- Timestamp:
- Oct 10, 2014 9:58:30 AM (10 years ago)
- Location:
- trunk/src/VBox/HostDrivers/Support/win
- Files:
-
- 3 edited
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
r53017 r53021 57 57 * @{ */ 58 58 /** Replace unwanted executable memory allocations with a new one that's filled 59 * with zeros(default is just to free it).59 * with a safe read-write copy (default is just to free it). 60 60 * 61 61 * This is one way we attempt to work around buggy protection software that … … 70 70 * - Maybe one more. 71 71 */ 72 #define SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ ZERORT_BIT_32(0)72 #define SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW RT_BIT_32(0) 73 73 /** @} */ 74 74 DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags, -
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
r53018 r53021 1493 1493 if (MemInfo.Type == MEM_PRIVATE) 1494 1494 { 1495 SUP_DPRINTF((pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO1496 ? "supHardNtVpScanVirtualMemory: Replacing exec mem at %p (%p LB %#zx)\n"1497 : "supHardNtVpScanVirtualMemory: Freeing exec mem at %p (%p LB %#zx)\n",1498 uPtrWhere, MemInfo.BaseAddress, MemInfo.RegionSize));1499 1495 PVOID pvFree = MemInfo.BaseAddress; 1500 1496 SIZE_T cbFree = MemInfo.RegionSize; 1501 rcNt = NtFreeVirtualMemory(pThis->hProcess, &pvFree, &cbFree, MEM_RELEASE); 1502 if (!NT_SUCCESS(rcNt)) 1503 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, 1504 "NtFreeVirtualMemory (%p LB %#zx) failed: %#x", 1505 MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); 1506 /* The Trend Micro sakfile.sys BSOD kludge. */ 1507 if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ZERO) 1497 if (!(pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW)) 1508 1498 { 1509 pvFree = MemInfo.BaseAddress; 1510 cbFree = MemInfo.RegionSize; 1511 rcNt = NtAllocateVirtualMemory(pThis->hProcess, &pvFree, 0, &cbFree, MEM_COMMIT, PAGE_READWRITE); 1499 SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Freeing exec mem at %p (%p LB %#zx)\n", 1500 uPtrWhere, MemInfo.BaseAddress, MemInfo.RegionSize)); 1501 1502 rcNt = NtFreeVirtualMemory(pThis->hProcess, &pvFree, &cbFree, MEM_RELEASE); 1512 1503 if (!NT_SUCCESS(rcNt)) 1513 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, 1514 "NtAllocateVirtualMemory (%p LB %#zx) failed with rcNt=%#x allocating " 1515 "replacement memory for working around buggy protection software. 
" 1516 "See VBoxStartup.log for more details", 1504 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, 1505 "NtFreeVirtualMemory (%p LB %#zx) failed: %#x", 1517 1506 MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); 1518 if (pvFree != MemInfo.BaseAddress) 1519 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, 1520 "We wanted NtAllocateVirtualMemory to get us %p LB %#zx, but it returned %p LB %#zx.", 1521 MemInfo.BaseAddress, MemInfo.RegionSize, pvFree, cbFree, rcNt); 1507 } 1508 else 1509 { 1510 /* The Trend Micro sakfile.sys and Digital Guardian dgmaster.sys BSOD kludge. */ 1511 SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Replacing exec mem at %p (%p LB %#zx)\n", 1512 uPtrWhere, MemInfo.BaseAddress, MemInfo.RegionSize)); 1513 void *pvCopy = RTMemAllocZ(cbFree); 1514 if (pvCopy) 1515 { 1516 rcNt = supHardNtVpReadMem(pThis->hProcess, (uintptr_t)pvFree, pvCopy, cbFree); 1517 if (!NT_SUCCESS(rcNt)) 1518 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, 1519 "Error reading data from original alloc: %#x (%p LB %#zx)", 1520 rcNt, MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); 1521 1522 rcNt = NtFreeVirtualMemory(pThis->hProcess, &pvFree, &cbFree, MEM_RELEASE); 1523 if (NT_SUCCESS(rcNt)) 1524 { 1525 pvFree = MemInfo.BaseAddress; 1526 cbFree = MemInfo.RegionSize; 1527 rcNt = NtAllocateVirtualMemory(pThis->hProcess, &pvFree, 0, &cbFree, MEM_COMMIT, PAGE_READWRITE); 1528 if (!NT_SUCCESS(rcNt)) 1529 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, 1530 "NtAllocateVirtualMemory (%p LB %#zx) failed with rcNt=%#x allocating " 1531 "replacement memory for working around buggy protection software. 
" 1532 "See VBoxStartup.log for more details", 1533 MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); 1534 else if (pvFree != MemInfo.BaseAddress) 1535 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, 1536 "We wanted NtAllocateVirtualMemory to get us %p LB %#zx, but it returned %p LB %#zx.", 1537 MemInfo.BaseAddress, MemInfo.RegionSize, pvFree, cbFree, rcNt); 1538 else 1539 { 1540 SIZE_T cbWritten; 1541 rcNt = NtWriteVirtualMemory(pThis->hProcess, MemInfo.BaseAddress, pvCopy, MemInfo.RegionSize, 1542 &cbWritten); 1543 if (!NT_SUCCESS(rcNt)) 1544 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, 1545 "NtWriteVirtualMemory (%p LB %#zx) failed: %#x", 1546 MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); 1547 } 1548 } 1549 else 1550 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, 1551 "NtFreeVirtualMemory (%p LB %#zx) failed: %#x", 1552 MemInfo.BaseAddress, MemInfo.RegionSize, rcNt); 1553 RTMemFree(pvCopy); 1554 } 1555 else 1556 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, 1557 "RTMemAllocZ(%#zx) failed", MemInfo.RegionSize); 1522 1558 } 1523 1559 } -
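Review bot: The NtWriteVirtualMemory and RTMemAllocZ failure branches in the new replace path report `VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED` although nothing is being freed at those points, which will mislead anyone triaging a hardening failure from the log; `VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED`, already used by the neighbouring allocate and read branches, fits both. `cbWritten` is also never compared with the requested size, so a short write passes silently; `if (!NT_SUCCESS(rcNt) || cbWritten != MemInfo.RegionSize)` would catch it. Since the bytes written back come from an executable allocation the scanner did not expect, I would add a comment above the `NtAllocateVirtualMemory` call such as `/* Content is copied from an unverified region; the replacement must stay PAGE_READWRITE and never become executable. */`. The enclosing function starts and ends outside this hunk, so how a failed `supHardNtVpReadMem` is treated further up cannot be confirmed from here.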
trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
r53017 r53021 3523 3523 g_fSupAdversaries & ( SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE 3524 3524 | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN) 3525 ? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_ ZERO: 0,3525 ? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW : 0, 3526 3526 &cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic)); 3527 3527 if (RT_FAILURE(rc))