2020-06-18 16:44:29 +01:00
|
|
|
#include "stdafx.h"
|
|
|
|
|
#include "SbiePlusAPI.h"
|
2020-07-19 21:09:02 +01:00
|
|
|
#include "..\MiscHelpers\Common\Common.h"
|
2020-06-18 16:44:29 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
CSbiePlusAPI::CSbiePlusAPI(QObject* parent) : CSbieAPI(parent)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CSbiePlusAPI::~CSbiePlusAPI()
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CSandBox* CSbiePlusAPI::NewSandBox(const QString& BoxName, class CSbieAPI* pAPI)
|
|
|
|
|
{
|
|
|
|
|
return new CSandBoxPlus(BoxName, pAPI);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CBoxedProcess* CSbiePlusAPI::NewBoxedProcess(quint64 ProcessId, class CSandBox* pBox)
|
|
|
|
|
{
|
|
|
|
|
return new CBoxedProcess(ProcessId, pBox);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
// CSandBox
|
|
|
|
|
//
|
|
|
|
|
|
|
|
|
|
CSandBoxPlus::CSandBoxPlus(const QString& BoxName, class CSbieAPI* pAPI) : CSandBox(BoxName, pAPI)
|
|
|
|
|
{
|
|
|
|
|
m_bLogApiFound = false;
|
2020-07-04 11:07:36 +01:00
|
|
|
m_bINetBlocked = false;
|
|
|
|
|
m_bSharesAllowed = false;
|
|
|
|
|
m_bDropRights = false;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
m_bSecurityRestricted = false;
|
|
|
|
|
m_iUnsecureDebugging = 0;
|
2020-06-18 16:44:29 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CSandBoxPlus::~CSandBoxPlus()
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void CSandBoxPlus::UpdateDetails()
|
|
|
|
|
{
|
2020-07-04 11:07:36 +01:00
|
|
|
m_bLogApiFound = GetTextList("OpenPipePath").contains("\\Device\\NamedPipe\\LogAPI");
|
|
|
|
|
|
2020-11-03 15:45:04 +00:00
|
|
|
m_bINetBlocked = false;
|
|
|
|
|
foreach(const QString& Entry, GetTextList("ClosedFilePath"))
|
|
|
|
|
{
|
|
|
|
|
if (Entry.contains("InternetAccessDevices")) {
|
|
|
|
|
m_bINetBlocked = true;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-07-04 11:07:36 +01:00
|
|
|
|
|
|
|
|
m_bSharesAllowed = GetBool("BlockNetworkFiles", true) == false;
|
|
|
|
|
|
|
|
|
|
m_bDropRights = GetBool("DropAdminRights", false);
|
2020-06-18 16:44:29 +01:00
|
|
|
|
2020-07-04 11:07:36 +01:00
|
|
|
if (CheckOpenToken())
|
|
|
|
|
m_iUnsecureDebugging = 1;
|
|
|
|
|
else if(GetBool("ExposeBoxedSystem", false) || GetBool("UnrestrictedSCM", false))
|
|
|
|
|
m_iUnsecureDebugging = 2;
|
|
|
|
|
else
|
|
|
|
|
m_iUnsecureDebugging = 0;
|
2020-06-19 22:12:57 +01:00
|
|
|
|
2020-07-04 11:07:36 +01:00
|
|
|
//GetBool("SandboxieLogon", false)
|
|
|
|
|
|
|
|
|
|
m_bSecurityRestricted = m_iUnsecureDebugging == 0 && (GetBool("DropAdminRights", false) || GetBool("ProtectRpcSs", false) || !GetBool("OpenDefaultClsid", true));
|
2020-06-18 16:44:29 +01:00
|
|
|
|
|
|
|
|
CSandBox::UpdateDetails();
|
2020-07-04 11:07:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
QString CSandBoxPlus::GetStatusStr() const
|
|
|
|
|
{
|
|
|
|
|
QStringList Status;
|
|
|
|
|
|
|
|
|
|
if (m_iUnsecureDebugging == 1)
|
|
|
|
|
Status.append(tr("NOT SECURE (Debug Config)"));
|
|
|
|
|
else if (m_iUnsecureDebugging == 2)
|
|
|
|
|
Status.append(tr("Reduced Isolation"));
|
|
|
|
|
else if(m_bSecurityRestricted)
|
|
|
|
|
Status.append(tr("Enhanced Isolation"));
|
|
|
|
|
|
|
|
|
|
if (m_bLogApiFound)
|
|
|
|
|
Status.append(tr("API Log"));
|
|
|
|
|
if (m_bINetBlocked)
|
|
|
|
|
Status.append(tr("No INet"));
|
|
|
|
|
if (m_bSharesAllowed)
|
|
|
|
|
Status.append(tr("Net Share"));
|
|
|
|
|
if (m_bDropRights)
|
|
|
|
|
Status.append(tr("No Admin"));
|
|
|
|
|
|
|
|
|
|
if (Status.isEmpty())
|
|
|
|
|
return tr("Normal");
|
|
|
|
|
return Status.join(", ");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool CSandBoxPlus::CheckOpenToken() const
|
|
|
|
|
{
|
|
|
|
|
if (GetBool("OpenToken", false)) return true;
|
|
|
|
|
if(GetBool("UnrestrictedToken", false)) return true;
|
|
|
|
|
if (!GetBool("AnonymousLogon", true)) return true;
|
|
|
|
|
if (GetBool("KeepTokenIntegrity", false)) return true;
|
|
|
|
|
if(GetBool("UnfilteredToken", false)) return true;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void CSandBoxPlus::SetLogApi(bool bEnable)
|
|
|
|
|
{
|
|
|
|
|
if (bEnable)
|
|
|
|
|
{
|
|
|
|
|
InsertText("OpenPipePath", "\\Device\\NamedPipe\\LogAPI");
|
|
|
|
|
InsertText("InjectDll", "\\LogAPI\\logapi32.dll");
|
|
|
|
|
InsertText("InjectDll64", "\\LogAPI\\logapi64.dll");
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
DelValue("OpenPipePath", "\\Device\\NamedPipe\\LogAPI");
|
|
|
|
|
DelValue("InjectDll", "\\LogAPI\\logapi32.dll");
|
|
|
|
|
DelValue("InjectDll64", "\\LogAPI\\logapi64.dll");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void CSandBoxPlus::SetINetBlock(bool bEnable)
|
|
|
|
|
{
|
|
|
|
|
if (bEnable)
|
2020-11-03 15:45:04 +00:00
|
|
|
InsertText("ClosedFilePath", "!<InternetAccess>,InternetAccessDevices");
|
2020-07-04 11:07:36 +01:00
|
|
|
else
|
2020-11-03 15:45:04 +00:00
|
|
|
DelValue("ClosedFilePath", "!<InternetAccess>,InternetAccessDevices");
|
2020-07-04 11:07:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void CSandBoxPlus::SetAllowShares(bool bEnable)
|
|
|
|
|
{
|
2020-07-19 21:09:02 +01:00
|
|
|
SetBool("BlockNetworkFiles", !bEnable);
|
2020-07-04 11:07:36 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void CSandBoxPlus::SetDropRights(bool bEnable)
|
|
|
|
|
{
|
|
|
|
|
SetBool("DropAdminRights", bEnable);
|
|
|
|
|
}
|
