Changeset 57303 in vbox for trunk/src/VBox/HostDrivers/Support
- Timestamp:
- Aug 13, 2015 12:31:23 AM (10 years ago)
- svn:sync-xref-src-repo-rev:
- 102065
- File:
-
- 1 edited
trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp
r57201 r57303 207 207 /** The kind of process we're protecting. */ 208 208 SUPDRVNTPROTECTKIND volatile enmProcessKind; 209 /** Whether this structure is in the tree. */ 210 bool fInTree : 1; 209 211 /** 7,: Hack to allow the supid themes service duplicate handle privileges to 210 212 * our process. */ … … 2938 2940 if (fSuccess) 2939 2941 { 2942 pNtChild->fInTree = true; 2940 2943 pNtParent->u.pChild = pNtChild; /* Parent keeps the initial reference. */ 2941 2944 pNtParent->enmProcessKind = kSupDrvNtProtectKind_StubParent; … … 3268 3271 else 3269 3272 { 3273 ACCESS_MASK const fDesiredAccess = pOpInfo->Parameters->CreateHandleInformation.DesiredAccess; 3274 3270 3275 /* Special case 1 on Vista, 7 & 8: 3271 3276 The CreateProcess code passes the handle over to CSRSS.EXE … … 3284 3289 { 3285 3290 if ( !pOpInfo->KernelHandle 3286 && pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)3291 && fDesiredAccess == s_fCsrssStupidDesires) 3287 3292 { 3288 3293 if (g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3)) … … 3313 3318 { 3314 3319 pNtProtect->fCsrssFirstProcessCreateHandle = false; 3315 if ( pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)3320 if (fDesiredAccess == s_fCsrssStupidDesires) 3316 3321 { 3317 3322 /* Not needed: PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, … … 3333 3338 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0) 3334 3339 && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2) 3335 && pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == 0x1478 /* 6.1.7600.16385 (win7_rtm.090713-1255) */3340 && fDesiredAccess == 0x1478 /* 6.1.7600.16385 (win7_rtm.090713-1255) */ 3336 3341 && pNtProtect->fThemesFirstProcessCreateHandle 3337 3342 && pOpInfo->KernelHandle == 0 … … 3344 3349 } 3345 3350 3351 /* Special case 6a, Windows 10+: AudioDG.exe opens the process with the 3352 PROCESS_SET_LIMITED_INFORMATION right. 
It seems like it need it for 3353 some myserious and weirdly placed cpu set management of our process. 3354 I'd love to understand what that's all about... 3355 Currently playing safe and only grand this right, however limited, to 3356 audiodg.exe. */ 3357 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0) 3358 && ( fDesiredAccess == PROCESS_SET_LIMITED_INFORMATION 3359 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* expected fix #1 */ 3360 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION) /* expected fix #2 */ 3361 ) 3362 && pOpInfo->KernelHandle == 0 3363 && ExGetPreviousMode() == UserMode 3364 && supdrvNtProtectIsSystem32ProcessMatch(PsGetCurrentProcess(), "audiodg.exe") ) 3365 { 3366 fAllowedRights |= PROCESS_SET_LIMITED_INFORMATION; 3367 pOpInfo->CallContext = NULL; /* don't assert this. */ 3368 } 3369 3346 3370 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p wants %#x to %p/pid=%04zx [%d], allow %#x => %#x; %s [prev=%#x]\n", 3347 3371 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(), 3348 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess, 3349 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights, 3350 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess & fAllowedRights, 3372 fDesiredAccess, pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, 3373 fAllowedRights, fDesiredAccess & fAllowedRights, 3351 3374 PsGetProcessImageFileName(PsGetCurrentProcess()), ExGetPreviousMode() )); 3352 3375 … … 3373 3396 else 3374 3397 { 3398 ACCESS_MASK const fDesiredAccess = pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess; 3399 3375 3400 /* Special case 5 on Vista, 7 & 8: 3376 3401 This is the CSRSS.EXE end of special case #1. 
*/ … … 3379 3404 && pNtProtect->cCsrssFirstProcessDuplicateHandle > 0 3380 3405 && pOpInfo->KernelHandle == 0 3381 && pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess == s_fCsrssStupidDesires3406 && fDesiredAccess == s_fCsrssStupidDesires 3382 3407 && pNtProtect->hParentPid 3383 3408 == PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess) … … 3399 3424 } 3400 3425 3426 /* Special case 6b, Windows 10+: AudioDG.exe duplicates the handle it opened above. */ 3427 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0) 3428 && ( fDesiredAccess == PROCESS_SET_LIMITED_INFORMATION 3429 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* expected fix #1 */ 3430 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION) /* expected fix #2 */ 3431 ) 3432 && pOpInfo->KernelHandle == 0 3433 && ExGetPreviousMode() == UserMode 3434 && supdrvNtProtectIsSystem32ProcessMatch(PsGetCurrentProcess(), "audiodg.exe") ) 3435 { 3436 fAllowedRights |= PROCESS_SET_LIMITED_INFORMATION; 3437 pOpInfo->CallContext = NULL; /* don't assert this. */ 3438 } 3439 3401 3440 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] %s\n", 3402 3441 pOpInfo->KernelHandle ? 
"k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(), … … 3404 3443 PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess), 3405 3444 pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess, 3406 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,3445 fDesiredAccess, 3407 3446 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, 3408 3447 PsGetProcessImageFileName(PsGetCurrentProcess()) )); … … 3685 3724 RTSpinlockAcquire(g_hNtProtectLock); 3686 3725 bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtProtect->AvlCore); 3726 pNtProtect->fInTree = fSuccess; 3687 3727 RTSpinlockRelease(g_hNtProtectLock); 3688 3728 … … 3725 3765 */ 3726 3766 ASMAtomicWriteU32(&pNtProtect->u32Magic, SUPDRVNTPROTECT_MAGIC_DEAD); 3727 PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key); 3728 3729 PSUPDRVNTPROTECT pRemovedChild = NULL; 3767 if (pNtProtect->fInTree) 3768 { 3769 PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key); 3770 Assert(pRemoved == pNtProtect); 3771 pNtProtect->fInTree = false; 3772 } 3773 3730 3774 PSUPDRVNTPROTECT pChild = NULL; 3731 3775 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent) … … 3739 3783 uint32_t cChildRefs = ASMAtomicDecU32(&pChild->cRefs); 3740 3784 if (!cChildRefs) 3741 pRemovedChild = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pChild->AvlCore.Key); 3785 { 3786 Assert(pChild->fInTree); 3787 if (pChild->fInTree) 3788 { 3789 PSUPDRVNTPROTECT pRemovedChild = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pChild->AvlCore.Key); 3790 Assert(pRemovedChild == pChild); 3791 pChild->fInTree = false; 3792 } 3793 } 3742 3794 else 3743 3795 pChild = NULL; … … 3748 3800 3749 3801 RTSpinlockRelease(g_hNtProtectLock); 3750 Assert(pRemoved == pNtProtect);3751 Assert(pRemovedChild == pChild);3752 3802 3753 3803 if (pNtProtect->pCsrssProcess) … … 3977 4027 
little overly paranoid as I think we can safely trust the 3978 4028 system process... */ 3979 if ( cSystemProcessHandles < (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3) ? 2 : 1)4029 if ( cSystemProcessHandles < (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3) ? UINT32_C(2) : UINT32_C(1)) 3980 4030 && pHandleInfo->UniqueProcessId == PsGetProcessId(PsInitialSystemProcess)) 3981 4031 {
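Review bot: The new special case 6b in the duplicate-handle path grants PROCESS_SET_LIMITED_INFORMATION on the strength of the caller's image path and an exact access mask alone, whereas the neighbouring special case 5 additionally pins the source process via `pNtProtect->hParentPid`; nothing in 6b ties the operation to audiodg.exe's own handle table, so a duplicate from or into a different process by that caller would be permitted with the same right. If the observed audiodg.exe behaviour really is a self-duplicate as the comment says, consider tightening the condition with `&& (PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess == PsGetCurrentProcess()` and `&& (PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == PsGetCurrentProcess()` so the grant stays as narrow as the intent. The three-way mask comparison and the audiodg.exe match are copied verbatim between 6a and 6b; a small static helper taking the mask and `pOpInfo->KernelHandle` would keep the two in sync when the "expected fix" variants are revised. It may also be worth stating in the comment that the match is by system32 image path only, not by code signature or protection level, since that is the whole trust boundary here. The enclosing callback starts and ends outside the hunk.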