Index: /trunk/include/VBox/err.h =================================================================== --- /trunk/include/VBox/err.h (revision 53016) +++ /trunk/include/VBox/err.h (revision 53017) @@ -2525,4 +2525,9 @@ * opened by the VM process. */ #define VERR_SUP_VP_STUB_THREAD_OPEN_ERROR (-5672) +/** Process Purification Failure: NtAllocateVirtualMemory failed to get us + * suitable replacement memory for a chunk of executable memory that + * shouldn't be present in our process. (You will only see this message if you + * got potentially fatally buggy anti-virus software installed.) */ +#define VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED (-5673) /** @} */ Index: /trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (revision 53016) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (revision 53017) @@ -4063,5 +4063,5 @@ if (RT_SUCCESS(rc)) { - rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY, + rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY, 0 /*fFlags*/, NULL /*pcFixes*/, &ErrInfo); if (RT_SUCCESS(rc) && pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed) Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (revision 53016) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (revision 53017) @@ -54,5 +54,23 @@ SUPHARDNTVPKIND_32BIT_HACK = 0x7fffffff } SUPHARDNTVPKIND; -DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, +/** @name SUPHARDNTVP_F_XXX - Flags for supHardenedWinVerifyProcess + * @{ */ +/** Replace unwanted executable memory allocations with a new one that's filled + * with zeros (default is just to free it). + * + * This is one way we attempt to work around buggy protection software that + * either result in host BSOD or VBox application malfunction. Here the current + * shit list: + * - Trend Micro's data protection software includes a buggy driver called + * sakfile.sys that has been observed crashing accessing user memory that we + * probably freed. I'd love to report this to Trend Micro, but unfortunately + * they doesn't advertise (or have?) an email address for reporting security + * vulnerabilities in the their software. Having wasted time looking and not + * very sorry for having to disclosing the bug here. + * - Maybe one more. + */ +#define SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO RT_BIT_32(0) +/** @} */ +DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags, uint32_t *pcFixes, PRTERRINFO pErrInfo); DECLHIDDEN(int) supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo); Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (revision 53016) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (revision 53017) @@ -129,4 +129,6 @@ /** Type of verification to perform. */ SUPHARDNTVPKIND enmKind; + /** Combination of SUPHARDNTVP_F_XXX. */ + uint32_t fFlags; /** The result. */ int rcResult; @@ -1500,4 +1502,21 @@ "NtFreeVirtualMemory (%p LB %#zx) failed: %#x", MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); + /* The Trend Micro sakfile.sys BSOD kludge. */ + if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO) + { + pvFree = MemInfo.BaseAddress; + cbFree = MemInfo.RegionSize; + rcNt = NtAllocateVirtualMemory(pThis->hProcess, &pvFree, 0, &cbFree, MEM_COMMIT, PAGE_READWRITE); + if (!NT_SUCCESS(rcNt)) + supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, + "NtAllocateVirtualMemory (%p LB %#zx) failed with rcNt=%#x allocating " + "replacement memory for working around buggy protection software. " + "See VBoxStartup.log for more details", + MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); + if (pvFree != MemInfo.BaseAddress) + supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, + "We wanted NtAllocateVirtualMemory to get us %p LB %#zx, but it returned %p LB %#zx.", + MemInfo.BaseAddress, MemInfo.RegionSize, pvFree, cbFree, rcNt); + } } /* @@ -2124,9 +2143,10 @@ * @param hThread A thread in the process (the caller). * @param enmKind The kind of process verification to perform. + * @param fFlags Valid combination of SUPHARDNTVP_F_XXX flags. * @param pErrInfo Pointer to error info structure. Optional. * @param pcFixes Where to return the number of fixes made during * purification. Optional. */ -DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, +DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags, uint32_t *pcFixes, PRTERRINFO pErrInfo) { @@ -2152,4 +2172,5 @@ { pThis->enmKind = enmKind; + pThis->fFlags = fFlags; pThis->rcResult = VINF_SUCCESS; pThis->hProcess = hProcess; Index: /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (revision 53016) +++ /trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (revision 53017) @@ -340,20 +340,24 @@ /** TrendMicro OfficeScan and probably others. */ #define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3) +/** TrendMicro potentially buggy sakfile.sys. */ +#define SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE RT_BIT_32(4) /** McAfee. */ -#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(4) +#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(5) /** Kaspersky or OEMs of it. */ -#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(5) +#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(6) /** Malwarebytes Anti-Malware (MBAM). */ -#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(6) +#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(7) /** AVG Internet Security. */ -#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(7) +#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(8) /** Panda Security. */ -#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(8) +#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(9) /** Microsoft Security Essentials. */ -#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(9) +#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(10) /** Comodo. */ -#define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(10) +#define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(11) /** Check Point's Zone Alarm (may include Kaspersky). */ -#define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(11) +#define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(12) +/** Digital guardian. */ +#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN RT_BIT_32(13) /** Unknown adversary detected while waiting on child. */ #define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31) @@ -3517,4 +3521,7 @@ cFixes = 0; int rc = supHardenedWinVerifyProcess(pThis->hProcess, pThis->hThread, SUPHARDNTVPKIND_CHILD_PURIFICATION, + g_fSupAdversaries & ( SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE + | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN) + ? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO : 0, &cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic)); if (RT_FAILURE(rc)) @@ -4675,5 +4682,5 @@ cFixes = 0; rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION, - &cFixes, NULL /*pErrInfo*/); + 0 /*fFlags*/, &cFixes, NULL /*pErrInfo*/); if (RT_FAILURE(rc) || cFixes == 0) break; @@ -5102,4 +5109,5 @@ { SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" }, + { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN, "dgmaster" }, /* Not verified. */ }; @@ -5140,4 +5148,7 @@ { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmeevw.sys" }, { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmciesc.sys" }, + { SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE, L"\\SystemRoot\\System32\\drivers\\sakfile.sys" }, /* Data Loss Prevention, not officescan. */ + { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\sakcd.sys" }, /* Data Loss Prevention, not officescan. */ + { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\cfwids.sys" }, @@ -5211,4 +5222,6 @@ { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\drivers\\vsdatant.sys" }, { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\AntiTheftCredentialProvider.dll" }, + + { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN, L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" }, };