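// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_SRC_INTERCEPTORS_64_H_
#define SANDBOX_SRC_INTERCEPTORS_64_H_

// Kept inside the include guard so a repeated inclusion of this header does
// not process them again.
#include "sandbox/win/src/nt_internals.h"
#include "sandbox/win/src/sandbox_types.h"

// Declarations of the "...64" interceptor entry points. Each one stands in for
// the system function named in its comment when that function is called in the
// sandboxed child process. Only prototypes live here; the definitions are in
// other files.
//
// NOTE(review): these hooks execute inside the child, in the same address
// space as the code being sandboxed, so they should be read as a
// compatibility/forwarding layer rather than as an enforcement boundary. The
// access decision presumably belongs to the dispatcher named in each section
// heading and to the OS-level restrictions placed on the process. Confirm
// against the dispatcher and policy sources, which are not part of this
// header.
//
// NOTE(review): every pointer parameter below (object attributes, output
// handles, buffers and their lengths) is supplied by code running in the
// sandboxed process. The definitions are not visible here, so verify that
// they validate these arguments before dereferencing or forwarding them.

namespace sandbox {

extern "C" {

// Interception of NtMapViewOfSection on the child process.
// It should never be called directly. This function provides the means to
// detect dlls being loaded, so we can patch them if needed.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtMapViewOfSection64(
    HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect);

// Interception of NtUnmapViewOfSection on the child process.
// It should never be called directly. This function provides the means to
// detect dlls being unloaded, so we can clean up our interceptions.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process,
                                                               PVOID base);

// -----------------------------------------------------------------------
// Interceptors without IPC.
// Per the heading, the thread-information and thread-token hooks in this
// group do not go through a dispatcher.

// Interception of NtSetInformationThread on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationThread64(
    HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class,
    PVOID thread_information, ULONG thread_information_bytes);

// Interception of NtOpenThreadToken on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadToken64(
    HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
    PHANDLE token);

// Interception of NtOpenThreadTokenEx on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadTokenEx64(
    HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
    ULONG handle_attributes, PHANDLE token);

// -----------------------------------------------------------------------
// Interceptors handled by the file system dispatcher.

// Interception of NtCreateFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64(
    PHANDLE file, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
    PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing,
    ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length);

// Interception of NtOpenFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64(
    PHANDLE file, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
    ULONG sharing, ULONG options);

// Interception of NtQueryAttributesFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_BASIC_INFORMATION file_attributes);

// Interception of NtQueryFullAttributesFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_NETWORK_OPEN_INFORMATION file_attributes);

// Interception of NtSetInformationFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64(
    HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information,
    ULONG length, FILE_INFORMATION_CLASS file_information_class);

// -----------------------------------------------------------------------
// Interceptors handled by the named pipe dispatcher.

// Interception of CreateNamedPipeW in kernel32.dll
SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64(
    LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance,
    DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout,
    LPSECURITY_ATTRIBUTES security_attributes);

// -----------------------------------------------------------------------
// Interceptors handled by the process-thread dispatcher.

// Interception of NtOpenThread on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64(
    PHANDLE thread, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);

// Interception of NtOpenProcess on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64(
    PHANDLE process, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);

// Interception of NtOpenProcessToken on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64(
    HANDLE process, ACCESS_MASK desired_access, PHANDLE token);

// Interception of NtOpenProcessTokenEx on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64(
    HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes,
    PHANDLE token);

// Interception of CreateProcessW in kernel32.dll.
SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64(
    LPCWSTR application_name, LPWSTR command_line,
    LPSECURITY_ATTRIBUTES process_attributes,
    LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
    LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info,
    LPPROCESS_INFORMATION process_information);

// Interception of CreateProcessA in kernel32.dll.
SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64(
    LPCSTR application_name, LPSTR command_line,
    LPSECURITY_ATTRIBUTES process_attributes,
    LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
    LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info,
    LPPROCESS_INFORMATION process_information);

// -----------------------------------------------------------------------
// Interceptors handled by the registry dispatcher.

// Interception of NtCreateKey on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
    PUNICODE_STRING class_name, ULONG create_options, PULONG disposition);

// Interception of NtOpenKey on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes);

// Interception of NtOpenKeyEx on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, ULONG open_options);

// -----------------------------------------------------------------------
// Interceptors handled by the sync dispatcher.

// Interception of NtCreateEvent on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent64(
    PHANDLE event_handle, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, EVENT_TYPE event_type,
    BOOLEAN initial_state);

// Interception of NtOpenEvent on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent64(
    PHANDLE event_handle, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes);

// -----------------------------------------------------------------------
// Interceptors handled by the process mitigations win32k lockdown code.

// Interceptor for the GdiDllInitialize function.
SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize64(
    HANDLE dll,
    DWORD reason);

// Interceptor for the GetStockObject function.
SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject64(int object);

// Interceptor for the RegisterClassW function.
// NOTE(review): WNDCLASS is the UNICODE-dependent alias; it matches the
// WNDCLASSW that RegisterClassW takes only when UNICODE is defined for the
// build. Confirm that holds for every target that includes this header.
SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW64(const WNDCLASS* wnd_class);

}  // extern "C"

}  // namespace sandbox

#endif  // SANDBOX_SRC_INTERCEPTORS_64_H_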