// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome_elf/create_file/chrome_create_file.h"
#include <windows.h>
#include <bitset>
#include <string>
#include "base/base_paths_win.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/files/scoped_temp_dir.h"
#include "base/path_service.h"
#include "base/threading/platform_thread.h"
#include "base/win/iat_patch_function.h"
#include "base/win/scoped_handle.h"
#include "base/win/windows_version.h"
#include "chrome_elf/chrome_elf_constants.h"
#include "chrome_elf/ntdll_cache.h"
#include "sandbox/win/src/interception_internal.h"
#include "sandbox/win/src/nt_internals.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "testing/platform_test.h"
namespace {
// Test fixtures -------------------------------------------------------------
class ChromeCreateFileTest : public PlatformTest {
protected:
struct NtCreateFileParams {
ACCESS_MASK desired_access;
OBJECT_ATTRIBUTES object_attributes;
PLARGE_INTEGER allocation_size;
ULONG file_attributes;
ULONG share_access;
ULONG create_disposition;
ULONG create_options;
PVOID ea_buffer;
ULONG ea_length;
};
enum CallPath {
ELF,
KERNEL
};
template<CallPath path>
static NTSTATUS WINAPI FakeNtCreateFile(
PHANDLE file_handle,
ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
PIO_STATUS_BLOCK io_status_block,
PLARGE_INTEGER allocation_size,
ULONG file_attributes,
ULONG share_access,
ULONG create_disposition,
ULONG create_options,
PVOID ea_buffer,
ULONG ea_length) {
return self_->HandleCreateFileCall(file_handle,
desired_access,
object_attributes,
io_status_block,
allocation_size,
file_attributes,
share_access,
create_disposition,
create_options,
ea_buffer,
ea_length,
path);
}
virtual void SetUp() OVERRIDE {
original_thread_ = base::PlatformThread::CurrentId();
InitCache();
PlatformTest::SetUp();
base::FilePath user_data_dir;
PathService::Get(base::DIR_LOCAL_APP_DATA, &user_data_dir);
ASSERT_TRUE(temp_dir_.CreateUniqueTempDirUnderPath(user_data_dir));
ASSERT_TRUE(temp_dir2_.CreateUniqueTempDir());
self_ = this;
}
void UnsetThunkStorage() {
DWORD old_protect = 0;
EXPECT_TRUE(::VirtualProtect(&g_nt_thunk_storage,
sizeof(g_nt_thunk_storage),
PAGE_EXECUTE_READWRITE,
&old_protect));
memset(&g_nt_thunk_storage, 0, sizeof(g_nt_thunk_storage));
EXPECT_TRUE(::VirtualProtect(&g_nt_thunk_storage,
sizeof(g_nt_thunk_storage),
PAGE_EXECUTE_READ,
&old_protect));
}
void RedirectNtCreateFileCalls() {
UnsetThunkStorage();
old_func_ptr_ =
reinterpret_cast<NtCreateFileFunction>(g_ntdll_lookup["NtCreateFile"]);
// KernelBase.dll only exists for Win7 and later, prior to that, kernel32
// imports from ntdll directly.
if (base::win::GetVersion() < base::win::VERSION_WIN7) {
patcher_.Patch(L"kernel32.dll", "ntdll.dll", "NtCreateFile",
reinterpret_cast<void(*)()>(&FakeNtCreateFile<KERNEL>));
} else {
patcher_.Patch(L"kernelbase.dll", "ntdll.dll", "NtCreateFile",
reinterpret_cast<void(*)()>(&FakeNtCreateFile<KERNEL>));
}
g_ntdll_lookup["NtCreateFile"] = reinterpret_cast<void(*)()>(
&ChromeCreateFileTest::FakeNtCreateFile<ELF>);
}
void ResetNtCreateFileCalls() {
g_ntdll_lookup["NtCreateFile"] = reinterpret_cast<void*>(old_func_ptr_);
patcher_.Unpatch();
}
NTSTATUS HandleCreateFileCall(PHANDLE file_handle,
ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
PIO_STATUS_BLOCK io_status_block,
PLARGE_INTEGER allocation_size,
ULONG file_attributes,
ULONG share_access,
ULONG create_disposition,
ULONG create_options,
PVOID ea_buffer,
ULONG ea_length,
CallPath call_path) {
if (original_thread_ == base::PlatformThread::CurrentId()) {
SetParams(desired_access,
object_attributes,
allocation_size,
file_attributes,
share_access,
create_disposition,
create_options,
ea_buffer,
ea_length,
call_path == ELF ? &elf_params_ : &kernel_params_);
}
// Forward the call to the real NTCreateFile.
return old_func_ptr_(file_handle,
desired_access,
object_attributes,
io_status_block,
allocation_size,
file_attributes,
share_access,
create_disposition,
create_options,
ea_buffer,
ea_length);
}
void SetParams(ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
PLARGE_INTEGER allocation_size,
ULONG file_attributes,
ULONG share_access,
ULONG create_disposition,
ULONG create_options,
PVOID ea_buffer,
ULONG ea_length,
NtCreateFileParams* params) {
params->desired_access = desired_access;
params->object_attributes.Length = object_attributes->Length;
params->object_attributes.ObjectName = object_attributes->ObjectName;
params->object_attributes.RootDirectory = object_attributes->RootDirectory;
params->object_attributes.Attributes = object_attributes->Attributes;
params->object_attributes.SecurityDescriptor =
object_attributes->SecurityDescriptor;
params->object_attributes.SecurityQualityOfService =
object_attributes->SecurityQualityOfService;
params->allocation_size = allocation_size;
params->file_attributes = file_attributes;
params->share_access = share_access;
params->create_disposition = create_disposition;
params->create_options = create_options;
params->ea_buffer = ea_buffer;
params->ea_length = ea_length;
}
void CheckParams() {
std::bitset<32> elf((int) elf_params_.desired_access);
std::bitset<32> ker((int) kernel_params_.desired_access);
EXPECT_EQ(kernel_params_.desired_access, elf_params_.desired_access)
<< elf << "\n" << ker;
EXPECT_EQ(kernel_params_.object_attributes.Length,
elf_params_.object_attributes.Length);
EXPECT_EQ(kernel_params_.object_attributes.RootDirectory,
elf_params_.object_attributes.RootDirectory);
EXPECT_EQ(kernel_params_.object_attributes.Attributes,
elf_params_.object_attributes.Attributes);
EXPECT_EQ(kernel_params_.object_attributes.SecurityDescriptor,
elf_params_.object_attributes.SecurityDescriptor);
EXPECT_EQ(kernel_params_.allocation_size, elf_params_.allocation_size);
EXPECT_EQ(kernel_params_.file_attributes, elf_params_.file_attributes);
EXPECT_EQ(kernel_params_.share_access, elf_params_.share_access);
EXPECT_EQ(kernel_params_.create_disposition,
elf_params_.create_disposition);
EXPECT_EQ(kernel_params_.create_options, elf_params_.create_options);
EXPECT_EQ(kernel_params_.ea_buffer, elf_params_.ea_buffer);
EXPECT_EQ(kernel_params_.ea_length, elf_params_.ea_length);
}
void DoWriteCheck(const base::FilePath& path, DWORD flag, bool is_system) {
base::win::ScopedHandle file_handle;
const char kTestData[] = "0123456789";
int buffer_size = sizeof(kTestData) - 1;
DWORD bytes_written;
if (is_system) {
file_handle.Set(::CreateFileW(path.value().c_str(),
GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL | flag,
NULL));
} else {
file_handle.Set(CreateFileNTDLL(path.value().c_str(),
GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL | flag,
NULL));
}
EXPECT_FALSE(file_handle == INVALID_HANDLE_VALUE);
::WriteFile(file_handle, kTestData, buffer_size, &bytes_written, NULL);
EXPECT_EQ(buffer_size, bytes_written);
}
void DoReadCheck(const base::FilePath& path, DWORD flag, bool is_system) {
base::win::ScopedHandle file_handle;
const char kTestData[] = "0123456789";
int buffer_size = sizeof(kTestData) - 1;
DWORD bytes_read;
char read_buffer[10];
if (is_system) {
file_handle.Set(::CreateFileW(path.value().c_str(),
GENERIC_READ,
0,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL | flag,
NULL));
} else {
file_handle.Set(CreateFileNTDLL(path.value().c_str(),
GENERIC_READ,
0,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL | flag,
NULL));
}
EXPECT_FALSE(file_handle == INVALID_HANDLE_VALUE);
::ReadFile(file_handle, read_buffer, buffer_size, &bytes_read, NULL);
EXPECT_EQ(buffer_size, bytes_read);
EXPECT_EQ(0, memcmp(kTestData, read_buffer, bytes_read));
}
void RunChecks(DWORD flag, bool check_reads) {
// Make sure we can write to this file handle when called via the system.
base::FilePath junk_path_1 = temp_dir_.path().Append(L"junk_1.txt");
base::FilePath junk_path_2 = temp_dir_.path().Append(L"junk_2.txt");
DoWriteCheck(junk_path_1, flag, true);
DoWriteCheck(junk_path_2, flag, false);
CheckParams();
if (check_reads) {
// Make sure we can read from this file handle when called via the system.
DoReadCheck(junk_path_1, flag, true);
DoReadCheck(junk_path_2, flag, false);
CheckParams();
}
base::DeleteFile(junk_path_1, false);
base::DeleteFile(junk_path_2, false);
}
static ChromeCreateFileTest* self_;
NtCreateFileFunction old_func_ptr_;
base::ScopedTempDir temp_dir_;
base::ScopedTempDir temp_dir2_;
base::win::IATPatchFunction patcher_;
NtCreateFileParams kernel_params_;
NtCreateFileParams elf_params_;
base::PlatformThreadId original_thread_;
};
ChromeCreateFileTest* ChromeCreateFileTest::self_ = NULL;
// Tests ---------------------------------------------------------------------
TEST_F(ChromeCreateFileTest, CheckParams_FILE_ATTRIBUTE_NORMAL) {
RedirectNtCreateFileCalls();
RunChecks(FILE_ATTRIBUTE_NORMAL, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_WRITE_THROUGH) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_WRITE_THROUGH, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_RANDOM_ACCESS) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_RANDOM_ACCESS, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_SEQUENTIAL_SCAN) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_SEQUENTIAL_SCAN, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_DELETE_ON_CLOSE) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_DELETE_ON_CLOSE, false);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_BACKUP_SEMANTICS) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_BACKUP_SEMANTICS, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_OPEN_REPARSE_POINT) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_OPEN_REPARSE_POINT, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, CheckParams_FILE_FLAG_OPEN_NO_RECALL) {
RedirectNtCreateFileCalls();
RunChecks(FILE_FLAG_OPEN_NO_RECALL, true);
ResetNtCreateFileCalls();
}
TEST_F(ChromeCreateFileTest, BypassTest) {
std::wstring UNC_filepath_file(L"\\\\.\\some_file.txt");
base::FilePath local_path;
PathService::Get(base::DIR_LOCAL_APP_DATA, &local_path);
base::FilePath local_prefs_path = local_path.Append(kAppDataDirName).Append(
kUserDataDirName).Append(L"default\\Preferences");
base::FilePath local_state_path = local_path.Append(kAppDataDirName).Append(
kUserDataDirName).Append(L"ninja\\Local State");
base::FilePath local_junk_path = local_path.Append(kAppDataDirName).Append(
kUserDataDirName).Append(L"default\\Junk");
base::FilePath desktop_path;
PathService::Get(base::DIR_USER_DESKTOP, &desktop_path);
base::FilePath desktop_junk_path =
desktop_path.Append(L"Downloads\\junk.txt");
base::FilePath desktop_prefs_path =
desktop_path.Append(L"Downloads\\Preferences");
// Don't redirect UNC files.
EXPECT_FALSE(ShouldBypass(UNC_filepath_file.c_str()));
// Don't redirect if file is not in UserData directory.
EXPECT_FALSE(ShouldBypass(desktop_junk_path.value().c_str()));
EXPECT_FALSE(ShouldBypass(desktop_prefs_path.value().c_str()));
// Only redirect "Preferences" and "Local State" files.
EXPECT_TRUE(ShouldBypass(local_prefs_path.value().c_str()));
EXPECT_TRUE(ShouldBypass(local_state_path.value().c_str()));
EXPECT_FALSE(ShouldBypass(local_junk_path.value().c_str()));
}
TEST_F(ChromeCreateFileTest, ReadWriteFromNtDll) {
UnsetThunkStorage();
base::FilePath file_name = temp_dir_.path().Append(L"some_file.txt");
DoWriteCheck(file_name, FILE_ATTRIBUTE_NORMAL, false);
DoReadCheck(file_name, FILE_ATTRIBUTE_NORMAL, false);
}
TEST_F(ChromeCreateFileTest, ReadWriteFromThunk) {
base::FilePath file_name = temp_dir_.path().Append(L"some_file.txt");
DoWriteCheck(file_name, FILE_ATTRIBUTE_NORMAL, false);
DoReadCheck(file_name, FILE_ATTRIBUTE_NORMAL, false);
}
} // namespace