CreateThread interception, to use CreateRemoteThread

sandbox/win/src/process_policy_test.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 #include <string>
 
 #include "base/strings/string16.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
 #include "base/win/windows_version.h"
+#include "sandbox/win/src/process_thread_interception.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_policy.h"
 #include "sandbox/win/tests/common/controller.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 // While the shell API provides better calls than this home brew function
 // we use GetSystemWindowsDirectoryW which does not query the registry so
@@ skipping 228 matching lines @@
       return SBOX_TEST_DENIED;
     }
   } else {
     ::CloseHandle(token);
     return SBOX_TEST_SUCCEEDED;
   }
 
   return SBOX_TEST_FAILED;
 }
 
+// Generate a event name, used to test thread creation.
+std::wstring GenerateEventName(DWORD pid) {
+  wchar_t buff[30] = {0};
+  int res = swprintf_s(buff, sizeof(buff) / sizeof(buff[0]),
+                       L"ProcessPolicyTest_%08x", pid);
+  if (-1 != res) {
+    return std::wstring(buff);
+  }
+  return std::wstring();
+}
+
+// This is the function that is called when testing thread creation.
+// It is expected to set an event that the caller is waiting on.
+DWORD TestThreadFunc(LPVOID lpdwThreadParam) {
+  std::wstring event_name = GenerateEventName((DWORD)lpdwThreadParam);
+  if (!event_name.length()) {
+    return 1;
+  }
+  HANDLE event = ::OpenEvent(EVENT_ALL_ACCESS | EVENT_MODIFY_STATE, FALSE,
+                             event_name.c_str());
+  if (!event) {
+    return 1;
+  }
+  if (!SetEvent(event)) {
+    return 1;
+  }
+  return 0;
+}
+
+SBOX_TESTS_COMMAND int Process_CreateThread(int argc, wchar_t** argv) {
+  DWORD pid = ::GetCurrentProcessId();
+  std::wstring event_name = GenerateEventName(pid);
+  if (!event_name.length()) {
+    return SBOX_TEST_FAILED;
+  }
+  HANDLE event = ::CreateEvent(NULL, TRUE, FALSE, event_name.c_str());
+
+  if (!event) {
+    return SBOX_TEST_FAILED;
+  }
+
+  DWORD thread_id = 0;
+  HANDLE thread = NULL;
+  thread = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&TestThreadFunc,
+                          (LPVOID)pid, 0, &thread_id);
+
+  if (!thread) {
+    return SBOX_TEST_FAILED;
+  }
+  if (!thread_id) {
+    return SBOX_TEST_FAILED;
+  }
+
+  if (WaitForSingleObject(thread, INFINITE) != WAIT_OBJECT_0) {
+    return SBOX_TEST_FAILED;
+  }
+  if (WaitForSingleObject(event, INFINITE) != WAIT_OBJECT_0) {

[Will Harris, 2015/09/17 23:08:00]

nit: consider adding a test for return code of 0 before waiting here, using
GetExitCodeThread.

[liamjm (20p), 2015/10/19 20:17:43]

Done.

+    return SBOX_TEST_FAILED;
+  }
+  return SBOX_TEST_SUCCEEDED;
+}
+
 TEST(ProcessPolicyTest, TestAllAccess) {
   // Check if the "all access" rule fails to be added when the token is too
   // powerful.
   TestRunner runner;
 
   // Check the failing case.
   runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
   EXPECT_EQ(SBOX_ERROR_UNSUPPORTED,
             runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS,
                                         TargetPolicy::PROCESS_ALL_EXEC,
@@ skipping 104 matching lines @@
   base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
   ASSERT_TRUE(!exe_path.empty());
   EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
                              TargetPolicy::PROCESS_ALL_EXEC,
                              exe_path.c_str()));
 
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
 }
 
+// This tests that the CreateThread works with CSRSS not locked down.
+// In other words, that the interception passes through OK.
+TEST(ProcessPolicyTest, TestCreateThreadWithCsrss) {
+  TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_CreateThread"));
+}
+
+// This tests that the CreateThread works with CSRSS locked down.
+// In other words, that the interception correctly works.
+TEST(ProcessPolicyTest, TestCreateThreadWithoutCsrss) {
+  TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
+
+  EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
+                             TargetPolicy::PROCESS_MIN_EXEC,
+                             L"this is not important"));
+
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_CreateThread"));
+}
+
+// This tests that our CreateThread interceptors works when called directly.
+TEST(ProcessPolicyTest, TestCreateThreadOutsideSandbox) {
+  DWORD pid = ::GetCurrentProcessId();
+  std::wstring event_name = GenerateEventName(pid);
+  ASSERT_STRNE(NULL, event_name.c_str());
+  HANDLE event = ::CreateEvent(NULL, TRUE, FALSE, event_name.c_str());
+  EXPECT_NE(int(event), NULL);

[Will Harris, 2015/09/17 23:08:00]

EXPECT_NE(NULL, event);

[liamjm (20p), 2015/10/19 20:17:43]

Done.

+
+  DWORD thread_id = 0;
+  HANDLE thread = NULL;
+  thread = TargetCreateThread(::CreateThread, NULL, 0,
+                              (LPTHREAD_START_ROUTINE)&TestThreadFunc,
+                              (LPVOID)pid, 0, &thread_id);
+  EXPECT_NE(int(thread), NULL);

[Will Harris, 2015/09/17 23:08:00]

EXPECT_EQ(NULL, thread);

[liamjm (20p), 2015/10/19 20:17:43]

Done.

+  EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(thread, INFINITE));
+  EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(event, INFINITE));
+}
+
 }  // namespace sandbox