13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/nt/nt-and-windows.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <AccCtrl.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <AclApi.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifndef PROCESS_SET_LIMITED_INFORMATION

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define PROCESS_SET_LIMITED_INFORMATION 0x2000

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define LOAD_LIBRARY_SEARCH_APPLICATION_DIR 0x200

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define LOAD_LIBRARY_SEARCH_SYSTEM32 0x800

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <VBox/sup.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <VBox/err.h>

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync#include <VBox/dis.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/ctype.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/string.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/initterm.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/param.h>

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync#include <iprt/path.h>

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync#include <iprt/thread.h>

edde275acba04aca58db4172a163741e3abadfbcvboxsync#include <iprt/zero.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include "SUPLibInternal.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include "win/SUPHardenedVerify-win.h"

40839c441cb305d84420565f7ca25403d8177413vboxsync#include "../SUPDrvIOC.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync#ifndef IMAGE_SCN_TYPE_NOLOAD

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync# define IMAGE_SCN_TYPE_NOLOAD 0x00000002

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync#endif

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a1d9d394b49969e730c5a8e037ea2d672a48dbf6vboxsync#define SUPR3_RESPAWN_1_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild"

edde275acba04aca58db4172a163741e3abadfbcvboxsync

a1d9d394b49969e730c5a8e037ea2d672a48dbf6vboxsync#define SUPR3_RESPAWN_2_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPR3HARDENED_ASSERT(a_Expr) \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync do { \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!(a_Expr)) \

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync supR3HardenedFatal("%s: %s\n", __FUNCTION__, #a_Expr); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } while (0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPR3HARDENED_ASSERT_NT_SUCCESS(a_Expr) \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync do { \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync NTSTATUS rcNtAssert = (a_Expr); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!NT_SUCCESS(rcNtAssert)) \

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, rcNtAssert); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } while (0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPR3HARDENED_ASSERT_WIN32_SUCCESS(a_Expr) \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync do { \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync BOOL fRcAssert = (a_Expr); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (fRcAssert == FALSE) \

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, GetLastError()); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } while (0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef struct MYSECURITYCLEANUP

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync union

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync SID Sid;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint8_t abPadding[SECURITY_MAX_SID_SIZE];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } Everyone, Owner, User, Login;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync union

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync ACL AclHdr;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint8_t abPadding[1024];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } Acl;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PSECURITY_DESCRIPTOR pSecDesc;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync} MYSECURITYCLEANUP;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef MYSECURITYCLEANUP *PMYSECURITYCLEANUP;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef struct VERIFIERCACHEENTRY

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** Pointer to the next entry with the same hash value. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync struct VERIFIERCACHEENTRY * volatile pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** Next entry in the WinVerifyTrust todo list. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync struct VERIFIERCACHEENTRY * volatile pNextTodoWvt;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The file handle. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync HANDLE hFile;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** If fIndexNumber is set, this is an file system internal file identifier. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync LARGE_INTEGER IndexNumber;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The path hash value. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The verification result. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync int rc;

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync /** Used for shutting up errors after a while. */

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync uint32_t volatile cErrorHits;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /** The validation flags (for WinVerifyTrust retry). */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync uint32_t fFlags;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** Whether IndexNumber is valid */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync bool fIndexNumberValid;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** Whether verified by WinVerifyTrust. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync bool volatile fWinVerifyTrust;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** cwcPath * sizeof(RTUTF16). */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint16_t cbPath;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The full path of this entry (variable size). */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wszPath[1];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync} VERIFIERCACHEENTRY;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef VERIFIERCACHEENTRY *PVERIFIERCACHEENTRY;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsynctypedef struct VERIFIERCACHEIMPORT

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** Pointer to the next DLL in the list. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync struct VERIFIERCACHEIMPORT * volatile pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** The length of pwszAltSearchDir if available. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cwcAltSearchDir;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** This points the directory containing the DLL needing it, this will be

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PWCHAR pwszAltSearchDir;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** The name of the import DLL (variable length). */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync char szName[1];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync} VERIFIERCACHEIMPORT;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsynctypedef VERIFIERCACHEIMPORT *PVERIFIERCACHEIMPORT;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncuint32_t g_uNtVerCombined = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic uint32_t volatile g_cSuplibHardenedWindowsMainCalls;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncRTUTF16 g_wszSupLibHardenedExePath[1024];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncSUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncuint32_t g_offSupLibHardenedExeNtName;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncextern "C" PFNRT g_pfnNtCreateSectionJmpBack = NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic NTSTATUS (NTAPI * g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PLARGE_INTEGER, ULONG, ULONG, HANDLE);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync#if 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncextern "C" PFNRT g_pfnLdrLoadDllJmpBack = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync#endif

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic NTSTATUS (NTAPI * g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic PVERIFIERCACHEENTRY volatile g_apVerifierCache[128];

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic PVERIFIERCACHEENTRY volatile g_pVerifierCacheTodoWvt = NULL;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic RTERRINFOSTATIC g_ErrInfoStatic;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncextern "C" uint8_t g_abSupHardReadWriteExecPage[PAGE_SIZE];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

8302394f164acb4adb187954f6ac8ef7a9efa629vboxsyncstatic bool g_fSupInitThunkSelfPatched;

8302394f164acb4adb187954f6ac8ef7a9efa629vboxsyncstatic uint8_t g_abLdrInitThunkSelfBackup[16];

8302394f164acb4adb187954f6ac8ef7a9efa629vboxsync

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsyncstatic uint32_t g_fSupAdversaries = 0;

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync#define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(4)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(5)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(6)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(7)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(8)

100b161379af7255c69e27587cc746e5f76ff050vboxsync#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(9)

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync#define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31)

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, PULONG pfAccess, PULONG pfProtect,

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync bool *pfQuietFailure);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifdef RT_ARCH_AMD64

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# include "NtCreateSection-template-amd64-syscall-type-1.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# undef SYSCALL

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifdef RT_ARCH_X86

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# include "NtCreateSection-template-x86-syscall-type-1.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# undef SYSCALL

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic PRTUTF16 suplibHardenedWStrChr(PCRTUTF16 pwszHaystack, RTUTF16 wcNeedle)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync for (;;)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wcCur = *pwszHaystack;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (wcCur == wcNeedle)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return (PRTUTF16)pwszHaystack;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (wcCur == '\0')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pwszHaystack++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic size_t suplibHardenedWStrLen(PCRTUTF16 pwsz)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PCRTUTF16 pwszCur = pwsz;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (*pwszCur != '\0')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pwszCur++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pwszCur - pwsz;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncDECLHIDDEN(void *) suplibHardenedAllocZ(size_t cb)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync void *pv = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cb);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!pv)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync supR3HardenedFatal("HeapAlloc failed to allocate %zu bytes.\n", cb);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pv;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncDECLHIDDEN(void *) suplibHardenedReAlloc(void *pvOld, size_t cbNew)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!pvOld)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return suplibHardenedAllocZ(cbNew);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync void *pv = HeapReAlloc(GetProcessHeap(), 0 /*dwFlags*/, pvOld, cbNew);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!pv)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync supR3HardenedFatal("HeapReAlloc failed to allocate %zu bytes.\n", cbNew);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pv;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncDECLHIDDEN(void) suplibHardenedFree(void *pv)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (pv)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pv);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncDECLHIDDEN(void *) supR3HardenedWinLoadLibrary(const char *pszName, bool fSystem32Only)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync WCHAR wszPath[RTPATH_MAX];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PRTUTF16 pwszPath = wszPath;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync int rc = RTStrToUtf16Ex(pszName, RTSTR_MAX, &pwszPath, RT_ELEMENTS(wszPath), NULL);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (RT_SUCCESS(rc))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (*pwszPath)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (*pwszPath == '/')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync *pwszPath = '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pwszPath++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync DWORD fFlags = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync fFlags |= LOAD_LIBRARY_SEARCH_SYSTEM32;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!fSystem32Only)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync fFlags |= LOAD_LIBRARY_SEARCH_APPLICATION_DIR;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync void *pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, fFlags);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /* Vista, W7, W2K8R might not work without KB2533623, so retry with no flags. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if ( !pvRet

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && fFlags

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && GetLastError() == ERROR_INVALID_PARAMETER)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, 0);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pvRet;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync supR3HardenedFatal("RTStrToUtf16Ex failed on '%s': %Rrc", pszName, rc);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic bool supR3HardenedWinVerifyCacheGetIndexNumber(HANDLE hFile, PLARGE_INTEGER pIndexNumber)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, pIndexNumber, sizeof(*pIndexNumber), FileInternalInformation);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (NT_SUCCESS(rcNt))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync rcNt = Ios.Status;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifdef DEBUG_bird

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!NT_SUCCESS(rcNt))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync __debugbreak();

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return NT_SUCCESS(rcNt) && pIndexNumber->QuadPart != 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic uint32_t supR3HardenedWinVerifyCacheHashPath(PCUNICODE_STRING pUniStr)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t uHash = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync unsigned cwcLeft = pUniStr->Length / sizeof(WCHAR);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PRTUTF16 pwc = pUniStr->Buffer;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (cwcLeft-- > 0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wc = *pwc++;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (wc < 0x80)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uHash = wc + (uHash << 6) + (uHash << 16) - uHash;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return uHash;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic uint32_t supR3HardenedWinVerifyCacheHashDirAndFile(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t uHash = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (cwcDir-- > 0)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTUTF16 wc = *pawcDir++;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (wc < 0x80)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uHash = wc + (uHash << 6) + (uHash << 16) - uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync unsigned char ch = '\\';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uHash = ch + (uHash << 6) + (uHash << 16) - uHash;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while ((ch = *pszName++) != '\0')

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync ch = RT_C_TO_LOWER(ch);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uHash = ch + (uHash << 6) + (uHash << 16) - uHash;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic bool supR3HardenedWinVerifyCacheIsMatch(PCRTUTF16 pawcLeft, PCRTUTF16 pawcRight, uint32_t cwcToCompare)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Try a quick memory compare first. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (memcmp(pawcLeft, pawcRight, cwcToCompare * sizeof(RTUTF16)) == 0)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return true;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Slow char by char compare. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (cwcToCompare-- > 0)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTUTF16 wcLeft = *pawcLeft++;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTUTF16 wcRight = *pawcRight++;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (wcLeft != wcRight)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync wcLeft = wcLeft != '/' ? RT_C_TO_LOWER(wcLeft) : '\\';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync wcLeft = wcRight != '/' ? RT_C_TO_LOWER(wcRight) : '\\';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (wcLeft != wcRight)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return false;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return true;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync bool fWinVerifyTrust, uint32_t fFlags)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEENTRY pEntry = (PVERIFIERCACHEENTRY)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync sizeof(VERIFIERCACHEENTRY) + pUniStr->Length);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pEntry)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->pNext = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->pNextTodoWvt = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->hFile = hFile;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync pEntry->rc = rc;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pEntry->fFlags = fFlags;

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync pEntry->cErrorHits = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->fWinVerifyTrust = fWinVerifyTrust;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->cbPath = pUniStr->Length;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync memcpy(pEntry->wszPath, pUniStr->Buffer, pUniStr->Length);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->wszPath[pUniStr->Length / sizeof(WCHAR)] = '\0';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &pEntry->IndexNumber);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iHashTab = pEntry->uHash % RT_ELEMENTS(g_apVerifierCache);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync VERIFIERCACHEENTRY * volatile *ppEntry = &g_apVerifierCache[iHashTab];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (;;)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (ASMAtomicCmpXchgPtr(ppEntry, pEntry, NULL))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!fWinVerifyTrust)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->pNextTodoWvt = g_pVerifierCacheTodoWvt;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pEntry, pEntry->pNextTodoWvt));

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheInsert: %ls\n", pUniStr->Buffer));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEENTRY pOther = *ppEntry;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pOther)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( pOther->uHash == pEntry->uHash

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && pOther->cbPath == pEntry->cbPath

e17f6f8a70a7709a9a6319d9a473596fb600b552vboxsync && supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath / sizeof(RTUTF16)))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync break;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync ppEntry = &pOther->pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /* Duplicate entry (may happen due to races). */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pEntry);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync NtClose(hFile);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookup(PCUNICODE_STRING pUniStr, HANDLE hFile)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PRTUTF16 const pwszPath = pUniStr->Buffer;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint16_t const cbPath = pUniStr->Length;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (pCur)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if ( pCur->uHash == uHash

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && pCur->cbPath == cbPath

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pwszPath, cbPath / sizeof(RTUTF16)))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!pCur->fIndexNumberValid)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pCur;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync LARGE_INTEGER IndexNumber;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync bool fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &IndexNumber);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if ( fIndexNumberValid

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && IndexNumber.QuadPart == pCur->IndexNumber.QuadPart)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pCur;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifdef DEBUG_bird

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync __debugbreak();

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pCur = pCur->pNext;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookupImport(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t uHash = supR3HardenedWinVerifyCacheHashDirAndFile(pawcDir, cwcDir, pszName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t const cbPath = (uint32_t)((cwcDir + 1 + strlen(pszName)) * sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (pCur)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( pCur->uHash == uHash

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && pCur->cbPath == cbPath)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pawcDir, cwcDir))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pCur->wszPath[cwcDir] == '\\' || pCur->wszPath[cwcDir] == '/')

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (RTUtf16ICmpAscii(&pCur->wszPath[cwcDir + 1], pszName))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return pCur;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur = pCur->pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncDECLHIDDEN(void) supR3HardenedWinVerifyCacheScheduleImports(RTLDRMOD hLdrMod, PCRTUTF16 pwszName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cImports;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync int rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_COUNT, NULL /*pvBits*/, &cImports, sizeof(cImports), NULL);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (RT_SUCCESS(rc))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (cImports)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PCRTUTF16 pawcDir = pwszName;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cwcDir = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t i = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTUTF16 wc;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while ((wc = pawcDir[i++]) != '\0')

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ((wc == '\\' || wc == '/' || wc == ':') && cwcDir + 2 != i)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync cwcDir = i - 1;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( g_System32NtPath.UniStr.Length / sizeof(WCHAR) == cwcDir

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && supR3HardenedWinVerifyCacheIsMatch(pawcDir, g_System32NtPath.UniStr.Buffer, cwcDir))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pawcDir = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (i = 0; i < cImports; i++)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync union

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync char szName[256];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iImport;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync } uBuf;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uBuf.iImport = i;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_MODULE, NULL /*pvBits*/, &uBuf, sizeof(uBuf), NULL);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (RT_SUCCESS(rc))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTStrToLower(uBuf.szName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( RTStrCmp(uBuf.szName, "kernel32.dll") == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || RTStrCmp(uBuf.szName, "kernelbase.dll") == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || RTStrCmp(uBuf.szName, "ntdll.dll") == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || RTStrNCmp(uBuf.szName, RT_STR_TUPLE("api-ms-win-")) == 0 )

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_System32NtPath.UniStr.Length / sizeof(WCHAR),

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uBuf.szName) != NULL)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for system32\n", uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedExeNtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_offSupLibHardenedExeNtName,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uBuf.szName) != NULL)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for appdir\n", uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pawcDir && supR3HardenedWinVerifyCacheLookupImport(pawcDir, cwcDir, uBuf.szName) != NULL)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for dll dir\n", uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* We could skip already scheduled modules, but that'll require serialization and extra work... */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: Import todo: #%u '%s'.\n", i, uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cbName = (uint32_t)strlen(uBuf.szName) + 1;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cbNameAligned = RT_ALIGN_32(cbName, sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cbNeeded = RT_OFFSETOF(VERIFIERCACHEIMPORT, szName[cbNameAligned])

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync + (pawcDir ? (cwcDir + 1) * sizeof(RTUTF16) : 0);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEIMPORT pImport = (PVERIFIERCACHEIMPORT)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbNeeded);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pImport)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Init it. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync memcpy(pImport->szName, uBuf.szName, cbName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pawcDir)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->cwcAltSearchDir = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pwszAltSearchDir = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->cwcAltSearchDir = cwcDir;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pwszAltSearchDir = (PRTUTF16)&pImport->szName[cbNameAligned];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync memcpy(pImport->pwszAltSearchDir, pawcDir, cwcDir * sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pwszAltSearchDir[cwcDir] = '\0';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Insert it. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pNext = g_pVerifierCacheTodoImports;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoImports, pImport, pImport->pNext));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("RTLDRPROP_IMPORT_MODULE failed with rc=%Rrc i=%#x on '%ls'\n", rc, i, pwszName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("'%ls' has no imports\n", pwszName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("RTLDRPROP_IMPORT_COUNT failed with rc=%Rrc on '%ls'\n", rc, pwszName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic void supR3HardenedWinVerifyCacheProcessImportTodos(void)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (;;)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEIMPORT pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoImports, NULL, PVERIFIERCACHEIMPORT);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pTodo)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync break;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEIMPORT pCur = pTodo;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pTodo = pTodo->pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( !supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_System32NtPath.UniStr.Length / sizeof(WCHAR),

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur->szName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && !supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedExeNtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_offSupLibHardenedExeNtName,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur->szName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && ( pCur->cwcAltSearchDir == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || !supR3HardenedWinVerifyCacheLookupImport(pCur->pwszAltSearchDir, pCur->cwcAltSearchDir, pCur->szName)) )

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Processing '%s'...\n", pCur->szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NTSTATUS rcNt;

100b161379af7255c69e27587cc746e5f76ff050vboxsync NTSTATUS rcNtRedir = 0x22222222;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync HANDLE hFile = INVALID_HANDLE_VALUE;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync AssertCompile(sizeof(wszPath) > sizeof(g_System32NtPath));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync /*

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync size_t cwcName = 260;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PRTUTF16 pwszName = &wszPath[0];

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync int rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (RT_SUCCESS(rc))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UNICODE_STRING UniStrName;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UniStrName.Buffer = wszPath;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UniStrName.Length = (USHORT)cwcName * sizeof(WCHAR);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UNICODE_STRING UniStrStatic;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UniStrStatic.Buffer = &wszPath[cwcName + 1];

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UniStrStatic.Length = 0;

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync UniStrStatic.MaximumLength = (USHORT)(sizeof(wszPath) - cwcName * sizeof(WCHAR) - sizeof(WCHAR));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UNICODE_STRING UniStrDynamic = { 0, 0, NULL };

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PUNICODE_STRING pUniStrResult = NULL;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

100b161379af7255c69e27587cc746e5f76ff050vboxsync rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,

100b161379af7255c69e27587cc746e5f76ff050vboxsync &UniStrName,

100b161379af7255c69e27587cc746e5f76ff050vboxsync (PUNICODE_STRING)&s_DefaultSuffix,

100b161379af7255c69e27587cc746e5f76ff050vboxsync &UniStrStatic,

100b161379af7255c69e27587cc746e5f76ff050vboxsync &UniStrDynamic,

100b161379af7255c69e27587cc746e5f76ff050vboxsync &pUniStrResult,

100b161379af7255c69e27587cc746e5f76ff050vboxsync NULL /*pNewFlags*/,

100b161379af7255c69e27587cc746e5f76ff050vboxsync NULL /*pcbFilename*/,

100b161379af7255c69e27587cc746e5f76ff050vboxsync NULL /*pcbNeeded*/);

100b161379af7255c69e27587cc746e5f76ff050vboxsync if (NT_SUCCESS(rcNtRedir))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

100b161379af7255c69e27587cc746e5f76ff050vboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync OBJECT_ATTRIBUTES ObjAttr;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync InitializeObjectAttributes(&ObjAttr, pUniStrResult,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = NtCreateFile(&hFile,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync &ObjAttr,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync &Ios,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NULL /* Allocation Size*/,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_ATTRIBUTE_NORMAL,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_SHARE_READ,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_OPEN,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NULL /*EaBuffer*/,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync 0 /*EaLength*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (NT_SUCCESS(rcNt))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = Ios.Status;

100b161379af7255c69e27587cc746e5f76ff050vboxsync if (NT_SUCCESS(rcNt))

100b161379af7255c69e27587cc746e5f76ff050vboxsync {

100b161379af7255c69e27587cc746e5f76ff050vboxsync /* For accurate logging. */

100b161379af7255c69e27587cc746e5f76ff050vboxsync size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1);

100b161379af7255c69e27587cc746e5f76ff050vboxsync memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16));

100b161379af7255c69e27587cc746e5f76ff050vboxsync wszPath[cwcCopy] = '\0';

100b161379af7255c69e27587cc746e5f76ff050vboxsync }

100b161379af7255c69e27587cc746e5f76ff050vboxsync else

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync hFile = INVALID_HANDLE_VALUE;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync RtlFreeUnicodeString(&UniStrDynamic);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync else

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #1 failed: %Rrc\n", rc));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync /*

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (hFile == INVALID_HANDLE_VALUE)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync struct

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PRTUTF16 pawcDir;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync uint32_t cwcDir;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync } Tmp, aDirs[] =

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync { g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR) },

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync { g_SupLibHardenedExeNtPath.UniStr.Buffer, g_offSupLibHardenedExeNtName - 1 },

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync { pCur->pwszAltSearchDir, pCur->cwcAltSearchDir },

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync };

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync /* Search System32 first, unless it's a 'V*' or 'm*' name, the latter for msvcrt. */

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if ( pCur->szName[0] == 'v'

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync || pCur->szName[0] == 'V'

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync || pCur->szName[0] == 'm'

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync || pCur->szName[0] == 'M')

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync Tmp = aDirs[0];

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync aDirs[0] = aDirs[1];

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync aDirs[1] = Tmp;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync for (uint32_t i = 0; i < RT_ELEMENTS(aDirs); i++)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (aDirs[i].pawcDir && aDirs[i].cwcDir && aDirs[i].cwcDir < RT_ELEMENTS(wszPath) / 3 * 2)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync memcpy(wszPath, aDirs[i].pawcDir, aDirs[i].cwcDir * sizeof(RTUTF16));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync uint32_t cwc = aDirs[i].cwcDir;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync wszPath[cwc++] = '\\';

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync cwcName = RT_ELEMENTS(wszPath) - cwc;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync pwszName = &wszPath[cwc];

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (RT_SUCCESS(rc))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UNICODE_STRING NtName;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtName.Buffer = wszPath;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtName.Length = (USHORT)((cwc + cwcName) * sizeof(WCHAR));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtName.MaximumLength = NtName.Length + sizeof(WCHAR);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync OBJECT_ATTRIBUTES ObjAttr;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = NtCreateFile(&hFile,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync &ObjAttr,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync &Ios,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NULL /* Allocation Size*/,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_ATTRIBUTE_NORMAL,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_SHARE_READ,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_OPEN,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NULL /*EaBuffer*/,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync 0 /*EaLength*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (NT_SUCCESS(rcNt))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = Ios.Status;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (NT_SUCCESS(rcNt))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync break;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync hFile = INVALID_HANDLE_VALUE;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync else

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #2 failed: %Rrc\n", rc));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (hFile != INVALID_HANDLE_VALUE)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

100b161379af7255c69e27587cc746e5f76ff050vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n",

100b161379af7255c69e27587cc746e5f76ff050vboxsync pCur->szName, wszPath, rcNtRedir));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync ULONG fAccess = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync ULONG fProtect = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync bool fCallRealApi = false;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, &fAccess, &fProtect, &fCallRealApi,

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync "Imports", false /*fAvoidWinVerifyTrust*/, NULL /*pfQuietFailure*/);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NtClose(hFile);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Failed to locate '%s'\n", pCur->szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' is in the cache.\n", pCur->szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pCur);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync } while (pTodo);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic void supR3HardenedWinVerifyCacheProcessWvtTodos(void)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync{

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PVERIFIERCACHEENTRY pReschedule = NULL;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PVERIFIERCACHEENTRY volatile *ppReschedLastNext = NULL;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /*

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync for (;;)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (!supHardenedWinIsWinVerifyTrustCallable())

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync break;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (!pTodo)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync break;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync do

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PVERIFIERCACHEENTRY pCur = pTodo;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pTodo = pTodo->pNextTodoWvt;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pCur->pNextTodoWvt = NULL;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if ( !pCur->fWinVerifyTrust

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync && RT_SUCCESS(pCur->rc))

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync bool fWinVerifyTrust = false;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync &fWinVerifyTrust, NULL /* pErrInfo*/);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (RT_FAILURE(rc) || fWinVerifyTrust)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pCur->fWinVerifyTrust = true;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pCur->rc = rc;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync else

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /* Retry it at a later time. */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (!pReschedule)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync ppReschedLastNext = &pCur->pNextTodoWvt;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pCur->pNextTodoWvt = pReschedule;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /* else: already processed. */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync } while (pTodo);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /*

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (pReschedule)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync do

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync *ppReschedLastNext = g_pVerifierCacheTodoWvt;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync}

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsyncstatic PRTUTF16 supR3HardenedWinIsPossible8dot3Path(PCRTUTF16 pwszPath)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync{

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync PCRTUTF16 pwszName = pwszPath;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync for (;;)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync RTUTF16 wc = *pwszPath++;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (wc == '~')

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* Could check more here before jumping to conclusions... */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (pwszPath - pwszName <= 8+1+3)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync return (PRTUTF16)pwszName;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync else if (wc == '\\' || wc == '/' || wc == ':')

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszName = pwszPath;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync else if (wc == 0)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync break;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync return NULL;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync}

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsyncstatic void supR3HardenedWinFix8dot3Path(HANDLE hFile, PUNICODE_STRING pUniStr)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync{

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /*

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync PRTUTF16 pwszFix = pUniStr->Buffer;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync while (*pwszFix)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFix = supR3HardenedWinIsPossible8dot3Path(pwszFix);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (pwszFix == NULL)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync break;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync RTUTF16 wc;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync PRTUTF16 pwszFixEnd = pwszFix;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync while ((wc = *pwszFixEnd) != '\0' && wc != '\\' && wc != '//')

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFixEnd++;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (wc == '\0')

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync break;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync RTUTF16 const wcSaved = *pwszFix;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync *pwszFix = '\0'; /* paranoia. */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync UNICODE_STRING NtDir;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtDir.Buffer = pUniStr->Buffer;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtDir.Length = NtDir.MaximumLength = (USHORT)((pwszFix - pUniStr->Buffer) * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync HANDLE hDir = RTNT_INVALID_HANDLE_VALUE;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync OBJECT_ATTRIBUTES ObjAttr;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync InitializeObjectAttributes(&ObjAttr, &NtDir, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NTSTATUS rcNt = NtCreateFile(&hDir,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_READ_DATA | SYNCHRONIZE,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &ObjAttr,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &Ios,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* Allocation Size*/,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_ATTRIBUTE_NORMAL,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_OPEN,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /*EaBuffer*/,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync 0 /*EaLength*/);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync *pwszFix = wcSaved;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (NT_SUCCESS(rcNt))

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync union

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_BOTH_DIR_INFORMATION Info;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint8_t abBuffer[sizeof(FILE_BOTH_DIR_INFORMATION) + 2048 * sizeof(WCHAR)];

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync } uBuf;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync RT_ZERO(uBuf);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync UNICODE_STRING NtFilterStr;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtFilterStr.Buffer = pwszFix;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtFilterStr.Length = (USHORT)((uintptr_t)pwszFixEnd - (uintptr_t)pwszFix);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtFilterStr.MaximumLength = NtFilterStr.Length;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync rcNt = NtQueryDirectoryFile(hDir,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* Event */,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* ApcRoutine */,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* ApcContext */,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &Ios,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &uBuf,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync sizeof(uBuf) - sizeof(WCHAR),

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FileBothDirectoryInformation,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FALSE /*ReturnSingleEntry*/,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &NtFilterStr,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FALSE /*RestartScan */);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (NT_SUCCESS(rcNt) && uBuf.Info.NextEntryOffset == 0) /* There shall only be one entry matching... */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint32_t offName = uBuf.Info.FileNameLength / sizeof(WCHAR);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync while (offName > 0 && uBuf.Info.FileName[offName - 1] != '\\' && uBuf.Info.FileName[offName - 1] != '/')

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync offName--;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint32_t cwcNameNew = (uBuf.Info.FileNameLength / sizeof(WCHAR)) - offName;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint32_t cwcNameOld = pwszFixEnd - pwszFix;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (cwcNameOld == cwcNameNew)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync memcpy(pwszFix, &uBuf.Info.FileName[offName], cwcNameNew * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync else if ( pUniStr->Length + cwcNameNew * sizeof(WCHAR) - cwcNameOld * sizeof(WCHAR) + sizeof(WCHAR)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync <= pUniStr->MaximumLength)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync size_t cwcLeft = pUniStr->Length - (pwszFixEnd - pUniStr->Buffer) * sizeof(WCHAR) + sizeof(WCHAR);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync memmove(&pwszFix[cwcNameNew], pwszFixEnd, cwcLeft * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pUniStr->Length -= (USHORT)(cwcNameOld * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pUniStr->Length += (USHORT)(cwcNameNew * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFixEnd -= cwcNameOld;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFixEnd -= cwcNameNew;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync memcpy(pwszFix, &uBuf.Info.FileName[offName], cwcNameNew * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* else: ignore overflow. */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* else: ignore failure. */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtClose(hDir);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* Advance */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFix = pwszFixEnd;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync}

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, PULONG pfAccess, PULONG pfProtect,

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync bool *pfQuietFailure)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync *pfCallRealApi = false;

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync if (pfQuietFailure)

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync *pfQuietFailure = false;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync /*

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync union

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync UNICODE_STRING UniStr;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync uint8_t abBuffer[sizeof(UNICODE_STRING) + 2048 * sizeof(WCHAR)];

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync } uBuf;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync RT_ZERO(uBuf);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync ULONG cbNameBuf;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR) - 128, &cbNameBuf);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if (!NT_SUCCESS(rcNt))

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync supR3HardenedError(VINF_SUCCESS, false,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync "supR3HardenedScreenImage/%s: NtQueryObject -> %#x (fImage=%d fProtect=%#x fAccess=%#x)\n",

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pszCaller, fImage, *pfProtect, *pfAccess);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync return rcNt;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync }

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if (supR3HardenedWinIsPossible8dot3Path(uBuf.UniStr.Buffer))

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync uBuf.UniStr.MaximumLength = sizeof(uBuf) - 128;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync supR3HardenedWinFix8dot3Path(hFile, &uBuf.UniStr);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync }

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync /*

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync PVERIFIERCACHEENTRY pCacheHit = supR3HardenedWinVerifyCacheLookup(&uBuf.UniStr, hFile);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (pCacheHit)

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /* If we haven't done the WinVerifyTrust thing, do it if we can. */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if ( !pCacheHit->fWinVerifyTrust

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync && RT_SUCCESS(pCacheHit->rc)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync && supHardenedWinIsWinVerifyTrustCallable() )

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (!fAvoidWinVerifyTrust)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [redoing WinVerifyTrust]\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pszCaller, pCacheHit->rc, pCacheHit->wszPath));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync bool fWinVerifyTrust = false;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync int rc = supHardenedWinVerifyImageTrust(pCacheHit->hFile, pCacheHit->wszPath, pCacheHit->fFlags, pCacheHit->rc,

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync &fWinVerifyTrust, NULL /* pErrInfo*/);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (RT_FAILURE(rc) || fWinVerifyTrust)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pszCaller, rc, pCacheHit->rc, fWinVerifyTrust, pCacheHit->wszPath));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pCacheHit->fWinVerifyTrust = true;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pCacheHit->rc = rc;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync else

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: WinVerifyTrust not available, rescheduling %ls\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pszCaller, pCacheHit->wszPath));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync else

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [avoiding WinVerifyTrust]\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pszCaller, pCacheHit->rc, pCacheHit->wszPath));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync else if (pCacheHit->cErrorHits < 16)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls%s\n",

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pszCaller, pCacheHit->rc, pCacheHit->wszPath, pCacheHit->fWinVerifyTrust ? "" : " [lacks WinVerifyTrust]"));

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /* Return the cached value. */

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if (RT_SUCCESS(pCacheHit->rc))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync *pfCallRealApi = true;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync return STATUS_SUCCESS;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync }

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync uint32_t cErrorHits = ASMAtomicIncU32(&pCacheHit->cErrorHits);

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync if ( cErrorHits < 8

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync || RT_IS_POWER_OF_TWO(cErrorHits))

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync supR3HardenedError(VINF_SUCCESS, false,

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync "supR3HardenedScreenImage/%s: cached rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x cErrorHits=%u %ls\n",

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync pszCaller, pCacheHit->rc, fImage, *pfProtect, *pfAccess, cErrorHits, uBuf.UniStr.Buffer);

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync else if (pfQuietFailure)

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync *pfQuietFailure = true;

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync return STATUS_TRUST_FAILURE;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync }

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync /*

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync HANDLE hMyFile = NULL;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync rcNt = NtDuplicateObject(NtCurrentProcess(), hFile, NtCurrentProcess(),

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync &hMyFile,

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync 0 /* Handle attributes*/, 0 /* Options */);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if (!NT_SUCCESS(rcNt))

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if (rcNt == STATUS_ACCESS_DENIED)

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync OBJECT_ATTRIBUTES ObjAttr;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync InitializeObjectAttributes(&ObjAttr, &uBuf.UniStr, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);