sandbox/win/src/service_resolver_64.cc - Issue 101203010: Add 64-bit support to browser blacklisting

Side by Side Diff: sandbox/win/src/service_resolver_64.cc

Issue 101203010: Add 64-bit support to browser blacklisting (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Responding to comments Created 6 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/win/src/service_resolver.h"	5 #include "sandbox/win/src/service_resolver.h"

6	6

7 #include "base/memory/scoped_ptr.h"	7 #include "base/memory/scoped_ptr.h"

8 #include "sandbox/win/src/sandbox_nt_util.h"	8 #include "sandbox/win/src/sandbox_nt_util.h"

9 #include "sandbox/win/src/win_utils.h"	9 #include "sandbox/win/src/win_utils.h"

10	10

(...skipping 38 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
49 // 1c 0f05 syscall	49 // 1c 0f05 syscall

50 // 1e c3 ret	50 // 1e c3 ret

51 // 1f 90 nop	51 // 1f 90 nop

52	52

53 ULONG64 mov_1; // = 48 89 4C 24 08 48 89 54	53 ULONG64 mov_1; // = 48 89 4C 24 08 48 89 54

54 ULONG64 mov_2; // = 24 10 4C 89 44 24 18 4C	54 ULONG64 mov_2; // = 24 10 4C 89 44 24 18 4C

55 ULONG mov_3; // = 89 4C 24 20	55 ULONG mov_3; // = 89 4C 24 20

56 ULONG mov_r10_rcx_mov_eax; // = 4C 8B D1 B8	56 ULONG mov_r10_rcx_mov_eax; // = 4C 8B D1 B8

57 ULONG service_id;	57 ULONG service_id;

58 USHORT syscall; // = 0F 05	58 USHORT syscall; // = 0F 05

59 BYTE ret; // = C2	59 BYTE ret; // = C3

60 BYTE nop; // = 90	60 BYTE nop; // = 90

61 };	61 };

62	62

63 // We don't have an internal thunk for x64.	63 // We don't have an internal thunk for x64.

64 struct ServiceFullThunk {	64 struct ServiceFullThunk {

65 union {	65 union {

66 ServiceEntry original;	66 ServiceEntry original;

67 ServiceEntryW8 original_w8;	67 ServiceEntryW8 original_w8;

68 };	68 };

69 };	69 };

(...skipping 49 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
119 bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {	119 bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {

120 ServiceFullThunk function_code;	120 ServiceFullThunk function_code;

121 SIZE_T read;	121 SIZE_T read;

122 if (!::ReadProcessMemory(process_, target_, &function_code,	122 if (!::ReadProcessMemory(process_, target_, &function_code,

123 sizeof(function_code), &read))	123 sizeof(function_code), &read))

124 return false;	124 return false;

125	125

126 if (sizeof(function_code) != read)	126 if (sizeof(function_code) != read)

127 return false;	127 return false;

128	128

129 if (!IsService(&function_code)) {

130 // See if it's the Win8 signature.

131 ServiceEntryW8* w8_service = &function_code.original_w8;

132 if (!IsService(&w8_service->mov_r10_rcx_mov_eax) \|\|

133 w8_service->mov_1 != kMov1 \|\| w8_service->mov_1 != kMov1 \|\|

134 w8_service->mov_1 != kMov1) {

135 return false;

136 }

137 }

138

139 // Save the verified code.	129 // Save the verified code.

140 memcpy(local_thunk, &function_code, sizeof(function_code));	130 memcpy(local_thunk, &function_code, sizeof(function_code));

141	131

142 return true;	132 return true;

143 }	133 }

144	134

145 NTSTATUS ServiceResolverThunk::PerformPatch(void* local_thunk,	135 NTSTATUS ServiceResolverThunk::PerformPatch(void* local_thunk,

146 void* remote_thunk) {	136 void* remote_thunk) {

147 ServiceFullThunk* full_local_thunk =	137 ServiceFullThunk* full_local_thunk =

148 reinterpret_cast<ServiceFullThunk*>(local_thunk);	138 reinterpret_cast<ServiceFullThunk*>(local_thunk);

(...skipping 34 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
183 bool Wow64ResolverThunk::IsFunctionAService(void* local_thunk) const {	173 bool Wow64ResolverThunk::IsFunctionAService(void* local_thunk) const {

184 NOTREACHED_NT();	174 NOTREACHED_NT();

185 return false;	175 return false;

186 }	176 }

187	177

188 bool Win2kResolverThunk::IsFunctionAService(void* local_thunk) const {	178 bool Win2kResolverThunk::IsFunctionAService(void* local_thunk) const {

189 NOTREACHED_NT();	179 NOTREACHED_NT();

190 return false;	180 return false;

191 }	181 }

192	182

	183 bool Win8ResolverThunk::IsFunctionAService(void* local_thunk) const {
	rvargas (doing something else) 2014/01/07 23:38:34 We cannot do this. I know it is not properly docu We cannot do this. I know it is not properly documented, but win 8.1 went back to the regular stub, and that's why we check both patterns for all versions of the OS. csharp 2014/01/08 14:48:19 How come the 32bit version still differs between w Show quoted text On 2014/01/07 23:38:34, rvargas wrote: > We cannot do this. > > I know it is not properly documented, but win 8.1 went back to the regular stub, > and that's why we check both patterns for all versions of the OS. How come the 32bit version still differs between win8 and the rest? Did it not revert in 8.1? (Also, is there any good place to learn more about these issues) Should I just use ServiceResolverThunk and add a comment explaining this issue or would it be better to still keep this function, but have it check for both patterns (then the 64bit code in blacklist.cc and interception.cc would have the same pattern as the 32-bit code). rvargas (doing something else) 2014/01/09 01:12:00 Yes it did. We default to relaxed interception on Show quoted text On 2014/01/08 14:48:19, csharp wrote: > On 2014/01/07 23:38:34, rvargas wrote: > > We cannot do this. > > > > I know it is not properly documented, but win 8.1 went back to the regular > stub, > > and that's why we check both patterns for all versions of the OS. > > How come the 32bit version still differs between win8 and the rest? Did it not > revert in 8.1? (Also, is there any good place to learn more about these issues) Yes it did. We default to relaxed interception on 32 bits and we may not have bots for 8.1. I don't know of a place to track similar issues. Show quoted text > > Should I just use ServiceResolverThunk and add a comment explaining this issue > or would it be better to still keep this function, but have it check for both > patterns (then the 64bit code in blacklist.cc and interception.cc would have the > same pattern as the 32-bit code). Well, there are 5 resolvers for 32 bits and at most 2 for 64 bits so the code will differ in any case. If you want to add an explicit win8 resolver we should make IsFunctionAService a protected method and just call the implementation of the base class. Or just add a comment and use ServiceResolverThunk directly (I think I actually prefer that, given that the caller is not really going to be common code).
	184 ServiceEntryW8 function_code;

	185 SIZE_T read;

	186 if (!::ReadProcessMemory(process_, target_, &function_code,

	187 sizeof(function_code), &read))

	188 return false;

	189

	190 if (sizeof(function_code) != read)

	191 return false;

	192

	193 if (kMov1 != function_code.mov_1 \|\| kMov2 != function_code.mov_2 \|\|

	194 kMov3 != function_code.mov_3 \|\|

	195 kMmovR10EcxMovEax != function_code.mov_r10_rcx_mov_eax \|\|

	196 kSyscall != function_code.syscall \|\|

	197 kRetNp != function_code.ret) {

	198 return false;

	199 }

	200

	201 // Save the verified code

	202 memcpy(local_thunk, &function_code, sizeof(function_code));

	203

	204 return true;

	205 }

	206

193 } // namespace sandbox	207 } // namespace sandbox

OLD	NEW

« no previous file with comments | « chrome_elf/blacklist/blacklist_interceptions.cc ('k') | no next file » | no next file with comments »