Context Navigation

SUPR3HardenedMain-win.cpp @ 67981

Revision 67981, 277.4 KB checked in by vboxsync, 3 months ago (diff)
Windows 7+
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`

Line
1	/* $Id$ */
2	/** @file
3	* VirtualBox Support Library - Hardened main(), windows bits.
4	*/
5
6	/*
7	* Copyright (C) 2006-2016 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#include <iprt/nt/nt-and-windows.h>
32	#include <AccCtrl.h>
33	#include <AclApi.h>
34	#ifndef PROCESS_SET_LIMITED_INFORMATION
35	# define PROCESS_SET_LIMITED_INFORMATION 0x2000
36	#endif
37	#ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR
38	# define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR UINT32_C(0x100)
39	# define LOAD_LIBRARY_SEARCH_APPLICATION_DIR UINT32_C(0x200)
40	# define LOAD_LIBRARY_SEARCH_USER_DIRS UINT32_C(0x400)
41	# define LOAD_LIBRARY_SEARCH_SYSTEM32 UINT32_C(0x800)
42	#endif
43
44	#include <VBox/sup.h>
45	#include <VBox/err.h>
46	#include <VBox/dis.h>
47	#include <iprt/ctype.h>
48	#include <iprt/string.h>
49	#include <iprt/initterm.h>
50	#include <iprt/param.h>
51	#include <iprt/path.h>
52	#include <iprt/thread.h>
53	#include <iprt/zero.h>
54
55	#include "SUPLibInternal.h"
56	#include "win/SUPHardenedVerify-win.h"
57	#include "../SUPDrvIOC.h"
58
59	#ifndef IMAGE_SCN_TYPE_NOLOAD
60	# define IMAGE_SCN_TYPE_NOLOAD 0x00000002
61	#endif
62
63
64	/*********************************************************************************************************************************
65	* Defined Constants And Macros *
66	*********************************************************************************************************************************/
67	/** The first argument of a respawed stub when respawned for the first time.
68	* This just needs to be unique enough to avoid most confusion with real
69	* executable names, there are other checks in place to make sure we've respanwed. */
70	#define SUPR3_RESPAWN_1_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild"
71
72	/** The first argument of a respawed stub when respawned for the second time.
73	* This just needs to be unique enough to avoid most confusion with real
74	* executable names, there are other checks in place to make sure we've respanwed. */
75	#define SUPR3_RESPAWN_2_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild"
76
77	/** Unconditional assertion. */
78	#define SUPR3HARDENED_ASSERT(a_Expr) \
79	do { \
80	if (!(a_Expr)) \
81	supR3HardenedFatal("%s: %s\n", __FUNCTION__, #a_Expr); \
82	} while (0)
83
84	/** Unconditional assertion of NT_SUCCESS. */
85	#define SUPR3HARDENED_ASSERT_NT_SUCCESS(a_Expr) \
86	do { \
87	NTSTATUS rcNtAssert = (a_Expr); \
88	if (!NT_SUCCESS(rcNtAssert)) \
89	supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, rcNtAssert); \
90	} while (0)
91
92	/** Unconditional assertion of a WIN32 API returning non-FALSE. */
93	#define SUPR3HARDENED_ASSERT_WIN32_SUCCESS(a_Expr) \
94	do { \
95	BOOL fRcAssert = (a_Expr); \
96	if (fRcAssert == FALSE) \
97	supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, RtlGetLastWin32Error()); \
98	} while (0)
99
100
101	/*********************************************************************************************************************************
102	* Structures and Typedefs *
103	*********************************************************************************************************************************/
104	/**
105	* Security descriptor cleanup structure.
106	*/
107	typedef struct MYSECURITYCLEANUP
108	{
109	union
110	{
111	SID Sid;
112	uint8_t abPadding[SECURITY_MAX_SID_SIZE];
113	} Everyone, Owner, User, Login;
114	union
115	{
116	ACL AclHdr;
117	uint8_t abPadding[1024];
118	} Acl;
119	PSECURITY_DESCRIPTOR pSecDesc;
120	} MYSECURITYCLEANUP;
121	/** Pointer to security cleanup structure. */
122	typedef MYSECURITYCLEANUP *PMYSECURITYCLEANUP;
123
124
125	/**
126	* Image verifier cache entry.
127	*/
128	typedef struct VERIFIERCACHEENTRY
129	{
130	/** Pointer to the next entry with the same hash value. */
131	struct VERIFIERCACHEENTRY * volatile pNext;
132	/** Next entry in the WinVerifyTrust todo list. */
133	struct VERIFIERCACHEENTRY * volatile pNextTodoWvt;
134
135	/** The file handle. */
136	HANDLE hFile;
137	/** If fIndexNumber is set, this is an file system internal file identifier. */
138	LARGE_INTEGER IndexNumber;
139	/** The path hash value. */
140	uint32_t uHash;
141	/** The verification result. */
142	int rc;
143	/** Used for shutting up load and error messages after a while so they don't
144	* flood the log file and fill up the disk. */
145	uint32_t volatile cHits;
146	/** The validation flags (for WinVerifyTrust retry). */
147	uint32_t fFlags;
148	/** Whether IndexNumber is valid */
149	bool fIndexNumberValid;
150	/** Whether verified by WinVerifyTrust. */
151	bool volatile fWinVerifyTrust;
152	/** cwcPath * sizeof(RTUTF16). */
153	uint16_t cbPath;
154	/** The full path of this entry (variable size). */
155	RTUTF16 wszPath[1];
156	} VERIFIERCACHEENTRY;
157	/** Pointer to an image verifier path entry. */
158	typedef VERIFIERCACHEENTRY *PVERIFIERCACHEENTRY;
159
160
161	/**
162	* Name of an import DLL that we need to check out.
163	*/
164	typedef struct VERIFIERCACHEIMPORT
165	{
166	/** Pointer to the next DLL in the list. */
167	struct VERIFIERCACHEIMPORT * volatile pNext;
168	/** The length of pwszAltSearchDir if available. */
169	uint32_t cwcAltSearchDir;
170	/** This points the directory containing the DLL needing it, this will be
171	* NULL for a System32 DLL. */
172	PWCHAR pwszAltSearchDir;
173	/** The name of the import DLL (variable length). */
174	char szName[1];
175	} VERIFIERCACHEIMPORT;
176	/** Pointer to a import DLL that needs checking out. */
177	typedef VERIFIERCACHEIMPORT *PVERIFIERCACHEIMPORT;
178
179
180	/**
181	* Child requests.
182	*/
183	typedef enum SUPR3WINCHILDREQ
184	{
185	/** Perform child purification and close full access handles (must be zero). */
186	kSupR3WinChildReq_PurifyChildAndCloseHandles = 0,
187	/** Close the events, we're good on our own from here on. */
188	kSupR3WinChildReq_CloseEvents,
189	/** Reporting error. */
190	kSupR3WinChildReq_Error,
191	/** End of valid requests. */
192	kSupR3WinChildReq_End
193	} SUPR3WINCHILDREQ;
194
195	/**
196	* Child process parameters.
197	*/
198	typedef struct SUPR3WINPROCPARAMS
199	{
200	/** The event semaphore the child will be waiting on. */
201	HANDLE hEvtChild;
202	/** The event semaphore the parent will be waiting on. */
203	HANDLE hEvtParent;
204
205	/** The address of the NTDLL. This is only valid during the very early
206	* initialization as we abuse for thread creation protection. */
207	uintptr_t uNtDllAddr;
208
209	/** The requested operation (set by the child). */
210	SUPR3WINCHILDREQ enmRequest;
211	/** The last status. */
212	int32_t rc;
213	/** The init operation the error relates to if message, kSupInitOp_Invalid if
214	* not message. */
215	SUPINITOP enmWhat;
216	/** Where if message. */
217	char szWhere[80];
218	/** Error message / path name string space. */
219	char szErrorMsg[16384+1024];
220	} SUPR3WINPROCPARAMS;
221
222
223	/**
224	* Child process data structure for use during child process init setup and
225	* purification.
226	*/
227	typedef struct SUPR3HARDNTCHILD
228	{
229	/** Process handle. */
230	HANDLE hProcess;
231	/** Primary thread handle. */
232	HANDLE hThread;
233	/** Handle to the parent process, if we're the middle (stub) process. */
234	HANDLE hParent;
235	/** The event semaphore the child will be waiting on. */
236	HANDLE hEvtChild;
237	/** The event semaphore the parent will be waiting on. */
238	HANDLE hEvtParent;
239	/** The address of NTDLL in the child. */
240	uintptr_t uNtDllAddr;
241	/** The address of NTDLL in this process. */
242	uintptr_t uNtDllParentAddr;
243	/** Which respawn number this is (1 = stub, 2 = VM). */
244	int iWhich;
245	/** The basic process info. */
246	PROCESS_BASIC_INFORMATION BasicInfo;
247	/** The probable size of the PEB. */
248	size_t cbPeb;
249	/** The pristine process environment block. */
250	PEB Peb;
251	/** The child process parameters. */
252	SUPR3WINPROCPARAMS ProcParams;
253	} SUPR3HARDNTCHILD;
254	/** Pointer to a child process data structure. */
255	typedef SUPR3HARDNTCHILD *PSUPR3HARDNTCHILD;
256
257
258	/*********************************************************************************************************************************
259	* Global Variables *
260	*********************************************************************************************************************************/
261	/** Process parameters. Specified by parent if VM process, see
262	* supR3HardenedVmProcessInit. */
263	static SUPR3WINPROCPARAMS g_ProcParams = { NULL, NULL, 0, (SUPR3WINCHILDREQ)0, 0 };
264	/** Set if supR3HardenedEarlyProcessInit was invoked. */
265	bool g_fSupEarlyProcessInit = false;
266	/** Set if the stub device has been opened (stub process only). */
267	bool g_fSupStubOpened = false;
268
269	/** @name Global variables initialized by suplibHardenedWindowsMain.
270	* @{ */
271	/** Combined windows NT version number. See SUP_MAKE_NT_VER_COMBINED. */
272	uint32_t g_uNtVerCombined = 0;
273	/** Count calls to the special main function for linking santity checks. */
274	static uint32_t volatile g_cSuplibHardenedWindowsMainCalls;
275	/** The UTF-16 windows path to the executable. */
276	RTUTF16 g_wszSupLibHardenedExePath[1024];
277	/** The NT path of the executable. */
278	SUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;
279	/** The NT path of the application binary directory. */
280	SUPSYSROOTDIRBUF g_SupLibHardenedAppBinNtPath;
281	/** The offset into g_SupLibHardenedExeNtPath of the executable name (WCHAR,
282	* not byte). This also gives the length of the exectuable directory path,
283	* including a trailing slash. */
284	static uint32_t g_offSupLibHardenedExeNtName;
285	/** Set if we need to use the LOAD_LIBRARY_SEARCH_USER_DIRS option. */
286	bool g_fSupLibHardenedDllSearchUserDirs = false;
287	/** @} */
288
289	/** @name Hook related variables.
290	* @{ */
291	/** Pointer to the bit of assembly code that will perform the original
292	* NtCreateSection operation. */
293	static NTSTATUS (NTAPI * g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
294	PLARGE_INTEGER, ULONG, ULONG, HANDLE);
295	/** Pointer to the NtCreateSection function in NtDll (for patching purposes). */
296	static uint8_t *g_pbNtCreateSection;
297	/** The patched NtCreateSection bytes (for restoring). */
298	static uint8_t g_abNtCreateSectionPatch[16];
299	/** Pointer to the bit of assembly code that will perform the original
300	* LdrLoadDll operation. */
301	static NTSTATUS (NTAPI * g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
302	/** Pointer to the LdrLoadDll function in NtDll (for patching purposes). */
303	static uint8_t *g_pbLdrLoadDll;
304	/** The patched LdrLoadDll bytes (for restoring). */
305	static uint8_t g_abLdrLoadDllPatch[16];
306
307	/** The hash table of verifier cache . */
308	static PVERIFIERCACHEENTRY volatile g_apVerifierCache[128];
309	/** Queue of cached images which needs WinVerifyTrust to check them. */
310	static PVERIFIERCACHEENTRY volatile g_pVerifierCacheTodoWvt = NULL;
311	/** Queue of cached images which needs their imports checked. */
312	static PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;
313
314	/** The windows path to dir \\SystemRoot\\System32 directory (technically
315	* this whatever \\KnownDlls\\KnownDllPath points to). */
316	SUPSYSROOTDIRBUF g_System32WinPath;
317	/** @ */
318
319	/** Positive if the DLL notification callback has been registered, counts
320	* registration attempts as negative. */
321	static int g_cDllNotificationRegistered = 0;
322	/** The registration cookie of the DLL notification callback. */
323	static PVOID g_pvDllNotificationCookie = NULL;
324
325	/** Static error info structure used during init. */
326	static RTERRINFOSTATIC g_ErrInfoStatic;
327
328	/** In the assembly file. */
329	extern "C" uint8_t g_abSupHardReadWriteExecPage[PAGE_SIZE];
330
331	/** Whether we've patched our own LdrInitializeThunk or not. We do this to
332	* disable thread creation. */
333	static bool g_fSupInitThunkSelfPatched;
334	/** The backup of our own LdrInitializeThunk code, for enabling and disabling
335	* thread creation in this process. */
336	static uint8_t g_abLdrInitThunkSelfBackup[16];
337
338	/** Mask of adversaries that we've detected (SUPHARDNT_ADVERSARY_XXX). */
339	static uint32_t g_fSupAdversaries = 0;
340	/** @name SUPHARDNT_ADVERSARY_XXX - Adversaries
341	* @{ */
342	/** Symantec endpoint protection or similar including SysPlant.sys. */
343	#define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0)
344	/** Symantec Norton 360. */
345	#define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1)
346	/** Avast! */
347	#define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2)
348	/** TrendMicro OfficeScan and probably others. */
349	#define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3)
350	/** TrendMicro potentially buggy sakfile.sys. */
351	#define SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE RT_BIT_32(4)
352	/** McAfee. */
353	#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(5)
354	/** Kaspersky or OEMs of it. */
355	#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(6)
356	/** Malwarebytes Anti-Malware (MBAM). */
357	#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(7)
358	/** AVG Internet Security. */
359	#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(8)
360	/** Panda Security. */
361	#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(9)
362	/** Microsoft Security Essentials. */
363	#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(10)
364	/** Comodo. */
365	#define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(11)
366	/** Check Point's Zone Alarm (may include Kaspersky). */
367	#define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(12)
368	/** Digital guardian, old problematic version. */
369	#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD RT_BIT_32(13)
370	/** Digital guardian, new version. */
371	#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW RT_BIT_32(14)
372	/** Cylance protect or something (from googling, no available sample copy). */
373	#define SUPHARDNT_ADVERSARY_CYLANCE RT_BIT_32(15)
374	/** BeyondTrust / PowerBroker / something (googling, no available sample copy). */
375	#define SUPHARDNT_ADVERSARY_BEYONDTRUST RT_BIT_32(16)
376	/** Avecto / Defendpoint / Privilege Guard (details from support guy, hoping to get sample copy). */
377	#define SUPHARDNT_ADVERSARY_AVECTO RT_BIT_32(17)
378	/** Unknown adversary detected while waiting on child. */
379	#define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31)
380	/** @} */
381
382
383	/*********************************************************************************************************************************
384	* Internal Functions *
385	*********************************************************************************************************************************/
386	static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,
387	bool pfCallRealApi, const char pszCaller, bool fAvoidWinVerifyTrust,
388	bool *pfQuiet);
389	static void supR3HardenedWinRegisterDllNotificationCallback(void);
390	static void supR3HardenedWinReInstallHooks(bool fFirst);
391	DECLASM(void) supR3HardenedEarlyProcessInitThunk(void);
392
393
394	#if 0 /* unused */
395
396	/**
397	* Simple wide char search routine.
398	*
399	* @returns Pointer to the first location of @a wcNeedle in @a pwszHaystack.
400	* NULL if not found.
401	* @param pwszHaystack Pointer to the string that should be searched.
402	* @param wcNeedle The character to search for.
403	*/
404	static PRTUTF16 suplibHardenedWStrChr(PCRTUTF16 pwszHaystack, RTUTF16 wcNeedle)
405	{
406	for (;;)
407	{
408	RTUTF16 wcCur = *pwszHaystack;
409	if (wcCur == wcNeedle)
410	return (PRTUTF16)pwszHaystack;
411	if (wcCur == '\0')
412	return NULL;
413	pwszHaystack++;
414	}
415	}
416
417
418	/**
419	* Simple wide char string length routine.
420	*
421	* @returns The number of characters in the given string. (Excludes the
422	* terminator.)
423	* @param pwsz The string.
424	*/
425	static size_t suplibHardenedWStrLen(PCRTUTF16 pwsz)
426	{
427	PCRTUTF16 pwszCur = pwsz;
428	while (*pwszCur != '\0')
429	pwszCur++;
430	return pwszCur - pwsz;
431	}
432
433	#endif /* unused */
434
435
436	/**
437	* Our version of GetTickCount.
438	* @returns Millisecond timestamp.
439	*/
440	static uint64_t supR3HardenedWinGetMilliTS(void)
441	{
442	PKUSER_SHARED_DATA pUserSharedData = (PKUSER_SHARED_DATA)(uintptr_t)0x7ffe0000;
443
444	/* use interrupt time */
445	LARGE_INTEGER Time;
446	do
447	{
448	Time.HighPart = pUserSharedData->InterruptTime.High1Time;
449	Time.LowPart = pUserSharedData->InterruptTime.LowPart;
450	} while (pUserSharedData->InterruptTime.High2Time != Time.HighPart);
451
452	return (uint64_t)Time.QuadPart / 10000;
453	}
454
455
456
457	/**
458	* Wrapper around LoadLibraryEx that deals with the UTF-8 to UTF-16 conversion
459	* and supplies the right flags.
460	*
461	* @returns Module handle on success, NULL on failure.
462	* @param pszName The full path to the DLL.
463	* @param fSystem32Only Whether to only look for imports in the system32
464	* directory. If set to false, the application
465	* directory is also searched.
466	* @param fMainFlags The main flags (giving the location), if the DLL
467	* being loaded is loaded from the app bin
468	* directory and import other DLLs from there. Pass
469	* 0 (= SUPSECMAIN_FLAGS_LOC_APP_BIN) if not
470	* applicable. Ignored if @a fSystem32Only is set.
471	*
472	* This is only needed to load VBoxRT.dll when
473	* executing a testcase from the testcase/ subdir.
474	*/
475	DECLHIDDEN(void ) supR3HardenedWinLoadLibrary(const char pszName, bool fSystem32Only, uint32_t fMainFlags)
476	{
477	WCHAR wszPath[RTPATH_MAX];
478	PRTUTF16 pwszPath = wszPath;
479	int rc = RTStrToUtf16Ex(pszName, RTSTR_MAX, &pwszPath, RT_ELEMENTS(wszPath), NULL);
480	if (RT_SUCCESS(rc))
481	{
482	while (*pwszPath)
483	{
484	if (*pwszPath == '/')
485	*pwszPath = '\\';
486	pwszPath++;
487	}
488
489	DWORD fFlags = 0;
490	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))
491	{
492	fFlags \|= LOAD_LIBRARY_SEARCH_SYSTEM32;
493	if (!fSystem32Only)
494	{
495	fFlags \|= LOAD_LIBRARY_SEARCH_APPLICATION_DIR;
496	if (g_fSupLibHardenedDllSearchUserDirs)
497	fFlags \|= LOAD_LIBRARY_SEARCH_USER_DIRS;
498	if ((fMainFlags & SUPSECMAIN_FLAGS_LOC_MASK) != SUPSECMAIN_FLAGS_LOC_APP_BIN)
499	fFlags \|= LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
500	}
501	}
502
503	void pvRet = (void )LoadLibraryExW(wszPath, NULL /hFile/, fFlags);
504
505	/* Vista, W7, W2K8R might not work without KB2533623, so retry with no flags. */
506	if ( !pvRet
507	&& fFlags
508	&& g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)
509	&& RtlGetLastWin32Error() == ERROR_INVALID_PARAMETER)
510	pvRet = (void )LoadLibraryExW(wszPath, NULL /hFile*/, 0);
511
512	return pvRet;
513	}
514	supR3HardenedFatal("RTStrToUtf16Ex failed on '%s': %Rrc", pszName, rc);
515	/* not reached */
516	}
517
518
519	/**
520	* Gets the internal index number of the file.
521	*
522	* @returns True if we got an index number, false if not.
523	* @param hFile The file in question.
524	* @param pIndexNumber where to return the index number.
525	*/
526	static bool supR3HardenedWinVerifyCacheGetIndexNumber(HANDLE hFile, PLARGE_INTEGER pIndexNumber)
527	{
528	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
529	NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, pIndexNumber, sizeof(*pIndexNumber), FileInternalInformation);
530	if (NT_SUCCESS(rcNt))
531	rcNt = Ios.Status;
532	#ifdef DEBUG_bird
533	if (!NT_SUCCESS(rcNt))
534	__debugbreak();
535	#endif
536	return NT_SUCCESS(rcNt) && pIndexNumber->QuadPart != 0;
537	}
538
539
540	/**
541	* Calculates the hash value for the given UTF-16 path string.
542	*
543	* @returns Hash value.
544	* @param pUniStr String to hash.
545	*/
546	static uint32_t supR3HardenedWinVerifyCacheHashPath(PCUNICODE_STRING pUniStr)
547	{
548	uint32_t uHash = 0;
549	unsigned cwcLeft = pUniStr->Length / sizeof(WCHAR);
550	PRTUTF16 pwc = pUniStr->Buffer;
551
552	while (cwcLeft-- > 0)
553	{
554	RTUTF16 wc = *pwc++;
555	if (wc < 0x80)
556	wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';
557	uHash = wc + (uHash << 6) + (uHash << 16) - uHash;
558	}
559	return uHash;
560	}
561
562
563	/**
564	* Calculates the hash value for a directory + filename combo as if they were
565	* one single string.
566	*
567	* @returns Hash value.
568	* @param pawcDir The directory name.
569	* @param cwcDir The length of the directory name. RTSTR_MAX if
570	* not available.
571	* @param pszName The import name (UTF-8).
572	*/
573	static uint32_t supR3HardenedWinVerifyCacheHashDirAndFile(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)
574	{
575	uint32_t uHash = 0;
576	while (cwcDir-- > 0)
577	{
578	RTUTF16 wc = *pawcDir++;
579	if (wc < 0x80)
580	wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';
581	uHash = wc + (uHash << 6) + (uHash << 16) - uHash;
582	}
583
584	unsigned char ch = '\\';
585	uHash = ch + (uHash << 6) + (uHash << 16) - uHash;
586
587	while ((ch = *pszName++) != '\0')
588	{
589	ch = RT_C_TO_LOWER(ch);
590	uHash = ch + (uHash << 6) + (uHash << 16) - uHash;
591	}
592
593	return uHash;
594	}
595
596
597	/**
598	* Verify string cache compare function.
599	*
600	* @returns true if the strings match, false if not.
601	* @param pawcLeft The left hand string.
602	* @param pawcRight The right hand string.
603	* @param cwcToCompare The number of chars to compare.
604	*/
605	static bool supR3HardenedWinVerifyCacheIsMatch(PCRTUTF16 pawcLeft, PCRTUTF16 pawcRight, uint32_t cwcToCompare)
606	{
607	/* Try a quick memory compare first. */
608	if (memcmp(pawcLeft, pawcRight, cwcToCompare * sizeof(RTUTF16)) == 0)
609	return true;
610
611	/* Slow char by char compare. */
612	while (cwcToCompare-- > 0)
613	{
614	RTUTF16 wcLeft = *pawcLeft++;
615	RTUTF16 wcRight = *pawcRight++;
616	if (wcLeft != wcRight)
617	{
618	wcLeft = wcLeft != '/' ? RT_C_TO_LOWER(wcLeft) : '\\';
619	wcRight = wcRight != '/' ? RT_C_TO_LOWER(wcRight) : '\\';
620	if (wcLeft != wcRight)
621	return false;
622	}
623	}
624
625	return true;
626	}
627
628
629
630	/**
631	* Inserts the given verifier result into the cache.
632	*
633	* @param pUniStr The full path of the image.
634	* @param hFile The file handle - must either be entered into
635	* the cache or closed.
636	* @param rc The verifier result.
637	* @param fWinVerifyTrust Whether verified by WinVerifyTrust or not.
638	* @param fFlags The image verification flags.
639	*/
640	static void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,
641	bool fWinVerifyTrust, uint32_t fFlags)
642	{
643	/*
644	* Allocate and initalize a new entry.
645	*/
646	PVERIFIERCACHEENTRY pEntry = (PVERIFIERCACHEENTRY)RTMemAllocZ(sizeof(VERIFIERCACHEENTRY) + pUniStr->Length);
647	if (pEntry)
648	{
649	pEntry->pNext = NULL;
650	pEntry->pNextTodoWvt = NULL;
651	pEntry->hFile = hFile;
652	pEntry->uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);
653	pEntry->rc = rc;
654	pEntry->fFlags = fFlags;
655	pEntry->cHits = 0;
656	pEntry->fWinVerifyTrust = fWinVerifyTrust;
657	pEntry->cbPath = pUniStr->Length;
658	memcpy(pEntry->wszPath, pUniStr->Buffer, pUniStr->Length);
659	pEntry->wszPath[pUniStr->Length / sizeof(WCHAR)] = '\0';
660	pEntry->fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &pEntry->IndexNumber);
661
662	/*
663	* Try insert it, careful with concurrent code as well as potential duplicates.
664	*/
665	uint32_t iHashTab = pEntry->uHash % RT_ELEMENTS(g_apVerifierCache);
666	VERIFIERCACHEENTRY * volatile *ppEntry = &g_apVerifierCache[iHashTab];
667	for (;;)
668	{
669	if (ASMAtomicCmpXchgPtr(ppEntry, pEntry, NULL))
670	{
671	if (!fWinVerifyTrust)
672	do
673	pEntry->pNextTodoWvt = g_pVerifierCacheTodoWvt;
674	while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pEntry, pEntry->pNextTodoWvt));
675
676	SUP_DPRINTF(("supR3HardenedWinVerifyCacheInsert: %ls\n", pUniStr->Buffer));
677	return;
678	}
679
680	PVERIFIERCACHEENTRY pOther = *ppEntry;
681	if (!pOther)
682	continue;
683	if ( pOther->uHash == pEntry->uHash
684	&& pOther->cbPath == pEntry->cbPath
685	&& supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath / sizeof(RTUTF16)))
686	break;
687	ppEntry = &pOther->pNext;
688	}
689
690	/* Duplicate entry (may happen due to races). */
691	RTMemFree(pEntry);
692	}
693	NtClose(hFile);
694	}
695
696
697	/**
698	* Looks up an entry in the verifier hash table.
699	*
700	* @return Pointer to the entry on if found, NULL if not.
701	* @param pUniStr The full path of the image.
702	* @param hFile The file handle.
703	*/
704	static PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookup(PCUNICODE_STRING pUniStr, HANDLE hFile)
705	{
706	PRTUTF16 const pwszPath = pUniStr->Buffer;
707	uint16_t const cbPath = pUniStr->Length;
708	uint32_t uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);
709	uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);
710	PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];
711	while (pCur)
712	{
713	if ( pCur->uHash == uHash
714	&& pCur->cbPath == cbPath
715	&& supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pwszPath, cbPath / sizeof(RTUTF16)))
716	{
717
718	if (!pCur->fIndexNumberValid)
719	return pCur;
720	LARGE_INTEGER IndexNumber;
721	bool fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &IndexNumber);
722	if ( fIndexNumberValid
723	&& IndexNumber.QuadPart == pCur->IndexNumber.QuadPart)
724	return pCur;
725	#ifdef DEBUG_bird
726	__debugbreak();
727	#endif
728	}
729	pCur = pCur->pNext;
730	}
731	return NULL;
732	}
733
734
735	/**
736	* Looks up an import DLL in the verifier hash table.
737	*
738	* @return Pointer to the entry on if found, NULL if not.
739	* @param pawcDir The directory name.
740	* @param cwcDir The length of the directory name.
741	* @param pszName The import name (UTF-8).
742	*/
743	static PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookupImport(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)
744	{
745	uint32_t uHash = supR3HardenedWinVerifyCacheHashDirAndFile(pawcDir, cwcDir, pszName);
746	uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);
747	uint32_t const cbPath = (uint32_t)((cwcDir + 1 + strlen(pszName)) * sizeof(RTUTF16));
748	PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];
749	while (pCur)
750	{
751	if ( pCur->uHash == uHash
752	&& pCur->cbPath == cbPath)
753	{
754	if (supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pawcDir, cwcDir))
755	{
756	if (pCur->wszPath[cwcDir] == '\\' \|\| pCur->wszPath[cwcDir] == '/')
757	{
758	if (RTUtf16ICmpAscii(&pCur->wszPath[cwcDir + 1], pszName))
759	{
760	return pCur;
761	}
762	}
763	}
764	}
765
766	pCur = pCur->pNext;
767	}
768	return NULL;
769	}
770
771
772	/**
773	* Schedules the import DLLs for verification and entry into the cache.
774	*
775	* @param hLdrMod The loader module which imports should be
776	* scheduled for verification.
777	* @param pwszName The full NT path of the module.
778	*/
779	DECLHIDDEN(void) supR3HardenedWinVerifyCacheScheduleImports(RTLDRMOD hLdrMod, PCRTUTF16 pwszName)
780	{
781	/*
782	* Any imports?
783	*/
784	uint32_t cImports;
785	int rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_COUNT, NULL /pvBits/, &cImports, sizeof(cImports), NULL);
786	if (RT_SUCCESS(rc))
787	{
788	if (cImports)
789	{
790	/*
791	* Figure out the DLL directory from pwszName.
792	*/
793	PCRTUTF16 pawcDir = pwszName;
794	uint32_t cwcDir = 0;
795	uint32_t i = 0;
796	RTUTF16 wc;
797	while ((wc = pawcDir[i++]) != '\0')
798	if ((wc == '\\' \|\| wc == '/' \|\| wc == ':') && cwcDir + 2 != i)
799	cwcDir = i - 1;
800	if ( g_System32NtPath.UniStr.Length / sizeof(WCHAR) == cwcDir
801	&& supR3HardenedWinVerifyCacheIsMatch(pawcDir, g_System32NtPath.UniStr.Buffer, cwcDir))
802	pawcDir = NULL;
803
804	/*
805	* Enumerate the imports.
806	*/
807	for (i = 0; i < cImports; i++)
808	{
809	union
810	{
811	char szName[256];
812	uint32_t iImport;
813	} uBuf;
814	uBuf.iImport = i;
815	rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_MODULE, NULL /pvBits/, &uBuf, sizeof(uBuf), NULL);
816	if (RT_SUCCESS(rc))
817	{
818	/*
819	* Skip kernel32, ntdll and API set stuff.
820	*/
821	RTStrToLower(uBuf.szName);
822	if ( RTStrCmp(uBuf.szName, "kernel32.dll") == 0
823	\|\| RTStrCmp(uBuf.szName, "kernelbase.dll") == 0
824	\|\| RTStrCmp(uBuf.szName, "ntdll.dll") == 0
825	\|\| RTStrNCmp(uBuf.szName, RT_STR_TUPLE("api-ms-win-")) == 0
826	\|\| RTStrNCmp(uBuf.szName, RT_STR_TUPLE("ext-ms-win-")) == 0
827	)
828	{
829	continue;
830	}
831
832	/*
833	* Skip to the next one if it's already in the cache.
834	*/
835	if (supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,
836	g_System32NtPath.UniStr.Length / sizeof(WCHAR),
837	uBuf.szName) != NULL)
838	{
839	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for system32\n", uBuf.szName));
840	continue;
841	}
842	if (supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedAppBinNtPath.UniStr.Buffer,
843	g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(CHAR),
844	uBuf.szName) != NULL)
845	{
846	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for appdir\n", uBuf.szName));
847	continue;
848	}
849	if (pawcDir && supR3HardenedWinVerifyCacheLookupImport(pawcDir, cwcDir, uBuf.szName) != NULL)
850	{
851	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for dll dir\n", uBuf.szName));
852	continue;
853	}
854
855	/* We could skip already scheduled modules, but that'll require serialization and extra work... */
856
857	/*
858	* Add it to the todo list.
859	*/
860	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: Import todo: #%u '%s'.\n", i, uBuf.szName));
861	uint32_t cbName = (uint32_t)strlen(uBuf.szName) + 1;
862	uint32_t cbNameAligned = RT_ALIGN_32(cbName, sizeof(RTUTF16));
863	uint32_t cbNeeded = RT_OFFSETOF(VERIFIERCACHEIMPORT, szName[cbNameAligned])
864	+ (pawcDir ? (cwcDir + 1) * sizeof(RTUTF16) : 0);
865	PVERIFIERCACHEIMPORT pImport = (PVERIFIERCACHEIMPORT)RTMemAllocZ(cbNeeded);
866	if (pImport)
867	{
868	/* Init it. */
869	memcpy(pImport->szName, uBuf.szName, cbName);
870	if (!pawcDir)
871	{
872	pImport->cwcAltSearchDir = 0;
873	pImport->pwszAltSearchDir = NULL;
874	}
875	else
876	{
877	pImport->cwcAltSearchDir = cwcDir;
878	pImport->pwszAltSearchDir = (PRTUTF16)&pImport->szName[cbNameAligned];
879	memcpy(pImport->pwszAltSearchDir, pawcDir, cwcDir * sizeof(RTUTF16));
880	pImport->pwszAltSearchDir[cwcDir] = '\0';
881	}
882
883	/* Insert it. */
884	do
885	pImport->pNext = g_pVerifierCacheTodoImports;
886	while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoImports, pImport, pImport->pNext));
887	}
888	}
889	else
890	SUP_DPRINTF(("RTLDRPROP_IMPORT_MODULE failed with rc=%Rrc i=%#x on '%ls'\n", rc, i, pwszName));
891	}
892	}
893	else
894	SUP_DPRINTF(("'%ls' has no imports\n", pwszName));
895	}
896	else
897	SUP_DPRINTF(("RTLDRPROP_IMPORT_COUNT failed with rc=%Rrc on '%ls'\n", rc, pwszName));
898	}
899
900
901	/**
902	* Processes the list of import todos.
903	*/
904	static void supR3HardenedWinVerifyCacheProcessImportTodos(void)
905	{
906	/*
907	* Work until we've got nothing more todo.
908	*/
909	for (;;)
910	{
911	PVERIFIERCACHEIMPORT pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoImports, NULL, PVERIFIERCACHEIMPORT);
912	if (!pTodo)
913	break;
914	do
915	{
916	PVERIFIERCACHEIMPORT pCur = pTodo;
917	pTodo = pTodo->pNext;
918
919	/*
920	* Not in the cached already?
921	*/
922	if ( !supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,
923	g_System32NtPath.UniStr.Length / sizeof(WCHAR),
924	pCur->szName)
925	&& !supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedAppBinNtPath.UniStr.Buffer,
926	g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(WCHAR),
927	pCur->szName)
928	&& ( pCur->cwcAltSearchDir == 0
929	\|\| !supR3HardenedWinVerifyCacheLookupImport(pCur->pwszAltSearchDir, pCur->cwcAltSearchDir, pCur->szName)) )
930	{
931	/*
932	* Try locate the imported DLL and open it.
933	*/
934	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Processing '%s'...\n", pCur->szName));
935
936	NTSTATUS rcNt;
937	NTSTATUS rcNtRedir = 0x22222222;
938	HANDLE hFile = INVALID_HANDLE_VALUE;
939	RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. */
940	AssertCompile(sizeof(wszPath) > sizeof(g_System32NtPath));
941
942	/*
943	* Check for DLL isolation / redirection / mapping.
944	*/
945	size_t cwcName = 260;
946	PRTUTF16 pwszName = &wszPath[0];
947	int rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);
948	if (RT_SUCCESS(rc))
949	{
950	UNICODE_STRING UniStrName;
951	UniStrName.Buffer = wszPath;
952	UniStrName.Length = (USHORT)cwcName * sizeof(WCHAR);
953	UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
954
955	UNICODE_STRING UniStrStatic;
956	UniStrStatic.Buffer = &wszPath[cwcName + 1];
957	UniStrStatic.Length = 0;
958	UniStrStatic.MaximumLength = (USHORT)(sizeof(wszPath) - cwcName * sizeof(WCHAR) - sizeof(WCHAR));
959
960	static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");
961	UNICODE_STRING UniStrDynamic = { 0, 0, NULL };
962	PUNICODE_STRING pUniStrResult = NULL;
963
964	rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /fFlags/,
965	&UniStrName,
966	(PUNICODE_STRING)&s_DefaultSuffix,
967	&UniStrStatic,
968	&UniStrDynamic,
969	&pUniStrResult,
970	NULL /pNewFlags/,
971	NULL /pcbFilename/,
972	NULL /pcbNeeded/);
973	if (NT_SUCCESS(rcNtRedir))
974	{
975	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
976	OBJECT_ATTRIBUTES ObjAttr;
977	InitializeObjectAttributes(&ObjAttr, pUniStrResult,
978	OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
979	rcNt = NtCreateFile(&hFile,
980	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
981	&ObjAttr,
982	&Ios,
983	NULL /* Allocation Size*/,
984	FILE_ATTRIBUTE_NORMAL,
985	FILE_SHARE_READ,
986	FILE_OPEN,
987	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
988	NULL /EaBuffer/,
989	0 /EaLength/);
990	if (NT_SUCCESS(rcNt))
991	rcNt = Ios.Status;
992	if (NT_SUCCESS(rcNt))
993	{
994	/* For accurate logging. */
995	size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1);
996	memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16));
997	wszPath[cwcCopy] = '\0';
998	}
999	else
1000	hFile = INVALID_HANDLE_VALUE;
1001	RtlFreeUnicodeString(&UniStrDynamic);
1002	}
1003	}
1004	else
1005	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #1 failed: %Rrc\n", rc));
1006
1007	/*
1008	* If not something that gets remapped, do the half normal searching we need.
1009	*/
1010	if (hFile == INVALID_HANDLE_VALUE)
1011	{
1012	struct
1013	{
1014	PRTUTF16 pawcDir;
1015	uint32_t cwcDir;
1016	} Tmp, aDirs[] =
1017	{
1018	{ g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR) },
1019	{ g_SupLibHardenedExeNtPath.UniStr.Buffer, g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(WCHAR) },
1020	{ pCur->pwszAltSearchDir, pCur->cwcAltSearchDir },
1021	};
1022
1023	/* Search System32 first, unless it's a 'V' or 'm' name, the latter for msvcrt. */
1024	if ( pCur->szName[0] == 'v'
1025	\|\| pCur->szName[0] == 'V'
1026	\|\| pCur->szName[0] == 'm'
1027	\|\| pCur->szName[0] == 'M')
1028	{
1029	Tmp = aDirs[0];
1030	aDirs[0] = aDirs[1];
1031	aDirs[1] = Tmp;
1032	}
1033
1034	for (uint32_t i = 0; i < RT_ELEMENTS(aDirs); i++)
1035	{
1036	if (aDirs[i].pawcDir && aDirs[i].cwcDir && aDirs[i].cwcDir < RT_ELEMENTS(wszPath) / 3 * 2)
1037	{
1038	memcpy(wszPath, aDirs[i].pawcDir, aDirs[i].cwcDir * sizeof(RTUTF16));
1039	uint32_t cwc = aDirs[i].cwcDir;
1040	wszPath[cwc++] = '\\';
1041	cwcName = RT_ELEMENTS(wszPath) - cwc;
1042	pwszName = &wszPath[cwc];
1043	rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);
1044	if (RT_SUCCESS(rc))
1045	{
1046	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1047	UNICODE_STRING NtName;
1048	NtName.Buffer = wszPath;
1049	NtName.Length = (USHORT)((cwc + cwcName) * sizeof(WCHAR));
1050	NtName.MaximumLength = NtName.Length + sizeof(WCHAR);
1051	OBJECT_ATTRIBUTES ObjAttr;
1052	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1053
1054	rcNt = NtCreateFile(&hFile,
1055	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1056	&ObjAttr,
1057	&Ios,
1058	NULL /* Allocation Size*/,
1059	FILE_ATTRIBUTE_NORMAL,
1060	FILE_SHARE_READ,
1061	FILE_OPEN,
1062	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
1063	NULL /EaBuffer/,
1064	0 /EaLength/);
1065	if (NT_SUCCESS(rcNt))
1066	rcNt = Ios.Status;
1067	if (NT_SUCCESS(rcNt))
1068	break;
1069	hFile = INVALID_HANDLE_VALUE;
1070	}
1071	else
1072	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #2 failed: %Rrc\n", rc));
1073	}
1074	}
1075	}
1076
1077	/*
1078	* If we successfully opened it, verify it and cache the result.
1079	*/
1080	if (hFile != INVALID_HANDLE_VALUE)
1081	{
1082	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n",
1083	pCur->szName, wszPath, rcNtRedir));
1084
1085	ULONG fAccess = 0;
1086	ULONG fProtect = 0;
1087	bool fCallRealApi = false;
1088	rcNt = supR3HardenedScreenImage(hFile, true /fImage/, false /fIgnoreArch/, &fAccess, &fProtect,
1089	&fCallRealApi, "Imports", false /fAvoidWinVerifyTrust/, NULL /pfQuiet/);
1090	NtClose(hFile);
1091	}
1092	else
1093	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Failed to locate '%s'\n", pCur->szName));
1094	}
1095	else
1096	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' is in the cache.\n", pCur->szName));
1097
1098	RTMemFree(pCur);
1099	} while (pTodo);
1100	}
1101	}
1102
1103
1104	/**
1105	* Processes the list of WinVerifyTrust todos.
1106	*/
1107	static void supR3HardenedWinVerifyCacheProcessWvtTodos(void)
1108	{
1109	PVERIFIERCACHEENTRY pReschedule = NULL;
1110	PVERIFIERCACHEENTRY volatile *ppReschedLastNext = NULL;
1111
1112	/*
1113	* Work until we've got nothing more todo.
1114	*/
1115	for (;;)
1116	{
1117	if (!supHardenedWinIsWinVerifyTrustCallable())
1118	break;
1119	PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);
1120	if (!pTodo)
1121	break;
1122	do
1123	{
1124	PVERIFIERCACHEENTRY pCur = pTodo;
1125	pTodo = pTodo->pNextTodoWvt;
1126	pCur->pNextTodoWvt = NULL;
1127
1128	if ( !pCur->fWinVerifyTrust
1129	&& RT_SUCCESS(pCur->rc))
1130	{
1131	bool fWinVerifyTrust = false;
1132	int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,
1133	&fWinVerifyTrust, NULL /* pErrInfo*/);
1134	if (RT_FAILURE(rc) \|\| fWinVerifyTrust)
1135	{
1136	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
1137	rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
1138	pCur->fWinVerifyTrust = true;
1139	pCur->rc = rc;
1140	}
1141	else
1142	{
1143	/* Retry it at a later time. */
1144	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",
1145	rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
1146	if (!pReschedule)
1147	ppReschedLastNext = &pCur->pNextTodoWvt;
1148	pCur->pNextTodoWvt = pReschedule;
1149	}
1150	}
1151	/* else: already processed. */
1152	} while (pTodo);
1153	}
1154
1155	/*
1156	* Anything to reschedule.
1157	*/
1158	if (pReschedule)
1159	{
1160	do
1161	*ppReschedLastNext = g_pVerifierCacheTodoWvt;
1162	while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));
1163	}
1164	}
1165
1166
1167	/**
1168	* Translates VBox status code (from supHardenedWinVerifyImageTrust) to an NT
1169	* status.
1170	*
1171	* @returns NT status.
1172	* @param rc VBox status code.
1173	*/
1174	static NTSTATUS supR3HardenedScreenImageCalcStatus(int rc)
1175	{
1176	/* This seems to be what LdrLoadDll returns when loading a 32-bit DLL into
1177	a 64-bit process. At least here on windows 10 (2015-11-xx).
1178
1179	NtCreateSection probably returns something different, possibly a warning,
1180	we currently don't distinguish between the too, so we stick with the
1181	LdrLoadDll one as it's definitely an error.*/
1182	if (rc == VERR_LDR_ARCH_MISMATCH)
1183	return STATUS_INVALID_IMAGE_FORMAT;
1184
1185	return STATUS_TRUST_FAILURE;
1186	}
1187
1188
1189	/**
1190	* Screens an image file or file mapped with execute access.
1191	*
1192	* @returns NT status code.
1193	* @param hFile The file handle.
1194	* @param fImage Set if image file mapping being made
1195	* (NtCreateSection thing).
1196	* @param fIgnoreArch Using the DONT_RESOLVE_DLL_REFERENCES flag,
1197	* which also implies that DLL init / term code
1198	* isn't called, so the architecture should be
1199	* ignored.
1200	* @param pfAccess Pointer to the NtCreateSection access flags,
1201	* so we can modify them if necessary.
1202	* @param pfProtect Pointer to the NtCreateSection protection
1203	* flags, so we can modify them if necessary.
1204	* @param pfCallRealApi Whether it's ok to go on to the real API.
1205	* @param pszCaller Who is calling (for debugging / logging).
1206	* @param fAvoidWinVerifyTrust Whether we should avoid WinVerifyTrust.
1207	* @param pfQuiet Where to return whether to be quiet about
1208	* this image in the log (i.e. we've seen it
1209	* lots of times already). Optional.
1210	*/
1211	static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,
1212	bool pfCallRealApi, const char pszCaller, bool fAvoidWinVerifyTrust, bool *pfQuiet)
1213	{
1214	*pfCallRealApi = false;
1215	if (pfQuiet)
1216	*pfQuiet = false;
1217
1218	/*
1219	* Query the name of the file, making sure to zero terminator the
1220	* string. (2nd half of buffer is used for error info, see below.)
1221	*/
1222	union
1223	{
1224	UNICODE_STRING UniStr;
1225	uint8_t abBuffer[sizeof(UNICODE_STRING) + 2048 * sizeof(WCHAR)];
1226	} uBuf;
1227	RT_ZERO(uBuf);
1228	ULONG cbNameBuf;
1229	NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR) - 128, &cbNameBuf);
1230	if (!NT_SUCCESS(rcNt))
1231	{
1232	supR3HardenedError(VINF_SUCCESS, false,
1233	"supR3HardenedScreenImage/%s: NtQueryObject -> %#x (fImage=%d fProtect=%#x fAccess=%#x)\n",
1234	pszCaller, fImage, pfProtect, pfAccess);
1235	return rcNt;
1236	}
1237
1238	if (!RTNtPathFindPossible8dot3Name(uBuf.UniStr.Buffer))
1239	cbNameBuf += sizeof(WCHAR);
1240	else
1241	{
1242	uBuf.UniStr.MaximumLength = sizeof(uBuf) - 128;
1243	RTNtPathExpand8dot3Path(&uBuf.UniStr, true /fPathOnly/);
1244	cbNameBuf = (uintptr_t)uBuf.UniStr.Buffer + uBuf.UniStr.Length + sizeof(WCHAR) - (uintptr_t)&uBuf.abBuffer[0];
1245	}
1246
1247	/*
1248	* Check the cache.
1249	*/
1250	PVERIFIERCACHEENTRY pCacheHit = supR3HardenedWinVerifyCacheLookup(&uBuf.UniStr, hFile);
1251	if (pCacheHit)
1252	{
1253	/* Do hit accounting and figure whether we need to be quiet or not. */
1254	uint32_t cHits = ASMAtomicIncU32(&pCacheHit->cHits);
1255	bool const fQuiet = cHits >= 8 && !RT_IS_POWER_OF_TWO(cHits);
1256	if (pfQuiet)
1257	*pfQuiet = fQuiet;
1258
1259	/* If we haven't done the WinVerifyTrust thing, do it if we can. */
1260	if ( !pCacheHit->fWinVerifyTrust
1261	&& RT_SUCCESS(pCacheHit->rc)
1262	&& supHardenedWinIsWinVerifyTrustCallable() )
1263	{
1264	if (!fAvoidWinVerifyTrust)
1265	{
1266	SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [redoing WinVerifyTrust]\n",
1267	pszCaller, pCacheHit->rc, pCacheHit->wszPath));
1268
1269	bool fWinVerifyTrust = false;
1270	int rc = supHardenedWinVerifyImageTrust(pCacheHit->hFile, pCacheHit->wszPath, pCacheHit->fFlags, pCacheHit->rc,
1271	&fWinVerifyTrust, NULL /* pErrInfo*/);
1272	if (RT_FAILURE(rc) \|\| fWinVerifyTrust)
1273	{
1274	SUP_DPRINTF(("supR3HardenedScreenImage/%s: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
1275	pszCaller, rc, pCacheHit->rc, fWinVerifyTrust, pCacheHit->wszPath));
1276	pCacheHit->fWinVerifyTrust = true;
1277	pCacheHit->rc = rc;
1278	}
1279	else
1280	SUP_DPRINTF(("supR3HardenedScreenImage/%s: WinVerifyTrust not available, rescheduling %ls\n",
1281	pszCaller, pCacheHit->wszPath));
1282	}
1283	else
1284	SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [avoiding WinVerifyTrust]\n",
1285	pszCaller, pCacheHit->rc, pCacheHit->wszPath));
1286	}
1287	else if (!fQuiet \|\| !pCacheHit->fWinVerifyTrust)
1288	SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls%s\n",
1289	pszCaller, pCacheHit->rc, pCacheHit->wszPath, pCacheHit->fWinVerifyTrust ? "" : " [lacks WinVerifyTrust]"));
1290
1291	/* Return the cached value. */
1292	if (RT_SUCCESS(pCacheHit->rc))
1293	{
1294	*pfCallRealApi = true;
1295	return STATUS_SUCCESS;
1296	}
1297
1298	if (!fQuiet)
1299	supR3HardenedError(VINF_SUCCESS, false,
1300	"supR3HardenedScreenImage/%s: cached rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x cHits=%u %ls\n",
1301	pszCaller, pCacheHit->rc, fImage, pfProtect, pfAccess, cHits, uBuf.UniStr.Buffer);
1302	return supR3HardenedScreenImageCalcStatus(pCacheHit->rc);
1303	}
1304
1305	/*
1306	* On XP the loader might hand us handles with just FILE_EXECUTE and
1307	* SYNCHRONIZE, the means reading will fail later on. Also, we need
1308	* READ_CONTROL access to check the file ownership later on, and non
1309	* of the OS versions seems be giving us that. So, in effect we
1310	* more or less always reopen the file here.
1311	*/
1312	HANDLE hMyFile = NULL;
1313	rcNt = NtDuplicateObject(NtCurrentProcess(), hFile, NtCurrentProcess(),
1314	&hMyFile,
1315	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1316	0 /* Handle attributes/, 0 / Options */);
1317	if (!NT_SUCCESS(rcNt))
1318	{
1319	if (rcNt == STATUS_ACCESS_DENIED)
1320	{
1321	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1322	OBJECT_ATTRIBUTES ObjAttr;
1323	InitializeObjectAttributes(&ObjAttr, &uBuf.UniStr, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1324
1325	rcNt = NtCreateFile(&hMyFile,
1326	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1327	&ObjAttr,
1328	&Ios,
1329	NULL /* Allocation Size*/,
1330	FILE_ATTRIBUTE_NORMAL,
1331	FILE_SHARE_READ,
1332	FILE_OPEN,
1333	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
1334	NULL /EaBuffer/,
1335	0 /EaLength/);
1336	if (NT_SUCCESS(rcNt))
1337	rcNt = Ios.Status;
1338	if (!NT_SUCCESS(rcNt))
1339	{
1340	supR3HardenedError(VINF_SUCCESS, false,
1341	"supR3HardenedScreenImage/%s: Failed to duplicate and open the file: rcNt=%#x hFile=%p %ls\n",
1342	pszCaller, rcNt, hFile, uBuf.UniStr.Buffer);
1343	return rcNt;
1344	}
1345
1346	/* Check that we've got the same file. */
1347	LARGE_INTEGER idMyFile, idInFile;
1348	bool fMyValid = supR3HardenedWinVerifyCacheGetIndexNumber(hMyFile, &idMyFile);
1349	bool fInValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &idInFile);
1350	if ( fMyValid
1351	&& ( fMyValid != fInValid
1352	\|\| idMyFile.QuadPart != idInFile.QuadPart))
1353	{
1354	supR3HardenedError(VINF_SUCCESS, false,
1355	"supR3HardenedScreenImage/%s: Re-opened has different ID that input: %#llx vx %#llx (%ls)\n",
1356	pszCaller, rcNt, idMyFile.QuadPart, idInFile.QuadPart, uBuf.UniStr.Buffer);
1357	NtClose(hMyFile);
1358	return STATUS_TRUST_FAILURE;
1359	}
1360	}
1361	else
1362	{
1363	SUP_DPRINTF(("supR3HardenedScreenImage/%s: NtDuplicateObject -> %#x\n", pszCaller, rcNt));
1364	#ifdef DEBUG
1365
1366	supR3HardenedError(VINF_SUCCESS, false,
1367	"supR3HardenedScreenImage/%s: NtDuplicateObject(,%#x,) failed: %#x\n", pszCaller, hFile, rcNt);
1368	#endif
1369	hMyFile = hFile;
1370	}
1371	}
1372
1373	/*
1374	* Special Kludge for Windows XP and W2K3 and their stupid attempts
1375	* at mapping a hidden XML file called c:\Windows\WindowsShell.Manifest
1376	* with executable access. The image bit isn't set, fortunately.
1377	*/
1378	if ( !fImage
1379	&& uBuf.UniStr.Length > g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)
1380	&& memcmp(uBuf.UniStr.Buffer, g_System32NtPath.UniStr.Buffer,
1381	g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)) == 0)
1382	{
1383	PRTUTF16 pwszName = &uBuf.UniStr.Buffer[(g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)) / sizeof(WCHAR)];
1384	if (RTUtf16ICmpAscii(pwszName, "WindowsShell.Manifest") == 0)
1385	{
1386	/*
1387	* Drop all executable access to the mapping and let it continue.
1388	*/
1389	SUP_DPRINTF(("supR3HardenedScreenImage/%s: Applying the drop-exec-kludge for '%ls'\n", pszCaller, uBuf.UniStr.Buffer));
1390	if (*pfAccess & SECTION_MAP_EXECUTE)
1391	pfAccess = (pfAccess & ~SECTION_MAP_EXECUTE) \| SECTION_MAP_READ;
1392	if (*pfProtect & PAGE_EXECUTE)
1393	pfProtect = (pfProtect & ~PAGE_EXECUTE) \| PAGE_READONLY;
1394	pfProtect = (pfProtect & ~UINT32_C(0xf0)) \| ((*pfProtect & UINT32_C(0xe0)) >> 4);
1395	if (hMyFile != hFile)
1396	NtClose(hMyFile);
1397	*pfCallRealApi = true;
1398	return STATUS_SUCCESS;
1399	}
1400	}
1401
1402	#ifndef VBOX_PERMIT_EVEN_MORE
1403	/*
1404	* Check the path. We don't allow DLLs to be loaded from just anywhere:
1405	* 1. System32 - normal code or cat signing, owner TrustedInstaller.
1406	* 2. WinSxS - normal code or cat signing, owner TrustedInstaller.
1407	* 3. VirtualBox - kernel code signing and integrity checks.
1408	* 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller.
1409	* 5. Program Files - normal code or cat signing, owner TrustedInstaller.
1410	* 6. Common Files - normal code or cat signing, owner TrustedInstaller.
1411	* 7. x86 variations of 4 & 5 - ditto.
1412	*/
1413	uint32_t fFlags = 0;
1414	if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_System32NtPath.UniStr, true /fCheckSlash/))
1415	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1416	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /fCheckSlash/))
1417	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1418	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /fCheckSlash/))
1419	fFlags \|= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING \| SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
1420	# ifdef VBOX_PERMIT_MORE
1421	else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
1422	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1423	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /fCheckSlash/))
1424	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1425	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /fCheckSlash/))
1426	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1427	# ifdef RT_ARCH_AMD64
1428	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /fCheckSlash/))
1429	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1430	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /fCheckSlash/))
1431	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1432	# endif
1433	# endif
1434	# ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
1435	/* Hack to allow profiling our code with Visual Studio. */
1436	else if ( uBuf.UniStr.Length > sizeof(L"\\SamplingRuntime.dll")
1437	&& memcmp(uBuf.UniStr.Buffer + (uBuf.UniStr.Length - sizeof(L"\\SamplingRuntime.dll") + sizeof(WCHAR)) / sizeof(WCHAR),
1438	L"\\SamplingRuntime.dll", sizeof(L"\\SamplingRuntime.dll") - sizeof(WCHAR)) == 0 )
1439	{
1440	if (hMyFile != hFile)
1441	NtClose(hMyFile);
1442	*pfCallRealApi = true;
1443	return STATUS_SUCCESS;
1444	}
1445	# endif
1446	else
1447	{
1448	supR3HardenedError(VINF_SUCCESS, false,
1449	"supR3HardenedScreenImage/%s: Not a trusted location: '%ls' (fImage=%d fProtect=%#x fAccess=%#x)\n",
1450	pszCaller, uBuf.UniStr.Buffer, fImage, pfAccess, pfProtect);
1451	if (hMyFile != hFile)
1452	NtClose(hMyFile);
1453	return STATUS_TRUST_FAILURE;
1454	}
1455
1456	#else /* VBOX_PERMIT_EVEN_MORE */
1457	/*
1458	* Require trusted installer + some kind of signature on everything, except
1459	* for the VBox bits where we require kernel code signing and special
1460	* integrity checks.
1461	*/
1462	uint32_t fFlags = 0;
1463	if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /fCheckSlash/))
1464	fFlags \|= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING \| SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
1465	else
1466	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1467	#endif /* VBOX_PERMIT_EVEN_MORE */
1468
1469	/*
1470	* Do the verification. For better error message we borrow what's
1471	* left of the path buffer for an RTERRINFO buffer.
1472	*/
1473	if (fIgnoreArch)
1474	fFlags \|= SUPHNTVI_F_IGNORE_ARCHITECTURE;
1475	RTERRINFO ErrInfo;
1476	RTErrInfoInit(&ErrInfo, (char *)&uBuf.abBuffer[cbNameBuf], sizeof(uBuf) - cbNameBuf);
1477
1478	int rc;
1479	bool fWinVerifyTrust = false;
1480	rc = supHardenedWinVerifyImageByHandle(hMyFile, uBuf.UniStr.Buffer, fFlags, fAvoidWinVerifyTrust, &fWinVerifyTrust, &ErrInfo);
1481	if (RT_FAILURE(rc))
1482	{
1483	supR3HardenedError(VINF_SUCCESS, false,
1484	"supR3HardenedScreenImage/%s: rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x %ls: %s\n",
1485	pszCaller, rc, fImage, pfAccess, pfProtect, uBuf.UniStr.Buffer, ErrInfo.pszMsg);
1486	if (hMyFile != hFile)
1487	supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
1488	return supR3HardenedScreenImageCalcStatus(rc);
1489	}
1490
1491	/*
1492	* Insert into the cache.
1493	*/
1494	if (hMyFile != hFile)
1495	supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
1496
1497	*pfCallRealApi = true;
1498	return STATUS_SUCCESS;
1499	}
1500
1501
1502	/**
1503	* Preloads a file into the verify cache if possible.
1504	*
1505	* This is used to avoid known cyclic LoadLibrary issues with WinVerifyTrust.
1506	*
1507	* @param pwszName The name of the DLL to verify.
1508	*/
1509	DECLHIDDEN(void) supR3HardenedWinVerifyCachePreload(PCRTUTF16 pwszName)
1510	{
1511	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
1512	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1513
1514	UNICODE_STRING UniStr;
1515	UniStr.Buffer = (PWCHAR)pwszName;
1516	UniStr.Length = (USHORT)(RTUtf16Len(pwszName) * sizeof(WCHAR));
1517	UniStr.MaximumLength = UniStr.Length + sizeof(WCHAR);
1518
1519	OBJECT_ATTRIBUTES ObjAttr;
1520	InitializeObjectAttributes(&ObjAttr, &UniStr, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1521
1522	NTSTATUS rcNt = NtCreateFile(&hFile,
1523	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1524	&ObjAttr,
1525	&Ios,
1526	NULL /* Allocation Size*/,
1527	FILE_ATTRIBUTE_NORMAL,
1528	FILE_SHARE_READ,
1529	FILE_OPEN,
1530	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
1531	NULL /EaBuffer/,
1532	0 /EaLength/);
1533	if (NT_SUCCESS(rcNt))
1534	rcNt = Ios.Status;
1535	if (!NT_SUCCESS(rcNt))
1536	{
1537	SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: Error %#x opening '%ls'.\n", rcNt, pwszName));
1538	return;
1539	}
1540
1541	ULONG fAccess = 0;
1542	ULONG fProtect = 0;
1543	bool fCallRealApi;
1544	//SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: scanning %ls\n", pwszName));
1545	supR3HardenedScreenImage(hFile, false, false /fIgnoreArch/, &fAccess, &fProtect, &fCallRealApi, "preload",
1546	false /fAvoidWinVerifyTrust/, NULL /pfQuiet/);
1547	//SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: done %ls\n", pwszName));
1548
1549	NtClose(hFile);
1550	}
1551
1552
1553
1554	/**
1555	* Hook that monitors NtCreateSection calls.
1556	*
1557	* @returns NT status code.
1558	* @param phSection Where to return the section handle.
1559	* @param fAccess The desired access.
1560	* @param pObjAttribs The object attributes (optional).
1561	* @param pcbSection The section size (optional).
1562	* @param fProtect The max section protection.
1563	* @param fAttribs The section attributes.
1564	* @param hFile The file to create a section from (optional).
1565	*/
1566	static NTSTATUS NTAPI
1567	supR3HardenedMonitor_NtCreateSection(PHANDLE phSection, ACCESS_MASK fAccess, POBJECT_ATTRIBUTES pObjAttribs,
1568	PLARGE_INTEGER pcbSection, ULONG fProtect, ULONG fAttribs, HANDLE hFile)
1569	{
1570	bool fNeedUncChecking = false;
1571	if ( hFile != NULL
1572	&& hFile != INVALID_HANDLE_VALUE)
1573	{
1574	bool const fImage = RT_BOOL(fAttribs & (SEC_IMAGE \| SEC_PROTECTED_IMAGE));
1575	bool const fExecMap = RT_BOOL(fAccess & SECTION_MAP_EXECUTE);
1576	bool const fExecProt = RT_BOOL(fProtect & (PAGE_EXECUTE \| PAGE_EXECUTE_READ \| PAGE_EXECUTE_WRITECOPY
1577	\| PAGE_EXECUTE_READWRITE));
1578	if (fImage \|\| fExecMap \|\| fExecProt)
1579	{
1580	fNeedUncChecking = true;
1581	DWORD dwSavedLastError = RtlGetLastWin32Error();
1582
1583	bool fCallRealApi;
1584	//SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 1\n"));
1585	NTSTATUS rcNt = supR3HardenedScreenImage(hFile, fImage, true /fIgnoreArch/, &fAccess, &fProtect, &fCallRealApi,
1586	"NtCreateSection", true /fAvoidWinVerifyTrust/, NULL /pfQuiet/);
1587	//SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 2 rcNt=%#x fCallRealApi=%#x\n", rcNt, fCallRealApi));
1588
1589	RtlRestoreLastWin32Error(dwSavedLastError);
1590
1591	if (!NT_SUCCESS(rcNt))
1592	return rcNt;
1593	Assert(fCallRealApi);
1594	if (!fCallRealApi)
1595	return STATUS_TRUST_FAILURE;
1596
1597	}
1598	}
1599
1600	/*
1601	* Call checked out OK, call the original.
1602	*/
1603	NTSTATUS rcNtReal = g_pfnNtCreateSectionReal(phSection, fAccess, pObjAttribs, pcbSection, fProtect, fAttribs, hFile);
1604
1605	/*
1606	* Check that the image that got mapped bear some resemblance to the one that was
1607	* requested. Apparently there are ways to trick the NT cache manager to map a
1608	* file different from hFile into memory using local UNC accesses.
1609	*/
1610	if ( NT_SUCCESS(rcNtReal)
1611	&& fNeedUncChecking)
1612	{
1613	DWORD dwSavedLastError = RtlGetLastWin32Error();
1614
1615	bool fOkay = false;
1616
1617	/* To get the name of the file backing the section, we unfortunately have to map it. */
1618	SIZE_T cbView = 0;
1619	PVOID pvTmpMap = NULL;
1620	NTSTATUS rcNt = NtMapViewOfSection(phSection, NtCurrentProcess(), &pvTmpMap, 0, 0, NULL /poffSection*/, &cbView,
1621	ViewUnmap, MEM_TOP_DOWN, PAGE_EXECUTE);
1622	if (NT_SUCCESS(rcNt))
1623	{
1624	/* Query the name. */
1625	union
1626	{
1627	UNICODE_STRING UniStr;
1628	RTUTF16 awcBuf[512];
1629	} uBuf;
1630	RT_ZERO(uBuf);
1631	SIZE_T cbActual = 0;
1632	NTSTATUS rcNtQuery = NtQueryVirtualMemory(NtCurrentProcess(), pvTmpMap, MemorySectionName,
1633	&uBuf, sizeof(uBuf) - sizeof(RTUTF16), &cbActual);
1634
1635	/* Unmap the view. */
1636	rcNt = NtUnmapViewOfSection(NtCurrentProcess(), pvTmpMap);
1637	if (!NT_SUCCESS(rcNt))
1638	SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtUnmapViewOfSection failed on %p (hSection=%p, hFile=%p) with %#x!\n",
1639	pvTmpMap, *phSection, hFile, rcNt));
1640
1641	/* Process the name query result. */
1642	if (NT_SUCCESS(rcNtQuery))
1643	{
1644	static UNICODE_STRING const s_UncPrefix = RTNT_CONSTANT_UNISTR(L"\\Device\\Mup");
1645	if (!supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &s_UncPrefix, true /fCheckSlash/))
1646	fOkay = true;
1647	else
1648	supR3HardenedError(VINF_SUCCESS, false,
1649	"supR3HardenedMonitor_NtCreateSection: Image section with UNC path is not trusted: '%.*ls'\n",
1650	uBuf.UniStr.Length / sizeof(RTUTF16), uBuf.UniStr.Buffer);
1651	}
1652	else
1653	SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtQueryVirtualMemory failed on %p (hFile=%p) with %#x -> STATUS_TRUST_FAILURE\n",
1654	*phSection, hFile, rcNt));
1655	}
1656	else
1657	SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtMapViewOfSection failed on %p (hFile=%p) with %#x -> STATUS_TRUST_FAILURE\n",
1658	*phSection, hFile, rcNt));
1659	if (!fOkay)
1660	{
1661	NtClose(*phSection);
1662	*phSection = INVALID_HANDLE_VALUE;
1663	RtlRestoreLastWin32Error(dwSavedLastError);
1664	return STATUS_TRUST_FAILURE;
1665	}
1666
1667	RtlRestoreLastWin32Error(dwSavedLastError);
1668	}
1669	return rcNtReal;
1670	}
1671
1672
1673	/**
1674	* Checks if the given name is a valid ApiSet name.
1675	*
1676	* This is only called on likely looking names.
1677	*
1678	* @returns true if ApiSet name, false if not.
1679	* @param pName The name to check out.
1680	*/
1681	static bool supR3HardenedIsApiSetDll(PUNICODE_STRING pName)
1682	{
1683	/*
1684	* API added in Windows 8, or so they say.
1685	*/
1686	if (ApiSetQueryApiSetPresence != NULL)
1687	{
1688	BOOLEAN fPresent = FALSE;
1689	NTSTATUS rcNt = ApiSetQueryApiSetPresence(pName, &fPresent);
1690	SUP_DPRINTF(("supR3HardenedIsApiSetDll: ApiSetQueryApiSetPresence(%.*ls) -> %#x, fPresent=%d\n",
1691	pName->Length / sizeof(WCHAR), pName->Buffer, rcNt, fPresent));
1692	return fPresent != 0;
1693	}
1694
1695	/*
1696	* Fallback needed for Windows 7. Fortunately, there aren't too many fake DLLs here.
1697	*/
1698	if ( g_uNtVerCombined >= SUP_NT_VER_W70
1699	&& ( supHardViUtf16PathStartsWithEx(pName->Buffer, pName->Length / sizeof(WCHAR),
1700	L"api-ms-win-", 11, false /fCheckSlash/)
1701	\|\| supHardViUtf16PathStartsWithEx(pName->Buffer, pName->Length / sizeof(WCHAR),
1702	L"ext-ms-win-", 11, false /fCheckSlash/) ))
1703	{
1704	#define MY_ENTRY(a) { a, sizeof(a) - 1 }
1705	static const struct { const char *psz; size_t cch; } s_aKnownSets[] =
1706	{
1707	MY_ENTRY("api-ms-win-core-console-l1-1-0 "),
1708	MY_ENTRY("api-ms-win-core-datetime-l1-1-0"),
1709	MY_ENTRY("api-ms-win-core-debug-l1-1-0"),
1710	MY_ENTRY("api-ms-win-core-delayload-l1-1-0"),
1711	MY_ENTRY("api-ms-win-core-errorhandling-l1-1-0"),
1712	MY_ENTRY("api-ms-win-core-fibers-l1-1-0"),
1713	MY_ENTRY("api-ms-win-core-file-l1-1-0"),
1714	MY_ENTRY("api-ms-win-core-handle-l1-1-0"),
1715	MY_ENTRY("api-ms-win-core-heap-l1-1-0"),
1716	MY_ENTRY("api-ms-win-core-interlocked-l1-1-0"),
1717	MY_ENTRY("api-ms-win-core-io-l1-1-0"),
1718	MY_ENTRY("api-ms-win-core-libraryloader-l1-1-0"),
1719	MY_ENTRY("api-ms-win-core-localization-l1-1-0"),
1720	MY_ENTRY("api-ms-win-core-localregistry-l1-1-0"),
1721	MY_ENTRY("api-ms-win-core-memory-l1-1-0"),
1722	MY_ENTRY("api-ms-win-core-misc-l1-1-0"),
1723	MY_ENTRY("api-ms-win-core-namedpipe-l1-1-0"),
1724	MY_ENTRY("api-ms-win-core-processenvironment-l1-1-0"),
1725	MY_ENTRY("api-ms-win-core-processthreads-l1-1-0"),
1726	MY_ENTRY("api-ms-win-core-profile-l1-1-0"),
1727	MY_ENTRY("api-ms-win-core-rtlsupport-l1-1-0"),
1728	MY_ENTRY("api-ms-win-core-string-l1-1-0"),
1729	MY_ENTRY("api-ms-win-core-synch-l1-1-0"),
1730	MY_ENTRY("api-ms-win-core-sysinfo-l1-1-0"),
1731	MY_ENTRY("api-ms-win-core-threadpool-l1-1-0"),
1732	MY_ENTRY("api-ms-win-core-ums-l1-1-0"),
1733	MY_ENTRY("api-ms-win-core-util-l1-1-0"),
1734	MY_ENTRY("api-ms-win-core-xstate-l1-1-0"),
1735	MY_ENTRY("api-ms-win-security-base-l1-1-0"),
1736	MY_ENTRY("api-ms-win-security-lsalookup-l1-1-0"),
1737	MY_ENTRY("api-ms-win-security-sddl-l1-1-0"),
1738	MY_ENTRY("api-ms-win-service-core-l1-1-0"),
1739	MY_ENTRY("api-ms-win-service-management-l1-1-0"),
1740	MY_ENTRY("api-ms-win-service-management-l2-1-0"),
1741	MY_ENTRY("api-ms-win-service-winsvc-l1-1-0"),
1742	};
1743	#undef MY_ENTRY
1744
1745	/* drop the dll suffix if present. */
1746	PCRTUTF16 pawcName = pName->Buffer;
1747	size_t cwcName = pName->Length / sizeof(WCHAR);
1748	if ( cwcName > 5
1749	&& (pawcName[cwcName - 1] == 'l' \|\| pawcName[cwcName - 1] == 'L')
1750	&& (pawcName[cwcName - 2] == 'l' \|\| pawcName[cwcName - 2] == 'L')
1751	&& (pawcName[cwcName - 3] == 'd' \|\| pawcName[cwcName - 3] == 'D')
1752	&& pawcName[cwcName - 4] == '.')
1753	cwcName -= 4;
1754
1755	/* Search the table. */
1756	for (size_t i = 0; i < RT_ELEMENTS(s_aKnownSets); i++)
1757	if ( cwcName == s_aKnownSets[i].cch
1758	&& RTUtf16NICmpAscii(pawcName, s_aKnownSets[i].psz, cwcName) == 0)
1759	{
1760	SUP_DPRINTF(("supR3HardenedIsApiSetDll: '%.*ls' -> true\n", pName->Length / sizeof(WCHAR)));
1761	return true;
1762	}
1763
1764	SUP_DPRINTF(("supR3HardenedIsApiSetDll: Warning! '%.*ls' looks like an API set, but it's not in the list!\n",
1765	pName->Length / sizeof(WCHAR), pName->Buffer));
1766	}
1767
1768	SUP_DPRINTF(("supR3HardenedIsApiSetDll: '%.*ls' -> false\n", pName->Length / sizeof(WCHAR)));
1769	return false;
1770	}
1771
1772
1773	/**
1774	* Checks whether the given unicode string contains a path separator and at
1775	* least one dash.
1776	*
1777	* This is used to check for likely ApiSet name. So far, all the pseudo DLL
1778	* names include multiple dashes, so we use that as a criteria for recognizing
1779	* them. By happy coincident, most regular DLLs doesn't include dashes.
1780	*
1781	* @returns true if it contains path separator, false if only a name.
1782	* @param pPath The path to check.
1783	*/
1784	static bool supR3HardenedHasDashButNoPath(PUNICODE_STRING pPath)
1785	{
1786	size_t cDashes = 0;
1787	size_t cwcLeft = pPath->Length / sizeof(WCHAR);
1788	PCRTUTF16 pwc = pPath->Buffer;
1789	while (cwcLeft-- > 0)
1790	{
1791	RTUTF16 wc = *pwc++;
1792	switch (wc)
1793	{
1794	default:
1795	break;
1796
1797	case '-':
1798	cDashes++;
1799	break;
1800
1801	case '\\':
1802	case '/':
1803	case ':':
1804	return false;
1805	}
1806	}
1807	return cDashes > 0;
1808	}
1809
1810
1811	/**
1812	* Helper for supR3HardenedMonitor_LdrLoadDll.
1813	*
1814	* @returns NT status code.
1815	* @param pwszPath The path destination buffer.
1816	* @param cwcPath The size of the path buffer.
1817	* @param pUniStrResult The result string.
1818	* @param pOrgName The orignal name (for errors).
1819	* @param pcwc Where to return the actual length.
1820	*/
1821	static NTSTATUS supR3HardenedCopyRedirectionResult(WCHAR *pwszPath, size_t cwcPath, PUNICODE_STRING pUniStrResult,
1822	PUNICODE_STRING pOrgName, UINT *pcwc)
1823	{
1824	UINT cwc;
1825	*pcwc = cwc = pUniStrResult->Length / sizeof(WCHAR);
1826	if (pUniStrResult->Buffer == pwszPath)
1827	pwszPath[cwc] = '\0';
1828	else
1829	{
1830	if (cwc > cwcPath - 1)
1831	{
1832	supR3HardenedError(VINF_SUCCESS, false,
1833	"supR3HardenedMonitor_LdrLoadDll: Name too long: %.ls -> %.ls (RtlDosApplyFileIoslationRedirection_Ustr)\n",
1834	pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer,
1835	pUniStrResult->Length / sizeof(WCHAR), pUniStrResult->Buffer);
1836	return STATUS_NAME_TOO_LONG;
1837	}
1838	memcpy(&pwszPath[0], pUniStrResult->Buffer, pUniStrResult->Length);
1839	pwszPath[cwc] = '\0';
1840	}
1841	return STATUS_SUCCESS;
1842	}
1843
1844
1845	/**
1846	* Helper for supR3HardenedMonitor_LdrLoadDll that compares the name part of the
1847	* input path against a ASCII name string of a given length.
1848	*
1849	* @returns true if the name part matches
1850	* @param pPath The LdrLoadDll input path.
1851	* @param pszName The name to try match it with.
1852	* @param cchName The name length.
1853	*/
1854	static bool supR3HardenedIsFilenameMatchDll(PUNICODE_STRING pPath, const char *pszName, size_t cchName)
1855	{
1856	if (pPath->Length < cchName * 2)
1857	return false;
1858	PCRTUTF16 pwszTmp = &pPath->Buffer[pPath->Length / sizeof(RTUTF16) - cchName];
1859	if ( pPath->Length != cchName
1860	&& pwszTmp[-1] != '\\'
1861	&& pwszTmp[-1] != '/')
1862	return false;
1863	return RTUtf16ICmpAscii(pwszTmp, pszName) == 0;
1864	}
1865
1866
1867	/**
1868	* Hooks that intercepts LdrLoadDll calls.
1869	*
1870	* Two purposes:
1871	* -# Enforce our own search path restrictions.
1872	* -# Prevalidate DLLs about to be loaded so we don't upset the loader data
1873	* by doing it from within the NtCreateSection hook (WinVerifyTrust
1874	* seems to be doing harm there on W7/32).
1875	*
1876	* @returns
1877	* @param pwszSearchPath The search path to use.
1878	* @param pfFlags Flags on input. DLL characteristics or something
1879	* on return?
1880	* @param pName The name of the module.
1881	* @param phMod Where the handle of the loaded DLL is to be
1882	* returned to the caller.
1883	*/
1884	static NTSTATUS NTAPI
1885	supR3HardenedMonitor_LdrLoadDll(PWSTR pwszSearchPath, PULONG pfFlags, PUNICODE_STRING pName, PHANDLE phMod)
1886	{
1887	DWORD dwSavedLastError = RtlGetLastWin32Error();
1888	PUNICODE_STRING const pOrgName = pName;
1889	NTSTATUS rcNt;
1890
1891	/*
1892	* Make sure the DLL notification callback is registered. If we could, we
1893	* would've done this during early process init, but due to lack of heap
1894	* and uninitialized loader lock, it's not possible that early on.
1895	*
1896	* The callback protects our NtDll hooks from getting unhooked by
1897	* "friendly" fire from the AV crowd.
1898	*/
1899	supR3HardenedWinRegisterDllNotificationCallback();
1900
1901	/*
1902	* Process WinVerifyTrust todo before and after.
1903	*/
1904	supR3HardenedWinVerifyCacheProcessWvtTodos();
1905
1906	/*
1907	* Reject things we don't want to deal with.
1908	*/
1909	if (!pName \|\| pName->Length == 0)
1910	{
1911	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: name is NULL or have a zero length.\n");
1912	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x (pName=%p)\n", STATUS_INVALID_PARAMETER, pName));
1913	RtlRestoreLastWin32Error(dwSavedLastError);
1914	return STATUS_INVALID_PARAMETER;
1915	}
1916	PCWCHAR const pawcOrgName = pName->Buffer;
1917	uint32_t const cwcOrgName = pName->Length / sizeof(WCHAR);
1918
1919	/SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.ls *pfFlags=%#x pwszSearchPath=%p:%ls\n",
1920	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer, pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
1921	!((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));*/
1922
1923	/*
1924	* Reject long paths that's close to the 260 limit without looking.
1925	*/
1926	if (cwcOrgName > 256)
1927	{
1928	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: too long name: %#x bytes\n", pName->Length);
1929	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
1930	RtlRestoreLastWin32Error(dwSavedLastError);
1931	return STATUS_NAME_TOO_LONG;
1932	}
1933
1934	/*
1935	* Reject all UNC-like paths as we cannot trust non-local files at all.
1936	* Note! We may have to relax this to deal with long path specifications and NT pass thrus.
1937	*/
1938	if ( cwcOrgName >= 3
1939	&& RTPATH_IS_SLASH(pawcOrgName[0])
1940	&& RTPATH_IS_SLASH(pawcOrgName[1])
1941	&& !RTPATH_IS_SLASH(pawcOrgName[2]))
1942	{
1943	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting UNC name '%.*ls'\n", cwcOrgName, pawcOrgName);
1944	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_REDIRECTOR_NOT_STARTED));
1945	RtlRestoreLastWin32Error(dwSavedLastError);
1946	return STATUS_REDIRECTOR_NOT_STARTED;
1947	}
1948
1949	/*
1950	* Reject PGHook.dll as it creates a thread from its DllMain that breaks
1951	* our preconditions respawning the 2nd process, resulting in
1952	* VERR_SUP_VP_THREAD_NOT_ALONE. The DLL is being loaded by a user APC
1953	* scheduled during kernel32.dll load notification from a kernel driver,
1954	* so failing the load attempt should not upset anyone.
1955	*/
1956	if (g_enmSupR3HardenedMainState == SUPR3HARDENEDMAINSTATE_WIN_EARLY_STUB_DEVICE_OPENED)
1957	{
1958	static const struct { const char *psz; size_t cch; } s_aUnwantedEarlyDlls[] =
1959	{
1960	{ RT_STR_TUPLE("PGHook.dll") },
1961	};
1962	for (unsigned i = 0; i < RT_ELEMENTS(s_aUnwantedEarlyDlls); i++)
1963	if (supR3HardenedIsFilenameMatchDll(pName, s_aUnwantedEarlyDlls[i].psz, s_aUnwantedEarlyDlls[i].cch))
1964	{
1965	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load '%.*ls' as it is expected to create undesirable threads that will upset our respawn checks (returning STATUS_TOO_MANY_THREADS)\n",
1966	pName->Length / sizeof(RTUTF16), pName->Buffer));
1967	return STATUS_TOO_MANY_THREADS;
1968	}
1969	}
1970
1971	/*
1972	* Resolve the path, copying the result into wszPath
1973	*/
1974	NTSTATUS rcNtResolve = STATUS_SUCCESS;
1975	bool fSkipValidation = false;
1976	bool fCheckIfLoaded = false;
1977	WCHAR wszPath[260];
1978	static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");
1979	UNICODE_STRING UniStrStatic = { 0, (USHORT)sizeof(wszPath) - sizeof(WCHAR), wszPath };
1980	UNICODE_STRING UniStrDynamic = { 0, 0, NULL };
1981	PUNICODE_STRING pUniStrResult = NULL;
1982	UNICODE_STRING ResolvedName;
1983
1984	/*
1985	* Process the name a little, checking if it needs a DLL suffix and is pathless.
1986	*/
1987	uint32_t offLastSlash = UINT32_MAX;
1988	uint32_t offLastDot = UINT32_MAX;
1989	for (uint32_t i = 0; i < cwcOrgName; i++)
1990	switch (pawcOrgName[i])
1991	{
1992	case '\\':
1993	case '/':
1994	offLastSlash = i;
1995	offLastDot = UINT32_MAX;
1996	break;
1997	case '.':
1998	offLastDot = i;
1999	break;
2000	}
2001	bool const fNeedDllSuffix = offLastDot == UINT32_MAX;
2002	//bool const fTrailingDot = offLastDot == cwcOrgName - 1;
2003
2004	/*
2005	* Absolute path?
2006	*/
2007	if ( ( cwcOrgName >= 4
2008	&& RT_C_IS_ALPHA(pawcOrgName[0])
2009	&& pawcOrgName[1] == ':'
2010	&& RTPATH_IS_SLASH(pawcOrgName[2]) )
2011	\|\| ( cwcOrgName >= 1
2012	&& RTPATH_IS_SLASH(pawcOrgName[0]) )
2013	)
2014	{
2015	rcNtResolve = RtlDosApplyFileIsolationRedirection_Ustr(1 /fFlags/,
2016	pName,
2017	(PUNICODE_STRING)&s_DefaultSuffix,
2018	&UniStrStatic,
2019	&UniStrDynamic,
2020	&pUniStrResult,
2021	NULL /pNewFlags/,
2022	NULL /pcbFilename/,
2023	NULL /pcbNeeded/);
2024	if (NT_SUCCESS(rcNtResolve))
2025	{
2026	UINT cwc;
2027	rcNt = supR3HardenedCopyRedirectionResult(wszPath, RT_ELEMENTS(wszPath), pUniStrResult, pName, &cwc);
2028	RtlFreeUnicodeString(&UniStrDynamic);
2029	if (!NT_SUCCESS(rcNt))
2030	{
2031	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", rcNt));
2032	RtlRestoreLastWin32Error(dwSavedLastError);
2033	return rcNt;
2034	}
2035
2036	ResolvedName.Buffer = wszPath;
2037	ResolvedName.Length = (USHORT)(cwc * sizeof(WCHAR));
2038	ResolvedName.MaximumLength = ResolvedName.Length + sizeof(WCHAR);
2039
2040	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: '%.ls' -> '%.ls' [redir]\n",
2041	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer,
2042	ResolvedName.Length / sizeof(WCHAR), ResolvedName.Buffer, rcNt));
2043	pName = &ResolvedName;
2044	}
2045	else
2046	{
2047	/* Copy the path. */
2048	memcpy(wszPath, pawcOrgName, cwcOrgName * sizeof(WCHAR));
2049	if (!fNeedDllSuffix)
2050	wszPath[cwcOrgName] = '\0';
2051	else
2052	{
2053	if (cwcOrgName + 4 >= RT_ELEMENTS(wszPath))
2054	{
2055	supR3HardenedError(VINF_SUCCESS, false,
2056	"supR3HardenedMonitor_LdrLoadDll: Name too long (abs): %.*ls\n", cwcOrgName, pawcOrgName);
2057	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
2058	RtlRestoreLastWin32Error(dwSavedLastError);
2059	return STATUS_NAME_TOO_LONG;
2060	}
2061	memcpy(&wszPath[cwcOrgName], L".dll", 5 * sizeof(WCHAR));
2062	}
2063	}
2064	}
2065	/*
2066	* Not an absolute path. Check if it's one of those special API set DLLs
2067	* or something we're known to use but should be taken from WinSxS.
2068	*/
2069	else if ( supR3HardenedHasDashButNoPath(pName)
2070	&& supR3HardenedIsApiSetDll(pName))
2071	{
2072	memcpy(wszPath, pName->Buffer, pName->Length);
2073	wszPath[pName->Length / sizeof(WCHAR)] = '\0';
2074	fSkipValidation = true;
2075	}
2076	/*
2077	* Not an absolute path or special API set. There are two alternatives
2078	* now, either there is no path at all or there is a relative path. We
2079	* will resolve it to an absolute path in either case, failing the call
2080	* if we can't.
2081	*/
2082	else
2083	{
2084	/*
2085	* Reject relative paths for now as they might be breakout attempts.
2086	*/
2087	if (offLastSlash != UINT32_MAX)
2088	{
2089	supR3HardenedError(VINF_SUCCESS, false,
2090	"supR3HardenedMonitor_LdrLoadDll: relative name not permitted: %.*ls\n",
2091	cwcOrgName, pawcOrgName);
2092	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_OBJECT_NAME_INVALID));
2093	RtlRestoreLastWin32Error(dwSavedLastError);
2094	return STATUS_OBJECT_NAME_INVALID;
2095	}
2096
2097	/*
2098	* Perform dll redirection to WinSxS such. We using an undocumented
2099	* API here, which as always is a bit risky... ASSUMES that the API
2100	* returns a full DOS path.
2101	*/
2102	UINT cwc;
2103	rcNtResolve = RtlDosApplyFileIsolationRedirection_Ustr(1 /fFlags/,
2104	pName,
2105	(PUNICODE_STRING)&s_DefaultSuffix,
2106	&UniStrStatic,
2107	&UniStrDynamic,
2108	&pUniStrResult,
2109	NULL /pNewFlags/,
2110	NULL /pcbFilename/,
2111	NULL /pcbNeeded/);
2112	if (NT_SUCCESS(rcNtResolve))
2113	{
2114	rcNt = supR3HardenedCopyRedirectionResult(wszPath, RT_ELEMENTS(wszPath), pUniStrResult, pName, &cwc);
2115	RtlFreeUnicodeString(&UniStrDynamic);
2116	if (!NT_SUCCESS(rcNt))
2117	{
2118	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", rcNt));
2119	RtlRestoreLastWin32Error(dwSavedLastError);
2120	return rcNt;
2121	}
2122	}
2123	else
2124	{
2125	/*
2126	* Search for the DLL. Only System32 is allowed as the target of
2127	* a search on the API level, all VBox calls will have full paths.
2128	* If the DLL is not in System32, we will resort to check if it's
2129	* refering to an already loaded DLL (fCheckIfLoaded).
2130	*/
2131	AssertCompile(sizeof(g_System32WinPath.awcBuffer) <= sizeof(wszPath));
2132	cwc = g_System32WinPath.UniStr.Length / sizeof(RTUTF16); Assert(cwc > 2);
2133	if (cwc + 1 + cwcOrgName + fNeedDllSuffix * 4 >= RT_ELEMENTS(wszPath))
2134	{
2135	supR3HardenedError(VINF_SUCCESS, false,
2136	"supR3HardenedMonitor_LdrLoadDll: Name too long (system32): %.*ls\n", cwcOrgName, pawcOrgName);
2137	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
2138	RtlRestoreLastWin32Error(dwSavedLastError);
2139	return STATUS_NAME_TOO_LONG;
2140	}
2141	memcpy(wszPath, g_System32WinPath.UniStr.Buffer, cwc * sizeof(RTUTF16));
2142	wszPath[cwc++] = '\\';
2143	memcpy(&wszPath[cwc], pawcOrgName, cwcOrgName * sizeof(WCHAR));
2144	cwc += cwcOrgName;
2145	if (!fNeedDllSuffix)
2146	wszPath[cwc] = '\0';
2147	else
2148	{
2149	memcpy(&wszPath[cwc], L".dll", 5 * sizeof(WCHAR));
2150	cwc += 4;
2151	}
2152	fCheckIfLoaded = true;
2153	}
2154
2155	ResolvedName.Buffer = wszPath;
2156	ResolvedName.Length = (USHORT)(cwc * sizeof(WCHAR));
2157	ResolvedName.MaximumLength = ResolvedName.Length + sizeof(WCHAR);
2158	pName = &ResolvedName;
2159	}
2160
2161	#ifndef IN_SUP_R3_STATIC
2162	/*
2163	* Reject blacklisted DLLs based on input name.
2164	*/
2165	for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
2166	if (supR3HardenedIsFilenameMatchDll(pName, g_aSupNtViBlacklistedDlls[i].psz, g_aSupNtViBlacklistedDlls[i].cch))
2167	{
2168	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load blacklisted DLL: '%.*ls'\n",
2169	pName->Length / sizeof(RTUTF16), pName->Buffer));
2170	RtlRestoreLastWin32Error(dwSavedLastError);
2171	return STATUS_TOO_MANY_THREADS;
2172	}
2173	#endif
2174
2175	bool fQuiet = false;
2176	if (!fSkipValidation)
2177	{
2178	/*
2179	* Try open the file. If this fails, never mind, just pass it on to
2180	* the real API as we've replaced any searchable name with a full name
2181	* and the real API can come up with a fitting status code for it.
2182	*/
2183	HANDLE hRootDir;
2184	UNICODE_STRING NtPathUniStr;
2185	int rc = RTNtPathFromWinUtf16Ex(&NtPathUniStr, &hRootDir, wszPath, RTSTR_MAX);
2186	if (RT_FAILURE(rc))
2187	{
2188	supR3HardenedError(rc, false,
2189	"supR3HardenedMonitor_LdrLoadDll: RTNtPathFromWinUtf16Ex failed on '%ls': %Rrc\n", wszPath, rc);
2190	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_OBJECT_NAME_INVALID));
2191	RtlRestoreLastWin32Error(dwSavedLastError);
2192	return STATUS_OBJECT_NAME_INVALID;
2193	}
2194
2195	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
2196	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
2197	OBJECT_ATTRIBUTES ObjAttr;
2198	InitializeObjectAttributes(&ObjAttr, &NtPathUniStr, OBJ_CASE_INSENSITIVE, hRootDir, NULL /pSecDesc/);
2199
2200	rcNt = NtCreateFile(&hFile,
2201	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
2202	&ObjAttr,
2203	&Ios,
2204	NULL /* Allocation Size*/,
2205	FILE_ATTRIBUTE_NORMAL,
2206	FILE_SHARE_READ,
2207	FILE_OPEN,
2208	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
2209	NULL /EaBuffer/,
2210	0 /EaLength/);
2211	if (NT_SUCCESS(rcNt))
2212	rcNt = Ios.Status;
2213	if (NT_SUCCESS(rcNt))
2214	{
2215	ULONG fAccess = 0;
2216	ULONG fProtect = 0;
2217	bool fCallRealApi = false;
2218	rcNt = supR3HardenedScreenImage(hFile, true /fImage/, RT_VALID_PTR(pfFlags) && (pfFlags & 0x2) /fIgnoreArch*/,
2219	&fAccess, &fProtect, &fCallRealApi,
2220	"LdrLoadDll", false /fAvoidWinVerifyTrust/, &fQuiet);
2221	NtClose(hFile);
2222	if (!NT_SUCCESS(rcNt))
2223	{
2224	if (!fQuiet)
2225	{
2226	if (pOrgName != pName)
2227	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting '%ls': rcNt=%#x\n",
2228	wszPath, rcNt);
2229	else
2230	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting '%ls' (%.*ls): rcNt=%#x\n",
2231	wszPath, pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNt);
2232	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
2233	}
2234	RtlRestoreLastWin32Error(dwSavedLastError);
2235	return rcNt;
2236	}
2237
2238	supR3HardenedWinVerifyCacheProcessImportTodos();
2239	}
2240	else
2241	{
2242	DWORD dwErr = RtlGetLastWin32Error();
2243
2244	/*
2245	* Deal with special case where the caller (first case was MS LifeCam)
2246	* is using LoadLibrary instead of GetModuleHandle to find a loaded DLL.
2247	*/
2248	NTSTATUS rcNtGetDll = STATUS_SUCCESS;
2249	if ( fCheckIfLoaded
2250	&& ( rcNt == STATUS_OBJECT_NAME_NOT_FOUND
2251	\|\| rcNt == STATUS_OBJECT_PATH_NOT_FOUND))
2252	{
2253	rcNtGetDll = LdrGetDllHandle(NULL /DllPath/, NULL /pfFlags/, pOrgName, phMod);
2254	if (NT_SUCCESS(rcNtGetDll))
2255	{
2256	RTNtPathFree(&NtPathUniStr, &hRootDir);
2257	RtlRestoreLastWin32Error(dwSavedLastError);
2258	return rcNtGetDll;
2259	}
2260	}
2261
2262	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: error opening '%ls': %u (NtPath=%.ls; Input=%.ls; rcNtGetDll=%#x\n",
2263	wszPath, dwErr, NtPathUniStr.Length / sizeof(RTUTF16), NtPathUniStr.Buffer,
2264	pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNtGetDll));
2265
2266	RTNtPathFree(&NtPathUniStr, &hRootDir);
2267	RtlRestoreLastWin32Error(dwSavedLastError);
2268	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
2269	return rcNt;
2270	}
2271	RTNtPathFree(&NtPathUniStr, &hRootDir);
2272	}
2273
2274	/*
2275	* Screened successfully enough. Call the real thing.
2276	*/
2277	if (!fQuiet)
2278	{
2279	if (pOrgName != pName)
2280	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.ls (Input=%.ls, rcNtResolve=%#x) *pfFlags=%#x pwszSearchPath=%p:%ls [calling]\n",
2281	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer,
2282	(unsigned)pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNtResolve,
2283	pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
2284	!((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));
2285	else
2286	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.ls (rcNtResolve=%#x) pfFlags=%#x pwszSearchPath=%p:%ls [calling]\n",
2287	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer, rcNtResolve,
2288	pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
2289	!((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));
2290	}
2291
2292	RtlRestoreLastWin32Error(dwSavedLastError);
2293	rcNt = g_pfnLdrLoadDllReal(pwszSearchPath, pfFlags, pName, phMod);
2294
2295	/*
2296	* Log the result and process pending WinVerifyTrust work if we can.
2297	*/
2298	dwSavedLastError = RtlGetLastWin32Error();
2299
2300	if (NT_SUCCESS(rcNt) && phMod)
2301	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x hMod=%p '%ls'\n", rcNt, *phMod, wszPath));
2302	else if (!NT_SUCCESS(rcNt) \|\| !fQuiet)
2303	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
2304
2305	supR3HardenedWinVerifyCacheProcessWvtTodos();
2306
2307	RtlRestoreLastWin32Error(dwSavedLastError);
2308
2309	return rcNt;
2310	}
2311
2312
2313	/**
2314	* DLL load and unload notification callback.
2315	*
2316	* This is a safety against our LdrLoadDll hook being replaced by protection
2317	* software. Though, we prefer the LdrLoadDll hook to this one as it allows us
2318	* to call WinVerifyTrust more freely.
2319	*
2320	* @param ulReason The reason we're called, see
2321	* LDR_DLL_NOTIFICATION_REASON_XXX.
2322	* @param pData Reason specific data. (Format is currently the same for
2323	* both load and unload.)
2324	* @param pvUser User parameter (ignored).
2325	*
2326	* @remarks Vista and later.
2327	* @remarks The loader lock is held when we're called, at least on Windows 7.
2328	*/
2329	static VOID CALLBACK supR3HardenedDllNotificationCallback(ULONG ulReason, PCLDR_DLL_NOTIFICATION_DATA pData, PVOID pvUser)
2330	{
2331	NOREF(pvUser);
2332
2333	/*
2334	* Screen the image on load. We will normally get a verification cache
2335	* hit here because of the LdrLoadDll and NtCreateSection hooks, so it
2336	* should be relatively cheap to recheck. In case our NtDll patches
2337	* got re
2338	*
2339	* This ASSUMES that we get informed after the fact as indicated by the
2340	* available documentation.
2341	*/
2342	if (ulReason == LDR_DLL_NOTIFICATION_REASON_LOADED)
2343	{
2344	SUP_DPRINTF(("supR3HardenedDllNotificationCallback: load %p LB %#010x %.*ls [fFlags=%#x]\n",
2345	pData->Loaded.DllBase, pData->Loaded.SizeOfImage,
2346	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
2347	pData->Loaded.Flags));
2348
2349	/* Convert the windows path to an NT path and open it. */
2350	HANDLE hRootDir;
2351	UNICODE_STRING NtPathUniStr;
2352	int rc = RTNtPathFromWinUtf16Ex(&NtPathUniStr, &hRootDir, pData->Loaded.FullDllName->Buffer,
2353	pData->Loaded.FullDllName->Length / sizeof(WCHAR));
2354	if (RT_FAILURE(rc))
2355	{
2356	supR3HardenedFatal("supR3HardenedDllNotificationCallback: RTNtPathFromWinUtf16Ex failed on '%.*ls': %Rrc\n",
2357	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer, rc);
2358	return;
2359	}
2360
2361	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
2362	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
2363	OBJECT_ATTRIBUTES ObjAttr;
2364	InitializeObjectAttributes(&ObjAttr, &NtPathUniStr, OBJ_CASE_INSENSITIVE, hRootDir, NULL /pSecDesc/);
2365
2366	NTSTATUS rcNt = NtCreateFile(&hFile,
2367	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
2368	&ObjAttr,
2369	&Ios,
2370	NULL /* Allocation Size*/,
2371	FILE_ATTRIBUTE_NORMAL,
2372	FILE_SHARE_READ,
2373	FILE_OPEN,
2374	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
2375	NULL /EaBuffer/,
2376	0 /EaLength/);
2377	if (NT_SUCCESS(rcNt))
2378	rcNt = Ios.Status;
2379	if (!NT_SUCCESS(rcNt))
2380	{
2381	supR3HardenedFatal("supR3HardenedDllNotificationCallback: NtCreateFile failed on '%.ls' / '%.ls': %#x\n",
2382	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
2383	NtPathUniStr.Length / sizeof(WCHAR), NtPathUniStr.Buffer, rcNt);
2384	/* not reached */
2385	}
2386
2387	/* Do the screening. */
2388	ULONG fAccess = 0;
2389	ULONG fProtect = 0;
2390	bool fCallRealApi = false;
2391	bool fQuietFailure = false;
2392	rcNt = supR3HardenedScreenImage(hFile, true /fImage/, true /fIgnoreArch/, &fAccess, &fProtect, &fCallRealApi,
2393	"LdrLoadDll", true /fAvoidWinVerifyTrust/, &fQuietFailure);
2394	NtClose(hFile);
2395	if (!NT_SUCCESS(rcNt))
2396	{
2397	supR3HardenedFatal("supR3HardenedDllNotificationCallback: supR3HardenedScreenImage failed on '%.ls' / '%.ls': %#x\n",
2398	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
2399	NtPathUniStr.Length / sizeof(WCHAR), NtPathUniStr.Buffer, rcNt);
2400	/* not reached */
2401	}
2402	RTNtPathFree(&NtPathUniStr, &hRootDir);
2403	}
2404	/*
2405	* Log the unload call.
2406	*/
2407	else if (ulReason == LDR_DLL_NOTIFICATION_REASON_UNLOADED)
2408	{
2409	SUP_DPRINTF(("supR3HardenedDllNotificationCallback: Unload %p LB %#010x %.*ls [flags=%#x]\n",
2410	pData->Unloaded.DllBase, pData->Unloaded.SizeOfImage,
2411	pData->Unloaded.FullDllName->Length / sizeof(WCHAR), pData->Unloaded.FullDllName->Buffer,
2412	pData->Unloaded.Flags));
2413	}
2414	/*
2415	* Just log things we don't know and then return without caching anything.
2416	*/
2417	else
2418	{
2419	static uint32_t s_cLogEntries = 0;
2420	if (s_cLogEntries++ < 32)
2421	SUP_DPRINTF(("supR3HardenedDllNotificationCallback: ulReason=%u pData=%p\n", ulReason, pData));
2422	return;
2423	}
2424
2425	/*
2426	* Use this opportunity to make sure our NtDll patches are still in place,
2427	* since they may be replaced by indecent protection software solutions.
2428	*/
2429	supR3HardenedWinReInstallHooks(false /fFirstCall /);
2430	}
2431
2432
2433	/**
2434	* Registers the DLL notification callback if it hasn't already been registered.
2435	*/
2436	static void supR3HardenedWinRegisterDllNotificationCallback(void)
2437	{
2438	/*
2439	* The notification API was added in Vista, so it's an optional (weak) import.
2440	*/
2441	if ( LdrRegisterDllNotification != NULL
2442	&& g_cDllNotificationRegistered <= 0
2443	&& g_cDllNotificationRegistered > -32)
2444	{
2445	NTSTATUS rcNt = LdrRegisterDllNotification(0, supR3HardenedDllNotificationCallback, NULL, &g_pvDllNotificationCookie);
2446	if (NT_SUCCESS(rcNt))
2447	{
2448	SUP_DPRINTF(("Registered Dll notification callback with NTDLL.\n"));
2449	g_cDllNotificationRegistered = 1;
2450	}
2451	else
2452	{
2453	supR3HardenedError(rcNt, false /fFatal/, "LdrRegisterDllNotification failed: %#x\n", rcNt);
2454	g_cDllNotificationRegistered--;
2455	}
2456	}
2457	}
2458
2459
2460	static void supR3HardenedWinHookFailed(const char pszWhich, uint8_t const pbPrologue)
2461	{
2462	supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_NO_MEMORY,
2463	"Failed to install %s monitor: %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x\n "
2464	#ifdef RT_ARCH_X86
2465	"(It is also possible you are running 32-bit VirtualBox under 64-bit windows.)\n"
2466	#endif
2467	,
2468	pszWhich,
2469	pbPrologue[0], pbPrologue[1], pbPrologue[2], pbPrologue[3],
2470	pbPrologue[4], pbPrologue[5], pbPrologue[6], pbPrologue[7],
2471	pbPrologue[8], pbPrologue[9], pbPrologue[10], pbPrologue[11],
2472	pbPrologue[12], pbPrologue[13], pbPrologue[14], pbPrologue[15]);
2473	}
2474
2475
2476	/**
2477	* IPRT thread that waits for the parent process to terminate and reacts by
2478	* exiting the current process.
2479	*
2480	* @returns VINF_SUCCESS
2481	* @param hSelf The current thread. Ignored.
2482	* @param pvUser The handle of the parent process.
2483	*/
2484	static DECLCALLBACK(int) supR3HardenedWinParentWatcherThread(RTTHREAD hSelf, void *pvUser)
2485	{
2486	HANDLE hProcWait = (HANDLE)pvUser;
2487	NOREF(hSelf);
2488
2489	/*
2490	* Wait for the parent to terminate.
2491	*/
2492	NTSTATUS rcNt;
2493	for (;;)
2494	{
2495	rcNt = NtWaitForSingleObject(hProcWait, TRUE /Alertable/, NULL /pTimeout/);
2496	if ( rcNt == STATUS_WAIT_0
2497	\|\| rcNt == STATUS_ABANDONED_WAIT_0)
2498	break;
2499	if ( rcNt != STATUS_TIMEOUT
2500	&& rcNt != STATUS_USER_APC
2501	&& rcNt != STATUS_ALERTED)
2502	supR3HardenedFatal("NtWaitForSingleObject returned %#x\n", rcNt);
2503	}
2504
2505	/*
2506	* Proxy the termination code of the child, if it exited already.
2507	*/
2508	PROCESS_BASIC_INFORMATION BasicInfo;
2509	NTSTATUS rcNt2 = NtQueryInformationProcess(hProcWait, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
2510	if ( !NT_SUCCESS(rcNt2)
2511	\|\| BasicInfo.ExitStatus == STATUS_PENDING)
2512	BasicInfo.ExitStatus = RTEXITCODE_FAILURE;
2513
2514	NtClose(hProcWait);
2515	SUP_DPRINTF(("supR3HardenedWinParentWatcherThread: Quitting: ExitCode=%#x rcNt=%#x\n", BasicInfo.ExitStatus, rcNt));
2516	suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
2517	/* not reached */
2518	}
2519
2520
2521	/**
2522	* Creates the parent watcher thread that will make sure this process exits when
2523	* the parent does.
2524	*
2525	* This is a necessary evil to make VBoxNetDhcp and VBoxNetNat termination from
2526	* Main work without too much new magic. It also makes Ctrl-C or similar work
2527	* in on the hardened processes in the windows console.
2528	*
2529	* @param hVBoxRT The VBoxRT.dll handle. We use RTThreadCreate to
2530	* spawn the thread to avoid duplicating thread
2531	* creation and thread naming code from IPRT.
2532	*/
2533	DECLHIDDEN(void) supR3HardenedWinCreateParentWatcherThread(HMODULE hVBoxRT)
2534	{
2535	/*
2536	* Resolve runtime methods that we need.
2537	*/
2538	PFNRTTHREADCREATE pfnRTThreadCreate = (PFNRTTHREADCREATE)GetProcAddress(hVBoxRT, "RTThreadCreate");
2539	SUPR3HARDENED_ASSERT(pfnRTThreadCreate != NULL);
2540
2541	/*
2542	* Find the parent process ID.
2543	*/
2544	PROCESS_BASIC_INFORMATION BasicInfo;
2545	NTSTATUS rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
2546	if (!NT_SUCCESS(rcNt))
2547	supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: NtQueryInformationProcess failed: %#x\n", rcNt);
2548
2549	/*
2550	* Open the parent process for waiting and exitcode query.
2551	*/
2552	OBJECT_ATTRIBUTES ObjAttr;
2553	InitializeObjectAttributes(&ObjAttr, NULL, 0, NULL /hRootDir/, NULL /pSecDesc/);
2554
2555	CLIENT_ID ClientId;
2556	ClientId.UniqueProcess = (HANDLE)BasicInfo.InheritedFromUniqueProcessId;
2557	ClientId.UniqueThread = NULL;
2558
2559	HANDLE hParent;
2560	rcNt = NtOpenProcess(&hParent, SYNCHRONIZE \| PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
2561	if (!NT_SUCCESS(rcNt))
2562	supR3HardenedFatalMsg("supR3HardenedWinCreateParentWatcherThread", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
2563	"NtOpenProcess(%p.0) failed: %#x\n", ClientId.UniqueProcess, rcNt);
2564
2565	/*
2566	* Create the thread that should do the waiting.
2567	*/
2568	int rc = pfnRTThreadCreate(NULL, supR3HardenedWinParentWatcherThread, hParent, _64K /* stack */,
2569	RTTHREADTYPE_DEFAULT, 0 /fFlags/, "ParentWatcher");
2570	if (RT_FAILURE(rc))
2571	supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: RTThreadCreate failed: %Rrc\n", rc);
2572	}
2573
2574
2575	/**
2576	* Checks if the calling thread is the only one in the process.
2577	*
2578	* @returns true if we're positive we're alone, false if not.
2579	*/
2580	static bool supR3HardenedWinAmIAlone(void)
2581	{
2582	ULONG fAmIAlone = 0;
2583	ULONG cbIgn = 0;
2584	NTSTATUS rcNt = NtQueryInformationThread(NtCurrentThread(), ThreadAmILastThread, &fAmIAlone, sizeof(fAmIAlone), &cbIgn);
2585	Assert(NT_SUCCESS(rcNt));
2586	return NT_SUCCESS(rcNt) && fAmIAlone != 0;
2587	}
2588
2589
2590	/**
2591	* Simplify NtProtectVirtualMemory interface.
2592	*
2593	* Modifies protection for the current process. Caller must know the current
2594	* protection as it's not returned.
2595	*
2596	* @returns NT status code.
2597	* @param pvMem The memory to change protection for.
2598	* @param cbMem The amount of memory to change.
2599	* @param fNewProt The new protection.
2600	*/
2601	static NTSTATUS supR3HardenedWinProtectMemory(PVOID pvMem, SIZE_T cbMem, ULONG fNewProt)
2602	{
2603	ULONG fOldProt = 0;
2604	return NtProtectVirtualMemory(NtCurrentProcess(), &pvMem, &cbMem, fNewProt, &fOldProt);
2605	}
2606
2607
2608	/**
2609	* Installs or reinstalls the NTDLL patches.
2610	*/
2611	static void supR3HardenedWinReInstallHooks(bool fFirstCall)
2612	{
2613	struct
2614	{
2615	size_t cbPatch;
2616	uint8_t const *pabPatch;
2617	uint8_t **ppbApi;
2618	const char *pszName;
2619	} const s_aPatches[] =
2620	{
2621	{ sizeof(g_abNtCreateSectionPatch), g_abNtCreateSectionPatch, &g_pbNtCreateSection, "NtCreateSection" },
2622	{ sizeof(g_abLdrLoadDllPatch), g_abLdrLoadDllPatch, &g_pbLdrLoadDll, "LdrLoadDll" },
2623	};
2624
2625	ULONG fAmIAlone = ~(ULONG)0;
2626
2627	for (uint32_t i = 0; i < RT_ELEMENTS(s_aPatches); i++)
2628	{
2629	uint8_t pbApi = s_aPatches[i].ppbApi;
2630	if (memcmp(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch) != 0)
2631	{
2632	/*
2633	* Log the incident if it's not the initial call.
2634	*/
2635	static uint32_t volatile s_cTimes = 0;
2636	if (!fFirstCall && s_cTimes < 128)
2637	{
2638	s_cTimes++;
2639	SUP_DPRINTF(("supR3HardenedWinReInstallHooks: Reinstalling %s (%p: %.*Rhxs).\n",
2640	s_aPatches[i].pszName, pbApi, s_aPatches[i].cbPatch, pbApi));
2641	}
2642
2643	Assert(s_aPatches[i].cbPatch >= 4);
2644
2645	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READWRITE));
2646
2647	/*
2648	* If we're alone, just memcpy the patch in.
2649	*/
2650
2651	if (fAmIAlone == ~(ULONG)0)
2652	fAmIAlone = supR3HardenedWinAmIAlone();
2653	if (fAmIAlone)
2654	memcpy(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch);
2655	else
2656	{
2657	/*
2658	* Not alone. Start by injecting a JMP $-2, then waste some
2659	* CPU cycles to get the other threads a good chance of getting
2660	* out of the code before we replace it.
2661	*/
2662	RTUINT32U uJmpDollarMinus;
2663	uJmpDollarMinus.au8[0] = 0xeb;
2664	uJmpDollarMinus.au8[1] = 0xfe;
2665	uJmpDollarMinus.au8[2] = pbApi[2];
2666	uJmpDollarMinus.au8[3] = pbApi[3];
2667	ASMAtomicXchgU32((uint32_t volatile *)pbApi, uJmpDollarMinus.u);
2668
2669	NtYieldExecution();
2670	NtYieldExecution();
2671
2672	/* Copy in the tail bytes of the patch, then xchg the jmp $-2. */
2673	if (s_aPatches[i].cbPatch > 4)
2674	memcpy(&pbApi[4], &s_aPatches[i].pabPatch[4], s_aPatches[i].cbPatch - 4);
2675	ASMAtomicXchgU32((uint32_t volatile )pbApi, (uint32_t *)s_aPatches[i].pabPatch);
2676	}
2677
2678	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READ));
2679	}
2680	}
2681	}
2682
2683
2684	/**
2685	* Install hooks for intercepting calls dealing with mapping shared libraries
2686	* into the process.
2687	*
2688	* This allows us to prevent undesirable shared libraries from being loaded.
2689	*
2690	* @remarks We assume we're alone in this process, so no seralizing trickery is
2691	* necessary when installing the patch.
2692	*
2693	* @remarks We would normally just copy the prologue sequence somewhere and add
2694	* a jump back at the end of it. But because we wish to avoid
2695	* allocating executable memory, we need to have preprepared assembly
2696	* "copies". This makes the non-system call patching a little tedious
2697	* and inflexible.
2698	*/
2699	static void supR3HardenedWinInstallHooks(void)
2700	{
2701	NTSTATUS rcNt;
2702
2703	/*
2704	* Disable hard error popups so we can quietly refuse images to be loaded.
2705	*/
2706	ULONG fHardErr = 0;
2707	rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessDefaultHardErrorMode, &fHardErr, sizeof(fHardErr), NULL);
2708	if (!NT_SUCCESS(rcNt))
2709	supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
2710	"NtQueryInformationProcess/ProcessDefaultHardErrorMode failed: %#x\n", rcNt);
2711	if (fHardErr & PROCESS_HARDERR_CRITICAL_ERROR)
2712	{
2713	fHardErr &= ~PROCESS_HARDERR_CRITICAL_ERROR;
2714	rcNt = NtSetInformationProcess(NtCurrentProcess(), ProcessDefaultHardErrorMode, &fHardErr, sizeof(fHardErr));
2715	if (!NT_SUCCESS(rcNt))
2716	supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
2717	"NtSetInformationProcess/ProcessDefaultHardErrorMode failed: %#x\n", rcNt);
2718	}
2719
2720	/*
2721	* Locate the routines first so we can allocate memory that's near enough.
2722	*/
2723	PFNRT pfnNtCreateSection = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtCreateSection");
2724	SUPR3HARDENED_ASSERT(pfnNtCreateSection != NULL);
2725	//SUPR3HARDENED_ASSERT(pfnNtCreateSection == (FARPROC)NtCreateSection);
2726
2727	PFNRT pfnLdrLoadDll = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "LdrLoadDll");
2728	SUPR3HARDENED_ASSERT(pfnLdrLoadDll != NULL);
2729	//SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
2730
2731	/*
2732	* Exec page setup & management.
2733	*/
2734	uint32_t offExecPage = 0;
2735	memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
2736
2737	/*
2738	* Hook #1 - NtCreateSection.
2739	* Purpose: Validate everything that can be mapped into the process before
2740	* it's mapped and we still have a file handle to work with.
2741	*/
2742	uint8_t * const pbNtCreateSection = (uint8_t *)(uintptr_t)pfnNtCreateSection;
2743	g_pbNtCreateSection = pbNtCreateSection;
2744	memcpy(g_abNtCreateSectionPatch, pbNtCreateSection, sizeof(g_abNtCreateSectionPatch));
2745
2746	g_pfnNtCreateSectionReal = NtCreateSection; /* our direct syscall */
2747
2748	#ifdef RT_ARCH_AMD64
2749	/*
2750	* Patch 64-bit hosts.
2751	*/
2752	/* Pattern #1: XP64/W2K3-64 thru Windows 8.1
2753	0:000> u ntdll!NtCreateSection
2754	ntdll!NtCreateSection:
2755	00000000`779f1750 4c8bd1 mov r10,rcx
2756	00000000`779f1753 b847000000 mov eax,47h
2757	00000000`779f1758 0f05 syscall
2758	00000000`779f175a c3 ret
2759	00000000`779f175b 0f1f440000 nop dword ptr [rax+rax]
2760	The variant is the value loaded into eax: W2K3=??, Vista=47h?, W7=47h, W80=48h, W81=49h */
2761
2762	/* Assemble the patch. */
2763	g_abNtCreateSectionPatch[0] = 0x48; /* mov rax, qword */
2764	g_abNtCreateSectionPatch[1] = 0xb8;
2765	(uint64_t )&g_abNtCreateSectionPatch[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection;
2766	g_abNtCreateSectionPatch[10] = 0xff; /* jmp rax */
2767	g_abNtCreateSectionPatch[11] = 0xe0;
2768
2769	#else
2770	/*
2771	* Patch 32-bit hosts.
2772	*/
2773	/* Pattern #1: XP thru Windows 7
2774	kd> u ntdll!NtCreateSection
2775	ntdll!NtCreateSection:
2776	7c90d160 b832000000 mov eax,32h
2777	7c90d165 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
2778	7c90d16a ff12 call dword ptr [edx]
2779	7c90d16c c21c00 ret 1Ch
2780	7c90d16f 90 nop
2781	The variable bit is the value loaded into eax: XP=32h, W2K3=34h, Vista=4bh, W7=54h
2782
2783	Pattern #2: Windows 8.1
2784	0:000:x86> u ntdll_6a0f0000!NtCreateSection
2785	ntdll_6a0f0000!NtCreateSection:
2786	6a15eabc b854010000 mov eax,154h
2787	6a15eac1 e803000000 call ntdll_6a0f0000!NtCreateSection+0xd (6a15eac9)
2788	6a15eac6 c21c00 ret 1Ch
2789	6a15eac9 8bd4 mov edx,esp
2790	6a15eacb 0f34 sysenter
2791	6a15eacd c3 ret
2792	The variable bit is the value loaded into eax: W81=154h */
2793
2794	/* Assemble the patch. */
2795	g_abNtCreateSectionPatch[0] = 0xe9; /* jmp rel32 */
2796	(uint32_t )&g_abNtCreateSectionPatch[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection
2797	- (uintptr_t)&pbNtCreateSection[1+4];
2798
2799	#endif
2800
2801	/*
2802	* Hook #2 - LdrLoadDll
2803	* Purpose: (a) Enforce LdrLoadDll search path constraints, and (b) pre-validate
2804	* DLLs so we can avoid calling WinVerifyTrust from the first hook,
2805	* and thus avoiding messing up the loader data on some installations.
2806	*
2807	* This differs from the above function in that is no a system call and
2808	* we're at the mercy of the compiler.
2809	*/
2810	uint8_t * const pbLdrLoadDll = (uint8_t *)(uintptr_t)pfnLdrLoadDll;
2811	g_pbLdrLoadDll = pbLdrLoadDll;
2812	memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
2813
2814	DISSTATE Dis;
2815	uint32_t cbInstr;
2816	uint32_t offJmpBack = 0;
2817
2818	#ifdef RT_ARCH_AMD64
2819	/*
2820	* Patch 64-bit hosts.
2821	*/
2822	/* Just use the disassembler to skip 12 bytes or more. */
2823	while (offJmpBack < 12)
2824	{
2825	cbInstr = 1;
2826	int rc = DISInstr(pbLdrLoadDll + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
2827	if ( RT_FAILURE(rc)
2828	\|\| (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW))
2829	\|\| (Dis.ModRM.Bits.Mod == 0 && Dis.ModRM.Bits.Rm == 5 /* wrt RIP */) )
2830	supR3HardenedWinHookFailed("LdrLoadDll", pbLdrLoadDll);
2831	offJmpBack += cbInstr;
2832	}
2833
2834	/* Assemble the code for resuming the call.*/
2835	(PFNRT )&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
2836
2837	memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack);
2838	offExecPage += offJmpBack;
2839
2840	g_abSupHardReadWriteExecPage[offExecPage++] = 0xff; /* jmp qword [$+8 wrt RIP] */
2841	g_abSupHardReadWriteExecPage[offExecPage++] = 0x25;
2842	(uint32_t )&g_abSupHardReadWriteExecPage[offExecPage] = RT_ALIGN_32(offExecPage + 4, 8) - (offExecPage + 4);
2843	offExecPage = RT_ALIGN_32(offExecPage + 4, 8);
2844	(uint64_t )&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack];
2845	offExecPage = RT_ALIGN_32(offExecPage + 8, 16);
2846
2847	/* Assemble the LdrLoadDll patch. */
2848	Assert(offJmpBack >= 12);
2849	g_abLdrLoadDllPatch[0] = 0x48; /* mov rax, qword */
2850	g_abLdrLoadDllPatch[1] = 0xb8;
2851	(uint64_t )&g_abLdrLoadDllPatch[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll;
2852	g_abLdrLoadDllPatch[10] = 0xff; /* jmp rax */
2853	g_abLdrLoadDllPatch[11] = 0xe0;
2854
2855	#else
2856	/*
2857	* Patch 32-bit hosts.
2858	*/
2859	/* Just use the disassembler to skip 5 bytes or more. */
2860	while (offJmpBack < 5)
2861	{
2862	cbInstr = 1;
2863	int rc = DISInstr(pbLdrLoadDll + offJmpBack, DISCPUMODE_32BIT, &Dis, &cbInstr);
2864	if ( RT_FAILURE(rc)
2865	\|\| (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW)) )
2866	supR3HardenedWinHookFailed("LdrLoadDll", pbLdrLoadDll);
2867	offJmpBack += cbInstr;
2868	}
2869
2870	/* Assemble the code for resuming the call.*/
2871	(PFNRT )&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
2872
2873	memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack);
2874	offExecPage += offJmpBack;
2875
2876	g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
2877	(uint32_t )&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack]
2878	- (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
2879	offExecPage = RT_ALIGN_32(offExecPage + 4, 16);
2880
2881	/* Assemble the LdrLoadDll patch. */
2882	memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
2883	Assert(offJmpBack >= 5);
2884	g_abLdrLoadDllPatch[0] = 0xe9;
2885	(uint32_t )&g_abLdrLoadDllPatch[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll - (uintptr_t)&pbLdrLoadDll[1+4];
2886	#endif
2887
2888	/*
2889	* Seal the rwx page.
2890	*/
2891	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(g_abSupHardReadWriteExecPage, PAGE_SIZE, PAGE_EXECUTE_READ));
2892
2893	/*
2894	* Install the patches.
2895	*/
2896	supR3HardenedWinReInstallHooks(true /fFirstCall/);
2897	}
2898
2899
2900
2901
2902
2903
2904	/*
2905	*
2906	* T h r e a d c r e a t i o n c o n t r o l
2907	* T h r e a d c r e a t i o n c o n t r o l
2908	* T h r e a d c r e a t i o n c o n t r o l
2909	*
2910	*/
2911
2912
2913	/**
2914	* Common code used for child and parent to make new threads exit immediately.
2915	*
2916	* This patches the LdrInitializeThunk code to call NtTerminateThread with
2917	* STATUS_SUCCESS instead of doing the NTDLL initialization.
2918	*
2919	* @returns VBox status code.
2920	* @param hProcess The process to do this to.
2921	* @param pvLdrInitThunk The address of the LdrInitializeThunk code to
2922	* override.
2923	* @param pvNtTerminateThread The address of the NtTerminateThread function in
2924	* the NTDLL instance we're patching. (Must be +/-
2925	* 2GB from the thunk code.)
2926	* @param pabBackup Where to back up the original instruction bytes
2927	* at pvLdrInitThunk.
2928	* @param cbBackup The size of the backup area. Must be 16 bytes.
2929	* @param pErrInfo Where to return extended error information.
2930	* Optional.
2931	*/
2932	static int supR3HardNtDisableThreadCreationEx(HANDLE hProcess, void pvLdrInitThunk, void pvNtTerminateThread,
2933	uint8_t *pabBackup, size_t cbBackup, PRTERRINFO pErrInfo)
2934	{
2935	SUP_DPRINTF(("supR3HardNtDisableThreadCreation: pvLdrInitThunk=%p pvNtTerminateThread=%p\n", pvLdrInitThunk, pvNtTerminateThread));
2936	SUPR3HARDENED_ASSERT(cbBackup == 16);
2937	SUPR3HARDENED_ASSERT(RT_ABS((intptr_t)pvLdrInitThunk - (intptr_t)pvNtTerminateThread) < 16*_1M);
2938
2939	/*
2940	* Back up the thunk code.
2941	*/
2942	SIZE_T cbIgnored;
2943	NTSTATUS rcNt = NtReadVirtualMemory(hProcess, pvLdrInitThunk, pabBackup, cbBackup, &cbIgnored);
2944	if (!NT_SUCCESS(rcNt))
2945	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2946	"supR3HardNtDisableThreadCreation: NtReadVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
2947
2948	/*
2949	* Cook up replacement code that calls NtTerminateThread.
2950	*/
2951	uint8_t abReplacement[16];
2952	memcpy(abReplacement, pabBackup, sizeof(abReplacement));
2953
2954	#ifdef RT_ARCH_AMD64
2955	abReplacement[0] = 0x31; /* xor ecx, ecx */
2956	abReplacement[1] = 0xc9;
2957	abReplacement[2] = 0x31; /* xor edx, edx */
2958	abReplacement[3] = 0xd2;
2959	abReplacement[4] = 0xe8; /* call near NtTerminateThread */
2960	(int32_t )&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9));
2961	abReplacement[9] = 0xcc; /* int3 */
2962	#elif defined(RT_ARCH_X86)
2963	abReplacement[0] = 0x6a; /* push 0 */
2964	abReplacement[1] = 0x00;
2965	abReplacement[2] = 0x6a; /* push 0 */
2966	abReplacement[3] = 0x00;
2967	abReplacement[4] = 0xe8; /* call near NtTerminateThread */
2968	(int32_t )&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9));
2969	abReplacement[9] = 0xcc; /* int3 */
2970	#else
2971	# error "Unsupported arch."
2972	#endif
2973
2974	/*
2975	* Install the replacment code.
2976	*/
2977	PVOID pvProt = pvLdrInitThunk;
2978	SIZE_T cbProt = cbBackup;
2979	ULONG fOldProt = 0;
2980	rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
2981	if (!NT_SUCCESS(rcNt))
2982	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2983	"supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
2984
2985	rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, abReplacement, sizeof(abReplacement), &cbIgnored);
2986	if (!NT_SUCCESS(rcNt))
2987	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2988	"supR3HardNtDisableThreadCreationEx: NtWriteVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
2989
2990	pvProt = pvLdrInitThunk;
2991	cbProt = cbBackup;
2992	rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
2993	if (!NT_SUCCESS(rcNt))
2994	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2995	"supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk/2 failed: %#x", rcNt);
2996
2997	return VINF_SUCCESS;
2998	}
2999
3000
3001	/**
3002	* Undo the effects of supR3HardNtDisableThreadCreationEx.
3003	*
3004	* @returns VBox status code.
3005	* @param hProcess The process to do this to.
3006	* @param pvLdrInitThunk The address of the LdrInitializeThunk code to
3007	* override.
3008	* @param pabBackup Where to back up the original instruction bytes
3009	* at pvLdrInitThunk.
3010	* @param cbBackup The size of the backup area. Must be 16 bytes.
3011	* @param pErrInfo Where to return extended error information.
3012	* Optional.
3013	*/
3014	static int supR3HardNtEnableThreadCreationEx(HANDLE hProcess, void pvLdrInitThunk, uint8_t const pabBackup, size_t cbBackup,
3015	PRTERRINFO pErrInfo)
3016	{
3017	SUP_DPRINTF(("supR3HardNtEnableThreadCreation:\n"));
3018	SUPR3HARDENED_ASSERT(cbBackup == 16);
3019
3020	PVOID pvProt = pvLdrInitThunk;
3021	SIZE_T cbProt = cbBackup;
3022	ULONG fOldProt = 0;
3023	NTSTATUS rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
3024	if (!NT_SUCCESS(rcNt))
3025	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
3026	"supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
3027
3028	SIZE_T cbIgnored;
3029	rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, pabBackup, cbBackup, &cbIgnored);
3030	if (!NT_SUCCESS(rcNt))
3031	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
3032	"supR3HardNtEnableThreadCreation: NtWriteVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
3033	rcNt);
3034
3035	pvProt = pvLdrInitThunk;
3036	cbProt = cbBackup;
3037	rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
3038	if (!NT_SUCCESS(rcNt))
3039	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
3040	"supR3HardNtEnableThreadCreation: NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
3041	rcNt);
3042
3043	return VINF_SUCCESS;
3044	}
3045
3046
3047	/**
3048	* Disable thread creation for the current process.
3049	*
3050	* @remarks Doesn't really disables it, just makes the threads exit immediately
3051	* without executing any real code.
3052	*/
3053	static void supR3HardenedWinDisableThreadCreation(void)
3054	{
3055	/* Cannot use the imported NtTerminateThread as it's pointing to our own
3056	syscall assembly code. */
3057	static PFNRT s_pfnNtTerminateThread = NULL;
3058	if (s_pfnNtTerminateThread == NULL)
3059	s_pfnNtTerminateThread = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtTerminateThread");
3060	SUPR3HARDENED_ASSERT(s_pfnNtTerminateThread);
3061
3062	int rc = supR3HardNtDisableThreadCreationEx(NtCurrentProcess(),
3063	(void *)(uintptr_t)&LdrInitializeThunk,
3064	(void *)(uintptr_t)s_pfnNtTerminateThread,
3065	g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
3066	NULL /* pErrInfo*/);
3067	g_fSupInitThunkSelfPatched = RT_SUCCESS(rc);
3068	}
3069
3070
3071	/**
3072	* Undoes the effects of supR3HardenedWinDisableThreadCreation.
3073	*/
3074	DECLHIDDEN(void) supR3HardenedWinEnableThreadCreation(void)
3075	{
3076	if (g_fSupInitThunkSelfPatched)
3077	{
3078	int rc = supR3HardNtEnableThreadCreationEx(NtCurrentProcess(),
3079	(void *)(uintptr_t)&LdrInitializeThunk,
3080	g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
3081	RTErrInfoInitStatic(&g_ErrInfoStatic));
3082	if (RT_FAILURE(rc))
3083	supR3HardenedError(rc, true /fFatal/, "%s", g_ErrInfoStatic.szMsg);
3084	g_fSupInitThunkSelfPatched = false;
3085	}
3086	}
3087
3088
3089
3090
3091	/*
3092	*
3093	* R e s p a w n
3094	* R e s p a w n
3095	* R e s p a w n
3096	*
3097	*/
3098
3099
3100	/**
3101	* Gets the SID of the user associated with the process.
3102	*
3103	* @returns @c true if we've got a login SID, @c false if not.
3104	* @param pSidUser Where to return the user SID.
3105	* @param cbSidUser The size of the user SID buffer.
3106	* @param pSidLogin Where to return the login SID.
3107	* @param cbSidLogin The size of the login SID buffer.
3108	*/
3109	static bool supR3HardNtChildGetUserAndLogSids(PSID pSidUser, ULONG cbSidUser, PSID pSidLogin, ULONG cbSidLogin)
3110	{
3111	HANDLE hToken;
3112	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken));
3113	union
3114	{
3115	TOKEN_USER UserInfo;
3116	TOKEN_GROUPS Groups;
3117	uint8_t abPadding[4096];
3118	} uBuf;
3119	ULONG cbRet = 0;
3120	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtQueryInformationToken(hToken, TokenUser, &uBuf, sizeof(uBuf), &cbRet));
3121	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCopySid(cbSidUser, pSidUser, uBuf.UserInfo.User.Sid));
3122
3123	bool fLoginSid = false;
3124	NTSTATUS rcNt = NtQueryInformationToken(hToken, TokenLogonSid, &uBuf, sizeof(uBuf), &cbRet);
3125	if (NT_SUCCESS(rcNt))
3126	{
3127	for (DWORD i = 0; i < uBuf.Groups.GroupCount; i++)
3128	if ((uBuf.Groups.Groups[i].Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)
3129	{
3130	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCopySid(cbSidLogin, pSidLogin, uBuf.Groups.Groups[i].Sid));
3131	fLoginSid = true;
3132	break;
3133	}
3134	}
3135
3136	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtClose(hToken));
3137
3138	return fLoginSid;
3139	}
3140
3141
3142	/**
3143	* Build security attributes for the process or the primary thread (@a fProcess)
3144	*
3145	* Process DACLs can be bypassed using the SeDebugPrivilege (generally available
3146	* to admins, i.e. normal windows users), or by taking ownership and/or
3147	* modifying the DACL. However, it restricts
3148	*
3149	* @param pSecAttrs Where to return the security attributes.
3150	* @param pCleanup Cleanup record.
3151	* @param fProcess Set if it's for the process, clear if it's for
3152	* the primary thread.
3153	*/
3154	static void supR3HardNtChildInitSecAttrs(PSECURITY_ATTRIBUTES pSecAttrs, PMYSECURITYCLEANUP pCleanup, bool fProcess)
3155	{
3156	/*
3157	* Safe return values.
3158	*/
3159	suplibHardenedMemSet(pCleanup, 0, sizeof(*pCleanup));
3160
3161	pSecAttrs->nLength = sizeof(*pSecAttrs);
3162	pSecAttrs->bInheritHandle = FALSE;
3163	pSecAttrs->lpSecurityDescriptor = NULL;
3164
3165	/** @todo This isn't at all complete, just sketches... */
3166
3167	/*
3168	* Create an ACL detailing the access of the above groups.
3169	*/
3170	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateAcl(&pCleanup->Acl.AclHdr, sizeof(pCleanup->Acl), ACL_REVISION));
3171
3172	ULONG fDeny = DELETE \| WRITE_DAC \| WRITE_OWNER;
3173	ULONG fAllow = SYNCHRONIZE \| READ_CONTROL;
3174	ULONG fAllowLogin = SYNCHRONIZE \| READ_CONTROL;
3175	if (fProcess)
3176	{
3177	fDeny \|= PROCESS_CREATE_THREAD \| PROCESS_SET_SESSIONID \| PROCESS_VM_OPERATION \| PROCESS_VM_WRITE
3178	\| PROCESS_CREATE_PROCESS \| PROCESS_DUP_HANDLE \| PROCESS_SET_QUOTA
3179	\| PROCESS_SET_INFORMATION \| PROCESS_SUSPEND_RESUME;
3180	fAllow \|= PROCESS_TERMINATE \| PROCESS_VM_READ \| PROCESS_QUERY_INFORMATION;
3181	fAllowLogin \|= PROCESS_TERMINATE \| PROCESS_VM_READ \| PROCESS_QUERY_INFORMATION;
3182	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
3183	{
3184	fAllow \|= PROCESS_QUERY_LIMITED_INFORMATION;
3185	fAllowLogin \|= PROCESS_QUERY_LIMITED_INFORMATION;
3186	}
3187	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3)) /* Introduced in Windows 8.1. */
3188	fAllow \|= PROCESS_SET_LIMITED_INFORMATION;
3189	}
3190	else
3191	{
3192	fDeny \|= THREAD_SUSPEND_RESUME \| THREAD_SET_CONTEXT \| THREAD_SET_INFORMATION \| THREAD_SET_THREAD_TOKEN
3193	\| THREAD_IMPERSONATE \| THREAD_DIRECT_IMPERSONATION;
3194	fAllow \|= THREAD_GET_CONTEXT \| THREAD_QUERY_INFORMATION;
3195	fAllowLogin \|= THREAD_GET_CONTEXT \| THREAD_QUERY_INFORMATION;
3196	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
3197	{
3198	fAllow \|= THREAD_QUERY_LIMITED_INFORMATION \| THREAD_SET_LIMITED_INFORMATION;
3199	fAllowLogin \|= THREAD_QUERY_LIMITED_INFORMATION;
3200	}
3201
3202	}
3203	fDeny \|= ~fAllow & (SPECIFIC_RIGHTS_ALL \| STANDARD_RIGHTS_ALL);
3204
3205	/* Deny everyone access to bad bits. */
3206	#if 1
3207	SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
3208	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlInitializeSid(&pCleanup->Everyone.Sid, &SIDAuthWorld, 1));
3209	*RtlSubAuthoritySid(&pCleanup->Everyone.Sid, 0) = SECURITY_WORLD_RID;
3210	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3211	fDeny, &pCleanup->Everyone.Sid));
3212	#endif
3213
3214	#if 0
3215	/* Grant some access to the owner - doesn't work. */
3216	SID_IDENTIFIER_AUTHORITY SIDAuthCreator = SECURITY_CREATOR_SID_AUTHORITY;
3217	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlInitializeSid(&pCleanup->Owner.Sid, &SIDAuthCreator, 1));
3218	*RtlSubAuthoritySid(&pCleanup->Owner.Sid, 0) = SECURITY_CREATOR_OWNER_RID;
3219
3220	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3221	fDeny, &pCleanup->Owner.Sid));
3222	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3223	fAllow, &pCleanup->Owner.Sid));
3224	#endif
3225
3226	#if 1
3227	bool fHasLoginSid = supR3HardNtChildGetUserAndLogSids(&pCleanup->User.Sid, sizeof(pCleanup->User),
3228	&pCleanup->Login.Sid, sizeof(pCleanup->Login));
3229
3230	# if 1
3231	/* Grant minimal access to the user. */
3232	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3233	fDeny, &pCleanup->User.Sid));
3234	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3235	fAllow, &pCleanup->User.Sid));
3236	# endif
3237
3238	# if 1
3239	/* Grant very limited access to the login sid. */
3240	if (fHasLoginSid)
3241	{
3242	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3243	fAllowLogin, &pCleanup->Login.Sid));
3244	}
3245	# endif
3246
3247	#endif
3248
3249	/*
3250	* Create a security descriptor with the above ACL.
3251	*/
3252	PSECURITY_DESCRIPTOR pSecDesc = (PSECURITY_DESCRIPTOR)RTMemAllocZ(SECURITY_DESCRIPTOR_MIN_LENGTH);
3253	pCleanup->pSecDesc = pSecDesc;
3254
3255	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION));
3256	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlSetDaclSecurityDescriptor(pSecDesc, TRUE /fDaclPresent/, &pCleanup->Acl.AclHdr,
3257	FALSE /fDaclDefaulted/));
3258	pSecAttrs->lpSecurityDescriptor = pSecDesc;
3259	}
3260
3261
3262	/**
3263	* Predicate function which tests whether @a ch is a argument separator
3264	* character.
3265	*
3266	* @returns True/false.
3267	* @param ch The character to examine.
3268	*/
3269	DECLINLINE(bool) suplibCommandLineIsArgSeparator(int ch)
3270	{
3271	return ch == ' '
3272	\|\| ch == '\t'
3273	\|\| ch == '\n'
3274	\|\| ch == '\r';
3275	}
3276
3277
3278	/**
3279	* Construct the new command line.
3280	*
3281	* Since argc/argv are both derived from GetCommandLineW (see
3282	* suplibHardenedWindowsMain), we skip the argument by argument UTF-8 -> UTF-16
3283	* conversion and quoting by going to the original source.
3284	*
3285	* The executable name, though, is replaced in case it's not a fullly
3286	* qualified path.
3287	*
3288	* The re-spawn indicator is added immediately after the executable name
3289	* so that we don't get tripped up missing close quote chars in the last
3290	* argument.
3291	*
3292	* @returns Pointer to a command line string (heap).
3293	* @param pString Unicode string structure to initialize to the
3294	* command line. Optional.
3295	* @param iWhich Which respawn we're to check for, 1 being the first
3296	* one, and 2 the second and final.
3297	*/
3298	static PRTUTF16 supR3HardNtChildConstructCmdLine(PUNICODE_STRING pString, int iWhich)
3299	{
3300	SUPR3HARDENED_ASSERT(iWhich == 1 \|\| iWhich == 2);
3301
3302	/*
3303	* Get the command line and skip the executable name.
3304	*/
3305	PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
3306	PCRTUTF16 pawcArgs = pCmdLineStr->Buffer;
3307	uint32_t cwcArgs = pCmdLineStr->Length / sizeof(WCHAR);
3308
3309	/* Skip leading space (shouldn't be any, but whatever). */
3310	while (cwcArgs > 0 && suplibCommandLineIsArgSeparator(*pawcArgs) )
3311	cwcArgs--, pawcArgs++;
3312	SUPR3HARDENED_ASSERT(cwcArgs > 0 && *pawcArgs != '\0');
3313
3314	/* Walk to the end of it. */
3315	int fQuoted = false;
3316	do
3317	{
3318	if (*pawcArgs == '"')
3319	{
3320	fQuoted = !fQuoted;
3321	cwcArgs--; pawcArgs++;
3322	}
3323	else if (*pawcArgs != '\\' \|\| (pawcArgs[1] != '\\' && pawcArgs[1] != '"'))
3324	cwcArgs--, pawcArgs++;
3325	else
3326	{
3327	unsigned cSlashes = 0;
3328	do
3329	{
3330	cSlashes++;
3331	cwcArgs--;
3332	pawcArgs++;
3333	}
3334	while (cwcArgs > 0 && *pawcArgs == '\\');
3335	if (cwcArgs > 0 && *pawcArgs == '"' && (cSlashes & 1))
3336	cwcArgs--, pawcArgs++; /* odd number of slashes == escaped quote */
3337	}
3338	} while (cwcArgs > 0 && (fQuoted \|\| !suplibCommandLineIsArgSeparator(*pawcArgs)));
3339
3340	/* Skip trailing spaces. */
3341	while (cwcArgs > 0 && suplibCommandLineIsArgSeparator(*pawcArgs))
3342	cwcArgs--, pawcArgs++;
3343
3344	/*
3345	* Allocate a new buffer.
3346	*/
3347	AssertCompile(sizeof(SUPR3_RESPAWN_1_ARG0) == sizeof(SUPR3_RESPAWN_2_ARG0));
3348	size_t cwcCmdLine = (sizeof(SUPR3_RESPAWN_1_ARG0) - 1) / sizeof(SUPR3_RESPAWN_1_ARG0[0]) /* Respawn exe name. */
3349	+ !!cwcArgs + cwcArgs; /* if arguments present, add space + arguments. */
3350	if (cwcCmdLine * sizeof(WCHAR) >= 0xfff0)
3351	supR3HardenedFatalMsg("supR3HardNtChildConstructCmdLine", kSupInitOp_Misc, VERR_OUT_OF_RANGE,
3352	"Command line is too long (%u chars)!", cwcCmdLine);
3353
3354	PRTUTF16 pwszCmdLine = (PRTUTF16)RTMemAlloc((cwcCmdLine + 1) * sizeof(RTUTF16));
3355	SUPR3HARDENED_ASSERT(pwszCmdLine != NULL);
3356
3357	/*
3358	* Construct the new command line.
3359	*/
3360	PRTUTF16 pwszDst = pwszCmdLine;
3361	for (const char pszSrc = iWhich == 1 ? SUPR3_RESPAWN_1_ARG0 : SUPR3_RESPAWN_2_ARG0; pszSrc; pszSrc++)
3362	pwszDst++ = pszSrc;
3363
3364	if (cwcArgs)
3365	{
3366	*pwszDst++ = ' ';
3367	suplibHardenedMemCopy(pwszDst, pawcArgs, cwcArgs * sizeof(RTUTF16));
3368	pwszDst += cwcArgs;
3369	}
3370
3371	*pwszDst = '\0';
3372	SUPR3HARDENED_ASSERT((uintptr_t)(pwszDst - pwszCmdLine) == cwcCmdLine);
3373
3374	if (pString)
3375	{
3376	pString->Buffer = pwszCmdLine;
3377	pString->Length = (USHORT)(cwcCmdLine * sizeof(WCHAR));
3378	pString->MaximumLength = pString->Length + sizeof(WCHAR);
3379	}
3380	return pwszCmdLine;
3381	}
3382
3383
3384	/**
3385	* Terminates the child process.
3386	*
3387	* @param hProcess The process handle.
3388	* @param pszWhere Who's having child rasing troubles.
3389	* @param rc The status code to report.
3390	* @param pszFormat The message format string.
3391	* @param ... Message format arguments.
3392	*/
3393	static void supR3HardenedWinKillChild(HANDLE hProcess, const char pszWhere, int rc, const char pszFormat, ...)
3394	{
3395	/*
3396	* Terminate the process ASAP and display error.
3397	*/
3398	NtTerminateProcess(hProcess, RTEXITCODE_FAILURE);
3399
3400	va_list va;
3401	va_start(va, pszFormat);
3402	supR3HardenedErrorV(rc, false /fFatal/, pszFormat, va);
3403	va_end(va);
3404
3405	/*
3406	* Wait for the process to really go away.
3407	*/
3408	PROCESS_BASIC_INFORMATION BasicInfo;
3409	NTSTATUS rcNtExit = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
3410	bool fExitOk = NT_SUCCESS(rcNtExit) && BasicInfo.ExitStatus != STATUS_PENDING;
3411	if (!fExitOk)
3412	{
3413	NTSTATUS rcNtWait;
3414	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
3415	do
3416	{
3417	NtTerminateProcess(hProcess, DBG_TERMINATE_PROCESS);
3418
3419	LARGE_INTEGER Timeout;
3420	Timeout.QuadPart = -20000000; /* 2 second */
3421	rcNtWait = NtWaitForSingleObject(hProcess, TRUE /Alertable/, &Timeout);
3422
3423	rcNtExit = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
3424	fExitOk = NT_SUCCESS(rcNtExit) && BasicInfo.ExitStatus != STATUS_PENDING;
3425	} while ( !fExitOk
3426	&& ( rcNtWait == STATUS_TIMEOUT
3427	\|\| rcNtWait == STATUS_USER_APC
3428	\|\| rcNtWait == STATUS_ALERTED)
3429	&& supR3HardenedWinGetMilliTS() - uMsTsStart < 60 * 1000);
3430	if (fExitOk)
3431	supR3HardenedError(rc, false /fFatal/,
3432	"NtDuplicateObject failed and we failed to kill child: rc=%u (%#x) rcNtWait=%#x hProcess=%p\n",
3433	rc, rc, rcNtWait, hProcess);
3434	}
3435
3436	/*
3437	* Final error message.
3438	*/
3439	va_start(va, pszFormat);
3440	supR3HardenedFatalMsgV(pszWhere, kSupInitOp_Misc, rc, pszFormat, va);
3441	/* not reached */
3442	}
3443
3444
3445	/**
3446	* Checks the child process when hEvtParent is signalled.
3447	*
3448	* This will read the request data from the child and check it against expected
3449	* request. If an error is signalled, we'll raise it and make sure the child
3450	* terminates before terminating the calling process.
3451	*
3452	* @param pThis The child process data structure.
3453	* @param enmExpectedRequest The expected child request.
3454	* @param pszWhat What we're waiting for.
3455	*/
3456	static void supR3HardNtChildProcessRequest(PSUPR3HARDNTCHILD pThis, SUPR3WINCHILDREQ enmExpectedRequest, const char *pszWhat)
3457	{
3458	/*
3459	* Read the process parameters from the child.
3460	*/
3461	uintptr_t uChildAddr = (uintptr_t)pThis->Peb.ImageBaseAddress
3462	+ ((uintptr_t)&g_ProcParams - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
3463	SIZE_T cbIgnored = 0;
3464	RT_ZERO(pThis->ProcParams);
3465	NTSTATUS rcNt = NtReadVirtualMemory(pThis->hProcess, (PVOID)uChildAddr,
3466	&pThis->ProcParams, sizeof(pThis->ProcParams), &cbIgnored);
3467	if (!NT_SUCCESS(rcNt))
3468	supR3HardenedWinKillChild(pThis, "supR3HardNtChildProcessRequest", rcNt,
3469	"NtReadVirtualMemory(,%p,) failed reading child process status: %#x\n", uChildAddr, rcNt);
3470
3471	/*
3472	* Is it the expected request?
3473	*/
3474	if (pThis->ProcParams.enmRequest == enmExpectedRequest)
3475	return;
3476
3477	/*
3478	* No, not the expected request. If it's an error request, tell the child
3479	* to terminate itself, otherwise we'll have to terminate it.
3480	*/
3481	pThis->ProcParams.szErrorMsg[sizeof(pThis->ProcParams.szErrorMsg) - 1] = '\0';
3482	pThis->ProcParams.szWhere[sizeof(pThis->ProcParams.szWhere) - 1] = '\0';
3483	SUP_DPRINTF(("supR3HardenedWinCheckChild: enmRequest=%d rc=%d enmWhat=%d %s: %s\n",
3484	pThis->ProcParams.enmRequest, pThis->ProcParams.rc, pThis->ProcParams.enmWhat,
3485	pThis->ProcParams.szWhere, pThis->ProcParams.szErrorMsg));
3486
3487	if (pThis->ProcParams.enmRequest != kSupR3WinChildReq_Error)
3488	supR3HardenedWinKillChild(pThis, "supR3HardenedWinCheckChild", VERR_INVALID_PARAMETER,
3489	"Unexpected child request #%d. Was expecting #%d (%s).\n",
3490	pThis->ProcParams.enmRequest, enmExpectedRequest, pszWhat);
3491
3492	rcNt = NtSetEvent(pThis->hEvtChild, NULL);
3493	if (!NT_SUCCESS(rcNt))
3494	supR3HardenedWinKillChild(pThis, "supR3HardNtChildProcessRequest", rcNt, "NtSetEvent failed: %#x\n", rcNt);
3495
3496	/* Wait for it to terminate. */
3497	LARGE_INTEGER Timeout;
3498	Timeout.QuadPart = -50000000; /* 5 seconds */
3499	rcNt = NtWaitForSingleObject(pThis->hProcess, FALSE /Alertable/, &Timeout);
3500	if (rcNt != STATUS_WAIT_0)
3501	{
3502	SUP_DPRINTF(("supR3HardNtChildProcessRequest: Child is taking too long to quit (rcWait=%#x), killing it...\n", rcNt));
3503	NtTerminateProcess(pThis->hProcess, DBG_TERMINATE_PROCESS);
3504	}
3505
3506	/*
3507	* Report the error in the same way as it occured in the guest.
3508	*/
3509	if (pThis->ProcParams.enmWhat == kSupInitOp_Invalid)
3510	supR3HardenedFatalMsg("supR3HardenedWinCheckChild", kSupInitOp_Misc, pThis->ProcParams.rc,
3511	"%s", pThis->ProcParams.szErrorMsg);
3512	else
3513	supR3HardenedFatalMsg(pThis->ProcParams.szWhere, pThis->ProcParams.enmWhat, pThis->ProcParams.rc,
3514	"%s", pThis->ProcParams.szErrorMsg);
3515	}
3516
3517
3518	/**
3519	* Waits for the child to make a certain request or terminate.
3520	*
3521	* The stub process will also wait on it's parent to terminate.
3522	* This call will only return if the child made the expected request.
3523	*
3524	* @param pThis The child process data structure.
3525	* @param enmExpectedRequest The child request to wait for.
3526	* @param cMsTimeout The number of milliseconds to wait (at least).
3527	* @param pszWhat What we're waiting for.
3528	*/
3529	static void supR3HardNtChildWaitFor(PSUPR3HARDNTCHILD pThis, SUPR3WINCHILDREQ enmExpectedRequest, RTMSINTERVAL cMsTimeout,
3530	const char *pszWhat)
3531	{
3532	/*
3533	* The wait loop.
3534	* Will return when the expected request arrives.
3535	* Will break out when one of the processes terminates.
3536	*/
3537	NTSTATUS rcNtWait;
3538	LARGE_INTEGER Timeout;
3539	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
3540	uint64_t cMsElapsed = 0;
3541	for (;;)
3542	{
3543	/*
3544	* Assemble handles to wait for.
3545	*/
3546	ULONG cHandles = 1;
3547	HANDLE ahHandles[3];
3548	ahHandles[0] = pThis->hProcess;
3549	if (pThis->hEvtParent)
3550	ahHandles[cHandles++] = pThis->hEvtParent;
3551	if (pThis->hParent)
3552	ahHandles[cHandles++] = pThis->hParent;
3553
3554	/*
3555	* Do the waiting according to the callers wishes.
3556	*/
3557	if ( enmExpectedRequest == kSupR3WinChildReq_End
3558	\|\| cMsTimeout == RT_INDEFINITE_WAIT)
3559	rcNtWait = NtWaitForMultipleObjects(cHandles, &ahHandles[0], WaitAnyObject, TRUE /Alertable/, NULL /Timeout/);
3560	else
3561	{
3562	Timeout.QuadPart = -(int64_t)(cMsTimeout - cMsElapsed) * 10000;
3563	rcNtWait = NtWaitForMultipleObjects(cHandles, &ahHandles[0], WaitAnyObject, TRUE /Alertable/, &Timeout);
3564	}
3565
3566	/*
3567	* Process child request.
3568	*/
3569	if (rcNtWait == STATUS_WAIT_0 + 1 && pThis->hEvtParent != NULL)
3570	{
3571	supR3HardNtChildProcessRequest(pThis, enmExpectedRequest, pszWhat);
3572	SUP_DPRINTF(("supR3HardNtChildWaitFor: Found expected request %d (%s) after %llu ms.\n",
3573	enmExpectedRequest, pszWhat, supR3HardenedWinGetMilliTS() - uMsTsStart));
3574	return; /* Expected request received. */
3575	}
3576
3577	/*
3578	* Process termination?
3579	*/
3580	if ( (ULONG)rcNtWait - (ULONG)STATUS_WAIT_0 < cHandles
3581	\|\| (ULONG)rcNtWait - (ULONG)STATUS_ABANDONED_WAIT_0 < cHandles)
3582	break;
3583
3584	/*
3585	* Check sanity.
3586	*/
3587	if ( rcNtWait != STATUS_TIMEOUT
3588	&& rcNtWait != STATUS_USER_APC
3589	&& rcNtWait != STATUS_ALERTED)
3590	supR3HardenedWinKillChild(pThis, "supR3HardNtChildWaitFor", rcNtWait,
3591	"NtWaitForMultipleObjects returned %#x waiting for #%d (%s)\n",
3592	rcNtWait, enmExpectedRequest, pszWhat);
3593
3594	/*
3595	* Calc elapsed time for the next timeout calculation, checking to see
3596	* if we've timed out already.
3597	*/
3598	cMsElapsed = supR3HardenedWinGetMilliTS() - uMsTsStart;
3599	if ( cMsElapsed > cMsTimeout
3600	&& cMsTimeout != RT_INDEFINITE_WAIT
3601	&& enmExpectedRequest != kSupR3WinChildReq_End)
3602	{
3603	if (rcNtWait == STATUS_USER_APC \|\| rcNtWait == STATUS_ALERTED)
3604	cMsElapsed = cMsTimeout - 1; /* try again */
3605	else
3606	{
3607	/* We timed out. */
3608	supR3HardenedWinKillChild(pThis, "supR3HardNtChildWaitFor", rcNtWait,
3609	"Timed out after %llu ms waiting for child request #%d (%s).\n",
3610	cMsElapsed, enmExpectedRequest, pszWhat);
3611	}
3612	}
3613	}
3614
3615	/*
3616	* Proxy the termination code of the child, if it exited already.
3617	*/
3618	PROCESS_BASIC_INFORMATION BasicInfo;
3619	NTSTATUS rcNt1 = NtQueryInformationProcess(pThis->hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
3620	NTSTATUS rcNt2 = STATUS_PENDING;
3621	NTSTATUS rcNt3 = STATUS_PENDING;
3622	if ( !NT_SUCCESS(rcNt1)
3623	\|\| BasicInfo.ExitStatus == STATUS_PENDING)
3624	{
3625	rcNt2 = NtTerminateProcess(pThis->hProcess, RTEXITCODE_FAILURE);
3626	Timeout.QuadPart = NT_SUCCESS(rcNt2) ? -20000000 /* 2 sec / : -1280000 / 128 ms */;
3627	rcNt3 = NtWaitForSingleObject(pThis->hProcess, FALSE /Alertable/, NULL /Timeout/);
3628	BasicInfo.ExitStatus = RTEXITCODE_FAILURE;
3629	}
3630
3631	SUP_DPRINTF(("supR3HardNtChildWaitFor[%d]: Quitting: ExitCode=%#x (rcNtWait=%#x, rcNt1=%#x, rcNt2=%#x, rcNt3=%#x, %llu ms, %s);\n",
3632	pThis->iWhich, BasicInfo.ExitStatus, rcNtWait, rcNt1, rcNt2, rcNt3,
3633	supR3HardenedWinGetMilliTS() - uMsTsStart, pszWhat));
3634	suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
3635	}
3636
3637
3638	/**
3639	* Closes full access child thread and process handles, making a harmless
3640	* duplicate of the process handle first.
3641	*
3642	* The hProcess member of the child process data structure will be change to the
3643	* harmless handle, while the hThread will be set to NULL.
3644	*
3645	* @param pThis The child process data structure.
3646	*/
3647	static void supR3HardNtChildCloseFullAccessHandles(PSUPR3HARDNTCHILD pThis)
3648	{
3649	/*
3650	* The thread handle.
3651	*/
3652	NTSTATUS rcNt = NtClose(pThis->hThread);
3653	if (!NT_SUCCESS(rcNt))
3654	supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", rcNt, "NtClose(hThread) failed: %#x", rcNt);
3655	pThis->hThread = NULL;
3656
3657	/*
3658	* Duplicate the process handle into a harmless one.
3659	*/
3660	HANDLE hProcWait;
3661	ULONG fRights = SYNCHRONIZE \| PROCESS_TERMINATE \| PROCESS_VM_READ;
3662	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
3663	fRights \|= PROCESS_QUERY_LIMITED_INFORMATION;
3664	else
3665	fRights \|= PROCESS_QUERY_INFORMATION;
3666	rcNt = NtDuplicateObject(NtCurrentProcess(), pThis->hProcess,
3667	NtCurrentProcess(), &hProcWait,
3668	fRights, 0 /HandleAttributes/, 0);
3669	if (rcNt == STATUS_ACCESS_DENIED)
3670	{
3671	supR3HardenedError(rcNt, false /fFatal/,
3672	"supR3HardenedWinDoReSpawn: NtDuplicateObject(,,,,%#x,,) -> %#x, retrying with only %#x...\n",
3673	fRights, rcNt, SYNCHRONIZE);
3674	rcNt = NtDuplicateObject(NtCurrentProcess(), pThis->hProcess,
3675	NtCurrentProcess(), &hProcWait,
3676	SYNCHRONIZE, 0 /HandleAttributes/, 0);
3677	}
3678	if (!NT_SUCCESS(rcNt))
3679	supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", rcNt,
3680	"NtDuplicateObject failed on child process handle: %#x\n", rcNt);
3681	/*
3682	* Close the process handle and replace it with the harmless one.
3683	*/
3684	rcNt = NtClose(pThis->hProcess);
3685	pThis->hProcess = hProcWait;
3686	if (!NT_SUCCESS(rcNt))
3687	supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", VERR_INVALID_NAME,
3688	"NtClose failed on child process handle: %#x\n", rcNt);
3689	}
3690
3691
3692	/**
3693	* This restores the child PEB and tweaks a couple of fields before we do the
3694	* child purification and let the process run normally.
3695	*
3696	* @param pThis The child process data structure.
3697	*/
3698	static void supR3HardNtChildSanitizePeb(PSUPR3HARDNTCHILD pThis)
3699	{
3700	/*
3701	* Make a copy of the pre-execution PEB.
3702	*/
3703	PEB Peb = pThis->Peb;
3704
3705	#if 0
3706	/*
3707	* There should not be any activation context, so if there is, we scratch the memory associated with it.
3708	*/
3709	int rc = 0;
3710	if (RT_SUCCESS(rc) && Peb.pShimData && !((uintptr_t)Peb.pShimData & PAGE_OFFSET_MASK))
3711	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.pShimData, PAGE_SIZE, "pShimData", pErrInfo);
3712	if (RT_SUCCESS(rc) && Peb.ActivationContextData && !((uintptr_t)Peb.ActivationContextData & PAGE_OFFSET_MASK))
3713	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ActivationContextData, PAGE_SIZE, "ActivationContextData", pErrInfo);
3714	if (RT_SUCCESS(rc) && Peb.ProcessAssemblyStorageMap && !((uintptr_t)Peb.ProcessAssemblyStorageMap & PAGE_OFFSET_MASK))
3715	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ProcessAssemblyStorageMap, PAGE_SIZE, "ProcessAssemblyStorageMap", pErrInfo);
3716	if (RT_SUCCESS(rc) && Peb.SystemDefaultActivationContextData && !((uintptr_t)Peb.SystemDefaultActivationContextData & PAGE_OFFSET_MASK))
3717	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ProcessAssemblyStorageMap, PAGE_SIZE, "SystemDefaultActivationContextData", pErrInfo);
3718	if (RT_SUCCESS(rc) && Peb.SystemAssemblyStorageMap && !((uintptr_t)Peb.SystemAssemblyStorageMap & PAGE_OFFSET_MASK))
3719	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.SystemAssemblyStorageMap, PAGE_SIZE, "SystemAssemblyStorageMap", pErrInfo);
3720	if (RT_FAILURE(rc))
3721	return rc;
3722	#endif
3723
3724	/*
3725	* Clear compatibility and activation related fields.
3726	*/
3727	Peb.AppCompatFlags.QuadPart = 0;
3728	Peb.AppCompatFlagsUser.QuadPart = 0;
3729	Peb.pShimData = NULL;
3730	Peb.AppCompatInfo = NULL;
3731	#if 0
3732	Peb.ActivationContextData = NULL;
3733	Peb.ProcessAssemblyStorageMap = NULL;
3734	Peb.SystemDefaultActivationContextData = NULL;
3735	Peb.SystemAssemblyStorageMap = NULL;
3736	/Peb.Diff0.W6.IsProtectedProcess = 1;/
3737	#endif
3738
3739	/*
3740	* Write back the PEB.
3741	*/
3742	SIZE_T cbActualMem = pThis->cbPeb;
3743	NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &Peb, pThis->cbPeb, &cbActualMem);
3744	if (!NT_SUCCESS(rcNt))
3745	supR3HardenedWinKillChild(pThis, "supR3HardNtChildSanitizePeb", rcNt,
3746	"NtWriteVirtualMemory/Peb failed: %#x", rcNt);
3747
3748	}
3749
3750
3751	/**
3752	* Purifies the child process after very early init has been performed.
3753	*
3754	* @param pThis The child process data structure.
3755	*/
3756	static void supR3HardNtChildPurify(PSUPR3HARDNTCHILD pThis)
3757	{
3758	/*
3759	* We loop until we no longer make any fixes. This is similar to what
3760	* we do (or used to do, really) in the fAvastKludge case of
3761	* supR3HardenedWinInit. We might be up against asynchronous changes,
3762	* which we fudge by waiting a short while before earch purification. This
3763	* is arguably a fragile technique, but it's currently the best we've got.
3764	* Fortunately, most AVs seems to either favor immediate action on initial
3765	* load events or (much better for us) later events like kernel32.
3766	*/
3767	uint64_t uMsTsOuterStart = supR3HardenedWinGetMilliTS();
3768	uint32_t cMsFudge = g_fSupAdversaries ? 512 : 256;
3769	uint32_t cTotalFixes = 0;
3770	uint32_t cFixes = 0; /* (MSC wrongly thinks this maybe used uninitialized) */
3771	for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
3772	{
3773	/*
3774	* Delay.
3775	*/
3776	uint32_t cSleeps = 0;
3777	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
3778	do
3779	{
3780	NtYieldExecution();
3781	LARGE_INTEGER Time;
3782	Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
3783	NtDelayExecution(FALSE, &Time);
3784	cSleeps++;
3785	} while ( supR3HardenedWinGetMilliTS() - uMsTsStart <= cMsFudge
3786	\|\| cSleeps < 8);
3787	SUP_DPRINTF(("supR3HardNtChildPurify: Startup delay kludge #1/%u: %u ms, %u sleeps\n",
3788	iLoop, supR3HardenedWinGetMilliTS() - uMsTsStart, cSleeps));
3789
3790	/*
3791	* Purify.
3792	*/
3793	cFixes = 0;
3794	int rc = supHardenedWinVerifyProcess(pThis->hProcess, pThis->hThread, SUPHARDNTVPKIND_CHILD_PURIFICATION,
3795	g_fSupAdversaries & ( SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE
3796	\| SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)
3797	? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW : 0,
3798	&cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic));
3799	if (RT_FAILURE(rc))
3800	supR3HardenedWinKillChild(pThis, "supR3HardNtChildPurify", rc,
3801	"supHardenedWinVerifyProcess failed with %Rrc: %s", rc, g_ErrInfoStatic.szMsg);
3802	if (cFixes == 0)
3803	{
3804	SUP_DPRINTF(("supR3HardNtChildPurify: Done after %llu ms and %u fixes (loop #%u).\n",
3805	supR3HardenedWinGetMilliTS() - uMsTsOuterStart, cTotalFixes, iLoop));
3806	return; /* We're probably good. */
3807	}
3808	cTotalFixes += cFixes;
3809
3810	if (!g_fSupAdversaries)
3811	g_fSupAdversaries \|= SUPHARDNT_ADVERSARY_UNKNOWN;
3812	cMsFudge = 512;
3813
3814	/*
3815	* Log the KiOpPrefetchPatchCount value if available, hoping it might
3816	* sched some light on spider38's case.
3817	*/
3818	ULONG cPatchCount = 0;
3819	NTSTATUS rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
3820	&cPatchCount, sizeof(cPatchCount), NULL);
3821	if (NT_SUCCESS(rcNt))
3822	SUP_DPRINTF(("supR3HardNtChildPurify: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
3823	cFixes, g_fSupAdversaries, cPatchCount));
3824	else
3825	SUP_DPRINTF(("supR3HardNtChildPurify: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
3826	}
3827
3828	/*
3829	* We've given up fixing the child process. Probably fighting someone
3830	* that monitors their patches or/and our activities.
3831	*/
3832	supR3HardenedWinKillChild(pThis, "supR3HardNtChildPurify", VERR_TRY_AGAIN,
3833	"Unable to purify child process! After 16 tries over %llu ms, we still %u fix(es) in the last pass.",
3834	supR3HardenedWinGetMilliTS() - uMsTsOuterStart, cFixes);
3835	}
3836
3837
3838
3839	/**
3840	* Sets up the early process init.
3841	*
3842	* @param pThis The child process data structure.
3843	*/
3844	static void supR3HardNtChildSetUpChildInit(PSUPR3HARDNTCHILD pThis)
3845	{
3846	uintptr_t const uChildExeAddr = (uintptr_t)pThis->Peb.ImageBaseAddress;
3847
3848	/*
3849	* Plant the process parameters. This ASSUMES the handle inheritance is
3850	* performed when creating the child process.
3851	*/
3852	RT_ZERO(pThis->ProcParams);
3853	pThis->ProcParams.hEvtChild = pThis->hEvtChild;
3854	pThis->ProcParams.hEvtParent = pThis->hEvtParent;
3855	pThis->ProcParams.uNtDllAddr = pThis->uNtDllAddr;
3856	pThis->ProcParams.enmRequest = kSupR3WinChildReq_Error;
3857	pThis->ProcParams.rc = VINF_SUCCESS;
3858
3859	uintptr_t uChildAddr = uChildExeAddr + ((uintptr_t)&g_ProcParams - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
3860	SIZE_T cbIgnored;
3861	NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, (PVOID)uChildAddr, &pThis->ProcParams,
3862	sizeof(pThis->ProcParams), &cbIgnored);
3863	if (!NT_SUCCESS(rcNt))
3864	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3865	"NtWriteVirtualMemory(,%p,) failed writing child process parameters: %#x\n", uChildAddr, rcNt);
3866
3867	/*
3868	* Locate the LdrInitializeThunk address in the child as well as pristine
3869	* code bits for it.
3870	*/
3871	PSUPHNTLDRCACHEENTRY pLdrEntry;
3872	int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry, NULL /pErrInfo/);
3873	if (RT_FAILURE(rc))
3874	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
3875	"supHardNtLdrCacheOpen failed on NTDLL: %Rrc\n", rc);
3876
3877	uint8_t *pbChildNtDllBits;
3878	rc = supHardNtLdrCacheEntryGetBits(pLdrEntry, &pbChildNtDllBits, pThis->uNtDllAddr, NULL, NULL, NULL /pErrInfo/);
3879	if (RT_FAILURE(rc))
3880	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
3881	"supHardNtLdrCacheEntryGetBits failed on NTDLL: %Rrc\n", rc);
3882
3883	RTLDRADDR uLdrInitThunk;
3884	rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbChildNtDllBits, pThis->uNtDllAddr, UINT32_MAX,
3885	"LdrInitializeThunk", &uLdrInitThunk);
3886	if (RT_FAILURE(rc))
3887	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
3888	"Error locating LdrInitializeThunk in NTDLL: %Rrc", rc);
3889	PVOID pvLdrInitThunk = (PVOID)(uintptr_t)uLdrInitThunk;
3890	SUP_DPRINTF(("supR3HardenedWinSetupChildInit: uLdrInitThunk=%p\n", (uintptr_t)uLdrInitThunk));
3891
3892	/*
3893	* Calculate the address of our code in the child process.
3894	*/
3895	uintptr_t uEarlyProcInitEP = uChildExeAddr + ( (uintptr_t)&supR3HardenedEarlyProcessInitThunk
3896	- (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
3897
3898	/*
3899	* Compose the LdrInitializeThunk replacement bytes.
3900	* Note! The amount of code we replace here must be less or equal to what
3901	* the process verification code ignores.
3902	*/
3903	uint8_t abNew[16];
3904	memcpy(abNew, pbChildNtDllBits + ((uintptr_t)uLdrInitThunk - pThis->uNtDllAddr), sizeof(abNew));
3905	#ifdef RT_ARCH_AMD64
3906	abNew[0] = 0xff;
3907	abNew[1] = 0x25;
3908	(uint32_t )&abNew[2] = 0;
3909	(uint64_t )&abNew[6] = uEarlyProcInitEP;
3910	#elif defined(RT_ARCH_X86)
3911	abNew[0] = 0xe9;
3912	(uint32_t )&abNew[1] = uEarlyProcInitEP - ((uint32_t)uLdrInitThunk + 5);
3913	#else
3914	# error "Unsupported arch."
3915	#endif
3916
3917	/*
3918	* Install the LdrInitializeThunk replacement code in the child process.
3919	*/
3920	PVOID pvProt = pvLdrInitThunk;
3921	SIZE_T cbProt = sizeof(abNew);
3922	ULONG fOldProt;
3923	rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
3924	if (!NT_SUCCESS(rcNt))
3925	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3926	"NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
3927
3928	rcNt = NtWriteVirtualMemory(pThis->hProcess, pvLdrInitThunk, abNew, sizeof(abNew), &cbIgnored);
3929	if (!NT_SUCCESS(rcNt))
3930	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3931	"NtWriteVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
3932
3933	pvProt = pvLdrInitThunk;
3934	cbProt = sizeof(abNew);
3935	rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
3936	if (!NT_SUCCESS(rcNt))
3937	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3938	"NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x", rcNt);
3939
3940	/* Caller starts child execution. */
3941	SUP_DPRINTF(("supR3HardenedWinSetupChildInit: Start child.\n"));
3942	}
3943
3944
3945
3946	/**
3947	* This messes with the child PEB before we trigger the initial image events.
3948	*
3949	* @param pThis The child process data structure.
3950	*/
3951	static void supR3HardNtChildScrewUpPebForInitialImageEvents(PSUPR3HARDNTCHILD pThis)
3952	{
3953	/*
3954	* Not sure if any of the cracker software uses the PEB at this point, but
3955	* just in case they do make some of the PEB fields a little less useful.
3956	*/
3957	PEB Peb = pThis->Peb;
3958
3959	/* Make ImageBaseAddress useless. */
3960	Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress ^ UINT32_C(0x5f139000));
3961	#ifdef RT_ARCH_AMD64
3962	Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress \| UINT64_C(0x0313000000000000));
3963	#endif
3964
3965	/*
3966	* Write the PEB.
3967	*/
3968	SIZE_T cbActualMem = pThis->cbPeb;
3969	NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &Peb, pThis->cbPeb, &cbActualMem);
3970	if (!NT_SUCCESS(rcNt))
3971	supR3HardenedWinKillChild(pThis, "supR3HardNtChildScrewUpPebForInitialImageEvents", rcNt,
3972	"NtWriteVirtualMemory/Peb failed: %#x", rcNt);
3973	}
3974
3975
3976	/**
3977	* Check if the zero terminated NT unicode string is the path to the given
3978	* system32 DLL.
3979	*
3980	* @returns true if it is, false if not.
3981	* @param pUniStr The zero terminated NT unicode string path.
3982	* @param pszName The name of the system32 DLL.
3983	*/
3984	static bool supR3HardNtIsNamedSystem32Dll(PUNICODE_STRING pUniStr, const char *pszName)
3985	{
3986	if (pUniStr->Length > g_System32NtPath.UniStr.Length)
3987	{
3988	if (memcmp(pUniStr->Buffer, g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length) == 0)
3989	{
3990	if (pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR)] == '\\')
3991	{
3992	if (RTUtf16ICmpAscii(&pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR) + 1], pszName) == 0)
3993	return true;
3994	}
3995	}
3996	}
3997
3998	return false;
3999	}
4000
4001
4002	/**
4003	* Worker for supR3HardNtChildGatherData that locates NTDLL in the child
4004	* process.
4005	*
4006	* @param pThis The child process data structure.
4007	*/
4008	static void supR3HardNtChildFindNtdll(PSUPR3HARDNTCHILD pThis)
4009	{
4010	/*
4011	* Find NTDLL in this process first and take that as a starting point.
4012	*/
4013	pThis->uNtDllParentAddr = (uintptr_t)GetModuleHandleW(L"ntdll.dll");
4014	SUPR3HARDENED_ASSERT(pThis->uNtDllParentAddr != 0 && !(pThis->uNtDllParentAddr & PAGE_OFFSET_MASK));
4015	pThis->uNtDllAddr = pThis->uNtDllParentAddr;
4016
4017	/*
4018	* Scan the virtual memory of the child.
4019	*/
4020	uintptr_t cbAdvance = 0;
4021	uintptr_t uPtrWhere = 0;
4022	for (uint32_t i = 0; i < 1024; i++)
4023	{
4024	/* Query information. */
4025	SIZE_T cbActual = 0;
4026	MEMORY_BASIC_INFORMATION MemInfo = { 0, 0, 0, 0, 0, 0, 0 };
4027	NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess,
4028	(void const *)uPtrWhere,
4029	MemoryBasicInformation,
4030	&MemInfo,
4031	sizeof(MemInfo),
4032	&cbActual);
4033	if (!NT_SUCCESS(rcNt))
4034	break;
4035
4036	if ( MemInfo.Type == SEC_IMAGE
4037	\|\| MemInfo.Type == SEC_PROTECTED_IMAGE
4038	\|\| MemInfo.Type == (SEC_IMAGE \| SEC_PROTECTED_IMAGE))
4039	{
4040	if (MemInfo.BaseAddress == MemInfo.AllocationBase)
4041	{
4042	/* Get the image name. */
4043	union
4044	{
4045	UNICODE_STRING UniStr;
4046	uint8_t abPadding[4096];
4047	} uBuf;
4048	NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess,
4049	MemInfo.BaseAddress,
4050	MemorySectionName,
4051	&uBuf,
4052	sizeof(uBuf) - sizeof(WCHAR),
4053	&cbActual);
4054	if (NT_SUCCESS(rcNt))
4055	{
4056	uBuf.UniStr.Buffer[uBuf.UniStr.Length / sizeof(WCHAR)] = '\0';
4057	if (supR3HardNtIsNamedSystem32Dll(&uBuf.UniStr, "ntdll.dll"))
4058	{
4059	pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase;
4060	SUP_DPRINTF(("supR3HardNtPuChFindNtdll: uNtDllParentAddr=%p uNtDllChildAddr=%p\n",
4061	pThis->uNtDllParentAddr, pThis->uNtDllAddr));
4062	return;
4063	}
4064	}
4065	}
4066	}
4067
4068	/*
4069	* Advance.
4070	*/
4071	cbAdvance = MemInfo.RegionSize;
4072	if (uPtrWhere + cbAdvance <= uPtrWhere)
4073	break;
4074	uPtrWhere += MemInfo.RegionSize;
4075	}
4076
4077	supR3HardenedWinKillChild(pThis, "supR3HardNtChildFindNtdll", VERR_MODULE_NOT_FOUND, "ntdll.dll not found in child process.");
4078	}
4079
4080
4081	/**
4082	* Gather child data.
4083	*
4084	* @param pThis The child process data structure.
4085	*/
4086	static void supR3HardNtChildGatherData(PSUPR3HARDNTCHILD pThis)
4087	{
4088	/*
4089	* Basic info.
4090	*/
4091	ULONG cbActual = 0;
4092	NTSTATUS rcNt = NtQueryInformationProcess(pThis->hProcess, ProcessBasicInformation,
4093	&pThis->BasicInfo, sizeof(pThis->BasicInfo), &cbActual);
4094	if (!NT_SUCCESS(rcNt))
4095	supR3HardenedWinKillChild(pThis, "supR3HardNtChildGatherData", rcNt,
4096	"NtQueryInformationProcess/ProcessBasicInformation failed: %#x", rcNt);
4097
4098	/*
4099	* If this is the middle (stub) process, we wish to wait for both child
4100	* and parent. So open the parent process. Not fatal if we cannnot.
4101	*/
4102	if (pThis->iWhich > 1)
4103	{
4104	PROCESS_BASIC_INFORMATION SelfInfo;
4105	rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &SelfInfo, sizeof(SelfInfo), &cbActual);
4106	if (NT_SUCCESS(rcNt))
4107	{
4108	OBJECT_ATTRIBUTES ObjAttr;
4109	InitializeObjectAttributes(&ObjAttr, NULL, 0, NULL /hRootDir/, NULL /pSecDesc/);
4110
4111	CLIENT_ID ClientId;
4112	ClientId.UniqueProcess = (HANDLE)SelfInfo.InheritedFromUniqueProcessId;
4113	ClientId.UniqueThread = NULL;
4114
4115	rcNt = NtOpenProcess(&pThis->hParent, SYNCHRONIZE \| PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
4116	#ifdef DEBUG
4117	SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
4118	#endif
4119	if (!NT_SUCCESS(rcNt))
4120	{
4121	pThis->hParent = NULL;
4122	SUP_DPRINTF(("supR3HardNtChildGatherData: Failed to open parent process (%#p): %#x\n", ClientId.UniqueProcess, rcNt));
4123	}
4124	}
4125
4126	}
4127
4128	/*
4129	* Process environment block.
4130	*/
4131	if (g_uNtVerCombined < SUP_NT_VER_W2K3)
4132	pThis->cbPeb = PEB_SIZE_W51;
4133	else if (g_uNtVerCombined < SUP_NT_VER_VISTA)
4134	pThis->cbPeb = PEB_SIZE_W52;
4135	else if (g_uNtVerCombined < SUP_NT_VER_W70)
4136	pThis->cbPeb = PEB_SIZE_W6;
4137	else if (g_uNtVerCombined < SUP_NT_VER_W80)
4138	pThis->cbPeb = PEB_SIZE_W7;
4139	else if (g_uNtVerCombined < SUP_NT_VER_W81)
4140	pThis->cbPeb = PEB_SIZE_W80;
4141	else
4142	pThis->cbPeb = PEB_SIZE_W81;
4143
4144	SUP_DPRINTF(("supR3HardNtChildGatherData: PebBaseAddress=%p cbPeb=%#x\n",
4145	pThis->BasicInfo.PebBaseAddress, pThis->cbPeb));
4146
4147	SIZE_T cbActualMem;
4148	RT_ZERO(pThis->Peb);
4149	rcNt = NtReadVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &pThis->Peb, sizeof(pThis->Peb), &cbActualMem);
4150	if (!NT_SUCCESS(rcNt))
4151	supR3HardenedWinKillChild(pThis, "supR3HardNtChildGatherData", rcNt,
4152	"NtReadVirtualMemory/Peb failed: %#x", rcNt);
4153
4154	/*
4155	* Locate NtDll.
4156	*/
4157	supR3HardNtChildFindNtdll(pThis);
4158	}
4159
4160
4161	/**
4162	* Does the actually respawning.
4163	*
4164	* @returns Never, will call exit or raise fatal error.
4165	* @param iWhich Which respawn we're to check for, 1 being the
4166	* first one, and 2 the second and final.
4167	*/
4168	static DECL_NO_RETURN(void) supR3HardenedWinDoReSpawn(int iWhich)
4169	{
4170	NTSTATUS rcNt;
4171	PPEB pPeb = NtCurrentPeb();
4172	PRTL_USER_PROCESS_PARAMETERS pParentProcParams = pPeb->ProcessParameters;
4173
4174	SUPR3HARDENED_ASSERT(g_cSuplibHardenedWindowsMainCalls == 1);
4175
4176	/*
4177	* Init the child process data structure, creating the child communication
4178	* event sempahores.
4179	*/
4180	SUPR3HARDNTCHILD This;
4181	RT_ZERO(This);
4182	This.iWhich = iWhich;
4183
4184	OBJECT_ATTRIBUTES ObjAttrs;
4185	This.hEvtChild = NULL;
4186	InitializeObjectAttributes(&ObjAttrs, NULL /pName/, OBJ_INHERIT, NULL /hRootDir/, NULL /pSecDesc/);
4187	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtCreateEvent(&This.hEvtChild, EVENT_ALL_ACCESS, &ObjAttrs, SynchronizationEvent, FALSE));
4188
4189	This.hEvtParent = NULL;
4190	InitializeObjectAttributes(&ObjAttrs, NULL /pName/, OBJ_INHERIT, NULL /hRootDir/, NULL /pSecDesc/);
4191	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtCreateEvent(&This.hEvtParent, EVENT_ALL_ACCESS, &ObjAttrs, SynchronizationEvent, FALSE));
4192
4193	/*
4194	* Set up security descriptors.
4195	*/
4196	SECURITY_ATTRIBUTES ProcessSecAttrs;
4197	MYSECURITYCLEANUP ProcessSecAttrsCleanup;
4198	supR3HardNtChildInitSecAttrs(&ProcessSecAttrs, &ProcessSecAttrsCleanup, true /fProcess/);
4199
4200	SECURITY_ATTRIBUTES ThreadSecAttrs;
4201	MYSECURITYCLEANUP ThreadSecAttrsCleanup;
4202	supR3HardNtChildInitSecAttrs(&ThreadSecAttrs, &ThreadSecAttrsCleanup, false /fProcess/);
4203
4204	#if 1
4205	/*
4206	* Configure the startup info and creation flags.
4207	*/
4208	DWORD dwCreationFlags = CREATE_SUSPENDED;
4209
4210	STARTUPINFOEXW SiEx;
4211	suplibHardenedMemSet(&SiEx, 0, sizeof(SiEx));
4212	if (1)
4213	SiEx.StartupInfo.cb = sizeof(SiEx.StartupInfo);
4214	else
4215	{
4216	SiEx.StartupInfo.cb = sizeof(SiEx);
4217	dwCreationFlags \|= EXTENDED_STARTUPINFO_PRESENT;
4218	/** @todo experiment with protected process stuff later on. */
4219	}
4220
4221	SiEx.StartupInfo.dwFlags \|= pParentProcParams->WindowFlags & STARTF_USESHOWWINDOW;
4222	SiEx.StartupInfo.wShowWindow = (WORD)pParentProcParams->ShowWindowFlags;
4223
4224	SiEx.StartupInfo.dwFlags \|= STARTF_USESTDHANDLES;
4225	SiEx.StartupInfo.hStdInput = pParentProcParams->StandardInput;
4226	SiEx.StartupInfo.hStdOutput = pParentProcParams->StandardOutput;
4227	SiEx.StartupInfo.hStdError = pParentProcParams->StandardError;
4228
4229	/*
4230	* Construct the command line and launch the process.
4231	*/
4232	PRTUTF16 pwszCmdLine = supR3HardNtChildConstructCmdLine(NULL, iWhich);
4233
4234	supR3HardenedWinEnableThreadCreation();
4235	PROCESS_INFORMATION ProcessInfoW32;
4236	if (!CreateProcessW(g_wszSupLibHardenedExePath,
4237	pwszCmdLine,
4238	&ProcessSecAttrs,
4239	&ThreadSecAttrs,
4240	TRUE /fInheritHandles/,
4241	dwCreationFlags,
4242	NULL /pwszzEnvironment/,
4243	NULL /pwszCurDir/,
4244	&SiEx.StartupInfo,
4245	&ProcessInfoW32))
4246	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, VERR_INVALID_NAME,
4247	"Error relaunching VirtualBox VM process: %u\n"
4248	"Command line: '%ls'",
4249	RtlGetLastWin32Error(), pwszCmdLine);
4250	supR3HardenedWinDisableThreadCreation();
4251
4252	SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): New child %x.%x [kernel32].\n",
4253	iWhich, ProcessInfoW32.dwProcessId, ProcessInfoW32.dwThreadId));
4254	This.hProcess = ProcessInfoW32.hProcess;
4255	This.hThread = ProcessInfoW32.hThread;
4256
4257	#else
4258
4259	/*
4260	* Construct the process parameters.
4261	*/
4262	UNICODE_STRING W32ImageName;
4263	W32ImageName.Buffer = g_wszSupLibHardenedExePath; /* Yes the windows name for the process parameters. */
4264	W32ImageName.Length = (USHORT)RTUtf16Len(g_wszSupLibHardenedExePath) * sizeof(WCHAR);
4265	W32ImageName.MaximumLength = W32ImageName.Length + sizeof(WCHAR);
4266
4267	UNICODE_STRING CmdLine;
4268	supR3HardNtChildConstructCmdLine(&CmdLine, iWhich);
4269
4270	PRTL_USER_PROCESS_PARAMETERS pProcParams = NULL;
4271	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateProcessParameters(&pProcParams,
4272	&W32ImageName,
4273	NULL /* DllPath - inherit from this process */,
4274	NULL /* CurrentDirectory - inherit from this process */,
4275	&CmdLine,
4276	NULL /* Environment - inherit from this process */,
4277	NULL /* WindowsTitle - none */,
4278	NULL /* DesktopTitle - none. */,
4279	NULL /* ShellInfo - none. */,
4280	NULL /* RuntimeInfo - none (byte array for MSVCRT file info) */)
4281	);
4282
4283	/** @todo this doesn't work. :-( */
4284	pProcParams->ConsoleHandle = pParentProcParams->ConsoleHandle;
4285	pProcParams->ConsoleFlags = pParentProcParams->ConsoleFlags;
4286	pProcParams->StandardInput = pParentProcParams->StandardInput;
4287	pProcParams->StandardOutput = pParentProcParams->StandardOutput;
4288	pProcParams->StandardError = pParentProcParams->StandardError;
4289
4290	RTL_USER_PROCESS_INFORMATION ProcessInfoNt = { sizeof(ProcessInfoNt) };
4291	rcNt = RtlCreateUserProcess(&g_SupLibHardenedExeNtPath.UniStr,
4292	OBJ_INHERIT \| OBJ_CASE_INSENSITIVE /Attributes/,
4293	pProcParams,
4294	NULL, //&ProcessSecAttrs,
4295	NULL, //&ThreadSecAttrs,
4296	NtCurrentProcess() /* ParentProcess */,
4297	FALSE /fInheritHandles/,
4298	NULL /* DebugPort */,
4299	NULL /* ExceptionPort */,
4300	&ProcessInfoNt);
4301	if (!NT_SUCCESS(rcNt))
4302	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, VERR_INVALID_NAME,
4303	"Error relaunching VirtualBox VM process: %#x\n"
4304	"Command line: '%ls'",
4305	rcNt, CmdLine.Buffer);
4306
4307	SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): New child %x.%x [ntdll].\n",
4308	iWhich, ProcessInfo.ClientId.UniqueProcess, ProcessInfo.ClientId.UniqueThread));
4309	RtlDestroyProcessParameters(pProcParams);
4310
4311	This.hProcess = ProcessInfoNt.ProcessHandle;
4312	This.hThread = ProcessInfoNt.ThreadHandle;
4313	#endif
4314
4315	#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
4316	/*
4317	* Apply anti debugger notification trick to the thread. (Also done in
4318	* supR3HardenedWinInit.) This may fail with STATUS_ACCESS_DENIED and
4319	* maybe other errors. (Unfortunately, recent (SEP 12.1) of symantec's
4320	* sysplant.sys driver will cause process deadlocks and a shutdown/reboot
4321	* denial of service problem if we hide the initial thread, so we postpone
4322	* this action if we've detected SEP.)
4323	*/
4324	if (!(g_fSupAdversaries & (SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT \| SUPHARDNT_ADVERSARY_SYMANTEC_N360)))
4325	{
4326	rcNt = NtSetInformationThread(This.hThread, ThreadHideFromDebugger, NULL, 0);
4327	if (!NT_SUCCESS(rcNt))
4328	SUP_DPRINTF(("supR3HardenedWinReSpawn: NtSetInformationThread/ThreadHideFromDebugger failed: %#x (harmless)\n", rcNt));
4329	}
4330	#endif
4331
4332	/*
4333	* Perform very early child initialization.
4334	*/
4335	supR3HardNtChildGatherData(&This);
4336	supR3HardNtChildScrewUpPebForInitialImageEvents(&This);
4337	supR3HardNtChildSetUpChildInit(&This);
4338
4339	ULONG cSuspendCount = 0;
4340	rcNt = NtResumeThread(This.hThread, &cSuspendCount);
4341	if (!NT_SUCCESS(rcNt))
4342	supR3HardenedWinKillChild(&This, "supR3HardenedWinDoReSpawn", rcNt, "NtResumeThread failed: %#x", rcNt);
4343
4344	/*
4345	* Santizie the pre-NTDLL child when it's ready.
4346	*
4347	* AV software and other things injecting themselves into the embryonic
4348	* and budding process to intercept API calls and what not. Unfortunately
4349	* this is also the behavior of viruses, malware and other unfriendly
4350	* software, so we won't stand for it. AV software can scan our image
4351	* as they are loaded via kernel hooks, that's sufficient. No need for
4352	* patching half of NTDLL or messing with the import table of the
4353	* process executable.
4354	*/
4355	supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_PurifyChildAndCloseHandles, 2000 /ms/, "PurifyChildAndCloseHandles");
4356	supR3HardNtChildPurify(&This);
4357	supR3HardNtChildSanitizePeb(&This);
4358
4359	/*
4360	* Close the unrestricted access handles. Since we need to wait on the
4361	* child process, we'll reopen the process with limited access before doing
4362	* away with the process handle returned by CreateProcess.
4363	*/
4364	supR3HardNtChildCloseFullAccessHandles(&This);
4365
4366	/*
4367	* Signal the child that we've closed the unrestricted handles and it can
4368	* safely try open the driver.
4369	*/
4370	rcNt = NtSetEvent(This.hEvtChild, NULL);
4371	if (!NT_SUCCESS(rcNt))
4372	supR3HardenedWinKillChild(&This, "supR3HardenedWinReSpawn", VERR_INVALID_NAME,
4373	"NtSetEvent failed on child process handle: %#x\n", rcNt);
4374
4375	/*
4376	* Ditch the loader cache so we don't sit on too much memory while waiting.
4377	*/
4378	supR3HardenedWinFlushLoaderCache();
4379	supR3HardenedWinCompactHeaps();
4380
4381	/*
4382	* Enable thread creation at this point so Ctrl-C and Ctrl-Break can be processed.
4383	*/
4384	supR3HardenedWinEnableThreadCreation();
4385
4386	/*
4387	* Wait for the child to get to suplibHardenedWindowsMain so we can close the handles.
4388	*/
4389	supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_CloseEvents, 60000 /ms/, "CloseEvents");
4390
4391	NtClose(This.hEvtChild);
4392	NtClose(This.hEvtParent);
4393	This.hEvtChild = NULL;
4394	This.hEvtParent = NULL;
4395
4396	/*
4397	* Wait for the process to terminate.
4398	*/
4399	supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_End, RT_INDEFINITE_WAIT, "the end");
4400	supR3HardenedFatal("supR3HardenedWinDoReSpawn: supR3HardNtChildWaitFor unexpectedly returned!\n");
4401	/* not reached*/
4402	}
4403
4404
4405	/**
4406	* Logs the content of the given object directory.
4407	*
4408	* @returns true if it exists, false if not.
4409	* @param pszDir The path of the directory to log (ASCII).
4410	*/
4411	static void supR3HardenedWinLogObjDir(const char *pszDir)
4412	{
4413	/*
4414	* Open the driver object directory.
4415	*/
4416	RTUTF16 wszDir[128];
4417	int rc = RTUtf16CopyAscii(wszDir, RT_ELEMENTS(wszDir), pszDir);
4418	if (RT_FAILURE(rc))
4419	{
4420	SUP_DPRINTF(("supR3HardenedWinLogObjDir: RTUtf16CopyAscii -> %Rrc on '%s'\n", rc, pszDir));
4421	return;
4422	}
4423
4424	UNICODE_STRING NtDirName;
4425	NtDirName.Buffer = (WCHAR *)wszDir;
4426	NtDirName.Length = (USHORT)(RTUtf16Len(wszDir) * sizeof(WCHAR));
4427	NtDirName.MaximumLength = NtDirName.Length + sizeof(WCHAR);
4428
4429	OBJECT_ATTRIBUTES ObjAttr;
4430	InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4431
4432	HANDLE hDir;
4433	NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY \| FILE_LIST_DIRECTORY, &ObjAttr);
4434	SUP_DPRINTF(("supR3HardenedWinLogObjDir: %ls => %#x\n", wszDir, rcNt));
4435	if (!NT_SUCCESS(rcNt))
4436	return;
4437
4438	/*
4439	* Enumerate it, looking for the driver.
4440	*/
4441	ULONG uObjDirCtx = 0;
4442	for (;;)
4443	{
4444	uint32_t abBuffer[_64K + _1K];
4445	ULONG cbActual;
4446	rcNt = NtQueryDirectoryObject(hDir,
4447	abBuffer,
4448	sizeof(abBuffer) - 4, /* minus four for string terminator space. */
4449	FALSE /ReturnSingleEntry /,
4450	FALSE /RestartScan/,
4451	&uObjDirCtx,
4452	&cbActual);
4453	if (!NT_SUCCESS(rcNt) \|\| cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
4454	{
4455	SUP_DPRINTF(("supR3HardenedWinLogObjDir: NtQueryDirectoryObject => rcNt=%#x cbActual=%#x\n", rcNt, cbActual));
4456	break;
4457	}
4458
4459	POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
4460	while (pObjDir->Name.Length != 0)
4461	{
4462	SUP_DPRINTF((" %.ls %.ls\n",
4463	pObjDir->TypeName.Length / sizeof(WCHAR), pObjDir->TypeName.Buffer,
4464	pObjDir->Name.Length / sizeof(WCHAR), pObjDir->Name.Buffer));
4465
4466	/* Next directory entry. */
4467	pObjDir++;
4468	}
4469	}
4470
4471	/*
4472	* Clean up and return.
4473	*/
4474	NtClose(hDir);
4475	}
4476
4477
4478	/**
4479	* Tries to open VBoxDrvErrorInfo and read extra error info from it.
4480	*
4481	* @returns pszErrorInfo.
4482	* @param pszErrorInfo The destination buffer. Will always be
4483	* terminated.
4484	* @param cbErrorInfo The size of the destination buffer.
4485	* @param pszPrefix What to prefix the error info with, if we got
4486	* anything.
4487	*/
4488	DECLHIDDEN(char ) supR3HardenedWinReadErrorInfoDevice(char pszErrorInfo, size_t cbErrorInfo, const char *pszPrefix)
4489	{
4490	RT_BZERO(pszErrorInfo, cbErrorInfo);
4491
4492	/*
4493	* Try open the device.
4494	*/
4495	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
4496	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
4497	UNICODE_STRING NtName = RTNT_CONSTANT_UNISTR(SUPDRV_NT_DEVICE_NAME_ERROR_INFO);
4498	OBJECT_ATTRIBUTES ObjAttr;
4499	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4500	NTSTATUS rcNt = NtCreateFile(&hFile,
4501	GENERIC_READ, /* No SYNCHRONIZE. */
4502	&ObjAttr,
4503	&Ios,
4504	NULL /* Allocation Size*/,
4505	FILE_ATTRIBUTE_NORMAL,
4506	FILE_SHARE_READ \| FILE_SHARE_WRITE,
4507	FILE_OPEN,
4508	FILE_NON_DIRECTORY_FILE, /* No FILE_SYNCHRONOUS_IO_NONALERT. */
4509	NULL /EaBuffer/,
4510	0 /EaLength/);
4511	if (NT_SUCCESS(rcNt))
4512	rcNt = Ios.Status;
4513	if (NT_SUCCESS(rcNt))
4514	{
4515	/*
4516	* Try read error info.
4517	*/
4518	size_t cchPrefix = strlen(pszPrefix);
4519	if (cchPrefix + 3 < cbErrorInfo)
4520	{
4521	LARGE_INTEGER offRead;
4522	offRead.QuadPart = 0;
4523	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
4524	&pszErrorInfo[cchPrefix], (ULONG)(cbErrorInfo - cchPrefix - 1), &offRead, NULL);
4525	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status) && Ios.Information > 0)
4526	{
4527	memcpy(pszErrorInfo, pszPrefix, cchPrefix);
4528	pszErrorInfo[RT_MIN(cbErrorInfo - 1, cchPrefix + Ios.Information)] = '\0';
4529	SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: '%s'", &pszErrorInfo[cchPrefix]));
4530	}
4531	else
4532	{
4533	*pszErrorInfo = '\0';
4534	if (rcNt != STATUS_END_OF_FILE \|\| Ios.Status != STATUS_END_OF_FILE)
4535	SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: NtReadFile -> %#x / %#x / %p\n",
4536	rcNt, Ios.Status, Ios.Information));
4537	}
4538	}
4539	else
4540	RTStrCopy(pszErrorInfo, cbErrorInfo, "error info buffer too small");
4541	NtClose(hFile);
4542	}
4543	else
4544	SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: NtCreateFile -> %#x\n", rcNt));
4545
4546	return pszErrorInfo;
4547	}
4548
4549
4550
4551	/**
4552	* Checks if the driver exists.
4553	*
4554	* This checks whether the driver is present in the /Driver object directory.
4555	* Drivers being initialized or terminated will have an object there
4556	* before/after their devices nodes are created/deleted.
4557	*
4558	* @returns true if it exists, false if not.
4559	* @param pszDriver The driver name.
4560	*/
4561	static bool supR3HardenedWinDriverExists(const char *pszDriver)
4562	{
4563	/*
4564	* Open the driver object directory.
4565	*/
4566	UNICODE_STRING NtDirName = RTNT_CONSTANT_UNISTR(L"\\Driver");
4567
4568	OBJECT_ATTRIBUTES ObjAttr;
4569	InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4570
4571	HANDLE hDir;
4572	NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY \| FILE_LIST_DIRECTORY, &ObjAttr);
4573	#ifdef VBOX_STRICT
4574	SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
4575	#endif
4576	if (!NT_SUCCESS(rcNt))
4577	return true;
4578
4579	/*
4580	* Enumerate it, looking for the driver.
4581	*/
4582	bool fFound = true;
4583	ULONG uObjDirCtx = 0;
4584	do
4585	{
4586	uint32_t abBuffer[_64K + _1K];
4587	ULONG cbActual;
4588	rcNt = NtQueryDirectoryObject(hDir,
4589	abBuffer,
4590	sizeof(abBuffer) - 4, /* minus four for string terminator space. */
4591	FALSE /ReturnSingleEntry /,
4592	FALSE /RestartScan/,
4593	&uObjDirCtx,
4594	&cbActual);
4595	if (!NT_SUCCESS(rcNt) \|\| cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
4596	break;
4597
4598	POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
4599	while (pObjDir->Name.Length != 0)
4600	{
4601	WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)];
4602	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0';
4603	if ( pObjDir->Name.Length > 1
4604	&& RTUtf16ICmpAscii(pObjDir->Name.Buffer, pszDriver) == 0)
4605	{
4606	fFound = true;
4607	break;
4608	}
4609	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved;
4610
4611	/* Next directory entry. */
4612	pObjDir++;
4613	}
4614	} while (!fFound);
4615
4616	/*
4617	* Clean up and return.
4618	*/
4619	NtClose(hDir);
4620
4621	return fFound;
4622	}
4623
4624
4625	/**
4626	* Open the stub device before the 2nd respawn.
4627	*/
4628	static void supR3HardenedWinOpenStubDevice(void)
4629	{
4630	if (g_fSupStubOpened)
4631	return;
4632
4633	/*
4634	* Retry if we think driver might still be initializing (STATUS_NO_SUCH_DEVICE + \Drivers\VBoxDrv).
4635	*/
4636	static const WCHAR s_wszName[] = SUPDRV_NT_DEVICE_NAME_STUB;
4637	uint64_t const uMsTsStart = supR3HardenedWinGetMilliTS();
4638	NTSTATUS rcNt;
4639	uint32_t iTry;
4640
4641	for (iTry = 0;; iTry++)
4642	{
4643	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
4644	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
4645
4646	UNICODE_STRING NtName;
4647	NtName.Buffer = (PWSTR)s_wszName;
4648	NtName.Length = sizeof(s_wszName) - sizeof(WCHAR);
4649	NtName.MaximumLength = sizeof(s_wszName);
4650
4651	OBJECT_ATTRIBUTES ObjAttr;
4652	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4653
4654	rcNt = NtCreateFile(&hFile,
4655	GENERIC_READ \| GENERIC_WRITE, /* No SYNCHRONIZE. */
4656	&ObjAttr,
4657	&Ios,
4658	NULL /* Allocation Size*/,
4659	FILE_ATTRIBUTE_NORMAL,
4660	FILE_SHARE_READ \| FILE_SHARE_WRITE,
4661	FILE_OPEN,
4662	FILE_NON_DIRECTORY_FILE, /* No FILE_SYNCHRONOUS_IO_NONALERT. */
4663	NULL /EaBuffer/,
4664	0 /EaLength/);
4665	if (NT_SUCCESS(rcNt))
4666	rcNt = Ios.Status;
4667
4668	/* The STATUS_NO_SUCH_DEVICE might be returned if the device is not
4669	completely initialized. Delay a little bit and try again. */
4670	if (rcNt != STATUS_NO_SUCH_DEVICE)
4671	break;
4672	if (iTry > 0 && supR3HardenedWinGetMilliTS() - uMsTsStart > 5000) /* 5 sec, at least two tries */
4673	break;
4674	if (!supR3HardenedWinDriverExists("VBoxDrv"))
4675	{
4676	/** @todo Consider starting the VBoxdrv.sys service. Requires 2nd process
4677	* though, rather complicated actually as CreateProcess causes all
4678	* kind of things to happen to this process which would make it hard to
4679	* pass the process verification tests... :-/ */
4680	break;
4681	}
4682
4683	LARGE_INTEGER Time;
4684	if (iTry < 8)
4685	Time.QuadPart = -1000000 / 100; /* 1ms in 100ns units, relative time. */
4686	else
4687	Time.QuadPart = -32000000 / 100; /* 32ms in 100ns units, relative time. */
4688	NtDelayExecution(TRUE, &Time);
4689	}
4690
4691	if (NT_SUCCESS(rcNt))
4692	g_fSupStubOpened = true;
4693	else
4694	{
4695	/*
4696	* Report trouble (fatal). For some errors codes we try gather some
4697	* extra information that goes into VBoxStartup.log so that we stand a
4698	* better chance resolving the issue.
4699	*/
4700	char szErrorInfo[16384];
4701	int rc = VERR_OPEN_FAILED;
4702	if (SUP_NT_STATUS_IS_VBOX(rcNt)) /* See VBoxDrvNtErr2NtStatus. */
4703	{
4704	rc = SUP_NT_STATUS_TO_VBOX(rcNt);
4705
4706	/*
4707	* \Windows\ApiPort open trouble. So far only
4708	* STATUS_OBJECT_TYPE_MISMATCH has been observed.
4709	*/
4710	if (rc == VERR_SUPDRV_APIPORT_OPEN_ERROR)
4711	{
4712	SUP_DPRINTF(("Error opening VBoxDrvStub: VERR_SUPDRV_APIPORT_OPEN_ERROR\n"));
4713
4714	uint32_t uSessionId = NtCurrentPeb()->SessionId;
4715	SUP_DPRINTF((" SessionID=%#x\n", uSessionId));
4716	char szDir[64];
4717	if (uSessionId == 0)
4718	RTStrCopy(szDir, sizeof(szDir), "\\Windows");
4719	else
4720	{
4721	RTStrPrintf(szDir, sizeof(szDir), "\\Sessions\\%u\\Windows", uSessionId);
4722	supR3HardenedWinLogObjDir(szDir);
4723	}
4724	supR3HardenedWinLogObjDir("\\Windows");
4725	supR3HardenedWinLogObjDir("\\Sessions");
4726
4727	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, rc,
4728	"NtCreateFile(%ls) failed: VERR_SUPDRV_APIPORT_OPEN_ERROR\n"
4729	"\n"
4730	"Error getting %s\\ApiPort in the driver from vboxdrv.\n"
4731	"\n"
4732	"Could be due to security software is redirecting access to it, so please include full "
4733	"details of such software in a bug report. VBoxStartup.log may contain details important "
4734	"to resolving the issue.%s"
4735	, s_wszName, szDir,
4736	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4737	"\n\nVBoxDrvStub error: "));
4738	}
4739
4740	/*
4741	* Generic VBox failure message.
4742	*/
4743	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, rc,
4744	"NtCreateFile(%ls) failed: %Rrc (rcNt=%#x)%s", s_wszName, rc, rcNt,
4745	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4746	"\nVBoxDrvStub error: "));
4747	}
4748	else
4749	{
4750	const char *pszDefine;
4751	switch (rcNt)
4752	{
4753	case STATUS_NO_SUCH_DEVICE: pszDefine = " STATUS_NO_SUCH_DEVICE"; break;
4754	case STATUS_OBJECT_NAME_NOT_FOUND: pszDefine = " STATUS_OBJECT_NAME_NOT_FOUND"; break;
4755	case STATUS_ACCESS_DENIED: pszDefine = " STATUS_ACCESS_DENIED"; break;
4756	case STATUS_TRUST_FAILURE: pszDefine = " STATUS_TRUST_FAILURE"; break;
4757	default: pszDefine = ""; break;
4758	}
4759
4760	/*
4761	* Problems opening the device is generally due to driver load/
4762	* unload issues. Check whether the driver is loaded and make
4763	* suggestions accordingly.
4764	*/
4765	/** @todo don't fail during early init, wait till later and try load the driver if missing or at least query the service manager for additional information. */
4766	if ( rcNt == STATUS_NO_SUCH_DEVICE
4767	\|\| rcNt == STATUS_OBJECT_NAME_NOT_FOUND)
4768	{
4769	SUP_DPRINTF(("Error opening VBoxDrvStub: %s\n", pszDefine));
4770	if (supR3HardenedWinDriverExists("VBoxDrv"))
4771	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
4772	"NtCreateFile(%ls) failed: %#x%s (%u retries)\n"
4773	"\n"
4774	"Driver is probably stuck stopping/starting. Try 'sc.exe query vboxdrv' to get more "
4775	"information about its state. Rebooting may actually help.%s"
4776	, s_wszName, rcNt, pszDefine, iTry,
4777	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4778	"\nVBoxDrvStub error: "));
4779	else
4780	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
4781	"NtCreateFile(%ls) failed: %#x%s (%u retries)\n"
4782	"\n"
4783	"Driver is does not appear to be loaded. Try 'sc.exe start vboxdrv', reinstall "
4784	"VirtualBox or reboot.%s"
4785	, s_wszName, rcNt, pszDefine, iTry,
4786	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4787	"\nVBoxDrvStub error: "));
4788	}
4789
4790	/* Generic NT failure message. */
4791	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
4792	"NtCreateFile(%ls) failed: %#x%s (%u retries)%s",
4793	s_wszName, rcNt, pszDefine, iTry,
4794	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4795	"\nVBoxDrvStub error: "));
4796	}
4797	}
4798	}
4799
4800
4801	/**
4802	* Called by the main code if supR3HardenedWinIsReSpawnNeeded returns @c true.
4803	*
4804	* @returns Program exit code.
4805	*/
4806	DECLHIDDEN(int) supR3HardenedWinReSpawn(int iWhich)
4807	{
4808	/*
4809	* Before the 2nd respawn we set up a child protection deal with the
4810	* support driver via /Devices/VBoxDrvStub. (We tried to do this
4811	* during the early init, but in case we had trouble accessing vboxdrv we
4812	* retry it here where we have kernel32.dll and others to pull in for
4813	* better diagnostics.)
4814	*/
4815	if (iWhich == 2)
4816	supR3HardenedWinOpenStubDevice();
4817
4818	/*
4819	* Make sure we're alone in the stub process before creating the VM process
4820	* and that there aren't any debuggers attached.
4821	*/
4822	if (iWhich == 2)
4823	{
4824	int rc = supHardNtVpDebugger(NtCurrentProcess(), RTErrInfoInitStatic(&g_ErrInfoStatic));
4825	if (RT_SUCCESS(rc))
4826	rc = supHardNtVpThread(NtCurrentProcess(), NtCurrentThread(), RTErrInfoInitStatic(&g_ErrInfoStatic));
4827	if (RT_FAILURE(rc))
4828	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Integrity, rc, "%s", g_ErrInfoStatic.szMsg);
4829	}
4830
4831
4832	/*
4833	* Respawn the process with kernel protection for the new process.
4834	*/
4835	supR3HardenedWinDoReSpawn(iWhich);
4836	/* not reached! */
4837	}
4838
4839
4840	/**
4841	* Checks if re-spawning is required, replacing the respawn argument if not.
4842	*
4843	* @returns true if required, false if not. In the latter case, the first
4844	* argument in the vector is replaced.
4845	* @param iWhich Which respawn we're to check for, 1 being the
4846	* first one, and 2 the second and final.
4847	* @param cArgs The number of arguments.
4848	* @param papszArgs Pointer to the argument vector.
4849	*/
4850	DECLHIDDEN(bool) supR3HardenedWinIsReSpawnNeeded(int iWhich, int cArgs, char **papszArgs)
4851	{
4852	SUPR3HARDENED_ASSERT(g_cSuplibHardenedWindowsMainCalls == 1);
4853	SUPR3HARDENED_ASSERT(iWhich == 1 \|\| iWhich == 2);
4854
4855	if (cArgs < 1)
4856	return true;
4857
4858	if (suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_1_ARG0) == 0)
4859	{
4860	if (iWhich > 1)
4861	return true;
4862	}
4863	else if (suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_2_ARG0) == 0)
4864	{
4865	if (iWhich < 2)
4866	return false;
4867	}
4868	else
4869	return true;
4870
4871	/* Replace the argument. */
4872	papszArgs[0] = g_szSupLibHardenedExePath;
4873	return false;
4874	}
4875
4876
4877	/**
4878	* Initializes the windows verficiation bits and other things we're better off
4879	* doing after main() has passed on it's data.
4880	*
4881	* @param fFlags The main flags.
4882	* @param fAvastKludge Whether to apply the avast kludge.
4883	*/
4884	DECLHIDDEN(void) supR3HardenedWinInit(uint32_t fFlags, bool fAvastKludge)
4885	{
4886	NTSTATUS rcNt;
4887
4888	#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
4889	/*
4890	* Install a anti debugging hack before we continue. This prevents most
4891	* notifications from ending up in the debugger. (Also applied to the
4892	* child process when respawning.)
4893	*/
4894	rcNt = NtSetInformationThread(NtCurrentThread(), ThreadHideFromDebugger, NULL, 0);
4895	if (!NT_SUCCESS(rcNt))
4896	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
4897	"NtSetInformationThread/ThreadHideFromDebugger failed: %#x\n", rcNt);
4898	#endif
4899
4900	/*
4901	* Init the verifier.
4902	*/
4903	RTErrInfoInitStatic(&g_ErrInfoStatic);
4904	int rc = supHardenedWinInitImageVerifier(&g_ErrInfoStatic.Core);
4905	if (RT_FAILURE(rc))
4906	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rc,
4907	"supHardenedWinInitImageVerifier failed: %s", g_ErrInfoStatic.szMsg);
4908
4909	/*
4910	* Get the windows system directory from the KnownDlls dir.
4911	*/
4912	HANDLE hSymlink = INVALID_HANDLE_VALUE;
4913	UNICODE_STRING UniStr = RTNT_CONSTANT_UNISTR(L"\\KnownDlls\\KnownDllPath");
4914	OBJECT_ATTRIBUTES ObjAttrs;
4915	InitializeObjectAttributes(&ObjAttrs, &UniStr, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4916	rcNt = NtOpenSymbolicLinkObject(&hSymlink, SYMBOLIC_LINK_QUERY, &ObjAttrs);
4917	if (!NT_SUCCESS(rcNt))
4918	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rcNt, "Error opening '%ls': %#x", UniStr.Buffer, rcNt);
4919
4920	g_System32WinPath.UniStr.Buffer = g_System32WinPath.awcBuffer;
4921	g_System32WinPath.UniStr.Length = 0;
4922	g_System32WinPath.UniStr.MaximumLength = sizeof(g_System32WinPath.awcBuffer) - sizeof(RTUTF16);
4923	rcNt = NtQuerySymbolicLinkObject(hSymlink, &g_System32WinPath.UniStr, NULL);
4924	if (!NT_SUCCESS(rcNt))
4925	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rcNt, "Error querying '%ls': %#x", UniStr.Buffer, rcNt);
4926	g_System32WinPath.UniStr.Buffer[g_System32WinPath.UniStr.Length / sizeof(RTUTF16)] = '\0';
4927
4928	SUP_DPRINTF(("KnownDllPath: %ls\n", g_System32WinPath.UniStr.Buffer));
4929	NtClose(hSymlink);
4930
4931	if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
4932	{
4933	if (fAvastKludge)
4934	{
4935	/*
4936	* Do a self purification to cure avast's weird NtOpenFile write-thru
4937	* change in GetBinaryTypeW change in kernel32. Unfortunately, avast
4938	* uses a system thread to perform the process modifications, which
4939	* means it's hard to make sure it had the chance to make them...
4940	*
4941	* We have to resort to kludge doing yield and sleep fudging for a
4942	* number of milliseconds and schedulings before we can hope that avast
4943	* and similar products have done what they need to do. If we do any
4944	* fixes, we wait for a while again and redo it until we're clean.
4945	*
4946	* This is unfortunately kind of fragile.
4947	*/
4948	uint32_t cMsFudge = g_fSupAdversaries ? 512 : 128;
4949	uint32_t cFixes;
4950	for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
4951	{
4952	uint32_t cSleeps = 0;
4953	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
4954	do
4955	{
4956	NtYieldExecution();
4957	LARGE_INTEGER Time;
4958	Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
4959	NtDelayExecution(FALSE, &Time);
4960	cSleeps++;
4961	} while ( supR3HardenedWinGetMilliTS() - uMsTsStart <= cMsFudge
4962	\|\| cSleeps < 8);
4963	SUP_DPRINTF(("supR3HardenedWinInit: Startup delay kludge #2/%u: %u ms, %u sleeps\n",
4964	iLoop, supR3HardenedWinGetMilliTS() - uMsTsStart, cSleeps));
4965
4966	cFixes = 0;
4967	rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION,
4968	0 /fFlags/, &cFixes, NULL /pErrInfo/);
4969	if (RT_FAILURE(rc) \|\| cFixes == 0)
4970	break;
4971
4972	if (!g_fSupAdversaries)
4973	g_fSupAdversaries \|= SUPHARDNT_ADVERSARY_UNKNOWN;
4974	cMsFudge = 512;
4975
4976	/* Log the KiOpPrefetchPatchCount value if available, hoping it might sched some light on spider38's case. */
4977	ULONG cPatchCount = 0;
4978	rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
4979	&cPatchCount, sizeof(cPatchCount), NULL);
4980	if (NT_SUCCESS(rcNt))
4981	SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
4982	cFixes, g_fSupAdversaries, cPatchCount));
4983	else
4984	SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
4985	}
4986	}
4987
4988	/*
4989	* Install the hooks.
4990	*/
4991	supR3HardenedWinInstallHooks();
4992	}
4993
4994	#ifndef VBOX_WITH_VISTA_NO_SP
4995	/*
4996	* Complain about Vista w/o service pack if we're launching a VM.
4997	*/
4998	if ( !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
4999	&& g_uNtVerCombined >= SUP_NT_VER_VISTA
5000	&& g_uNtVerCombined < SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0))
5001	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, VERR_NOT_SUPPORTED,
5002	"Window Vista without any service pack installed is not supported. Please install the latest service pack.");
5003	#endif
5004	}
5005
5006
5007	/**
5008	* Modifies the DLL search path for testcases.
5009	*
5010	* This makes sure the application binary path is in the search path. When
5011	* starting a testcase executable in the testcase/ subdirectory this isn't the
5012	* case by default. So, unless we do something about it we won't be able to
5013	* import VBox DLLs.
5014	*
5015	* @param fFlags The main flags (giving the location).
5016	* @param pszAppBinPath The path to the application binary directory
5017	* (windows style).
5018	*/
5019	DECLHIDDEN(void) supR3HardenedWinModifyDllSearchPath(uint32_t fFlags, const char *pszAppBinPath)
5020	{
5021	/*
5022	* For the testcases to work, we must add the app bin directory to the
5023	* DLL search list before the testcase dll is loaded or it won't be
5024	* able to find the VBox DLLs. This is done _after_ VBoxRT.dll is
5025	* initialized and sets its defaults.
5026	*/
5027	switch (fFlags & SUPSECMAIN_FLAGS_LOC_MASK)
5028	{
5029	case SUPSECMAIN_FLAGS_LOC_TESTCASE:
5030	break;
5031	default:
5032	return;
5033	}
5034
5035	/*
5036	* Dynamically resolve the two APIs we need (the latter uses forwarders on w7).
5037	*/
5038	HMODULE hModKernel32 = GetModuleHandleW(L"kernel32.dll");
5039
5040	typedef BOOL (WINAPI *PFNSETDLLDIRECTORY)(LPCWSTR);
5041	PFNSETDLLDIRECTORY pfnSetDllDir;
5042	pfnSetDllDir = (PFNSETDLLDIRECTORY)GetProcAddress(hModKernel32, "SetDllDirectoryW");
5043
5044	typedef BOOL (WINAPI *PFNSETDEFAULTDLLDIRECTORIES)(DWORD);
5045	PFNSETDEFAULTDLLDIRECTORIES pfnSetDefDllDirs;
5046	pfnSetDefDllDirs = (PFNSETDEFAULTDLLDIRECTORIES)GetProcAddress(hModKernel32, "SetDefaultDllDirectories");
5047
5048	if (pfnSetDllDir != NULL)
5049	{
5050	/*
5051	* Convert the path to UTF-16 and try set it.
5052	*/
5053	PRTUTF16 pwszAppBinPath = NULL;
5054	int rc = RTStrToUtf16(pszAppBinPath, &pwszAppBinPath);
5055	if (RT_SUCCESS(rc))
5056	{
5057	if (pfnSetDllDir(pwszAppBinPath))
5058	{
5059	SUP_DPRINTF(("supR3HardenedWinModifyDllSearchPath: Set dll dir to '%ls'\n", pwszAppBinPath));
5060	g_fSupLibHardenedDllSearchUserDirs = true;
5061
5062	/*
5063	* We set it alright, on W7 and later we also must modify the
5064	* default DLL search order. See @bugref{6861} for details on
5065	* why we don't do this on Vista (also see init-win.cpp in IPRT).
5066	*/
5067	if ( pfnSetDefDllDirs
5068	&& g_uNtVerCombined >= SUP_NT_VER_W70)
5069	{
5070	if (pfnSetDefDllDirs( LOAD_LIBRARY_SEARCH_APPLICATION_DIR
5071	\| LOAD_LIBRARY_SEARCH_SYSTEM32
5072	\| LOAD_LIBRARY_SEARCH_USER_DIRS))
5073	SUP_DPRINTF(("supR3HardenedWinModifyDllSearchPath: Successfully modified search dirs.\n"));
5074	else
5075	supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: SetDllDirectoryW(%ls) failed: %d\n",
5076	pwszAppBinPath, RtlGetLastWin32Error());
5077	}
5078	}
5079	else
5080	supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: SetDllDirectoryW(%ls) failed: %d\n",
5081	pwszAppBinPath, RtlGetLastWin32Error());
5082	RTUtf16Free(pwszAppBinPath);
5083	}
5084	else
5085	supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: RTStrToUtf16(%s) failed: %d\n", pszAppBinPath, rc);
5086	}
5087	}
5088
5089
5090	/**
5091	* Initializes the application binary directory path.
5092	*
5093	* This is called once or twice.
5094	*
5095	* @param fFlags The main flags (giving the location).
5096	*/
5097	DECLHIDDEN(void) supR3HardenedWinInitAppBin(uint32_t fFlags)
5098	{
5099	USHORT cwc = (USHORT)g_offSupLibHardenedExeNtName - 1;
5100	g_SupLibHardenedAppBinNtPath.UniStr.Buffer = g_SupLibHardenedAppBinNtPath.awcBuffer;
5101	memcpy(g_SupLibHardenedAppBinNtPath.UniStr.Buffer, g_SupLibHardenedExeNtPath.UniStr.Buffer, cwc * sizeof(WCHAR));
5102
5103	switch (fFlags & SUPSECMAIN_FLAGS_LOC_MASK)
5104	{
5105	case SUPSECMAIN_FLAGS_LOC_APP_BIN:
5106	break;
5107	case SUPSECMAIN_FLAGS_LOC_TESTCASE:
5108	{
5109	/* Drop one directory level. */
5110	USHORT off = cwc;
5111	WCHAR wc;
5112	while ( off > 1
5113	&& (wc = g_SupLibHardenedAppBinNtPath.UniStr.Buffer[off - 1]) != '\0')
5114	if (wc != '\\' && wc != '/')
5115	off--;
5116	else
5117	{
5118	if (g_SupLibHardenedAppBinNtPath.UniStr.Buffer[off - 2] == ':')
5119	cwc = off;
5120	else
5121	cwc = off - 1;
5122	break;
5123	}
5124	break;
5125	}
5126	default:
5127	supR3HardenedFatal("supR3HardenedWinInitAppBin: Unknown program binary location: %#x\n", fFlags);
5128	}
5129
5130	g_SupLibHardenedAppBinNtPath.UniStr.Buffer[cwc] = '\0';
5131	g_SupLibHardenedAppBinNtPath.UniStr.Length = cwc * sizeof(WCHAR);
5132	g_SupLibHardenedAppBinNtPath.UniStr.MaximumLength = sizeof(g_SupLibHardenedAppBinNtPath.awcBuffer);
5133	SUP_DPRINTF(("supR3HardenedWinInitAppBin(%#x): '%ls'\n", fFlags, g_SupLibHardenedAppBinNtPath.UniStr.Buffer));
5134	}
5135
5136
5137	/**
5138	* Converts the Windows command line string (UTF-16) to an array of UTF-8
5139	* arguments suitable for passing to main().
5140	*
5141	* @returns Pointer to the argument array.
5142	* @param pawcCmdLine The UTF-16 windows command line to parse.
5143	* @param cwcCmdLine The length of the command line.
5144	* @param pcArgs Where to return the number of arguments.
5145	*/
5146	static char *suplibCommandLineToArgvWStub(PCRTUTF16 pawcCmdLine, size_t cwcCmdLine, int pcArgs)
5147	{
5148	/*
5149	* Convert the command line string to UTF-8.
5150	*/
5151	char *pszCmdLine = NULL;
5152	SUPR3HARDENED_ASSERT(RT_SUCCESS(RTUtf16ToUtf8Ex(pawcCmdLine, cwcCmdLine, &pszCmdLine, 0, NULL)));
5153
5154	/*
5155	* Parse the command line, carving argument strings out of it.
5156	*/
5157	int cArgs = 0;
5158	int cArgsAllocated = 4;
5159	char papszArgs = (char )RTMemAllocZ(sizeof(char ) cArgsAllocated);
5160	char *pszSrc = pszCmdLine;
5161	for (;;)
5162	{
5163	/* skip leading blanks. */
5164	char ch = *pszSrc;
5165	while (suplibCommandLineIsArgSeparator(ch))
5166	ch = *++pszSrc;
5167	if (!ch)
5168	break;
5169
5170	/* Add argument to the vector. */
5171	if (cArgs + 2 >= cArgsAllocated)
5172	{
5173	cArgsAllocated *= 2;
5174	papszArgs = (char *)RTMemRealloc(papszArgs, sizeof(char ) * cArgsAllocated);
5175	}
5176	papszArgs[cArgs++] = pszSrc;
5177	papszArgs[cArgs] = NULL;
5178
5179	/* Unquote and unescape the string. */
5180	char *pszDst = pszSrc++;
5181	bool fQuoted = false;
5182	do
5183	{
5184	if (ch == '"')
5185	fQuoted = !fQuoted;
5186	else if (ch != '\\' \|\| (pszSrc != '\\' && pszSrc != '"'))
5187	*pszDst++ = ch;
5188	else
5189	{
5190	unsigned cSlashes = 0;
5191	while ((ch = *pszSrc++) == '\\')
5192	cSlashes++;
5193	if (ch == '"')
5194	{
5195	while (cSlashes >= 2)
5196	{
5197	cSlashes -= 2;
5198	*pszDst++ = '\\';
5199	}
5200	if (cSlashes)
5201	*pszDst++ = '"';
5202	else
5203	fQuoted = !fQuoted;
5204	}
5205	else
5206	{
5207	pszSrc--;
5208	while (cSlashes-- > 0)
5209	*pszDst++ = '\\';
5210	}
5211	}
5212
5213	ch = *pszSrc++;
5214	} while (ch != '\0' && (fQuoted \|\| !suplibCommandLineIsArgSeparator(ch)));
5215
5216	/* Terminate the argument. */
5217	*pszDst = '\0';
5218	if (!ch)
5219	break;
5220	}
5221
5222	*pcArgs = cArgs;
5223	return papszArgs;
5224	}
5225
5226
5227	/**
5228	* Worker for supR3HardenedFindVersionRsrcOffset.
5229	*
5230	* @returns RVA the version resource data, UINT32_MAX if not found.
5231	* @param pRootDir The root resource directory. Expects data to
5232	* follow.
5233	* @param cbBuf The amount of data at pRootDir.
5234	* @param offData The offset to the data entry.
5235	* @param pcbData Where to return the size of the data.
5236	*/
5237	static uint32_t supR3HardenedGetRvaFromRsrcDataEntry(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t offData,
5238	uint32_t *pcbData)
5239	{
5240	if ( offData <= cbBuf
5241	&& offData + sizeof(IMAGE_RESOURCE_DATA_ENTRY) <= cbBuf)
5242	{
5243	PIMAGE_RESOURCE_DATA_ENTRY pRsrcData = (PIMAGE_RESOURCE_DATA_ENTRY)((uintptr_t)pRootDir + offData);
5244	SUP_DPRINTF((" [Raw version resource data: %#x LB %#x, codepage %#x (reserved %#x)]\n",
5245	pRsrcData->OffsetToData, pRsrcData->Size, pRsrcData->CodePage, pRsrcData->Reserved));
5246	if (pRsrcData->Size > 0)
5247	{
5248	*pcbData = pRsrcData->Size;
5249	return pRsrcData->OffsetToData;
5250	}
5251	}
5252	else
5253	SUP_DPRINTF((" Version resource data (%#x) is outside the buffer (%#x)! :-(\n", offData, cbBuf));
5254
5255	*pcbData = 0;
5256	return UINT32_MAX;
5257	}
5258
5259
5260	/** @def SUP_RSRC_DPRINTF
5261	* Dedicated debug printf for resource directory parsing.
5262	* @sa SUP_DPRINTF
5263	*/
5264	#if 0 /* more details */
5265	# define SUP_RSRC_DPRINTF(a) SUP_DPRINTF(a)
5266	#else
5267	# define SUP_RSRC_DPRINTF(a) do { } while (0)
5268	#endif
5269
5270	/**
5271	* Scans the resource directory for a version resource.
5272	*
5273	* @returns RVA of the version resource data, UINT32_MAX if not found.
5274	* @param pRootDir The root resource directory. Expects data to
5275	* follow.
5276	* @param cbBuf The amount of data at pRootDir.
5277	* @param pcbData Where to return the size of the version data.
5278	*/
5279	static uint32_t supR3HardenedFindVersionRsrcRva(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t *pcbData)
5280	{
5281	SUP_RSRC_DPRINTF((" ResDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
5282	pRootDir->Characteristics,
5283	pRootDir->TimeDateStamp,
5284	pRootDir->MajorVersion,
5285	pRootDir->MinorVersion,
5286	pRootDir->NumberOfNamedEntries,
5287	pRootDir->NumberOfIdEntries));
5288
5289	PIMAGE_RESOURCE_DIRECTORY_ENTRY paEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRootDir + 1);
5290	unsigned cMaxEntries = (cbBuf - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
5291	unsigned cEntries = pRootDir->NumberOfNamedEntries + pRootDir->NumberOfIdEntries;
5292	if (cEntries > cMaxEntries)
5293	cEntries = cMaxEntries;
5294	for (unsigned i = 0; i < cEntries; i++)
5295	{
5296	if (!paEntries[i].NameIsString)
5297	{
5298	if (!paEntries[i].DataIsDirectory)
5299	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
5300	i, paEntries[i].Id, paEntries[i].OffsetToData));
5301	else
5302	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
5303	i, paEntries[i].Id, paEntries[i].OffsetToDirectory));
5304	}
5305	else
5306	{
5307	if (!paEntries[i].DataIsDirectory)
5308	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
5309	i, paEntries[i].NameOffset, paEntries[i].OffsetToData));
5310	else
5311	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
5312	i, paEntries[i].NameOffset, paEntries[i].OffsetToDirectory));
5313	}
5314
5315	/*
5316	* Look for the version resource type. Skip to the next entry if not found.
5317	*/
5318	if (paEntries[i].NameIsString)
5319	continue;
5320	if (paEntries[i].Id != 0x10 /RT_VERSION/)
5321	continue;
5322	if (!paEntries[i].DataIsDirectory)
5323	{
5324	SUP_DPRINTF((" #%u: ID: #%#06x Data: %#010x - WEIRD!\n", i, paEntries[i].Id, paEntries[i].OffsetToData));
5325	continue;
5326	}
5327	SUP_RSRC_DPRINTF((" Version resource dir entry #%u: dir offset: %#x (cbBuf=%#x)\n",
5328	i, paEntries[i].OffsetToDirectory, cbBuf));
5329
5330	/*
5331	* Locate the sub-resource directory for it.
5332	*/
5333	if (paEntries[i].OffsetToDirectory >= cbBuf)
5334	{
5335	SUP_DPRINTF((" Version resource dir is outside the buffer! :-(\n"));
5336	continue;
5337	}
5338	uint32_t cbMax = cbBuf - paEntries[i].OffsetToDirectory;
5339	if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))
5340	{
5341	SUP_DPRINTF((" Version resource dir entry #0 is outside the buffer! :-(\n"));
5342	continue;
5343	}
5344	PIMAGE_RESOURCE_DIRECTORY pVerDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paEntries[i].OffsetToDirectory);
5345	SUP_RSRC_DPRINTF((" VerDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
5346	pVerDir->Characteristics,
5347	pVerDir->TimeDateStamp,
5348	pVerDir->MajorVersion,
5349	pVerDir->MinorVersion,
5350	pVerDir->NumberOfNamedEntries,
5351	pVerDir->NumberOfIdEntries));
5352	PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerDir + 1);
5353	unsigned cMaxVerEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
5354	unsigned cVerEntries = pVerDir->NumberOfNamedEntries + pVerDir->NumberOfIdEntries;
5355	if (cVerEntries > cMaxVerEntries)
5356	cVerEntries = cMaxVerEntries;
5357	for (unsigned iVer = 0; iVer < cVerEntries; iVer++)
5358	{
5359	if (!paVerEntries[iVer].NameIsString)
5360	{
5361	if (!paVerEntries[iVer].DataIsDirectory)
5362	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
5363	iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToData));
5364	else
5365	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
5366	iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToDirectory));
5367	}
5368	else
5369	{
5370	if (!paVerEntries[iVer].DataIsDirectory)
5371	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
5372	iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToData));
5373	else
5374	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
5375	iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToDirectory));
5376	}
5377	if (!paVerEntries[iVer].DataIsDirectory)
5378	{
5379	SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: #%#x)]\n",
5380	paVerEntries[iVer].OffsetToData, paVerEntries[iVer].Name));
5381	return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerEntries[iVer].OffsetToData, pcbData);
5382	}
5383
5384	/*
5385	* Check out the next directory level.
5386	*/
5387	if (paVerEntries[iVer].OffsetToDirectory >= cbBuf)
5388	{
5389	SUP_DPRINTF((" Version resource subdir is outside the buffer! :-(\n"));
5390	continue;
5391	}
5392	cbMax = cbBuf - paVerEntries[iVer].OffsetToDirectory;
5393	if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))
5394	{
5395	SUP_DPRINTF((" Version resource subdir entry #0 is outside the buffer! :-(\n"));
5396	continue;
5397	}
5398	PIMAGE_RESOURCE_DIRECTORY pVerSubDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paVerEntries[iVer].OffsetToDirectory);
5399	SUP_RSRC_DPRINTF((" VerSubDir#%u: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
5400	iVer,
5401	pVerSubDir->Characteristics,
5402	pVerSubDir->TimeDateStamp,
5403	pVerSubDir->MajorVersion,
5404	pVerSubDir->MinorVersion,
5405	pVerSubDir->NumberOfNamedEntries,
5406	pVerSubDir->NumberOfIdEntries));
5407	PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerSubEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerSubDir + 1);
5408	unsigned cMaxVerSubEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
5409	unsigned cVerSubEntries = pVerSubDir->NumberOfNamedEntries + pVerSubDir->NumberOfIdEntries;
5410	if (cVerSubEntries > cMaxVerSubEntries)
5411	cVerSubEntries = cMaxVerSubEntries;
5412	for (unsigned iVerSub = 0; iVerSub < cVerSubEntries; iVerSub++)
5413	{
5414	if (!paVerSubEntries[iVerSub].NameIsString)
5415	{
5416	if (!paVerSubEntries[iVerSub].DataIsDirectory)
5417	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
5418	iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToData));
5419	else
5420	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
5421	iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToDirectory));
5422	}
5423	else
5424	{
5425	if (!paVerSubEntries[iVerSub].DataIsDirectory)
5426	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
5427	iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToData));
5428	else
5429	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
5430	iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToDirectory));
5431	}
5432	if (!paVerSubEntries[iVerSub].DataIsDirectory)
5433	{
5434	SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: %#x; SubID/SubName: %#x)]\n",
5435	paVerSubEntries[iVerSub].OffsetToData, paVerEntries[iVer].Name, paVerSubEntries[iVerSub].Name));
5436	return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerSubEntries[iVerSub].OffsetToData, pcbData);
5437	}
5438	}
5439	}
5440	}
5441
5442	*pcbData = 0;
5443	return UINT32_MAX;
5444	}
5445
5446
5447	/**
5448	* Logs information about a file from a protection product or from Windows,
5449	* optionally returning the file version.
5450	*
5451	* The purpose here is to better see which version of the product is installed
5452	* and not needing to depend on the user supplying the correct information.
5453	*
5454	* @param pwszFile The NT path to the file.
5455	* @param pwszFileVersion Where to return the file version, if found. NULL if
5456	* not interested.
5457	* @param cwcFileVersion The size of the file version buffer (UTF-16 units).
5458	*/
5459	static void supR3HardenedLogFileInfo(PCRTUTF16 pwszFile, PRTUTF16 pwszFileVersion, size_t cwcFileVersion)
5460	{
5461	/*
5462	* Make sure the file version is always set when we return.
5463	*/
5464	if (pwszFileVersion && cwcFileVersion)
5465	*pwszFileVersion = '\0';
5466
5467	/*
5468	* Open the file.
5469	*/
5470	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
5471	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
5472	UNICODE_STRING UniStrName;
5473	UniStrName.Buffer = (WCHAR *)pwszFile;
5474	UniStrName.Length = (USHORT)(RTUtf16Len(pwszFile) * sizeof(WCHAR));
5475	UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
5476	OBJECT_ATTRIBUTES ObjAttr;
5477	InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
5478	NTSTATUS rcNt = NtCreateFile(&hFile,
5479	GENERIC_READ \| SYNCHRONIZE,
5480	&ObjAttr,
5481	&Ios,
5482	NULL /* Allocation Size*/,
5483	FILE_ATTRIBUTE_NORMAL,
5484	FILE_SHARE_READ,
5485	FILE_OPEN,
5486	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
5487	NULL /EaBuffer/,
5488	0 /EaLength/);
5489	if (NT_SUCCESS(rcNt))
5490	rcNt = Ios.Status;
5491	if (NT_SUCCESS(rcNt))
5492	{
5493	SUP_DPRINTF(("%ls:\n", pwszFile));
5494	union
5495	{
5496	uint64_t u64AlignmentInsurance;
5497	FILE_BASIC_INFORMATION BasicInfo;
5498	FILE_STANDARD_INFORMATION StdInfo;
5499	uint8_t abBuf[32768];
5500	RTUTF16 awcBuf[16384];
5501	IMAGE_DOS_HEADER MzHdr;
5502	IMAGE_RESOURCE_DIRECTORY ResDir;
5503	} u;
5504	RTTIMESPEC TimeSpec;
5505	char szTmp[64];
5506
5507	/*
5508	* Print basic file information available via NtQueryInformationFile.
5509	*/
5510	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
5511	rcNt = NtQueryInformationFile(hFile, &Ios, &u.BasicInfo, sizeof(u.BasicInfo), FileBasicInformation);
5512	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5513	{
5514	SUP_DPRINTF((" CreationTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.CreationTime.QuadPart), szTmp, sizeof(szTmp))));
5515	/SUP_DPRINTF((" LastAccessTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastAccessTime.QuadPart), szTmp, sizeof(szTmp))));/
5516	SUP_DPRINTF((" LastWriteTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastWriteTime.QuadPart), szTmp, sizeof(szTmp))));
5517	SUP_DPRINTF((" ChangeTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.ChangeTime.QuadPart), szTmp, sizeof(szTmp))));
5518	SUP_DPRINTF((" FileAttributes: %#x\n", u.BasicInfo.FileAttributes));
5519	}
5520	else
5521	SUP_DPRINTF((" FileBasicInformation -> %#x %#x\n", rcNt, Ios.Status));
5522
5523	rcNt = NtQueryInformationFile(hFile, &Ios, &u.StdInfo, sizeof(u.StdInfo), FileStandardInformation);
5524	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5525	SUP_DPRINTF((" Size: %#llx\n", u.StdInfo.EndOfFile.QuadPart));
5526	else
5527	SUP_DPRINTF((" FileStandardInformation -> %#x %#x\n", rcNt, Ios.Status));
5528
5529	/*
5530	* Read the image header and extract the timestamp and other useful info.
5531	*/
5532	RT_ZERO(u);
5533	LARGE_INTEGER offRead;
5534	offRead.QuadPart = 0;
5535	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
5536	&u, (ULONG)sizeof(u), &offRead, NULL);
5537	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5538	{
5539	uint32_t offNtHdrs = 0;
5540	if (u.MzHdr.e_magic == IMAGE_DOS_SIGNATURE)
5541	offNtHdrs = u.MzHdr.e_lfanew;
5542	if (offNtHdrs < sizeof(u) - sizeof(IMAGE_NT_HEADERS))
5543	{
5544	PIMAGE_NT_HEADERS64 pNtHdrs64 = (PIMAGE_NT_HEADERS64)&u.abBuf[offNtHdrs];
5545	PIMAGE_NT_HEADERS32 pNtHdrs32 = (PIMAGE_NT_HEADERS32)&u.abBuf[offNtHdrs];
5546	if (pNtHdrs64->Signature == IMAGE_NT_SIGNATURE)
5547	{
5548	SUP_DPRINTF((" NT Headers: %#x\n", offNtHdrs));
5549	SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp));
5550	SUP_DPRINTF((" Machine: %#x%s\n", pNtHdrs64->FileHeader.Machine,
5551	pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ? " - i386"
5552	: pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? " - amd64" : ""));
5553	SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp));
5554	SUP_DPRINTF((" Image Version: %u.%u\n",
5555	pNtHdrs64->OptionalHeader.MajorImageVersion, pNtHdrs64->OptionalHeader.MinorImageVersion));
5556	SUP_DPRINTF((" SizeOfImage: %#x (%u)\n", pNtHdrs64->OptionalHeader.SizeOfImage, pNtHdrs64->OptionalHeader.SizeOfImage));
5557
5558	/*
5559	* Very crude way to extract info from the file version resource.
5560	*/
5561	PIMAGE_SECTION_HEADER paSectHdrs = (PIMAGE_SECTION_HEADER)( (uintptr_t)&pNtHdrs64->OptionalHeader
5562	+ pNtHdrs64->FileHeader.SizeOfOptionalHeader);
5563	IMAGE_DATA_DIRECTORY RsrcDir = { 0, 0 };
5564	if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER64)
5565	&& pNtHdrs64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE)
5566	RsrcDir = pNtHdrs64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
5567	else if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER32)
5568	&& pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE)
5569	RsrcDir = pNtHdrs32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
5570	SUP_DPRINTF((" Resource Dir: %#x LB %#x\n", RsrcDir.VirtualAddress, RsrcDir.Size));
5571	if ( RsrcDir.VirtualAddress > offNtHdrs
5572	&& RsrcDir.Size > 0
5573	&& (uintptr_t)&u + sizeof(u) - (uintptr_t)paSectHdrs
5574	>= pNtHdrs64->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) )
5575	{
5576	uint32_t uRvaRsrcSect = 0;
5577	uint32_t cbRsrcSect = 0;
5578	uint32_t offRsrcSect = 0;
5579	offRead.QuadPart = 0;
5580	for (uint32_t i = 0; i < pNtHdrs64->FileHeader.NumberOfSections; i++)
5581	{
5582	uRvaRsrcSect = paSectHdrs[i].VirtualAddress;
5583	cbRsrcSect = paSectHdrs[i].Misc.VirtualSize;
5584	offRsrcSect = paSectHdrs[i].PointerToRawData;
5585	if ( RsrcDir.VirtualAddress - uRvaRsrcSect < cbRsrcSect
5586	&& offRsrcSect > offNtHdrs)
5587	{
5588	offRead.QuadPart = offRsrcSect + (RsrcDir.VirtualAddress - uRvaRsrcSect);
5589	break;
5590	}
5591	}
5592	if (offRead.QuadPart > 0)
5593	{
5594	RT_ZERO(u);
5595	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
5596	&u, (ULONG)sizeof(u), &offRead, NULL);
5597	PCRTUTF16 pwcVersionData = &u.awcBuf[0];
5598	size_t cbVersionData = sizeof(u);
5599
5600	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5601	{
5602	/* Make it less crude by try find the version resource data. */
5603	uint32_t cbVersion;
5604	uint32_t uRvaVersion = supR3HardenedFindVersionRsrcRva(&u.ResDir, sizeof(u), &cbVersion);
5605	NOREF(uRvaVersion);
5606	if ( uRvaVersion != UINT32_MAX
5607	&& cbVersion < cbRsrcSect
5608	&& uRvaVersion - uRvaRsrcSect <= cbRsrcSect - cbVersion)
5609	{
5610	uint32_t const offVersion = uRvaVersion - uRvaRsrcSect;
5611	if ( offVersion < sizeof(u)
5612	&& offVersion + cbVersion <= sizeof(u))
5613	{
5614	pwcVersionData = (PCRTUTF16)&u.abBuf[offVersion];
5615	cbVersionData = cbVersion;
5616	}
5617	else
5618	{
5619	offRead.QuadPart = offVersion + offRsrcSect;
5620	RT_ZERO(u);
5621	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
5622	&u, (ULONG)sizeof(u), &offRead, NULL);
5623	pwcVersionData = &u.awcBuf[0];
5624	cbVersionData = RT_MIN(cbVersion, sizeof(u));
5625	}
5626	}
5627	}
5628
5629	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5630	{
5631	static const struct { PCRTUTF16 pwsz; size_t cb; bool fRet; } s_abFields[] =
5632	{
5633	#define MY_WIDE_STR_TUPLE(a_sz, a_fRet) { L ## a_sz, sizeof(L ## a_sz) - sizeof(RTUTF16), a_fRet }
5634	MY_WIDE_STR_TUPLE("ProductName", false),
5635	MY_WIDE_STR_TUPLE("ProductVersion", false),
5636	MY_WIDE_STR_TUPLE("FileVersion", true),
5637	MY_WIDE_STR_TUPLE("SpecialBuild", false),
5638	MY_WIDE_STR_TUPLE("PrivateBuild", false),
5639	MY_WIDE_STR_TUPLE("FileDescription", false),
5640	#undef MY_WIDE_STR_TUPLE
5641	};
5642	for (uint32_t i = 0; i < RT_ELEMENTS(s_abFields); i++)
5643	{
5644	if (cbVersionData <= s_abFields[i].cb + 10)
5645	continue;
5646	size_t cwcLeft = (cbVersionData - s_abFields[i].cb - 10) / sizeof(RTUTF16);
5647	PCRTUTF16 pwc = pwcVersionData;
5648	RTUTF16 const wcFirst = *s_abFields[i].pwsz;
5649	while (cwcLeft-- > 0)
5650	{
5651	if ( pwc[0] == 1 /* wType == text */
5652	&& pwc[1] == wcFirst)
5653	{
5654	if (memcmp(pwc + 1, s_abFields[i].pwsz, s_abFields[i].cb + sizeof(RTUTF16)) == 0)
5655	{
5656	size_t cwcField = s_abFields[i].cb / sizeof(RTUTF16);
5657	pwc += cwcField + 2;
5658	cwcLeft -= cwcField + 2;
5659	for (uint32_t iPadding = 0; iPadding < 3; iPadding++, pwc++, cwcLeft--)
5660	if (*pwc)
5661	break;
5662	int rc = RTUtf16ValidateEncodingEx(pwc, cwcLeft,
5663	RTSTR_VALIDATE_ENCODING_ZERO_TERMINATED);
5664	if (RT_SUCCESS(rc))
5665	{
5666	SUP_DPRINTF((" %ls:%*s %ls",
5667	s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", pwc));
5668	if ( s_abFields[i].fRet
5669	&& pwszFileVersion
5670	&& cwcFileVersion > 1)
5671	RTUtf16Copy(pwszFileVersion, cwcFileVersion, pwc);
5672	}
5673	else
5674	SUP_DPRINTF((" %ls:%*s rc=%Rrc",
5675	s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", rc));
5676
5677	break;
5678	}
5679	}
5680	pwc++;
5681	}
5682	}
5683	}
5684	else
5685	SUP_DPRINTF((" NtReadFile @%#llx -> %#x %#x\n", offRead.QuadPart, rcNt, Ios.Status));
5686	}
5687	else
5688	SUP_DPRINTF((" Resource section not found.\n"));
5689	}
5690	}
5691	else
5692	SUP_DPRINTF((" Nt Headers @%#x: Invalid signature\n", offNtHdrs));
5693	}
5694	else
5695	SUP_DPRINTF((" Nt Headers @%#x: out side buffer\n", offNtHdrs));
5696	}
5697	else
5698	SUP_DPRINTF((" NtReadFile @0 -> %#x %#x\n", rcNt, Ios.Status));
5699	NtClose(hFile);
5700	}
5701	}
5702
5703
5704	/**
5705	* Scans the Driver directory for drivers which may invade our processes.
5706	*
5707	* @returns Mask of SUPHARDNT_ADVERSARY_XXX flags.
5708	*
5709	* @remarks The enumeration of \\Driver normally requires administrator
5710	* privileges. So, the detection we're doing here isn't always gonna
5711	* work just based on that.
5712	*
5713	* @todo Find drivers in \\FileSystems as well, then we could detect VrNsdDrv
5714	* from ViRobot APT Shield 2.0.
5715	*/
5716	static uint32_t supR3HardenedWinFindAdversaries(void)
5717	{
5718	static const struct
5719	{
5720	uint32_t fAdversary;
5721	const char *pszDriver;
5722	} s_aDrivers[] =
5723	{
5724	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, "SysPlant" },
5725
5726	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SRTSPX" },
5727	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymDS" },
5728	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymEvent" },
5729	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymIRON" },
5730	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymNetS" },
5731
5732	{ SUPHARDNT_ADVERSARY_AVAST, "aswHwid" },
5733	{ SUPHARDNT_ADVERSARY_AVAST, "aswMonFlt" },
5734	{ SUPHARDNT_ADVERSARY_AVAST, "aswRdr2" },
5735	{ SUPHARDNT_ADVERSARY_AVAST, "aswRvrt" },
5736	{ SUPHARDNT_ADVERSARY_AVAST, "aswSnx" },
5737	{ SUPHARDNT_ADVERSARY_AVAST, "aswsp" },
5738	{ SUPHARDNT_ADVERSARY_AVAST, "aswStm" },
5739	{ SUPHARDNT_ADVERSARY_AVAST, "aswVmm" },
5740
5741	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmcomm" },
5742	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmactmon" },
5743	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmevtmgr" },
5744	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmtdi" },
5745	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmebc64" }, /* Titanium internet security, not officescan. */
5746	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmeevw" }, /* Titanium internet security, not officescan. */
5747	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmciesc" }, /* Titanium internet security, not officescan. */
5748
5749	{ SUPHARDNT_ADVERSARY_MCAFEE, "cfwids" },
5750	{ SUPHARDNT_ADVERSARY_MCAFEE, "McPvDrv" },
5751	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfeapfk" },
5752	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfeavfk" },
5753	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfefirek" },
5754	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfehidk" },
5755	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfencbdc" },
5756	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfewfpk" },
5757
5758	{ SUPHARDNT_ADVERSARY_KASPERSKY, "kl1" },
5759	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klflt" },
5760	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klif" },
5761	{ SUPHARDNT_ADVERSARY_KASPERSKY, "KLIM6" },
5762	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klkbdflt" },
5763	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klmouflt" },
5764	{ SUPHARDNT_ADVERSARY_KASPERSKY, "kltdi" },
5765	{ SUPHARDNT_ADVERSARY_KASPERSKY, "kneps" },
5766
5767	{ SUPHARDNT_ADVERSARY_MBAM, "MBAMWebAccessControl" },
5768	{ SUPHARDNT_ADVERSARY_MBAM, "mbam" },
5769	{ SUPHARDNT_ADVERSARY_MBAM, "mbamchameleon" },
5770	{ SUPHARDNT_ADVERSARY_MBAM, "mwav" },
5771	{ SUPHARDNT_ADVERSARY_MBAM, "mbamswissarmy" },
5772
5773	{ SUPHARDNT_ADVERSARY_AVG, "avgfwfd" },
5774	{ SUPHARDNT_ADVERSARY_AVG, "avgtdia" },
5775
5776	{ SUPHARDNT_ADVERSARY_PANDA, "PSINAflt" },
5777	{ SUPHARDNT_ADVERSARY_PANDA, "PSINFile" },
5778	{ SUPHARDNT_ADVERSARY_PANDA, "PSINKNC" },
5779	{ SUPHARDNT_ADVERSARY_PANDA, "PSINProc" },
5780	{ SUPHARDNT_ADVERSARY_PANDA, "PSINProt" },
5781	{ SUPHARDNT_ADVERSARY_PANDA, "PSINReg" },
5782	{ SUPHARDNT_ADVERSARY_PANDA, "PSKMAD" },
5783	{ SUPHARDNT_ADVERSARY_PANDA, "NNSAlpc" },
5784	{ SUPHARDNT_ADVERSARY_PANDA, "NNSHttp" },
5785	{ SUPHARDNT_ADVERSARY_PANDA, "NNShttps" },
5786	{ SUPHARDNT_ADVERSARY_PANDA, "NNSIds" },
5787	{ SUPHARDNT_ADVERSARY_PANDA, "NNSNAHSL" },
5788	{ SUPHARDNT_ADVERSARY_PANDA, "NNSpicc" },
5789	{ SUPHARDNT_ADVERSARY_PANDA, "NNSPihsw" },
5790	{ SUPHARDNT_ADVERSARY_PANDA, "NNSPop3" },
5791	{ SUPHARDNT_ADVERSARY_PANDA, "NNSProt" },
5792	{ SUPHARDNT_ADVERSARY_PANDA, "NNSPrv" },
5793	{ SUPHARDNT_ADVERSARY_PANDA, "NNSSmtp" },
5794	{ SUPHARDNT_ADVERSARY_PANDA, "NNSStrm" },
5795	{ SUPHARDNT_ADVERSARY_PANDA, "NNStlsc" },
5796
5797	{ SUPHARDNT_ADVERSARY_MSE, "NisDrv" },
5798
5799	/{ SUPHARDNT_ADVERSARY_COMODO, "cmdguard" }, file system /
5800	{ SUPHARDNT_ADVERSARY_COMODO, "inspect" },
5801	{ SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" },
5802
5803	{ SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, "dgmaster" },
5804
5805	{ SUPHARDNT_ADVERSARY_CYLANCE, "cyprotectdrv" }, /* Not verified. */
5806
5807	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, "privman" }, /* Not verified. */
5808
5809	{ SUPHARDNT_ADVERSARY_AVECTO, "PGDriver" },
5810	};
5811
5812	static const struct
5813	{
5814	uint32_t fAdversary;
5815	PCRTUTF16 pwszFile;
5816	} s_aFiles[] =
5817	{
5818	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\drivers\\SysPlant.sys" },
5819	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\sysfer.dll" },
5820	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\sysferThunk.dll" },
5821
5822	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ccsetx64.sys" },
5823	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ironx64.sys" },
5824	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtsp64.sys" },
5825	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtspx64.sys" },
5826	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symds64.sys" },
5827	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symefa64.sys" },
5828	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symelam.sys" },
5829	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symnets.sys" },
5830	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\symevent64x86.sys" },
5831
5832	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswHwid.sys" },
5833	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswMonFlt.sys" },
5834	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRdr2.sys" },
5835	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRvrt.sys" },
5836	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswSnx.sys" },
5837	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswsp.sys" },
5838	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswStm.sys" },
5839	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswVmm.sys" },
5840
5841	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmcomm.sys" },
5842	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmactmon.sys" },
5843	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmevtmgr.sys" },
5844	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmtdi.sys" },
5845	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmebc64.sys" },
5846	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmeevw.sys" },
5847	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmciesc.sys" },
5848	{ SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE, L"\\SystemRoot\\System32\\drivers\\sakfile.sys" }, /* Data Loss Prevention, not officescan. */
5849	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\sakcd.sys" }, /* Data Loss Prevention, not officescan. */
5850
5851
5852	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\cfwids.sys" },
5853	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\McPvDrv.sys" },
5854	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeapfk.sys" },
5855	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeavfk.sys" },
5856	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfefirek.sys" },
5857	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfehidk.sys" },
5858	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfencbdc.sys" },
5859	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfewfpk.sys" },
5860
5861	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kl1.sys" },
5862	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klflt.sys" },
5863	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klif.sys" },
5864	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klim6.sys" },
5865	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klkbdflt.sys" },
5866	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klmouflt.sys" },
5867	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kltdi.sys" },
5868	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kneps.sys" },
5869	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\klfphc.dll" },
5870
5871	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\MBAMSwissArmy.sys" },
5872	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mwac.sys" },
5873	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbamchameleon.sys" },
5874	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbam.sys" },
5875
5876	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgrkx64.sys" },
5877	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgmfx64.sys" },
5878	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsdrivera.sys" },
5879	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsha.sys" },
5880	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgtdia.sys" },
5881	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgloga.sys" },
5882	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgldx64.sys" },
5883	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgdiska.sys" },
5884
5885	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINAflt.sys" },
5886	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINFile.sys" },
5887	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINKNC.sys" },
5888	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProc.sys" },
5889	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProt.sys" },
5890	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINReg.sys" },
5891	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSKMAD.sys" },
5892	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSAlpc.sys" },
5893	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSHttp.sys" },
5894	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNShttps.sys" },
5895	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSIds.sys" },
5896	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSNAHSL.sys" },
5897	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSpicc.sys" },
5898	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPihsw.sys" },
5899	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPop3.sys" },
5900	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSProt.sys" },
5901	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPrv.sys" },
5902	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSSmtp.sys" },
5903	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSStrm.sys" },
5904	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNStlsc.sys" },
5905
5906	{ SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\MpFilter.sys" },
5907	{ SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\NisDrvWFP.sys" },
5908
5909	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdguard.sys" },
5910	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmderd.sys" },
5911	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\inspect.sys" },
5912	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdhlp.sys" },
5913	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cfrmd.sys" },
5914	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\hmd.sys" },
5915	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\guard64.dll" },
5916	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdvrt64.dll" },
5917	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdkbd64.dll" },
5918	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdcsr.dll" },
5919
5920	{ SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\drivers\\vsdatant.sys" },
5921	{ SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\AntiTheftCredentialProvider.dll" },
5922
5923	{ SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" },
5924
5925	{ SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv32.sys" },
5926	{ SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv64.sys" },
5927
5928	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\drivers\\privman.sys" },
5929	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman64.dll" },
5930	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman32.dll" },
5931
5932	{ SUPHARDNT_ADVERSARY_AVECTO, L"\\SystemRoot\\System32\\drivers\\PGDriver.sys" },
5933	};
5934
5935	uint32_t fFound = 0;
5936
5937	/*
5938	* Open the driver object directory.
5939	*/
5940	UNICODE_STRING NtDirName = RTNT_CONSTANT_UNISTR(L"\\Driver");
5941
5942	OBJECT_ATTRIBUTES ObjAttr;
5943	InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
5944
5945	HANDLE hDir;
5946	NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY \| FILE_LIST_DIRECTORY, &ObjAttr);
5947	#ifdef VBOX_STRICT
5948	if (rcNt != STATUS_ACCESS_DENIED) /* non-admin */
5949	SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
5950	#endif
5951	if (NT_SUCCESS(rcNt))
5952	{
5953	/*
5954	* Enumerate it, looking for the driver.
5955	*/
5956	ULONG uObjDirCtx = 0;
5957	for (;;)
5958	{
5959	uint32_t abBuffer[_64K + _1K];
5960	ULONG cbActual;
5961	rcNt = NtQueryDirectoryObject(hDir,
5962	abBuffer,
5963	sizeof(abBuffer) - 4, /* minus four for string terminator space. */
5964	FALSE /ReturnSingleEntry /,
5965	FALSE /RestartScan/,
5966	&uObjDirCtx,
5967	&cbActual);
5968	if (!NT_SUCCESS(rcNt) \|\| cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
5969	break;
5970
5971	POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
5972	while (pObjDir->Name.Length != 0)
5973	{
5974	WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)];
5975	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0';
5976
5977	for (uint32_t i = 0; i < RT_ELEMENTS(s_aDrivers); i++)
5978	if (RTUtf16ICmpAscii(pObjDir->Name.Buffer, s_aDrivers[i].pszDriver) == 0)
5979	{
5980	fFound \|= s_aDrivers[i].fAdversary;
5981	SUP_DPRINTF(("Found driver %s (%#x)\n", s_aDrivers[i].pszDriver, s_aDrivers[i].fAdversary));
5982	break;
5983	}
5984
5985	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved;
5986
5987	/* Next directory entry. */
5988	pObjDir++;
5989	}
5990	}
5991
5992	NtClose(hDir);
5993	}
5994	else
5995	SUP_DPRINTF(("NtOpenDirectoryObject failed on \\Driver: %#x\n", rcNt));
5996
5997	/*
5998	* Look for files.
5999	*/
6000	for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
6001	{
6002	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
6003	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
6004	UNICODE_STRING UniStrName;
6005	UniStrName.Buffer = (WCHAR *)s_aFiles[i].pwszFile;
6006	UniStrName.Length = (USHORT)(RTUtf16Len(s_aFiles[i].pwszFile) * sizeof(WCHAR));
6007	UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
6008	InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
6009	rcNt = NtCreateFile(&hFile, GENERIC_READ \| SYNCHRONIZE, &ObjAttr, &Ios, NULL /* Allocation Size*/,
6010	FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
6011	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT, NULL /EaBuffer/, 0 /EaLength/);
6012	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
6013	{
6014	fFound \|= s_aFiles[i].fAdversary;
6015	NtClose(hFile);
6016	}
6017	}
6018
6019	/*
6020	* Log details and upgrade select adversaries.
6021	*/
6022	SUP_DPRINTF(("supR3HardenedWinFindAdversaries: %#x\n", fFound));
6023	for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
6024	if (s_aFiles[i].fAdversary & fFound)
6025	{
6026	if (!(s_aFiles[i].fAdversary & SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD))
6027	supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, NULL, 0);
6028	else
6029	{
6030	/*
6031	* See if it's a newer version of the driver which doesn't BSODs when we free
6032	* its memory. To use RTStrVersionCompare we do a rough UTF-16 -> ASCII conversion.
6033	*/
6034	union
6035	{
6036	char szFileVersion[64];
6037	RTUTF16 wszFileVersion[32];
6038	} uBuf;
6039	supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, uBuf.wszFileVersion, RT_ELEMENTS(uBuf.wszFileVersion));
6040	if (uBuf.wszFileVersion[0])
6041	{
6042	for (uint32_t off = 0; off < RT_ELEMENTS(uBuf.wszFileVersion); off++)
6043	{
6044	RTUTF16 wch = uBuf.wszFileVersion[off];
6045	uBuf.szFileVersion[off] = (char)wch;
6046	if (!wch)
6047	break;
6048	}
6049	uBuf.szFileVersion[RT_ELEMENTS(uBuf.wszFileVersion)] = '\0';
6050	#define VER_IN_RANGE(a_pszFirst, a_pszLast) \
6051	(RTStrVersionCompare(uBuf.szFileVersion, a_pszFirst) >= 0 && RTStrVersionCompare(uBuf.szFileVersion, a_pszLast) <= 0)
6052	if ( VER_IN_RANGE("7.3.2.0000", "999999999.9.9.9999")
6053	\|\| VER_IN_RANGE("7.3.1.1000", "7.3.1.3000")
6054	\|\| VER_IN_RANGE("7.3.0.3000", "7.3.0.999999999")
6055	\|\| VER_IN_RANGE("7.2.1.3000", "7.2.999999999.999999999") )
6056	{
6057	uint32_t const fOldFound = fFound;
6058	fFound = (fOldFound & ~SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)
6059	\| SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW;
6060	SUP_DPRINTF(("supR3HardenedWinFindAdversaries: Found newer version: %#x -> %#x\n", fOldFound, fFound));
6061	}
6062	}
6063	}
6064	}
6065
6066	return fFound;
6067	}
6068
6069
6070	extern "C" int main(int argc, char argv, char envp);
6071
6072	/**
6073	* The executable entry point.
6074	*
6075	* This is normally taken care of by the C runtime library, but we don't want to
6076	* get involved with anything as complicated like the CRT in this setup. So, we
6077	* it everything ourselves, including parameter parsing.
6078	*/
6079	extern "C" void __stdcall suplibHardenedWindowsMain(void)
6080	{
6081	RTEXITCODE rcExit = RTEXITCODE_FAILURE;
6082
6083	g_cSuplibHardenedWindowsMainCalls++;
6084	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EP_CALLED;
6085
6086	/*
6087	* Initialize the NTDLL API wrappers. This aims at bypassing patched NTDLL
6088	* in all the processes leading up the VM process.
6089	*/
6090	supR3HardenedWinInitImports();
6091	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED;
6092
6093	/*
6094	* Notify the parent process that we're probably capable of reporting our
6095	* own errors.
6096	*/
6097	if (g_ProcParams.hEvtParent \|\| g_ProcParams.hEvtChild)
6098	{
6099	SUPR3HARDENED_ASSERT(g_fSupEarlyProcessInit);
6100
6101	g_ProcParams.enmRequest = kSupR3WinChildReq_CloseEvents;
6102	NtSetEvent(g_ProcParams.hEvtParent, NULL);
6103
6104	NtClose(g_ProcParams.hEvtParent);
6105	NtClose(g_ProcParams.hEvtChild);
6106	g_ProcParams.hEvtParent = NULL;
6107	g_ProcParams.hEvtChild = NULL;
6108	}
6109	else
6110	SUPR3HARDENED_ASSERT(!g_fSupEarlyProcessInit);
6111
6112	/*
6113	* After having resolved imports we patch the LdrInitializeThunk code so
6114	* that it's more difficult to invade our privacy by CreateRemoteThread.
6115	* We'll re-enable this after opening the driver or temporarily while respawning.
6116	*/
6117	supR3HardenedWinDisableThreadCreation();
6118
6119	/*
6120	* Init g_uNtVerCombined. (The code is shared with SUPR3.lib and lives in
6121	* SUPHardenedVerfiyImage-win.cpp.)
6122	*/
6123	supR3HardenedWinInitVersion(false /fEarly/);
6124	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERSION_INITIALIZED;
6125
6126	/*
6127	* Convert the arguments to UTF-8 and open the log file if specified.
6128	* This must be done as early as possible since the code below may fail.
6129	*/
6130	PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
6131	int cArgs;
6132	char **papszArgs = suplibCommandLineToArgvWStub(pCmdLineStr->Buffer, pCmdLineStr->Length / sizeof(WCHAR), &cArgs);
6133
6134	supR3HardenedOpenLog(&cArgs, papszArgs);
6135
6136	/*
6137	* Log information about important system files.
6138	*/
6139	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\ntdll.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6140	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\kernel32.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6141	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\KernelBase.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6142	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\apisetschema.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6143
6144	/*
6145	* Scan the system for adversaries, logging information about them.
6146	*/
6147	g_fSupAdversaries = supR3HardenedWinFindAdversaries();
6148
6149	/*
6150	* Get the executable name, make sure it's the long version.
6151	*/
6152	DWORD cwcExecName = GetModuleFileNameW(GetModuleHandleW(NULL), g_wszSupLibHardenedExePath,
6153	RT_ELEMENTS(g_wszSupLibHardenedExePath));
6154	if (cwcExecName >= RT_ELEMENTS(g_wszSupLibHardenedExePath))
6155	supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, VERR_BUFFER_OVERFLOW,
6156	"The executable path is too long.");
6157
6158	RTUTF16 wszLong[RT_ELEMENTS(g_wszSupLibHardenedExePath)];
6159	DWORD cwcLong = GetLongPathNameW(g_wszSupLibHardenedExePath, wszLong, RT_ELEMENTS(wszLong));
6160	if (cwcLong > 0)
6161	{
6162	memcpy(g_wszSupLibHardenedExePath, wszLong, (cwcLong + 1) * sizeof(RTUTF16));
6163	cwcExecName = cwcLong;
6164	}
6165
6166	/* The NT version of it. */
6167	HANDLE hFile = CreateFileW(g_wszSupLibHardenedExePath, GENERIC_READ, FILE_SHARE_READ, NULL /pSecurityAttributes/,
6168	OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL /hTemplateFile/);
6169	if (hFile == NULL \|\| hFile == INVALID_HANDLE_VALUE)
6170	supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, RTErrConvertFromWin32(RtlGetLastWin32Error()),
6171	"Error opening the executable: %u (%ls).", RtlGetLastWin32Error());
6172	RT_ZERO(g_SupLibHardenedExeNtPath);
6173	ULONG cbIgn;
6174	NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &g_SupLibHardenedExeNtPath,
6175	sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbIgn);
6176	if (!NT_SUCCESS(rcNt))
6177	supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, RTErrConvertFromNtStatus(rcNt),
6178	"NtQueryObject -> %#x (on %ls)\n", rcNt, g_wszSupLibHardenedExePath);
6179	NtClose(hFile);
6180
6181	/* The NT executable name offset / dir path length. */
6182	g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
6183	while ( g_offSupLibHardenedExeNtName > 1
6184	&& g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
6185	g_offSupLibHardenedExeNtName--;
6186
6187	/*
6188	* Preliminary app binary path init. May change when SUPR3HardenedMain is
6189	* called (via main below).
6190	*/
6191	supR3HardenedWinInitAppBin(SUPSECMAIN_FLAGS_LOC_APP_BIN);
6192
6193	/*
6194	* If we've done early init already, register the DLL load notification
6195	* callback and reinstall the NtDll patches.
6196	*/
6197	if (g_fSupEarlyProcessInit)
6198	{
6199	supR3HardenedWinRegisterDllNotificationCallback();
6200	supR3HardenedWinReInstallHooks(false /fFirstCall /);
6201	}
6202
6203	/*
6204	* Call the C/C++ main function.
6205	*/
6206	SUP_DPRINTF(("Calling main()\n"));
6207	rcExit = (RTEXITCODE)main(cArgs, papszArgs, NULL);
6208
6209	/*
6210	* Exit the process (never return).
6211	*/
6212	SUP_DPRINTF(("Terminating the normal way: rcExit=%d\n", rcExit));
6213	suplibHardenedExit(rcExit);
6214	}
6215
6216
6217	/**
6218	* Reports an error to the parent process via the process parameter structure.
6219	*
6220	* @param pszWhere Where this error occured, if fatal message. NULL
6221	* if not message.
6222	* @param enmWhat Which init operation went wrong if fatal
6223	* message. kSupInitOp_Invalid if not message.
6224	* @param rc The status code to report.
6225	* @param pszFormat The format string.
6226	* @param va The format arguments.
6227	*/
6228	DECLHIDDEN(void) supR3HardenedWinReportErrorToParent(const char *pszWhere, SUPINITOP enmWhat, int rc,
6229	const char *pszFormat, va_list va)
6230	{
6231	if (pszWhere)
6232	RTStrCopy(g_ProcParams.szWhere, sizeof(g_ProcParams.szWhere), pszWhere);
6233	else
6234	g_ProcParams.szWhere[0] = '\0';
6235	RTStrPrintfV(g_ProcParams.szErrorMsg, sizeof(g_ProcParams.szErrorMsg), pszFormat, va);
6236	g_ProcParams.enmWhat = enmWhat;
6237	g_ProcParams.rc = RT_SUCCESS(rc) ? VERR_INTERNAL_ERROR_2 : rc;
6238	g_ProcParams.enmRequest = kSupR3WinChildReq_Error;
6239
6240	NtClearEvent(g_ProcParams.hEvtChild);
6241	NTSTATUS rcNt = NtSetEvent(g_ProcParams.hEvtParent, NULL);
6242	if (NT_SUCCESS(rcNt))
6243	{
6244	LARGE_INTEGER Timeout;
6245	Timeout.QuadPart = -300000000; /* 30 second */
6246	/NTSTATUS rcNt =/ NtWaitForSingleObject(g_ProcParams.hEvtChild, FALSE /Alertable/, &Timeout);
6247	}
6248	}
6249
6250
6251	/**
6252	* Routine called by the supR3HardenedEarlyProcessInitThunk assembly routine
6253	* when LdrInitializeThunk is executed during process initialization.
6254	*
6255	* This initializes the Stub and VM processes, hooking NTDLL APIs and opening
6256	* the device driver before any other DLLs gets loaded into the process. This
6257	* greately reduces and controls the trusted code base of the process compared
6258	* to opening the driver from SUPR3HardenedMain. It also avoids issues with so
6259	* call protection software that is in the habit of patching half of the ntdll
6260	* and kernel32 APIs in the process, making it almost indistinguishable from
6261	* software that is up to no good. Once we've opened vboxdrv, the process
6262	* should be locked down so thighly that only kernel software and csrss can mess
6263	* with the process.
6264	*/
6265	DECLASM(uintptr_t) supR3HardenedEarlyProcessInit(void)
6266	{
6267	/*
6268	* When the first thread gets here we wait for the parent to continue with
6269	* the process purifications. The primary thread must execute for image
6270	* load notifications to trigger, at least in more recent windows versions.
6271	* The old trick of starting a different thread that terminates immediately
6272	* thus doesn't work.
6273	*
6274	* We are not allowed to modify any data at this point because it will be
6275	* reset by the child process purification the parent does when we stop. To
6276	* sabotage thread creation during purification, and to avoid unnecessary
6277	* work for the parent, we reset g_ProcParams before signalling the parent
6278	* here.
6279	*/
6280	if (g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
6281	{
6282	NtTerminateThread(0, 0);
6283	return 0x22; /* crash */
6284	}
6285
6286	/* Retrieve the data we need. */
6287	uintptr_t uNtDllAddr = ASMAtomicXchgPtrT(&g_ProcParams.uNtDllAddr, 0, uintptr_t);
6288	if (!RT_VALID_PTR(uNtDllAddr))
6289	{
6290	NtTerminateThread(0, 0);
6291	return 0x23; /* crash */
6292	}
6293
6294	HANDLE hEvtChild = g_ProcParams.hEvtChild;
6295	HANDLE hEvtParent = g_ProcParams.hEvtParent;
6296	if ( hEvtChild == NULL
6297	\|\| hEvtChild == RTNT_INVALID_HANDLE_VALUE
6298	\|\| hEvtParent == NULL
6299	\|\| hEvtParent == RTNT_INVALID_HANDLE_VALUE)
6300	{
6301	NtTerminateThread(0, 0);
6302	return 0x24; /* crash */
6303	}
6304
6305	/* Resolve the APIs we need. */
6306	PFNNTWAITFORSINGLEOBJECT pfnNtWaitForSingleObject;
6307	PFNNTSETEVENT pfnNtSetEvent;
6308	supR3HardenedWinGetVeryEarlyImports(uNtDllAddr, &pfnNtWaitForSingleObject, &pfnNtSetEvent);
6309
6310	/* Signal the parent that we're ready for purification. */
6311	RT_ZERO(g_ProcParams);
6312	g_ProcParams.enmRequest = kSupR3WinChildReq_PurifyChildAndCloseHandles;
6313	NTSTATUS rcNt = pfnNtSetEvent(hEvtParent, NULL);
6314	if (rcNt != STATUS_SUCCESS)
6315	return 0x33; /* crash */
6316
6317	/* Wait up to 2 mins for the parent to exorcise evil. */
6318	LARGE_INTEGER Timeout;
6319	Timeout.QuadPart = -1200000000; /* 120 second */
6320	rcNt = pfnNtWaitForSingleObject(hEvtChild, FALSE /Alertable/, &Timeout);
6321	if (rcNt != STATUS_SUCCESS)
6322	return 0x34; /* crash */
6323
6324	/*
6325	* We're good to go, work global state and restore process parameters.
6326	* Note that we will not restore uNtDllAddr since that is our first defence
6327	* against unwanted threads (see above).
6328	*/
6329	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_INIT_CALLED;
6330	g_fSupEarlyProcessInit = true;
6331
6332	g_ProcParams.hEvtChild = hEvtChild;
6333	g_ProcParams.hEvtParent = hEvtParent;
6334	g_ProcParams.enmRequest = kSupR3WinChildReq_Error;
6335	g_ProcParams.rc = VINF_SUCCESS;
6336
6337	/*
6338	* Initialize the NTDLL imports that we consider usable before the
6339	* process has been initialized.
6340	*/
6341	supR3HardenedWinInitImportsEarly(uNtDllAddr);
6342	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_IMPORTS_RESOLVED;
6343
6344	/*
6345	* Init g_uNtVerCombined as well as we can at this point.
6346	*/
6347	supR3HardenedWinInitVersion(true /fEarly/);
6348
6349	/*
6350	* Convert the arguments to UTF-8 so we can open the log file if specified.
6351	* We may have to normalize the pointer on older windows version (not w7/64 +).
6352	* Note! This leaks memory at present.
6353	*/
6354	PRTL_USER_PROCESS_PARAMETERS pUserProcParams = NtCurrentPeb()->ProcessParameters;
6355	UNICODE_STRING CmdLineStr = pUserProcParams->CommandLine;
6356	if ( CmdLineStr.Buffer != NULL
6357	&& !(pUserProcParams->Flags & RTL_USER_PROCESS_PARAMS_FLAG_NORMALIZED) )
6358	CmdLineStr.Buffer = (WCHAR *)((uintptr_t)CmdLineStr.Buffer + (uintptr_t)pUserProcParams);
6359	int cArgs;
6360	char **papszArgs = suplibCommandLineToArgvWStub(CmdLineStr.Buffer, CmdLineStr.Length / sizeof(WCHAR), &cArgs);
6361	supR3HardenedOpenLog(&cArgs, papszArgs);
6362	SUP_DPRINTF(("supR3HardenedVmProcessInit: uNtDllAddr=%p g_uNtVerCombined=%#x\n", uNtDllAddr, g_uNtVerCombined));
6363
6364	/*
6365	* Set up the direct system calls so we can more easily hook NtCreateSection.
6366	*/
6367	RTERRINFOSTATIC ErrInfo;
6368	supR3HardenedWinInitSyscalls(true /fReportErrors/, RTErrInfoInitStatic(&ErrInfo));
6369
6370	/*
6371	* Determine the executable path and name. Will NOT determine the windows style
6372	* executable path here as we don't need it.
6373	*/
6374	SIZE_T cbActual = 0;
6375	rcNt = NtQueryVirtualMemory(NtCurrentProcess(), &g_ProcParams, MemorySectionName, &g_SupLibHardenedExeNtPath,
6376	sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbActual);
6377	if ( !NT_SUCCESS(rcNt)
6378	\|\| g_SupLibHardenedExeNtPath.UniStr.Length == 0
6379	\|\| g_SupLibHardenedExeNtPath.UniStr.Length & 1)
6380	supR3HardenedFatal("NtQueryVirtualMemory/MemorySectionName failed in supR3HardenedVmProcessInit: %#x\n", rcNt);
6381
6382	/* The NT executable name offset / dir path length. */
6383	g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
6384	while ( g_offSupLibHardenedExeNtName > 1
6385	&& g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
6386	g_offSupLibHardenedExeNtName--;
6387
6388	/*
6389	* Preliminary app binary path init. May change when SUPR3HardenedMain is called.
6390	*/
6391	supR3HardenedWinInitAppBin(SUPSECMAIN_FLAGS_LOC_APP_BIN);
6392
6393	/*
6394	* Initialize the image verification stuff (hooks LdrLoadDll and NtCreateSection).
6395	*/
6396	supR3HardenedWinInit(0, false /fAvastKludge/);
6397
6398	/*
6399	* Open the driver.
6400	*/
6401	if (cArgs >= 1 && suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_1_ARG0) == 0)
6402	{
6403	SUP_DPRINTF(("supR3HardenedVmProcessInit: Opening vboxdrv stub...\n"));
6404	supR3HardenedWinOpenStubDevice();
6405	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_STUB_DEVICE_OPENED;
6406	}
6407	else if (cArgs >= 1 && suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_2_ARG0) == 0)
6408	{
6409	SUP_DPRINTF(("supR3HardenedVmProcessInit: Opening vboxdrv...\n"));
6410	supR3HardenedMainOpenDevice();
6411	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_REAL_DEVICE_OPENED;
6412	}
6413	else
6414	supR3HardenedFatal("Unexpected first argument '%s'!\n", papszArgs[0]);
6415
6416	/*
6417	* Reinstall the NtDll patches since there is a slight possibility that
6418	* someone undid them while we where busy opening the device.
6419	*/
6420	supR3HardenedWinReInstallHooks(false /fFirstCall /);
6421
6422	/*
6423	* Restore the LdrInitializeThunk code so we can initialize the process
6424	* normally when we return.
6425	*/
6426	SUP_DPRINTF(("supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...\n"));
6427	PSUPHNTLDRCACHEENTRY pLdrEntry;
6428	int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry, RTErrInfoInitStatic(&ErrInfo));
6429	if (RT_FAILURE(rc))
6430	supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheOpen failed on NTDLL: %Rrc %s\n",
6431	rc, ErrInfo.Core.pszMsg);
6432
6433	uint8_t *pbBits;
6434	rc = supHardNtLdrCacheEntryGetBits(pLdrEntry, &pbBits, uNtDllAddr, NULL, NULL, RTErrInfoInitStatic(&ErrInfo));
6435	if (RT_FAILURE(rc))
6436	supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheEntryGetBits failed on NTDLL: %Rrc %s\n",
6437	rc, ErrInfo.Core.pszMsg);
6438
6439	RTLDRADDR uValue;
6440	rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbBits, uNtDllAddr, UINT32_MAX, "LdrInitializeThunk", &uValue);
6441	if (RT_FAILURE(rc))
6442	supR3HardenedFatal("supR3HardenedVmProcessInit: Failed to find LdrInitializeThunk (%Rrc).\n", rc);
6443
6444	PVOID pvLdrInitThunk = (PVOID)(uintptr_t)uValue;
6445	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READWRITE));
6446	memcpy(pvLdrInitThunk, pbBits + ((uintptr_t)uValue - uNtDllAddr), 16);
6447	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READ));
6448
6449	SUP_DPRINTF(("supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...\n"));
6450	return (uintptr_t)pvLdrInitThunk;
6451	}
6452

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: vbox/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp @ 67981

Download in other formats: