Build 0.5.4

This commit is contained in:
DavidXanatos 2021-01-07 20:01:21 +01:00
parent 9549515544
commit 124d926c65
44 changed files with 1257 additions and 666 deletions


@ -3,6 +3,46 @@ All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).
## [0.5.4 / 5.46.0] - 2021-01-06
### Added
- Sandboxie now strips particularly problematic privileges from sandboxed system tokens
-- with those a process could atempt to bypass the sandbox isolation (thanks Diversenok)
-- old legacy behavior can be enabled with "StripSystemPrivileges=n" (absolutely NOT Recommended)
- added new isolation options "ClosePrintSpooler=y" and "OpenSmartCard=n"
-- those resources are open by default but for a hardened box its desired to close them
- added print spooler filter to prevent printers from being set up outside the sandbox
-- the filter can be disabled with "OpenPrintSpooler=y"
- added overwrite prompt when recovering an already existing file
- added "StartProgram=", "StartService=" and "AutoExec=" options to the SandMan UI
- added more compatybility templates (thanks isaak654)
### Changed
- Changed Emulated SCM behavior, boxed services are no longer by default started as boxed system
-- use "RunServicesAsSystem=y" to enable the old legacy behavior
-- Note: sandboxed services with a system token are still sandboxed and restricted
-- However not granting them a system token in the first place removes possible exploit vectors
-- Note: this option is not compatible with "ProtectRpcSs=y" and takes precedence!
- Reworked dynamic IPC port handling
- Improved Resource Monitor status strings
### Fixed
- fixed a critical issue that allowed to create processes outside the sandbox (thanks Diversenok)
- fixed issues with dynamic IPC port handling that allowed to bypass IPC isolation
- fixed issue with ipc tracing
- fixed CVE-2019-13502 "\RPC Control\LSARPC_ENDPOINT" is now filtered by the driver (thanks Diversenok)
-- this allowed some system options to be changed, to disable filtering use "OpenLsaEndpoint=y"
- fixed hooking issues SBIE2303 with chrome, edge and possibly others
- fixed failed check for running processes when performing snapshot operations
- fixed some box option checkboxes were not properly initialized
- fixed unavailable options are not properly disabled when sandman is not connected to the driver
- fixed MSI instalelr issue, not being able to create "C:\Config.Msi" folder on windows 20H2
- added missing localization to generic list commands
- fixed issue with "iconcache_*" when runngin sandboxed explorer
- fixed more issues with groups
## [0.5.3b / 5.45.2] - 2021-01-02
### Added
@ -56,7 +96,6 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [0.5.2a / 5.45.1] - 2020-12-23
### Fixed


@ -1,7 +1,7 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.960
# Visual Studio Version 16
VisualStudioVersion = 16.0.30804.86
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SboxSvc", "core\svc\SboxSvc.vcxproj", "{2D3DBCAE-883E-54A6-F8F6-11228D989033}"
ProjectSection(ProjectDependencies) = postProject
@ -98,6 +98,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Docs", "Docs", "{666D2193-3
EndProjectSection
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "com", "com", "{7495BFF6-A576-4B96-9071-10CF956368FC}"
ProjectSection(SolutionItems) = preProject
apps\com\common.h = apps\com\common.h
apps\com\header.h = apps\com\header.h
apps\com\privs.h = apps\com\privs.h
EndProjectSection
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "core", "core", "{E9D1318A-FAF0-4EF8-8561-FCB03862AC99}"
EndProject


@ -196,20 +196,7 @@ _FX ULONG FindProcessId(
return ret_pid;
}
//---------------------------------------------------------------------------
// Service Control Manager handles
//---------------------------------------------------------------------------
#define SC_HANDLE_MIN ((SC_HANDLE)0x12345670)
#define SC_HANDLE_BITS ((SC_HANDLE)0x12345671)
#define SC_HANDLE_RPCSS ((SC_HANDLE)0x12345672)
#define SC_HANDLE_MSISERVER ((SC_HANDLE)0x12345673)
#define SC_HANDLE_EVENTSYSTEM ((SC_HANDLE)0x12345674)
#define SC_HANDLE_MAX ((SC_HANDLE)0x12345679)
#define SC_HANDLE_IS_FAKE(h) ((h) > SC_HANDLE_MIN && (h) < SC_HANDLE_MAX)
#include "header.h"
//---------------------------------------------------------------------------
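Review bot: `#include "header.h"` is placed where the SC_HANDLE_* block used to live, which leaves a `#include` in the middle of the file after FindProcessId; moving it to the file's include block at the top keeps the dependencies in one place and avoids surprising a reader who expects includes before code. FindProcessId's body begins outside the hunk.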


@ -0,0 +1,32 @@
/*
* Copyright 2004-2020 Sandboxie Holdings, LLC
* Copyright 2020 David Xanatos, xanasoft.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
//---------------------------------------------------------------------------
// Service Control Manager handles
//---------------------------------------------------------------------------
#define SC_HANDLE_MIN ((SC_HANDLE)0x12345670)
#define SC_HANDLE_BITS ((SC_HANDLE)0x12345671)
#define SC_HANDLE_RPCSS ((SC_HANDLE)0x12345672)
#define SC_HANDLE_MSISERVER ((SC_HANDLE)0x12345673)
#define SC_HANDLE_EVENTSYSTEM ((SC_HANDLE)0x12345674)
#define SC_HANDLE_MAX ((SC_HANDLE)0x12345679)
#define SC_HANDLE_IS_FAKE(h) ((h) > SC_HANDLE_MIN && (h) < SC_HANDLE_MAX)
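Review bot: The new header.h has no include guard or `#pragma once` and uses the `SC_HANDLE` type without including anything that declares it, so it compiles only when the includer has already pulled in the Windows headers (scm.c includes it after win32_ntddk.h; the apps/com includer adds it mid-file). Wrap the body in a guard with an identifier of your choosing (`#ifndef`/`#define`/`#endif`) and state the dependency, e.g. `// requires SC_HANDLE (windows.h) to be declared before this header is included`. Since the header is now shared by apps/com and core/dll, a one-line comment noting that these fake handle values are part of the contract between the two sides would help the next maintainer.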


@ -21,9 +21,9 @@
#ifndef _MY_VERSION_H
#define _MY_VERSION_H
#define MY_VERSION_BINARY 5,45,2
#define MY_VERSION_STRING "5.45.2"
#define MY_VERSION_COMPAT "5.45.0" // this refers to the driver ABI compatibility
#define MY_VERSION_BINARY 5,46,0
#define MY_VERSION_STRING "5.46.0"
#define MY_VERSION_COMPAT "5.46.0" // this refers to the driver ABI compatibility
// These #defines are used by either Resource Compiler, or by NSIC installer
#define SBIE_INSTALLER_PATH "..\\Bin\\"


@ -17,7 +17,6 @@
<ClCompile Include="obj.c" />
<ClCompile Include="pdh.c" />
<ClCompile Include="proc.c" />
<ClCompile Include="rpcrt.c" />
<ClCompile Include="secure.c" />
<ClCompile Include="setup.c" />
<ClCompile Include="sfc.c" />
@ -171,6 +170,9 @@
<ClCompile Include="..\..\common\my_ntdll.c">
<Filter>common</Filter>
</ClCompile>
<ClCompile Include="rpcrt.c">
<Filter>ipc</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="advapi.h" />
@ -233,12 +235,6 @@
<None Include="util_32.asm">
<Filter>hook</Filter>
</None>
<None Include="..\..\common\NtCRT\x64\ntdll.def">
<Filter>common</Filter>
</None>
<None Include="..\..\common\NtCRT\x86\ntdll.def">
<Filter>common</Filter>
</None>
</ItemGroup>
<ItemGroup>
<Filter Include="scm">
@ -284,5 +280,7 @@
<CustomBuild Include="..\..\common\NtCRT\x86\except_handler3.asm">
<Filter>common</Filter>
</CustomBuild>
<CustomBuild Include="..\..\common\NtCRT\x64\ntdll.def" />
<CustomBuild Include="..\..\common\NtCRT\x86\ntdll.def" />
</ItemGroup>
</Project>


@ -1369,9 +1369,9 @@ _FX BOOLEAN Com_Init_ComBase(HMODULE module)
}
{
WCHAR buf[96];
NTSTATUS status = SbieApi_QueryConfAsIs(NULL, L"ClsidTrace", 0, buf, 90 * sizeof(WCHAR));
if (buf[0] == L'*')
// If there are any ClsidTrace options set, then output this debug string
WCHAR wsTraceOptions[4];
if (SbieApi_QueryConf(NULL, L"ClsidTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS && wsTraceOptions[0] != L'\0')
Com_TraceFlag = TRUE;
}


@ -88,6 +88,7 @@ enum {
DLL_IMAGE_SANDBOXIE_WUAU,
DLL_IMAGE_SANDBOXIE_BITS,
DLL_IMAGE_SANDBOXIE_SBIESVC,
DLL_IMAGE_MSI_INSTALLER,
DLL_IMAGE_TRUSTED_INSTALLER,
DLL_IMAGE_WUAUCLT,
DLL_IMAGE_SHELL_EXPLORER,


@ -545,6 +545,7 @@ _FX void Dll_SelectImageType(void)
SANDBOXIE L"BITS.exe", (WCHAR *)DLL_IMAGE_SANDBOXIE_BITS,
SBIESVC_EXE, (WCHAR *)DLL_IMAGE_SANDBOXIE_SBIESVC,
L"msiexec.exe", (WCHAR *)DLL_IMAGE_MSI_INSTALLER,
L"TrustedInstaller.exe", (WCHAR *)DLL_IMAGE_TRUSTED_INSTALLER,
L"TiWorker.exe", (WCHAR *)DLL_IMAGE_TRUSTED_INSTALLER,
L"wuauclt.exe", (WCHAR *)DLL_IMAGE_WUAUCLT,


@ -419,8 +419,6 @@ _FX ULONG SbieDll_MatchPath2(WCHAR path_code, const WCHAR *path, BOOLEAN bCheckO
if (monflag) {
if (! monflag)
monflag = MONITOR_IPC;
if (PATH_IS_CLOSED(mp_flags))
monflag |= MONITOR_DENY;
else if (PATH_IS_OPEN(mp_flags))


@ -3154,8 +3154,8 @@ ReparseLoop:
ptr = wcsstr(TempPath,
L"\\microsoft\\windows\\explorer\\");
if (ptr && ( wcscmp(ptr + 28, L"thumbcache_") == 0
|| wcscmp(ptr + 28, L"iconcache_") == 0)) {
if (ptr && ( wcsncmp(ptr + 28, L"thumbcache_", 11) == 0
|| wcsncmp(ptr + 28, L"iconcache_", 10) == 0)) {
WithContents = FALSE;
}
@ -4841,6 +4841,22 @@ _FX NTSTATUS File_NtQueryFullAttributesFile(
{
NTSTATUS status = File_NtQueryFullAttributesFileImpl(ObjectAttributes, FileInformation);
if (status == STATUS_OBJECT_NAME_NOT_FOUND && Dll_ImageType == DLL_IMAGE_MSI_INSTALLER
&& ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL
// ObjectAttributes->ObjectName == "\\??\\C:\\Config.Msi" // or any other system drive
&& ObjectAttributes->ObjectName->Buffer && ObjectAttributes->ObjectName->Length == 34
&& _wcsicmp(ObjectAttributes->ObjectName->Buffer + 6, L"\\Config.Msi") == 0
) {
//
// MSI bug: this must not fail, hence we create the directory and retry
//
CreateDirectory(ObjectAttributes->ObjectName->Buffer, NULL);
status = File_NtQueryFullAttributesFileImpl(ObjectAttributes, FileInformation);
}
status = StopTailCallOptimization(status);
return status;
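Review bot: The Config.Msi workaround in File_NtQueryFullAttributesFile treats `ObjectAttributes->ObjectName->Buffer` as a NUL-terminated string in both `_wcsicmp(Buffer + 6, ...)` and `CreateDirectory(Buffer, NULL)`, but a UNICODE_STRING is only guaranteed valid for `Length` bytes; the `Length == 34` check does not imply a terminator, so the compare can read past the buffer and CreateDirectory can receive trailing characters. Bound the compare with `_wcsnicmp` over the 11 characters of `\Config.Msi` and copy the 17 characters into a local, terminated buffer before calling CreateDirectory. The function's signature and closing brace lie outside the hunk.

```c
    if (status == STATUS_OBJECT_NAME_NOT_FOUND && Dll_ImageType == DLL_IMAGE_MSI_INSTALLER
        && ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL
        // ObjectAttributes->ObjectName == "\\??\\C:\\Config.Msi" // or any other system drive
        && ObjectAttributes->ObjectName->Buffer && ObjectAttributes->ObjectName->Length == 34
        && _wcsnicmp(ObjectAttributes->ObjectName->Buffer + 6, L"\\Config.Msi", 11) == 0
        ) {
        //
        // MSI bug: this must not fail, hence we create the directory and retry.
        // The UNICODE_STRING buffer need not be NUL-terminated; copy its 17 chars first.
        //
        WCHAR path[18];
        wmemcpy(path, ObjectAttributes->ObjectName->Buffer, 17);
        path[17] = L'\0';
        CreateDirectory(path, NULL);
        status = File_NtQueryFullAttributesFileImpl(ObjectAttributes, FileInformation);
    }
```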


@ -2592,7 +2592,7 @@ _FX void *Gui_CallProxyEx(
}
}
SbieApi_Log(2203, L"%S - %S [%08X]", _QueueName, Dll_ImageName, status);
SbieApi_Log(2203, L"%S; MsgId: %d - %S [%08X]", _QueueName, *(ULONG*)req, Dll_ImageName, status);
SetLastError(ERROR_SERVER_DISABLED);
return NULL;
}


@ -1213,7 +1213,7 @@ _FX LONG Gui_GetRawInputDeviceInfo_impl(
LPVOID reqData = (BYTE*)req + sizeof(GUI_GET_RAW_INPUT_DEVICE_INFO_REQ);
req->msgid = GUI_GET_RAW_INPUT_DEVICE_INFO;
req->hDevice = hDevice;
req->hDevice = (ULONG64)hDevice;
req->uiCommand = uiCommand;
req->unicode = bUnicode;
if (lenData) {


@ -173,7 +173,7 @@ _FX BOOLEAN Ipc_StartServer(const WCHAR *TruePath, BOOLEAN Async)
Sbie_snwprintf(fullpath, 512, L"\"%s\\%s\"", homedir, program);
//
// Note: many proesses started by DcomLaunch must be started as user this is currently a bit broken,
// Note: many processes started by DcomLaunch must be started as user this is currently a bit broken,
// see Proc_CreateProcessInternalW_RS5 so for successfull operation in most cases we can't run RpcSs with a system token
// Fix-Me: fix Proc_CreateProcessInternalW_RS5 and make prtected RpcSs and subsequently DcomLaunch the deault
//


@ -74,6 +74,11 @@ static BOOL Proc_UpdateProcThreadAttribute(
_Out_writes_bytes_opt_(cbSize) PVOID lpPreviousValue,
_In_opt_ PSIZE_T lpReturnSize);
static BOOL Proc_SetProcessMitigationPolicy(
_In_ PROCESS_MITIGATION_POLICY MitigationPolicy,
_In_reads_bytes_(dwLength) PVOID lpBuffer,
_In_ SIZE_T dwLength);
static BOOL Proc_AlternateCreateProcess(
const WCHAR *lpApplicationName, WCHAR *lpCommandLine,
void *lpCurrentDirectory, LPPROCESS_INFORMATION lpProcessInformation,
@ -264,6 +269,11 @@ typedef BOOL(*P_UpdateProcThreadAttribute)(
_Out_writes_bytes_opt_(cbSize) PVOID lpPreviousValue,
_In_opt_ PSIZE_T lpReturnSize);
typedef BOOL (*P_SetProcessMitigationPolicy)(
_In_ PROCESS_MITIGATION_POLICY MitigationPolicy,
_In_reads_bytes_(dwLength) PVOID lpBuffer,
_In_ SIZE_T dwLength);
//---------------------------------------------------------------------------
@ -296,6 +306,8 @@ static P_GetLengthSid __sys_GetLengthSid = NULL;*/
static P_UpdateProcThreadAttribute __sys_UpdateProcThreadAttribute = NULL;
static P_SetProcessMitigationPolicy __sys_SetProcessMitigationPolicy = NULL;
//---------------------------------------------------------------------------
// Variables
//---------------------------------------------------------------------------
@ -372,6 +384,17 @@ _FX BOOLEAN Proc_Init(void)
SBIEDLL_HOOK(Proc_, UpdateProcThreadAttribute);
}
// fox for SBIE2303 Could not hook ... (33, 1655) due to mitigation policies
if (Dll_OsBuild >= 8400) // win8
{
void* SetProcessMitigationPolicy = NULL;
RtlInitString(&ansi, "SetProcessMitigationPolicy");
status = LdrGetProcedureAddress(
Dll_KernelBase, &ansi, 0, (void**)&SetProcessMitigationPolicy);
if (NT_SUCCESS(status))
SBIEDLL_HOOK(Proc_, SetProcessMitigationPolicy);
}
// OriginalToken BEGIN
if (!SbieApi_QueryConfBool(NULL, L"OriginalToken", FALSE))
// OriginalToken END
@ -972,6 +995,21 @@ _FX BOOL Proc_UpdateProcThreadAttribute(
return __sys_UpdateProcThreadAttribute(lpAttributeList, dwFlags, Attribute, lpValue, cbSize, lpPreviousValue, lpReturnSize);
}
_FX BOOL Proc_SetProcessMitigationPolicy(
_In_ PROCESS_MITIGATION_POLICY MitigationPolicy,
_In_reads_bytes_(dwLength) PVOID lpBuffer,
_In_ SIZE_T dwLength)
{
// fix for SBIE2303 Could not hook ... (33, 1655)
// This Mitigation Policy breaks our ability to hook functions once its enabled,
// As we need to be able to hook them we prevent the activation of this policy.
if (MitigationPolicy == ProcessDynamicCodePolicy)
return TRUE;
return __sys_SetProcessMitigationPolicy(MitigationPolicy, lpBuffer, dwLength);
}
void *Proc_GetImageFullPath(const WCHAR *lpApplicationName, const WCHAR *lpCommandLine)
{
if ((lpApplicationName == NULL) && (lpCommandLine == NULL))
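Review bot: Proc_SetProcessMitigationPolicy returns TRUE for ProcessDynamicCodePolicy without forwarding the call, so a process that opts into the dynamic-code restriction is told the policy is active while it is not, and that downgrade is invisible to the user and to anyone auditing the box. The comment above the early return should say so explicitly, e.g. `// The caller is reported success, but dynamic-code restrictions remain off inside the box; sandboxed processes run without this mitigation.`, and it would be worth emitting a monitor/trace entry at that point so the suppression shows up in the Resource Monitor rather than silently. In Proc_Init the comment `// fox for SBIE2303` should read `// fix for SBIE2303`. Proc_Init's body starts and ends outside the hunk.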


@ -229,18 +229,55 @@ _FX ULONG RpcRt_RpcBindingInqAuthClientEx(
return rc;
}
HANDLE FindServicePidByName(WCHAR *pSvcName)
{
HANDLE hPidRet = NULL;
SERVICE_QUERY_RPL *rpl = (SERVICE_QUERY_RPL *)
Scm_QueryServiceByName(pSvcName, TRUE, FALSE);
if (rpl) {
hPidRet = (HANDLE)rpl->service_status.dwProcessId;
//---------------------------------------------------------------------------
// RpcRt_TestCallingModule
//---------------------------------------------------------------------------
BOOLEAN RpcRt_TestCallingModule(ULONG_PTR pRetAddr, ULONG_PTR hModule)
{
if (hModule && (pRetAddr > hModule))
{
MODULEINFO modinfo;
if (__sys_GetModuleInformation(GetCurrentProcess(), (HANDLE)hModule, &modinfo, sizeof(MODULEINFO)))
{
// return address within the module?
if (pRetAddr < hModule + modinfo.SizeOfImage)
return TRUE;
}
}
return FALSE;
}
//---------------------------------------------------------------------------
// GetDynamicLpcPortName
//---------------------------------------------------------------------------
WCHAR* GetDynamicLpcPortName(ENUM_DYNAMIC_PORT_TYPE portType)
{
EPMAPPER_GET_PORT_NAME_REQ req;
EPMAPPER_GET_PORT_NAME_RPL* rpl;
memset(&req, 0, sizeof(req));
req.h.length = sizeof(EPMAPPER_GET_PORT_NAME_REQ);
req.h.msgid = MSGID_EPMAPPER_GET_PORT_NAME;
req.portType = portType;
rpl = (EPMAPPER_GET_PORT_NAME_RPL*)SbieDll_CallServer(&req.h);
if (rpl && NT_SUCCESS(rpl->h.status))
{
wcsncpy(g_Ipc_DynamicPortNames[portType], rpl->wszPortName, DYNAMIC_PORT_NAME_CHARS);
Dll_Free(rpl);
return g_Ipc_DynamicPortNames[portType] + 13; // skip "\\RPC Control\\"
}
return hPidRet;
return NULL;
}
@ -292,29 +329,22 @@ _FX ULONG RpcRt_RpcBindingFromStringBindingW(
if (_wcsicmp(StringBinding, _old) == 0) {
ULONG_PTR WinSpool = (ULONG_PTR)GetModuleHandle(L"winspool.drv");
ULONG_PTR RetAddr = (ULONG_PTR)_ReturnAddress();
if (WinSpool && (RetAddr > WinSpool)
&& (RetAddr < WinSpool + 0x1FFFF)) {
ULONG_PTR pWinSpool = (ULONG_PTR)GetModuleHandle(L"winspool.drv");
ULONG_PTR pRetAddr = (ULONG_PTR)_ReturnAddress();
HANDLE hPidSpooler = FindServicePidByName(L"Spooler");
if (RpcRt_TestCallingModule(pRetAddr, pWinSpool)) {
if (hPidSpooler) {
WCHAR* pwszTempPortName = GetDynamicLpcPortName(SPOOLER_PORT);
WCHAR pwszPortName[DYNAMIC_PORT_NAME_CHARS];
memset(pwszPortName, 0, sizeof(pwszPortName));
if (pwszTempPortName) {
if (SbieApi_CallThree(
API_GET_SPOOLER_PORT,
(ULONG_PTR)hPidSpooler,
(ULONG_PTR)L"spoolsv.exe",
(ULONG_PTR)g_Ipc_DynamicPortNames[SPOOLER_PORT]) == STATUS_SUCCESS)
{
wcscpy(pwszPortName, L"ncalrpc:[");
wcscpy(pwszPortName + 9, g_Ipc_DynamicPortNames[SPOOLER_PORT] + 13);
wcscat(pwszPortName, _old + 9);
return __sys_RpcBindingFromStringBindingW(pwszPortName, OutBinding);
}
WCHAR wstrPortName[DYNAMIC_PORT_NAME_CHARS];
memset(wstrPortName, 0, sizeof(wstrPortName));
wcscpy(wstrPortName, L"ncalrpc:[");
wcscpy(wstrPortName + 9, pwszTempPortName);
wcscat(wstrPortName, _old + 9);
return __sys_RpcBindingFromStringBindingW(wstrPortName, OutBinding);
}
}
}
@ -322,40 +352,23 @@ _FX ULONG RpcRt_RpcBindingFromStringBindingW(
// WPAD (Windows Proxy Auto Discovery) uses dynamic RPC endpoints starting in Win 10 Anniv.
else if (_wcsicmp(StringBinding, L"ncalrpc:") == 0) {
// are we being called from WinHttp?
ULONG_PTR hWinHttp = (ULONG_PTR)GetModuleHandle(L"WinHttp.dll");
ULONG_PTR pRetAddr = (ULONG_PTR)_ReturnAddress();
if (RpcRt_TestCallingModule(pRetAddr, hWinHttp)) {
if (hWinHttp && (pRetAddr > hWinHttp))
{
MODULEINFO modinfo;
WCHAR* pwszTempPortName = GetDynamicLpcPortName(WPAD_PORT);
if (__sys_GetModuleInformation(GetCurrentProcess(), (HANDLE)hWinHttp, &modinfo, sizeof(MODULEINFO)))
if (pwszTempPortName)
{
// return address within WinHttp?
if (pRetAddr < hWinHttp + modinfo.SizeOfImage)
{
HANDLE hPidWpad = FindServicePidByName(L"WinHttpAutoProxySvc");
if (hPidWpad)
{
WCHAR wstrPortName[DYNAMIC_PORT_NAME_CHARS];
memset(wstrPortName, 0, sizeof(wstrPortName));
WCHAR wstrPortName[DYNAMIC_PORT_NAME_CHARS];
memset(wstrPortName, 0, sizeof(wstrPortName));
wmemcpy(wstrPortName, L"ncalrpc:[", 9);
if (SbieApi_CallThree(
API_GET_WPAD_PORT,
(ULONG_PTR)hPidWpad,
(ULONG_PTR)L"svchost.exe",
(ULONG_PTR)g_Ipc_DynamicPortNames[WPAD_PORT]) == STATUS_SUCCESS)
{
wcscpy(wstrPortName + 9, g_Ipc_DynamicPortNames[WPAD_PORT] + 13);
wcscat(wstrPortName, L"]");
return __sys_RpcBindingFromStringBindingW(wstrPortName, OutBinding);
}
}
}
wcscpy(wstrPortName, L"ncalrpc:[");
wcscpy(wstrPortName + 9, pwszTempPortName);
wcscat(wstrPortName, L"]");
return __sys_RpcBindingFromStringBindingW(wstrPortName, OutBinding);
}
}
}
@ -364,57 +377,21 @@ _FX ULONG RpcRt_RpcBindingFromStringBindingW(
status = __sys_RpcBindingFromStringBindingW(StringBinding, OutBinding);
// If there are any IpcTrace options set, then output this debug string
WCHAR wsTraceOptions[4];
if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS)
if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS && wsTraceOptions != L'\0')
{
WCHAR msg[512];
Sbie_snwprintf(msg, 512, L"SBIE p=%06d t=%06d RpcBindingFromStringBindingW StringBinding = '%s', BindingHandle = 0x%X, status = 0x%X\n", GetCurrentProcessId(), GetCurrentThreadId(),
StringBinding,
OutBinding,
status);
OutputDebugString(msg);
//OutputDebugString(msg);
SbieApi_MonitorPut(MONITOR_IPC | MONITOR_TRACE, msg);
}
__sys_RpcMgmtSetComTimeout(*OutBinding, RPC_C_BINDING_TIMEOUT);
return status;
}
WCHAR *GetSCardLpcPortName()
{
EPMAPPER_GET_PORT_NAME_REQ req;
EPMAPPER_GET_PORT_NAME_RPL *rpl;
// smart card interface {C6B5235A-E413-481D-9AC8-31681B1FAAF5}
RPC_IF_ID ifidRequest = { {0xC6B5235A, 0xE413, 0x481D, { 0x9A, 0xC8, 0x31, 0x68, 0x1B, 0x1F, 0xAA, 0xF5 }}, 1, 1};
memset(&req, 0, sizeof(req));
req.h.length = sizeof(EPMAPPER_GET_PORT_NAME_REQ);
req.h.msgid = MSGID_EPMAPPER_GET_PORT_NAME;
memcpy(&req.ifidRequest, &ifidRequest, sizeof(RPC_IF_ID));
rpl = (EPMAPPER_GET_PORT_NAME_RPL *)SbieDll_CallServer(&req.h);
if (rpl)
{
static WCHAR wstrTempPortName[DYNAMIC_PORT_NAME_CHARS];
memset(wstrTempPortName, 0, sizeof(wstrTempPortName));
wcscpy(wstrTempPortName, rpl->wszPortName + 9); // format is "ncalrpc:[LRPC-f760d5b40689a98168]" We only want actual port name
wstrTempPortName[23] = 0; // Take off the ']'
// Param 1 is dynamic port name (e.g. "LRPC-f760d5b40689a98168")
// Param 2 will return the port name with "\RPC Control\" prepended
SbieApi_CallTwo(
API_SET_SMART_CARD_PORT,
(ULONG_PTR)wstrTempPortName,
(ULONG_PTR)g_Ipc_DynamicPortNames[SMART_CARD_PORT]);
Dll_Free(rpl);
return wstrTempPortName;
}
return NULL;
}
DEFINE_GUID(
EMPTY_UUID,
0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00);
@ -439,68 +416,19 @@ _FX RPC_STATUS RpcRt_RpcBindingCreateW(
RPC_PROTSEQ_LRPC == Template->ProtocolSequence &&
!Template->StringEndpoint)
{
ULONG_PTR hWinSCard = (ULONG_PTR)GetModuleHandle(L"WinSCard.dll");
ULONG_PTR hResourcePolicyClient = (ULONG_PTR)GetModuleHandle(L"resourcepolicyclient.dll");
ULONG_PTR pRetAddr = (ULONG_PTR)_ReturnAddress();
ULONG_PTR hWinSCard = (ULONG_PTR)GetModuleHandle(L"WinSCard.dll");
if (hWinSCard && (pRetAddr > hWinSCard))
if (RpcRt_TestCallingModule(pRetAddr, hWinSCard))
{
MODULEINFO modinfo;
if (__sys_GetModuleInformation(GetCurrentProcess(), (HANDLE)hWinSCard, &modinfo, sizeof(MODULEINFO)))
{
// return address within WinSCard?
if (pRetAddr < hWinSCard + modinfo.SizeOfImage)
{
Template->StringEndpoint = GetSCardLpcPortName();
}
}
// smart card interface {C6B5235A-E413-481D-9AC8-31681B1FAAF5}
Template->StringEndpoint = GetDynamicLpcPortName(SMART_CARD_PORT);
}
else if (hResourcePolicyClient && (pRetAddr > hResourcePolicyClient))
else if (RpcRt_TestCallingModule(pRetAddr, hResourcePolicyClient))
{
MODULEINFO modinfo;
if (__sys_GetModuleInformation(GetCurrentProcess(), (HANDLE)hResourcePolicyClient, &modinfo, sizeof(MODULEINFO)))
{
// return address within ResourcePolicyClient?
if (pRetAddr < hResourcePolicyClient + modinfo.SizeOfImage)
{
EPMAPPER_GET_PORT_NAME_REQ req;
EPMAPPER_GET_PORT_NAME_RPL *rpl;
// Win 10 AU WinRT interface
RPC_IF_ID ifidRequest = { {0x88abcbc3, 0x34EA, 0x76AE, { 0x82, 0x15, 0x76, 0x75, 0x20, 0x65, 0x5A, 0x23 }}, 0, 0};
memset(&req, 0, sizeof(req));
req.h.length = sizeof(EPMAPPER_GET_PORT_NAME_REQ);
req.h.msgid = MSGID_EPMAPPER_GET_PORT_NAME;
memcpy(&req.ifidRequest, &ifidRequest, sizeof(RPC_IF_ID));
rpl = (EPMAPPER_GET_PORT_NAME_RPL *)SbieDll_CallServer(&req.h);
if (rpl) {
ULONG rpl_status = rpl->h.status;
if (rpl_status == 0)
{
static WCHAR wstrTempPortName[DYNAMIC_PORT_NAME_CHARS];
memset(wstrTempPortName, 0, sizeof(wstrTempPortName));
wcscpy(wstrTempPortName, rpl->wszPortName + 9); // format is "ncalrpc:[LRPC-f760d5b40689a98168]" We only want actual port name
wstrTempPortName[23] = 0; // Take off the ']'
Template->StringEndpoint = wstrTempPortName;
// Param 1 is dynamic port name (e.g. "LRPC-f760d5b40689a98168")
// Param 2 will return the port name with "\RPC Control\" prepended
SbieApi_CallTwo(
API_SET_GAME_CONFIG_STORE_PORT,
(ULONG_PTR)wstrTempPortName,
(ULONG_PTR)g_Ipc_DynamicPortNames[GAME_CONFIG_STORE_PORT]);
}
Dll_Free(rpl);
}
}
}
// Win 10 AU WinRT interface - {88ABCBC3-34EA-76AE-8215-767520655A23}
Template->StringEndpoint = GetDynamicLpcPortName(GAME_CONFIG_STORE_PORT);
}
}
@ -508,7 +436,7 @@ _FX RPC_STATUS RpcRt_RpcBindingCreateW(
status = __sys_RpcBindingCreateW(Template, Security, Options, Binding);
// If there are any IpcTrace options set, then output this debug string
WCHAR wsTraceOptions[4];
if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS)
if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS && wsTraceOptions[0] != L'\0')
{
WCHAR msg[512];
RPC_CSTR StringUuid;
@ -518,8 +446,10 @@ _FX RPC_STATUS RpcRt_RpcBindingCreateW(
Template && Template->StringEndpoint ? Template->StringEndpoint : L"null",
StringUuid,
status);
OutputDebugString(msg);
__sys_RpcStringFreeW(&StringUuid);
//OutputDebugString(msg);
SbieApi_MonitorPut(MONITOR_IPC | MONITOR_TRACE, msg);
}
__sys_RpcMgmtSetComTimeout(*Binding, RPC_C_BINDING_TIMEOUT);
return status;
@ -532,14 +462,10 @@ RPC_STATUS RPC_ENTRY RpcRt_RpcStringBindingComposeW(TCHAR *ObjUuid,TCHAR *ProtSe
ULONG_PTR hSppc = (ULONG_PTR)GetModuleHandle(L"sppc.dll");
ULONG_PTR pRetAddr = (ULONG_PTR)_ReturnAddress();
if (hSppc && (pRetAddr > hSppc) && EndPoint == NULL && ObjUuid == NULL) {
MODULEINFO modinfo;
if (__sys_GetModuleInformation(GetCurrentProcess(), (HANDLE)hSppc, &modinfo, sizeof(MODULEINFO))) {
if (pRetAddr < hSppc + modinfo.SizeOfImage) {
EndPoint = L"SPPCTransportEndpoint-00001";
Scm_Start_Sppsvc();
}
}
if (RpcRt_TestCallingModule(pRetAddr, hSppc))
{
EndPoint = L"SPPCTransportEndpoint-00001";
Scm_Start_Sppsvc();
}
// we must block this in Win 10 to prevent r-click context menu hang in Explorer
else if (ObjUuid && (!_wcsicmp(ObjUuid, UUID_UserMgrCli)))
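Review bot: In the IpcTrace check of RpcRt_RpcBindingFromStringBindingW, `wsTraceOptions != L'\0'` compares the array's address with a character and is therefore always true, so the trace is emitted whenever the config query succeeds even with an empty option; the sibling sites use `wsTraceOptions[0] != L'\0'` and this one should too. In GetDynamicLpcPortName, `wcsncpy(..., DYNAMIC_PORT_NAME_CHARS)` leaves the destination unterminated when the reply fills the buffer (assuming the g_Ipc_DynamicPortNames entries are DYNAMIC_PORT_NAME_CHARS wide), and the fixed `+ 13` offset assumes the reply begins with `\RPC Control\` without checking; add `g_Ipc_DynamicPortNames[portType][DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';` after the copy and treat a reply failing `_wcsnicmp(rpl->wszPortName, L"\\RPC Control\\", 13) == 0` as no port. The spooler branch builds `wstrPortName` with two wcscpy calls and a wcscat of `_old + 9` into a DYNAMIC_PORT_NAME_CHARS buffer with no length check; if `_old` (declared outside the hunk) carries a suffix longer than the few characters of slack, this overruns, and `Sbie_snwprintf(wstrPortName, DYNAMIC_PORT_NAME_CHARS, L"ncalrpc:[%s%s", pwszTempPortName, _old + 9);` bounds it in one line.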


@ -58,7 +58,7 @@ SBIEAPI_EXPORT
LONG SbieApi_CallTwo(ULONG api_code, ULONG_PTR arg1, ULONG_PTR arg2);
SBIEAPI_EXPORT
LONG SbieApi_CallThree(ULONG api_code, ULONG_PTR arg1, ULONG_PTR arg2, ULONG_PTR arg3);
LONG SbieApi_CallThree(ULONG api_code, ULONG_PTR arg1, ULONG_PTR arg2, ULONG_PTR arg3);
SBIEAPI_EXPORT LONG SbieApi_GetVersion(
WCHAR *version_string); // WCHAR [16]


@ -29,6 +29,7 @@
#include "common/win32_ntddk.h"
#include "core/svc/ServiceWire.h"
#include "common/my_version.h"
#include "../../apps/com/header.h" //SC_HANDLE_...
//---------------------------------------------------------------------------
@ -848,12 +849,11 @@ _FX BOOL Scm_CloseServiceHandle(SC_HANDLE hSCObject)
_FX WCHAR *Scm_GetHandleName(SC_HANDLE hService)
{
WCHAR *name = NULL;
// fix-me: refactory include of SC_HANDLE_
if (hService == /*SC_HANDLE_RPCSS*/((SC_HANDLE)0x12345672))
if (hService == SC_HANDLE_RPCSS)
return L"RpcSs";
if (hService == /*SC_HANDLE_MSISERVER*/((SC_HANDLE)0x12345673))
if (hService == SC_HANDLE_MSISERVER)
return L"MSIServer";
if (hService == /*SC_HANDLE_EVENTSYSTEM*/((SC_HANDLE)0x12345674))
if (hService == SC_HANDLE_EVENTSYSTEM)
return L"EventSystem";
__try {
if (hService && *(ULONG *)hService == tzuk)


@ -309,6 +309,7 @@
</ClCompile>
<ClCompile Include="includes.c" />
<ClCompile Include="ipc.c" />
<ClCompile Include="ipc_lsa.c" />
<ClCompile Include="ipc_port.c" />
<ClCompile Include="ipc_spl.c" />
<ClCompile Include="key.c" />


@ -8,31 +8,13 @@
<ClCompile Include="conf_user.c" />
<ClCompile Include="dll.c" />
<ClCompile Include="driver.c" />
<ClCompile Include="file.c" />
<ClCompile Include="file_flt.c" />
<ClCompile Include="file_xlat.c" />
<ClCompile Include="gui.c" />
<ClCompile Include="includes.c" />
<ClCompile Include="ipc.c" />
<ClCompile Include="ipc_port.c" />
<ClCompile Include="ipc_spl.c" />
<ClCompile Include="key.c" />
<ClCompile Include="log.c" />
<ClCompile Include="mem.c" />
<ClCompile Include="obj.c" />
<ClCompile Include="process.c" />
<ClCompile Include="process_api.c" />
<ClCompile Include="process_force.c" />
<ClCompile Include="process_low.c" />
<ClCompile Include="process_util.c" />
<ClCompile Include="log_buff.c" />
<ClCompile Include="session.c" />
<ClCompile Include="syscall.c" />
<ClCompile Include="syscall_32.c" />
<ClCompile Include="syscall_64.c" />
<ClCompile Include="syscall_open.c" />
<ClCompile Include="thread.c" />
<ClCompile Include="token.c" />
<ClCompile Include="util.c" />
<ClCompile Include="file_xp.c">
<Filter>xp</Filter>
@ -55,7 +37,6 @@
<ClCompile Include="hook.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="thread_token.c" />
<ClCompile Include="process_hook.c">
<Filter>hook</Filter>
</ClCompile>
@ -71,10 +52,71 @@
<ClCompile Include="..\..\common\list.c">
<Filter>common</Filter>
</ClCompile>
<ClCompile Include="key_flt.c" />
<ClCompile Include="ipc.c">
<Filter>ipc</Filter>
</ClCompile>
<ClCompile Include="ipc_port.c">
<Filter>ipc</Filter>
</ClCompile>
<ClCompile Include="ipc_spl.c">
<Filter>ipc</Filter>
</ClCompile>
<ClCompile Include="ipc_lsa.c">
<Filter>ipc</Filter>
</ClCompile>
<ClCompile Include="file.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_flt.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_xlat.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="key.c">
<Filter>key</Filter>
</ClCompile>
<ClCompile Include="key_flt.c">
<Filter>key</Filter>
</ClCompile>
<ClCompile Include="process.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="process_api.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="process_force.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="process_low.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="process_util.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="thread.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="thread_token.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="token.c">
<Filter>process</Filter>
</ClCompile>
<ClCompile Include="syscall.c">
<Filter>syscall</Filter>
</ClCompile>
<ClCompile Include="syscall_32.c">
<Filter>syscall</Filter>
</ClCompile>
<ClCompile Include="syscall_64.c">
<Filter>syscall</Filter>
</ClCompile>
<ClCompile Include="syscall_open.c">
<Filter>syscall</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="alpc.h" />
<ClInclude Include="api.h" />
<ClInclude Include="api_defs.h" />
<ClInclude Include="api_flags.h" />
@ -82,21 +124,14 @@
<ClInclude Include="conf.h" />
<ClInclude Include="dll.h" />
<ClInclude Include="driver.h" />
<ClInclude Include="file.h" />
<ClInclude Include="gui.h" />
<ClInclude Include="ipc.h" />
<ClInclude Include="key.h" />
<ClInclude Include="log.h" />
<ClInclude Include="mem.h" />
<ClInclude Include="my_fltkernel.h" />
<ClInclude Include="my_winnt.h" />
<ClInclude Include="obj.h" />
<ClInclude Include="process.h" />
<ClInclude Include="log_buff.h" />
<ClInclude Include="session.h" />
<ClInclude Include="syscall.h" />
<ClInclude Include="thread.h" />
<ClInclude Include="token.h" />
<ClInclude Include="util.h" />
<ClInclude Include="hook.h">
<Filter>hook</Filter>
@ -113,6 +148,30 @@
<ClInclude Include="..\..\common\my_version.h">
<Filter>common</Filter>
</ClInclude>
<ClInclude Include="ipc.h">
<Filter>ipc</Filter>
</ClInclude>
<ClInclude Include="alpc.h">
<Filter>ipc</Filter>
</ClInclude>
<ClInclude Include="file.h">
<Filter>file</Filter>
</ClInclude>
<ClInclude Include="key.h">
<Filter>key</Filter>
</ClInclude>
<ClInclude Include="process.h">
<Filter>process</Filter>
</ClInclude>
<ClInclude Include="thread.h">
<Filter>process</Filter>
</ClInclude>
<ClInclude Include="token.h">
<Filter>process</Filter>
</ClInclude>
<ClInclude Include="syscall.h">
<Filter>syscall</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<CustomBuild Include="aulldvrm.asm" />
@ -131,5 +190,20 @@
<Filter Include="common">
<UniqueIdentifier>{73d2a54c-a013-4184-b5e6-74b565ecc048}</UniqueIdentifier>
</Filter>
<Filter Include="ipc">
<UniqueIdentifier>{0e28321b-be74-4113-b88c-d6492e618788}</UniqueIdentifier>
</Filter>
<Filter Include="file">
<UniqueIdentifier>{dbb808f3-ff22-4a4d-b061-e34a4b28b75a}</UniqueIdentifier>
</Filter>
<Filter Include="key">
<UniqueIdentifier>{2a86be4e-fef5-4ad8-be88-39efde9761af}</UniqueIdentifier>
</Filter>
<Filter Include="process">
<UniqueIdentifier>{754e9503-8dd2-4b40-848c-590343d2ac39}</UniqueIdentifier>
</Filter>
<Filter Include="syscall">
<UniqueIdentifier>{0da98f76-24ea-4a59-9913-2bbeb0ea5e1e}</UniqueIdentifier>
</Filter>
</ItemGroup>
</Project>


@ -1186,11 +1186,13 @@ _FX void Api_CopyStringToUser(
//---------------------------------------------------------------------------
// Ipc_Api_AllowSpoolerPrintToFile
// Api_ProcessExemptionControl
//---------------------------------------------------------------------------
_FX NTSTATUS Api_ProcessExemptionControl(PROCESS *proc, ULONG64 *parms)
{
NTSTATUS status = STATUS_SUCCESS;
//KIRQL irql;
API_PROCESS_EXEMPTION_CONTROL_ARGS *pArgs = (API_PROCESS_EXEMPTION_CONTROL_ARGS *)parms;
ULONG *in_flag;
ULONG *out_flag;
@ -1200,10 +1202,6 @@ _FX NTSTATUS Api_ProcessExemptionControl(PROCESS *proc, ULONG64 *parms)
if (pArgs->process_id.val == 0)
return STATUS_INVALID_PARAMETER;
proc = Process_Find(pArgs->process_id.val, NULL);
if (!proc || proc == PROCESS_TERMINATED)
return STATUS_NOT_FOUND;
in_flag = pArgs->set_flag.val;
if (in_flag) {
@ -1218,22 +1216,31 @@ _FX NTSTATUS Api_ProcessExemptionControl(PROCESS *proc, ULONG64 *parms)
if(!in_flag && !out_flag)
return STATUS_INVALID_PARAMETER;
if (pArgs->action_id.val == 'splr')
{
if(in_flag)
proc->m_boolAllowSpoolerPrintToFile = *in_flag != 0;
if (out_flag)
*out_flag = proc->m_boolAllowSpoolerPrintToFile;
}
else if (pArgs->action_id.val == 'inet')
{
if(in_flag)
proc->AllowInternetAccess = *in_flag != 0;
if (out_flag)
*out_flag = proc->AllowInternetAccess;
}
else
return STATUS_INVALID_INFO_CLASS;
return 0;
//proc = Process_Find(pArgs->process_id.val, &irql);
proc = Process_Find(pArgs->process_id.val, NULL);
if (proc && (proc != PROCESS_TERMINATED))
{
if (pArgs->action_id.val == 'splr')
{
if (in_flag)
proc->ipc_allowSpoolerPrintToFile = *in_flag != 0;
if (out_flag)
*out_flag = proc->ipc_allowSpoolerPrintToFile;
}
else if (pArgs->action_id.val == 'inet')
{
if (in_flag)
proc->AllowInternetAccess = *in_flag != 0;
if (out_flag)
*out_flag = proc->AllowInternetAccess;
}
else
status = STATUS_INVALID_INFO_CLASS;
}
else
status = STATUS_NOT_FOUND;
//ExReleaseResourceLite(Process_ListLock);
//KeLowerIrql(irql);
return status;
}
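Review bot: The new lookup `proc = Process_Find(pArgs->process_id.val, NULL);` deliberately skips the process-list lock, and the commented-out `&irql` / `ExReleaseResourceLite(Process_ListLock)` / `KeLowerIrql(irql)` lines leave a reader guessing whether the target PROCESS can be torn down while `ipc_allowSpoolerPrintToFile` or `AllowInternetAccess` is being read or written through it. Either take the lock for the duration of the field access, or delete the dead lines and state the assumption where the pointer is obtained, e.g. `// Process_Find with a NULL irql hands back the PROCESS without Process_ListLock held; assumes the entry outlives this call — TODO confirm against Process_Find`. The lines between the two hunks (where a caller-is-sandboxed check would sit) are not visible here, so that check is not being judged.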


@ -135,7 +135,7 @@ enum {
API_QUERY_SYMBOLIC_LINK,
API_OPEN_KEY,
API_SET_LOW_LABEL_KEY,
API_OVERRIDE_PROCESS_TOKEN_DEPRECATED,
API_OVERRIDE_PROCESS_TOKEN_DEPRECATED, // deprecated
API_SET_SERVICE_PORT,
API_INJECT_COMPLETE,
API_QUERY_SYSCALLS,
@ -144,13 +144,15 @@ enum {
API_ALLOW_SPOOLER_PRINT_TO_FILE_DEPRECATED, // deprecated
API_RELOAD_CONF2,
API_MONITOR_PUT2,
API_GET_SPOOLER_PORT,
API_GET_WPAD_PORT,
API_SET_GAME_CONFIG_STORE_PORT,
API_SET_SMART_CARD_PORT,
API_GET_SPOOLER_PORT, // deprecated
API_GET_WPAD_PORT, // deprecated
API_SET_GAME_CONFIG_STORE_PORT, // deprecated
API_SET_SMART_CARD_PORT, // deprecated
API_MONITOR_GET_EX,
API_GET_MESSAGE,
API_PROCESS_EXEMPTION_CONTROL,
API_GET_DYNAMIC_PORT_FROM_PID,
API_OPEN_DYNAMIC_PORT,
API_LAST
};
@ -193,12 +195,12 @@ API_ARGS_FIELD(WCHAR *,string)
API_ARGS_CLOSE(API_GET_VERSION_ARGS)
/*API_ARGS_BEGIN(API_GET_WORK_ARGS)
API_ARGS_FIELD(ULONG,session_id)
API_ARGS_FIELD(void *,buffer)
API_ARGS_FIELD(ULONG,buffer_len)
API_ARGS_FIELD(ULONG *,result_len_ptr)
API_ARGS_CLOSE(API_GET_WORK_ARGS)*/
//API_ARGS_BEGIN(API_GET_WORK_ARGS)
//API_ARGS_FIELD(ULONG,session_id)
//API_ARGS_FIELD(void *,buffer)
//API_ARGS_FIELD(ULONG,buffer_len)
//API_ARGS_FIELD(ULONG *,result_len_ptr)
//API_ARGS_CLOSE(API_GET_WORK_ARGS)
API_ARGS_BEGIN(API_LOG_MESSAGE_ARGS)
@ -424,19 +426,10 @@ API_ARGS_CLOSE(API_RELOAD_CONF2_ARGS)
API_ARGS_BEGIN(API_GET_DYNAMIC_PORT_FROM_PID_ARGS)
API_ARGS_FIELD(HANDLE,process_id)
API_ARGS_FIELD(WCHAR *,exe_name)
API_ARGS_FIELD(WCHAR *,port_name)
//API_ARGS_FIELD(WCHAR *,exe_name)
API_ARGS_FIELD(WCHAR *,full_port_name)
API_ARGS_CLOSE(API_GET_DYNAMIC_PORT_FROM_PID_ARGS)
API_ARGS_BEGIN(API_SET_GAME_CONFIG_STORE_PORT_ARGS)
API_ARGS_FIELD(WCHAR *,port_name)
API_ARGS_FIELD(WCHAR *,full_port_name)
API_ARGS_CLOSE(API_SET_GAME_CONFIG_STORE_PORT_ARGS)
API_ARGS_BEGIN(API_SET_SMART_CARD_PORT_ARGS)
API_ARGS_FIELD(WCHAR *,port_name)
API_ARGS_FIELD(WCHAR *,full_port_name)
API_ARGS_CLOSE(API_SET_SMART_CARD_PORT_ARGS)
API_ARGS_BEGIN(API_PROCESS_EXEMPTION_CONTROL_ARGS)
API_ARGS_FIELD(HANDLE,process_id)
@ -445,6 +438,15 @@ API_ARGS_FIELD(ULONG *,set_flag)
API_ARGS_FIELD(ULONG *,get_flag)
API_ARGS_CLOSE(API_PROCESS_EXEMPTION_CONTROL_ARGS)
API_ARGS_BEGIN(API_OPEN_DYNAMIC_PORT_ARGS)
API_ARGS_FIELD(WCHAR*,port_name)
API_ARGS_FIELD(HANDLE,process_id)
API_ARGS_FIELD(ULONG,port_type)
API_ARGS_CLOSE(API_OPEN_DYNAMIC_PORT_ARGS)
#undef API_ARGS_BEGIN
#undef API_ARGS_FIELD
#undef API_ARGS_CLOSE
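Review bot: The entries now tagged `// deprecated` keep their ordinals, but nothing in the enum says they must, so a later cleanup that drops one would silently shift API_PROCESS_EXEMPTION_CONTROL, API_GET_DYNAMIC_PORT_FROM_PID and the new API_OPEN_DYNAMIC_PORT onto the wrong driver handlers. A one-line rule above the enum (its opening line is outside the hunk), such as `// ordinals are the driver/DLL ABI: never renumber, reuse or remove an entry; retire it with the _DEPRECATED suffix instead`, would make that explicit. The new `API_OPEN_DYNAMIC_PORT_ARGS.port_type` is a ULONG that the driver treats as an index into Ipc_Dynamic_Ports, with NUM_DYNAMIC_PORTS or any larger value (including a caller's -1) meaning "not a special port"; that contract belongs next to the field, e.g. `ULONG port_type // ENUM_DYNAMIC_PORT_TYPE, or any value >= NUM_DYNAMIC_PORTS (e.g. -1) for a plain port`.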


@ -363,7 +363,7 @@ _FX FLT_PREOP_CALLBACK_STATUS File_PreOperation(
{
proc = Process_Find((HANDLE)ulOwnerPid, NULL); // is this a sandboxed process?
if (proc && proc != PROCESS_TERMINATED &&
!proc->m_boolAllowSpoolerPrintToFile) // if process specifically allowed to use spooler print to file, we can skip everything below
!proc->ipc_allowSpoolerPrintToFile) // if process specifically allowed to use spooler print to file, we can skip everything below
{
FLT_FILE_NAME_INFORMATION *pTargetFileNameInfo = NULL;
BOOLEAN result = FALSE;


@ -196,7 +196,6 @@ _FX BOOLEAN Gui_InitProcess(PROCESS *proc)
}
}
//if (Conf_Get_Boolean(proc->box->name, L"OpenDefaultWinClass", 0, TRUE)) // ToDo: can we do that
if (ok) {
BOOLEAN AddMSTaskSwWClass = FALSE;
if (Driver_OsVersion >= DRIVER_WINDOWS_7) {


@ -201,31 +201,23 @@ _FX BOOLEAN Ipc_Init(void)
Api_SetFunction(API_SET_LSA_AUTH_PKG, Ipc_Api_SetLsaAuthPkg);
#endif ! _WIN64
Api_SetFunction(API_GET_DYNAMIC_PORT_FROM_PID, Ipc_Api_GetDynamicPortFromPid);
Api_SetFunction(API_OPEN_DYNAMIC_PORT, Ipc_Api_OpenDynamicPort);
if (Driver_OsVersion >= DRIVER_WINDOWS_81) {
if (Mem_GetLockResource(&Ipc_Dynamic_Ports[SPOOLER_PORT].pPortLock, TRUE)) {
Api_SetFunction(API_GET_SPOOLER_PORT, Ipc_Api_GetSpoolerPortFromPid);
}
else
if (!Mem_GetLockResource(&Ipc_Dynamic_Ports[SPOOLER_PORT].pPortLock, TRUE))
return FALSE;
}
if (Driver_OsVersion >= DRIVER_WINDOWS_10) {
if (Mem_GetLockResource(&Ipc_Dynamic_Ports[WPAD_PORT].pPortLock, TRUE)) {
Api_SetFunction(API_GET_WPAD_PORT, Ipc_Api_GetWpadPortFromPid);
}
else
return FALSE;
if (Mem_GetLockResource(&Ipc_Dynamic_Ports[GAME_CONFIG_STORE_PORT].pPortLock, TRUE)) {
Api_SetFunction(API_SET_GAME_CONFIG_STORE_PORT, Ipc_Api_SetGameConfigStorePort);
}
else
return FALSE;
if (Mem_GetLockResource(&Ipc_Dynamic_Ports[SMART_CARD_PORT].pPortLock, TRUE)) {
Api_SetFunction(API_SET_SMART_CARD_PORT, Ipc_Api_SetSmartCardPort);
}
else
return FALSE;
}
// Note: those don't have a special treatment
//if (Driver_OsVersion >= DRIVER_WINDOWS_10) {
//
// if(!Mem_GetLockResource(&Ipc_Dynamic_Ports[WPAD_PORT].pPortLock, TRUE)
// || !Mem_GetLockResource(&Ipc_Dynamic_Ports[GAME_CONFIG_STORE_PORT].pPortLock, TRUE)
// || !Mem_GetLockResource(&Ipc_Dynamic_Ports[SMART_CARD_PORT].pPortLock, TRUE)
// ) return FALSE;
//}
//
// finish
@ -587,12 +579,15 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS *proc)
// add default/built-in open paths
//
for (i = 0; openpaths[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
TRUE, openpaths[i], FALSE);
if (ok) {
for (i = 0; openpaths[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
TRUE, openpaths[i], FALSE);
}
}
if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA) {
if (ok && Driver_OsVersion >= DRIVER_WINDOWS_VISTA) {
for (i = 0; openpaths_vista[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
@ -600,7 +595,7 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS *proc)
}
}
if (Driver_OsVersion >= DRIVER_WINDOWS_7) {
if (ok && Driver_OsVersion >= DRIVER_WINDOWS_7) {
for (i = 0; openpaths_windows7[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
@ -608,7 +603,7 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS *proc)
}
}
if (Driver_OsVersion >= DRIVER_WINDOWS_8) {
if (ok && Driver_OsVersion >= DRIVER_WINDOWS_8) {
for (i = 0; openpaths_windows8[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
@ -616,7 +611,7 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS *proc)
}
}
if (Driver_OsVersion >= DRIVER_WINDOWS_10) {
if (ok && Driver_OsVersion >= DRIVER_WINDOWS_10) {
for (i = 0; openpaths_windows10[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
@ -656,9 +651,15 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS *proc)
proc->ipc_block_password =
Conf_Get_Boolean(proc->box->name, L"BlockPassword", 0, TRUE);
proc->m_boolAllowSpoolerPrintToFile =
proc->ipc_open_lsa_endpoint =
Conf_Get_Boolean(proc->box->name, L"OpenLsaEndpoint", 0, FALSE);
proc->ipc_allowSpoolerPrintToFile =
Conf_Get_Boolean(proc->box->name, L"AllowSpoolerPrintToFile", 0, FALSE);
proc->ipc_openPrintSpooler =
Conf_Get_Boolean(proc->box->name, L"OpenPrintSpooler", 0, FALSE);
//
// if process is launched as a COM server process by DcomLaunch service
// outside the sandbox, then we will need to restart it as Start.exe
@ -871,32 +872,34 @@ _FX NTSTATUS Ipc_CheckGenericObject(
status = STATUS_ACCESS_DENIED;
}
else if (!is_open && !is_closed)
{
int i;
for (i = 0; i < NUM_DYNAMIC_PORTS; i++)
{
if (Ipc_Dynamic_Ports[i].pPortLock)
{
KeEnterCriticalRegion();
ExAcquireResourceSharedLite(Ipc_Dynamic_Ports[i].pPortLock, TRUE);
if (*Ipc_Dynamic_Ports[i].wstrPortName
&& (Name->Length >= 32 * sizeof(WCHAR))
&& _wcsicmp(Name->Buffer, Ipc_Dynamic_Ports[i].wstrPortName) == 0)
{
// dynamic version of RPC ports, see also ipc_spl.c
// and RpcBindingFromStringBindingW in core/dll/rpcrt.c
is_open = TRUE;
}
ExReleaseResourceLite(Ipc_Dynamic_Ports[i].pPortLock);
KeLeaveCriticalRegion();
if (is_open)
break;
}
}
}
// Note: since version 5.46 these are open only per process
//else if (!is_open && !is_closed)
//{
// int i;
// for (i = 0; i < NUM_DYNAMIC_PORTS; i++)
// {
// if (Ipc_Dynamic_Ports[i].pPortLock)
// {
// KeEnterCriticalRegion();
// ExAcquireResourceSharedLite(Ipc_Dynamic_Ports[i].pPortLock, TRUE);
//
// if (*Ipc_Dynamic_Ports[i].wstrPortName
// && (Name->Length >= 32 * sizeof(WCHAR))
// && _wcsicmp(Name->Buffer, Ipc_Dynamic_Ports[i].wstrPortName) == 0)
// {
// // dynamic version of RPC ports, see also ipc_spl.c
// // and RpcBindingFromStringBindingW in core/dll/rpcrt.c
// is_open = TRUE;
// }
//
// ExReleaseResourceLite(Ipc_Dynamic_Ports[i].pPortLock);
// KeLeaveCriticalRegion();
//
// if (is_open)
// break;
// }
// }
//}
if (is_closed || (! is_open))
status = STATUS_ACCESS_DENIED;
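Review bot: The dynamic-port match in Ipc_CheckGenericObject has become a 28-line commented-out block behind the one-line note "since version 5.46 these are open only per process", and the replacement mechanism is not named, so a reader cannot tell where a boxed process now gains access to the spooler endpoint. Replace the dead block with a comment that points at it, e.g. `// Since 5.46 dynamic RPC ports are no longer matched against the global Ipc_Dynamic_Ports table here; SbieSvc opens them per process via API_OPEN_DYNAMIC_PORT (Ipc_Api_OpenDynamicPort), which adds the port to proc->open_ipc_paths, so they fall under the is_open path check above.` The old code survives in history and the conditional chain reads more clearly without it. Ipc_CheckGenericObject starts before the hunk, so the is_open computation it refers to is presumably the open_ipc_paths lookup above the visible lines.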


@ -88,19 +88,11 @@ NTSTATUS Ipc_NtRequestWaitReplyPort(
NTSTATUS Ipc_Api_SetLsaAuthPkg(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_GetSpoolerPort(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_GetSpoolerPortFromPid(PROCESS *proc, ULONG64 *parms);
//NTSTATUS Ipc_Api_AllowSpoolerPrintToFile(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_GetSpoolerPortFromPid(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_GetWpadPortFromPid(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_SetGameConfigStorePort(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_GetSmartCardPortFromPid(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_SetSmartCardPort(PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_OpenDynamicPort(PROCESS* proc, ULONG64* parms);
NTSTATUS Ipc_Api_GetRpcPortFromPid(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PROCESS *proc, ULONG64 *parms);
NTSTATUS Ipc_Api_GetDynamicPortFromPid(PROCESS *proc, ULONG64 *parms);
//---------------------------------------------------------------------------
// Variables


@ -0,0 +1,133 @@
/*
* Copyright 2004-2020 Sandboxie Holdings, LLC
* Copyright 2020 David Xanatos, xanasoft.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
//---------------------------------------------------------------------------
// Inter-Process Communication
//---------------------------------------------------------------------------
#include "ipc.h"
#include "obj.h"
#include "api.h"
#include "util.h"
#include "session.h"
//---------------------------------------------------------------------------
// Ipc_Filter_Lsa_Ep_Msg
//---------------------------------------------------------------------------
_FX BOOLEAN Ipc_Filter_Lsa_Ep_Msg(UCHAR uMsg)
{
BOOLEAN filter = FALSE;
switch (uMsg)
{
//case 0x00: //LsaClose_0
//case 0x02: //LsaEnumeratePrivileges
//case 0x03: //LsaQuerySecurityObject
case 0x04: //LsaSetSecurityObject
//case 0x07: //LsaQueryInformationPolicy
case 0x08: //LsaSetInformationPolicy
case 0x09: //LsaClearAuditLog
case 0x0A: //LsaCreateAccount
//case 0x0B: //LsaEnumerateAccounts
case 0x0C: //LsaCreateTrustedDomain
//case 0x0D: //LsaEnumerateTrustedDomains
//case 0x0E: //LsaICLookupNames
//case 0x0F: //LsaICLookupSids_0
//case 0x10: //LsaCreateSecret
//case 0x11: //LsaOpenAccount
//case 0x12: //LsaEnumeratePrivilegesOfAccount
case 0x13: //LsaAddPrivilegesToAccount
case 0x14: //LsaRemovePrivilegesFromAccount
//case 0x15: //LsaGetQuotasForAccount
case 0x16: //LsaSetQuotasForAccount
//case 0x17: //LsaGetSystemAccessAccount
case 0x18: //LsaSetSystemAccessAccount
//case 0x19: //LsaOpenTrustedDomain
//case 0x1A: //LsaQueryInfoTrustedDomain
case 0x1B: //LsaSetInformationTrustedDomain
//case 0x1C: //LsaOpenSecret
//case 0x1D: //LsaSetSecret_Old
//case 0x1E: //LsaQuerySecret_Old
//case 0x1F: //LsaLookupPrivilegeValue
//case 0x20: //LsaLookupPrivilegeName
//case 0x21: //LsaLookupPrivilegeDisplayName
//case 0x22: //LsaDelete
//case 0x23: //LsaEnumerateAccountsWithUserRight
//case 0x24: //LsaEnumerateAccountRights
case 0x25: //LsaAddAccountRights
case 0x26: //LsaRemoveAccountRights
//case 0x27: //LsaQueryTrustedDomainInfo
case 0x28: //LsaSetTrustedDomainInformation
case 0x29: //LsaDeleteTrustedDomain
case 0x2A: //LsaStorePrivateData_Old
case 0x2B: //LsaRetrievePrivateData_Old
//case 0x2C: //LsaOpenPolicy_0
//case 0x2D: //LsaGetUserName
//case 0x2E: //LsaQueryInformationPolicy
//case 0x30: //LsaQueryTrustedDomainInfoByName
case 0x31: //LsaSetTrustedDomainInfoByName
//case 0x32: //LsaEnumerateTrustedDomainsEx
//case 0x35: //LsaQueryDomainInformationPolicy
case 0x36: //LsaSetDomainInformationPolicy
//case 0x37: //LsaOpenTrustedDomainByName
//case 0x39: //LsaICLookupSids_0
//case 0x3A: //LsaICLookupNames
case 0x3B: //LsaCreateTrustedDomainEx
//case 0x44: //LsaICLookupNames
//case 0x49: //LsaQueryForestTrustInformation
case 0x4A: //LsaSetForestTrustInformation
//case 0x4C: //LsaICLookupSidsWithCreds
//case 0x4D: //LsaICLookupNamesWithCreds
//case 0x4E: //LsaOpenPolicySce
case 0x5F: //LsaManageSidNameMapping
case 0x67: //AuditpSetGlobalSacl
//case 0x68: //AuditpQueryGlobalSacl
//case 0xEF: //Unknown
filter = TRUE;
}
if (Session_MonitorCount) {
WCHAR access_str[24];
swprintf(access_str, L" Msg: %02X", (ULONG)uMsg);
const WCHAR* strings[3] = { L"\\RPC Control\\LSARPC_ENDPOINT", access_str, NULL };
Session_MonitorPutEx(MONITOR_IPC | (filter ? MONITOR_DENY : MONITOR_OPEN), strings, PsGetCurrentProcessId());
}
return filter;
}
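Review bot: Ipc_Filter_Lsa_Ep_Msg is a deny-list: only the enumerated opnums set `filter`, so every opnum not listed — including the `//case 0xEF: //Unknown` entry left commented out and any opnum a later Windows build adds to LSARPC — passes through to lsass, and nothing states that this fail-open default is intentional. A header comment should record it together with the source of the numbering, e.g. `// Returns TRUE for LSARPC opnums a sandboxed process must not issue (policy, account, trusted-domain, privilege and private-data mutation). Fail-open by design: opnums not listed, including newer ones, are allowed; the table is keyed on the byte the caller reads from the request, and the names reflect the lsarpc interface on the Windows 7+ builds examined.` Adding `default: break;` to the switch makes the fall-through intent explicit for the next person who touches the table. `swprintf` into the 24-WCHAR `access_str` is safe for the ` Msg: %02X` format of a UCHAR, but a bounded `RtlStringCbPrintfW` would keep that property if the format is ever extended.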


@ -131,11 +131,14 @@ static NTSTATUS Ipc_CheckPortRequest_WinApi(
static NTSTATUS Ipc_CheckPortRequest_Lsa(
PROCESS *proc, OBJECT_NAME_INFORMATION *Name, PORT_MESSAGE *msg);
static NTSTATUS Ipc_CheckPortRequest_LsaEP(
PROCESS* proc, OBJECT_NAME_INFORMATION* Name, PORT_MESSAGE* msg);
static NTSTATUS Ipc_CheckPortRequest_PowerManagement(
PROCESS *proc, OBJECT_NAME_INFORMATION *Name, PORT_MESSAGE *msg);
//static NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
// PROCESS *proc, OBJECT_NAME_INFORMATION *Name, PORT_MESSAGE *msg);
static NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
PROCESS *proc, OBJECT_NAME_INFORMATION *Name, PORT_MESSAGE *msg);
@ -237,10 +240,12 @@ _FX NTSTATUS Ipc_CheckPortRequest(
status = Ipc_CheckPortRequest_WinApi(proc, Name, msg);
if (status == STATUS_BAD_INITIAL_PC)
status = Ipc_CheckPortRequest_Lsa(proc, Name, msg);
if (status == STATUS_BAD_INITIAL_PC)
status = Ipc_CheckPortRequest_LsaEP(proc, Name, msg);
if (status == STATUS_BAD_INITIAL_PC)
status = Ipc_CheckPortRequest_PowerManagement(proc, Name, msg);
//if (status == STATUS_BAD_INITIAL_PC)
//status = Ipc_CheckPortRequest_SpoolerPort(proc, Name, msg);
if (status == STATUS_BAD_INITIAL_PC)
status = Ipc_CheckPortRequest_SpoolerPort(proc, Name, msg);
if (status == STATUS_BAD_INITIAL_PC)
status = STATUS_SUCCESS;
@ -270,13 +275,17 @@ finish:
// This routine is currently not used. We chose to block spooler CreateFile in the minifilter instead. But I (Curt) am keeping this code
// around because it demonstrates how to examine & filter RPC requests going to the spooler.
/*
// todo: move this code to ipc_spl.c
BOOLEAN Ipc_Filter_Spooler_Msg(UCHAR uMsg);
_FX NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
PROCESS *proc, OBJECT_NAME_INFORMATION *Name, PORT_MESSAGE *msg)
{
NTSTATUS status;
if (! proc->ipc_block_password)
if (proc->ipc_openPrintSpooler) // see if we are not filtering spooler requests
return STATUS_BAD_INITIAL_PC;
//
@ -284,13 +293,33 @@ _FX NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
//
if (Driver_OsVersion >= DRIVER_WINDOWS_81) {
if (Name->Name.Length < 13 * sizeof(WCHAR))
return STATUS_BAD_INITIAL_PC;
if (_wcsicmp(Name->Name.Buffer + 13, Ipc_SpoolerPort) != 0)
BOOLEAN is_spooler = FALSE;
if (Ipc_Dynamic_Ports[SPOOLER_PORT].pPortLock)
{
KeEnterCriticalRegion();
ExAcquireResourceSharedLite(Ipc_Dynamic_Ports[SPOOLER_PORT].pPortLock, TRUE);
if (_wcsicmp(Name->Name.Buffer, Ipc_Dynamic_Ports[SPOOLER_PORT].wstrPortName) == 0)
{
// dynamic version of RPC ports, see also ipc_spl.c
// and RpcBindingFromStringBindingW in core/dll/rpcrt.c
is_spooler = TRUE;
}
ExReleaseResourceLite(Ipc_Dynamic_Ports[SPOOLER_PORT].pPortLock);
KeLeaveCriticalRegion();
}
if(!is_spooler)
return STATUS_BAD_INITIAL_PC;
}
else if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA) {
if (_wcsicmp(Name->Name.Buffer, L"\\RPC Control\\spoolss") != 0)
return STATUS_BAD_INITIAL_PC;
@ -301,9 +330,6 @@ _FX NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
// examine message
//
if (proc->m_boolAllowSpoolerPrintToFile) // see if we are allowing print to file
return STATUS_BAD_INITIAL_PC;
status = STATUS_SUCCESS;
__try {
@ -322,19 +348,32 @@ _FX NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
ProbeForRead(ptr, len, sizeof(WCHAR));
if (ptr[20] == 17) { // RpcStartDocPrinter = Opnum 17
status = STATUS_ACCESS_DENIED;
//for (i = 20; i < len - 12; i++)
//{
// rc = memcmp((void*)&(ptr[i]), "\4\0\0\0\0\0\0\0\4\0\0\0\0", 12); // search for marshaled "RAW" field length bytes
// if (rc == 0)
// {
// rc = _wcsnicmp((void*)&(ptr[i + 12]), L"raw", 3); // search for case insensitive "RAW"
// if (rc == 0)
// status = STATUS_ACCESS_DENIED;
// }
//}
/*if (ptr[20] == 17) { // RpcStartDocPrinter = Opnum 17
if (!proc->ipc_allowSpoolerPrintToFile)
{
status = STATUS_ACCESS_DENIED;
//for (i = 20; i < len - 12; i++)
//{
// rc = memcmp((void*)&(ptr[i]), "\4\0\0\0\0\0\0\0\4\0\0\0\0", 12); // search for marshaled "RAW" field length bytes
// if (rc == 0)
// {
// rc = _wcsnicmp((void*)&(ptr[i + 12]), L"raw", 3); // search for case insensitive "RAW"
// if (rc == 0)
// status = STATUS_ACCESS_DENIED;
// }
//}
}
if (status == STATUS_ACCESS_DENIED)
Log_MsgP0(MSG_1319, proc->pid);
}
else*/
if (Ipc_Filter_Spooler_Msg(ptr[20]))
status = STATUS_ACCESS_DENIED;
//DbgPrint("Spooler IPC Port message ID: %d\n", (int)ptr[20]);
}
@ -342,12 +381,8 @@ _FX NTSTATUS Ipc_CheckPortRequest_SpoolerPort(
status = GetExceptionCode();
}
if (status == STATUS_ACCESS_DENIED)
Log_MsgP0(MSG_1319, proc->pid);
return status;
}
*/
//---------------------------------------------------------------------------
// Ipc_DisplayPowerMsg
@ -658,7 +693,7 @@ _FX NTSTATUS Ipc_CheckPortRequest_Lsa(
--len;
}
} else {
} else { // xp support
//
// prior to Windows Vista, we have a 'call package' api
@ -699,6 +734,65 @@ _FX NTSTATUS Ipc_CheckPortRequest_Lsa(
}
//---------------------------------------------------------------------------
// Ipc_CheckPortRequest_LsaEP
//---------------------------------------------------------------------------
// todo: move the lsa code to code to ipc_lsa.c
BOOLEAN Ipc_Filter_Lsa_Ep_Msg(UCHAR uMsg);
_FX NTSTATUS Ipc_CheckPortRequest_LsaEP(
PROCESS* proc, OBJECT_NAME_INFORMATION* Name, PORT_MESSAGE* msg)
{
NTSTATUS status;
if (proc->ipc_open_lsa_endpoint)
return STATUS_BAD_INITIAL_PC;
if (Name->Name.Length == 28 * sizeof(WCHAR)) {
if (_wcsicmp(Name->Name.Buffer, L"\\RPC Control\\LSARPC_ENDPOINT") != 0)
return STATUS_BAD_INITIAL_PC;
}
else
return STATUS_BAD_INITIAL_PC;
//
// examine message
//
status = STATUS_SUCCESS;
__try {
ProbeForRead(msg, sizeof(PORT_MESSAGE), sizeof(ULONG_PTR));
if (Driver_OsVersion >= DRIVER_WINDOWS_7) {
ULONG len = msg->u1.s1.DataLength;
UCHAR* ptr = (UCHAR*)((UCHAR*)msg + sizeof(PORT_MESSAGE));
int i = 0;
int rc = -2;
ProbeForRead(ptr, len, sizeof(WCHAR));
if (Ipc_Filter_Lsa_Ep_Msg(ptr[20]))
status = STATUS_ACCESS_DENIED;
//DbgPrint("\\RPC Control\\LSARPC_ENDPOINT message ID: %d\n", (int)ptr[20]);
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
return status;
}
//---------------------------------------------------------------------------
// Ipc_ImpersonatePort
//---------------------------------------------------------------------------
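Review bot: Ipc_CheckPortRequest_LsaEP reads `ptr[20]` right after `ProbeForRead(ptr, len, sizeof(WCHAR))` without checking that `len` (msg->u1.s1.DataLength) is at least 21, so a short message is classified on a byte outside the probed region; the spooler path has the same shape at `Ipc_Filter_Spooler_Msg(ptr[20])`. Change the test to `if (len < 21 || Ipc_Filter_Lsa_Ep_Msg(ptr[20])) status = STATUS_ACCESS_DENIED;` so undersized requests are refused instead of guessed at. Both filters also take the opnum directly from the caller's buffer, so another thread can rewrite that byte after the check and before the real port call presumably copies the message — a limitation of in-place filtering that should at least be stated in a comment above the `__try`. The unused `i` and `rc` locals can go. Ipc_CheckPortRequest_LsaEP lies entirely inside the hunk; Ipc_CheckPortRequest_SpoolerPort begins before its visible lines.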


@ -25,6 +25,7 @@
#include "obj.h"
#include "api.h"
#include "util.h"
#include "session.h"
//---------------------------------------------------------------------------
@ -32,9 +33,7 @@
//---------------------------------------------------------------------------
static NTSTATUS Ipc_Api_GetRpcPortName_2(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PEPROCESS ProcessObject, WCHAR *pDstPortName);
static NTSTATUS Ipc_Api_CopyRpcPortName(enum ENUM_DYNAMIC_PORT_TYPE ePortType, WCHAR *pDstPortName, WCHAR *pSrcPortName);
static NTSTATUS Ipc_Api_GetRpcPortName_2(PEPROCESS ProcessObject, WCHAR *pDstPortName);
//---------------------------------------------------------------------------
@ -61,67 +60,114 @@ static const WCHAR *_rpc_control = L"\\RPC Control";
// {
// PROCESS *proc = Process_Find(pArgs->process_id.val, NULL);
// if (proc && proc != PROCESS_TERMINATED)
// proc->m_boolAllowSpoolerPrintToFile = TRUE;
// proc->ipc_allowSpoolerPrintToFile = TRUE;
// }
// return 0;
//}
_FX NTSTATUS Ipc_Api_GetSpoolerPortFromPid(PROCESS *proc, ULONG64 *parms)
//---------------------------------------------------------------------------
// Ipc_Api_OpenDynamicPort
//---------------------------------------------------------------------------
// Param 1 is dynamic port name (e.g. "\RPC Control\LRPC-f760d5b40689a98168"), WCHAR[DYNAMIC_PORT_NAME_CHARS]
// Param 2 is the process PID for which to open the port
// Param 3 is the port type/identifier, can be -1 indicating non special port
_FX NTSTATUS Ipc_Api_OpenDynamicPort(PROCESS* proc, ULONG64* parms)
{
return Ipc_Api_GetRpcPortFromPid(SPOOLER_PORT, proc, parms);
NTSTATUS status = STATUS_SUCCESS;
//KIRQL irql;
API_OPEN_DYNAMIC_PORT_ARGS* pArgs = (API_OPEN_DYNAMIC_PORT_ARGS*)parms;
WCHAR portName[DYNAMIC_PORT_NAME_CHARS];
if (proc) // is caller sandboxed?
return STATUS_ACCESS_DENIED;
//if (PsGetCurrentProcessId() != Api_ServiceProcessId)
// return STATUS_ACCESS_DENIED;
ENUM_DYNAMIC_PORT_TYPE ePortType = NUM_DYNAMIC_PORTS;
//if (pArgs->port_type.val == -1)
// ePortType = NUM_DYNAMIC_PORTS;
//else
if (pArgs->port_type.val <= NUM_DYNAMIC_PORTS)
ePortType = (ENUM_DYNAMIC_PORT_TYPE)pArgs->port_type.val;
//else
// return STATUS_INVALID_PARAMETER;
if(pArgs->port_name.val == NULL)
return STATUS_INVALID_PARAMETER;
try {
ProbeForRead(pArgs->port_name.val, sizeof(WCHAR) * DYNAMIC_PORT_NAME_CHARS, sizeof(WCHAR));
wmemcpy(portName, pArgs->port_name.val, DYNAMIC_PORT_NAME_CHARS - 1);
portName[DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
if (!NT_SUCCESS(status))
return status;
//proc = Process_Find(pArgs->process_id.val, &irql);
proc = Process_Find(pArgs->process_id.val, NULL);
if (proc && (proc != PROCESS_TERMINATED))
{
//
// When this is a special port save it our global Ipc_Dynamic_Ports structure
//
if (ePortType != NUM_DYNAMIC_PORTS && Ipc_Dynamic_Ports[ePortType].pPortLock)
{
KeEnterCriticalRegion();
ExAcquireResourceExclusiveLite(Ipc_Dynamic_Ports[ePortType].pPortLock, TRUE);
wmemcpy(Ipc_Dynamic_Ports[ePortType].wstrPortName, portName, DYNAMIC_PORT_NAME_CHARS);
ExReleaseResourceLite(Ipc_Dynamic_Ports[ePortType].pPortLock);
KeLeaveCriticalRegion();
}
//
// Open the port for the selected process
//
KIRQL irql2;
KeRaiseIrql(APC_LEVEL, &irql2);
ExAcquireResourceExclusiveLite(proc->ipc_lock, TRUE);
Process_AddPath(proc, &proc->open_ipc_paths, NULL, FALSE, portName, FALSE);
ExReleaseResourceLite(proc->ipc_lock);
KeLowerIrql(irql2);
}
else
status = STATUS_NOT_FOUND;
//ExReleaseResourceLite(Process_ListLock);
//KeLowerIrql(irql);
return status;
}
_FX NTSTATUS Ipc_Api_GetWpadPortFromPid(PROCESS *proc, ULONG64 *parms)
{
return Ipc_Api_GetRpcPortFromPid(WPAD_PORT, proc, parms);
}
//---------------------------------------------------------------------------
// Ipc_Api_GetDynamicPortFromPid
//---------------------------------------------------------------------------
_FX NTSTATUS Ipc_Api_GetSmartCardPortFromPid(PROCESS *proc, ULONG64 *parms)
{
return Ipc_Api_GetRpcPortFromPid(SMART_CARD_PORT, proc, parms);
}
// Param 1 is dynamic port name (e.g. "LRPC-f760d5b40689a98168")
// Param 1 is the service PID
// Param 2 will return the port name with "\RPC Control\" prepended
_FX NTSTATUS Ipc_Api_SetGameConfigStorePort(PROCESS *proc, ULONG64 *parms)
{
WCHAR name[DYNAMIC_PORT_NAME_CHARS];
API_SET_GAME_CONFIG_STORE_PORT_ARGS *pArgs = (API_SET_GAME_CONFIG_STORE_PORT_ARGS *)parms;
swprintf(name, L"%s\\%s", _rpc_control, pArgs->port_name);
return Ipc_Api_CopyRpcPortName(GAME_CONFIG_STORE_PORT, pArgs->full_port_name.val, name);
}
_FX NTSTATUS Ipc_Api_SetSmartCardPort(PROCESS *proc, ULONG64 *parms)
{
WCHAR name[DYNAMIC_PORT_NAME_CHARS];
API_SET_SMART_CARD_PORT_ARGS *pArgs = (API_SET_SMART_CARD_PORT_ARGS *)parms;
swprintf(name, L"%s\\%s", _rpc_control, pArgs->port_name);
return Ipc_Api_CopyRpcPortName(SMART_CARD_PORT, pArgs->full_port_name.val, name);
}
//---------------------------------------------------------------------------
// Ipc_Api_GetRpcPortNameFromPid
//---------------------------------------------------------------------------
_FX NTSTATUS Ipc_Api_GetRpcPortFromPid(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PROCESS *proc, ULONG64 *parms)
_FX NTSTATUS Ipc_Api_GetDynamicPortFromPid(PROCESS *proc, ULONG64 *parms)
{
NTSTATUS status;
PEPROCESS ProcessObject;
BOOLEAN done = FALSE;
//BOOLEAN done = FALSE;
API_GET_DYNAMIC_PORT_FROM_PID_ARGS *pArgs = (API_GET_DYNAMIC_PORT_FROM_PID_ARGS *)parms;
if (proc) // is caller sandboxed?
return STATUS_ACCESS_DENIED;
//
// this function determines the dynamic RPC endpoint that is used by a service/process
//
@ -130,28 +176,28 @@ _FX NTSTATUS Ipc_Api_GetRpcPortFromPid(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PR
if (NT_SUCCESS(status)) {
if (PsGetProcessSessionId(ProcessObject) == 0) {
//if (PsGetProcessSessionId(ProcessObject) == 0) {
//
// void *nbuf;
// ULONG nlen;
// WCHAR *nptr;
//
// Process_GetProcessName(
// Driver_Pool, (ULONG_PTR)pArgs->process_id.val, &nbuf, &nlen, &nptr);
//
// if (nbuf) {
//
// if (_wcsicmp(nptr, pArgs->exe_name.val) == 0
// && MyIsProcessRunningAsSystemAccount(pArgs->process_id.val)) {
void *nbuf;
ULONG nlen;
WCHAR *nptr;
status = Ipc_Api_GetRpcPortName_2(ProcessObject, pArgs->full_port_name.val);
Process_GetProcessName(
Driver_Pool, (ULONG_PTR)pArgs->process_id.val, &nbuf, &nlen, &nptr);
if (nbuf) {
if (_wcsicmp(nptr, pArgs->exe_name.val) == 0
&& MyIsProcessRunningAsSystemAccount(pArgs->process_id.val)) {
status = Ipc_Api_GetRpcPortName_2(ePortType, ProcessObject, pArgs->port_name.val);
done = TRUE;
}
Mem_Free(nbuf, nlen);
}
}
// done = TRUE;
// }
//
// Mem_Free(nbuf, nlen);
// }
//}
ObDereferenceObject(ProcessObject);
}
@ -164,7 +210,8 @@ _FX NTSTATUS Ipc_Api_GetRpcPortFromPid(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PR
// Ipc_Api_GetRpcPortName_2
//---------------------------------------------------------------------------
_FX NTSTATUS Ipc_Api_GetRpcPortName_2(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PEPROCESS ProcessObject, WCHAR *pDstPortName)
_FX NTSTATUS Ipc_Api_GetRpcPortName_2(PEPROCESS ProcessObject, WCHAR *pDstPortName)
{
NTSTATUS status;
ULONG len, dummy_len;
@ -187,7 +234,7 @@ _FX NTSTATUS Ipc_Api_GetRpcPortName_2(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PEP
return status;
//
// get a list of all processes in the system
// get a list of all objects in the system
//
len = 0;
@ -259,7 +306,20 @@ _FX NTSTATUS Ipc_Api_GetRpcPortName_2(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PEP
} *AlpcPortObject = PortObject;
if (AlpcPortObject->OwnerProcess == ProcessObject) {
Ipc_Api_CopyRpcPortName(ePortType, pDstPortName, name);
__try {
if (pDstPortName)
{
ProbeForWrite(pDstPortName, sizeof(WCHAR) * DYNAMIC_PORT_NAME_CHARS, sizeof(WCHAR));
wmemcpy(pDstPortName, name, DYNAMIC_PORT_NAME_CHARS - 1);
pDstPortName[DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';
}
} __except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
ObDereferenceObject(PortObject);
break;
}
@ -285,45 +345,139 @@ _FX NTSTATUS Ipc_Api_GetRpcPortName_2(enum ENUM_DYNAMIC_PORT_TYPE ePortType, PEP
//---------------------------------------------------------------------------
// Ipc_Api_CopyRpcPortName
// Ipc_Filter_Spooler_Msg
//---------------------------------------------------------------------------
_FX NTSTATUS Ipc_Api_CopyRpcPortName(enum ENUM_DYNAMIC_PORT_TYPE ePortType, WCHAR *pDstPortName, WCHAR *pSrcPortName)
_FX BOOLEAN Ipc_Filter_Spooler_Msg(UCHAR uMsg)
{
NTSTATUS status;
BOOLEAN filter = FALSE;
if (Ipc_Dynamic_Ports[ePortType].pPortLock) {
switch (uMsg)
{
//case 0x00: //EnumPrinters
//case 0x02: //SetJob
//case 0x03: //GetJob
//case 0x04: //EnumJobs
case 0x05: //AddPrinter
case 0x06: //DeletePrinter
//case 0x07: //SetPrinter
//case 0x08: //GetPrinter
//case 0x0A: //EnumPrinterDrivers
//case 0x0B: //CallDrvDocumentEventThunk
//case 0x0C: //GetPrinterDriverDirectory
case 0x0D: //DeletePrinterDriver
case 0x0E: //AddPrintProcessor
//case 0x0F: //EnumPrintProcessors
//case 0x10: //GetPrintProcessorDirectory
//case 0x11: //StartDocPrinter
//case 0x12: //StartPagePrinter
//case 0x13: //FlushBuffer
//case 0x14: //EndPagePrinter
//case 0x15: //AbortPrinter
//case 0x16: //ReadPrinter
//case 0x17: //EndDocPrinter
//case 0x18: //AddJob
//case 0x19: //ScheduleJobWorker
//case 0x1A: //GetPrinterData
case 0x1B: //SetPrinterData
//case 0x1C: //WaitForPrinterChange
//case 0x1D: //ClosePrinterContextHandle
case 0x1E: //AddForm
case 0x1F: //DeleteForm
//case 0x20: //GetForm
case 0x21: //SetForm
//case 0x22: //EnumForms
//case 0x23: //EnumPorts
//case 0x24: //EnumMonitors
case 0x25: //AddPort
case 0x26: //ConfigurePort
case 0x27: //DeletePort
case 0x28: //CreatePrinterIC
case 0x29: //PlayGdiScriptOnPrinterIC
case 0x2A: //DeletePrinterIC
//case 0x2C: //DeletePrinterConnection
case 0x2E: //AddMonitor
case 0x2F: //DeleteMonitor
case 0x30: //DeletePrintProcessor
case 0x31: //AddPrintProvidor
case 0x32: //DeletePrintProvidor
//case 0x33: //EnumPrintProcessorDatatypes
//case 0x35: //GetPrinterDriver
//case 0x36: //FindFirstPrinterChangeNotificationWorker
//case 0x37: //FindNextPrinterChangeNotification
//case 0x38: //FindClosePrinterChangeNotificationWorker
KeEnterCriticalRegion();
ExAcquireResourceExclusiveLite(Ipc_Dynamic_Ports[ePortType].pPortLock, TRUE);
case 0x3D: //AddPortEx
if (pSrcPortName && (*pSrcPortName))
{
__try {
//case 0x40: //ResetPrinter
if (pDstPortName)
{
ProbeForWrite(pDstPortName, sizeof(WCHAR) * DYNAMIC_PORT_NAME_CHARS, sizeof(WCHAR));
wmemcpy(pDstPortName, pSrcPortName, DYNAMIC_PORT_NAME_CHARS - 1);
pDstPortName[DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';
}
// save port name in our global Ipc_Dynamic_Ports structure
wmemcpy(Ipc_Dynamic_Ports[ePortType].wstrPortName, pSrcPortName, DYNAMIC_PORT_NAME_CHARS - 1);
Ipc_Dynamic_Ports[ePortType].wstrPortName[DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';
case 0x47: //SetPort
//case 0x48: //EnumPrinterData
case 0x49: //DeletePrinterData
status = STATUS_SUCCESS;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
}
case 0x4D: //SetPrinterDataEx
//case 0x4E: //GetPrinterDataEx
//case 0x4F: //EnumPrinterDataEx
//case 0x50: //EnumPrinterKey
case 0x51: //DeletePrinterDataEx
case 0x52: //DeletePrinterKey
//case 0x53: //SeekPrinter
case 0x54: //DeletePrinterDriverEx
case 0x55: //AddPerMachineConnection
case 0x56: //DeletePerMachineConnection
//case 0x57: //EnumPerMachineConnections
//case 0x58: //GetMonitorUI
case 0x59: //AddPrinterDriverEx
//case 0x5A: //OpenPrinterRPC
ExReleaseResourceLite(Ipc_Dynamic_Ports[ePortType].pPortLock);
KeLeaveCriticalRegion();
//case 0x5D: //GetSpoolFileHandle
//case 0x5E: //CommitSpoolData
//case 0x5F: //CloseSpoolFileHandle
//case 0x60: //FlushPrinter
//case 0x61: //SendRecvBidiData
case 0x63: //AddPrinterConnection
case 0x64: //InstallPrinterDriverFromPackage
case 0x65: //UploadPrinterDriverPackage
//case 0x66: //GetCorePrinterDrivers
//case 0x67: //CorePrinterDriverInstalled
//case 0x68: //GetPrinterDriverPackagePath
case 0x69: //DeletePrinterDriverPackage
//case 0x6A: //FindCompatibleDriver
//case 0x6B: //ReportJobProcessingProgress
case 0x6C: //SpoolerSetPolicy
//case 0x6D: //GetPrinterDriver
//case 0x6E: //GetJobNamedPropertyValue
//case 0x6F: //SetJobNamedProperty
//case 0x70: //DeleteJobNamedProperty
//case 0x71: //EnumJobNamedProperties
//case 0x72: //ConnectToLd64In32ServerWorker
//case 0x73: //GetUserPropertyBag
//case 0x74: //LogJobInfoForBranchOffice
//case 0x75: //RegeneratePrintDeviceCapabilities
//case 0xEF: //Unknown
filter = TRUE;
}
if (Session_MonitorCount) {
WCHAR access_str[24];
swprintf(access_str, L" Msg: %02X", (ULONG)uMsg);
const WCHAR* strings[3] = { L"\\RPC Control\\spoolss", access_str, NULL };
Session_MonitorPutEx(MONITOR_IPC | (filter ? MONITOR_DENY : MONITOR_OPEN), strings, PsGetCurrentProcessId());
}
return status;
return filter;
}


@ -786,10 +786,14 @@ _FX void Process_NotifyProcess(
if (Create) {
if (ParentId) {
//
// it is possible to specify the parrent process when calling RtlCreateUserProcess
// this is for example done by the appinfo service running under svchost.exe
// to start LocalBridge.exe with RuntimeBroker.exe as parent
// hence we take for our purposes the ID of the process calling RtlCreateUserProcess instead
//
Process_NotifyProcess_Create(ProcessId, ParentId, NULL);
}
Process_NotifyProcess_Create(ProcessId, PsGetCurrentProcessId(), NULL);
} else {
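Review bot: After this change `Process_NotifyProcess_Create(ProcessId, PsGetCurrentProcessId(), NULL);` runs unconditionally, so the `if (ParentId)` block above it appears to hold nothing but the comment (whether the `Process_NotifyProcess_Create(ProcessId, ParentId, NULL);` line survives as removed or commented code cannot be told from the rendered hunk). If the block is now empty, drop the conditional and keep the comment beside the call, and say in it explicitly that a caller-supplied parent is deliberately ignored so that the creating process, not a parent it nominates, decides how the new process is treated; the comment currently only hints at that by example. Spelling: `parrent` → `parent`. Process_NotifyProcess continues outside the hunk.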


@ -153,7 +153,9 @@ struct _PROCESS {
ULONG ipc_trace;
BOOLEAN ipc_warn_startrun;
BOOLEAN ipc_block_password;
BOOLEAN m_boolAllowSpoolerPrintToFile;
BOOLEAN ipc_open_lsa_endpoint;
BOOLEAN ipc_allowSpoolerPrintToFile;
BOOLEAN ipc_openPrintSpooler;
// gui-related
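Review bot: The three new or renamed flags mix naming styles inside one struct: `ipc_open_lsa_endpoint` is snake_case while `ipc_allowSpoolerPrintToFile` and `ipc_openPrintSpooler` are camelCase after the prefix, and the neighbouring fields (`ipc_trace`, `ipc_warn_startrun`, `ipc_block_password`) are all snake_case. `ipc_allow_spooler_print_to_file` and `ipc_open_print_spooler` would keep the struct uniform; the users of these fields elsewhere in the commit would need the matching rename. struct _PROCESS continues outside the hunk.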


@ -178,13 +178,13 @@ _FX BOOLEAN Thread_Init(void)
if (! Syscall_Set1("OpenThreadTokenEx", Thread_OpenThreadTokenEx))
return FALSE;
if (! Syscall_Set1("SetInformationProcess",Thread_SetInformationProcess))
if (! Syscall_Set1("SetInformationProcess", Thread_SetInformationProcess))
return FALSE;
if (! Syscall_Set1("SetInformationThread", Thread_SetInformationThread))
return FALSE;
if (! Syscall_Set1(
"ImpersonateAnonymousToken", Thread_ImpersonateAnonymousToken))
"ImpersonateAnonymousToken", Thread_ImpersonateAnonymousToken))
return FALSE;
//
@ -212,7 +212,7 @@ _FX BOOLEAN Thread_Init(void)
// set API handlers
//
Api_SetFunction(API_OPEN_PROCESS, Thread_Api_OpenProcess);
Api_SetFunction(API_OPEN_PROCESS, Thread_Api_OpenProcess);
return TRUE;
}


@ -639,6 +639,16 @@ _FX void *Thread_SetInformationProcess_PrimaryToken_3(
return TokenObject2;
}
//
// special allowance for MSIServer
//
if (!proc->image_from_box &&
_wcsicmp(proc->image_name, L"msiexec.exe") == 0) {
return TokenObject2;
}
//
// otherwise, deny request to set an arbitrary token
//
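Review bot: The new msiexec allowance keys only on `_wcsicmp(proc->image_name, L"msiexec.exe") == 0` together with `!proc->image_from_box`; if image_name is the bare file name rather than a full path, any host-side file that happens to be called msiexec.exe satisfies it and is granted what the following comment calls "an arbitrary token". If a path-qualified check is available (the image living under the system directory), use that, or state in the comment why the name alone is considered sufficient. The comment should also reference the matching exception in ServiceServer::RunHandler2 (`// special exception for MSIServer`) so the two stay in sync, since that one already points back here. The enclosing function starts outside the hunk.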


@ -190,7 +190,7 @@ _FX BOOLEAN Token_Init(void)
MySetPrivilege(3) = SE_SHUTDOWN_PRIVILEGE;
MySetPrivilege(4) = SE_DEBUG_PRIVILEGE;
MySetPrivilege(5) = SE_SYSTEMTIME_PRIVILEGE;
MySetPrivilege(6) = SE_TIME_ZONE_PRIVILEGE;
MySetPrivilege(6) = SE_TIME_ZONE_PRIVILEGE; // vista
#undef MySetPrivilege


@ -25,7 +25,7 @@
#include "EpMapperWire.h"
#include "core/dll/sbiedll.h"
#include "common/defines.h"
#include "core/drv/api_defs.h"
//---------------------------------------------------------------------------
// Constructor
@ -65,36 +65,120 @@ MSG_HEADER *EpMapperServer::EpmapperGetPortNameHandler(MSG_HEADER *msg)
if (req->h.length < sizeof(EPMAPPER_GET_PORT_NAME_REQ))
return SHORT_REPLY(E_INVALIDARG);
EPMAPPER_GET_PORT_NAME_RPL *rpl =
(EPMAPPER_GET_PORT_NAME_RPL *)LONG_REPLY(sizeof(EPMAPPER_GET_PORT_NAME_RPL));
HANDLE idProcess = (HANDLE)(ULONG_PTR)PipeServer::GetCallerProcessId();
WCHAR boxname[48];
if (!NT_SUCCESS(SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL)))
return SHORT_REPLY(E_FAIL);
const WCHAR* wstrSpooler = L"Spooler";
const WCHAR* wstrWPAD = L"WinHttpAutoProxySvc";
RPC_IF_ID ifidGCS = { {0x88abcbc3, 0x34EA, 0x76AE, { 0x82, 0x15, 0x76, 0x75, 0x20, 0x65, 0x5A, 0x23 }}, 0, 0 };
RPC_IF_ID ifidSmartCard = { {0xC6B5235A, 0xE413, 0x481D, { 0x9A, 0xC8, 0x31, 0x68, 0x1B, 0x1F, 0xAA, 0xF5 }}, 1, 1 };
RPC_IF_ID ifidRequest;
const WCHAR* pwszServiceName = NULL;
switch (req->portType)
{
case SPOOLER_PORT: if (SbieApi_QueryConfBool(boxname, L"ClosePrintSpooler", FALSE)) return SHORT_REPLY(E_ACCESSDENIED);
pwszServiceName = wstrSpooler; break;
case WPAD_PORT: pwszServiceName = wstrWPAD; break;
case GAME_CONFIG_STORE_PORT: memcpy(&ifidRequest, &ifidGCS, sizeof(RPC_IF_ID)); break;
case SMART_CARD_PORT: if (!SbieApi_QueryConfBool(boxname, L"OpenSmartCard", TRUE)) return SHORT_REPLY(E_ACCESSDENIED);
memcpy(&ifidRequest, &ifidSmartCard, sizeof(RPC_IF_ID)); break;
default: return SHORT_REPLY(E_INVALIDARG);
}
EPMAPPER_GET_PORT_NAME_RPL *rpl = (EPMAPPER_GET_PORT_NAME_RPL *)LONG_REPLY(sizeof(EPMAPPER_GET_PORT_NAME_RPL));
if (rpl == NULL)
return SHORT_REPLY(E_OUTOFMEMORY);
RPC_EP_INQ_HANDLE hContext = 0;
rpl->h.status = STATUS_NOT_FOUND;
// ask EpMapper for dynamic endpoint names for the desired RPC_IF_ID
RPC_STATUS status = RpcMgmtEpEltInqBegin(NULL, RPC_C_EP_MATCH_BY_IF, &req->ifidRequest, RPC_C_VERS_ALL, NULL, &hContext);
if (status == RPC_S_OK)
{
RPC_BINDING_HANDLE hBinding = 0;
RPC_IF_ID ifidEndpoint;
if (pwszServiceName != NULL) {
// return the 1st match that contains "LRPC-"
while ((status = RpcMgmtEpEltInqNextW(hContext, &ifidEndpoint, &hBinding, NULL, NULL)) == RPC_S_OK)
HANDLE hPid = NULL;
// find the service process
//ULONG error = 0;
SC_HANDLE sc_handle = OpenSCManager(NULL, NULL, GENERIC_READ);
if (sc_handle)
{
RPC_WSTR pwszPortName = NULL;
status = RpcBindingToStringBindingW(hBinding, &pwszPortName); // Get string port name. Format is "ncalrpc:[LRPC-f760d5b40689a98168]"
memset(rpl->wszPortName, 0, sizeof(rpl->wszPortName));
wcsncpy(rpl->wszPortName, (wchar_t *)pwszPortName, DYNAMIC_PORT_NAME_CHARS);
RpcStringFreeW(&pwszPortName);
if (wcsstr(rpl->wszPortName, L"LRPC-"))
break;
SC_HANDLE svc_handle = OpenService(sc_handle, pwszServiceName, SERVICE_QUERY_STATUS | SERVICE_QUERY_CONFIG);
if (svc_handle)
{
SERVICE_STATUS_PROCESS service_status;
ULONG len = sizeof(service_status);
if (QueryServiceStatusEx(svc_handle, SC_STATUS_PROCESS_INFO, (BYTE*)&service_status, len, &len))
hPid = (HANDLE)service_status.dwProcessId;
//else
// error = GetLastError();
CloseServiceHandle(svc_handle);
}
//else
// error = GetLastError();
CloseServiceHandle(sc_handle);
}
RpcMgmtEpEltInqDone(&hContext);
//else
// error = GetLastError();
if (hPid)
{
// Param 1 is the service PID
// Param 2 will return the port name with "\RPC Control\" prepended
rpl->h.status = SbieApi_CallTwo(
API_GET_DYNAMIC_PORT_FROM_PID,
(ULONG_PTR)hPid,
(ULONG_PTR)rpl->wszPortName);
}
}
else {
RPC_EP_INQ_HANDLE hContext = 0;
// ask EpMapper for dynamic endpoint names for the desired RPC_IF_ID
RPC_STATUS status = RpcMgmtEpEltInqBegin(NULL, RPC_C_EP_MATCH_BY_IF, &ifidRequest, RPC_C_VERS_ALL, NULL, &hContext);
if (status == RPC_S_OK)
{
RPC_BINDING_HANDLE hBinding = 0;
RPC_IF_ID ifidEndpoint;
// return the 1st match that contains "LRPC-"
while ((status = RpcMgmtEpEltInqNextW(hContext, &ifidEndpoint, &hBinding, NULL, NULL)) == RPC_S_OK)
{
WCHAR wstrPortName[DYNAMIC_PORT_NAME_CHARS];
RPC_WSTR pwszPortName = NULL;
RpcBindingToStringBindingW(hBinding, &pwszPortName); // Get string port name. Format is "ncalrpc:[LRPC-f760d5b40689a98168]"
if (pwszPortName == NULL)
continue;
wcsncpy(wstrPortName, (wchar_t*)pwszPortName + 9, DYNAMIC_PORT_NAME_CHARS); // format is "ncalrpc:[LRPC-f760d5b40689a98168]" We only want actual port name
wstrPortName[23] = 0; // Take off the ']'
RpcStringFreeW(&pwszPortName);
if (wcsncmp(wstrPortName, L"LRPC-", 5) == 0)
{
_snwprintf(rpl->wszPortName, DYNAMIC_PORT_NAME_CHARS, L"\\RPC Control\\%s", wstrPortName);
rpl->h.status = STATUS_SUCCESS;
break;
}
}
RpcMgmtEpEltInqDone(&hContext);
}
//rpl->hr = status;
}
if (rpl->h.status == STATUS_SUCCESS)
{
// Param 1 is dynamic port name (e.g. "LRPC-f760d5b40689a98168"), WCHAR[DYNAMIC_PORT_NAME_CHARS]
// Param 2 is the process PID for which to open the port
// Param 3 is the port type/identifier, can be -1 indicating non special port
rpl->h.status = SbieApi_CallThree(API_OPEN_DYNAMIC_PORT,
(ULONG_PTR)rpl->wszPortName,
(ULONG_PTR)idProcess,
(ULONG_PTR)req->portType);
}
rpl->hr = status;
return (MSG_HEADER *)rpl;
}
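Review bot: The endpoint parsing in the `else` branch (`wcsncpy(wstrPortName, (wchar_t*)pwszPortName + 9, DYNAMIC_PORT_NAME_CHARS)` followed by `wstrPortName[23] = 0`) assumes every string binding is exactly `ncalrpc:[LRPC-…]` with a 23-character endpoint; a binding without that prefix is copied from an offset that may lie past the end of a shorter string, and the hard-coded index 23 silently depends on DYNAMIC_PORT_NAME_CHARS being larger than 23 and on the endpoint length never changing. Check the prefix before skipping it, cut at the `]` that is actually present, and bound the copy by the buffer size; `wcsncpy` does not guarantee termination on its own and `_snwprintf` leaves rpl->wszPortName unterminated when it truncates, so terminate both explicitly. The `// return the 1st match that contains "LRPC-"` comment should say "starts with", which is what `wcsncmp(…, 5)` tests. The rewritten loop body is below; `EpmapperGetPortNameHandler` begins above the hunk.
```cpp
// … unchanged: RpcMgmtEpEltInqNextW loop head …
    WCHAR wstrPortName[DYNAMIC_PORT_NAME_CHARS];
    RPC_WSTR pwszPortName = NULL;
    RpcBindingToStringBindingW(hBinding, &pwszPortName); // "ncalrpc:[LRPC-f760d5b40689a98168]"
    if (pwszPortName == NULL)
        continue;
    const wchar_t* pszBinding = (const wchar_t*)pwszPortName;
    const wchar_t* pszName = NULL;
    if (wcsncmp(pszBinding, L"ncalrpc:[LRPC-", 14) == 0)
        pszName = pszBinding + 9;                   // skip "ncalrpc:[" only when it is really there
    if (pszName != NULL) {
        wcsncpy(wstrPortName, pszName, DYNAMIC_PORT_NAME_CHARS - 1);
        wstrPortName[DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';
        WCHAR* pszEnd = wcschr(wstrPortName, L']'); // drop the closing bracket wherever it sits
        if (pszEnd != NULL)
            *pszEnd = L'\0';
    }
    RpcStringFreeW(&pwszPortName);
    if (pszName != NULL)
    {
        _snwprintf(rpl->wszPortName, DYNAMIC_PORT_NAME_CHARS, L"\\RPC Control\\%s", wstrPortName);
        rpl->wszPortName[DYNAMIC_PORT_NAME_CHARS - 1] = L'\0';
        rpl->h.status = STATUS_SUCCESS;
        break;
    }
// … unchanged: RpcMgmtEpEltInqDone and the API_OPEN_DYNAMIC_PORT call …
```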


@ -39,13 +39,13 @@
struct tagEPMAPPER_GET_PORT_NAME_REQ
{
MSG_HEADER h;
RPC_IF_ID ifidRequest;
ULONG portType;
};
struct tagEPMAPPER_GET_PORT_NAME_RPL
{
MSG_HEADER h; // h.status is RPC_STATUS
HRESULT hr;
//HRESULT hr;
WCHAR wszPortName[DYNAMIC_PORT_NAME_CHARS];
};
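Review bot: The comment `MSG_HEADER h; // h.status is RPC_STATUS` is now stale: EpmapperGetPortNameHandler in this commit stores NTSTATUS values in h.status (`STATUS_NOT_FOUND`, `STATUS_SUCCESS`, and the results of SbieApi_CallTwo/CallThree), and the RPC_STATUS it used to carry in `hr` is no longer written. Change it to `MSG_HEADER h; // h.status is NTSTATUS (STATUS_NOT_FOUND when no endpoint could be resolved)` and delete the commented-out `//HRESULT hr;` instead of leaving dead text in a wire struct. Because `hr` is gone and `ifidRequest` became `portType`, the request and reply layouts both changed, so the DLL and service sides must be rebuilt together; a one-line note saying so next to the struct would save the next reader a debugging session.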


@ -3414,10 +3414,10 @@ ULONG GuiServer::GetRawInputDeviceInfoSlave(SlaveArgs *args)
SetLastError(ERROR_SUCCESS);
if (req->unicode) {
rpl->retval = GetRawInputDeviceInfoW(req->hDevice, req->uiCommand, reqData, pcbSize);
rpl->retval = GetRawInputDeviceInfoW((HANDLE)req->hDevice, req->uiCommand, reqData, pcbSize);
}
else {
rpl->retval = GetRawInputDeviceInfoA(req->hDevice, req->uiCommand, reqData, pcbSize);
rpl->retval = GetRawInputDeviceInfoA((HANDLE)req->hDevice, req->uiCommand, reqData, pcbSize);
}
rpl->error = GetLastError();
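Review bot: `(HANDLE)req->hDevice` converts the new ULONG64 field straight to a pointer-sized handle, which on a 32-bit build is a silent narrowing that compilers flag at best; the rest of this commit writes the same conversion as `(HANDLE)(ULONG_PTR)…` (EpMapperServer.cpp, ProcessServer.cpp), so `GetRawInputDeviceInfoW((HANDLE)(ULONG_PTR)req->hDevice, req->uiCommand, reqData, pcbSize);` and the matching `GetRawInputDeviceInfoA` line keep the intent explicit and the code base consistent. GetRawInputDeviceInfoSlave continues outside the hunk.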


@ -686,7 +686,7 @@ typedef struct tagGUI_REMOVE_HOST_WINDOW_RPL GUI_REMOVE_HOST_WINDOW_RPL;
struct tagGUI_GET_RAW_INPUT_DEVICE_INFO_REQ
{
ULONG msgid;
HANDLE hDevice;
ULONG64 hDevice;
UINT uiCommand;
BOOLEAN unicode;
BOOLEAN hasData;
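Review bot: `ULONG64 hDevice;` replaces `HANDLE hDevice;` without saying why; from the accompanying casts in GuiServer.cpp this looks like a fixed-width field chosen so the request has one layout for 32-bit and 64-bit clients, but a reader of the header alone cannot tell. Add a comment on the field, e.g. `ULONG64 hDevice; // fixed width: same layout for 32-bit and 64-bit callers, cast back to HANDLE in the slave` (adjust if the actual reason differs). The struct continues outside the hunk.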


@ -31,6 +31,7 @@
#include "common/my_version.h"
#include "core/dll/sbiedll.h"
#include "core/drv/api_defs.h"
#include <sddl.h>
#define SECONDS(n64) (((LONGLONG)n64) * 10000000L)
#define MINUTES(n64) (SECONDS(n64) * 60)
@ -670,13 +671,24 @@ HANDLE ProcessServer::RunSandboxedGetToken(
HANDLE NewTokenHandle;
ULONG LastError;
BOOL ok;
bool ShouldAdjustSessionId = true;
//bool ShouldAdjustSessionId = true;
bool ShouldAdjustDacl = false;
WCHAR boxname[48] = { 0 };
if (CallerInSandbox) {
SbieApi_QueryProcess((HANDLE)(ULONG_PTR)idProcess, boxname, NULL, NULL, NULL);
if (wcscmp(BoxName, L"*SYSTEM*") == 0) {
//
// RunServicesAsSystem=n is not compatible with ProtectRpcSs=y and takes precedence,
// fallbac to using the calling thread's token
//
if (!SbieApi_QueryConfBool(boxname, L"RunServicesAsSystem", FALSE))
goto DoThread;
//
// sandboxed caller specified *SYSTEM* so we use our system token
//
@ -704,6 +716,8 @@ HANDLE ProcessServer::RunSandboxedGetToken(
ShouldAdjustSessionId = false;*/
} else if (wcscmp(BoxName, L"*THREAD*") == 0) {
DoThread:
//
// sandboxed caller specified *THREAD* so we use its thread token
@ -721,22 +735,17 @@ HANDLE ProcessServer::RunSandboxedGetToken(
CloseHandle(ThreadHandle);
// OriginalToken BEGIN
if (!ok)
{
WCHAR boxname[48];
ULONG status = SbieApi_QueryProcessEx2((HANDLE)PipeServer::GetCallerProcessId(), 0,
boxname, NULL, NULL, NULL, NULL);
if (!ok) {
if (status == 0 && SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
{
if (SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
ThreadHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
HANDLE ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
PipeServer::GetCallerProcessId());
ok = OpenProcessToken(
ThreadHandle, TOKEN_RIGHTS, &OldTokenHandle);
ProcessHandle, TOKEN_RIGHTS, &OldTokenHandle);
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
}
}
// OriginalToken END
@ -751,6 +760,17 @@ HANDLE ProcessServer::RunSandboxedGetToken(
SetLastError(ERROR_INVALID_PARAMETER);
return NULL;
}
}
else
{
if (*BoxName == L'-')
{
LONG_PTR Pid = _wtoi(BoxName + 1);
SbieApi_QueryProcess((HANDLE)(ULONG_PTR)Pid, boxname, NULL, NULL, NULL);
}
else
wcscpy(boxname, BoxName);
}
if (! OldTokenHandle) {
@ -771,18 +791,18 @@ HANDLE ProcessServer::RunSandboxedGetToken(
// then adjust session and default dacl
//
ok = DuplicateTokenEx(OldTokenHandle, TOKEN_RIGHTS, NULL,
ok = DuplicateTokenEx(OldTokenHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_RIGHTS, NULL,
SecurityIdentification, TokenPrimary,
&NewTokenHandle);
if (! ok)
NewTokenHandle = NULL;
if (ok && ShouldAdjustSessionId) {
/*if (ok && ShouldAdjustSessionId) {
ULONG SessionId = PipeServer::GetCallerSessionId();
ok = SetTokenInformation(NewTokenHandle, TokenSessionId,
&SessionId, sizeof(ULONG));
}
}*/
if (ok && ShouldAdjustDacl) {
@ -791,17 +811,18 @@ HANDLE ProcessServer::RunSandboxedGetToken(
// then we want to adjust the dacl in the new token
//
WCHAR boxname[48] = { 0 };
if (CallerInSandbox)
SbieApi_QueryProcess((HANDLE)(ULONG_PTR)idProcess, boxname, NULL, NULL, NULL);
else
wcscpy(boxname, BoxName);
if (SbieApi_QueryConfBool(boxname, L"ExposeBoxedSystem", FALSE))
ok = RunSandboxedSetDacl(CallerProcessHandle, NewTokenHandle, GENERIC_ALL, TRUE);
else
ok = RunSandboxedSetDacl(CallerProcessHandle, NewTokenHandle, GENERIC_READ, FALSE);
if (ok && SbieApi_QueryConfBool(boxname, L"StripSystemPrivileges", TRUE)) {
ok = RunSandboxedStripPrivileges(NewTokenHandle);
}
}
if (! ok) {
LastError = GetLastError();
if (NewTokenHandle) {
@ -825,8 +846,15 @@ HANDLE ProcessServer::RunSandboxedGetToken(
BOOL ProcessServer::RunSandboxedSetDacl(
HANDLE CallerProcessHandle, HANDLE NewTokenHandle, DWORD AccessMask, bool useUserSID)
HANDLE CallerProcessHandle, HANDLE NewTokenHandle, DWORD AccessMask, bool useUserSID, HANDLE idProcess)
{
static UCHAR AnonymousLogonSid[12] = {
1, // Revision
1, // SubAuthorityCount
0,0,0,0,0,5, // SECURITY_NT_AUTHORITY // IdentifierAuthority
SECURITY_ANONYMOUS_LOGON_RID,0,0,0 // SubAuthority
};
ULONG LastError;
HANDLE hToken;
ULONG len;
@ -866,6 +894,30 @@ BOOL ProcessServer::RunSandboxedSetDacl(
ok = GetTokenInformation(hToken, TokenUser, pUser, 512, &len);
LastError = GetLastError();
if (idProcess != NULL) // this is used when starting a service
{
//
// in Sandboxie version 4, the primary process token is going to be
// the anonymous token which isn't very useful here, so get the
// textual SID string and convert it into a SID value
//
if (ok && memcmp(pUser->User.Sid, AnonymousLogonSid,
sizeof(AnonymousLogonSid)) == 0) {
PSID TempSid;
WCHAR SidString[96];
SbieApi_QueryProcess(idProcess, NULL, NULL, SidString, NULL);
if (SidString[0]) {
if (ConvertStringSidToSid(SidString, &TempSid)) {
memcpy(pUser + 1, TempSid, GetLengthSid(TempSid));
pUser->User.Sid = (PSID)(pUser + 1);
LocalFree(TempSid);
}
}
}
}
pSid = pUser->User.Sid;
}
else
@ -918,6 +970,43 @@ finish:
}
//---------------------------------------------------------------------------
// RunSandboxedStripPrivilege
//---------------------------------------------------------------------------
BOOL ProcessServer::RunSandboxedStripPrivilege(HANDLE NewTokenHandle, LPCWSTR lpName)
{
LUID luid;
if (!LookupPrivilegeValue(NULL, lpName, &luid))
return FALSE;
TOKEN_PRIVILEGES NewState;
NewState.PrivilegeCount = 1;
NewState.Privileges[0].Luid = luid;
NewState.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED; // Note: A once removed pivilege can not be re added!
NTSTATUS status = NtAdjustPrivilegesToken(NewTokenHandle, FALSE, &NewState, sizeof(NewState), (PTOKEN_PRIVILEGES)NULL, 0);
return NT_SUCCESS(status); // STATUS_SUCCESS or STATUS_NOT_ALL_ASSIGNED when the privilege wasnt there in the first palce, which is also passes NT_SUCCESS
}
//---------------------------------------------------------------------------
// RunSandboxedStripPrivilege
//---------------------------------------------------------------------------
BOOL ProcessServer::RunSandboxedStripPrivileges(HANDLE NewTokenHandle)
{
BOOLEAN ok = RunSandboxedStripPrivilege(NewTokenHandle, SE_TCB_NAME);
if (ok) ok = RunSandboxedStripPrivilege(NewTokenHandle, SE_CREATE_TOKEN_NAME);
if (ok) ok = RunSandboxedStripPrivilege(NewTokenHandle, SE_ASSIGNPRIMARYTOKEN_NAME);
return ok;
}
//---------------------------------------------------------------------------
// RunSandboxedStartProcess
//---------------------------------------------------------------------------
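Review bot: `goto DoThread;` in the `*SYSTEM*` branch of RunSandboxedGetToken jumps to a label placed inside the body of the following `else if (wcscmp(BoxName, L"*THREAD*") == 0)` block, so the thread-token path is entered from outside its own condition; this only compiles because no initialised local is skipped and will break the moment one is added, so computing a `bool useThreadToken` before the if-chain (or moving the `*THREAD*` body into a helper) is the safer shape. The header comment `// RunSandboxedStripPrivilege` above `RunSandboxedStripPrivileges` is a copy-paste slip and should name the plural function, which also narrows the helper's BOOL into `BOOLEAN ok` for no reason. The stripped set is SeTcb, SeCreateToken and SeAssignPrimaryToken only; unless the driver-side list in token.c already covers them, it is worth stating in a comment whether SeDebug and SeLoadDriver were considered and why they stay, and fixing the typos `pivilege`, `wasnt` and `palce` in the same comments. Both hunks of RunSandboxedGetToken start and end outside the rendered section.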


@ -35,6 +35,10 @@ public:
ProcessServer(PipeServer *pipeServer);
static BOOL RunSandboxedSetDacl(HANDLE CallerProcessHandle, HANDLE NewTokenHandle, DWORD AccessMask, bool useUserSID, HANDLE idProcess = NULL);
static BOOL RunSandboxedStripPrivilege(HANDLE NewTokenHandle, LPCWSTR lpName);
static BOOL RunSandboxedStripPrivileges(HANDLE NewTokenHandle);
protected:
static MSG_HEADER *Handler(void *_this, MSG_HEADER *msg);
@ -62,8 +66,6 @@ protected:
HANDLE RunSandboxedGetToken(
HANDLE CallerProcessHandle, bool CallerInSandbox,
const WCHAR *BoxName, ULONG idProcess);
BOOL RunSandboxedSetDacl(
HANDLE CallerProcessHandle, HANDLE NewTokenHandle, DWORD AccessMask, bool useUserSID);
BOOL RunSandboxedStartProcess(
HANDLE PrimaryTokenHandle, LONG_PTR BoxNameOrModelPid,
ULONG CallerProcessId,


@ -70,10 +70,7 @@ private:
ULONG RunHandler2(
HANDLE idProcess, ULONG idSession,
const WCHAR *devmap, const WCHAR *svcname, const WCHAR *path);
void SetTokenCustomDacl(
HANDLE hNewToken, HANDLE idProcess, DWORD AccessMask, bool useUserSID);
MSG_HEADER *UacHandler(
MSG_HEADER *msg, HANDLE idProcess, HANDLE idThread);


@ -24,13 +24,13 @@
#include <shellapi.h>
#include <stdlib.h>
#include <sddl.h>
#include "serviceserver.h"
#include "servicewire.h"
#include "common/defines.h"
#include "common/my_version.h"
#include "core/dll/sbiedll.h"
#include <aclapi.h>
#include "ProcessServer.h"
#define MISC_H_WITHOUT_WIN32_NTDDK_H
#include "misc.h"
@ -288,6 +288,10 @@ ULONG ServiceServer::RunHandler2(
ULONG errlvl;
BOOL ok = TRUE;
WCHAR boxname[48] = { 0 };
SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL);
if (ok) {
errlvl = 0x21;
ExePath =
@ -300,13 +304,21 @@ ULONG ServiceServer::RunHandler2(
if (ok) {
errlvl = 0x22;
ok = OpenProcessToken(GetCurrentProcess(), TOKEN_RIGHTS, &hOldToken);
if (SbieApi_QueryConfBool(boxname, L"RunServicesAsSystem", FALSE)
|| (_wcsicmp(svcname, L"MSIServer") == 0)) { // special exception for MSIServer, see also core/drv/thread_token.c
// use our system token
ok = OpenProcessToken(GetCurrentProcess(), TOKEN_RIGHTS, &hOldToken);
}
else {
// use the callers original token
hOldToken = (HANDLE)SbieApi_QueryProcessInfo(idProcess, 'ptok');
}
}
if (ok) {
errlvl = 0x23;
ok = DuplicateTokenEx(
hOldToken, TOKEN_RIGHTS, NULL, SecurityAnonymous,
hOldToken, TOKEN_ADJUST_PRIVILEGES | TOKEN_RIGHTS, NULL, SecurityAnonymous,
TokenPrimary, &hNewToken);
}
@ -317,15 +329,27 @@ ULONG ServiceServer::RunHandler2(
}
if (ok) {
WCHAR boxname[48] = { 0 };
SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL); // if this fail we take the global config if present
if (SbieApi_QueryConfBool(boxname, L"ExposeBoxedSystem", FALSE))
SetTokenCustomDacl(hNewToken, idProcess, GENERIC_ALL, TRUE);
else //if (_wcsicmp(svcname, L"MSIServer") == 0)
// The MSIServer needs to be extra allowances to work correctly
SetTokenCustomDacl(hNewToken, idProcess, GENERIC_READ, FALSE);
errlvl = 0x26;
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (ULONG)(ULONG_PTR)idProcess);
if (!hProcess)
ok = FALSE;
else
{
if (SbieApi_QueryConfBool(boxname, L"ExposeBoxedSystem", FALSE))
ok = ProcessServer::RunSandboxedSetDacl(hProcess, hNewToken, GENERIC_ALL, TRUE, idProcess);
else
ok = ProcessServer::RunSandboxedSetDacl(hProcess, hNewToken, GENERIC_READ, FALSE);
CloseHandle(hProcess);
}
}
if (ok && SbieApi_QueryConfBool(boxname, L"StripSystemPrivileges", TRUE)) {
errlvl = 0x27;
ok = ProcessServer::RunSandboxedStripPrivileges(hNewToken);
}
if (ok) {
STARTUPINFO si;
@ -365,127 +389,6 @@ ULONG ServiceServer::RunHandler2(
}
//---------------------------------------------------------------------------
// SetTokenCustomDacl
//---------------------------------------------------------------------------
void ServiceServer::SetTokenCustomDacl(HANDLE hNewToken, HANDLE idProcess, DWORD AccessMask, bool useUserSID)
{
static UCHAR AnonymousLogonSid[12] = {
1, // Revision
1, // SubAuthorityCount
0,0,0,0,0,5, // SECURITY_NT_AUTHORITY // IdentifierAuthority
SECURITY_ANONYMOUS_LOGON_RID,0,0,0 // SubAuthority
};
HANDLE hProcess;
HANDLE hToken;
ULONG len;
BOOL ok;
//
// When SbieSvc launches a service process as SYSTEM, make sure the
// default DACL of the new process includes the caller's SID. This
// resolves a problem where a client MsiExec invokes the service
// MsiExec, which in turn invokes a custom action MsiExec process,
// and the client MsiExec fails to open the custom action process.
//
UCHAR *WorkSpace = (UCHAR *)HeapAlloc(GetProcessHeap(), 0, 1024);
if (! WorkSpace)
return;
TOKEN_GROUPS *pLogOn = (TOKEN_GROUPS *)WorkSpace;
TOKEN_USER *pUser = (TOKEN_USER *)WorkSpace;
TOKEN_DEFAULT_DACL *pDacl = (TOKEN_DEFAULT_DACL *)(WorkSpace + 128);
PSID pSid;
//
// get the token for the calling process, extract the user SID
//
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION, FALSE, (ULONG)(ULONG_PTR)idProcess);
if (! hProcess)
goto finish;
ok = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken);
CloseHandle(hProcess);
if (! ok)
goto finish;
if (useUserSID)
{
ok = GetTokenInformation(hToken, TokenUser, pUser, 128, &len);
//
// in Sandboxie version 4, the primary process token is going to be
// the anonymous token which isn't very useful here, so get the
// textual SID string and convert it into a SID value
//
if (ok && memcmp(pUser->User.Sid, AnonymousLogonSid,
sizeof(AnonymousLogonSid)) == 0) {
PSID TempSid;
WCHAR SidString[96];
SbieApi_QueryProcess(idProcess, NULL, NULL, SidString, NULL);
if (SidString[0]) {
if (ConvertStringSidToSid(SidString, &TempSid)) {
memcpy(pUser + 1, TempSid, GetLengthSid(TempSid));
pUser->User.Sid = (PSID)(pUser + 1);
LocalFree(TempSid);
}
}
}
pSid = pUser->User.Sid;
}
else
{
ok = GetTokenInformation(hToken, TokenLogonSid, pLogOn, 128, &len);
pSid = pLogOn->Groups[0].Sid; // use the LogonSessionId token
}
CloseHandle(hToken);
if (!ok)
goto finish;
//
// extract the default DACL, update it and store it back
//
ok = GetTokenInformation(
hNewToken, TokenDefaultDacl, pDacl, (1024 - 128), &len);
if (! ok)
goto finish;
PACL pAcl = pDacl->DefaultDacl;
pAcl->AclSize += sizeof(ACCESS_ALLOWED_ACE)
- sizeof(DWORD) // minus SidStart member
+ (WORD)GetLengthSid(pSid);
AddAccessAllowedAce(pAcl, ACL_REVISION, AccessMask, pSid);
ok = SetTokenInformation(
hNewToken, TokenDefaultDacl, pDacl, (1024 - 128));
//
// finish
//
finish:
HeapFree(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, WorkSpace);
}
//---------------------------------------------------------------------------
// UacHandler
//---------------------------------------------------------------------------
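Review bot: In the new `else` branch of RunHandler2, `hOldToken = (HANDLE)SbieApi_QueryProcessInfo(idProcess, 'ptok');` never updates `ok`, so a NULL result is only noticed when `DuplicateTokenEx` fails one step later and is then reported under errlvl 0x23 instead of 0x22; add `if (!hOldToken) ok = FALSE;` directly after the assignment. Whether that handle must be closed by this function the way the OpenProcessToken one is cannot be seen here and deserves a comment on the line. The `WCHAR boxname[48]` removed from the `if (ok)` block carried `// if this fail we take the global config if present`, which still describes the new declaration at the top of the function whose `SbieApi_QueryProcess` result is likewise ignored; move that comment up with it. RunHandler2 starts outside the hunk.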


@ -37,6 +37,12 @@ SetCompressor /SOLID /FINAL lzma
!define BIN_ROOT_BASE "${SBIE_INSTALLER_PATH}"
!if "${_BUILDARCH}" == "x64"
!define _W7DRV_COMPAT "$%SbieVer%.x64"
!else
!define _W7DRV_COMPAT "$%SbieVer%.x86"
!endif
;!define SBIEDRV_SYS4 "${SBIEDRV_SYS}.rc4"
;!define SBIEDRV_SYSX "${SBIEDRV_SYS}.w10"
@ -681,7 +687,7 @@ Function InstallTypePage
w7_Drv_ask:
MessageBox MB_YESNO|MB_ICONQUESTION "Windows 7 requires a provisional driver package, you will have to download it from the GitHub release page https://github.com/sandboxie-plus/Sandboxie/releases/ \r\ndo you have it downloaded?" IDYES w7_Drv_ok
MessageBox MB_YESNO|MB_ICONQUESTION "Windows 7 requires a provisional driver package. You will have to download it from the GitHub release page https://github.com/sandboxie-plus/Sandboxie/releases/$\r$\nDo you have it downloaded?" IDYES w7_Drv_ok
MessageBox MB_YESNO|MB_ICONQUESTION "Do you want to open the download page in your default web browser?" IDNO w7_Drv_cancel
ExecShell "open" "https://github.com/sandboxie-plus/Sandboxie/releases/"
@ -694,13 +700,7 @@ w7_Drv_cancel:
w7_Drv_ok:
!if "${_BUILDARCH}" == "x64"
!define w7_drv_compat "5.45.1.x64"
!else
!define w7_drv_compat "5.45.1.x86"
!endif
nsDialogs::SelectFileDialog open "" "Driver binary (*.${w7_drv_compat}.rc4)|*.${w7_drv_compat}.rc4|All Files|*.*"
nsDialogs::SelectFileDialog open "" "Driver binary (*.${_W7DRV_COMPAT}.rc4)|*.${_W7DRV_COMPAT}.rc4|All Files|*.*"
Pop $0
StrCmp $0 "" w7_Drv_cancel
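Review bot: The provisional-driver prompt accepts whatever file the user selects (the filter still offers `All Files|*.*`) and nothing in this hunk checks the chosen package beyond its name, so a wrong or tampered download is rejected late, if at all; comparing the file against a hash the build can embed, or at least checking its signature, before it is used would make the manual path fail early and visibly. The `${_W7DRV_COMPAT}` define now comes from the `SbieVer` environment variable at compile time, which the comment beside the define should say so that a build without it set is not silently mislabelled. The rest of InstallTypePage lies outside the hunk.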
