• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/win/sandbox_poc/pocdll/exports.h"
6 #include "sandbox/win/sandbox_poc/pocdll/utils.h"
7 #include "sandbox/win/tools/finder/ntundoc.h"
8 
9 // This file contains the tests used to verify the security of handles in
10 // the process
11 
12 NTQUERYOBJECT NtQueryObject;
13 NTQUERYINFORMATIONFILE NtQueryInformationFile;
14 NTQUERYSYSTEMINFORMATION NtQuerySystemInformation;
15 
TestGetHandle(HANDLE log)16 void POCDLL_API TestGetHandle(HANDLE log) {
17   HandleToFile handle2file;
18   FILE *output = handle2file.Translate(log, "w");
19 
20   // Initialize the NTAPI functions we need
21   HMODULE ntdll_handle = ::GetModuleHandle(L"ntdll.dll");
22   if (!ntdll_handle) {
23     fprintf(output, "[ERROR] Cannot load ntdll.dll. Error %d\r\n",
24             ::GetLastError());
25     return;
26   }
27 
28   NtQueryObject = reinterpret_cast<NTQUERYOBJECT>(
29                       GetProcAddress(ntdll_handle, "NtQueryObject"));
30   NtQueryInformationFile = reinterpret_cast<NTQUERYINFORMATIONFILE>(
31                       GetProcAddress(ntdll_handle, "NtQueryInformationFile"));
32   NtQuerySystemInformation = reinterpret_cast<NTQUERYSYSTEMINFORMATION>(
33                       GetProcAddress(ntdll_handle, "NtQuerySystemInformation"));
34 
35   if (!NtQueryObject || !NtQueryInformationFile || !NtQuerySystemInformation) {
36     fprintf(output, "[ERROR] Cannot load all NT functions. Error %d\r\n",
37                     ::GetLastError());
38     return;
39   }
40 
41   // Get the number of handles on the system
42   DWORD buffer_size = 0;
43   SYSTEM_HANDLE_INFORMATION_EX temp_info;
44   NTSTATUS status = NtQuerySystemInformation(
45       SystemHandleInformation, &temp_info, sizeof(temp_info),
46       &buffer_size);
47   if (!buffer_size) {
48     fprintf(output, "[ERROR] Get the number of handles. Error 0x%X\r\n",
49                     status);
50     return;
51   }
52 
53   SYSTEM_HANDLE_INFORMATION_EX *system_handles =
54       reinterpret_cast<SYSTEM_HANDLE_INFORMATION_EX*>(new BYTE[buffer_size]);
55 
56   status = NtQuerySystemInformation(SystemHandleInformation, system_handles,
57                                     buffer_size, &buffer_size);
58   if (STATUS_SUCCESS != status) {
59     fprintf(output, "[ERROR] Failed to get the handle list. Error 0x%X\r\n",
60                     status);
61     delete [] system_handles;
62     return;
63   }
64 
65   for (ULONG i = 0; i < system_handles->NumberOfHandles; ++i) {
66     USHORT h = system_handles->Information[i].Handle;
67     if (system_handles->Information[i].ProcessId != ::GetCurrentProcessId())
68       continue;
69 
70     OBJECT_NAME_INFORMATION *name = NULL;
71     ULONG name_size = 0;
72     // Query the name information a first time to get the size of the name.
73     status = NtQueryObject(reinterpret_cast<HANDLE>(h),
74                            ObjectNameInformation,
75                            name,
76                            name_size,
77                            &name_size);
78 
79     if (name_size) {
80       name = reinterpret_cast<OBJECT_NAME_INFORMATION *>(new BYTE[name_size]);
81 
82       // Query the name information a second time to get the name of the
83       // object referenced by the handle.
84       status = NtQueryObject(reinterpret_cast<HANDLE>(h),
85                              ObjectNameInformation,
86                              name,
87                              name_size,
88                              &name_size);
89     }
90 
91     PUBLIC_OBJECT_TYPE_INFORMATION *type = NULL;
92     ULONG type_size = 0;
93 
94     // Query the object to get the size of the object type name.
95     status = NtQueryObject(reinterpret_cast<HANDLE>(h),
96                            ObjectTypeInformation,
97                            type,
98                            type_size,
99                            &type_size);
100     if (type_size) {
101       type = reinterpret_cast<PUBLIC_OBJECT_TYPE_INFORMATION *>(
102           new BYTE[type_size]);
103 
104       // Query the type information a second time to get the object type
105       // name.
106       status = NtQueryObject(reinterpret_cast<HANDLE>(h),
107                              ObjectTypeInformation,
108                              type,
109                              type_size,
110                              &type_size);
111     }
112 
113     // NtQueryObject cannot return the name for a file. In this case we
114     // need to ask NtQueryInformationFile
115     FILE_NAME_INFORMATION *file_name = NULL;
116     if (type && wcsncmp(L"File", type->TypeName.Buffer,
117                         (type->TypeName.Length /
118                         sizeof(type->TypeName.Buffer[0]))) == 0)  {
119       // This function does not return the size of the buffer. We need to
120       // iterate and always increase the buffer size until the function
121       // succeeds. (Or at least does not fail with STATUS_BUFFER_OVERFLOW)
122       ULONG size_file = MAX_PATH;
123       IO_STATUS_BLOCK status_block = {0};
124       do {
125         // Delete the previous buffer create. The buffer was too small
126         if (file_name) {
127           delete[] reinterpret_cast<BYTE*>(file_name);
128           file_name = NULL;
129         }
130 
131         // Increase the buffer and do the call agan
132         size_file += MAX_PATH;
133         file_name = reinterpret_cast<FILE_NAME_INFORMATION *>(
134             new BYTE[size_file]);
135         status = NtQueryInformationFile(reinterpret_cast<HANDLE>(h),
136                                         &status_block,
137                                         file_name,
138                                         size_file,
139                                         FileNameInformation);
140       } while (status == STATUS_BUFFER_OVERFLOW);
141 
142       if (STATUS_SUCCESS != status) {
143         if (file_name) {
144           delete[] file_name;
145           file_name = NULL;
146         }
147       }
148     }
149 
150     if (file_name) {
151       UNICODE_STRING file_name_string;
152       file_name_string.Buffer = file_name->FileName;
153       file_name_string.Length = (USHORT)file_name->FileNameLength;
154       file_name_string.MaximumLength = (USHORT)file_name->FileNameLength;
155       fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X "
156                       "Type: %-13.13wZ Path: %wZ\r\n",
157                       h,
158                       system_handles->Information[i].GrantedAccess,
159                       type ? &type->TypeName : NULL,
160                       &file_name_string);
161     } else {
162       fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X "
163                       "Type: %-13.13wZ Path: %wZ\r\n",
164                       h,
165                       system_handles->Information[i].GrantedAccess,
166                       type ? &type->TypeName : NULL,
167                       name ? &name->ObjectName : NULL);
168     }
169 
170     if (type) {
171       delete[] type;
172     }
173 
174     if (file_name) {
175       delete[] file_name;
176     }
177 
178     if (name) {
179       delete [] name;
180     }
181   }
182 
183   if (system_handles) {
184     delete [] system_handles;
185   }
186 }
187