Home | History | Annotate | Download | only in src
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 // For information about interceptions as a whole see
      6 // http://dev.chromium.org/developers/design-documents/sandbox .
      7 
      8 #include <set>
      9 
     10 #include "sandbox/win/src/interception.h"
     11 
     12 #include "base/logging.h"
     13 #include "base/memory/scoped_ptr.h"
     14 #include "base/strings/string16.h"
     15 #include "base/win/pe_image.h"
     16 #include "base/win/windows_version.h"
     17 #include "sandbox/win/src/interception_internal.h"
     18 #include "sandbox/win/src/interceptors.h"
     19 #include "sandbox/win/src/sandbox.h"
     20 #include "sandbox/win/src/service_resolver.h"
     21 #include "sandbox/win/src/target_interceptions.h"
     22 #include "sandbox/win/src/target_process.h"
     23 #include "sandbox/win/src/wow64.h"
     24 
     25 namespace {
     26 
     27 const char kMapViewOfSectionName[] = "NtMapViewOfSection";
     28 const char kUnmapViewOfSectionName[] = "NtUnmapViewOfSection";
     29 
     30 // Standard allocation granularity and page size for Windows.
     31 const size_t kAllocGranularity = 65536;
     32 const size_t kPageSize = 4096;
     33 
     34 // Find a random offset within 64k and aligned to ceil(log2(size)).
     35 size_t GetGranularAlignedRandomOffset(size_t size) {
     36   CHECK_LE(size, kAllocGranularity);
     37   unsigned int offset;
     38 
     39   do {
     40     rand_s(&offset);
     41     offset &= (kAllocGranularity - 1);
     42   } while (offset > (kAllocGranularity - size));
     43 
     44   // Find an alignment between 64 and the page size (4096).
     45   size_t align_size = kPageSize;
     46   for (size_t new_size = align_size / 2;  new_size >= size; new_size /= 2) {
     47     align_size = new_size;
     48   }
     49   return offset & ~(align_size - 1);
     50 }
     51 
     52 }  // namespace
     53 
     54 namespace sandbox {
     55 
     56 SANDBOX_INTERCEPT SharedMemory* g_interceptions;
     57 
     58 // Table of the unpatched functions that we intercept. Mapped from the parent.
     59 SANDBOX_INTERCEPT OriginalFunctions g_originals = { NULL };
     60 
     61 // Magic constant that identifies that this function is not to be patched.
     62 const char kUnloadDLLDummyFunction[] = "@";
     63 
     64 InterceptionManager::InterceptionManager(TargetProcess* child_process,
     65                                          bool relaxed)
     66     : child_(child_process), names_used_(false), relaxed_(relaxed) {
     67   child_->AddRef();
     68 }
     69 InterceptionManager::~InterceptionManager() {
     70   child_->Release();
     71 }
     72 
     73 bool InterceptionManager::AddToPatchedFunctions(
     74     const wchar_t* dll_name, const char* function_name,
     75     InterceptionType interception_type, const void* replacement_code_address,
     76     InterceptorId id) {
     77   InterceptionData function;
     78   function.type = interception_type;
     79   function.id = id;
     80   function.dll = dll_name;
     81   function.function = function_name;
     82   function.interceptor_address = replacement_code_address;
     83 
     84   interceptions_.push_back(function);
     85   return true;
     86 }
     87 
     88 bool InterceptionManager::AddToPatchedFunctions(
     89     const wchar_t* dll_name, const char* function_name,
     90     InterceptionType interception_type, const char* replacement_function_name,
     91     InterceptorId id) {
     92   InterceptionData function;
     93   function.type = interception_type;
     94   function.id = id;
     95   function.dll = dll_name;
     96   function.function = function_name;
     97   function.interceptor = replacement_function_name;
     98   function.interceptor_address = NULL;
     99 
    100   interceptions_.push_back(function);
    101   names_used_ = true;
    102   return true;
    103 }
    104 
    105 bool InterceptionManager::AddToUnloadModules(const wchar_t* dll_name) {
    106   InterceptionData module_to_unload;
    107   module_to_unload.type = INTERCEPTION_UNLOAD_MODULE;
    108   module_to_unload.dll = dll_name;
    109   // The next two are dummy values that make the structures regular, instead
    110   // of having special cases. They should not be used.
    111   module_to_unload.function = kUnloadDLLDummyFunction;
    112   module_to_unload.interceptor_address = reinterpret_cast<void*>(1);
    113 
    114   interceptions_.push_back(module_to_unload);
    115   return true;
    116 }
    117 
    118 bool InterceptionManager::InitializeInterceptions() {
    119   if (interceptions_.empty())
    120     return true;  // Nothing to do here
    121 
    122   size_t buffer_bytes = GetBufferSize();
    123   scoped_ptr<char[]> local_buffer(new char[buffer_bytes]);
    124 
    125   if (!SetupConfigBuffer(local_buffer.get(), buffer_bytes))
    126     return false;
    127 
    128   void* remote_buffer;
    129   if (!CopyDataToChild(local_buffer.get(), buffer_bytes, &remote_buffer))
    130     return false;
    131 
    132   bool hot_patch_needed = (0 != buffer_bytes);
    133   if (!PatchNtdll(hot_patch_needed))
    134     return false;
    135 
    136   g_interceptions = reinterpret_cast<SharedMemory*>(remote_buffer);
    137   ResultCode rc = child_->TransferVariable("g_interceptions",
    138                                            &g_interceptions,
    139                                            sizeof(g_interceptions));
    140   return (SBOX_ALL_OK == rc);
    141 }
    142 
    143 size_t InterceptionManager::GetBufferSize() const {
    144   std::set<base::string16> dlls;
    145   size_t buffer_bytes = 0;
    146 
    147   std::list<InterceptionData>::const_iterator it = interceptions_.begin();
    148   for (; it != interceptions_.end(); ++it) {
    149     // skip interceptions that are performed from the parent
    150     if (!IsInterceptionPerformedByChild(*it))
    151       continue;
    152 
    153     if (!dlls.count(it->dll)) {
    154       // NULL terminate the dll name on the structure
    155       size_t dll_name_bytes = (it->dll.size() + 1) * sizeof(wchar_t);
    156 
    157       // include the dll related size
    158       buffer_bytes += RoundUpToMultiple(offsetof(DllPatchInfo, dll_name) +
    159                                             dll_name_bytes, sizeof(size_t));
    160       dlls.insert(it->dll);
    161     }
    162 
    163     // we have to NULL terminate the strings on the structure
    164     size_t strings_chars = it->function.size() + it->interceptor.size() + 2;
    165 
    166     // a new FunctionInfo is required per function
    167     size_t record_bytes = offsetof(FunctionInfo, function) + strings_chars;
    168     record_bytes = RoundUpToMultiple(record_bytes, sizeof(size_t));
    169     buffer_bytes += record_bytes;
    170   }
    171 
    172   if (0 != buffer_bytes)
    173     // add the part of SharedMemory that we have not counted yet
    174     buffer_bytes += offsetof(SharedMemory, dll_list);
    175 
    176   return buffer_bytes;
    177 }
    178 
    179 // Basically, walk the list of interceptions moving them to the config buffer,
    180 // but keeping together all interceptions that belong to the same dll.
    181 // The config buffer is a local buffer, not the one allocated on the child.
    182 bool InterceptionManager::SetupConfigBuffer(void* buffer, size_t buffer_bytes) {
    183   if (0 == buffer_bytes)
    184     return true;
    185 
    186   DCHECK(buffer_bytes > sizeof(SharedMemory));
    187 
    188   SharedMemory* shared_memory = reinterpret_cast<SharedMemory*>(buffer);
    189   DllPatchInfo* dll_info = shared_memory->dll_list;
    190   int num_dlls = 0;
    191 
    192   shared_memory->interceptor_base = names_used_ ? child_->MainModule() : NULL;
    193 
    194   buffer_bytes -= offsetof(SharedMemory, dll_list);
    195   buffer = dll_info;
    196 
    197   std::list<InterceptionData>::iterator it = interceptions_.begin();
    198   for (; it != interceptions_.end();) {
    199     // skip interceptions that are performed from the parent
    200     if (!IsInterceptionPerformedByChild(*it)) {
    201       ++it;
    202       continue;
    203     }
    204 
    205     const base::string16 dll = it->dll;
    206     if (!SetupDllInfo(*it, &buffer, &buffer_bytes))
    207       return false;
    208 
    209     // walk the interceptions from this point, saving the ones that are
    210     // performed on this dll, and removing the entry from the list.
    211     // advance the iterator before removing the element from the list
    212     std::list<InterceptionData>::iterator rest = it;
    213     for (; rest != interceptions_.end();) {
    214       if (rest->dll == dll) {
    215         if (!SetupInterceptionInfo(*rest, &buffer, &buffer_bytes, dll_info))
    216           return false;
    217         if (it == rest)
    218           ++it;
    219         rest = interceptions_.erase(rest);
    220       } else {
    221         ++rest;
    222       }
    223     }
    224     dll_info = reinterpret_cast<DllPatchInfo*>(buffer);
    225     ++num_dlls;
    226   }
    227 
    228   shared_memory->num_intercepted_dlls = num_dlls;
    229   return true;
    230 }
    231 
    232 // Fills up just the part that depends on the dll, not the info that depends on
    233 // the actual interception.
    234 bool InterceptionManager::SetupDllInfo(const InterceptionData& data,
    235                                        void** buffer,
    236                                        size_t* buffer_bytes) const {
    237   DCHECK(buffer_bytes);
    238   DCHECK(buffer);
    239   DCHECK(*buffer);
    240 
    241   DllPatchInfo* dll_info = reinterpret_cast<DllPatchInfo*>(*buffer);
    242 
    243   // the strings have to be zero terminated
    244   size_t required = offsetof(DllPatchInfo, dll_name) +
    245                     (data.dll.size() + 1) * sizeof(wchar_t);
    246   required = RoundUpToMultiple(required, sizeof(size_t));
    247   if (*buffer_bytes < required)
    248     return false;
    249 
    250   *buffer_bytes -= required;
    251   *buffer = reinterpret_cast<char*>(*buffer) + required;
    252 
    253   // set up the dll info to be what we know about it at this time
    254   dll_info->unload_module = (data.type == INTERCEPTION_UNLOAD_MODULE);
    255   dll_info->record_bytes = required;
    256   dll_info->offset_to_functions = required;
    257   dll_info->num_functions = 0;
    258   data.dll._Copy_s(dll_info->dll_name, data.dll.size(), data.dll.size());
    259   dll_info->dll_name[data.dll.size()] = L'\0';
    260 
    261   return true;
    262 }
    263 
    264 bool InterceptionManager::SetupInterceptionInfo(const InterceptionData& data,
    265                                                 void** buffer,
    266                                                 size_t* buffer_bytes,
    267                                                 DllPatchInfo* dll_info) const {
    268   DCHECK(buffer_bytes);
    269   DCHECK(buffer);
    270   DCHECK(*buffer);
    271 
    272   if ((dll_info->unload_module) &&
    273       (data.function != kUnloadDLLDummyFunction)) {
    274     // Can't specify a dll for both patch and unload.
    275     NOTREACHED();
    276   }
    277 
    278   FunctionInfo* function = reinterpret_cast<FunctionInfo*>(*buffer);
    279 
    280   size_t name_bytes = data.function.size();
    281   size_t interceptor_bytes = data.interceptor.size();
    282 
    283   // the strings at the end of the structure are zero terminated
    284   size_t required = offsetof(FunctionInfo, function) +
    285                     name_bytes + interceptor_bytes + 2;
    286   required = RoundUpToMultiple(required, sizeof(size_t));
    287   if (*buffer_bytes < required)
    288     return false;
    289 
    290   // update the caller's values
    291   *buffer_bytes -= required;
    292   *buffer = reinterpret_cast<char*>(*buffer) + required;
    293 
    294   function->record_bytes = required;
    295   function->type = data.type;
    296   function->id = data.id;
    297   function->interceptor_address = data.interceptor_address;
    298   char* names = function->function;
    299 
    300   data.function._Copy_s(names, name_bytes, name_bytes);
    301   names += name_bytes;
    302   *names++ = '\0';
    303 
    304   // interceptor follows the function_name
    305   data.interceptor._Copy_s(names, interceptor_bytes, interceptor_bytes);
    306   names += interceptor_bytes;
    307   *names++ = '\0';
    308 
    309   // update the dll table
    310   dll_info->num_functions++;
    311   dll_info->record_bytes += required;
    312 
    313   return true;
    314 }
    315 
    316 bool InterceptionManager::CopyDataToChild(const void* local_buffer,
    317                                           size_t buffer_bytes,
    318                                           void** remote_buffer) const {
    319   DCHECK(NULL != remote_buffer);
    320   if (0 == buffer_bytes) {
    321     *remote_buffer = NULL;
    322     return true;
    323   }
    324 
    325   HANDLE child = child_->Process();
    326 
    327   // Allocate memory on the target process without specifying the address
    328   void* remote_data = ::VirtualAllocEx(child, NULL, buffer_bytes,
    329                                        MEM_COMMIT, PAGE_READWRITE);
    330   if (NULL == remote_data)
    331     return false;
    332 
    333   SIZE_T bytes_written;
    334   BOOL success = ::WriteProcessMemory(child, remote_data, local_buffer,
    335                                       buffer_bytes, &bytes_written);
    336   if (FALSE == success || bytes_written != buffer_bytes) {
    337     ::VirtualFreeEx(child, remote_data, 0, MEM_RELEASE);
    338     return false;
    339   }
    340 
    341   *remote_buffer = remote_data;
    342 
    343   return true;
    344 }
    345 
    346 // Only return true if the child should be able to perform this interception.
    347 bool InterceptionManager::IsInterceptionPerformedByChild(
    348     const InterceptionData& data) const {
    349   if (INTERCEPTION_INVALID == data.type)
    350     return false;
    351 
    352   if (INTERCEPTION_SERVICE_CALL == data.type)
    353     return false;
    354 
    355   if (data.type >= INTERCEPTION_LAST)
    356     return false;
    357 
    358   base::string16 ntdll(kNtdllName);
    359   if (ntdll == data.dll)
    360     return false;  // ntdll has to be intercepted from the parent
    361 
    362   return true;
    363 }
    364 
    365 bool InterceptionManager::PatchNtdll(bool hot_patch_needed) {
    366   // Maybe there is nothing to do
    367   if (!hot_patch_needed && interceptions_.empty())
    368     return true;
    369 
    370   if (hot_patch_needed) {
    371 #if SANDBOX_EXPORTS
    372     // Make sure the functions are not excluded by the linker.
    373 #if defined(_WIN64)
    374     #pragma comment(linker, "/include:TargetNtMapViewOfSection64")
    375     #pragma comment(linker, "/include:TargetNtUnmapViewOfSection64")
    376 #else
    377     #pragma comment(linker, "/include:_TargetNtMapViewOfSection@44")
    378     #pragma comment(linker, "/include:_TargetNtUnmapViewOfSection@12")
    379 #endif
    380 #endif
    381     ADD_NT_INTERCEPTION(NtMapViewOfSection, MAP_VIEW_OF_SECTION_ID, 44);
    382     ADD_NT_INTERCEPTION(NtUnmapViewOfSection, UNMAP_VIEW_OF_SECTION_ID, 12);
    383   }
    384 
    385   // Reserve a full 64k memory range in the child process.
    386   HANDLE child = child_->Process();
    387   BYTE* thunk_base = reinterpret_cast<BYTE*>(
    388                          ::VirtualAllocEx(child, NULL, kAllocGranularity,
    389                                           MEM_RESERVE, PAGE_NOACCESS));
    390 
    391   // Find an aligned, random location within the reserved range.
    392   size_t thunk_bytes = interceptions_.size() * sizeof(ThunkData) +
    393                        sizeof(DllInterceptionData);
    394   size_t thunk_offset = GetGranularAlignedRandomOffset(thunk_bytes);
    395 
    396   // Split the base and offset along page boundaries.
    397   thunk_base += thunk_offset & ~(kPageSize - 1);
    398   thunk_offset &= kPageSize - 1;
    399 
    400   // Make an aligned, padded allocation, and move the pointer to our chunk.
    401   size_t thunk_bytes_padded = (thunk_bytes + kPageSize - 1) & ~(kPageSize - 1);
    402   thunk_base = reinterpret_cast<BYTE*>(
    403                    ::VirtualAllocEx(child, thunk_base, thunk_bytes_padded,
    404                                     MEM_COMMIT, PAGE_EXECUTE_READWRITE));
    405   CHECK(thunk_base);  // If this fails we'd crash anyway on an invalid access.
    406   DllInterceptionData* thunks = reinterpret_cast<DllInterceptionData*>(
    407                                     thunk_base + thunk_offset);
    408 
    409   DllInterceptionData dll_data;
    410   dll_data.data_bytes = thunk_bytes;
    411   dll_data.num_thunks = 0;
    412   dll_data.used_bytes = offsetof(DllInterceptionData, thunks);
    413 
    414   // Reset all helpers for a new child.
    415   memset(g_originals, 0, sizeof(g_originals));
    416 
    417   // this should write all the individual thunks to the child's memory
    418   if (!PatchClientFunctions(thunks, thunk_bytes, &dll_data))
    419     return false;
    420 
    421   // and now write the first part of the table to the child's memory
    422   SIZE_T written;
    423   bool ok = FALSE != ::WriteProcessMemory(child, thunks, &dll_data,
    424                                           offsetof(DllInterceptionData, thunks),
    425                                           &written);
    426 
    427   if (!ok || (offsetof(DllInterceptionData, thunks) != written))
    428     return false;
    429 
    430   // Attempt to protect all the thunks, but ignore failure
    431   DWORD old_protection;
    432   ::VirtualProtectEx(child, thunks, thunk_bytes,
    433                      PAGE_EXECUTE_READ, &old_protection);
    434 
    435   ResultCode ret = child_->TransferVariable("g_originals", g_originals,
    436                                             sizeof(g_originals));
    437   return (SBOX_ALL_OK == ret);
    438 }
    439 
    440 bool InterceptionManager::PatchClientFunctions(DllInterceptionData* thunks,
    441                                                size_t thunk_bytes,
    442                                                DllInterceptionData* dll_data) {
    443   DCHECK(NULL != thunks);
    444   DCHECK(NULL != dll_data);
    445 
    446   HMODULE ntdll_base = ::GetModuleHandle(kNtdllName);
    447   if (!ntdll_base)
    448     return false;
    449 
    450   base::win::PEImage ntdll_image(ntdll_base);
    451 
    452   // Bypass purify's interception.
    453   wchar_t* loader_get = reinterpret_cast<wchar_t*>(
    454                             ntdll_image.GetProcAddress("LdrGetDllHandle"));
    455   if (loader_get) {
    456     if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
    457                                GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
    458                            loader_get, &ntdll_base))
    459       return false;
    460   }
    461 
    462   if (base::win::GetVersion() <= base::win::VERSION_VISTA) {
    463     Wow64 WowHelper(child_, ntdll_base);
    464     if (!WowHelper.WaitForNtdll())
    465       return false;
    466   }
    467 
    468   char* interceptor_base = NULL;
    469 
    470 #if SANDBOX_EXPORTS
    471   interceptor_base = reinterpret_cast<char*>(child_->MainModule());
    472   HMODULE local_interceptor = ::LoadLibrary(child_->Name());
    473 #endif
    474 
    475   ServiceResolverThunk* thunk;
    476 #if defined(_WIN64)
    477   thunk = new ServiceResolverThunk(child_->Process(), relaxed_);
    478 #else
    479   base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
    480   if (os_info->wow64_status() == base::win::OSInfo::WOW64_ENABLED) {
    481     if (os_info->version() >= base::win::VERSION_WIN8)
    482       thunk = new Wow64W8ResolverThunk(child_->Process(), relaxed_);
    483     else
    484       thunk = new Wow64ResolverThunk(child_->Process(), relaxed_);
    485   } else if (os_info->version() >= base::win::VERSION_WIN8) {
    486     thunk = new Win8ResolverThunk(child_->Process(), relaxed_);
    487   } else {
    488     thunk = new ServiceResolverThunk(child_->Process(), relaxed_);
    489   }
    490 #endif
    491 
    492   std::list<InterceptionData>::iterator it = interceptions_.begin();
    493   for (; it != interceptions_.end(); ++it) {
    494     const base::string16 ntdll(kNtdllName);
    495     if (it->dll != ntdll)
    496       break;
    497 
    498     if (INTERCEPTION_SERVICE_CALL != it->type)
    499       break;
    500 
    501 #if SANDBOX_EXPORTS
    502     // We may be trying to patch by function name.
    503     if (NULL == it->interceptor_address) {
    504       const char* address;
    505       NTSTATUS ret = thunk->ResolveInterceptor(local_interceptor,
    506                                                it->interceptor.c_str(),
    507                                                reinterpret_cast<const void**>(
    508                                                &address));
    509       if (!NT_SUCCESS(ret))
    510         break;
    511 
    512       // Translate the local address to an address on the child.
    513       it->interceptor_address = interceptor_base + (address -
    514                                     reinterpret_cast<char*>(local_interceptor));
    515     }
    516 #endif
    517     NTSTATUS ret = thunk->Setup(ntdll_base,
    518                                 interceptor_base,
    519                                 it->function.c_str(),
    520                                 it->interceptor.c_str(),
    521                                 it->interceptor_address,
    522                                 &thunks->thunks[dll_data->num_thunks],
    523                                 thunk_bytes - dll_data->used_bytes,
    524                                 NULL);
    525     if (!NT_SUCCESS(ret))
    526       break;
    527 
    528     DCHECK(!g_originals[it->id]);
    529     g_originals[it->id] = &thunks->thunks[dll_data->num_thunks];
    530 
    531     dll_data->num_thunks++;
    532     dll_data->used_bytes += sizeof(ThunkData);
    533   }
    534 
    535   delete(thunk);
    536 
    537 #if SANDBOX_EXPORTS
    538   if (NULL != local_interceptor)
    539     ::FreeLibrary(local_interceptor);
    540 #endif
    541 
    542   if (it != interceptions_.end())
    543     return false;
    544 
    545   return true;
    546 }
    547 
    548 }  // namespace sandbox
    549