Changeset 97023 in vbox for trunk/src/VBox/HostDrivers

Timestamp:

Oct 6, 2022 8:23:59 AM (2 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

153956

Message:

SUP: Check inherited handles in bugging VM processes. bugref:10294

Location:

trunk/src/VBox/HostDrivers/Support/win

Files:

• SUPDrv-win.cpp (modified) (4 diffs)
• SUPHardenedVerifyProcess-win.cpp (modified) (2 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -4943 +4943 @@
 
 
+static const char *supdrvNtProtectHandleTypeIndexToName(ULONG idxType, char *pszName, size_t cbName)
+{
+    /*
+     * Query the object types.
+     */
+    uint32_t  cbBuf    = _8K;
+    uint8_t  *pbBuf    = (uint8_t *)RTMemAllocZ(_8K);
+    ULONG     cbNeeded = cbBuf;
+    NTSTATUS rcNt = NtQueryObject(NULL, ObjectTypesInformation, pbBuf, cbBuf, &cbNeeded);
+    while (rcNt == STATUS_INFO_LENGTH_MISMATCH)
+    {
+        cbBuf = RT_ALIGN_32(cbNeeded + 256, _64K);
+        RTMemFree(pbBuf);
+        pbBuf = (uint8_t *)RTMemAllocZ(cbBuf);
+        if (pbBuf)
+            rcNt = NtQueryObject(NULL, ObjectTypesInformation, pbBuf, cbBuf, &cbNeeded);
+        else
+            break;
+    }
+    if (NT_SUCCESS(rcNt))
+    {
+        Assert(cbNeeded <= cbBuf);
+
+        POBJECT_TYPES_INFORMATION pObjTypes = (OBJECT_TYPES_INFORMATION *)pbBuf;
+        POBJECT_TYPE_INFORMATION  pCurType  = &pObjTypes->FirstType;
+        ULONG cLeft = pObjTypes->NumberOfTypes;
+        while (cLeft-- > 0 && (uintptr_t)&pCurType[1] - (uintptr_t)pbBuf < cbNeeded)
+        {
+            if (pCurType->TypeIndex == idxType)
+            {
+                PCRTUTF16 const pwszSrc = pCurType->TypeName.Buffer;
+                AssertBreak(pwszSrc);
+                size_t          idxName = pCurType->TypeName.Length / sizeof(RTUTF16);
+                AssertBreak(idxName > 0);
+                AssertBreak(idxName < 128);
+                if (idxName >= cbName)
+                    idxName = cbName - 1;
+                pszName[idxName] = '\0';
+                while (idxName-- > 0)
+                    pszName[idxName] = (char )pwszSrc[idxName];
+                RTMemFree(pbBuf);
+                return pszName;
+            }
+
+            /* next */
+            pCurType = (POBJECT_TYPE_INFORMATION)(  (uintptr_t)pCurType->TypeName.Buffer
+                                                  + RT_ALIGN_32(pCurType->TypeName.MaximumLength, sizeof(uintptr_t)));
+        }
+    }
+
+    RTMemFree(pbBuf);
+    return "unknown";
+}
+
+
 /**
  * Worker for supdrvNtProtectVerifyProcess that verifies the handles to a VM
@@ -5009 +5064 @@
     uint32_t cBenignThreadHandles  = 0;
 
+    uint32_t cEvilInheritableHandles   = 0;
+    uint32_t cBenignInheritableHandles = 0;
+    char     szTmpName[32];
+
     SYSTEM_HANDLE_INFORMATION_EX const *pInfo = (SYSTEM_HANDLE_INFORMATION_EX const *)pbBuf;
     ULONG_PTR i = pInfo->NumberOfHandles;
@@ -5070 +5129 @@
             cEvilThreadHandles++;
             pszType = "thread";
+        }
+        else if (   (pHandleInfo->HandleAttributes & OBJ_INHERIT)
+                 && pHandleInfo->UniqueProcessId == hProtectedPid)
+        {
+            /* No handles should be marked inheritable, except files and two events.
+               Handles to NT 'directory' objects are especially evil, because of
+               KnownDlls faking. See bugref{10294} for details.
+
+               Correlating the ObjectTypeIndex to a type is complicated, so instead
+               we try referecing the handle and check the type that way.  So, only
+               file and events objects are allowed to be marked inheritable at the
+               moment. Add more in whitelist fashion if needed. */
+            void *pvObject = NULL;
+            rcNt = ObReferenceObjectByHandle(pHandleInfo->HandleValue, 0, *IoFileObjectType, KernelMode, &pvObject, NULL);
+            if (rcNt == STATUS_OBJECT_TYPE_MISMATCH)
+                rcNt = ObReferenceObjectByHandle(pHandleInfo->HandleValue, 0, *ExEventObjectType, KernelMode, &pvObject, NULL);
+            if (NT_SUCCESS(rcNt))
+            {
+                ObDereferenceObject(pvObject);
+                cBenignInheritableHandles++;
+                continue;
+            }
+
+            if (rcNt != STATUS_OBJECT_TYPE_MISMATCH)
+            {
+                cBenignInheritableHandles++;
+                continue;
+            }
+
+            cEvilInheritableHandles++;
+            pszType = supdrvNtProtectHandleTypeIndexToName(pHandleInfo->ObjectTypeIndex, szTmpName, sizeof(szTmpName));
         }
         else
@@ -5100 +5190 @@
             || g_pfnObRegisterCallbacks)
         {
-            LogRel(("vboxdrv: Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s\n",
+            LogRel(("vboxdrv: Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s (%u)\n",
                     pHandleInfo->UniqueProcessId, pHandleInfo->HandleValue,
-                    pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType));
+                    pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType, pHandleInfo->ObjectTypeIndex));
             rc = RTErrInfoAddF(pErrInfo, VERR_SUPDRV_HARDENING_EVIL_HANDLE,
                                *pErrInfo->pszMsg
-                               ? "\nFound evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s"
-                               : "Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s",
+                               ? "\nFound evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s (%u)"
+                               : "Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s (%u)",
                                pHandleInfo->UniqueProcessId, pHandleInfo->HandleValue,
-                               pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType);
+                               pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType, pHandleInfo->ObjectTypeIndex);
 
             /* Try add the process name. */

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp

@@ -2486 +2486 @@
 
 
+#ifdef IN_RING3
+/**
+ * Verifies that we don't have any inheritable handles around, other than a few
+ * ones for file and event objects.
+ *
+ * When finding an inheritable handle of a different type, it will change it to
+ * non-inhertiable.  This must NOT be called in the final process prior to
+ * opening the device!
+ *
+ * @returns VBox status code
+ * @param   pThis               The process scanning state structure.
+ */
+static int supHardNtVpCheckHandles(PSUPHNTVPSTATE pThis)
+{
+    SUP_DPRINTF(("supHardNtVpCheckHandles:\n"));
+
+    /*
+     * Take a snapshot of all the handles in the system.
+     * (Because the current process handle snapshot was added in Windows 8,
+     * so we cannot use that yet.)
+     */
+    uint32_t    cbBuf    = _256K;
+    uint8_t    *pbBuf    = (uint8_t *)RTMemAlloc(cbBuf);
+    ULONG       cbNeeded = cbBuf;
+    NTSTATUS rcNt = NtQuerySystemInformation(SystemExtendedHandleInformation, pbBuf, cbBuf, &cbNeeded);
+    if (!NT_SUCCESS(rcNt))
+    {
+        while (   rcNt == STATUS_INFO_LENGTH_MISMATCH
+               && cbNeeded > cbBuf
+               && cbBuf <= _32M)
+        {
+            cbBuf = RT_ALIGN_32(cbNeeded + _4K, _64K);
+            RTMemFree(pbBuf);
+            pbBuf = (uint8_t *)RTMemAlloc(cbBuf);
+            if (!pbBuf)
+                return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_MEMORY, "Failed to allocate %zu bytes querying handles.", cbBuf);
+            rcNt = NtQuerySystemInformation(SystemExtendedHandleInformation, pbBuf, cbBuf, &cbNeeded);
+        }
+        if (!NT_SUCCESS(rcNt))
+        {
+            RTMemFree(pbBuf);
+            return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_MEMORY, "Failed to allocate %zu bytes querying handles.", cbBuf);
+        }
+    }
+
+    /*
+     * Examine the snapshot for handles for this process.
+     */
+    int                                 rcRet     = VINF_SUCCESS;
+    HANDLE const                        idProcess = RTNtCurrentTeb()->ClientId.UniqueProcess;
+    SYSTEM_HANDLE_INFORMATION_EX const *pInfo     = (SYSTEM_HANDLE_INFORMATION_EX const *)pbBuf;
+    ULONG_PTR                           i         = pInfo->NumberOfHandles;
+    AssertRelease(RT_UOFFSETOF_DYN(SYSTEM_HANDLE_INFORMATION_EX, Handles[i]) == cbNeeded);
+    while (i-- > 0)
+    {
+        SYSTEM_HANDLE_ENTRY_INFO_EX const *pHandleInfo = &pInfo->Handles[i];
+        if (   (pHandleInfo->HandleAttributes & OBJ_INHERIT)
+            && pHandleInfo->UniqueProcessId == idProcess)
+        {
+            ULONG cbNeeded2 = 0;
+            rcNt = NtQueryObject(pHandleInfo->HandleValue, ObjectTypeInformation,
+                                 pThis->abMemory, sizeof(pThis->abMemory), &cbNeeded2);
+            if (NT_SUCCESS(rcNt))
+            {
+                POBJECT_TYPE_INFORMATION pTypeInfo = (POBJECT_TYPE_INFORMATION)pThis->abMemory;
+                if (   pTypeInfo->TypeName.Length == sizeof(L"File") - sizeof(wchar_t)
+                    && memcmp(pTypeInfo->TypeName.Buffer, L"File", sizeof(L"File") - sizeof(wchar_t)) == 0)
+                    SUP_DPRINTF(("supHardNtVpCheckHandles: Inheritable file handle: %p\n", pHandleInfo->HandleValue));
+                else if (   pTypeInfo->TypeName.Length == sizeof(L"Event") - sizeof(wchar_t)
+                         && memcmp(pTypeInfo->TypeName.Buffer, L"Event", sizeof(L"Event") - sizeof(wchar_t)) == 0)
+                    SUP_DPRINTF(("supHardNtVpCheckHandles: Inheritable event handle: %p\n", pHandleInfo->HandleValue));
+                else
+                {
+                    OBJECT_HANDLE_FLAG_INFORMATION SetInfo;
+                    SetInfo.Inherit = FALSE;
+                    SetInfo.ProtectFromClose = FALSE;
+                    rcNt = NtSetInformationObject(pHandleInfo->HandleValue, ObjectHandleFlagInformation,
+                                                  &SetInfo, sizeof(SetInfo));
+                    if (NT_SUCCESS(rcNt))
+                    {
+                        SUP_DPRINTF(("supHardNtVpCheckHandles: Marked %ls handle non-inheritable: %p\n",
+                                     pTypeInfo->TypeName.Buffer, pHandleInfo->HandleValue));
+                        pThis->cFixes++;
+                    }
+                    else
+                    {
+                        rcRet = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SET_HANDLE_NOINHERIT,
+                                                    "NtSetInformationObject(%p,,,) -> %#x", pHandleInfo->HandleValue, rcNt);
+                        break;
+                    }
+                }
+            }
+            else
+            {
+                rcRet = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_QUERY_HANDLE_TYPE,
+                                            "NtQueryObject(%p,,,,) -> %#x", pHandleInfo->HandleValue, rcNt);
+                break;
+            }
+
+        }
+    }
+    RTMemFree(pbBuf);
+    return rcRet;
+}
+#endif /* IN_RING3 */
+
+
 /**
  * Verifies the given process.
@@ -2549 +2656 @@
             if (RT_SUCCESS(rc))
                 rc = supHardNtVpCheckDlls(pThis);
+#ifdef IN_RING3
+            if (enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION_LIMITED)
+                rc = supHardNtVpCheckHandles(pThis);
+#endif
 
             if (pcFixes)