Changeset 52156 in vbox for trunk/src/VBox/HostDrivers
- Timestamp:
- Jul 23, 2014 6:47:53 PM (10 years ago)
- File:
-
- 1 edited
trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
r52139 r52156 1475 1475 /** Error buffer. */ 1476 1476 PRTERRINFO pErrInfo; 1477 /** The address of NTDLL in the child. */ 1478 uintptr_t uNtDllAddr; 1479 /** The address of NTDLL in this process. */ 1480 uintptr_t uNtDllParentAddr; 1477 1481 /** The basic process info. */ 1478 1482 PROCESS_BASIC_INFORMATION BasicInfo; … … 1527 1531 static int supR3HardNtPuChTriggerInitialImageEvents(PSUPR3HARDNTPUCH pThis) 1528 1532 { 1529 /** @todo stop assuming NTDLL doesn't move. */ 1530 PVOID pvLdrInitThunk = (PVOID)(uintptr_t)LdrInitializeThunk; 1531 PVOID pvNtTerminateThread = (PVOID)(uintptr_t)NtTerminateThread; 1533 PVOID pvLdrInitThunk = (PVOID)((uintptr_t)LdrInitializeThunk + pThis->uNtDllAddr - pThis->uNtDllParentAddr); 1534 PVOID pvNtTerminateThread = (PVOID)((uintptr_t)NtTerminateThread + pThis->uNtDllAddr - pThis->uNtDllParentAddr); 1532 1535 1533 1536 /* … … 1972 1975 1973 1976 1977 static void supR3HardNtPuChFindNtdll(PSUPR3HARDNTPUCH pThis) 1978 { 1979 /* 1980 * Find NTDLL in this process first and take that as a starting point. 1981 */ 1982 pThis->uNtDllParentAddr = (uintptr_t)GetModuleHandleW(L"ntdll.dll"); 1983 SUPR3HARDENED_ASSERT(pThis->uNtDllParentAddr != 0 && !(pThis->uNtDllParentAddr & PAGE_OFFSET_MASK)); 1984 pThis->uNtDllAddr = pThis->uNtDllParentAddr; 1985 1986 /* 1987 * Scan the virtual memory of the child. 1988 */ 1989 uintptr_t cbAdvance = 0; 1990 uintptr_t uPtrWhere = 0; 1991 for (uint32_t i = 0; i < 1024; i++) 1992 { 1993 /* Query information. 
*/ 1994 SIZE_T cbActual = 0; 1995 MEMORY_BASIC_INFORMATION MemInfo = { 0, 0, 0, 0, 0, 0, 0 }; 1996 NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess, 1997 (void const *)uPtrWhere, 1998 MemoryBasicInformation, 1999 &MemInfo, 2000 sizeof(MemInfo), 2001 &cbActual); 2002 if (!NT_SUCCESS(rcNt)) 2003 break; 2004 2005 if ( MemInfo.Type == SEC_IMAGE 2006 || MemInfo.Type == SEC_PROTECTED_IMAGE 2007 || MemInfo.Type == (SEC_IMAGE | SEC_PROTECTED_IMAGE)) 2008 { 2009 if (MemInfo.BaseAddress == MemInfo.AllocationBase) 2010 { 2011 /* Get the image name. */ 2012 union 2013 { 2014 UNICODE_STRING UniStr; 2015 uint8_t abPadding[4096]; 2016 } uBuf; 2017 NTSTATUS rcNt = NtQueryVirtualMemory(pThis->hProcess, 2018 MemInfo.BaseAddress, 2019 MemorySectionName, 2020 &uBuf, 2021 sizeof(uBuf) - sizeof(WCHAR), 2022 &cbActual); 2023 if (NT_SUCCESS(rcNt)) 2024 { 2025 uBuf.UniStr.Buffer[uBuf.UniStr.Length / sizeof(WCHAR)] = '\0'; 2026 if ( uBuf.UniStr.Length > g_System32NtPath.UniStr.Length 2027 && memcmp(uBuf.UniStr.Buffer, g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length) == 0 2028 && uBuf.UniStr.Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR)] == '\\') 2029 { 2030 if (RTUtf16ICmpAscii(&uBuf.UniStr.Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR) + 1], 2031 "ntdll.dll") == 0) 2032 { 2033 pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase; 2034 return; 2035 } 2036 } 2037 } 2038 } 2039 } 2040 2041 /* 2042 * Advance. 
2043 */ 2044 cbAdvance = MemInfo.RegionSize; 2045 if (uPtrWhere + cbAdvance <= uPtrWhere) 2046 break; 2047 uPtrWhere += MemInfo.RegionSize; 2048 } 2049 2050 #ifdef DEBUG 2051 supR3HardenedFatal("%s: ntdll.dll not found in child.", __FUNCTION__); 2052 #endif 2053 } 2054 2055 2056 1974 2057 static int supR3HardenedWinPurifyChild(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo) 1975 2058 { … … 2007 2090 if (!NT_SUCCESS(rcNt)) 2008 2091 return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, "NtReadVirtualMemory/Peb failed: %#x", rcNt); 2092 2093 supR3HardNtPuChFindNtdll(&This); 2009 2094 2010 2095 /*
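Review bot: In a non-DEBUG build supR3HardNtPuChFindNtdll fails silently: it pre-seeds `pThis->uNtDllAddr = pThis->uNtDllParentAddr;`, returns void, and only the `#ifdef DEBUG` branch reports "ntdll.dll not found in child", so when the scan does not find the child's ntdll (NtQueryVirtualMemory failure, or more than the 1024 regions the loop allows) supR3HardenedWinPurifyChild proceeds and supR3HardNtPuChTriggerInitialImageEvents computes LdrInitializeThunk/NtTerminateThread from the parent's base — exactly the relocated-ntdll case this change is meant to fix, and the caller has no way to notice. I would make the lookup return a status, report through the existing `pThis->pErrInfo` the way the PEB read failure already does, and have the caller bail out; the body of supR3HardenedWinPurifyChild continues past the end of this section, so the check below is placed after the call that this hunk adds. Minor: the inner `NTSTATUS rcNt` for the MemorySectionName query shadows the outer `rcNt`, which reads as a copy-paste slip even though it is harmless here.
```cpp
static int supR3HardNtPuChFindNtdll(PSUPR3HARDNTPUCH pThis)
{
    /* … unchanged: parent lookup, NtQueryVirtualMemory scan loop … */
                        pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase;
                        return VINF_SUCCESS;
    /* … unchanged: region advance … */
    return RTErrInfoSetF(pThis->pErrInfo, VERR_NOT_FOUND, "%s: ntdll.dll not found in child.", __FUNCTION__);
}

/* in supR3HardenedWinPurifyChild, replacing the bare call: */
    int rc = supR3HardNtPuChFindNtdll(&This);
    if (RT_FAILURE(rc))
        return rc;
```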