
Changeset 80216 in vbox for trunk/src/VBox/HostDrivers


Timestamp:
Aug 10, 2019 2:04:07 AM (5 years ago)
Author:
vboxsync
Message:

SUPHardNt: Restore text and import sections for ntdll, kernelbase and kernel32 for the first process too to try shake nasty stuff like easyhook that modifies the initial thread context and crashes the guest when trying to execute memory we've freed up during child purification.

Location:
trunk/src/VBox/HostDrivers/Support
Files:
4 edited

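--- a/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
@@ -2518,5 +2518,5 @@
     {
         SUP_DPRINTF(("SUPR3HardenedMain: Respawn #1\n"));
-        supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV, false /*fAvastKludge*/);
+        supR3HardenedWinInit(SUPSECMAIN_FLAGS_DONT_OPEN_DEV | SUPSECMAIN_FLAGS_FIRST_PROCESS, false /*fAvastKludge*/);
         supR3HardenedVerifyAll(true /* fFatal */, pszProgName, g_szSupLibHardenedExePath, fFlags);
         return supR3HardenedWinReSpawn(1 /*iWhich*/);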
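Review bot: The added SUPSECMAIN_FLAGS_FIRST_PROCESS on the respawn #1 call carries no comment at the call site, so a reader has to open supR3HardenedWinInit in SUPR3HardenedMain-win.cpp to learn that the flag triggers a limited self-purification whose result is deliberately ignored. A short comment on the new line would keep that visible where the flag is chosen: `/* FIRST_PROCESS: best-effort limited purification of the initial process before respawning. */`. The enclosing function starts and ends outside the hunk.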
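--- a/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
@@ -55,4 +55,5 @@
     SUPHARDNTVPKIND_CHILD_PURIFICATION,
     SUPHARDNTVPKIND_SELF_PURIFICATION,
+    SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED,
     SUPHARDNTVPKIND_32BIT_HACK = 0x7fffffff
 } SUPHARDNTVPKIND;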
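Review bot: The new enumerator SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED is added without a comment saying how it differs from SUPHARDNTVPKIND_SELF_PURIFICATION, which is the distinction every other hunk in this changeset relies on. From the SUPHardenedVerifyProcess-win.cpp hunks it skips the thread check, logs and keeps unknown memory regions instead of unmapping them, and does not report found executable memory; a Doxygen line above the enumerator stating that, e.g. `/** Like SELF_PURIFICATION but without the thread check; unknown and executable memory is tolerated. First-process use only. */`, would document the contract where it is declared. The enclosing typedef starts outside the hunk.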
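--- a/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
@@ -492,5 +492,6 @@
 #ifdef IN_RING3
             if (   pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION
-                || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION)
+                || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION
+                || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
             {
                 PVOID pvRestoreAddr = (uint8_t *)pImage->uImageBase + uRva;
@@ -532,5 +533,6 @@
         return VINF_SUCCESS;
     if (   pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION
-        || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION)
+        || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION
+        || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
         return VINF_SUCCESS;
 
@@ -1357,4 +1359,10 @@
             pThis->cFixes++;
             SUP_DPRINTF(("supHardNtVpScanVirtualMemory: NtUnmapViewOfSection(,%p) failed: %#x\n", pMemInfo->AllocationBase, rcNt));
+        }
+        else if (pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
+        {
+            SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Ignoring unknown mem at %p LB %#zx (base %p) - '%ls'\n",
+                         pMemInfo->BaseAddress, pMemInfo->RegionSize, pMemInfo->AllocationBase, pwszFilename));
+            return VINF_OBJECT_DESTROYED;
         }
 #endif
@@ -1877,5 +1885,5 @@
                 pThis->cFixes++;
             }
-            else
+            else if (pThis->enmKind != SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
 # endif /* IN_RING3 */
                 supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FOUND_EXEC_MEMORY,
@@ -2436,5 +2444,6 @@
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_NTDLL_MAPPING,
                                    "The process has no NTDLL.DLL.");
-    if (iKernel32 == UINT32_MAX && pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION)
+    if (iKernel32 == UINT32_MAX && (   pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION
+                                    || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED))
         return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_KERNEL32_MAPPING,
                                    "The process has no KERNEL32.DLL.");
@@ -2492,5 +2501,6 @@
      */
     int rc = VINF_SUCCESS;
-    if (enmKind != SUPHARDNTVPKIND_CHILD_PURIFICATION)
+    if (   enmKind != SUPHARDNTVPKIND_CHILD_PURIFICATION
+        && enmKind != SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
        rc = supHardNtVpThread(hProcess, hThread, pErrInfo);
     if (RT_SUCCESS(rc))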
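Review bot: In the hunk at new lines 1885-1889 the limited-purification case is skipped silently by `else if (pThis->enmKind != SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)`, whereas the parallel limited case at new lines 1362-1366 logs the region it leaves alone; executable memory that is neither unmapped nor reported is the main thing this mode tolerates, so a log line there in the style of line 1364 (assuming the same region variables are in scope at that point), or at least a comment `/* Limited purification: leave it, the respawned child gets full purification. */`, would keep the first-process behaviour diagnosable. Returning VINF_OBJECT_DESTROYED at line 1366 for a region that is deliberately left mapped also deserves a comment, since the status name suggests the opposite; presumably the caller treats it as "stop processing this region", which is worth confirming. The functions containing these hunks start and end outside them.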
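--- a/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
+++ b/trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp
@@ -5157,4 +5157,18 @@
          */
         supR3HardenedWinInstallHooks();
+    }
+    else if (fFlags & SUPSECMAIN_FLAGS_FIRST_PROCESS)
+    {
+        /*
+         * Try shake anyone (e.g. easyhook) patching process creation code in
+         * kernelbase, kernel32 or ntdll so they won't so easily cause the child
+         * to crash when we respawn and purify it.
+         */
+        SUP_DPRINTF(("supR3HardenedWinInit: doing limited purification...\n"));
+        uint32_t cFixes = 0;
+        rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED,
+                                         0 /*fFlags*/, &cFixes, NULL /*pErrInfo*/);
+        SUP_DPRINTF(("supR3HardenedWinInit: SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED -> %Rrc, cFixes=%d\n", rc, cFixes));
+        RT_NOREF(rc); /* ignored on purpose */
     }
 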
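Review bot: On new line 5171 `cFixes`, declared `uint32_t` on line 5168, is printed with `%d`; the matching specifier is `%u`: `SUP_DPRINTF(("supR3HardenedWinInit: SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED -> %Rrc, cFixes=%u\n", rc, cFixes));`. Dropping the result with `RT_NOREF(rc); /* ignored on purpose */` matches the commit message, since the respawned child still gets full purification, but the comment would help more if it said so: `/* ignored on purpose: best effort, the child is fully purified after respawn */`. Because `rc` is reused rather than a fresh local, it is worth confirming that nothing after this branch reads `rc` expecting the earlier value; the enclosing `if` chain and function start outside the hunk.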