1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "sandbox/win/src/nt_internals.h" 6 #include "sandbox/win/src/sandbox_types.h" 7 8 #ifndef SANDBOX_SRC_INTERCEPTORS_64_H_ 9 #define SANDBOX_SRC_INTERCEPTORS_64_H_ 10 11 namespace sandbox { 12 13 extern "C" { 14 15 // Interception of NtMapViewOfSection on the child process. 16 // It should never be called directly. This function provides the means to 17 // detect dlls being loaded, so we can patch them if needed. 18 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtMapViewOfSection64( 19 HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits, 20 SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size, 21 SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect); 22 23 // Interception of NtUnmapViewOfSection on the child process. 24 // It should never be called directly. This function provides the means to 25 // detect dlls being unloaded, so we can clean up our interceptions. 26 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process, 27 PVOID base); 28 29 // ----------------------------------------------------------------------- 30 // Interceptors without IPC. 31 32 // Interception of NtSetInformationThread on the child process. 33 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationThread64( 34 HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class, 35 PVOID thread_information, ULONG thread_information_bytes); 36 37 // Interception of NtOpenThreadToken on the child process. 38 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadToken64( 39 HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self, 40 PHANDLE token); 41 42 // Interception of NtOpenThreadTokenEx on the child process. 43 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadTokenEx64( 44 HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self, 45 ULONG handle_attributes, PHANDLE token); 46 47 // Interception of CreateThread on the child process. 48 SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateThread64( 49 LPSECURITY_ATTRIBUTES thread_attributes, SIZE_T stack_size, 50 LPTHREAD_START_ROUTINE start_address, PVOID parameter, 51 DWORD creation_flags, LPDWORD thread_id); 52 53 // Interception of GetUserDefaultLCID on the child process. 54 SANDBOX_INTERCEPT LCID WINAPI TargetGetUserDefaultLCID64(); 55 56 // ----------------------------------------------------------------------- 57 // Interceptors handled by the file system dispatcher. 58 59 // Interception of NtCreateFile on the child process. 60 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64( 61 PHANDLE file, ACCESS_MASK desired_access, 62 POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status, 63 PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing, 64 ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length); 65 66 // Interception of NtOpenFile on the child process. 67 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64( 68 PHANDLE file, ACCESS_MASK desired_access, 69 POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status, 70 ULONG sharing, ULONG options); 71 72 // Interception of NtQueryAtttributesFile on the child process. 73 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64( 74 POBJECT_ATTRIBUTES object_attributes, 75 PFILE_BASIC_INFORMATION file_attributes); 76 77 // Interception of NtQueryFullAtttributesFile on the child process. 78 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64( 79 POBJECT_ATTRIBUTES object_attributes, 80 PFILE_NETWORK_OPEN_INFORMATION file_attributes); 81 82 // Interception of NtSetInformationFile on the child process. 83 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64( 84 HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information, 85 ULONG length, FILE_INFORMATION_CLASS file_information_class); 86 87 // ----------------------------------------------------------------------- 88 // Interceptors handled by the named pipe dispatcher. 89 90 // Interception of CreateNamedPipeW in kernel32.dll 91 SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64( 92 LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance, 93 DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout, 94 LPSECURITY_ATTRIBUTES security_attributes); 95 96 // ----------------------------------------------------------------------- 97 // Interceptors handled by the process-thread dispatcher. 98 99 // Interception of NtOpenThread on the child process. 100 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64( 101 PHANDLE thread, ACCESS_MASK desired_access, 102 POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id); 103 104 // Interception of NtOpenProcess on the child process. 105 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64( 106 PHANDLE process, ACCESS_MASK desired_access, 107 POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id); 108 109 // Interception of NtOpenProcessToken on the child process. 110 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64( 111 HANDLE process, ACCESS_MASK desired_access, PHANDLE token); 112 113 // Interception of NtOpenProcessTokenEx on the child process. 114 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64( 115 HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes, 116 PHANDLE token); 117 118 // Interception of CreateProcessW in kernel32.dll. 119 SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64( 120 LPCWSTR application_name, LPWSTR command_line, 121 LPSECURITY_ATTRIBUTES process_attributes, 122 LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags, 123 LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info, 124 LPPROCESS_INFORMATION process_information); 125 126 // Interception of CreateProcessA in kernel32.dll. 127 SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64( 128 LPCSTR application_name, LPSTR command_line, 129 LPSECURITY_ATTRIBUTES process_attributes, 130 LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags, 131 LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info, 132 LPPROCESS_INFORMATION process_information); 133 134 // ----------------------------------------------------------------------- 135 // Interceptors handled by the registry dispatcher. 136 137 // Interception of NtCreateKey on the child process. 138 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64( 139 PHANDLE key, ACCESS_MASK desired_access, 140 POBJECT_ATTRIBUTES object_attributes, ULONG title_index, 141 PUNICODE_STRING class_name, ULONG create_options, PULONG disposition); 142 143 // Interception of NtOpenKey on the child process. 144 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64( 145 PHANDLE key, ACCESS_MASK desired_access, 146 POBJECT_ATTRIBUTES object_attributes); 147 148 // Interception of NtOpenKeyEx on the child process. 149 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64( 150 PHANDLE key, ACCESS_MASK desired_access, 151 POBJECT_ATTRIBUTES object_attributes, ULONG open_options); 152 153 // ----------------------------------------------------------------------- 154 // Interceptors handled by the sync dispatcher. 155 156 // Interception of NtCreateEvent/NtOpenEvent on the child process. 157 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent64( 158 PHANDLE event_handle, ACCESS_MASK desired_access, 159 POBJECT_ATTRIBUTES object_attributes, EVENT_TYPE event_type, 160 BOOLEAN initial_state); 161 162 SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent64( 163 PHANDLE event_handle, ACCESS_MASK desired_access, 164 POBJECT_ATTRIBUTES object_attributes); 165 166 } // extern "C" 167 168 } // namespace sandbox 169 170 #endif // SANDBOX_SRC_INTERCEPTORS_64_H_ 171
