Changeset 52973 in vbox

Timestamp:

Oct 7, 2014 12:15:09 PM (10 years ago)

Author:

vboxsync

Message:

SUP: Handle denormalized command line string pointer and always ignore LdrInitializeThunk when verify or purifying processes.

Location:

trunk/src/VBox/HostDrivers/Support/win

Files:

• SUPHardenedVerifyProcess-win.cpp (modified) (1 diff)
• SUPR3HardenedMain-win.cpp (modified) (1 diff)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -853 +853 @@
         }
 
-        if (   pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION
-            || pThis->enmKind == SUPHARDNTVPKIND_VERIFY_ONLY)
-        {
-            /* Ignore our patched LdrInitializeThunk hack. */
-            rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "LdrInitializeThunk", &uValue);
-            if (RT_FAILURE(rc))
-                return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrInitializeThunk': %Rrc", pImage->pszName, rc);
-            aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
-            aSkipAreas[cSkipAreas++].cb = 14;
-        }
+        /* Ignore our patched LdrInitializeThunk hack. */
+        rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "LdrInitializeThunk", &uValue);
+        if (RT_FAILURE(rc))
+            return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrInitializeThunk': %Rrc", pImage->pszName, rc);
+        aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
+        aSkipAreas[cSkipAreas++].cb = 14;
 
         /* LdrSystemDllInitBlock is filled in by the kernel. It mainly contains addresses of 32-bit ntdll method for wow64. */

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -5489 +5489 @@
     /*
      * Convert the arguments to UTF-8 so we can open the log file if specified.
+     * We may have to normalize the pointer on older windows version (not w7/64 +).
      * Note! This leaks memory at present.
      */
-    PUNICODE_STRING pCmdLineStr = &NtCurrentPeb()->ProcessParameters->CommandLine;
+    PRTL_USER_PROCESS_PARAMETERS pUserProcParams = NtCurrentPeb()->ProcessParameters;
+    UNICODE_STRING CmdLineStr = pUserProcParams->CommandLine;
+    if (   CmdLineStr.Buffer != NULL
+        && !(pUserProcParams->Flags & RTL_USER_PROCESS_PARAMS_FLAG_NORMALIZED) )
+        CmdLineStr.Buffer = (WCHAR *)((uintptr_t)CmdLineStr.Buffer + (uintptr_t)pUserProcParams);
     int    cArgs;
-    char **papszArgs = suplibCommandLineToArgvWStub(pCmdLineStr->Buffer, pCmdLineStr->Length / sizeof(WCHAR), &cArgs);
+    char **papszArgs = suplibCommandLineToArgvWStub(CmdLineStr.Buffer, CmdLineStr.Length / sizeof(WCHAR), &cArgs);
     supR3HardenedOpenLog(&cArgs, papszArgs);
     SUP_DPRINTF(("supR3HardenedVmProcessInit: uNtDllAddr=%p\n", uNtDllAddr));