1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_TOOLS_FINDER_FINDER_H__ 6 #define SANDBOX_TOOLS_FINDER_FINDER_H__ 7 8 #include "sandbox/win/src/restricted_token_utils.h" 9 #include "sandbox/win/tools/finder/ntundoc.h" 10 11 // Type of stats that we calculate during the Scan operation 12 enum Stats { 13 READ = 0, // Number of objects with read access 14 WRITE, // Number of objects with write access 15 ALL, // Number of objects with r/w access 16 PARSE, // Number of objects parsed 17 BROKEN, // Number of errors while parsing the objects 18 SIZE_STATS // size of the enum 19 }; 20 21 const int kScanRegistry = 0x01; 22 const int kScanFileSystem = 0x02; 23 const int kScanKernelObjects = 0x04; 24 25 const int kTestForRead = 0x01; 26 const int kTestForWrite = 0x02; 27 const int kTestForAll = 0x04; 28 29 #define FS_ERR L"FILE-ERROR" 30 #define OBJ_ERR L"OBJ-ERROR" 31 #define REG_ERR L"REG_ERROR" 32 #define OBJ L"OBJ" 33 #define FS L"FILE" 34 #define REG L"REG" 35 36 // The impersonater class will impersonate a token when the object is created 37 // and revert when the object is going out of scope. 38 class Impersonater { 39 public: 40 Impersonater(HANDLE token_handle) { 41 if (token_handle) 42 ::ImpersonateLoggedOnUser(token_handle); 43 }; 44 ~Impersonater() { 45 ::RevertToSelf(); 46 }; 47 }; 48 49 // The finder class handles the search of objects (file system, registry, kernel 50 // objects) on the system that can be opened by a restricted token. It can 51 // support multiple levels of restriction for the restricted token and can check 52 // for read, write or r/w access. It outputs the results to a file or stdout. 53 class Finder { 54 public: 55 Finder(); 56 ~Finder(); 57 DWORD Init(sandbox::TokenLevel token_type, DWORD object_type, 58 DWORD access_type, FILE *file_output); 59 DWORD Scan(); 60 61 private: 62 // Parses a file system path and perform an access check on all files and 63 // folder found. 64 // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the 65 // win32 error code associated with the error. 66 DWORD ParseFileSystem(ATL::CString path); 67 68 // Parses a registry hive referenced by "key" and performs an access check on 69 // all subkeys found. 70 // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the 71 // win32 error code associated with the error. 72 DWORD ParseRegistry(HKEY key, ATL::CString print_name); 73 74 // Parses the kernel namespace beginning at "path" and performs an access 75 // check on all objects found. However, only some object types are supported, 76 // all non supported objects are ignored. 77 // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the 78 // win32 error code associated with the error. 79 DWORD ParseKernelObjects(ATL::CString path); 80 81 // Checks if "path" can be accessed with the restricted token. 82 // Returns the access granted. 83 DWORD TestFileAccess(ATL::CString path); 84 85 // Checks if the registry key with the path key\name can be accessed with the 86 // restricted token. 87 // print_name is only use for logging purpose. 88 // Returns the access granted. 89 DWORD TestRegAccess(HKEY key, ATL::CString name, ATL::CString print_name); 90 91 // Checks if the kernel object "path" of type "type" can be accessed with 92 // the restricted token. 93 // Returns the access granted. 94 DWORD TestKernelObjectAccess(ATL::CString path, ATL::CString type); 95 96 // Outputs information to the logfile 97 void Output(ATL::CString type, ATL::CString access, ATL::CString info) { 98 fprintf(file_output_, "\n%S;%S;%S", type.GetBuffer(), access.GetBuffer(), 99 info.GetBuffer()); 100 }; 101 102 // Output information to the log file. 103 void Output(ATL::CString type, DWORD error, ATL::CString info) { 104 fprintf(file_output_, "\n%S;0x%X;%S", type.GetBuffer(), error, 105 info.GetBuffer()); 106 }; 107 108 // Set func_to_call to the function pointer of the function used to handle 109 // requests for the kernel objects of type "type". If the type is not 110 // supported at the moment the function returns false and the func_to_call 111 // parameter is not modified. 112 bool GetFunctionForType(ATL::CString type, NTGENERICOPEN * func_to_call); 113 114 // Initializes the NT function pointers to be able to use all the needed 115 // functions in NTDDL. 116 // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the 117 // win32 error code associated with the error. 118 DWORD InitNT(); 119 120 // Calls func_to_call with the parameters desired_access, object_attributes 121 // and handle. func_to_call is a pointer to a function to open a kernel 122 // object. 123 NTSTATUS NtGenericOpen(ACCESS_MASK desired_access, 124 OBJECT_ATTRIBUTES *object_attributes, 125 NTGENERICOPEN func_to_call, 126 HANDLE *handle); 127 128 // Type of object to check for. 129 DWORD object_type_; 130 // Access to try. 131 DWORD access_type_; 132 // Output file for the results. 133 FILE * file_output_; 134 // Handle to the restricted token. 135 HANDLE token_handle_; 136 // Stats containing the number of operations performed on the different 137 // objects. 138 int filesystem_stats_[SIZE_STATS]; 139 int registry_stats_[SIZE_STATS]; 140 int kernel_object_stats_[SIZE_STATS]; 141 }; 142 143 #endif // SANDBOX_TOOLS_FINDER_FINDER_H__ 144
