553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/nt/nt-and-windows.h>

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#include <AccCtrl.h>

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#include <AclApi.h>

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#ifndef PROCESS_SET_LIMITED_INFORMATION

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync# define PROCESS_SET_LIMITED_INFORMATION 0x2000

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#endif

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync# define LOAD_LIBRARY_SEARCH_APPLICATION_DIR 0x200

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync# define LOAD_LIBRARY_SEARCH_SYSTEM32 0x800

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync#endif

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync#include <VBox/sup.h>

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync#include <VBox/err.h>

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync#include <VBox/dis.h>

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#include <iprt/ctype.h>

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/string.h>

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/initterm.h>

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/param.h>

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/path.h>

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/thread.h>

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#include <iprt/zero.h>

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync#include "SUPLibInternal.h"

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync#include "win/SUPHardenedVerify-win.h"

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync#include "../SUPDrvIOC.h"

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#ifndef IMAGE_SCN_TYPE_NOLOAD

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync# define IMAGE_SCN_TYPE_NOLOAD 0x00000002

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync#endif

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPR3_RESPAWN_1_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-2ndchild"

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPR3_RESPAWN_2_ARG0 "60eaff78-4bdd-042d-2e72-669728efd737-suplib-3rdchild"

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPR3HARDENED_ASSERT(a_Expr) \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync do { \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync if (!(a_Expr)) \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync supR3HardenedFatal("%s: %s\n", __FUNCTION__, #a_Expr); \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync } while (0)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#define SUPR3HARDENED_ASSERT_NT_SUCCESS(a_Expr) \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync do { \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync NTSTATUS rcNtAssert = (a_Expr); \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync if (!NT_SUCCESS(rcNtAssert)) \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, rcNtAssert); \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync } while (0)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync#define SUPR3HARDENED_ASSERT_WIN32_SUCCESS(a_Expr) \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync do { \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync BOOL fRcAssert = (a_Expr); \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync if (fRcAssert == FALSE) \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync supR3HardenedFatal("%s: %s -> %#x\n", __FUNCTION__, #a_Expr, RtlGetLastWin32Error()); \

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync } while (0)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef struct MYSECURITYCLEANUP

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync union

ffb50166c9adb4ae583b914d405197035cf890advboxsync {

ffb50166c9adb4ae583b914d405197035cf890advboxsync SID Sid;

ffb50166c9adb4ae583b914d405197035cf890advboxsync uint8_t abPadding[SECURITY_MAX_SID_SIZE];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync } Everyone, Owner, User, Login;

ffb50166c9adb4ae583b914d405197035cf890advboxsync union

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync ACL AclHdr;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint8_t abPadding[1024];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync } Acl;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PSECURITY_DESCRIPTOR pSecDesc;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync} MYSECURITYCLEANUP;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef MYSECURITYCLEANUP *PMYSECURITYCLEANUP;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef struct VERIFIERCACHEENTRY

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Pointer to the next entry with the same hash value. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync struct VERIFIERCACHEENTRY * volatile pNext;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Next entry in the WinVerifyTrust todo list. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync struct VERIFIERCACHEENTRY * volatile pNextTodoWvt;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The file handle. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hFile;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** If fIndexNumber is set, this is an file system internal file identifier. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync LARGE_INTEGER IndexNumber;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The path hash value. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The verification result. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync int rc;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Used for shutting up load and error messages after a while so they don't

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t volatile cHits;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The validation flags (for WinVerifyTrust retry). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t fFlags;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Whether IndexNumber is valid */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool fIndexNumberValid;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Whether verified by WinVerifyTrust. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool volatile fWinVerifyTrust;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** cwcPath * sizeof(RTUTF16). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint16_t cbPath;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The full path of this entry (variable size). */

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync RTUTF16 wszPath[1];

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync} VERIFIERCACHEENTRY;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef VERIFIERCACHEENTRY *PVERIFIERCACHEENTRY;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef struct VERIFIERCACHEIMPORT

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

11b175175a0ed424b8e8354acda681ad0adde0f8vboxsync /** Pointer to the next DLL in the list. */

11b175175a0ed424b8e8354acda681ad0adde0f8vboxsync struct VERIFIERCACHEIMPORT * volatile pNext;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The length of pwszAltSearchDir if available. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t cwcAltSearchDir;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** This points the directory containing the DLL needing it, this will be

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PWCHAR pwszAltSearchDir;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The name of the import DLL (variable length). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync char szName[1];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync} VERIFIERCACHEIMPORT;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef VERIFIERCACHEIMPORT *PVERIFIERCACHEIMPORT;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef enum SUPR3WINCHILDREQ

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Perform child purification and close full access handles (must be zero). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync kSupR3WinChildReq_PurifyChildAndCloseHandles = 0,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Close the events, we're good on our own from here on. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync kSupR3WinChildReq_CloseEvents,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Reporting error. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync kSupR3WinChildReq_Error,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** End of valid requests. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync kSupR3WinChildReq_End

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync} SUPR3WINCHILDREQ;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef struct SUPR3WINPROCPARAMS

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The event semaphore the child will be waiting on. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hEvtChild;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The event semaphore the parent will be waiting on. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hEvtParent;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The address of the NTDLL. This is only valid during the very early

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uintptr_t uNtDllAddr;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The requested operation (set by the child). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUPR3WINCHILDREQ enmRequest;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The last status. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync int32_t rc;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The init operation the error relates to if message, kSupInitOp_Invalid if

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUPINITOP enmWhat;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Where if message. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync char szWhere[80];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Error message / path name string space. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync char szErrorMsg[4096];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync} SUPR3WINPROCPARAMS;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef struct SUPR3HARDNTCHILD

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Process handle. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hProcess;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Primary thread handle. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hThread;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Handle to the parent process, if we're the middle (stub) process. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hParent;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The event semaphore the child will be waiting on. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hEvtChild;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The event semaphore the parent will be waiting on. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hEvtParent;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The address of NTDLL in the child. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uintptr_t uNtDllAddr;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The address of NTDLL in this process. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uintptr_t uNtDllParentAddr;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** Which respawn number this is (1 = stub, 2 = VM). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync int iWhich;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The basic process info. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PROCESS_BASIC_INFORMATION BasicInfo;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The probable size of the PEB. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync size_t cbPeb;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The pristine process environment block. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PEB Peb;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /** The child process parameters. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUPR3WINPROCPARAMS ProcParams;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync} SUPR3HARDNTCHILD;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsynctypedef SUPR3HARDNTCHILD *PSUPR3HARDNTCHILD;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic SUPR3WINPROCPARAMS g_ProcParams = { NULL, NULL, 0, (SUPR3WINCHILDREQ)0, 0 };

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncbool g_fSupEarlyProcessInit = false;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncbool g_fSupStubOpened = false;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncuint32_t g_uNtVerCombined = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint32_t volatile g_cSuplibHardenedWindowsMainCalls;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncRTUTF16 g_wszSupLibHardenedExePath[1024];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncSUPSYSROOTDIRBUF g_SupLibHardenedExeNtPath;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncuint32_t g_offSupLibHardenedExeNtName;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic NTSTATUS (NTAPI * g_pfnNtCreateSectionReal)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PLARGE_INTEGER, ULONG, ULONG, HANDLE);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint8_t *g_pbNtCreateSection;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint8_t g_abNtCreateSectionPatch[16];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic NTSTATUS (NTAPI * g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint8_t *g_pbLdrLoadDll;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint8_t g_abLdrLoadDllPatch[16];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PVERIFIERCACHEENTRY volatile g_apVerifierCache[128];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PVERIFIERCACHEENTRY volatile g_pVerifierCacheTodoWvt = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncSUPSYSROOTDIRBUF g_System32WinPath;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic int g_cDllNotificationRegistered = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PVOID g_pvDllNotificationCookie = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic RTERRINFOSTATIC g_ErrInfoStatic;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncextern "C" uint8_t g_abSupHardReadWriteExecPage[PAGE_SIZE];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic bool g_fSupInitThunkSelfPatched;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint8_t g_abLdrInitThunkSelfBackup[16];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint32_t g_fSupAdversaries = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_SYMANTEC_SYSPLANT RT_BIT_32(0)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_SYMANTEC_N360 RT_BIT_32(1)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_AVAST RT_BIT_32(2)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_TRENDMICRO RT_BIT_32(3)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_TRENDMICRO_SAKFILE RT_BIT_32(4)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_MCAFEE RT_BIT_32(5)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_KASPERSKY RT_BIT_32(6)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_MBAM RT_BIT_32(7)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_AVG RT_BIT_32(8)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_PANDA RT_BIT_32(9)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_MSE RT_BIT_32(10)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_COMODO RT_BIT_32(11)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_ZONE_ALARM RT_BIT_32(12)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_DIGITAL_GUARDIAN RT_BIT_32(13)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#define SUPHARDNT_ADVERSARY_UNKNOWN RT_BIT_32(31)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool *pfQuiet);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic void supR3HardenedWinRegisterDllNotificationCallback(void);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic void supR3HardenedWinReInstallHooks(bool fFirst);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncDECLASM(void) supR3HardenedEarlyProcessInitThunk(void);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PRTUTF16 suplibHardenedWStrChr(PCRTUTF16 pwszHaystack, RTUTF16 wcNeedle)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync for (;;)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wcCur = *pwszHaystack;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (wcCur == wcNeedle)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return (PRTUTF16)pwszHaystack;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (wcCur == '\0')

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pwszHaystack++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic size_t suplibHardenedWStrLen(PCRTUTF16 pwsz)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PCRTUTF16 pwszCur = pwsz;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (*pwszCur != '\0')

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pwszCur++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return pwszCur - pwsz;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint64_t supR3HardenedWinGetMilliTS(void)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PKUSER_SHARED_DATA pUserSharedData = (PKUSER_SHARED_DATA)(uintptr_t)0x7ffe0000;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* use interrupt time */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync LARGE_INTEGER Time;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync do

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync Time.HighPart = pUserSharedData->InterruptTime.High1Time;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync Time.LowPart = pUserSharedData->InterruptTime.LowPart;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync } while (pUserSharedData->InterruptTime.High2Time != Time.HighPart);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return (uint64_t)Time.QuadPart / 10000;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncDECLHIDDEN(void *) supR3HardenedWinLoadLibrary(const char *pszName, bool fSystem32Only)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync WCHAR wszPath[RTPATH_MAX];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PRTUTF16 pwszPath = wszPath;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync int rc = RTStrToUtf16Ex(pszName, RTSTR_MAX, &pwszPath, RT_ELEMENTS(wszPath), NULL);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (RT_SUCCESS(rc))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (*pwszPath)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (*pwszPath == '/')

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync *pwszPath = '\\';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pwszPath++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync DWORD fFlags = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync fFlags |= LOAD_LIBRARY_SEARCH_SYSTEM32;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!fSystem32Only)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync fFlags |= LOAD_LIBRARY_SEARCH_APPLICATION_DIR;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync void *pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, fFlags);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* Vista, W7, W2K8R might not work without KB2533623, so retry with no flags. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( !pvRet

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && fFlags

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && RtlGetLastWin32Error() == ERROR_INVALID_PARAMETER)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pvRet = (void *)LoadLibraryExW(wszPath, NULL /*hFile*/, 0);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return pvRet;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync supR3HardenedFatal("RTStrToUtf16Ex failed on '%s': %Rrc", pszName, rc);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic bool supR3HardenedWinVerifyCacheGetIndexNumber(HANDLE hFile, PLARGE_INTEGER pIndexNumber)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, pIndexNumber, sizeof(*pIndexNumber), FileInternalInformation);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (NT_SUCCESS(rcNt))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync rcNt = Ios.Status;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#ifdef DEBUG_bird

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!NT_SUCCESS(rcNt))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync __debugbreak();

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#endif

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return NT_SUCCESS(rcNt) && pIndexNumber->QuadPart != 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint32_t supR3HardenedWinVerifyCacheHashPath(PCUNICODE_STRING pUniStr)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t uHash = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync unsigned cwcLeft = pUniStr->Length / sizeof(WCHAR);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PRTUTF16 pwc = pUniStr->Buffer;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (cwcLeft-- > 0)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wc = *pwc++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (wc < 0x80)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uHash = wc + (uHash << 6) + (uHash << 16) - uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic uint32_t supR3HardenedWinVerifyCacheHashDirAndFile(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t uHash = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (cwcDir-- > 0)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wc = *pawcDir++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (wc < 0x80)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync wc = wc != '/' ? RT_C_TO_LOWER(wc) : '\\';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uHash = wc + (uHash << 6) + (uHash << 16) - uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync unsigned char ch = '\\';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uHash = ch + (uHash << 6) + (uHash << 16) - uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while ((ch = *pszName++) != '\0')

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync ch = RT_C_TO_LOWER(ch);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uHash = ch + (uHash << 6) + (uHash << 16) - uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return uHash;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic bool supR3HardenedWinVerifyCacheIsMatch(PCRTUTF16 pawcLeft, PCRTUTF16 pawcRight, uint32_t cwcToCompare)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* Try a quick memory compare first. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (memcmp(pawcLeft, pawcRight, cwcToCompare * sizeof(RTUTF16)) == 0)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return true;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* Slow char by char compare. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (cwcToCompare-- > 0)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wcLeft = *pawcLeft++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wcRight = *pawcRight++;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (wcLeft != wcRight)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync wcLeft = wcLeft != '/' ? RT_C_TO_LOWER(wcLeft) : '\\';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync wcRight = wcRight != '/' ? RT_C_TO_LOWER(wcRight) : '\\';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (wcLeft != wcRight)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return false;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return true;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool fWinVerifyTrust, uint32_t fFlags)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PVERIFIERCACHEENTRY pEntry = (PVERIFIERCACHEENTRY)RTMemAllocZ(sizeof(VERIFIERCACHEENTRY) + pUniStr->Length);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (pEntry)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->pNext = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->pNextTodoWvt = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->hFile = hFile;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->rc = rc;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->fFlags = fFlags;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->cHits = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->fWinVerifyTrust = fWinVerifyTrust;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->cbPath = pUniStr->Length;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync memcpy(pEntry->wszPath, pUniStr->Buffer, pUniStr->Length);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->wszPath[pUniStr->Length / sizeof(WCHAR)] = '\0';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &pEntry->IndexNumber);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t iHashTab = pEntry->uHash % RT_ELEMENTS(g_apVerifierCache);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync VERIFIERCACHEENTRY * volatile *ppEntry = &g_apVerifierCache[iHashTab];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync for (;;)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (ASMAtomicCmpXchgPtr(ppEntry, pEntry, NULL))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!fWinVerifyTrust)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync do

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pEntry->pNextTodoWvt = g_pVerifierCacheTodoWvt;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pEntry, pEntry->pNextTodoWvt));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheInsert: %ls\n", pUniStr->Buffer));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PVERIFIERCACHEENTRY pOther = *ppEntry;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!pOther)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync continue;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( pOther->uHash == pEntry->uHash

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && pOther->cbPath == pEntry->cbPath

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath / sizeof(RTUTF16)))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync break;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync ppEntry = &pOther->pNext;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* Duplicate entry (may happen due to races). */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTMemFree(pEntry);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync NtClose(hFile);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookup(PCUNICODE_STRING pUniStr, HANDLE hFile)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PRTUTF16 const pwszPath = pUniStr->Buffer;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint16_t const cbPath = pUniStr->Length;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t uHash = supR3HardenedWinVerifyCacheHashPath(pUniStr);

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (pCur)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( pCur->uHash == uHash

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && pCur->cbPath == cbPath

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pwszPath, cbPath / sizeof(RTUTF16)))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!pCur->fIndexNumberValid)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return pCur;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync LARGE_INTEGER IndexNumber;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool fIndexNumberValid = supR3HardenedWinVerifyCacheGetIndexNumber(hFile, &IndexNumber);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( fIndexNumberValid

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && IndexNumber.QuadPart == pCur->IndexNumber.QuadPart)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return pCur;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#ifdef DEBUG_bird

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync __debugbreak();

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync#endif

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pCur = pCur->pNext;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic PVERIFIERCACHEENTRY supR3HardenedWinVerifyCacheLookupImport(PCRTUTF16 pawcDir, uint32_t cwcDir, const char *pszName)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t uHash = supR3HardenedWinVerifyCacheHashDirAndFile(pawcDir, cwcDir, pszName);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t iHashTab = uHash % RT_ELEMENTS(g_apVerifierCache);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t const cbPath = (uint32_t)((cwcDir + 1 + strlen(pszName)) * sizeof(RTUTF16));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PVERIFIERCACHEENTRY pCur = g_apVerifierCache[iHashTab];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (pCur)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( pCur->uHash == uHash

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && pCur->cbPath == cbPath)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (supR3HardenedWinVerifyCacheIsMatch(pCur->wszPath, pawcDir, cwcDir))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (pCur->wszPath[cwcDir] == '\\' || pCur->wszPath[cwcDir] == '/')

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (RTUtf16ICmpAscii(&pCur->wszPath[cwcDir + 1], pszName))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return pCur;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pCur = pCur->pNext;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncDECLHIDDEN(void) supR3HardenedWinVerifyCacheScheduleImports(RTLDRMOD hLdrMod, PCRTUTF16 pwszName)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t cImports;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync int rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_COUNT, NULL /*pvBits*/, &cImports, sizeof(cImports), NULL);

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (RT_SUCCESS(rc))

ffb50166c9adb4ae583b914d405197035cf890advboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (cImports)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PCRTUTF16 pawcDir = pwszName;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t cwcDir = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t i = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wc;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while ((wc = pawcDir[i++]) != '\0')

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ((wc == '\\' || wc == '/' || wc == ':') && cwcDir + 2 != i)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync cwcDir = i - 1;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( g_System32NtPath.UniStr.Length / sizeof(WCHAR) == cwcDir

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && supR3HardenedWinVerifyCacheIsMatch(pawcDir, g_System32NtPath.UniStr.Buffer, cwcDir))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pawcDir = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync for (i = 0; i < cImports; i++)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync union

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync char szName[256];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t iImport;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync } uBuf;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uBuf.iImport = i;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_IMPORT_MODULE, NULL /*pvBits*/, &uBuf, sizeof(uBuf), NULL);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (RT_SUCCESS(rc))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTStrToLower(uBuf.szName);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( RTStrCmp(uBuf.szName, "kernel32.dll") == 0

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync || RTStrCmp(uBuf.szName, "kernelbase.dll") == 0

ffb50166c9adb4ae583b914d405197035cf890advboxsync || RTStrCmp(uBuf.szName, "ntdll.dll") == 0

ffb50166c9adb4ae583b914d405197035cf890advboxsync || RTStrNCmp(uBuf.szName, RT_STR_TUPLE("api-ms-win-")) == 0 )

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync continue;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,

ffb50166c9adb4ae583b914d405197035cf890advboxsync g_System32NtPath.UniStr.Length / sizeof(WCHAR),

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uBuf.szName) != NULL)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for system32\n", uBuf.szName));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync continue;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync }

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedExeNtPath.UniStr.Buffer,

ffb50166c9adb4ae583b914d405197035cf890advboxsync g_offSupLibHardenedExeNtName,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync uBuf.szName) != NULL)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync {

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for appdir\n", uBuf.szName));

ffb50166c9adb4ae583b914d405197035cf890advboxsync continue;

ffb50166c9adb4ae583b914d405197035cf890advboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (pawcDir && supR3HardenedWinVerifyCacheLookupImport(pawcDir, cwcDir, uBuf.szName) != NULL)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: '%s' cached for dll dir\n", uBuf.szName));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync continue;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* We could skip already scheduled modules, but that'll require serialization and extra work... */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheScheduleImports: Import todo: #%u '%s'.\n", i, uBuf.szName));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync uint32_t cbName = (uint32_t)strlen(uBuf.szName) + 1;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t cbNameAligned = RT_ALIGN_32(cbName, sizeof(RTUTF16));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint32_t cbNeeded = RT_OFFSETOF(VERIFIERCACHEIMPORT, szName[cbNameAligned])

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync + (pawcDir ? (cwcDir + 1) * sizeof(RTUTF16) : 0);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PVERIFIERCACHEIMPORT pImport = (PVERIFIERCACHEIMPORT)RTMemAllocZ(cbNeeded);

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync if (pImport)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* Init it. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync memcpy(pImport->szName, uBuf.szName, cbName);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!pawcDir)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync pImport->cwcAltSearchDir = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pImport->pwszAltSearchDir = NULL;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync else

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync pImport->cwcAltSearchDir = cwcDir;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pImport->pwszAltSearchDir = (PRTUTF16)&pImport->szName[cbNameAligned];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync memcpy(pImport->pwszAltSearchDir, pawcDir, cwcDir * sizeof(RTUTF16));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pImport->pwszAltSearchDir[cwcDir] = '\0';

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /* Insert it. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync do

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pImport->pNext = g_pVerifierCacheTodoImports;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoImports, pImport, pImport->pNext));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync else

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("RTLDRPROP_IMPORT_MODULE failed with rc=%Rrc i=%#x on '%ls'\n", rc, i, pwszName));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync else

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("'%ls' has no imports\n", pwszName));

ffb50166c9adb4ae583b914d405197035cf890advboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync else

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("RTLDRPROP_IMPORT_COUNT failed with rc=%Rrc on '%ls'\n", rc, pwszName));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync}

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsyncstatic void supR3HardenedWinVerifyCacheProcessImportTodos(void)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync{

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync /*

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync for (;;)

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync {

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync PVERIFIERCACHEIMPORT pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoImports, NULL, PVERIFIERCACHEIMPORT);

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync if (!pTodo)

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync break;

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync do

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync {

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync PVERIFIERCACHEIMPORT pCur = pTodo;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pTodo = pTodo->pNext;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if ( !supR3HardenedWinVerifyCacheLookupImport(g_System32NtPath.UniStr.Buffer,

c10a6f0c7041e4d1ee50ad38425aab9d43c55522vboxsync g_System32NtPath.UniStr.Length / sizeof(WCHAR),

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pCur->szName)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && !supR3HardenedWinVerifyCacheLookupImport(g_SupLibHardenedExeNtPath.UniStr.Buffer,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync g_offSupLibHardenedExeNtName,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pCur->szName)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync && ( pCur->cwcAltSearchDir == 0

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync || !supR3HardenedWinVerifyCacheLookupImport(pCur->pwszAltSearchDir, pCur->cwcAltSearchDir, pCur->szName)) )

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Processing '%s'...\n", pCur->szName));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync NTSTATUS rcNt;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync NTSTATUS rcNtRedir = 0x22222222;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hFile = INVALID_HANDLE_VALUE;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RTUTF16 wszPath[260 + 260]; /* Assumes we've limited the import name length to 256. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync AssertCompile(sizeof(wszPath) > sizeof(g_System32NtPath));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync size_t cwcName = 260;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync PRTUTF16 pwszName = &wszPath[0];

0dd3967035b8a02985920baa57f948dc542b9388vboxsync int rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (RT_SUCCESS(rc))

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync UNICODE_STRING UniStrName;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UniStrName.Buffer = wszPath;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UniStrName.Length = (USHORT)cwcName * sizeof(WCHAR);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UniStrName.MaximumLength = UniStrName.Length + sizeof(WCHAR);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UNICODE_STRING UniStrStatic;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync UniStrStatic.Buffer = &wszPath[cwcName + 1];

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UniStrStatic.Length = 0;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UniStrStatic.MaximumLength = (USHORT)(sizeof(wszPath) - cwcName * sizeof(WCHAR) - sizeof(WCHAR));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync static UNICODE_STRING const s_DefaultSuffix = RTNT_CONSTANT_UNISTR(L".dll");

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UNICODE_STRING UniStrDynamic = { 0, 0, NULL };

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync PUNICODE_STRING pUniStrResult = NULL;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync rcNtRedir = RtlDosApplyFileIsolationRedirection_Ustr(1 /*fFlags*/,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync &UniStrName,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync (PUNICODE_STRING)&s_DefaultSuffix,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync &UniStrStatic,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync &UniStrDynamic,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync &pUniStrResult,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync NULL /*pNewFlags*/,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync NULL /*pcbFilename*/,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync NULL /*pcbNeeded*/);

0dd3967035b8a02985920baa57f948dc542b9388vboxsync if (NT_SUCCESS(rcNtRedir))

0dd3967035b8a02985920baa57f948dc542b9388vboxsync {

0dd3967035b8a02985920baa57f948dc542b9388vboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync OBJECT_ATTRIBUTES ObjAttr;

0dd3967035b8a02985920baa57f948dc542b9388vboxsync InitializeObjectAttributes(&ObjAttr, pUniStrResult,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

0dd3967035b8a02985920baa57f948dc542b9388vboxsync rcNt = NtCreateFile(&hFile,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync &ObjAttr,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync &Ios,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync NULL /* Allocation Size*/,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync FILE_ATTRIBUTE_NORMAL,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync FILE_SHARE_READ,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync FILE_OPEN,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,

0dd3967035b8a02985920baa57f948dc542b9388vboxsync NULL /*EaBuffer*/,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync 0 /*EaLength*/);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (NT_SUCCESS(rcNt))

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync rcNt = Ios.Status;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (NT_SUCCESS(rcNt))

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync /* For accurate logging. */

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync size_t cwcCopy = RT_MIN(pUniStrResult->Length / sizeof(RTUTF16), RT_ELEMENTS(wszPath) - 1);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync memcpy(wszPath, pUniStrResult->Buffer, cwcCopy * sizeof(RTUTF16));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync wszPath[cwcCopy] = '\0';

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync else

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync hFile = INVALID_HANDLE_VALUE;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync RtlFreeUnicodeString(&UniStrDynamic);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync else

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #1 failed: %Rrc\n", rc));

0dd3967035b8a02985920baa57f948dc542b9388vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync /*

0dd3967035b8a02985920baa57f948dc542b9388vboxsync if (hFile == INVALID_HANDLE_VALUE)

0dd3967035b8a02985920baa57f948dc542b9388vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync struct

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync PRTUTF16 pawcDir;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync uint32_t cwcDir;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync } Tmp, aDirs[] =

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync { g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR) },

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync { g_SupLibHardenedExeNtPath.UniStr.Buffer, g_offSupLibHardenedExeNtName - 1 },

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync { pCur->pwszAltSearchDir, pCur->cwcAltSearchDir },

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync };

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync /* Search System32 first, unless it's a 'V*' or 'm*' name, the latter for msvcrt. */

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync if ( pCur->szName[0] == 'v'

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync || pCur->szName[0] == 'V'

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync || pCur->szName[0] == 'm'

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync || pCur->szName[0] == 'M')

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync {

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync Tmp = aDirs[0];

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync aDirs[0] = aDirs[1];

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync aDirs[1] = Tmp;

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync }

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync for (uint32_t i = 0; i < RT_ELEMENTS(aDirs); i++)

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync {

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync if (aDirs[i].pawcDir && aDirs[i].cwcDir && aDirs[i].cwcDir < RT_ELEMENTS(wszPath) / 3 * 2)

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync {

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync memcpy(wszPath, aDirs[i].pawcDir, aDirs[i].cwcDir * sizeof(RTUTF16));

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync uint32_t cwc = aDirs[i].cwcDir;

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync wszPath[cwc++] = '\\';

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync cwcName = RT_ELEMENTS(wszPath) - cwc;

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync pwszName = &wszPath[cwc];

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync rc = RTStrToUtf16Ex(pCur->szName, RTSTR_MAX, &pwszName, cwcName, &cwcName);

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync if (RT_SUCCESS(rc))

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync UNICODE_STRING NtName;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync NtName.Buffer = wszPath;

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync NtName.Length = (USHORT)((cwc + cwcName) * sizeof(WCHAR));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync NtName.MaximumLength = NtName.Length + sizeof(WCHAR);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync OBJECT_ATTRIBUTES ObjAttr;

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync rcNt = NtCreateFile(&hFile,

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync FILE_READ_DATA | READ_CONTROL | SYNCHRONIZE,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync &ObjAttr,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync &Ios,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync NULL /* Allocation Size*/,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FILE_ATTRIBUTE_NORMAL,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FILE_SHARE_READ,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FILE_OPEN,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync NULL /*EaBuffer*/,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync 0 /*EaLength*/);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (NT_SUCCESS(rcNt))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync rcNt = Ios.Status;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (NT_SUCCESS(rcNt))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync break;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync hFile = INVALID_HANDLE_VALUE;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync else

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: RTStrToUtf16Ex #2 failed: %Rrc\n", rc));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (hFile != INVALID_HANDLE_VALUE)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' -> '%ls' [rcNtRedir=%#x]\n",

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync pCur->szName, wszPath, rcNtRedir));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync ULONG fAccess = 0;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync ULONG fProtect = 0;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync bool fCallRealApi = false;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, false /*fIgnoreArch*/, &fAccess, &fProtect,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync &fCallRealApi, "Imports", false /*fAvoidWinVerifyTrust*/, NULL /*pfQuiet*/);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync NtClose(hFile);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync else

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: Failed to locate '%s'\n", pCur->szName));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync else

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessImportTodos: '%s' is in the cache.\n", pCur->szName));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync RTMemFree(pCur);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync } while (pTodo);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync}

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsyncstatic void supR3HardenedWinVerifyCacheProcessWvtTodos(void)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync{

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PVERIFIERCACHEENTRY pReschedule = NULL;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync PVERIFIERCACHEENTRY volatile *ppReschedLastNext = NULL;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync /*

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync for (;;)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (!supHardenedWinIsWinVerifyTrustCallable())

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync break;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (!pTodo)

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync break;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync do

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync PVERIFIERCACHEENTRY pCur = pTodo;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync pTodo = pTodo->pNextTodoWvt;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync pCur->pNextTodoWvt = NULL;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync if ( !pCur->fWinVerifyTrust

ffb50166c9adb4ae583b914d405197035cf890advboxsync && RT_SUCCESS(pCur->rc))

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

ffb50166c9adb4ae583b914d405197035cf890advboxsync bool fWinVerifyTrust = false;

ffb50166c9adb4ae583b914d405197035cf890advboxsync int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,

ffb50166c9adb4ae583b914d405197035cf890advboxsync &fWinVerifyTrust, NULL /* pErrInfo*/);

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (RT_FAILURE(rc) || fWinVerifyTrust)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

ffb50166c9adb4ae583b914d405197035cf890advboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",

ffb50166c9adb4ae583b914d405197035cf890advboxsync rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));

ffb50166c9adb4ae583b914d405197035cf890advboxsync pCur->fWinVerifyTrust = true;

ffb50166c9adb4ae583b914d405197035cf890advboxsync pCur->rc = rc;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

ffb50166c9adb4ae583b914d405197035cf890advboxsync else

ffb50166c9adb4ae583b914d405197035cf890advboxsync {

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync /* Retry it at a later time. */

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",

ffb50166c9adb4ae583b914d405197035cf890advboxsync rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (!pReschedule)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync ppReschedLastNext = &pCur->pNextTodoWvt;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync pCur->pNextTodoWvt = pReschedule;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync }

f75c6db919d277952ca03b7acf643e5e3ac96cafvboxsync /* else: already processed. */

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync } while (pTodo);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync /*

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (pReschedule)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync do

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync *ppReschedLastNext = g_pVerifierCacheTodoWvt;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync}

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsyncstatic PRTUTF16 supR3HardenedWinIsPossible8dot3Path(PCRTUTF16 pwszPath)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync{

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync PCRTUTF16 pwszName = pwszPath;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync for (;;)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync RTUTF16 wc = *pwszPath++;

0dd3967035b8a02985920baa57f948dc542b9388vboxsync if (wc == '~')

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync /* Could check more here before jumping to conclusions... */

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (pwszPath - pwszName <= 8+1+3)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync return (PRTUTF16)pwszName;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync else if (wc == '\\' || wc == '/' || wc == ':')

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync pwszName = pwszPath;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync else if (wc == 0)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync break;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync }

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync return NULL;

ffb50166c9adb4ae583b914d405197035cf890advboxsync}

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

ffb50166c9adb4ae583b914d405197035cf890advboxsyncstatic void supR3HardenedWinFix8dot3Path(HANDLE hFile, PUNICODE_STRING pUniStr)

ffb50166c9adb4ae583b914d405197035cf890advboxsync{

ffb50166c9adb4ae583b914d405197035cf890advboxsync /*

ffb50166c9adb4ae583b914d405197035cf890advboxsync PRTUTF16 pwszFix = pUniStr->Buffer;

ffb50166c9adb4ae583b914d405197035cf890advboxsync while (*pwszFix)

ffb50166c9adb4ae583b914d405197035cf890advboxsync {

ffb50166c9adb4ae583b914d405197035cf890advboxsync pwszFix = supR3HardenedWinIsPossible8dot3Path(pwszFix);

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (pwszFix == NULL)

ffb50166c9adb4ae583b914d405197035cf890advboxsync break;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync RTUTF16 wc;

ffb50166c9adb4ae583b914d405197035cf890advboxsync PRTUTF16 pwszFixEnd = pwszFix;

ffb50166c9adb4ae583b914d405197035cf890advboxsync while ((wc = *pwszFixEnd) != '\0' && wc != '\\' && wc != '/')

ffb50166c9adb4ae583b914d405197035cf890advboxsync pwszFixEnd++;

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (wc == '\0')

ffb50166c9adb4ae583b914d405197035cf890advboxsync break;

ffb50166c9adb4ae583b914d405197035cf890advboxsync

ffb50166c9adb4ae583b914d405197035cf890advboxsync RTUTF16 const wcSaved = *pwszFix;

ffb50166c9adb4ae583b914d405197035cf890advboxsync *pwszFix = '\0'; /* paranoia. */

ffb50166c9adb4ae583b914d405197035cf890advboxsync

3c6306a66deef467e3c13483dd6529e1e1c6b822vboxsync UNICODE_STRING NtDir;

ffb50166c9adb4ae583b914d405197035cf890advboxsync NtDir.Buffer = pUniStr->Buffer;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync NtDir.Length = NtDir.MaximumLength = (USHORT)((pwszFix - pUniStr->Buffer) * sizeof(WCHAR));

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync HANDLE hDir = RTNT_INVALID_HANDLE_VALUE;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync

ffb50166c9adb4ae583b914d405197035cf890advboxsync OBJECT_ATTRIBUTES ObjAttr;

ffb50166c9adb4ae583b914d405197035cf890advboxsync InitializeObjectAttributes(&ObjAttr, &NtDir, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/);

ffb50166c9adb4ae583b914d405197035cf890advboxsync

ffb50166c9adb4ae583b914d405197035cf890advboxsync NTSTATUS rcNt = NtCreateFile(&hDir,

ffb50166c9adb4ae583b914d405197035cf890advboxsync FILE_READ_DATA | SYNCHRONIZE,

ffb50166c9adb4ae583b914d405197035cf890advboxsync &ObjAttr,

ffb50166c9adb4ae583b914d405197035cf890advboxsync &Ios,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync NULL /* Allocation Size*/,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync FILE_ATTRIBUTE_NORMAL,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FILE_OPEN,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync FILE_DIRECTORY_FILE | FILE_OPEN_FOR_BACKUP_INTENT | FILE_SYNCHRONOUS_IO_NONALERT,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync NULL /*EaBuffer*/,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync 0 /*EaLength*/);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync *pwszFix = wcSaved;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync if (NT_SUCCESS(rcNt))

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync union

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FILE_BOTH_DIR_INFORMATION Info;

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync uint8_t abBuffer[sizeof(FILE_BOTH_DIR_INFORMATION) + 2048 * sizeof(WCHAR)];

b4d7b4dbcc45b8bde7502aa129440d92d7ffd038vboxsync } uBuf;

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync RT_ZERO(uBuf);

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;

ffb50166c9adb4ae583b914d405197035cf890advboxsync UNICODE_STRING NtFilterStr;

ffb50166c9adb4ae583b914d405197035cf890advboxsync NtFilterStr.Buffer = pwszFix;

ffb50166c9adb4ae583b914d405197035cf890advboxsync NtFilterStr.Length = (USHORT)((uintptr_t)pwszFixEnd - (uintptr_t)pwszFix);

ffb50166c9adb4ae583b914d405197035cf890advboxsync NtFilterStr.MaximumLength = NtFilterStr.Length;

ffb50166c9adb4ae583b914d405197035cf890advboxsync rcNt = NtQueryDirectoryFile(hDir,

ffb50166c9adb4ae583b914d405197035cf890advboxsync NULL /* Event */,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync NULL /* ApcRoutine */,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync NULL /* ApcContext */,

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync &Ios,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync &uBuf,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync sizeof(uBuf) - sizeof(WCHAR),

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FileBothDirectoryInformation,

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync FALSE /*ReturnSingleEntry*/,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync &NtFilterStr,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync FALSE /*RestartScan */);

ffb50166c9adb4ae583b914d405197035cf890advboxsync if (NT_SUCCESS(rcNt) && uBuf.Info.NextEntryOffset == 0) /* There shall only be one entry matching... */

ffb50166c9adb4ae583b914d405197035cf890advboxsync {

ffb50166c9adb4ae583b914d405197035cf890advboxsync uint32_t offName = uBuf.Info.FileNameLength / sizeof(WCHAR);

ffb50166c9adb4ae583b914d405197035cf890advboxsync while (offName > 0 && uBuf.Info.FileName[offName - 1] != '\\' && uBuf.Info.FileName[offName - 1] != '/')

ffb50166c9adb4ae583b914d405197035cf890advboxsync offName--;

ffb50166c9adb4ae583b914d405197035cf890advboxsync uint32_t cwcNameNew = (uBuf.Info.FileNameLength / sizeof(WCHAR)) - offName;

ffb50166c9adb4ae583b914d405197035cf890advboxsync uint32_t cwcNameOld = pwszFixEnd - pwszFix;

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync if (cwcNameOld == cwcNameNew)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync memcpy(pwszFix, &uBuf.Info.FileName[offName], cwcNameNew * sizeof(WCHAR));

ffb50166c9adb4ae583b914d405197035cf890advboxsync else if ( pUniStr->Length + cwcNameNew * sizeof(WCHAR) - cwcNameOld * sizeof(WCHAR) + sizeof(WCHAR)

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync <= pUniStr->MaximumLength)

c89333d3e41e439ed9e74768000edc399d3e72e6vboxsync {

ffb50166c9adb4ae583b914d405197035cf890advboxsync size_t cwcLeft = pUniStr->Length - (pwszFixEnd - pUniStr->Buffer) * sizeof(WCHAR) + sizeof(WCHAR);

ffb50166c9adb4ae583b914d405197035cf890advboxsync memmove(&pwszFix[cwcNameNew], pwszFixEnd, cwcLeft * sizeof(WCHAR));

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync pUniStr->Length -= (USHORT)(cwcNameOld * sizeof(WCHAR));

ffb50166c9adb4ae583b914d405197035cf890advboxsync pUniStr->Length += (USHORT)(cwcNameNew * sizeof(WCHAR));

ffb50166c9adb4ae583b914d405197035cf890advboxsync pwszFixEnd -= cwcNameOld;

ffb50166c9adb4ae583b914d405197035cf890advboxsync pwszFixEnd -= cwcNameNew;

ffb50166c9adb4ae583b914d405197035cf890advboxsync memcpy(pwszFix, &uBuf.Info.FileName[offName], cwcNameNew * sizeof(WCHAR));

ffb50166c9adb4ae583b914d405197035cf890advboxsync }

ffb50166c9adb4ae583b914d405197035cf890advboxsync /* else: ignore overflow. */

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync }

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync /* else: ignore failure. */

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync NtClose(hDir);

750df3fe104e01cadbc3d5bd20243055d283d4e5vboxsync }

ffb50166c9adb4ae583b914d405197035cf890advboxsync

ffb50166c9adb4ae583b914d405197035cf890advboxsync /* Advance */

ffb50166c9adb4ae583b914d405197035cf890advboxsync pwszFix = pwszFixEnd;

ffb50166c9adb4ae583b914d405197035cf890advboxsync }

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync}

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync

6475559a7e0e52892efbab4fbdedc879f6866109vboxsyncstatic NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfAccess, PULONG pfProtect,

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust, bool *pfQuiet)

ffb50166c9adb4ae583b914d405197035cf890advboxsync{

ffb50166c9adb4ae583b914d405197035cf890advboxsync *pfCallRealApi = false;

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync if (pfQuiet)

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync *pfQuiet = false;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

6475559a7e0e52892efbab4fbdedc879f6866109vboxsync /*

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync union

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync UNICODE_STRING UniStr;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uint8_t abBuffer[sizeof(UNICODE_STRING) + 2048 * sizeof(WCHAR)];

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync } uBuf;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync RT_ZERO(uBuf);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync ULONG cbNameBuf;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync NTSTATUS rcNt = NtQueryObject(hFile, ObjectNameInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR) - 128, &cbNameBuf);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (!NT_SUCCESS(rcNt))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync supR3HardenedError(VINF_SUCCESS, false,

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync "supR3HardenedScreenImage/%s: NtQueryObject -> %#x (fImage=%d fProtect=%#x fAccess=%#x)\n",

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync pszCaller, fImage, *pfProtect, *pfAccess);

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync return rcNt;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync }

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync if (supR3HardenedWinIsPossible8dot3Path(uBuf.UniStr.Buffer))

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync {

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync uBuf.UniStr.MaximumLength = sizeof(uBuf) - 128;

553a2f0d8ef91a6dad8de4eef206ff093af53a5dvboxsync supR3HardenedWinFix8dot3Path(hFile, &uBuf.UniStr);