// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "sandbox/win/sandbox_poc/pocdll/exports.h" #include "sandbox/win/sandbox_poc/pocdll/utils.h" #include "sandbox/win/tools/finder/ntundoc.h" // This file contains the tests used to verify the security of handles in // the process NTQUERYOBJECT NtQueryObject; NTQUERYINFORMATIONFILE NtQueryInformationFile; NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; void POCDLL_API TestGetHandle(HANDLE log) { HandleToFile handle2file; FILE *output = handle2file.Translate(log, "w"); // Initialize the NTAPI functions we need HMODULE ntdll_handle = ::GetModuleHandle(L"ntdll.dll"); if (!ntdll_handle) { fprintf(output, "[ERROR] Cannot load ntdll.dll. Error %d\r\n", ::GetLastError()); return; } NtQueryObject = reinterpret_cast( GetProcAddress(ntdll_handle, "NtQueryObject")); NtQueryInformationFile = reinterpret_cast( GetProcAddress(ntdll_handle, "NtQueryInformationFile")); NtQuerySystemInformation = reinterpret_cast( GetProcAddress(ntdll_handle, "NtQuerySystemInformation")); if (!NtQueryObject || !NtQueryInformationFile || !NtQuerySystemInformation) { fprintf(output, "[ERROR] Cannot load all NT functions. Error %d\r\n", ::GetLastError()); return; } // Get the number of handles on the system DWORD buffer_size = 0; SYSTEM_HANDLE_INFORMATION_EX temp_info; NTSTATUS status = NtQuerySystemInformation( SystemHandleInformation, &temp_info, sizeof(temp_info), &buffer_size); if (!buffer_size) { fprintf(output, "[ERROR] Get the number of handles. Error 0x%X\r\n", status); return; } SYSTEM_HANDLE_INFORMATION_EX *system_handles = reinterpret_cast(new BYTE[buffer_size]); status = NtQuerySystemInformation(SystemHandleInformation, system_handles, buffer_size, &buffer_size); if (STATUS_SUCCESS != status) { fprintf(output, "[ERROR] Failed to get the handle list. Error 0x%X\r\n", status); delete [] system_handles; return; } for (ULONG i = 0; i < system_handles->NumberOfHandles; ++i) { USHORT h = system_handles->Information[i].Handle; if (system_handles->Information[i].ProcessId != ::GetCurrentProcessId()) continue; OBJECT_NAME_INFORMATION *name = NULL; ULONG name_size = 0; // Query the name information a first time to get the size of the name. status = NtQueryObject(reinterpret_cast(h), ObjectNameInformation, name, name_size, &name_size); if (name_size) { name = reinterpret_cast(new BYTE[name_size]); // Query the name information a second time to get the name of the // object referenced by the handle. status = NtQueryObject(reinterpret_cast(h), ObjectNameInformation, name, name_size, &name_size); } PUBLIC_OBJECT_TYPE_INFORMATION *type = NULL; ULONG type_size = 0; // Query the object to get the size of the object type name. status = NtQueryObject(reinterpret_cast(h), ObjectTypeInformation, type, type_size, &type_size); if (type_size) { type = reinterpret_cast( new BYTE[type_size]); // Query the type information a second time to get the object type // name. status = NtQueryObject(reinterpret_cast(h), ObjectTypeInformation, type, type_size, &type_size); } // NtQueryObject cannot return the name for a file. In this case we // need to ask NtQueryInformationFile FILE_NAME_INFORMATION *file_name = NULL; if (type && wcsncmp(L"File", type->TypeName.Buffer, (type->TypeName.Length / sizeof(type->TypeName.Buffer[0]))) == 0) { // This function does not return the size of the buffer. We need to // iterate and always increase the buffer size until the function // succeeds. (Or at least does not fail with STATUS_BUFFER_OVERFLOW) ULONG size_file = MAX_PATH; IO_STATUS_BLOCK status_block = {0}; do { // Delete the previous buffer create. The buffer was too small if (file_name) { delete[] reinterpret_cast(file_name); file_name = NULL; } // Increase the buffer and do the call agan size_file += MAX_PATH; file_name = reinterpret_cast( new BYTE[size_file]); status = NtQueryInformationFile(reinterpret_cast(h), &status_block, file_name, size_file, FileNameInformation); } while (status == STATUS_BUFFER_OVERFLOW); if (STATUS_SUCCESS != status) { if (file_name) { delete[] file_name; file_name = NULL; } } } if (file_name) { UNICODE_STRING file_name_string; file_name_string.Buffer = file_name->FileName; file_name_string.Length = (USHORT)file_name->FileNameLength; file_name_string.MaximumLength = (USHORT)file_name->FileNameLength; fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X " "Type: %-13.13wZ Path: %wZ\r\n", h, system_handles->Information[i].GrantedAccess, type ? &type->TypeName : NULL, &file_name_string); } else { fprintf(output, "[GRANTED] Handle 0x%4.4X Access: 0x%8.8X " "Type: %-13.13wZ Path: %wZ\r\n", h, system_handles->Information[i].GrantedAccess, type ? &type->TypeName : NULL, name ? &name->ObjectName : NULL); } if (type) { delete[] type; } if (file_name) { delete[] file_name; } if (name) { delete [] name; } } if (system_handles) { delete [] system_handles; } }