1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_SRC_SERVICE_RESOLVER_H__ 6 #define SANDBOX_SRC_SERVICE_RESOLVER_H__ 7 8 #include "sandbox/win/src/nt_internals.h" 9 #include "sandbox/win/src/resolver.h" 10 11 namespace sandbox { 12 13 // This is the concrete resolver used to perform service-call type functions 14 // inside ntdll.dll. 15 class ServiceResolverThunk : public ResolverThunk { 16 public: 17 // The service resolver needs a child process to write to. ServiceResolverThunk(HANDLE process,bool relaxed)18 ServiceResolverThunk(HANDLE process, bool relaxed) 19 : process_(process), ntdll_base_(NULL), win2k_(false), 20 relaxed_(relaxed), relative_jump_(0) {} ~ServiceResolverThunk()21 virtual ~ServiceResolverThunk() {} 22 23 // Implementation of Resolver::Setup. 24 virtual NTSTATUS Setup(const void* target_module, 25 const void* interceptor_module, 26 const char* target_name, 27 const char* interceptor_name, 28 const void* interceptor_entry_point, 29 void* thunk_storage, 30 size_t storage_bytes, 31 size_t* storage_used); 32 33 // Implementation of Resolver::ResolveInterceptor. 34 virtual NTSTATUS ResolveInterceptor(const void* module, 35 const char* function_name, 36 const void** address); 37 38 // Implementation of Resolver::ResolveTarget. 39 virtual NTSTATUS ResolveTarget(const void* module, 40 const char* function_name, 41 void** address); 42 43 // Implementation of Resolver::GetThunkSize. 44 virtual size_t GetThunkSize() const; 45 46 // Call this to set up ntdll_base_ which will allow for local patches. 47 virtual void AllowLocalPatches(); 48 49 protected: 50 // The unit test will use this member to allow local patch on a buffer. 51 HMODULE ntdll_base_; 52 53 // Handle of the child process. 54 HANDLE process_; 55 56 protected: 57 // Keeps track of a Windows 2000 resolver. 58 bool win2k_; 59 60 private: 61 // Returns true if the code pointer by target_ corresponds to the expected 62 // type of function. Saves that code on the first part of the thunk pointed 63 // by local_thunk (should be directly accessible from the parent). 64 virtual bool IsFunctionAService(void* local_thunk) const; 65 66 // Performs the actual patch of target_. 67 // local_thunk must be already fully initialized, and the first part must 68 // contain the original code. The real type of this buffer is ServiceFullThunk 69 // (yes, private). remote_thunk (real type ServiceFullThunk), must be 70 // allocated on the child, and will contain the thunk data, after this call. 71 // Returns the apropriate status code. 72 virtual NTSTATUS PerformPatch(void* local_thunk, void* remote_thunk); 73 74 // Provides basically the same functionality as IsFunctionAService but it 75 // continues even if it does not recognize the function code. remote_thunk 76 // is the address of our memory on the child. 77 bool SaveOriginalFunction(void* local_thunk, void* remote_thunk); 78 79 // true if we are allowed to patch already-patched functions. 80 bool relaxed_; 81 ULONG relative_jump_; 82 83 DISALLOW_COPY_AND_ASSIGN(ServiceResolverThunk); 84 }; 85 86 // This is the concrete resolver used to perform service-call type functions 87 // inside ntdll.dll on WOW64 (32 bit ntdll on 64 bit Vista). 88 class Wow64ResolverThunk : public ServiceResolverThunk { 89 public: 90 // The service resolver needs a child process to write to. Wow64ResolverThunk(HANDLE process,bool relaxed)91 Wow64ResolverThunk(HANDLE process, bool relaxed) 92 : ServiceResolverThunk(process, relaxed) {} ~Wow64ResolverThunk()93 virtual ~Wow64ResolverThunk() {} 94 95 private: 96 virtual bool IsFunctionAService(void* local_thunk) const; 97 98 DISALLOW_COPY_AND_ASSIGN(Wow64ResolverThunk); 99 }; 100 101 // This is the concrete resolver used to perform service-call type functions 102 // inside ntdll.dll on WOW64 for Windows 8. 103 class Wow64W8ResolverThunk : public ServiceResolverThunk { 104 public: 105 // The service resolver needs a child process to write to. Wow64W8ResolverThunk(HANDLE process,bool relaxed)106 Wow64W8ResolverThunk(HANDLE process, bool relaxed) 107 : ServiceResolverThunk(process, relaxed) {} ~Wow64W8ResolverThunk()108 virtual ~Wow64W8ResolverThunk() {} 109 110 private: 111 virtual bool IsFunctionAService(void* local_thunk) const; 112 113 DISALLOW_COPY_AND_ASSIGN(Wow64W8ResolverThunk); 114 }; 115 116 // This is the concrete resolver used to perform service-call type functions 117 // inside ntdll.dll on Windows 2000 and XP pre SP2. 118 class Win2kResolverThunk : public ServiceResolverThunk { 119 public: 120 // The service resolver needs a child process to write to. Win2kResolverThunk(HANDLE process,bool relaxed)121 Win2kResolverThunk(HANDLE process, bool relaxed) 122 : ServiceResolverThunk(process, relaxed) { 123 win2k_ = true; 124 } ~Win2kResolverThunk()125 virtual ~Win2kResolverThunk() {} 126 127 private: 128 virtual bool IsFunctionAService(void* local_thunk) const; 129 130 DISALLOW_COPY_AND_ASSIGN(Win2kResolverThunk); 131 }; 132 133 // This is the concrete resolver used to perform service-call type functions 134 // inside ntdll.dll on Windows 8. 135 class Win8ResolverThunk : public ServiceResolverThunk { 136 public: 137 // The service resolver needs a child process to write to. Win8ResolverThunk(HANDLE process,bool relaxed)138 Win8ResolverThunk(HANDLE process, bool relaxed) 139 : ServiceResolverThunk(process, relaxed) {} ~Win8ResolverThunk()140 virtual ~Win8ResolverThunk() {} 141 142 private: 143 virtual bool IsFunctionAService(void* local_thunk) const; 144 145 DISALLOW_COPY_AND_ASSIGN(Win8ResolverThunk); 146 }; 147 148 } // namespace sandbox 149 150 151 #endif // SANDBOX_SRC_SERVICE_RESOLVER_H__ 152