
Unified Diff: sandbox/win/src/process_thread_policy.cc

Issue 1225183003: CreateThread interception, to use CreateRemoteThread (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: tweaks from review Created 5 years ago
Index: sandbox/win/src/process_thread_policy.cc
diff --git a/sandbox/win/src/process_thread_policy.cc b/sandbox/win/src/process_thread_policy.cc
index b58a287ed2d5937917b480fd30bbfe4c7acc5d97..6068ce9a03268fbe67cee2ec7b18fb097b94b7c6 100644
--- a/sandbox/win/src/process_thread_policy.cc
+++ b/sandbox/win/src/process_thread_policy.cc
@@ -97,6 +97,9 @@ bool ProcessPolicy::GenerateRules(const wchar_t* name,
if (!policy->AddRule(IPC_CREATEPROCESSW_TAG, process.get())) {
return false;
}
+ if (!policy->AddRule(IPC_CREATETHREAD_TAG, process.get())) {
+ return false;
+ }
return true;
}
@@ -236,4 +239,32 @@ DWORD ProcessPolicy::CreateProcessWAction(EvalResult eval_result,
return ERROR_SUCCESS;
}
+DWORD ProcessPolicy::CreateThreadAction(
+ EvalResult eval_result,
+ const ClientInfo& client_info,
+ const LPSECURITY_ATTRIBUTES thread_attributes,
+ const SIZE_T stack_size,
+ const LPTHREAD_START_ROUTINE start_address,
+ const PVOID parameter,
+ const DWORD creation_flags,
+ LPDWORD thread_id,
+ HANDLE* handle) {
+ // The only action supported is ASK_BROKER which means create the process.
+ if (GIVE_ALLACCESS != eval_result && GIVE_READONLY != eval_result) {
+ return ERROR_ACCESS_DENIED;
+ }
+ HANDLE local_handle =
+ CreateRemoteThread(client_info.process, thread_attributes, stack_size,
+ start_address, parameter, creation_flags, thread_id);
+ if (!local_handle) {
+ return GetLastError();
Will Harris 2015/12/03 23:58:14 nit: use ::GetLastError() to be consistent.
+ }
+ if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
+ client_info.process, handle, 0, FALSE,
+ DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
+ return ERROR_ACCESS_DENIED;
+ }
+ return ERROR_SUCCESS;
+}
+
} // namespace sandbox
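Review bot: The header comment in the new CreateThreadAction still describes the process path it was copied from — `// The only action supported is ASK_BROKER which means create the process.` — and should read `// The only action supported is ASK_BROKER which means create the thread.`. A second, smaller point in the same function: when ::DuplicateHandle fails the function returns a fixed ERROR_ACCESS_DENIED, which discards the real failure reason and, unless creation_flags contained CREATE_SUSPENDED, leaves a thread that has already started in client_info.process while the caller is told the request was refused. Returning `::GetLastError();` from that branch, as the CreateRemoteThread failure branch does, and adding a one-line comment that the thread may already be running at that point would make the outcome easier to diagnose. GenerateRules, touched by the first hunk, begins before that hunk.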
