Add 64-bit support to browser blacklisting

sandbox/win/src/service_resolver_64.cc

Index: sandbox/win/src/service_resolver_64.cc
diff --git a/sandbox/win/src/service_resolver_64.cc b/sandbox/win/src/service_resolver_64.cc
index 473ddbc7f16d806f8b1d86fb245959c4ceb4d3d4..1116f538f15b095972a4ab28aca8b4f2afb4b743 100644
--- a/sandbox/win/src/service_resolver_64.cc
+++ b/sandbox/win/src/service_resolver_64.cc
@@ -56,7 +56,7 @@ struct ServiceEntryW8 {
   ULONG mov_r10_rcx_mov_eax;  // = 4C 8B D1 B8
   ULONG service_id;
   USHORT syscall;             // = 0F 05
-  BYTE ret;                   // = C2
+  BYTE ret;                   // = C3
   BYTE nop;                   // = 90
 };
 
@@ -126,16 +126,6 @@ bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {
   if (sizeof(function_code) != read)
     return false;
 
-  if (!IsService(&function_code)) {
-    // See if it's the Win8 signature.
-    ServiceEntryW8* w8_service = &function_code.original_w8;
-    if (!IsService(&w8_service->mov_r10_rcx_mov_eax) ||
-        w8_service->mov_1 != kMov1 || w8_service->mov_1 != kMov1 ||
-        w8_service->mov_1 != kMov1) {
-      return false;
-    }
-  }
-
   // Save the verified code.
   memcpy(local_thunk, &function_code, sizeof(function_code));
 
@@ -190,4 +180,28 @@ bool Win2kResolverThunk::IsFunctionAService(void* local_thunk) const {
   return false;
 }
 
+bool Win8ResolverThunk::IsFunctionAService(void* local_thunk) const {

[rvargas (doing something else), 2014/01/07 23:38:34]

We cannot do this.

I know it is not properly documented, but win 8.1 went back to the regular stub,
and that's why we check both patterns for all versions of the OS.

[csharp, 2014/01/08 14:48:19]

How come the 32bit version still differs between win8 and the rest? Did it not
revert in 8.1? (Also, is there any good place to learn more about these issues)

Should I just use ServiceResolverThunk and add a comment explaining this issue
or would it be better to still keep this function, but have it check for both
patterns (then the 64bit code in blacklist.cc and interception.cc would have the
same pattern as the 32-bit code).

[rvargas (doing something else), 2014/01/09 01:12:00]

Yes it did. We default to relaxed interception on 32 bits and we may not have
bots for 8.1. I don't know of a place to track similar issues.
Well, there are 5 resolvers for 32 bits and at most 2 for 64 bits so the code
will differ in any case. If you want to add an explicit win8 resolver we should
make IsFunctionAService a protected method and just call the implementation of
the base class. Or just add a comment and use ServiceResolverThunk directly (I
think I actually prefer that, given that the caller is not really going to be
common code).

+  ServiceEntryW8 function_code;
+  SIZE_T read;
+  if (!::ReadProcessMemory(process_, target_, &function_code,
+                           sizeof(function_code), &read))
+    return false;
+
+  if (sizeof(function_code) != read)
+    return false;
+
+  if (kMov1 != function_code.mov_1 || kMov2 != function_code.mov_2 ||
+      kMov3 != function_code.mov_3 ||
+      kMmovR10EcxMovEax != function_code.mov_r10_rcx_mov_eax ||
+      kSyscall != function_code.syscall ||
+      kRetNp != function_code.ret) {
+    return false;
+  }
+
+  // Save the verified code
+  memcpy(local_thunk, &function_code, sizeof(function_code));
+
+  return true;
+}
+
 }  // namespace sandbox