Index: /trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h	(revision 52966)
+++ /trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h	(revision 52967)
@@ -449,4 +449,5 @@
 DECLHIDDEN(void)    supR3HardenedWinInitImports(void);
 DECLHIDDEN(void)    supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr);
+DECLHIDDEN(void)    supR3HardenedWinInitSyscalls(bool fReportErrors);
 DECLHIDDEN(PFNRT)   supR3HardenedWinGetRealDllSymbol(const char *pszDll, const char *pszProcedure);
 DECLHIDDEN(void)    supR3HardenedWinEnableThreadCreation(void);
Index: unk/src/VBox/HostDrivers/Support/win/NtCreateSection-template-amd64-syscall-type-1.h
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/NtCreateSection-template-amd64-syscall-type-1.h	(revision 52966)
+++ 	(revision )
@@ -1,78 +1,0 @@
-SYSCALL(0x30);
-SYSCALL(0x31);
-SYSCALL(0x32);
-SYSCALL(0x33);
-SYSCALL(0x34);
-SYSCALL(0x35);
-SYSCALL(0x36);
-SYSCALL(0x37);
-SYSCALL(0x38);
-SYSCALL(0x39);
-SYSCALL(0x3A);
-SYSCALL(0x3B);
-SYSCALL(0x3C);
-SYSCALL(0x3D);
-SYSCALL(0x3E);
-SYSCALL(0x3F);
-SYSCALL(0x40);
-SYSCALL(0x41);
-SYSCALL(0x42);
-SYSCALL(0x43);
-SYSCALL(0x44);
-SYSCALL(0x45);
-SYSCALL(0x46);
-SYSCALL(0x47); /* XP64/W2K3-64, Vista, Windows 7 */
-SYSCALL(0x48); /* Windows 8.0 */
-SYSCALL(0x49); /* windows 8.1 */
-SYSCALL(0x4A);
-SYSCALL(0x4B);
-SYSCALL(0x4C);
-SYSCALL(0x4D);
-SYSCALL(0x4E);
-SYSCALL(0x4F);
-SYSCALL(0x51);
-SYSCALL(0x52);
-SYSCALL(0x53);
-SYSCALL(0x54);
-SYSCALL(0x55);
-SYSCALL(0x56);
-SYSCALL(0x57);
-SYSCALL(0x59);
-SYSCALL(0x5A);
-SYSCALL(0x5B);
-SYSCALL(0x5C);
-SYSCALL(0x5D);
-SYSCALL(0x5E);
-SYSCALL(0x5F);
-SYSCALL(0x60);
-SYSCALL(0x61);
-SYSCALL(0x62);
-SYSCALL(0x63);
-SYSCALL(0x64);
-SYSCALL(0x65);
-SYSCALL(0x66);
-SYSCALL(0x67);
-SYSCALL(0x68);
-SYSCALL(0x69);
-SYSCALL(0x6A);
-SYSCALL(0x6B);
-SYSCALL(0x6C);
-SYSCALL(0x6D);
-SYSCALL(0x6E);
-SYSCALL(0x6F);
-SYSCALL(0x70);
-SYSCALL(0x71);
-SYSCALL(0x72);
-SYSCALL(0x73);
-SYSCALL(0x74);
-SYSCALL(0x75);
-SYSCALL(0x76);
-SYSCALL(0x77);
-SYSCALL(0x78);
-SYSCALL(0x79);
-SYSCALL(0x7A);
-SYSCALL(0x7B);
-SYSCALL(0x7C);
-SYSCALL(0x7D);
-SYSCALL(0x7E);
-SYSCALL(0x7F);
Index: unk/src/VBox/HostDrivers/Support/win/NtCreateSection-template-x86-syscall-type-1.h
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/NtCreateSection-template-x86-syscall-type-1.h	(revision 52966)
+++ 	(revision )
@@ -1,286 +1,0 @@
-SYSCALL(0x28);
-SYSCALL(0x29);
-SYSCALL(0x2A);
-SYSCALL(0x2B);
-SYSCALL(0x2C);
-SYSCALL(0x2D);
-SYSCALL(0x2E);
-SYSCALL(0x2F);
-SYSCALL(0x30);
-SYSCALL(0x31);
-
-SYSCALL(0x32); /* WinXP */
-SYSCALL(0x33);
-
-SYSCALL(0x34); /* W2K3 */
-SYSCALL(0x35);
-SYSCALL(0x36);
-SYSCALL(0x37);
-SYSCALL(0x38);
-SYSCALL(0x39);
-SYSCALL(0x3A);
-SYSCALL(0x3B);
-SYSCALL(0x3C);
-SYSCALL(0x3D);
-SYSCALL(0x3E);
-SYSCALL(0x3F);
-SYSCALL(0x40);
-SYSCALL(0x41);
-SYSCALL(0x42);
-SYSCALL(0x43);
-SYSCALL(0x44);
-SYSCALL(0x45);
-SYSCALL(0x46);
-SYSCALL(0x47);
-SYSCALL(0x48);
-SYSCALL(0x49);
-SYSCALL(0x4A);
-
-SYSCALL(0x4B); /* Vista */
-SYSCALL(0x4C);
-SYSCALL(0x4D);
-SYSCALL(0x4E);
-SYSCALL(0x4F);
-SYSCALL(0x50);
-SYSCALL(0x51);
-SYSCALL(0x52);
-SYSCALL(0x53);
-
-SYSCALL(0x54); /* Windows 7 */
-SYSCALL(0x55);
-SYSCALL(0x56);
-SYSCALL(0x57);
-SYSCALL(0x59);
-SYSCALL(0x5A);
-SYSCALL(0x5B);
-SYSCALL(0x5C);
-SYSCALL(0x5D);
-SYSCALL(0x5E);
-SYSCALL(0x5F);
-SYSCALL(0x60);
-SYSCALL(0x61);
-SYSCALL(0x62);
-SYSCALL(0x63);
-SYSCALL(0x64);
-SYSCALL(0x65);
-SYSCALL(0x66);
-SYSCALL(0x67);
-SYSCALL(0x68);
-SYSCALL(0x69);
-SYSCALL(0x6A);
-SYSCALL(0x6B);
-SYSCALL(0x6C);
-SYSCALL(0x6D);
-SYSCALL(0x6E);
-SYSCALL(0x6F);
-SYSCALL(0x70);
-SYSCALL(0x71);
-SYSCALL(0x72);
-SYSCALL(0x73);
-SYSCALL(0x74);
-SYSCALL(0x75);
-SYSCALL(0x76);
-SYSCALL(0x77);
-SYSCALL(0x78);
-SYSCALL(0x79);
-SYSCALL(0x7A);
-SYSCALL(0x7B);
-SYSCALL(0x7C);
-SYSCALL(0x7D);
-SYSCALL(0x7E);
-SYSCALL(0x7F);
-SYSCALL(0x80);
-SYSCALL(0x81);
-SYSCALL(0x82);
-SYSCALL(0x83);
-SYSCALL(0x84);
-SYSCALL(0x85);
-SYSCALL(0x86);
-SYSCALL(0x87);
-SYSCALL(0x88);
-SYSCALL(0x89);
-SYSCALL(0x8A);
-SYSCALL(0x8B);
-SYSCALL(0x8C);
-SYSCALL(0x8D);
-SYSCALL(0x8E);
-SYSCALL(0x8F);
-SYSCALL(0x90);
-SYSCALL(0x91);
-SYSCALL(0x92);
-SYSCALL(0x93);
-SYSCALL(0x94);
-SYSCALL(0x95);
-SYSCALL(0x96);
-SYSCALL(0x97);
-SYSCALL(0x98);
-SYSCALL(0x99);
-SYSCALL(0x9A);
-SYSCALL(0x9B);
-SYSCALL(0x9C);
-SYSCALL(0x9D);
-SYSCALL(0x9E);
-SYSCALL(0x9F);
-
-SYSCALL(0x100);
-SYSCALL(0x101);
-SYSCALL(0x102);
-SYSCALL(0x103);
-SYSCALL(0x104);
-SYSCALL(0x105);
-SYSCALL(0x106);
-SYSCALL(0x107);
-SYSCALL(0x108);
-SYSCALL(0x109);
-SYSCALL(0x10A);
-SYSCALL(0x10B);
-SYSCALL(0x10C);
-SYSCALL(0x10D);
-SYSCALL(0x10E);
-SYSCALL(0x10F);
-SYSCALL(0x110);
-SYSCALL(0x111);
-SYSCALL(0x112);
-SYSCALL(0x113);
-SYSCALL(0x114);
-SYSCALL(0x115);
-SYSCALL(0x116);
-SYSCALL(0x117);
-SYSCALL(0x118);
-SYSCALL(0x119);
-SYSCALL(0x11A);
-SYSCALL(0x11B);
-SYSCALL(0x11C);
-SYSCALL(0x11D);
-SYSCALL(0x11E);
-SYSCALL(0x11F);
-SYSCALL(0x120);
-SYSCALL(0x121);
-SYSCALL(0x122);
-SYSCALL(0x123);
-SYSCALL(0x124);
-SYSCALL(0x125);
-SYSCALL(0x126);
-SYSCALL(0x127);
-SYSCALL(0x128);
-SYSCALL(0x129);
-SYSCALL(0x12A);
-SYSCALL(0x12B);
-SYSCALL(0x12C);
-SYSCALL(0x12D);
-SYSCALL(0x12E);
-SYSCALL(0x12F);
-SYSCALL(0x130);
-SYSCALL(0x131);
-SYSCALL(0x132);
-SYSCALL(0x133);
-SYSCALL(0x134);
-SYSCALL(0x135);
-SYSCALL(0x136);
-SYSCALL(0x137);
-SYSCALL(0x138);
-SYSCALL(0x139);
-SYSCALL(0x13A);
-SYSCALL(0x13B);
-SYSCALL(0x13C);
-SYSCALL(0x13D);
-SYSCALL(0x13E);
-SYSCALL(0x13F);
-SYSCALL(0x140);
-SYSCALL(0x141);
-SYSCALL(0x142);
-SYSCALL(0x143);
-SYSCALL(0x144);
-SYSCALL(0x145);
-SYSCALL(0x146);
-SYSCALL(0x147);
-SYSCALL(0x148);
-SYSCALL(0x149);
-SYSCALL(0x14A);
-SYSCALL(0x14B);
-SYSCALL(0x14C);
-SYSCALL(0x14D);
-SYSCALL(0x14E);
-SYSCALL(0x14F);
-SYSCALL(0x150);
-SYSCALL(0x151);
-SYSCALL(0x152);
-SYSCALL(0x153);
-
-SYSCALL(0x154); /* Windows 8.1 */
-SYSCALL(0x155);
-SYSCALL(0x156);
-SYSCALL(0x157);
-SYSCALL(0x158);
-SYSCALL(0x159);
-SYSCALL(0x15A);
-SYSCALL(0x15B);
-SYSCALL(0x15C);
-SYSCALL(0x15D);
-SYSCALL(0x15E);
-SYSCALL(0x15F);
-SYSCALL(0x160);
-SYSCALL(0x161);
-SYSCALL(0x162);
-SYSCALL(0x163);
-SYSCALL(0x164);
-SYSCALL(0x165);
-SYSCALL(0x166);
-SYSCALL(0x167);
-SYSCALL(0x168);
-SYSCALL(0x169);
-SYSCALL(0x16A);
-SYSCALL(0x16B);
-SYSCALL(0x16C);
-SYSCALL(0x16D);
-SYSCALL(0x16E);
-SYSCALL(0x16F);
-SYSCALL(0x170);
-SYSCALL(0x171);
-SYSCALL(0x172);
-SYSCALL(0x173);
-SYSCALL(0x174);
-SYSCALL(0x175);
-SYSCALL(0x176);
-SYSCALL(0x177);
-SYSCALL(0x178);
-SYSCALL(0x179);
-SYSCALL(0x17A);
-SYSCALL(0x17B);
-SYSCALL(0x17C);
-SYSCALL(0x17D);
-SYSCALL(0x17E);
-SYSCALL(0x17F);
-SYSCALL(0x180);
-SYSCALL(0x181);
-SYSCALL(0x182);
-SYSCALL(0x183);
-SYSCALL(0x184);
-SYSCALL(0x185);
-SYSCALL(0x186);
-SYSCALL(0x187);
-SYSCALL(0x188);
-SYSCALL(0x189);
-SYSCALL(0x18A);
-SYSCALL(0x18B);
-SYSCALL(0x18C);
-SYSCALL(0x18D);
-SYSCALL(0x18E);
-SYSCALL(0x18F);
-SYSCALL(0x190);
-SYSCALL(0x191);
-SYSCALL(0x192);
-SYSCALL(0x193);
-SYSCALL(0x194);
-SYSCALL(0x195);
-SYSCALL(0x196);
-SYSCALL(0x197);
-SYSCALL(0x198);
-SYSCALL(0x199);
-SYSCALL(0x19A);
-SYSCALL(0x19B);
-SYSCALL(0x19C);
-SYSCALL(0x19D);
-SYSCALL(0x19E);
-SYSCALL(0x19F);
-
Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp	(revision 52966)
+++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp	(revision 52967)
@@ -843,5 +843,5 @@
                 return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'NtCreateSection': %Rrc", pImage->pszName, rc);
             aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
-            aSkipAreas[cSkipAreas++].cb = 5 + (ARCH_BITS == 64);
+            aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12;
 
             /* Ignore our LdrLoadDll hack. */
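Review bot: The literal `12` in `aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12;` has to equal the length of the hook patch that SUPR3HardenedMain-win.cpp writes (`mov rax, imm64` plus `jmp rax`), but nothing ties the two files together. Bytes inside a skip area are presumably excluded from the image comparison, so a mismatch would either cause a spurious verification failure or leave more bytes unchecked than the patch actually covers. A single named constant in SUPLibInternal.h, used for both assignments (the LdrLoadDll one is in the next hunk) and for the `offJmpBack < 12` loop bound, would keep them in step. A short comment such as `/* skip exactly the bytes our hook patch overwrites */` would also help; the enclosing function lies outside the hunk.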
@@ -850,5 +850,5 @@
                 return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrLoadDll': %Rrc", pImage->pszName, rc);
             aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
-            aSkipAreas[cSkipAreas++].cb = 5 + (ARCH_BITS == 64);
+            aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12;
         }
 
Index: /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp	(revision 52966)
+++ /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp	(revision 52967)
@@ -228,6 +228,4 @@
 /** @name Hook related variables.
  * @{ */
-/** The jump back address of the patched NtCreateSection. */
-extern "C" PFNRT            g_pfnNtCreateSectionJmpBack = NULL;
 /** Pointer to the bit of assembly code that will perform the original
  *  NtCreateSection operation. */
@@ -238,8 +236,4 @@
 /** The patched NtCreateSection bytes (for restoring). */
 static uint8_t              g_abNtCreateSectionPatch[16];
-#if 0
-/** The jump back address of the patched LdrLoadDll. */
-extern "C" PFNRT            g_pfnLdrLoadDllJmpBack = NULL;
-#endif
 /** Pointer to the bit of assembly code that will perform the original
  *  LdrLoadDll operation. */
@@ -320,20 +314,7 @@
                                          bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,
                                          bool *pfQuietFailure);
-static void supR3HardenedWinRegisterDllNotificationCallback(void);
-static void supR3HardenedWinReInstallHooks(bool fFirst);
-
-
-#ifdef RT_ARCH_AMD64
-# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)
-# include "NtCreateSection-template-amd64-syscall-type-1.h"
-# undef SYSCALL
-#endif
-#ifdef RT_ARCH_X86
-# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)
-# include "NtCreateSection-template-x86-syscall-type-1.h"
-# undef SYSCALL
-#endif
-
-DECLASM(void) supR3HardenedEarlyProcessInitThunk(void);
+static void     supR3HardenedWinRegisterDllNotificationCallback(void);
+static void     supR3HardenedWinReInstallHooks(bool fFirst);
+DECLASM(void)   supR3HardenedEarlyProcessInitThunk(void);
 
 
@@ -1989,4 +1970,5 @@
     else
         SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
+
     supR3HardenedWinVerifyCacheProcessWvtTodos();
 
@@ -2528,23 +2510,9 @@
     //SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
 
-
-#ifdef RT_ARCH_AMD64
-    /*
-     * For 64-bit hosts we need some memory within a +/-2GB range of the
-     * actual function to be able to patch it.
-     */
-    uintptr_t uStart = RT_MAX((uintptr_t)pfnNtCreateSection, (uintptr_t)pfnLdrLoadDll);
-    size_t    cbMem  = _4K;
-    void  *pvMem = supR3HardenedWinAllocHookMemory(uStart, uStart - _2G + PAGE_SIZE, -1, cbMem);
-    if (!pvMem)
-    {
-        uintptr_t uStart = RT_MIN((uintptr_t)pfnNtCreateSection, (uintptr_t)pfnLdrLoadDll);
-        pvMem = supR3HardenedWinAllocHookMemory(uStart, uStart + _2G - PAGE_SIZE, 1, cbMem);
-        if (!pvMem)
-            supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_NO_MEMORY,
-                                  "Failed to allocate memory within the +/-2GB range from NTDLL.\n");
-    }
-    uintptr_t *puJmpTab = (uintptr_t *)pvMem;
-#endif
+    /*
+     * Exec page setup & management.
+     */
+    uint32_t offExecPage = 0;
+    memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
 
     /*
@@ -2556,6 +2524,6 @@
     g_pbNtCreateSection = pbNtCreateSection;
     memcpy(g_abNtCreateSectionPatch, pbNtCreateSection, sizeof(g_abNtCreateSectionPatch));
-/** @todo This patch could be simplified iff we had our own syscall operational
- *        from the get-go. */
+
+    g_pfnNtCreateSectionReal = NtCreateSection; /* our direct syscall */
 
 #ifdef RT_ARCH_AMD64
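Review bot: `g_pfnNtCreateSectionReal = NtCreateSection;` is only correct if `NtCreateSection` already resolves to the direct-syscall stub at this point, and the hunk does not check that. If it still pointed at the ntdll export, the monitor's call to the "real" function would land on the patched bytes and re-enter the monitor. The commit adds a `supR3HardenedWinInitSyscalls(true /*fReportErrors*/)` call elsewhere, but whether it always runs before this code is not visible here. A guard before the assignment, e.g. `SUPR3HARDENED_ASSERT((uintptr_t)NtCreateSection != (uintptr_t)pbNtCreateSection);`, would turn that into an immediate, diagnosable failure. The function body starts and ends outside the hunk.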
@@ -2563,7 +2531,4 @@
      * Patch 64-bit hosts.
      */
-    PFNRT       pfnCallReal = NULL;
-    uint8_t     offJmpBack  = UINT8_MAX;
-
     /* Pattern #1: XP64/W2K3-64 thru Windows 8.1
        0:000> u ntdll!NtCreateSection
@@ -2575,37 +2540,11 @@
        00000000`779f175b 0f1f440000      nop     dword ptr [rax+rax]
        The variant is the value loaded into eax: W2K3=??, Vista=47h?, W7=47h, W80=48h, W81=49h */
-    if (   pbNtCreateSection[ 0] == 0x4c /* mov r10, rcx */
-        && pbNtCreateSection[ 1] == 0x8b
-        && pbNtCreateSection[ 2] == 0xd1
-        && pbNtCreateSection[ 3] == 0xb8 /* mov eax, 000000xxh */
-        && pbNtCreateSection[ 5] == 0x00
-        && pbNtCreateSection[ 6] == 0x00
-        && pbNtCreateSection[ 7] == 0x00
-        && pbNtCreateSection[ 8] == 0x0f /* syscall */
-        && pbNtCreateSection[ 9] == 0x05
-        && pbNtCreateSection[10] == 0xc3 /* ret */
-       )
-    {
-        offJmpBack = 8; /* the 3rd instruction (syscall). */
-        switch (pbNtCreateSection[4])
-        {
-# define SYSCALL(a_Num) case a_Num: pfnCallReal = RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num); break;
-# include "NtCreateSection-template-amd64-syscall-type-1.h"
-# undef SYSCALL
-        }
-    }
-    if (!pfnCallReal)
-        supR3HardenedWinHookFailed("NtCreateSection", pbNtCreateSection);
-
-    g_pfnNtCreateSectionJmpBack         = (PFNRT)(uintptr_t)(pbNtCreateSection + offJmpBack);
-    *(PFNRT *)&g_pfnNtCreateSectionReal = pfnCallReal;
 
     /* Assemble the patch. */
-    g_abNtCreateSectionPatch[0] = 0xff;
-    g_abNtCreateSectionPatch[1] = 0x25;
-    *(uint32_t *)&g_abNtCreateSectionPatch[2] = (uint32_t)((uintptr_t)puJmpTab - (uintptr_t)&pbNtCreateSection[2+4]);
-
-    *puJmpTab = (uintptr_t)supR3HardenedMonitor_NtCreateSection;
-    puJmpTab++;
+    g_abNtCreateSectionPatch[0]  = 0x48; /* mov rax, qword */
+    g_abNtCreateSectionPatch[1]  = 0xb8;
+    *(uint64_t *)&g_abNtCreateSectionPatch[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection;
+    g_abNtCreateSectionPatch[10] = 0xff; /* jmp rax */
+    g_abNtCreateSectionPatch[11] = 0xe0;
 
 #else
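Review bot: With the prologue check removed, the 12-byte `mov rax, imm64; jmp rax` patch is assembled without confirming what the first 12 bytes of NtCreateSection are. The stub quoted in the comment is 11 bytes up to and including `ret`, so the last patch byte lands in the padding `nop` that follows, and nothing in the new code verifies that this padding exists on the running ntdll. I would keep a minimal layout check before "Assemble the patch" and fail through the `supR3HardenedWinHookFailed("NtCreateSection", pbNtCreateSection);` call the removed code used when byte 10 is not `0xc3`. The 32-bit branch in the following hunks drops its check as well, though its 5-byte `jmp rel32` fits inside the first instruction. The enclosing function starts and ends outside this hunk.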
@@ -2613,7 +2552,4 @@
      * Patch 32-bit hosts.
      */
-    PFNRT       pfnCallReal = NULL;
-    uint8_t     offJmpBack  = UINT8_MAX;
-
     /* Pattern #1: XP thru Windows 7
             kd> u ntdll!NtCreateSection
@@ -2635,55 +2571,12 @@
             6a15eacb 0f34            sysenter
             6a15eacd c3              ret
-       The variable bit is the value loaded into eax: W81=154h
-       Note! One nice thing here is that we can share code pattern #1.  */
-
-    if (   pbNtCreateSection[ 0] == 0xb8 /* mov eax, 000000xxh*/
-        && pbNtCreateSection[ 2] <= 0x02
-        && pbNtCreateSection[ 3] == 0x00
-        && pbNtCreateSection[ 4] == 0x00
-        && (   (   pbNtCreateSection[ 5] == 0xba /* mov edx, offset SharedUserData!SystemCallStub */
-                && pbNtCreateSection[ 6] == 0x00
-                && pbNtCreateSection[ 7] == 0x03
-                && pbNtCreateSection[ 8] == 0xfe
-                && pbNtCreateSection[ 9] == 0x7f
-                && pbNtCreateSection[10] == 0xff /* call [edx] */
-                && pbNtCreateSection[11] == 0x12
-                && pbNtCreateSection[12] == 0xc2 /* ret 1ch */
-                && pbNtCreateSection[13] == 0x1c
-                && pbNtCreateSection[14] == 0x00)
-
-            || (   pbNtCreateSection[ 5] == 0xe8 /* call [$+3] */
-                && RT_ABS(*(int32_t *)&pbNtCreateSection[6]) < 0x10
-                && pbNtCreateSection[10] == 0xc2 /* ret 1ch */
-                && pbNtCreateSection[11] == 0x1c
-                && pbNtCreateSection[12] == 0x00 )
-          )
-       )
-    {
-        offJmpBack = 5; /* the 2nd instruction. */
-        switch (*(uint32_t const *)&pbNtCreateSection[1])
-        {
-# define SYSCALL(a_Num) case a_Num: pfnCallReal = RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num); break;
-# include "NtCreateSection-template-x86-syscall-type-1.h"
-# undef SYSCALL
-        }
-    }
-    if (!pfnCallReal)
-        supR3HardenedWinHookFailed("NtCreateSection", pbNtCreateSection);
-
-    g_pfnNtCreateSectionJmpBack         = (PFNRT)(uintptr_t)(pbNtCreateSection + offJmpBack);
-    *(PFNRT *)&g_pfnNtCreateSectionReal = pfnCallReal;
+       The variable bit is the value loaded into eax: W81=154h */
 
     /* Assemble the patch. */
-    g_abNtCreateSectionPatch[0] = 0xe9;
+    g_abNtCreateSectionPatch[0] = 0xe9;  /* jmp rel32 */
     *(uint32_t *)&g_abNtCreateSectionPatch[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection
                                               - (uintptr_t)&pbNtCreateSection[1+4];
+
 #endif
-
-    /*
-     * Exec page setup & management.
-     */
-    uint32_t offExecPage = 0;
-    memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
 
     /*
@@ -2700,13 +2593,14 @@
     memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
 
-#ifdef RT_ARCH_AMD64
-    /*
-     * Patch 64-bit hosts.
-     */
-    /* Just use the disassembler to skip 6 bytes or more. */
     DISSTATE Dis;
     uint32_t cbInstr;
-    offJmpBack = 0;
-    while (offJmpBack < 6)
+    uint32_t offJmpBack = 0;
+
+#ifdef RT_ARCH_AMD64
+    /*
+     * Patch 64-bit hosts.
+     */
+    /* Just use the disassembler to skip 12 bytes or more. */
+    while (offJmpBack < 12)
     {
         cbInstr = 1;
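Review bot: Raising the bound to `while (offJmpBack < 12)` means at least 12 bytes of the LdrLoadDll prologue are stepped over and, judging by the later `offExecPage += offJmpBack;`, copied to the exec page. That makes it more likely that one of them is a relative branch or a RIP-relative access, which would be wrong at its new address. The loop body is outside this hunk, so I cannot see whether the disassembler result is checked for that; if it is not, the loop should fail the hook instead of copying such an instruction. I would also reword the comment to say where 12 comes from, e.g. `/* Skip at least 12 bytes, the size of the mov rax, imm64 + jmp rax patch. */`.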
@@ -2733,11 +2627,10 @@
 
     /* Assemble the LdrLoadDll patch. */
-    Assert(offJmpBack >= 6);
-    g_abLdrLoadDllPatch[0] = 0xff;
-    g_abLdrLoadDllPatch[1] = 0x25;
-    *(uint32_t *)&g_abLdrLoadDllPatch[2] = (uint32_t)((uintptr_t)puJmpTab - (uintptr_t)&pbLdrLoadDll[2+4]);
-
-    *puJmpTab = (uintptr_t)supR3HardenedMonitor_LdrLoadDll;
-    puJmpTab++;
+    Assert(offJmpBack >= 12);
+    g_abLdrLoadDllPatch[0]  = 0x48; /* mov rax, qword */
+    g_abLdrLoadDllPatch[1]  = 0xb8;
+    *(uint64_t *)&g_abLdrLoadDllPatch[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll;
+    g_abLdrLoadDllPatch[10] = 0xff; /* jmp rax */
+    g_abLdrLoadDllPatch[11] = 0xe0;
 
 #else
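Review bot: The new patch loads the monitor address into rax and jumps through it, but the code does not say why clobbering rax at function entry is safe. I would add a comment above "Assemble the LdrLoadDll patch", e.g. `/* rax is volatile and carries no argument in the Windows x64 calling convention, so it can be used as scratch here. */`. The same comment applies to the identical NtCreateSection patch in the earlier hunk. It would also be worth stating next to `Assert(offJmpBack >= 12);` that 12 is the patch length, since the assertion and the patch bytes are otherwise only linked by the reader counting them.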
@@ -2745,8 +2638,5 @@
      * Patch 32-bit hosts.
      */
-    /* Just use the disassembler to skip 6 bytes or more. */
-    DISSTATE Dis;
-    uint32_t cbInstr;
-    offJmpBack = 0;
+    /* Just use the disassembler to skip 5 bytes or more. */
     while (offJmpBack < 5)
     {
@@ -2765,5 +2655,5 @@
     offExecPage += offJmpBack;
 
-    g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9;
+    g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
     *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack]
                                                             - (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
@@ -3524,4 +3414,5 @@
     }
 
+#if 0
     /*
      * Map kernel32.dll and kernelbase.dll (if applicable) into the process.
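Review bot: The `#if 0` added here, with its `#endif` in the next hunk and the second `#if 0`/`#endif` pair around the unmap calls further down, disables mapping kernel32.dll and KernelBase.dll into the child without any explanation. The commit's other changes concern syscall hooking, so this reads like a debugging leftover. The disabled unmap block also covers `ntdll.dll[2nd]` and `executable[2nd]`, so if those images are still mapped earlier in the function (not visible here) they now stay mapped in the child. If the change is intended, delete the dead code and say why in a comment; otherwise it should be reverted before this goes in.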
@@ -3536,4 +3427,5 @@
                        ? supR3HardNtPuChMapDllIntoChild(pThis, &NtName3, "KernelBase.dll")
                        : NULL;
+#endif
 
     /*
@@ -3543,4 +3435,5 @@
     uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
     uint32_t cMsKludge = (g_fSupAdversaries & SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT) ? 256 : g_fSupAdversaries ? 64 : 16;
+cMsKludge = 1024;
     do
     {
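Review bot: The unindented `cMsKludge = 1024;` unconditionally overwrites the value computed on the line above, so the `g_fSupAdversaries`-based selection of 256, 64 or 16 is now dead and every child start uses 1024. Its placement at column 0 with no comment suggests a debugging aid that was committed by accident. If the longer wait is wanted, fold it into the initializer with a comment explaining why; otherwise remove the line. The loop that consumes `cMsKludge` continues outside the hunk.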
@@ -3553,4 +3446,5 @@
                  supR3HardenedWinGetMilliTS() - uMsTsStart));
 
+#if 0
     /*
      * Unmap the image we mapped into the guest above.
@@ -3560,4 +3454,5 @@
     supR3HardNtPuChUnmapDllFromChild(pThis, pvNtDll2, "ntdll.dll[2nd]");
     supR3HardNtPuChUnmapDllFromChild(pThis, pvExe2, "executable[2nd]");
+#endif
 
     /*
@@ -5641,4 +5536,9 @@
 
     /*
+     * Set up the direct system calls so we can more easily hook NtCreateSection.
+     */
+    supR3HardenedWinInitSyscalls(true /*fReportErrors*/);
+
+    /*
      * Determine the executable path and name.  Will NOT determine the windows style
      * executable path here as we don't need it.
Index: /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm	(revision 52966)
+++ /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm	(revision 52967)
@@ -32,7 +32,4 @@
 
 
-; External data.
-extern NAME(g_pfnNtCreateSectionJmpBack)
-
 ; External code.
 extern NAME(supR3HardenedEarlyProcessInit)
@@ -40,44 +37,4 @@
 
 BEGINCODE
-
-;
-; 64-bit
-;
-%ifdef RT_ARCH_AMD64
- %macro supR3HardenedJmpBack_NtCreateSection_Xxx 1
- BEGINPROC supR3HardenedJmpBack_NtCreateSection_ %+ %1
-        SEH64_END_PROLOGUE
-        ; The code we replaced.
-        mov     r10, rcx
-        mov     eax, %1
-
-        ; Jump back to the original code.
-        jmp     [NAME(g_pfnNtCreateSectionJmpBack) wrt RIP]
- ENDPROC   supR3HardenedJmpBack_NtCreateSection_ %+ %1
- %endm
- %define SYSCALL(a_Num) supR3HardenedJmpBack_NtCreateSection_Xxx a_Num
- %include "NtCreateSection-template-amd64-syscall-type-1.h"
-
-%endif
-
-
-;
-; 32-bit.
-;
-%ifdef RT_ARCH_X86
- %macro supR3HardenedJmpBack_NtCreateSection_Xxx 1
- BEGINPROC supR3HardenedJmpBack_NtCreateSection_ %+ %1
-        ; The code we replaced.
-        mov     eax, %1
-
-        ; Jump back to the original code.
-        jmp     [NAME(g_pfnNtCreateSectionJmpBack)]
- ENDPROC   supR3HardenedJmpBack_NtCreateSection_ %+ %1
- %endm
- %define SYSCALL(a_Num) supR3HardenedJmpBack_NtCreateSection_Xxx a_Num
- %include "NtCreateSection-template-x86-syscall-type-1.h"
-
-%endif
-
 
 
Index: /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp	(revision 52966)
+++ /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp	(revision 52967)
@@ -48,8 +48,11 @@
 #define VBOX_HARDENED_STUB_WITHOUT_IMPORTS
 #ifdef VBOX_HARDENED_STUB_WITHOUT_IMPORTS
-# define SUPHNTIMP_ERROR(a_id, a_szWhere, a_enmOp, a_rc, ...) \
-    do { static const char s_szWhere[] = a_szWhere; *(char *)(uintptr_t)(a_id) += 1; __debugbreak(); } while (0)
+# define SUPHNTIMP_ERROR(a_fReportErrors, a_id, a_szWhere, a_enmOp, a_rc, ...) \
+    do { \
+        if (a_fReportErrors) supR3HardenedFatalMsg(a_szWhere, a_enmOp, a_rc, __VA_ARGS__); \
+        else { static const char s_szWhere[] = a_szWhere; *(char *)(uintptr_t)(a_id) += 1; __debugbreak(); } \
+    } while (0)
 #else
-# define SUPHNTIMP_ERROR(a_id, a_szWhere, a_enmOp, a_rc, ...) \
+# define SUPHNTIMP_ERROR(a_fReportErrors, a_id, a_szWhere, a_enmOp, a_rc, ...) \
     supR3HardenedFatalMsg(a_szWhere, a_enmOp, a_rc, __VA_ARGS__)
 
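Review bot: The two failure paths of the stub-mode `SUPHNTIMP_ERROR` are not documented, and the meaning of `a_fReportErrors` has to be inferred from the call sites. I would add a comment above the macro, e.g. `/* a_fReportErrors=true: report via supR3HardenedFatalMsg. false: no usable imports yet, so fault on address a_id and break into the debugger. */` (the reason for the false path is my reading, please confirm). It should also say that the non-stub variant ignores `a_fReportErrors` and always reports. `s_szWhere` in the else branch is never referenced and could be dropped unless it is kept deliberately for crash-dump inspection.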
@@ -268,10 +271,10 @@
         pDll->pbImageBase = NULL; /* optional */
     else
-        SUPHNTIMP_ERROR(1, "supR3HardenedFindOrLoadModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+        SUPHNTIMP_ERROR(false, 1, "supR3HardenedFindOrLoadModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
                         "Failed to locate %ls", pDll->pwszName);
 #else
     HMODULE hmod = GetModuleHandleW(pDll->pwszName);
     if (RT_UNLIKELY(!hmod && pDll->cImports))
-        SUPHNTIMP_ERROR(1, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+        SUPHNTIMP_ERROR(true, 1, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
                         "Failed to locate %ls", pDll->pwszName);
     pDll->pbImageBase = (uint8_t *)hmod;
@@ -292,5 +295,5 @@
         offNtHdrs = pMzHdr->e_lfanew;
         if (offNtHdrs > _2K)
-            SUPHNTIMP_ERROR(2, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+            SUPHNTIMP_ERROR(false, 2, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
                             "%ls: e_lfanew=%#x, expected a lower value", pDll->pwszName, offNtHdrs);
     }
@@ -298,14 +301,14 @@
 
     if (pNtHdrs->Signature != IMAGE_NT_SIGNATURE)
-        SUPHNTIMP_ERROR(3, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 3, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Invalid PE signature: %#x", pDll->pwszName, pNtHdrs->Signature);
     if (pNtHdrs->FileHeader.SizeOfOptionalHeader != sizeof(pNtHdrs->OptionalHeader))
-        SUPHNTIMP_ERROR(4, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 4, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Unexpected optional header size: %#x", pDll->pwszName, pNtHdrs->FileHeader.SizeOfOptionalHeader);
     if (pNtHdrs->OptionalHeader.Magic != RT_CONCAT3(IMAGE_NT_OPTIONAL_HDR,ARCH_BITS,_MAGIC))
-        SUPHNTIMP_ERROR(5, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 5, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Unexpected optional header magic: %#x", pDll->pwszName, pNtHdrs->OptionalHeader.Magic);
     if (pNtHdrs->OptionalHeader.NumberOfRvaAndSizes != IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
-        SUPHNTIMP_ERROR(6, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 6, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Unexpected number of RVA and sizes: %#x", pDll->pwszName, pNtHdrs->OptionalHeader.NumberOfRvaAndSizes);
 
@@ -324,5 +327,5 @@
         || ExpDir.VirtualAddress >= pNtHdrs->OptionalHeader.SizeOfImage
         || ExpDir.VirtualAddress + ExpDir.Size > pNtHdrs->OptionalHeader.SizeOfImage)
-        SUPHNTIMP_ERROR(7, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 7, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Missing or invalid export directory: %#lx LB %#x", pDll->pwszName, ExpDir.VirtualAddress, ExpDir.Size);
     pDll->offExportDir = ExpDir.VirtualAddress;
@@ -335,5 +338,5 @@
         || pExpDir->NumberOfNames     >= _1M
         || pExpDir->NumberOfNames     <  1)
-        SUPHNTIMP_ERROR(8, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 8, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: NumberOfNames or/and NumberOfFunctions are outside the expected range: nof=%#x non=%#x\n",
                         pDll->pwszName, pExpDir->NumberOfFunctions, pExpDir->NumberOfNames);
@@ -344,5 +347,5 @@
         || pExpDir->AddressOfFunctions >= pNtHdrs->OptionalHeader.SizeOfImage
         || pExpDir->AddressOfFunctions + pDll->cExports * sizeof(uint32_t) > pNtHdrs->OptionalHeader.SizeOfImage)
-           SUPHNTIMP_ERROR(9, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+           SUPHNTIMP_ERROR(false, 9, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                            "%ls: Bad AddressOfFunctions: %#x\n", pDll->pwszName, pExpDir->AddressOfFunctions);
     pDll->paoffExports = (uint32_t const *)&pDll->pbImageBase[pExpDir->AddressOfFunctions];
@@ -351,5 +354,5 @@
         || pExpDir->AddressOfNames >= pNtHdrs->OptionalHeader.SizeOfImage
         || pExpDir->AddressOfNames + pExpDir->NumberOfNames * sizeof(uint32_t) > pNtHdrs->OptionalHeader.SizeOfImage)
-           SUPHNTIMP_ERROR(10, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+           SUPHNTIMP_ERROR(false, 10, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                            "%ls: Bad AddressOfNames: %#x\n", pDll->pwszName, pExpDir->AddressOfNames);
     pDll->paoffNamedExports = (uint32_t const *)&pDll->pbImageBase[pExpDir->AddressOfNames];
@@ -358,5 +361,5 @@
         || pExpDir->AddressOfNameOrdinals >= pNtHdrs->OptionalHeader.SizeOfImage
         || pExpDir->AddressOfNameOrdinals + pExpDir->NumberOfNames * sizeof(uint32_t) > pNtHdrs->OptionalHeader.SizeOfImage)
-           SUPHNTIMP_ERROR(11, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+           SUPHNTIMP_ERROR(false, 11, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                            "%ls: Bad AddressOfNameOrdinals: %#x\n", pDll->pwszName, pExpDir->AddressOfNameOrdinals);
     pDll->pau16NameOrdinals = (uint16_t const *)&pDll->pbImageBase[pExpDir->AddressOfNameOrdinals];
@@ -364,5 +367,5 @@
 
 
-static const char *supR3HardenedResolveImport(PSUPHNTIMPDLL pDll, PCSUPHNTIMPFUNC pImport)
+static const char *supR3HardenedResolveImport(PSUPHNTIMPDLL pDll, PCSUPHNTIMPFUNC pImport, bool fReportErrors)
 {
     /*
@@ -376,5 +379,5 @@
         uint32_t offExpName  = pDll->paoffNamedExports[iCur];
         if (RT_UNLIKELY(offExpName < pDll->offEndSectHdrs || offExpName >= pDll->cbImage))
-            SUPHNTIMP_ERROR(12, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
+            SUPHNTIMP_ERROR(fReportErrors, 12, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
                             "%ls: Bad export name entry: %#x (iCur=%#x)", pDll->pwszName, offExpName, iCur);
 
@@ -405,5 +408,5 @@
                 return (const char *)&pDll->pbImageBase[offExport];
             }
-            SUPHNTIMP_ERROR(14, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_BAD_EXE_FORMAT,
+            SUPHNTIMP_ERROR(fReportErrors, 14, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_BAD_EXE_FORMAT,
                             "%ls: Name ordinal for '%s' is out of bounds: %#x (max %#x)",
                             pDll->pwszName, iExpOrdinal, pDll->cExports);
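Review bot: The format string `"%ls: Name ordinal for '%s' is out of bounds: %#x (max %#x)"` has four conversions but only three arguments follow, so `%s` is paired with the integer `iExpOrdinal`. Before this change the stub-mode macro discarded its variadic arguments, but with `fReportErrors` true the message is now formatted by `supR3HardenedFatalMsg`, which would read the ordinal as a string pointer. The argument line should become `pDll->pwszName, pImport->pszName, iExpOrdinal, pDll->cExports);`. The enclosing function starts and ends outside the hunk.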
@@ -413,5 +416,5 @@
 
     if (!pImport->fOptional)
-        SUPHNTIMP_ERROR(15, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
+        SUPHNTIMP_ERROR(fReportErrors, 15, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
                         "%ls: Failed to resolve '%s'.", pDll->pwszName, pImport->pszName);
     *pImport->ppfnImport = NULL;
@@ -421,5 +424,5 @@
 
 static void supR3HardenedDirectSyscall(PSUPHNTIMPDLL pDll, PCSUPHNTIMPFUNC pImport, PCSUPHNTIMPSYSCALL pSyscall,
-                                       PSUPHNTLDRCACHEENTRY pLdrEntry, uint8_t *pbBits)
+                                       PSUPHNTLDRCACHEENTRY pLdrEntry, uint8_t *pbBits, bool fReportErrors)
 {
     /*
@@ -436,5 +439,5 @@
     if (RT_FAILURE(rc))
     {
-        SUPHNTIMP_ERROR(16, "supR3HardenedDirectSyscall", kSupInitOp_Misc, rc,
+        SUPHNTIMP_ERROR(fReportErrors, 16, "supR3HardenedDirectSyscall", kSupInitOp_Misc, rc,
                         "%s: RTLdrGetSymbolEx failed on %s: %Rrc", pDll->pszName, pImport->pszName, rc);
         return;
@@ -541,96 +544,21 @@
     volatile uint8_t abCopy[16];
     memcpy((void *)&abCopy[0], pbFunction, sizeof(abCopy));
-    SUPHNTIMP_ERROR(17, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
+    SUPHNTIMP_ERROR(fReportErrors, 17, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
                     "%ls: supHardNtLdrCacheOpen failed: '%s': %.16Rhxs",
-                    g_aSupNtImpDlls[iDll].pwszName, pImport->pszName, &abCopy[0]);
+                    pDll->pwszName, pImport->pszName, &abCopy[0]);
 }
 
 
 /**
- * Resolves NtDll functions we can trust calling before process init.
- *
- * @param   uNtDllAddr          The address of the NTDLL.
- */
-DECLHIDDEN(void) supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr)
-{
-    /*
-     * NTDLL is the first entry in the list.
-     */
-    g_aSupNtImpDlls[0].pbImageBase = (uint8_t const *)uNtDllAddr;
-    supR3HardenedParseModule(&g_aSupNtImpDlls[0]);
-    for (uint32_t i = 0; i < g_aSupNtImpDlls[0].cImports; i++)
-        if (!g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy)
-        {
-            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &g_aSupNtImpDlls[0].paImports[i]);
-            if (pszForwarder)
-                SUPHNTIMP_ERROR(32, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
-                                "ntdll: Failed to resolve forwarder '%s'.", pszForwarder);
-        }
-        else
-            *g_aSupNtImpDlls[0].paImports[i].ppfnImport = g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy;
-
-    /*
-     * Pointer the other imports at the early init stubs.
-     */
-    for (uint32_t iDll = 1; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
-        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
-            if (!g_aSupNtImpDlls[iDll].paImports[i].fOptional)
-                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = g_aSupNtImpDlls[iDll].paImports[i].pfnEarlyDummy;
-            else
-                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = NULL;
-}
-
-
-/**
- * Resolves imported functions, esp. system calls from NTDLL.
- *
- * This crap is necessary because there are sandboxing products out there that
- * will mess with system calls we make, just like any other wannabe userland
- * rootkit.  Kudos to microsoft for not providing a generic system call hook API
- * in the kernel mode, which I guess is what forcing these kind of products to
- * do ugly userland hacks that doesn't really hold water.
- */
-DECLHIDDEN(void) supR3HardenedWinInitImports(void)
-{
-    /*
-     * Find the DLLs we will be needing first (forwarders).
-     */
-    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
-    {
-        supR3HardenedFindOrLoadModule(&g_aSupNtImpDlls[iDll]);
-        if (g_aSupNtImpDlls[iDll].pbImageBase)
-            supR3HardenedParseModule(&g_aSupNtImpDlls[iDll]);
-    }
-
-    /*
-     * Resolve the functions.
-     */
-    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
-        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
-        {
-            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[iDll], &g_aSupNtImpDlls[iDll].paImports[i]);
-            if (pszForwarder)
-            {
-                const char *pszDot = strchr(pszForwarder, '.');
-                size_t  cchDllName = pszDot - pszForwarder;
-                SUPHNTIMPFUNC  Tmp = g_aSupNtImpDlls[iDll].paImports[i];
-                Tmp.pszName = pszDot + 1;
-                if (cchDllName == sizeof("ntdll") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("ntdll")) == 0)
-                    supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &Tmp);
-                else if (cchDllName == sizeof("kernelbase") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("kernelbase")) == 0)
-                    supR3HardenedResolveImport(&g_aSupNtImpDlls[1], &Tmp);
-                else
-                    SUPHNTIMP_ERROR(18, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
-                                    "%ls: Failed to resolve forwarder '%s'.", g_aSupNtImpDlls[iDll].pwszName, pszForwarder);
-            }
-        }
-
-    /*
-     * Check out system calls and try do them directly if we can.
-     * In order to do this though, we need to access the DLL on disk as we
-     * cannot trust the memory content to be unpatched.
-     *
-     * Note! It's too early to validate any signatures.
-     */
+ * Check out system calls and do the directly instead of via NtDll.
+ *
+ * We need to have access to the on disk NTDLL.DLL file as we do not trust the
+ * stuff we find in memory.  Too early to verify signatures though.
+ *
+ * @param   fReportErrors       Whether we've got the machinery for reporting
+ *                              errors going already.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitSyscalls(bool fReportErrors)
+{
     for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
         if (g_aSupNtImpDlls[iDll].paSyscalls)
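Review bot: Error 17 is raised from supR3HardenedDirectSyscall but is labelled `"supR3HardenedWinInitImports"` and says `supHardNtLdrCacheOpen failed`, although what it prints is the import name and the first 16 bytes copied from `pbFunction`. This looks like the path taken when the code at the function's address is not what was expected, and a message naming the wrong function and the wrong failure slows down triage of a patched or hooked NTDLL. Consider `"supR3HardenedDirectSyscall"` as the label and a text such as `"%ls: Unexpected system call code for '%s': %.16Rhxs"`. In the new doc comment, `do the directly` should read `do them directly`. The body of supR3HardenedDirectSyscall begins outside this hunk.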
@@ -647,14 +575,102 @@
                     for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
                         supR3HardenedDirectSyscall(&g_aSupNtImpDlls[iDll], &g_aSupNtImpDlls[iDll].paImports[i],
-                                                   &g_aSupNtImpDlls[iDll].paSyscalls[i], pLdrEntry, pbBits);
+                                                   &g_aSupNtImpDlls[iDll].paSyscalls[i], pLdrEntry, pbBits, fReportErrors);
                 }
                 else
-                    SUPHNTIMP_ERROR(20, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
+                    SUPHNTIMP_ERROR(fReportErrors, 20, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
                                     "%ls: supHardNtLdrCacheEntryGetBits failed: %Rrc '%s'.", g_aSupNtImpDlls[iDll].pwszName, rc);
             }
             else
-                SUPHNTIMP_ERROR(21, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
+                SUPHNTIMP_ERROR(fReportErrors, 21, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
                                 "%ls: supHardNtLdrCacheOpen failed: %Rrc '%s'.", g_aSupNtImpDlls[iDll].pwszName, rc);
         }
+}
+
+
+
+/**
+ * Resolves NtDll functions we can trust calling before process init.
+ *
+ * @param   uNtDllAddr          The address of the NTDLL.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr)
+{
+    /*
+     * NTDLL is the first entry in the list.
+     */
+    g_aSupNtImpDlls[0].pbImageBase = (uint8_t const *)uNtDllAddr;
+    supR3HardenedParseModule(&g_aSupNtImpDlls[0]);
+    for (uint32_t i = 0; i < g_aSupNtImpDlls[0].cImports; i++)
+        if (!g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy)
+        {
+            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &g_aSupNtImpDlls[0].paImports[i], false);
+            if (pszForwarder)
+                SUPHNTIMP_ERROR(false, 32, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+                                "ntdll: Failed to resolve forwarder '%s'.", pszForwarder);
+        }
+        else
+            *g_aSupNtImpDlls[0].paImports[i].ppfnImport = g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy;
+
+    /*
+     * Pointer the other imports at the early init stubs.
+     */
+    for (uint32_t iDll = 1; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
+            if (!g_aSupNtImpDlls[iDll].paImports[i].fOptional)
+                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = g_aSupNtImpDlls[iDll].paImports[i].pfnEarlyDummy;
+            else
+                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = NULL;
+}
+
+
+/**
+ * Resolves imported functions, esp. system calls from NTDLL.
+ *
+ * This crap is necessary because there are sandboxing products out there that
+ * will mess with system calls we make, just like any other wannabe userland
+ * rootkit.  Kudos to microsoft for not providing a generic system call hook API
+ * in the kernel mode, which I guess is what forcing these kind of products to
+ * do ugly userland hacks that doesn't really hold water.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitImports(void)
+{
+    /*
+     * Find the DLLs we will be needing first (forwarders).
+     */
+    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+    {
+        supR3HardenedFindOrLoadModule(&g_aSupNtImpDlls[iDll]);
+        if (g_aSupNtImpDlls[iDll].pbImageBase)
+            supR3HardenedParseModule(&g_aSupNtImpDlls[iDll]);
+    }
+
+    /*
+     * Resolve the functions.
+     */
+    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
+        {
+            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[iDll], &g_aSupNtImpDlls[iDll].paImports[i],
+                                                                  false);
+            if (pszForwarder)
+            {
+                const char *pszDot = strchr(pszForwarder, '.');
+                size_t  cchDllName = pszDot - pszForwarder;
+                SUPHNTIMPFUNC  Tmp = g_aSupNtImpDlls[iDll].paImports[i];
+                Tmp.pszName = pszDot + 1;
+                if (cchDllName == sizeof("ntdll") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("ntdll")) == 0)
+                    supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &Tmp, false);
+                else if (cchDllName == sizeof("kernelbase") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("kernelbase")) == 0)
+                    supR3HardenedResolveImport(&g_aSupNtImpDlls[1], &Tmp, false);
+                else
+                    SUPHNTIMP_ERROR(false, 18, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+                                    "%ls: Failed to resolve forwarder '%s'.", g_aSupNtImpDlls[iDll].pwszName, pszForwarder);
+            }
+        }
+
+    /*
+     * Do system calls directly.
+     */
+    supR3HardenedWinInitSyscalls(false);
 
     /*
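Review bot: In supR3HardenedWinInitImports the result of `strchr(pszForwarder, '.')` is used unchecked: if a forwarder string has no dot, `pszDot - pszForwarder` and `pszDot + 1` are computed from a null pointer. The string is returned from the image at `pDll->pbImageBase`, and this file says it does not trust what it finds in memory, so the malformed case should land in error 18 rather than in undefined behaviour. Changing the two lines to `size_t cchDllName = pszDot ? (size_t)(pszDot - pszForwarder) : 0;` and `Tmp.pszName = pszDot ? pszDot + 1 : pszForwarder;` makes both name comparisons fail and reaches the existing error 18 branch. The function continues past the end of this hunk.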
