This source file includes following definitions.
- InitNT
- ParseKernelObjects
- TestKernelObjectAccess
- NtGenericOpen
- GetFunctionForType
#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/tools/finder/finder.h"
#include "sandbox/win/tools/finder/ntundoc.h"
#define BUFFER_SIZE 0x800
#define CHECKPTR(x) if (!x) return ::GetLastError()
NTQUERYDIRECTORYOBJECT NtQueryDirectoryObject;
NTOPENDIRECTORYOBJECT NtOpenDirectoryObject;
NTOPENEVENT NtOpenEvent;
NTOPENJOBOBJECT NtOpenJobObject;
NTOPENKEYEDEVENT NtOpenKeyedEvent;
NTOPENMUTANT NtOpenMutant;
NTOPENSECTION NtOpenSection;
NTOPENSEMAPHORE NtOpenSemaphore;
NTOPENSYMBOLICLINKOBJECT NtOpenSymbolicLinkObject;
NTOPENTIMER NtOpenTimer;
NTOPENFILE NtOpenFile;
NTCLOSE NtClose;
DWORD Finder::InitNT() {
HMODULE ntdll_handle = ::LoadLibrary(L"ntdll.dll");
CHECKPTR(ntdll_handle);
NtOpenSymbolicLinkObject = (NTOPENSYMBOLICLINKOBJECT) ::GetProcAddress(
ntdll_handle, "NtOpenSymbolicLinkObject");
CHECKPTR(NtOpenSymbolicLinkObject);
NtQueryDirectoryObject = (NTQUERYDIRECTORYOBJECT) ::GetProcAddress(
ntdll_handle, "NtQueryDirectoryObject");
CHECKPTR(NtQueryDirectoryObject);
NtOpenDirectoryObject = (NTOPENDIRECTORYOBJECT) ::GetProcAddress(
ntdll_handle, "NtOpenDirectoryObject");
CHECKPTR(NtOpenDirectoryObject);
NtOpenKeyedEvent = (NTOPENKEYEDEVENT) ::GetProcAddress(
ntdll_handle, "NtOpenKeyedEvent");
CHECKPTR(NtOpenKeyedEvent);
NtOpenJobObject = (NTOPENJOBOBJECT) ::GetProcAddress(
ntdll_handle, "NtOpenJobObject");
CHECKPTR(NtOpenJobObject);
NtOpenSemaphore = (NTOPENSEMAPHORE) ::GetProcAddress(
ntdll_handle, "NtOpenSemaphore");
CHECKPTR(NtOpenSemaphore);
NtOpenSection = (NTOPENSECTION) ::GetProcAddress(
ntdll_handle, "NtOpenSection");
CHECKPTR(NtOpenSection);
NtOpenMutant= (NTOPENMUTANT) ::GetProcAddress(ntdll_handle, "NtOpenMutant");
CHECKPTR(NtOpenMutant);
NtOpenEvent = (NTOPENEVENT) ::GetProcAddress(ntdll_handle, "NtOpenEvent");
CHECKPTR(NtOpenEvent);
NtOpenTimer = (NTOPENTIMER) ::GetProcAddress(ntdll_handle, "NtOpenTimer");
CHECKPTR(NtOpenTimer);
NtOpenFile = (NTOPENFILE) ::GetProcAddress(ntdll_handle, "NtOpenFile");
CHECKPTR(NtOpenFile);
NtClose = (NTCLOSE) ::GetProcAddress(ntdll_handle, "NtClose");
CHECKPTR(NtClose);
return ERROR_SUCCESS;
}
DWORD Finder::ParseKernelObjects(ATL::CString path) {
UNICODE_STRING unicode_str;
unicode_str.Length = (USHORT)path.GetLength()*2;
unicode_str.MaximumLength = (USHORT)path.GetLength()*2+2;
unicode_str.Buffer = path.GetBuffer();
OBJECT_ATTRIBUTES path_attributes;
InitializeObjectAttributes(&path_attributes,
&unicode_str,
0,
NULL,
NULL);
DWORD object_index = 0;
DWORD data_written = 0;
OBJDIR_INFORMATION *object_directory_info =
(OBJDIR_INFORMATION*) ::HeapAlloc(GetProcessHeap(),
0,
BUFFER_SIZE);
HANDLE file_handle;
NTSTATUS status_code = NtOpenDirectoryObject(&file_handle,
DIRECTORY_QUERY,
&path_attributes);
if (status_code != 0)
return ERROR_UNIDENTIFIED_ERROR;
status_code = NtQueryDirectoryObject(file_handle,
object_directory_info,
BUFFER_SIZE,
TRUE,
TRUE,
&object_index,
&data_written);
if (status_code != 0)
return ERROR_UNIDENTIFIED_ERROR;
while (NtQueryDirectoryObject(file_handle, object_directory_info,
BUFFER_SIZE, TRUE, FALSE, &object_index,
&data_written) == 0 ) {
ATL::CString cur_path(object_directory_info->ObjectName.Buffer,
object_directory_info->ObjectName.Length / sizeof(WCHAR));
ATL::CString cur_type(object_directory_info->ObjectTypeName.Buffer,
object_directory_info->ObjectTypeName.Length / sizeof(WCHAR));
ATL::CString new_path;
if (path == L"\\") {
new_path = path + cur_path;
} else {
new_path = path + L"\\" + cur_path;
}
TestKernelObjectAccess(new_path, cur_type);
if (cur_type == L"Directory") {
ParseKernelObjects(new_path);
}
}
NtClose(file_handle);
return ERROR_SUCCESS;
}
DWORD Finder::TestKernelObjectAccess(ATL::CString path, ATL::CString type) {
Impersonater impersonate(token_handle_);
kernel_object_stats_[PARSE]++;
NTGENERICOPEN func = NULL;
GetFunctionForType(type, &func);
if (!func) {
kernel_object_stats_[BROKEN]++;
Output(OBJ_ERR, type + L" Unsupported", path);
return ERROR_UNSUPPORTED_TYPE;
}
UNICODE_STRING unicode_str;
unicode_str.Length = (USHORT)path.GetLength()*2;
unicode_str.MaximumLength = (USHORT)path.GetLength()*2+2;
unicode_str.Buffer = path.GetBuffer();
OBJECT_ATTRIBUTES path_attributes;
InitializeObjectAttributes(&path_attributes,
&unicode_str,
0,
NULL,
NULL);
HANDLE handle;
NTSTATUS status_code = 0;
if (access_type_ & kTestForAll) {
status_code = NtGenericOpen(GENERIC_ALL, &path_attributes, func, &handle);
if (STATUS_SUCCESS == status_code) {
kernel_object_stats_[ALL]++;
Output(OBJ, L"R/W", path);
NtClose(handle);
return GENERIC_ALL;
} else if (status_code != EXCEPTION_ACCESS_VIOLATION &&
status_code != STATUS_ACCESS_DENIED) {
Output(OBJ_ERR, status_code, path);
kernel_object_stats_[BROKEN]++;
}
}
if (access_type_ & kTestForWrite) {
status_code = NtGenericOpen(GENERIC_WRITE, &path_attributes, func, &handle);
if (STATUS_SUCCESS == status_code) {
kernel_object_stats_[WRITE]++;
Output(OBJ, L"W", path);
NtClose(handle);
return GENERIC_WRITE;
} else if (status_code != EXCEPTION_ACCESS_VIOLATION &&
status_code != STATUS_ACCESS_DENIED) {
Output(OBJ_ERR, status_code, path);
kernel_object_stats_[BROKEN]++;
}
}
if (access_type_ & kTestForRead) {
status_code = NtGenericOpen(GENERIC_READ, &path_attributes, func, &handle);
if (STATUS_SUCCESS == status_code) {
kernel_object_stats_[READ]++;
Output(OBJ, L"R", path);
NtClose(handle);
return GENERIC_READ;
} else if (status_code != EXCEPTION_ACCESS_VIOLATION &&
status_code != STATUS_ACCESS_DENIED) {
Output(OBJ_ERR, status_code, path);
kernel_object_stats_[BROKEN]++;
}
}
return 0;
}
NTSTATUS Finder::NtGenericOpen(ACCESS_MASK desired_access,
OBJECT_ATTRIBUTES *object_attributes,
NTGENERICOPEN func_to_call,
HANDLE *handle) {
return func_to_call(handle, desired_access, object_attributes);
}
bool Finder::GetFunctionForType(ATL::CString type,
NTGENERICOPEN * func_to_call) {
NTGENERICOPEN func = NULL;
if (type == L"Event") func = NtOpenEvent;
else if (type == L"Job") func = NtOpenJobObject;
else if (type == L"KeyedEvent") func = NtOpenKeyedEvent;
else if (type == L"Mutant") func = NtOpenMutant;
else if (type == L"Section") func = NtOpenSection;
else if (type == L"Semaphore") func = NtOpenSemaphore;
else if (type == L"Timer") func = NtOpenTimer;
else if (type == L"SymbolicLink") func = NtOpenSymbolicLinkObject;
else if (type == L"Directory") func = NtOpenDirectoryObject;
if (func) {
*func_to_call = func;
return true;
}
return false;
}