• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include <windows.h>
6 #include <tchar.h>
7 #include <shellapi.h>
8 #include "sandbox/win/sandbox_poc/sandbox.h"
9 #include "base/logging.h"
10 #include "sandbox/win/sandbox_poc/main_ui_window.h"
11 #include "sandbox/win/src/sandbox.h"
12 #include "sandbox/win/src/sandbox_factory.h"
13 
14 // Prototype allowed for functions to be called in the POC
15 typedef void(__cdecl *lpfnInit)(HANDLE);
16 
ParseCommandLine(wchar_t * command_line,std::string * dll_name,std::string * entry_point,base::string16 * log_file)17 bool ParseCommandLine(wchar_t * command_line,
18                       std::string * dll_name,
19                       std::string * entry_point,
20                       base::string16 * log_file) {
21   DCHECK(dll_name);
22   DCHECK(entry_point);
23   DCHECK(log_file);
24   if (!dll_name || !entry_point || !log_file)
25     return false;
26 
27   LPWSTR *arg_list;
28   int arg_count;
29 
30   // We expect the command line to contain: EntryPointName "DLLPath" "LogPath"
31   // NOTE: Double quotes are required, even if long path name not used
32   // NOTE: LogPath can be blank, but still requires the double quotes
33   arg_list = CommandLineToArgvW(command_line, &arg_count);
34   if (NULL == arg_list || arg_count < 4) {
35      return false;
36   }
37 
38   base::string16 entry_point_wide = arg_list[1];
39   base::string16 dll_name_wide = arg_list[2];
40   *entry_point = std::string(entry_point_wide.begin(), entry_point_wide.end());
41   *dll_name    = std::string(dll_name_wide.begin(), dll_name_wide.end());
42   *log_file    = arg_list[3];
43 
44   // Free memory allocated for CommandLineToArgvW arguments.
45   LocalFree(arg_list);
46 
47   return true;
48 }
49 
_tWinMain(HINSTANCE instance,HINSTANCE,wchar_t * command_line,int show_command)50 int APIENTRY _tWinMain(HINSTANCE instance, HINSTANCE, wchar_t* command_line,
51                        int show_command) {
52   UNREFERENCED_PARAMETER(command_line);
53 
54   sandbox::BrokerServices* broker_service =
55       sandbox::SandboxFactory::GetBrokerServices();
56   sandbox::ResultCode result;
57 
58   // This application starts as the broker; an application with a UI that
59   // spawns an instance of itself (called a 'target') inside the sandbox.
60   // Before spawning a hidden instance of itself, the application will have
61   // asked the user which DLL the spawned instance should load and passes
62   // that as command line argument to the spawned instance.
63   //
64   // We check here to see if we can retrieve a pointer to the BrokerServices,
65   // which is not possible if we are running inside the sandbox under a
66   // restricted token so it also tells us which mode we are in. If we can
67   // retrieve the pointer, then we are the broker, otherwise we are the target
68   // that the broker launched.
69   if (NULL != broker_service) {
70     // Yes, we are the broker so we need to initialize and show the UI
71     if (0 != (result = broker_service->Init())) {
72       ::MessageBox(NULL, L"Failed to initialize the BrokerServices object",
73                    L"Error during initialization", MB_ICONERROR);
74       return 1;
75     }
76 
77     wchar_t exe_name[MAX_PATH];
78     if (0 == GetModuleFileName(NULL, exe_name, MAX_PATH - 1)) {
79       ::MessageBox(NULL, L"Failed to get name of current EXE",
80                    L"Error during initialization", MB_ICONERROR);
81       return 1;
82     }
83 
84     // The CreateMainWindowAndLoop() call will not return until the user closes
85     // the application window (or selects File\Exit).
86     MainUIWindow window;
87     window.CreateMainWindowAndLoop(instance,
88                                    exe_name,
89                                    show_command,
90                                    broker_service);
91 
92 
93     // Cannot exit until we have cleaned up after all the targets we have
94     // created
95     broker_service->WaitForAllTargets();
96   } else {
97     // This is an instance that has been spawned inside the sandbox by the
98     // broker, so we need to parse the command line to figure out which DLL to
99     // load and what entry point to call
100     sandbox::TargetServices* target_service
101         = sandbox::SandboxFactory::GetTargetServices();
102 
103     if (NULL == target_service) {
104       // TODO(finnur): write the failure to the log file
105       // We cannot display messageboxes inside the sandbox unless access to
106       // the desktop handle has been granted to us, and we don't have a
107       // console window to write to. Therefore we need to have the broker
108       // grant us access to a handle to a logfile and write the error that
109       // occurred into the log before continuing
110       return -1;
111     }
112 
113     // Debugging the spawned application can be tricky, because DebugBreak()
114     // and _asm int 3 cause the app to terminate (due to a flag in the job
115     // object), MessageBoxes() will not be displayed unless we have been granted
116     // that privilege and the target finishes its business so quickly we cannot
117     // attach to it quickly enough. Therefore, you can uncomment the
118     // following line and attach (w. msdev or windbg) as the target is sleeping
119 
120     // Sleep(10000);
121 
122     if (sandbox::SBOX_ALL_OK != (result = target_service->Init())) {
123       // TODO(finnur): write the initialization error to the log file
124       return -2;
125     }
126 
127     // Parse the command line to find out what we need to call
128     std::string dll_name, entry_point;
129     base::string16 log_file;
130     if (!ParseCommandLine(GetCommandLineW(),
131                           &dll_name,
132                           &entry_point,
133                           &log_file)) {
134       // TODO(finnur): write the failure to the log file
135       return -3;
136     }
137 
138     // Open the pipe to transfert the log output
139     HANDLE pipe = ::CreateFile(log_file.c_str(),
140                                GENERIC_WRITE,
141                                FILE_SHARE_READ | FILE_SHARE_WRITE,
142                                NULL,  // Default security attributes.
143                                CREATE_ALWAYS,
144                                FILE_ATTRIBUTE_NORMAL,
145                                NULL);  // No template
146 
147     if (INVALID_HANDLE_VALUE == pipe) {
148       return -4;
149     }
150 
151     // We now know what we should load, so load it
152     HMODULE dll_module = ::LoadLibraryA(dll_name.c_str());
153     if (dll_module == NULL) {
154       // TODO(finnur): write the failure to the log file
155       return -5;
156     }
157 
158     // Initialization is finished, so we can enter lock-down mode
159     target_service->LowerToken();
160 
161     lpfnInit init_function =
162         (lpfnInit) ::GetProcAddress(dll_module, entry_point.c_str());
163 
164     if (!init_function) {
165       // TODO(finnur): write the failure to the log file
166       ::FreeLibrary(dll_module);
167       CloseHandle(pipe);
168       return -6;
169     }
170 
171    // Transfer control to the entry point in the DLL requested
172     init_function(pipe);
173 
174     CloseHandle(pipe);
175     Sleep(1000);  // Give a change to the debug output to arrive before the
176                   // end of the process
177 
178     ::FreeLibrary(dll_module);
179   }
180 
181   return 0;
182 }
183