Changeset 66484 in vbox
- Timestamp:
- Apr 8, 2017 5:20:26 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
trunk/include/iprt/formats/pecoff.h
r65240 r66484 544 544 #define IMAGE_SNAP_BY_ORDINAL64(ord) (!!((ord) & IMAGE_ORDINAL_FLAG64)) 545 545 /** @} */ 546 547 /** @name PE Resource directory 548 * @{ */ 549 typedef struct _IMAGE_RESOURCE_DIRECTORY 550 { 551 uint32_t Characteristics; 552 uint32_t TimeDateStamp; 553 uint16_t MajorVersion; 554 uint16_t MinorVersion; 555 uint16_t NumberOfNamedEntries; 556 uint16_t NumberOfIdEntries; 557 } IMAGE_RESOURCE_DIRECTORY; 558 typedef IMAGE_RESOURCE_DIRECTORY *PIMAGE_RESOURCE_DIRECTORY; 559 typedef IMAGE_RESOURCE_DIRECTORY const *PCIMAGE_RESOURCE_DIRECTORY; 560 561 typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY 562 { 563 union 564 { 565 struct 566 { 567 uint32_t NameOffset : 31; 568 uint32_t NameIsString : 1; /**< IMAGE_RESOURCE_NAME_IS_STRING */ 569 } s; 570 uint32_t Name; 571 uint16_t Id; 572 } u; 573 union 574 { 575 struct 576 { 577 uint32_t OffsetToDirectory : 31; 578 uint32_t DataIsDirectory : 1; /**< IMAGE_RESOURCE_DATA_IS_DIRECTORY*/ 579 } s2; 580 uint32_t OffsetToData; 581 } u2; 582 } IMAGE_RESOURCE_DIRECTORY_ENTRY; 583 typedef IMAGE_RESOURCE_DIRECTORY_ENTRY *PIMAGE_RESOURCE_DIRECTORY_ENTRY; 584 typedef IMAGE_RESOURCE_DIRECTORY_ENTRY const *PCIMAGE_RESOURCE_DIRECTORY_ENTRY; 585 586 #define IMAGE_RESOURCE_NAME_IS_STRING UINT32_C(0x80000000) 587 #define IMAGE_RESOURCE_DATA_IS_DIRECTORY UINT32_C(0x80000000) 588 589 typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING 590 { 591 uint16_t Length; 592 char NameString[1]; 593 } IMAGE_RESOURCE_DIRECTORY_STRING; 594 typedef IMAGE_RESOURCE_DIRECTORY_STRING *PIMAGE_RESOURCE_DIRECTORY_STRING; 595 typedef IMAGE_RESOURCE_DIRECTORY_STRING const *PCIMAGE_RESOURCE_DIRECTORY_STRING; 596 597 598 typedef struct _IMAGE_RESOURCE_DIR_STRING_U 599 { 600 uint16_t Length; 601 RTUTF16 NameString[1]; 602 } IMAGE_RESOURCE_DIR_STRING_U; 603 typedef IMAGE_RESOURCE_DIR_STRING_U *PIMAGE_RESOURCE_DIR_STRING_U; 604 typedef IMAGE_RESOURCE_DIR_STRING_U const *PCIMAGE_RESOURCE_DIR_STRING_U; 605 606 607 typedef struct _IMAGE_RESOURCE_DATA_ENTRY 608 { 
609 uint32_t OffsetToData; 610 uint32_t Size; 611 uint32_t CodePage; 612 uint32_t Reserved; 613 } IMAGE_RESOURCE_DATA_ENTRY; 614 typedef IMAGE_RESOURCE_DATA_ENTRY *PIMAGE_RESOURCE_DATA_ENTRY; 615 typedef IMAGE_RESOURCE_DATA_ENTRY const *PCIMAGE_RESOURCE_DATA_ENTRY; 616 617 /** @} */ 618 619 546 620 547 621 /** @name Image load config directories -
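Review bot: The entry layout declared here names its unions and structs (`u.s.NameIsString`, `u.Id`, `u2.s2.DataIsDirectory`), while the new parser in SUPR3HardenedMain-win.cpp from this same changeset reaches the fields as `paEntries[i].NameIsString`, `.Id`, `.DataIsDirectory`, so that code presumably compiles against the Windows SDK's anonymous-union spelling rather than this typedef. A short comment on `_IMAGE_RESOURCE_DIRECTORY_ENTRY` stating which spelling is canonical and that the two must stay layout-compatible would save the next reader the comparison. The `uint16_t Id` member overlaying `uint32_t Name` only yields the low half on little-endian hosts; I'd note that next to it, e.g. `/**< Low 16 bits of Name (little-endian); upper 16 bits are reserved/zero. */`. The `NameString[1]` trailing-array idiom mirrors the SDK, so leave it, but a comment that the declared size is a placeholder for Length elements would help callers who size their reads from it.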
trunk/src/VBox/HostDrivers/Support/Makefile.kmk
r66415 r66484 332 332 $(VBOX_PATH_RUNTIME_SRC)/common/string/mempcpy.asm \ 333 333 $(VBOX_PATH_RUNTIME_SRC)/common/string/memset.asm \ 334 $(VBOX_PATH_RUNTIME_SRC)/common/string/strversion.cpp \ 334 335 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrPrintHexBytes.cpp \ 335 336 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrCat.cpp \ … … 338 339 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrNCmp.cpp \ 339 340 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrNLen.cpp \ 341 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTUtf16Copy.cpp \ 340 342 $(VBOX_PATH_RUNTIME_SRC)/common/string/RTUtf16NLenEx.cpp \ 341 343 $(VBOX_PATH_RUNTIME_SRC)/common/string/strchr.asm \ -
trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
r65782 r66484 366 366 /** Check Point's Zone Alarm (may include Kaspersky). */ 367 367 #define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(12) 368 /** Digital guardian. */ 369 #define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN RT_BIT_32(13) 368 /** Digital guardian, old problematic version. */ 369 #define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD RT_BIT_32(13) 370 /** Digital guardian, new version. */ 371 #define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW RT_BIT_32(14) 370 372 /** Cylance protect or something (from googling, no available sample copy). */ 371 #define SUPHARDNT_ADVERSARY_CYLANCE RT_BIT_32(1 4)373 #define SUPHARDNT_ADVERSARY_CYLANCE RT_BIT_32(15) 372 374 /** BeyondTrust / PowerBroker / something (googling, no available sample copy). */ 373 #define SUPHARDNT_ADVERSARY_BEYONDTRUST RT_BIT_32(1 5)375 #define SUPHARDNT_ADVERSARY_BEYONDTRUST RT_BIT_32(16) 374 376 /** Avecto / Defendpoint / Privilege Guard (details from support guy, hoping to get sample copy). */ 375 #define SUPHARDNT_ADVERSARY_AVECTO RT_BIT_32(1 6)377 #define SUPHARDNT_ADVERSARY_AVECTO RT_BIT_32(17) 376 378 /** Unknown adversary detected while waiting on child. */ 377 379 #define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31) … … 3523 3525 int rc = supHardenedWinVerifyProcess(pThis->hProcess, pThis->hThread, SUPHARDNTVPKIND_CHILD_PURIFICATION, 3524 3526 g_fSupAdversaries & ( SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE 3525 | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN )3527 | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD) 3526 3528 ? SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW : 0, 3527 3529 &cFixes, RTErrInfoInitStatic(&g_ErrInfoStatic)); … … 4955 4957 4956 4958 /** 4957 * Logs information about a file from a protection product or from Windows. 4959 * Worker for supR3HardenedFindVersionRsrcOffset. 4960 * 4961 * @returns RVA the version resource data, UINT32_MAX if not found. 4962 * @param pRootDir The root resource directory. Expects data to 4963 * follow. 4964 * @param cbBuf The amount of data at pRootDir. 
4965 * @param offData The offset to the data entry. 4966 * @param pcbData Where to return the size of the data. 4967 */ 4968 static uint32_t supR3HardenedGetRvaFromRsrcDataEntry(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t offData, 4969 uint32_t *pcbData) 4970 { 4971 if ( offData <= cbBuf 4972 && offData + sizeof(IMAGE_RESOURCE_DATA_ENTRY) <= cbBuf) 4973 { 4974 PIMAGE_RESOURCE_DATA_ENTRY pRsrcData = (PIMAGE_RESOURCE_DATA_ENTRY)((uintptr_t)pRootDir + offData); 4975 SUP_DPRINTF((" [Raw version resource data: %#x LB %#x, codepage %#x (reserved %#x)]\n", 4976 pRsrcData->OffsetToData, pRsrcData->Size, pRsrcData->CodePage, pRsrcData->Reserved)); 4977 if (pRsrcData->Size > 0) 4978 { 4979 *pcbData = pRsrcData->Size; 4980 return pRsrcData->OffsetToData; 4981 } 4982 } 4983 else 4984 SUP_DPRINTF((" Version resource data (%#x) is outside the buffer (%#x)! :-(\n", offData, cbBuf)); 4985 4986 *pcbData = 0; 4987 return UINT32_MAX; 4988 } 4989 4990 4991 /** @def SUP_RSRC_DPRINTF 4992 * Dedicated debug printf for resource directory parsing. 4993 * @sa SUP_DPRINTF 4994 */ 4995 #if 0 /* more details */ 4996 # define SUP_RSRC_DPRINTF(a) SUP_DPRINTF(a) 4997 #else 4998 # define SUP_RSRC_DPRINTF(a) do { } while (0) 4999 #endif 5000 5001 /** 5002 * Scans the resource directory for a version resource. 5003 * 5004 * @returns RVA of the version resource data, UINT32_MAX if not found. 5005 * @param pRootDir The root resource directory. Expects data to 5006 * follow. 5007 * @param cbBuf The amount of data at pRootDir. 5008 * @param pcbData Where to return the size of the version data. 
5009 */ 5010 static uint32_t supR3HardenedFindVersionRsrcRva(PIMAGE_RESOURCE_DIRECTORY pRootDir, uint32_t cbBuf, uint32_t *pcbData) 5011 { 5012 SUP_RSRC_DPRINTF((" ResDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n", 5013 pRootDir->Characteristics, 5014 pRootDir->TimeDateStamp, 5015 pRootDir->MajorVersion, 5016 pRootDir->MinorVersion, 5017 pRootDir->NumberOfNamedEntries, 5018 pRootDir->NumberOfIdEntries)); 5019 5020 PIMAGE_RESOURCE_DIRECTORY_ENTRY paEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRootDir + 1); 5021 unsigned cMaxEntries = (cbBuf - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY); 5022 unsigned cEntries = pRootDir->NumberOfNamedEntries + pRootDir->NumberOfIdEntries; 5023 if (cEntries > cMaxEntries) 5024 cEntries = cMaxEntries; 5025 for (unsigned i = 0; i < cEntries; i++) 5026 { 5027 if (!paEntries[i].NameIsString) 5028 { 5029 if (!paEntries[i].DataIsDirectory) 5030 SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n", 5031 i, paEntries[i].Id, paEntries[i].OffsetToData)); 5032 else 5033 SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n", 5034 i, paEntries[i].Id, paEntries[i].OffsetToDirectory)); 5035 } 5036 else 5037 { 5038 if (!paEntries[i].DataIsDirectory) 5039 SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n", 5040 i, paEntries[i].NameOffset, paEntries[i].OffsetToData)); 5041 else 5042 SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n", 5043 i, paEntries[i].NameOffset, paEntries[i].OffsetToDirectory)); 5044 } 5045 5046 /* 5047 * Look for the version resource type. Skip to the next entry if not found. 
5048 */ 5049 if (paEntries[i].NameIsString) 5050 continue; 5051 if (paEntries[i].Id != 0x10 /*RT_VERSION*/) 5052 continue; 5053 if (!paEntries[i].DataIsDirectory) 5054 { 5055 SUP_DPRINTF((" #%u: ID: #%#06x Data: %#010x - WEIRD!\n", i, paEntries[i].Id, paEntries[i].OffsetToData)); 5056 continue; 5057 } 5058 SUP_RSRC_DPRINTF((" Version resource dir entry #%u: dir offset: %#x (cbBuf=%#x)\n", 5059 i, paEntries[i].OffsetToDirectory, cbBuf)); 5060 5061 /* 5062 * Locate the sub-resource directory for it. 5063 */ 5064 if (paEntries[i].OffsetToDirectory >= cbBuf) 5065 { 5066 SUP_DPRINTF((" Version resource dir is outside the buffer! :-(\n")); 5067 continue; 5068 } 5069 uint32_t cbMax = cbBuf - paEntries[i].OffsetToDirectory; 5070 if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)) 5071 { 5072 SUP_DPRINTF((" Version resource dir entry #0 is outside the buffer! :-(\n")); 5073 continue; 5074 } 5075 PIMAGE_RESOURCE_DIRECTORY pVerDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paEntries[i].OffsetToDirectory); 5076 SUP_RSRC_DPRINTF((" VerDir: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n", 5077 pVerDir->Characteristics, 5078 pVerDir->TimeDateStamp, 5079 pVerDir->MajorVersion, 5080 pVerDir->MinorVersion, 5081 pVerDir->NumberOfNamedEntries, 5082 pVerDir->NumberOfIdEntries)); 5083 PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerDir + 1); 5084 unsigned cMaxVerEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY); 5085 unsigned cVerEntries = pVerDir->NumberOfNamedEntries + pVerDir->NumberOfIdEntries; 5086 if (cVerEntries > cMaxVerEntries) 5087 cVerEntries = cMaxVerEntries; 5088 for (unsigned iVer = 0; iVer < cVerEntries; iVer++) 5089 { 5090 if (!paVerEntries[iVer].NameIsString) 5091 { 5092 if (!paVerEntries[iVer].DataIsDirectory) 5093 SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n", 5094 iVer, paVerEntries[iVer].Id, 
paVerEntries[iVer].OffsetToData)); 5095 else 5096 SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n", 5097 iVer, paVerEntries[iVer].Id, paVerEntries[iVer].OffsetToDirectory)); 5098 } 5099 else 5100 { 5101 if (!paVerEntries[iVer].DataIsDirectory) 5102 SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n", 5103 iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToData)); 5104 else 5105 SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n", 5106 iVer, paVerEntries[iVer].NameOffset, paVerEntries[iVer].OffsetToDirectory)); 5107 } 5108 if (!paVerEntries[iVer].DataIsDirectory) 5109 { 5110 SUP_DPRINTF((" [Version info resource found at %#x! (ID/Name: #%#x)]\n", 5111 paVerEntries[iVer].OffsetToData, paVerEntries[iVer].Name)); 5112 return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerEntries[iVer].OffsetToData, pcbData); 5113 } 5114 5115 /* 5116 * Check out the next directory level. 5117 */ 5118 if (paVerEntries[iVer].OffsetToDirectory >= cbBuf) 5119 { 5120 SUP_DPRINTF((" Version resource subdir is outside the buffer! :-(\n")); 5121 continue; 5122 } 5123 cbMax = cbBuf - paVerEntries[iVer].OffsetToDirectory; 5124 if (cbMax < sizeof(IMAGE_RESOURCE_DIRECTORY) + sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)) 5125 { 5126 SUP_DPRINTF((" Version resource subdir entry #0 is outside the buffer! 
:-(\n")); 5127 continue; 5128 } 5129 PIMAGE_RESOURCE_DIRECTORY pVerSubDir = (PIMAGE_RESOURCE_DIRECTORY)((uintptr_t)pRootDir + paVerEntries[iVer].OffsetToDirectory); 5130 SUP_RSRC_DPRINTF((" VerSubDir#%u: Char=%#x Time=%#x Ver=%d%d #NamedEntries=%#x #IdEntries=%#x\n", 5131 iVer, 5132 pVerSubDir->Characteristics, 5133 pVerSubDir->TimeDateStamp, 5134 pVerSubDir->MajorVersion, 5135 pVerSubDir->MinorVersion, 5136 pVerSubDir->NumberOfNamedEntries, 5137 pVerSubDir->NumberOfIdEntries)); 5138 PIMAGE_RESOURCE_DIRECTORY_ENTRY paVerSubEntries = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pVerSubDir + 1); 5139 unsigned cMaxVerSubEntries = (cbMax - sizeof(IMAGE_RESOURCE_DIRECTORY)) / sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY); 5140 unsigned cVerSubEntries = pVerSubDir->NumberOfNamedEntries + pVerSubDir->NumberOfIdEntries; 5141 if (cVerSubEntries > cMaxVerSubEntries) 5142 cVerSubEntries = cMaxVerSubEntries; 5143 for (unsigned iVerSub = 0; iVerSub < cVerSubEntries; iVerSub++) 5144 { 5145 if (!paVerSubEntries[iVerSub].NameIsString) 5146 { 5147 if (!paVerSubEntries[iVerSub].DataIsDirectory) 5148 SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Data: %#010x\n", 5149 iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToData)); 5150 else 5151 SUP_RSRC_DPRINTF((" #%u: ID: #%#06x Dir: %#010x\n", 5152 iVerSub, paVerSubEntries[iVerSub].Id, paVerSubEntries[iVerSub].OffsetToDirectory)); 5153 } 5154 else 5155 { 5156 if (!paVerSubEntries[iVerSub].DataIsDirectory) 5157 SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Data: %#010x\n", 5158 iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToData)); 5159 else 5160 SUP_RSRC_DPRINTF((" #%u: Name: #%#06x Dir: %#010x\n", 5161 iVerSub, paVerSubEntries[iVerSub].NameOffset, paVerSubEntries[iVerSub].OffsetToDirectory)); 5162 } 5163 if (!paVerSubEntries[iVerSub].DataIsDirectory) 5164 { 5165 SUP_DPRINTF((" [Version info resource found at %#x! 
(ID/Name: %#x; SubID/SubName: %#x)]\n", 5166 paVerSubEntries[iVerSub].OffsetToData, paVerEntries[iVer].Name, paVerSubEntries[iVerSub].Name)); 5167 return supR3HardenedGetRvaFromRsrcDataEntry(pRootDir, cbBuf, paVerSubEntries[iVerSub].OffsetToData, pcbData); 5168 } 5169 } 5170 } 5171 } 5172 5173 *pcbData = 0; 5174 return UINT32_MAX; 5175 } 5176 5177 5178 /** 5179 * Logs information about a file from a protection product or from Windows, 5180 * optionally returning the file version. 4958 5181 * 4959 5182 * The purpose here is to better see which version of the product is installed 4960 5183 * and not needing to depend on the user supplying the correct information. 4961 5184 * 4962 * @param pwszFile The NT path to the file. 4963 * @param fAdversarial Set if from a protection product, false if 4964 * system file. 4965 */ 4966 static void supR3HardenedLogFileInfo(PCRTUTF16 pwszFile, bool fAdversarial) 4967 { 4968 RT_NOREF1(fAdversarial); 5185 * @param pwszFile The NT path to the file. 5186 * @param pwszFileVersion Where to return the file version, if found. NULL if 5187 * not interested. 5188 * @param cwcFileVersion The size of the file version buffer (UTF-16 units). 5189 */ 5190 static void supR3HardenedLogFileInfo(PCRTUTF16 pwszFile, PRTUTF16 pwszFileVersion, size_t cwcFileVersion) 5191 { 5192 /* 5193 * Make sure the file version is always set when we return. 
5194 */ 5195 if (pwszFileVersion && cwcFileVersion) 5196 *pwszFileVersion = '\0'; 4969 5197 4970 5198 /* … … 5003 5231 RTUTF16 awcBuf[16384]; 5004 5232 IMAGE_DOS_HEADER MzHdr; 5233 IMAGE_RESOURCE_DIRECTORY ResDir; 5005 5234 } u; 5006 5235 RTTIMESPEC TimeSpec; … … 5076 5305 >= pNtHdrs64->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) ) 5077 5306 { 5307 uint32_t uRvaRsrcSect = 0; 5308 uint32_t cbRsrcSect = 0; 5309 uint32_t offRsrcSect = 0; 5078 5310 offRead.QuadPart = 0; 5079 5311 for (uint32_t i = 0; i < pNtHdrs64->FileHeader.NumberOfSections; i++) 5080 if ( paSectHdrs[i].VirtualAddress - RsrcDir.VirtualAddress < paSectHdrs[i].SizeOfRawData 5081 && paSectHdrs[i].PointerToRawData > offNtHdrs) 5312 { 5313 uRvaRsrcSect = paSectHdrs[i].VirtualAddress; 5314 cbRsrcSect = paSectHdrs[i].Misc.VirtualSize; 5315 offRsrcSect = paSectHdrs[i].PointerToRawData; 5316 if ( RsrcDir.VirtualAddress - uRvaRsrcSect < cbRsrcSect 5317 && offRsrcSect > offNtHdrs) 5082 5318 { 5083 offRead.QuadPart = paSectHdrs[i].PointerToRawData 5084 + (paSectHdrs[i].VirtualAddress - RsrcDir.VirtualAddress); 5319 offRead.QuadPart = offRsrcSect + (RsrcDir.VirtualAddress - uRvaRsrcSect); 5085 5320 break; 5086 5321 } 5322 } 5087 5323 if (offRead.QuadPart > 0) 5088 5324 { … … 5090 5326 rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios, 5091 5327 &u, (ULONG)sizeof(u), &offRead, NULL); 5328 PCRTUTF16 pwcVersionData = &u.awcBuf[0]; 5329 size_t cbVersionData = sizeof(u); 5330 5092 5331 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 5093 5332 { 5094 static const struct { PCRTUTF16 pwsz; size_t cb; } s_abFields[] = 5333 /* Make it less crude by try find the version resource data. 
*/ 5334 uint32_t cbVersion; 5335 uint32_t uRvaVersion = supR3HardenedFindVersionRsrcRva(&u.ResDir, sizeof(u), &cbVersion); 5336 NOREF(uRvaVersion); 5337 if ( uRvaVersion != UINT32_MAX 5338 && cbVersion < cbRsrcSect 5339 && uRvaVersion - uRvaRsrcSect <= cbRsrcSect - cbVersion) 5095 5340 { 5096 #define MY_WIDE_STR_TUPLE(a_sz) { L ## a_sz, sizeof(L ## a_sz) - sizeof(RTUTF16) } 5097 MY_WIDE_STR_TUPLE("ProductName"), 5098 MY_WIDE_STR_TUPLE("ProductVersion"), 5099 MY_WIDE_STR_TUPLE("FileVersion"), 5100 MY_WIDE_STR_TUPLE("SpecialBuild"), 5101 MY_WIDE_STR_TUPLE("PrivateBuild"), 5102 MY_WIDE_STR_TUPLE("FileDescription"), 5341 uint32_t const offVersion = uRvaVersion - uRvaRsrcSect; 5342 if ( offVersion < sizeof(u) 5343 && offVersion + cbVersion <= sizeof(u)) 5344 { 5345 pwcVersionData = (PCRTUTF16)&u.abBuf[offVersion]; 5346 cbVersionData = cbVersion; 5347 } 5348 else 5349 { 5350 offRead.QuadPart = offVersion + offRsrcSect; 5351 RT_ZERO(u); 5352 rcNt = NtReadFile(hFile, NULL /*hEvent*/, NULL /*ApcRoutine*/, NULL /*ApcContext*/, &Ios, 5353 &u, (ULONG)sizeof(u), &offRead, NULL); 5354 pwcVersionData = &u.awcBuf[0]; 5355 cbVersionData = RT_MIN(cbVersion, sizeof(u)); 5356 } 5357 } 5358 } 5359 5360 if (NT_SUCCESS(rcNt) && NT_SUCCESS(Ios.Status)) 5361 { 5362 static const struct { PCRTUTF16 pwsz; size_t cb; bool fRet; } s_abFields[] = 5363 { 5364 #define MY_WIDE_STR_TUPLE(a_sz, a_fRet) { L ## a_sz, sizeof(L ## a_sz) - sizeof(RTUTF16), a_fRet } 5365 MY_WIDE_STR_TUPLE("ProductName", false), 5366 MY_WIDE_STR_TUPLE("ProductVersion", false), 5367 MY_WIDE_STR_TUPLE("FileVersion", true), 5368 MY_WIDE_STR_TUPLE("SpecialBuild", false), 5369 MY_WIDE_STR_TUPLE("PrivateBuild", false), 5370 MY_WIDE_STR_TUPLE("FileDescription", false), 5103 5371 #undef MY_WIDE_STR_TUPLE 5104 5372 }; 5105 5373 for (uint32_t i = 0; i < RT_ELEMENTS(s_abFields); i++) 5106 5374 { 5107 size_t cwcLeft = (sizeof(u) - s_abFields[i].cb - 10) / sizeof(RTUTF16); 5108 PCRTUTF16 pwc = u.awcBuf; 5375 if (cbVersionData <= 
s_abFields[i].cb + 10) 5376 continue; 5377 size_t cwcLeft = (cbVersionData - s_abFields[i].cb - 10) / sizeof(RTUTF16); 5378 PCRTUTF16 pwc = pwcVersionData; 5109 5379 RTUTF16 const wcFirst = *s_abFields[i].pwsz; 5110 5380 while (cwcLeft-- > 0) … … 5124 5394 RTSTR_VALIDATE_ENCODING_ZERO_TERMINATED); 5125 5395 if (RT_SUCCESS(rc)) 5396 { 5126 5397 SUP_DPRINTF((" %ls:%*s %ls", 5127 5398 s_abFields[i].pwsz, cwcField < 15 ? 15 - cwcField : 0, "", pwc)); 5399 if ( s_abFields[i].fRet 5400 && pwszFileVersion 5401 && cwcFileVersion > 1) 5402 RTUtf16Copy(pwszFileVersion, cwcFileVersion, pwc); 5403 } 5128 5404 else 5129 5405 SUP_DPRINTF((" %ls:%*s rc=%Rrc", … … 5256 5532 { SUPHARDNT_ADVERSARY_COMODO, "cmdHlp" }, 5257 5533 5258 { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN , "dgmaster" }, /* Not verified. */5534 { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, "dgmaster" }, 5259 5535 5260 5536 { SUPHARDNT_ADVERSARY_CYLANCE, "cyprotectdrv" }, /* Not verified. */ … … 5376 5652 { SUPHARDNT_ADVERSARY_ZONE_ALARM, L"\\SystemRoot\\System32\\AntiTheftCredentialProvider.dll" }, 5377 5653 5378 { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN , L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" },5654 { SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD, L"\\SystemRoot\\System32\\drivers\\dgmaster.sys" }, 5379 5655 5380 5656 { SUPHARDNT_ADVERSARY_CYLANCE, L"\\SystemRoot\\System32\\drivers\\cyprotectdrv32.sys" }, … … 5473 5749 5474 5750 /* 5475 * Log details .5751 * Log details and upgrade select adversaries. 
5476 5752 */ 5477 5753 SUP_DPRINTF(("supR3HardenedWinFindAdversaries: %#x\n", fFound)); 5478 5754 for (uint32_t i = 0; i < RT_ELEMENTS(s_aFiles); i++) 5479 if (fFound & s_aFiles[i].fAdversary) 5480 supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, true /* fAdversarial */); 5755 if (s_aFiles[i].fAdversary & fFound) 5756 { 5757 if (!(s_aFiles[i].fAdversary & SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD)) 5758 supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, NULL, 0); 5759 else 5760 { 5761 /* 5762 * See if it's a newer version of the driver which doesn't BSODs when we free 5763 * its memory. To use RTStrVersionCompare we do a rough UTF-16 -> ASCII conversion. 5764 */ 5765 union 5766 { 5767 char szFileVersion[64]; 5768 RTUTF16 wszFileVersion[32]; 5769 } uBuf; 5770 supR3HardenedLogFileInfo(s_aFiles[i].pwszFile, uBuf.wszFileVersion, RT_ELEMENTS(uBuf.wszFileVersion)); 5771 if (uBuf.wszFileVersion[0]) 5772 { 5773 for (uint32_t off = 0; off < RT_ELEMENTS(uBuf.wszFileVersion); off++) 5774 { 5775 RTUTF16 wch = uBuf.wszFileVersion[off]; 5776 uBuf.szFileVersion[off] = (char)wch; 5777 if (!wch) 5778 break; 5779 } 5780 uBuf.szFileVersion[RT_ELEMENTS(uBuf.wszFileVersion)] = '\0'; 5781 if (RTStrVersionCompare(uBuf.szFileVersion, "7.3.0.0171") >= 0) 5782 { 5783 uint32_t const fOldFound = fFound; 5784 fFound = (fOldFound & ~SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_OLD) 5785 | SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN_NEW; 5786 SUP_DPRINTF(("supR3HardenedWinFindAdversaries: Found newer version: %#x -> %#x\n", fOldFound, fFound)); 5787 } 5788 } 5789 } 5790 } 5481 5791 5482 5792 return fFound; … … 5553 5863 * Log information about important system files. 
5554 5864 */ 5555 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\ntdll.dll", false /* fAdversarial*/);5556 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\kernel32.dll", false /* fAdversarial*/);5557 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\KernelBase.dll", false /* fAdversarial*/);5558 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\apisetschema.dll", false /* fAdversarial*/);5865 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\ntdll.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/); 5866 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\kernel32.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/); 5867 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\KernelBase.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/); 5868 supR3HardenedLogFileInfo(L"\\SystemRoot\\System32\\apisetschema.dll", NULL /*pwszFileVersion*/, 0 /*cwcFileVersion*/); 5559 5869 5560 5870 /*
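Review bot: The in-buffer bounds test at 5342–5343, `offVersion + cbVersion <= sizeof(u)`, is evaluated in 32-bit arithmetic and can wrap: cbVersion comes from the resource data entry and is only bounded by the section's VirtualSize, which is also file data, so a large value passes and `cbVersionData` then exceeds the buffer that the field scan at 5375–5378 walks. Write it as `if (offVersion < sizeof(u) && cbVersion <= sizeof(u) - offVersion)` so the subtraction cannot wrap. The `NOREF(uRvaVersion);` at 5336 is stale since the value is used on the very next line. Also, if the re-read at 5352 fails, the check at 5360 now skips the field scan entirely even though the first buffer was valid, whereas the crude scan of that data previously still logged something; keeping the original buffer on re-read failure would preserve that. supR3HardenedLogFileInfo begins and ends outside this hunk.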