// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef SANDBOX_TOOLS_FINDER_FINDER_H__ #define SANDBOX_TOOLS_FINDER_FINDER_H__ #include "sandbox/src/restricted_token_utils.h" #include "sandbox/tools/finder/ntundoc.h" // Type of stats that we calculate during the Scan operation enum Stats { READ = 0, // Number of objects with read access WRITE, // Number of objects with write access ALL, // Number of objects with r/w access PARSE, // Number of objects parsed BROKEN, // Number of errors while parsing the objects SIZE_STATS // size of the enum }; const int kScanRegistry = 0x01; const int kScanFileSystem = 0x02; const int kScanKernelObjects = 0x04; const int kTestForRead = 0x01; const int kTestForWrite = 0x02; const int kTestForAll = 0x04; #define FS_ERR L"FILE-ERROR" #define OBJ_ERR L"OBJ-ERROR" #define REG_ERR L"REG_ERROR" #define OBJ L"OBJ" #define FS L"FILE" #define REG L"REG" // The impersonater class will impersonate a token when the object is created // and revert when the object is going out of scope. class Impersonater { public: Impersonater(HANDLE token_handle) { if (token_handle) ::ImpersonateLoggedOnUser(token_handle); }; ~Impersonater() { ::RevertToSelf(); }; }; // The finder class handles the search of objects (file system, registry, kernel // objects) on the system that can be opened by a restricted token. It can // support multiple levels of restriction for the restricted token and can check // for read, write or r/w access. It outputs the results to a file or stdout. class Finder { public: Finder(); ~Finder(); DWORD Init(sandbox::TokenLevel token_type, DWORD object_type, DWORD access_type, FILE *file_output); DWORD Scan(); private: // Parses a file system path and perform an access check on all files and // folder found. // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the // win32 error code associated with the error. DWORD ParseFileSystem(ATL::CString path); // Parses a registry hive referenced by "key" and performs an access check on // all subkeys found. // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the // win32 error code associated with the error. DWORD ParseRegistry(HKEY key, ATL::CString print_name); // Parses the kernel namespace beginning at "path" and performs an access // check on all objects found. However, only some object types are supported, // all non supported objects are ignored. // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the // win32 error code associated with the error. DWORD ParseKernelObjects(ATL::CString path); // Checks if "path" can be accessed with the restricted token. // Returns the access granted. DWORD TestFileAccess(ATL::CString path); // Checks if the registry key with the path key\name can be accessed with the // restricted token. // print_name is only use for logging purpose. // Returns the access granted. DWORD TestRegAccess(HKEY key, ATL::CString name, ATL::CString print_name); // Checks if the kernel object "path" of type "type" can be accessed with // the restricted token. // Returns the access granted. DWORD TestKernelObjectAccess(ATL::CString path, ATL::CString type); // Outputs information to the logfile void Output(ATL::CString type, ATL::CString access, ATL::CString info) { fprintf(file_output_, "\n%S;%S;%S", type.GetBuffer(), access.GetBuffer(), info.GetBuffer()); }; // Output information to the log file. void Output(ATL::CString type, DWORD error, ATL::CString info) { fprintf(file_output_, "\n%S;0x%X;%S", type.GetBuffer(), error, info.GetBuffer()); }; // Set func_to_call to the function pointer of the function used to handle // requests for the kernel objects of type "type". If the type is not // supported at the moment the function returns false and the func_to_call // parameter is not modified. bool GetFunctionForType(ATL::CString type, NTGENERICOPEN * func_to_call); // Initializes the NT function pointers to be able to use all the needed // functions in NTDDL. // Returns ERROR_SUCCESS if the function succeeded, otherwise, it returns the // win32 error code associated with the error. DWORD InitNT(); // Calls func_to_call with the parameters desired_access, object_attributes // and handle. func_to_call is a pointer to a function to open a kernel // object. NTSTATUS NtGenericOpen(ACCESS_MASK desired_access, OBJECT_ATTRIBUTES *object_attributes, NTGENERICOPEN func_to_call, HANDLE *handle); // Type of object to check for. DWORD object_type_; // Access to try. DWORD access_type_; // Output file for the results. FILE * file_output_; // Handle to the restricted token. HANDLE token_handle_; // Stats containing the number of operations performed on the different // objects. int filesystem_stats_[SIZE_STATS]; int registry_stats_[SIZE_STATS]; int kernel_object_stats_[SIZE_STATS]; }; #endif // SANDBOX_TOOLS_FINDER_FINDER_H__