Lines Matching defs:hProcess

143     HANDLE                  hProcess;
326 static NTSTATUS supHardNtVpReadMem(HANDLE hProcess, uintptr_t uPtr, void *pvBuf, size_t cbRead)
329 /* ASSUMES hProcess is the current process. */
337 NTSTATUS rcNt = NtReadVirtualMemory(hProcess, (PVOID)uPtr, pvBuf, cbRead, &cbIgn);
352 NTSTATUS rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, PAGE_READWRITE, &fOldProt);
356 rcNt = NtWriteVirtualMemory(pThis->hProcess, pvRestoreAddr, pbFile, cbToRestore, &cbIgnored);
360 NTSTATUS rcNt2 = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, fCorrectProtection, &fOldProt);
424 NTSTATUS rcNt = supHardNtVpReadMem(pThis->hProcess, pImage->uImageBase + uRva, pbMemory, cbThis);
689 * @param hProcess Handle to the process.
692 static int supHardNtVpVerifyImageMemoryCompare(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, HANDLE hProcess, PRTERRINFO pErrInfo)
1008 * @param hProcess Handle to the process.
1011 static int supHardNtVpVerifyImage(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, HANDLE hProcess)
1022 rc = supHardNtVpVerifyImageMemoryCompare(pThis, pImage, hProcess, pThis->pErrInfo);
1034 * @param hProcess The process.
1038 DECLHIDDEN(int) supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo)
1055 /** @todo Would be nice to verify the relationship between hProcess and hThread
1065 * @param hProcess The process.
1068 DECLHIDDEN(int) supHardNtVpDebugger(HANDLE hProcess, PRTERRINFO pErrInfo)
1077 NTSTATUS rcNt = NtQueryInformationProcess(hProcess,
1417 NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pMemInfo->AllocationBase);
1551 * @param hProcess The process to verify.
1555 static bool supHardNtVpFreeOrReplacePrivateExecMemory(PSUPHNTVPSTATE pThis, HANDLE hProcess,
1570 rcNt = g_pfnNtQueryVirtualMemory(hProcess,
1602 rcNt = supHardNtVpReadMem(hProcess, uCopySrc, pvCopy, cbCopy);
1616 rcNt = NtFreeVirtualMemory(hProcess, &pvFreeInOut, &cbFreeInOut, MEM_RELEASE);
1629 rcNt = NtFreeVirtualMemory(hProcess, &pvFreeInOut, &cbFreeInOut, MEM_RELEASE);
1643 rcNt = NtFreeVirtualMemory(hProcess, &pvFreeInOut, &cbFreeInOut, MEM_RELEASE);
1666 NTSTATUS rcNt2 = g_pfnNtQueryVirtualMemory(hProcess, pvFree, MemoryBasicInformation,
1689 rcNt = NtAllocateVirtualMemory(hProcess, &pvAlloc, 0, &cbAlloc, MEM_COMMIT, PAGE_READWRITE);
1698 NtTerminateProcess(hProcess, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED);
1709 NtTerminateProcess(hProcess, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED);
1739 rcNt = NtWriteVirtualMemory(hProcess, pbDst, pbSrc, cbSrc, &cbWritten);
1751 NtTerminateProcess(hProcess, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED);
1771 * @param hProcess The process to verify.
1773 static int supHardNtVpScanVirtualMemory(PSUPHNTVPSTATE pThis, HANDLE hProcess)
1790 NTSTATUS rcNt = g_pfnNtQueryVirtualMemory(hProcess,
1812 rcNt = g_pfnNtQueryVirtualMemory(hProcess,
1900 if (!supHardNtVpFreeOrReplacePrivateExecMemory(pThis, hProcess, &MemInfo))
1910 rcNt = NtUnmapViewOfSection(hProcess, MemInfo.AllocationBase);
1915 NTSTATUS rcNt2 = NtProtectVirtualMemory(hProcess, &pvCopy, &cbCopy, PAGE_NOACCESS, NULL);
1917 rcNt2 = NtProtectVirtualMemory(hProcess, &pvCopy, &cbCopy, PAGE_READONLY, NULL);
2339 * @param hProcess The process to verify.
2341 static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis, HANDLE hProcess)
2375 NTSTATUS rcNt = NtQueryInformationProcess(hProcess, ProcessImageFileName, pUniStr, cbUniStr - sizeof(WCHAR), &cbIgn);
2399 rc = supHardNtVpVerifyImage(pThis, pImage, hProcess);
2409 rcNt = NtQueryInformationProcess(hProcess, ProcessImageInformation, &ImageInfo, sizeof(ImageInfo), NULL);
2414 && hProcess != NtCurrentProcess() )
2417 "NtQueryInformationProcess/ProcessImageInformation failed: %#x hProcess=%#x", rcNt, hProcess);
2452 * @param hProcess The process to verify.
2454 static int supHardNtVpCheckDlls(PSUPHNTVPSTATE pThis, HANDLE hProcess)
2499 int rc = supHardNtVpVerifyImage(pThis, &pThis->aImages[i], hProcess);
2523 * @param hProcess The process to verify.
2531 DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags,
2543 rc = supHardNtVpThread(hProcess, hThread, pErrInfo);
2545 rc = supHardNtVpDebugger(hProcess, pErrInfo);
2557 pThis->hProcess = hProcess;
2563 rc = supHardNtVpScanVirtualMemory(pThis, hProcess);
2567 rc = supHardNtVpCheckExe(pThis, hProcess);
2569 rc = supHardNtVpCheckDlls(pThis, hProcess);