On Jan 21, 2016 9:41 AM, "Sebastian Lackner" <sebastian(a)fds-team.de> wrote:
... In this case it shouldn't matter (as far as I know NtOpenFile isn't intercepted by the Chromium Sandbox), however when thinking more carefully about it, heap functions could indeed be problematic. What we theoretically need is two sets of them, user mode calls are supposed to go through NtAllocateVirtualMemory, but kernel mode calls not. I'll do some more testing myself, so far I haven't found out which thunks exactly introduce the randomness in the Chromium sandboxing code. ...
Maybe this is being overly simplistic, but we do have both Zw* and Nt* entry points. It could make sense to use Zw* internally and route all the external calls through the thunks (Nt*). Best, Erich