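--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,186 @@
+// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/sandbox_poc/pocdll/exports.h"
+#include "sandbox/sandbox_poc/pocdll/utils.h"
+#include "sandbox/tools/finder/ntundoc.h"
+
+// This file contains the tests used to verify the security of handles in
+// the process
+
+NTQUERYOBJECT NtQueryObject;
+NTQUERYINFORMATIONFILE NtQueryInformationFile;
+NTQUERYSYSTEMINFORMATION NtQuerySystemInformation;
+
+void POCDLL_API TestGetHandle(HANDLE log) {
+HandleToFile handle2file;
+FILE *output = handle2file.Translate(log, "w");
+
+// Initialize the NTAPI functions we need
+HMODULE ntdll_handle = ::GetModuleHandle(L"ntdll.dll");
+if (!ntdll_handle) {
+fprintf(output, "[ERROR] Cannot load ntdll.dll. Error %d\r\n",
+::GetLastError());
+return;
+}
+
+NtQueryObject = reinterpret_cast<NTQUERYOBJECT>(
+GetProcAddress(ntdll_handle, "NtQueryObject"));
+NtQueryInformationFile = reinterpret_cast<NTQUERYINFORMATIONFILE>(
+GetProcAddress(ntdll_handle, "NtQueryInformationFile"));
+NtQuerySystemInformation = reinterpret_cast<NTQUERYSYSTEMINFORMATION>(
+GetProcAddress(ntdll_handle, "NtQuerySystemInformation"));
+
+if (!NtQueryObject || !NtQueryInformationFile || !NtQuerySystemInformation) {
+fprintf(output, "[ERROR] Cannot load all NT functions. Error %d\r\n",
+::GetLastError());
+return;
+}
+
+// Get the number of handles on the system
+DWORD buffer_size = 0;
+SYSTEM_HANDLE_INFORMATION_EX temp_info;
+NTSTATUS status = NtQuerySystemInformation(
+SystemHandleInformation, &temp_info, sizeof(temp_info),
+&buffer_size);
+if (!buffer_size) {
+fprintf(output, "[ERROR] Get the number of handles. Error 0x%X\r\n",
+status);
+return;
+}
+
+SYSTEM_HANDLE_INFORMATION_EX *system_handles =
+reinterpret_cast<SYSTEM_HANDLE_INFORMATION_EX*>(new BYTE[buffer_size]);
+
+status = NtQuerySystemInformation(SystemHandleInformation, system_handles,
+buffer_size, &buffer_size);
+if (STATUS_SUCCESS != status) {
+fprintf(output, "[ERROR] Failed to get the handle list. Error 0x%X\r\n",
+status);
+delete [] system_handles;
+return;
+}
+
+for (ULONG i = 0; i < system_handles->NumberOfHandles; ++i) {
+USHORT h = system_handles->Information[i].Handle;
+if (system_handles->Information[i].ProcessId != ::GetCurrentProcessId())
+continue;
+
+OBJECT_NAME_INFORMATION *name = NULL;
+ULONG name_size = 0;
+// Query the name information a first time to get the size of the name.
+status = NtQueryObject(reinterpret_cast<HANDLE>(h),
+ObjectNameInformation,
+name,
+name_size,
+&name_size);
+
+if (name_size) {
+name = reinterpret_cast<OBJECT_NAME_INFORMATION *>(new BYTE[name_size]);
+
+// Query the name information a second time to get the name of the
+// object referenced by the handle.
+status = NtQueryObject(reinterpret_cast<HANDLE>(h),
+ObjectNameInformation,
+name,
+name_size,
+&name_size);
+}
+
+PUBLIC_OBJECT_TYPE_INFORMATION *type = NULL;
+ULONG type_size = 0;
+
+// Query the object to get the size of the object type name.
+status = NtQueryObject(reinterpret_cast<HANDLE>(h),
+ObjectTypeInformation,
+type,
+type_size,
+&type_size);
+if (type_size) {
+type = reinterpret_cast<PUBLIC_OBJECT_TYPE_INFORMATION *>(
+new BYTE[type_size]);
+
+// Query the type information a second time to get the object type
+// name.
+status = NtQueryObject(reinterpret_cast<HANDLE>(h),
+ObjectTypeInformation,
+type,
+type_size,
+&type_size);
+}
+
+// NtQueryObject cannot return the name for a file. In this case we
+// need to ask NtQueryInformationFile
+FILE_NAME_INFORMATION *file_name = NULL;
+if (type && wcsncmp(L"File", type->TypeName.Buffer,
+(type->TypeName.Length /
+sizeof(type->TypeName.Buffer[0]))) == 0) {
+// This function does not return the size of the buffer. We need to
+// iterate and always increase the buffer size until the function
+// succeeds. (Or at least does not fail with STATUS_BUFFER_OVERFLOW)
+ULONG size_file = MAX_PATH;
+IO_STATUS_BLOCK status_block = {0};
+do {
+// Delete the previous buffer create. The buffer was too small
+if (file_name) {
+delete[] reinterpret_cast<BYTE*>(file_name);
+file_name = NULL;
+}
+
+// Increase the buffer and do the call agan
+size_file += MAX_PATH;
+file_name = reinterpret_cast<FILE_NAME_INFORMATION *>(
+new BYTE[size_file]);
+status = NtQueryInformationFile(reinterpret_cast<HANDLE>(h),
+&status_block,
+file_name,
+size_file,
+FileNameInformation);
+} while (status == STATUS_BUFFER_OVERFLOW);
+
+if (STATUS_SUCCESS != status) {
+if (file_name) {
+delete[] file_name;
+file_name = NULL;
+}
+}
+}
+
+if (file_name) {
+UNICODE_STRING file_name_string;
+file_name_string.Buffer = file_name->FileName;
+file_name_string.Length = (USHORT)file_name->FileNameLength;
+file_name_string.MaximumLength = (USHORT)file_name->FileNameLength;
+fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X "
+"Type: %-13.13wZ Path: %wZ\r\n",
+h,
+system_handles->Information[i].GrantedAccess,
+type ? &type->TypeName : NULL,
+&file_name_string);
+} else {
+fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X "
+"Type: %-13.13wZ Path: %wZ\r\n",
+h,
+system_handles->Information[i].GrantedAccess,
+type ? &type->TypeName : NULL,
+name ? &name->ObjectName : NULL);
+}
+
+if (type) {
+delete[] type;
+}
+
+if (file_name) {
+delete[] file_name;
+}
+
+if (name) {
+delete [] name;
+}
+}
+
+if (system_handles) {
+delete [] system_handles;
+}
+}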
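Review bot: The second NtQueryObject call for the name (new lines 84–88) and for the type (106–110) assigns `status` but never checks it, so if either query fails (for example STATUS_ACCESS_DENIED, or STATUS_INFO_LENGTH_MISMATCH when the required size changed between the two calls) the code still reaches the fprintf at 155–167 and passes `&name->ObjectName` / `&type->TypeName` to `%wZ`, which then reads an uninitialized UNICODE_STRING out of a freshly allocated buffer. The rewrite below frees the buffer and resets the pointer on failure, mirroring the existing `STATUS_SUCCESS != status` check at 142. Separately, every buffer is allocated as `new BYTE[]` but released as `delete[] type`, `delete[] file_name` and `delete [] name` (144, 171, 175, 179), which is undefined behaviour when the static type differs from the allocated type; only line 127 casts back with `delete[] reinterpret_cast<BYTE*>(file_name)`, and the other sites should do the same. Lastly, the handle table can grow between the size query at 44 and the fill at 56, so a second STATUS_INFO_LENGTH_MISMATCH at 58 is a legitimate outcome that a short reallocate-and-retry loop would handle instead of reporting it as an error.
```cpp
    // Query the name information a second time to get the name of the
    // object referenced by the handle.
    status = NtQueryObject(reinterpret_cast<HANDLE>(h),
                           ObjectNameInformation,
                           name,
                           name_size,
                           &name_size);
    // A failed query leaves the buffer uninitialized; do not let %wZ read it.
    if (STATUS_SUCCESS != status) {
      delete[] reinterpret_cast<BYTE*>(name);
      name = NULL;
    }
  }
  // … unchanged: ObjectTypeInformation size query …
  if (type_size) {
    type = reinterpret_cast<PUBLIC_OBJECT_TYPE_INFORMATION *>(
        new BYTE[type_size]);
    status = NtQueryObject(reinterpret_cast<HANDLE>(h),
                           ObjectTypeInformation,
                           type,
                           type_size,
                           &type_size);
    // Same guard for the type buffer, which is also dereferenced at the
    // wcsncmp below and in the fprintf.
    if (STATUS_SUCCESS != status) {
      delete[] reinterpret_cast<BYTE*>(type);
      type = NULL;
    }
  }
```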