Changeset 77816 in vbox

Timestamp:

Mar 21, 2019 12:01:49 AM (6 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

129490

Message:

SupHardNt: Made RTNtPathExpand8dot3Path() work correctly in kernel context (needs IPRT_NT_MAP_TO_ZW) and expand 8.3 names when comparing the executable image we found in the memory map with what NT returns for the process.

Location:

trunk

Files:

• Config.kmk (modified) (1 diff)
• include/iprt/nt/nt.h (modified) (2 diffs)
• src/VBox/HostDrivers/Support/Makefile.kmk (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (1 diff)
• src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp (modified) (3 diffs)
• src/VBox/Runtime/Makefile.kmk (modified) (2 diffs)
• src/VBox/Runtime/nt/RTErrConvertFromNtStatus.cpp (modified) (1 diff)
• src/VBox/Runtime/nt/RTNtPathExpand8dot3Path.cpp (modified) (1 diff)
• src/VBox/Runtime/nt/RTNtPathExpand8dot3PathA.cpp (added)
• src/VBox/Runtime/r0drv/nt/dbgkrnlinfo-r0drv-nt.cpp (modified) (1 diff)

trunk/Config.kmk

@@ -4506 +4506 @@
  TEMPLATE_VBOXR0DRV_DEFS.x86          += WIN9X_COMPAT_SPINLOCK     # Avoid multiply defined _KeInitializeSpinLock@4
  TEMPLATE_VBOXR0DRV_DEFS.amd64         = _AMD64_
+ TEMPLATE_VBOXR0DRV_DEFS.win           = IPRT_NT_MAP_TO_ZW
  TEMPLATE_VBOXR0DRV_CXXFLAGS           = -Zi -Zl -GR- -EHs- -GF -Gz -GS- -Zc:wchar_t- $(VBOX_VCC_FP) -Gs4096 $(VBOX_VCC_OPT) \
         $(VBOX_VCC_WARN_ALL) $(VBOX_VCC_WERR)

trunk/include/iprt/nt/nt.h

@@ -40 +40 @@
 
 #ifdef IPRT_NT_MAP_TO_ZW
+# define NtQueryDirectoryFile           ZwQueryDirectoryFile
 # define NtQueryInformationFile         ZwQueryInformationFile
 # define NtQueryInformationProcess      ZwQueryInformationProcess
@@ -388 +389 @@
  */
 RTDECL(int) RTNtPathExpand8dot3Path(struct _UNICODE_STRING *pUniStr, bool fPathOnly);
+
+/**
+ * Wrapper around RTNtPathExpand8dot3Path that allocates a buffer instead of
+ * working on the input buffer.
+ *
+ * @returns IPRT status code, see RTNtPathExpand8dot3Path().
+ * @param   pUniStrSrc  The path to fix up. MaximumLength is the max buffer
+ *                      length.
+ * @param   fPathOnly   Whether to only process the path and leave the filename
+ *                      as passed in.
+ * @param   pUniStrDst  Output string.  On success, the caller must use
+ *                      RTUtf16Free to free what the Buffer member points to.
+ *                      This is all zeros and NULL on failure.
+ */
+RTDECL(int) RTNtPathExpand8dot3PathA(struct _UNICODE_STRING const *pShort, bool fPathOnly, struct _UNICODE_STRING *pUniStrDst);
 
 

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -393 +393 @@
         $(VBOX_PATH_RUNTIME_SRC)/nt/RTNtPathFindPossible8dot3Name.cpp \
         $(VBOX_PATH_RUNTIME_SRC)/nt/RTNtPathExpand8dot3Path.cpp \
+        $(VBOX_PATH_RUNTIME_SRC)/nt/RTNtPathExpand8dot3PathA.cpp \
         $(VBOX_PATH_RUNTIME_SRC)/r3/nt/pathint-nt.cpp \
         $(VBOX_PATH_RUNTIME_SRC)/win/RTErrConvertFromWin32.cpp \

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -29 +29 @@
 *   Header Files                                                                                                                 *
 *********************************************************************************************************************************/
-#define IPRT_NT_MAP_TO_ZW
+#ifndef IPRT_NT_MAP_TO_ZW
+# define IPRT_NT_MAP_TO_ZW
+#endif
 #define LOG_GROUP LOG_GROUP_SUP_DRV
 #include "../SUPDrvInternal.h"

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -30 +30 @@
 *********************************************************************************************************************************/
 #ifdef IN_RING0
-# define IPRT_NT_MAP_TO_ZW
+# ifndef IPRT_NT_MAP_TO_ZW
+#  define IPRT_NT_MAP_TO_ZW
+# endif
 # include <iprt/nt/nt.h>
 # include <ntimage.h>

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -30 +30 @@
 *********************************************************************************************************************************/
 #ifdef IN_RING0
-# define IPRT_NT_MAP_TO_ZW
+# ifndef IPRT_NT_MAP_TO_ZW
+#  define IPRT_NT_MAP_TO_ZW
+# endif
 # include <iprt/nt/nt.h>
 # include <ntimage.h>
@@ -1166 +1168 @@
             return true;
     }
+}
+
+
+/**
+ * Compares two paths, expanding 8.3 short names as needed.
+ *
+ * @returns true / false.
+ * @param   pUniStr1        The first path.  Must be zero terminated!
+ * @param   pUniStr2        The second path.  Must be zero terminated!
+ */
+static bool supHardNtVpArePathsEqual(PCUNICODE_STRING pUniStr1, PCUNICODE_STRING pUniStr2)
+{
+    /* Both strings must be null terminated. */
+    Assert(pUniStr1->Buffer[pUniStr1->Length / sizeof(WCHAR)] == '\0');
+    Assert(pUniStr2->Buffer[pUniStr1->Length / sizeof(WCHAR)] == '\0');
+
+    /* Simple compare first.*/
+    if (supHardNtVpAreUniStringsEqual(pUniStr1, pUniStr2))
+        return true;
+
+    /* Make long names if needed. */
+    UNICODE_STRING UniStrLong1 = { 0, 0, NULL };
+    if (RTNtPathFindPossible8dot3Name(pUniStr1->Buffer))
+    {
+        int rc = RTNtPathExpand8dot3PathA(pUniStr1, false /*fPathOnly*/, &UniStrLong1);
+        if (RT_SUCCESS(rc))
+            pUniStr1 = &UniStrLong1;
+    }
+
+    UNICODE_STRING UniStrLong2 = { 0, 0, NULL };
+    if (RTNtPathFindPossible8dot3Name(pUniStr2->Buffer))
+    {
+        int rc = RTNtPathExpand8dot3PathA(pUniStr2, false /*fPathOnly*/, &UniStrLong2);
+        if (RT_SUCCESS(rc))
+            pUniStr2 = &UniStrLong2;
+    }
+
+    /* Compare again. */
+    bool fCompare = supHardNtVpAreUniStringsEqual(pUniStr1, pUniStr2);
+
+    /* Clean up. */
+    if (UniStrLong1.Buffer)
+        RTUtf16Free(UniStrLong1.Buffer);
+    if (UniStrLong2.Buffer)
+        RTUtf16Free(UniStrLong2.Buffer);
+
+    return fCompare;
 }
 
@@ -2264 +2313 @@
     if (NT_SUCCESS(rcNt))
     {
-        if (supHardNtVpAreUniStringsEqual(pUniStr, &pImage->Name.UniStr))
+        pUniStr->Buffer[pUniStr->Length / sizeof(WCHAR)] = '\0';
+        if (supHardNtVpArePathsEqual(pUniStr, &pImage->Name.UniStr))
             rc = VINF_SUCCESS;
         else
-        {
-            pUniStr->Buffer[pUniStr->Length / sizeof(WCHAR)] = '\0';
             rc = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_VS_PROC_NAME_MISMATCH,
                                      "Process image name does not match the exectuable we found: %ls vs %ls.",
                                      pUniStr->Buffer, pImage->Name.UniStr.Buffer);
-        }
     }
     else

trunk/src/VBox/Runtime/Makefile.kmk

@@ -840 +840 @@
         nt/RTErrConvertFromNtStatus.cpp \
         nt/RTNtPathExpand8dot3Path.cpp \
+        nt/RTNtPathExpand8dot3PathA.cpp \
         nt/RTNtPathFindPossible8dot3Name.cpp \
         nt/fileioutils-nt.cpp \
@@ -2930 +2931 @@
         nt/RTErrConvertFromNtStatus.cpp \
         nt/RTNtPathExpand8dot3Path.cpp \
+        nt/RTNtPathExpand8dot3PathA.cpp \
         nt/RTNtPathFindPossible8dot3Name.cpp \
         r0drv/generic/threadctxhooks-r0drv-generic.cpp \

trunk/src/VBox/Runtime/nt/RTErrConvertFromNtStatus.cpp

@@ -85 +85 @@
         case STATUS_SHARING_VIOLATION:      return VERR_SHARING_VIOLATION;
         case STATUS_NO_MEDIA_IN_DEVICE:     return VERR_DRIVE_IS_EMPTY;
+        case STATUS_ACCESS_VIOLATION:       return VERR_INVALID_POINTER;
 
         case STATUS_REPARSE_POINT_NOT_RESOLVED:

trunk/src/VBox/Runtime/nt/RTNtPathExpand8dot3Path.cpp

@@ -30 +30 @@
 *********************************************************************************************************************************/
 #define LOG_GROUP RTLOGGROUP_FS
+#if !defined(IPRT_NT_MAP_TO_ZW) && defined(IN_RING0)
+# define IPRT_NT_MAP_TO_ZW
+#endif
 #ifdef IN_SUP_HARDENED_R3
 # include <iprt/nt/nt-and-windows.h>

trunk/src/VBox/Runtime/r0drv/nt/dbgkrnlinfo-r0drv-nt.cpp

@@ -35 +35 @@
 #define PIMAGE_NT_HEADERS32 NT_PIMAGE_NT_HEADERS32
 #define PIMAGE_NT_HEADERS64 NT_PIMAGE_NT_HEADERS64
-#define IPRT_NT_MAP_TO_ZW
+#ifndef IPRT_NT_MAP_TO_ZW
+# define IPRT_NT_MAP_TO_ZW
+#endif
 #include "the-nt-kernel.h"
 #include <iprt/dbg.h>