VirtualBox

Browse Source

Changeset 52943 in vbox

Timestamp:

Oct 4, 2014 1:54:58 AM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

96383

Message:

SUP: The child side of early VM process init.

Location:

Files:

: 10 edited

include/iprt/nt/nt.h (modified) (1 diff)
src/VBox/HostDrivers/Support/SUPLibInternal.h (modified) (4 diffs)
src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp (modified) (12 diffs)
src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (modified) (2 diffs)
src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (5 diffs)
src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (5 diffs)
src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm (modified) (2 diffs)
src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp (modified) (2 diffs)
src/VBox/HostDrivers/Support/win/import-template-ntdll.h (modified) (8 diffs)
src/VBox/Runtime/r3/win/ntdll-mini-implib.def (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/include/iprt/nt/nt.h

-              r52941
+              r52943
 NTSYSAPI NTSTATUS NTAPI NtQuerySecurityObject(HANDLE, ULONG, PSECURITY_DESCRIPTOR, ULONG, PULONG);
+#ifdef IPRT_NT_USE_WINTERNL
+typedef enum _EVENT_TYPE
+{
+    /* Manual reset event. */
+    NotificationEvent = 0,
+    /* Automaitc reset event. */
+    SynchronizationEvent
+} EVENT_TYPE;
+#endif
+NTSYSAPI NTSTATUS NTAPI NtCreateEvent(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, EVENT_TYPE, BOOLEAN);
+NTSYSAPI NTSTATUS NTAPI NtOpenEvent(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
+NTSYSAPI NTSTATUS NTAPI NtClearEvent(HANDLE);
+NTSYSAPI NTSTATUS NTAPI NtResetEvent(HANDLE, PULONG);
+NTSYSAPI NTSTATUS NTAPI NtSetEvent(HANDLE, PULONG);
+typedef enum _EVENT_INFORMATION_CLASS
+{
+    EventBasicInformation = 0
+} EVENT_INFORMATION_CLASS;
+/** Data returned by NtQueryEvent + EventBasicInformation. */
+typedef struct EVENT_BASIC_INFORMATION
+{
+    EVENT_TYPE  EventType;
+    ULONG       EventState;
+} EVENT_BASIC_INFORMATION;
+typedef EVENT_BASIC_INFORMATION *PEVENT_BASIC_INFORMATION;
+NTSYSAPI NTSTATUS NTAPI NtQueryEvent(HANDLE, EVENT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
 #ifdef IPRT_NT_USE_WINTERNL

trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h

-              r52941
+              r52943
+{
     SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED = 0,
+    SUPR3HARDENEDMAINSTATE_WIN_VM_INIT_CALLED,
+    SUPR3HARDENEDMAINSTATE_WIN_EARLY_IMPORTS_RESOLVED,
+    SUPR3HARDENEDMAINSTATE_WIN_EARLY_DEVICE_OPENED,
     SUPR3HARDENEDMAINSTATE_WIN_EP_CALLED,
     SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED,
     SUPR3HARDENEDMAINSTATE_WIN_VERSION_INITIALIZED,
+    SUPR3HARDENEDMAINSTATE_VERIFY_TRUST_READY,
+    SUPR3HARDENEDMAINSTATE_WIN_VERIFY_TRUST_READY,
+    SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED,
     SUPR3HARDENEDMAINSTATE_INIT_RUNTIME,
     SUPR3HARDENEDMAINSTATE_GET_TRUSTED_MAIN,
     SUPR3HARDENEDMAINSTATE_CALLED_TRUSTED_MAIN,
+    SUPR3HARDENEDMAINSTATE_END
+    SUPR3HARDENEDMAINSTATE_END,
+    SUPR3HARDENEDMAINSTATE_32BIT_HACK = 0x7fffffff
 } SUPR3HARDENEDMAINSTATE;
 …
 #endif
 extern DECLHIDDEN(SUPR3HARDENEDMAINSTATE) g_enmSupR3HardenedMainState;
+#ifdef RT_OS_WINDOWS
+extern DECLHIDDEN(bool)                 g_fSupEarlyVmProcessInit;
+#endif
 …
 #ifdef RT_OS_WINDOWS
 DECLHIDDEN(void)    supR3HardenedWinInit(uint32_t fFlags);
+DECLHIDDEN(void)    supR3HardenedWinInit(uint32_t fFlags, bool fAvastKludge);
 DECLHIDDEN(void)    supR3HardenedWinInitVersion(void);
 DECLHIDDEN(void)    supR3HardenedWinInitImports(void);
+DECLHIDDEN(void)    supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr);
 DECLHIDDEN(PFNRT)   supR3HardenedWinGetRealDllSymbol(const char *pszDll, const char *pszProcedure);
 DECLHIDDEN(void)    supR3HardenedWinVerifyProcess(void);
 …
 # endif
 DECLHIDDEN(void)    supR3HardenedWinCompactHeaps(void);
+DECLHIDDEN(void)    supR3HardenedMainOpenDevice(void);
+DECLHIDDEN(void)    supR3HardenedWinReportErrorToParent(int rc, const char *pszFormat, va_list va);
 #endif

trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp

-              r52941
+              r52943
 /** The current SUPR3HardenedMain state / location. */
 SUPR3HARDENEDMAINSTATE  g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED;
+AssertCompileSize(g_enmSupR3HardenedMainState, sizeof(uint32_t));
 …
     if (hStdOut != NULL)
+    {
+# if 0 /* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */
+        IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
+        NtWriteFile(hStdOut, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
+                    &Ios, (PVOID)pch, (ULONG)cch, NULL /*ByteOffset*/, NULL /*Key*/);
+# else
+        DWORD cbWritten;
+        WriteFile(hStdOut, pch, (DWORD)cch, &cbWritten, NULL);
+# endif
+        if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
+        {
+            DWORD cbWritten;
+            WriteFile(hStdOut, pch, (DWORD)cch, &cbWritten, NULL);
+        }
+        /* Windows 7 and earlier uses fake handles, with the last two bits set ((hStdOut & 3) == 3). */
+        else if (NtWriteFile != NULL && ((uintptr_t)hStdOut & 3) == 0)
+        {
+            IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
+            NtWriteFile(hStdOut, NULL /*Event*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/,
+                        &Ios, (PVOID)pch, (ULONG)cch, NULL /*ByteOffset*/, NULL /*Key*/);
+        }
+    }
 #else
 …
+    }
+    /*
+     * Don't call TrustedError if it's too early.
+     */
+    if (g_enmSupR3HardenedMainState >= SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED)
+    {
 #ifdef SUP_HARDENED_SUID
     /*
      * Drop any root privileges we might be holding, this won't return
      * if it fails but end up calling supR3HardenedFatal[V].
      */
     supR3HardenedMainDropPrivileges();
 #endif /* SUP_HARDENED_SUID */
     /*
      * Now try resolve and call the TrustedError entry point if we can
      * find it.  We'll fork before we attempt this because that way the
      * session management in main will see us exiting immediately (if
      * it's involved with us).
      */
+        /*
+         * Drop any root privileges we might be holding, this won't return
+         * if it fails but end up calling supR3HardenedFatal[V].
+         */
+        supR3HardenedMainDropPrivileges();
+#endif
+        /*
+         * Now try resolve and call the TrustedError entry point if we can
+         * find it.  We'll fork before we attempt this because that way the
+         * session management in main will see us exiting immediately (if
+         * it's involved with us).
+         */
 #if !defined(RT_OS_WINDOWS) && !defined(RT_OS_OS2)
+    int pid = fork();
+    if (pid <= 0)
+#endif
+    {
+        static volatile bool s_fRecursive = false; /* Loader hooks may cause recursion. */
+        if (!s_fRecursive)
+        int pid = fork();
+        if (pid <= 0)
+#endif
+        {
+            s_fRecursive = true;
+            PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
+            if (pfnTrustedError)
+                pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
+            s_fRecursive = false;
+            static volatile bool s_fRecursive = false; /* Loader hooks may cause recursion. */
+            if (!s_fRecursive)
+            {
+                s_fRecursive = true;
+                PFNSUPTRUSTEDERROR pfnTrustedError = supR3HardenedMainGetTrustedError(g_pszSupLibHardenedProgName);
+                if (pfnTrustedError)
+                    pfnTrustedError(pszWhere, enmWhat, rc, pszMsgFmt, va);
+                s_fRecursive = false;
+            }
+        }
+    }
+#if defined(RT_OS_WINDOWS)
+    /*
+     * Report the error to the parent if this happens during early VM init.
+     */
+    else if (   g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
+             && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
+        supR3HardenedWinReportErrorToParent(rc, pszMsgFmt, va);
+#endif
     /*
 …
     va_end(vaCopy);
+    suplibHardenedPrintPrefix();
+    suplibHardenedPrintFV(pszFormat, va);
+#if defined(RT_OS_WINDOWS)
+    /*
+     * Report the error to the parent if this happens during early VM init.
+     */
+    if (   g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
+        && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
+        supR3HardenedWinReportErrorToParent(VERR_INTERNAL_ERROR, pszFormat, va);
+    else
+#endif
+    {
+        suplibHardenedPrintPrefix();
+        suplibHardenedPrintFV(pszFormat, va);
+    }
     suplibHardenedExit(RTEXITCODE_FAILURE);
+}
 …
  * @remarks This function will not return on failure.
  */
 static void supR3HardenedMainOpenDevice(void)
+DECLHIDDEN(void) supR3HardenedMainOpenDevice(void)
+{
     int rc = suplibOsInit(&g_SupPreInitData.Data, false /*fPreInit*/, true /*fUnrestricted*/);
 …
+{
     SUP_DPRINTF(("SUPR3HardenedMain: pszProgName=%s fFlags=%#x\n", pszProgName, fFlags));
+    g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED;
     /*
 …
     g_pszSupLibHardenedProgName = pszProgName;
     g_fSupHardenedMain          = fFlags;
+    g_SupPreInitData.u32Magic     = SUPPREINITDATA_MAGIC;
+    g_SupPreInitData.Data.hDevice = SUP_HDEVICE_NIL;
+    g_SupPreInitData.u32EndMagic  = SUPPREINITDATA_MAGIC;
+#ifdef RT_OS_WINDOWS
+    if (!g_fSupEarlyVmProcessInit)
+#endif
+    {
+        g_SupPreInitData.u32Magic     = SUPPREINITDATA_MAGIC;
+        g_SupPreInitData.Data.hDevice = SUP_HDEVICE_NIL;
+        g_SupPreInitData.u32EndMagic  = SUPPREINITDATA_MAGIC;
+    }
 #ifdef SUP_HARDENED_SUID
 …
      */
     supR3HardenedGetFullExePath();
 # endif
 …
      * at dropping compatibility layers and process "security" solutions.
      */
+    if (   !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
+    if (   !g_fSupEarlyVmProcessInit
+        && !(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV)
         && supR3HardenedWinIsReSpawnNeeded(1 /*iWhich*/, argc, argv))
+    {
         SUP_DPRINTF(("SUPR3HardenedMain: Respawn #1\n"));
         supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV);
+        supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV, true /*fAvastKludge*/);
         supR3HardenedVerifyAll(true /* fFatal */, pszProgName);
         return supR3HardenedWinReSpawn(1 /*iWhich*/);
 …
      * Windows: Initialize the image verification global data so we can verify the
      * signature of the process image and hook the core of the DLL loader API so we
+     * can check the signature of all DLLs mapped into the process.
+     */
+    supR3HardenedWinInit(fFlags);
+     * can check the signature of all DLLs mapped into the process.  (Already done
+     * by early VM process init.)
+     */
+    if (!g_fSupEarlyVmProcessInit)
+        supR3HardenedWinInit(fFlags, true /*fAvastKludge*/);
 #endif /* RT_OS_WINDOWS */
 …
     /*
      * The next steps are only taken if we actually need to access the support
+     * driver.
+     */
+    if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
+    {
+     * driver.  (Already done by early VM process init.)
+     */
 #ifdef RT_OS_WINDOWS
+        /*
+         * Windows: Verify the process (repeated by the kernel later.
+         */
+        supR3HardenedWinVerifyProcess();
+        /*
+         * Windows: The second respawn.  This time we make a special arrangement
+         * with vboxdrv to monitor access to the new process from its inception.
+         */
+        if (supR3HardenedWinIsReSpawnNeeded(2 /* iWhich*/, argc, argv))
+    if (!g_fSupEarlyVmProcessInit)
+#endif
+        if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
+        {
+            SUP_DPRINTF(("SUPR3HardenedMain: Respawn #2\n"));
+            return supR3HardenedWinReSpawn(2 /* iWhich*/);
+#ifdef RT_OS_WINDOWS
+            /*
+             * Windows: Verify the process (repeated by the kernel later.
+             */
+            supR3HardenedWinVerifyProcess();
+            /*
+             * Windows: The second respawn.  This time we make a special arrangement
+             * with vboxdrv to monitor access to the new process from its inception.
+             */
+            if (supR3HardenedWinIsReSpawnNeeded(2 /* iWhich*/, argc, argv))
+            {
+                SUP_DPRINTF(("SUPR3HardenedMain: Respawn #2\n"));
+                return supR3HardenedWinReSpawn(2 /* iWhich*/);
+            }
+            SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
+            supR3HardenedWinFlushLoaderCache();
+#endif /* RT_OS_WINDOWS */
+            /*
+             * Open the vboxdrv device.
+             */
+            supR3HardenedMainOpenDevice();
+        }
-        SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
-        supR3HardenedWinFlushLoaderCache();
-#endif /* RT_OS_WINDOWS */
-        /*
-         * Open the vboxdrv device.
-         */
-        supR3HardenedMainOpenDevice();
+    }
 #ifdef RT_OS_WINDOWS
 …
     supR3HardenedWinFlushLoaderCache();
     supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation(g_pszSupLibHardenedProgName);
     g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_VERIFY_TRUST_READY;
+    g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_VERIFY_TRUST_READY;
 #endif

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h

-              r52940
+              r52943
 extern SUPSYSROOTDIRBUF g_System32NtPath;
 extern SUPSYSROOTDIRBUF g_WinSxSNtPath;
 #ifdef IN_RING3
+#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
 extern SUPSYSROOTDIRBUF g_ProgramFilesNtPath;
 extern SUPSYSROOTDIRBUF g_CommonFilesNtPath;
 …
 extern SUPSYSROOTDIRBUF g_CommonFilesX86NtPath;
 # endif
 #endif
+#endif /* IN_RING3 && !VBOX_PERMIT_EVEN_MORE */
 extern SUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;
 extern uint32_t         g_offSupLibHardenedExeNtName;

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

-              r52940
+              r52943
 /** The full \\SystemRoot\\WinSxS path. */
 SUPSYSROOTDIRBUF            g_WinSxSNtPath;
 #ifdef IN_RING3
+#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
 /** The full 'Program Files' path. */
 SUPSYSROOTDIRBUF            g_ProgramFilesNtPath;
 …
 SUPSYSROOTDIRBUF            g_CommonFilesX86NtPath;
 # endif
 #endif /* IN_RING3 */
+#endif /* IN_RING3 && !VBOX_PERMIT_MORE*/
 static union
 …
+#ifdef IN_RING3
+#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
 /**
  * Initializes the windows paths.
 …
+    }
+}
 #endif /* IN_RING3 */
+#endif /* IN_RING3 && !VBOX_PERMIT_EVEN_MORE */
 …
         SUP_DPRINTF(("System32:  %ls\n", g_System32NtPath.UniStr.Buffer));
         SUP_DPRINTF(("WinSxS:    %ls\n", g_WinSxSNtPath.UniStr.Buffer));
 #ifdef IN_RING3
+#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
         supHardenedWinInitImageVerifierWinPaths();
 #endif

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

-              r52941
+              r52943
+/**
+ * VM process parameters.
+ */
+typedef struct SUPR3WINPROCPARAMS
+{
+    /** The event semaphore the child will be waiting on. */
+    HANDLE          hEvtChild;
+    /** The event semaphore the parent will be waiting on. */
+    HANDLE          hEvtParent;
+    /** The address of the NTDLL. */
+    uintptr_t       uNtDllAddr;
+    /** The last status. */
+    int32_t         rc;
+    /** Error message / path name string space. */
+    char            szErrorMsg[4096];
+} SUPR3WINPROCPARAMS;
 /*******************************************************************************
 *   Global Variables                                                           *
 *******************************************************************************/
+/** Process parameters.  Specified by parent if VM process, see
+ *  supR3HardenedVmProcessInit. */
+static SUPR3WINPROCPARAMS   g_ProcParams = { NULL, NULL, 0, 0 };
+/** Set if supR3HardenedVmProcessInit was invoked. */
+bool                        g_fSupEarlyVmProcessInit = false;
 /** @name Global variables initialized by suplibHardenedWindowsMain.
  * @{ */
 …
  * Initializes the windows verficiation bits.
  * @param   fFlags          The main flags.
+ */
+DECLHIDDEN(void) supR3HardenedWinInit(uint32_t fFlags)
+ * @param   fAvastKludge    Whether to apply the avast kludge.
+ */
+DECLHIDDEN(void) supR3HardenedWinInit(uint32_t fFlags, bool fAvastKludge)
+{
     RTErrInfoInitStatic(&g_ErrInfoStatic);
 …
     if (!(fFlags & SUPSECMAIN_FLAGS_DONT_OPEN_DEV))
+    {
+        /*
+         * Do a self purification to cure avast's weird NtOpenFile write-thru
+         * change in GetBinaryTypeW change in kernel32.  Unfortunately, avast
+         * uses a system thread to perform the process modifications, which
+         * means it's hard to make sure it had the chance to make them...
+         *
+         * We have to resort to kludge doing yield and sleep fudging for a
+         * number of milliseconds and schedulings before we can hope that avast
+         * and similar products have done what they need to do.  If we do any
+         * fixes, we wait for a while again and redo it until we're clean.
+         *
+         * This is unfortunately kind of fragile.
+         */
+        uint32_t cMsFudge = g_fSupAdversaries ? 512 : 128;
+        uint32_t cFixes;
+        for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
+        {
+            uint32_t    cSleeps = 0;
+            DWORD       dwStart = GetTickCount();
+            do
+        if (fAvastKludge)
+        {
+            /*
+             * Do a self purification to cure avast's weird NtOpenFile write-thru
+             * change in GetBinaryTypeW change in kernel32.  Unfortunately, avast
+             * uses a system thread to perform the process modifications, which
+             * means it's hard to make sure it had the chance to make them...
+             *
+             * We have to resort to kludge doing yield and sleep fudging for a
+             * number of milliseconds and schedulings before we can hope that avast
+             * and similar products have done what they need to do.  If we do any
+             * fixes, we wait for a while again and redo it until we're clean.
+             *
+             * This is unfortunately kind of fragile.
+             */
+            uint32_t cMsFudge = g_fSupAdversaries ? 512 : 128;
+            uint32_t cFixes;
+            for (uint32_t iLoop = 0; iLoop < 16; iLoop++)
+            {
+                NtYieldExecution();
+                LARGE_INTEGER Time;
+                Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
+                NtDelayExecution(FALSE, &Time);
+                cSleeps++;
+            } while (   GetTickCount() - dwStart <= cMsFudge
+                     || cSleeps < 8);
+            SUP_DPRINTF(("supR3HardenedWinInit: Startup delay kludge #2/%u: %u ms, %u sleeps\n",
+                         iLoop, GetTickCount() - dwStart, cSleeps));
+            cFixes = 0;
+            rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION,
+                                             &cFixes, NULL /*pErrInfo*/);
+            if (RT_FAILURE(rc) || cFixes == 0)
+                break;
+            if (!g_fSupAdversaries)
+                g_fSupAdversaries |= SUPHARDNT_ADVERSARY_UNKNOWN;
+            cMsFudge = 512;
+            /* Log the KiOpPrefetchPatchCount value if available, hoping it might sched some light on spider38's case. */
+            ULONG cPatchCount = 0;
+            NTSTATUS rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
+                                                     &cPatchCount, sizeof(cPatchCount), NULL);
+            if (NT_SUCCESS(rcNt))
+                SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
+                             cFixes, g_fSupAdversaries, cPatchCount));
+            else
+                SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
+                uint32_t    cSleeps = 0;
+                DWORD       dwStart = GetTickCount();
+                do
+                {
+                    NtYieldExecution();
+                    LARGE_INTEGER Time;
+                    Time.QuadPart = -8000000 / 100; /* 8ms in 100ns units, relative time. */
+                    NtDelayExecution(FALSE, &Time);
+                    cSleeps++;
+                } while (   GetTickCount() - dwStart <= cMsFudge
+                         || cSleeps < 8);
+                SUP_DPRINTF(("supR3HardenedWinInit: Startup delay kludge #2/%u: %u ms, %u sleeps\n",
+                             iLoop, GetTickCount() - dwStart, cSleeps));
+                cFixes = 0;
+                rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION,
+                                                 &cFixes, NULL /*pErrInfo*/);
+                if (RT_FAILURE(rc) || cFixes == 0)
+                    break;
+                if (!g_fSupAdversaries)
+                    g_fSupAdversaries |= SUPHARDNT_ADVERSARY_UNKNOWN;
+                cMsFudge = 512;
+                /* Log the KiOpPrefetchPatchCount value if available, hoping it might sched some light on spider38's case. */
+                ULONG cPatchCount = 0;
+                NTSTATUS rcNt = NtQuerySystemInformation(SystemInformation_KiOpPrefetchPatchCount,
+                                                         &cPatchCount, sizeof(cPatchCount), NULL);
+                if (NT_SUCCESS(rcNt))
+                    SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x cPatchCount=%#u\n",
+                                 cFixes, g_fSupAdversaries, cPatchCount));
+                else
+                    SUP_DPRINTF(("supR3HardenedWinInit: cFixes=%u g_fSupAdversaries=%#x\n", cFixes, g_fSupAdversaries));
+            }
+        }
 …
     /*
+     * Notify the parent process that we're probably capable of reporting our
+     * own errors.
+     */
+    if (g_ProcParams.hEvtParent || g_ProcParams.hEvtChild)
+    {
+        SUPR3HARDENED_ASSERT(g_fSupEarlyVmProcessInit);
+        NtSetEvent(g_ProcParams.hEvtParent, NULL);
+        NtClose(g_ProcParams.hEvtParent);
+        NtClose(g_ProcParams.hEvtChild);
+        g_ProcParams.hEvtParent = NULL;
+        g_ProcParams.hEvtChild  = NULL;
+    }
+    else
+        SUPR3HARDENED_ASSERT(!g_fSupEarlyVmProcessInit);
+    /*
      * After having resolved imports we patch the LdrInitializeThunk code so
      * that it's more difficult to invade our privacy by CreateRemoteThread.
 …
+}
+/**
+ * Reports an error to the parent process via the process parameter structure.
+ *
+ * @param   rc                  The status code to report.
+ * @param   pszFormat           The format string.
+ * @param   va                  The format arguments.
+ */
+DECLHIDDEN(void) supR3HardenedWinReportErrorToParent(int rc, const char *pszFormat, va_list va)
+{
+    RTStrPrintfV(g_ProcParams.szErrorMsg, sizeof(g_ProcParams.szErrorMsg), pszFormat, va);
+    g_ProcParams.rc = RT_SUCCESS(rc) ? VERR_INTERNAL_ERROR_2 : rc;
+    NTSTATUS rcNt = NtSetEvent(g_ProcParams.hEvtParent, NULL);
+    if (NT_SUCCESS(rcNt))
+    {
+        LARGE_INTEGER Timeout;
+        Timeout.QuadPart = -300000000; /* 30 second */
+        NTSTATUS rcNt = NtWaitForSingleObject(g_ProcParams.hEvtChild, FALSE /*Alertable*/, &Timeout);
+        NtClearEvent(g_ProcParams.hEvtChild);
+    }
+}
+/**
+ * Routine called by the supR3HardenedVmProcessInitThunk assembly routine when
+ * LdrInitializeThunk is executed in during process initialization.
+ *
+ * This initializes the VM process, hooking NTDLL APIs and opening the device
+ * driver before any other DLLs gets loaded into the process.  This greately
+ * reduces and controls the trusted code base of the process compared to the
+ * opening it from SUPR3HardenedMain, avoid issues with so call protection
+ * software that is in the habit of patching half of the ntdll and kernel32
+ * APIs in the process, making it almost indistinguishable from software that is
+ * up to no good.  Once we've opened vboxdrv, the process should be locked down
+ * so thighly that only kernel software and csrss can mess with the process.
+ */
+DECLASM(uintptr_t) supR3HardenedVmProcessInit(void)
+{
+    /*
+     * Only let the first thread thru.
+     */
+    if (!ASMAtomicCmpXchgU32((uint32_t volatile *)&g_enmSupR3HardenedMainState,
+                             SUPR3HARDENEDMAINSTATE_WIN_VM_INIT_CALLED,
+                             SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED))
+    {
+        NtTerminateThread(0, 0);
+        return 0x22;  /* crash */
+    }
+    g_fSupEarlyVmProcessInit = true;
+    /*
+     * Initialize the NTDLL imports that we consider usable before the
+     * process has been initialized.
+     */
+    supR3HardenedWinInitImportsEarly(g_ProcParams.uNtDllAddr);
+    g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_IMPORTS_RESOLVED;
+    /*
+     * Init g_uNtVerCombined as well as we can at this point.
+     */
+    supR3HardenedWinInitVersion();
+    /*
+     * Wait on the parent process to dispose of the full access process handle.
+     */
+    LARGE_INTEGER Timeout;
+    Timeout.QuadPart = -600000000; /* 60 second */
+    NTSTATUS rcNt = NtWaitForSingleObject(g_ProcParams.hEvtChild, FALSE /*Alertable*/, &Timeout);
+    if (NT_SUCCESS(rcNt))
+        rcNt = NtClearEvent(g_ProcParams.hEvtChild);
+    if (!NT_SUCCESS(rcNt))
+    {
+        NtTerminateProcess(NtCurrentProcess(), 0x42);
+        return 0x42; /* crash */
+    }
+    /*
+     * Convert the arguments to UTF-8 so we can open the log file if specified.
+     * Note! This leaks memory at present.
+     */
+    PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
+    int    cArgs;
+    char **papszArgs = suplibCommandLineToArgvWStub(pCmdLineStr->Buffer, pCmdLineStr->Length / sizeof(WCHAR), &cArgs);
+    supR3HardenedOpenLog(&cArgs, papszArgs);
+    SUP_DPRINTF(("supR3HardenedVmProcessInit: uNtDllAddr=%p\n", g_ProcParams.uNtDllAddr));
+    /*
+     * Determine the executable path and name.  Will NOT determine the windows style
+     * executable path here as we don't need it.
+     */
+    SIZE_T cbActual = 0;
+    rcNt = NtQueryVirtualMemory(NtCurrentProcess(), &g_ProcParams, MemorySectionName, &g_SupLibHardenedExeNtPath,
+                                sizeof(g_SupLibHardenedExeNtPath) - sizeof(WCHAR), &cbActual);
+    if (   !NT_SUCCESS(rcNt)
+        || g_SupLibHardenedExeNtPath.UniStr.Length == 0
+        || g_SupLibHardenedExeNtPath.UniStr.Length & 1)
+        supR3HardenedFatal("NtQueryVirtualMemory/MemorySectionName failed in supR3HardenedVmProcessInit: %#x\n", rcNt);
+    /* The NT executable name offset / dir path length. */
+    g_offSupLibHardenedExeNtName = g_SupLibHardenedExeNtPath.UniStr.Length / sizeof(WCHAR);
+    while (   g_offSupLibHardenedExeNtName > 1
+           && g_SupLibHardenedExeNtPath.UniStr.Buffer[g_offSupLibHardenedExeNtName - 1] != '\\' )
+        g_offSupLibHardenedExeNtName--;
+    /*
+     * Initialize the image verification stuff (hooks LdrLoadDll and NtCreateSection).
+     */
+    supR3HardenedWinInit(0, false /*fAvastKludge*/);
+    /*
+     * Open the driver.
+     */
+    supR3HardenedMainOpenDevice();
+    g_enmSupR3HardenedMainState = SUPR3HARDENEDMAINSTATE_WIN_EARLY_DEVICE_OPENED;
+    /*
+     * Restore the LdrInitializeThunk code so we can initialize the process
+     * normally when we return.
+     */
+    PSUPHNTLDRCACHEENTRY pLdrEntry;
+    int rc = supHardNtLdrCacheOpen("ntdll.dll", &pLdrEntry);
+    if (RT_FAILURE(rc))
+        supR3HardenedFatal("supR3HardenedVmProcessInit: supHardNtLdrCacheOpen failed on NTDLL: %Rrc\n", rc);
+    RTLDRADDR uValue;
+    rc = RTLdrGetSymbolEx(pLdrEntry->hLdrMod, pLdrEntry->pbBits, 0, UINT32_MAX, "LdrInitializeThunk", &uValue);
+    if (RT_FAILURE(rc))
+        supR3HardenedFatal("supR3HardenedVmProcessInit: Failed to find LdrInitializeThunk (%Rrc).\n", rc);
+    PVOID pvLdrInitThunk = (uint8_t *)g_ProcParams.uNtDllAddr + (uint32_t)uValue;
+    SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READWRITE));
+    memcpy(pvLdrInitThunk, pLdrEntry->pbBits + (uint32_t)uValue, 16);
+    SUPR3HARDENED_ASSERT_NT_SUCCESS(supR3HardenedWinProtectMemory(pvLdrInitThunk, 16, PAGE_EXECUTE_READ));
+    return (uintptr_t)pvLdrInitThunk;
+}

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm

-              r52941
+              r52943
 extern NAME(g_pfnNtCreateSectionJmpBack)
+; External code.
+extern NAME(supR3HardenedVmProcessInit)
 BEGINCODE
 …
 %endif
+;;
+; Alternative code for LdrInitializeThunk that performs the VM process startup.
+;
+; This does not concern itself with any arguments on stack or in registers that
+; may be passed to the LdrIntializeThunk routine as we just save and restore
+; them all before we restart the restored LdrInitializeThunk routine.
+;
+BEGINPROC supR3HardenedVmProcessInitThunk
+        ;
+        ; Prologue.
+        ;
+        ; Reserve space for the "return" address.
+        push    0
+        ; Create a stack frame, saving xBP.
+        push    xBP
+        SEH64_PUSH_xBP
+        mov     xBP, xSP
+        SEH64_SET_FRAME_xBP 0 ; probably wrong...
+        ; Save all volatile registers.
+        push    xAX
+        push    xCX
+        push    xDX
+%ifdef RT_ARCH_AMD64
+        push    r8
+        push    r9
+        push    r10
+        push    r11
+%endif
+        ; Reserve spill space and align the stack.
+        sub     xSP, 20h
+        and     xSP, ~0fh
+        SEH64_END_PROLOGUE
+        ;
+        ; Call the C/C++ code that does the actual work.  This returns the
+        ; resume address in xAX, which we put in the "return" stack position.
+        ;
+        call    NAME(supR3HardenedVmProcessInit)
+        mov     [xBP + xCB], xAX
+        ;
+        ; Restore volatile registers.
+        ;
+        mov     xAX, [xBP - xCB*1]
+        mov     xCX, [xBP - xCB*2]
+        mov     xDX, [xBP - xCB*3]
+%ifdef RT_ARCH_AMD64
+        mov     r8,  [xBP - xCB*4]
+        mov     r9,  [xBP - xCB*5]
+        mov     r10, [xBP - xCB*6]
+        mov     r11, [xBP - xCB*7]
+%endif
+        ;
+        ; Use the leave instruction to restore xBP and set up xSP to point at
+        ; the resume address. Then use the 'ret' instruction to resume process
+        ; initializaton.
+        ;
+        leave
+        ret
+ENDPROC   supR3HardenedVmProcessInitThunk
 ;;

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp

-              r52941
+              r52943
 /**
  * All the DLLs we import from.
+ * @remarks Code ASSUMES that ntdll is the first entry.
  */
 static SUPHNTIMPDLL g_aSupNtImpDlls[] =
 …
+/**
+ * Resolves NtDll functions we can trust calling before process init.
+ *
+ * @param   uNtDllAddr          The address of the NTDLL.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr)
+{
+    /*
+     * NTDLL is the first entry in the list.
+     */
+    g_aSupNtImpDlls[0].pbImageBase = (uint8_t const *)uNtDllAddr;
+    supR3HardenedParseModule(&g_aSupNtImpDlls[0]);
+    for (uint32_t i = 0; i < g_aSupNtImpDlls[0].cImports; i++)
+        if (!g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy)
+        {
+            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &g_aSupNtImpDlls[0].paImports[i]);
+            if (pszForwarder)
+                SUPHNTIMP_ERROR(32, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+                                "ntdll: Failed to resolve forwarder '%s'.", pszForwarder);
+        }
+        else
+            *g_aSupNtImpDlls[0].paImports[i].ppfnImport = g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy;
+    /*
+     * Pointer the other imports at the early init stubs.
+     */
+    for (uint32_t iDll = 1; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
+            if (!g_aSupNtImpDlls[iDll].paImports[i].fOptional)
+                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = g_aSupNtImpDlls[iDll].paImports[i].pfnEarlyDummy;
+            else
+                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = NULL;
+}
 /**

trunk/src/VBox/HostDrivers/Support/win/import-template-ntdll.h

-              r52941
+              r52943
 SUPHARNT_IMPORT_SYSCALL(NtAllocateVirtualMemory, 24)
+SUPHARNT_IMPORT_SYSCALL(NtClearEvent, 4)
 SUPHARNT_IMPORT_SYSCALL(NtClose, 4)
+SUPHARNT_IMPORT_SYSCALL(NtCreateEvent, 20)
 SUPHARNT_IMPORT_SYSCALL(NtCreateFile, 44)
 SUPHARNT_IMPORT_SYSCALL(NtDelayExecution, 8)
 …
 SUPHARNT_IMPORT_SYSCALL(NtMapViewOfSection, 40)
 SUPHARNT_IMPORT_SYSCALL(NtOpenDirectoryObject, 12)
+SUPHARNT_IMPORT_SYSCALL(NtOpenEvent, 12)
 SUPHARNT_IMPORT_SYSCALL(NtOpenKey, 12)
 SUPHARNT_IMPORT_SYSCALL(NtOpenProcess, 16)
 …
 SUPHARNT_IMPORT_SYSCALL(NtQueryDirectoryFile, 44)
 SUPHARNT_IMPORT_SYSCALL(NtQueryDirectoryObject, 28)
+SUPHARNT_IMPORT_SYSCALL(NtQueryEvent, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQueryInformationFile, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQueryInformationProcess, 20)
 …
 SUPHARNT_IMPORT_SYSCALL(NtQueryInformationToken, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQueryObject, 20)
+SUPHARNT_IMPORT_SYSCALL(NtQuerySecurityObject, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQuerySystemInformation, 16)
-SUPHARNT_IMPORT_SYSCALL(NtQuerySecurityObject, 20)
 SUPHARNT_IMPORT_SYSCALL(NtQueryTimerResolution, 12)
 SUPHARNT_IMPORT_SYSCALL(NtQueryValueKey, 24)
 …
 SUPHARNT_IMPORT_SYSCALL(NtReadFile, 36)
 SUPHARNT_IMPORT_SYSCALL(NtReadVirtualMemory, 20)
+SUPHARNT_IMPORT_SYSCALL(NtResetEvent, 8)
 SUPHARNT_IMPORT_SYSCALL(NtResumeProcess, 4)
 SUPHARNT_IMPORT_SYSCALL(NtResumeThread, 8)
 SUPHARNT_IMPORT_SYSCALL(NtSetContextThread, 8)
+SUPHARNT_IMPORT_SYSCALL(NtSetEvent, 8)
 SUPHARNT_IMPORT_SYSCALL(NtSetInformationFile, 20)
 SUPHARNT_IMPORT_SYSCALL(NtSetInformationObject, 16)
 …
 SUPHARNT_IMPORT_SYSCALL(NtTerminateThread, 8)
 SUPHARNT_IMPORT_SYSCALL(NtUnmapViewOfSection, 8)
+SUPHARNT_IMPORT_SYSCALL(NtWaitForMultipleObjects, 20)
 SUPHARNT_IMPORT_SYSCALL(NtWaitForSingleObject, 12)
-SUPHARNT_IMPORT_SYSCALL(NtWaitForMultipleObjects, 20)
 SUPHARNT_IMPORT_SYSCALL(NtWriteFile, 36)
 SUPHARNT_IMPORT_SYSCALL(NtWriteVirtualMemory, 20)
 SUPHARNT_IMPORT_SYSCALL(NtYieldExecution, 0)
 SUPHARNT_IMPORT_STDCALL_EARLY(NtCreateSection, 28)
 SUPHARNT_IMPORT_STDCALL_EARLY(NtQueryVolumeInformationFile, 20)
 SUPHARNT_IMPORT_STDCALL_EARLY(LdrInitializeThunk, 12)
 SUPHARNT_IMPORT_STDCALL(RtlAddAccessAllowedAce, 16)
 SUPHARNT_IMPORT_STDCALL(RtlAddAccessDeniedAce, 16)
 …
 SUPHARNT_IMPORT_STDCALL_EARLY(RtlGetLastWin32Error, 0)
 SUPHARNT_IMPORT_STDCALL_EARLY(RtlGetVersion, 4)
 SUPHARNT_IMPORT_STDCALL(RtlInitializeSid, 12)
+SUPHARNT_IMPORT_STDCALL_EARLY(RtlInitializeSid, 12)
 SUPHARNT_IMPORT_STDCALL_EARLY(RtlNtStatusToDosError, 4)
 SUPHARNT_IMPORT_STDCALL_EARLY(RtlReAllocateHeap, 16)
 …
 SUPHARNT_IMPORT_STDCALL_EARLY(RtlSetLastWin32ErrorAndNtStatusFromNtStatus, 4)
 SUPHARNT_IMPORT_STDCALL_EARLY(RtlSizeHeap, 12)
 SUPHARNT_IMPORT_STDCALL(RtlSubAuthoritySid, 8)
+SUPHARNT_IMPORT_STDCALL_EARLY(RtlSubAuthoritySid, 8)

trunk/src/VBox/Runtime/r3/win/ntdll-mini-implib.def

-              r52942
+              r52943
     NtAllocateVirtualMemory               ;;= _NtAllocateVirtualMemory@24
+    NtClearEvent                          ;;= _NtClearEvent@4
     NtClose                               ;;= _NtClose@4
+    NtCreateEvent                         ;;= _NtCreateEvent@20
     NtCreateFile                          ;;= _NtCreateFile@44
     NtCreateSection                       ;;= _NtCreateSection@28
 …
     NtMapViewOfSection                    ;;= _NtMapViewOfSection@40
     NtOpenDirectoryObject                 ;;= _NtOpenDirectoryObject@12
+    NtOpenEvent                           ;;= _NtOpenEvent@12
     NtOpenKey                             ;;= _NtOpenKey@12
     NtOpenProcess                         ;;= _NtOpenProcess@16
 …
     NtQueryDirectoryFile                  ;;= _NtQueryDirectoryFile@44
     NtQueryDirectoryObject                ;;= _NtQueryDirectoryObject@28
+    NtQueryEvent                          ;;= _NtQueryEvent@20
     NtQueryInformationFile                ;;= _NtQueryInformationFile@20
     NtQueryInformationProcess             ;;= _NtQueryInformationProcess@20
 …
     NtReadFile                            ;;= _NtReadFile@36
     NtReadVirtualMemory                   ;;= _NtReadVirtualMemory@20
+    NtResetEvent                          ;;= _NtResetEvent@8
     NtResumeProcess                       ;;= _NtResumeProcess@4
     NtResumeThread                        ;;= _NtResumeThread@8
     NtSetContextThread                    ;;= _NtSetContextThread@8
+    NtSetEvent                            ;;= _NtSetEvent@8
     NtSetInformationFile                  ;;= _NtSetInformationFile@20
     NtSetInformationObject                ;;= _NtSetInformationObject@16
 …
     NtTerminateThread                     ;;= _NtTerminateThread@8
     NtUnmapViewOfSection                  ;;= _NtUnmapViewOfSection@8
+    NtWaitForMultipleObjects              ;;= _NtWaitForMultipleObjects@20
     NtWaitForSingleObject                 ;;= _NtWaitForSingleObject@12
-    NtWaitForMultipleObjects              ;;= _NtWaitForMultipleObjects@20
     NtWriteFile                           ;;= _NtWriteFile@36
     NtWriteVirtualMemory                  ;;= _NtWriteVirtualMemory@20

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette