Changeset 52875 in vbox for trunk/src

Timestamp:

Sep 26, 2014 6:05:23 PM (11 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

96299

Message:

SUP: Log more details on system dlls and hot patching.

Location:

trunk/src/VBox/HostDrivers/Support/win

Files:

• SUPHardenedVerifyProcess-win.cpp (modified) (1 diff)
• SUPR3HardenedMain-win.cpp (modified) (5 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -1767 +1767 @@
     pEntry->fVerified = false;
 
+#ifdef IN_SUP_HARDENED_R3
+    /*
+     * Log the image timestamp when in the hardened exe.
+     */
+    uint64_t uTimestamp = 0;
+    rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &uTimestamp, sizeof(uint64_t));
+    SUP_DPRINTF(("%s: timestamp %#llx (rc=%Rrc)\n", pszName, uTimestamp, rc));
+#endif
+
     return VINF_SUCCESS;
 }

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -4447 +4447 @@
                 g_fSupAdversaries |= SUPHARDNT_ADVERSARY_UNKNOWN;
             cMsFudge = 512;
-            SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
+
+            /* Log the KiOpPrefetchPatchCount value if available, hoping it might sched some light on spider38's case. */
+            ULONG cPatchCount = 0;
+            NTSTATUS rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
+                                                     &cPatchCount, sizeof(cPatchCount), NULL);
+            if (NT_SUCCESS(rcNt))
+                SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
+                             cFixes, g_fSupAdversaries, cPatchCount));
+            else
+                SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
         }
 
@@ -4560 +4569 @@
 
 /**
- * Logs information about a file from a protection product.
+ * Logs information about a file from a protection product or from Windows.
  *
  * The purpose here is to better see which version of the product is installed
@@ -4566 +4575 @@
  *
  * @param   pwszFile            The NT path to the file.
- */
-static void supR3HardenedLogAdversarialFile(PCRTUTF16 pwszFile)
+ * @param   fAdversarial        Set if from a protection product, false if
+ *                              system file.
+ */
+static void supR3HardenedLogFileInfo(PCRTUTF16 pwszFile, bool fAdversarial)
 {
     /*
@@ -5051 +5062 @@
     for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++)
         if (fFound & s_aFiles[i].fAdversary)
-            supR3HardenedLogAdversarialFile(s_aFiles[i].pwszFile);
+            supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, true /* fAdversarial */);
 
     return fFound;
@@ -5102 +5113 @@
 
     /*
-     * Scan the system for adversaries.
+     * Log information about important system files.
+     */
+    supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\ntdll.dll", false /* fAdversarial */);
+    supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\kernel32.dll", false /* fAdversarial */);
+    supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\KernelBase.dll", false /* fAdversarial */);
+    supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\apisetschema.dll", false /* fAdversarial */);
+
+    /*
+     * Scan the system for adversaries, logging information about them.
      */
     g_fSupAdversaries = supR3HardenedWinFindAdversaries();