Changeset 52365 in vbox

Timestamp:

Aug 13, 2014 6:11:50 AM (11 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

95497

Message:

sup: Check for TrustedInstaller; accept ProgramFiles and CommonFiles.

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (modified) (2 diffs)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (18 diffs)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (10 diffs)
• src/VBox/HostDrivers/Support/win/import-template-kernel32.h (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/import-template-ntdll.h (modified) (3 diffs)

trunk/include/VBox/err.h

@@ -2505 +2505 @@
 /** Process Purification Failure: Unknown memory type of executable memory.   */
 #define VERR_SUP_VP_UNKOWN_MEM_TYPE                 (-5666)
+/** The image file is not owned by TrustedInstaller is it should be. */
+#define VERR_SUP_VP_NOT_OWNED_BY_TRUSTED_INSTALLER  (-5667)
 
 /** @} */

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h

@@ -97 +97 @@
 /** Whether to allow image verification by catalog file. */
 #  define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION    RT_BIT(3)
+/** The file owner must be TrustedInstaller on Vista+. */
+#  define SUPHNTVI_F_TRUSTED_INSTALLER_OWNER        RT_BIT(4)
 /** Resource image, could be any bitness. */
 #  define SUPHNTVI_F_RESOURCE_IMAGE                 RT_BIT(30)
@@ -122 +124 @@
 extern SUPSYSROOTDIRBUF g_System32NtPath;
 extern SUPSYSROOTDIRBUF g_WinSxSNtPath;
+#ifdef IN_RING3
+extern SUPSYSROOTDIRBUF g_ProgramFilesNtPath;
+extern SUPSYSROOTDIRBUF g_CommonFilesNtPath;
+# if ARCH_BITS == 64
+extern SUPSYSROOTDIRBUF g_ProgramFilesX86NtPath;
+extern SUPSYSROOTDIRBUF g_CommonFilesX86NtPath;
+# endif
+#endif
 extern SUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;
 extern uint32_t         g_offSupLibHardenedExeNtName;

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -117 +117 @@
 /** The full \\SystemRoot\\WinSxS path. */
 SUPSYSROOTDIRBUF            g_WinSxSNtPath;
+#ifdef IN_RING3
+/** The full 'Program Files' path. */
+SUPSYSROOTDIRBUF            g_ProgramFilesNtPath;
+# ifdef RT_ARCH_AMD64
+/** The full 'Program Files (x86)' path. */
+SUPSYSROOTDIRBUF            g_ProgramFilesX86NtPath;
+# endif
+/** The full 'Common Files' path. */
+SUPSYSROOTDIRBUF            g_CommonFilesNtPath;
+# ifdef RT_ARCH_AMD64
+/** The full 'Common Files (x86)' path. */
+SUPSYSROOTDIRBUF            g_CommonFilesX86NtPath;
+# endif
+#endif /* IN_RING3 */
+
+/** The TrustedInstaller SID (Vista+). */
+static union
+{
+    SID                     Sid;
+    uint8_t                 abPadding[SECURITY_MAX_SID_SIZE];
+}                           g_TrustedInstallerSid;
 
 /** Set after we've retrived other SPC root certificates from the system. */
@@ -379 +400 @@
 
 /**
+ * Checks if the file is owned by TrustedInstaller on Vista and later.
+ *
+ * @returns true if owned by TrustedInstaller of pre-Vista, false if not.
+ *
+ * @param   hFile               The handle to the file.
+ * @param   pwszName            The name of the file.
+ */
+static bool supHardNtViCheckIsOwnedByTrustedInstaller(HANDLE hFile, PCRTUTF16 pwszName)
+{
+    if (g_uNtVerCombined < SUP_NT_VER_VISTA)
+        return true;
+
+    /*
+     * Get the ownership information.
+     */
+    union
+    {
+        SECURITY_DESCRIPTOR_RELATIVE    Rel;
+        SECURITY_DESCRIPTOR             Abs;
+        uint8_t                         abView[256];
+    } uBuf;
+    ULONG cbActual;
+    NTSTATUS rcNt = NtQuerySecurityObject(hFile, OWNER_SECURITY_INFORMATION, &uBuf.Abs, sizeof(uBuf), &cbActual);
+SUP_DPRINTF(("NtQuerySecurityObject: rcNt=%#x on '%ls'\n", rcNt, pwszName));
+    if (!NT_SUCCESS(rcNt))
+    {
+        SUP_DPRINTF(("NtQuerySecurityObject failed with rcNt=%#x on '%ls'\n", rcNt, pwszName));
+        return false;
+    }
+
+    /*
+     * Check the owner.
+     */
+    PSID pOwner = uBuf.Rel.Control & SE_SELF_RELATIVE ? &uBuf.abView[uBuf.Rel.Owner] : uBuf.Abs.Owner;
+    Assert((uintptr_t)pOwner - (uintptr_t)&uBuf < sizeof(uBuf) - sizeof(SID));
+    if (RtlEqualSid(pOwner, &g_TrustedInstallerSid))
+        return true;
+
+    SUP_DPRINTF(("%ls: Owner is not trusted installer (%.*Rhxs)\n",
+                 pwszName, ((uint8_t *)pOwner)[1] /*SubAuthorityCount*/ * sizeof(ULONG) + 8, pOwner));
+    return false;
+}
+
+
+/**
  * Simple case insensitive UTF-16 / ASCII path compare.
  *
@@ -484 +550 @@
                                                 PCRTUTF16 pwszRight, uint32_t cwcRight, bool fCheckSlash)
 {
-    if (cwcLeft < cwcRight)
+    if (cwcLeft < cwcRight || !cwcRight || !pwszRight)
         return false;
 
@@ -586 +652 @@
  * @param   pwszName            The NT name of the DLL/EXE.
  * @param   fFlags              Flags.
+ * @param   hFile               The file handle.
  * @param   rc                  The status code..
  */
-static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, uint32_t fFlags, int rc)
+static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, uint32_t fFlags, HANDLE hFile, int rc)
 {
     if (fFlags & (SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING))
@@ -625 +692 @@
     {
         pwsz = pwszName + cwcOther + 1;
+
+        /* Must be owned by trusted installer. */
+        if (   !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+            && !supHardNtViCheckIsOwnedByTrustedInstaller(hFile, pwszName))
+            return rc;
 
         /* Core DLLs. */
@@ -650 +722 @@
 
 #ifndef IN_RING0
-# if 0 /* Allow anything below System32 that WinVerifyTrust thinks is fine. */
-        /* The ATI drivers load system drivers into the process, allow this,
-           but reject anything else from a subdirectory. */
-        uint32_t cSlashes = supHardViUtf16PathCountSlashes(pwsz);
-        if (cSlashes > 0)
-        {
-            if (   cSlashes == 1
-                && supHardViUtf16PathStartsWithAscii(pwsz, "drivers\\ati")
-                && (   supHardViUtf16PathEndsWith(pwsz, ".sys")
-                    || supHardViUtf16PathEndsWith(pwsz, ".dll") ) )
-                return VINF_LDRVI_NOT_SIGNED;
-            return rc;
-        }
-# endif
-
         /* Check that this DLL isn't supposed to be signed on this windows
            version.  If it should, it's likely to be a fake. */
         /** @todo list of signed dlls for various windows versions.  */
-
-        /** @todo check file permissions? TrustedInstaller is supposed to be involved
-         *        with all of them. */
+SUP_DPRINTF(("supHardNtViCheckIfNotSignedOk: VINF_LDRVI_NOT_SIGNED\n"));
         return VINF_LDRVI_NOT_SIGNED;
 #else
         return rc;
-#endif
+#endif /* IN_RING0 */
     }
 
@@ -682 +737 @@
      *
      * Just like with System32 there are potentially a number of DLLs that
-     * could be required from WinSxS.  However, so far only comctl32.dll
-     * variations have been required.  So, we limit ourselves to explicit
-     * whitelisting of unsigned families of DLLs.
+     * could be required from WinSxS.
      */
     cwcOther = g_WinSxSNtPath.UniStr.Length / sizeof(WCHAR);
@@ -697 +750 @@
             return rc;
 
-# if 0 /* See below */
-        /* The common controls mess. */
-# ifdef RT_ARCH_AMD64
-        if (supHardViUtf16PathStartsWithAscii(pwsz, "amd64_microsoft.windows.common-controls_"))
-# elif defined(RT_ARCH_X86)
-        if (supHardViUtf16PathStartsWithAscii(pwsz, "x86_microsoft.windows.common-controls_"))
-# else
-#  error "Unsupported architecture"
-# endif
-        {
-            if (supHardViUtf16PathEndsWith(pwsz, "\\comctl32.dll"))
-                return VINF_LDRVI_NOT_SIGNED;
-        }
-# endif
-
-        /* Allow anything slightly microsoftish from WinSxS. W2K3 wanted winhttp.dll early on... */
-# ifdef RT_ARCH_AMD64
-        if (supHardViUtf16PathStartsWithAscii(pwsz, "amd64_microsoft."))
-# elif defined(RT_ARCH_X86)
-        if (supHardViUtf16PathStartsWithAscii(pwsz, "x86_microsoft."))
-# else
-#  error "Unsupported architecture"
-# endif
-        {
+        if (   (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+            && supHardNtViCheckIsOwnedByTrustedInstaller(hFile, pwszName))
             return VINF_LDRVI_NOT_SIGNED;
-        }
-
         return rc;
     }
-#endif
+#endif /* !IN_RING0 */
 
 #ifdef VBOX_PERMIT_MORE
@@ -736 +765 @@
         cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR); /* ASSUMES System32 is called System32. */
         pwsz = pwszName + cwcOther + 1;
+
+        if (   !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+            && !supHardNtViCheckIsOwnedByTrustedInstaller(hFile, pwszName))
+            return rc;
 
         if (supHardViUtf16PathIsEqual(pwsz, "acres.dll"))
@@ -748 +781 @@
 # endif
 
+# ifndef IN_RING0
+        return VINF_LDRVI_NOT_SIGNED;
+# else
         return rc;
-    }
-#else
-# error should not be here...
-#endif
+# endif
+    }
+#endif /* VBOX_PERMIT_MORE */
+
+#if !defined(IN_RING0) && defined(VBOX_PERMIT_MORE)
+    /*
+     * Program files and common files.
+     * Permit anything that's signed and correctly installed.
+     */
+    if (   supHardViUtf16PathStartsWithEx(pwszName, cwcName,
+                                          g_ProgramFilesNtPath.UniStr.Buffer, g_ProgramFilesNtPath.UniStr.Length,
+                                          true /*fCheckSlash*/)
+        || supHardViUtf16PathStartsWithEx(pwszName, cwcName,
+                                          g_CommonFilesNtPath.UniStr.Buffer, g_CommonFilesNtPath.UniStr.Length,
+                                          true /*fCheckSlash*/)
+# ifdef RT_ARCH_AMD64
+        || supHardViUtf16PathStartsWithEx(pwszName, cwcName,
+                                          g_ProgramFilesX86NtPath.UniStr.Buffer, g_ProgramFilesX86NtPath.UniStr.Length,
+                                          true /*fCheckSlash*/)
+        || supHardViUtf16PathStartsWithEx(pwszName, cwcName,
+                                          g_CommonFilesX86NtPath.UniStr.Buffer, g_CommonFilesX86NtPath.UniStr.Length,
+                                          true /*fCheckSlash*/)
+# endif
+       )
+    {
+        if (   (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+            && supHardNtViCheckIsOwnedByTrustedInstaller(hFile, pwszName))
+            return VINF_LDRVI_NOT_SIGNED;
+        return rc;
+    }
+#endif /* !IN_RING0 && VBOX_PERMIT_MORE*/
 
     return rc;
@@ -940 +1003 @@
 
     /*
+     * Check the trusted installer bit first, if requested as it's somewhat
+     * cheaper than the rest.
+     */
+    if (   (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+        && !supHardNtViCheckIsOwnedByTrustedInstaller(pNtViRdr->hFile, pwszName))
+        return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_OWNED_BY_TRUSTED_INSTALLER,
+                             "supHardenedWinVerifyImageByHandle: TrustedInstaller is not the owner of '%ls'.", pwszName);
+
+    /*
      * Verify it.
      *
@@ -976 +1048 @@
          */
         if (rc == VERR_LDRVI_NOT_SIGNED)
-            rc = supHardNtViCheckIfNotSignedOk(hLdrMod, pwszName, pNtViRdr->fFlags, rc);
+            rc = supHardNtViCheckIfNotSignedOk(hLdrMod, pwszName, pNtViRdr->fFlags, pNtViRdr->hFile, rc);
         if (RT_FAILURE(rc))
             RTErrInfoAddF(pErrInfo, rc, ": %ls", pwszName);
@@ -1307 +1379 @@
 
 
+
+#ifdef IN_RING3
+/**
+ * Initializes the windows paths.
+ */
+static void supHardenedWinInitImageVerifierWinPaths(void)
+{
+    /*
+     * Windows paths that we're interested in.
+     */
+    static const struct
+    {
+        SUPSYSROOTDIRBUF   *pNtPath;
+        WCHAR const        *pwszRegValue;
+        const char         *pszLogName;
+    } s_aPaths[] =
+    {
+        { &g_ProgramFilesNtPath,    L"ProgramFilesDir",         "ProgDir" },
+        { &g_CommonFilesNtPath,     L"CommonFilesDir",          "ComDir" },
+# ifdef RT_ARCH_AMD64
+        { &g_ProgramFilesX86NtPath, L"ProgramFilesDir (x86)",   "ProgDir32" },
+        { &g_CommonFilesX86NtPath,  L"CommonFilesDir (x86)",    "ComDir32" },
+# endif
+    };
+
+    /*
+     * Open the registry key containing the paths.
+     */
+    UNICODE_STRING NtName = RTNT_CONSTANT_UNISTR(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion");
+    OBJECT_ATTRIBUTES ObjAttr;
+    InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
+    HANDLE hKey;
+    NTSTATUS rcNt = NtOpenKey(&hKey, KEY_QUERY_VALUE, &ObjAttr);
+    if (NT_SUCCESS(rcNt))
+    {
+        /*
+         * Loop over the paths and resolve their NT paths.
+         */
+        for (uint32_t i = 0; i < RT_ELEMENTS(s_aPaths); i++)
+        {
+            /*
+             * Query the value first.
+             */
+            UNICODE_STRING ValueName;
+            ValueName.Buffer = (WCHAR *)s_aPaths[i].pwszRegValue;
+            ValueName.Length = (USHORT)(RTUtf16Len(s_aPaths[i].pwszRegValue) * sizeof(WCHAR));
+            ValueName.MaximumLength = ValueName.Length + sizeof(WCHAR);
+
+            union
+            {
+                KEY_VALUE_PARTIAL_INFORMATION   PartialInfo;
+                uint8_t                         abPadding[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(WCHAR) * 128];
+                uint64_t                        uAlign;
+            } uBuf;
+
+            ULONG cbActual = 0;
+            rcNt = NtQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR), &cbActual);
+            if (NT_SUCCESS(rcNt))
+            {
+                /*
+                 * Must be a simple string value, terminate it.
+                 */
+                if (   uBuf.PartialInfo.Type == REG_EXPAND_SZ
+                    || uBuf.PartialInfo.Type == REG_SZ)
+                {
+                    /*
+                     * Expand any environment variable references before opening it.
+                     * We use the result buffer as storage for the expaneded path,
+                     * reserving space for the windows name space prefix.
+                     */
+                    UNICODE_STRING Src;
+                    Src.Buffer = (WCHAR *)uBuf.PartialInfo.Data;
+                    Src.Length = uBuf.PartialInfo.DataLength;
+                    if (Src.Length >= sizeof(WCHAR) && Src.Buffer[Src.Length / sizeof(WCHAR) - 1] == '\0')
+                        Src.Length -= sizeof(WCHAR);
+                    Src.MaximumLength = Src.Length + sizeof(WCHAR);
+                    Src.Buffer[uBuf.PartialInfo.DataLength / sizeof(WCHAR)] = '\0';
+
+                    s_aPaths[i].pNtPath->awcBuffer[0] = '\\';
+                    s_aPaths[i].pNtPath->awcBuffer[1] = '?';
+                    s_aPaths[i].pNtPath->awcBuffer[2] = '?';
+                    s_aPaths[i].pNtPath->awcBuffer[3] = '\\';
+                    UNICODE_STRING Dst;
+                    Dst.Buffer = &s_aPaths[i].pNtPath->awcBuffer[4];
+                    Dst.MaximumLength = sizeof(s_aPaths[i].pNtPath->awcBuffer) - sizeof(WCHAR) * 5;
+                    Dst.Length = Dst.MaximumLength;
+
+                    if (uBuf.PartialInfo.Type == REG_EXPAND_SZ)
+                        rcNt = RtlExpandEnvironmentStrings_U(NULL, &Src, &Dst, NULL);
+                    else
+                    {
+                        memcpy(Dst.Buffer, Src.Buffer, Src.Length);
+                        Dst.Length = Src.Length;
+                    }
+                    if (NT_SUCCESS(rcNt))
+                    {
+                        Dst.Buffer[Dst.Length / sizeof(WCHAR)] = '\0';
+
+                        /*
+                         * Include the \\??\\ prefix in the result and open the path.
+                         */
+                        Dst.Buffer        -= 4;
+                        Dst.Length        += 4 * sizeof(WCHAR);
+                        Dst.MaximumLength += 4 * sizeof(WCHAR);
+                        InitializeObjectAttributes(&ObjAttr, &Dst, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
+                        HANDLE          hFile = INVALID_HANDLE_VALUE;
+                        IO_STATUS_BLOCK Ios   = RTNT_IO_STATUS_BLOCK_INITIALIZER;
+                        NTSTATUS rcNt = NtCreateFile(&hFile,
+                                                     FILE_READ_DATA | SYNCHRONIZE,
+                                                     &ObjAttr,
+                                                     &Ios,
+                                                     NULL /* Allocation Size*/,
+                                                     FILE_ATTRIBUTE_NORMAL,
+                                                     FILE_SHARE_READ | FILE_SHARE_WRITE,
+                                                     FILE_OPEN,
+                                                     FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT
+                                                     | FILE_SYNCHRONOUS_IO_NONALERT,
+                                                     NULL /*EaBuffer*/,
+                                                     0 /*EaLength*/);
+                        if (NT_SUCCESS(rcNt))
+                            rcNt = Ios.Status;
+                        if (NT_SUCCESS(rcNt))
+                        {
+                            /*
+                             * Query the real NT name.
+                             */
+                            ULONG cbIgn;
+                            rcNt = NtQueryObject(hFile,
+                                                 ObjectNameInformation,
+                                                 s_aPaths[i].pNtPath,
+                                                 sizeof(*s_aPaths[i].pNtPath) - sizeof(WCHAR),
+                                                 &cbIgn);
+                            if (NT_SUCCESS(rcNt))
+                            {
+                                if (s_aPaths[i].pNtPath->UniStr.Length > 0)
+                                {
+                                    /* Make sure it's terminated.*/
+                                    s_aPaths[i].pNtPath->UniStr.Buffer[s_aPaths[i].pNtPath->UniStr.Length / sizeof(WCHAR)] = '\0';
+                                    SUP_DPRINTF(("%s:%*s %ls\n", s_aPaths[i].pszLogName, 9 - strlen(s_aPaths[i].pszLogName), "",
+                                                 s_aPaths[i].pNtPath->UniStr.Buffer));
+                                }
+                                else
+                                {
+                                    SUP_DPRINTF(("%s: NtQueryObject returned empty string\n", s_aPaths[i].pszLogName));
+                                    rcNt = STATUS_INVALID_PARAMETER;
+                                }
+                            }
+                            else
+                                SUP_DPRINTF(("%s: NtQueryObject failed: %#x\n", s_aPaths[i].pszLogName, rcNt));
+                            NtClose(hFile);
+                        }
+                        else
+                            SUP_DPRINTF(("%s: NtCreateFile failed: %#x (%ls)\n",
+                                         s_aPaths[i].pszLogName, rcNt, Dst.Buffer));
+                    }
+                    else
+                        SUP_DPRINTF(("%s: RtlExpandEnvironmentStrings_U failed: %#x (%ls)\n",
+                                     s_aPaths[i].pszLogName, rcNt, Src.Buffer));
+                }
+                else
+                {
+                    SUP_DPRINTF(("%s: type mismatch: %#x\n", s_aPaths[i].pszLogName, uBuf.PartialInfo.Type));
+                    rcNt = STATUS_INVALID_PARAMETER;
+                }
+            }
+            else
+                SUP_DPRINTF(("%s: NtQueryValueKey failed: %#x\n", s_aPaths[i].pszLogName, rcNt));
+
+            /* Stub the entry on failure. */
+            if (!NT_SUCCESS(rcNt))
+            {
+                s_aPaths[i].pNtPath->UniStr.Length = 0;
+                s_aPaths[i].pNtPath->UniStr.Buffer = NULL;
+            }
+        }
+        NtClose(hKey);
+    }
+    else
+    {
+        SUP_DPRINTF(("NtOpenKey(%ls) failed: %#x\n", NtName.Buffer, rcNt));
+
+        /* Stub all the entries on failure. */
+        for (uint32_t i = 0; i < RT_ELEMENTS(s_aPaths); i++)
+        {
+            s_aPaths[i].pNtPath->UniStr.Length = 0;
+            s_aPaths[i].pNtPath->UniStr.Buffer = NULL;
+        }
+    }
+}
+#endif /* IN_RING3 */
+
+
 /**
  * This initializes the certificates globals so we don't have to reparse them
@@ -1326 +1590 @@
     if (RT_SUCCESS(rc))
     {
+        SUP_DPRINTF(("System32:  %ls\n", g_System32NtPath.UniStr.Buffer));
+        SUP_DPRINTF(("WinSxS:    %ls\n", g_WinSxSNtPath.UniStr.Buffer));
+#ifdef IN_RING3
+        supHardenedWinInitImageVerifierWinPaths();
+#endif
+
         /*
          * Initialize it, leaving the cleanup to the termination call.
@@ -1359 +1629 @@
 
         if (RT_SUCCESS(rc))
-            return VINF_SUCCESS;
+        {
+            /*
+             * Finally initialize known SIDs that we use.
+             */
+            SID_IDENTIFIER_AUTHORITY s_NtAuth = SECURITY_NT_AUTHORITY;
+            NTSTATUS rcNt = RtlInitializeSid(&g_TrustedInstallerSid, &s_NtAuth, SECURITY_SERVICE_ID_RID_COUNT);
+            if (NT_SUCCESS(rcNt))
+            {
+                *RtlSubAuthoritySid(&g_TrustedInstallerSid, 0) = SECURITY_SERVICE_ID_BASE_RID;
+                *RtlSubAuthoritySid(&g_TrustedInstallerSid, 1) = 956008885;
+                *RtlSubAuthoritySid(&g_TrustedInstallerSid, 2) = 3418522649;
+                *RtlSubAuthoritySid(&g_TrustedInstallerSid, 3) = 1831038044;
+                *RtlSubAuthoritySid(&g_TrustedInstallerSid, 4) = 1853292631;
+                *RtlSubAuthoritySid(&g_TrustedInstallerSid, 5) = 2271478464;
+                return VINF_SUCCESS;
+            }
+            rc = RTErrConvertFromNtStatus(rcNt);
+        }
         supHardenedWinTermImageVerifier();
     }
@@ -1771 +2058 @@
             rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_UNSUPPORTED_ARCH,
                                "WinVerifyTrust failed with hrc=%Rhrc on '%ls'", hrc, pwszName);
+        SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrust: WinVerifyTrust failed with %#x (%s) on '%ls'\n",
+                     hrc, pszErrConst, pwszName));
     }
 
@@ -1826 +2115 @@
 
         NTSTATUS rcNt = NtCreateFile(&hFile,
-                                     FILE_READ_DATA | SYNCHRONIZE,
+                                     FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
                                      &ObjAttr,
                                      &Ios,
@@ -1961 +2250 @@
 
                                 HRESULT hrc = pfnWinVerifyTrust(NULL /*hwnd*/, &s_aPolicies[iPolicy], &TrustData);
-                                SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: WinVerifyTrust => %#x; cat=%ls\n", hrc, CatInfo.wszCatalogFile));
+                                SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: WinVerifyTrust => %#x; cat='%ls'; file='%ls'\n",
+                                             hrc, CatInfo.wszCatalogFile, pwszName));
 
                                 if (SUCCEEDED(hrc))

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -1535 +1535 @@
          * for this image.
          */
-        uint32_t fFlags = pImage->fDll ? 0 : SUPHNTVI_F_REQUIRE_BUILD_CERT;
+        uint32_t fFlags = pImage->fDll
+                        ? SUPHNTVI_F_TRUSTED_INSTALLER_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
+                        : SUPHNTVI_F_REQUIRE_BUILD_CERT;
         if (pImage->f32bitResourceDll)
             fFlags |= SUPHNTVI_F_RESOURCE_IMAGE;

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -658 +658 @@
             {
                 supR3HardenedError(VINF_SUCCESS, false,
-                                   "supR3HardenedMonitor_NtCreateSection: NtQueryObject -> %#x (fImage=%d fExecMap=%d fExecProt=%d)\n",
+                                   "NtCreateSection: NtQueryObject -> %#x (fImage=%d fExecMap=%d fExecProt=%d)\n",
                                    fImage, fExecMap, fExecProt);
                 return rcNt;
@@ -675 +675 @@
             if (pCacheHit)
             {
-                SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: cache hit (%Rrc) on %ls\n", pCacheHit->rc, pCacheHit->wszPath));
+                SUP_DPRINTF(("NtCreateSection: cache hit (%Rrc) on %ls\n", pCacheHit->rc, pCacheHit->wszPath));
                 if (RT_SUCCESS(pCacheHit->rc))
                     return g_pfnNtCreateSectionReal(phSection, fAccess, pObjAttribs, pcbSection, fProtect, fAttribs, hFile);
                 supR3HardenedError(VINF_SUCCESS, false,
-                                   "supR3HardenedMonitor_NtCreateSection: cached rc=%Rrc fImage=%d fExecMap=%d fExecProt=%d %ls\n",
+                                   "NtCreateSection: cached rc=%Rrc fImage=%d fExecMap=%d fExecProt=%d %ls\n",
                                    pCacheHit->rc, fImage, fExecMap, fExecProt, uBuf.UniStr.Buffer);
                 return STATUS_TRUST_FAILURE;
@@ -686 +686 @@
             /*
              * On XP the loader might hand us handles with just FILE_EXECUTE and
-             * SYNCRHONIZE, the means reading will fail later on.  So, we might
-             * have to reopen the file here in order to validate it - annoying.
+             * SYNCHRONIZE, the means reading will fail later on.  Also, we need
+             * READ_CONTROL access to check the file ownership later on, and non
+             * of the OS versions seems be giving us that.  So, in effect we
+             * more or less always reopen the file here.
              */
             HANDLE hMyFile = NULL;
             rcNt = NtDuplicateObject(NtCurrentProcess(), hFile, NtCurrentProcess(),
                                      &hMyFile,
-                                     FILE_READ_DATA | SYNCHRONIZE,
+                                     FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
                                      0 /* Handle attributes*/, 0 /* Options */);
             if (!NT_SUCCESS(rcNt))
@@ -698 +700 @@
                 if (rcNt == STATUS_ACCESS_DENIED)
                 {
-                    HANDLE              hFile = RTNT_INVALID_HANDLE_VALUE;
                     IO_STATUS_BLOCK     Ios   = RTNT_IO_STATUS_BLOCK_INITIALIZER;
-
                     OBJECT_ATTRIBUTES   ObjAttr;
                     InitializeObjectAttributes(&ObjAttr, &uBuf.UniStr, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
 
                     rcNt = NtCreateFile(&hMyFile,
-                                        FILE_READ_DATA | SYNCHRONIZE,
+                                        FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,
                                         &ObjAttr,
                                         &Ios,
@@ -712 +712 @@
                                         FILE_SHARE_READ,
                                         FILE_OPEN,
-                                        FILE_NON_DIRECTORY_FILE,
+                                        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                                         NULL /*EaBuffer*/,
                                         0 /*EaLength*/);
@@ -720 +720 @@
                     {
                         supR3HardenedError(VINF_SUCCESS, false,
-                                           "supR3HardenedMonitor_NtCreateSection: Failed to duplicate and open the file: rcNt=%#x hFile=%p %ls\n",
+                                           "NtCreateSection: Failed to duplicate and open the file: rcNt=%#x hFile=%p %ls\n",
                                            rcNt, hFile, uBuf.UniStr.Buffer);
                         return rcNt;
+                    }
+
+                    /* Check that we've got the same file. */
+                    LARGE_INTEGER idMyFile, idInFile;
+                    bool fMyValid = supR3HardenedWinVerifyCacheGetIndexNumber(hMyFile, &idMyFile);
+                    bool fInValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &idInFile);
+                    if (   fMyValid
+                        && (   fMyValid != fInValid
+                            || idMyFile.QuadPart != idInFile.QuadPart))
+                    {
+                        supR3HardenedError(VINF_SUCCESS, false,
+                                           "NtCreateSection: Re-opened has different ID that input: %#llx vx %#llx (%ls)\n",
+                                           rcNt, idMyFile.QuadPart, idInFile.QuadPart, uBuf.UniStr.Buffer);
+                        NtClose(hMyFile);
+                        return STATUS_TRUST_FAILURE;
                     }
                 }
                 else
                 {
+                    SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: NtDuplicateObject -> %#x\n", rcNt));
 #ifdef DEBUG
 
@@ -757 +773 @@
                         fProtect = (fProtect & ~PAGE_EXECUTE) | PAGE_READONLY;
                     fProtect = (fProtect & ~UINT32_C(0xf0)) | ((fProtect & UINT32_C(0xe0)) >> 4);
+                    if (hMyFile != hFile)
+                        NtClose(hMyFile);
                     return g_pfnNtCreateSectionReal(phSection, fAccess, pObjAttribs, pcbSection, fProtect, fAttribs, hFile);
                 }
@@ -763 +781 @@
             /*
              * Check the path.  We don't allow DLLs to be loaded from just anywhere:
-             *      1. System32   - normal code or cat signing.
-             *      2. WinSxS     - normal code or cat signing.
-             *      3. VirtualBox - kernel code signing and integrity checks.
+             *      1. System32      - normal code or cat signing, owner TrustedInstaller.
+             *      2. WinSxS        - normal code or cat signing, owner TrustedInstaller.
+             *      3. VirtualBox    - kernel code signing and integrity checks.
+             *      4. AppPatchDir   - normal code or cat signing, owner TrustedInstaller.
+             *      5. Program Files - normal code or cat signing, owner TrustedInstaller.
+             *      6. Common Files  - normal code or cat signing, owner TrustedInstaller.
+             *      7. x86 variations of 4 & 5 - ditto.
              */
             bool fSystem32 = false;
@@ -773 +795 @@
             {
                 fSystem32 = true;
-                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION;
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
             }
             else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /*fCheckSlash*/))
-                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION;
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
             else if (supHardViUtf16PathStartsWithEx(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR),
                                                     g_SupLibHardenedExeNtPath.UniStr.Buffer,
@@ -783 +805 @@
 #ifdef VBOX_PERMIT_MORE
             else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR)))
-                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION;
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+            else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /*fCheckSlash*/))
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+            else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /*fCheckSlash*/))
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+# ifdef RT_ARCH_AMD64
+            else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /*fCheckSlash*/))
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+            else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /*fCheckSlash*/))
+                fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER;
+# endif
 #endif
 #ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING

trunk/src/VBox/HostDrivers/Support/win/import-template-kernel32.h

@@ +1 @@
+SUPHARNT_IMPORT_STDCALL(CloseHandle, 4)
+SUPHARNT_IMPORT_STDCALL(CreateFileW, 28)
+SUPHARNT_IMPORT_STDCALL(CreateProcessW, 40)
+SUPHARNT_IMPORT_STDCALL(ExitProcess, 4)
+SUPHARNT_IMPORT_STDCALL(GetCurrentThreadId, 0)
+SUPHARNT_IMPORT_STDCALL(GetFullPathNameA, 16)
 SUPHARNT_IMPORT_STDCALL(GetLastError, 0)
-SUPHARNT_IMPORT_STDCALL(GetFullPathNameA, 16)
-SUPHARNT_IMPORT_STDCALL(CloseHandle, 4)
+SUPHARNT_IMPORT_STDCALL(GetModuleFileNameW, 12)
+SUPHARNT_IMPORT_STDCALL(GetModuleHandleA, 4)
+SUPHARNT_IMPORT_STDCALL(GetModuleHandleW, 4)
+SUPHARNT_IMPORT_STDCALL(GetProcAddress, 8)
+SUPHARNT_IMPORT_STDCALL(GetProcessHeap, 0)
+SUPHARNT_IMPORT_STDCALL(GetTickCount, 0)
+SUPHARNT_IMPORT_STDCALL(HeapAlloc, 12)
+SUPHARNT_IMPORT_STDCALL(HeapFree, 8)
+SUPHARNT_IMPORT_STDCALL(HeapReAlloc, 16)
+SUPHARNT_IMPORT_STDCALL(LoadLibraryExW, 12)
+SUPHARNT_IMPORT_STDCALL(OutputDebugStringA, 4)
+SUPHARNT_IMPORT_STDCALL(Sleep, 4)
+SUPHARNT_IMPORT_STDCALL(VirtualProtectEx, 20)
 SUPHARNT_IMPORT_STDCALL(WriteFile, 20)
-SUPHARNT_IMPORT_STDCALL(OutputDebugStringA, 4)
-SUPHARNT_IMPORT_STDCALL(ExitProcess, 4)
-SUPHARNT_IMPORT_STDCALL(GetModuleHandleA, 4)
-SUPHARNT_IMPORT_STDCALL(GetModuleFileNameW, 12)
-SUPHARNT_IMPORT_STDCALL(CreateFileW, 28)
-SUPHARNT_IMPORT_STDCALL(Sleep, 4)
-SUPHARNT_IMPORT_STDCALL(CreateProcessW, 40)
-SUPHARNT_IMPORT_STDCALL(GetTickCount, 0)
-SUPHARNT_IMPORT_STDCALL(GetModuleHandleW, 4)
-SUPHARNT_IMPORT_STDCALL(HeapAlloc, 12)
-SUPHARNT_IMPORT_STDCALL(GetProcessHeap, 0)
-SUPHARNT_IMPORT_STDCALL(HeapReAlloc, 16)
-SUPHARNT_IMPORT_STDCALL(HeapFree, 8)
-SUPHARNT_IMPORT_STDCALL(LoadLibraryExW, 12)
-SUPHARNT_IMPORT_STDCALL(VirtualProtectEx, 20)
-SUPHARNT_IMPORT_STDCALL(GetProcAddress, 8)
-

trunk/src/VBox/HostDrivers/Support/win/import-template-ntdll.h

@@ -9 +9 @@
 SUPHARNT_IMPORT_SYSCALL(NtMapViewOfSection, 40)
 SUPHARNT_IMPORT_SYSCALL(NtOpenDirectoryObject, 12)
+SUPHARNT_IMPORT_SYSCALL(NtOpenKey, 12)
 SUPHARNT_IMPORT_SYSCALL(NtOpenProcess, 16)
 SUPHARNT_IMPORT_SYSCALL(NtOpenProcessToken, 12)
@@ -21 +22 @@
 SUPHARNT_IMPORT_SYSCALL(NtQueryInformationToken, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQueryObject, 20)
+SUPHARNT_IMPORT_SYSCALL(NtQuerySecurityObject, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQueryTimerResolution, 12)
+SUPHARNT_IMPORT_SYSCALL(NtQueryValueKey, 24)
 SUPHARNT_IMPORT_SYSCALL(NtQueryVirtualMemory, 24)
 SUPHARNT_IMPORT_SYSCALL(NtReadFile, 36)
@@ -57 +60 @@
 SUPHARNT_IMPORT_STDCALL(RtlCreateUserThread, 40)
 SUPHARNT_IMPORT_STDCALL(RtlDestroyProcessParameters, 4)
+SUPHARNT_IMPORT_STDCALL(RtlEqualSid, 8)
+SUPHARNT_IMPORT_STDCALL(RtlExpandEnvironmentStrings_U, 16)
 SUPHARNT_IMPORT_STDCALL(RtlGetVersion, 4)
 SUPHARNT_IMPORT_STDCALL(RtlInitializeSid, 12)