CreateThread interception, to use CreateRemoteThread

sandbox/win/src/process_thread_policy.cc

Index: sandbox/win/src/process_thread_policy.cc
diff --git a/sandbox/win/src/process_thread_policy.cc b/sandbox/win/src/process_thread_policy.cc
index b4976c0bbebeaefc8cfb9cdf57c9533d2c3c0b96..275461bcaebab0d2e311b29ed7d6867fa63373b5 100644
--- a/sandbox/win/src/process_thread_policy.cc
+++ b/sandbox/win/src/process_thread_policy.cc
@@ -99,6 +99,9 @@ bool ProcessPolicy::GenerateRules(const wchar_t* name,
   if (!policy->AddRule(IPC_CREATEPROCESSW_TAG, process.get())) {
     return false;
   }
+  if (!policy->AddRule(IPC_CREATETHREAD_TAG, process.get())) {
+    return false;
+  }
   return true;
 }
 
@@ -238,4 +241,31 @@ DWORD ProcessPolicy::CreateProcessWAction(EvalResult eval_result,
   return ERROR_SUCCESS;
 }
 
+DWORD ProcessPolicy::CreateThreadAction(
+    EvalResult eval_result,
+    const ClientInfo& client_info,
+    const SIZE_T stack_size,
+    const LPTHREAD_START_ROUTINE start_address,
+    const LPVOID parameter,
+    const DWORD creation_flags,
+    LPDWORD thread_id,
+    HANDLE* handle) {
+  // The only action supported is ASK_BROKER which means create the thread.
+  if (GIVE_ALLACCESS != eval_result && GIVE_READONLY != eval_result) {
+    return ERROR_ACCESS_DENIED;
+  }
+  HANDLE local_handle =
+      ::CreateRemoteThread(client_info.process, nullptr, stack_size,
+                         start_address, parameter, creation_flags, thread_id);
+  if (!local_handle) {
+    return ::GetLastError();
+  }
+  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
+                         client_info.process, handle, 0, FALSE,
+                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
+    return ERROR_ACCESS_DENIED;
+  }
+  return ERROR_SUCCESS;
+}
+
 }  // namespace sandbox