1// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "sandbox/win/sandbox_poc/pocdll/exports.h" 6#include "sandbox/win/sandbox_poc/pocdll/utils.h" 7#include "sandbox/win/tools/finder/ntundoc.h" 8 9// This file contains the tests used to verify the security of handles in 10// the process 11 12NTQUERYOBJECT NtQueryObject; 13NTQUERYINFORMATIONFILE NtQueryInformationFile; 14NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; 15 16void POCDLL_API TestGetHandle(HANDLE log) { 17 HandleToFile handle2file; 18 FILE *output = handle2file.Translate(log, "w"); 19 20 // Initialize the NTAPI functions we need 21 HMODULE ntdll_handle = ::GetModuleHandle(L"ntdll.dll"); 22 if (!ntdll_handle) { 23 fprintf(output, "[ERROR] Cannot load ntdll.dll. Error %d\r\n", 24 ::GetLastError()); 25 return; 26 } 27 28 NtQueryObject = reinterpret_cast<NTQUERYOBJECT>( 29 GetProcAddress(ntdll_handle, "NtQueryObject")); 30 NtQueryInformationFile = reinterpret_cast<NTQUERYINFORMATIONFILE>( 31 GetProcAddress(ntdll_handle, "NtQueryInformationFile")); 32 NtQuerySystemInformation = reinterpret_cast<NTQUERYSYSTEMINFORMATION>( 33 GetProcAddress(ntdll_handle, "NtQuerySystemInformation")); 34 35 if (!NtQueryObject || !NtQueryInformationFile || !NtQuerySystemInformation) { 36 fprintf(output, "[ERROR] Cannot load all NT functions. Error %d\r\n", 37 ::GetLastError()); 38 return; 39 } 40 41 // Get the number of handles on the system 42 DWORD buffer_size = 0; 43 SYSTEM_HANDLE_INFORMATION_EX temp_info; 44 NTSTATUS status = NtQuerySystemInformation( 45 SystemHandleInformation, &temp_info, sizeof(temp_info), 46 &buffer_size); 47 if (!buffer_size) { 48 fprintf(output, "[ERROR] Get the number of handles. Error 0x%X\r\n", 49 status); 50 return; 51 } 52 53 SYSTEM_HANDLE_INFORMATION_EX *system_handles = 54 reinterpret_cast<SYSTEM_HANDLE_INFORMATION_EX*>(new BYTE[buffer_size]); 55 56 status = NtQuerySystemInformation(SystemHandleInformation, system_handles, 57 buffer_size, &buffer_size); 58 if (STATUS_SUCCESS != status) { 59 fprintf(output, "[ERROR] Failed to get the handle list. Error 0x%X\r\n", 60 status); 61 delete [] system_handles; 62 return; 63 } 64 65 for (ULONG i = 0; i < system_handles->NumberOfHandles; ++i) { 66 USHORT h = system_handles->Information[i].Handle; 67 if (system_handles->Information[i].ProcessId != ::GetCurrentProcessId()) 68 continue; 69 70 OBJECT_NAME_INFORMATION *name = NULL; 71 ULONG name_size = 0; 72 // Query the name information a first time to get the size of the name. 73 status = NtQueryObject(reinterpret_cast<HANDLE>(h), 74 ObjectNameInformation, 75 name, 76 name_size, 77 &name_size); 78 79 if (name_size) { 80 name = reinterpret_cast<OBJECT_NAME_INFORMATION *>(new BYTE[name_size]); 81 82 // Query the name information a second time to get the name of the 83 // object referenced by the handle. 84 status = NtQueryObject(reinterpret_cast<HANDLE>(h), 85 ObjectNameInformation, 86 name, 87 name_size, 88 &name_size); 89 } 90 91 PUBLIC_OBJECT_TYPE_INFORMATION *type = NULL; 92 ULONG type_size = 0; 93 94 // Query the object to get the size of the object type name. 95 status = NtQueryObject(reinterpret_cast<HANDLE>(h), 96 ObjectTypeInformation, 97 type, 98 type_size, 99 &type_size); 100 if (type_size) { 101 type = reinterpret_cast<PUBLIC_OBJECT_TYPE_INFORMATION *>( 102 new BYTE[type_size]); 103 104 // Query the type information a second time to get the object type 105 // name. 106 status = NtQueryObject(reinterpret_cast<HANDLE>(h), 107 ObjectTypeInformation, 108 type, 109 type_size, 110 &type_size); 111 } 112 113 // NtQueryObject cannot return the name for a file. In this case we 114 // need to ask NtQueryInformationFile 115 FILE_NAME_INFORMATION *file_name = NULL; 116 if (type && wcsncmp(L"File", type->TypeName.Buffer, 117 (type->TypeName.Length / 118 sizeof(type->TypeName.Buffer[0]))) == 0) { 119 // This function does not return the size of the buffer. We need to 120 // iterate and always increase the buffer size until the function 121 // succeeds. (Or at least does not fail with STATUS_BUFFER_OVERFLOW) 122 ULONG size_file = MAX_PATH; 123 IO_STATUS_BLOCK status_block = {0}; 124 do { 125 // Delete the previous buffer create. The buffer was too small 126 if (file_name) { 127 delete[] reinterpret_cast<BYTE*>(file_name); 128 file_name = NULL; 129 } 130 131 // Increase the buffer and do the call agan 132 size_file += MAX_PATH; 133 file_name = reinterpret_cast<FILE_NAME_INFORMATION *>( 134 new BYTE[size_file]); 135 status = NtQueryInformationFile(reinterpret_cast<HANDLE>(h), 136 &status_block, 137 file_name, 138 size_file, 139 FileNameInformation); 140 } while (status == STATUS_BUFFER_OVERFLOW); 141 142 if (STATUS_SUCCESS != status) { 143 if (file_name) { 144 delete[] file_name; 145 file_name = NULL; 146 } 147 } 148 } 149 150 if (file_name) { 151 UNICODE_STRING file_name_string; 152 file_name_string.Buffer = file_name->FileName; 153 file_name_string.Length = (USHORT)file_name->FileNameLength; 154 file_name_string.MaximumLength = (USHORT)file_name->FileNameLength; 155 fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X " 156 "Type: %-13.13wZ Path: %wZ\r\n", 157 h, 158 system_handles->Information[i].GrantedAccess, 159 type ? &type->TypeName : NULL, 160 &file_name_string); 161 } else { 162 fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X " 163 "Type: %-13.13wZ Path: %wZ\r\n", 164 h, 165 system_handles->Information[i].GrantedAccess, 166 type ? &type->TypeName : NULL, 167 name ? &name->ObjectName : NULL); 168 } 169 170 if (type) { 171 delete[] type; 172 } 173 174 if (file_name) { 175 delete[] file_name; 176 } 177 178 if (name) { 179 delete [] name; 180 } 181 } 182 183 if (system_handles) { 184 delete [] system_handles; 185 } 186} 187