Changeset 52795 in vbox for trunk/src/VBox/HostDrivers/Support

Timestamp:

Sep 19, 2014 3:02:04 PM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

96187

Message:

SUP: Deal with comodo's ntdll export and getprocaddress modifications. Fixed bug in supHardNtLdrCacheOpen.

Location:

trunk/src/VBox/HostDrivers/Support

Files:

• SUPLibInternal.h (modified) (1 diff)
• win/SUPHardenedVerifyImage-win.cpp (modified) (1 diff)
• win/SUPHardenedVerifyProcess-win.cpp (modified) (1 diff)
• win/SUPR3HardenedMain-win.cpp (modified) (5 diffs)
• win/SUPR3HardenedMainImports-win.cpp (modified) (4 diffs)

trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h

@@ -437 +437 @@
 DECLHIDDEN(void)    supR3HardenedWinInitVersion(void);
 DECLHIDDEN(void)    supR3HardenedWinInitImports(void);
+DECLHIDDEN(PFNRT)   supR3HardenedWinGetRealDllSymbol(const char *pszDll, const char *pszProcedure);
 DECLHIDDEN(void)    supR3HardenedWinVerifyProcess(void);
 DECLHIDDEN(void)    supR3HardenedWinEnableThreadCreation(void);

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -2161 +2161 @@
         switch (hrc)
         {
-            case TRUST_E_SYSTEM_ERROR:             pszErrConst = "TRUST_E_SYSTEM_ERROR";          break;
-            case TRUST_E_NO_SIGNER_CERT:           pszErrConst = "TRUST_E_NO_SIGNER_CERT";        break;
-            case TRUST_E_COUNTER_SIGNER:           pszErrConst = "TRUST_E_COUNTER_SIGNER";        break;
-            case TRUST_E_CERT_SIGNATURE:           pszErrConst = "TRUST_E_CERT_SIGNATURE";        break;
-            case TRUST_E_TIME_STAMP:               pszErrConst = "TRUST_E_TIME_STAMP";            break;
-            case TRUST_E_BAD_DIGEST:               pszErrConst = "TRUST_E_BAD_DIGEST";            break;
-            case TRUST_E_BASIC_CONSTRAINTS:        pszErrConst = "TRUST_E_BASIC_CONSTRAINTS";     break;
-            case TRUST_E_FINANCIAL_CRITERIA:       pszErrConst = "TRUST_E_FINANCIAL_CRITERIA";    break;
-            case TRUST_E_PROVIDER_UNKNOWN:         pszErrConst = "TRUST_E_PROVIDER_UNKNOWN";      break;
-            case TRUST_E_ACTION_UNKNOWN:           pszErrConst = "TRUST_E_ACTION_UNKNOWN";        break;
-            case TRUST_E_SUBJECT_FORM_UNKNOWN:     pszErrConst = "TRUST_E_SUBJECT_FORM_UNKNOWN";  break;
-            case TRUST_E_SUBJECT_NOT_TRUSTED:      pszErrConst = "TRUST_E_SUBJECT_NOT_TRUSTED";   break;
-            case TRUST_E_NOSIGNATURE:              pszErrConst = "TRUST_E_NOSIGNATURE";           break;
-            case TRUST_E_FAIL:                     pszErrConst = "TRUST_E_FAIL";                  break;
-            case TRUST_E_EXPLICIT_DISTRUST:        pszErrConst = "TRUST_E_EXPLICIT_DISTRUST";     break;
-            case CERT_E_CHAINING:                  pszErrConst = "CERT_E_CHAINING";               break;
-            case CERT_E_REVOCATION_FAILURE:        pszErrConst = "CERT_E_REVOCATION_FAILURE";     break;
+            case TRUST_E_SYSTEM_ERROR:            pszErrConst = "TRUST_E_SYSTEM_ERROR";         break;
+            case TRUST_E_NO_SIGNER_CERT:          pszErrConst = "TRUST_E_NO_SIGNER_CERT";       break;
+            case TRUST_E_COUNTER_SIGNER:          pszErrConst = "TRUST_E_COUNTER_SIGNER";       break;
+            case TRUST_E_CERT_SIGNATURE:          pszErrConst = "TRUST_E_CERT_SIGNATURE";       break;
+            case TRUST_E_TIME_STAMP:              pszErrConst = "TRUST_E_TIME_STAMP";           break;
+            case TRUST_E_BAD_DIGEST:              pszErrConst = "TRUST_E_BAD_DIGEST";           break;
+            case TRUST_E_BASIC_CONSTRAINTS:       pszErrConst = "TRUST_E_BASIC_CONSTRAINTS";    break;
+            case TRUST_E_FINANCIAL_CRITERIA:      pszErrConst = "TRUST_E_FINANCIAL_CRITERIA";   break;
+            case TRUST_E_PROVIDER_UNKNOWN:        pszErrConst = "TRUST_E_PROVIDER_UNKNOWN";     break;
+            case TRUST_E_ACTION_UNKNOWN:          pszErrConst = "TRUST_E_ACTION_UNKNOWN";       break;
+            case TRUST_E_SUBJECT_FORM_UNKNOWN:    pszErrConst = "TRUST_E_SUBJECT_FORM_UNKNOWN"; break;
+            case TRUST_E_SUBJECT_NOT_TRUSTED:     pszErrConst = "TRUST_E_SUBJECT_NOT_TRUSTED";  break;
+            case TRUST_E_NOSIGNATURE:             pszErrConst = "TRUST_E_NOSIGNATURE";          break;
+            case TRUST_E_FAIL:                    pszErrConst = "TRUST_E_FAIL";                 break;
+            case TRUST_E_EXPLICIT_DISTRUST:       pszErrConst = "TRUST_E_EXPLICIT_DISTRUST";    break;
+            case CERT_E_CHAINING:                 pszErrConst = "CERT_E_CHAINING";              break;
+            case CERT_E_REVOCATION_FAILURE:       pszErrConst = "CERT_E_REVOCATION_FAILURE";    break;
+            case CRYPT_E_FILE_ERROR:              pszErrConst = "CRYPT_E_FILE_ERROR";           break;
+            case CRYPT_E_REVOKED:                 pszErrConst = "CRYPT_E_REVOKED";              break;
         }
         if (pszErrConst)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -1787 +1787 @@
      */
     uint32_t i = 0;
-    while (i < RT_ELEMENTS(g_apszSupNtVpAllowedDlls))
-        if (!strcmp(pszName, g_apszSupNtVpAllowedDlls[i]))
-            break;
+    while (   i < RT_ELEMENTS(g_apszSupNtVpAllowedDlls)
+           && strcmp(pszName, g_apszSupNtVpAllowedDlls[i]))
+        i++;
     if (i >= RT_ELEMENTS(g_apszSupNtVpAllowedDlls))
         return VERR_FILE_NOT_FOUND;

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -253 +253 @@
 /** Microsoft Security Essentials. */
 #define SUPHARDNT_ADVERSARY_MSE                     RT_BIT_32(9)
+/** Comodo. */
+#define SUPHARDNT_ADVERSARY_COMODO                  RT_BIT_32(10)
 /** Unknown adversary detected while waiting on child. */
 #define SUPHARDNT_ADVERSARY_UNKNOWN                 RT_BIT_32(31)
@@ -2207 +2209 @@
      * Locate the routines first so we can allocate memory that's near enough.
      */
-    HMODULE hmodNtDll = GetModuleHandleW(L"NTDLL");
-    SUPR3HARDENED_ASSERT(hmodNtDll != NULL);
-
-    FARPROC pfnNtCreateSection = GetProcAddress(hmodNtDll, "NtCreateSection");
+    PFNRT pfnNtCreateSection = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtCreateSection");
     SUPR3HARDENED_ASSERT(pfnNtCreateSection != NULL);
     //SUPR3HARDENED_ASSERT(pfnNtCreateSection == (FARPROC)NtCreateSection);
 
-    FARPROC pfnLdrLoadDll = GetProcAddress(hmodNtDll, "LdrLoadDll");
+    PFNRT pfnLdrLoadDll = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "LdrLoadDll");
     SUPR3HARDENED_ASSERT(pfnLdrLoadDll != NULL);
     //SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
@@ -3190 +3189 @@
     /* Cannot use the imported NtTerminateThread as it's pointing to our own
        syscall assembly code. */
-    FARPROC pfnNtTerminateThread = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtTerminateThread");
-    SUPR3HARDENED_ASSERT(pfnNtTerminateThread);
+    static PFNRT s_pfnNtTerminateThread = NULL;
+    if (s_pfnNtTerminateThread == NULL)
+        s_pfnNtTerminateThread = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "NtTerminateThread");
+    SUPR3HARDENED_ASSERT(s_pfnNtTerminateThread);
 
     int rc = supR3HardNtDisableThreadCreationEx(NtCurrentProcess(),
                                                 (void *)(uintptr_t)&LdrInitializeThunk,
-                                                (void *)(uintptr_t)pfnNtTerminateThread,
+                                                (void *)(uintptr_t)s_pfnNtTerminateThread,
                                                 g_abLdrInitThunkSelfBackup, sizeof(g_abLdrInitThunkSelfBackup),
                                                 NULL /* pErrInfo*/);
@@ -4849 +4850 @@
 
         { SUPHARDNT_ADVERSARY_MSE,                  "NisDrv" },
+
+        /*{ SUPHARDNT_ADVERSARY_COMODO, "cmdguard" }, file system */
+        { SUPHARDNT_ADVERSARY_COMODO, "inspect" },
+        { SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" },
+
     };
 
@@ -4944 +4950 @@
         { SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\MpFilter.sys" },
         { SUPHARDNT_ADVERSARY_MSE, L"\\SystemRoot\\System32\\drivers\\NisDrvWFP.sys" },
+
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdguard.sys" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmderd.sys" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\inspect.sys" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cmdhlp.sys" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\cfrmd.sys" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\drivers\\hmd.sys" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\guard64.dll" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdvrt64.dll" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdkbd64.dll" },
+        { SUPHARDNT_ADVERSARY_COMODO, L"\\SystemRoot\\System32\\cmdcsr.dll" },
     };
 

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp

@@ -139 +139 @@
     uint16_t const         *pau16NameOrdinals;
 
+    /** Number of patched export table entries. */
+    uint32_t                cPatchedExports;
+
 } SUPHNTIMPDLL;
 /** Pointer to an import DLL entry. */
@@ -365 +368 @@
             {
                 uint32_t offExport = pDll->paoffExports[iExpOrdinal];
-                if (offExport < pDll->cbImage)
+
+                /* detect export table patching. */
+                if (offExport >= pDll->cbImage)
+                    pDll->cPatchedExports++;
+
+                if (offExport - pDll->offExportDir >= pDll->cbExportDir)
                 {
-                    if (offExport - pDll->offExportDir >= pDll->cbExportDir)
-                    {
-                        *pImport->ppfnImport = (PFNRT)&pDll->pbImageBase[offExport];
-                        return NULL;
-                    }
-
-                    /* Forwarder. */
-                    return (const char *)&pDll->pbImageBase[offExport];
+                    *pImport->ppfnImport = (PFNRT)&pDll->pbImageBase[offExport];
+                    return NULL;
                 }
-                SUPHNTIMP_ERROR(13, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_BAD_EXE_FORMAT,
-                                "%ls: The export RVA for '%s' is out of bounds: %#x (SizeOfImage %#x)",
-                                 pDll->pwszName, offExport, pDll->cbImage);
+
+                /* Forwarder. */
+                return (const char *)&pDll->pbImageBase[offExport];
             }
             SUPHNTIMP_ERROR(14, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_BAD_EXE_FORMAT,
@@ -601 +603 @@
         }
 
+    /*
+     * Use the on disk image to avoid export table patching.  Currently
+     * ignoring errors here as can live normally without this step.
+     */
+    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        if (g_aSupNtImpDlls[iDll].cPatchedExports > 0)
+        {
+            PSUPHNTLDRCACHEENTRY pLdrEntry;
+            int rc = supHardNtLdrCacheOpen(g_aSupNtImpDlls[iDll].pszName, &pLdrEntry);
+            if (RT_SUCCESS(rc))
+            {
+                uint8_t *pbBits;
+                rc = supHardNtLdrCacheEntryAllocBits(pLdrEntry, &pbBits, NULL);
+                if (RT_SUCCESS(rc))
+                    for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
+                    {
+                        RTLDRADDR uValue;
+                        rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbBits, (uintptr_t)g_aSupNtImpDlls[iDll].pbImageBase,
+                                              UINT32_MAX, g_aSupNtImpDlls[iDll].paImports[i].pszName, &uValue);
+                        if (RT_SUCCESS(rc))
+                            *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = (PFNRT)(uintptr_t)uValue;
+                    }
+            }
+        }
+
+
 #if 0 /* Win7/32 ntdll!LdrpDebugFlags. */
     *(uint8_t *)&g_aSupNtImpDlls[0].pbImageBase[0xdd770] = 0x3;
@@ -606 +634 @@
 }
 
+
+/**
+ * Gets the address of a procedure in a DLL, ignoring our own syscall
+ * implementations.
+ *
+ * Currently restricted to NTDLL and KERNEL32
+ *
+ * @returns The procedure address.
+ * @param   pszDll          The DLL name.
+ * @param   pszProcedure    The procedure name.
+ */
+DECLHIDDEN(PFNRT) supR3HardenedWinGetRealDllSymbol(const char *pszDll, const char *pszProcedure)
+{
+    /*
+     * Look the DLL up in the import DLL table.
+     */
+    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        if (RTStrICmp(g_aSupNtImpDlls[iDll].pszName, pszDll) == 0)
+        {
+            PSUPHNTLDRCACHEENTRY pLdrEntry;
+            int rc = supHardNtLdrCacheOpen(g_aSupNtImpDlls[iDll].pszName, &pLdrEntry);
+            if (RT_SUCCESS(rc))
+            {
+                uint8_t *pbBits;
+                rc = supHardNtLdrCacheEntryAllocBits(pLdrEntry, &pbBits, NULL);
+                if (RT_SUCCESS(rc))
+                {
+                    RTLDRADDR uValue;
+                    rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pbBits, (uintptr_t)g_aSupNtImpDlls[iDll].pbImageBase,
+                                          UINT32_MAX, pszProcedure, &uValue);
+                    if (RT_SUCCESS(rc))
+                        return (PFNRT)(uintptr_t)uValue;
+                    SUP_DPRINTF(("supR3HardenedWinGetRealDllSymbol: Error getting %s in %s -> %Rrc\n", pszProcedure, pszDll, rc));
+                }
+                else
+                    SUP_DPRINTF(("supR3HardenedWinGetRealDllSymbol: supHardNtLdrCacheEntryAllocBits failed on %s: %Rrc\n",
+                                 pszDll, rc));
+            }
+            else
+                SUP_DPRINTF(("supR3HardenedWinGetRealDllSymbol: supHardNtLdrCacheOpen failed on %s: %Rrc\n",
+                             pszDll, rc));
+
+            /* Complications, just call GetProcAddress. */
+            return (PFNRT)GetProcAddress(GetModuleHandleW(g_aSupNtImpDlls[iDll].pwszName), pszProcedure);
+        }
+
+    supR3HardenedFatal("supR3HardenedWinGetRealDllSymbol: Unknown DLL %s (proc: %s)\n", pszDll, pszProcedure);
+    return NULL;
+}
+