VirtualBox

Browse Source

Changeset 80212 in vbox for trunk/src/VBox/HostDrivers/Support/win

Timestamp:

Aug 9, 2019 1:11:21 PM (5 years ago)

Author:

vboxsync

Message:

SUPHardNt: Hack for fending off unwanted APCs during early process initialization, preventing them from tripping over when we're evicted code they need (executable memory allocations). We only allow the LdrInitializeThunk APC to go thru. bugdbref:29744598

Location:

trunk/src/VBox/HostDrivers/Support/win

Files:

: 4 edited

SUPHardenedVerifyProcess-win.cpp (modified) (4 diffs)
SUPR3HardenedMain-win.cpp (modified) (16 diffs)
SUPR3HardenedMainA-win.asm (modified) (2 diffs)
import-template-ntdll.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

-              r77816
+              r80212
      */
     uint32_t         cSkipAreas = 0;
     SUPHNTVPSKIPAREA aSkipAreas[5];
+    SUPHNTVPSKIPAREA aSkipAreas[6];
     if (pImage->fNtCreateSectionPatch)
+    {
 …
         if (RT_FAILURE(rc))
             return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrInitializeThunk': %Rrc", pImage->pszName, rc);
+        aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
+        aSkipAreas[cSkipAreas++].cb = 14;
+        /* Ignore our patched KiUserApcDispatcher hack. */
+        rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "KiUserApcDispatcher", &uValue);
+        if (RT_FAILURE(rc))
+            return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'KiUserApcDispatcher': %Rrc", pImage->pszName, rc);
         aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue;
         aSkipAreas[cSkipAreas++].cb = 14;
 …
     /*
      * In the BSOD workaround mode, we need to make a copy of the memory before
      * freeing it.
+     * freeing it.  Bird abuses this code for logging purposes too.
      */
     uintptr_t   uCopySrc  = (uintptr_t)pvFree;
     size_t      cbCopy    = 0;
     void       *pvCopy    = NULL;
     if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW)
+    //if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW)
+    {
         cbCopy = cbFree;
 …
             supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED,
                                 "Error reading data from original alloc: %#x (%p LB %#zx)", rcNt, uCopySrc, cbCopy, rcNt);
+        supR3HardenedLogFlush();
+        for (size_t off = 0; off < cbCopy; off += 256)
+        {
+            size_t const cbChunk = RT_MIN(256, cbCopy - off);
+            void const  *pvChunk = (uint8_t const *)pvCopy + off;
+            if (!ASMMemIsZero(pvChunk, cbChunk))
+                SUP_DPRINTF(("%.*RhxD\n", cbChunk, pvChunk));
+        }
+        if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW)
+            supR3HardenedLogFlush();
+    }

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

-              r79642
+              r80212
 /** Pointer to the bit of assembly code that will perform the original
  *  NtCreateSection operation. */
 static NTSTATUS (NTAPI *    g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
+static NTSTATUS     (NTAPI *g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                                       PLARGE_INTEGER, ULONG, ULONG, HANDLE);
 /** Pointer to the NtCreateSection function in NtDll (for patching purposes). */
 …
 /** Pointer to the bit of assembly code that will perform the original
  *  LdrLoadDll operation. */
 static NTSTATUS (NTAPI *    g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
+static NTSTATUS     (NTAPI *g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
 /** Pointer to the LdrLoadDll function in NtDll (for patching purposes). */
 static uint8_t             *g_pbLdrLoadDll;
 /** The patched LdrLoadDll bytes (for restoring). */
 static uint8_t              g_abLdrLoadDllPatch[16];
+/** Pointer to the bit of assembly code that will perform the original
+ *  KiUserApcDispatcher operation. */
+static VOID        (NTAPI *g_pfnKiUserApcDispatcherReal)(void);
+/** Pointer to the KiUserApcDispatcher function in NtDll (for patching
+ *  purposes). */
+static uint8_t             *g_pbKiUserApcDispatcher;
+/** The patched KiUserApcDispatcher bytes (for restoring). */
+static uint8_t              g_abKiUserApcDispatcherPatch[16];
+/** Pointer to the LdrInitializeThunk function in NtDll for
+ *  supR3HardenedMonitor_KiUserApcDispatcher_C() to use for APC vetting. */
+static uintptr_t            g_pfnLdrInitializeThunk;
 /** The hash table of verifier cache . */
 …
 /** Sophos Endpoint Defense. */
 #define SUPHARDNT_ADVERSARY_SOPHOS                  RT_BIT_32(18)
+/** VMware horizon view agent. */
+#define SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT      RT_BIT_32(19)
 /** Unknown adversary detected while waiting on child. */
 #define SUPHARDNT_ADVERSARY_UNKNOWN                 RT_BIT_32(31)
 …
 static void     supR3HardenedWinReInstallHooks(bool fFirst);
 DECLASM(void)   supR3HardenedEarlyProcessInitThunk(void);
+DECLASM(void)   supR3HardenedMonitor_KiUserApcDispatcher(void);
 …
+/**
+ * Dummy replacement routine we use for passifying unwanted user APC
+ * callbacks during early process initialization.
+ *
+ * @sa supR3HardenedMonitor_KiUserApcDispatcher_C
+ */
+static VOID NTAPI supR3HardenedWinDummyApcRoutine(PVOID pvArg1, PVOID pvArg2, PVOID pvArg3)
+{
+    SUP_DPRINTF(("supR3HardenedWinDummyApcRoutine: pvArg1=%p pvArg2=%p pvArg3=%p\n", pvArg1, pvArg2, pvArg3));
+    RT_NOREF(pvArg1, pvArg2, pvArg3);
+}
+/**
+ * This is called when ntdll!KiUserApcDispatcher is invoked (via
+ * supR3HardenedMonitor_KiUserApcDispatcher).
+ *
+ * The parent process hooks KiUserApcDispatcher before the guest starts
+ * executing. There should only be one APC request dispatched while the process
+ * is being initialized, and that's the one calling ntdll!LdrInitializeThunk.
+ *
+ * @returns Where to go to run the original code.
+ * @param   pvApcArgs   The APC dispatcher arguments.
+ */
+DECLASM(uintptr_t) supR3HardenedMonitor_KiUserApcDispatcher_C(void *pvApcArgs)
+{
+#ifdef RT_ARCH_AMD64
+    PCONTEXT   pCtx        = (PCONTEXT)pvApcArgs;
+    uintptr_t *ppfnRoutine = (uintptr_t *)&pCtx->P4Home;
+#else
+    struct X86APCCTX
+    {
+        uintptr_t   pfnRoutine;
+        uintptr_t   pvCtx;
+        uintptr_t   pvUser1;
+        uintptr_t   pvUser2;
+        CONTEXT     Ctx;
+    } *pCtx = (struct X86APCCTX *)pvApcArgs;
+    uintptr_t *ppfnRoutine = &pCtx->pfnRoutine;
+#endif
+    uintptr_t  pfnRoutine = *ppfnRoutine;
+    if (g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_HARDENED_MAIN_CALLED)
+    {
+        if (pfnRoutine == g_pfnLdrInitializeThunk) /* Note! we could use this to detect thread creation too. */
+            SUP_DPRINTF(("supR3HardenedMonitor_KiUserApcDispatcher_C: pfnRoutine=%p enmState=%d - okay\n",
+                         pfnRoutine, g_enmSupR3HardenedMainState));
+        else
+        {
+            *ppfnRoutine = (uintptr_t)supR3HardenedWinDummyApcRoutine;
+            SUP_DPRINTF(("supR3HardenedMonitor_KiUserApcDispatcher_C: pfnRoutine=%p enmState=%d -> supR3HardenedWinDummyApcRoutine\n",
+                         pfnRoutine, g_enmSupR3HardenedMainState));
+        }
+    }
+    return (uintptr_t)g_pfnKiUserApcDispatcherReal;
+}
 static void supR3HardenedWinHookFailed(const char *pszWhich, uint8_t const *pbPrologue)
+{
 …
     } const s_aPatches[] =
+    {
+        { sizeof(g_abNtCreateSectionPatch), g_abNtCreateSectionPatch, &g_pbNtCreateSection, "NtCreateSection" },
+        { sizeof(g_abLdrLoadDllPatch),      g_abLdrLoadDllPatch,      &g_pbLdrLoadDll,      "LdrLoadDll"      },
+        { sizeof(g_abNtCreateSectionPatch),     g_abNtCreateSectionPatch,     &g_pbNtCreateSection,     "NtCreateSection"     },
+        { sizeof(g_abLdrLoadDllPatch),          g_abLdrLoadDllPatch,          &g_pbLdrLoadDll,          "LdrLoadDll"          },
+        { sizeof(g_abKiUserApcDispatcherPatch), g_abKiUserApcDispatcherPatch, &g_pbKiUserApcDispatcher, "KiUserApcDispatcher" },
     };
 …
     //SUPR3HARDENED_ASSERT(pfnLdrLoadDll == (FARPROC)LdrLoadDll);
+    PFNRT pfnKiUserApcDispatcher = supR3HardenedWinGetRealDllSymbol("ntdll.dll", "KiUserApcDispatcher");
+    SUPR3HARDENED_ASSERT(pfnKiUserApcDispatcher != NULL);
+    g_pfnLdrInitializeThunk = (uintptr_t)supR3HardenedWinGetRealDllSymbol("ntdll.dll", "LdrInitializeThunk");
+    SUPR3HARDENED_ASSERT(g_pfnLdrInitializeThunk != NULL);
     /*
      * Exec page setup & management.
 …
     g_abLdrLoadDllPatch[0] = 0xe9;
     *(uint32_t *)&g_abLdrLoadDllPatch[1] = (uintptr_t)supR3HardenedMonitor_LdrLoadDll - (uintptr_t)&pbLdrLoadDll[1+4];
+#endif
+    /*
+     * Hook #3 - KiUserApcDispatcher
+     * Purpose: Prevent user APC to memory we (or our parent) has freed from
+     *          crashing the process.  Also ensures no code injection via user
+     *          APC during process init given the way we're vetting the APCs.
+     *
+     * This differs from the first function in that is no a system call and
+     * we're at the mercy of the handwritten assembly.
+     */
+    uint8_t * const pbKiUserApcDispatcher = (uint8_t *)(uintptr_t)pfnKiUserApcDispatcher;
+    g_pbKiUserApcDispatcher = pbKiUserApcDispatcher;
+    memcpy(g_abKiUserApcDispatcherPatch, pbKiUserApcDispatcher, sizeof(g_abKiUserApcDispatcherPatch));
+#ifdef RT_ARCH_AMD64
+    /*
+     * Patch 64-bit hosts.
+     */
+    /* Just use the disassembler to skip 12 bytes or more. */
+    offJmpBack = 0;
+    while (offJmpBack < 12)
+    {
+        cbInstr = 1;
+        int rc = DISInstr(pbKiUserApcDispatcher + offJmpBack, DISCPUMODE_64BIT, &Dis, &cbInstr);
+        if (   RT_FAILURE(rc)
+            || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW))
+            || (Dis.ModRM.Bits.Mod == 0 && Dis.ModRM.Bits.Rm == 5 /* wrt RIP */) )
+            supR3HardenedWinHookFailed("KiUserApcDispatcher", pbKiUserApcDispatcher);
+        offJmpBack += cbInstr;
+    }
+    /* Assemble the code for resuming the call.*/
+    *(PFNRT *)&g_pfnKiUserApcDispatcherReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
+    memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbKiUserApcDispatcher, offJmpBack);
+    offExecPage += offJmpBack;
+    g_abSupHardReadWriteExecPage[offExecPage++] = 0xff; /* jmp qword [$+8 wrt RIP] */
+    g_abSupHardReadWriteExecPage[offExecPage++] = 0x25;
+    *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = RT_ALIGN_32(offExecPage + 4, 8) - (offExecPage + 4);
+    offExecPage = RT_ALIGN_32(offExecPage + 4, 8);
+    *(uint64_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbKiUserApcDispatcher[offJmpBack];
+    offExecPage = RT_ALIGN_32(offExecPage + 8, 16);
+    /* Assemble the KiUserApcDispatcher patch. */
+    Assert(offJmpBack >= 12);
+    g_abKiUserApcDispatcherPatch[0]  = 0x48; /* mov rax, qword */
+    g_abKiUserApcDispatcherPatch[1]  = 0xb8;
+    *(uint64_t *)&g_abKiUserApcDispatcherPatch[2] = (uint64_t)supR3HardenedMonitor_KiUserApcDispatcher;
+    g_abKiUserApcDispatcherPatch[10] = 0xff; /* jmp rax */
+    g_abKiUserApcDispatcherPatch[11] = 0xe0;
+#else
+    /*
+     * Patch 32-bit hosts.
+     */
+    /* Just use the disassembler to skip 5 bytes or more. */
+    offJmpBack = 0;
+    while (offJmpBack < 5)
+    {
+        cbInstr = 1;
+        int rc = DISInstr(pbKiUserApcDispatcher + offJmpBack, DISCPUMODE_32BIT, &Dis, &cbInstr);
+        if (   RT_FAILURE(rc)
+            || (Dis.pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW)) )
+            supR3HardenedWinHookFailed("KiUserApcDispatcher", pbKiUserApcDispatcher);
+        offJmpBack += cbInstr;
+    }
+    /* Assemble the code for resuming the call.*/
+    *(PFNRT *)&g_pfnKiUserApcDispatcherReal = (PFNRT)(uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage];
+    memcpy(&g_abSupHardReadWriteExecPage[offExecPage], pbKiUserApcDispatcher, offJmpBack);
+    offExecPage += offJmpBack;
+    g_abSupHardReadWriteExecPage[offExecPage++] = 0xe9; /* jmp rel32 */
+    *(uint32_t *)&g_abSupHardReadWriteExecPage[offExecPage] = (uintptr_t)&pbKiUserApcDispatcher[offJmpBack]
+                                                            - (uintptr_t)&g_abSupHardReadWriteExecPage[offExecPage + 4];
+    offExecPage = RT_ALIGN_32(offExecPage + 4, 16);
+    /* Assemble the KiUserApcDispatcher patch. */
+    memcpy(g_abKiUserApcDispatcherPatch, pbKiUserApcDispatcher, sizeof(g_abKiUserApcDispatcherPatch));
+    Assert(offJmpBack >= 5);
+    g_abKiUserApcDispatcherPatch[0] = 0xe9;
+    *(uint32_t *)&g_abKiUserApcDispatcherPatch[1] = (uintptr_t)supR3HardenedMonitor_KiUserApcDispatcher - (uintptr_t)&pbKiUserApcDispatcher[1+4];
 #endif
 …
                                              PRTERRINFO pErrInfo)
+{
     SUP_DPRINTF(("supR3HardNtEnableThreadCreation:\n"));
+    SUP_DPRINTF(("supR3HardNtEnableThreadCreationEx:\n"));
     SUPR3HARDENED_ASSERT(cbBackup == 16);
 …
     if (!NT_SUCCESS(rcNt))
         return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
                              "supR3HardNtDisableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
+                             "supR3HardNtEnableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk failed: %#x", rcNt);
     SIZE_T cbIgnored;
 …
     if (!NT_SUCCESS(rcNt))
         return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
                              "supR3HardNtEnableThreadCreation: NtWriteVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
+                             "supR3HardNtEnableThreadCreationEx: NtWriteVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
                              rcNt);
 …
     if (!NT_SUCCESS(rcNt))
         return RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
                              "supR3HardNtEnableThreadCreation: NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
+                             "supR3HardNtEnableThreadCreationEx: NtProtectVirtualMemory/LdrInitializeThunk[restore] failed: %#x",
                              rcNt);
 …
         { SUPHARDNT_ADVERSARY_SOPHOS,               "SophosED" }, /* Not verified. */
+        { SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT,   "vmwicpdr" },
     };
 …
         { SUPHARDNT_ADVERSARY_SOPHOS, L"\\SystemRoot\\System32\\drivers\\SophosED.sys" }, // not verified
+        { SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT, L"\\SystemRoot\\System32\\drivers\\vmwicpdr.sys" },
+        { SUPHARDNT_ADVERSARY_HORIZON_VIEW_AGENT, L"\\SystemRoot\\System32\\drivers\\ftsjail.sys" },
     };
 …
         supR3HardenedWinRegisterDllNotificationCallback();
         supR3HardenedWinReInstallHooks(false /*fFirstCall */);
+        /*
+         * Flush user APCs before the g_enmSupR3HardenedMainState changes
+         * and disables the APC restrictions.
+         */
+        NtTestAlert();
+    }
 …
     LARGE_INTEGER Timeout;
     Timeout.QuadPart = -1200000000; /* 120 second */
     rcNt = pfnNtWaitForSingleObject(hEvtChild, FALSE /*Alertable*/, &Timeout);
+    rcNt = pfnNtWaitForSingleObject(hEvtChild, FALSE /*Alertable (never alertable before hooking!) */, &Timeout);
     if (rcNt != STATUS_SUCCESS)
         return 0x34; /* crash */

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMainA-win.asm

-              r76553
+              r80212
 ; External code.
 extern NAME(supR3HardenedEarlyProcessInit)
+extern NAME(supR3HardenedMonitor_KiUserApcDispatcher_C)
 …
 ENDPROC   supR3HardenedEarlyProcessInitThunk
+;;
+; Hook for KiUserApcDispatcher that validates user APC calls during early process
+; init to prevent calls going to or referring to executable memory we've freed
+; already.
+;
+; We just call C code here, just like supR3HardenedEarlyProcessInitThunk does.
+;
+; @sa supR3HardenedMonitor_KiUserApcDispatcher_C
+;
+BEGINPROC supR3HardenedMonitor_KiUserApcDispatcher
+        ;
+        ; Prologue.
+        ;
+        ; Reserve space for the "return" address.
+        push    0
+        ; Create a stack frame, saving xBP.
+        push    xBP
+        SEH64_PUSH_xBP
+        mov     xBP, xSP
+        SEH64_SET_FRAME_xBP 0 ; probably wrong...
+        ; Save all volatile registers.
+        push    xAX
+        push    xCX
+        push    xDX
+%ifdef RT_ARCH_AMD64
+        push    r8
+        push    r9
+        push    r10
+        push    r11
+%endif
+        ; Reserve spill space and align the stack.
+        sub     xSP, 20h
+        and     xSP, ~0fh
+        SEH64_END_PROLOGUE
+        ;
+        ; Call the C/C++ code that does the actual work.  This returns the
+        ; resume address in xAX, which we put in the "return" stack position.
+        ;
+        ; On AMD64, a CONTEXT structure is found at our RSP address when we're called.
+        ; On x86, there a 16 byte structure containing the two routines and their
+        ; arguments followed by a CONTEXT structure.
+        ;
+        lea     xCX, [xBP + xCB + xCB]
+%ifdef RT_ARCH_X86
+        mov     [xSP], xCX
+%endif
+        call    NAME(supR3HardenedMonitor_KiUserApcDispatcher_C)
+        mov     [xBP + xCB], xAX
+        ;
+        ; Restore volatile registers.
+        ;
+        mov     xAX, [xBP - xCB*1]
+        mov     xCX, [xBP - xCB*2]
+        mov     xDX, [xBP - xCB*3]
+%ifdef RT_ARCH_AMD64
+        mov     r8,  [xBP - xCB*4]
+        mov     r9,  [xBP - xCB*5]
+        mov     r10, [xBP - xCB*6]
+        mov     r11, [xBP - xCB*7]
+%endif
+        ;
+        ; Use the leave instruction to restore xBP and set up xSP to point at
+        ; the resume address. Then use the 'ret' instruction to execute the
+        ; original KiUserApcDispatcher code as if we've never been here...
+        ;
+        leave
+        ret
+ENDPROC   supR3HardenedMonitor_KiUserApcDispatcher

trunk/src/VBox/HostDrivers/Support/win/import-template-ntdll.h

r67979	r80212
51	51	SUPHARNT_IMPORT_SYSCALL(NtTerminateProcess, 8)
52	52	SUPHARNT_IMPORT_SYSCALL(NtTerminateThread, 8)
	53	SUPHARNT_IMPORT_SYSCALL(NtTestAlert, 0)
53	54	SUPHARNT_IMPORT_SYSCALL(NtUnmapViewOfSection, 8)
54	55	SUPHARNT_IMPORT_SYSCALL(NtWaitForMultipleObjects, 20)

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette