Index: sandbox/win/src/process_thread_policy.cc |
diff --git a/sandbox/win/src/process_thread_policy.cc b/sandbox/win/src/process_thread_policy.cc |
index b4976c0bbebeaefc8cfb9cdf57c9533d2c3c0b96..792965a29b1d1f3af8b45d07a71961757d88c71a 100644 |
--- a/sandbox/win/src/process_thread_policy.cc |
+++ b/sandbox/win/src/process_thread_policy.cc |
@@ -99,6 +99,9 @@ bool ProcessPolicy::GenerateRules(const wchar_t* name, |
if (!policy->AddRule(IPC_CREATEPROCESSW_TAG, process.get())) { |
return false; |
} |
+ if (!policy->AddRule(IPC_CREATETHREAD_TAG, process.get())) { |
+ return false; |
+ } |
return true; |
} |
@@ -238,4 +241,31 @@ DWORD ProcessPolicy::CreateProcessWAction(EvalResult eval_result, |
return ERROR_SUCCESS; |
} |
+DWORD ProcessPolicy::CreateThreadAction( |
+ EvalResult eval_result, |
+ const ClientInfo& client_info, |
+ const SIZE_T stack_size, |
+ const LPTHREAD_START_ROUTINE start_address, |
+ const LPVOID parameter, |
+ const DWORD creation_flags, |
+ LPDWORD thread_id, |
+ HANDLE* handle) { |
+ // The only action supported is ASK_BROKER which means create the thread. |
+ if (GIVE_ALLACCESS != eval_result && GIVE_READONLY != eval_result) { |
+ return ERROR_ACCESS_DENIED; |
+ } |
+ HANDLE local_handle = |
+ CreateRemoteThread(client_info.process, nullptr, stack_size, |
cpu_(ooo_6.6-7.5)
2016/02/04 01:40:52
hmm, what if I pass -1 in client_info.process
?!?
jschuh
2016/02/04 04:49:51
Uh... You're just messing with him here, yes?
liamjm (20p)
2016/02/04 21:56:38
As far as I can tell, a user can't control this, i
|
+ start_address, parameter, creation_flags, thread_id); |
cpu_(ooo_6.6-7.5)
2016/02/04 01:40:52
use :: for windows API calls
liamjm (20p)
2016/02/04 21:56:38
Done.
|
+ if (!local_handle) { |
+ return ::GetLastError(); |
+ } |
+ if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, |
+ client_info.process, handle, 0, FALSE, |
+ DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { |
+ return ERROR_ACCESS_DENIED; |
+ } |
+ return ERROR_SUCCESS; |
+} |
+ |
} // namespace sandbox |
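Review bot: The two failure paths in CreateThreadAction report errors inconsistently: a failed CreateRemoteThread returns `::GetLastError()`, but a failed ::DuplicateHandle returns the fixed `ERROR_ACCESS_DENIED`, which hides the real cause (e.g. an invalid target handle) from the caller; I would change the second to `return ::GetLastError();` as well. Note also that by the time ::DuplicateHandle runs the thread already exists and is running in the client process and *thread_id may already have been written, so a caller receiving an error on this path must not assume nothing happened; DUPLICATE_CLOSE_SOURCE does close the broker's local_handle regardless of outcome, so no handle leaks, but that is worth stating in a comment such as `// Thread is already running in the client at this point; DUPLICATE_CLOSE_SOURCE releases our handle even on failure.` Because the target of the duplication is client_info.process, the value stored in *handle is valid only in the client's handle table, not in the broker — a comment on the `handle` parameter saying so would prevent a future caller from closing or waiting on it locally. Finally, stack_size and creation_flags are forwarded unchanged to CreateRemoteThread; if they are not validated before dispatch (not visible in this hunk), consider masking creation_flags to the flags CreateRemoteThread documents (0, CREATE_SUSPENDED, STACK_SIZE_PARAM_IS_A_RESERVATION) before the call.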