1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <windows.h>
6 #include <tchar.h>
7 #include <shellapi.h>
8 #include "sandbox/win/sandbox_poc/sandbox.h"
9 #include "base/logging.h"
10 #include "sandbox/win/sandbox_poc/main_ui_window.h"
11 #include "sandbox/win/src/sandbox.h"
12 #include "sandbox/win/src/sandbox_factory.h"
13
14 // Prototype allowed for functions to be called in the POC
15 typedef void(__cdecl *lpfnInit)(HANDLE);
16
ParseCommandLine(wchar_t * command_line,std::string * dll_name,std::string * entry_point,base::string16 * log_file)17 bool ParseCommandLine(wchar_t * command_line,
18 std::string * dll_name,
19 std::string * entry_point,
20 base::string16 * log_file) {
21 DCHECK(dll_name);
22 DCHECK(entry_point);
23 DCHECK(log_file);
24 if (!dll_name || !entry_point || !log_file)
25 return false;
26
27 LPWSTR *arg_list;
28 int arg_count;
29
30 // We expect the command line to contain: EntryPointName "DLLPath" "LogPath"
31 // NOTE: Double quotes are required, even if long path name not used
32 // NOTE: LogPath can be blank, but still requires the double quotes
33 arg_list = CommandLineToArgvW(command_line, &arg_count);
34 if (NULL == arg_list || arg_count < 4) {
35 return false;
36 }
37
38 base::string16 entry_point_wide = arg_list[1];
39 base::string16 dll_name_wide = arg_list[2];
40 *entry_point = std::string(entry_point_wide.begin(), entry_point_wide.end());
41 *dll_name = std::string(dll_name_wide.begin(), dll_name_wide.end());
42 *log_file = arg_list[3];
43
44 // Free memory allocated for CommandLineToArgvW arguments.
45 LocalFree(arg_list);
46
47 return true;
48 }
49
_tWinMain(HINSTANCE instance,HINSTANCE,wchar_t * command_line,int show_command)50 int APIENTRY _tWinMain(HINSTANCE instance, HINSTANCE, wchar_t* command_line,
51 int show_command) {
52 UNREFERENCED_PARAMETER(command_line);
53
54 sandbox::BrokerServices* broker_service =
55 sandbox::SandboxFactory::GetBrokerServices();
56 sandbox::ResultCode result;
57
58 // This application starts as the broker; an application with a UI that
59 // spawns an instance of itself (called a 'target') inside the sandbox.
60 // Before spawning a hidden instance of itself, the application will have
61 // asked the user which DLL the spawned instance should load and passes
62 // that as command line argument to the spawned instance.
63 //
64 // We check here to see if we can retrieve a pointer to the BrokerServices,
65 // which is not possible if we are running inside the sandbox under a
66 // restricted token so it also tells us which mode we are in. If we can
67 // retrieve the pointer, then we are the broker, otherwise we are the target
68 // that the broker launched.
69 if (NULL != broker_service) {
70 // Yes, we are the broker so we need to initialize and show the UI
71 if (0 != (result = broker_service->Init())) {
72 ::MessageBox(NULL, L"Failed to initialize the BrokerServices object",
73 L"Error during initialization", MB_ICONERROR);
74 return 1;
75 }
76
77 wchar_t exe_name[MAX_PATH];
78 if (0 == GetModuleFileName(NULL, exe_name, MAX_PATH - 1)) {
79 ::MessageBox(NULL, L"Failed to get name of current EXE",
80 L"Error during initialization", MB_ICONERROR);
81 return 1;
82 }
83
84 // The CreateMainWindowAndLoop() call will not return until the user closes
85 // the application window (or selects File\Exit).
86 MainUIWindow window;
87 window.CreateMainWindowAndLoop(instance,
88 exe_name,
89 show_command,
90 broker_service);
91
92
93 // Cannot exit until we have cleaned up after all the targets we have
94 // created
95 broker_service->WaitForAllTargets();
96 } else {
97 // This is an instance that has been spawned inside the sandbox by the
98 // broker, so we need to parse the command line to figure out which DLL to
99 // load and what entry point to call
100 sandbox::TargetServices* target_service
101 = sandbox::SandboxFactory::GetTargetServices();
102
103 if (NULL == target_service) {
104 // TODO(finnur): write the failure to the log file
105 // We cannot display messageboxes inside the sandbox unless access to
106 // the desktop handle has been granted to us, and we don't have a
107 // console window to write to. Therefore we need to have the broker
108 // grant us access to a handle to a logfile and write the error that
109 // occurred into the log before continuing
110 return -1;
111 }
112
113 // Debugging the spawned application can be tricky, because DebugBreak()
114 // and _asm int 3 cause the app to terminate (due to a flag in the job
115 // object), MessageBoxes() will not be displayed unless we have been granted
116 // that privilege and the target finishes its business so quickly we cannot
117 // attach to it quickly enough. Therefore, you can uncomment the
118 // following line and attach (w. msdev or windbg) as the target is sleeping
119
120 // Sleep(10000);
121
122 if (sandbox::SBOX_ALL_OK != (result = target_service->Init())) {
123 // TODO(finnur): write the initialization error to the log file
124 return -2;
125 }
126
127 // Parse the command line to find out what we need to call
128 std::string dll_name, entry_point;
129 base::string16 log_file;
130 if (!ParseCommandLine(GetCommandLineW(),
131 &dll_name,
132 &entry_point,
133 &log_file)) {
134 // TODO(finnur): write the failure to the log file
135 return -3;
136 }
137
138 // Open the pipe to transfert the log output
139 HANDLE pipe = ::CreateFile(log_file.c_str(),
140 GENERIC_WRITE,
141 FILE_SHARE_READ | FILE_SHARE_WRITE,
142 NULL, // Default security attributes.
143 CREATE_ALWAYS,
144 FILE_ATTRIBUTE_NORMAL,
145 NULL); // No template
146
147 if (INVALID_HANDLE_VALUE == pipe) {
148 return -4;
149 }
150
151 // We now know what we should load, so load it
152 HMODULE dll_module = ::LoadLibraryA(dll_name.c_str());
153 if (dll_module == NULL) {
154 // TODO(finnur): write the failure to the log file
155 return -5;
156 }
157
158 // Initialization is finished, so we can enter lock-down mode
159 target_service->LowerToken();
160
161 lpfnInit init_function =
162 (lpfnInit) ::GetProcAddress(dll_module, entry_point.c_str());
163
164 if (!init_function) {
165 // TODO(finnur): write the failure to the log file
166 ::FreeLibrary(dll_module);
167 CloseHandle(pipe);
168 return -6;
169 }
170
171 // Transfer control to the entry point in the DLL requested
172 init_function(pipe);
173
174 CloseHandle(pipe);
175 Sleep(1000); // Give a change to the debug output to arrive before the
176 // end of the process
177
178 ::FreeLibrary(dll_module);
179 }
180
181 return 0;
182 }
183