diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ba71719..75039ee8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - added username notation when the LogFile registry setting is applied as workaround for [#2207](https://github.com/sandboxie-plus/Sandboxie/issues/2207)
 -- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log"
+- added option to block host processes from accessing sandboxed once [#2132](https://github.com/sandboxie-plus/Sandboxie/issues/2132)
+-- usage: DenyHostAccess=Program.exe,y
+- added compatybility template for ReHIPS
 ### Changed
 - improved sandman settings behaviour for non admin users [#2123](https://github.com/sandboxie-plus/Sandboxie/issues/2123)
diff --git a/Sandboxie/core/drv/obj_flt.c b/Sandboxie/core/drv/obj_flt.c
index 492e9eb0..e9c08e88 100644
--- a/Sandboxie/core/drv/obj_flt.c
+++ b/Sandboxie/core/drv/obj_flt.c
@@ -186,16 +186,6 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
 if (PreInfo->KernelHandle == 1)
 return OB_PREOP_SUCCESS;
- //
- // Get the sandboxed process if this request comes form one,
- // filter only requests from sandboxed processes
- //
- PROCESS *proc = NULL;
- proc = Process_Find(NULL, NULL);
- if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
- return OB_PREOP_SUCCESS;
-
 //
 // Get information about the intended operation
 //
@@ -231,16 +221,8 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
 if (PreInfo->ObjectType == *PsProcessType) {
 HANDLE TargetProcessId = PsGetProcessId((PEPROCESS)PreInfo->Object);
-
- //
- // Ignore requests for threads belonging to the current processes.
- //
-
- if (TargetProcessId == PsGetCurrentProcessId())
- goto Exit;
-
 PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object;
- if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) {
+ if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) {
 #ifdef DRV_BREAKOUT
 //
@@ -248,12 +230,16 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
 //
 BOOLEAN is_breakout = FALSE;
+ PROCESS *proc;
 PROCESS *proc2;
 KIRQL irql;
- proc2 = Process_Find(TargetProcessId, &irql);
- if (proc2 && Process_IsStarter(proc, proc2)) {
- is_breakout = TRUE;
+ proc = Process_Find(NULL, NULL);
+ if (proc) {
+ proc2 = Process_Find(TargetProcessId, &irql);
+ if (proc2 && Process_IsStarter(proc, proc2)) {
+ is_breakout = TRUE;
+ }
 }
 ExReleaseResourceLite(Process_ListLock);
@@ -290,16 +276,8 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
 else if (PreInfo->ObjectType == *PsThreadType) {
 HANDLE TargetProcessId = PsGetThreadProcessId ((PETHREAD)PreInfo->Object);
-
- //
- // Ignore requests that are trying to open/duplicate the current process.
- //
-
- if (TargetProcessId == PsGetCurrentProcessId())
- goto Exit;
-
 PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object);
- if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) {
+ if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) {
 *DesiredAccess = 0; // deny any access
 }
 //ObjectTypeName = L"PsThreadType";
diff --git a/Sandboxie/core/drv/process.h b/Sandboxie/core/drv/process.h
index 76647570..b075c8c8 100644
--- a/Sandboxie/core/drv/process.h
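Review bot: In the DRV_BREAKOUT block of the @@ -248 hunk, `ExReleaseResourceLite(Process_ListLock);` (and presumably the `KeLowerIrql(irql)` that follows outside the hunk) now runs even when `proc` is NULL, because `Process_Find(TargetProcessId, &irql)` — the call that pairs with the release both here and in the new Thread_CheckObject_CommonEx — is only made inside `if (proc)`. That path is reachable: Thread_CheckObject_CommonEx returns STATUS_ACCESS_DENIED for an unsandboxed caller when DenyHostAccess matches, which is exactly the `proc == NULL` case, so the deny branch would release a lock it never acquired and lower to an uninitialized `irql`. Either take the lock unconditionally — `proc2 = Process_Find(TargetProcessId, &irql); if (proc && proc2 && Process_IsStarter(proc, proc2)) is_breakout = TRUE;` — or move the release and lower inside `if (proc)`. `proc` can also be the PROCESS_TERMINATED sentinel here, which `Process_IsStarter` would dereference; the check removed in the @@ -186 hunk guarded that case. Obj_PreOperationCallback begins and ends outside these hunks.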
+++ b/Sandboxie/core/drv/process.h
@@ -333,12 +333,14 @@ ULONG Process_MatchPathEx(
 // Process_GetConf: retrieves a configuration data value for a given process
 // use with Conf_AdjustUseCount to make sure the returned pointer is valid
+const WCHAR* Process_GetConfEx(BOX* box, const WCHAR* image_name, const WCHAR* setting);
 const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting);
 // Process_GetConf_bool: parses a y/n setting. this function does not
 // have to be protected with Conf_AdjustUseCount
+BOOLEAN Process_GetConfEx_bool(BOX* box, const WCHAR* image_name, const WCHAR* setting, BOOLEAN def);
 BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def);
diff --git a/Sandboxie/core/drv/process_util.c b/Sandboxie/core/drv/process_util.c
index a308a23a..d658b57c 100644
--- a/Sandboxie/core/drv/process_util.c
+++ b/Sandboxie/core/drv/process_util.c
@@ -357,11 +357,11 @@ _FX const WCHAR* Process_MatchImageAndGetValue(BOX *box, const WCHAR* value, con
 //---------------------------------------------------------------------------
-// Process_GetConf
+// Process_GetConfEx
 //---------------------------------------------------------------------------
-_FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
+_FX const WCHAR* Process_GetConfEx(BOX *box, const WCHAR *image_name, const WCHAR* setting)
 {
 ULONG index = 0;
 const WCHAR *value;
@@ -370,12 +370,12 @@ _FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
 for (index = 0; ; ++index) {
- value = Conf_Get(proc->box->name, setting, index);
+ value = Conf_Get(box->name, setting, index);
 if (! value)
 break;
 ULONG level = -1;
- value = Process_MatchImageAndGetValue(proc->box, value, proc->image_name, &level);
+ value = Process_MatchImageAndGetValue(box, value, image_name, &level);
 if (!value || level > found_level)
 continue;
 found_value = value;
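Review bot: The comment block above `Process_GetConf` in process.h still describes only the PROCESS* form, so the new `Process_GetConfEx` and `Process_GetConfEx_bool` declarations are undocumented. Add a line such as `// Process_GetConfEx: same lookup for an explicit box and image name, for callers that match an image other than the calling process's own` above the first new prototype, and a matching `// Process_GetConfEx_bool: y/n variant of Process_GetConfEx` above the second. The Conf_AdjustUseCount caveat applies equally to the Ex variant, since the header notes it for the pointer-returning form; say so there too.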
@@ -387,18 +387,29 @@ _FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
 //---------------------------------------------------------------------------
-// Process_GetConf_bool
+// Process_GetConf
 //---------------------------------------------------------------------------
-_FX BOOLEAN Process_GetConf_bool(PROCESS *proc, const WCHAR* setting, BOOLEAN def)
+_FX const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting)
+{
+ return Process_GetConfEx(proc->box, proc->image_name, setting);
+} + + //---------------------------------------------------------------------------
+// Process_GetConfEx_bool
+//---------------------------------------------------------------------------
+
+
+_FX BOOLEAN Process_GetConfEx_bool(BOX *box, const WCHAR *image_name, const WCHAR* setting, BOOLEAN def)
 {
 const WCHAR *value;
 BOOLEAN retval;
 Conf_AdjustUseCount(TRUE);
- value = Process_GetConf(proc, setting);
+ value = Process_GetConfEx(box, image_name, setting);
 retval = def;
 if (value) {
@@ -414,6 +425,17 @@ _FX BOOLEAN Process_GetConf_bool(PROCESS *proc, const WCHAR* setting, BOOLEAN de
 }
+//---------------------------------------------------------------------------
+// Process_GetConf_bool
+//---------------------------------------------------------------------------
+
+
+_FX BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def)
+{
+ return Process_GetConfEx_bool(proc->box, proc->image_name, setting, def);
+}
+
+
 //---------------------------------------------------------------------------
 // Process_GetPaths
 //---------------------------------------------------------------------------
diff --git a/Sandboxie/core/drv/thread.c b/Sandboxie/core/drv/thread.c
index 39b6c3a6..0b55a36e 100644
--- a/Sandboxie/core/drv/thread.c
+++ b/Sandboxie/core/drv/thread.c
@@ -28,6 +28,7 @@
 #include "obj.h"
 #include "session.h"
 #include "api.h"
+#include "util.h"
 //---------------------------------------------------------------------------
@@ -1129,6 +1130,87 @@ finish:
 }
+//---------------------------------------------------------------------------
+// Thread_CheckObject_CommonEx
+//---------------------------------------------------------------------------
+
+
+_FX NTSTATUS Thread_CheckObject_CommonEx(
+ HANDLE pid, PEPROCESS ProcessObject,
+ ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
+ BOOLEAN ExplicitAccess)
+{
+ //
+ // Ignore requests for threads belonging to the current processes.
+ //
+
+ HANDLE cur_pid = PsGetCurrentProcessId();
+ if (pid == cur_pid)
+ return STATUS_SUCCESS;
+
+ //
+ // Get the sandboxed process if this request comes form one
+ //
+
+ PROCESS *proc = Process_Find(NULL, NULL);
+
+ //
+ // This functionality allows to protect boxed processes from host processes
+ // we need to grant access to sbiesvc.exe and csrss.exe
+ //
+ // If the calling process is sandboxed the later common check will do the blocking
+ //
+
+ if (!proc || proc->bHostInject) { // caller is not sandboxed
+
+ KIRQL irql;
+ PROCESS* proc2 = Process_Find(pid, &irql);
+ BOOLEAN protect_process = FALSE;
+
+ if (proc2 && !proc2->bHostInject) { // target is sandboxed
+
+ void* nbuf = 0;
+ ULONG nlen = 0;
+ WCHAR* nptr = 0;
+ Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr);
+ if (nbuf) {
+
+ protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);
+
+ //
+ // in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
+ //
+
+ if (protect_process && MyIsProcessRunningAsSystemAccount(cur_pid)) {
+ if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0))
+ protect_process = FALSE;
+ }
+
+ Mem_Free(nbuf, nlen);
+ }
+ }
+
+ ExReleaseResourceLite(Process_ListLock);
+ KeLowerIrql(irql);
+
+ if (protect_process) {
+
+ DbgPrint("SBIE: protect boxed processes %d from %d\n", pid, cur_pid);
+ return STATUS_ACCESS_DENIED;
+ }
+ }
+
+ //
+ // filter only requests from sandboxed processes
+ //
+
+ if (!proc || (proc == 
PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
+ return STATUS_SUCCESS;
+
+ return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, EntireProcess, ExplicitAccess);
+}
+
+
 //---------------------------------------------------------------------------
 // Thread_Api_OpenProcess
 //---------------------------------------------------------------------------
diff --git a/Sandboxie/core/drv/thread.h b/Sandboxie/core/drv/thread.h
index 4ab72f4c..91a7e421 100644
--- a/Sandboxie/core/drv/thread.h
+++ b/Sandboxie/core/drv/thread.h
@@ -99,6 +99,11 @@ NTSTATUS Thread_CheckObject_Common(
 ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
 BOOLEAN ExplicitAccess);
+NTSTATUS Thread_CheckObject_CommonEx(
+ HANDLE pid, PEPROCESS ProcessObject,
+ ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
+ BOOLEAN ExplicitAccess);
+
 //---------------------------------------------------------------------------
diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini
index 28c60b0c..354b2fbe 100644
--- a/Sandboxie/install/Templates.ini
+++ b/Sandboxie/install/Templates.ini
@@ -2287,6 +2287,14 @@ Tmpl.ScanService=pcapsvc
 OpenIpcPath=*\BaseNamedObjects*\proxycap_*_event*
 OpenPipePath=\Device\NamedPipe\proxycap_s_pipe
+[Template_ReHIPS]
+Tmpl.Title=ReHIPS
+Tmpl.Class=Security
+Tmpl.Url=https://rehips.com/
+Tmpl.Scan=s
+Tmpl.ScanService=ReHIPSService
+DenyHostAccess=HIPSAgent64.exe,y
+
 [Template_RoboForm]
 Tmpl.Title=RoboForm
 Tmpl.Class=Security
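Review bot: In Thread_CheckObject_CommonEx, `if (!proc || proc->bHostInject)` dereferences `proc` before testing for the PROCESS_TERMINATED sentinel, which the later `(proc == PROCESS_TERMINATED)` check in the same function (and the check this commit removed from obj_flt.c) treats as a value that must not be dereferenced; reorder it to `if (!proc || proc == PROCESS_TERMINATED || proc->bHostInject) { // caller is not sandboxed`, and if Process_Find can return the same sentinel for an explicit pid, `proc2->bHostInject` needs the same guard. Process_GetProcessName, Process_GetConfEx_bool and Mem_Free all run while the list lock taken by `Process_Find(pid, &irql)` is still held, presumably at raised IRQL given the `KeLowerIrql(irql)` that follows, so it is worth confirming that Conf_AdjustUseCount/Conf_Get are safe to call in that context. `DbgPrint("SBIE: protect boxed processes %d from %d\n", pid, cur_pid)` passes HANDLE values to `%d`; use `%p` or cast them, e.g. `(ULONG)(ULONG_PTR)pid`. The comment `// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe` should read `// in case the user specified the wildcard "*", always grant access to sbiesvc.exe and csrss.exe`, and "comes form one" should be "comes from one".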