Changeset 52176 in vbox for trunk/src/VBox/HostDrivers

Timestamp:

Jul 24, 2014 6:48:25 PM (10 years ago)

Author:

vboxsync

Message:

SUP: Fixed windows 7 regression where the child purification code would replace the (PEB::)ApiSetMap section with the start of the apisetschema.dll file because it though it was a normal image mapping.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (4 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -1464 +1464 @@
 
 
+/**
+ * Check if the zero terminated NT unicode string is the path to the given
+ * system32 DLL.
+ *
+ * @returns true if it is, false if not.
+ * @param   pUniStr             The zero terminated NT unicode string path.
+ * @param   pszName             The name of the system32 DLL.
+ */
+static bool supR3HardNtIsNamedSystem32Dll(PUNICODE_STRING pUniStr, const char *pszName)
+{
+    if (pUniStr->Length > g_System32NtPath.UniStr.Length)
+    {
+        if (memcmp(pUniStr->Buffer, g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length) == 0)
+        {
+            if (pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR)] == '\\')
+            {
+                if (RTUtf16ICmpAscii(&pUniStr->Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR) + 1], pszName) == 0)
+                    return true;
+            }
+        }
+    }
+
+    return false;
+}
+
+
 
 /*
@@ -1840 +1866 @@
             if (NT_SUCCESS(rcNt))
             {
-                PIMAGE_NT_HEADERS pNtProc = (PIMAGE_NT_HEADERS)&abProc[(uint8_t *)pNtFile - &abFile[0]];
-                pNtFile->OptionalHeader.ImageBase = pNtProc->OptionalHeader.ImageBase;
-
-                size_t cbCompare = RT_MIN(pNtFile->OptionalHeader.SizeOfHeaders, sizeof(abProc));
-                if (cbCompare < sizeof(abFile))
-                    RT_BZERO(&abFile[cbCompare], sizeof(abFile) - cbCompare);
-                if (!memcmp(abFile, abProc, cbCompare))
-                    rc = VINF_SUCCESS;
+                /*
+                 * Watch out for apisetschema.dll, it only has section #1
+                 * mapped into the process.
+                 */
+                if (   g_uNtVerCombined < SUP_NT_VER_W70
+                    || pThis->Peb.Diff3.W7.ApiSetMap != pMemInfo->BaseAddress
+                    || !supR3HardNtIsNamedSystem32Dll(&uBuf.UniStr, "apisetschema.dll"))
+                {
+                    PIMAGE_NT_HEADERS pNtProc = supR3HardNtPuChFindNtHeaders(abProc, sizeof(abProc));
+                    if ((uintptr_t)pNtProc - (uintptr_t)abProc == (uintptr_t)pNtFile - (uintptr_t)abFile)
+                    {
+                        pNtFile->OptionalHeader.ImageBase = pNtProc->OptionalHeader.ImageBase;
+
+                        size_t cbCompare = RT_MIN(pNtFile->OptionalHeader.SizeOfHeaders, sizeof(abProc));
+                        if (cbCompare < sizeof(abFile))
+                            RT_BZERO(&abFile[cbCompare], sizeof(abFile) - cbCompare);
+                        if (!memcmp(abFile, abProc, cbCompare))
+                            rc = VINF_SUCCESS;
+                        else
+                        {
+                            SUP_DPRINTF(("supR3HardNtPuChSanitizeImage: Header diff @%#x in ('%ls')\n",
+                                         supR3HardNtPuChFindFirstDiff(abFile, abProc, sizeof(abProc)), uBuf.UniStr.Buffer));
+                            rc = supR3HardNtPuChRestoreImageBits(pThis, pMemInfo->BaseAddress, abFile, cbCompare, PAGE_READONLY);
+                        }
+                    }
+                    else
+                        rc = RTErrInfoSetF(pThis->pErrInfo, VERR_GENERAL_FAILURE,
+                                           "PE header offset differs between file and memory: offProc=%p offFile=%p '%ls'\n",
+                                           (uintptr_t)pNtProc - (uintptr_t)abProc, (uintptr_t)pNtFile - (uintptr_t)abFile,
+                                           uBuf.UniStr.Buffer);
+                }
                 else
                 {
-                    SUP_DPRINTF(("supR3HardNtPuChSanitizeImage: Header diff @%#x in ('%ls')\n",
-                                 supR3HardNtPuChFindFirstDiff(abFile, abProc, sizeof(abProc)), uBuf.UniStr.Buffer));
-                    rc = supR3HardNtPuChRestoreImageBits(pThis, pMemInfo->BaseAddress, abFile, cbCompare, PAGE_READONLY);
+                    /*
+                     * Validate the API set map.
+                     */
                 }
             }
@@ -2036 +2085 @@
                 {
                     uBuf.UniStr.Buffer[uBuf.UniStr.Length / sizeof(WCHAR)] = '\0';
-                    if (   uBuf.UniStr.Length > g_System32NtPath.UniStr.Length
-                        && memcmp(uBuf.UniStr.Buffer, g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length) == 0
-                        && uBuf.UniStr.Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR)] == '\\')
+                    if (supR3HardNtIsNamedSystem32Dll(&uBuf.UniStr, "ntdll.dll"))
                     {
-                        if (RTUtf16ICmpAscii(&uBuf.UniStr.Buffer[g_System32NtPath.UniStr.Length / sizeof(WCHAR) + 1],
-                                             "ntdll.dll") == 0)
-                        {
-                            pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase;
-                            SUP_DPRINTF(("supR3HardNtPuChFindNtdll: uNtDllParentAddr=%p uNtDllChildAddr=%p\n",
-                                         pThis->uNtDllParentAddr, pThis->uNtDllAddr));
-                            return;
-                        }
+                        pThis->uNtDllAddr = (uintptr_t)MemInfo.AllocationBase;
+                        SUP_DPRINTF(("supR3HardNtPuChFindNtdll: uNtDllParentAddr=%p uNtDllChildAddr=%p\n",
+                                     pThis->uNtDllParentAddr, pThis->uNtDllAddr));
+                        return;
                     }
                 }
@@ -2403 +2446 @@
 
     NtClose(hProcWait);
-    SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): Quitting: ExitCode=%#x rcNt=%#x\n", BasicInfo.ExitStatus, rcNt));
+    SUP_DPRINTF(("supR3HardenedWinDoReSpawn(%d): Quitting: ExitCode=%#x rcNt=%#x\n", iWhich, BasicInfo.ExitStatus, rcNt));
     suplibHardenedExit((RTEXITCODE)BasicInfo.ExitStatus);
 }