Diffstat (limited to 'sandbox/tools/finder')
-rw-r--r-- | sandbox/tools/finder/finder.cc | 89 | ||||
-rw-r--r-- | sandbox/tools/finder/finder.h | 168 | ||||
-rw-r--r-- | sandbox/tools/finder/finder.vcproj | 201 | ||||
-rw-r--r-- | sandbox/tools/finder/finder_fs.cc | 142 | ||||
-rw-r--r-- | sandbox/tools/finder/finder_kernel.cc | 273 | ||||
-rw-r--r-- | sandbox/tools/finder/finder_registry.cc | 118 | ||||
-rw-r--r-- | sandbox/tools/finder/main.cc | 173 | ||||
-rw-r--r-- | sandbox/tools/finder/ntundoc.h | 263 | ||||
-rw-r--r-- | sandbox/tools/finder/stdafx.cc | 33 | ||||
-rw-r--r-- | sandbox/tools/finder/stdafx.h | 44 |
10 files changed, 1504 insertions, 0 deletions
diff --git a/sandbox/tools/finder/finder.cc b/sandbox/tools/finder/finder.cc
new file mode 100644
index 0000000..e556def
--- /dev/null
+++ b/sandbox/tools/finder/finder.cc
@@ -0,0 +1,89 @@ +// Copyright 2008, Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+
+#include "sandbox/src/restricted_token.h"
+#include "sandbox/src/restricted_token_utils.h"
+#include "sandbox/tools/finder/finder.h"
+
+Finder::Finder() {
+ file_output_ = NULL;
+ object_type_ = 0;
+ access_type_ = 0;
+ token_handle_ = NULL;
+ memset(filesystem_stats_, 0, sizeof(filesystem_stats_));
+ memset(registry_stats_, 0, sizeof(registry_stats_));
+ memset(kernel_object_stats_, 0, sizeof(kernel_object_stats_));
+}
+
+Finder::~Finder() {
+ if (token_handle_)
+ ::CloseHandle(token_handle_);
+}
+
+DWORD Finder::Init(sandbox::TokenLevel token_type,
+ DWORD object_type,
+ DWORD access_type,
+ FILE *file_output) {
+ DWORD err_code = ERROR_SUCCESS;
+
+ err_code = InitNT();
+ if (ERROR_SUCCESS != err_code)
+ return err_code;
+
+ object_type_ = object_type;
+ access_type_ = access_type;
+ file_output_ = file_output;
+
+ err_code = sandbox::CreateRestrictedToken(&token_handle_, token_type,
+ sandbox::INTEGRITY_LEVEL_LAST,
+ sandbox::PRIMARY);
+ return err_code;
+}
+
+DWORD Finder::Scan() {
+ if (!token_handle_) {
+ return ERROR_NO_TOKEN;
+ }
+
+ if (object_type_ & kScanRegistry) {
+ ParseRegistry(HKEY_LOCAL_MACHINE, L"HKLM\\");
+ ParseRegistry(HKEY_USERS, L"HKU\\");
+ ParseRegistry(HKEY_CURRENT_CONFIG, L"HKCC\\");
+ }
+
+ if (object_type_ & kScanFileSystem) {
+ ParseFileSystem(L"\\\\?\\C:");
+ }
+
+ if (object_type_ & kScanKernelObjects) {
+ ParseKernelObjects(L"\\");
+ }
+
+ return ERROR_SUCCESS;
+}
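Review bot: `Scan()` discards the DWORD returned by every `ParseRegistry`, `ParseFileSystem` and `ParseKernelObjects` call and unconditionally returns ERROR_SUCCESS, so a caller cannot distinguish a complete scan from one where, say, `NtOpenDirectoryObject` failed on the root and no kernel object was tested at all. The per-call failures only reach the log through `Output`, which is easy to overlook when the report is being read as evidence that a token level is sufficiently locked down. Keeping the first failing code per branch, e.g. `DWORD err = ParseFileSystem(L"\\\\?\\C:");` followed by `if (err != ERROR_SUCCESS && result == ERROR_SUCCESS) result = err;`, and returning `result` would make incompleteness visible to main.cc. The hardcoded `\\\\?\\C:` root also deserves at least a comment, since the system drive is not always C:.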
\ No newline at end of file
diff --git a/sandbox/tools/finder/finder.h b/sandbox/tools/finder/finder.h
new file mode 100644
index 0000000..0bad128
--- /dev/null
+++ b/sandbox/tools/finder/finder.h
@@ -0,0 +1,168 @@ +// Copyright 2008, Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+
+#ifndef SANDBOX_TOOLS_FINDER_FINDER_H__
+#define SANDBOX_TOOLS_FINDER_FINDER_H__
+
+#include "sandbox/src/restricted_token_utils.h"
+#include "sandbox/tools/finder/ntundoc.h"
+
+// Type of stats that we calculate during the Scan operation
+enum Stats {
+ READ = 0, // Number of objects with read access
+ WRITE, // Number of objects with write access
+ ALL, // Number of objects with r/w access
+ PARSE, // Number of objects parsed
+ BROKEN, // Number of errors while parsing the objects
+ SIZE_STATS // size of the enum
+};
+
+const int kScanRegistry = 0x01;
+const int kScanFileSystem = 0x02;
+const int kScanKernelObjects = 0x04;
+
+const int kTestForRead = 0x01;
+const int kTestForWrite = 0x02;
+const int kTestForAll = 0x04;
+
+#define FS_ERR L"FILE-ERROR"
+#define OBJ_ERR L"OBJ-ERROR"
+#define REG_ERR L"REG_ERROR"
+#define OBJ L"OBJ"
+#define FS L"FILE"
+#define REG L"REG"
+
+// The impersonater class will impersonate a token when the object is created
+// and revert when the object is going out of scope.
+class Impersonater {
+ public:
+ Impersonater(HANDLE token_handle) {
+ if (token_handle)
+ ::ImpersonateLoggedOnUser(token_handle);
+ };
+ ~Impersonater() {
+ ::RevertToSelf();
+ };
+};
+
+// The finder class handles the search of objects (file system, registry, kernel
+// objects) on the system that can be opened by a restricted token. It can
+// support multiple levels of restriction for the restricted token and can check
+// for read, write or r/w access. It outputs the results to a file or stdout.
+class Finder {
+ public:
+ Finder();
+ ~Finder();
+ DWORD Init(sandbox::TokenLevel token_type, DWORD object_type,
+ DWORD access_type, FILE *file_output);
+ DWORD Scan();
+
+ private:
+ // Parses a file system path and perform an access check on all files and
+ // folder found.
+ // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the
+ // win32 error code associated with the error.
+ DWORD ParseFileSystem(ATL::CString path);
+
+ // Parses a registry hive referenced by "key" and performs an access check on
+ // all subkeys found.
+ // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the
+ // win32 error code associated with the error.
+ DWORD ParseRegistry(HKEY key, ATL::CString print_name);
+
+ // Parses the kernel namespace beginning at "path" and performs an access
+ // check on all objects found. However, only some object types are supported,
+ // all non supported objects are ignored.
+ // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the
+ // win32 error code associated with the error.
+ DWORD ParseKernelObjects(ATL::CString path);
+
+ // Checks if "path" can be accessed with the restricted token.
+ // Returns the access granted.
+ DWORD TestFileAccess(ATL::CString path);
+
+ // Checks if the registry key with the path key\name can be accessed with the
+ // restricted token.
+ // print_name is only use for logging purpose.
+ // Returns the access granted.
+ DWORD TestRegAccess(HKEY key, ATL::CString name, ATL::CString print_name);
+
+ // Checks if the kernel object "path" of type "type" can be accessed with
+ // the restricted token.
+ // Returns the access granted.
+ DWORD TestKernelObjectAccess(ATL::CString path, ATL::CString type);
+
+ // Outputs information to the logfile
+ void Output(ATL::CString type, ATL::CString access, ATL::CString info) {
+ fprintf(file_output_, "\n%S;%S;%S", type.GetBuffer(), access.GetBuffer(),
+ info.GetBuffer());
+ };
+
+ // Output information to the log file.
+ void Output(ATL::CString type, DWORD error, ATL::CString info) {
+ fprintf(file_output_, "\n%S;0x%X;%S", type.GetBuffer(), error,
+ info.GetBuffer());
+ };
+
+ // Set func_to_call to the function pointer of the function used to handle
+ // requests for the kernel objects of type "type".
If the type is not
+ // supported at the moment the function returns false and the func_to_call
+ // parameter is not modified.
+ bool GetFunctionForType(ATL::CString type, NTGENERICOPEN * func_to_call);
+
+ // Initializes the NT function pointers to be able to use all the needed
+ // functions in NTDDL.
+ // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the
+ // win32 error code associated with the error.
+ DWORD InitNT();
+
+ // Calls func_to_call with the parameters desired_access, object_attributes
+ // and handle. func_to_call is a pointer to a function to open a kernel
+ // object.
+ NTSTATUS NtGenericOpen(ACCESS_MASK desired_access,
+ OBJECT_ATTRIBUTES *object_attributes,
+ NTGENERICOPEN func_to_call,
+ HANDLE *handle);
+
+ // Type of object to check for.
+ DWORD object_type_;
+ // Access to try.
+ DWORD access_type_;
+ // Output file for the results.
+ FILE * file_output_;
+ // Handle to the restricted token.
+ HANDLE token_handle_;
+ // Stats containing the number of operations performed on the different
+ // objects.
+ int filesystem_stats_[SIZE_STATS];
+ int registry_stats_[SIZE_STATS];
+ int kernel_object_stats_[SIZE_STATS];
+};
+
+#endif // SANDBOX_TOOLS_FINDER_FINDER_H__
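Review bot: `Impersonater`'s constructor ignores the BOOL returned by `::ImpersonateLoggedOnUser`, so if impersonation fails the `CreateFile`/`RegOpenKeyEx`/`NtOpen*` probes in `TestFileAccess`, `TestRegAccess` and `TestKernelObjectAccess` run under the tool's own unrestricted token and every object is then reported as reachable by the restricted token. Since the whole point of this tool is to audit what a restricted token can reach, that failure mode turns a broken run into an optimistic report instead of an error, which is the wrong direction to fail in. Recording the outcome so each Test* function can count the object as BROKEN rather than probe with the wrong identity would close it, e.g. `explicit Impersonater(HANDLE token_handle) : impersonating_(token_handle && ::ImpersonateLoggedOnUser(token_handle)) {}`, `bool impersonating() const { return impersonating_; }` and a `bool impersonating_;` member. The destructor reverting even when nothing was impersonated is harmless, but the single-argument constructor should be `explicit` either way.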
\ No newline at end of file
diff --git a/sandbox/tools/finder/finder.vcproj b/sandbox/tools/finder/finder.vcproj
new file mode 100644
index 0000000..787c847
--- /dev/null
+++ b/sandbox/tools/finder/finder.vcproj
@@ -0,0 +1,201 @@ +<?xml version="1.0" encoding="Windows-1252"?> +<VisualStudioProject + ProjectType="Visual C++" + Version="8.00" + Name="finder" + ProjectGUID="{ACDC2E06-0366-41A4-A646-C37E130A605D}" + RootNamespace="finder" + Keyword="Win32Proj" + > + <Platforms> + <Platform + Name="Win32" + /> + </Platforms> + <ToolFiles> + </ToolFiles> + <Configurations> + <Configuration + Name="Debug|Win32" + ConfigurationType="1" + InheritedPropertySheets="$(SolutionDir)..\build\debug.vsprops;$(SolutionDir)..\build\common.vsprops" + > + <Tool + Name="VCPreBuildEventTool" + /> + <Tool + Name="VCCustomBuildTool" + /> + <Tool + Name="VCXMLDataGeneratorTool" + /> + <Tool + Name="VCWebServiceProxyGeneratorTool" + /> + <Tool + Name="VCMIDLTool" + /> + <Tool + Name="VCCLCompilerTool" + UsePrecompiledHeader="2" + ForcedIncludeFiles="stdafx.h" + /> + <Tool + Name="VCManagedResourceCompilerTool" + /> + <Tool + Name="VCResourceCompilerTool" + /> + <Tool + Name="VCPreLinkEventTool" + /> + <Tool + Name="VCLinkerTool" + /> + <Tool + Name="VCALinkTool" + /> + <Tool + Name="VCManifestTool" + /> + <Tool + Name="VCXDCMakeTool" + /> + <Tool + Name="VCBscMakeTool" + /> + <Tool + Name="VCFxCopTool" + /> + <Tool + Name="VCAppVerifierTool" + /> + <Tool + Name="VCWebDeploymentTool" + /> + <Tool + Name="VCPostBuildEventTool" + /> + </Configuration> + <Configuration + Name="Release|Win32" + ConfigurationType="1" + InheritedPropertySheets="$(SolutionDir)..\build\release.vsprops;$(SolutionDir)..\build\common.vsprops" + > + <Tool + Name="VCPreBuildEventTool" + /> + <Tool + Name="VCCustomBuildTool" + /> + <Tool + Name="VCXMLDataGeneratorTool" + /> + <Tool + Name="VCWebServiceProxyGeneratorTool" + /> + <Tool + Name="VCMIDLTool" + /> + <Tool + Name="VCCLCompilerTool" + UsePrecompiledHeader="0" + ForcedIncludeFiles="stdafx.h" + /> + <Tool + Name="VCManagedResourceCompilerTool" + /> + <Tool + Name="VCResourceCompilerTool" + /> + <Tool + Name="VCPreLinkEventTool" + /> + <Tool + Name="VCLinkerTool" + /> + 
<Tool + Name="VCALinkTool" + /> + <Tool + Name="VCManifestTool" + /> + <Tool + Name="VCXDCMakeTool" + /> + <Tool + Name="VCBscMakeTool" + /> + <Tool + Name="VCFxCopTool" + /> + <Tool + Name="VCAppVerifierTool" + /> + <Tool + Name="VCWebDeploymentTool" + /> + <Tool + Name="VCPostBuildEventTool" + /> + </Configuration> + </Configurations> + <References> + </References> + <Files> + <File + RelativePath=".\finder.cc" + > + </File> + <File + RelativePath=".\finder.h" + > + </File> + <File + RelativePath=".\finder_fs.cc" + > + </File> + <File + RelativePath=".\finder_kernel.cc" + > + </File> + <File + RelativePath=".\finder_registry.cc" + > + </File> + <File + RelativePath=".\main.cc" + > + </File> + <File + RelativePath=".\ntundoc.h" + > + </File> + <File + RelativePath=".\stdafx.cc" + > + <FileConfiguration + Name="Debug|Win32" + > + <Tool + Name="VCCLCompilerTool" + UsePrecompiledHeader="1" + /> + </FileConfiguration> + <FileConfiguration + Name="Release|Win32" + > + <Tool + Name="VCCLCompilerTool" + UsePrecompiledHeader="0" + /> + </FileConfiguration> + </File> + <File + RelativePath=".\stdafx.h" + > + </File> + </Files> + <Globals> + </Globals> +</VisualStudioProject> diff --git a/sandbox/tools/finder/finder_fs.cc b/sandbox/tools/finder/finder_fs.cc new file mode 100644 index 0000000..8441011 --- /dev/null +++ b/sandbox/tools/finder/finder_fs.cc 
@@ -0,0 +1,142 @@ +// Copyright 2008, Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#include "sandbox/src/restricted_token.h" +#include "sandbox/src/restricted_token_utils.h" +#include "sandbox/tools/finder/finder.h" + +DWORD Finder::ParseFileSystem(ATL::CString directory) { + WIN32_FIND_DATA find_data; + HANDLE find; + + //Search for items in the directory. 
+ ATL::CString name_to_search = directory + L"\\*";
+ find = ::FindFirstFile(name_to_search, &find_data);
+ if (INVALID_HANDLE_VALUE == find) {
+ DWORD error = ::GetLastError();
+ Output(FS_ERR, error, directory);
+ filesystem_stats_[BROKEN]++;
+ return error;
+ }
+
+ // parse all files or folders.
+ do {
+ if (_tcscmp(find_data.cFileName, L".") == 0 ||
+ _tcscmp(find_data.cFileName, L"..") == 0)
+ continue;
+
+ ATL::CString complete_name = directory + L"\\" + find_data.cFileName;
+ TestFileAccess(complete_name);
+
+ // Call recursively the function if the path found is a directory.
+ if ((find_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0) {
+ ParseFileSystem(complete_name);
+ }
+ } while (::FindNextFile(find, &find_data) != 0);
+
+ DWORD err_code = ::GetLastError();
+ ::FindClose(find);
+
+ if (ERROR_NO_MORE_FILES != err_code) {
+ Output(FS_ERR, err_code, directory);
+ filesystem_stats_[BROKEN]++;
+ return err_code;
+ }
+
+ return ERROR_SUCCESS;
+}
+
+DWORD Finder::TestFileAccess(ATL::CString name) {
+ Impersonater impersonate(token_handle_);
+
+ filesystem_stats_[PARSE]++;
+
+ HANDLE file;
+ if (access_type_ & kTestForAll) {
+ file = ::CreateFile(name.GetBuffer(),
+ GENERIC_ALL,
+ FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL);
+
+ if (file != INVALID_HANDLE_VALUE) {
+ filesystem_stats_[ALL]++;
+ Output(FS, L"R/W", name.GetBuffer());
+ ::CloseHandle(file);
+ return GENERIC_ALL;
+ } else if (::GetLastError() != ERROR_ACCESS_DENIED) {
+ Output(FS_ERR, GetLastError(), name);
+ filesystem_stats_[BROKEN]++;
+ }
+ }
+
+ if (access_type_ & kTestForWrite) {
+ file = ::CreateFile(name.GetBuffer(),
+ GENERIC_WRITE,
+ FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL);
+
+ if (file != INVALID_HANDLE_VALUE) {
+ filesystem_stats_[WRITE]++;
+ Output(FS, L"W", name);
+ ::CloseHandle(file);
+ return GENERIC_WRITE;
+ } else if
(::GetLastError() != ERROR_ACCESS_DENIED) {
+ Output(FS_ERR, ::GetLastError(), name);
+ filesystem_stats_[BROKEN]++;
+ }
+ }
+
+ if (access_type_ & kTestForRead) {
+ file = ::CreateFile(name.GetBuffer(),
+ GENERIC_READ,
+ FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL);
+
+ if (file != INVALID_HANDLE_VALUE) {
+ filesystem_stats_[READ]++;
+ Output(FS, L"R", name);
+ ::CloseHandle(file);
+ return GENERIC_READ;
+ } else if (::GetLastError() != ERROR_ACCESS_DENIED) {
+ Output(FS_ERR, GetLastError(), name);
+ filesystem_stats_[BROKEN]++;
+ }
+ }
+
+ return 0;
+}
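Review bot: `ParseFileSystem` recurses into every entry carrying FILE_ATTRIBUTE_DIRECTORY without looking at FILE_ATTRIBUTE_REPARSE_POINT, so a directory junction or symbolic link that points back up the tree (common under user profiles) makes the recursion unbounded and the scan either never terminates or overflows the stack. The access probe on the link itself is still worth running; only the descent should be skipped: `if ((find_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0 && (find_data.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == 0) {`. Separately, `TestFileAccess` opens everything with `FILE_ATTRIBUTE_NORMAL` and no `FILE_FLAG_BACKUP_SEMANTICS`; if I recall the documented behaviour correctly, opening a directory that way fails with ERROR_ACCESS_DENIED regardless of the token's rights, and the `else if` branches treat that code as "no access", so directories would be silently under-reported — worth confirming and, if so, passing FILE_FLAG_BACKUP_SEMANTICS for directory entries.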
\ No newline at end of file
diff --git a/sandbox/tools/finder/finder_kernel.cc b/sandbox/tools/finder/finder_kernel.cc
new file mode 100644
index 0000000..4ab17e7
--- /dev/null
+++ b/sandbox/tools/finder/finder_kernel.cc
@@ -0,0 +1,273 @@ +// Copyright 2008, Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+
+#include "sandbox/src/restricted_token.h"
+#include "sandbox/src/restricted_token_utils.h"
+#include "sandbox/tools/finder/finder.h"
+#include "sandbox/tools/finder/ntundoc.h"
+
+#define BUFFER_SIZE 0x800
+#define CHECKPTR(x) if (!x) return ::GetLastError()
+
+// NT API
+NTQUERYDIRECTORYOBJECT NtQueryDirectoryObject;
+NTOPENDIRECTORYOBJECT NtOpenDirectoryObject;
+NTOPENEVENT NtOpenEvent;
+NTOPENJOBOBJECT NtOpenJobObject;
+NTOPENKEYEDEVENT NtOpenKeyedEvent;
+NTOPENMUTANT NtOpenMutant;
+NTOPENSECTION NtOpenSection;
+NTOPENSEMAPHORE NtOpenSemaphore;
+NTOPENSYMBOLICLINKOBJECT NtOpenSymbolicLinkObject;
+NTOPENTIMER NtOpenTimer;
+NTOPENFILE NtOpenFile;
+NTCLOSE NtClose;
+
+DWORD Finder::InitNT() {
+ HMODULE ntdll_handle = ::LoadLibrary(L"ntdll.dll");
+ CHECKPTR(ntdll_handle);
+
+ NtOpenSymbolicLinkObject = (NTOPENSYMBOLICLINKOBJECT) ::GetProcAddress(
+ ntdll_handle, "NtOpenSymbolicLinkObject");
+ CHECKPTR(NtOpenSymbolicLinkObject);
+
+ NtQueryDirectoryObject = (NTQUERYDIRECTORYOBJECT) ::GetProcAddress(
+ ntdll_handle, "NtQueryDirectoryObject");
+ CHECKPTR(NtQueryDirectoryObject);
+
+ NtOpenDirectoryObject = (NTOPENDIRECTORYOBJECT) ::GetProcAddress(
+ ntdll_handle, "NtOpenDirectoryObject");
+ CHECKPTR(NtOpenDirectoryObject);
+
+ NtOpenKeyedEvent = (NTOPENKEYEDEVENT) ::GetProcAddress(
+ ntdll_handle, "NtOpenKeyedEvent");
+ CHECKPTR(NtOpenKeyedEvent);
+
+ NtOpenJobObject = (NTOPENJOBOBJECT) ::GetProcAddress(
+ ntdll_handle, "NtOpenJobObject");
+ CHECKPTR(NtOpenJobObject);
+
+ NtOpenSemaphore = (NTOPENSEMAPHORE) ::GetProcAddress(
+ ntdll_handle, "NtOpenSemaphore");
+ CHECKPTR(NtOpenSemaphore);
+
+ NtOpenSection = (NTOPENSECTION) ::GetProcAddress(
+ ntdll_handle, "NtOpenSection");
+ CHECKPTR(NtOpenSection);
+
+ NtOpenMutant= (NTOPENMUTANT) ::GetProcAddress(ntdll_handle, "NtOpenMutant");
+ CHECKPTR(NtOpenMutant);
+
+ NtOpenEvent = (NTOPENEVENT) ::GetProcAddress(ntdll_handle, "NtOpenEvent");
+ CHECKPTR(NtOpenEvent);
+
+ NtOpenTimer = (NTOPENTIMER)
::GetProcAddress(ntdll_handle, "NtOpenTimer");
+ CHECKPTR(NtOpenTimer);
+
+ NtOpenFile = (NTOPENFILE) ::GetProcAddress(ntdll_handle, "NtOpenFile");
+ CHECKPTR(NtOpenFile);
+
+ NtClose = (NTCLOSE) ::GetProcAddress(ntdll_handle, "NtClose");
+ CHECKPTR(NtClose);
+
+ return ERROR_SUCCESS;
+}
+
+DWORD Finder::ParseKernelObjects(ATL::CString path) {
+ UNICODE_STRING unicode_str;
+ unicode_str.Length = (USHORT)path.GetLength()*2;
+ unicode_str.MaximumLength = (USHORT)path.GetLength()*2+2;
+ unicode_str.Buffer = path.GetBuffer();
+
+ OBJECT_ATTRIBUTES path_attributes;
+ InitializeObjectAttributes(&path_attributes,
+ &unicode_str,
+ 0, // No Attributes
+ NULL, // No Root Directory
+ NULL); // No Security Descriptor
+
+
+ DWORD object_index = 0;
+ DWORD data_written = 0;
+
+ // TODO(nsylvain): Do not use BUFFER_SIZE. Try to get the size
+ // dynamically.
+ OBJDIR_INFORMATION *object_directory_info =
+ (OBJDIR_INFORMATION*) ::HeapAlloc(GetProcessHeap(),
+ 0,
+ BUFFER_SIZE);
+
+ HANDLE file_handle;
+ NTSTATUS status_code = NtOpenDirectoryObject(&file_handle,
+ DIRECTORY_QUERY,
+ &path_attributes);
+ if (status_code != 0)
+ return ERROR_UNIDENTIFIED_ERROR;
+
+ status_code = NtQueryDirectoryObject(file_handle,
+ object_directory_info,
+ BUFFER_SIZE,
+ TRUE, // Get Next Index
+ TRUE, // Ignore Input Index
+ &object_index,
+ &data_written);
+
+ if (status_code != 0)
+ return ERROR_UNIDENTIFIED_ERROR;
+
+ while (NtQueryDirectoryObject(file_handle, object_directory_info,
+ BUFFER_SIZE, TRUE, FALSE, &object_index,
+ &data_written) == 0 ) {
+ ATL::CString cur_path(object_directory_info->ObjectName.Buffer,
+ object_directory_info->ObjectName.Length / sizeof(WCHAR));
+
+ ATL::CString cur_type(object_directory_info->ObjectTypeName.Buffer,
+ object_directory_info->ObjectTypeName.Length / sizeof(WCHAR));
+
+ ATL::CString new_path;
+ if (path == L"\\") {
+ new_path = path + cur_path;
+ } else {
+ new_path = path + L"\\" + cur_path;
+ }
+
+ TestKernelObjectAccess(new_path, cur_type);
+
+ //
Call the function recursively for all subdirectories
+ if (cur_type == L"Directory") {
+ ParseKernelObjects(new_path);
+ }
+ }
+
+ NtClose(file_handle);
+ return ERROR_SUCCESS;
+}
+
+DWORD Finder::TestKernelObjectAccess(ATL::CString path, ATL::CString type) {
+ Impersonater impersonate(token_handle_);
+
+ kernel_object_stats_[PARSE]++;
+
+ NTGENERICOPEN func = NULL;
+ GetFunctionForType(type, &func);
+
+ if (!func) {
+ kernel_object_stats_[BROKEN]++;
+ Output(OBJ_ERR, type + L" Unsupported", path);
+ return ERROR_UNSUPPORTED_TYPE;
+ }
+
+ UNICODE_STRING unicode_str;
+ unicode_str.Length = (USHORT)path.GetLength()*2;
+ unicode_str.MaximumLength = (USHORT)path.GetLength()*2+2;
+ unicode_str.Buffer = path.GetBuffer();
+
+ OBJECT_ATTRIBUTES path_attributes;
+ InitializeObjectAttributes(&path_attributes,
+ &unicode_str,
+ 0, // No Attributes
+ NULL, // No Root Directory
+ NULL); // No Security Descriptor
+
+ HANDLE handle;
+ NTSTATUS status_code = 0;
+
+ if (access_type_ & kTestForAll) {
+ status_code = NtGenericOpen(GENERIC_ALL, &path_attributes, func, &handle);
+ if (STATUS_SUCCESS == status_code) {
+ kernel_object_stats_[ALL]++;
+ Output(OBJ, L"R/W", path);
+ NtClose(handle);
+ return GENERIC_ALL;
+ } else if (status_code != EXCEPTION_ACCESS_VIOLATION &&
+ status_code != STATUS_ACCESS_DENIED) {
+ Output(OBJ_ERR, status_code, path);
+ kernel_object_stats_[BROKEN]++;
+ }
+ }
+
+ if (access_type_ & kTestForWrite) {
+ status_code = NtGenericOpen(GENERIC_WRITE, &path_attributes, func, &handle);
+ if (STATUS_SUCCESS == status_code) {
+ kernel_object_stats_[WRITE]++;
+ Output(OBJ, L"W", path);
+ NtClose(handle);
+ return GENERIC_WRITE;
+ } else if (status_code != EXCEPTION_ACCESS_VIOLATION &&
+ status_code != STATUS_ACCESS_DENIED) {
+ Output(OBJ_ERR, status_code, path);
+ kernel_object_stats_[BROKEN]++;
+ }
+ }
+
+ if (access_type_ & kTestForRead) {
+ status_code = NtGenericOpen(GENERIC_READ, &path_attributes, func, &handle);
+ if (STATUS_SUCCESS == status_code) {
+
kernel_object_stats_[READ]++;
+ Output(OBJ, L"R", path);
+ NtClose(handle);
+ return GENERIC_READ;
+ } else if (status_code != EXCEPTION_ACCESS_VIOLATION &&
+ status_code != STATUS_ACCESS_DENIED) {
+ Output(OBJ_ERR, status_code, path);
+ kernel_object_stats_[BROKEN]++;
+ }
+ }
+
+ return 0;
+}
+
+NTSTATUS Finder::NtGenericOpen(ACCESS_MASK desired_access,
+ OBJECT_ATTRIBUTES *object_attributes,
+ NTGENERICOPEN func_to_call,
+ HANDLE *handle) {
+ return func_to_call(handle, desired_access, object_attributes);
+}
+
+bool Finder::GetFunctionForType(ATL::CString type,
+ NTGENERICOPEN * func_to_call) {
+ NTGENERICOPEN func = NULL;
+
+ if (type == L"Event") func = NtOpenEvent;
+ else if (type == L"Job") func = NtOpenJobObject;
+ else if (type == L"KeyedEvent") func = NtOpenKeyedEvent;
+ else if (type == L"Mutant") func = NtOpenMutant;
+ else if (type == L"Section") func = NtOpenSection;
+ else if (type == L"Semaphore") func = NtOpenSemaphore;
+ else if (type == L"Timer") func = NtOpenTimer;
+ else if (type == L"SymbolicLink") func = NtOpenSymbolicLinkObject;
+ else if (type == L"Directory") func = NtOpenDirectoryObject;
+
+ if (func) {
+ *func_to_call = func;
+ return true;
+ }
+
+ return false;
+}
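Review bot: `ParseKernelObjects` never frees the `OBJDIR_INFORMATION` buffer it gets from `::HeapAlloc`, does not check that allocation for NULL before handing it to `NtQueryDirectoryObject`, and on both `status_code != 0` early returns leaks the directory `file_handle` opened just above; since the function recurses once per directory in the object namespace, the leaked buffers and handles grow with the size of the namespace being scanned. Every exit should close the handle and free the buffer, as sketched below. A smaller point in `TestKernelObjectAccess`: the `else if` compares an NTSTATUS against `EXCEPTION_ACCESS_VIOLATION`, an SEH exception code that happens to share its value with STATUS_ACCESS_VIOLATION; using the NTSTATUS name would document the intent, and `handle` is passed to `func` uninitialized, so `HANDLE handle = NULL;` would be safer if an open function ever fails without writing it.

```cpp
DWORD Finder::ParseKernelObjects(ATL::CString path) {
  // … unchanged: UNICODE_STRING / OBJECT_ATTRIBUTES setup, object_index, data_written …
  OBJDIR_INFORMATION *object_directory_info =
      (OBJDIR_INFORMATION*) ::HeapAlloc(GetProcessHeap(), 0, BUFFER_SIZE);
  if (!object_directory_info)
    return ERROR_NOT_ENOUGH_MEMORY;

  HANDLE file_handle = NULL;
  NTSTATUS status_code = NtOpenDirectoryObject(&file_handle,
                                               DIRECTORY_QUERY,
                                               &path_attributes);
  if (status_code != 0) {
    ::HeapFree(GetProcessHeap(), 0, object_directory_info);
    return ERROR_UNIDENTIFIED_ERROR;
  }

  DWORD result = ERROR_SUCCESS;
  status_code = NtQueryDirectoryObject(file_handle, object_directory_info,
                                       BUFFER_SIZE, TRUE, TRUE,
                                       &object_index, &data_written);
  if (status_code != 0) {
    result = ERROR_UNIDENTIFIED_ERROR;
  } else {
    // … unchanged: while (NtQueryDirectoryObject(...) == 0) enumeration loop …
  }

  NtClose(file_handle);
  ::HeapFree(GetProcessHeap(), 0, object_directory_info);
  return result;
}
```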
\ No newline at end of file
diff --git a/sandbox/tools/finder/finder_registry.cc b/sandbox/tools/finder/finder_registry.cc
new file mode 100644
index 0000000..14bf657
--- /dev/null
+++ b/sandbox/tools/finder/finder_registry.cc
@@ -0,0 +1,118 @@ +// Copyright 2008, Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +#include "sandbox/src/restricted_token.h" +#include "sandbox/src/restricted_token_utils.h" +#include "sandbox/tools/finder/finder.h" + +DWORD Finder::ParseRegistry(HKEY key, ATL::CString print_name) { + DWORD index = 0; + DWORD name_size = 2048; + wchar_t buffer[2048] = {0}; + // TODO(nsylvain): Don't hardcode 2048. Get the key len by calling the + // function. 
+ LONG err_code = ::RegEnumKey(key, index, buffer, name_size);
+ while (ERROR_SUCCESS == err_code) {
+ ATL::CString name_complete = print_name + buffer + L"\\";
+ TestRegAccess(key, buffer, name_complete);
+
+ // Call the function recursively to parse all subkeys
+ HKEY key_to_parse;
+ err_code = ::RegOpenKeyEx(key, buffer, 0, KEY_ENUMERATE_SUB_KEYS,
+ &key_to_parse);
+ if (ERROR_SUCCESS == err_code) {
+ ParseRegistry(key_to_parse, name_complete);
+ ::RegCloseKey(key_to_parse);
+ } else {
+ registry_stats_[BROKEN]++;
+ Output(REG_ERR, err_code, name_complete);
+ }
+
+ index++;
+ err_code = ::RegEnumKey(key, index, buffer, name_size);
+ }
+
+ if (ERROR_NO_MORE_ITEMS != err_code) {
+ registry_stats_[BROKEN]++;
+ Output(REG_ERR, err_code, print_name);
+ }
+
+ return ERROR_SUCCESS;
+}
+
+DWORD Finder::TestRegAccess(HKEY key, ATL::CString name,
+ ATL::CString print_name) {
+ Impersonater impersonate(token_handle_);
+
+ registry_stats_[PARSE]++;
+
+ HKEY key_res;
+ LONG err_code = 0;
+
+ if (access_type_ & kTestForAll) {
+ err_code = ::RegOpenKeyEx(key, name, 0, GENERIC_ALL, &key_res);
+ if (ERROR_SUCCESS == err_code) {
+ registry_stats_[ALL]++;
+ Output(REG, L"R/W", print_name);
+ ::RegCloseKey(key_res);
+ return GENERIC_ALL;
+ } else if (err_code != ERROR_ACCESS_DENIED) {
+ Output(REG_ERR, err_code, print_name);
+ registry_stats_[BROKEN]++;
+ }
+ }
+
+ if (access_type_ & kTestForWrite) {
+ err_code = ::RegOpenKeyEx(key, name, 0, GENERIC_WRITE, &key_res);
+ if (ERROR_SUCCESS == err_code) {
+ registry_stats_[WRITE]++;
+ Output(REG, L"W", print_name);
+ ::RegCloseKey(key_res);
+ return GENERIC_WRITE;
+ } else if (err_code != ERROR_ACCESS_DENIED) {
+ Output(REG_ERR, err_code, print_name);
+ registry_stats_[BROKEN]++;
+ }
+ }
+
+ if (access_type_ & kTestForRead) {
+ err_code = ::RegOpenKeyEx(key, name, 0, GENERIC_READ, &key_res);
+ if (ERROR_SUCCESS == err_code) {
+ registry_stats_[READ]++;
+ Output(REG, L"R", print_name);
+ ::RegCloseKey(key_res);
+ return GENERIC_READ;
+
} else if (err_code != ERROR_ACCESS_DENIED) {
+ Output(REG_ERR, err_code, print_name);
+ registry_stats_[BROKEN]++;
+ }
+ }
+
+ return 0;
+}
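Review bot: `ParseRegistry` logs an enumeration failure (`ERROR_NO_MORE_ITEMS != err_code`) and bumps `registry_stats_[BROKEN]`, but then still returns ERROR_SUCCESS, which contradicts the contract stated in finder.h ("otherwise, it returns the win32 error code") and the sibling `ParseFileSystem`, which returns `err_code` in the same situation. Adding `return err_code;` as the last statement inside that `if`, leaving `return ERROR_SUCCESS;` for the clean case, makes the three Parse* functions agree. Note also that a subkey the tool's own token cannot open with KEY_ENUMERATE_SUB_KEYS is counted as BROKEN but its children are never probed, so the report is silently partial there; a one-line comment above the `else` saying so would help whoever reads the stats. In `TestRegAccess`, passing GENERIC_ALL/GENERIC_WRITE/GENERIC_READ as `samDesired` relies on the key generic mapping; KEY_ALL_ACCESS/KEY_WRITE/KEY_READ would state the tested rights in the same terms the key ACLs use — a readability point only.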
\ No newline at end of file
diff --git a/sandbox/tools/finder/main.cc b/sandbox/tools/finder/main.cc
new file mode 100644
index 0000000..7037bfa
--- /dev/null
+++ b/sandbox/tools/finder/main.cc
@@ -0,0 +1,173 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "sandbox/src/restricted_token_utils.h"
+#include "sandbox/tools/finder/finder.h"
+
+#define PARAM_IS(y) (argc > i) && (_wcsicmp(argv[i], y) == 0)
+
+void PrintUsage(wchar_t *application_name) {
+ wprintf(L"\n\nUsage: \n %s --token type --object ob1 [ob2 ob3] "
+ L"--access ac1 [ac2 ac3] [--log filename]", application_name);
+ wprintf(L"\n\n Token Types : \n\tLOCKDOWN \n\tRESTRICTED "
+ L"\n\tLIMITED_USER \n\tINTERACTIVE_USER \n\tNON_ADMIN \n\tUNPROTECTED");
+ wprintf(L"\n Object Types: \n\tREG \n\tFILE \n\tKERNEL");
+ wprintf(L"\n Access Types: \n\tR \n\tW \n\tALL");
+ wprintf(L"\n\nSample: \n %s --token LOCKDOWN --object REG FILE KERNEL "
+ L"--access R W ALL", application_name);
+}
+
+int wmain(int argc, wchar_t* argv[]) {
+ // Extract the filename from the path.
+ wchar_t *app_name = wcsrchr(argv[0], L'\\');
+ if (!app_name) {
+ app_name = argv[0];
+ } else {
+ app_name++;
+ }
+
+ // parameters to read
+ ATL::CString log_file;
+ sandbox::TokenLevel token_type = sandbox::USER_LOCKDOWN;
+ DWORD object_type = 0;
+ DWORD access_type = 0;
+
+ // no arguments
+ if (argc == 1) {
+ PrintUsage(app_name);
+ return -1;
+ }
+
+ // parse command line.
+ for (int i = 1; i < argc; ++i) {
+ if (PARAM_IS(L"--token")) {
+ i++;
+ if (argc > i) {
+ if (PARAM_IS(L"LOCKDOWN")) {
+ token_type = sandbox::USER_LOCKDOWN;
+ } else if (PARAM_IS(L"RESTRICTED")) {
+ token_type = sandbox::USER_RESTRICTED;
+ } else if (PARAM_IS(L"LIMITED_USER")) {
+ token_type = sandbox::USER_LIMITED;
+ } else if (PARAM_IS(L"INTERACTIVE_USER")) {
+ token_type = sandbox::USER_INTERACTIVE;
+ } else if (PARAM_IS(L"NON_ADMIN")) {
+ token_type = sandbox::USER_NON_ADMIN;
+ } else if (PARAM_IS(L"USER_RESTRICTED_SAME_ACCESS")) {
+ token_type = sandbox::USER_RESTRICTED_SAME_ACCESS;
+ } else if (PARAM_IS(L"UNPROTECTED")) {
+ token_type = sandbox::USER_UNPROTECTED;
+ } else {
+ wprintf(L"\nAbord. Invalid token type \"%s\"", argv[i]);
+ PrintUsage(app_name);
+ return -1;
+ }
+ }
+ } else if (PARAM_IS(L"--object")) {
+ bool is_object = true;
+ do {
+ i++;
+ if (PARAM_IS(L"REG")) {
+ object_type |= kScanRegistry;
+ } else if (PARAM_IS(L"FILE")) {
+ object_type |= kScanFileSystem;
+ } else if (PARAM_IS(L"KERNEL")) {
+ object_type |= kScanKernelObjects;
+ } else {
+ is_object = false;
+ }
+ } while(is_object);
+ i--;
+ } else if (PARAM_IS(L"--access")) {
+ bool is_access = true;
+ do {
+ i++;
+ if (PARAM_IS(L"R")) {
+ access_type |= kTestForRead;
+ } else if (PARAM_IS(L"W")) {
+ access_type |= kTestForWrite;
+ } else if (PARAM_IS(L"ALL")) {
+ access_type |= kTestForAll;
+ } else {
+ is_access = false;
+ }
+ } while(is_access);
+ i--;
+ } else if (PARAM_IS(L"--log")) {
+ i++;
+ if (argc > i) {
+ log_file = argv[i];
+ }
+ else {
+ wprintf(L"\nAbord. No log file specified");
+ PrintUsage(app_name);
+ return -1;
+ }
+ } else {
+ wprintf(L"\nAbord. Unrecognized parameter \"%s\"", argv[i]);
+ PrintUsage(app_name);
+ return -1;
+ }
+ }
+
+ // validate parameters
+ if (0 == access_type) {
+ wprintf(L"\nAbord, Access type not specified");
+ PrintUsage(app_name);
+ return -1;
+ }
+
+ if (0 == object_type) {
+ wprintf(L"\nAbord, Object type not specified");
+ PrintUsage(app_name);
+ return -1;
+ }
+
+
+ // Open log file
+ FILE * file_output;
+ if (log_file.GetLength()) {
+ errno_t err = _wfopen_s(&file_output, log_file, L"w");
+ if (err) {
+ wprintf(L"\nAbord, Cannot open file \"%s\"", log_file.GetBuffer());
+ return -1;
+ }
+ } else {
+ file_output = stdout;
+ }
+
+ Finder finder_obj;
+ finder_obj.Init(token_type, object_type, access_type, file_output);
+ finder_obj.Scan();
+
+ fclose(file_output);
+
+ return 0;
+}
+
diff --git a/sandbox/tools/finder/ntundoc.h b/sandbox/tools/finder/ntundoc.h
new file mode 100644
index 0000000..47fdf014
--- /dev/null
+++ b/sandbox/tools/finder/ntundoc.h
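Review bot: `--token` given as the last argument is silently accepted: after `i++; if (argc > i) {` there is no else branch, so token_type keeps its default USER_LOCKDOWN and the scan runs under a token level the user never chose, which for an access-probing tool means the report answers a different question than was asked. Mirror the `--log` handling with `} else { wprintf(L"\nAbord. No token type specified"); PrintUsage(app_name); return -1; }`. The cleanup also closes the process's stdout when no log file was given, since `file_output = stdout` flows straight into `fclose(file_output)`; guard it with `if (file_output != stdout) fclose(file_output);`. The results of `finder_obj.Init(...)` and `finder_obj.Scan()` are discarded; if Init can report failure (its declaration is in finder.h, outside this hunk), Scan() should not run when it does, otherwise the output looks like a valid probe of a token that was never created. `log_file.GetBuffer()` is called without a matching ReleaseBuffer(); for a read-only use in wprintf, `log_file.GetString()` is the right accessor.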
@@ -0,0 +1,263 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#ifndef SANDBOX_TOOLS_FINDER_NTUNDOC_H__
+#define SANDBOX_TOOLS_FINDER_NTUNDOC_H__
+
+#define NTSTATUS ULONG
+#define STATUS_SUCCESS 0x00000000
+#define STATUS_ACCESS_DENIED 0xC0000022
+#define STATUS_BUFFER_OVERFLOW 0x80000005
+
+typedef struct _LSA_UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} UNICODE_STRING;
+
+typedef struct _OBJDIR_INFORMATION {
+ UNICODE_STRING ObjectName;
+ UNICODE_STRING ObjectTypeName;
+ BYTE Data[1];
+} OBJDIR_INFORMATION;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ UNICODE_STRING *ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor;
+ PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+
+typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION {
+ ULONG Attributes;
+ ACCESS_MASK GrantedAccess;
+ ULONG HandleCount;
+ ULONG PointerCount;
+ ULONG Reserved[10]; // reserved for internal use
+ } PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION;
+
+typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION {
+ UNICODE_STRING TypeName;
+ ULONG Reserved [22]; // reserved for internal use
+} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION;
+
+typedef struct _OBJECT_NAME_INFORMATION {
+ UNICODE_STRING ObjectName;
+} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
+
+
+typedef enum _OBJECT_INFORMATION_CLASS {
+ ObjectBasicInformation,
+ ObjectNameInformation,
+ ObjectTypeInformation,
+ ObjectAllInformation,
+ ObjectDataInformation
+} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
+
+typedef struct _FILE_NAME_INFORMATION {
+ ULONG FileNameLength;
+ WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+
+typedef enum _FILE_INFORMATION_CLASS {
+ // end_wdm
+ FileDirectoryInformation = 1,
+ FileFullDirectoryInformation, // 2
+ FileBothDirectoryInformation, // 3
+ FileBasicInformation, // 4 wdm
+ FileStandardInformation, // 5 wdm
+ FileInternalInformation, // 6
+ FileEaInformation, // 7
+ FileAccessInformation, // 8
+ FileNameInformation, // 9
+ FileRenameInformation, // 10
+ FileLinkInformation, // 11
+ FileNamesInformation, // 12
+ FileDispositionInformation, // 13
+ FilePositionInformation, // 14 wdm
+ FileFullEaInformation, // 15
+ FileModeInformation, // 16
+ FileAlignmentInformation, // 17
+ FileAllInformation, // 18
+ FileAllocationInformation, // 19
+ FileEndOfFileInformation, // 20 wdm
+ FileAlternateNameInformation, // 21
+ FileStreamInformation, // 22
+ FilePipeInformation, // 23
+ FilePipeLocalInformation, // 24
+ FilePipeRemoteInformation, // 25
+ FileMailslotQueryInformation, // 26
+ FileMailslotSetInformation, // 27
+ FileCompressionInformation, // 28
+ FileObjectIdInformation, // 29
+ FileCompletionInformation, // 30
+ FileMoveClusterInformation, // 31
+ FileQuotaInformation, // 32
+ FileReparsePointInformation, // 33
+ FileNetworkOpenInformation, // 34
+ FileAttributeTagInformation, // 35
+ FileTrackingInformation, // 36
+ FileMaximumInformation
+ // begin_wdm
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+ SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+
+typedef struct
+{
+ NTSTATUS Status;
+ ULONG Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
+ (p)->RootDirectory = r; \
+ (p)->Attributes = a; \
+ (p)->ObjectName = n; \
+ (p)->SecurityDescriptor = s; \
+ (p)->SecurityQualityOfService = NULL; \
+}
+
+typedef struct _SYSTEM_HANDLE_INFORMATION {
+ USHORT ProcessId;
+ USHORT CreatorBackTraceIndex;
+ UCHAR ObjectTypeNumber;
+ UCHAR Flags;
+ USHORT Handle;
+ PVOID Object;
+ ACCESS_MASK GrantedAccess;
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
+ ULONG NumberOfHandles;
+ SYSTEM_HANDLE_INFORMATION Information[1];
+} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
+
+#define POBJECT_ATTRIBUTES OBJECT_ATTRIBUTES*
+
+typedef NTSTATUS (WINAPI* NTQUERYDIRECTORYOBJECT)(
+ HANDLE,
+ OBJDIR_INFORMATION*,
+ DWORD,
+ DWORD,
+ DWORD,
+ DWORD*,
+ DWORD*);
+
+typedef NTSTATUS (WINAPI* NTOPENDIRECTORYOBJECT)(
+ HANDLE *,
+ DWORD,
+ OBJECT_ATTRIBUTES* );
+
+typedef NTSTATUS (WINAPI* NTGENERICOPEN) (
+ OUT PHANDLE EventHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENEVENT)(
+ OUT PHANDLE EventHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENJOBOBJECT)(
+ OUT PHANDLE JobHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENKEYEDEVENT)(
+ OUT PHANDLE KeyedEventHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENMUTANT)(
+ OUT PHANDLE MutantHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENSECTION)(
+ OUT PHANDLE SectionHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENSEMAPHORE)(
+ OUT PHANDLE SemaphoreHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENSYMBOLICLINKOBJECT)(
+ OUT PHANDLE SymbolicLinkHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENTIMER)(
+ OUT PHANDLE TimerHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes);
+
+typedef NTSTATUS (WINAPI* NTOPENFILE)(
+ HANDLE *,
+ DWORD,
+ OBJECT_ATTRIBUTES *,
+ IO_STATUS_BLOCK *,
+ DWORD,
+ DWORD);
+
+typedef NTSTATUS (WINAPI* NTQUERYINFORMATIONFILE)(
+ HANDLE,
+ PIO_STATUS_BLOCK,
+ PVOID,
+ ULONG,
+ FILE_INFORMATION_CLASS);
+
+typedef NTSTATUS (WINAPI* NTQUERYSYSTEMINFORMATION)(
+ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ PVOID SystemInformation,
+ ULONG SystemInformationLength,
+ PULONG ReturnLength);
+
+typedef NTSTATUS (WINAPI* NTQUERYOBJECT)(
+ HANDLE Handle,
+ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ PVOID ObjectInformation,
+ ULONG ObjectInformationLength,
+ PULONG ReturnLength);
+
+typedef NTSTATUS (WINAPI* NTCLOSE) (HANDLE);
+
+#define DIRECTORY_QUERY 0x0001
+#define DIRECTORY_TRAVERSE 0x0002
+#define DIRECTORY_CREATE_OBJECT 0x0004
+#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
+#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
+
+#endif // SANDBOX_TOOLS_FINDER_NTUNDOC_H__
\ No newline at end of file
diff --git a/sandbox/tools/finder/stdafx.cc b/sandbox/tools/finder/stdafx.cc
new file mode 100644
index 0000000..2330be4
--- /dev/null
+++ b/sandbox/tools/finder/stdafx.cc
@@ -0,0 +1,33 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "sandbox/tools/finder/stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
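Review bot: `#define NTSTATUS ULONG` near the top of ntundoc.h replaces a name the Windows SDK declares as a signed `typedef LONG NTSTATUS` (ntdef.h / winternl.h), and `UNICODE_STRING`, `OBJECT_ATTRIBUTES`, `IO_STATUS_BLOCK`, `OBJECT_INFORMATION_CLASS` and `FILE_INFORMATION_CLASS` are likewise SDK type names, so this header only compiles because stdafx.h pulls in `<windows.h>` alone and any translation unit that later includes `<winternl.h>` would hit conflicting definitions; prefer `typedef LONG NTSTATUS;` plus a tool-specific prefix for the private layouts, and note that with an unsigned NTSTATUS the SDK's sign-based NT_SUCCESS test is always true, so every success check in this tool has to compare against the explicit STATUS_* values defined here. `InitializeObjectAttributes` expands to a bare `{ ... }` block, so `if (x) InitializeObjectAttributes(...); else ...` is a syntax error at the stray `;`; wrap the body in `do { ... } while (0)`, and `#define POBJECT_ATTRIBUTES OBJECT_ATTRIBUTES*` is better as `typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES;`. The layouts here (`USHORT ProcessId` in `SYSTEM_HANDLE_INFORMATION`, `SystemHandleInformation = 16`, the `Reserved[...]` tails, `OBJDIR_INFORMATION`) are undocumented and version-dependent, and `SYSTEM_HANDLE_INFORMATION_EX` is this tool's own naming rather than the SDK's; a header comment stating which Windows versions the layouts were taken from, that the names are local, and that a 16-bit ProcessId cannot represent PIDs above 65535 would save the next reader a trip to a disassembler.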
diff --git a/sandbox/tools/finder/stdafx.h b/sandbox/tools/finder/stdafx.h
new file mode 100644
index 0000000..1c0404d
--- /dev/null
+++ b/sandbox/tools/finder/stdafx.h
@@ -0,0 +1,44 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#ifndef SANDBOX_TOOLS_FINDER_STDAFX_H__
+#define SANDBOX_TOOLS_FINDER_STDAFX_H__
+
+#ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later.
+#define _WIN32_WINNT 0x0501 // Change this to the appropriate value to target other versions of Windows.
+#endif
+
+#include <stdio.h>
+#include <tchar.h>
+#include <windows.h>
+#define _ATL_NO_EXCEPTIONS
+#include <atlbase.h>
+#include <atlsecurity.h>
+
+#endif // SANDBOX_TOOLS_FINDER_STDAFX_H__
\ No newline at end of file |