Changeset 53005 in vbox

Timestamp:

Oct 9, 2014 1:26:07 AM (10 years ago)

Author:

vboxsync

Message:

SUP: Short list of microsoft files that when found not to be signed in any way are most likely modified rather actually seriously unsigned.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (1 diff)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -2486 +2486 @@
         NtClose(hFileClose);
 
+    /*
+     * DLLs that are likely candidates for local modifications.
+     */
+    if (rc == VERR_LDRVI_NOT_SIGNED)
+    {
+        PCRTUTF16 pwsz;
+        uint32_t cwcName = (uint32_t)RTUtf16Len(pwszName);
+        uint32_t cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR);
+        if (supHardViUtf16PathStartsWithEx(pwszName, cwcName, g_System32NtPath.UniStr.Buffer, cwcOther, true /*fCheckSlash*/))
+        {
+            pwsz = pwszName + cwcOther + 1;
+            if (   supHardViUtf16PathIsEqual(pwsz, "uxtheme.dll")
+                || supHardViUtf16PathIsEqual(pwsz, "user32.dll")
+                || supHardViUtf16PathIsEqual(pwsz, "gdi32.dll")
+                || supHardViUtf16PathIsEqual(pwsz, "kernel32.dll")
+                || supHardViUtf16PathIsEqual(pwsz, "KernelBase.dll")
+                || supHardViUtf16PathIsEqual(pwsz, "ntdll.dll")
+                || supHardViUtf16PathIsEqual(pwsz, "opengl32.dll")
+                )
+            {
+                if (RTErrInfoIsSet(pErrInfo))
+                    RTErrInfoAdd(pErrInfo, rc, "\n");
+                RTErrInfoAddF(pErrInfo, rc, "'%ls' is most likely modified.", pwszName);
+            }
+        }
+    }
+
     return rc;
 }