SUPHardenedVerifyImage-win.cpp

Last change on this file was 106061, checked in by vboxsync, 2 months ago
Copyright year updates by scm.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 135.7 KB

Line
1	/* $Id: SUPHardenedVerifyImage-win.cpp 106061 2024-09-16 14:03:52Z vboxsync $ */
2	/** @file
3	* VirtualBox Support Library/Driver - Hardened Image Verification, Windows.
4	*/
5
6	/*
7	* Copyright (C) 2006-2024 Oracle and/or its affiliates.
8	*
9	* This file is part of VirtualBox base platform packages, as
10	* available from https://www.virtualbox.org.
11	*
12	* This program is free software; you can redistribute it and/or
13	* modify it under the terms of the GNU General Public License
14	* as published by the Free Software Foundation, in version 3 of the
15	* License.
16	*
17	* This program is distributed in the hope that it will be useful, but
18	* WITHOUT ANY WARRANTY; without even the implied warranty of
19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20	* General Public License for more details.
21	*
22	* You should have received a copy of the GNU General Public License
23	* along with this program; if not, see <https://www.gnu.org/licenses>.
24	*
25	* The contents of this file may alternatively be used under the terms
26	* of the Common Development and Distribution License Version 1.0
27	* (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28	* in the VirtualBox distribution, in which case the provisions of the
29	* CDDL are applicable instead of those of the GPL.
30	*
31	* You may elect to license modified versions of this file under the
32	* terms and conditions of either the GPL or the CDDL or both.
33	*
34	* SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35	*/
36
37
38	/*********************************************************************************************************************************
39	* Header Files *
40	*********************************************************************************************************************************/
41	#ifdef IN_RING0
42	# ifndef IPRT_NT_MAP_TO_ZW
43	# define IPRT_NT_MAP_TO_ZW
44	# endif
45	# include <iprt/nt/nt.h>
46	# include <ntimage.h>
47	#else
48	# include <iprt/nt/nt-and-windows.h>
49	# include "Wintrust.h"
50	# include "Softpub.h"
51	# include "mscat.h"
52	# ifndef LOAD_LIBRARY_SEARCH_APPLICATION_DIR
53	# define LOAD_LIBRARY_SEARCH_SYSTEM32 0x800
54	# endif
55	#endif
56
57	#include <VBox/sup.h>
58	#include <VBox/err.h>
59	#include <iprt/ctype.h>
60	#include <iprt/ldr.h>
61	#include <iprt/log.h>
62	#include <iprt/path.h>
63	#include <iprt/string.h>
64	#include <iprt/utf16.h>
65	#include <iprt/crypto/pkcs7.h>
66	#include <iprt/crypto/store.h>
67
68	#ifdef IN_RING0
69	# include "SUPDrvInternal.h"
70	#else
71	# include "SUPLibInternal.h"
72	#endif
73	#include "win/SUPHardenedVerify-win.h"
74
75
76	/*********************************************************************************************************************************
77	* Defined Constants And Macros *
78	*********************************************************************************************************************************/
79	/** The size of static hash (output) buffers.
80	* Avoids dynamic allocations and cleanups for of small buffers as well as extra
81	* calls for getting the appropriate buffer size. The largest digest in regular
82	* use by current windows version is SHA-512, we double this and hope it's
83	* enough a good while. */
84	#define SUPHARDNTVI_MAX_CAT_HASH_SIZE 128
85
86
87	#if defined(VBOX_PERMIT_EVEN_MORE) && !defined(VBOX_PERMIT_MORE)
88	# error "VBOX_PERMIT_EVEN_MORE without VBOX_PERMIT_MORE!"
89	#endif
90
91
92	/*********************************************************************************************************************************
93	* Structures and Typedefs *
94	*********************************************************************************************************************************/
95
96	#ifdef IN_RING3
97	typedef DECLCALLBACKPTR_EX(LONG, WINAPI, PFNWINVERIFYTRUST,(HWND hwnd, GUID const *pgActionID, PVOID pWVTData));
98	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATADMINACQUIRECONTEXT,(HCATADMIN phCatAdmin, const GUID pGuidSubsystem,
99	DWORD dwFlags));
100	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATADMINACQUIRECONTEXT2,(HCATADMIN phCatAdmin, const GUID pGuidSubsystem,
101	PCWSTR pwszHashAlgorithm,
102	struct _CERT_STRONG_SIGN_PARA const *pStrongHashPolicy,
103	DWORD dwFlags));
104	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATADMINCALCHASHFROMFILEHANDLE,(HANDLE hFile, DWORD pcbHash, BYTE pbHash,
105	DWORD dwFlags));
106	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATADMINCALCHASHFROMFILEHANDLE2,(HCATADMIN hCatAdmin, HANDLE hFile,
107	DWORD pcbHash, BYTE pbHash, DWORD dwFlags));
108	typedef DECLCALLBACKPTR_EX(HCATINFO, WINAPI, PFNCRYPTCATADMINENUMCATALOGFROMHASH,(HCATADMIN hCatAdmin, BYTE *pbHash, DWORD cbHash,
109	DWORD dwFlags, HCATINFO *phPrevCatInfo));
110	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATADMINRELEASECATALOGCONTEXT,(HCATADMIN hCatAdmin, HCATINFO hCatInfo,
111	DWORD dwFlags));
112	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATDADMINRELEASECONTEXT,(HCATADMIN hCatAdmin, DWORD dwFlags));
113	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCRYPTCATCATALOGINFOFROMCONTEXT,(HCATINFO hCatInfo, CATALOG_INFO *psCatInfo,
114	DWORD dwFlags));
115
116	typedef DECLCALLBACKPTR_EX(HCERTSTORE, WINAPI, PFNCERTOPENSTORE,(PCSTR pszStoreProvider, DWORD dwEncodingType,
117	HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvParam));
118	typedef DECLCALLBACKPTR_EX(BOOL, WINAPI, PFNCERTCLOSESTORE,(HCERTSTORE hCertStore, DWORD dwFlags));
119	typedef DECLCALLBACKPTR_EX(PCCERT_CONTEXT, WINAPI, PFNCERTENUMCERTIFICATESINSTORE,(HCERTSTORE hCertStore,
120	PCCERT_CONTEXT pPrevCertContext));
121
122	typedef DECLCALLBACKPTR_EX(NTSTATUS, WINAPI, PFNBCRYPTOPENALGORTIHMPROVIDER,(BCRYPT_ALG_HANDLE *phAlgo, PCWSTR pwszAlgoId,
123	PCWSTR pwszImpl, DWORD dwFlags));
124	#endif
125
126
127	/*********************************************************************************************************************************
128	* Global Variables *
129	*********************************************************************************************************************************/
130	/** The build certificate. */
131	static RTCRX509CERTIFICATE g_BuildX509Cert;
132
133	/** Store for root software publisher certificates. */
134	static RTCRSTORE g_hSpcRootStore = NIL_RTCRSTORE;
135	/** Store for root NT kernel certificates. */
136	static RTCRSTORE g_hNtKernelRootStore = NIL_RTCRSTORE;
137
138	/** Store containing SPC, NT kernel signing, and timestamp root certificates. */
139	static RTCRSTORE g_hSpcAndNtKernelRootStore = NIL_RTCRSTORE;
140	/** Store for supplemental certificates for use with
141	* g_hSpcAndNtKernelRootStore. */
142	static RTCRSTORE g_hSpcAndNtKernelSuppStore = NIL_RTCRSTORE;
143
144	/** The full \\SystemRoot\\System32 path. */
145	SUPSYSROOTDIRBUF g_System32NtPath;
146	/** The full \\SystemRoot\\WinSxS path. */
147	SUPSYSROOTDIRBUF g_WinSxSNtPath;
148	#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
149	/** The full 'Program Files' path. */
150	SUPSYSROOTDIRBUF g_ProgramFilesNtPath;
151	# ifdef RT_ARCH_AMD64
152	/** The full 'Program Files (x86)' path. */
153	SUPSYSROOTDIRBUF g_ProgramFilesX86NtPath;
154	# endif
155	/** The full 'Common Files' path. */
156	SUPSYSROOTDIRBUF g_CommonFilesNtPath;
157	# ifdef RT_ARCH_AMD64
158	/** The full 'Common Files (x86)' path. */
159	SUPSYSROOTDIRBUF g_CommonFilesX86NtPath;
160	# endif
161	#endif /* IN_RING3 && !VBOX_PERMIT_MORE*/
162
163	/**
164	* Blacklisted DLL names.
165	*/
166	const RTSTRTUPLE g_aSupNtViBlacklistedDlls[] =
167	{
168	{ RT_STR_TUPLE("SCROBJ.dll") },
169	{ NULL, 0 } /* terminator entry */
170	};
171
172
173	static union
174	{
175	SID Sid;
176	uint8_t abPadding[SECURITY_MAX_SID_SIZE];
177	}
178	/** The TrustedInstaller SID (Vista+). */
179	g_TrustedInstallerSid,
180	/** Local system ID (S-1-5-21). */
181	g_LocalSystemSid,
182	/** Builtin Administrators group alias (S-1-5-32-544). */
183	g_AdminsGroupSid;
184
185
186	/** Set after we've retrived other SPC root certificates from the system. */
187	static bool g_fHaveOtherRoots = false;
188
189	#if defined(IN_RING3) && !defined(IN_SUP_HARDENED_R3)
190	/** Combined windows NT version number. See SUP_MAKE_NT_VER_COMBINED and
191	* SUP_MAKE_NT_VER_SIMPLE. */
192	uint32_t g_uNtVerCombined;
193	#endif
194
195	#ifdef IN_RING3
196	/** Timestamp hack working around issues with old DLLs that we ship.
197	* See supHardenedWinVerifyImageByHandle() for details. */
198	static uint64_t g_uBuildTimestampHack = 0;
199	#endif
200
201	#ifdef IN_RING3
202	/** Pointer to WinVerifyTrust. */
203	PFNWINVERIFYTRUST g_pfnWinVerifyTrust;
204	/** Pointer to CryptCATAdminAcquireContext. */
205	PFNCRYPTCATADMINACQUIRECONTEXT g_pfnCryptCATAdminAcquireContext;
206	/** Pointer to CryptCATAdminAcquireContext2 if available. */
207	PFNCRYPTCATADMINACQUIRECONTEXT2 g_pfnCryptCATAdminAcquireContext2;
208	/** Pointer to CryptCATAdminCalcHashFromFileHandle. */
209	PFNCRYPTCATADMINCALCHASHFROMFILEHANDLE g_pfnCryptCATAdminCalcHashFromFileHandle;
210	/** Pointer to CryptCATAdminCalcHashFromFileHandle2. */
211	PFNCRYPTCATADMINCALCHASHFROMFILEHANDLE2 g_pfnCryptCATAdminCalcHashFromFileHandle2;
212	/** Pointer to CryptCATAdminEnumCatalogFromHash. */
213	PFNCRYPTCATADMINENUMCATALOGFROMHASH g_pfnCryptCATAdminEnumCatalogFromHash;
214	/** Pointer to CryptCATAdminReleaseCatalogContext. */
215	PFNCRYPTCATADMINRELEASECATALOGCONTEXT g_pfnCryptCATAdminReleaseCatalogContext;
216	/** Pointer to CryptCATAdminReleaseContext. */
217	PFNCRYPTCATDADMINRELEASECONTEXT g_pfnCryptCATAdminReleaseContext;
218	/** Pointer to CryptCATCatalogInfoFromContext. */
219	PFNCRYPTCATCATALOGINFOFROMCONTEXT g_pfnCryptCATCatalogInfoFromContext;
220
221	/** Where we store the TLS entry for detecting WinVerifyTrustRecursion. */
222	static uint32_t g_iTlsWinVerifyTrustRecursion = UINT32_MAX;
223	/** Fallback WinVerifyTrust recursion protection. */
224	static uint32_t volatile g_idActiveThread = UINT32_MAX;
225
226	#endif
227
228
229	/*********************************************************************************************************************************
230	* Internal Functions *
231	*********************************************************************************************************************************/
232	#ifdef IN_RING3
233	static int supR3HardNtViCallWinVerifyTrust(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, PRTERRINFO pErrInfo,
234	PFNWINVERIFYTRUST pfnWinVerifyTrust, HRESULT *phrcWinVerifyTrust);
235	static int supR3HardNtViCallWinVerifyTrustCatFile(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, PRTERRINFO pErrInfo,
236	PFNWINVERIFYTRUST pfnWinVerifyTrust);
237	#endif
238
239
240
241
242	/** @copydoc RTLDRREADER::pfnRead */
243	static DECLCALLBACK(int) supHardNtViRdrRead(PRTLDRREADER pReader, void *pvBuf, size_t cb, RTFOFF off)
244	{
245	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pReader;
246	Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
247	NTSTATUS rcNt;
248
249	/* Check for type overflow (paranoia). */
250	if ((ULONG)cb != cb)
251	return VERR_OUT_OF_RANGE;
252
253	#ifdef IN_RING3
254	/* Make sure the event semaphore is reset (normally we don't use one). */
255	if (pNtViRdr->hEvent)
256	{
257	rcNt = NtClearEvent(pNtViRdr->hEvent);
258	if (!NT_SUCCESS(rcNt))
259	return RTErrConvertFromNtStatus(rcNt);
260	}
261	#endif
262
263	/* Perform the read. */
264	LARGE_INTEGER offNt;
265	offNt.QuadPart = off;
266
267	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
268	rcNt = NtReadFile(pNtViRdr->hFile,
269	pNtViRdr->hEvent,
270	NULL /ApcRoutine/,
271	NULL /ApcContext/,
272	&Ios,
273	pvBuf,
274	(ULONG)cb,
275	&offNt,
276	NULL);
277
278	#ifdef IN_RING0
279	/* In ring-0 the handles shall be synchronized and not alertable. */
280	AssertMsg(rcNt == STATUS_SUCCESS \|\| !NT_SUCCESS(rcNt), ("%#x\n", rcNt));
281	#else
282	/* In ring-3 we like our handles synchronized and non-alertable, but we
283	sometimes have to take what we can get. So, deal with pending I/O as
284	best we can. */
285	if (rcNt == STATUS_PENDING)
286	rcNt = NtWaitForSingleObject(pNtViRdr->hEvent ? pNtViRdr->hEvent : pNtViRdr->hFile, FALSE /Alertable/, NULL);
287	#endif
288	if (NT_SUCCESS(rcNt))
289	rcNt = Ios.Status;
290	if (NT_SUCCESS(rcNt))
291	{
292	/* We require the caller to not read beyond the end of the file since
293	we don't have any way to communicate that we've read less that
294	requested. */
295	if (Ios.Information == cb)
296	{
297	pNtViRdr->off = off + cb; /* (just for show) */
298	return VINF_SUCCESS;
299	}
300	#ifdef IN_RING3
301	supR3HardenedError(VERR_READ_ERROR, false,
302	"supHardNtViRdrRead: Only got %#zx bytes when requesting %#zx bytes at %#llx in '%s'.\n",
303	Ios.Information, off, cb, pNtViRdr->szFilename);
304	#endif
305	}
306	pNtViRdr->off = -1;
307	return VERR_READ_ERROR;
308	}
309
310
311	/** @copydoc RTLDRREADER::pfnTell */
312	static DECLCALLBACK(RTFOFF) supHardNtViRdrTell(PRTLDRREADER pReader)
313	{
314	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pReader;
315	Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
316	return pNtViRdr->off;
317	}
318
319
320	/** @copydoc RTLDRREADER::pfnSize */
321	static DECLCALLBACK(uint64_t) supHardNtViRdrSize(PRTLDRREADER pReader)
322	{
323	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pReader;
324	Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
325	return pNtViRdr->cbFile;
326	}
327
328
329	/** @copydoc RTLDRREADER::pfnLogName */
330	static DECLCALLBACK(const char *) supHardNtViRdrLogName(PRTLDRREADER pReader)
331	{
332	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pReader;
333	return pNtViRdr->szFilename;
334	}
335
336
337	/** @copydoc RTLDRREADER::pfnMap */
338	static DECLCALLBACK(int) supHardNtViRdrMap(PRTLDRREADER pReader, const void **ppvBits)
339	{
340	RT_NOREF2(pReader, ppvBits);
341	return VERR_NOT_SUPPORTED;
342	}
343
344
345	/** @copydoc RTLDRREADER::pfnUnmap */
346	static DECLCALLBACK(int) supHardNtViRdrUnmap(PRTLDRREADER pReader, const void *pvBits)
347	{
348	RT_NOREF2(pReader, pvBits);
349	return VERR_NOT_SUPPORTED;
350	}
351
352
353	/** @copydoc RTLDRREADER::pfnDestroy */
354	static DECLCALLBACK(int) supHardNtViRdrDestroy(PRTLDRREADER pReader)
355	{
356	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pReader;
357	Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
358
359	pNtViRdr->Core.uMagic = ~RTLDRREADER_MAGIC;
360	pNtViRdr->hFile = NULL;
361	#ifdef IN_RING3
362	if (pNtViRdr->hEvent)
363	{
364	NtClose(pNtViRdr->hEvent);
365	pNtViRdr->hEvent = NULL;
366	}
367	#endif
368	RTMemFree(pNtViRdr);
369	return VINF_SUCCESS;
370	}
371
372
373	/**
374	* Creates a loader reader instance for the given NT file handle.
375	*
376	* @returns iprt status code.
377	* @param hFile Native NT file handle.
378	* @param pwszName Optional file name.
379	* @param fFlags Flags, SUPHNTVI_F_XXX.
380	* @param ppNtViRdr Where to store the reader instance on success.
381	*/
382	DECLHIDDEN(int) supHardNtViRdrCreate(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, PSUPHNTVIRDR *ppNtViRdr)
383	{
384	/*
385	* Try determine the size of the file.
386	*/
387	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
388	FILE_STANDARD_INFORMATION StdInfo;
389	NTSTATUS rcNt = NtQueryInformationFile(hFile, &Ios, &StdInfo, sizeof(StdInfo), FileStandardInformation);
390	if (!NT_SUCCESS(rcNt) \|\| !NT_SUCCESS(Ios.Status))
391	return VERR_LDRVI_FILE_LENGTH_ERROR;
392
393	/*
394	* Figure the file mode so we can see whether we'll be needing an event
395	* semaphore for waiting on reads. This may happen in very unlikely
396	* NtCreateSection scenarios.
397	*/
398	#if defined(IN_RING3) \|\| defined(VBOX_STRICT)
399	Ios.Status = STATUS_UNSUCCESSFUL;
400	ULONG fMode;
401	rcNt = NtQueryInformationFile(hFile, &Ios, &fMode, sizeof(fMode), FileModeInformation);
402	if (!NT_SUCCESS(rcNt) \|\| !NT_SUCCESS(Ios.Status))
403	return VERR_SUP_VP_FILE_MODE_ERROR;
404	#endif
405
406	HANDLE hEvent = NULL;
407	#ifdef IN_RING3
408	if (!(fMode & (FILE_SYNCHRONOUS_IO_NONALERT \| FILE_SYNCHRONOUS_IO_ALERT)))
409	{
410	rcNt = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE);
411	if (!NT_SUCCESS(rcNt))
412	return VERR_SUP_VP_CREATE_READ_EVT_SEM_FAILED;
413	}
414	#else
415	Assert(fMode & FILE_SYNCHRONOUS_IO_NONALERT);
416	#endif
417
418	/*
419	* Calc the file name length and allocate memory for the reader instance.
420	*/
421	size_t cchFilename = 0;
422	if (pwszName)
423	cchFilename = RTUtf16CalcUtf8Len(pwszName);
424
425	int rc = VERR_NO_MEMORY;
426	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)RTMemAllocZ(sizeof(*pNtViRdr) + cchFilename);
427	if (!pNtViRdr)
428	{
429	#ifdef IN_RING3
430	if (hEvent != NULL)
431	NtClose(hEvent);
432	#endif
433	return VERR_NO_MEMORY;
434	}
435
436	/*
437	* Initialize the structure.
438	*/
439	if (cchFilename)
440	{
441	char *pszName = &pNtViRdr->szFilename[0];
442	rc = RTUtf16ToUtf8Ex(pwszName, RTSTR_MAX, &pszName, cchFilename + 1, NULL);
443	AssertStmt(RT_SUCCESS(rc), pNtViRdr->szFilename[0] = '\0');
444	}
445	else
446	pNtViRdr->szFilename[0] = '\0';
447
448	pNtViRdr->Core.uMagic = RTLDRREADER_MAGIC;
449	pNtViRdr->Core.pfnRead = supHardNtViRdrRead;
450	pNtViRdr->Core.pfnTell = supHardNtViRdrTell;
451	pNtViRdr->Core.pfnSize = supHardNtViRdrSize;
452	pNtViRdr->Core.pfnLogName = supHardNtViRdrLogName;
453	pNtViRdr->Core.pfnMap = supHardNtViRdrMap;
454	pNtViRdr->Core.pfnUnmap = supHardNtViRdrUnmap;
455	pNtViRdr->Core.pfnDestroy = supHardNtViRdrDestroy;
456	pNtViRdr->hFile = hFile;
457	pNtViRdr->hEvent = hEvent;
458	pNtViRdr->off = 0;
459	pNtViRdr->cbFile = (uint64_t)StdInfo.EndOfFile.QuadPart;
460	pNtViRdr->fFlags = fFlags;
461	*ppNtViRdr = pNtViRdr;
462	return VINF_SUCCESS;
463	}
464
465
466	/**
467	* Checks if the file is owned by TrustedInstaller (Vista+) or similar.
468	*
469	* @returns true if owned by TrustedInstaller of pre-Vista, false if not.
470	*
471	* @param hFile The handle to the file.
472	* @param pwszName The name of the file.
473	*/
474	static bool supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(HANDLE hFile, PCRTUTF16 pwszName)
475	{
476	if (g_uNtVerCombined < SUP_NT_VER_VISTA)
477	return true;
478
479	/*
480	* Get the ownership information.
481	*/
482	union
483	{
484	SECURITY_DESCRIPTOR_RELATIVE Rel;
485	SECURITY_DESCRIPTOR Abs;
486	uint8_t abView[256];
487	} uBuf;
488	ULONG cbActual;
489	NTSTATUS rcNt = NtQuerySecurityObject(hFile, OWNER_SECURITY_INFORMATION, &uBuf.Abs, sizeof(uBuf), &cbActual);
490	if (!NT_SUCCESS(rcNt))
491	{
492	SUP_DPRINTF(("NtQuerySecurityObject failed with rcNt=%#x on '%ls'\n", rcNt, pwszName));
493	return false;
494	}
495
496	/*
497	* Check the owner.
498	*
499	* Initially we wished to only allow TrustedInstaller. But a Windows CAPI
500	* plugin "Program Files\Tumbleweed\Desktop Validator\tmwdcapiclient.dll"
501	* turned up owned by the local system user, and we cannot operate without
502	* the plugin loaded once it's installed (WinVerityTrust fails).
503	*
504	* We'd like to avoid allowing Builtin\Administrators here since it's the
505	* default owner of anything an admin user creates (at least when elevated).
506	* Seems windows update or someone ends up installing or modifying system
507	* DLL ownership to this group, so for system32 and winsxs it's unavoidable.
508	* And, not surprise, a bunch of products, including AV, firewalls and similar
509	* ends up with their files installed with this group as owner. For instance
510	* if we wish to have NAT continue working, we need to allow this.
511	*
512	* Hopefully, we can limit the allowed files to these owners though, so
513	* we won't be subject to ordinary (non-admin, or not elevated) users
514	* downloading or be tricked into putting evil DLLs around the place...
515	*/
516	PSID pOwner = uBuf.Rel.Control & SE_SELF_RELATIVE ? &uBuf.abView[uBuf.Rel.Owner] : uBuf.Abs.Owner;
517	Assert((uintptr_t)pOwner - (uintptr_t)&uBuf < sizeof(uBuf) - sizeof(SID));
518	if (RtlEqualSid(pOwner, &g_TrustedInstallerSid))
519	return true;
520	if (RtlEqualSid(pOwner, &g_LocalSystemSid))
521	return true;
522	if (RtlEqualSid(pOwner, &g_AdminsGroupSid))
523	{
524	SUP_DPRINTF(("%ls: Owner is administrators group.\n", pwszName));
525	return true;
526	}
527
528	SUP_DPRINTF(("%ls: Owner is not trusted installer (%.*Rhxs)\n",
529	pwszName, ((uint8_t )pOwner)[1] /SubAuthorityCount/ sizeof(ULONG) + 8, pOwner));
530	RT_NOREF1(pwszName);
531	return false;
532	}
533
534
535	/**
536	* Simple case insensitive UTF-16 / ASCII path compare.
537	*
538	* @returns true if equal, false if not.
539	* @param pawcLeft The UTF-16 path string, not necessarily null
540	* terminated.
541	* @param cwcLeft The number of chars in the left string,
542	* RTSTR_MAX if unknown but terminated.
543	* @param pszRight The ascii string.
544	*/
545	DECLHIDDEN(bool) supHardViUtf16PathIsEqualEx(PCRTUTF16 pawcLeft, size_t cwcLeft, const char *pszRight)
546	{
547	for (;;)
548	{
549	RTUTF16 wc;
550	if (cwcLeft-- > 0)
551	wc =*pawcLeft++;
552	else
553	wc = 0;
554	uint8_t b = *pszRight++;
555	if (b != wc)
556	{
557	if (wc >= 0x80)
558	return false;
559	wc = RT_C_TO_LOWER(wc);
560	if (wc != b)
561	{
562	b = RT_C_TO_LOWER(b);
563	if (wc != b)
564	{
565	if (wc == '/')
566	wc = '\\';
567	if (b == '/')
568	b = '\\';
569	if (wc != b)
570	return false;
571	}
572	}
573	}
574	if (!b)
575	return true;
576	}
577	}
578
579
580	/**
581	* Simple case insensitive UTF-16 / ASCII path compare.
582	*
583	* @returns true if equal, false if not.
584	* @param pwszLeft The UTF-16 path string.
585	* @param pszRight The ascii string.
586	*/
587	static bool supHardViUtf16PathIsEqual(PCRTUTF16 pwszLeft, const char *pszRight)
588	{
589	return supHardViUtf16PathIsEqualEx(pwszLeft, RTSTR_MAX, pszRight);
590	}
591
592
593	#if 0 /* unused */
594	/**
595	* Simple case insensitive UTF-16 / ASCII ends-with path predicate.
596	*
597	* @returns true if equal, false if not.
598	* @param pwsz The UTF-16 path string.
599	* @param pszSuffix The ascii suffix string.
600	*/
601	static bool supHardViUtf16PathEndsWith(PCRTUTF16 pwsz, const char *pszSuffix)
602	{
603	size_t cwc = RTUtf16Len(pwsz);
604	size_t cchSuffix = strlen(pszSuffix);
605	if (cwc >= cchSuffix)
606	return supHardViUtf16PathIsEqual(pwsz + cwc - cchSuffix, pszSuffix);
607	return false;
608	}
609	#endif
610
611
612	/**
613	* Simple case insensitive UTF-16 / ASCII starts-with path predicate.
614	*
615	* @returns true if starts with given string, false if not.
616	* @param pwszLeft The UTF-16 path string.
617	* @param pszRight The ascii prefix string.
618	*/
619	static bool supHardViUtf16PathStartsWithAscii(PCRTUTF16 pwszLeft, const char *pszRight)
620	{
621	for (;;)
622	{
623	RTUTF16 wc = *pwszLeft++;
624	uint8_t b = *pszRight++;
625	if (b != wc)
626	{
627	if (!b)
628	return true;
629	if (wc >= 0x80 \|\| wc == 0)
630	return false;
631	wc = RT_C_TO_LOWER(wc);
632	if (wc != b)
633	{
634	b = RT_C_TO_LOWER(b);
635	if (wc != b)
636	{
637	if (wc == '/')
638	wc = '\\';
639	if (b == '/')
640	b = '\\';
641	if (wc != b)
642	return false;
643	}
644	}
645	}
646	}
647	}
648
649
650	/**
651	* Simple case insensitive UNICODE_STRING starts-with path predicate.
652	*
653	* @returns true if starts with given string, false if not.
654	* @param pwszLeft The path to check.
655	* @param cwcLeft The length of @a pwszLeft
656	* @param pwszRight The starts-with path.
657	* @param cwcRight The length of @a pwszRight.
658	* @param fCheckSlash Check for a slash following the prefix.
659	*/
660	DECLHIDDEN(bool) supHardViUtf16PathStartsWithEx(PCRTUTF16 pwszLeft, uint32_t cwcLeft,
661	PCRTUTF16 pwszRight, uint32_t cwcRight, bool fCheckSlash)
662	{
663	if (cwcLeft < cwcRight \|\| !cwcRight \|\| !pwszRight)
664	return false;
665
666	/* See if we can get away with a case sensitive compare first. */
667	if (memcmp(pwszLeft, pwszRight, cwcRight * sizeof(RTUTF16)) == 0)
668	pwszLeft += cwcRight;
669	else
670	{
671	/* No luck, do a slow case insensitive comapre. */
672	uint32_t cLeft = cwcRight;
673	while (cLeft-- > 0)
674	{
675	RTUTF16 wcLeft = *pwszLeft++;
676	RTUTF16 wcRight = *pwszRight++;
677	if (wcLeft != wcRight)
678	{
679	wcLeft = wcLeft < 0x80 ? wcLeft == '/' ? '\\' : RT_C_TO_LOWER(wcLeft) : wcLeft;
680	wcRight = wcRight < 0x80 ? wcRight == '/' ? '\\' : RT_C_TO_LOWER(wcRight) : wcRight;
681	if (wcLeft != wcRight)
682	return false;
683	}
684	}
685	}
686
687	/* Check for slash following the prefix, if request. */
688	if ( !fCheckSlash
689	\|\| *pwszLeft == '\\'
690	\|\| *pwszLeft == '/')
691	return true;
692	return false;
693	}
694
695
696	/**
697	* Simple case insensitive UNICODE_STRING starts-with path predicate.
698	*
699	* @returns true if starts with given string, false if not.
700	* @param pUniStrLeft The path to check.
701	* @param pUniStrRight The starts-with path.
702	* @param fCheckSlash Check for a slash following the prefix.
703	*/
704	DECLHIDDEN(bool) supHardViUniStrPathStartsWithUniStr(UNICODE_STRING const *pUniStrLeft,
705	UNICODE_STRING const *pUniStrRight, bool fCheckSlash)
706	{
707	return supHardViUtf16PathStartsWithEx(pUniStrLeft->Buffer, pUniStrLeft->Length / sizeof(WCHAR),
708	pUniStrRight->Buffer, pUniStrRight->Length / sizeof(WCHAR), fCheckSlash);
709	}
710
711
712	#ifndef IN_RING0
713	/**
714	* Counts slashes in the given UTF-8 path string.
715	*
716	* @returns Number of slashes.
717	* @param pwsz The UTF-16 path string.
718	*/
719	static uint32_t supHardViUtf16PathCountSlashes(PCRTUTF16 pwsz)
720	{
721	uint32_t cSlashes = 0;
722	RTUTF16 wc;
723	while ((wc = *pwsz++) != '\0')
724	if (wc == '/' \|\| wc == '\\')
725	cSlashes++;
726	return cSlashes;
727	}
728	#endif
729
730
731	#ifdef VBOX_PERMIT_MORE
732	/**
733	* Checks if the path goes into %windir%\apppatch\.
734	*
735	* @returns true if apppatch, false if not.
736	* @param pwszPath The path to examine.
737	*/
738	DECLHIDDEN(bool) supHardViIsAppPatchDir(PCRTUTF16 pwszPath, uint32_t cwcName)
739	{
740	uint32_t cwcWinDir = (g_System32NtPath.UniStr.Length - sizeof(L"System32")) / sizeof(WCHAR);
741
742	if (cwcName <= cwcWinDir + sizeof("AppPatch"))
743	return false;
744
745	if (memcmp(pwszPath, g_System32NtPath.UniStr.Buffer, cwcWinDir * sizeof(WCHAR)))
746	return false;
747
748	if (!supHardViUtf16PathStartsWithAscii(&pwszPath[cwcWinDir], "\\AppPatch\\"))
749	return false;
750
751	return g_uNtVerCombined >= SUP_NT_VER_VISTA;
752	}
753	#else
754	# error should not get here..
755	#endif
756
757
758
759	/**
760	* Checks if the unsigned DLL is fine or not.
761	*
762	* @returns VINF_LDRVI_NOT_SIGNED or @a rc.
763	* @param hLdrMod The loader module handle.
764	* @param pwszName The NT name of the DLL/EXE.
765	* @param fFlags Flags.
766	* @param hFile The file handle.
767	* @param rc The status code..
768	*/
769	static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, uint32_t fFlags, HANDLE hFile, int rc)
770	{
771	RT_NOREF1(hLdrMod);
772
773	if (fFlags & (SUPHNTVI_F_REQUIRE_BUILD_CERT \| SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING))
774	return rc;
775
776	/*
777	* Version macros.
778	*/
779	uint32_t const uNtVer = g_uNtVerCombined;
780	#define IS_XP() ( uNtVer >= SUP_MAKE_NT_VER_SIMPLE(5, 1) && uNtVer < SUP_MAKE_NT_VER_SIMPLE(5, 2) )
781	#define IS_W2K3() ( uNtVer >= SUP_MAKE_NT_VER_SIMPLE(5, 2) && uNtVer < SUP_MAKE_NT_VER_SIMPLE(5, 3) )
782	#define IS_VISTA() ( uNtVer >= SUP_MAKE_NT_VER_SIMPLE(6, 0) && uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 1) )
783	#define IS_W70() ( uNtVer >= SUP_MAKE_NT_VER_SIMPLE(6, 1) && uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 2) )
784	#define IS_W80() ( uNtVer >= SUP_MAKE_NT_VER_SIMPLE(6, 2) && uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 3) )
785	#define IS_W81() ( uNtVer >= SUP_MAKE_NT_VER_SIMPLE(6, 3) && uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) )
786
787	/*
788	* The System32 directory.
789	*
790	* System32 is full of unsigned DLLs shipped by microsoft, graphics
791	* hardware vendors, input device/method vendors and whatnot else that
792	* actually needs to be loaded into a process for it to work correctly.
793	* We have to ASSUME that anything our process attempts to load from
794	* System32 is trustworthy and that the Windows system with the help of
795	* anti-virus software make sure there is nothing evil lurking in System32
796	* or being loaded from it.
797	*
798	* A small measure of protection is to list DLLs we know should be signed
799	* and decline loading unsigned versions of them, assuming they have been
800	* replaced by an adversary with evil intentions.
801	*/
802	PCRTUTF16 pwsz;
803	uint32_t cwcName = (uint32_t)RTUtf16Len(pwszName);
804	uint32_t cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR);
805	if (supHardViUtf16PathStartsWithEx(pwszName, cwcName, g_System32NtPath.UniStr.Buffer, cwcOther, true /fCheckSlash/))
806	{
807	pwsz = pwszName + cwcOther + 1;
808
809	/* Must be owned by trusted installer. (This test is superfuous, thus no relaxation here.) */
810	if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
811	&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
812	return rc;
813
814	/* Core DLLs. */
815	if (supHardViUtf16PathIsEqual(pwsz, "ntdll.dll"))
816	return uNtVer < SUP_NT_VER_VISTA ? VINF_LDRVI_NOT_SIGNED : rc;
817	if (supHardViUtf16PathIsEqual(pwsz, "kernel32.dll"))
818	return uNtVer < SUP_NT_VER_W81 ? VINF_LDRVI_NOT_SIGNED : rc;
819	if (supHardViUtf16PathIsEqual(pwsz, "kernelbase.dll"))
820	return IS_W80() \|\| IS_W70() ? VINF_LDRVI_NOT_SIGNED : rc;
821	if (supHardViUtf16PathIsEqual(pwsz, "apisetschema.dll"))
822	return IS_W70() ? VINF_LDRVI_NOT_SIGNED : rc;
823	if (supHardViUtf16PathIsEqual(pwsz, "apphelp.dll"))
824	return VINF_LDRVI_NOT_SIGNED; /* So far, never signed... */
825	#ifdef VBOX_PERMIT_VERIFIER_DLL
826	if (supHardViUtf16PathIsEqual(pwsz, "verifier.dll"))
827	return uNtVer < SUP_NT_VER_W81 ? VINF_LDRVI_NOT_SIGNED : rc;
828	#endif
829	#ifdef VBOX_PERMIT_MORE
830	if (uNtVer >= SUP_NT_VER_W70) /* hard limit: user32.dll is unwanted prior to w7. */
831	{
832	if (supHardViUtf16PathIsEqual(pwsz, "sfc.dll"))
833	return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc;
834	if (supHardViUtf16PathIsEqual(pwsz, "sfc_os.dll"))
835	return uNtVer < SUP_MAKE_NT_VER_SIMPLE(6, 4) ? VINF_LDRVI_NOT_SIGNED : rc;
836	if (supHardViUtf16PathIsEqual(pwsz, "user32.dll"))
837	return uNtVer < SUP_NT_VER_W81 ? VINF_LDRVI_NOT_SIGNED : rc;
838	}
839	#endif
840
841	#ifndef IN_RING0
842	/* Check that this DLL isn't supposed to be signed on this windows
843	version. If it should, it's likely to be a fake. */
844	/** @todo list of signed dlls for various windows versions. */
845	return VINF_LDRVI_NOT_SIGNED;
846	#else
847	return rc;
848	#endif /* IN_RING0 */
849	}
850
851
852	#ifndef IN_RING0
853	/*
854	* The WinSxS white list.
855	*
856	* Just like with System32 there are potentially a number of DLLs that
857	* could be required from WinSxS.
858	*/
859	cwcOther = g_WinSxSNtPath.UniStr.Length / sizeof(WCHAR);
860	if (supHardViUtf16PathStartsWithEx(pwszName, cwcName, g_WinSxSNtPath.UniStr.Buffer, cwcOther, true /fCheckSlash/))
861	{
862	pwsz = pwszName + cwcOther + 1;
863	cwcName -= cwcOther + 1;
864
865	/* The WinSxS layout means everything worth loading is exactly one level down. */
866	uint32_t cSlashes = supHardViUtf16PathCountSlashes(pwsz);
867	if (cSlashes != 1)
868	return rc;
869
870	/* Must be owned by trusted installer. */
871	if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
872	&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
873	return rc;
874	return VINF_LDRVI_NOT_SIGNED;
875	}
876	#endif /* !IN_RING0 */
877
878
879	#ifdef VBOX_PERMIT_MORE
880	/*
881	* AppPatch whitelist.
882	*/
883	if (supHardViIsAppPatchDir(pwszName, cwcName))
884	{
885	cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR); /* ASSUMES System32 is called System32. */
886	pwsz = pwszName + cwcOther + 1;
887
888	if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
889	&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
890	return rc;
891
892	# ifndef VBOX_PERMIT_EVEN_MORE
893	if (supHardViUtf16PathIsEqual(pwsz, "acres.dll"))
894	return VINF_LDRVI_NOT_SIGNED;
895
896	# ifdef RT_ARCH_AMD64
897	if (supHardViUtf16PathIsEqual(pwsz, "AppPatch64\\AcGenral.dll"))
898	return VINF_LDRVI_NOT_SIGNED;
899	# elif defined(RT_ARCH_X86)
900	if (supHardViUtf16PathIsEqual(pwsz, "AcGenral.dll"))
901	return VINF_LDRVI_NOT_SIGNED;
902	# endif
903	# endif /* !VBOX_PERMIT_EVEN_MORE */
904
905	# ifdef IN_RING0
906	return rc;
907	# else
908	return VINF_LDRVI_NOT_SIGNED;
909	# endif
910	}
911	#endif /* VBOX_PERMIT_MORE */
912
913
914	#ifndef IN_RING0
915	# if defined(VBOX_PERMIT_MORE) && !defined(VBOX_PERMIT_EVEN_MORE)
916	/*
917	* Program files and common files.
918	* Permit anything that's signed and correctly installed.
919	*/
920	if ( supHardViUtf16PathStartsWithEx(pwszName, cwcName,
921	g_ProgramFilesNtPath.UniStr.Buffer, g_ProgramFilesNtPath.UniStr.Length,
922	true /fCheckSlash/)
923	\|\| supHardViUtf16PathStartsWithEx(pwszName, cwcName,
924	g_CommonFilesNtPath.UniStr.Buffer, g_CommonFilesNtPath.UniStr.Length,
925	true /fCheckSlash/)
926	# ifdef RT_ARCH_AMD64
927	\|\| supHardViUtf16PathStartsWithEx(pwszName, cwcName,
928	g_ProgramFilesX86NtPath.UniStr.Buffer, g_ProgramFilesX86NtPath.UniStr.Length,
929	true /fCheckSlash/)
930	\|\| supHardViUtf16PathStartsWithEx(pwszName, cwcName,
931	g_CommonFilesX86NtPath.UniStr.Buffer, g_CommonFilesX86NtPath.UniStr.Length,
932	true /fCheckSlash/)
933	# endif
934	)
935	{
936	if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
937	&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
938	return rc;
939	return VINF_LDRVI_NOT_SIGNED;
940	}
941
942	# elif defined(VBOX_PERMIT_MORE) && defined(VBOX_PERMIT_EVEN_MORE)
943	/*
944	* Anything that's owned by the trusted installer.
945	*/
946	if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
947	\|\| supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName))
948	return VINF_LDRVI_NOT_SIGNED;
949
950	# endif
951	#endif /* !IN_RING0 */
952
953	/*
954	* Not permitted.
955	*/
956	return rc;
957	}
958
959
960	/**
961	* @callback_method_impl{FNRTDUMPPRINTFV, Formats into RTERRINFO. }
962	*/
963	static DECLCALLBACK(void) supHardNtViAsn1DumpToErrInfo(void pvUser, const char pszFormat, va_list va)
964	{
965	PRTERRINFO pErrInfo = (PRTERRINFO)pvUser;
966	RTErrInfoAddV(pErrInfo, pErrInfo->rc, pszFormat, va);
967	}
968
969
970	/**
971	* Attempts to locate a root certificate in the specified store.
972	*
973	* @returns IPRT status code.
974	* @retval VINF_SUCCESS if found.
975	* @retval VWRN_NOT_FOUND if not found.
976	*
977	* @param hRootStore The root certificate store to search.
978	* @param pSubject The root certificate subject.
979	* @param pPublicKeyInfo The public key of the root certificate to find.
980	*/
981	static int supHardNtViCertVerifyFindRootCert(RTCRSTORE hRootStore, PCRTCRX509NAME pSubject,
982	PCRTCRX509SUBJECTPUBLICKEYINFO pPublicKeyInfo)
983	{
984	RTCRSTORECERTSEARCH Search;
985	int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(hRootStore, pSubject, &Search);
986	AssertRCReturn(rc, rc);
987
988	rc = VWRN_NOT_FOUND;
989	PCRTCRCERTCTX pCertCtx;
990	while ((pCertCtx = RTCrStoreCertSearchNext(hRootStore, &Search)) != NULL)
991	{
992	PCRTCRX509SUBJECTPUBLICKEYINFO pCertPubKeyInfo = NULL;
993	if (pCertCtx->pCert)
994	pCertPubKeyInfo = &pCertCtx->pCert->TbsCertificate.SubjectPublicKeyInfo;
995	else if (pCertCtx->pTaInfo)
996	pCertPubKeyInfo = &pCertCtx->pTaInfo->PubKey;
997	else
998	pCertPubKeyInfo = NULL;
999	if ( pCertPubKeyInfo
1000	&& RTCrX509SubjectPublicKeyInfo_Compare(pCertPubKeyInfo, pPublicKeyInfo) == 0)
1001	{
1002	RTCrCertCtxRelease(pCertCtx);
1003	rc = VINF_SUCCESS;
1004	break;
1005	}
1006	RTCrCertCtxRelease(pCertCtx);
1007	}
1008
1009	int rc2 = RTCrStoreCertSearchDestroy(hRootStore, &Search);
1010	AssertRC(rc2);
1011	return rc;
1012	}
1013
1014
1015	/**
1016	* @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
1017	* Standard code signing. Use this for Microsoft SPC.}
1018	*/
1019	static DECLCALLBACK(int) supHardNtViCertVerifyCallback(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths,
1020	uint32_t fFlags, void *pvUser, PRTERRINFO pErrInfo)
1021	{
1022	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pvUser;
1023	Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
1024
1025	/*
1026	* If there is no certificate path build & validator associated with this
1027	* callback, it must be because of the build certificate. We trust the
1028	* build certificate without any second thoughts.
1029	*/
1030	if (RTCrX509Certificate_Compare(pCert, &g_BuildX509Cert) == 0)
1031	{
1032	#ifdef VBOX_STRICT
1033	Assert(RTCrX509CertPathsGetPathCount(hCertPaths) == 1);
1034	bool fTrusted = false;
1035	uint32_t cNodes = UINT32_MAX;
1036	int rcVerify = -1;
1037	int rc = RTCrX509CertPathsQueryPathInfo(hCertPaths, 0, &fTrusted, &cNodes, NULL, NULL, NULL, NULL, &rcVerify);
1038	AssertRC(rc); AssertRC(rcVerify); Assert(fTrusted); Assert(cNodes == 1);
1039	#endif
1040	return VINF_SUCCESS;
1041	}
1042
1043	/*
1044	* Standard code signing capabilites required.
1045	*/
1046	int rc = RTCrPkcs7VerifyCertCallbackCodeSigning(pCert, hCertPaths, fFlags, NULL, pErrInfo);
1047	if ( RT_SUCCESS(rc)
1048	&& (fFlags & RTCRPKCS7VCC_F_SIGNED_DATA))
1049	{
1050	/*
1051	* For kernel code signing there are two options for a valid certificate path:
1052	* 1. Anchored by the microsoft kernel signing root certificate (g_hNtKernelRootStore).
1053	* 2. Anchored by an SPC root and signing entity including a 1.3.6.1.4.1.311.10.3.5 (WHQL)
1054	* or 1.3.6.1.4.1.311.10.3.5.1 (WHQL attestation) extended usage key.
1055	*/
1056	if (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING)
1057	{
1058	uint32_t cPaths = RTCrX509CertPathsGetPathCount(hCertPaths);
1059	uint32_t cFound = 0;
1060	uint32_t cValid = 0;
1061	for (uint32_t iPath = 0; iPath < cPaths; iPath++)
1062	{
1063	bool fTrusted;
1064	PCRTCRX509NAME pSubject;
1065	PCRTCRX509SUBJECTPUBLICKEYINFO pPublicKeyInfo;
1066	int rcVerify;
1067	rc = RTCrX509CertPathsQueryPathInfo(hCertPaths, iPath, &fTrusted, NULL /pcNodes/, &pSubject, &pPublicKeyInfo,
1068	NULL, NULL /pCertCtx/, &rcVerify);
1069	AssertRCBreak(rc);
1070
1071	if (RT_SUCCESS(rcVerify))
1072	{
1073	Assert(fTrusted);
1074	cValid++;
1075
1076	/*
1077	* 1. Search the kernel signing root store for a matching anchor.
1078	*/
1079	rc = supHardNtViCertVerifyFindRootCert(g_hNtKernelRootStore, pSubject, pPublicKeyInfo);
1080	if (rc == VINF_SUCCESS)
1081	cFound++;
1082	/*
1083	* 2. Check for WHQL EKU and make sure it has a SPC root.
1084	*/
1085	else if ( rc == VWRN_NOT_FOUND
1086	&& ( pCert->TbsCertificate.T3.fExtKeyUsage
1087	& (RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO \| RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO)))
1088	{
1089	rc = supHardNtViCertVerifyFindRootCert(g_hSpcRootStore, pSubject, pPublicKeyInfo);
1090	if (rc == VINF_SUCCESS)
1091	cFound++;
1092	}
1093	AssertRCBreak(rc);
1094	}
1095	}
1096	if (RT_SUCCESS(rc) && cFound == 0)
1097	rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_VALID_KERNEL_CODE_SIGNATURE,
1098	"Signature #%u/%u: Not valid kernel code signature.",
1099	pNtViRdr->iCurSignature + 1, pNtViRdr->cTotalSignatures);
1100
1101
1102	if (RT_SUCCESS(rc) && cValid < 2 && g_fHaveOtherRoots)
1103	rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_UNEXPECTED_VALID_PATH_COUNT,
1104	"Signature #%u/%u: Expected at least %u valid paths, not %u.",
1105	pNtViRdr->iCurSignature + 1, pNtViRdr->cTotalSignatures, 2, cValid);
1106	if (rc == VWRN_NOT_FOUND)
1107	rc = VINF_SUCCESS;
1108	}
1109	}
1110
1111	/*
1112	* More requirements? NT5 build lab?
1113	*/
1114
1115	return rc;
1116	}
1117
1118
1119	/**
1120	* RTTimeNow equivaltent that handles ring-3 where we cannot use it.
1121	*
1122	* @returns pNow
1123	* @param pNow Where to return the current time.
1124	*/
1125	static PRTTIMESPEC supHardNtTimeNow(PRTTIMESPEC pNow)
1126	{
1127	#ifdef IN_RING3
1128	/*
1129	* Just read system time.
1130	*/
1131	KUSER_SHARED_DATA volatile pUserSharedData = (KUSER_SHARED_DATA volatile )MM_SHARED_USER_DATA_VA;
1132	# ifdef RT_ARCH_AMD64
1133	uint64_t uRet = (uint64_t volatile )&pUserSharedData->SystemTime; /* This is what KeQuerySystemTime does (missaligned). */
1134	return RTTimeSpecSetNtTime(pNow, uRet);
1135	# else
1136
1137	LARGE_INTEGER NtTime;
1138	do
1139	{
1140	NtTime.HighPart = pUserSharedData->SystemTime.High1Time;
1141	NtTime.LowPart = pUserSharedData->SystemTime.LowPart;
1142	} while (pUserSharedData->SystemTime.High2Time != NtTime.HighPart);
1143	return RTTimeSpecSetNtTime(pNow, NtTime.QuadPart);
1144	# endif
1145	#else /* IN_RING0 */
1146	return RTTimeNow(pNow);
1147	#endif /* IN_RING0 */
1148	}
1149
1150
1151	/**
1152	* @callback_method_impl{FNRTLDRVALIDATESIGNEDDATA}
1153	*/
1154	static DECLCALLBACK(int) supHardNtViCallback(RTLDRMOD hLdrMod, PCRTLDRSIGNATUREINFO pInfo, PRTERRINFO pErrInfo, void *pvUser)
1155	{
1156	RT_NOREF(hLdrMod);
1157
1158	/*
1159	* Check out the input.
1160	*/
1161	PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pvUser;
1162	Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
1163	pNtViRdr->cTotalSignatures = pInfo->cSignatures;
1164	pNtViRdr->iCurSignature = pInfo->iSignature;
1165
1166	AssertReturn(pInfo->enmType == RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA, VERR_INTERNAL_ERROR_5);
1167	AssertReturn(!pInfo->pvExternalData, VERR_INTERNAL_ERROR_5);
1168	AssertReturn(pInfo->cbSignature == sizeof(RTCRPKCS7CONTENTINFO), VERR_INTERNAL_ERROR_5);
1169	PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pInfo->pvSignature;
1170	AssertReturn(RTCrPkcs7ContentInfo_IsSignedData(pContentInfo), VERR_INTERNAL_ERROR_5);
1171	AssertReturn(pContentInfo->u.pSignedData->SignerInfos.cItems == 1, VERR_INTERNAL_ERROR_5);
1172	PCRTCRPKCS7SIGNERINFO pSignerInfo = pContentInfo->u.pSignedData->SignerInfos.papItems[0];
1173
1174
1175	/*
1176	* If special certificate requirements, check them out before validating
1177	* the signature. These only apply to the first signature (for now).
1178	*/
1179	if ( (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT)
1180	&& pInfo->iSignature == 0)
1181	{
1182	if (!RTCrX509Certificate_MatchIssuerAndSerialNumber(&g_BuildX509Cert,
1183	&pSignerInfo->IssuerAndSerialNumber.Name,
1184	&pSignerInfo->IssuerAndSerialNumber.SerialNumber))
1185	return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_SIGNED_WITH_BUILD_CERT,
1186	"Signature #%u/%u: Not signed with the build certificate (serial %.Rhxs, expected %.Rhxs)",
1187	pInfo->iSignature + 1, pInfo->cSignatures,
1188	pSignerInfo->IssuerAndSerialNumber.SerialNumber.Asn1Core.cb,
1189	pSignerInfo->IssuerAndSerialNumber.SerialNumber.Asn1Core.uData.pv,
1190	g_BuildX509Cert.TbsCertificate.SerialNumber.Asn1Core.cb,
1191	g_BuildX509Cert.TbsCertificate.SerialNumber.Asn1Core.uData.pv);
1192	}
1193
1194	/*
1195	* We instruction the verifier to use the signing time counter signature
1196	* when present, but provides the linker time then the current time as
1197	* fallbacks should the timestamp be missing or unusable.
1198	*
1199	* Update: Save the first timestamp we validate with build cert and
1200	* use this as a minimum timestamp for further build cert
1201	* validations. This works around issues with old DLLs that
1202	* we sign against with our certificate (crt, sdl, qt).
1203	*
1204	* Update: If the validation fails, retry with the current timestamp. This
1205	* is a workaround for NTDLL.DLL in build 14971 having a weird
1206	* timestamp: 0xDF1E957E (Sat Aug 14 14:05:18 2088).
1207	*/
1208	uint32_t fFlags = RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
1209	\| RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT
1210	\| RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY;
1211
1212	/* In ring-0 we don't have all the necessary timestamp server root certificate
1213	* info, so we have to allow using counter signatures unverified there.
1214	* Ditto for the early period of ring-3 hardened stub execution. */
1215	#ifndef IN_RING0
1216	if (!g_fHaveOtherRoots)
1217	#endif
1218	fFlags \|= RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED \| RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED;
1219
1220	/* Fallback timestamps to try: */
1221	struct { RTTIMESPEC TimeSpec; const char *pszDesc; } aTimes[2];
1222	unsigned cTimes = 0;
1223
1224	/* 1. The linking timestamp: */
1225	uint64_t uTimestamp = 0;
1226	int rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &uTimestamp, sizeof(uTimestamp));
1227	if (RT_SUCCESS(rc))
1228	{
1229	#ifdef IN_RING3 /* Hack alert! (see above) */
1230	if ( (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING)
1231	&& (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT)
1232	&& uTimestamp < g_uBuildTimestampHack)
1233	uTimestamp = g_uBuildTimestampHack;
1234	#endif
1235	RTTimeSpecSetSeconds(&aTimes[0].TimeSpec, uTimestamp);
1236	aTimes[0].pszDesc = "link";
1237	cTimes++;
1238	}
1239	else
1240	SUP_DPRINTF(("RTLdrQueryProp/RTLDRPROP_TIMESTAMP_SECONDS failed on %s: %Rrc", pNtViRdr->szFilename, rc));
1241
1242	/* 2. Current time. */
1243	supHardNtTimeNow(&aTimes[cTimes].TimeSpec);
1244	aTimes[cTimes].pszDesc = "now";
1245	cTimes++;
1246
1247	/* Make the verfication attempts. */
1248	for (unsigned i = 0; ; i++)
1249	{
1250	Assert(i < cTimes);
1251	rc = RTCrPkcs7VerifySignedData(pContentInfo, fFlags, g_hSpcAndNtKernelSuppStore, g_hSpcAndNtKernelRootStore,
1252	&aTimes[i].TimeSpec, supHardNtViCertVerifyCallback, pNtViRdr, pErrInfo);
1253	if (RT_SUCCESS(rc))
1254	{
1255	if (rc != VINF_SUCCESS)
1256	{
1257	SUP_DPRINTF(("%s: Signature #%u/%u: info status: %d\n", pNtViRdr->szFilename, pInfo->iSignature + 1, pInfo->cSignatures, rc));
1258	if (pNtViRdr->rcLastSignatureFailure == VINF_SUCCESS)
1259	pNtViRdr->rcLastSignatureFailure = rc;
1260	}
1261	pNtViRdr->cOkaySignatures++;
1262
1263	#ifdef IN_RING3 /* Hack alert! (see above) */
1264	if ((pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT) && g_uBuildTimestampHack == 0 && cTimes > 1)
1265	g_uBuildTimestampHack = uTimestamp;
1266	#endif
1267	return VINF_SUCCESS;
1268	}
1269
1270	if (rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME && i + 1 < cTimes)
1271	SUP_DPRINTF(("%s: Signature #%u/%u: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for %#RX64; retrying against current time: %#RX64.\n",
1272	pNtViRdr->szFilename, pInfo->iSignature + 1, pInfo->cSignatures,
1273	RTTimeSpecGetSeconds(&aTimes[0].TimeSpec), RTTimeSpecGetSeconds(&aTimes[1].TimeSpec)));
1274	else
1275	{
1276	/* There are a couple of failures we can tollerate if there are more than
1277	one signature and one of them works out fine. The RTLdrVerifySignature
1278	caller will have to check the failure counts though to make sure
1279	something succeeded.
1280
1281	VERR_CR_PKCS7_KEY_USAGE_MISMATCH: Nvidia 391.35 nvldumpx.dll has an misconfigured
1282	certificate "CN=NVIDIA Corporation PE Sign v2016" without valid Key Usage. It is
1283	rooted by "CN=NVIDIA Subordinate CA 2016 v2,DC=nvidia,DC=com", so homebrewn.
1284	Sysinternals' sigcheck util ignores it, while MS sigtool doesn't trust the root.
1285	It's possible we're being too strict, but well, it's the only case so far, so no
1286	need to relax the Key Usage restrictions just for a certificate w/o a trusted root.
1287
1288	VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION: Intel 27.20.100.9126 igdumdim64.dll
1289	has three signatures, the first is signed with a certificate (C=US,ST=CA,
1290	L=Santa Clara,O=Intel Corporation,CN=IntelGraphicsPE2021) that has a critical
1291	subject key identifier. This used to trip up the path validator. However, the
1292	other two signatures are from microsoft and checks out fine. So, in future
1293	situations like this it would be nice to simply continue with the next signature.
1294	See bugref{10130} for details.
1295
1296	VERR_SUP_VP_NOT_VALID_KERNEL_CODE_SIGNATURE: Is related to the above intel problem,
1297	but this is what we get if suppressing the unknown critical subjectKeyIdentifier
1298	in IPRT. We don't need all signatures to be valid kernel signatures, we should be
1299	happy with just one and ignore any additional signatures as long as they don't look
1300	like they've been compromised. Thus continue with this status too. */
1301	pNtViRdr->rcLastSignatureFailure = rc;
1302	if ( rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME
1303	\|\| rc == VERR_CR_X509_CPV_NO_TRUSTED_PATHS
1304	\|\| rc == VERR_CR_PKCS7_KEY_USAGE_MISMATCH
1305	\|\| rc == VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION
1306	\|\| rc == VERR_SUP_VP_NOT_VALID_KERNEL_CODE_SIGNATURE)
1307	{
1308	SUP_DPRINTF(("%s: Signature #%u/%u: %s (%d) w/ timestamp=%#RX64/%s.\n", pNtViRdr->szFilename, pInfo->iSignature + 1, pInfo->cSignatures,
1309	rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME ? "VERR_CR_X509_CPV_NOT_VALID_AT_TIME"
1310	: rc == VERR_CR_X509_CPV_NO_TRUSTED_PATHS ? "VERR_CR_X509_CPV_NO_TRUSTED_PATHS"
1311	: rc == VERR_CR_PKCS7_KEY_USAGE_MISMATCH ? "VERR_CR_PKCS7_KEY_USAGE_MISMATCH"
1312	: rc == VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION ? "VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION"
1313	: "VERR_SUP_VP_NOT_VALID_KERNEL_CODE_SIGNATURE",
1314	rc, RTTimeSpecGetSeconds(&aTimes[i].TimeSpec), aTimes[i].pszDesc));
1315
1316	/* This leniency is not applicable to build certificate requirements (signature #1 only). */
1317	if ( !(pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT)
1318	\|\| pInfo->iSignature != 0)
1319	{
1320	pNtViRdr->cNokSignatures++;
1321	rc = VINF_SUCCESS;
1322	}
1323	}
1324	else
1325	SUP_DPRINTF(("%s: Signature #%u/%u: %Rrc w/ timestamp=%#RX64/%s.\n", pNtViRdr->szFilename, pInfo->iSignature + 1, pInfo->cSignatures,
1326	rc, RTTimeSpecGetSeconds(&aTimes[i].TimeSpec), aTimes[i].pszDesc));
1327	return rc;
1328	}
1329	}
1330	}
1331
1332
1333	/**
1334	* Verifies the given loader image.
1335	*
1336	* @returns IPRT status code.
1337	* @param hLdrMod File handle to the executable file.
1338	* @param pwszName Full NT path to the DLL in question, used for
1339	* dealing with unsigned system dlls as well as for
1340	* error/logging.
1341	* @param pNtViRdr The reader instance /w flags.
1342	* @param fAvoidWinVerifyTrust Whether to avoid WinVerifyTrust because of
1343	* deadlock or other loader related dangers.
1344	* @param pfWinVerifyTrust Where to return whether WinVerifyTrust was used.
1345	* @param pErrInfo Pointer to error info structure. Optional.
1346	*/
1347	DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, PSUPHNTVIRDR pNtViRdr,
1348	bool fAvoidWinVerifyTrust, bool *pfWinVerifyTrust, PRTERRINFO pErrInfo)
1349	{
1350	if (pfWinVerifyTrust)
1351	*pfWinVerifyTrust = false;
1352
1353	#ifdef IN_RING3
1354	/* Check that the caller has performed the necessary library initialization. */
1355	if (!RTCrX509Certificate_IsPresent(&g_BuildX509Cert))
1356	return RTErrInfoSet(pErrInfo, VERR_WRONG_ORDER,
1357	"supHardenedWinVerifyImageByHandle: supHardenedWinInitImageVerifier was not called.");
1358	#endif
1359
1360	/*
1361	* Check the trusted installer bit first, if requested as it's somewhat
1362	* cheaper than the rest.
1363	*
1364	* We relax this for system32 and a little for WinSxS, like we used to, as
1365	* there are apparently some systems out there where the user, admin, or
1366	* someone has changed the ownership of core windows DLLs like user32.dll
1367	* and comctl32.dll. Since we need user32.dll and will be checking it's
1368	* digital signature, it's reasonably safe to let this thru. (The report
1369	* was of SECURITY_BUILTIN_DOMAIN_RID + DOMAIN_ALIAS_RID_ADMINS
1370	* owning user32.dll, see public ticket 13187, VBoxStartup.3.log.)
1371	*
1372	* We've also had problems with graphics driver components like ig75icd64.dll
1373	* and atig6pxx.dll not being owned by TrustedInstaller, with the result
1374	* that 3D got broken (mod by zero issue in test build 5). These were also
1375	* SECURITY_BUILTIN_DOMAIN_RID + DOMAIN_ALIAS_RID_ADMINS.
1376	*
1377	* In one report by 'thor' the WinSxS resident comctl32.dll was owned by
1378	* SECURITY_BUILTIN_DOMAIN_RID + DOMAIN_ALIAS_RID_ADMINS (with 4.3.16).
1379	*/
1380	/** @todo Since we're now allowing Builtin\\Administrators after all, perhaps we
1381	* could drop these system32 + winsxs hacks?? */
1382	if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
1383	&& !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(pNtViRdr->hFile, pwszName))
1384	{
1385	if (supHardViUtf16PathStartsWithEx(pwszName, (uint32_t)RTUtf16Len(pwszName),
1386	g_System32NtPath.UniStr.Buffer, g_System32NtPath.UniStr.Length / sizeof(WCHAR),
1387	true /fCheckSlash/))
1388	SUP_DPRINTF(("%ls: Relaxing the TrustedInstaller requirement for this DLL (it's in system32).\n", pwszName));
1389	else if (supHardViUtf16PathStartsWithEx(pwszName, (uint32_t)RTUtf16Len(pwszName),
1390	g_WinSxSNtPath.UniStr.Buffer, g_WinSxSNtPath.UniStr.Length / sizeof(WCHAR),
1391	true /fCheckSlash/))
1392	SUP_DPRINTF(("%ls: Relaxing the TrustedInstaller requirement for this DLL (it's in WinSxS).\n", pwszName));
1393	else
1394	return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_OWNED_BY_TRUSTED_INSTALLER,
1395	"supHardenedWinVerifyImageByHandle: TrustedInstaller is not the owner of '%ls'.", pwszName);
1396	}
1397
1398	/*
1399	* Verify it.
1400	*
1401	* The PKCS #7 SignedData signature is checked in the callback. Any
1402	* signing certificate restrictions are also enforced there.
1403	*/
1404	pNtViRdr->cOkaySignatures = 0;
1405	pNtViRdr->cNokSignatures = 0;
1406	pNtViRdr->cTotalSignatures = 0;
1407	pNtViRdr->rcLastSignatureFailure = VINF_SUCCESS;
1408	int rc = RTLdrVerifySignature(hLdrMod, supHardNtViCallback, pNtViRdr, pErrInfo);
1409	if (RT_SUCCESS(rc))
1410	{
1411	Assert(pNtViRdr->cOkaySignatures + pNtViRdr->cNokSignatures == pNtViRdr->cTotalSignatures);
1412	if ( !pNtViRdr->cOkaySignatures
1413	\|\| pNtViRdr->cOkaySignatures + pNtViRdr->cNokSignatures < pNtViRdr->cTotalSignatures /* paranoia */)
1414	{
1415	rc = pNtViRdr->rcLastSignatureFailure;
1416	AssertStmt(RT_FAILURE_NP(rc), rc = VERR_INTERNAL_ERROR_3);
1417	}
1418	else if (rc == VINF_SUCCESS && RT_SUCCESS(pNtViRdr->rcLastSignatureFailure))
1419	rc = pNtViRdr->rcLastSignatureFailure;
1420	}
1421
1422	/*
1423	* Microsoft doesn't sign a whole bunch of DLLs, so we have to
1424	* ASSUME that a bunch of system DLLs are fine.
1425	*/
1426	if (rc == VERR_LDRVI_NOT_SIGNED)
1427	rc = supHardNtViCheckIfNotSignedOk(hLdrMod, pwszName, pNtViRdr->fFlags, pNtViRdr->hFile, rc);
1428	if (RT_FAILURE(rc))
1429	RTErrInfoAddF(pErrInfo, rc, ": %ls", pwszName);
1430
1431	/*
1432	* Check for the signature checking enforcement, if requested to do so.
1433	*/
1434	if (RT_SUCCESS(rc) && (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT))
1435	{
1436	bool fEnforced = false;
1437	int rc2 = RTLdrQueryProp(hLdrMod, RTLDRPROP_SIGNATURE_CHECKS_ENFORCED, &fEnforced, sizeof(fEnforced));
1438	if (RT_FAILURE(rc2))
1439	rc = RTErrInfoSetF(pErrInfo, rc2, "Querying RTLDRPROP_SIGNATURE_CHECKS_ENFORCED failed on %ls: %Rrc.",
1440	pwszName, rc2);
1441	else if (!fEnforced)
1442	rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_SIGNATURE_CHECKS_NOT_ENFORCED,
1443	"The image '%ls' was not linked with /IntegrityCheck.", pwszName);
1444	}
1445
1446	#ifdef IN_RING3
1447	/*
1448	* Pass it thru WinVerifyTrust when possible.
1449	*/
1450	if (!fAvoidWinVerifyTrust)
1451	rc = supHardenedWinVerifyImageTrust(pNtViRdr->hFile, pwszName, pNtViRdr->fFlags, rc, pfWinVerifyTrust, pErrInfo);
1452	#else
1453	RT_NOREF1(fAvoidWinVerifyTrust);
1454	#endif
1455
1456	/*
1457	* Check for blacklisted DLLs, both internal name and filename.
1458	*/
1459	if (RT_SUCCESS(rc))
1460	{
1461	size_t const cwcName = RTUtf16Len(pwszName);
1462	char szIntName[64];
1463	int rc2 = RTLdrQueryProp(hLdrMod, RTLDRPROP_INTERNAL_NAME, szIntName, sizeof(szIntName));
1464	if (RT_SUCCESS(rc2))
1465	{
1466	size_t const cchIntName = strlen(szIntName);
1467	for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
1468	if ( cchIntName == g_aSupNtViBlacklistedDlls[i].cch
1469	&& RTStrICmpAscii(szIntName, g_aSupNtViBlacklistedDlls[i].psz) == 0)
1470	{
1471	rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_UNDESIRABLE_MODULE,
1472	"The image '%ls' is listed as undesirable.", pwszName);
1473	break;
1474	}
1475	}
1476	if (RT_SUCCESS(rc))
1477	{
1478	for (unsigned i = 0; g_aSupNtViBlacklistedDlls[i].psz != NULL; i++)
1479	if (cwcName >= g_aSupNtViBlacklistedDlls[i].cch)
1480	{
1481	PCRTUTF16 pwszTmp = &pwszName[cwcName - g_aSupNtViBlacklistedDlls[i].cch];
1482	if ( ( cwcName == g_aSupNtViBlacklistedDlls[i].cch
1483	\|\| pwszTmp[-1] == '\\'
1484	\|\| pwszTmp[-1] == '/')
1485	&& RTUtf16ICmpAscii(pwszTmp, g_aSupNtViBlacklistedDlls[i].psz) == 0)
1486	{
1487	rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_UNDESIRABLE_MODULE,
1488	"The image '%ls' is listed as undesirable.", pwszName);
1489	break;
1490	}
1491	}
1492	}
1493	}
1494
1495	#ifdef IN_SUP_HARDENED_R3
1496	/*
1497	* Hook for the LdrLoadDll code to schedule scanning of imports.
1498	*/
1499	if (RT_SUCCESS(rc))
1500	supR3HardenedWinVerifyCacheScheduleImports(hLdrMod, pwszName);
1501	#endif
1502
1503	return rc;
1504	}
1505
1506
1507	/**
1508	* Verifies the given executable image.
1509	*
1510	* @returns IPRT status code.
1511	* @param hFile File handle to the executable file.
1512	* @param pwszName Full NT path to the DLL in question, used for
1513	* dealing with unsigned system dlls as well as for
1514	* error/logging.
1515	* @param fFlags Flags, SUPHNTVI_F_XXX.
1516	* @param fAvoidWinVerifyTrust Whether to avoid WinVerifyTrust because of
1517	* deadlock or other loader related dangers.
1518	* @param pfWinVerifyTrust Where to return whether WinVerifyTrust was used.
1519	* @param pErrInfo Pointer to error info structure. Optional.
1520	*/
1521	DECLHIDDEN(int) supHardenedWinVerifyImageByHandle(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags,
1522	bool fAvoidWinVerifyTrust, bool *pfWinVerifyTrust, PRTERRINFO pErrInfo)
1523	{
1524	/*
1525	* Create a reader instance.
1526	*/
1527	PSUPHNTVIRDR pNtViRdr;
1528	int rc = supHardNtViRdrCreate(hFile, pwszName, fFlags, &pNtViRdr);
1529	if (RT_SUCCESS(rc))
1530	{
1531	/*
1532	* Open the image.
1533	*/
1534	RTLDRMOD hLdrMod;
1535	RTLDRARCH enmArch = fFlags & SUPHNTVI_F_RC_IMAGE ? RTLDRARCH_X86_32 : RTLDRARCH_HOST;
1536	uint32_t fLdrFlags = RTLDR_O_FOR_VALIDATION \| RTLDR_O_IGNORE_ARCH_IF_NO_CODE;
1537	if (fFlags & SUPHNTVI_F_IGNORE_ARCHITECTURE)
1538	fLdrFlags \|= RTLDR_O_IGNORE_ARCH_IF_NO_CODE;
1539	rc = RTLdrOpenWithReader(&pNtViRdr->Core, fLdrFlags, enmArch, &hLdrMod, pErrInfo);
1540	if (RT_SUCCESS(rc))
1541	{
1542	/*
1543	* Verify it.
1544	*/
1545	rc = supHardenedWinVerifyImageByLdrMod(hLdrMod, pwszName, pNtViRdr, fAvoidWinVerifyTrust, pfWinVerifyTrust, pErrInfo);
1546	int rc2 = RTLdrClose(hLdrMod); AssertRC(rc2);
1547	}
1548	else
1549	supHardNtViRdrDestroy(&pNtViRdr->Core);
1550	}
1551	SUP_DPRINTF(("supHardenedWinVerifyImageByHandle: -> %d (%ls)%s\n",
1552	rc, pwszName, pfWinVerifyTrust && *pfWinVerifyTrust ? " WinVerifyTrust" : ""));
1553	return rc;
1554	}
1555
1556
1557	#ifdef IN_RING3
1558	/**
1559	* supHardenedWinVerifyImageByHandle version without the name.
1560	*
1561	* The name is derived from the handle.
1562	*
1563	* @returns IPRT status code.
1564	* @param hFile File handle to the executable file.
1565	* @param fFlags Flags, SUPHNTVI_F_XXX.
1566	* @param pErrInfo Pointer to error info structure. Optional.
1567	*/
1568	DECLHIDDEN(int) supHardenedWinVerifyImageByHandleNoName(HANDLE hFile, uint32_t fFlags, PRTERRINFO pErrInfo)
1569	{
1570	/*
1571	* Determine the NT name and call the verification function.
1572	*/
1573	union
1574	{
1575	UNICODE_STRING UniStr;
1576	uint8_t abBuffer[(MAX_PATH + 8 + 1) * 2];
1577	} uBuf;
1578
1579	ULONG cbIgn;
1580	NTSTATUS rcNt = NtQueryObject(hFile,
1581	ObjectNameInformation,
1582	&uBuf,
1583	sizeof(uBuf) - sizeof(WCHAR),
1584	&cbIgn);
1585	if (NT_SUCCESS(rcNt))
1586	uBuf.UniStr.Buffer[uBuf.UniStr.Length / sizeof(WCHAR)] = '\0';
1587	else
1588	uBuf.UniStr.Buffer = (WCHAR *)L"TODO3";
1589
1590	return supHardenedWinVerifyImageByHandle(hFile, uBuf.UniStr.Buffer, fFlags, false /fAvoidWinVerifyTrust/,
1591	NULL /pfWinVerifyTrust/, pErrInfo);
1592	}
1593	#endif /* IN_RING3 */
1594
1595
1596	/**
1597	* Retrieves the full official path to the system root or one of it's sub
1598	* directories.
1599	*
1600	* This code is also used by the support driver.
1601	*
1602	* @returns VBox status code.
1603	* @param pvBuf The output buffer. This will contain a
1604	* UNICODE_STRING followed (at the kernel's
1605	* discretion) the string buffer.
1606	* @param cbBuf The size of the buffer @a pvBuf points to.
1607	* @param enmDir Which directory under the system root we're
1608	* interested in.
1609	* @param pErrInfo Pointer to error info structure. Optional.
1610	*/
1611	DECLHIDDEN(int) supHardNtGetSystemRootDir(void *pvBuf, uint32_t cbBuf, SUPHARDNTSYSROOTDIR enmDir, PRTERRINFO pErrInfo)
1612	{
1613	HANDLE hFile = RTNT_INVALID_HANDLE_VALUE;
1614	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1615
1616	UNICODE_STRING NtName;
1617	switch (enmDir)
1618	{
1619	case kSupHardNtSysRootDir_System32:
1620	{
1621	static const WCHAR s_wszNameSystem32[] = L"\\SystemRoot\\System32\\";
1622	NtName.Buffer = (PWSTR)s_wszNameSystem32;
1623	NtName.Length = sizeof(s_wszNameSystem32) - sizeof(WCHAR);
1624	NtName.MaximumLength = sizeof(s_wszNameSystem32);
1625	break;
1626	}
1627	case kSupHardNtSysRootDir_WinSxS:
1628	{
1629	static const WCHAR s_wszNameWinSxS[] = L"\\SystemRoot\\WinSxS\\";
1630	NtName.Buffer = (PWSTR)s_wszNameWinSxS;
1631	NtName.Length = sizeof(s_wszNameWinSxS) - sizeof(WCHAR);
1632	NtName.MaximumLength = sizeof(s_wszNameWinSxS);
1633	break;
1634	}
1635	default:
1636	AssertFailed();
1637	return VERR_INVALID_PARAMETER;
1638	}
1639
1640	OBJECT_ATTRIBUTES ObjAttr;
1641	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1642
1643	NTSTATUS rcNt = NtCreateFile(&hFile,
1644	FILE_READ_DATA \| SYNCHRONIZE,
1645	&ObjAttr,
1646	&Ios,
1647	NULL /* Allocation Size*/,
1648	FILE_ATTRIBUTE_NORMAL,
1649	FILE_SHARE_READ \| FILE_SHARE_WRITE,
1650	FILE_OPEN,
1651	FILE_DIRECTORY_FILE \| FILE_OPEN_FOR_BACKUP_INTENT \| FILE_SYNCHRONOUS_IO_NONALERT,
1652	NULL /EaBuffer/,
1653	0 /EaLength/);
1654	if (NT_SUCCESS(rcNt))
1655	rcNt = Ios.Status;
1656	if (NT_SUCCESS(rcNt))
1657	{
1658	ULONG cbIgn;
1659	rcNt = NtQueryObject(hFile,
1660	ObjectNameInformation,
1661	pvBuf,
1662	cbBuf - sizeof(WCHAR),
1663	&cbIgn);
1664	NtClose(hFile);
1665	if (NT_SUCCESS(rcNt))
1666	{
1667	PUNICODE_STRING pUniStr = (PUNICODE_STRING)pvBuf;
1668	if (pUniStr->Length > 0)
1669	{
1670	/* Make sure it's terminated so it can safely be printed.*/
1671	pUniStr->Buffer[pUniStr->Length / sizeof(WCHAR)] = '\0';
1672	return VINF_SUCCESS;
1673	}
1674
1675	return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_SYSTEM32_PATH,
1676	"NtQueryObject returned an empty path for '%ls'", NtName.Buffer);
1677	}
1678	return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_SYSTEM32_PATH, "NtQueryObject failed on '%ls' dir: %#x", NtName.Buffer, rcNt);
1679	}
1680	return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_SYSTEM32_PATH, "Failure to open '%ls': %#x", NtName.Buffer, rcNt);
1681	}
1682
1683
1684	/**
1685	* Initialize one certificate entry.
1686	*
1687	* @returns VBox status code.
1688	* @param pCert The X.509 certificate representation to init.
1689	* @param pabCert The raw DER encoded certificate.
1690	* @param cbCert The size of the raw certificate.
1691	* @param pErrInfo Where to return extended error info. Optional.
1692	* @param pszErrorTag Error tag.
1693	*/
1694	static int supHardNtViCertInit(PRTCRX509CERTIFICATE pCert, unsigned char const *pabCert, unsigned cbCert,
1695	PRTERRINFO pErrInfo, const char *pszErrorTag)
1696	{
1697	AssertReturn(cbCert > 16 && cbCert < _128K,
1698	RTErrInfoSetF(pErrInfo, VERR_INTERNAL_ERROR_3, "%s: cbCert=%#x out of range", pszErrorTag, cbCert));
1699	AssertReturn(!RTCrX509Certificate_IsPresent(pCert),
1700	RTErrInfoSetF(pErrInfo, VERR_WRONG_ORDER, "%s: Certificate already decoded?", pszErrorTag));
1701
1702	RTASN1CURSORPRIMARY PrimaryCursor;
1703	RTAsn1CursorInitPrimary(&PrimaryCursor, pabCert, cbCert, pErrInfo, &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, NULL);
1704	int rc = RTCrX509Certificate_DecodeAsn1(&PrimaryCursor.Cursor, 0, pCert, pszErrorTag);
1705	if (RT_SUCCESS(rc))
1706	rc = RTCrX509Certificate_CheckSanity(pCert, 0, pErrInfo, pszErrorTag);
1707	return rc;
1708	}
1709
1710
1711	static int supHardNtViCertStoreAddArray(RTCRSTORE hStore, PCSUPTAENTRY paCerts, unsigned cCerts, PRTERRINFO pErrInfo)
1712	{
1713	for (uint32_t i = 0; i < cCerts; i++)
1714	{
1715	int rc = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_TAF_DER, paCerts[i].pch, paCerts[i].cb, pErrInfo);
1716	if (RT_FAILURE(rc))
1717	return rc;
1718	}
1719	return VINF_SUCCESS;
1720	}
1721
1722
1723	/**
1724	* Initialize a certificate table.
1725	*
1726	* @param phStore Where to return the store pointer.
1727	* @param paCerts1 Pointer to the first certificate table.
1728	* @param cCerts1 Entries in the first certificate table.
1729	* @param paCerts2 Pointer to the second certificate table.
1730	* @param cCerts2 Entries in the second certificate table.
1731	* @param paCerts3 Pointer to the third certificate table.
1732	* @param cCerts3 Entries in the third certificate table.
1733	* @param pErrInfo Where to return extended error info. Optional.
1734	* @param pszErrorTag Error tag.
1735	*/
1736	static int supHardNtViCertStoreInit(PRTCRSTORE phStore,
1737	PCSUPTAENTRY paCerts1, unsigned cCerts1,
1738	PCSUPTAENTRY paCerts2, unsigned cCerts2,
1739	PCSUPTAENTRY paCerts3, unsigned cCerts3,
1740	PRTERRINFO pErrInfo, const char *pszErrorTag)
1741	{
1742	AssertReturn(*phStore == NIL_RTCRSTORE, VERR_WRONG_ORDER);
1743	RT_NOREF1(pszErrorTag);
1744
1745	int rc = RTCrStoreCreateInMem(phStore, cCerts1 + cCerts2);
1746	if (RT_FAILURE(rc))
1747	return RTErrInfoSetF(pErrInfo, rc, "RTCrStoreCreateMemoryStore failed: %Rrc", rc);
1748
1749	rc = supHardNtViCertStoreAddArray(*phStore, paCerts1, cCerts1, pErrInfo);
1750	if (RT_SUCCESS(rc))
1751	rc = supHardNtViCertStoreAddArray(*phStore, paCerts2, cCerts2, pErrInfo);
1752	if (RT_SUCCESS(rc))
1753	rc = supHardNtViCertStoreAddArray(*phStore, paCerts3, cCerts3, pErrInfo);
1754	return rc;
1755	}
1756
1757
1758	#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
1759	/**
1760	* Initializes the windows paths.
1761	*/
1762	static void supHardenedWinInitImageVerifierWinPaths(void)
1763	{
1764	/*
1765	* Windows paths that we're interested in.
1766	*/
1767	static const struct
1768	{
1769	SUPSYSROOTDIRBUF *pNtPath;
1770	WCHAR const *pwszRegValue;
1771	const char *pszLogName;
1772	} s_aPaths[] =
1773	{
1774	{ &g_ProgramFilesNtPath, L"ProgramFilesDir", "ProgDir" },
1775	{ &g_CommonFilesNtPath, L"CommonFilesDir", "ComDir" },
1776	# ifdef RT_ARCH_AMD64
1777	{ &g_ProgramFilesX86NtPath, L"ProgramFilesDir (x86)", "ProgDir32" },
1778	{ &g_CommonFilesX86NtPath, L"CommonFilesDir (x86)", "ComDir32" },
1779	# endif
1780	};
1781
1782	/*
1783	* Open the registry key containing the paths.
1784	*/
1785	UNICODE_STRING NtName = RTNT_CONSTANT_UNISTR(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion");
1786	OBJECT_ATTRIBUTES ObjAttr;
1787	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1788	HANDLE hKey;
1789	NTSTATUS rcNt = NtOpenKey(&hKey, KEY_QUERY_VALUE, &ObjAttr);
1790	if (NT_SUCCESS(rcNt))
1791	{
1792	/*
1793	* Loop over the paths and resolve their NT paths.
1794	*/
1795	for (uint32_t i = 0; i < RT_ELEMENTS(s_aPaths); i++)
1796	{
1797	/*
1798	* Query the value first.
1799	*/
1800	UNICODE_STRING ValueName;
1801	ValueName.Buffer = (WCHAR *)s_aPaths[i].pwszRegValue;
1802	ValueName.Length = (USHORT)(RTUtf16Len(s_aPaths[i].pwszRegValue) * sizeof(WCHAR));
1803	ValueName.MaximumLength = ValueName.Length + sizeof(WCHAR);
1804
1805	union
1806	{
1807	KEY_VALUE_PARTIAL_INFORMATION PartialInfo;
1808	uint8_t abPadding[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(WCHAR) * 128];
1809	uint64_t uAlign;
1810	} uBuf;
1811
1812	ULONG cbActual = 0;
1813	rcNt = NtQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, &uBuf, sizeof(uBuf) - sizeof(WCHAR), &cbActual);
1814	if (NT_SUCCESS(rcNt))
1815	{
1816	/*
1817	* Must be a simple string value, terminate it.
1818	*/
1819	if ( uBuf.PartialInfo.Type == REG_EXPAND_SZ
1820	\|\| uBuf.PartialInfo.Type == REG_SZ)
1821	{
1822	/*
1823	* Expand any environment variable references before opening it.
1824	* We use the result buffer as storage for the expaneded path,
1825	* reserving space for the windows name space prefix.
1826	*/
1827	UNICODE_STRING Src;
1828	Src.Buffer = (WCHAR *)uBuf.PartialInfo.Data;
1829	Src.Length = uBuf.PartialInfo.DataLength;
1830	if (Src.Length >= sizeof(WCHAR) && Src.Buffer[Src.Length / sizeof(WCHAR) - 1] == '\0')
1831	Src.Length -= sizeof(WCHAR);
1832	Src.MaximumLength = Src.Length + sizeof(WCHAR);
1833	Src.Buffer[uBuf.PartialInfo.DataLength / sizeof(WCHAR)] = '\0';
1834
1835	s_aPaths[i].pNtPath->awcBuffer[0] = '\\';
1836	s_aPaths[i].pNtPath->awcBuffer[1] = '?';
1837	s_aPaths[i].pNtPath->awcBuffer[2] = '?';
1838	s_aPaths[i].pNtPath->awcBuffer[3] = '\\';
1839	UNICODE_STRING Dst;
1840	Dst.Buffer = &s_aPaths[i].pNtPath->awcBuffer[4];
1841	Dst.MaximumLength = sizeof(s_aPaths[i].pNtPath->awcBuffer) - sizeof(WCHAR) * 5;
1842	Dst.Length = Dst.MaximumLength;
1843
1844	if (uBuf.PartialInfo.Type == REG_EXPAND_SZ)
1845	rcNt = RtlExpandEnvironmentStrings_U(NULL, &Src, &Dst, NULL);
1846	else
1847	{
1848	memcpy(Dst.Buffer, Src.Buffer, Src.Length);
1849	Dst.Length = Src.Length;
1850	}
1851	if (NT_SUCCESS(rcNt))
1852	{
1853	Dst.Buffer[Dst.Length / sizeof(WCHAR)] = '\0';
1854
1855	/*
1856	* Include the \\??\\ prefix in the result and open the path.
1857	*/
1858	Dst.Buffer -= 4;
1859	Dst.Length += 4 * sizeof(WCHAR);
1860	Dst.MaximumLength += 4 * sizeof(WCHAR);
1861	InitializeObjectAttributes(&ObjAttr, &Dst, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
1862	HANDLE hFile = INVALID_HANDLE_VALUE;
1863	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
1864	NTSTATUS rcNt = NtCreateFile(&hFile,
1865	FILE_READ_DATA \| SYNCHRONIZE,
1866	&ObjAttr,
1867	&Ios,
1868	NULL /* Allocation Size*/,
1869	FILE_ATTRIBUTE_NORMAL,
1870	FILE_SHARE_READ \| FILE_SHARE_WRITE,
1871	FILE_OPEN,
1872	FILE_DIRECTORY_FILE \| FILE_OPEN_FOR_BACKUP_INTENT
1873	\| FILE_SYNCHRONOUS_IO_NONALERT,
1874	NULL /EaBuffer/,
1875	0 /EaLength/);
1876	if (NT_SUCCESS(rcNt))
1877	rcNt = Ios.Status;
1878	if (NT_SUCCESS(rcNt))
1879	{
1880	/*
1881	* Query the real NT name.
1882	*/
1883	ULONG cbIgn;
1884	rcNt = NtQueryObject(hFile,
1885	ObjectNameInformation,
1886	s_aPaths[i].pNtPath,
1887	sizeof(*s_aPaths[i].pNtPath) - sizeof(WCHAR),
1888	&cbIgn);
1889	if (NT_SUCCESS(rcNt))
1890	{
1891	if (s_aPaths[i].pNtPath->UniStr.Length > 0)
1892	{
1893	/* Make sure it's terminated.*/
1894	s_aPaths[i].pNtPath->UniStr.Buffer[s_aPaths[i].pNtPath->UniStr.Length / sizeof(WCHAR)] = '\0';
1895	SUP_DPRINTF(("%s:%*s %ls\n", s_aPaths[i].pszLogName, 9 - strlen(s_aPaths[i].pszLogName), "",
1896	s_aPaths[i].pNtPath->UniStr.Buffer));
1897	}
1898	else
1899	{
1900	SUP_DPRINTF(("%s: NtQueryObject returned empty string\n", s_aPaths[i].pszLogName));
1901	rcNt = STATUS_INVALID_PARAMETER;
1902	}
1903	}
1904	else
1905	SUP_DPRINTF(("%s: NtQueryObject failed: %#x\n", s_aPaths[i].pszLogName, rcNt));
1906	NtClose(hFile);
1907	}
1908	else
1909	SUP_DPRINTF(("%s: NtCreateFile failed: %#x (%ls)\n",
1910	s_aPaths[i].pszLogName, rcNt, Dst.Buffer));
1911	}
1912	else
1913	SUP_DPRINTF(("%s: RtlExpandEnvironmentStrings_U failed: %#x (%ls)\n",
1914	s_aPaths[i].pszLogName, rcNt, Src.Buffer));
1915	}
1916	else
1917	{
1918	SUP_DPRINTF(("%s: type mismatch: %#x\n", s_aPaths[i].pszLogName, uBuf.PartialInfo.Type));
1919	rcNt = STATUS_INVALID_PARAMETER;
1920	}
1921	}
1922	else
1923	SUP_DPRINTF(("%s: NtQueryValueKey failed: %#x\n", s_aPaths[i].pszLogName, rcNt));
1924
1925	/* Stub the entry on failure. */
1926	if (!NT_SUCCESS(rcNt))
1927	{
1928	s_aPaths[i].pNtPath->UniStr.Length = 0;
1929	s_aPaths[i].pNtPath->UniStr.Buffer = NULL;
1930	}
1931	}
1932	NtClose(hKey);
1933	}
1934	else
1935	{
1936	SUP_DPRINTF(("NtOpenKey(%ls) failed: %#x\n", NtName.Buffer, rcNt));
1937
1938	/* Stub all the entries on failure. */
1939	for (uint32_t i = 0; i < RT_ELEMENTS(s_aPaths); i++)
1940	{
1941	s_aPaths[i].pNtPath->UniStr.Length = 0;
1942	s_aPaths[i].pNtPath->UniStr.Buffer = NULL;
1943	}
1944	}
1945	}
1946	#endif /* IN_RING3 && !VBOX_PERMIT_EVEN_MORE */
1947
1948
1949	/**
1950	* This initializes the certificates globals so we don't have to reparse them
1951	* every time we need to verify an image.
1952	*
1953	* @returns IPRT status code.
1954	* @param pErrInfo Where to return extended error info. Optional.
1955	*/
1956	DECLHIDDEN(int) supHardenedWinInitImageVerifier(PRTERRINFO pErrInfo)
1957	{
1958	AssertReturn(!RTCrX509Certificate_IsPresent(&g_BuildX509Cert), VERR_WRONG_ORDER);
1959
1960	/*
1961	* Get the system root paths.
1962	*/
1963	int rc = supHardNtGetSystemRootDir(&g_System32NtPath, sizeof(g_System32NtPath), kSupHardNtSysRootDir_System32, pErrInfo);
1964	if (RT_SUCCESS(rc))
1965	rc = supHardNtGetSystemRootDir(&g_WinSxSNtPath, sizeof(g_WinSxSNtPath), kSupHardNtSysRootDir_WinSxS, pErrInfo);
1966	if (RT_SUCCESS(rc))
1967	{
1968	SUP_DPRINTF(("System32: %ls\n", g_System32NtPath.UniStr.Buffer));
1969	SUP_DPRINTF(("WinSxS: %ls\n", g_WinSxSNtPath.UniStr.Buffer));
1970	#if defined(IN_RING3) && !defined(VBOX_PERMIT_EVEN_MORE)
1971	supHardenedWinInitImageVerifierWinPaths();
1972	#endif
1973
1974	/*
1975	* Initialize it, leaving the cleanup to the termination call.
1976	*/
1977	rc = supHardNtViCertInit(&g_BuildX509Cert, g_abSUPBuildCert, g_cbSUPBuildCert, pErrInfo, "BuildCertificate");
1978	if (RT_SUCCESS(rc))
1979	rc = supHardNtViCertStoreInit(&g_hSpcRootStore, g_aSUPSpcRootTAs, g_cSUPSpcRootTAs,
1980	NULL, 0, NULL, 0, pErrInfo, "SpcRoot");
1981	if (RT_SUCCESS(rc))
1982	rc = supHardNtViCertStoreInit(&g_hNtKernelRootStore, g_aSUPNtKernelRootTAs, g_cSUPNtKernelRootTAs,
1983	NULL, 0, NULL, 0, pErrInfo, "NtKernelRoot");
1984	if (RT_SUCCESS(rc))
1985	rc = supHardNtViCertStoreInit(&g_hSpcAndNtKernelRootStore,
1986	g_aSUPSpcRootTAs, g_cSUPSpcRootTAs,
1987	g_aSUPNtKernelRootTAs, g_cSUPNtKernelRootTAs,
1988	g_aSUPTimestampTAs, g_cSUPTimestampTAs,
1989	pErrInfo, "SpcAndNtKernelRoot");
1990	if (RT_SUCCESS(rc))
1991	rc = supHardNtViCertStoreInit(&g_hSpcAndNtKernelSuppStore,
1992	NULL, 0, NULL, 0, NULL, 0,
1993	pErrInfo, "SpcAndNtKernelSupplemental");
1994
1995	#if 0 /* For the time being, always trust the build certificate. It bypasses the timestamp issues of CRT and SDL. */
1996	/* If the build certificate is a test singing certificate, it must be a
1997	trusted root or we'll fail to validate anything. */
1998	if ( RT_SUCCESS(rc)
1999	&& RTCrX509Name_Compare(&g_BuildX509Cert.TbsCertificate.Subject, &g_BuildX509Cert.TbsCertificate.Issuer) == 0)
2000	#else
2001	if (RT_SUCCESS(rc))
2002	#endif
2003	rc = RTCrStoreCertAddEncoded(g_hSpcAndNtKernelRootStore, RTCRCERTCTX_F_ENC_X509_DER,
2004	g_abSUPBuildCert, g_cbSUPBuildCert, pErrInfo);
2005
2006	if (RT_SUCCESS(rc))
2007	{
2008	/*
2009	* Finally initialize known SIDs that we use.
2010	*/
2011	SID_IDENTIFIER_AUTHORITY s_NtAuth = SECURITY_NT_AUTHORITY;
2012	NTSTATUS rcNt = RtlInitializeSid(&g_TrustedInstallerSid, &s_NtAuth, SECURITY_SERVICE_ID_RID_COUNT);
2013	if (NT_SUCCESS(rcNt))
2014	{
2015	*RtlSubAuthoritySid(&g_TrustedInstallerSid, 0) = SECURITY_SERVICE_ID_BASE_RID;
2016	*RtlSubAuthoritySid(&g_TrustedInstallerSid, 1) = 956008885;
2017	*RtlSubAuthoritySid(&g_TrustedInstallerSid, 2) = 3418522649;
2018	*RtlSubAuthoritySid(&g_TrustedInstallerSid, 3) = 1831038044;
2019	*RtlSubAuthoritySid(&g_TrustedInstallerSid, 4) = 1853292631;
2020	*RtlSubAuthoritySid(&g_TrustedInstallerSid, 5) = 2271478464;
2021
2022	rcNt = RtlInitializeSid(&g_LocalSystemSid, &s_NtAuth, 1);
2023	if (NT_SUCCESS(rcNt))
2024	{
2025	*RtlSubAuthoritySid(&g_LocalSystemSid, 0) = SECURITY_LOCAL_SYSTEM_RID;
2026
2027	rcNt = RtlInitializeSid(&g_AdminsGroupSid, &s_NtAuth, 2);
2028	if (NT_SUCCESS(rcNt))
2029	{
2030	*RtlSubAuthoritySid(&g_AdminsGroupSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
2031	*RtlSubAuthoritySid(&g_AdminsGroupSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
2032	return VINF_SUCCESS;
2033	}
2034	}
2035	}
2036	rc = RTErrConvertFromNtStatus(rcNt);
2037	}
2038	supHardenedWinTermImageVerifier();
2039	}
2040	return rc;
2041	}
2042
2043
2044	/**
2045	* Releases resources allocated by supHardenedWinInitImageVerifier.
2046	*/
2047	DECLHIDDEN(void) supHardenedWinTermImageVerifier(void)
2048	{
2049	if (RTCrX509Certificate_IsPresent(&g_BuildX509Cert))
2050	RTAsn1VtDelete(&g_BuildX509Cert.SeqCore.Asn1Core);
2051
2052	RTCrStoreRelease(g_hSpcAndNtKernelSuppStore);
2053	g_hSpcAndNtKernelSuppStore = NIL_RTCRSTORE;
2054	RTCrStoreRelease(g_hSpcAndNtKernelRootStore);
2055	g_hSpcAndNtKernelRootStore = NIL_RTCRSTORE;
2056
2057	RTCrStoreRelease(g_hNtKernelRootStore);
2058	g_hNtKernelRootStore = NIL_RTCRSTORE;
2059	RTCrStoreRelease(g_hSpcRootStore);
2060	g_hSpcRootStore = NIL_RTCRSTORE;
2061	}
2062
2063	#ifdef IN_RING3
2064
2065	/**
2066	* This is a hardcoded list of certificates we thing we might need.
2067	*
2068	* @returns true if wanted, false if not.
2069	* @param pCert The certificate.
2070	*/
2071	static bool supR3HardenedWinIsDesiredRootCA(PCRTCRX509CERTIFICATE pCert)
2072	{
2073	char szSubject[512];
2074	szSubject[sizeof(szSubject) - 1] = '\0';
2075	RTCrX509Name_FormatAsString(&pCert->TbsCertificate.Subject, szSubject, sizeof(szSubject) - 1, NULL);
2076
2077	/*
2078	* Check that it's a plausible root certificate.
2079	*/
2080	if (!RTCrX509Certificate_IsSelfSigned(pCert))
2081	{
2082	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - not-self-signed: %s\n", szSubject));
2083	return false;
2084	}
2085
2086	if (RTAsn1Integer_UnsignedCompareWithU32(&pCert->TbsCertificate.T0.Version, 3) > 0)
2087	{
2088	if ( !(pCert->TbsCertificate.T3.fExtKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN)
2089	&& (pCert->TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE) )
2090	{
2091	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - non-cert-sign: %s\n", szSubject));
2092	return false;
2093	}
2094	if ( pCert->TbsCertificate.T3.pBasicConstraints
2095	&& !pCert->TbsCertificate.T3.pBasicConstraints->CA.fValue)
2096	{
2097	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - non-CA: %s\n", szSubject));
2098	return false;
2099	}
2100	}
2101	if (pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.cBits < 256) /* mostly for u64KeyId reading. */
2102	{
2103	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - key too small: %u bits %s\n",
2104	pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.cBits, szSubject));
2105	return false;
2106	}
2107	uint64_t const u64KeyId = pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.uBits.pu64[1];
2108
2109	# if 0
2110	/*
2111	* Whitelist - Array of names and key clues of the certificates we want.
2112	*/
2113	static struct
2114	{
2115	uint64_t u64KeyId;
2116	const char *pszName;
2117	} const s_aWanted[] =
2118	{
2119	/* SPC */
2120	{ UINT64_C(0xffffffffffffffff), "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" },
2121	{ UINT64_C(0xffffffffffffffff), "L=Internet, O=VeriSign, Inc., OU=VeriSign Commercial Software Publishers CA" },
2122	{ UINT64_C(0x491857ead79dde00), "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority" },
2123
2124	/* TS */
2125	{ UINT64_C(0xffffffffffffffff), "O=Microsoft Trust Network, OU=Microsoft Corporation, OU=Microsoft Time Stamping Service Root, OU=Copyright (c) 1997 Microsoft Corp." },
2126	{ UINT64_C(0xffffffffffffffff), "O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign Time Stamping Service Root, OU=NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc." },
2127	{ UINT64_C(0xffffffffffffffff), "C=ZA, ST=Western Cape, L=Durbanville, O=Thawte, OU=Thawte Certification, CN=Thawte Timestamping CA" },
2128
2129	/* Additional Windows 8.1 list: */
2130	{ UINT64_C(0x5ad46780fa5df300), "DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority" },
2131	{ UINT64_C(0x3be670c1bd02a900), "OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority" },
2132	{ UINT64_C(0x4d3835aa4180b200), "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011" },
2133	{ UINT64_C(0x646e3fe3ba08df00), "C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority" },
2134	{ UINT64_C(0xece4e4289e08b900), "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010" },
2135	{ UINT64_C(0x59faf1086271bf00), "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" },
2136	{ UINT64_C(0x3d98ab22bb04a300), "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root" },
2137	{ UINT64_C(0x91e3728b8b40d000), "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority" },
2138	{ UINT64_C(0x61a3a33f81aace00), "C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Object" },
2139	{ UINT64_C(0x9e5bc2d78b6a3636), "C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, Email=premium-server@thawte.com" },
2140	{ UINT64_C(0xf4fd306318ccda00), "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA" },
2141	{ UINT64_C(0xa0ee62086758b15d), "C=US, O=Equifax, OU=Equifax Secure Certificate Authority" },
2142	{ UINT64_C(0x8ff6fc03c1edbd00), "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2" },
2143	{ UINT64_C(0xa3ce8d99e60eda00), "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA" },
2144	{ UINT64_C(0xa671e9fec832b700), "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority" },
2145	{ UINT64_C(0xa8de7211e13be200), "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA" },
2146	{ UINT64_C(0x0ff3891b54348328), "C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.netSecure Server Certification Authority" },
2147	{ UINT64_C(0x7ae89c50f0b6a00f), "C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root" },
2148	{ UINT64_C(0xd45980fbf0a0ac00), "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA" },
2149	{ UINT64_C(0x9e5bc2d78b6a3636), "C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, Email=premium-server@thawte.com" },
2150	{ UINT64_C(0x7c4fd32ec1b1ce00), "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" },
2151	{ UINT64_C(0xd4fbe673e5ccc600), "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" },
2152	{ UINT64_C(0x16e64d2a56ccf200), "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certificates.starfieldtech.com/repository/, CN=Starfield Services Root Certificate Authority" },
2153	{ UINT64_C(0x6e2ba21058eedf00), "C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC" },
2154	{ UINT64_C(0xb28612a94b4dad00), "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.netCertification Authority (2048)" },
2155	{ UINT64_C(0x357a29080824af00), "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class3 Public Primary Certification Authority - G5" },
2156	{ UINT64_C(0x466cbc09db88c100), "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority" },
2157	{ UINT64_C(0x9259c8abe5ca713a), "L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com/, Email=info@valicert.com" },
2158	{ UINT64_C(0x1f78fc529cbacb00), "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class3 Public Primary Certification Authority - G3" },
2159	{ UINT64_C(0x8043e4ce150ead00), "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA" },
2160	{ UINT64_C(0x00f2e6331af7b700), "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" },
2161	};
2162
2163
2164	uint32_t i = RT_ELEMENTS(s_aWanted);
2165	while (i-- > 0)
2166	if ( s_aWanted[i].u64KeyId == u64KeyId
2167	\|\| s_aWanted[i].u64KeyId == UINT64_MAX)
2168	if (RTCrX509Name_MatchWithString(&pCert->TbsCertificate.Subject, s_aWanted[i].pszName))
2169	{
2170	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: Adding %#llx %s\n", u64KeyId, szSubject));
2171	return true;
2172	}
2173
2174	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping %#llx %s\n", u64KeyId, szSubject));
2175	return false;
2176	# else
2177	/*
2178	* Blacklist approach.
2179	*/
2180	static struct
2181	{
2182	uint64_t u64KeyId;
2183	const char *pszName;
2184	} const s_aUnwanted[] =
2185	{
2186	{ UINT64_C(0xffffffffffffffff), "C=US, O=U.S. Robots and Mechanical Men, Inc., OU=V.I.K.I." }, /* dummy entry */
2187	};
2188
2189	uint32_t i = RT_ELEMENTS(s_aUnwanted);
2190	while (i-- > 0)
2191	if ( s_aUnwanted[i].u64KeyId == u64KeyId
2192	\|\| s_aUnwanted[i].u64KeyId == UINT64_MAX)
2193	if (RTCrX509Name_MatchWithString(&pCert->TbsCertificate.Subject, s_aUnwanted[i].pszName))
2194	{
2195	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - blacklisted: %#llx %s\n", u64KeyId, szSubject));
2196	return false;
2197	}
2198
2199	SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: Adding %#llx %s\n", u64KeyId, szSubject));
2200	return true;
2201	# endif
2202	}
2203
2204
2205	/**
2206	* Loads a module in the system32 directory.
2207	*
2208	* @returns Module handle on success. Won't return on failure if fMandatory = true.
2209	* @param pszName The name of the DLL to load.
2210	* @param fMandatory Whether the library is mandatory.
2211	*/
2212	DECLHIDDEN(HMODULE) supR3HardenedWinLoadSystem32Dll(const char *pszName, bool fMandatory)
2213	{
2214	WCHAR wszName[200+60];
2215	UINT cwcDir = GetSystemDirectoryW(wszName, RT_ELEMENTS(wszName) - 60);
2216	wszName[cwcDir] = '\\';
2217	RTUtf16CopyAscii(&wszName[cwcDir + 1], RT_ELEMENTS(wszName) - cwcDir, pszName);
2218
2219	DWORD fFlags = 0;
2220	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))
2221	fFlags = LOAD_LIBRARY_SEARCH_SYSTEM32;
2222	HMODULE hMod = LoadLibraryExW(wszName, NULL, fFlags);
2223	if ( hMod == NULL
2224	&& fFlags
2225	&& g_uNtVerCombined < SUP_MAKE_NT_VER_SIMPLE(6, 2)
2226	&& RtlGetLastWin32Error() == ERROR_INVALID_PARAMETER)
2227	{
2228	fFlags = 0;
2229	hMod = LoadLibraryExW(wszName, NULL, fFlags);
2230	}
2231	if ( hMod == NULL
2232	&& fMandatory)
2233	supR3HardenedFatal("Error loading '%s': %u [%ls]", pszName, RtlGetLastWin32Error(), wszName);
2234	return hMod;
2235	}
2236
2237
2238	/**
2239	* Called by supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation to
2240	* import selected root CAs from the system certificate store.
2241	*
2242	* These certificates permits us to correctly validate third party DLLs.
2243	*/
2244	static void supR3HardenedWinRetrieveTrustedRootCAs(void)
2245	{
2246	uint32_t cAdded = 0;
2247
2248	/*
2249	* Load crypt32.dll and resolve the APIs we need.
2250	*/
2251	HMODULE hCrypt32 = supR3HardenedWinLoadSystem32Dll("crypt32.dll", true /fMandatory/);
2252
2253	#define RESOLVE_CRYPT32_API(a_Name, a_pfnType) \
2254	a_pfnType pfn##a_Name = (a_pfnType)GetProcAddress(hCrypt32, #a_Name); \
2255	if (pfn##a_Name == NULL) supR3HardenedFatal("Error locating '" #a_Name "' in 'crypt32.dll': %u", RtlGetLastWin32Error())
2256	RESOLVE_CRYPT32_API(CertOpenStore, PFNCERTOPENSTORE);
2257	RESOLVE_CRYPT32_API(CertCloseStore, PFNCERTCLOSESTORE);
2258	RESOLVE_CRYPT32_API(CertEnumCertificatesInStore, PFNCERTENUMCERTIFICATESINSTORE);
2259	#undef RESOLVE_CRYPT32_API
2260
2261	/*
2262	* Open the root store and look for the certificates we wish to use.
2263	*/
2264	DWORD fOpenStore = CERT_STORE_OPEN_EXISTING_FLAG \| CERT_STORE_READONLY_FLAG;
2265	HCERTSTORE hStore = pfnCertOpenStore(CERT_STORE_PROV_SYSTEM_W, PKCS_7_ASN_ENCODING \| X509_ASN_ENCODING,
2266	NULL /* hCryptProv = default */, CERT_SYSTEM_STORE_LOCAL_MACHINE \| fOpenStore, L"Root");
2267	if (!hStore)
2268	hStore = pfnCertOpenStore(CERT_STORE_PROV_SYSTEM_W, PKCS_7_ASN_ENCODING \| X509_ASN_ENCODING,
2269	NULL /* hCryptProv = default */, CERT_SYSTEM_STORE_CURRENT_USER \| fOpenStore, L"Root");
2270	if (hStore)
2271	{
2272	PCCERT_CONTEXT pCurCtx = NULL;
2273	while ((pCurCtx = pfnCertEnumCertificatesInStore(hStore, pCurCtx)) != NULL)
2274	{
2275	if (pCurCtx->dwCertEncodingType & X509_ASN_ENCODING)
2276	{
2277	RTERRINFOSTATIC StaticErrInfo;
2278	RTASN1CURSORPRIMARY PrimaryCursor;
2279	RTAsn1CursorInitPrimary(&PrimaryCursor, pCurCtx->pbCertEncoded, pCurCtx->cbCertEncoded,
2280	RTErrInfoInitStatic(&StaticErrInfo),
2281	&g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, "CurCtx");
2282	RTCRX509CERTIFICATE MyCert;
2283	int rc = RTCrX509Certificate_DecodeAsn1(&PrimaryCursor.Cursor, 0, &MyCert, "Cert");
2284	if (RT_SUCCESS(rc))
2285	{
2286	if (supR3HardenedWinIsDesiredRootCA(&MyCert))
2287	{
2288	rc = RTCrStoreCertAddEncoded(g_hSpcRootStore, RTCRCERTCTX_F_ENC_X509_DER,
2289	pCurCtx->pbCertEncoded, pCurCtx->cbCertEncoded, NULL /pErrInfo/);
2290	AssertRC(rc);
2291
2292	rc = RTCrStoreCertAddEncoded(g_hSpcAndNtKernelRootStore, RTCRCERTCTX_F_ENC_X509_DER,
2293	pCurCtx->pbCertEncoded, pCurCtx->cbCertEncoded, NULL /pErrInfo/);
2294	AssertRC(rc);
2295	cAdded++;
2296	}
2297
2298	RTCrX509Certificate_Delete(&MyCert);
2299	}
2300	/* XP root certificate "C&W HKT SecureNet CA SGC Root" has non-standard validity
2301	timestamps, the UTC formatting isn't Zulu time but specifies timezone offsets.
2302	Ignore these failures and certificates. */
2303	else if (rc != VERR_ASN1_INVALID_UTC_TIME_ENCODING)
2304	AssertMsgFailed(("RTCrX509Certificate_DecodeAsn1 failed: rc=%#x: %s\n", rc, StaticErrInfo.szMsg));
2305	}
2306	}
2307	pfnCertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG);
2308	g_fHaveOtherRoots = true;
2309	}
2310	SUP_DPRINTF(("supR3HardenedWinRetrieveTrustedRootCAs: cAdded=%u\n", cAdded));
2311	}
2312
2313
2314	/**
2315	* Resolves the WinVerifyTrust API after the process has been verified and
2316	* installs a thread creation hook.
2317	*
2318	* The WinVerifyTrust API is used in addition our own Authenticode verification
2319	* code. If the image has the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag
2320	* set, it will be checked again by the kernel. All our image has this flag set
2321	* and we require all VBox extensions to have it set as well. In effect, the
2322	* authenticode signature will be checked two or three times.
2323	*
2324	* @param pszProgName The program name.
2325	*/
2326	DECLHIDDEN(void) supR3HardenedWinResolveVerifyTrustApiAndHookThreadCreation(const char *pszProgName)
2327	{
2328	# ifdef IN_SUP_HARDENED_R3
2329	/*
2330	* Load our the support library DLL that does the thread hooking as the
2331	* security API may trigger the creation of COM worker threads (or
2332	* whatever they are).
2333	*
2334	* The thread creation hook makes the threads very slippery to debuggers by
2335	* irreversably disabling most (if not all) debug events for them.
2336	*/
2337	char szPath[RTPATH_MAX];
2338	supR3HardenedPathAppSharedLibs(szPath, sizeof(szPath) - sizeof("/VBoxSupLib.DLL"));
2339	suplibHardenedStrCat(szPath, "/VBoxSupLib.DLL");
2340	HMODULE hSupLibMod = (HMODULE)supR3HardenedWinLoadLibrary(szPath, true /fSystem32Only/, 0 /fMainFlags/);
2341	if (hSupLibMod == NULL)
2342	supR3HardenedFatal("Error loading '%s': %u", szPath, RtlGetLastWin32Error());
2343	# endif
2344
2345	/*
2346	* Allocate TLS entry for WinVerifyTrust recursion prevention.
2347	*/
2348	DWORD iTls = TlsAlloc();
2349	if (iTls != TLS_OUT_OF_INDEXES)
2350	g_iTlsWinVerifyTrustRecursion = iTls;
2351	else
2352	supR3HardenedError(RtlGetLastWin32Error(), false /fFatal/, "TlsAlloc failed");
2353
2354	/*
2355	* Resolve the imports we need.
2356	*/
2357	HMODULE hWintrust = supR3HardenedWinLoadSystem32Dll("Wintrust.dll", true /fMandatory/);
2358	#define RESOLVE_CRYPT_API(a_Name, a_pfnType, a_uMinWinVer) \
2359	do { \
2360	g_pfn##a_Name = (a_pfnType)GetProcAddress(hWintrust, #a_Name); \
2361	if (g_pfn##a_Name == NULL && (a_uMinWinVer) < g_uNtVerCombined) \
2362	supR3HardenedFatal("Error locating '" #a_Name "' in 'Wintrust.dll': %u", RtlGetLastWin32Error()); \
2363	} while (0)
2364
2365	PFNWINVERIFYTRUST pfnWinVerifyTrust = (PFNWINVERIFYTRUST)GetProcAddress(hWintrust, "WinVerifyTrust");
2366	if (!pfnWinVerifyTrust)
2367	supR3HardenedFatal("Error locating 'WinVerifyTrust' in 'Wintrust.dll': %u", RtlGetLastWin32Error());
2368
2369	RESOLVE_CRYPT_API(CryptCATAdminAcquireContext, PFNCRYPTCATADMINACQUIRECONTEXT, 0);
2370	RESOLVE_CRYPT_API(CryptCATAdminCalcHashFromFileHandle, PFNCRYPTCATADMINCALCHASHFROMFILEHANDLE, 0);
2371	RESOLVE_CRYPT_API(CryptCATAdminEnumCatalogFromHash, PFNCRYPTCATADMINENUMCATALOGFROMHASH, 0);
2372	RESOLVE_CRYPT_API(CryptCATAdminReleaseCatalogContext, PFNCRYPTCATADMINRELEASECATALOGCONTEXT, 0);
2373	RESOLVE_CRYPT_API(CryptCATAdminReleaseContext, PFNCRYPTCATDADMINRELEASECONTEXT, 0);
2374	RESOLVE_CRYPT_API(CryptCATCatalogInfoFromContext, PFNCRYPTCATCATALOGINFOFROMCONTEXT, 0);
2375
2376	RESOLVE_CRYPT_API(CryptCATAdminAcquireContext2, PFNCRYPTCATADMINACQUIRECONTEXT2, SUP_NT_VER_W80);
2377	RESOLVE_CRYPT_API(CryptCATAdminCalcHashFromFileHandle2, PFNCRYPTCATADMINCALCHASHFROMFILEHANDLE2, SUP_NT_VER_W80);
2378
2379	# ifdef IN_SUP_HARDENED_R3
2380	/*
2381	* Load bcrypt.dll and instantiate a few hashing and signing providers to
2382	* make sure the providers are cached for later us. Avoid recursion issues.
2383	*/
2384	HMODULE hBCrypt = supR3HardenedWinLoadSystem32Dll("bcrypt.dll", false /fMandatory/);
2385	if (hBCrypt)
2386	{
2387	PFNBCRYPTOPENALGORTIHMPROVIDER pfnOpenAlgoProvider;
2388	pfnOpenAlgoProvider = (PFNBCRYPTOPENALGORTIHMPROVIDER)GetProcAddress(hBCrypt, "BCryptOpenAlgorithmProvider");
2389	if (pfnOpenAlgoProvider)
2390	{
2391	SUP_DPRINTF(("bcrypt.dll loaded at %p, BCryptOpenAlgorithmProvider at %p, preloading providers:\n",
2392	hBCrypt, pfnOpenAlgoProvider));
2393	# define PRELOAD_ALGO_PROVIDER(a_Name) \
2394	do { \
2395	BCRYPT_ALG_HANDLE hAlgo = NULL; \
2396	NTSTATUS rcNt = pfnOpenAlgoProvider(&hAlgo, a_Name, NULL, 0); \
2397	SUP_DPRINTF(("%sBCryptOpenAlgorithmProvider(,'%ls',0,0) -> %#x (hAlgo=%p)\n", \
2398	NT_SUCCESS(rcNt) ? " " : "warning: ", a_Name, rcNt, hAlgo)); \
2399	} while (0)
2400	PRELOAD_ALGO_PROVIDER(BCRYPT_MD2_ALGORITHM);
2401	PRELOAD_ALGO_PROVIDER(BCRYPT_MD4_ALGORITHM);
2402	PRELOAD_ALGO_PROVIDER(BCRYPT_MD5_ALGORITHM);
2403	PRELOAD_ALGO_PROVIDER(BCRYPT_SHA1_ALGORITHM);
2404	PRELOAD_ALGO_PROVIDER(BCRYPT_SHA256_ALGORITHM);
2405	PRELOAD_ALGO_PROVIDER(BCRYPT_SHA512_ALGORITHM);
2406	PRELOAD_ALGO_PROVIDER(BCRYPT_RSA_ALGORITHM);
2407	PRELOAD_ALGO_PROVIDER(BCRYPT_DSA_ALGORITHM);
2408	# undef PRELOAD_ALGO_PROVIDER
2409	}
2410	else
2411	SUP_DPRINTF(("Warning! Failed to find BCryptOpenAlgorithmProvider in bcrypt.dll\n"));
2412	}
2413	else
2414	SUP_DPRINTF(("Warning! Failed to load bcrypt.dll\n"));
2415
2416	/*
2417	* Call the verification API on ourselves and ntdll to make sure it works
2418	* and loads more stuff it needs, preventing any recursive fun we'd run
2419	* into after we set g_pfnWinVerifyTrust.
2420	*/
2421	RTERRINFOSTATIC ErrInfoStatic;
2422	RTErrInfoInitStatic(&ErrInfoStatic);
2423	int rc = supR3HardNtViCallWinVerifyTrust(NULL, g_SupLibHardenedExeNtPath.UniStr.Buffer, 0,
2424	&ErrInfoStatic.Core, pfnWinVerifyTrust, NULL);
2425	if (RT_FAILURE(rc))
2426	supR3HardenedFatalMsg(pszProgName, kSupInitOp_Integrity, rc,
2427	"WinVerifyTrust failed on stub executable: %s", ErrInfoStatic.szMsg);
2428	# else
2429	RT_NOREF1(pszProgName);
2430	# endif
2431
2432	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0)) /* ntdll isn't signed on XP, assuming this is the case on W2K3 for now. */
2433	supR3HardNtViCallWinVerifyTrust(NULL, L"\\SystemRoot\\System32\\ntdll.dll", 0, NULL, pfnWinVerifyTrust, NULL);
2434	supR3HardNtViCallWinVerifyTrustCatFile(NULL, L"\\SystemRoot\\System32\\ntdll.dll", 0, NULL, pfnWinVerifyTrust);
2435
2436	g_pfnWinVerifyTrust = pfnWinVerifyTrust;
2437	SUP_DPRINTF(("g_pfnWinVerifyTrust=%p\n", pfnWinVerifyTrust));
2438
2439	# ifdef IN_SUP_HARDENED_R3
2440	/*
2441	* Load some problematic DLLs into the verifier cache to prevent
2442	* recursion trouble.
2443	*/
2444	supR3HardenedWinVerifyCachePreload(L"\\SystemRoot\\System32\\crypt32.dll");
2445	supR3HardenedWinVerifyCachePreload(L"\\SystemRoot\\System32\\Wintrust.dll");
2446	# endif
2447
2448	/*
2449	* Now, get trusted root CAs so we can verify a broader scope of signatures.
2450	*/
2451	supR3HardenedWinRetrieveTrustedRootCAs();
2452	}
2453
2454
2455	static int supR3HardNtViNtToWinPath(PCRTUTF16 pwszNtName, PCRTUTF16 *ppwszWinPath,
2456	PRTUTF16 pwszWinPathBuf, size_t cwcWinPathBuf)
2457	{
2458	static const RTUTF16 s_wszPrefix[] = L"\\\\.\\GLOBALROOT";
2459
2460	if (pwszNtName != '\\' && pwszNtName != '/')
2461	return VERR_PATH_DOES_NOT_START_WITH_ROOT;
2462
2463	size_t cwcNtName = RTUtf16Len(pwszNtName);
2464	if (RT_ELEMENTS(s_wszPrefix) + cwcNtName > cwcWinPathBuf)
2465	return VERR_FILENAME_TOO_LONG;
2466
2467	memcpy(pwszWinPathBuf, s_wszPrefix, sizeof(s_wszPrefix));
2468	memcpy(&pwszWinPathBuf[sizeof(s_wszPrefix) / sizeof(RTUTF16) - 1], pwszNtName, (cwcNtName + 1) * sizeof(RTUTF16));
2469	*ppwszWinPath = pwszWinPathBuf;
2470	return VINF_SUCCESS;
2471	}
2472
2473
2474	/**
2475	* Calls WinVerifyTrust to verify an PE image.
2476	*
2477	* @returns VBox status code.
2478	* @param hFile File handle to the executable file.
2479	* @param pwszName Full NT path to the DLL in question, used for
2480	* dealing with unsigned system dlls as well as for
2481	* error/logging.
2482	* @param fFlags Flags, SUPHNTVI_F_XXX.
2483	* @param pErrInfo Pointer to error info structure. Optional.
2484	* @param pfnWinVerifyTrust Pointer to the API.
2485	* @param phrcWinVerifyTrust Where to WinVerifyTrust error status on failure,
2486	* optional.
2487	*/
2488	static int supR3HardNtViCallWinVerifyTrust(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, PRTERRINFO pErrInfo,
2489	PFNWINVERIFYTRUST pfnWinVerifyTrust, HRESULT *phrcWinVerifyTrust)
2490	{
2491	RT_NOREF1(fFlags);
2492	if (phrcWinVerifyTrust)
2493	*phrcWinVerifyTrust = S_OK;
2494
2495	/*
2496	* Convert the name into a Windows name.
2497	*/
2498	RTUTF16 wszWinPathBuf[MAX_PATH];
2499	PCRTUTF16 pwszWinPath;
2500	int rc = supR3HardNtViNtToWinPath(pwszName, &pwszWinPath, wszWinPathBuf, RT_ELEMENTS(wszWinPathBuf));
2501	if (RT_FAILURE(rc))
2502	return RTErrInfoSetF(pErrInfo, rc, "Bad path passed to supR3HardNtViCallWinVerifyTrust: rc=%Rrc '%ls'", rc, pwszName);
2503
2504	/*
2505	* Construct input parameters and call the API.
2506	*/
2507	WINTRUST_FILE_INFO FileInfo;
2508	RT_ZERO(FileInfo);
2509	FileInfo.cbStruct = sizeof(FileInfo);
2510	FileInfo.pcwszFilePath = pwszWinPath;
2511	FileInfo.hFile = hFile;
2512
2513	GUID PolicyActionGuid = WINTRUST_ACTION_GENERIC_VERIFY_V2;
2514
2515	WINTRUST_DATA TrustData;
2516	RT_ZERO(TrustData);
2517	TrustData.cbStruct = sizeof(TrustData);
2518	TrustData.fdwRevocationChecks = WTD_REVOKE_NONE; /* Keep simple for now. */
2519	TrustData.dwStateAction = WTD_STATEACTION_VERIFY;
2520	TrustData.dwUIChoice = WTD_UI_NONE;
2521	TrustData.dwProvFlags = 0;
2522	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))
2523	TrustData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL;
2524	else
2525	TrustData.dwProvFlags = WTD_REVOCATION_CHECK_NONE;
2526	TrustData.dwUnionChoice = WTD_CHOICE_FILE;
2527	TrustData.pFile = &FileInfo;
2528
2529	HRESULT hrc = pfnWinVerifyTrust(NULL /hwnd/, &PolicyActionGuid, &TrustData);
2530	# ifdef DEBUG_bird /* TEMP HACK */
2531	if (hrc == CERT_E_EXPIRED)
2532	hrc = S_OK;
2533	# endif
2534	if (hrc == S_OK)
2535	rc = VINF_SUCCESS;
2536	else
2537	{
2538	/*
2539	* Failed. Format a nice error message.
2540	*/
2541	# ifdef DEBUG_bird
2542	if (hrc != CERT_E_CHAINING /* Un-updated vistas, XPs, ++ */)
2543	__debugbreak();
2544	# endif
2545	const char *pszErrConst = NULL;
2546	switch (hrc)
2547	{
2548	case TRUST_E_SYSTEM_ERROR: pszErrConst = "TRUST_E_SYSTEM_ERROR"; break;
2549	case TRUST_E_NO_SIGNER_CERT: pszErrConst = "TRUST_E_NO_SIGNER_CERT"; break;
2550	case TRUST_E_COUNTER_SIGNER: pszErrConst = "TRUST_E_COUNTER_SIGNER"; break;
2551	case TRUST_E_CERT_SIGNATURE: pszErrConst = "TRUST_E_CERT_SIGNATURE"; break;
2552	case TRUST_E_TIME_STAMP: pszErrConst = "TRUST_E_TIME_STAMP"; break;
2553	case TRUST_E_BAD_DIGEST: pszErrConst = "TRUST_E_BAD_DIGEST"; break;
2554	case TRUST_E_BASIC_CONSTRAINTS: pszErrConst = "TRUST_E_BASIC_CONSTRAINTS"; break;
2555	case TRUST_E_FINANCIAL_CRITERIA: pszErrConst = "TRUST_E_FINANCIAL_CRITERIA"; break;
2556	case TRUST_E_PROVIDER_UNKNOWN: pszErrConst = "TRUST_E_PROVIDER_UNKNOWN"; break;
2557	case TRUST_E_ACTION_UNKNOWN: pszErrConst = "TRUST_E_ACTION_UNKNOWN"; break;
2558	case TRUST_E_SUBJECT_FORM_UNKNOWN: pszErrConst = "TRUST_E_SUBJECT_FORM_UNKNOWN"; break;
2559	case TRUST_E_SUBJECT_NOT_TRUSTED: pszErrConst = "TRUST_E_SUBJECT_NOT_TRUSTED"; break;
2560	case TRUST_E_NOSIGNATURE: pszErrConst = "TRUST_E_NOSIGNATURE"; break;
2561	case TRUST_E_FAIL: pszErrConst = "TRUST_E_FAIL"; break;
2562	case TRUST_E_EXPLICIT_DISTRUST: pszErrConst = "TRUST_E_EXPLICIT_DISTRUST"; break;
2563	case CERT_E_EXPIRED: pszErrConst = "CERT_E_EXPIRED"; break;
2564	case CERT_E_VALIDITYPERIODNESTING: pszErrConst = "CERT_E_VALIDITYPERIODNESTING"; break;
2565	case CERT_E_ROLE: pszErrConst = "CERT_E_ROLE"; break;
2566	case CERT_E_PATHLENCONST: pszErrConst = "CERT_E_PATHLENCONST"; break;
2567	case CERT_E_CRITICAL: pszErrConst = "CERT_E_CRITICAL"; break;
2568	case CERT_E_PURPOSE: pszErrConst = "CERT_E_PURPOSE"; break;
2569	case CERT_E_ISSUERCHAINING: pszErrConst = "CERT_E_ISSUERCHAINING"; break;
2570	case CERT_E_MALFORMED: pszErrConst = "CERT_E_MALFORMED"; break;
2571	case CERT_E_UNTRUSTEDROOT: pszErrConst = "CERT_E_UNTRUSTEDROOT"; break;
2572	case CERT_E_CHAINING: pszErrConst = "CERT_E_CHAINING"; break;
2573	case CERT_E_REVOKED: pszErrConst = "CERT_E_REVOKED"; break;
2574	case CERT_E_UNTRUSTEDTESTROOT: pszErrConst = "CERT_E_UNTRUSTEDTESTROOT"; break;
2575	case CERT_E_REVOCATION_FAILURE: pszErrConst = "CERT_E_REVOCATION_FAILURE"; break;
2576	case CERT_E_CN_NO_MATCH: pszErrConst = "CERT_E_CN_NO_MATCH"; break;
2577	case CERT_E_WRONG_USAGE: pszErrConst = "CERT_E_WRONG_USAGE"; break;
2578	case CERT_E_UNTRUSTEDCA: pszErrConst = "CERT_E_UNTRUSTEDCA"; break;
2579	case CERT_E_INVALID_POLICY: pszErrConst = "CERT_E_INVALID_POLICY"; break;
2580	case CERT_E_INVALID_NAME: pszErrConst = "CERT_E_INVALID_NAME"; break;
2581	case CRYPT_E_FILE_ERROR: pszErrConst = "CRYPT_E_FILE_ERROR"; break;
2582	case CRYPT_E_REVOKED: pszErrConst = "CRYPT_E_REVOKED"; break;
2583	}
2584	if (pszErrConst)
2585	rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_UNSUPPORTED_ARCH,
2586	"WinVerifyTrust failed with hrc=%s on '%ls'", pszErrConst, pwszName);
2587	else
2588	rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_UNSUPPORTED_ARCH,
2589	"WinVerifyTrust failed with hrc=%Rhrc on '%ls'", hrc, pwszName);
2590	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrust: WinVerifyTrust failed with %#x (%s) on '%ls'\n",
2591	hrc, pszErrConst, pwszName));
2592	if (phrcWinVerifyTrust)
2593	*phrcWinVerifyTrust = hrc;
2594	}
2595
2596	/* clean up state data. */
2597	TrustData.dwStateAction = WTD_STATEACTION_CLOSE;
2598	FileInfo.hFile = NULL;
2599	hrc = pfnWinVerifyTrust(NULL /hwnd/, &PolicyActionGuid, &TrustData);
2600
2601	return rc;
2602	}
2603
2604
2605	/**
2606	* Calls WinVerifyTrust to verify an PE image via catalog files.
2607	*
2608	* @returns VBox status code.
2609	* @param hFile File handle to the executable file.
2610	* @param pwszName Full NT path to the DLL in question, used for
2611	* dealing with unsigned system dlls as well as for
2612	* error/logging.
2613	* @param fFlags Flags, SUPHNTVI_F_XXX.
2614	* @param pErrInfo Pointer to error info structure. Optional.
2615	* @param pfnWinVerifyTrust Pointer to the API.
2616	*/
2617	static int supR3HardNtViCallWinVerifyTrustCatFile(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, PRTERRINFO pErrInfo,
2618	PFNWINVERIFYTRUST pfnWinVerifyTrust)
2619	{
2620	RT_NOREF1(fFlags);
2621	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: hFile=%p pwszName=%ls\n", hFile, pwszName));
2622
2623	/*
2624	* Convert the name into a Windows name.
2625	*/
2626	RTUTF16 wszWinPathBuf[MAX_PATH];
2627	PCRTUTF16 pwszWinPath;
2628	int rc = supR3HardNtViNtToWinPath(pwszName, &pwszWinPath, wszWinPathBuf, RT_ELEMENTS(wszWinPathBuf));
2629	if (RT_FAILURE(rc))
2630	return RTErrInfoSetF(pErrInfo, rc, "Bad path passed to supR3HardNtViCallWinVerifyTrustCatFile: rc=%Rrc '%ls'", rc, pwszName);
2631
2632	/*
2633	* Open the file if we didn't get a handle.
2634	*/
2635	HANDLE hFileClose = NULL;
2636	if (hFile == RTNT_INVALID_HANDLE_VALUE \|\| hFile == NULL)
2637	{
2638	hFile = RTNT_INVALID_HANDLE_VALUE;
2639	IO_STATUS_BLOCK Ios = RTNT_IO_STATUS_BLOCK_INITIALIZER;
2640
2641	UNICODE_STRING NtName;
2642	NtName.Buffer = (PWSTR)pwszName;
2643	NtName.Length = (USHORT)(RTUtf16Len(pwszName) * sizeof(WCHAR));
2644	NtName.MaximumLength = NtName.Length + sizeof(WCHAR);
2645
2646	OBJECT_ATTRIBUTES ObjAttr;
2647	InitializeObjectAttributes(&ObjAttr, &NtName, OBJ_CASE_INSENSITIVE, NULL /hRootDir/, NULL /pSecDesc/);
2648
2649	NTSTATUS rcNt = NtCreateFile(&hFile,
2650	FILE_READ_DATA \| READ_CONTROL \| SYNCHRONIZE,
2651	&ObjAttr,
2652	&Ios,
2653	NULL /* Allocation Size*/,
2654	FILE_ATTRIBUTE_NORMAL,
2655	FILE_SHARE_READ,
2656	FILE_OPEN,
2657	FILE_NON_DIRECTORY_FILE \| FILE_SYNCHRONOUS_IO_NONALERT,
2658	NULL /EaBuffer/,
2659	0 /EaLength/);
2660	if (NT_SUCCESS(rcNt))
2661	rcNt = Ios.Status;
2662	if (!NT_SUCCESS(rcNt))
2663	return RTErrInfoSetF(pErrInfo, RTErrConvertFromNtStatus(rcNt),
2664	"NtCreateFile returned %#x opening '%ls'.", rcNt, pwszName);
2665	hFileClose = hFile;
2666	}
2667
2668	/*
2669	* On Windows 8.0 and later there are more than one digest choice.
2670	*/
2671	int fNoSignedCatalogFound = -1;
2672	rc = VERR_LDRVI_NOT_SIGNED;
2673	static struct
2674	{
2675	/** The digest algorithm name. */
2676	const WCHAR *pszAlgorithm;
2677	/** Cached catalog admin handle. */
2678	HCATADMIN volatile hCachedCatAdmin;
2679	} s_aHashes[] =
2680	{
2681	{ NULL, NULL },
2682	{ L"SHA256", NULL },
2683	};
2684	for (uint32_t i = 0; i < RT_ELEMENTS(s_aHashes); i++)
2685	{
2686	/*
2687	* Another loop for dealing with different trust provider policies
2688	* required for successfully validating different catalog signatures.
2689	*/
2690	bool fTryNextPolicy;
2691	uint32_t iPolicy = 0;
2692	static const GUID s_aPolicies[] =
2693	{
2694	DRIVER_ACTION_VERIFY, /* Works with microsoft bits. Most frequently used, thus first. */
2695	WINTRUST_ACTION_GENERIC_VERIFY_V2, /* Works with ATI and other SPC kernel-code signed stuff. */
2696	};
2697	do
2698	{
2699	/*
2700	* Create a context.
2701	*/
2702	fTryNextPolicy = false;
2703	bool fFreshContext = false;
2704	BOOL fRc;
2705	HCATADMIN hCatAdmin = ASMAtomicXchgPtr(&s_aHashes[i].hCachedCatAdmin, NULL);
2706	if (hCatAdmin)
2707	{
2708	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: Cached context %p\n", hCatAdmin));
2709	fFreshContext = false;
2710	fRc = TRUE;
2711	}
2712	else
2713	{
2714	l_fresh_context:
2715	fFreshContext = true;
2716	if (g_pfnCryptCATAdminAcquireContext2)
2717	fRc = g_pfnCryptCATAdminAcquireContext2(&hCatAdmin, &s_aPolicies[iPolicy], s_aHashes[i].pszAlgorithm,
2718	NULL /pStrongHashPolicy/, 0 /dwFlags/);
2719	else
2720	fRc = g_pfnCryptCATAdminAcquireContext(&hCatAdmin, &s_aPolicies[iPolicy], 0 /dwFlags/);
2721	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: New context %p\n", hCatAdmin));
2722	}
2723	if (fRc)
2724	{
2725	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=%p\n", hCatAdmin));
2726
2727	/*
2728	* Hash the file.
2729	*/
2730	BYTE abHash[SUPHARDNTVI_MAX_CAT_HASH_SIZE];
2731	DWORD cbHash = sizeof(abHash);
2732	if (g_pfnCryptCATAdminCalcHashFromFileHandle2)
2733	fRc = g_pfnCryptCATAdminCalcHashFromFileHandle2(hCatAdmin, hFile, &cbHash, abHash, 0 /dwFlags/);
2734	else
2735	fRc = g_pfnCryptCATAdminCalcHashFromFileHandle(hFile, &cbHash, abHash, 0 /dwFlags/);
2736	if (fRc)
2737	{
2738	/* Produce a string version of it that we can pass to WinVerifyTrust. */
2739	RTUTF16 wszDigest[SUPHARDNTVI_MAX_CAT_HASH_SIZE * 2 + 1];
2740	int rc2 = RTUtf16PrintHexBytes(wszDigest, RT_ELEMENTS(wszDigest), abHash, cbHash, RTSTRPRINTHEXBYTES_F_UPPER);
2741	if (RT_SUCCESS(rc2))
2742	{
2743	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: cbHash=%u wszDigest=%ls\n", cbHash, wszDigest));
2744
2745	/*
2746	* Enumerate catalog information that matches the hash.
2747	*/
2748	uint32_t iCat = 0;
2749	HCATINFO hCatInfoPrev = NULL;
2750	do
2751	{
2752	/* Get the next match. */
2753	HCATINFO hCatInfo = g_pfnCryptCATAdminEnumCatalogFromHash(hCatAdmin, abHash, cbHash, 0, &hCatInfoPrev);
2754	if (!hCatInfo)
2755	{
2756	if (!fFreshContext)
2757	{
2758	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> %u; iCat=%#x)\n", RtlGetLastWin32Error(), iCat));
2759	if (hCatInfoPrev != NULL)
2760	g_pfnCryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfoPrev, 0 /dwFlags/);
2761	g_pfnCryptCATAdminReleaseContext(hCatAdmin, 0 /dwFlags/);
2762	goto l_fresh_context;
2763	}
2764	ULONG ulErr = RtlGetLastWin32Error();
2765	fNoSignedCatalogFound = ulErr == ERROR_NOT_FOUND && fNoSignedCatalogFound != 0;
2766	if (iCat == 0)
2767	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (%u)\n", ulErr));
2768	else if (iCat == 0)
2769	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed %u\n", ulErr));
2770	break;
2771	}
2772	fNoSignedCatalogFound = 0;
2773	Assert(hCatInfoPrev == NULL);
2774	hCatInfoPrev = hCatInfo;
2775
2776	/*
2777	* Call WinVerifyTrust.
2778	*/
2779	CATALOG_INFO CatInfo;
2780	CatInfo.cbStruct = sizeof(CatInfo);
2781	CatInfo.wszCatalogFile[0] = '\0';
2782	if (g_pfnCryptCATCatalogInfoFromContext(hCatInfo, &CatInfo, 0 /dwFlags/))
2783	{
2784	WINTRUST_CATALOG_INFO WtCatInfo;
2785	RT_ZERO(WtCatInfo);
2786	WtCatInfo.cbStruct = sizeof(WtCatInfo);
2787	WtCatInfo.dwCatalogVersion = 0;
2788	WtCatInfo.pcwszCatalogFilePath = CatInfo.wszCatalogFile;
2789	WtCatInfo.pcwszMemberTag = wszDigest;
2790	WtCatInfo.pcwszMemberFilePath = pwszWinPath;
2791	WtCatInfo.pbCalculatedFileHash = abHash;
2792	WtCatInfo.cbCalculatedFileHash = cbHash;
2793	WtCatInfo.pcCatalogContext = NULL;
2794
2795	WINTRUST_DATA TrustData;
2796	RT_ZERO(TrustData);
2797	TrustData.cbStruct = sizeof(TrustData);
2798	TrustData.fdwRevocationChecks = WTD_REVOKE_NONE; /* Keep simple for now. */
2799	TrustData.dwStateAction = WTD_STATEACTION_VERIFY;
2800	TrustData.dwUIChoice = WTD_UI_NONE;
2801	TrustData.dwProvFlags = 0;
2802	if (g_uNtVerCombined >= SUP_MAKE_NT_VER_SIMPLE(6, 0))
2803	TrustData.dwProvFlags = WTD_CACHE_ONLY_URL_RETRIEVAL;
2804	else
2805	TrustData.dwProvFlags = WTD_REVOCATION_CHECK_NONE;
2806	TrustData.dwUnionChoice = WTD_CHOICE_CATALOG;
2807	TrustData.pCatalog = &WtCatInfo;
2808
2809	HRESULT hrc = pfnWinVerifyTrust(NULL /hwnd/, &s_aPolicies[iPolicy], &TrustData);
2810	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: WinVerifyTrust => %#x; cat='%ls'; file='%ls'\n",
2811	hrc, CatInfo.wszCatalogFile, pwszName));
2812
2813	if (SUCCEEDED(hrc))
2814	rc = VINF_SUCCESS;
2815	else if (hrc == TRUST_E_NOSIGNATURE)
2816	{ /* ignore because it's useless. */ }
2817	else if (hrc == ERROR_INVALID_PARAMETER)
2818	{ /* This is returned if the given file isn't found in the catalog, it seems. */ }
2819	else
2820	{
2821	rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_WINTRUST_CAT_FAILURE,
2822	"WinVerifyTrust failed with hrc=%#x on '%ls' and .cat-file='%ls'.",
2823	hrc, pwszWinPath, CatInfo.wszCatalogFile);
2824	fTryNextPolicy \|= (hrc == CERT_E_UNTRUSTEDROOT);
2825	}
2826
2827	/* clean up state data. */
2828	TrustData.dwStateAction = WTD_STATEACTION_CLOSE;
2829	hrc = pfnWinVerifyTrust(NULL /hwnd/, &s_aPolicies[iPolicy], &TrustData);
2830	Assert(SUCCEEDED(hrc));
2831	}
2832	else
2833	{
2834	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
2835	"CryptCATCatalogInfoFromContext failed: %d [file=%s]",
2836	RtlGetLastWin32Error(), pwszName);
2837	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATCatalogInfoFromContext failed\n"));
2838	}
2839	iCat++;
2840	} while (rc == VERR_LDRVI_NOT_SIGNED && iCat < 128);
2841
2842	if (hCatInfoPrev != NULL)
2843	if (!g_pfnCryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfoPrev, 0 /dwFlags/))
2844	AssertFailed();
2845	}
2846	else
2847	rc = RTErrInfoSetF(pErrInfo, rc2, "RTUtf16PrintHexBytes failed: %Rrc", rc);
2848	}
2849	else
2850	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
2851	"CryptCATAdminCalcHashFromFileHandle[2] failed: %d [file=%s]", RtlGetLastWin32Error(), pwszName);
2852
2853	if (!ASMAtomicCmpXchgPtr(&s_aHashes[i].hCachedCatAdmin, hCatAdmin, NULL))
2854	if (!g_pfnCryptCATAdminReleaseContext(hCatAdmin, 0 /dwFlags/))
2855	AssertFailed();
2856	}
2857	else
2858	rc = RTErrInfoSetF(pErrInfo, RTErrConvertFromWin32(RtlGetLastWin32Error()),
2859	"CryptCATAdminAcquireContext[2] failed: %d [file=%s]", RtlGetLastWin32Error(), pwszName);
2860	iPolicy++;
2861	} while ( fTryNextPolicy
2862	&& iPolicy < RT_ELEMENTS(s_aPolicies));
2863
2864	/*
2865	* Only repeat if we've got g_pfnCryptCATAdminAcquireContext2 and can specify the hash algorithm.
2866	*/
2867	if (!g_pfnCryptCATAdminAcquireContext2)
2868	break;
2869	if (rc != VERR_LDRVI_NOT_SIGNED)
2870	break;
2871	}
2872
2873	if (hFileClose != NULL)
2874	NtClose(hFileClose);
2875
2876	/*
2877	* DLLs that are likely candidates for local modifications.
2878	*/
2879	if (rc == VERR_LDRVI_NOT_SIGNED)
2880	{
2881	bool fCoreSystemDll = false;
2882	PCRTUTF16 pwsz;
2883	uint32_t cwcName = (uint32_t)RTUtf16Len(pwszName);
2884	uint32_t cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR);
2885	if (supHardViUtf16PathStartsWithEx(pwszName, cwcName, g_System32NtPath.UniStr.Buffer, cwcOther, true /fCheckSlash/))
2886	{
2887	pwsz = pwszName + cwcOther + 1;
2888	if ( supHardViUtf16PathIsEqual(pwsz, "uxtheme.dll")
2889	\|\| supHardViUtf16PathIsEqual(pwsz, "user32.dll")
2890	\|\| supHardViUtf16PathIsEqual(pwsz, "gdi32.dll")
2891	\|\| supHardViUtf16PathIsEqual(pwsz, "opengl32.dll")
2892	\|\| (fCoreSystemDll = supHardViUtf16PathIsEqual(pwsz, "KernelBase.dll"))
2893	\|\| (fCoreSystemDll = supHardViUtf16PathIsEqual(pwsz, "kernel32.dll"))
2894	\|\| (fCoreSystemDll = supHardViUtf16PathIsEqual(pwsz, "ntdll.dll"))
2895	)
2896	{
2897	if (RTErrInfoIsSet(pErrInfo))
2898	RTErrInfoAdd(pErrInfo, rc, "\n");
2899	RTErrInfoAddF(pErrInfo, rc, "'%ls' is most likely modified.", pwszName);
2900	}
2901	}
2902
2903	/* Kludge for ancient windows versions we don't want to support but
2904	users still wants to use. Keep things as safe as possible without
2905	unnecessary effort. Problem is that 3rd party catalog files cannot
2906	easily be found. Showstopper for ATI users. */
2907	if ( fNoSignedCatalogFound == 1
2908	&& g_uNtVerCombined < SUP_NT_VER_VISTA
2909	&& !fCoreSystemDll)
2910	{
2911	rc = VINF_LDRVI_NOT_SIGNED;
2912	}
2913	}
2914
2915	return rc;
2916	}
2917
2918
2919	/**
2920	* Verifies the given image using WinVerifyTrust in some way.
2921	*
2922	* This is used by supHardenedWinVerifyImageByLdrMod as well as
2923	* supR3HardenedScreenImage.
2924	*
2925	* @returns IPRT status code, modified @a rc.
2926	* @param hFile Handle of the file to verify.
2927	* @param pwszName Full NT path to the DLL in question, used for
2928	* dealing with unsigned system dlls as well as for
2929	* error/logging.
2930	* @param fFlags SUPHNTVI_F_XXX.
2931	* @param rc The current status code.
2932	* @param pfWinVerifyTrust Where to return whether WinVerifyTrust was
2933	* actually used.
2934	* @param pErrInfo Pointer to error info structure. Optional.
2935	*/
2936	DECLHIDDEN(int) supHardenedWinVerifyImageTrust(HANDLE hFile, PCRTUTF16 pwszName, uint32_t fFlags, int rc,
2937	bool *pfWinVerifyTrust, PRTERRINFO pErrInfo)
2938	{
2939	if (pfWinVerifyTrust)
2940	*pfWinVerifyTrust = false;
2941
2942	/*
2943	* Call the windows verify trust API if we've resolved it and aren't in
2944	* some obvious recursion.
2945	*/
2946	if (g_pfnWinVerifyTrust != NULL)
2947	{
2948	uint32_t const idCurrentThread = RTNtCurrentThreadId();
2949
2950	/* Check if loader lock owner. */
2951	struct _RTL_CRITICAL_SECTION volatile *pLoaderLock = NtCurrentPeb()->LoaderLock;
2952	bool fOwnsLoaderLock = pLoaderLock
2953	&& pLoaderLock->OwningThread == (HANDLE)(uintptr_t)idCurrentThread
2954	&& pLoaderLock->RecursionCount > 0;
2955	if (!fOwnsLoaderLock)
2956	{
2957	/* Check for recursion. */
2958	bool fNoRecursion;
2959	if (g_iTlsWinVerifyTrustRecursion != UINT32_MAX)
2960	{
2961	fNoRecursion = TlsGetValue(g_iTlsWinVerifyTrustRecursion) == 0;
2962	if (fNoRecursion)
2963	TlsSetValue(g_iTlsWinVerifyTrustRecursion, (void *)1);
2964	}
2965	else
2966	fNoRecursion = ASMAtomicCmpXchgU32(&g_idActiveThread, idCurrentThread, UINT32_MAX);
2967
2968	if (fNoRecursion && !fOwnsLoaderLock)
2969	{
2970	/* We can call WinVerifyTrust. */
2971	if (pfWinVerifyTrust)
2972	*pfWinVerifyTrust = true;
2973
2974	if (rc != VERR_LDRVI_NOT_SIGNED)
2975	{
2976	if (rc == VINF_LDRVI_NOT_SIGNED)
2977	{
2978	if (fFlags & SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION)
2979	{
2980	int rc2 = supR3HardNtViCallWinVerifyTrustCatFile(hFile, pwszName, fFlags, pErrInfo,
2981	g_pfnWinVerifyTrust);
2982	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile -> %d (org %d)\n", rc2, rc));
2983	rc = rc2;
2984	}
2985	else
2986	{
2987	AssertFailed();
2988	rc = VERR_LDRVI_NOT_SIGNED;
2989	}
2990	}
2991	else if (RT_SUCCESS(rc))
2992	{
2993	HRESULT hrcWinVerifyTrust;
2994	rc = supR3HardNtViCallWinVerifyTrust(hFile, pwszName, fFlags, pErrInfo, g_pfnWinVerifyTrust,
2995	&hrcWinVerifyTrust);
2996
2997	/* DLLs signed with special roots, like "Microsoft Digital Media Authority 2005",
2998	may fail here because the root cert is not in the normal certificate stores
2999	(if any). Our verification code has the basics of these certificates included
3000	and can verify them, which is why we end up here instead of in the
3001	VINF_LDRVI_NOT_SIGNED case above. Current workaround is to do as above.
3002	(Intel graphics driver DLLs, like igdusc64.dll. */
3003	if ( RT_FAILURE(rc)
3004	&& hrcWinVerifyTrust == CERT_E_CHAINING
3005	&& (fFlags & SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION))
3006	{
3007	rc = supR3HardNtViCallWinVerifyTrustCatFile(hFile, pwszName, fFlags, pErrInfo, g_pfnWinVerifyTrust);
3008	SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile -> %d (was CERT_E_CHAINING)\n", rc));
3009	}
3010	}
3011	else
3012	{
3013	int rc2 = supR3HardNtViCallWinVerifyTrust(hFile, pwszName, fFlags, pErrInfo, g_pfnWinVerifyTrust, NULL);
3014	AssertMsg(RT_FAILURE_NP(rc2),
3015	("rc=%Rrc, rc2=%Rrc %s", rc, rc2, pErrInfo ? pErrInfo->pszMsg : "<no-err-info>"));
3016	RT_NOREF_PV(rc2);
3017	}
3018	}
3019
3020	/* Unwind recursion. */
3021	if (g_iTlsWinVerifyTrustRecursion != UINT32_MAX)
3022	TlsSetValue(g_iTlsWinVerifyTrustRecursion, (void *)0);
3023	else
3024	ASMAtomicWriteU32(&g_idActiveThread, UINT32_MAX);
3025	}
3026	/*
3027	* No can do.
3028	*/
3029	else
3030	SUP_DPRINTF(("Detected WinVerifyTrust recursion: rc=%Rrc '%ls'.\n", rc, pwszName));
3031	}
3032	else
3033	SUP_DPRINTF(("Detected loader lock ownership: rc=%Rrc '%ls'.\n", rc, pwszName));
3034	}
3035	return rc;
3036	}
3037
3038
3039	/**
3040	* Checks if WinVerifyTrust is callable on the current thread.
3041	*
3042	* Used by the main code to figure whether it makes sense to try revalidate an
3043	* image that hasn't passed thru WinVerifyTrust yet.
3044	*
3045	* @returns true if callable on current thread, false if not.
3046	*/
3047	DECLHIDDEN(bool) supHardenedWinIsWinVerifyTrustCallable(void)
3048	{
3049	return g_pfnWinVerifyTrust != NULL
3050	&& ( g_iTlsWinVerifyTrustRecursion != UINT32_MAX
3051	? (uintptr_t)TlsGetValue(g_iTlsWinVerifyTrustRecursion) == 0
3052	: g_idActiveThread != RTNtCurrentThreadId() );
3053	}
3054
3055
3056
3057	/**
3058	* Initializes g_uNtVerCombined and g_NtVerInfo.
3059	* Called from suplibHardenedWindowsMain and suplibOsInit.
3060	*/
3061	DECLHIDDEN(void) supR3HardenedWinInitVersion(bool fEarly)
3062	{
3063	/*
3064	* Get the windows version. Use RtlGetVersion as GetVersionExW and
3065	* GetVersion might not be telling the whole truth (8.0 on 8.1 depending on
3066	* the application manifest).
3067	*
3068	* Note! Windows 10 build 14267+ touches BSS when calling RtlGetVersion, so we
3069	* have to use the fallback for the call from the early init code.
3070	*/
3071	OSVERSIONINFOEXW NtVerInfo;
3072
3073	RT_ZERO(NtVerInfo);
3074	NtVerInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
3075	if ( fEarly
3076	\|\| !NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&NtVerInfo)))
3077	{
3078	RT_ZERO(NtVerInfo);
3079	PPEB pPeb = NtCurrentPeb();
3080	NtVerInfo.dwMajorVersion = pPeb->OSMajorVersion;
3081	NtVerInfo.dwMinorVersion = pPeb->OSMinorVersion;
3082	NtVerInfo.dwBuildNumber = pPeb->OSBuildNumber;
3083	}
3084
3085	g_uNtVerCombined = SUP_MAKE_NT_VER_COMBINED(NtVerInfo.dwMajorVersion, NtVerInfo.dwMinorVersion, NtVerInfo.dwBuildNumber,
3086	NtVerInfo.wServicePackMajor, NtVerInfo.wServicePackMinor);
3087	}
3088
3089	#endif /* IN_RING3 */
3090

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

Download in other formats: