 | if (RT_FAILURE(rc))
|
---|
| 4171 | return rc;
|
---|
[52139] | 4172 | #endif
|
---|
| 4173 |
|
---|
| 4174 | /*
|
---|
[52969] | 4175 | * Clear compatibility and activation related fields.
|
---|
[52139] | 4176 | */
|
---|
[52969] | 4177 | Peb.AppCompatFlags.QuadPart = 0;
|
---|
| 4178 | Peb.AppCompatFlagsUser.QuadPart = 0;
|
---|
| 4179 | Peb.pShimData = NULL;
|
---|
| 4180 | Peb.AppCompatInfo = NULL;
|
---|
| 4181 | #if 0
|
---|
| 4182 | Peb.ActivationContextData = NULL;
|
---|
| 4183 | Peb.ProcessAssemblyStorageMap = NULL;
|
---|
| 4184 | Peb.SystemDefaultActivationContextData = NULL;
|
---|
| 4185 | Peb.SystemAssemblyStorageMap = NULL;
|
---|
| 4186 | /*Peb.Diff0.W6.IsProtectedProcess = 1;*/
|
---|
| 4187 | #endif
|
---|
| 4188 |
|
---|
| 4189 | /*
|
---|
| 4190 | * Write back the PEB.
|
---|
| 4191 | */
|
---|
[52139] | 4192 | SIZE_T cbActualMem = pThis->cbPeb;
|
---|
| 4193 | NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &Peb, pThis->cbPeb, &cbActualMem);
|
---|
| 4194 | if (!NT_SUCCESS(rcNt))
|
---|
[52969] | 4195 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildSanitizePeb", rcNt,
|
---|
| 4196 | "NtWriteVirtualMemory/Peb failed: %#x", rcNt);
|
---|
| 4197 |
|
---|
[52139] | 4198 | }
|
---|
| 4199 |
|
---|
| 4200 |
|
---|
[52523] | 4201 | /**
|
---|
[52969] | 4202 | * Purifies the child process after very early init has been performed.
|
---|
[52524] | 4203 | *
|
---|
[52969] | 4204 | * @param pThis The child process data structure.
|
---|
[52524] | 4205 | */
|
---|
[52969] | 4206 | static void supR3HardNtChildPurify(PSUPR3HARDNTCHILD pThis)
|
---|
[52524] | 4207 | {
|
---|
[52969] | 4208 | /*
|
---|
| 4209 | * We loop until we no longer make any fixes. This is similar to what
|
---|
| 4210 | * we do (or used to do, really) in the fAvastKludge case of
|
---|
| 4211 | * supR3HardenedWinInit. We might be up against asynchronous changes,
|
---|
| 4212 | * which we fudge by waiting a short while before earch purification. This
|
---|
| 4213 | * is arguably a fragile technique, but it's currently the best we've got.
|
---|
| 4214 | * Fortunately, most AVs seems to either favor immediate action on initial
|
---|
| 4215 | * load events or (much better for us) later events like kernel32.
|
---|
| 4216 | */
|
---|
[52972] | 4217 | uint64_t uMsTsOuterStart = supR3HardenedWinGetMilliTS();
|
---|
| 4218 | uint32_t cMsFudge = g_fSupAdversaries ? 512 : 256;
|
---|
| 4219 | uint32_t cTotalFixes = 0;
|
---|
[62677] | 4220 | uint32_t cFixes = 0; /* (MSC wrongly thinks this maybe used uninitialized) */
|
---|
[52969] | 4221 | for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
|
---|
[52524] | 4222 | {
|
---|
[52969] | 4223 | /*
|
---|
| 4224 | * Delay.
|
---|
| 4225 | */
|
---|
| 4226 | uint32_t cSleeps = 0;
|
---|
| 4227 | uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
|
---|
| 4228 | do
|
---|
| 4229 | {
|
---|
| 4230 | NtYieldExecution();
|
---|
| 4231 | LARGE_INTEGER Time;
|
---|
| 4232 | Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
|
---|
| 4233 | NtDelayExecution(FALSE, &Time);
|
---|
| 4234 | cSleeps++;
|
---|
| 4235 | } while ( supR3HardenedWinGetMilliTS() - uMsTsStart <= cMsFudge
|
---|
| 4236 | || cSleeps < 8);
|
---|
[52972] | 4237 | SUP_DPRINTF(("supR3HardNtChildPurify: Startup delay kludge #1/%u: %u ms, %u sleeps\n",
|
---|
[52969] | 4238 | iLoop, supR3HardenedWinGetMilliTS() - uMsTsStart, cSleeps));
|
---|
[52524] | 4239 |
|
---|
[52969] | 4240 | /*
|
---|
| 4241 | * Purify.
|
---|
| 4242 | */
|
---|
| 4243 | cFixes = 0;
|
---|
| 4244 | int rc = supHardenedWinVerifyProcess(pThis->hProcess, pThis->hThread, SUPHARDNTVPKIND_CHILD_PURIFICATION,
|
---|
[53017] | 4245 | g_fSupAdversaries & ( SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE
|
---|
[66484] | 4246 | | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)
|
---|
[53021] | 4247 | ? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW : 0,
|
---|
[52969] | 4248 | &cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic));
|
---|
| 4249 | if (RT_FAILURE(rc))
|
---|
| 4250 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildPurify", rc,
|
---|
[53025] | 4251 | "supHardenedWinVerifyProcess failed with %Rrc: %s", rc, g_ErrInfoStatic.szMsg);
|
---|
[52969] | 4252 | if (cFixes == 0)
|
---|
[52972] | 4253 | {
|
---|
| 4254 | SUP_DPRINTF(("supR3HardNtChildPurify: Done after %llu ms and %u fixes (loop #%u).\n",
|
---|
| 4255 | supR3HardenedWinGetMilliTS() - uMsTsOuterStart, cTotalFixes, iLoop));
|
---|
[52969] | 4256 | return; /* We're probably good. */
|
---|
[52972] | 4257 | }
|
---|
| 4258 | cTotalFixes += cFixes;
|
---|
[52524] | 4259 |
|
---|
[52969] | 4260 | if (!g_fSupAdversaries)
|
---|
| 4261 | g_fSupAdversaries |= SUPHARDNT_ADVERSARY_UNKNOWN;
|
---|
| 4262 | cMsFudge = 512;
|
---|
| 4263 |
|
---|
| 4264 | /*
|
---|
| 4265 | * Log the KiOpPrefetchPatchCount value if available, hoping it might
|
---|
| 4266 | * sched some light on spider38's case.
|
---|
| 4267 | */
|
---|
| 4268 | ULONG cPatchCount = 0;
|
---|
| 4269 | NTSTATUS rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
|
---|
| 4270 | &cPatchCount, sizeof(cPatchCount), NULL);
|
---|
[52438] | 4271 | if (NT_SUCCESS(rcNt))
|
---|
[52972] | 4272 | SUP_DPRINTF(("supR3HardNtChildPurify: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
|
---|
[52969] | 4273 | cFixes, g_fSupAdversaries, cPatchCount));
|
---|
[52438] | 4274 | else
|
---|
[52972] | 4275 | SUP_DPRINTF(("supR3HardNtChildPurify: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
|
---|
[52438] | 4276 | }
|
---|
[52969] | 4277 |
|
---|
| 4278 | /*
|
---|
| 4279 | * We've given up fixing the child process. Probably fighting someone
|
---|
| 4280 | * that monitors their patches or/and our activities.
|
---|
| 4281 | */
|
---|
| 4282 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildPurify", VERR_TRY_AGAIN,
|
---|
[52972] | 4283 | "Unable to purify child process! After 16 tries over %llu ms, we still %u fix(es) in the last pass.",
|
---|
| 4284 | supR3HardenedWinGetMilliTS() - uMsTsOuterStart, cFixes);
|
---|
[52438] | 4285 | }
|
---|
| 4286 |
|
---|
| 4287 |
|
---|
[51770] | 4288 | /**
|
---|
[52969] | 4289 | * Sets up the early process init.
|
---|
[52139] | 4290 | *
|
---|
[52969] | 4291 | * @param pThis The child process data structure.
|
---|
[52139] | 4292 | */
|
---|
[52969] | 4293 | static void supR3HardNtChildSetUpChildInit(PSUPR3HARDNTCHILD pThis)
|
---|
[52139] | 4294 | {
|
---|
[52969] | 4295 | uintptr_t const uChildExeAddr = (uintptr_t)pThis->Peb.ImageBaseAddress;
|
---|
| 4296 |
|
---|
[52373] | 4297 | /*
|
---|
[52969] | 4298 | * Plant the process parameters. This ASSUMES the handle inheritance is
|
---|
| 4299 | * performed when creating the child process.
|
---|
[52373] | 4300 | */
|
---|
[52969] | 4301 | RT_ZERO(pThis->ProcParams);
|
---|
| 4302 | pThis->ProcParams.hEvtChild = pThis->hEvtChild;
|
---|
| 4303 | pThis->ProcParams.hEvtParent = pThis->hEvtParent;
|
---|
| 4304 | pThis->ProcParams.uNtDllAddr = pThis->uNtDllAddr;
|
---|
| 4305 | pThis->ProcParams.enmRequest = kSupR3WinChildReq_Error;
|
---|
| 4306 | pThis->ProcParams.rc = VINF_SUCCESS;
|
---|
| 4307 |
|
---|
| 4308 | uintptr_t uChildAddr = uChildExeAddr + ((uintptr_t)&g_ProcParams - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
|
---|
| 4309 | SIZE_T cbIgnored;
|
---|
| 4310 | NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, (PVOID)uChildAddr, &pThis->ProcParams,
|
---|
| 4311 | sizeof(pThis->ProcParams), &cbIgnored);
|
---|
| 4312 | if (!NT_SUCCESS(rcNt))
|
---|
| 4313 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
|
---|
| 4314 | "NtWriteVirtualMemory(,%p,) failed writing child process parameters: %#x\n", uChildAddr, rcNt);
|
---|
| 4315 |
|
---|
| 4316 | /*
|
---|
| 4317 | * Locate the LdrInitializeThunk address in the child as well as pristine
|
---|
| 4318 | * code bits for it.
|
---|
| 4319 | */
|
---|
[52373] | 4320 | PSUPHNTLDRCACHEENTRY pLdrEntry;
|
---|
[60700] | 4321 | int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry, NULL /*pErrInfo*/);
|
---|
[52373] | 4322 | if (RT_FAILURE(rc))
|
---|
[52969] | 4323 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
|
---|
| 4324 | "supHardNtLdrCacheOpen failed on NTDLL: %Rrc\n", rc);
|
---|
[52139] | 4325 |
|
---|
[52969] | 4326 | uint8_t *pbChildNtDllBits;
|
---|
| 4327 | rc = supHardNtLdrCacheEntryGetBits(pLdrEntry, &pbChildNtDllBits, pThis->uNtDllAddr, NULL, NULL, NULL /*pErrInfo*/);
|
---|
| 4328 | if (RT_FAILURE(rc))
|
---|
| 4329 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
|
---|
| 4330 | "supHardNtLdrCacheEntryGetBits failed on NTDLL: %Rrc\n", rc);
|
---|
| 4331 |
|
---|
[52373] | 4332 | RTLDRADDR uLdrInitThunk;
|
---|
[52969] | 4333 | rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbChildNtDllBits, pThis->uNtDllAddr, UINT32_MAX,
|
---|
[52373] | 4334 | "LdrInitializeThunk", &uLdrInitThunk);
|
---|
| 4335 | if (RT_FAILURE(rc))
|
---|
[52969] | 4336 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
|
---|
| 4337 | "Error locating LdrInitializeThunk in NTDLL: %Rrc", rc);
|
---|
[52373] | 4338 | PVOID pvLdrInitThunk = (PVOID)(uintptr_t)uLdrInitThunk;
|
---|
[52969] | 4339 | SUP_DPRINTF(("supR3HardenedWinSetupChildInit: uLdrInitThunk=%p\n", (uintptr_t)uLdrInitThunk));
|
---|
[52373] | 4340 |
|
---|
[52139] | 4341 | /*
|
---|
[52969] | 4342 | * Calculate the address of our code in the child process.
|
---|
[52139] | 4343 | */
|
---|
[52969] | 4344 | uintptr_t uEarlyProcInitEP = uChildExeAddr + ( (uintptr_t)&supR3HardenedEarlyProcessInitThunk
|
---|
| 4345 | - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
|
---|
[52139] | 4346 |
|
---|
| 4347 | /*
|
---|
[52969] | 4348 | * Compose the LdrInitializeThunk replacement bytes.
|
---|
| 4349 | * Note! The amount of code we replace here must be less or equal to what
|
---|
| 4350 | * the process verification code ignores.
|
---|
[52524] | 4351 | */
|
---|
[52969] | 4352 | uint8_t abNew[16];
|
---|
| 4353 | memcpy(abNew, pbChildNtDllBits + ((uintptr_t)uLdrInitThunk - pThis->uNtDllAddr), sizeof(abNew));
|
---|
| 4354 | #ifdef RT_ARCH_AMD64
|
---|
| 4355 | abNew[0] = 0xff;
|
---|
| 4356 | abNew[1] = 0x25;
|
---|
| 4357 | *(uint32_t *)&abNew[2] = 0;
|
---|
| 4358 | *(uint64_t *)&abNew[6] = uEarlyProcInitEP;
|
---|
| 4359 | #elif defined(RT_ARCH_X86)
|
---|
| 4360 | abNew[0] = 0xe9;
|
---|
| 4361 | *(uint32_t *)&abNew[1] = uEarlyProcInitEP - ((uint32_t)uLdrInitThunk + 5);
|
---|
[52656] | 4362 | #else
|
---|
[52969] | 4363 | # error "Unsupported arch."
|
---|
[52656] | 4364 | #endif
|
---|
[52524] | 4365 |
|
---|
| 4366 | /*
|
---|
[52969] | 4367 | * Install the LdrInitializeThunk replacement code in the child process.
|
---|
[52139] | 4368 | */
|
---|
[52969] | 4369 | PVOID pvProt = pvLdrInitThunk;
|
---|
| 4370 | SIZE_T cbProt = sizeof(abNew);
|
---|
| 4371 | ULONG fOldProt;
|
---|
| 4372 | rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
|
---|
| 4373 | if (!NT_SUCCESS(rcNt))
|
---|
| 4374 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
|
---|
| 4375 | "NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
|
---|
[52139] | 4376 |
|
---|
[52969] | 4377 | rcNt = NtWriteVirtualMemory(pThis->hProcess, pvLdrInitThunk, abNew, sizeof(abNew), &cbIgnored);
|
---|
| 4378 | if (!NT_SUCCESS(rcNt))
|
---|
| 4379 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
|
---|
| 4380 | "NtWriteVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
|
---|
[52438] | 4381 |
|
---|
[52969] | 4382 | pvProt = pvLdrInitThunk;
|
---|
| 4383 | cbProt = sizeof(abNew);
|
---|
| 4384 | rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
|
---|
| 4385 | if (!NT_SUCCESS(rcNt))
|
---|
| 4386 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
|
---|
| 4387 | "NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x", rcNt);
|
---|
[52438] | 4388 |
|
---|
[80218] | 4389 | /*
|
---|
| 4390 | * Check the sanity of the thread context.
|
---|
| 4391 | */
|
---|
| 4392 | CONTEXT Ctx;
|
---|
| 4393 | RT_ZERO(Ctx);
|
---|
| 4394 | Ctx.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
|
---|
| 4395 | rcNt = NtGetContextThread(pThis->hThread, &Ctx);
|
---|
| 4396 | if (NT_SUCCESS(rcNt))
|
---|
| 4397 | {
|
---|
| 4398 | #ifdef RT_ARCH_AMD64
|
---|
| 4399 | DWORD64 *pPC = &Ctx.Rip;
|
---|
| 4400 | #elif defined(RT_ARCH_X86)
|
---|
| 4401 | DWORD *pPC = &Ctx.Eip;
|
---|
| 4402 | #else
|
---|
| 4403 | # error "Unsupported arch."
|
---|
| 4404 | #endif
|
---|
[81118] | 4405 | supR3HardNtDprintCtx(&Ctx, "supR3HardenedWinSetupChildInit: Initial context:");
|
---|
| 4406 |
|
---|
[80242] | 4407 | /* Entrypoint for the executable: */
|
---|
[80218] | 4408 | uintptr_t const uChildMain = uChildExeAddr + ( (uintptr_t)&suplibHardenedWindowsMain
|
---|
| 4409 | - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
|
---|
[80242] | 4410 |
|
---|
| 4411 | /* NtDll size and the more recent default thread start entrypoint (Vista+?): */
|
---|
| 4412 | RTLDRADDR uSystemThreadStart;
|
---|
[80218] | 4413 | rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbChildNtDllBits, pThis->uNtDllAddr, UINT32_MAX,
|
---|
[80242] | 4414 | "RtlUserThreadStart", &uSystemThreadStart);
|
---|
[80218] | 4415 | if (RT_FAILURE(rc))
|
---|
[80242] | 4416 | uSystemThreadStart = 0;
|
---|
[80218] | 4417 |
|
---|
[80242] | 4418 | /* Kernel32 for thread start of older windows version, only XP64/W2K3-64 has an actual
|
---|
| 4419 | export for it. Unfortunately, it is not yet loaded into the child, so we have to
|
---|
| 4420 | assume same location as in the parent (safe): */
|
---|
| 4421 | PSUPHNTLDRCACHEENTRY pLdrEntryKernel32;
|
---|
[84394] | 4422 | rc = supHardNtLdrCacheOpen("kernel32.dll", &pLdrEntryKernel32, NULL /*pErrInfo*/);
|
---|
[80242] | 4423 | if (RT_FAILURE(rc))
|
---|
| 4424 | supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
|
---|
| 4425 | "supHardNtLdrCacheOpen failed on KERNEL32: %Rrc\n", rc);
|
---|
| 4426 | size_t const cbKernel32 = RTLdrSize(pLdrEntryKernel32->hLdrMod);
|
---|
| 4427 |
|
---|
| 4428 | #ifdef RT_ARCH_AMD64
|
---|
| 4429 | if (!uSystemThreadStart)
|
---|
| 4430 | {
|
---|
| 4431 | rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbChildNtDllBits, pLdrEntryKernel32->uImageBase, UINT32_MAX,
|
---|
| 4432 | "BaseProcessStart", &uSystemThreadStart);
|
---|
| 4433 | if (RT_FAILURE(rc))
|
---|
| 4434 | uSystemThreadStart = 0;
|
---|
| 4435 | }
|
---|
| 4436 | #endif
|
---|
| 4437 |
|
---|
[80218] | 4438 | bool fUpdateContext = false;
|
---|
| 4439 |
|
---|
[80242] | 4440 | /* Check if the RIP looks half sane, try correct it if it isn't.
|
---|
[80218] | 4441 | It should point to RtlUserThreadStart (Vista and later it seem), though only
|
---|
| 4442 | tested on win10. The first parameter is the executable entrypoint, the 2nd
|
---|
[80242] | 4443 | is probably the PEB. Before Vista it should point to Kernel32!BaseProcessStart,
|
---|
| 4444 | though the symbol is only exported in 5.2/AMD64. */
|
---|
| 4445 | if ( ( uSystemThreadStart
|
---|
| 4446 | ? *pPC == uSystemThreadStart
|
---|
| 4447 | : *pPC - ( pLdrEntryKernel32->uImageBase != ~(uintptr_t)0 ? pLdrEntryKernel32->uImageBase
|
---|
| 4448 | : (uintptr_t)GetModuleHandleW(L"kernel32.dll")) <= cbKernel32)
|
---|
[80218] | 4449 | || *pPC == uChildMain)
|
---|
| 4450 | { }
|
---|
| 4451 | else
|
---|
| 4452 | {
|
---|
[80242] | 4453 | SUP_DPRINTF(("Warning! Bogus RIP: %p (uSystemThreadStart=%p; kernel32 %p LB %p; uChildMain=%p)\n",
|
---|
| 4454 | *pPC, uSystemThreadStart, pLdrEntryKernel32->uImageBase, cbKernel32, uChildMain));
|
---|
| 4455 | if (uSystemThreadStart)
|
---|
[80218] | 4456 | {
|
---|
[80242] | 4457 | SUP_DPRINTF(("Correcting RIP from to %p hoping that it might work...\n", (uintptr_t)uSystemThreadStart));
|
---|
| 4458 | *pPC = uSystemThreadStart;
|
---|
[80218] | 4459 | fUpdateContext = true;
|
---|
| 4460 | }
|
---|
| 4461 | }
|
---|
| 4462 | #ifdef RT_ARCH_AMD64
|
---|
[80242] | 4463 | if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0)) /* W2K3: CS=33 SS=DS=ES=GS=2b FS=53 */
|
---|
| 4464 | {
|
---|
| 4465 | if (Ctx.SegDs != 0)
|
---|
| 4466 | SUP_DPRINTF(("Warning! Bogus DS: %04x, expected zero\n", Ctx.SegDs));
|
---|
| 4467 | if (Ctx.SegEs != 0)
|
---|
| 4468 | SUP_DPRINTF(("Warning! Bogus ES: %04x, expected zero\n", Ctx.SegEs));
|
---|
| 4469 | if (Ctx.SegFs != 0)
|
---|
| 4470 | SUP_DPRINTF(("Warning! Bogus FS: %04x, expected zero\n", Ctx.SegFs));
|
---|
| 4471 | if (Ctx.SegGs != 0)
|
---|
| 4472 | SUP_DPRINTF(("Warning! Bogus GS: %04x, expected zero\n", Ctx.SegGs));
|
---|
| 4473 | }
|
---|
[80218] | 4474 | if (Ctx.Rcx != uChildMain)
|
---|
| 4475 | SUP_DPRINTF(("Warning! Bogus RCX: %016RX64, expected %016RX64\n", Ctx.Rcx, uChildMain));
|
---|
[80242] | 4476 | if (Ctx.Rdx & PAGE_OFFSET_MASK)
|
---|
| 4477 | SUP_DPRINTF(("Warning! Bogus RDX: %016RX64, expected page aligned\n", Ctx.Rdx)); /* PEB */
|
---|
[80218] | 4478 | if ((Ctx.Rsp & 15) != 8)
|
---|
| 4479 | SUP_DPRINTF(("Warning! Misaligned RSP: %016RX64\n", Ctx.Rsp));
|
---|
| 4480 | #endif
|
---|
| 4481 | if (Ctx.SegCs != ASMGetCS())
|
---|
| 4482 | SUP_DPRINTF(("Warning! Bogus CS: %04x, expected %04x\n", Ctx.SegCs, ASMGetCS()));
|
---|
| 4483 | if (Ctx.SegSs != ASMGetSS())
|
---|
| 4484 | SUP_DPRINTF(("Warning! Bogus SS: %04x, expected %04x\n", Ctx.SegSs, ASMGetSS()));
|
---|
| 4485 | if (Ctx.Dr0 != 0)
|
---|
| 4486 | SUP_DPRINTF(("Warning! Bogus DR0: %016RX64, expected zero\n", Ctx.Dr0));
|
---|
| 4487 | if (Ctx.Dr1 != 0)
|
---|
| 4488 | SUP_DPRINTF(("Warning! Bogus DR1: %016RX64, expected zero\n", Ctx.Dr1));
|
---|
| 4489 | if (Ctx.Dr2 != 0)
|
---|
| 4490 | SUP_DPRINTF(("Warning! Bogus DR2: %016RX64, expected zero\n", Ctx.Dr2));
|
---|
| 4491 | if (Ctx.Dr3 != 0)
|
---|
| 4492 | SUP_DPRINTF(("Warning! Bogus DR3: %016RX64, expected zero\n", Ctx.Dr3));
|
---|
| 4493 | if (Ctx.Dr6 != 0)
|
---|
| 4494 | SUP_DPRINTF(("Warning! Bogus DR6: %016RX64, expected zero\n", Ctx.Dr6));
|
---|
| 4495 | if (Ctx.Dr7 != 0)
|
---|
| 4496 | {
|
---|
| 4497 | SUP_DPRINTF(("Warning! Bogus DR7: %016RX64, expected zero\n", Ctx.Dr7));
|
---|
| 4498 | Ctx.Dr7 = 0;
|
---|
| 4499 | fUpdateContext = true;
|
---|
| 4500 | }
|
---|
| 4501 |
|
---|
| 4502 | if (fUpdateContext)
|
---|
| 4503 | {
|
---|
| 4504 | rcNt = NtSetContextThread(pThis->hThread, &Ctx);
|
---|
| 4505 | if (!NT_SUCCESS(rcNt))
|
---|
| 4506 | SUP_DPRINTF(("Error! NtSetContextThread failed: %#x\n", rcNt));
|
---|
| 4507 | }
|
---|
| 4508 | }
|
---|
| 4509 |
|
---|
[52969] | 4510 | /* Caller starts child execution. */
|
---|
| 4511 | SUP_DPRINTF(("supR3HardenedWinSetupChildInit: Start child.\n"));
|
---|
[52139] | 4512 | }
|
---|
| 4513 |
|
---|
| 4514 |
|
---|
| 4515 |
|
---|
[52969] | 4516 | /**
|
---|
| 4517 | * This messes with the child PEB before we trigger the initial image events.
|
---|
| 4518 | *
|
---|
| 4519 | * @param pThis The child process data structure.
|
---|
| 4520 | */
|
---|
| 4521 | static void supR3HardNtChildScrewUpPebForInitialImageEvents(PSUPR3HARDNTCHILD pThis)
|
---|
[52139] | 4522 | {
|
---|
| 4523 | /*
|
---|
[52969] | 4524 | * Not sure if any of the cracker software uses the PEB at this point, but
|
---|
| 4525 | * just in case they do make some of the PEB fields a little less useful.
|
---|
[52139] | 4526 | */
|
---|
| 4527 | PEB Peb = pThis->Peb;
|
---|
| 4528 |
|
---|
[52969] | 4529 | /* Make ImageBaseAddress useless. */
|
---|
| 4530 | Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress ^ UINT32_C(0x5f139000));
|
---|
| 4531 | #ifdef RT_ARCH_AMD64
|
---|
| 4532 | Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress | UINT64_C(0x0313000000000000));
|
---|
[52139] | 4533 | #endif
|
---|
| 4534 |
|
---|
| 4535 | /*
|
---|
[52969] | 4536 | * Write the PEB.
|
---|
[52139] | 4537 | */
|
---|
| 4538 | SIZE_T cbActualMem = pThis->cbPeb;
|
---|
| 4539 | NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &Peb, pThis->cbPeb, &cbActualMem);
|
---|
| 4540 | if (!NT_SUCCESS(rcNt))
|
---|
[52969] | 4541 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildScrewUpPebForInitialImageEvents", rcNt,
|
---|
| 4542 | "NtWriteVirtualMemory/Peb failed: %#x", rcNt);
|
---|
| 4543 | }
|
---|
[52139] | 4544 |
|
---|
[52969] | 4545 |
|
---|
| 4546 | /**
|
---|
| 4547 | * Check if the zero terminated NT unicode string is the path to the given
|
---|
| 4548 | * system32 DLL.
|
---|
| 4549 | *
|
---|
| 4550 | * @returns true if it is, false if not.
|
---|
| 4551 | * @param pUniStr The zero terminated NT unicode string path.
|
---|
| 4552 | * @param pszName The name of the system32 DLL.
|
---|
| 4553 | */
|
---|
| 4554 | static bool supR3HardNtIsNamedSystem32Dll(PUNICODE_STRING pUniStr, const char *pszName)
|
---|
| 4555 | {
|
---|
| 4556 | if (pUniStr->Length > g_System32NtPath.UniStr.Length)
|
---|
| 4557 | {
|
---|
| 4558 | if (memcmp(pUniStr->Buffer, g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length) == 0)
|
---|
| 4559 | {
|
---|
| 4560 | if (pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR)] == '\\')
|
---|
| 4561 | {
|
---|
| 4562 | if (RTUtf16ICmpAscii(&pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR) + 1], pszName) == 0)
|
---|
| 4563 | return true;
|
---|
| 4564 | }
|
---|
| 4565 | }
|
---|
| 4566 | }
|
---|
| 4567 |
|
---|
| 4568 | return false;
|
---|
[52139] | 4569 | }
|
---|
| 4570 |
|
---|
| 4571 |
|
---|
[52969] | 4572 | /**
|
---|
| 4573 | * Worker for supR3HardNtChildGatherData that locates NTDLL in the child
|
---|
| 4574 | * process.
|
---|
| 4575 | *
|
---|
| 4576 | * @param pThis The child process data structure.
|
---|
| 4577 | */
|
---|
| 4578 | static void supR3HardNtChildFindNtdll(PSUPR3HARDNTCHILD pThis)
|
---|
[52156] | 4579 | {
|
---|
| 4580 | /*
|
---|
| 4581 | * Find NTDLL in this process first and take that as a starting point.
|
---|
| 4582 | */
|
---|
| 4583 | pThis->uNtDllParentAddr = (uintptr_t)GetModuleHandleW(L"ntdll.dll");
|
---|
| 4584 | SUPR3HARDENED_ASSERT(pThis->uNtDllParentAddr != 0 && !(pThis->uNtDllParentAddr & PAGE_OFFSET_MASK));
|
---|
| 4585 | pThis->uNtDllAddr = pThis->uNtDllParentAddr;
|
---|
| 4586 |
|
---|
| 4587 | /*
|
---|
| 4588 | * Scan the virtual memory of the child.
|
---|
| 4589 | */
|
---|
| 4590 | uintptr_t cbAdvance = 0;
|
---|
| 4591 | uintptr_t uPtrWhere = 0;
|
---|
| 4592 | for (uint32_t i = 0; i < 1024; i++)
|
---|
| 4593 | {
|
---|
| 4594 | /* Query information. */
|
---|
| 4595 | SIZE_T cbActual = 0;
|
---|
| 4596 | MEMORY_BASIC_INFORMATION MemInfo = { 0, 0, 0, 0, 0, 0, 0 };
|
---|
| 4597 | NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess,
|
---|
| 4598 | (void const *)uPtrWhere,
|
---|
| 4599 | MemoryBasicInformation,
|
---|
| 4600 | &MemInfo,
|
---|
| 4601 | sizeof(MemInfo),
|
---|
| 4602 | &cbActual);
|
---|
| 4603 | if (!NT_SUCCESS(rcNt))
|
---|
| 4604 | break;
|
---|
| 4605 |
|
---|
| 4606 | if ( MemInfo.Type == SEC_IMAGE
|
---|
| 4607 | || MemInfo.Type == SEC_PROTECTED_IMAGE
|
---|
| 4608 | || MemInfo.Type == (SEC_IMAGE | SEC_PROTECTED_IMAGE))
|
---|
| 4609 | {
|
---|
| 4610 | if (MemInfo.BaseAddress == MemInfo.AllocationBase)
|
---|
| 4611 | {
|
---|
| 4612 | /* Get the image name. */
|
---|
| 4613 | union
|
---|
| 4614 | {
|
---|
| 4615 | UNICODE_STRING UniStr;
|
---|
| 4616 | uint8_t abPadding[4096];
|
---|
| 4617 | } uBuf;
|
---|
[84394] | 4618 | rcNt = NtQueryVirtualMemory(pThis->hProcess,
|
---|
| 4619 | MemInfo.BaseAddress,
|
---|
| 4620 | MemorySectionName,
|
---|
| 4621 | &uBuf,
|
---|
| 4622 | sizeof(uBuf) - sizeof(WCHAR),
|
---|
| 4623 | &cbActual);
|
---|
[52156] | 4624 | if (NT_SUCCESS(rcNt))
|
---|
| 4625 | {
|
---|
| 4626 | uBuf.UniStr.Buffer[uBuf.UniStr.Length / sizeof(WCHAR)] = '\0';
|
---|
[52176] | 4627 | if (supR3HardNtIsNamedSystem32Dll(&uBuf.UniStr, "ntdll.dll"))
|
---|
[52156] | 4628 | {
|
---|
[52176] | 4629 | pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase;
|
---|
| 4630 | SUP_DPRINTF(("supR3HardNtPuChFindNtdll: uNtDllParentAddr=%p uNtDllChildAddr=%p\n",
|
---|
| 4631 | pThis->uNtDllParentAddr, pThis->uNtDllAddr));
|
---|
| 4632 | return;
|
---|
[52156] | 4633 | }
|
---|
| 4634 | }
|
---|
| 4635 | }
|
---|
| 4636 | }
|
---|
| 4637 |
|
---|
| 4638 | /*
|
---|
| 4639 | * Advance.
|
---|
| 4640 | */
|
---|
| 4641 | cbAdvance = MemInfo.RegionSize;
|
---|
| 4642 | if (uPtrWhere + cbAdvance <= uPtrWhere)
|
---|
| 4643 | break;
|
---|
| 4644 | uPtrWhere += MemInfo.RegionSize;
|
---|
| 4645 | }
|
---|
| 4646 |
|
---|
[52969] | 4647 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildFindNtdll", VERR_MODULE_NOT_FOUND, "ntdll.dll not found in child process.");
|
---|
[52156] | 4648 | }
|
---|
| 4649 |
|
---|
| 4650 |
|
---|
[52139] | 4651 | /**
|
---|
[52969] | 4652 | * Gather child data.
|
---|
[52947] | 4653 | *
|
---|
[58339] | 4654 | * @param pThis The child process data structure.
|
---|
[52947] | 4655 | */
|
---|
[52969] | 4656 | static void supR3HardNtChildGatherData(PSUPR3HARDNTCHILD pThis)
|
---|
[52947] | 4657 | {
|
---|
| 4658 | /*
|
---|
[52969] | 4659 | * Basic info.
|
---|
[52947] | 4660 | */
|
---|
[52969] | 4661 | ULONG cbActual = 0;
|
---|
| 4662 | NTSTATUS rcNt = NtQueryInformationProcess(pThis->hProcess, ProcessBasicInformation,
|
---|
| 4663 | &pThis->BasicInfo, sizeof(pThis->BasicInfo), &cbActual);
|
---|
| 4664 | if (!NT_SUCCESS(rcNt))
|
---|
| 4665 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildGatherData", rcNt,
|
---|
| 4666 | "NtQueryInformationProcess/ProcessBasicInformation failed: %#x", rcNt);
|
---|
[52947] | 4667 |
|
---|
| 4668 | /*
|
---|
[52969] | 4669 | * If this is the middle (stub) process, we wish to wait for both child
|
---|
| 4670 | * and parent. So open the parent process. Not fatal if we cannnot.
|
---|
[52947] | 4671 | */
|
---|
[52969] | 4672 | if (pThis->iWhich > 1)
|
---|
[52947] | 4673 | {
|
---|
[53027] | 4674 | PROCESS_BASIC_INFORMATION SelfInfo;
|
---|
| 4675 | rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &SelfInfo, sizeof(SelfInfo), &cbActual);
|
---|
| 4676 | if (NT_SUCCESS(rcNt))
|
---|
| 4677 | {
|
---|
| 4678 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 4679 | InitializeObjectAttributes(&ObjAttr, NULL, 0, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
[52947] | 4680 |
|
---|
[53027] | 4681 | CLIENT_ID ClientId;
|
---|
| 4682 | ClientId.UniqueProcess = (HANDLE)SelfInfo.InheritedFromUniqueProcessId;
|
---|
| 4683 | ClientId.UniqueThread = NULL;
|
---|
[52947] | 4684 |
|
---|
[53027] | 4685 | rcNt = NtOpenProcess(&pThis->hParent, SYNCHRONIZE | PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
|
---|
[52969] | 4686 | #ifdef DEBUG
|
---|
[53027] | 4687 | SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
|
---|
[52969] | 4688 | #endif
|
---|
[53027] | 4689 | if (!NT_SUCCESS(rcNt))
|
---|
| 4690 | {
|
---|
| 4691 | pThis->hParent = NULL;
|
---|
| 4692 | SUP_DPRINTF(("supR3HardNtChildGatherData: Failed to open parent process (%#p): %#x\n", ClientId.UniqueProcess, rcNt));
|
---|
| 4693 | }
|
---|
[52969] | 4694 | }
|
---|
[53027] | 4695 |
|
---|
[52947] | 4696 | }
|
---|
| 4697 |
|
---|
| 4698 | /*
|
---|
[52969] | 4699 | * Process environment block.
|
---|
[52947] | 4700 | */
|
---|
[52969] | 4701 | if (g_uNtVerCombined < SUP_NT_VER_W2K3)
|
---|
| 4702 | pThis->cbPeb = PEB_SIZE_W51;
|
---|
| 4703 | else if (g_uNtVerCombined < SUP_NT_VER_VISTA)
|
---|
| 4704 | pThis->cbPeb = PEB_SIZE_W52;
|
---|
| 4705 | else if (g_uNtVerCombined < SUP_NT_VER_W70)
|
---|
| 4706 | pThis->cbPeb = PEB_SIZE_W6;
|
---|
| 4707 | else if (g_uNtVerCombined < SUP_NT_VER_W80)
|
---|
| 4708 | pThis->cbPeb = PEB_SIZE_W7;
|
---|
| 4709 | else if (g_uNtVerCombined < SUP_NT_VER_W81)
|
---|
| 4710 | pThis->cbPeb = PEB_SIZE_W80;
|
---|
[52962] | 4711 | else
|
---|
[52969] | 4712 | pThis->cbPeb = PEB_SIZE_W81;
|
---|
[52947] | 4713 |
|
---|
[52969] | 4714 | SUP_DPRINTF(("supR3HardNtChildGatherData: PebBaseAddress=%p cbPeb=%#x\n",
|
---|
| 4715 | pThis->BasicInfo.PebBaseAddress, pThis->cbPeb));
|
---|
[52947] | 4716 |
|
---|
[52969] | 4717 | SIZE_T cbActualMem;
|
---|
| 4718 | RT_ZERO(pThis->Peb);
|
---|
| 4719 | rcNt = NtReadVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &pThis->Peb, sizeof(pThis->Peb), &cbActualMem);
|
---|
[52947] | 4720 | if (!NT_SUCCESS(rcNt))
|
---|
[52969] | 4721 | supR3HardenedWinKillChild(pThis, "supR3HardNtChildGatherData", rcNt,
|
---|
| 4722 | "NtReadVirtualMemory/Peb failed: %#x", rcNt);
|
---|
[52947] | 4723 |
|
---|
| 4724 | /*
|
---|
[52969] | 4725 | * Locate NtDll.
|
---|
[52947] | 4726 | */
|
---|
[52969] | 4727 | supR3HardNtChildFindNtdll(pThis);
|
---|
[52947] | 4728 | }
|
---|
| 4729 |
|
---|
| 4730 |
|
---|
| 4731 | /**
|
---|
[51770] | 4732 | * Does the actually respawning.
|
---|
| 4733 | *
|
---|
[52163] | 4734 | * @returns Never, will call exit or raise fatal error.
|
---|
| 4735 | * @param iWhich Which respawn we're to check for, 1 being the
|
---|
| 4736 | * first one, and 2 the second and final.
|
---|
[51770] | 4737 | */
|
---|
[62677] | 4738 | static DECL_NO_RETURN(void) supR3HardenedWinDoReSpawn(int iWhich)
|
---|
[51770] | 4739 | {
|
---|
[52163] | 4740 | NTSTATUS rcNt;
|
---|
| 4741 | PPEB pPeb = NtCurrentPeb();
|
---|
| 4742 | PRTL_USER_PROCESS_PARAMETERS pParentProcParams = pPeb->ProcessParameters;
|
---|
| 4743 |
|
---|
[51770] | 4744 | SUPR3HARDENED_ASSERT(g_cSuplibHardenedWindowsMainCalls == 1);
|
---|
| 4745 |
|
---|
| 4746 | /*
|
---|
[52969] | 4747 | * Init the child process data structure, creating the child communication
|
---|
| 4748 | * event sempahores.
|
---|
[52947] | 4749 | */
|
---|
[52969] | 4750 | SUPR3HARDNTCHILD This;
|
---|
| 4751 | RT_ZERO(This);
|
---|
| 4752 | This.iWhich = iWhich;
|
---|
| 4753 |
|
---|
[52949] | 4754 | OBJECT_ATTRIBUTES ObjAttrs;
|
---|
[52969] | 4755 | This.hEvtChild = NULL;
|
---|
[52949] | 4756 | InitializeObjectAttributes(&ObjAttrs, NULL /*pName*/, OBJ_INHERIT, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
[52969] | 4757 | SUPR3HARDENED_ASSERT_NT_SUCCESS(NtCreateEvent(&This.hEvtChild, EVENT_ALL_ACCESS, &ObjAttrs, SynchronizationEvent, FALSE));
|
---|
[52949] | 4758 |
|
---|
[52969] | 4759 | This.hEvtParent = NULL;
|
---|
[52949] | 4760 | InitializeObjectAttributes(&ObjAttrs, NULL /*pName*/, OBJ_INHERIT, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
[52969] | 4761 | SUPR3HARDENED_ASSERT_NT_SUCCESS(NtCreateEvent(&This.hEvtParent, EVENT_ALL_ACCESS, &ObjAttrs, SynchronizationEvent, FALSE));
|
---|
[52947] | 4762 |
|
---|
| 4763 | /*
|
---|
[52139] | 4764 | * Set up security descriptors.
|
---|
| 4765 | */
|
---|
| 4766 | SECURITY_ATTRIBUTES ProcessSecAttrs;
|
---|
| 4767 | MYSECURITYCLEANUP ProcessSecAttrsCleanup;
|
---|
[52969] | 4768 | supR3HardNtChildInitSecAttrs(&ProcessSecAttrs, &ProcessSecAttrsCleanup, true /*fProcess*/);
|
---|
[52139] | 4769 |
|
---|
| 4770 | SECURITY_ATTRIBUTES ThreadSecAttrs;
|
---|
| 4771 | MYSECURITYCLEANUP ThreadSecAttrsCleanup;
|
---|
[52969] | 4772 | supR3HardNtChildInitSecAttrs(&ThreadSecAttrs, &ThreadSecAttrsCleanup, false /*fProcess*/);
|
---|
[52139] | 4773 |
|
---|
| 4774 | #if 1
|
---|
| 4775 | /*
|
---|
[51770] | 4776 | * Configure the startup info and creation flags.
|
---|
| 4777 | */
|
---|
[52139] | 4778 | DWORD dwCreationFlags = CREATE_SUSPENDED;
|
---|
[51770] | 4779 |
|
---|
| 4780 | STARTUPINFOEXW SiEx;
|
---|
| 4781 | suplibHardenedMemSet(&SiEx, 0, sizeof(SiEx));
|
---|
| 4782 | if (1)
|
---|
| 4783 | SiEx.StartupInfo.cb = sizeof(SiEx.StartupInfo);
|
---|
| 4784 | else
|
---|
| 4785 | {
|
---|
| 4786 | SiEx.StartupInfo.cb = sizeof(SiEx);
|
---|
| 4787 | dwCreationFlags |= EXTENDED_STARTUPINFO_PRESENT;
|
---|
| 4788 | /** @todo experiment with protected process stuff later on. */
|
---|
| 4789 | }
|
---|
| 4790 |
|
---|
[52668] | 4791 | SiEx.StartupInfo.dwFlags |= pParentProcParams->WindowFlags & STARTF_USESHOWWINDOW;
|
---|
[52665] | 4792 | SiEx.StartupInfo.wShowWindow = (WORD)pParentProcParams->ShowWindowFlags;
|
---|
| 4793 |
|
---|
[51770] | 4794 | SiEx.StartupInfo.dwFlags |= STARTF_USESTDHANDLES;
|
---|
[52163] | 4795 | SiEx.StartupInfo.hStdInput = pParentProcParams->StandardInput;
|
---|
| 4796 | SiEx.StartupInfo.hStdOutput = pParentProcParams->StandardOutput;
|
---|
| 4797 | SiEx.StartupInfo.hStdError = pParentProcParams->StandardError;
|
---|
[51770] | 4798 |
|
---|
| 4799 | /*
|
---|
| 4800 | * Construct the command line and launch the process.
|
---|
| 4801 | */
|
---|
[52969] | 4802 | PRTUTF16 pwszCmdLine = supR3HardNtChildConstructCmdLine(NULL, iWhich);
|
---|
[51770] | 4803 |
|
---|
[52523] | 4804 | supR3HardenedWinEnableThreadCreation();
|
---|
[76502] | 4805 | PROCESS_INFORMATION ProcessInfoW32 = { NULL, NULL, 0, 0 };
|
---|
[51770] | 4806 | if (!CreateProcessW(g_wszSupLibHardenedExePath,
|
---|
| 4807 | pwszCmdLine,
|
---|
| 4808 | &ProcessSecAttrs,
|
---|
| 4809 | &ThreadSecAttrs,
|
---|
| 4810 | TRUE /*fInheritHandles*/,
|
---|
| 4811 | dwCreationFlags,
|
---|
| 4812 | NULL /*pwszzEnvironment*/,
|
---|
| 4813 | NULL /*pwszCurDir*/,
|
---|
| 4814 | &SiEx.StartupInfo,
|
---|
[52139] | 4815 | &ProcessInfoW32))
|
---|
[51770] | 4816 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, VERR_INVALID_NAME,
|
---|
| 4817 | "Error relaunching VirtualBox VM process: %u\n"
|
---|
| 4818 | "Command line: '%ls'",
|
---|
[52940] | 4819 | RtlGetLastWin32Error(), pwszCmdLine);
|
---|
[52523] | 4820 | supR3HardenedWinDisableThreadCreation();
|
---|
[51770] | 4821 |
|
---|
[52169] | 4822 | SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): New child %x.%x [kernel32].\n",
|
---|
| 4823 | iWhich, ProcessInfoW32.dwProcessId, ProcessInfoW32.dwThreadId));
|
---|
[52969] | 4824 | This.hProcess = ProcessInfoW32.hProcess;
|
---|
| 4825 | This.hThread = ProcessInfoW32.hThread;
|
---|
[52139] | 4826 |
|
---|
| 4827 | #else
|
---|
| 4828 |
|
---|
[51770] | 4829 | /*
|
---|
[52139] | 4830 | * Construct the process parameters.
|
---|
| 4831 | */
|
---|
| 4832 | UNICODE_STRING W32ImageName;
|
---|
| 4833 | W32ImageName.Buffer = g_wszSupLibHardenedExePath; /* Yes the windows name for the process parameters. */
|
---|
| 4834 | W32ImageName.Length = (USHORT)RTUtf16Len(g_wszSupLibHardenedExePath) * sizeof(WCHAR);
|
---|
| 4835 | W32ImageName.MaximumLength = W32ImageName.Length + sizeof(WCHAR);
|
---|
| 4836 |
|
---|
| 4837 | UNICODE_STRING CmdLine;
|
---|
[52969] | 4838 | supR3HardNtChildConstructCmdLine(&CmdLine, iWhich);
|
---|
[52139] | 4839 |
|
---|
| 4840 | PRTL_USER_PROCESS_PARAMETERS pProcParams = NULL;
|
---|
| 4841 | SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateProcessParameters(&pProcParams,
|
---|
| 4842 | &W32ImageName,
|
---|
| 4843 | NULL /* DllPath - inherit from this process */,
|
---|
| 4844 | NULL /* CurrentDirectory - inherit from this process */,
|
---|
| 4845 | &CmdLine,
|
---|
| 4846 | NULL /* Environment - inherit from this process */,
|
---|
| 4847 | NULL /* WindowsTitle - none */,
|
---|
| 4848 | NULL /* DesktopTitle - none. */,
|
---|
| 4849 | NULL /* ShellInfo - none. */,
|
---|
| 4850 | NULL /* RuntimeInfo - none (byte array for MSVCRT file info) */)
|
---|
| 4851 | );
|
---|
| 4852 |
|
---|
| 4853 | /** @todo this doesn't work. :-( */
|
---|
| 4854 | pProcParams->ConsoleHandle = pParentProcParams->ConsoleHandle;
|
---|
| 4855 | pProcParams->ConsoleFlags = pParentProcParams->ConsoleFlags;
|
---|
| 4856 | pProcParams->StandardInput = pParentProcParams->StandardInput;
|
---|
| 4857 | pProcParams->StandardOutput = pParentProcParams->StandardOutput;
|
---|
| 4858 | pProcParams->StandardError = pParentProcParams->StandardError;
|
---|
| 4859 |
|
---|
| 4860 | RTL_USER_PROCESS_INFORMATION ProcessInfoNt = { sizeof(ProcessInfoNt) };
|
---|
[52163] | 4861 | rcNt = RtlCreateUserProcess(&g_SupLibHardenedExeNtPath.UniStr,
|
---|
| 4862 | OBJ_INHERIT | OBJ_CASE_INSENSITIVE /*Attributes*/,
|
---|
| 4863 | pProcParams,
|
---|
| 4864 | NULL, //&ProcessSecAttrs,
|
---|
| 4865 | NULL, //&ThreadSecAttrs,
|
---|
| 4866 | NtCurrentProcess() /* ParentProcess */,
|
---|
| 4867 | FALSE /*fInheritHandles*/,
|
---|
| 4868 | NULL /* DebugPort */,
|
---|
| 4869 | NULL /* ExceptionPort */,
|
---|
| 4870 | &ProcessInfoNt);
|
---|
[52139] | 4871 | if (!NT_SUCCESS(rcNt))
|
---|
| 4872 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, VERR_INVALID_NAME,
|
---|
| 4873 | "Error relaunching VirtualBox VM process: %#x\n"
|
---|
| 4874 | "Command line: '%ls'",
|
---|
| 4875 | rcNt, CmdLine.Buffer);
|
---|
| 4876 |
|
---|
[52169] | 4877 | SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): New child %x.%x [ntdll].\n",
|
---|
| 4878 | iWhich, ProcessInfo.ClientId.UniqueProcess, ProcessInfo.ClientId.UniqueThread));
|
---|
[52139] | 4879 | RtlDestroyProcessParameters(pProcParams);
|
---|
| 4880 |
|
---|
[52969] | 4881 | This.hProcess = ProcessInfoNt.ProcessHandle;
|
---|
| 4882 | This.hThread = ProcessInfoNt.ThreadHandle;
|
---|
[52139] | 4883 | #endif
|
---|
| 4884 |
|
---|
[52204] | 4885 | #ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
|
---|
| 4886 | /*
|
---|
| 4887 | * Apply anti debugger notification trick to the thread. (Also done in
|
---|
[52974] | 4888 | * supR3HardenedWinInit.) This may fail with STATUS_ACCESS_DENIED and
|
---|
[54139] | 4889 | * maybe other errors. (Unfortunately, recent (SEP 12.1) of symantec's
|
---|
| 4890 | * sysplant.sys driver will cause process deadlocks and a shutdown/reboot
|
---|
| 4891 | * denial of service problem if we hide the initial thread, so we postpone
|
---|
| 4892 | * this action if we've detected SEP.)
|
---|
[52204] | 4893 | */
|
---|
[54139] | 4894 | if (!(g_fSupAdversaries & (SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT | SUPHARDNT_ADVERSARY_SYMANTEC_N360)))
|
---|
| 4895 | {
|
---|
| 4896 | rcNt = NtSetInformationThread(This.hThread, ThreadHideFromDebugger, NULL, 0);
|
---|
| 4897 | if (!NT_SUCCESS(rcNt))
|
---|
| 4898 | SUP_DPRINTF(("supR3HardenedWinReSpawn: NtSetInformationThread/ThreadHideFromDebugger failed: %#x (harmless)\n", rcNt));
|
---|
| 4899 | }
|
---|
[52204] | 4900 | #endif
|
---|
[52169] | 4901 |
|
---|
[52139] | 4902 | /*
|
---|
[52969] | 4903 | * Perform very early child initialization.
|
---|
[52139] | 4904 | */
|
---|
[52969] | 4905 | supR3HardNtChildGatherData(&This);
|
---|
| 4906 | supR3HardNtChildScrewUpPebForInitialImageEvents(&This);
|
---|
| 4907 | supR3HardNtChildSetUpChildInit(&This);
|
---|
[52139] | 4908 |
|
---|
[52969] | 4909 | ULONG cSuspendCount = 0;
|
---|
| 4910 | rcNt = NtResumeThread(This.hThread, &cSuspendCount);
|
---|
| 4911 | if (!NT_SUCCESS(rcNt))
|
---|
| 4912 | supR3HardenedWinKillChild(&This, "supR3HardenedWinDoReSpawn", rcNt, "NtResumeThread failed: %#x", rcNt);
|
---|
| 4913 |
|
---|
[52139] | 4914 | /*
|
---|
[52969] | 4915 | * Santizie the pre-NTDLL child when it's ready.
|
---|
| 4916 | *
|
---|
| 4917 | * AV software and other things injecting themselves into the embryonic
|
---|
| 4918 | * and budding process to intercept API calls and what not. Unfortunately
|
---|
| 4919 | * this is also the behavior of viruses, malware and other unfriendly
|
---|
| 4920 | * software, so we won't stand for it. AV software can scan our image
|
---|
| 4921 | * as they are loaded via kernel hooks, that's sufficient. No need for
|
---|
| 4922 | * patching half of NTDLL or messing with the import table of the
|
---|
| 4923 | * process executable.
|
---|
[52139] | 4924 | */
|
---|
[52969] | 4925 | supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_PurifyChildAndCloseHandles, 2000 /*ms*/, "PurifyChildAndCloseHandles");
|
---|
| 4926 | supR3HardNtChildPurify(&This);
|
---|
| 4927 | supR3HardNtChildSanitizePeb(&This);
|
---|
[52947] | 4928 |
|
---|
[52139] | 4929 | /*
|
---|
[51770] | 4930 | * Close the unrestricted access handles. Since we need to wait on the
|
---|
| 4931 | * child process, we'll reopen the process with limited access before doing
|
---|
| 4932 | * away with the process handle returned by CreateProcess.
|
---|
| 4933 | */
|
---|
[52969] | 4934 | supR3HardNtChildCloseFullAccessHandles(&This);
|
---|
[51770] | 4935 |
|
---|
| 4936 | /*
|
---|
[52969] | 4937 | * Signal the child that we've closed the unrestricted handles and it can
|
---|
| 4938 | * safely try open the driver.
|
---|
[52947] | 4939 | */
|
---|
[52969] | 4940 | rcNt = NtSetEvent(This.hEvtChild, NULL);
|
---|
[52949] | 4941 | if (!NT_SUCCESS(rcNt))
|
---|
[52969] | 4942 | supR3HardenedWinKillChild(&This, "supR3HardenedWinReSpawn", VERR_INVALID_NAME,
|
---|
[52949] | 4943 | "NtSetEvent failed on child process handle: %#x\n", rcNt);
|
---|
[52947] | 4944 |
|
---|
| 4945 | /*
|
---|
[52366] | 4946 | * Ditch the loader cache so we don't sit on too much memory while waiting.
|
---|
| 4947 | */
|
---|
| 4948 | supR3HardenedWinFlushLoaderCache();
|
---|
[52941] | 4949 | supR3HardenedWinCompactHeaps();
|
---|
[52366] | 4950 |
|
---|
| 4951 | /*
|
---|
[52666] | 4952 | * Enable thread creation at this point so Ctrl-C and Ctrl-Break can be processed.
|
---|
| 4953 | */
|
---|
| 4954 | supR3HardenedWinEnableThreadCreation();
|
---|
| 4955 |
|
---|
| 4956 | /*
|
---|
[52969] | 4957 | * Wait for the child to get to suplibHardenedWindowsMain so we can close the handles.
|
---|
[51770] | 4958 | */
|
---|
[52969] | 4959 | supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_CloseEvents, 60000 /*ms*/, "CloseEvents");
|
---|
[52163] | 4960 |
|
---|
[52969] | 4961 | NtClose(This.hEvtChild);
|
---|
| 4962 | NtClose(This.hEvtParent);
|
---|
| 4963 | This.hEvtChild = NULL;
|
---|
| 4964 | This.hEvtParent = NULL;
|
---|
[52163] | 4965 |
|
---|
| 4966 | /*
|
---|
[52969] | 4967 | * Wait for the process to terminate.
|
---|
[52163] | 4968 | */
|
---|
[52969] | 4969 | supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_End, RT_INDEFINITE_WAIT, "the end");
|
---|
[62677] | 4970 | supR3HardenedFatal("supR3HardenedWinDoReSpawn: supR3HardNtChildWaitFor unexpectedly returned!\n");
|
---|
| 4971 | /* not reached*/
|
---|
[51770] | 4972 | }
|
---|
| 4973 |
|
---|
| 4974 |
|
---|
[52139] | 4975 | /**
|
---|
[52709] | 4976 | * Logs the content of the given object directory.
|
---|
| 4977 | *
|
---|
| 4978 | * @returns true if it exists, false if not.
|
---|
| 4979 | * @param pszDir The path of the directory to log (ASCII).
|
---|
| 4980 | */
|
---|
| 4981 | static void supR3HardenedWinLogObjDir(const char *pszDir)
|
---|
| 4982 | {
|
---|
| 4983 | /*
|
---|
| 4984 | * Open the driver object directory.
|
---|
| 4985 | */
|
---|
| 4986 | RTUTF16 wszDir[128];
|
---|
| 4987 | int rc = RTUtf16CopyAscii(wszDir, RT_ELEMENTS(wszDir), pszDir);
|
---|
| 4988 | if (RT_FAILURE(rc))
|
---|
| 4989 | {
|
---|
| 4990 | SUP_DPRINTF(("supR3HardenedWinLogObjDir: RTUtf16CopyAscii -> %Rrc on '%s'\n", rc, pszDir));
|
---|
| 4991 | return;
|
---|
| 4992 | }
|
---|
| 4993 |
|
---|
| 4994 | UNICODE_STRING NtDirName;
|
---|
| 4995 | NtDirName.Buffer = (WCHAR *)wszDir;
|
---|
| 4996 | NtDirName.Length = (USHORT)(RTUtf16Len(wszDir) * sizeof(WCHAR));
|
---|
| 4997 | NtDirName.MaximumLength = NtDirName.Length + sizeof(WCHAR);
|
---|
| 4998 |
|
---|
| 4999 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 5000 | InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 5001 |
|
---|
| 5002 | HANDLE hDir;
|
---|
| 5003 | NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY | FILE_LIST_DIRECTORY, &ObjAttr);
|
---|
| 5004 | SUP_DPRINTF(("supR3HardenedWinLogObjDir: %ls => %#x\n", wszDir, rcNt));
|
---|
| 5005 | if (!NT_SUCCESS(rcNt))
|
---|
| 5006 | return;
|
---|
| 5007 |
|
---|
| 5008 | /*
|
---|
| 5009 | * Enumerate it, looking for the driver.
|
---|
| 5010 | */
|
---|
| 5011 | ULONG uObjDirCtx = 0;
|
---|
| 5012 | for (;;)
|
---|
| 5013 | {
|
---|
| 5014 | uint32_t abBuffer[_64K + _1K];
|
---|
| 5015 | ULONG cbActual;
|
---|
| 5016 | rcNt = NtQueryDirectoryObject(hDir,
|
---|
| 5017 | abBuffer,
|
---|
| 5018 | sizeof(abBuffer) - 4, /* minus four for string terminator space. */
|
---|
| 5019 | FALSE /*ReturnSingleEntry */,
|
---|
| 5020 | FALSE /*RestartScan*/,
|
---|
| 5021 | &uObjDirCtx,
|
---|
| 5022 | &cbActual);
|
---|
| 5023 | if (!NT_SUCCESS(rcNt) || cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
|
---|
| 5024 | {
|
---|
| 5025 | SUP_DPRINTF(("supR3HardenedWinLogObjDir: NtQueryDirectoryObject => rcNt=%#x cbActual=%#x\n", rcNt, cbActual));
|
---|
| 5026 | break;
|
---|
| 5027 | }
|
---|
| 5028 |
|
---|
| 5029 | POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
|
---|
| 5030 | while (pObjDir->Name.Length != 0)
|
---|
| 5031 | {
|
---|
| 5032 | SUP_DPRINTF((" %.*ls %.*ls\n",
|
---|
| 5033 | pObjDir->TypeName.Length / sizeof(WCHAR), pObjDir->TypeName.Buffer,
|
---|
| 5034 | pObjDir->Name.Length / sizeof(WCHAR), pObjDir->Name.Buffer));
|
---|
| 5035 |
|
---|
| 5036 | /* Next directory entry. */
|
---|
| 5037 | pObjDir++;
|
---|
| 5038 | }
|
---|
| 5039 | }
|
---|
| 5040 |
|
---|
| 5041 | /*
|
---|
| 5042 | * Clean up and return.
|
---|
| 5043 | */
|
---|
| 5044 | NtClose(hDir);
|
---|
| 5045 | }
|
---|
| 5046 |
|
---|
| 5047 |
|
---|
| 5048 | /**
|
---|
[53002] | 5049 | * Tries to open VBoxDrvErrorInfo and read extra error info from it.
|
---|
| 5050 | *
|
---|
| 5051 | * @returns pszErrorInfo.
|
---|
| 5052 | * @param pszErrorInfo The destination buffer. Will always be
|
---|
| 5053 | * terminated.
|
---|
| 5054 | * @param cbErrorInfo The size of the destination buffer.
|
---|
| 5055 | * @param pszPrefix What to prefix the error info with, if we got
|
---|
| 5056 | * anything.
|
---|
| 5057 | */
|
---|
| 5058 | DECLHIDDEN(char *) supR3HardenedWinReadErrorInfoDevice(char *pszErrorInfo, size_t cbErrorInfo, const char *pszPrefix)
|
---|
| 5059 | {
|
---|
| 5060 | RT_BZERO(pszErrorInfo, cbErrorInfo);
|
---|
| 5061 |
|
---|
| 5062 | /*
|
---|
| 5063 | * Try open the device.
|
---|
| 5064 | */
|
---|
| 5065 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 5066 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 5067 | UNICODE_STRING NtName = RTNT_CONSTANT_UNISTR(SUPDRV_NT_DEVICE_NAME_ERROR_INFO);
|
---|
| 5068 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 5069 | InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 5070 | NTSTATUS rcNt = NtCreateFile(&hFile,
|
---|
[53036] | 5071 | GENERIC_READ, /* No SYNCHRONIZE. */
|
---|
[53002] | 5072 | &ObjAttr,
|
---|
| 5073 | &Ios,
|
---|
| 5074 | NULL /* Allocation Size*/,
|
---|
| 5075 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 5076 | FILE_SHARE_READ | FILE_SHARE_WRITE,
|
---|
| 5077 | FILE_OPEN,
|
---|
[53036] | 5078 | FILE_NON_DIRECTORY_FILE, /* No FILE_SYNCHRONOUS_IO_NONALERT. */
|
---|
[53002] | 5079 | NULL /*EaBuffer*/,
|
---|
| 5080 | 0 /*EaLength*/);
|
---|
| 5081 | if (NT_SUCCESS(rcNt))
|
---|
| 5082 | rcNt = Ios.Status;
|
---|
| 5083 | if (NT_SUCCESS(rcNt))
|
---|
| 5084 | {
|
---|
| 5085 | /*
|
---|
| 5086 | * Try read error info.
|
---|
| 5087 | */
|
---|
| 5088 | size_t cchPrefix = strlen(pszPrefix);
|
---|
| 5089 | if (cchPrefix + 3 < cbErrorInfo)
|
---|
| 5090 | {
|
---|
| 5091 | LARGE_INTEGER offRead;
|
---|
| 5092 | offRead.QuadPart = 0;
|
---|
| 5093 | rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios,
|
---|
| 5094 | &pszErrorInfo[cchPrefix], (ULONG)(cbErrorInfo - cchPrefix - 1), &offRead, NULL);
|
---|
[57201] | 5095 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status) && Ios.Information > 0)
|
---|
[53002] | 5096 | {
|
---|
| 5097 | memcpy(pszErrorInfo, pszPrefix, cchPrefix);
|
---|
[59811] | 5098 | pszErrorInfo[RT_MIN(cbErrorInfo - 1, cchPrefix + Ios.Information)] = '\0';
|
---|
[53003] | 5099 | SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: '%s'", &pszErrorInfo[cchPrefix]));
|
---|
[53002] | 5100 | }
|
---|
| 5101 | else
|
---|
[53003] | 5102 | {
|
---|
[53002] | 5103 | *pszErrorInfo = '\0';
|
---|
[57201] | 5104 | if (rcNt != STATUS_END_OF_FILE || Ios.Status != STATUS_END_OF_FILE)
|
---|
| 5105 | SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: NtReadFile -> %#x / %#x / %p\n",
|
---|
| 5106 | rcNt, Ios.Status, Ios.Information));
|
---|
[53003] | 5107 | }
|
---|
[53002] | 5108 | }
|
---|
| 5109 | else
|
---|
| 5110 | RTStrCopy(pszErrorInfo, cbErrorInfo, "error info buffer too small");
|
---|
| 5111 | NtClose(hFile);
|
---|
| 5112 | }
|
---|
[53003] | 5113 | else
|
---|
| 5114 | SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: NtCreateFile -> %#x\n", rcNt));
|
---|
| 5115 |
|
---|
[53002] | 5116 | return pszErrorInfo;
|
---|
| 5117 | }
|
---|
| 5118 |
|
---|
| 5119 |
|
---|
| 5120 |
|
---|
| 5121 | /**
|
---|
[52139] | 5122 | * Checks if the driver exists.
|
---|
| 5123 | *
|
---|
| 5124 | * This checks whether the driver is present in the /Driver object directory.
|
---|
| 5125 | * Drivers being initialized or terminated will have an object there
|
---|
| 5126 | * before/after their devices nodes are created/deleted.
|
---|
| 5127 | *
|
---|
| 5128 | * @returns true if it exists, false if not.
|
---|
| 5129 | * @param pszDriver The driver name.
|
---|
| 5130 | */
|
---|
[51945] | 5131 | static bool supR3HardenedWinDriverExists(const char *pszDriver)
|
---|
| 5132 | {
|
---|
| 5133 | /*
|
---|
| 5134 | * Open the driver object directory.
|
---|
| 5135 | */
|
---|
[52438] | 5136 | UNICODE_STRING NtDirName = RTNT_CONSTANT_UNISTR(L"\\Driver");
|
---|
[51945] | 5137 |
|
---|
| 5138 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 5139 | InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 5140 |
|
---|
| 5141 | HANDLE hDir;
|
---|
| 5142 | NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY | FILE_LIST_DIRECTORY, &ObjAttr);
|
---|
| 5143 | #ifdef VBOX_STRICT
|
---|
| 5144 | SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
|
---|
| 5145 | #endif
|
---|
| 5146 | if (!NT_SUCCESS(rcNt))
|
---|
| 5147 | return true;
|
---|
| 5148 |
|
---|
| 5149 | /*
|
---|
| 5150 | * Enumerate it, looking for the driver.
|
---|
| 5151 | */
|
---|
| 5152 | bool fFound = true;
|
---|
| 5153 | ULONG uObjDirCtx = 0;
|
---|
| 5154 | do
|
---|
| 5155 | {
|
---|
| 5156 | uint32_t abBuffer[_64K + _1K];
|
---|
| 5157 | ULONG cbActual;
|
---|
| 5158 | rcNt = NtQueryDirectoryObject(hDir,
|
---|
| 5159 | abBuffer,
|
---|
| 5160 | sizeof(abBuffer) - 4, /* minus four for string terminator space. */
|
---|
| 5161 | FALSE /*ReturnSingleEntry */,
|
---|
| 5162 | FALSE /*RestartScan*/,
|
---|
| 5163 | &uObjDirCtx,
|
---|
| 5164 | &cbActual);
|
---|
| 5165 | if (!NT_SUCCESS(rcNt) || cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
|
---|
| 5166 | break;
|
---|
| 5167 |
|
---|
| 5168 | POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
|
---|
| 5169 | while (pObjDir->Name.Length != 0)
|
---|
| 5170 | {
|
---|
| 5171 | WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)];
|
---|
| 5172 | pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0';
|
---|
| 5173 | if ( pObjDir->Name.Length > 1
|
---|
| 5174 | && RTUtf16ICmpAscii(pObjDir->Name.Buffer, pszDriver) == 0)
|
---|
| 5175 | {
|
---|
| 5176 | fFound = true;
|
---|
| 5177 | break;
|
---|
| 5178 | }
|
---|
| 5179 | pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved;
|
---|
| 5180 |
|
---|
| 5181 | /* Next directory entry. */
|
---|
| 5182 | pObjDir++;
|
---|
| 5183 | }
|
---|
| 5184 | } while (!fFound);
|
---|
| 5185 |
|
---|
| 5186 | /*
|
---|
| 5187 | * Clean up and return.
|
---|
| 5188 | */
|
---|
| 5189 | NtClose(hDir);
|
---|
| 5190 |
|
---|
| 5191 | return fFound;
|
---|
| 5192 | }
|
---|
| 5193 |
|
---|
| 5194 |
|
---|
[51770] | 5195 | /**
|
---|
[52139] | 5196 | * Open the stub device before the 2nd respawn.
|
---|
[51770] | 5197 | */
|
---|
[52139] | 5198 | static void supR3HardenedWinOpenStubDevice(void)
|
---|
[51770] | 5199 | {
|
---|
[52949] | 5200 | if (g_fSupStubOpened)
|
---|
| 5201 | return;
|
---|
| 5202 |
|
---|
[51770] | 5203 | /*
|
---|
[52139] | 5204 | * Retry if we think driver might still be initializing (STATUS_NO_SUCH_DEVICE + \Drivers\VBoxDrv).
|
---|
[51770] | 5205 | */
|
---|
[53002] | 5206 | static const WCHAR s_wszName[] = SUPDRV_NT_DEVICE_NAME_STUB;
|
---|
[52949] | 5207 | uint64_t const uMsTsStart = supR3HardenedWinGetMilliTS();
|
---|
[51945] | 5208 | NTSTATUS rcNt;
|
---|
| 5209 | uint32_t iTry;
|
---|
[51770] | 5210 |
|
---|
[51945] | 5211 | for (iTry = 0;; iTry++)
|
---|
| 5212 | {
|
---|
| 5213 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 5214 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
[51770] | 5215 |
|
---|
[51945] | 5216 | UNICODE_STRING NtName;
|
---|
| 5217 | NtName.Buffer = (PWSTR)s_wszName;
|
---|
| 5218 | NtName.Length = sizeof(s_wszName) - sizeof(WCHAR);
|
---|
| 5219 | NtName.MaximumLength = sizeof(s_wszName);
|
---|
| 5220 |
|
---|
| 5221 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 5222 | InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 5223 |
|
---|
| 5224 | rcNt = NtCreateFile(&hFile,
|
---|
[53036] | 5225 | GENERIC_READ | GENERIC_WRITE, /* No SYNCHRONIZE. */
|
---|
[51945] | 5226 | &ObjAttr,
|
---|
| 5227 | &Ios,
|
---|
| 5228 | NULL /* Allocation Size*/,
|
---|
| 5229 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 5230 | FILE_SHARE_READ | FILE_SHARE_WRITE,
|
---|
| 5231 | FILE_OPEN,
|
---|
[53036] | 5232 | FILE_NON_DIRECTORY_FILE, /* No FILE_SYNCHRONOUS_IO_NONALERT. */
|
---|
[51945] | 5233 | NULL /*EaBuffer*/,
|
---|
| 5234 | 0 /*EaLength*/);
|
---|
| 5235 | if (NT_SUCCESS(rcNt))
|
---|
| 5236 | rcNt = Ios.Status;
|
---|
| 5237 |
|
---|
| 5238 | /* The STATUS_NO_SUCH_DEVICE might be returned if the device is not
|
---|
| 5239 | completely initialized. Delay a little bit and try again. */
|
---|
| 5240 | if (rcNt != STATUS_NO_SUCH_DEVICE)
|
---|
| 5241 | break;
|
---|
[52949] | 5242 | if (iTry > 0 && supR3HardenedWinGetMilliTS() - uMsTsStart > 5000) /* 5 sec, at least two tries */
|
---|
[51945] | 5243 | break;
|
---|
| 5244 | if (!supR3HardenedWinDriverExists("VBoxDrv"))
|
---|
| 5245 | {
|
---|
| 5246 | /** @todo Consider starting the VBoxdrv.sys service. Requires 2nd process
|
---|
| 5247 | * though, rather complicated actually as CreateProcess causes all
|
---|
| 5248 | * kind of things to happen to this process which would make it hard to
|
---|
| 5249 | * pass the process verification tests... :-/ */
|
---|
| 5250 | break;
|
---|
| 5251 | }
|
---|
| 5252 |
|
---|
| 5253 | LARGE_INTEGER Time;
|
---|
| 5254 | if (iTry < 8)
|
---|
| 5255 | Time.QuadPart = -1000000 / 100; /* 1ms in 100ns units, relative time. */
|
---|
| 5256 | else
|
---|
| 5257 | Time.QuadPart = -32000000 / 100; /* 32ms in 100ns units, relative time. */
|
---|
| 5258 | NtDelayExecution(TRUE, &Time);
|
---|
| 5259 | }
|
---|
| 5260 |
|
---|
[52949] | 5261 | if (NT_SUCCESS(rcNt))
|
---|
| 5262 | g_fSupStubOpened = true;
|
---|
| 5263 | else
|
---|
[51770] | 5264 | {
|
---|
[52709] | 5265 | /*
|
---|
| 5266 | * Report trouble (fatal). For some errors codes we try gather some
|
---|
| 5267 | * extra information that goes into VBoxStartup.log so that we stand a
|
---|
| 5268 | * better chance resolving the issue.
|
---|
| 5269 | */
|
---|
[57501] | 5270 | char szErrorInfo[16384];
|
---|
[51907] | 5271 | int rc = VERR_OPEN_FAILED;
|
---|
| 5272 | if (SUP_NT_STATUS_IS_VBOX(rcNt)) /* See VBoxDrvNtErr2NtStatus. */
|
---|
[52709] | 5273 | {
|
---|
[51907] | 5274 | rc = SUP_NT_STATUS_TO_VBOX(rcNt);
|
---|
[52709] | 5275 |
|
---|
| 5276 | /*
|
---|
| 5277 | * \Windows\ApiPort open trouble. So far only
|
---|
| 5278 | * STATUS_OBJECT_TYPE_MISMATCH has been observed.
|
---|
| 5279 | */
|
---|
| 5280 | if (rc == VERR_SUPDRV_APIPORT_OPEN_ERROR)
|
---|
| 5281 | {
|
---|
| 5282 | SUP_DPRINTF(("Error opening VBoxDrvStub: VERR_SUPDRV_APIPORT_OPEN_ERROR\n"));
|
---|
| 5283 |
|
---|
| 5284 | uint32_t uSessionId = NtCurrentPeb()->SessionId;
|
---|
| 5285 | SUP_DPRINTF((" SessionID=%#x\n", uSessionId));
|
---|
| 5286 | char szDir[64];
|
---|
| 5287 | if (uSessionId == 0)
|
---|
| 5288 | RTStrCopy(szDir, sizeof(szDir), "\\Windows");
|
---|
| 5289 | else
|
---|
| 5290 | {
|
---|
| 5291 | RTStrPrintf(szDir, sizeof(szDir), "\\Sessions\\%u\\Windows", uSessionId);
|
---|
| 5292 | supR3HardenedWinLogObjDir(szDir);
|
---|
| 5293 | }
|
---|
| 5294 | supR3HardenedWinLogObjDir("\\Windows");
|
---|
| 5295 | supR3HardenedWinLogObjDir("\\Sessions");
|
---|
[53002] | 5296 |
|
---|
[52709] | 5297 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, rc,
|
---|
| 5298 | "NtCreateFile(%ls) failed: VERR_SUPDRV_APIPORT_OPEN_ERROR\n"
|
---|
| 5299 | "\n"
|
---|
[96166] | 5300 | "Error getting %s\\ApiPort in the driver from vboxsup.\n"
|
---|
[52709] | 5301 | "\n"
|
---|
| 5302 | "Could be due to security software is redirecting access to it, so please include full "
|
---|
| 5303 | "details of such software in a bug report. VBoxStartup.log may contain details important "
|
---|
[53002] | 5304 | "to resolving the issue.%s"
|
---|
| 5305 | , s_wszName, szDir,
|
---|
| 5306 | supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
|
---|
| 5307 | "\n\nVBoxDrvStub error: "));
|
---|
[52709] | 5308 | }
|
---|
| 5309 |
|
---|
| 5310 | /*
|
---|
| 5311 | * Generic VBox failure message.
|
---|
| 5312 | */
|
---|
| 5313 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, rc,
|
---|
[53002] | 5314 | "NtCreateFile(%ls) failed: %Rrc (rcNt=%#x)%s", s_wszName, rc, rcNt,
|
---|
| 5315 | supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
|
---|
[57501] | 5316 | "\nVBoxDrvStub error: "));
|
---|
[52709] | 5317 | }
|
---|
[51770] | 5318 | else
|
---|
[51921] | 5319 | {
|
---|
| 5320 | const char *pszDefine;
|
---|
| 5321 | switch (rcNt)
|
---|
| 5322 | {
|
---|
[51936] | 5323 | case STATUS_NO_SUCH_DEVICE: pszDefine = " STATUS_NO_SUCH_DEVICE"; break;
|
---|
| 5324 | case STATUS_OBJECT_NAME_NOT_FOUND: pszDefine = " STATUS_OBJECT_NAME_NOT_FOUND"; break;
|
---|
| 5325 | case STATUS_ACCESS_DENIED: pszDefine = " STATUS_ACCESS_DENIED"; break;
|
---|
| 5326 | case STATUS_TRUST_FAILURE: pszDefine = " STATUS_TRUST_FAILURE"; break;
|
---|
| 5327 | default: pszDefine = ""; break;
|
---|
[51921] | 5328 | }
|
---|
[52709] | 5329 |
|
---|
| 5330 | /*
|
---|
| 5331 | * Problems opening the device is generally due to driver load/
|
---|
| 5332 | * unload issues. Check whether the driver is loaded and make
|
---|
| 5333 | * suggestions accordingly.
|
---|
| 5334 | */
|
---|
[52949] | 5335 | /** @todo don't fail during early init, wait till later and try load the driver if missing or at least query the service manager for additional information. */
|
---|
[52709] | 5336 | if ( rcNt == STATUS_NO_SUCH_DEVICE
|
---|
| 5337 | || rcNt == STATUS_OBJECT_NAME_NOT_FOUND)
|
---|
| 5338 | {
|
---|
| 5339 | SUP_DPRINTF(("Error opening VBoxDrvStub: %s\n", pszDefine));
|
---|
| 5340 | if (supR3HardenedWinDriverExists("VBoxDrv"))
|
---|
| 5341 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
|
---|
| 5342 | "NtCreateFile(%ls) failed: %#x%s (%u retries)\n"
|
---|
| 5343 | "\n"
|
---|
[96138] | 5344 | "Driver is probably stuck stopping/starting. Try 'sc.exe query vboxsup' to get more "
|
---|
[53002] | 5345 | "information about its state. Rebooting may actually help.%s"
|
---|
| 5346 | , s_wszName, rcNt, pszDefine, iTry,
|
---|
| 5347 | supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
|
---|
| 5348 | "\nVBoxDrvStub error: "));
|
---|
[52709] | 5349 | else
|
---|
| 5350 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
|
---|
| 5351 | "NtCreateFile(%ls) failed: %#x%s (%u retries)\n"
|
---|
| 5352 | "\n"
|
---|
[96138] | 5353 | "Driver is does not appear to be loaded. Try 'sc.exe start vboxsup', reinstall "
|
---|
[53002] | 5354 | "VirtualBox or reboot.%s"
|
---|
| 5355 | , s_wszName, rcNt, pszDefine, iTry,
|
---|
| 5356 | supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
|
---|
| 5357 | "\nVBoxDrvStub error: "));
|
---|
[52709] | 5358 | }
|
---|
| 5359 |
|
---|
| 5360 | /* Generic NT failure message. */
|
---|
[51770] | 5361 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
|
---|
[53002] | 5362 | "NtCreateFile(%ls) failed: %#x%s (%u retries)%s",
|
---|
| 5363 | s_wszName, rcNt, pszDefine, iTry,
|
---|
| 5364 | supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
|
---|
| 5365 | "\nVBoxDrvStub error: "));
|
---|
[51921] | 5366 | }
|
---|
[51770] | 5367 | }
|
---|
[52139] | 5368 | }
|
---|
[51770] | 5369 |
|
---|
[52139] | 5370 |
|
---|
| 5371 | /**
|
---|
| 5372 | * Called by the main code if supR3HardenedWinIsReSpawnNeeded returns @c true.
|
---|
| 5373 | *
|
---|
| 5374 | * @returns Program exit code.
|
---|
| 5375 | */
|
---|
| 5376 | DECLHIDDEN(int) supR3HardenedWinReSpawn(int iWhich)
|
---|
| 5377 | {
|
---|
[51770] | 5378 | /*
|
---|
[52139] | 5379 | * Before the 2nd respawn we set up a child protection deal with the
|
---|
[52949] | 5380 | * support driver via /Devices/VBoxDrvStub. (We tried to do this
|
---|
[96166] | 5381 | * during the early init, but in case we had trouble accessing vboxdrv
|
---|
| 5382 | * (renamed to vboxsup in 7.0 and 6.1.34) we retry it here where we
|
---|
| 5383 | * have kernel32.dll and others to pull in for better diagnostics.)
|
---|
[52139] | 5384 | */
|
---|
| 5385 | if (iWhich == 2)
|
---|
| 5386 | supR3HardenedWinOpenStubDevice();
|
---|
| 5387 |
|
---|
| 5388 | /*
|
---|
[52954] | 5389 | * Make sure we're alone in the stub process before creating the VM process
|
---|
[58405] | 5390 | * and that there aren't any debuggers attached.
|
---|
[52954] | 5391 | */
|
---|
| 5392 | if (iWhich == 2)
|
---|
| 5393 | {
|
---|
| 5394 | int rc = supHardNtVpDebugger(NtCurrentProcess(), RTErrInfoInitStatic(&g_ErrInfoStatic));
|
---|
| 5395 | if (RT_SUCCESS(rc))
|
---|
| 5396 | rc = supHardNtVpThread(NtCurrentProcess(), NtCurrentThread(), RTErrInfoInitStatic(&g_ErrInfoStatic));
|
---|
| 5397 | if (RT_FAILURE(rc))
|
---|
| 5398 | supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Integrity, rc, "%s", g_ErrInfoStatic.szMsg);
|
---|
| 5399 | }
|
---|
| 5400 |
|
---|
| 5401 |
|
---|
| 5402 | /*
|
---|
[51770] | 5403 | * Respawn the process with kernel protection for the new process.
|
---|
| 5404 | */
|
---|
[52969] | 5405 | supR3HardenedWinDoReSpawn(iWhich);
|
---|
[62677] | 5406 | /* not reached! */
|
---|
[51770] | 5407 | }
|
---|
| 5408 |
|
---|
| 5409 |
|
---|
| 5410 | /**
|
---|
| 5411 | * Checks if re-spawning is required, replacing the respawn argument if not.
|
---|
| 5412 | *
|
---|
| 5413 | * @returns true if required, false if not. In the latter case, the first
|
---|
| 5414 | * argument in the vector is replaced.
|
---|
[52139] | 5415 | * @param iWhich Which respawn we're to check for, 1 being the
|
---|
| 5416 | * first one, and 2 the second and final.
|
---|
[51770] | 5417 | * @param cArgs The number of arguments.
|
---|
| 5418 | * @param papszArgs Pointer to the argument vector.
|
---|
| 5419 | */
|
---|
[52139] | 5420 | DECLHIDDEN(bool) supR3HardenedWinIsReSpawnNeeded(int iWhich, int cArgs, char **papszArgs)
|
---|
[51770] | 5421 | {
|
---|
| 5422 | SUPR3HARDENED_ASSERT(g_cSuplibHardenedWindowsMainCalls == 1);
|
---|
[52139] | 5423 | SUPR3HARDENED_ASSERT(iWhich == 1 || iWhich == 2);
|
---|
[51770] | 5424 |
|
---|
| 5425 | if (cArgs < 1)
|
---|
| 5426 | return true;
|
---|
[52139] | 5427 |
|
---|
| 5428 | if (suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_1_ARG0) == 0)
|
---|
| 5429 | {
|
---|
| 5430 | if (iWhich > 1)
|
---|
| 5431 | return true;
|
---|
| 5432 | }
|
---|
| 5433 | else if (suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_2_ARG0) == 0)
|
---|
| 5434 | {
|
---|
| 5435 | if (iWhich < 2)
|
---|
| 5436 | return false;
|
---|
| 5437 | }
|
---|
| 5438 | else
|
---|
[51770] | 5439 | return true;
|
---|
| 5440 |
|
---|
| 5441 | /* Replace the argument. */
|
---|
| 5442 | papszArgs[0] = g_szSupLibHardenedExePath;
|
---|
| 5443 | return false;
|
---|
| 5444 | }
|
---|
| 5445 |
|
---|
| 5446 |
|
---|
| 5447 | /**
|
---|
[52953] | 5448 | * Initializes the windows verficiation bits and other things we're better off
|
---|
| 5449 | * doing after main() has passed on it's data.
|
---|
| 5450 | *
|
---|
[51770] | 5451 | * @param fFlags The main flags.
|
---|
[52943] | 5452 | * @param fAvastKludge Whether to apply the avast kludge.
|
---|
[51770] | 5453 | */
|
---|
[52943] | 5454 | DECLHIDDEN(void) supR3HardenedWinInit(uint32_t fFlags, bool fAvastKludge)
|
---|
[51770] | 5455 | {
|
---|
[52968] | 5456 | NTSTATUS rcNt;
|
---|
| 5457 |
|
---|
[52953] | 5458 | #ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
|
---|
[52947] | 5459 | /*
|
---|
[52953] | 5460 | * Install a anti debugging hack before we continue. This prevents most
|
---|
| 5461 | * notifications from ending up in the debugger. (Also applied to the
|
---|
| 5462 | * child process when respawning.)
|
---|
| 5463 | */
|
---|
| 5464 | rcNt = NtSetInformationThread(NtCurrentThread(), ThreadHideFromDebugger, NULL, 0);
|
---|
| 5465 | if (!NT_SUCCESS(rcNt))
|
---|
| 5466 | supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
|
---|
| 5467 | "NtSetInformationThread/ThreadHideFromDebugger failed: %#x\n", rcNt);
|
---|
| 5468 | #endif
|
---|
| 5469 |
|
---|
| 5470 | /*
|
---|
[52947] | 5471 | * Init the verifier.
|
---|
| 5472 | */
|
---|
[51770] | 5473 | RTErrInfoInitStatic(&g_ErrInfoStatic);
|
---|
| 5474 | int rc = supHardenedWinInitImageVerifier(&g_ErrInfoStatic.Core);
|
---|
| 5475 | if (RT_FAILURE(rc))
|
---|
| 5476 | supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rc,
|
---|
| 5477 | "supHardenedWinInitImageVerifier failed: %s", g_ErrInfoStatic.szMsg);
|
---|
| 5478 |
|
---|
[52947] | 5479 | /*
|
---|
| 5480 | * Get the windows system directory from the KnownDlls dir.
|
---|
| 5481 | */
|
---|
| 5482 | HANDLE hSymlink = INVALID_HANDLE_VALUE;
|
---|
| 5483 | UNICODE_STRING UniStr = RTNT_CONSTANT_UNISTR(L"\\KnownDlls\\KnownDllPath");
|
---|
| 5484 | OBJECT_ATTRIBUTES ObjAttrs;
|
---|
| 5485 | InitializeObjectAttributes(&ObjAttrs, &UniStr, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
[52968] | 5486 | rcNt = NtOpenSymbolicLinkObject(&hSymlink, SYMBOLIC_LINK_QUERY, &ObjAttrs);
|
---|
[52947] | 5487 | if (!NT_SUCCESS(rcNt))
|
---|
| 5488 | supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rcNt, "Error opening '%ls': %#x", UniStr.Buffer, rcNt);
|
---|
| 5489 |
|
---|
| 5490 | g_System32WinPath.UniStr.Buffer = g_System32WinPath.awcBuffer;
|
---|
| 5491 | g_System32WinPath.UniStr.Length = 0;
|
---|
| 5492 | g_System32WinPath.UniStr.MaximumLength = sizeof(g_System32WinPath.awcBuffer) - sizeof(RTUTF16);
|
---|
| 5493 | rcNt = NtQuerySymbolicLinkObject(hSymlink, &g_System32WinPath.UniStr, NULL);
|
---|
| 5494 | if (!NT_SUCCESS(rcNt))
|
---|
| 5495 | supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rcNt, "Error querying '%ls': %#x", UniStr.Buffer, rcNt);
|
---|
| 5496 | g_System32WinPath.UniStr.Buffer[g_System32WinPath.UniStr.Length / sizeof(RTUTF16)] = '\0';
|
---|
| 5497 |
|
---|
| 5498 | SUP_DPRINTF(("KnownDllPath: %ls\n", g_System32WinPath.UniStr.Buffer));
|
---|
| 5499 | NtClose(hSymlink);
|
---|
| 5500 |
|
---|
[52089] | 5501 | if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
|
---|
[52204] | 5502 | {
|
---|
[52943] | 5503 | if (fAvastKludge)
|
---|
[52433] | 5504 | {
|
---|
[52943] | 5505 | /*
|
---|
| 5506 | * Do a self purification to cure avast's weird NtOpenFile write-thru
|
---|
| 5507 | * change in GetBinaryTypeW change in kernel32. Unfortunately, avast
|
---|
| 5508 | * uses a system thread to perform the process modifications, which
|
---|
| 5509 | * means it's hard to make sure it had the chance to make them...
|
---|
| 5510 | *
|
---|
| 5511 | * We have to resort to kludge doing yield and sleep fudging for a
|
---|
| 5512 | * number of milliseconds and schedulings before we can hope that avast
|
---|
| 5513 | * and similar products have done what they need to do. If we do any
|
---|
| 5514 | * fixes, we wait for a while again and redo it until we're clean.
|
---|
| 5515 | *
|
---|
| 5516 | * This is unfortunately kind of fragile.
|
---|
| 5517 | */
|
---|
| 5518 | uint32_t cMsFudge = g_fSupAdversaries ? 512 : 128;
|
---|
| 5519 | uint32_t cFixes;
|
---|
| 5520 | for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
|
---|
[52529] | 5521 | {
|
---|
[52949] | 5522 | uint32_t cSleeps = 0;
|
---|
| 5523 | uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
|
---|
[52943] | 5524 | do
|
---|
| 5525 | {
|
---|
| 5526 | NtYieldExecution();
|
---|
| 5527 | LARGE_INTEGER Time;
|
---|
| 5528 | Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
|
---|
| 5529 | NtDelayExecution(FALSE, &Time);
|
---|
| 5530 | cSleeps++;
|
---|
[52949] | 5531 | } while ( supR3HardenedWinGetMilliTS() - uMsTsStart <= cMsFudge
|
---|
[52943] | 5532 | || cSleeps < 8);
|
---|
| 5533 | SUP_DPRINTF(("supR3HardenedWinInit: Startup delay kludge #2/%u: %u ms, %u sleeps\n",
|
---|
[52949] | 5534 | iLoop, supR3HardenedWinGetMilliTS() - uMsTsStart, cSleeps));
|
---|
[52433] | 5535 |
|
---|
[52943] | 5536 | cFixes = 0;
|
---|
| 5537 | rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION,
|
---|
[53017] | 5538 | 0 /*fFlags*/, &cFixes, NULL /*pErrInfo*/);
|
---|
[52943] | 5539 | if (RT_FAILURE(rc) || cFixes == 0)
|
---|
| 5540 | break;
|
---|
[52204] | 5541 |
|
---|
[52943] | 5542 | if (!g_fSupAdversaries)
|
---|
| 5543 | g_fSupAdversaries |= SUPHARDNT_ADVERSARY_UNKNOWN;
|
---|
| 5544 | cMsFudge = 512;
|
---|
[52875] | 5545 |
|
---|
[52943] | 5546 | /* Log the KiOpPrefetchPatchCount value if available, hoping it might sched some light on spider38's case. */
|
---|
| 5547 | ULONG cPatchCount = 0;
|
---|
[52947] | 5548 | rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
|
---|
| 5549 | &cPatchCount, sizeof(cPatchCount), NULL);
|
---|
[52943] | 5550 | if (NT_SUCCESS(rcNt))
|
---|
| 5551 | SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
|
---|
| 5552 | cFixes, g_fSupAdversaries, cPatchCount));
|
---|
| 5553 | else
|
---|
| 5554 | SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
|
---|
| 5555 | }
|
---|
[52739] | 5556 | }
|
---|
| 5557 |
|
---|
[52433] | 5558 | /*
|
---|
| 5559 | * Install the hooks.
|
---|
| 5560 | */
|
---|
[52089] | 5561 | supR3HardenedWinInstallHooks();
|
---|
[52204] | 5562 | }
|
---|
[80216] | 5563 | else if (fFlags & SUPSECMAIN_FLAGS_FIRST_PROCESS)
|
---|
| 5564 | {
|
---|
| 5565 | /*
|
---|
| 5566 | * Try shake anyone (e.g. easyhook) patching process creation code in
|
---|
[80217] | 5567 | * kernelbase, kernel32 or ntdll so they won't so easily cause the child
|
---|
[80216] | 5568 | * to crash when we respawn and purify it.
|
---|
| 5569 | */
|
---|
[80217] | 5570 | SUP_DPRINTF(("supR3HardenedWinInit: Performing a limited self purification...\n"));
|
---|
[80216] | 5571 | uint32_t cFixes = 0;
|
---|
| 5572 | rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED,
|
---|
| 5573 | 0 /*fFlags*/, &cFixes, NULL /*pErrInfo*/);
|
---|
| 5574 | SUP_DPRINTF(("supR3HardenedWinInit: SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED -> %Rrc, cFixes=%d\n", rc, cFixes));
|
---|
| 5575 | RT_NOREF(rc); /* ignored on purpose */
|
---|
| 5576 | }
|
---|
[52089] | 5577 |
|
---|
[51770] | 5578 | #ifndef VBOX_WITH_VISTA_NO_SP
|
---|
| 5579 | /*
|
---|
| 5580 | * Complain about Vista w/o service pack if we're launching a VM.
|
---|
| 5581 | */
|
---|
| 5582 | if ( !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
|
---|
| 5583 | && g_uNtVerCombined >= SUP_NT_VER_VISTA
|
---|
| 5584 | && g_uNtVerCombined < SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0))
|
---|
| 5585 | supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, VERR_NOT_SUPPORTED,
|
---|
| 5586 | "Window Vista without any service pack installed is not supported. Please install the latest service pack.");
|
---|
| 5587 | #endif
|
---|
| 5588 | }
|
---|
| 5589 |
|
---|
| 5590 |
|
---|
| 5591 | /**
|
---|
[56733] | 5592 | * Modifies the DLL search path for testcases.
|
---|
| 5593 | *
|
---|
| 5594 | * This makes sure the application binary path is in the search path. When
|
---|
| 5595 | * starting a testcase executable in the testcase/ subdirectory this isn't the
|
---|
| 5596 | * case by default. So, unless we do something about it we won't be able to
|
---|
| 5597 | * import VBox DLLs.
|
---|
| 5598 | *
|
---|
| 5599 | * @param fFlags The main flags (giving the location).
|
---|
| 5600 | * @param pszAppBinPath The path to the application binary directory
|
---|
| 5601 | * (windows style).
|
---|
| 5602 | */
|
---|
| 5603 | DECLHIDDEN(void) supR3HardenedWinModifyDllSearchPath(uint32_t fFlags, const char *pszAppBinPath)
|
---|
| 5604 | {
|
---|
| 5605 | /*
|
---|
| 5606 | * For the testcases to work, we must add the app bin directory to the
|
---|
| 5607 | * DLL search list before the testcase dll is loaded or it won't be
|
---|
| 5608 | * able to find the VBox DLLs. This is done _after_ VBoxRT.dll is
|
---|
| 5609 | * initialized and sets its defaults.
|
---|
| 5610 | */
|
---|
| 5611 | switch (fFlags & SUPSECMAIN_FLAGS_LOC_MASK)
|
---|
| 5612 | {
|
---|
| 5613 | case SUPSECMAIN_FLAGS_LOC_TESTCASE:
|
---|
| 5614 | break;
|
---|
| 5615 | default:
|
---|
| 5616 | return;
|
---|
| 5617 | }
|
---|
| 5618 |
|
---|
| 5619 | /*
|
---|
| 5620 | * Dynamically resolve the two APIs we need (the latter uses forwarders on w7).
|
---|
| 5621 | */
|
---|
| 5622 | HMODULE hModKernel32 = GetModuleHandleW(L"kernel32.dll");
|
---|
| 5623 |
|
---|
| 5624 | typedef BOOL (WINAPI *PFNSETDLLDIRECTORY)(LPCWSTR);
|
---|
| 5625 | PFNSETDLLDIRECTORY pfnSetDllDir;
|
---|
| 5626 | pfnSetDllDir = (PFNSETDLLDIRECTORY)GetProcAddress(hModKernel32, "SetDllDirectoryW");
|
---|
| 5627 |
|
---|
| 5628 | typedef BOOL (WINAPI *PFNSETDEFAULTDLLDIRECTORIES)(DWORD);
|
---|
| 5629 | PFNSETDEFAULTDLLDIRECTORIES pfnSetDefDllDirs;
|
---|
| 5630 | pfnSetDefDllDirs = (PFNSETDEFAULTDLLDIRECTORIES)GetProcAddress(hModKernel32, "SetDefaultDllDirectories");
|
---|
| 5631 |
|
---|
| 5632 | if (pfnSetDllDir != NULL)
|
---|
| 5633 | {
|
---|
| 5634 | /*
|
---|
| 5635 | * Convert the path to UTF-16 and try set it.
|
---|
| 5636 | */
|
---|
| 5637 | PRTUTF16 pwszAppBinPath = NULL;
|
---|
| 5638 | int rc = RTStrToUtf16(pszAppBinPath, &pwszAppBinPath);
|
---|
| 5639 | if (RT_SUCCESS(rc))
|
---|
| 5640 | {
|
---|
| 5641 | if (pfnSetDllDir(pwszAppBinPath))
|
---|
| 5642 | {
|
---|
| 5643 | SUP_DPRINTF(("supR3HardenedWinModifyDllSearchPath: Set dll dir to '%ls'\n", pwszAppBinPath));
|
---|
| 5644 | g_fSupLibHardenedDllSearchUserDirs = true;
|
---|
| 5645 |
|
---|
| 5646 | /*
|
---|
| 5647 | * We set it alright, on W7 and later we also must modify the
|
---|
| 5648 | * default DLL search order. See @bugref{6861} for details on
|
---|
| 5649 | * why we don't do this on Vista (also see init-win.cpp in IPRT).
|
---|
| 5650 | */
|
---|
| 5651 | if ( pfnSetDefDllDirs
|
---|
| 5652 | && g_uNtVerCombined >= SUP_NT_VER_W70)
|
---|
| 5653 | {
|
---|
| 5654 | if (pfnSetDefDllDirs( LOAD_LIBRARY_SEARCH_APPLICATION_DIR
|
---|
| 5655 | | LOAD_LIBRARY_SEARCH_SYSTEM32
|
---|
| 5656 | | LOAD_LIBRARY_SEARCH_USER_DIRS))
|
---|
| 5657 | SUP_DPRINTF(("supR3HardenedWinModifyDllSearchPath: Successfully modified search dirs.\n"));
|
---|
| 5658 | else
|
---|
| 5659 | supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: SetDllDirectoryW(%ls) failed: %d\n",
|
---|
| 5660 | pwszAppBinPath, RtlGetLastWin32Error());
|
---|
| 5661 | }
|
---|
| 5662 | }
|
---|
| 5663 | else
|
---|
| 5664 | supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: SetDllDirectoryW(%ls) failed: %d\n",
|
---|
| 5665 | pwszAppBinPath, RtlGetLastWin32Error());
|
---|
| 5666 | RTUtf16Free(pwszAppBinPath);
|
---|
| 5667 | }
|
---|
| 5668 | else
|
---|
| 5669 | supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: RTStrToUtf16(%s) failed: %d\n", pszAppBinPath, rc);
|
---|
| 5670 | }
|
---|
| 5671 | }
|
---|
| 5672 |
|
---|
| 5673 |
|
---|
| 5674 | /**
|
---|
| 5675 | * Initializes the application binary directory path.
|
---|
| 5676 | *
|
---|
| 5677 | * This is called once or twice.
|
---|
| 5678 | *
|
---|
| 5679 | * @param fFlags The main flags (giving the location).
|
---|
| 5680 | */
|
---|
| 5681 | DECLHIDDEN(void) supR3HardenedWinInitAppBin(uint32_t fFlags)
|
---|
| 5682 | {
|
---|
| 5683 | USHORT cwc = (USHORT)g_offSupLibHardenedExeNtName - 1;
|
---|
| 5684 | g_SupLibHardenedAppBinNtPath.UniStr.Buffer = g_SupLibHardenedAppBinNtPath.awcBuffer;
|
---|
| 5685 | memcpy(g_SupLibHardenedAppBinNtPath.UniStr.Buffer, g_SupLibHardenedExeNtPath.UniStr.Buffer, cwc * sizeof(WCHAR));
|
---|
| 5686 |
|
---|
| 5687 | switch (fFlags & SUPSECMAIN_FLAGS_LOC_MASK)
|
---|
| 5688 | {
|
---|
| 5689 | case SUPSECMAIN_FLAGS_LOC_APP_BIN:
|
---|
| 5690 | break;
|
---|
| 5691 | case SUPSECMAIN_FLAGS_LOC_TESTCASE:
|
---|
| 5692 | {
|
---|
| 5693 | /* Drop one directory level. */
|
---|
| 5694 | USHORT off = cwc;
|
---|
| 5695 | WCHAR wc;
|
---|
| 5696 | while ( off > 1
|
---|
| 5697 | && (wc = g_SupLibHardenedAppBinNtPath.UniStr.Buffer[off - 1]) != '\0')
|
---|
| 5698 | if (wc != '\\' && wc != '/')
|
---|
| 5699 | off--;
|
---|
| 5700 | else
|
---|
| 5701 | {
|
---|
| 5702 | if (g_SupLibHardenedAppBinNtPath.UniStr.Buffer[off - 2] == ':')
|
---|
| 5703 | cwc = off;
|
---|
| 5704 | else
|
---|
| 5705 | cwc = off - 1;
|
---|
| 5706 | break;
|
---|
| 5707 | }
|
---|
| 5708 | break;
|
---|
| 5709 | }
|
---|
| 5710 | default:
|
---|
| 5711 | supR3HardenedFatal("supR3HardenedWinInitAppBin: Unknown program binary location: %#x\n", fFlags);
|
---|
| 5712 | }
|
---|
| 5713 |
|
---|
| 5714 | g_SupLibHardenedAppBinNtPath.UniStr.Buffer[cwc] = '\0';
|
---|
| 5715 | g_SupLibHardenedAppBinNtPath.UniStr.Length = cwc * sizeof(WCHAR);
|
---|
| 5716 | g_SupLibHardenedAppBinNtPath.UniStr.MaximumLength = sizeof(g_SupLibHardenedAppBinNtPath.awcBuffer);
|
---|
| 5717 | SUP_DPRINTF(("supR3HardenedWinInitAppBin(%#x): '%ls'\n", fFlags, g_SupLibHardenedAppBinNtPath.UniStr.Buffer));
|
---|
| 5718 | }
|
---|
| 5719 |
|
---|
| 5720 |
|
---|
| 5721 | /**
|
---|
[51770] | 5722 | * Converts the Windows command line string (UTF-16) to an array of UTF-8
|
---|
| 5723 | * arguments suitable for passing to main().
|
---|
| 5724 | *
|
---|
| 5725 | * @returns Pointer to the argument array.
|
---|
[52163] | 5726 | * @param pawcCmdLine The UTF-16 windows command line to parse.
|
---|
| 5727 | * @param cwcCmdLine The length of the command line.
|
---|
[51770] | 5728 | * @param pcArgs Where to return the number of arguments.
|
---|
| 5729 | */
|
---|
[52163] | 5730 | static char **suplibCommandLineToArgvWStub(PCRTUTF16 pawcCmdLine, size_t cwcCmdLine, int *pcArgs)
|
---|
[51770] | 5731 | {
|
---|
| 5732 | /*
|
---|
| 5733 | * Convert the command line string to UTF-8.
|
---|
| 5734 | */
|
---|
[52163] | 5735 | char *pszCmdLine = NULL;
|
---|
| 5736 | SUPR3HARDENED_ASSERT(RT_SUCCESS(RTUtf16ToUtf8Ex(pawcCmdLine, cwcCmdLine, &pszCmdLine, 0, NULL)));
|
---|
[51770] | 5737 |
|
---|
| 5738 | /*
|
---|
| 5739 | * Parse the command line, carving argument strings out of it.
|
---|
| 5740 | */
|
---|
| 5741 | int cArgs = 0;
|
---|
| 5742 | int cArgsAllocated = 4;
|
---|
[52940] | 5743 | char **papszArgs = (char **)RTMemAllocZ(sizeof(char *) * cArgsAllocated);
|
---|
[51770] | 5744 | char *pszSrc = pszCmdLine;
|
---|
| 5745 | for (;;)
|
---|
| 5746 | {
|
---|
| 5747 | /* skip leading blanks. */
|
---|
| 5748 | char ch = *pszSrc;
|
---|
| 5749 | while (suplibCommandLineIsArgSeparator(ch))
|
---|
| 5750 | ch = *++pszSrc;
|
---|
| 5751 | if (!ch)
|
---|
| 5752 | break;
|
---|
| 5753 |
|
---|
| 5754 | /* Add argument to the vector. */
|
---|
| 5755 | if (cArgs + 2 >= cArgsAllocated)
|
---|
| 5756 | {
|
---|
| 5757 | cArgsAllocated *= 2;
|
---|
[52940] | 5758 | papszArgs = (char **)RTMemRealloc(papszArgs, sizeof(char *) * cArgsAllocated);
|
---|
[51770] | 5759 | }
|
---|
| 5760 | papszArgs[cArgs++] = pszSrc;
|
---|
| 5761 | papszArgs[cArgs] = NULL;
|
---|
| 5762 |
|
---|
| 5763 | /* Unquote and unescape the string. */
|
---|
| 5764 | char *pszDst = pszSrc++;
|
---|
| 5765 | bool fQuoted = false;
|
---|
| 5766 | do
|
---|
| 5767 | {
|
---|
| 5768 | if (ch == '"')
|
---|
| 5769 | fQuoted = !fQuoted;
|
---|
| 5770 | else if (ch != '\\' || (*pszSrc != '\\' && *pszSrc != '"'))
|
---|
| 5771 | *pszDst++ = ch;
|
---|
| 5772 | else
|
---|
| 5773 | {
|
---|
| 5774 | unsigned cSlashes = 0;
|
---|
| 5775 | while ((ch = *pszSrc++) == '\\')
|
---|
| 5776 | cSlashes++;
|
---|
| 5777 | if (ch == '"')
|
---|
| 5778 | {
|
---|
| 5779 | while (cSlashes >= 2)
|
---|
| 5780 | {
|
---|
| 5781 | cSlashes -= 2;
|
---|
| 5782 | *pszDst++ = '\\';
|
---|
| 5783 | }
|
---|
| 5784 | if (cSlashes)
|
---|
| 5785 | *pszDst++ = '"';
|
---|
| 5786 | else
|
---|
| 5787 | fQuoted = !fQuoted;
|
---|
| 5788 | }
|
---|
| 5789 | else
|
---|
| 5790 | {
|
---|
| 5791 | pszSrc--;
|
---|
| 5792 | while (cSlashes-- > 0)
|
---|
| 5793 | *pszDst++ = '\\';
|
---|
| 5794 | }
|
---|
| 5795 | }
|
---|
| 5796 |
|
---|
| 5797 | ch = *pszSrc++;
|
---|
| 5798 | } while (ch != '\0' && (fQuoted || !suplibCommandLineIsArgSeparator(ch)));
|
---|
| 5799 |
|
---|
| 5800 | /* Terminate the argument. */
|
---|
| 5801 | *pszDst = '\0';
|
---|
| 5802 | if (!ch)
|
---|
| 5803 | break;
|
---|
| 5804 | }
|
---|
| 5805 |
|
---|
| 5806 | *pcArgs = cArgs;
|
---|
| 5807 | return papszArgs;
|
---|
| 5808 | }
|
---|
| 5809 |
|
---|
| 5810 |
|
---|
[52739] | 5811 | /**
|
---|
[66484] | 5812 | * Worker for supR3HardenedFindVersionRsrcOffset.
|
---|
[52741] | 5813 | *
|
---|
[66484] | 5814 | * @returns RVA the version resource data, UINT32_MAX if not found.
|
---|
| 5815 | * @param pRootDir The root resource directory. Expects data to
|
---|
| 5816 | * follow.
|
---|
| 5817 | * @param cbBuf The amount of data at pRootDir.
|
---|
| 5818 | * @param offData The offset to the data entry.
|
---|
| 5819 | * @param pcbData Where to return the size of the data.
|
---|
| 5820 | */
|
---|
| 5821 | static uint32_t supR3HardenedGetRvaFromRsrcDataEntry(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t offData,
|
---|
| 5822 | uint32_t *pcbData)
|
---|
| 5823 | {
|
---|
| 5824 | if ( offData <= cbBuf
|
---|
| 5825 | && offData + sizeof(IMAGE_RESOURCE_DATA_ENTRY) <= cbBuf)
|
---|
| 5826 | {
|
---|
| 5827 | PIMAGE_RESOURCE_DATA_ENTRY pRsrcData = (PIMAGE_RESOURCE_DATA_ENTRY)((uintptr_t)pRootDir + offData);
|
---|
| 5828 | SUP_DPRINTF((" [Raw version resource data: %#x LB %#x, codepage %#x (reserved %#x)]\n",
|
---|
| 5829 | pRsrcData->OffsetToData, pRsrcData->Size, pRsrcData->CodePage, pRsrcData->Reserved));
|
---|
| 5830 | if (pRsrcData->Size > 0)
|
---|
| 5831 | {
|
---|
| 5832 | *pcbData = pRsrcData->Size;
|
---|
| 5833 | return pRsrcData->OffsetToData;
|
---|
| 5834 | }
|
---|
| 5835 | }
|
---|
| 5836 | else
|
---|
| 5837 | SUP_DPRINTF((" Version resource data (%#x) is outside the buffer (%#x)! :-(\n", offData, cbBuf));
|
---|
| 5838 |
|
---|
| 5839 | *pcbData = 0;
|
---|
| 5840 | return UINT32_MAX;
|
---|
| 5841 | }
|
---|
| 5842 |
|
---|
| 5843 |
|
---|
| 5844 | /** @def SUP_RSRC_DPRINTF
|
---|
| 5845 | * Dedicated debug printf for resource directory parsing.
|
---|
| 5846 | * @sa SUP_DPRINTF
|
---|
| 5847 | */
|
---|
| 5848 | #if 0 /* more details */
|
---|
| 5849 | # define SUP_RSRC_DPRINTF(a) SUP_DPRINTF(a)
|
---|
| 5850 | #else
|
---|
| 5851 | # define SUP_RSRC_DPRINTF(a) do { } while (0)
|
---|
| 5852 | #endif
|
---|
| 5853 |
|
---|
| 5854 | /**
|
---|
| 5855 | * Scans the resource directory for a version resource.
|
---|
| 5856 | *
|
---|
| 5857 | * @returns RVA of the version resource data, UINT32_MAX if not found.
|
---|
| 5858 | * @param pRootDir The root resource directory. Expects data to
|
---|
| 5859 | * follow.
|
---|
| 5860 | * @param cbBuf The amount of data at pRootDir.
|
---|
| 5861 | * @param pcbData Where to return the size of the version data.
|
---|
| 5862 | */
|
---|
| 5863 | static uint32_t supR3HardenedFindVersionRsrcRva(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t *pcbData)
|
---|
| 5864 | {
|
---|
| 5865 | SUP_RSRC_DPRINTF((" ResDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
|
---|
| 5866 | pRootDir->Characteristics,
|
---|
| 5867 | pRootDir->TimeDateStamp,
|
---|
| 5868 | pRootDir->MajorVersion,
|
---|
| 5869 | pRootDir->MinorVersion,
|
---|
| 5870 | pRootDir->NumberOfNamedEntries,
|
---|
| 5871 | pRootDir->NumberOfIdEntries));
|
---|
| 5872 |
|
---|
| 5873 | PIMAGE_RESOURCE_DIRECTORY_ENTRY paEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRootDir + 1);
|
---|
| 5874 | unsigned cMaxEntries = (cbBuf - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
---|
| 5875 | unsigned cEntries = pRootDir->NumberOfNamedEntries + pRootDir->NumberOfIdEntries;
|
---|
| 5876 | if (cEntries > cMaxEntries)
|
---|
| 5877 | cEntries = cMaxEntries;
|
---|
| 5878 | for (unsigned i = 0; i < cEntries; i++)
|
---|
| 5879 | {
|
---|
| 5880 | if (!paEntries[i].NameIsString)
|
---|
| 5881 | {
|
---|
| 5882 | if (!paEntries[i].DataIsDirectory)
|
---|
| 5883 | SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
|
---|
| 5884 | i, paEntries[i].Id, paEntries[i].OffsetToData));
|
---|
| 5885 | else
|
---|
| 5886 | SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
|
---|
| 5887 | i, paEntries[i].Id, paEntries[i].OffsetToDirectory));
|
---|
| 5888 | }
|
---|
| 5889 | else
|
---|
| 5890 | {
|
---|
| 5891 | if (!paEntries[i].DataIsDirectory)
|
---|
| 5892 | SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
|
---|
| 5893 | i, paEntries[i].NameOffset, paEntries[i].OffsetToData));
|
---|
| 5894 | else
|
---|
| 5895 | SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
|
---|
| 5896 | i, paEntries[i].NameOffset, paEntries[i].OffsetToDirectory));
|
---|
| 5897 | }
|
---|
| 5898 |
|
---|
| 5899 | /*
|
---|
| 5900 | * Look for the version resource type. Skip to the next entry if not found.
|
---|
| 5901 | */
|
---|
| 5902 | if (paEntries[i].NameIsString)
|
---|
| 5903 | continue;
|
---|
| 5904 | if (paEntries[i].Id != 0x10 /*RT_VERSION*/)
|
---|
| 5905 | continue;
|
---|
| 5906 | if (!paEntries[i].DataIsDirectory)
|
---|
| 5907 | {
|
---|
| 5908 | SUP_DPRINTF((" #%u: ID: #%#06x Data: %#010x - WEIRD!\n", i, paEntries[i].Id, paEntries[i].OffsetToData));
|
---|
| 5909 | continue;
|
---|
| 5910 | }
|
---|
| 5911 | SUP_RSRC_DPRINTF((" Version resource dir entry #%u: dir offset: %#x (cbBuf=%#x)\n",
|
---|
| 5912 | i, paEntries[i].OffsetToDirectory, cbBuf));
|
---|
| 5913 |
|
---|
| 5914 | /*
|
---|
| 5915 | * Locate the sub-resource directory for it.
|
---|
| 5916 | */
|
---|
| 5917 | if (paEntries[i].OffsetToDirectory >= cbBuf)
|
---|
| 5918 | {
|
---|
| 5919 | SUP_DPRINTF((" Version resource dir is outside the buffer! :-(\n"));
|
---|
| 5920 | continue;
|
---|
| 5921 | }
|
---|
| 5922 | uint32_t cbMax = cbBuf - paEntries[i].OffsetToDirectory;
|
---|
| 5923 | if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))
|
---|
| 5924 | {
|
---|
| 5925 | SUP_DPRINTF((" Version resource dir entry #0 is outside the buffer! :-(\n"));
|
---|
| 5926 | continue;
|
---|
| 5927 | }
|
---|
| 5928 | PIMAGE_RESOURCE_DIRECTORY pVerDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paEntries[i].OffsetToDirectory);
|
---|
| 5929 | SUP_RSRC_DPRINTF((" VerDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
|
---|
| 5930 | pVerDir->Characteristics,
|
---|
| 5931 | pVerDir->TimeDateStamp,
|
---|
| 5932 | pVerDir->MajorVersion,
|
---|
| 5933 | pVerDir->MinorVersion,
|
---|
| 5934 | pVerDir->NumberOfNamedEntries,
|
---|
| 5935 | pVerDir->NumberOfIdEntries));
|
---|
| 5936 | PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerDir + 1);
|
---|
| 5937 | unsigned cMaxVerEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
---|
| 5938 | unsigned cVerEntries = pVerDir->NumberOfNamedEntries + pVerDir->NumberOfIdEntries;
|
---|
| 5939 | if (cVerEntries > cMaxVerEntries)
|
---|
| 5940 | cVerEntries = cMaxVerEntries;
|
---|
| 5941 | for (unsigned iVer = 0; iVer < cVerEntries; iVer++)
|
---|
| 5942 | {
|
---|
| 5943 | if (!paVerEntries[iVer].NameIsString)
|
---|
| 5944 | {
|
---|
| 5945 | if (!paVerEntries[iVer].DataIsDirectory)
|
---|
| 5946 | SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
|
---|
| 5947 | iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToData));
|
---|
| 5948 | else
|
---|
| 5949 | SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
|
---|
| 5950 | iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToDirectory));
|
---|
| 5951 | }
|
---|
| 5952 | else
|
---|
| 5953 | {
|
---|
| 5954 | if (!paVerEntries[iVer].DataIsDirectory)
|
---|
| 5955 | SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
|
---|
| 5956 | iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToData));
|
---|
| 5957 | else
|
---|
| 5958 | SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
|
---|
| 5959 | iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToDirectory));
|
---|
| 5960 | }
|
---|
| 5961 | if (!paVerEntries[iVer].DataIsDirectory)
|
---|
| 5962 | {
|
---|
| 5963 | SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: #%#x)]\n",
|
---|
| 5964 | paVerEntries[iVer].OffsetToData, paVerEntries[iVer].Name));
|
---|
| 5965 | return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerEntries[iVer].OffsetToData, pcbData);
|
---|
| 5966 | }
|
---|
| 5967 |
|
---|
| 5968 | /*
|
---|
| 5969 | * Check out the next directory level.
|
---|
| 5970 | */
|
---|
| 5971 | if (paVerEntries[iVer].OffsetToDirectory >= cbBuf)
|
---|
| 5972 | {
|
---|
| 5973 | SUP_DPRINTF((" Version resource subdir is outside the buffer! :-(\n"));
|
---|
| 5974 | continue;
|
---|
| 5975 | }
|
---|
| 5976 | cbMax = cbBuf - paVerEntries[iVer].OffsetToDirectory;
|
---|
| 5977 | if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))
|
---|
| 5978 | {
|
---|
| 5979 | SUP_DPRINTF((" Version resource subdir entry #0 is outside the buffer! :-(\n"));
|
---|
| 5980 | continue;
|
---|
| 5981 | }
|
---|
| 5982 | PIMAGE_RESOURCE_DIRECTORY pVerSubDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paVerEntries[iVer].OffsetToDirectory);
|
---|
| 5983 | SUP_RSRC_DPRINTF((" VerSubDir#%u: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
|
---|
| 5984 | iVer,
|
---|
| 5985 | pVerSubDir->Characteristics,
|
---|
| 5986 | pVerSubDir->TimeDateStamp,
|
---|
| 5987 | pVerSubDir->MajorVersion,
|
---|
| 5988 | pVerSubDir->MinorVersion,
|
---|
| 5989 | pVerSubDir->NumberOfNamedEntries,
|
---|
| 5990 | pVerSubDir->NumberOfIdEntries));
|
---|
| 5991 | PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerSubEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerSubDir + 1);
|
---|
| 5992 | unsigned cMaxVerSubEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
|
---|
| 5993 | unsigned cVerSubEntries = pVerSubDir->NumberOfNamedEntries + pVerSubDir->NumberOfIdEntries;
|
---|
| 5994 | if (cVerSubEntries > cMaxVerSubEntries)
|
---|
| 5995 | cVerSubEntries = cMaxVerSubEntries;
|
---|
| 5996 | for (unsigned iVerSub = 0; iVerSub < cVerSubEntries; iVerSub++)
|
---|
| 5997 | {
|
---|
| 5998 | if (!paVerSubEntries[iVerSub].NameIsString)
|
---|
| 5999 | {
|
---|
| 6000 | if (!paVerSubEntries[iVerSub].DataIsDirectory)
|
---|
| 6001 | SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
|
---|
| 6002 | iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToData));
|
---|
| 6003 | else
|
---|
| 6004 | SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
|
---|
| 6005 | iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToDirectory));
|
---|
| 6006 | }
|
---|
| 6007 | else
|
---|
| 6008 | {
|
---|
| 6009 | if (!paVerSubEntries[iVerSub].DataIsDirectory)
|
---|
| 6010 | SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
|
---|
| 6011 | iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToData));
|
---|
| 6012 | else
|
---|
| 6013 | SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
|
---|
| 6014 | iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToDirectory));
|
---|
| 6015 | }
|
---|
| 6016 | if (!paVerSubEntries[iVerSub].DataIsDirectory)
|
---|
| 6017 | {
|
---|
| 6018 | SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: %#x; SubID/SubName: %#x)]\n",
|
---|
| 6019 | paVerSubEntries[iVerSub].OffsetToData, paVerEntries[iVer].Name, paVerSubEntries[iVerSub].Name));
|
---|
| 6020 | return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerSubEntries[iVerSub].OffsetToData, pcbData);
|
---|
| 6021 | }
|
---|
| 6022 | }
|
---|
| 6023 | }
|
---|
| 6024 | }
|
---|
| 6025 |
|
---|
| 6026 | *pcbData = 0;
|
---|
| 6027 | return UINT32_MAX;
|
---|
| 6028 | }
|
---|
| 6029 |
|
---|
| 6030 |
|
---|
| 6031 | /**
|
---|
| 6032 | * Logs information about a file from a protection product or from Windows,
|
---|
| 6033 | * optionally returning the file version.
|
---|
| 6034 | *
|
---|
[52741] | 6035 | * The purpose here is to better see which version of the product is installed
|
---|
| 6036 | * and not needing to depend on the user supplying the correct information.
|
---|
| 6037 | *
|
---|
[66484] | 6038 | * @param pwszFile The NT path to the file.
|
---|
| 6039 | * @param pwszFileVersion Where to return the file version, if found. NULL if
|
---|
| 6040 | * not interested.
|
---|
| 6041 | * @param cwcFileVersion The size of the file version buffer (UTF-16 units).
|
---|
[52741] | 6042 | */
|
---|
[66484] | 6043 | static void supR3HardenedLogFileInfo(PCRTUTF16 pwszFile, PRTUTF16 pwszFileVersion, size_t cwcFileVersion)
|
---|
[52741] | 6044 | {
|
---|
[66484] | 6045 | /*
|
---|
| 6046 | * Make sure the file version is always set when we return.
|
---|
| 6047 | */
|
---|
| 6048 | if (pwszFileVersion && cwcFileVersion)
|
---|
| 6049 | *pwszFileVersion = '\0';
|
---|
[62677] | 6050 |
|
---|
[52741] | 6051 | /*
|
---|
| 6052 | * Open the file.
|
---|
| 6053 | */
|
---|
| 6054 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 6055 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 6056 | UNICODE_STRING UniStrName;
|
---|
| 6057 | UniStrName.Buffer = (WCHAR *)pwszFile;
|
---|
| 6058 | UniStrName.Length = (USHORT)(RTUtf16Len(pwszFile) * sizeof(WCHAR));
|
---|
| 6059 | UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
|
---|
| 6060 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 6061 | InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 6062 | NTSTATUS rcNt = NtCreateFile(&hFile,
|
---|
[53036] | 6063 | GENERIC_READ | SYNCHRONIZE,
|
---|
[52741] | 6064 | &ObjAttr,
|
---|
| 6065 | &Ios,
|
---|
| 6066 | NULL /* Allocation Size*/,
|
---|
| 6067 | FILE_ATTRIBUTE_NORMAL,
|
---|
| 6068 | FILE_SHARE_READ,
|
---|
| 6069 | FILE_OPEN,
|
---|
[53034] | 6070 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
|
---|
[52741] | 6071 | NULL /*EaBuffer*/,
|
---|
| 6072 | 0 /*EaLength*/);
|
---|
| 6073 | if (NT_SUCCESS(rcNt))
|
---|
| 6074 | rcNt = Ios.Status;
|
---|
| 6075 | if (NT_SUCCESS(rcNt))
|
---|
| 6076 | {
|
---|
| 6077 | SUP_DPRINTF(("%ls:\n", pwszFile));
|
---|
| 6078 | union
|
---|
| 6079 | {
|
---|
| 6080 | uint64_t u64AlignmentInsurance;
|
---|
| 6081 | FILE_BASIC_INFORMATION BasicInfo;
|
---|
| 6082 | FILE_STANDARD_INFORMATION StdInfo;
|
---|
| 6083 | uint8_t abBuf[32768];
|
---|
| 6084 | RTUTF16 awcBuf[16384];
|
---|
| 6085 | IMAGE_DOS_HEADER MzHdr;
|
---|
[66484] | 6086 | IMAGE_RESOURCE_DIRECTORY ResDir;
|
---|
[52741] | 6087 | } u;
|
---|
| 6088 | RTTIMESPEC TimeSpec;
|
---|
| 6089 | char szTmp[64];
|
---|
| 6090 |
|
---|
| 6091 | /*
|
---|
| 6092 | * Print basic file information available via NtQueryInformationFile.
|
---|
| 6093 | */
|
---|
[84394] | 6094 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
[52741] | 6095 | rcNt = NtQueryInformationFile(hFile, &Ios, &u.BasicInfo, sizeof(u.BasicInfo), FileBasicInformation);
|
---|
| 6096 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
| 6097 | {
|
---|
| 6098 | SUP_DPRINTF((" CreationTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.CreationTime.QuadPart), szTmp, sizeof(szTmp))));
|
---|
| 6099 | /*SUP_DPRINTF((" LastAccessTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastAccessTime.QuadPart), szTmp, sizeof(szTmp))));*/
|
---|
| 6100 | SUP_DPRINTF((" LastWriteTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastWriteTime.QuadPart), szTmp, sizeof(szTmp))));
|
---|
| 6101 | SUP_DPRINTF((" ChangeTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.ChangeTime.QuadPart), szTmp, sizeof(szTmp))));
|
---|
| 6102 | SUP_DPRINTF((" FileAttributes: %#x\n", u.BasicInfo.FileAttributes));
|
---|
| 6103 | }
|
---|
| 6104 | else
|
---|
| 6105 | SUP_DPRINTF((" FileBasicInformation -> %#x %#x\n", rcNt, Ios.Status));
|
---|
| 6106 |
|
---|
[84394] | 6107 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
[52741] | 6108 | rcNt = NtQueryInformationFile(hFile, &Ios, &u.StdInfo, sizeof(u.StdInfo), FileStandardInformation);
|
---|
| 6109 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
| 6110 | SUP_DPRINTF((" Size: %#llx\n", u.StdInfo.EndOfFile.QuadPart));
|
---|
| 6111 | else
|
---|
| 6112 | SUP_DPRINTF((" FileStandardInformation -> %#x %#x\n", rcNt, Ios.Status));
|
---|
| 6113 |
|
---|
| 6114 | /*
|
---|
| 6115 | * Read the image header and extract the timestamp and other useful info.
|
---|
| 6116 | */
|
---|
| 6117 | RT_ZERO(u);
|
---|
[84394] | 6118 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
[52741] | 6119 | LARGE_INTEGER offRead;
|
---|
| 6120 | offRead.QuadPart = 0;
|
---|
| 6121 | rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios,
|
---|
| 6122 | &u, (ULONG)sizeof(u), &offRead, NULL);
|
---|
| 6123 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
| 6124 | {
|
---|
| 6125 | uint32_t offNtHdrs = 0;
|
---|
| 6126 | if (u.MzHdr.e_magic == IMAGE_DOS_SIGNATURE)
|
---|
| 6127 | offNtHdrs = u.MzHdr.e_lfanew;
|
---|
| 6128 | if (offNtHdrs < sizeof(u) - sizeof(IMAGE_NT_HEADERS))
|
---|
| 6129 | {
|
---|
| 6130 | PIMAGE_NT_HEADERS64 pNtHdrs64 = (PIMAGE_NT_HEADERS64)&u.abBuf[offNtHdrs];
|
---|
| 6131 | PIMAGE_NT_HEADERS32 pNtHdrs32 = (PIMAGE_NT_HEADERS32)&u.abBuf[offNtHdrs];
|
---|
| 6132 | if (pNtHdrs64->Signature == IMAGE_NT_SIGNATURE)
|
---|
| 6133 | {
|
---|
| 6134 | SUP_DPRINTF((" NT Headers: %#x\n", offNtHdrs));
|
---|
| 6135 | SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp));
|
---|
| 6136 | SUP_DPRINTF((" Machine: %#x%s\n", pNtHdrs64->FileHeader.Machine,
|
---|
| 6137 | pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ? " - i386"
|
---|
| 6138 | : pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? " - amd64" : ""));
|
---|
| 6139 | SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp));
|
---|
| 6140 | SUP_DPRINTF((" Image Version: %u.%u\n",
|
---|
| 6141 | pNtHdrs64->OptionalHeader.MajorImageVersion, pNtHdrs64->OptionalHeader.MinorImageVersion));
|
---|
| 6142 | SUP_DPRINTF((" SizeOfImage: %#x (%u)\n", pNtHdrs64->OptionalHeader.SizeOfImage, pNtHdrs64->OptionalHeader.SizeOfImage));
|
---|
| 6143 |
|
---|
| 6144 | /*
|
---|
| 6145 | * Very crude way to extract info from the file version resource.
|
---|
| 6146 | */
|
---|
| 6147 | PIMAGE_SECTION_HEADER paSectHdrs = (PIMAGE_SECTION_HEADER)( (uintptr_t)&pNtHdrs64->OptionalHeader
|
---|
| 6148 | + pNtHdrs64->FileHeader.SizeOfOptionalHeader);
|
---|
| 6149 | IMAGE_DATA_DIRECTORY RsrcDir = { 0, 0 };
|
---|
| 6150 | if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER64)
|
---|
| 6151 | && pNtHdrs64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE)
|
---|
| 6152 | RsrcDir = pNtHdrs64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
|
---|
| 6153 | else if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER32)
|
---|
| 6154 | && pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE)
|
---|
| 6155 | RsrcDir = pNtHdrs32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
|
---|
| 6156 | SUP_DPRINTF((" Resource Dir: %#x LB %#x\n", RsrcDir.VirtualAddress, RsrcDir.Size));
|
---|
| 6157 | if ( RsrcDir.VirtualAddress > offNtHdrs
|
---|
| 6158 | && RsrcDir.Size > 0
|
---|
| 6159 | && (uintptr_t)&u + sizeof(u) - (uintptr_t)paSectHdrs
|
---|
| 6160 | >= pNtHdrs64->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) )
|
---|
| 6161 | {
|
---|
[66484] | 6162 | uint32_t uRvaRsrcSect = 0;
|
---|
| 6163 | uint32_t cbRsrcSect = 0;
|
---|
| 6164 | uint32_t offRsrcSect = 0;
|
---|
[52741] | 6165 | offRead.QuadPart = 0;
|
---|
| 6166 | for (uint32_t i = 0; i < pNtHdrs64->FileHeader.NumberOfSections; i++)
|
---|
[66484] | 6167 | {
|
---|
| 6168 | uRvaRsrcSect = paSectHdrs[i].VirtualAddress;
|
---|
| 6169 | cbRsrcSect = paSectHdrs[i].Misc.VirtualSize;
|
---|
| 6170 | offRsrcSect = paSectHdrs[i].PointerToRawData;
|
---|
| 6171 | if ( RsrcDir.VirtualAddress - uRvaRsrcSect < cbRsrcSect
|
---|
| 6172 | && offRsrcSect > offNtHdrs)
|
---|
[52741] | 6173 | {
|
---|
[66484] | 6174 | offRead.QuadPart = offRsrcSect + (RsrcDir.VirtualAddress - uRvaRsrcSect);
|
---|
[52741] | 6175 | break;
|
---|
| 6176 | }
|
---|
[66484] | 6177 | }
|
---|
[52741] | 6178 | if (offRead.QuadPart > 0)
|
---|
| 6179 | {
|
---|
[84394] | 6180 | RTNT_IO_STATUS_BLOCK_REINIT(&Ios);
|
---|
[52741] | 6181 | RT_ZERO(u);
|
---|
| 6182 | rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios,
|
---|
| 6183 | &u, (ULONG)sizeof(u), &offRead, NULL);
|
---|
[66484] | 6184 | PCRTUTF16 pwcVersionData = &u.awcBuf[0];
|
---|
| 6185 | size_t cbVersionData = sizeof(u);
|
---|
| 6186 |
|
---|
[52741] | 6187 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
| 6188 | {
|
---|
[66484] | 6189 | /* Make it less crude by try find the version resource data. */
|
---|
| 6190 | uint32_t cbVersion;
|
---|
| 6191 | uint32_t uRvaVersion = supR3HardenedFindVersionRsrcRva(&u.ResDir, sizeof(u), &cbVersion);
|
---|
| 6192 | NOREF(uRvaVersion);
|
---|
| 6193 | if ( uRvaVersion != UINT32_MAX
|
---|
| 6194 | && cbVersion < cbRsrcSect
|
---|
| 6195 | && uRvaVersion - uRvaRsrcSect <= cbRsrcSect - cbVersion)
|
---|
[52741] | 6196 | {
|
---|
[66484] | 6197 | uint32_t const offVersion = uRvaVersion - uRvaRsrcSect;
|
---|
| 6198 | if ( offVersion < sizeof(u)
|
---|
| 6199 | && offVersion + cbVersion <= sizeof(u))
|
---|
| 6200 | {
|
---|
| 6201 | pwcVersionData = (PCRTUTF16)&u.abBuf[offVersion];
|
---|
| 6202 | cbVersionData = cbVersion;
|
---|
| 6203 | }
|
---|
| 6204 | else
|
---|
| 6205 | {
|
---|
| 6206 | offRead.QuadPart = offVersion + offRsrcSect;
|
---|
| 6207 | RT_ZERO(u);
|
---|
| 6208 | rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios,
|
---|
| 6209 | &u, (ULONG)sizeof(u), &offRead, NULL);
|
---|
| 6210 | pwcVersionData = &u.awcBuf[0];
|
---|
| 6211 | cbVersionData = RT_MIN(cbVersion, sizeof(u));
|
---|
| 6212 | }
|
---|
| 6213 | }
|
---|
| 6214 | }
|
---|
| 6215 |
|
---|
| 6216 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
| 6217 | {
|
---|
| 6218 | static const struct { PCRTUTF16 pwsz; size_t cb; bool fRet; } s_abFields[] =
|
---|
| 6219 | {
|
---|
| 6220 | #define MY_WIDE_STR_TUPLE(a_sz, a_fRet) { L ## a_sz, sizeof(L ## a_sz) - sizeof(RTUTF16), a_fRet }
|
---|
| 6221 | MY_WIDE_STR_TUPLE("ProductName", false),
|
---|
| 6222 | MY_WIDE_STR_TUPLE("ProductVersion", false),
|
---|
| 6223 | MY_WIDE_STR_TUPLE("FileVersion", true),
|
---|
| 6224 | MY_WIDE_STR_TUPLE("SpecialBuild", false),
|
---|
| 6225 | MY_WIDE_STR_TUPLE("PrivateBuild", false),
|
---|
| 6226 | MY_WIDE_STR_TUPLE("FileDescription", false),
|
---|
[52741] | 6227 | #undef MY_WIDE_STR_TUPLE
|
---|
| 6228 | };
|
---|
| 6229 | for (uint32_t i = 0; i < RT_ELEMENTS(s_abFields); i++)
|
---|
| 6230 | {
|
---|
[66484] | 6231 | if (cbVersionData <= s_abFields[i].cb + 10)
|
---|
| 6232 | continue;
|
---|
| 6233 | size_t cwcLeft = (cbVersionData - s_abFields[i].cb - 10) / sizeof(RTUTF16);
|
---|
| 6234 | PCRTUTF16 pwc = pwcVersionData;
|
---|
[52741] | 6235 | RTUTF16 const wcFirst = *s_abFields[i].pwsz;
|
---|
| 6236 | while (cwcLeft-- > 0)
|
---|
| 6237 | {
|
---|
| 6238 | if ( pwc[0] == 1 /* wType == text */
|
---|
| 6239 | && pwc[1] == wcFirst)
|
---|
| 6240 | {
|
---|
| 6241 | if (memcmp(pwc + 1, s_abFields[i].pwsz, s_abFields[i].cb + sizeof(RTUTF16)) == 0)
|
---|
| 6242 | {
|
---|
| 6243 | size_t cwcField = s_abFields[i].cb / sizeof(RTUTF16);
|
---|
| 6244 | pwc += cwcField + 2;
|
---|
| 6245 | cwcLeft -= cwcField + 2;
|
---|
| 6246 | for (uint32_t iPadding = 0; iPadding < 3; iPadding++, pwc++, cwcLeft--)
|
---|
| 6247 | if (*pwc)
|
---|
| 6248 | break;
|
---|
| 6249 | int rc = RTUtf16ValidateEncodingEx(pwc, cwcLeft,
|
---|
| 6250 | RTSTR_VALIDATE_ENCODING_ZERO_TERMINATED);
|
---|
| 6251 | if (RT_SUCCESS(rc))
|
---|
[66484] | 6252 | {
|
---|
[52741] | 6253 | SUP_DPRINTF((" %ls:%*s %ls",
|
---|
| 6254 | s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", pwc));
|
---|
[66484] | 6255 | if ( s_abFields[i].fRet
|
---|
| 6256 | && pwszFileVersion
|
---|
| 6257 | && cwcFileVersion > 1)
|
---|
| 6258 | RTUtf16Copy(pwszFileVersion, cwcFileVersion, pwc);
|
---|
| 6259 | }
|
---|
[52741] | 6260 | else
|
---|
| 6261 | SUP_DPRINTF((" %ls:%*s rc=%Rrc",
|
---|
| 6262 | s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", rc));
|
---|
| 6263 |
|
---|
| 6264 | break;
|
---|
| 6265 | }
|
---|
| 6266 | }
|
---|
| 6267 | pwc++;
|
---|
| 6268 | }
|
---|
| 6269 | }
|
---|
| 6270 | }
|
---|
| 6271 | else
|
---|
| 6272 | SUP_DPRINTF((" NtReadFile @%#llx -> %#x %#x\n", offRead.QuadPart, rcNt, Ios.Status));
|
---|
| 6273 | }
|
---|
| 6274 | else
|
---|
| 6275 | SUP_DPRINTF((" Resource section not found.\n"));
|
---|
| 6276 | }
|
---|
| 6277 | }
|
---|
| 6278 | else
|
---|
| 6279 | SUP_DPRINTF((" Nt Headers @%#x: Invalid signature\n", offNtHdrs));
|
---|
| 6280 | }
|
---|
| 6281 | else
|
---|
| 6282 | SUP_DPRINTF((" Nt Headers @%#x: out side buffer\n", offNtHdrs));
|
---|
| 6283 | }
|
---|
| 6284 | else
|
---|
| 6285 | SUP_DPRINTF((" NtReadFile @0 -> %#x %#x\n", rcNt, Ios.Status));
|
---|
| 6286 | NtClose(hFile);
|
---|
| 6287 | }
|
---|
| 6288 | }
|
---|
| 6289 |
|
---|
| 6290 |
|
---|
| 6291 | /**
|
---|
[52739] | 6292 | * Scans the Driver directory for drivers which may invade our processes.
|
---|
| 6293 | *
|
---|
| 6294 | * @returns Mask of SUPHARDNT_ADVERSARY_XXX flags.
|
---|
[52741] | 6295 | *
|
---|
[58157] | 6296 | * @remarks The enumeration of \\Driver normally requires administrator
|
---|
[52741] | 6297 | * privileges. So, the detection we're doing here isn't always gonna
|
---|
| 6298 | * work just based on that.
|
---|
| 6299 | *
|
---|
[58157] | 6300 | * @todo Find drivers in \\FileSystems as well, then we could detect VrNsdDrv
|
---|
[52741] | 6301 | * from ViRobot APT Shield 2.0.
|
---|
[52739] | 6302 | */
|
---|
| 6303 | static uint32_t supR3HardenedWinFindAdversaries(void)
|
---|
| 6304 | {
|
---|
[52741] | 6305 | static const struct
|
---|
| 6306 | {
|
---|
| 6307 | uint32_t fAdversary;
|
---|
| 6308 | const char *pszDriver;
|
---|
| 6309 | } s_aDrivers[] =
|
---|
| 6310 | {
|
---|
[54139] | 6311 | { SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, "SysPlant" },
|
---|
| 6312 |
|
---|
[52741] | 6313 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SRTSPX" },
|
---|
| 6314 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymDS" },
|
---|
| 6315 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymEvent" },
|
---|
| 6316 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymIRON" },
|
---|
| 6317 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymNetS" },
|
---|
| 6318 |
|
---|
| 6319 | { SUPHARDNT_ADVERSARY_AVAST, "aswHwid" },
|
---|
| 6320 | { SUPHARDNT_ADVERSARY_AVAST, "aswMonFlt" },
|
---|
| 6321 | { SUPHARDNT_ADVERSARY_AVAST, "aswRdr2" },
|
---|
| 6322 | { SUPHARDNT_ADVERSARY_AVAST, "aswRvrt" },
|
---|
| 6323 | { SUPHARDNT_ADVERSARY_AVAST, "aswSnx" },
|
---|
| 6324 | { SUPHARDNT_ADVERSARY_AVAST, "aswsp" },
|
---|
| 6325 | { SUPHARDNT_ADVERSARY_AVAST, "aswStm" },
|
---|
| 6326 | { SUPHARDNT_ADVERSARY_AVAST, "aswVmm" },
|
---|
| 6327 |
|
---|
| 6328 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmcomm" },
|
---|
| 6329 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmactmon" },
|
---|
| 6330 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmevtmgr" },
|
---|
| 6331 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmtdi" },
|
---|
| 6332 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmebc64" }, /* Titanium internet security, not officescan. */
|
---|
| 6333 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmeevw" }, /* Titanium internet security, not officescan. */
|
---|
| 6334 | { SUPHARDNT_ADVERSARY_TRENDMICRO, "tmciesc" }, /* Titanium internet security, not officescan. */
|
---|
| 6335 |
|
---|
| 6336 | { SUPHARDNT_ADVERSARY_MCAFEE, "cfwids" },
|
---|
| 6337 | { SUPHARDNT_ADVERSARY_MCAFEE, "McPvDrv" },
|
---|
| 6338 | { SUPHARDNT_ADVERSARY_MCAFEE, "mfeapfk" },
|
---|
| 6339 | { SUPHARDNT_ADVERSARY_MCAFEE, "mfeavfk" },
|
---|
| 6340 | { SUPHARDNT_ADVERSARY_MCAFEE, "mfefirek" },
|
---|
| 6341 | { SUPHARDNT_ADVERSARY_MCAFEE, "mfehidk" },
|
---|
| 6342 | { SUPHARDNT_ADVERSARY_MCAFEE, "mfencbdc" },
|
---|
| 6343 | { SUPHARDNT_ADVERSARY_MCAFEE, "mfewfpk" },
|
---|
| 6344 |
|
---|
| 6345 | { SUPHARDNT_ADVERSARY_KASPERSKY, "kl1" },
|
---|
| 6346 | { SUPHARDNT_ADVERSARY_KASPERSKY, "klflt" },
|
---|
| 6347 | { SUPHARDNT_ADVERSARY_KASPERSKY, "klif" },
|
---|
| 6348 | { SUPHARDNT_ADVERSARY_KASPERSKY, "KLIM6" },
|
---|
| 6349 | { SUPHARDNT_ADVERSARY_KASPERSKY, "klkbdflt" },
|
---|
| 6350 | { SUPHARDNT_ADVERSARY_KASPERSKY, "klmouflt" },
|
---|
| 6351 | { SUPHARDNT_ADVERSARY_KASPERSKY, "kltdi" },
|
---|
| 6352 | { SUPHARDNT_ADVERSARY_KASPERSKY, "kneps" },
|
---|
| 6353 |
|
---|
| 6354 | { SUPHARDNT_ADVERSARY_MBAM, "MBAMWebAccessControl" },
|
---|
| 6355 | { SUPHARDNT_ADVERSARY_MBAM, "mbam" },
|
---|
| 6356 | { SUPHARDNT_ADVERSARY_MBAM, "mbamchameleon" },
|
---|
| 6357 | { SUPHARDNT_ADVERSARY_MBAM, "mwav" },
|
---|
| 6358 | { SUPHARDNT_ADVERSARY_MBAM, "mbamswissarmy" },
|
---|
| 6359 |
|
---|
| 6360 | { SUPHARDNT_ADVERSARY_AVG, "avgfwfd" },
|
---|
| 6361 | { SUPHARDNT_ADVERSARY_AVG, "avgtdia" },
|
---|
| 6362 |
|
---|
| 6363 | { SUPHARDNT_ADVERSARY_PANDA, "PSINAflt" },
|
---|
| 6364 | { SUPHARDNT_ADVERSARY_PANDA, "PSINFile" },
|
---|
| 6365 | { SUPHARDNT_ADVERSARY_PANDA, "PSINKNC" },
|
---|
| 6366 | { SUPHARDNT_ADVERSARY_PANDA, "PSINProc" },
|
---|
| 6367 | { SUPHARDNT_ADVERSARY_PANDA, "PSINProt" },
|
---|
| 6368 | { SUPHARDNT_ADVERSARY_PANDA, "PSINReg" },
|
---|
| 6369 | { SUPHARDNT_ADVERSARY_PANDA, "PSKMAD" },
|
---|
| 6370 | { SUPHARDNT_ADVERSARY_PANDA, "NNSAlpc" },
|
---|
| 6371 | { SUPHARDNT_ADVERSARY_PANDA, "NNSHttp" },
|
---|
| 6372 | { SUPHARDNT_ADVERSARY_PANDA, "NNShttps" },
|
---|
| 6373 | { SUPHARDNT_ADVERSARY_PANDA, "NNSIds" },
|
---|
| 6374 | { SUPHARDNT_ADVERSARY_PANDA, "NNSNAHSL" },
|
---|
| 6375 | { SUPHARDNT_ADVERSARY_PANDA, "NNSpicc" },
|
---|
| 6376 | { SUPHARDNT_ADVERSARY_PANDA, "NNSPihsw" },
|
---|
| 6377 | { SUPHARDNT_ADVERSARY_PANDA, "NNSPop3" },
|
---|
| 6378 | { SUPHARDNT_ADVERSARY_PANDA, "NNSProt" },
|
---|
| 6379 | { SUPHARDNT_ADVERSARY_PANDA, "NNSPrv" },
|
---|
| 6380 | { SUPHARDNT_ADVERSARY_PANDA, "NNSSmtp" },
|
---|
| 6381 | { SUPHARDNT_ADVERSARY_PANDA, "NNSStrm" },
|
---|
| 6382 | { SUPHARDNT_ADVERSARY_PANDA, "NNStlsc" },
|
---|
| 6383 |
|
---|
| 6384 | { SUPHARDNT_ADVERSARY_MSE, "NisDrv" },
|
---|
[52795] | 6385 |
|
---|
| 6386 | /*{ SUPHARDNT_ADVERSARY_COMODO, "cmdguard" }, file system */
|
---|
[60521] | 6387 | { SUPHARDNT_ADVERSARY_COMODO, "inspect" },
|
---|
| 6388 | { SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" },
|
---|
[52795] | 6389 |
|
---|
[66484] | 6390 | { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, "dgmaster" },
|
---|
[60521] | 6391 |
|
---|
[60733] | 6392 | { SUPHARDNT_ADVERSARY_CYLANCE, "cyprotectdrv" }, /* Not verified. */
|
---|
| 6393 |
|
---|
[79642] | 6394 | { SUPHARDNT_ADVERSARY_BEYONDTRUST, "privman" }, /* Not verified. */
|
---|
| 6395 | { SUPHARDNT_ADVERSARY_BEYONDTRUST, "privmanfi" }, /* Not verified. */
|
---|
[60767] | 6396 |
|
---|
[60936] | 6397 | { SUPHARDNT_ADVERSARY_AVECTO, "PGDriver" },
|
---|
[79642] | 6398 |
|
---|
| 6399 | { SUPHARDNT_ADVERSARY_SOPHOS, "SophosED" }, /* Not verified. */
|
---|
[80212] | 6400 |
|
---|
| 6401 | { SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT, "vmwicpdr" },
|
---|
[52741] | 6402 | };
|
---|
| 6403 |
|
---|
| 6404 | static const struct
|
---|
| 6405 | {
|
---|
| 6406 | uint32_t fAdversary;
|
---|
| 6407 | PCRTUTF16 pwszFile;
|
---|
| 6408 | } s_aFiles[] =
|
---|
| 6409 | {
|
---|
[54139] | 6410 | { SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\drivers\\SysPlant.sys" },
|
---|
| 6411 | { SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\sysfer.dll" },
|
---|
| 6412 | { SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\sysferThunk.dll" },
|
---|
[52741] | 6413 |
|
---|
| 6414 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ccsetx64.sys" },
|
---|
| 6415 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ironx64.sys" },
|
---|
| 6416 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtsp64.sys" },
|
---|
| 6417 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtspx64.sys" },
|
---|
| 6418 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symds64.sys" },
|
---|
| 6419 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symefa64.sys" },
|
---|
| 6420 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symelam.sys" },
|
---|
| 6421 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symnets.sys" },
|
---|
| 6422 | { SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\symevent64x86.sys" },
|
---|
| 6423 |
|
---|
| 6424 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswHwid.sys" },
|
---|
| 6425 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswMonFlt.sys" },
|
---|
| 6426 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRdr2.sys" },
|
---|
| 6427 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRvrt.sys" },
|
---|
| 6428 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswSnx.sys" },
|
---|
| 6429 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswsp.sys" },
|
---|
| 6430 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswStm.sys" },
|
---|
| 6431 | { SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswVmm.sys" },
|
---|
| 6432 |
|
---|
| 6433 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmcomm.sys" },
|
---|
| 6434 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmactmon.sys" },
|
---|
| 6435 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmevtmgr.sys" },
|
---|
| 6436 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmtdi.sys" },
|
---|
| 6437 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmebc64.sys" },
|
---|
| 6438 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmeevw.sys" },
|
---|
| 6439 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmciesc.sys" },
|
---|
[53017] | 6440 | { SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE, L"\\SystemRoot\\System32\\drivers\\sakfile.sys" }, /* Data Loss Prevention, not officescan. */
|
---|
| 6441 | { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\sakcd.sys" }, /* Data Loss Prevention, not officescan. */
|
---|
[52741] | 6442 |
|
---|
[53017] | 6443 |
|
---|
[52741] | 6444 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\cfwids.sys" },
|
---|
| 6445 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\McPvDrv.sys" },
|
---|
| 6446 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeapfk.sys" },
|
---|
| 6447 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeavfk.sys" },
|
---|
| 6448 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfefirek.sys" },
|
---|
| 6449 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfehidk.sys" },
|
---|
| 6450 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfencbdc.sys" },
|
---|
| 6451 | { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfewfpk.sys" },
|
---|
| 6452 |
|
---|
| 6453 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kl1.sys" },
|
---|
| 6454 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klflt.sys" },
|
---|
| 6455 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klif.sys" },
|
---|
| 6456 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klim6.sys" },
|
---|
| 6457 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klkbdflt.sys" },
|
---|
| 6458 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klmouflt.sys" },
|
---|
| 6459 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kltdi.sys" },
|
---|
| 6460 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kneps.sys" },
|
---|
| 6461 | { SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\klfphc.dll" },
|
---|
| 6462 |
|
---|
| 6463 | { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\MBAMSwissArmy.sys" },
|
---|
| 6464 | { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mwac.sys" },
|
---|
| 6465 | { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbamchameleon.sys" },
|
---|
| 6466 | { SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbam.sys" },
|
---|
| 6467 |
|
---|
| 6468 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgrkx64.sys" },
|
---|
| 6469 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgmfx64.sys" },
|
---|
| 6470 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsdrivera.sys" },
|
---|
| 6471 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsha.sys" },
|
---|
| 6472 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgtdia.sys" },
|
---|
| 6473 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgloga.sys" },
|
---|
| 6474 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgldx64.sys" },
|
---|
| 6475 | { SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgdiska.sys" },
|
---|
| 6476 |
|
---|
| 6477 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINAflt.sys" },
|
---|
| 6478 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINFile.sys" },
|
---|
| 6479 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINKNC.sys" },
|
---|
| 6480 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProc.sys" },
|
---|
| 6481 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProt.sys" },
|
---|
| 6482 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINReg.sys" },
|
---|
| 6483 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSKMAD.sys" },
|
---|
| 6484 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSAlpc.sys" },
|
---|
| 6485 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSHttp.sys" },
|
---|
| 6486 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNShttps.sys" },
|
---|
| 6487 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSIds.sys" },
|
---|
| 6488 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSNAHSL.sys" },
|
---|
| 6489 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSpicc.sys" },
|
---|
| 6490 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPihsw.sys" },
|
---|
| 6491 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPop3.sys" },
|
---|
| 6492 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSProt.sys" },
|
---|
| 6493 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPrv.sys" },
|
---|
| 6494 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSSmtp.sys" },
|
---|
| 6495 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSStrm.sys" },
|
---|
| 6496 | { SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNStlsc.sys" },
|
---|
| 6497 |
|
---|
| 6498 | { SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\MpFilter.sys" },
|
---|
| 6499 | { SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\NisDrvWFP.sys" },
|
---|
[52795] | 6500 |
|
---|
| 6501 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdguard.sys" },
|
---|
| 6502 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmderd.sys" },
|
---|
| 6503 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\inspect.sys" },
|
---|
| 6504 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdhlp.sys" },
|
---|
| 6505 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cfrmd.sys" },
|
---|
| 6506 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\hmd.sys" },
|
---|
| 6507 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\guard64.dll" },
|
---|
| 6508 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdvrt64.dll" },
|
---|
| 6509 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdkbd64.dll" },
|
---|
| 6510 | { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdcsr.dll" },
|
---|
[52906] | 6511 |
|
---|
| 6512 | { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\drivers\\vsdatant.sys" },
|
---|
| 6513 | { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\AntiTheftCredentialProvider.dll" },
|
---|
[53017] | 6514 |
|
---|
[66484] | 6515 | { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" },
|
---|
[60521] | 6516 |
|
---|
[60733] | 6517 | { SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv32.sys" },
|
---|
| 6518 | { SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv64.sys" },
|
---|
| 6519 |
|
---|
| 6520 | { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\drivers\\privman.sys" },
|
---|
[79642] | 6521 | { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\drivers\\privmanfi.sys" },
|
---|
[60733] | 6522 | { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman64.dll" },
|
---|
| 6523 | { SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman32.dll" },
|
---|
[60767] | 6524 |
|
---|
| 6525 | { SUPHARDNT_ADVERSARY_AVECTO, L"\\SystemRoot\\System32\\drivers\\PGDriver.sys" },
|
---|
[79642] | 6526 |
|
---|
| 6527 | { SUPHARDNT_ADVERSARY_SOPHOS, L"\\SystemRoot\\System32\\drivers\\SophosED.sys" }, // not verified
|
---|
[80212] | 6528 |
|
---|
| 6529 | { SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT, L"\\SystemRoot\\System32\\drivers\\vmwicpdr.sys" },
|
---|
| 6530 | { SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT, L"\\SystemRoot\\System32\\drivers\\ftsjail.sys" },
|
---|
[52741] | 6531 | };
|
---|
| 6532 |
|
---|
| 6533 | uint32_t fFound = 0;
|
---|
| 6534 |
|
---|
[52739] | 6535 | /*
|
---|
| 6536 | * Open the driver object directory.
|
---|
| 6537 | */
|
---|
| 6538 | UNICODE_STRING NtDirName = RTNT_CONSTANT_UNISTR(L"\\Driver");
|
---|
| 6539 |
|
---|
| 6540 | OBJECT_ATTRIBUTES ObjAttr;
|
---|
| 6541 | InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
| 6542 |
|
---|
| 6543 | HANDLE hDir;
|
---|
| 6544 | NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY | FILE_LIST_DIRECTORY, &ObjAttr);
|
---|
| 6545 | #ifdef VBOX_STRICT
|
---|
[64189] | 6546 | if (rcNt != STATUS_ACCESS_DENIED) /* non-admin */
|
---|
| 6547 | SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
|
---|
[52739] | 6548 | #endif
|
---|
[52741] | 6549 | if (NT_SUCCESS(rcNt))
|
---|
| 6550 | {
|
---|
| 6551 | /*
|
---|
| 6552 | * Enumerate it, looking for the driver.
|
---|
| 6553 | */
|
---|
| 6554 | ULONG uObjDirCtx = 0;
|
---|
| 6555 | for (;;)
|
---|
| 6556 | {
|
---|
| 6557 | uint32_t abBuffer[_64K + _1K];
|
---|
| 6558 | ULONG cbActual;
|
---|
| 6559 | rcNt = NtQueryDirectoryObject(hDir,
|
---|
| 6560 | abBuffer,
|
---|
| 6561 | sizeof(abBuffer) - 4, /* minus four for string terminator space. */
|
---|
| 6562 | FALSE /*ReturnSingleEntry */,
|
---|
| 6563 | FALSE /*RestartScan*/,
|
---|
| 6564 | &uObjDirCtx,
|
---|
| 6565 | &cbActual);
|
---|
| 6566 | if (!NT_SUCCESS(rcNt) || cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
|
---|
| 6567 | break;
|
---|
[52739] | 6568 |
|
---|
[52741] | 6569 | POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
|
---|
| 6570 | while (pObjDir->Name.Length != 0)
|
---|
| 6571 | {
|
---|
| 6572 | WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)];
|
---|
| 6573 | pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0';
|
---|
| 6574 |
|
---|
| 6575 | for (uint32_t i = 0; i < RT_ELEMENTS(s_aDrivers); i++)
|
---|
| 6576 | if (RTUtf16ICmpAscii(pObjDir->Name.Buffer, s_aDrivers[i].pszDriver) == 0)
|
---|
| 6577 | {
|
---|
| 6578 | fFound |= s_aDrivers[i].fAdversary;
|
---|
| 6579 | SUP_DPRINTF(("Found driver %s (%#x)\n", s_aDrivers[i].pszDriver, s_aDrivers[i].fAdversary));
|
---|
| 6580 | break;
|
---|
| 6581 | }
|
---|
| 6582 |
|
---|
| 6583 | pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved;
|
---|
| 6584 |
|
---|
| 6585 | /* Next directory entry. */
|
---|
| 6586 | pObjDir++;
|
---|
| 6587 | }
|
---|
| 6588 | }
|
---|
| 6589 |
|
---|
| 6590 | NtClose(hDir);
|
---|
| 6591 | }
|
---|
| 6592 | else
|
---|
| 6593 | SUP_DPRINTF(("NtOpenDirectoryObject failed on \\Driver: %#x\n", rcNt));
|
---|
| 6594 |
|
---|
[52739] | 6595 | /*
|
---|
[52741] | 6596 | * Look for files.
|
---|
[52739] | 6597 | */
|
---|
[52741] | 6598 | for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
|
---|
[52739] | 6599 | {
|
---|
[52741] | 6600 | HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
|
---|
| 6601 | IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
|
---|
| 6602 | UNICODE_STRING UniStrName;
|
---|
| 6603 | UniStrName.Buffer = (WCHAR *)s_aFiles[i].pwszFile;
|
---|
| 6604 | UniStrName.Length = (USHORT)(RTUtf16Len(s_aFiles[i].pwszFile) * sizeof(WCHAR));
|
---|
| 6605 | UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
|
---|
| 6606 | InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
|
---|
[53036] | 6607 | rcNt = NtCreateFile(&hFile, GENERIC_READ | SYNCHRONIZE, &ObjAttr, &Ios, NULL /* Allocation Size*/,
|
---|
| 6608 | FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
|
---|
| 6609 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL /*EaBuffer*/, 0 /*EaLength*/);
|
---|
[52741] | 6610 | if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
|
---|
[52739] | 6611 | {
|
---|
[52741] | 6612 | fFound |= s_aFiles[i].fAdversary;
|
---|
| 6613 | NtClose(hFile);
|
---|
[52739] | 6614 | }
|
---|
| 6615 | }
|
---|
| 6616 |
|
---|
| 6617 | /*
|
---|
[66484] | 6618 | * Log details and upgrade select adversaries.
|
---|
[52739] | 6619 | */
|
---|
[52741] | 6620 | SUP_DPRINTF(("supR3HardenedWinFindAdversaries: %#x\n", fFound));
|
---|
| 6621 | for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
|
---|
[66484] | 6622 | if (s_aFiles[i].fAdversary & fFound)
|
---|
| 6623 | {
|
---|
| 6624 | if (!(s_aFiles[i].fAdversary & SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD))
|
---|
| 6625 | supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, NULL, 0);
|
---|
| 6626 | else
|
---|
| 6627 | {
|
---|
| 6628 | /*
|
---|
| 6629 | * See if it's a newer version of the driver which doesn't BSODs when we free
|
---|
| 6630 | * its memory. To use RTStrVersionCompare we do a rough UTF-16 -> ASCII conversion.
|
---|
| 6631 | */
|
---|
| 6632 | union
|
---|
| 6633 | {
|
---|
| 6634 | char szFileVersion[64];
|
---|
| 6635 | RTUTF16 wszFileVersion[32];
|
---|
| 6636 | } uBuf;
|
---|
| 6637 | supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, uBuf.wszFileVersion, RT_ELEMENTS(uBuf.wszFileVersion));
|
---|
| 6638 | if (uBuf.wszFileVersion[0])
|
---|
| 6639 | {
|
---|
| 6640 | for (uint32_t off = 0; off < RT_ELEMENTS(uBuf.wszFileVersion); off++)
|
---|
| 6641 | {
|
---|
| 6642 | RTUTF16 wch = uBuf.wszFileVersion[off];
|
---|
| 6643 | uBuf.szFileVersion[off] = (char)wch;
|
---|
| 6644 | if (!wch)
|
---|
| 6645 | break;
|
---|
| 6646 | }
|
---|
| 6647 | uBuf.szFileVersion[RT_ELEMENTS(uBuf.wszFileVersion)] = '\0';
|
---|
[66529] | 6648 | #define VER_IN_RANGE(a_pszFirst, a_pszLast) \
|
---|
| 6649 | (RTStrVersionCompare(uBuf.szFileVersion, a_pszFirst) >= 0 && RTStrVersionCompare(uBuf.szFileVersion, a_pszLast) <= 0)
|
---|
[67550] | 6650 | if ( VER_IN_RANGE("7.3.2.0000", "999999999.9.9.9999")
|
---|
[66529] | 6651 | || VER_IN_RANGE("7.3.1.1000", "7.3.1.3000")
|
---|
| 6652 | || VER_IN_RANGE("7.3.0.3000", "7.3.0.999999999")
|
---|
| 6653 | || VER_IN_RANGE("7.2.1.3000", "7.2.999999999.999999999") )
|
---|
[66484] | 6654 | {
|
---|
| 6655 | uint32_t const fOldFound = fFound;
|
---|
| 6656 | fFound = (fOldFound & ~SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)
|
---|
| 6657 | | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW;
|
---|
| 6658 | SUP_DPRINTF(("supR3HardenedWinFindAdversaries: Found newer version: %#x -> %#x\n", fOldFound, fFound));
|
---|
| 6659 | }
|
---|
| 6660 | }
|
---|
| 6661 | }
|
---|
| 6662 | }
|
---|
[52739] | 6663 |
|
---|
| 6664 | return fFound;
|
---|
| 6665 | }
|
---|
| 6666 |
|
---|
| 6667 |
|
---|
[51770] | 6668 | extern "C" int main(int argc, char **argv, char **envp);
|
---|
| 6669 |
|
---|
| 6670 | /**
|
---|
| 6671 | * The executable entry point.
|
---|
| 6672 | *
|
---|
| 6673 | * This is normally taken care of by the C runtime library, but we don't want to
|
---|
| 6674 | * get involved with anything as complicated like the CRT in this setup. So, we
|
---|
| 6675 | * it everything ourselves, including parameter parsing.
|
---|
| 6676 | */
|
---|
| 6677 | extern "C" void __stdcall suplibHardenedWindowsMain(void)
|
---|
| 6678 | {
|
---|
[52169] | 6679 | RTEXITCODE rcExit = RTEXITCODE_FAILURE;
|
---|
[51770] | 6680 |
|
---|
| 6681 | g_cSuplibHardenedWindowsMainCalls++;
|
---|
[52941] | 6682 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EP_CALLED;
|
---|
[51770] | 6683 |
|
---|
| 6684 | /*
|
---|
[52356] | 6685 | * Initialize the NTDLL API wrappers. This aims at bypassing patched NTDLL
|
---|
| 6686 | * in all the processes leading up the VM process.
|
---|
| 6687 | */
|
---|
| 6688 | supR3HardenedWinInitImports();
|
---|
[52941] | 6689 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED;
|
---|
[52356] | 6690 |
|
---|
| 6691 | /*
|
---|
[52943] | 6692 | * Notify the parent process that we're probably capable of reporting our
|
---|
| 6693 | * own errors.
|
---|
| 6694 | */
|
---|
| 6695 | if (g_ProcParams.hEvtParent || g_ProcParams.hEvtChild)
|
---|
| 6696 | {
|
---|
[52949] | 6697 | SUPR3HARDENED_ASSERT(g_fSupEarlyProcessInit);
|
---|
[52969] | 6698 |
|
---|
| 6699 | g_ProcParams.enmRequest = kSupR3WinChildReq_CloseEvents;
|
---|
[52943] | 6700 | NtSetEvent(g_ProcParams.hEvtParent, NULL);
|
---|
[52969] | 6701 |
|
---|
[52943] | 6702 | NtClose(g_ProcParams.hEvtParent);
|
---|
| 6703 | NtClose(g_ProcParams.hEvtChild);
|
---|
| 6704 | g_ProcParams.hEvtParent = NULL;
|
---|
| 6705 | g_ProcParams.hEvtChild = NULL;
|
---|
| 6706 | }
|
---|
| 6707 | else
|
---|
[52949] | 6708 | SUPR3HARDENED_ASSERT(!g_fSupEarlyProcessInit);
|
---|
[52943] | 6709 |
|
---|
| 6710 | /*
|
---|
[52523] | 6711 | * After having resolved imports we patch the LdrInitializeThunk code so
|
---|
| 6712 | * that it's more difficult to invade our privacy by CreateRemoteThread.
|
---|
| 6713 | * We'll re-enable this after opening the driver or temporarily while respawning.
|
---|
| 6714 | */
|
---|
| 6715 | supR3HardenedWinDisableThreadCreation();
|
---|
| 6716 |
|
---|
| 6717 | /*
|
---|
[51770] | 6718 | * Init g_uNtVerCombined. (The code is shared with SUPR3.lib and lives in
|
---|
| 6719 | * SUPHardenedVerfiyImage-win.cpp.)
|
---|
| 6720 | */
|
---|
[59810] | 6721 | supR3HardenedWinInitVersion(false /*fEarly*/);
|
---|
[52941] | 6722 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERSION_INITIALIZED;
|
---|
[51770] | 6723 |
|
---|
| 6724 | /*
|
---|
[52169] | 6725 | * Convert the arguments to UTF-8 and open the log file if specified.
|
---|
| 6726 | * This must be done as early as possible since the code below may fail.
|
---|
| 6727 | */
|
---|
| 6728 | PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
|
---|
| 6729 | int cArgs;
|
---|
| 6730 | char **papszArgs = suplibCommandLineToArgvWStub(pCmdLineStr->Buffer, pCmdLineStr->Length / sizeof(WCHAR), &cArgs);
|
---|
| 6731 |
|
---|
| 6732 | supR3HardenedOpenLog(&cArgs, papszArgs);
|
---|
| 6733 |
|
---|
| 6734 | /*
|
---|
[52875] | 6735 | * Log information about important system files.
|
---|
[52739] | 6736 | */
|
---|
[66484] | 6737 | supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\ntdll.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/);
|
---|
| 6738 | supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\kernel32.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/);
|
---|
| 6739 | supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\KernelBase.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/);
|
---|
| 6740 | supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\apisetschema.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/);
|
---|
[52875] | 6741 |
|
---|
| 6742 | /*
|
---|
| 6743 | * Scan the system for adversaries, logging information about them.
|
---|
| 6744 | */
|
---|
[52739] | 6745 | g_fSupAdversaries = supR3HardenedWinFindAdversaries();
|
---|
| 6746 |
|
---|
| 6747 | /*
|
---|
[54560] | 6748 | * Get the executable name, make sure it's the long version.
|
---|
[51770] | 6749 | */
|
---|
[52356] | 6750 | DWORD cwcExecName = GetModuleFileNameW(GetModuleHandleW(NULL), g_wszSupLibHardenedExePath,
|
---|
[51770] | 6751 | RT_ELEMENTS(g_wszSupLibHardenedExePath));
|
---|
| 6752 | if (cwcExecName >= RT_ELEMENTS(g_wszSupLibHardenedExePath))
|
---|
| 6753 | supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, VERR_BUFFER_OVERFLOW,
|
---|
| 6754 | "The executable path is too long.");
|
---|
| 6755 |
|
---|
[54560] | 6756 | RTUTF16 wszLong[RT_ELEMENTS(g_wszSupLibHardenedExePath)];
|
---|
| 6757 | DWORD cwcLong = GetLongPathNameW(g_wszSupLibHardenedExePath, wszLong, RT_ELEMENTS(wszLong));
|
---|
| 6758 | if (cwcLong > 0)
|
---|
| 6759 | {
|
---|
| 6760 | memcpy(g_wszSupLibHardenedExePath, wszLong, (cwcLong + 1) * sizeof(RTUTF16));
|
---|
| 6761 | cwcExecName = cwcLong;
|
---|
| 6762 | }
|
---|
| 6763 |
|
---|
| 6764 | /* The NT version of it. */
|
---|
[51770] | 6765 | HANDLE hFile = CreateFileW(g_wszSupLibHardenedExePath, GENERIC_READ, FILE_SHARE_READ, NULL /*pSecurityAttributes*/,
|
---|
| 6766 | OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL /*hTemplateFile*/);
|
---|
| 6767 | if (hFile == NULL || hFile == INVALID_HANDLE_VALUE)
|
---|
[52940] | 6768 | supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, RTErrConvertFromWin32(RtlGetLastWin32Error()),
|
---|
| 6769 | "Error opening the executable: %u (%ls).", RtlGetLastWin32Error());
|
---|
[51770] | 6770 | RT_ZERO(g_SupLibHardenedExeNtPath);
|
---|
| 6771 | ULONG cbIgn;
|
---|
| 6772 | NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &g_SupLibHardenedExeNtPath,
|
---|
| 6773 | sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbIgn);
|
---|
| 6774 | if (!NT_SUCCESS(rcNt))
|
---|
| 6775 | supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, RTErrConvertFromNtStatus(rcNt),
|
---|
| 6776 | "NtQueryObject -> %#x (on %ls)\n", rcNt, g_wszSupLibHardenedExePath);
|
---|
[52139] | 6777 | NtClose(hFile);
|
---|
[51770] | 6778 |
|
---|
| 6779 | /* The NT executable name offset / dir path length. */
|
---|
| 6780 | g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
|
---|
| 6781 | while ( g_offSupLibHardenedExeNtName > 1
|
---|
| 6782 | && g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
|
---|
| 6783 | g_offSupLibHardenedExeNtName--;
|
---|
| 6784 |
|
---|
| 6785 | /*
|
---|
[56733] | 6786 | * Preliminary app binary path init. May change when SUPR3HardenedMain is
|
---|
| 6787 | * called (via main below).
|
---|
| 6788 | */
|
---|
| 6789 | supR3HardenedWinInitAppBin(SUPSECMAIN_FLAGS_LOC_APP_BIN);
|
---|
| 6790 |
|
---|
| 6791 | /*
|
---|
[52953] | 6792 | * If we've done early init already, register the DLL load notification
|
---|
| 6793 | * callback and reinstall the NtDll patches.
|
---|
| 6794 | */
|
---|
| 6795 | if (g_fSupEarlyProcessInit)
|
---|
| 6796 | {
|
---|
| 6797 | supR3HardenedWinRegisterDllNotificationCallback();
|
---|
| 6798 | supR3HardenedWinReInstallHooks(false /*fFirstCall */);
|
---|
[80212] | 6799 |
|
---|
| 6800 | /*
|
---|
| 6801 | * Flush user APCs before the g_enmSupR3HardenedMainState changes
|
---|
| 6802 | * and disables the APC restrictions.
|
---|
| 6803 | */
|
---|
| 6804 | NtTestAlert();
|
---|
[52953] | 6805 | }
|
---|
| 6806 |
|
---|
| 6807 | /*
|
---|
[52169] | 6808 | * Call the C/C++ main function.
|
---|
[51770] | 6809 | */
|
---|
[52169] | 6810 | SUP_DPRINTF(("Calling main()\n"));
|
---|
[51770] | 6811 | rcExit = (RTEXITCODE)main(cArgs, papszArgs, NULL);
|
---|
| 6812 |
|
---|
| 6813 | /*
|
---|
| 6814 | * Exit the process (never return).
|
---|
| 6815 | */
|
---|
[52169] | 6816 | SUP_DPRINTF(("Terminating the normal way: rcExit=%d\n", rcExit));
|
---|
[51770] | 6817 | suplibHardenedExit(rcExit);
|
---|
| 6818 | }
|
---|
| 6819 |
|
---|
[52943] | 6820 |
|
---|
| 6821 | /**
|
---|
| 6822 | * Reports an error to the parent process via the process parameter structure.
|
---|
| 6823 | *
|
---|
[52962] | 6824 | * @param pszWhere Where this error occured, if fatal message. NULL
|
---|
| 6825 | * if not message.
|
---|
| 6826 | * @param enmWhat Which init operation went wrong if fatal
|
---|
| 6827 | * message. kSupInitOp_Invalid if not message.
|
---|
[52943] | 6828 | * @param rc The status code to report.
|
---|
| 6829 | * @param pszFormat The format string.
|
---|
| 6830 | * @param va The format arguments.
|
---|
| 6831 | */
|
---|
[52962] | 6832 | DECLHIDDEN(void) supR3HardenedWinReportErrorToParent(const char *pszWhere, SUPINITOP enmWhat, int rc,
|
---|
| 6833 | const char *pszFormat, va_list va)
|
---|
[52943] | 6834 | {
|
---|
[52962] | 6835 | if (pszWhere)
|
---|
| 6836 | RTStrCopy(g_ProcParams.szWhere, sizeof(g_ProcParams.szWhere), pszWhere);
|
---|
| 6837 | else
|
---|
| 6838 | g_ProcParams.szWhere[0] = '\0';
|
---|
[52943] | 6839 | RTStrPrintfV(g_ProcParams.szErrorMsg, sizeof(g_ProcParams.szErrorMsg), pszFormat, va);
|
---|
[52962] | 6840 | g_ProcParams.enmWhat = enmWhat;
|
---|
| 6841 | g_ProcParams.rc = RT_SUCCESS(rc) ? VERR_INTERNAL_ERROR_2 : rc;
|
---|
[52969] | 6842 | g_ProcParams.enmRequest = kSupR3WinChildReq_Error;
|
---|
[52943] | 6843 |
|
---|
[52969] | 6844 | NtClearEvent(g_ProcParams.hEvtChild);
|
---|
[52943] | 6845 | NTSTATUS rcNt = NtSetEvent(g_ProcParams.hEvtParent, NULL);
|
---|
| 6846 | if (NT_SUCCESS(rcNt))
|
---|
| 6847 | {
|
---|
| 6848 | LARGE_INTEGER Timeout;
|
---|
| 6849 | Timeout.QuadPart = -300000000; /* 30 second */
|
---|
[62677] | 6850 | /*NTSTATUS rcNt =*/ NtWaitForSingleObject(g_ProcParams.hEvtChild, FALSE /*Alertable*/, &Timeout);
|
---|
[52943] | 6851 | }
|
---|
| 6852 | }
|
---|
| 6853 |
|
---|
| 6854 |
|
---|
| 6855 | /**
|
---|
[52949] | 6856 | * Routine called by the supR3HardenedEarlyProcessInitThunk assembly routine
|
---|
[58363] | 6857 | * when LdrInitializeThunk is executed during process initialization.
|
---|
[52943] | 6858 | *
|
---|
[52949] | 6859 | * This initializes the Stub and VM processes, hooking NTDLL APIs and opening
|
---|
| 6860 | * the device driver before any other DLLs gets loaded into the process. This
|
---|
| 6861 | * greately reduces and controls the trusted code base of the process compared
|
---|
| 6862 | * to opening the driver from SUPR3HardenedMain. It also avoids issues with so
|
---|
| 6863 | * call protection software that is in the habit of patching half of the ntdll
|
---|
| 6864 | * and kernel32 APIs in the process, making it almost indistinguishable from
|
---|
[96166] | 6865 | * software that is up to no good. Once we've opened vboxdrv (renamed to
|
---|
| 6866 | * vboxsup in 7.0 and 6.1.34), the process should be locked down so tightly
|
---|
| 6867 | * that only kernel software and csrss can mess with the process.
|
---|
[52943] | 6868 | */
|
---|
[52949] | 6869 | DECLASM(uintptr_t) supR3HardenedEarlyProcessInit(void)
|
---|
[52943] | 6870 | {
|
---|
| 6871 | /*
|
---|
[52969] | 6872 | * When the first thread gets here we wait for the parent to continue with
|
---|
| 6873 | * the process purifications. The primary thread must execute for image
|
---|
| 6874 | * load notifications to trigger, at least in more recent windows versions.
|
---|
| 6875 | * The old trick of starting a different thread that terminates immediately
|
---|
| 6876 | * thus doesn't work.
|
---|
| 6877 | *
|
---|
| 6878 | * We are not allowed to modify any data at this point because it will be
|
---|
| 6879 | * reset by the child process purification the parent does when we stop. To
|
---|
| 6880 | * sabotage thread creation during purification, and to avoid unnecessary
|
---|
| 6881 | * work for the parent, we reset g_ProcParams before signalling the parent
|
---|
| 6882 | * here.
|
---|
[52943] | 6883 | */
|
---|
[52969] | 6884 | if (g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
|
---|
[52943] | 6885 | {
|
---|
| 6886 | NtTerminateThread(0, 0);
|
---|
[52969] | 6887 | return 0x22; /* crash */
|
---|
[52943] | 6888 | }
|
---|
| 6889 |
|
---|
[52969] | 6890 | /* Retrieve the data we need. */
|
---|
| 6891 | uintptr_t uNtDllAddr = ASMAtomicXchgPtrT(&g_ProcParams.uNtDllAddr, 0, uintptr_t);
|
---|
| 6892 | if (!RT_VALID_PTR(uNtDllAddr))
|
---|
| 6893 | {
|
---|
| 6894 | NtTerminateThread(0, 0);
|
---|
| 6895 | return 0x23; /* crash */
|
---|
| 6896 | }
|
---|
| 6897 |
|
---|
| 6898 | HANDLE hEvtChild = g_ProcParams.hEvtChild;
|
---|
| 6899 | HANDLE hEvtParent = g_ProcParams.hEvtParent;
|
---|
| 6900 | if ( hEvtChild == NULL
|
---|
| 6901 | || hEvtChild == RTNT_INVALID_HANDLE_VALUE
|
---|
| 6902 | || hEvtParent == NULL
|
---|
| 6903 | || hEvtParent == RTNT_INVALID_HANDLE_VALUE)
|
---|
| 6904 | {
|
---|
| 6905 | NtTerminateThread(0, 0);
|
---|
| 6906 | return 0x24; /* crash */
|
---|
| 6907 | }
|
---|
| 6908 |
|
---|
| 6909 | /* Resolve the APIs we need. */
|
---|
| 6910 | PFNNTWAITFORSINGLEOBJECT pfnNtWaitForSingleObject;
|
---|
| 6911 | PFNNTSETEVENT pfnNtSetEvent;
|
---|
| 6912 | supR3HardenedWinGetVeryEarlyImports(uNtDllAddr, &pfnNtWaitForSingleObject, &pfnNtSetEvent);
|
---|
| 6913 |
|
---|
| 6914 | /* Signal the parent that we're ready for purification. */
|
---|
| 6915 | RT_ZERO(g_ProcParams);
|
---|
| 6916 | g_ProcParams.enmRequest = kSupR3WinChildReq_PurifyChildAndCloseHandles;
|
---|
| 6917 | NTSTATUS rcNt = pfnNtSetEvent(hEvtParent, NULL);
|
---|
| 6918 | if (rcNt != STATUS_SUCCESS)
|
---|
| 6919 | return 0x33; /* crash */
|
---|
| 6920 |
|
---|
| 6921 | /* Wait up to 2 mins for the parent to exorcise evil. */
|
---|
| 6922 | LARGE_INTEGER Timeout;
|
---|
| 6923 | Timeout.QuadPart = -1200000000; /* 120 second */
|
---|
[80212] | 6924 | rcNt = pfnNtWaitForSingleObject(hEvtChild, FALSE /*Alertable (never alertable before hooking!) */, &Timeout);
|
---|
[52969] | 6925 | if (rcNt != STATUS_SUCCESS)
|
---|
| 6926 | return 0x34; /* crash */
|
---|
| 6927 |
|
---|
[52943] | 6928 | /*
|
---|
[52969] | 6929 | * We're good to go, work global state and restore process parameters.
|
---|
| 6930 | * Note that we will not restore uNtDllAddr since that is our first defence
|
---|
| 6931 | * against unwanted threads (see above).
|
---|
| 6932 | */
|
---|
| 6933 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_INIT_CALLED;
|
---|
| 6934 | g_fSupEarlyProcessInit = true;
|
---|
| 6935 |
|
---|
| 6936 | g_ProcParams.hEvtChild = hEvtChild;
|
---|
| 6937 | g_ProcParams.hEvtParent = hEvtParent;
|
---|
| 6938 | g_ProcParams.enmRequest = kSupR3WinChildReq_Error;
|
---|
| 6939 | g_ProcParams.rc = VINF_SUCCESS;
|
---|
| 6940 |
|
---|
| 6941 | /*
|
---|
[52943] | 6942 | * Initialize the NTDLL imports that we consider usable before the
|
---|
| 6943 | * process has been initialized.
|
---|
| 6944 | */
|
---|
[52969] | 6945 | supR3HardenedWinInitImportsEarly(uNtDllAddr);
|
---|
[52943] | 6946 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_IMPORTS_RESOLVED;
|
---|
| 6947 |
|
---|
| 6948 | /*
|
---|
| 6949 | * Init g_uNtVerCombined as well as we can at this point.
|
---|
| 6950 | */
|
---|
[59810] | 6951 | supR3HardenedWinInitVersion(true /*fEarly*/);
|
---|
[52943] | 6952 |
|
---|
| 6953 | /*
|
---|
| 6954 | * Convert the arguments to UTF-8 so we can open the log file if specified.
|
---|
[52973] | 6955 | * We may have to normalize the pointer on older windows version (not w7/64 +).
|
---|
[52943] | 6956 | * Note! This leaks memory at present.
|
---|
| 6957 | */
|
---|
[52973] | 6958 | PRTL_USER_PROCESS_PARAMETERS pUserProcParams = NtCurrentPeb()->ProcessParameters;
|
---|
| 6959 | UNICODE_STRING CmdLineStr = pUserProcParams->CommandLine;
|
---|
| 6960 | if ( CmdLineStr.Buffer != NULL
|
---|
| 6961 | && !(pUserProcParams->Flags & RTL_USER_PROCESS_PARAMS_FLAG_NORMALIZED) )
|
---|
| 6962 | CmdLineStr.Buffer = (WCHAR *)((uintptr_t)CmdLineStr.Buffer + (uintptr_t)pUserProcParams);
|
---|
[52943] | 6963 | int cArgs;
|
---|
[52973] | 6964 | char **papszArgs = suplibCommandLineToArgvWStub(CmdLineStr.Buffer, CmdLineStr.Length / sizeof(WCHAR), &cArgs);
|
---|
[52943] | 6965 | supR3HardenedOpenLog(&cArgs, papszArgs);
|
---|
[80218] | 6966 | SUP_DPRINTF(("supR3HardenedVmProcessInit: uNtDllAddr=%p g_uNtVerCombined=%#x (stack ~%p)\n",
|
---|
| 6967 | uNtDllAddr, g_uNtVerCombined, &Timeout));
|
---|
[52943] | 6968 |
|
---|
| 6969 | /*
|
---|
[52967] | 6970 | * Set up the direct system calls so we can more easily hook NtCreateSection.
|
---|
| 6971 | */
|
---|
[60700] | 6972 | RTERRINFOSTATIC ErrInfo;
|
---|
| 6973 | supR3HardenedWinInitSyscalls(true /*fReportErrors*/, RTErrInfoInitStatic(&ErrInfo));
|
---|
[52967] | 6974 |
|
---|
| 6975 | /*
|
---|
[52943] | 6976 | * Determine the executable path and name. Will NOT determine the windows style
|
---|
| 6977 | * executable path here as we don't need it.
|
---|
| 6978 | */
|
---|
| 6979 | SIZE_T cbActual = 0;
|
---|
| 6980 | rcNt = NtQueryVirtualMemory(NtCurrentProcess(), &g_ProcParams, MemorySectionName, &g_SupLibHardenedExeNtPath,
|
---|
| 6981 | sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbActual);
|
---|
| 6982 | if ( !NT_SUCCESS(rcNt)
|
---|
| 6983 | || g_SupLibHardenedExeNtPath.UniStr.Length == 0
|
---|
| 6984 | || g_SupLibHardenedExeNtPath.UniStr.Length & 1)
|
---|
| 6985 | supR3HardenedFatal("NtQueryVirtualMemory/MemorySectionName failed in supR3HardenedVmProcessInit: %#x\n", rcNt);
|
---|
| 6986 |
|
---|
| 6987 | /* The NT executable name offset / dir path length. */
|
---|
| 6988 | g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
|
---|
| 6989 | while ( g_offSupLibHardenedExeNtName > 1
|
---|
| 6990 | && g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
|
---|
| 6991 | g_offSupLibHardenedExeNtName--;
|
---|
| 6992 |
|
---|
| 6993 | /*
|
---|
[56733] | 6994 | * Preliminary app binary path init. May change when SUPR3HardenedMain is called.
|
---|
| 6995 | */
|
---|
| 6996 | supR3HardenedWinInitAppBin(SUPSECMAIN_FLAGS_LOC_APP_BIN);
|
---|
| 6997 |
|
---|
| 6998 | /*
|
---|
[52943] | 6999 | * Initialize the image verification stuff (hooks LdrLoadDll and NtCreateSection).
|
---|
| 7000 | */
|
---|
| 7001 | supR3HardenedWinInit(0, false /*fAvastKludge*/);
|
---|
| 7002 |
|
---|
| 7003 | /*
|
---|
| 7004 | * Open the driver.
|
---|
| 7005 | */
|
---|
[52949] | 7006 | if (cArgs >= 1 && suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_1_ARG0) == 0)
|
---|
| 7007 | {
|
---|
[96166] | 7008 | SUP_DPRINTF(("supR3HardenedVmProcessInit: Opening vboxsup stub...\n"));
|
---|
[52949] | 7009 | supR3HardenedWinOpenStubDevice();
|
---|
[60936] | 7010 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_STUB_DEVICE_OPENED;
|
---|
[52949] | 7011 | }
|
---|
| 7012 | else if (cArgs >= 1 && suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_2_ARG0) == 0)
|
---|
| 7013 | {
|
---|
[96166] | 7014 | SUP_DPRINTF(("supR3HardenedVmProcessInit: Opening vboxsup...\n"));
|
---|
[52949] | 7015 | supR3HardenedMainOpenDevice();
|
---|
[60936] | 7016 | g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_REAL_DEVICE_OPENED;
|
---|
[52949] | 7017 | }
|
---|
| 7018 | else
|
---|
| 7019 | supR3HardenedFatal("Unexpected first argument '%s'!\n", papszArgs[0]);
|
---|
[52943] | 7020 |
|
---|
| 7021 | /*
|
---|
[52953] | 7022 | * Reinstall the NtDll patches since there is a slight possibility that
|
---|
| 7023 | * someone undid them while we where busy opening the device.
|
---|
| 7024 | */
|
---|
| 7025 | supR3HardenedWinReInstallHooks(false /*fFirstCall */);
|
---|
| 7026 |
|
---|
| 7027 | /*
|
---|
[52943] | 7028 | * Restore the LdrInitializeThunk code so we can initialize the process
|
---|
| 7029 | * normally when we return.
|
---|
| 7030 | */
|
---|
[52969] | 7031 | SUP_DPRINTF(("supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...\n"));
|
---|
[52943] | 7032 | PSUPHNTLDRCACHEENTRY pLdrEntry;
|
---|
[60700] | 7033 | int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry, RTErrInfoInitStatic(&ErrInfo));
|
---|
[52943] | 7034 | if (RT_FAILURE(rc))
|
---|
[60700] | 7035 | supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheOpen failed on NTDLL: %Rrc %s\n",
|
---|
| 7036 | rc, ErrInfo.Core.pszMsg);
|
---|
[52943] | 7037 |
|
---|
[52947] | 7038 | uint8_t *pbBits;
|
---|
[60700] | 7039 | rc = supHardNtLdrCacheEntryGetBits(pLdrEntry, &pbBits, uNtDllAddr, NULL, NULL, RTErrInfoInitStatic(&ErrInfo));
|
---|
[52947] | 7040 | if (RT_FAILURE(rc))
|
---|
[60700] | 7041 | supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheEntryGetBits failed on NTDLL: %Rrc %s\n",
|
---|
| 7042 | rc, ErrInfo.Core.pszMsg);
|
---|
[52947] | 7043 |
|
---|
[52943] | 7044 | RTLDRADDR uValue;
|
---|
[52969] | 7045 | rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbBits, uNtDllAddr, UINT32_MAX, "LdrInitializeThunk", &uValue);
|
---|
[52943] | 7046 | if (RT_FAILURE(rc))
|
---|
| 7047 | supR3HardenedFatal("supR3HardenedVmProcessInit: Failed to find LdrInitializeThunk (%Rrc).\n", rc);
|
---|
| 7048 |
|
---|
[52947] | 7049 | PVOID pvLdrInitThunk = (PVOID)(uintptr_t)uValue;
|
---|
[52943] | 7050 | SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READWRITE));
|
---|
[52969] | 7051 | memcpy(pvLdrInitThunk, pbBits + ((uintptr_t)uValue - uNtDllAddr), 16);
|
---|
[52943] | 7052 | SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READ));
|
---|
| 7053 |
|
---|
[52969] | 7054 | SUP_DPRINTF(("supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...\n"));
|
---|
[52943] | 7055 | return (uintptr_t)pvLdrInitThunk;
|
---|
| 7056 | }
|
---|
| 7057 |
|
---|