15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2011 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/interceptors_64.h" 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/interceptors.h" 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/filesystem_interception.h" 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/named_pipe_interception.h" 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/policy_target.h" 11f8ee788a64d60abd8f2d742a5fdedde054ecd910Torne (Richard Coles)#include "sandbox/win/src/process_mitigations_win32k_interception.h" 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/process_thread_interception.h" 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/registry_interception.h" 145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sandbox_nt_types.h" 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sandbox_types.h" 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sync_interception.h" 175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/target_interceptions.h" 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace sandbox { 

// Storage for the two globals the interception machinery shares with the
// target process. Nothing in this file assigns them; the side that fills
// them in (presumably the broker, before any thunk below can run) lives
// elsewhere -- TODO confirm.
SANDBOX_INTERCEPT NtExports g_nt;
SANDBOX_INTERCEPT OriginalFunctions g_originals;

// Every Target*64 function in this file is a 64-bit trampoline: it is the
// entry point the interception layer installs over the real API, and all it
// does is fetch the original function pointer saved in g_originals under the
// matching *_ID slot and forward its own arguments, untouched, to the shared
// Target* implementation (which presumably applies the sandbox policy).
//
// NOTE(review): g_originals appears to be a plain writable global inside the
// sandboxed process, so any code already executing here could redirect a
// hook; treat these thunks as policy enforcement for well-behaved callers,
// not as a security boundary -- confirm against the sandbox design notes.

NTSTATUS WINAPI TargetNtMapViewOfSection64(
    HANDLE section, HANDLE process, PVOID* base, ULONG_PTR zero_bits,
    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect) {
  const auto original = reinterpret_cast<NtMapViewOfSectionFunction>(
      g_originals[MAP_VIEW_OF_SECTION_ID]);
  return TargetNtMapViewOfSection(original, section, process, base, zero_bits,
                                  commit_size, offset, view_size, inherit,
                                  allocation_type, protect);
}

NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process, PVOID base) {
  const auto original = reinterpret_cast<NtUnmapViewOfSectionFunction>(
      g_originals[UNMAP_VIEW_OF_SECTION_ID]);
  return TargetNtUnmapViewOfSection(original, process, base);
}

// -----------------------------------------------------------------------

// The thread/token thunks in this group, like the two section thunks above,
// carry no SANDBOX_INTERCEPT tag, unlike everything from TargetNtCreateFile64
// onwards. As far as this file shows that is deliberate -- TODO confirm
// against interceptors_64.h.

NTSTATUS WINAPI TargetNtSetInformationThread64(
    HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class,
    PVOID thread_information, ULONG thread_information_bytes) {
  const auto original = reinterpret_cast<NtSetInformationThreadFunction>(
      g_originals[SET_INFORMATION_THREAD_ID]);
  return TargetNtSetInformationThread(original, thread, thread_info_class,
                                      thread_information,
                                      thread_information_bytes);
}

NTSTATUS WINAPI TargetNtOpenThreadToken64(
    HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
    PHANDLE token) {
  const auto original = reinterpret_cast<NtOpenThreadTokenFunction>(
      g_originals[OPEN_THREAD_TOKEN_ID]);
  return TargetNtOpenThreadToken(original, thread, desired_access,
                                 open_as_self, token);
}

NTSTATUS WINAPI TargetNtOpenThreadTokenEx64(
    HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
    ULONG handle_attributes, PHANDLE token) {
  const auto original = reinterpret_cast<NtOpenThreadTokenExFunction>(
      g_originals[OPEN_THREAD_TOKEN_EX_ID]);
  return TargetNtOpenThreadTokenEx(original, thread, desired_access,
                                   open_as_self, handle_attributes, token);
}

// -----------------------------------------------------------------------

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64(
    PHANDLE file, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
    PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing,
    ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length) {
  const auto original = reinterpret_cast<NtCreateFileFunction>(
      g_originals[CREATE_FILE_ID]);
  return TargetNtCreateFile(original, file, desired_access, object_attributes,
                            io_status, allocation_size, file_attributes,
                            sharing, disposition, options, ea_buffer,
                            ea_length);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64(
    PHANDLE file, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
    ULONG sharing, ULONG options) {
  const auto original = reinterpret_cast<NtOpenFileFunction>(
      g_originals[OPEN_FILE_ID]);
  return TargetNtOpenFile(original, file, desired_access, object_attributes,
                          io_status, sharing, options);
}

// Attribute-query thunks. Both look up the unhooked API in g_originals by
// its *_ID slot and forward the caller's arguments unchanged to the shared
// Target* implementation.

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_BASIC_INFORMATION file_attributes) {
  const auto original = reinterpret_cast<NtQueryAttributesFileFunction>(
      g_originals[QUERY_ATTRIB_FILE_ID]);
  return TargetNtQueryAttributesFile(original, object_attributes,
                                     file_attributes);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_NETWORK_OPEN_INFORMATION file_attributes) {
  const auto original = reinterpret_cast<NtQueryFullAttributesFileFunction>(
      g_originals[QUERY_FULL_ATTRIB_FILE_ID]);
  return TargetNtQueryFullAttributesFile(original, object_attributes,
                                         file_attributes);
}

// Thunks for the remaining file, named-pipe and process/thread
// interceptions. Each one fetches the unhooked API from g_originals by its
// *_ID slot and forwards every argument, untouched, to the shared Target*
// implementation.

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64(
    HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information,
    ULONG length, FILE_INFORMATION_CLASS file_information_class) {
  const auto original = reinterpret_cast<NtSetInformationFileFunction>(
      g_originals[SET_INFO_FILE_ID]);
  return TargetNtSetInformationFile(original, file, io_status,
                                    file_information, length,
                                    file_information_class);
}

// -----------------------------------------------------------------------

SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64(
    LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance,
    DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout,
    LPSECURITY_ATTRIBUTES security_attributes) {
  const auto original = reinterpret_cast<CreateNamedPipeWFunction>(
      g_originals[CREATE_NAMED_PIPE_ID]);
  return TargetCreateNamedPipeW(original, pipe_name, open_mode, pipe_mode,
                                max_instance, out_buffer_size, in_buffer_size,
                                default_timeout, security_attributes);
}

// -----------------------------------------------------------------------

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64(
    PHANDLE thread, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id) {
  // OPEN_TREAD_ID (sic) is the slot name this file is given for
  // NtOpenThread; presumably it is spelled that way in interceptors.h, so it
  // must stay in sync with that header rather than be "fixed" here.
  const auto original = reinterpret_cast<NtOpenThreadFunction>(
      g_originals[OPEN_TREAD_ID]);
  return TargetNtOpenThread(original, thread, desired_access,
                            object_attributes, client_id);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64(
    PHANDLE process, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id) {
  const auto original = reinterpret_cast<NtOpenProcessFunction>(
      g_originals[OPEN_PROCESS_ID]);
  return TargetNtOpenProcess(original, process, desired_access,
                             object_attributes, client_id);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64(
    HANDLE process, ACCESS_MASK desired_access, PHANDLE token) {
  const auto original = reinterpret_cast<NtOpenProcessTokenFunction>(
      g_originals[OPEN_PROCESS_TOKEN_ID]);
  return TargetNtOpenProcessToken(original, process, desired_access, token);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64(
    HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes,
    PHANDLE token) {
  const auto original = reinterpret_cast<NtOpenProcessTokenExFunction>(
      g_originals[OPEN_PROCESS_TOKEN_EX_ID]);
  return TargetNtOpenProcessTokenEx(original, process, desired_access,
                                    handle_attributes, token);
}

SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64(
    LPCWSTR application_name, LPWSTR command_line,
    LPSECURITY_ATTRIBUTES process_attributes,
    LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
    LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info,
    LPPROCESS_INFORMATION process_information) {
  const auto original = reinterpret_cast<CreateProcessWFunction>(
      g_originals[CREATE_PROCESSW_ID]);
  return TargetCreateProcessW(original, application_name, command_line,
                              process_attributes, thread_attributes,
                              inherit_handles, flags, environment,
                              current_directory, startup_info,
                              process_information);
}

SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64(
    LPCSTR application_name, LPSTR command_line,
    LPSECURITY_ATTRIBUTES process_attributes,
    LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
    LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info,
    LPPROCESS_INFORMATION process_information) {
  // ANSI twin of TargetCreateProcessW64: identical forwarding, its own
  // g_originals slot.
  const auto original = reinterpret_cast<CreateProcessAFunction>(
      g_originals[CREATE_PROCESSA_ID]);
  return TargetCreateProcessA(original, application_name, command_line,
                              process_attributes, thread_attributes,
                              inherit_handles, flags, environment,
                              current_directory, startup_info,
                              process_information);
}

// -----------------------------------------------------------------------

// Registry thunks: look up the unhooked key API in g_originals and hand the
// unchanged arguments to the shared Target* implementation.

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
    PUNICODE_STRING class_name, ULONG create_options, PULONG disposition) {
  const auto original = reinterpret_cast<NtCreateKeyFunction>(
      g_originals[CREATE_KEY_ID]);
  return TargetNtCreateKey(original, key, desired_access, object_attributes,
                           title_index, class_name, create_options,
                           disposition);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes) {
  const auto original = reinterpret_cast<NtOpenKeyFunction>(
      g_originals[OPEN_KEY_ID]);
  return TargetNtOpenKey(original, key, desired_access, object_attributes);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, ULONG open_options) {
  const auto original = reinterpret_cast<NtOpenKeyExFunction>(
      g_originals[OPEN_KEY_EX_ID]);
  return TargetNtOpenKeyEx(original, key, desired_access, object_attributes,
                           open_options);
}

// -----------------------------------------------------------------------

// Event (synchronization) thunks.

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent64(
    PHANDLE event_handle, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, EVENT_TYPE event_type,
    BOOLEAN initial_state) {
  const auto original = reinterpret_cast<NtCreateEventFunction>(
      g_originals[CREATE_EVENT_ID]);
  return TargetNtCreateEvent(original, event_handle, desired_access,
                             object_attributes, event_type, initial_state);
}

SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent64(
    PHANDLE event_handle, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes) {
  const auto original = reinterpret_cast<NtOpenEventFunction>(
      g_originals[OPEN_EVENT_ID]);
  return TargetNtOpenEvent(original, event_handle, desired_access,
                           object_attributes);
}

// -----------------------------------------------------------------------

// GDI/user thunk. Its shared implementation is declared alongside the
// win32k process-mitigation interception (see the
// process_mitigations_win32k_interception.h include); what that policy does
// is not visible from this file.

SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize64(
    HANDLE dll,
    DWORD reason) {
  const auto original = reinterpret_cast<GdiDllInitializeFunction>(
      g_originals[GDIINITIALIZE_ID]);
  return TargetGdiDllInitialize(original, dll, reason);
}


// Remaining GDI/user thunks: same pattern, look up the unhooked API in
// g_originals and forward the unchanged arguments to the shared Target*
// implementation.

SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject64(int object) {
  const auto original = reinterpret_cast<GetStockObjectFunction>(
      g_originals[GETSTOCKOBJECT_ID]);
  return TargetGetStockObject(original, object);
}

SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW64(
    const WNDCLASS* wnd_class) {
  const auto original = reinterpret_cast<RegisterClassWFunction>(
      g_originals[REGISTERCLASSW_ID]);
  return TargetRegisterClassW(original, wnd_class);
}

}  // namespace sandbox