CreateThread interception, to use CreateRemoteThread

sandbox/win/src/process_thread_dispatcher.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/process_thread_dispatcher.h"
 
 #include "base/basictypes.h"
 #include "base/logging.h"
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/interception.h"
@@ skipping 104 matching lines @@
       {IPC_NTOPENPROCESSTOKENEX_TAG, {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE}},
       reinterpret_cast<CallbackGeneric>(
           &ThreadProcessDispatcher::NtOpenProcessTokenEx)};
 
   static const IPCCall create_params = {
       {IPC_CREATEPROCESSW_TAG,
        {WCHAR_TYPE, WCHAR_TYPE, WCHAR_TYPE, INOUTPTR_TYPE}},
       reinterpret_cast<CallbackGeneric>(
           &ThreadProcessDispatcher::CreateProcessW)};
 
+  // NOTE(liamjm): 2nd param is size_t: Using VOIDPTR_TYPE as they are
+  // the same size on windows.
+  assert(sizeof(size_t) == sizeof(void*));

[Will Harris, 2015/12/03 23:58:14]

this should be static_assert - see
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/POISBQEhGzU/Q_0uG...

[liamjm (20p), 2016/02/01 23:36:39]

Done.

+  static const IPCCall create_thread_params = {
+      {IPC_CREATETHREAD_TAG,
+       {VOIDPTR_TYPE, VOIDPTR_TYPE, VOIDPTR_TYPE, VOIDPTR_TYPE, UINT32_TYPE}},
+      reinterpret_cast<CallbackGeneric>(
+          &ThreadProcessDispatcher::CreateThread)};
+
   ipc_calls_.push_back(open_thread);
   ipc_calls_.push_back(open_process);
   ipc_calls_.push_back(process_token);
   ipc_calls_.push_back(process_tokenex);
   ipc_calls_.push_back(create_params);
+  ipc_calls_.push_back(create_thread_params);
 }
 
 bool ThreadProcessDispatcher::SetupService(InterceptionManager* manager,
                                            int service) {
   switch (service) {
     case IPC_NTOPENTHREAD_TAG:
     case IPC_NTOPENPROCESS_TAG:
     case IPC_NTOPENPROCESSTOKEN_TAG:
     case IPC_NTOPENPROCESSTOKENEX_TAG:
       // There is no explicit policy for these services.
       NOTREACHED();
       return false;
 
     case IPC_CREATEPROCESSW_TAG:
       return INTERCEPT_EAT(manager, kKerneldllName, CreateProcessW,
                            CREATE_PROCESSW_ID, 44) &&
              INTERCEPT_EAT(manager, L"kernel32.dll", CreateProcessA,
                            CREATE_PROCESSA_ID, 44);
 
+    case IPC_CREATETHREAD_TAG:
+      return INTERCEPT_EAT(manager, kKerneldllName, CreateThread,
+                           CREATE_THREAD_ID, 28);
+
     default:
       return false;
   }
 }
 
 bool ThreadProcessDispatcher::NtOpenThread(IPCInfo* ipc,
                                            uint32 desired_access,
                                            uint32 thread_id) {
   HANDLE handle;
   NTSTATUS ret = ProcessPolicy::OpenThreadAction(*ipc->client_info,
@@ skipping 76 matching lines @@
   // Here we force the app_name to be the one we used for the policy lookup.
   // If our logic was wrong, at least we wont allow create a random process.
   DWORD ret = ProcessPolicy::CreateProcessWAction(eval, *ipc->client_info,
                                                   exe_name, *cmd_line,
                                                   proc_info);
 
   ipc->return_info.win32_result = ret;
   return true;
 }
 
+bool ThreadProcessDispatcher::CreateThread(
+    IPCInfo* ipc,
+    LPSECURITY_ATTRIBUTES thread_attributes,
+    SIZE_T stack_size,
+    LPTHREAD_START_ROUTINE start_address,
+    PVOID parameter,
+    DWORD creation_flags) {
+  if (!start_address) {
+    return false;
+  }
+
+  HANDLE handle;
+  DWORD ret = ProcessPolicy::CreateThreadAction(
+      GIVE_ALLACCESS, *ipc->client_info, thread_attributes, stack_size,
+      start_address, parameter, creation_flags, NULL, &handle);
+
+  ipc->return_info.nt_status = ret;
+  ipc->return_info.handle = handle;
+  return true;
+}
+
 }  // namespace sandbox