1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/sandbox_poc/pocdll/exports.h"
6 #include "sandbox/win/sandbox_poc/pocdll/utils.h"
7 #include "sandbox/win/tools/finder/ntundoc.h"
8
9 // This file contains the tests used to verify the security of handles in
10 // the process
11
12 NTQUERYOBJECT NtQueryObject;
13 NTQUERYINFORMATIONFILE NtQueryInformationFile;
14 NTQUERYSYSTEMINFORMATION NtQuerySystemInformation;
15
TestGetHandle(HANDLE log)16 void POCDLL_API TestGetHandle(HANDLE log) {
17 HandleToFile handle2file;
18 FILE *output = handle2file.Translate(log, "w");
19
20 // Initialize the NTAPI functions we need
21 HMODULE ntdll_handle = ::GetModuleHandle(L"ntdll.dll");
22 if (!ntdll_handle) {
23 fprintf(output, "[ERROR] Cannot load ntdll.dll. Error %d\r\n",
24 ::GetLastError());
25 return;
26 }
27
28 NtQueryObject = reinterpret_cast<NTQUERYOBJECT>(
29 GetProcAddress(ntdll_handle, "NtQueryObject"));
30 NtQueryInformationFile = reinterpret_cast<NTQUERYINFORMATIONFILE>(
31 GetProcAddress(ntdll_handle, "NtQueryInformationFile"));
32 NtQuerySystemInformation = reinterpret_cast<NTQUERYSYSTEMINFORMATION>(
33 GetProcAddress(ntdll_handle, "NtQuerySystemInformation"));
34
35 if (!NtQueryObject || !NtQueryInformationFile || !NtQuerySystemInformation) {
36 fprintf(output, "[ERROR] Cannot load all NT functions. Error %d\r\n",
37 ::GetLastError());
38 return;
39 }
40
41 // Get the number of handles on the system
42 DWORD buffer_size = 0;
43 SYSTEM_HANDLE_INFORMATION_EX temp_info;
44 NTSTATUS status = NtQuerySystemInformation(
45 SystemHandleInformation, &temp_info, sizeof(temp_info),
46 &buffer_size);
47 if (!buffer_size) {
48 fprintf(output, "[ERROR] Get the number of handles. Error 0x%X\r\n",
49 status);
50 return;
51 }
52
53 SYSTEM_HANDLE_INFORMATION_EX *system_handles =
54 reinterpret_cast<SYSTEM_HANDLE_INFORMATION_EX*>(new BYTE[buffer_size]);
55
56 status = NtQuerySystemInformation(SystemHandleInformation, system_handles,
57 buffer_size, &buffer_size);
58 if (STATUS_SUCCESS != status) {
59 fprintf(output, "[ERROR] Failed to get the handle list. Error 0x%X\r\n",
60 status);
61 delete [] system_handles;
62 return;
63 }
64
65 for (ULONG i = 0; i < system_handles->NumberOfHandles; ++i) {
66 USHORT h = system_handles->Information[i].Handle;
67 if (system_handles->Information[i].ProcessId != ::GetCurrentProcessId())
68 continue;
69
70 OBJECT_NAME_INFORMATION *name = NULL;
71 ULONG name_size = 0;
72 // Query the name information a first time to get the size of the name.
73 status = NtQueryObject(reinterpret_cast<HANDLE>(h),
74 ObjectNameInformation,
75 name,
76 name_size,
77 &name_size);
78
79 if (name_size) {
80 name = reinterpret_cast<OBJECT_NAME_INFORMATION *>(new BYTE[name_size]);
81
82 // Query the name information a second time to get the name of the
83 // object referenced by the handle.
84 status = NtQueryObject(reinterpret_cast<HANDLE>(h),
85 ObjectNameInformation,
86 name,
87 name_size,
88 &name_size);
89 }
90
91 PUBLIC_OBJECT_TYPE_INFORMATION *type = NULL;
92 ULONG type_size = 0;
93
94 // Query the object to get the size of the object type name.
95 status = NtQueryObject(reinterpret_cast<HANDLE>(h),
96 ObjectTypeInformation,
97 type,
98 type_size,
99 &type_size);
100 if (type_size) {
101 type = reinterpret_cast<PUBLIC_OBJECT_TYPE_INFORMATION *>(
102 new BYTE[type_size]);
103
104 // Query the type information a second time to get the object type
105 // name.
106 status = NtQueryObject(reinterpret_cast<HANDLE>(h),
107 ObjectTypeInformation,
108 type,
109 type_size,
110 &type_size);
111 }
112
113 // NtQueryObject cannot return the name for a file. In this case we
114 // need to ask NtQueryInformationFile
115 FILE_NAME_INFORMATION *file_name = NULL;
116 if (type && wcsncmp(L"File", type->TypeName.Buffer,
117 (type->TypeName.Length /
118 sizeof(type->TypeName.Buffer[0]))) == 0) {
119 // This function does not return the size of the buffer. We need to
120 // iterate and always increase the buffer size until the function
121 // succeeds. (Or at least does not fail with STATUS_BUFFER_OVERFLOW)
122 ULONG size_file = MAX_PATH;
123 IO_STATUS_BLOCK status_block = {0};
124 do {
125 // Delete the previous buffer create. The buffer was too small
126 if (file_name) {
127 delete[] reinterpret_cast<BYTE*>(file_name);
128 file_name = NULL;
129 }
130
131 // Increase the buffer and do the call agan
132 size_file += MAX_PATH;
133 file_name = reinterpret_cast<FILE_NAME_INFORMATION *>(
134 new BYTE[size_file]);
135 status = NtQueryInformationFile(reinterpret_cast<HANDLE>(h),
136 &status_block,
137 file_name,
138 size_file,
139 FileNameInformation);
140 } while (status == STATUS_BUFFER_OVERFLOW);
141
142 if (STATUS_SUCCESS != status) {
143 if (file_name) {
144 delete[] file_name;
145 file_name = NULL;
146 }
147 }
148 }
149
150 if (file_name) {
151 UNICODE_STRING file_name_string;
152 file_name_string.Buffer = file_name->FileName;
153 file_name_string.Length = (USHORT)file_name->FileNameLength;
154 file_name_string.MaximumLength = (USHORT)file_name->FileNameLength;
155 fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X "
156 "Type: %-13.13wZ Path: %wZ\r\n",
157 h,
158 system_handles->Information[i].GrantedAccess,
159 type ? &type->TypeName : NULL,
160 &file_name_string);
161 } else {
162 fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X "
163 "Type: %-13.13wZ Path: %wZ\r\n",
164 h,
165 system_handles->Information[i].GrantedAccess,
166 type ? &type->TypeName : NULL,
167 name ? &name->ObjectName : NULL);
168 }
169
170 if (type) {
171 delete[] type;
172 }
173
174 if (file_name) {
175 delete[] file_name;
176 }
177
178 if (name) {
179 delete [] name;
180 }
181 }
182
183 if (system_handles) {
184 delete [] system_handles;
185 }
186 }
187