Changeset 53017 in vbox for trunk

Timestamp:

Oct 10, 2014 1:44:08 AM (10 years ago)

Author:

vboxsync

Message:

SUP: Try to work around sakfile.sys bsod and dgmaster.sys.

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (4 diffs)
• src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (6 diffs)

trunk/include/VBox/err.h

@@ -2525 +2525 @@
  * opened by the VM process. */
 #define VERR_SUP_VP_STUB_THREAD_OPEN_ERROR          (-5672)
+/** Process Purification Failure: NtAllocateVirtualMemory failed to get us
+ * suitable replacement memory for a chunk of executable memory that
+ * shouldn't be present in our process.  (You will only see this message if you
+ * got potentially fatally buggy anti-virus software installed.) */
+#define VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED   (-5673)
 
 /** @} */

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -4063 +4063 @@
         if (RT_SUCCESS(rc))
         {
-            rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY,
+            rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY, 0 /*fFlags*/,
                                              NULL /*pcFixes*/, &ErrInfo);
             if (RT_SUCCESS(rc) && pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h

@@ -54 +54 @@
     SUPHARDNTVPKIND_32BIT_HACK = 0x7fffffff
 } SUPHARDNTVPKIND;
-DECLHIDDEN(int)     supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind,
+/** @name SUPHARDNTVP_F_XXX - Flags for supHardenedWinVerifyProcess
+ * @{ */
+/** Replace unwanted executable memory allocations with a new one that's filled
+ * with zeros (default is just to free it).
+ *
+ * This is one way we attempt to work around buggy protection software that
+ * either result in host BSOD or VBox application malfunction.  Here the current
+ * shit list:
+ *  - Trend Micro's data protection software includes a buggy driver called
+ *    sakfile.sys that has been observed crashing accessing user memory that we
+ *    probably freed.  I'd love to report this to Trend Micro, but unfortunately
+ *    they doesn't advertise (or have?) an email address for reporting security
+ *    vulnerabilities in the their software.  Having wasted time looking and not
+ *    very sorry for having to disclosing the bug here.
+ *  - Maybe one more.
+ */
+#define SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO          RT_BIT_32(0)
+/** @} */
+DECLHIDDEN(int)     supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags,
                                                 uint32_t *pcFixes, PRTERRINFO pErrInfo);
 DECLHIDDEN(int)     supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo);

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -129 +129 @@
     /** Type of verification to perform. */
     SUPHARDNTVPKIND         enmKind;
+    /** Combination of SUPHARDNTVP_F_XXX. */
+    uint32_t                fFlags;
     /** The result. */
     int                     rcResult;
@@ -1500 +1502 @@
                                             "NtFreeVirtualMemory (%p LB %#zx) failed: %#x",
                                             MemInfo.BaseAddress, MemInfo.RegionSize, rcNt);
+                    /* The Trend Micro sakfile.sys BSOD kludge. */
+                    if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO)
+                    {
+                        pvFree = MemInfo.BaseAddress;
+                        cbFree = MemInfo.RegionSize;
+                        rcNt = NtAllocateVirtualMemory(pThis->hProcess, &pvFree, 0, &cbFree, MEM_COMMIT, PAGE_READWRITE);
+                        if (!NT_SUCCESS(rcNt))
+                            supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED,
+                                                "NtAllocateVirtualMemory (%p LB %#zx) failed with rcNt=%#x allocating "
+                                                "replacement memory for working around buggy protection software. "
+                                                "See VBoxStartup.log for more details",
+                                                MemInfo.BaseAddress, MemInfo.RegionSize, rcNt);
+                        if (pvFree != MemInfo.BaseAddress)
+                            supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED,
+                                                "We wanted NtAllocateVirtualMemory to get us %p LB %#zx, but it returned %p LB %#zx.",
+                                                MemInfo.BaseAddress, MemInfo.RegionSize, pvFree, cbFree, rcNt);
+                    }
                 }
                 /*
@@ -2124 +2143 @@
  * @param   hThread             A thread in the process (the caller).
  * @param   enmKind             The kind of process verification to perform.
+ * @param   fFlags              Valid combination of SUPHARDNTVP_F_XXX flags.
  * @param   pErrInfo            Pointer to error info structure. Optional.
  * @param   pcFixes             Where to return the number of fixes made during
  *                              purification.  Optional.
  */
-DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind,
+DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags,
                                             uint32_t *pcFixes, PRTERRINFO pErrInfo)
 {
@@ -2152 +2172 @@
         {
             pThis->enmKind  = enmKind;
+            pThis->fFlags   = fFlags;
             pThis->rcResult = VINF_SUCCESS;
             pThis->hProcess = hProcess;

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -340 +340 @@
 /** TrendMicro OfficeScan and probably others. */
 #define SUPHARDNT_ADVERSARY_TRENDMICRO              RT_BIT_32(3)
+/** TrendMicro potentially buggy sakfile.sys. */
+#define SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE      RT_BIT_32(4)
 /** McAfee.  */
-#define SUPHARDNT_ADVERSARY_MCAFEE                  RT_BIT_32(4)
+#define SUPHARDNT_ADVERSARY_MCAFEE                  RT_BIT_32(5)
 /** Kaspersky or OEMs of it.  */
-#define SUPHARDNT_ADVERSARY_KASPERSKY               RT_BIT_32(5)
+#define SUPHARDNT_ADVERSARY_KASPERSKY               RT_BIT_32(6)
 /** Malwarebytes Anti-Malware (MBAM). */
-#define SUPHARDNT_ADVERSARY_MBAM                    RT_BIT_32(6)
+#define SUPHARDNT_ADVERSARY_MBAM                    RT_BIT_32(7)
 /** AVG Internet Security. */
-#define SUPHARDNT_ADVERSARY_AVG                     RT_BIT_32(7)
+#define SUPHARDNT_ADVERSARY_AVG                     RT_BIT_32(8)
 /** Panda Security. */
-#define SUPHARDNT_ADVERSARY_PANDA                   RT_BIT_32(8)
+#define SUPHARDNT_ADVERSARY_PANDA                   RT_BIT_32(9)
 /** Microsoft Security Essentials. */
-#define SUPHARDNT_ADVERSARY_MSE                     RT_BIT_32(9)
+#define SUPHARDNT_ADVERSARY_MSE                     RT_BIT_32(10)
 /** Comodo. */
-#define SUPHARDNT_ADVERSARY_COMODO                  RT_BIT_32(10)
+#define SUPHARDNT_ADVERSARY_COMODO                  RT_BIT_32(11)
 /** Check Point's Zone Alarm (may include Kaspersky).  */
-#define SUPHARDNT_ADVERSARY_ZONE_ALARM              RT_BIT_32(11)
+#define SUPHARDNT_ADVERSARY_ZONE_ALARM              RT_BIT_32(12)
+/** Digital guardian.  */
+#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN        RT_BIT_32(13)
 /** Unknown adversary detected while waiting on child. */
 #define SUPHARDNT_ADVERSARY_UNKNOWN                 RT_BIT_32(31)
@@ -3517 +3521 @@
         cFixes = 0;
         int rc = supHardenedWinVerifyProcess(pThis->hProcess, pThis->hThread, SUPHARDNTVPKIND_CHILD_PURIFICATION,
+                                             g_fSupAdversaries & (  SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE
+                                                                  | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN)
+                                             ? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO : 0,
                                              &cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic));
         if (RT_FAILURE(rc))
@@ -4675 +4682 @@
                 cFixes = 0;
                 rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION,
-                                                 &cFixes, NULL /*pErrInfo*/);
+                                                 0 /*fFlags*/, &cFixes, NULL /*pErrInfo*/);
                 if (RT_FAILURE(rc) || cFixes == 0)
                     break;
@@ -5102 +5109 @@
         { SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" },
 
+        { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN, "dgmaster" }, /* Not verified. */
     };
 
@@ -5140 +5148 @@
         { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmeevw.sys" },
         { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\tmciesc.sys" },
+        { SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE, L"\\SystemRoot\\System32\\drivers\\sakfile.sys" },  /* Data Loss Prevention, not officescan. */
+        { SUPHARDNT_ADVERSARY_TRENDMICRO, L"\\SystemRoot\\System32\\drivers\\sakcd.sys" },  /* Data Loss Prevention, not officescan. */
+
 
         { SUPHARDNT_ADVERSARY_MCAFEE, L"\\SystemRoot\\System32\\drivers\\cfwids.sys" },
@@ -5211 +5222 @@
         { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\drivers\\vsdatant.sys" },
         { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\AntiTheftCredentialProvider.dll" },
+
+        { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN, L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" },
     };