Changeset 66525 in vbox for trunk/src/VBox/HostDrivers


Timestamp:
Apr 12, 2017 10:48:30 AM (8 years ago)
Author:
vboxsync
Message:

Windows hardening: bugref:8750: blacklist scrobj.dll

Location:
trunk/src/VBox/HostDrivers/Support
Files:
4 edited

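--- a/trunk/src/VBox/HostDrivers/Support/Makefile.kmk
+++ b/trunk/src/VBox/HostDrivers/Support/Makefile.kmk
@@ -337,4 +337,5 @@
         $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrCmp.cpp \
         $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrCopy.cpp \
+        $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrICmpAscii.cpp \
         $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrNCmp.cpp \
         $(VBOX_PATH_RUNTIME_SRC)/common/string/RTStrNLen.cpp \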
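--- a/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
@@ -139,4 +139,7 @@
 /** @} */
 
+/* Array in SUPHardenedVerifyImage-win.cpp */
+extern const RTSTRTUPLE g_aSupNtViBlacklistedDlls[];
+
 /**
  * Loader cache entry.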
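--- a/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
@@ -140,4 +140,14 @@
 # endif
 #endif /* IN_RING3 && !VBOX_PERMIT_MORE*/
+
+/**
+ * Blacklisted DLL names.
+ */
+const RTSTRTUPLE g_aSupNtViBlacklistedDlls[] =
+{
+    { RT_STR_TUPLE("SCROBJ.dll") },
+    { NULL, 0 } /* terminator entry */
+};
+
 
 static union
@@ -1273,4 +1283,43 @@
     RT_NOREF1(fAvoidWinVerifyTrust);
 #endif
+
+    /*
+     * Check for blacklisted DLLs, both internal name and filename.
+     */
+    if (RT_SUCCESS(rc))
+    {
+        size_t const cwcName = RTUtf16Len(pwszName);
+        char         szIntName[64];
+        int rc2 = RTLdrQueryProp(hLdrMod, RTLDRPROP_INTERNAL_NAME, szIntName, sizeof(szIntName));
+        if (RT_SUCCESS(rc2))
+        {
+            size_t const cchIntName = strlen(szIntName);
+            for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
+                if (   cchIntName == g_aSupNtViBlacklistedDlls[i].cch
+                    && RTStrICmpAscii(szIntName, g_aSupNtViBlacklistedDlls[i].psz) == 0)
+                {
+                    rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_UNDESIRABLE_MODULE,
+                                       "The image '%ls' is listed as undesirable.", pwszName);
+                    break;
+                }
+        }
+        if (RT_SUCCESS(rc))
+        {
+            for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
+                if (cwcName >= g_aSupNtViBlacklistedDlls[i].cch)
+                {
+                    PCRTUTF16 pwszTmp = &pwszName[cwcName - g_aSupNtViBlacklistedDlls[i].cch];
+                    if (   (   cwcName == g_aSupNtViBlacklistedDlls[i].cch
+                            || pwszTmp[-1] == '\\'
+                            || pwszTmp[-1] == '/')
+                        && RTUtf16ICmpAscii(pwszTmp, g_aSupNtViBlacklistedDlls[i].psz) == 0)
+                    {
+                        rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_UNDESIRABLE_MODULE,
+                                           "The image '%ls' is listed as undesirable.", pwszName);
+                        break;
+                    }
+                }
+        }
+    }
 
 #ifdef IN_SUP_HARDENED_R3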
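Review bot: The internal-name check in the second hunk is skipped silently whenever `RTLdrQueryProp` fails, which includes the case where the internal name does not fit the 64-byte `szIntName` buffer, so only the filename comparison is applied then; at minimum log `rc2` when it is not VERR_NOT_FOUND-style "no such property", or add a comment stating that falling back to the filename check alone is intentional. The filename loop re-implements the `pwszTmp[-1]` separator test that this same changeset factors into supR3HardenedIsFilenameMatchDll in SUPR3HardenedMain-win.cpp; a shared helper over the UTF-16 name would keep the two copies from drifting. Both branches set the identical message `"The image '%ls' is listed as undesirable."`, so a log reader cannot tell an internal-name hit from a filename hit; mentioning the internal name in the first message (e.g. `"The image '%ls' (internal name '%s') is listed as undesirable."`) would make the cause visible. The enclosing function starts and ends outside the hunk.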
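--- a/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
@@ -1638,4 +1638,26 @@
 
 /**
+ * Helper for supR3HardenedMonitor_LdrLoadDll that compares the name part of the
+ * input path against a ASCII name string of a given length.
+ *
+ * @returns true if the name part matches
+ * @param   pPath               The LdrLoadDll input path.
+ * @param   pszName             The name to try match it with.
+ * @param   cchName             The name length.
+ */
+static bool supR3HardenedIsFilenameMatchDll(PUNICODE_STRING pPath, const char *pszName, size_t cchName)
+{
+    if (pPath->Length < cchName * 2)
+        return false;
+    PCRTUTF16 pwszTmp = &pPath->Buffer[pPath->Length / sizeof(RTUTF16) - cchName];
+    if (   pPath->Length != cchName
+        && pwszTmp[-1] != '\\'
+        && pwszTmp[-1] != '/')
+        return false;
+    return RTUtf16ICmpAscii(pwszTmp, pszName) == 0;
+}
+
+
+/**
  * Hooks that intercepts LdrLoadDll calls.
  *
@@ -1714,20 +1736,11 @@
             { RT_STR_TUPLE("PGHook.dll") },
         };
-
         for (unsigned i = 0; i < RT_ELEMENTS(s_aUnwantedEarlyDlls); i++)
-        {
-            if (pName->Length < s_aUnwantedEarlyDlls[i].cch * 2)
-                continue;
-            PCRTUTF16 pwszTmp = &pName->Buffer[pName->Length / sizeof(RTUTF16) - s_aUnwantedEarlyDlls[i].cch];
-            if (   pName->Length != s_aUnwantedEarlyDlls[i].cch * 2
-                && pwszTmp[-1] != '\\'
-                && pwszTmp[-1] != '/')
-                continue;
-            if (RTUtf16ICmpAscii(pwszTmp, s_aUnwantedEarlyDlls[i].psz) != 0)
-                continue;
-            SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load '%.*ls' as it is expected to create undesirable threads that will upset our respawn checks (returning STATUS_TOO_MANY_THREADS)\n",
-                         pName->Length / sizeof(RTUTF16), pName->Buffer));
-            return STATUS_TOO_MANY_THREADS;
-        }
+            if (supR3HardenedIsFilenameMatchDll(pName, s_aUnwantedEarlyDlls[i].psz, s_aUnwantedEarlyDlls[i].cch))
+            {
+                SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load '%.*ls' as it is expected to create undesirable threads that will upset our respawn checks (returning STATUS_TOO_MANY_THREADS)\n",
+                             pName->Length / sizeof(RTUTF16), pName->Buffer));
+                return STATUS_TOO_MANY_THREADS;
+            }
     }
 
@@ -1909,4 +1922,18 @@
         pName = &ResolvedName;
     }
+
+#ifndef IN_SUP_R3_STATIC
+    /*
+     * Reject blacklisted DLLs based on input name.
+     */
+    for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
+        if (supR3HardenedIsFilenameMatchDll(pName, g_aSupNtViBlacklistedDlls[i].psz, g_aSupNtViBlacklistedDlls[i].cch))
+        {
+            SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: Refusing to load blacklisted DLL: '%.*ls'\n",
+                         pName->Length / sizeof(RTUTF16), pName->Buffer));
+            RtlRestoreLastWin32Error(dwSavedLastError);
+            return STATUS_TOO_MANY_THREADS;
+        }
+#endif
 
     bool fQuiet = false;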
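Review bot: In supR3HardenedIsFilenameMatchDll (first hunk) the bare-name test `if (   pPath->Length != cchName` compares a byte length against a character count, unlike the guard two lines above it and the `* 2` in the inline code the second hunk removes; for a path that is exactly the DLL name, `pPath->Length == cchName * 2`, so the condition holds and `pwszTmp[-1]` reads one RTUTF16 before the start of the buffer, and unless that stray value happens to be a separator the name is reported as not matching. The line should read `if (   pPath->Length != cchName * sizeof(RTUTF16)` so the helper keeps the behaviour of the code it replaces. Because the third hunk routes the g_aSupNtViBlacklistedDlls rejection through the same helper, the bare-name case is affected there too. The `return STATUS_TOO_MANY_THREADS;` in the third hunk reuses the status chosen for the early-DLL thread case while the log line no longer mentions threads, so a one-line comment explaining why that particular status is returned for a blacklisted DLL would help the next reader.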