Diffstat (limited to 'chromium/chrome_elf/ntdll_cache.cc')
-rw-r--r-- | chromium/chrome_elf/ntdll_cache.cc | 110 |
1 files changed, 74 insertions, 36 deletions
diff --git a/chromium/chrome_elf/ntdll_cache.cc b/chromium/chrome_elf/ntdll_cache.cc
index e5504421ae4..a0429a45aed 100644
--- a/chromium/chrome_elf/ntdll_cache.cc
+++ b/chromium/chrome_elf/ntdll_cache.cc
@@ -2,50 +2,88 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. +#include "chrome_elf/ntdll_cache.h" + #include <stdint.h> #include <windows.h> -#include "chrome_elf/ntdll_cache.h" +#include "base/basictypes.h" +#include "base/memory/scoped_ptr.h" +#include "base/win/pe_image.h" +#include "chrome_elf/thunk_getter.h" +#include "sandbox/win/src/interception_internal.h" +#include "sandbox/win/src/internal_types.h" +#include "sandbox/win/src/service_resolver.h" FunctionLookupTable g_ntdll_lookup; +// Allocate storage for thunks in a page of this module to save on doing +// an extra allocation at run time. +#pragma section(".crthunk",read,execute) +__declspec(allocate(".crthunk")) sandbox::ThunkData g_nt_thunk_storage; + + + +namespace { + +bool EnumExportsCallback(const base::win::PEImage& image, + DWORD ordinal, + DWORD hint, + LPCSTR name, + PVOID function_addr, + LPCSTR forward, + PVOID cookie) { + // Our lookup only cares about named functions that are in ntdll, so skip + // unnamed or forwarded exports. + if (name && function_addr) + g_ntdll_lookup[std::string(name)] = function_addr; + + return true; +} + +} // namespace + void InitCache() { HMODULE ntdll_handle = ::GetModuleHandle(L"ntdll.dll"); - // To find the Export Address Table address, we start from the DOS header. - // The module handle is actually the address of the header. - IMAGE_DOS_HEADER* dos_header = - reinterpret_cast<IMAGE_DOS_HEADER*>(ntdll_handle); - // The e_lfanew is an offset from the DOS header to the NT header. It should - // never be 0. - IMAGE_NT_HEADERS* nt_headers = reinterpret_cast<IMAGE_NT_HEADERS*>( - ntdll_handle + dos_header->e_lfanew / sizeof(uint32_t)); - // For modules that have an import address table, its offset from the - // DOS header is stored in the second data directory's VirtualAddress. 
- if (!nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress) - return; - - BYTE* base_addr = reinterpret_cast<BYTE*>(ntdll_handle); - - IMAGE_DATA_DIRECTORY* exports_data_dir = - &nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; - - IMAGE_EXPORT_DIRECTORY* exports = reinterpret_cast<IMAGE_EXPORT_DIRECTORY*>( - base_addr + exports_data_dir->VirtualAddress); - - WORD* ordinals = reinterpret_cast<WORD*>( - base_addr + exports->AddressOfNameOrdinals); - DWORD* names = reinterpret_cast<DWORD*>( - base_addr + exports->AddressOfNames); - DWORD* funcs = reinterpret_cast<DWORD*>( - base_addr + exports->AddressOfFunctions); - int num_entries = exports->NumberOfNames; - - for (int i = 0; i < num_entries; i++) { - char* name = reinterpret_cast<char*>(base_addr + names[i]); - WORD ord = ordinals[i]; - DWORD func = funcs[ord]; - FARPROC func_addr = reinterpret_cast<FARPROC>(func + base_addr); - g_ntdll_lookup[std::string(name)] = func_addr; + base::win::PEImage ntdll_image(ntdll_handle); + + ntdll_image.EnumExports(EnumExportsCallback, NULL); + + // If ntdll has already been patched, don't copy it. + const bool kRelaxed = false; + + // Create a thunk via the appropriate ServiceResolver instance. + scoped_ptr<sandbox::ServiceResolverThunk> thunk(GetThunk(kRelaxed)); + + if (thunk.get()) { + BYTE* thunk_storage = reinterpret_cast<BYTE*>(&g_nt_thunk_storage); + + // Mark the thunk storage as readable and writeable, since we + // are ready to write to it. + DWORD old_protect = 0; + if (!::VirtualProtect(&g_nt_thunk_storage, + sizeof(g_nt_thunk_storage), + PAGE_EXECUTE_READWRITE, + &old_protect)) { + return; + } + + size_t storage_used = 0; + NTSTATUS ret = thunk->CopyThunk(::GetModuleHandle(sandbox::kNtdllName), + "NtCreateFile", + thunk_storage, + sizeof(sandbox::ThunkData), + &storage_used); + + if (!NT_SUCCESS(ret)) { + memset(&g_nt_thunk_storage, 0, sizeof(g_nt_thunk_storage)); + } + + // Ensure that the pointer to the old function can't be changed. 
+ ::VirtualProtect(&g_nt_thunk_storage, + sizeof(g_nt_thunk_storage), + PAGE_EXECUTE_READ, + &old_protect); } } |
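Review bot: The second `::VirtualProtect` call at the end of `InitCache` (the one restoring `PAGE_EXECUTE_READ`) ignores its return value, so if it fails the `.crthunk` page silently stays `PAGE_EXECUTE_READWRITE` with a live thunk in it, which defeats the stated purpose "Ensure that the pointer to the old function can't be changed." Mirror the `CopyThunk` failure path so a thunk is never left usable in writable memory: `if (!::VirtualProtect(&g_nt_thunk_storage, sizeof(g_nt_thunk_storage), PAGE_EXECUTE_READ, &old_protect))` / `  memset(&g_nt_thunk_storage, 0, sizeof(g_nt_thunk_storage));`. Separately, `EnumExportsCallback` says it skips forwarded exports but only tests `name && function_addr`; if `PEImage::EnumExports` passes a null `function_addr` for forwards this works, but adding `&& !forward` makes the comment true on its own and does not depend on that behaviour. Note also that `memset` is used without a `<string.h>` include in this hunk, presumably picked up transitively.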