This source file includes following definitions.
- TargetNtOpenThread
- TargetNtOpenProcess
- TargetNtOpenProcessToken
- TargetNtOpenProcessTokenEx
- TargetCreateProcessW
- TargetCreateProcessA
- TargetCreateThread
- TargetGetUserDefaultLCID
#include "sandbox/win/src/process_thread_interception.h"
#include "sandbox/win/src/crosscall_client.h"
#include "sandbox/win/src/ipc_tags.h"
#include "sandbox/win/src/policy_params.h"
#include "sandbox/win/src/policy_target.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/src/sandbox_nt_util.h"
#include "sandbox/win/src/sharedmem_ipc_client.h"
#include "sandbox/win/src/target_services.h"
namespace sandbox {
SANDBOX_INTERCEPT NtExports g_nt;
NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
PHANDLE thread, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
PCLIENT_ID client_id) {
NTSTATUS status = orig_OpenThread(thread, desired_access, object_attributes,
client_id);
if (NT_SUCCESS(status))
return status;
do {
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
break;
if (!client_id)
break;
uint32 thread_id = 0;
bool should_break = false;
__try {
if (NULL != client_id->UniqueProcess)
should_break = true;
if (!should_break && NULL != object_attributes) {
if (0 != object_attributes->Attributes ||
NULL != object_attributes->ObjectName ||
NULL != object_attributes->RootDirectory ||
NULL != object_attributes->SecurityDescriptor ||
NULL != object_attributes->SecurityQualityOfService) {
should_break = true;
}
}
thread_id = static_cast<uint32>(
reinterpret_cast<ULONG_PTR>(client_id->UniqueThread));
} __except(EXCEPTION_EXECUTE_HANDLER) {
break;
}
if (should_break)
break;
if (!ValidParameter(thread, sizeof(HANDLE), WRITE))
break;
void* memory = GetGlobalIPCMemory();
if (NULL == memory)
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTOPENTHREAD_TAG, desired_access,
thread_id, &answer);
if (SBOX_ALL_OK != code)
break;
if (!NT_SUCCESS(answer.nt_status))
break;
__try {
*thread = answer.handle;
} __except(EXCEPTION_EXECUTE_HANDLER) {
break;
}
return answer.nt_status;
} while (false);
return status;
}
NTSTATUS WINAPI TargetNtOpenProcess(NtOpenProcessFunction orig_OpenProcess,
PHANDLE process, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
PCLIENT_ID client_id) {
NTSTATUS status = orig_OpenProcess(process, desired_access, object_attributes,
client_id);
if (NT_SUCCESS(status))
return status;
do {
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
break;
if (!client_id)
break;
uint32 process_id = 0;
bool should_break = false;
__try {
if (!should_break && NULL != object_attributes) {
if (0 != object_attributes->Attributes ||
NULL != object_attributes->ObjectName ||
NULL != object_attributes->RootDirectory ||
NULL != object_attributes->SecurityDescriptor ||
NULL != object_attributes->SecurityQualityOfService) {
should_break = true;
}
}
process_id = static_cast<uint32>(
reinterpret_cast<ULONG_PTR>(client_id->UniqueProcess));
} __except(EXCEPTION_EXECUTE_HANDLER) {
break;
}
if (should_break)
break;
if (!ValidParameter(process, sizeof(HANDLE), WRITE))
break;
void* memory = GetGlobalIPCMemory();
if (NULL == memory)
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTOPENPROCESS_TAG, desired_access,
process_id, &answer);
if (SBOX_ALL_OK != code)
break;
if (!NT_SUCCESS(answer.nt_status))
return answer.nt_status;
__try {
*process = answer.handle;
} __except(EXCEPTION_EXECUTE_HANDLER) {
break;
}
return answer.nt_status;
} while (false);
return status;
}
NTSTATUS WINAPI TargetNtOpenProcessToken(
NtOpenProcessTokenFunction orig_OpenProcessToken, HANDLE process,
ACCESS_MASK desired_access, PHANDLE token) {
NTSTATUS status = orig_OpenProcessToken(process, desired_access, token);
if (NT_SUCCESS(status))
return status;
do {
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
break;
if (CURRENT_PROCESS != process)
break;
if (!ValidParameter(token, sizeof(HANDLE), WRITE))
break;
void* memory = GetGlobalIPCMemory();
if (NULL == memory)
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTOPENPROCESSTOKEN_TAG, process,
desired_access, &answer);
if (SBOX_ALL_OK != code)
break;
if (!NT_SUCCESS(answer.nt_status))
return answer.nt_status;
__try {
*token = answer.handle;
} __except(EXCEPTION_EXECUTE_HANDLER) {
break;
}
return answer.nt_status;
} while (false);
return status;
}
NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, HANDLE process,
ACCESS_MASK desired_access, ULONG handle_attributes, PHANDLE token) {
NTSTATUS status = orig_OpenProcessTokenEx(process, desired_access,
handle_attributes, token);
if (NT_SUCCESS(status))
return status;
do {
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
break;
if (CURRENT_PROCESS != process)
break;
if (!ValidParameter(token, sizeof(HANDLE), WRITE))
break;
void* memory = GetGlobalIPCMemory();
if (NULL == memory)
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTOPENPROCESSTOKENEX_TAG, process,
desired_access, handle_attributes, &answer);
if (SBOX_ALL_OK != code)
break;
if (!NT_SUCCESS(answer.nt_status))
return answer.nt_status;
__try {
*token = answer.handle;
} __except(EXCEPTION_EXECUTE_HANDLER) {
break;
}
return answer.nt_status;
} while (false);
return status;
}
BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
LPCWSTR application_name, LPWSTR command_line,
LPSECURITY_ATTRIBUTES process_attributes,
LPSECURITY_ATTRIBUTES thread_attributes,
BOOL inherit_handles, DWORD flags,
LPVOID environment, LPCWSTR current_directory,
LPSTARTUPINFOW startup_info,
LPPROCESS_INFORMATION process_information) {
if (orig_CreateProcessW(application_name, command_line, process_attributes,
thread_attributes, inherit_handles, flags,
environment, current_directory, startup_info,
process_information)) {
return TRUE;
}
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
return FALSE;
DWORD original_error = ::GetLastError();
do {
if (!ValidParameter(process_information, sizeof(PROCESS_INFORMATION),
WRITE))
break;
void* memory = GetGlobalIPCMemory();
if (NULL == memory)
break;
const wchar_t* cur_dir = NULL;
wchar_t current_directory[MAX_PATH];
DWORD result = ::GetCurrentDirectory(MAX_PATH, current_directory);
if (0 != result && result < MAX_PATH)
cur_dir = current_directory;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
InOutCountedBuffer proc_info(process_information,
sizeof(PROCESS_INFORMATION));
ResultCode code = CrossCall(ipc, IPC_CREATEPROCESSW_TAG, application_name,
command_line, cur_dir, proc_info, &answer);
if (SBOX_ALL_OK != code)
break;
::SetLastError(answer.win32_result);
if (ERROR_SUCCESS != answer.win32_result)
return FALSE;
return TRUE;
} while (false);
::SetLastError(original_error);
return FALSE;
}
BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
LPCSTR application_name, LPSTR command_line,
LPSECURITY_ATTRIBUTES process_attributes,
LPSECURITY_ATTRIBUTES thread_attributes,
BOOL inherit_handles, DWORD flags,
LPVOID environment, LPCSTR current_directory,
LPSTARTUPINFOA startup_info,
LPPROCESS_INFORMATION process_information) {
if (orig_CreateProcessA(application_name, command_line, process_attributes,
thread_attributes, inherit_handles, flags,
environment, current_directory, startup_info,
process_information)) {
return TRUE;
}
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
return FALSE;
DWORD original_error = ::GetLastError();
do {
if (!ValidParameter(process_information, sizeof(PROCESS_INFORMATION),
WRITE))
break;
void* memory = GetGlobalIPCMemory();
if (NULL == memory)
break;
UNICODE_STRING *cmd_unicode = NULL;
UNICODE_STRING *app_unicode = NULL;
if (command_line) {
cmd_unicode = AnsiToUnicode(command_line);
if (!cmd_unicode)
break;
}
if (application_name) {
app_unicode = AnsiToUnicode(application_name);
if (!app_unicode) {
operator delete(cmd_unicode, NT_ALLOC);
break;
}
}
const wchar_t* cmd_line = cmd_unicode ? cmd_unicode->Buffer : NULL;
const wchar_t* app_name = app_unicode ? app_unicode->Buffer : NULL;
const wchar_t* cur_dir = NULL;
wchar_t current_directory[MAX_PATH];
DWORD result = ::GetCurrentDirectory(MAX_PATH, current_directory);
if (0 != result && result < MAX_PATH)
cur_dir = current_directory;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
InOutCountedBuffer proc_info(process_information,
sizeof(PROCESS_INFORMATION));
ResultCode code = CrossCall(ipc, IPC_CREATEPROCESSW_TAG, app_name,
cmd_line, cur_dir, proc_info, &answer);
operator delete(cmd_unicode, NT_ALLOC);
operator delete(app_unicode, NT_ALLOC);
if (SBOX_ALL_OK != code)
break;
::SetLastError(answer.win32_result);
if (ERROR_SUCCESS != answer.win32_result)
return FALSE;
return TRUE;
} while (false);
::SetLastError(original_error);
return FALSE;
}
HANDLE WINAPI TargetCreateThread(CreateThreadFunction orig_CreateThread,
LPSECURITY_ATTRIBUTES thread_attributes,
SIZE_T stack_size,
LPTHREAD_START_ROUTINE start_address,
PVOID parameter,
DWORD creation_flags,
LPDWORD thread_id) {
static bool use_create_thread = true;
HANDLE thread;
if (use_create_thread) {
thread = orig_CreateThread(thread_attributes, stack_size, start_address,
parameter, creation_flags, thread_id);
if (thread)
return thread;
}
PSECURITY_DESCRIPTOR sd =
thread_attributes ? thread_attributes->lpSecurityDescriptor : NULL;
CLIENT_ID client_id;
NTSTATUS result = g_nt.RtlCreateUserThread(NtCurrentProcess, sd,
creation_flags & CREATE_SUSPENDED,
0, stack_size, 0, start_address,
parameter, &thread, &client_id);
if (!NT_SUCCESS(result))
return 0;
use_create_thread = false;
if (thread_id)
*thread_id = HandleToUlong(client_id.UniqueThread);
return thread;
}
LCID WINAPI TargetGetUserDefaultLCID(
GetUserDefaultLCIDFunction orig_GetUserDefaultLCID) {
static LCID default_lcid = orig_GetUserDefaultLCID();
return default_lcid;
}
}