ipc.c rolback to 1.14.0

https://github.com/sandboxie-plus/Sandboxie/issues/4012
2024-06-24 14:57:04 +02:00 · 2024-06-24 14:57:04 +02:00 · 0239e66827
parent 1c8037591f
commit 0239e66827
1 changed files with 32 additions and 38 deletions
--- a/Sandboxie/core/drv/ipc.c
+++ b/Sandboxie/core/drv/ipc.c
@ -1402,15 +1402,22 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
    } else if (IS_ARG_CURRENT_PROCESS(TargetProcessHandle)) {
        //
        // we duplicate the handle into kernel space such that that user 
        // won't be able to grab it while we are evaluaiting it
        //
        HANDLE SourceProcessKernelHandle;
        status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle);
        if (NT_SUCCESS(status)) {
            HANDLE TargetProcessKernelHandle = ZwCurrentProcess(); // TargetProcessHandle == NtCurrentProcess();
-            HANDLE SourceKernelHandle;
+            //
-            status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);
+            // driver verifier wants us to provide a kernel handle as process handles
-            if (NT_SUCCESS(status)) {
+            // but the source handle must be a user handle and the ZwDuplicateObject
            // function creates another user handle hence NtClose
            //
            status = ZwDuplicateObject(
                SourceProcessKernelHandle, SourceHandle,
@ -1425,9 +1432,6 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
                NtClose(DuplicatedHandle);
            }
                ZwClose(SourceKernelHandle);
            }
            ZwClose(SourceProcessKernelHandle);
        }
@ -1440,40 +1444,30 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
    if (NT_SUCCESS(status)) {
-        HANDLE SourceProcessKernelHandle = ZwCurrentProcess();
+        HANDLE SourceProcessKernelHandle = (HANDLE)-1;
        HANDLE TargetProcessKernelHandle = (HANDLE)-1;
        if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle)) 
            status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle);
        if (NT_SUCCESS(status)) {
            HANDLE TargetProcessKernelHandle = ZwCurrentProcess();
            if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle))
                status = Thread_GetKernelHandleForUserHandle(&TargetProcessKernelHandle, TargetProcessHandle);
            if (NT_SUCCESS(status)) {
                HANDLE SourceKernelHandle;
                status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);
                if (NT_SUCCESS(status)) {
                status = ZwDuplicateObject(
-                        SourceProcessKernelHandle, SourceKernelHandle,
+                    SourceProcessKernelHandle, SourceHandle,
                    TargetProcessKernelHandle, &DuplicatedHandle,
-                        DesiredAccess, HandleAttributes, Options & ~DUPLICATE_CLOSE_SOURCE);
+                    DesiredAccess, HandleAttributes, Options);
                    if (Options & DUPLICATE_CLOSE_SOURCE)
                        NtClose(SourceHandle);
                *TargetHandle = DuplicatedHandle;
-
+            }
                    ZwClose(SourceKernelHandle);
        }
-                if (!IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle))
+        if (SourceProcessKernelHandle && !IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle))
                    ZwClose(TargetProcessKernelHandle);
            }
            if (!IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle))
            ZwClose(SourceProcessKernelHandle);
-        }
+        if (TargetProcessKernelHandle && !IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle))
            ZwClose(TargetProcessKernelHandle);
    }
    //