Changeset 52962 in vbox for trunk

Timestamp:

Oct 6, 2014 8:09:04 PM (10 years ago)

Author:

vboxsync

Message:

SUP: Check the entire NTDLL during process verification now that we're opening vboxdrv[stub] before it is initialized. check the stub process for extra threads and debugger when the VM process opens vboxdrv.

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• src/VBox/HostDrivers/Support/SUPLibInternal.h (modified) (2 diffs)
• src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp (modified) (4 diffs)
• src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (modified) (7 diffs)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (4 diffs)

trunk/include/VBox/err.h

@@ -2513 +2513 @@
 /** The image is outside the expected range. */
 #define VERR_SUP_VP_IMAGE_TOO_BIG                   (-5668)
+/** Stub process not found so it cannot be revalidated when vboxdrv is opened
+ * by the VM process. */
+#define VERR_SUP_VP_STUB_NOT_FOUND                  (-5669)
+/** Error openeing the stub process for revalidation when vboxdrv is opened by
+ *  the VM process. */
+#define VERR_SUP_VP_STUB_OPEN_ERROR                 (-5670)
+/** Stub process thread not found during revalidation upon vboxdrv opening by
+ * the VM process. */
+#define VERR_SUP_VP_STUB_THREAD_NOT_FOUND           (-5671)
+/** Error opening the stub process thread for revalidation when vboxdrv is
+ * opened by the VM process. */
+#define VERR_SUP_VP_STUB_THREAD_OPEN_ERROR          (-5672)
 
 /** @} */

trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h

@@ -450 +450 @@
 DECLHIDDEN(void)    supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr);
 DECLHIDDEN(PFNRT)   supR3HardenedWinGetRealDllSymbol(const char *pszDll, const char *pszProcedure);
-DECLHIDDEN(void)    supR3HardenedWinVerifyProcess(void);
 DECLHIDDEN(void)    supR3HardenedWinEnableThreadCreation(void);
 DECLHIDDEN(void)    supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation(const char *pszProgName);
@@ -466 +465 @@
 DECLHIDDEN(void)    supR3HardenedWinCompactHeaps(void);
 DECLHIDDEN(void)    supR3HardenedMainOpenDevice(void);
-DECLHIDDEN(void)    supR3HardenedWinReportErrorToParent(int rc, const char *pszFormat, va_list va);
+DECLHIDDEN(void)    supR3HardenedWinReportErrorToParent(const char *pszWhere, SUPINITOP enmWhat, int rc,
+                                                        const char *pszFormat, va_list va);
 #endif
 

trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp

@@ -1143 +1143 @@
     else if (   g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
              && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
-        supR3HardenedWinReportErrorToParent(rc, pszMsgFmt, va);
+        supR3HardenedWinReportErrorToParent(pszWhere, enmWhat, rc, pszMsgFmt, va);
 #endif
 
@@ -1176 +1176 @@
     if (   g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_WIN_IMPORTS_RESOLVED
         && g_enmSupR3HardenedMainState != SUPR3HARDENEDMAINSTATE_NOT_YET_CALLED)
-        supR3HardenedWinReportErrorToParent(VERR_INTERNAL_ERROR, pszFormat, va);
+        supR3HardenedWinReportErrorToParent(NULL, kSupInitOp_Invalid, VERR_INTERNAL_ERROR, pszFormat, va);
     else
 #endif
@@ -1781 +1781 @@
 #ifdef RT_OS_WINDOWS
         /*
-         * Windows: Verify the process (repeated by the kernel later).
-         */
-        if (!g_fSupEarlyProcessInit)
-            supR3HardenedWinVerifyProcess();
-
-        /*
          * Windows: The second respawn.  This time we make a special arrangement
          * with vboxdrv to monitor access to the new process from its inception.
@@ -1797 +1791 @@
         SUP_DPRINTF(("SUPR3HardenedMain: Final process, opening VBoxDrv...\n"));
         supR3HardenedWinFlushLoaderCache();
-#endif /* RT_OS_WINDOWS */
-
+
+#else
         /*
          * Open the vboxdrv device.
          */
-#ifdef RT_OS_WINDOWS
-        if (!g_fSupEarlyProcessInit)
-#endif
-            supR3HardenedMainOpenDevice();
+        supR3HardenedMainOpenDevice();
+#endif /* !RT_OS_WINDOWS */
     }
 

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -187 +187 @@
     /** The parent PID for VM processes, otherwise NULL. */
     HANDLE              hParentPid;
+    /** The TID of the thread opening VBoxDrv or VBoxDrvStub, NULL if not opened. */
+    HANDLE              hOpenTid;
     /** The PID of the CSRSS process associated with this process. */
     HANDLE              hCsrssPid;
@@ -200 +202 @@
         /** A process in the VmProcessUnconfirmed state will keep a weak
          * reference to the parent's protection structure so it can clean up the pChild
-         * refernece the parent has to it. */
+         * reference the parent has to it. */
         struct SUPDRVNTPROTECT *pParent;
     } u;
@@ -3401 +3403 @@
     pNtProtect->enmProcessKind               = enmProcessKind;
     pNtProtect->hParentPid                   = NULL;
+    pNtProtect->hOpenTid                     = NULL;
     pNtProtect->hCsrssPid                    = NULL;
     pNtProtect->pCsrssProcess                = NULL;
@@ -3502 +3505 @@
     RTSpinlockRelease(g_hNtProtectLock);
     return pFound;
+}
+
+
+/**
+ * Validates a few facts about the stub process when the VM process opens
+ * vboxdrv.
+ *
+ * This makes sure the stub process is still around and that it has neither
+ * debugger nor extra threads in it.
+ *
+ * @returns VBox status code.
+ * @param   pNtProtect          The unconfirmed VM process currently trying to
+ *                              open vboxdrv.
+ * @param   pErrInfo            Additional error information.
+ */
+static int supdrvNtProtectVerifyStubForVmProcess(PSUPDRVNTPROTECT pNtProtect, PRTERRINFO pErrInfo)
+{
+    /*
+     * Grab a reference to the parent stub process.
+     */
+    SUPDRVNTPROTECTKIND enmStub = kSupDrvNtProtectKind_Invalid;
+    PSUPDRVNTPROTECT    pNtStub = NULL;
+    RTSpinlockAcquire(g_hNtProtectLock);
+    if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
+    {
+        pNtStub = pNtProtect->u.pParent; /* weak reference. */
+        if (pNtStub)
+        {
+            enmStub = pNtStub->enmProcessKind;
+            if (enmStub == kSupDrvNtProtectKind_StubParent)
+            {
+                uint32_t cRefs = ASMAtomicIncU32(&pNtStub->cRefs);
+                Assert(cRefs > 0 && cRefs < 1024);
+            }
+            else
+                pNtStub = NULL;
+        }
+    }
+    RTSpinlockRelease(g_hNtProtectLock);
+
+    /*
+     * We require the stub process to be present.
+     */
+    if (!pNtStub)
+        return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_NOT_FOUND, "Missing stub process (enmStub=%d).", enmStub);
+
+    /*
+     * Open the parent process and thread so we can check for debuggers and unwanted threads.
+     */
+    int rc;
+    PEPROCESS pStubProcess;
+    NTSTATUS rcNt = PsLookupProcessByProcessId(pNtStub->AvlCore.Key, &pStubProcess);
+    if (NT_SUCCESS(rcNt))
+    {
+        HANDLE hStubProcess;
+        rcNt = ObOpenObjectByPointer(pStubProcess, OBJ_KERNEL_HANDLE, NULL /*PassedAccessState*/,
+                                     0 /*DesiredAccess*/, *PsProcessType, KernelMode, &hStubProcess);
+        if (NT_SUCCESS(rcNt))
+        {
+            PETHREAD pStubThread;
+            rcNt = PsLookupThreadByThreadId(pNtStub->hOpenTid, &pStubThread);
+            if (NT_SUCCESS(rcNt))
+            {
+                HANDLE hStubThread;
+                rcNt = ObOpenObjectByPointer(pStubThread, OBJ_KERNEL_HANDLE, NULL /*PassedAccessState*/,
+                                             0 /*DesiredAccess*/, *PsThreadType, KernelMode, &hStubThread);
+                if (NT_SUCCESS(rcNt))
+                {
+                    /*
+                     * Do some simple sanity checking.
+                     */
+                    rc = supHardNtVpDebugger(hStubProcess, pErrInfo);
+                    if (RT_SUCCESS(rc))
+                        rc = supHardNtVpThread(hStubProcess, hStubThread, pErrInfo);
+
+                    /* Clean up. */
+                    rcNt = NtClose(hStubThread); AssertMsg(NT_SUCCESS(rcNt), ("%#x\n", rcNt));
+                }
+                else
+                    rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_THREAD_OPEN_ERROR,
+                                       "Error opening stub thread %p (tid %p, pid %p): %#x",
+                                       pStubThread, pNtStub->hOpenTid, pNtStub->AvlCore.Key, rcNt);
+            }
+            else
+                rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_THREAD_NOT_FOUND,
+                                   "Failed to locate thread %p in %p: %#x", pNtStub->hOpenTid, pNtStub->AvlCore.Key, rcNt);
+            rcNt = NtClose(hStubProcess); AssertMsg(NT_SUCCESS(rcNt), ("%#x\n", rcNt));
+        }
+        else
+            rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_OPEN_ERROR,
+                               "Error opening stub process %p (pid %p): %#x", pStubProcess, pNtStub->AvlCore.Key, rcNt);
+        ObDereferenceObject(pStubProcess);
+    }
+    else
+        rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_NOT_FOUND,
+                           "Failed to locate stub process %p: %#x", pNtStub->AvlCore.Key, rcNt);
+
+    supdrvNtProtectRelease(pNtStub);
+    return rc;
 }
 
@@ -3698 +3800 @@
         rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY,
                                          NULL /*pcFixes*/, &ErrInfo);
+        if (RT_SUCCESS(rc) && pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)
+            rc = supdrvNtProtectVerifyStubForVmProcess(pNtProtect, &ErrInfo);
         if (RT_FAILURE(rc))
             RTLogWriteDebugger(szErr, strlen(szErr));
@@ -3705 +3809 @@
      * Upgrade and return.
      */
+    HANDLE hOpenTid = PsGetCurrentThreadId();
     RTSpinlockAcquire(g_hNtProtectLock);
 
     /* Stub process verficiation is pretty much straight forward. */
     if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
+    {
         pNtProtect->enmProcessKind = RT_SUCCESS(rc) ? kSupDrvNtProtectKind_StubSpawning : kSupDrvNtProtectKind_StubDead;
-
+        pNtProtect->hOpenTid       = hOpenTid;
+    }
     /* The VM process verification is a little bit more complicated
        because we need to drop the parent process reference as well. */
@@ -3726 +3833 @@
 
         if (RT_SUCCESS(rc))
+        {
             pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessConfirmed;
+            pNtProtect->hOpenTid       = hOpenTid;
+        }
         else
             pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -953 +953 @@
             }
 
-            /* The section bits, only child purification verifies all bits . */
-            if (   pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION
-                || (   (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
+            /* The section bits. Child purification verifies all, normal
+               verification verifies all except where the executable is
+               concerned (due to opening vboxdrv during early process init). */
+            if (   (   (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
                     && !(pThis->aSecHdrs[i].Characteristics & IMAGE_SCN_MEM_WRITE))
-                || (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)) == IMAGE_SCN_MEM_READ)
+                || (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)) == IMAGE_SCN_MEM_READ
+                || (pThis->enmKind == SUPHARDNTVPKIND_VERIFY_ONLY && pImage->fDll)
+                || pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION)
             {
                 rc = VINF_SUCCESS;

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -189 +189 @@
     /** The last status. */
     int32_t         rc;
+    /** The init operation the error relates to if message, kSupInitOp_Invalid if
+     *  not message. */
+    SUPINITOP       enmWhat;
+    /** Where if message. */
+    char            szWhere[80];
     /** Error message / path name string space. */
     char            szErrorMsg[4096];
@@ -2785 +2790 @@
 
 /**
- * Verifies the process integrity.
- */
-DECLHIDDEN(void) supR3HardenedWinVerifyProcess(void)
-{
-    RTErrInfoInitStatic(&g_ErrInfoStatic);
-    int rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(),
-                                         SUPHARDNTVPKIND_VERIFY_ONLY, NULL /*pcFixes*/, &g_ErrInfoStatic.Core);
-    if (RT_FAILURE(rc))
-        supR3HardenedFatalMsg("supR3HardenedWinVerifyProcess", kSupInitOp_Integrity, rc,
-                              "Failed to verify process integrity: %s", g_ErrInfoStatic.szMsg);
-}
-
-
-/**
  * Gets the SID of the user associated with the process.
  *
@@ -3903 +3894 @@
     /* An error occurred, report it. */
     ChildProcParams.szErrorMsg[sizeof(ChildProcParams.szErrorMsg) - 1] = '\0';
-    supR3HardenedFatalMsg("supR3HardenedWinCheckChild", kSupInitOp_Misc, ChildProcParams.rc, "%s", ChildProcParams.szErrorMsg);
+    ChildProcParams.szWhere[sizeof(ChildProcParams.szWhere) - 1] = '\0';
+    SUP_DPRINTF(("supR3HardenedWinCheckChild: rc=%d enmWhat=%d %s: %s\n",
+                 ChildProcParams.rc, ChildProcParams.enmWhat, ChildProcParams.szWhere, ChildProcParams.szErrorMsg));
+
+    if (ChildProcParams.enmWhat == kSupInitOp_Invalid)
+        supR3HardenedFatalMsg("supR3HardenedWinCheckChild", kSupInitOp_Misc, ChildProcParams.rc,
+                              "%s", ChildProcParams.szErrorMsg);
+    else
+        supR3HardenedFatalMsg(ChildProcParams.szWhere, ChildProcParams.enmWhat, ChildProcParams.rc,
+                              "%s", ChildProcParams.szErrorMsg);
 }
 
@@ -5545 +5545 @@
  * Reports an error to the parent process via the process parameter structure.
  *
+ * @param   pszWhere            Where this error occured, if fatal message. NULL
+ *                              if not message.
+ * @param   enmWhat             Which init operation went wrong if fatal
+ *                              message. kSupInitOp_Invalid if not message.
  * @param   rc                  The status code to report.
  * @param   pszFormat           The format string.
  * @param   va                  The format arguments.
  */
-DECLHIDDEN(void) supR3HardenedWinReportErrorToParent(int rc, const char *pszFormat, va_list va)
-{
+DECLHIDDEN(void) supR3HardenedWinReportErrorToParent(const char *pszWhere, SUPINITOP enmWhat, int rc,
+                                                     const char *pszFormat, va_list va)
+{
+    if (pszWhere)
+        RTStrCopy(g_ProcParams.szWhere, sizeof(g_ProcParams.szWhere), pszWhere);
+    else
+        g_ProcParams.szWhere[0] = '\0';
     RTStrPrintfV(g_ProcParams.szErrorMsg, sizeof(g_ProcParams.szErrorMsg), pszFormat, va);
-    g_ProcParams.rc = RT_SUCCESS(rc) ? VERR_INTERNAL_ERROR_2 : rc;
+    g_ProcParams.enmWhat = enmWhat;
+    g_ProcParams.rc      = RT_SUCCESS(rc) ? VERR_INTERNAL_ERROR_2 : rc;
 
     NTSTATUS rcNt = NtSetEvent(g_ProcParams.hEvtParent, NULL);