1.8.0
DavidXanatos committed Feb 19, 2023
1 parent 9850c6d commit c97c90c
Showing 7 changed files with 98 additions and 76 deletions.
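--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 
 
-## [1.7.3 / 5.62.3] - 2023-02-??
+## [1.8.0 / 5.63.0] - 2023-02-??
 
 ### Added
 - Run menu now supports folders, to be used by entering foldername1\foldername2\entryname in the name column of the UI
@@ -33,6 +33,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - fixed issue starting services without a system token
 - fixed issues with new file migration settings [#2700](https://github.com/sandboxie-plus/Sandboxie/issues/2700)
 - fixed shell integration on ARM64 [#2685](https://github.com/sandboxie-plus/Sandboxie/issues/2685)
+- fixed new issues with driver verifier [#2708](https://github.com/sandboxie-plus/Sandboxie/issues/2708)
 
 
 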
51 changes: 41 additions & 10 deletions Sandboxie/core/drv/api.c
Expand Up @@ -1376,6 +1376,10 @@ _FX NTSTATUS Api_SetSecureParam(PROCESS* proc, ULONG64* parms)
NTSTATUS status = STATUS_SUCCESS;
API_SECURE_PARAM_ARGS *args = (API_SECURE_PARAM_ARGS *)parms;
HANDLE handle = NULL;
WCHAR* name = NULL;
ULONG name_len = 0;
UCHAR* data = NULL;
ULONG data_len = 0;

if (proc) {
status = STATUS_NOT_IMPLEMENTED;
Expand All @@ -1391,22 +1395,35 @@ _FX NTSTATUS Api_SetSecureParam(PROCESS* proc, ULONG64* parms)

UNICODE_STRING KeyPath;
RtlInitUnicodeString(&KeyPath, Api_ParamPath);

name_len = wcslen(args->param_name.val) + 1 * sizeof(WCHAR);
name = Mem_Alloc(Driver_Pool, name_len);
memcpy(name, args->param_name.val, name_len);
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName, args->param_name.val);
RtlInitUnicodeString(&ValueName, name);

OBJECT_ATTRIBUTES objattrs;
InitializeObjectAttributes(&objattrs, &KeyPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
ULONG Disp;
status = ZwCreateKey(&handle, KEY_WRITE, &objattrs, 0, NULL, REG_OPTION_NON_VOLATILE, &Disp);
if (status == STATUS_SUCCESS) {

status = ZwSetValueKey(handle, &ValueName, 0, REG_BINARY, (PVOID)args->param_data.val, args->param_size.val);
data_len = args->param_size.val;
data = Mem_Alloc(Driver_Pool, data_len);
memcpy(data, args->param_data.val, data_len);

status = ZwSetValueKey(handle, &ValueName, 0, REG_BINARY, (PVOID)data, data_len);
}

} __except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}

if (name)
Mem_Free(name, name_len);
if (data)
Mem_Free(data, data_len);

if(handle)
ZwClose(handle);

Expand All @@ -1425,6 +1442,10 @@ _FX NTSTATUS Api_GetSecureParam(PROCESS* proc, ULONG64* parms)
NTSTATUS status = STATUS_SUCCESS;
API_SECURE_PARAM_ARGS *args = (API_SECURE_PARAM_ARGS *)parms;
HANDLE handle = NULL;
WCHAR* name = NULL;
ULONG name_len = 0;
UCHAR* data = NULL;
ULONG data_len = 0;

if (proc) {
status = STATUS_NOT_IMPLEMENTED;
Expand All @@ -1435,32 +1456,42 @@ _FX NTSTATUS Api_GetSecureParam(PROCESS* proc, ULONG64* parms)

UNICODE_STRING KeyPath;
RtlInitUnicodeString(&KeyPath, Api_ParamPath);

name_len = wcslen(args->param_name.val) + 1 * sizeof(WCHAR);
name = Mem_Alloc(Driver_Pool, name_len);
memcpy(name, args->param_name.val, name_len);
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName, args->param_name.val);
RtlInitUnicodeString(&ValueName, name);

OBJECT_ATTRIBUTES objattrs;
InitializeObjectAttributes(&objattrs, &KeyPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = ZwOpenKey(&handle, KEY_WRITE, &objattrs);
if (status == STATUS_SUCCESS) {

UCHAR tempBuffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG64)];
PVOID buffer = args->param_size.val > sizeof(tempBuffer) ? args->param_data.val : tempBuffer;
ULONG length = args->param_size.val > sizeof(tempBuffer) ? args->param_size.val : sizeof(tempBuffer);
status = ZwQueryValueKey(handle, &ValueName, KeyValuePartialInformation, buffer, length, &length);
data_len = args->param_size.val + sizeof(KEY_VALUE_PARTIAL_INFORMATION);
data = Mem_Alloc(Driver_Pool, data_len);

ULONG length;
status = ZwQueryValueKey(handle, &ValueName, KeyValuePartialInformation, data, data_len, &length);
if (NT_SUCCESS(status))
{
PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer;
PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)data;
if (info->DataLength <= args->param_size.val)
memmove(args->param_data.val, info->Data, info->DataLength);
memcpy(args->param_data.val, info->Data, info->DataLength);
else
return STATUS_BUFFER_TOO_SMALL;
status = STATUS_BUFFER_TOO_SMALL;
}
}

} __except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}

if (name)
Mem_Free(name, name_len);
if (data)
Mem_Free(data, data_len);

if(handle)
ZwClose(handle);

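Review bot: The new length computation in Api_SetSecureParam, `name_len = wcslen(args->param_name.val) + 1 * sizeof(WCHAR);`, has a precedence bug — `1 * sizeof(WCHAR)` binds before `+`, so name_len is wcslen+2 bytes instead of (wcslen+1)*sizeof(WCHAR); the same line appears in Api_GetSecureParam's hunk. Because memcpy copies that same under-sized byte count into the new pool block, for any non-empty name the copy is truncated and may lack the terminating NUL, and `RtlInitUnicodeString(&ValueName, name)` then scans past the end of the allocation. Use `name_len = (ULONG)((wcslen(args->param_name.val) + 1) * sizeof(WCHAR));` in both functions. Separately, neither Mem_Alloc result is checked for NULL, `data_len = args->param_size.val` is taken from the caller with no upper bound, and the user buffers are read via wcslen/memcpy with only the __try block as protection — a ProbeForRead plus a sane size cap would make the kernel/user boundary explicit. Both functions begin outside their hunks.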
9 changes: 1 addition & 8 deletions Sandboxie/core/drv/ipc.c
Expand Up @@ -1444,7 +1444,7 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)

if (NT_SUCCESS(status)) {

status = ZwDuplicateObject(
status = NtDuplicateObject(
SourceProcessHandle, SourceHandle,
TargetProcessHandle, &DuplicatedHandle,
DesiredAccess, HandleAttributes, Options);
Expand Down Expand Up @@ -1904,19 +1904,12 @@ _FX void Ipc_Unload(void)
if (Ipc_DirLock == NULL)
return; // Early driver initialization failed

KIRQL irql;
KeRaiseIrql(APC_LEVEL, &irql);
ExAcquireResourceExclusiveLite(Ipc_DirLock, TRUE);

DIR_OBJ_HANDLE* obj_handle = List_Head(&Ipc_ObjDirs);
while (obj_handle) {

ZwClose(obj_handle->handle);
obj_handle = List_Next(obj_handle);
}

ExReleaseResourceLite(Ipc_DirLock);
KeLowerIrql(irql);

Mem_FreeLockResource(&Ipc_DirLock);
}
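Review bot: Ipc_Unload now iterates Ipc_ObjDirs and calls ZwClose without acquiring Ipc_DirLock, and nothing in the hunk records the invariant that makes this safe; add a comment such as `// no lock: at unload nothing else touches Ipc_ObjDirs, and ZwClose must run at PASSIVE_LEVEL (raising to APC_LEVEL here tripped driver verifier)` so the next reader does not re-add the lock. The reason the list is quiescent at this point (callbacks already unregistered, no outstanding API calls) is not visible here and is worth confirming. The first hunk's switch from ZwDuplicateObject to NtDuplicateObject in Ipc_Api_DuplicateObject also deserves a one-line comment, since drivers conventionally call Zw*; the Nt form keeps the requesting thread's previous mode, so user-supplied handles are validated as user handles, which appears to be the intent.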
9 changes: 1 addition & 8 deletions Sandboxie/core/drv/process_low.c
Expand Up @@ -263,7 +263,7 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
if (proc) {

//
// the service synamically allocates a per box SID to be used,
// the service dynamically allocates a per box SID to be used,
// if no SID is provided this feature is either disabled or failed
// then we fall back to using the default anonymous SID
//
Expand All @@ -285,13 +285,6 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
status = GetExceptionCode();
}

//
// the service tells us if we should drop admin rights for this process,
// however if security mode is enabled we always drop admin rights
//

proc->drop_rights = proc->use_security_mode || parms[3] != FALSE;

KeSetEvent(Process_Low_Event, 0, FALSE);
status = STATUS_SUCCESS;

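Review bot: Removing the `proc->drop_rights` assignment from Process_Low_Api_InjectComplete means any reader of that field that runs between inject-complete and Token_FilterPrimary (where the commit now sets it) would see the field's initial value; that ordering is not visible in the hunk and should be confirmed. Deriving the flag inside the driver from the box configuration instead of from the service-supplied `parms[3]` is the right direction, since the driver no longer has to trust the service for a security decision. Process_Low_Api_InjectComplete continues outside the hunk.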
94 changes: 49 additions & 45 deletions Sandboxie/core/drv/thread.c
Expand Up @@ -1171,56 +1171,60 @@ _FX ACCESS_MASK Thread_CheckObject_CommonEx(

if (!proc || proc->bHostInject) { // caller is not sandboxed

KIRQL irql;
PROCESS* proc2 = Process_Find(pid, &irql);
BOOLEAN protect_process = FALSE;

if (proc2 && !proc2->bHostInject) { // target is sandboxed

ACCESS_MASK WriteAccess;
if (EntireProcess)
WriteAccess = (DesiredAccess & PROCESS_DENIED_ACCESS_MASK);
else
WriteAccess = (DesiredAccess & THREAD_DENIED_ACCESS_MASK);

if (WriteAccess || proc2->confidential_box) {

void* nbuf = 0;
ULONG nlen = 0;
WCHAR* nptr = 0;
Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr);
if (nbuf) {

protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);

//
// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
// and a few others
//

if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) {
if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0)
|| (_wcsicmp(nptr, L"conhost.exe") == 0)
|| (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0))
protect_process = FALSE;
if (Process_Find(pid, NULL)) { // target is sandboxed - lock free check

void* nbuf = 0;
ULONG nlen = 0;
WCHAR* nptr = 0;
Process_GetProcessName(Driver_Pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr); // driver verifier: when calling this IRQL must be PASSIVE_LEVEL
if (nbuf) {

BOOLEAN protect_process = FALSE;

KIRQL irql;
PROCESS* proc2 = Process_Find(pid, &irql);

if (proc2 && !proc2->bHostInject) {

ACCESS_MASK WriteAccess;
if (EntireProcess)
WriteAccess = (DesiredAccess & PROCESS_DENIED_ACCESS_MASK);
else
WriteAccess = (DesiredAccess & THREAD_DENIED_ACCESS_MASK);

if (WriteAccess || proc2->confidential_box) {

protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);

//
// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
// and a few others
//

if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) {
if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0)
|| (_wcsicmp(nptr, L"conhost.exe") == 0)
|| (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0))
protect_process = FALSE;
}

if (protect_process) {
WCHAR msg_str[256];
RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Protect boxed processes %s (%d) from %s (%d) requesting 0x%08X", proc2->image_name, (ULONG)pid, nptr, (ULONG)cur_pid, DesiredAccess);
Session_MonitorPut(MONITOR_IMAGE | MONITOR_TRACE, msg_str, pid);
}
}
}

if (protect_process) {
WCHAR msg_str[256];
RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Protect boxed processes %s (%d) from %s (%d) requesting 0x%08X", proc2->image_name, (ULONG)pid, nptr, (ULONG)cur_pid, DesiredAccess);
Session_MonitorPut(MONITOR_IMAGE | MONITOR_TRACE, msg_str, pid);
}
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);

Mem_Free(nbuf, nlen);
}
Mem_Free(nbuf, nlen);

if (protect_process)
return 0; // deny access
}
}

ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);

if (protect_process)
return 0; // deny access
}

//
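Review bot: The new `Process_Find(pid, NULL)` pre-check walks the process list without the lock, so its result is only a hint; the code is correct because the target is looked up again with `Process_Find(pid, &irql)` and re-tested with `!proc2->bHostInject` under Process_ListLock, and a comment should say so, e.g. `// lock-free pre-check only; the authoritative lookup is repeated under Process_ListLock below`. Whether Process_Find tolerates concurrent list modification when called with a NULL irql cannot be seen here and should be confirmed against its definition. Note also that when Process_GetProcessName returns no buffer, protect_process stays FALSE and access is granted (fail-open); that is unchanged from the old code, but the restructuring moves it one level further from the decision, so a `// no name -> no DenyHostAccess check, access allowed` comment would make the behaviour explicit. Thread_CheckObject_CommonEx continues past the hunk.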
2 changes: 2 additions & 0 deletions Sandboxie/core/drv/token.c
Expand Up @@ -519,6 +519,8 @@ _FX void *Token_FilterPrimary(PROCESS *proc, void *ProcessObject)

// DbgPrint(" Process Token %08X - %d <%S>\n", PrimaryToken, proc->pid, proc->image_name);

proc->drop_rights = proc->use_security_mode || Process_GetConf_bool(proc, L"DropAdminRights", FALSE);

DropRights = (proc->drop_rights ? -1 : 0);

// DbgPrint(" Drop rights %d - %d <%S>\n", proc->drop_rights, proc->pid, proc->image_name);
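Review bot: The new drop_rights assignment in Token_FilterPrimary carries none of the rationale the removed process_low.c comment had; suggest `// security mode always drops admin rights; otherwise the box's DropAdminRights setting decides (evaluated in the driver rather than trusted from the service)`. Token_FilterPrimary starts outside the hunk.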
6 changes: 2 additions & 4 deletions Sandboxie/core/svc/DriverAssistInject.cpp
Expand Up @@ -118,12 +118,10 @@ void DriverAssist::InjectLow(void *_msg)
// notify driver that we successfully injected the lowlevel code
//

BOOL drop_rights = SbieDll_GetSettingsForName_bool(boxname, exename, L"DropAdminRights", FALSE);

if (GetSandboxieSID(boxname, SandboxieLogonSid, sizeof(SandboxieLogonSid)))
status = SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, SandboxieLogonSid, drop_rights);
status = SbieApi_Call(API_INJECT_COMPLETE, 2, (ULONG_PTR)msg->process_id, SandboxieLogonSid);
else // if that fails or is not enabled we fall back to using the anonymous logon token
status = SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, drop_rights);
status = SbieApi_Call(API_INJECT_COMPLETE, 1, (ULONG_PTR)msg->process_id);

if (status == 0)
errlvl = 0;
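Review bot: The fallback call now passes argc 1, so the driver's SID slot (presumably `parms[2]`, given the removed `parms[3]` was drop_rights) is whatever SbieApi_Call leaves there rather than the explicit NULL the old call passed; unless SbieApi_Call zero-fills unused slots, which is not visible here, the driver's "no SID provided" path could see a stale value. Passing it explicitly, `status = SbieApi_Call(API_INJECT_COMPLETE, 2, (ULONG_PTR)msg->process_id, NULL);`, keeps the contract unambiguous. DriverAssist::InjectLow begins and ends outside the hunk.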
