sandbox/win/src/process_thread_policy.cc - Issue 1225183003: CreateThread interception, to use CreateRemoteThread

Side by Side Diff: sandbox/win/src/process_thread_policy.cc

Issue 1225183003: CreateThread interception, to use CreateRemoteThread (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: remove thread_attributes from IPC call, use nullptr Created 4 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sandbox/win/src/process_thread_policy.h"	5 #include "sandbox/win/src/process_thread_policy.h"

6	6

7 #include <stdint.h>	7 #include <stdint.h>

8	8

9 #include <string>	9 #include <string>

10	10

(...skipping 81 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
92 return false;	92 return false;

93 };	93 };

94 }	94 }

95	95

96 if (!process->AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) {	96 if (!process->AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) {

97 return false;	97 return false;

98 }	98 }

99 if (!policy->AddRule(IPC_CREATEPROCESSW_TAG, process.get())) {	99 if (!policy->AddRule(IPC_CREATEPROCESSW_TAG, process.get())) {

100 return false;	100 return false;

101 }	101 }

	102 if (!policy->AddRule(IPC_CREATETHREAD_TAG, process.get())) {

	103 return false;

	104 }
	liamjm (20p) 2016/02/02 20:43:45 cpu@: Can you comment on the suitability of adding cpu@: Can you comment on the suitability of adding create thread to this policy?
102 return true;	105 return true;

103 }	106 }

104	107

105 NTSTATUS ProcessPolicy::OpenThreadAction(const ClientInfo& client_info,	108 NTSTATUS ProcessPolicy::OpenThreadAction(const ClientInfo& client_info,

106 uint32_t desired_access,	109 uint32_t desired_access,

107 uint32_t thread_id,	110 uint32_t thread_id,

108 HANDLE* handle) {	111 HANDLE* handle) {

109 *handle = NULL;	112 *handle = NULL;

110	113

111 NtOpenThreadFunction NtOpenThread = NULL;	114 NtOpenThreadFunction NtOpenThread = NULL;

(...skipping 119 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
231 BOOL should_give_full_access = (GIVE_ALLACCESS == eval_result);	234 BOOL should_give_full_access = (GIVE_ALLACCESS == eval_result);

232 if (!CreateProcessExWHelper(client_info.process, should_give_full_access,	235 if (!CreateProcessExWHelper(client_info.process, should_give_full_access,

233 app_name.c_str(), cmd_line.get(), NULL, NULL,	236 app_name.c_str(), cmd_line.get(), NULL, NULL,

234 FALSE, 0, NULL, NULL, &startup_info,	237 FALSE, 0, NULL, NULL, &startup_info,

235 process_info)) {	238 process_info)) {

236 return ERROR_ACCESS_DENIED;	239 return ERROR_ACCESS_DENIED;

237 }	240 }

238 return ERROR_SUCCESS;	241 return ERROR_SUCCESS;

239 }	242 }

240	243

	244 DWORD ProcessPolicy::CreateThreadAction(
	forshaw 2016/02/02 11:11:49 Is this only going to be used in test code or will Is this only going to be used in test code or will it end up in Chrome when ALPC is eventually dropped? My concern is that many AV have a bit of a thing for CreateRemoteThread, or at least used to. You might find you get spurious failures in production code, or even in theory AV blocking Chrome for malicious behavior. I don't have the context of why this is being implemented, so can't comment if there's a better way. liamjm (20p) 2016/02/02 20:43:45 This is the intended mechanism for CreateThread in Show quoted text On 2016/02/02 11:11:49, forshaw wrote: > Is this only going to be used in test code or will it end up in Chrome when ALPC > is eventually dropped? My concern is that many AV have a bit of a thing for > CreateRemoteThread, or at least used to. You might find you get spurious > failures in production code, or even in theory AV blocking Chrome for malicious > behavior. I don't have the context of why this is being implemented, so can't > comment if there's a better way. This is the intended mechanism for CreateThread inside the renderer to work when ALPC is dropped. Features are only enabled in tests at the moment. Fair point re AV detection.
	245 EvalResult eval_result,

	246 const ClientInfo& client_info,

	247 const SIZE_T stack_size,

	248 const LPTHREAD_START_ROUTINE start_address,

	249 const LPVOID parameter,

	250 const DWORD creation_flags,

	251 LPDWORD thread_id,

	252 HANDLE* handle) {

	253 // The only action supported is ASK_BROKER which means create the process.
	forshaw 2016/02/02 11:11:49 nit: You mean thread not process? nit: You mean thread not process? liamjm (20p) 2016/02/02 20:43:45 Done. Show quoted text On 2016/02/02 11:11:49, forshaw wrote: > nit: You mean thread not process? Done.
	254 if (GIVE_ALLACCESS != eval_result && GIVE_READONLY != eval_result) {

	255 return ERROR_ACCESS_DENIED;

	256 }

	257 HANDLE local_handle =

	258 CreateRemoteThread(client_info.process, nullptr, stack_size,

	259 start_address, parameter, creation_flags, thread_id);

	260 if (!local_handle) {

	261 return ::GetLastError();

	262 }

	263 if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,

	264 client_info.process, handle, 0, FALSE,
	Will Harris 2016/02/02 05:45:33 should this 0 be THREAD_ALL_ACCESS if eval_result should this 0 be THREAD_ALL_ACCESS if eval_result is GIVE_ALLACCESS? forshaw 2016/02/02 11:11:49 CreateRemoteThread should return a handle with THR Show quoted text On 2016/02/02 05:45:33, Will Harris wrote: > should this 0 be THREAD_ALL_ACCESS if eval_result is GIVE_ALLACCESS? CreateRemoteThread should return a handle with THREAD_ALL_ACCESS rights, so I think DUPLICATE_SAME_ACCESS makes the most sense. Especially as you cannot change the rights to add additional ones as that will fail the DACL check (which is based on the target process' token rather than the callers). That said is there supposed to be a distinction between GIVE_ALLACCESS and GIVE_READONLY? liamjm (20p) 2016/02/02 20:43:45 If DUPLCIATE_SAME_ACCESS is specified below, then Show quoted text On 2016/02/02 05:45:33, Will Harris wrote: > should this 0 be THREAD_ALL_ACCESS if eval_result is GIVE_ALLACCESS? If DUPLCIATE_SAME_ACCESS is specified below, then this arg is ignored. https://msdn.microsoft.com/en-us/library/windows/desktop/ms724251(v=vs.85).aspx There is no difference between GIVE_ALLACCESSS and GIVE_READONLY. I've added comments to the policies (PROCESS_MIN_EXEC and PROCESS_ALL_EXEC) in sandbox_policy.h.
	265 DUPLICATE_CLOSE_SOURCE \| DUPLICATE_SAME_ACCESS)) {
	Will Harris 2016/02/02 05:45:33 I'm not sure this should be DUPLICATE_SAME_ACCESS I'm not sure this should be DUPLICATE_SAME_ACCESS
	266 return ERROR_ACCESS_DENIED;

	267 }

	268 return ERROR_SUCCESS;

	269 }

	270

241 } // namespace sandbox	271 } // namespace sandbox

OLD	NEW

« sandbox/win/src/process_thread_interception.cc ('K') | « sandbox/win/src/process_thread_policy.h ('k') | sandbox/win/src/sandbox_policy.h » ('j') | sandbox/win/src/sandbox_policy.h » ('J')