Changeset 52446 in vbox for trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

Timestamp:

Aug 21, 2014 5:23:33 PM (10 years ago)

Author:

vboxsync

Message:

SUPHardenedVerifyProcess-win.cpp: When doing child purification, we can unmap DLLs we don't like... This should hopefully fix the sysferThunk.dll issue that I cannot reproduce.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (3 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -1110 +1110 @@
  *
  * @returns VBox status code.
+ * @retval  VINF_OBJECT_DESTROYED if we've unmapped the image (child
+ *          purification only).
  * @param   pThis               The process scanning state structure.
  * @param   pImage              The new image structure.  Only the unicode name
@@ -1190 +1192 @@
     if (!pImage->pszName)
     {
+        /*
+         * Unknown image.
+         *
+         * If we're cleaning up a child process, we can unmap the offending
+         * DLL...  Might have interesting side effects, or at least interesting
+         * as in "may you live in interesting times".
+         */
+#ifdef IN_RING3
+        if (   pMemInfo->AllocationBase == pMemInfo->BaseAddress
+            && pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION)
+        {
+            SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Unmapping image mem at %p (%p LB %#zx) - '%ls'\n",
+                         pMemInfo->AllocationBase, pMemInfo->BaseAddress, pMemInfo->RegionSize));
+            NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pMemInfo->AllocationBase);
+            if (NT_SUCCESS(rcNt))
+                return VINF_OBJECT_DESTROYED;
+            SUP_DPRINTF(("supHardNtVpScanVirtualMemory: NtUnmapViewOfSection(,%p) failed: %#x\n", pMemInfo->AllocationBase, rcNt));
+        }
+#endif
+        /*
+         * Special error message if we can.
+         */
         if (   pMemInfo->AllocationBase == pMemInfo->BaseAddress
             && (   supHardNtVpAreNamesEqual("sysfer.dll", pwszFilename)
                 || supHardNtVpAreNamesEqual("sysfer32.dll", pwszFilename)
-                || supHardNtVpAreNamesEqual("sysfer64.dll", pwszFilename)) )
+                || supHardNtVpAreNamesEqual("sysfer64.dll", pwszFilename)
+                || supHardNtVpAreNamesEqual("sysfrethunk.dll", pwszFilename)) )
         {
             supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SYSFER_DLL,
@@ -1388 +1413 @@
                 if (RT_SUCCESS(rc))
                 {
-                    pThis->cImages++;
-                    if (pThis->cImages >= RT_ELEMENTS(pThis->aImages))
-                        return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_DLLS_LOADED,
-                                                   "Internal error: aImages is full.\n");
+                    if (rc != VINF_OBJECT_DESTROYED)
+                    {
+                        pThis->cImages++;
+                        if (pThis->cImages >= RT_ELEMENTS(pThis->aImages))
+                            return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_DLLS_LOADED,
+                                                       "Internal error: aImages is full.\n");
+                    }
                 }
 #ifdef IN_RING3 /* Continue and add more information if unknown DLLs are found. */