[chromium-dev] Problem in Hooking 'ExTextOut'

2010-09-15 Thread ZHOU Xiaobo
Hi:

  I want to: capture the word under my cursor and translate it into Chinese. A
normal way to achieve this is injecting a DLL and hooking the system call
'ExTextOut'; when my cursor moves over the word, an 'invalidatedata' will be
invoked and 'ExTextOut' too, then I can get the word.

   Since the 'render' process of Chrome has no window, I create a remote
thread in the 'render' process's address space and call 'LoadLibrary' to
load my DLL. The result is that 'OpenFile' failed.

  I found: 'OpenFile' is hooked and the address is 'ErrorXXX' (or something
like that). So I manually changed the address to the real address of
'OpenFile' in 'NTDLL', but it still failed with the error 'permission denied'.


  My question is:
 Is what the sandbox does just hooking a subset of the system calls, such
as 'OpenFile', 'CreateProcess', etc.?
 What is the correct way to achieve my goal?

Thanks a lot.

ZHOU Xiaobo


-- 
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
http://groups.google.com/group/chromium-dev


Re: [chromium-dev] Problem in Hooking 'ExTextOut'

2010-09-15 Thread Elliot Glaysher (Chromium)
On Wed, Sep 15, 2010 at 10:04 AM, ZHOU Xiaobo xb.z...@qq.com wrote:
> My question is:
> Is what the sandbox does just hooking a subset of the system calls, such
> as 'OpenFile', 'CreateProcess', etc.?

The effect is crashing the process on any syscall we don't whitelist.
I don't know exactly how it works on Windows. I know that it's almost
17k sloc and does quite a bit of communication with the NT kernel
which enforces the restrictions. (On Linux, our seccomp sandbox works
by rewriting the binary in memory so each syscall call site is
rewritten as a read/write to a proxy that makes the security decision,
and then telling the Linux kernel to kill the process if it does any
syscall other than read() and write().)

There is no way to turn the sandbox off once it is on; this is an
important part of Chrome's security model. If a malicious website
exploited a buffer overflow somewhere in the renderer, being able to
tell the kernel to turn the sandbox off would kind of defeat the
point, right?

> What is the correct way to achieve my goal? (capture the word under
> my cursor and translate it into Chinese.)

You should be using a content script in an extension:

http://code.google.com/chrome/extensions/content_scripts.html

There are already content scripts that read text under the cursor (I
specifically mentioned rikaikun on IRC when ), and either replacing
the word or popping up a translation box (again, rikaikun) are trivial
operations. In addition to being the correct thing to do, an extension
would work on all platforms while trying to make a DLL would be
Windows only.

(You mentioned on IRC that you can't use an extension, though your
phrasing suggested that was because you couldn't get the word under
the cursor, which is wrong, you can. If you need to use a DLL because
you already have translation software written in a compiled
language or something, you don't really have any good options since
you aren't going to be able to load a DLL into the process where text
rendering is done.)

-- Elliot
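The content-script approach Elliot recommends, as an added example that is not code from the thread, from rikaikun or from the Chromium project: a script injected into the page finds the text node and character offset under the pointer, expands that to a word, and draws a tooltip next to it. Everything it needs is ordinary page JavaScript, so no DLL and no renderer process access is involved. The `translate()` function is a hypothetical placeholder for the poster's own dictionary; `document.caretRangeFromPoint()` is the Chrome/WebKit API for point-to-caret mapping (Firefox's equivalent is `caretPositionFromPoint()`).

```javascript
// Added example (not from the original thread, rikaikun or Chromium):
// a Chrome extension content script that shows a tooltip with a
// translation of the word under the mouse pointer.
// Assumptions: a hypothetical translate() function, a manifest that
// injects this file, and Chrome's document.caretRangeFromPoint() API.

// Word characters: letters and digits in any script (CJK ideographs are
// \p{L} too), plus apostrophes and hyphens inside Latin words.
const WORD_CHAR = /[\p{L}\p{N}'-]/u;

// Pure helper: expand from a caret offset in `text` to the surrounding
// word. A caret at offset i sits between text[i-1] and text[i], so a
// hit on either side counts. Returns null on whitespace/punctuation.
function wordAt(text, offset) {
  if (typeof text !== 'string' || offset < 0 || offset > text.length) return null;
  const isWord = (i) => i >= 0 && i < text.length && WORD_CHAR.test(text[i]);
  let start = offset;
  let end = offset;
  if (!isWord(end) && !isWord(start - 1)) return null;
  while (isWord(start - 1)) start--;
  while (isWord(end)) end++;
  return { word: text.slice(start, end), start, end };
}

// Map a viewport position to the word beneath it and its screen rect.
function wordUnderPoint(x, y) {
  const range = document.caretRangeFromPoint(x, y);
  if (!range || range.startContainer.nodeType !== Node.TEXT_NODE) return null;
  const node = range.startContainer;
  const hit = wordAt(node.data, range.startOffset);
  if (!hit) return null;
  // A Range covering only the word gives us where to anchor the tooltip.
  const wordRange = document.createRange();
  wordRange.setStart(node, hit.start);
  wordRange.setEnd(node, hit.end);
  return { word: hit.word, rect: wordRange.getBoundingClientRect() };
}

// Hypothetical dictionary hook. A real extension would keep the dictionary
// in its background page and query it with chrome.runtime.sendMessage.
function translate(word) {
  return `[translation of "${word}"]`;
}

function installHoverTranslator() {
  const tip = document.createElement('div');
  tip.style.cssText = [
    'position:fixed', 'z-index:2147483647', 'background:#222', 'color:#fff',
    'padding:4px 8px', 'border-radius:4px', 'font:13px sans-serif',
    'pointer-events:none', 'display:none',
  ].join(';');
  document.documentElement.appendChild(tip);

  let lastWord = null;
  document.addEventListener('mousemove', (ev) => {
    const hit = wordUnderPoint(ev.clientX, ev.clientY);
    if (!hit) {
      tip.style.display = 'none';
      lastWord = null;
      return;
    }
    // Only re-run the lookup when the pointer moves onto a different word.
    if (hit.word !== lastWord) {
      lastWord = hit.word;
      tip.textContent = `${hit.word}: ${translate(hit.word)}`;
    }
    // getBoundingClientRect() is viewport-relative, matching position:fixed.
    tip.style.left = `${hit.rect.left}px`;
    tip.style.top = `${hit.rect.bottom + 4}px`;
    tip.style.display = 'block';
  });
}

// Only touch the DOM inside a page; the helpers above stay usable elsewhere.
if (typeof document !== 'undefined') installHoverTranslator();
```

To load it, the extension's manifest needs a `content_scripts` entry such as `{"matches": ["<all_urls>"], "js": ["hover.js"]}`; Chrome then injects the script into every matching page's isolated world, which is the only place an extension is meant to read page text. Note that `wordAt` returns the whole run of letters for CJK text, since there are no spaces to split on; a dictionary-driven popup handles that by trying progressively shorter prefixes of the run until one matches.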
