| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "sandbox/win/src/restricted_token.h" |
| 6 #include "sandbox/win/src/restricted_token_utils.h" |
| 7 #include "sandbox/win/tools/finder/finder.h" |
| 8 #include "sandbox/win/tools/finder/ntundoc.h" |
| 9 |
| 10 #define BUFFER_SIZE 0x800 |
| 11 #define CHECKPTR(x) if (!x) return ::GetLastError() |
| 12 |
| 13 // NT API |
| 14 NTQUERYDIRECTORYOBJECT NtQueryDirectoryObject; |
| 15 NTOPENDIRECTORYOBJECT NtOpenDirectoryObject; |
| 16 NTOPENEVENT NtOpenEvent; |
| 17 NTOPENJOBOBJECT NtOpenJobObject; |
| 18 NTOPENKEYEDEVENT NtOpenKeyedEvent; |
| 19 NTOPENMUTANT NtOpenMutant; |
| 20 NTOPENSECTION NtOpenSection; |
| 21 NTOPENSEMAPHORE NtOpenSemaphore; |
| 22 NTOPENSYMBOLICLINKOBJECT NtOpenSymbolicLinkObject; |
| 23 NTOPENTIMER NtOpenTimer; |
| 24 NTOPENFILE NtOpenFile; |
| 25 NTCLOSE NtClose; |
| 26 |
| 27 DWORD Finder::InitNT() { |
| 28 HMODULE ntdll_handle = ::LoadLibrary(L"ntdll.dll"); |
| 29 CHECKPTR(ntdll_handle); |
| 30 |
| 31 NtOpenSymbolicLinkObject = (NTOPENSYMBOLICLINKOBJECT) ::GetProcAddress( |
| 32 ntdll_handle, "NtOpenSymbolicLinkObject"); |
| 33 CHECKPTR(NtOpenSymbolicLinkObject); |
| 34 |
| 35 NtQueryDirectoryObject = (NTQUERYDIRECTORYOBJECT) ::GetProcAddress( |
| 36 ntdll_handle, "NtQueryDirectoryObject"); |
| 37 CHECKPTR(NtQueryDirectoryObject); |
| 38 |
| 39 NtOpenDirectoryObject = (NTOPENDIRECTORYOBJECT) ::GetProcAddress( |
| 40 ntdll_handle, "NtOpenDirectoryObject"); |
| 41 CHECKPTR(NtOpenDirectoryObject); |
| 42 |
| 43 NtOpenKeyedEvent = (NTOPENKEYEDEVENT) ::GetProcAddress( |
| 44 ntdll_handle, "NtOpenKeyedEvent"); |
| 45 CHECKPTR(NtOpenKeyedEvent); |
| 46 |
| 47 NtOpenJobObject = (NTOPENJOBOBJECT) ::GetProcAddress( |
| 48 ntdll_handle, "NtOpenJobObject"); |
| 49 CHECKPTR(NtOpenJobObject); |
| 50 |
| 51 NtOpenSemaphore = (NTOPENSEMAPHORE) ::GetProcAddress( |
| 52 ntdll_handle, "NtOpenSemaphore"); |
| 53 CHECKPTR(NtOpenSemaphore); |
| 54 |
| 55 NtOpenSection = (NTOPENSECTION) ::GetProcAddress( |
| 56 ntdll_handle, "NtOpenSection"); |
| 57 CHECKPTR(NtOpenSection); |
| 58 |
| 59 NtOpenMutant= (NTOPENMUTANT) ::GetProcAddress(ntdll_handle, "NtOpenMutant"); |
| 60 CHECKPTR(NtOpenMutant); |
| 61 |
| 62 NtOpenEvent = (NTOPENEVENT) ::GetProcAddress(ntdll_handle, "NtOpenEvent"); |
| 63 CHECKPTR(NtOpenEvent); |
| 64 |
| 65 NtOpenTimer = (NTOPENTIMER) ::GetProcAddress(ntdll_handle, "NtOpenTimer"); |
| 66 CHECKPTR(NtOpenTimer); |
| 67 |
| 68 NtOpenFile = (NTOPENFILE) ::GetProcAddress(ntdll_handle, "NtOpenFile"); |
| 69 CHECKPTR(NtOpenFile); |
| 70 |
| 71 NtClose = (NTCLOSE) ::GetProcAddress(ntdll_handle, "NtClose"); |
| 72 CHECKPTR(NtClose); |
| 73 |
| 74 return ERROR_SUCCESS; |
| 75 } |
| 76 |
| 77 DWORD Finder::ParseKernelObjects(ATL::CString path) { |
| 78 UNICODE_STRING unicode_str; |
| 79 unicode_str.Length = (USHORT)path.GetLength()*2; |
| 80 unicode_str.MaximumLength = (USHORT)path.GetLength()*2+2; |
| 81 unicode_str.Buffer = path.GetBuffer(); |
| 82 |
| 83 OBJECT_ATTRIBUTES path_attributes; |
| 84 InitializeObjectAttributes(&path_attributes, |
| 85 &unicode_str, |
| 86 0, // No Attributes |
| 87 NULL, // No Root Directory |
| 88 NULL); // No Security Descriptor |
| 89 |
| 90 |
| 91 DWORD object_index = 0; |
| 92 DWORD data_written = 0; |
| 93 |
| 94 // TODO(nsylvain): Do not use BUFFER_SIZE. Try to get the size |
| 95 // dynamically. |
| 96 OBJDIR_INFORMATION *object_directory_info = |
| 97 (OBJDIR_INFORMATION*) ::HeapAlloc(GetProcessHeap(), |
| 98 0, |
| 99 BUFFER_SIZE); |
| 100 |
| 101 HANDLE file_handle; |
| 102 NTSTATUS status_code = NtOpenDirectoryObject(&file_handle, |
| 103 DIRECTORY_QUERY, |
| 104 &path_attributes); |
| 105 if (status_code != 0) |
| 106 return ERROR_UNIDENTIFIED_ERROR; |
| 107 |
| 108 status_code = NtQueryDirectoryObject(file_handle, |
| 109 object_directory_info, |
| 110 BUFFER_SIZE, |
| 111 TRUE, // Get Next Index |
| 112 TRUE, // Ignore Input Index |
| 113 &object_index, |
| 114 &data_written); |
| 115 |
| 116 if (status_code != 0) |
| 117 return ERROR_UNIDENTIFIED_ERROR; |
| 118 |
| 119 while (NtQueryDirectoryObject(file_handle, object_directory_info, |
| 120 BUFFER_SIZE, TRUE, FALSE, &object_index, |
| 121 &data_written) == 0 ) { |
| 122 ATL::CString cur_path(object_directory_info->ObjectName.Buffer, |
| 123 object_directory_info->ObjectName.Length / sizeof(WCHAR)); |
| 124 |
| 125 ATL::CString cur_type(object_directory_info->ObjectTypeName.Buffer, |
| 126 object_directory_info->ObjectTypeName.Length / sizeof(WCHAR)); |
| 127 |
| 128 ATL::CString new_path; |
| 129 if (path == L"\\") { |
| 130 new_path = path + cur_path; |
| 131 } else { |
| 132 new_path = path + L"\\" + cur_path; |
| 133 } |
| 134 |
| 135 TestKernelObjectAccess(new_path, cur_type); |
| 136 |
| 137 // Call the function recursively for all subdirectories |
| 138 if (cur_type == L"Directory") { |
| 139 ParseKernelObjects(new_path); |
| 140 } |
| 141 } |
| 142 |
| 143 NtClose(file_handle); |
| 144 return ERROR_SUCCESS; |
| 145 } |
| 146 |
| 147 DWORD Finder::TestKernelObjectAccess(ATL::CString path, ATL::CString type) { |
| 148 Impersonater impersonate(token_handle_); |
| 149 |
| 150 kernel_object_stats_[PARSE]++; |
| 151 |
| 152 NTGENERICOPEN func = NULL; |
| 153 GetFunctionForType(type, &func); |
| 154 |
| 155 if (!func) { |
| 156 kernel_object_stats_[BROKEN]++; |
| 157 Output(OBJ_ERR, type + L" Unsupported", path); |
| 158 return ERROR_UNSUPPORTED_TYPE; |
| 159 } |
| 160 |
| 161 UNICODE_STRING unicode_str; |
| 162 unicode_str.Length = (USHORT)path.GetLength()*2; |
| 163 unicode_str.MaximumLength = (USHORT)path.GetLength()*2+2; |
| 164 unicode_str.Buffer = path.GetBuffer(); |
| 165 |
| 166 OBJECT_ATTRIBUTES path_attributes; |
| 167 InitializeObjectAttributes(&path_attributes, |
| 168 &unicode_str, |
| 169 0, // No Attributes |
| 170 NULL, // No Root Directory |
| 171 NULL); // No Security Descriptor |
| 172 |
| 173 HANDLE handle; |
| 174 NTSTATUS status_code = 0; |
| 175 |
| 176 if (access_type_ & kTestForAll) { |
| 177 status_code = NtGenericOpen(GENERIC_ALL, &path_attributes, func, &handle); |
| 178 if (STATUS_SUCCESS == status_code) { |
| 179 kernel_object_stats_[ALL]++; |
| 180 Output(OBJ, L"R/W", path); |
| 181 NtClose(handle); |
| 182 return GENERIC_ALL; |
| 183 } else if (status_code != EXCEPTION_ACCESS_VIOLATION && |
| 184 status_code != STATUS_ACCESS_DENIED) { |
| 185 Output(OBJ_ERR, status_code, path); |
| 186 kernel_object_stats_[BROKEN]++; |
| 187 } |
| 188 } |
| 189 |
| 190 if (access_type_ & kTestForWrite) { |
| 191 status_code = NtGenericOpen(GENERIC_WRITE, &path_attributes, func, &handle); |
| 192 if (STATUS_SUCCESS == status_code) { |
| 193 kernel_object_stats_[WRITE]++; |
| 194 Output(OBJ, L"W", path); |
| 195 NtClose(handle); |
| 196 return GENERIC_WRITE; |
| 197 } else if (status_code != EXCEPTION_ACCESS_VIOLATION && |
| 198 status_code != STATUS_ACCESS_DENIED) { |
| 199 Output(OBJ_ERR, status_code, path); |
| 200 kernel_object_stats_[BROKEN]++; |
| 201 } |
| 202 } |
| 203 |
| 204 if (access_type_ & kTestForRead) { |
| 205 status_code = NtGenericOpen(GENERIC_READ, &path_attributes, func, &handle); |
| 206 if (STATUS_SUCCESS == status_code) { |
| 207 kernel_object_stats_[READ]++; |
| 208 Output(OBJ, L"R", path); |
| 209 NtClose(handle); |
| 210 return GENERIC_READ; |
| 211 } else if (status_code != EXCEPTION_ACCESS_VIOLATION && |
| 212 status_code != STATUS_ACCESS_DENIED) { |
| 213 Output(OBJ_ERR, status_code, path); |
| 214 kernel_object_stats_[BROKEN]++; |
| 215 } |
| 216 } |
| 217 |
| 218 return 0; |
| 219 } |
| 220 |
| 221 NTSTATUS Finder::NtGenericOpen(ACCESS_MASK desired_access, |
| 222 OBJECT_ATTRIBUTES *object_attributes, |
| 223 NTGENERICOPEN func_to_call, |
| 224 HANDLE *handle) { |
| 225 return func_to_call(handle, desired_access, object_attributes); |
| 226 } |
| 227 |
| 228 bool Finder::GetFunctionForType(ATL::CString type, |
| 229 NTGENERICOPEN * func_to_call) { |
| 230 NTGENERICOPEN func = NULL; |
| 231 |
| 232 if (type == L"Event") func = NtOpenEvent; |
| 233 else if (type == L"Job") func = NtOpenJobObject; |
| 234 else if (type == L"KeyedEvent") func = NtOpenKeyedEvent; |
| 235 else if (type == L"Mutant") func = NtOpenMutant; |
| 236 else if (type == L"Section") func = NtOpenSection; |
| 237 else if (type == L"Semaphore") func = NtOpenSemaphore; |
| 238 else if (type == L"Timer") func = NtOpenTimer; |
| 239 else if (type == L"SymbolicLink") func = NtOpenSymbolicLinkObject; |
| 240 else if (type == L"Directory") func = NtOpenDirectoryObject; |
| 241 |
| 242 if (func) { |
| 243 *func_to_call = func; |
| 244 return true; |
| 245 } |
| 246 |
| 247 return false; |
| 248 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2775123002:
Revert of Remove sandbox/win/tools. (Closed)
