Changeset 51977 in vbox
- Timestamp:
- Jul 11, 2014 2:20:36 AM (10 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
-
include/VBox/err.h (modified) (1 diff)
-
src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (1 diff)
-
src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (53 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/include/VBox/err.h
r51797 r51977 2489 2489 /** The image is required to force integrity checks. */ 2490 2490 #define VERR_SUP_VP_SIGNATURE_CHECKS_NOT_ENFORCED (-5661) 2491 /** Process Verficiation Failure: Symantec Endpoint Protection must be 2492 * disabled for the VirtualBox VM processes. 2493 * http://www.symantec.com/connect/articles/creating-application-control-exclusions-symantec-endpoint-protection-121 */ 2494 #define VERR_SUP_VP_SYSFER_DLL (-5662) 2495 2491 2496 2492 2497 /** @} */ -
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
r51972 r51977 570 570 return IS_W70() ? VINF_LDRVI_NOT_SIGNED : rc; 571 571 if (supHardViUtf16PathIsEqual(pwsz, "apphelp.dll")) 572 return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc; 573 if (supHardViUtf16PathIsEqual(pwsz, "sfc.dll")) 572 574 return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc; 573 575 -
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
r51911 r51977 115 115 typedef struct SUPHNTVPSTATE 116 116 { 117 /** The result. */ 118 int rcResult; 117 119 /** Number of images in aImages. */ 118 uint32_t cImages;120 uint32_t cImages; 119 121 /** Images found in the process. 120 122 * The array is large enough to hold the executable, all allowed DLLs, and one 121 123 * more so we can get the image name of the first unwanted DLL. */ 122 SUPHNTVPIMAGE aImages[1+5+1];124 SUPHNTVPIMAGE aImages[1+6+1]; 123 125 /** Memory compare scratch buffer.*/ 124 126 uint8_t abMemory[_4K]; … … 127 129 /** Section headers for use when comparing file and loaded image. */ 128 130 IMAGE_SECTION_HEADER aSecHdrs[16]; 129 131 /** Pointer to the error info. */ 132 PRTERRINFO pErrInfo; 130 133 } SUPHNTVPSTATE; 131 134 /** Pointer to stat information of a virtual address space scan. */ … … 146 149 "kernelbase.dll", 147 150 "apphelp.dll", 148 "apisetschema.dll" 151 "apisetschema.dll", 152 "sfc.dll" 149 153 }; 150 154 … … 189 193 * 190 194 * @returns @a rc. 191 * @param pErrInfo Pointer to the exten ed error info structure.195 * @param pErrInfo Pointer to the extended error info structure. 192 196 * Can be NULL. 193 197 * @param pszErr Where to return error details. … … 197 201 * @param ... The arguments for the format string. 198 202 */ 199 static int supHardNtVpSetInfo (PRTERRINFO pErrInfo, int rc, const char *pszMsg, ...)203 static int supHardNtVpSetInfo1(PRTERRINFO pErrInfo, int rc, const char *pszMsg, ...) 200 204 { 201 205 va_list va; … … 211 215 212 216 return rc; 217 } 218 219 220 /** 221 * Fills in error information. 222 * 223 * @returns @a rc. 224 * @param pThis The process validator instance. 225 * @param pszErr Where to return error details. 226 * @param cbErr Size of the buffer @a pszErr points to. 227 * @param rc The status to return. 228 * @param pszMsg The format string for the message. 229 * @param ... The arguments for the format string. 230 */ 231 static int supHardNtVpSetInfo2(PSUPHNTVPSTATE pThis, int rc, const char *pszMsg, ...) 232 { 233 va_list va; 234 #ifdef IN_RING3 235 va_start(va, pszMsg); 236 supR3HardenedError(rc, false /*fFatal*/, "%N\n", pszMsg, &va); 237 va_end(va); 238 #endif 239 240 va_start(va, pszMsg); 241 #ifdef IN_RING0 242 RTErrInfoSetV(pThis->pErrInfo, rc, pszMsg, va); 243 pThis->rcResult = rc; 244 #else 245 if (RT_SUCCESS(pThis->rcResult)) 246 { 247 RTErrInfoSetV(pThis->pErrInfo, rc, pszMsg, va); 248 pThis->rcResult = rc; 249 } 250 else 251 { 252 RTErrInfoAddF(pThis->pErrInfo, rc, " \n[rc=%d] ", rc); 253 RTErrInfoAddV(pThis->pErrInfo, rc, pszMsg, va); 254 } 255 #endif 256 va_end(va); 257 258 return pThis->rcResult; 213 259 } 214 260 … … 254 300 255 301 256 static int supHardNtVpFileMemCompare( const void *pvFile, const void *pvMemory, size_t cbToCompare,257 PSUPHNTVPIMAGE pImage, uint32_t uRva , PRTERRINFO pErrInfo)302 static int supHardNtVpFileMemCompare(PSUPHNTVPSTATE pThis, const void *pvFile, const void *pvMemory, size_t cbToCompare, 303 PSUPHNTVPIMAGE pImage, uint32_t uRva) 258 304 { 259 305 if (suplibHardenedMemComp(pvFile, pvMemory, cbToCompare) == 0) … … 271 317 } 272 318 273 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_MEMORY_VS_FILE_MISMATCH,274 "%s: memory compare at %#x failed: %#x != %#x\n", pImage->pszName, uRva, *pbFile, *pbMemory);275 } 276 277 278 static int supHardNtVpCheckSectionProtection(PSUPHNTVP IMAGE pImage, uint32_t uRva, uint32_t cb, uint32_t fProt,279 PRTERRINFO pErrInfo)319 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_VS_FILE_MISMATCH, 320 "%s: memory compare at %#x failed: %#x != %#x\n", pImage->pszName, uRva, *pbFile, *pbMemory); 321 } 322 323 324 static int supHardNtVpCheckSectionProtection(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, 325 uint32_t uRva, uint32_t cb, uint32_t fProt) 280 326 { 281 327 uint32_t const cbOrg = cb; … … 292 338 && ( fProt != PAGE_READWRITE 293 339 || pImage->aRegions[i].fProt != PAGE_WRITECOPY)) 294 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_SECTION_PROTECTION_MISMATCH,295 "%s: RVA range %#x-%#x protection is %#x, expected %#x. (cb=%#x)",296 pImage->pszName, uRva, uRva + cbLeft - 1, pImage->aRegions[i].fProt, fProt, cb);340 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SECTION_PROTECTION_MISMATCH, 341 "%s: RVA range %#x-%#x protection is %#x, expected %#x. (cb=%#x)", 342 pImage->pszName, uRva, uRva + cbLeft - 1, pImage->aRegions[i].fProt, fProt, cb); 297 343 if (cbLeft >= cb) 298 344 return VINF_SUCCESS; … … 314 360 } 315 361 316 return supHardNtVpSetInfo (pErrInfo, cbOrg == cb ? VERR_SUP_VP_SECTION_NOT_MAPPED : VERR_SUP_VP_SECTION_NOT_FULLY_MAPPED,317 "%s: RVA range %#x-%#x is not mapped?", pImage->pszName, uRva, uRva + cb - 1);362 return supHardNtVpSetInfo2(pThis, cbOrg == cb ? VERR_SUP_VP_SECTION_NOT_MAPPED : VERR_SUP_VP_SECTION_NOT_FULLY_MAPPED, 363 "%s: RVA range %#x-%#x is not mapped?", pImage->pszName, uRva, uRva + cb - 1); 318 364 } 319 365 … … 339 385 NTSTATUS rcNt = supHardNtVpReadFile(hFile, 0, pThis->abFile, sizeof(pThis->abFile)); 340 386 if (!NT_SUCCESS(rcNt)) 341 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_IMAGE_HDR_READ_ERROR,342 "%s: Error reading image header: %#x", pImage->pszName, rcNt);387 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_HDR_READ_ERROR, 388 "%s: Error reading image header: %#x", pImage->pszName, rcNt); 343 389 344 390 uint32_t offNtHdrs = 0; … … 348 394 offNtHdrs = pDosHdr->e_lfanew; 349 395 if (offNtHdrs > 512 || offNtHdrs < sizeof(*pDosHdr)) 350 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_MZ_OFFSET,351 "%s: Unexpected e_lfanew value: %#x", pImage->pszName, offNtHdrs);396 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_MZ_OFFSET, 397 "%s: Unexpected e_lfanew value: %#x", pImage->pszName, offNtHdrs); 352 398 } 353 399 PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)&pThis->abFile[offNtHdrs]; 354 400 if (pNtHdrs->Signature != IMAGE_NT_SIGNATURE) 355 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_IMAGE_SIGNATURE,356 "%s: No PE signature at %#x: %#x", pImage->pszName, offNtHdrs, pNtHdrs->Signature);401 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIGNATURE, 402 "%s: No PE signature at %#x: %#x", pImage->pszName, offNtHdrs, pNtHdrs->Signature); 357 403 358 404 /* … … 364 410 if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) 365 411 #endif 366 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_UNEXPECTED_IMAGE_MACHINE,367 "%s: Unexpected machine: %#x", pImage->pszName, pNtHdrs->FileHeader.Machine);412 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_IMAGE_MACHINE, 413 "%s: Unexpected machine: %#x", pImage->pszName, pNtHdrs->FileHeader.Machine); 368 414 369 415 if (pNtHdrs->FileHeader.SizeOfOptionalHeader != sizeof(pNtHdrs->OptionalHeader)) 370 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_OPTIONAL_HEADER,371 "%s: Unexpected optional header size: %#x",372 pImage->pszName, pNtHdrs->FileHeader.SizeOfOptionalHeader);416 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER, 417 "%s: Unexpected optional header size: %#x", 418 pImage->pszName, pNtHdrs->FileHeader.SizeOfOptionalHeader); 373 419 374 420 if (pNtHdrs->OptionalHeader.Magic != RT_CONCAT3(IMAGE_NT_OPTIONAL_HDR,ARCH_BITS,_MAGIC)) 375 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_OPTIONAL_HEADER,376 "%s: Unexpected optional header magic: %#x", pImage->pszName, pNtHdrs->OptionalHeader.Magic);421 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER, 422 "%s: Unexpected optional header magic: %#x", pImage->pszName, pNtHdrs->OptionalHeader.Magic); 377 423 if (pNtHdrs->OptionalHeader.NumberOfRvaAndSizes != IMAGE_NUMBEROF_DIRECTORY_ENTRIES) 378 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_OPTIONAL_HEADER,379 "%s: Unexpected data dirs: %#x", pImage->pszName, pNtHdrs->OptionalHeader.NumberOfRvaAndSizes);424 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER, 425 "%s: Unexpected data dirs: %#x", pImage->pszName, pNtHdrs->OptionalHeader.NumberOfRvaAndSizes); 380 426 381 427 /* … … 384 430 uint32_t const cSections = pNtHdrs->FileHeader.NumberOfSections; 385 431 if (cSections > RT_ELEMENTS(pThis->aSecHdrs)) 386 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_TOO_MANY_SECTIONS,387 "%s: Too many section headers: %#x", pImage->pszName, cSections);432 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_SECTIONS, 433 "%s: Too many section headers: %#x", pImage->pszName, cSections); 388 434 suplibHardenedMemCopy(pThis->aSecHdrs, pNtHdrs + 1, cSections * sizeof(IMAGE_SECTION_HEADER)); 389 435 390 436 uintptr_t const uImageBase = pNtHdrs->OptionalHeader.ImageBase; 391 437 if (uImageBase & PAGE_OFFSET_MASK) 392 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_IMAGE_BASE,393 "%s: Invalid image base: %p", pImage->pszName, uImageBase);438 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_BASE, 439 "%s: Invalid image base: %p", pImage->pszName, uImageBase); 394 440 395 441 uint32_t const cbImage = pNtHdrs->OptionalHeader.SizeOfImage; 396 442 if (RT_ALIGN_32(pImage->cbImage, PAGE_SIZE) != RT_ALIGN_32(cbImage, PAGE_SIZE) && !pImage->fApiSetSchemaOnlySection1) 397 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_IMAGE_SIZE,398 "%s: SizeOfImage (%#x) isn't close enough to the mapping size (%#x)",399 pImage->pszName, cbImage, pImage->cbImage);443 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE, 444 "%s: SizeOfImage (%#x) isn't close enough to the mapping size (%#x)", 445 pImage->pszName, cbImage, pImage->cbImage); 400 446 401 447 uint32_t const cbSectAlign = pNtHdrs->OptionalHeader.SectionAlignment; … … 403 449 || cbSectAlign < PAGE_SIZE 404 450 || cbSectAlign > (pImage->fApiSetSchemaOnlySection1 ? _64K : (uint32_t)PAGE_SIZE) ) 405 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_SECTION_ALIGNMENT_VALUE,406 "%s: Unexpected SectionAlignment value: %#x", pImage->pszName, cbSectAlign);451 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_ALIGNMENT_VALUE, 452 "%s: Unexpected SectionAlignment value: %#x", pImage->pszName, cbSectAlign); 407 453 408 454 uint32_t const cbFileAlign = pNtHdrs->OptionalHeader.FileAlignment; 409 455 if (!RT_IS_POWER_OF_TWO(cbFileAlign) || cbFileAlign < 512 || cbFileAlign > PAGE_SIZE || cbFileAlign > cbSectAlign) 410 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_FILE_ALIGNMENT_VALUE,411 "%s: Unexpected FileAlignment value: %#x (cbSectAlign=%#x)",412 pImage->pszName, cbFileAlign, cbSectAlign);456 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_FILE_ALIGNMENT_VALUE, 457 "%s: Unexpected FileAlignment value: %#x (cbSectAlign=%#x)", 458 pImage->pszName, cbFileAlign, cbSectAlign); 413 459 414 460 uint32_t const cbHeaders = pNtHdrs->OptionalHeader.SizeOfHeaders; 415 461 uint32_t const cbMinHdrs = offNtHdrs + sizeof(*pNtHdrs) + sizeof(IMAGE_SECTION_HEADER) * cSections; 416 462 if (cbHeaders < cbMinHdrs) 417 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_SIZE_OF_HEADERS,418 "%s: Headers are too small: %#x < %#x (cSections=%#x)",419 pImage->pszName, cbHeaders, cbMinHdrs, cSections);463 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS, 464 "%s: Headers are too small: %#x < %#x (cSections=%#x)", 465 pImage->pszName, cbHeaders, cbMinHdrs, cSections); 420 466 uint32_t const cbHdrsFile = RT_ALIGN_32(cbHeaders, cbFileAlign); 421 467 if (cbHdrsFile > sizeof(pThis->abFile)) 422 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_SIZE_OF_HEADERS,423 "%s: Headers are larger than expected: %#x/%#x (expected max %zx)",424 pImage->pszName, cbHeaders, cbHdrsFile, sizeof(pThis->abFile));468 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS, 469 "%s: Headers are larger than expected: %#x/%#x (expected max %zx)", 470 pImage->pszName, cbHeaders, cbHdrsFile, sizeof(pThis->abFile)); 425 471 426 472 /* … … 433 479 rcNt = supHardNtVpReadMem(hProcess, pImage->uImageBase, pThis->abMemory, cbHdrsFile); 434 480 if (!NT_SUCCESS(rcNt)) 435 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_MEMORY_READ_ERROR,436 "%s: Error reading image header from memory: %#x", pImage->pszName, rcNt);481 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_READ_ERROR, 482 "%s: Error reading image header from memory: %#x", pImage->pszName, rcNt); 437 483 if (uImageBase != pImage->uImageBase) 438 484 pNtHdrs->OptionalHeader.ImageBase = pImage->uImageBase; 439 485 440 rc = supHardNtVpFileMemCompare(pThis ->abFile, pThis->abMemory, cbHeaders, pImage, 0 /*uRva*/, pErrInfo);486 rc = supHardNtVpFileMemCompare(pThis, pThis->abFile, pThis->abMemory, cbHeaders, pImage, 0 /*uRva*/); 441 487 if (RT_FAILURE(rc)) 442 488 return rc; 443 rc = supHardNtVpCheckSectionProtection(p Image, 0 /*uRva*/, cbHdrsFile, PAGE_READONLY, pErrInfo);489 rc = supHardNtVpCheckSectionProtection(pThis, pImage, 0 /*uRva*/, cbHdrsFile, PAGE_READONLY); 444 490 if (RT_FAILURE(rc)) 445 491 return rc; … … 461 507 uint32_t uSectRva = pThis->aSecHdrs[i].VirtualAddress; 462 508 if (uSectRva < uRva || uSectRva > cbImage || RT_ALIGN_32(uSectRva, cbSectAlign) != uSectRva) 463 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_SECTION_RVA,464 "%s: Section %u: Invalid virtual address: %#x (uRva=%#x, cbImage=%#x, cbSectAlign=%#x)",465 pImage->pszName, i, uSectRva, uRva, cbImage, cbSectAlign);509 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_RVA, 510 "%s: Section %u: Invalid virtual address: %#x (uRva=%#x, cbImage=%#x, cbSectAlign=%#x)", 511 pImage->pszName, i, uSectRva, uRva, cbImage, cbSectAlign); 466 512 uint32_t cbMap = pThis->aSecHdrs[i].Misc.VirtualSize; 467 513 if (cbMap > cbImage || uRva + cbMap > cbImage) 468 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_SECTION_VIRTUAL_SIZE,469 "%s: Section %u: Invalid virtual size: %#x (uSectRva=%#x, uRva=%#x, cbImage=%#x)",470 pImage->pszName, i, cbMap, uSectRva, uRva, cbImage);514 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_VIRTUAL_SIZE, 515 "%s: Section %u: Invalid virtual size: %#x (uSectRva=%#x, uRva=%#x, cbImage=%#x)", 516 pImage->pszName, i, cbMap, uSectRva, uRva, cbImage); 471 517 uint32_t cbFile = pThis->aSecHdrs[i].SizeOfRawData; 472 518 if (cbFile != RT_ALIGN_32(cbFile, cbFileAlign) || cbFile > RT_ALIGN_32(cbMap, cbSectAlign)) 473 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_BAD_SECTION_FILE_SIZE,474 "%s: Section %u: Invalid file size: %#x (cbMap=%#x, uSectRva=%#x)",475 pImage->pszName, i, cbFile, cbMap, uSectRva);519 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_FILE_SIZE, 520 "%s: Section %u: Invalid file size: %#x (cbMap=%#x, uSectRva=%#x)", 521 pImage->pszName, i, cbFile, cbMap, uSectRva); 476 522 477 523 /* Validate the protection. */ … … 503 549 break; 504 550 default: 505 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_UNEXPECTED_SECTION_FLAGS,506 "%s: Section %u: Unexpected characteristics: %#x (uSectRva=%#x, cbMap=%#x)",507 pImage->pszName, i, pThis->aSecHdrs[i].Characteristics, uSectRva, cbMap);551 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_SECTION_FLAGS, 552 "%s: Section %u: Unexpected characteristics: %#x (uSectRva=%#x, cbMap=%#x)", 553 pImage->pszName, i, pThis->aSecHdrs[i].Characteristics, uSectRva, cbMap); 508 554 509 555 } 510 rc = supHardNtVpCheckSectionProtection(p Image, uSectRva, RT_ALIGN_32(cbMap, PAGE_SIZE), fProt, pErrInfo);556 rc = supHardNtVpCheckSectionProtection(pThis, pImage, uSectRva, RT_ALIGN_32(cbMap, PAGE_SIZE), fProt); 511 557 if (RT_FAILURE(rc)) 512 558 return rc; … … 547 593 * @param hProcess Handle to the process. 548 594 * @param hFile Handle to the image file. 549 * @param pErrInfo Pointer to error info structure. Optional. 550 */ 551 static int supHardNtVpVerifyImage(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, HANDLE hProcess, PRTERRINFO pErrInfo) 595 */ 596 static int supHardNtVpVerifyImage(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, HANDLE hProcess) 552 597 { 553 598 /* … … 577 622 rcNt = Ios.Status; 578 623 if (!NT_SUCCESS(rcNt)) 579 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_IMAGE_FILE_OPEN_ERROR,624 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_FILE_OPEN_ERROR, 580 625 "Error opening image for scanning: %#x (name %ls)", rcNt, pImage->Name.UniStr.Buffer); 581 626 … … 586 631 int rc = supHardenedWinVerifyImageByHandle(hFile, pImage->Name.UniStr.Buffer, 587 632 pImage->fDll ? 0 : SUPHNTVI_F_REQUIRE_BUILD_CERT, 588 NULL /*pfCacheable*/, p ErrInfo);633 NULL /*pfCacheable*/, pThis->pErrInfo); 589 634 if (RT_SUCCESS(rc)) 590 rc = supHardNtVpVerifyImageCompareMemory(pThis, pImage, hProcess, hFile, p ErrInfo);635 rc = supHardNtVpVerifyImageCompareMemory(pThis, pImage, hProcess, hFile, pThis->pErrInfo); 591 636 592 637 /* … … 595 640 rcNt = NtClose(hFile); 596 641 if (!NT_SUCCESS(rcNt) && RT_SUCCESS(rc)) 597 rc = supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_IMAGE_FILE_CLOSE_ERROR,642 rc = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_FILE_CLOSE_ERROR, 598 643 "Error closing image after scanning: %#x (name %ls)", rcNt, pImage->Name.UniStr.Buffer); 599 644 return rc; … … 619 664 NTSTATUS rcNt = NtQueryInformationThread(hThread, ThreadAmILastThread, &fAmI, sizeof(fAmI), &cbIgn); 620 665 if (!NT_SUCCESS(rcNt)) 621 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_QI_THREAD_ERROR,622 666 return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NT_QI_THREAD_ERROR, 667 "NtQueryInformationThread/ThreadAmILastThread -> %#x", rcNt); 623 668 if (!fAmI) 624 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_THREAD_NOT_ALONE,625 669 return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_THREAD_NOT_ALONE, 670 "More than one thread in process"); 626 671 627 672 /** @todo Would be nice to verify the relation ship between hProcess and hThread … … 651 696 &uPtr, sizeof(uPtr), &cbIgn); 652 697 if (!NT_SUCCESS(rcNt)) 653 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_QI_PROCESS_DBG_PORT_ERROR,654 698 return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NT_QI_PROCESS_DBG_PORT_ERROR, 699 "NtQueryInformationProcess/ProcessDebugPort -> %#x", rcNt); 655 700 if (uPtr != 0) 656 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_DEBUGGED,657 701 return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_DEBUGGED, 702 "Debugger attached (%#zx)", uPtr); 658 703 return VINF_SUCCESS; 659 704 } … … 675 720 PSUPHNTVPSTATE pThis = (PSUPHNTVPSTATE)suplibHardenedAllocZ(sizeof(*pThis)); 676 721 if (pThis) 722 { 723 pThis->rcResult = VINF_SUCCESS; 724 pThis->pErrInfo = pErrInfo; 677 725 return pThis; 678 supHardNtVpSetInfo(pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for state structures.", sizeof(*pThis)); 726 } 727 supHardNtVpSetInfo1(pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for state structures.", sizeof(*pThis)); 679 728 return NULL; 680 729 } … … 726 775 * 727 776 * @returns VBox status code. 777 * @param pThis The process scanning state structure. 728 778 * @param pImage The new image structure. Only the unicode name 729 779 * buffer is valid. 730 780 * @param pMemInfo The memory information for the image. 731 * @param pErrInfo Pointer to error info structure. Optional. 732 */ 733 static int supHardNtVpNewImage(PSUPHNTVPIMAGE pImage, PMEMORY_BASIC_INFORMATION pMemInfo, PRTERRINFO pErrInfo) 781 */ 782 static int supHardNtVpNewImage(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, PMEMORY_BASIC_INFORMATION pMemInfo) 734 783 { 735 784 /* … … 747 796 } 748 797 if (!*pwszFilename) 749 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NO_IMAGE_MAPPING_NAME,750 "Empty filename (len=%u) for image at %p.", pImage->Name.UniStr.Length, pMemInfo->BaseAddress);798 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_IMAGE_MAPPING_NAME, 799 "Empty filename (len=%u) for image at %p.", pImage->Name.UniStr.Length, pMemInfo->BaseAddress); 751 800 752 801 /* … … 773 822 g_System32NtPath.UniStr.Buffer, 774 823 cwcDirName * sizeof(WCHAR))) 775 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NON_SYSTEM32_DLL,776 "Expected %ls to be loaded from %ls.",777 pImage->Name.UniStr.Buffer, g_System32NtPath.UniStr.Buffer);824 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NON_SYSTEM32_DLL, 825 "Expected %ls to be loaded from %ls.", 826 pImage->Name.UniStr.Buffer, g_System32NtPath.UniStr.Buffer); 778 827 779 828 break; … … 793 842 } 794 843 if (!pImage->pszName) 795 return supHardNtVpSetInfo(pErrInfo, VERR_SUP_VP_NOT_KNOWN_DLL_OR_EXE, 796 "Unknown image file %ls at %p.", pImage->Name.UniStr.Buffer, pMemInfo->BaseAddress); 844 { 845 if ( pMemInfo->AllocationBase == pMemInfo->BaseAddress 846 && ( supHardNtVpAreNamesEqual("sysfer.dll", pwszFilename) 847 || supHardNtVpAreNamesEqual("sysfer32.dll", pwszFilename) 848 || supHardNtVpAreNamesEqual("sysfer64.dll", pwszFilename)) ) 849 { 850 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SYSFER_DLL, 851 "Found %ls at %p - This is probably part of Symantec Endpoint Protection. \n" 852 "You or your admin need to add and exception to the Application and Device Control (ADC) " 853 "component (or disable it) to prevent ADC from injecting itself into the VirtualBox VM processes. " 854 "See http://www.symantec.com/connect/articles/creating-application-control-exclusions-symantec-endpoint-protection-121" 855 , pImage->Name.UniStr.Buffer, pMemInfo->BaseAddress); 856 return pThis->rcResult = VERR_SUP_VP_SYSFER_DLL; /* Try make sure this is what the user sees first! */ 857 } 858 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NOT_KNOWN_DLL_OR_EXE, 859 "Unknown image file %ls at %p.", pImage->Name.UniStr.Buffer, pMemInfo->BaseAddress); 860 } 797 861 798 862 /* … … 800 864 */ 801 865 if (pMemInfo->AllocationBase != pMemInfo->BaseAddress) 802 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_IMAGE_MAPPING_BASE_ERROR,803 "Invalid AllocationBase/BaseAddress for %s: %p vs %p.",804 pImage->pszName, pMemInfo->AllocationBase, pMemInfo->BaseAddress);866 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_MAPPING_BASE_ERROR, 867 "Invalid AllocationBase/BaseAddress for %s: %p vs %p.", 868 pImage->pszName, pMemInfo->AllocationBase, pMemInfo->BaseAddress); 805 869 806 870 /* … … 808 872 */ 809 873 if (pMemInfo->RegionSize >= _2G) 810 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_TOO_LARGE_REGION,811 "Region 0 of image %s is too large: %p.", pImage->pszName, pMemInfo->RegionSize);874 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_LARGE_REGION, 875 "Region 0 of image %s is too large: %p.", pImage->pszName, pMemInfo->RegionSize); 812 876 813 877 /* … … 829 893 * 830 894 * @returns VBox status code. 895 * @param pThis The process scanning state structure. 831 896 * @param pImage The image. 832 897 * @param pMemInfo The memory information for the region. 833 * @param pErrInfo Pointer to error info structure. Optional. 834 */ 835 static int supHardNtVpAddRegion(PSUPHNTVPIMAGE pImage, PMEMORY_BASIC_INFORMATION pMemInfo, PRTERRINFO pErrInfo) 898 */ 899 static int supHardNtVpAddRegion(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, PMEMORY_BASIC_INFORMATION pMemInfo) 836 900 { 837 901 /* … … 839 903 */ 840 904 if (pImage->uImageBase != (uintptr_t)pMemInfo->AllocationBase) 841 return supHardNtVpSetInfo (pErrInfo, VERR_SUPLIB_NT_PROCESS_UNTRUSTED_3,842 "Base address mismatch for %s: have %p, found %p for region %p LB %#zx.",843 pImage->pszName, pImage->uImageBase, pMemInfo->AllocationBase,844 pMemInfo->BaseAddress, pMemInfo->RegionSize);905 return supHardNtVpSetInfo2(pThis, VERR_SUPLIB_NT_PROCESS_UNTRUSTED_3, 906 "Base address mismatch for %s: have %p, found %p for region %p LB %#zx.", 907 pImage->pszName, pImage->uImageBase, pMemInfo->AllocationBase, 908 pMemInfo->BaseAddress, pMemInfo->RegionSize); 845 909 846 910 /* … … 849 913 uintptr_t uRva = (uintptr_t)pMemInfo->BaseAddress - pImage->uImageBase; 850 914 if (pMemInfo->RegionSize >= _2G) 851 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_TOO_LARGE_REGION,852 "Region %u of image %s is too large: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva);915 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_LARGE_REGION, 916 "Region %u of image %s is too large: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva); 853 917 if (uRva >= _2G) 854 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_TOO_HIGH_REGION_RVA,855 "Region %u of image %s is too high: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva);918 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_HIGH_REGION_RVA, 919 "Region %u of image %s is too high: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva); 856 920 857 921 … … 861 925 uint32_t iRegion = pImage->cRegions; 862 926 if (iRegion + 1 >= RT_ELEMENTS(pImage->aRegions)) 863 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_TOO_MANY_IMAGE_REGIONS,864 "Too many regions for %s.", pImage->pszName);927 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_IMAGE_REGIONS, 928 "Too many regions for %s.", pImage->pszName); 865 929 pImage->aRegions[iRegion].uRva = (uint32_t)uRva; 866 930 pImage->aRegions[iRegion].cb = (uint32_t)pMemInfo->RegionSize; … … 883 947 * about images are added to this. 884 948 * @param hProcess The process to verify. 885 * @param pErrInfo Pointer to error info structure. Optional. 886 */ 887 static int supHardNtVpScanVirtualMemory(PSUPHNTVPSTATE pThis, HANDLE hProcess, PRTERRINFO pErrInfo) 949 */ 950 static int supHardNtVpScanVirtualMemory(PSUPHNTVPSTATE pThis, HANDLE hProcess) 888 951 { 889 952 uint32_t cXpExceptions = 0; … … 903 966 { 904 967 if (rcNt == STATUS_INVALID_PARAMETER) 905 return VINF_SUCCESS;906 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_ERROR,907 "NtQueryVirtualMemory failed for %p: %#x", uPtrWhere, rcNt);968 return pThis->rcResult; 969 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_ERROR, 970 "NtQueryVirtualMemory failed for %p: %#x", uPtrWhere, rcNt); 908 971 } 909 972 … … 923 986 &cbActual); 924 987 if (!NT_SUCCESS(rcNt)) 925 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_NM_ERROR,926 "NtQueryVirtualMemory/MemorySectionName failed for %p: %#x", uPtrWhere, rcNt);988 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_NM_ERROR, 989 "NtQueryVirtualMemory/MemorySectionName failed for %p: %#x", uPtrWhere, rcNt); 927 990 pThis->aImages[iImg].Name.UniStr.Buffer[pThis->aImages[iImg].Name.UniStr.Length / sizeof(WCHAR)] = '\0'; 928 991 … … 933 996 if (supHardNtVpAreUniStringsEqual(&pThis->aImages[iSearch].Name.UniStr, &pThis->aImages[iImg].Name.UniStr)) 934 997 { 935 int rc = supHardNtVpAddRegion( &pThis->aImages[iSearch], &MemInfo, pErrInfo);998 int rc = supHardNtVpAddRegion(pThis, &pThis->aImages[iSearch], &MemInfo); 936 999 if (RT_FAILURE(rc)) 937 1000 return rc; … … 940 1003 } 941 1004 else if (pThis->aImages[iSearch].uImageBase == (uintptr_t)MemInfo.AllocationBase) 942 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_MAPPING_NAME_CHANGED,943 "Unexpected base address match");1005 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_MAPPING_NAME_CHANGED, 1006 "Unexpected base address match"); 944 1007 945 1008 if (fNew) 946 1009 { 947 int rc = supHardNtVpNewImage(&pThis->aImages[iImg], &MemInfo, pErrInfo); 948 if (RT_FAILURE(rc)) 1010 int rc = supHardNtVpNewImage(pThis, &pThis->aImages[iImg], &MemInfo); 1011 if (RT_SUCCESS(rc)) 1012 { 1013 pThis->cImages++; 1014 if (pThis->cImages >= RT_ELEMENTS(pThis->aImages)) 1015 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_DLLS_LOADED, 1016 "Internal error: aImages is full.\n"); 1017 } 1018 #ifdef IN_RING3 /* Continue and add more information if unknown DLLs are found. */ 1019 else if (rc != VERR_SUP_VP_NOT_KNOWN_DLL_OR_EXE && rc != VERR_SUP_VP_NON_SYSTEM32_DLL) 949 1020 return rc; 950 pThis->cImages++; 951 if (pThis->cImages >= RT_ELEMENTS(pThis->aImages))952 return supHardNtVpSetInfo(pErrInfo, VERR_SUP_VP_TOO_MANY_DLLS_LOADED,953 "Internal error: aImages is full.\n"); 1021 #else 1022 else 1023 return rc; 1024 #endif 954 1025 } 955 1026 } … … 968 1039 */ 969 1040 else if (MemInfo.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) 970 return supHardNtVpSetInfo(pErrInfo, VERR_SUP_VP_FOUND_EXEC_MEMORY, 971 "Found executable memory at %p (%p LB %#zx): type=%#x prot=%#x state=%#x aprot=%#x abase=%p", 972 uPtrWhere, 973 MemInfo.BaseAddress, 974 MemInfo.RegionSize, 975 MemInfo.Type, 976 MemInfo.Protect, 977 MemInfo.State, 978 MemInfo.AllocationBase, 979 MemInfo.AllocationProtect); 1041 { 1042 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FOUND_EXEC_MEMORY, 1043 "Found executable memory at %p (%p LB %#zx): type=%#x prot=%#x state=%#x aprot=%#x abase=%p", 1044 uPtrWhere, 1045 MemInfo.BaseAddress, 1046 MemInfo.RegionSize, 1047 MemInfo.Type, 1048 MemInfo.Protect, 1049 MemInfo.State, 1050 MemInfo.AllocationBase, 1051 MemInfo.AllocationProtect); 1052 #ifdef IN_RING3 1053 /* Continue add more information about the problematic process. */ 1054 #else 1055 return pThis->rcResult; 1056 #endif 1057 } 980 1058 981 1059 /* … … 984 1062 cbAdvance = MemInfo.RegionSize; 985 1063 if (uPtrWhere + cbAdvance <= uPtrWhere) 986 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_EMPTY_REGION_TOO_LARGE,987 "Empty region at %p.", uPtrWhere);1064 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EMPTY_REGION_TOO_LARGE, 1065 "Empty region at %p.", uPtrWhere); 988 1066 uPtrWhere += MemInfo.RegionSize; 989 1067 } 990 1068 991 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_TOO_MANY_MEMORY_REGIONS,992 "Too many virtual memory regions.\n");1069 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_MEMORY_REGIONS, 1070 "Too many virtual memory regions.\n"); 993 1071 } 994 1072 … … 1001 1079 * about images are added to this. 1002 1080 * @param hProcess The process to verify. 1003 * @param pErrInfo Pointer to error info structure. Optional. 1004 */ 1005 static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis, HANDLE hProcess, PRTERRINFO pErrInfo) 1081 */ 1082 static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis, HANDLE hProcess) 1006 1083 { 1007 1084 /* … … 1020 1097 } 1021 1098 if (cExecs == 0) 1022 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NO_FOUND_NO_EXE_MAPPING,1023 "No executable mapping found in the virtual address space.");1099 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_FOUND_NO_EXE_MAPPING, 1100 "No executable mapping found in the virtual address space."); 1024 1101 if (cExecs != 1) 1025 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_FOUND_MORE_THAN_ONE_EXE_MAPPING,1026 "Found more than one executable mapping in the virtual address space.");1102 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FOUND_MORE_THAN_ONE_EXE_MAPPING, 1103 "Found more than one executable mapping in the virtual address space."); 1027 1104 PSUPHNTVPIMAGE pImage = &pThis->aImages[iExe]; 1028 1105 … … 1034 1111 PUNICODE_STRING pUniStr = (PUNICODE_STRING)suplibHardenedAllocZ(cbUniStr); 1035 1112 if (!pUniStr) 1036 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NO_MEMORY,1113 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_MEMORY, 1037 1114 "Error allocating %zu bytes for process name.", cbUniStr); 1038 1115 ULONG cbIgn = 0; … … 1045 1122 { 1046 1123 pUniStr->Buffer[pUniStr->Length / sizeof(WCHAR)] = '\0'; 1047 rc = supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_EXE_VS_PROC_NAME_MISMATCH,1048 "Process image name does not match the exectuable we found: %ls vs %ls.",1049 pUniStr->Buffer, pImage->Name.UniStr.Buffer);1124 rc = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_VS_PROC_NAME_MISMATCH, 1125 "Process image name does not match the exectuable we found: %ls vs %ls.", 1126 pUniStr->Buffer, pImage->Name.UniStr.Buffer); 1050 1127 } 1051 1128 } 1052 1129 else 1053 rc = supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_QI_PROCESS_NM_ERROR,1054 "NtQueryInformationProcess/ProcessImageFileName failed: %#x", rcNt);1130 rc = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_PROCESS_NM_ERROR, 1131 "NtQueryInformationProcess/ProcessImageFileName failed: %#x", rcNt); 1055 1132 suplibHardenedFree(pUniStr); 1056 1133 if (RT_FAILURE(rc)) … … 1061 1138 * This will load the fDllCharecteristics and fImageCharecteristics members we use below. 1062 1139 */ 1063 rc = supHardNtVpVerifyImage(pThis, pImage, hProcess , pErrInfo);1140 rc = supHardNtVpVerifyImage(pThis, pImage, hProcess); 1064 1141 if (RT_FAILURE(rc)) 1065 1142 return rc; … … 1071 1148 rcNt = NtQueryInformationProcess(hProcess, ProcessImageInformation, &ImageInfo, sizeof(ImageInfo), NULL); 1072 1149 if (!NT_SUCCESS(rcNt)) 1073 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NT_QI_PROCESS_IMG_INFO_ERROR,1074 "NtQueryInformationProcess/ProcessImageInformation failed: %#x", rcNt);1150 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_PROCESS_IMG_INFO_ERROR, 1151 "NtQueryInformationProcess/ProcessImageInformation failed: %#x", rcNt); 1075 1152 if ( !(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)) 1076 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_EXE_MISSING_FORCE_INTEGRITY,1077 "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY to be set.",1078 ImageInfo.DllCharacteristics);1153 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_FORCE_INTEGRITY, 1154 "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY to be set.", 1155 ImageInfo.DllCharacteristics); 1079 1156 if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) 1080 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_EXE_MISSING_DYNAMIC_BASE,1081 "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE to be set.",1082 ImageInfo.DllCharacteristics);1157 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_DYNAMIC_BASE, 1158 "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE to be set.", 1159 ImageInfo.DllCharacteristics); 1083 1160 if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) 1084 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_EXE_MISSING_NX_COMPAT,1085 "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_NX_COMPAT to be set.",1086 ImageInfo.DllCharacteristics);1161 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_NX_COMPAT, 1162 "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_NX_COMPAT to be set.", 1163 ImageInfo.DllCharacteristics); 1087 1164 1088 1165 if (pImage->fDllCharecteristics != ImageInfo.DllCharacteristics) 1089 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_DLL_CHARECTERISTICS_MISMATCH,1090 "EXE Info.DllCharacteristics=%#x fDllCharecteristics=%#x.",1091 ImageInfo.DllCharacteristics, pImage->fDllCharecteristics);1166 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DLL_CHARECTERISTICS_MISMATCH, 1167 "EXE Info.DllCharacteristics=%#x fDllCharecteristics=%#x.", 1168 ImageInfo.DllCharacteristics, pImage->fDllCharecteristics); 1092 1169 1093 1170 if (pImage->fImageCharecteristics != ImageInfo.ImageCharacteristics) 1094 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_DLL_CHARECTERISTICS_MISMATCH,1095 "EXE Info.ImageCharacteristics=%#x fImageCharecteristics=%#x.",1096 ImageInfo.ImageCharacteristics, pImage->fImageCharecteristics);1171 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DLL_CHARECTERISTICS_MISMATCH, 1172 "EXE Info.ImageCharacteristics=%#x fImageCharecteristics=%#x.", 1173 ImageInfo.ImageCharacteristics, pImage->fImageCharecteristics); 1097 1174 1098 1175 return VINF_SUCCESS; … … 1107 1184 * about images are added to this. 1108 1185 * @param hProcess The process to verify. 1109 * @param pErrInfo Pointer to error info structure. Optional. 1110 */ 1111 static int supHardNtVpCheckDlls(PSUPHNTVPSTATE pThis, HANDLE hProcess, PRTERRINFO pErrInfo) 1186 */ 1187 static int supHardNtVpCheckDlls(PSUPHNTVPSTATE pThis, HANDLE hProcess) 1112 1188 { 1113 1189 /* … … 1121 1197 while (j-- > 0) 1122 1198 if (pThis->aImages[j].pszName == pszName) 1123 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_DUPLICATE_DLL_MAPPING,1124 "Duplicate image entries for %s: %ls and %ls",1125 pszName, pThis->aImages[i].Name.UniStr.Buffer, pThis->aImages[j].Name.UniStr.Buffer);1199 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DUPLICATE_DLL_MAPPING, 1200 "Duplicate image entries for %s: %ls and %ls", 1201 pszName, pThis->aImages[i].Name.UniStr.Buffer, pThis->aImages[j].Name.UniStr.Buffer); 1126 1202 } 1127 1203 … … 1142 1218 iApiSetSchema = i; 1143 1219 if (iNtDll == UINT32_MAX) 1144 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NO_NTDLL_MAPPING,1145 "The process has no NTDLL.DLL.");1220 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_NTDLL_MAPPING, 1221 "The process has no NTDLL.DLL."); 1146 1222 if (iKernel32 == UINT32_MAX) 1147 return supHardNtVpSetInfo (pErrInfo, VERR_SUP_VP_NO_KERNEL32_MAPPING,1148 "The process has no KERNEL32.DLL.");1223 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_KERNEL32_MAPPING, 1224 "The process has no KERNEL32.DLL."); 1149 1225 1150 1226 … … 1158 1234 pThis->aImages[i].fApiSetSchemaOnlySection1 = i == iApiSetSchema && pThis->aImages[i].cRegions == 1; 1159 1235 1160 int rc = supHardNtVpVerifyImage(pThis, &pThis->aImages[i], hProcess , pErrInfo);1236 int rc = supHardNtVpVerifyImage(pThis, &pThis->aImages[i], hProcess); 1161 1237 if (RT_FAILURE(rc)) 1162 1238 return rc; … … 1198 1274 if (pThis) 1199 1275 { 1200 rc = supHardNtVpScanVirtualMemory(pThis, hProcess , pErrInfo);1276 rc = supHardNtVpScanVirtualMemory(pThis, hProcess); 1201 1277 if (RT_SUCCESS(rc)) 1202 rc = supHardNtVpCheckExe(pThis, hProcess , pErrInfo);1278 rc = supHardNtVpCheckExe(pThis, hProcess); 1203 1279 if (RT_SUCCESS(rc)) 1204 rc = supHardNtVpCheckDlls(pThis, hProcess , pErrInfo);1280 rc = supHardNtVpCheckDlls(pThis, hProcess); 1205 1281 1206 1282 suplibHardenedFree(pThis);
Note:
See TracChangeset
for help on using the changeset viewer.
