1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/target_interceptions.h"
6
7 #include "sandbox/win/src/interception_agent.h"
8 #include "sandbox/win/src/sandbox_factory.h"
9 #include "sandbox/win/src/sandbox_nt_util.h"
10 #include "sandbox/win/src/target_services.h"
11
12 namespace sandbox {
13
// Table of resolved NT native API entry points used by the interceptions in
// this file (e.g. g_nt.UnmapViewOfSection in TargetNtMapViewOfSection).
// SANDBOX_INTERCEPT is a project macro whose definition lives in a header
// outside this file.
SANDBOX_INTERCEPT NtExports g_nt;
15
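// Hooks NtMapViewOfSection to detect the load of DLLs. If hot patching is
// required for this DLL, the interception agent (via OnDllLoad) patches it.
//
// The original call is always performed first; the hook only inspects its
// result. It bails out (leaving |ret| untouched) unless the view was mapped
// successfully into this process and passes IsValidImageSection. When the
// agent refuses the module, the view is unmapped again and STATUS_UNSUCCESSFUL
// is returned to the caller.
//
// orig_MapViewOfSection: the original NtMapViewOfSection entry point. The
// remaining parameters are the NtMapViewOfSection arguments, forwarded
// unchanged. Returns the status of the original call, or STATUS_UNSUCCESSFUL
// when the agent rejected the module.
NTSTATUS WINAPI TargetNtMapViewOfSection(
    NtMapViewOfSectionFunction orig_MapViewOfSection, HANDLE section,
    HANDLE process, PVOID* base, ULONG_PTR zero_bits, SIZE_T commit_size,
    PLARGE_INTEGER offset, PSIZE_T view_size, SECTION_INHERIT inherit,
    ULONG allocation_type, ULONG protect) {
  NTSTATUS ret = orig_MapViewOfSection(section, process, base, zero_bits,
                                       commit_size, offset, view_size, inherit,
                                       allocation_type, protect);

  // Counts calls to this hook, successful or not: 0 = first call still in
  // progress, 1 = one call seen, 2 = kernel32 already reported loaded. The
  // second call observed is taken to mean kernel32.dll has been mapped; the
  // identity of that module is not verified here.
  static int s_load_count = 0;
  if (1 == s_load_count) {
    SandboxFactory::GetTargetServices()->GetState()->SetKernel32Loaded();
    s_load_count = 2;
  }

  do {
    if (!NT_SUCCESS(ret))
      break;

    // The name helpers below hand back NT_ALLOC-allocated strings (see the
    // deletes at the end of this block), so the heap must exist first.
    if (!InitHeap())
      break;

    // Only views mapped into this process are of interest.
    if (!IsSameProcess(process))
      break;

    if (!IsValidImageSection(section, base, offset, view_size))
      break;

    // Zero-initialized so the MODULE_HAS_CODE test below never reads an
    // indeterminate value should GetImageInfoFromModule return before
    // setting the flags.
    UINT image_flags = 0;
    UNICODE_STRING* module_name =
        GetImageInfoFromModule(reinterpret_cast<HMODULE>(*base), &image_flags);
    UNICODE_STRING* file_name = GetBackingFilePath(*base);

    if ((!module_name) && (image_flags & MODULE_HAS_CODE)) {
      // If the module has no exports we retrieve the module name from the
      // full path of the mapped section.
      module_name = ExtractModuleName(file_name);
    }

    InterceptionAgent* agent = InterceptionAgent::GetInterceptionAgent();

    if (agent) {
      if (!agent->OnDllLoad(file_name, module_name, *base)) {
        // Interception agent is demanding to un-map the module. The status of
        // the unmap is not checked; the caller sees the failure either way.
        g_nt.UnmapViewOfSection(process, *base);
        ret = STATUS_UNSUCCESSFUL;
      }
    }

    // Both strings were allocated with NT_ALLOC and are owned by this hook.
    if (module_name)
      operator delete(module_name, NT_ALLOC);

    if (file_name)
      operator delete(file_name, NT_ALLOC);

  } while (false);

  // Runs on every path (including the early breaks above) so the call count
  // advances regardless of the outcome of the mapping.
  if (!s_load_count)
    s_load_count = 1;

  return ret;
}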
80
// Hooks NtUnmapViewOfSection so the interception agent is told when a view is
// unmapped from this process. The original call is always made first; the
// agent is only notified when that call succeeded and |process| is this
// process. Returns the status of the original call unchanged.
//
// orig_UnmapViewOfSection: the original NtUnmapViewOfSection entry point.
// process, base: the NtUnmapViewOfSection arguments, forwarded unchanged.
NTSTATUS WINAPI TargetNtUnmapViewOfSection(
    NtUnmapViewOfSectionFunction orig_UnmapViewOfSection, HANDLE process,
    PVOID base) {
  const NTSTATUS status = orig_UnmapViewOfSection(process, base);

  // Short-circuit keeps IsSameProcess from being consulted on a failed unmap.
  const bool notify_agent = NT_SUCCESS(status) && IsSameProcess(process);
  if (notify_agent) {
    if (InterceptionAgent* agent = InterceptionAgent::GetInterceptionAgent())
      agent->OnDllUnload(base);
  }

  return status;
}
99
100 } // namespace sandbox
101