Changeset 52524 in vbox for trunk/src/VBox/HostDrivers
- Timestamp:
- Aug 29, 2014 7:27:33 AM (10 years ago)
- File:
-
- 1 edited
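--- a/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
@@ -2946,4 +2946,26 @@
 
 /**
+ * Unmaps a DLL from the child process that was previously mapped by
+ * supR3HardNtPuChMapDllIntoChild.
+ *
+ * @returns Pointer to the DLL mapping on success, NULL on failure.
+ * @param pThis The child purification instance data.
+ * @param pvBase The base address of the mapping. Nothing done
+ * if NULL.
+ * @param pszShort The short name (for logging).
+ */
+static void supR3HardNtPuChUnmapDllFromChild(PSUPR3HARDNTPUCH pThis, PVOID pvBase, const char *pszShort)
+{
+if (pvBase)
+{
+NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pvBase);
+if (!NT_SUCCESS(!rcNt))
+SUP_DPRINTF(("supR3HardNtPuChTriggerInitialImageEvents: NtUnmapViewOfSection failed on %s: %#x (%p)\n",
+pszShort, rcNt, pvBase));
+}
+}
+
+
+/**
  * Maps a DLL into the child process.
  *
@@ -3055,4 +3077,14 @@
 
 /*
+ * To further muddle the waters, we map the executable image and ntdll.dll
+ * a 2nd time into the process before we actually start executing the thread
+ * and trigger the genuine image load events.
+ */
+PVOID pvExe2 = supR3HardNtPuChMapDllIntoChild(pThis, &g_SupLibHardenedExeNtPath.UniStr, "executable[2nd]");
+
+UNICODE_STRING NtName1 = RTNT_CONSTANT_UNISTR(L"\\SystemRoot\\System32\\ntdll.dll");
+PVOID pvNtDll2 = supR3HardNtPuChMapDllIntoChild(pThis, &NtName1, "ntdll.dll[2nd]");
+
+/*
  * Create the thread, waiting 10 seconds for it to complete.
  */
@@ -3083,10 +3115,10 @@
  * that we'd rather see early than later.
  */
-UNICODE_STRING NtName 1= RTNT_CONSTANT_UNISTR(L"\\SystemRoot\\System32\\kernel32.dll");
-PVOID pvKernel32 = supR3HardNtPuChMapDllIntoChild(pThis, &NtName 1, "kernel32.dll");
-
-UNICODE_STRING NtName 2= RTNT_CONSTANT_UNISTR(L"\\SystemRoot\\System32\\KernelBase.dll");
+UNICODE_STRING NtName2 = RTNT_CONSTANT_UNISTR(L"\\SystemRoot\\System32\\kernel32.dll");
+PVOID pvKernel32 = supR3HardNtPuChMapDllIntoChild(pThis, &NtName2, "kernel32.dll");
+
+UNICODE_STRING NtName3 = RTNT_CONSTANT_UNISTR(L"\\SystemRoot\\System32\\KernelBase.dll");
 PVOID pvKernelBase = g_uNtVerCombined >= SUP_NT_VER_VISTA
-? supR3HardNtPuChMapDllIntoChild(pThis, &NtName 2, "KernelBase.dll")
+? supR3HardNtPuChMapDllIntoChild(pThis, &NtName3, "KernelBase.dll")
 : NULL;
 
@@ -3103,23 +3135,18 @@
 
 NtYieldExecution();
+
+Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
+NtDelayExecution(FALSE, &Time);
+
+NtYieldExecution();
 SUP_DPRINTF(("supR3HardNtPuChTriggerInitialImageEvents: Startup delay kludge #1: %u ms\n", GetTickCount() - dwStart));
 
 /*
- * Unmap kernel32 & kernelbase. Wonder how the AV stuff is gonna react to this...
- */
-if (pvKernel32)
-{
-rcNt = NtUnmapViewOfSection(pThis->hProcess, pvKernel32);
-if (!NT_SUCCESS(!rcNt))
-SUP_DPRINTF(("supR3HardNtPuChTriggerInitialImageEvents: NtUnmapViewOfSection failed on kernel32: %#x (%p)\n",
-rcNt, pvKernel32));
-}
-if (pvKernelBase)
-{
-rcNt = NtUnmapViewOfSection(pThis->hProcess, pvKernelBase);
-if (!NT_SUCCESS(!rcNt))
-SUP_DPRINTF(("supR3HardNtPuChTriggerInitialImageEvents: NtUnmapViewOfSection failed on KernelBase: %#x (%p)\n",
-rcNt, pvKernelBase));
-}
+ * Unmap the image we mapped into the guest above.
+ */
+supR3HardNtPuChUnmapDllFromChild(pThis, pvKernel32, "kernel32.dll");
+supR3HardNtPuChUnmapDllFromChild(pThis, pvKernelBase, "KernelBase.dll");
+supR3HardNtPuChUnmapDllFromChild(pThis, pvNtDll2, "ntdll.dll[2nd]");
+supR3HardNtPuChUnmapDllFromChild(pThis, pvExe2, "executable[2nd]");
 
 /*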
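Review bot: The failure test in the new supR3HardNtPuChUnmapDllFromChild helper, `if (!NT_SUCCESS(!rcNt))`, negates the status before NT_SUCCESS sees it, so the macro is only ever applied to 0 or 1 and the branch can never fire; a failed NtUnmapViewOfSection in the child process is silently dropped, which matters here because the whole point of the helper is to leave no stray mappings behind. The same inverted test was in the two blocks this commit deletes, so the bug is carried over rather than introduced, but the helper is the place to fix it: `if (!NT_SUCCESS(rcNt))`. The helper's doc comment also claims `@returns Pointer to the DLL mapping on success, NULL on failure.` although the function is declared `static void`; drop the tag or replace it with `@returns nothing; an unmap failure is only logged, callers cannot observe it.` Finally, the SUP_DPRINTF prefix in the helper still says supR3HardNtPuChTriggerInitialImageEvents rather than the helper's own name, which will misattribute the log line if the helper is ever reached from another caller.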