VirtualBox

source: vbox/trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp@ 70917

Last change on this file since 70917 was 70917, checked in by vboxsync, 7 years ago

SUPDrv,VMM: Added SUPR0GetRawModeUsability() for checking whether we're allowed to modify CR4 under Hyper-V. It's called from VMMR0/ModuleInit and the result is cached in a global variable and checked before we call into RC.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 196.1 KB
Line 
1/* $Id: SUPDrv-win.cpp 70917 2018-02-08 15:56:43Z vboxsync $ */
2/** @file
3 * VBoxDrv - The VirtualBox Support Driver - Windows NT specifics.
4 */
5
6/*
7 * Copyright (C) 2006-2017 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#define IPRT_NT_MAP_TO_ZW
32#define LOG_GROUP LOG_GROUP_SUP_DRV
33#include "../SUPDrvInternal.h"
34#include <excpt.h>
35#include <ntimage.h>
36
37#include <iprt/assert.h>
38#include <iprt/avl.h>
39#include <iprt/ctype.h>
40#include <iprt/initterm.h>
41#include <iprt/mem.h>
42#include <iprt/process.h>
43#include <iprt/power.h>
44#include <iprt/rand.h>
45#include <iprt/semaphore.h>
46#include <iprt/spinlock.h>
47#include <iprt/string.h>
48#include <iprt/x86.h>
49#include <VBox/log.h>
50#include <VBox/err.h>
51
52#include <iprt/asm-amd64-x86.h>
53
54#ifdef VBOX_WITH_HARDENING
55# include "SUPHardenedVerify-win.h"
56#endif
57
58
59/*********************************************************************************************************************************
60* Defined Constants And Macros *
61*********************************************************************************************************************************/
62/** The support service name. */
63#define SERVICE_NAME "VBoxDrv"
64/** The Pool tag (VBox). */
65#define SUPDRV_NT_POOL_TAG 'xoBV'
66
67/** NT device name for user access. */
68#define DEVICE_NAME_NT_USR L"\\Device\\VBoxDrvU"
69#ifdef VBOX_WITH_HARDENING
70/** Macro for checking for deflecting calls to the stub device. */
71# define VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_DEV(a_pDevObj, a_pIrp) \
72 do { if ((a_pDevObj) == g_pDevObjStub) \
73 return supdrvNtCompleteRequest(STATUS_ACCESS_DENIED, a_pIrp); \
74 } while (0)
75/** Macro for checking for deflecting calls to the stub and error info
76 * devices. */
77# define VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_OR_ERROR_INFO_DEV(a_pDevObj, a_pIrp) \
78 do { if ((a_pDevObj) == g_pDevObjStub || (a_pDevObj) == g_pDevObjErrorInfo) \
79 return supdrvNtCompleteRequest(STATUS_ACCESS_DENIED, a_pIrp); \
80 } while (0)
81#else
82# define VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_DEV(a_pDevObj, a_pIrp) do {} while (0)
83# define VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_OR_ERROR_INFO_DEV(a_pDevObj, a_pIrp) do {} while (0)
84#endif
85
86/** Enables the fast I/O control code path. */
87#define VBOXDRV_WITH_FAST_IO
88
89
90/*********************************************************************************************************************************
91* Structures and Typedefs *
92*********************************************************************************************************************************/
93/**
94 * Device extension used by VBoxDrvU.
95 */
96typedef struct SUPDRVDEVEXTUSR
97{
98 /** Global cookie (same location as in SUPDRVDEVEXT, different value). */
99 uint32_t u32Cookie;
100 /** Pointer to the main driver extension. */
101 PSUPDRVDEVEXT pMainDrvExt;
102} SUPDRVDEVEXTUSR;
103AssertCompileMembersAtSameOffset(SUPDRVDEVEXT, u32Cookie, SUPDRVDEVEXTUSR, u32Cookie);
104/** Pointer to the VBoxDrvU device extension. */
105typedef SUPDRVDEVEXTUSR *PSUPDRVDEVEXTUSR;
106/** Value of SUPDRVDEVEXTUSR::u32Cookie. */
107#define SUPDRVDEVEXTUSR_COOKIE UINT32_C(0x12345678)
108
109/** Get the main device extension. */
110#define SUPDRVNT_GET_DEVEXT(pDevObj) \
111 ( pDevObj != g_pDevObjUsr \
112 ? (PSUPDRVDEVEXT)pDevObj->DeviceExtension \
113 : ((PSUPDRVDEVEXTUSR)pDevObj->DeviceExtension)->pMainDrvExt )
114
115#ifdef VBOX_WITH_HARDENING
116
117/**
118 * Device extension used by VBoxDrvStub.
119 */
120typedef struct SUPDRVDEVEXTSTUB
121{
122 /** Common header. */
123 SUPDRVDEVEXTUSR Common;
124} SUPDRVDEVEXTSTUB;
125/** Pointer to the VBoxDrvStub device extension. */
126typedef SUPDRVDEVEXTSTUB *PSUPDRVDEVEXTSTUB;
127/** Value of SUPDRVDEVEXTSTUB::Common.u32Cookie. */
128#define SUPDRVDEVEXTSTUB_COOKIE UINT32_C(0x90abcdef)
129
130
131/**
132 * Device extension used by VBoxDrvErrorInfo.
133 */
134typedef struct SUPDRVDEVEXTERRORINFO
135{
136 /** Common header. */
137 SUPDRVDEVEXTUSR Common;
138} SUPDRVDEVEXTERRORINFO;
139/** Pointer to the VBoxDrvErrorInfo device extension. */
140typedef SUPDRVDEVEXTERRORINFO *PSUPDRVDEVEXTERRORINFO;
141/** Value of SUPDRVDEVEXTERRORINFO::Common.u32Cookie. */
142#define SUPDRVDEVEXTERRORINFO_COOKIE UINT32_C(0xBadC0ca0)
143
144/**
145 * Error info for a failed VBoxDrv or VBoxDrvStub open attempt.
146 */
147typedef struct SUPDRVNTERRORINFO
148{
149 /** The list entry (in g_ErrorInfoHead). */
150 RTLISTNODE ListEntry;
151 /** The ID of the process this error info belongs to. */
152 HANDLE hProcessId;
153 /** The ID of the thread owning this info. */
154 HANDLE hThreadId;
155 /** Milliseconds createion timestamp (for cleaning up). */
156 uint64_t uCreatedMsTs;
157 /** Number of bytes of valid info. */
158 uint32_t cchErrorInfo;
159 /** The error info. */
160 char szErrorInfo[16384 - sizeof(RTLISTNODE) - sizeof(HANDLE)*2 - sizeof(uint64_t) - sizeof(uint32_t) - 0x20];
161} SUPDRVNTERRORINFO;
162/** Pointer to error info. */
163typedef SUPDRVNTERRORINFO *PSUPDRVNTERRORINFO;
164
165
166/**
167 * The kind of process we're protecting.
168 */
169typedef enum SUPDRVNTPROTECTKIND
170{
171 kSupDrvNtProtectKind_Invalid = 0,
172
173 /** Stub process protection while performing process verification.
174 * Next: StubSpawning (or free) */
175 kSupDrvNtProtectKind_StubUnverified,
176 /** Stub process protection before it creates the VM process.
177 * Next: StubParent, StubDead. */
178 kSupDrvNtProtectKind_StubSpawning,
179 /** Stub process protection while having a VM process as child.
180 * Next: StubDead */
181 kSupDrvNtProtectKind_StubParent,
182 /** Dead stub process. */
183 kSupDrvNtProtectKind_StubDead,
184
185 /** Potential VM process.
186 * Next: VmProcessConfirmed, VmProcessDead. */
187 kSupDrvNtProtectKind_VmProcessUnconfirmed,
188 /** Confirmed VM process.
189 * Next: VmProcessDead. */
190 kSupDrvNtProtectKind_VmProcessConfirmed,
191 /** Dead VM process. */
192 kSupDrvNtProtectKind_VmProcessDead,
193
194 /** End of valid protection kinds. */
195 kSupDrvNtProtectKind_End
196} SUPDRVNTPROTECTKIND;
197
198/**
199 * A NT process protection structure.
200 */
201typedef struct SUPDRVNTPROTECT
202{
203 /** The AVL node core structure. The process ID is the pid. */
204 AVLPVNODECORE AvlCore;
205 /** Magic value (SUPDRVNTPROTECT_MAGIC). */
206 uint32_t volatile u32Magic;
207 /** Reference counter. */
208 uint32_t volatile cRefs;
209 /** The kind of process we're protecting. */
210 SUPDRVNTPROTECTKIND volatile enmProcessKind;
211 /** Whether this structure is in the tree. */
212 bool fInTree : 1;
213 /** 7,: Hack to allow the supid themes service duplicate handle privileges to
214 * our process. */
215 bool fThemesFirstProcessCreateHandle : 1;
216 /** Vista, 7 & 8: Hack to allow more rights to the handle returned by
217 * NtCreateUserProcess. Only applicable to VmProcessUnconfirmed. */
218 bool fFirstProcessCreateHandle : 1;
219 /** Vista, 7 & 8: Hack to allow more rights to the handle returned by
220 * NtCreateUserProcess. Only applicable to VmProcessUnconfirmed. */
221 bool fFirstThreadCreateHandle : 1;
222 /** 8.1: Hack to allow more rights to the handle returned by
223 * NtCreateUserProcess. Only applicable to VmProcessUnconfirmed. */
224 bool fCsrssFirstProcessCreateHandle : 1;
225 /** Vista, 7 & 8: Hack to allow more rights to the handle duplicated by CSRSS
226 * during process creation. Only applicable to VmProcessUnconfirmed. On
227 * 32-bit systems we allow two as ZoneAlarm's system call hooks has been
228 * observed to do some seemingly unnecessary duplication work. */
229 int32_t volatile cCsrssFirstProcessDuplicateHandle;
230
231 /** The parent PID for VM processes, otherwise NULL. */
232 HANDLE hParentPid;
233 /** The TID of the thread opening VBoxDrv or VBoxDrvStub, NULL if not opened. */
234 HANDLE hOpenTid;
235 /** The PID of the CSRSS process associated with this process. */
236 HANDLE hCsrssPid;
237 /** Pointer to the CSRSS process structure (referenced). */
238 PEPROCESS pCsrssProcess;
239 /** State dependent data. */
240 union
241 {
242 /** A stub process in the StubParent state will keep a reference to a child
243 * while it's in the VmProcessUnconfirmed state so that it can be cleaned up
244 * correctly if things doesn't work out. */
245 struct SUPDRVNTPROTECT *pChild;
246 /** A process in the VmProcessUnconfirmed state will keep a weak
247 * reference to the parent's protection structure so it can clean up the pChild
248 * reference the parent has to it. */
249 struct SUPDRVNTPROTECT *pParent;
250 } u;
251} SUPDRVNTPROTECT;
252/** Pointer to a NT process protection record. */
253typedef SUPDRVNTPROTECT *PSUPDRVNTPROTECT;
254/** The SUPDRVNTPROTECT::u32Magic value (Robert A. Heinlein). */
255# define SUPDRVNTPROTECT_MAGIC UINT32_C(0x19070707)
256/** The SUPDRVNTPROTECT::u32Magic value of a dead structure. */
257# define SUPDRVNTPROTECT_MAGIC_DEAD UINT32_C(0x19880508)
258
259/** Pointer to ObGetObjectType. */
260typedef POBJECT_TYPE (NTAPI *PFNOBGETOBJECTTYPE)(PVOID);
261/** Pointer to ObRegisterCallbacks. */
262typedef NTSTATUS (NTAPI *PFNOBREGISTERCALLBACKS)(POB_CALLBACK_REGISTRATION, PVOID *);
263/** Pointer to ObUnregisterCallbacks. */
264typedef VOID (NTAPI *PFNOBUNREGISTERCALLBACKS)(PVOID);
265/** Pointer to PsSetCreateProcessNotifyRoutineEx. */
266typedef NTSTATUS (NTAPI *PFNPSSETCREATEPROCESSNOTIFYROUTINEEX)(PCREATE_PROCESS_NOTIFY_ROUTINE_EX, BOOLEAN);
267/** Pointer to PsReferenceProcessFilePointer. */
268typedef NTSTATUS (NTAPI *PFNPSREFERENCEPROCESSFILEPOINTER)(PEPROCESS, PFILE_OBJECT *);
269/** Pointer to PsIsProtectedProcessLight. */
270typedef BOOLEAN (NTAPI *PFNPSISPROTECTEDPROCESSLIGHT)(PEPROCESS);
271/** Pointer to ZwAlpcCreatePort. */
272typedef NTSTATUS (NTAPI *PFNZWALPCCREATEPORT)(PHANDLE, POBJECT_ATTRIBUTES, struct _ALPC_PORT_ATTRIBUTES *);
273
274#endif /* VBOX_WITH_HARDENINIG */
275
276
277/*********************************************************************************************************************************
278* Internal Functions *
279*********************************************************************************************************************************/
280static void _stdcall VBoxDrvNtUnload(PDRIVER_OBJECT pDrvObj);
281static NTSTATUS _stdcall VBoxDrvNtCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
282static NTSTATUS _stdcall VBoxDrvNtCleanup(PDEVICE_OBJECT pDevObj, PIRP pIrp);
283static NTSTATUS _stdcall VBoxDrvNtClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
284#ifdef VBOXDRV_WITH_FAST_IO
285static BOOLEAN _stdcall VBoxDrvNtFastIoDeviceControl(PFILE_OBJECT pFileObj, BOOLEAN fWait, PVOID pvInput, ULONG cbInput,
286 PVOID pvOutput, ULONG cbOutput, ULONG uCmd,
287 PIO_STATUS_BLOCK pIoStatus, PDEVICE_OBJECT pDevObj);
288#endif
289static NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
290static int VBoxDrvNtDeviceControlSlow(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PIRP pIrp, PIO_STACK_LOCATION pStack);
291static NTSTATUS _stdcall VBoxDrvNtInternalDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
292static VOID _stdcall VBoxPowerDispatchCallback(PVOID pCallbackContext, PVOID pArgument1, PVOID pArgument2);
293static NTSTATUS _stdcall VBoxDrvNtRead(PDEVICE_OBJECT pDevObj, PIRP pIrp);
294static NTSTATUS _stdcall VBoxDrvNtNotSupportedStub(PDEVICE_OBJECT pDevObj, PIRP pIrp);
295static NTSTATUS VBoxDrvNtErr2NtStatus(int rc);
296#ifdef VBOX_WITH_HARDENING
297static NTSTATUS supdrvNtProtectInit(void);
298static void supdrvNtProtectTerm(void);
299static int supdrvNtProtectCreate(PSUPDRVNTPROTECT *ppNtProtect, HANDLE hPid,
300 SUPDRVNTPROTECTKIND enmProcessKind, bool fLink);
301static void supdrvNtProtectRelease(PSUPDRVNTPROTECT pNtProtect);
302static PSUPDRVNTPROTECT supdrvNtProtectLookup(HANDLE hPid);
303static int supdrvNtProtectFindAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect);
304static int supdrvNtProtectVerifyProcess(PSUPDRVNTPROTECT pNtProtect);
305
306static bool supdrvNtIsDebuggerAttached(void);
307static void supdrvNtErrorInfoCleanupProcess(HANDLE hProcessId);
308
309#endif
310
311
312/*********************************************************************************************************************************
313* Exported Functions *
314*********************************************************************************************************************************/
315RT_C_DECLS_BEGIN
316NTSTATUS _stdcall DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath);
317RT_C_DECLS_END
318
319
320/*********************************************************************************************************************************
321* Global Variables *
322*********************************************************************************************************************************/
323/** Pointer to the system device instance. */
324static PDEVICE_OBJECT g_pDevObjSys = NULL;
325/** Pointer to the user device instance. */
326static PDEVICE_OBJECT g_pDevObjUsr = NULL;
327#ifdef VBOXDRV_WITH_FAST_IO
328/** Fast I/O dispatch table. */
329static FAST_IO_DISPATCH const g_VBoxDrvFastIoDispatch =
330{
331 /* .SizeOfFastIoDispatch = */ sizeof(g_VBoxDrvFastIoDispatch),
332 /* .FastIoCheckIfPossible = */ NULL,
333 /* .FastIoRead = */ NULL,
334 /* .FastIoWrite = */ NULL,
335 /* .FastIoQueryBasicInfo = */ NULL,
336 /* .FastIoQueryStandardInfo = */ NULL,
337 /* .FastIoLock = */ NULL,
338 /* .FastIoUnlockSingle = */ NULL,
339 /* .FastIoUnlockAll = */ NULL,
340 /* .FastIoUnlockAllByKey = */ NULL,
341 /* .FastIoDeviceControl = */ VBoxDrvNtFastIoDeviceControl,
342 /* .AcquireFileForNtCreateSection = */ NULL,
343 /* .ReleaseFileForNtCreateSection = */ NULL,
344 /* .FastIoDetachDevice = */ NULL,
345 /* .FastIoQueryNetworkOpenInfo = */ NULL,
346 /* .AcquireForModWrite = */ NULL,
347 /* .MdlRead = */ NULL,
348 /* .MdlReadComplete = */ NULL,
349 /* .PrepareMdlWrite = */ NULL,
350 /* .MdlWriteComplete = */ NULL,
351 /* .FastIoReadCompressed = */ NULL,
352 /* .FastIoWriteCompressed = */ NULL,
353 /* .MdlReadCompleteCompressed = */ NULL,
354 /* .MdlWriteCompleteCompressed = */ NULL,
355 /* .FastIoQueryOpen = */ NULL,
356 /* .ReleaseForModWrite = */ NULL,
357 /* .AcquireForCcFlush = */ NULL,
358 /* .ReleaseForCcFlush = */ NULL,
359};
360#endif /* VBOXDRV_WITH_FAST_IO */
361
362/** Default ZERO value. */
363static ULONG g_fOptDefaultZero = 0;
364/** Registry values.
365 * We wrap these in a struct to ensure they are followed by a little zero
366 * padding in order to limit the chance of trouble on unpatched systems. */
367struct
368{
369 /** The ForceAsync registry value. */
370 ULONG fOptForceAsyncTsc;
371 /** Padding. */
372 uint64_t au64Padding[2];
373} g_Options = { FALSE, 0, 0 };
374/** Registry query table for RtlQueryRegistryValues. */
375static RTL_QUERY_REGISTRY_TABLE g_aRegValues[] =
376{
377 {
378 /* .QueryRoutine = */ NULL,
379 /* .Flags = */ RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_TYPECHECK,
380 /* .Name = */ L"ForceAsyncTsc",
381 /* .EntryContext = */ &g_Options.fOptForceAsyncTsc,
382 /* .DefaultType = */ (REG_DWORD << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) | REG_DWORD,
383 /* .DefaultData = */ &g_fOptDefaultZero,
384 /* .DefaultLength = */ sizeof(g_fOptDefaultZero),
385 },
386 { NULL, 0, NULL, NULL, 0, NULL, 0 } /* terminator entry. */
387};
388
389/** Pointer to KeQueryMaximumGroupCount. */
390static PFNKEQUERYMAXIMUMGROUPCOUNT g_pfnKeQueryMaximumGroupCount = NULL;
391/** Pointer to KeGetProcessorIndexFromNumber. */
392static PFNKEGETPROCESSORINDEXFROMNUMBER g_pfnKeGetProcessorIndexFromNumber = NULL;
393/** Pointer to KeGetProcessorNumberFromIndex. */
394static PFNKEGETPROCESSORNUMBERFROMINDEX g_pfnKeGetProcessorNumberFromIndex = NULL;
395
396#ifdef VBOX_WITH_HARDENING
397/** Pointer to the stub device instance. */
398static PDEVICE_OBJECT g_pDevObjStub = NULL;
399/** Spinlock protecting g_NtProtectTree as well as the releasing of protection
400 * structures. */
401static RTSPINLOCK g_hNtProtectLock = NIL_RTSPINLOCK;
402/** AVL tree of SUPDRVNTPROTECT structures. */
403static AVLPVTREE g_NtProtectTree = NULL;
404/** Cookie returned by ObRegisterCallbacks for the callbacks. */
405static PVOID g_pvObCallbacksCookie = NULL;
406/** Combined windows NT version number. See SUP_MAKE_NT_VER_COMBINED. */
407uint32_t g_uNtVerCombined = 0;
408/** Pointer to ObGetObjectType if available.. */
409static PFNOBGETOBJECTTYPE g_pfnObGetObjectType = NULL;
410/** Pointer to ObRegisterCallbacks if available.. */
411static PFNOBREGISTERCALLBACKS g_pfnObRegisterCallbacks = NULL;
412/** Pointer to ObUnregisterCallbacks if available.. */
413static PFNOBUNREGISTERCALLBACKS g_pfnObUnRegisterCallbacks = NULL;
414/** Pointer to PsSetCreateProcessNotifyRoutineEx if available.. */
415static PFNPSSETCREATEPROCESSNOTIFYROUTINEEX g_pfnPsSetCreateProcessNotifyRoutineEx = NULL;
416/** Pointer to PsReferenceProcessFilePointer if available. */
417static PFNPSREFERENCEPROCESSFILEPOINTER g_pfnPsReferenceProcessFilePointer = NULL;
418/** Pointer to PsIsProtectedProcessLight. */
419static PFNPSISPROTECTEDPROCESSLIGHT g_pfnPsIsProtectedProcessLight = NULL;
420/** Pointer to ZwAlpcCreatePort. */
421static PFNZWALPCCREATEPORT g_pfnZwAlpcCreatePort = NULL;
422
423# ifdef RT_ARCH_AMD64
424extern "C" {
425/** Pointer to KiServiceLinkage (used to fake missing ZwQueryVirtualMemory on
426 * XP64 / W2K3-64). */
427PFNRT g_pfnKiServiceLinkage = NULL;
428/** Pointer to KiServiceInternal (used to fake missing ZwQueryVirtualMemory on
429 * XP64 / W2K3-64) */
430PFNRT g_pfnKiServiceInternal = NULL;
431}
432# endif
433/** The primary ALPC port object type. (LpcPortObjectType at init time.) */
434static POBJECT_TYPE g_pAlpcPortObjectType1 = NULL;
435/** The secondary ALPC port object type. (Sampled at runtime.) */
436static POBJECT_TYPE volatile g_pAlpcPortObjectType2 = NULL;
437
438/** Pointer to the error information device instance. */
439static PDEVICE_OBJECT g_pDevObjErrorInfo = NULL;
440/** Fast mutex semaphore protecting the error info list. */
441static RTSEMMUTEX g_hErrorInfoLock = NIL_RTSEMMUTEX;
442/** Head of the error info (SUPDRVNTERRORINFO). */
443static RTLISTANCHOR g_ErrorInfoHead;
444
445#endif
446
447
448/**
449 * Takes care of creating the devices and their symbolic links.
450 *
451 * @returns NT status code.
452 * @param pDrvObj Pointer to driver object.
453 */
454static NTSTATUS vboxdrvNtCreateDevices(PDRIVER_OBJECT pDrvObj)
455{
456 /*
457 * System device.
458 */
459 UNICODE_STRING DevName;
460 RtlInitUnicodeString(&DevName, SUPDRV_NT_DEVICE_NAME_SYS);
461 NTSTATUS rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXT), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_pDevObjSys);
462 if (NT_SUCCESS(rcNt))
463 {
464 /*
465 * User device.
466 */
467 RtlInitUnicodeString(&DevName, SUPDRV_NT_DEVICE_NAME_USR);
468 rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXTUSR), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_pDevObjUsr);
469 if (NT_SUCCESS(rcNt))
470 {
471 PSUPDRVDEVEXTUSR pDevExtUsr = (PSUPDRVDEVEXTUSR)g_pDevObjUsr->DeviceExtension;
472 pDevExtUsr->pMainDrvExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
473 pDevExtUsr->u32Cookie = SUPDRVDEVEXTUSR_COOKIE;
474
475#ifdef VBOX_WITH_HARDENING
476 /*
477 * Hardened stub device.
478 */
479 RtlInitUnicodeString(&DevName, SUPDRV_NT_DEVICE_NAME_STUB);
480 rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXTSTUB), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &g_pDevObjStub);
481 if (NT_SUCCESS(rcNt))
482 {
483 if (NT_SUCCESS(rcNt))
484 {
485 PSUPDRVDEVEXTSTUB pDevExtStub = (PSUPDRVDEVEXTSTUB)g_pDevObjStub->DeviceExtension;
486 pDevExtStub->Common.pMainDrvExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
487 pDevExtStub->Common.u32Cookie = SUPDRVDEVEXTSTUB_COOKIE;
488
489 /*
490 * Hardened error information device.
491 */
492 RtlInitUnicodeString(&DevName, SUPDRV_NT_DEVICE_NAME_ERROR_INFO);
493 rcNt = IoCreateDevice(pDrvObj, sizeof(SUPDRVDEVEXTERRORINFO), &DevName, FILE_DEVICE_UNKNOWN, 0, FALSE,
494 &g_pDevObjErrorInfo);
495 if (NT_SUCCESS(rcNt))
496 {
497 g_pDevObjErrorInfo->Flags |= DO_BUFFERED_IO;
498
499 if (NT_SUCCESS(rcNt))
500 {
501 PSUPDRVDEVEXTERRORINFO pDevExtStub = (PSUPDRVDEVEXTERRORINFO)g_pDevObjStub->DeviceExtension;
502 pDevExtStub->Common.pMainDrvExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
503 pDevExtStub->Common.u32Cookie = SUPDRVDEVEXTERRORINFO_COOKIE;
504
505#endif
506 /* Done. */
507 return rcNt;
508#ifdef VBOX_WITH_HARDENING
509 }
510
511 /* Bail out. */
512 IoDeleteDevice(g_pDevObjErrorInfo);
513 g_pDevObjErrorInfo = NULL;
514 }
515 }
516
517 /* Bail out. */
518 IoDeleteDevice(g_pDevObjStub);
519 g_pDevObjUsr = NULL;
520 }
521 IoDeleteDevice(g_pDevObjUsr);
522 g_pDevObjUsr = NULL;
523#endif
524 }
525 IoDeleteDevice(g_pDevObjSys);
526 g_pDevObjSys = NULL;
527 }
528 return rcNt;
529}
530
531/**
532 * Destroys the devices and links created by vboxdrvNtCreateDevices.
533 */
534static void vboxdrvNtDestroyDevices(void)
535{
536 if (g_pDevObjUsr)
537 {
538 PSUPDRVDEVEXTUSR pDevExtUsr = (PSUPDRVDEVEXTUSR)g_pDevObjUsr->DeviceExtension;
539 pDevExtUsr->pMainDrvExt = NULL;
540 }
541#ifdef VBOX_WITH_HARDENING
542 if (g_pDevObjStub)
543 {
544 PSUPDRVDEVEXTSTUB pDevExtStub = (PSUPDRVDEVEXTSTUB)g_pDevObjStub->DeviceExtension;
545 pDevExtStub->Common.pMainDrvExt = NULL;
546 }
547 if (g_pDevObjErrorInfo)
548 {
549 PSUPDRVDEVEXTERRORINFO pDevExtErrorInfo = (PSUPDRVDEVEXTERRORINFO)g_pDevObjStub->DeviceExtension;
550 pDevExtErrorInfo->Common.pMainDrvExt = NULL;
551 }
552#endif
553
554#ifdef VBOX_WITH_HARDENING
555 IoDeleteDevice(g_pDevObjErrorInfo);
556 g_pDevObjErrorInfo = NULL;
557 IoDeleteDevice(g_pDevObjStub);
558 g_pDevObjStub = NULL;
559#endif
560 IoDeleteDevice(g_pDevObjUsr);
561 g_pDevObjUsr = NULL;
562 IoDeleteDevice(g_pDevObjSys);
563 g_pDevObjSys = NULL;
564}
565
566
567/**
568 * Driver entry point.
569 *
570 * @returns appropriate status code.
571 * @param pDrvObj Pointer to driver object.
572 * @param pRegPath Registry base path.
573 */
574NTSTATUS _stdcall DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath)
575{
576 RT_NOREF1(pRegPath);
577
578 /*
579 * Sanity checks.
580 */
581#ifdef VBOXDRV_WITH_FAST_IO
582 if (g_VBoxDrvFastIoDispatch.FastIoDeviceControl != VBoxDrvNtFastIoDeviceControl)
583 {
584 DbgPrint("VBoxDrv: FastIoDeviceControl=%p instead of %p\n",
585 g_VBoxDrvFastIoDispatch.FastIoDeviceControl, VBoxDrvNtFastIoDeviceControl);
586 return STATUS_INTERNAL_ERROR;
587 }
588#endif
589
590 /*
591 * Query options first so any overflows on unpatched machines will do less
592 * harm (see MS11-011 / 2393802 / 2011-03-18).
593 *
594 * Unfortunately, pRegPath isn't documented as zero terminated, even if it
595 * quite likely always is, so we have to make a copy here.
596 */
597 NTSTATUS rcNt;
598 PWSTR pwszCopy = (PWSTR)ExAllocatePoolWithTag(NonPagedPool, pRegPath->Length + sizeof(WCHAR), 'VBox');
599 if (pwszCopy)
600 {
601 memcpy(pwszCopy, pRegPath->Buffer, pRegPath->Length);
602 pwszCopy[pRegPath->Length / sizeof(WCHAR)] = '\0';
603 rcNt = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE | RTL_REGISTRY_OPTIONAL, pwszCopy,
604 g_aRegValues, NULL /*pvContext*/, NULL /*pvEnv*/);
605 ExFreePoolWithTag(pwszCopy, 'VBox');
606 /* Probably safe to ignore rcNt here. */
607 }
608
609 /*
610 * Resolve methods we want but isn't available everywhere.
611 */
612 UNICODE_STRING RoutineName;
613 RtlInitUnicodeString(&RoutineName, L"KeQueryMaximumGroupCount");
614 g_pfnKeQueryMaximumGroupCount = (PFNKEQUERYMAXIMUMGROUPCOUNT)MmGetSystemRoutineAddress(&RoutineName);
615
616 RtlInitUnicodeString(&RoutineName, L"KeGetProcessorIndexFromNumber");
617 g_pfnKeGetProcessorIndexFromNumber = (PFNKEGETPROCESSORINDEXFROMNUMBER)MmGetSystemRoutineAddress(&RoutineName);
618
619 RtlInitUnicodeString(&RoutineName, L"KeGetProcessorNumberFromIndex");
620 g_pfnKeGetProcessorNumberFromIndex = (PFNKEGETPROCESSORNUMBERFROMINDEX)MmGetSystemRoutineAddress(&RoutineName);
621
622 Assert( (g_pfnKeGetProcessorNumberFromIndex != NULL) == (g_pfnKeGetProcessorIndexFromNumber != NULL)
623 && (g_pfnKeGetProcessorNumberFromIndex != NULL) == (g_pfnKeQueryMaximumGroupCount != NULL)); /* all or nothing. */
624
625 /*
626 * Initialize the runtime (IPRT).
627 */
628 int vrc = RTR0Init(0);
629 if (RT_SUCCESS(vrc))
630 {
631 Log(("VBoxDrv::DriverEntry\n"));
632
633#ifdef VBOX_WITH_HARDENING
634 /*
635 * Initialize process protection.
636 */
637 rcNt = supdrvNtProtectInit();
638 if (NT_SUCCESS(rcNt))
639#endif
640 {
641 /*
642 * Create device.
643 * (That means creating a device object and a symbolic link so the DOS
644 * subsystems (OS/2, win32, ++) can access the device.)
645 */
646 rcNt = vboxdrvNtCreateDevices(pDrvObj);
647 if (NT_SUCCESS(rcNt))
648 {
649 /*
650 * Initialize the device extension.
651 */
652 PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
653 memset(pDevExt, 0, sizeof(*pDevExt));
654
655 vrc = supdrvInitDevExt(pDevExt, sizeof(SUPDRVSESSION));
656 if (!vrc)
657 {
658 /*
659 * Setup the driver entry points in pDrvObj.
660 */
661 pDrvObj->DriverUnload = VBoxDrvNtUnload;
662 pDrvObj->MajorFunction[IRP_MJ_CREATE] = VBoxDrvNtCreate;
663 pDrvObj->MajorFunction[IRP_MJ_CLEANUP] = VBoxDrvNtCleanup;
664 pDrvObj->MajorFunction[IRP_MJ_CLOSE] = VBoxDrvNtClose;
665 pDrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = VBoxDrvNtDeviceControl;
666 pDrvObj->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = VBoxDrvNtInternalDeviceControl;
667 pDrvObj->MajorFunction[IRP_MJ_READ] = VBoxDrvNtRead;
668 pDrvObj->MajorFunction[IRP_MJ_WRITE] = VBoxDrvNtNotSupportedStub;
669
670#ifdef VBOXDRV_WITH_FAST_IO
671 /* Fast I/O to speed up guest execution roundtrips. */
672 pDrvObj->FastIoDispatch = (PFAST_IO_DISPATCH)&g_VBoxDrvFastIoDispatch;
673#endif
674
675 /*
676 * Register ourselves for power state changes. We don't
677 * currently care if this fails.
678 */
679 UNICODE_STRING CallbackName;
680 RtlInitUnicodeString(&CallbackName, L"\\Callback\\PowerState");
681
682 OBJECT_ATTRIBUTES Attr;
683 InitializeObjectAttributes(&Attr, &CallbackName, OBJ_CASE_INSENSITIVE, NULL, NULL);
684
685 rcNt = ExCreateCallback(&pDevExt->pObjPowerCallback, &Attr, TRUE, TRUE);
686 if (rcNt == STATUS_SUCCESS)
687 pDevExt->hPowerCallback = ExRegisterCallback(pDevExt->pObjPowerCallback,
688 VBoxPowerDispatchCallback,
689 g_pDevObjSys);
690
691 /*
692 * Done! Returning success!
693 */
694 Log(("VBoxDrv::DriverEntry returning STATUS_SUCCESS\n"));
695 return STATUS_SUCCESS;
696 }
697
698 Log(("supdrvInitDevExit failed with vrc=%d!\n", vrc));
699 rcNt = VBoxDrvNtErr2NtStatus(vrc);
700
701 vboxdrvNtDestroyDevices();
702 }
703#ifdef VBOX_WITH_HARDENING
704 supdrvNtProtectTerm();
705#endif
706 }
707 RTTermRunCallbacks(RTTERMREASON_UNLOAD, 0);
708 RTR0Term();
709 }
710 else
711 {
712 Log(("RTR0Init failed with vrc=%d!\n", vrc));
713 rcNt = VBoxDrvNtErr2NtStatus(vrc);
714 }
715 if (NT_SUCCESS(rcNt))
716 rcNt = STATUS_INVALID_PARAMETER;
717 return rcNt;
718}
719
720
721/**
722 * Unload the driver.
723 *
724 * @param pDrvObj Driver object.
725 */
726void _stdcall VBoxDrvNtUnload(PDRIVER_OBJECT pDrvObj)
727{
728 PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
729
730 Log(("VBoxDrvNtUnload at irql %d\n", KeGetCurrentIrql()));
731
732 /* Clean up the power callback registration. */
733 if (pDevExt->hPowerCallback)
734 ExUnregisterCallback(pDevExt->hPowerCallback);
735 if (pDevExt->pObjPowerCallback)
736 ObDereferenceObject(pDevExt->pObjPowerCallback);
737
738 /*
739 * We ASSUME that it's not possible to unload a driver with open handles.
740 */
741 supdrvDeleteDevExt(pDevExt);
742#ifdef VBOX_WITH_HARDENING
743 supdrvNtProtectTerm();
744#endif
745 RTTermRunCallbacks(RTTERMREASON_UNLOAD, 0);
746 RTR0Term();
747 vboxdrvNtDestroyDevices();
748
749 NOREF(pDrvObj);
750}
751
752
753/**
754 * For simplifying request completion into a simple return statement, extended
755 * version.
756 *
757 * @returns rcNt
758 * @param rcNt The status code.
759 * @param uInfo Extra info value.
760 * @param pIrp The IRP.
761 */
762DECLINLINE(NTSTATUS) supdrvNtCompleteRequestEx(NTSTATUS rcNt, ULONG_PTR uInfo, PIRP pIrp)
763{
764 pIrp->IoStatus.Status = rcNt;
765 pIrp->IoStatus.Information = uInfo;
766 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
767 return rcNt;
768}
769
770
771/**
772 * For simplifying request completion into a simple return statement.
773 *
774 * @returns rcNt
775 * @param rcNt The status code.
776 * @param pIrp The IRP.
777 */
778DECLINLINE(NTSTATUS) supdrvNtCompleteRequest(NTSTATUS rcNt, PIRP pIrp)
779{
780 return supdrvNtCompleteRequestEx(rcNt, 0 /*uInfo*/, pIrp);
781}
782
783
784/**
785 * Create (i.e. Open) file entry point.
786 *
787 * @param pDevObj Device object.
788 * @param pIrp Request packet.
789 */
790NTSTATUS _stdcall VBoxDrvNtCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
791{
792 Log(("VBoxDrvNtCreate: RequestorMode=%d\n", pIrp->RequestorMode));
793 PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
794 PFILE_OBJECT pFileObj = pStack->FileObject;
795 PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
796
797 /*
798 * We are not remotely similar to a directory...
799 * (But this is possible.)
800 */
801 if (pStack->Parameters.Create.Options & FILE_DIRECTORY_FILE)
802 return supdrvNtCompleteRequest(STATUS_NOT_A_DIRECTORY, pIrp);
803
804 /*
805 * Don't create a session for kernel clients, they'll close the handle
806 * immediately and work with the file object via
807 * VBoxDrvNtInternalDeviceControl. The first request will be one to
808 * create a session.
809 */
810 NTSTATUS rcNt;
811 if (pIrp->RequestorMode == KernelMode)
812 {
813 if (pDevObj == g_pDevObjSys)
814 return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
815
816 rcNt = STATUS_ACCESS_DENIED;
817 }
818#ifdef VBOX_WITH_HARDENING
819 /*
820 * Anyone can open the error device.
821 */
822 else if (pDevObj == g_pDevObjErrorInfo)
823 {
824 pFileObj->FsContext = NULL;
825 return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
826 }
827#endif
828 else
829 {
830#if defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITHOUT_DEBUGGER_CHECKS)
831 /*
832 * Make sure no debuggers are attached to non-user processes.
833 */
834 if ( pDevObj != g_pDevObjUsr
835 && supdrvNtIsDebuggerAttached())
836 {
837 LogRel(("vboxdrv: Process %p is being debugged, access to vboxdrv / vboxdrvu declined.\n",
838 PsGetProcessId(PsGetCurrentProcess())));
839 rcNt = STATUS_TRUST_FAILURE;
840 }
841 else
842#endif
843 {
844 int rc = VINF_SUCCESS;
845
846#ifdef VBOX_WITH_HARDENING
847 /*
848 * Access to the stub device is only granted to processes which
849 * passes verification.
850 *
851 * Note! The stub device has no need for a SUPDRVSESSION structure,
852 * so the it uses the SUPDRVNTPROTECT directly instead.
853 */
854 if (pDevObj == g_pDevObjStub)
855 {
856 PSUPDRVNTPROTECT pNtProtect = NULL;
857 rc = supdrvNtProtectCreate(&pNtProtect, PsGetProcessId(PsGetCurrentProcess()),
858 kSupDrvNtProtectKind_StubUnverified, true /*fLink*/);
859 if (RT_SUCCESS(rc))
860 {
861 rc = supdrvNtProtectFindAssociatedCsrss(pNtProtect);
862 if (RT_SUCCESS(rc))
863 rc = supdrvNtProtectVerifyProcess(pNtProtect);
864 if (RT_SUCCESS(rc))
865 {
866 pFileObj->FsContext = pNtProtect; /* Keeps reference. */
867 return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
868 }
869
870 supdrvNtProtectRelease(pNtProtect);
871 }
872 LogRel(("vboxdrv: Declined %p access to VBoxDrvStub: rc=%d\n", PsGetProcessId(PsGetCurrentProcess()), rc));
873 }
874 /*
875 * Unrestricted access is only granted to a process in the
876 * VmProcessUnconfirmed state that checks out correctly and is
877 * allowed to transition to VmProcessConfirmed. Again, only one
878 * session per process.
879 */
880 else if (pDevObj != g_pDevObjUsr)
881 {
882 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(PsGetProcessId(PsGetCurrentProcess()));
883 if (pNtProtect)
884 {
885 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
886 {
887 rc = supdrvNtProtectVerifyProcess(pNtProtect);
888 if (RT_SUCCESS(rc))
889 {
890 /* Create a session. */
891 PSUPDRVSESSION pSession;
892 rc = supdrvCreateSession(pDevExt, true /*fUser*/, pDevObj == g_pDevObjSys /*fUnrestricted*/,
893 &pSession);
894 if (RT_SUCCESS(rc))
895 {
896 rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
897 supdrvSessionRelease(pSession);
898 if (RT_SUCCESS(rc))
899 {
900 pSession->pNtProtect = pNtProtect; /* Keeps reference. */
901 return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
902 }
903 }
904
905 /* No second attempt. */
906 RTSpinlockAcquire(g_hNtProtectLock);
907 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessConfirmed)
908 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
909 RTSpinlockRelease(g_hNtProtectLock);
910
911 LogRel(("vboxdrv: supdrvCreateSession failed for process %p: rc=%d.\n",
912 PsGetProcessId(PsGetCurrentProcess()), rc));
913 }
914 else
915 LogRel(("vboxdrv: Process %p failed process verification: rc=%d.\n",
916 PsGetProcessId(PsGetCurrentProcess()), rc));
917 }
918 else
919 {
920 LogRel(("vboxdrv: %p is not a budding VM process (enmProcessKind=%d).\n",
921 PsGetProcessId(PsGetCurrentProcess()), pNtProtect->enmProcessKind));
922 rc = VERR_SUPDRV_NOT_BUDDING_VM_PROCESS_2;
923 }
924 supdrvNtProtectRelease(pNtProtect);
925 }
926 else
927 {
928 LogRel(("vboxdrv: %p is not a budding VM process.\n", PsGetProcessId(PsGetCurrentProcess())));
929 rc = VERR_SUPDRV_NOT_BUDDING_VM_PROCESS_1;
930 }
931 }
932 /*
933 * Call common code to create an unprivileged session.
934 */
935 else
936 {
937 PSUPDRVSESSION pSession;
938 rc = supdrvCreateSession(pDevExt, true /*fUser*/, false /*fUnrestricted*/, &pSession);
939 if (RT_SUCCESS(rc))
940 {
941 rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
942 supdrvSessionRelease(pSession);
943 if (RT_SUCCESS(rc))
944 {
945 pFileObj->FsContext = pSession; /* Keeps reference. No race. */
946 pSession->pNtProtect = NULL;
947 return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
948 }
949 }
950 }
951
952#else /* !VBOX_WITH_HARDENING */
953 /*
954 * Call common code to create a session.
955 */
956 pFileObj->FsContext = NULL;
957 PSUPDRVSESSION pSession;
958 rc = supdrvCreateSession(pDevExt, true /*fUser*/, pDevObj == g_pDevObjSys /*fUnrestricted*/, &pSession);
959 if (RT_SUCCESS(rc))
960 {
961 rc = supdrvSessionHashTabInsert(pDevExt, pSession, (PSUPDRVSESSION *)&pFileObj->FsContext, NULL);
962 supdrvSessionRelease(pSession);
963 if (RT_SUCCESS(rc))
964 return supdrvNtCompleteRequestEx(STATUS_SUCCESS, FILE_OPENED, pIrp);
965
966 }
967#endif /* !VBOX_WITH_HARDENING */
968
969 /* bail out */
970 rcNt = VBoxDrvNtErr2NtStatus(rc);
971 }
972 }
973
974 Assert(!NT_SUCCESS(rcNt));
975 pFileObj->FsContext = NULL;
976 return supdrvNtCompleteRequest(rcNt, pIrp); /* Note. the IoStatus is completely ignored on error. */
977}
978
979
980/**
981 * Clean up file handle entry point.
982 *
983 * This is called when the last handle reference is released, or something like
984 * that. In the case of IoGetDeviceObjectPointer, this is called as it closes
985 * the handle, however it will go on using the file object afterwards...
986 *
987 * @param pDevObj Device object.
988 * @param pIrp Request packet.
989 */
990NTSTATUS _stdcall VBoxDrvNtCleanup(PDEVICE_OBJECT pDevObj, PIRP pIrp)
991{
992 PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
993 PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
994 PFILE_OBJECT pFileObj = pStack->FileObject;
995
996#ifdef VBOX_WITH_HARDENING
997 if (pDevObj == g_pDevObjStub)
998 {
999 PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)pFileObj->FsContext;
1000 Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pNtProtect=%p\n", pDevExt, pFileObj, pNtProtect));
1001 if (pNtProtect)
1002 {
1003 supdrvNtProtectRelease(pNtProtect);
1004 pFileObj->FsContext = NULL;
1005 }
1006 }
1007 else if (pDevObj == g_pDevObjErrorInfo)
1008 supdrvNtErrorInfoCleanupProcess(PsGetCurrentProcessId());
1009 else
1010#endif
1011 {
1012 PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
1013 (PSUPDRVSESSION *)&pFileObj->FsContext);
1014 Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pSession=%p\n", pDevExt, pFileObj, pSession));
1015 if (pSession)
1016 {
1017 supdrvSessionHashTabRemove(pDevExt, pSession, NULL);
1018 supdrvSessionRelease(pSession); /* Drops the reference from supdrvSessionHashTabLookup. */
1019 }
1020 }
1021
1022 return supdrvNtCompleteRequest(STATUS_SUCCESS, pIrp);
1023}
1024
1025
1026/**
1027 * Close file entry point.
1028 *
1029 * @param pDevObj Device object.
1030 * @param pIrp Request packet.
1031 */
1032NTSTATUS _stdcall VBoxDrvNtClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1033{
1034 PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
1035 PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
1036 PFILE_OBJECT pFileObj = pStack->FileObject;
1037
1038#ifdef VBOX_WITH_HARDENING
1039 if (pDevObj == g_pDevObjStub)
1040 {
1041 PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)pFileObj->FsContext;
1042 Log(("VBoxDrvNtClose: pDevExt=%p pFileObj=%p pNtProtect=%p\n", pDevExt, pFileObj, pNtProtect));
1043 if (pNtProtect)
1044 {
1045 supdrvNtProtectRelease(pNtProtect);
1046 pFileObj->FsContext = NULL;
1047 }
1048 }
1049 else if (pDevObj == g_pDevObjErrorInfo)
1050 supdrvNtErrorInfoCleanupProcess(PsGetCurrentProcessId());
1051 else
1052#endif
1053 {
1054 PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
1055 (PSUPDRVSESSION *)&pFileObj->FsContext);
1056 Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pSession=%p\n", pDevExt, pFileObj, pSession));
1057 if (pSession)
1058 {
1059 supdrvSessionHashTabRemove(pDevExt, pSession, NULL);
1060 supdrvSessionRelease(pSession); /* Drops the reference from supdrvSessionHashTabLookup. */
1061 }
1062 }
1063
1064 return supdrvNtCompleteRequest(STATUS_SUCCESS, pIrp);
1065}
1066
1067
1068#ifdef VBOXDRV_WITH_FAST_IO
1069/**
1070 * Fast I/O device control callback.
1071 *
1072 * This performs no buffering, neither on the way in or out.
1073 *
1074 * @returns TRUE if handled, FALSE if the normal I/O control routine should be
1075 * called.
1076 * @param pFileObj The file object.
1077 * @param fWait Whether it's a blocking call
1078 * @param pvInput The input buffer as specified by the user.
1079 * @param cbInput The size of the input buffer.
1080 * @param pvOutput The output buffer as specfied by the user.
1081 * @param cbOutput The size of the output buffer.
1082 * @param uCmd The I/O command/function being invoked.
1083 * @param pIoStatus Where to return the status of the operation.
1084 * @param pDevObj The device object..
1085 */
1086static BOOLEAN _stdcall VBoxDrvNtFastIoDeviceControl(PFILE_OBJECT pFileObj, BOOLEAN fWait, PVOID pvInput, ULONG cbInput,
1087 PVOID pvOutput, ULONG cbOutput, ULONG uCmd,
1088 PIO_STATUS_BLOCK pIoStatus, PDEVICE_OBJECT pDevObj)
1089{
1090 RT_NOREF1(fWait);
1091
1092 /*
1093 * Only the normal devices, not the stub or error info ones.
1094 */
1095 if (pDevObj != g_pDevObjSys && pDevObj != g_pDevObjUsr)
1096 {
1097 pIoStatus->Status = STATUS_NOT_SUPPORTED;
1098 pIoStatus->Information = 0;
1099 return TRUE;
1100 }
1101
1102 /*
1103 * Check the input a little bit and get a the session references.
1104 */
1105 PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
1106 PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
1107 (PSUPDRVSESSION *)&pFileObj->FsContext);
1108 if (!pSession)
1109 {
1110 pIoStatus->Status = STATUS_TRUST_FAILURE;
1111 pIoStatus->Information = 0;
1112 return TRUE;
1113 }
1114
1115 if (pSession->fUnrestricted)
1116 {
1117#if defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITHOUT_DEBUGGER_CHECKS)
1118 if (supdrvNtIsDebuggerAttached())
1119 {
1120 pIoStatus->Status = STATUS_TRUST_FAILURE;
1121 pIoStatus->Information = 0;
1122 supdrvSessionRelease(pSession);
1123 return TRUE;
1124 }
1125#endif
1126
1127 /*
1128 * Deal with the 2-3 high-speed IOCtl that takes their arguments from
1129 * the session and iCmd, and does not return anything.
1130 */
1131 if ( uCmd == SUP_IOCTL_FAST_DO_RAW_RUN
1132 || uCmd == SUP_IOCTL_FAST_DO_HM_RUN
1133 || uCmd == SUP_IOCTL_FAST_DO_NOP)
1134 {
1135 int rc = supdrvIOCtlFast(uCmd, (unsigned)(uintptr_t)pvOutput/* VMCPU id */, pDevExt, pSession);
1136 pIoStatus->Status = RT_SUCCESS(rc) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
1137 pIoStatus->Information = 0; /* Could be used to pass rc if we liked. */
1138 supdrvSessionRelease(pSession);
1139 return TRUE;
1140 }
1141 }
1142
1143 /*
1144 * The normal path.
1145 */
1146 NTSTATUS rcNt;
1147 unsigned cbOut = 0;
1148 int rc = 0;
1149 Log2(("VBoxDrvNtFastIoDeviceControl(%p): ioctl=%#x pvIn=%p cbIn=%#x pvOut=%p cbOut=%#x pSession=%p\n",
1150 pDevExt, uCmd, pvInput, cbInput, pvOutput, cbOutput, pSession));
1151
1152# ifdef RT_ARCH_AMD64
1153 /* Don't allow 32-bit processes to do any I/O controls. */
1154 if (!IoIs32bitProcess(NULL))
1155# endif
1156 {
1157 /*
1158 * In this fast I/O device control path we have to do our own buffering.
1159 */
1160 /* Verify that the I/O control function matches our pattern. */
1161 if ((uCmd & 0x3) == METHOD_BUFFERED)
1162 {
1163 /* Get the header so we can validate it a little bit against the
1164 parameters before allocating any memory kernel for the reqest. */
1165 SUPREQHDR Hdr;
1166 if (cbInput >= sizeof(Hdr) && cbOutput >= sizeof(Hdr))
1167 {
1168 __try
1169 {
1170 RtlCopyMemory(&Hdr, pvInput, sizeof(Hdr));
1171 rcNt = STATUS_SUCCESS;
1172 }
1173 __except(EXCEPTION_EXECUTE_HANDLER)
1174 {
1175 rcNt = GetExceptionCode();
1176 Hdr.cbIn = Hdr.cbOut = 0; /* shut up MSC */
1177 }
1178 }
1179 else
1180 {
1181 Hdr.cbIn = Hdr.cbOut = 0; /* shut up MSC */
1182 rcNt = STATUS_INVALID_PARAMETER;
1183 }
1184 if (NT_SUCCESS(rcNt))
1185 {
1186 /* Verify that the sizes in the request header are correct. */
1187 ULONG cbBuf = RT_MAX(cbInput, cbOutput);
1188 if ( cbInput == Hdr.cbIn
1189 && cbOutput == Hdr.cbOut
1190 && cbBuf < _1M*16)
1191 {
1192 /* Allocate a buffer and copy all the input into it. */
1193 PSUPREQHDR pHdr = (PSUPREQHDR)ExAllocatePoolWithTag(NonPagedPool, cbBuf, 'VBox');
1194 if (pHdr)
1195 {
1196 __try
1197 {
1198 RtlCopyMemory(pHdr, pvInput, cbInput);
1199 if (cbInput < cbBuf)
1200 RtlZeroMemory((uint8_t *)pHdr + cbInput, cbBuf - cbInput);
1201 if (!memcmp(pHdr, &Hdr, sizeof(Hdr)))
1202 rcNt = STATUS_SUCCESS;
1203 else
1204 rcNt = STATUS_INVALID_PARAMETER;
1205 }
1206 __except(EXCEPTION_EXECUTE_HANDLER)
1207 {
1208 rcNt = GetExceptionCode();
1209 }
1210 if (NT_SUCCESS(rcNt))
1211 {
1212 /*
1213 * Now call the common code to do the real work.
1214 */
1215 rc = supdrvIOCtl(uCmd, pDevExt, pSession, pHdr, cbBuf);
1216 if (RT_SUCCESS(rc))
1217 {
1218 /*
1219 * Copy back the result.
1220 */
1221 cbOut = pHdr->cbOut;
1222 if (cbOut > cbOutput)
1223 {
1224 cbOut = cbOutput;
1225 OSDBGPRINT(("VBoxDrvNtFastIoDeviceControl: too much output! %#x > %#x; uCmd=%#x!\n",
1226 pHdr->cbOut, cbOut, uCmd));
1227 }
1228 if (cbOut)
1229 {
1230 __try
1231 {
1232 RtlCopyMemory(pvOutput, pHdr, cbOut);
1233 rcNt = STATUS_SUCCESS;
1234 }
1235 __except(EXCEPTION_EXECUTE_HANDLER)
1236 {
1237 rcNt = GetExceptionCode();
1238 }
1239 }
1240 else
1241 rcNt = STATUS_SUCCESS;
1242 }
1243 else if (rc == VERR_INVALID_PARAMETER)
1244 rcNt = STATUS_INVALID_PARAMETER;
1245 else
1246 rcNt = STATUS_NOT_SUPPORTED;
1247 Log2(("VBoxDrvNtFastIoDeviceControl: returns %#x cbOut=%d rc=%#x\n", rcNt, cbOut, rc));
1248 }
1249 else
1250 Log(("VBoxDrvNtFastIoDeviceControl: Error reading %u bytes of user memory at %p (uCmd=%#x)\n",
1251 cbInput, pvInput, uCmd));
1252 ExFreePoolWithTag(pHdr, 'VBox');
1253 }
1254 else
1255 rcNt = STATUS_NO_MEMORY;
1256 }
1257 else
1258 {
1259 Log(("VBoxDrvNtFastIoDeviceControl: Mismatching sizes (%#x) - Hdr=%#lx/%#lx Irp=%#lx/%#lx!\n",
1260 uCmd, Hdr.cbIn, Hdr.cbOut, cbInput, cbOutput));
1261 rcNt = STATUS_INVALID_PARAMETER;
1262 }
1263 }
1264 }
1265 else
1266 {
1267 Log(("VBoxDrvNtFastIoDeviceControl: not buffered request (%#x) - not supported\n", uCmd));
1268 rcNt = STATUS_NOT_SUPPORTED;
1269 }
1270 }
1271# ifdef RT_ARCH_AMD64
1272 else
1273 {
1274 Log(("VBoxDrvNtFastIoDeviceControl: WOW64 req - not supported\n"));
1275 rcNt = STATUS_NOT_SUPPORTED;
1276 }
1277# endif
1278
1279 /* complete the request. */
1280 pIoStatus->Status = rcNt;
1281 pIoStatus->Information = cbOut;
1282 supdrvSessionRelease(pSession);
1283 return TRUE; /* handled. */
1284}
1285#endif /* VBOXDRV_WITH_FAST_IO */
1286
1287
1288/**
1289 * Device I/O Control entry point.
1290 *
1291 * @param pDevObj Device object.
1292 * @param pIrp Request packet.
1293 */
1294NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1295{
1296 VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_OR_ERROR_INFO_DEV(pDevObj, pIrp);
1297
1298 PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
1299 PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
1300 PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, RTProcSelf(), RTR0ProcHandleSelf(),
1301 (PSUPDRVSESSION *)&pStack->FileObject->FsContext);
1302
1303 if (!RT_VALID_PTR(pSession))
1304 return supdrvNtCompleteRequest(STATUS_TRUST_FAILURE, pIrp);
1305
1306 /*
1307 * Deal with the 2-3 high-speed IOCtl that takes their arguments from
1308 * the session and iCmd, and does not return anything.
1309 */
1310 if (pSession->fUnrestricted)
1311 {
1312#if defined(VBOX_WITH_HARDENING) && !defined(VBOX_WITHOUT_DEBUGGER_CHECKS)
1313 if (supdrvNtIsDebuggerAttached())
1314 {
1315 supdrvSessionRelease(pSession);
1316 return supdrvNtCompleteRequest(STATUS_TRUST_FAILURE, pIrp);
1317 }
1318#endif
1319
1320 ULONG ulCmd = pStack->Parameters.DeviceIoControl.IoControlCode;
1321 if ( ulCmd == SUP_IOCTL_FAST_DO_RAW_RUN
1322 || ulCmd == SUP_IOCTL_FAST_DO_HM_RUN
1323 || ulCmd == SUP_IOCTL_FAST_DO_NOP)
1324 {
1325 int rc = supdrvIOCtlFast(ulCmd, (unsigned)(uintptr_t)pIrp->UserBuffer /* VMCPU id */, pDevExt, pSession);
1326
1327 /* Complete the I/O request. */
1328 supdrvSessionRelease(pSession);
1329 return supdrvNtCompleteRequest(RT_SUCCESS(rc) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER, pIrp);
1330 }
1331 }
1332
1333 return VBoxDrvNtDeviceControlSlow(pDevExt, pSession, pIrp, pStack);
1334}
1335
1336
1337/**
1338 * Worker for VBoxDrvNtDeviceControl that takes the slow IOCtl functions.
1339 *
1340 * @returns NT status code.
1341 *
1342 * @param pDevExt Device extension.
1343 * @param pSession The session.
1344 * @param pIrp Request packet.
1345 * @param pStack The stack location containing the DeviceControl parameters.
1346 */
1347static int VBoxDrvNtDeviceControlSlow(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, PIRP pIrp, PIO_STACK_LOCATION pStack)
1348{
1349 NTSTATUS rcNt;
1350 uint32_t cbOut = 0;
1351 int rc = 0;
1352 Log2(("VBoxDrvNtDeviceControlSlow(%p,%p): ioctl=%#x pBuf=%p cbIn=%#x cbOut=%#x pSession=%p\n",
1353 pDevExt, pIrp, pStack->Parameters.DeviceIoControl.IoControlCode,
1354 pIrp->AssociatedIrp.SystemBuffer, pStack->Parameters.DeviceIoControl.InputBufferLength,
1355 pStack->Parameters.DeviceIoControl.OutputBufferLength, pSession));
1356
1357#ifdef RT_ARCH_AMD64
1358 /* Don't allow 32-bit processes to do any I/O controls. */
1359 if (!IoIs32bitProcess(pIrp))
1360#endif
1361 {
1362 /* Verify that it's a buffered CTL. */
1363 if ((pStack->Parameters.DeviceIoControl.IoControlCode & 0x3) == METHOD_BUFFERED)
1364 {
1365 /* Verify that the sizes in the request header are correct. */
1366 PSUPREQHDR pHdr = (PSUPREQHDR)pIrp->AssociatedIrp.SystemBuffer;
1367 if ( pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr)
1368 && pStack->Parameters.DeviceIoControl.InputBufferLength == pHdr->cbIn
1369 && pStack->Parameters.DeviceIoControl.OutputBufferLength == pHdr->cbOut)
1370 {
1371 /* Zero extra output bytes to make sure we don't leak anything. */
1372 if (pHdr->cbIn < pHdr->cbOut)
1373 RtlZeroMemory((uint8_t *)pHdr + pHdr->cbIn, pHdr->cbOut - pHdr->cbIn);
1374
1375 /*
1376 * Do the job.
1377 */
1378 rc = supdrvIOCtl(pStack->Parameters.DeviceIoControl.IoControlCode, pDevExt, pSession, pHdr,
1379 RT_MAX(pHdr->cbIn, pHdr->cbOut));
1380 if (!rc)
1381 {
1382 rcNt = STATUS_SUCCESS;
1383 cbOut = pHdr->cbOut;
1384 if (cbOut > pStack->Parameters.DeviceIoControl.OutputBufferLength)
1385 {
1386 cbOut = pStack->Parameters.DeviceIoControl.OutputBufferLength;
1387 OSDBGPRINT(("VBoxDrvNtDeviceControlSlow: too much output! %#x > %#x; uCmd=%#x!\n",
1388 pHdr->cbOut, cbOut, pStack->Parameters.DeviceIoControl.IoControlCode));
1389 }
1390 }
1391 else
1392 rcNt = STATUS_INVALID_PARAMETER;
1393 Log2(("VBoxDrvNtDeviceControlSlow: returns %#x cbOut=%d rc=%#x\n", rcNt, cbOut, rc));
1394 }
1395 else
1396 {
1397 Log(("VBoxDrvNtDeviceControlSlow: Mismatching sizes (%#x) - Hdr=%#lx/%#lx Irp=%#lx/%#lx!\n",
1398 pStack->Parameters.DeviceIoControl.IoControlCode,
1399 pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr) ? pHdr->cbIn : 0,
1400 pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr) ? pHdr->cbOut : 0,
1401 pStack->Parameters.DeviceIoControl.InputBufferLength,
1402 pStack->Parameters.DeviceIoControl.OutputBufferLength));
1403 rcNt = STATUS_INVALID_PARAMETER;
1404 }
1405 }
1406 else
1407 {
1408 Log(("VBoxDrvNtDeviceControlSlow: not buffered request (%#x) - not supported\n",
1409 pStack->Parameters.DeviceIoControl.IoControlCode));
1410 rcNt = STATUS_NOT_SUPPORTED;
1411 }
1412 }
1413#ifdef RT_ARCH_AMD64
1414 else
1415 {
1416 Log(("VBoxDrvNtDeviceControlSlow: WOW64 req - not supported\n"));
1417 rcNt = STATUS_NOT_SUPPORTED;
1418 }
1419#endif
1420
1421 /* complete the request. */
1422 pIrp->IoStatus.Status = rcNt;
1423 pIrp->IoStatus.Information = cbOut;
1424 supdrvSessionRelease(pSession);
1425 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1426 return rcNt;
1427}
1428
1429
1430/**
1431 * Internal Device I/O Control entry point, used for IDC.
1432 *
1433 * @param pDevObj Device object.
1434 * @param pIrp Request packet.
1435 */
1436NTSTATUS _stdcall VBoxDrvNtInternalDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1437{
1438 VBOXDRV_COMPLETE_IRP_AND_RETURN_IF_STUB_OR_ERROR_INFO_DEV(pDevObj, pIrp);
1439
1440 PSUPDRVDEVEXT pDevExt = SUPDRVNT_GET_DEVEXT(pDevObj);
1441 PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
1442 PFILE_OBJECT pFileObj = pStack ? pStack->FileObject : NULL;
1443 PSUPDRVSESSION pSession = pFileObj ? (PSUPDRVSESSION)pFileObj->FsContext : NULL;
1444 NTSTATUS rcNt;
1445 unsigned cbOut = 0;
1446 int rc = 0;
1447 Log2(("VBoxDrvNtInternalDeviceControl(%p,%p): ioctl=%#x pBuf=%p cbIn=%#x cbOut=%#x pSession=%p\n",
1448 pDevExt, pIrp, pStack->Parameters.DeviceIoControl.IoControlCode,
1449 pIrp->AssociatedIrp.SystemBuffer, pStack->Parameters.DeviceIoControl.InputBufferLength,
1450 pStack->Parameters.DeviceIoControl.OutputBufferLength, pSession));
1451
1452 /* Verify that it's a buffered CTL. */
1453 if ((pStack->Parameters.DeviceIoControl.IoControlCode & 0x3) == METHOD_BUFFERED)
1454 {
1455 /* Verify the pDevExt in the session. */
1456 if ( pStack->Parameters.DeviceIoControl.IoControlCode != SUPDRV_IDC_REQ_CONNECT
1457 ? VALID_PTR(pSession) && pSession->pDevExt == pDevExt
1458 : !pSession
1459 )
1460 {
1461 /* Verify that the size in the request header is correct. */
1462 PSUPDRVIDCREQHDR pHdr = (PSUPDRVIDCREQHDR)pIrp->AssociatedIrp.SystemBuffer;
1463 if ( pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr)
1464 && pStack->Parameters.DeviceIoControl.InputBufferLength == pHdr->cb
1465 && pStack->Parameters.DeviceIoControl.OutputBufferLength == pHdr->cb)
1466 {
1467 /*
1468 * Call the generic code.
1469 *
1470 * Note! Connect and disconnect requires some extra attention
1471 * in order to get the session handling right.
1472 */
1473 if (pStack->Parameters.DeviceIoControl.IoControlCode == SUPDRV_IDC_REQ_DISCONNECT)
1474 pFileObj->FsContext = NULL;
1475
1476 rc = supdrvIDC(pStack->Parameters.DeviceIoControl.IoControlCode, pDevExt, pSession, pHdr);
1477 if (!rc)
1478 {
1479 if (pStack->Parameters.DeviceIoControl.IoControlCode == SUPDRV_IDC_REQ_CONNECT)
1480 pFileObj->FsContext = ((PSUPDRVIDCREQCONNECT)pHdr)->u.Out.pSession;
1481
1482 rcNt = STATUS_SUCCESS;
1483 cbOut = pHdr->cb;
1484 }
1485 else
1486 {
1487 rcNt = STATUS_INVALID_PARAMETER;
1488 if (pStack->Parameters.DeviceIoControl.IoControlCode == SUPDRV_IDC_REQ_DISCONNECT)
1489 pFileObj->FsContext = pSession;
1490 }
1491 Log2(("VBoxDrvNtInternalDeviceControl: returns %#x/rc=%#x\n", rcNt, rc));
1492 }
1493 else
1494 {
1495 Log(("VBoxDrvNtInternalDeviceControl: Mismatching sizes (%#x) - Hdr=%#lx Irp=%#lx/%#lx!\n",
1496 pStack->Parameters.DeviceIoControl.IoControlCode,
1497 pStack->Parameters.DeviceIoControl.InputBufferLength >= sizeof(*pHdr) ? pHdr->cb : 0,
1498 pStack->Parameters.DeviceIoControl.InputBufferLength,
1499 pStack->Parameters.DeviceIoControl.OutputBufferLength));
1500 rcNt = STATUS_INVALID_PARAMETER;
1501 }
1502 }
1503 else
1504 rcNt = STATUS_NOT_SUPPORTED;
1505 }
1506 else
1507 {
1508 Log(("VBoxDrvNtInternalDeviceControl: not buffered request (%#x) - not supported\n",
1509 pStack->Parameters.DeviceIoControl.IoControlCode));
1510 rcNt = STATUS_NOT_SUPPORTED;
1511 }
1512
1513 /* complete the request. */
1514 pIrp->IoStatus.Status = rcNt;
1515 pIrp->IoStatus.Information = cbOut;
1516 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1517 return rcNt;
1518}
1519
1520
1521/**
1522 * Implementation of the read major function for VBoxDrvErrorInfo.
1523 *
1524 * This is a stub function for the other devices.
1525 *
1526 * @returns NT status code.
1527 * @param pDevObj The device object.
1528 * @param pIrp The I/O request packet.
1529 */
1530NTSTATUS _stdcall VBoxDrvNtRead(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1531{
1532 Log(("VBoxDrvNtRead\n"));
1533 RT_NOREF1(pDevObj);
1534
1535 NTSTATUS rcNt;
1536 pIrp->IoStatus.Information = 0;
1537
1538#ifdef VBOX_WITH_HARDENING
1539 /*
1540 * VBoxDrvErrorInfo?
1541 */
1542 if (pDevObj == g_pDevObjErrorInfo)
1543 {
1544 PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
1545 if ( pStack
1546 && (pIrp->Flags & IRP_BUFFERED_IO))
1547 {
1548 /*
1549 * Look up the process error information.
1550 */
1551 HANDLE hCurThreadId = PsGetCurrentThreadId();
1552 HANDLE hCurProcessId = PsGetCurrentProcessId();
1553 int rc = RTSemMutexRequestNoResume(g_hErrorInfoLock, RT_INDEFINITE_WAIT);
1554 if (RT_SUCCESS(rc))
1555 {
1556 PSUPDRVNTERRORINFO pCur;
1557 RTListForEach(&g_ErrorInfoHead, pCur, SUPDRVNTERRORINFO, ListEntry)
1558 {
1559 if ( pCur->hProcessId == hCurProcessId
1560 && pCur->hThreadId == hCurThreadId)
1561 break;
1562 }
1563
1564 /*
1565 * Did we find error info and is the caller requesting data within it?
1566 * If so, check the destination buffer and copy the data into it.
1567 */
1568 if ( pCur
1569 && pStack->Parameters.Read.ByteOffset.QuadPart < pCur->cchErrorInfo
1570 && pStack->Parameters.Read.ByteOffset.QuadPart >= 0)
1571 {
1572 PVOID pvDstBuf = pIrp->AssociatedIrp.SystemBuffer;
1573 if (pvDstBuf)
1574 {
1575 uint32_t offRead = (uint32_t)pStack->Parameters.Read.ByteOffset.QuadPart;
1576 uint32_t cbToRead = pCur->cchErrorInfo - offRead;
1577 if (cbToRead < pStack->Parameters.Read.Length)
1578 RT_BZERO((uint8_t *)pvDstBuf + cbToRead, pStack->Parameters.Read.Length - cbToRead);
1579 else
1580 cbToRead = pStack->Parameters.Read.Length;
1581 memcpy(pvDstBuf, &pCur->szErrorInfo[offRead], cbToRead);
1582 pIrp->IoStatus.Information = cbToRead;
1583
1584 rcNt = STATUS_SUCCESS;
1585 }
1586 else
1587 rcNt = STATUS_INVALID_ADDRESS;
1588 }
1589 /*
1590 * End of file. Free the info.
1591 */
1592 else if (pCur)
1593 {
1594 RTListNodeRemove(&pCur->ListEntry);
1595 RTMemFree(pCur);
1596 rcNt = STATUS_END_OF_FILE;
1597 }
1598 /*
1599 * We found no error info. Return EOF.
1600 */
1601 else
1602 rcNt = STATUS_END_OF_FILE;
1603
1604 RTSemMutexRelease(g_hErrorInfoLock);
1605 }
1606 else
1607 rcNt = STATUS_UNSUCCESSFUL;
1608
1609 /* Paranoia: Clear the buffer on failure. */
1610 if (!NT_SUCCESS(rcNt))
1611 {
1612 PVOID pvDstBuf = pIrp->AssociatedIrp.SystemBuffer;
1613 if ( pvDstBuf
1614 && pStack->Parameters.Read.Length)
1615 RT_BZERO(pvDstBuf, pStack->Parameters.Read.Length);
1616 }
1617 }
1618 else
1619 rcNt = STATUS_INVALID_PARAMETER;
1620 }
1621 else
1622#endif /* VBOX_WITH_HARDENING */
1623 {
1624 /*
1625 * Stub.
1626 */
1627 rcNt = STATUS_NOT_SUPPORTED;
1628 }
1629
1630 /*
1631 * Complete the request.
1632 */
1633 pIrp->IoStatus.Status = rcNt;
1634 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1635 return rcNt;
1636}
1637
1638
1639/**
1640 * Stub function for functions we don't implemented.
1641 *
1642 * @returns STATUS_NOT_SUPPORTED
1643 * @param pDevObj Device object.
1644 * @param pIrp IRP.
1645 */
1646NTSTATUS _stdcall VBoxDrvNtNotSupportedStub(PDEVICE_OBJECT pDevObj, PIRP pIrp)
1647{
1648 Log(("VBoxDrvNtNotSupportedStub\n"));
1649 NOREF(pDevObj);
1650
1651 pIrp->IoStatus.Information = 0;
1652 pIrp->IoStatus.Status = STATUS_NOT_SUPPORTED;
1653 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1654
1655 return STATUS_NOT_SUPPORTED;
1656}
1657
1658
1659/**
1660 * ExRegisterCallback handler for power events
1661 *
1662 * @param pCallbackContext User supplied parameter (pDevObj)
1663 * @param pvArgument1 First argument
1664 * @param pvArgument2 Second argument
1665 */
1666VOID _stdcall VBoxPowerDispatchCallback(PVOID pCallbackContext, PVOID pvArgument1, PVOID pvArgument2)
1667{
1668 /*PDEVICE_OBJECT pDevObj = (PDEVICE_OBJECT)pCallbackContext;*/ RT_NOREF1(pCallbackContext);
1669 Log(("VBoxPowerDispatchCallback: %x %x\n", pvArgument1, pvArgument2));
1670
1671 /* Power change imminent? */
1672 if ((uintptr_t)pvArgument1 == PO_CB_SYSTEM_STATE_LOCK)
1673 {
1674 if (pvArgument2 == NULL)
1675 Log(("VBoxPowerDispatchCallback: about to go into suspend mode!\n"));
1676 else
1677 Log(("VBoxPowerDispatchCallback: resumed!\n"));
1678
1679 /* Inform any clients that have registered themselves with IPRT. */
1680 RTPowerSignalEvent(pvArgument2 == NULL ? RTPOWEREVENT_SUSPEND : RTPOWEREVENT_RESUME);
1681 }
1682}
1683
1684
1685/**
1686 * Called to clean up the session structure before it's freed.
1687 *
1688 * @param pDevExt The device globals.
1689 * @param pSession The session that's being cleaned up.
1690 */
1691void VBOXCALL supdrvOSCleanupSession(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession)
1692{
1693#ifdef VBOX_WITH_HARDENING
1694 if (pSession->pNtProtect)
1695 {
1696 supdrvNtProtectRelease(pSession->pNtProtect);
1697 pSession->pNtProtect = NULL;
1698 }
1699 RT_NOREF1(pDevExt);
1700#else
1701 RT_NOREF2(pDevExt, pSession);
1702#endif
1703}
1704
1705
1706void VBOXCALL supdrvOSSessionHashTabInserted(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, void *pvUser)
1707{
1708 NOREF(pDevExt); NOREF(pSession); NOREF(pvUser);
1709}
1710
1711
1712void VBOXCALL supdrvOSSessionHashTabRemoved(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, void *pvUser)
1713{
1714 NOREF(pDevExt); NOREF(pSession); NOREF(pvUser);
1715}
1716
1717
1718size_t VBOXCALL supdrvOSGipGetGroupTableSize(PSUPDRVDEVEXT pDevExt)
1719{
1720 NOREF(pDevExt);
1721 uint32_t cMaxCpus = RTMpGetCount();
1722 uint32_t cGroups = RTMpGetMaxCpuGroupCount();
1723
1724 return cGroups * RT_OFFSETOF(SUPGIPCPUGROUP, aiCpuSetIdxs)
1725 + RT_SIZEOFMEMB(SUPGIPCPUGROUP, aiCpuSetIdxs[0]) * cMaxCpus;
1726}
1727
1728
1729int VBOXCALL supdrvOSInitGipGroupTable(PSUPDRVDEVEXT pDevExt, PSUPGLOBALINFOPAGE pGip, size_t cbGipCpuGroups)
1730{
1731 Assert(cbGipCpuGroups > 0); NOREF(cbGipCpuGroups); NOREF(pDevExt);
1732
1733 unsigned const cGroups = RTMpGetMaxCpuGroupCount();
1734 AssertReturn(cGroups > 0 && cGroups < RT_ELEMENTS(pGip->aoffCpuGroup), VERR_INTERNAL_ERROR_2);
1735 pGip->cPossibleCpuGroups = cGroups;
1736
1737 PSUPGIPCPUGROUP pGroup = (PSUPGIPCPUGROUP)&pGip->aCPUs[pGip->cCpus];
1738 for (uint32_t idxGroup = 0; idxGroup < cGroups; idxGroup++)
1739 {
1740 uint32_t cActive = 0;
1741 uint32_t cMax = RTMpGetCpuGroupCounts(idxGroup, &cActive);
1742 uint32_t cbNeeded = RT_OFFSETOF(SUPGIPCPUGROUP, aiCpuSetIdxs[cMax]);
1743 AssertReturn(cbNeeded <= cbGipCpuGroups, VERR_INTERNAL_ERROR_3);
1744 AssertReturn(cActive <= cMax, VERR_INTERNAL_ERROR_4);
1745
1746 pGip->aoffCpuGroup[idxGroup] = (uint16_t)((uintptr_t)pGroup - (uintptr_t)pGip);
1747 pGroup->cMembers = cActive;
1748 pGroup->cMaxMembers = cMax;
1749 for (uint32_t idxMember = 0; idxMember < cMax; idxMember++)
1750 {
1751 pGroup->aiCpuSetIdxs[idxMember] = RTMpSetIndexFromCpuGroupMember(idxGroup, idxMember);
1752 Assert((unsigned)pGroup->aiCpuSetIdxs[idxMember] < pGip->cPossibleCpus);
1753 }
1754
1755 /* advance. */
1756 cbGipCpuGroups -= cbNeeded;
1757 pGroup = (PSUPGIPCPUGROUP)&pGroup->aiCpuSetIdxs[cMax];
1758 }
1759
1760 return VINF_SUCCESS;
1761}
1762
1763
1764void VBOXCALL supdrvOSGipInitGroupBitsForCpu(PSUPDRVDEVEXT pDevExt, PSUPGLOBALINFOPAGE pGip, PSUPGIPCPU pGipCpu)
1765{
1766 NOREF(pDevExt);
1767
1768 /*
1769 * Translate the CPU index into a group and member.
1770 */
1771 PROCESSOR_NUMBER ProcNum = { 0, pGipCpu->iCpuSet, 0 };
1772 if (g_pfnKeGetProcessorNumberFromIndex)
1773 {
1774 NTSTATUS rcNt = g_pfnKeGetProcessorNumberFromIndex(pGipCpu->iCpuSet, &ProcNum);
1775 if (NT_SUCCESS(rcNt))
1776 Assert(ProcNum.Group < g_pfnKeQueryMaximumGroupCount());
1777 else
1778 {
1779 AssertFailed();
1780 ProcNum.Group = 0;
1781 ProcNum.Number = pGipCpu->iCpuSet;
1782 }
1783 }
1784 pGipCpu->iCpuGroup = ProcNum.Group;
1785 pGipCpu->iCpuGroupMember = ProcNum.Number;
1786
1787 /*
1788 * Update the group info. Just do this wholesale for now (doesn't scale well).
1789 */
1790 for (uint32_t idxGroup = 0; idxGroup < pGip->cPossibleCpuGroups; idxGroup++)
1791 if (pGip->aoffCpuGroup[idxGroup] != UINT16_MAX)
1792 {
1793 PSUPGIPCPUGROUP pGroup = (PSUPGIPCPUGROUP)((uintptr_t)pGip + pGip->aoffCpuGroup[idxGroup]);
1794
1795 uint32_t cActive = 0;
1796 uint32_t cMax = RTMpGetCpuGroupCounts(idxGroup, &cActive);
1797 AssertStmt(cMax == pGroup->cMaxMembers, cMax = pGroup->cMaxMembers);
1798 AssertStmt(cActive <= cMax, cActive = cMax);
1799 if (pGroup->cMembers != cActive)
1800 pGroup->cMembers = cActive;
1801
1802 for (uint32_t idxMember = 0; idxMember < cMax; idxMember++)
1803 {
1804 int idxCpuSet = RTMpSetIndexFromCpuGroupMember(idxGroup, idxMember);
1805 AssertMsg((unsigned)idxCpuSet < pGip->cPossibleCpus,
1806 ("%d vs %d for %u.%u\n", idxCpuSet, pGip->cPossibleCpus, idxGroup, idxMember));
1807
1808 if (pGroup->aiCpuSetIdxs[idxMember] != idxCpuSet)
1809 pGroup->aiCpuSetIdxs[idxMember] = idxCpuSet;
1810 }
1811 }
1812}
1813
1814
1815/**
1816 * Initializes any OS specific object creator fields.
1817 */
1818void VBOXCALL supdrvOSObjInitCreator(PSUPDRVOBJ pObj, PSUPDRVSESSION pSession)
1819{
1820 NOREF(pObj);
1821 NOREF(pSession);
1822}
1823
1824
1825/**
1826 * Checks if the session can access the object.
1827 *
1828 * @returns true if a decision has been made.
1829 * @returns false if the default access policy should be applied.
1830 *
1831 * @param pObj The object in question.
1832 * @param pSession The session wanting to access the object.
1833 * @param pszObjName The object name, can be NULL.
1834 * @param prc Where to store the result when returning true.
1835 */
1836bool VBOXCALL supdrvOSObjCanAccess(PSUPDRVOBJ pObj, PSUPDRVSESSION pSession, const char *pszObjName, int *prc)
1837{
1838 NOREF(pObj);
1839 NOREF(pSession);
1840 NOREF(pszObjName);
1841 NOREF(prc);
1842 return false;
1843}
1844
1845
1846/**
1847 * Force async tsc mode (stub).
1848 */
1849bool VBOXCALL supdrvOSGetForcedAsyncTscMode(PSUPDRVDEVEXT pDevExt)
1850{
1851 RT_NOREF1(pDevExt);
1852 return g_Options.fOptForceAsyncTsc != 0;
1853}
1854
1855
1856/**
1857 * Whether the host takes CPUs offline during a suspend/resume operation.
1858 */
1859bool VBOXCALL supdrvOSAreCpusOfflinedOnSuspend(void)
1860{
1861 return false;
1862}
1863
1864
1865/**
1866 * Whether the hardware TSC has been synchronized by the OS.
1867 */
1868bool VBOXCALL supdrvOSAreTscDeltasInSync(void)
1869{
1870 /* If IPRT didn't find KeIpiGenericCall we pretend windows(, the firmware,
1871 or whoever) always configures TSCs perfectly. */
1872 return !RTMpOnPairIsConcurrentExecSupported();
1873}
1874
1875
1876/**
1877 * Checks whether we're allowed by Hyper-V to modify CR4.
1878 */
1879int VBOXCALL supdrvOSGetRawModeUsability(void)
1880{
1881 int rc = VINF_SUCCESS;
1882
1883#ifdef RT_ARCH_AMD64
1884 /*
1885 * Broadwell running W10 17083.100:
1886 * CR4: 0x170678
1887 * Evil mask: 0x170638
1888 * X86_CR4_SMEP - evil
1889 * X86_CR4_FSGSBASE - evil
1890 * X86_CR4_PCIDE - evil
1891 * X86_CR4_OSXSAVE - evil
1892 * X86_CR4_OSFXSR - evil
1893 * X86_CR4_OSXMMEEXCPT - evil
1894 * X86_CR4_PSE - evil
1895 * X86_CR4_PAE - evil
1896 * X86_CR4_MCE - okay
1897 * X86_CR4_DE - evil
1898 */
1899 if (ASMHasCpuId())
1900 {
1901 uint32_t cStd = ASMCpuId_EAX(0);
1902 if (ASMIsValidStdRange(cStd))
1903 {
1904 uint32_t uIgn = 0;
1905 uint32_t fEdxFeatures = 0;
1906 uint32_t fEcxFeatures = 0;
1907 ASMCpuIdExSlow(1, 0, 0, 0, &uIgn, &uIgn, &fEcxFeatures, &fEdxFeatures);
1908 if (fEcxFeatures & X86_CPUID_FEATURE_ECX_HVP)
1909 {
1910 RTCCUINTREG const fOldFlags = ASMIntDisableFlags();
1911 RTCCUINTXREG const fCr4 = ASMGetCR4();
1912
1913 RTCCUINTXREG const fSafeToClear = X86_CR4_TSD | X86_CR4_DE | X86_CR4_PGE | X86_CR4_PCE
1914 | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_SMEP | X86_CR4_SMAP
1915 | X86_CR4_OSXSAVE | X86_CR4_OSFXSR | X86_CR4_OSXMMEEXCPT;
1916 RTCCUINTXREG fLoadCr4 = fCr4 & ~fSafeToClear;
1917 RTCCUINTXREG const fCleared = fCr4 & fSafeToClear;
1918 if (!(fCleared & X86_CR4_TSD) && (fEdxFeatures & X86_CPUID_FEATURE_EDX_TSC))
1919 fLoadCr4 |= X86_CR4_TSD;
1920 if (!(fCleared & X86_CR4_PGE) && (fEdxFeatures & X86_CPUID_FEATURE_EDX_PGE))
1921 fLoadCr4 |= X86_CR4_PGE;
1922 __try
1923 {
1924 ASMSetCR4(fLoadCr4);
1925 }
1926 __except(EXCEPTION_EXECUTE_HANDLER)
1927 {
1928 rc = VERR_SUPDRV_NO_RAW_MODE_HYPER_V_ROOT;
1929 }
1930 if (RT_SUCCESS(rc))
1931 ASMSetCR4(fCr4);
1932 ASMSetFlags(fOldFlags);
1933 }
1934 }
1935 }
1936#endif
1937 return rc;
1938}
1939
1940
1941#define MY_SystemLoadGdiDriverInSystemSpaceInformation 54
1942#define MY_SystemUnloadGdiDriverInformation 27
1943
1944typedef struct MYSYSTEMGDIDRIVERINFO
1945{
1946 UNICODE_STRING Name; /**< In: image file name. */
1947 PVOID ImageAddress; /**< Out: the load address. */
1948 PVOID SectionPointer; /**< Out: section object. */
1949 PVOID EntryPointer; /**< Out: entry point address. */
1950 PVOID ExportSectionPointer; /**< Out: export directory/section. */
1951 ULONG ImageLength; /**< Out: SizeOfImage. */
1952} MYSYSTEMGDIDRIVERINFO;
1953
1954extern "C" __declspec(dllimport) NTSTATUS NTAPI ZwSetSystemInformation(ULONG, PVOID, ULONG);
1955
1956int VBOXCALL supdrvOSLdrOpen(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, const char *pszFilename)
1957{
1958 pImage->pvNtSectionObj = NULL;
1959 pImage->hMemLock = NIL_RTR0MEMOBJ;
1960
1961#ifdef VBOX_WITHOUT_NATIVE_R0_LOADER
1962# ifndef RT_ARCH_X86
1963# error "VBOX_WITHOUT_NATIVE_R0_LOADER is only safe on x86."
1964# endif
1965 NOREF(pDevExt); NOREF(pszFilename); NOREF(pImage);
1966 return VERR_NOT_SUPPORTED;
1967
1968#else
1969 /*
1970 * Convert the filename from DOS UTF-8 to NT UTF-16.
1971 */
1972 size_t cwcFilename;
1973 int rc = RTStrCalcUtf16LenEx(pszFilename, RTSTR_MAX, &cwcFilename);
1974 if (RT_FAILURE(rc))
1975 return rc;
1976
1977 PRTUTF16 pwcsFilename = (PRTUTF16)RTMemTmpAlloc((4 + cwcFilename + 1) * sizeof(RTUTF16));
1978 if (!pwcsFilename)
1979 return VERR_NO_TMP_MEMORY;
1980
1981 pwcsFilename[0] = '\\';
1982 pwcsFilename[1] = '?';
1983 pwcsFilename[2] = '?';
1984 pwcsFilename[3] = '\\';
1985 PRTUTF16 pwcsTmp = &pwcsFilename[4];
1986 rc = RTStrToUtf16Ex(pszFilename, RTSTR_MAX, &pwcsTmp, cwcFilename + 1, NULL);
1987 if (RT_SUCCESS(rc))
1988 {
1989 /*
1990 * Try load it.
1991 */
1992 MYSYSTEMGDIDRIVERINFO Info;
1993 RtlInitUnicodeString(&Info.Name, pwcsFilename);
1994 Info.ImageAddress = NULL;
1995 Info.SectionPointer = NULL;
1996 Info.EntryPointer = NULL;
1997 Info.ExportSectionPointer = NULL;
1998 Info.ImageLength = 0;
1999
2000 NTSTATUS rcNt = ZwSetSystemInformation(MY_SystemLoadGdiDriverInSystemSpaceInformation, &Info, sizeof(Info));
2001 if (NT_SUCCESS(rcNt))
2002 {
2003 pImage->pvImage = Info.ImageAddress;
2004 pImage->pvNtSectionObj = Info.SectionPointer;
2005 Log(("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ls'\n",
2006 Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer));
2007# ifdef DEBUG_bird
2008 SUPR0Printf("ImageAddress=%p SectionPointer=%p ImageLength=%#x cbImageBits=%#x rcNt=%#x '%ws'\n",
2009 Info.ImageAddress, Info.SectionPointer, Info.ImageLength, pImage->cbImageBits, rcNt, Info.Name.Buffer);
2010# endif
2011 if (pImage->cbImageBits == Info.ImageLength)
2012 {
2013 /*
2014 * Lock down the entire image, just to be on the safe side.
2015 */
2016 rc = RTR0MemObjLockKernel(&pImage->hMemLock, pImage->pvImage, pImage->cbImageBits, RTMEM_PROT_READ);
2017 if (RT_FAILURE(rc))
2018 {
2019 pImage->hMemLock = NIL_RTR0MEMOBJ;
2020 supdrvOSLdrUnload(pDevExt, pImage);
2021 }
2022 }
2023 else
2024 {
2025 supdrvOSLdrUnload(pDevExt, pImage);
2026 rc = VERR_LDR_MISMATCH_NATIVE;
2027 }
2028 }
2029 else
2030 {
2031 Log(("rcNt=%#x '%ls'\n", rcNt, pwcsFilename));
2032 SUPR0Printf("VBoxDrv: rcNt=%x '%ws'\n", rcNt, pwcsFilename);
2033 switch (rcNt)
2034 {
2035 case /* 0xc0000003 */ STATUS_INVALID_INFO_CLASS:
2036# ifdef RT_ARCH_AMD64
2037 /* Unwind will crash and BSOD, so no fallback here! */
2038 rc = VERR_NOT_IMPLEMENTED;
2039# else
2040 /*
2041 * Use the old way of loading the modules.
2042 *
2043 * Note! We do *NOT* try class 26 because it will probably
2044 * not work correctly on terminal servers and such.
2045 */
2046 rc = VERR_NOT_SUPPORTED;
2047# endif
2048 break;
2049 case /* 0xc0000034 */ STATUS_OBJECT_NAME_NOT_FOUND:
2050 rc = VERR_MODULE_NOT_FOUND;
2051 break;
2052 case /* 0xC0000263 */ STATUS_DRIVER_ENTRYPOINT_NOT_FOUND:
2053 rc = VERR_LDR_IMPORTED_SYMBOL_NOT_FOUND;
2054 break;
2055 case /* 0xC0000428 */ STATUS_INVALID_IMAGE_HASH:
2056 rc = VERR_LDR_IMAGE_HASH;
2057 break;
2058 case /* 0xC000010E */ STATUS_IMAGE_ALREADY_LOADED:
2059 Log(("WARNING: see @bugref{4853} for cause of this failure on Windows 7 x64\n"));
2060 rc = VERR_ALREADY_LOADED;
2061 break;
2062 default:
2063 rc = VERR_LDR_GENERAL_FAILURE;
2064 break;
2065 }
2066
2067 pImage->pvNtSectionObj = NULL;
2068 }
2069 }
2070
2071 RTMemTmpFree(pwcsFilename);
2072 NOREF(pDevExt);
2073 return rc;
2074#endif
2075}
2076
2077
2078void VBOXCALL supdrvOSLdrNotifyOpened(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, const char *pszFilename)
2079{
2080 NOREF(pDevExt); NOREF(pImage); NOREF(pszFilename);
2081}
2082
2083void VBOXCALL supdrvOSLdrNotifyUnloaded(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage)
2084{
2085 NOREF(pDevExt); NOREF(pImage);
2086}
2087
2088int VBOXCALL supdrvOSLdrValidatePointer(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, void *pv, const uint8_t *pbImageBits)
2089{
2090 NOREF(pDevExt); NOREF(pImage); NOREF(pv); NOREF(pbImageBits);
2091 return VINF_SUCCESS;
2092}
2093
2094
2095/**
2096 * memcmp + errormsg + log.
2097 *
2098 * @returns Same as memcmp.
2099 * @param pImage The image.
2100 * @param pbImageBits The image bits ring-3 uploads.
2101 * @param uRva The RVA to start comparing at.
2102 * @param cb The number of bytes to compare.
2103 * @param pReq The load request.
2104 */
2105static int supdrvNtCompare(PSUPDRVLDRIMAGE pImage, const uint8_t *pbImageBits, uint32_t uRva, uint32_t cb, PSUPLDRLOAD pReq)
2106{
2107 int iDiff = memcmp((uint8_t const *)pImage->pvImage + uRva, pbImageBits + uRva, cb);
2108 if (iDiff)
2109 {
2110 uint32_t cbLeft = cb;
2111 const uint8_t *pbNativeBits = (const uint8_t *)pImage->pvImage;
2112 for (size_t off = uRva; cbLeft > 0; off++, cbLeft--)
2113 if (pbNativeBits[off] != pbImageBits[off])
2114 {
2115 /* Note! We need to copy image bits into a temporary stack buffer here as we'd
2116 otherwise risk overwriting them while formatting the error message. */
2117 uint8_t abBytes[64];
2118 memcpy(abBytes, &pbImageBits[off], RT_MIN(64, cbLeft));
2119 supdrvLdrLoadError(VERR_LDR_MISMATCH_NATIVE, pReq,
2120 "Mismatch at %#x (%p) of %s loaded at %p:\n"
2121 "ntld: %.*Rhxs\n"
2122 "iprt: %.*Rhxs",
2123 off, &pbNativeBits[off], pImage->szName, pImage->pvImage,
2124 RT_MIN(64, cbLeft), &pbNativeBits[off],
2125 RT_MIN(64, cbLeft), &abBytes[0]);
2126 SUPR0Printf("VBoxDrv: %s", pReq->u.Out.szError);
2127 break;
2128 }
2129 }
2130 return iDiff;
2131}
2132
2133
2134int VBOXCALL supdrvOSLdrLoad(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage, const uint8_t *pbImageBits, PSUPLDRLOAD pReq)
2135{
2136 NOREF(pDevExt);
2137 if (pImage->pvNtSectionObj)
2138 {
2139 /*
2140 * Usually, the entire image matches exactly.
2141 */
2142 if (!memcmp(pImage->pvImage, pbImageBits, pImage->cbImageBits))
2143 return VINF_SUCCESS;
2144
2145 /*
2146 * On Windows 10 the ImageBase member of the optional header is sometimes
2147 * updated with the actual load address and sometimes not. Try compare
2148 *
2149 */
2150 uint32_t const offNtHdrs = *(uint16_t *)pbImageBits == IMAGE_DOS_SIGNATURE
2151 ? ((IMAGE_DOS_HEADER const *)pbImageBits)->e_lfanew
2152 : 0;
2153 AssertLogRelReturn(offNtHdrs + sizeof(IMAGE_NT_HEADERS) < pImage->cbImageBits, VERR_INTERNAL_ERROR_5);
2154 IMAGE_NT_HEADERS const *pNtHdrsIprt = (IMAGE_NT_HEADERS const *)(pbImageBits + offNtHdrs);
2155 IMAGE_NT_HEADERS const *pNtHdrsNtLd = (IMAGE_NT_HEADERS const *)((uintptr_t)pImage->pvImage + offNtHdrs);
2156
2157 uint32_t const offImageBase = offNtHdrs + RT_OFFSETOF(IMAGE_NT_HEADERS, OptionalHeader.ImageBase);
2158 uint32_t const cbImageBase = RT_SIZEOFMEMB(IMAGE_NT_HEADERS, OptionalHeader.ImageBase);
2159 if ( pNtHdrsNtLd->OptionalHeader.ImageBase != pNtHdrsIprt->OptionalHeader.ImageBase
2160 && ( pNtHdrsNtLd->OptionalHeader.ImageBase == (uintptr_t)pImage->pvImage
2161 || pNtHdrsIprt->OptionalHeader.ImageBase == (uintptr_t)pImage->pvImage)
2162 && pNtHdrsIprt->Signature == IMAGE_NT_SIGNATURE
2163 && pNtHdrsIprt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR_MAGIC
2164 && !memcmp(pImage->pvImage, pbImageBits, offImageBase)
2165 && !memcmp((uint8_t const *)pImage->pvImage + offImageBase + cbImageBase,
2166 pbImageBits + offImageBase + cbImageBase,
2167 pImage->cbImageBits - offImageBase - cbImageBase))
2168 return VINF_SUCCESS;
2169
2170 /*
2171 * On Windows Server 2003 (sp2 x86) both import thunk tables are fixed
2172 * up and we typically get a mismatch in the INIT section.
2173 *
2174 * So, lets see if everything matches when excluding the
2175 * OriginalFirstThunk tables and (maybe) the ImageBase member.
2176 * For simplicity the max number of exclusion regions is set to 16.
2177 */
2178 if ( pNtHdrsIprt->Signature == IMAGE_NT_SIGNATURE
2179 && pNtHdrsIprt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR_MAGIC
2180 && pNtHdrsIprt->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT
2181 && pNtHdrsIprt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size >= sizeof(IMAGE_IMPORT_DESCRIPTOR)
2182 && pNtHdrsIprt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress > sizeof(IMAGE_NT_HEADERS)
2183 && pNtHdrsIprt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress < pImage->cbImageBits
2184 )
2185 {
2186 struct MyRegion
2187 {
2188 uint32_t uRva;
2189 uint32_t cb;
2190 } aExcludeRgns[16];
2191 unsigned cExcludeRgns = 0;
2192
2193 /* ImageBase: */
2194 if ( pNtHdrsNtLd->OptionalHeader.ImageBase != pNtHdrsIprt->OptionalHeader.ImageBase
2195 && ( pNtHdrsNtLd->OptionalHeader.ImageBase == (uintptr_t)pImage->pvImage
2196 || pNtHdrsIprt->OptionalHeader.ImageBase == (uintptr_t)pImage->pvImage) )
2197 {
2198 aExcludeRgns[cExcludeRgns].uRva = offImageBase;
2199 aExcludeRgns[cExcludeRgns].cb = cbImageBase;
2200 cExcludeRgns++;
2201 }
2202
2203 /* Imports: */
2204 uint32_t cImpsLeft = pNtHdrsIprt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size
2205 / sizeof(IMAGE_IMPORT_DESCRIPTOR);
2206 uint32_t offImps = pNtHdrsIprt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
2207 AssertLogRelReturn(offImps + cImpsLeft * sizeof(IMAGE_IMPORT_DESCRIPTOR) <= pImage->cbImageBits, VERR_INTERNAL_ERROR_3);
2208 IMAGE_IMPORT_DESCRIPTOR const *pImp = (IMAGE_IMPORT_DESCRIPTOR const *)(pbImageBits + offImps);
2209 while ( cImpsLeft-- > 0
2210 && cExcludeRgns < RT_ELEMENTS(aExcludeRgns))
2211 {
2212 uint32_t uRvaThunk = pImp->OriginalFirstThunk;
2213 if ( uRvaThunk > sizeof(IMAGE_NT_HEADERS)
2214 && uRvaThunk <= pImage->cbImageBits - sizeof(IMAGE_THUNK_DATA)
2215 && uRvaThunk != pImp->FirstThunk)
2216 {
2217 /* Find the size of the thunk table. */
2218 IMAGE_THUNK_DATA const *paThunk = (IMAGE_THUNK_DATA const *)(pbImageBits + uRvaThunk);
2219 uint32_t cMaxThunks = (pImage->cbImageBits - uRvaThunk) / sizeof(IMAGE_THUNK_DATA);
2220 uint32_t cThunks = 0;
2221 while (cThunks < cMaxThunks && paThunk[cThunks].u1.Function != 0)
2222 cThunks++;
2223
2224 /* Ordered table insert. */
2225 unsigned i = 0;
2226 for (; i < cExcludeRgns; i++)
2227 if (uRvaThunk < aExcludeRgns[i].uRva)
2228 break;
2229 if (i != cExcludeRgns)
2230 memmove(&aExcludeRgns[i + 1], &aExcludeRgns[i], (cExcludeRgns - i) * sizeof(aExcludeRgns[0]));
2231 aExcludeRgns[i].uRva = uRvaThunk;
2232 aExcludeRgns[i].cb = cThunks * sizeof(IMAGE_THUNK_DATA);
2233 cExcludeRgns++;
2234 }
2235
2236 /* advance */
2237 pImp++;
2238 }
2239
2240 /*
2241 * Ok, do the comparison.
2242 */
2243 int iDiff = 0;
2244 uint32_t uRvaNext = 0;
2245 for (unsigned i = 0; !iDiff && i < cExcludeRgns; i++)
2246 {
2247 if (uRvaNext < aExcludeRgns[i].uRva)
2248 iDiff = supdrvNtCompare(pImage, pbImageBits, uRvaNext, aExcludeRgns[i].uRva - uRvaNext, pReq);
2249 uRvaNext = aExcludeRgns[i].uRva + aExcludeRgns[i].cb;
2250 }
2251 if (!iDiff && uRvaNext < pImage->cbImageBits)
2252 iDiff = supdrvNtCompare(pImage, pbImageBits, uRvaNext, pImage->cbImageBits - uRvaNext, pReq);
2253 if (!iDiff)
2254 return VINF_SUCCESS;
2255 }
2256 else
2257 supdrvNtCompare(pImage, pbImageBits, 0, pImage->cbImageBits, pReq);
2258 return VERR_LDR_MISMATCH_NATIVE;
2259 }
2260 return supdrvLdrLoadError(VERR_INTERNAL_ERROR_4, pReq, "No NT section object! Impossible!");
2261}
2262
2263
2264void VBOXCALL supdrvOSLdrUnload(PSUPDRVDEVEXT pDevExt, PSUPDRVLDRIMAGE pImage)
2265{
2266 if (pImage->pvNtSectionObj)
2267 {
2268 if (pImage->hMemLock != NIL_RTR0MEMOBJ)
2269 {
2270 RTR0MemObjFree(pImage->hMemLock, false /*fFreeMappings*/);
2271 pImage->hMemLock = NIL_RTR0MEMOBJ;
2272 }
2273
2274 NTSTATUS rcNt = ZwSetSystemInformation(MY_SystemUnloadGdiDriverInformation,
2275 &pImage->pvNtSectionObj, sizeof(pImage->pvNtSectionObj));
2276 if (rcNt != STATUS_SUCCESS)
2277 SUPR0Printf("VBoxDrv: failed to unload '%s', rcNt=%#x\n", pImage->szName, rcNt);
2278 pImage->pvNtSectionObj = NULL;
2279 }
2280 NOREF(pDevExt);
2281}
2282
2283
2284#ifdef SUPDRV_WITH_MSR_PROBER
2285
2286#if 1
2287/** @todo make this selectable. */
2288# define AMD_MSR_PASSCODE 0x9c5a203a
2289#else
2290# define ASMRdMsrEx(a, b, c) ASMRdMsr(a)
2291# define ASMWrMsrEx(a, b, c) ASMWrMsr(a,c)
2292#endif
2293
2294
2295/**
2296 * Argument package used by supdrvOSMsrProberRead and supdrvOSMsrProberWrite.
2297 */
2298typedef struct SUPDRVNTMSPROBERARGS
2299{
2300 uint32_t uMsr;
2301 uint64_t uValue;
2302 bool fGp;
2303} SUPDRVNTMSPROBERARGS;
2304
2305/** @callback_method_impl{FNRTMPWORKER, Worker for supdrvOSMsrProberRead.} */
2306static DECLCALLBACK(void) supdrvNtMsProberReadOnCpu(RTCPUID idCpu, void *pvUser1, void *pvUser2)
2307{
2308 /*
2309 * rdmsr and wrmsr faults can be caught even with interrupts disabled.
2310 * (At least on 32-bit XP.)
2311 */
2312 SUPDRVNTMSPROBERARGS *pArgs = (SUPDRVNTMSPROBERARGS *)pvUser1; NOREF(idCpu); NOREF(pvUser2);
2313 RTCCUINTREG fOldFlags = ASMIntDisableFlags();
2314 __try
2315 {
2316 pArgs->uValue = ASMRdMsrEx(pArgs->uMsr, AMD_MSR_PASSCODE);
2317 pArgs->fGp = false;
2318 }
2319 __except(EXCEPTION_EXECUTE_HANDLER)
2320 {
2321 pArgs->fGp = true;
2322 pArgs->uValue = 0;
2323 }
2324 ASMSetFlags(fOldFlags);
2325}
2326
2327
2328int VBOXCALL supdrvOSMsrProberRead(uint32_t uMsr, RTCPUID idCpu, uint64_t *puValue)
2329{
2330 SUPDRVNTMSPROBERARGS Args;
2331 Args.uMsr = uMsr;
2332 Args.uValue = 0;
2333 Args.fGp = true;
2334
2335 if (idCpu == NIL_RTCPUID)
2336 supdrvNtMsProberReadOnCpu(idCpu, &Args, NULL);
2337 else
2338 {
2339 int rc = RTMpOnSpecific(idCpu, supdrvNtMsProberReadOnCpu, &Args, NULL);
2340 if (RT_FAILURE(rc))
2341 return rc;
2342 }
2343
2344 if (Args.fGp)
2345 return VERR_ACCESS_DENIED;
2346 *puValue = Args.uValue;
2347 return VINF_SUCCESS;
2348}
2349
2350
2351/** @callback_method_impl{FNRTMPWORKER, Worker for supdrvOSMsrProberWrite.} */
2352static DECLCALLBACK(void) supdrvNtMsProberWriteOnCpu(RTCPUID idCpu, void *pvUser1, void *pvUser2)
2353{
2354 /*
2355 * rdmsr and wrmsr faults can be caught even with interrupts disabled.
2356 * (At least on 32-bit XP.)
2357 */
2358 SUPDRVNTMSPROBERARGS *pArgs = (SUPDRVNTMSPROBERARGS *)pvUser1; NOREF(idCpu); NOREF(pvUser2);
2359 RTCCUINTREG fOldFlags = ASMIntDisableFlags();
2360 __try
2361 {
2362 ASMWrMsrEx(pArgs->uMsr, AMD_MSR_PASSCODE, pArgs->uValue);
2363 pArgs->fGp = false;
2364 }
2365 __except(EXCEPTION_EXECUTE_HANDLER)
2366 {
2367 pArgs->fGp = true;
2368 }
2369 ASMSetFlags(fOldFlags);
2370}
2371
2372int VBOXCALL supdrvOSMsrProberWrite(uint32_t uMsr, RTCPUID idCpu, uint64_t uValue)
2373{
2374 SUPDRVNTMSPROBERARGS Args;
2375 Args.uMsr = uMsr;
2376 Args.uValue = uValue;
2377 Args.fGp = true;
2378
2379 if (idCpu == NIL_RTCPUID)
2380 supdrvNtMsProberWriteOnCpu(idCpu, &Args, NULL);
2381 else
2382 {
2383 int rc = RTMpOnSpecific(idCpu, supdrvNtMsProberWriteOnCpu, &Args, NULL);
2384 if (RT_FAILURE(rc))
2385 return rc;
2386 }
2387
2388 if (Args.fGp)
2389 return VERR_ACCESS_DENIED;
2390 return VINF_SUCCESS;
2391}
2392
2393/** @callback_method_impl{FNRTMPWORKER, Worker for supdrvOSMsrProberModify.} */
2394static DECLCALLBACK(void) supdrvNtMsProberModifyOnCpu(RTCPUID idCpu, void *pvUser1, void *pvUser2)
2395{
2396 PSUPMSRPROBER pReq = (PSUPMSRPROBER)pvUser1;
2397 register uint32_t uMsr = pReq->u.In.uMsr;
2398 bool const fFaster = pReq->u.In.enmOp == SUPMSRPROBEROP_MODIFY_FASTER;
2399 uint64_t uBefore = 0;
2400 uint64_t uWritten = 0;
2401 uint64_t uAfter = 0;
2402 bool fBeforeGp = true;
2403 bool fModifyGp = true;
2404 bool fAfterGp = true;
2405 bool fRestoreGp = true;
2406 RTCCUINTREG fOldFlags;
2407 RT_NOREF2(idCpu, pvUser2);
2408
2409 /*
2410 * Do the job.
2411 */
2412 fOldFlags = ASMIntDisableFlags();
2413 ASMCompilerBarrier(); /* paranoia */
2414 if (!fFaster)
2415 ASMWriteBackAndInvalidateCaches();
2416
2417 __try
2418 {
2419 uBefore = ASMRdMsrEx(uMsr, AMD_MSR_PASSCODE);
2420 fBeforeGp = false;
2421 }
2422 __except(EXCEPTION_EXECUTE_HANDLER)
2423 {
2424 fBeforeGp = true;
2425 }
2426 if (!fBeforeGp)
2427 {
2428 register uint64_t uRestore = uBefore;
2429
2430 /* Modify. */
2431 uWritten = uRestore;
2432 uWritten &= pReq->u.In.uArgs.Modify.fAndMask;
2433 uWritten |= pReq->u.In.uArgs.Modify.fOrMask;
2434 __try
2435 {
2436 ASMWrMsrEx(uMsr, AMD_MSR_PASSCODE, uWritten);
2437 fModifyGp = false;
2438 }
2439 __except(EXCEPTION_EXECUTE_HANDLER)
2440 {
2441 fModifyGp = true;
2442 }
2443
2444 /* Read modified value. */
2445 __try
2446 {
2447 uAfter = ASMRdMsrEx(uMsr, AMD_MSR_PASSCODE);
2448 fAfterGp = false;
2449 }
2450 __except(EXCEPTION_EXECUTE_HANDLER)
2451 {
2452 fAfterGp = true;
2453 }
2454
2455 /* Restore original value. */
2456 __try
2457 {
2458 ASMWrMsrEx(uMsr, AMD_MSR_PASSCODE, uRestore);
2459 fRestoreGp = false;
2460 }
2461 __except(EXCEPTION_EXECUTE_HANDLER)
2462 {
2463 fRestoreGp = true;
2464 }
2465
2466 /* Invalid everything we can. */
2467 if (!fFaster)
2468 {
2469 ASMWriteBackAndInvalidateCaches();
2470 ASMReloadCR3();
2471 ASMNopPause();
2472 }
2473 }
2474
2475 ASMCompilerBarrier(); /* paranoia */
2476 ASMSetFlags(fOldFlags);
2477
2478 /*
2479 * Write out the results.
2480 */
2481 pReq->u.Out.uResults.Modify.uBefore = uBefore;
2482 pReq->u.Out.uResults.Modify.uWritten = uWritten;
2483 pReq->u.Out.uResults.Modify.uAfter = uAfter;
2484 pReq->u.Out.uResults.Modify.fBeforeGp = fBeforeGp;
2485 pReq->u.Out.uResults.Modify.fModifyGp = fModifyGp;
2486 pReq->u.Out.uResults.Modify.fAfterGp = fAfterGp;
2487 pReq->u.Out.uResults.Modify.fRestoreGp = fRestoreGp;
2488 RT_ZERO(pReq->u.Out.uResults.Modify.afReserved);
2489}
2490
2491
2492int VBOXCALL supdrvOSMsrProberModify(RTCPUID idCpu, PSUPMSRPROBER pReq)
2493{
2494 if (idCpu == NIL_RTCPUID)
2495 {
2496 supdrvNtMsProberModifyOnCpu(idCpu, pReq, NULL);
2497 return VINF_SUCCESS;
2498 }
2499 return RTMpOnSpecific(idCpu, supdrvNtMsProberModifyOnCpu, pReq, NULL);
2500}
2501
2502#endif /* SUPDRV_WITH_MSR_PROBER */
2503
2504
2505/**
2506 * Converts an IPRT error code to an nt status code.
2507 *
2508 * @returns corresponding nt status code.
2509 * @param rc IPRT error status code.
2510 */
2511static NTSTATUS VBoxDrvNtErr2NtStatus(int rc)
2512{
2513 switch (rc)
2514 {
2515 case VINF_SUCCESS: return STATUS_SUCCESS;
2516 case VERR_GENERAL_FAILURE: return STATUS_NOT_SUPPORTED;
2517 case VERR_INVALID_PARAMETER: return STATUS_INVALID_PARAMETER;
2518 case VERR_INVALID_MAGIC: return STATUS_UNKNOWN_REVISION;
2519 case VERR_INVALID_HANDLE: return STATUS_INVALID_HANDLE;
2520 case VERR_INVALID_POINTER: return STATUS_INVALID_ADDRESS;
2521 case VERR_LOCK_FAILED: return STATUS_NOT_LOCKED;
2522 case VERR_ALREADY_LOADED: return STATUS_IMAGE_ALREADY_LOADED;
2523 case VERR_PERMISSION_DENIED: return STATUS_ACCESS_DENIED;
2524 case VERR_VERSION_MISMATCH: return STATUS_REVISION_MISMATCH;
2525 }
2526
2527 if (rc < 0)
2528 {
2529 if (((uint32_t)rc & UINT32_C(0xffff0000)) == UINT32_C(0xffff0000))
2530 return (NTSTATUS)( ((uint32_t)rc & UINT32_C(0xffff)) | SUP_NT_STATUS_BASE );
2531 }
2532 return STATUS_UNSUCCESSFUL;
2533}
2534
2535
2536/**
2537 * Alternative version of SUPR0Printf for Windows.
2538 *
2539 * @returns 0.
2540 * @param pszFormat The format string.
2541 */
2542SUPR0DECL(int) SUPR0Printf(const char *pszFormat, ...)
2543{
2544 va_list va;
2545 char szMsg[384];
2546
2547 va_start(va, pszFormat);
2548 size_t cch = RTStrPrintfV(szMsg, sizeof(szMsg) - 1, pszFormat, va);
2549 szMsg[sizeof(szMsg) - 1] = '\0';
2550 va_end(va);
2551
2552 RTLogWriteDebugger(szMsg, cch);
2553 return 0;
2554}
2555
2556
2557SUPR0DECL(uint32_t) SUPR0GetKernelFeatures(void)
2558{
2559 return 0;
2560}
2561
2562
2563#ifdef VBOX_WITH_HARDENING
2564
2565/** @name Identifying Special Processes: CSRSS.EXE
2566 * @{ */
2567
2568
2569/**
2570 * Checks if the process is a system32 process by the given name.
2571 *
2572 * @returns true / false.
2573 * @param pProcess The process to check.
2574 * @param pszName The lower case process name (no path!).
2575 */
2576static bool supdrvNtProtectIsSystem32ProcessMatch(PEPROCESS pProcess, const char *pszName)
2577{
2578 Assert(strlen(pszName) < 16); /* see buffer below */
2579
2580 /*
2581 * This test works on XP+.
2582 */
2583 const char *pszImageFile = (const char *)PsGetProcessImageFileName(pProcess);
2584 if (!pszImageFile)
2585 return false;
2586
2587 if (RTStrICmp(pszImageFile, pszName) != 0)
2588 return false;
2589
2590 /*
2591 * This test requires a Vista+ API.
2592 */
2593 if (g_pfnPsReferenceProcessFilePointer)
2594 {
2595 PFILE_OBJECT pFile = NULL;
2596 NTSTATUS rcNt = g_pfnPsReferenceProcessFilePointer(pProcess, &pFile);
2597 if (!NT_SUCCESS(rcNt))
2598 return false;
2599
2600 union
2601 {
2602 OBJECT_NAME_INFORMATION Info;
2603 uint8_t abBuffer[sizeof(g_System32NtPath) + 16 * sizeof(WCHAR)];
2604 } Buf;
2605 ULONG cbIgn;
2606 rcNt = ObQueryNameString(pFile, &Buf.Info, sizeof(Buf) - sizeof(WCHAR), &cbIgn);
2607 ObDereferenceObject(pFile);
2608 if (!NT_SUCCESS(rcNt))
2609 return false;
2610
2611 /* Terminate the name. */
2612 PRTUTF16 pwszName = Buf.Info.Name.Buffer;
2613 pwszName[Buf.Info.Name.Length / sizeof(RTUTF16)] = '\0';
2614
2615 /* Match the name against the system32 directory path. */
2616 uint32_t cbSystem32 = g_System32NtPath.UniStr.Length;
2617 if (Buf.Info.Name.Length < cbSystem32)
2618 return false;
2619 if (memcmp(pwszName, g_System32NtPath.UniStr.Buffer, cbSystem32))
2620 return false;
2621 pwszName += cbSystem32 / sizeof(RTUTF16);
2622 if (*pwszName++ != '\\')
2623 return false;
2624
2625 /* Compare the name. */
2626 const char *pszRight = pszName;
2627 for (;;)
2628 {
2629 WCHAR wchLeft = *pwszName++;
2630 char chRight = *pszRight++;
2631 Assert(chRight == RT_C_TO_LOWER(chRight));
2632
2633 if ( wchLeft != chRight
2634 && RT_C_TO_LOWER(wchLeft) != chRight)
2635 return false;
2636 if (!chRight)
2637 break;
2638 }
2639 }
2640
2641 return true;
2642}
2643
2644
2645/**
2646 * Checks if the current process is likely to be CSRSS.
2647 *
2648 * @returns true/false.
2649 * @param pProcess The process.
2650 */
2651static bool supdrvNtProtectIsCsrssByProcess(PEPROCESS pProcess)
2652{
2653 /*
2654 * On Windows 8.1 CSRSS.EXE is a protected process.
2655 */
2656 if (g_pfnPsIsProtectedProcessLight)
2657 {
2658 if (!g_pfnPsIsProtectedProcessLight(pProcess))
2659 return false;
2660 }
2661
2662 /*
2663 * The name tests.
2664 */
2665 if (!supdrvNtProtectIsSystem32ProcessMatch(pProcess, "csrss.exe"))
2666 return false;
2667
2668 /** @todo Could extend the CSRSS.EXE check with that the TokenUser of the
2669 * current process must be "NT AUTHORITY\SYSTEM" (S-1-5-18). */
2670
2671 return true;
2672}
2673
2674
2675/**
2676 * Helper for supdrvNtProtectGetAlpcPortObjectType that tries out a name.
2677 *
2678 * @returns true if done, false if not.
2679 * @param pwszPortNm The port path.
2680 * @param ppObjType The object type return variable, updated when
2681 * returning true.
2682 */
2683static bool supdrvNtProtectGetAlpcPortObjectType2(PCRTUTF16 pwszPortNm, POBJECT_TYPE *ppObjType)
2684{
2685 bool fDone = false;
2686
2687 UNICODE_STRING UniStrPortNm;
2688 UniStrPortNm.Buffer = (WCHAR *)pwszPortNm;
2689 UniStrPortNm.Length = (USHORT)(RTUtf16Len(pwszPortNm) * sizeof(WCHAR));
2690 UniStrPortNm.MaximumLength = UniStrPortNm.Length + sizeof(WCHAR);
2691
2692 OBJECT_ATTRIBUTES ObjAttr;
2693 InitializeObjectAttributes(&ObjAttr, &UniStrPortNm, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
2694
2695 HANDLE hPort;
2696 NTSTATUS rcNt = g_pfnZwAlpcCreatePort(&hPort, &ObjAttr, NULL /*pPortAttribs*/);
2697 if (NT_SUCCESS(rcNt))
2698 {
2699 PVOID pvObject;
2700 rcNt = ObReferenceObjectByHandle(hPort, 0 /*DesiredAccess*/, NULL /*pObjectType*/,
2701 KernelMode, &pvObject, NULL /*pHandleInfo*/);
2702 if (NT_SUCCESS(rcNt))
2703 {
2704 POBJECT_TYPE pObjType = g_pfnObGetObjectType(pvObject);
2705 if (pObjType)
2706 {
2707 SUPR0Printf("vboxdrv: ALPC Port Object Type %p (vs %p)\n", pObjType, *ppObjType);
2708 *ppObjType = pObjType;
2709 fDone = true;
2710 }
2711 ObDereferenceObject(pvObject);
2712 }
2713 NtClose(hPort);
2714 }
2715 return fDone;
2716}
2717
2718
2719/**
2720 * Attempts to retrieve the ALPC Port object type.
2721 *
2722 * We've had at least three reports that using LpcPortObjectType when trying to
2723 * get at the ApiPort object results in STATUS_OBJECT_TYPE_MISMATCH errors.
2724 * It's not known who has modified LpcPortObjectType or AlpcPortObjectType (not
2725 * exported) so that it differs from the actual ApiPort type, or maybe this
2726 * unknown entity is intercepting our attempt to reference the port and
2727 * tries to mislead us. The paranoid explanataion is of course that some evil
2728 * root kit like software is messing with the OS, however, it's possible that
2729 * this is valid kernel behavior that 99.8% of our users and 100% of the
2730 * developers are not triggering for some reason.
2731 *
2732 * The code here creates an ALPC port object and gets it's type. It will cache
2733 * the result in g_pAlpcPortObjectType2 on success.
2734 *
2735 * @returns Object type.
2736 * @param uSessionId The session id.
2737 * @param pszSessionId The session id formatted as a string.
2738 */
2739static POBJECT_TYPE supdrvNtProtectGetAlpcPortObjectType(uint32_t uSessionId, const char *pszSessionId)
2740{
2741 POBJECT_TYPE pObjType = *LpcPortObjectType;
2742
2743 if ( g_pfnZwAlpcCreatePort
2744 && g_pfnObGetObjectType)
2745 {
2746 int rc;
2747 ssize_t cchTmp; NOREF(cchTmp);
2748 char szTmp[16];
2749 RTUTF16 wszPortNm[128];
2750 size_t offRand;
2751
2752 /*
2753 * First attempt is in the session directory.
2754 */
2755 rc = RTUtf16CopyAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "\\Sessions\\");
2756 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), pszSessionId);
2757 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "\\VBoxDrv-");
2758 cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), (uint32_t)(uintptr_t)PsGetProcessId(PsGetCurrentProcess()), 16, 0, 0, 0);
2759 Assert(cchTmp > 0);
2760 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), szTmp);
2761 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "-");
2762 offRand = RTUtf16Len(wszPortNm);
2763 cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), RTRandU32(), 16, 0, 0, 0);
2764 Assert(cchTmp > 0);
2765 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), szTmp);
2766 AssertRCSuccess(rc);
2767
2768 bool fDone = supdrvNtProtectGetAlpcPortObjectType2(wszPortNm, &pObjType);
2769 if (!fDone)
2770 {
2771 wszPortNm[offRand] = '\0';
2772 cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), RTRandU32(), 16, 0, 0, 0); Assert(cchTmp > 0);
2773 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), szTmp);
2774 AssertRCSuccess(rc);
2775
2776 fDone = supdrvNtProtectGetAlpcPortObjectType2(wszPortNm, &pObjType);
2777 }
2778 if (!fDone)
2779 {
2780 /*
2781 * Try base names.
2782 */
2783 if (uSessionId == 0)
2784 rc = RTUtf16CopyAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "\\BaseNamedObjects\\VBoxDrv-");
2785 else
2786 {
2787 rc = RTUtf16CopyAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "\\Sessions\\");
2788 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), pszSessionId);
2789 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "\\BaseNamedObjects\\VBoxDrv-");
2790 }
2791 cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), (uint32_t)(uintptr_t)PsGetProcessId(PsGetCurrentProcess()), 16, 0, 0, 0);
2792 Assert(cchTmp > 0);
2793 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), szTmp);
2794 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), "-");
2795 offRand = RTUtf16Len(wszPortNm);
2796 cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), RTRandU32(), 16, 0, 0, 0);
2797 Assert(cchTmp > 0);
2798 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), szTmp);
2799 AssertRCSuccess(rc);
2800
2801 bool fDone = supdrvNtProtectGetAlpcPortObjectType2(wszPortNm, &pObjType);
2802 if (!fDone)
2803 {
2804 wszPortNm[offRand] = '\0';
2805 cchTmp = RTStrFormatU32(szTmp, sizeof(szTmp), RTRandU32(), 16, 0, 0, 0);
2806 Assert(cchTmp > 0);
2807 rc |= RTUtf16CatAscii(wszPortNm, RT_ELEMENTS(wszPortNm), szTmp);
2808 AssertRCSuccess(rc);
2809
2810 fDone = supdrvNtProtectGetAlpcPortObjectType2(wszPortNm, &pObjType);
2811 }
2812 }
2813
2814 /* Cache the result in g_pAlpcPortObjectType2. */
2815 if ( g_pAlpcPortObjectType2 == NULL
2816 && pObjType != g_pAlpcPortObjectType1
2817 && fDone)
2818 g_pAlpcPortObjectType2 = pObjType;
2819
2820 }
2821
2822 return pObjType;
2823}
2824
2825
2826/**
2827 * Called in the context of VBoxDrvNtCreate to determin the CSRSS for the
2828 * current process.
2829 *
2830 * The Client/Server Runtime Subsystem (CSRSS) process needs to be allowed some
2831 * additional access right so we need to make 101% sure we correctly identify
2832 * the CSRSS process a process is associated with.
2833 *
2834 * @returns IPRT status code.
2835 * @param pNtProtect The NT protected process structure. The
2836 * hCsrssPid member will be updated on success.
2837 */
2838static int supdrvNtProtectFindAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect)
2839{
2840 Assert(pNtProtect->AvlCore.Key == PsGetCurrentProcessId());
2841 Assert(pNtProtect->pCsrssProcess == NULL);
2842 Assert(pNtProtect->hCsrssPid == NULL);
2843
2844 /*
2845 * We'll try use the ApiPort LPC object for the session we're in to track
2846 * down the CSRSS process. So, we start by constructing a path to it.
2847 */
2848 int rc;
2849 uint32_t uSessionId = PsGetProcessSessionId(PsGetCurrentProcess());
2850 char szSessionId[16];
2851 WCHAR wszApiPort[48];
2852 if (uSessionId == 0)
2853 {
2854 szSessionId[0] = '0';
2855 szSessionId[1] = '\0';
2856 rc = RTUtf16CopyAscii(wszApiPort, RT_ELEMENTS(wszApiPort), "\\Windows\\ApiPort");
2857 }
2858 else
2859 {
2860 ssize_t cchTmp = RTStrFormatU32(szSessionId, sizeof(szSessionId), uSessionId, 10, 0, 0, 0);
2861 AssertReturn(cchTmp > 0, (int)cchTmp);
2862 rc = RTUtf16CopyAscii(wszApiPort, RT_ELEMENTS(wszApiPort), "\\Sessions\\");
2863 if (RT_SUCCESS(rc))
2864 rc = RTUtf16CatAscii(wszApiPort, RT_ELEMENTS(wszApiPort), szSessionId);
2865 if (RT_SUCCESS(rc))
2866 rc = RTUtf16CatAscii(wszApiPort, RT_ELEMENTS(wszApiPort), "\\Windows\\ApiPort");
2867 }
2868 AssertRCReturn(rc, rc);
2869
2870 UNICODE_STRING ApiPortStr;
2871 ApiPortStr.Buffer = wszApiPort;
2872 ApiPortStr.Length = (USHORT)(RTUtf16Len(wszApiPort) * sizeof(RTUTF16));
2873 ApiPortStr.MaximumLength = ApiPortStr.Length + sizeof(RTUTF16);
2874
2875 /*
2876 * The object cannot be opened, but we can reference it by name.
2877 */
2878 void *pvApiPortObj = NULL;
2879 NTSTATUS rcNt = ObReferenceObjectByName(&ApiPortStr,
2880 0,
2881 NULL /*pAccessState*/,
2882 STANDARD_RIGHTS_READ,
2883 g_pAlpcPortObjectType1,
2884 KernelMode,
2885 NULL /*pvParseContext*/,
2886 &pvApiPortObj);
2887 if ( rcNt == STATUS_OBJECT_TYPE_MISMATCH
2888 && g_pAlpcPortObjectType2 != NULL)
2889 rcNt = ObReferenceObjectByName(&ApiPortStr,
2890 0,
2891 NULL /*pAccessState*/,
2892 STANDARD_RIGHTS_READ,
2893 g_pAlpcPortObjectType2,
2894 KernelMode,
2895 NULL /*pvParseContext*/,
2896 &pvApiPortObj);
2897 if ( rcNt == STATUS_OBJECT_TYPE_MISMATCH
2898 && g_pfnObGetObjectType
2899 && g_pfnZwAlpcCreatePort)
2900 rcNt = ObReferenceObjectByName(&ApiPortStr,
2901 0,
2902 NULL /*pAccessState*/,
2903 STANDARD_RIGHTS_READ,
2904 supdrvNtProtectGetAlpcPortObjectType(uSessionId, szSessionId),
2905 KernelMode,
2906 NULL /*pvParseContext*/,
2907 &pvApiPortObj);
2908 if (!NT_SUCCESS(rcNt))
2909 {
2910 SUPR0Printf("vboxdrv: Error opening '%ls': %#x\n", wszApiPort, rcNt);
2911 return rcNt == STATUS_OBJECT_TYPE_MISMATCH ? VERR_SUPDRV_APIPORT_OPEN_ERROR_TYPE : VERR_SUPDRV_APIPORT_OPEN_ERROR;
2912 }
2913
2914 /*
2915 * Query the processes in the system so we can locate CSRSS.EXE candidates.
2916 * Note! Attempts at using SystemSessionProcessInformation failed with
2917 * STATUS_ACCESS_VIOLATION.
2918 * Note! The 32 bytes on the size of to counteract the allocation header
2919 * that rtR0MemAllocEx slaps on everything.
2920 */
2921 ULONG cbNeeded = _64K - 32;
2922 uint32_t cbBuf;
2923 uint8_t *pbBuf = NULL;
2924 do
2925 {
2926 cbBuf = RT_ALIGN(cbNeeded + _4K, _64K) - 32;
2927 pbBuf = (uint8_t *)RTMemAlloc(cbBuf);
2928 if (!pbBuf)
2929 break;
2930
2931 cbNeeded = 0;
2932#if 0 /* doesn't work. */
2933 SYSTEM_SESSION_PROCESS_INFORMATION Req;
2934 Req.SessionId = uSessionId;
2935 Req.BufferLength = cbBuf;
2936 Req.Buffer = pbBuf;
2937 rcNt = NtQuerySystemInformation(SystemSessionProcessInformation, &Req, sizeof(Req), &cbNeeded);
2938#else
2939 rcNt = NtQuerySystemInformation(SystemProcessInformation, pbBuf, cbBuf, &cbNeeded);
2940#endif
2941 if (NT_SUCCESS(rcNt))
2942 break;
2943
2944 RTMemFree(pbBuf);
2945 pbBuf = NULL;
2946 } while ( rcNt == STATUS_INFO_LENGTH_MISMATCH
2947 && cbNeeded > cbBuf
2948 && cbNeeded < 32U*_1M);
2949
2950 if ( pbBuf
2951 && NT_SUCCESS(rcNt)
2952 && cbNeeded >= sizeof(SYSTEM_PROCESS_INFORMATION))
2953 {
2954 /*
2955 * Walk the returned data and look for the process associated with the
2956 * ApiPort object. The ApiPort object keeps the EPROCESS address of
2957 * the owner process (i.e. CSRSS) relatively early in the structure. On
2958 * 64-bit windows 8.1 it's at offset 0x18. So, obtain the EPROCESS
2959 * pointer to likely CSRSS processes and check for a match in the first
2960 * 0x40 bytes of the ApiPort object.
2961 */
2962 rc = VERR_SUPDRV_CSRSS_NOT_FOUND;
2963 for (uint32_t offBuf = 0; offBuf <= cbNeeded - sizeof(SYSTEM_PROCESS_INFORMATION);)
2964 {
2965 PRTNT_SYSTEM_PROCESS_INFORMATION pProcInfo = (PRTNT_SYSTEM_PROCESS_INFORMATION)&pbBuf[offBuf];
2966 if ( pProcInfo->ProcessName.Length == 9 * sizeof(WCHAR)
2967 && pProcInfo->NumberOfThreads > 2 /* Very low guess. */
2968 && pProcInfo->HandleCount > 32 /* Very low guess, I hope. */
2969 && (uintptr_t)pProcInfo->ProcessName.Buffer - (uintptr_t)pbBuf < cbNeeded
2970 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[0]) == 'c'
2971 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[1]) == 's'
2972 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[2]) == 'r'
2973 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[3]) == 's'
2974 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[4]) == 's'
2975 && pProcInfo->ProcessName.Buffer[5] == '.'
2976 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[6]) == 'e'
2977 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[7]) == 'x'
2978 && RT_C_TO_LOWER(pProcInfo->ProcessName.Buffer[8]) == 'e' )
2979 {
2980
2981 /* Get the process structure and perform some more thorough
2982 process checks. */
2983 PEPROCESS pProcess;
2984 rcNt = PsLookupProcessByProcessId(pProcInfo->UniqueProcessId, &pProcess);
2985 if (NT_SUCCESS(rcNt))
2986 {
2987 if (supdrvNtProtectIsCsrssByProcess(pProcess))
2988 {
2989 if (PsGetProcessSessionId(pProcess) == uSessionId)
2990 {
2991 /* Final test, check the ApiPort.
2992 Note! The old LPC (pre Vista) objects has the PID
2993 much earlier in the structure. Might be
2994 worth looking for it instead. */
2995 bool fThatsIt = false;
2996 __try
2997 {
2998 PEPROCESS *ppPortProc = (PEPROCESS *)pvApiPortObj;
2999 uint32_t cTests = g_uNtVerCombined >= SUP_NT_VER_VISTA ? 16 : 38; /* ALPC since Vista. */
3000 do
3001 {
3002 fThatsIt = *ppPortProc == pProcess;
3003 ppPortProc++;
3004 } while (!fThatsIt && --cTests > 0);
3005 }
3006 __except(EXCEPTION_EXECUTE_HANDLER)
3007 {
3008 fThatsIt = false;
3009 }
3010 if (fThatsIt)
3011 {
3012 /* Ok, we found it! Keep the process structure
3013 reference as well as the PID so we can
3014 safely identify it later on. */
3015 pNtProtect->hCsrssPid = pProcInfo->UniqueProcessId;
3016 pNtProtect->pCsrssProcess = pProcess;
3017 rc = VINF_SUCCESS;
3018 break;
3019 }
3020 }
3021 }
3022
3023 ObDereferenceObject(pProcess);
3024 }
3025 }
3026
3027 /* Advance. */
3028 if (!pProcInfo->NextEntryOffset)
3029 break;
3030 offBuf += pProcInfo->NextEntryOffset;
3031 }
3032 }
3033 else
3034 rc = VERR_SUPDRV_SESSION_PROCESS_ENUM_ERROR;
3035 RTMemFree(pbBuf);
3036 ObDereferenceObject(pvApiPortObj);
3037 return rc;
3038}
3039
3040
3041/**
3042 * Checks that the given process is the CSRSS process associated with protected
3043 * process.
3044 *
3045 * @returns true / false.
3046 * @param pNtProtect The NT protection structure.
3047 * @param pCsrss The process structure of the alleged CSRSS.EXE
3048 * process.
3049 */
3050static bool supdrvNtProtectIsAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect, PEPROCESS pCsrss)
3051{
3052 if (pNtProtect->pCsrssProcess == pCsrss)
3053 {
3054 if (pNtProtect->hCsrssPid == PsGetProcessId(pCsrss))
3055 {
3056 return true;
3057 }
3058 }
3059 return false;
3060}
3061
3062
3063/**
3064 * Checks if the given process is the stupid themes service.
3065 *
3066 * The caller does some screening of access masks and what not. We do the rest.
3067 *
3068 * @returns true / false.
3069 * @param pNtProtect The NT protection structure.
3070 * @param pAnnoyingProcess The process structure of an process that might
3071 * happen to be the annoying themes process.
3072 */
3073static bool supdrvNtProtectIsFrigginThemesService(PSUPDRVNTPROTECT pNtProtect, PEPROCESS pAnnoyingProcess)
3074{
3075 RT_NOREF1(pNtProtect);
3076
3077 /*
3078 * Check the process name.
3079 */
3080 if (!supdrvNtProtectIsSystem32ProcessMatch(pAnnoyingProcess, "svchost.exe"))
3081 return false;
3082
3083 /** @todo Come up with more checks. */
3084
3085 return true;
3086}
3087
3088
3089#ifdef VBOX_WITHOUT_DEBUGGER_CHECKS
3090/**
3091 * Checks if the given process is one of the whitelisted debuggers.
3092 *
3093 * @returns true / false.
3094 * @param pProcess The process to check.
3095 */
3096static bool supdrvNtProtectIsWhitelistedDebugger(PEPROCESS pProcess)
3097{
3098 const char *pszImageFile = (const char *)PsGetProcessImageFileName(pProcess);
3099 if (!pszImageFile)
3100 return false;
3101
3102 if (pszImageFile[0] == 'w' || pszImageFile[0] == 'W')
3103 {
3104 if (RTStrICmp(pszImageFile, "windbg.exe") == 0)
3105 return true;
3106 if (RTStrICmp(pszImageFile, "werfault.exe") == 0)
3107 return true;
3108 if (RTStrICmp(pszImageFile, "werfaultsecure.exe") == 0)
3109 return true;
3110 }
3111 else if (pszImageFile[0] == 'd' || pszImageFile[0] == 'D')
3112 {
3113 if (RTStrICmp(pszImageFile, "drwtsn32.exe") == 0)
3114 return true;
3115 if (RTStrICmp(pszImageFile, "dwwin.exe") == 0)
3116 return true;
3117 }
3118
3119 return false;
3120}
3121#endif /* VBOX_WITHOUT_DEBUGGER_CHECKS */
3122
3123
3124/** @} */
3125
3126
3127/** @name Process Creation Callbacks.
3128 * @{ */
3129
3130
3131/**
3132 * Cleans up VBoxDrv or VBoxDrvStub error info not collected by the dead process.
3133 *
3134 * @param hProcessId The ID of the dead process.
3135 */
3136static void supdrvNtErrorInfoCleanupProcess(HANDLE hProcessId)
3137{
3138 int rc = RTSemMutexRequestNoResume(g_hErrorInfoLock, RT_INDEFINITE_WAIT);
3139 if (RT_SUCCESS(rc))
3140 {
3141 PSUPDRVNTERRORINFO pCur, pNext;
3142 RTListForEachSafe(&g_ErrorInfoHead, pCur, pNext, SUPDRVNTERRORINFO, ListEntry)
3143 {
3144 if (pCur->hProcessId == hProcessId)
3145 {
3146 RTListNodeRemove(&pCur->ListEntry);
3147 RTMemFree(pCur);
3148 }
3149 }
3150 RTSemMutexRelease(g_hErrorInfoLock);
3151 }
3152}
3153
3154
3155/**
3156 * Common worker used by the process creation hooks as well as the process
3157 * handle creation hooks to check if a VM process is being created.
3158 *
3159 * @returns true if likely to be a VM process, false if not.
3160 * @param pNtStub The NT protection structure for the possible
3161 * stub process.
3162 * @param hParentPid The parent pid.
3163 * @param hChildPid The child pid.
3164 */
3165static bool supdrvNtProtectIsSpawningStubProcess(PSUPDRVNTPROTECT pNtStub, HANDLE hParentPid, HANDLE hChildPid)
3166{
3167 bool fRc = false;
3168 if (pNtStub->AvlCore.Key == hParentPid) /* paranoia */
3169 {
3170 if (pNtStub->enmProcessKind == kSupDrvNtProtectKind_StubSpawning)
3171 {
3172 /* Compare short names. */
3173 PEPROCESS pStubProcess;
3174 NTSTATUS rcNt = PsLookupProcessByProcessId(hParentPid, &pStubProcess);
3175 if (NT_SUCCESS(rcNt))
3176 {
3177 PEPROCESS pChildProcess;
3178 rcNt = PsLookupProcessByProcessId(hChildPid, &pChildProcess);
3179 if (NT_SUCCESS(rcNt))
3180 {
3181 const char *pszStub = (const char *)PsGetProcessImageFileName(pStubProcess);
3182 const char *pszChild = (const char *)PsGetProcessImageFileName(pChildProcess);
3183 fRc = pszStub != NULL
3184 && pszChild != NULL
3185 && strcmp(pszStub, pszChild) == 0;
3186
3187 /** @todo check that the full image names matches. */
3188
3189 ObDereferenceObject(pChildProcess);
3190 }
3191 ObDereferenceObject(pStubProcess);
3192 }
3193 }
3194 }
3195 return fRc;
3196}
3197
3198
3199/**
3200 * Common code used by the notifies to protect a child process.
3201 *
3202 * @returns VBox status code.
3203 * @param pNtStub The NT protect structure for the parent.
3204 * @param hChildPid The child pid.
3205 */
3206static int supdrvNtProtectProtectNewStubChild(PSUPDRVNTPROTECT pNtParent, HANDLE hChildPid)
3207{
3208 /*
3209 * Create a child protection struction.
3210 */
3211 PSUPDRVNTPROTECT pNtChild;
3212 int rc = supdrvNtProtectCreate(&pNtChild, hChildPid, kSupDrvNtProtectKind_VmProcessUnconfirmed, false /*fLink*/);
3213 if (RT_SUCCESS(rc))
3214 {
3215 pNtChild->fFirstProcessCreateHandle = true;
3216 pNtChild->fFirstThreadCreateHandle = true;
3217 pNtChild->fCsrssFirstProcessCreateHandle = true;
3218 pNtChild->cCsrssFirstProcessDuplicateHandle = ARCH_BITS == 32 ? 2 : 1;
3219 pNtChild->fThemesFirstProcessCreateHandle = true;
3220 pNtChild->hParentPid = pNtParent->AvlCore.Key;
3221 pNtChild->hCsrssPid = pNtParent->hCsrssPid;
3222 pNtChild->pCsrssProcess = pNtParent->pCsrssProcess;
3223 if (pNtChild->pCsrssProcess)
3224 ObReferenceObject(pNtChild->pCsrssProcess);
3225
3226 /*
3227 * Take the spinlock, recheck parent conditions and link things.
3228 */
3229 RTSpinlockAcquire(g_hNtProtectLock);
3230 if (pNtParent->enmProcessKind == kSupDrvNtProtectKind_StubSpawning)
3231 {
3232 bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtChild->AvlCore);
3233 if (fSuccess)
3234 {
3235 pNtChild->fInTree = true;
3236 pNtParent->u.pChild = pNtChild; /* Parent keeps the initial reference. */
3237 pNtParent->enmProcessKind = kSupDrvNtProtectKind_StubParent;
3238 pNtChild->u.pParent = pNtParent;
3239
3240 RTSpinlockRelease(g_hNtProtectLock);
3241 return VINF_SUCCESS;
3242 }
3243
3244 rc = VERR_INTERNAL_ERROR_2;
3245 }
3246 else
3247 rc = VERR_WRONG_ORDER;
3248 pNtChild->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
3249 RTSpinlockRelease(g_hNtProtectLock);
3250
3251 supdrvNtProtectRelease(pNtChild);
3252 }
3253 return rc;
3254}
3255
3256
3257/**
3258 * Common process termination code.
3259 *
3260 * Transitions protected process to the dead states, protecting against handle
3261 * PID reuse (esp. with unconfirmed VM processes) and handle cleanup issues.
3262 *
3263 * @param hDeadPid The PID of the dead process.
3264 */
3265static void supdrvNtProtectUnprotectDeadProcess(HANDLE hDeadPid)
3266{
3267 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(hDeadPid);
3268 if (pNtProtect)
3269 {
3270 PSUPDRVNTPROTECT pNtChild = NULL;
3271
3272 RTSpinlockAcquire(g_hNtProtectLock);
3273
3274 /*
3275 * If this is an unconfirmed VM process, we must release the reference
3276 * the parent structure holds.
3277 */
3278 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3279 {
3280 PSUPDRVNTPROTECT pNtParent = pNtProtect->u.pParent;
3281 AssertRelease(pNtParent); AssertRelease(pNtParent->u.pChild == pNtProtect);
3282 pNtParent->u.pChild = NULL;
3283 pNtProtect->u.pParent = NULL;
3284 pNtChild = pNtProtect;
3285 }
3286 /*
3287 * If this is a stub exitting before the VM process gets confirmed,
3288 * release the protection of the potential VM process as this is not
3289 * the prescribed behavior.
3290 */
3291 else if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent
3292 && pNtProtect->u.pChild)
3293 {
3294 pNtChild = pNtProtect->u.pChild;
3295 pNtProtect->u.pChild = NULL;
3296 pNtChild->u.pParent = NULL;
3297 pNtChild->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
3298 }
3299
3300 /*
3301 * Transition it to the dead state to prevent it from opening the
3302 * support driver again or be posthumously abused as a vm process parent.
3303 */
3304 if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3305 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessConfirmed)
3306 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
3307 else if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent
3308 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubSpawning
3309 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
3310 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_StubDead;
3311
3312 RTSpinlockRelease(g_hNtProtectLock);
3313
3314 supdrvNtProtectRelease(pNtProtect);
3315 supdrvNtProtectRelease(pNtChild);
3316
3317 /*
3318 * Do session cleanups.
3319 */
3320 AssertReturnVoid((HANDLE)(uintptr_t)RTProcSelf() == hDeadPid);
3321 if (g_pDevObjSys)
3322 {
3323 PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)g_pDevObjSys->DeviceExtension;
3324 PSUPDRVSESSION pSession = supdrvSessionHashTabLookup(pDevExt, (RTPROCESS)(uintptr_t)hDeadPid,
3325 RTR0ProcHandleSelf(), NULL);
3326 if (pSession)
3327 {
3328 supdrvSessionHashTabRemove(pDevExt, pSession, NULL);
3329 supdrvSessionRelease(pSession); /* Drops the reference from supdrvSessionHashTabLookup. */
3330 }
3331 }
3332 }
3333}
3334
3335
3336/**
3337 * Common worker for the process creation callback that verifies a new child
3338 * being created by the handle creation callback code.
3339 *
3340 * @param pNtStub The parent.
3341 * @param pNtVm The child.
3342 * @param fCallerChecks The result of any additional tests the caller made.
3343 * This is in order to avoid duplicating the failure
3344 * path code.
3345 */
3346static void supdrvNtProtectVerifyNewChildProtection(PSUPDRVNTPROTECT pNtStub, PSUPDRVNTPROTECT pNtVm, bool fCallerChecks)
3347{
3348 if ( fCallerChecks
3349 && pNtStub->enmProcessKind == kSupDrvNtProtectKind_StubParent
3350 && pNtVm->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3351 && pNtVm->u.pParent == pNtStub
3352 && pNtStub->u.pChild == pNtVm)
3353 {
3354 /* Fine, reset the CSRSS hack (fixes ViRobot APT Shield 2.0 issue). */
3355 pNtVm->fFirstProcessCreateHandle = true;
3356 return;
3357 }
3358
3359 LogRel(("vboxdrv: Misdetected vm stub; hParentPid=%p hChildPid=%p\n", pNtStub->AvlCore.Key, pNtVm->AvlCore.Key));
3360 if (pNtStub->enmProcessKind != kSupDrvNtProtectKind_VmProcessConfirmed)
3361 supdrvNtProtectUnprotectDeadProcess(pNtVm->AvlCore.Key);
3362}
3363
3364
3365/**
3366 * Old style callback (since forever).
3367 *
3368 * @param hParentPid The parent PID.
3369 * @param hNewPid The PID of the new child.
3370 * @param fCreated TRUE if it's a creation notification,
3371 * FALSE if termination.
3372 * @remarks ASSUMES this arrives before the handle creation callback.
3373 */
3374static VOID __stdcall
3375supdrvNtProtectCallback_ProcessCreateNotify(HANDLE hParentPid, HANDLE hNewPid, BOOLEAN fCreated)
3376{
3377 /*
3378 * Is it a new process that needs protection?
3379 */
3380 if (fCreated)
3381 {
3382 PSUPDRVNTPROTECT pNtStub = supdrvNtProtectLookup(hParentPid);
3383 if (pNtStub)
3384 {
3385 PSUPDRVNTPROTECT pNtVm = supdrvNtProtectLookup(hNewPid);
3386 if (!pNtVm)
3387 {
3388 if (supdrvNtProtectIsSpawningStubProcess(pNtStub, hParentPid, hNewPid))
3389 supdrvNtProtectProtectNewStubChild(pNtStub, hNewPid);
3390 }
3391 else
3392 {
3393 supdrvNtProtectVerifyNewChildProtection(pNtStub, pNtVm, true);
3394 supdrvNtProtectRelease(pNtVm);
3395 }
3396 supdrvNtProtectRelease(pNtStub);
3397 }
3398 }
3399 /*
3400 * Process termination, do clean ups.
3401 */
3402 else
3403 {
3404 supdrvNtProtectUnprotectDeadProcess(hNewPid);
3405 supdrvNtErrorInfoCleanupProcess(hNewPid);
3406 }
3407}
3408
3409
3410/**
3411 * New style callback (Vista SP1+ / w2k8).
3412 *
3413 * @param pNewProcess The new process.
3414 * @param hNewPid The PID of the new process.
3415 * @param pInfo Process creation details. NULL if process
3416 * termination notification.
3417 * @remarks ASSUMES this arrives before the handle creation callback.
3418 */
3419static VOID __stdcall
3420supdrvNtProtectCallback_ProcessCreateNotifyEx(PEPROCESS pNewProcess, HANDLE hNewPid, PPS_CREATE_NOTIFY_INFO pInfo)
3421{
3422 RT_NOREF1(pNewProcess);
3423
3424 /*
3425 * Is it a new process that needs protection?
3426 */
3427 if (pInfo)
3428 {
3429 PSUPDRVNTPROTECT pNtStub = supdrvNtProtectLookup(pInfo->CreatingThreadId.UniqueProcess);
3430
3431 Log(("vboxdrv/NewProcessEx: ctx=%04zx/%p pid=%04zx ppid=%04zx ctor=%04zx/%04zx rcNt=%#x %.*ls\n",
3432 PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3433 hNewPid, pInfo->ParentProcessId,
3434 pInfo->CreatingThreadId.UniqueProcess, pInfo->CreatingThreadId.UniqueThread, pInfo->CreationStatus,
3435 pInfo->FileOpenNameAvailable && pInfo->ImageFileName ? (size_t)pInfo->ImageFileName->Length / 2 : 0,
3436 pInfo->FileOpenNameAvailable && pInfo->ImageFileName ? pInfo->ImageFileName->Buffer : NULL));
3437
3438 if (pNtStub)
3439 {
3440 PSUPDRVNTPROTECT pNtVm = supdrvNtProtectLookup(hNewPid);
3441 if (!pNtVm)
3442 {
3443 /* Parent must be creator. */
3444 if (pInfo->CreatingThreadId.UniqueProcess == pInfo->ParentProcessId)
3445 {
3446 if (supdrvNtProtectIsSpawningStubProcess(pNtStub, pInfo->ParentProcessId, hNewPid))
3447 supdrvNtProtectProtectNewStubChild(pNtStub, hNewPid);
3448 }
3449 }
3450 else
3451 {
3452 /* Parent must be creator (as above). */
3453 supdrvNtProtectVerifyNewChildProtection(pNtStub, pNtVm,
3454 pInfo->CreatingThreadId.UniqueProcess == pInfo->ParentProcessId);
3455 supdrvNtProtectRelease(pNtVm);
3456 }
3457 supdrvNtProtectRelease(pNtStub);
3458 }
3459 }
3460 /*
3461 * Process termination, do clean ups.
3462 */
3463 else
3464 {
3465 supdrvNtProtectUnprotectDeadProcess(hNewPid);
3466 supdrvNtErrorInfoCleanupProcess(hNewPid);
3467 }
3468}
3469
3470/** @} */
3471
3472
3473/** @name Process Handle Callbacks.
3474 * @{ */
3475
3476/** Process rights that we allow for handles to stub and VM processes. */
3477# define SUPDRV_NT_ALLOW_PROCESS_RIGHTS \
3478 ( PROCESS_TERMINATE \
3479 | PROCESS_VM_READ \
3480 | PROCESS_QUERY_INFORMATION \
3481 | PROCESS_QUERY_LIMITED_INFORMATION \
3482 | PROCESS_SUSPEND_RESUME \
3483 | DELETE \
3484 | READ_CONTROL \
3485 | SYNCHRONIZE)
3486
3487/** Evil process rights. */
3488# define SUPDRV_NT_EVIL_PROCESS_RIGHTS \
3489 ( PROCESS_CREATE_THREAD \
3490 | PROCESS_SET_SESSIONID /*?*/ \
3491 | PROCESS_VM_OPERATION \
3492 | PROCESS_VM_WRITE \
3493 | PROCESS_DUP_HANDLE \
3494 | PROCESS_CREATE_PROCESS /*?*/ \
3495 | PROCESS_SET_QUOTA /*?*/ \
3496 | PROCESS_SET_INFORMATION \
3497 | PROCESS_SET_LIMITED_INFORMATION /*?*/ \
3498 | 0)
3499AssertCompile((SUPDRV_NT_ALLOW_PROCESS_RIGHTS & SUPDRV_NT_EVIL_PROCESS_RIGHTS) == 0);
3500
3501
3502static OB_PREOP_CALLBACK_STATUS __stdcall
3503supdrvNtProtectCallback_ProcessHandlePre(PVOID pvUser, POB_PRE_OPERATION_INFORMATION pOpInfo)
3504{
3505 Assert(pvUser == NULL); RT_NOREF1(pvUser);
3506 Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE || pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
3507 Assert(pOpInfo->ObjectType == *PsProcessType);
3508
3509 /*
3510 * Protected? Kludge required for NtOpenProcess calls comming in before
3511 * the create process hook triggers on Windows 8.1 (possibly others too).
3512 */
3513 HANDLE hObjPid = PsGetProcessId((PEPROCESS)pOpInfo->Object);
3514 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(hObjPid);
3515 if (!pNtProtect)
3516 {
3517 HANDLE hParentPid = PsGetProcessInheritedFromUniqueProcessId((PEPROCESS)pOpInfo->Object);
3518 PSUPDRVNTPROTECT pNtStub = supdrvNtProtectLookup(hParentPid);
3519 if (pNtStub)
3520 {
3521 if (supdrvNtProtectIsSpawningStubProcess(pNtStub, hParentPid, hObjPid))
3522 {
3523 supdrvNtProtectProtectNewStubChild(pNtStub, hObjPid);
3524 pNtProtect = supdrvNtProtectLookup(hObjPid);
3525 }
3526 supdrvNtProtectRelease(pNtStub);
3527 }
3528 }
3529 pOpInfo->CallContext = pNtProtect; /* Just for reference. */
3530 if (pNtProtect)
3531 {
3532 /*
3533 * Ok, it's a protected process. Strip rights as required or possible.
3534 */
3535 static ACCESS_MASK const s_fCsrssStupidDesires = 0x1fffff;
3536 ACCESS_MASK fAllowedRights = SUPDRV_NT_ALLOW_PROCESS_RIGHTS;
3537
3538 if (pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE)
3539 {
3540 /* Don't restrict the process accessing itself. */
3541 if ((PEPROCESS)pOpInfo->Object == PsGetCurrentProcess())
3542 {
3543 pOpInfo->CallContext = NULL; /* don't assert */
3544 pNtProtect->fFirstProcessCreateHandle = false;
3545
3546 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p wants %#x to %p in pid=%04zx [%d] %s\n",
3547 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3548 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
3549 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3550 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3551 }
3552#ifdef VBOX_WITHOUT_DEBUGGER_CHECKS
3553 /* Allow debuggers full access. */
3554 else if (supdrvNtProtectIsWhitelistedDebugger(PsGetCurrentProcess()))
3555 {
3556 pOpInfo->CallContext = NULL; /* don't assert */
3557 pNtProtect->fFirstProcessCreateHandle = false;
3558
3559 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p wants %#x to %p in pid=%04zx [%d] %s [debugger]\n",
3560 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3561 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
3562 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3563 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3564 }
3565#endif
3566 else
3567 {
3568 ACCESS_MASK const fDesiredAccess = pOpInfo->Parameters->CreateHandleInformation.DesiredAccess;
3569
3570 /* Special case 1 on Vista, 7 & 8:
3571 The CreateProcess code passes the handle over to CSRSS.EXE
3572 and the code inBaseSrvCreateProcess will duplicate the
3573 handle with 0x1fffff as access mask. NtDuplicateObject will
3574 fail this call before it ever gets down here.
3575
3576 Special case 2 on 8.1:
3577 The CreateProcess code requires additional rights for
3578 something, we'll drop these in the stub code. */
3579 if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3580 && pNtProtect->fFirstProcessCreateHandle
3581 && pOpInfo->KernelHandle == 0
3582 && pNtProtect->hParentPid == PsGetProcessId(PsGetCurrentProcess())
3583 && ExGetPreviousMode() != KernelMode)
3584 {
3585 if ( !pOpInfo->KernelHandle
3586 && fDesiredAccess == s_fCsrssStupidDesires)
3587 {
3588 if (g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3))
3589 fAllowedRights |= s_fCsrssStupidDesires;
3590 else
3591 fAllowedRights = fAllowedRights
3592 | PROCESS_VM_OPERATION
3593 | PROCESS_VM_WRITE
3594 | PROCESS_SET_INFORMATION
3595 | PROCESS_SET_LIMITED_INFORMATION
3596 | 0;
3597 pOpInfo->CallContext = NULL; /* don't assert this. */
3598 }
3599 pNtProtect->fFirstProcessCreateHandle = false;
3600 }
3601
3602 /* Special case 3 on 8.1:
3603 The interaction between the CreateProcess code and CSRSS.EXE
3604 has changed to the better with Windows 8.1. CSRSS.EXE no
3605 longer duplicates the process (thread too) handle, but opens
3606 it, thus allowing us to do our job. */
3607 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3)
3608 && pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3609 && pNtProtect->fCsrssFirstProcessCreateHandle
3610 && pOpInfo->KernelHandle == 0
3611 && ExGetPreviousMode() == UserMode
3612 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3613 {
3614 pNtProtect->fCsrssFirstProcessCreateHandle = false;
3615 if (fDesiredAccess == s_fCsrssStupidDesires)
3616 {
3617 /* Not needed: PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID,
3618 PROCESS_CREATE_PROCESS */
3619 fAllowedRights = fAllowedRights
3620 | PROCESS_VM_OPERATION
3621 | PROCESS_VM_WRITE
3622 | PROCESS_DUP_HANDLE /* Needed for CreateProcess/VBoxTestOGL. */
3623 | 0;
3624 pOpInfo->CallContext = NULL; /* don't assert this. */
3625 }
3626 }
3627
3628 /* Special case 4, Windows 7, Vista, possibly 8, but not 8.1:
3629 The Themes service requires PROCESS_DUP_HANDLE access to our
3630 process or we won't get any menus and dialogs will be half
3631 unreadable. This is _very_ unfortunate and more work will
3632 go into making this more secure. */
3633 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)
3634 && g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)
3635 && fDesiredAccess == 0x1478 /* 6.1.7600.16385 (win7_rtm.090713-1255) */
3636 && pNtProtect->fThemesFirstProcessCreateHandle
3637 && pOpInfo->KernelHandle == 0
3638 && ExGetPreviousMode() == UserMode
3639 && supdrvNtProtectIsFrigginThemesService(pNtProtect, PsGetCurrentProcess()) )
3640 {
3641 pNtProtect->fThemesFirstProcessCreateHandle = true; /* Only once! */
3642 fAllowedRights |= PROCESS_DUP_HANDLE;
3643 pOpInfo->CallContext = NULL; /* don't assert this. */
3644 }
3645
3646 /* Special case 6a, Windows 10+: AudioDG.exe opens the process with the
3647 PROCESS_SET_LIMITED_INFORMATION right. It seems like it need it for
3648 some myserious and weirdly placed cpu set management of our process.
3649 I'd love to understand what that's all about...
3650 Currently playing safe and only grand this right, however limited, to
3651 audiodg.exe. */
3652 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0)
3653 && ( fDesiredAccess == PROCESS_SET_LIMITED_INFORMATION
3654 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* expected fix #1 */
3655 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION) /* expected fix #2 */
3656 )
3657 && pOpInfo->KernelHandle == 0
3658 && ExGetPreviousMode() == UserMode
3659 && supdrvNtProtectIsSystem32ProcessMatch(PsGetCurrentProcess(), "audiodg.exe") )
3660 {
3661 fAllowedRights |= PROCESS_SET_LIMITED_INFORMATION;
3662 pOpInfo->CallContext = NULL; /* don't assert this. */
3663 }
3664
3665 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p wants %#x to %p/pid=%04zx [%d], allow %#x => %#x; %s [prev=%#x]\n",
3666 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3667 fDesiredAccess, pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3668 fAllowedRights, fDesiredAccess & fAllowedRights,
3669 PsGetProcessImageFileName(PsGetCurrentProcess()), ExGetPreviousMode() ));
3670
3671 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess &= fAllowedRights;
3672 }
3673 }
3674 else
3675 {
3676 /* Don't restrict the process accessing itself. */
3677 if ( (PEPROCESS)pOpInfo->Object == PsGetCurrentProcess()
3678 && pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == pOpInfo->Object)
3679 {
3680 Log(("vboxdrv/ProcessHandlePre: ctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] %s\n",
3681 PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3682 pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
3683 PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
3684 pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
3685 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
3686 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3687 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3688
3689 pOpInfo->CallContext = NULL; /* don't assert */
3690 }
3691 else
3692 {
3693 ACCESS_MASK const fDesiredAccess = pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess;
3694
3695 /* Special case 5 on Vista, 7 & 8:
3696 This is the CSRSS.EXE end of special case #1. */
3697 if ( g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3)
3698 && pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3699 && pNtProtect->cCsrssFirstProcessDuplicateHandle > 0
3700 && pOpInfo->KernelHandle == 0
3701 && fDesiredAccess == s_fCsrssStupidDesires
3702 && pNtProtect->hParentPid
3703 == PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess)
3704 && pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == PsGetCurrentProcess()
3705 && ExGetPreviousMode() == UserMode
3706 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()))
3707 {
3708 if (ASMAtomicDecS32(&pNtProtect->cCsrssFirstProcessDuplicateHandle) >= 0)
3709 {
3710 /* Not needed: PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID,
3711 PROCESS_CREATE_PROCESS, PROCESS_DUP_HANDLE */
3712 fAllowedRights = fAllowedRights
3713 | PROCESS_VM_OPERATION
3714 | PROCESS_VM_WRITE
3715 | PROCESS_DUP_HANDLE /* Needed for launching VBoxTestOGL. */
3716 | 0;
3717 pOpInfo->CallContext = NULL; /* don't assert this. */
3718 }
3719 }
3720
3721 /* Special case 6b, Windows 10+: AudioDG.exe duplicates the handle it opened above. */
3722 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(10, 0)
3723 && ( fDesiredAccess == PROCESS_SET_LIMITED_INFORMATION
3724 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) /* expected fix #1 */
3725 || fDesiredAccess == (PROCESS_SET_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION) /* expected fix #2 */
3726 )
3727 && pOpInfo->KernelHandle == 0
3728 && ExGetPreviousMode() == UserMode
3729 && supdrvNtProtectIsSystem32ProcessMatch(PsGetCurrentProcess(), "audiodg.exe") )
3730 {
3731 fAllowedRights |= PROCESS_SET_LIMITED_INFORMATION;
3732 pOpInfo->CallContext = NULL; /* don't assert this. */
3733 }
3734
3735 Log(("vboxdrv/ProcessHandlePre: %sctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] %s\n",
3736 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3737 pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
3738 PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
3739 pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
3740 fDesiredAccess,
3741 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3742 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3743
3744 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess &= fAllowedRights;
3745 }
3746 }
3747 supdrvNtProtectRelease(pNtProtect);
3748 }
3749
3750 return OB_PREOP_SUCCESS;
3751}
3752
3753
3754static VOID __stdcall
3755supdrvNtProtectCallback_ProcessHandlePost(PVOID pvUser, POB_POST_OPERATION_INFORMATION pOpInfo)
3756{
3757 Assert(pvUser == NULL); RT_NOREF1(pvUser);
3758 Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE || pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
3759 Assert(pOpInfo->ObjectType == *PsProcessType);
3760
3761 if ( pOpInfo->CallContext
3762 && NT_SUCCESS(pOpInfo->ReturnStatus))
3763 {
3764 ACCESS_MASK const fGrantedAccess = pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE
3765 ? pOpInfo->Parameters->CreateHandleInformation.GrantedAccess
3766 : pOpInfo->Parameters->DuplicateHandleInformation.GrantedAccess;
3767 AssertReleaseMsg( !(fGrantedAccess & ~( SUPDRV_NT_ALLOW_PROCESS_RIGHTS
3768 | WRITE_OWNER | WRITE_DAC /* these two might be forced upon us */
3769 | PROCESS_UNKNOWN_4000 /* Seen set on win 8.1 */
3770 /*| PROCESS_UNKNOWN_8000 */ ) )
3771 || pOpInfo->KernelHandle,
3772 ("GrantedAccess=%#x - we allow %#x - we did not allow %#x\n",
3773 fGrantedAccess, SUPDRV_NT_ALLOW_PROCESS_RIGHTS, fGrantedAccess & ~SUPDRV_NT_ALLOW_PROCESS_RIGHTS));
3774 }
3775}
3776
3777# undef SUPDRV_NT_ALLOW_PROCESS_RIGHTS
3778
3779/** @} */
3780
3781
3782/** @name Thread Handle Callbacks
3783 * @{ */
3784
3785/* From ntifs.h */
3786extern "C" NTKERNELAPI PEPROCESS __stdcall IoThreadToProcess(PETHREAD);
3787
3788/** Thread rights that we allow for handles to stub and VM processes. */
3789# define SUPDRV_NT_ALLOWED_THREAD_RIGHTS \
3790 ( THREAD_TERMINATE \
3791 | THREAD_GET_CONTEXT \
3792 | THREAD_QUERY_INFORMATION \
3793 | THREAD_QUERY_LIMITED_INFORMATION \
3794 | DELETE \
3795 | READ_CONTROL \
3796 | SYNCHRONIZE)
3797/** @todo consider THREAD_SET_LIMITED_INFORMATION & THREAD_RESUME */
3798
3799/** Evil thread rights.
3800 * @remarks THREAD_RESUME is not included as it seems to be forced upon us by
3801 * Windows 8.1, at least for some processes. We dont' actively
3802 * allow it though, just tollerate it when forced to. */
3803# define SUPDRV_NT_EVIL_THREAD_RIGHTS \
3804 ( THREAD_SUSPEND_RESUME \
3805 | THREAD_SET_CONTEXT \
3806 | THREAD_SET_INFORMATION \
3807 | THREAD_SET_LIMITED_INFORMATION /*?*/ \
3808 | THREAD_SET_THREAD_TOKEN /*?*/ \
3809 | THREAD_IMPERSONATE /*?*/ \
3810 | THREAD_DIRECT_IMPERSONATION /*?*/ \
3811 /*| THREAD_RESUME - see remarks. */ \
3812 | 0)
3813AssertCompile((SUPDRV_NT_EVIL_THREAD_RIGHTS & SUPDRV_NT_ALLOWED_THREAD_RIGHTS) == 0);
3814
3815
3816static OB_PREOP_CALLBACK_STATUS __stdcall
3817supdrvNtProtectCallback_ThreadHandlePre(PVOID pvUser, POB_PRE_OPERATION_INFORMATION pOpInfo)
3818{
3819 Assert(pvUser == NULL); RT_NOREF1(pvUser);
3820 Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE || pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
3821 Assert(pOpInfo->ObjectType == *PsThreadType);
3822
3823 PEPROCESS pProcess = IoThreadToProcess((PETHREAD)pOpInfo->Object);
3824 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(PsGetProcessId(pProcess));
3825 pOpInfo->CallContext = pNtProtect; /* Just for reference. */
3826 if (pNtProtect)
3827 {
3828 static ACCESS_MASK const s_fCsrssStupidDesires = 0x1fffff;
3829 ACCESS_MASK fAllowedRights = SUPDRV_NT_ALLOWED_THREAD_RIGHTS;
3830
3831 if (pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE)
3832 {
3833 /* Don't restrict the process accessing its own threads. */
3834 if (pProcess == PsGetCurrentProcess())
3835 {
3836 Log(("vboxdrv/ThreadHandlePre: %sctx=%04zx/%p wants %#x to %p in pid=%04zx [%d] self\n",
3837 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3838 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
3839 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind));
3840 pOpInfo->CallContext = NULL; /* don't assert */
3841 pNtProtect->fFirstThreadCreateHandle = false;
3842 }
3843#ifdef VBOX_WITHOUT_DEBUGGER_CHECKS
3844 /* Allow debuggers full access. */
3845 else if (supdrvNtProtectIsWhitelistedDebugger(PsGetCurrentProcess()))
3846 {
3847 Log(("vboxdrv/ThreadHandlePre: %sctx=%04zx/%p wants %#x to %p in pid=%04zx [%d] %s [debugger]\n",
3848 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3849 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
3850 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3851 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3852 pOpInfo->CallContext = NULL; /* don't assert */
3853 }
3854#endif
3855 else
3856 {
3857 /* Special case 1 on Vista, 7, 8:
3858 The CreateProcess code passes the handle over to CSRSS.EXE
3859 and the code inBaseSrvCreateProcess will duplicate the
3860 handle with 0x1fffff as access mask. NtDuplicateObject will
3861 fail this call before it ever gets down here. */
3862 if ( g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 3)
3863 && pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3864 && pNtProtect->fFirstThreadCreateHandle
3865 && pOpInfo->KernelHandle == 0
3866 && ExGetPreviousMode() == UserMode
3867 && pNtProtect->hParentPid == PsGetProcessId(PsGetCurrentProcess()) )
3868 {
3869 if ( !pOpInfo->KernelHandle
3870 && pOpInfo->Parameters->CreateHandleInformation.DesiredAccess == s_fCsrssStupidDesires)
3871 {
3872 fAllowedRights |= s_fCsrssStupidDesires;
3873 pOpInfo->CallContext = NULL; /* don't assert this. */
3874 }
3875 pNtProtect->fFirstThreadCreateHandle = false;
3876 }
3877
3878 /* Special case 2 on 8.1, possibly also Vista, 7, 8:
3879 When creating a process like VBoxTestOGL from the VM process,
3880 CSRSS.EXE will try talk to the calling thread and, it
3881 appears, impersonate it. We unfortunately need to allow
3882 this or there will be no 3D support. Typical DbgPrint:
3883 "SXS: BasepCreateActCtx() Calling csrss server failed. Status = 0xc00000a5" */
3884 SUPDRVNTPROTECTKIND enmProcessKind;
3885 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 0, 0, 0)
3886 && ( (enmProcessKind = pNtProtect->enmProcessKind) == kSupDrvNtProtectKind_VmProcessConfirmed
3887 || enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3888 && pOpInfo->KernelHandle == 0
3889 && ExGetPreviousMode() == UserMode
3890 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3891 {
3892 fAllowedRights |= THREAD_IMPERSONATE;
3893 fAllowedRights |= THREAD_DIRECT_IMPERSONATION;
3894 //fAllowedRights |= THREAD_SET_LIMITED_INFORMATION; - try without this one
3895 pOpInfo->CallContext = NULL; /* don't assert this. */
3896 }
3897
3898 Log(("vboxdrv/ThreadHandlePre: %sctx=%04zx/%p wants %#x to %p in pid=%04zx [%d], allow %#x => %#x; %s [prev=%#x]\n",
3899 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3900 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess,
3901 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3902 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess & fAllowedRights,
3903 PsGetProcessImageFileName(PsGetCurrentProcess()), ExGetPreviousMode()));
3904
3905 pOpInfo->Parameters->CreateHandleInformation.DesiredAccess &= fAllowedRights;
3906 }
3907 }
3908 else
3909 {
3910 /* Don't restrict the process accessing its own threads. */
3911 if ( pProcess == PsGetCurrentProcess()
3912 && (PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == pProcess)
3913 {
3914 Log(("vboxdrv/ThreadHandlePre: %sctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d] self\n",
3915 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3916 pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
3917 PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
3918 pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
3919 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
3920 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3921 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3922 pOpInfo->CallContext = NULL; /* don't assert */
3923 }
3924 else
3925 {
3926 /* Special case 3 on Vista, 7, 8:
3927 This is the follow up to special case 1. */
3928 SUPDRVNTPROTECTKIND enmProcessKind;
3929 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 0, 0, 0)
3930 && ( (enmProcessKind = pNtProtect->enmProcessKind) == kSupDrvNtProtectKind_VmProcessConfirmed
3931 || enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3932 && pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess == PsGetCurrentProcess()
3933 && pOpInfo->KernelHandle == 0
3934 && ExGetPreviousMode() == UserMode
3935 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3936 {
3937 fAllowedRights |= THREAD_IMPERSONATE;
3938 fAllowedRights |= THREAD_DIRECT_IMPERSONATION;
3939 //fAllowedRights |= THREAD_SET_LIMITED_INFORMATION; - try without this one
3940 pOpInfo->CallContext = NULL; /* don't assert this. */
3941 }
3942
3943 Log(("vboxdrv/ThreadHandlePre: %sctx=%04zx/%p[%p] dup from %04zx/%p with %#x to %p in pid=%04zx [%d], allow %#x => %#x; %s\n",
3944 pOpInfo->KernelHandle ? "k" : "", PsGetProcessId(PsGetCurrentProcess()), PsGetCurrentProcess(),
3945 pOpInfo->Parameters->DuplicateHandleInformation.TargetProcess,
3946 PsGetProcessId((PEPROCESS)pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess),
3947 pOpInfo->Parameters->DuplicateHandleInformation.SourceProcess,
3948 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess,
3949 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3950 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess & fAllowedRights,
3951 PsGetProcessImageFileName(PsGetCurrentProcess()) ));
3952
3953 pOpInfo->Parameters->DuplicateHandleInformation.DesiredAccess &= fAllowedRights;
3954 }
3955 }
3956
3957 supdrvNtProtectRelease(pNtProtect);
3958 }
3959
3960 return OB_PREOP_SUCCESS;
3961}
3962
3963
3964static VOID __stdcall
3965supdrvNtProtectCallback_ThreadHandlePost(PVOID pvUser, POB_POST_OPERATION_INFORMATION pOpInfo)
3966{
3967 Assert(pvUser == NULL); RT_NOREF1(pvUser);
3968 Assert(pOpInfo->Operation == OB_OPERATION_HANDLE_CREATE || pOpInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE);
3969 Assert(pOpInfo->ObjectType == *PsThreadType);
3970
3971 if ( pOpInfo->CallContext
3972 && NT_SUCCESS(pOpInfo->ReturnStatus))
3973 {
3974 ACCESS_MASK const fGrantedAccess = pOpInfo->Parameters->CreateHandleInformation.GrantedAccess;
3975 AssertReleaseMsg( !(fGrantedAccess & ~( SUPDRV_NT_ALLOWED_THREAD_RIGHTS
3976 | WRITE_OWNER | WRITE_DAC /* these two might be forced upon us */
3977 | THREAD_RESUME /* This seems to be force upon us too with 8.1. */
3978 ) )
3979 || pOpInfo->KernelHandle,
3980 ("GrantedAccess=%#x - we allow %#x - we did not allow %#x\n",
3981 fGrantedAccess, SUPDRV_NT_ALLOWED_THREAD_RIGHTS, fGrantedAccess & ~SUPDRV_NT_ALLOWED_THREAD_RIGHTS));
3982 }
3983}
3984
3985# undef SUPDRV_NT_ALLOWED_THREAD_RIGHTS
3986
3987/** @} */
3988
3989
3990/**
3991 * Creates a new process protection structure.
3992 *
3993 * @returns VBox status code.
3994 * @param ppNtProtect Where to return the pointer to the structure
3995 * on success.
3996 * @param hPid The process ID of the process to protect.
3997 * @param enmProcessKind The kind of process we're protecting.
3998 * @param fLink Whether to link the structure into the tree.
3999 */
4000static int supdrvNtProtectCreate(PSUPDRVNTPROTECT *ppNtProtect, HANDLE hPid, SUPDRVNTPROTECTKIND enmProcessKind, bool fLink)
4001{
4002 AssertReturn(g_hNtProtectLock != NIL_RTSPINLOCK, VERR_WRONG_ORDER);
4003
4004 PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)RTMemAllocZ(sizeof(*pNtProtect));
4005 if (!pNtProtect)
4006 return VERR_NO_MEMORY;
4007
4008 pNtProtect->AvlCore.Key = hPid;
4009 pNtProtect->u32Magic = SUPDRVNTPROTECT_MAGIC;
4010 pNtProtect->cRefs = 1;
4011 pNtProtect->enmProcessKind = enmProcessKind;
4012 pNtProtect->hParentPid = NULL;
4013 pNtProtect->hOpenTid = NULL;
4014 pNtProtect->hCsrssPid = NULL;
4015 pNtProtect->pCsrssProcess = NULL;
4016
4017 if (fLink)
4018 {
4019 RTSpinlockAcquire(g_hNtProtectLock);
4020 bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtProtect->AvlCore);
4021 pNtProtect->fInTree = fSuccess;
4022 RTSpinlockRelease(g_hNtProtectLock);
4023
4024 if (!fSuccess)
4025 {
4026 /* Duplicate entry, fail. */
4027 pNtProtect->u32Magic = SUPDRVNTPROTECT_MAGIC_DEAD;
4028 LogRel(("supdrvNtProtectCreate: Duplicate (%#x).\n", pNtProtect->AvlCore.Key));
4029 RTMemFree(pNtProtect);
4030 return VERR_DUPLICATE;
4031 }
4032 }
4033
4034 *ppNtProtect = pNtProtect;
4035 return VINF_SUCCESS;
4036}
4037
4038
4039/**
4040 * Releases a reference to a NT protection structure.
4041 *
4042 * @param pNtProtect The NT protection structure.
4043 */
4044static void supdrvNtProtectRelease(PSUPDRVNTPROTECT pNtProtect)
4045{
4046 if (!pNtProtect)
4047 return;
4048 AssertReturnVoid(pNtProtect->u32Magic == SUPDRVNTPROTECT_MAGIC);
4049
4050 RTSpinlockAcquire(g_hNtProtectLock);
4051 uint32_t cRefs = ASMAtomicDecU32(&pNtProtect->cRefs);
4052 if (cRefs != 0)
4053 RTSpinlockRelease(g_hNtProtectLock);
4054 else
4055 {
4056 /*
4057 * That was the last reference. Remove it from the tree, invalidate it
4058 * and free the resources associated with it. Also, release any
4059 * child/parent references related to this protection structure.
4060 */
4061 ASMAtomicWriteU32(&pNtProtect->u32Magic, SUPDRVNTPROTECT_MAGIC_DEAD);
4062 if (pNtProtect->fInTree)
4063 {
4064 PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key);
4065 Assert(pRemoved == pNtProtect); RT_NOREF_PV(pRemoved);
4066 pNtProtect->fInTree = false;
4067 }
4068
4069 PSUPDRVNTPROTECT pChild = NULL;
4070 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent)
4071 {
4072 pChild = pNtProtect->u.pChild;
4073 if (pChild)
4074 {
4075 pNtProtect->u.pChild = NULL;
4076 pChild->u.pParent = NULL;
4077 pChild->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
4078 uint32_t cChildRefs = ASMAtomicDecU32(&pChild->cRefs);
4079 if (!cChildRefs)
4080 {
4081 Assert(pChild->fInTree);
4082 if (pChild->fInTree)
4083 {
4084 PSUPDRVNTPROTECT pRemovedChild = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pChild->AvlCore.Key);
4085 Assert(pRemovedChild == pChild); RT_NOREF_PV(pRemovedChild);
4086 pChild->fInTree = false;
4087 }
4088 }
4089 else
4090 pChild = NULL;
4091 }
4092 }
4093 else
4094 AssertRelease(pNtProtect->enmProcessKind != kSupDrvNtProtectKind_VmProcessUnconfirmed);
4095
4096 RTSpinlockRelease(g_hNtProtectLock);
4097
4098 if (pNtProtect->pCsrssProcess)
4099 {
4100 ObDereferenceObject(pNtProtect->pCsrssProcess);
4101 pNtProtect->pCsrssProcess = NULL;
4102 }
4103
4104 RTMemFree(pNtProtect);
4105 if (pChild)
4106 RTMemFree(pChild);
4107 }
4108}
4109
4110
4111/**
4112 * Looks up a PID in the NT protect tree.
4113 *
4114 * @returns Pointer to a NT protection structure (with a referenced) on success,
4115 * NULL if not found.
4116 * @param hPid The process ID.
4117 */
4118static PSUPDRVNTPROTECT supdrvNtProtectLookup(HANDLE hPid)
4119{
4120 RTSpinlockAcquire(g_hNtProtectLock);
4121 PSUPDRVNTPROTECT pFound = (PSUPDRVNTPROTECT)RTAvlPVGet(&g_NtProtectTree, hPid);
4122 if (pFound)
4123 ASMAtomicIncU32(&pFound->cRefs);
4124 RTSpinlockRelease(g_hNtProtectLock);
4125 return pFound;
4126}
4127
4128
4129/**
4130 * Validates a few facts about the stub process when the VM process opens
4131 * vboxdrv.
4132 *
4133 * This makes sure the stub process is still around and that it has neither
4134 * debugger nor extra threads in it.
4135 *
4136 * @returns VBox status code.
4137 * @param pNtProtect The unconfirmed VM process currently trying to
4138 * open vboxdrv.
4139 * @param pErrInfo Additional error information.
4140 */
4141static int supdrvNtProtectVerifyStubForVmProcess(PSUPDRVNTPROTECT pNtProtect, PRTERRINFO pErrInfo)
4142{
4143 /*
4144 * Grab a reference to the parent stub process.
4145 */
4146 SUPDRVNTPROTECTKIND enmStub = kSupDrvNtProtectKind_Invalid;
4147 PSUPDRVNTPROTECT pNtStub = NULL;
4148 RTSpinlockAcquire(g_hNtProtectLock);
4149 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
4150 {
4151 pNtStub = pNtProtect->u.pParent; /* weak reference. */
4152 if (pNtStub)
4153 {
4154 enmStub = pNtStub->enmProcessKind;
4155 if (enmStub == kSupDrvNtProtectKind_StubParent)
4156 {
4157 uint32_t cRefs = ASMAtomicIncU32(&pNtStub->cRefs);
4158 Assert(cRefs > 0 && cRefs < 1024); RT_NOREF_PV(cRefs);
4159 }
4160 else
4161 pNtStub = NULL;
4162 }
4163 }
4164 RTSpinlockRelease(g_hNtProtectLock);
4165
4166 /*
4167 * We require the stub process to be present.
4168 */
4169 if (!pNtStub)
4170 return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_NOT_FOUND, "Missing stub process (enmStub=%d).", enmStub);
4171
4172 /*
4173 * Open the parent process and thread so we can check for debuggers and unwanted threads.
4174 */
4175 int rc;
4176 PEPROCESS pStubProcess;
4177 NTSTATUS rcNt = PsLookupProcessByProcessId(pNtStub->AvlCore.Key, &pStubProcess);
4178 if (NT_SUCCESS(rcNt))
4179 {
4180 HANDLE hStubProcess;
4181 rcNt = ObOpenObjectByPointer(pStubProcess, OBJ_KERNEL_HANDLE, NULL /*PassedAccessState*/,
4182 0 /*DesiredAccess*/, *PsProcessType, KernelMode, &hStubProcess);
4183 if (NT_SUCCESS(rcNt))
4184 {
4185 PETHREAD pStubThread;
4186 rcNt = PsLookupThreadByThreadId(pNtStub->hOpenTid, &pStubThread);
4187 if (NT_SUCCESS(rcNt))
4188 {
4189 HANDLE hStubThread;
4190 rcNt = ObOpenObjectByPointer(pStubThread, OBJ_KERNEL_HANDLE, NULL /*PassedAccessState*/,
4191 0 /*DesiredAccess*/, *PsThreadType, KernelMode, &hStubThread);
4192 if (NT_SUCCESS(rcNt))
4193 {
4194 /*
4195 * Do some simple sanity checking.
4196 */
4197 rc = supHardNtVpDebugger(hStubProcess, pErrInfo);
4198 if (RT_SUCCESS(rc))
4199 rc = supHardNtVpThread(hStubProcess, hStubThread, pErrInfo);
4200
4201 /* Clean up. */
4202 rcNt = NtClose(hStubThread); AssertMsg(NT_SUCCESS(rcNt), ("%#x\n", rcNt));
4203 }
4204 else
4205 rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_THREAD_OPEN_ERROR,
4206 "Error opening stub thread %p (tid %p, pid %p): %#x",
4207 pStubThread, pNtStub->hOpenTid, pNtStub->AvlCore.Key, rcNt);
4208 }
4209 else
4210 rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_THREAD_NOT_FOUND,
4211 "Failed to locate thread %p in %p: %#x", pNtStub->hOpenTid, pNtStub->AvlCore.Key, rcNt);
4212 rcNt = NtClose(hStubProcess); AssertMsg(NT_SUCCESS(rcNt), ("%#x\n", rcNt));
4213 }
4214 else
4215 rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_OPEN_ERROR,
4216 "Error opening stub process %p (pid %p): %#x", pStubProcess, pNtStub->AvlCore.Key, rcNt);
4217 ObDereferenceObject(pStubProcess);
4218 }
4219 else
4220 rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_STUB_NOT_FOUND,
4221 "Failed to locate stub process %p: %#x", pNtStub->AvlCore.Key, rcNt);
4222
4223 supdrvNtProtectRelease(pNtStub);
4224 return rc;
4225}
4226
4227
4228/**
4229 * Worker for supdrvNtProtectVerifyProcess that verifies the handles to a VM
4230 * process and its thread.
4231 *
4232 * @returns VBox status code.
4233 * @param pNtProtect The NT protect structure for getting information
4234 * about special processes.
4235 * @param pErrInfo Where to return additional error details.
4236 */
4237static int supdrvNtProtectRestrictHandlesToProcessAndThread(PSUPDRVNTPROTECT pNtProtect, PRTERRINFO pErrInfo)
4238{
4239 /*
4240 * What to protect.
4241 */
4242 PEPROCESS pProtectedProcess = PsGetCurrentProcess();
4243 HANDLE hProtectedPid = PsGetProcessId(pProtectedProcess);
4244 PETHREAD pProtectedThread = PsGetCurrentThread();
4245 AssertReturn(pNtProtect->AvlCore.Key == hProtectedPid, VERR_INTERNAL_ERROR_5);
4246
4247 /*
4248 * Take a snapshot of all the handles in the system.
4249 * Note! The 32 bytes on the size of to counteract the allocation header
4250 * that rtR0MemAllocEx slaps on everything.
4251 */
4252 uint32_t cbBuf = _256K - 32;
4253 uint8_t *pbBuf = (uint8_t *)RTMemAlloc(cbBuf);
4254 ULONG cbNeeded = cbBuf;
4255 NTSTATUS rcNt = NtQuerySystemInformation(SystemExtendedHandleInformation, pbBuf, cbBuf, &cbNeeded);
4256 if (!NT_SUCCESS(rcNt))
4257 {
4258 while ( rcNt == STATUS_INFO_LENGTH_MISMATCH
4259 && cbNeeded > cbBuf
4260 && cbBuf <= 32U*_1M)
4261 {
4262 cbBuf = RT_ALIGN_32(cbNeeded + _4K, _64K) - 32;
4263 RTMemFree(pbBuf);
4264 pbBuf = (uint8_t *)RTMemAlloc(cbBuf);
4265 if (!pbBuf)
4266 return RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "Error allocating %zu bytes for querying handles.", cbBuf);
4267 rcNt = NtQuerySystemInformation(SystemExtendedHandleInformation, pbBuf, cbBuf, &cbNeeded);
4268 }
4269 if (!NT_SUCCESS(rcNt))
4270 {
4271 RTMemFree(pbBuf);
4272 return RTErrInfoSetF(pErrInfo, RTErrConvertFromNtStatus(rcNt),
4273 "NtQuerySystemInformation/SystemExtendedHandleInformation failed: %#x\n", rcNt);
4274 }
4275 }
4276
4277 /*
4278 * Walk the information and look for handles to the two objects we're protecting.
4279 */
4280 int rc = VINF_SUCCESS;
4281# ifdef VBOX_WITHOUT_DEBUGGER_CHECKS
4282 HANDLE idLastDebugger = (HANDLE)~(uintptr_t)0;
4283# endif
4284
4285 uint32_t cCsrssProcessHandles = 0;
4286 uint32_t cSystemProcessHandles = 0;
4287 uint32_t cEvilProcessHandles = 0;
4288 uint32_t cBenignProcessHandles = 0;
4289
4290 uint32_t cCsrssThreadHandles = 0;
4291 uint32_t cEvilThreadHandles = 0;
4292 uint32_t cBenignThreadHandles = 0;
4293
4294 SYSTEM_HANDLE_INFORMATION_EX const *pInfo = (SYSTEM_HANDLE_INFORMATION_EX const *)pbBuf;
4295 ULONG_PTR i = pInfo->NumberOfHandles;
4296 AssertRelease(RT_OFFSETOF(SYSTEM_HANDLE_INFORMATION_EX, Handles[i]) == cbNeeded);
4297 while (i-- > 0)
4298 {
4299 const char *pszType;
4300 SYSTEM_HANDLE_ENTRY_INFO_EX const *pHandleInfo = &pInfo->Handles[i];
4301 if (pHandleInfo->Object == pProtectedProcess)
4302 {
4303 /* Handles within the protected process are fine. */
4304 if ( !(pHandleInfo->GrantedAccess & SUPDRV_NT_EVIL_PROCESS_RIGHTS)
4305 || pHandleInfo->UniqueProcessId == hProtectedPid)
4306 {
4307 cBenignProcessHandles++;
4308 continue;
4309 }
4310
4311 /* CSRSS is allowed to have one evil process handle.
4312 See the special cases in the hook code. */
4313 if ( cCsrssProcessHandles < 1
4314 && pHandleInfo->UniqueProcessId == pNtProtect->hCsrssPid)
4315 {
4316 cCsrssProcessHandles++;
4317 continue;
4318 }
4319
4320 /* The system process is allowed having two open process handle in
4321 Windows 8.1 and later, and one in earlier. This is probably a
4322 little overly paranoid as I think we can safely trust the
4323 system process... */
4324 if ( cSystemProcessHandles < (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 3) ? UINT32_C(2) : UINT32_C(1))
4325 && pHandleInfo->UniqueProcessId == PsGetProcessId(PsInitialSystemProcess))
4326 {
4327 cSystemProcessHandles++;
4328 continue;
4329 }
4330
4331 cEvilProcessHandles++;
4332 pszType = "process";
4333 }
4334 else if (pHandleInfo->Object == pProtectedThread)
4335 {
4336 /* Handles within the protected process is fine. */
4337 if ( !(pHandleInfo->GrantedAccess & SUPDRV_NT_EVIL_THREAD_RIGHTS)
4338 || pHandleInfo->UniqueProcessId == hProtectedPid)
4339 {
4340 cBenignThreadHandles++;
4341 continue;
4342 }
4343
4344 /* CSRSS is allowed to have one evil handle to the primary thread
4345 for LPC purposes. See the hook for special case. */
4346 if ( cCsrssThreadHandles < 1
4347 && pHandleInfo->UniqueProcessId == pNtProtect->hCsrssPid)
4348 {
4349 cCsrssThreadHandles++;
4350 continue;
4351 }
4352
4353 cEvilThreadHandles++;
4354 pszType = "thread";
4355 }
4356 else
4357 continue;
4358
4359# ifdef VBOX_WITHOUT_DEBUGGER_CHECKS
4360 /* Ignore whitelisted debuggers. */
4361 if (pHandleInfo->UniqueProcessId == idLastDebugger)
4362 continue;
4363 PEPROCESS pDbgProc;
4364 NTSTATUS rcNt = PsLookupProcessByProcessId(pHandleInfo->UniqueProcessId, &pDbgProc);
4365 if (NT_SUCCESS(rcNt))
4366 {
4367 bool fIsDebugger = supdrvNtProtectIsWhitelistedDebugger(pDbgProc);
4368 ObDereferenceObject(pDbgProc);
4369 if (fIsDebugger)
4370 {
4371 idLastDebugger = pHandleInfo->UniqueProcessId;
4372 continue;
4373 }
4374 }
4375# endif
4376
4377 /* Found evil handle. Currently ignoring on pre-Vista. */
4378# ifndef VBOX_WITH_VISTA_NO_SP
4379 if ( g_uNtVerCombined >= SUP_NT_VER_VISTA
4380# else
4381 if ( g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0)
4382# endif
4383 || g_pfnObRegisterCallbacks)
4384 {
4385 LogRel(("vboxdrv: Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s\n",
4386 pHandleInfo->UniqueProcessId, pHandleInfo->HandleValue,
4387 pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType));
4388 rc = RTErrInfoAddF(pErrInfo, VERR_SUPDRV_HARDENING_EVIL_HANDLE,
4389 *pErrInfo->pszMsg
4390 ? "\nFound evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s"
4391 : "Found evil handle to budding VM process: pid=%p h=%p acc=%#x attr=%#x type=%s",
4392 pHandleInfo->UniqueProcessId, pHandleInfo->HandleValue,
4393 pHandleInfo->GrantedAccess, pHandleInfo->HandleAttributes, pszType);
4394
4395 /* Try add the process name. */
4396 PEPROCESS pOffendingProcess;
4397 rcNt = PsLookupProcessByProcessId(pHandleInfo->UniqueProcessId, &pOffendingProcess);
4398 if (NT_SUCCESS(rcNt))
4399 {
4400 const char *pszName = (const char *)PsGetProcessImageFileName(pOffendingProcess);
4401 if (pszName && *pszName)
4402 rc = RTErrInfoAddF(pErrInfo, rc, " [%s]", pszName);
4403
4404 ObDereferenceObject(pOffendingProcess);
4405 }
4406 }
4407 }
4408
4409 RTMemFree(pbBuf);
4410 return rc;
4411}
4412
4413
4414/**
4415 * Checks if the current process checks out as a VM process stub.
4416 *
4417 * @returns VBox status code.
4418 * @param pNtProtect The NT protect structure. This is upgraded to a
4419 * final protection kind (state) on success.
4420 */
4421static int supdrvNtProtectVerifyProcess(PSUPDRVNTPROTECT pNtProtect)
4422{
4423 AssertReturn(PsGetProcessId(PsGetCurrentProcess()) == pNtProtect->AvlCore.Key, VERR_INTERNAL_ERROR_3);
4424
4425 /*
4426 * Do the verification. The handle restriction checks are only preformed
4427 * on VM processes.
4428 */
4429 int rc = VINF_SUCCESS;
4430 PSUPDRVNTERRORINFO pErrorInfo = (PSUPDRVNTERRORINFO)RTMemAllocZ(sizeof(*pErrorInfo));
4431 if (RT_SUCCESS(rc))
4432 {
4433 pErrorInfo->hProcessId = PsGetCurrentProcessId();
4434 pErrorInfo->hThreadId = PsGetCurrentThreadId();
4435 RTERRINFO ErrInfo;
4436 RTErrInfoInit(&ErrInfo, pErrorInfo->szErrorInfo, sizeof(pErrorInfo->szErrorInfo));
4437
4438 if (pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)
4439 rc = supdrvNtProtectRestrictHandlesToProcessAndThread(pNtProtect, &ErrInfo);
4440 if (RT_SUCCESS(rc))
4441 {
4442 rc = supHardenedWinVerifyProcess(NtCurrentProcess(), NtCurrentThread(), SUPHARDNTVPKIND_VERIFY_ONLY, 0 /*fFlags*/,
4443 NULL /*pcFixes*/, &ErrInfo);
4444 if (RT_SUCCESS(rc) && pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)
4445 rc = supdrvNtProtectVerifyStubForVmProcess(pNtProtect, &ErrInfo);
4446 }
4447 }
4448 else
4449 rc = VERR_NO_MEMORY;
4450
4451 /*
4452 * Upgrade and return.
4453 */
4454 HANDLE hOpenTid = PsGetCurrentThreadId();
4455 RTSpinlockAcquire(g_hNtProtectLock);
4456
4457 /* Stub process verficiation is pretty much straight forward. */
4458 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
4459 {
4460 pNtProtect->enmProcessKind = RT_SUCCESS(rc) ? kSupDrvNtProtectKind_StubSpawning : kSupDrvNtProtectKind_StubDead;
4461 pNtProtect->hOpenTid = hOpenTid;
4462 }
4463 /* The VM process verification is a little bit more complicated
4464 because we need to drop the parent process reference as well. */
4465 else if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
4466 {
4467 AssertRelease(pNtProtect->cRefs >= 2); /* Parent + Caller */
4468 PSUPDRVNTPROTECT pParent = pNtProtect->u.pParent;
4469 AssertRelease(pParent);
4470 AssertRelease(pParent->u.pParent == pNtProtect);
4471 AssertRelease(pParent->enmProcessKind == kSupDrvNtProtectKind_StubParent);
4472 pParent->u.pParent = NULL;
4473
4474 pNtProtect->u.pParent = NULL;
4475 ASMAtomicDecU32(&pNtProtect->cRefs);
4476
4477 if (RT_SUCCESS(rc))
4478 {
4479 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessConfirmed;
4480 pNtProtect->hOpenTid = hOpenTid;
4481 }
4482 else
4483 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
4484 }
4485
4486 /* Since the stub and VM processes are only supposed to have one thread,
4487 we're not supposed to be subject to any races from within the processes.
4488
4489 There is a race between VM process verification and the stub process
4490 exiting, though. We require the stub process to be alive until the new
4491 VM process has made it thru the validation. So, when the stub
4492 terminates the notification handler will change the state of both stub
4493 and VM process to dead.
4494
4495 Also, I'm not entirely certain where the process
4496 termination notification is triggered from, so that can theorically
4497 create a race in both cases. */
4498 else
4499 {
4500 AssertReleaseMsg( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubDead
4501 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessDead,
4502 ("enmProcessKind=%d rc=%Rrc\n", pNtProtect->enmProcessKind, rc));
4503 if (RT_SUCCESS(rc))
4504 rc = VERR_INVALID_STATE; /* There should be no races here. */
4505 }
4506
4507 RTSpinlockRelease(g_hNtProtectLock);
4508
4509 /*
4510 * Free error info on success, keep it on failure.
4511 */
4512 if (RT_SUCCESS(rc))
4513 RTMemFree(pErrorInfo);
4514 else if (pErrorInfo)
4515 {
4516 pErrorInfo->cchErrorInfo = (uint32_t)strlen(pErrorInfo->szErrorInfo);
4517 if (!pErrorInfo->cchErrorInfo)
4518 pErrorInfo->cchErrorInfo = (uint32_t)RTStrPrintf(pErrorInfo->szErrorInfo, sizeof(pErrorInfo->szErrorInfo),
4519 "supdrvNtProtectVerifyProcess: rc=%d", rc);
4520 RTLogWriteDebugger(pErrorInfo->szErrorInfo, pErrorInfo->cchErrorInfo);
4521
4522 int rc2 = RTSemMutexRequest(g_hErrorInfoLock, RT_INDEFINITE_WAIT);
4523 if (RT_SUCCESS(rc2))
4524 {
4525 pErrorInfo->uCreatedMsTs = RTTimeMilliTS();
4526
4527 /* Free old entries. */
4528 PSUPDRVNTERRORINFO pCur;
4529 while ( (pCur = RTListGetFirst(&g_ErrorInfoHead, SUPDRVNTERRORINFO, ListEntry)) != NULL
4530 && (int64_t)(pErrorInfo->uCreatedMsTs - pCur->uCreatedMsTs) > 60000 /*60sec*/)
4531 {
4532 RTListNodeRemove(&pCur->ListEntry);
4533 RTMemFree(pCur);
4534 }
4535
4536 /* Insert our new entry. */
4537 RTListAppend(&g_ErrorInfoHead, &pErrorInfo->ListEntry);
4538
4539 RTSemMutexRelease(g_hErrorInfoLock);
4540 }
4541 else
4542 RTMemFree(pErrorInfo);
4543 }
4544
4545 return rc;
4546}
4547
4548
4549# ifndef VBOX_WITHOUT_DEBUGGER_CHECKS
4550
4551/**
4552 * Checks if the current process is being debugged.
4553 * @return @c true if debugged, @c false if not.
4554 */
4555static bool supdrvNtIsDebuggerAttached(void)
4556{
4557 return PsIsProcessBeingDebugged(PsGetCurrentProcess()) != FALSE;
4558}
4559
4560# endif /* !VBOX_WITHOUT_DEBUGGER_CHECKS */
4561
4562
4563/**
4564 * Terminates the hardening bits.
4565 */
4566static void supdrvNtProtectTerm(void)
4567{
4568 /*
4569 * Stop intercepting process and thread handle creation calls.
4570 */
4571 if (g_pvObCallbacksCookie)
4572 {
4573 g_pfnObUnRegisterCallbacks(g_pvObCallbacksCookie);
4574 g_pvObCallbacksCookie = NULL;
4575 }
4576
4577 /*
4578 * Stop intercepting process creation and termination notifications.
4579 */
4580 NTSTATUS rcNt;
4581 if (g_pfnPsSetCreateProcessNotifyRoutineEx)
4582 rcNt = g_pfnPsSetCreateProcessNotifyRoutineEx(supdrvNtProtectCallback_ProcessCreateNotifyEx, TRUE /*fRemove*/);
4583 else
4584 rcNt = PsSetCreateProcessNotifyRoutine(supdrvNtProtectCallback_ProcessCreateNotify, TRUE /*fRemove*/);
4585 AssertMsg(NT_SUCCESS(rcNt), ("rcNt=%#x\n", rcNt));
4586
4587 Assert(g_NtProtectTree == NULL);
4588
4589 /*
4590 * Clean up globals.
4591 */
4592 RTSpinlockDestroy(g_hNtProtectLock);
4593 g_NtProtectTree = NIL_RTSPINLOCK;
4594
4595 RTSemMutexDestroy(g_hErrorInfoLock);
4596 g_hErrorInfoLock = NIL_RTSEMMUTEX;
4597
4598 PSUPDRVNTERRORINFO pCur;
4599 while ((pCur = RTListGetFirst(&g_ErrorInfoHead, SUPDRVNTERRORINFO, ListEntry)) != NULL)
4600 {
4601 RTListNodeRemove(&pCur->ListEntry);
4602 RTMemFree(pCur);
4603 }
4604
4605 supHardenedWinTermImageVerifier();
4606}
4607
4608# ifdef RT_ARCH_X86
4609DECLASM(void) supdrvNtQueryVirtualMemory_0xAF(void);
4610DECLASM(void) supdrvNtQueryVirtualMemory_0xB0(void);
4611DECLASM(void) supdrvNtQueryVirtualMemory_0xB1(void);
4612DECLASM(void) supdrvNtQueryVirtualMemory_0xB2(void);
4613DECLASM(void) supdrvNtQueryVirtualMemory_0xB3(void);
4614DECLASM(void) supdrvNtQueryVirtualMemory_0xB4(void);
4615DECLASM(void) supdrvNtQueryVirtualMemory_0xB5(void);
4616DECLASM(void) supdrvNtQueryVirtualMemory_0xB6(void);
4617DECLASM(void) supdrvNtQueryVirtualMemory_0xB7(void);
4618DECLASM(void) supdrvNtQueryVirtualMemory_0xB8(void);
4619DECLASM(void) supdrvNtQueryVirtualMemory_0xB9(void);
4620DECLASM(void) supdrvNtQueryVirtualMemory_0xBA(void);
4621DECLASM(void) supdrvNtQueryVirtualMemory_0xBB(void);
4622DECLASM(void) supdrvNtQueryVirtualMemory_0xBC(void);
4623DECLASM(void) supdrvNtQueryVirtualMemory_0xBD(void);
4624DECLASM(void) supdrvNtQueryVirtualMemory_0xBE(void);
4625# elif defined(RT_ARCH_AMD64)
4626DECLASM(void) supdrvNtQueryVirtualMemory_0x1F(void);
4627DECLASM(void) supdrvNtQueryVirtualMemory_0x20(void);
4628DECLASM(void) supdrvNtQueryVirtualMemory_0x21(void);
4629DECLASM(void) supdrvNtQueryVirtualMemory_0x22(void);
4630DECLASM(void) supdrvNtQueryVirtualMemory_0x23(void);
4631extern "C" NTSYSAPI NTSTATUS NTAPI ZwRequestWaitReplyPort(HANDLE, PVOID, PVOID);
4632# endif
4633
4634
4635/**
4636 * Initalizes the hardening bits.
4637 *
4638 * @returns NT status code.
4639 */
4640static NTSTATUS supdrvNtProtectInit(void)
4641{
4642 /*
4643 * Initialize the globals.
4644 */
4645
4646 /* The NT version. */
4647 ULONG uMajor, uMinor, uBuild;
4648 PsGetVersion(&uMajor, &uMinor, &uBuild, NULL);
4649 g_uNtVerCombined = SUP_MAKE_NT_VER_COMBINED(uMajor, uMinor, uBuild, 0, 0);
4650
4651 /* Resolve methods we want but isn't available everywhere. */
4652 UNICODE_STRING RoutineName;
4653
4654 RtlInitUnicodeString(&RoutineName, L"ObGetObjectType");
4655 g_pfnObGetObjectType = (PFNOBGETOBJECTTYPE)MmGetSystemRoutineAddress(&RoutineName);
4656
4657 RtlInitUnicodeString(&RoutineName, L"ObRegisterCallbacks");
4658 g_pfnObRegisterCallbacks = (PFNOBREGISTERCALLBACKS)MmGetSystemRoutineAddress(&RoutineName);
4659
4660 RtlInitUnicodeString(&RoutineName, L"ObUnRegisterCallbacks");
4661 g_pfnObUnRegisterCallbacks = (PFNOBUNREGISTERCALLBACKS)MmGetSystemRoutineAddress(&RoutineName);
4662
4663 RtlInitUnicodeString(&RoutineName, L"PsSetCreateProcessNotifyRoutineEx");
4664 g_pfnPsSetCreateProcessNotifyRoutineEx = (PFNPSSETCREATEPROCESSNOTIFYROUTINEEX)MmGetSystemRoutineAddress(&RoutineName);
4665
4666 RtlInitUnicodeString(&RoutineName, L"PsReferenceProcessFilePointer");
4667 g_pfnPsReferenceProcessFilePointer = (PFNPSREFERENCEPROCESSFILEPOINTER)MmGetSystemRoutineAddress(&RoutineName);
4668
4669 RtlInitUnicodeString(&RoutineName, L"PsIsProtectedProcessLight");
4670 g_pfnPsIsProtectedProcessLight = (PFNPSISPROTECTEDPROCESSLIGHT)MmGetSystemRoutineAddress(&RoutineName);
4671
4672 RtlInitUnicodeString(&RoutineName, L"ZwAlpcCreatePort");
4673 g_pfnZwAlpcCreatePort = (PFNZWALPCCREATEPORT)MmGetSystemRoutineAddress(&RoutineName);
4674
4675 RtlInitUnicodeString(&RoutineName, L"ZwQueryVirtualMemory"); /* Yes, using Zw version here. */
4676 g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)MmGetSystemRoutineAddress(&RoutineName);
4677 if (!g_pfnNtQueryVirtualMemory && g_uNtVerCombined < SUP_NT_VER_VISTA)
4678 {
4679 /* XP & W2K3 doesn't have this function exported, so we've cooked up a
4680 few alternative in the assembly helper file that uses the code in
4681 ZwReadFile with a different eax value. We figure the syscall number
4682 by inspecting ZwQueryVolumeInformationFile as it's the next number. */
4683# ifdef RT_ARCH_X86
4684 uint8_t const *pbCode = (uint8_t const *)(uintptr_t)ZwQueryVolumeInformationFile;
4685 if (*pbCode == 0xb8) /* mov eax, dword */
4686 switch (*(uint32_t const *)&pbCode[1])
4687 {
4688 case 0xb0: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xAF; break; /* just in case */
4689 case 0xb1: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB0; break; /* just in case */
4690 case 0xb2: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB1; break; /* just in case */
4691 case 0xb3: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB2; break; /* XP SP3 */
4692 case 0xb4: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB2; break; /* just in case */
4693 case 0xb5: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB3; break; /* just in case */
4694 case 0xb6: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB4; break; /* just in case */
4695 case 0xb7: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB5; break; /* just in case */
4696 case 0xb8: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB6; break; /* just in case */
4697 case 0xb9: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB7; break; /* just in case */
4698 case 0xba: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xB8; break; /* just in case */
4699 case 0xbb: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBA; break; /* W2K3 R2 SP2 */
4700 case 0xbc: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBB; break; /* just in case */
4701 case 0xbd: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBC; break; /* just in case */
4702 case 0xbe: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBD; break; /* just in case */
4703 case 0xbf: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0xBE; break; /* just in case */
4704 }
4705# elif defined(RT_ARCH_AMD64)
4706 uint8_t const *pbCode = (uint8_t const *)(uintptr_t)ZwRequestWaitReplyPort;
4707 if ( pbCode[ 0] == 0x48 /* mov rax, rsp */
4708 && pbCode[ 1] == 0x8b
4709 && pbCode[ 2] == 0xc4
4710 && pbCode[ 3] == 0xfa /* cli */
4711 && pbCode[ 4] == 0x48 /* sub rsp, 10h */
4712 && pbCode[ 5] == 0x83
4713 && pbCode[ 6] == 0xec
4714 && pbCode[ 7] == 0x10
4715 && pbCode[ 8] == 0x50 /* push rax */
4716 && pbCode[ 9] == 0x9c /* pushfq */
4717 && pbCode[10] == 0x6a /* push 10 */
4718 && pbCode[11] == 0x10
4719 && pbCode[12] == 0x48 /* lea rax, [nt!KiServiceLinkage] */
4720 && pbCode[13] == 0x8d
4721 && pbCode[14] == 0x05
4722 && pbCode[19] == 0x50 /* push rax */
4723 && pbCode[20] == 0xb8 /* mov eax,1fh <- the syscall no. */
4724 /*&& pbCode[21] == 0x1f*/
4725 && pbCode[22] == 0x00
4726 && pbCode[23] == 0x00
4727 && pbCode[24] == 0x00
4728 && pbCode[25] == 0xe9 /* jmp KiServiceInternal */
4729 )
4730 {
4731 uint8_t const *pbKiServiceInternal = &pbCode[30] + *(int32_t const *)&pbCode[26];
4732 uint8_t const *pbKiServiceLinkage = &pbCode[19] + *(int32_t const *)&pbCode[15];
4733 if (*pbKiServiceLinkage == 0xc3)
4734 {
4735 g_pfnKiServiceInternal = (PFNRT)pbKiServiceInternal;
4736 g_pfnKiServiceLinkage = (PFNRT)pbKiServiceLinkage;
4737 switch (pbCode[21])
4738 {
4739 case 0x1e: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x1F; break;
4740 case 0x1f: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x20; break;
4741 case 0x20: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x21; break;
4742 case 0x21: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x22; break;
4743 case 0x22: g_pfnNtQueryVirtualMemory = (PFNNTQUERYVIRTUALMEMORY)supdrvNtQueryVirtualMemory_0x23; break;
4744 }
4745 }
4746 }
4747# endif
4748 }
4749 if (!g_pfnNtQueryVirtualMemory)
4750 {
4751 LogRel(("vboxdrv: Cannot locate ZwQueryVirtualMemory in ntoskrnl, nor were we able to cook up a replacement.\n"));
4752 return STATUS_PROCEDURE_NOT_FOUND;
4753 }
4754
4755# ifdef VBOX_STRICT
4756 if ( g_uNtVerCombined >= SUP_NT_VER_W70
4757 && ( g_pfnObGetObjectType == NULL
4758 || g_pfnZwAlpcCreatePort == NULL) )
4759 {
4760 LogRel(("vboxdrv: g_pfnObGetObjectType=%p g_pfnZwAlpcCreatePort=%p.\n", g_pfnObGetObjectType, g_pfnZwAlpcCreatePort));
4761 return STATUS_PROCEDURE_NOT_FOUND;
4762 }
4763# endif
4764
4765 /* LPC object type. */
4766 g_pAlpcPortObjectType1 = *LpcPortObjectType;
4767
4768 /* The spinlock protecting our structures. */
4769 int rc = RTSpinlockCreate(&g_hNtProtectLock, RTSPINLOCK_FLAGS_INTERRUPT_UNSAFE, "NtProtectLock");
4770 if (RT_FAILURE(rc))
4771 return VBoxDrvNtErr2NtStatus(rc);
4772 g_NtProtectTree = NULL;
4773
4774 NTSTATUS rcNt;
4775
4776 /* The mutex protecting the error information. */
4777 RTListInit(&g_ErrorInfoHead);
4778 rc = RTSemMutexCreate(&g_hErrorInfoLock);
4779 if (RT_SUCCESS(rc))
4780 {
4781 /* Image stuff + certificates. */
4782 rc = supHardenedWinInitImageVerifier(NULL);
4783 if (RT_SUCCESS(rc))
4784 {
4785 /*
4786 * Intercept process creation and termination.
4787 */
4788 if (g_pfnPsSetCreateProcessNotifyRoutineEx)
4789 rcNt = g_pfnPsSetCreateProcessNotifyRoutineEx(supdrvNtProtectCallback_ProcessCreateNotifyEx, FALSE /*fRemove*/);
4790 else
4791 rcNt = PsSetCreateProcessNotifyRoutine(supdrvNtProtectCallback_ProcessCreateNotify, FALSE /*fRemove*/);
4792 if (NT_SUCCESS(rcNt))
4793 {
4794 /*
4795 * Intercept process and thread handle creation calls.
4796 * The preferred method is only available on Vista SP1+.
4797 */
4798 if (g_pfnObRegisterCallbacks && g_pfnObUnRegisterCallbacks)
4799 {
4800 static OB_OPERATION_REGISTRATION s_aObOperations[] =
4801 {
4802 {
4803 0, /* PsProcessType - imported, need runtime init, better do it explicitly. */
4804 OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE,
4805 supdrvNtProtectCallback_ProcessHandlePre,
4806 supdrvNtProtectCallback_ProcessHandlePost,
4807 },
4808 {
4809 0, /* PsThreadType - imported, need runtime init, better do it explicitly. */
4810 OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE,
4811 supdrvNtProtectCallback_ThreadHandlePre,
4812 supdrvNtProtectCallback_ThreadHandlePost,
4813 },
4814 };
4815 s_aObOperations[0].ObjectType = PsProcessType;
4816 s_aObOperations[1].ObjectType = PsThreadType;
4817
4818 static OB_CALLBACK_REGISTRATION s_ObCallbackReg =
4819 {
4820 /* .Version = */ OB_FLT_REGISTRATION_VERSION,
4821 /* .OperationRegistrationCount = */ RT_ELEMENTS(s_aObOperations),
4822 /* .Altitude.Length = */ 0,
4823 /* .Altitude.MaximumLength = */ 0,
4824 /* .Altitude.Buffer = */ NULL,
4825 /* .RegistrationContext = */ NULL,
4826 /* .OperationRegistration = */ &s_aObOperations[0]
4827 };
4828 static WCHAR const *s_apwszAltitudes[] = /** @todo get a valid number */
4829 {
4830 L"48596.98940", L"46935.19485", L"49739.39704", L"40334.74976",
4831 L"66667.98940", L"69888.19485", L"69889.39704", L"60364.74976",
4832 L"85780.98940", L"88978.19485", L"89939.39704", L"80320.74976",
4833 L"329879.98940", L"326787.19485", L"328915.39704", L"320314.74976",
4834 };
4835
4836 rcNt = STATUS_FLT_INSTANCE_ALTITUDE_COLLISION;
4837 for (uint32_t i = 0; i < RT_ELEMENTS(s_apwszAltitudes) && rcNt == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION; i++)
4838 {
4839 s_ObCallbackReg.Altitude.Buffer = (WCHAR *)s_apwszAltitudes[i];
4840 s_ObCallbackReg.Altitude.Length = (uint16_t)RTUtf16Len(s_apwszAltitudes[i]) * sizeof(WCHAR);
4841 s_ObCallbackReg.Altitude.MaximumLength = s_ObCallbackReg.Altitude.Length + sizeof(WCHAR);
4842
4843 rcNt = g_pfnObRegisterCallbacks(&s_ObCallbackReg, &g_pvObCallbacksCookie);
4844 if (NT_SUCCESS(rcNt))
4845 {
4846 /*
4847 * Happy ending.
4848 */
4849 return STATUS_SUCCESS;
4850 }
4851 }
4852 LogRel(("vboxdrv: ObRegisterCallbacks failed with rcNt=%#x\n", rcNt));
4853 g_pvObCallbacksCookie = NULL;
4854 }
4855 else
4856 {
4857 /*
4858 * For the time being, we do not implement extra process
4859 * protection on pre-Vista-SP1 systems as they are lacking
4860 * necessary KPIs. XP is end of life, we do not wish to
4861 * spend more time on it, so we don't put up a fuss there.
4862 * Vista users without SP1 can install SP1 (or later), darn it,
4863 * so refuse to load.
4864 */
4865 /** @todo Hack up an XP solution - will require hooking kernel APIs or doing bad
4866 * stuff to a couple of object types. */
4867# ifndef VBOX_WITH_VISTA_NO_SP
4868 if (g_uNtVerCombined >= SUP_NT_VER_VISTA)
4869# else
4870 if (g_uNtVerCombined >= SUP_MAKE_NT_VER_COMBINED(6, 0, 6001, 0, 0))
4871# endif
4872 {
4873 DbgPrint("vboxdrv: ObRegisterCallbacks was not found. Please make sure you got the latest updates and service packs installed\n");
4874 rcNt = STATUS_SXS_VERSION_CONFLICT;
4875 }
4876 else
4877 {
4878 Log(("vboxdrv: ObRegisterCallbacks was not found; ignored pre-Vista\n"));
4879 return rcNt = STATUS_SUCCESS;
4880 }
4881 g_pvObCallbacksCookie = NULL;
4882 }
4883
4884 /*
4885 * Drop process create/term notifications.
4886 */
4887 if (g_pfnPsSetCreateProcessNotifyRoutineEx)
4888 g_pfnPsSetCreateProcessNotifyRoutineEx(supdrvNtProtectCallback_ProcessCreateNotifyEx, TRUE /*fRemove*/);
4889 else
4890 PsSetCreateProcessNotifyRoutine(supdrvNtProtectCallback_ProcessCreateNotify, TRUE /*fRemove*/);
4891 }
4892 else
4893 LogRel(("vboxdrv: PsSetCreateProcessNotifyRoutine%s failed with rcNt=%#x\n",
4894 g_pfnPsSetCreateProcessNotifyRoutineEx ? "Ex" : "", rcNt));
4895 supHardenedWinTermImageVerifier();
4896 }
4897 else
4898 rcNt = VBoxDrvNtErr2NtStatus(rc);
4899
4900 RTSemMutexDestroy(g_hErrorInfoLock);
4901 g_hErrorInfoLock = NIL_RTSEMMUTEX;
4902 }
4903 else
4904 rcNt = VBoxDrvNtErr2NtStatus(rc);
4905
4906 RTSpinlockDestroy(g_hNtProtectLock);
4907 g_NtProtectTree = NIL_RTSPINLOCK;
4908 return rcNt;
4909}
4910
4911#endif /* VBOX_WITH_HARDENING */
4912
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette