Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (revision 52953) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (revision 52954) @@ -56,4 +56,7 @@ DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t *pcFixes, PRTERRINFO pErrInfo); +DECLHIDDEN(int) supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo); +DECLHIDDEN(int) supHardNtVpDebugger(HANDLE hProcess, PRTERRINFO pErrInfo); + DECLHIDDEN(bool) supHardViUtf16PathIsEqualEx(PCRTUTF16 pawcLeft, size_t cwcLeft, const char *pszRight); Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (revision 52953) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (revision 52954) @@ -1033,5 +1033,5 @@ * @param pErrInfo Pointer to error info structure. Optional. */ -static int supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo) +DECLHIDDEN(int) supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo) { /* @@ -1056,5 +1056,4 @@ -#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS /** * Verifies that there isn't a debugger attached to the process. @@ -1064,6 +1063,7 @@ * @param pErrInfo Pointer to error info structure. Optional. */ -static int supHardNtVpDebugger(HANDLE hProcess, PRTERRINFO pErrInfo) -{ +DECLHIDDEN(int) supHardNtVpDebugger(HANDLE hProcess, PRTERRINFO pErrInfo) +{ +#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS /* * Use the ProcessDebugPort request to check there is no debugger @@ -1081,7 +1081,7 @@ return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_DEBUGGED, "Debugger attached (%#zx)", uPtr); +#endif /* !VBOX_WITHOUT_DEBUGGER_CHECKS */ return VINF_SUCCESS; } -#endif /* !VBOX_WITHOUT_DEBUGGER_CHECKS */ @@ -2140,8 +2140,6 @@ if (enmKind != SUPHARDNTVPKIND_CHILD_PURIFICATION) rc = supHardNtVpThread(hProcess, hThread, pErrInfo); -#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS if (RT_SUCCESS(rc)) rc = supHardNtVpDebugger(hProcess, pErrInfo); -#endif if (RT_SUCCESS(rc)) { Index: /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (revision 52953) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (revision 52954) @@ -2368,4 +2368,19 @@ /** + * Checks if the calling thread is the only one in the process. + * + * @returns true if we're positive we're alone, false if not. + */ +static bool supR3HardenedWinAmIAlone(void) +{ + ULONG fAmIAlone = 0; + ULONG cbIgn = 0; + NTSTATUS rcNt = NtQueryInformationThread(NtCurrentThread(), ThreadAmILastThread, &fAmIAlone, sizeof(fAmIAlone), &cbIgn); + Assert(NT_SUCCESS(rcNt)); + return NT_SUCCESS(rcNt) && fAmIAlone != 0; +} + + +/** * Simplify NtProtectVirtualMemory interface. * @@ -2428,15 +2443,6 @@ */ -#if 0 /* For testing purposes. */ if (fAmIAlone == ~(ULONG)0) - { - ULONG cbIgn = 0; - NTSTATUS rcNt = NtQueryInformationThread(NtCurrentThread(), ThreadAmILastThread, - &fAmIAlone, sizeof(fAmIAlone), &cbIgn); - fAmIAlone = NT_SUCCESS(rcNt) && fAmIAlone != 0; - } -#else - fAmIAlone = 0; -#endif + fAmIAlone = supR3HardenedWinAmIAlone(); if (fAmIAlone) memcpy(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch); @@ -4626,4 +4632,18 @@ if (iWhich == 2) supR3HardenedWinOpenStubDevice(); + + /* + * Make sure we're alone in the stub process before creating the VM process + * and that there isn't any debuggers attached. + */ + if (iWhich == 2) + { + int rc = supHardNtVpDebugger(NtCurrentProcess(), RTErrInfoInitStatic(&g_ErrInfoStatic)); + if (RT_SUCCESS(rc)) + rc = supHardNtVpThread(NtCurrentProcess(), NtCurrentThread(), RTErrInfoInitStatic(&g_ErrInfoStatic)); + if (RT_FAILURE(rc)) + supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Integrity, rc, "%s", g_ErrInfoStatic.szMsg); + } + /*