Changeset 106945 in vbox for trunk/src/VBox/HostDrivers/Support

Timestamp:

Nov 12, 2024 2:41:36 AM (6 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

165871

Message:

SUPDrv,/Config.kmk,/Makefile.kmk: Implemented the simplified process validation for the VBOX_WITH_MINIMAL_HARDENING mode. jiraref:VBP-1449

Location:

trunk/src/VBox/HostDrivers/Support

Files:

• Makefile.kmk (modified) (1 diff)
• testcase/Makefile.kmk (modified) (3 diffs)
• win/SUPDrv-win.cpp (modified) (21 diffs)
• win/SUPHardenedVerifyProcess-win.cpp (modified) (53 diffs)

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -807 +807 @@
    VBoxDrv_SOURCES.win   += \
         win/SUPHardenedVerifyImage-win.cpp \
+        win/SUPHardenedVerifyProcess-win.cpp \
         $(VBOX_SUP_WIN_CERTS_FILE)
-   ifdef VBOX_WITH_HARDENING
-    VBoxDrv_SOURCES.win  += \
-        win/SUPHardenedVerifyProcess-win.cpp
-   endif
    ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT
     VBoxDrv_DEFS.win     += VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT

trunk/src/VBox/HostDrivers/Support/testcase/Makefile.kmk

@@ -78 +78 @@
 SUPUninstall_LIBS     = $(LIB_RUNTIME)
 
-SUPLoggerCtl_TEMPLATE = VBoxR3Exe
+SUPLoggerCtl_TEMPLATE = VBoxR3SignedExe
 SUPLoggerCtl_SOURCES  = SUPLoggerCtl.cpp
 SUPLoggerCtl_LIBS     = $(LIB_RUNTIME)
 
-tstInt_TEMPLATE       = VBoxR3Exe
+tstInt_TEMPLATE       = VBoxR3SignedExe
 tstInt_DEFS           = $(VMM_COMMON_DEFS)
 tstInt_SOURCES        = tstInt.cpp
 tstInt_LIBS           = $(LIB_RUNTIME)
 
-tstContiguous_TEMPLATE = VBoxR3TstExe
+tstContiguous_TEMPLATE = VBoxR3SignedTstExe
 tstContiguous_SOURCES = tstContiguous.cpp
 
-tstInit_TEMPLATE      = VBoxR3TstExe
+tstInit_TEMPLATE      = VBoxR3SignedTstExe
 tstInit_SOURCES       = tstInit.cpp
 
-tstLow_TEMPLATE       = VBoxR3TstExe
+tstLow_TEMPLATE       = VBoxR3SignedTstExe
 tstLow_SOURCES        = tstLow.cpp
 
@@ -100 +100 @@
 tstNtQueryStuff_SOURCES  = tstNtQueryStuff.cpp
 
-tstPin_TEMPLATE       = VBoxR3TstExe
+tstPin_TEMPLATE       = VBoxR3SignedTstExe
 tstPin_SOURCES        = tstPin.cpp
 
-tstPage_TEMPLATE      = VBoxR3TstExe
+tstPage_TEMPLATE      = VBoxR3SignedTstExe
 tstPage_SOURCES       = tstPage.cpp
 
@@ -130 +130 @@
  tstGIP-2_TEMPLATE  := VBoxR3HardenedTstDll
 else
- tstGIP-2_TEMPLATE  := VBoxR3TstExe
+ tstGIP-2_TEMPLATE  := VBoxR3SignedTstExe
 endif
 tstGIP-2_SOURCES = tstGIP-2.cpp
 
-tstGetPagingMode_TEMPLATE = VBoxR3TstExe
+tstGetPagingMode_TEMPLATE = VBoxR3SignedTstExe
 tstGetPagingMode_SOURCES = tstGetPagingMode.cpp
 
-tstSupLoadModule_TEMPLATE = VBoxR3TstExe
+tstSupLoadModule_TEMPLATE = VBoxR3SignedTstExe
 tstSupLoadModule_SOURCES  = tstSupLoadModule.cpp
 
-tstSupSem_TEMPLATE    = VBoxR3TstExe
+tstSupSem_TEMPLATE    = VBoxR3SignedTstExe
 tstSupSem_SOURCES     = tstSupSem.cpp
 
-tstSupSem-Zombie_TEMPLATE = VBoxR3TstExe
+tstSupSem-Zombie_TEMPLATE = VBoxR3SignedTstExe
 tstSupSem-Zombie_SOURCES  = tstSupSem-Zombie.cpp
 
-tstSupTscDelta_TEMPLATE = VBoxR3TstExe
+tstSupTscDelta_TEMPLATE = VBoxR3SignedTstExe
 tstSupTscDelta_SOURCES  = tstSupTscDelta.cpp
 

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -347 +347 @@
 static NTSTATUS _stdcall   VBoxDrvNtNotSupportedStub(PDEVICE_OBJECT pDevObj, PIRP pIrp);
 static NTSTATUS            VBoxDrvNtErr2NtStatus(int rc);
-#ifdef VBOX_WITH_HARDENING
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
 static NTSTATUS             supdrvNtProtectInit(void);
 static void                 supdrvNtProtectTerm(void);
+#endif
+#ifdef VBOX_WITH_HARDENING
 static int                  supdrvNtProtectCreate(PSUPDRVNTPROTECT *ppNtProtect, HANDLE hPid,
                                                   SUPDRVNTPROTECTKIND enmProcessKind, bool fLink);
@@ -708 +710 @@
         Log(("VBoxDrv::DriverEntry\n"));
 
-#ifdef VBOX_WITH_HARDENING
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
         /*
          * Initialize process protection.
@@ -805 +807 @@
             }
 #endif
-#ifdef VBOX_WITH_HARDENING
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
             supdrvNtProtectTerm();
 #endif
         }
-#ifdef VBOX_WITH_HARDENING
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
         else
             DbgPrint("VBoxSup::DriverEntry: supdrvNtProtectInit failed with rcNt=%#x!\n", rcNt);
@@ -1260 +1262 @@
 
 #else  /* !VBOX_WITH_HARDENING */
+# ifdef VBOX_WITH_MINIMAL_HARDENING
             /*
-             * Call common code to create a session.
+             * Check that the process is allowed to access the device, i.e. the
+             * process image is signed with the build certificate.
              */
-            pFileObj->FsContext = NULL;
-            PSUPDRVSESSION pSession;
-            rc = supdrvCreateSession(pDevExt, true /*fUser*/, pDevObj == g_pDevObjSys /*fUnrestricted*/, &pSession);
+            PRTERRINFOSTATIC pErrInfo = (PRTERRINFOSTATIC)RTMemAllocZ(sizeof(*pErrInfo));
+            rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY, 0 /*fFlags*/,
+                                             NULL, pErrInfo ? RTErrInfoInitStatic(pErrInfo) : NULL);
+            if (RT_FAILURE(rc))
+                SUPR0Printf("VBoxDrv: Checking process failed: %Rrc%#RTeim\n", rc, &pErrInfo->Core);
+            RTMemFree(pErrInfo);
+
             if (RT_SUCCESS(rc))
-            {
+# endif
+            {
+                /*
+                 * Call common code to create a session.
+                 */
+                pFileObj->FsContext = NULL;
+                PSUPDRVSESSION pSession;
+                rc = supdrvCreateSession(pDevExt, true /*fUser*/, pDevObj == g_pDevObjSys /*fUnrestricted*/, &pSession);
+                if (RT_SUCCESS(rc))
+                {
 # ifdef VBOXDRV_WITH_SID_TO_UID_MAPPING
-                rc = supdrvNtUserIdMakeForSession(pSession);
-                if (RT_SUCCESS(rc))
+                    rc = supdrvNtUserIdMakeForSession(pSession);
+                    if (RT_SUCCESS(rc))
 # endif
-                    rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
-                supdrvSessionRelease(pSession);
-                if (RT_SUCCESS(rc))
-                    return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
-
+                        rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
+                    supdrvSessionRelease(pSession);
+                    if (RT_SUCCESS(rc))
+                        return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
+
+                }
             }
 #endif /* !VBOX_WITH_HARDENING */
@@ -5454 +5472 @@
 
 # ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
-
 /**
  * Checks if the current process is being debugged.
@@ -5463 +5480 @@
     return PsIsProcessBeingDebugged(PsGetCurrentProcess()) != FALSE;
 }
-
 # endif /* !VBOX_WITHOUT_DEBUGGER_CHECKS */
 
+#endif /* VBOX_WITH_HARDENING */
+#if defined(VBOX_WITH_HARDENING) || defined(VBOX_WITH_MINIMAL_HARDENING)
 
 /**
@@ -5472 +5490 @@
 static void supdrvNtProtectTerm(void)
 {
+# ifdef VBOX_WITH_HARDENING
     /*
      * Stop intercepting process and thread handle creation calls.
@@ -5508 +5527 @@
         RTMemFree(pCur);
     }
+# endif /* VBOX_WITH_HARDENING */
 
     supHardenedWinTermImageVerifier();
 }
 
-# ifdef RT_ARCH_X86
+# ifdef VBOX_WITH_HARDENING
+#  ifdef RT_ARCH_X86
 DECLASM(void) supdrvNtQueryVirtualMemory_0xAF(void);
 DECLASM(void) supdrvNtQueryVirtualMemory_0xB0(void);
@@ -5529 +5550 @@
 DECLASM(void) supdrvNtQueryVirtualMemory_0xBD(void);
 DECLASM(void) supdrvNtQueryVirtualMemory_0xBE(void);
-# elif defined(RT_ARCH_AMD64)
+#  elif defined(RT_ARCH_AMD64)
 DECLASM(void) supdrvNtQueryVirtualMemory_0x1F(void);
 DECLASM(void) supdrvNtQueryVirtualMemory_0x20(void);
@@ -5536 +5557 @@
 DECLASM(void) supdrvNtQueryVirtualMemory_0x23(void);
 extern "C" NTSYSAPI NTSTATUS NTAPI ZwRequestWaitReplyPort(HANDLE, PVOID, PVOID);
-# endif
+#  endif
+# endif /* VBOX_WITH_HARDENING */
 
 
@@ -5550 +5572 @@
      */
 
+# ifdef VBOX_WITH_HARDENING
     /* Resolve methods we want but isn't available everywhere. */
     UNICODE_STRING RoutineName;
@@ -5582 +5605 @@
            ZwReadFile with a different eax value.  We figure the syscall number
            by inspecting ZwQueryVolumeInformationFile as it's the next number. */
-# ifdef RT_ARCH_X86
+#  ifdef RT_ARCH_X86
         uint8_t const *pbCode = (uint8_t const *)(uintptr_t)ZwQueryVolumeInformationFile;
         if (*pbCode == 0xb8) /* mov eax, dword */
@@ -5604 +5627 @@
                 case 0xbf: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBE; break; /* just in case */
             }
-# elif defined(RT_ARCH_AMD64)
+#  elif defined(RT_ARCH_AMD64)
         uint8_t const *pbCode = (uint8_t const *)(uintptr_t)ZwRequestWaitReplyPort;
         if (   pbCode[ 0] == 0x48   /* mov rax, rsp */
@@ -5646 +5669 @@
             }
         }
-# endif
+#  endif
     }
     if (!g_pfnNtQueryVirtualMemory)
@@ -5654 +5677 @@
     }
 
-# ifdef VBOX_STRICT
+# else  /* !VBOX_WITH_HARDENING */
+    /* Always present on arm64 and more recent systems. */
+    g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)ZwQueryVirtualMemory;
+# endif /* !VBOX_WITH_HARDENING */
+
+    NTSTATUS rcNt;
+    int      rc;
+
+# ifdef VBOX_WITH_HARDENING
+#  ifdef VBOX_STRICT
     if (   g_uNtVerCombined >= SUP_NT_VER_W70
         && (   g_pfnObGetObjectType == NULL
@@ -5662 +5694 @@
         return STATUS_PROCEDURE_NOT_FOUND;
     }
-# endif
+#  endif
 
     /* LPC object type. */
@@ -5668 +5700 @@
 
     /* The spinlock protecting our structures. */
-    int rc = RTSpinlockCreate(&g_hNtProtectLock, RTSPINLOCK_FLAGS_INTERRUPT_UNSAFE, "NtProtectLock");
+    rc = RTSpinlockCreate(&g_hNtProtectLock, RTSPINLOCK_FLAGS_INTERRUPT_UNSAFE, "NtProtectLock");
     if (RT_FAILURE(rc))
         return VBoxDrvNtErr2NtStatus(rc);
     g_NtProtectTree = NULL;
-
-    NTSTATUS rcNt;
 
     /* The mutex protecting the error information. */
@@ -5680 +5710 @@
     if (RT_SUCCESS(rc))
     {
+# endif /* VBOX_WITH_HARDENING */
         /* Image stuff + certificates. */
         rc = supHardenedWinInitImageVerifier(NULL);
         if (RT_SUCCESS(rc))
         {
+# ifdef VBOX_WITH_HARDENING
             /*
              * Intercept process creation and termination.
@@ -5745 +5777 @@
                         if (NT_SUCCESS(rcNt))
                         {
+# endif /* VBOX_WITH_HARDENING */
                             /*
                              * Happy ending.
                              */
                             return STATUS_SUCCESS;
+# ifdef VBOX_WITH_HARDENING
                         }
                     }
@@ -5801 +5835 @@
             }
             supHardenedWinTermImageVerifier();
+# endif /* VBOX_WITH_HARDENING */
         }
         else
             rcNt = VBoxDrvNtErr2NtStatus(rc);
 
+# ifdef VBOX_WITH_HARDENING
         RTSemMutexDestroy(g_hErrorInfoLock);
         g_hErrorInfoLock = NIL_RTSEMMUTEX;
@@ -5813 +5849 @@
     RTSpinlockDestroy(g_hNtProtectLock);
     g_NtProtectTree = NIL_RTSPINLOCK;
+# endif
     return rcNt;
 }
 
-#endif /* VBOX_WITH_HARDENING */
-
+#endif /* VBOX_WITH_HARDENING || VBOX_WITH_MINIMAL_HARDENING */
+

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -74 +74 @@
 #endif
 
+#ifdef VBOX_WITH_MINIMAL_HARDENING
+# define IMAGE_LOG_NAME_FMT         "%ls"
+# define IMAGE_LOG_NAME(pImage)     ((pImage)->Name.awcBuffer)
+#else
+# define IMAGE_LOG_NAME_FMT         "%s"
+# define IMAGE_LOG_NAME(pImage)     ((pImage)->pszName)
+#endif
 
 
@@ -104 +111 @@
     uintptr_t       cbImage;
 
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     /** The name from the allowed lists. */
     const char     *pszName;
+#endif
     /** Name structure for NtQueryVirtualMemory/MemorySectionName. */
     struct
@@ -256 +265 @@
     "tstRTR0TimerDriver.exe",
     "tstSSM.exe",
+    "tstInt.exe",
 };
 
@@ -484 +494 @@
         if (!NT_SUCCESS(rcNt))
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_READ_ERROR,
-                                       "%s: Error reading %#x bytes at %p (rva %#x, #%u, %.8s) from memory: %#x",
-                                       pImage->pszName, cbThis, pImage->uImageBase + uRva, uRva, iSh + 1,
+                                       IMAGE_LOG_NAME_FMT ": Error reading %#x bytes at %p (rva %#x, #%u, %.8s) from memory: %#x",
+                                       IMAGE_LOG_NAME(pImage), cbThis, pImage->uImageBase + uRva, uRva, iSh + 1,
                                        iSh >= 0 ? (char *)pThis->aSecHdrs[iSh].Name : "headers", rcNt);
 
@@ -492 +502 @@
         {
             const char *pachSectNm = iSh >= 0 ? (char *)pThis->aSecHdrs[iSh].Name : "headers";
-            SUP_DPRINTF(("%s: Differences in section #%u (%s) between file and memory:\n", pImage->pszName, iSh + 1, pachSectNm));
+            SUP_DPRINTF((IMAGE_LOG_NAME_FMT ": Differences in section #%u (%s) between file and memory:\n",
+                         IMAGE_LOG_NAME(pImage), iSh + 1, pachSectNm));
 
             uint32_t off = 0;
@@ -521 +532 @@
                 else
                     return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_VS_FILE_MISMATCH,
-                                               "%s: Failed to restore %#x bytes at %p (%#x, #%u, %s): %#x (cDiffs=%#x, first=%#x)",
-                                               pImage->pszName, cbThis, pvRestoreAddr, uRva, iSh + 1, pachSectNm, rcNt,
+                                               IMAGE_LOG_NAME_FMT  ": Failed to restore %#x bytes at %p (%#x, #%u, %s): %#x (cDiffs=%#x, first=%#x)",
+                                               IMAGE_LOG_NAME(pImage), cbThis, pvRestoreAddr, uRva, iSh + 1, pachSectNm, rcNt,
                                                cDiffs, uRva + off);
             }
@@ -528 +539 @@
 #endif /* IN_RING3 */
                 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_VS_FILE_MISMATCH,
-                                           "%s: %u differences between %#x and %#x in #%u (%.8s), first: %02x != %02x",
-                                           pImage->pszName, cDiffs, uRva + off, uRva + offLast, iSh + 1,
+                                           IMAGE_LOG_NAME_FMT ": %u differences between %#x and %#x in #%u (%.8s), first: %02x != %02x",
+                                           IMAGE_LOG_NAME(pImage), cDiffs, uRva + off, uRva + offLast, iSh + 1,
                                            pachSectNm, pbFile[off], pbMemory[off]);
         }
@@ -567 +578 @@
                     || pImage->aRegions[i].fProt != PAGE_WRITECOPY))
                 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SECTION_PROTECTION_MISMATCH,
-                                           "%s: RVA range %#x-%#x protection is %#x, expected %#x. (cb=%#x)",
-                                           pImage->pszName, uRva, uRva + cbLeft - 1, pImage->aRegions[i].fProt, fProt, cb);
+                                           IMAGE_LOG_NAME_FMT ": RVA range %#x-%#x protection is %#x, expected %#x. (cb=%#x)",
+                                           IMAGE_LOG_NAME(pImage), uRva, uRva + cbLeft - 1, pImage->aRegions[i].fProt, fProt, cb);
             if (cbLeft >= cb)
                 return VINF_SUCCESS;
@@ -589 +600 @@
 
     return supHardNtVpSetInfo2(pThis, cbOrg == cb ? VERR_SUP_VP_SECTION_NOT_MAPPED : VERR_SUP_VP_SECTION_NOT_FULLY_MAPPED,
-                               "%s: RVA range %#x-%#x is not mapped?", pImage->pszName, uRva, uRva + cb - 1);
-}
-
+                               IMAGE_LOG_NAME_FMT ": RVA range %#x-%#x is not mapped?", IMAGE_LOG_NAME(pImage), uRva, uRva + cb - 1);
+}
+
+#ifndef VBOX_WITH_MINIMAL_HARDENING
 
 DECLINLINE(bool) supHardNtVpIsModuleNameMatch(PSUPHNTVPIMAGE pImage, const char *pszModule)
@@ -658 +670 @@
 }
 
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
+
 
 /**
@@ -665 +679 @@
                                               PRTLDRADDR pValue, void *pvUser)
 {
+    /*SUP_DPRINTF(("supHardNtVpGetImport: %s / %#x / %s.\n", pszModule, uSymbol, pszSymbol));*/
+    PSUPHNTVPSTATE const pThis = (PSUPHNTVPSTATE)pvUser;
+
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     RT_NOREF1(hLdrMod);
-    /*SUP_DPRINTF(("supHardNtVpGetImport: %s / %#x / %s.\n", pszModule, uSymbol, pszSymbol));*/
-    PSUPHNTVPSTATE pThis = (PSUPHNTVPSTATE)pvUser;
 
     int rc = VERR_MODULE_NOT_FOUND;
@@ -738 +754 @@
                      uSymbol, pszSymbol, pszModule, rc));
     return rc;
+
+#else  /* VBOX_WITH_MINIMAL_HARDENING */
+    /*
+     * We don't care about correct imports here, as we will skip the import
+     * table while comparing image bits.  (If we wanted to produce correct
+     * imports, we'd have to track all the DLLs in the process, which would be
+     * bothersome and expensive while not really gaining any better certainty
+     * that we are actually executing the image we're looking at.)
+     */
+    RT_NOREF(hLdrMod, pszModule, pszSymbol, uSymbol);
+    *pValue = pThis->aImages[0].uImageBase - PAGE_SIZE;
+    return VINF_SUCCESS;
+#endif /* VBOX_WITH_MINIMAL_HARDENING */
 }
 
@@ -759 +788 @@
     if (RT_FAILURE(rc))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_HDR_READ_ERROR,
-                                   "%s: Error reading image header: %Rrc", pImage->pszName, rc);
+                                   IMAGE_LOG_NAME_FMT ": Error reading image header: %Rrc", IMAGE_LOG_NAME(pImage), rc);
 
     uint32_t offNtHdrs = 0;
@@ -768 +797 @@
         if (offNtHdrs > 512 || offNtHdrs < sizeof(*pDosHdr))
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_MZ_OFFSET,
-                                       "%s: Unexpected e_lfanew value: %#x", pImage->pszName, offNtHdrs);
+                                       IMAGE_LOG_NAME_FMT ": Unexpected e_lfanew value: %#x", IMAGE_LOG_NAME(pImage), offNtHdrs);
     }
     PIMAGE_NT_HEADERS   pNtHdrs   = (PIMAGE_NT_HEADERS)&pThis->abFile[offNtHdrs];
@@ -774 +803 @@
     if (pNtHdrs->Signature != IMAGE_NT_SIGNATURE)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIGNATURE,
-                                   "%s: No PE signature at %#x: %#x", pImage->pszName, offNtHdrs, pNtHdrs->Signature);
+                                   IMAGE_LOG_NAME_FMT ": No PE signature at %#x: %#x", IMAGE_LOG_NAME(pImage), offNtHdrs, pNtHdrs->Signature);
 
     /*
@@ -794 +823 @@
 #endif
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_IMAGE_MACHINE,
-                                   "%s: Unexpected machine: %#x (expected %#x)",
-                                   pImage->pszName, pNtHdrs->FileHeader.Machine, uExpectedMachine);
+                                   IMAGE_LOG_NAME_FMT ": Unexpected machine: %#x (expected %#x)",
+                                   IMAGE_LOG_NAME(pImage), pNtHdrs->FileHeader.Machine, uExpectedMachine);
     bool const fIs32Bit = pNtHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386;
 
     if (pNtHdrs->FileHeader.SizeOfOptionalHeader != (fIs32Bit ? sizeof(IMAGE_OPTIONAL_HEADER32) : sizeof(IMAGE_OPTIONAL_HEADER64)))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER,
-                                   "%s: Unexpected optional header size: %#x",
-                                   pImage->pszName, pNtHdrs->FileHeader.SizeOfOptionalHeader);
+                                   IMAGE_LOG_NAME_FMT ": Unexpected optional header size: %#x",
+                                   IMAGE_LOG_NAME(pImage), pNtHdrs->FileHeader.SizeOfOptionalHeader);
 
     if (pNtHdrs->OptionalHeader.Magic != (fIs32Bit ? IMAGE_NT_OPTIONAL_HDR32_MAGIC : IMAGE_NT_OPTIONAL_HDR64_MAGIC))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER,
-                                   "%s: Unexpected optional header magic: %#x", pImage->pszName, pNtHdrs->OptionalHeader.Magic);
+                                   IMAGE_LOG_NAME_FMT ": Unexpected optional header magic: %#x", IMAGE_LOG_NAME(pImage), pNtHdrs->OptionalHeader.Magic);
 
     uint32_t cDirs = (fIs32Bit ? pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes : pNtHdrs->OptionalHeader.NumberOfRvaAndSizes);
     if (cDirs != IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER,
-                                   "%s: Unexpected data dirs: %#x", pImage->pszName, cDirs);
+                                   IMAGE_LOG_NAME_FMT ": Unexpected data dirs: %#x", IMAGE_LOG_NAME(pImage), cDirs);
 
     /*
@@ -818 +847 @@
     if (cSections > RT_ELEMENTS(pThis->aSecHdrs))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_SECTIONS,
-                                   "%s: Too many section headers: %#x", pImage->pszName, cSections);
+                                   IMAGE_LOG_NAME_FMT ": Too many section headers: %#x", IMAGE_LOG_NAME(pImage), cSections);
     suplibHardenedMemCopy(pThis->aSecHdrs, (fIs32Bit ? (void *)(pNtHdrs32 + 1) : (void *)(pNtHdrs + 1)),
                           cSections * sizeof(IMAGE_SECTION_HEADER));
@@ -825 +854 @@
     if (uImageBase & PAGE_OFFSET_MASK)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_BASE,
-                                   "%s: Invalid image base: %p", pImage->pszName, uImageBase);
+                                   IMAGE_LOG_NAME_FMT ": Invalid image base: %p", IMAGE_LOG_NAME(pImage), uImageBase);
 
     uint32_t  const cbImage    = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfImage : pNtHdrs->OptionalHeader.SizeOfImage;
@@ -840 +869 @@
         if (pImage->cbImage < cbImagePgAligned)
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-                                       "%s: SizeOfImage (%#x) is larger than the mapping size (%#x)",
-                                       pImage->pszName, cbImage, pImage->cbImage);
+                                       IMAGE_LOG_NAME_FMT ": SizeOfImage (%#x) is larger than the mapping size (%#x)",
+                                       IMAGE_LOG_NAME(pImage), cbImage, pImage->cbImage);
 
         /* This code has to be paranoid, so we must put some kind of limit on this extra
@@ -847 +876 @@
         if (pImage->cbImage > cbImagePgAligned + _64K)
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-                                       "%s: SizeOfImage (%#x) isn't close enough to the mapping size (%#x) - diff %#x bytes; max expected is 64KB",
-                                       pImage->pszName, cbImage, pImage->cbImage, pImage->cbImage - cbImage);
+                                       IMAGE_LOG_NAME_FMT ": SizeOfImage (%#x) isn't close enough to the mapping size (%#x) - diff %#x bytes; max expected is 64KB",
+                                       IMAGE_LOG_NAME(pImage), cbImage, pImage->cbImage, pImage->cbImage - cbImage);
 
         /* Locate the mapping region for the extra pages: */
         if (pImage->cRegions <= 1)
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-                                       "%s: SizeOfImage (%#x) is smaller than the mapping size (%#x) and there are less than two mapping regions!",
-                                       pImage->pszName, cbImage, pImage->cbImage);
+                                       IMAGE_LOG_NAME_FMT ": SizeOfImage (%#x) is smaller than the mapping size (%#x) and there are less than two mapping regions!",
+                                       IMAGE_LOG_NAME(pImage), cbImage, pImage->cbImage);
         uint32_t iRegion = pImage->cRegions - 1;
         while (iRegion > 0 && pImage->aRegions[iRegion].uRva > cbImagePgAligned)
@@ -860 +889 @@
         if (pImage->aRegions[iRegion].uRva != cbImagePgAligned)
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-                                       "%s: SizeOfImage (%#x) is smaller than the mapping size (%#x) and we cannot locate the region(s) for the extra space! (iRegion=%d: uRva=%#x, expected %#x)",
-                                       pImage->pszName, cbImage, pImage->cbImage, iRegion, pImage->aRegions[iRegion].uRva,
+                                       IMAGE_LOG_NAME_FMT ": SizeOfImage (%#x) is smaller than the mapping size (%#x) and we cannot locate the region(s) for the extra space! (iRegion=%d: uRva=%#x, expected %#x)",
+                                       IMAGE_LOG_NAME(pImage), cbImage, pImage->cbImage, iRegion, pImage->aRegions[iRegion].uRva,
                                        cbImagePgAligned);
 
@@ -868 +897 @@
             if (pImage->aRegions[i].fProt & PAGE_EXECUTE_READWRITE)
                 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-                                           "%s: SizeOfImage (%#x) is smaller than the mapping size (%#x) and extra page %#x LB %#x are RWX (%#x)!",
-                                           pImage->pszName, cbImage, pImage->cbImage,
+                                           IMAGE_LOG_NAME_FMT ": SizeOfImage (%#x) is smaller than the mapping size (%#x) and extra page %#x LB %#x are RWX (%#x)!",
+                                           IMAGE_LOG_NAME(pImage), cbImage, pImage->cbImage,
                                            pImage->aRegions[i].uRva, pImage->aRegions[i].cb, pImage->aRegions[i].fProt);
         /** @todo more restrictions on this? */
@@ -876 +905 @@
     if (cbImage != RTLdrSize(pImage->pCacheEntry->hLdrMod))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
-                                   "%s: SizeOfImage (%#x) differs from what RTLdrSize returns (%#zx)",
-                                   pImage->pszName, cbImage, RTLdrSize(pImage->pCacheEntry->hLdrMod));
+                                   IMAGE_LOG_NAME_FMT ": SizeOfImage (%#x) differs from what RTLdrSize returns (%#zx)",
+                                   IMAGE_LOG_NAME(pImage), cbImage, RTLdrSize(pImage->pCacheEntry->hLdrMod));
 
     uint32_t const cbSectAlign = fIs32Bit ? pNtHdrs32->OptionalHeader.SectionAlignment : pNtHdrs->OptionalHeader.SectionAlignment;
@@ -884 +913 @@
         || cbSectAlign > (pImage->fApiSetSchemaOnlySection1 ? _64K : (uint32_t)PAGE_SIZE) )
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_ALIGNMENT_VALUE,
-                                   "%s: Unexpected SectionAlignment value: %#x", pImage->pszName, cbSectAlign);
+                                   IMAGE_LOG_NAME_FMT ": Unexpected SectionAlignment value: %#x", IMAGE_LOG_NAME(pImage), cbSectAlign);
 
     uint32_t const cbFileAlign = fIs32Bit ? pNtHdrs32->OptionalHeader.FileAlignment : pNtHdrs->OptionalHeader.FileAlignment;
     if (!RT_IS_POWER_OF_TWO(cbFileAlign) || cbFileAlign < 512 || cbFileAlign > PAGE_SIZE || cbFileAlign > cbSectAlign)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_FILE_ALIGNMENT_VALUE,
-                                   "%s: Unexpected FileAlignment value: %#x (cbSectAlign=%#x)",
-                                   pImage->pszName, cbFileAlign, cbSectAlign);
+                                   IMAGE_LOG_NAME_FMT ": Unexpected FileAlignment value: %#x (cbSectAlign=%#x)",
+                                   IMAGE_LOG_NAME(pImage), cbFileAlign, cbSectAlign);
 
     uint32_t  const cbHeaders  = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfHeaders : pNtHdrs->OptionalHeader.SizeOfHeaders;
@@ -897 +926 @@
     if (cbHeaders < cbMinHdrs)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS,
-                                   "%s: Headers are too small: %#x < %#x (cSections=%#x)",
-                                   pImage->pszName, cbHeaders, cbMinHdrs, cSections);
+                                   IMAGE_LOG_NAME_FMT ": Headers are too small: %#x < %#x (cSections=%#x)",
+                                   IMAGE_LOG_NAME(pImage), cbHeaders, cbMinHdrs, cSections);
     uint32_t  const cbHdrsFile = RT_ALIGN_32(cbHeaders, cbFileAlign);
     if (cbHdrsFile > sizeof(pThis->abFile))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS,
-                                   "%s: Headers are larger than expected: %#x/%#x (expected max %zx)",
-                                   pImage->pszName, cbHeaders, cbHdrsFile, sizeof(pThis->abFile));
+                                   IMAGE_LOG_NAME_FMT ": Headers are larger than expected: %#x/%#x (expected max %zx)",
+                                   IMAGE_LOG_NAME(pImage), cbHeaders, cbHdrsFile, sizeof(pThis->abFile));
 
     /*
@@ -948 +977 @@
     uint32_t         cSkipAreas = 0;
     SUPHNTVPSKIPAREA aSkipAreas[7];
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     if (pImage->fNtCreateSectionPatch)
     {
@@ -982 +1012 @@
         aSkipAreas[cSkipAreas++].cb = 14;
 
-#ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
+# ifndef VBOX_WITHOUT_HARDENDED_XCPT_LOGGING
         /* Ignore our patched KiUserExceptionDispatcher hack. */
         rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "KiUserExceptionDispatcher", &uValue);
@@ -989 +1019 @@
         aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue + (HC_ARCH_BITS == 64);
         aSkipAreas[cSkipAreas++].cb = HC_ARCH_BITS == 64 ? 13 : 12;
-#endif
+# endif
 
         /* LdrSystemDllInitBlock is filled in by the kernel. It mainly contains addresses of 32-bit ntdll method for wow64. */
@@ -1001 +1031 @@
         Assert(cSkipAreas <= RT_ELEMENTS(aSkipAreas));
     }
+
+#else  /* VBOX_WITH_MINIMAL_HARDENING */
+# if 0 /* This is .rdata stuff, which it turns out contains more random stuff modified via the loadcfg. So, skipping it .rdata. */
+    /* Skip the IAT as we don't process fixups correctly. */
+    uint32_t const offAfterHdrs = offNtHdrs
+                                + (!fIs32Bit ? pNtHdrs->OptionalHeader.SizeOfHeaders : pNtHdrs32->OptionalHeader.SizeOfHeaders);
+    aSkipAreas[cSkipAreas].uRva = !fIs32Bit
+                                ? pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress
+                                : pNtHdrs32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress;
+    aSkipAreas[cSkipAreas].cb   = !fIs32Bit
+                                ? pNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size
+                                : pNtHdrs32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size;
+    if (   aSkipAreas[cSkipAreas].cb   > 0
+        && aSkipAreas[cSkipAreas].cb   < pImage->cbImage / 4
+        && aSkipAreas[cSkipAreas].uRva > offAfterHdrs
+        && aSkipAreas[cSkipAreas].uRva < pImage->cbImage
+        && aSkipAreas[cSkipAreas].uRva + aSkipAreas[cSkipAreas].cb <= pImage->cbImage)
+        cSkipAreas++;
+# endif
+#endif /* VBOX_WITH_MINIMAL_HARDENING */
 
     /*
@@ -1030 +1080 @@
         if (uSectRva < uRva || uSectRva > cbImage || RT_ALIGN_32(uSectRva, cbSectAlign) != uSectRva)
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_RVA,
-                                       "%s: Section %u: Invalid virtual address: %#x (uRva=%#x, cbImage=%#x, cbSectAlign=%#x)",
-                                       pImage->pszName, i, uSectRva, uRva, cbImage, cbSectAlign);
+                                       IMAGE_LOG_NAME_FMT ": Section %u: Invalid virtual address: %#x (uRva=%#x, cbImage=%#x, cbSectAlign=%#x)",
+                                       IMAGE_LOG_NAME(pImage), i, uSectRva, uRva, cbImage, cbSectAlign);
         uint32_t cbMap  = pThis->aSecHdrs[i].Misc.VirtualSize;
         if (cbMap > cbImage || uRva + cbMap > cbImage)
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_VIRTUAL_SIZE,
-                                       "%s: Section %u: Invalid virtual size: %#x (uSectRva=%#x, uRva=%#x, cbImage=%#x)",
-                                       pImage->pszName, i, cbMap, uSectRva, uRva, cbImage);
+                                       IMAGE_LOG_NAME_FMT ": Section %u: Invalid virtual size: %#x (uSectRva=%#x, uRva=%#x, cbImage=%#x)",
+                                       IMAGE_LOG_NAME(pImage), i, cbMap, uSectRva, uRva, cbImage);
         uint32_t cbFile = pThis->aSecHdrs[i].SizeOfRawData;
         if (cbFile != RT_ALIGN_32(cbFile, cbFileAlign) || cbFile > RT_ALIGN_32(cbMap, cbSectAlign))
             return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_FILE_SIZE,
-                                       "%s: Section %u: Invalid file size: %#x (cbMap=%#x, uSectRva=%#x)",
-                                       pImage->pszName, i, cbFile, cbMap, uSectRva);
+                                       IMAGE_LOG_NAME_FMT ": Section %u: Invalid file size: %#x (cbMap=%#x, uSectRva=%#x)",
+                                       IMAGE_LOG_NAME(pImage), i, cbFile, cbMap, uSectRva);
 
         /* Validate the protection and bits. */
@@ -1078 +1128 @@
                 default:
                     return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_SECTION_FLAGS,
-                                               "%s: Section %u: Unexpected characteristics: %#x (uSectRva=%#x, cbMap=%#x)",
-                                               pImage->pszName, i, pThis->aSecHdrs[i].Characteristics, uSectRva, cbMap);
+                                               IMAGE_LOG_NAME_FMT ": Section %u: Unexpected characteristics: %#x (uSectRva=%#x, cbMap=%#x)",
+                                               IMAGE_LOG_NAME(pImage), i, pThis->aSecHdrs[i].Characteristics, uSectRva, cbMap);
             }
 
@@ -1087 +1137 @@
             if (   (   (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
                     && !(pThis->aSecHdrs[i].Characteristics & IMAGE_SCN_MEM_WRITE))
+#ifndef VBOX_WITH_MINIMAL_HARDENING /* only executable segments */
                 || (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)) == IMAGE_SCN_MEM_READ
                 || (pThis->enmKind == SUPHARDNTVPKIND_VERIFY_ONLY && pImage->fDll)
-                || pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION)
+                || pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION
+#endif
+               )
             {
                 rc = VINF_SUCCESS;
@@ -1376 +1429 @@
         cwcDirName--;
 
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     /*
      * Match it against known DLLs.
@@ -1386 +1440 @@
             pImage->fDll    = true;
 
-#ifndef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
+# ifndef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
             /* The directory name must match the one we've got for System32. */
             if (   (   cwcDirName * sizeof(WCHAR) != g_System32NtPath.UniStr.Length
                     || suplibHardenedMemComp(pLongName->Buffer, g_System32NtPath.UniStr.Buffer, cwcDirName * sizeof(WCHAR)) )
-# ifdef VBOX_PERMIT_MORE
+#  ifdef VBOX_PERMIT_MORE
                 && (   pImage->pszName[0] != 'a'
                     || pImage->pszName[1] != 'c'
                     || !supHardViIsAppPatchDir(pLongName->Buffer, pLongName->Length / sizeof(WCHAR)) )
-# endif
+#  endif
                 )
                 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NON_SYSTEM32_DLL,
                                            "Expected %ls to be loaded from %ls.",
                                            pLongName->Buffer, g_System32NtPath.UniStr.Buffer);
-# ifdef VBOX_PERMIT_MORE
+#  ifdef VBOX_PERMIT_MORE
             if (g_uNtVerCombined < SUP_NT_VER_W70 && i >= VBOX_PERMIT_MORE_FIRST_IDX)
                 pImage->pszName = NULL; /* hard limit: user32.dll is unwanted prior to w7. */
-# endif
-
-#endif /* VBOX_PERMIT_VISUAL_STUDIO_PROFILING */
+#  endif
+
+# endif /* VBOX_PERMIT_VISUAL_STUDIO_PROFILING */
             break;
         }
     if (!pImage->pszName)
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
     {
         /*
          * Not a known DLL, is it a known executable?
          */
+#ifdef VBOX_WITH_MINIMAL_HARDENING
+        pImage->fDll = true;
+#endif
         for (uint32_t i = 0; i < RT_ELEMENTS(g_apszSupNtVpAllowedVmExes); i++)
             if (supHardNtVpAreNamesEqual(g_apszSupNtVpAllowedVmExes[i], pwszFilename))
             {
+#ifndef VBOX_WITH_MINIMAL_HARDENING
                 pImage->pszName = g_apszSupNtVpAllowedVmExes[i];
+#endif
                 pImage->fDll    = false;
                 break;
             }
     }
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     if (!pImage->pszName)
     {
@@ -1429 +1490 @@
          * as in "may you live in interesting times".
          */
-#ifdef IN_RING3
+# ifdef IN_RING3
         if (   pMemInfo->AllocationBase == pMemInfo->BaseAddress
             && pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION)
@@ -1447 +1508 @@
             return VINF_OBJECT_DESTROYED;
         }
-#endif
+# endif
         /*
          * Special error message if we can.
@@ -1479 +1540 @@
                                        "Duplicate image entries for %s: %ls and %ls",
                                        pImage->pszName, pImage->Name.UniStr.Buffer, pThis->aImages[i].Name.UniStr.Buffer);
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
 
     /*
@@ -1485 +1547 @@
     if (pMemInfo->AllocationBase != pMemInfo->BaseAddress)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_MAPPING_BASE_ERROR,
-                                   "Invalid AllocationBase/BaseAddress for %s: %p vs %p.",
-                                   pImage->pszName, pMemInfo->AllocationBase, pMemInfo->BaseAddress);
+                                   "Invalid AllocationBase/BaseAddress for " IMAGE_LOG_NAME_FMT ": %p vs %p.",
+                                   IMAGE_LOG_NAME(pImage), pMemInfo->AllocationBase, pMemInfo->BaseAddress);
 
     /*
@@ -1493 +1555 @@
     if (pMemInfo->RegionSize >= _2G)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_LARGE_REGION,
-                                   "Region 0 of image %s is too large: %p.", pImage->pszName, pMemInfo->RegionSize);
+                                   "Region 0 of image " IMAGE_LOG_NAME_FMT " is too large: %p.",
+                                   IMAGE_LOG_NAME(pImage), pMemInfo->RegionSize);
 
     /*
@@ -1506 +1569 @@
     pImage->aRegions[0].fProt   = pMemInfo->Protect;
 
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     if (suplibHardenedStrCmp(pImage->pszName, "ntdll.dll") == 0)
         pImage->fNtCreateSectionPatch = true;
     else if (suplibHardenedStrCmp(pImage->pszName, "apisetschema.dll") == 0)
         pImage->fApiSetSchemaOnlySection1 = true; /** @todo Check the ApiSetMap field in the PEB. */
-#ifdef VBOX_PERMIT_MORE
+# ifdef VBOX_PERMIT_MORE
     else if (suplibHardenedStrCmp(pImage->pszName, "acres.dll") == 0)
         pImage->f32bitResourceDll = true;
-#endif
+# endif
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
 
     return VINF_SUCCESS;
@@ -1534 +1599 @@
     if (pImage->uImageBase != (uintptr_t)pMemInfo->AllocationBase)
         return supHardNtVpSetInfo2(pThis, VERR_SUPLIB_NT_PROCESS_UNTRUSTED_3,
-                                   "Base address mismatch for %s: have %p, found %p for region %p LB %#zx.",
-                                   pImage->pszName, pImage->uImageBase, pMemInfo->AllocationBase,
+                                   "Base address mismatch for " IMAGE_LOG_NAME_FMT ": have %p, found %p for region %p LB %#zx.",
+                                   IMAGE_LOG_NAME(pImage), pImage->uImageBase, pMemInfo->AllocationBase,
                                    pMemInfo->BaseAddress, pMemInfo->RegionSize);
 
@@ -1544 +1609 @@
     if (pMemInfo->RegionSize >= _2G)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_LARGE_REGION,
-                                   "Region %u of image %s is too large: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva);
+                                   "Region %u of image " IMAGE_LOG_NAME_FMT " is too large: %p/%p.",
+                                   IMAGE_LOG_NAME(pImage), pMemInfo->RegionSize, uRva);
     if (uRva >= _2G)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_HIGH_REGION_RVA,
-                                   "Region %u of image %s is too high: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva);
+                                   "Region %u of image " IMAGE_LOG_NAME_FMT " is too high: %p/%p.",
+                                   IMAGE_LOG_NAME(pImage), pMemInfo->RegionSize, uRva);
 
 
@@ -1556 +1623 @@
     if (iRegion + 1 >= RT_ELEMENTS(pImage->aRegions))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_IMAGE_REGIONS,
-                                   "Too many regions for %s.", pImage->pszName);
+                                   "Too many regions for " IMAGE_LOG_NAME_FMT ".", IMAGE_LOG_NAME(pImage));
     pImage->aRegions[iRegion].uRva  = (uint32_t)uRva;
     pImage->aRegions[iRegion].cb    = (uint32_t)pMemInfo->RegionSize;
@@ -1818 +1885 @@
     uintptr_t   cbAdvance = 0;
     uintptr_t   uPtrWhere = 0;
-#ifdef VBOX_PERMIT_VERIFIER_DLL
+#if defined(VBOX_PERMIT_VERIFIER_DLL) || defined(VBOX_WITH_MINIMAL_HARDENING)
     for (uint32_t i = 0; i < 10240; i++)
 #else
@@ -1882 +1949 @@
             if (fNew)
             {
+#ifdef VBOX_WITH_MINIMAL_HARDENING
+                /* Prune non-executable images before trying to add another. We only want the executable. */
+                if (iImg > 0 && pThis->aImages[iImg - 1].fDll)
+                {
+                    pThis->cImages = --iImg;
+                    RT_ZERO(pThis->aImages[iImg]);
+                    pThis->aImages[iImg].Name = pThis->aImages[iImg + 1].Name;
+                    pThis->aImages[iImg].Name.UniStr.Buffer = pThis->aImages[iImg].Name.awcBuffer;
+                }
+#endif
                 int rc = supHardNtVpNewImage(pThis, &pThis->aImages[iImg], &MemInfo);
                 if (RT_SUCCESS(rc))
@@ -2336 +2413 @@
         PSUPHNTVPIMAGE pImage = &pThis->aImages[i];
 
+#ifdef VBOX_WITH_MINIMAL_HARDENING
+        /* Only the process executable image is verified here, so don't bother open all the other ones. */
+        if (pImage->fDll)
+            continue;
+#endif
+
 #ifdef IN_RING3
         /*
@@ -2358 +2441 @@
 #endif
 
-        int rc = supHardNtLdrCacheNewEntry(pImage->pCacheEntry, pImage->pszName, &pImage->Name.UniStr,
+#ifndef VBOX_WITH_MINIMAL_HARDENING
+        const char * const pszName = pImage->pszName;
+#else
+        const char * const pszName = "ignored.exe";
+#endif
+        int rc = supHardNtLdrCacheNewEntry(pImage->pCacheEntry, pszName, &pImage->Name.UniStr,
                                            pImage->fDll, pImage->f32bitResourceDll, pThis->pErrInfo);
         if (RT_FAILURE(rc))
@@ -2486 +2574 @@
 
 
+#ifndef VBOX_WITH_MINIMAL_HARDENING
 /**
  * Check the integrity of the DLLs found in the process.
@@ -2548 +2637 @@
     return VINF_SUCCESS;
 }
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
 
 
@@ -2683 +2773 @@
                                             uint32_t *pcFixes, PRTERRINFO pErrInfo)
 {
+    RT_NOREF(hThread);
     if (pcFixes)
         *pcFixes = 0;
@@ -2691 +2782 @@
      */
     int rc = VINF_SUCCESS;
+#ifndef VBOX_WITH_MINIMAL_HARDENING
     if (   enmKind != SUPHARDNTVPKIND_CHILD_PURIFICATION
         && enmKind != SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
@@ -2697 +2789 @@
         rc = supHardNtVpDebugger(hProcess, pErrInfo);
     if (RT_SUCCESS(rc))
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
     {
         /*
@@ -2718 +2811 @@
             if (RT_SUCCESS(rc))
                 rc = supHardNtVpCheckExe(pThis);
+#ifndef VBOX_WITH_MINIMAL_HARDENING
             if (RT_SUCCESS(rc))
                 rc = supHardNtVpCheckDlls(pThis);
-#ifdef IN_RING3
+# ifdef IN_RING3
             if (enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
                 rc = supHardNtVpCheckHandles(pThis);
-#endif
+# endif
+#endif /* !VBOX_WITH_MINIMAL_HARDENING */
+
 
             if (pcFixes)