1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // For information about interceptions as a whole see
6 // http://dev.chromium.org/developers/design-documents/sandbox .
7
8 #include "sandbox/win/src/interception_agent.h"
9
10 #include <windows.h>
11
12 #include <stddef.h>
13
14 #include "sandbox/win/src/eat_resolver.h"
15 #include "sandbox/win/src/interception_internal.h"
16 #include "sandbox/win/src/interceptors.h"
17 #include "sandbox/win/src/sandbox_nt_util.h"
18 #include "sandbox/win/src/sidestep_resolver.h"
19
20 namespace {
21
22 // Returns true if target lies between base and base + range.
IsWithinRange(const void * base,size_t range,const void * target)23 bool IsWithinRange(const void* base, size_t range, const void* target) {
24 const char* end = reinterpret_cast<const char*>(base) + range;
25 return reinterpret_cast<const char*>(target) < end;
26 }
27
28 } // namespace
29
30 namespace sandbox {
31
32 // This is the list of all imported symbols from ntdll.dll.
33 SANDBOX_INTERCEPT NtExports g_nt;
34
35 // The list of intercepted functions back-pointers.
36 SANDBOX_INTERCEPT OriginalFunctions g_originals;
37
38 // Memory buffer mapped from the parent, with the list of interceptions.
39 SANDBOX_INTERCEPT SharedMemory* g_interceptions = nullptr;
40
GetInterceptionAgent()41 InterceptionAgent* InterceptionAgent::GetInterceptionAgent() {
42 static InterceptionAgent* s_singleton = nullptr;
43 if (!s_singleton) {
44 if (!g_interceptions)
45 return nullptr;
46
47 size_t array_bytes = g_interceptions->num_intercepted_dlls * sizeof(void*);
48 s_singleton = reinterpret_cast<InterceptionAgent*>(
49 new (NT_ALLOC) char[array_bytes + sizeof(InterceptionAgent)]);
50
51 bool success = s_singleton->Init(g_interceptions);
52 if (!success) {
53 operator delete(s_singleton, NT_ALLOC);
54 s_singleton = nullptr;
55 }
56 }
57 return s_singleton;
58 }
59
Init(SharedMemory * shared_memory)60 bool InterceptionAgent::Init(SharedMemory* shared_memory) {
61 interceptions_ = shared_memory;
62 for (int i = 0; i < shared_memory->num_intercepted_dlls; i++)
63 dlls_[i] = nullptr;
64 return true;
65 }
66
DllMatch(const UNICODE_STRING * full_path,const UNICODE_STRING * name,const DllPatchInfo * dll_info)67 bool InterceptionAgent::DllMatch(const UNICODE_STRING* full_path,
68 const UNICODE_STRING* name,
69 const DllPatchInfo* dll_info) {
70 UNICODE_STRING current_name;
71 current_name.Length =
72 static_cast<USHORT>(g_nt.wcslen(dll_info->dll_name) * sizeof(wchar_t));
73 current_name.MaximumLength = current_name.Length;
74 current_name.Buffer = const_cast<wchar_t*>(dll_info->dll_name);
75
76 BOOLEAN case_insensitive = TRUE;
77 if (full_path &&
78 !g_nt.RtlCompareUnicodeString(¤t_name, full_path, case_insensitive))
79 return true;
80
81 if (name &&
82 !g_nt.RtlCompareUnicodeString(¤t_name, name, case_insensitive))
83 return true;
84
85 return false;
86 }
87
OnDllLoad(const UNICODE_STRING * full_path,const UNICODE_STRING * name,void * base_address)88 bool InterceptionAgent::OnDllLoad(const UNICODE_STRING* full_path,
89 const UNICODE_STRING* name,
90 void* base_address) {
91 DllPatchInfo* dll_info = interceptions_->dll_list;
92 int i = 0;
93 for (; i < interceptions_->num_intercepted_dlls; i++) {
94 if (DllMatch(full_path, name, dll_info))
95 break;
96
97 dll_info = reinterpret_cast<DllPatchInfo*>(
98 reinterpret_cast<char*>(dll_info) + dll_info->record_bytes);
99 }
100
101 // Return now if the dll is not in our list of interest.
102 if (i == interceptions_->num_intercepted_dlls)
103 return true;
104
105 // The dll must be unloaded.
106 if (dll_info->unload_module)
107 return false;
108
109 // Purify causes this condition to trigger.
110 if (dlls_[i])
111 return true;
112
113 size_t buffer_bytes = offsetof(DllInterceptionData, thunks) +
114 dll_info->num_functions * sizeof(ThunkData);
115 dlls_[i] = reinterpret_cast<DllInterceptionData*>(
116 new (NT_PAGE, base_address) char[buffer_bytes]);
117
118 DCHECK_NT(dlls_[i]);
119 if (!dlls_[i])
120 return true;
121
122 dlls_[i]->data_bytes = buffer_bytes;
123 dlls_[i]->num_thunks = 0;
124 dlls_[i]->base = base_address;
125 dlls_[i]->used_bytes = offsetof(DllInterceptionData, thunks);
126
127 VERIFY(PatchDll(dll_info, dlls_[i]));
128
129 ULONG old_protect;
130 SIZE_T real_size = buffer_bytes;
131 void* to_protect = dlls_[i];
132 VERIFY_SUCCESS(g_nt.ProtectVirtualMemory(NtCurrentProcess, &to_protect,
133 &real_size, PAGE_EXECUTE_READ,
134 &old_protect));
135 return true;
136 }
137
OnDllUnload(void * base_address)138 void InterceptionAgent::OnDllUnload(void* base_address) {
139 for (int i = 0; i < interceptions_->num_intercepted_dlls; i++) {
140 if (dlls_[i] && dlls_[i]->base == base_address) {
141 operator delete(dlls_[i], NT_PAGE);
142 dlls_[i] = nullptr;
143 break;
144 }
145 }
146 }
147
148 // TODO(rvargas): We have to deal with prebinded dlls. I see two options: change
149 // the timestamp of the patched dll, or modify the info on the prebinded dll.
150 // the first approach messes matching of debug symbols, the second one is more
151 // complicated.
PatchDll(const DllPatchInfo * dll_info,DllInterceptionData * thunks)152 bool InterceptionAgent::PatchDll(const DllPatchInfo* dll_info,
153 DllInterceptionData* thunks) {
154 DCHECK_NT(thunks);
155 DCHECK_NT(dll_info);
156
157 const FunctionInfo* function = reinterpret_cast<const FunctionInfo*>(
158 reinterpret_cast<const char*>(dll_info) + dll_info->offset_to_functions);
159
160 for (int i = 0; i < dll_info->num_functions; i++) {
161 if (!IsWithinRange(dll_info, dll_info->record_bytes, function->function)) {
162 NOTREACHED_NT();
163 return false;
164 }
165
166 ResolverThunk* resolver = GetResolver(function->type);
167 if (!resolver)
168 return false;
169
170 const char* interceptor =
171 function->function + g_nt.strlen(function->function) + 1;
172
173 if (!IsWithinRange(function, function->record_bytes, interceptor) ||
174 !IsWithinRange(dll_info, dll_info->record_bytes, interceptor)) {
175 NOTREACHED_NT();
176 return false;
177 }
178
179 NTSTATUS ret = resolver->Setup(
180 thunks->base, interceptions_->interceptor_base, function->function,
181 interceptor, function->interceptor_address, &thunks->thunks[i],
182 sizeof(ThunkData), nullptr);
183 if (!NT_SUCCESS(ret)) {
184 NOTREACHED_NT();
185 return false;
186 }
187
188 DCHECK_NT(!g_originals[function->id] ||
189 g_originals[function->id] == &thunks->thunks[i]);
190 g_originals[function->id] = &thunks->thunks[i];
191
192 thunks->num_thunks++;
193 thunks->used_bytes += sizeof(ThunkData);
194
195 function = reinterpret_cast<const FunctionInfo*>(
196 reinterpret_cast<const char*>(function) + function->record_bytes);
197 }
198
199 return true;
200 }
201
202 // This method is called from within the loader lock
GetResolver(InterceptionType type)203 ResolverThunk* InterceptionAgent::GetResolver(InterceptionType type) {
204 static EatResolverThunk* eat_resolver = nullptr;
205 static SidestepResolverThunk* sidestep_resolver = nullptr;
206 static SmartSidestepResolverThunk* smart_sidestep_resolver = nullptr;
207
208 if (!eat_resolver)
209 eat_resolver = new (NT_ALLOC) EatResolverThunk;
210
211 #if !defined(_WIN64)
212 // Sidestep is not supported for x64.
213 if (!sidestep_resolver)
214 sidestep_resolver = new (NT_ALLOC) SidestepResolverThunk;
215
216 if (!smart_sidestep_resolver)
217 smart_sidestep_resolver = new (NT_ALLOC) SmartSidestepResolverThunk;
218 #endif
219
220 switch (type) {
221 case INTERCEPTION_EAT:
222 return eat_resolver;
223 case INTERCEPTION_SIDESTEP:
224 return sidestep_resolver;
225 case INTERCEPTION_SMART_SIDESTEP:
226 return smart_sidestep_resolver;
227 default:
228 NOTREACHED_NT();
229 }
230
231 return nullptr;
232 }
233
234 } // namespace sandbox
235