Changeset 54560 in vbox for trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

Timestamp:

Feb 27, 2015 4:25:52 PM (10 years ago)

Author:

vboxsync

Message:

SUPHardNt: Don't get confused and throw VERR_SUP_VP_NO_FOUND_NO_EXE_MAPPING at the user just because some app happened to start us using the DOS-8.3 filename (SFN) (open(SFN) + map may also cause confusion).

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (10 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -1090 +1090 @@
 
 /**
+ * Checks whether the path could be containing alternative 8.3 names generated
+ * by NTFS, FAT, or other similar file systems.
+ *
+ * @returns Pointer to the first component that might be an 8.3 name, NULL if
+ *          not 8.3 path.
+ * @param   pwszPath        The path to check.
+ *
+ * @remarks This is making bad ASSUMPTION wrt to the naming scheme of 8.3 names,
+ *          however, non-tilde 8.3 aliases are probably rare enough to not be
+ *          worth all the extra code necessary to open each path component and
+ *          check if we've got the short name or not.
+ */
+DECLHIDDEN(PRTUTF16) supHardNtVpIsPossible8dot3Path(PCRTUTF16 pwszPath)
+{
+    PCRTUTF16 pwszName = pwszPath;
+    for (;;)
+    {
+        RTUTF16 wc = *pwszPath++;
+        if (wc == '~')
+        {
+            /* Could check more here before jumping to conclusions... */
+            if (pwszPath - pwszName <= 8+1+3)
+                return (PRTUTF16)pwszName;
+        }
+        else if (wc == '\\' || wc == '/' || wc == ':')
+            pwszName = pwszPath;
+        else if (wc == 0)
+            break;
+    }
+    return NULL;
+}
+
+
+/**
+ * Fixes up a path possibly containing one or more alternative 8-dot-3 style
+ * components.
+ *
+ * The path is fixed up in place.  Errors are ignored.
+ *
+ * @param   pUniStr     The path to fix up. MaximumLength is the max buffer
+ *                      length.
+ */
+DECLHIDDEN(void) supHardNtVpFix8dot3Path(PUNICODE_STRING pUniStr, bool fPathOnly)
+{
+    /*
+     * We could use FileNormalizedNameInformation here and slap the volume device
+     * path in front of the result, but it's only supported since windows 8.0
+     * according to some docs... So we expand all supicious names.
+     */
+    union fix8dot3tmp
+    {
+        FILE_BOTH_DIR_INFORMATION Info;
+        uint8_t abBuffer[sizeof(FILE_BOTH_DIR_INFORMATION) + 2048 * sizeof(WCHAR)];
+    } *puBuf = NULL;
+
+
+    PRTUTF16 pwszFix = pUniStr->Buffer;
+    while (*pwszFix)
+    {
+        pwszFix = supHardNtVpIsPossible8dot3Path(pwszFix);
+        if (pwszFix == NULL)
+            break;
+
+        RTUTF16 wc;
+        PRTUTF16 pwszFixEnd = pwszFix;
+        while ((wc = *pwszFixEnd) != '\0' && wc != '\\' && wc != '/')
+            pwszFixEnd++;
+        if (wc == '\0' && fPathOnly)
+            break;
+
+        if (!puBuf)
+        {
+            puBuf = (union fix8dot3tmp *)RTMemAlloc(sizeof(*puBuf));
+            if (!puBuf)
+                break;
+        }
+
+        RTUTF16 const wcSaved = *pwszFix;
+        *pwszFix = '\0';                     /* paranoia. */
+
+        UNICODE_STRING      NtDir;
+        NtDir.Buffer = pUniStr->Buffer;
+        NtDir.Length = NtDir.MaximumLength = (USHORT)((pwszFix - pUniStr->Buffer) * sizeof(WCHAR));
+
+        HANDLE              hDir  = RTNT_INVALID_HANDLE_VALUE;
+        IO_STATUS_BLOCK     Ios   = RTNT_IO_STATUS_BLOCK_INITIALIZER;
+
+        OBJECT_ATTRIBUTES   ObjAttr;
+        InitializeObjectAttributes(&ObjAttr, &NtDir, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);
+#ifdef IN_RING0
+        ObjAttr.Attributes |= OBJ_KERNEL_HANDLE;
+#endif
+
+        NTSTATUS rcNt = NtCreateFile(&hDir,
+                                     FILE_READ_DATA | SYNCHRONIZE,
+                                     &ObjAttr,
+                                     &Ios,
+                                     NULL /* Allocation Size*/,
+                                     FILE_ATTRIBUTE_NORMAL,
+                                     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                                     FILE_OPEN,
+                                     FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT,
+                                     NULL /*EaBuffer*/,
+                                     0 /*EaLength*/);
+        *pwszFix = wcSaved;
+        if (NT_SUCCESS(rcNt))
+        {
+            RT_ZERO(*puBuf);
+
+            IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
+            UNICODE_STRING  NtFilterStr;
+            NtFilterStr.Buffer = pwszFix;
+            NtFilterStr.Length = (USHORT)((uintptr_t)pwszFixEnd - (uintptr_t)pwszFix);
+            NtFilterStr.MaximumLength = NtFilterStr.Length;
+            rcNt = NtQueryDirectoryFile(hDir,
+                                        NULL /* Event */,
+                                        NULL /* ApcRoutine */,
+                                        NULL /* ApcContext */,
+                                        &Ios,
+                                        puBuf,
+                                        sizeof(*puBuf) - sizeof(WCHAR),
+                                        FileBothDirectoryInformation,
+                                        FALSE /*ReturnSingleEntry*/,
+                                        &NtFilterStr,
+                                        FALSE /*RestartScan */);
+            if (NT_SUCCESS(rcNt) && puBuf->Info.NextEntryOffset == 0) /* There shall only be one entry matching... */
+            {
+                uint32_t offName = puBuf->Info.FileNameLength / sizeof(WCHAR);
+                while (offName > 0  && puBuf->Info.FileName[offName - 1] != '\\' && puBuf->Info.FileName[offName - 1] != '/')
+                    offName--;
+                uint32_t cwcNameNew = (puBuf->Info.FileNameLength / sizeof(WCHAR)) - offName;
+                uint32_t cwcNameOld = (uint32_t)(pwszFixEnd - pwszFix);
+
+                if (cwcNameOld == cwcNameNew)
+                    memcpy(pwszFix, &puBuf->Info.FileName[offName], cwcNameNew * sizeof(WCHAR));
+                else if (   pUniStr->Length + cwcNameNew * sizeof(WCHAR) - cwcNameOld * sizeof(WCHAR) + sizeof(WCHAR)
+                         <= pUniStr->MaximumLength)
+                {
+                    size_t cwcLeft = pUniStr->Length - (pwszFixEnd - pUniStr->Buffer) * sizeof(WCHAR) + sizeof(WCHAR);
+                    memmove(&pwszFix[cwcNameNew], pwszFixEnd, cwcLeft * sizeof(WCHAR));
+                    pUniStr->Length -= (USHORT)(cwcNameOld * sizeof(WCHAR));
+                    pUniStr->Length += (USHORT)(cwcNameNew * sizeof(WCHAR));
+                    pwszFixEnd      -= cwcNameOld;
+                    pwszFixEnd      -= cwcNameNew;
+                    memcpy(pwszFix, &puBuf->Info.FileName[offName], cwcNameNew * sizeof(WCHAR));
+                }
+                /* else: ignore overflow. */
+            }
+            /* else: ignore failure. */
+
+            NtClose(hDir);
+        }
+
+        /* Advance */
+        pwszFix = pwszFixEnd;
+    }
+
+    if (puBuf)
+        RTMemFree(puBuf);
+}
+
+
+
+/**
  * Matches two UNICODE_STRING structures in a case sensitive fashion.
  *
@@ -1133 +1297 @@
  * Records an additional memory region for an image.
  *
+ * May trash pThis->abMemory.
+ *
  * @returns VBox status code.
  * @retval  VINF_OBJECT_DESTROYED if we've unmapped the image (child
@@ -1138 +1304 @@
  * @param   pThis               The process scanning state structure.
  * @param   pImage              The new image structure.  Only the unicode name
- *                              buffer is valid.
+ *                              buffer is valid (it's zero-terminated).
  * @param   pMemInfo            The memory information for the image.
  */
@@ -1144 +1310 @@
 {
     /*
+     * If the filename or path contains short names, we have to get the long
+     * path so that we will recognize the DLLs and their location.
+     */
+    PUNICODE_STRING pLongName = &pImage->Name.UniStr;
+    if (supHardNtVpIsPossible8dot3Path(pLongName->Buffer))
+    {
+        AssertCompile(sizeof(pThis->abMemory) > sizeof(pImage->Name));
+        PUNICODE_STRING pTmp = (PUNICODE_STRING)pThis->abMemory;
+        pTmp->MaximumLength = (USHORT)RT_MIN(_64K - 1, sizeof(pThis->abMemory) - sizeof(*pTmp)) - sizeof(RTUTF16);
+        pTmp->Length = pImage->Name.UniStr.Length;
+        pTmp->Buffer = (PRTUTF16)(pTmp + 1);
+        memcpy(pTmp->Buffer, pLongName->Buffer, pLongName->Length + sizeof(RTUTF16));
+
+        supHardNtVpFix8dot3Path(pTmp, false /*fPathOnly*/);
+        Assert(pTmp->Buffer[pTmp->Length / sizeof(RTUTF16)] == '\0');
+
+        pLongName = pTmp;
+    }
+
+    /*
      * Extract the final component.
      */
-    unsigned  cwcDirName   = pImage->Name.UniStr.Length / sizeof(WCHAR);
-    PCRTUTF16 pwszFilename = &pImage->Name.UniStr.Buffer[cwcDirName];
+    RTUTF16   wc;
+    unsigned  cwcDirName   = pLongName->Length / sizeof(WCHAR);
+    PCRTUTF16 pwcDirName   = &pLongName->Buffer[cwcDirName];
+    PCRTUTF16 pwszFilename = &pLongName->Buffer[cwcDirName];
     while (   cwcDirName > 0
-           && pwszFilename[-1] != '\\'
-           && pwszFilename[-1] != '/'
-           && pwszFilename[-1] != ':')
+           && (wc = pwszFilename[-1]) != '\\'
+           && wc != '/'
+           && wc != ':')
     {
         pwszFilename--;
@@ -1158 +1346 @@
     if (!*pwszFilename)
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_IMAGE_MAPPING_NAME,
-                                   "Empty filename (len=%u) for image at %p.", pImage->Name.UniStr.Length, pMemInfo->BaseAddress);
+                                   "Empty filename (len=%u) for image at %p.", pLongName->Length, pMemInfo->BaseAddress);
 
     /*
@@ -1164 +1352 @@
      */
     while (   cwcDirName > 0
-           && (   pImage->Name.UniStr.Buffer[cwcDirName - 1] == '\\'
-               || pImage->Name.UniStr.Buffer[cwcDirName - 1] == '/'))
+           && (   pLongName->Buffer[cwcDirName - 1] == '\\'
+               || pLongName->Buffer[cwcDirName - 1] == '/'))
         cwcDirName--;
 
@@ -1181 +1369 @@
             /* The directory name must match the one we've got for System32. */
             if (   (   cwcDirName * sizeof(WCHAR) != g_System32NtPath.UniStr.Length
-                    || suplibHardenedMemComp(pImage->Name.UniStr.Buffer,
-                                            g_System32NtPath.UniStr.Buffer,
-                                            cwcDirName * sizeof(WCHAR)) )
+                    || suplibHardenedMemComp(pLongName->Buffer, g_System32NtPath.UniStr.Buffer, cwcDirName * sizeof(WCHAR)) )
 # ifdef VBOX_PERMIT_MORE
                 && (   pImage->pszName[0] != 'a'
                     || pImage->pszName[1] != 'c'
-                    || !supHardViIsAppPatchDir(pImage->Name.UniStr.Buffer, pImage->Name.UniStr.Length / sizeof(WCHAR)) )
+                    || !supHardViIsAppPatchDir(pLongName->Buffer, pLongName->Length / sizeof(WCHAR)) )
 # endif
                 )
                 return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NON_SYSTEM32_DLL,
                                            "Expected %ls to be loaded from %ls.",
-                                           pImage->Name.UniStr.Buffer, g_System32NtPath.UniStr.Buffer);
+                                           pLongName->Buffer, g_System32NtPath.UniStr.Buffer);
 # ifdef VBOX_PERMIT_MORE
             if (g_uNtVerCombined < SUP_NT_VER_W70 && i >= VBOX_PERMIT_MORE_FIRST_IDX)
@@ -1228 +1414 @@
         {
             SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Unmapping image mem at %p (%p LB %#zx) - '%ls'\n",
-                         pMemInfo->AllocationBase, pMemInfo->BaseAddress, pMemInfo->RegionSize));
+                         pMemInfo->AllocationBase, pMemInfo->BaseAddress, pMemInfo->RegionSize, pwszFilename));
             NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pMemInfo->AllocationBase);
             if (NT_SUCCESS(rcNt))
@@ -1250 +1436 @@
                                 "component (or disable it) to prevent ADC from injecting itself into the VirtualBox VM processes. "
                                 "See http://www.symantec.com/connect/articles/creating-application-control-exclusions-symantec-endpoint-protection-121"
-                                , pImage->Name.UniStr.Buffer, pMemInfo->BaseAddress);
+                                , pLongName->Buffer, pMemInfo->BaseAddress);
             return pThis->rcResult = VERR_SUP_VP_SYSFER_DLL; /* Try make sure this is what the user sees first! */
         }
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NOT_KNOWN_DLL_OR_EXE,
-                                   "Unknown image file %ls at %p.", pImage->Name.UniStr.Buffer, pMemInfo->BaseAddress);
+                                   "Unknown image file %ls at %p.", pLongName->Buffer, pMemInfo->BaseAddress);
     }
 
@@ -1359 +1545 @@
  *
  * This collects the locations of DLLs and the EXE, and verifies that executable
- * memory is only associated with these.
+ * memory is only associated with these.  May trash pThis->abMemory.
  *
  * @returns VBox status code.