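// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "sandbox/win/src/nt_internals.h"
#include "sandbox/win/src/sandbox_types.h"

#ifndef SANDBOX_SRC_INTERCEPTORS_64_H_
#define SANDBOX_SRC_INTERCEPTORS_64_H_

// Declarations of the "64"-suffixed interceptor entry points of the sandbox.
// This header only declares them; the definitions live elsewhere.
//
// Every function below is declared with SANDBOX_INTERCEPT inside an
// extern "C" block, so its symbol name is not C++-mangled. The parameter
// lists are spelled out in full here and are expected to match the
// intercepted API exactly, because the hook is entered with the arguments of
// the original call.
//
// NOTE(review): the comments below place these hooks "on the child process",
// i.e. in the process being sandboxed. Code running there can presumably be
// bypassed or tampered with by whatever the sandbox is meant to contain, so
// the hooks should be treated as a forwarding layer and the policy decision
// should be made by the dispatcher that receives the request -- confirm
// against the dispatcher code.

namespace sandbox {

extern "C" {

// Interception of NtMapViewOfSection on the child process.
// It should never be called directly. This function provides the means to
// detect dlls being loaded, so we can patch them if needed.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtMapViewOfSection64(
    HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect);

// Interception of NtUnmapViewOfSection on the child process.
// It should never be called directly. This function provides the means to
// detect dlls being unloaded, so we can clean up our interceptions.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process,
                                                               PVOID base);

// -----------------------------------------------------------------------
// Interceptors without IPC.

// Interception of NtSetInformationThread on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationThread64(
    HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class,
    PVOID thread_information, ULONG thread_information_bytes);

// Interception of NtOpenThreadToken on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadToken64(
    HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
    PHANDLE token);

// Interception of NtOpenThreadTokenEx on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadTokenEx64(
    HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
    ULONG handle_attributes, PHANDLE token);

// -----------------------------------------------------------------------
// Interceptors handled by the file system dispatcher.

// Interception of NtCreateFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64(
    PHANDLE file, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
    PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing,
    ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length);

// Interception of NtOpenFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64(
    PHANDLE file, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
    ULONG sharing, ULONG options);

// Interception of NtQueryAttributesFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_BASIC_INFORMATION file_attributes);

// Interception of NtQueryFullAttributesFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_NETWORK_OPEN_INFORMATION file_attributes);

// Interception of NtSetInformationFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64(
    HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information,
    ULONG length, FILE_INFORMATION_CLASS file_information_class);

// -----------------------------------------------------------------------
// Interceptors handled by the named pipe dispatcher.

// Interception of CreateNamedPipeW in kernel32.dll
SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64(
    LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance,
    DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout,
    LPSECURITY_ATTRIBUTES security_attributes);

// -----------------------------------------------------------------------
// Interceptors handled by the process-thread dispatcher.

// Interception of NtOpenThread on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64(
    PHANDLE thread, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);

// Interception of NtOpenProcess on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64(
    PHANDLE process, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);

// Interception of NtOpenProcessToken on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64(
    HANDLE process, ACCESS_MASK desired_access, PHANDLE token);

// Interception of NtOpenProcessTokenEx on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64(
    HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes,
    PHANDLE token);

// Interception of CreateProcessW in kernel32.dll.
SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64(
    LPCWSTR application_name, LPWSTR command_line,
    LPSECURITY_ATTRIBUTES process_attributes,
    LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
    LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info,
    LPPROCESS_INFORMATION process_information);

// Interception of CreateProcessA in kernel32.dll.
SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64(
    LPCSTR application_name, LPSTR command_line,
    LPSECURITY_ATTRIBUTES process_attributes,
    LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
    LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info,
    LPPROCESS_INFORMATION process_information);

// -----------------------------------------------------------------------
// Interceptors handled by the registry dispatcher.

// Interception of NtCreateKey on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
    PUNICODE_STRING class_name, ULONG create_options, PULONG disposition);

// Interception of NtOpenKey on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes);

// Interception of NtOpenKeyEx on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64(
    PHANDLE key, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, ULONG open_options);

// -----------------------------------------------------------------------
// Interceptors handled by the sync dispatcher.

// Interception of NtCreateEvent on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent64(
    PHANDLE event_handle, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes, EVENT_TYPE event_type,
    BOOLEAN initial_state);

// Interception of NtOpenEvent on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent64(
    PHANDLE event_handle, ACCESS_MASK desired_access,
    POBJECT_ATTRIBUTES object_attributes);

// -----------------------------------------------------------------------
// Interceptors handled by the process mitigations win32k lockdown code.

// Interceptor for the GdiDllInitialize function.
SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize64(
    HANDLE dll,
    DWORD reason);

// Interceptor for the GetStockObject function.
SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject64(int object);

// Interceptor for the RegisterClassW function.
// NOTE(review): the parameter is spelled WNDCLASS, which the Windows headers
// map to WNDCLASSW only when UNICODE is defined; the hooked API is the W
// variant, so confirm every translation unit including this header is built
// with UNICODE, or the declared signature will not match the intercepted one.
SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW64(const WNDCLASS* wnd_class);

}  // extern "C"

}  // namespace sandbox

#endif  // SANDBOX_SRC_INTERCEPTORS_64_H_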