Changeset 52030 in vbox for trunk/src/VBox/HostDrivers

Timestamp:

Jul 15, 2014 7:28:25 AM (10 years ago)

Author:

vboxsync

Message:

Forward ported r95010 from 4.3

Location:

trunk/src/VBox/HostDrivers/Support

Files:

• Makefile.kmk (modified) (3 diffs)
• win/SUPHardenedVerify-win.h (modified) (2 diffs)
• win/SUPHardenedVerifyImage-win.cpp (modified) (4 diffs)
• win/SUPHardenedVerifyProcess-win.cpp (modified) (15 diffs)
• win/SUPR3HardenedMain-win.cpp (modified) (1 diff)

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -137 +137 @@
 # The Ring-3 Support Library (this is linked into the IPRT dll, VBoxRT).
 #
-SUPR3_TEMPLATE      = VBOXR3NP
+SUPR3_TEMPLATE      = VBOXR3
 SUPR3_DEFS          = \
         IN_SUP_R3 IN_RT_R3 \
         $(if $(VBOX_WITH_SUPSVC),VBOX_WITH_SUPSVC) \
         $(if $(VBOX_WITH_MAIN),VBOX_WITH_MAIN,) \
-        $(if $(VBOX_WITH_RAW_MODE),VBOX_WITH_RAW_MODE,)
+        $(if $(VBOX_WITH_RAW_MODE),VBOX_WITH_RAW_MODE,) \
+        VBOX_PERMIT_MORE
 SUPR3_INCS         := $(PATH_SUB_CURRENT)
 SUPR3_SOURCES       = \
@@ -183 +184 @@
         $(if $(VBOX_WITH_RAW_MODE),VBOX_WITH_RAW_MODE,) \
         $(if $(VBOX_WITHOUT_DEBUGGER_CHECKS),VBOX_WITHOUT_DEBUGGER_CHECKS,) \
-        $(if $(VBOX_PERMIT_VISUAL_STUDIO_PROFILING),VBOX_PERMIT_VISUAL_STUDIO_PROFILING,)
+        $(if $(VBOX_PERMIT_VISUAL_STUDIO_PROFILING),VBOX_PERMIT_VISUAL_STUDIO_PROFILING,) \
+        VBOX_PERMIT_MORE
 ifdef VBOX_WITH_VISTA_NO_SP
  SUPR3HardenedStatic_DEFS.win += VBOX_WITH_VISTA_NO_SP
@@ -535 +537 @@
   VBoxDrv_DEFS           += VBOX_PERMIT_VISUAL_STUDIO_PROFILING
  endif
+ VBoxDrv_DEFS            += VBOX_PERMIT_MORE
  #VBoxDrv_DEFS.debug      += DEBUG_DARWIN_GIP
  VBoxDrv_DEFS.darwin     := VBOX_WITH_HOST_VMX

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h

@@ -39 +39 @@
 DECLHIDDEN(int)      supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo);
 
+DECLHIDDEN(bool)     supHardViIsAppPatchDir(PCRTUTF16 pwszPath, uint32_t cwcName);
 DECLHIDDEN(int)      supHardenedWinVerifyImageByHandle(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, bool *pfCacheable, PRTERRINFO pErrInfo);
 DECLHIDDEN(int)      supHardenedWinVerifyImageByHandleNoName(HANDLE hFile, uint32_t fFlags, PRTERRINFO pErrInfo);
@@ -52 +53 @@
 /** Whether to allow image verification by catalog file. */
 #  define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION    RT_BIT(3)
+/** Resource image, could be any bitness. */
+#  define SUPHNTVI_F_RESOURCE_IMAGE                 RT_BIT(30)
 /** Raw-mode context image, always 32-bit. */
 #  define SUPHNTVI_F_RC_IMAGE                       RT_BIT(31)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -511 +511 @@
 
 
+#ifdef VBOX_PERMIT_MORE
+/**
+ * Checks if the path goes into %windir%\apppatch\.
+ *
+ * @returns true if apppatch, false if not.
+ * @param   pwszPath        The path to examine.
+ */
+DECLHIDDEN(bool) supHardViIsAppPatchDir(PCRTUTF16 pwszPath, uint32_t cwcName)
+{
+    uint32_t cwcWinDir = (g_System32NtPath.UniStr.Length - sizeof(L"System32")) / sizeof(WCHAR);
+
+    if (cwcName <= cwcWinDir + sizeof("AppPatch"))
+        return false;
+
+    if (memcmp(pwszPath, g_System32NtPath.UniStr.Buffer, cwcWinDir * sizeof(WCHAR)))
+        return false;
+
+    if (!supHardViUtf16PathStartsWith(&pwszPath[cwcWinDir], "\\AppPatch\\"))
+        return false;
+
+    return g_uNtVerCombined >= SUP_NT_VER_VISTA;
+}
+#else
+# error should not get here..
+#endif
+
+
+
 /**
  * Checks if the unsigned DLL is fine or not.
@@ -571 +599 @@
         if (supHardViUtf16PathIsEqual(pwsz, "apphelp.dll"))
             return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc;
-        if (supHardViUtf16PathIsEqual(pwsz, "sfc.dll"))
-            return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc;
+#ifdef VBOX_PERMIT_MORE
+        if (uNtVer >= SUP_NT_VER_W70) /* hard limit: user32.dll is unwanted prior to w7. */
+        {
+            if (supHardViUtf16PathIsEqual(pwsz, "sfc.dll"))
+                return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc;
+            if (supHardViUtf16PathIsEqual(pwsz, "sfc_os.dll"))
+                return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc;
+            if (supHardViUtf16PathIsEqual(pwsz, "user32.dll"))
+                return uNtVer < SUP_NT_VER_W81 ? VINF_LDRVI_NOT_SIGNED : rc;
+        }
+#endif
 
 #ifndef IN_RING0
@@ -653 +690 @@
         return rc;
     }
+#endif
+
+#ifdef VBOX_PERMIT_MORE
+    /*
+     * AppPatch whitelist.
+     */
+    if (supHardViIsAppPatchDir(pwszName, cwcName))
+    {
+        cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR); /* ASSUMES System32 is called System32. */
+        pwsz = pwszName + cwcOther + 1;
+
+        if (supHardViUtf16PathIsEqual(pwsz, "acres.dll"))
+            return VINF_LDRVI_NOT_SIGNED;
+
+# ifdef RT_ARCH_AMD64
+        if (supHardViUtf16PathIsEqual(pwsz, "AppPatch64\\AcGenral.dll"))
+            return VINF_LDRVI_NOT_SIGNED;
+# elif defined(RT_ARCH_X86)
+        if (supHardViUtf16PathIsEqual(pwsz, "AcGenral.dll"))
+            return VINF_LDRVI_NOT_SIGNED;
+# endif
+
+        return rc;
+    }
+#else
+# error should not be here...
 #endif
 
@@ -855 +918 @@
          */
         RTLDRMOD hLdrMod;
-        rc = RTLdrOpenWithReader(&pNtViRdr->Core, RTLDR_O_FOR_VALIDATION,
-                                 fFlags & SUPHNTVI_F_RC_IMAGE ? RTLDRARCH_X86_32 : RTLDRARCH_HOST,
-                                 &hLdrMod, pErrInfo);
+        RTLDRARCH enmArch = fFlags & SUPHNTVI_F_RC_IMAGE ? RTLDRARCH_X86_32 : RTLDRARCH_HOST;
+        if (fFlags & SUPHNTVI_F_RESOURCE_IMAGE)
+            enmArch = RTLDRARCH_WHATEVER;
+        rc = RTLdrOpenWithReader(&pNtViRdr->Core, RTLDR_O_FOR_VALIDATION, enmArch, &hLdrMod, pErrInfo);
         if (RT_SUCCESS(rc))
         {

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -106 +106 @@
      * content.  The hack means that we only check if the 1st section is mapped. */
     bool            fApiSetSchemaOnlySection1;
+    /** This may be a 32-bit resource DLL. */
+    bool            f32bitResourceDll;
 } SUPHNTVPIMAGE;
 /** Pointer to image info from the virtual address space scan. */
@@ -123 +125 @@
      * more so we can get the image name of the first unwanted DLL. */
     SUPHNTVPIMAGE           aImages[1 + 6 + 1
+#ifdef VBOX_PERMIT_MORE
+                                    + 5
+#endif
 #ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
                                     + 16
@@ -154 +159 @@
     "apphelp.dll",
     "apisetschema.dll",
+#ifdef VBOX_PERMIT_MORE
+# define VBOX_PERMIT_MORE_FIRST_IDX 5
     "sfc.dll",
+    "sfc_os.dll",
+    "user32.dll",
+    "acres.dll",
+    "acgenral.dll",
+#endif
 #ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
     "psapi.dll",
@@ -409 +421 @@
                                        "%s: Unexpected e_lfanew value: %#x", pImage->pszName, offNtHdrs);
     }
-    PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)&pThis->abFile[offNtHdrs];
+    PIMAGE_NT_HEADERS   pNtHdrs   = (PIMAGE_NT_HEADERS)&pThis->abFile[offNtHdrs];
+    PIMAGE_NT_HEADERS32 pNtHdrs32 = (PIMAGE_NT_HEADERS32)pNtHdrs;
     if (pNtHdrs->Signature != IMAGE_NT_SIGNATURE)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIGNATURE,
@@ -418 +431 @@
      */
 #ifdef RT_ARCH_AMD64
-    if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64)
+    if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64 && !pImage->f32bitResourceDll)
 #else
     if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_I386)
@@ -424 +437 @@
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_IMAGE_MACHINE,
                                    "%s: Unexpected machine: %#x", pImage->pszName, pNtHdrs->FileHeader.Machine);
-
-    if (pNtHdrs->FileHeader.SizeOfOptionalHeader != sizeof(pNtHdrs->OptionalHeader))
+    bool const fIs32Bit = pNtHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386;
+
+    if (pNtHdrs->FileHeader.SizeOfOptionalHeader != (fIs32Bit ? sizeof(IMAGE_OPTIONAL_HEADER32) : sizeof(IMAGE_OPTIONAL_HEADER64)))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER,
                                    "%s: Unexpected optional header size: %#x",
                                    pImage->pszName, pNtHdrs->FileHeader.SizeOfOptionalHeader);
 
-    if (pNtHdrs->OptionalHeader.Magic != RT_CONCAT3(IMAGE_NT_OPTIONAL_HDR,ARCH_BITS,_MAGIC))
+    if (pNtHdrs->OptionalHeader.Magic != (fIs32Bit ? IMAGE_NT_OPTIONAL_HDR32_MAGIC : IMAGE_NT_OPTIONAL_HDR64_MAGIC))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER,
                                    "%s: Unexpected optional header magic: %#x", pImage->pszName, pNtHdrs->OptionalHeader.Magic);
-    if (pNtHdrs->OptionalHeader.NumberOfRvaAndSizes != IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
+
+    uint32_t cDirs = (fIs32Bit ? pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes : pNtHdrs->OptionalHeader.NumberOfRvaAndSizes);
+    if (cDirs != IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER,
-                                   "%s: Unexpected data dirs: %#x", pImage->pszName, pNtHdrs->OptionalHeader.NumberOfRvaAndSizes);
+                                   "%s: Unexpected data dirs: %#x", pImage->pszName, cDirs);
 
     /*
@@ -444 +460 @@
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_SECTIONS,
                                    "%s: Too many section headers: %#x", pImage->pszName, cSections);
-    suplibHardenedMemCopy(pThis->aSecHdrs, pNtHdrs + 1, cSections * sizeof(IMAGE_SECTION_HEADER));
-
-    uintptr_t const uImageBase = pNtHdrs->OptionalHeader.ImageBase;
+    suplibHardenedMemCopy(pThis->aSecHdrs, (fIs32Bit ? (void *)(pNtHdrs32 + 1) : (void *)(pNtHdrs + 1)),
+                          cSections * sizeof(IMAGE_SECTION_HEADER));
+
+    uintptr_t const uImageBase = fIs32Bit ? pNtHdrs32->OptionalHeader.ImageBase : pNtHdrs->OptionalHeader.ImageBase;
     if (uImageBase & PAGE_OFFSET_MASK)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_BASE,
                                    "%s: Invalid image base: %p", pImage->pszName, uImageBase);
 
-    uint32_t  const cbImage    = pNtHdrs->OptionalHeader.SizeOfImage;
+    uint32_t  const cbImage    = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfImage : pNtHdrs->OptionalHeader.SizeOfImage;
     if (RT_ALIGN_32(pImage->cbImage, PAGE_SIZE) != RT_ALIGN_32(cbImage, PAGE_SIZE) && !pImage->fApiSetSchemaOnlySection1)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE,
@@ -457 +474 @@
                                    pImage->pszName, cbImage, pImage->cbImage);
 
-    uint32_t const cbSectAlign = pNtHdrs->OptionalHeader.SectionAlignment;
+    uint32_t const cbSectAlign = fIs32Bit ? pNtHdrs32->OptionalHeader.SectionAlignment : pNtHdrs->OptionalHeader.SectionAlignment;
     if (   !RT_IS_POWER_OF_TWO(cbSectAlign)
         || cbSectAlign < PAGE_SIZE
@@ -464 +481 @@
                                    "%s: Unexpected SectionAlignment value: %#x", pImage->pszName, cbSectAlign);
 
-    uint32_t const cbFileAlign = pNtHdrs->OptionalHeader.FileAlignment;
+    uint32_t const cbFileAlign = fIs32Bit ? pNtHdrs32->OptionalHeader.FileAlignment : pNtHdrs->OptionalHeader.FileAlignment;
     if (!RT_IS_POWER_OF_TWO(cbFileAlign) || cbFileAlign < 512 || cbFileAlign > PAGE_SIZE || cbFileAlign > cbSectAlign)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_FILE_ALIGNMENT_VALUE,
@@ -470 +487 @@
                                    pImage->pszName, cbFileAlign, cbSectAlign);
 
-    uint32_t  const cbHeaders  = pNtHdrs->OptionalHeader.SizeOfHeaders;
-    uint32_t  const cbMinHdrs  = offNtHdrs + sizeof(*pNtHdrs) + sizeof(IMAGE_SECTION_HEADER) * cSections;
+    uint32_t  const cbHeaders  = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfHeaders : pNtHdrs->OptionalHeader.SizeOfHeaders;
+    uint32_t  const cbMinHdrs  = offNtHdrs + (fIs32Bit ? sizeof(*pNtHdrs32) : sizeof(*pNtHdrs) )
+                               + sizeof(IMAGE_SECTION_HEADER) * cSections;
     if (cbHeaders < cbMinHdrs)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS,
@@ -494 +512 @@
                                        "%s: Error reading image header from memory: %#x", pImage->pszName, rcNt);
         if (uImageBase != pImage->uImageBase)
-            pNtHdrs->OptionalHeader.ImageBase = pImage->uImageBase;
+        {
+            if (fIs32Bit)
+                pNtHdrs32->OptionalHeader.ImageBase = (uint32_t)pImage->uImageBase;
+            else
+                pNtHdrs->OptionalHeader.ImageBase = pImage->uImageBase;
+        }
 
         rc = supHardNtVpFileMemCompare(pThis, pThis->abFile, pThis->abMemory, cbHeaders, pImage, 0 /*uRva*/);
@@ -508 +531 @@
      */
     pImage->fImageCharecteristics = pNtHdrs->FileHeader.Characteristics;
-    pImage->fDllCharecteristics   = pNtHdrs->OptionalHeader.DllCharacteristics;
+    pImage->fDllCharecteristics   = fIs32Bit ? pNtHdrs32->OptionalHeader.DllCharacteristics : pNtHdrs->OptionalHeader.DllCharacteristics;
 
     /*
@@ -641 +664 @@
      * disk content.
      */
-    int rc = supHardenedWinVerifyImageByHandle(hFile, pImage->Name.UniStr.Buffer,
-                                               pImage->fDll ? 0 : SUPHNTVI_F_REQUIRE_BUILD_CERT,
-                                               NULL /*pfCacheable*/, pThis->pErrInfo);
+    uint32_t fFlags = pImage->fDll ? 0 : SUPHNTVI_F_REQUIRE_BUILD_CERT;
+    if (pImage->f32bitResourceDll)
+        fFlags |= SUPHNTVI_F_RESOURCE_IMAGE;
+    int rc = supHardenedWinVerifyImageByHandle(hFile, pImage->Name.UniStr.Buffer, fFlags, NULL /*pfCacheable*/, pThis->pErrInfo);
     if (RT_SUCCESS(rc))
         rc = supHardNtVpVerifyImageCompareMemory(pThis, pImage, hProcess, hFile, pThis->pErrInfo);
@@ -831 +855 @@
 #ifndef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
             /* The directory name must match the one we've got for System32. */
-            if (   cwcDirName * sizeof(WCHAR) != g_System32NtPath.UniStr.Length
-                || suplibHardenedMemComp(pImage->Name.UniStr.Buffer,
-                                         g_System32NtPath.UniStr.Buffer,
-                                         cwcDirName * sizeof(WCHAR)))
+            if (   (   cwcDirName * sizeof(WCHAR) != g_System32NtPath.UniStr.Length
+                    || suplibHardenedMemComp(pImage->Name.UniStr.Buffer,
+                                            g_System32NtPath.UniStr.Buffer,
+                                            cwcDirName * sizeof(WCHAR)) )
+# ifdef VBOX_PERMIT_MORE
+                && (   pImage->pszName[0] != 'a'
+                    || pImage->pszName[1] != 'c'
+                    || !supHardViIsAppPatchDir(pImage->Name.UniStr.Buffer, pImage->Name.UniStr.Length / sizeof(WCHAR)) )
+# endif
+                )
                 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NON_SYSTEM32_DLL,
                                            "Expected %ls to be loaded from %ls.",
                                            pImage->Name.UniStr.Buffer, g_System32NtPath.UniStr.Buffer);
-#endif
+# ifdef VBOX_PERMIT_MORE
+            if (g_uNtVerCombined < SUP_NT_VER_W70 && i >= VBOX_PERMIT_MORE_FIRST_IDX)
+                pImage->pszName = NULL; /* hard limit: user32.dll is unwanted prior to w7. */
+# endif
+
+#endif /* VBOX_PERMIT_VISUAL_STUDIO_PROFILING */
             break;
         }
@@ -1232 +1267 @@
         else if (suplibHardenedStrCmp(pThis->aImages[i].pszName, "apisetschema.dll") == 0)
             iApiSetSchema = i;
+#ifdef VBOX_PERMIT_MORE
+        else if (suplibHardenedStrCmp(pThis->aImages[i].pszName, "acres.dll") == 0)
+            pThis->aImages[i].f32bitResourceDll = true;
+#endif
     if (iNtDll == UINT32_MAX)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_NTDLL_MAPPING,

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -624 +624 @@
                                g_offSupLibHardenedExeNtName * sizeof(WCHAR)) == 0)
                 fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT;
+#ifdef VBOX_PERMIT_MORE
+            else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION;
+#endif
 #ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING
             /* Hack to allow profiling our code with Visual Studio. */