Runtime

Timestamp:

Jul 5, 2024 2:44:07 AM (8 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

163791

Message:

IPRT/nocrt-startup-*win.cpp: Avoid a couple of ntdll function so as to not trigger silly AV heuristics.

Location:

trunk/src/VBox/Runtime/r3/win

Files:

: 2 edited

nocrt-startup-common-win.cpp (modified) (2 diffs)
nocrt-startup-exe-win.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/Runtime/r3/win/nocrt-startup-common-win.cpp

-              r98103
+              r105155
                 else
+                {
+# if 1              /* This dynamic stupidity is because of stupid AV heuristics. */
+                    static decltype(NtProtectVirtualMemory) *s_pfnNtProtectVirtualMemory = NULL;
+                    if (!s_pfnNtProtectVirtualMemory)
+                        s_pfnNtProtectVirtualMemory
+                            = (decltype(NtProtectVirtualMemory) *)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
+                                                                                 "NtProtectVirtualMemory");
+                    if (!s_pfnNtProtectVirtualMemory)
+                    {
+                        RT_BREAKPOINT();
+                        continue;
+                    }
+# else
+#  define s_pfnNtProtectVirtualMemory NtProtectVirtualMemory
+# endif
                     /* The section is not writable, so temporarily make it writable. */
                     PVOID pvAligned = pbToZero - ((uintptr_t)pbToZero & PAGE_OFFSET_MASK);
 …
                                     ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
                     ULONG fOldProt  = fNewProt;
                     NTSTATUS rcNt = NtProtectVirtualMemory(NtCurrentProcess(), &pvAligned, &cbAligned, fNewProt, &fOldProt);
+                    NTSTATUS rcNt = s_pfnNtProtectVirtualMemory(NtCurrentProcess(), &pvAligned, &cbAligned, fNewProt, &fOldProt);
                     if (NT_SUCCESS(rcNt))
+                    {
                         memset(pbToZero, 0, cbToZero);
                         rcNt = NtProtectVirtualMemory(NtCurrentProcess(), &pvAligned, &cbAligned, fOldProt, &fNewProt);
+                        rcNt = s_pfnNtProtectVirtualMemory(NtCurrentProcess(), &pvAligned, &cbAligned, fOldProt, &fNewProt);
+                    }
                     else

trunk/src/VBox/Runtime/r3/win/nocrt-startup-exe-win.cpp

-              r98103
+              r105155
      */
     for (;;)
+#if 1 /* Using NtTerminateProcess triggers heuristics in some annoying AV scanner.  */
+        TerminateProcess(NtCurrentProcess(), rcExit);
+#else
         NtTerminateProcess(NtCurrentProcess(), rcExit);
+#endif
+}

Note: See TracChangeset for help on using the changeset viewer.

Changeset 105155 in vbox for trunk/src/VBox/Runtime

Legend:

trunk/src/VBox/Runtime/r3/win/nocrt-startup-common-win.cpp

trunk/src/VBox/Runtime/r3/win/nocrt-startup-exe-win.cpp

Download in other formats: