
In windows 7 there is a new Reg call that we need to

hook. NtOpenKeyEx.

I don't know what the last parameter is. I suspect it's
a reserved flag for "options". (As in RegOpenKeyEx).

I do not handle the case where this unknown flag is non-zero.

The current unit tests cover this code.

bug:7611

Review URL: http://codereview.chromium.org/20287

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9762 0039d316-1c4b-4281-b951-d872f2087c98
nsylvain@chromium.org
2009-02-13 18:07:00 +00:00
parent 91115469ab
commit 8869a5f5c9
4 changed files with 48 additions and 8 deletions

@ -354,6 +354,12 @@ typedef NTSTATUS (WINAPI *NtOpenKeyFunction)(
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
typedef NTSTATUS (WINAPI *NtOpenKeyExFunction)(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN DWORD unknown); // TODO(nsylvain): define this. bug 7611
// -----------------------------------------------------------------------
// Memory

@ -6,6 +6,7 @@
#include "base/logging.h"
#include "base/scoped_handle_win.h"
#include "base/win_util.h"
#include "sandbox/src/crosscall_client.h"
#include "sandbox/src/interception.h"
#include "sandbox/src/ipc_tags.h"
@ -60,8 +61,12 @@ bool RegistryDispatcher::SetupService(InterceptionManager* manager,
if (IPC_NTCREATEKEY_TAG == service)
return INTERCEPT_NT(manager, NtCreateKey, "_TargetNtCreateKey@32");
if (IPC_NTOPENKEY_TAG == service)
return INTERCEPT_NT(manager, NtOpenKey, "_TargetNtOpenKey@16");
if (IPC_NTOPENKEY_TAG == service) {
bool result = INTERCEPT_NT(manager, NtOpenKey, "_TargetNtOpenKey@16");
if (win_util::GetWinVersion() >= win_util::WINVERSION_WIN7)
result &= INTERCEPT_NT(manager, NtOpenKeyEx, "_TargetNtOpenKeyEx@20");
return result;
}
return false;
}
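Review bot: The two hooks are folded together with `result &=`, so if the NtOpenKeyEx interception does not land on Windows 7 the whole registry service is reported as not set up, even though NtOpenKey was hooked successfully; that is the conservative outcome, but nothing in the hunk says it is intended. A one-line comment above the version check would make it explicit: `// Both hooks must land: with only NtOpenKey hooked, Win7 callers that go through NtOpenKeyEx would get the raw kernel result instead of the brokered open.` Note also that `&=` on a bool does not short-circuit, so the second INTERCEPT_NT is attempted even if the first failed; if that is deliberate (register as much as possible, then report failure) it is worth saying so, otherwise a plain `result = result && ...` reads more naturally.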

@ -88,14 +88,9 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
return status;
}
NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key,
ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes) {
// Check if the process can open it first.
NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes);
if (NT_SUCCESS(status))
return status;
// We don't trust that the IPC can work this early.
if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
return status;
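Review bot: CommonNtOpenKey now takes the original call's result as its first argument and hands it back unchanged on the early-exit path, but that contract is not written down anywhere in the hunk; a caller passing a success status would be silently returned it. A header comment would pin it: `// |status| is the (failed) result of the original Nt call; it is returned as-is whenever the open cannot be proxied (IPC not ready, or the broker refuses).` The body of CommonNtOpenKey continues outside this hunk, so the refusal branch is not visible here and the wording about the broker is inferred from the pre-existing code.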
@ -146,5 +141,33 @@ NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
return status;
}
NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes) {
// Check if the process can open it first.
NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes);
if (NT_SUCCESS(status))
return status;
return CommonNtOpenKey(status, key, desired_access, object_attributes);
}
NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx,
PHANDLE key, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
DWORD unknown) {
// Check if the process can open it first.
NTSTATUS status = orig_OpenKeyEx(key, desired_access, object_attributes,
unknown);
// TODO(nsylvain): We don't know what the last parameter is. If it's not
// zero, we don't attempt to proxy the call. We need to find out what it is!
// See bug 7611
if (NT_SUCCESS(status) || unknown != 0)
return status;
return CommonNtOpenKey(status, key, desired_access, object_attributes);
}
} // namespace sandbox
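Review bot: Refusing to proxy when `unknown != 0` is the right fail-closed default, but the explanatory comment sits between the original call and the check and does not say what the caller observes; it should state that on that path the sandboxed process simply gets the kernel's own result (typically the denial) and the broker is never consulted. Suggested wording above the `if`: `// Fail closed: until the last parameter is understood (bug 7611) a non-zero value is never forwarded to the broker; the caller sees the kernel's own result.` The commit message's guess that this is the options argument RegOpenKeyEx's ulOptions maps to is plausible, but nothing in the hunk establishes it, so the comment should keep calling it unknown until it is confirmed. Since the NtOpenKey hook is untouched, pre-Windows 7 behaviour is unchanged by this hunk.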

@ -25,6 +25,12 @@ SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey(
NtOpenKeyFunction orig_OpenKey, PHANDLE key, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes);
// Interception of NtOpenKeyEx on the child process.
// It should never be called directly
SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx(
NtOpenKeyExFunction orig_OpenKeyEx, PHANDLE key, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, DWORD unknown);
} // extern "C"
} // namespace sandbox
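Review bot: The header comment for TargetNtOpenKeyEx repeats the NtOpenKey wording but omits the one thing that differs, the unproxied path for a non-zero last argument, which is exactly what someone reading only the header needs to know. Extend it to: `// Interception of NtOpenKeyEx on the child process. Calls whose last parameter is non-zero are not proxied to the broker and return the original result (bug 7611). It should never be called directly.` The parameter name `unknown` is fine as long as the TODO in nt_internals.h stays, but the two declarations should be renamed together once its meaning is established.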