Changeset 106267 in vbox
- Timestamp:
- Oct 9, 2024 11:59:02 PM (7 weeks ago)
- File:
-
- 1 edited
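--- a/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
@@ -117,5 +117,5 @@
 /** Set if this is the DLL. */
 bool fDll;
-/** Set if the image is NTDLL an the verficiation code needs to watch out for
+/** Set if the image is NTDLL and the verficiation code needs to watch out for
  * the NtCreateSection patch. */
 bool fNtCreateSectionPatch;
@@ -808,8 +808,50 @@
 
 uint32_t const cbImage = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfImage : pNtHdrs->OptionalHeader.SizeOfImage;
-if (RT_ALIGN_32(pImage->cbImage, PAGE_SIZE) != RT_ALIGN_32(cbImage, PAGE_SIZE) && !pImage->fApiSetSchemaOnlySection1)
-return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-"%s: SizeOfImage (%#x) isn't close enough to the mapping size (%#x)",
-pImage->pszName, cbImage, pImage->cbImage);
+uint32_t const cbImagePgAligned = RT_ALIGN_32(cbImage, PAGE_SIZE);
+if (RT_ALIGN_32(pImage->cbImage, PAGE_SIZE) != cbImagePgAligned && !pImage->fApiSetSchemaOnlySection1)
+{
+/*
+* Since 24h2, the kernel loader appends three pages to system images (from
+* the looks of it). This manifests in an additional 2 (or 1) mapping regions,
+* one which is execute/read (one page in 27718) and a 2nd one which is reserved.
+* They both assocated with the DLL section object, so not like the typical AV
+* allocations placed right after DLLs for entertaining unsolicited code changes.
+*/
+if (pImage->cbImage < cbImagePgAligned)
+return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
+"%s: SizeOfImage (%#x) is larger than the mapping size (%#x)",
+pImage->pszName, cbImage, pImage->cbImage);
+
+/* This code has to be paranoid, so we must put some kind of limit on this extra
+space. 64KB is taken out of thin (late night office) air, as per usual. */
+if (pImage->cbImage > cbImagePgAligned + _64K)
+return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
+"%s: SizeOfImage (%#x) isn't close enough to the mapping size (%#x) - diff %#x bytes; max expected is 64KB",
+pImage->pszName, cbImage, pImage->cbImage, pImage->cbImage - cbImage);
+
+/* Locate the mapping region for the extra pages: */
+if (pImage->cRegions <= 1)
+return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
+"%s: SizeOfImage (%#x) is smaller than the mapping size (%#x) and there are less than two mapping regions!",
+pImage->pszName, cbImage, pImage->cbImage);
+uint32_t iRegion = pImage->cRegions - 1;
+while (iRegion > 0 && pImage->aRegions[iRegion].uRva > cbImagePgAligned)
+iRegion--;
+if (pImage->aRegions[iRegion].uRva != cbImagePgAligned)
+return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
+"%s: SizeOfImage (%#x) is smaller than the mapping size (%#x) and we cannot locate the region(s) for the extra space! (iRegion=%d: uRva=%#x, expected %#x)",
+pImage->pszName, cbImage, pImage->cbImage, iRegion, pImage->aRegions[iRegion].uRva,
+cbImagePgAligned);
+
+/* Check that none of the pages are both writable & executable. */
+for (uint32_t i = iRegion; i < pImage->cRegions; i++)
+if (pImage->aRegions[i].fProt & PAGE_EXECUTE_READWRITE)
+return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
+"%s: SizeOfImage (%#x) is smaller than the mapping size (%#x) and extra page %#x LB %#x are RWX (%#x)!",
+pImage->pszName, cbImage, pImage->cbImage,
+pImage->aRegions[i].uRva, pImage->aRegions[i].cb, pImage->aRegions[i].fProt);
+/** @todo more restrictions on this? */
+}
+
 if (cbImage != RTLdrSize(pImage->pCacheEntry->hLdrMod))
 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,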
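Review bot: The writable-and-executable test on the extra regions (new line 848) only matches PAGE_EXECUTE_READWRITE, so a region mapped PAGE_EXECUTE_WRITECOPY, which is equally writable and executable, passes the check; the mask should cover both: `if (pImage->aRegions[i].fProt & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))`. Since the comment at new lines 814-818 describes the expected extra mappings as one execute/read page plus a reserved one, it may be worth rejecting any writable protection (PAGE_READWRITE, PAGE_WRITECOPY) in those regions rather than only the RWX combinations, which is presumably what the `@todo` at line 853 is hinting at. The region walk at lines 837-840 confirms a region starting at cbImagePgAligned but does not verify that the regions from iRegion onward are contiguous and end at pImage->cbImage, leaving the 64KB bound as the only size constraint on the tail. The enclosing function begins and ends outside the hunk.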