13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/nt/nt-and-windows.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <AccCtrl.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <AclApi.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifndef PROCESS_SET_LIMITED_INFORMATION

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define PROCESS_SET_LIMITED_INFORMATION 0x2000

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define LOAD_LIBRARY_SEARCH_APPLICATION_DIR 0x200

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define LOAD_LIBRARY_SEARCH_SYSTEM32 0x800

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <VBox/sup.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <VBox/err.h>

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync#include <VBox/dis.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/ctype.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/string.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/initterm.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include <iprt/param.h>

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync#include <iprt/path.h>

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync#include <iprt/thread.h>

edde275acba04aca58db4172a163741e3abadfbcvboxsync#include <iprt/zero.h>

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include "SUPLibInternal.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#include "win/SUPHardenedVerify-win.h"

40839c441cb305d84420565f7ca25403d8177413vboxsync#include "../SUPDrvIOC.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync#ifndef IMAGE_SCN_TYPE_NOLOAD

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync# define IMAGE_SCN_TYPE_NOLOAD 0x00000002

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync#endif

7d6ce198fd361f58bd1ebdeee7772f76b4e58966vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a1d9d394b49969e730c5a8e037ea2d672a48dbf6vboxsync#define SUPR3_RESPAWN_1_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild"

edde275acba04aca58db4172a163741e3abadfbcvboxsync

a1d9d394b49969e730c5a8e037ea2d672a48dbf6vboxsync#define SUPR3_RESPAWN_2_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPR3HARDENED_ASSERT(a_Expr) \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync do { \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!(a_Expr)) \

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync supR3HardenedFatal("%s: %s\n", __FUNCTION__, #a_Expr); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } while (0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPR3HARDENED_ASSERT_NT_SUCCESS(a_Expr) \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync do { \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync NTSTATUS rcNtAssert = (a_Expr); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!NT_SUCCESS(rcNtAssert)) \

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, rcNtAssert); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } while (0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPR3HARDENED_ASSERT_WIN32_SUCCESS(a_Expr) \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync do { \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync BOOL fRcAssert = (a_Expr); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (fRcAssert == FALSE) \

30f07af559efcbd967e801903746fc21f81ee533vboxsync supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, GetLastError()); \

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } while (0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef struct MYSECURITYCLEANUP

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync union

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync SID Sid;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint8_t abPadding[SECURITY_MAX_SID_SIZE];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } Everyone, Owner, User, Login;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync union

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync ACL AclHdr;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint8_t abPadding[1024];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync } Acl;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PSECURITY_DESCRIPTOR pSecDesc;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync} MYSECURITYCLEANUP;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef MYSECURITYCLEANUP *PMYSECURITYCLEANUP;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef struct VERIFIERCACHEENTRY

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** Pointer to the next entry with the same hash value. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync struct VERIFIERCACHEENTRY * volatile pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** Next entry in the WinVerifyTrust todo list. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync struct VERIFIERCACHEENTRY * volatile pNextTodoWvt;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The file handle. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync HANDLE hFile;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** If fIndexNumber is set, this is an file system internal file identifier. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync LARGE_INTEGER IndexNumber;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The path hash value. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The verification result. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync int rc;

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync /** Used for shutting up errors after a while. */

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync uint32_t volatile cErrorHits;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /** The validation flags (for WinVerifyTrust retry). */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync uint32_t fFlags;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** Whether IndexNumber is valid */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync bool fIndexNumberValid;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** Whether verified by WinVerifyTrust. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync bool volatile fWinVerifyTrust;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** cwcPath * sizeof(RTUTF16). */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint16_t cbPath;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /** The full path of this entry (variable size). */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wszPath[1];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync} VERIFIERCACHEENTRY;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsynctypedef VERIFIERCACHEENTRY *PVERIFIERCACHEENTRY;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsynctypedef struct VERIFIERCACHEIMPORT

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** Pointer to the next DLL in the list. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync struct VERIFIERCACHEIMPORT * volatile pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** The length of pwszAltSearchDir if available. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cwcAltSearchDir;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** This points the directory containing the DLL needing it, this will be

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PWCHAR pwszAltSearchDir;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /** The name of the import DLL (variable length). */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync char szName[1];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync} VERIFIERCACHEIMPORT;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsynctypedef VERIFIERCACHEIMPORT *PVERIFIERCACHEIMPORT;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncuint32_t g_uNtVerCombined = 0;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic uint32_t volatile g_cSuplibHardenedWindowsMainCalls;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncRTUTF16 g_wszSupLibHardenedExePath[1024];

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncSUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncuint32_t g_offSupLibHardenedExeNtName;

0c2ffca957882f38c677fc23f324cfd695b96947vboxsync

0c2ffca957882f38c677fc23f324cfd695b96947vboxsyncextern "C" PFNRT g_pfnNtCreateSectionJmpBack = NULL;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic NTSTATUS (NTAPI * g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync PLARGE_INTEGER, ULONG, ULONG, HANDLE);

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#if 0

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncextern "C" PFNRT g_pfnLdrLoadDllJmpBack = NULL;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#endif

88d7b87c38cc3800f532139696785e8c96bfd531vboxsyncstatic NTSTATUS (NTAPI * g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic PVERIFIERCACHEENTRY volatile g_apVerifierCache[128];

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic PVERIFIERCACHEENTRY volatile g_pVerifierCacheTodoWvt = NULL;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;

0c2ffca957882f38c677fc23f324cfd695b96947vboxsync

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic RTERRINFOSTATIC g_ErrInfoStatic;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncextern "C" uint8_t g_abSupHardReadWriteExecPage[PAGE_SIZE];

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic bool g_fSupInitThunkSelfPatched;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic uint8_t g_abLdrInitThunkSelfBackup[16];

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsyncstatic uint32_t g_fSupAdversaries = 0;

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(4)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(5)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(6)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(7)

f20463d06f9bf3f81e2c049c697dcd20a0b0c435vboxsync#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(8)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(9)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(10)

0c2ffca957882f38c677fc23f324cfd695b96947vboxsync#define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31)

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, PULONG pfAccess, PULONG pfProtect,

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync bool *pfQuietFailure);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifdef RT_ARCH_AMD64

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# include "NtCreateSection-template-amd64-syscall-type-1.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# undef SYSCALL

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#ifdef RT_ARCH_X86

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# define SYSCALL(a_Num) DECLASM(void) RT_CONCAT(supR3HardenedJmpBack_NtCreateSection_,a_Num)(void)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# include "NtCreateSection-template-x86-syscall-type-1.h"

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync# undef SYSCALL

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsyncstatic PRTUTF16 suplibHardenedWStrChr(PCRTUTF16 pwszHaystack, RTUTF16 wcNeedle)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (;;)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync RTUTF16 wcCur = *pwszHaystack;

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync if (wcCur == wcNeedle)

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync return (PRTUTF16)pwszHaystack;

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync if (wcCur == '\0')

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync return NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pwszHaystack++;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsyncstatic size_t suplibHardenedWStrLen(PCRTUTF16 pwsz)

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync{

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync PCRTUTF16 pwszCur = pwsz;

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync while (*pwszCur != '\0')

46b9d3cd08a855c5d0e968e4fff0e89dea3fc2dfvboxsync pwszCur++;

9f997e760f610c92e3a365be21ead6972bc46130vboxsync return pwszCur - pwsz;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

8302394f164acb4adb187954f6ac8ef7a9efa629vboxsyncDECLHIDDEN(void *) suplibHardenedAllocZ(size_t cb)

8302394f164acb4adb187954f6ac8ef7a9efa629vboxsync{

8302394f164acb4adb187954f6ac8ef7a9efa629vboxsync void *pv = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cb);

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync if (!pv)

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync supR3HardenedFatal("HeapAlloc failed to allocate %zu bytes.\n", cb);

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync return pv;

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync}

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsync

55f0ad00baf08057a3d6087ca698d4fd86e7b4a7vboxsyncDECLHIDDEN(void *) suplibHardenedReAlloc(void *pvOld, size_t cbNew)

100b161379af7255c69e27587cc746e5f76ff050vboxsync{

100b161379af7255c69e27587cc746e5f76ff050vboxsync if (!pvOld)

100b161379af7255c69e27587cc746e5f76ff050vboxsync return suplibHardenedAllocZ(cbNew);

100b161379af7255c69e27587cc746e5f76ff050vboxsync void *pv = HeapReAlloc(GetProcessHeap(), 0 /*dwFlags*/, pvOld, cbNew);

100b161379af7255c69e27587cc746e5f76ff050vboxsync if (!pv)

100b161379af7255c69e27587cc746e5f76ff050vboxsync supR3HardenedFatal("HeapReAlloc failed to allocate %zu bytes.\n", cbNew);

100b161379af7255c69e27587cc746e5f76ff050vboxsync return pv;

100b161379af7255c69e27587cc746e5f76ff050vboxsync}

100b161379af7255c69e27587cc746e5f76ff050vboxsync

a6c871653045073d6ef74d0589de345ae62b607dvboxsync

beed5fc4d17b85d6d05516ae63e6308af82ad96fvboxsyncDECLHIDDEN(void) suplibHardenedFree(void *pv)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (pv)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pv);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncDECLHIDDEN(void *) supR3HardenedWinLoadLibrary(const char *pszName, bool fSystem32Only)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync WCHAR wszPath[RTPATH_MAX];

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PRTUTF16 pwszPath = wszPath;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync int rc = RTStrToUtf16Ex(pszName, RTSTR_MAX, &pwszPath, RT_ELEMENTS(wszPath), NULL);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (RT_SUCCESS(rc))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (*pwszPath)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (*pwszPath == '/')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync *pwszPath = '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pwszPath++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync DWORD fFlags = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync fFlags |= LOAD_LIBRARY_SEARCH_SYSTEM32;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (!fSystem32Only)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync fFlags |= LOAD_LIBRARY_SEARCH_APPLICATION_DIR;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync void *pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, fFlags);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /* Vista, W7, W2K8R might not work without KB2533623, so retry with no flags. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if ( !pvRet

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && fFlags

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync && GetLastError() == ERROR_INVALID_PARAMETER)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, 0);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pvRet;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync supR3HardenedFatal("RTStrToUtf16Ex failed on '%s': %Rrc", pszName, rc);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return NULL;

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync}

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsyncstatic bool supR3HardenedWinVerifyCacheGetIndexNumber(HANDLE hFile, PLARGE_INTEGER pIndexNumber)

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync{

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, pIndexNumber, sizeof(*pIndexNumber), FileInternalInformation);

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync if (NT_SUCCESS(rcNt))

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync rcNt = Ios.Status;

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync#ifdef DEBUG_bird

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync if (!NT_SUCCESS(rcNt))

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync __debugbreak();

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync#endif

4db69c2a1302fa56bc5dd7181377b9f47cfd875evboxsync return NT_SUCCESS(rcNt) && pIndexNumber->QuadPart != 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic uint32_t supR3HardenedWinVerifyCacheHashPath(PCUNICODE_STRING pUniStr)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t uHash = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync unsigned cwcLeft = pUniStr->Length / sizeof(WCHAR);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PRTUTF16 pwc = pUniStr->Buffer;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (cwcLeft-- > 0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wc = *pwc++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (wc < 0x80)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uHash = wc + (uHash << 6) + (uHash << 16) - uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic uint32_t supR3HardenedWinVerifyCacheHashDirAndFile(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

30f07af559efcbd967e801903746fc21f81ee533vboxsync uint32_t uHash = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (cwcDir-- > 0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wc = *pawcDir++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (wc < 0x80)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uHash = wc + (uHash << 6) + (uHash << 16) - uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync unsigned char ch = '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uHash = ch + (uHash << 6) + (uHash << 16) - uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while ((ch = *pszName++) != '\0')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync ch = RT_C_TO_LOWER(ch);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uHash = ch + (uHash << 6) + (uHash << 16) - uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return uHash;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic bool supR3HardenedWinVerifyCacheIsMatch(PCRTUTF16 pawcLeft, PCRTUTF16 pawcRight, uint32_t cwcToCompare)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Try a quick memory compare first. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (memcmp(pawcLeft, pawcRight, cwcToCompare * sizeof(RTUTF16)) == 0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return true;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /* Slow char by char compare. */

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while (cwcToCompare-- > 0)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wcLeft = *pawcLeft++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wcRight = *pawcRight++;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (wcLeft != wcRight)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync wcLeft = wcLeft != '/' ? RT_C_TO_LOWER(wcLeft) : '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync wcLeft = wcRight != '/' ? RT_C_TO_LOWER(wcRight) : '\\';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (wcLeft != wcRight)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return false;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return true;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync bool fWinVerifyTrust, uint32_t fFlags)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEENTRY pEntry = (PVERIFIERCACHEENTRY)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync sizeof(VERIFIERCACHEENTRY) + pUniStr->Length);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (pEntry)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->pNext = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->pNextTodoWvt = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->hFile = hFile;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->rc = rc;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->fFlags = fFlags;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->cErrorHits = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->fWinVerifyTrust = fWinVerifyTrust;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->cbPath = pUniStr->Length;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync memcpy(pEntry->wszPath, pUniStr->Buffer, pUniStr->Length);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pEntry->wszPath[pUniStr->Length / sizeof(WCHAR)] = '\0';

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pEntry->fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &pEntry->IndexNumber);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iHashTab = pEntry->uHash % RT_ELEMENTS(g_apVerifierCache);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync VERIFIERCACHEENTRY * volatile *ppEntry = &g_apVerifierCache[iHashTab];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (;;)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (ASMAtomicCmpXchgPtr(ppEntry, pEntry, NULL))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!fWinVerifyTrust)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pEntry->pNextTodoWvt = g_pVerifierCacheTodoWvt;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pEntry, pEntry->pNextTodoWvt));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheInsert: %ls\n", pUniStr->Buffer));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEENTRY pOther = *ppEntry;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pOther)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

efdc3bd872b77b5ec7d19d77504264de24b0582bvboxsync if ( pOther->uHash == pEntry->uHash

efdc3bd872b77b5ec7d19d77504264de24b0582bvboxsync && pOther->cbPath == pEntry->cbPath

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath / sizeof(RTUTF16)))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync break;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync ppEntry = &pOther->pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Duplicate entry (may happen due to races). */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pEntry);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NtClose(hFile);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookup(PCUNICODE_STRING pUniStr, HANDLE hFile)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync{

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PRTUTF16 const pwszPath = pUniStr->Buffer;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint16_t const cbPath = pUniStr->Length;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];

30f07af559efcbd967e801903746fc21f81ee533vboxsync while (pCur)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if ( pCur->uHash == uHash

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && pCur->cbPath == cbPath

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pwszPath, cbPath / sizeof(RTUTF16)))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync if (!pCur->fIndexNumberValid)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync return pCur;

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync LARGE_INTEGER IndexNumber;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync bool fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &IndexNumber);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( fIndexNumberValid

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && IndexNumber.QuadPart == pCur->IndexNumber.QuadPart)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return pCur;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync#ifdef DEBUG_bird

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync __debugbreak();

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync#endif

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pCur = pCur->pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncstatic PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookupImport(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t uHash = supR3HardenedWinVerifyCacheHashDirAndFile(pawcDir, cwcDir, pszName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t const cbPath = (uint32_t)((cwcDir + 1 + strlen(pszName)) * sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (pCur)

e17f6f8a70a7709a9a6319d9a473596fb600b552vboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( pCur->uHash == uHash

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && pCur->cbPath == cbPath)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pawcDir, cwcDir))

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

30f07af559efcbd967e801903746fc21f81ee533vboxsync if (pCur->wszPath[cwcDir] == '\\' || pCur->wszPath[cwcDir] == '/')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (RTUtf16ICmpAscii(&pCur->wszPath[cwcDir + 1], pszName))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return pCur;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync pCur = pCur->pNext;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync return NULL;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync}

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsyncDECLHIDDEN(void) supR3HardenedWinVerifyCacheScheduleImports(RTLDRMOD hLdrMod, PCRTUTF16 pwszName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /*

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t cImports;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync int rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_COUNT, NULL /*pvBits*/, &cImports, sizeof(cImports), NULL);

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (RT_SUCCESS(rc))

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if (cImports)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync {

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync /*

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync PCRTUTF16 pawcDir = pwszName;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t cwcDir = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync uint32_t i = 0;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync RTUTF16 wc;

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync while ((wc = pawcDir[i++]) != '\0')

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync if ((wc == '\\' || wc == '/' || wc == ':') && cwcDir + 2 != i)

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync cwcDir = i - 1;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( g_System32NtPath.UniStr.Length / sizeof(WCHAR) == cwcDir

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && supR3HardenedWinVerifyCacheIsMatch(pawcDir, g_System32NtPath.UniStr.Buffer, cwcDir))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pawcDir = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (i = 0; i < cImports; i++)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync union

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync char szName[256];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t iImport;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync } uBuf;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uBuf.iImport = i;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_MODULE, NULL /*pvBits*/, &uBuf, sizeof(uBuf), NULL);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (RT_SUCCESS(rc))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTStrToLower(uBuf.szName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( RTStrCmp(uBuf.szName, "kernel32.dll") == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || RTStrCmp(uBuf.szName, "kernelbase.dll") == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || RTStrCmp(uBuf.szName, "ntdll.dll") == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || RTStrNCmp(uBuf.szName, RT_STR_TUPLE("api-ms-win-")) == 0 )

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_System32NtPath.UniStr.Length / sizeof(WCHAR),

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uBuf.szName) != NULL)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for system32\n", uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedExeNtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_offSupLibHardenedExeNtName,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uBuf.szName) != NULL)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for appdir\n", uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pawcDir && supR3HardenedWinVerifyCacheLookupImport(pawcDir, cwcDir, uBuf.szName) != NULL)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for dll dir\n", uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync continue;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* We could skip already scheduled modules, but that'll require serialization and extra work... */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: Import todo: #%u '%s'.\n", i, uBuf.szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cbName = (uint32_t)strlen(uBuf.szName) + 1;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cbNameAligned = RT_ALIGN_32(cbName, sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync uint32_t cbNeeded = RT_OFFSETOF(VERIFIERCACHEIMPORT, szName[cbNameAligned])

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync + (pawcDir ? (cwcDir + 1) * sizeof(RTUTF16) : 0);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEIMPORT pImport = (PVERIFIERCACHEIMPORT)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbNeeded);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pImport)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Init it. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync memcpy(pImport->szName, uBuf.szName, cbName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pawcDir)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->cwcAltSearchDir = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pwszAltSearchDir = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->cwcAltSearchDir = cwcDir;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pwszAltSearchDir = (PRTUTF16)&pImport->szName[cbNameAligned];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync memcpy(pImport->pwszAltSearchDir, pawcDir, cwcDir * sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pwszAltSearchDir[cwcDir] = '\0';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Insert it. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pImport->pNext = g_pVerifierCacheTodoImports;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoImports, pImport, pImport->pNext));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("RTLDRPROP_IMPORT_MODULE failed with rc=%Rrc i=%#x on '%ls'\n", rc, i, pwszName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("'%ls' has no imports\n", pwszName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("RTLDRPROP_IMPORT_COUNT failed with rc=%Rrc on '%ls'\n", rc, pwszName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsyncstatic void supR3HardenedWinVerifyCacheProcessImportTodos(void)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync{

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync for (;;)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEIMPORT pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoImports, NULL, PVERIFIERCACHEIMPORT);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pTodo)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync break;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PVERIFIERCACHEIMPORT pCur = pTodo;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pTodo = pTodo->pNext;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if ( !supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_System32NtPath.UniStr.Length / sizeof(WCHAR),

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur->szName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && !supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedExeNtPath.UniStr.Buffer,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync g_offSupLibHardenedExeNtName,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur->szName)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync && ( pCur->cwcAltSearchDir == 0

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync || !supR3HardenedWinVerifyCacheLookupImport(pCur->pwszAltSearchDir, pCur->cwcAltSearchDir, pCur->szName)) )

30f07af559efcbd967e801903746fc21f81ee533vboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Processing '%s'...\n", pCur->szName));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NTSTATUS rcNt;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NTSTATUS rcNtRedir = 0x22222222;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync HANDLE hFile = INVALID_HANDLE_VALUE;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync AssertCompile(sizeof(wszPath) > sizeof(g_System32NtPath));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync size_t cwcName = 260;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PRTUTF16 pwszName = &wszPath[0];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync int rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (RT_SUCCESS(rc))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UNICODE_STRING UniStrName;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UniStrName.Buffer = wszPath;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UniStrName.Length = (USHORT)cwcName * sizeof(WCHAR);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UNICODE_STRING UniStrStatic;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UniStrStatic.Buffer = &wszPath[cwcName + 1];

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UniStrStatic.Length = 0;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UniStrStatic.MaximumLength = (USHORT)(sizeof(wszPath) - cwcName * sizeof(WCHAR) - sizeof(WCHAR));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync UNICODE_STRING UniStrDynamic = { 0, 0, NULL };

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PUNICODE_STRING pUniStrResult = NULL;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync &UniStrName,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync (PUNICODE_STRING)&s_DefaultSuffix,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync &UniStrStatic,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync &UniStrDynamic,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync &pUniStrResult,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NULL /*pNewFlags*/,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NULL /*pcbFilename*/,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NULL /*pcbNeeded*/);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (NT_SUCCESS(rcNtRedir))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync OBJECT_ATTRIBUTES ObjAttr;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync InitializeObjectAttributes(&ObjAttr, pUniStrResult,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync rcNt = NtCreateFile(&hFile,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync &ObjAttr,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync &Ios,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NULL /* Allocation Size*/,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync FILE_ATTRIBUTE_NORMAL,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync FILE_SHARE_READ,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync FILE_OPEN,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync NULL /*EaBuffer*/,

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync 0 /*EaLength*/);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (NT_SUCCESS(rcNt))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync rcNt = Ios.Status;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (NT_SUCCESS(rcNt))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* For accurate logging. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync wszPath[cwcCopy] = '\0';

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync hFile = INVALID_HANDLE_VALUE;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync RtlFreeUnicodeString(&UniStrDynamic);

100b161379af7255c69e27587cc746e5f76ff050vboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #1 failed: %Rrc\n", rc));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync /*

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (hFile == INVALID_HANDLE_VALUE)

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync struct

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync PRTUTF16 pawcDir;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync uint32_t cwcDir;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync } Tmp, aDirs[] =

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync { g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR) },

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync { g_SupLibHardenedExeNtPath.UniStr.Buffer, g_offSupLibHardenedExeNtName - 1 },

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync { pCur->pwszAltSearchDir, pCur->cwcAltSearchDir },

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync };

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

2fce40121ae472df2fd959fbe19775ed43304a0bvboxsync /* Search System32 first, unless it's a 'V*' or 'm*' name, the latter for msvcrt. */

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if ( pCur->szName[0] == 'v'

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync || pCur->szName[0] == 'V'

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync || pCur->szName[0] == 'm'

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync || pCur->szName[0] == 'M')

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

100b161379af7255c69e27587cc746e5f76ff050vboxsync Tmp = aDirs[0];

100b161379af7255c69e27587cc746e5f76ff050vboxsync aDirs[0] = aDirs[1];

100b161379af7255c69e27587cc746e5f76ff050vboxsync aDirs[1] = Tmp;

100b161379af7255c69e27587cc746e5f76ff050vboxsync }

100b161379af7255c69e27587cc746e5f76ff050vboxsync

100b161379af7255c69e27587cc746e5f76ff050vboxsync for (uint32_t i = 0; i < RT_ELEMENTS(aDirs); i++)

100b161379af7255c69e27587cc746e5f76ff050vboxsync {

100b161379af7255c69e27587cc746e5f76ff050vboxsync if (aDirs[i].pawcDir && aDirs[i].cwcDir && aDirs[i].cwcDir < RT_ELEMENTS(wszPath) / 3 * 2)

100b161379af7255c69e27587cc746e5f76ff050vboxsync {

100b161379af7255c69e27587cc746e5f76ff050vboxsync memcpy(wszPath, aDirs[i].pawcDir, aDirs[i].cwcDir * sizeof(RTUTF16));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync uint32_t cwc = aDirs[i].cwcDir;

100b161379af7255c69e27587cc746e5f76ff050vboxsync wszPath[cwc++] = '\\';

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync cwcName = RT_ELEMENTS(wszPath) - cwc;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync pwszName = &wszPath[cwc];

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (RT_SUCCESS(rc))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync UNICODE_STRING NtName;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtName.Buffer = wszPath;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtName.Length = (USHORT)((cwc + cwcName) * sizeof(WCHAR));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtName.MaximumLength = NtName.Length + sizeof(WCHAR);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync OBJECT_ATTRIBUTES ObjAttr;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = NtCreateFile(&hFile,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync &ObjAttr,

100b161379af7255c69e27587cc746e5f76ff050vboxsync &Ios,

100b161379af7255c69e27587cc746e5f76ff050vboxsync NULL /* Allocation Size*/,

100b161379af7255c69e27587cc746e5f76ff050vboxsync FILE_ATTRIBUTE_NORMAL,

100b161379af7255c69e27587cc746e5f76ff050vboxsync FILE_SHARE_READ,

100b161379af7255c69e27587cc746e5f76ff050vboxsync FILE_OPEN,

100b161379af7255c69e27587cc746e5f76ff050vboxsync FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,

100b161379af7255c69e27587cc746e5f76ff050vboxsync NULL /*EaBuffer*/,

100b161379af7255c69e27587cc746e5f76ff050vboxsync 0 /*EaLength*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (NT_SUCCESS(rcNt))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = Ios.Status;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (NT_SUCCESS(rcNt))

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync break;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync hFile = INVALID_HANDLE_VALUE;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #2 failed: %Rrc\n", rc));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync /*

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (hFile != INVALID_HANDLE_VALUE)

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n",

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync pCur->szName, wszPath, rcNtRedir));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync ULONG fAccess = 0;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync ULONG fProtect = 0;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync bool fCallRealApi = false;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, &fAccess, &fProtect, &fCallRealApi,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync "Imports", false /*fAvoidWinVerifyTrust*/, NULL /*pfQuietFailure*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync NtClose(hFile);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync else

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Failed to locate '%s'\n", pCur->szName));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync else

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' is in the cache.\n", pCur->szName));

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pCur);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync } while (pTodo);

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsyncstatic void supR3HardenedWinVerifyCacheProcessWvtTodos(void)

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync{

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PVERIFIERCACHEENTRY pReschedule = NULL;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PVERIFIERCACHEENTRY volatile *ppReschedLastNext = NULL;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync /*

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync for (;;)

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (!supHardenedWinIsWinVerifyTrustCallable())

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync break;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (!pTodo)

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync break;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync do

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync PVERIFIERCACHEENTRY pCur = pTodo;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync pTodo = pTodo->pNextTodoWvt;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync pCur->pNextTodoWvt = NULL;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if ( !pCur->fWinVerifyTrust

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync && RT_SUCCESS(pCur->rc))

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync bool fWinVerifyTrust = false;

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync &fWinVerifyTrust, NULL /* pErrInfo*/);

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync if (RT_FAILURE(rc) || fWinVerifyTrust)

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync {

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",

817577d2c4d6dee709de7a92d3bb7d0aeedae9aevboxsync rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur->fWinVerifyTrust = true;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync pCur->rc = rc;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* Retry it at a later time. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (!pReschedule)

100b161379af7255c69e27587cc746e5f76ff050vboxsync ppReschedLastNext = &pCur->pNextTodoWvt;

100b161379af7255c69e27587cc746e5f76ff050vboxsync pCur->pNextTodoWvt = pReschedule;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /* else: already processed. */

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync } while (pTodo);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync /*

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync if (pReschedule)

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync {

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync do

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync *ppReschedLastNext = g_pVerifierCacheTodoWvt;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));

30f07af559efcbd967e801903746fc21f81ee533vboxsync }

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync}

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic PRTUTF16 supR3HardenedWinIsPossible8dot3Path(PCRTUTF16 pwszPath)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync{

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PCRTUTF16 pwszName = pwszPath;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync for (;;)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync RTUTF16 wc = *pwszPath++;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (wc == '~')

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /* Could check more here before jumping to conclusions... */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (pwszPath - pwszName <= 8+1+3)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync return (PRTUTF16)pwszName;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync else if (wc == '\\' || wc == '/' || wc == ':')

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pwszName = pwszPath;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync else if (wc == 0)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync break;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync }

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync return NULL;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync}

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsyncstatic void supR3HardenedWinFix8dot3Path(HANDLE hFile, PUNICODE_STRING pUniStr)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync{

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync /*

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PRTUTF16 pwszFix = pUniStr->Buffer;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync while (*pwszFix)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pwszFix = supR3HardenedWinIsPossible8dot3Path(pwszFix);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (pwszFix == NULL)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync break;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync RTUTF16 wc;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync PRTUTF16 pwszFixEnd = pwszFix;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync while ((wc = *pwszFixEnd) != '\0' && wc != '\\' && wc != '//')

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync pwszFixEnd++;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (wc == '\0')

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync break;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync RTUTF16 const wcSaved = *pwszFix;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync *pwszFix = '\0'; /* paranoia. */

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync UNICODE_STRING NtDir;

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync NtDir.Buffer = pUniStr->Buffer;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtDir.Length = NtDir.MaximumLength = (USHORT)((pwszFix - pUniStr->Buffer) * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync HANDLE hDir = RTNT_INVALID_HANDLE_VALUE;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync OBJECT_ATTRIBUTES ObjAttr;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync InitializeObjectAttributes(&ObjAttr, &NtDir, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NTSTATUS rcNt = NtCreateFile(&hDir,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_READ_DATA | SYNCHRONIZE,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &ObjAttr,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &Ios,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* Allocation Size*/,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_ATTRIBUTE_NORMAL,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_OPEN,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /*EaBuffer*/,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync 0 /*EaLength*/);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync *pwszFix = wcSaved;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (NT_SUCCESS(rcNt))

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync union

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FILE_BOTH_DIR_INFORMATION Info;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint8_t abBuffer[sizeof(FILE_BOTH_DIR_INFORMATION) + 2048 * sizeof(WCHAR)];

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync } uBuf;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync RT_ZERO(uBuf);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync UNICODE_STRING NtFilterStr;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtFilterStr.Buffer = pwszFix;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtFilterStr.Length = (USHORT)((uintptr_t)pwszFixEnd - (uintptr_t)pwszFix);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtFilterStr.MaximumLength = NtFilterStr.Length;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync rcNt = NtQueryDirectoryFile(hDir,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* Event */,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* ApcRoutine */,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NULL /* ApcContext */,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &Ios,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &uBuf,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync sizeof(uBuf) - sizeof(WCHAR),

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FileBothDirectoryInformation,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FALSE /*ReturnSingleEntry*/,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &NtFilterStr,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync FALSE /*RestartScan */);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (NT_SUCCESS(rcNt) && uBuf.Info.NextEntryOffset == 0) /* There shall only be one entry matching... */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint32_t offName = uBuf.Info.FileNameLength / sizeof(WCHAR);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync while (offName > 0 && uBuf.Info.FileName[offName - 1] != '\\' && uBuf.Info.FileName[offName - 1] != '/')

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync offName--;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint32_t cwcNameNew = (uBuf.Info.FileNameLength / sizeof(WCHAR)) - offName;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint32_t cwcNameOld = pwszFixEnd - pwszFix;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (cwcNameOld == cwcNameNew)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync memcpy(pwszFix, &uBuf.Info.FileName[offName], cwcNameNew * sizeof(WCHAR));

efdc3bd872b77b5ec7d19d77504264de24b0582bvboxsync else if ( pUniStr->Length + cwcNameNew * sizeof(WCHAR) - cwcNameOld * sizeof(WCHAR) + sizeof(WCHAR)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync <= pUniStr->MaximumLength)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync size_t cwcLeft = pUniStr->Length - (pwszFixEnd - pUniStr->Buffer) * sizeof(WCHAR) + sizeof(WCHAR);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync memmove(&pwszFix[cwcNameNew], pwszFixEnd, cwcLeft * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pUniStr->Length -= (USHORT)(cwcNameOld * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pUniStr->Length += (USHORT)(cwcNameNew * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFixEnd -= cwcNameOld;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFixEnd -= cwcNameNew;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync memcpy(pwszFix, &uBuf.Info.FileName[offName], cwcNameNew * sizeof(WCHAR));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* else: ignore overflow. */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* else: ignore failure. */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NtClose(hDir);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* Advance */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pwszFix = pwszFixEnd;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync}

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsyncstatic NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, PULONG pfAccess, PULONG pfProtect,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync bool *pfQuietFailure)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync{

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync *pfCallRealApi = false;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (pfQuietFailure)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync *pfQuietFailure = false;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /*

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync union

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync UNICODE_STRING UniStr;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uint8_t abBuffer[sizeof(UNICODE_STRING) + 2048 * sizeof(WCHAR)];

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync } uBuf;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync RT_ZERO(uBuf);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync ULONG cbNameBuf;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR) - 128, &cbNameBuf);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (!NT_SUCCESS(rcNt))

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync supR3HardenedError(VINF_SUCCESS, false,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync "supR3HardenedScreenImage/%s: NtQueryObject -> %#x (fImage=%d fProtect=%#x fAccess=%#x)\n",

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pszCaller, fImage, *pfProtect, *pfAccess);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync return rcNt;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (supR3HardenedWinIsPossible8dot3Path(uBuf.UniStr.Buffer))

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync uBuf.UniStr.MaximumLength = sizeof(uBuf) - 128;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync supR3HardenedWinFix8dot3Path(hFile, &uBuf.UniStr);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /*

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync PVERIFIERCACHEENTRY pCacheHit = supR3HardenedWinVerifyCacheLookup(&uBuf.UniStr, hFile);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (pCacheHit)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync /* If we haven't done the WinVerifyTrust thing, do it if we can. */

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if ( !pCacheHit->fWinVerifyTrust

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync && RT_SUCCESS(pCacheHit->rc)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync && supHardenedWinIsWinVerifyTrustCallable() )

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (!fAvoidWinVerifyTrust)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [redoing WinVerifyTrust]\n",

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pszCaller, pCacheHit->rc, pCacheHit->wszPath));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync bool fWinVerifyTrust = false;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync int rc = supHardenedWinVerifyImageTrust(pCacheHit->hFile, pCacheHit->wszPath, pCacheHit->fFlags, pCacheHit->rc,

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync &fWinVerifyTrust, NULL /* pErrInfo*/);

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync if (RT_FAILURE(rc) || fWinVerifyTrust)

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync {

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pszCaller, rc, pCacheHit->rc, fWinVerifyTrust, pCacheHit->wszPath));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pCacheHit->fWinVerifyTrust = true;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pCacheHit->rc = rc;

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync else

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: WinVerifyTrust not available, rescheduling %ls\n",

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync pszCaller, pCacheHit->wszPath));

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync }

4f2b002896072b0b5a7cb566341c8bac5e69392bvboxsync else

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [avoiding WinVerifyTrust]\n",

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync pszCaller, pCacheHit->rc, pCacheHit->wszPath));

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync else if (pCacheHit->cErrorHits < 16)

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls%s\n",

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync pszCaller, pCacheHit->rc, pCacheHit->wszPath, pCacheHit->fWinVerifyTrust ? "" : " [lacks WinVerifyTrust]"));

eb259de2a9eac4b4dda56e89f5004671f926bd9bvboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync /* Return the cached value. */

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if (RT_SUCCESS(pCacheHit->rc))

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync *pfCallRealApi = true;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync return STATUS_SUCCESS;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync }

13493ab7596e827b8d0caab2c89e635dd65f78f9vboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync uint32_t cErrorHits = ASMAtomicIncU32(&pCacheHit->cErrorHits);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync if ( cErrorHits < 8

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync || RT_IS_POWER_OF_TWO(cErrorHits))

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync supR3HardenedError(VINF_SUCCESS, false,

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync "supR3HardenedScreenImage/%s: cached rc=%Rrc fImage=%d fProtect=%#x fAccess=%#x cErrorHits=%u %ls\n",

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync pszCaller, pCacheHit->rc, fImage, *pfProtect, *pfAccess, cErrorHits, uBuf.UniStr.Buffer);

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync else if (pfQuietFailure)

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync *pfQuietFailure = true;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync return STATUS_TRUST_FAILURE;

a60be2c64ea23bb7ce4c9998bcd541c4db879fbavboxsync }

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync /*

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync HANDLE hMyFile = NULL;

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync rcNt = NtDuplicateObject(NtCurrentProcess(), hFile, NtCurrentProcess(),

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync &hMyFile,

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync 0 /* Handle attributes*/, 0 /* Options */);

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (!NT_SUCCESS(rcNt))

48e06e6a052c50ecf176f63f5537f80b544bf34avboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync if (rcNt == STATUS_ACCESS_DENIED)

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync {

93e05ea894cefd56ca308d72372b4dd8045bd1eevboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;