// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_WIN_SRC_INTERCEPTORS_64_H_
#define SANDBOX_WIN_SRC_INTERCEPTORS_64_H_

#include "sandbox/win/src/nt_internals.h"
#include "sandbox/win/src/sandbox_types.h"

// Declarations of the Target*64 interception entry points. Everything below is
// declared inside namespace sandbox with C linkage and marked
// SANDBOX_INTERCEPT; that macro and the NT/Win32 types are not defined in this
// file (presumably they come from the two headers included above).
//
// NOTE(review): the comments below place these functions in the child process.
// Code already running in that process is presumably not forced to go through
// them, so they should be read as hooks rather than as the enforcement point;
// confirm that the access decision is made by the dispatchers named in the
// section headings.

namespace sandbox {

extern "C" {

// Interception of NtMapViewOfSection on the child process.
// It should never be called directly. This function provides the means to
// detect DLLs being loaded, so we can patch them if needed.
// `base` and `view_size` are passed by pointer (PVOID*, PSIZE_T).
// NOTE(review): presumably both are in/out values as in the intercepted API;
// confirm against the implementation.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtMapViewOfSection64(HANDLE section,
                           HANDLE process,
                           PVOID* base,
                           ULONG_PTR zero_bits,
                           SIZE_T commit_size,
                           PLARGE_INTEGER offset,
                           PSIZE_T view_size,
                           SECTION_INHERIT inherit,
                           ULONG allocation_type,
                           ULONG protect);

// Interception of NtUnmapViewOfSection on the child process.
// It should never be called directly. This function provides the means to
// detect DLLs being unloaded, so we can clean up our interceptions.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process,
                                                               PVOID base);

// -----------------------------------------------------------------------
// Interceptors without IPC.
// (The later groups in this header each name a dispatcher instead.)

// Interception of NtSetInformationThread on the child process.
// NOTE(review): presumably `thread_information_bytes` is the size of the
// buffer at `thread_information`; confirm that the implementation checks it
// before reading the buffer.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtSetInformationThread64(HANDLE thread,
                               NT_THREAD_INFORMATION_CLASS thread_info_class,
                               PVOID thread_information,
                               ULONG thread_information_bytes);

// Interception of NtOpenThreadToken on the child process.
// `token` is a PHANDLE, i.e. a pointer through which a handle can be returned.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenThreadToken64(HANDLE thread,
                          ACCESS_MASK desired_access,
                          BOOLEAN open_as_self,
                          PHANDLE token);

// Interception of NtOpenThreadTokenEx on the child process.
// Differs from TargetNtOpenThreadToken64 only by the extra
// `handle_attributes` parameter placed before `token`.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenThreadTokenEx64(HANDLE thread,
                            ACCESS_MASK desired_access,
                            BOOLEAN open_as_self,
                            ULONG handle_attributes,
                            PHANDLE token);

// -----------------------------------------------------------------------
// Interceptors handled by the file system dispatcher.
//
// NOTE(review): `object_attributes` and the other pointer arguments are
// supplied by code in the child process. Presumably the file system dispatcher
// has to validate the requested object and access itself rather than rely on
// anything the interceptor did first; confirm in the dispatcher.

// Interception of NtCreateFile on the child process.
// NOTE(review): presumably `ea_length` is the size of the buffer at
// `ea_buffer`; confirm.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtCreateFile64(PHANDLE file,
                     ACCESS_MASK desired_access,
                     POBJECT_ATTRIBUTES object_attributes,
                     PIO_STATUS_BLOCK io_status,
                     PLARGE_INTEGER allocation_size,
                     ULONG file_attributes,
                     ULONG sharing,
                     ULONG disposition,
                     ULONG options,
                     PVOID ea_buffer,
                     ULONG ea_length);

// Interception of NtOpenFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenFile64(PHANDLE file,
                   ACCESS_MASK desired_access,
                   POBJECT_ATTRIBUTES object_attributes,
                   PIO_STATUS_BLOCK io_status,
                   ULONG sharing,
                   ULONG options);

// Interception of NtQueryAttributesFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtQueryAttributesFile64(POBJECT_ATTRIBUTES object_attributes,
                              PFILE_BASIC_INFORMATION file_attributes);

// Interception of NtQueryFullAttributesFile on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64(
    POBJECT_ATTRIBUTES object_attributes,
    PFILE_NETWORK_OPEN_INFORMATION file_attributes);

// Interception of NtSetInformationFile on the child process.
// NOTE(review): presumably `length` is the size of the buffer at
// `file_information`, interpreted according to `file_information_class`;
// confirm that the implementation checks it.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtSetInformationFile64(HANDLE file,
                             PIO_STATUS_BLOCK io_status,
                             PVOID file_information,
                             ULONG length,
                             FILE_INFORMATION_CLASS file_information_class);

// -----------------------------------------------------------------------
// Interceptors handled by the named pipe dispatcher.

// Interception of CreateNamedPipeW in kernel32.dll.
// Returns a HANDLE rather than an NTSTATUS, unlike the Nt* interceptors.
SANDBOX_INTERCEPT HANDLE WINAPI
TargetCreateNamedPipeW64(LPCWSTR pipe_name,
                         DWORD open_mode,
                         DWORD pipe_mode,
                         DWORD max_instance,
                         DWORD out_buffer_size,
                         DWORD in_buffer_size,
                         DWORD default_timeout,
                         LPSECURITY_ATTRIBUTES security_attributes);

// -----------------------------------------------------------------------
// Interceptors handled by the process-thread dispatcher.
//
// NOTE(review): these cover opening threads, processes and their tokens, and
// creating processes and threads. Presumably the dispatcher decides which
// targets and access masks are allowed; confirm that `desired_access` and
// `client_id` are checked there and not only in the child.

// Interception of NtOpenThread on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenThread64(PHANDLE thread,
                     ACCESS_MASK desired_access,
                     POBJECT_ATTRIBUTES object_attributes,
                     PCLIENT_ID client_id);

// Interception of NtOpenProcess on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenProcess64(PHANDLE process,
                      ACCESS_MASK desired_access,
                      POBJECT_ATTRIBUTES object_attributes,
                      PCLIENT_ID client_id);

// Interception of NtOpenProcessToken on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenProcessToken64(HANDLE process,
                           ACCESS_MASK desired_access,
                           PHANDLE token);

// Interception of NtOpenProcessTokenEx on the child process.
// Adds `handle_attributes` to the TargetNtOpenProcessToken64 parameter list.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenProcessTokenEx64(HANDLE process,
                             ACCESS_MASK desired_access,
                             ULONG handle_attributes,
                             PHANDLE token);

// Interception of CreateProcessW in kernel32.dll.
// `command_line` is a non-const LPWSTR while `application_name` and
// `current_directory` are const (LPCWSTR).
SANDBOX_INTERCEPT BOOL WINAPI
TargetCreateProcessW64(LPCWSTR application_name,
                       LPWSTR command_line,
                       LPSECURITY_ATTRIBUTES process_attributes,
                       LPSECURITY_ATTRIBUTES thread_attributes,
                       BOOL inherit_handles,
                       DWORD flags,
                       LPVOID environment,
                       LPCWSTR current_directory,
                       LPSTARTUPINFOW startup_info,
                       LPPROCESS_INFORMATION process_information);

// Interception of CreateProcessA in kernel32.dll.
// Same parameter list as TargetCreateProcessW64, with LPCSTR/LPSTR strings and
// LPSTARTUPINFOA in place of the wide-character types.
SANDBOX_INTERCEPT BOOL WINAPI
TargetCreateProcessA64(LPCSTR application_name,
                       LPSTR command_line,
                       LPSECURITY_ATTRIBUTES process_attributes,
                       LPSECURITY_ATTRIBUTES thread_attributes,
                       BOOL inherit_handles,
                       DWORD flags,
                       LPVOID environment,
                       LPCSTR current_directory,
                       LPSTARTUPINFOA startup_info,
                       LPPROCESS_INFORMATION process_information);

// Interception of CreateThread in kernel32.dll.
// Returns a HANDLE; `thread_id` is an LPDWORD, i.e. a pointer through which a
// DWORD can be returned.
SANDBOX_INTERCEPT HANDLE WINAPI
TargetCreateThread64(LPSECURITY_ATTRIBUTES thread_attributes,
                     SIZE_T stack_size,
                     LPTHREAD_START_ROUTINE start_address,
                     PVOID parameter,
                     DWORD creation_flags,
                     LPDWORD thread_id);

// -----------------------------------------------------------------------
// Interceptors handled by the registry dispatcher.
//
// NOTE(review): the key to act on is described by `object_attributes`, which
// comes from code in the child process. Presumably the registry dispatcher
// checks the requested key and `desired_access` itself; confirm.

// Interception of NtCreateKey on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtCreateKey64(PHANDLE key,
                    ACCESS_MASK desired_access,
                    POBJECT_ATTRIBUTES object_attributes,
                    ULONG title_index,
                    PUNICODE_STRING class_name,
                    ULONG create_options,
                    PULONG disposition);

// Interception of NtOpenKey on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenKey64(PHANDLE key,
                  ACCESS_MASK desired_access,
                  POBJECT_ATTRIBUTES object_attributes);

// Interception of NtOpenKeyEx on the child process.
// Adds `open_options` to the TargetNtOpenKey64 parameter list.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenKeyEx64(PHANDLE key,
                    ACCESS_MASK desired_access,
                    POBJECT_ATTRIBUTES object_attributes,
                    ULONG open_options);

// -----------------------------------------------------------------------
// Interceptors handled by the sync dispatcher.

// Interception of NtCreateEvent/NtOpenEvent on the child process.
// NtCreateEvent interceptor: takes the event type and initial state in
// addition to the parameters shared with TargetNtOpenEvent64.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtCreateEvent64(PHANDLE event_handle,
                      ACCESS_MASK desired_access,
                      POBJECT_ATTRIBUTES object_attributes,
                      EVENT_TYPE event_type,
                      BOOLEAN initial_state);

// Interception of NtOpenEvent on the child process.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtOpenEvent64(PHANDLE event_handle,
                    ACCESS_MASK desired_access,
                    POBJECT_ATTRIBUTES object_attributes);

// -----------------------------------------------------------------------
// Interceptors handled by the process mitigations win32k lockdown code.
//
// Only the first three declarations in this group carried a comment in the
// original; the comments on the others follow the Target<Api>64 naming pattern
// and name the API that appears in the identifier.

// Interceptor for the GdiDllInitialize function.
SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize64(HANDLE dll,
                                                       DWORD reason);

// Interceptor for the GetStockObject function.
SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject64(int object);

// Interceptor for the RegisterClassW function.
SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW64(const WNDCLASS* wnd_class);

// Interceptor for the EnumDisplayMonitors function.
// `lpfnEnum` is a callback pointer (MONITORENUMPROC) and `dwData` an LPARAM
// declared alongside it.
SANDBOX_INTERCEPT BOOL WINAPI
TargetEnumDisplayMonitors64(HDC hdc,
                            LPCRECT lprcClip,
                            MONITORENUMPROC lpfnEnum,
                            LPARAM dwData);

// Interceptor for the EnumDisplayDevicesA function.
SANDBOX_INTERCEPT BOOL WINAPI
TargetEnumDisplayDevicesA64(LPCSTR lpDevice,
                            DWORD iDevNum,
                            PDISPLAY_DEVICEA lpDisplayDevice,
                            DWORD dwFlags);

// Interceptor for the GetMonitorInfoA function.
SANDBOX_INTERCEPT BOOL WINAPI TargetGetMonitorInfoA64(HMONITOR hMonitor,
                                                      LPMONITORINFO lpmi);

// Interceptor for the GetMonitorInfoW function.
SANDBOX_INTERCEPT BOOL WINAPI TargetGetMonitorInfoW64(HMONITOR hMonitor,
                                                      LPMONITORINFO lpmi);

// The remaining declarations in this group deal with OPM protected outputs and
// return NTSTATUS. Several of them pair a caller-supplied buffer with a length
// or count parameter.
// NOTE(review): presumably each length/count describes the buffer next to it;
// confirm that the implementations never read or write past it.

// Interceptor for GetSuggestedOPMProtectedOutputArraySize.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetSuggestedOPMProtectedOutputArraySize64(
    PUNICODE_STRING device_name,
    DWORD* suggested_output_array_size);

// Interceptor for CreateOPMProtectedOutputs.
// NOTE(review): presumably `protected_output_array` has room for
// `protected_output_array_size` handles and `*num_output_handles` reports how
// many were produced; confirm.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetCreateOPMProtectedOutputs64(
    PUNICODE_STRING device_name,
    DXGKMDT_OPM_VIDEO_OUTPUT_SEMANTICS vos,
    DWORD protected_output_array_size,
    DWORD* num_output_handles,
    OPM_PROTECTED_OUTPUT_HANDLE* protected_output_array);

// Interceptor for GetCertificate; the device is identified by name.
// NOTE(review): presumably `certificate_length` is the size of the buffer at
// `certificate`; confirm.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetCertificate64(PUNICODE_STRING device_name,
                       DXGKMDT_CERTIFICATE_TYPE certificate_type,
                       BYTE* certificate,
                       ULONG certificate_length);

// Interceptor for GetCertificateSize; `certificate_length` is a pointer here,
// so the length is an output of this call.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetCertificateSize64(PUNICODE_STRING device_name,
                           DXGKMDT_CERTIFICATE_TYPE certificate_type,
                           ULONG* certificate_length);

// Interceptor for GetCertificateByHandle; same shape as
// TargetGetCertificate64 but keyed by a protected output handle instead of a
// device name.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetCertificateByHandle64(OPM_PROTECTED_OUTPUT_HANDLE protected_output,
                               DXGKMDT_CERTIFICATE_TYPE certificate_type,
                               BYTE* certificate,
                               ULONG certificate_length);

// Interceptor for GetCertificateSizeByHandle; same shape as
// TargetGetCertificateSize64 but keyed by a protected output handle.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetCertificateSizeByHandle64(OPM_PROTECTED_OUTPUT_HANDLE protected_output,
                                   DXGKMDT_CERTIFICATE_TYPE certificate_type,
                                   ULONG* certificate_length);

// Interceptor for DestroyOPMProtectedOutput.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetDestroyOPMProtectedOutput64(OPM_PROTECTED_OUTPUT_HANDLE protected_output);

// Interceptor for GetOPMInformation; `parameters` is const (input) and
// `requested_info` is a non-const pointer.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetOPMInformation64(OPM_PROTECTED_OUTPUT_HANDLE protected_output,
                          const DXGKMDT_OPM_GET_INFO_PARAMETERS* parameters,
                          DXGKMDT_OPM_REQUESTED_INFORMATION* requested_info);

// Interceptor for GetOPMRandomNumber.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetGetOPMRandomNumber64(OPM_PROTECTED_OUTPUT_HANDLE protected_output,
                           DXGKMDT_OPM_RANDOM_NUMBER* random_number);

// Interceptor for SetOPMSigningKeyAndSequenceNumbers.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetSetOPMSigningKeyAndSequenceNumbers64(
    OPM_PROTECTED_OUTPUT_HANDLE protected_output,
    const DXGKMDT_OPM_ENCRYPTED_PARAMETERS* parameters);

// Interceptor for ConfigureOPMProtectedOutput.
// NOTE(review): presumably `additional_parameters_size` is the size of the
// buffer at `additional_parameters`; confirm.
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetConfigureOPMProtectedOutput64(
    OPM_PROTECTED_OUTPUT_HANDLE protected_output,
    const DXGKMDT_OPM_CONFIGURE_PARAMETERS* parameters,
    ULONG additional_parameters_size,
    const BYTE* additional_parameters);

// -----------------------------------------------------------------------
// Interceptors handled by the signed process code.

// Interception of NtCreateSection on the child process.
// NOTE(review): `section_page_protection` and `allocation_attributes` are
// plain ULONG flag words and `file_handle` is a raw HANDLE, all supplied by
// code in the child process. Presumably the signed process code checks them
// before a section is created on the child's behalf; confirm.
SANDBOX_INTERCEPT NTSTATUS WINAPI
TargetNtCreateSection64(PHANDLE section_handle,
                        ACCESS_MASK desired_access,
                        POBJECT_ATTRIBUTES object_attributes,
                        PLARGE_INTEGER maximum_size,
                        ULONG section_page_protection,
                        ULONG allocation_attributes,
                        HANDLE file_handle);

}  // extern "C"

}  // namespace sandbox

#endif  // SANDBOX_WIN_SRC_INTERCEPTORS_64_H_