From 03ab74e07db9cea8a47145671ee4b9bb16611e2d Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Mon, 25 Nov 2024 13:43:20 +0000
Subject: [PATCH] C++: Add more 'CommandExecutionFunction's.

---
 cpp/ql/lib/semmle/code/cpp/models/Models.qll | 1 +
 .../implementations/Win32CommandExecution.qll | 56 +++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 cpp/ql/lib/semmle/code/cpp/models/implementations/Win32CommandExecution.qll

diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
index 1e0b6cd33ed2..f6776a623ffe 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
@@ -49,3 +49,4 @@ private import implementations.PostgreSql
 private import implementations.System
 private import implementations.StructuredExceptionHandling
 private import implementations.ZMQ
+private import implementations.Win32CommandExecution
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Win32CommandExecution.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Win32CommandExecution.qll
new file mode 100644
index 000000000000..13d7ffae8075
--- /dev/null
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Win32CommandExecution.qll
@@ -0,0 +1,56 @@
+private import semmle.code.cpp.models.interfaces.CommandExecution
+
+/** The `ShellExecute` family of functions from Win32. */
+class ShellExecute extends Function {
+ ShellExecute() { this.hasGlobalName("ShellExecute" + ["", "A", "W"]) }
+}
+
+private class ShellExecuteModel extends ShellExecute, CommandExecutionFunction {
+ override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(2) }
+}
+
+/** The `WinExec` function from Win32. */
+class WinExec extends Function {
+ WinExec() { this.hasGlobalName("WinExec") }
+}
+
+private class WinExecModel extends WinExec, CommandExecutionFunction {
+ override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) }
+}
+
+/** The `CreateProcess` family of functions from Win32. */
+class CreateProcess extends Function {
+ CreateProcess() { this.hasGlobalName("CreateProcess" + ["", "A", "W"]) }
+}
+
+private class CreateProcessModel extends CreateProcess, CommandExecutionFunction {
+ override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) }
+}
+
+/** The `CreateProcessAsUser` family of functions from Win32. */
+class CreateProcessAsUser extends Function {
+ CreateProcessAsUser() { this.hasGlobalName("CreateProcessAsUser" + ["", "A", "W"]) }
+}
+
+private class CreateProcessAsUserModel extends CreateProcessAsUser, CommandExecutionFunction {
+ override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(1) }
+}
+
+/** The `CreateProcessWithLogonW` function from Win32. */
+class CreateProcessWithLogonW extends Function {
+ CreateProcessWithLogonW() { this.hasGlobalName("CreateProcessWithLogonW") }
+}
+
+private class CreateProcessWithLogonModel extends CreateProcessWithLogonW, CommandExecutionFunction {
+ override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(4) }
+}
+
+/** The `CreateProcessWithTokenW` function from Win32. */
+class CreateProcessWithTokenW extends Function {
+ CreateProcessWithTokenW() { this.hasGlobalName("CreateProcessWithTokenW") }
+}
+
+private class CreateProcessWithTokenWModel extends CreateProcessWithTokenW, CommandExecutionFunction
+{
+ override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(2) }
+}
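Review bot: Each of the four `CreateProcess*` models marks only `lpApplicationName` as the command argument (indices 0, 1, 4 and 2), so `lpCommandLine`, the parameter right after it, is never treated as a sink. Win32 callers commonly pass NULL for the application name and put the whole command in `lpCommandLine`, so queries built on `CommandExecutionFunction` would presumably stay silent when tainted data reaches exactly those calls. I would cover both parameters, e.g. `override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref([0, 1]) }` in `CreateProcessModel`, with `[1, 2]`, `[4, 5]` and `[2, 3]` in the other three models. The same gap applies to `lpParameters` (index 3) in `ShellExecuteModel`, and the `"ShellExecute" + ["", "A", "W"]` pattern does not match `ShellExecuteEx`; if either omission is deliberate, a one-line comment saying so would keep a later reader from assuming full coverage. The diffstat shows no test file, so a library test with one call per modelled function would pin these indices.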