SUPR3HardenedMain-win.cpp@ 78351

Last change on this file since 78351 was 76553, checked in by vboxsync, 6 years ago
scm --update-copyright-year
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 277.5 KB

Line
1	/* $Id: SUPR3HardenedMain-win.cpp 76553 2019-01-01 01:45:53Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library - Hardened main(), windows bits.
4	*/
5
6	/*
7	* Copyright (C) 2006-2019 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#include <iprt/nt/nt-and-windows.h>
32	#include <AccCtrl.h>
33	#include <AclApi.h>
34	#ifndef PROCESS_SET_LIMITED_INFORMATION
35	# define PROCESS_SET_LIMITED_INFORMATION 0x2000
36	#endif
37	#ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR
38	# define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR UINT32_C(0x100)
39	# define LOAD_LIBRARY_SEARCH_APPLICATION_DIR UINT32_C(0x200)
40	# define LOAD_LIBRARY_SEARCH_USER_DIRS UINT32_C(0x400)
41	# define LOAD_LIBRARY_SEARCH_SYSTEM32 UINT32_C(0x800)
42	#endif
43
44	#include <VBox/sup.h>
45	#include <VBox/err.h>
46	#include <VBox/dis.h>
47	#include <iprt/ctype.h>
48	#include <iprt/string.h>
49	#include <iprt/initterm.h>
50	#include <iprt/param.h>
51	#include <iprt/path.h>
52	#include <iprt/thread.h>
53	#include <iprt/utf16.h>
54	#include <iprt/zero.h>
55
56	#include "SUPLibInternal.h"
57	#include "win/SUPHardenedVerify-win.h"
58	#include "../SUPDrvIOC.h"
59
60	#ifndef IMAGE_SCN_TYPE_NOLOAD
61	# define IMAGE_SCN_TYPE_NOLOAD 0x00000002
62	#endif
63
64
65	/*********************************************************************************************************************************
66	* Defined Constants And Macros *
67	*********************************************************************************************************************************/
68	/** The first argument of a respawed stub when respawned for the first time.
69	* This just needs to be unique enough to avoid most confusion with real
70	* executable names, there are other checks in place to make sure we've respanwed. */
71	#define SUPR3_RESPAWN_1_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild"
72
73	/** The first argument of a respawed stub when respawned for the second time.
74	* This just needs to be unique enough to avoid most confusion with real
75	* executable names, there are other checks in place to make sure we've respanwed. */
76	#define SUPR3_RESPAWN_2_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild"
77
78	/** Unconditional assertion. */
79	#define SUPR3HARDENED_ASSERT(a_Expr) \
80	do { \
81	if (!(a_Expr)) \
82	supR3HardenedFatal("%s: %s\n", __FUNCTION__, #a_Expr); \
83	} while (0)
84
85	/** Unconditional assertion of NT_SUCCESS. */
86	#define SUPR3HARDENED_ASSERT_NT_SUCCESS(a_Expr) \
87	do { \
88	NTSTATUS rcNtAssert = (a_Expr); \
89	if (!NT_SUCCESS(rcNtAssert)) \
90	supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, rcNtAssert); \
91	} while (0)
92
93	/** Unconditional assertion of a WIN32 API returning non-FALSE. */
94	#define SUPR3HARDENED_ASSERT_WIN32_SUCCESS(a_Expr) \
95	do { \
96	BOOL fRcAssert = (a_Expr); \
97	if (fRcAssert == FALSE) \
98	supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, RtlGetLastWin32Error()); \
99	} while (0)
100
101
102	/*********************************************************************************************************************************
103	* Structures and Typedefs *
104	*********************************************************************************************************************************/
105	/**
106	* Security descriptor cleanup structure.
107	*/
108	typedef struct MYSECURITYCLEANUP
109	{
110	union
111	{
112	SID Sid;
113	uint8_t abPadding[SECURITY_MAX_SID_SIZE];
114	} Everyone, Owner, User, Login;
115	union
116	{
117	ACL AclHdr;
118	uint8_t abPadding[1024];
119	} Acl;
120	PSECURITY_DESCRIPTOR pSecDesc;
121	} MYSECURITYCLEANUP;
122	/** Pointer to security cleanup structure. */
123	typedef MYSECURITYCLEANUP *PMYSECURITYCLEANUP;
124
125
126	/**
127	* Image verifier cache entry.
128	*/
129	typedef struct VERIFIERCACHEENTRY
130	{
131	/** Pointer to the next entry with the same hash value. */
132	struct VERIFIERCACHEENTRY * volatile pNext;
133	/** Next entry in the WinVerifyTrust todo list. */
134	struct VERIFIERCACHEENTRY * volatile pNextTodoWvt;
135
136	/** The file handle. */
137	HANDLE hFile;
138	/** If fIndexNumber is set, this is an file system internal file identifier. */
139	LARGE_INTEGER IndexNumber;
140	/** The path hash value. */
141	uint32_t uHash;
142	/** The verification result. */
143	int rc;
144	/** Used for shutting up load and error messages after a while so they don't
145	* flood the log file and fill up the disk. */
146	uint32_t volatile cHits;
147	/** The validation flags (for WinVerifyTrust retry). */
148	uint32_t fFlags;
149	/** Whether IndexNumber is valid */
150	bool fIndexNumberValid;
151	/** Whether verified by WinVerifyTrust. */
152	bool volatile fWinVerifyTrust;
153	/** cwcPath * sizeof(RTUTF16). */
154	uint16_t cbPath;
155	/** The full path of this entry (variable size). */
156	RTUTF16 wszPath[1];
157	} VERIFIERCACHEENTRY;
158	/** Pointer to an image verifier path entry. */
159	typedef VERIFIERCACHEENTRY *PVERIFIERCACHEENTRY;
160
161
162	/**
163	* Name of an import DLL that we need to check out.
164	*/
165	typedef struct VERIFIERCACHEIMPORT
166	{
167	/** Pointer to the next DLL in the list. */
168	struct VERIFIERCACHEIMPORT * volatile pNext;
169	/** The length of pwszAltSearchDir if available. */
170	uint32_t cwcAltSearchDir;
171	/** This points the directory containing the DLL needing it, this will be
172	* NULL for a System32 DLL. */
173	PWCHAR pwszAltSearchDir;
174	/** The name of the import DLL (variable length). */
175	char szName[1];
176	} VERIFIERCACHEIMPORT;
177	/** Pointer to a import DLL that needs checking out. */
178	typedef VERIFIERCACHEIMPORT *PVERIFIERCACHEIMPORT;
179
180
181	/**
182	* Child requests.
183	*/
184	typedef enum SUPR3WINCHILDREQ
185	{
186	/** Perform child purification and close full access handles (must be zero). */
187	kSupR3WinChildReq_PurifyChildAndCloseHandles = 0,
188	/** Close the events, we're good on our own from here on. */
189	kSupR3WinChildReq_CloseEvents,
190	/** Reporting error. */
191	kSupR3WinChildReq_Error,
192	/** End of valid requests. */
193	kSupR3WinChildReq_End
194	} SUPR3WINCHILDREQ;
195
196	/**
197	* Child process parameters.
198	*/
199	typedef struct SUPR3WINPROCPARAMS
200	{
201	/** The event semaphore the child will be waiting on. */
202	HANDLE hEvtChild;
203	/** The event semaphore the parent will be waiting on. */
204	HANDLE hEvtParent;
205
206	/** The address of the NTDLL. This is only valid during the very early
207	* initialization as we abuse for thread creation protection. */
208	uintptr_t uNtDllAddr;
209
210	/** The requested operation (set by the child). */
211	SUPR3WINCHILDREQ enmRequest;
212	/** The last status. */
213	int32_t rc;
214	/** The init operation the error relates to if message, kSupInitOp_Invalid if
215	* not message. */
216	SUPINITOP enmWhat;
217	/** Where if message. */
218	char szWhere[80];
219	/** Error message / path name string space. */
220	char szErrorMsg[16384+1024];
221	} SUPR3WINPROCPARAMS;
222
223
224	/**
225	* Child process data structure for use during child process init setup and
226	* purification.
227	*/
228	typedef struct SUPR3HARDNTCHILD
229	{
230	/** Process handle. */
231	HANDLE hProcess;
232	/** Primary thread handle. */
233	HANDLE hThread;
234	/** Handle to the parent process, if we're the middle (stub) process. */
235	HANDLE hParent;
236	/** The event semaphore the child will be waiting on. */
237	HANDLE hEvtChild;
238	/** The event semaphore the parent will be waiting on. */
239	HANDLE hEvtParent;
240	/** The address of NTDLL in the child. */
241	uintptr_t uNtDllAddr;
242	/** The address of NTDLL in this process. */
243	uintptr_t uNtDllParentAddr;
244	/** Which respawn number this is (1 = stub, 2 = VM). */
245	int iWhich;
246	/** The basic process info. */
247	PROCESS_BASIC_INFORMATION BasicInfo;
248	/** The probable size of the PEB. */
249	size_t cbPeb;
250	/** The pristine process environment block. */
251	PEB Peb;
252	/** The child process parameters. */
253	SUPR3WINPROCPARAMS ProcParams;
254	} SUPR3HARDNTCHILD;
255	/** Pointer to a child process data structure. */
256	typedef SUPR3HARDNTCHILD *PSUPR3HARDNTCHILD;
257
258
259	/*********************************************************************************************************************************
260	* Global Variables *
261	*********************************************************************************************************************************/
262	/** Process parameters. Specified by parent if VM process, see
263	* supR3HardenedVmProcessInit. */
264	static SUPR3WINPROCPARAMS g_ProcParams = { NULL, NULL, 0, (SUPR3WINCHILDREQ)0, 0 };
265	/** Set if supR3HardenedEarlyProcessInit was invoked. */
266	bool g_fSupEarlyProcessInit = false;
267	/** Set if the stub device has been opened (stub process only). */
268	bool g_fSupStubOpened = false;
269
270	/** @name Global variables initialized by suplibHardenedWindowsMain.
271	* @{ */
272	/** Combined windows NT version number. See SUP_MAKE_NT_VER_COMBINED. */
273	uint32_t g_uNtVerCombined = 0;
274	/** Count calls to the special main function for linking santity checks. */
275	static uint32_t volatile g_cSuplibHardenedWindowsMainCalls;
276	/** The UTF-16 windows path to the executable. */
277	RTUTF16 g_wszSupLibHardenedExePath[1024];
278	/** The NT path of the executable. */
279	SUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;
280	/** The NT path of the application binary directory. */
281	SUPSYSROOTDIRBUF g_SupLibHardenedAppBinNtPath;
282	/** The offset into g_SupLibHardenedExeNtPath of the executable name (WCHAR,
283	* not byte). This also gives the length of the exectuable directory path,
284	* including a trailing slash. */
285	static uint32_t g_offSupLibHardenedExeNtName;
286	/** Set if we need to use the LOAD_LIBRARY_SEARCH_USER_DIRS option. */
287	bool g_fSupLibHardenedDllSearchUserDirs = false;
288	/** @} */
289
290	/** @name Hook related variables.
291	* @{ */
292	/** Pointer to the bit of assembly code that will perform the original
293	* NtCreateSection operation. */
294	static NTSTATUS (NTAPI * g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
295	PLARGE_INTEGER, ULONG, ULONG, HANDLE);
296	/** Pointer to the NtCreateSection function in NtDll (for patching purposes). */
297	static uint8_t *g_pbNtCreateSection;
298	/** The patched NtCreateSection bytes (for restoring). */
299	static uint8_t g_abNtCreateSectionPatch[16];
300	/** Pointer to the bit of assembly code that will perform the original
301	* LdrLoadDll operation. */
302	static NTSTATUS (NTAPI * g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
303	/** Pointer to the LdrLoadDll function in NtDll (for patching purposes). */
304	static uint8_t *g_pbLdrLoadDll;
305	/** The patched LdrLoadDll bytes (for restoring). */
306	static uint8_t g_abLdrLoadDllPatch[16];
307
308	/** The hash table of verifier cache . */
309	static PVERIFIERCACHEENTRY volatile g_apVerifierCache[128];
310	/** Queue of cached images which needs WinVerifyTrust to check them. */
311	static PVERIFIERCACHEENTRY volatile g_pVerifierCacheTodoWvt = NULL;
312	/** Queue of cached images which needs their imports checked. */
313	static PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;
314
315	/** The windows path to dir \\SystemRoot\\System32 directory (technically
316	* this whatever \\KnownDlls\\KnownDllPath points to). */
317	SUPSYSROOTDIRBUF g_System32WinPath;
318	/** @ */
319
320	/** Positive if the DLL notification callback has been registered, counts
321	* registration attempts as negative. */
322	static int g_cDllNotificationRegistered = 0;
323	/** The registration cookie of the DLL notification callback. */
324	static PVOID g_pvDllNotificationCookie = NULL;
325
326	/** Static error info structure used during init. */
327	static RTERRINFOSTATIC g_ErrInfoStatic;
328
329	/** In the assembly file. */
330	extern "C" uint8_t g_abSupHardReadWriteExecPage[PAGE_SIZE];
331
332	/** Whether we've patched our own LdrInitializeThunk or not. We do this to
333	* disable thread creation. */
334	static bool g_fSupInitThunkSelfPatched;
335	/** The backup of our own LdrInitializeThunk code, for enabling and disabling
336	* thread creation in this process. */
337	static uint8_t g_abLdrInitThunkSelfBackup[16];
338
339	/** Mask of adversaries that we've detected (SUPHARDNT_ADVERSARY_XXX). */
340	static uint32_t g_fSupAdversaries = 0;
341	/** @name SUPHARDNT_ADVERSARY_XXX - Adversaries
342	* @{ */
343	/** Symantec endpoint protection or similar including SysPlant.sys. */
344	#define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0)
345	/** Symantec Norton 360. */
346	#define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1)
347	/** Avast! */
348	#define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2)
349	/** TrendMicro OfficeScan and probably others. */
350	#define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3)
351	/** TrendMicro potentially buggy sakfile.sys. */
352	#define SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE RT_BIT_32(4)
353	/** McAfee. */
354	#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(5)
355	/** Kaspersky or OEMs of it. */
356	#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(6)
357	/** Malwarebytes Anti-Malware (MBAM). */
358	#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(7)
359	/** AVG Internet Security. */
360	#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(8)
361	/** Panda Security. */
362	#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(9)
363	/** Microsoft Security Essentials. */
364	#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(10)
365	/** Comodo. */
366	#define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(11)
367	/** Check Point's Zone Alarm (may include Kaspersky). */
368	#define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(12)
369	/** Digital guardian, old problematic version. */
370	#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD RT_BIT_32(13)
371	/** Digital guardian, new version. */
372	#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW RT_BIT_32(14)
373	/** Cylance protect or something (from googling, no available sample copy). */
374	#define SUPHARDNT_ADVERSARY_CYLANCE RT_BIT_32(15)
375	/** BeyondTrust / PowerBroker / something (googling, no available sample copy). */
376	#define SUPHARDNT_ADVERSARY_BEYONDTRUST RT_BIT_32(16)
377	/** Avecto / Defendpoint / Privilege Guard (details from support guy, hoping to get sample copy). */
378	#define SUPHARDNT_ADVERSARY_AVECTO RT_BIT_32(17)
379	/** Unknown adversary detected while waiting on child. */
380	#define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31)
381	/** @} */
382
383
384	/*********************************************************************************************************************************
385	* Internal Functions *
386	*********************************************************************************************************************************/
387	static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,
388	bool pfCallRealApi, const char pszCaller, bool fAvoidWinVerifyTrust,
389	bool *pfQuiet);
390	static void supR3HardenedWinRegisterDllNotificationCallback(void);
391	static void supR3HardenedWinReInstallHooks(bool fFirst);
392	DECLASM(void) supR3HardenedEarlyProcessInitThunk(void);
393
394
395	#if 0 /* unused */
396
397	/**
398	* Simple wide char search routine.
399	*
400	* @returns Pointer to the first location of @a wcNeedle in @a pwszHaystack.
401	* NULL if not found.
402	* @param pwszHaystack Pointer to the string that should be searched.
403	* @param wcNeedle The character to search for.
404	*/
405	static PRTUTF16 suplibHardenedWStrChr(PCRTUTF16 pwszHaystack, RTUTF16 wcNeedle)
406	{
407	for (;;)
408	{
409	RTUTF16 wcCur = *pwszHaystack;
410	if (wcCur == wcNeedle)
411	return (PRTUTF16)pwszHaystack;
412	if (wcCur == '\0')
413	return NULL;
414	pwszHaystack++;
415	}
416	}
417
418
419	/**
420	* Simple wide char string length routine.
421	*
422	* @returns The number of characters in the given string. (Excludes the
423	* terminator.)
424	* @param pwsz The string.
425	*/
426	static size_t suplibHardenedWStrLen(PCRTUTF16 pwsz)
427	{
428	PCRTUTF16 pwszCur = pwsz;
429	while (*pwszCur != '\0')
430	pwszCur++;
431	return pwszCur - pwsz;
432	}
433
434	#endif /* unused */
435
436
437	/**
438	* Our version of GetTickCount.
439	* @returns Millisecond timestamp.
440	*/
441	static uint64_t supR3HardenedWinGetMilliTS(void)
442	{
443	PKUSER_SHARED_DATA pUserSharedData = (PKUSER_SHARED_DATA)(uintptr_t)0x7ffe0000;
444
445	/* use interrupt time */
446	LARGE_INTEGER Time;
447	do
448	{
449	Time.HighPart = pUserSharedData->InterruptTime.High1Time;
450	Time.LowPart = pUserSharedData->InterruptTime.LowPart;
451	} while (pUserSharedData->InterruptTime.High2Time != Time.HighPart);
452
453	return (uint64_t)Time.QuadPart / 10000;
454	}
455
456
457
458	/**
459	* Wrapper around LoadLibraryEx that deals with the UTF-8 to UTF-16 conversion
460	* and supplies the right flags.
461	*
462	* @returns Module handle on success, NULL on failure.
463	* @param pszName The full path to the DLL.
464	* @param fSystem32Only Whether to only look for imports in the system32
465	* directory. If set to false, the application
466	* directory is also searched.
467	* @param fMainFlags The main flags (giving the location), if the DLL
468	* being loaded is loaded from the app bin
469	* directory and import other DLLs from there. Pass
470	* 0 (= SUPSECMAIN_FLAGS_LOC_APP_BIN) if not
471	* applicable. Ignored if @a fSystem32Only is set.
472	*
473	* This is only needed to load VBoxRT.dll when
474	* executing a testcase from the testcase/ subdir.
475	*/
476	DECLHIDDEN(void ) supR3HardenedWinLoadLibrary(const char pszName, bool fSystem32Only, uint32_t fMainFlags)
477	{
478	WCHAR wszPath[RTPATH_MAX];
479	PRTUTF16 pwszPath = wszPath;
480	int rc = RTStrToUtf16Ex(pszName, RTSTR_MAX, &pwszPath, RT_ELEMENTS(wszPath), NULL);
481	if (RT_SUCCESS(rc))
482	{
483	while (*pwszPath)
484	{
485	if (*pwszPath == '/')
486	*pwszPath = '\\';
487	pwszPath++;
488	}
489
490	DWORD fFlags = 0;
491	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))
492	{
493	fFlags \|= LOAD_LIBRARY_SEARCH_SYSTEM32;
494	if (!fSystem32Only)
495	{
496	fFlags \|= LOAD_LIBRARY_SEARCH_APPLICATION_DIR;
497	if (g_fSupLibHardenedDllSearchUserDirs)
498	fFlags \|= LOAD_LIBRARY_SEARCH_USER_DIRS;
499	if ((fMainFlags & SUPSECMAIN_FLAGS_LOC_MASK) != SUPSECMAIN_FLAGS_LOC_APP_BIN)
500	fFlags \|= LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
501	}
502	}
503
504	void pvRet = (void )LoadLibraryExW(wszPath, NULL /hFile/, fFlags);
505
506	/* Vista, W7, W2K8R might not work without KB2533623, so retry with no flags. */
507	if ( !pvRet
508	&& fFlags
509	&& g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)
510	&& RtlGetLastWin32Error() == ERROR_INVALID_PARAMETER)
511	pvRet = (void )LoadLibraryExW(wszPath, NULL /hFile*/, 0);
512
513	return pvRet;
514	}
515	supR3HardenedFatal("RTStrToUtf16Ex failed on '%s': %Rrc", pszName, rc);
516	/* not reached */
517	}
518
519
520	/**
521	* Gets the internal index number of the file.
522	*
523	* @returns True if we got an index number, false if not.
524	* @param hFile The file in question.
525	* @param pIndexNumber where to return the index number.
526	*/
527	static bool supR3HardenedWinVerifyCacheGetIndexNumber(HANDLE hFile, PLARGE_INTEGER pIndexNumber)
528	{
529	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
530	NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, pIndexNumber, sizeof(*pIndexNumber), FileInternalInformation);
531	if (NT_SUCCESS(rcNt))
532	rcNt = Ios.Status;
533	#ifdef DEBUG_bird
534	if (!NT_SUCCESS(rcNt))
535	__debugbreak();
536	#endif
537	return NT_SUCCESS(rcNt) && pIndexNumber->QuadPart != 0;
538	}
539
540
541	/**
542	* Calculates the hash value for the given UTF-16 path string.
543	*
544	* @returns Hash value.
545	* @param pUniStr String to hash.
546	*/
547	static uint32_t supR3HardenedWinVerifyCacheHashPath(PCUNICODE_STRING pUniStr)
548	{
549	uint32_t uHash = 0;
550	unsigned cwcLeft = pUniStr->Length / sizeof(WCHAR);
551	PRTUTF16 pwc = pUniStr->Buffer;
552
553	while (cwcLeft-- > 0)
554	{
555	RTUTF16 wc = *pwc++;
556	if (wc < 0x80)
557	wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';
558	uHash = wc + (uHash << 6) + (uHash << 16) - uHash;
559	}
560	return uHash;
561	}
562
563
564	/**
565	* Calculates the hash value for a directory + filename combo as if they were
566	* one single string.
567	*
568	* @returns Hash value.
569	* @param pawcDir The directory name.
570	* @param cwcDir The length of the directory name. RTSTR_MAX if
571	* not available.
572	* @param pszName The import name (UTF-8).
573	*/
574	static uint32_t supR3HardenedWinVerifyCacheHashDirAndFile(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)
575	{
576	uint32_t uHash = 0;
577	while (cwcDir-- > 0)
578	{
579	RTUTF16 wc = *pawcDir++;
580	if (wc < 0x80)
581	wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';
582	uHash = wc + (uHash << 6) + (uHash << 16) - uHash;
583	}
584
585	unsigned char ch = '\\';
586	uHash = ch + (uHash << 6) + (uHash << 16) - uHash;
587
588	while ((ch = *pszName++) != '\0')
589	{
590	ch = RT_C_TO_LOWER(ch);
591	uHash = ch + (uHash << 6) + (uHash << 16) - uHash;
592	}
593
594	return uHash;
595	}
596
597
598	/**
599	* Verify string cache compare function.
600	*
601	* @returns true if the strings match, false if not.
602	* @param pawcLeft The left hand string.
603	* @param pawcRight The right hand string.
604	* @param cwcToCompare The number of chars to compare.
605	*/
606	static bool supR3HardenedWinVerifyCacheIsMatch(PCRTUTF16 pawcLeft, PCRTUTF16 pawcRight, uint32_t cwcToCompare)
607	{
608	/* Try a quick memory compare first. */
609	if (memcmp(pawcLeft, pawcRight, cwcToCompare * sizeof(RTUTF16)) == 0)
610	return true;
611
612	/* Slow char by char compare. */
613	while (cwcToCompare-- > 0)
614	{
615	RTUTF16 wcLeft = *pawcLeft++;
616	RTUTF16 wcRight = *pawcRight++;
617	if (wcLeft != wcRight)
618	{
619	wcLeft = wcLeft != '/' ? RT_C_TO_LOWER(wcLeft) : '\\';
620	wcRight = wcRight != '/' ? RT_C_TO_LOWER(wcRight) : '\\';
621	if (wcLeft != wcRight)
622	return false;
623	}
624	}
625
626	return true;
627	}
628
629
630
631	/**
632	* Inserts the given verifier result into the cache.
633	*
634	* @param pUniStr The full path of the image.
635	* @param hFile The file handle - must either be entered into
636	* the cache or closed.
637	* @param rc The verifier result.
638	* @param fWinVerifyTrust Whether verified by WinVerifyTrust or not.
639	* @param fFlags The image verification flags.
640	*/
641	static void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,
642	bool fWinVerifyTrust, uint32_t fFlags)
643	{
644	/*
645	* Allocate and initalize a new entry.
646	*/
647	PVERIFIERCACHEENTRY pEntry = (PVERIFIERCACHEENTRY)RTMemAllocZ(sizeof(VERIFIERCACHEENTRY) + pUniStr->Length);
648	if (pEntry)
649	{
650	pEntry->pNext = NULL;
651	pEntry->pNextTodoWvt = NULL;
652	pEntry->hFile = hFile;
653	pEntry->uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);
654	pEntry->rc = rc;
655	pEntry->fFlags = fFlags;
656	pEntry->cHits = 0;
657	pEntry->fWinVerifyTrust = fWinVerifyTrust;
658	pEntry->cbPath = pUniStr->Length;
659	memcpy(pEntry->wszPath, pUniStr->Buffer, pUniStr->Length);
660	pEntry->wszPath[pUniStr->Length / sizeof(WCHAR)] = '\0';
661	pEntry->fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &pEntry->IndexNumber);
662
663	/*
664	* Try insert it, careful with concurrent code as well as potential duplicates.
665	*/
666	uint32_t iHashTab = pEntry->uHash % RT_ELEMENTS(g_apVerifierCache);
667	VERIFIERCACHEENTRY * volatile *ppEntry = &g_apVerifierCache[iHashTab];
668	for (;;)
669	{
670	if (ASMAtomicCmpXchgPtr(ppEntry, pEntry, NULL))
671	{
672	if (!fWinVerifyTrust)
673	do
674	pEntry->pNextTodoWvt = g_pVerifierCacheTodoWvt;
675	while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pEntry, pEntry->pNextTodoWvt));
676
677	SUP_DPRINTF(("supR3HardenedWinVerifyCacheInsert: %ls\n", pUniStr->Buffer));
678	return;
679	}
680
681	PVERIFIERCACHEENTRY pOther = *ppEntry;
682	if (!pOther)
683	continue;
684	if ( pOther->uHash == pEntry->uHash
685	&& pOther->cbPath == pEntry->cbPath
686	&& supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath / sizeof(RTUTF16)))
687	break;
688	ppEntry = &pOther->pNext;
689	}
690
691	/* Duplicate entry (may happen due to races). */
692	RTMemFree(pEntry);
693	}
694	NtClose(hFile);
695	}
696
697
698	/**
699	* Looks up an entry in the verifier hash table.
700	*
701	* @return Pointer to the entry on if found, NULL if not.
702	* @param pUniStr The full path of the image.
703	* @param hFile The file handle.
704	*/
705	static PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookup(PCUNICODE_STRING pUniStr, HANDLE hFile)
706	{
707	PRTUTF16 const pwszPath = pUniStr->Buffer;
708	uint16_t const cbPath = pUniStr->Length;
709	uint32_t uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);
710	uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);
711	PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];
712	while (pCur)
713	{
714	if ( pCur->uHash == uHash
715	&& pCur->cbPath == cbPath
716	&& supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pwszPath, cbPath / sizeof(RTUTF16)))
717	{
718
719	if (!pCur->fIndexNumberValid)
720	return pCur;
721	LARGE_INTEGER IndexNumber;
722	bool fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &IndexNumber);
723	if ( fIndexNumberValid
724	&& IndexNumber.QuadPart == pCur->IndexNumber.QuadPart)
725	return pCur;
726	#ifdef DEBUG_bird
727	__debugbreak();
728	#endif
729	}
730	pCur = pCur->pNext;
731	}
732	return NULL;
733	}
734
735
736	/**
737	* Looks up an import DLL in the verifier hash table.
738	*
739	* @return Pointer to the entry on if found, NULL if not.
740	* @param pawcDir The directory name.
741	* @param cwcDir The length of the directory name.
742	* @param pszName The import name (UTF-8).
743	*/
744	static PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookupImport(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)
745	{
746	uint32_t uHash = supR3HardenedWinVerifyCacheHashDirAndFile(pawcDir, cwcDir, pszName);
747	uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);
748	uint32_t const cbPath = (uint32_t)((cwcDir + 1 + strlen(pszName)) * sizeof(RTUTF16));
749	PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];
750	while (pCur)
751	{
752	if ( pCur->uHash == uHash
753	&& pCur->cbPath == cbPath)
754	{
755	if (supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pawcDir, cwcDir))
756	{
757	if (pCur->wszPath[cwcDir] == '\\' \|\| pCur->wszPath[cwcDir] == '/')
758	{
759	if (RTUtf16ICmpAscii(&pCur->wszPath[cwcDir + 1], pszName))
760	{
761	return pCur;
762	}
763	}
764	}
765	}
766
767	pCur = pCur->pNext;
768	}
769	return NULL;
770	}
771
772
773	/**
774	* Schedules the import DLLs for verification and entry into the cache.
775	*
776	* @param hLdrMod The loader module which imports should be
777	* scheduled for verification.
778	* @param pwszName The full NT path of the module.
779	*/
780	DECLHIDDEN(void) supR3HardenedWinVerifyCacheScheduleImports(RTLDRMOD hLdrMod, PCRTUTF16 pwszName)
781	{
782	/*
783	* Any imports?
784	*/
785	uint32_t cImports;
786	int rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_COUNT, NULL /pvBits/, &cImports, sizeof(cImports), NULL);
787	if (RT_SUCCESS(rc))
788	{
789	if (cImports)
790	{
791	/*
792	* Figure out the DLL directory from pwszName.
793	*/
794	PCRTUTF16 pawcDir = pwszName;
795	uint32_t cwcDir = 0;
796	uint32_t i = 0;
797	RTUTF16 wc;
798	while ((wc = pawcDir[i++]) != '\0')
799	if ((wc == '\\' \|\| wc == '/' \|\| wc == ':') && cwcDir + 2 != i)
800	cwcDir = i - 1;
801	if ( g_System32NtPath.UniStr.Length / sizeof(WCHAR) == cwcDir
802	&& supR3HardenedWinVerifyCacheIsMatch(pawcDir, g_System32NtPath.UniStr.Buffer, cwcDir))
803	pawcDir = NULL;
804
805	/*
806	* Enumerate the imports.
807	*/
808	for (i = 0; i < cImports; i++)
809	{
810	union
811	{
812	char szName[256];
813	uint32_t iImport;
814	} uBuf;
815	uBuf.iImport = i;
816	rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_MODULE, NULL /pvBits/, &uBuf, sizeof(uBuf), NULL);
817	if (RT_SUCCESS(rc))
818	{
819	/*
820	* Skip kernel32, ntdll and API set stuff.
821	*/
822	RTStrToLower(uBuf.szName);
823	if ( RTStrCmp(uBuf.szName, "kernel32.dll") == 0
824	\|\| RTStrCmp(uBuf.szName, "kernelbase.dll") == 0
825	\|\| RTStrCmp(uBuf.szName, "ntdll.dll") == 0
826	\|\| RTStrNCmp(uBuf.szName, RT_STR_TUPLE("api-ms-win-")) == 0
827	\|\| RTStrNCmp(uBuf.szName, RT_STR_TUPLE("ext-ms-win-")) == 0
828	)
829	{
830	continue;
831	}
832
833	/*
834	* Skip to the next one if it's already in the cache.
835	*/
836	if (supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,
837	g_System32NtPath.UniStr.Length / sizeof(WCHAR),
838	uBuf.szName) != NULL)
839	{
840	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for system32\n", uBuf.szName));
841	continue;
842	}
843	if (supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedAppBinNtPath.UniStr.Buffer,
844	g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(CHAR),
845	uBuf.szName) != NULL)
846	{
847	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for appdir\n", uBuf.szName));
848	continue;
849	}
850	if (pawcDir && supR3HardenedWinVerifyCacheLookupImport(pawcDir, cwcDir, uBuf.szName) != NULL)
851	{
852	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for dll dir\n", uBuf.szName));
853	continue;
854	}
855
856	/* We could skip already scheduled modules, but that'll require serialization and extra work... */
857
858	/*
859	* Add it to the todo list.
860	*/
861	SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: Import todo: #%u '%s'.\n", i, uBuf.szName));
862	uint32_t cbName = (uint32_t)strlen(uBuf.szName) + 1;
863	uint32_t cbNameAligned = RT_ALIGN_32(cbName, sizeof(RTUTF16));
864	uint32_t cbNeeded = RT_UOFFSETOF_DYN(VERIFIERCACHEIMPORT, szName[cbNameAligned])
865	+ (pawcDir ? (cwcDir + 1) * sizeof(RTUTF16) : 0);
866	PVERIFIERCACHEIMPORT pImport = (PVERIFIERCACHEIMPORT)RTMemAllocZ(cbNeeded);
867	if (pImport)
868	{
869	/* Init it. */
870	memcpy(pImport->szName, uBuf.szName, cbName);
871	if (!pawcDir)
872	{
873	pImport->cwcAltSearchDir = 0;
874	pImport->pwszAltSearchDir = NULL;
875	}
876	else
877	{
878	pImport->cwcAltSearchDir = cwcDir;
879	pImport->pwszAltSearchDir = (PRTUTF16)&pImport->szName[cbNameAligned];
880	memcpy(pImport->pwszAltSearchDir, pawcDir, cwcDir * sizeof(RTUTF16));
881	pImport->pwszAltSearchDir[cwcDir] = '\0';
882	}
883
884	/* Insert it. */
885	do
886	pImport->pNext = g_pVerifierCacheTodoImports;
887	while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoImports, pImport, pImport->pNext));
888	}
889	}
890	else
891	SUP_DPRINTF(("RTLDRPROP_IMPORT_MODULE failed with rc=%Rrc i=%#x on '%ls'\n", rc, i, pwszName));
892	}
893	}
894	else
895	SUP_DPRINTF(("'%ls' has no imports\n", pwszName));
896	}
897	else
898	SUP_DPRINTF(("RTLDRPROP_IMPORT_COUNT failed with rc=%Rrc on '%ls'\n", rc, pwszName));
899	}
900
901
902	/**
903	* Processes the list of import todos.
904	*/
905	static void supR3HardenedWinVerifyCacheProcessImportTodos(void)
906	{
907	/*
908	* Work until we've got nothing more todo.
909	*/
910	for (;;)
911	{
912	PVERIFIERCACHEIMPORT pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoImports, NULL, PVERIFIERCACHEIMPORT);
913	if (!pTodo)
914	break;
915	do
916	{
917	PVERIFIERCACHEIMPORT pCur = pTodo;
918	pTodo = pTodo->pNext;
919
920	/*
921	* Not in the cached already?
922	*/
923	if ( !supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,
924	g_System32NtPath.UniStr.Length / sizeof(WCHAR),
925	pCur->szName)
926	&& !supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedAppBinNtPath.UniStr.Buffer,
927	g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(WCHAR),
928	pCur->szName)
929	&& ( pCur->cwcAltSearchDir == 0
930	\|\| !supR3HardenedWinVerifyCacheLookupImport(pCur->pwszAltSearchDir, pCur->cwcAltSearchDir, pCur->szName)) )
931	{
932	/*
933	* Try locate the imported DLL and open it.
934	*/
935	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Processing '%s'...\n", pCur->szName));
936
937	NTSTATUS rcNt;
938	NTSTATUS rcNtRedir = 0x22222222;
939	HANDLE hFile = INVALID_HANDLE_VALUE;
940	RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. */
941	AssertCompile(sizeof(wszPath) > sizeof(g_System32NtPath));
942
943	/*
944	* Check for DLL isolation / redirection / mapping.
945	*/
946	size_t cwcName = 260;
947	PRTUTF16 pwszName = &wszPath[0];
948	int rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);
949	if (RT_SUCCESS(rc))
950	{
951	UNICODE_STRING UniStrName;
952	UniStrName.Buffer = wszPath;
953	UniStrName.Length = (USHORT)cwcName * sizeof(WCHAR);
954	UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
955
956	UNICODE_STRING UniStrStatic;
957	UniStrStatic.Buffer = &wszPath[cwcName + 1];
958	UniStrStatic.Length = 0;
959	UniStrStatic.MaximumLength = (USHORT)(sizeof(wszPath) - cwcName * sizeof(WCHAR) - sizeof(WCHAR));
960
961	static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");
962	UNICODE_STRING UniStrDynamic = { 0, 0, NULL };
963	PUNICODE_STRING pUniStrResult = NULL;
964
965	rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /fFlags/,
966	&UniStrName,
967	(PUNICODE_STRING)&s_DefaultSuffix,
968	&UniStrStatic,
969	&UniStrDynamic,
970	&pUniStrResult,
971	NULL /pNewFlags/,
972	NULL /pcbFilename/,
973	NULL /pcbNeeded/);
974	if (NT_SUCCESS(rcNtRedir))
975	{
976	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
977	OBJECT_ATTRIBUTES ObjAttr;
978	InitializeObjectAttributes(&ObjAttr, pUniStrResult,
979	OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
980	rcNt = NtCreateFile(&hFile,
981	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
982	&ObjAttr,
983	&Ios,
984	NULL /* Allocation Size*/,
985	FILE_ATTRIBUTE_NORMAL,
986	FILE_SHARE_READ,
987	FILE_OPEN,
988	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
989	NULL /EaBuffer/,
990	0 /EaLength/);
991	if (NT_SUCCESS(rcNt))
992	rcNt = Ios.Status;
993	if (NT_SUCCESS(rcNt))
994	{
995	/* For accurate logging. */
996	size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1);
997	memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16));
998	wszPath[cwcCopy] = '\0';
999	}
1000	else
1001	hFile = INVALID_HANDLE_VALUE;
1002	RtlFreeUnicodeString(&UniStrDynamic);
1003	}
1004	}
1005	else
1006	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #1 failed: %Rrc\n", rc));
1007
1008	/*
1009	* If not something that gets remapped, do the half normal searching we need.
1010	*/
1011	if (hFile == INVALID_HANDLE_VALUE)
1012	{
1013	struct
1014	{
1015	PRTUTF16 pawcDir;
1016	uint32_t cwcDir;
1017	} Tmp, aDirs[] =
1018	{
1019	{ g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR) },
1020	{ g_SupLibHardenedExeNtPath.UniStr.Buffer, g_SupLibHardenedAppBinNtPath.UniStr.Length / sizeof(WCHAR) },
1021	{ pCur->pwszAltSearchDir, pCur->cwcAltSearchDir },
1022	};
1023
1024	/* Search System32 first, unless it's a 'V' or 'm' name, the latter for msvcrt. */
1025	if ( pCur->szName[0] == 'v'
1026	\|\| pCur->szName[0] == 'V'
1027	\|\| pCur->szName[0] == 'm'
1028	\|\| pCur->szName[0] == 'M')
1029	{
1030	Tmp = aDirs[0];
1031	aDirs[0] = aDirs[1];
1032	aDirs[1] = Tmp;
1033	}
1034
1035	for (uint32_t i = 0; i < RT_ELEMENTS(aDirs); i++)
1036	{
1037	if (aDirs[i].pawcDir && aDirs[i].cwcDir && aDirs[i].cwcDir < RT_ELEMENTS(wszPath) / 3 * 2)
1038	{
1039	memcpy(wszPath, aDirs[i].pawcDir, aDirs[i].cwcDir * sizeof(RTUTF16));
1040	uint32_t cwc = aDirs[i].cwcDir;
1041	wszPath[cwc++] = '\\';
1042	cwcName = RT_ELEMENTS(wszPath) - cwc;
1043	pwszName = &wszPath[cwc];
1044	rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);
1045	if (RT_SUCCESS(rc))
1046	{
1047	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1048	UNICODE_STRING NtName;
1049	NtName.Buffer = wszPath;
1050	NtName.Length = (USHORT)((cwc + cwcName) * sizeof(WCHAR));
1051	NtName.MaximumLength = NtName.Length + sizeof(WCHAR);
1052	OBJECT_ATTRIBUTES ObjAttr;
1053	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1054
1055	rcNt = NtCreateFile(&hFile,
1056	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1057	&ObjAttr,
1058	&Ios,
1059	NULL /* Allocation Size*/,
1060	FILE_ATTRIBUTE_NORMAL,
1061	FILE_SHARE_READ,
1062	FILE_OPEN,
1063	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
1064	NULL /EaBuffer/,
1065	0 /EaLength/);
1066	if (NT_SUCCESS(rcNt))
1067	rcNt = Ios.Status;
1068	if (NT_SUCCESS(rcNt))
1069	break;
1070	hFile = INVALID_HANDLE_VALUE;
1071	}
1072	else
1073	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #2 failed: %Rrc\n", rc));
1074	}
1075	}
1076	}
1077
1078	/*
1079	* If we successfully opened it, verify it and cache the result.
1080	*/
1081	if (hFile != INVALID_HANDLE_VALUE)
1082	{
1083	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n",
1084	pCur->szName, wszPath, rcNtRedir));
1085
1086	ULONG fAccess = 0;
1087	ULONG fProtect = 0;
1088	bool fCallRealApi = false;
1089	rcNt = supR3HardenedScreenImage(hFile, true /fImage/, false /fIgnoreArch/, &fAccess, &fProtect,
1090	&fCallRealApi, "Imports", false /fAvoidWinVerifyTrust/, NULL /pfQuiet/);
1091	NtClose(hFile);
1092	}
1093	else
1094	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Failed to locate '%s'\n", pCur->szName));
1095	}
1096	else
1097	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' is in the cache.\n", pCur->szName));
1098
1099	RTMemFree(pCur);
1100	} while (pTodo);
1101	}
1102	}
1103
1104
1105	/**
1106	* Processes the list of WinVerifyTrust todos.
1107	*/
1108	static void supR3HardenedWinVerifyCacheProcessWvtTodos(void)
1109	{
1110	PVERIFIERCACHEENTRY pReschedule = NULL;
1111	PVERIFIERCACHEENTRY volatile *ppReschedLastNext = NULL;
1112
1113	/*
1114	* Work until we've got nothing more todo.
1115	*/
1116	for (;;)
1117	{
1118	if (!supHardenedWinIsWinVerifyTrustCallable())
1119	break;
1120	PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);
1121	if (!pTodo)
1122	break;
1123	do
1124	{
1125	PVERIFIERCACHEENTRY pCur = pTodo;
1126	pTodo = pTodo->pNextTodoWvt;
1127	pCur->pNextTodoWvt = NULL;
1128
1129	if ( !pCur->fWinVerifyTrust
1130	&& RT_SUCCESS(pCur->rc))
1131	{
1132	bool fWinVerifyTrust = false;
1133	int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,
1134	&fWinVerifyTrust, NULL /* pErrInfo*/);
1135	if (RT_FAILURE(rc) \|\| fWinVerifyTrust)
1136	{
1137	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
1138	rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
1139	pCur->fWinVerifyTrust = true;
1140	pCur->rc = rc;
1141	}
1142	else
1143	{
1144	/* Retry it at a later time. */
1145	SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",
1146	rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
1147	if (!pReschedule)
1148	ppReschedLastNext = &pCur->pNextTodoWvt;
1149	pCur->pNextTodoWvt = pReschedule;
1150	}
1151	}
1152	/* else: already processed. */
1153	} while (pTodo);
1154	}
1155
1156	/*
1157	* Anything to reschedule.
1158	*/
1159	if (pReschedule)
1160	{
1161	do
1162	*ppReschedLastNext = g_pVerifierCacheTodoWvt;
1163	while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));
1164	}
1165	}
1166
1167
1168	/**
1169	* Translates VBox status code (from supHardenedWinVerifyImageTrust) to an NT
1170	* status.
1171	*
1172	* @returns NT status.
1173	* @param rc VBox status code.
1174	*/
1175	static NTSTATUS supR3HardenedScreenImageCalcStatus(int rc)
1176	{
1177	/* This seems to be what LdrLoadDll returns when loading a 32-bit DLL into
1178	a 64-bit process. At least here on windows 10 (2015-11-xx).
1179
1180	NtCreateSection probably returns something different, possibly a warning,
1181	we currently don't distinguish between the too, so we stick with the
1182	LdrLoadDll one as it's definitely an error.*/
1183	if (rc == VERR_LDR_ARCH_MISMATCH)
1184	return STATUS_INVALID_IMAGE_FORMAT;
1185
1186	return STATUS_TRUST_FAILURE;
1187	}
1188
1189
1190	/**
1191	* Screens an image file or file mapped with execute access.
1192	*
1193	* @returns NT status code.
1194	* @param hFile The file handle.
1195	* @param fImage Set if image file mapping being made
1196	* (NtCreateSection thing).
1197	* @param fIgnoreArch Using the DONT_RESOLVE_DLL_REFERENCES flag,
1198	* which also implies that DLL init / term code
1199	* isn't called, so the architecture should be
1200	* ignored.
1201	* @param pfAccess Pointer to the NtCreateSection access flags,
1202	* so we can modify them if necessary.
1203	* @param pfProtect Pointer to the NtCreateSection protection
1204	* flags, so we can modify them if necessary.
1205	* @param pfCallRealApi Whether it's ok to go on to the real API.
1206	* @param pszCaller Who is calling (for debugging / logging).
1207	* @param fAvoidWinVerifyTrust Whether we should avoid WinVerifyTrust.
1208	* @param pfQuiet Where to return whether to be quiet about
1209	* this image in the log (i.e. we've seen it
1210	* lots of times already). Optional.
1211	*/
1212	static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,
1213	bool pfCallRealApi, const char pszCaller, bool fAvoidWinVerifyTrust, bool *pfQuiet)
1214	{
1215	*pfCallRealApi = false;
1216	if (pfQuiet)
1217	*pfQuiet = false;
1218
1219	/*
1220	* Query the name of the file, making sure to zero terminator the
1221	* string. (2nd half of buffer is used for error info, see below.)
1222	*/
1223	union
1224	{
1225	UNICODE_STRING UniStr;
1226	uint8_t abBuffer[sizeof(UNICODE_STRING) + 2048 * sizeof(WCHAR)];
1227	} uBuf;
1228	RT_ZERO(uBuf);
1229	ULONG cbNameBuf;
1230	NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR) - 128, &cbNameBuf);
1231	if (!NT_SUCCESS(rcNt))
1232	{
1233	supR3HardenedError(VINF_SUCCESS, false,
1234	"supR3HardenedScreenImage/%s: NtQueryObject -> %#x (fImage=%d fProtect=%#x fAccess=%#x)\n",
1235	pszCaller, fImage, pfProtect, pfAccess);
1236	return rcNt;
1237	}
1238
1239	if (!RTNtPathFindPossible8dot3Name(uBuf.UniStr.Buffer))
1240	cbNameBuf += sizeof(WCHAR);
1241	else
1242	{
1243	uBuf.UniStr.MaximumLength = sizeof(uBuf) - 128;
1244	RTNtPathExpand8dot3Path(&uBuf.UniStr, true /fPathOnly/);
1245	cbNameBuf = (uintptr_t)uBuf.UniStr.Buffer + uBuf.UniStr.Length + sizeof(WCHAR) - (uintptr_t)&uBuf.abBuffer[0];
1246	}
1247
1248	/*
1249	* Check the cache.
1250	*/
1251	PVERIFIERCACHEENTRY pCacheHit = supR3HardenedWinVerifyCacheLookup(&uBuf.UniStr, hFile);
1252	if (pCacheHit)
1253	{
1254	/* Do hit accounting and figure whether we need to be quiet or not. */
1255	uint32_t cHits = ASMAtomicIncU32(&pCacheHit->cHits);
1256	bool const fQuiet = cHits >= 8 && !RT_IS_POWER_OF_TWO(cHits);
1257	if (pfQuiet)
1258	*pfQuiet = fQuiet;
1259
1260	/* If we haven't done the WinVerifyTrust thing, do it if we can. */
1261	if ( !pCacheHit->fWinVerifyTrust
1262	&& RT_SUCCESS(pCacheHit->rc)
1263	&& supHardenedWinIsWinVerifyTrustCallable() )
1264	{
1265	if (!fAvoidWinVerifyTrust)
1266	{
1267	SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [redoing WinVerifyTrust]\n",
1268	pszCaller, pCacheHit->rc, pCacheHit->wszPath));
1269
1270	bool fWinVerifyTrust = false;
1271	int rc = supHardenedWinVerifyImageTrust(pCacheHit->hFile, pCacheHit->wszPath, pCacheHit->fFlags, pCacheHit->rc,
1272	&fWinVerifyTrust, NULL /* pErrInfo*/);
1273	if (RT_FAILURE(rc) \|\| fWinVerifyTrust)
1274	{
1275	SUP_DPRINTF(("supR3HardenedScreenImage/%s: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
1276	pszCaller, rc, pCacheHit->rc, fWinVerifyTrust, pCacheHit->wszPath));
1277	pCacheHit->fWinVerifyTrust = true;
1278	pCacheHit->rc = rc;
1279	}
1280	else
1281	SUP_DPRINTF(("supR3HardenedScreenImage/%s: WinVerifyTrust not available, rescheduling %ls\n",
1282	pszCaller, pCacheHit->wszPath));
1283	}
1284	else
1285	SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [avoiding WinVerifyTrust]\n",
1286	pszCaller, pCacheHit->rc, pCacheHit->wszPath));
1287	}
1288	else if (!fQuiet \|\| !pCacheHit->fWinVerifyTrust)
1289	SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls%s\n",
1290	pszCaller, pCacheHit->rc, pCacheHit->wszPath, pCacheHit->fWinVerifyTrust ? "" : " [lacks WinVerifyTrust]"));
1291
1292	/* Return the cached value. */
1293	if (RT_SUCCESS(pCacheHit->rc))
1294	{
1295	*pfCallRealApi = true;
1296	return STATUS_SUCCESS;
1297	}
1298
1299	if (!fQuiet)
1300	supR3HardenedError(VINF_SUCCESS, false,
1301	"supR3HardenedScreenImage/%s: cached rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x cHits=%u %ls\n",
1302	pszCaller, pCacheHit->rc, fImage, pfProtect, pfAccess, cHits, uBuf.UniStr.Buffer);
1303	return supR3HardenedScreenImageCalcStatus(pCacheHit->rc);
1304	}
1305
1306	/*
1307	* On XP the loader might hand us handles with just FILE_EXECUTE and
1308	* SYNCHRONIZE, the means reading will fail later on. Also, we need
1309	* READ_CONTROL access to check the file ownership later on, and non
1310	* of the OS versions seems be giving us that. So, in effect we
1311	* more or less always reopen the file here.
1312	*/
1313	HANDLE hMyFile = NULL;
1314	rcNt = NtDuplicateObject(NtCurrentProcess(), hFile, NtCurrentProcess(),
1315	&hMyFile,
1316	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1317	0 /* Handle attributes/, 0 / Options */);
1318	if (!NT_SUCCESS(rcNt))
1319	{
1320	if (rcNt == STATUS_ACCESS_DENIED)
1321	{
1322	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1323	OBJECT_ATTRIBUTES ObjAttr;
1324	InitializeObjectAttributes(&ObjAttr, &uBuf.UniStr, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1325
1326	rcNt = NtCreateFile(&hMyFile,
1327	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1328	&ObjAttr,
1329	&Ios,
1330	NULL /* Allocation Size*/,
1331	FILE_ATTRIBUTE_NORMAL,
1332	FILE_SHARE_READ,
1333	FILE_OPEN,
1334	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
1335	NULL /EaBuffer/,
1336	0 /EaLength/);
1337	if (NT_SUCCESS(rcNt))
1338	rcNt = Ios.Status;
1339	if (!NT_SUCCESS(rcNt))
1340	{
1341	supR3HardenedError(VINF_SUCCESS, false,
1342	"supR3HardenedScreenImage/%s: Failed to duplicate and open the file: rcNt=%#x hFile=%p %ls\n",
1343	pszCaller, rcNt, hFile, uBuf.UniStr.Buffer);
1344	return rcNt;
1345	}
1346
1347	/* Check that we've got the same file. */
1348	LARGE_INTEGER idMyFile, idInFile;
1349	bool fMyValid = supR3HardenedWinVerifyCacheGetIndexNumber(hMyFile, &idMyFile);
1350	bool fInValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &idInFile);
1351	if ( fMyValid
1352	&& ( fMyValid != fInValid
1353	\|\| idMyFile.QuadPart != idInFile.QuadPart))
1354	{
1355	supR3HardenedError(VINF_SUCCESS, false,
1356	"supR3HardenedScreenImage/%s: Re-opened has different ID that input: %#llx vx %#llx (%ls)\n",
1357	pszCaller, rcNt, idMyFile.QuadPart, idInFile.QuadPart, uBuf.UniStr.Buffer);
1358	NtClose(hMyFile);
1359	return STATUS_TRUST_FAILURE;
1360	}
1361	}
1362	else
1363	{
1364	SUP_DPRINTF(("supR3HardenedScreenImage/%s: NtDuplicateObject -> %#x\n", pszCaller, rcNt));
1365	#ifdef DEBUG
1366
1367	supR3HardenedError(VINF_SUCCESS, false,
1368	"supR3HardenedScreenImage/%s: NtDuplicateObject(,%#x,) failed: %#x\n", pszCaller, hFile, rcNt);
1369	#endif
1370	hMyFile = hFile;
1371	}
1372	}
1373
1374	/*
1375	* Special Kludge for Windows XP and W2K3 and their stupid attempts
1376	* at mapping a hidden XML file called c:\Windows\WindowsShell.Manifest
1377	* with executable access. The image bit isn't set, fortunately.
1378	*/
1379	if ( !fImage
1380	&& uBuf.UniStr.Length > g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)
1381	&& memcmp(uBuf.UniStr.Buffer, g_System32NtPath.UniStr.Buffer,
1382	g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)) == 0)
1383	{
1384	PRTUTF16 pwszName = &uBuf.UniStr.Buffer[(g_System32NtPath.UniStr.Length - sizeof(L"System32") + sizeof(WCHAR)) / sizeof(WCHAR)];
1385	if (RTUtf16ICmpAscii(pwszName, "WindowsShell.Manifest") == 0)
1386	{
1387	/*
1388	* Drop all executable access to the mapping and let it continue.
1389	*/
1390	SUP_DPRINTF(("supR3HardenedScreenImage/%s: Applying the drop-exec-kludge for '%ls'\n", pszCaller, uBuf.UniStr.Buffer));
1391	if (*pfAccess & SECTION_MAP_EXECUTE)
1392	pfAccess = (pfAccess & ~SECTION_MAP_EXECUTE) \| SECTION_MAP_READ;
1393	if (*pfProtect & PAGE_EXECUTE)
1394	pfProtect = (pfProtect & ~PAGE_EXECUTE) \| PAGE_READONLY;
1395	pfProtect = (pfProtect & ~UINT32_C(0xf0)) \| ((*pfProtect & UINT32_C(0xe0)) >> 4);
1396	if (hMyFile != hFile)
1397	NtClose(hMyFile);
1398	*pfCallRealApi = true;
1399	return STATUS_SUCCESS;
1400	}
1401	}
1402
1403	#ifndef VBOX_PERMIT_EVEN_MORE
1404	/*
1405	* Check the path. We don't allow DLLs to be loaded from just anywhere:
1406	* 1. System32 - normal code or cat signing, owner TrustedInstaller.
1407	* 2. WinSxS - normal code or cat signing, owner TrustedInstaller.
1408	* 3. VirtualBox - kernel code signing and integrity checks.
1409	* 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller.
1410	* 5. Program Files - normal code or cat signing, owner TrustedInstaller.
1411	* 6. Common Files - normal code or cat signing, owner TrustedInstaller.
1412	* 7. x86 variations of 4 & 5 - ditto.
1413	*/
1414	uint32_t fFlags = 0;
1415	if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_System32NtPath.UniStr, true /fCheckSlash/))
1416	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1417	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /fCheckSlash/))
1418	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1419	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /fCheckSlash/))
1420	fFlags \|= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING \| SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
1421	# ifdef VBOX_PERMIT_MORE
1422	else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
1423	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1424	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /fCheckSlash/))
1425	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1426	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /fCheckSlash/))
1427	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1428	# ifdef RT_ARCH_AMD64
1429	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /fCheckSlash/))
1430	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1431	else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /fCheckSlash/))
1432	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1433	# endif
1434	# endif
1435	# ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
1436	/* Hack to allow profiling our code with Visual Studio. */
1437	else if ( uBuf.UniStr.Length > sizeof(L"\\SamplingRuntime.dll")
1438	&& memcmp(uBuf.UniStr.Buffer + (uBuf.UniStr.Length - sizeof(L"\\SamplingRuntime.dll") + sizeof(WCHAR)) / sizeof(WCHAR),
1439	L"\\SamplingRuntime.dll", sizeof(L"\\SamplingRuntime.dll") - sizeof(WCHAR)) == 0 )
1440	{
1441	if (hMyFile != hFile)
1442	NtClose(hMyFile);
1443	*pfCallRealApi = true;
1444	return STATUS_SUCCESS;
1445	}
1446	# endif
1447	else
1448	{
1449	supR3HardenedError(VINF_SUCCESS, false,
1450	"supR3HardenedScreenImage/%s: Not a trusted location: '%ls' (fImage=%d fProtect=%#x fAccess=%#x)\n",
1451	pszCaller, uBuf.UniStr.Buffer, fImage, pfAccess, pfProtect);
1452	if (hMyFile != hFile)
1453	NtClose(hMyFile);
1454	return STATUS_TRUST_FAILURE;
1455	}
1456
1457	#else /* VBOX_PERMIT_EVEN_MORE */
1458	/*
1459	* Require trusted installer + some kind of signature on everything, except
1460	* for the VBox bits where we require kernel code signing and special
1461	* integrity checks.
1462	*/
1463	uint32_t fFlags = 0;
1464	if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /fCheckSlash/))
1465	fFlags \|= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING \| SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
1466	else
1467	fFlags \|= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION \| SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
1468	#endif /* VBOX_PERMIT_EVEN_MORE */
1469
1470	/*
1471	* Do the verification. For better error message we borrow what's
1472	* left of the path buffer for an RTERRINFO buffer.
1473	*/
1474	if (fIgnoreArch)
1475	fFlags \|= SUPHNTVI_F_IGNORE_ARCHITECTURE;
1476	RTERRINFO ErrInfo;
1477	RTErrInfoInit(&ErrInfo, (char *)&uBuf.abBuffer[cbNameBuf], sizeof(uBuf) - cbNameBuf);
1478
1479	int rc;
1480	bool fWinVerifyTrust = false;
1481	rc = supHardenedWinVerifyImageByHandle(hMyFile, uBuf.UniStr.Buffer, fFlags, fAvoidWinVerifyTrust, &fWinVerifyTrust, &ErrInfo);
1482	if (RT_FAILURE(rc))
1483	{
1484	supR3HardenedError(VINF_SUCCESS, false,
1485	"supR3HardenedScreenImage/%s: rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x %ls: %s\n",
1486	pszCaller, rc, fImage, pfAccess, pfProtect, uBuf.UniStr.Buffer, ErrInfo.pszMsg);
1487	if (hMyFile != hFile)
1488	supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
1489	return supR3HardenedScreenImageCalcStatus(rc);
1490	}
1491
1492	/*
1493	* Insert into the cache.
1494	*/
1495	if (hMyFile != hFile)
1496	supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
1497
1498	*pfCallRealApi = true;
1499	return STATUS_SUCCESS;
1500	}
1501
1502
1503	/**
1504	* Preloads a file into the verify cache if possible.
1505	*
1506	* This is used to avoid known cyclic LoadLibrary issues with WinVerifyTrust.
1507	*
1508	* @param pwszName The name of the DLL to verify.
1509	*/
1510	DECLHIDDEN(void) supR3HardenedWinVerifyCachePreload(PCRTUTF16 pwszName)
1511	{
1512	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
1513	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1514
1515	UNICODE_STRING UniStr;
1516	UniStr.Buffer = (PWCHAR)pwszName;
1517	UniStr.Length = (USHORT)(RTUtf16Len(pwszName) * sizeof(WCHAR));
1518	UniStr.MaximumLength = UniStr.Length + sizeof(WCHAR);
1519
1520	OBJECT_ATTRIBUTES ObjAttr;
1521	InitializeObjectAttributes(&ObjAttr, &UniStr, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1522
1523	NTSTATUS rcNt = NtCreateFile(&hFile,
1524	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
1525	&ObjAttr,
1526	&Ios,
1527	NULL /* Allocation Size*/,
1528	FILE_ATTRIBUTE_NORMAL,
1529	FILE_SHARE_READ,
1530	FILE_OPEN,
1531	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
1532	NULL /EaBuffer/,
1533	0 /EaLength/);
1534	if (NT_SUCCESS(rcNt))
1535	rcNt = Ios.Status;
1536	if (!NT_SUCCESS(rcNt))
1537	{
1538	SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: Error %#x opening '%ls'.\n", rcNt, pwszName));
1539	return;
1540	}
1541
1542	ULONG fAccess = 0;
1543	ULONG fProtect = 0;
1544	bool fCallRealApi;
1545	//SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: scanning %ls\n", pwszName));
1546	supR3HardenedScreenImage(hFile, false, false /fIgnoreArch/, &fAccess, &fProtect, &fCallRealApi, "preload",
1547	false /fAvoidWinVerifyTrust/, NULL /pfQuiet/);
1548	//SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: done %ls\n", pwszName));
1549
1550	NtClose(hFile);
1551	}
1552
1553
1554
1555	/**
1556	* Hook that monitors NtCreateSection calls.
1557	*
1558	* @returns NT status code.
1559	* @param phSection Where to return the section handle.
1560	* @param fAccess The desired access.
1561	* @param pObjAttribs The object attributes (optional).
1562	* @param pcbSection The section size (optional).
1563	* @param fProtect The max section protection.
1564	* @param fAttribs The section attributes.
1565	* @param hFile The file to create a section from (optional).
1566	*/
1567	static NTSTATUS NTAPI
1568	supR3HardenedMonitor_NtCreateSection(PHANDLE phSection, ACCESS_MASK fAccess, POBJECT_ATTRIBUTES pObjAttribs,
1569	PLARGE_INTEGER pcbSection, ULONG fProtect, ULONG fAttribs, HANDLE hFile)
1570	{
1571	bool fNeedUncChecking = false;
1572	if ( hFile != NULL
1573	&& hFile != INVALID_HANDLE_VALUE)
1574	{
1575	bool const fImage = RT_BOOL(fAttribs & (SEC_IMAGE \| SEC_PROTECTED_IMAGE));
1576	bool const fExecMap = RT_BOOL(fAccess & SECTION_MAP_EXECUTE);
1577	bool const fExecProt = RT_BOOL(fProtect & (PAGE_EXECUTE \| PAGE_EXECUTE_READ \| PAGE_EXECUTE_WRITECOPY
1578	\| PAGE_EXECUTE_READWRITE));
1579	if (fImage \|\| fExecMap \|\| fExecProt)
1580	{
1581	fNeedUncChecking = true;
1582	DWORD dwSavedLastError = RtlGetLastWin32Error();
1583
1584	bool fCallRealApi;
1585	//SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 1\n"));
1586	NTSTATUS rcNt = supR3HardenedScreenImage(hFile, fImage, true /fIgnoreArch/, &fAccess, &fProtect, &fCallRealApi,
1587	"NtCreateSection", true /fAvoidWinVerifyTrust/, NULL /pfQuiet/);
1588	//SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 2 rcNt=%#x fCallRealApi=%#x\n", rcNt, fCallRealApi));
1589
1590	RtlRestoreLastWin32Error(dwSavedLastError);
1591
1592	if (!NT_SUCCESS(rcNt))
1593	return rcNt;
1594	Assert(fCallRealApi);
1595	if (!fCallRealApi)
1596	return STATUS_TRUST_FAILURE;
1597
1598	}
1599	}
1600
1601	/*
1602	* Call checked out OK, call the original.
1603	*/
1604	NTSTATUS rcNtReal = g_pfnNtCreateSectionReal(phSection, fAccess, pObjAttribs, pcbSection, fProtect, fAttribs, hFile);
1605
1606	/*
1607	* Check that the image that got mapped bear some resemblance to the one that was
1608	* requested. Apparently there are ways to trick the NT cache manager to map a
1609	* file different from hFile into memory using local UNC accesses.
1610	*/
1611	if ( NT_SUCCESS(rcNtReal)
1612	&& fNeedUncChecking)
1613	{
1614	DWORD dwSavedLastError = RtlGetLastWin32Error();
1615
1616	bool fOkay = false;
1617
1618	/* To get the name of the file backing the section, we unfortunately have to map it. */
1619	SIZE_T cbView = 0;
1620	PVOID pvTmpMap = NULL;
1621	NTSTATUS rcNt = NtMapViewOfSection(phSection, NtCurrentProcess(), &pvTmpMap, 0, 0, NULL /poffSection*/, &cbView,
1622	ViewUnmap, MEM_TOP_DOWN, PAGE_EXECUTE);
1623	if (NT_SUCCESS(rcNt))
1624	{
1625	/* Query the name. */
1626	union
1627	{
1628	UNICODE_STRING UniStr;
1629	RTUTF16 awcBuf[512];
1630	} uBuf;
1631	RT_ZERO(uBuf);
1632	SIZE_T cbActual = 0;
1633	NTSTATUS rcNtQuery = NtQueryVirtualMemory(NtCurrentProcess(), pvTmpMap, MemorySectionName,
1634	&uBuf, sizeof(uBuf) - sizeof(RTUTF16), &cbActual);
1635
1636	/* Unmap the view. */
1637	rcNt = NtUnmapViewOfSection(NtCurrentProcess(), pvTmpMap);
1638	if (!NT_SUCCESS(rcNt))
1639	SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtUnmapViewOfSection failed on %p (hSection=%p, hFile=%p) with %#x!\n",
1640	pvTmpMap, *phSection, hFile, rcNt));
1641
1642	/* Process the name query result. */
1643	if (NT_SUCCESS(rcNtQuery))
1644	{
1645	static UNICODE_STRING const s_UncPrefix = RTNT_CONSTANT_UNISTR(L"\\Device\\Mup");
1646	if (!supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &s_UncPrefix, true /fCheckSlash/))
1647	fOkay = true;
1648	else
1649	supR3HardenedError(VINF_SUCCESS, false,
1650	"supR3HardenedMonitor_NtCreateSection: Image section with UNC path is not trusted: '%.*ls'\n",
1651	uBuf.UniStr.Length / sizeof(RTUTF16), uBuf.UniStr.Buffer);
1652	}
1653	else
1654	SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtQueryVirtualMemory failed on %p (hFile=%p) with %#x -> STATUS_TRUST_FAILURE\n",
1655	*phSection, hFile, rcNt));
1656	}
1657	else
1658	SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtMapViewOfSection failed on %p (hFile=%p) with %#x -> STATUS_TRUST_FAILURE\n",
1659	*phSection, hFile, rcNt));
1660	if (!fOkay)
1661	{
1662	NtClose(*phSection);
1663	*phSection = INVALID_HANDLE_VALUE;
1664	RtlRestoreLastWin32Error(dwSavedLastError);
1665	return STATUS_TRUST_FAILURE;
1666	}
1667
1668	RtlRestoreLastWin32Error(dwSavedLastError);
1669	}
1670	return rcNtReal;
1671	}
1672
1673
1674	/**
1675	* Checks if the given name is a valid ApiSet name.
1676	*
1677	* This is only called on likely looking names.
1678	*
1679	* @returns true if ApiSet name, false if not.
1680	* @param pName The name to check out.
1681	*/
1682	static bool supR3HardenedIsApiSetDll(PUNICODE_STRING pName)
1683	{
1684	/*
1685	* API added in Windows 8, or so they say.
1686	*/
1687	if (ApiSetQueryApiSetPresence != NULL)
1688	{
1689	BOOLEAN fPresent = FALSE;
1690	NTSTATUS rcNt = ApiSetQueryApiSetPresence(pName, &fPresent);
1691	SUP_DPRINTF(("supR3HardenedIsApiSetDll: ApiSetQueryApiSetPresence(%.*ls) -> %#x, fPresent=%d\n",
1692	pName->Length / sizeof(WCHAR), pName->Buffer, rcNt, fPresent));
1693	return fPresent != 0;
1694	}
1695
1696	/*
1697	* Fallback needed for Windows 7. Fortunately, there aren't too many fake DLLs here.
1698	*/
1699	if ( g_uNtVerCombined >= SUP_NT_VER_W70
1700	&& ( supHardViUtf16PathStartsWithEx(pName->Buffer, pName->Length / sizeof(WCHAR),
1701	L"api-ms-win-", 11, false /fCheckSlash/)
1702	\|\| supHardViUtf16PathStartsWithEx(pName->Buffer, pName->Length / sizeof(WCHAR),
1703	L"ext-ms-win-", 11, false /fCheckSlash/) ))
1704	{
1705	#define MY_ENTRY(a) { a, sizeof(a) - 1 }
1706	static const struct { const char *psz; size_t cch; } s_aKnownSets[] =
1707	{
1708	MY_ENTRY("api-ms-win-core-console-l1-1-0 "),
1709	MY_ENTRY("api-ms-win-core-datetime-l1-1-0"),
1710	MY_ENTRY("api-ms-win-core-debug-l1-1-0"),
1711	MY_ENTRY("api-ms-win-core-delayload-l1-1-0"),
1712	MY_ENTRY("api-ms-win-core-errorhandling-l1-1-0"),
1713	MY_ENTRY("api-ms-win-core-fibers-l1-1-0"),
1714	MY_ENTRY("api-ms-win-core-file-l1-1-0"),
1715	MY_ENTRY("api-ms-win-core-handle-l1-1-0"),
1716	MY_ENTRY("api-ms-win-core-heap-l1-1-0"),
1717	MY_ENTRY("api-ms-win-core-interlocked-l1-1-0"),
1718	MY_ENTRY("api-ms-win-core-io-l1-1-0"),
1719	MY_ENTRY("api-ms-win-core-libraryloader-l1-1-0"),
1720	MY_ENTRY("api-ms-win-core-localization-l1-1-0"),
1721	MY_ENTRY("api-ms-win-core-localregistry-l1-1-0"),
1722	MY_ENTRY("api-ms-win-core-memory-l1-1-0"),
1723	MY_ENTRY("api-ms-win-core-misc-l1-1-0"),
1724	MY_ENTRY("api-ms-win-core-namedpipe-l1-1-0"),
1725	MY_ENTRY("api-ms-win-core-processenvironment-l1-1-0"),
1726	MY_ENTRY("api-ms-win-core-processthreads-l1-1-0"),
1727	MY_ENTRY("api-ms-win-core-profile-l1-1-0"),
1728	MY_ENTRY("api-ms-win-core-rtlsupport-l1-1-0"),
1729	MY_ENTRY("api-ms-win-core-string-l1-1-0"),
1730	MY_ENTRY("api-ms-win-core-synch-l1-1-0"),
1731	MY_ENTRY("api-ms-win-core-sysinfo-l1-1-0"),
1732	MY_ENTRY("api-ms-win-core-threadpool-l1-1-0"),
1733	MY_ENTRY("api-ms-win-core-ums-l1-1-0"),
1734	MY_ENTRY("api-ms-win-core-util-l1-1-0"),
1735	MY_ENTRY("api-ms-win-core-xstate-l1-1-0"),
1736	MY_ENTRY("api-ms-win-security-base-l1-1-0"),
1737	MY_ENTRY("api-ms-win-security-lsalookup-l1-1-0"),
1738	MY_ENTRY("api-ms-win-security-sddl-l1-1-0"),
1739	MY_ENTRY("api-ms-win-service-core-l1-1-0"),
1740	MY_ENTRY("api-ms-win-service-management-l1-1-0"),
1741	MY_ENTRY("api-ms-win-service-management-l2-1-0"),
1742	MY_ENTRY("api-ms-win-service-winsvc-l1-1-0"),
1743	};
1744	#undef MY_ENTRY
1745
1746	/* drop the dll suffix if present. */
1747	PCRTUTF16 pawcName = pName->Buffer;
1748	size_t cwcName = pName->Length / sizeof(WCHAR);
1749	if ( cwcName > 5
1750	&& (pawcName[cwcName - 1] == 'l' \|\| pawcName[cwcName - 1] == 'L')
1751	&& (pawcName[cwcName - 2] == 'l' \|\| pawcName[cwcName - 2] == 'L')
1752	&& (pawcName[cwcName - 3] == 'd' \|\| pawcName[cwcName - 3] == 'D')
1753	&& pawcName[cwcName - 4] == '.')
1754	cwcName -= 4;
1755
1756	/* Search the table. */
1757	for (size_t i = 0; i < RT_ELEMENTS(s_aKnownSets); i++)
1758	if ( cwcName == s_aKnownSets[i].cch
1759	&& RTUtf16NICmpAscii(pawcName, s_aKnownSets[i].psz, cwcName) == 0)
1760	{
1761	SUP_DPRINTF(("supR3HardenedIsApiSetDll: '%.*ls' -> true\n", pName->Length / sizeof(WCHAR)));
1762	return true;
1763	}
1764
1765	SUP_DPRINTF(("supR3HardenedIsApiSetDll: Warning! '%.*ls' looks like an API set, but it's not in the list!\n",
1766	pName->Length / sizeof(WCHAR), pName->Buffer));
1767	}
1768
1769	SUP_DPRINTF(("supR3HardenedIsApiSetDll: '%.*ls' -> false\n", pName->Length / sizeof(WCHAR)));
1770	return false;
1771	}
1772
1773
1774	/**
1775	* Checks whether the given unicode string contains a path separator and at
1776	* least one dash.
1777	*
1778	* This is used to check for likely ApiSet name. So far, all the pseudo DLL
1779	* names include multiple dashes, so we use that as a criteria for recognizing
1780	* them. By happy coincident, most regular DLLs doesn't include dashes.
1781	*
1782	* @returns true if it contains path separator, false if only a name.
1783	* @param pPath The path to check.
1784	*/
1785	static bool supR3HardenedHasDashButNoPath(PUNICODE_STRING pPath)
1786	{
1787	size_t cDashes = 0;
1788	size_t cwcLeft = pPath->Length / sizeof(WCHAR);
1789	PCRTUTF16 pwc = pPath->Buffer;
1790	while (cwcLeft-- > 0)
1791	{
1792	RTUTF16 wc = *pwc++;
1793	switch (wc)
1794	{
1795	default:
1796	break;
1797
1798	case '-':
1799	cDashes++;
1800	break;
1801
1802	case '\\':
1803	case '/':
1804	case ':':
1805	return false;
1806	}
1807	}
1808	return cDashes > 0;
1809	}
1810
1811
1812	/**
1813	* Helper for supR3HardenedMonitor_LdrLoadDll.
1814	*
1815	* @returns NT status code.
1816	* @param pwszPath The path destination buffer.
1817	* @param cwcPath The size of the path buffer.
1818	* @param pUniStrResult The result string.
1819	* @param pOrgName The orignal name (for errors).
1820	* @param pcwc Where to return the actual length.
1821	*/
1822	static NTSTATUS supR3HardenedCopyRedirectionResult(WCHAR *pwszPath, size_t cwcPath, PUNICODE_STRING pUniStrResult,
1823	PUNICODE_STRING pOrgName, UINT *pcwc)
1824	{
1825	UINT cwc;
1826	*pcwc = cwc = pUniStrResult->Length / sizeof(WCHAR);
1827	if (pUniStrResult->Buffer == pwszPath)
1828	pwszPath[cwc] = '\0';
1829	else
1830	{
1831	if (cwc > cwcPath - 1)
1832	{
1833	supR3HardenedError(VINF_SUCCESS, false,
1834	"supR3HardenedMonitor_LdrLoadDll: Name too long: %.ls -> %.ls (RtlDosApplyFileIoslationRedirection_Ustr)\n",
1835	pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer,
1836	pUniStrResult->Length / sizeof(WCHAR), pUniStrResult->Buffer);
1837	return STATUS_NAME_TOO_LONG;
1838	}
1839	memcpy(&pwszPath[0], pUniStrResult->Buffer, pUniStrResult->Length);
1840	pwszPath[cwc] = '\0';
1841	}
1842	return STATUS_SUCCESS;
1843	}
1844
1845
1846	/**
1847	* Helper for supR3HardenedMonitor_LdrLoadDll that compares the name part of the
1848	* input path against a ASCII name string of a given length.
1849	*
1850	* @returns true if the name part matches
1851	* @param pPath The LdrLoadDll input path.
1852	* @param pszName The name to try match it with.
1853	* @param cchName The name length.
1854	*/
1855	static bool supR3HardenedIsFilenameMatchDll(PUNICODE_STRING pPath, const char *pszName, size_t cchName)
1856	{
1857	if (pPath->Length < cchName * 2)
1858	return false;
1859	PCRTUTF16 pwszTmp = &pPath->Buffer[pPath->Length / sizeof(RTUTF16) - cchName];
1860	if ( pPath->Length != cchName
1861	&& pwszTmp[-1] != '\\'
1862	&& pwszTmp[-1] != '/')
1863	return false;
1864	return RTUtf16ICmpAscii(pwszTmp, pszName) == 0;
1865	}
1866
1867
1868	/**
1869	* Hooks that intercepts LdrLoadDll calls.
1870	*
1871	* Two purposes:
1872	* -# Enforce our own search path restrictions.
1873	* -# Prevalidate DLLs about to be loaded so we don't upset the loader data
1874	* by doing it from within the NtCreateSection hook (WinVerifyTrust
1875	* seems to be doing harm there on W7/32).
1876	*
1877	* @returns
1878	* @param pwszSearchPath The search path to use.
1879	* @param pfFlags Flags on input. DLL characteristics or something
1880	* on return?
1881	* @param pName The name of the module.
1882	* @param phMod Where the handle of the loaded DLL is to be
1883	* returned to the caller.
1884	*/
1885	static NTSTATUS NTAPI
1886	supR3HardenedMonitor_LdrLoadDll(PWSTR pwszSearchPath, PULONG pfFlags, PUNICODE_STRING pName, PHANDLE phMod)
1887	{
1888	DWORD dwSavedLastError = RtlGetLastWin32Error();
1889	PUNICODE_STRING const pOrgName = pName;
1890	NTSTATUS rcNt;
1891
1892	/*
1893	* Make sure the DLL notification callback is registered. If we could, we
1894	* would've done this during early process init, but due to lack of heap
1895	* and uninitialized loader lock, it's not possible that early on.
1896	*
1897	* The callback protects our NtDll hooks from getting unhooked by
1898	* "friendly" fire from the AV crowd.
1899	*/
1900	supR3HardenedWinRegisterDllNotificationCallback();
1901
1902	/*
1903	* Process WinVerifyTrust todo before and after.
1904	*/
1905	supR3HardenedWinVerifyCacheProcessWvtTodos();
1906
1907	/*
1908	* Reject things we don't want to deal with.
1909	*/
1910	if (!pName \|\| pName->Length == 0)
1911	{
1912	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: name is NULL or have a zero length.\n");
1913	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x (pName=%p)\n", STATUS_INVALID_PARAMETER, pName));
1914	RtlRestoreLastWin32Error(dwSavedLastError);
1915	return STATUS_INVALID_PARAMETER;
1916	}
1917	PCWCHAR const pawcOrgName = pName->Buffer;
1918	uint32_t const cwcOrgName = pName->Length / sizeof(WCHAR);
1919
1920	/SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.ls *pfFlags=%#x pwszSearchPath=%p:%ls\n",
1921	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer, pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
1922	!((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));*/
1923
1924	/*
1925	* Reject long paths that's close to the 260 limit without looking.
1926	*/
1927	if (cwcOrgName > 256)
1928	{
1929	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: too long name: %#x bytes\n", pName->Length);
1930	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
1931	RtlRestoreLastWin32Error(dwSavedLastError);
1932	return STATUS_NAME_TOO_LONG;
1933	}
1934
1935	/*
1936	* Reject all UNC-like paths as we cannot trust non-local files at all.
1937	* Note! We may have to relax this to deal with long path specifications and NT pass thrus.
1938	*/
1939	if ( cwcOrgName >= 3
1940	&& RTPATH_IS_SLASH(pawcOrgName[0])
1941	&& RTPATH_IS_SLASH(pawcOrgName[1])
1942	&& !RTPATH_IS_SLASH(pawcOrgName[2]))
1943	{
1944	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting UNC name '%.*ls'\n", cwcOrgName, pawcOrgName);
1945	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_REDIRECTOR_NOT_STARTED));
1946	RtlRestoreLastWin32Error(dwSavedLastError);
1947	return STATUS_REDIRECTOR_NOT_STARTED;
1948	}
1949
1950	/*
1951	* Reject PGHook.dll as it creates a thread from its DllMain that breaks
1952	* our preconditions respawning the 2nd process, resulting in
1953	* VERR_SUP_VP_THREAD_NOT_ALONE. The DLL is being loaded by a user APC
1954	* scheduled during kernel32.dll load notification from a kernel driver,
1955	* so failing the load attempt should not upset anyone.
1956	*/
1957	if (g_enmSupR3HardenedMainState == SUPR3HARDENEDMAINSTATE_WIN_EARLY_STUB_DEVICE_OPENED)
1958	{
1959	static const struct { const char *psz; size_t cch; } s_aUnwantedEarlyDlls[] =
1960	{
1961	{ RT_STR_TUPLE("PGHook.dll") },
1962	};
1963	for (unsigned i = 0; i < RT_ELEMENTS(s_aUnwantedEarlyDlls); i++)
1964	if (supR3HardenedIsFilenameMatchDll(pName, s_aUnwantedEarlyDlls[i].psz, s_aUnwantedEarlyDlls[i].cch))
1965	{
1966	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load '%.*ls' as it is expected to create undesirable threads that will upset our respawn checks (returning STATUS_TOO_MANY_THREADS)\n",
1967	pName->Length / sizeof(RTUTF16), pName->Buffer));
1968	return STATUS_TOO_MANY_THREADS;
1969	}
1970	}
1971
1972	/*
1973	* Resolve the path, copying the result into wszPath
1974	*/
1975	NTSTATUS rcNtResolve = STATUS_SUCCESS;
1976	bool fSkipValidation = false;
1977	bool fCheckIfLoaded = false;
1978	WCHAR wszPath[260];
1979	static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");
1980	UNICODE_STRING UniStrStatic = { 0, (USHORT)sizeof(wszPath) - sizeof(WCHAR), wszPath };
1981	UNICODE_STRING UniStrDynamic = { 0, 0, NULL };
1982	PUNICODE_STRING pUniStrResult = NULL;
1983	UNICODE_STRING ResolvedName;
1984
1985	/*
1986	* Process the name a little, checking if it needs a DLL suffix and is pathless.
1987	*/
1988	uint32_t offLastSlash = UINT32_MAX;
1989	uint32_t offLastDot = UINT32_MAX;
1990	for (uint32_t i = 0; i < cwcOrgName; i++)
1991	switch (pawcOrgName[i])
1992	{
1993	case '\\':
1994	case '/':
1995	offLastSlash = i;
1996	offLastDot = UINT32_MAX;
1997	break;
1998	case '.':
1999	offLastDot = i;
2000	break;
2001	}
2002	bool const fNeedDllSuffix = offLastDot == UINT32_MAX;
2003	//bool const fTrailingDot = offLastDot == cwcOrgName - 1;
2004
2005	/*
2006	* Absolute path?
2007	*/
2008	if ( ( cwcOrgName >= 4
2009	&& RT_C_IS_ALPHA(pawcOrgName[0])
2010	&& pawcOrgName[1] == ':'
2011	&& RTPATH_IS_SLASH(pawcOrgName[2]) )
2012	\|\| ( cwcOrgName >= 1
2013	&& RTPATH_IS_SLASH(pawcOrgName[0]) )
2014	)
2015	{
2016	rcNtResolve = RtlDosApplyFileIsolationRedirection_Ustr(1 /fFlags/,
2017	pName,
2018	(PUNICODE_STRING)&s_DefaultSuffix,
2019	&UniStrStatic,
2020	&UniStrDynamic,
2021	&pUniStrResult,
2022	NULL /pNewFlags/,
2023	NULL /pcbFilename/,
2024	NULL /pcbNeeded/);
2025	if (NT_SUCCESS(rcNtResolve))
2026	{
2027	UINT cwc;
2028	rcNt = supR3HardenedCopyRedirectionResult(wszPath, RT_ELEMENTS(wszPath), pUniStrResult, pName, &cwc);
2029	RtlFreeUnicodeString(&UniStrDynamic);
2030	if (!NT_SUCCESS(rcNt))
2031	{
2032	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", rcNt));
2033	RtlRestoreLastWin32Error(dwSavedLastError);
2034	return rcNt;
2035	}
2036
2037	ResolvedName.Buffer = wszPath;
2038	ResolvedName.Length = (USHORT)(cwc * sizeof(WCHAR));
2039	ResolvedName.MaximumLength = ResolvedName.Length + sizeof(WCHAR);
2040
2041	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: '%.ls' -> '%.ls' [redir]\n",
2042	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer,
2043	ResolvedName.Length / sizeof(WCHAR), ResolvedName.Buffer, rcNt));
2044	pName = &ResolvedName;
2045	}
2046	else
2047	{
2048	/* Copy the path. */
2049	memcpy(wszPath, pawcOrgName, cwcOrgName * sizeof(WCHAR));
2050	if (!fNeedDllSuffix)
2051	wszPath[cwcOrgName] = '\0';
2052	else
2053	{
2054	if (cwcOrgName + 4 >= RT_ELEMENTS(wszPath))
2055	{
2056	supR3HardenedError(VINF_SUCCESS, false,
2057	"supR3HardenedMonitor_LdrLoadDll: Name too long (abs): %.*ls\n", cwcOrgName, pawcOrgName);
2058	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
2059	RtlRestoreLastWin32Error(dwSavedLastError);
2060	return STATUS_NAME_TOO_LONG;
2061	}
2062	memcpy(&wszPath[cwcOrgName], L".dll", 5 * sizeof(WCHAR));
2063	}
2064	}
2065	}
2066	/*
2067	* Not an absolute path. Check if it's one of those special API set DLLs
2068	* or something we're known to use but should be taken from WinSxS.
2069	*/
2070	else if ( supR3HardenedHasDashButNoPath(pName)
2071	&& supR3HardenedIsApiSetDll(pName))
2072	{
2073	memcpy(wszPath, pName->Buffer, pName->Length);
2074	wszPath[pName->Length / sizeof(WCHAR)] = '\0';
2075	fSkipValidation = true;
2076	}
2077	/*
2078	* Not an absolute path or special API set. There are two alternatives
2079	* now, either there is no path at all or there is a relative path. We
2080	* will resolve it to an absolute path in either case, failing the call
2081	* if we can't.
2082	*/
2083	else
2084	{
2085	/*
2086	* Reject relative paths for now as they might be breakout attempts.
2087	*/
2088	if (offLastSlash != UINT32_MAX)
2089	{
2090	supR3HardenedError(VINF_SUCCESS, false,
2091	"supR3HardenedMonitor_LdrLoadDll: relative name not permitted: %.*ls\n",
2092	cwcOrgName, pawcOrgName);
2093	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_OBJECT_NAME_INVALID));
2094	RtlRestoreLastWin32Error(dwSavedLastError);
2095	return STATUS_OBJECT_NAME_INVALID;
2096	}
2097
2098	/*
2099	* Perform dll redirection to WinSxS such. We using an undocumented
2100	* API here, which as always is a bit risky... ASSUMES that the API
2101	* returns a full DOS path.
2102	*/
2103	UINT cwc;
2104	rcNtResolve = RtlDosApplyFileIsolationRedirection_Ustr(1 /fFlags/,
2105	pName,
2106	(PUNICODE_STRING)&s_DefaultSuffix,
2107	&UniStrStatic,
2108	&UniStrDynamic,
2109	&pUniStrResult,
2110	NULL /pNewFlags/,
2111	NULL /pcbFilename/,
2112	NULL /pcbNeeded/);
2113	if (NT_SUCCESS(rcNtResolve))
2114	{
2115	rcNt = supR3HardenedCopyRedirectionResult(wszPath, RT_ELEMENTS(wszPath), pUniStrResult, pName, &cwc);
2116	RtlFreeUnicodeString(&UniStrDynamic);
2117	if (!NT_SUCCESS(rcNt))
2118	{
2119	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", rcNt));
2120	RtlRestoreLastWin32Error(dwSavedLastError);
2121	return rcNt;
2122	}
2123	}
2124	else
2125	{
2126	/*
2127	* Search for the DLL. Only System32 is allowed as the target of
2128	* a search on the API level, all VBox calls will have full paths.
2129	* If the DLL is not in System32, we will resort to check if it's
2130	* refering to an already loaded DLL (fCheckIfLoaded).
2131	*/
2132	AssertCompile(sizeof(g_System32WinPath.awcBuffer) <= sizeof(wszPath));
2133	cwc = g_System32WinPath.UniStr.Length / sizeof(RTUTF16); Assert(cwc > 2);
2134	if (cwc + 1 + cwcOrgName + fNeedDllSuffix * 4 >= RT_ELEMENTS(wszPath))
2135	{
2136	supR3HardenedError(VINF_SUCCESS, false,
2137	"supR3HardenedMonitor_LdrLoadDll: Name too long (system32): %.*ls\n", cwcOrgName, pawcOrgName);
2138	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_NAME_TOO_LONG));
2139	RtlRestoreLastWin32Error(dwSavedLastError);
2140	return STATUS_NAME_TOO_LONG;
2141	}
2142	memcpy(wszPath, g_System32WinPath.UniStr.Buffer, cwc * sizeof(RTUTF16));
2143	wszPath[cwc++] = '\\';
2144	memcpy(&wszPath[cwc], pawcOrgName, cwcOrgName * sizeof(WCHAR));
2145	cwc += cwcOrgName;
2146	if (!fNeedDllSuffix)
2147	wszPath[cwc] = '\0';
2148	else
2149	{
2150	memcpy(&wszPath[cwc], L".dll", 5 * sizeof(WCHAR));
2151	cwc += 4;
2152	}
2153	fCheckIfLoaded = true;
2154	}
2155
2156	ResolvedName.Buffer = wszPath;
2157	ResolvedName.Length = (USHORT)(cwc * sizeof(WCHAR));
2158	ResolvedName.MaximumLength = ResolvedName.Length + sizeof(WCHAR);
2159	pName = &ResolvedName;
2160	}
2161
2162	#ifndef IN_SUP_R3_STATIC
2163	/*
2164	* Reject blacklisted DLLs based on input name.
2165	*/
2166	for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
2167	if (supR3HardenedIsFilenameMatchDll(pName, g_aSupNtViBlacklistedDlls[i].psz, g_aSupNtViBlacklistedDlls[i].cch))
2168	{
2169	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load blacklisted DLL: '%.*ls'\n",
2170	pName->Length / sizeof(RTUTF16), pName->Buffer));
2171	RtlRestoreLastWin32Error(dwSavedLastError);
2172	return STATUS_TOO_MANY_THREADS;
2173	}
2174	#endif
2175
2176	bool fQuiet = false;
2177	if (!fSkipValidation)
2178	{
2179	/*
2180	* Try open the file. If this fails, never mind, just pass it on to
2181	* the real API as we've replaced any searchable name with a full name
2182	* and the real API can come up with a fitting status code for it.
2183	*/
2184	HANDLE hRootDir;
2185	UNICODE_STRING NtPathUniStr;
2186	int rc = RTNtPathFromWinUtf16Ex(&NtPathUniStr, &hRootDir, wszPath, RTSTR_MAX);
2187	if (RT_FAILURE(rc))
2188	{
2189	supR3HardenedError(rc, false,
2190	"supR3HardenedMonitor_LdrLoadDll: RTNtPathFromWinUtf16Ex failed on '%ls': %Rrc\n", wszPath, rc);
2191	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x\n", STATUS_OBJECT_NAME_INVALID));
2192	RtlRestoreLastWin32Error(dwSavedLastError);
2193	return STATUS_OBJECT_NAME_INVALID;
2194	}
2195
2196	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
2197	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
2198	OBJECT_ATTRIBUTES ObjAttr;
2199	InitializeObjectAttributes(&ObjAttr, &NtPathUniStr, OBJ_CASE_INSENSITIVE, hRootDir, NULL /pSecDesc/);
2200
2201	rcNt = NtCreateFile(&hFile,
2202	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
2203	&ObjAttr,
2204	&Ios,
2205	NULL /* Allocation Size*/,
2206	FILE_ATTRIBUTE_NORMAL,
2207	FILE_SHARE_READ,
2208	FILE_OPEN,
2209	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
2210	NULL /EaBuffer/,
2211	0 /EaLength/);
2212	if (NT_SUCCESS(rcNt))
2213	rcNt = Ios.Status;
2214	if (NT_SUCCESS(rcNt))
2215	{
2216	ULONG fAccess = 0;
2217	ULONG fProtect = 0;
2218	bool fCallRealApi = false;
2219	rcNt = supR3HardenedScreenImage(hFile, true /fImage/, RT_VALID_PTR(pfFlags) && (pfFlags & 0x2) /fIgnoreArch*/,
2220	&fAccess, &fProtect, &fCallRealApi,
2221	"LdrLoadDll", false /fAvoidWinVerifyTrust/, &fQuiet);
2222	NtClose(hFile);
2223	if (!NT_SUCCESS(rcNt))
2224	{
2225	if (!fQuiet)
2226	{
2227	if (pOrgName != pName)
2228	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting '%ls': rcNt=%#x\n",
2229	wszPath, rcNt);
2230	else
2231	supR3HardenedError(VINF_SUCCESS, false, "supR3HardenedMonitor_LdrLoadDll: rejecting '%ls' (%.*ls): rcNt=%#x\n",
2232	wszPath, pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNt);
2233	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
2234	}
2235	RtlRestoreLastWin32Error(dwSavedLastError);
2236	return rcNt;
2237	}
2238
2239	supR3HardenedWinVerifyCacheProcessImportTodos();
2240	}
2241	else
2242	{
2243	DWORD dwErr = RtlGetLastWin32Error();
2244
2245	/*
2246	* Deal with special case where the caller (first case was MS LifeCam)
2247	* is using LoadLibrary instead of GetModuleHandle to find a loaded DLL.
2248	*/
2249	NTSTATUS rcNtGetDll = STATUS_SUCCESS;
2250	if ( fCheckIfLoaded
2251	&& ( rcNt == STATUS_OBJECT_NAME_NOT_FOUND
2252	\|\| rcNt == STATUS_OBJECT_PATH_NOT_FOUND))
2253	{
2254	rcNtGetDll = LdrGetDllHandle(NULL /DllPath/, NULL /pfFlags/, pOrgName, phMod);
2255	if (NT_SUCCESS(rcNtGetDll))
2256	{
2257	RTNtPathFree(&NtPathUniStr, &hRootDir);
2258	RtlRestoreLastWin32Error(dwSavedLastError);
2259	return rcNtGetDll;
2260	}
2261	}
2262
2263	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: error opening '%ls': %u (NtPath=%.ls; Input=%.ls; rcNtGetDll=%#x\n",
2264	wszPath, dwErr, NtPathUniStr.Length / sizeof(RTUTF16), NtPathUniStr.Buffer,
2265	pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNtGetDll));
2266
2267	RTNtPathFree(&NtPathUniStr, &hRootDir);
2268	RtlRestoreLastWin32Error(dwSavedLastError);
2269	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
2270	return rcNt;
2271	}
2272	RTNtPathFree(&NtPathUniStr, &hRootDir);
2273	}
2274
2275	/*
2276	* Screened successfully enough. Call the real thing.
2277	*/
2278	if (!fQuiet)
2279	{
2280	if (pOrgName != pName)
2281	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.ls (Input=%.ls, rcNtResolve=%#x) *pfFlags=%#x pwszSearchPath=%p:%ls [calling]\n",
2282	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer,
2283	(unsigned)pOrgName->Length / sizeof(WCHAR), pOrgName->Buffer, rcNtResolve,
2284	pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
2285	!((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));
2286	else
2287	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: pName=%.ls (rcNtResolve=%#x) pfFlags=%#x pwszSearchPath=%p:%ls [calling]\n",
2288	(unsigned)pName->Length / sizeof(WCHAR), pName->Buffer, rcNtResolve,
2289	pfFlags ? *pfFlags : UINT32_MAX, pwszSearchPath,
2290	!((uintptr_t)pwszSearchPath & 1) && (uintptr_t)pwszSearchPath >= 0x2000U ? pwszSearchPath : L"<flags>"));
2291	}
2292
2293	RtlRestoreLastWin32Error(dwSavedLastError);
2294	rcNt = g_pfnLdrLoadDllReal(pwszSearchPath, pfFlags, pName, phMod);
2295
2296	/*
2297	* Log the result and process pending WinVerifyTrust work if we can.
2298	*/
2299	dwSavedLastError = RtlGetLastWin32Error();
2300
2301	if (NT_SUCCESS(rcNt) && phMod)
2302	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x hMod=%p '%ls'\n", rcNt, *phMod, wszPath));
2303	else if (!NT_SUCCESS(rcNt) \|\| !fQuiet)
2304	SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
2305
2306	supR3HardenedWinVerifyCacheProcessWvtTodos();
2307
2308	RtlRestoreLastWin32Error(dwSavedLastError);
2309
2310	return rcNt;
2311	}
2312
2313
2314	/**
2315	* DLL load and unload notification callback.
2316	*
2317	* This is a safety against our LdrLoadDll hook being replaced by protection
2318	* software. Though, we prefer the LdrLoadDll hook to this one as it allows us
2319	* to call WinVerifyTrust more freely.
2320	*
2321	* @param ulReason The reason we're called, see
2322	* LDR_DLL_NOTIFICATION_REASON_XXX.
2323	* @param pData Reason specific data. (Format is currently the same for
2324	* both load and unload.)
2325	* @param pvUser User parameter (ignored).
2326	*
2327	* @remarks Vista and later.
2328	* @remarks The loader lock is held when we're called, at least on Windows 7.
2329	*/
2330	static VOID CALLBACK supR3HardenedDllNotificationCallback(ULONG ulReason, PCLDR_DLL_NOTIFICATION_DATA pData, PVOID pvUser)
2331	{
2332	NOREF(pvUser);
2333
2334	/*
2335	* Screen the image on load. We will normally get a verification cache
2336	* hit here because of the LdrLoadDll and NtCreateSection hooks, so it
2337	* should be relatively cheap to recheck. In case our NtDll patches
2338	* got re
2339	*
2340	* This ASSUMES that we get informed after the fact as indicated by the
2341	* available documentation.
2342	*/
2343	if (ulReason == LDR_DLL_NOTIFICATION_REASON_LOADED)
2344	{
2345	SUP_DPRINTF(("supR3HardenedDllNotificationCallback: load %p LB %#010x %.*ls [fFlags=%#x]\n",
2346	pData->Loaded.DllBase, pData->Loaded.SizeOfImage,
2347	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
2348	pData->Loaded.Flags));
2349
2350	/* Convert the windows path to an NT path and open it. */
2351	HANDLE hRootDir;
2352	UNICODE_STRING NtPathUniStr;
2353	int rc = RTNtPathFromWinUtf16Ex(&NtPathUniStr, &hRootDir, pData->Loaded.FullDllName->Buffer,
2354	pData->Loaded.FullDllName->Length / sizeof(WCHAR));
2355	if (RT_FAILURE(rc))
2356	{
2357	supR3HardenedFatal("supR3HardenedDllNotificationCallback: RTNtPathFromWinUtf16Ex failed on '%.*ls': %Rrc\n",
2358	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer, rc);
2359	return;
2360	}
2361
2362	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
2363	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
2364	OBJECT_ATTRIBUTES ObjAttr;
2365	InitializeObjectAttributes(&ObjAttr, &NtPathUniStr, OBJ_CASE_INSENSITIVE, hRootDir, NULL /pSecDesc/);
2366
2367	NTSTATUS rcNt = NtCreateFile(&hFile,
2368	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
2369	&ObjAttr,
2370	&Ios,
2371	NULL /* Allocation Size*/,
2372	FILE_ATTRIBUTE_NORMAL,
2373	FILE_SHARE_READ,
2374	FILE_OPEN,
2375	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
2376	NULL /EaBuffer/,
2377	0 /EaLength/);
2378	if (NT_SUCCESS(rcNt))
2379	rcNt = Ios.Status;
2380	if (!NT_SUCCESS(rcNt))
2381	{
2382	supR3HardenedFatal("supR3HardenedDllNotificationCallback: NtCreateFile failed on '%.ls' / '%.ls': %#x\n",
2383	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
2384	NtPathUniStr.Length / sizeof(WCHAR), NtPathUniStr.Buffer, rcNt);
2385	/* not reached */
2386	}
2387
2388	/* Do the screening. */
2389	ULONG fAccess = 0;
2390	ULONG fProtect = 0;
2391	bool fCallRealApi = false;
2392	bool fQuietFailure = false;
2393	rcNt = supR3HardenedScreenImage(hFile, true /fImage/, true /fIgnoreArch/, &fAccess, &fProtect, &fCallRealApi,
2394	"LdrLoadDll", true /fAvoidWinVerifyTrust/, &fQuietFailure);
2395	NtClose(hFile);
2396	if (!NT_SUCCESS(rcNt))
2397	{
2398	supR3HardenedFatal("supR3HardenedDllNotificationCallback: supR3HardenedScreenImage failed on '%.ls' / '%.ls': %#x\n",
2399	pData->Loaded.FullDllName->Length / sizeof(WCHAR), pData->Loaded.FullDllName->Buffer,
2400	NtPathUniStr.Length / sizeof(WCHAR), NtPathUniStr.Buffer, rcNt);
2401	/* not reached */
2402	}
2403	RTNtPathFree(&NtPathUniStr, &hRootDir);
2404	}
2405	/*
2406	* Log the unload call.
2407	*/
2408	else if (ulReason == LDR_DLL_NOTIFICATION_REASON_UNLOADED)
2409	{
2410	SUP_DPRINTF(("supR3HardenedDllNotificationCallback: Unload %p LB %#010x %.*ls [flags=%#x]\n",
2411	pData->Unloaded.DllBase, pData->Unloaded.SizeOfImage,
2412	pData->Unloaded.FullDllName->Length / sizeof(WCHAR), pData->Unloaded.FullDllName->Buffer,
2413	pData->Unloaded.Flags));
2414	}
2415	/*
2416	* Just log things we don't know and then return without caching anything.
2417	*/
2418	else
2419	{
2420	static uint32_t s_cLogEntries = 0;
2421	if (s_cLogEntries++ < 32)
2422	SUP_DPRINTF(("supR3HardenedDllNotificationCallback: ulReason=%u pData=%p\n", ulReason, pData));
2423	return;
2424	}
2425
2426	/*
2427	* Use this opportunity to make sure our NtDll patches are still in place,
2428	* since they may be replaced by indecent protection software solutions.
2429	*/
2430	supR3HardenedWinReInstallHooks(false /fFirstCall /);
2431	}
2432
2433
2434	/**
2435	* Registers the DLL notification callback if it hasn't already been registered.
2436	*/
2437	static void supR3HardenedWinRegisterDllNotificationCallback(void)
2438	{
2439	/*
2440	* The notification API was added in Vista, so it's an optional (weak) import.
2441	*/
2442	if ( LdrRegisterDllNotification != NULL
2443	&& g_cDllNotificationRegistered <= 0
2444	&& g_cDllNotificationRegistered > -32)
2445	{
2446	NTSTATUS rcNt = LdrRegisterDllNotification(0, supR3HardenedDllNotificationCallback, NULL, &g_pvDllNotificationCookie);
2447	if (NT_SUCCESS(rcNt))
2448	{
2449	SUP_DPRINTF(("Registered Dll notification callback with NTDLL.\n"));
2450	g_cDllNotificationRegistered = 1;
2451	}
2452	else
2453	{
2454	supR3HardenedError(rcNt, false /fFatal/, "LdrRegisterDllNotification failed: %#x\n", rcNt);
2455	g_cDllNotificationRegistered--;
2456	}
2457	}
2458	}
2459
2460
2461	static void supR3HardenedWinHookFailed(const char pszWhich, uint8_t const pbPrologue)
2462	{
2463	supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_NO_MEMORY,
2464	"Failed to install %s monitor: %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x\n "
2465	#ifdef RT_ARCH_X86
2466	"(It is also possible you are running 32-bit VirtualBox under 64-bit windows.)\n"
2467	#endif
2468	,
2469	pszWhich,
2470	pbPrologue[0], pbPrologue[1], pbPrologue[2], pbPrologue[3],
2471	pbPrologue[4], pbPrologue[5], pbPrologue[6], pbPrologue[7],
2472	pbPrologue[8], pbPrologue[9], pbPrologue[10], pbPrologue[11],
2473	pbPrologue[12], pbPrologue[13], pbPrologue[14], pbPrologue[15]);
2474	}
2475
2476
2477	/**
2478	* IPRT thread that waits for the parent process to terminate and reacts by
2479	* exiting the current process.
2480	*
2481	* @returns VINF_SUCCESS
2482	* @param hSelf The current thread. Ignored.
2483	* @param pvUser The handle of the parent process.
2484	*/
2485	static DECLCALLBACK(int) supR3HardenedWinParentWatcherThread(RTTHREAD hSelf, void *pvUser)
2486	{
2487	HANDLE hProcWait = (HANDLE)pvUser;
2488	NOREF(hSelf);
2489
2490	/*
2491	* Wait for the parent to terminate.
2492	*/
2493	NTSTATUS rcNt;
2494	for (;;)
2495	{
2496	rcNt = NtWaitForSingleObject(hProcWait, TRUE /Alertable/, NULL /pTimeout/);
2497	if ( rcNt == STATUS_WAIT_0
2498	\|\| rcNt == STATUS_ABANDONED_WAIT_0)
2499	break;
2500	if ( rcNt != STATUS_TIMEOUT
2501	&& rcNt != STATUS_USER_APC
2502	&& rcNt != STATUS_ALERTED)
2503	supR3HardenedFatal("NtWaitForSingleObject returned %#x\n", rcNt);
2504	}
2505
2506	/*
2507	* Proxy the termination code of the child, if it exited already.
2508	*/
2509	PROCESS_BASIC_INFORMATION BasicInfo;
2510	NTSTATUS rcNt2 = NtQueryInformationProcess(hProcWait, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
2511	if ( !NT_SUCCESS(rcNt2)
2512	\|\| BasicInfo.ExitStatus == STATUS_PENDING)
2513	BasicInfo.ExitStatus = RTEXITCODE_FAILURE;
2514
2515	NtClose(hProcWait);
2516	SUP_DPRINTF(("supR3HardenedWinParentWatcherThread: Quitting: ExitCode=%#x rcNt=%#x\n", BasicInfo.ExitStatus, rcNt));
2517	suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
2518	/* not reached */
2519	}
2520
2521
2522	/**
2523	* Creates the parent watcher thread that will make sure this process exits when
2524	* the parent does.
2525	*
2526	* This is a necessary evil to make VBoxNetDhcp and VBoxNetNat termination from
2527	* Main work without too much new magic. It also makes Ctrl-C or similar work
2528	* in on the hardened processes in the windows console.
2529	*
2530	* @param hVBoxRT The VBoxRT.dll handle. We use RTThreadCreate to
2531	* spawn the thread to avoid duplicating thread
2532	* creation and thread naming code from IPRT.
2533	*/
2534	DECLHIDDEN(void) supR3HardenedWinCreateParentWatcherThread(HMODULE hVBoxRT)
2535	{
2536	/*
2537	* Resolve runtime methods that we need.
2538	*/
2539	PFNRTTHREADCREATE pfnRTThreadCreate = (PFNRTTHREADCREATE)GetProcAddress(hVBoxRT, "RTThreadCreate");
2540	SUPR3HARDENED_ASSERT(pfnRTThreadCreate != NULL);
2541
2542	/*
2543	* Find the parent process ID.
2544	*/
2545	PROCESS_BASIC_INFORMATION BasicInfo;
2546	NTSTATUS rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
2547	if (!NT_SUCCESS(rcNt))
2548	supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: NtQueryInformationProcess failed: %#x\n", rcNt);
2549
2550	/*
2551	* Open the parent process for waiting and exitcode query.
2552	*/
2553	OBJECT_ATTRIBUTES ObjAttr;
2554	InitializeObjectAttributes(&ObjAttr, NULL, 0, NULL /hRootDir/, NULL /pSecDesc/);
2555
2556	CLIENT_ID ClientId;
2557	ClientId.UniqueProcess = (HANDLE)BasicInfo.InheritedFromUniqueProcessId;
2558	ClientId.UniqueThread = NULL;
2559
2560	HANDLE hParent;
2561	rcNt = NtOpenProcess(&hParent, SYNCHRONIZE \| PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
2562	if (!NT_SUCCESS(rcNt))
2563	supR3HardenedFatalMsg("supR3HardenedWinCreateParentWatcherThread", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
2564	"NtOpenProcess(%p.0) failed: %#x\n", ClientId.UniqueProcess, rcNt);
2565
2566	/*
2567	* Create the thread that should do the waiting.
2568	*/
2569	int rc = pfnRTThreadCreate(NULL, supR3HardenedWinParentWatcherThread, hParent, _64K /* stack */,
2570	RTTHREADTYPE_DEFAULT, 0 /fFlags/, "ParentWatcher");
2571	if (RT_FAILURE(rc))
2572	supR3HardenedFatal("supR3HardenedWinCreateParentWatcherThread: RTThreadCreate failed: %Rrc\n", rc);
2573	}
2574
2575
2576	/**
2577	* Checks if the calling thread is the only one in the process.
2578	*
2579	* @returns true if we're positive we're alone, false if not.
2580	*/
2581	static bool supR3HardenedWinAmIAlone(void)
2582	{
2583	ULONG fAmIAlone = 0;
2584	ULONG cbIgn = 0;
2585	NTSTATUS rcNt = NtQueryInformationThread(NtCurrentThread(), ThreadAmILastThread, &fAmIAlone, sizeof(fAmIAlone), &cbIgn);
2586	Assert(NT_SUCCESS(rcNt));
2587	return NT_SUCCESS(rcNt) && fAmIAlone != 0;
2588	}
2589
2590
2591	/**
2592	* Simplify NtProtectVirtualMemory interface.
2593	*
2594	* Modifies protection for the current process. Caller must know the current
2595	* protection as it's not returned.
2596	*
2597	* @returns NT status code.
2598	* @param pvMem The memory to change protection for.
2599	* @param cbMem The amount of memory to change.
2600	* @param fNewProt The new protection.
2601	*/
2602	static NTSTATUS supR3HardenedWinProtectMemory(PVOID pvMem, SIZE_T cbMem, ULONG fNewProt)
2603	{
2604	ULONG fOldProt = 0;
2605	return NtProtectVirtualMemory(NtCurrentProcess(), &pvMem, &cbMem, fNewProt, &fOldProt);
2606	}
2607
2608
2609	/**
2610	* Installs or reinstalls the NTDLL patches.
2611	*/
2612	static void supR3HardenedWinReInstallHooks(bool fFirstCall)
2613	{
2614	struct
2615	{
2616	size_t cbPatch;
2617	uint8_t const *pabPatch;
2618	uint8_t **ppbApi;
2619	const char *pszName;
2620	} const s_aPatches[] =
2621	{
2622	{ sizeof(g_abNtCreateSectionPatch), g_abNtCreateSectionPatch, &g_pbNtCreateSection, "NtCreateSection" },
2623	{ sizeof(g_abLdrLoadDllPatch), g_abLdrLoadDllPatch, &g_pbLdrLoadDll, "LdrLoadDll" },
2624	};
2625
2626	ULONG fAmIAlone = ~(ULONG)0;
2627
2628	for (uint32_t i = 0; i < RT_ELEMENTS(s_aPatches); i++)
2629	{
2630	uint8_t pbApi = s_aPatches[i].ppbApi;
2631	if (memcmp(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch) != 0)
2632	{
2633	/*
2634	* Log the incident if it's not the initial call.
2635	*/
2636	static uint32_t volatile s_cTimes = 0;
2637	if (!fFirstCall && s_cTimes < 128)
2638	{
2639	s_cTimes++;
2640	SUP_DPRINTF(("supR3HardenedWinReInstallHooks: Reinstalling %s (%p: %.*Rhxs).\n",
2641	s_aPatches[i].pszName, pbApi, s_aPatches[i].cbPatch, pbApi));
2642	}
2643
2644	Assert(s_aPatches[i].cbPatch >= 4);
2645
2646	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READWRITE));
2647
2648	/*
2649	* If we're alone, just memcpy the patch in.
2650	*/
2651
2652	if (fAmIAlone == ~(ULONG)0)
2653	fAmIAlone = supR3HardenedWinAmIAlone();
2654	if (fAmIAlone)
2655	memcpy(pbApi, s_aPatches[i].pabPatch, s_aPatches[i].cbPatch);
2656	else
2657	{
2658	/*
2659	* Not alone. Start by injecting a JMP $-2, then waste some
2660	* CPU cycles to get the other threads a good chance of getting
2661	* out of the code before we replace it.
2662	*/
2663	RTUINT32U uJmpDollarMinus;
2664	uJmpDollarMinus.au8[0] = 0xeb;
2665	uJmpDollarMinus.au8[1] = 0xfe;
2666	uJmpDollarMinus.au8[2] = pbApi[2];
2667	uJmpDollarMinus.au8[3] = pbApi[3];
2668	ASMAtomicXchgU32((uint32_t volatile *)pbApi, uJmpDollarMinus.u);
2669
2670	NtYieldExecution();
2671	NtYieldExecution();
2672
2673	/* Copy in the tail bytes of the patch, then xchg the jmp $-2. */
2674	if (s_aPatches[i].cbPatch > 4)
2675	memcpy(&pbApi[4], &s_aPatches[i].pabPatch[4], s_aPatches[i].cbPatch - 4);
2676	ASMAtomicXchgU32((uint32_t volatile )pbApi, (uint32_t *)s_aPatches[i].pabPatch);
2677	}
2678
2679	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pbApi, s_aPatches[i].cbPatch, PAGE_EXECUTE_READ));
2680	}
2681	}
2682	}
2683
2684
2685	/**
2686	* Install hooks for intercepting calls dealing with mapping shared libraries
2687	* into the process.
2688	*
2689	* This allows us to prevent undesirable shared libraries from being loaded.
2690	*
2691	* @remarks We assume we're alone in this process, so no seralizing trickery is
2692	* necessary when installing the patch.
2693	*
2694	* @remarks We would normally just copy the prologue sequence somewhere and add
2695	* a jump back at the end of it. But because we wish to avoid
2696	* allocating executable memory, we need to have preprepared assembly
2697	* "copies". This makes the non-system call patching a little tedious
2698	* and inflexible.
2699	*/
2700	static void supR3HardenedWinInstallHooks(void)
2701	{
2702	NTSTATUS rcNt;
2703
2704	/*
2705	* Disable hard error popups so we can quietly refuse images to be loaded.
2706	*/
2707	ULONG fHardErr = 0;
2708	rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessDefaultHardErrorMode, &fHardErr, sizeof(fHardErr), NULL);
2709	if (!NT_SUCCESS(rcNt))
2710	supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
2711	"NtQueryInformationProcess/ProcessDefaultHardErrorMode failed: %#x\n", rcNt);
2712	if (fHardErr & PROCESS_HARDERR_CRITICAL_ERROR)
2713	{
2714	fHardErr &= ~PROCESS_HARDERR_CRITICAL_ERROR;
2715	rcNt = NtSetInformationProcess(NtCurrentProcess(), ProcessDefaultHardErrorMode, &fHardErr, sizeof(fHardErr));
2716	if (!NT_SUCCESS(rcNt))
2717	supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
2718	"NtSetInformationProcess/ProcessDefaultHardErrorMode failed: %#x\n", rcNt);
2719	}
2720
2721	/*
2722	* Locate the routines first so we can allocate memory that's near enough.
2723	*/
2724	PFNRT pfnNtCreateSection = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtCreateSection");
2725	SUPR3HARDENED_ASSERT(pfnNtCreateSection != NULL);
2726	//SUPR3HARDENED_ASSERT(pfnNtCreateSection == (FARPROC)NtCreateSection);
2727
2728	PFNRT pfnLdrLoadDll = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "LdrLoadDll");
2729	SUPR3HARDENED_ASSERT(pfnLdrLoadDll != NULL);
2730	//SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
2731
2732	/*
2733	* Exec page setup & management.
2734	*/
2735	uint32_t offExecPage = 0;
2736	memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
2737
2738	/*
2739	* Hook #1 - NtCreateSection.
2740	* Purpose: Validate everything that can be mapped into the process before
2741	* it's mapped and we still have a file handle to work with.
2742	*/
2743	uint8_t * const pbNtCreateSection = (uint8_t *)(uintptr_t)pfnNtCreateSection;
2744	g_pbNtCreateSection = pbNtCreateSection;
2745	memcpy(g_abNtCreateSectionPatch, pbNtCreateSection, sizeof(g_abNtCreateSectionPatch));
2746
2747	g_pfnNtCreateSectionReal = NtCreateSection; /* our direct syscall */
2748
2749	#ifdef RT_ARCH_AMD64
2750	/*
2751	* Patch 64-bit hosts.
2752	*/
2753	/* Pattern #1: XP64/W2K3-64 thru Windows 8.1
2754	0:000> u ntdll!NtCreateSection
2755	ntdll!NtCreateSection:
2756	00000000`779f1750 4c8bd1 mov r10,rcx
2757	00000000`779f1753 b847000000 mov eax,47h
2758	00000000`779f1758 0f05 syscall
2759	00000000`779f175a c3 ret
2760	00000000`779f175b 0f1f440000 nop dword ptr [rax+rax]
2761	The variant is the value loaded into eax: W2K3=??, Vista=47h?, W7=47h, W80=48h, W81=49h */
2762
2763	/* Assemble the patch. */
2764	g_abNtCreateSectionPatch[0] = 0x48; /* mov rax, qword */
2765	g_abNtCreateSectionPatch[1] = 0xb8;
2766	(uint64_t )&g_abNtCreateSectionPatch[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection;
2767	g_abNtCreateSectionPatch[10] = 0xff; /* jmp rax */
2768	g_abNtCreateSectionPatch[11] = 0xe0;
2769
2770	#else
2771	/*
2772	* Patch 32-bit hosts.
2773	*/
2774	/* Pattern #1: XP thru Windows 7
2775	kd> u ntdll!NtCreateSection
2776	ntdll!NtCreateSection:
2777	7c90d160 b832000000 mov eax,32h
2778	7c90d165 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
2779	7c90d16a ff12 call dword ptr [edx]
2780	7c90d16c c21c00 ret 1Ch
2781	7c90d16f 90 nop
2782	The variable bit is the value loaded into eax: XP=32h, W2K3=34h, Vista=4bh, W7=54h
2783
2784	Pattern #2: Windows 8.1
2785	0:000:x86> u ntdll_6a0f0000!NtCreateSection
2786	ntdll_6a0f0000!NtCreateSection:
2787	6a15eabc b854010000 mov eax,154h
2788	6a15eac1 e803000000 call ntdll_6a0f0000!NtCreateSection+0xd (6a15eac9)
2789	6a15eac6 c21c00 ret 1Ch
2790	6a15eac9 8bd4 mov edx,esp
2791	6a15eacb 0f34 sysenter
2792	6a15eacd c3 ret
2793	The variable bit is the value loaded into eax: W81=154h */
2794
2795	/* Assemble the patch. */
2796	g_abNtCreateSectionPatch[0] = 0xe9; /* jmp rel32 */
2797	(uint32_t )&g_abNtCreateSectionPatch[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection
2798	- (uintptr_t)&pbNtCreateSection[1+4];
2799
2800	#endif
2801
2802	/*
2803	* Hook #2 - LdrLoadDll
2804	* Purpose: (a) Enforce LdrLoadDll search path constraints, and (b) pre-validate
2805	* DLLs so we can avoid calling WinVerifyTrust from the first hook,
2806	* and thus avoiding messing up the loader data on some installations.
2807	*
2808	* This differs from the above function in that is no a system call and
2809	* we're at the mercy of the compiler.
2810	*/
2811	uint8_t * const pbLdrLoadDll = (uint8_t *)(uintptr_t)pfnLdrLoadDll;
2812	g_pbLdrLoadDll = pbLdrLoadDll;
2813	memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
2814
2815	DISSTATE Dis;
2816	uint32_t cbInstr;
2817	uint32_t offJmpBack = 0;
2818
2819	#ifdef RT_ARCH_AMD64
2820	/*
2821	* Patch 64-bit hosts.
2822	*/
2823	/* Just use the disassembler to skip 12 bytes or more. */
2824	while (offJmpBack < 12)
2825	{
2826	cbInstr = 1;
2827	int rc = DISInstr(pbLdrLoadDll + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
2828	if ( RT_FAILURE(rc)
2829	\|\| (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW))
2830	\|\| (Dis.ModRM.Bits.Mod == 0 && Dis.ModRM.Bits.Rm == 5 /* wrt RIP */) )
2831	supR3HardenedWinHookFailed("LdrLoadDll", pbLdrLoadDll);
2832	offJmpBack += cbInstr;
2833	}
2834
2835	/* Assemble the code for resuming the call.*/
2836	(PFNRT )&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
2837
2838	memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack);
2839	offExecPage += offJmpBack;
2840
2841	g_abSupHardReadWriteExecPage[offExecPage++] = 0xff; /* jmp qword [$+8 wrt RIP] */
2842	g_abSupHardReadWriteExecPage[offExecPage++] = 0x25;
2843	(uint32_t )&g_abSupHardReadWriteExecPage[offExecPage] = RT_ALIGN_32(offExecPage + 4, 8) - (offExecPage + 4);
2844	offExecPage = RT_ALIGN_32(offExecPage + 4, 8);
2845	(uint64_t )&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack];
2846	offExecPage = RT_ALIGN_32(offExecPage + 8, 16);
2847
2848	/* Assemble the LdrLoadDll patch. */
2849	Assert(offJmpBack >= 12);
2850	g_abLdrLoadDllPatch[0] = 0x48; /* mov rax, qword */
2851	g_abLdrLoadDllPatch[1] = 0xb8;
2852	(uint64_t )&g_abLdrLoadDllPatch[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll;
2853	g_abLdrLoadDllPatch[10] = 0xff; /* jmp rax */
2854	g_abLdrLoadDllPatch[11] = 0xe0;
2855
2856	#else
2857	/*
2858	* Patch 32-bit hosts.
2859	*/
2860	/* Just use the disassembler to skip 5 bytes or more. */
2861	while (offJmpBack < 5)
2862	{
2863	cbInstr = 1;
2864	int rc = DISInstr(pbLdrLoadDll + offJmpBack, DISCPUMODE_32BIT, &Dis, &cbInstr);
2865	if ( RT_FAILURE(rc)
2866	\|\| (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW)) )
2867	supR3HardenedWinHookFailed("LdrLoadDll", pbLdrLoadDll);
2868	offJmpBack += cbInstr;
2869	}
2870
2871	/* Assemble the code for resuming the call.*/
2872	(PFNRT )&g_pfnLdrLoadDllReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
2873
2874	memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbLdrLoadDll, offJmpBack);
2875	offExecPage += offJmpBack;
2876
2877	g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
2878	(uint32_t )&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack]
2879	- (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
2880	offExecPage = RT_ALIGN_32(offExecPage + 4, 16);
2881
2882	/* Assemble the LdrLoadDll patch. */
2883	memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
2884	Assert(offJmpBack >= 5);
2885	g_abLdrLoadDllPatch[0] = 0xe9;
2886	(uint32_t )&g_abLdrLoadDllPatch[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll - (uintptr_t)&pbLdrLoadDll[1+4];
2887	#endif
2888
2889	/*
2890	* Seal the rwx page.
2891	*/
2892	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(g_abSupHardReadWriteExecPage, PAGE_SIZE, PAGE_EXECUTE_READ));
2893
2894	/*
2895	* Install the patches.
2896	*/
2897	supR3HardenedWinReInstallHooks(true /fFirstCall/);
2898	}
2899
2900
2901
2902
2903
2904
2905	/*
2906	*
2907	* T h r e a d c r e a t i o n c o n t r o l
2908	* T h r e a d c r e a t i o n c o n t r o l
2909	* T h r e a d c r e a t i o n c o n t r o l
2910	*
2911	*/
2912
2913
2914	/**
2915	* Common code used for child and parent to make new threads exit immediately.
2916	*
2917	* This patches the LdrInitializeThunk code to call NtTerminateThread with
2918	* STATUS_SUCCESS instead of doing the NTDLL initialization.
2919	*
2920	* @returns VBox status code.
2921	* @param hProcess The process to do this to.
2922	* @param pvLdrInitThunk The address of the LdrInitializeThunk code to
2923	* override.
2924	* @param pvNtTerminateThread The address of the NtTerminateThread function in
2925	* the NTDLL instance we're patching. (Must be +/-
2926	* 2GB from the thunk code.)
2927	* @param pabBackup Where to back up the original instruction bytes
2928	* at pvLdrInitThunk.
2929	* @param cbBackup The size of the backup area. Must be 16 bytes.
2930	* @param pErrInfo Where to return extended error information.
2931	* Optional.
2932	*/
2933	static int supR3HardNtDisableThreadCreationEx(HANDLE hProcess, void pvLdrInitThunk, void pvNtTerminateThread,
2934	uint8_t *pabBackup, size_t cbBackup, PRTERRINFO pErrInfo)
2935	{
2936	SUP_DPRINTF(("supR3HardNtDisableThreadCreation: pvLdrInitThunk=%p pvNtTerminateThread=%p\n", pvLdrInitThunk, pvNtTerminateThread));
2937	SUPR3HARDENED_ASSERT(cbBackup == 16);
2938	SUPR3HARDENED_ASSERT(RT_ABS((intptr_t)pvLdrInitThunk - (intptr_t)pvNtTerminateThread) < 16*_1M);
2939
2940	/*
2941	* Back up the thunk code.
2942	*/
2943	SIZE_T cbIgnored;
2944	NTSTATUS rcNt = NtReadVirtualMemory(hProcess, pvLdrInitThunk, pabBackup, cbBackup, &cbIgnored);
2945	if (!NT_SUCCESS(rcNt))
2946	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2947	"supR3HardNtDisableThreadCreation: NtReadVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
2948
2949	/*
2950	* Cook up replacement code that calls NtTerminateThread.
2951	*/
2952	uint8_t abReplacement[16];
2953	memcpy(abReplacement, pabBackup, sizeof(abReplacement));
2954
2955	#ifdef RT_ARCH_AMD64
2956	abReplacement[0] = 0x31; /* xor ecx, ecx */
2957	abReplacement[1] = 0xc9;
2958	abReplacement[2] = 0x31; /* xor edx, edx */
2959	abReplacement[3] = 0xd2;
2960	abReplacement[4] = 0xe8; /* call near NtTerminateThread */
2961	(int32_t )&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9));
2962	abReplacement[9] = 0xcc; /* int3 */
2963	#elif defined(RT_ARCH_X86)
2964	abReplacement[0] = 0x6a; /* push 0 */
2965	abReplacement[1] = 0x00;
2966	abReplacement[2] = 0x6a; /* push 0 */
2967	abReplacement[3] = 0x00;
2968	abReplacement[4] = 0xe8; /* call near NtTerminateThread */
2969	(int32_t )&abReplacement[5] = (int32_t)((uintptr_t)pvNtTerminateThread - ((uintptr_t)pvLdrInitThunk + 9));
2970	abReplacement[9] = 0xcc; /* int3 */
2971	#else
2972	# error "Unsupported arch."
2973	#endif
2974
2975	/*
2976	* Install the replacment code.
2977	*/
2978	PVOID pvProt = pvLdrInitThunk;
2979	SIZE_T cbProt = cbBackup;
2980	ULONG fOldProt = 0;
2981	rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
2982	if (!NT_SUCCESS(rcNt))
2983	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2984	"supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
2985
2986	rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, abReplacement, sizeof(abReplacement), &cbIgnored);
2987	if (!NT_SUCCESS(rcNt))
2988	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2989	"supR3HardNtDisableThreadCreationEx: NtWriteVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
2990
2991	pvProt = pvLdrInitThunk;
2992	cbProt = cbBackup;
2993	rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
2994	if (!NT_SUCCESS(rcNt))
2995	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
2996	"supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk/2 failed: %#x", rcNt);
2997
2998	return VINF_SUCCESS;
2999	}
3000
3001
3002	/**
3003	* Undo the effects of supR3HardNtDisableThreadCreationEx.
3004	*
3005	* @returns VBox status code.
3006	* @param hProcess The process to do this to.
3007	* @param pvLdrInitThunk The address of the LdrInitializeThunk code to
3008	* override.
3009	* @param pabBackup Where to back up the original instruction bytes
3010	* at pvLdrInitThunk.
3011	* @param cbBackup The size of the backup area. Must be 16 bytes.
3012	* @param pErrInfo Where to return extended error information.
3013	* Optional.
3014	*/
3015	static int supR3HardNtEnableThreadCreationEx(HANDLE hProcess, void pvLdrInitThunk, uint8_t const pabBackup, size_t cbBackup,
3016	PRTERRINFO pErrInfo)
3017	{
3018	SUP_DPRINTF(("supR3HardNtEnableThreadCreation:\n"));
3019	SUPR3HARDENED_ASSERT(cbBackup == 16);
3020
3021	PVOID pvProt = pvLdrInitThunk;
3022	SIZE_T cbProt = cbBackup;
3023	ULONG fOldProt = 0;
3024	NTSTATUS rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
3025	if (!NT_SUCCESS(rcNt))
3026	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
3027	"supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
3028
3029	SIZE_T cbIgnored;
3030	rcNt = NtWriteVirtualMemory(hProcess, pvLdrInitThunk, pabBackup, cbBackup, &cbIgnored);
3031	if (!NT_SUCCESS(rcNt))
3032	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
3033	"supR3HardNtEnableThreadCreation: NtWriteVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
3034	rcNt);
3035
3036	pvProt = pvLdrInitThunk;
3037	cbProt = cbBackup;
3038	rcNt = NtProtectVirtualMemory(hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
3039	if (!NT_SUCCESS(rcNt))
3040	return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
3041	"supR3HardNtEnableThreadCreation: NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
3042	rcNt);
3043
3044	return VINF_SUCCESS;
3045	}
3046
3047
3048	/**
3049	* Disable thread creation for the current process.
3050	*
3051	* @remarks Doesn't really disables it, just makes the threads exit immediately
3052	* without executing any real code.
3053	*/
3054	static void supR3HardenedWinDisableThreadCreation(void)
3055	{
3056	/* Cannot use the imported NtTerminateThread as it's pointing to our own
3057	syscall assembly code. */
3058	static PFNRT s_pfnNtTerminateThread = NULL;
3059	if (s_pfnNtTerminateThread == NULL)
3060	s_pfnNtTerminateThread = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtTerminateThread");
3061	SUPR3HARDENED_ASSERT(s_pfnNtTerminateThread);
3062
3063	int rc = supR3HardNtDisableThreadCreationEx(NtCurrentProcess(),
3064	(void *)(uintptr_t)&LdrInitializeThunk,
3065	(void *)(uintptr_t)s_pfnNtTerminateThread,
3066	g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
3067	NULL /* pErrInfo*/);
3068	g_fSupInitThunkSelfPatched = RT_SUCCESS(rc);
3069	}
3070
3071
3072	/**
3073	* Undoes the effects of supR3HardenedWinDisableThreadCreation.
3074	*/
3075	DECLHIDDEN(void) supR3HardenedWinEnableThreadCreation(void)
3076	{
3077	if (g_fSupInitThunkSelfPatched)
3078	{
3079	int rc = supR3HardNtEnableThreadCreationEx(NtCurrentProcess(),
3080	(void *)(uintptr_t)&LdrInitializeThunk,
3081	g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
3082	RTErrInfoInitStatic(&g_ErrInfoStatic));
3083	if (RT_FAILURE(rc))
3084	supR3HardenedError(rc, true /fFatal/, "%s", g_ErrInfoStatic.szMsg);
3085	g_fSupInitThunkSelfPatched = false;
3086	}
3087	}
3088
3089
3090
3091
3092	/*
3093	*
3094	* R e s p a w n
3095	* R e s p a w n
3096	* R e s p a w n
3097	*
3098	*/
3099
3100
3101	/**
3102	* Gets the SID of the user associated with the process.
3103	*
3104	* @returns @c true if we've got a login SID, @c false if not.
3105	* @param pSidUser Where to return the user SID.
3106	* @param cbSidUser The size of the user SID buffer.
3107	* @param pSidLogin Where to return the login SID.
3108	* @param cbSidLogin The size of the login SID buffer.
3109	*/
3110	static bool supR3HardNtChildGetUserAndLogSids(PSID pSidUser, ULONG cbSidUser, PSID pSidLogin, ULONG cbSidLogin)
3111	{
3112	HANDLE hToken;
3113	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken));
3114	union
3115	{
3116	TOKEN_USER UserInfo;
3117	TOKEN_GROUPS Groups;
3118	uint8_t abPadding[4096];
3119	} uBuf;
3120	ULONG cbRet = 0;
3121	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtQueryInformationToken(hToken, TokenUser, &uBuf, sizeof(uBuf), &cbRet));
3122	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCopySid(cbSidUser, pSidUser, uBuf.UserInfo.User.Sid));
3123
3124	bool fLoginSid = false;
3125	NTSTATUS rcNt = NtQueryInformationToken(hToken, TokenLogonSid, &uBuf, sizeof(uBuf), &cbRet);
3126	if (NT_SUCCESS(rcNt))
3127	{
3128	for (DWORD i = 0; i < uBuf.Groups.GroupCount; i++)
3129	if ((uBuf.Groups.Groups[i].Attributes & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID)
3130	{
3131	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCopySid(cbSidLogin, pSidLogin, uBuf.Groups.Groups[i].Sid));
3132	fLoginSid = true;
3133	break;
3134	}
3135	}
3136
3137	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtClose(hToken));
3138
3139	return fLoginSid;
3140	}
3141
3142
3143	/**
3144	* Build security attributes for the process or the primary thread (@a fProcess)
3145	*
3146	* Process DACLs can be bypassed using the SeDebugPrivilege (generally available
3147	* to admins, i.e. normal windows users), or by taking ownership and/or
3148	* modifying the DACL. However, it restricts
3149	*
3150	* @param pSecAttrs Where to return the security attributes.
3151	* @param pCleanup Cleanup record.
3152	* @param fProcess Set if it's for the process, clear if it's for
3153	* the primary thread.
3154	*/
3155	static void supR3HardNtChildInitSecAttrs(PSECURITY_ATTRIBUTES pSecAttrs, PMYSECURITYCLEANUP pCleanup, bool fProcess)
3156	{
3157	/*
3158	* Safe return values.
3159	*/
3160	suplibHardenedMemSet(pCleanup, 0, sizeof(*pCleanup));
3161
3162	pSecAttrs->nLength = sizeof(*pSecAttrs);
3163	pSecAttrs->bInheritHandle = FALSE;
3164	pSecAttrs->lpSecurityDescriptor = NULL;
3165
3166	/** @todo This isn't at all complete, just sketches... */
3167
3168	/*
3169	* Create an ACL detailing the access of the above groups.
3170	*/
3171	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateAcl(&pCleanup->Acl.AclHdr, sizeof(pCleanup->Acl), ACL_REVISION));
3172
3173	ULONG fDeny = DELETE \| WRITE_DAC \| WRITE_OWNER;
3174	ULONG fAllow = SYNCHRONIZE \| READ_CONTROL;
3175	ULONG fAllowLogin = SYNCHRONIZE \| READ_CONTROL;
3176	if (fProcess)
3177	{
3178	fDeny \|= PROCESS_CREATE_THREAD \| PROCESS_SET_SESSIONID \| PROCESS_VM_OPERATION \| PROCESS_VM_WRITE
3179	\| PROCESS_CREATE_PROCESS \| PROCESS_DUP_HANDLE \| PROCESS_SET_QUOTA
3180	\| PROCESS_SET_INFORMATION \| PROCESS_SUSPEND_RESUME;
3181	fAllow \|= PROCESS_TERMINATE \| PROCESS_VM_READ \| PROCESS_QUERY_INFORMATION;
3182	fAllowLogin \|= PROCESS_TERMINATE \| PROCESS_VM_READ \| PROCESS_QUERY_INFORMATION;
3183	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
3184	{
3185	fAllow \|= PROCESS_QUERY_LIMITED_INFORMATION;
3186	fAllowLogin \|= PROCESS_QUERY_LIMITED_INFORMATION;
3187	}
3188	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3)) /* Introduced in Windows 8.1. */
3189	fAllow \|= PROCESS_SET_LIMITED_INFORMATION;
3190	}
3191	else
3192	{
3193	fDeny \|= THREAD_SUSPEND_RESUME \| THREAD_SET_CONTEXT \| THREAD_SET_INFORMATION \| THREAD_SET_THREAD_TOKEN
3194	\| THREAD_IMPERSONATE \| THREAD_DIRECT_IMPERSONATION;
3195	fAllow \|= THREAD_GET_CONTEXT \| THREAD_QUERY_INFORMATION;
3196	fAllowLogin \|= THREAD_GET_CONTEXT \| THREAD_QUERY_INFORMATION;
3197	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
3198	{
3199	fAllow \|= THREAD_QUERY_LIMITED_INFORMATION \| THREAD_SET_LIMITED_INFORMATION;
3200	fAllowLogin \|= THREAD_QUERY_LIMITED_INFORMATION;
3201	}
3202
3203	}
3204	fDeny \|= ~fAllow & (SPECIFIC_RIGHTS_ALL \| STANDARD_RIGHTS_ALL);
3205
3206	/* Deny everyone access to bad bits. */
3207	#if 1
3208	SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
3209	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlInitializeSid(&pCleanup->Everyone.Sid, &SIDAuthWorld, 1));
3210	*RtlSubAuthoritySid(&pCleanup->Everyone.Sid, 0) = SECURITY_WORLD_RID;
3211	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3212	fDeny, &pCleanup->Everyone.Sid));
3213	#endif
3214
3215	#if 0
3216	/* Grant some access to the owner - doesn't work. */
3217	SID_IDENTIFIER_AUTHORITY SIDAuthCreator = SECURITY_CREATOR_SID_AUTHORITY;
3218	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlInitializeSid(&pCleanup->Owner.Sid, &SIDAuthCreator, 1));
3219	*RtlSubAuthoritySid(&pCleanup->Owner.Sid, 0) = SECURITY_CREATOR_OWNER_RID;
3220
3221	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3222	fDeny, &pCleanup->Owner.Sid));
3223	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3224	fAllow, &pCleanup->Owner.Sid));
3225	#endif
3226
3227	#if 1
3228	bool fHasLoginSid = supR3HardNtChildGetUserAndLogSids(&pCleanup->User.Sid, sizeof(pCleanup->User),
3229	&pCleanup->Login.Sid, sizeof(pCleanup->Login));
3230
3231	# if 1
3232	/* Grant minimal access to the user. */
3233	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessDeniedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3234	fDeny, &pCleanup->User.Sid));
3235	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3236	fAllow, &pCleanup->User.Sid));
3237	# endif
3238
3239	# if 1
3240	/* Grant very limited access to the login sid. */
3241	if (fHasLoginSid)
3242	{
3243	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlAddAccessAllowedAce(&pCleanup->Acl.AclHdr, ACL_REVISION,
3244	fAllowLogin, &pCleanup->Login.Sid));
3245	}
3246	# endif
3247
3248	#endif
3249
3250	/*
3251	* Create a security descriptor with the above ACL.
3252	*/
3253	PSECURITY_DESCRIPTOR pSecDesc = (PSECURITY_DESCRIPTOR)RTMemAllocZ(SECURITY_DESCRIPTOR_MIN_LENGTH);
3254	pCleanup->pSecDesc = pSecDesc;
3255
3256	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION));
3257	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlSetDaclSecurityDescriptor(pSecDesc, TRUE /fDaclPresent/, &pCleanup->Acl.AclHdr,
3258	FALSE /fDaclDefaulted/));
3259	pSecAttrs->lpSecurityDescriptor = pSecDesc;
3260	}
3261
3262
3263	/**
3264	* Predicate function which tests whether @a ch is a argument separator
3265	* character.
3266	*
3267	* @returns True/false.
3268	* @param ch The character to examine.
3269	*/
3270	DECLINLINE(bool) suplibCommandLineIsArgSeparator(int ch)
3271	{
3272	return ch == ' '
3273	\|\| ch == '\t'
3274	\|\| ch == '\n'
3275	\|\| ch == '\r';
3276	}
3277
3278
3279	/**
3280	* Construct the new command line.
3281	*
3282	* Since argc/argv are both derived from GetCommandLineW (see
3283	* suplibHardenedWindowsMain), we skip the argument by argument UTF-8 -> UTF-16
3284	* conversion and quoting by going to the original source.
3285	*
3286	* The executable name, though, is replaced in case it's not a fullly
3287	* qualified path.
3288	*
3289	* The re-spawn indicator is added immediately after the executable name
3290	* so that we don't get tripped up missing close quote chars in the last
3291	* argument.
3292	*
3293	* @returns Pointer to a command line string (heap).
3294	* @param pString Unicode string structure to initialize to the
3295	* command line. Optional.
3296	* @param iWhich Which respawn we're to check for, 1 being the first
3297	* one, and 2 the second and final.
3298	*/
3299	static PRTUTF16 supR3HardNtChildConstructCmdLine(PUNICODE_STRING pString, int iWhich)
3300	{
3301	SUPR3HARDENED_ASSERT(iWhich == 1 \|\| iWhich == 2);
3302
3303	/*
3304	* Get the command line and skip the executable name.
3305	*/
3306	PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
3307	PCRTUTF16 pawcArgs = pCmdLineStr->Buffer;
3308	uint32_t cwcArgs = pCmdLineStr->Length / sizeof(WCHAR);
3309
3310	/* Skip leading space (shouldn't be any, but whatever). */
3311	while (cwcArgs > 0 && suplibCommandLineIsArgSeparator(*pawcArgs) )
3312	cwcArgs--, pawcArgs++;
3313	SUPR3HARDENED_ASSERT(cwcArgs > 0 && *pawcArgs != '\0');
3314
3315	/* Walk to the end of it. */
3316	int fQuoted = false;
3317	do
3318	{
3319	if (*pawcArgs == '"')
3320	{
3321	fQuoted = !fQuoted;
3322	cwcArgs--; pawcArgs++;
3323	}
3324	else if (*pawcArgs != '\\' \|\| (pawcArgs[1] != '\\' && pawcArgs[1] != '"'))
3325	cwcArgs--, pawcArgs++;
3326	else
3327	{
3328	unsigned cSlashes = 0;
3329	do
3330	{
3331	cSlashes++;
3332	cwcArgs--;
3333	pawcArgs++;
3334	}
3335	while (cwcArgs > 0 && *pawcArgs == '\\');
3336	if (cwcArgs > 0 && *pawcArgs == '"' && (cSlashes & 1))
3337	cwcArgs--, pawcArgs++; /* odd number of slashes == escaped quote */
3338	}
3339	} while (cwcArgs > 0 && (fQuoted \|\| !suplibCommandLineIsArgSeparator(*pawcArgs)));
3340
3341	/* Skip trailing spaces. */
3342	while (cwcArgs > 0 && suplibCommandLineIsArgSeparator(*pawcArgs))
3343	cwcArgs--, pawcArgs++;
3344
3345	/*
3346	* Allocate a new buffer.
3347	*/
3348	AssertCompile(sizeof(SUPR3_RESPAWN_1_ARG0) == sizeof(SUPR3_RESPAWN_2_ARG0));
3349	size_t cwcCmdLine = (sizeof(SUPR3_RESPAWN_1_ARG0) - 1) / sizeof(SUPR3_RESPAWN_1_ARG0[0]) /* Respawn exe name. */
3350	+ !!cwcArgs + cwcArgs; /* if arguments present, add space + arguments. */
3351	if (cwcCmdLine * sizeof(WCHAR) >= 0xfff0)
3352	supR3HardenedFatalMsg("supR3HardNtChildConstructCmdLine", kSupInitOp_Misc, VERR_OUT_OF_RANGE,
3353	"Command line is too long (%u chars)!", cwcCmdLine);
3354
3355	PRTUTF16 pwszCmdLine = (PRTUTF16)RTMemAlloc((cwcCmdLine + 1) * sizeof(RTUTF16));
3356	SUPR3HARDENED_ASSERT(pwszCmdLine != NULL);
3357
3358	/*
3359	* Construct the new command line.
3360	*/
3361	PRTUTF16 pwszDst = pwszCmdLine;
3362	for (const char pszSrc = iWhich == 1 ? SUPR3_RESPAWN_1_ARG0 : SUPR3_RESPAWN_2_ARG0; pszSrc; pszSrc++)
3363	pwszDst++ = pszSrc;
3364
3365	if (cwcArgs)
3366	{
3367	*pwszDst++ = ' ';
3368	suplibHardenedMemCopy(pwszDst, pawcArgs, cwcArgs * sizeof(RTUTF16));
3369	pwszDst += cwcArgs;
3370	}
3371
3372	*pwszDst = '\0';
3373	SUPR3HARDENED_ASSERT((uintptr_t)(pwszDst - pwszCmdLine) == cwcCmdLine);
3374
3375	if (pString)
3376	{
3377	pString->Buffer = pwszCmdLine;
3378	pString->Length = (USHORT)(cwcCmdLine * sizeof(WCHAR));
3379	pString->MaximumLength = pString->Length + sizeof(WCHAR);
3380	}
3381	return pwszCmdLine;
3382	}
3383
3384
3385	/**
3386	* Terminates the child process.
3387	*
3388	* @param hProcess The process handle.
3389	* @param pszWhere Who's having child rasing troubles.
3390	* @param rc The status code to report.
3391	* @param pszFormat The message format string.
3392	* @param ... Message format arguments.
3393	*/
3394	static void supR3HardenedWinKillChild(HANDLE hProcess, const char pszWhere, int rc, const char pszFormat, ...)
3395	{
3396	/*
3397	* Terminate the process ASAP and display error.
3398	*/
3399	NtTerminateProcess(hProcess, RTEXITCODE_FAILURE);
3400
3401	va_list va;
3402	va_start(va, pszFormat);
3403	supR3HardenedErrorV(rc, false /fFatal/, pszFormat, va);
3404	va_end(va);
3405
3406	/*
3407	* Wait for the process to really go away.
3408	*/
3409	PROCESS_BASIC_INFORMATION BasicInfo;
3410	NTSTATUS rcNtExit = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
3411	bool fExitOk = NT_SUCCESS(rcNtExit) && BasicInfo.ExitStatus != STATUS_PENDING;
3412	if (!fExitOk)
3413	{
3414	NTSTATUS rcNtWait;
3415	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
3416	do
3417	{
3418	NtTerminateProcess(hProcess, DBG_TERMINATE_PROCESS);
3419
3420	LARGE_INTEGER Timeout;
3421	Timeout.QuadPart = -20000000; /* 2 second */
3422	rcNtWait = NtWaitForSingleObject(hProcess, TRUE /Alertable/, &Timeout);
3423
3424	rcNtExit = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
3425	fExitOk = NT_SUCCESS(rcNtExit) && BasicInfo.ExitStatus != STATUS_PENDING;
3426	} while ( !fExitOk
3427	&& ( rcNtWait == STATUS_TIMEOUT
3428	\|\| rcNtWait == STATUS_USER_APC
3429	\|\| rcNtWait == STATUS_ALERTED)
3430	&& supR3HardenedWinGetMilliTS() - uMsTsStart < 60 * 1000);
3431	if (fExitOk)
3432	supR3HardenedError(rc, false /fFatal/,
3433	"NtDuplicateObject failed and we failed to kill child: rc=%u (%#x) rcNtWait=%#x hProcess=%p\n",
3434	rc, rc, rcNtWait, hProcess);
3435	}
3436
3437	/*
3438	* Final error message.
3439	*/
3440	va_start(va, pszFormat);
3441	supR3HardenedFatalMsgV(pszWhere, kSupInitOp_Misc, rc, pszFormat, va);
3442	/* not reached */
3443	}
3444
3445
3446	/**
3447	* Checks the child process when hEvtParent is signalled.
3448	*
3449	* This will read the request data from the child and check it against expected
3450	* request. If an error is signalled, we'll raise it and make sure the child
3451	* terminates before terminating the calling process.
3452	*
3453	* @param pThis The child process data structure.
3454	* @param enmExpectedRequest The expected child request.
3455	* @param pszWhat What we're waiting for.
3456	*/
3457	static void supR3HardNtChildProcessRequest(PSUPR3HARDNTCHILD pThis, SUPR3WINCHILDREQ enmExpectedRequest, const char *pszWhat)
3458	{
3459	/*
3460	* Read the process parameters from the child.
3461	*/
3462	uintptr_t uChildAddr = (uintptr_t)pThis->Peb.ImageBaseAddress
3463	+ ((uintptr_t)&g_ProcParams - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
3464	SIZE_T cbIgnored = 0;
3465	RT_ZERO(pThis->ProcParams);
3466	NTSTATUS rcNt = NtReadVirtualMemory(pThis->hProcess, (PVOID)uChildAddr,
3467	&pThis->ProcParams, sizeof(pThis->ProcParams), &cbIgnored);
3468	if (!NT_SUCCESS(rcNt))
3469	supR3HardenedWinKillChild(pThis, "supR3HardNtChildProcessRequest", rcNt,
3470	"NtReadVirtualMemory(,%p,) failed reading child process status: %#x\n", uChildAddr, rcNt);
3471
3472	/*
3473	* Is it the expected request?
3474	*/
3475	if (pThis->ProcParams.enmRequest == enmExpectedRequest)
3476	return;
3477
3478	/*
3479	* No, not the expected request. If it's an error request, tell the child
3480	* to terminate itself, otherwise we'll have to terminate it.
3481	*/
3482	pThis->ProcParams.szErrorMsg[sizeof(pThis->ProcParams.szErrorMsg) - 1] = '\0';
3483	pThis->ProcParams.szWhere[sizeof(pThis->ProcParams.szWhere) - 1] = '\0';
3484	SUP_DPRINTF(("supR3HardenedWinCheckChild: enmRequest=%d rc=%d enmWhat=%d %s: %s\n",
3485	pThis->ProcParams.enmRequest, pThis->ProcParams.rc, pThis->ProcParams.enmWhat,
3486	pThis->ProcParams.szWhere, pThis->ProcParams.szErrorMsg));
3487
3488	if (pThis->ProcParams.enmRequest != kSupR3WinChildReq_Error)
3489	supR3HardenedWinKillChild(pThis, "supR3HardenedWinCheckChild", VERR_INVALID_PARAMETER,
3490	"Unexpected child request #%d. Was expecting #%d (%s).\n",
3491	pThis->ProcParams.enmRequest, enmExpectedRequest, pszWhat);
3492
3493	rcNt = NtSetEvent(pThis->hEvtChild, NULL);
3494	if (!NT_SUCCESS(rcNt))
3495	supR3HardenedWinKillChild(pThis, "supR3HardNtChildProcessRequest", rcNt, "NtSetEvent failed: %#x\n", rcNt);
3496
3497	/* Wait for it to terminate. */
3498	LARGE_INTEGER Timeout;
3499	Timeout.QuadPart = -50000000; /* 5 seconds */
3500	rcNt = NtWaitForSingleObject(pThis->hProcess, FALSE /Alertable/, &Timeout);
3501	if (rcNt != STATUS_WAIT_0)
3502	{
3503	SUP_DPRINTF(("supR3HardNtChildProcessRequest: Child is taking too long to quit (rcWait=%#x), killing it...\n", rcNt));
3504	NtTerminateProcess(pThis->hProcess, DBG_TERMINATE_PROCESS);
3505	}
3506
3507	/*
3508	* Report the error in the same way as it occured in the guest.
3509	*/
3510	if (pThis->ProcParams.enmWhat == kSupInitOp_Invalid)
3511	supR3HardenedFatalMsg("supR3HardenedWinCheckChild", kSupInitOp_Misc, pThis->ProcParams.rc,
3512	"%s", pThis->ProcParams.szErrorMsg);
3513	else
3514	supR3HardenedFatalMsg(pThis->ProcParams.szWhere, pThis->ProcParams.enmWhat, pThis->ProcParams.rc,
3515	"%s", pThis->ProcParams.szErrorMsg);
3516	}
3517
3518
3519	/**
3520	* Waits for the child to make a certain request or terminate.
3521	*
3522	* The stub process will also wait on it's parent to terminate.
3523	* This call will only return if the child made the expected request.
3524	*
3525	* @param pThis The child process data structure.
3526	* @param enmExpectedRequest The child request to wait for.
3527	* @param cMsTimeout The number of milliseconds to wait (at least).
3528	* @param pszWhat What we're waiting for.
3529	*/
3530	static void supR3HardNtChildWaitFor(PSUPR3HARDNTCHILD pThis, SUPR3WINCHILDREQ enmExpectedRequest, RTMSINTERVAL cMsTimeout,
3531	const char *pszWhat)
3532	{
3533	/*
3534	* The wait loop.
3535	* Will return when the expected request arrives.
3536	* Will break out when one of the processes terminates.
3537	*/
3538	NTSTATUS rcNtWait;
3539	LARGE_INTEGER Timeout;
3540	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
3541	uint64_t cMsElapsed = 0;
3542	for (;;)
3543	{
3544	/*
3545	* Assemble handles to wait for.
3546	*/
3547	ULONG cHandles = 1;
3548	HANDLE ahHandles[3];
3549	ahHandles[0] = pThis->hProcess;
3550	if (pThis->hEvtParent)
3551	ahHandles[cHandles++] = pThis->hEvtParent;
3552	if (pThis->hParent)
3553	ahHandles[cHandles++] = pThis->hParent;
3554
3555	/*
3556	* Do the waiting according to the callers wishes.
3557	*/
3558	if ( enmExpectedRequest == kSupR3WinChildReq_End
3559	\|\| cMsTimeout == RT_INDEFINITE_WAIT)
3560	rcNtWait = NtWaitForMultipleObjects(cHandles, &ahHandles[0], WaitAnyObject, TRUE /Alertable/, NULL /Timeout/);
3561	else
3562	{
3563	Timeout.QuadPart = -(int64_t)(cMsTimeout - cMsElapsed) * 10000;
3564	rcNtWait = NtWaitForMultipleObjects(cHandles, &ahHandles[0], WaitAnyObject, TRUE /Alertable/, &Timeout);
3565	}
3566
3567	/*
3568	* Process child request.
3569	*/
3570	if (rcNtWait == STATUS_WAIT_0 + 1 && pThis->hEvtParent != NULL)
3571	{
3572	supR3HardNtChildProcessRequest(pThis, enmExpectedRequest, pszWhat);
3573	SUP_DPRINTF(("supR3HardNtChildWaitFor: Found expected request %d (%s) after %llu ms.\n",
3574	enmExpectedRequest, pszWhat, supR3HardenedWinGetMilliTS() - uMsTsStart));
3575	return; /* Expected request received. */
3576	}
3577
3578	/*
3579	* Process termination?
3580	*/
3581	if ( (ULONG)rcNtWait - (ULONG)STATUS_WAIT_0 < cHandles
3582	\|\| (ULONG)rcNtWait - (ULONG)STATUS_ABANDONED_WAIT_0 < cHandles)
3583	break;
3584
3585	/*
3586	* Check sanity.
3587	*/
3588	if ( rcNtWait != STATUS_TIMEOUT
3589	&& rcNtWait != STATUS_USER_APC
3590	&& rcNtWait != STATUS_ALERTED)
3591	supR3HardenedWinKillChild(pThis, "supR3HardNtChildWaitFor", rcNtWait,
3592	"NtWaitForMultipleObjects returned %#x waiting for #%d (%s)\n",
3593	rcNtWait, enmExpectedRequest, pszWhat);
3594
3595	/*
3596	* Calc elapsed time for the next timeout calculation, checking to see
3597	* if we've timed out already.
3598	*/
3599	cMsElapsed = supR3HardenedWinGetMilliTS() - uMsTsStart;
3600	if ( cMsElapsed > cMsTimeout
3601	&& cMsTimeout != RT_INDEFINITE_WAIT
3602	&& enmExpectedRequest != kSupR3WinChildReq_End)
3603	{
3604	if (rcNtWait == STATUS_USER_APC \|\| rcNtWait == STATUS_ALERTED)
3605	cMsElapsed = cMsTimeout - 1; /* try again */
3606	else
3607	{
3608	/* We timed out. */
3609	supR3HardenedWinKillChild(pThis, "supR3HardNtChildWaitFor", rcNtWait,
3610	"Timed out after %llu ms waiting for child request #%d (%s).\n",
3611	cMsElapsed, enmExpectedRequest, pszWhat);
3612	}
3613	}
3614	}
3615
3616	/*
3617	* Proxy the termination code of the child, if it exited already.
3618	*/
3619	PROCESS_BASIC_INFORMATION BasicInfo;
3620	NTSTATUS rcNt1 = NtQueryInformationProcess(pThis->hProcess, ProcessBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL);
3621	NTSTATUS rcNt2 = STATUS_PENDING;
3622	NTSTATUS rcNt3 = STATUS_PENDING;
3623	if ( !NT_SUCCESS(rcNt1)
3624	\|\| BasicInfo.ExitStatus == STATUS_PENDING)
3625	{
3626	rcNt2 = NtTerminateProcess(pThis->hProcess, RTEXITCODE_FAILURE);
3627	Timeout.QuadPart = NT_SUCCESS(rcNt2) ? -20000000 /* 2 sec / : -1280000 / 128 ms */;
3628	rcNt3 = NtWaitForSingleObject(pThis->hProcess, FALSE /Alertable/, NULL /Timeout/);
3629	BasicInfo.ExitStatus = RTEXITCODE_FAILURE;
3630	}
3631
3632	SUP_DPRINTF(("supR3HardNtChildWaitFor[%d]: Quitting: ExitCode=%#x (rcNtWait=%#x, rcNt1=%#x, rcNt2=%#x, rcNt3=%#x, %llu ms, %s);\n",
3633	pThis->iWhich, BasicInfo.ExitStatus, rcNtWait, rcNt1, rcNt2, rcNt3,
3634	supR3HardenedWinGetMilliTS() - uMsTsStart, pszWhat));
3635	suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
3636	}
3637
3638
3639	/**
3640	* Closes full access child thread and process handles, making a harmless
3641	* duplicate of the process handle first.
3642	*
3643	* The hProcess member of the child process data structure will be change to the
3644	* harmless handle, while the hThread will be set to NULL.
3645	*
3646	* @param pThis The child process data structure.
3647	*/
3648	static void supR3HardNtChildCloseFullAccessHandles(PSUPR3HARDNTCHILD pThis)
3649	{
3650	/*
3651	* The thread handle.
3652	*/
3653	NTSTATUS rcNt = NtClose(pThis->hThread);
3654	if (!NT_SUCCESS(rcNt))
3655	supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", rcNt, "NtClose(hThread) failed: %#x", rcNt);
3656	pThis->hThread = NULL;
3657
3658	/*
3659	* Duplicate the process handle into a harmless one.
3660	*/
3661	HANDLE hProcWait;
3662	ULONG fRights = SYNCHRONIZE \| PROCESS_TERMINATE \| PROCESS_VM_READ;
3663	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* Introduced in Vista. */
3664	fRights \|= PROCESS_QUERY_LIMITED_INFORMATION;
3665	else
3666	fRights \|= PROCESS_QUERY_INFORMATION;
3667	rcNt = NtDuplicateObject(NtCurrentProcess(), pThis->hProcess,
3668	NtCurrentProcess(), &hProcWait,
3669	fRights, 0 /HandleAttributes/, 0);
3670	if (rcNt == STATUS_ACCESS_DENIED)
3671	{
3672	supR3HardenedError(rcNt, false /fFatal/,
3673	"supR3HardenedWinDoReSpawn: NtDuplicateObject(,,,,%#x,,) -> %#x, retrying with only %#x...\n",
3674	fRights, rcNt, SYNCHRONIZE);
3675	rcNt = NtDuplicateObject(NtCurrentProcess(), pThis->hProcess,
3676	NtCurrentProcess(), &hProcWait,
3677	SYNCHRONIZE, 0 /HandleAttributes/, 0);
3678	}
3679	if (!NT_SUCCESS(rcNt))
3680	supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", rcNt,
3681	"NtDuplicateObject failed on child process handle: %#x\n", rcNt);
3682	/*
3683	* Close the process handle and replace it with the harmless one.
3684	*/
3685	rcNt = NtClose(pThis->hProcess);
3686	pThis->hProcess = hProcWait;
3687	if (!NT_SUCCESS(rcNt))
3688	supR3HardenedWinKillChild(pThis, "supR3HardenedWinReSpawn", VERR_INVALID_NAME,
3689	"NtClose failed on child process handle: %#x\n", rcNt);
3690	}
3691
3692
3693	/**
3694	* This restores the child PEB and tweaks a couple of fields before we do the
3695	* child purification and let the process run normally.
3696	*
3697	* @param pThis The child process data structure.
3698	*/
3699	static void supR3HardNtChildSanitizePeb(PSUPR3HARDNTCHILD pThis)
3700	{
3701	/*
3702	* Make a copy of the pre-execution PEB.
3703	*/
3704	PEB Peb = pThis->Peb;
3705
3706	#if 0
3707	/*
3708	* There should not be any activation context, so if there is, we scratch the memory associated with it.
3709	*/
3710	int rc = 0;
3711	if (RT_SUCCESS(rc) && Peb.pShimData && !((uintptr_t)Peb.pShimData & PAGE_OFFSET_MASK))
3712	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.pShimData, PAGE_SIZE, "pShimData", pErrInfo);
3713	if (RT_SUCCESS(rc) && Peb.ActivationContextData && !((uintptr_t)Peb.ActivationContextData & PAGE_OFFSET_MASK))
3714	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ActivationContextData, PAGE_SIZE, "ActivationContextData", pErrInfo);
3715	if (RT_SUCCESS(rc) && Peb.ProcessAssemblyStorageMap && !((uintptr_t)Peb.ProcessAssemblyStorageMap & PAGE_OFFSET_MASK))
3716	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ProcessAssemblyStorageMap, PAGE_SIZE, "ProcessAssemblyStorageMap", pErrInfo);
3717	if (RT_SUCCESS(rc) && Peb.SystemDefaultActivationContextData && !((uintptr_t)Peb.SystemDefaultActivationContextData & PAGE_OFFSET_MASK))
3718	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.ProcessAssemblyStorageMap, PAGE_SIZE, "SystemDefaultActivationContextData", pErrInfo);
3719	if (RT_SUCCESS(rc) && Peb.SystemAssemblyStorageMap && !((uintptr_t)Peb.SystemAssemblyStorageMap & PAGE_OFFSET_MASK))
3720	rc = supR3HardenedWinScratchChildMemory(hProcess, Peb.SystemAssemblyStorageMap, PAGE_SIZE, "SystemAssemblyStorageMap", pErrInfo);
3721	if (RT_FAILURE(rc))
3722	return rc;
3723	#endif
3724
3725	/*
3726	* Clear compatibility and activation related fields.
3727	*/
3728	Peb.AppCompatFlags.QuadPart = 0;
3729	Peb.AppCompatFlagsUser.QuadPart = 0;
3730	Peb.pShimData = NULL;
3731	Peb.AppCompatInfo = NULL;
3732	#if 0
3733	Peb.ActivationContextData = NULL;
3734	Peb.ProcessAssemblyStorageMap = NULL;
3735	Peb.SystemDefaultActivationContextData = NULL;
3736	Peb.SystemAssemblyStorageMap = NULL;
3737	/Peb.Diff0.W6.IsProtectedProcess = 1;/
3738	#endif
3739
3740	/*
3741	* Write back the PEB.
3742	*/
3743	SIZE_T cbActualMem = pThis->cbPeb;
3744	NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &Peb, pThis->cbPeb, &cbActualMem);
3745	if (!NT_SUCCESS(rcNt))
3746	supR3HardenedWinKillChild(pThis, "supR3HardNtChildSanitizePeb", rcNt,
3747	"NtWriteVirtualMemory/Peb failed: %#x", rcNt);
3748
3749	}
3750
3751
3752	/**
3753	* Purifies the child process after very early init has been performed.
3754	*
3755	* @param pThis The child process data structure.
3756	*/
3757	static void supR3HardNtChildPurify(PSUPR3HARDNTCHILD pThis)
3758	{
3759	/*
3760	* We loop until we no longer make any fixes. This is similar to what
3761	* we do (or used to do, really) in the fAvastKludge case of
3762	* supR3HardenedWinInit. We might be up against asynchronous changes,
3763	* which we fudge by waiting a short while before earch purification. This
3764	* is arguably a fragile technique, but it's currently the best we've got.
3765	* Fortunately, most AVs seems to either favor immediate action on initial
3766	* load events or (much better for us) later events like kernel32.
3767	*/
3768	uint64_t uMsTsOuterStart = supR3HardenedWinGetMilliTS();
3769	uint32_t cMsFudge = g_fSupAdversaries ? 512 : 256;
3770	uint32_t cTotalFixes = 0;
3771	uint32_t cFixes = 0; /* (MSC wrongly thinks this maybe used uninitialized) */
3772	for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
3773	{
3774	/*
3775	* Delay.
3776	*/
3777	uint32_t cSleeps = 0;
3778	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
3779	do
3780	{
3781	NtYieldExecution();
3782	LARGE_INTEGER Time;
3783	Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
3784	NtDelayExecution(FALSE, &Time);
3785	cSleeps++;
3786	} while ( supR3HardenedWinGetMilliTS() - uMsTsStart <= cMsFudge
3787	\|\| cSleeps < 8);
3788	SUP_DPRINTF(("supR3HardNtChildPurify: Startup delay kludge #1/%u: %u ms, %u sleeps\n",
3789	iLoop, supR3HardenedWinGetMilliTS() - uMsTsStart, cSleeps));
3790
3791	/*
3792	* Purify.
3793	*/
3794	cFixes = 0;
3795	int rc = supHardenedWinVerifyProcess(pThis->hProcess, pThis->hThread, SUPHARDNTVPKIND_CHILD_PURIFICATION,
3796	g_fSupAdversaries & ( SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE
3797	\| SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)
3798	? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW : 0,
3799	&cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic));
3800	if (RT_FAILURE(rc))
3801	supR3HardenedWinKillChild(pThis, "supR3HardNtChildPurify", rc,
3802	"supHardenedWinVerifyProcess failed with %Rrc: %s", rc, g_ErrInfoStatic.szMsg);
3803	if (cFixes == 0)
3804	{
3805	SUP_DPRINTF(("supR3HardNtChildPurify: Done after %llu ms and %u fixes (loop #%u).\n",
3806	supR3HardenedWinGetMilliTS() - uMsTsOuterStart, cTotalFixes, iLoop));
3807	return; /* We're probably good. */
3808	}
3809	cTotalFixes += cFixes;
3810
3811	if (!g_fSupAdversaries)
3812	g_fSupAdversaries \|= SUPHARDNT_ADVERSARY_UNKNOWN;
3813	cMsFudge = 512;
3814
3815	/*
3816	* Log the KiOpPrefetchPatchCount value if available, hoping it might
3817	* sched some light on spider38's case.
3818	*/
3819	ULONG cPatchCount = 0;
3820	NTSTATUS rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
3821	&cPatchCount, sizeof(cPatchCount), NULL);
3822	if (NT_SUCCESS(rcNt))
3823	SUP_DPRINTF(("supR3HardNtChildPurify: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
3824	cFixes, g_fSupAdversaries, cPatchCount));
3825	else
3826	SUP_DPRINTF(("supR3HardNtChildPurify: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
3827	}
3828
3829	/*
3830	* We've given up fixing the child process. Probably fighting someone
3831	* that monitors their patches or/and our activities.
3832	*/
3833	supR3HardenedWinKillChild(pThis, "supR3HardNtChildPurify", VERR_TRY_AGAIN,
3834	"Unable to purify child process! After 16 tries over %llu ms, we still %u fix(es) in the last pass.",
3835	supR3HardenedWinGetMilliTS() - uMsTsOuterStart, cFixes);
3836	}
3837
3838
3839
3840	/**
3841	* Sets up the early process init.
3842	*
3843	* @param pThis The child process data structure.
3844	*/
3845	static void supR3HardNtChildSetUpChildInit(PSUPR3HARDNTCHILD pThis)
3846	{
3847	uintptr_t const uChildExeAddr = (uintptr_t)pThis->Peb.ImageBaseAddress;
3848
3849	/*
3850	* Plant the process parameters. This ASSUMES the handle inheritance is
3851	* performed when creating the child process.
3852	*/
3853	RT_ZERO(pThis->ProcParams);
3854	pThis->ProcParams.hEvtChild = pThis->hEvtChild;
3855	pThis->ProcParams.hEvtParent = pThis->hEvtParent;
3856	pThis->ProcParams.uNtDllAddr = pThis->uNtDllAddr;
3857	pThis->ProcParams.enmRequest = kSupR3WinChildReq_Error;
3858	pThis->ProcParams.rc = VINF_SUCCESS;
3859
3860	uintptr_t uChildAddr = uChildExeAddr + ((uintptr_t)&g_ProcParams - (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
3861	SIZE_T cbIgnored;
3862	NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, (PVOID)uChildAddr, &pThis->ProcParams,
3863	sizeof(pThis->ProcParams), &cbIgnored);
3864	if (!NT_SUCCESS(rcNt))
3865	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3866	"NtWriteVirtualMemory(,%p,) failed writing child process parameters: %#x\n", uChildAddr, rcNt);
3867
3868	/*
3869	* Locate the LdrInitializeThunk address in the child as well as pristine
3870	* code bits for it.
3871	*/
3872	PSUPHNTLDRCACHEENTRY pLdrEntry;
3873	int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry, NULL /pErrInfo/);
3874	if (RT_FAILURE(rc))
3875	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
3876	"supHardNtLdrCacheOpen failed on NTDLL: %Rrc\n", rc);
3877
3878	uint8_t *pbChildNtDllBits;
3879	rc = supHardNtLdrCacheEntryGetBits(pLdrEntry, &pbChildNtDllBits, pThis->uNtDllAddr, NULL, NULL, NULL /pErrInfo/);
3880	if (RT_FAILURE(rc))
3881	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
3882	"supHardNtLdrCacheEntryGetBits failed on NTDLL: %Rrc\n", rc);
3883
3884	RTLDRADDR uLdrInitThunk;
3885	rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbChildNtDllBits, pThis->uNtDllAddr, UINT32_MAX,
3886	"LdrInitializeThunk", &uLdrInitThunk);
3887	if (RT_FAILURE(rc))
3888	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rc,
3889	"Error locating LdrInitializeThunk in NTDLL: %Rrc", rc);
3890	PVOID pvLdrInitThunk = (PVOID)(uintptr_t)uLdrInitThunk;
3891	SUP_DPRINTF(("supR3HardenedWinSetupChildInit: uLdrInitThunk=%p\n", (uintptr_t)uLdrInitThunk));
3892
3893	/*
3894	* Calculate the address of our code in the child process.
3895	*/
3896	uintptr_t uEarlyProcInitEP = uChildExeAddr + ( (uintptr_t)&supR3HardenedEarlyProcessInitThunk
3897	- (uintptr_t)NtCurrentPeb()->ImageBaseAddress);
3898
3899	/*
3900	* Compose the LdrInitializeThunk replacement bytes.
3901	* Note! The amount of code we replace here must be less or equal to what
3902	* the process verification code ignores.
3903	*/
3904	uint8_t abNew[16];
3905	memcpy(abNew, pbChildNtDllBits + ((uintptr_t)uLdrInitThunk - pThis->uNtDllAddr), sizeof(abNew));
3906	#ifdef RT_ARCH_AMD64
3907	abNew[0] = 0xff;
3908	abNew[1] = 0x25;
3909	(uint32_t )&abNew[2] = 0;
3910	(uint64_t )&abNew[6] = uEarlyProcInitEP;
3911	#elif defined(RT_ARCH_X86)
3912	abNew[0] = 0xe9;
3913	(uint32_t )&abNew[1] = uEarlyProcInitEP - ((uint32_t)uLdrInitThunk + 5);
3914	#else
3915	# error "Unsupported arch."
3916	#endif
3917
3918	/*
3919	* Install the LdrInitializeThunk replacement code in the child process.
3920	*/
3921	PVOID pvProt = pvLdrInitThunk;
3922	SIZE_T cbProt = sizeof(abNew);
3923	ULONG fOldProt;
3924	rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, PAGE_EXECUTE_READWRITE, &fOldProt);
3925	if (!NT_SUCCESS(rcNt))
3926	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3927	"NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
3928
3929	rcNt = NtWriteVirtualMemory(pThis->hProcess, pvLdrInitThunk, abNew, sizeof(abNew), &cbIgnored);
3930	if (!NT_SUCCESS(rcNt))
3931	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3932	"NtWriteVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
3933
3934	pvProt = pvLdrInitThunk;
3935	cbProt = sizeof(abNew);
3936	rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, fOldProt, &fOldProt);
3937	if (!NT_SUCCESS(rcNt))
3938	supR3HardenedWinKillChild(pThis, "supR3HardenedWinSetupChildInit", rcNt,
3939	"NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x", rcNt);
3940
3941	/* Caller starts child execution. */
3942	SUP_DPRINTF(("supR3HardenedWinSetupChildInit: Start child.\n"));
3943	}
3944
3945
3946
3947	/**
3948	* This messes with the child PEB before we trigger the initial image events.
3949	*
3950	* @param pThis The child process data structure.
3951	*/
3952	static void supR3HardNtChildScrewUpPebForInitialImageEvents(PSUPR3HARDNTCHILD pThis)
3953	{
3954	/*
3955	* Not sure if any of the cracker software uses the PEB at this point, but
3956	* just in case they do make some of the PEB fields a little less useful.
3957	*/
3958	PEB Peb = pThis->Peb;
3959
3960	/* Make ImageBaseAddress useless. */
3961	Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress ^ UINT32_C(0x5f139000));
3962	#ifdef RT_ARCH_AMD64
3963	Peb.ImageBaseAddress = (PVOID)((uintptr_t)Peb.ImageBaseAddress \| UINT64_C(0x0313000000000000));
3964	#endif
3965
3966	/*
3967	* Write the PEB.
3968	*/
3969	SIZE_T cbActualMem = pThis->cbPeb;
3970	NTSTATUS rcNt = NtWriteVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &Peb, pThis->cbPeb, &cbActualMem);
3971	if (!NT_SUCCESS(rcNt))
3972	supR3HardenedWinKillChild(pThis, "supR3HardNtChildScrewUpPebForInitialImageEvents", rcNt,
3973	"NtWriteVirtualMemory/Peb failed: %#x", rcNt);
3974	}
3975
3976
3977	/**
3978	* Check if the zero terminated NT unicode string is the path to the given
3979	* system32 DLL.
3980	*
3981	* @returns true if it is, false if not.
3982	* @param pUniStr The zero terminated NT unicode string path.
3983	* @param pszName The name of the system32 DLL.
3984	*/
3985	static bool supR3HardNtIsNamedSystem32Dll(PUNICODE_STRING pUniStr, const char *pszName)
3986	{
3987	if (pUniStr->Length > g_System32NtPath.UniStr.Length)
3988	{
3989	if (memcmp(pUniStr->Buffer, g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length) == 0)
3990	{
3991	if (pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR)] == '\\')
3992	{
3993	if (RTUtf16ICmpAscii(&pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR) + 1], pszName) == 0)
3994	return true;
3995	}
3996	}
3997	}
3998
3999	return false;
4000	}
4001
4002
4003	/**
4004	* Worker for supR3HardNtChildGatherData that locates NTDLL in the child
4005	* process.
4006	*
4007	* @param pThis The child process data structure.
4008	*/
4009	static void supR3HardNtChildFindNtdll(PSUPR3HARDNTCHILD pThis)
4010	{
4011	/*
4012	* Find NTDLL in this process first and take that as a starting point.
4013	*/
4014	pThis->uNtDllParentAddr = (uintptr_t)GetModuleHandleW(L"ntdll.dll");
4015	SUPR3HARDENED_ASSERT(pThis->uNtDllParentAddr != 0 && !(pThis->uNtDllParentAddr & PAGE_OFFSET_MASK));
4016	pThis->uNtDllAddr = pThis->uNtDllParentAddr;
4017
4018	/*
4019	* Scan the virtual memory of the child.
4020	*/
4021	uintptr_t cbAdvance = 0;
4022	uintptr_t uPtrWhere = 0;
4023	for (uint32_t i = 0; i < 1024; i++)
4024	{
4025	/* Query information. */
4026	SIZE_T cbActual = 0;
4027	MEMORY_BASIC_INFORMATION MemInfo = { 0, 0, 0, 0, 0, 0, 0 };
4028	NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess,
4029	(void const *)uPtrWhere,
4030	MemoryBasicInformation,
4031	&MemInfo,
4032	sizeof(MemInfo),
4033	&cbActual);
4034	if (!NT_SUCCESS(rcNt))
4035	break;
4036
4037	if ( MemInfo.Type == SEC_IMAGE
4038	\|\| MemInfo.Type == SEC_PROTECTED_IMAGE
4039	\|\| MemInfo.Type == (SEC_IMAGE \| SEC_PROTECTED_IMAGE))
4040	{
4041	if (MemInfo.BaseAddress == MemInfo.AllocationBase)
4042	{
4043	/* Get the image name. */
4044	union
4045	{
4046	UNICODE_STRING UniStr;
4047	uint8_t abPadding[4096];
4048	} uBuf;
4049	NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess,
4050	MemInfo.BaseAddress,
4051	MemorySectionName,
4052	&uBuf,
4053	sizeof(uBuf) - sizeof(WCHAR),
4054	&cbActual);
4055	if (NT_SUCCESS(rcNt))
4056	{
4057	uBuf.UniStr.Buffer[uBuf.UniStr.Length / sizeof(WCHAR)] = '\0';
4058	if (supR3HardNtIsNamedSystem32Dll(&uBuf.UniStr, "ntdll.dll"))
4059	{
4060	pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase;
4061	SUP_DPRINTF(("supR3HardNtPuChFindNtdll: uNtDllParentAddr=%p uNtDllChildAddr=%p\n",
4062	pThis->uNtDllParentAddr, pThis->uNtDllAddr));
4063	return;
4064	}
4065	}
4066	}
4067	}
4068
4069	/*
4070	* Advance.
4071	*/
4072	cbAdvance = MemInfo.RegionSize;
4073	if (uPtrWhere + cbAdvance <= uPtrWhere)
4074	break;
4075	uPtrWhere += MemInfo.RegionSize;
4076	}
4077
4078	supR3HardenedWinKillChild(pThis, "supR3HardNtChildFindNtdll", VERR_MODULE_NOT_FOUND, "ntdll.dll not found in child process.");
4079	}
4080
4081
4082	/**
4083	* Gather child data.
4084	*
4085	* @param pThis The child process data structure.
4086	*/
4087	static void supR3HardNtChildGatherData(PSUPR3HARDNTCHILD pThis)
4088	{
4089	/*
4090	* Basic info.
4091	*/
4092	ULONG cbActual = 0;
4093	NTSTATUS rcNt = NtQueryInformationProcess(pThis->hProcess, ProcessBasicInformation,
4094	&pThis->BasicInfo, sizeof(pThis->BasicInfo), &cbActual);
4095	if (!NT_SUCCESS(rcNt))
4096	supR3HardenedWinKillChild(pThis, "supR3HardNtChildGatherData", rcNt,
4097	"NtQueryInformationProcess/ProcessBasicInformation failed: %#x", rcNt);
4098
4099	/*
4100	* If this is the middle (stub) process, we wish to wait for both child
4101	* and parent. So open the parent process. Not fatal if we cannnot.
4102	*/
4103	if (pThis->iWhich > 1)
4104	{
4105	PROCESS_BASIC_INFORMATION SelfInfo;
4106	rcNt = NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &SelfInfo, sizeof(SelfInfo), &cbActual);
4107	if (NT_SUCCESS(rcNt))
4108	{
4109	OBJECT_ATTRIBUTES ObjAttr;
4110	InitializeObjectAttributes(&ObjAttr, NULL, 0, NULL /hRootDir/, NULL /pSecDesc/);
4111
4112	CLIENT_ID ClientId;
4113	ClientId.UniqueProcess = (HANDLE)SelfInfo.InheritedFromUniqueProcessId;
4114	ClientId.UniqueThread = NULL;
4115
4116	rcNt = NtOpenProcess(&pThis->hParent, SYNCHRONIZE \| PROCESS_QUERY_INFORMATION, &ObjAttr, &ClientId);
4117	#ifdef DEBUG
4118	SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
4119	#endif
4120	if (!NT_SUCCESS(rcNt))
4121	{
4122	pThis->hParent = NULL;
4123	SUP_DPRINTF(("supR3HardNtChildGatherData: Failed to open parent process (%#p): %#x\n", ClientId.UniqueProcess, rcNt));
4124	}
4125	}
4126
4127	}
4128
4129	/*
4130	* Process environment block.
4131	*/
4132	if (g_uNtVerCombined < SUP_NT_VER_W2K3)
4133	pThis->cbPeb = PEB_SIZE_W51;
4134	else if (g_uNtVerCombined < SUP_NT_VER_VISTA)
4135	pThis->cbPeb = PEB_SIZE_W52;
4136	else if (g_uNtVerCombined < SUP_NT_VER_W70)
4137	pThis->cbPeb = PEB_SIZE_W6;
4138	else if (g_uNtVerCombined < SUP_NT_VER_W80)
4139	pThis->cbPeb = PEB_SIZE_W7;
4140	else if (g_uNtVerCombined < SUP_NT_VER_W81)
4141	pThis->cbPeb = PEB_SIZE_W80;
4142	else
4143	pThis->cbPeb = PEB_SIZE_W81;
4144
4145	SUP_DPRINTF(("supR3HardNtChildGatherData: PebBaseAddress=%p cbPeb=%#x\n",
4146	pThis->BasicInfo.PebBaseAddress, pThis->cbPeb));
4147
4148	SIZE_T cbActualMem;
4149	RT_ZERO(pThis->Peb);
4150	rcNt = NtReadVirtualMemory(pThis->hProcess, pThis->BasicInfo.PebBaseAddress, &pThis->Peb, sizeof(pThis->Peb), &cbActualMem);
4151	if (!NT_SUCCESS(rcNt))
4152	supR3HardenedWinKillChild(pThis, "supR3HardNtChildGatherData", rcNt,
4153	"NtReadVirtualMemory/Peb failed: %#x", rcNt);
4154
4155	/*
4156	* Locate NtDll.
4157	*/
4158	supR3HardNtChildFindNtdll(pThis);
4159	}
4160
4161
4162	/**
4163	* Does the actually respawning.
4164	*
4165	* @returns Never, will call exit or raise fatal error.
4166	* @param iWhich Which respawn we're to check for, 1 being the
4167	* first one, and 2 the second and final.
4168	*/
4169	static DECL_NO_RETURN(void) supR3HardenedWinDoReSpawn(int iWhich)
4170	{
4171	NTSTATUS rcNt;
4172	PPEB pPeb = NtCurrentPeb();
4173	PRTL_USER_PROCESS_PARAMETERS pParentProcParams = pPeb->ProcessParameters;
4174
4175	SUPR3HARDENED_ASSERT(g_cSuplibHardenedWindowsMainCalls == 1);
4176
4177	/*
4178	* Init the child process data structure, creating the child communication
4179	* event sempahores.
4180	*/
4181	SUPR3HARDNTCHILD This;
4182	RT_ZERO(This);
4183	This.iWhich = iWhich;
4184
4185	OBJECT_ATTRIBUTES ObjAttrs;
4186	This.hEvtChild = NULL;
4187	InitializeObjectAttributes(&ObjAttrs, NULL /pName/, OBJ_INHERIT, NULL /hRootDir/, NULL /pSecDesc/);
4188	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtCreateEvent(&This.hEvtChild, EVENT_ALL_ACCESS, &ObjAttrs, SynchronizationEvent, FALSE));
4189
4190	This.hEvtParent = NULL;
4191	InitializeObjectAttributes(&ObjAttrs, NULL /pName/, OBJ_INHERIT, NULL /hRootDir/, NULL /pSecDesc/);
4192	SUPR3HARDENED_ASSERT_NT_SUCCESS(NtCreateEvent(&This.hEvtParent, EVENT_ALL_ACCESS, &ObjAttrs, SynchronizationEvent, FALSE));
4193
4194	/*
4195	* Set up security descriptors.
4196	*/
4197	SECURITY_ATTRIBUTES ProcessSecAttrs;
4198	MYSECURITYCLEANUP ProcessSecAttrsCleanup;
4199	supR3HardNtChildInitSecAttrs(&ProcessSecAttrs, &ProcessSecAttrsCleanup, true /fProcess/);
4200
4201	SECURITY_ATTRIBUTES ThreadSecAttrs;
4202	MYSECURITYCLEANUP ThreadSecAttrsCleanup;
4203	supR3HardNtChildInitSecAttrs(&ThreadSecAttrs, &ThreadSecAttrsCleanup, false /fProcess/);
4204
4205	#if 1
4206	/*
4207	* Configure the startup info and creation flags.
4208	*/
4209	DWORD dwCreationFlags = CREATE_SUSPENDED;
4210
4211	STARTUPINFOEXW SiEx;
4212	suplibHardenedMemSet(&SiEx, 0, sizeof(SiEx));
4213	if (1)
4214	SiEx.StartupInfo.cb = sizeof(SiEx.StartupInfo);
4215	else
4216	{
4217	SiEx.StartupInfo.cb = sizeof(SiEx);
4218	dwCreationFlags \|= EXTENDED_STARTUPINFO_PRESENT;
4219	/** @todo experiment with protected process stuff later on. */
4220	}
4221
4222	SiEx.StartupInfo.dwFlags \|= pParentProcParams->WindowFlags & STARTF_USESHOWWINDOW;
4223	SiEx.StartupInfo.wShowWindow = (WORD)pParentProcParams->ShowWindowFlags;
4224
4225	SiEx.StartupInfo.dwFlags \|= STARTF_USESTDHANDLES;
4226	SiEx.StartupInfo.hStdInput = pParentProcParams->StandardInput;
4227	SiEx.StartupInfo.hStdOutput = pParentProcParams->StandardOutput;
4228	SiEx.StartupInfo.hStdError = pParentProcParams->StandardError;
4229
4230	/*
4231	* Construct the command line and launch the process.
4232	*/
4233	PRTUTF16 pwszCmdLine = supR3HardNtChildConstructCmdLine(NULL, iWhich);
4234
4235	supR3HardenedWinEnableThreadCreation();
4236	PROCESS_INFORMATION ProcessInfoW32 = { NULL, NULL, 0, 0 };
4237	if (!CreateProcessW(g_wszSupLibHardenedExePath,
4238	pwszCmdLine,
4239	&ProcessSecAttrs,
4240	&ThreadSecAttrs,
4241	TRUE /fInheritHandles/,
4242	dwCreationFlags,
4243	NULL /pwszzEnvironment/,
4244	NULL /pwszCurDir/,
4245	&SiEx.StartupInfo,
4246	&ProcessInfoW32))
4247	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, VERR_INVALID_NAME,
4248	"Error relaunching VirtualBox VM process: %u\n"
4249	"Command line: '%ls'",
4250	RtlGetLastWin32Error(), pwszCmdLine);
4251	supR3HardenedWinDisableThreadCreation();
4252
4253	SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): New child %x.%x [kernel32].\n",
4254	iWhich, ProcessInfoW32.dwProcessId, ProcessInfoW32.dwThreadId));
4255	This.hProcess = ProcessInfoW32.hProcess;
4256	This.hThread = ProcessInfoW32.hThread;
4257
4258	#else
4259
4260	/*
4261	* Construct the process parameters.
4262	*/
4263	UNICODE_STRING W32ImageName;
4264	W32ImageName.Buffer = g_wszSupLibHardenedExePath; /* Yes the windows name for the process parameters. */
4265	W32ImageName.Length = (USHORT)RTUtf16Len(g_wszSupLibHardenedExePath) * sizeof(WCHAR);
4266	W32ImageName.MaximumLength = W32ImageName.Length + sizeof(WCHAR);
4267
4268	UNICODE_STRING CmdLine;
4269	supR3HardNtChildConstructCmdLine(&CmdLine, iWhich);
4270
4271	PRTL_USER_PROCESS_PARAMETERS pProcParams = NULL;
4272	SUPR3HARDENED_ASSERT_NT_SUCCESS(RtlCreateProcessParameters(&pProcParams,
4273	&W32ImageName,
4274	NULL /* DllPath - inherit from this process */,
4275	NULL /* CurrentDirectory - inherit from this process */,
4276	&CmdLine,
4277	NULL /* Environment - inherit from this process */,
4278	NULL /* WindowsTitle - none */,
4279	NULL /* DesktopTitle - none. */,
4280	NULL /* ShellInfo - none. */,
4281	NULL /* RuntimeInfo - none (byte array for MSVCRT file info) */)
4282	);
4283
4284	/** @todo this doesn't work. :-( */
4285	pProcParams->ConsoleHandle = pParentProcParams->ConsoleHandle;
4286	pProcParams->ConsoleFlags = pParentProcParams->ConsoleFlags;
4287	pProcParams->StandardInput = pParentProcParams->StandardInput;
4288	pProcParams->StandardOutput = pParentProcParams->StandardOutput;
4289	pProcParams->StandardError = pParentProcParams->StandardError;
4290
4291	RTL_USER_PROCESS_INFORMATION ProcessInfoNt = { sizeof(ProcessInfoNt) };
4292	rcNt = RtlCreateUserProcess(&g_SupLibHardenedExeNtPath.UniStr,
4293	OBJ_INHERIT \| OBJ_CASE_INSENSITIVE /Attributes/,
4294	pProcParams,
4295	NULL, //&ProcessSecAttrs,
4296	NULL, //&ThreadSecAttrs,
4297	NtCurrentProcess() /* ParentProcess */,
4298	FALSE /fInheritHandles/,
4299	NULL /* DebugPort */,
4300	NULL /* ExceptionPort */,
4301	&ProcessInfoNt);
4302	if (!NT_SUCCESS(rcNt))
4303	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, VERR_INVALID_NAME,
4304	"Error relaunching VirtualBox VM process: %#x\n"
4305	"Command line: '%ls'",
4306	rcNt, CmdLine.Buffer);
4307
4308	SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): New child %x.%x [ntdll].\n",
4309	iWhich, ProcessInfo.ClientId.UniqueProcess, ProcessInfo.ClientId.UniqueThread));
4310	RtlDestroyProcessParameters(pProcParams);
4311
4312	This.hProcess = ProcessInfoNt.ProcessHandle;
4313	This.hThread = ProcessInfoNt.ThreadHandle;
4314	#endif
4315
4316	#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
4317	/*
4318	* Apply anti debugger notification trick to the thread. (Also done in
4319	* supR3HardenedWinInit.) This may fail with STATUS_ACCESS_DENIED and
4320	* maybe other errors. (Unfortunately, recent (SEP 12.1) of symantec's
4321	* sysplant.sys driver will cause process deadlocks and a shutdown/reboot
4322	* denial of service problem if we hide the initial thread, so we postpone
4323	* this action if we've detected SEP.)
4324	*/
4325	if (!(g_fSupAdversaries & (SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT \| SUPHARDNT_ADVERSARY_SYMANTEC_N360)))
4326	{
4327	rcNt = NtSetInformationThread(This.hThread, ThreadHideFromDebugger, NULL, 0);
4328	if (!NT_SUCCESS(rcNt))
4329	SUP_DPRINTF(("supR3HardenedWinReSpawn: NtSetInformationThread/ThreadHideFromDebugger failed: %#x (harmless)\n", rcNt));
4330	}
4331	#endif
4332
4333	/*
4334	* Perform very early child initialization.
4335	*/
4336	supR3HardNtChildGatherData(&This);
4337	supR3HardNtChildScrewUpPebForInitialImageEvents(&This);
4338	supR3HardNtChildSetUpChildInit(&This);
4339
4340	ULONG cSuspendCount = 0;
4341	rcNt = NtResumeThread(This.hThread, &cSuspendCount);
4342	if (!NT_SUCCESS(rcNt))
4343	supR3HardenedWinKillChild(&This, "supR3HardenedWinDoReSpawn", rcNt, "NtResumeThread failed: %#x", rcNt);
4344
4345	/*
4346	* Santizie the pre-NTDLL child when it's ready.
4347	*
4348	* AV software and other things injecting themselves into the embryonic
4349	* and budding process to intercept API calls and what not. Unfortunately
4350	* this is also the behavior of viruses, malware and other unfriendly
4351	* software, so we won't stand for it. AV software can scan our image
4352	* as they are loaded via kernel hooks, that's sufficient. No need for
4353	* patching half of NTDLL or messing with the import table of the
4354	* process executable.
4355	*/
4356	supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_PurifyChildAndCloseHandles, 2000 /ms/, "PurifyChildAndCloseHandles");
4357	supR3HardNtChildPurify(&This);
4358	supR3HardNtChildSanitizePeb(&This);
4359
4360	/*
4361	* Close the unrestricted access handles. Since we need to wait on the
4362	* child process, we'll reopen the process with limited access before doing
4363	* away with the process handle returned by CreateProcess.
4364	*/
4365	supR3HardNtChildCloseFullAccessHandles(&This);
4366
4367	/*
4368	* Signal the child that we've closed the unrestricted handles and it can
4369	* safely try open the driver.
4370	*/
4371	rcNt = NtSetEvent(This.hEvtChild, NULL);
4372	if (!NT_SUCCESS(rcNt))
4373	supR3HardenedWinKillChild(&This, "supR3HardenedWinReSpawn", VERR_INVALID_NAME,
4374	"NtSetEvent failed on child process handle: %#x\n", rcNt);
4375
4376	/*
4377	* Ditch the loader cache so we don't sit on too much memory while waiting.
4378	*/
4379	supR3HardenedWinFlushLoaderCache();
4380	supR3HardenedWinCompactHeaps();
4381
4382	/*
4383	* Enable thread creation at this point so Ctrl-C and Ctrl-Break can be processed.
4384	*/
4385	supR3HardenedWinEnableThreadCreation();
4386
4387	/*
4388	* Wait for the child to get to suplibHardenedWindowsMain so we can close the handles.
4389	*/
4390	supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_CloseEvents, 60000 /ms/, "CloseEvents");
4391
4392	NtClose(This.hEvtChild);
4393	NtClose(This.hEvtParent);
4394	This.hEvtChild = NULL;
4395	This.hEvtParent = NULL;
4396
4397	/*
4398	* Wait for the process to terminate.
4399	*/
4400	supR3HardNtChildWaitFor(&This, kSupR3WinChildReq_End, RT_INDEFINITE_WAIT, "the end");
4401	supR3HardenedFatal("supR3HardenedWinDoReSpawn: supR3HardNtChildWaitFor unexpectedly returned!\n");
4402	/* not reached*/
4403	}
4404
4405
4406	/**
4407	* Logs the content of the given object directory.
4408	*
4409	* @returns true if it exists, false if not.
4410	* @param pszDir The path of the directory to log (ASCII).
4411	*/
4412	static void supR3HardenedWinLogObjDir(const char *pszDir)
4413	{
4414	/*
4415	* Open the driver object directory.
4416	*/
4417	RTUTF16 wszDir[128];
4418	int rc = RTUtf16CopyAscii(wszDir, RT_ELEMENTS(wszDir), pszDir);
4419	if (RT_FAILURE(rc))
4420	{
4421	SUP_DPRINTF(("supR3HardenedWinLogObjDir: RTUtf16CopyAscii -> %Rrc on '%s'\n", rc, pszDir));
4422	return;
4423	}
4424
4425	UNICODE_STRING NtDirName;
4426	NtDirName.Buffer = (WCHAR *)wszDir;
4427	NtDirName.Length = (USHORT)(RTUtf16Len(wszDir) * sizeof(WCHAR));
4428	NtDirName.MaximumLength = NtDirName.Length + sizeof(WCHAR);
4429
4430	OBJECT_ATTRIBUTES ObjAttr;
4431	InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4432
4433	HANDLE hDir;
4434	NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY \| FILE_LIST_DIRECTORY, &ObjAttr);
4435	SUP_DPRINTF(("supR3HardenedWinLogObjDir: %ls => %#x\n", wszDir, rcNt));
4436	if (!NT_SUCCESS(rcNt))
4437	return;
4438
4439	/*
4440	* Enumerate it, looking for the driver.
4441	*/
4442	ULONG uObjDirCtx = 0;
4443	for (;;)
4444	{
4445	uint32_t abBuffer[_64K + _1K];
4446	ULONG cbActual;
4447	rcNt = NtQueryDirectoryObject(hDir,
4448	abBuffer,
4449	sizeof(abBuffer) - 4, /* minus four for string terminator space. */
4450	FALSE /ReturnSingleEntry /,
4451	FALSE /RestartScan/,
4452	&uObjDirCtx,
4453	&cbActual);
4454	if (!NT_SUCCESS(rcNt) \|\| cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
4455	{
4456	SUP_DPRINTF(("supR3HardenedWinLogObjDir: NtQueryDirectoryObject => rcNt=%#x cbActual=%#x\n", rcNt, cbActual));
4457	break;
4458	}
4459
4460	POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
4461	while (pObjDir->Name.Length != 0)
4462	{
4463	SUP_DPRINTF((" %.ls %.ls\n",
4464	pObjDir->TypeName.Length / sizeof(WCHAR), pObjDir->TypeName.Buffer,
4465	pObjDir->Name.Length / sizeof(WCHAR), pObjDir->Name.Buffer));
4466
4467	/* Next directory entry. */
4468	pObjDir++;
4469	}
4470	}
4471
4472	/*
4473	* Clean up and return.
4474	*/
4475	NtClose(hDir);
4476	}
4477
4478
4479	/**
4480	* Tries to open VBoxDrvErrorInfo and read extra error info from it.
4481	*
4482	* @returns pszErrorInfo.
4483	* @param pszErrorInfo The destination buffer. Will always be
4484	* terminated.
4485	* @param cbErrorInfo The size of the destination buffer.
4486	* @param pszPrefix What to prefix the error info with, if we got
4487	* anything.
4488	*/
4489	DECLHIDDEN(char ) supR3HardenedWinReadErrorInfoDevice(char pszErrorInfo, size_t cbErrorInfo, const char *pszPrefix)
4490	{
4491	RT_BZERO(pszErrorInfo, cbErrorInfo);
4492
4493	/*
4494	* Try open the device.
4495	*/
4496	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
4497	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
4498	UNICODE_STRING NtName = RTNT_CONSTANT_UNISTR(SUPDRV_NT_DEVICE_NAME_ERROR_INFO);
4499	OBJECT_ATTRIBUTES ObjAttr;
4500	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4501	NTSTATUS rcNt = NtCreateFile(&hFile,
4502	GENERIC_READ, /* No SYNCHRONIZE. */
4503	&ObjAttr,
4504	&Ios,
4505	NULL /* Allocation Size*/,
4506	FILE_ATTRIBUTE_NORMAL,
4507	FILE_SHARE_READ \| FILE_SHARE_WRITE,
4508	FILE_OPEN,
4509	FILE_NON_DIRECTORY_FILE, /* No FILE_SYNCHRONOUS_IO_NONALERT. */
4510	NULL /EaBuffer/,
4511	0 /EaLength/);
4512	if (NT_SUCCESS(rcNt))
4513	rcNt = Ios.Status;
4514	if (NT_SUCCESS(rcNt))
4515	{
4516	/*
4517	* Try read error info.
4518	*/
4519	size_t cchPrefix = strlen(pszPrefix);
4520	if (cchPrefix + 3 < cbErrorInfo)
4521	{
4522	LARGE_INTEGER offRead;
4523	offRead.QuadPart = 0;
4524	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
4525	&pszErrorInfo[cchPrefix], (ULONG)(cbErrorInfo - cchPrefix - 1), &offRead, NULL);
4526	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status) && Ios.Information > 0)
4527	{
4528	memcpy(pszErrorInfo, pszPrefix, cchPrefix);
4529	pszErrorInfo[RT_MIN(cbErrorInfo - 1, cchPrefix + Ios.Information)] = '\0';
4530	SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: '%s'", &pszErrorInfo[cchPrefix]));
4531	}
4532	else
4533	{
4534	*pszErrorInfo = '\0';
4535	if (rcNt != STATUS_END_OF_FILE \|\| Ios.Status != STATUS_END_OF_FILE)
4536	SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: NtReadFile -> %#x / %#x / %p\n",
4537	rcNt, Ios.Status, Ios.Information));
4538	}
4539	}
4540	else
4541	RTStrCopy(pszErrorInfo, cbErrorInfo, "error info buffer too small");
4542	NtClose(hFile);
4543	}
4544	else
4545	SUP_DPRINTF(("supR3HardenedWinReadErrorInfoDevice: NtCreateFile -> %#x\n", rcNt));
4546
4547	return pszErrorInfo;
4548	}
4549
4550
4551
4552	/**
4553	* Checks if the driver exists.
4554	*
4555	* This checks whether the driver is present in the /Driver object directory.
4556	* Drivers being initialized or terminated will have an object there
4557	* before/after their devices nodes are created/deleted.
4558	*
4559	* @returns true if it exists, false if not.
4560	* @param pszDriver The driver name.
4561	*/
4562	static bool supR3HardenedWinDriverExists(const char *pszDriver)
4563	{
4564	/*
4565	* Open the driver object directory.
4566	*/
4567	UNICODE_STRING NtDirName = RTNT_CONSTANT_UNISTR(L"\\Driver");
4568
4569	OBJECT_ATTRIBUTES ObjAttr;
4570	InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4571
4572	HANDLE hDir;
4573	NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY \| FILE_LIST_DIRECTORY, &ObjAttr);
4574	#ifdef VBOX_STRICT
4575	SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
4576	#endif
4577	if (!NT_SUCCESS(rcNt))
4578	return true;
4579
4580	/*
4581	* Enumerate it, looking for the driver.
4582	*/
4583	bool fFound = true;
4584	ULONG uObjDirCtx = 0;
4585	do
4586	{
4587	uint32_t abBuffer[_64K + _1K];
4588	ULONG cbActual;
4589	rcNt = NtQueryDirectoryObject(hDir,
4590	abBuffer,
4591	sizeof(abBuffer) - 4, /* minus four for string terminator space. */
4592	FALSE /ReturnSingleEntry /,
4593	FALSE /RestartScan/,
4594	&uObjDirCtx,
4595	&cbActual);
4596	if (!NT_SUCCESS(rcNt) \|\| cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
4597	break;
4598
4599	POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
4600	while (pObjDir->Name.Length != 0)
4601	{
4602	WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)];
4603	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0';
4604	if ( pObjDir->Name.Length > 1
4605	&& RTUtf16ICmpAscii(pObjDir->Name.Buffer, pszDriver) == 0)
4606	{
4607	fFound = true;
4608	break;
4609	}
4610	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved;
4611
4612	/* Next directory entry. */
4613	pObjDir++;
4614	}
4615	} while (!fFound);
4616
4617	/*
4618	* Clean up and return.
4619	*/
4620	NtClose(hDir);
4621
4622	return fFound;
4623	}
4624
4625
4626	/**
4627	* Open the stub device before the 2nd respawn.
4628	*/
4629	static void supR3HardenedWinOpenStubDevice(void)
4630	{
4631	if (g_fSupStubOpened)
4632	return;
4633
4634	/*
4635	* Retry if we think driver might still be initializing (STATUS_NO_SUCH_DEVICE + \Drivers\VBoxDrv).
4636	*/
4637	static const WCHAR s_wszName[] = SUPDRV_NT_DEVICE_NAME_STUB;
4638	uint64_t const uMsTsStart = supR3HardenedWinGetMilliTS();
4639	NTSTATUS rcNt;
4640	uint32_t iTry;
4641
4642	for (iTry = 0;; iTry++)
4643	{
4644	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
4645	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
4646
4647	UNICODE_STRING NtName;
4648	NtName.Buffer = (PWSTR)s_wszName;
4649	NtName.Length = sizeof(s_wszName) - sizeof(WCHAR);
4650	NtName.MaximumLength = sizeof(s_wszName);
4651
4652	OBJECT_ATTRIBUTES ObjAttr;
4653	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4654
4655	rcNt = NtCreateFile(&hFile,
4656	GENERIC_READ \| GENERIC_WRITE, /* No SYNCHRONIZE. */
4657	&ObjAttr,
4658	&Ios,
4659	NULL /* Allocation Size*/,
4660	FILE_ATTRIBUTE_NORMAL,
4661	FILE_SHARE_READ \| FILE_SHARE_WRITE,
4662	FILE_OPEN,
4663	FILE_NON_DIRECTORY_FILE, /* No FILE_SYNCHRONOUS_IO_NONALERT. */
4664	NULL /EaBuffer/,
4665	0 /EaLength/);
4666	if (NT_SUCCESS(rcNt))
4667	rcNt = Ios.Status;
4668
4669	/* The STATUS_NO_SUCH_DEVICE might be returned if the device is not
4670	completely initialized. Delay a little bit and try again. */
4671	if (rcNt != STATUS_NO_SUCH_DEVICE)
4672	break;
4673	if (iTry > 0 && supR3HardenedWinGetMilliTS() - uMsTsStart > 5000) /* 5 sec, at least two tries */
4674	break;
4675	if (!supR3HardenedWinDriverExists("VBoxDrv"))
4676	{
4677	/** @todo Consider starting the VBoxdrv.sys service. Requires 2nd process
4678	* though, rather complicated actually as CreateProcess causes all
4679	* kind of things to happen to this process which would make it hard to
4680	* pass the process verification tests... :-/ */
4681	break;
4682	}
4683
4684	LARGE_INTEGER Time;
4685	if (iTry < 8)
4686	Time.QuadPart = -1000000 / 100; /* 1ms in 100ns units, relative time. */
4687	else
4688	Time.QuadPart = -32000000 / 100; /* 32ms in 100ns units, relative time. */
4689	NtDelayExecution(TRUE, &Time);
4690	}
4691
4692	if (NT_SUCCESS(rcNt))
4693	g_fSupStubOpened = true;
4694	else
4695	{
4696	/*
4697	* Report trouble (fatal). For some errors codes we try gather some
4698	* extra information that goes into VBoxStartup.log so that we stand a
4699	* better chance resolving the issue.
4700	*/
4701	char szErrorInfo[16384];
4702	int rc = VERR_OPEN_FAILED;
4703	if (SUP_NT_STATUS_IS_VBOX(rcNt)) /* See VBoxDrvNtErr2NtStatus. */
4704	{
4705	rc = SUP_NT_STATUS_TO_VBOX(rcNt);
4706
4707	/*
4708	* \Windows\ApiPort open trouble. So far only
4709	* STATUS_OBJECT_TYPE_MISMATCH has been observed.
4710	*/
4711	if (rc == VERR_SUPDRV_APIPORT_OPEN_ERROR)
4712	{
4713	SUP_DPRINTF(("Error opening VBoxDrvStub: VERR_SUPDRV_APIPORT_OPEN_ERROR\n"));
4714
4715	uint32_t uSessionId = NtCurrentPeb()->SessionId;
4716	SUP_DPRINTF((" SessionID=%#x\n", uSessionId));
4717	char szDir[64];
4718	if (uSessionId == 0)
4719	RTStrCopy(szDir, sizeof(szDir), "\\Windows");
4720	else
4721	{
4722	RTStrPrintf(szDir, sizeof(szDir), "\\Sessions\\%u\\Windows", uSessionId);
4723	supR3HardenedWinLogObjDir(szDir);
4724	}
4725	supR3HardenedWinLogObjDir("\\Windows");
4726	supR3HardenedWinLogObjDir("\\Sessions");
4727
4728	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Misc, rc,
4729	"NtCreateFile(%ls) failed: VERR_SUPDRV_APIPORT_OPEN_ERROR\n"
4730	"\n"
4731	"Error getting %s\\ApiPort in the driver from vboxdrv.\n"
4732	"\n"
4733	"Could be due to security software is redirecting access to it, so please include full "
4734	"details of such software in a bug report. VBoxStartup.log may contain details important "
4735	"to resolving the issue.%s"
4736	, s_wszName, szDir,
4737	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4738	"\n\nVBoxDrvStub error: "));
4739	}
4740
4741	/*
4742	* Generic VBox failure message.
4743	*/
4744	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, rc,
4745	"NtCreateFile(%ls) failed: %Rrc (rcNt=%#x)%s", s_wszName, rc, rcNt,
4746	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4747	"\nVBoxDrvStub error: "));
4748	}
4749	else
4750	{
4751	const char *pszDefine;
4752	switch (rcNt)
4753	{
4754	case STATUS_NO_SUCH_DEVICE: pszDefine = " STATUS_NO_SUCH_DEVICE"; break;
4755	case STATUS_OBJECT_NAME_NOT_FOUND: pszDefine = " STATUS_OBJECT_NAME_NOT_FOUND"; break;
4756	case STATUS_ACCESS_DENIED: pszDefine = " STATUS_ACCESS_DENIED"; break;
4757	case STATUS_TRUST_FAILURE: pszDefine = " STATUS_TRUST_FAILURE"; break;
4758	default: pszDefine = ""; break;
4759	}
4760
4761	/*
4762	* Problems opening the device is generally due to driver load/
4763	* unload issues. Check whether the driver is loaded and make
4764	* suggestions accordingly.
4765	*/
4766	/** @todo don't fail during early init, wait till later and try load the driver if missing or at least query the service manager for additional information. */
4767	if ( rcNt == STATUS_NO_SUCH_DEVICE
4768	\|\| rcNt == STATUS_OBJECT_NAME_NOT_FOUND)
4769	{
4770	SUP_DPRINTF(("Error opening VBoxDrvStub: %s\n", pszDefine));
4771	if (supR3HardenedWinDriverExists("VBoxDrv"))
4772	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
4773	"NtCreateFile(%ls) failed: %#x%s (%u retries)\n"
4774	"\n"
4775	"Driver is probably stuck stopping/starting. Try 'sc.exe query vboxdrv' to get more "
4776	"information about its state. Rebooting may actually help.%s"
4777	, s_wszName, rcNt, pszDefine, iTry,
4778	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4779	"\nVBoxDrvStub error: "));
4780	else
4781	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
4782	"NtCreateFile(%ls) failed: %#x%s (%u retries)\n"
4783	"\n"
4784	"Driver is does not appear to be loaded. Try 'sc.exe start vboxdrv', reinstall "
4785	"VirtualBox or reboot.%s"
4786	, s_wszName, rcNt, pszDefine, iTry,
4787	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4788	"\nVBoxDrvStub error: "));
4789	}
4790
4791	/* Generic NT failure message. */
4792	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Driver, VERR_OPEN_FAILED,
4793	"NtCreateFile(%ls) failed: %#x%s (%u retries)%s",
4794	s_wszName, rcNt, pszDefine, iTry,
4795	supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
4796	"\nVBoxDrvStub error: "));
4797	}
4798	}
4799	}
4800
4801
4802	/**
4803	* Called by the main code if supR3HardenedWinIsReSpawnNeeded returns @c true.
4804	*
4805	* @returns Program exit code.
4806	*/
4807	DECLHIDDEN(int) supR3HardenedWinReSpawn(int iWhich)
4808	{
4809	/*
4810	* Before the 2nd respawn we set up a child protection deal with the
4811	* support driver via /Devices/VBoxDrvStub. (We tried to do this
4812	* during the early init, but in case we had trouble accessing vboxdrv we
4813	* retry it here where we have kernel32.dll and others to pull in for
4814	* better diagnostics.)
4815	*/
4816	if (iWhich == 2)
4817	supR3HardenedWinOpenStubDevice();
4818
4819	/*
4820	* Make sure we're alone in the stub process before creating the VM process
4821	* and that there aren't any debuggers attached.
4822	*/
4823	if (iWhich == 2)
4824	{
4825	int rc = supHardNtVpDebugger(NtCurrentProcess(), RTErrInfoInitStatic(&g_ErrInfoStatic));
4826	if (RT_SUCCESS(rc))
4827	rc = supHardNtVpThread(NtCurrentProcess(), NtCurrentThread(), RTErrInfoInitStatic(&g_ErrInfoStatic));
4828	if (RT_FAILURE(rc))
4829	supR3HardenedFatalMsg("supR3HardenedWinReSpawn", kSupInitOp_Integrity, rc, "%s", g_ErrInfoStatic.szMsg);
4830	}
4831
4832
4833	/*
4834	* Respawn the process with kernel protection for the new process.
4835	*/
4836	supR3HardenedWinDoReSpawn(iWhich);
4837	/* not reached! */
4838	}
4839
4840
4841	/**
4842	* Checks if re-spawning is required, replacing the respawn argument if not.
4843	*
4844	* @returns true if required, false if not. In the latter case, the first
4845	* argument in the vector is replaced.
4846	* @param iWhich Which respawn we're to check for, 1 being the
4847	* first one, and 2 the second and final.
4848	* @param cArgs The number of arguments.
4849	* @param papszArgs Pointer to the argument vector.
4850	*/
4851	DECLHIDDEN(bool) supR3HardenedWinIsReSpawnNeeded(int iWhich, int cArgs, char **papszArgs)
4852	{
4853	SUPR3HARDENED_ASSERT(g_cSuplibHardenedWindowsMainCalls == 1);
4854	SUPR3HARDENED_ASSERT(iWhich == 1 \|\| iWhich == 2);
4855
4856	if (cArgs < 1)
4857	return true;
4858
4859	if (suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_1_ARG0) == 0)
4860	{
4861	if (iWhich > 1)
4862	return true;
4863	}
4864	else if (suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_2_ARG0) == 0)
4865	{
4866	if (iWhich < 2)
4867	return false;
4868	}
4869	else
4870	return true;
4871
4872	/* Replace the argument. */
4873	papszArgs[0] = g_szSupLibHardenedExePath;
4874	return false;
4875	}
4876
4877
4878	/**
4879	* Initializes the windows verficiation bits and other things we're better off
4880	* doing after main() has passed on it's data.
4881	*
4882	* @param fFlags The main flags.
4883	* @param fAvastKludge Whether to apply the avast kludge.
4884	*/
4885	DECLHIDDEN(void) supR3HardenedWinInit(uint32_t fFlags, bool fAvastKludge)
4886	{
4887	NTSTATUS rcNt;
4888
4889	#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
4890	/*
4891	* Install a anti debugging hack before we continue. This prevents most
4892	* notifications from ending up in the debugger. (Also applied to the
4893	* child process when respawning.)
4894	*/
4895	rcNt = NtSetInformationThread(NtCurrentThread(), ThreadHideFromDebugger, NULL, 0);
4896	if (!NT_SUCCESS(rcNt))
4897	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, VERR_GENERAL_FAILURE,
4898	"NtSetInformationThread/ThreadHideFromDebugger failed: %#x\n", rcNt);
4899	#endif
4900
4901	/*
4902	* Init the verifier.
4903	*/
4904	RTErrInfoInitStatic(&g_ErrInfoStatic);
4905	int rc = supHardenedWinInitImageVerifier(&g_ErrInfoStatic.Core);
4906	if (RT_FAILURE(rc))
4907	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rc,
4908	"supHardenedWinInitImageVerifier failed: %s", g_ErrInfoStatic.szMsg);
4909
4910	/*
4911	* Get the windows system directory from the KnownDlls dir.
4912	*/
4913	HANDLE hSymlink = INVALID_HANDLE_VALUE;
4914	UNICODE_STRING UniStr = RTNT_CONSTANT_UNISTR(L"\\KnownDlls\\KnownDllPath");
4915	OBJECT_ATTRIBUTES ObjAttrs;
4916	InitializeObjectAttributes(&ObjAttrs, &UniStr, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
4917	rcNt = NtOpenSymbolicLinkObject(&hSymlink, SYMBOLIC_LINK_QUERY, &ObjAttrs);
4918	if (!NT_SUCCESS(rcNt))
4919	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rcNt, "Error opening '%ls': %#x", UniStr.Buffer, rcNt);
4920
4921	g_System32WinPath.UniStr.Buffer = g_System32WinPath.awcBuffer;
4922	g_System32WinPath.UniStr.Length = 0;
4923	g_System32WinPath.UniStr.MaximumLength = sizeof(g_System32WinPath.awcBuffer) - sizeof(RTUTF16);
4924	rcNt = NtQuerySymbolicLinkObject(hSymlink, &g_System32WinPath.UniStr, NULL);
4925	if (!NT_SUCCESS(rcNt))
4926	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, rcNt, "Error querying '%ls': %#x", UniStr.Buffer, rcNt);
4927	g_System32WinPath.UniStr.Buffer[g_System32WinPath.UniStr.Length / sizeof(RTUTF16)] = '\0';
4928
4929	SUP_DPRINTF(("KnownDllPath: %ls\n", g_System32WinPath.UniStr.Buffer));
4930	NtClose(hSymlink);
4931
4932	if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
4933	{
4934	if (fAvastKludge)
4935	{
4936	/*
4937	* Do a self purification to cure avast's weird NtOpenFile write-thru
4938	* change in GetBinaryTypeW change in kernel32. Unfortunately, avast
4939	* uses a system thread to perform the process modifications, which
4940	* means it's hard to make sure it had the chance to make them...
4941	*
4942	* We have to resort to kludge doing yield and sleep fudging for a
4943	* number of milliseconds and schedulings before we can hope that avast
4944	* and similar products have done what they need to do. If we do any
4945	* fixes, we wait for a while again and redo it until we're clean.
4946	*
4947	* This is unfortunately kind of fragile.
4948	*/
4949	uint32_t cMsFudge = g_fSupAdversaries ? 512 : 128;
4950	uint32_t cFixes;
4951	for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
4952	{
4953	uint32_t cSleeps = 0;
4954	uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
4955	do
4956	{
4957	NtYieldExecution();
4958	LARGE_INTEGER Time;
4959	Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
4960	NtDelayExecution(FALSE, &Time);
4961	cSleeps++;
4962	} while ( supR3HardenedWinGetMilliTS() - uMsTsStart <= cMsFudge
4963	\|\| cSleeps < 8);
4964	SUP_DPRINTF(("supR3HardenedWinInit: Startup delay kludge #2/%u: %u ms, %u sleeps\n",
4965	iLoop, supR3HardenedWinGetMilliTS() - uMsTsStart, cSleeps));
4966
4967	cFixes = 0;
4968	rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION,
4969	0 /fFlags/, &cFixes, NULL /pErrInfo/);
4970	if (RT_FAILURE(rc) \|\| cFixes == 0)
4971	break;
4972
4973	if (!g_fSupAdversaries)
4974	g_fSupAdversaries \|= SUPHARDNT_ADVERSARY_UNKNOWN;
4975	cMsFudge = 512;
4976
4977	/* Log the KiOpPrefetchPatchCount value if available, hoping it might sched some light on spider38's case. */
4978	ULONG cPatchCount = 0;
4979	rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
4980	&cPatchCount, sizeof(cPatchCount), NULL);
4981	if (NT_SUCCESS(rcNt))
4982	SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
4983	cFixes, g_fSupAdversaries, cPatchCount));
4984	else
4985	SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
4986	}
4987	}
4988
4989	/*
4990	* Install the hooks.
4991	*/
4992	supR3HardenedWinInstallHooks();
4993	}
4994
4995	#ifndef VBOX_WITH_VISTA_NO_SP
4996	/*
4997	* Complain about Vista w/o service pack if we're launching a VM.
4998	*/
4999	if ( !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
5000	&& g_uNtVerCombined >= SUP_NT_VER_VISTA
5001	&& g_uNtVerCombined < SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0))
5002	supR3HardenedFatalMsg("supR3HardenedWinInit", kSupInitOp_Misc, VERR_NOT_SUPPORTED,
5003	"Window Vista without any service pack installed is not supported. Please install the latest service pack.");
5004	#endif
5005	}
5006
5007
5008	/**
5009	* Modifies the DLL search path for testcases.
5010	*
5011	* This makes sure the application binary path is in the search path. When
5012	* starting a testcase executable in the testcase/ subdirectory this isn't the
5013	* case by default. So, unless we do something about it we won't be able to
5014	* import VBox DLLs.
5015	*
5016	* @param fFlags The main flags (giving the location).
5017	* @param pszAppBinPath The path to the application binary directory
5018	* (windows style).
5019	*/
5020	DECLHIDDEN(void) supR3HardenedWinModifyDllSearchPath(uint32_t fFlags, const char *pszAppBinPath)
5021	{
5022	/*
5023	* For the testcases to work, we must add the app bin directory to the
5024	* DLL search list before the testcase dll is loaded or it won't be
5025	* able to find the VBox DLLs. This is done _after_ VBoxRT.dll is
5026	* initialized and sets its defaults.
5027	*/
5028	switch (fFlags & SUPSECMAIN_FLAGS_LOC_MASK)
5029	{
5030	case SUPSECMAIN_FLAGS_LOC_TESTCASE:
5031	break;
5032	default:
5033	return;
5034	}
5035
5036	/*
5037	* Dynamically resolve the two APIs we need (the latter uses forwarders on w7).
5038	*/
5039	HMODULE hModKernel32 = GetModuleHandleW(L"kernel32.dll");
5040
5041	typedef BOOL (WINAPI *PFNSETDLLDIRECTORY)(LPCWSTR);
5042	PFNSETDLLDIRECTORY pfnSetDllDir;
5043	pfnSetDllDir = (PFNSETDLLDIRECTORY)GetProcAddress(hModKernel32, "SetDllDirectoryW");
5044
5045	typedef BOOL (WINAPI *PFNSETDEFAULTDLLDIRECTORIES)(DWORD);
5046	PFNSETDEFAULTDLLDIRECTORIES pfnSetDefDllDirs;
5047	pfnSetDefDllDirs = (PFNSETDEFAULTDLLDIRECTORIES)GetProcAddress(hModKernel32, "SetDefaultDllDirectories");
5048
5049	if (pfnSetDllDir != NULL)
5050	{
5051	/*
5052	* Convert the path to UTF-16 and try set it.
5053	*/
5054	PRTUTF16 pwszAppBinPath = NULL;
5055	int rc = RTStrToUtf16(pszAppBinPath, &pwszAppBinPath);
5056	if (RT_SUCCESS(rc))
5057	{
5058	if (pfnSetDllDir(pwszAppBinPath))
5059	{
5060	SUP_DPRINTF(("supR3HardenedWinModifyDllSearchPath: Set dll dir to '%ls'\n", pwszAppBinPath));
5061	g_fSupLibHardenedDllSearchUserDirs = true;
5062
5063	/*
5064	* We set it alright, on W7 and later we also must modify the
5065	* default DLL search order. See @bugref{6861} for details on
5066	* why we don't do this on Vista (also see init-win.cpp in IPRT).
5067	*/
5068	if ( pfnSetDefDllDirs
5069	&& g_uNtVerCombined >= SUP_NT_VER_W70)
5070	{
5071	if (pfnSetDefDllDirs( LOAD_LIBRARY_SEARCH_APPLICATION_DIR
5072	\| LOAD_LIBRARY_SEARCH_SYSTEM32
5073	\| LOAD_LIBRARY_SEARCH_USER_DIRS))
5074	SUP_DPRINTF(("supR3HardenedWinModifyDllSearchPath: Successfully modified search dirs.\n"));
5075	else
5076	supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: SetDllDirectoryW(%ls) failed: %d\n",
5077	pwszAppBinPath, RtlGetLastWin32Error());
5078	}
5079	}
5080	else
5081	supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: SetDllDirectoryW(%ls) failed: %d\n",
5082	pwszAppBinPath, RtlGetLastWin32Error());
5083	RTUtf16Free(pwszAppBinPath);
5084	}
5085	else
5086	supR3HardenedFatal("supR3HardenedWinModifyDllSearchPath: RTStrToUtf16(%s) failed: %d\n", pszAppBinPath, rc);
5087	}
5088	}
5089
5090
5091	/**
5092	* Initializes the application binary directory path.
5093	*
5094	* This is called once or twice.
5095	*
5096	* @param fFlags The main flags (giving the location).
5097	*/
5098	DECLHIDDEN(void) supR3HardenedWinInitAppBin(uint32_t fFlags)
5099	{
5100	USHORT cwc = (USHORT)g_offSupLibHardenedExeNtName - 1;
5101	g_SupLibHardenedAppBinNtPath.UniStr.Buffer = g_SupLibHardenedAppBinNtPath.awcBuffer;
5102	memcpy(g_SupLibHardenedAppBinNtPath.UniStr.Buffer, g_SupLibHardenedExeNtPath.UniStr.Buffer, cwc * sizeof(WCHAR));
5103
5104	switch (fFlags & SUPSECMAIN_FLAGS_LOC_MASK)
5105	{
5106	case SUPSECMAIN_FLAGS_LOC_APP_BIN:
5107	break;
5108	case SUPSECMAIN_FLAGS_LOC_TESTCASE:
5109	{
5110	/* Drop one directory level. */
5111	USHORT off = cwc;
5112	WCHAR wc;
5113	while ( off > 1
5114	&& (wc = g_SupLibHardenedAppBinNtPath.UniStr.Buffer[off - 1]) != '\0')
5115	if (wc != '\\' && wc != '/')
5116	off--;
5117	else
5118	{
5119	if (g_SupLibHardenedAppBinNtPath.UniStr.Buffer[off - 2] == ':')
5120	cwc = off;
5121	else
5122	cwc = off - 1;
5123	break;
5124	}
5125	break;
5126	}
5127	default:
5128	supR3HardenedFatal("supR3HardenedWinInitAppBin: Unknown program binary location: %#x\n", fFlags);
5129	}
5130
5131	g_SupLibHardenedAppBinNtPath.UniStr.Buffer[cwc] = '\0';
5132	g_SupLibHardenedAppBinNtPath.UniStr.Length = cwc * sizeof(WCHAR);
5133	g_SupLibHardenedAppBinNtPath.UniStr.MaximumLength = sizeof(g_SupLibHardenedAppBinNtPath.awcBuffer);
5134	SUP_DPRINTF(("supR3HardenedWinInitAppBin(%#x): '%ls'\n", fFlags, g_SupLibHardenedAppBinNtPath.UniStr.Buffer));
5135	}
5136
5137
5138	/**
5139	* Converts the Windows command line string (UTF-16) to an array of UTF-8
5140	* arguments suitable for passing to main().
5141	*
5142	* @returns Pointer to the argument array.
5143	* @param pawcCmdLine The UTF-16 windows command line to parse.
5144	* @param cwcCmdLine The length of the command line.
5145	* @param pcArgs Where to return the number of arguments.
5146	*/
5147	static char *suplibCommandLineToArgvWStub(PCRTUTF16 pawcCmdLine, size_t cwcCmdLine, int pcArgs)
5148	{
5149	/*
5150	* Convert the command line string to UTF-8.
5151	*/
5152	char *pszCmdLine = NULL;
5153	SUPR3HARDENED_ASSERT(RT_SUCCESS(RTUtf16ToUtf8Ex(pawcCmdLine, cwcCmdLine, &pszCmdLine, 0, NULL)));
5154
5155	/*
5156	* Parse the command line, carving argument strings out of it.
5157	*/
5158	int cArgs = 0;
5159	int cArgsAllocated = 4;
5160	char papszArgs = (char )RTMemAllocZ(sizeof(char ) cArgsAllocated);
5161	char *pszSrc = pszCmdLine;
5162	for (;;)
5163	{
5164	/* skip leading blanks. */
5165	char ch = *pszSrc;
5166	while (suplibCommandLineIsArgSeparator(ch))
5167	ch = *++pszSrc;
5168	if (!ch)
5169	break;
5170
5171	/* Add argument to the vector. */
5172	if (cArgs + 2 >= cArgsAllocated)
5173	{
5174	cArgsAllocated *= 2;
5175	papszArgs = (char *)RTMemRealloc(papszArgs, sizeof(char ) * cArgsAllocated);
5176	}
5177	papszArgs[cArgs++] = pszSrc;
5178	papszArgs[cArgs] = NULL;
5179
5180	/* Unquote and unescape the string. */
5181	char *pszDst = pszSrc++;
5182	bool fQuoted = false;
5183	do
5184	{
5185	if (ch == '"')
5186	fQuoted = !fQuoted;
5187	else if (ch != '\\' \|\| (pszSrc != '\\' && pszSrc != '"'))
5188	*pszDst++ = ch;
5189	else
5190	{
5191	unsigned cSlashes = 0;
5192	while ((ch = *pszSrc++) == '\\')
5193	cSlashes++;
5194	if (ch == '"')
5195	{
5196	while (cSlashes >= 2)
5197	{
5198	cSlashes -= 2;
5199	*pszDst++ = '\\';
5200	}
5201	if (cSlashes)
5202	*pszDst++ = '"';
5203	else
5204	fQuoted = !fQuoted;
5205	}
5206	else
5207	{
5208	pszSrc--;
5209	while (cSlashes-- > 0)
5210	*pszDst++ = '\\';
5211	}
5212	}
5213
5214	ch = *pszSrc++;
5215	} while (ch != '\0' && (fQuoted \|\| !suplibCommandLineIsArgSeparator(ch)));
5216
5217	/* Terminate the argument. */
5218	*pszDst = '\0';
5219	if (!ch)
5220	break;
5221	}
5222
5223	*pcArgs = cArgs;
5224	return papszArgs;
5225	}
5226
5227
5228	/**
5229	* Worker for supR3HardenedFindVersionRsrcOffset.
5230	*
5231	* @returns RVA the version resource data, UINT32_MAX if not found.
5232	* @param pRootDir The root resource directory. Expects data to
5233	* follow.
5234	* @param cbBuf The amount of data at pRootDir.
5235	* @param offData The offset to the data entry.
5236	* @param pcbData Where to return the size of the data.
5237	*/
5238	static uint32_t supR3HardenedGetRvaFromRsrcDataEntry(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t offData,
5239	uint32_t *pcbData)
5240	{
5241	if ( offData <= cbBuf
5242	&& offData + sizeof(IMAGE_RESOURCE_DATA_ENTRY) <= cbBuf)
5243	{
5244	PIMAGE_RESOURCE_DATA_ENTRY pRsrcData = (PIMAGE_RESOURCE_DATA_ENTRY)((uintptr_t)pRootDir + offData);
5245	SUP_DPRINTF((" [Raw version resource data: %#x LB %#x, codepage %#x (reserved %#x)]\n",
5246	pRsrcData->OffsetToData, pRsrcData->Size, pRsrcData->CodePage, pRsrcData->Reserved));
5247	if (pRsrcData->Size > 0)
5248	{
5249	*pcbData = pRsrcData->Size;
5250	return pRsrcData->OffsetToData;
5251	}
5252	}
5253	else
5254	SUP_DPRINTF((" Version resource data (%#x) is outside the buffer (%#x)! :-(\n", offData, cbBuf));
5255
5256	*pcbData = 0;
5257	return UINT32_MAX;
5258	}
5259
5260
5261	/** @def SUP_RSRC_DPRINTF
5262	* Dedicated debug printf for resource directory parsing.
5263	* @sa SUP_DPRINTF
5264	*/
5265	#if 0 /* more details */
5266	# define SUP_RSRC_DPRINTF(a) SUP_DPRINTF(a)
5267	#else
5268	# define SUP_RSRC_DPRINTF(a) do { } while (0)
5269	#endif
5270
5271	/**
5272	* Scans the resource directory for a version resource.
5273	*
5274	* @returns RVA of the version resource data, UINT32_MAX if not found.
5275	* @param pRootDir The root resource directory. Expects data to
5276	* follow.
5277	* @param cbBuf The amount of data at pRootDir.
5278	* @param pcbData Where to return the size of the version data.
5279	*/
5280	static uint32_t supR3HardenedFindVersionRsrcRva(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t *pcbData)
5281	{
5282	SUP_RSRC_DPRINTF((" ResDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
5283	pRootDir->Characteristics,
5284	pRootDir->TimeDateStamp,
5285	pRootDir->MajorVersion,
5286	pRootDir->MinorVersion,
5287	pRootDir->NumberOfNamedEntries,
5288	pRootDir->NumberOfIdEntries));
5289
5290	PIMAGE_RESOURCE_DIRECTORY_ENTRY paEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRootDir + 1);
5291	unsigned cMaxEntries = (cbBuf - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
5292	unsigned cEntries = pRootDir->NumberOfNamedEntries + pRootDir->NumberOfIdEntries;
5293	if (cEntries > cMaxEntries)
5294	cEntries = cMaxEntries;
5295	for (unsigned i = 0; i < cEntries; i++)
5296	{
5297	if (!paEntries[i].NameIsString)
5298	{
5299	if (!paEntries[i].DataIsDirectory)
5300	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
5301	i, paEntries[i].Id, paEntries[i].OffsetToData));
5302	else
5303	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
5304	i, paEntries[i].Id, paEntries[i].OffsetToDirectory));
5305	}
5306	else
5307	{
5308	if (!paEntries[i].DataIsDirectory)
5309	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
5310	i, paEntries[i].NameOffset, paEntries[i].OffsetToData));
5311	else
5312	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
5313	i, paEntries[i].NameOffset, paEntries[i].OffsetToDirectory));
5314	}
5315
5316	/*
5317	* Look for the version resource type. Skip to the next entry if not found.
5318	*/
5319	if (paEntries[i].NameIsString)
5320	continue;
5321	if (paEntries[i].Id != 0x10 /RT_VERSION/)
5322	continue;
5323	if (!paEntries[i].DataIsDirectory)
5324	{
5325	SUP_DPRINTF((" #%u: ID: #%#06x Data: %#010x - WEIRD!\n", i, paEntries[i].Id, paEntries[i].OffsetToData));
5326	continue;
5327	}
5328	SUP_RSRC_DPRINTF((" Version resource dir entry #%u: dir offset: %#x (cbBuf=%#x)\n",
5329	i, paEntries[i].OffsetToDirectory, cbBuf));
5330
5331	/*
5332	* Locate the sub-resource directory for it.
5333	*/
5334	if (paEntries[i].OffsetToDirectory >= cbBuf)
5335	{
5336	SUP_DPRINTF((" Version resource dir is outside the buffer! :-(\n"));
5337	continue;
5338	}
5339	uint32_t cbMax = cbBuf - paEntries[i].OffsetToDirectory;
5340	if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))
5341	{
5342	SUP_DPRINTF((" Version resource dir entry #0 is outside the buffer! :-(\n"));
5343	continue;
5344	}
5345	PIMAGE_RESOURCE_DIRECTORY pVerDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paEntries[i].OffsetToDirectory);
5346	SUP_RSRC_DPRINTF((" VerDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
5347	pVerDir->Characteristics,
5348	pVerDir->TimeDateStamp,
5349	pVerDir->MajorVersion,
5350	pVerDir->MinorVersion,
5351	pVerDir->NumberOfNamedEntries,
5352	pVerDir->NumberOfIdEntries));
5353	PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerDir + 1);
5354	unsigned cMaxVerEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
5355	unsigned cVerEntries = pVerDir->NumberOfNamedEntries + pVerDir->NumberOfIdEntries;
5356	if (cVerEntries > cMaxVerEntries)
5357	cVerEntries = cMaxVerEntries;
5358	for (unsigned iVer = 0; iVer < cVerEntries; iVer++)
5359	{
5360	if (!paVerEntries[iVer].NameIsString)
5361	{
5362	if (!paVerEntries[iVer].DataIsDirectory)
5363	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
5364	iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToData));
5365	else
5366	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
5367	iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToDirectory));
5368	}
5369	else
5370	{
5371	if (!paVerEntries[iVer].DataIsDirectory)
5372	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
5373	iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToData));
5374	else
5375	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
5376	iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToDirectory));
5377	}
5378	if (!paVerEntries[iVer].DataIsDirectory)
5379	{
5380	SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: #%#x)]\n",
5381	paVerEntries[iVer].OffsetToData, paVerEntries[iVer].Name));
5382	return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerEntries[iVer].OffsetToData, pcbData);
5383	}
5384
5385	/*
5386	* Check out the next directory level.
5387	*/
5388	if (paVerEntries[iVer].OffsetToDirectory >= cbBuf)
5389	{
5390	SUP_DPRINTF((" Version resource subdir is outside the buffer! :-(\n"));
5391	continue;
5392	}
5393	cbMax = cbBuf - paVerEntries[iVer].OffsetToDirectory;
5394	if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY))
5395	{
5396	SUP_DPRINTF((" Version resource subdir entry #0 is outside the buffer! :-(\n"));
5397	continue;
5398	}
5399	PIMAGE_RESOURCE_DIRECTORY pVerSubDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paVerEntries[iVer].OffsetToDirectory);
5400	SUP_RSRC_DPRINTF((" VerSubDir#%u: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n",
5401	iVer,
5402	pVerSubDir->Characteristics,
5403	pVerSubDir->TimeDateStamp,
5404	pVerSubDir->MajorVersion,
5405	pVerSubDir->MinorVersion,
5406	pVerSubDir->NumberOfNamedEntries,
5407	pVerSubDir->NumberOfIdEntries));
5408	PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerSubEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerSubDir + 1);
5409	unsigned cMaxVerSubEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY);
5410	unsigned cVerSubEntries = pVerSubDir->NumberOfNamedEntries + pVerSubDir->NumberOfIdEntries;
5411	if (cVerSubEntries > cMaxVerSubEntries)
5412	cVerSubEntries = cMaxVerSubEntries;
5413	for (unsigned iVerSub = 0; iVerSub < cVerSubEntries; iVerSub++)
5414	{
5415	if (!paVerSubEntries[iVerSub].NameIsString)
5416	{
5417	if (!paVerSubEntries[iVerSub].DataIsDirectory)
5418	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n",
5419	iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToData));
5420	else
5421	SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n",
5422	iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToDirectory));
5423	}
5424	else
5425	{
5426	if (!paVerSubEntries[iVerSub].DataIsDirectory)
5427	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n",
5428	iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToData));
5429	else
5430	SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n",
5431	iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToDirectory));
5432	}
5433	if (!paVerSubEntries[iVerSub].DataIsDirectory)
5434	{
5435	SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: %#x; SubID/SubName: %#x)]\n",
5436	paVerSubEntries[iVerSub].OffsetToData, paVerEntries[iVer].Name, paVerSubEntries[iVerSub].Name));
5437	return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerSubEntries[iVerSub].OffsetToData, pcbData);
5438	}
5439	}
5440	}
5441	}
5442
5443	*pcbData = 0;
5444	return UINT32_MAX;
5445	}
5446
5447
5448	/**
5449	* Logs information about a file from a protection product or from Windows,
5450	* optionally returning the file version.
5451	*
5452	* The purpose here is to better see which version of the product is installed
5453	* and not needing to depend on the user supplying the correct information.
5454	*
5455	* @param pwszFile The NT path to the file.
5456	* @param pwszFileVersion Where to return the file version, if found. NULL if
5457	* not interested.
5458	* @param cwcFileVersion The size of the file version buffer (UTF-16 units).
5459	*/
5460	static void supR3HardenedLogFileInfo(PCRTUTF16 pwszFile, PRTUTF16 pwszFileVersion, size_t cwcFileVersion)
5461	{
5462	/*
5463	* Make sure the file version is always set when we return.
5464	*/
5465	if (pwszFileVersion && cwcFileVersion)
5466	*pwszFileVersion = '\0';
5467
5468	/*
5469	* Open the file.
5470	*/
5471	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
5472	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
5473	UNICODE_STRING UniStrName;
5474	UniStrName.Buffer = (WCHAR *)pwszFile;
5475	UniStrName.Length = (USHORT)(RTUtf16Len(pwszFile) * sizeof(WCHAR));
5476	UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
5477	OBJECT_ATTRIBUTES ObjAttr;
5478	InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
5479	NTSTATUS rcNt = NtCreateFile(&hFile,
5480	GENERIC_READ \| SYNCHRONIZE,
5481	&ObjAttr,
5482	&Ios,
5483	NULL /* Allocation Size*/,
5484	FILE_ATTRIBUTE_NORMAL,
5485	FILE_SHARE_READ,
5486	FILE_OPEN,
5487	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
5488	NULL /EaBuffer/,
5489	0 /EaLength/);
5490	if (NT_SUCCESS(rcNt))
5491	rcNt = Ios.Status;
5492	if (NT_SUCCESS(rcNt))
5493	{
5494	SUP_DPRINTF(("%ls:\n", pwszFile));
5495	union
5496	{
5497	uint64_t u64AlignmentInsurance;
5498	FILE_BASIC_INFORMATION BasicInfo;
5499	FILE_STANDARD_INFORMATION StdInfo;
5500	uint8_t abBuf[32768];
5501	RTUTF16 awcBuf[16384];
5502	IMAGE_DOS_HEADER MzHdr;
5503	IMAGE_RESOURCE_DIRECTORY ResDir;
5504	} u;
5505	RTTIMESPEC TimeSpec;
5506	char szTmp[64];
5507
5508	/*
5509	* Print basic file information available via NtQueryInformationFile.
5510	*/
5511	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
5512	rcNt = NtQueryInformationFile(hFile, &Ios, &u.BasicInfo, sizeof(u.BasicInfo), FileBasicInformation);
5513	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5514	{
5515	SUP_DPRINTF((" CreationTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.CreationTime.QuadPart), szTmp, sizeof(szTmp))));
5516	/SUP_DPRINTF((" LastAccessTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastAccessTime.QuadPart), szTmp, sizeof(szTmp))));/
5517	SUP_DPRINTF((" LastWriteTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.LastWriteTime.QuadPart), szTmp, sizeof(szTmp))));
5518	SUP_DPRINTF((" ChangeTime: %s\n", RTTimeSpecToString(RTTimeSpecSetNtTime(&TimeSpec, u.BasicInfo.ChangeTime.QuadPart), szTmp, sizeof(szTmp))));
5519	SUP_DPRINTF((" FileAttributes: %#x\n", u.BasicInfo.FileAttributes));
5520	}
5521	else
5522	SUP_DPRINTF((" FileBasicInformation -> %#x %#x\n", rcNt, Ios.Status));
5523
5524	rcNt = NtQueryInformationFile(hFile, &Ios, &u.StdInfo, sizeof(u.StdInfo), FileStandardInformation);
5525	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5526	SUP_DPRINTF((" Size: %#llx\n", u.StdInfo.EndOfFile.QuadPart));
5527	else
5528	SUP_DPRINTF((" FileStandardInformation -> %#x %#x\n", rcNt, Ios.Status));
5529
5530	/*
5531	* Read the image header and extract the timestamp and other useful info.
5532	*/
5533	RT_ZERO(u);
5534	LARGE_INTEGER offRead;
5535	offRead.QuadPart = 0;
5536	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
5537	&u, (ULONG)sizeof(u), &offRead, NULL);
5538	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5539	{
5540	uint32_t offNtHdrs = 0;
5541	if (u.MzHdr.e_magic == IMAGE_DOS_SIGNATURE)
5542	offNtHdrs = u.MzHdr.e_lfanew;
5543	if (offNtHdrs < sizeof(u) - sizeof(IMAGE_NT_HEADERS))
5544	{
5545	PIMAGE_NT_HEADERS64 pNtHdrs64 = (PIMAGE_NT_HEADERS64)&u.abBuf[offNtHdrs];
5546	PIMAGE_NT_HEADERS32 pNtHdrs32 = (PIMAGE_NT_HEADERS32)&u.abBuf[offNtHdrs];
5547	if (pNtHdrs64->Signature == IMAGE_NT_SIGNATURE)
5548	{
5549	SUP_DPRINTF((" NT Headers: %#x\n", offNtHdrs));
5550	SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp));
5551	SUP_DPRINTF((" Machine: %#x%s\n", pNtHdrs64->FileHeader.Machine,
5552	pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ? " - i386"
5553	: pNtHdrs64->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64 ? " - amd64" : ""));
5554	SUP_DPRINTF((" Timestamp: %#x\n", pNtHdrs64->FileHeader.TimeDateStamp));
5555	SUP_DPRINTF((" Image Version: %u.%u\n",
5556	pNtHdrs64->OptionalHeader.MajorImageVersion, pNtHdrs64->OptionalHeader.MinorImageVersion));
5557	SUP_DPRINTF((" SizeOfImage: %#x (%u)\n", pNtHdrs64->OptionalHeader.SizeOfImage, pNtHdrs64->OptionalHeader.SizeOfImage));
5558
5559	/*
5560	* Very crude way to extract info from the file version resource.
5561	*/
5562	PIMAGE_SECTION_HEADER paSectHdrs = (PIMAGE_SECTION_HEADER)( (uintptr_t)&pNtHdrs64->OptionalHeader
5563	+ pNtHdrs64->FileHeader.SizeOfOptionalHeader);
5564	IMAGE_DATA_DIRECTORY RsrcDir = { 0, 0 };
5565	if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER64)
5566	&& pNtHdrs64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE)
5567	RsrcDir = pNtHdrs64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
5568	else if ( pNtHdrs64->FileHeader.SizeOfOptionalHeader == sizeof(IMAGE_OPTIONAL_HEADER32)
5569	&& pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE)
5570	RsrcDir = pNtHdrs32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
5571	SUP_DPRINTF((" Resource Dir: %#x LB %#x\n", RsrcDir.VirtualAddress, RsrcDir.Size));
5572	if ( RsrcDir.VirtualAddress > offNtHdrs
5573	&& RsrcDir.Size > 0
5574	&& (uintptr_t)&u + sizeof(u) - (uintptr_t)paSectHdrs
5575	>= pNtHdrs64->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) )
5576	{
5577	uint32_t uRvaRsrcSect = 0;
5578	uint32_t cbRsrcSect = 0;
5579	uint32_t offRsrcSect = 0;
5580	offRead.QuadPart = 0;
5581	for (uint32_t i = 0; i < pNtHdrs64->FileHeader.NumberOfSections; i++)
5582	{
5583	uRvaRsrcSect = paSectHdrs[i].VirtualAddress;
5584	cbRsrcSect = paSectHdrs[i].Misc.VirtualSize;
5585	offRsrcSect = paSectHdrs[i].PointerToRawData;
5586	if ( RsrcDir.VirtualAddress - uRvaRsrcSect < cbRsrcSect
5587	&& offRsrcSect > offNtHdrs)
5588	{
5589	offRead.QuadPart = offRsrcSect + (RsrcDir.VirtualAddress - uRvaRsrcSect);
5590	break;
5591	}
5592	}
5593	if (offRead.QuadPart > 0)
5594	{
5595	RT_ZERO(u);
5596	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
5597	&u, (ULONG)sizeof(u), &offRead, NULL);
5598	PCRTUTF16 pwcVersionData = &u.awcBuf[0];
5599	size_t cbVersionData = sizeof(u);
5600
5601	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5602	{
5603	/* Make it less crude by try find the version resource data. */
5604	uint32_t cbVersion;
5605	uint32_t uRvaVersion = supR3HardenedFindVersionRsrcRva(&u.ResDir, sizeof(u), &cbVersion);
5606	NOREF(uRvaVersion);
5607	if ( uRvaVersion != UINT32_MAX
5608	&& cbVersion < cbRsrcSect
5609	&& uRvaVersion - uRvaRsrcSect <= cbRsrcSect - cbVersion)
5610	{
5611	uint32_t const offVersion = uRvaVersion - uRvaRsrcSect;
5612	if ( offVersion < sizeof(u)
5613	&& offVersion + cbVersion <= sizeof(u))
5614	{
5615	pwcVersionData = (PCRTUTF16)&u.abBuf[offVersion];
5616	cbVersionData = cbVersion;
5617	}
5618	else
5619	{
5620	offRead.QuadPart = offVersion + offRsrcSect;
5621	RT_ZERO(u);
5622	rcNt = NtReadFile(hFile, NULL /hEvent/, NULL /ApcRoutine/, NULL /ApcContext/, &Ios,
5623	&u, (ULONG)sizeof(u), &offRead, NULL);
5624	pwcVersionData = &u.awcBuf[0];
5625	cbVersionData = RT_MIN(cbVersion, sizeof(u));
5626	}
5627	}
5628	}
5629
5630	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
5631	{
5632	static const struct { PCRTUTF16 pwsz; size_t cb; bool fRet; } s_abFields[] =
5633	{
5634	#define MY_WIDE_STR_TUPLE(a_sz, a_fRet) { L ## a_sz, sizeof(L ## a_sz) - sizeof(RTUTF16), a_fRet }
5635	MY_WIDE_STR_TUPLE("ProductName", false),
5636	MY_WIDE_STR_TUPLE("ProductVersion", false),
5637	MY_WIDE_STR_TUPLE("FileVersion", true),
5638	MY_WIDE_STR_TUPLE("SpecialBuild", false),
5639	MY_WIDE_STR_TUPLE("PrivateBuild", false),
5640	MY_WIDE_STR_TUPLE("FileDescription", false),
5641	#undef MY_WIDE_STR_TUPLE
5642	};
5643	for (uint32_t i = 0; i < RT_ELEMENTS(s_abFields); i++)
5644	{
5645	if (cbVersionData <= s_abFields[i].cb + 10)
5646	continue;
5647	size_t cwcLeft = (cbVersionData - s_abFields[i].cb - 10) / sizeof(RTUTF16);
5648	PCRTUTF16 pwc = pwcVersionData;
5649	RTUTF16 const wcFirst = *s_abFields[i].pwsz;
5650	while (cwcLeft-- > 0)
5651	{
5652	if ( pwc[0] == 1 /* wType == text */
5653	&& pwc[1] == wcFirst)
5654	{
5655	if (memcmp(pwc + 1, s_abFields[i].pwsz, s_abFields[i].cb + sizeof(RTUTF16)) == 0)
5656	{
5657	size_t cwcField = s_abFields[i].cb / sizeof(RTUTF16);
5658	pwc += cwcField + 2;
5659	cwcLeft -= cwcField + 2;
5660	for (uint32_t iPadding = 0; iPadding < 3; iPadding++, pwc++, cwcLeft--)
5661	if (*pwc)
5662	break;
5663	int rc = RTUtf16ValidateEncodingEx(pwc, cwcLeft,
5664	RTSTR_VALIDATE_ENCODING_ZERO_TERMINATED);
5665	if (RT_SUCCESS(rc))
5666	{
5667	SUP_DPRINTF((" %ls:%*s %ls",
5668	s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", pwc));
5669	if ( s_abFields[i].fRet
5670	&& pwszFileVersion
5671	&& cwcFileVersion > 1)
5672	RTUtf16Copy(pwszFileVersion, cwcFileVersion, pwc);
5673	}
5674	else
5675	SUP_DPRINTF((" %ls:%*s rc=%Rrc",
5676	s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", rc));
5677
5678	break;
5679	}
5680	}
5681	pwc++;
5682	}
5683	}
5684	}
5685	else
5686	SUP_DPRINTF((" NtReadFile @%#llx -> %#x %#x\n", offRead.QuadPart, rcNt, Ios.Status));
5687	}
5688	else
5689	SUP_DPRINTF((" Resource section not found.\n"));
5690	}
5691	}
5692	else
5693	SUP_DPRINTF((" Nt Headers @%#x: Invalid signature\n", offNtHdrs));
5694	}
5695	else
5696	SUP_DPRINTF((" Nt Headers @%#x: out side buffer\n", offNtHdrs));
5697	}
5698	else
5699	SUP_DPRINTF((" NtReadFile @0 -> %#x %#x\n", rcNt, Ios.Status));
5700	NtClose(hFile);
5701	}
5702	}
5703
5704
5705	/**
5706	* Scans the Driver directory for drivers which may invade our processes.
5707	*
5708	* @returns Mask of SUPHARDNT_ADVERSARY_XXX flags.
5709	*
5710	* @remarks The enumeration of \\Driver normally requires administrator
5711	* privileges. So, the detection we're doing here isn't always gonna
5712	* work just based on that.
5713	*
5714	* @todo Find drivers in \\FileSystems as well, then we could detect VrNsdDrv
5715	* from ViRobot APT Shield 2.0.
5716	*/
5717	static uint32_t supR3HardenedWinFindAdversaries(void)
5718	{
5719	static const struct
5720	{
5721	uint32_t fAdversary;
5722	const char *pszDriver;
5723	} s_aDrivers[] =
5724	{
5725	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, "SysPlant" },
5726
5727	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SRTSPX" },
5728	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymDS" },
5729	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymEvent" },
5730	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymIRON" },
5731	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, "SymNetS" },
5732
5733	{ SUPHARDNT_ADVERSARY_AVAST, "aswHwid" },
5734	{ SUPHARDNT_ADVERSARY_AVAST, "aswMonFlt" },
5735	{ SUPHARDNT_ADVERSARY_AVAST, "aswRdr2" },
5736	{ SUPHARDNT_ADVERSARY_AVAST, "aswRvrt" },
5737	{ SUPHARDNT_ADVERSARY_AVAST, "aswSnx" },
5738	{ SUPHARDNT_ADVERSARY_AVAST, "aswsp" },
5739	{ SUPHARDNT_ADVERSARY_AVAST, "aswStm" },
5740	{ SUPHARDNT_ADVERSARY_AVAST, "aswVmm" },
5741
5742	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmcomm" },
5743	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmactmon" },
5744	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmevtmgr" },
5745	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmtdi" },
5746	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmebc64" }, /* Titanium internet security, not officescan. */
5747	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmeevw" }, /* Titanium internet security, not officescan. */
5748	{ SUPHARDNT_ADVERSARY_TRENDMICRO, "tmciesc" }, /* Titanium internet security, not officescan. */
5749
5750	{ SUPHARDNT_ADVERSARY_MCAFEE, "cfwids" },
5751	{ SUPHARDNT_ADVERSARY_MCAFEE, "McPvDrv" },
5752	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfeapfk" },
5753	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfeavfk" },
5754	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfefirek" },
5755	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfehidk" },
5756	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfencbdc" },
5757	{ SUPHARDNT_ADVERSARY_MCAFEE, "mfewfpk" },
5758
5759	{ SUPHARDNT_ADVERSARY_KASPERSKY, "kl1" },
5760	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klflt" },
5761	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klif" },
5762	{ SUPHARDNT_ADVERSARY_KASPERSKY, "KLIM6" },
5763	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klkbdflt" },
5764	{ SUPHARDNT_ADVERSARY_KASPERSKY, "klmouflt" },
5765	{ SUPHARDNT_ADVERSARY_KASPERSKY, "kltdi" },
5766	{ SUPHARDNT_ADVERSARY_KASPERSKY, "kneps" },
5767
5768	{ SUPHARDNT_ADVERSARY_MBAM, "MBAMWebAccessControl" },
5769	{ SUPHARDNT_ADVERSARY_MBAM, "mbam" },
5770	{ SUPHARDNT_ADVERSARY_MBAM, "mbamchameleon" },
5771	{ SUPHARDNT_ADVERSARY_MBAM, "mwav" },
5772	{ SUPHARDNT_ADVERSARY_MBAM, "mbamswissarmy" },
5773
5774	{ SUPHARDNT_ADVERSARY_AVG, "avgfwfd" },
5775	{ SUPHARDNT_ADVERSARY_AVG, "avgtdia" },
5776
5777	{ SUPHARDNT_ADVERSARY_PANDA, "PSINAflt" },
5778	{ SUPHARDNT_ADVERSARY_PANDA, "PSINFile" },
5779	{ SUPHARDNT_ADVERSARY_PANDA, "PSINKNC" },
5780	{ SUPHARDNT_ADVERSARY_PANDA, "PSINProc" },
5781	{ SUPHARDNT_ADVERSARY_PANDA, "PSINProt" },
5782	{ SUPHARDNT_ADVERSARY_PANDA, "PSINReg" },
5783	{ SUPHARDNT_ADVERSARY_PANDA, "PSKMAD" },
5784	{ SUPHARDNT_ADVERSARY_PANDA, "NNSAlpc" },
5785	{ SUPHARDNT_ADVERSARY_PANDA, "NNSHttp" },
5786	{ SUPHARDNT_ADVERSARY_PANDA, "NNShttps" },
5787	{ SUPHARDNT_ADVERSARY_PANDA, "NNSIds" },
5788	{ SUPHARDNT_ADVERSARY_PANDA, "NNSNAHSL" },
5789	{ SUPHARDNT_ADVERSARY_PANDA, "NNSpicc" },
5790	{ SUPHARDNT_ADVERSARY_PANDA, "NNSPihsw" },
5791	{ SUPHARDNT_ADVERSARY_PANDA, "NNSPop3" },
5792	{ SUPHARDNT_ADVERSARY_PANDA, "NNSProt" },
5793	{ SUPHARDNT_ADVERSARY_PANDA, "NNSPrv" },
5794	{ SUPHARDNT_ADVERSARY_PANDA, "NNSSmtp" },
5795	{ SUPHARDNT_ADVERSARY_PANDA, "NNSStrm" },
5796	{ SUPHARDNT_ADVERSARY_PANDA, "NNStlsc" },
5797
5798	{ SUPHARDNT_ADVERSARY_MSE, "NisDrv" },
5799
5800	/{ SUPHARDNT_ADVERSARY_COMODO, "cmdguard" }, file system /
5801	{ SUPHARDNT_ADVERSARY_COMODO, "inspect" },
5802	{ SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" },
5803
5804	{ SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, "dgmaster" },
5805
5806	{ SUPHARDNT_ADVERSARY_CYLANCE, "cyprotectdrv" }, /* Not verified. */
5807
5808	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, "privman" }, /* Not verified. */
5809
5810	{ SUPHARDNT_ADVERSARY_AVECTO, "PGDriver" },
5811	};
5812
5813	static const struct
5814	{
5815	uint32_t fAdversary;
5816	PCRTUTF16 pwszFile;
5817	} s_aFiles[] =
5818	{
5819	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\drivers\\SysPlant.sys" },
5820	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\sysfer.dll" },
5821	{ SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT, L"\\SystemRoot\\System32\\sysferThunk.dll" },
5822
5823	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ccsetx64.sys" },
5824	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\ironx64.sys" },
5825	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtsp64.sys" },
5826	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\srtspx64.sys" },
5827	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symds64.sys" },
5828	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symefa64.sys" },
5829	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symelam.sys" },
5830	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\N360x64\\1505000.013\\symnets.sys" },
5831	{ SUPHARDNT_ADVERSARY_SYMANTEC_N360, L"\\SystemRoot\\System32\\drivers\\symevent64x86.sys" },
5832
5833	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswHwid.sys" },
5834	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswMonFlt.sys" },
5835	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRdr2.sys" },
5836	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswRvrt.sys" },
5837	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswSnx.sys" },
5838	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswsp.sys" },
5839	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswStm.sys" },
5840	{ SUPHARDNT_ADVERSARY_AVAST, L"\\SystemRoot\\System32\\drivers\\aswVmm.sys" },
5841
5842	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmcomm.sys" },
5843	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmactmon.sys" },
5844	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmevtmgr.sys" },
5845	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmtdi.sys" },
5846	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmebc64.sys" },
5847	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmeevw.sys" },
5848	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmciesc.sys" },
5849	{ SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE, L"\\SystemRoot\\System32\\drivers\\sakfile.sys" }, /* Data Loss Prevention, not officescan. */
5850	{ SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\sakcd.sys" }, /* Data Loss Prevention, not officescan. */
5851
5852
5853	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\cfwids.sys" },
5854	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\McPvDrv.sys" },
5855	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeapfk.sys" },
5856	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfeavfk.sys" },
5857	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfefirek.sys" },
5858	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfehidk.sys" },
5859	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfencbdc.sys" },
5860	{ SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\mfewfpk.sys" },
5861
5862	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kl1.sys" },
5863	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klflt.sys" },
5864	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klif.sys" },
5865	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klim6.sys" },
5866	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klkbdflt.sys" },
5867	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\klmouflt.sys" },
5868	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kltdi.sys" },
5869	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\drivers\\kneps.sys" },
5870	{ SUPHARDNT_ADVERSARY_KASPERSKY, L"\\SystemRoot\\System32\\klfphc.dll" },
5871
5872	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\MBAMSwissArmy.sys" },
5873	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mwac.sys" },
5874	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbamchameleon.sys" },
5875	{ SUPHARDNT_ADVERSARY_MBAM, L"\\SystemRoot\\System32\\drivers\\mbam.sys" },
5876
5877	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgrkx64.sys" },
5878	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgmfx64.sys" },
5879	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsdrivera.sys" },
5880	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgidsha.sys" },
5881	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgtdia.sys" },
5882	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgloga.sys" },
5883	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgldx64.sys" },
5884	{ SUPHARDNT_ADVERSARY_AVG, L"\\SystemRoot\\System32\\drivers\\avgdiska.sys" },
5885
5886	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINAflt.sys" },
5887	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINFile.sys" },
5888	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINKNC.sys" },
5889	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProc.sys" },
5890	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINProt.sys" },
5891	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSINReg.sys" },
5892	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\PSKMAD.sys" },
5893	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSAlpc.sys" },
5894	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSHttp.sys" },
5895	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNShttps.sys" },
5896	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSIds.sys" },
5897	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSNAHSL.sys" },
5898	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSpicc.sys" },
5899	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPihsw.sys" },
5900	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPop3.sys" },
5901	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSProt.sys" },
5902	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSPrv.sys" },
5903	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSSmtp.sys" },
5904	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNSStrm.sys" },
5905	{ SUPHARDNT_ADVERSARY_PANDA, L"\\SystemRoot\\System32\\drivers\\NNStlsc.sys" },
5906
5907	{ SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\MpFilter.sys" },
5908	{ SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\NisDrvWFP.sys" },
5909
5910	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdguard.sys" },
5911	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmderd.sys" },
5912	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\inspect.sys" },
5913	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdhlp.sys" },
5914	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cfrmd.sys" },
5915	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\hmd.sys" },
5916	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\guard64.dll" },
5917	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdvrt64.dll" },
5918	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdkbd64.dll" },
5919	{ SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdcsr.dll" },
5920
5921	{ SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\drivers\\vsdatant.sys" },
5922	{ SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\AntiTheftCredentialProvider.dll" },
5923
5924	{ SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" },
5925
5926	{ SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv32.sys" },
5927	{ SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv64.sys" },
5928
5929	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\drivers\\privman.sys" },
5930	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman64.dll" },
5931	{ SUPHARDNT_ADVERSARY_BEYONDTRUST, L"\\SystemRoot\\System32\\privman32.dll" },
5932
5933	{ SUPHARDNT_ADVERSARY_AVECTO, L"\\SystemRoot\\System32\\drivers\\PGDriver.sys" },
5934	};
5935
5936	uint32_t fFound = 0;
5937
5938	/*
5939	* Open the driver object directory.
5940	*/
5941	UNICODE_STRING NtDirName = RTNT_CONSTANT_UNISTR(L"\\Driver");
5942
5943	OBJECT_ATTRIBUTES ObjAttr;
5944	InitializeObjectAttributes(&ObjAttr, &NtDirName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
5945
5946	HANDLE hDir;
5947	NTSTATUS rcNt = NtOpenDirectoryObject(&hDir, DIRECTORY_QUERY \| FILE_LIST_DIRECTORY, &ObjAttr);
5948	#ifdef VBOX_STRICT
5949	if (rcNt != STATUS_ACCESS_DENIED) /* non-admin */
5950	SUPR3HARDENED_ASSERT_NT_SUCCESS(rcNt);
5951	#endif
5952	if (NT_SUCCESS(rcNt))
5953	{
5954	/*
5955	* Enumerate it, looking for the driver.
5956	*/
5957	ULONG uObjDirCtx = 0;
5958	for (;;)
5959	{
5960	uint32_t abBuffer[_64K + _1K];
5961	ULONG cbActual;
5962	rcNt = NtQueryDirectoryObject(hDir,
5963	abBuffer,
5964	sizeof(abBuffer) - 4, /* minus four for string terminator space. */
5965	FALSE /ReturnSingleEntry /,
5966	FALSE /RestartScan/,
5967	&uObjDirCtx,
5968	&cbActual);
5969	if (!NT_SUCCESS(rcNt) \|\| cbActual < sizeof(OBJECT_DIRECTORY_INFORMATION))
5970	break;
5971
5972	POBJECT_DIRECTORY_INFORMATION pObjDir = (POBJECT_DIRECTORY_INFORMATION)abBuffer;
5973	while (pObjDir->Name.Length != 0)
5974	{
5975	WCHAR wcSaved = pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)];
5976	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = '\0';
5977
5978	for (uint32_t i = 0; i < RT_ELEMENTS(s_aDrivers); i++)
5979	if (RTUtf16ICmpAscii(pObjDir->Name.Buffer, s_aDrivers[i].pszDriver) == 0)
5980	{
5981	fFound \|= s_aDrivers[i].fAdversary;
5982	SUP_DPRINTF(("Found driver %s (%#x)\n", s_aDrivers[i].pszDriver, s_aDrivers[i].fAdversary));
5983	break;
5984	}
5985
5986	pObjDir->Name.Buffer[pObjDir->Name.Length / sizeof(WCHAR)] = wcSaved;
5987
5988	/* Next directory entry. */
5989	pObjDir++;
5990	}
5991	}
5992
5993	NtClose(hDir);
5994	}
5995	else
5996	SUP_DPRINTF(("NtOpenDirectoryObject failed on \\Driver: %#x\n", rcNt));
5997
5998	/*
5999	* Look for files.
6000	*/
6001	for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
6002	{
6003	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
6004	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
6005	UNICODE_STRING UniStrName;
6006	UniStrName.Buffer = (WCHAR *)s_aFiles[i].pwszFile;
6007	UniStrName.Length = (USHORT)(RTUtf16Len(s_aFiles[i].pwszFile) * sizeof(WCHAR));
6008	UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);
6009	InitializeObjectAttributes(&ObjAttr, &UniStrName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
6010	rcNt = NtCreateFile(&hFile, GENERIC_READ \| SYNCHRONIZE, &ObjAttr, &Ios, NULL /* Allocation Size*/,
6011	FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
6012	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT, NULL /EaBuffer/, 0 /EaLength/);
6013	if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status))
6014	{
6015	fFound \|= s_aFiles[i].fAdversary;
6016	NtClose(hFile);
6017	}
6018	}
6019
6020	/*
6021	* Log details and upgrade select adversaries.
6022	*/
6023	SUP_DPRINTF(("supR3HardenedWinFindAdversaries: %#x\n", fFound));
6024	for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
6025	if (s_aFiles[i].fAdversary & fFound)
6026	{
6027	if (!(s_aFiles[i].fAdversary & SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD))
6028	supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, NULL, 0);
6029	else
6030	{
6031	/*
6032	* See if it's a newer version of the driver which doesn't BSODs when we free
6033	* its memory. To use RTStrVersionCompare we do a rough UTF-16 -> ASCII conversion.
6034	*/
6035	union
6036	{
6037	char szFileVersion[64];
6038	RTUTF16 wszFileVersion[32];
6039	} uBuf;
6040	supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, uBuf.wszFileVersion, RT_ELEMENTS(uBuf.wszFileVersion));
6041	if (uBuf.wszFileVersion[0])
6042	{
6043	for (uint32_t off = 0; off < RT_ELEMENTS(uBuf.wszFileVersion); off++)
6044	{
6045	RTUTF16 wch = uBuf.wszFileVersion[off];
6046	uBuf.szFileVersion[off] = (char)wch;
6047	if (!wch)
6048	break;
6049	}
6050	uBuf.szFileVersion[RT_ELEMENTS(uBuf.wszFileVersion)] = '\0';
6051	#define VER_IN_RANGE(a_pszFirst, a_pszLast) \
6052	(RTStrVersionCompare(uBuf.szFileVersion, a_pszFirst) >= 0 && RTStrVersionCompare(uBuf.szFileVersion, a_pszLast) <= 0)
6053	if ( VER_IN_RANGE("7.3.2.0000", "999999999.9.9.9999")
6054	\|\| VER_IN_RANGE("7.3.1.1000", "7.3.1.3000")
6055	\|\| VER_IN_RANGE("7.3.0.3000", "7.3.0.999999999")
6056	\|\| VER_IN_RANGE("7.2.1.3000", "7.2.999999999.999999999") )
6057	{
6058	uint32_t const fOldFound = fFound;
6059	fFound = (fOldFound & ~SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)
6060	\| SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW;
6061	SUP_DPRINTF(("supR3HardenedWinFindAdversaries: Found newer version: %#x -> %#x\n", fOldFound, fFound));
6062	}
6063	}
6064	}
6065	}
6066
6067	return fFound;
6068	}
6069
6070
6071	extern "C" int main(int argc, char argv, char envp);
6072
6073	/**
6074	* The executable entry point.
6075	*
6076	* This is normally taken care of by the C runtime library, but we don't want to
6077	* get involved with anything as complicated like the CRT in this setup. So, we
6078	* it everything ourselves, including parameter parsing.
6079	*/
6080	extern "C" void __stdcall suplibHardenedWindowsMain(void)
6081	{
6082	RTEXITCODE rcExit = RTEXITCODE_FAILURE;
6083
6084	g_cSuplibHardenedWindowsMainCalls++;
6085	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EP_CALLED;
6086
6087	/*
6088	* Initialize the NTDLL API wrappers. This aims at bypassing patched NTDLL
6089	* in all the processes leading up the VM process.
6090	*/
6091	supR3HardenedWinInitImports();
6092	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED;
6093
6094	/*
6095	* Notify the parent process that we're probably capable of reporting our
6096	* own errors.
6097	*/
6098	if (g_ProcParams.hEvtParent \|\| g_ProcParams.hEvtChild)
6099	{
6100	SUPR3HARDENED_ASSERT(g_fSupEarlyProcessInit);
6101
6102	g_ProcParams.enmRequest = kSupR3WinChildReq_CloseEvents;
6103	NtSetEvent(g_ProcParams.hEvtParent, NULL);
6104
6105	NtClose(g_ProcParams.hEvtParent);
6106	NtClose(g_ProcParams.hEvtChild);
6107	g_ProcParams.hEvtParent = NULL;
6108	g_ProcParams.hEvtChild = NULL;
6109	}
6110	else
6111	SUPR3HARDENED_ASSERT(!g_fSupEarlyProcessInit);
6112
6113	/*
6114	* After having resolved imports we patch the LdrInitializeThunk code so
6115	* that it's more difficult to invade our privacy by CreateRemoteThread.
6116	* We'll re-enable this after opening the driver or temporarily while respawning.
6117	*/
6118	supR3HardenedWinDisableThreadCreation();
6119
6120	/*
6121	* Init g_uNtVerCombined. (The code is shared with SUPR3.lib and lives in
6122	* SUPHardenedVerfiyImage-win.cpp.)
6123	*/
6124	supR3HardenedWinInitVersion(false /fEarly/);
6125	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERSION_INITIALIZED;
6126
6127	/*
6128	* Convert the arguments to UTF-8 and open the log file if specified.
6129	* This must be done as early as possible since the code below may fail.
6130	*/
6131	PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
6132	int cArgs;
6133	char **papszArgs = suplibCommandLineToArgvWStub(pCmdLineStr->Buffer, pCmdLineStr->Length / sizeof(WCHAR), &cArgs);
6134
6135	supR3HardenedOpenLog(&cArgs, papszArgs);
6136
6137	/*
6138	* Log information about important system files.
6139	*/
6140	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\ntdll.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6141	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\kernel32.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6142	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\KernelBase.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6143	supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\apisetschema.dll", NULL /pwszFileVersion/, 0 /cwcFileVersion/);
6144
6145	/*
6146	* Scan the system for adversaries, logging information about them.
6147	*/
6148	g_fSupAdversaries = supR3HardenedWinFindAdversaries();
6149
6150	/*
6151	* Get the executable name, make sure it's the long version.
6152	*/
6153	DWORD cwcExecName = GetModuleFileNameW(GetModuleHandleW(NULL), g_wszSupLibHardenedExePath,
6154	RT_ELEMENTS(g_wszSupLibHardenedExePath));
6155	if (cwcExecName >= RT_ELEMENTS(g_wszSupLibHardenedExePath))
6156	supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, VERR_BUFFER_OVERFLOW,
6157	"The executable path is too long.");
6158
6159	RTUTF16 wszLong[RT_ELEMENTS(g_wszSupLibHardenedExePath)];
6160	DWORD cwcLong = GetLongPathNameW(g_wszSupLibHardenedExePath, wszLong, RT_ELEMENTS(wszLong));
6161	if (cwcLong > 0)
6162	{
6163	memcpy(g_wszSupLibHardenedExePath, wszLong, (cwcLong + 1) * sizeof(RTUTF16));
6164	cwcExecName = cwcLong;
6165	}
6166
6167	/* The NT version of it. */
6168	HANDLE hFile = CreateFileW(g_wszSupLibHardenedExePath, GENERIC_READ, FILE_SHARE_READ, NULL /pSecurityAttributes/,
6169	OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL /hTemplateFile/);
6170	if (hFile == NULL \|\| hFile == INVALID_HANDLE_VALUE)
6171	supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, RTErrConvertFromWin32(RtlGetLastWin32Error()),
6172	"Error opening the executable: %u (%ls).", RtlGetLastWin32Error());
6173	RT_ZERO(g_SupLibHardenedExeNtPath);
6174	ULONG cbIgn;
6175	NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &g_SupLibHardenedExeNtPath,
6176	sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbIgn);
6177	if (!NT_SUCCESS(rcNt))
6178	supR3HardenedFatalMsg("suplibHardenedWindowsMain", kSupInitOp_Integrity, RTErrConvertFromNtStatus(rcNt),
6179	"NtQueryObject -> %#x (on %ls)\n", rcNt, g_wszSupLibHardenedExePath);
6180	NtClose(hFile);
6181
6182	/* The NT executable name offset / dir path length. */
6183	g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
6184	while ( g_offSupLibHardenedExeNtName > 1
6185	&& g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
6186	g_offSupLibHardenedExeNtName--;
6187
6188	/*
6189	* Preliminary app binary path init. May change when SUPR3HardenedMain is
6190	* called (via main below).
6191	*/
6192	supR3HardenedWinInitAppBin(SUPSECMAIN_FLAGS_LOC_APP_BIN);
6193
6194	/*
6195	* If we've done early init already, register the DLL load notification
6196	* callback and reinstall the NtDll patches.
6197	*/
6198	if (g_fSupEarlyProcessInit)
6199	{
6200	supR3HardenedWinRegisterDllNotificationCallback();
6201	supR3HardenedWinReInstallHooks(false /fFirstCall /);
6202	}
6203
6204	/*
6205	* Call the C/C++ main function.
6206	*/
6207	SUP_DPRINTF(("Calling main()\n"));
6208	rcExit = (RTEXITCODE)main(cArgs, papszArgs, NULL);
6209
6210	/*
6211	* Exit the process (never return).
6212	*/
6213	SUP_DPRINTF(("Terminating the normal way: rcExit=%d\n", rcExit));
6214	suplibHardenedExit(rcExit);
6215	}
6216
6217
6218	/**
6219	* Reports an error to the parent process via the process parameter structure.
6220	*
6221	* @param pszWhere Where this error occured, if fatal message. NULL
6222	* if not message.
6223	* @param enmWhat Which init operation went wrong if fatal
6224	* message. kSupInitOp_Invalid if not message.
6225	* @param rc The status code to report.
6226	* @param pszFormat The format string.
6227	* @param va The format arguments.
6228	*/
6229	DECLHIDDEN(void) supR3HardenedWinReportErrorToParent(const char *pszWhere, SUPINITOP enmWhat, int rc,
6230	const char *pszFormat, va_list va)
6231	{
6232	if (pszWhere)
6233	RTStrCopy(g_ProcParams.szWhere, sizeof(g_ProcParams.szWhere), pszWhere);
6234	else
6235	g_ProcParams.szWhere[0] = '\0';
6236	RTStrPrintfV(g_ProcParams.szErrorMsg, sizeof(g_ProcParams.szErrorMsg), pszFormat, va);
6237	g_ProcParams.enmWhat = enmWhat;
6238	g_ProcParams.rc = RT_SUCCESS(rc) ? VERR_INTERNAL_ERROR_2 : rc;
6239	g_ProcParams.enmRequest = kSupR3WinChildReq_Error;
6240
6241	NtClearEvent(g_ProcParams.hEvtChild);
6242	NTSTATUS rcNt = NtSetEvent(g_ProcParams.hEvtParent, NULL);
6243	if (NT_SUCCESS(rcNt))
6244	{
6245	LARGE_INTEGER Timeout;
6246	Timeout.QuadPart = -300000000; /* 30 second */
6247	/NTSTATUS rcNt =/ NtWaitForSingleObject(g_ProcParams.hEvtChild, FALSE /Alertable/, &Timeout);
6248	}
6249	}
6250
6251
6252	/**
6253	* Routine called by the supR3HardenedEarlyProcessInitThunk assembly routine
6254	* when LdrInitializeThunk is executed during process initialization.
6255	*
6256	* This initializes the Stub and VM processes, hooking NTDLL APIs and opening
6257	* the device driver before any other DLLs gets loaded into the process. This
6258	* greately reduces and controls the trusted code base of the process compared
6259	* to opening the driver from SUPR3HardenedMain. It also avoids issues with so
6260	* call protection software that is in the habit of patching half of the ntdll
6261	* and kernel32 APIs in the process, making it almost indistinguishable from
6262	* software that is up to no good. Once we've opened vboxdrv, the process
6263	* should be locked down so thighly that only kernel software and csrss can mess
6264	* with the process.
6265	*/
6266	DECLASM(uintptr_t) supR3HardenedEarlyProcessInit(void)
6267	{
6268	/*
6269	* When the first thread gets here we wait for the parent to continue with
6270	* the process purifications. The primary thread must execute for image
6271	* load notifications to trigger, at least in more recent windows versions.
6272	* The old trick of starting a different thread that terminates immediately
6273	* thus doesn't work.
6274	*
6275	* We are not allowed to modify any data at this point because it will be
6276	* reset by the child process purification the parent does when we stop. To
6277	* sabotage thread creation during purification, and to avoid unnecessary
6278	* work for the parent, we reset g_ProcParams before signalling the parent
6279	* here.
6280	*/
6281	if (g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
6282	{
6283	NtTerminateThread(0, 0);
6284	return 0x22; /* crash */
6285	}
6286
6287	/* Retrieve the data we need. */
6288	uintptr_t uNtDllAddr = ASMAtomicXchgPtrT(&g_ProcParams.uNtDllAddr, 0, uintptr_t);
6289	if (!RT_VALID_PTR(uNtDllAddr))
6290	{
6291	NtTerminateThread(0, 0);
6292	return 0x23; /* crash */
6293	}
6294
6295	HANDLE hEvtChild = g_ProcParams.hEvtChild;
6296	HANDLE hEvtParent = g_ProcParams.hEvtParent;
6297	if ( hEvtChild == NULL
6298	\|\| hEvtChild == RTNT_INVALID_HANDLE_VALUE
6299	\|\| hEvtParent == NULL
6300	\|\| hEvtParent == RTNT_INVALID_HANDLE_VALUE)
6301	{
6302	NtTerminateThread(0, 0);
6303	return 0x24; /* crash */
6304	}
6305
6306	/* Resolve the APIs we need. */
6307	PFNNTWAITFORSINGLEOBJECT pfnNtWaitForSingleObject;
6308	PFNNTSETEVENT pfnNtSetEvent;
6309	supR3HardenedWinGetVeryEarlyImports(uNtDllAddr, &pfnNtWaitForSingleObject, &pfnNtSetEvent);
6310
6311	/* Signal the parent that we're ready for purification. */
6312	RT_ZERO(g_ProcParams);
6313	g_ProcParams.enmRequest = kSupR3WinChildReq_PurifyChildAndCloseHandles;
6314	NTSTATUS rcNt = pfnNtSetEvent(hEvtParent, NULL);
6315	if (rcNt != STATUS_SUCCESS)
6316	return 0x33; /* crash */
6317
6318	/* Wait up to 2 mins for the parent to exorcise evil. */
6319	LARGE_INTEGER Timeout;
6320	Timeout.QuadPart = -1200000000; /* 120 second */
6321	rcNt = pfnNtWaitForSingleObject(hEvtChild, FALSE /Alertable/, &Timeout);
6322	if (rcNt != STATUS_SUCCESS)
6323	return 0x34; /* crash */
6324
6325	/*
6326	* We're good to go, work global state and restore process parameters.
6327	* Note that we will not restore uNtDllAddr since that is our first defence
6328	* against unwanted threads (see above).
6329	*/
6330	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_INIT_CALLED;
6331	g_fSupEarlyProcessInit = true;
6332
6333	g_ProcParams.hEvtChild = hEvtChild;
6334	g_ProcParams.hEvtParent = hEvtParent;
6335	g_ProcParams.enmRequest = kSupR3WinChildReq_Error;
6336	g_ProcParams.rc = VINF_SUCCESS;
6337
6338	/*
6339	* Initialize the NTDLL imports that we consider usable before the
6340	* process has been initialized.
6341	*/
6342	supR3HardenedWinInitImportsEarly(uNtDllAddr);
6343	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_IMPORTS_RESOLVED;
6344
6345	/*
6346	* Init g_uNtVerCombined as well as we can at this point.
6347	*/
6348	supR3HardenedWinInitVersion(true /fEarly/);
6349
6350	/*
6351	* Convert the arguments to UTF-8 so we can open the log file if specified.
6352	* We may have to normalize the pointer on older windows version (not w7/64 +).
6353	* Note! This leaks memory at present.
6354	*/
6355	PRTL_USER_PROCESS_PARAMETERS pUserProcParams = NtCurrentPeb()->ProcessParameters;
6356	UNICODE_STRING CmdLineStr = pUserProcParams->CommandLine;
6357	if ( CmdLineStr.Buffer != NULL
6358	&& !(pUserProcParams->Flags & RTL_USER_PROCESS_PARAMS_FLAG_NORMALIZED) )
6359	CmdLineStr.Buffer = (WCHAR *)((uintptr_t)CmdLineStr.Buffer + (uintptr_t)pUserProcParams);
6360	int cArgs;
6361	char **papszArgs = suplibCommandLineToArgvWStub(CmdLineStr.Buffer, CmdLineStr.Length / sizeof(WCHAR), &cArgs);
6362	supR3HardenedOpenLog(&cArgs, papszArgs);
6363	SUP_DPRINTF(("supR3HardenedVmProcessInit: uNtDllAddr=%p g_uNtVerCombined=%#x\n", uNtDllAddr, g_uNtVerCombined));
6364
6365	/*
6366	* Set up the direct system calls so we can more easily hook NtCreateSection.
6367	*/
6368	RTERRINFOSTATIC ErrInfo;
6369	supR3HardenedWinInitSyscalls(true /fReportErrors/, RTErrInfoInitStatic(&ErrInfo));
6370
6371	/*
6372	* Determine the executable path and name. Will NOT determine the windows style
6373	* executable path here as we don't need it.
6374	*/
6375	SIZE_T cbActual = 0;
6376	rcNt = NtQueryVirtualMemory(NtCurrentProcess(), &g_ProcParams, MemorySectionName, &g_SupLibHardenedExeNtPath,
6377	sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbActual);
6378	if ( !NT_SUCCESS(rcNt)
6379	\|\| g_SupLibHardenedExeNtPath.UniStr.Length == 0
6380	\|\| g_SupLibHardenedExeNtPath.UniStr.Length & 1)
6381	supR3HardenedFatal("NtQueryVirtualMemory/MemorySectionName failed in supR3HardenedVmProcessInit: %#x\n", rcNt);
6382
6383	/* The NT executable name offset / dir path length. */
6384	g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
6385	while ( g_offSupLibHardenedExeNtName > 1
6386	&& g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
6387	g_offSupLibHardenedExeNtName--;
6388
6389	/*
6390	* Preliminary app binary path init. May change when SUPR3HardenedMain is called.
6391	*/
6392	supR3HardenedWinInitAppBin(SUPSECMAIN_FLAGS_LOC_APP_BIN);
6393
6394	/*
6395	* Initialize the image verification stuff (hooks LdrLoadDll and NtCreateSection).
6396	*/
6397	supR3HardenedWinInit(0, false /fAvastKludge/);
6398
6399	/*
6400	* Open the driver.
6401	*/
6402	if (cArgs >= 1 && suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_1_ARG0) == 0)
6403	{
6404	SUP_DPRINTF(("supR3HardenedVmProcessInit: Opening vboxdrv stub...\n"));
6405	supR3HardenedWinOpenStubDevice();
6406	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_STUB_DEVICE_OPENED;
6407	}
6408	else if (cArgs >= 1 && suplibHardenedStrCmp(papszArgs[0], SUPR3_RESPAWN_2_ARG0) == 0)
6409	{
6410	SUP_DPRINTF(("supR3HardenedVmProcessInit: Opening vboxdrv...\n"));
6411	supR3HardenedMainOpenDevice();
6412	g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_REAL_DEVICE_OPENED;
6413	}
6414	else
6415	supR3HardenedFatal("Unexpected first argument '%s'!\n", papszArgs[0]);
6416
6417	/*
6418	* Reinstall the NtDll patches since there is a slight possibility that
6419	* someone undid them while we where busy opening the device.
6420	*/
6421	supR3HardenedWinReInstallHooks(false /fFirstCall /);
6422
6423	/*
6424	* Restore the LdrInitializeThunk code so we can initialize the process
6425	* normally when we return.
6426	*/
6427	SUP_DPRINTF(("supR3HardenedVmProcessInit: Restoring LdrInitializeThunk...\n"));
6428	PSUPHNTLDRCACHEENTRY pLdrEntry;
6429	int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry, RTErrInfoInitStatic(&ErrInfo));
6430	if (RT_FAILURE(rc))
6431	supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheOpen failed on NTDLL: %Rrc %s\n",
6432	rc, ErrInfo.Core.pszMsg);
6433
6434	uint8_t *pbBits;
6435	rc = supHardNtLdrCacheEntryGetBits(pLdrEntry, &pbBits, uNtDllAddr, NULL, NULL, RTErrInfoInitStatic(&ErrInfo));
6436	if (RT_FAILURE(rc))
6437	supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheEntryGetBits failed on NTDLL: %Rrc %s\n",
6438	rc, ErrInfo.Core.pszMsg);
6439
6440	RTLDRADDR uValue;
6441	rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbBits, uNtDllAddr, UINT32_MAX, "LdrInitializeThunk", &uValue);
6442	if (RT_FAILURE(rc))
6443	supR3HardenedFatal("supR3HardenedVmProcessInit: Failed to find LdrInitializeThunk (%Rrc).\n", rc);
6444
6445	PVOID pvLdrInitThunk = (PVOID)(uintptr_t)uValue;
6446	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READWRITE));
6447	memcpy(pvLdrInitThunk, pbBits + ((uintptr_t)uValue - uNtDllAddr), 16);
6448	SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READ));
6449
6450	SUP_DPRINTF(("supR3HardenedVmProcessInit: Returning to LdrInitializeThunk...\n"));
6451	return (uintptr_t)pvLdrInitThunk;
6452	}
6453

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp@ 78351

Download in other formats: