Chromium Code Reviews Chromium Code Reviews
Issue 1225183003:
CreateThread interception, to use CreateRemoteThread (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <memory> | 5 #include <memory> |
| 6 #include <string> | 6 #include <string> |
| 7 | 7 |
| 8 #include "base/strings/string16.h" | 8 #include "base/strings/string16.h" |
| 9 #include "base/strings/sys_string_conversions.h" | 9 #include "base/strings/sys_string_conversions.h" |
| 10 #include "base/win/scoped_handle.h" | 10 #include "base/win/scoped_handle.h" |
| 11 #include "base/win/scoped_process_information.h" | 11 #include "base/win/scoped_process_information.h" |
| 12 #include "base/win/windows_version.h" | 12 #include "base/win/windows_version.h" |
| 13 #include "sandbox/win/src/process_thread_interception.h" | |
| 13 #include "sandbox/win/src/sandbox.h" | 14 #include "sandbox/win/src/sandbox.h" |
| 14 #include "sandbox/win/src/sandbox_factory.h" | 15 #include "sandbox/win/src/sandbox_factory.h" |
| 15 #include "sandbox/win/src/sandbox_policy.h" | 16 #include "sandbox/win/src/sandbox_policy.h" |
| 16 #include "sandbox/win/tests/common/controller.h" | 17 #include "sandbox/win/tests/common/controller.h" |
| 17 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
| 18 | 19 |
| 19 namespace { | 20 namespace { |
| 20 | 21 |
| 21 // While the shell API provides better calls than this home brew function | 22 // While the shell API provides better calls than this home brew function |
| 22 // we use GetSystemWindowsDirectoryW which does not query the registry so | 23 // we use GetSystemWindowsDirectoryW which does not query the registry so |
| (...skipping 228 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 251 return SBOX_TEST_DENIED; | 252 return SBOX_TEST_DENIED; |
| 252 } | 253 } |
| 253 } else { | 254 } else { |
| 254 ::CloseHandle(token); | 255 ::CloseHandle(token); |
| 255 return SBOX_TEST_SUCCEEDED; | 256 return SBOX_TEST_SUCCEEDED; |
| 256 } | 257 } |
| 257 | 258 |
| 258 return SBOX_TEST_FAILED; | 259 return SBOX_TEST_FAILED; |
| 259 } | 260 } |
| 260 | 261 |
| 262 // Generate a event name, used to test thread creation. | |
| 263 std::wstring GenerateEventName(DWORD pid) { | |
| 264 wchar_t buff[30] = {0}; | |
| 265 int res = swprintf_s(buff, sizeof(buff) / sizeof(buff[0]), | |
| 266 L"ProcessPolicyTest_%08x", pid); | |
| 267 if (-1 != res) { | |
| 268 return std::wstring(buff); | |
| 269 } | |
| 270 return std::wstring(); | |
| 271 } | |
| 272 | |
| 273 // This is the function that is called when testing thread creation. | |
| 274 // It is expected to set an event that the caller is waiting on. | |
| 275 DWORD TestThreadFunc(LPVOID lpdwThreadParam) { | |
| 276 std::wstring event_name = GenerateEventName((DWORD)lpdwThreadParam); | |
| 277 if (!event_name.length()) { | |
| 278 return 1; | |
| 279 } | |
| 280 HANDLE event = ::OpenEvent(EVENT_ALL_ACCESS | EVENT_MODIFY_STATE, FALSE, | |
| 281 event_name.c_str()); | |
| 282 if (!event) { | |
| 283 return 1; | |
| 284 } | |
| 285 if (!SetEvent(event)) { | |
| 286 return 1; | |
| 287 } | |
| 288 return 0; | |
| 289 } | |
| 290 | |
| 291 SBOX_TESTS_COMMAND int Process_CreateThread(int argc, wchar_t** argv) { | |
| 292 DWORD pid = ::GetCurrentProcessId(); | |
| 293 std::wstring event_name = GenerateEventName(pid); | |
| 294 if (!event_name.length()) { | |
| 295 return SBOX_TEST_FAILED; | |
| 296 } | |
| 297 HANDLE event = ::CreateEvent(NULL, TRUE, FALSE, event_name.c_str()); | |
| 298 | |
| 299 if (!event) { | |
| 300 return SBOX_TEST_FAILED; | |
| 301 } | |
| 302 | |
| 303 DWORD thread_id = 0; | |
| 304 HANDLE thread = NULL; | |
| 305 thread = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&TestThreadFunc, | |
| 306 (LPVOID)pid, 0, &thread_id); | |
| 307 | |
| 308 if (!thread) { | |
| 309 return SBOX_TEST_FAILED; | |
| 310 } | |
| 311 if (!thread_id) { | |
| 312 return SBOX_TEST_FAILED; | |
|
Will Harris
2015/12/03 06:41:50
if the interception returns 0 thread_id on XP how
liamjm (20p)
2015/12/03 21:53:29
Yes, CSRSS is only disable on >= win8 so this code
| |
| 313 } | |
| 314 | |
| 315 if (WaitForSingleObject(thread, INFINITE) != WAIT_OBJECT_0) { | |
| 316 return SBOX_TEST_FAILED; | |
| 317 } | |
| 318 DWORD exit_code = 0; | |
| 319 if (!GetExitCodeThread(thread, &exit_code)) { | |
| 320 return SBOX_TEST_FAILED; | |
| 321 } | |
| 322 if (exit_code) { | |
| 323 return SBOX_TEST_FAILED; | |
| 324 } | |
| 325 if (WaitForSingleObject(event, INFINITE) != WAIT_OBJECT_0) { | |
| 326 return SBOX_TEST_FAILED; | |
| 327 } | |
| 328 return SBOX_TEST_SUCCEEDED; | |
| 329 } | |
| 330 | |
| 261 TEST(ProcessPolicyTest, TestAllAccess) { | 331 TEST(ProcessPolicyTest, TestAllAccess) { |
| 262 // Check if the "all access" rule fails to be added when the token is too | 332 // Check if the "all access" rule fails to be added when the token is too |
| 263 // powerful. | 333 // powerful. |
| 264 TestRunner runner; | 334 TestRunner runner; |
| 265 | 335 |
| 266 // Check the failing case. | 336 // Check the failing case. |
| 267 runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); | 337 runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); |
| 268 EXPECT_EQ(SBOX_ERROR_UNSUPPORTED, | 338 EXPECT_EQ(SBOX_ERROR_UNSUPPORTED, |
| 269 runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS, | 339 runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS, |
| 270 TargetPolicy::PROCESS_ALL_EXEC, | 340 TargetPolicy::PROCESS_ALL_EXEC, |
| (...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 375 base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); | 445 base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe"); |
| 376 ASSERT_TRUE(!exe_path.empty()); | 446 ASSERT_TRUE(!exe_path.empty()); |
| 377 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, | 447 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, |
| 378 TargetPolicy::PROCESS_ALL_EXEC, | 448 TargetPolicy::PROCESS_ALL_EXEC, |
| 379 exe_path.c_str())); | 449 exe_path.c_str())); |
| 380 | 450 |
| 381 EXPECT_EQ(SBOX_TEST_SUCCEEDED, | 451 EXPECT_EQ(SBOX_TEST_SUCCEEDED, |
| 382 runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); | 452 runner.RunTest(L"Process_GetChildProcessToken findstr.exe")); |
| 383 } | 453 } |
| 384 | 454 |
| 455 // This tests that the CreateThread works with CSRSS not locked down. | |
| 456 // In other words, that the interception passes through OK. | |
| 457 TEST(ProcessPolicyTest, TestCreateThreadWithCsrss) { | |
| 458 TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE); | |
| 459 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_CreateThread")); | |
| 460 } | |
| 461 | |
| 462 // This tests that the CreateThread works with CSRSS locked down. | |
| 463 // In other words, that the interception correctly works. | |
| 464 TEST(ProcessPolicyTest, TestCreateThreadWithoutCsrss) { | |
| 465 TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE); | |
| 466 | |
| 467 EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS, | |
| 468 TargetPolicy::PROCESS_MIN_EXEC, | |
|
Will Harris
2015/12/03 06:41:50
why do you need TargetPolicy::PROCESS_MIN_EXEC
liamjm (20p)
2015/12/03 21:53:29
Changed to PROCESS_ALL_EXEC as this is more suitab
Will Harris
2015/12/03 23:58:13
can you explain why this policy is needed at all?
rickyz (no longer on Chrome)
2015/12/07 10:37:54
Background for "this is not important" - this was
| |
| 469 L"this is not important")); | |
| 470 | |
| 471 EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_CreateThread")); | |
| 472 } | |
| 473 | |
| 474 // This tests that our CreateThread interceptors works when called directly. | |
| 475 TEST(ProcessPolicyTest, TestCreateThreadOutsideSandbox) { | |
| 476 DWORD pid = ::GetCurrentProcessId(); | |
| 477 std::wstring event_name = GenerateEventName(pid); | |
| 478 ASSERT_STRNE(NULL, event_name.c_str()); | |
| 479 HANDLE event = ::CreateEvent(NULL, TRUE, FALSE, event_name.c_str()); | |
| 480 EXPECT_NE(NULL, int(event)); | |
| 481 | |
| 482 DWORD thread_id = 0; | |
| 483 HANDLE thread = NULL; | |
| 484 thread = TargetCreateThread(::CreateThread, NULL, 0, | |
| 485 (LPTHREAD_START_ROUTINE)&TestThreadFunc, | |
| 486 (LPVOID)pid, 0, &thread_id); | |
| 487 EXPECT_NE(NULL, int(thread)); | |
| 488 EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(thread, INFINITE)); | |
| 489 EXPECT_EQ(WAIT_OBJECT_0, WaitForSingleObject(event, INFINITE)); | |
| 490 } | |
| 491 | |
| 385 } // namespace sandbox | 492 } // namespace sandbox |
| OLD | NEW |
