CreateThread interception, to use CreateRemoteThread

sandbox/win/src/process_thread_interception.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/process_thread_interception.h"
 
+#include "base/win/windows_version.h"

[cpu_(ooo_6.6-7.5), 2016/02/04 01:40:52]

wrong include order?

 #include <stdint.h>
-
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
 
 namespace sandbox {
@@ skipping 382 matching lines @@
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
     return TRUE;
   } while (false);
 
   ::SetLastError(original_error);
   return FALSE;
 }
 
+HANDLE WINAPI TargetCreateThread(CreateThreadFunction orig_CreateThread,
+                                 LPSECURITY_ATTRIBUTES thread_attributes,
+                                 SIZE_T stack_size,
+                                 LPTHREAD_START_ROUTINE start_address,
+                                 LPVOID parameter,
+                                 DWORD creation_flags,
+                                 LPDWORD thread_id) {
+  HANDLE hThread = NULL;
+
+  TargetServices* target_services = SandboxFactory::GetTargetServices();
+  if (NULL == target_services ||
+      target_services->GetState()->IsCsrssConnected()) {
+    hThread = orig_CreateThread(thread_attributes, stack_size, start_address,

[cpu_(ooo_6.6-7.5), 2016/02/04 01:40:52]

this block looks funny. Regardless of crss state, if the target can create the
thread then it should, right?


We don't use the code for TargetCreateProcessA right? that was only done to
support the adobe NPAPI pdf reader right?  Justin?

[jschuh, 2016/02/04 04:49:51]

No, because CreateThread() will try to register via CSRSS and fail (IIRC
triggering a crash).
No, we don't use it. It goes back to one of nsylvain@'s early efforts at plugin
sandboxing, so maybe PDF.

+                                parameter, creation_flags, thread_id);
+    if (hThread) {
+      return hThread;
+    }
+  }
+
+  if (NULL == target_services)
+    return NULL;
+
+  // We don't trust that the IPC can work this early.
+  if (!target_services->GetState()->InitCalled())
+    return NULL;
+
+  DWORD original_error = ::GetLastError();
+
+  do {
+    if (NULL != thread_id &&
+        !ValidParameter(thread_id, sizeof(*thread_id), WRITE))
+      break;
+
+    void* memory = GetGlobalIPCMemory();
+    if (NULL == memory)
+      break;
+
+    SharedMemIPCClient ipc(memory);
+    CrossCallReturn answer = {0};
+
+    // NOTE: we don't pass the thread_attributes through. This matches the
+    // approach in CreateProcess and in CreateThreadInternal().
+    ResultCode code = CrossCall(ipc, IPC_CREATETHREAD_TAG,
+                                reinterpret_cast<LPVOID>(stack_size),
+                                reinterpret_cast<LPVOID>(start_address),
+                                parameter, creation_flags, &answer);
+    if (SBOX_ALL_OK != code)
+      break;
+
+    ::SetLastError(answer.win32_result);
+    if (ERROR_SUCCESS != answer.win32_result) {
+      return NULL;
+    }
+
+    if (thread_id != NULL) {
+      *thread_id = ::GetThreadId(answer.handle);
+    }
+    return answer.handle;
+  } while (false);
+
+  ::SetLastError(original_error);
+  return NULL;
+}
+
 }  // namespace sandbox