| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/target_process.h" | 5 #include "sandbox/win/src/target_process.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <memory> | 10 #include <memory> |
| 11 #include <utility> | 11 #include <utility> |
| 12 | 12 |
| 13 #include "base/macros.h" | 13 #include "base/macros.h" |
| 14 #include "base/memory/free_deleter.h" | 14 #include "base/memory/free_deleter.h" |
| 15 #include "base/win/pe_image.h" | |
| 16 #include "base/win/startup_information.h" | 15 #include "base/win/startup_information.h" |
| 17 #include "base/win/windows_version.h" | 16 #include "base/win/windows_version.h" |
| 18 #include "sandbox/win/src/crosscall_client.h" | 17 #include "sandbox/win/src/crosscall_client.h" |
| 19 #include "sandbox/win/src/crosscall_server.h" | 18 #include "sandbox/win/src/crosscall_server.h" |
| 20 #include "sandbox/win/src/policy_low_level.h" | 19 #include "sandbox/win/src/policy_low_level.h" |
| 21 #include "sandbox/win/src/sandbox_types.h" | 20 #include "sandbox/win/src/sandbox_types.h" |
| 22 #include "sandbox/win/src/sharedmem_ipc_server.h" | 21 #include "sandbox/win/src/sharedmem_ipc_server.h" |
| 23 #include "sandbox/win/src/win_utils.h" | 22 #include "sandbox/win/src/win_utils.h" |
| 24 | 23 |
| 25 namespace { | 24 namespace { |
| (...skipping 17 matching lines...) Expand all Loading... |
| 43 } | 42 } |
| 44 | 43 |
| 45 } // namespace | 44 } // namespace |
| 46 | 45 |
| 47 namespace sandbox { | 46 namespace sandbox { |
| 48 | 47 |
| 49 SANDBOX_INTERCEPT HANDLE g_shared_section; | 48 SANDBOX_INTERCEPT HANDLE g_shared_section; |
| 50 SANDBOX_INTERCEPT size_t g_shared_IPC_size; | 49 SANDBOX_INTERCEPT size_t g_shared_IPC_size; |
| 51 SANDBOX_INTERCEPT size_t g_shared_policy_size; | 50 SANDBOX_INTERCEPT size_t g_shared_policy_size; |
| 52 | 51 |
| 53 // Returns the address of the main exe module in memory taking in account | |
| 54 // address space layout randomization. | |
| 55 void* GetBaseAddress(const wchar_t* exe_name, void* entry_point) { | |
| 56 HMODULE exe = ::LoadLibrary(exe_name); | |
| 57 if (NULL == exe) | |
| 58 return exe; | |
| 59 | |
| 60 base::win::PEImage pe(exe); | |
| 61 if (!pe.VerifyMagic()) { | |
| 62 ::FreeLibrary(exe); | |
| 63 return exe; | |
| 64 } | |
| 65 PIMAGE_NT_HEADERS nt_header = pe.GetNTHeaders(); | |
| 66 char* base = reinterpret_cast<char*>(entry_point) - | |
| 67 nt_header->OptionalHeader.AddressOfEntryPoint; | |
| 68 | |
| 69 ::FreeLibrary(exe); | |
| 70 return base; | |
| 71 } | |
| 72 | |
| 73 TargetProcess::TargetProcess(base::win::ScopedHandle initial_token, | 52 TargetProcess::TargetProcess(base::win::ScopedHandle initial_token, |
| 74 base::win::ScopedHandle lockdown_token, | 53 base::win::ScopedHandle lockdown_token, |
| 75 HANDLE job, | 54 HANDLE job, |
| 76 ThreadProvider* thread_pool) | 55 ThreadProvider* thread_pool) |
| 77 // This object owns everything initialized here except thread_pool and | 56 // This object owns everything initialized here except thread_pool and |
| 78 // the job_ handle. The Job handle is closed by BrokerServices and results | 57 // the job_ handle. The Job handle is closed by BrokerServices and results |
| 79 // eventually in a call to our dtor. | 58 // eventually in a call to our dtor. |
| 80 : lockdown_token_(std::move(lockdown_token)), | 59 : lockdown_token_(std::move(lockdown_token)), |
| 81 initial_token_(std::move(initial_token)), | 60 initial_token_(std::move(initial_token)), |
| 82 job_(job), | 61 job_(job), |
| (...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 173 if (!::SetThreadToken(&temp_thread, initial_token_.Get())) { | 152 if (!::SetThreadToken(&temp_thread, initial_token_.Get())) { |
| 174 *win_error = ::GetLastError(); | 153 *win_error = ::GetLastError(); |
| 175 // It might be a security breach if we let the target run outside the job | 154 // It might be a security breach if we let the target run outside the job |
| 176 // so kill it before it causes damage. | 155 // so kill it before it causes damage. |
| 177 ::TerminateProcess(process_info.process_handle(), 0); | 156 ::TerminateProcess(process_info.process_handle(), 0); |
| 178 return SBOX_ERROR_SET_THREAD_TOKEN; | 157 return SBOX_ERROR_SET_THREAD_TOKEN; |
| 179 } | 158 } |
| 180 initial_token_.Close(); | 159 initial_token_.Close(); |
| 181 } | 160 } |
| 182 | 161 |
| 183 CONTEXT context; | |
| 184 context.ContextFlags = CONTEXT_ALL; | |
| 185 if (!::GetThreadContext(process_info.thread_handle(), &context)) { | |
| 186 *win_error = ::GetLastError(); | |
| 187 ::TerminateProcess(process_info.process_handle(), 0); | |
| 188 return SBOX_ERROR_GET_THREAD_CONTEXT; | |
| 189 } | |
| 190 | |
| 191 #if defined(_WIN64) | |
| 192 void* entry_point = reinterpret_cast<void*>(context.Rcx); | |
| 193 #else | |
| 194 #pragma warning(push) | |
| 195 #pragma warning(disable: 4312) | |
| 196 // This cast generates a warning because it is 32 bit specific. | |
| 197 void* entry_point = reinterpret_cast<void*>(context.Eax); | |
| 198 #pragma warning(pop) | |
| 199 #endif // _WIN64 | |
| 200 | |
| 201 if (!target_info->DuplicateFrom(process_info)) { | 162 if (!target_info->DuplicateFrom(process_info)) { |
| 202 *win_error = ::GetLastError(); // This may or may not be correct. | 163 *win_error = ::GetLastError(); // This may or may not be correct. |
| 203 ::TerminateProcess(process_info.process_handle(), 0); | 164 ::TerminateProcess(process_info.process_handle(), 0); |
| 204 return SBOX_ERROR_DUPLICATE_TARGET_INFO; | 165 return SBOX_ERROR_DUPLICATE_TARGET_INFO; |
| 205 } | 166 } |
| 206 | 167 |
| 207 base_address_ = GetBaseAddress(exe_path, entry_point); | 168 base_address_ = GetProcessBaseAddress(process_info.process_handle()); |
| 169 DCHECK(base_address_); |
| 170 if (!base_address_) { |
| 171 *win_error = ::GetLastError(); |
| 172 ::TerminateProcess(process_info.process_handle(), 0); |
| 173 return SBOX_ERROR_CANNOT_FIND_BASE_ADDRESS; |
| 174 } |
| 175 |
| 208 sandbox_process_info_.Set(process_info.Take()); | 176 sandbox_process_info_.Set(process_info.Take()); |
| 209 return SBOX_ALL_OK; | 177 return SBOX_ALL_OK; |
| 210 } | 178 } |
| 211 | 179 |
| 212 ResultCode TargetProcess::TransferVariable(const char* name, void* address, | 180 ResultCode TargetProcess::TransferVariable(const char* name, void* address, |
| 213 size_t size) { | 181 size_t size) { |
| 214 if (!sandbox_process_info_.IsValid()) | 182 if (!sandbox_process_info_.IsValid()) |
| 215 return SBOX_ERROR_UNEXPECTED_CALL; | 183 return SBOX_ERROR_UNEXPECTED_CALL; |
| 216 | 184 |
| 217 void* child_var = address; | 185 void* child_var = address; |
| (...skipping 142 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 360 TargetProcess* target = new TargetProcess( | 328 TargetProcess* target = new TargetProcess( |
| 361 base::win::ScopedHandle(), base::win::ScopedHandle(), NULL, NULL); | 329 base::win::ScopedHandle(), base::win::ScopedHandle(), NULL, NULL); |
| 362 PROCESS_INFORMATION process_info = {}; | 330 PROCESS_INFORMATION process_info = {}; |
| 363 process_info.hProcess = process; | 331 process_info.hProcess = process; |
| 364 target->sandbox_process_info_.Set(process_info); | 332 target->sandbox_process_info_.Set(process_info); |
| 365 target->base_address_ = base_address; | 333 target->base_address_ = base_address; |
| 366 return target; | 334 return target; |
| 367 } | 335 } |
| 368 | 336 |
| 369 } // namespace sandbox | 337 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2323443003:
Implement new method to get process base address in Windows sandbox. (Closed)
