
aslr_module_get_times and ReOpenFile support #7106

Open
dmex opened this issue Dec 6, 2024 · 2 comments

dmex commented Dec 6, 2024

  • Is your feature request related to a problem? Please describe.

The aslr_module_get_times function has multiple issues with file handles per these comments:

dynamorio/core/win32/aslr.c, lines 4475 to 4478 in b0237d2:

```c
/* Note: this routine cannot be used on original handles since we
 * don't have proper permissions for the application handle. Leaving
 * the routine in case we find it useful for files that we have opened
 * ourselves and we want to detect too old files.
```

dynamorio/core/win32/aslr.c, lines 4516 to 4519 in b0237d2:

```c
/* FIXME: we can't even use DuplicateHandle() SDK: For example, a
 * file handle created with the GENERIC_READ access right cannot
 * be duplicated so that it has both the GENERIC_READ and
 * GENERIC_WRITE access right.
```

  • Describe the solution you'd like

Add support for the ReOpenFile function, since it fixes both issues, including cases where handles are duplicated using DuplicateHandle. The function is available on Vista and above.

derekbruening (Contributor) commented:

I assume you mean calling whatever ntdll.dll routines are used by kernel32 in its ReOpenFile code as we don't want core DR depending on kernel32.dll.

dmex (Author) commented Dec 7, 2024

> calling whatever ntdll.dll routines are used by kernel32 in its ReOpenFile

@derekbruening

ReOpenFile passes the original file handle as the OBJECT_ATTRIBUTES RootDirectory and calls the standard NtCreateFile function.

Here's a reimplementation using native routines:

```c
/* Native-API equivalent of kernel32!ReOpenFile.
 * Headers: the Nt*/Rtl* prototypes, OBJECT_ATTRIBUTES and FILE_OPEN come
 * from the native headers (e.g. phnt or ntifs.h); winternl.h alone lacks
 * RtlInitEmptyUnicodeString and FILE_OPEN.
 */
#include <phnt_windows.h>
#include <phnt.h>

NTSTATUS DynamoReOpenFile(
    _Out_ PHANDLE FileHandle,
    _In_ HANDLE OriginalFileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG ShareAccess,
    _In_ ULONG OpenOptions
    )
{
    NTSTATUS status;
    HANDLE fileHandle;
    UNICODE_STRING fileName;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK ioStatusBlock;

    /* An empty (but valid) name plus RootDirectory = the existing file
     * handle makes NtCreateFile open the same file object again. */
    RtlInitEmptyUnicodeString(&fileName, NULL, 0);
    InitializeObjectAttributes(
        &objectAttributes,
        &fileName,
        OBJ_CASE_INSENSITIVE,
        OriginalFileHandle,
        NULL
        );

    /* FILE_OPEN: the file must already exist; no attributes or allocation
     * size are needed. DesiredAccess is checked against the file's security
     * descriptor, not against the access granted to OriginalFileHandle, so
     * the new handle can carry more (or less) access than the original. */
    status = NtCreateFile(
        &fileHandle,
        DesiredAccess,
        &objectAttributes,
        &ioStatusBlock,
        NULL,
        0,
        ShareAccess,
        FILE_OPEN,
        OpenOptions,
        NULL,
        0
        );

    if (NT_SUCCESS(status))
    {
        *FileHandle = fileHandle;
    }

    return status;
}
```

FileName must also be a valid pointer to an empty UNICODE_STRING.
