sandbox/win/src/dep.cc - Issue 10690058: Add sandbox support for Windows process mitigations

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: sandbox/win/src/dep.cc

Issue 10690058: Add sandbox support for Windows process mitigations (Closed) Base URL: https://src.chromium.org/svn/trunk/src/

Patch Set: Created 8 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
	(Empty)
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "sandbox/win/src/dep.h"

6

7 #include <windows.h>

8

9 #include "base/logging.h"

10

11 namespace sandbox {

12

13 namespace {

14

15 // These values are in the Windows 2008 SDK but not in the previous ones. Define

16 // the values here until we're sure everyone updated their SDK.

17 #ifndef PROCESS_DEP_ENABLE

18 #define PROCESS_DEP_ENABLE 0x00000001

19 #endif

20 #ifndef PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION

21 #define PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION 0x00000002

22 #endif

23

24 // SetProcessDEPPolicy is declared in the Windows 2008 SDK.

25 typedef BOOL (WINAPI *FnSetProcessDEPPolicy)(DWORD dwFlags);

26

27 enum PROCESS_INFORMATION_CLASS {

28 ProcessExecuteFlags = 0x22,

29 };

30

31 // Flags named as per their usage.

32 const int MEM_EXECUTE_OPTION_ENABLE = 1;

33 const int MEM_EXECUTE_OPTION_DISABLE = 2;

34 const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4;

35 const int MEM_EXECUTE_OPTION_PERMANENT = 8;

36

37 // Not exactly the right signature but that will suffice.

38 typedef HRESULT (WINAPI *FnNtSetInformationProcess)(

39 HANDLE ProcessHandle,

40 PROCESS_INFORMATION_CLASS ProcessInformationClass,

41 PVOID ProcessInformation,

42 ULONG ProcessInformationLength);

43

44 } // namespace

45

46 bool SetCurrentProcessDEP(DepEnforcement enforcement) {

47 #ifdef _WIN64

48 // DEP is always on in x64.

49 return enforcement != DEP_DISABLED;

50 #endif

51 // Only available on Windows XP SP2 and Windows Server 2003 SP1.

52 // For reference: http://www.uninformed.org/?v=2&a=4

53 FnNtSetInformationProcess NtSetInformationProc =

54 reinterpret_cast<FnNtSetInformationProcess>(

55 GetProcAddress(GetModuleHandle(L"ntdll.dll"),

56 "NtSetInformationProcess"));

57

58 if (!NtSetInformationProc)

59 return false;

60

61 // Flags being used as per SetProcessDEPPolicy on Vista SP1.

62 ULONG dep_flags;

63 switch (enforcement) {

64 case DEP_DISABLED:

65 // 2

66 dep_flags = MEM_EXECUTE_OPTION_DISABLE;

67 break;

68 case DEP_ENABLED:

69 // 9

70 dep_flags = MEM_EXECUTE_OPTION_PERMANENT \| MEM_EXECUTE_OPTION_ENABLE;

71 break;

72 case DEP_ENABLED_ATL7_COMPAT:

73 // 0xD

74 dep_flags = MEM_EXECUTE_OPTION_PERMANENT \| MEM_EXECUTE_OPTION_ENABLE \|

75 MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION;

76 break;

77 default:

78 NOTREACHED();

79 return false;

80 }

81

82 HRESULT status = NtSetInformationProc(GetCurrentProcess(),

83 ProcessExecuteFlags,

84 &dep_flags,

85 sizeof(dep_flags));

86 return SUCCEEDED(status);

87 }

88

89 } // namespace sandbox

OLD	NEW

« no previous file with comments | « sandbox/win/src/dep.h ('k') | sandbox/win/src/dep_test.cc » ('j') | sandbox/win/src/process_mitigations.h » ('J')