Changeset 52967 in vbox

Timestamp:

Oct 6, 2014 10:18:51 PM (10 years ago)

Author:

vboxsync

Message:

SUP: simplified the ntdll hooking / patching so we can avoid the jump table memory as it may end up where system dlls like kernel32 are supposed to be loaded (STATUS_CONFLICTING_ADDRESSES (0xc0000018) process init failure).

Location:

trunk/src/VBox/HostDrivers/Support

Files:

• SUPLibInternal.h (modified) (1 diff)
• win/NtCreateSection-template-amd64-syscall-type-1.h (deleted)
• win/NtCreateSection-template-x86-syscall-type-1.h (deleted)
• win/SUPHardenedVerifyProcess-win.cpp (modified) (2 diffs)
• win/SUPR3HardenedMain-win.cpp (modified) (20 diffs)
• win/SUPR3HardenedMainA-win.asm (modified) (2 diffs)
• win/SUPR3HardenedMainImports-win.cpp (modified) (17 diffs)

trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h

@@ -449 +449 @@
 DECLHIDDEN(void)    supR3HardenedWinInitImports(void);
 DECLHIDDEN(void)    supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr);
+DECLHIDDEN(void)    supR3HardenedWinInitSyscalls(bool fReportErrors);
 DECLHIDDEN(PFNRT)   supR3HardenedWinGetRealDllSymbol(const char *pszDll, const char *pszProcedure);
 DECLHIDDEN(void)    supR3HardenedWinEnableThreadCreation(void);

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -843 +843 @@
                 return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'NtCreateSection': %Rrc", pImage->pszName, rc);
             aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
-            aSkipAreas[cSkipAreas++].cb = 5 + (ARCH_BITS == 64);
+            aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12;
 
             /* Ignore our LdrLoadDll hack. */
@@ -850 +850 @@
                 return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrLoadDll': %Rrc", pImage->pszName, rc);
             aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
-            aSkipAreas[cSkipAreas++].cb = 5 + (ARCH_BITS == 64);
+            aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12;
         }
 

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -228 +228 @@
 /** @name Hook related variables.
  * @{ */
-/** The jump back address of the patched NtCreateSection. */
-extern "C" PFNRT            g_pfnNtCreateSectionJmpBack = NULL;
 /** Pointer to the bit of assembly code that will perform the original
  *  NtCreateSection operation. */
@@ -238 +236 @@
 /** The patched NtCreateSection bytes (for restoring). */
 static uint8_t              g_abNtCreateSectionPatch[16];
-#if 0
-/** The jump back address of the patched LdrLoadDll. */
-extern "C" PFNRT            g_pfnLdrLoadDllJmpBack = NULL;
-#endif
 /** Pointer to the bit of assembly code that will perform the original
  *  LdrLoadDll operation. */
@@ -320 +314 @@
                                          bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,
                                          bool *pfQuietFailure);
-static void supR3HardenedWinRegisterDllNotificationCallback(void);
-static void supR3HardenedWinReInstallHooks(bool fFirst);
-
-
-#ifdef RT_ARCH_AMD64
-# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)
-# include "NtCreateSection-template-amd64-syscall-type-1.h"
-# undef SYSCALL
-#endif
-#ifdef RT_ARCH_X86
-# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)
-# include "NtCreateSection-template-x86-syscall-type-1.h"
-# undef SYSCALL
-#endif
-
-DECLASM(void) supR3HardenedEarlyProcessInitThunk(void);
+static void     supR3HardenedWinRegisterDllNotificationCallback(void);
+static void     supR3HardenedWinReInstallHooks(bool fFirst);
+DECLASM(void)   supR3HardenedEarlyProcessInitThunk(void);
 
 
@@ -1989 +1970 @@
     else
         SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
+
     supR3HardenedWinVerifyCacheProcessWvtTodos();
 
@@ -2528 +2510 @@
     //SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
 
-
-#ifdef RT_ARCH_AMD64
-    /*
-     * For 64-bit hosts we need some memory within a +/-2GB range of the
-     * actual function to be able to patch it.
-     */
-    uintptr_t uStart = RT_MAX((uintptr_t)pfnNtCreateSection, (uintptr_t)pfnLdrLoadDll);
-    size_t    cbMem  = _4K;
-    void  *pvMem = supR3HardenedWinAllocHookMemory(uStart, uStart - _2G + PAGE_SIZE, -1, cbMem);
-    if (!pvMem)
-    {
-        uintptr_t uStart = RT_MIN((uintptr_t)pfnNtCreateSection, (uintptr_t)pfnLdrLoadDll);
-        pvMem = supR3HardenedWinAllocHookMemory(uStart, uStart + _2G - PAGE_SIZE, 1, cbMem);
-        if (!pvMem)
-            supR3HardenedFatalMsg("supR3HardenedWinInstallHooks", kSupInitOp_Misc, VERR_NO_MEMORY,
-                                  "Failed to allocate memory within the +/-2GB range from NTDLL.\n");
-    }
-    uintptr_t *puJmpTab = (uintptr_t *)pvMem;
-#endif
+    /*
+     * Exec page setup & management.
+     */
+    uint32_t offExecPage = 0;
+    memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
 
     /*
@@ -2556 +2524 @@
     g_pbNtCreateSection = pbNtCreateSection;
     memcpy(g_abNtCreateSectionPatch, pbNtCreateSection, sizeof(g_abNtCreateSectionPatch));
-/** @todo This patch could be simplified iff we had our own syscall operational
- *        from the get-go. */
+
+    g_pfnNtCreateSectionReal = NtCreateSection; /* our direct syscall */
 
 #ifdef RT_ARCH_AMD64
@@ -2563 +2531 @@
      * Patch 64-bit hosts.
      */
-    PFNRT       pfnCallReal = NULL;
-    uint8_t     offJmpBack  = UINT8_MAX;
-
     /* Pattern #1: XP64/W2K3-64 thru Windows 8.1
        0:000> u ntdll!NtCreateSection
@@ -2575 +2540 @@
        00000000`779f175b 0f1f440000      nop     dword ptr [rax+rax]
        The variant is the value loaded into eax: W2K3=??, Vista=47h?, W7=47h, W80=48h, W81=49h */
-    if (   pbNtCreateSection[ 0] == 0x4c /* mov r10, rcx */
-        && pbNtCreateSection[ 1] == 0x8b
-        && pbNtCreateSection[ 2] == 0xd1
-        && pbNtCreateSection[ 3] == 0xb8 /* mov eax, 000000xxh */
-        && pbNtCreateSection[ 5] == 0x00
-        && pbNtCreateSection[ 6] == 0x00
-        && pbNtCreateSection[ 7] == 0x00
-        && pbNtCreateSection[ 8] == 0x0f /* syscall */
-        && pbNtCreateSection[ 9] == 0x05
-        && pbNtCreateSection[10] == 0xc3 /* ret */
-       )
-    {
-        offJmpBack = 8; /* the 3rd instruction (syscall). */
-        switch (pbNtCreateSection[4])
-        {
-# define SYSCALL(a_Num) case a_Num: pfnCallReal = RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num); break;
-# include "NtCreateSection-template-amd64-syscall-type-1.h"
-# undef SYSCALL
-        }
-    }
-    if (!pfnCallReal)
-        supR3HardenedWinHookFailed("NtCreateSection", pbNtCreateSection);
-
-    g_pfnNtCreateSectionJmpBack         = (PFNRT)(uintptr_t)(pbNtCreateSection + offJmpBack);
-    *(PFNRT *)&g_pfnNtCreateSectionReal = pfnCallReal;
 
     /* Assemble the patch. */
-    g_abNtCreateSectionPatch[0] = 0xff;
-    g_abNtCreateSectionPatch[1] = 0x25;
-    *(uint32_t *)&g_abNtCreateSectionPatch[2] = (uint32_t)((uintptr_t)puJmpTab - (uintptr_t)&pbNtCreateSection[2+4]);
-
-    *puJmpTab = (uintptr_t)supR3HardenedMonitor_NtCreateSection;
-    puJmpTab++;
+    g_abNtCreateSectionPatch[0]  = 0x48; /* mov rax, qword */
+    g_abNtCreateSectionPatch[1]  = 0xb8;
+    *(uint64_t *)&g_abNtCreateSectionPatch[2] = (uint64_t)supR3HardenedMonitor_NtCreateSection;
+    g_abNtCreateSectionPatch[10] = 0xff; /* jmp rax */
+    g_abNtCreateSectionPatch[11] = 0xe0;
 
 #else
@@ -2613 +2552 @@
      * Patch 32-bit hosts.
      */
-    PFNRT       pfnCallReal = NULL;
-    uint8_t     offJmpBack  = UINT8_MAX;
-
     /* Pattern #1: XP thru Windows 7
             kd> u ntdll!NtCreateSection
@@ -2635 +2571 @@
             6a15eacb 0f34            sysenter
             6a15eacd c3              ret
-       The variable bit is the value loaded into eax: W81=154h
-       Note! One nice thing here is that we can share code pattern #1.  */
-
-    if (   pbNtCreateSection[ 0] == 0xb8 /* mov eax, 000000xxh*/
-        && pbNtCreateSection[ 2] <= 0x02
-        && pbNtCreateSection[ 3] == 0x00
-        && pbNtCreateSection[ 4] == 0x00
-        && (   (   pbNtCreateSection[ 5] == 0xba /* mov edx, offset SharedUserData!SystemCallStub */
-                && pbNtCreateSection[ 6] == 0x00
-                && pbNtCreateSection[ 7] == 0x03
-                && pbNtCreateSection[ 8] == 0xfe
-                && pbNtCreateSection[ 9] == 0x7f
-                && pbNtCreateSection[10] == 0xff /* call [edx] */
-                && pbNtCreateSection[11] == 0x12
-                && pbNtCreateSection[12] == 0xc2 /* ret 1ch */
-                && pbNtCreateSection[13] == 0x1c
-                && pbNtCreateSection[14] == 0x00)
-
-            || (   pbNtCreateSection[ 5] == 0xe8 /* call [$+3] */
-                && RT_ABS(*(int32_t *)&pbNtCreateSection[6]) < 0x10
-                && pbNtCreateSection[10] == 0xc2 /* ret 1ch */
-                && pbNtCreateSection[11] == 0x1c
-                && pbNtCreateSection[12] == 0x00 )
-          )
-       )
-    {
-        offJmpBack = 5; /* the 2nd instruction. */
-        switch (*(uint32_t const *)&pbNtCreateSection[1])
-        {
-# define SYSCALL(a_Num) case a_Num: pfnCallReal = RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num); break;
-# include "NtCreateSection-template-x86-syscall-type-1.h"
-# undef SYSCALL
-        }
-    }
-    if (!pfnCallReal)
-        supR3HardenedWinHookFailed("NtCreateSection", pbNtCreateSection);
-
-    g_pfnNtCreateSectionJmpBack         = (PFNRT)(uintptr_t)(pbNtCreateSection + offJmpBack);
-    *(PFNRT *)&g_pfnNtCreateSectionReal = pfnCallReal;
+       The variable bit is the value loaded into eax: W81=154h */
 
     /* Assemble the patch. */
-    g_abNtCreateSectionPatch[0] = 0xe9;
+    g_abNtCreateSectionPatch[0] = 0xe9;  /* jmp rel32 */
     *(uint32_t *)&g_abNtCreateSectionPatch[1] = (uintptr_t)supR3HardenedMonitor_NtCreateSection
                                               - (uintptr_t)&pbNtCreateSection[1+4];
+
 #endif
-
-    /*
-     * Exec page setup & management.
-     */
-    uint32_t offExecPage = 0;
-    memset(g_abSupHardReadWriteExecPage, 0xcc, PAGE_SIZE);
 
     /*
@@ -2700 +2593 @@
     memcpy(g_abLdrLoadDllPatch, pbLdrLoadDll, sizeof(g_abLdrLoadDllPatch));
 
-#ifdef RT_ARCH_AMD64
-    /*
-     * Patch 64-bit hosts.
-     */
-    /* Just use the disassembler to skip 6 bytes or more. */
     DISSTATE Dis;
     uint32_t cbInstr;
-    offJmpBack = 0;
-    while (offJmpBack < 6)
+    uint32_t offJmpBack = 0;
+
+#ifdef RT_ARCH_AMD64
+    /*
+     * Patch 64-bit hosts.
+     */
+    /* Just use the disassembler to skip 12 bytes or more. */
+    while (offJmpBack < 12)
     {
         cbInstr = 1;
@@ -2733 +2627 @@
 
     /* Assemble the LdrLoadDll patch. */
-    Assert(offJmpBack >= 6);
-    g_abLdrLoadDllPatch[0] = 0xff;
-    g_abLdrLoadDllPatch[1] = 0x25;
-    *(uint32_t *)&g_abLdrLoadDllPatch[2] = (uint32_t)((uintptr_t)puJmpTab - (uintptr_t)&pbLdrLoadDll[2+4]);
-
-    *puJmpTab = (uintptr_t)supR3HardenedMonitor_LdrLoadDll;
-    puJmpTab++;
+    Assert(offJmpBack >= 12);
+    g_abLdrLoadDllPatch[0]  = 0x48; /* mov rax, qword */
+    g_abLdrLoadDllPatch[1]  = 0xb8;
+    *(uint64_t *)&g_abLdrLoadDllPatch[2] = (uint64_t)supR3HardenedMonitor_LdrLoadDll;
+    g_abLdrLoadDllPatch[10] = 0xff; /* jmp rax */
+    g_abLdrLoadDllPatch[11] = 0xe0;
 
 #else
@@ -2745 +2638 @@
      * Patch 32-bit hosts.
      */
-    /* Just use the disassembler to skip 6 bytes or more. */
-    DISSTATE Dis;
-    uint32_t cbInstr;
-    offJmpBack = 0;
+    /* Just use the disassembler to skip 5 bytes or more. */
     while (offJmpBack < 5)
     {
@@ -2765 +2655 @@
     offExecPage += offJmpBack;
 
-    g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9;
+    g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
     *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbLdrLoadDll[offJmpBack]
                                                             - (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
@@ -3524 +3414 @@
     }
 
+#if 0
     /*
      * Map kernel32.dll and kernelbase.dll (if applicable) into the process.
@@ -3536 +3427 @@
                        ? supR3HardNtPuChMapDllIntoChild(pThis, &NtName3, "KernelBase.dll")
                        : NULL;
+#endif
 
     /*
@@ -3543 +3435 @@
     uint64_t uMsTsStart = supR3HardenedWinGetMilliTS();
     uint32_t cMsKludge = (g_fSupAdversaries & SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT) ? 256 : g_fSupAdversaries ? 64 : 16;
+cMsKludge = 1024;
     do
     {
@@ -3553 +3446 @@
                  supR3HardenedWinGetMilliTS() - uMsTsStart));
 
+#if 0
     /*
      * Unmap the image we mapped into the guest above.
@@ -3560 +3454 @@
     supR3HardNtPuChUnmapDllFromChild(pThis, pvNtDll2, "ntdll.dll[2nd]");
     supR3HardNtPuChUnmapDllFromChild(pThis, pvExe2, "executable[2nd]");
+#endif
 
     /*
@@ -5641 +5536 @@
 
     /*
+     * Set up the direct system calls so we can more easily hook NtCreateSection.
+     */
+    supR3HardenedWinInitSyscalls(true /*fReportErrors*/);
+
+    /*
      * Determine the executable path and name.  Will NOT determine the windows style
      * executable path here as we don't need it.

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm

@@ -32 +32 @@
 
 
-; External data.
-extern NAME(g_pfnNtCreateSectionJmpBack)
-
 ; External code.
 extern NAME(supR3HardenedEarlyProcessInit)
@@ -40 +37 @@
 
 BEGINCODE
-
-;
-; 64-bit
-;
-%ifdef RT_ARCH_AMD64
- %macro supR3HardenedJmpBack_NtCreateSection_Xxx 1
- BEGINPROC supR3HardenedJmpBack_NtCreateSection_ %+ %1
-        SEH64_END_PROLOGUE
-        ; The code we replaced.
-        mov     r10, rcx
-        mov     eax, %1
-
-        ; Jump back to the original code.
-        jmp     [NAME(g_pfnNtCreateSectionJmpBack) wrt RIP]
- ENDPROC   supR3HardenedJmpBack_NtCreateSection_ %+ %1
- %endm
- %define SYSCALL(a_Num) supR3HardenedJmpBack_NtCreateSection_Xxx a_Num
- %include "NtCreateSection-template-amd64-syscall-type-1.h"
-
-%endif
-
-
-;
-; 32-bit.
-;
-%ifdef RT_ARCH_X86
- %macro supR3HardenedJmpBack_NtCreateSection_Xxx 1
- BEGINPROC supR3HardenedJmpBack_NtCreateSection_ %+ %1
-        ; The code we replaced.
-        mov     eax, %1
-
-        ; Jump back to the original code.
-        jmp     [NAME(g_pfnNtCreateSectionJmpBack)]
- ENDPROC   supR3HardenedJmpBack_NtCreateSection_ %+ %1
- %endm
- %define SYSCALL(a_Num) supR3HardenedJmpBack_NtCreateSection_Xxx a_Num
- %include "NtCreateSection-template-x86-syscall-type-1.h"
-
-%endif
-
 
 

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainImports-win.cpp

@@ -48 +48 @@
 #define VBOX_HARDENED_STUB_WITHOUT_IMPORTS
 #ifdef VBOX_HARDENED_STUB_WITHOUT_IMPORTS
-# define SUPHNTIMP_ERROR(a_id, a_szWhere, a_enmOp, a_rc, ...) \
-    do { static const char s_szWhere[] = a_szWhere; *(char *)(uintptr_t)(a_id) += 1; __debugbreak(); } while (0)
+# define SUPHNTIMP_ERROR(a_fReportErrors, a_id, a_szWhere, a_enmOp, a_rc, ...) \
+    do { \
+        if (a_fReportErrors) supR3HardenedFatalMsg(a_szWhere, a_enmOp, a_rc, __VA_ARGS__); \
+        else { static const char s_szWhere[] = a_szWhere; *(char *)(uintptr_t)(a_id) += 1; __debugbreak(); } \
+    } while (0)
 #else
-# define SUPHNTIMP_ERROR(a_id, a_szWhere, a_enmOp, a_rc, ...) \
+# define SUPHNTIMP_ERROR(a_fReportErrors, a_id, a_szWhere, a_enmOp, a_rc, ...) \
     supR3HardenedFatalMsg(a_szWhere, a_enmOp, a_rc, __VA_ARGS__)
 
@@ -268 +271 @@
         pDll->pbImageBase = NULL; /* optional */
     else
-        SUPHNTIMP_ERROR(1, "supR3HardenedFindOrLoadModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+        SUPHNTIMP_ERROR(false, 1, "supR3HardenedFindOrLoadModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
                         "Failed to locate %ls", pDll->pwszName);
 #else
     HMODULE hmod = GetModuleHandleW(pDll->pwszName);
     if (RT_UNLIKELY(!hmod && pDll->cImports))
-        SUPHNTIMP_ERROR(1, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+        SUPHNTIMP_ERROR(true, 1, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
                         "Failed to locate %ls", pDll->pwszName);
     pDll->pbImageBase = (uint8_t *)hmod;
@@ -292 +295 @@
         offNtHdrs = pMzHdr->e_lfanew;
         if (offNtHdrs > _2K)
-            SUPHNTIMP_ERROR(2, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+            SUPHNTIMP_ERROR(false, 2, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
                             "%ls: e_lfanew=%#x, expected a lower value", pDll->pwszName, offNtHdrs);
     }
@@ -298 +301 @@
 
     if (pNtHdrs->Signature != IMAGE_NT_SIGNATURE)
-        SUPHNTIMP_ERROR(3, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 3, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Invalid PE signature: %#x", pDll->pwszName, pNtHdrs->Signature);
     if (pNtHdrs->FileHeader.SizeOfOptionalHeader != sizeof(pNtHdrs->OptionalHeader))
-        SUPHNTIMP_ERROR(4, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 4, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Unexpected optional header size: %#x", pDll->pwszName, pNtHdrs->FileHeader.SizeOfOptionalHeader);
     if (pNtHdrs->OptionalHeader.Magic != RT_CONCAT3(IMAGE_NT_OPTIONAL_HDR,ARCH_BITS,_MAGIC))
-        SUPHNTIMP_ERROR(5, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 5, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Unexpected optional header magic: %#x", pDll->pwszName, pNtHdrs->OptionalHeader.Magic);
     if (pNtHdrs->OptionalHeader.NumberOfRvaAndSizes != IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
-        SUPHNTIMP_ERROR(6, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 6, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Unexpected number of RVA and sizes: %#x", pDll->pwszName, pNtHdrs->OptionalHeader.NumberOfRvaAndSizes);
 
@@ -324 +327 @@
         || ExpDir.VirtualAddress >= pNtHdrs->OptionalHeader.SizeOfImage
         || ExpDir.VirtualAddress + ExpDir.Size > pNtHdrs->OptionalHeader.SizeOfImage)
-        SUPHNTIMP_ERROR(7, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 7, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: Missing or invalid export directory: %#lx LB %#x", pDll->pwszName, ExpDir.VirtualAddress, ExpDir.Size);
     pDll->offExportDir = ExpDir.VirtualAddress;
@@ -335 +338 @@
         || pExpDir->NumberOfNames     >= _1M
         || pExpDir->NumberOfNames     <  1)
-        SUPHNTIMP_ERROR(8, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+        SUPHNTIMP_ERROR(false, 8, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                         "%ls: NumberOfNames or/and NumberOfFunctions are outside the expected range: nof=%#x non=%#x\n",
                         pDll->pwszName, pExpDir->NumberOfFunctions, pExpDir->NumberOfNames);
@@ -344 +347 @@
         || pExpDir->AddressOfFunctions >= pNtHdrs->OptionalHeader.SizeOfImage
         || pExpDir->AddressOfFunctions + pDll->cExports * sizeof(uint32_t) > pNtHdrs->OptionalHeader.SizeOfImage)
-           SUPHNTIMP_ERROR(9, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+           SUPHNTIMP_ERROR(false, 9, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                            "%ls: Bad AddressOfFunctions: %#x\n", pDll->pwszName, pExpDir->AddressOfFunctions);
     pDll->paoffExports = (uint32_t const *)&pDll->pbImageBase[pExpDir->AddressOfFunctions];
@@ -351 +354 @@
         || pExpDir->AddressOfNames >= pNtHdrs->OptionalHeader.SizeOfImage
         || pExpDir->AddressOfNames + pExpDir->NumberOfNames * sizeof(uint32_t) > pNtHdrs->OptionalHeader.SizeOfImage)
-           SUPHNTIMP_ERROR(10, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+           SUPHNTIMP_ERROR(false, 10, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                            "%ls: Bad AddressOfNames: %#x\n", pDll->pwszName, pExpDir->AddressOfNames);
     pDll->paoffNamedExports = (uint32_t const *)&pDll->pbImageBase[pExpDir->AddressOfNames];
@@ -358 +361 @@
         || pExpDir->AddressOfNameOrdinals >= pNtHdrs->OptionalHeader.SizeOfImage
         || pExpDir->AddressOfNameOrdinals + pExpDir->NumberOfNames * sizeof(uint32_t) > pNtHdrs->OptionalHeader.SizeOfImage)
-           SUPHNTIMP_ERROR(11, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
+           SUPHNTIMP_ERROR(false, 11, "supR3HardenedParseModule", kSupInitOp_Misc, VERR_INVALID_EXE_SIGNATURE,
                            "%ls: Bad AddressOfNameOrdinals: %#x\n", pDll->pwszName, pExpDir->AddressOfNameOrdinals);
     pDll->pau16NameOrdinals = (uint16_t const *)&pDll->pbImageBase[pExpDir->AddressOfNameOrdinals];
@@ -364 +367 @@
 
 
-static const char *supR3HardenedResolveImport(PSUPHNTIMPDLL pDll, PCSUPHNTIMPFUNC pImport)
+static const char *supR3HardenedResolveImport(PSUPHNTIMPDLL pDll, PCSUPHNTIMPFUNC pImport, bool fReportErrors)
 {
     /*
@@ -376 +379 @@
         uint32_t offExpName  = pDll->paoffNamedExports[iCur];
         if (RT_UNLIKELY(offExpName < pDll->offEndSectHdrs || offExpName >= pDll->cbImage))
-            SUPHNTIMP_ERROR(12, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
+            SUPHNTIMP_ERROR(fReportErrors, 12, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
                             "%ls: Bad export name entry: %#x (iCur=%#x)", pDll->pwszName, offExpName, iCur);
 
@@ -405 +408 @@
                 return (const char *)&pDll->pbImageBase[offExport];
             }
-            SUPHNTIMP_ERROR(14, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_BAD_EXE_FORMAT,
+            SUPHNTIMP_ERROR(fReportErrors, 14, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_BAD_EXE_FORMAT,
                             "%ls: Name ordinal for '%s' is out of bounds: %#x (max %#x)",
                             pDll->pwszName, iExpOrdinal, pDll->cExports);
@@ -413 +416 @@
 
     if (!pImport->fOptional)
-        SUPHNTIMP_ERROR(15, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
+        SUPHNTIMP_ERROR(fReportErrors, 15, "supR3HardenedResolveImport", kSupInitOp_Misc, VERR_SYMBOL_NOT_FOUND,
                         "%ls: Failed to resolve '%s'.", pDll->pwszName, pImport->pszName);
     *pImport->ppfnImport = NULL;
@@ -421 +424 @@
 
 static void supR3HardenedDirectSyscall(PSUPHNTIMPDLL pDll, PCSUPHNTIMPFUNC pImport, PCSUPHNTIMPSYSCALL pSyscall,
-                                       PSUPHNTLDRCACHEENTRY pLdrEntry, uint8_t *pbBits)
+                                       PSUPHNTLDRCACHEENTRY pLdrEntry, uint8_t *pbBits, bool fReportErrors)
 {
     /*
@@ -436 +439 @@
     if (RT_FAILURE(rc))
     {
-        SUPHNTIMP_ERROR(16, "supR3HardenedDirectSyscall", kSupInitOp_Misc, rc,
+        SUPHNTIMP_ERROR(fReportErrors, 16, "supR3HardenedDirectSyscall", kSupInitOp_Misc, rc,
                         "%s: RTLdrGetSymbolEx failed on %s: %Rrc", pDll->pszName, pImport->pszName, rc);
         return;
@@ -541 +544 @@
     volatile uint8_t abCopy[16];
     memcpy((void *)&abCopy[0], pbFunction, sizeof(abCopy));
-    SUPHNTIMP_ERROR(17, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
+    SUPHNTIMP_ERROR(fReportErrors, 17, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
                     "%ls: supHardNtLdrCacheOpen failed: '%s': %.16Rhxs",
-                    g_aSupNtImpDlls[iDll].pwszName, pImport->pszName, &abCopy[0]);
+                    pDll->pwszName, pImport->pszName, &abCopy[0]);
 }
 
 
 /**
- * Resolves NtDll functions we can trust calling before process init.
- *
- * @param   uNtDllAddr          The address of the NTDLL.
- */
-DECLHIDDEN(void) supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr)
-{
-    /*
-     * NTDLL is the first entry in the list.
-     */
-    g_aSupNtImpDlls[0].pbImageBase = (uint8_t const *)uNtDllAddr;
-    supR3HardenedParseModule(&g_aSupNtImpDlls[0]);
-    for (uint32_t i = 0; i < g_aSupNtImpDlls[0].cImports; i++)
-        if (!g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy)
-        {
-            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &g_aSupNtImpDlls[0].paImports[i]);
-            if (pszForwarder)
-                SUPHNTIMP_ERROR(32, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
-                                "ntdll: Failed to resolve forwarder '%s'.", pszForwarder);
-        }
-        else
-            *g_aSupNtImpDlls[0].paImports[i].ppfnImport = g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy;
-
-    /*
-     * Pointer the other imports at the early init stubs.
-     */
-    for (uint32_t iDll = 1; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
-        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
-            if (!g_aSupNtImpDlls[iDll].paImports[i].fOptional)
-                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = g_aSupNtImpDlls[iDll].paImports[i].pfnEarlyDummy;
-            else
-                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = NULL;
-}
-
-
-/**
- * Resolves imported functions, esp. system calls from NTDLL.
- *
- * This crap is necessary because there are sandboxing products out there that
- * will mess with system calls we make, just like any other wannabe userland
- * rootkit.  Kudos to microsoft for not providing a generic system call hook API
- * in the kernel mode, which I guess is what forcing these kind of products to
- * do ugly userland hacks that doesn't really hold water.
- */
-DECLHIDDEN(void) supR3HardenedWinInitImports(void)
-{
-    /*
-     * Find the DLLs we will be needing first (forwarders).
-     */
-    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
-    {
-        supR3HardenedFindOrLoadModule(&g_aSupNtImpDlls[iDll]);
-        if (g_aSupNtImpDlls[iDll].pbImageBase)
-            supR3HardenedParseModule(&g_aSupNtImpDlls[iDll]);
-    }
-
-    /*
-     * Resolve the functions.
-     */
-    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
-        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
-        {
-            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[iDll], &g_aSupNtImpDlls[iDll].paImports[i]);
-            if (pszForwarder)
-            {
-                const char *pszDot = strchr(pszForwarder, '.');
-                size_t  cchDllName = pszDot - pszForwarder;
-                SUPHNTIMPFUNC  Tmp = g_aSupNtImpDlls[iDll].paImports[i];
-                Tmp.pszName = pszDot + 1;
-                if (cchDllName == sizeof("ntdll") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("ntdll")) == 0)
-                    supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &Tmp);
-                else if (cchDllName == sizeof("kernelbase") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("kernelbase")) == 0)
-                    supR3HardenedResolveImport(&g_aSupNtImpDlls[1], &Tmp);
-                else
-                    SUPHNTIMP_ERROR(18, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
-                                    "%ls: Failed to resolve forwarder '%s'.", g_aSupNtImpDlls[iDll].pwszName, pszForwarder);
-            }
-        }
-
-    /*
-     * Check out system calls and try do them directly if we can.
-     * In order to do this though, we need to access the DLL on disk as we
-     * cannot trust the memory content to be unpatched.
-     *
-     * Note! It's too early to validate any signatures.
-     */
+ * Check out system calls and do the directly instead of via NtDll.
+ *
+ * We need to have access to the on disk NTDLL.DLL file as we do not trust the
+ * stuff we find in memory.  Too early to verify signatures though.
+ *
+ * @param   fReportErrors       Whether we've got the machinery for reporting
+ *                              errors going already.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitSyscalls(bool fReportErrors)
+{
     for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
         if (g_aSupNtImpDlls[iDll].paSyscalls)
@@ -647 +575 @@
                     for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
                         supR3HardenedDirectSyscall(&g_aSupNtImpDlls[iDll], &g_aSupNtImpDlls[iDll].paImports[i],
-                                                   &g_aSupNtImpDlls[iDll].paSyscalls[i], pLdrEntry, pbBits);
+                                                   &g_aSupNtImpDlls[iDll].paSyscalls[i], pLdrEntry, pbBits, fReportErrors);
                 }
                 else
-                    SUPHNTIMP_ERROR(20, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
+                    SUPHNTIMP_ERROR(fReportErrors, 20, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
                                     "%ls: supHardNtLdrCacheEntryGetBits failed: %Rrc '%s'.", g_aSupNtImpDlls[iDll].pwszName, rc);
             }
             else
-                SUPHNTIMP_ERROR(21, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
+                SUPHNTIMP_ERROR(fReportErrors, 21, "supR3HardenedWinInitImports", kSupInitOp_Misc, rc,
                                 "%ls: supHardNtLdrCacheOpen failed: %Rrc '%s'.", g_aSupNtImpDlls[iDll].pwszName, rc);
         }
+}
+
+
+
+/**
+ * Resolves NtDll functions we can trust calling before process init.
+ *
+ * @param   uNtDllAddr          The address of the NTDLL.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitImportsEarly(uintptr_t uNtDllAddr)
+{
+    /*
+     * NTDLL is the first entry in the list.
+     */
+    g_aSupNtImpDlls[0].pbImageBase = (uint8_t const *)uNtDllAddr;
+    supR3HardenedParseModule(&g_aSupNtImpDlls[0]);
+    for (uint32_t i = 0; i < g_aSupNtImpDlls[0].cImports; i++)
+        if (!g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy)
+        {
+            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &g_aSupNtImpDlls[0].paImports[i], false);
+            if (pszForwarder)
+                SUPHNTIMP_ERROR(false, 32, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+                                "ntdll: Failed to resolve forwarder '%s'.", pszForwarder);
+        }
+        else
+            *g_aSupNtImpDlls[0].paImports[i].ppfnImport = g_aSupNtImpDlls[0].paImports[i].pfnEarlyDummy;
+
+    /*
+     * Pointer the other imports at the early init stubs.
+     */
+    for (uint32_t iDll = 1; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
+            if (!g_aSupNtImpDlls[iDll].paImports[i].fOptional)
+                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = g_aSupNtImpDlls[iDll].paImports[i].pfnEarlyDummy;
+            else
+                *g_aSupNtImpDlls[iDll].paImports[i].ppfnImport = NULL;
+}
+
+
+/**
+ * Resolves imported functions, esp. system calls from NTDLL.
+ *
+ * This crap is necessary because there are sandboxing products out there that
+ * will mess with system calls we make, just like any other wannabe userland
+ * rootkit.  Kudos to microsoft for not providing a generic system call hook API
+ * in the kernel mode, which I guess is what forcing these kind of products to
+ * do ugly userland hacks that doesn't really hold water.
+ */
+DECLHIDDEN(void) supR3HardenedWinInitImports(void)
+{
+    /*
+     * Find the DLLs we will be needing first (forwarders).
+     */
+    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+    {
+        supR3HardenedFindOrLoadModule(&g_aSupNtImpDlls[iDll]);
+        if (g_aSupNtImpDlls[iDll].pbImageBase)
+            supR3HardenedParseModule(&g_aSupNtImpDlls[iDll]);
+    }
+
+    /*
+     * Resolve the functions.
+     */
+    for (uint32_t iDll = 0; iDll < RT_ELEMENTS(g_aSupNtImpDlls); iDll++)
+        for (uint32_t i = 0; i < g_aSupNtImpDlls[iDll].cImports; i++)
+        {
+            const char *pszForwarder = supR3HardenedResolveImport(&g_aSupNtImpDlls[iDll], &g_aSupNtImpDlls[iDll].paImports[i],
+                                                                  false);
+            if (pszForwarder)
+            {
+                const char *pszDot = strchr(pszForwarder, '.');
+                size_t  cchDllName = pszDot - pszForwarder;
+                SUPHNTIMPFUNC  Tmp = g_aSupNtImpDlls[iDll].paImports[i];
+                Tmp.pszName = pszDot + 1;
+                if (cchDllName == sizeof("ntdll") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("ntdll")) == 0)
+                    supR3HardenedResolveImport(&g_aSupNtImpDlls[0], &Tmp, false);
+                else if (cchDllName == sizeof("kernelbase") - 1 && RTStrNICmp(pszForwarder, RT_STR_TUPLE("kernelbase")) == 0)
+                    supR3HardenedResolveImport(&g_aSupNtImpDlls[1], &Tmp, false);
+                else
+                    SUPHNTIMP_ERROR(false, 18, "supR3HardenedWinInitImports", kSupInitOp_Misc, VERR_MODULE_NOT_FOUND,
+                                    "%ls: Failed to resolve forwarder '%s'.", g_aSupNtImpDlls[iDll].pwszName, pszForwarder);
+            }
+        }
+
+    /*
+     * Do system calls directly.
+     */
+    supR3HardenedWinInitSyscalls(false);
 
     /*