interceptors_64.h revision 4e180b6a0b4720a9b8e9e959a882386f690f08ff
15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2011 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 55821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/nt_internals.h" 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "sandbox/win/src/sandbox_types.h" 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#ifndef SANDBOX_SRC_INTERCEPTORS_64_H_ 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#define SANDBOX_SRC_INTERCEPTORS_64_H_ 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace sandbox { 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)extern "C" { 145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtMapViewOfSection on the child process. 165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// It should never be called directly. This function provides the means to 175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// detect dlls being loaded, so we can patch them if needed. 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtMapViewOfSection64( 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits, 205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size, 215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect); 225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtUnmapViewOfSection on the child process. 245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// It should never be called directly. This function provides the means to 255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// detect dlls being unloaded, so we can clean up our interceptions. 265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process, 275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PVOID base); 285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// ----------------------------------------------------------------------- 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interceptors without IPC. 315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtSetInformationThread on the child process. 335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationThread64( 345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class, 355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PVOID thread_information, ULONG thread_information_bytes); 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenThreadToken on the child process. 385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadToken64( 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self, 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE token); 415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenThreadTokenEx on the child process. 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadTokenEx64( 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self, 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ULONG handle_attributes, PHANDLE token); 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of CreateThread on the child process. 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateThread64( 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES thread_attributes, SIZE_T stack_size, 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPTHREAD_START_ROUTINE start_address, PVOID parameter, 515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) DWORD creation_flags, LPDWORD thread_id); 525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of GetUserDefaultLCID on the child process. 545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT LCID WINAPI TargetGetUserDefaultLCID64(); 555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// ----------------------------------------------------------------------- 575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interceptors handled by the file system dispatcher. 585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtCreateFile on the child process. 605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64( 615821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE file, ACCESS_MASK desired_access, 625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status, 635821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing, 645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length); 655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenFile on the child process. 675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64( 685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE file, ACCESS_MASK desired_access, 695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status, 705821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ULONG sharing, ULONG options); 715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtQueryAtttributesFile on the child process. 735821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64( 745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, 755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PFILE_BASIC_INFORMATION file_attributes); 765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtQueryFullAtttributesFile on the child process. 785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64( 795821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, 805821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PFILE_NETWORK_OPEN_INFORMATION file_attributes); 815821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 825821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtSetInformationFile on the child process. 835821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64( 845821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information, 855821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ULONG length, FILE_INFORMATION_CLASS file_information_class); 865821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 875821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// ----------------------------------------------------------------------- 885821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interceptors handled by the named pipe dispatcher. 895821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 905821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of CreateNamedPipeW in kernel32.dll 915821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64( 925821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance, 935821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout, 945821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES security_attributes); 955821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 965821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// ----------------------------------------------------------------------- 975821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interceptors handled by the process-thread dispatcher. 985821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 995821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenThread on the child process. 1005821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64( 1015821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE thread, ACCESS_MASK desired_access, 1025821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id); 1035821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1045821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenProcess on the child process. 1055821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64( 1065821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE process, ACCESS_MASK desired_access, 1075821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id); 1085821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1095821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenProcessToken on the child process. 1105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64( 1115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE process, ACCESS_MASK desired_access, PHANDLE token); 1125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenProcessTokenEx on the child process. 1145821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64( 1155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes, 1165821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE token); 1175821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of CreateProcessW in kernel32.dll. 1195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64( 1205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPCWSTR application_name, LPWSTR command_line, 1215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES process_attributes, 1225821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags, 1235821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info, 1245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPPROCESS_INFORMATION process_information); 1255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of CreateProcessA in kernel32.dll. 1275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64( 1285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPCSTR application_name, LPSTR command_line, 1295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES process_attributes, 1305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags, 1315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info, 1325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPPROCESS_INFORMATION process_information); 1335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// ----------------------------------------------------------------------- 1355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interceptors handled by the registry dispatcher. 1365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtCreateKey on the child process. 1385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64( 1395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE key, ACCESS_MASK desired_access, 1405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, ULONG title_index, 1415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PUNICODE_STRING class_name, ULONG create_options, PULONG disposition); 1425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenKey on the child process. 1445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64( 1455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE key, ACCESS_MASK desired_access, 1465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes); 1475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of NtOpenKeyEx on the child process. 1495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64( 1505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PHANDLE key, ACCESS_MASK desired_access, 1515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) POBJECT_ATTRIBUTES object_attributes, ULONG open_options); 1525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1535821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// ----------------------------------------------------------------------- 1545821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interceptors handled by the sync dispatcher. 1555821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1565821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of CreateEventW on the child process. 1575821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateEventW64( 1585821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) LPSECURITY_ATTRIBUTES security_attributes, BOOL manual_reset, 1595821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) BOOL initial_state, LPCWSTR name); 1605821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1614e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles)// Interception of CreateEventA on the child process. 1624e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles)SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateEventA64( 1634e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles) LPSECURITY_ATTRIBUTES security_attributes, BOOL manual_reset, 1644e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles) BOOL initial_state, LPCSTR name); 1654e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles) 1665821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Interception of OpenEventW on the child process. 1675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)SANDBOX_INTERCEPT HANDLE WINAPI TargetOpenEventW64( 1685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) ACCESS_MASK desired_access, BOOL inherit_handle, LPCWSTR name); 1695821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1704e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles)// Interception of OpenEventA on the child process. 1714e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles)SANDBOX_INTERCEPT HANDLE WINAPI TargetOpenEventA64( 1724e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles) ACCESS_MASK desired_access, BOOL inherit_handle, LPCSTR name); 1734e180b6a0b4720a9b8e9e959a882386f690f08ffTorne (Richard Coles) 1745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // extern "C" 1755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace sandbox 1775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 1785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#endif // SANDBOX_SRC_INTERCEPTORS_64_H_ 179