SUPDrv-win.cpp@ 52374

Last change on this file since 52374 was 52353, checked in by vboxsync, 11 years ago
SUPDrv-win.cpp: drop mymemcmp, we've got an assembly memcmp implementation from the runtime available now.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 148.2 KB

Line
1	/* $Id: SUPDrv-win.cpp 52353 2014-08-11 19:16:55Z vboxsync $ */
2	/** @file
3	* VBoxDrv - The VirtualBox Support Driver - Windows NT specifics.
4	*/
5
6	/*
7	* Copyright (C) 2006-2012 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27	/*******************************************************************************
28	* Header Files *
29	*******************************************************************************/
30	#define IPRT_NT_MAP_TO_ZW
31	#define LOG_GROUP LOG_GROUP_SUP_DRV
32	#include "../SUPDrvInternal.h"
33	#include <excpt.h>
34	#include <ntimage.h>
35
36	#include <iprt/assert.h>
37	#include <iprt/avl.h>
38	#include <iprt/ctype.h>
39	#include <iprt/initterm.h>
40	#include <iprt/mem.h>
41	#include <iprt/process.h>
42	#include <iprt/power.h>
43	#include <iprt/spinlock.h>
44	#include <iprt/string.h>
45	#include <VBox/log.h>
46	#include <VBox/err.h>
47
48	#include <iprt/asm-amd64-x86.h>
49
50	#ifdef VBOX_WITH_HARDENING
51	# include "SUPHardenedVerify-win.h"
52	#endif
53
54
55	/*******************************************************************************
56	* Defined Constants And Macros *
57	*******************************************************************************/
58	/** The support service name. */
59	#define SERVICE_NAME "VBoxDrv"
60	/** The Pool tag (VBox). */
61	#define SUPDRV_NT_POOL_TAG 'xoBV'
62
63	/** NT device name for system access. */
64	#define DEVICE_NAME_NT_SYS L"\\Device\\VBoxDrv"
65	/** NT device name for user access. */
66	#define DEVICE_NAME_NT_USR L"\\Device\\VBoxDrvU"
67	#ifdef VBOX_WITH_HARDENING
68	/** NT device name for hardened stub access. */
69	# define DEVICE_NAME_NT_STUB L"\\Device\\VBoxDrvStub"
70
71	/** Macro for checking for deflecting calls to the stub device. */
72	# define VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_DEV(a_pDevObj, a_pIrp) \
73	do { if ((a_pDevObj) == g_pDevObjStub) supdrvNtCompleteRequest(STATUS_ACCESS_DENIED, a_pIrp); } while (0)
74	#else
75	# define VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_DEV(a_pDevObj, a_pIrp) do {} while (0)
76	#endif
77
78	/** Enables the fast I/O control code path. */
79	#define VBOXDRV_WITH_FAST_IO
80
81
82	/*******************************************************************************
83	* Structures and Typedefs *
84	*******************************************************************************/
85	/**
86	* Device extension used by VBoxDrvU.
87	*/
88	typedef struct SUPDRVDEVEXTUSR
89	{
90	/** Global cookie (same location as in SUPDRVDEVEXT, different value). */
91	uint32_t u32Cookie;
92	/** Pointer to the main driver extension. */
93	PSUPDRVDEVEXT pMainDrvExt;
94	} SUPDRVDEVEXTUSR;
95	AssertCompileMembersAtSameOffset(SUPDRVDEVEXT, u32Cookie, SUPDRVDEVEXTUSR, u32Cookie);
96	/** Pointer to the VBoxDrvU device extension. */
97	typedef SUPDRVDEVEXTUSR *PSUPDRVDEVEXTUSR;
98	/** Value of SUPDRVDEVEXTUSR::u32Cookie. */
99	#define SUPDRVDEVEXTUSR_COOKIE UINT32_C(0x12345678)
100
101	/** Get the main device extension. */
102	#define SUPDRVNT_GET_DEVEXT(pDevObj) \
103	( pDevObj != g_pDevObjUsr \
104	? (PSUPDRVDEVEXT)pDevObj->DeviceExtension \
105	: ((PSUPDRVDEVEXTUSR)pDevObj->DeviceExtension)->pMainDrvExt )
106
107	#ifdef VBOX_WITH_HARDENING
108
109	/**
110	* Device extension used by VBoxDrvS.
111	*/
112	typedef struct SUPDRVDEVEXTSTUB
113	{
114	/** Common header. */
115	SUPDRVDEVEXTUSR Common;
116	} SUPDRVDEVEXTSTUB;
117	/** Pointer to the VBoxDrvS device extension. */
118	typedef SUPDRVDEVEXTSTUB *PSUPDRVDEVEXTSTUB;
119	/** Value of SUPDRVDEVEXTSTUB::Common.u32Cookie. */
120	#define SUPDRVDEVEXTSTUB_COOKIE UINT32_C(0x90abcdef)
121
122
123	/**
124	* The kind of process we're protecting.
125	*/
126	typedef enum SUPDRVNTPROTECTKIND
127	{
128	kSupDrvNtProtectKind_Invalid = 0,
129
130	/** Stub process protection while performing process verification.
131	* Next: StubSpawning (or free) */
132	kSupDrvNtProtectKind_StubUnverified,
133	/** Stub process protection before it creates the VM process.
134	* Next: StubParent, StubDead. */
135	kSupDrvNtProtectKind_StubSpawning,
136	/** Stub process protection while having a VM process as child.
137	* Next: StubDead */
138	kSupDrvNtProtectKind_StubParent,
139	/** Dead stub process. */
140	kSupDrvNtProtectKind_StubDead,
141
142	/** Potential VM process.
143	* Next: VmProcessConfirmed, VmProcessDead. */
144	kSupDrvNtProtectKind_VmProcessUnconfirmed,
145	/** Confirmed VM process.
146	* Next: VmProcessDead. */
147	kSupDrvNtProtectKind_VmProcessConfirmed,
148	/** Dead VM process. */
149	kSupDrvNtProtectKind_VmProcessDead,
150
151	/** End of valid protection kinds. */
152	kSupDrvNtProtectKind_End
153	} SUPDRVNTPROTECTKIND;
154
155	/**
156	* A NT process protection structure.
157	*/
158	typedef struct SUPDRVNTPROTECT
159	{
160	/** The AVL node core structure. The process ID is the pid. */
161	AVLPVNODECORE AvlCore;
162	/** Magic value (SUPDRVNTPROTECT_MAGIC). */
163	uint32_t volatile u32Magic;
164	/** Reference counter. */
165	uint32_t volatile cRefs;
166	/** The kind of process we're protecting. */
167	SUPDRVNTPROTECTKIND volatile enmProcessKind;
168	/** Vista, 7 & 8: Hack to allow more rights to the handle returned by
169	* NtCreateUserProcess. Only applicable to VmProcessUnconfirmed. */
170	bool fFirstProcessCreateHandle : 1;
171	/** Vista, 7 & 8: Hack to allow more rights to the handle returned by
172	* NtCreateUserProcess. Only applicable to VmProcessUnconfirmed. */
173	bool fFirstThreadCreateHandle : 1;
174	/** 8.1: Hack to allow more rights to the handle returned by
175	* NtCreateUserProcess. Only applicable to VmProcessUnconfirmed. */
176	bool fCsrssFirstProcessCreateHandle : 1;
177	/** Vista, 7 & 8: Hack to allow more rights to the handle duplicated by CSR
178	* during process creation. Only applicable to VmProcessUnconfirmed. */
179	bool fCsrssFirstProcessDuplicateHandle : 1;
180	/** 7,: Hack to allow the supid themes service duplicate handle privileges to
181	* our process. */
182	bool fThemesFirstProcessCreateHandle : 1;
183
184	/** The parent PID for VM processes, otherwise NULL. */
185	HANDLE hParentPid;
186	/** The PID of the CSRSS process associated with this process. */
187	HANDLE hCsrssPid;
188	/** Pointer to the CSRSS process structure (referenced). */
189	PEPROCESS pCsrssProcess;
190	/** State dependent data. */
191	union
192	{
193	/** A stub process in the StubParent state will keep a reference to a child
194	* while it's in the VmProcessUnconfirmed state so that it can be cleaned up
195	* correctly if things doesn't work out. */
196	struct SUPDRVNTPROTECT *pChild;
197	/** A process in the VmProcessUnconfirmed state will keep a weak
198	* reference to the parent's protection structure so it can clean up the pChild
199	* refernece the parent has to it. */
200	struct SUPDRVNTPROTECT *pParent;
201	} u;
202	} SUPDRVNTPROTECT;
203	/** Pointer to a NT process protection record. */
204	typedef SUPDRVNTPROTECT *PSUPDRVNTPROTECT;
205	/** The SUPDRVNTPROTECT::u32Magic value (Robert A. Heinlein). */
206	# define SUPDRVNTPROTECT_MAGIC UINT32_C(0x19070707)
207	/** The SUPDRVNTPROTECT::u32Magic value of a dead structure. */
208	# define SUPDRVNTPROTECT_MAGIC_DEAD UINT32_C(0x19880508)
209
210	/** Pointer to ObRegisterCallbacks. */
211	typedef NTSTATUS (NTAPI PFNOBREGISTERCALLBACKS)(POB_CALLBACK_REGISTRATION, PVOID );
212	/** Pointer to ObUnregisterCallbacks. */
213	typedef VOID (NTAPI *PFNOBUNREGISTERCALLBACKS)(PVOID);
214	/** Pointer to PsSetCreateProcessNotifyRoutineEx. */
215	typedef NTSTATUS (NTAPI *PFNPSSETCREATEPROCESSNOTIFYROUTINEEX)(PCREATE_PROCESS_NOTIFY_ROUTINE_EX, BOOLEAN);
216	/** Pointer to PsReferenceProcessFilePointer. */
217	typedef NTSTATUS (NTAPI PFNPSREFERENCEPROCESSFILEPOINTER)(PEPROCESS, PFILE_OBJECT );
218	/** Pointer to PsIsProtectedProcessLight. */
219	typedef BOOLEAN (NTAPI *PFNPSISPROTECTEDPROCESSLIGHT)(PEPROCESS);
220
221	#endif /* VBOX_WITH_HARDENINIG */
222
223
224	/*******************************************************************************
225	* Internal Functions *
226	*******************************************************************************/
227	static void _stdcall VBoxDrvNtUnload(PDRIVER_OBJECT pDrvObj);
228	static NTSTATUS _stdcall VBoxDrvNtCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
229	static NTSTATUS _stdcall VBoxDrvNtCleanup(PDEVICE_OBJECT pDevObj, PIRP pIrp);
230	static NTSTATUS _stdcall VBoxDrvNtClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
231	#ifdef VBOXDRV_WITH_FAST_IO
232	static BOOLEAN _stdcall VBoxDrvNtFastIoDeviceControl(PFILE_OBJECT pFileObj, BOOLEAN fWait, PVOID pvInput, ULONG cbInput,
233	PVOID pvOutput, ULONG cbOutput, ULONG uCmd,
234	PIO_STATUS_BLOCK pIoStatus, PDEVICE_OBJECT pDevObj);
235	#endif
236	static NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
237	static int VBoxDrvNtDeviceControlSlow(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PIRP pIrp, PIO_STACK_LOCATION pStack);
238	static NTSTATUS _stdcall VBoxDrvNtInternalDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
239	static VOID _stdcall VBoxPowerDispatchCallback(PVOID pCallbackContext, PVOID pArgument1, PVOID pArgument2);
240	static NTSTATUS _stdcall VBoxDrvNtNotSupportedStub(PDEVICE_OBJECT pDevObj, PIRP pIrp);
241	static NTSTATUS VBoxDrvNtErr2NtStatus(int rc);
242	#ifdef VBOX_WITH_HARDENING
243	static NTSTATUS supdrvNtProtectInit(void);
244	static void supdrvNtProtectTerm(void);
245	static int supdrvNtProtectCreate(PSUPDRVNTPROTECT *ppNtProtect, HANDLE hPid,
246	SUPDRVNTPROTECTKIND enmProcessKind, bool fLink);
247	static void supdrvNtProtectRelease(PSUPDRVNTPROTECT pNtProtect);
248	static PSUPDRVNTPROTECT supdrvNtProtectLookup(HANDLE hPid);
249	static int supdrvNtProtectFindAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect);
250	static int supdrvNtProtectVerifyProcess(PSUPDRVNTPROTECT pNtProtect);
251
252	static bool supdrvNtIsDebuggerAttached(void);
253	#endif
254
255
256	/*******************************************************************************
257	* Exported Functions *
258	*******************************************************************************/
259	RT_C_DECLS_BEGIN
260	ULONG _stdcall DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath);
261	RT_C_DECLS_END
262
263
264	/*******************************************************************************
265	* Global Variables *
266	*******************************************************************************/
267	/** Pointer to the system device instance. */
268	static PDEVICE_OBJECT g_pDevObjSys = NULL;
269	/** Pointer to the user device instance. */
270	static PDEVICE_OBJECT g_pDevObjUsr = NULL;
271	#ifdef VBOXDRV_WITH_FAST_IO
272	/** Fast I/O dispatch table. */
273	static FAST_IO_DISPATCH const g_VBoxDrvFastIoDispatch =
274	{
275	/* .SizeOfFastIoDispatch = */ sizeof(g_VBoxDrvFastIoDispatch),
276	/* .FastIoCheckIfPossible = */ NULL,
277	/* .FastIoRead = */ NULL,
278	/* .FastIoWrite = */ NULL,
279	/* .FastIoQueryBasicInfo = */ NULL,
280	/* .FastIoQueryStandardInfo = */ NULL,
281	/* .FastIoLock = */ NULL,
282	/* .FastIoUnlockSingle = */ NULL,
283	/* .FastIoUnlockAll = */ NULL,
284	/* .FastIoUnlockAllByKey = */ NULL,
285	/* .FastIoDeviceControl = */ VBoxDrvNtFastIoDeviceControl,
286	/* .AcquireFileForNtCreateSection = */ NULL,
287	/* .ReleaseFileForNtCreateSection = */ NULL,
288	/* .FastIoDetachDevice = */ NULL,
289	/* .FastIoQueryNetworkOpenInfo = */ NULL,
290	/* .AcquireForModWrite = */ NULL,
291	/* .MdlRead = */ NULL,
292	/* .MdlReadComplete = */ NULL,
293	/* .PrepareMdlWrite = */ NULL,
294	/* .MdlWriteComplete = */ NULL,
295	/* .FastIoReadCompressed = */ NULL,
296	/* .FastIoWriteCompressed = */ NULL,
297	/* .MdlReadCompleteCompressed = */ NULL,
298	/* .MdlWriteCompleteCompressed = */ NULL,
299	/* .FastIoQueryOpen = */ NULL,
300	/* .ReleaseForModWrite = */ NULL,
301	/* .AcquireForCcFlush = */ NULL,
302	/* .ReleaseForCcFlush = */ NULL,
303	};
304	#endif /* VBOXDRV_WITH_FAST_IO */
305
306	#ifdef VBOX_WITH_HARDENING
307	/** Pointer to the stub device instance. */
308	static PDEVICE_OBJECT g_pDevObjStub = NULL;
309	/** Spinlock protecting g_NtProtectTree as well as the releasing of protection
310	* structures. */
311	static RTSPINLOCK g_hNtProtectLock = NIL_RTSPINLOCK;
312	/** AVL tree of SUPDRVNTPROTECT structures. */
313	static AVLPVTREE g_NtProtectTree = NULL;
314	/** Cookie returned by ObRegisterCallbacks for the callbacks. */
315	static PVOID g_pvObCallbacksCookie = NULL;
316	/** Combined windows NT version number. See SUP_MAKE_NT_VER_COMBINED. */
317	uint32_t g_uNtVerCombined = 0;
318	/** Pointer to ObRegisterCallbacks if available.. */
319	static PFNOBREGISTERCALLBACKS g_pfnObRegisterCallbacks = NULL;
320	/** Pointer to ObUnregisterCallbacks if available.. */
321	static PFNOBUNREGISTERCALLBACKS g_pfnObUnRegisterCallbacks = NULL;
322	/** Pointer to PsSetCreateProcessNotifyRoutineEx if available.. */
323	static PFNPSSETCREATEPROCESSNOTIFYROUTINEEX g_pfnPsSetCreateProcessNotifyRoutineEx = NULL;
324	/** Pointer to PsReferenceProcessFilePointer if available. */
325	static PFNPSREFERENCEPROCESSFILEPOINTER g_pfnPsReferenceProcessFilePointer = NULL;
326	/** Pointer to PsIsProtectedProcessLight. */
327	static PFNPSISPROTECTEDPROCESSLIGHT g_pfnPsIsProtectedProcessLight = NULL;
328
329	# ifdef RT_ARCH_AMD64
330	extern "C" {
331	/** Pointer to KiServiceLinkage (used to fake missing ZwQueryVirtualMemory on
332	* XP64 / W2K3-64). */
333	PFNRT g_pfnKiServiceLinkage = NULL;
334	/** Pointer to KiServiceInternal (used to fake missing ZwQueryVirtualMemory on
335	* XP64 / W2K3-64) */
336	PFNRT g_pfnKiServiceInternal = NULL;
337	}
338	# endif
339	#endif
340
341
342	/**
343	* Takes care of creating the devices and their symbolic links.
344	*
345	* @returns NT status code.
346	* @param pDrvObj Pointer to driver object.
347	*/
348	static NTSTATUS vboxdrvNtCreateDevices(PDRIVER_OBJECT pDrvObj)
349	{
350	/*
351	* System device.
352	*/
353	UNICODE_STRING DevName;
354	RtlInitUnicodeString(&DevName, DEVICE_NAME_NT_SYS);
355	NTSTATUS rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXT), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_pDevObjSys);
356	if (NT_SUCCESS(rcNt))
357	{
358	/*
359	* User device.
360	*/
361	RtlInitUnicodeString(&DevName, DEVICE_NAME_NT_USR);
362	rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXTUSR), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_pDevObjUsr);
363	if (NT_SUCCESS(rcNt))
364	{
365	PSUPDRVDEVEXTUSR pDevExtUsr = (PSUPDRVDEVEXTUSR)g_pDevObjUsr->DeviceExtension;
366	pDevExtUsr->pMainDrvExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
367	pDevExtUsr->u32Cookie = SUPDRVDEVEXTUSR_COOKIE;
368
369	#ifdef VBOX_WITH_HARDENING
370	/*
371	* Hardened stub device.
372	*/
373	RtlInitUnicodeString(&DevName, DEVICE_NAME_NT_STUB);
374	rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXTSTUB), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_pDevObjStub);
375	if (NT_SUCCESS(rcNt))
376	{
377	if (NT_SUCCESS(rcNt))
378	{
379	PSUPDRVDEVEXTSTUB pDevExtStub = (PSUPDRVDEVEXTSTUB)g_pDevObjStub->DeviceExtension;
380	pDevExtStub->Common.pMainDrvExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
381	pDevExtStub->Common.u32Cookie = SUPDRVDEVEXTSTUB_COOKIE;
382	#endif
383
384	/* Done. */
385	return rcNt;
386	#ifdef VBOX_WITH_HARDENING
387	}
388
389	/* Bail out. */
390	IoDeleteDevice(g_pDevObjStub);
391	g_pDevObjUsr = NULL;
392	}
393	#endif
394	IoDeleteDevice(g_pDevObjUsr);
395	g_pDevObjUsr = NULL;
396	}
397	IoDeleteDevice(g_pDevObjSys);
398	g_pDevObjSys = NULL;
399	}
400	return rcNt;
401	}
402
403	/**
404	* Destroys the devices and links created by vboxdrvNtCreateDevices.
405	*/
406	static void vboxdrvNtDestroyDevices(void)
407	{
408	if (g_pDevObjUsr)
409	{
410	PSUPDRVDEVEXTUSR pDevExtUsr = (PSUPDRVDEVEXTUSR)g_pDevObjUsr->DeviceExtension;
411	pDevExtUsr->pMainDrvExt = NULL;
412	}
413	#ifdef VBOX_WITH_HARDENING
414	if (g_pDevObjStub)
415	{
416	PSUPDRVDEVEXTSTUB pDevExtStub = (PSUPDRVDEVEXTSTUB)g_pDevObjStub->DeviceExtension;
417	pDevExtStub->Common.pMainDrvExt = NULL;
418	}
419	#endif
420
421	#ifdef VBOX_WITH_HARDENING
422	IoDeleteDevice(g_pDevObjStub);
423	g_pDevObjStub = NULL;
424	#endif
425	IoDeleteDevice(g_pDevObjUsr);
426	g_pDevObjUsr = NULL;
427	IoDeleteDevice(g_pDevObjSys);
428	g_pDevObjSys = NULL;
429	}
430
431
432	/**
433	* Driver entry point.
434	*
435	* @returns appropriate status code.
436	* @param pDrvObj Pointer to driver object.
437	* @param pRegPath Registry base path.
438	*/
439	ULONG _stdcall DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath)
440	{
441	/*
442	* Sanity checks.
443	*/
444	#ifdef VBOXDRV_WITH_FAST_IO
445	if (g_VBoxDrvFastIoDispatch.FastIoDeviceControl != VBoxDrvNtFastIoDeviceControl)
446	{
447	DbgPrint("VBoxDrv: FastIoDeviceControl=%p instead of %p\n",
448	g_VBoxDrvFastIoDispatch.FastIoDeviceControl, VBoxDrvNtFastIoDeviceControl);
449	return STATUS_INTERNAL_ERROR;
450	}
451	#endif
452
453	/*
454	* Initialize the runtime (IPRT).
455	*/
456	NTSTATUS rcNt;
457	int vrc = RTR0Init(0);
458	if (RT_SUCCESS(vrc))
459	{
460	Log(("VBoxDrv::DriverEntry\n"));
461
462	#ifdef VBOX_WITH_HARDENING
463	/*
464	* Initialize process protection.
465	*/
466	rcNt = supdrvNtProtectInit();
467	if (NT_SUCCESS(rcNt))
468	#endif
469	{
470	/*
471	* Create device.
472	* (That means creating a device object and a symbolic link so the DOS
473	* subsystems (OS/2, win32, ++) can access the device.)
474	*/
475	rcNt = vboxdrvNtCreateDevices(pDrvObj);
476	if (NT_SUCCESS(rcNt))
477	{
478	/*
479	* Initialize the device extension.
480	*/
481	PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
482	memset(pDevExt, 0, sizeof(*pDevExt));
483
484	vrc = supdrvInitDevExt(pDevExt, sizeof(SUPDRVSESSION));
485	if (!vrc)
486	{
487	/*
488	* Setup the driver entry points in pDrvObj.
489	*/
490	pDrvObj->DriverUnload = VBoxDrvNtUnload;
491	pDrvObj->MajorFunction[IRP_MJ_CREATE] = VBoxDrvNtCreate;
492	pDrvObj->MajorFunction[IRP_MJ_CLEANUP] = VBoxDrvNtCleanup;
493	pDrvObj->MajorFunction[IRP_MJ_CLOSE] = VBoxDrvNtClose;
494	pDrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = VBoxDrvNtDeviceControl;
495	pDrvObj->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = VBoxDrvNtInternalDeviceControl;
496	pDrvObj->MajorFunction[IRP_MJ_READ] = VBoxDrvNtNotSupportedStub;
497	pDrvObj->MajorFunction[IRP_MJ_WRITE] = VBoxDrvNtNotSupportedStub;
498
499	#ifdef VBOXDRV_WITH_FAST_IO
500	/* Fast I/O to speed up guest execution roundtrips. */
501	pDrvObj->FastIoDispatch = (PFAST_IO_DISPATCH)&g_VBoxDrvFastIoDispatch;
502	#endif
503
504	/*
505	* Register ourselves for power state changes. We don't
506	* currently care if this fails.
507	*/
508	UNICODE_STRING CallbackName;
509	RtlInitUnicodeString(&CallbackName, L"\\Callback\\PowerState");
510
511	OBJECT_ATTRIBUTES Attr;
512	InitializeObjectAttributes(&Attr, &CallbackName, OBJ_CASE_INSENSITIVE, NULL, NULL);
513
514	rcNt = ExCreateCallback(&pDevExt->pObjPowerCallback, &Attr, TRUE, TRUE);
515	if (rcNt == STATUS_SUCCESS)
516	pDevExt->hPowerCallback = ExRegisterCallback(pDevExt->pObjPowerCallback,
517	VBoxPowerDispatchCallback,
518	g_pDevObjSys);
519
520	/*
521	* Done! Returning success!
522	*/
523	Log(("VBoxDrv::DriverEntry returning STATUS_SUCCESS\n"));
524	return STATUS_SUCCESS;
525	}
526
527	Log(("supdrvInitDevExit failed with vrc=%d!\n", vrc));
528	rcNt = VBoxDrvNtErr2NtStatus(vrc);
529
530	vboxdrvNtDestroyDevices();
531	}
532	#ifdef VBOX_WITH_HARDENING
533	supdrvNtProtectTerm();
534	#endif
535	}
536	RTTermRunCallbacks(RTTERMREASON_UNLOAD, 0);
537	RTR0Term();
538	}
539	else
540	{
541	Log(("RTR0Init failed with vrc=%d!\n", vrc));
542	rcNt = VBoxDrvNtErr2NtStatus(vrc);
543	}
544	if (NT_SUCCESS(rcNt))
545	rcNt = STATUS_INVALID_PARAMETER;
546	return rcNt;
547	}
548
549
550	/**
551	* Unload the driver.
552	*
553	* @param pDrvObj Driver object.
554	*/
555	void _stdcall VBoxDrvNtUnload(PDRIVER_OBJECT pDrvObj)
556	{
557	PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
558
559	Log(("VBoxDrvNtUnload at irql %d\n", KeGetCurrentIrql()));
560
561	/* Clean up the power callback registration. */
562	if (pDevExt->hPowerCallback)
563	ExUnregisterCallback(pDevExt->hPowerCallback);
564	if (pDevExt->pObjPowerCallback)
565	ObDereferenceObject(pDevExt->pObjPowerCallback);
566
567	/*
568	* We ASSUME that it's not possible to unload a driver with open handles.
569	*/
570	supdrvDeleteDevExt(pDevExt);
571	#ifdef VBOX_WITH_HARDENING
572	supdrvNtProtectTerm();
573	#endif
574	RTTermRunCallbacks(RTTERMREASON_UNLOAD, 0);
575	RTR0Term();
576	vboxdrvNtDestroyDevices();
577
578	NOREF(pDrvObj);
579	}
580
581
582	/**
583	* For simplifying request completion into a simple return statement, extended
584	* version.
585	*
586	* @returns rcNt
587	* @param rcNt The status code.
588	* @param uInfo Extra info value.
589	* @param pIrp The IRP.
590	*/
591	DECLINLINE(NTSTATUS) supdrvNtCompleteRequestEx(NTSTATUS rcNt, ULONG_PTR uInfo, PIRP pIrp)
592	{
593	pIrp->IoStatus.Status = rcNt;
594	pIrp->IoStatus.Information = uInfo;
595	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
596	return rcNt;
597	}
598
599
600	/**
601	* For simplifying request completion into a simple return statement.
602	*
603	* @returns rcNt
604	* @param rcNt The status code.
605	* @param pIrp The IRP.
606	*/
607	DECLINLINE(NTSTATUS) supdrvNtCompleteRequest(NTSTATUS rcNt, PIRP pIrp)
608	{
609	return supdrvNtCompleteRequestEx(rcNt, 0 /uInfo/, pIrp);
610	}
611
612
613	/**
614	* Create (i.e. Open) file entry point.
615	*
616	* @param pDevObj Device object.
617	* @param pIrp Request packet.
618	*/
619	NTSTATUS _stdcall VBoxDrvNtCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
620	{
621	Log(("VBoxDrvNtCreate: RequestorMode=%d\n", pIrp->RequestorMode));
622	PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
623	PFILE_OBJECT pFileObj = pStack->FileObject;
624	PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
625
626	/*
627	* We are not remotely similar to a directory...
628	* (But this is possible.)
629	*/
630	if (pStack->Parameters.Create.Options & FILE_DIRECTORY_FILE)
631	return supdrvNtCompleteRequest(STATUS_NOT_A_DIRECTORY, pIrp);
632
633	/*
634	* Don't create a session for kernel clients, they'll close the handle
635	* immediately and work with the file object via
636	* VBoxDrvNtInternalDeviceControl. The first request will be one to
637	* create a session.
638	*/
639	NTSTATUS rcNt;
640	if (pIrp->RequestorMode == KernelMode)
641	{
642	if (pDevObj == g_pDevObjSys)
643	return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
644
645	rcNt = STATUS_ACCESS_DENIED;
646	}
647	else
648	{
649	#if defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITHOUT_DEBUGGER_CHECKS)
650	/*
651	* Make sure no debuggers are attached to non-user processes.
652	*/
653	if ( pDevObj != g_pDevObjUsr
654	&& supdrvNtIsDebuggerAttached())
655	{
656	LogRel(("vboxdrv: Process %p is being debugged, access to vboxdrv / vboxdrvu declined.\n",
657	PsGetProcessId(PsGetCurrentProcess())));
658	rcNt = STATUS_TRUST_FAILURE;
659	}
660	else
661	#endif
662	{
663	int rc = VINF_SUCCESS;
664
665	#ifdef VBOX_WITH_HARDENING
666	/*
667	* Access to the stub device is only granted to processes which
668	* passes verification.
669	*
670	* Note! The stub device has no need for a SUPDRVSESSION structure,
671	* so the it uses the SUPDRVNTPROTECT directly instead.
672	*/
673	if (pDevObj == g_pDevObjStub)
674	{
675	PSUPDRVNTPROTECT pNtProtect = NULL;
676	rc = supdrvNtProtectCreate(&pNtProtect, PsGetProcessId(PsGetCurrentProcess()),
677	kSupDrvNtProtectKind_StubUnverified, true /fLink/);
678	if (RT_SUCCESS(rc))
679	{
680	rc = supdrvNtProtectFindAssociatedCsrss(pNtProtect);
681	if (RT_SUCCESS(rc))
682	rc = supdrvNtProtectVerifyProcess(pNtProtect);
683	if (RT_SUCCESS(rc))
684	{
685	pFileObj->FsContext = pNtProtect; /* Keeps reference. */
686	return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
687	}
688
689	supdrvNtProtectRelease(pNtProtect);
690	}
691	LogRel(("vboxdrv: Declined %p access to VBoxDrvStub: rc=%d\n", PsGetProcessId(PsGetCurrentProcess()), rc));
692	}
693	/*
694	* Unrestricted access is only granted to a process in the
695	* VmProcessUnconfirmed state that checks out correctly and is
696	* allowed to transition to VmProcessConfirmed. Again, only one
697	* session per process.
698	*/
699	else if (pDevObj != g_pDevObjUsr)
700	{
701	PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(PsGetProcessId(PsGetCurrentProcess()));
702	if (pNtProtect)
703	{
704	if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
705	{
706	rc = supdrvNtProtectVerifyProcess(pNtProtect);
707	if (RT_SUCCESS(rc))
708	{
709	/* Create a session. */
710	PSUPDRVSESSION pSession;
711	rc = supdrvCreateSession(pDevExt, true /fUser/, pDevObj == g_pDevObjSys /fUnrestricted/,
712	&pSession);
713	if (RT_SUCCESS(rc))
714	{
715	rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
716	supdrvSessionRelease(pSession);
717	if (RT_SUCCESS(rc))
718	{
719	pSession->pNtProtect = pNtProtect; /* Keeps reference. */
720	return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
721	}
722	}
723
724	/* No second attempt. */
725	RTSpinlockAcquire(g_hNtProtectLock);
726	if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessConfirmed)
727	pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
728	RTSpinlockRelease(g_hNtProtectLock);
729
730	LogRel(("vboxdrv: supdrvCreateSession failed for process %p: rc=%d.\n",
731	PsGetProcessId(PsGetCurrentProcess()), rc));
732	}
733	else
734	LogRel(("vboxdrv: Process %p failed process verification: rc=%d.\n",
735	PsGetProcessId(PsGetCurrentProcess()), rc));
736	}
737	else
738	{
739	LogRel(("vboxdrv: %p is not a budding VM process (enmProcessKind=%d).\n",
740	PsGetProcessId(PsGetCurrentProcess()), pNtProtect->enmProcessKind));
741	rc = VERR_ACCESS_DENIED;
742	}
743	supdrvNtProtectRelease(pNtProtect);
744	}
745	else
746	{
747	LogRel(("vboxdrv: %p is not a budding VM process.\n", PsGetProcessId(PsGetCurrentProcess())));
748	rc = VERR_ACCESS_DENIED;
749	}
750	}
751	/*
752	* Call common code to create an unprivileged session.
753	*/
754	else
755	{
756	PSUPDRVSESSION pSession;
757	rc = supdrvCreateSession(pDevExt, true /fUser/, false /fUnrestricted/, &pSession);
758	if (RT_SUCCESS(rc))
759	{
760	rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
761	supdrvSessionRelease(pSession);
762	if (RT_SUCCESS(rc))
763	{
764	pFileObj->FsContext = pSession; /* Keeps reference. No race. */
765	pSession->pNtProtect = NULL;
766	return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
767	}
768	}
769	}
770
771	#else /* !VBOX_WITH_HARDENING */
772	/*
773	* Call common code to create a session.
774	*/
775	pFileObj->FsContext = NULL;
776	PSUPDRVSESSION pSession;
777	rc = supdrvCreateSession(pDevExt, true /fUser/, pDevObj == g_pDevObjSys /fUnrestricted/, &pSession);
778	if (RT_SUCCESS(rc))
779	{
780	rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
781	supdrvSessionRelease(pSession);
782	if (RT_SUCCESS(rc))
783	return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
784
785	}
786	#endif /* !VBOX_WITH_HARDENING */
787
788	/* bail out */
789	rcNt = VBoxDrvNtErr2NtStatus(rc);
790	}
791	}
792
793	Assert(!NT_SUCCESS(rcNt));
794	pFileObj->FsContext = NULL;
795	return supdrvNtCompleteRequest(rcNt, pIrp); /* Note. the IoStatus is completely ignored on error. */
796	}
797
798
799	/**
800	* Clean up file handle entry point.
801	*
802	* @param pDevObj Device object.
803	* @param pIrp Request packet.
804	*/
805	NTSTATUS _stdcall VBoxDrvNtCleanup(PDEVICE_OBJECT pDevObj, PIRP pIrp)
806	{
807	PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
808	PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
809	PFILE_OBJECT pFileObj = pStack->FileObject;
810
811	#ifdef VBOX_WITH_HARDENING
812	if (pDevObj == g_pDevObjStub)
813	{
814	PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)pFileObj->FsContext;
815	Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pNtProtect=%p\n", pDevExt, pFileObj, pNtProtect));
816	if (pNtProtect)
817	{
818	supdrvNtProtectRelease(pNtProtect);
819	pFileObj->FsContext = NULL;
820	}
821	}
822	else
823	#endif
824	{
825	PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
826	(PSUPDRVSESSION *)&pFileObj->FsContext);
827	Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pSession=%p\n", pDevExt, pFileObj, pSession));
828	if (pSession)
829	{
830	supdrvSessionHashTabRemove(pDevExt, pSession, NULL);
831	supdrvSessionRelease(pSession); /* Drops the reference from supdrvSessionHashTabLookup. */
832	}
833	}
834
835	return supdrvNtCompleteRequest(STATUS_SUCCESS, pIrp);
836	}
837
838
839	/**
840	* Close file entry point.
841	*
842	* @param pDevObj Device object.
843	* @param pIrp Request packet.
844	*/
845	NTSTATUS _stdcall VBoxDrvNtClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
846	{
847	PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
848	PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
849	PFILE_OBJECT pFileObj = pStack->FileObject;
850
851	#ifdef VBOX_WITH_HARDENING
852	if (pDevObj == g_pDevObjStub)
853	{
854	PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)pFileObj->FsContext;
855	Log(("VBoxDrvNtClose: pDevExt=%p pFileObj=%p pNtProtect=%p\n", pDevExt, pFileObj, pNtProtect));
856	if (pNtProtect)
857	{
858	supdrvNtProtectRelease(pNtProtect);
859	pFileObj->FsContext = NULL;
860	}
861	}
862	else
863	#endif
864	{
865	PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
866	(PSUPDRVSESSION *)&pFileObj->FsContext);
867	Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pSession=%p\n", pDevExt, pFileObj, pSession));
868	if (pSession)
869	{
870	supdrvSessionHashTabRemove(pDevExt, pSession, NULL);
871	supdrvSessionRelease(pSession); /* Drops the reference from supdrvSessionHashTabLookup. */
872	}
873	}
874
875	return supdrvNtCompleteRequest(STATUS_SUCCESS, pIrp);
876	}
877
878
879	#ifdef VBOXDRV_WITH_FAST_IO
880	/**
881	* Fast I/O device control callback.
882	*
883	* This performs no buffering, neither on the way in or out.
884	*
885	* @returns TRUE if handled, FALSE if the normal I/O control routine should be
886	* called.
887	* @param pFileObj The file object.
888	* @param fWait Whether it's a blocking call
889	* @param pvInput The input buffer as specified by the user.
890	* @param cbInput The size of the input buffer.
891	* @param pvOutput The output buffer as specfied by the user.
892	* @param cbOutput The size of the output buffer.
893	* @param uFunction The function.
894	* @param pIoStatus Where to return the status of the operation.
895	* @param pDevObj The device object..
896	*/
897	static BOOLEAN _stdcall VBoxDrvNtFastIoDeviceControl(PFILE_OBJECT pFileObj, BOOLEAN fWait, PVOID pvInput, ULONG cbInput,
898	PVOID pvOutput, ULONG cbOutput, ULONG uCmd,
899	PIO_STATUS_BLOCK pIoStatus, PDEVICE_OBJECT pDevObj)
900	{
901	PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
902
903	/*
904	* Check the input a little bit and get a the session references.
905	*/
906	PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
907	(PSUPDRVSESSION *)&pFileObj->FsContext);
908	if (!pSession)
909	{
910	pIoStatus->Status = STATUS_TRUST_FAILURE;
911	pIoStatus->Information = 0;
912	return TRUE;
913	}
914
915	if (pSession->fUnrestricted)
916	{
917	#if defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITHOUT_DEBUGGER_CHECKS)
918	if (supdrvNtIsDebuggerAttached())
919	{
920	pIoStatus->Status = STATUS_TRUST_FAILURE;
921	pIoStatus->Information = 0;
922	supdrvSessionRelease(pSession);
923	return TRUE;
924	}
925	#endif
926
927	/*
928	* Deal with the 2-3 high-speed IOCtl that takes their arguments from
929	* the session and iCmd, and does not return anything.
930	*/
931	if ( uCmd == SUP_IOCTL_FAST_DO_RAW_RUN
932	\|\| uCmd == SUP_IOCTL_FAST_DO_HM_RUN
933	\|\| uCmd == SUP_IOCTL_FAST_DO_NOP)
934	{
935	int rc = supdrvIOCtlFast(uCmd, (unsigned)(uintptr_t)pvOutput/* VMCPU id */, pDevExt, pSession);
936	pIoStatus->Status = RT_SUCCESS(rc) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
937	pIoStatus->Information = 0; /* Could be used to pass rc if we liked. */
938	supdrvSessionRelease(pSession);
939	return TRUE;
940	}
941	}
942
943	/*
944	* The normal path.
945	*/
946	NTSTATUS rcNt;
947	unsigned cbOut = 0;
948	int rc = 0;
949	Log2(("VBoxDrvNtFastIoDeviceControl(%p): ioctl=%#x pvIn=%p cbIn=%#x pvOut=%p cbOut=%#x pSession=%p\n",
950	pDevExt, uCmd, pvInput, cbInput, pvOutput, cbOutput, pSession));
951
952	# ifdef RT_ARCH_AMD64
953	/* Don't allow 32-bit processes to do any I/O controls. */
954	if (!IoIs32bitProcess(NULL))
955	# endif
956	{
957	/*
958	* In this fast I/O device control path we have to do our own buffering.
959	*/
960	/* Verify that the I/O control function matches our pattern. */
961	if ((uCmd & 0x3) == METHOD_BUFFERED)
962	{
963	/* Get the header so we can validate it a little bit against the
964	parameters before allocating any memory kernel for the reqest. */
965	SUPREQHDR Hdr;
966	if (cbInput >= sizeof(Hdr) && cbOutput >= sizeof(Hdr))
967	{
968	__try
969	{
970	RtlCopyMemory(&Hdr, pvInput, sizeof(Hdr));
971	rcNt = STATUS_SUCCESS;
972	}
973	__except(EXCEPTION_EXECUTE_HANDLER)
974	{
975	rcNt = GetExceptionCode();
976	}
977	}
978	else
979	rcNt = STATUS_INVALID_PARAMETER;
980	if (NT_SUCCESS(rcNt))
981	{
982	/* Verify that the sizes in the request header are correct. */
983	ULONG cbBuf = RT_MAX(cbInput, cbOutput);
984	if ( cbInput == Hdr.cbIn
985	&& cbOutput == Hdr.cbOut
986	&& cbBuf < _1M*16)
987	{
988	/* Allocate a buffer and copy all the input into it. */
989	PSUPREQHDR pHdr = (PSUPREQHDR)ExAllocatePoolWithTag(NonPagedPool, cbBuf, 'VBox');
990	if (pHdr)
991	{
992	__try
993	{
994	RtlCopyMemory(pHdr, pvInput, cbInput);
995	if (cbInput < cbBuf)
996	RtlZeroMemory((uint8_t *)pHdr + cbInput, cbBuf - cbInput);
997	rcNt = STATUS_SUCCESS;
998	}
999	__except(EXCEPTION_EXECUTE_HANDLER)
1000	{
1001	rcNt = GetExceptionCode();
1002	}
1003	}
1004	else
1005	rcNt = STATUS_NO_MEMORY;
1006	if (NT_SUCCESS(rcNt))
1007	{
1008	/*
1009	* Now call the common code to do the real work.
1010	*/
1011	rc = supdrvIOCtl(uCmd, pDevExt, pSession, pHdr);
1012	if (RT_SUCCESS(rc))
1013	{
1014	/*
1015	* Copy back the result.
1016	*/
1017	cbOut = pHdr->cbOut;
1018	if (cbOut > cbOutput)
1019	{
1020	cbOut = cbOutput;
1021	OSDBGPRINT(("VBoxDrvNtFastIoDeviceControl: too much output! %#x > %#x; uCmd=%#x!\n",
1022	pHdr->cbOut, cbOut, uCmd));
1023	}
1024	if (cbOut)
1025	{
1026	__try
1027	{
1028	RtlCopyMemory(pvOutput, pHdr, cbOut);
1029	rcNt = STATUS_SUCCESS;
1030	}
1031	__except(EXCEPTION_EXECUTE_HANDLER)
1032	{
1033	rcNt = GetExceptionCode();
1034	}
1035	}
1036	else
1037	rcNt = STATUS_SUCCESS;
1038	}
1039	else if (rc == VERR_INVALID_PARAMETER)
1040	rcNt = STATUS_INVALID_PARAMETER;
1041	else
1042	rcNt = STATUS_NOT_SUPPORTED;
1043	Log2(("VBoxDrvNtFastIoDeviceControl: returns %#x cbOut=%d rc=%#x\n", rcNt, cbOut, rc));
1044	}
1045	ExFreePoolWithTag(pHdr, 'VBox');
1046	}
1047	else
1048	{
1049	Log(("VBoxDrvNtFastIoDeviceControl: Mismatching sizes (%#x) - Hdr=%#lx/%#lx Irp=%#lx/%#lx!\n",
1050	uCmd, Hdr.cbIn, Hdr.cbOut, cbInput, cbOutput));
1051	rcNt = STATUS_INVALID_PARAMETER;
1052	}
1053	}
1054	}
1055	else
1056	{
1057	Log(("VBoxDrvNtFastIoDeviceControl: not buffered request (%#x) - not supported\n", uCmd));
1058	rcNt = STATUS_NOT_SUPPORTED;
1059	}
1060	}
1061	# ifdef RT_ARCH_AMD64
1062	else
1063	{
1064	Log(("VBoxDrvNtFastIoDeviceControl: WOW64 req - not supported\n"));
1065	rcNt = STATUS_NOT_SUPPORTED;
1066	}
1067	# endif
1068
1069	/* complete the request. */
1070	pIoStatus->Status = rcNt;
1071	pIoStatus->Information = cbOut;
1072	supdrvSessionRelease(pSession);
1073	return TRUE; /* handled. */
1074	}
1075	#endif /* VBOXDRV_WITH_FAST_IO */
1076
1077
1078	/**
1079	* Device I/O Control entry point.
1080	*
1081	* @param pDevObj Device object.
1082	* @param pIrp Request packet.
1083	*/
1084	NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1085	{
1086	VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_DEV(pDevObj, pIrp);
1087
1088	PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
1089	PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
1090	PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
1091	(PSUPDRVSESSION *)&pStack->FileObject->FsContext);
1092
1093	if (!RT_VALID_PTR(pSession))
1094	return supdrvNtCompleteRequest(STATUS_TRUST_FAILURE, pIrp);
1095
1096	/*
1097	* Deal with the 2-3 high-speed IOCtl that takes their arguments from
1098	* the session and iCmd, and does not return anything.
1099	*/
1100	if (pSession->fUnrestricted)
1101	{
1102	#if defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITHOUT_DEBUGGER_CHECKS)
1103	if (supdrvNtIsDebuggerAttached())
1104	{
1105	supdrvSessionRelease(pSession);
1106	return supdrvNtCompleteRequest(STATUS_TRUST_FAILURE, pIrp);
1107	}
1108	#endif
1109
1110	ULONG ulCmd = pStack->Parameters.DeviceIoControl.IoControlCode;
1111	if ( ulCmd == SUP_IOCTL_FAST_DO_RAW_RUN
1112	\|\| ulCmd == SUP_IOCTL_FAST_DO_HM_RUN
1113	\|\| ulCmd == SUP_IOCTL_FAST_DO_NOP)
1114	{
1115	int rc = supdrvIOCtlFast(ulCmd, (unsigned)(uintptr_t)pIrp->UserBuffer /* VMCPU id */, pDevExt, pSession);
1116
1117	/* Complete the I/O request. */
1118	supdrvSessionRelease(pSession);
1119	return supdrvNtCompleteRequest(RT_SUCCESS(rc) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER, pIrp);
1120	}
1121	}
1122
1123	return VBoxDrvNtDeviceControlSlow(pDevExt, pSession, pIrp, pStack);
1124	}
1125
1126
1127	/**
1128	* Worker for VBoxDrvNtDeviceControl that takes the slow IOCtl functions.
1129	*
1130	* @returns NT status code.
1131	*
1132	* @param pDevObj Device object.
1133	* @param pSession The session.
1134	* @param pIrp Request packet.
1135	* @param pStack The stack location containing the DeviceControl parameters.
1136	*/
1137	static int VBoxDrvNtDeviceControlSlow(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PIRP pIrp, PIO_STACK_LOCATION pStack)
1138	{
1139	NTSTATUS rcNt;
1140	unsigned cbOut = 0;
1141	int rc = 0;
1142	Log2(("VBoxDrvNtDeviceControlSlow(%p,%p): ioctl=%#x pBuf=%p cbIn=%#x cbOut=%#x pSession=%p\n",
1143	pDevExt, pIrp, pStack->Parameters.DeviceIoControl.IoControlCode,
1144	pIrp->AssociatedIrp.SystemBuffer, pStack->Parameters.DeviceIoControl.InputBufferLength,
1145	pStack->Parameters.DeviceIoControl.OutputBufferLength, pSession));
1146
1147	#ifdef RT_ARCH_AMD64
1148	/* Don't allow 32-bit processes to do any I/O controls. */
1149	if (!IoIs32bitProcess(pIrp))
1150	#endif
1151	{
1152	/* Verify that it's a buffered CTL. */
1153	if ((pStack->Parameters.DeviceIoControl.IoControlCode & 0x3) == METHOD_BUFFERED)
1154	{
1155	/* Verify that the sizes in the request header are correct. */
1156	PSUPREQHDR pHdr = (PSUPREQHDR)pIrp->AssociatedIrp.SystemBuffer;
1157	if ( pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr)
1158	&& pStack->Parameters.DeviceIoControl.InputBufferLength == pHdr->cbIn
1159	&& pStack->Parameters.DeviceIoControl.OutputBufferLength == pHdr->cbOut)
1160	{
1161	/*
1162	* Do the job.
1163	*/
1164	rc = supdrvIOCtl(pStack->Parameters.DeviceIoControl.IoControlCode, pDevExt, pSession, pHdr);
1165	if (!rc)
1166	{
1167	rcNt = STATUS_SUCCESS;
1168	cbOut = pHdr->cbOut;
1169	if (cbOut > pStack->Parameters.DeviceIoControl.OutputBufferLength)
1170	{
1171	cbOut = pStack->Parameters.DeviceIoControl.OutputBufferLength;
1172	OSDBGPRINT(("VBoxDrvLinuxIOCtl: too much output! %#x > %#x; uCmd=%#x!\n",
1173	pHdr->cbOut, cbOut, pStack->Parameters.DeviceIoControl.IoControlCode));
1174	}
1175	}
1176	else
1177	rcNt = STATUS_INVALID_PARAMETER;
1178	Log2(("VBoxDrvNtDeviceControlSlow: returns %#x cbOut=%d rc=%#x\n", rcNt, cbOut, rc));
1179	}
1180	else
1181	{
1182	Log(("VBoxDrvNtDeviceControlSlow: Mismatching sizes (%#x) - Hdr=%#lx/%#lx Irp=%#lx/%#lx!\n",
1183	pStack->Parameters.DeviceIoControl.IoControlCode,
1184	pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr) ? pHdr->cbIn : 0,
1185	pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr) ? pHdr->cbOut : 0,
1186	pStack->Parameters.DeviceIoControl.InputBufferLength,
1187	pStack->Parameters.DeviceIoControl.OutputBufferLength));
1188	rcNt = STATUS_INVALID_PARAMETER;
1189	}
1190	}
1191	else
1192	{
1193	Log(("VBoxDrvNtDeviceControlSlow: not buffered request (%#x) - not supported\n",
1194	pStack->Parameters.DeviceIoControl.IoControlCode));
1195	rcNt = STATUS_NOT_SUPPORTED;
1196	}
1197	}
1198	#ifdef RT_ARCH_AMD64
1199	else
1200	{
1201	Log(("VBoxDrvNtDeviceControlSlow: WOW64 req - not supported\n"));
1202	rcNt = STATUS_NOT_SUPPORTED;
1203	}
1204	#endif
1205
1206	/* complete the request. */
1207	pIrp->IoStatus.Status = rcNt;
1208	pIrp->IoStatus.Information = cbOut;
1209	supdrvSessionRelease(pSession);
1210	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1211	return rcNt;
1212	}
1213
1214
1215	/**
1216	* Internal Device I/O Control entry point, used for IDC.
1217	*
1218	* @param pDevObj Device object.
1219	* @param pIrp Request packet.
1220	*/
1221	NTSTATUS _stdcall VBoxDrvNtInternalDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1222	{
1223	VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_DEV(pDevObj, pIrp);
1224
1225	PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
1226	PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
1227	PFILE_OBJECT pFileObj = pStack ? pStack->FileObject : NULL;
1228	PSUPDRVSESSION pSession = pFileObj ? (PSUPDRVSESSION)pFileObj->FsContext : NULL;
1229	NTSTATUS rcNt;
1230	unsigned cbOut = 0;
1231	int rc = 0;
1232	Log2(("VBoxDrvNtInternalDeviceControl(%p,%p): ioctl=%#x pBuf=%p cbIn=%#x cbOut=%#x pSession=%p\n",
1233	pDevExt, pIrp, pStack->Parameters.DeviceIoControl.IoControlCode,
1234	pIrp->AssociatedIrp.SystemBuffer, pStack->Parameters.DeviceIoControl.InputBufferLength,
1235	pStack->Parameters.DeviceIoControl.OutputBufferLength, pSession));
1236
1237	/* Verify that it's a buffered CTL. */
1238	if ((pStack->Parameters.DeviceIoControl.IoControlCode & 0x3) == METHOD_BUFFERED)
1239	{
1240	/* Verify the pDevExt in the session. */
1241	if ( pStack->Parameters.DeviceIoControl.IoControlCode != SUPDRV_IDC_REQ_CONNECT
1242	? VALID_PTR(pSession) && pSession->pDevExt == pDevExt
1243	: !pSession
1244	)
1245	{
1246	/* Verify that the size in the request header is correct. */
1247	PSUPDRVIDCREQHDR pHdr = (PSUPDRVIDCREQHDR)pIrp->AssociatedIrp.SystemBuffer;
1248	if ( pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr)
1249	&& pStack->Parameters.DeviceIoControl.InputBufferLength == pHdr->cb
1250	&& pStack->Parameters.DeviceIoControl.OutputBufferLength == pHdr->cb)
1251	{
1252	/*
1253	* Call the generic code.
1254	*
1255	* Note! Connect and disconnect requires some extra attention
1256	* in order to get the session handling right.
1257	*/
1258	if (pStack->Parameters.DeviceIoControl.IoControlCode == SUPDRV_IDC_REQ_DISCONNECT)
1259	pFileObj->FsContext = NULL;
1260
1261	rc = supdrvIDC(pStack->Parameters.DeviceIoControl.IoControlCode, pDevExt, pSession, pHdr);
1262	if (!rc)
1263	{
1264	if (pStack->Parameters.DeviceIoControl.IoControlCode == SUPDRV_IDC_REQ_CONNECT)
1265	pFileObj->FsContext = ((PSUPDRVIDCREQCONNECT)pHdr)->u.Out.pSession;
1266
1267	rcNt = STATUS_SUCCESS;
1268	cbOut = pHdr->cb;
1269	}
1270	else
1271	{
1272	rcNt = STATUS_INVALID_PARAMETER;
1273	if (pStack->Parameters.DeviceIoControl.IoControlCode == SUPDRV_IDC_REQ_DISCONNECT)
1274	pFileObj->FsContext = pSession;
1275	}
1276	Log2(("VBoxDrvNtInternalDeviceControl: returns %#x/rc=%#x\n", rcNt, rc));
1277	}
1278	else
1279	{
1280	Log(("VBoxDrvNtInternalDeviceControl: Mismatching sizes (%#x) - Hdr=%#lx Irp=%#lx/%#lx!\n",
1281	pStack->Parameters.DeviceIoControl.IoControlCode,
1282	pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr) ? pHdr->cb : 0,
1283	pStack->Parameters.DeviceIoControl.InputBufferLength,
1284	pStack->Parameters.DeviceIoControl.OutputBufferLength));
1285	rcNt = STATUS_INVALID_PARAMETER;
1286	}
1287	}
1288	else
1289	rcNt = STATUS_NOT_SUPPORTED;
1290	}
1291	else
1292	{
1293	Log(("VBoxDrvNtInternalDeviceControl: not buffered request (%#x) - not supported\n",
1294	pStack->Parameters.DeviceIoControl.IoControlCode));
1295	rcNt = STATUS_NOT_SUPPORTED;
1296	}
1297
1298	/* complete the request. */
1299	pIrp->IoStatus.Status = rcNt;
1300	pIrp->IoStatus.Information = cbOut;
1301	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1302	return rcNt;
1303	}
1304
1305
1306	/**
1307	* Stub function for functions we don't implemented.
1308	*
1309	* @returns STATUS_NOT_SUPPORTED
1310	* @param pDevObj Device object.
1311	* @param pIrp IRP.
1312	*/
1313	NTSTATUS _stdcall VBoxDrvNtNotSupportedStub(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1314	{
1315	Log(("VBoxDrvNtNotSupportedStub\n"));
1316	NOREF(pDevObj);
1317
1318	pIrp->IoStatus.Information = 0;
1319	pIrp->IoStatus.Status = STATUS_NOT_SUPPORTED;
1320	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1321
1322	return STATUS_NOT_SUPPORTED;
1323	}
1324
1325
1326	/**
1327	* ExRegisterCallback handler for power events
1328	*
1329	* @param pCallbackContext User supplied parameter (pDevObj)
1330	* @param pArgument1 First argument
1331	* @param pArgument2 Second argument
1332	*/
1333	VOID _stdcall VBoxPowerDispatchCallback(PVOID pCallbackContext, PVOID pArgument1, PVOID pArgument2)
1334	{
1335	PDEVICE_OBJECT pDevObj = (PDEVICE_OBJECT)pCallbackContext;
1336
1337	Log(("VBoxPowerDispatchCallback: %x %x\n", pArgument1, pArgument2));
1338
1339	/* Power change imminent? */
1340	if ((unsigned)pArgument1 == PO_CB_SYSTEM_STATE_LOCK)
1341	{
1342	if ((unsigned)pArgument2 == 0)
1343	Log(("VBoxPowerDispatchCallback: about to go into suspend mode!\n"));
1344	else
1345	Log(("VBoxPowerDispatchCallback: resumed!\n"));
1346
1347	/* Inform any clients that have registered themselves with IPRT. */
1348	RTPowerSignalEvent(((unsigned)pArgument2 == 0) ? RTPOWEREVENT_SUSPEND : RTPOWEREVENT_RESUME);
1349	}
1350	}
1351
1352
1353	/**
1354	* Called to clean up the session structure before it's freed.
1355	*
1356	* @param pDevExt The device globals.
1357	* @param pSession The session that's being cleaned up.
1358	*/
1359	void VBOXCALL supdrvOSCleanupSession(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession)
1360	{
1361	#ifdef VBOX_WITH_HARDENING
1362	if (pSession->pNtProtect)
1363	{
1364	supdrvNtProtectRelease(pSession->pNtProtect);
1365	pSession->pNtProtect = NULL;
1366	}
1367	#endif
1368	}
1369
1370
1371	void VBOXCALL supdrvOSSessionHashTabInserted(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, void *pvUser)
1372	{
1373	NOREF(pDevExt); NOREF(pSession); NOREF(pvUser);
1374	}
1375
1376
1377	void VBOXCALL supdrvOSSessionHashTabRemoved(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, void *pvUser)
1378	{
1379	NOREF(pDevExt); NOREF(pSession); NOREF(pvUser);
1380	}
1381
1382
1383	/**
1384	* Initializes any OS specific object creator fields.
1385	*/
1386	void VBOXCALL supdrvOSObjInitCreator(PSUPDRVOBJ pObj, PSUPDRVSESSION pSession)
1387	{
1388	NOREF(pObj);
1389	NOREF(pSession);
1390	}
1391
1392
1393	/**
1394	* Checks if the session can access the object.
1395	*
1396	* @returns true if a decision has been made.
1397	* @returns false if the default access policy should be applied.
1398	*
1399	* @param pObj The object in question.
1400	* @param pSession The session wanting to access the object.
1401	* @param pszObjName The object name, can be NULL.
1402	* @param prc Where to store the result when returning true.
1403	*/
1404	bool VBOXCALL supdrvOSObjCanAccess(PSUPDRVOBJ pObj, PSUPDRVSESSION pSession, const char pszObjName, int prc)
1405	{
1406	NOREF(pObj);
1407	NOREF(pSession);
1408	NOREF(pszObjName);
1409	NOREF(prc);
1410	return false;
1411	}
1412
1413
1414	/**
1415	* Force async tsc mode (stub).
1416	*/
1417	bool VBOXCALL supdrvOSGetForcedAsyncTscMode(PSUPDRVDEVEXT pDevExt)
1418	{
1419	return false;
1420	}
1421
1422
1423	#define MY_SystemLoadGdiDriverInSystemSpaceInformation 54
1424	#define MY_SystemUnloadGdiDriverInformation 27
1425
1426	typedef struct MYSYSTEMGDIDRIVERINFO
1427	{
1428	UNICODE_STRING Name; /*< In: image file name. /
1429	PVOID ImageAddress; /*< Out: the load address. /
1430	PVOID SectionPointer; /*< Out: section object. /
1431	PVOID EntryPointer; /*< Out: entry point address. /
1432	PVOID ExportSectionPointer; /*< Out: export directory/section. /
1433	ULONG ImageLength; /*< Out: SizeOfImage. /
1434	} MYSYSTEMGDIDRIVERINFO;
1435
1436	extern "C" __declspec(dllimport) NTSTATUS NTAPI ZwSetSystemInformation(ULONG, PVOID, ULONG);
1437
1438	int VBOXCALL supdrvOSLdrOpen(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, const char *pszFilename)
1439	{
1440	pImage->pvNtSectionObj = NULL;
1441	pImage->hMemLock = NIL_RTR0MEMOBJ;
1442
1443	#ifdef VBOX_WITHOUT_NATIVE_R0_LOADER
1444	# ifndef RT_ARCH_X86
1445	# error "VBOX_WITHOUT_NATIVE_R0_LOADER is only safe on x86."
1446	# endif
1447	NOREF(pDevExt); NOREF(pszFilename); NOREF(pImage);
1448	return VERR_NOT_SUPPORTED;
1449
1450	#else
1451	/*
1452	* Convert the filename from DOS UTF-8 to NT UTF-16.
1453	*/
1454	size_t cwcFilename;
1455	int rc = RTStrCalcUtf16LenEx(pszFilename, RTSTR_MAX, &cwcFilename);
1456	if (RT_FAILURE(rc))
1457	return rc;
1458
1459	PRTUTF16 pwcsFilename = (PRTUTF16)RTMemTmpAlloc((4 + cwcFilename + 1) * sizeof(RTUTF16));
1460	if (!pwcsFilename)
1461	return VERR_NO_TMP_MEMORY;
1462
1463	pwcsFilename[0] = '\\';
1464	pwcsFilename[1] = '?';
1465	pwcsFilename[2] = '?';
1466	pwcsFilename[3] = '\\';
1467	PRTUTF16 pwcsTmp = &pwcsFilename[4];
1468	rc = RTStrToUtf16Ex(pszFilename, RTSTR_MAX, &pwcsTmp, cwcFilename + 1, NULL);
1469	if (RT_SUCCESS(rc))
1470	{
1471	/*
1472	* Try load it.
1473	*/
1474	MYSYSTEMGDIDRIVERINFO Info;
1475	RtlInitUnicodeString(&Info.Name, pwcsFilename);
1476	Info.ImageAddress = NULL;
1477	Info.SectionPointer = NULL;
1478	Info.EntryPointer = NULL;
1479	Info.ExportSectionPointer = NULL;
1480	Info.ImageLength = 0;
1481
1482	NTSTATUS rcNt = ZwSetSystemInformation(MY_SystemLoadGdiDriverInSystemSpaceInformation, &Info, sizeof(Info));
1483	if (NT_SUCCESS(rcNt))
1484	{
1485	pImage->pvImage = Info.ImageAddress;
1486	pImage->pvNtSectionObj = Info.SectionPointer;
1487	Log(("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ls'\n",
1488	Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer));
1489	# ifdef DEBUG_bird
1490	SUPR0Printf("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ws'\n",
1491	Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer);
1492	# endif
1493	if (pImage->cbImageBits == Info.ImageLength)
1494	{
1495	/*
1496	* Lock down the entire image, just to be on the safe side.
1497	*/
1498	rc = RTR0MemObjLockKernel(&pImage->hMemLock, pImage->pvImage, pImage->cbImageBits, RTMEM_PROT_READ);
1499	if (RT_FAILURE(rc))
1500	{
1501	pImage->hMemLock = NIL_RTR0MEMOBJ;
1502	supdrvOSLdrUnload(pDevExt, pImage);
1503	}
1504	}
1505	else
1506	{
1507	supdrvOSLdrUnload(pDevExt, pImage);
1508	rc = VERR_LDR_MISMATCH_NATIVE;
1509	}
1510	}
1511	else
1512	{
1513	Log(("rcNt=%#x '%ls'\n", rcNt, pwcsFilename));
1514	SUPR0Printf("VBoxDrv: rcNt=%x '%ws'\n", rcNt, pwcsFilename);
1515	switch (rcNt)
1516	{
1517	case /* 0xc0000003 */ STATUS_INVALID_INFO_CLASS:
1518	# ifdef RT_ARCH_AMD64
1519	/* Unwind will crash and BSOD, so no fallback here! */
1520	rc = VERR_NOT_IMPLEMENTED;
1521	# else
1522	/*
1523	* Use the old way of loading the modules.
1524	*
1525	* Note! We do NOT try class 26 because it will probably
1526	* not work correctly on terminal servers and such.
1527	*/
1528	rc = VERR_NOT_SUPPORTED;
1529	# endif
1530	break;
1531	case /* 0xc0000034 */ STATUS_OBJECT_NAME_NOT_FOUND:
1532	rc = VERR_MODULE_NOT_FOUND;
1533	break;
1534	case /* 0xC0000263 */ STATUS_DRIVER_ENTRYPOINT_NOT_FOUND:
1535	rc = VERR_LDR_IMPORTED_SYMBOL_NOT_FOUND;
1536	break;
1537	case /* 0xC0000428 */ STATUS_INVALID_IMAGE_HASH:
1538	rc = VERR_LDR_IMAGE_HASH;
1539	break;
1540	case /* 0xC000010E */ STATUS_IMAGE_ALREADY_LOADED:
1541	Log(("WARNING: see @bugref{4853} for cause of this failure on Windows 7 x64\n"));
1542	rc = VERR_ALREADY_LOADED;
1543	break;
1544	default:
1545	rc = VERR_LDR_GENERAL_FAILURE;
1546	break;
1547	}
1548
1549	pImage->pvNtSectionObj = NULL;
1550	}
1551	}
1552
1553	RTMemTmpFree(pwcsFilename);
1554	NOREF(pDevExt);
1555	return rc;
1556	#endif
1557	}
1558
1559
1560	void VBOXCALL supdrvOSLdrNotifyOpened(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage)
1561	{
1562	NOREF(pDevExt); NOREF(pImage);
1563	}
1564
1565
1566	int VBOXCALL supdrvOSLdrValidatePointer(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, void pv, const uint8_t pbImageBits)
1567	{
1568	NOREF(pDevExt); NOREF(pImage); NOREF(pv); NOREF(pbImageBits);
1569	return VINF_SUCCESS;
1570	}
1571
1572
1573	/**
1574	* memcmp + log.
1575	*
1576	* @returns Same as memcmp.
1577	* @param pImage The image.
1578	* @param pbImageBits The image bits ring-3 uploads.
1579	* @param uRva The RVA to start comparing at.
1580	* @param cb The number of bytes to compare.
1581	*/
1582	static int supdrvNtCompare(PSUPDRVLDRIMAGE pImage, const uint8_t *pbImageBits, uint32_t uRva, uint32_t cb)
1583	{
1584	int iDiff = memcmp((uint8_t const *)pImage->pvImage + uRva, pbImageBits + uRva, cb);
1585	if (iDiff)
1586	{
1587	uint32_t cbLeft = cb;
1588	const uint8_t pbNativeBits = (const uint8_t )pImage->pvImage;
1589	for (size_t off = uRva; cbLeft > 0; off++, cbLeft--)
1590	if (pbNativeBits[off] != pbImageBits[off])
1591	{
1592	char szBytes[128];
1593	RTStrPrintf(szBytes, sizeof(szBytes), "native: %.Rhxs our: %.Rhxs",
1594	RT_MIN(12, cbLeft), &pbNativeBits[off],
1595	RT_MIN(12, cbLeft), &pbImageBits[off]);
1596	SUPR0Printf("VBoxDrv: Mismatch at %#x of %s: %s\n", off, pImage->szName, szBytes);
1597	break;
1598	}
1599	}
1600	return iDiff;
1601	}
1602
1603	int VBOXCALL supdrvOSLdrLoad(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, const uint8_t *pbImageBits, PSUPLDRLOAD pReq)
1604	{
1605	NOREF(pDevExt); NOREF(pReq);
1606	if (pImage->pvNtSectionObj)
1607	{
1608	/*
1609	* Usually, the entire image matches exactly.
1610	*/
1611	if (!memcmp(pImage->pvImage, pbImageBits, pImage->cbImageBits))
1612	return VINF_SUCCESS;
1613
1614	/*
1615	* However, on Windows Server 2003 (sp2 x86) both import thunk tables
1616	* are fixed up and we typically get a mismatch in the INIT section.
1617	*
1618	* So, lets see if everything matches when excluding the
1619	* OriginalFirstThunk tables. To make life simpler, set the max number
1620	* of imports to 16 and just record and sort the locations that needs
1621	* to be excluded from the comparison.
1622	*/
1623	IMAGE_NT_HEADERS const *pNtHdrs;
1624	pNtHdrs = (IMAGE_NT_HEADERS const *)(pbImageBits
1625	+ ( (uint16_t )pbImageBits == IMAGE_DOS_SIGNATURE
1626	? ((IMAGE_DOS_HEADER const *)pbImageBits)->e_lfanew
1627	: 0));
1628	if ( pNtHdrs->Signature == IMAGE_NT_SIGNATURE
1629	&& pNtHdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR_MAGIC
1630	&& pNtHdrs->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT
1631	&& pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size >= sizeof(IMAGE_IMPORT_DESCRIPTOR)
1632	&& pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress > sizeof(IMAGE_NT_HEADERS)
1633	&& pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress < pImage->cbImageBits
1634	)
1635	{
1636	struct MyRegion
1637	{
1638	uint32_t uRva;
1639	uint32_t cb;
1640	} aExcludeRgns[16];
1641	unsigned cExcludeRgns = 0;
1642	uint32_t cImpsLeft = pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size
1643	/ sizeof(IMAGE_IMPORT_DESCRIPTOR);
1644	IMAGE_IMPORT_DESCRIPTOR const *pImp;
1645	pImp = (IMAGE_IMPORT_DESCRIPTOR const *)(pbImageBits
1646	+ pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
1647	while ( cImpsLeft-- > 0
1648	&& cExcludeRgns < RT_ELEMENTS(aExcludeRgns))
1649	{
1650	uint32_t uRvaThunk = pImp->OriginalFirstThunk;
1651	if ( uRvaThunk > sizeof(IMAGE_NT_HEADERS)
1652	&& uRvaThunk <= pImage->cbImageBits - sizeof(IMAGE_THUNK_DATA)
1653	&& uRvaThunk != pImp->FirstThunk)
1654	{
1655	/* Find the size of the thunk table. */
1656	IMAGE_THUNK_DATA const paThunk = (IMAGE_THUNK_DATA const )(pbImageBits + uRvaThunk);
1657	uint32_t cMaxThunks = (pImage->cbImageBits - uRvaThunk) / sizeof(IMAGE_THUNK_DATA);
1658	uint32_t cThunks = 0;
1659	while (cThunks < cMaxThunks && paThunk[cThunks].u1.Function != 0)
1660	cThunks++;
1661
1662	/* Ordered table insert. */
1663	unsigned i = 0;
1664	for (; i < cExcludeRgns; i++)
1665	if (uRvaThunk < aExcludeRgns[i].uRva)
1666	break;
1667	if (i != cExcludeRgns)
1668	memmove(&aExcludeRgns[i + 1], &aExcludeRgns[i], (cExcludeRgns - i) * sizeof(aExcludeRgns[0]));
1669	aExcludeRgns[i].uRva = uRvaThunk;
1670	aExcludeRgns[i].cb = cThunks * sizeof(IMAGE_THUNK_DATA);
1671	cExcludeRgns++;
1672	}
1673
1674	/* advance */
1675	pImp++;
1676	}
1677
1678	/*
1679	* Ok, do the comparison.
1680	*/
1681	int iDiff = 0;
1682	uint32_t uRvaNext = 0;
1683	for (unsigned i = 0; !iDiff && i < cExcludeRgns; i++)
1684	{
1685	if (uRvaNext < aExcludeRgns[i].uRva)
1686	iDiff = supdrvNtCompare(pImage, pbImageBits, uRvaNext, aExcludeRgns[i].uRva - uRvaNext);
1687	uRvaNext = aExcludeRgns[i].uRva + aExcludeRgns[i].cb;
1688	}
1689	if (!iDiff && uRvaNext < pImage->cbImageBits)
1690	iDiff = supdrvNtCompare(pImage, pbImageBits, uRvaNext, pImage->cbImageBits - uRvaNext);
1691	if (!iDiff)
1692	return VINF_SUCCESS;
1693	}
1694	else
1695	supdrvNtCompare(pImage, pbImageBits, 0, pImage->cbImageBits);
1696	return VERR_LDR_MISMATCH_NATIVE;
1697	}
1698	return VERR_INTERNAL_ERROR_4;
1699	}
1700
1701
1702	void VBOXCALL supdrvOSLdrUnload(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage)
1703	{
1704	if (pImage->pvNtSectionObj)
1705	{
1706	if (pImage->hMemLock != NIL_RTR0MEMOBJ)
1707	{
1708	RTR0MemObjFree(pImage->hMemLock, false /fFreeMappings/);
1709	pImage->hMemLock = NIL_RTR0MEMOBJ;
1710	}
1711
1712	NTSTATUS rcNt = ZwSetSystemInformation(MY_SystemUnloadGdiDriverInformation,
1713	&pImage->pvNtSectionObj, sizeof(pImage->pvNtSectionObj));
1714	if (rcNt != STATUS_SUCCESS)
1715	SUPR0Printf("VBoxDrv: failed to unload '%s', rcNt=%#x\n", pImage->szName, rcNt);
1716	pImage->pvNtSectionObj = NULL;
1717	}
1718	NOREF(pDevExt);
1719	}
1720
1721
1722	#ifdef SUPDRV_WITH_MSR_PROBER
1723
1724	#if 1
1725	/** @todo make this selectable. */
1726	# define AMD_MSR_PASSCODE 0x9c5a203a
1727	#else
1728	# define ASMRdMsrEx(a, b, c) ASMRdMsr(a)
1729	# define ASMWrMsrEx(a, b, c) ASMWrMsr(a,c)
1730	#endif
1731
1732
1733	/**
1734	* Argument package used by supdrvOSMsrProberRead and supdrvOSMsrProberWrite.
1735	*/
1736	typedef struct SUPDRVNTMSPROBERARGS
1737	{
1738	uint32_t uMsr;
1739	uint64_t uValue;
1740	bool fGp;
1741	} SUPDRVNTMSPROBERARGS;
1742
1743	/** @callback_method_impl{FNRTMPWORKER, Worker for supdrvOSMsrProberRead.} */
1744	static DECLCALLBACK(void) supdrvNtMsProberReadOnCpu(RTCPUID idCpu, void pvUser1, void pvUser2)
1745	{
1746	/*
1747	* rdmsr and wrmsr faults can be caught even with interrupts disabled.
1748	* (At least on 32-bit XP.)
1749	*/
1750	SUPDRVNTMSPROBERARGS pArgs = (SUPDRVNTMSPROBERARGS )pvUser1; NOREF(idCpu); NOREF(pvUser2);
1751	RTCCUINTREG fOldFlags = ASMIntDisableFlags();
1752	__try
1753	{
1754	pArgs->uValue = ASMRdMsrEx(pArgs->uMsr, AMD_MSR_PASSCODE);
1755	pArgs->fGp = false;
1756	}
1757	__except(EXCEPTION_EXECUTE_HANDLER)
1758	{
1759	pArgs->fGp = true;
1760	pArgs->uValue = 0;
1761	}
1762	ASMSetFlags(fOldFlags);
1763	}
1764
1765
1766	int VBOXCALL supdrvOSMsrProberRead(uint32_t uMsr, RTCPUID idCpu, uint64_t *puValue)
1767	{
1768	SUPDRVNTMSPROBERARGS Args;
1769	Args.uMsr = uMsr;
1770	Args.uValue = 0;
1771	Args.fGp = true;
1772
1773	if (idCpu == NIL_RTCPUID)
1774	supdrvNtMsProberReadOnCpu(idCpu, &Args, NULL);
1775	else
1776	{
1777	int rc = RTMpOnSpecific(idCpu, supdrvNtMsProberReadOnCpu, &Args, NULL);
1778	if (RT_FAILURE(rc))
1779	return rc;
1780	}
1781
1782	if (Args.fGp)
1783	return VERR_ACCESS_DENIED;
1784	*puValue = Args.uValue;
1785	return VINF_SUCCESS;
1786	}
1787
1788
1789	/** @callback_method_impl{FNRTMPWORKER, Worker for supdrvOSMsrProberWrite.} */
1790	static DECLCALLBACK(void) supdrvNtMsProberWriteOnCpu(RTCPUID idCpu, void pvUser1, void pvUser2)
1791	{
1792	/*
1793	* rdmsr and wrmsr faults can be caught even with interrupts disabled.
1794	* (At least on 32-bit XP.)
1795	*/
1796	SUPDRVNTMSPROBERARGS pArgs = (SUPDRVNTMSPROBERARGS )pvUser1; NOREF(idCpu); NOREF(pvUser2);
1797	RTCCUINTREG fOldFlags = ASMIntDisableFlags();
1798	__try
1799	{
1800	ASMWrMsrEx(pArgs->uMsr, AMD_MSR_PASSCODE, pArgs->uValue);
1801	pArgs->fGp = false;
1802	}
1803	__except(EXCEPTION_EXECUTE_HANDLER)
1804	{
1805	pArgs->fGp = true;
1806	}
1807	ASMSetFlags(fOldFlags);
1808	}
1809
1810	int VBOXCALL supdrvOSMsrProberWrite(uint32_t uMsr, RTCPUID idCpu, uint64_t uValue)
1811	{
1812	SUPDRVNTMSPROBERARGS Args;
1813	Args.uMsr = uMsr;
1814	Args.uValue = uValue;
1815	Args.fGp = true;
1816
1817	if (idCpu == NIL_RTCPUID)
1818	supdrvNtMsProberReadOnCpu(idCpu, &Args, NULL);
1819	else
1820	{
1821	int rc = RTMpOnSpecific(idCpu, supdrvNtMsProberReadOnCpu, &Args, NULL);
1822	if (RT_FAILURE(rc))
1823	return rc;
1824	}
1825
1826	if (Args.fGp)
1827	return VERR_ACCESS_DENIED;
1828	return VINF_SUCCESS;
1829	}
1830
1831	/** @callback_method_impl{FNRTMPWORKER, Worker for supdrvOSMsrProberModify.} */
1832	static DECLCALLBACK(void) supdrvNtMsProberModifyOnCpu(RTCPUID idCpu, void pvUser1, void pvUser2)
1833	{
1834	PSUPMSRPROBER pReq = (PSUPMSRPROBER)pvUser1;
1835	register uint32_t uMsr = pReq->u.In.uMsr;
1836	bool const fFaster = pReq->u.In.enmOp == SUPMSRPROBEROP_MODIFY_FASTER;
1837	uint64_t uBefore = 0;
1838	uint64_t uWritten = 0;
1839	uint64_t uAfter = 0;
1840	bool fBeforeGp = true;
1841	bool fModifyGp = true;
1842	bool fAfterGp = true;
1843	bool fRestoreGp = true;
1844	RTCCUINTREG fOldFlags;
1845
1846	/*
1847	* Do the job.
1848	*/
1849	fOldFlags = ASMIntDisableFlags();
1850	ASMCompilerBarrier(); /* paranoia */
1851	if (!fFaster)
1852	ASMWriteBackAndInvalidateCaches();
1853
1854	__try
1855	{
1856	uBefore = ASMRdMsrEx(uMsr, AMD_MSR_PASSCODE);
1857	fBeforeGp = false;
1858	}
1859	__except(EXCEPTION_EXECUTE_HANDLER)
1860	{
1861	fBeforeGp = true;
1862	}
1863	if (!fBeforeGp)
1864	{
1865	register uint64_t uRestore = uBefore;
1866
1867	/* Modify. */
1868	uWritten = uRestore;
1869	uWritten &= pReq->u.In.uArgs.Modify.fAndMask;
1870	uWritten \|= pReq->u.In.uArgs.Modify.fOrMask;
1871	__try
1872	{
1873	ASMWrMsrEx(uMsr, AMD_MSR_PASSCODE, uWritten);
1874	fModifyGp = false;
1875	}
1876	__except(EXCEPTION_EXECUTE_HANDLER)
1877	{
1878	fModifyGp = true;
1879	}
1880
1881	/* Read modified value. */
1882	__try
1883	{
1884	uAfter = ASMRdMsrEx(uMsr, AMD_MSR_PASSCODE);
1885	fAfterGp = false;
1886	}
1887	__except(EXCEPTION_EXECUTE_HANDLER)
1888	{
1889	fAfterGp = true;
1890	}
1891
1892	/* Restore original value. */
1893	__try
1894	{
1895	ASMWrMsrEx(uMsr, AMD_MSR_PASSCODE, uRestore);
1896	fRestoreGp = false;
1897	}
1898	__except(EXCEPTION_EXECUTE_HANDLER)
1899	{
1900	fRestoreGp = true;
1901	}
1902
1903	/* Invalid everything we can. */
1904	if (!fFaster)
1905	{
1906	ASMWriteBackAndInvalidateCaches();
1907	ASMReloadCR3();
1908	ASMNopPause();
1909	}
1910	}
1911
1912	ASMCompilerBarrier(); /* paranoia */
1913	ASMSetFlags(fOldFlags);
1914
1915	/*
1916	* Write out the results.
1917	*/
1918	pReq->u.Out.uResults.Modify.uBefore = uBefore;
1919	pReq->u.Out.uResults.Modify.uWritten = uWritten;
1920	pReq->u.Out.uResults.Modify.uAfter = uAfter;
1921	pReq->u.Out.uResults.Modify.fBeforeGp = fBeforeGp;
1922	pReq->u.Out.uResults.Modify.fModifyGp = fModifyGp;
1923	pReq->u.Out.uResults.Modify.fAfterGp = fAfterGp;
1924	pReq->u.Out.uResults.Modify.fRestoreGp = fRestoreGp;
1925	RT_ZERO(pReq->u.Out.uResults.Modify.afReserved);
1926	}
1927
1928
1929	int VBOXCALL supdrvOSMsrProberModify(RTCPUID idCpu, PSUPMSRPROBER pReq)
1930	{
1931	if (idCpu == NIL_RTCPUID)
1932	{
1933	supdrvNtMsProberModifyOnCpu(idCpu, pReq, NULL);
1934	return VINF_SUCCESS;
1935	}
1936	return RTMpOnSpecific(idCpu, supdrvNtMsProberModifyOnCpu, pReq, NULL);
1937	}
1938
1939	#endif /* SUPDRV_WITH_MSR_PROBER */
1940
1941
1942	/**
1943	* Converts an IPRT error code to an nt status code.
1944	*
1945	* @returns corresponding nt status code.
1946	* @param rc IPRT error status code.
1947	*/
1948	static NTSTATUS VBoxDrvNtErr2NtStatus(int rc)
1949	{
1950	switch (rc)
1951	{
1952	case VINF_SUCCESS: return STATUS_SUCCESS;
1953	case VERR_GENERAL_FAILURE: return STATUS_NOT_SUPPORTED;
1954	case VERR_INVALID_PARAMETER: return STATUS_INVALID_PARAMETER;
1955	case VERR_INVALID_MAGIC: return STATUS_UNKNOWN_REVISION;
1956	case VERR_INVALID_HANDLE: return STATUS_INVALID_HANDLE;
1957	case VERR_INVALID_POINTER: return STATUS_INVALID_ADDRESS;
1958	case VERR_LOCK_FAILED: return STATUS_NOT_LOCKED;
1959	case VERR_ALREADY_LOADED: return STATUS_IMAGE_ALREADY_LOADED;
1960	case VERR_PERMISSION_DENIED: return STATUS_ACCESS_DENIED;
1961	case VERR_VERSION_MISMATCH: return STATUS_REVISION_MISMATCH;
1962	}
1963
1964	if (rc < 0)
1965	{
1966	if (((uint32_t)rc & UINT32_C(0xffff0000)) == UINT32_C(0xffff0000))
1967	return (NTSTATUS)( ((uint32_t)rc & UINT32_C(0xffff)) \| SUP_NT_STATUS_BASE );
1968	}
1969	return STATUS_UNSUCCESSFUL;
1970	}
1971
1972
1973	#if 0 /* See alternative in SUPDrvA-win.asm */
1974	/**
1975	* Alternative version of SUPR0Printf for Windows.
1976	*
1977	* @returns 0.
1978	* @param pszFormat The format string.
1979	*/
1980	SUPR0DECL(int) SUPR0Printf(const char *pszFormat, ...)
1981	{
1982	va_list va;
1983	char szMsg[512];
1984
1985	va_start(va, pszFormat);
1986	size_t cch = RTStrPrintfV(szMsg, sizeof(szMsg) - 1, pszFormat, va);
1987	szMsg[sizeof(szMsg) - 1] = '\0';
1988	va_end(va);
1989
1990	RTLogWriteDebugger(szMsg, cch);
1991	return 0;
1992	}
1993	#endif
1994
1995
1996	/**
1997	* Returns configuration flags of the host kernel.
1998	*/
1999	SUPR0DECL(uint32_t) SUPR0GetKernelFeatures(void)
2000	{
2001	return 0;
2002	}
2003
2004
2005	#ifdef VBOX_WITH_HARDENING
2006
2007	/** @name Identifying Special Processes: CSRSS.EXE
2008	* @{ */
2009
2010
2011	/**
2012	* Checks if the process is a system32 process by the given name.
2013	*
2014	* @returns true / false.
2015	* @param pProcess The process to check.
2016	* @param pszName The lower case process name (no path!).
2017	*/
2018	static bool supdrvNtProtectIsSystem32ProcessMatch(PEPROCESS pProcess, const char *pszName)
2019	{
2020	Assert(strlen(pszName) < 16); /* see buffer below */
2021
2022	/*
2023	* This test works on XP+.
2024	*/
2025	const char pszImageFile = (const char )PsGetProcessImageFileName(pProcess);
2026	if (!pszImageFile)
2027	return false;
2028
2029	if (RTStrICmp(pszImageFile, pszName) != 0)
2030	return false;
2031
2032	/*
2033	* This test requires a Vista+ API.
2034	*/
2035	if (g_pfnPsReferenceProcessFilePointer)
2036	{
2037	PFILE_OBJECT pFile = NULL;
2038	NTSTATUS rcNt = g_pfnPsReferenceProcessFilePointer(pProcess, &pFile);
2039	if (!NT_SUCCESS(rcNt))
2040	return false;
2041
2042	union
2043	{
2044	OBJECT_NAME_INFORMATION Info;
2045	uint8_t abBuffer[sizeof(g_System32NtPath) + 16 * sizeof(WCHAR)];
2046	} Buf;
2047	ULONG cbIgn;
2048	rcNt = ObQueryNameString(pFile, &Buf.Info, sizeof(Buf) - sizeof(WCHAR), &cbIgn);
2049	ObDereferenceObject(pFile);
2050	if (!NT_SUCCESS(rcNt))
2051	return false;
2052
2053	/* Terminate the name. */
2054	PRTUTF16 pwszName = Buf.Info.Name.Buffer;
2055	pwszName[Buf.Info.Name.Length / sizeof(RTUTF16)] = '\0';
2056
2057	/* Match the name against the system32 directory path. */
2058	uint32_t cbSystem32 = g_System32NtPath.UniStr.Length;
2059	if (Buf.Info.Name.Length < cbSystem32)
2060	return false;
2061	if (memcmp(pwszName, g_System32NtPath.UniStr.Buffer, cbSystem32))
2062	return false;
2063	pwszName += cbSystem32 / sizeof(RTUTF16);
2064	if (*pwszName++ != '\\')
2065	return false;
2066
2067	/* Compare the name. */
2068	const char *pszRight = pszName;
2069	for (;;)
2070	{
2071	WCHAR wchLeft = *pwszName++;
2072	char chRight = *pszRight++;
2073	Assert(chRight == RT_C_TO_LOWER(chRight));
2074
2075	if ( wchLeft != chRight
2076	&& RT_C_TO_LOWER(wchLeft) != chRight)
2077	return false;
2078	if (!chRight)
2079	break;
2080	}
2081	}
2082
2083	return true;
2084	}
2085
2086
2087	/**
2088	* Checks if the current process is likely to be CSRSS.
2089	*
2090	* @returns true/false.
2091	* @param pProcess The process.
2092	*/
2093	static bool supdrvNtProtectIsCsrssByProcess(PEPROCESS pProcess)
2094	{
2095	/*
2096	* On Windows 8.1 CSRSS.EXE is a protected process.
2097	*/
2098	if (g_pfnPsIsProtectedProcessLight)
2099	{
2100	if (!g_pfnPsIsProtectedProcessLight(pProcess))
2101	return false;
2102	}
2103
2104	/*
2105	* The name tests.
2106	*/
2107	if (!supdrvNtProtectIsSystem32ProcessMatch(pProcess, "csrss.exe"))
2108	return false;
2109
2110	/** @todo Could extend the CSRSS.EXE check with that the TokenUser of the
2111	* current process must be "NT AUTHORITY\SYSTEM" (S-1-5-18). */
2112
2113	return true;
2114	}
2115
2116
2117	/**
2118	* Called in the context of VBoxDrvNtCreate to determin the CSRSS for the
2119	* current process.
2120	*
2121	* The Client/Server Runtime Subsystem (CSRSS) process needs to be allowed some
2122	* additional access right so we need to make 101% sure we correctly identify
2123	* the CSRSS process a process is associated with.
2124	*
2125	* @returns IPRT status code.
2126	* @param pNtProtect The NT protected process structure. The
2127	* hCsrssPid member will be updated on success.
2128	*/
2129	static int supdrvNtProtectFindAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect)
2130	{
2131	Assert(pNtProtect->AvlCore.Key == PsGetCurrentProcessId());
2132	Assert(pNtProtect->pCsrssProcess == NULL);
2133	Assert(pNtProtect->hCsrssPid == NULL);
2134
2135	/*
2136	* We'll try use the ApiPort LPC object for the session we're in to track
2137	* down the CSRSS process. So, we start by constructing a path to it.
2138	*/
2139	int rc;
2140	uint32_t uSessionId = PsGetProcessSessionId(PsGetCurrentProcess());
2141	WCHAR wszApiPort[48];
2142	if (uSessionId == 0)
2143	rc = RTUtf16CopyAscii(wszApiPort, RT_ELEMENTS(wszApiPort), "\\Windows\\ApiPort");
2144	else
2145	{
2146	char szTmp[64];
2147	ssize_t cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), uSessionId, 10, 0, 0, 0);
2148	AssertReturn(cchTmp > 0, (int)cchTmp);
2149	rc = RTUtf16CopyAscii(wszApiPort, RT_ELEMENTS(wszApiPort), "\\Sessions\\");
2150	if (RT_SUCCESS(rc))
2151	rc = RTUtf16CatAscii(wszApiPort, RT_ELEMENTS(wszApiPort), szTmp);
2152	if (RT_SUCCESS(rc))
2153	rc = RTUtf16CatAscii(wszApiPort, RT_ELEMENTS(wszApiPort), "\\Windows\\ApiPort");
2154	}
2155	AssertRCReturn(rc, rc);
2156
2157	UNICODE_STRING ApiPortStr;
2158	ApiPortStr.Buffer = wszApiPort;
2159	ApiPortStr.Length = (USHORT)(RTUtf16Len(wszApiPort) * sizeof(RTUTF16));
2160	ApiPortStr.MaximumLength = ApiPortStr.Length + sizeof(RTUTF16);
2161
2162	/*
2163	* The object cannot be opened, but we can reference it by name.
2164	*/
2165	void *pvApiPortObj = NULL;
2166	NTSTATUS rcNt = ObReferenceObjectByName(&ApiPortStr,
2167	0,
2168	NULL /pAccessState/,
2169	STANDARD_RIGHTS_READ,
2170	*LpcPortObjectType,
2171	KernelMode,
2172	NULL /pvParseContext/,
2173	&pvApiPortObj);
2174	if (!NT_SUCCESS(rcNt))
2175	{
2176	SUPR0Printf("vboxdrv: Error opening '%ls': %#x\n", wszApiPort, rcNt);
2177	return VERR_SUPDRV_APIPORT_OPEN_ERROR;
2178	}
2179
2180	/*
2181	* Query the processes in the system so we can locate CSRSS.EXE candidates.
2182	* Note! Attempts at using SystemSessionProcessInformation failed with
2183	* STATUS_ACCESS_VIOLATION.
2184	* Note! The 32 bytes on the size of to counteract the allocation header
2185	* that rtR0MemAllocEx slaps on everything.
2186	*/
2187	ULONG cbNeeded = _64K - 32;
2188	uint32_t cbBuf;
2189	uint8_t *pbBuf = NULL;
2190	do
2191	{
2192	cbBuf = RT_ALIGN(cbNeeded + _4K, _64K) - 32;
2193	pbBuf = (uint8_t *)RTMemAlloc(cbBuf);
2194	if (!pbBuf)
2195	break;
2196
2197	cbNeeded = 0;
2198	#if 0 /* doesn't work. */
2199	SYSTEM_SESSION_PROCESS_INFORMATION Req;
2200	Req.SessionId = uSessionId;
2201	Req.BufferLength = cbBuf;
2202	Req.Buffer = pbBuf;
2203	rcNt = NtQuerySystemInformation(SystemSessionProcessInformation, &Req, sizeof(Req), &cbNeeded);
2204	#else
2205	rcNt = NtQuerySystemInformation(SystemProcessInformation, pbBuf, cbBuf, &cbNeeded);
2206	#endif
2207	if (NT_SUCCESS(rcNt))
2208	break;
2209
2210	RTMemFree(pbBuf);
2211	pbBuf = NULL;
2212	} while ( rcNt == STATUS_INFO_LENGTH_MISMATCH
2213	&& cbNeeded > cbBuf
2214	&& cbNeeded < 32U*_1M);
2215
2216	if ( pbBuf
2217	&& NT_SUCCESS(rcNt)
2218	&& cbNeeded >= sizeof(SYSTEM_PROCESS_INFORMATION))
2219	{
2220	/*
2221	* Walk the returned data and look for the process associated with the
2222	* ApiPort object. The ApiPort object keeps the EPROCESS address of
2223	* the owner process (i.e. CSRSS) relatively early in the structure. On
2224	* 64-bit windows 8.1 it's at offset 0x18. So, obtain the EPROCESS
2225	* pointer to likely CSRSS processes and check for a match in the first
2226	* 0x40 bytes of the ApiPort object.
2227	*/
2228	rc = VERR_SUPDRV_CSRSS_NOT_FOUND;
2229	for (uint32_t offBuf = 0; offBuf <= cbNeeded - sizeof(SYSTEM_PROCESS_INFORMATION);)
2230	{
2231	PRTNT_SYSTEM_PROCESS_INFORMATION pProcInfo = (PRTNT_SYSTEM_PROCESS_INFORMATION)&pbBuf[offBuf];
2232	if ( pProcInfo->ProcessName.Length == 9 * sizeof(WCHAR)
2233	&& pProcInfo->NumberOfThreads > 2 /* Very low guess. */
2234	&& pProcInfo->HandleCount > 32 /* Very low guess, I hope. */
2235	&& (uintptr_t)pProcInfo->ProcessName.Buffer - (uintptr_t)pbBuf < cbNeeded
2236	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[0]) == 'c'
2237	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[1]) == 's'
2238	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[2]) == 'r'
2239	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[3]) == 's'
2240	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[4]) == 's'
2241	&& pProcInfo->ProcessName.Buffer[5] == '.'
2242	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[6]) == 'e'
2243	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[7]) == 'x'
2244	&& RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[8]) == 'e' )
2245	{
2246
2247	/* Get the process structure and perform some more thorough
2248	process checks. */
2249	PEPROCESS pProcess;
2250	rcNt = PsLookupProcessByProcessId(pProcInfo->UniqueProcessId, &pProcess);
2251	if (NT_SUCCESS(rcNt))
2252	{
2253	if (supdrvNtProtectIsCsrssByProcess(pProcess))
2254	{
2255	if (PsGetProcessSessionId(pProcess) == uSessionId)
2256	{
2257	/* Final test, check the ApiPort.
2258	Note! The old LPC (pre Vista) objects has the PID
2259	much earlier in the structure. Might be
2260	worth looking for it instead. */
2261	bool fThatsIt = false;
2262	__try
2263	{
2264	PEPROCESS ppPortProc = (PEPROCESS )pvApiPortObj;
2265	uint32_t cTests = g_uNtVerCombined >= SUP_NT_VER_VISTA ? 16 : 38; /* ALPC since Vista. */
2266	do
2267	{
2268	fThatsIt = *ppPortProc == pProcess;
2269	ppPortProc++;
2270	} while (!fThatsIt && --cTests > 0);
2271	}
2272	__except(EXCEPTION_EXECUTE_HANDLER)
2273	{
2274	fThatsIt = false;
2275	}
2276	if (fThatsIt)
2277	{
2278	/* Ok, we found it! Keep the process structure
2279	reference as well as the PID so we can
2280	safely identify it later on. */
2281	pNtProtect->hCsrssPid = pProcInfo->UniqueProcessId;
2282	pNtProtect->pCsrssProcess = pProcess;
2283	rc = VINF_SUCCESS;
2284	break;
2285	}
2286	}
2287	}
2288
2289	ObDereferenceObject(pProcess);
2290	}
2291	}
2292
2293	/* Advance. */
2294	if (!pProcInfo->NextEntryOffset)
2295	break;
2296	offBuf += pProcInfo->NextEntryOffset;
2297	}
2298	}
2299	else
2300	rc = VERR_SUPDRV_SESSION_PROCESS_ENUM_ERROR;
2301	RTMemFree(pbBuf);
2302	ObDereferenceObject(pvApiPortObj);
2303	return rc;
2304	}
2305
2306
2307	/**
2308	* Checks that the given process is the CSRSS process associated with protected
2309	* process.
2310	*
2311	* @returns true / false.
2312	* @param pNtProtect The NT protection structure.
2313	* @param pCsrss The process structure of the alleged CSRSS.EXE
2314	* process.
2315	*/
2316	static bool supdrvNtProtectIsAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect, PEPROCESS pCsrss)
2317	{
2318	if (pNtProtect->pCsrssProcess == pCsrss)
2319	{
2320	if (pNtProtect->hCsrssPid == PsGetProcessId(pCsrss))
2321	{
2322	return true;
2323	}
2324	}
2325	return false;
2326	}
2327
2328
2329	/**
2330	* Checks if the given process is the stupid themes service.
2331	*
2332	* The caller does some screening of access masks and what not. We do the rest.
2333	*
2334	* @returns true / false.
2335	* @param pNtProtect The NT protection structure.
2336	* @param pAnnoyingProcess The process structure of an process that might
2337	* happen to be the annoying themes process.
2338	*/
2339	static bool supdrvNtProtectIsFrigginThemesService(PSUPDRVNTPROTECT pNtProtect, PEPROCESS pAnnoyingProcess)
2340	{
2341	/*
2342	* Check the process name.
2343	*/
2344	if (!supdrvNtProtectIsSystem32ProcessMatch(pAnnoyingProcess, "svchost.exe"))
2345	return false;
2346
2347	/** @todo Come up with more checks. */
2348
2349	return true;
2350	}
2351
2352
2353	/** @} */
2354
2355
2356	/** @name Process Creation Callbacks.
2357	* @{ */
2358
2359	/**
2360	* Common worker used by the process creation hooks as well as the process
2361	* handle creation hooks to check if a VM process is being created.
2362	*
2363	* @returns true if likely to be a VM process, false if not.
2364	* @param pNtStub The NT protection structure for the possible
2365	* stub process.
2366	* @param hParentPid The parent pid.
2367	* @param hChildPid The child pid.
2368	*/
2369	static bool supdrvNtProtectIsSpawningStubProcess(PSUPDRVNTPROTECT pNtStub, HANDLE hParentPid, HANDLE hChildPid)
2370	{
2371	bool fRc = false;
2372	if (pNtStub->AvlCore.Key == hParentPid) /* paranoia */
2373	{
2374	if (pNtStub->enmProcessKind == kSupDrvNtProtectKind_StubSpawning)
2375	{
2376	/* Compare short names. */
2377	PEPROCESS pStubProcess;
2378	NTSTATUS rcNt = PsLookupProcessByProcessId(hParentPid, &pStubProcess);
2379	if (NT_SUCCESS(rcNt))
2380	{
2381	PEPROCESS pChildProcess;
2382	rcNt = PsLookupProcessByProcessId(hChildPid, &pChildProcess);
2383	if (NT_SUCCESS(rcNt))
2384	{
2385	const char pszStub = (const char )PsGetProcessImageFileName(pStubProcess);
2386	const char pszChild = (const char )PsGetProcessImageFileName(pChildProcess);
2387	fRc = pszStub != NULL
2388	&& pszChild != NULL
2389	&& strcmp(pszStub, pszChild) == 0;
2390
2391	/** @todo check that the full image names matches. */
2392
2393	ObDereferenceObject(pChildProcess);
2394	}
2395	ObDereferenceObject(pStubProcess);
2396	}
2397	}
2398	}
2399	return fRc;
2400	}
2401
2402
2403	/**
2404	* Common code used by the notifies to protect a child process.
2405	*
2406	* @returns VBox status code.
2407	* @param pNtStub The NT protect structure for the parent.
2408	* @param hChildPid The child pid.
2409	*/
2410	static int supdrvNtProtectProtectNewStubChild(PSUPDRVNTPROTECT pNtParent, HANDLE hChildPid)
2411	{
2412	/*
2413	* Create a child protection struction.
2414	*/
2415	PSUPDRVNTPROTECT pNtChild;
2416	int rc = supdrvNtProtectCreate(&pNtChild, hChildPid, kSupDrvNtProtectKind_VmProcessUnconfirmed, false /fLink/);
2417	if (RT_SUCCESS(rc))
2418	{
2419	pNtChild->fFirstProcessCreateHandle = true;
2420	pNtChild->fFirstThreadCreateHandle = true;
2421	pNtChild->fCsrssFirstProcessCreateHandle = true;
2422	pNtChild->fCsrssFirstProcessDuplicateHandle = true;
2423	pNtChild->fThemesFirstProcessCreateHandle = true;
2424	pNtChild->hParentPid = pNtParent->AvlCore.Key;
2425	pNtChild->hCsrssPid = pNtParent->hCsrssPid;
2426	pNtChild->pCsrssProcess = pNtParent->pCsrssProcess;
2427	if (pNtChild->pCsrssProcess)
2428	ObReferenceObject(pNtChild->pCsrssProcess);
2429
2430	/*
2431	* Take the spinlock, recheck parent conditions and link things.
2432	*/
2433	RTSpinlockAcquire(g_hNtProtectLock);
2434	if (pNtParent->enmProcessKind == kSupDrvNtProtectKind_StubSpawning)
2435	{
2436	bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtChild->AvlCore);
2437	if (fSuccess)
2438	{
2439	pNtParent->u.pChild = pNtChild; /* Parent keeps the initial reference. */
2440	pNtParent->enmProcessKind = kSupDrvNtProtectKind_StubParent;
2441	pNtChild->u.pParent = pNtParent;
2442
2443	RTSpinlockRelease(g_hNtProtectLock);
2444	return VINF_SUCCESS;
2445	}
2446
2447	rc = VERR_INTERNAL_ERROR_2;
2448	}
2449	else
2450	rc = VERR_WRONG_ORDER;
2451	RTSpinlockRelease(g_hNtProtectLock);
2452
2453	supdrvNtProtectRelease(pNtChild);
2454	}
2455	return rc;
2456	}
2457
2458
2459	/**
2460	* Common process termination code.
2461	*
2462	* Transitions protected process to the dead states, protecting against handle
2463	* PID reuse (esp. with unconfirmed VM processes) and handle cleanup issues.
2464	*
2465	* @param hDeadPid The PID of the dead process.
2466	*/
2467	static void supdrvNtProtectUnprotectDeadProcess(HANDLE hDeadPid)
2468	{
2469	PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(hDeadPid);
2470	if (pNtProtect)
2471	{
2472	PSUPDRVNTPROTECT pNtChild = NULL;
2473
2474	RTSpinlockAcquire(g_hNtProtectLock);
2475
2476	/*
2477	* If this is an unconfirmed VM process, we must release the reference
2478	* the parent structure holds.
2479	*/
2480	if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
2481	{
2482	PSUPDRVNTPROTECT pNtParent = pNtProtect->u.pParent;
2483	AssertRelease(pNtParent); AssertRelease(pNtParent->u.pChild == pNtProtect);
2484	pNtParent->u.pChild = NULL;
2485	pNtProtect->u.pParent = NULL;
2486	pNtChild = pNtProtect;
2487	}
2488	/*
2489	* If this is a stub exitting before the VM process gets confirmed,
2490	* release the protection of the potential VM process as this is not
2491	* the prescribed behavior.
2492	*/
2493	else if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent
2494	&& pNtProtect->u.pChild)
2495	{
2496	pNtChild = pNtProtect->u.pChild;
2497	pNtProtect->u.pChild = NULL;
2498	pNtChild->u.pParent = NULL;
2499	pNtChild->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
2500	}
2501
2502	/*
2503	* Transition it to the dead state to prevent it from opening the
2504	* support driver again or be posthumously abused as a vm process parent.
2505	*/
2506	if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
2507	\|\| pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessConfirmed)
2508	pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
2509	else if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent
2510	\|\| pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubSpawning
2511	\|\| pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
2512	pNtProtect->enmProcessKind = kSupDrvNtProtectKind_StubDead;
2513
2514	RTSpinlockRelease(g_hNtProtectLock);
2515
2516	supdrvNtProtectRelease(pNtProtect);
2517	supdrvNtProtectRelease(pNtChild);
2518
2519	/*
2520	* Do session cleanups.
2521	*/
2522	AssertReturnVoid((HANDLE)(uintptr_t)RTProcSelf() == hDeadPid);
2523	if (g_pDevObjSys)
2524	{
2525	PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
2526	PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, (RTPROCESS)(uintptr_t)hDeadPid,
2527	RTR0ProcHandleSelf(), NULL);
2528	if (pSession)
2529	{
2530	supdrvSessionHashTabRemove(pDevExt, pSession, NULL);
2531	supdrvSessionRelease(pSession); /* Drops the reference from supdrvSessionHashTabLookup. */
2532	}
2533	}
2534	}
2535	}
2536
2537
2538	/**
2539	* Common worker for the process creation callback that verifies a new child
2540	* being created by the handle creation callback code.
2541	*
2542	* @param pNtStub The parent.
2543	* @param pNtVm The child.
2544	* @param fCallerChecks The result of any additional tests the caller made.
2545	* This is in order to avoid duplicating the failure
2546	* path code.
2547	*/
2548	static void supdrvNtProtectVerifyNewChildProtection(PSUPDRVNTPROTECT pNtStub, PSUPDRVNTPROTECT pNtVm, bool fCallerChecks)
2549	{
2550	if ( fCallerChecks
2551	&& pNtStub->enmProcessKind == kSupDrvNtProtectKind_StubParent
2552	&& pNtVm->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
2553	&& pNtVm->u.pParent == pNtStub
2554	&& pNtStub->u.pChild == pNtVm)
2555	{
2556	/* Fine, nothing to do. */
2557	return;
2558	}
2559
2560	LogRel(("vboxdrv: Misdetected vm stub; hParentPid=%p hChildPid=%p\n", pNtStub->AvlCore.Key, pNtVm->AvlCore.Key));
2561	if (pNtStub->enmProcessKind != kSupDrvNtProtectKind_VmProcessConfirmed)
2562	supdrvNtProtectUnprotectDeadProcess(pNtVm->AvlCore.Key);
2563	}
2564
2565
2566	/**
2567	* Old style callback (since forever).
2568	*
2569	* @param hParentPid The parent PID.
2570	* @param hNewPid The PID of the new child.
2571	* @param fCreated TRUE if it's a creation notification,
2572	* FALSE if termination.
2573	* @remarks ASSUMES this arrives before the handle creation callback.
2574	*/
2575	static VOID __stdcall
2576	supdrvNtProtectCallback_ProcessCreateNotify(HANDLE hParentPid, HANDLE hNewPid, BOOLEAN fCreated)
2577	{
2578	/*
2579	* Is it a new process that needs protection?
2580	*/
2581	if (fCreated)
2582	{
2583	PSUPDRVNTPROTECT pNtStub = supdrvNtProtectLookup(hParentPid);
2584	if (pNtStub)
2585	{
2586	PSUPDRVNTPROTECT pNtVm = supdrvNtProtectLookup(hNewPid);
2587	if (!pNtVm)
2588	{
2589	if (supdrvNtProtectIsSpawningStubProcess(pNtStub, hParentPid, hNewPid))
2590	supdrvNtProtectProtectNewStubChild(pNtStub, hNewPid);
2591	}
2592	else
2593	{
2594	supdrvNtProtectVerifyNewChildProtection(pNtStub, pNtVm, true);
2595	supdrvNtProtectRelease(pNtVm);
2596	}
2597	supdrvNtProtectRelease(pNtStub);
2598	}
2599	}
2600	/*
2601	* Process termination, do clean ups.
2602	*/
2603	else
2604	supdrvNtProtectUnprotectDeadProcess(hNewPid);
2605	}
2606
2607
2608	/**
2609	* New style callback (Vista SP1+ / w2k8).
2610	*
2611	* @param pNewProcess The new process.
2612	* @param hNewPid The PID of the new process.
2613	* @param pInfo Process creation details. NULL if process
2614	* termination notification.
2615	* @remarks ASSUMES this arrives before the handle creation callback.
2616	*/
2617	static VOID __stdcall
2618	supdrvNtProtectCallback_ProcessCreateNotifyEx(PEPROCESS pNewProcess, HANDLE hNewPid, PPS_CREATE_NOTIFY_INFO pInfo)
2619	{
2620	/*
2621	* Is it a new process that needs protection?
2622	*/
2623	if (pInfo)
2624	{
2625	PSUPDRVNTPROTECT pNtStub = supdrvNtProtectLookup(pInfo->CreatingThreadId.UniqueProcess);
2626
2627	Log(("vboxdrv/NewProcessEx: ctx=%04zx/%p pid=%04zx ppid=%04zx ctor=%04zx/%04zx rcNt=%#x %.*ls\n",
2628	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
2629	hNewPid, pInfo->ParentProcessId,
2630	pInfo->CreatingThreadId.UniqueProcess, pInfo->CreatingThreadId.UniqueThread, pInfo->CreationStatus,
2631	pInfo->FileOpenNameAvailable && pInfo->ImageFileName ? (size_t)pInfo->ImageFileName->Length / 2 : 0,
2632	pInfo->FileOpenNameAvailable && pInfo->ImageFileName ? pInfo->ImageFileName->Buffer : NULL));
2633
2634	if (pNtStub)
2635	{
2636	PSUPDRVNTPROTECT pNtVm = supdrvNtProtectLookup(hNewPid);
2637	if (!pNtVm)
2638	{
2639	/* Parent must be creator. */
2640	if (pInfo->CreatingThreadId.UniqueProcess == pInfo->ParentProcessId)
2641	{
2642	if (supdrvNtProtectIsSpawningStubProcess(pNtStub, pInfo->ParentProcessId, hNewPid))
2643	supdrvNtProtectProtectNewStubChild(pNtStub, hNewPid);
2644	}
2645	}
2646	else
2647	{
2648	/* Parent must be creator (as above). */
2649	supdrvNtProtectVerifyNewChildProtection(pNtStub, pNtVm,
2650	pInfo->CreatingThreadId.UniqueProcess == pInfo->ParentProcessId);
2651	supdrvNtProtectRelease(pNtVm);
2652	}
2653	supdrvNtProtectRelease(pNtStub);
2654	}
2655	}
2656	/*
2657	* Process termination, do clean ups.
2658	*/
2659	else
2660	supdrvNtProtectUnprotectDeadProcess(hNewPid);
2661	}
2662
2663	/** @} */
2664
2665
2666	/** @name Process Handle Callbacks.
2667	* @{ */
2668
2669	/** Process rights that we allow for handles to stub and VM processes. */
2670	# define SUPDRV_NT_ALLOW_PROCESS_RIGHTS \
2671	( PROCESS_TERMINATE \
2672	\| PROCESS_VM_READ \
2673	\| PROCESS_QUERY_INFORMATION \
2674	\| PROCESS_QUERY_LIMITED_INFORMATION \
2675	\| PROCESS_SUSPEND_RESUME \
2676	\| DELETE \
2677	\| READ_CONTROL \
2678	\| SYNCHRONIZE)
2679
2680	/** Evil process rights. */
2681	# define SUPDRV_NT_EVIL_PROCESS_RIGHTS \
2682	( PROCESS_CREATE_THREAD \
2683	\| PROCESS_SET_SESSIONID /?/ \
2684	\| PROCESS_VM_OPERATION \
2685	\| PROCESS_VM_WRITE \
2686	\| PROCESS_DUP_HANDLE \
2687	\| PROCESS_CREATE_PROCESS /?/ \
2688	\| PROCESS_SET_QUOTA /?/ \
2689	\| PROCESS_SET_INFORMATION \
2690	\| PROCESS_SET_LIMITED_INFORMATION /?/ \
2691	\| 0)
2692	AssertCompile((SUPDRV_NT_ALLOW_PROCESS_RIGHTS & SUPDRV_NT_EVIL_PROCESS_RIGHTS) == 0);
2693
2694
2695	static OB_PREOP_CALLBACK_STATUS __stdcall
2696	supdrvNtProtectCallback_ProcessHandlePre(PVOID pvUser, POB_PRE_OPERATION_INFORMATION pOpInfo)
2697	{
2698	Assert(pvUser == NULL);
2699	Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE \|\| pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
2700	Assert(pOpInfo->ObjectType == *PsProcessType);
2701
2702	/*
2703	* Protected? Kludge required for NtOpenProcess calls comming in before
2704	* the create process hook triggers on Windows 8.1 (possibly others too).
2705	*/
2706	HANDLE hObjPid = PsGetProcessId((PEPROCESS)pOpInfo->Object);
2707	PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(hObjPid);
2708	if (!pNtProtect)
2709	{
2710	HANDLE hParentPid = PsGetProcessInheritedFromUniqueProcessId((PEPROCESS)pOpInfo->Object);
2711	PSUPDRVNTPROTECT pNtStub = supdrvNtProtectLookup(hParentPid);
2712	if (pNtStub)
2713	{
2714	if (supdrvNtProtectIsSpawningStubProcess(pNtStub, hParentPid, hObjPid))
2715	{
2716	supdrvNtProtectProtectNewStubChild(pNtStub, hObjPid);
2717	pNtProtect = supdrvNtProtectLookup(hObjPid);
2718	}
2719	supdrvNtProtectRelease(pNtStub);
2720	}
2721	}
2722	pOpInfo->CallContext = pNtProtect; /* Just for reference. */
2723	if (pNtProtect)
2724	{
2725	/*
2726	* Ok, it's a protected process. Strip rights as required or possible.
2727	*/
2728	static ACCESS_MASK const s_fCsrssStupidDesires = 0x1fffff;
2729	ACCESS_MASK fAllowedRights = SUPDRV_NT_ALLOW_PROCESS_RIGHTS;
2730
2731	if (pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE)
2732	{
2733	/* Don't restrict the process accessing itself. */
2734	if ((PEPROCESS)pOpInfo->Object == PsGetCurrentProcess())
2735	{
2736	pOpInfo->CallContext = NULL; /* don't assert */
2737	pNtProtect->fFirstProcessCreateHandle = false;
2738
2739	Log(("vboxdrv/ProcessHandlePre: ctx=%04zx/%p wants %#x to %p in pid=%04zx [%d] %s\n",
2740	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
2741	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
2742	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
2743	PsGetProcessImageFileName(PsGetCurrentProcess()) ));
2744	}
2745	else
2746	{
2747	/* Special case 1 on Vista, 7 & 8:
2748	The CreateProcess code passes the handle over to CSRSS.EXE
2749	and the code inBaseSrvCreateProcess will duplicate the
2750	handle with 0x1fffff as access mask. NtDuplicateObject will
2751	fail this call before it ever gets down here.
2752
2753	Special case 2 on 8.1:
2754	The CreateProcess code requires additional rights for
2755	something, we'll drop these in the stub code. */
2756	if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
2757	&& pNtProtect->fFirstProcessCreateHandle
2758	&& pOpInfo->KernelHandle == 0
2759	&& pNtProtect->hParentPid == PsGetProcessId(PsGetCurrentProcess()))
2760	{
2761	if ( !pOpInfo->KernelHandle
2762	&& pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
2763	{
2764	if (g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3))
2765	fAllowedRights \|= s_fCsrssStupidDesires;
2766	else
2767	fAllowedRights = fAllowedRights
2768	\| PROCESS_VM_OPERATION
2769	\| PROCESS_VM_WRITE
2770	\| PROCESS_SET_INFORMATION
2771	\| PROCESS_SET_LIMITED_INFORMATION
2772	\| 0;
2773	pOpInfo->CallContext = NULL; /* don't assert this. */
2774	}
2775	pNtProtect->fFirstProcessCreateHandle = false;
2776	}
2777
2778	/* Special case 3 on 8.1:
2779	The interaction between the CreateProcess code and CSRSS.EXE
2780	has changed to the better with Windows 8.1. CSRSS.EXE no
2781	longer duplicates the process (thread too) handle, but opens
2782	it, thus allowing us to do our job. */
2783	if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3)
2784	&& pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
2785	&& pNtProtect->fCsrssFirstProcessCreateHandle
2786	&& pOpInfo->KernelHandle == 0
2787	&& supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
2788	{
2789	pNtProtect->fCsrssFirstProcessCreateHandle = false;
2790	if (pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
2791	{
2792	/* Not needed: PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID,
2793	PROCESS_CREATE_PROCESS */
2794	fAllowedRights = fAllowedRights
2795	\| PROCESS_VM_OPERATION
2796	\| PROCESS_VM_WRITE
2797	\| PROCESS_DUP_HANDLE /* Needed for CreateProcess/VBoxTestOGL. */
2798	\| 0;
2799	pOpInfo->CallContext = NULL; /* don't assert this. */
2800	}
2801	}
2802
2803	/* Special case 4, Windows 7, Vista, possibly 8, but not 8.1:
2804	The Themes service requires PROCESS_DUP_HANDLE access to our
2805	process or we won't get any menus and dialogs will be half
2806	unreadable. This is _very_ unfortunate and more work will
2807	go into making this more secure. */
2808	if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)
2809	&& g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)
2810	&& pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == 0x1478 /* 6.1.7600.16385 (win7_rtm.090713-1255) */
2811	&& pNtProtect->fThemesFirstProcessCreateHandle
2812	&& pOpInfo->KernelHandle == 0
2813	&& supdrvNtProtectIsFrigginThemesService(pNtProtect, PsGetCurrentProcess()) )
2814	{
2815	pNtProtect->fThemesFirstProcessCreateHandle = true; /* Only once! */
2816	fAllowedRights \|= PROCESS_DUP_HANDLE;
2817	pOpInfo->CallContext = NULL; /* don't assert this. */
2818	}
2819
2820	Log(("vboxdrv/ProcessHandlePre: ctx=%04zx/%p wants %#x to %p/pid=%04zx [%d], allow %#x => %#x; %s\n",
2821	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
2822	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
2823	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
2824	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess & fAllowedRights,
2825	PsGetProcessImageFileName(PsGetCurrentProcess())));
2826
2827	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess &= fAllowedRights;
2828	}
2829	}
2830	else
2831	{
2832	/* Don't restrict the process accessing itself. */
2833	if ( (PEPROCESS)pOpInfo->Object == PsGetCurrentProcess()
2834	&& pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == pOpInfo->Object)
2835	{
2836	Log(("vboxdrv/ProcessHandlePre: ctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] %s\n",
2837	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
2838	pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
2839	PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
2840	pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
2841	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
2842	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
2843	PsGetProcessImageFileName(PsGetCurrentProcess()) ));
2844
2845	pOpInfo->CallContext = NULL; /* don't assert */
2846	}
2847	else
2848	{
2849	/* Special case 5 on Vista, 7 & 8:
2850	This is the CSRSS.EXE end of special case #1. */
2851	if ( g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3)
2852	&& pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
2853	&& pNtProtect->fCsrssFirstProcessDuplicateHandle
2854	&& pOpInfo->KernelHandle == 0
2855	&& pNtProtect->hParentPid
2856	== PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess)
2857	&& pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == PsGetCurrentProcess()
2858	&& supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
2859	{
2860	pNtProtect->fCsrssFirstProcessDuplicateHandle = false;
2861	if (pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
2862	{
2863	/* Not needed: PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID,
2864	PROCESS_CREATE_PROCESS, PROCESS_DUP_HANDLE */
2865	fAllowedRights = fAllowedRights
2866	\| PROCESS_VM_OPERATION
2867	\| PROCESS_VM_WRITE
2868	\| PROCESS_DUP_HANDLE /* Needed for launching VBoxTestOGL. */
2869	\| 0;
2870	pOpInfo->CallContext = NULL; /* don't assert this. */
2871	}
2872	}
2873
2874	Log(("vboxdrv/ProcessHandlePre: ctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] %s\n",
2875	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
2876	pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
2877	PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
2878	pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
2879	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
2880	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
2881	PsGetProcessImageFileName(PsGetCurrentProcess()) ));
2882
2883	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess &= fAllowedRights;
2884	}
2885	}
2886	supdrvNtProtectRelease(pNtProtect);
2887	}
2888
2889	return OB_PREOP_SUCCESS;
2890	}
2891
2892
2893	static VOID __stdcall
2894	supdrvNtProtectCallback_ProcessHandlePost(PVOID pvUser, POB_POST_OPERATION_INFORMATION pOpInfo)
2895	{
2896	Assert(pvUser == NULL);
2897	Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE \|\| pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
2898	Assert(pOpInfo->ObjectType == *PsProcessType);
2899
2900	if ( pOpInfo->CallContext
2901	&& NT_SUCCESS(pOpInfo->ReturnStatus))
2902	{
2903	ACCESS_MASK const fGrantedAccess = pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE
2904	? pOpInfo->Parameters->CreateHandleInformation.GrantedAccess
2905	: pOpInfo->Parameters->DuplicateHandleInformation.GrantedAccess;
2906	AssertReleaseMsg( !(fGrantedAccess & ~( SUPDRV_NT_ALLOW_PROCESS_RIGHTS
2907	\| WRITE_OWNER \| WRITE_DAC /* these two might be forced upon us */
2908	\| PROCESS_UNKNOWN_4000 /* Seen set on win 8.1 */
2909	/\| PROCESS_UNKNOWN_8000 / ) )
2910	\|\| pOpInfo->KernelHandle,
2911	("GrantedAccess=%#x - we allow %#x - we did not allow %#x\n",
2912	fGrantedAccess, SUPDRV_NT_ALLOW_PROCESS_RIGHTS, fGrantedAccess & ~SUPDRV_NT_ALLOW_PROCESS_RIGHTS));
2913	}
2914	}
2915
2916	# undef SUPDRV_NT_ALLOW_PROCESS_RIGHTS
2917
2918	/** @} */
2919
2920
2921	/** @name Thread Handle Callbacks
2922	* @{ */
2923
2924	/* From ntifs.h */
2925	extern "C" NTKERNELAPI PEPROCESS __stdcall IoThreadToProcess(PETHREAD);
2926
2927	/** Thread rights that we allow for handles to stub and VM processes. */
2928	# define SUPDRV_NT_ALLOWED_THREAD_RIGHTS \
2929	( THREAD_TERMINATE \
2930	\| THREAD_GET_CONTEXT \
2931	\| THREAD_QUERY_INFORMATION \
2932	\| THREAD_QUERY_LIMITED_INFORMATION \
2933	\| DELETE \
2934	\| READ_CONTROL \
2935	\| SYNCHRONIZE)
2936	/** @todo consider THREAD_SET_LIMITED_INFORMATION & THREAD_RESUME */
2937
2938	/** Evil thread rights.
2939	* @remarks THREAD_RESUME is not included as it seems to be forced upon us by
2940	* Windows 8.1, at least for some processes. We dont' actively
2941	* allow it though, just tollerate it when forced to. */
2942	# define SUPDRV_NT_EVIL_THREAD_RIGHTS \
2943	( THREAD_SUSPEND_RESUME \
2944	\| THREAD_SET_CONTEXT \
2945	\| THREAD_SET_INFORMATION \
2946	\| THREAD_SET_LIMITED_INFORMATION /?/ \
2947	\| THREAD_SET_THREAD_TOKEN /?/ \
2948	\| THREAD_IMPERSONATE /?/ \
2949	\| THREAD_DIRECT_IMPERSONATION /?/ \
2950	/\| THREAD_RESUME - see remarks. / \
2951	\| 0)
2952	AssertCompile((SUPDRV_NT_EVIL_THREAD_RIGHTS & SUPDRV_NT_ALLOWED_THREAD_RIGHTS) == 0);
2953
2954
2955	static OB_PREOP_CALLBACK_STATUS __stdcall
2956	supdrvNtProtectCallback_ThreadHandlePre(PVOID pvUser, POB_PRE_OPERATION_INFORMATION pOpInfo)
2957	{
2958	Assert(pvUser == NULL);
2959	Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE \|\| pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
2960	Assert(pOpInfo->ObjectType == *PsThreadType);
2961
2962	PEPROCESS pProcess = IoThreadToProcess((PETHREAD)pOpInfo->Object);
2963	PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(PsGetProcessId(pProcess));
2964	pOpInfo->CallContext = pNtProtect; /* Just for reference. */
2965	if (pNtProtect)
2966	{
2967	static ACCESS_MASK const s_fCsrssStupidDesires = 0x1fffff;
2968	ACCESS_MASK fAllowedRights = SUPDRV_NT_ALLOWED_THREAD_RIGHTS;
2969
2970	if (pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE)
2971	{
2972	/* Don't restrict the process accessing its own threads. */
2973	if (pProcess == PsGetCurrentProcess())
2974	{
2975	Log(("vboxdrv/ThreadHandlePre: ctx=%04zx/%p wants %#x to %p in pid=%04zx [%d] self\n",
2976	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
2977	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
2978	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind));
2979	pOpInfo->CallContext = NULL; /* don't assert */
2980	pNtProtect->fFirstThreadCreateHandle = false;
2981	}
2982	else
2983	{
2984	/* Special case 1 on Vista, 7, 8:
2985	The CreateProcess code passes the handle over to CSRSS.EXE
2986	and the code inBaseSrvCreateProcess will duplicate the
2987	handle with 0x1fffff as access mask. NtDuplicateObject will
2988	fail this call before it ever gets down here. */
2989	if ( g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3)
2990	&& pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
2991	&& pNtProtect->fFirstThreadCreateHandle
2992	&& pOpInfo->KernelHandle == 0
2993	&& pNtProtect->hParentPid == PsGetProcessId(PsGetCurrentProcess()) )
2994	{
2995	if ( !pOpInfo->KernelHandle
2996	&& pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
2997	{
2998	fAllowedRights \|= s_fCsrssStupidDesires;
2999	pOpInfo->CallContext = NULL; /* don't assert this. */
3000	}
3001	pNtProtect->fFirstThreadCreateHandle = false;
3002	}
3003
3004	/* Special case 2 on 8.1, possibly also Vista, 7, 8:
3005	When creating a process like VBoxTestOGL from the VM process,
3006	CSRSS.EXE will try talk to the calling thread and, it
3007	appears, impersonate it. We unfortunately need to allow
3008	this or there will be no 3D support. Typical DbgPrint:
3009	"SXS: BasepCreateActCtx() Calling csrss server failed. Status = 0xc00000a5" */
3010	SUPDRVNTPROTECTKIND enmProcessKind;
3011	if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 0, 0, 0)
3012	&& ( (enmProcessKind = pNtProtect->enmProcessKind) == kSupDrvNtProtectKind_VmProcessConfirmed
3013	\|\| enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3014	&& pOpInfo->KernelHandle == 0
3015	&& supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3016	{
3017	fAllowedRights \|= THREAD_IMPERSONATE;
3018	fAllowedRights \|= THREAD_DIRECT_IMPERSONATION;
3019	//fAllowedRights \|= THREAD_SET_LIMITED_INFORMATION; - try without this one
3020	pOpInfo->CallContext = NULL; /* don't assert this. */
3021	}
3022
3023	Log(("vboxdrv/ThreadHandlePre: ctx=%04zx/%p wants %#x to %p in pid=%04zx [%d], allow %#x => %#x; %s\n",
3024	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3025	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
3026	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3027	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess & fAllowedRights,
3028	PsGetProcessImageFileName(PsGetCurrentProcess())));
3029
3030	pOpInfo->Parameters->CreateHandleInformation.DesiredAccess &= fAllowedRights;
3031	}
3032	}
3033	else
3034	{
3035	/* Don't restrict the process accessing its own threads. */
3036	if ( pProcess == PsGetCurrentProcess()
3037	&& (PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == pProcess)
3038	{
3039	Log(("vboxdrv/ThreadHandlePre: ctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] self\n",
3040	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3041	pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
3042	PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
3043	pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
3044	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
3045	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3046	PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3047	pOpInfo->CallContext = NULL; /* don't assert */
3048	}
3049	else
3050	{
3051	/* Special case 3 on Vista, 7, 8:
3052	This is the follow up to special case 1. */
3053	SUPDRVNTPROTECTKIND enmProcessKind;
3054	if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 0, 0, 0)
3055	&& ( (enmProcessKind = pNtProtect->enmProcessKind) == kSupDrvNtProtectKind_VmProcessConfirmed
3056	\|\| enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3057	&& pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == PsGetCurrentProcess()
3058	&& pOpInfo->KernelHandle == 0
3059	&& supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3060	{
3061	fAllowedRights \|= THREAD_IMPERSONATE;
3062	fAllowedRights \|= THREAD_DIRECT_IMPERSONATION;
3063	//fAllowedRights \|= THREAD_SET_LIMITED_INFORMATION; - try without this one
3064	pOpInfo->CallContext = NULL; /* don't assert this. */
3065	}
3066
3067	Log(("vboxdrv/ThreadHandlePre: ctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d], allow %#x => %#x; %s\n",
3068	PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3069	pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
3070	PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
3071	pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
3072	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
3073	pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3074	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess & fAllowedRights,
3075	PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3076
3077	pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess &= fAllowedRights;
3078	}
3079	}
3080
3081	supdrvNtProtectRelease(pNtProtect);
3082	}
3083
3084	return OB_PREOP_SUCCESS;
3085	}
3086
3087
3088	static VOID __stdcall
3089	supdrvNtProtectCallback_ThreadHandlePost(PVOID pvUser, POB_POST_OPERATION_INFORMATION pOpInfo)
3090	{
3091	Assert(pvUser == NULL);
3092	Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE \|\| pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
3093	Assert(pOpInfo->ObjectType == *PsThreadType);
3094
3095	if ( pOpInfo->CallContext
3096	&& NT_SUCCESS(pOpInfo->ReturnStatus))
3097	{
3098	ACCESS_MASK const fGrantedAccess = pOpInfo->Parameters->CreateHandleInformation.GrantedAccess;
3099	AssertReleaseMsg( !(fGrantedAccess & ~( SUPDRV_NT_ALLOWED_THREAD_RIGHTS
3100	\| WRITE_OWNER \| WRITE_DAC /* these two might be forced upon us */
3101	\| THREAD_RESUME /* This seems to be force upon us too with 8.1. */
3102	) )
3103	\|\| pOpInfo->KernelHandle,
3104	("GrantedAccess=%#x - we allow %#x - we did not allow %#x\n",
3105	fGrantedAccess, SUPDRV_NT_ALLOWED_THREAD_RIGHTS, fGrantedAccess & ~SUPDRV_NT_ALLOWED_THREAD_RIGHTS));
3106	}
3107	}
3108
3109	# undef SUPDRV_NT_ALLOWED_THREAD_RIGHTS
3110
3111	/** @} */
3112
3113
3114	/**
3115	* Creates a new process protection structure.
3116	*
3117	* @returns VBox status code.
3118	* @param ppNtProtect Where to return the pointer to the structure
3119	* on success.
3120	* @param hPid The process ID of the process to protect.
3121	* @param enmProcessKind The kind of process we're protecting.
3122	* @param fLink Whether to link the structure into the tree.
3123	*/
3124	static int supdrvNtProtectCreate(PSUPDRVNTPROTECT *ppNtProtect, HANDLE hPid, SUPDRVNTPROTECTKIND enmProcessKind, bool fLink)
3125	{
3126	AssertReturn(g_hNtProtectLock != NIL_RTSPINLOCK, VERR_WRONG_ORDER);
3127
3128	PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)RTMemAllocZ(sizeof(*pNtProtect));
3129	if (!pNtProtect)
3130	return VERR_NO_MEMORY;
3131
3132	pNtProtect->AvlCore.Key = hPid;
3133	pNtProtect->u32Magic = SUPDRVNTPROTECT_MAGIC;
3134	pNtProtect->cRefs = 1;
3135	pNtProtect->enmProcessKind = enmProcessKind;
3136	pNtProtect->hParentPid = NULL;
3137	pNtProtect->hCsrssPid = NULL;
3138	pNtProtect->pCsrssProcess = NULL;
3139
3140	if (fLink)
3141	{
3142	RTSpinlockAcquire(g_hNtProtectLock);
3143	bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtProtect->AvlCore);
3144	RTSpinlockRelease(g_hNtProtectLock);
3145
3146	if (!fSuccess)
3147	{
3148	/* Duplicate entry, fail. */
3149	pNtProtect->u32Magic = SUPDRVNTPROTECT_MAGIC_DEAD;
3150	LogRel(("supdrvNtProtectCreate: Duplicate (%#x).\n", pNtProtect->AvlCore.Key));
3151	RTMemFree(pNtProtect);
3152	return VERR_DUPLICATE;
3153	}
3154	}
3155
3156	*ppNtProtect = pNtProtect;
3157	return VINF_SUCCESS;
3158	}
3159
3160
3161	/**
3162	* Releases a reference to a NT protection structure.
3163	*
3164	* @param pNtProtect The NT protection structure.
3165	*/
3166	static void supdrvNtProtectRelease(PSUPDRVNTPROTECT pNtProtect)
3167	{
3168	if (!pNtProtect)
3169	return;
3170	AssertReturnVoid(pNtProtect->u32Magic == SUPDRVNTPROTECT_MAGIC);
3171
3172	RTSpinlockAcquire(g_hNtProtectLock);
3173	uint32_t cRefs = ASMAtomicDecU32(&pNtProtect->cRefs);
3174	if (cRefs != 0)
3175	RTSpinlockRelease(g_hNtProtectLock);
3176	else
3177	{
3178	/*
3179	* That was the last reference. Remove it from the tree, invalidate it
3180	* and free the resources associated with it. Also, release any
3181	* child/parent references related to this protection structure.
3182	*/
3183	ASMAtomicWriteU32(&pNtProtect->u32Magic, SUPDRVNTPROTECT_MAGIC_DEAD);
3184	PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key);
3185
3186	PSUPDRVNTPROTECT pRemovedChild = NULL;
3187	PSUPDRVNTPROTECT pChild = NULL;
3188	if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent)
3189	{
3190	pChild = pNtProtect->u.pChild;
3191	if (pChild)
3192	{
3193	pNtProtect->u.pChild = NULL;
3194	pChild->u.pParent = NULL;
3195	pChild->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
3196	uint32_t cChildRefs = ASMAtomicIncU32(&pChild->cRefs);
3197	if (!cChildRefs)
3198	pRemovedChild = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pChild->AvlCore.Key);
3199	else
3200	pChild = NULL;
3201	}
3202	}
3203	else
3204	AssertRelease(pNtProtect->enmProcessKind != kSupDrvNtProtectKind_VmProcessUnconfirmed);
3205
3206	RTSpinlockRelease(g_hNtProtectLock);
3207	Assert(pRemoved == pNtProtect);
3208	Assert(pRemovedChild == pChild);
3209
3210	if (pNtProtect->pCsrssProcess)
3211	{
3212	ObDereferenceObject(pNtProtect->pCsrssProcess);
3213	pNtProtect->pCsrssProcess = NULL;
3214	}
3215
3216	RTMemFree(pNtProtect);
3217	if (pChild)
3218	RTMemFree(pChild);
3219	}
3220	}
3221
3222
3223	/**
3224	* Looks up a PID in the NT protect tree.
3225	*
3226	* @returns Pointer to a NT protection structure (with a referenced) on success,
3227	* NULL if not found.
3228	* @param hPid The process ID.
3229	*/
3230	static PSUPDRVNTPROTECT supdrvNtProtectLookup(HANDLE hPid)
3231	{
3232	RTSpinlockAcquire(g_hNtProtectLock);
3233	PSUPDRVNTPROTECT pFound = (PSUPDRVNTPROTECT)RTAvlPVGet(&g_NtProtectTree, hPid);
3234	if (pFound)
3235	ASMAtomicIncU32(&pFound->cRefs);
3236	RTSpinlockRelease(g_hNtProtectLock);
3237	return pFound;
3238	}
3239
3240
3241	/**
3242	* Worker for supdrvNtProtectVerifyProcess that verifies the handles to a VM
3243	* process and its thread.
3244	*
3245	* @returns VBox status code.
3246	* @param pNtProtect The NT protect structure for getting information
3247	* about special processes.
3248	*/
3249	static int supdrvNtProtectRestrictHandlesToProcessAndThread(PSUPDRVNTPROTECT pNtProtect)
3250	{
3251	/*
3252	* What to protect.
3253	*/
3254	PEPROCESS pProtectedProcess = PsGetCurrentProcess();
3255	HANDLE hProtectedPid = PsGetProcessId(pProtectedProcess);
3256	PETHREAD pProtectedThread = PsGetCurrentThread();
3257	AssertReturn(pNtProtect->AvlCore.Key == hProtectedPid, VERR_INTERNAL_ERROR_5);
3258
3259	/*
3260	* Take a snapshot of all the handles in the system.
3261	* Note! The 32 bytes on the size of to counteract the allocation header
3262	* that rtR0MemAllocEx slaps on everything.
3263	*/
3264	uint32_t cbBuf = _256K - 32;
3265	uint8_t pbBuf = (uint8_t )RTMemAlloc(cbBuf);
3266	ULONG cbNeeded = cbBuf;
3267	NTSTATUS rcNt = NtQuerySystemInformation(SystemExtendedHandleInformation, pbBuf, cbBuf, &cbNeeded);
3268	if (!NT_SUCCESS(rcNt))
3269	{
3270	while ( rcNt == STATUS_INFO_LENGTH_MISMATCH
3271	&& cbNeeded > cbBuf
3272	&& cbBuf <= 32U*_1M)
3273	{
3274	cbBuf = RT_ALIGN_32(cbNeeded + _4K, _64K) - 32;
3275	RTMemFree(pbBuf);
3276	pbBuf = (uint8_t *)RTMemAlloc(cbBuf);
3277	if (!pbBuf)
3278	return VERR_NO_MEMORY;
3279	rcNt = NtQuerySystemInformation(SystemExtendedHandleInformation, pbBuf, cbBuf, &cbNeeded);
3280	}
3281	if (!NT_SUCCESS(rcNt))
3282	{
3283	RTMemFree(pbBuf);
3284	return RTErrConvertFromNtStatus(rcNt);
3285	}
3286	}
3287
3288	/*
3289	* Walk the information and look for handles to the two objects we're protecting.
3290	*/
3291	int rc = VINF_SUCCESS;
3292
3293	uint32_t cCsrssProcessHandles = 0;
3294	uint32_t cSystemProcessHandles = 0;
3295	uint32_t cEvilProcessHandles = 0;
3296	uint32_t cBenignProcessHandles = 0;
3297
3298	uint32_t cCsrssThreadHandles = 0;
3299	uint32_t cEvilThreadHandles = 0;
3300	uint32_t cBenignThreadHandles = 0;
3301
3302	SYSTEM_HANDLE_INFORMATION_EX const pInfo = (SYSTEM_HANDLE_INFORMATION_EX const )pbBuf;
3303	ULONG_PTR i = pInfo->NumberOfHandles;
3304	AssertRelease(RT_OFFSETOF(SYSTEM_HANDLE_INFORMATION_EX, Handles[i]) == cbNeeded);
3305	while (i-- > 0)
3306	{
3307	const char *pszType;
3308	SYSTEM_HANDLE_ENTRY_INFO_EX const *pHandleInfo = &pInfo->Handles[i];
3309	if (pHandleInfo->Object == pProtectedProcess)
3310	{
3311	/* Handles within the protected process is fine. */
3312	if ( !(pHandleInfo->GrantedAccess & SUPDRV_NT_EVIL_PROCESS_RIGHTS)
3313	\|\| pHandleInfo->UniqueProcessId == hProtectedPid)
3314	{
3315	cBenignProcessHandles++;
3316	continue;
3317	}
3318
3319	/* CSRSS is allowed to have one evil process handle.
3320	See the special cases in the hook code. */
3321	if ( cCsrssProcessHandles < 1
3322	&& pHandleInfo->UniqueProcessId == pNtProtect->hCsrssPid)
3323	{
3324	cCsrssProcessHandles++;
3325	continue;
3326	}
3327
3328	/* The system process is allowed having one open process handle in
3329	Windows 8.1 and later. */
3330	if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3)
3331	&& cSystemProcessHandles < 1
3332	&& pHandleInfo->UniqueProcessId == PsGetProcessId(PsInitialSystemProcess))
3333	{
3334	cSystemProcessHandles++;
3335	continue;
3336	}
3337
3338	cEvilProcessHandles++;
3339	pszType = "process";
3340	}
3341	else if (pHandleInfo->Object == pProtectedThread)
3342	{
3343	/* Handles within the protected process is fine. */
3344	if ( !(pHandleInfo->GrantedAccess & SUPDRV_NT_EVIL_THREAD_RIGHTS)
3345	\|\| pHandleInfo->UniqueProcessId == hProtectedPid)
3346	{
3347	cBenignThreadHandles++;
3348	continue;
3349	}
3350
3351	/* CSRSS is allowed to have one evil handle to the primary thread
3352	for LPC purposes. See the hook for special case. */
3353	if ( cCsrssThreadHandles < 1
3354	&& pHandleInfo->UniqueProcessId == pNtProtect->hCsrssPid)
3355	{
3356	cCsrssThreadHandles++;
3357	continue;
3358	}
3359
3360	cEvilThreadHandles++;
3361	pszType = "thread";
3362	}
3363	else
3364	continue;
3365
3366	/* Found evil handle. Currently ignoring on pre-Vista. */
3367	# ifndef VBOX_WITH_VISTA_NO_SP
3368	if ( g_uNtVerCombined >= SUP_NT_VER_VISTA
3369	# else
3370	if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0)
3371	# endif
3372	\|\| g_pfnObRegisterCallbacks)
3373	{
3374	LogRel(("vboxdrv: Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s\n",
3375	pHandleInfo->UniqueProcessId, pHandleInfo->HandleValue,
3376	pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType));
3377	rc = VERR_SUPDRV_HARDENING_EVIL_HANDLE;
3378	}
3379	}
3380
3381	RTMemFree(pbBuf);
3382	return rc;
3383	}
3384
3385
3386	/**
3387	* Checks if the current process checks out as a VM process stub.
3388	*
3389	* @returns VBox status code.
3390	* @param pNtProtect The NT protect structure. This is upgraded to a
3391	* final protection kind (state) on success.
3392	*/
3393	static int supdrvNtProtectVerifyProcess(PSUPDRVNTPROTECT pNtProtect)
3394	{
3395	AssertReturn(PsGetProcessId(PsGetCurrentProcess()) == pNtProtect->AvlCore.Key, VERR_INTERNAL_ERROR_3);
3396
3397	/*
3398	* Do the verification. The handle restriction checks are only preformed
3399	* on VM processes.
3400	*/
3401	int rc = VINF_SUCCESS;
3402	if (pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)
3403	rc = supdrvNtProtectRestrictHandlesToProcessAndThread(pNtProtect);
3404	if (RT_SUCCESS(rc))
3405	{
3406	char szErr[256];
3407	RT_ZERO(szErr);
3408	RTERRINFO ErrInfo;
3409	RTErrInfoInit(&ErrInfo, szErr, sizeof(szErr));
3410
3411	rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY, &ErrInfo);
3412	if (RT_FAILURE(rc))
3413	RTLogWriteDebugger(szErr, strlen(szErr));
3414	}
3415
3416	/*
3417	* Upgrade and return.
3418	*/
3419	RTSpinlockAcquire(g_hNtProtectLock);
3420
3421	/* Stub process verficiation is pretty much straight forward. */
3422	if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
3423	pNtProtect->enmProcessKind = RT_SUCCESS(rc) ? kSupDrvNtProtectKind_StubSpawning : kSupDrvNtProtectKind_StubDead;
3424
3425	/* The VM process verification is a little bit more complicated
3426	because we need to drop the parent process reference as well. */
3427	else if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3428	{
3429	AssertRelease(pNtProtect->cRefs >= 2); /* Parent + Caller */
3430	PSUPDRVNTPROTECT pParent = pNtProtect->u.pParent;
3431	AssertRelease(pParent);
3432	AssertRelease(pParent->u.pParent == pNtProtect);
3433	AssertRelease(pParent->enmProcessKind == kSupDrvNtProtectKind_StubParent);
3434	pParent->u.pParent = NULL;
3435
3436	pNtProtect->u.pParent = NULL;
3437	ASMAtomicDecU32(&pNtProtect->cRefs);
3438
3439	if (RT_SUCCESS(rc))
3440	pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessConfirmed;
3441	else
3442	pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
3443	}
3444
3445	/* Since the stub and VM processes are only supposed to have one thread,
3446	we're not supposed to be subject to any races from within the processes.
3447
3448	There is a race between VM process verification and the stub process
3449	exiting, though. We require the stub process to be alive until the new
3450	VM process has made it thru the validation. So, when the stub
3451	terminates the notification handler will change the state of both stub
3452	and VM process to dead.
3453
3454	Also, I'm not entirely certain where the process
3455	termination notification is triggered from, so that can theorically
3456	create a race in both cases. */
3457	else
3458	{
3459	AssertReleaseMsg( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubDead
3460	\|\| pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessDead,
3461	("enmProcessKind=%d rc=%Rrc\n", pNtProtect->enmProcessKind, rc));
3462	if (RT_SUCCESS(rc))
3463	rc = VERR_INVALID_STATE; /* There should be no races here. */
3464	}
3465
3466	RTSpinlockRelease(g_hNtProtectLock);
3467	return rc;
3468	}
3469
3470
3471	# ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
3472
3473	/**
3474	* Checks if the current process is being debugged.
3475	* @return @c true if debugged, @c false if not.
3476	*/
3477	static bool supdrvNtIsDebuggerAttached(void)
3478	{
3479	return PsIsProcessBeingDebugged(PsGetCurrentProcess()) != FALSE;
3480	}
3481
3482	# endif /* !VBOX_WITHOUT_DEBUGGER_CHECKS */
3483
3484
3485	/**
3486	* Terminates the hardening bits.
3487	*/
3488	static void supdrvNtProtectTerm(void)
3489	{
3490	/*
3491	* Stop intercepting process and thread handle creation calls.
3492	*/
3493	if (g_pvObCallbacksCookie)
3494	{
3495	g_pfnObUnRegisterCallbacks(g_pvObCallbacksCookie);
3496	g_pvObCallbacksCookie = NULL;
3497	}
3498
3499	/*
3500	* Stop intercepting process creation and termination notifications.
3501	*/
3502	NTSTATUS rcNt;
3503	if (g_pfnPsSetCreateProcessNotifyRoutineEx)
3504	rcNt = g_pfnPsSetCreateProcessNotifyRoutineEx(supdrvNtProtectCallback_ProcessCreateNotifyEx, TRUE /fRemove/);
3505	else
3506	rcNt = PsSetCreateProcessNotifyRoutine(supdrvNtProtectCallback_ProcessCreateNotify, TRUE /fRemove/);
3507	AssertMsg(NT_SUCCESS(rcNt), ("rcNt=%#x\n", rcNt));
3508
3509	Assert(g_NtProtectTree == NULL);
3510
3511	/*
3512	* Clean up globals.
3513	*/
3514	RTSpinlockDestroy(g_hNtProtectLock);
3515	g_NtProtectTree = NIL_RTSPINLOCK;
3516
3517	supHardenedWinTermImageVerifier();
3518	}
3519
3520	# ifdef RT_ARCH_X86
3521	DECLASM(void) supdrvNtQueryVirtualMemory_0xAF(void);
3522	DECLASM(void) supdrvNtQueryVirtualMemory_0xB0(void);
3523	DECLASM(void) supdrvNtQueryVirtualMemory_0xB1(void);
3524	DECLASM(void) supdrvNtQueryVirtualMemory_0xB2(void);
3525	DECLASM(void) supdrvNtQueryVirtualMemory_0xB3(void);
3526	DECLASM(void) supdrvNtQueryVirtualMemory_0xB4(void);
3527	DECLASM(void) supdrvNtQueryVirtualMemory_0xB5(void);
3528	DECLASM(void) supdrvNtQueryVirtualMemory_0xB6(void);
3529	DECLASM(void) supdrvNtQueryVirtualMemory_0xB7(void);
3530	DECLASM(void) supdrvNtQueryVirtualMemory_0xB8(void);
3531	DECLASM(void) supdrvNtQueryVirtualMemory_0xB9(void);
3532	DECLASM(void) supdrvNtQueryVirtualMemory_0xBA(void);
3533	DECLASM(void) supdrvNtQueryVirtualMemory_0xBB(void);
3534	DECLASM(void) supdrvNtQueryVirtualMemory_0xBC(void);
3535	DECLASM(void) supdrvNtQueryVirtualMemory_0xBD(void);
3536	DECLASM(void) supdrvNtQueryVirtualMemory_0xBE(void);
3537	# elif defined(RT_ARCH_AMD64)
3538	DECLASM(void) supdrvNtQueryVirtualMemory_0x1F(void);
3539	DECLASM(void) supdrvNtQueryVirtualMemory_0x20(void);
3540	DECLASM(void) supdrvNtQueryVirtualMemory_0x21(void);
3541	DECLASM(void) supdrvNtQueryVirtualMemory_0x22(void);
3542	DECLASM(void) supdrvNtQueryVirtualMemory_0x23(void);
3543	extern "C" NTSYSAPI NTSTATUS NTAPI ZwRequestWaitReplyPort(HANDLE, PVOID, PVOID);
3544	# endif
3545
3546	/**
3547	* Initalizes the hardening bits.
3548	*
3549	* @returns NT status code.
3550	*/
3551	static NTSTATUS supdrvNtProtectInit(void)
3552	{
3553	/*
3554	* Initialize the globals.
3555	*/
3556
3557	/* The NT version. */
3558	ULONG uMajor, uMinor, uBuild;
3559	PsGetVersion(&uMajor, &uMinor, &uBuild, NULL);
3560	g_uNtVerCombined = SUP_MAKE_NT_VER_COMBINED(uMajor, uMinor, uBuild, 0, 0);
3561
3562	/* Resolve methods we want but isn't available everywhere. */
3563	UNICODE_STRING RoutineName;
3564
3565	RtlInitUnicodeString(&RoutineName, L"ObRegisterCallbacks");
3566	g_pfnObRegisterCallbacks = (PFNOBREGISTERCALLBACKS)MmGetSystemRoutineAddress(&RoutineName);
3567
3568	RtlInitUnicodeString(&RoutineName, L"ObUnRegisterCallbacks");
3569	g_pfnObUnRegisterCallbacks = (PFNOBUNREGISTERCALLBACKS)MmGetSystemRoutineAddress(&RoutineName);
3570
3571	RtlInitUnicodeString(&RoutineName, L"PsSetCreateProcessNotifyRoutineEx");
3572	g_pfnPsSetCreateProcessNotifyRoutineEx = (PFNPSSETCREATEPROCESSNOTIFYROUTINEEX)MmGetSystemRoutineAddress(&RoutineName);
3573
3574	RtlInitUnicodeString(&RoutineName, L"PsReferenceProcessFilePointer");
3575	g_pfnPsReferenceProcessFilePointer = (PFNPSREFERENCEPROCESSFILEPOINTER)MmGetSystemRoutineAddress(&RoutineName);
3576
3577	RtlInitUnicodeString(&RoutineName, L"PsIsProtectedProcessLight");
3578	g_pfnPsIsProtectedProcessLight = (PFNPSISPROTECTEDPROCESSLIGHT)MmGetSystemRoutineAddress(&RoutineName);
3579
3580	RtlInitUnicodeString(&RoutineName, L"ZwQueryVirtualMemory"); /* Yes, using Zw version here. */
3581	g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)MmGetSystemRoutineAddress(&RoutineName);
3582	if (!g_pfnNtQueryVirtualMemory && g_uNtVerCombined < SUP_NT_VER_VISTA)
3583	{
3584	/* XP & W2K3 doesn't have this function exported, so we've cooked up a
3585	few alternative in the assembly helper file that uses the code in
3586	ZwReadFile with a different eax value. We figure the syscall number
3587	by inspecting ZwQueryVolumeInformationFile as it's the next number. */
3588	# ifdef RT_ARCH_X86
3589	uint8_t const pbCode = (uint8_t const )(uintptr_t)ZwQueryVolumeInformationFile;
3590	if (pbCode == 0xb8) / mov eax, dword */
3591	switch ((uint32_t const )&pbCode[1])
3592	{
3593	case 0xb0: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xAF; break; /* just in case */
3594	case 0xb1: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB0; break; /* just in case */
3595	case 0xb2: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB1; break; /* just in case */
3596	case 0xb3: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB2; break; /* XP SP3 */
3597	case 0xb4: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB2; break; /* just in case */
3598	case 0xb5: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB3; break; /* just in case */
3599	case 0xb6: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB4; break; /* just in case */
3600	case 0xb7: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB5; break; /* just in case */
3601	case 0xb8: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB6; break; /* just in case */
3602	case 0xb9: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB7; break; /* just in case */
3603	case 0xba: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB8; break; /* just in case */
3604	case 0xbb: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBA; break; /* W2K3 R2 SP2 */
3605	case 0xbc: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBB; break; /* just in case */
3606	case 0xbd: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBC; break; /* just in case */
3607	case 0xbe: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBD; break; /* just in case */
3608	case 0xbf: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBE; break; /* just in case */
3609	}
3610	# elif defined(RT_ARCH_AMD64)
3611	uint8_t const pbCode = (uint8_t const )(uintptr_t)ZwRequestWaitReplyPort;
3612	if ( pbCode[ 0] == 0x48 /* mov rax, rsp */
3613	&& pbCode[ 1] == 0x8b
3614	&& pbCode[ 2] == 0xc4
3615	&& pbCode[ 3] == 0xfa /* cli */
3616	&& pbCode[ 4] == 0x48 /* sub rsp, 10h */
3617	&& pbCode[ 5] == 0x83
3618	&& pbCode[ 6] == 0xec
3619	&& pbCode[ 7] == 0x10
3620	&& pbCode[ 8] == 0x50 /* push rax */
3621	&& pbCode[ 9] == 0x9c /* pushfq */
3622	&& pbCode[10] == 0x6a /* push 10 */
3623	&& pbCode[11] == 0x10
3624	&& pbCode[12] == 0x48 /* lea rax, [nt!KiServiceLinkage] */
3625	&& pbCode[13] == 0x8d
3626	&& pbCode[14] == 0x05
3627	&& pbCode[19] == 0x50 /* push rax */
3628	&& pbCode[20] == 0xb8 /* mov eax,1fh <- the syscall no. */
3629	/&& pbCode[21] == 0x1f/
3630	&& pbCode[22] == 0x00
3631	&& pbCode[23] == 0x00
3632	&& pbCode[24] == 0x00
3633	&& pbCode[25] == 0xe9 /* jmp KiServiceInternal */
3634	)
3635	{
3636	uint8_t const pbKiServiceInternal = &pbCode[30] + (int32_t const *)&pbCode[26];
3637	uint8_t const pbKiServiceLinkage = &pbCode[19] + (int32_t const *)&pbCode[15];
3638	if (*pbKiServiceLinkage == 0xc3)
3639	{
3640	g_pfnKiServiceInternal = (PFNRT)pbKiServiceInternal;
3641	g_pfnKiServiceLinkage = (PFNRT)pbKiServiceLinkage;
3642	switch (pbCode[21])
3643	{
3644	case 0x1e: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x1F; break;
3645	case 0x1f: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x20; break;
3646	case 0x20: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x21; break;
3647	case 0x21: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x22; break;
3648	case 0x22: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x23; break;
3649	}
3650	}
3651	}
3652	# endif
3653	}
3654	if (!g_pfnNtQueryVirtualMemory)
3655	{
3656	LogRel(("vboxdrv: Cannot locate ZwQueryVirtualMemory in ntoskrnl, nor were we able to cook up a replacement.\n"));
3657	return STATUS_PROCEDURE_NOT_FOUND;
3658	}
3659
3660
3661	/* The spinlock protecting our structures. */
3662	int rc = RTSpinlockCreate(&g_hNtProtectLock, RTSPINLOCK_FLAGS_INTERRUPT_UNSAFE, "NtProtectLock");
3663	if (RT_FAILURE(rc))
3664	return VBoxDrvNtErr2NtStatus(rc);
3665	g_NtProtectTree = NULL;
3666
3667	/* Image stuff + certificates. */
3668	NTSTATUS rcNt;
3669	rc = supHardenedWinInitImageVerifier(NULL);
3670	if (RT_SUCCESS(rc))
3671	{
3672	/*
3673	* Intercept process creation and termination.
3674	*/
3675	if (g_pfnPsSetCreateProcessNotifyRoutineEx)
3676	rcNt = g_pfnPsSetCreateProcessNotifyRoutineEx(supdrvNtProtectCallback_ProcessCreateNotifyEx, FALSE /fRemove/);
3677	else
3678	rcNt = PsSetCreateProcessNotifyRoutine(supdrvNtProtectCallback_ProcessCreateNotify, FALSE /fRemove/);
3679	if (NT_SUCCESS(rcNt))
3680	{
3681	/*
3682	* Intercept process and thread handle creation calls.
3683	* The preferred method is only available on Vista SP1+.
3684	*/
3685	if (g_pfnObRegisterCallbacks && g_pfnObUnRegisterCallbacks)
3686	{
3687	static OB_OPERATION_REGISTRATION s_aObOperations[] =
3688	{
3689	{
3690	PsProcessType,
3691	OB_OPERATION_HANDLE_CREATE \| OB_OPERATION_HANDLE_DUPLICATE,
3692	supdrvNtProtectCallback_ProcessHandlePre,
3693	supdrvNtProtectCallback_ProcessHandlePost,
3694	},
3695	{
3696	PsThreadType,
3697	OB_OPERATION_HANDLE_CREATE \| OB_OPERATION_HANDLE_DUPLICATE,
3698	supdrvNtProtectCallback_ThreadHandlePre,
3699	supdrvNtProtectCallback_ThreadHandlePost,
3700	},
3701	};
3702	static OB_CALLBACK_REGISTRATION s_ObCallbackReg =
3703	{
3704	/* .Version = */ OB_FLT_REGISTRATION_VERSION,
3705	/* .OperationRegistrationCount = */ RT_ELEMENTS(s_aObOperations),
3706	/* .Altitude.Length = */ 0,
3707	/* .Altitude.MaximumLength = */ 0,
3708	/* .Altitude.Buffer = */ NULL,
3709	/* .RegistrationContext = */ NULL,
3710	/* .OperationRegistration = */ &s_aObOperations[0]
3711	};
3712	static WCHAR const s_apwszAltitudes[] = /* @todo get a valid number */
3713	{
3714	L"48596.98940", L"46935.19485", L"49739.39704", L"40334.74976",
3715	L"66667.98940", L"69888.19485", L"69889.39704", L"60364.74976",
3716	L"85780.98940", L"88978.19485", L"89939.39704", L"80320.74976",
3717	L"329879.98940", L"326787.19485", L"328915.39704", L"320314.74976",
3718	};
3719
3720	rcNt = STATUS_FLT_INSTANCE_ALTITUDE_COLLISION;
3721	for (uint32_t i = 0; i < RT_ELEMENTS(s_apwszAltitudes) && rcNt == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION; i++)
3722	{
3723	s_ObCallbackReg.Altitude.Buffer = (WCHAR *)s_apwszAltitudes[i];
3724	s_ObCallbackReg.Altitude.Length = (uint16_t)RTUtf16Len(s_apwszAltitudes[i]) * sizeof(WCHAR);
3725	s_ObCallbackReg.Altitude.MaximumLength = s_ObCallbackReg.Altitude.Length + sizeof(WCHAR);
3726
3727	rcNt = g_pfnObRegisterCallbacks(&s_ObCallbackReg, &g_pvObCallbacksCookie);
3728	if (NT_SUCCESS(rcNt))
3729	{
3730	/*
3731	* Happy ending.
3732	*/
3733	return STATUS_SUCCESS;
3734	}
3735	}
3736	LogRel(("vboxdrv: ObRegisterCallbacks failed with rcNt=%#x\n", rcNt));
3737	g_pvObCallbacksCookie = NULL;
3738	}
3739	else
3740	{
3741	/*
3742	* For the time being, we do not implement extra process
3743	* protection on pre-Vista-SP1 systems as they are lacking
3744	* necessary KPIs. XP is end of life, we do not wish to
3745	* spend more time on it, so we don't put up a fuss there.
3746	* Vista users without SP1 can install SP1 (or later), darn it,
3747	* so refuse to load.
3748	*/
3749	/** @todo Hack up an XP solution - will require hooking kernel APIs or doing bad
3750	* stuff to a couple of object types. */
3751	# ifndef VBOX_WITH_VISTA_NO_SP
3752	if (g_uNtVerCombined >= SUP_NT_VER_VISTA)
3753	# else
3754	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0))
3755	# endif
3756	{
3757	DbgPrint("vboxdrv: ObRegisterCallbacks was not found. Please make sure you got the latest updates and service packs installed\n");
3758	rcNt = STATUS_SXS_VERSION_CONFLICT;
3759	}
3760	else
3761	{
3762	Log(("vboxdrv: ObRegisterCallbacks was not found; ignored pre-Vista\n"));
3763	return rcNt = STATUS_SUCCESS;
3764	}
3765	g_pvObCallbacksCookie = NULL;
3766	}
3767
3768	/*
3769	* Drop process create/term notifications.
3770	*/
3771	if (g_pfnPsSetCreateProcessNotifyRoutineEx)
3772	g_pfnPsSetCreateProcessNotifyRoutineEx(supdrvNtProtectCallback_ProcessCreateNotifyEx, TRUE /fRemove/);
3773	else
3774	PsSetCreateProcessNotifyRoutine(supdrvNtProtectCallback_ProcessCreateNotify, TRUE /fRemove/);
3775	}
3776	else
3777	LogRel(("vboxdrv: PsSetCreateProcessNotifyRoutine%s failed with rcNt=%#x\n",
3778	g_pfnPsSetCreateProcessNotifyRoutineEx ? "Ex" : "", rcNt));
3779	supHardenedWinTermImageVerifier();
3780	}
3781	else
3782	rcNt = VBoxDrvNtErr2NtStatus(rc);
3783
3784	RTSpinlockDestroy(g_hNtProtectLock);
3785	g_NtProtectTree = NIL_RTSPINLOCK;
3786	return rcNt;
3787	}
3788
3789	#endif /* VBOX_WITH_HARDENING */
3790

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp@ 52374

Download in other formats: