CINXE.COM

<!DOCTYPE html> <html lang="en-US"> <head>   <title> SUPHardenedVerifyProcess-win.cpp in vbox/trunk/src/VBox/HostDrivers/Support/win – Oracle VirtualBox </title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" />  <link rel="search" href="/search" /> <link rel="help" href="/wiki/TracGuide" /> <link rel="alternate" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp?rev=67954&format=txt" title="Plain Text" type="text/plain" /> <link rel="alternate" href="/export/67954/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp" title="Original Format" type="text/x-c++src; charset=utf-8" /> <link rel="up" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp" /> <link rel="next" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp?rev=69496" title="Revision 69496" /> <link rel="start" href="/wiki" /> <link rel="stylesheet" href="/chrome/common/css/trac.css" type="text/css" /> <link rel="stylesheet" href="/chrome/common/css/code.css" type="text/css" /> <link rel="stylesheet" href="/pygments/trac.css" type="text/css" /> <link rel="stylesheet" href="/chrome/common/css/browser.css" type="text/css" /> <link rel="prev" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp?rev=66351" title="Revision 66351" /> <link rel="icon" href="/favicon.ico" type="image/x-icon" /> <noscript> <style> .trac-noscript { display: none !important } </style> </noscript> <link type="application/opensearchdescription+xml" rel="search" href="/search/opensearch" title="Search Oracle VirtualBox"/> <script src="/chrome/common/js/jquery.js"></script> <script src="/chrome/common/js/jquery-migrate.js"></script> <script src="/chrome/common/js/babel.js"></script> <script src="/chrome/common/js/trac.js"></script> <script src="/chrome/common/js/search.js"></script> <script src="/chrome/common/js/folding.js"></script> <script> jQuery(function($) { $(".trac-autofocus").focus(); $(".trac-target-new").attr("target", "_blank"); if ($.ui) { /* is jquery-ui added? */ $(".trac-datepicker:not([readonly])") .prop("autocomplete", "off").datepicker(); // Input current date when today is pressed. var _goToToday = $.datepicker._gotoToday; $.datepicker._gotoToday = function(id) { _goToToday.call(this, id); this._selectDate(id) }; $(".trac-datetimepicker:not([readonly])") .prop("autocomplete", "off").datetimepicker(); $("#main").addClass("trac-nodatetimehint"); } $(".trac-disable").disableSubmit(".trac-disable-determinant"); setTimeout(function() { $(".trac-scroll").scrollToTop() }, 1); $(".trac-disable-on-submit").disableOnSubmit(); }); </script>  <link rel="stylesheet" type="text/css" href="/chrome/site/style.css"/> <script> jQuery(function($) { var $ntg = $("#newticketguide"); if ($ntg.length) $("#propertyform").prepend($ntg.detach()); }); </script> <script> jQuery(function($) { var $content = $("#content"); var $opener = $("#opener"); if ($("#opener").length) $content.toggleClass('narrow'); }); </script>   <script> jQuery(function($) { $(".trac-toggledeleted").show().click(function() { $(this).siblings().find(".trac-deleted").toggle(); return false; }).click(); $("#jumploc input").hide(); $("#jumploc select").change(function () { this.parentNode.parentNode.submit(); }); $('#preview table.code').enableCollapsibleColumns( $('#preview table.code thead th.content')); }); </script>  </head> <body>    <div id="vboxstring"> <img src="/graphics/vboxlogodown.png" alt="VirtualBox"/> </div> <div id="center">  <div id="banner"> <form id="search" action="/search" method="get"> <div> <label for="proj-search">Search:</label> <input type="text" id="proj-search" name="q" size="18" value="" /> <input type="submit" value="Search" /> </div> </form> </div> <div id="mainnav" class="nav"> <ul><li class="active last first"><a href="/browser">Browse Source</a></li></ul> </div> <div id="main" > <div id="ctxtnav"> <li> <a id="logo" href="https://www.virtualbox.org/"><img alt="Oracle VirtualBox" src="/graphics/vbox-new-logo.png"></a> </li> <ul> <li><a href="https://www.virtualbox.org/">Home</a></li> <li><a href="/wiki/Downloads">Download</a></li> <li><a href="/wiki/Documentation">Documentation</a></li> <li><a href="/wiki/Community">Community</a></li> <li class="first"> <a id="profile" href="/login"><img src="/graphics/user.png" alt="User profile icon"></a> </li> <form style="text-align: right" action="/search" method="get"> <div> <input id="vboxsearch" type="text" name="q" size="10" accesskey="f" value="Search:" onblur="if(this.value=='') this.value='Search:';" onfocus="if(this.value=='Search:') this.value='';"> <input type="hidden" name="wiki" value="on"> <input type="hidden" name="changeset" value="on"> <input type="hidden" name="ticket" value="on"> </div> </form> </li> </ul> </div>  <div id="content" class="browser"> <h1> <a class="pathentry first" href="/browser?order=name" title="Go to repository index">source:</a> <a class="pathentry" href="/browser/vbox?rev=67954&order=name" title="View vbox">vbox</a>/<a class="pathentry" href="/browser/vbox/trunk?rev=67954&order=name" title="View trunk">trunk</a>/<a class="pathentry" href="/browser/vbox/trunk/src?rev=67954&order=name" title="View src">src</a>/<a class="pathentry" href="/browser/vbox/trunk/src/VBox?rev=67954&order=name" title="View VBox">VBox</a>/<a class="pathentry" href="/browser/vbox/trunk/src/VBox/HostDrivers?rev=67954&order=name" title="View HostDrivers">HostDrivers</a>/<a class="pathentry" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support?rev=67954&order=name" title="View Support">Support</a>/<a class="pathentry" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win?rev=67954&order=name" title="View win">win</a>/<a class="pathentry" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp?rev=67954&order=name" title="View SUPHardenedVerifyProcess-win.cpp">SUPHardenedVerifyProcess-win.cpp</a>@ <a class="pathentry" href="/changeset/67954/vbox" title="View changeset 67954">67954</a> </h1> <div id="diffrev"> <form action="/changeset" method="get"> <div> <label title="Show the diff against a specific revision"> View diff against: <input type="text" name="old" size="6"/> <input type="hidden" name="old_path" value="vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp"/> <input type="hidden" name="new" value="67954"/> <input type="hidden" name="new_path" value="vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp"/> </label> </div> </form> </div> <div id="jumprev"> <form action="#" method="get"> <div> <label for="rev" title="Hint: clear the field to view latest revision"> View revision:</label> <input type="text" id="rev" name="rev" value="67954" size="6" /> </div> </form> </div> <div id="jumploc"> <form action="#" method="get"> <div class="buttons"> <label for="preselected">Visit:</label> <select id="preselected" name="preselected"> <option selected="selected"></option> <optgroup label="branches"> <option value="/browser/vbox/trunk">trunk</option> </optgroup> </select> <input type="submit" value="Go!" title="Jump to the chosen preselected path" /> </div> </form> </div> <div class="trac-tags"> </div> <table id="info"> <tr> <th> <a href="/changeset/67950/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp" title="View differences">Last change</a> on this file since 67954 was <a href="/changeset/67950/vbox" title="View changeset 67950">67950</a>, checked in by vboxsync, <a class="timeline" href="/timeline?from=2017-07-13T10%3A23%3A32Z&precision=second" title="See timeline at Jul 13, 2017 10:23:32 AM">7 years ago</a> </th> </tr> <tr> <td class="message searchable"> supHardNtVpNewImage: Always log the 8dot3->long conversion results. <a href="https://www.virtualbox.org/ticket/16878" title="16878 in ticketref">ticketref:16878</a> </td> </tr> <tr> <td colspan="2"> <ul class="props"> <li> Property svn:eol-style set to <code>native</code> </li> <li> Property svn:keywords set to <code>Author Date Id Revision</code> </li> </ul> </td> </tr> <tr> <td colspan="2"> File size: 99.7 KB </td> </tr> </table> <div id="preview" class="searchable"> <table class="code"><thead><tr><th class="lineno" title="Line numbers">Line</th><th class="content"> </th></tr></thead><tbody><tr><th id="L1"><a href="#L1">1</a></th><td>/* $Id: SUPHardenedVerifyProcess-win.cpp 67950 2017-07-13 10:23:32Z vboxsync $ */ </td></tr><tr><th id="L2"><a href="#L2">2</a></th><td>/** @file </td></tr><tr><th id="L3"><a href="#L3">3</a></th><td> * VirtualBox Support Library/Driver - Hardened Process Verification, Windows. </td></tr><tr><th id="L4"><a href="#L4">4</a></th><td> */ </td></tr><tr><th id="L5"><a href="#L5">5</a></th><td> </td></tr><tr><th id="L6"><a href="#L6">6</a></th><td>/* </td></tr><tr><th id="L7"><a href="#L7">7</a></th><td> * Copyright (C) 2006-2016 Oracle Corporation </td></tr><tr><th id="L8"><a href="#L8">8</a></th><td> * </td></tr><tr><th id="L9"><a href="#L9">9</a></th><td> * This file is part of VirtualBox Open Source Edition (OSE), as </td></tr><tr><th id="L10"><a href="#L10">10</a></th><td> * available from http://www.virtualbox.org. This file is free software; </td></tr><tr><th id="L11"><a href="#L11">11</a></th><td> * you can redistribute it and/or modify it under the terms of the GNU </td></tr><tr><th id="L12"><a href="#L12">12</a></th><td> * General Public License (GPL) as published by the Free Software </td></tr><tr><th id="L13"><a href="#L13">13</a></th><td> * Foundation, in version 2 as it comes in the "COPYING" file of the </td></tr><tr><th id="L14"><a href="#L14">14</a></th><td> * VirtualBox OSE distribution. VirtualBox OSE is distributed in the </td></tr><tr><th id="L15"><a href="#L15">15</a></th><td> * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind. </td></tr><tr><th id="L16"><a href="#L16">16</a></th><td> * </td></tr><tr><th id="L17"><a href="#L17">17</a></th><td> * The contents of this file may alternatively be used under the terms </td></tr><tr><th id="L18"><a href="#L18">18</a></th><td> * of the Common Development and Distribution License Version 1.0 </td></tr><tr><th id="L19"><a href="#L19">19</a></th><td> * (CDDL) only, as it comes in the "COPYING.CDDL" file of the </td></tr><tr><th id="L20"><a href="#L20">20</a></th><td> * VirtualBox OSE distribution, in which case the provisions of the </td></tr><tr><th id="L21"><a href="#L21">21</a></th><td> * CDDL are applicable instead of those of the GPL. </td></tr><tr><th id="L22"><a href="#L22">22</a></th><td> * </td></tr><tr><th id="L23"><a href="#L23">23</a></th><td> * You may elect to license modified versions of this file under the </td></tr><tr><th id="L24"><a href="#L24">24</a></th><td> * terms and conditions of either the GPL or the CDDL or both. </td></tr><tr><th id="L25"><a href="#L25">25</a></th><td> */ </td></tr><tr><th id="L26"><a href="#L26">26</a></th><td> </td></tr><tr><th id="L27"><a href="#L27">27</a></th><td> </td></tr><tr><th id="L28"><a href="#L28">28</a></th><td>/********************************************************************************************************************************* </td></tr><tr><th id="L29"><a href="#L29">29</a></th><td>* Header Files * </td></tr><tr><th id="L30"><a href="#L30">30</a></th><td>*********************************************************************************************************************************/ </td></tr><tr><th id="L31"><a href="#L31">31</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L32"><a href="#L32">32</a></th><td># define IPRT_NT_MAP_TO_ZW </td></tr><tr><th id="L33"><a href="#L33">33</a></th><td># include <iprt/nt/nt.h> </td></tr><tr><th id="L34"><a href="#L34">34</a></th><td># include <ntimage.h> </td></tr><tr><th id="L35"><a href="#L35">35</a></th><td>#else </td></tr><tr><th id="L36"><a href="#L36">36</a></th><td># include <iprt/nt/nt-and-windows.h> </td></tr><tr><th id="L37"><a href="#L37">37</a></th><td>#endif </td></tr><tr><th id="L38"><a href="#L38">38</a></th><td> </td></tr><tr><th id="L39"><a href="#L39">39</a></th><td>#include <VBox/sup.h> </td></tr><tr><th id="L40"><a href="#L40">40</a></th><td>#include <VBox/err.h> </td></tr><tr><th id="L41"><a href="#L41">41</a></th><td>#include <iprt/alloca.h> </td></tr><tr><th id="L42"><a href="#L42">42</a></th><td>#include <iprt/ctype.h> </td></tr><tr><th id="L43"><a href="#L43">43</a></th><td>#include <iprt/param.h> </td></tr><tr><th id="L44"><a href="#L44">44</a></th><td>#include <iprt/string.h> </td></tr><tr><th id="L45"><a href="#L45">45</a></th><td>#include <iprt/zero.h> </td></tr><tr><th id="L46"><a href="#L46">46</a></th><td> </td></tr><tr><th id="L47"><a href="#L47">47</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L48"><a href="#L48">48</a></th><td># include "SUPDrvInternal.h" </td></tr><tr><th id="L49"><a href="#L49">49</a></th><td>#else </td></tr><tr><th id="L50"><a href="#L50">50</a></th><td># include "SUPLibInternal.h" </td></tr><tr><th id="L51"><a href="#L51">51</a></th><td>#endif </td></tr><tr><th id="L52"><a href="#L52">52</a></th><td>#include "win/SUPHardenedVerify-win.h" </td></tr><tr><th id="L53"><a href="#L53">53</a></th><td> </td></tr><tr><th id="L54"><a href="#L54">54</a></th><td> </td></tr><tr><th id="L55"><a href="#L55">55</a></th><td>/********************************************************************************************************************************* </td></tr><tr><th id="L56"><a href="#L56">56</a></th><td>* Structures and Typedefs * </td></tr><tr><th id="L57"><a href="#L57">57</a></th><td>*********************************************************************************************************************************/ </td></tr><tr><th id="L58"><a href="#L58">58</a></th><td>/** </td></tr><tr><th id="L59"><a href="#L59">59</a></th><td> * Virtual address space region. </td></tr><tr><th id="L60"><a href="#L60">60</a></th><td> */ </td></tr><tr><th id="L61"><a href="#L61">61</a></th><td>typedef struct SUPHNTVPREGION </td></tr><tr><th id="L62"><a href="#L62">62</a></th><td>{ </td></tr><tr><th id="L63"><a href="#L63">63</a></th><td> /** The RVA of the region. */ </td></tr><tr><th id="L64"><a href="#L64">64</a></th><td> uint32_t uRva; </td></tr><tr><th id="L65"><a href="#L65">65</a></th><td> /** The size of the region. */ </td></tr><tr><th id="L66"><a href="#L66">66</a></th><td> uint32_t cb; </td></tr><tr><th id="L67"><a href="#L67">67</a></th><td> /** The protection of the region. */ </td></tr><tr><th id="L68"><a href="#L68">68</a></th><td> uint32_t fProt; </td></tr><tr><th id="L69"><a href="#L69">69</a></th><td>} SUPHNTVPREGION; </td></tr><tr><th id="L70"><a href="#L70">70</a></th><td>/** Pointer to a virtual address space region. */ </td></tr><tr><th id="L71"><a href="#L71">71</a></th><td>typedef SUPHNTVPREGION *PSUPHNTVPREGION; </td></tr><tr><th id="L72"><a href="#L72">72</a></th><td> </td></tr><tr><th id="L73"><a href="#L73">73</a></th><td>/** </td></tr><tr><th id="L74"><a href="#L74">74</a></th><td> * Virtual address space image information. </td></tr><tr><th id="L75"><a href="#L75">75</a></th><td> */ </td></tr><tr><th id="L76"><a href="#L76">76</a></th><td>typedef struct SUPHNTVPIMAGE </td></tr><tr><th id="L77"><a href="#L77">77</a></th><td>{ </td></tr><tr><th id="L78"><a href="#L78">78</a></th><td> /** The base address of the image. */ </td></tr><tr><th id="L79"><a href="#L79">79</a></th><td> uintptr_t uImageBase; </td></tr><tr><th id="L80"><a href="#L80">80</a></th><td> /** The size of the image mapping. */ </td></tr><tr><th id="L81"><a href="#L81">81</a></th><td> uintptr_t cbImage; </td></tr><tr><th id="L82"><a href="#L82">82</a></th><td> </td></tr><tr><th id="L83"><a href="#L83">83</a></th><td> /** The name from the allowed lists. */ </td></tr><tr><th id="L84"><a href="#L84">84</a></th><td> const char *pszName; </td></tr><tr><th id="L85"><a href="#L85">85</a></th><td> /** Name structure for NtQueryVirtualMemory/MemorySectionName. */ </td></tr><tr><th id="L86"><a href="#L86">86</a></th><td> struct </td></tr><tr><th id="L87"><a href="#L87">87</a></th><td> { </td></tr><tr><th id="L88"><a href="#L88">88</a></th><td> /** The full unicode name. */ </td></tr><tr><th id="L89"><a href="#L89">89</a></th><td> UNICODE_STRING UniStr; </td></tr><tr><th id="L90"><a href="#L90">90</a></th><td> /** Buffer space. */ </td></tr><tr><th id="L91"><a href="#L91">91</a></th><td> WCHAR awcBuffer[260]; </td></tr><tr><th id="L92"><a href="#L92">92</a></th><td> } Name; </td></tr><tr><th id="L93"><a href="#L93">93</a></th><td> </td></tr><tr><th id="L94"><a href="#L94">94</a></th><td> /** The number of mapping regions. */ </td></tr><tr><th id="L95"><a href="#L95">95</a></th><td> uint32_t cRegions; </td></tr><tr><th id="L96"><a href="#L96">96</a></th><td> /** Mapping regions. */ </td></tr><tr><th id="L97"><a href="#L97">97</a></th><td> SUPHNTVPREGION aRegions[16]; </td></tr><tr><th id="L98"><a href="#L98">98</a></th><td> </td></tr><tr><th id="L99"><a href="#L99">99</a></th><td> /** The image characteristics from the FileHeader. */ </td></tr><tr><th id="L100"><a href="#L100">100</a></th><td> uint16_t fImageCharecteristics; </td></tr><tr><th id="L101"><a href="#L101">101</a></th><td> /** The DLL characteristics from the OptionalHeader. */ </td></tr><tr><th id="L102"><a href="#L102">102</a></th><td> uint16_t fDllCharecteristics; </td></tr><tr><th id="L103"><a href="#L103">103</a></th><td> </td></tr><tr><th id="L104"><a href="#L104">104</a></th><td> /** Set if this is the DLL. */ </td></tr><tr><th id="L105"><a href="#L105">105</a></th><td> bool fDll; </td></tr><tr><th id="L106"><a href="#L106">106</a></th><td> /** Set if the image is NTDLL an the verficiation code needs to watch out for </td></tr><tr><th id="L107"><a href="#L107">107</a></th><td> * the NtCreateSection patch. */ </td></tr><tr><th id="L108"><a href="#L108">108</a></th><td> bool fNtCreateSectionPatch; </td></tr><tr><th id="L109"><a href="#L109">109</a></th><td> /** Whether the API set schema hack needs to be applied when verifying memory </td></tr><tr><th id="L110"><a href="#L110">110</a></th><td> * content. The hack means that we only check if the 1st section is mapped. */ </td></tr><tr><th id="L111"><a href="#L111">111</a></th><td> bool fApiSetSchemaOnlySection1; </td></tr><tr><th id="L112"><a href="#L112">112</a></th><td> /** This may be a 32-bit resource DLL. */ </td></tr><tr><th id="L113"><a href="#L113">113</a></th><td> bool f32bitResourceDll; </td></tr><tr><th id="L114"><a href="#L114">114</a></th><td> </td></tr><tr><th id="L115"><a href="#L115">115</a></th><td> /** Pointer to the loader cache entry for the image. */ </td></tr><tr><th id="L116"><a href="#L116">116</a></th><td> PSUPHNTLDRCACHEENTRY pCacheEntry; </td></tr><tr><th id="L117"><a href="#L117">117</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L118"><a href="#L118">118</a></th><td> /** In ring-0 we don't currently cache images, so put it here. */ </td></tr><tr><th id="L119"><a href="#L119">119</a></th><td> SUPHNTLDRCACHEENTRY CacheEntry; </td></tr><tr><th id="L120"><a href="#L120">120</a></th><td>#endif </td></tr><tr><th id="L121"><a href="#L121">121</a></th><td>} SUPHNTVPIMAGE; </td></tr><tr><th id="L122"><a href="#L122">122</a></th><td>/** Pointer to image info from the virtual address space scan. */ </td></tr><tr><th id="L123"><a href="#L123">123</a></th><td>typedef SUPHNTVPIMAGE *PSUPHNTVPIMAGE; </td></tr><tr><th id="L124"><a href="#L124">124</a></th><td> </td></tr><tr><th id="L125"><a href="#L125">125</a></th><td>/** </td></tr><tr><th id="L126"><a href="#L126">126</a></th><td> * Virtual address space scanning state. </td></tr><tr><th id="L127"><a href="#L127">127</a></th><td> */ </td></tr><tr><th id="L128"><a href="#L128">128</a></th><td>typedef struct SUPHNTVPSTATE </td></tr><tr><th id="L129"><a href="#L129">129</a></th><td>{ </td></tr><tr><th id="L130"><a href="#L130">130</a></th><td> /** Type of verification to perform. */ </td></tr><tr><th id="L131"><a href="#L131">131</a></th><td> SUPHARDNTVPKIND enmKind; </td></tr><tr><th id="L132"><a href="#L132">132</a></th><td> /** Combination of SUPHARDNTVP_F_XXX. */ </td></tr><tr><th id="L133"><a href="#L133">133</a></th><td> uint32_t fFlags; </td></tr><tr><th id="L134"><a href="#L134">134</a></th><td> /** The result. */ </td></tr><tr><th id="L135"><a href="#L135">135</a></th><td> int rcResult; </td></tr><tr><th id="L136"><a href="#L136">136</a></th><td> /** Number of fixes we've done. </td></tr><tr><th id="L137"><a href="#L137">137</a></th><td> * Only applicable in the purification modes. */ </td></tr><tr><th id="L138"><a href="#L138">138</a></th><td> uint32_t cFixes; </td></tr><tr><th id="L139"><a href="#L139">139</a></th><td> /** Number of images in aImages. */ </td></tr><tr><th id="L140"><a href="#L140">140</a></th><td> uint32_t cImages; </td></tr><tr><th id="L141"><a href="#L141">141</a></th><td> /** The index of the last image we looked up. */ </td></tr><tr><th id="L142"><a href="#L142">142</a></th><td> uint32_t iImageHint; </td></tr><tr><th id="L143"><a href="#L143">143</a></th><td> /** The process handle. */ </td></tr><tr><th id="L144"><a href="#L144">144</a></th><td> HANDLE hProcess; </td></tr><tr><th id="L145"><a href="#L145">145</a></th><td> /** Images found in the process. </td></tr><tr><th id="L146"><a href="#L146">146</a></th><td> * The array is large enough to hold the executable, all allowed DLLs, and one </td></tr><tr><th id="L147"><a href="#L147">147</a></th><td> * more so we can get the image name of the first unwanted DLL. */ </td></tr><tr><th id="L148"><a href="#L148">148</a></th><td> SUPHNTVPIMAGE aImages[1 + 6 + 1 </td></tr><tr><th id="L149"><a href="#L149">149</a></th><td>#ifdef VBOX_PERMIT_VERIFIER_DLL </td></tr><tr><th id="L150"><a href="#L150">150</a></th><td> + 1 </td></tr><tr><th id="L151"><a href="#L151">151</a></th><td>#endif </td></tr><tr><th id="L152"><a href="#L152">152</a></th><td>#ifdef VBOX_PERMIT_MORE </td></tr><tr><th id="L153"><a href="#L153">153</a></th><td> + 5 </td></tr><tr><th id="L154"><a href="#L154">154</a></th><td>#endif </td></tr><tr><th id="L155"><a href="#L155">155</a></th><td>#ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING </td></tr><tr><th id="L156"><a href="#L156">156</a></th><td> + 16 </td></tr><tr><th id="L157"><a href="#L157">157</a></th><td>#endif </td></tr><tr><th id="L158"><a href="#L158">158</a></th><td> ]; </td></tr><tr><th id="L159"><a href="#L159">159</a></th><td> /** Memory compare scratch buffer.*/ </td></tr><tr><th id="L160"><a href="#L160">160</a></th><td> uint8_t abMemory[_4K]; </td></tr><tr><th id="L161"><a href="#L161">161</a></th><td> /** File compare scratch buffer.*/ </td></tr><tr><th id="L162"><a href="#L162">162</a></th><td> uint8_t abFile[_4K]; </td></tr><tr><th id="L163"><a href="#L163">163</a></th><td> /** Section headers for use when comparing file and loaded image. */ </td></tr><tr><th id="L164"><a href="#L164">164</a></th><td> IMAGE_SECTION_HEADER aSecHdrs[16]; </td></tr><tr><th id="L165"><a href="#L165">165</a></th><td> /** Pointer to the error info. */ </td></tr><tr><th id="L166"><a href="#L166">166</a></th><td> PRTERRINFO pErrInfo; </td></tr><tr><th id="L167"><a href="#L167">167</a></th><td>} SUPHNTVPSTATE; </td></tr><tr><th id="L168"><a href="#L168">168</a></th><td>/** Pointer to stat information of a virtual address space scan. */ </td></tr><tr><th id="L169"><a href="#L169">169</a></th><td>typedef SUPHNTVPSTATE *PSUPHNTVPSTATE; </td></tr><tr><th id="L170"><a href="#L170">170</a></th><td> </td></tr><tr><th id="L171"><a href="#L171">171</a></th><td> </td></tr><tr><th id="L172"><a href="#L172">172</a></th><td>/********************************************************************************************************************************* </td></tr><tr><th id="L173"><a href="#L173">173</a></th><td>* Global Variables * </td></tr><tr><th id="L174"><a href="#L174">174</a></th><td>*********************************************************************************************************************************/ </td></tr><tr><th id="L175"><a href="#L175">175</a></th><td>/** </td></tr><tr><th id="L176"><a href="#L176">176</a></th><td> * System DLLs allowed to be loaded into the process. </td></tr><tr><th id="L177"><a href="#L177">177</a></th><td> * @remarks supHardNtVpCheckDlls assumes these are lower case. </td></tr><tr><th id="L178"><a href="#L178">178</a></th><td> */ </td></tr><tr><th id="L179"><a href="#L179">179</a></th><td>static const char *g_apszSupNtVpAllowedDlls[] = </td></tr><tr><th id="L180"><a href="#L180">180</a></th><td>{ </td></tr><tr><th id="L181"><a href="#L181">181</a></th><td> "ntdll.dll", </td></tr><tr><th id="L182"><a href="#L182">182</a></th><td> "kernel32.dll", </td></tr><tr><th id="L183"><a href="#L183">183</a></th><td> "kernelbase.dll", </td></tr><tr><th id="L184"><a href="#L184">184</a></th><td> "apphelp.dll", </td></tr><tr><th id="L185"><a href="#L185">185</a></th><td> "apisetschema.dll", </td></tr><tr><th id="L186"><a href="#L186">186</a></th><td>#ifdef VBOX_PERMIT_VERIFIER_DLL </td></tr><tr><th id="L187"><a href="#L187">187</a></th><td> "verifier.dll", </td></tr><tr><th id="L188"><a href="#L188">188</a></th><td>#endif </td></tr><tr><th id="L189"><a href="#L189">189</a></th><td>#ifdef VBOX_PERMIT_MORE </td></tr><tr><th id="L190"><a href="#L190">190</a></th><td># define VBOX_PERMIT_MORE_FIRST_IDX 5 </td></tr><tr><th id="L191"><a href="#L191">191</a></th><td> "sfc.dll", </td></tr><tr><th id="L192"><a href="#L192">192</a></th><td> "sfc_os.dll", </td></tr><tr><th id="L193"><a href="#L193">193</a></th><td> "user32.dll", </td></tr><tr><th id="L194"><a href="#L194">194</a></th><td> "acres.dll", </td></tr><tr><th id="L195"><a href="#L195">195</a></th><td> "acgenral.dll", </td></tr><tr><th id="L196"><a href="#L196">196</a></th><td>#endif </td></tr><tr><th id="L197"><a href="#L197">197</a></th><td>#ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING </td></tr><tr><th id="L198"><a href="#L198">198</a></th><td> "psapi.dll", </td></tr><tr><th id="L199"><a href="#L199">199</a></th><td> "msvcrt.dll", </td></tr><tr><th id="L200"><a href="#L200">200</a></th><td> "advapi32.dll", </td></tr><tr><th id="L201"><a href="#L201">201</a></th><td> "sechost.dll", </td></tr><tr><th id="L202"><a href="#L202">202</a></th><td> "rpcrt4.dll", </td></tr><tr><th id="L203"><a href="#L203">203</a></th><td> "SamplingRuntime.dll", </td></tr><tr><th id="L204"><a href="#L204">204</a></th><td>#endif </td></tr><tr><th id="L205"><a href="#L205">205</a></th><td>}; </td></tr><tr><th id="L206"><a href="#L206">206</a></th><td> </td></tr><tr><th id="L207"><a href="#L207">207</a></th><td>/** </td></tr><tr><th id="L208"><a href="#L208">208</a></th><td> * VBox executables allowed to start VMs. </td></tr><tr><th id="L209"><a href="#L209">209</a></th><td> * @remarks Remember to keep in sync with g_aSupInstallFiles in </td></tr><tr><th id="L210"><a href="#L210">210</a></th><td> * SUPR3HardenedVerify.cpp. </td></tr><tr><th id="L211"><a href="#L211">211</a></th><td> */ </td></tr><tr><th id="L212"><a href="#L212">212</a></th><td>static const char *g_apszSupNtVpAllowedVmExes[] = </td></tr><tr><th id="L213"><a href="#L213">213</a></th><td>{ </td></tr><tr><th id="L214"><a href="#L214">214</a></th><td> "VBoxHeadless.exe", </td></tr><tr><th id="L215"><a href="#L215">215</a></th><td> "VirtualBox.exe", </td></tr><tr><th id="L216"><a href="#L216">216</a></th><td> "VBoxSDL.exe", </td></tr><tr><th id="L217"><a href="#L217">217</a></th><td> "VBoxNetDHCP.exe", </td></tr><tr><th id="L218"><a href="#L218">218</a></th><td> "VBoxNetNAT.exe", </td></tr><tr><th id="L219"><a href="#L219">219</a></th><td> "VBoxVMMPreload.exe", </td></tr><tr><th id="L220"><a href="#L220">220</a></th><td> </td></tr><tr><th id="L221"><a href="#L221">221</a></th><td> "tstMicro.exe", </td></tr><tr><th id="L222"><a href="#L222">222</a></th><td> "tstPDMAsyncCompletion.exe", </td></tr><tr><th id="L223"><a href="#L223">223</a></th><td> "tstPDMAsyncCompletionStress.exe", </td></tr><tr><th id="L224"><a href="#L224">224</a></th><td> "tstVMM.exe", </td></tr><tr><th id="L225"><a href="#L225">225</a></th><td> "tstVMREQ.exe", </td></tr><tr><th id="L226"><a href="#L226">226</a></th><td> "tstCFGM.exe", </td></tr><tr><th id="L227"><a href="#L227">227</a></th><td> "tstGIP-2.exe", </td></tr><tr><th id="L228"><a href="#L228">228</a></th><td> "tstIntNet-1.exe", </td></tr><tr><th id="L229"><a href="#L229">229</a></th><td> "tstMMHyperHeap.exe", </td></tr><tr><th id="L230"><a href="#L230">230</a></th><td> "tstRTR0ThreadPreemptionDriver.exe", </td></tr><tr><th id="L231"><a href="#L231">231</a></th><td> "tstRTR0MemUserKernelDriver.exe", </td></tr><tr><th id="L232"><a href="#L232">232</a></th><td> "tstRTR0SemMutexDriver.exe", </td></tr><tr><th id="L233"><a href="#L233">233</a></th><td> "tstRTR0TimerDriver.exe", </td></tr><tr><th id="L234"><a href="#L234">234</a></th><td> "tstSSM.exe", </td></tr><tr><th id="L235"><a href="#L235">235</a></th><td>}; </td></tr><tr><th id="L236"><a href="#L236">236</a></th><td> </td></tr><tr><th id="L237"><a href="#L237">237</a></th><td>/** Pointer to NtQueryVirtualMemory. Initialized by SUPDrv-win.cpp in </td></tr><tr><th id="L238"><a href="#L238">238</a></th><td> * ring-0, in ring-3 it's just a slightly confusing define. */ </td></tr><tr><th id="L239"><a href="#L239">239</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L240"><a href="#L240">240</a></th><td>PFNNTQUERYVIRTUALMEMORY g_pfnNtQueryVirtualMemory = NULL; </td></tr><tr><th id="L241"><a href="#L241">241</a></th><td>#else </td></tr><tr><th id="L242"><a href="#L242">242</a></th><td># define g_pfnNtQueryVirtualMemory NtQueryVirtualMemory </td></tr><tr><th id="L243"><a href="#L243">243</a></th><td>#endif </td></tr><tr><th id="L244"><a href="#L244">244</a></th><td> </td></tr><tr><th id="L245"><a href="#L245">245</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L246"><a href="#L246">246</a></th><td>/** The number of valid entries in the loader cache. */ </td></tr><tr><th id="L247"><a href="#L247">247</a></th><td>static uint32_t g_cSupNtVpLdrCacheEntries = 0; </td></tr><tr><th id="L248"><a href="#L248">248</a></th><td>/** The loader cache entries. */ </td></tr><tr><th id="L249"><a href="#L249">249</a></th><td>static SUPHNTLDRCACHEENTRY g_aSupNtVpLdrCacheEntries[RT_ELEMENTS(g_apszSupNtVpAllowedDlls) + 1 + 3]; </td></tr><tr><th id="L250"><a href="#L250">250</a></th><td>#endif </td></tr><tr><th id="L251"><a href="#L251">251</a></th><td> </td></tr><tr><th id="L252"><a href="#L252">252</a></th><td> </td></tr><tr><th id="L253"><a href="#L253">253</a></th><td>/** </td></tr><tr><th id="L254"><a href="#L254">254</a></th><td> * Fills in error information. </td></tr><tr><th id="L255"><a href="#L255">255</a></th><td> * </td></tr><tr><th id="L256"><a href="#L256">256</a></th><td> * @returns @a rc. </td></tr><tr><th id="L257"><a href="#L257">257</a></th><td> * @param pErrInfo Pointer to the extended error info structure. </td></tr><tr><th id="L258"><a href="#L258">258</a></th><td> * Can be NULL. </td></tr><tr><th id="L259"><a href="#L259">259</a></th><td> * @param rc The status to return. </td></tr><tr><th id="L260"><a href="#L260">260</a></th><td> * @param pszMsg The format string for the message. </td></tr><tr><th id="L261"><a href="#L261">261</a></th><td> * @param ... The arguments for the format string. </td></tr><tr><th id="L262"><a href="#L262">262</a></th><td> */ </td></tr><tr><th id="L263"><a href="#L263">263</a></th><td>static int supHardNtVpSetInfo1(PRTERRINFO pErrInfo, int rc, const char *pszMsg, ...) </td></tr><tr><th id="L264"><a href="#L264">264</a></th><td>{ </td></tr><tr><th id="L265"><a href="#L265">265</a></th><td> va_list va; </td></tr><tr><th id="L266"><a href="#L266">266</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L267"><a href="#L267">267</a></th><td> va_start(va, pszMsg); </td></tr><tr><th id="L268"><a href="#L268">268</a></th><td> supR3HardenedError(rc, false /*fFatal*/, "%N\n", pszMsg, &va); </td></tr><tr><th id="L269"><a href="#L269">269</a></th><td> va_end(va); </td></tr><tr><th id="L270"><a href="#L270">270</a></th><td>#endif </td></tr><tr><th id="L271"><a href="#L271">271</a></th><td> </td></tr><tr><th id="L272"><a href="#L272">272</a></th><td> va_start(va, pszMsg); </td></tr><tr><th id="L273"><a href="#L273">273</a></th><td> RTErrInfoSetV(pErrInfo, rc, pszMsg, va); </td></tr><tr><th id="L274"><a href="#L274">274</a></th><td> va_end(va); </td></tr><tr><th id="L275"><a href="#L275">275</a></th><td> </td></tr><tr><th id="L276"><a href="#L276">276</a></th><td> return rc; </td></tr><tr><th id="L277"><a href="#L277">277</a></th><td>} </td></tr><tr><th id="L278"><a href="#L278">278</a></th><td> </td></tr><tr><th id="L279"><a href="#L279">279</a></th><td> </td></tr><tr><th id="L280"><a href="#L280">280</a></th><td>/** </td></tr><tr><th id="L281"><a href="#L281">281</a></th><td> * Adds error information. </td></tr><tr><th id="L282"><a href="#L282">282</a></th><td> * </td></tr><tr><th id="L283"><a href="#L283">283</a></th><td> * @returns @a rc. </td></tr><tr><th id="L284"><a href="#L284">284</a></th><td> * @param pErrInfo Pointer to the extended error info structure </td></tr><tr><th id="L285"><a href="#L285">285</a></th><td> * which may contain some details already. Can be </td></tr><tr><th id="L286"><a href="#L286">286</a></th><td> * NULL. </td></tr><tr><th id="L287"><a href="#L287">287</a></th><td> * @param rc The status to return. </td></tr><tr><th id="L288"><a href="#L288">288</a></th><td> * @param pszMsg The format string for the message. </td></tr><tr><th id="L289"><a href="#L289">289</a></th><td> * @param ... The arguments for the format string. </td></tr><tr><th id="L290"><a href="#L290">290</a></th><td> */ </td></tr><tr><th id="L291"><a href="#L291">291</a></th><td>static int supHardNtVpAddInfo1(PRTERRINFO pErrInfo, int rc, const char *pszMsg, ...) </td></tr><tr><th id="L292"><a href="#L292">292</a></th><td>{ </td></tr><tr><th id="L293"><a href="#L293">293</a></th><td> va_list va; </td></tr><tr><th id="L294"><a href="#L294">294</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L295"><a href="#L295">295</a></th><td> va_start(va, pszMsg); </td></tr><tr><th id="L296"><a href="#L296">296</a></th><td> if (pErrInfo && pErrInfo->pszMsg) </td></tr><tr><th id="L297"><a href="#L297">297</a></th><td> supR3HardenedError(rc, false /*fFatal*/, "%N - %s\n", pszMsg, &va, pErrInfo->pszMsg); </td></tr><tr><th id="L298"><a href="#L298">298</a></th><td> else </td></tr><tr><th id="L299"><a href="#L299">299</a></th><td> supR3HardenedError(rc, false /*fFatal*/, "%N\n", pszMsg, &va); </td></tr><tr><th id="L300"><a href="#L300">300</a></th><td> va_end(va); </td></tr><tr><th id="L301"><a href="#L301">301</a></th><td>#endif </td></tr><tr><th id="L302"><a href="#L302">302</a></th><td> </td></tr><tr><th id="L303"><a href="#L303">303</a></th><td> va_start(va, pszMsg); </td></tr><tr><th id="L304"><a href="#L304">304</a></th><td> RTErrInfoAddV(pErrInfo, rc, pszMsg, va); </td></tr><tr><th id="L305"><a href="#L305">305</a></th><td> va_end(va); </td></tr><tr><th id="L306"><a href="#L306">306</a></th><td> </td></tr><tr><th id="L307"><a href="#L307">307</a></th><td> return rc; </td></tr><tr><th id="L308"><a href="#L308">308</a></th><td>} </td></tr><tr><th id="L309"><a href="#L309">309</a></th><td> </td></tr><tr><th id="L310"><a href="#L310">310</a></th><td> </td></tr><tr><th id="L311"><a href="#L311">311</a></th><td>/** </td></tr><tr><th id="L312"><a href="#L312">312</a></th><td> * Fills in error information. </td></tr><tr><th id="L313"><a href="#L313">313</a></th><td> * </td></tr><tr><th id="L314"><a href="#L314">314</a></th><td> * @returns @a rc. </td></tr><tr><th id="L315"><a href="#L315">315</a></th><td> * @param pThis The process validator instance. </td></tr><tr><th id="L316"><a href="#L316">316</a></th><td> * @param rc The status to return. </td></tr><tr><th id="L317"><a href="#L317">317</a></th><td> * @param pszMsg The format string for the message. </td></tr><tr><th id="L318"><a href="#L318">318</a></th><td> * @param ... The arguments for the format string. </td></tr><tr><th id="L319"><a href="#L319">319</a></th><td> */ </td></tr><tr><th id="L320"><a href="#L320">320</a></th><td>static int supHardNtVpSetInfo2(PSUPHNTVPSTATE pThis, int rc, const char *pszMsg, ...) </td></tr><tr><th id="L321"><a href="#L321">321</a></th><td>{ </td></tr><tr><th id="L322"><a href="#L322">322</a></th><td> va_list va; </td></tr><tr><th id="L323"><a href="#L323">323</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L324"><a href="#L324">324</a></th><td> va_start(va, pszMsg); </td></tr><tr><th id="L325"><a href="#L325">325</a></th><td> supR3HardenedError(rc, false /*fFatal*/, "%N\n", pszMsg, &va); </td></tr><tr><th id="L326"><a href="#L326">326</a></th><td> va_end(va); </td></tr><tr><th id="L327"><a href="#L327">327</a></th><td>#endif </td></tr><tr><th id="L328"><a href="#L328">328</a></th><td> </td></tr><tr><th id="L329"><a href="#L329">329</a></th><td> va_start(va, pszMsg); </td></tr><tr><th id="L330"><a href="#L330">330</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L331"><a href="#L331">331</a></th><td> RTErrInfoSetV(pThis->pErrInfo, rc, pszMsg, va); </td></tr><tr><th id="L332"><a href="#L332">332</a></th><td> pThis->rcResult = rc; </td></tr><tr><th id="L333"><a href="#L333">333</a></th><td>#else </td></tr><tr><th id="L334"><a href="#L334">334</a></th><td> if (RT_SUCCESS(pThis->rcResult)) </td></tr><tr><th id="L335"><a href="#L335">335</a></th><td> { </td></tr><tr><th id="L336"><a href="#L336">336</a></th><td> RTErrInfoSetV(pThis->pErrInfo, rc, pszMsg, va); </td></tr><tr><th id="L337"><a href="#L337">337</a></th><td> pThis->rcResult = rc; </td></tr><tr><th id="L338"><a href="#L338">338</a></th><td> } </td></tr><tr><th id="L339"><a href="#L339">339</a></th><td> else </td></tr><tr><th id="L340"><a href="#L340">340</a></th><td> { </td></tr><tr><th id="L341"><a href="#L341">341</a></th><td> RTErrInfoAddF(pThis->pErrInfo, rc, " \n[rc=%d] ", rc); </td></tr><tr><th id="L342"><a href="#L342">342</a></th><td> RTErrInfoAddV(pThis->pErrInfo, rc, pszMsg, va); </td></tr><tr><th id="L343"><a href="#L343">343</a></th><td> } </td></tr><tr><th id="L344"><a href="#L344">344</a></th><td>#endif </td></tr><tr><th id="L345"><a href="#L345">345</a></th><td> va_end(va); </td></tr><tr><th id="L346"><a href="#L346">346</a></th><td> </td></tr><tr><th id="L347"><a href="#L347">347</a></th><td> return pThis->rcResult; </td></tr><tr><th id="L348"><a href="#L348">348</a></th><td>} </td></tr><tr><th id="L349"><a href="#L349">349</a></th><td> </td></tr><tr><th id="L350"><a href="#L350">350</a></th><td> </td></tr><tr><th id="L351"><a href="#L351">351</a></th><td>static int supHardNtVpReadImage(PSUPHNTVPIMAGE pImage, uint64_t off, void *pvBuf, size_t cbRead) </td></tr><tr><th id="L352"><a href="#L352">352</a></th><td>{ </td></tr><tr><th id="L353"><a href="#L353">353</a></th><td> return pImage->pCacheEntry->pNtViRdr->Core.pfnRead(&pImage->pCacheEntry->pNtViRdr->Core, pvBuf, cbRead, off); </td></tr><tr><th id="L354"><a href="#L354">354</a></th><td>} </td></tr><tr><th id="L355"><a href="#L355">355</a></th><td> </td></tr><tr><th id="L356"><a href="#L356">356</a></th><td> </td></tr><tr><th id="L357"><a href="#L357">357</a></th><td>static NTSTATUS supHardNtVpReadMem(HANDLE hProcess, uintptr_t uPtr, void *pvBuf, size_t cbRead) </td></tr><tr><th id="L358"><a href="#L358">358</a></th><td>{ </td></tr><tr><th id="L359"><a href="#L359">359</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L360"><a href="#L360">360</a></th><td> /* ASSUMES hProcess is the current process. */ </td></tr><tr><th id="L361"><a href="#L361">361</a></th><td> RT_NOREF1(hProcess); </td></tr><tr><th id="L362"><a href="#L362">362</a></th><td> /** @todo use MmCopyVirtualMemory where available! */ </td></tr><tr><th id="L363"><a href="#L363">363</a></th><td> int rc = RTR0MemUserCopyFrom(pvBuf, uPtr, cbRead); </td></tr><tr><th id="L364"><a href="#L364">364</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L365"><a href="#L365">365</a></th><td> return STATUS_SUCCESS; </td></tr><tr><th id="L366"><a href="#L366">366</a></th><td> return STATUS_ACCESS_DENIED; </td></tr><tr><th id="L367"><a href="#L367">367</a></th><td>#else </td></tr><tr><th id="L368"><a href="#L368">368</a></th><td> SIZE_T cbIgn; </td></tr><tr><th id="L369"><a href="#L369">369</a></th><td> NTSTATUS rcNt = NtReadVirtualMemory(hProcess, (PVOID)uPtr, pvBuf, cbRead, &cbIgn); </td></tr><tr><th id="L370"><a href="#L370">370</a></th><td> if (NT_SUCCESS(rcNt) && cbIgn != cbRead) </td></tr><tr><th id="L371"><a href="#L371">371</a></th><td> rcNt = STATUS_IO_DEVICE_ERROR; </td></tr><tr><th id="L372"><a href="#L372">372</a></th><td> return rcNt; </td></tr><tr><th id="L373"><a href="#L373">373</a></th><td>#endif </td></tr><tr><th id="L374"><a href="#L374">374</a></th><td>} </td></tr><tr><th id="L375"><a href="#L375">375</a></th><td> </td></tr><tr><th id="L376"><a href="#L376">376</a></th><td> </td></tr><tr><th id="L377"><a href="#L377">377</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L378"><a href="#L378">378</a></th><td>static NTSTATUS supHardNtVpFileMemRestore(PSUPHNTVPSTATE pThis, PVOID pvRestoreAddr, uint8_t const *pbFile, uint32_t cbToRestore, </td></tr><tr><th id="L379"><a href="#L379">379</a></th><td> uint32_t fCorrectProtection) </td></tr><tr><th id="L380"><a href="#L380">380</a></th><td>{ </td></tr><tr><th id="L381"><a href="#L381">381</a></th><td> PVOID pvProt = pvRestoreAddr; </td></tr><tr><th id="L382"><a href="#L382">382</a></th><td> SIZE_T cbProt = cbToRestore; </td></tr><tr><th id="L383"><a href="#L383">383</a></th><td> ULONG fOldProt = 0; </td></tr><tr><th id="L384"><a href="#L384">384</a></th><td> NTSTATUS rcNt = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, PAGE_READWRITE, &fOldProt); </td></tr><tr><th id="L385"><a href="#L385">385</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L386"><a href="#L386">386</a></th><td> { </td></tr><tr><th id="L387"><a href="#L387">387</a></th><td> SIZE_T cbIgnored; </td></tr><tr><th id="L388"><a href="#L388">388</a></th><td> rcNt = NtWriteVirtualMemory(pThis->hProcess, pvRestoreAddr, pbFile, cbToRestore, &cbIgnored); </td></tr><tr><th id="L389"><a href="#L389">389</a></th><td> </td></tr><tr><th id="L390"><a href="#L390">390</a></th><td> pvProt = pvRestoreAddr; </td></tr><tr><th id="L391"><a href="#L391">391</a></th><td> cbProt = cbToRestore; </td></tr><tr><th id="L392"><a href="#L392">392</a></th><td> NTSTATUS rcNt2 = NtProtectVirtualMemory(pThis->hProcess, &pvProt, &cbProt, fCorrectProtection, &fOldProt); </td></tr><tr><th id="L393"><a href="#L393">393</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L394"><a href="#L394">394</a></th><td> rcNt = rcNt2; </td></tr><tr><th id="L395"><a href="#L395">395</a></th><td> } </td></tr><tr><th id="L396"><a href="#L396">396</a></th><td> pThis->cFixes++; </td></tr><tr><th id="L397"><a href="#L397">397</a></th><td> return rcNt; </td></tr><tr><th id="L398"><a href="#L398">398</a></th><td>} </td></tr><tr><th id="L399"><a href="#L399">399</a></th><td>#endif /* IN_RING3 */ </td></tr><tr><th id="L400"><a href="#L400">400</a></th><td> </td></tr><tr><th id="L401"><a href="#L401">401</a></th><td> </td></tr><tr><th id="L402"><a href="#L402">402</a></th><td>typedef struct SUPHNTVPSKIPAREA </td></tr><tr><th id="L403"><a href="#L403">403</a></th><td>{ </td></tr><tr><th id="L404"><a href="#L404">404</a></th><td> uint32_t uRva; </td></tr><tr><th id="L405"><a href="#L405">405</a></th><td> uint32_t cb; </td></tr><tr><th id="L406"><a href="#L406">406</a></th><td>} SUPHNTVPSKIPAREA; </td></tr><tr><th id="L407"><a href="#L407">407</a></th><td>typedef SUPHNTVPSKIPAREA *PSUPHNTVPSKIPAREA; </td></tr><tr><th id="L408"><a href="#L408">408</a></th><td> </td></tr><tr><th id="L409"><a href="#L409">409</a></th><td>static int supHardNtVpFileMemCompareSection(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, </td></tr><tr><th id="L410"><a href="#L410">410</a></th><td> uint32_t uRva, uint32_t cb, const uint8_t *pbFile, </td></tr><tr><th id="L411"><a href="#L411">411</a></th><td> int32_t iSh, PSUPHNTVPSKIPAREA paSkipAreas, uint32_t cSkipAreas, </td></tr><tr><th id="L412"><a href="#L412">412</a></th><td> uint32_t fCorrectProtection) </td></tr><tr><th id="L413"><a href="#L413">413</a></th><td>{ </td></tr><tr><th id="L414"><a href="#L414">414</a></th><td>#ifndef IN_RING3 </td></tr><tr><th id="L415"><a href="#L415">415</a></th><td> RT_NOREF1(fCorrectProtection); </td></tr><tr><th id="L416"><a href="#L416">416</a></th><td>#endif </td></tr><tr><th id="L417"><a href="#L417">417</a></th><td> AssertCompileAdjacentMembers(SUPHNTVPSTATE, abMemory, abFile); /* Use both the memory and file buffers here. Parfait might hate me for this... */ </td></tr><tr><th id="L418"><a href="#L418">418</a></th><td> uint32_t const cbMemory = sizeof(pThis->abMemory) + sizeof(pThis->abFile); </td></tr><tr><th id="L419"><a href="#L419">419</a></th><td> uint8_t * const pbMemory = &pThis->abMemory[0]; </td></tr><tr><th id="L420"><a href="#L420">420</a></th><td> </td></tr><tr><th id="L421"><a href="#L421">421</a></th><td> while (cb > 0) </td></tr><tr><th id="L422"><a href="#L422">422</a></th><td> { </td></tr><tr><th id="L423"><a href="#L423">423</a></th><td> uint32_t cbThis = RT_MIN(cb, cbMemory); </td></tr><tr><th id="L424"><a href="#L424">424</a></th><td> </td></tr><tr><th id="L425"><a href="#L425">425</a></th><td> /* Clipping. */ </td></tr><tr><th id="L426"><a href="#L426">426</a></th><td> uint32_t uNextRva = uRva + cbThis; </td></tr><tr><th id="L427"><a href="#L427">427</a></th><td> if (cSkipAreas) </td></tr><tr><th id="L428"><a href="#L428">428</a></th><td> { </td></tr><tr><th id="L429"><a href="#L429">429</a></th><td> uint32_t uRvaEnd = uNextRva; </td></tr><tr><th id="L430"><a href="#L430">430</a></th><td> uint32_t i = cSkipAreas; </td></tr><tr><th id="L431"><a href="#L431">431</a></th><td> while (i-- > 0) </td></tr><tr><th id="L432"><a href="#L432">432</a></th><td> { </td></tr><tr><th id="L433"><a href="#L433">433</a></th><td> uint32_t uSkipEnd = paSkipAreas[i].uRva + paSkipAreas[i].cb; </td></tr><tr><th id="L434"><a href="#L434">434</a></th><td> if ( uRva < uSkipEnd </td></tr><tr><th id="L435"><a href="#L435">435</a></th><td> && uRvaEnd > paSkipAreas[i].uRva) </td></tr><tr><th id="L436"><a href="#L436">436</a></th><td> { </td></tr><tr><th id="L437"><a href="#L437">437</a></th><td> if (uRva < paSkipAreas[i].uRva) </td></tr><tr><th id="L438"><a href="#L438">438</a></th><td> { </td></tr><tr><th id="L439"><a href="#L439">439</a></th><td> cbThis = paSkipAreas[i].uRva - uRva; </td></tr><tr><th id="L440"><a href="#L440">440</a></th><td> uRvaEnd = paSkipAreas[i].uRva; </td></tr><tr><th id="L441"><a href="#L441">441</a></th><td> uNextRva = uSkipEnd; </td></tr><tr><th id="L442"><a href="#L442">442</a></th><td> } </td></tr><tr><th id="L443"><a href="#L443">443</a></th><td> else if (uRvaEnd >= uSkipEnd) </td></tr><tr><th id="L444"><a href="#L444">444</a></th><td> { </td></tr><tr><th id="L445"><a href="#L445">445</a></th><td> cbThis -= uSkipEnd - uRva; </td></tr><tr><th id="L446"><a href="#L446">446</a></th><td> pbFile += uSkipEnd - uRva; </td></tr><tr><th id="L447"><a href="#L447">447</a></th><td> uRva = uSkipEnd; </td></tr><tr><th id="L448"><a href="#L448">448</a></th><td> } </td></tr><tr><th id="L449"><a href="#L449">449</a></th><td> else </td></tr><tr><th id="L450"><a href="#L450">450</a></th><td> { </td></tr><tr><th id="L451"><a href="#L451">451</a></th><td> uNextRva = uSkipEnd; </td></tr><tr><th id="L452"><a href="#L452">452</a></th><td> cbThis = 0; </td></tr><tr><th id="L453"><a href="#L453">453</a></th><td> break; </td></tr><tr><th id="L454"><a href="#L454">454</a></th><td> } </td></tr><tr><th id="L455"><a href="#L455">455</a></th><td> } </td></tr><tr><th id="L456"><a href="#L456">456</a></th><td> } </td></tr><tr><th id="L457"><a href="#L457">457</a></th><td> } </td></tr><tr><th id="L458"><a href="#L458">458</a></th><td> </td></tr><tr><th id="L459"><a href="#L459">459</a></th><td> /* Read the memory. */ </td></tr><tr><th id="L460"><a href="#L460">460</a></th><td> NTSTATUS rcNt = supHardNtVpReadMem(pThis->hProcess, pImage->uImageBase + uRva, pbMemory, cbThis); </td></tr><tr><th id="L461"><a href="#L461">461</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L462"><a href="#L462">462</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_READ_ERROR, </td></tr><tr><th id="L463"><a href="#L463">463</a></th><td> "%s: Error reading %#x bytes at %p (rva %#x, #%u, %.8s) from memory: %#x", </td></tr><tr><th id="L464"><a href="#L464">464</a></th><td> pImage->pszName, cbThis, pImage->uImageBase + uRva, uRva, iSh + 1, </td></tr><tr><th id="L465"><a href="#L465">465</a></th><td> iSh >= 0 ? (char *)pThis->aSecHdrs[iSh].Name : "headers", rcNt); </td></tr><tr><th id="L466"><a href="#L466">466</a></th><td> </td></tr><tr><th id="L467"><a href="#L467">467</a></th><td> /* Do the compare. */ </td></tr><tr><th id="L468"><a href="#L468">468</a></th><td> if (memcmp(pbFile, pbMemory, cbThis) != 0) </td></tr><tr><th id="L469"><a href="#L469">469</a></th><td> { </td></tr><tr><th id="L470"><a href="#L470">470</a></th><td> const char *pachSectNm = iSh >= 0 ? (char *)pThis->aSecHdrs[iSh].Name : "headers"; </td></tr><tr><th id="L471"><a href="#L471">471</a></th><td> SUP_DPRINTF(("%s: Differences in section #%u (%s) between file and memory:\n", pImage->pszName, iSh + 1, pachSectNm)); </td></tr><tr><th id="L472"><a href="#L472">472</a></th><td> </td></tr><tr><th id="L473"><a href="#L473">473</a></th><td> uint32_t off = 0; </td></tr><tr><th id="L474"><a href="#L474">474</a></th><td> while (off < cbThis && pbFile[off] == pbMemory[off]) </td></tr><tr><th id="L475"><a href="#L475">475</a></th><td> off++; </td></tr><tr><th id="L476"><a href="#L476">476</a></th><td> SUP_DPRINTF((" %p / %#09x: %02x != %02x\n", </td></tr><tr><th id="L477"><a href="#L477">477</a></th><td> pImage->uImageBase + uRva + off, uRva + off, pbFile[off], pbMemory[off])); </td></tr><tr><th id="L478"><a href="#L478">478</a></th><td> uint32_t offLast = off; </td></tr><tr><th id="L479"><a href="#L479">479</a></th><td> uint32_t cDiffs = 1; </td></tr><tr><th id="L480"><a href="#L480">480</a></th><td> for (uint32_t off2 = off + 1; off2 < cbThis; off2++) </td></tr><tr><th id="L481"><a href="#L481">481</a></th><td> if (pbFile[off2] != pbMemory[off2]) </td></tr><tr><th id="L482"><a href="#L482">482</a></th><td> { </td></tr><tr><th id="L483"><a href="#L483">483</a></th><td> SUP_DPRINTF((" %p / %#09x: %02x != %02x\n", </td></tr><tr><th id="L484"><a href="#L484">484</a></th><td> pImage->uImageBase + uRva + off2, uRva + off2, pbFile[off2], pbMemory[off2])); </td></tr><tr><th id="L485"><a href="#L485">485</a></th><td> cDiffs++; </td></tr><tr><th id="L486"><a href="#L486">486</a></th><td> offLast = off2; </td></tr><tr><th id="L487"><a href="#L487">487</a></th><td> } </td></tr><tr><th id="L488"><a href="#L488">488</a></th><td> </td></tr><tr><th id="L489"><a href="#L489">489</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L490"><a href="#L490">490</a></th><td> if ( pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION </td></tr><tr><th id="L491"><a href="#L491">491</a></th><td> || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION) </td></tr><tr><th id="L492"><a href="#L492">492</a></th><td> { </td></tr><tr><th id="L493"><a href="#L493">493</a></th><td> PVOID pvRestoreAddr = (uint8_t *)pImage->uImageBase + uRva; </td></tr><tr><th id="L494"><a href="#L494">494</a></th><td> rcNt = supHardNtVpFileMemRestore(pThis, pvRestoreAddr, pbFile, cbThis, fCorrectProtection); </td></tr><tr><th id="L495"><a href="#L495">495</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L496"><a href="#L496">496</a></th><td> SUP_DPRINTF((" Restored %#x bytes of original file content at %p\n", cbThis, pvRestoreAddr)); </td></tr><tr><th id="L497"><a href="#L497">497</a></th><td> else </td></tr><tr><th id="L498"><a href="#L498">498</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_VS_FILE_MISMATCH, </td></tr><tr><th id="L499"><a href="#L499">499</a></th><td> "%s: Failed to restore %#x bytes at %p (%#x, #%u, %s): %#x (cDiffs=%#x, first=%#x)", </td></tr><tr><th id="L500"><a href="#L500">500</a></th><td> pImage->pszName, cbThis, pvRestoreAddr, uRva, iSh + 1, pachSectNm, rcNt, </td></tr><tr><th id="L501"><a href="#L501">501</a></th><td> cDiffs, uRva + off); </td></tr><tr><th id="L502"><a href="#L502">502</a></th><td> } </td></tr><tr><th id="L503"><a href="#L503">503</a></th><td> else </td></tr><tr><th id="L504"><a href="#L504">504</a></th><td>#endif /* IN_RING3 */ </td></tr><tr><th id="L505"><a href="#L505">505</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_MEMORY_VS_FILE_MISMATCH, </td></tr><tr><th id="L506"><a href="#L506">506</a></th><td> "%s: %u differences between %#x and %#x in #%u (%.8s), first: %02x != %02x", </td></tr><tr><th id="L507"><a href="#L507">507</a></th><td> pImage->pszName, cDiffs, uRva + off, uRva + offLast, iSh + 1, </td></tr><tr><th id="L508"><a href="#L508">508</a></th><td> pachSectNm, pbFile[off], pbMemory[off]); </td></tr><tr><th id="L509"><a href="#L509">509</a></th><td> } </td></tr><tr><th id="L510"><a href="#L510">510</a></th><td> </td></tr><tr><th id="L511"><a href="#L511">511</a></th><td> /* Advance. The clipping makes it a little bit complicated. */ </td></tr><tr><th id="L512"><a href="#L512">512</a></th><td> cbThis = uNextRva - uRva; </td></tr><tr><th id="L513"><a href="#L513">513</a></th><td> if (cbThis >= cb) </td></tr><tr><th id="L514"><a href="#L514">514</a></th><td> break; </td></tr><tr><th id="L515"><a href="#L515">515</a></th><td> cb -= cbThis; </td></tr><tr><th id="L516"><a href="#L516">516</a></th><td> pbFile += cbThis; </td></tr><tr><th id="L517"><a href="#L517">517</a></th><td> uRva = uNextRva; </td></tr><tr><th id="L518"><a href="#L518">518</a></th><td> } </td></tr><tr><th id="L519"><a href="#L519">519</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L520"><a href="#L520">520</a></th><td>} </td></tr><tr><th id="L521"><a href="#L521">521</a></th><td> </td></tr><tr><th id="L522"><a href="#L522">522</a></th><td> </td></tr><tr><th id="L523"><a href="#L523">523</a></th><td> </td></tr><tr><th id="L524"><a href="#L524">524</a></th><td>static int supHardNtVpCheckSectionProtection(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, </td></tr><tr><th id="L525"><a href="#L525">525</a></th><td> uint32_t uRva, uint32_t cb, uint32_t fProt) </td></tr><tr><th id="L526"><a href="#L526">526</a></th><td>{ </td></tr><tr><th id="L527"><a href="#L527">527</a></th><td> uint32_t const cbOrg = cb; </td></tr><tr><th id="L528"><a href="#L528">528</a></th><td> if (!cb) </td></tr><tr><th id="L529"><a href="#L529">529</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L530"><a href="#L530">530</a></th><td> if ( pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION </td></tr><tr><th id="L531"><a href="#L531">531</a></th><td> || pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION) </td></tr><tr><th id="L532"><a href="#L532">532</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L533"><a href="#L533">533</a></th><td> </td></tr><tr><th id="L534"><a href="#L534">534</a></th><td> for (uint32_t i = 0; i < pImage->cRegions; i++) </td></tr><tr><th id="L535"><a href="#L535">535</a></th><td> { </td></tr><tr><th id="L536"><a href="#L536">536</a></th><td> uint32_t offRegion = uRva - pImage->aRegions[i].uRva; </td></tr><tr><th id="L537"><a href="#L537">537</a></th><td> if (offRegion < pImage->aRegions[i].cb) </td></tr><tr><th id="L538"><a href="#L538">538</a></th><td> { </td></tr><tr><th id="L539"><a href="#L539">539</a></th><td> uint32_t cbLeft = pImage->aRegions[i].cb - offRegion; </td></tr><tr><th id="L540"><a href="#L540">540</a></th><td> if ( pImage->aRegions[i].fProt != fProt </td></tr><tr><th id="L541"><a href="#L541">541</a></th><td> && ( fProt != PAGE_READWRITE </td></tr><tr><th id="L542"><a href="#L542">542</a></th><td> || pImage->aRegions[i].fProt != PAGE_WRITECOPY)) </td></tr><tr><th id="L543"><a href="#L543">543</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SECTION_PROTECTION_MISMATCH, </td></tr><tr><th id="L544"><a href="#L544">544</a></th><td> "%s: RVA range %#x-%#x protection is %#x, expected %#x. (cb=%#x)", </td></tr><tr><th id="L545"><a href="#L545">545</a></th><td> pImage->pszName, uRva, uRva + cbLeft - 1, pImage->aRegions[i].fProt, fProt, cb); </td></tr><tr><th id="L546"><a href="#L546">546</a></th><td> if (cbLeft >= cb) </td></tr><tr><th id="L547"><a href="#L547">547</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L548"><a href="#L548">548</a></th><td> cb -= cbLeft; </td></tr><tr><th id="L549"><a href="#L549">549</a></th><td> uRva += cbLeft; </td></tr><tr><th id="L550"><a href="#L550">550</a></th><td> </td></tr><tr><th id="L551"><a href="#L551">551</a></th><td>#if 0 /* This shouldn't ever be necessary. */ </td></tr><tr><th id="L552"><a href="#L552">552</a></th><td> if ( i + 1 < pImage->cRegions </td></tr><tr><th id="L553"><a href="#L553">553</a></th><td> && uRva < pImage->aRegions[i + 1].uRva) </td></tr><tr><th id="L554"><a href="#L554">554</a></th><td> { </td></tr><tr><th id="L555"><a href="#L555">555</a></th><td> cbLeft = pImage->aRegions[i + 1].uRva - uRva; </td></tr><tr><th id="L556"><a href="#L556">556</a></th><td> if (cbLeft >= cb) </td></tr><tr><th id="L557"><a href="#L557">557</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L558"><a href="#L558">558</a></th><td> cb -= cbLeft; </td></tr><tr><th id="L559"><a href="#L559">559</a></th><td> uRva += cbLeft; </td></tr><tr><th id="L560"><a href="#L560">560</a></th><td> } </td></tr><tr><th id="L561"><a href="#L561">561</a></th><td>#endif </td></tr><tr><th id="L562"><a href="#L562">562</a></th><td> } </td></tr><tr><th id="L563"><a href="#L563">563</a></th><td> } </td></tr><tr><th id="L564"><a href="#L564">564</a></th><td> </td></tr><tr><th id="L565"><a href="#L565">565</a></th><td> return supHardNtVpSetInfo2(pThis, cbOrg == cb ? VERR_SUP_VP_SECTION_NOT_MAPPED : VERR_SUP_VP_SECTION_NOT_FULLY_MAPPED, </td></tr><tr><th id="L566"><a href="#L566">566</a></th><td> "%s: RVA range %#x-%#x is not mapped?", pImage->pszName, uRva, uRva + cb - 1); </td></tr><tr><th id="L567"><a href="#L567">567</a></th><td>} </td></tr><tr><th id="L568"><a href="#L568">568</a></th><td> </td></tr><tr><th id="L569"><a href="#L569">569</a></th><td> </td></tr><tr><th id="L570"><a href="#L570">570</a></th><td>DECLINLINE(bool) supHardNtVpIsModuleNameMatch(PSUPHNTVPIMAGE pImage, const char *pszModule) </td></tr><tr><th id="L571"><a href="#L571">571</a></th><td>{ </td></tr><tr><th id="L572"><a href="#L572">572</a></th><td> if (pImage->fDll) </td></tr><tr><th id="L573"><a href="#L573">573</a></th><td> { </td></tr><tr><th id="L574"><a href="#L574">574</a></th><td> const char *pszImageNm = pImage->pszName; </td></tr><tr><th id="L575"><a href="#L575">575</a></th><td> for (;;) </td></tr><tr><th id="L576"><a href="#L576">576</a></th><td> { </td></tr><tr><th id="L577"><a href="#L577">577</a></th><td> char chLeft = *pszImageNm++; </td></tr><tr><th id="L578"><a href="#L578">578</a></th><td> char chRight = *pszModule++; </td></tr><tr><th id="L579"><a href="#L579">579</a></th><td> if (chLeft != chRight) </td></tr><tr><th id="L580"><a href="#L580">580</a></th><td> { </td></tr><tr><th id="L581"><a href="#L581">581</a></th><td> Assert(chLeft == RT_C_TO_LOWER(chLeft)); </td></tr><tr><th id="L582"><a href="#L582">582</a></th><td> if (chLeft != RT_C_TO_LOWER(chRight)) </td></tr><tr><th id="L583"><a href="#L583">583</a></th><td> { </td></tr><tr><th id="L584"><a href="#L584">584</a></th><td> if ( chRight == '\0' </td></tr><tr><th id="L585"><a href="#L585">585</a></th><td> && chLeft == '.' </td></tr><tr><th id="L586"><a href="#L586">586</a></th><td> && pszImageNm[0] == 'd' </td></tr><tr><th id="L587"><a href="#L587">587</a></th><td> && pszImageNm[1] == 'l' </td></tr><tr><th id="L588"><a href="#L588">588</a></th><td> && pszImageNm[2] == 'l' </td></tr><tr><th id="L589"><a href="#L589">589</a></th><td> && pszImageNm[3] == '\0') </td></tr><tr><th id="L590"><a href="#L590">590</a></th><td> return true; </td></tr><tr><th id="L591"><a href="#L591">591</a></th><td> break; </td></tr><tr><th id="L592"><a href="#L592">592</a></th><td> } </td></tr><tr><th id="L593"><a href="#L593">593</a></th><td> } </td></tr><tr><th id="L594"><a href="#L594">594</a></th><td> </td></tr><tr><th id="L595"><a href="#L595">595</a></th><td> if (chLeft == '\0') </td></tr><tr><th id="L596"><a href="#L596">596</a></th><td> return true; </td></tr><tr><th id="L597"><a href="#L597">597</a></th><td> } </td></tr><tr><th id="L598"><a href="#L598">598</a></th><td> } </td></tr><tr><th id="L599"><a href="#L599">599</a></th><td> </td></tr><tr><th id="L600"><a href="#L600">600</a></th><td> return false; </td></tr><tr><th id="L601"><a href="#L601">601</a></th><td>} </td></tr><tr><th id="L602"><a href="#L602">602</a></th><td> </td></tr><tr><th id="L603"><a href="#L603">603</a></th><td> </td></tr><tr><th id="L604"><a href="#L604">604</a></th><td>/** </td></tr><tr><th id="L605"><a href="#L605">605</a></th><td> * Worker for supHardNtVpGetImport that looks up a module in the module table. </td></tr><tr><th id="L606"><a href="#L606">606</a></th><td> * </td></tr><tr><th id="L607"><a href="#L607">607</a></th><td> * @returns Pointer to the module if found, NULL if not found. </td></tr><tr><th id="L608"><a href="#L608">608</a></th><td> * @param pThis The process validator instance. </td></tr><tr><th id="L609"><a href="#L609">609</a></th><td> * @param pszModule The name of the module we're looking for. </td></tr><tr><th id="L610"><a href="#L610">610</a></th><td> */ </td></tr><tr><th id="L611"><a href="#L611">611</a></th><td>static PSUPHNTVPIMAGE supHardNtVpFindModule(PSUPHNTVPSTATE pThis, const char *pszModule) </td></tr><tr><th id="L612"><a href="#L612">612</a></th><td>{ </td></tr><tr><th id="L613"><a href="#L613">613</a></th><td> /* </td></tr><tr><th id="L614"><a href="#L614">614</a></th><td> * Check out the hint first. </td></tr><tr><th id="L615"><a href="#L615">615</a></th><td> */ </td></tr><tr><th id="L616"><a href="#L616">616</a></th><td> if ( pThis->iImageHint < pThis->cImages </td></tr><tr><th id="L617"><a href="#L617">617</a></th><td> && supHardNtVpIsModuleNameMatch(&pThis->aImages[pThis->iImageHint], pszModule)) </td></tr><tr><th id="L618"><a href="#L618">618</a></th><td> return &pThis->aImages[pThis->iImageHint]; </td></tr><tr><th id="L619"><a href="#L619">619</a></th><td> </td></tr><tr><th id="L620"><a href="#L620">620</a></th><td> /* </td></tr><tr><th id="L621"><a href="#L621">621</a></th><td> * Linear array search next. </td></tr><tr><th id="L622"><a href="#L622">622</a></th><td> */ </td></tr><tr><th id="L623"><a href="#L623">623</a></th><td> uint32_t i = pThis->cImages; </td></tr><tr><th id="L624"><a href="#L624">624</a></th><td> while (i-- > 0) </td></tr><tr><th id="L625"><a href="#L625">625</a></th><td> if (supHardNtVpIsModuleNameMatch(&pThis->aImages[i], pszModule)) </td></tr><tr><th id="L626"><a href="#L626">626</a></th><td> { </td></tr><tr><th id="L627"><a href="#L627">627</a></th><td> pThis->iImageHint = i; </td></tr><tr><th id="L628"><a href="#L628">628</a></th><td> return &pThis->aImages[i]; </td></tr><tr><th id="L629"><a href="#L629">629</a></th><td> } </td></tr><tr><th id="L630"><a href="#L630">630</a></th><td> </td></tr><tr><th id="L631"><a href="#L631">631</a></th><td> /* No cigar. */ </td></tr><tr><th id="L632"><a href="#L632">632</a></th><td> return NULL; </td></tr><tr><th id="L633"><a href="#L633">633</a></th><td>} </td></tr><tr><th id="L634"><a href="#L634">634</a></th><td> </td></tr><tr><th id="L635"><a href="#L635">635</a></th><td> </td></tr><tr><th id="L636"><a href="#L636">636</a></th><td>/** </td></tr><tr><th id="L637"><a href="#L637">637</a></th><td> * @callback_method_impl{FNRTLDRIMPORT} </td></tr><tr><th id="L638"><a href="#L638">638</a></th><td> */ </td></tr><tr><th id="L639"><a href="#L639">639</a></th><td>static DECLCALLBACK(int) supHardNtVpGetImport(RTLDRMOD hLdrMod, const char *pszModule, const char *pszSymbol, unsigned uSymbol, </td></tr><tr><th id="L640"><a href="#L640">640</a></th><td> PRTLDRADDR pValue, void *pvUser) </td></tr><tr><th id="L641"><a href="#L641">641</a></th><td>{ </td></tr><tr><th id="L642"><a href="#L642">642</a></th><td> RT_NOREF1(hLdrMod); </td></tr><tr><th id="L643"><a href="#L643">643</a></th><td> /*SUP_DPRINTF(("supHardNtVpGetImport: %s / %#x / %s.\n", pszModule, uSymbol, pszSymbol));*/ </td></tr><tr><th id="L644"><a href="#L644">644</a></th><td> PSUPHNTVPSTATE pThis = (PSUPHNTVPSTATE)pvUser; </td></tr><tr><th id="L645"><a href="#L645">645</a></th><td> </td></tr><tr><th id="L646"><a href="#L646">646</a></th><td> int rc = VERR_MODULE_NOT_FOUND; </td></tr><tr><th id="L647"><a href="#L647">647</a></th><td> PSUPHNTVPIMAGE pImage = supHardNtVpFindModule(pThis, pszModule); </td></tr><tr><th id="L648"><a href="#L648">648</a></th><td> if (pImage) </td></tr><tr><th id="L649"><a href="#L649">649</a></th><td> { </td></tr><tr><th id="L650"><a href="#L650">650</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pImage->pCacheEntry->pbBits, </td></tr><tr><th id="L651"><a href="#L651">651</a></th><td> pImage->uImageBase, uSymbol, pszSymbol, pValue); </td></tr><tr><th id="L652"><a href="#L652">652</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L653"><a href="#L653">653</a></th><td> return rc; </td></tr><tr><th id="L654"><a href="#L654">654</a></th><td> } </td></tr><tr><th id="L655"><a href="#L655">655</a></th><td> /* </td></tr><tr><th id="L656"><a href="#L656">656</a></th><td> * API set hacks. </td></tr><tr><th id="L657"><a href="#L657">657</a></th><td> */ </td></tr><tr><th id="L658"><a href="#L658">658</a></th><td> else if (!RTStrNICmp(pszModule, RT_STR_TUPLE("api-ms-win-"))) </td></tr><tr><th id="L659"><a href="#L659">659</a></th><td> { </td></tr><tr><th id="L660"><a href="#L660">660</a></th><td> static const char * const s_apszDlls[] = { "ntdll.dll", "kernelbase.dll", "kernel32.dll" }; </td></tr><tr><th id="L661"><a href="#L661">661</a></th><td> for (uint32_t i = 0; i < RT_ELEMENTS(s_apszDlls); i++) </td></tr><tr><th id="L662"><a href="#L662">662</a></th><td> { </td></tr><tr><th id="L663"><a href="#L663">663</a></th><td> pImage = supHardNtVpFindModule(pThis, s_apszDlls[i]); </td></tr><tr><th id="L664"><a href="#L664">664</a></th><td> if (pImage) </td></tr><tr><th id="L665"><a href="#L665">665</a></th><td> { </td></tr><tr><th id="L666"><a href="#L666">666</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pImage->pCacheEntry->pbBits, </td></tr><tr><th id="L667"><a href="#L667">667</a></th><td> pImage->uImageBase, uSymbol, pszSymbol, pValue); </td></tr><tr><th id="L668"><a href="#L668">668</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L669"><a href="#L669">669</a></th><td> return rc; </td></tr><tr><th id="L670"><a href="#L670">670</a></th><td> if (rc != VERR_SYMBOL_NOT_FOUND) </td></tr><tr><th id="L671"><a href="#L671">671</a></th><td> break; </td></tr><tr><th id="L672"><a href="#L672">672</a></th><td> } </td></tr><tr><th id="L673"><a href="#L673">673</a></th><td> } </td></tr><tr><th id="L674"><a href="#L674">674</a></th><td> } </td></tr><tr><th id="L675"><a href="#L675">675</a></th><td> </td></tr><tr><th id="L676"><a href="#L676">676</a></th><td> /* </td></tr><tr><th id="L677"><a href="#L677">677</a></th><td> * Deal with forwarders. </td></tr><tr><th id="L678"><a href="#L678">678</a></th><td> * ASSUMES no forwarders thru any api-ms-win-core-*.dll. </td></tr><tr><th id="L679"><a href="#L679">679</a></th><td> * ASSUMES forwarders are resolved after one redirection. </td></tr><tr><th id="L680"><a href="#L680">680</a></th><td> */ </td></tr><tr><th id="L681"><a href="#L681">681</a></th><td> if (rc == VERR_LDR_FORWARDER) </td></tr><tr><th id="L682"><a href="#L682">682</a></th><td> { </td></tr><tr><th id="L683"><a href="#L683">683</a></th><td> size_t cbInfo = RT_MIN((uint32_t)*pValue, sizeof(RTLDRIMPORTINFO) + 32); </td></tr><tr><th id="L684"><a href="#L684">684</a></th><td> PRTLDRIMPORTINFO pInfo = (PRTLDRIMPORTINFO)alloca(cbInfo); </td></tr><tr><th id="L685"><a href="#L685">685</a></th><td> rc = RTLdrQueryForwarderInfo(pImage->pCacheEntry->hLdrMod, pImage->pCacheEntry->pbBits, </td></tr><tr><th id="L686"><a href="#L686">686</a></th><td> uSymbol, pszSymbol, pInfo, cbInfo); </td></tr><tr><th id="L687"><a href="#L687">687</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L688"><a href="#L688">688</a></th><td> { </td></tr><tr><th id="L689"><a href="#L689">689</a></th><td> rc = VERR_MODULE_NOT_FOUND; </td></tr><tr><th id="L690"><a href="#L690">690</a></th><td> pImage = supHardNtVpFindModule(pThis, pInfo->szModule); </td></tr><tr><th id="L691"><a href="#L691">691</a></th><td> if (pImage) </td></tr><tr><th id="L692"><a href="#L692">692</a></th><td> { </td></tr><tr><th id="L693"><a href="#L693">693</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pImage->pCacheEntry->pbBits, </td></tr><tr><th id="L694"><a href="#L694">694</a></th><td> pImage->uImageBase, pInfo->iOrdinal, pInfo->pszSymbol, pValue); </td></tr><tr><th id="L695"><a href="#L695">695</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L696"><a href="#L696">696</a></th><td> return rc; </td></tr><tr><th id="L697"><a href="#L697">697</a></th><td> </td></tr><tr><th id="L698"><a href="#L698">698</a></th><td> SUP_DPRINTF(("supHardNtVpGetImport: Failed to find symbol '%s' in '%s' (forwarded from %s / %s): %Rrc\n", </td></tr><tr><th id="L699"><a href="#L699">699</a></th><td> pInfo->pszSymbol, pInfo->szModule, pszModule, pszSymbol, rc)); </td></tr><tr><th id="L700"><a href="#L700">700</a></th><td> if (rc == VERR_LDR_FORWARDER) </td></tr><tr><th id="L701"><a href="#L701">701</a></th><td> rc = VERR_LDR_FORWARDER_CHAIN_TOO_LONG; </td></tr><tr><th id="L702"><a href="#L702">702</a></th><td> } </td></tr><tr><th id="L703"><a href="#L703">703</a></th><td> else </td></tr><tr><th id="L704"><a href="#L704">704</a></th><td> SUP_DPRINTF(("supHardNtVpGetImport: Failed to find forwarder module '%s' (%#x / %s; originally %s / %#x / %s): %Rrc\n", </td></tr><tr><th id="L705"><a href="#L705">705</a></th><td> pInfo->szModule, pInfo->iOrdinal, pInfo->pszSymbol, pszModule, uSymbol, pszSymbol, rc)); </td></tr><tr><th id="L706"><a href="#L706">706</a></th><td> } </td></tr><tr><th id="L707"><a href="#L707">707</a></th><td> else </td></tr><tr><th id="L708"><a href="#L708">708</a></th><td> SUP_DPRINTF(("supHardNtVpGetImport: RTLdrQueryForwarderInfo failed on symbol %#x/'%s' in '%s': %Rrc\n", </td></tr><tr><th id="L709"><a href="#L709">709</a></th><td> uSymbol, pszSymbol, pszModule, rc)); </td></tr><tr><th id="L710"><a href="#L710">710</a></th><td> } </td></tr><tr><th id="L711"><a href="#L711">711</a></th><td> else </td></tr><tr><th id="L712"><a href="#L712">712</a></th><td> SUP_DPRINTF(("supHardNtVpGetImport: Failed to find symbol %#x / '%s' in '%s': %Rrc\n", </td></tr><tr><th id="L713"><a href="#L713">713</a></th><td> uSymbol, pszSymbol, pszModule, rc)); </td></tr><tr><th id="L714"><a href="#L714">714</a></th><td> return rc; </td></tr><tr><th id="L715"><a href="#L715">715</a></th><td>} </td></tr><tr><th id="L716"><a href="#L716">716</a></th><td> </td></tr><tr><th id="L717"><a href="#L717">717</a></th><td> </td></tr><tr><th id="L718"><a href="#L718">718</a></th><td>/** </td></tr><tr><th id="L719"><a href="#L719">719</a></th><td> * Compares process memory with the disk content. </td></tr><tr><th id="L720"><a href="#L720">720</a></th><td> * </td></tr><tr><th id="L721"><a href="#L721">721</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L722"><a href="#L722">722</a></th><td> * @param pThis The process scanning state structure (for the </td></tr><tr><th id="L723"><a href="#L723">723</a></th><td> * two scratch buffers). </td></tr><tr><th id="L724"><a href="#L724">724</a></th><td> * @param pImage The image data collected during the address </td></tr><tr><th id="L725"><a href="#L725">725</a></th><td> * space scan. </td></tr><tr><th id="L726"><a href="#L726">726</a></th><td> */ </td></tr><tr><th id="L727"><a href="#L727">727</a></th><td>static int supHardNtVpVerifyImageMemoryCompare(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage) </td></tr><tr><th id="L728"><a href="#L728">728</a></th><td>{ </td></tr><tr><th id="L729"><a href="#L729">729</a></th><td> </td></tr><tr><th id="L730"><a href="#L730">730</a></th><td> /* </td></tr><tr><th id="L731"><a href="#L731">731</a></th><td> * Read and find the file headers. </td></tr><tr><th id="L732"><a href="#L732">732</a></th><td> */ </td></tr><tr><th id="L733"><a href="#L733">733</a></th><td> int rc = supHardNtVpReadImage(pImage, 0 /*off*/, pThis->abFile, sizeof(pThis->abFile)); </td></tr><tr><th id="L734"><a href="#L734">734</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L735"><a href="#L735">735</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_HDR_READ_ERROR, </td></tr><tr><th id="L736"><a href="#L736">736</a></th><td> "%s: Error reading image header: %Rrc", pImage->pszName, rc); </td></tr><tr><th id="L737"><a href="#L737">737</a></th><td> </td></tr><tr><th id="L738"><a href="#L738">738</a></th><td> uint32_t offNtHdrs = 0; </td></tr><tr><th id="L739"><a href="#L739">739</a></th><td> PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)&pThis->abFile[0]; </td></tr><tr><th id="L740"><a href="#L740">740</a></th><td> if (pDosHdr->e_magic == IMAGE_DOS_SIGNATURE) </td></tr><tr><th id="L741"><a href="#L741">741</a></th><td> { </td></tr><tr><th id="L742"><a href="#L742">742</a></th><td> offNtHdrs = pDosHdr->e_lfanew; </td></tr><tr><th id="L743"><a href="#L743">743</a></th><td> if (offNtHdrs > 512 || offNtHdrs < sizeof(*pDosHdr)) </td></tr><tr><th id="L744"><a href="#L744">744</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_MZ_OFFSET, </td></tr><tr><th id="L745"><a href="#L745">745</a></th><td> "%s: Unexpected e_lfanew value: %#x", pImage->pszName, offNtHdrs); </td></tr><tr><th id="L746"><a href="#L746">746</a></th><td> } </td></tr><tr><th id="L747"><a href="#L747">747</a></th><td> PIMAGE_NT_HEADERS pNtHdrs = (PIMAGE_NT_HEADERS)&pThis->abFile[offNtHdrs]; </td></tr><tr><th id="L748"><a href="#L748">748</a></th><td> PIMAGE_NT_HEADERS32 pNtHdrs32 = (PIMAGE_NT_HEADERS32)pNtHdrs; </td></tr><tr><th id="L749"><a href="#L749">749</a></th><td> if (pNtHdrs->Signature != IMAGE_NT_SIGNATURE) </td></tr><tr><th id="L750"><a href="#L750">750</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIGNATURE, </td></tr><tr><th id="L751"><a href="#L751">751</a></th><td> "%s: No PE signature at %#x: %#x", pImage->pszName, offNtHdrs, pNtHdrs->Signature); </td></tr><tr><th id="L752"><a href="#L752">752</a></th><td> </td></tr><tr><th id="L753"><a href="#L753">753</a></th><td> /* </td></tr><tr><th id="L754"><a href="#L754">754</a></th><td> * Do basic header validation. </td></tr><tr><th id="L755"><a href="#L755">755</a></th><td> */ </td></tr><tr><th id="L756"><a href="#L756">756</a></th><td>#ifdef RT_ARCH_AMD64 </td></tr><tr><th id="L757"><a href="#L757">757</a></th><td> if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64 && !pImage->f32bitResourceDll) </td></tr><tr><th id="L758"><a href="#L758">758</a></th><td>#else </td></tr><tr><th id="L759"><a href="#L759">759</a></th><td> if (pNtHdrs->FileHeader.Machine != IMAGE_FILE_MACHINE_I386) </td></tr><tr><th id="L760"><a href="#L760">760</a></th><td>#endif </td></tr><tr><th id="L761"><a href="#L761">761</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_IMAGE_MACHINE, </td></tr><tr><th id="L762"><a href="#L762">762</a></th><td> "%s: Unexpected machine: %#x", pImage->pszName, pNtHdrs->FileHeader.Machine); </td></tr><tr><th id="L763"><a href="#L763">763</a></th><td> bool const fIs32Bit = pNtHdrs->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; </td></tr><tr><th id="L764"><a href="#L764">764</a></th><td> </td></tr><tr><th id="L765"><a href="#L765">765</a></th><td> if (pNtHdrs->FileHeader.SizeOfOptionalHeader != (fIs32Bit ? sizeof(IMAGE_OPTIONAL_HEADER32) : sizeof(IMAGE_OPTIONAL_HEADER64))) </td></tr><tr><th id="L766"><a href="#L766">766</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER, </td></tr><tr><th id="L767"><a href="#L767">767</a></th><td> "%s: Unexpected optional header size: %#x", </td></tr><tr><th id="L768"><a href="#L768">768</a></th><td> pImage->pszName, pNtHdrs->FileHeader.SizeOfOptionalHeader); </td></tr><tr><th id="L769"><a href="#L769">769</a></th><td> </td></tr><tr><th id="L770"><a href="#L770">770</a></th><td> if (pNtHdrs->OptionalHeader.Magic != (fIs32Bit ? IMAGE_NT_OPTIONAL_HDR32_MAGIC : IMAGE_NT_OPTIONAL_HDR64_MAGIC)) </td></tr><tr><th id="L771"><a href="#L771">771</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER, </td></tr><tr><th id="L772"><a href="#L772">772</a></th><td> "%s: Unexpected optional header magic: %#x", pImage->pszName, pNtHdrs->OptionalHeader.Magic); </td></tr><tr><th id="L773"><a href="#L773">773</a></th><td> </td></tr><tr><th id="L774"><a href="#L774">774</a></th><td> uint32_t cDirs = (fIs32Bit ? pNtHdrs32->OptionalHeader.NumberOfRvaAndSizes : pNtHdrs->OptionalHeader.NumberOfRvaAndSizes); </td></tr><tr><th id="L775"><a href="#L775">775</a></th><td> if (cDirs != IMAGE_NUMBEROF_DIRECTORY_ENTRIES) </td></tr><tr><th id="L776"><a href="#L776">776</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_OPTIONAL_HEADER, </td></tr><tr><th id="L777"><a href="#L777">777</a></th><td> "%s: Unexpected data dirs: %#x", pImage->pszName, cDirs); </td></tr><tr><th id="L778"><a href="#L778">778</a></th><td> </td></tr><tr><th id="L779"><a href="#L779">779</a></th><td> /* </td></tr><tr><th id="L780"><a href="#L780">780</a></th><td> * Before we start comparing things, store what we need to know from the headers. </td></tr><tr><th id="L781"><a href="#L781">781</a></th><td> */ </td></tr><tr><th id="L782"><a href="#L782">782</a></th><td> uint32_t const cSections = pNtHdrs->FileHeader.NumberOfSections; </td></tr><tr><th id="L783"><a href="#L783">783</a></th><td> if (cSections > RT_ELEMENTS(pThis->aSecHdrs)) </td></tr><tr><th id="L784"><a href="#L784">784</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_SECTIONS, </td></tr><tr><th id="L785"><a href="#L785">785</a></th><td> "%s: Too many section headers: %#x", pImage->pszName, cSections); </td></tr><tr><th id="L786"><a href="#L786">786</a></th><td> suplibHardenedMemCopy(pThis->aSecHdrs, (fIs32Bit ? (void *)(pNtHdrs32 + 1) : (void *)(pNtHdrs + 1)), </td></tr><tr><th id="L787"><a href="#L787">787</a></th><td> cSections * sizeof(IMAGE_SECTION_HEADER)); </td></tr><tr><th id="L788"><a href="#L788">788</a></th><td> </td></tr><tr><th id="L789"><a href="#L789">789</a></th><td> uintptr_t const uImageBase = fIs32Bit ? pNtHdrs32->OptionalHeader.ImageBase : pNtHdrs->OptionalHeader.ImageBase; </td></tr><tr><th id="L790"><a href="#L790">790</a></th><td> if (uImageBase & PAGE_OFFSET_MASK) </td></tr><tr><th id="L791"><a href="#L791">791</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_BASE, </td></tr><tr><th id="L792"><a href="#L792">792</a></th><td> "%s: Invalid image base: %p", pImage->pszName, uImageBase); </td></tr><tr><th id="L793"><a href="#L793">793</a></th><td> </td></tr><tr><th id="L794"><a href="#L794">794</a></th><td> uint32_t const cbImage = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfImage : pNtHdrs->OptionalHeader.SizeOfImage; </td></tr><tr><th id="L795"><a href="#L795">795</a></th><td> if (RT_ALIGN_32(pImage->cbImage, PAGE_SIZE) != RT_ALIGN_32(cbImage, PAGE_SIZE) && !pImage->fApiSetSchemaOnlySection1) </td></tr><tr><th id="L796"><a href="#L796">796</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE, </td></tr><tr><th id="L797"><a href="#L797">797</a></th><td> "%s: SizeOfImage (%#x) isn't close enough to the mapping size (%#x)", </td></tr><tr><th id="L798"><a href="#L798">798</a></th><td> pImage->pszName, cbImage, pImage->cbImage); </td></tr><tr><th id="L799"><a href="#L799">799</a></th><td> if (cbImage != RTLdrSize(pImage->pCacheEntry->hLdrMod)) </td></tr><tr><th id="L800"><a href="#L800">800</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_IMAGE_SIZE, </td></tr><tr><th id="L801"><a href="#L801">801</a></th><td> "%s: SizeOfImage (%#x) differs from what RTLdrSize returns (%#zx)", </td></tr><tr><th id="L802"><a href="#L802">802</a></th><td> pImage->pszName, cbImage, RTLdrSize(pImage->pCacheEntry->hLdrMod)); </td></tr><tr><th id="L803"><a href="#L803">803</a></th><td> </td></tr><tr><th id="L804"><a href="#L804">804</a></th><td> uint32_t const cbSectAlign = fIs32Bit ? pNtHdrs32->OptionalHeader.SectionAlignment : pNtHdrs->OptionalHeader.SectionAlignment; </td></tr><tr><th id="L805"><a href="#L805">805</a></th><td> if ( !RT_IS_POWER_OF_TWO(cbSectAlign) </td></tr><tr><th id="L806"><a href="#L806">806</a></th><td> || cbSectAlign < PAGE_SIZE </td></tr><tr><th id="L807"><a href="#L807">807</a></th><td> || cbSectAlign > (pImage->fApiSetSchemaOnlySection1 ? _64K : (uint32_t)PAGE_SIZE) ) </td></tr><tr><th id="L808"><a href="#L808">808</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_ALIGNMENT_VALUE, </td></tr><tr><th id="L809"><a href="#L809">809</a></th><td> "%s: Unexpected SectionAlignment value: %#x", pImage->pszName, cbSectAlign); </td></tr><tr><th id="L810"><a href="#L810">810</a></th><td> </td></tr><tr><th id="L811"><a href="#L811">811</a></th><td> uint32_t const cbFileAlign = fIs32Bit ? pNtHdrs32->OptionalHeader.FileAlignment : pNtHdrs->OptionalHeader.FileAlignment; </td></tr><tr><th id="L812"><a href="#L812">812</a></th><td> if (!RT_IS_POWER_OF_TWO(cbFileAlign) || cbFileAlign < 512 || cbFileAlign > PAGE_SIZE || cbFileAlign > cbSectAlign) </td></tr><tr><th id="L813"><a href="#L813">813</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_FILE_ALIGNMENT_VALUE, </td></tr><tr><th id="L814"><a href="#L814">814</a></th><td> "%s: Unexpected FileAlignment value: %#x (cbSectAlign=%#x)", </td></tr><tr><th id="L815"><a href="#L815">815</a></th><td> pImage->pszName, cbFileAlign, cbSectAlign); </td></tr><tr><th id="L816"><a href="#L816">816</a></th><td> </td></tr><tr><th id="L817"><a href="#L817">817</a></th><td> uint32_t const cbHeaders = fIs32Bit ? pNtHdrs32->OptionalHeader.SizeOfHeaders : pNtHdrs->OptionalHeader.SizeOfHeaders; </td></tr><tr><th id="L818"><a href="#L818">818</a></th><td> uint32_t const cbMinHdrs = offNtHdrs + (fIs32Bit ? sizeof(*pNtHdrs32) : sizeof(*pNtHdrs) ) </td></tr><tr><th id="L819"><a href="#L819">819</a></th><td> + sizeof(IMAGE_SECTION_HEADER) * cSections; </td></tr><tr><th id="L820"><a href="#L820">820</a></th><td> if (cbHeaders < cbMinHdrs) </td></tr><tr><th id="L821"><a href="#L821">821</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS, </td></tr><tr><th id="L822"><a href="#L822">822</a></th><td> "%s: Headers are too small: %#x < %#x (cSections=%#x)", </td></tr><tr><th id="L823"><a href="#L823">823</a></th><td> pImage->pszName, cbHeaders, cbMinHdrs, cSections); </td></tr><tr><th id="L824"><a href="#L824">824</a></th><td> uint32_t const cbHdrsFile = RT_ALIGN_32(cbHeaders, cbFileAlign); </td></tr><tr><th id="L825"><a href="#L825">825</a></th><td> if (cbHdrsFile > sizeof(pThis->abFile)) </td></tr><tr><th id="L826"><a href="#L826">826</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SIZE_OF_HEADERS, </td></tr><tr><th id="L827"><a href="#L827">827</a></th><td> "%s: Headers are larger than expected: %#x/%#x (expected max %zx)", </td></tr><tr><th id="L828"><a href="#L828">828</a></th><td> pImage->pszName, cbHeaders, cbHdrsFile, sizeof(pThis->abFile)); </td></tr><tr><th id="L829"><a href="#L829">829</a></th><td> </td></tr><tr><th id="L830"><a href="#L830">830</a></th><td> /* </td></tr><tr><th id="L831"><a href="#L831">831</a></th><td> * Save some header fields we might be using later on. </td></tr><tr><th id="L832"><a href="#L832">832</a></th><td> */ </td></tr><tr><th id="L833"><a href="#L833">833</a></th><td> pImage->fImageCharecteristics = pNtHdrs->FileHeader.Characteristics; </td></tr><tr><th id="L834"><a href="#L834">834</a></th><td> pImage->fDllCharecteristics = fIs32Bit ? pNtHdrs32->OptionalHeader.DllCharacteristics : pNtHdrs->OptionalHeader.DllCharacteristics; </td></tr><tr><th id="L835"><a href="#L835">835</a></th><td> </td></tr><tr><th id="L836"><a href="#L836">836</a></th><td> /* </td></tr><tr><th id="L837"><a href="#L837">837</a></th><td> * Correct the apisetschema image base, size and region rva. </td></tr><tr><th id="L838"><a href="#L838">838</a></th><td> */ </td></tr><tr><th id="L839"><a href="#L839">839</a></th><td> if (pImage->fApiSetSchemaOnlySection1) </td></tr><tr><th id="L840"><a href="#L840">840</a></th><td> { </td></tr><tr><th id="L841"><a href="#L841">841</a></th><td> pImage->uImageBase -= pThis->aSecHdrs[0].VirtualAddress; </td></tr><tr><th id="L842"><a href="#L842">842</a></th><td> pImage->cbImage += pThis->aSecHdrs[0].VirtualAddress; </td></tr><tr><th id="L843"><a href="#L843">843</a></th><td> pImage->aRegions[0].uRva = pThis->aSecHdrs[0].VirtualAddress; </td></tr><tr><th id="L844"><a href="#L844">844</a></th><td> } </td></tr><tr><th id="L845"><a href="#L845">845</a></th><td> </td></tr><tr><th id="L846"><a href="#L846">846</a></th><td> /* </td></tr><tr><th id="L847"><a href="#L847">847</a></th><td> * Get relocated bits. </td></tr><tr><th id="L848"><a href="#L848">848</a></th><td> */ </td></tr><tr><th id="L849"><a href="#L849">849</a></th><td> uint8_t *pbBits; </td></tr><tr><th id="L850"><a href="#L850">850</a></th><td> if (pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L851"><a href="#L851">851</a></th><td> rc = supHardNtLdrCacheEntryGetBits(pImage->pCacheEntry, &pbBits, pImage->uImageBase, NULL /*pfnGetImport*/, pThis, </td></tr><tr><th id="L852"><a href="#L852">852</a></th><td> pThis->pErrInfo); </td></tr><tr><th id="L853"><a href="#L853">853</a></th><td> else </td></tr><tr><th id="L854"><a href="#L854">854</a></th><td> rc = supHardNtLdrCacheEntryGetBits(pImage->pCacheEntry, &pbBits, pImage->uImageBase, supHardNtVpGetImport, pThis, </td></tr><tr><th id="L855"><a href="#L855">855</a></th><td> pThis->pErrInfo); </td></tr><tr><th id="L856"><a href="#L856">856</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L857"><a href="#L857">857</a></th><td> return rc; </td></tr><tr><th id="L858"><a href="#L858">858</a></th><td> </td></tr><tr><th id="L859"><a href="#L859">859</a></th><td> /* XP SP3 does not set ImageBase to load address. It fixes up the image on load time though. */ </td></tr><tr><th id="L860"><a href="#L860">860</a></th><td> if (g_uNtVerCombined >= SUP_NT_VER_VISTA) </td></tr><tr><th id="L861"><a href="#L861">861</a></th><td> { </td></tr><tr><th id="L862"><a href="#L862">862</a></th><td> if (fIs32Bit) </td></tr><tr><th id="L863"><a href="#L863">863</a></th><td> ((PIMAGE_NT_HEADERS32)&pbBits[offNtHdrs])->OptionalHeader.ImageBase = (uint32_t)pImage->uImageBase; </td></tr><tr><th id="L864"><a href="#L864">864</a></th><td> else </td></tr><tr><th id="L865"><a href="#L865">865</a></th><td> ((PIMAGE_NT_HEADERS)&pbBits[offNtHdrs])->OptionalHeader.ImageBase = pImage->uImageBase; </td></tr><tr><th id="L866"><a href="#L866">866</a></th><td> } </td></tr><tr><th id="L867"><a href="#L867">867</a></th><td> </td></tr><tr><th id="L868"><a href="#L868">868</a></th><td> /* </td></tr><tr><th id="L869"><a href="#L869">869</a></th><td> * Figure out areas we should skip during comparison. </td></tr><tr><th id="L870"><a href="#L870">870</a></th><td> */ </td></tr><tr><th id="L871"><a href="#L871">871</a></th><td> uint32_t cSkipAreas = 0; </td></tr><tr><th id="L872"><a href="#L872">872</a></th><td> SUPHNTVPSKIPAREA aSkipAreas[5]; </td></tr><tr><th id="L873"><a href="#L873">873</a></th><td> if (pImage->fNtCreateSectionPatch) </td></tr><tr><th id="L874"><a href="#L874">874</a></th><td> { </td></tr><tr><th id="L875"><a href="#L875">875</a></th><td> RTLDRADDR uValue; </td></tr><tr><th id="L876"><a href="#L876">876</a></th><td> if (pThis->enmKind == SUPHARDNTVPKIND_VERIFY_ONLY) </td></tr><tr><th id="L877"><a href="#L877">877</a></th><td> { </td></tr><tr><th id="L878"><a href="#L878">878</a></th><td> /* Ignore our NtCreateSection hack. */ </td></tr><tr><th id="L879"><a href="#L879">879</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "NtCreateSection", &uValue); </td></tr><tr><th id="L880"><a href="#L880">880</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L881"><a href="#L881">881</a></th><td> return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'NtCreateSection': %Rrc", pImage->pszName, rc); </td></tr><tr><th id="L882"><a href="#L882">882</a></th><td> aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue; </td></tr><tr><th id="L883"><a href="#L883">883</a></th><td> aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12; </td></tr><tr><th id="L884"><a href="#L884">884</a></th><td> </td></tr><tr><th id="L885"><a href="#L885">885</a></th><td> /* Ignore our LdrLoadDll hack. */ </td></tr><tr><th id="L886"><a href="#L886">886</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "LdrLoadDll", &uValue); </td></tr><tr><th id="L887"><a href="#L887">887</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L888"><a href="#L888">888</a></th><td> return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrLoadDll': %Rrc", pImage->pszName, rc); </td></tr><tr><th id="L889"><a href="#L889">889</a></th><td> aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue; </td></tr><tr><th id="L890"><a href="#L890">890</a></th><td> aSkipAreas[cSkipAreas++].cb = ARCH_BITS == 32 ? 5 : 12; </td></tr><tr><th id="L891"><a href="#L891">891</a></th><td> } </td></tr><tr><th id="L892"><a href="#L892">892</a></th><td> </td></tr><tr><th id="L893"><a href="#L893">893</a></th><td> /* Ignore our patched LdrInitializeThunk hack. */ </td></tr><tr><th id="L894"><a href="#L894">894</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "LdrInitializeThunk", &uValue); </td></tr><tr><th id="L895"><a href="#L895">895</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L896"><a href="#L896">896</a></th><td> return supHardNtVpSetInfo2(pThis, rc, "%s: Failed to find 'LdrInitializeThunk': %Rrc", pImage->pszName, rc); </td></tr><tr><th id="L897"><a href="#L897">897</a></th><td> aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue; </td></tr><tr><th id="L898"><a href="#L898">898</a></th><td> aSkipAreas[cSkipAreas++].cb = 14; </td></tr><tr><th id="L899"><a href="#L899">899</a></th><td> </td></tr><tr><th id="L900"><a href="#L900">900</a></th><td> /* LdrSystemDllInitBlock is filled in by the kernel. It mainly contains addresses of 32-bit ntdll method for wow64. */ </td></tr><tr><th id="L901"><a href="#L901">901</a></th><td> rc = RTLdrGetSymbolEx(pImage->pCacheEntry->hLdrMod, pbBits, 0, UINT32_MAX, "LdrSystemDllInitBlock", &uValue); </td></tr><tr><th id="L902"><a href="#L902">902</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L903"><a href="#L903">903</a></th><td> { </td></tr><tr><th id="L904"><a href="#L904">904</a></th><td> aSkipAreas[cSkipAreas].uRva = (uint32_t)uValue; </td></tr><tr><th id="L905"><a href="#L905">905</a></th><td> aSkipAreas[cSkipAreas++].cb = RT_MAX(pbBits[(uint32_t)uValue], 0x50); </td></tr><tr><th id="L906"><a href="#L906">906</a></th><td> } </td></tr><tr><th id="L907"><a href="#L907">907</a></th><td> </td></tr><tr><th id="L908"><a href="#L908">908</a></th><td> Assert(cSkipAreas <= RT_ELEMENTS(aSkipAreas)); </td></tr><tr><th id="L909"><a href="#L909">909</a></th><td> } </td></tr><tr><th id="L910"><a href="#L910">910</a></th><td> </td></tr><tr><th id="L911"><a href="#L911">911</a></th><td> /* </td></tr><tr><th id="L912"><a href="#L912">912</a></th><td> * Compare the file header with the loaded bits. The loader will fiddle </td></tr><tr><th id="L913"><a href="#L913">913</a></th><td> * with image base, changing it to the actual load address. </td></tr><tr><th id="L914"><a href="#L914">914</a></th><td> */ </td></tr><tr><th id="L915"><a href="#L915">915</a></th><td> if (!pImage->fApiSetSchemaOnlySection1) </td></tr><tr><th id="L916"><a href="#L916">916</a></th><td> { </td></tr><tr><th id="L917"><a href="#L917">917</a></th><td> rc = supHardNtVpFileMemCompareSection(pThis, pImage, 0 /*uRva*/, cbHdrsFile, pbBits, -1, NULL, 0, PAGE_READONLY); </td></tr><tr><th id="L918"><a href="#L918">918</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L919"><a href="#L919">919</a></th><td> return rc; </td></tr><tr><th id="L920"><a href="#L920">920</a></th><td> </td></tr><tr><th id="L921"><a href="#L921">921</a></th><td> rc = supHardNtVpCheckSectionProtection(pThis, pImage, 0 /*uRva*/, cbHdrsFile, PAGE_READONLY); </td></tr><tr><th id="L922"><a href="#L922">922</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L923"><a href="#L923">923</a></th><td> return rc; </td></tr><tr><th id="L924"><a href="#L924">924</a></th><td> } </td></tr><tr><th id="L925"><a href="#L925">925</a></th><td> </td></tr><tr><th id="L926"><a href="#L926">926</a></th><td> /* </td></tr><tr><th id="L927"><a href="#L927">927</a></th><td> * Validate sections: </td></tr><tr><th id="L928"><a href="#L928">928</a></th><td> * - Check them against the mapping regions. </td></tr><tr><th id="L929"><a href="#L929">929</a></th><td> * - Check section bits according to enmKind. </td></tr><tr><th id="L930"><a href="#L930">930</a></th><td> */ </td></tr><tr><th id="L931"><a href="#L931">931</a></th><td> uint32_t fPrevProt = PAGE_READONLY; </td></tr><tr><th id="L932"><a href="#L932">932</a></th><td> uint32_t uRva = cbHdrsFile; </td></tr><tr><th id="L933"><a href="#L933">933</a></th><td> for (uint32_t i = 0; i < cSections; i++) </td></tr><tr><th id="L934"><a href="#L934">934</a></th><td> { </td></tr><tr><th id="L935"><a href="#L935">935</a></th><td> /* Validate the section. */ </td></tr><tr><th id="L936"><a href="#L936">936</a></th><td> uint32_t uSectRva = pThis->aSecHdrs[i].VirtualAddress; </td></tr><tr><th id="L937"><a href="#L937">937</a></th><td> if (uSectRva < uRva || uSectRva > cbImage || RT_ALIGN_32(uSectRva, cbSectAlign) != uSectRva) </td></tr><tr><th id="L938"><a href="#L938">938</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_RVA, </td></tr><tr><th id="L939"><a href="#L939">939</a></th><td> "%s: Section %u: Invalid virtual address: %#x (uRva=%#x, cbImage=%#x, cbSectAlign=%#x)", </td></tr><tr><th id="L940"><a href="#L940">940</a></th><td> pImage->pszName, i, uSectRva, uRva, cbImage, cbSectAlign); </td></tr><tr><th id="L941"><a href="#L941">941</a></th><td> uint32_t cbMap = pThis->aSecHdrs[i].Misc.VirtualSize; </td></tr><tr><th id="L942"><a href="#L942">942</a></th><td> if (cbMap > cbImage || uRva + cbMap > cbImage) </td></tr><tr><th id="L943"><a href="#L943">943</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_VIRTUAL_SIZE, </td></tr><tr><th id="L944"><a href="#L944">944</a></th><td> "%s: Section %u: Invalid virtual size: %#x (uSectRva=%#x, uRva=%#x, cbImage=%#x)", </td></tr><tr><th id="L945"><a href="#L945">945</a></th><td> pImage->pszName, i, cbMap, uSectRva, uRva, cbImage); </td></tr><tr><th id="L946"><a href="#L946">946</a></th><td> uint32_t cbFile = pThis->aSecHdrs[i].SizeOfRawData; </td></tr><tr><th id="L947"><a href="#L947">947</a></th><td> if (cbFile != RT_ALIGN_32(cbFile, cbFileAlign) || cbFile > RT_ALIGN_32(cbMap, cbSectAlign)) </td></tr><tr><th id="L948"><a href="#L948">948</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_BAD_SECTION_FILE_SIZE, </td></tr><tr><th id="L949"><a href="#L949">949</a></th><td> "%s: Section %u: Invalid file size: %#x (cbMap=%#x, uSectRva=%#x)", </td></tr><tr><th id="L950"><a href="#L950">950</a></th><td> pImage->pszName, i, cbFile, cbMap, uSectRva); </td></tr><tr><th id="L951"><a href="#L951">951</a></th><td> </td></tr><tr><th id="L952"><a href="#L952">952</a></th><td> /* Validate the protection and bits. */ </td></tr><tr><th id="L953"><a href="#L953">953</a></th><td> if (!pImage->fApiSetSchemaOnlySection1 || i == 0) </td></tr><tr><th id="L954"><a href="#L954">954</a></th><td> { </td></tr><tr><th id="L955"><a href="#L955">955</a></th><td> uint32_t fProt; </td></tr><tr><th id="L956"><a href="#L956">956</a></th><td> switch (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)) </td></tr><tr><th id="L957"><a href="#L957">957</a></th><td> { </td></tr><tr><th id="L958"><a href="#L958">958</a></th><td> case IMAGE_SCN_MEM_READ: </td></tr><tr><th id="L959"><a href="#L959">959</a></th><td> fProt = PAGE_READONLY; </td></tr><tr><th id="L960"><a href="#L960">960</a></th><td> break; </td></tr><tr><th id="L961"><a href="#L961">961</a></th><td> case IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE: </td></tr><tr><th id="L962"><a href="#L962">962</a></th><td> fProt = PAGE_READWRITE; </td></tr><tr><th id="L963"><a href="#L963">963</a></th><td> if ( pThis->enmKind != SUPHARDNTVPKIND_VERIFY_ONLY </td></tr><tr><th id="L964"><a href="#L964">964</a></th><td> && pThis->enmKind != SUPHARDNTVPKIND_CHILD_PURIFICATION </td></tr><tr><th id="L965"><a href="#L965">965</a></th><td> && !suplibHardenedMemComp(pThis->aSecHdrs[i].Name, ".mrdata", 8)) /* w8.1, ntdll. Changed by proc init. */ </td></tr><tr><th id="L966"><a href="#L966">966</a></th><td> fProt = PAGE_READONLY; </td></tr><tr><th id="L967"><a href="#L967">967</a></th><td> break; </td></tr><tr><th id="L968"><a href="#L968">968</a></th><td> case IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE: </td></tr><tr><th id="L969"><a href="#L969">969</a></th><td> fProt = PAGE_EXECUTE_READ; </td></tr><tr><th id="L970"><a href="#L970">970</a></th><td> break; </td></tr><tr><th id="L971"><a href="#L971">971</a></th><td> case IMAGE_SCN_MEM_EXECUTE: </td></tr><tr><th id="L972"><a href="#L972">972</a></th><td> fProt = PAGE_EXECUTE; </td></tr><tr><th id="L973"><a href="#L973">973</a></th><td> break; </td></tr><tr><th id="L974"><a href="#L974">974</a></th><td> case IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE: </td></tr><tr><th id="L975"><a href="#L975">975</a></th><td> /* Only the executable is allowed to have this section, </td></tr><tr><th id="L976"><a href="#L976">976</a></th><td> and it's protected after we're done patching. */ </td></tr><tr><th id="L977"><a href="#L977">977</a></th><td> if (!pImage->fDll) </td></tr><tr><th id="L978"><a href="#L978">978</a></th><td> { </td></tr><tr><th id="L979"><a href="#L979">979</a></th><td> if (pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L980"><a href="#L980">980</a></th><td> fProt = PAGE_EXECUTE_READWRITE; </td></tr><tr><th id="L981"><a href="#L981">981</a></th><td> else </td></tr><tr><th id="L982"><a href="#L982">982</a></th><td> fProt = PAGE_EXECUTE_READ; </td></tr><tr><th id="L983"><a href="#L983">983</a></th><td> break; </td></tr><tr><th id="L984"><a href="#L984">984</a></th><td> } </td></tr><tr><th id="L985"><a href="#L985">985</a></th><td> default: </td></tr><tr><th id="L986"><a href="#L986">986</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNEXPECTED_SECTION_FLAGS, </td></tr><tr><th id="L987"><a href="#L987">987</a></th><td> "%s: Section %u: Unexpected characteristics: %#x (uSectRva=%#x, cbMap=%#x)", </td></tr><tr><th id="L988"><a href="#L988">988</a></th><td> pImage->pszName, i, pThis->aSecHdrs[i].Characteristics, uSectRva, cbMap); </td></tr><tr><th id="L989"><a href="#L989">989</a></th><td> } </td></tr><tr><th id="L990"><a href="#L990">990</a></th><td> </td></tr><tr><th id="L991"><a href="#L991">991</a></th><td> /* The section bits. Child purification verifies all, normal </td></tr><tr><th id="L992"><a href="#L992">992</a></th><td> verification verifies all except where the executable is </td></tr><tr><th id="L993"><a href="#L993">993</a></th><td> concerned (due to opening vboxdrv during early process init). */ </td></tr><tr><th id="L994"><a href="#L994">994</a></th><td> if ( ( (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)) </td></tr><tr><th id="L995"><a href="#L995">995</a></th><td> && !(pThis->aSecHdrs[i].Characteristics & IMAGE_SCN_MEM_WRITE)) </td></tr><tr><th id="L996"><a href="#L996">996</a></th><td> || (pThis->aSecHdrs[i].Characteristics & (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)) == IMAGE_SCN_MEM_READ </td></tr><tr><th id="L997"><a href="#L997">997</a></th><td> || (pThis->enmKind == SUPHARDNTVPKIND_VERIFY_ONLY && pImage->fDll) </td></tr><tr><th id="L998"><a href="#L998">998</a></th><td> || pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L999"><a href="#L999">999</a></th><td> { </td></tr><tr><th id="L1000"><a href="#L1000">1000</a></th><td> rc = VINF_SUCCESS; </td></tr><tr><th id="L1001"><a href="#L1001">1001</a></th><td> if (uRva < uSectRva && !pImage->fApiSetSchemaOnlySection1) /* Any gap worth checking? */ </td></tr><tr><th id="L1002"><a href="#L1002">1002</a></th><td> rc = supHardNtVpFileMemCompareSection(pThis, pImage, uRva, uSectRva - uRva, pbBits + uRva, </td></tr><tr><th id="L1003"><a href="#L1003">1003</a></th><td> i - 1, NULL, 0, fPrevProt); </td></tr><tr><th id="L1004"><a href="#L1004">1004</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L1005"><a href="#L1005">1005</a></th><td> rc = supHardNtVpFileMemCompareSection(pThis, pImage, uSectRva, cbMap, pbBits + uSectRva, </td></tr><tr><th id="L1006"><a href="#L1006">1006</a></th><td> i, aSkipAreas, cSkipAreas, fProt); </td></tr><tr><th id="L1007"><a href="#L1007">1007</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L1008"><a href="#L1008">1008</a></th><td> { </td></tr><tr><th id="L1009"><a href="#L1009">1009</a></th><td> uint32_t cbMapAligned = i + 1 < cSections && !pImage->fApiSetSchemaOnlySection1 </td></tr><tr><th id="L1010"><a href="#L1010">1010</a></th><td> ? RT_ALIGN_32(cbMap, cbSectAlign) : RT_ALIGN_32(cbMap, PAGE_SIZE); </td></tr><tr><th id="L1011"><a href="#L1011">1011</a></th><td> if (cbMapAligned > cbMap) </td></tr><tr><th id="L1012"><a href="#L1012">1012</a></th><td> rc = supHardNtVpFileMemCompareSection(pThis, pImage, uSectRva + cbMap, cbMapAligned - cbMap, </td></tr><tr><th id="L1013"><a href="#L1013">1013</a></th><td> g_abRTZeroPage, i, NULL, 0, fProt); </td></tr><tr><th id="L1014"><a href="#L1014">1014</a></th><td> } </td></tr><tr><th id="L1015"><a href="#L1015">1015</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L1016"><a href="#L1016">1016</a></th><td> return rc; </td></tr><tr><th id="L1017"><a href="#L1017">1017</a></th><td> } </td></tr><tr><th id="L1018"><a href="#L1018">1018</a></th><td> </td></tr><tr><th id="L1019"><a href="#L1019">1019</a></th><td> /* The protection (must be checked afterwards!). */ </td></tr><tr><th id="L1020"><a href="#L1020">1020</a></th><td> rc = supHardNtVpCheckSectionProtection(pThis, pImage, uSectRva, RT_ALIGN_32(cbMap, PAGE_SIZE), fProt); </td></tr><tr><th id="L1021"><a href="#L1021">1021</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L1022"><a href="#L1022">1022</a></th><td> return rc; </td></tr><tr><th id="L1023"><a href="#L1023">1023</a></th><td> </td></tr><tr><th id="L1024"><a href="#L1024">1024</a></th><td> fPrevProt = fProt; </td></tr><tr><th id="L1025"><a href="#L1025">1025</a></th><td> } </td></tr><tr><th id="L1026"><a href="#L1026">1026</a></th><td> </td></tr><tr><th id="L1027"><a href="#L1027">1027</a></th><td> /* Advance the RVA. */ </td></tr><tr><th id="L1028"><a href="#L1028">1028</a></th><td> uRva = uSectRva + RT_ALIGN_32(cbMap, cbSectAlign); </td></tr><tr><th id="L1029"><a href="#L1029">1029</a></th><td> } </td></tr><tr><th id="L1030"><a href="#L1030">1030</a></th><td> </td></tr><tr><th id="L1031"><a href="#L1031">1031</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L1032"><a href="#L1032">1032</a></th><td>} </td></tr><tr><th id="L1033"><a href="#L1033">1033</a></th><td> </td></tr><tr><th id="L1034"><a href="#L1034">1034</a></th><td> </td></tr><tr><th id="L1035"><a href="#L1035">1035</a></th><td>/** </td></tr><tr><th id="L1036"><a href="#L1036">1036</a></th><td> * Verifies the signature of the given image on disk, then checks if the memory </td></tr><tr><th id="L1037"><a href="#L1037">1037</a></th><td> * mapping matches what we verified. </td></tr><tr><th id="L1038"><a href="#L1038">1038</a></th><td> * </td></tr><tr><th id="L1039"><a href="#L1039">1039</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1040"><a href="#L1040">1040</a></th><td> * @param pThis The process scanning state structure (for the </td></tr><tr><th id="L1041"><a href="#L1041">1041</a></th><td> * two scratch buffers). </td></tr><tr><th id="L1042"><a href="#L1042">1042</a></th><td> * @param pImage The image data collected during the address </td></tr><tr><th id="L1043"><a href="#L1043">1043</a></th><td> * space scan. </td></tr><tr><th id="L1044"><a href="#L1044">1044</a></th><td> */ </td></tr><tr><th id="L1045"><a href="#L1045">1045</a></th><td>static int supHardNtVpVerifyImage(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage) </td></tr><tr><th id="L1046"><a href="#L1046">1046</a></th><td>{ </td></tr><tr><th id="L1047"><a href="#L1047">1047</a></th><td> /* </td></tr><tr><th id="L1048"><a href="#L1048">1048</a></th><td> * Validate the file signature first, then do the memory compare. </td></tr><tr><th id="L1049"><a href="#L1049">1049</a></th><td> */ </td></tr><tr><th id="L1050"><a href="#L1050">1050</a></th><td> int rc; </td></tr><tr><th id="L1051"><a href="#L1051">1051</a></th><td> if ( pImage->pCacheEntry != NULL </td></tr><tr><th id="L1052"><a href="#L1052">1052</a></th><td> && pImage->pCacheEntry->hLdrMod != NIL_RTLDRMOD) </td></tr><tr><th id="L1053"><a href="#L1053">1053</a></th><td> { </td></tr><tr><th id="L1054"><a href="#L1054">1054</a></th><td> rc = supHardNtLdrCacheEntryVerify(pImage->pCacheEntry, pImage->Name.UniStr.Buffer, pThis->pErrInfo); </td></tr><tr><th id="L1055"><a href="#L1055">1055</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L1056"><a href="#L1056">1056</a></th><td> rc = supHardNtVpVerifyImageMemoryCompare(pThis, pImage); </td></tr><tr><th id="L1057"><a href="#L1057">1057</a></th><td> } </td></tr><tr><th id="L1058"><a href="#L1058">1058</a></th><td> else </td></tr><tr><th id="L1059"><a href="#L1059">1059</a></th><td> rc = supHardNtVpSetInfo2(pThis, VERR_OPEN_FAILED, "pCacheEntry/hLdrMod is NIL! Impossible!"); </td></tr><tr><th id="L1060"><a href="#L1060">1060</a></th><td> return rc; </td></tr><tr><th id="L1061"><a href="#L1061">1061</a></th><td>} </td></tr><tr><th id="L1062"><a href="#L1062">1062</a></th><td> </td></tr><tr><th id="L1063"><a href="#L1063">1063</a></th><td> </td></tr><tr><th id="L1064"><a href="#L1064">1064</a></th><td>/** </td></tr><tr><th id="L1065"><a href="#L1065">1065</a></th><td> * Verifies that there is only one thread in the process. </td></tr><tr><th id="L1066"><a href="#L1066">1066</a></th><td> * </td></tr><tr><th id="L1067"><a href="#L1067">1067</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1068"><a href="#L1068">1068</a></th><td> * @param hProcess The process. </td></tr><tr><th id="L1069"><a href="#L1069">1069</a></th><td> * @param hThread The thread. </td></tr><tr><th id="L1070"><a href="#L1070">1070</a></th><td> * @param pErrInfo Pointer to error info structure. Optional. </td></tr><tr><th id="L1071"><a href="#L1071">1071</a></th><td> */ </td></tr><tr><th id="L1072"><a href="#L1072">1072</a></th><td>DECLHIDDEN(int) supHardNtVpThread(HANDLE hProcess, HANDLE hThread, PRTERRINFO pErrInfo) </td></tr><tr><th id="L1073"><a href="#L1073">1073</a></th><td>{ </td></tr><tr><th id="L1074"><a href="#L1074">1074</a></th><td> RT_NOREF1(hProcess); </td></tr><tr><th id="L1075"><a href="#L1075">1075</a></th><td> </td></tr><tr><th id="L1076"><a href="#L1076">1076</a></th><td> /* </td></tr><tr><th id="L1077"><a href="#L1077">1077</a></th><td> * Use the ThreadAmILastThread request to check that there is only one </td></tr><tr><th id="L1078"><a href="#L1078">1078</a></th><td> * thread in the process. </td></tr><tr><th id="L1079"><a href="#L1079">1079</a></th><td> * Seems this isn't entirely reliable when hThread isn't the current thread? </td></tr><tr><th id="L1080"><a href="#L1080">1080</a></th><td> */ </td></tr><tr><th id="L1081"><a href="#L1081">1081</a></th><td> ULONG cbIgn = 0; </td></tr><tr><th id="L1082"><a href="#L1082">1082</a></th><td> ULONG fAmI = 0; </td></tr><tr><th id="L1083"><a href="#L1083">1083</a></th><td> NTSTATUS rcNt = NtQueryInformationThread(hThread, ThreadAmILastThread, &fAmI, sizeof(fAmI), &cbIgn); </td></tr><tr><th id="L1084"><a href="#L1084">1084</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1085"><a href="#L1085">1085</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NT_QI_THREAD_ERROR, </td></tr><tr><th id="L1086"><a href="#L1086">1086</a></th><td> "NtQueryInformationThread/ThreadAmILastThread -> %#x", rcNt); </td></tr><tr><th id="L1087"><a href="#L1087">1087</a></th><td> if (!fAmI) </td></tr><tr><th id="L1088"><a href="#L1088">1088</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_THREAD_NOT_ALONE, </td></tr><tr><th id="L1089"><a href="#L1089">1089</a></th><td> "More than one thread in process"); </td></tr><tr><th id="L1090"><a href="#L1090">1090</a></th><td> </td></tr><tr><th id="L1091"><a href="#L1091">1091</a></th><td> /** @todo Would be nice to verify the relation ship between hProcess and hThread </td></tr><tr><th id="L1092"><a href="#L1092">1092</a></th><td> * as well... */ </td></tr><tr><th id="L1093"><a href="#L1093">1093</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L1094"><a href="#L1094">1094</a></th><td>} </td></tr><tr><th id="L1095"><a href="#L1095">1095</a></th><td> </td></tr><tr><th id="L1096"><a href="#L1096">1096</a></th><td> </td></tr><tr><th id="L1097"><a href="#L1097">1097</a></th><td>/** </td></tr><tr><th id="L1098"><a href="#L1098">1098</a></th><td> * Verifies that there isn't a debugger attached to the process. </td></tr><tr><th id="L1099"><a href="#L1099">1099</a></th><td> * </td></tr><tr><th id="L1100"><a href="#L1100">1100</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1101"><a href="#L1101">1101</a></th><td> * @param hProcess The process. </td></tr><tr><th id="L1102"><a href="#L1102">1102</a></th><td> * @param pErrInfo Pointer to error info structure. Optional. </td></tr><tr><th id="L1103"><a href="#L1103">1103</a></th><td> */ </td></tr><tr><th id="L1104"><a href="#L1104">1104</a></th><td>DECLHIDDEN(int) supHardNtVpDebugger(HANDLE hProcess, PRTERRINFO pErrInfo) </td></tr><tr><th id="L1105"><a href="#L1105">1105</a></th><td>{ </td></tr><tr><th id="L1106"><a href="#L1106">1106</a></th><td>#ifndef VBOX_WITHOUT_DEBUGGER_CHECKS </td></tr><tr><th id="L1107"><a href="#L1107">1107</a></th><td> /* </td></tr><tr><th id="L1108"><a href="#L1108">1108</a></th><td> * Use the ProcessDebugPort request to check there is no debugger </td></tr><tr><th id="L1109"><a href="#L1109">1109</a></th><td> * currently attached to the process. </td></tr><tr><th id="L1110"><a href="#L1110">1110</a></th><td> */ </td></tr><tr><th id="L1111"><a href="#L1111">1111</a></th><td> ULONG cbIgn = 0; </td></tr><tr><th id="L1112"><a href="#L1112">1112</a></th><td> uintptr_t uPtr = ~(uintptr_t)0; </td></tr><tr><th id="L1113"><a href="#L1113">1113</a></th><td> NTSTATUS rcNt = NtQueryInformationProcess(hProcess, </td></tr><tr><th id="L1114"><a href="#L1114">1114</a></th><td> ProcessDebugPort, </td></tr><tr><th id="L1115"><a href="#L1115">1115</a></th><td> &uPtr, sizeof(uPtr), &cbIgn); </td></tr><tr><th id="L1116"><a href="#L1116">1116</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1117"><a href="#L1117">1117</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NT_QI_PROCESS_DBG_PORT_ERROR, </td></tr><tr><th id="L1118"><a href="#L1118">1118</a></th><td> "NtQueryInformationProcess/ProcessDebugPort -> %#x", rcNt); </td></tr><tr><th id="L1119"><a href="#L1119">1119</a></th><td> if (uPtr != 0) </td></tr><tr><th id="L1120"><a href="#L1120">1120</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_DEBUGGED, </td></tr><tr><th id="L1121"><a href="#L1121">1121</a></th><td> "Debugger attached (%#zx)", uPtr); </td></tr><tr><th id="L1122"><a href="#L1122">1122</a></th><td>#else </td></tr><tr><th id="L1123"><a href="#L1123">1123</a></th><td> RT_NOREF2(hProcess, pErrInfo); </td></tr><tr><th id="L1124"><a href="#L1124">1124</a></th><td>#endif /* !VBOX_WITHOUT_DEBUGGER_CHECKS */ </td></tr><tr><th id="L1125"><a href="#L1125">1125</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L1126"><a href="#L1126">1126</a></th><td>} </td></tr><tr><th id="L1127"><a href="#L1127">1127</a></th><td> </td></tr><tr><th id="L1128"><a href="#L1128">1128</a></th><td> </td></tr><tr><th id="L1129"><a href="#L1129">1129</a></th><td>/** </td></tr><tr><th id="L1130"><a href="#L1130">1130</a></th><td> * Matches two UNICODE_STRING structures in a case sensitive fashion. </td></tr><tr><th id="L1131"><a href="#L1131">1131</a></th><td> * </td></tr><tr><th id="L1132"><a href="#L1132">1132</a></th><td> * @returns true if equal, false if not. </td></tr><tr><th id="L1133"><a href="#L1133">1133</a></th><td> * @param pUniStr1 The first unicode string. </td></tr><tr><th id="L1134"><a href="#L1134">1134</a></th><td> * @param pUniStr2 The first unicode string. </td></tr><tr><th id="L1135"><a href="#L1135">1135</a></th><td> */ </td></tr><tr><th id="L1136"><a href="#L1136">1136</a></th><td>static bool supHardNtVpAreUniStringsEqual(PCUNICODE_STRING pUniStr1, PCUNICODE_STRING pUniStr2) </td></tr><tr><th id="L1137"><a href="#L1137">1137</a></th><td>{ </td></tr><tr><th id="L1138"><a href="#L1138">1138</a></th><td> if (pUniStr1->Length != pUniStr2->Length) </td></tr><tr><th id="L1139"><a href="#L1139">1139</a></th><td> return false; </td></tr><tr><th id="L1140"><a href="#L1140">1140</a></th><td> return suplibHardenedMemComp(pUniStr1->Buffer, pUniStr2->Buffer, pUniStr1->Length) == 0; </td></tr><tr><th id="L1141"><a href="#L1141">1141</a></th><td>} </td></tr><tr><th id="L1142"><a href="#L1142">1142</a></th><td> </td></tr><tr><th id="L1143"><a href="#L1143">1143</a></th><td> </td></tr><tr><th id="L1144"><a href="#L1144">1144</a></th><td>/** </td></tr><tr><th id="L1145"><a href="#L1145">1145</a></th><td> * Performs a case insensitive comparison of an ASCII and an UTF-16 file name. </td></tr><tr><th id="L1146"><a href="#L1146">1146</a></th><td> * </td></tr><tr><th id="L1147"><a href="#L1147">1147</a></th><td> * @returns true / false </td></tr><tr><th id="L1148"><a href="#L1148">1148</a></th><td> * @param pszName1 The ASCII name. </td></tr><tr><th id="L1149"><a href="#L1149">1149</a></th><td> * @param pwszName2 The UTF-16 name. </td></tr><tr><th id="L1150"><a href="#L1150">1150</a></th><td> */ </td></tr><tr><th id="L1151"><a href="#L1151">1151</a></th><td>static bool supHardNtVpAreNamesEqual(const char *pszName1, PCRTUTF16 pwszName2) </td></tr><tr><th id="L1152"><a href="#L1152">1152</a></th><td>{ </td></tr><tr><th id="L1153"><a href="#L1153">1153</a></th><td> for (;;) </td></tr><tr><th id="L1154"><a href="#L1154">1154</a></th><td> { </td></tr><tr><th id="L1155"><a href="#L1155">1155</a></th><td> char ch1 = *pszName1++; </td></tr><tr><th id="L1156"><a href="#L1156">1156</a></th><td> RTUTF16 wc2 = *pwszName2++; </td></tr><tr><th id="L1157"><a href="#L1157">1157</a></th><td> if (ch1 != wc2) </td></tr><tr><th id="L1158"><a href="#L1158">1158</a></th><td> { </td></tr><tr><th id="L1159"><a href="#L1159">1159</a></th><td> ch1 = RT_C_TO_LOWER(ch1); </td></tr><tr><th id="L1160"><a href="#L1160">1160</a></th><td> wc2 = wc2 < 0x80 ? RT_C_TO_LOWER(wc2) : wc2; </td></tr><tr><th id="L1161"><a href="#L1161">1161</a></th><td> if (ch1 != wc2) </td></tr><tr><th id="L1162"><a href="#L1162">1162</a></th><td> return false; </td></tr><tr><th id="L1163"><a href="#L1163">1163</a></th><td> } </td></tr><tr><th id="L1164"><a href="#L1164">1164</a></th><td> if (!ch1) </td></tr><tr><th id="L1165"><a href="#L1165">1165</a></th><td> return true; </td></tr><tr><th id="L1166"><a href="#L1166">1166</a></th><td> } </td></tr><tr><th id="L1167"><a href="#L1167">1167</a></th><td>} </td></tr><tr><th id="L1168"><a href="#L1168">1168</a></th><td> </td></tr><tr><th id="L1169"><a href="#L1169">1169</a></th><td> </td></tr><tr><th id="L1170"><a href="#L1170">1170</a></th><td>/** </td></tr><tr><th id="L1171"><a href="#L1171">1171</a></th><td> * Records an additional memory region for an image. </td></tr><tr><th id="L1172"><a href="#L1172">1172</a></th><td> * </td></tr><tr><th id="L1173"><a href="#L1173">1173</a></th><td> * May trash pThis->abMemory. </td></tr><tr><th id="L1174"><a href="#L1174">1174</a></th><td> * </td></tr><tr><th id="L1175"><a href="#L1175">1175</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1176"><a href="#L1176">1176</a></th><td> * @retval VINF_OBJECT_DESTROYED if we've unmapped the image (child </td></tr><tr><th id="L1177"><a href="#L1177">1177</a></th><td> * purification only). </td></tr><tr><th id="L1178"><a href="#L1178">1178</a></th><td> * @param pThis The process scanning state structure. </td></tr><tr><th id="L1179"><a href="#L1179">1179</a></th><td> * @param pImage The new image structure. Only the unicode name </td></tr><tr><th id="L1180"><a href="#L1180">1180</a></th><td> * buffer is valid (it's zero-terminated). </td></tr><tr><th id="L1181"><a href="#L1181">1181</a></th><td> * @param pMemInfo The memory information for the image. </td></tr><tr><th id="L1182"><a href="#L1182">1182</a></th><td> */ </td></tr><tr><th id="L1183"><a href="#L1183">1183</a></th><td>static int supHardNtVpNewImage(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, PMEMORY_BASIC_INFORMATION pMemInfo) </td></tr><tr><th id="L1184"><a href="#L1184">1184</a></th><td>{ </td></tr><tr><th id="L1185"><a href="#L1185">1185</a></th><td> /* </td></tr><tr><th id="L1186"><a href="#L1186">1186</a></th><td> * If the filename or path contains short names, we have to get the long </td></tr><tr><th id="L1187"><a href="#L1187">1187</a></th><td> * path so that we will recognize the DLLs and their location. </td></tr><tr><th id="L1188"><a href="#L1188">1188</a></th><td> */ </td></tr><tr><th id="L1189"><a href="#L1189">1189</a></th><td> int rc83Exp = VERR_IGNORED; </td></tr><tr><th id="L1190"><a href="#L1190">1190</a></th><td> PUNICODE_STRING pLongName = &pImage->Name.UniStr; </td></tr><tr><th id="L1191"><a href="#L1191">1191</a></th><td> if (RTNtPathFindPossible8dot3Name(pLongName->Buffer)) </td></tr><tr><th id="L1192"><a href="#L1192">1192</a></th><td> { </td></tr><tr><th id="L1193"><a href="#L1193">1193</a></th><td> AssertCompile(sizeof(pThis->abMemory) > sizeof(pImage->Name)); </td></tr><tr><th id="L1194"><a href="#L1194">1194</a></th><td> PUNICODE_STRING pTmp = (PUNICODE_STRING)pThis->abMemory; </td></tr><tr><th id="L1195"><a href="#L1195">1195</a></th><td> pTmp->MaximumLength = (USHORT)RT_MIN(_64K - 1, sizeof(pThis->abMemory) - sizeof(*pTmp)) - sizeof(RTUTF16); </td></tr><tr><th id="L1196"><a href="#L1196">1196</a></th><td> pTmp->Length = pImage->Name.UniStr.Length; </td></tr><tr><th id="L1197"><a href="#L1197">1197</a></th><td> pTmp->Buffer = (PRTUTF16)(pTmp + 1); </td></tr><tr><th id="L1198"><a href="#L1198">1198</a></th><td> memcpy(pTmp->Buffer, pLongName->Buffer, pLongName->Length + sizeof(RTUTF16)); </td></tr><tr><th id="L1199"><a href="#L1199">1199</a></th><td> </td></tr><tr><th id="L1200"><a href="#L1200">1200</a></th><td> rc83Exp = RTNtPathExpand8dot3Path(pTmp, false /*fPathOnly*/); </td></tr><tr><th id="L1201"><a href="#L1201">1201</a></th><td> Assert(rc83Exp == VINF_SUCCESS); </td></tr><tr><th id="L1202"><a href="#L1202">1202</a></th><td> Assert(pTmp->Buffer[pTmp->Length / sizeof(RTUTF16)] == '\0'); </td></tr><tr><th id="L1203"><a href="#L1203">1203</a></th><td> if (rc83Exp == VINF_SUCCESS) </td></tr><tr><th id="L1204"><a href="#L1204">1204</a></th><td> SUP_DPRINTF(("supHardNtVpNewImage: 8dot3 -> long: '%ls' -> '%ls'\n", pLongName->Buffer, pTmp->Buffer)); </td></tr><tr><th id="L1205"><a href="#L1205">1205</a></th><td> else </td></tr><tr><th id="L1206"><a href="#L1206">1206</a></th><td> SUP_DPRINTF(("supHardNtVpNewImage: RTNtPathExpand8dot3Path returns %Rrc for '%ls' (-> '%ls')\n", </td></tr><tr><th id="L1207"><a href="#L1207">1207</a></th><td> rc83Exp, pLongName->Buffer, pTmp->Buffer)); </td></tr><tr><th id="L1208"><a href="#L1208">1208</a></th><td> </td></tr><tr><th id="L1209"><a href="#L1209">1209</a></th><td> pLongName = pTmp; </td></tr><tr><th id="L1210"><a href="#L1210">1210</a></th><td> } </td></tr><tr><th id="L1211"><a href="#L1211">1211</a></th><td> </td></tr><tr><th id="L1212"><a href="#L1212">1212</a></th><td> /* </td></tr><tr><th id="L1213"><a href="#L1213">1213</a></th><td> * Extract the final component. </td></tr><tr><th id="L1214"><a href="#L1214">1214</a></th><td> */ </td></tr><tr><th id="L1215"><a href="#L1215">1215</a></th><td> RTUTF16 wc; </td></tr><tr><th id="L1216"><a href="#L1216">1216</a></th><td> unsigned cwcDirName = pLongName->Length / sizeof(WCHAR); </td></tr><tr><th id="L1217"><a href="#L1217">1217</a></th><td> PCRTUTF16 pwszFilename = &pLongName->Buffer[cwcDirName]; </td></tr><tr><th id="L1218"><a href="#L1218">1218</a></th><td> while ( cwcDirName > 0 </td></tr><tr><th id="L1219"><a href="#L1219">1219</a></th><td> && (wc = pwszFilename[-1]) != '\\' </td></tr><tr><th id="L1220"><a href="#L1220">1220</a></th><td> && wc != '/' </td></tr><tr><th id="L1221"><a href="#L1221">1221</a></th><td> && wc != ':') </td></tr><tr><th id="L1222"><a href="#L1222">1222</a></th><td> { </td></tr><tr><th id="L1223"><a href="#L1223">1223</a></th><td> pwszFilename--; </td></tr><tr><th id="L1224"><a href="#L1224">1224</a></th><td> cwcDirName--; </td></tr><tr><th id="L1225"><a href="#L1225">1225</a></th><td> } </td></tr><tr><th id="L1226"><a href="#L1226">1226</a></th><td> if (!*pwszFilename) </td></tr><tr><th id="L1227"><a href="#L1227">1227</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_IMAGE_MAPPING_NAME, </td></tr><tr><th id="L1228"><a href="#L1228">1228</a></th><td> "Empty filename (len=%u) for image at %p.", pLongName->Length, pMemInfo->BaseAddress); </td></tr><tr><th id="L1229"><a href="#L1229">1229</a></th><td> </td></tr><tr><th id="L1230"><a href="#L1230">1230</a></th><td> /* </td></tr><tr><th id="L1231"><a href="#L1231">1231</a></th><td> * Drop trailing slashes from the directory name. </td></tr><tr><th id="L1232"><a href="#L1232">1232</a></th><td> */ </td></tr><tr><th id="L1233"><a href="#L1233">1233</a></th><td> while ( cwcDirName > 0 </td></tr><tr><th id="L1234"><a href="#L1234">1234</a></th><td> && ( pLongName->Buffer[cwcDirName - 1] == '\\' </td></tr><tr><th id="L1235"><a href="#L1235">1235</a></th><td> || pLongName->Buffer[cwcDirName - 1] == '/')) </td></tr><tr><th id="L1236"><a href="#L1236">1236</a></th><td> cwcDirName--; </td></tr><tr><th id="L1237"><a href="#L1237">1237</a></th><td> </td></tr><tr><th id="L1238"><a href="#L1238">1238</a></th><td> /* </td></tr><tr><th id="L1239"><a href="#L1239">1239</a></th><td> * Match it against known DLLs. </td></tr><tr><th id="L1240"><a href="#L1240">1240</a></th><td> */ </td></tr><tr><th id="L1241"><a href="#L1241">1241</a></th><td> pImage->pszName = NULL; </td></tr><tr><th id="L1242"><a href="#L1242">1242</a></th><td> for (uint32_t i = 0; i < RT_ELEMENTS(g_apszSupNtVpAllowedDlls); i++) </td></tr><tr><th id="L1243"><a href="#L1243">1243</a></th><td> if (supHardNtVpAreNamesEqual(g_apszSupNtVpAllowedDlls[i], pwszFilename)) </td></tr><tr><th id="L1244"><a href="#L1244">1244</a></th><td> { </td></tr><tr><th id="L1245"><a href="#L1245">1245</a></th><td> pImage->pszName = g_apszSupNtVpAllowedDlls[i]; </td></tr><tr><th id="L1246"><a href="#L1246">1246</a></th><td> pImage->fDll = true; </td></tr><tr><th id="L1247"><a href="#L1247">1247</a></th><td> </td></tr><tr><th id="L1248"><a href="#L1248">1248</a></th><td>#ifndef VBOX_PERMIT_VISUAL_STUDIO_PROFILING </td></tr><tr><th id="L1249"><a href="#L1249">1249</a></th><td> /* The directory name must match the one we've got for System32. */ </td></tr><tr><th id="L1250"><a href="#L1250">1250</a></th><td> if ( ( cwcDirName * sizeof(WCHAR) != g_System32NtPath.UniStr.Length </td></tr><tr><th id="L1251"><a href="#L1251">1251</a></th><td> || suplibHardenedMemComp(pLongName->Buffer, g_System32NtPath.UniStr.Buffer, cwcDirName * sizeof(WCHAR)) ) </td></tr><tr><th id="L1252"><a href="#L1252">1252</a></th><td># ifdef VBOX_PERMIT_MORE </td></tr><tr><th id="L1253"><a href="#L1253">1253</a></th><td> && ( pImage->pszName[0] != 'a' </td></tr><tr><th id="L1254"><a href="#L1254">1254</a></th><td> || pImage->pszName[1] != 'c' </td></tr><tr><th id="L1255"><a href="#L1255">1255</a></th><td> || !supHardViIsAppPatchDir(pLongName->Buffer, pLongName->Length / sizeof(WCHAR)) ) </td></tr><tr><th id="L1256"><a href="#L1256">1256</a></th><td># endif </td></tr><tr><th id="L1257"><a href="#L1257">1257</a></th><td> ) </td></tr><tr><th id="L1258"><a href="#L1258">1258</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NON_SYSTEM32_DLL, </td></tr><tr><th id="L1259"><a href="#L1259">1259</a></th><td> "Expected %ls to be loaded from %ls.", </td></tr><tr><th id="L1260"><a href="#L1260">1260</a></th><td> pLongName->Buffer, g_System32NtPath.UniStr.Buffer); </td></tr><tr><th id="L1261"><a href="#L1261">1261</a></th><td># ifdef VBOX_PERMIT_MORE </td></tr><tr><th id="L1262"><a href="#L1262">1262</a></th><td> if (g_uNtVerCombined < SUP_NT_VER_W70 && i >= VBOX_PERMIT_MORE_FIRST_IDX) </td></tr><tr><th id="L1263"><a href="#L1263">1263</a></th><td> pImage->pszName = NULL; /* hard limit: user32.dll is unwanted prior to w7. */ </td></tr><tr><th id="L1264"><a href="#L1264">1264</a></th><td># endif </td></tr><tr><th id="L1265"><a href="#L1265">1265</a></th><td> </td></tr><tr><th id="L1266"><a href="#L1266">1266</a></th><td>#endif /* VBOX_PERMIT_VISUAL_STUDIO_PROFILING */ </td></tr><tr><th id="L1267"><a href="#L1267">1267</a></th><td> break; </td></tr><tr><th id="L1268"><a href="#L1268">1268</a></th><td> } </td></tr><tr><th id="L1269"><a href="#L1269">1269</a></th><td> if (!pImage->pszName) </td></tr><tr><th id="L1270"><a href="#L1270">1270</a></th><td> { </td></tr><tr><th id="L1271"><a href="#L1271">1271</a></th><td> /* </td></tr><tr><th id="L1272"><a href="#L1272">1272</a></th><td> * Not a known DLL, is it a known executable? </td></tr><tr><th id="L1273"><a href="#L1273">1273</a></th><td> */ </td></tr><tr><th id="L1274"><a href="#L1274">1274</a></th><td> for (uint32_t i = 0; i < RT_ELEMENTS(g_apszSupNtVpAllowedVmExes); i++) </td></tr><tr><th id="L1275"><a href="#L1275">1275</a></th><td> if (supHardNtVpAreNamesEqual(g_apszSupNtVpAllowedVmExes[i], pwszFilename)) </td></tr><tr><th id="L1276"><a href="#L1276">1276</a></th><td> { </td></tr><tr><th id="L1277"><a href="#L1277">1277</a></th><td> pImage->pszName = g_apszSupNtVpAllowedVmExes[i]; </td></tr><tr><th id="L1278"><a href="#L1278">1278</a></th><td> pImage->fDll = false; </td></tr><tr><th id="L1279"><a href="#L1279">1279</a></th><td> break; </td></tr><tr><th id="L1280"><a href="#L1280">1280</a></th><td> } </td></tr><tr><th id="L1281"><a href="#L1281">1281</a></th><td> } </td></tr><tr><th id="L1282"><a href="#L1282">1282</a></th><td> if (!pImage->pszName) </td></tr><tr><th id="L1283"><a href="#L1283">1283</a></th><td> { </td></tr><tr><th id="L1284"><a href="#L1284">1284</a></th><td> /* </td></tr><tr><th id="L1285"><a href="#L1285">1285</a></th><td> * Unknown image. </td></tr><tr><th id="L1286"><a href="#L1286">1286</a></th><td> * </td></tr><tr><th id="L1287"><a href="#L1287">1287</a></th><td> * If we're cleaning up a child process, we can unmap the offending </td></tr><tr><th id="L1288"><a href="#L1288">1288</a></th><td> * DLL... Might have interesting side effects, or at least interesting </td></tr><tr><th id="L1289"><a href="#L1289">1289</a></th><td> * as in "may you live in interesting times". </td></tr><tr><th id="L1290"><a href="#L1290">1290</a></th><td> */ </td></tr><tr><th id="L1291"><a href="#L1291">1291</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L1292"><a href="#L1292">1292</a></th><td> if ( pMemInfo->AllocationBase == pMemInfo->BaseAddress </td></tr><tr><th id="L1293"><a href="#L1293">1293</a></th><td> && pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L1294"><a href="#L1294">1294</a></th><td> { </td></tr><tr><th id="L1295"><a href="#L1295">1295</a></th><td> SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Unmapping image mem at %p (%p LB %#zx) - '%ls'\n", </td></tr><tr><th id="L1296"><a href="#L1296">1296</a></th><td> pMemInfo->AllocationBase, pMemInfo->BaseAddress, pMemInfo->RegionSize, pwszFilename)); </td></tr><tr><th id="L1297"><a href="#L1297">1297</a></th><td> NTSTATUS rcNt = NtUnmapViewOfSection(pThis->hProcess, pMemInfo->AllocationBase); </td></tr><tr><th id="L1298"><a href="#L1298">1298</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1299"><a href="#L1299">1299</a></th><td> return VINF_OBJECT_DESTROYED; </td></tr><tr><th id="L1300"><a href="#L1300">1300</a></th><td> pThis->cFixes++; </td></tr><tr><th id="L1301"><a href="#L1301">1301</a></th><td> SUP_DPRINTF(("supHardNtVpScanVirtualMemory: NtUnmapViewOfSection(,%p) failed: %#x\n", pMemInfo->AllocationBase, rcNt)); </td></tr><tr><th id="L1302"><a href="#L1302">1302</a></th><td> } </td></tr><tr><th id="L1303"><a href="#L1303">1303</a></th><td>#endif </td></tr><tr><th id="L1304"><a href="#L1304">1304</a></th><td> /* </td></tr><tr><th id="L1305"><a href="#L1305">1305</a></th><td> * Special error message if we can. </td></tr><tr><th id="L1306"><a href="#L1306">1306</a></th><td> */ </td></tr><tr><th id="L1307"><a href="#L1307">1307</a></th><td> if ( pMemInfo->AllocationBase == pMemInfo->BaseAddress </td></tr><tr><th id="L1308"><a href="#L1308">1308</a></th><td> && ( supHardNtVpAreNamesEqual("sysfer.dll", pwszFilename) </td></tr><tr><th id="L1309"><a href="#L1309">1309</a></th><td> || supHardNtVpAreNamesEqual("sysfer32.dll", pwszFilename) </td></tr><tr><th id="L1310"><a href="#L1310">1310</a></th><td> || supHardNtVpAreNamesEqual("sysfer64.dll", pwszFilename) </td></tr><tr><th id="L1311"><a href="#L1311">1311</a></th><td> || supHardNtVpAreNamesEqual("sysfrethunk.dll", pwszFilename)) ) </td></tr><tr><th id="L1312"><a href="#L1312">1312</a></th><td> { </td></tr><tr><th id="L1313"><a href="#L1313">1313</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_SYSFER_DLL, </td></tr><tr><th id="L1314"><a href="#L1314">1314</a></th><td> "Found %ls at %p - This is probably part of Symantec Endpoint Protection. \n" </td></tr><tr><th id="L1315"><a href="#L1315">1315</a></th><td> "You or your admin need to add and exception to the Application and Device Control (ADC) " </td></tr><tr><th id="L1316"><a href="#L1316">1316</a></th><td> "component (or disable it) to prevent ADC from injecting itself into the VirtualBox VM processes. " </td></tr><tr><th id="L1317"><a href="#L1317">1317</a></th><td> "See http://www.symantec.com/connect/articles/creating-application-control-exclusions-symantec-endpoint-protection-121" </td></tr><tr><th id="L1318"><a href="#L1318">1318</a></th><td> , pLongName->Buffer, pMemInfo->BaseAddress); </td></tr><tr><th id="L1319"><a href="#L1319">1319</a></th><td> return pThis->rcResult = VERR_SUP_VP_SYSFER_DLL; /* Try make sure this is what the user sees first! */ </td></tr><tr><th id="L1320"><a href="#L1320">1320</a></th><td> } </td></tr><tr><th id="L1321"><a href="#L1321">1321</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NOT_KNOWN_DLL_OR_EXE, </td></tr><tr><th id="L1322"><a href="#L1322">1322</a></th><td> "Unknown image file %ls at %p. (rc83Exp=%Rrc)", </td></tr><tr><th id="L1323"><a href="#L1323">1323</a></th><td> pLongName->Buffer, pMemInfo->BaseAddress, rc83Exp); </td></tr><tr><th id="L1324"><a href="#L1324">1324</a></th><td> } </td></tr><tr><th id="L1325"><a href="#L1325">1325</a></th><td> </td></tr><tr><th id="L1326"><a href="#L1326">1326</a></th><td> /* </td></tr><tr><th id="L1327"><a href="#L1327">1327</a></th><td> * Checks for multiple mappings of the same DLL but with different image file paths. </td></tr><tr><th id="L1328"><a href="#L1328">1328</a></th><td> */ </td></tr><tr><th id="L1329"><a href="#L1329">1329</a></th><td> uint32_t i = pThis->cImages; </td></tr><tr><th id="L1330"><a href="#L1330">1330</a></th><td> while (i-- > 1) </td></tr><tr><th id="L1331"><a href="#L1331">1331</a></th><td> if (pImage->pszName == pThis->aImages[i].pszName) </td></tr><tr><th id="L1332"><a href="#L1332">1332</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DUPLICATE_DLL_MAPPING, </td></tr><tr><th id="L1333"><a href="#L1333">1333</a></th><td> "Duplicate image entries for %s: %ls and %ls", </td></tr><tr><th id="L1334"><a href="#L1334">1334</a></th><td> pImage->pszName, pImage->Name.UniStr.Buffer, pThis->aImages[i].Name.UniStr.Buffer); </td></tr><tr><th id="L1335"><a href="#L1335">1335</a></th><td> </td></tr><tr><th id="L1336"><a href="#L1336">1336</a></th><td> /* </td></tr><tr><th id="L1337"><a href="#L1337">1337</a></th><td> * Since it's a new image, we expect to be at the start of the mapping now. </td></tr><tr><th id="L1338"><a href="#L1338">1338</a></th><td> */ </td></tr><tr><th id="L1339"><a href="#L1339">1339</a></th><td> if (pMemInfo->AllocationBase != pMemInfo->BaseAddress) </td></tr><tr><th id="L1340"><a href="#L1340">1340</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_IMAGE_MAPPING_BASE_ERROR, </td></tr><tr><th id="L1341"><a href="#L1341">1341</a></th><td> "Invalid AllocationBase/BaseAddress for %s: %p vs %p.", </td></tr><tr><th id="L1342"><a href="#L1342">1342</a></th><td> pImage->pszName, pMemInfo->AllocationBase, pMemInfo->BaseAddress); </td></tr><tr><th id="L1343"><a href="#L1343">1343</a></th><td> </td></tr><tr><th id="L1344"><a href="#L1344">1344</a></th><td> /* </td></tr><tr><th id="L1345"><a href="#L1345">1345</a></th><td> * Check for size/rva overflow. </td></tr><tr><th id="L1346"><a href="#L1346">1346</a></th><td> */ </td></tr><tr><th id="L1347"><a href="#L1347">1347</a></th><td> if (pMemInfo->RegionSize >= _2G) </td></tr><tr><th id="L1348"><a href="#L1348">1348</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_LARGE_REGION, </td></tr><tr><th id="L1349"><a href="#L1349">1349</a></th><td> "Region 0 of image %s is too large: %p.", pImage->pszName, pMemInfo->RegionSize); </td></tr><tr><th id="L1350"><a href="#L1350">1350</a></th><td> </td></tr><tr><th id="L1351"><a href="#L1351">1351</a></th><td> /* </td></tr><tr><th id="L1352"><a href="#L1352">1352</a></th><td> * Fill in details from the memory info. </td></tr><tr><th id="L1353"><a href="#L1353">1353</a></th><td> */ </td></tr><tr><th id="L1354"><a href="#L1354">1354</a></th><td> pImage->uImageBase = (uintptr_t)pMemInfo->AllocationBase; </td></tr><tr><th id="L1355"><a href="#L1355">1355</a></th><td> pImage->cbImage = pMemInfo->RegionSize; </td></tr><tr><th id="L1356"><a href="#L1356">1356</a></th><td> pImage->pCacheEntry= NULL; </td></tr><tr><th id="L1357"><a href="#L1357">1357</a></th><td> pImage->cRegions = 1; </td></tr><tr><th id="L1358"><a href="#L1358">1358</a></th><td> pImage->aRegions[0].uRva = 0; </td></tr><tr><th id="L1359"><a href="#L1359">1359</a></th><td> pImage->aRegions[0].cb = (uint32_t)pMemInfo->RegionSize; </td></tr><tr><th id="L1360"><a href="#L1360">1360</a></th><td> pImage->aRegions[0].fProt = pMemInfo->Protect; </td></tr><tr><th id="L1361"><a href="#L1361">1361</a></th><td> </td></tr><tr><th id="L1362"><a href="#L1362">1362</a></th><td> if (suplibHardenedStrCmp(pImage->pszName, "ntdll.dll") == 0) </td></tr><tr><th id="L1363"><a href="#L1363">1363</a></th><td> pImage->fNtCreateSectionPatch = true; </td></tr><tr><th id="L1364"><a href="#L1364">1364</a></th><td> else if (suplibHardenedStrCmp(pImage->pszName, "apisetschema.dll") == 0) </td></tr><tr><th id="L1365"><a href="#L1365">1365</a></th><td> pImage->fApiSetSchemaOnlySection1 = true; /** @todo Check the ApiSetMap field in the PEB. */ </td></tr><tr><th id="L1366"><a href="#L1366">1366</a></th><td>#ifdef VBOX_PERMIT_MORE </td></tr><tr><th id="L1367"><a href="#L1367">1367</a></th><td> else if (suplibHardenedStrCmp(pImage->pszName, "acres.dll") == 0) </td></tr><tr><th id="L1368"><a href="#L1368">1368</a></th><td> pImage->f32bitResourceDll = true; </td></tr><tr><th id="L1369"><a href="#L1369">1369</a></th><td>#endif </td></tr><tr><th id="L1370"><a href="#L1370">1370</a></th><td> </td></tr><tr><th id="L1371"><a href="#L1371">1371</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L1372"><a href="#L1372">1372</a></th><td>} </td></tr><tr><th id="L1373"><a href="#L1373">1373</a></th><td> </td></tr><tr><th id="L1374"><a href="#L1374">1374</a></th><td> </td></tr><tr><th id="L1375"><a href="#L1375">1375</a></th><td>/** </td></tr><tr><th id="L1376"><a href="#L1376">1376</a></th><td> * Records an additional memory region for an image. </td></tr><tr><th id="L1377"><a href="#L1377">1377</a></th><td> * </td></tr><tr><th id="L1378"><a href="#L1378">1378</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1379"><a href="#L1379">1379</a></th><td> * @param pThis The process scanning state structure. </td></tr><tr><th id="L1380"><a href="#L1380">1380</a></th><td> * @param pImage The image. </td></tr><tr><th id="L1381"><a href="#L1381">1381</a></th><td> * @param pMemInfo The memory information for the region. </td></tr><tr><th id="L1382"><a href="#L1382">1382</a></th><td> */ </td></tr><tr><th id="L1383"><a href="#L1383">1383</a></th><td>static int supHardNtVpAddRegion(PSUPHNTVPSTATE pThis, PSUPHNTVPIMAGE pImage, PMEMORY_BASIC_INFORMATION pMemInfo) </td></tr><tr><th id="L1384"><a href="#L1384">1384</a></th><td>{ </td></tr><tr><th id="L1385"><a href="#L1385">1385</a></th><td> /* </td></tr><tr><th id="L1386"><a href="#L1386">1386</a></th><td> * Make sure the base address matches. </td></tr><tr><th id="L1387"><a href="#L1387">1387</a></th><td> */ </td></tr><tr><th id="L1388"><a href="#L1388">1388</a></th><td> if (pImage->uImageBase != (uintptr_t)pMemInfo->AllocationBase) </td></tr><tr><th id="L1389"><a href="#L1389">1389</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUPLIB_NT_PROCESS_UNTRUSTED_3, </td></tr><tr><th id="L1390"><a href="#L1390">1390</a></th><td> "Base address mismatch for %s: have %p, found %p for region %p LB %#zx.", </td></tr><tr><th id="L1391"><a href="#L1391">1391</a></th><td> pImage->pszName, pImage->uImageBase, pMemInfo->AllocationBase, </td></tr><tr><th id="L1392"><a href="#L1392">1392</a></th><td> pMemInfo->BaseAddress, pMemInfo->RegionSize); </td></tr><tr><th id="L1393"><a href="#L1393">1393</a></th><td> </td></tr><tr><th id="L1394"><a href="#L1394">1394</a></th><td> /* </td></tr><tr><th id="L1395"><a href="#L1395">1395</a></th><td> * Check for size and rva overflows. </td></tr><tr><th id="L1396"><a href="#L1396">1396</a></th><td> */ </td></tr><tr><th id="L1397"><a href="#L1397">1397</a></th><td> uintptr_t uRva = (uintptr_t)pMemInfo->BaseAddress - pImage->uImageBase; </td></tr><tr><th id="L1398"><a href="#L1398">1398</a></th><td> if (pMemInfo->RegionSize >= _2G) </td></tr><tr><th id="L1399"><a href="#L1399">1399</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_LARGE_REGION, </td></tr><tr><th id="L1400"><a href="#L1400">1400</a></th><td> "Region %u of image %s is too large: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva); </td></tr><tr><th id="L1401"><a href="#L1401">1401</a></th><td> if (uRva >= _2G) </td></tr><tr><th id="L1402"><a href="#L1402">1402</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_HIGH_REGION_RVA, </td></tr><tr><th id="L1403"><a href="#L1403">1403</a></th><td> "Region %u of image %s is too high: %p/%p.", pImage->pszName, pMemInfo->RegionSize, uRva); </td></tr><tr><th id="L1404"><a href="#L1404">1404</a></th><td> </td></tr><tr><th id="L1405"><a href="#L1405">1405</a></th><td> </td></tr><tr><th id="L1406"><a href="#L1406">1406</a></th><td> /* </td></tr><tr><th id="L1407"><a href="#L1407">1407</a></th><td> * Record the region. </td></tr><tr><th id="L1408"><a href="#L1408">1408</a></th><td> */ </td></tr><tr><th id="L1409"><a href="#L1409">1409</a></th><td> uint32_t iRegion = pImage->cRegions; </td></tr><tr><th id="L1410"><a href="#L1410">1410</a></th><td> if (iRegion + 1 >= RT_ELEMENTS(pImage->aRegions)) </td></tr><tr><th id="L1411"><a href="#L1411">1411</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_IMAGE_REGIONS, </td></tr><tr><th id="L1412"><a href="#L1412">1412</a></th><td> "Too many regions for %s.", pImage->pszName); </td></tr><tr><th id="L1413"><a href="#L1413">1413</a></th><td> pImage->aRegions[iRegion].uRva = (uint32_t)uRva; </td></tr><tr><th id="L1414"><a href="#L1414">1414</a></th><td> pImage->aRegions[iRegion].cb = (uint32_t)pMemInfo->RegionSize; </td></tr><tr><th id="L1415"><a href="#L1415">1415</a></th><td> pImage->aRegions[iRegion].fProt = pMemInfo->Protect; </td></tr><tr><th id="L1416"><a href="#L1416">1416</a></th><td> pImage->cbImage = pImage->aRegions[iRegion].uRva + pImage->aRegions[iRegion].cb; </td></tr><tr><th id="L1417"><a href="#L1417">1417</a></th><td> pImage->cRegions++; </td></tr><tr><th id="L1418"><a href="#L1418">1418</a></th><td> pImage->fApiSetSchemaOnlySection1 = false; </td></tr><tr><th id="L1419"><a href="#L1419">1419</a></th><td> </td></tr><tr><th id="L1420"><a href="#L1420">1420</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L1421"><a href="#L1421">1421</a></th><td>} </td></tr><tr><th id="L1422"><a href="#L1422">1422</a></th><td> </td></tr><tr><th id="L1423"><a href="#L1423">1423</a></th><td> </td></tr><tr><th id="L1424"><a href="#L1424">1424</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L1425"><a href="#L1425">1425</a></th><td>/** </td></tr><tr><th id="L1426"><a href="#L1426">1426</a></th><td> * Frees (or replaces) executable memory of allocation type private. </td></tr><tr><th id="L1427"><a href="#L1427">1427</a></th><td> * </td></tr><tr><th id="L1428"><a href="#L1428">1428</a></th><td> * @returns True if nothing really bad happen, false if to quit ASAP because we </td></tr><tr><th id="L1429"><a href="#L1429">1429</a></th><td> * killed the process being scanned. </td></tr><tr><th id="L1430"><a href="#L1430">1430</a></th><td> * @param pThis The process scanning state structure. Details </td></tr><tr><th id="L1431"><a href="#L1431">1431</a></th><td> * about images are added to this. </td></tr><tr><th id="L1432"><a href="#L1432">1432</a></th><td> * @param hProcess The process to verify. </td></tr><tr><th id="L1433"><a href="#L1433">1433</a></th><td> * @param pMemInfo The information we've got on this private </td></tr><tr><th id="L1434"><a href="#L1434">1434</a></th><td> * executable memory. </td></tr><tr><th id="L1435"><a href="#L1435">1435</a></th><td> */ </td></tr><tr><th id="L1436"><a href="#L1436">1436</a></th><td>static bool supHardNtVpFreeOrReplacePrivateExecMemory(PSUPHNTVPSTATE pThis, HANDLE hProcess, </td></tr><tr><th id="L1437"><a href="#L1437">1437</a></th><td> MEMORY_BASIC_INFORMATION const *pMemInfo) </td></tr><tr><th id="L1438"><a href="#L1438">1438</a></th><td>{ </td></tr><tr><th id="L1439"><a href="#L1439">1439</a></th><td> NTSTATUS rcNt; </td></tr><tr><th id="L1440"><a href="#L1440">1440</a></th><td> </td></tr><tr><th id="L1441"><a href="#L1441">1441</a></th><td> /* </td></tr><tr><th id="L1442"><a href="#L1442">1442</a></th><td> * Try figure the entire allocation size. Free/Alloc may fail otherwise. </td></tr><tr><th id="L1443"><a href="#L1443">1443</a></th><td> */ </td></tr><tr><th id="L1444"><a href="#L1444">1444</a></th><td> PVOID pvFree = pMemInfo->AllocationBase; </td></tr><tr><th id="L1445"><a href="#L1445">1445</a></th><td> SIZE_T cbFree = pMemInfo->RegionSize + ((uintptr_t)pMemInfo->BaseAddress - (uintptr_t)pMemInfo->AllocationBase); </td></tr><tr><th id="L1446"><a href="#L1446">1446</a></th><td> for (;;) </td></tr><tr><th id="L1447"><a href="#L1447">1447</a></th><td> { </td></tr><tr><th id="L1448"><a href="#L1448">1448</a></th><td> SIZE_T cbActual = 0; </td></tr><tr><th id="L1449"><a href="#L1449">1449</a></th><td> MEMORY_BASIC_INFORMATION MemInfo2 = { 0, 0, 0, 0, 0, 0, 0 }; </td></tr><tr><th id="L1450"><a href="#L1450">1450</a></th><td> uintptr_t uPtrNext = (uintptr_t)pvFree + cbFree; </td></tr><tr><th id="L1451"><a href="#L1451">1451</a></th><td> rcNt = g_pfnNtQueryVirtualMemory(hProcess, </td></tr><tr><th id="L1452"><a href="#L1452">1452</a></th><td> (void const *)uPtrNext, </td></tr><tr><th id="L1453"><a href="#L1453">1453</a></th><td> MemoryBasicInformation, </td></tr><tr><th id="L1454"><a href="#L1454">1454</a></th><td> &MemInfo2, </td></tr><tr><th id="L1455"><a href="#L1455">1455</a></th><td> sizeof(MemInfo2), </td></tr><tr><th id="L1456"><a href="#L1456">1456</a></th><td> &cbActual); </td></tr><tr><th id="L1457"><a href="#L1457">1457</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1458"><a href="#L1458">1458</a></th><td> break; </td></tr><tr><th id="L1459"><a href="#L1459">1459</a></th><td> if (pMemInfo->AllocationBase != MemInfo2.AllocationBase) </td></tr><tr><th id="L1460"><a href="#L1460">1460</a></th><td> break; </td></tr><tr><th id="L1461"><a href="#L1461">1461</a></th><td> if (MemInfo2.RegionSize == 0) </td></tr><tr><th id="L1462"><a href="#L1462">1462</a></th><td> break; </td></tr><tr><th id="L1463"><a href="#L1463">1463</a></th><td> cbFree += MemInfo2.RegionSize; </td></tr><tr><th id="L1464"><a href="#L1464">1464</a></th><td> } </td></tr><tr><th id="L1465"><a href="#L1465">1465</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: %s exec mem at %p (LB %#zx, %p LB %#zx)\n", </td></tr><tr><th id="L1466"><a href="#L1466">1466</a></th><td> pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW ? "Replacing" : "Freeing", </td></tr><tr><th id="L1467"><a href="#L1467">1467</a></th><td> pvFree, cbFree, pMemInfo->BaseAddress, pMemInfo->RegionSize)); </td></tr><tr><th id="L1468"><a href="#L1468">1468</a></th><td> </td></tr><tr><th id="L1469"><a href="#L1469">1469</a></th><td> /* </td></tr><tr><th id="L1470"><a href="#L1470">1470</a></th><td> * In the BSOD workaround mode, we need to make a copy of the memory before </td></tr><tr><th id="L1471"><a href="#L1471">1471</a></th><td> * freeing it. </td></tr><tr><th id="L1472"><a href="#L1472">1472</a></th><td> */ </td></tr><tr><th id="L1473"><a href="#L1473">1473</a></th><td> uintptr_t uCopySrc = (uintptr_t)pvFree; </td></tr><tr><th id="L1474"><a href="#L1474">1474</a></th><td> size_t cbCopy = 0; </td></tr><tr><th id="L1475"><a href="#L1475">1475</a></th><td> void *pvCopy = NULL; </td></tr><tr><th id="L1476"><a href="#L1476">1476</a></th><td> if (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW) </td></tr><tr><th id="L1477"><a href="#L1477">1477</a></th><td> { </td></tr><tr><th id="L1478"><a href="#L1478">1478</a></th><td> cbCopy = cbFree; </td></tr><tr><th id="L1479"><a href="#L1479">1479</a></th><td> pvCopy = RTMemAllocZ(cbCopy); </td></tr><tr><th id="L1480"><a href="#L1480">1480</a></th><td> if (!pvCopy) </td></tr><tr><th id="L1481"><a href="#L1481">1481</a></th><td> { </td></tr><tr><th id="L1482"><a href="#L1482">1482</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, "RTMemAllocZ(%#zx) failed", cbCopy); </td></tr><tr><th id="L1483"><a href="#L1483">1483</a></th><td> return true; </td></tr><tr><th id="L1484"><a href="#L1484">1484</a></th><td> } </td></tr><tr><th id="L1485"><a href="#L1485">1485</a></th><td> </td></tr><tr><th id="L1486"><a href="#L1486">1486</a></th><td> rcNt = supHardNtVpReadMem(hProcess, uCopySrc, pvCopy, cbCopy); </td></tr><tr><th id="L1487"><a href="#L1487">1487</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1488"><a href="#L1488">1488</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, </td></tr><tr><th id="L1489"><a href="#L1489">1489</a></th><td> "Error reading data from original alloc: %#x (%p LB %#zx)", rcNt, uCopySrc, cbCopy, rcNt); </td></tr><tr><th id="L1490"><a href="#L1490">1490</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1491"><a href="#L1491">1491</a></th><td> } </td></tr><tr><th id="L1492"><a href="#L1492">1492</a></th><td> </td></tr><tr><th id="L1493"><a href="#L1493">1493</a></th><td> /* </td></tr><tr><th id="L1494"><a href="#L1494">1494</a></th><td> * Free the memory. </td></tr><tr><th id="L1495"><a href="#L1495">1495</a></th><td> */ </td></tr><tr><th id="L1496"><a href="#L1496">1496</a></th><td> for (uint32_t i = 0; i < 10; i++) </td></tr><tr><th id="L1497"><a href="#L1497">1497</a></th><td> { </td></tr><tr><th id="L1498"><a href="#L1498">1498</a></th><td> PVOID pvFreeInOut = pvFree; </td></tr><tr><th id="L1499"><a href="#L1499">1499</a></th><td> SIZE_T cbFreeInOut = 0; </td></tr><tr><th id="L1500"><a href="#L1500">1500</a></th><td> rcNt = NtFreeVirtualMemory(hProcess, &pvFreeInOut, &cbFreeInOut, MEM_RELEASE); </td></tr><tr><th id="L1501"><a href="#L1501">1501</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1502"><a href="#L1502">1502</a></th><td> { </td></tr><tr><th id="L1503"><a href="#L1503">1503</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 succeeded: %#x [%p/%p LB 0/%#zx]\n", </td></tr><tr><th id="L1504"><a href="#L1504">1504</a></th><td> rcNt, pvFree, pvFreeInOut, cbFreeInOut)); </td></tr><tr><th id="L1505"><a href="#L1505">1505</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1506"><a href="#L1506">1506</a></th><td> } </td></tr><tr><th id="L1507"><a href="#L1507">1507</a></th><td> else </td></tr><tr><th id="L1508"><a href="#L1508">1508</a></th><td> { </td></tr><tr><th id="L1509"><a href="#L1509">1509</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #1 failed: %#x [%p LB 0]\n", rcNt, pvFree)); </td></tr><tr><th id="L1510"><a href="#L1510">1510</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1511"><a href="#L1511">1511</a></th><td> pvFreeInOut = pvFree; </td></tr><tr><th id="L1512"><a href="#L1512">1512</a></th><td> cbFreeInOut = cbFree; </td></tr><tr><th id="L1513"><a href="#L1513">1513</a></th><td> rcNt = NtFreeVirtualMemory(hProcess, &pvFreeInOut, &cbFreeInOut, MEM_RELEASE); </td></tr><tr><th id="L1514"><a href="#L1514">1514</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1515"><a href="#L1515">1515</a></th><td> { </td></tr><tr><th id="L1516"><a href="#L1516">1516</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #2 succeeded: %#x [%p/%p LB %#zx/%#zx]\n", </td></tr><tr><th id="L1517"><a href="#L1517">1517</a></th><td> rcNt, pvFree, pvFreeInOut, cbFree, cbFreeInOut)); </td></tr><tr><th id="L1518"><a href="#L1518">1518</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1519"><a href="#L1519">1519</a></th><td> } </td></tr><tr><th id="L1520"><a href="#L1520">1520</a></th><td> else </td></tr><tr><th id="L1521"><a href="#L1521">1521</a></th><td> { </td></tr><tr><th id="L1522"><a href="#L1522">1522</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #2 failed: %#x [%p LB %#zx]\n", </td></tr><tr><th id="L1523"><a href="#L1523">1523</a></th><td> rcNt, pvFree, cbFree)); </td></tr><tr><th id="L1524"><a href="#L1524">1524</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1525"><a href="#L1525">1525</a></th><td> pvFreeInOut = pMemInfo->BaseAddress; </td></tr><tr><th id="L1526"><a href="#L1526">1526</a></th><td> cbFreeInOut = pMemInfo->RegionSize; </td></tr><tr><th id="L1527"><a href="#L1527">1527</a></th><td> rcNt = NtFreeVirtualMemory(hProcess, &pvFreeInOut, &cbFreeInOut, MEM_RELEASE); </td></tr><tr><th id="L1528"><a href="#L1528">1528</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1529"><a href="#L1529">1529</a></th><td> { </td></tr><tr><th id="L1530"><a href="#L1530">1530</a></th><td> pvFree = pMemInfo->BaseAddress; </td></tr><tr><th id="L1531"><a href="#L1531">1531</a></th><td> cbFree = pMemInfo->RegionSize; </td></tr><tr><th id="L1532"><a href="#L1532">1532</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Free attempt #3 succeeded [%p LB %#zx]\n", </td></tr><tr><th id="L1533"><a href="#L1533">1533</a></th><td> pvFree, cbFree)); </td></tr><tr><th id="L1534"><a href="#L1534">1534</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1535"><a href="#L1535">1535</a></th><td> } </td></tr><tr><th id="L1536"><a href="#L1536">1536</a></th><td> else </td></tr><tr><th id="L1537"><a href="#L1537">1537</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, </td></tr><tr><th id="L1538"><a href="#L1538">1538</a></th><td> "NtFreeVirtualMemory [%p LB %#zx and %p LB %#zx] failed: %#x", </td></tr><tr><th id="L1539"><a href="#L1539">1539</a></th><td> pvFree, cbFree, pMemInfo->BaseAddress, pMemInfo->RegionSize, rcNt); </td></tr><tr><th id="L1540"><a href="#L1540">1540</a></th><td> } </td></tr><tr><th id="L1541"><a href="#L1541">1541</a></th><td> } </td></tr><tr><th id="L1542"><a href="#L1542">1542</a></th><td> </td></tr><tr><th id="L1543"><a href="#L1543">1543</a></th><td> /* </td></tr><tr><th id="L1544"><a href="#L1544">1544</a></th><td> * Query the region again, redo the free operation if there's still memory there. </td></tr><tr><th id="L1545"><a href="#L1545">1545</a></th><td> */ </td></tr><tr><th id="L1546"><a href="#L1546">1546</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1547"><a href="#L1547">1547</a></th><td> break; </td></tr><tr><th id="L1548"><a href="#L1548">1548</a></th><td> SIZE_T cbActual = 0; </td></tr><tr><th id="L1549"><a href="#L1549">1549</a></th><td> MEMORY_BASIC_INFORMATION MemInfo3 = { 0, 0, 0, 0, 0, 0, 0 }; </td></tr><tr><th id="L1550"><a href="#L1550">1550</a></th><td> NTSTATUS rcNt2 = g_pfnNtQueryVirtualMemory(hProcess, pvFree, MemoryBasicInformation, </td></tr><tr><th id="L1551"><a href="#L1551">1551</a></th><td> &MemInfo3, sizeof(MemInfo3), &cbActual); </td></tr><tr><th id="L1552"><a href="#L1552">1552</a></th><td> if (!NT_SUCCESS(rcNt2)) </td></tr><tr><th id="L1553"><a href="#L1553">1553</a></th><td> break; </td></tr><tr><th id="L1554"><a href="#L1554">1554</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: QVM after free %u: [%p]/%p LB %#zx s=%#x ap=%#x rp=%#p\n", </td></tr><tr><th id="L1555"><a href="#L1555">1555</a></th><td> i, MemInfo3.AllocationBase, MemInfo3.BaseAddress, MemInfo3.RegionSize, MemInfo3.State, </td></tr><tr><th id="L1556"><a href="#L1556">1556</a></th><td> MemInfo3.AllocationProtect, MemInfo3.Protect)); </td></tr><tr><th id="L1557"><a href="#L1557">1557</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1558"><a href="#L1558">1558</a></th><td> if (MemInfo3.State == MEM_FREE || !(pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW)) </td></tr><tr><th id="L1559"><a href="#L1559">1559</a></th><td> break; </td></tr><tr><th id="L1560"><a href="#L1560">1560</a></th><td> NtYieldExecution(); </td></tr><tr><th id="L1561"><a href="#L1561">1561</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Retrying free...\n")); </td></tr><tr><th id="L1562"><a href="#L1562">1562</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1563"><a href="#L1563">1563</a></th><td> } </td></tr><tr><th id="L1564"><a href="#L1564">1564</a></th><td> </td></tr><tr><th id="L1565"><a href="#L1565">1565</a></th><td> /* </td></tr><tr><th id="L1566"><a href="#L1566">1566</a></th><td> * Restore memory as non-executable - Kludge for Trend Micro sakfile.sys </td></tr><tr><th id="L1567"><a href="#L1567">1567</a></th><td> * and Digital Guardian dgmaster.sys BSODs. </td></tr><tr><th id="L1568"><a href="#L1568">1568</a></th><td> */ </td></tr><tr><th id="L1569"><a href="#L1569">1569</a></th><td> if (NT_SUCCESS(rcNt) && (pThis->fFlags & SUPHARDNTVP_F_EXEC_ALLOC_REPLACE_WITH_RW)) </td></tr><tr><th id="L1570"><a href="#L1570">1570</a></th><td> { </td></tr><tr><th id="L1571"><a href="#L1571">1571</a></th><td> PVOID pvAlloc = pvFree; </td></tr><tr><th id="L1572"><a href="#L1572">1572</a></th><td> SIZE_T cbAlloc = cbFree; </td></tr><tr><th id="L1573"><a href="#L1573">1573</a></th><td> rcNt = NtAllocateVirtualMemory(hProcess, &pvAlloc, 0, &cbAlloc, MEM_COMMIT, PAGE_READWRITE); </td></tr><tr><th id="L1574"><a href="#L1574">1574</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1575"><a href="#L1575">1575</a></th><td> { </td></tr><tr><th id="L1576"><a href="#L1576">1576</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, </td></tr><tr><th id="L1577"><a href="#L1577">1577</a></th><td> "NtAllocateVirtualMemory (%p LB %#zx) failed with rcNt=%#x allocating " </td></tr><tr><th id="L1578"><a href="#L1578">1578</a></th><td> "replacement memory for working around buggy protection software. " </td></tr><tr><th id="L1579"><a href="#L1579">1579</a></th><td> "See VBoxStartup.log for more details", </td></tr><tr><th id="L1580"><a href="#L1580">1580</a></th><td> pvAlloc, cbFree, rcNt); </td></tr><tr><th id="L1581"><a href="#L1581">1581</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1582"><a href="#L1582">1582</a></th><td> NtTerminateProcess(hProcess, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED); </td></tr><tr><th id="L1583"><a href="#L1583">1583</a></th><td> return false; </td></tr><tr><th id="L1584"><a href="#L1584">1584</a></th><td> } </td></tr><tr><th id="L1585"><a href="#L1585">1585</a></th><td> </td></tr><tr><th id="L1586"><a href="#L1586">1586</a></th><td> if ( (uintptr_t)pvFree < (uintptr_t)pvAlloc </td></tr><tr><th id="L1587"><a href="#L1587">1587</a></th><td> || (uintptr_t)pvFree + cbFree > (uintptr_t)pvAlloc + cbFree) </td></tr><tr><th id="L1588"><a href="#L1588">1588</a></th><td> { </td></tr><tr><th id="L1589"><a href="#L1589">1589</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED, </td></tr><tr><th id="L1590"><a href="#L1590">1590</a></th><td> "We wanted NtAllocateVirtualMemory to get us %p LB %#zx, but it returned %p LB %#zx.", </td></tr><tr><th id="L1591"><a href="#L1591">1591</a></th><td> pMemInfo->BaseAddress, pMemInfo->RegionSize, pvFree, cbFree, rcNt); </td></tr><tr><th id="L1592"><a href="#L1592">1592</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1593"><a href="#L1593">1593</a></th><td> NtTerminateProcess(hProcess, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED); </td></tr><tr><th id="L1594"><a href="#L1594">1594</a></th><td> return false; </td></tr><tr><th id="L1595"><a href="#L1595">1595</a></th><td> } </td></tr><tr><th id="L1596"><a href="#L1596">1596</a></th><td> </td></tr><tr><th id="L1597"><a href="#L1597">1597</a></th><td> /* </td></tr><tr><th id="L1598"><a href="#L1598">1598</a></th><td> * Copy what we can, considering the 2nd free attempt. </td></tr><tr><th id="L1599"><a href="#L1599">1599</a></th><td> */ </td></tr><tr><th id="L1600"><a href="#L1600">1600</a></th><td> uint8_t *pbDst = (uint8_t *)pvFree; </td></tr><tr><th id="L1601"><a href="#L1601">1601</a></th><td> size_t cbDst = cbFree; </td></tr><tr><th id="L1602"><a href="#L1602">1602</a></th><td> uint8_t *pbSrc = (uint8_t *)pvCopy; </td></tr><tr><th id="L1603"><a href="#L1603">1603</a></th><td> size_t cbSrc = cbCopy; </td></tr><tr><th id="L1604"><a href="#L1604">1604</a></th><td> if ((uintptr_t)pbDst != uCopySrc) </td></tr><tr><th id="L1605"><a href="#L1605">1605</a></th><td> { </td></tr><tr><th id="L1606"><a href="#L1606">1606</a></th><td> if ((uintptr_t)pbDst > uCopySrc) </td></tr><tr><th id="L1607"><a href="#L1607">1607</a></th><td> { </td></tr><tr><th id="L1608"><a href="#L1608">1608</a></th><td> uintptr_t cbAdj = (uintptr_t)pbDst - uCopySrc; </td></tr><tr><th id="L1609"><a href="#L1609">1609</a></th><td> pbSrc += cbAdj; </td></tr><tr><th id="L1610"><a href="#L1610">1610</a></th><td> cbSrc -= cbAdj; </td></tr><tr><th id="L1611"><a href="#L1611">1611</a></th><td> } </td></tr><tr><th id="L1612"><a href="#L1612">1612</a></th><td> else </td></tr><tr><th id="L1613"><a href="#L1613">1613</a></th><td> { </td></tr><tr><th id="L1614"><a href="#L1614">1614</a></th><td> uintptr_t cbAdj = uCopySrc - (uintptr_t)pbDst; </td></tr><tr><th id="L1615"><a href="#L1615">1615</a></th><td> pbDst += cbAdj; </td></tr><tr><th id="L1616"><a href="#L1616">1616</a></th><td> cbDst -= cbAdj; </td></tr><tr><th id="L1617"><a href="#L1617">1617</a></th><td> } </td></tr><tr><th id="L1618"><a href="#L1618">1618</a></th><td> } </td></tr><tr><th id="L1619"><a href="#L1619">1619</a></th><td> if (cbSrc > cbDst) </td></tr><tr><th id="L1620"><a href="#L1620">1620</a></th><td> cbSrc = cbDst; </td></tr><tr><th id="L1621"><a href="#L1621">1621</a></th><td> </td></tr><tr><th id="L1622"><a href="#L1622">1622</a></th><td> SIZE_T cbWritten; </td></tr><tr><th id="L1623"><a href="#L1623">1623</a></th><td> rcNt = NtWriteVirtualMemory(hProcess, pbDst, pbSrc, cbSrc, &cbWritten); </td></tr><tr><th id="L1624"><a href="#L1624">1624</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1625"><a href="#L1625">1625</a></th><td> { </td></tr><tr><th id="L1626"><a href="#L1626">1626</a></th><td> SUP_DPRINTF(("supHardNtVpFreeOrReplacePrivateExecMemory: Restored the exec memory as non-exec.\n")); </td></tr><tr><th id="L1627"><a href="#L1627">1627</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1628"><a href="#L1628">1628</a></th><td> } </td></tr><tr><th id="L1629"><a href="#L1629">1629</a></th><td> else </td></tr><tr><th id="L1630"><a href="#L1630">1630</a></th><td> { </td></tr><tr><th id="L1631"><a href="#L1631">1631</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FREE_VIRTUAL_MEMORY_FAILED, </td></tr><tr><th id="L1632"><a href="#L1632">1632</a></th><td> "NtWriteVirtualMemory (%p LB %#zx) failed: %#x", </td></tr><tr><th id="L1633"><a href="#L1633">1633</a></th><td> pMemInfo->BaseAddress, pMemInfo->RegionSize, rcNt); </td></tr><tr><th id="L1634"><a href="#L1634">1634</a></th><td> supR3HardenedLogFlush(); </td></tr><tr><th id="L1635"><a href="#L1635">1635</a></th><td> NtTerminateProcess(hProcess, VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED); </td></tr><tr><th id="L1636"><a href="#L1636">1636</a></th><td> return false; </td></tr><tr><th id="L1637"><a href="#L1637">1637</a></th><td> } </td></tr><tr><th id="L1638"><a href="#L1638">1638</a></th><td> } </td></tr><tr><th id="L1639"><a href="#L1639">1639</a></th><td> if (pvCopy) </td></tr><tr><th id="L1640"><a href="#L1640">1640</a></th><td> RTMemFree(pvCopy); </td></tr><tr><th id="L1641"><a href="#L1641">1641</a></th><td> return true; </td></tr><tr><th id="L1642"><a href="#L1642">1642</a></th><td>} </td></tr><tr><th id="L1643"><a href="#L1643">1643</a></th><td>#endif /* IN_RING3 */ </td></tr><tr><th id="L1644"><a href="#L1644">1644</a></th><td> </td></tr><tr><th id="L1645"><a href="#L1645">1645</a></th><td> </td></tr><tr><th id="L1646"><a href="#L1646">1646</a></th><td>/** </td></tr><tr><th id="L1647"><a href="#L1647">1647</a></th><td> * Scans the virtual memory of the process. </td></tr><tr><th id="L1648"><a href="#L1648">1648</a></th><td> * </td></tr><tr><th id="L1649"><a href="#L1649">1649</a></th><td> * This collects the locations of DLLs and the EXE, and verifies that executable </td></tr><tr><th id="L1650"><a href="#L1650">1650</a></th><td> * memory is only associated with these. May trash pThis->abMemory. </td></tr><tr><th id="L1651"><a href="#L1651">1651</a></th><td> * </td></tr><tr><th id="L1652"><a href="#L1652">1652</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1653"><a href="#L1653">1653</a></th><td> * @param pThis The process scanning state structure. Details </td></tr><tr><th id="L1654"><a href="#L1654">1654</a></th><td> * about images are added to this. </td></tr><tr><th id="L1655"><a href="#L1655">1655</a></th><td> * @param hProcess The process to verify. </td></tr><tr><th id="L1656"><a href="#L1656">1656</a></th><td> */ </td></tr><tr><th id="L1657"><a href="#L1657">1657</a></th><td>static int supHardNtVpScanVirtualMemory(PSUPHNTVPSTATE pThis, HANDLE hProcess) </td></tr><tr><th id="L1658"><a href="#L1658">1658</a></th><td>{ </td></tr><tr><th id="L1659"><a href="#L1659">1659</a></th><td> SUP_DPRINTF(("supHardNtVpScanVirtualMemory: enmKind=%s\n", </td></tr><tr><th id="L1660"><a href="#L1660">1660</a></th><td> pThis->enmKind == SUPHARDNTVPKIND_VERIFY_ONLY ? "VERIFY_ONLY" : </td></tr><tr><th id="L1661"><a href="#L1661">1661</a></th><td> pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION ? "CHILD_PURIFICATION" : "SELF_PURIFICATION")); </td></tr><tr><th id="L1662"><a href="#L1662">1662</a></th><td> </td></tr><tr><th id="L1663"><a href="#L1663">1663</a></th><td> uint32_t cXpExceptions = 0; </td></tr><tr><th id="L1664"><a href="#L1664">1664</a></th><td> uintptr_t cbAdvance = 0; </td></tr><tr><th id="L1665"><a href="#L1665">1665</a></th><td> uintptr_t uPtrWhere = 0; </td></tr><tr><th id="L1666"><a href="#L1666">1666</a></th><td>#ifdef VBOX_PERMIT_VERIFIER_DLL </td></tr><tr><th id="L1667"><a href="#L1667">1667</a></th><td> for (uint32_t i = 0; i < 10240; i++) </td></tr><tr><th id="L1668"><a href="#L1668">1668</a></th><td>#else </td></tr><tr><th id="L1669"><a href="#L1669">1669</a></th><td> for (uint32_t i = 0; i < 1024; i++) </td></tr><tr><th id="L1670"><a href="#L1670">1670</a></th><td>#endif </td></tr><tr><th id="L1671"><a href="#L1671">1671</a></th><td> { </td></tr><tr><th id="L1672"><a href="#L1672">1672</a></th><td> SIZE_T cbActual = 0; </td></tr><tr><th id="L1673"><a href="#L1673">1673</a></th><td> MEMORY_BASIC_INFORMATION MemInfo = { 0, 0, 0, 0, 0, 0, 0 }; </td></tr><tr><th id="L1674"><a href="#L1674">1674</a></th><td> NTSTATUS rcNt = g_pfnNtQueryVirtualMemory(hProcess, </td></tr><tr><th id="L1675"><a href="#L1675">1675</a></th><td> (void const *)uPtrWhere, </td></tr><tr><th id="L1676"><a href="#L1676">1676</a></th><td> MemoryBasicInformation, </td></tr><tr><th id="L1677"><a href="#L1677">1677</a></th><td> &MemInfo, </td></tr><tr><th id="L1678"><a href="#L1678">1678</a></th><td> sizeof(MemInfo), </td></tr><tr><th id="L1679"><a href="#L1679">1679</a></th><td> &cbActual); </td></tr><tr><th id="L1680"><a href="#L1680">1680</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1681"><a href="#L1681">1681</a></th><td> { </td></tr><tr><th id="L1682"><a href="#L1682">1682</a></th><td> if (rcNt == STATUS_INVALID_PARAMETER) </td></tr><tr><th id="L1683"><a href="#L1683">1683</a></th><td> return pThis->rcResult; </td></tr><tr><th id="L1684"><a href="#L1684">1684</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_ERROR, </td></tr><tr><th id="L1685"><a href="#L1685">1685</a></th><td> "NtQueryVirtualMemory failed for %p: %#x", uPtrWhere, rcNt); </td></tr><tr><th id="L1686"><a href="#L1686">1686</a></th><td> } </td></tr><tr><th id="L1687"><a href="#L1687">1687</a></th><td> </td></tr><tr><th id="L1688"><a href="#L1688">1688</a></th><td> /* </td></tr><tr><th id="L1689"><a href="#L1689">1689</a></th><td> * Record images. </td></tr><tr><th id="L1690"><a href="#L1690">1690</a></th><td> */ </td></tr><tr><th id="L1691"><a href="#L1691">1691</a></th><td> if ( MemInfo.Type == SEC_IMAGE </td></tr><tr><th id="L1692"><a href="#L1692">1692</a></th><td> || MemInfo.Type == SEC_PROTECTED_IMAGE </td></tr><tr><th id="L1693"><a href="#L1693">1693</a></th><td> || MemInfo.Type == (SEC_IMAGE | SEC_PROTECTED_IMAGE)) </td></tr><tr><th id="L1694"><a href="#L1694">1694</a></th><td> { </td></tr><tr><th id="L1695"><a href="#L1695">1695</a></th><td> uint32_t iImg = pThis->cImages; </td></tr><tr><th id="L1696"><a href="#L1696">1696</a></th><td> rcNt = g_pfnNtQueryVirtualMemory(hProcess, </td></tr><tr><th id="L1697"><a href="#L1697">1697</a></th><td> (void const *)uPtrWhere, </td></tr><tr><th id="L1698"><a href="#L1698">1698</a></th><td> MemorySectionName, </td></tr><tr><th id="L1699"><a href="#L1699">1699</a></th><td> &pThis->aImages[iImg].Name, </td></tr><tr><th id="L1700"><a href="#L1700">1700</a></th><td> sizeof(pThis->aImages[iImg].Name) - sizeof(WCHAR), </td></tr><tr><th id="L1701"><a href="#L1701">1701</a></th><td> &cbActual); </td></tr><tr><th id="L1702"><a href="#L1702">1702</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1703"><a href="#L1703">1703</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_VIRTUAL_MEMORY_NM_ERROR, </td></tr><tr><th id="L1704"><a href="#L1704">1704</a></th><td> "NtQueryVirtualMemory/MemorySectionName failed for %p: %#x", uPtrWhere, rcNt); </td></tr><tr><th id="L1705"><a href="#L1705">1705</a></th><td> pThis->aImages[iImg].Name.UniStr.Buffer[pThis->aImages[iImg].Name.UniStr.Length / sizeof(WCHAR)] = '\0'; </td></tr><tr><th id="L1706"><a href="#L1706">1706</a></th><td> SUP_DPRINTF((MemInfo.AllocationBase == MemInfo.BaseAddress </td></tr><tr><th id="L1707"><a href="#L1707">1707</a></th><td> ? " *%p-%p %#06x/%#06x %#09x %ls\n" </td></tr><tr><th id="L1708"><a href="#L1708">1708</a></th><td> : " %p-%p %#06x/%#06x %#09x %ls\n", </td></tr><tr><th id="L1709"><a href="#L1709">1709</a></th><td> MemInfo.BaseAddress, (uintptr_t)MemInfo.BaseAddress + MemInfo.RegionSize - 1, MemInfo.Protect, </td></tr><tr><th id="L1710"><a href="#L1710">1710</a></th><td> MemInfo.AllocationProtect, MemInfo.Type, pThis->aImages[iImg].Name.UniStr.Buffer)); </td></tr><tr><th id="L1711"><a href="#L1711">1711</a></th><td> </td></tr><tr><th id="L1712"><a href="#L1712">1712</a></th><td> /* New or existing image? */ </td></tr><tr><th id="L1713"><a href="#L1713">1713</a></th><td> bool fNew = true; </td></tr><tr><th id="L1714"><a href="#L1714">1714</a></th><td> uint32_t iSearch = iImg; </td></tr><tr><th id="L1715"><a href="#L1715">1715</a></th><td> while (iSearch-- > 0) </td></tr><tr><th id="L1716"><a href="#L1716">1716</a></th><td> if (supHardNtVpAreUniStringsEqual(&pThis->aImages[iSearch].Name.UniStr, &pThis->aImages[iImg].Name.UniStr)) </td></tr><tr><th id="L1717"><a href="#L1717">1717</a></th><td> { </td></tr><tr><th id="L1718"><a href="#L1718">1718</a></th><td> int rc = supHardNtVpAddRegion(pThis, &pThis->aImages[iSearch], &MemInfo); </td></tr><tr><th id="L1719"><a href="#L1719">1719</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L1720"><a href="#L1720">1720</a></th><td> return rc; </td></tr><tr><th id="L1721"><a href="#L1721">1721</a></th><td> fNew = false; </td></tr><tr><th id="L1722"><a href="#L1722">1722</a></th><td> break; </td></tr><tr><th id="L1723"><a href="#L1723">1723</a></th><td> } </td></tr><tr><th id="L1724"><a href="#L1724">1724</a></th><td> else if (pThis->aImages[iSearch].uImageBase == (uintptr_t)MemInfo.AllocationBase) </td></tr><tr><th id="L1725"><a href="#L1725">1725</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_MAPPING_NAME_CHANGED, </td></tr><tr><th id="L1726"><a href="#L1726">1726</a></th><td> "Unexpected base address match"); </td></tr><tr><th id="L1727"><a href="#L1727">1727</a></th><td> </td></tr><tr><th id="L1728"><a href="#L1728">1728</a></th><td> if (fNew) </td></tr><tr><th id="L1729"><a href="#L1729">1729</a></th><td> { </td></tr><tr><th id="L1730"><a href="#L1730">1730</a></th><td> int rc = supHardNtVpNewImage(pThis, &pThis->aImages[iImg], &MemInfo); </td></tr><tr><th id="L1731"><a href="#L1731">1731</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L1732"><a href="#L1732">1732</a></th><td> { </td></tr><tr><th id="L1733"><a href="#L1733">1733</a></th><td> if (rc != VINF_OBJECT_DESTROYED) </td></tr><tr><th id="L1734"><a href="#L1734">1734</a></th><td> { </td></tr><tr><th id="L1735"><a href="#L1735">1735</a></th><td> pThis->cImages++; </td></tr><tr><th id="L1736"><a href="#L1736">1736</a></th><td> if (pThis->cImages >= RT_ELEMENTS(pThis->aImages)) </td></tr><tr><th id="L1737"><a href="#L1737">1737</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_DLLS_LOADED, </td></tr><tr><th id="L1738"><a href="#L1738">1738</a></th><td> "Internal error: aImages is full.\n"); </td></tr><tr><th id="L1739"><a href="#L1739">1739</a></th><td> } </td></tr><tr><th id="L1740"><a href="#L1740">1740</a></th><td> } </td></tr><tr><th id="L1741"><a href="#L1741">1741</a></th><td>#ifdef IN_RING3 /* Continue and add more information if unknown DLLs are found. */ </td></tr><tr><th id="L1742"><a href="#L1742">1742</a></th><td> else if (rc != VERR_SUP_VP_NOT_KNOWN_DLL_OR_EXE && rc != VERR_SUP_VP_NON_SYSTEM32_DLL) </td></tr><tr><th id="L1743"><a href="#L1743">1743</a></th><td> return rc; </td></tr><tr><th id="L1744"><a href="#L1744">1744</a></th><td>#else </td></tr><tr><th id="L1745"><a href="#L1745">1745</a></th><td> else </td></tr><tr><th id="L1746"><a href="#L1746">1746</a></th><td> return rc; </td></tr><tr><th id="L1747"><a href="#L1747">1747</a></th><td>#endif </td></tr><tr><th id="L1748"><a href="#L1748">1748</a></th><td> } </td></tr><tr><th id="L1749"><a href="#L1749">1749</a></th><td> } </td></tr><tr><th id="L1750"><a href="#L1750">1750</a></th><td> /* </td></tr><tr><th id="L1751"><a href="#L1751">1751</a></th><td> * XP, W2K3: Ignore the CSRSS read-only region as best we can. </td></tr><tr><th id="L1752"><a href="#L1752">1752</a></th><td> */ </td></tr><tr><th id="L1753"><a href="#L1753">1753</a></th><td> else if ( (MemInfo.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) </td></tr><tr><th id="L1754"><a href="#L1754">1754</a></th><td> == PAGE_EXECUTE_READ </td></tr><tr><th id="L1755"><a href="#L1755">1755</a></th><td> && cXpExceptions == 0 </td></tr><tr><th id="L1756"><a href="#L1756">1756</a></th><td> && (uintptr_t)MemInfo.BaseAddress >= UINT32_C(0x78000000) </td></tr><tr><th id="L1757"><a href="#L1757">1757</a></th><td> /* && MemInfo.BaseAddress == pPeb->ReadOnlySharedMemoryBase */ </td></tr><tr><th id="L1758"><a href="#L1758">1758</a></th><td> && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 0) ) </td></tr><tr><th id="L1759"><a href="#L1759">1759</a></th><td> { </td></tr><tr><th id="L1760"><a href="#L1760">1760</a></th><td> cXpExceptions++; </td></tr><tr><th id="L1761"><a href="#L1761">1761</a></th><td> SUP_DPRINTF((" %p-%p %#06x/%#06x %#09x XP CSRSS read-only region\n", MemInfo.BaseAddress, </td></tr><tr><th id="L1762"><a href="#L1762">1762</a></th><td> (uintptr_t)MemInfo.BaseAddress + MemInfo.RegionSize - 1, MemInfo.Protect, </td></tr><tr><th id="L1763"><a href="#L1763">1763</a></th><td> MemInfo.AllocationProtect, MemInfo.Type)); </td></tr><tr><th id="L1764"><a href="#L1764">1764</a></th><td> } </td></tr><tr><th id="L1765"><a href="#L1765">1765</a></th><td> /* </td></tr><tr><th id="L1766"><a href="#L1766">1766</a></th><td> * Executable memory? </td></tr><tr><th id="L1767"><a href="#L1767">1767</a></th><td> */ </td></tr><tr><th id="L1768"><a href="#L1768">1768</a></th><td>#ifndef VBOX_PERMIT_VISUAL_STUDIO_PROFILING </td></tr><tr><th id="L1769"><a href="#L1769">1769</a></th><td> else if (MemInfo.Protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) </td></tr><tr><th id="L1770"><a href="#L1770">1770</a></th><td> { </td></tr><tr><th id="L1771"><a href="#L1771">1771</a></th><td> SUP_DPRINTF((MemInfo.AllocationBase == MemInfo.BaseAddress </td></tr><tr><th id="L1772"><a href="#L1772">1772</a></th><td> ? " *%p-%p %#06x/%#06x %#09x !!\n" </td></tr><tr><th id="L1773"><a href="#L1773">1773</a></th><td> : " %p-%p %#06x/%#06x %#09x !!\n", </td></tr><tr><th id="L1774"><a href="#L1774">1774</a></th><td> MemInfo.BaseAddress, (uintptr_t)MemInfo.BaseAddress + MemInfo.RegionSize - 1, </td></tr><tr><th id="L1775"><a href="#L1775">1775</a></th><td> MemInfo.Protect, MemInfo.AllocationProtect, MemInfo.Type)); </td></tr><tr><th id="L1776"><a href="#L1776">1776</a></th><td># ifdef IN_RING3 </td></tr><tr><th id="L1777"><a href="#L1777">1777</a></th><td> if (pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L1778"><a href="#L1778">1778</a></th><td> { </td></tr><tr><th id="L1779"><a href="#L1779">1779</a></th><td> /* </td></tr><tr><th id="L1780"><a href="#L1780">1780</a></th><td> * Free any private executable memory (sysplant.sys allocates executable memory). </td></tr><tr><th id="L1781"><a href="#L1781">1781</a></th><td> */ </td></tr><tr><th id="L1782"><a href="#L1782">1782</a></th><td> if (MemInfo.Type == MEM_PRIVATE) </td></tr><tr><th id="L1783"><a href="#L1783">1783</a></th><td> { </td></tr><tr><th id="L1784"><a href="#L1784">1784</a></th><td> if (!supHardNtVpFreeOrReplacePrivateExecMemory(pThis, hProcess, &MemInfo)) </td></tr><tr><th id="L1785"><a href="#L1785">1785</a></th><td> break; </td></tr><tr><th id="L1786"><a href="#L1786">1786</a></th><td> } </td></tr><tr><th id="L1787"><a href="#L1787">1787</a></th><td> /* </td></tr><tr><th id="L1788"><a href="#L1788">1788</a></th><td> * Unmap mapped memory, failing that, drop exec privileges. </td></tr><tr><th id="L1789"><a href="#L1789">1789</a></th><td> */ </td></tr><tr><th id="L1790"><a href="#L1790">1790</a></th><td> else if (MemInfo.Type == MEM_MAPPED) </td></tr><tr><th id="L1791"><a href="#L1791">1791</a></th><td> { </td></tr><tr><th id="L1792"><a href="#L1792">1792</a></th><td> SUP_DPRINTF(("supHardNtVpScanVirtualMemory: Unmapping exec mem at %p (%p/%p LB %#zx)\n", </td></tr><tr><th id="L1793"><a href="#L1793">1793</a></th><td> uPtrWhere, MemInfo.AllocationBase, MemInfo.BaseAddress, MemInfo.RegionSize)); </td></tr><tr><th id="L1794"><a href="#L1794">1794</a></th><td> rcNt = NtUnmapViewOfSection(hProcess, MemInfo.AllocationBase); </td></tr><tr><th id="L1795"><a href="#L1795">1795</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L1796"><a href="#L1796">1796</a></th><td> { </td></tr><tr><th id="L1797"><a href="#L1797">1797</a></th><td> PVOID pvCopy = MemInfo.BaseAddress; </td></tr><tr><th id="L1798"><a href="#L1798">1798</a></th><td> SIZE_T cbCopy = MemInfo.RegionSize; </td></tr><tr><th id="L1799"><a href="#L1799">1799</a></th><td> NTSTATUS rcNt2 = NtProtectVirtualMemory(hProcess, &pvCopy, &cbCopy, PAGE_NOACCESS, NULL); </td></tr><tr><th id="L1800"><a href="#L1800">1800</a></th><td> if (!NT_SUCCESS(rcNt2)) </td></tr><tr><th id="L1801"><a href="#L1801">1801</a></th><td> rcNt2 = NtProtectVirtualMemory(hProcess, &pvCopy, &cbCopy, PAGE_READONLY, NULL); </td></tr><tr><th id="L1802"><a href="#L1802">1802</a></th><td> if (!NT_SUCCESS(rcNt2)) </td></tr><tr><th id="L1803"><a href="#L1803">1803</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNMAP_AND_PROTECT_FAILED, </td></tr><tr><th id="L1804"><a href="#L1804">1804</a></th><td> "NtUnmapViewOfSection (%p/%p LB %#zx) failed: %#x (%#x)", </td></tr><tr><th id="L1805"><a href="#L1805">1805</a></th><td> MemInfo.AllocationBase, MemInfo.BaseAddress, MemInfo.RegionSize, rcNt, rcNt2); </td></tr><tr><th id="L1806"><a href="#L1806">1806</a></th><td> } </td></tr><tr><th id="L1807"><a href="#L1807">1807</a></th><td> } </td></tr><tr><th id="L1808"><a href="#L1808">1808</a></th><td> else </td></tr><tr><th id="L1809"><a href="#L1809">1809</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_UNKOWN_MEM_TYPE, </td></tr><tr><th id="L1810"><a href="#L1810">1810</a></th><td> "Unknown executable memory type %#x at %p/%p LB %#zx", </td></tr><tr><th id="L1811"><a href="#L1811">1811</a></th><td> MemInfo.Type, MemInfo.AllocationBase, MemInfo.BaseAddress, MemInfo.RegionSize); </td></tr><tr><th id="L1812"><a href="#L1812">1812</a></th><td> pThis->cFixes++; </td></tr><tr><th id="L1813"><a href="#L1813">1813</a></th><td> } </td></tr><tr><th id="L1814"><a href="#L1814">1814</a></th><td> else </td></tr><tr><th id="L1815"><a href="#L1815">1815</a></th><td># endif /* IN_RING3 */ </td></tr><tr><th id="L1816"><a href="#L1816">1816</a></th><td> supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FOUND_EXEC_MEMORY, </td></tr><tr><th id="L1817"><a href="#L1817">1817</a></th><td> "Found executable memory at %p (%p LB %#zx): type=%#x prot=%#x state=%#x aprot=%#x abase=%p", </td></tr><tr><th id="L1818"><a href="#L1818">1818</a></th><td> uPtrWhere, MemInfo.BaseAddress, MemInfo.RegionSize, MemInfo.Type, MemInfo.Protect, </td></tr><tr><th id="L1819"><a href="#L1819">1819</a></th><td> MemInfo.State, MemInfo.AllocationBase, MemInfo.AllocationProtect); </td></tr><tr><th id="L1820"><a href="#L1820">1820</a></th><td> </td></tr><tr><th id="L1821"><a href="#L1821">1821</a></th><td># ifndef IN_RING3 </td></tr><tr><th id="L1822"><a href="#L1822">1822</a></th><td> if (RT_FAILURE(pThis->rcResult)) </td></tr><tr><th id="L1823"><a href="#L1823">1823</a></th><td> return pThis->rcResult; </td></tr><tr><th id="L1824"><a href="#L1824">1824</a></th><td># endif </td></tr><tr><th id="L1825"><a href="#L1825">1825</a></th><td> /* Continue add more information about the problematic process. */ </td></tr><tr><th id="L1826"><a href="#L1826">1826</a></th><td> } </td></tr><tr><th id="L1827"><a href="#L1827">1827</a></th><td>#endif /* VBOX_PERMIT_VISUAL_STUDIO_PROFILING */ </td></tr><tr><th id="L1828"><a href="#L1828">1828</a></th><td> else </td></tr><tr><th id="L1829"><a href="#L1829">1829</a></th><td> SUP_DPRINTF((MemInfo.AllocationBase == MemInfo.BaseAddress </td></tr><tr><th id="L1830"><a href="#L1830">1830</a></th><td> ? " *%p-%p %#06x/%#06x %#09x\n" </td></tr><tr><th id="L1831"><a href="#L1831">1831</a></th><td> : " %p-%p %#06x/%#06x %#09x\n", </td></tr><tr><th id="L1832"><a href="#L1832">1832</a></th><td> MemInfo.BaseAddress, (uintptr_t)MemInfo.BaseAddress + MemInfo.RegionSize - 1, </td></tr><tr><th id="L1833"><a href="#L1833">1833</a></th><td> MemInfo.Protect, MemInfo.AllocationProtect, MemInfo.Type)); </td></tr><tr><th id="L1834"><a href="#L1834">1834</a></th><td> </td></tr><tr><th id="L1835"><a href="#L1835">1835</a></th><td> /* </td></tr><tr><th id="L1836"><a href="#L1836">1836</a></th><td> * Advance. </td></tr><tr><th id="L1837"><a href="#L1837">1837</a></th><td> */ </td></tr><tr><th id="L1838"><a href="#L1838">1838</a></th><td> cbAdvance = MemInfo.RegionSize; </td></tr><tr><th id="L1839"><a href="#L1839">1839</a></th><td> if (uPtrWhere + cbAdvance <= uPtrWhere) </td></tr><tr><th id="L1840"><a href="#L1840">1840</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EMPTY_REGION_TOO_LARGE, </td></tr><tr><th id="L1841"><a href="#L1841">1841</a></th><td> "Empty region at %p.", uPtrWhere); </td></tr><tr><th id="L1842"><a href="#L1842">1842</a></th><td> uPtrWhere += MemInfo.RegionSize; </td></tr><tr><th id="L1843"><a href="#L1843">1843</a></th><td> } </td></tr><tr><th id="L1844"><a href="#L1844">1844</a></th><td> </td></tr><tr><th id="L1845"><a href="#L1845">1845</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_TOO_MANY_MEMORY_REGIONS, </td></tr><tr><th id="L1846"><a href="#L1846">1846</a></th><td> "Too many virtual memory regions.\n"); </td></tr><tr><th id="L1847"><a href="#L1847">1847</a></th><td>} </td></tr><tr><th id="L1848"><a href="#L1848">1848</a></th><td> </td></tr><tr><th id="L1849"><a href="#L1849">1849</a></th><td> </td></tr><tr><th id="L1850"><a href="#L1850">1850</a></th><td>/** </td></tr><tr><th id="L1851"><a href="#L1851">1851</a></th><td> * Verifies the loader image, i.e. check cryptographic signatures if present. </td></tr><tr><th id="L1852"><a href="#L1852">1852</a></th><td> * </td></tr><tr><th id="L1853"><a href="#L1853">1853</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L1854"><a href="#L1854">1854</a></th><td> * @param pEntry The loader cache entry. </td></tr><tr><th id="L1855"><a href="#L1855">1855</a></th><td> * @param pwszName The filename to use in error messages. </td></tr><tr><th id="L1856"><a href="#L1856">1856</a></th><td> * @param pErrInfo Where to return extened error information. </td></tr><tr><th id="L1857"><a href="#L1857">1857</a></th><td> */ </td></tr><tr><th id="L1858"><a href="#L1858">1858</a></th><td>DECLHIDDEN(int) supHardNtLdrCacheEntryVerify(PSUPHNTLDRCACHEENTRY pEntry, PCRTUTF16 pwszName, PRTERRINFO pErrInfo) </td></tr><tr><th id="L1859"><a href="#L1859">1859</a></th><td>{ </td></tr><tr><th id="L1860"><a href="#L1860">1860</a></th><td> int rc = VINF_SUCCESS; </td></tr><tr><th id="L1861"><a href="#L1861">1861</a></th><td> if (!pEntry->fVerified) </td></tr><tr><th id="L1862"><a href="#L1862">1862</a></th><td> { </td></tr><tr><th id="L1863"><a href="#L1863">1863</a></th><td> rc = supHardenedWinVerifyImageByLdrMod(pEntry->hLdrMod, pwszName, pEntry->pNtViRdr, </td></tr><tr><th id="L1864"><a href="#L1864">1864</a></th><td> false /*fAvoidWinVerifyTrust*/, NULL /*pfWinVerifyTrust*/, pErrInfo); </td></tr><tr><th id="L1865"><a href="#L1865">1865</a></th><td> pEntry->fVerified = RT_SUCCESS(rc); </td></tr><tr><th id="L1866"><a href="#L1866">1866</a></th><td> } </td></tr><tr><th id="L1867"><a href="#L1867">1867</a></th><td> return rc; </td></tr><tr><th id="L1868"><a href="#L1868">1868</a></th><td>} </td></tr><tr><th id="L1869"><a href="#L1869">1869</a></th><td> </td></tr><tr><th id="L1870"><a href="#L1870">1870</a></th><td> </td></tr><tr><th id="L1871"><a href="#L1871">1871</a></th><td>/** </td></tr><tr><th id="L1872"><a href="#L1872">1872</a></th><td> * Allocates a image bits buffer and calls RTLdrGetBits on them. </td></tr><tr><th id="L1873"><a href="#L1873">1873</a></th><td> * </td></tr><tr><th id="L1874"><a href="#L1874">1874</a></th><td> * An assumption here is that there won't ever be concurrent use of the cache. </td></tr><tr><th id="L1875"><a href="#L1875">1875</a></th><td> * It's currently 104% single threaded, non-reentrant. Thus, we can't reuse the </td></tr><tr><th id="L1876"><a href="#L1876">1876</a></th><td> * pbBits allocation. </td></tr><tr><th id="L1877"><a href="#L1877">1877</a></th><td> * </td></tr><tr><th id="L1878"><a href="#L1878">1878</a></th><td> * @returns VBox status code </td></tr><tr><th id="L1879"><a href="#L1879">1879</a></th><td> * @param pEntry The loader cache entry. </td></tr><tr><th id="L1880"><a href="#L1880">1880</a></th><td> * @param ppbBits Where to return the pointer to the allocation. </td></tr><tr><th id="L1881"><a href="#L1881">1881</a></th><td> * @param uBaseAddress The image base address, see RTLdrGetBits. </td></tr><tr><th id="L1882"><a href="#L1882">1882</a></th><td> * @param pfnGetImport Import getter, see RTLdrGetBits. </td></tr><tr><th id="L1883"><a href="#L1883">1883</a></th><td> * @param pvUser The user argument for @a pfnGetImport. </td></tr><tr><th id="L1884"><a href="#L1884">1884</a></th><td> * @param pErrInfo Where to return extened error information. </td></tr><tr><th id="L1885"><a href="#L1885">1885</a></th><td> */ </td></tr><tr><th id="L1886"><a href="#L1886">1886</a></th><td>DECLHIDDEN(int) supHardNtLdrCacheEntryGetBits(PSUPHNTLDRCACHEENTRY pEntry, uint8_t **ppbBits, </td></tr><tr><th id="L1887"><a href="#L1887">1887</a></th><td> RTLDRADDR uBaseAddress, PFNRTLDRIMPORT pfnGetImport, void *pvUser, </td></tr><tr><th id="L1888"><a href="#L1888">1888</a></th><td> PRTERRINFO pErrInfo) </td></tr><tr><th id="L1889"><a href="#L1889">1889</a></th><td>{ </td></tr><tr><th id="L1890"><a href="#L1890">1890</a></th><td> int rc; </td></tr><tr><th id="L1891"><a href="#L1891">1891</a></th><td> </td></tr><tr><th id="L1892"><a href="#L1892">1892</a></th><td> /* </td></tr><tr><th id="L1893"><a href="#L1893">1893</a></th><td> * First time around we have to allocate memory before we can get the image bits. </td></tr><tr><th id="L1894"><a href="#L1894">1894</a></th><td> */ </td></tr><tr><th id="L1895"><a href="#L1895">1895</a></th><td> if (!pEntry->pbBits) </td></tr><tr><th id="L1896"><a href="#L1896">1896</a></th><td> { </td></tr><tr><th id="L1897"><a href="#L1897">1897</a></th><td> size_t cbBits = RTLdrSize(pEntry->hLdrMod); </td></tr><tr><th id="L1898"><a href="#L1898">1898</a></th><td> if (cbBits >= _1M*32U) </td></tr><tr><th id="L1899"><a href="#L1899">1899</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_IMAGE_TOO_BIG, "Image %s is too large: %zu bytes (%#zx).", </td></tr><tr><th id="L1900"><a href="#L1900">1900</a></th><td> pEntry->pszName, cbBits, cbBits); </td></tr><tr><th id="L1901"><a href="#L1901">1901</a></th><td> </td></tr><tr><th id="L1902"><a href="#L1902">1902</a></th><td> pEntry->pbBits = (uint8_t *)RTMemAllocZ(cbBits); </td></tr><tr><th id="L1903"><a href="#L1903">1903</a></th><td> if (!pEntry->pbBits) </td></tr><tr><th id="L1904"><a href="#L1904">1904</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NO_MEMORY, "Failed to allocate %zu bytes for image %s.", </td></tr><tr><th id="L1905"><a href="#L1905">1905</a></th><td> cbBits, pEntry->pszName); </td></tr><tr><th id="L1906"><a href="#L1906">1906</a></th><td> </td></tr><tr><th id="L1907"><a href="#L1907">1907</a></th><td> pEntry->fValidBits = false; /* paranoia */ </td></tr><tr><th id="L1908"><a href="#L1908">1908</a></th><td> </td></tr><tr><th id="L1909"><a href="#L1909">1909</a></th><td> rc = RTLdrGetBits(pEntry->hLdrMod, pEntry->pbBits, uBaseAddress, pfnGetImport, pvUser); </td></tr><tr><th id="L1910"><a href="#L1910">1910</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L1911"><a href="#L1911">1911</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NO_MEMORY, "RTLdrGetBits failed on image %s: %Rrc", </td></tr><tr><th id="L1912"><a href="#L1912">1912</a></th><td> pEntry->pszName, rc); </td></tr><tr><th id="L1913"><a href="#L1913">1913</a></th><td> pEntry->uImageBase = uBaseAddress; </td></tr><tr><th id="L1914"><a href="#L1914">1914</a></th><td> pEntry->fValidBits = pfnGetImport == NULL; </td></tr><tr><th id="L1915"><a href="#L1915">1915</a></th><td> </td></tr><tr><th id="L1916"><a href="#L1916">1916</a></th><td> } </td></tr><tr><th id="L1917"><a href="#L1917">1917</a></th><td> /* </td></tr><tr><th id="L1918"><a href="#L1918">1918</a></th><td> * Cache hit? No? </td></tr><tr><th id="L1919"><a href="#L1919">1919</a></th><td> * </td></tr><tr><th id="L1920"><a href="#L1920">1920</a></th><td> * Note! We cannot currently cache image bits for images with imports as we </td></tr><tr><th id="L1921"><a href="#L1921">1921</a></th><td> * don't control the way they're resolved. Fortunately, NTDLL and </td></tr><tr><th id="L1922"><a href="#L1922">1922</a></th><td> * the VM process images all have no imports. </td></tr><tr><th id="L1923"><a href="#L1923">1923</a></th><td> */ </td></tr><tr><th id="L1924"><a href="#L1924">1924</a></th><td> else if ( !pEntry->fValidBits </td></tr><tr><th id="L1925"><a href="#L1925">1925</a></th><td> || pEntry->uImageBase != uBaseAddress </td></tr><tr><th id="L1926"><a href="#L1926">1926</a></th><td> || pfnGetImport) </td></tr><tr><th id="L1927"><a href="#L1927">1927</a></th><td> { </td></tr><tr><th id="L1928"><a href="#L1928">1928</a></th><td> pEntry->fValidBits = false; </td></tr><tr><th id="L1929"><a href="#L1929">1929</a></th><td> </td></tr><tr><th id="L1930"><a href="#L1930">1930</a></th><td> rc = RTLdrGetBits(pEntry->hLdrMod, pEntry->pbBits, uBaseAddress, pfnGetImport, pvUser); </td></tr><tr><th id="L1931"><a href="#L1931">1931</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L1932"><a href="#L1932">1932</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NO_MEMORY, "RTLdrGetBits failed on image %s: %Rrc", </td></tr><tr><th id="L1933"><a href="#L1933">1933</a></th><td> pEntry->pszName, rc); </td></tr><tr><th id="L1934"><a href="#L1934">1934</a></th><td> pEntry->uImageBase = uBaseAddress; </td></tr><tr><th id="L1935"><a href="#L1935">1935</a></th><td> pEntry->fValidBits = pfnGetImport == NULL; </td></tr><tr><th id="L1936"><a href="#L1936">1936</a></th><td> } </td></tr><tr><th id="L1937"><a href="#L1937">1937</a></th><td> </td></tr><tr><th id="L1938"><a href="#L1938">1938</a></th><td> *ppbBits = pEntry->pbBits; </td></tr><tr><th id="L1939"><a href="#L1939">1939</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L1940"><a href="#L1940">1940</a></th><td>} </td></tr><tr><th id="L1941"><a href="#L1941">1941</a></th><td> </td></tr><tr><th id="L1942"><a href="#L1942">1942</a></th><td> </td></tr><tr><th id="L1943"><a href="#L1943">1943</a></th><td>/** </td></tr><tr><th id="L1944"><a href="#L1944">1944</a></th><td> * Frees all resources associated with a cache entry and wipes the members </td></tr><tr><th id="L1945"><a href="#L1945">1945</a></th><td> * clean. </td></tr><tr><th id="L1946"><a href="#L1946">1946</a></th><td> * </td></tr><tr><th id="L1947"><a href="#L1947">1947</a></th><td> * @param pEntry The entry to delete. </td></tr><tr><th id="L1948"><a href="#L1948">1948</a></th><td> */ </td></tr><tr><th id="L1949"><a href="#L1949">1949</a></th><td>static void supHardNTLdrCacheDeleteEntry(PSUPHNTLDRCACHEENTRY pEntry) </td></tr><tr><th id="L1950"><a href="#L1950">1950</a></th><td>{ </td></tr><tr><th id="L1951"><a href="#L1951">1951</a></th><td> if (pEntry->pbBits) </td></tr><tr><th id="L1952"><a href="#L1952">1952</a></th><td> { </td></tr><tr><th id="L1953"><a href="#L1953">1953</a></th><td> RTMemFree(pEntry->pbBits); </td></tr><tr><th id="L1954"><a href="#L1954">1954</a></th><td> pEntry->pbBits = NULL; </td></tr><tr><th id="L1955"><a href="#L1955">1955</a></th><td> } </td></tr><tr><th id="L1956"><a href="#L1956">1956</a></th><td> </td></tr><tr><th id="L1957"><a href="#L1957">1957</a></th><td> if (pEntry->hLdrMod != NIL_RTLDRMOD) </td></tr><tr><th id="L1958"><a href="#L1958">1958</a></th><td> { </td></tr><tr><th id="L1959"><a href="#L1959">1959</a></th><td> RTLdrClose(pEntry->hLdrMod); </td></tr><tr><th id="L1960"><a href="#L1960">1960</a></th><td> pEntry->hLdrMod = NIL_RTLDRMOD; </td></tr><tr><th id="L1961"><a href="#L1961">1961</a></th><td> pEntry->pNtViRdr = NULL; </td></tr><tr><th id="L1962"><a href="#L1962">1962</a></th><td> } </td></tr><tr><th id="L1963"><a href="#L1963">1963</a></th><td> else if (pEntry->pNtViRdr) </td></tr><tr><th id="L1964"><a href="#L1964">1964</a></th><td> { </td></tr><tr><th id="L1965"><a href="#L1965">1965</a></th><td> pEntry->pNtViRdr->Core.pfnDestroy(&pEntry->pNtViRdr->Core); </td></tr><tr><th id="L1966"><a href="#L1966">1966</a></th><td> pEntry->pNtViRdr = NULL; </td></tr><tr><th id="L1967"><a href="#L1967">1967</a></th><td> } </td></tr><tr><th id="L1968"><a href="#L1968">1968</a></th><td> </td></tr><tr><th id="L1969"><a href="#L1969">1969</a></th><td> if (pEntry->hFile) </td></tr><tr><th id="L1970"><a href="#L1970">1970</a></th><td> { </td></tr><tr><th id="L1971"><a href="#L1971">1971</a></th><td> NtClose(pEntry->hFile); </td></tr><tr><th id="L1972"><a href="#L1972">1972</a></th><td> pEntry->hFile = NULL; </td></tr><tr><th id="L1973"><a href="#L1973">1973</a></th><td> } </td></tr><tr><th id="L1974"><a href="#L1974">1974</a></th><td> </td></tr><tr><th id="L1975"><a href="#L1975">1975</a></th><td> pEntry->pszName = NULL; </td></tr><tr><th id="L1976"><a href="#L1976">1976</a></th><td> pEntry->fVerified = false; </td></tr><tr><th id="L1977"><a href="#L1977">1977</a></th><td> pEntry->fValidBits = false; </td></tr><tr><th id="L1978"><a href="#L1978">1978</a></th><td> pEntry->uImageBase = 0; </td></tr><tr><th id="L1979"><a href="#L1979">1979</a></th><td>} </td></tr><tr><th id="L1980"><a href="#L1980">1980</a></th><td> </td></tr><tr><th id="L1981"><a href="#L1981">1981</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L1982"><a href="#L1982">1982</a></th><td> </td></tr><tr><th id="L1983"><a href="#L1983">1983</a></th><td>/** </td></tr><tr><th id="L1984"><a href="#L1984">1984</a></th><td> * Flushes the cache. </td></tr><tr><th id="L1985"><a href="#L1985">1985</a></th><td> * </td></tr><tr><th id="L1986"><a href="#L1986">1986</a></th><td> * This is called from one of two points in the hardened main code, first is </td></tr><tr><th id="L1987"><a href="#L1987">1987</a></th><td> * after respawning and the second is when we open the vboxdrv device for </td></tr><tr><th id="L1988"><a href="#L1988">1988</a></th><td> * unrestricted access. </td></tr><tr><th id="L1989"><a href="#L1989">1989</a></th><td> */ </td></tr><tr><th id="L1990"><a href="#L1990">1990</a></th><td>DECLHIDDEN(void) supR3HardenedWinFlushLoaderCache(void) </td></tr><tr><th id="L1991"><a href="#L1991">1991</a></th><td>{ </td></tr><tr><th id="L1992"><a href="#L1992">1992</a></th><td> uint32_t i = g_cSupNtVpLdrCacheEntries; </td></tr><tr><th id="L1993"><a href="#L1993">1993</a></th><td> while (i-- > 0) </td></tr><tr><th id="L1994"><a href="#L1994">1994</a></th><td> supHardNTLdrCacheDeleteEntry(&g_aSupNtVpLdrCacheEntries[i]); </td></tr><tr><th id="L1995"><a href="#L1995">1995</a></th><td> g_cSupNtVpLdrCacheEntries = 0; </td></tr><tr><th id="L1996"><a href="#L1996">1996</a></th><td>} </td></tr><tr><th id="L1997"><a href="#L1997">1997</a></th><td> </td></tr><tr><th id="L1998"><a href="#L1998">1998</a></th><td> </td></tr><tr><th id="L1999"><a href="#L1999">1999</a></th><td>/** </td></tr><tr><th id="L2000"><a href="#L2000">2000</a></th><td> * Searches the cache for a loader image. </td></tr><tr><th id="L2001"><a href="#L2001">2001</a></th><td> * </td></tr><tr><th id="L2002"><a href="#L2002">2002</a></th><td> * @returns Pointer to the cache entry if found, NULL if not. </td></tr><tr><th id="L2003"><a href="#L2003">2003</a></th><td> * @param pszName The name (from g_apszSupNtVpAllowedVmExes or </td></tr><tr><th id="L2004"><a href="#L2004">2004</a></th><td> * g_apszSupNtVpAllowedDlls). </td></tr><tr><th id="L2005"><a href="#L2005">2005</a></th><td> */ </td></tr><tr><th id="L2006"><a href="#L2006">2006</a></th><td>static PSUPHNTLDRCACHEENTRY supHardNtLdrCacheLookupEntry(const char *pszName) </td></tr><tr><th id="L2007"><a href="#L2007">2007</a></th><td>{ </td></tr><tr><th id="L2008"><a href="#L2008">2008</a></th><td> /* </td></tr><tr><th id="L2009"><a href="#L2009">2009</a></th><td> * Since the caller is supplying us a pszName from one of the two tables, </td></tr><tr><th id="L2010"><a href="#L2010">2010</a></th><td> * we can dispense with string compare and simply compare string pointers. </td></tr><tr><th id="L2011"><a href="#L2011">2011</a></th><td> */ </td></tr><tr><th id="L2012"><a href="#L2012">2012</a></th><td> uint32_t i = g_cSupNtVpLdrCacheEntries; </td></tr><tr><th id="L2013"><a href="#L2013">2013</a></th><td> while (i-- > 0) </td></tr><tr><th id="L2014"><a href="#L2014">2014</a></th><td> if (g_aSupNtVpLdrCacheEntries[i].pszName == pszName) </td></tr><tr><th id="L2015"><a href="#L2015">2015</a></th><td> return &g_aSupNtVpLdrCacheEntries[i]; </td></tr><tr><th id="L2016"><a href="#L2016">2016</a></th><td> return NULL; </td></tr><tr><th id="L2017"><a href="#L2017">2017</a></th><td>} </td></tr><tr><th id="L2018"><a href="#L2018">2018</a></th><td> </td></tr><tr><th id="L2019"><a href="#L2019">2019</a></th><td>#endif /* IN_RING3 */ </td></tr><tr><th id="L2020"><a href="#L2020">2020</a></th><td> </td></tr><tr><th id="L2021"><a href="#L2021">2021</a></th><td>static int supHardNtLdrCacheNewEntry(PSUPHNTLDRCACHEENTRY pEntry, const char *pszName, PUNICODE_STRING pUniStrPath, </td></tr><tr><th id="L2022"><a href="#L2022">2022</a></th><td> bool fDll, bool f32bitResourceDll, PRTERRINFO pErrInfo) </td></tr><tr><th id="L2023"><a href="#L2023">2023</a></th><td>{ </td></tr><tr><th id="L2024"><a href="#L2024">2024</a></th><td> /* </td></tr><tr><th id="L2025"><a href="#L2025">2025</a></th><td> * Open the image file. </td></tr><tr><th id="L2026"><a href="#L2026">2026</a></th><td> */ </td></tr><tr><th id="L2027"><a href="#L2027">2027</a></th><td> HANDLE hFile = RTNT_INVALID_HANDLE_VALUE; </td></tr><tr><th id="L2028"><a href="#L2028">2028</a></th><td> IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER; </td></tr><tr><th id="L2029"><a href="#L2029">2029</a></th><td> </td></tr><tr><th id="L2030"><a href="#L2030">2030</a></th><td> OBJECT_ATTRIBUTES ObjAttr; </td></tr><tr><th id="L2031"><a href="#L2031">2031</a></th><td> InitializeObjectAttributes(&ObjAttr, pUniStrPath, OBJ_CASE_INSENSITIVE, NULL /*hRootDir*/, NULL /*pSecDesc*/); </td></tr><tr><th id="L2032"><a href="#L2032">2032</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L2033"><a href="#L2033">2033</a></th><td> ObjAttr.Attributes |= OBJ_KERNEL_HANDLE; </td></tr><tr><th id="L2034"><a href="#L2034">2034</a></th><td>#endif </td></tr><tr><th id="L2035"><a href="#L2035">2035</a></th><td> </td></tr><tr><th id="L2036"><a href="#L2036">2036</a></th><td> NTSTATUS rcNt = NtCreateFile(&hFile, </td></tr><tr><th id="L2037"><a href="#L2037">2037</a></th><td> GENERIC_READ | SYNCHRONIZE, </td></tr><tr><th id="L2038"><a href="#L2038">2038</a></th><td> &ObjAttr, </td></tr><tr><th id="L2039"><a href="#L2039">2039</a></th><td> &Ios, </td></tr><tr><th id="L2040"><a href="#L2040">2040</a></th><td> NULL /* Allocation Size*/, </td></tr><tr><th id="L2041"><a href="#L2041">2041</a></th><td> FILE_ATTRIBUTE_NORMAL, </td></tr><tr><th id="L2042"><a href="#L2042">2042</a></th><td> FILE_SHARE_READ, </td></tr><tr><th id="L2043"><a href="#L2043">2043</a></th><td> FILE_OPEN, </td></tr><tr><th id="L2044"><a href="#L2044">2044</a></th><td> FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, </td></tr><tr><th id="L2045"><a href="#L2045">2045</a></th><td> NULL /*EaBuffer*/, </td></tr><tr><th id="L2046"><a href="#L2046">2046</a></th><td> 0 /*EaLength*/); </td></tr><tr><th id="L2047"><a href="#L2047">2047</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L2048"><a href="#L2048">2048</a></th><td> rcNt = Ios.Status; </td></tr><tr><th id="L2049"><a href="#L2049">2049</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L2050"><a href="#L2050">2050</a></th><td> return supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_IMAGE_FILE_OPEN_ERROR, </td></tr><tr><th id="L2051"><a href="#L2051">2051</a></th><td> "Error opening image for scanning: %#x (name %ls)", rcNt, pUniStrPath->Buffer); </td></tr><tr><th id="L2052"><a href="#L2052">2052</a></th><td> </td></tr><tr><th id="L2053"><a href="#L2053">2053</a></th><td> /* </td></tr><tr><th id="L2054"><a href="#L2054">2054</a></th><td> * Figure out validation flags we'll be using and create the reader </td></tr><tr><th id="L2055"><a href="#L2055">2055</a></th><td> * for this image. </td></tr><tr><th id="L2056"><a href="#L2056">2056</a></th><td> */ </td></tr><tr><th id="L2057"><a href="#L2057">2057</a></th><td> uint32_t fFlags = fDll </td></tr><tr><th id="L2058"><a href="#L2058">2058</a></th><td> ? SUPHNTVI_F_TRUSTED_INSTALLER_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION </td></tr><tr><th id="L2059"><a href="#L2059">2059</a></th><td> : SUPHNTVI_F_REQUIRE_BUILD_CERT; </td></tr><tr><th id="L2060"><a href="#L2060">2060</a></th><td> if (f32bitResourceDll) </td></tr><tr><th id="L2061"><a href="#L2061">2061</a></th><td> fFlags |= SUPHNTVI_F_IGNORE_ARCHITECTURE; </td></tr><tr><th id="L2062"><a href="#L2062">2062</a></th><td> </td></tr><tr><th id="L2063"><a href="#L2063">2063</a></th><td> PSUPHNTVIRDR pNtViRdr; </td></tr><tr><th id="L2064"><a href="#L2064">2064</a></th><td> int rc = supHardNtViRdrCreate(hFile, pUniStrPath->Buffer, fFlags, &pNtViRdr); </td></tr><tr><th id="L2065"><a href="#L2065">2065</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L2066"><a href="#L2066">2066</a></th><td> { </td></tr><tr><th id="L2067"><a href="#L2067">2067</a></th><td> NtClose(hFile); </td></tr><tr><th id="L2068"><a href="#L2068">2068</a></th><td> return rc; </td></tr><tr><th id="L2069"><a href="#L2069">2069</a></th><td> } </td></tr><tr><th id="L2070"><a href="#L2070">2070</a></th><td> </td></tr><tr><th id="L2071"><a href="#L2071">2071</a></th><td> /* </td></tr><tr><th id="L2072"><a href="#L2072">2072</a></th><td> * Finally, open the image with the loader </td></tr><tr><th id="L2073"><a href="#L2073">2073</a></th><td> */ </td></tr><tr><th id="L2074"><a href="#L2074">2074</a></th><td> RTLDRMOD hLdrMod; </td></tr><tr><th id="L2075"><a href="#L2075">2075</a></th><td> RTLDRARCH enmArch = fFlags & SUPHNTVI_F_RC_IMAGE ? RTLDRARCH_X86_32 : RTLDRARCH_HOST; </td></tr><tr><th id="L2076"><a href="#L2076">2076</a></th><td> if (fFlags & SUPHNTVI_F_IGNORE_ARCHITECTURE) </td></tr><tr><th id="L2077"><a href="#L2077">2077</a></th><td> enmArch = RTLDRARCH_WHATEVER; </td></tr><tr><th id="L2078"><a href="#L2078">2078</a></th><td> rc = RTLdrOpenWithReader(&pNtViRdr->Core, RTLDR_O_FOR_VALIDATION, enmArch, &hLdrMod, pErrInfo); </td></tr><tr><th id="L2079"><a href="#L2079">2079</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L2080"><a href="#L2080">2080</a></th><td> return supHardNtVpAddInfo1(pErrInfo, rc, "RTLdrOpenWithReader failed: %Rrc (Image='%ls').", </td></tr><tr><th id="L2081"><a href="#L2081">2081</a></th><td> rc, pUniStrPath->Buffer); </td></tr><tr><th id="L2082"><a href="#L2082">2082</a></th><td> </td></tr><tr><th id="L2083"><a href="#L2083">2083</a></th><td> /* </td></tr><tr><th id="L2084"><a href="#L2084">2084</a></th><td> * Fill in the cache entry. </td></tr><tr><th id="L2085"><a href="#L2085">2085</a></th><td> */ </td></tr><tr><th id="L2086"><a href="#L2086">2086</a></th><td> pEntry->pszName = pszName; </td></tr><tr><th id="L2087"><a href="#L2087">2087</a></th><td> pEntry->hLdrMod = hLdrMod; </td></tr><tr><th id="L2088"><a href="#L2088">2088</a></th><td> pEntry->pNtViRdr = pNtViRdr; </td></tr><tr><th id="L2089"><a href="#L2089">2089</a></th><td> pEntry->hFile = hFile; </td></tr><tr><th id="L2090"><a href="#L2090">2090</a></th><td> pEntry->pbBits = NULL; </td></tr><tr><th id="L2091"><a href="#L2091">2091</a></th><td> pEntry->fVerified = false; </td></tr><tr><th id="L2092"><a href="#L2092">2092</a></th><td> pEntry->fValidBits = false; </td></tr><tr><th id="L2093"><a href="#L2093">2093</a></th><td> pEntry->uImageBase = ~(uintptr_t)0; </td></tr><tr><th id="L2094"><a href="#L2094">2094</a></th><td> </td></tr><tr><th id="L2095"><a href="#L2095">2095</a></th><td>#ifdef IN_SUP_HARDENED_R3 </td></tr><tr><th id="L2096"><a href="#L2096">2096</a></th><td> /* </td></tr><tr><th id="L2097"><a href="#L2097">2097</a></th><td> * Log the image timestamp when in the hardened exe. </td></tr><tr><th id="L2098"><a href="#L2098">2098</a></th><td> */ </td></tr><tr><th id="L2099"><a href="#L2099">2099</a></th><td> uint64_t uTimestamp = 0; </td></tr><tr><th id="L2100"><a href="#L2100">2100</a></th><td> rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &uTimestamp, sizeof(uint64_t)); </td></tr><tr><th id="L2101"><a href="#L2101">2101</a></th><td> SUP_DPRINTF(("%s: timestamp %#llx (rc=%Rrc)\n", pszName, uTimestamp, rc)); </td></tr><tr><th id="L2102"><a href="#L2102">2102</a></th><td>#endif </td></tr><tr><th id="L2103"><a href="#L2103">2103</a></th><td> </td></tr><tr><th id="L2104"><a href="#L2104">2104</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2105"><a href="#L2105">2105</a></th><td>} </td></tr><tr><th id="L2106"><a href="#L2106">2106</a></th><td> </td></tr><tr><th id="L2107"><a href="#L2107">2107</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L2108"><a href="#L2108">2108</a></th><td>/** </td></tr><tr><th id="L2109"><a href="#L2109">2109</a></th><td> * Opens a loader cache entry. </td></tr><tr><th id="L2110"><a href="#L2110">2110</a></th><td> * </td></tr><tr><th id="L2111"><a href="#L2111">2111</a></th><td> * Currently this is only used by the import code for getting NTDLL. </td></tr><tr><th id="L2112"><a href="#L2112">2112</a></th><td> * </td></tr><tr><th id="L2113"><a href="#L2113">2113</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L2114"><a href="#L2114">2114</a></th><td> * @param pszName The DLL name. Must be one from the </td></tr><tr><th id="L2115"><a href="#L2115">2115</a></th><td> * g_apszSupNtVpAllowedDlls array. </td></tr><tr><th id="L2116"><a href="#L2116">2116</a></th><td> * @param ppEntry Where to return the entry we've opened/found. </td></tr><tr><th id="L2117"><a href="#L2117">2117</a></th><td> * @param pErrInfo Optional buffer where to return additional error </td></tr><tr><th id="L2118"><a href="#L2118">2118</a></th><td> * information. </td></tr><tr><th id="L2119"><a href="#L2119">2119</a></th><td> */ </td></tr><tr><th id="L2120"><a href="#L2120">2120</a></th><td>DECLHIDDEN(int) supHardNtLdrCacheOpen(const char *pszName, PSUPHNTLDRCACHEENTRY *ppEntry, PRTERRINFO pErrInfo) </td></tr><tr><th id="L2121"><a href="#L2121">2121</a></th><td>{ </td></tr><tr><th id="L2122"><a href="#L2122">2122</a></th><td> /* </td></tr><tr><th id="L2123"><a href="#L2123">2123</a></th><td> * Locate the dll. </td></tr><tr><th id="L2124"><a href="#L2124">2124</a></th><td> */ </td></tr><tr><th id="L2125"><a href="#L2125">2125</a></th><td> uint32_t i = 0; </td></tr><tr><th id="L2126"><a href="#L2126">2126</a></th><td> while ( i < RT_ELEMENTS(g_apszSupNtVpAllowedDlls) </td></tr><tr><th id="L2127"><a href="#L2127">2127</a></th><td> && strcmp(pszName, g_apszSupNtVpAllowedDlls[i])) </td></tr><tr><th id="L2128"><a href="#L2128">2128</a></th><td> i++; </td></tr><tr><th id="L2129"><a href="#L2129">2129</a></th><td> if (i >= RT_ELEMENTS(g_apszSupNtVpAllowedDlls)) </td></tr><tr><th id="L2130"><a href="#L2130">2130</a></th><td> return VERR_FILE_NOT_FOUND; </td></tr><tr><th id="L2131"><a href="#L2131">2131</a></th><td> pszName = g_apszSupNtVpAllowedDlls[i]; </td></tr><tr><th id="L2132"><a href="#L2132">2132</a></th><td> </td></tr><tr><th id="L2133"><a href="#L2133">2133</a></th><td> /* </td></tr><tr><th id="L2134"><a href="#L2134">2134</a></th><td> * Try the cache. </td></tr><tr><th id="L2135"><a href="#L2135">2135</a></th><td> */ </td></tr><tr><th id="L2136"><a href="#L2136">2136</a></th><td> *ppEntry = supHardNtLdrCacheLookupEntry(pszName); </td></tr><tr><th id="L2137"><a href="#L2137">2137</a></th><td> if (*ppEntry) </td></tr><tr><th id="L2138"><a href="#L2138">2138</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2139"><a href="#L2139">2139</a></th><td> </td></tr><tr><th id="L2140"><a href="#L2140">2140</a></th><td> /* </td></tr><tr><th id="L2141"><a href="#L2141">2141</a></th><td> * Not in the cache, so open it. </td></tr><tr><th id="L2142"><a href="#L2142">2142</a></th><td> * Note! We cannot assume that g_System32NtPath has been initialized at this point. </td></tr><tr><th id="L2143"><a href="#L2143">2143</a></th><td> */ </td></tr><tr><th id="L2144"><a href="#L2144">2144</a></th><td> if (g_cSupNtVpLdrCacheEntries >= RT_ELEMENTS(g_aSupNtVpLdrCacheEntries)) </td></tr><tr><th id="L2145"><a href="#L2145">2145</a></th><td> return VERR_INTERNAL_ERROR_3; </td></tr><tr><th id="L2146"><a href="#L2146">2146</a></th><td> </td></tr><tr><th id="L2147"><a href="#L2147">2147</a></th><td> static WCHAR s_wszSystem32[] = L"\\SystemRoot\\System32\\"; </td></tr><tr><th id="L2148"><a href="#L2148">2148</a></th><td> WCHAR wszPath[64]; </td></tr><tr><th id="L2149"><a href="#L2149">2149</a></th><td> memcpy(wszPath, s_wszSystem32, sizeof(s_wszSystem32)); </td></tr><tr><th id="L2150"><a href="#L2150">2150</a></th><td> RTUtf16CatAscii(wszPath, sizeof(wszPath), pszName); </td></tr><tr><th id="L2151"><a href="#L2151">2151</a></th><td> </td></tr><tr><th id="L2152"><a href="#L2152">2152</a></th><td> UNICODE_STRING UniStr; </td></tr><tr><th id="L2153"><a href="#L2153">2153</a></th><td> UniStr.Buffer = wszPath; </td></tr><tr><th id="L2154"><a href="#L2154">2154</a></th><td> UniStr.Length = (USHORT)(RTUtf16Len(wszPath) * sizeof(WCHAR)); </td></tr><tr><th id="L2155"><a href="#L2155">2155</a></th><td> UniStr.MaximumLength = UniStr.Length + sizeof(WCHAR); </td></tr><tr><th id="L2156"><a href="#L2156">2156</a></th><td> </td></tr><tr><th id="L2157"><a href="#L2157">2157</a></th><td> int rc = supHardNtLdrCacheNewEntry(&g_aSupNtVpLdrCacheEntries[g_cSupNtVpLdrCacheEntries], pszName, &UniStr, </td></tr><tr><th id="L2158"><a href="#L2158">2158</a></th><td> true /*fDll*/, false /*f32bitResourceDll*/, pErrInfo); </td></tr><tr><th id="L2159"><a href="#L2159">2159</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L2160"><a href="#L2160">2160</a></th><td> { </td></tr><tr><th id="L2161"><a href="#L2161">2161</a></th><td> *ppEntry = &g_aSupNtVpLdrCacheEntries[g_cSupNtVpLdrCacheEntries]; </td></tr><tr><th id="L2162"><a href="#L2162">2162</a></th><td> g_cSupNtVpLdrCacheEntries++; </td></tr><tr><th id="L2163"><a href="#L2163">2163</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2164"><a href="#L2164">2164</a></th><td> } </td></tr><tr><th id="L2165"><a href="#L2165">2165</a></th><td> return rc; </td></tr><tr><th id="L2166"><a href="#L2166">2166</a></th><td>} </td></tr><tr><th id="L2167"><a href="#L2167">2167</a></th><td>#endif /* IN_RING3 */ </td></tr><tr><th id="L2168"><a href="#L2168">2168</a></th><td> </td></tr><tr><th id="L2169"><a href="#L2169">2169</a></th><td> </td></tr><tr><th id="L2170"><a href="#L2170">2170</a></th><td>/** </td></tr><tr><th id="L2171"><a href="#L2171">2171</a></th><td> * Opens all the images with the IPRT loader, setting both, hFile, pNtViRdr and </td></tr><tr><th id="L2172"><a href="#L2172">2172</a></th><td> * hLdrMod for each image. </td></tr><tr><th id="L2173"><a href="#L2173">2173</a></th><td> * </td></tr><tr><th id="L2174"><a href="#L2174">2174</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L2175"><a href="#L2175">2175</a></th><td> * @param pThis The process scanning state structure. </td></tr><tr><th id="L2176"><a href="#L2176">2176</a></th><td> */ </td></tr><tr><th id="L2177"><a href="#L2177">2177</a></th><td>static int supHardNtVpOpenImages(PSUPHNTVPSTATE pThis) </td></tr><tr><th id="L2178"><a href="#L2178">2178</a></th><td>{ </td></tr><tr><th id="L2179"><a href="#L2179">2179</a></th><td> unsigned i = pThis->cImages; </td></tr><tr><th id="L2180"><a href="#L2180">2180</a></th><td> while (i-- > 0) </td></tr><tr><th id="L2181"><a href="#L2181">2181</a></th><td> { </td></tr><tr><th id="L2182"><a href="#L2182">2182</a></th><td> PSUPHNTVPIMAGE pImage = &pThis->aImages[i]; </td></tr><tr><th id="L2183"><a href="#L2183">2183</a></th><td> </td></tr><tr><th id="L2184"><a href="#L2184">2184</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L2185"><a href="#L2185">2185</a></th><td> /* </td></tr><tr><th id="L2186"><a href="#L2186">2186</a></th><td> * Try the cache first. </td></tr><tr><th id="L2187"><a href="#L2187">2187</a></th><td> */ </td></tr><tr><th id="L2188"><a href="#L2188">2188</a></th><td> pImage->pCacheEntry = supHardNtLdrCacheLookupEntry(pImage->pszName); </td></tr><tr><th id="L2189"><a href="#L2189">2189</a></th><td> if (pImage->pCacheEntry) </td></tr><tr><th id="L2190"><a href="#L2190">2190</a></th><td> continue; </td></tr><tr><th id="L2191"><a href="#L2191">2191</a></th><td> </td></tr><tr><th id="L2192"><a href="#L2192">2192</a></th><td> /* </td></tr><tr><th id="L2193"><a href="#L2193">2193</a></th><td> * Not in the cache, so load it into the cache. </td></tr><tr><th id="L2194"><a href="#L2194">2194</a></th><td> */ </td></tr><tr><th id="L2195"><a href="#L2195">2195</a></th><td> if (g_cSupNtVpLdrCacheEntries >= RT_ELEMENTS(g_aSupNtVpLdrCacheEntries)) </td></tr><tr><th id="L2196"><a href="#L2196">2196</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_INTERNAL_ERROR_3, "Loader cache overflow."); </td></tr><tr><th id="L2197"><a href="#L2197">2197</a></th><td> pImage->pCacheEntry = &g_aSupNtVpLdrCacheEntries[g_cSupNtVpLdrCacheEntries]; </td></tr><tr><th id="L2198"><a href="#L2198">2198</a></th><td>#else </td></tr><tr><th id="L2199"><a href="#L2199">2199</a></th><td> /* </td></tr><tr><th id="L2200"><a href="#L2200">2200</a></th><td> * In ring-0 we don't have a cache at the moment (resource reasons), so </td></tr><tr><th id="L2201"><a href="#L2201">2201</a></th><td> * we have a static cache entry in each image structure that we use instead. </td></tr><tr><th id="L2202"><a href="#L2202">2202</a></th><td> */ </td></tr><tr><th id="L2203"><a href="#L2203">2203</a></th><td> pImage->pCacheEntry = &pImage->CacheEntry; </td></tr><tr><th id="L2204"><a href="#L2204">2204</a></th><td>#endif </td></tr><tr><th id="L2205"><a href="#L2205">2205</a></th><td> </td></tr><tr><th id="L2206"><a href="#L2206">2206</a></th><td> int rc = supHardNtLdrCacheNewEntry(pImage->pCacheEntry, pImage->pszName, &pImage->Name.UniStr, </td></tr><tr><th id="L2207"><a href="#L2207">2207</a></th><td> pImage->fDll, pImage->f32bitResourceDll, pThis->pErrInfo); </td></tr><tr><th id="L2208"><a href="#L2208">2208</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L2209"><a href="#L2209">2209</a></th><td> return rc; </td></tr><tr><th id="L2210"><a href="#L2210">2210</a></th><td>#ifdef IN_RING3 </td></tr><tr><th id="L2211"><a href="#L2211">2211</a></th><td> g_cSupNtVpLdrCacheEntries++; </td></tr><tr><th id="L2212"><a href="#L2212">2212</a></th><td>#endif </td></tr><tr><th id="L2213"><a href="#L2213">2213</a></th><td> } </td></tr><tr><th id="L2214"><a href="#L2214">2214</a></th><td> </td></tr><tr><th id="L2215"><a href="#L2215">2215</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2216"><a href="#L2216">2216</a></th><td>} </td></tr><tr><th id="L2217"><a href="#L2217">2217</a></th><td> </td></tr><tr><th id="L2218"><a href="#L2218">2218</a></th><td> </td></tr><tr><th id="L2219"><a href="#L2219">2219</a></th><td>/** </td></tr><tr><th id="L2220"><a href="#L2220">2220</a></th><td> * Check the integrity of the executable of the process. </td></tr><tr><th id="L2221"><a href="#L2221">2221</a></th><td> * </td></tr><tr><th id="L2222"><a href="#L2222">2222</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L2223"><a href="#L2223">2223</a></th><td> * @param pThis The process scanning state structure. Details </td></tr><tr><th id="L2224"><a href="#L2224">2224</a></th><td> * about images are added to this. The hProcess </td></tr><tr><th id="L2225"><a href="#L2225">2225</a></th><td> * member holds the handle to the process that is </td></tr><tr><th id="L2226"><a href="#L2226">2226</a></th><td> * to be verified. </td></tr><tr><th id="L2227"><a href="#L2227">2227</a></th><td> */ </td></tr><tr><th id="L2228"><a href="#L2228">2228</a></th><td>static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis) </td></tr><tr><th id="L2229"><a href="#L2229">2229</a></th><td>{ </td></tr><tr><th id="L2230"><a href="#L2230">2230</a></th><td> /* </td></tr><tr><th id="L2231"><a href="#L2231">2231</a></th><td> * Make sure there is exactly one executable image. </td></tr><tr><th id="L2232"><a href="#L2232">2232</a></th><td> */ </td></tr><tr><th id="L2233"><a href="#L2233">2233</a></th><td> unsigned cExecs = 0; </td></tr><tr><th id="L2234"><a href="#L2234">2234</a></th><td> unsigned iExe = ~0U; </td></tr><tr><th id="L2235"><a href="#L2235">2235</a></th><td> unsigned i = pThis->cImages; </td></tr><tr><th id="L2236"><a href="#L2236">2236</a></th><td> while (i-- > 0) </td></tr><tr><th id="L2237"><a href="#L2237">2237</a></th><td> { </td></tr><tr><th id="L2238"><a href="#L2238">2238</a></th><td> if (!pThis->aImages[i].fDll) </td></tr><tr><th id="L2239"><a href="#L2239">2239</a></th><td> { </td></tr><tr><th id="L2240"><a href="#L2240">2240</a></th><td> cExecs++; </td></tr><tr><th id="L2241"><a href="#L2241">2241</a></th><td> iExe = i; </td></tr><tr><th id="L2242"><a href="#L2242">2242</a></th><td> } </td></tr><tr><th id="L2243"><a href="#L2243">2243</a></th><td> } </td></tr><tr><th id="L2244"><a href="#L2244">2244</a></th><td> if (cExecs == 0) </td></tr><tr><th id="L2245"><a href="#L2245">2245</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_FOUND_NO_EXE_MAPPING, </td></tr><tr><th id="L2246"><a href="#L2246">2246</a></th><td> "No executable mapping found in the virtual address space."); </td></tr><tr><th id="L2247"><a href="#L2247">2247</a></th><td> if (cExecs != 1) </td></tr><tr><th id="L2248"><a href="#L2248">2248</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_FOUND_MORE_THAN_ONE_EXE_MAPPING, </td></tr><tr><th id="L2249"><a href="#L2249">2249</a></th><td> "Found more than one executable mapping in the virtual address space."); </td></tr><tr><th id="L2250"><a href="#L2250">2250</a></th><td> PSUPHNTVPIMAGE pImage = &pThis->aImages[iExe]; </td></tr><tr><th id="L2251"><a href="#L2251">2251</a></th><td> </td></tr><tr><th id="L2252"><a href="#L2252">2252</a></th><td> /* </td></tr><tr><th id="L2253"><a href="#L2253">2253</a></th><td> * Check that it matches the executable image of the process. </td></tr><tr><th id="L2254"><a href="#L2254">2254</a></th><td> */ </td></tr><tr><th id="L2255"><a href="#L2255">2255</a></th><td> int rc; </td></tr><tr><th id="L2256"><a href="#L2256">2256</a></th><td> ULONG cbUniStr = sizeof(UNICODE_STRING) + RTPATH_MAX * sizeof(RTUTF16); </td></tr><tr><th id="L2257"><a href="#L2257">2257</a></th><td> PUNICODE_STRING pUniStr = (PUNICODE_STRING)RTMemAllocZ(cbUniStr); </td></tr><tr><th id="L2258"><a href="#L2258">2258</a></th><td> if (!pUniStr) </td></tr><tr><th id="L2259"><a href="#L2259">2259</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_MEMORY, </td></tr><tr><th id="L2260"><a href="#L2260">2260</a></th><td> "Error allocating %zu bytes for process name.", cbUniStr); </td></tr><tr><th id="L2261"><a href="#L2261">2261</a></th><td> ULONG cbIgn = 0; </td></tr><tr><th id="L2262"><a href="#L2262">2262</a></th><td> NTSTATUS rcNt = NtQueryInformationProcess(pThis->hProcess, ProcessImageFileName, pUniStr, cbUniStr - sizeof(WCHAR), &cbIgn); </td></tr><tr><th id="L2263"><a href="#L2263">2263</a></th><td> if (NT_SUCCESS(rcNt)) </td></tr><tr><th id="L2264"><a href="#L2264">2264</a></th><td> { </td></tr><tr><th id="L2265"><a href="#L2265">2265</a></th><td> if (supHardNtVpAreUniStringsEqual(pUniStr, &pImage->Name.UniStr)) </td></tr><tr><th id="L2266"><a href="#L2266">2266</a></th><td> rc = VINF_SUCCESS; </td></tr><tr><th id="L2267"><a href="#L2267">2267</a></th><td> else </td></tr><tr><th id="L2268"><a href="#L2268">2268</a></th><td> { </td></tr><tr><th id="L2269"><a href="#L2269">2269</a></th><td> pUniStr->Buffer[pUniStr->Length / sizeof(WCHAR)] = '\0'; </td></tr><tr><th id="L2270"><a href="#L2270">2270</a></th><td> rc = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_VS_PROC_NAME_MISMATCH, </td></tr><tr><th id="L2271"><a href="#L2271">2271</a></th><td> "Process image name does not match the exectuable we found: %ls vs %ls.", </td></tr><tr><th id="L2272"><a href="#L2272">2272</a></th><td> pUniStr->Buffer, pImage->Name.UniStr.Buffer); </td></tr><tr><th id="L2273"><a href="#L2273">2273</a></th><td> } </td></tr><tr><th id="L2274"><a href="#L2274">2274</a></th><td> } </td></tr><tr><th id="L2275"><a href="#L2275">2275</a></th><td> else </td></tr><tr><th id="L2276"><a href="#L2276">2276</a></th><td> rc = supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_PROCESS_NM_ERROR, </td></tr><tr><th id="L2277"><a href="#L2277">2277</a></th><td> "NtQueryInformationProcess/ProcessImageFileName failed: %#x", rcNt); </td></tr><tr><th id="L2278"><a href="#L2278">2278</a></th><td> RTMemFree(pUniStr); </td></tr><tr><th id="L2279"><a href="#L2279">2279</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L2280"><a href="#L2280">2280</a></th><td> return rc; </td></tr><tr><th id="L2281"><a href="#L2281">2281</a></th><td> </td></tr><tr><th id="L2282"><a href="#L2282">2282</a></th><td> /* </td></tr><tr><th id="L2283"><a href="#L2283">2283</a></th><td> * Validate the signing of the executable image. </td></tr><tr><th id="L2284"><a href="#L2284">2284</a></th><td> * This will load the fDllCharecteristics and fImageCharecteristics members we use below. </td></tr><tr><th id="L2285"><a href="#L2285">2285</a></th><td> */ </td></tr><tr><th id="L2286"><a href="#L2286">2286</a></th><td> rc = supHardNtVpVerifyImage(pThis, pImage); </td></tr><tr><th id="L2287"><a href="#L2287">2287</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L2288"><a href="#L2288">2288</a></th><td> return rc; </td></tr><tr><th id="L2289"><a href="#L2289">2289</a></th><td> </td></tr><tr><th id="L2290"><a href="#L2290">2290</a></th><td> /* </td></tr><tr><th id="L2291"><a href="#L2291">2291</a></th><td> * Check linking requirements. </td></tr><tr><th id="L2292"><a href="#L2292">2292</a></th><td> * This query is only available using the current process pseudo handle on </td></tr><tr><th id="L2293"><a href="#L2293">2293</a></th><td> * older windows versions. The cut-off seems to be Vista. </td></tr><tr><th id="L2294"><a href="#L2294">2294</a></th><td> */ </td></tr><tr><th id="L2295"><a href="#L2295">2295</a></th><td> SECTION_IMAGE_INFORMATION ImageInfo; </td></tr><tr><th id="L2296"><a href="#L2296">2296</a></th><td> rcNt = NtQueryInformationProcess(pThis->hProcess, ProcessImageInformation, &ImageInfo, sizeof(ImageInfo), NULL); </td></tr><tr><th id="L2297"><a href="#L2297">2297</a></th><td> if (!NT_SUCCESS(rcNt)) </td></tr><tr><th id="L2298"><a href="#L2298">2298</a></th><td> { </td></tr><tr><th id="L2299"><a href="#L2299">2299</a></th><td> if ( rcNt == STATUS_INVALID_PARAMETER </td></tr><tr><th id="L2300"><a href="#L2300">2300</a></th><td> && g_uNtVerCombined < SUP_NT_VER_VISTA </td></tr><tr><th id="L2301"><a href="#L2301">2301</a></th><td> && pThis->hProcess != NtCurrentProcess() ) </td></tr><tr><th id="L2302"><a href="#L2302">2302</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2303"><a href="#L2303">2303</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NT_QI_PROCESS_IMG_INFO_ERROR, </td></tr><tr><th id="L2304"><a href="#L2304">2304</a></th><td> "NtQueryInformationProcess/ProcessImageInformation failed: %#x hProcess=%#x", </td></tr><tr><th id="L2305"><a href="#L2305">2305</a></th><td> rcNt, pThis->hProcess); </td></tr><tr><th id="L2306"><a href="#L2306">2306</a></th><td> } </td></tr><tr><th id="L2307"><a href="#L2307">2307</a></th><td> if ( !(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)) </td></tr><tr><th id="L2308"><a href="#L2308">2308</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_FORCE_INTEGRITY, </td></tr><tr><th id="L2309"><a href="#L2309">2309</a></th><td> "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY to be set.", </td></tr><tr><th id="L2310"><a href="#L2310">2310</a></th><td> ImageInfo.DllCharacteristics); </td></tr><tr><th id="L2311"><a href="#L2311">2311</a></th><td> if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) </td></tr><tr><th id="L2312"><a href="#L2312">2312</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_DYNAMIC_BASE, </td></tr><tr><th id="L2313"><a href="#L2313">2313</a></th><td> "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE to be set.", </td></tr><tr><th id="L2314"><a href="#L2314">2314</a></th><td> ImageInfo.DllCharacteristics); </td></tr><tr><th id="L2315"><a href="#L2315">2315</a></th><td> if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)) </td></tr><tr><th id="L2316"><a href="#L2316">2316</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_NX_COMPAT, </td></tr><tr><th id="L2317"><a href="#L2317">2317</a></th><td> "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_NX_COMPAT to be set.", </td></tr><tr><th id="L2318"><a href="#L2318">2318</a></th><td> ImageInfo.DllCharacteristics); </td></tr><tr><th id="L2319"><a href="#L2319">2319</a></th><td> </td></tr><tr><th id="L2320"><a href="#L2320">2320</a></th><td> if (pImage->fDllCharecteristics != ImageInfo.DllCharacteristics) </td></tr><tr><th id="L2321"><a href="#L2321">2321</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DLL_CHARECTERISTICS_MISMATCH, </td></tr><tr><th id="L2322"><a href="#L2322">2322</a></th><td> "EXE Info.DllCharacteristics=%#x fDllCharecteristics=%#x.", </td></tr><tr><th id="L2323"><a href="#L2323">2323</a></th><td> ImageInfo.DllCharacteristics, pImage->fDllCharecteristics); </td></tr><tr><th id="L2324"><a href="#L2324">2324</a></th><td> </td></tr><tr><th id="L2325"><a href="#L2325">2325</a></th><td> if (pImage->fImageCharecteristics != ImageInfo.ImageCharacteristics) </td></tr><tr><th id="L2326"><a href="#L2326">2326</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DLL_CHARECTERISTICS_MISMATCH, </td></tr><tr><th id="L2327"><a href="#L2327">2327</a></th><td> "EXE Info.ImageCharacteristics=%#x fImageCharecteristics=%#x.", </td></tr><tr><th id="L2328"><a href="#L2328">2328</a></th><td> ImageInfo.ImageCharacteristics, pImage->fImageCharecteristics); </td></tr><tr><th id="L2329"><a href="#L2329">2329</a></th><td> </td></tr><tr><th id="L2330"><a href="#L2330">2330</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2331"><a href="#L2331">2331</a></th><td>} </td></tr><tr><th id="L2332"><a href="#L2332">2332</a></th><td> </td></tr><tr><th id="L2333"><a href="#L2333">2333</a></th><td> </td></tr><tr><th id="L2334"><a href="#L2334">2334</a></th><td>/** </td></tr><tr><th id="L2335"><a href="#L2335">2335</a></th><td> * Check the integrity of the DLLs found in the process. </td></tr><tr><th id="L2336"><a href="#L2336">2336</a></th><td> * </td></tr><tr><th id="L2337"><a href="#L2337">2337</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L2338"><a href="#L2338">2338</a></th><td> * @param pThis The process scanning state structure. Details </td></tr><tr><th id="L2339"><a href="#L2339">2339</a></th><td> * about images are added to this. The hProcess </td></tr><tr><th id="L2340"><a href="#L2340">2340</a></th><td> * member holds the handle to the process that is </td></tr><tr><th id="L2341"><a href="#L2341">2341</a></th><td> * to be verified. </td></tr><tr><th id="L2342"><a href="#L2342">2342</a></th><td> */ </td></tr><tr><th id="L2343"><a href="#L2343">2343</a></th><td>static int supHardNtVpCheckDlls(PSUPHNTVPSTATE pThis) </td></tr><tr><th id="L2344"><a href="#L2344">2344</a></th><td>{ </td></tr><tr><th id="L2345"><a href="#L2345">2345</a></th><td> /* </td></tr><tr><th id="L2346"><a href="#L2346">2346</a></th><td> * Check for duplicate entries (paranoia). </td></tr><tr><th id="L2347"><a href="#L2347">2347</a></th><td> */ </td></tr><tr><th id="L2348"><a href="#L2348">2348</a></th><td> uint32_t i = pThis->cImages; </td></tr><tr><th id="L2349"><a href="#L2349">2349</a></th><td> while (i-- > 1) </td></tr><tr><th id="L2350"><a href="#L2350">2350</a></th><td> { </td></tr><tr><th id="L2351"><a href="#L2351">2351</a></th><td> const char *pszName = pThis->aImages[i].pszName; </td></tr><tr><th id="L2352"><a href="#L2352">2352</a></th><td> uint32_t j = i; </td></tr><tr><th id="L2353"><a href="#L2353">2353</a></th><td> while (j-- > 0) </td></tr><tr><th id="L2354"><a href="#L2354">2354</a></th><td> if (pThis->aImages[j].pszName == pszName) </td></tr><tr><th id="L2355"><a href="#L2355">2355</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_DUPLICATE_DLL_MAPPING, </td></tr><tr><th id="L2356"><a href="#L2356">2356</a></th><td> "Duplicate image entries for %s: %ls and %ls", </td></tr><tr><th id="L2357"><a href="#L2357">2357</a></th><td> pszName, pThis->aImages[i].Name.UniStr.Buffer, pThis->aImages[j].Name.UniStr.Buffer); </td></tr><tr><th id="L2358"><a href="#L2358">2358</a></th><td> } </td></tr><tr><th id="L2359"><a href="#L2359">2359</a></th><td> </td></tr><tr><th id="L2360"><a href="#L2360">2360</a></th><td> /* </td></tr><tr><th id="L2361"><a href="#L2361">2361</a></th><td> * Check that both ntdll and kernel32 are present. </td></tr><tr><th id="L2362"><a href="#L2362">2362</a></th><td> * ASSUMES the entries in g_apszSupNtVpAllowedDlls are all lower case. </td></tr><tr><th id="L2363"><a href="#L2363">2363</a></th><td> */ </td></tr><tr><th id="L2364"><a href="#L2364">2364</a></th><td> uint32_t iNtDll = UINT32_MAX; </td></tr><tr><th id="L2365"><a href="#L2365">2365</a></th><td> uint32_t iKernel32 = UINT32_MAX; </td></tr><tr><th id="L2366"><a href="#L2366">2366</a></th><td> i = pThis->cImages; </td></tr><tr><th id="L2367"><a href="#L2367">2367</a></th><td> while (i-- > 0) </td></tr><tr><th id="L2368"><a href="#L2368">2368</a></th><td> if (suplibHardenedStrCmp(pThis->aImages[i].pszName, "ntdll.dll") == 0) </td></tr><tr><th id="L2369"><a href="#L2369">2369</a></th><td> iNtDll = i; </td></tr><tr><th id="L2370"><a href="#L2370">2370</a></th><td> else if (suplibHardenedStrCmp(pThis->aImages[i].pszName, "kernel32.dll") == 0) </td></tr><tr><th id="L2371"><a href="#L2371">2371</a></th><td> iKernel32 = i; </td></tr><tr><th id="L2372"><a href="#L2372">2372</a></th><td> if (iNtDll == UINT32_MAX) </td></tr><tr><th id="L2373"><a href="#L2373">2373</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_NTDLL_MAPPING, </td></tr><tr><th id="L2374"><a href="#L2374">2374</a></th><td> "The process has no NTDLL.DLL."); </td></tr><tr><th id="L2375"><a href="#L2375">2375</a></th><td> if (iKernel32 == UINT32_MAX && pThis->enmKind == SUPHARDNTVPKIND_SELF_PURIFICATION) </td></tr><tr><th id="L2376"><a href="#L2376">2376</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_NO_KERNEL32_MAPPING, </td></tr><tr><th id="L2377"><a href="#L2377">2377</a></th><td> "The process has no KERNEL32.DLL."); </td></tr><tr><th id="L2378"><a href="#L2378">2378</a></th><td> else if (iKernel32 != UINT32_MAX && pThis->enmKind == SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L2379"><a href="#L2379">2379</a></th><td> return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_KERNEL32_ALREADY_MAPPED, </td></tr><tr><th id="L2380"><a href="#L2380">2380</a></th><td> "The process already has KERNEL32.DLL loaded."); </td></tr><tr><th id="L2381"><a href="#L2381">2381</a></th><td> </td></tr><tr><th id="L2382"><a href="#L2382">2382</a></th><td> /* </td></tr><tr><th id="L2383"><a href="#L2383">2383</a></th><td> * Verify that the DLLs are correctly signed (by MS). </td></tr><tr><th id="L2384"><a href="#L2384">2384</a></th><td> */ </td></tr><tr><th id="L2385"><a href="#L2385">2385</a></th><td> i = pThis->cImages; </td></tr><tr><th id="L2386"><a href="#L2386">2386</a></th><td> while (i-- > 0) </td></tr><tr><th id="L2387"><a href="#L2387">2387</a></th><td> { </td></tr><tr><th id="L2388"><a href="#L2388">2388</a></th><td> int rc = supHardNtVpVerifyImage(pThis, &pThis->aImages[i]); </td></tr><tr><th id="L2389"><a href="#L2389">2389</a></th><td> if (RT_FAILURE(rc)) </td></tr><tr><th id="L2390"><a href="#L2390">2390</a></th><td> return rc; </td></tr><tr><th id="L2391"><a href="#L2391">2391</a></th><td> } </td></tr><tr><th id="L2392"><a href="#L2392">2392</a></th><td> </td></tr><tr><th id="L2393"><a href="#L2393">2393</a></th><td> return VINF_SUCCESS; </td></tr><tr><th id="L2394"><a href="#L2394">2394</a></th><td>} </td></tr><tr><th id="L2395"><a href="#L2395">2395</a></th><td> </td></tr><tr><th id="L2396"><a href="#L2396">2396</a></th><td> </td></tr><tr><th id="L2397"><a href="#L2397">2397</a></th><td>/** </td></tr><tr><th id="L2398"><a href="#L2398">2398</a></th><td> * Verifies the given process. </td></tr><tr><th id="L2399"><a href="#L2399">2399</a></th><td> * </td></tr><tr><th id="L2400"><a href="#L2400">2400</a></th><td> * The following requirements are checked: </td></tr><tr><th id="L2401"><a href="#L2401">2401</a></th><td> * - The process only has one thread, the calling thread. </td></tr><tr><th id="L2402"><a href="#L2402">2402</a></th><td> * - The process has no debugger attached. </td></tr><tr><th id="L2403"><a href="#L2403">2403</a></th><td> * - The executable image of the process is verified to be signed with </td></tr><tr><th id="L2404"><a href="#L2404">2404</a></th><td> * certificate known to this code at build time. </td></tr><tr><th id="L2405"><a href="#L2405">2405</a></th><td> * - The executable image is one of a predefined set. </td></tr><tr><th id="L2406"><a href="#L2406">2406</a></th><td> * - The process has only a very limited set of system DLLs loaded. </td></tr><tr><th id="L2407"><a href="#L2407">2407</a></th><td> * - The system DLLs signatures check out fine. </td></tr><tr><th id="L2408"><a href="#L2408">2408</a></th><td> * - The only executable memory in the process belongs to the system DLLs and </td></tr><tr><th id="L2409"><a href="#L2409">2409</a></th><td> * the executable image. </td></tr><tr><th id="L2410"><a href="#L2410">2410</a></th><td> * </td></tr><tr><th id="L2411"><a href="#L2411">2411</a></th><td> * @returns VBox status code. </td></tr><tr><th id="L2412"><a href="#L2412">2412</a></th><td> * @param hProcess The process to verify. </td></tr><tr><th id="L2413"><a href="#L2413">2413</a></th><td> * @param hThread A thread in the process (the caller). </td></tr><tr><th id="L2414"><a href="#L2414">2414</a></th><td> * @param enmKind The kind of process verification to perform. </td></tr><tr><th id="L2415"><a href="#L2415">2415</a></th><td> * @param fFlags Valid combination of SUPHARDNTVP_F_XXX flags. </td></tr><tr><th id="L2416"><a href="#L2416">2416</a></th><td> * @param pErrInfo Pointer to error info structure. Optional. </td></tr><tr><th id="L2417"><a href="#L2417">2417</a></th><td> * @param pcFixes Where to return the number of fixes made during </td></tr><tr><th id="L2418"><a href="#L2418">2418</a></th><td> * purification. Optional. </td></tr><tr><th id="L2419"><a href="#L2419">2419</a></th><td> */ </td></tr><tr><th id="L2420"><a href="#L2420">2420</a></th><td>DECLHIDDEN(int) supHardenedWinVerifyProcess(HANDLE hProcess, HANDLE hThread, SUPHARDNTVPKIND enmKind, uint32_t fFlags, </td></tr><tr><th id="L2421"><a href="#L2421">2421</a></th><td> uint32_t *pcFixes, PRTERRINFO pErrInfo) </td></tr><tr><th id="L2422"><a href="#L2422">2422</a></th><td>{ </td></tr><tr><th id="L2423"><a href="#L2423">2423</a></th><td> if (pcFixes) </td></tr><tr><th id="L2424"><a href="#L2424">2424</a></th><td> *pcFixes = 0; </td></tr><tr><th id="L2425"><a href="#L2425">2425</a></th><td> </td></tr><tr><th id="L2426"><a href="#L2426">2426</a></th><td> /* </td></tr><tr><th id="L2427"><a href="#L2427">2427</a></th><td> * Some basic checks regarding threads and debuggers. We don't need </td></tr><tr><th id="L2428"><a href="#L2428">2428</a></th><td> * allocate any state memory for these. </td></tr><tr><th id="L2429"><a href="#L2429">2429</a></th><td> */ </td></tr><tr><th id="L2430"><a href="#L2430">2430</a></th><td> int rc = VINF_SUCCESS; </td></tr><tr><th id="L2431"><a href="#L2431">2431</a></th><td> if (enmKind != SUPHARDNTVPKIND_CHILD_PURIFICATION) </td></tr><tr><th id="L2432"><a href="#L2432">2432</a></th><td> rc = supHardNtVpThread(hProcess, hThread, pErrInfo); </td></tr><tr><th id="L2433"><a href="#L2433">2433</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L2434"><a href="#L2434">2434</a></th><td> rc = supHardNtVpDebugger(hProcess, pErrInfo); </td></tr><tr><th id="L2435"><a href="#L2435">2435</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L2436"><a href="#L2436">2436</a></th><td> { </td></tr><tr><th id="L2437"><a href="#L2437">2437</a></th><td> /* </td></tr><tr><th id="L2438"><a href="#L2438">2438</a></th><td> * Allocate and initialize memory for the state. </td></tr><tr><th id="L2439"><a href="#L2439">2439</a></th><td> */ </td></tr><tr><th id="L2440"><a href="#L2440">2440</a></th><td> PSUPHNTVPSTATE pThis = (PSUPHNTVPSTATE)RTMemAllocZ(sizeof(*pThis)); </td></tr><tr><th id="L2441"><a href="#L2441">2441</a></th><td> if (pThis) </td></tr><tr><th id="L2442"><a href="#L2442">2442</a></th><td> { </td></tr><tr><th id="L2443"><a href="#L2443">2443</a></th><td> pThis->enmKind = enmKind; </td></tr><tr><th id="L2444"><a href="#L2444">2444</a></th><td> pThis->fFlags = fFlags; </td></tr><tr><th id="L2445"><a href="#L2445">2445</a></th><td> pThis->rcResult = VINF_SUCCESS; </td></tr><tr><th id="L2446"><a href="#L2446">2446</a></th><td> pThis->hProcess = hProcess; </td></tr><tr><th id="L2447"><a href="#L2447">2447</a></th><td> pThis->pErrInfo = pErrInfo; </td></tr><tr><th id="L2448"><a href="#L2448">2448</a></th><td> </td></tr><tr><th id="L2449"><a href="#L2449">2449</a></th><td> /* </td></tr><tr><th id="L2450"><a href="#L2450">2450</a></th><td> * Perform the verification. </td></tr><tr><th id="L2451"><a href="#L2451">2451</a></th><td> */ </td></tr><tr><th id="L2452"><a href="#L2452">2452</a></th><td> rc = supHardNtVpScanVirtualMemory(pThis, hProcess); </td></tr><tr><th id="L2453"><a href="#L2453">2453</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L2454"><a href="#L2454">2454</a></th><td> rc = supHardNtVpOpenImages(pThis); </td></tr><tr><th id="L2455"><a href="#L2455">2455</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L2456"><a href="#L2456">2456</a></th><td> rc = supHardNtVpCheckExe(pThis); </td></tr><tr><th id="L2457"><a href="#L2457">2457</a></th><td> if (RT_SUCCESS(rc)) </td></tr><tr><th id="L2458"><a href="#L2458">2458</a></th><td> rc = supHardNtVpCheckDlls(pThis); </td></tr><tr><th id="L2459"><a href="#L2459">2459</a></th><td> </td></tr><tr><th id="L2460"><a href="#L2460">2460</a></th><td> if (pcFixes) </td></tr><tr><th id="L2461"><a href="#L2461">2461</a></th><td> *pcFixes = pThis->cFixes; </td></tr><tr><th id="L2462"><a href="#L2462">2462</a></th><td> </td></tr><tr><th id="L2463"><a href="#L2463">2463</a></th><td> /* </td></tr><tr><th id="L2464"><a href="#L2464">2464</a></th><td> * Clean up the state. </td></tr><tr><th id="L2465"><a href="#L2465">2465</a></th><td> */ </td></tr><tr><th id="L2466"><a href="#L2466">2466</a></th><td>#ifdef IN_RING0 </td></tr><tr><th id="L2467"><a href="#L2467">2467</a></th><td> for (uint32_t i = 0; i < pThis->cImages; i++) </td></tr><tr><th id="L2468"><a href="#L2468">2468</a></th><td> supHardNTLdrCacheDeleteEntry(&pThis->aImages[i].CacheEntry); </td></tr><tr><th id="L2469"><a href="#L2469">2469</a></th><td>#endif </td></tr><tr><th id="L2470"><a href="#L2470">2470</a></th><td> RTMemFree(pThis); </td></tr><tr><th id="L2471"><a href="#L2471">2471</a></th><td> } </td></tr><tr><th id="L2472"><a href="#L2472">2472</a></th><td> else </td></tr><tr><th id="L2473"><a href="#L2473">2473</a></th><td> rc = supHardNtVpSetInfo1(pErrInfo, VERR_SUP_VP_NO_MEMORY_STATE, </td></tr><tr><th id="L2474"><a href="#L2474">2474</a></th><td> "Failed to allocate %zu bytes for state structures.", sizeof(*pThis)); </td></tr><tr><th id="L2475"><a href="#L2475">2475</a></th><td> } </td></tr><tr><th id="L2476"><a href="#L2476">2476</a></th><td> return rc; </td></tr><tr><th id="L2477"><a href="#L2477">2477</a></th><td>} </td></tr><tr><th id="L2478"><a href="#L2478">2478</a></th><td> </td></tr></tbody></table> </div> <div id="anydiff"> <form action="/diff" method="get"> <div class="buttons"> <input type="hidden" name="new_path" value="/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp" /> <input type="hidden" name="old_path" value="/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp" /> <input type="hidden" name="new_rev" value="67954" /> <input type="hidden" name="old_rev" value="67954" /> <input type="submit" value="View changes..." title="Select paths and revs for Diff" /> </div> </form> </div> <div class="trac-help"> Note: See <a href="/wiki/TracBrowser">TracBrowser</a> for help on using the repository browser. </div> </div>  <div id="altlinks"> <h3>Download in other formats:</h3> <ul> <li class="first"> <a rel="nofollow" href="/browser/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp?rev=67954&format=txt" class=""> Plain Text</a> </li> <li class="last"> <a rel="nofollow" href="/export/67954/vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp" class=""> Original Format</a> </li> </ul> </div>   </div> <div id="footer"><hr/> <a id="tracpowered" href="https://trac.edgewall.org/" ><img src="/chrome/common/trac_logo_mini.png" height="30" width="107" alt="Trac Powered"/></a> Powered by <a href="/about">Trac 1.4.3.2</a> By <a href="http://www.edgewall.org/">Edgewall Software</a> . </div>  </div> <div id="vboxfooter"> <a href="https://www.oracle.com"> © 2024 Oracle</a> <a href="https://www.oracle.com/virtualization/virtualbox/#rc30category-support-services">Support</a> <a href="https://www.oracle.com/html/privacy.html">Privacy </a> / <a href="https://www.oracle.com/legal/privacy/privacy-choices.html"> Do Not Sell My Info</a> <a href="https://www.oracle.com/html/terms.html">Terms of Use</a> <a href="https://www.oracle.com/legal/trademarks.html">Trademark Policy</a> <a href="/wiki/AutomatedAccessEtiquette">Automated Access Etiquette</a> </div>   </body> </html>