From 1b1342c426ba6fc45c4c1c0faf8ce53231a76c11 Mon Sep 17 00:00:00 2001 From: DavidXanatos Date: Wed, 1 Jun 2022 19:40:51 +0200 Subject: [PATCH] 1.1.1 --- CHANGELOG.md | 3 +- Sandboxie/core/dll/advapi.c | 74 ++++++++++++++++++++----------- Sandboxie/core/dll/gui.c | 6 +++ Sandboxie/core/dll/guienum.c | 75 +++++++++++++++++++++----------- Sandboxie/core/svc/GuiServer.cpp | 31 +++++++++++-- Sandboxie/core/svc/GuiServer.h | 2 +- Sandboxie/core/svc/GuiWire.h | 2 + 7 files changed, 138 insertions(+), 55 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c1d2a37..5f94694e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,11 +20,12 @@ This project adheres to [Semantic Versioning](http://semver.org/). - fixed issues with the new delete V2 mechanism when using "SeparateUserFolders=y" [#1885](https://github.com/sandboxie-plus/Sandboxie/issues/1885) - fixed credential issue [#1770](https://github.com/sandboxie-plus/Sandboxie/pull/1770) - fixed force process priorities [#1883](https://github.com/sandboxie-plus/Sandboxie/issues/1883) +- fixed issues with the new delete V2 mechanism - fixed issue with the Windows 11 menu on older Windows builds [1877](https://github.com/sandboxie-plus/Sandboxie/issues/1877) - refresh now works without WatchBoxSize option [#1885](https://github.com/sandboxie-plus/Sandboxie/issues/1885) - fixed crash issue with WatchBoxSize=true [#1885](https://github.com/sandboxie-plus/Sandboxie/issues/1885) - fixed issue with recovery folder paths [#1840](https://github.com/sandboxie-plus/Sandboxie/issues/1840) - +- fixed issues with sbie desktop and wndStation affecting acrobat reader [#1863](https://github.com/sandboxie-plus/Sandboxie/issues/1863) diff --git a/Sandboxie/core/dll/advapi.c b/Sandboxie/core/dll/advapi.c index acd86753..c32b97ca 100644 --- a/Sandboxie/core/dll/advapi.c +++ b/Sandboxie/core/dll/advapi.c 
@@ -112,8 +112,11 @@ typedef BOOL (*P_SaferComputeTokenFromLevel)( typedef ULONG (*P_GetEffectiveRightsFromAcl)( PACL pacl, void *pTrustee, PACCESS_MASK pAccessRights); -typedef BOOL (*P_EnumWindowStations) (_In_ WINSTAENUMPROC lpEnumFunc, _In_ LPARAM lParam); -typedef HANDLE (*P_OpenWindowStationW) (LPCWSTR lpszWinSta, BOOL fInherit, ACCESS_MASK dwDesiredAccess); +//typedef BOOL (*P_EnumWindowStations) (WINSTAENUMPROC lpEnumFunc, LPARAM lParam); +//typedef HANDLE (*P_OpenWindowStationW) (LPCWSTR lpszWinSta, BOOL fInherit, ACCESS_MASK dwDesiredAccess); +// +//typedef BOOL (*P_EnumDesktopsW) (HWINSTA hwinsta, DESKTOPENUMPROCW lpEnumFunc, LPARAM lParam); +//typedef HANDLE (*P_OpenDesktopW) (LPCWSTR lpszDesktop, DWORD dwFlags, BOOL fInherit, ACCESS_MASK dwDesiredAccess); //--------------------------------------------------------------------------- @@ -155,8 +158,12 @@ typedef HANDLE (*P_OpenWindowStationW) (LPCWSTR lpszWinSta, BOOL fInherit, ACCES P_SaferComputeTokenFromLevel __sys_SaferComputeTokenFromLevel = NULL; P_GetEffectiveRightsFromAcl __sys_GetEffectiveRightsFromAclW = NULL; - P_EnumWindowStations __sys_EnumWindowStationsW = NULL; - P_OpenWindowStationW __sys_OpenWindowStationW = NULL; + + //P_EnumWindowStations __sys_EnumWindowStationsW = NULL; + //P_OpenWindowStationW __sys_OpenWindowStationW = NULL; + +//extern P_EnumDesktopsW __sys_EnumDesktopsW; +//extern P_OpenDesktopW __sys_OpenDesktopW; static HMODULE AdvApi_Module = NULL; 
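Review bot: The window-station typedefs in this hunk are commented out rather than deleted, and the patch does the same to the `__sys_EnumWindowStationsW`/`__sys_OpenWindowStationW` pointers in the next hunk and to the two `//OpenWinSta();` calls further down. The `/* ... */` block opened in the hunk at 496 and closed in the hunk at 514 even gains new code (`myEnumDesktopsProc`, `OpenWinSta`) that is never compiled. Since the handles now come from the service reply in gui.c, I would delete the dead code and leave one line such as `// Sandboxie_WinSta is set by Gui_ConnectToWindowStationAndDesktop (gui.c)`. Version control keeps the old enumeration path.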
@@ -240,7 +247,7 @@ _FX BOOLEAN AdvApi_Init(HMODULE module) // only hook SetSecurityInfo if this is Chrome. Outlook 2013 uses delayed loading and will cause infinite callbacks // Starting with Win 10, we only want to hook ntmarta!SetSecurityInfo. Do NOT hook advapi!SetSecurityInfo. Delay loading for advapi will cause infinite recursion. // Note: the infinite recursion issue has been resolved int 5.43 - if (((Dll_ImageType == DLL_IMAGE_GOOGLE_CHROME) || (Dll_ImageType == DLL_IMAGE_ACROBAT_READER)) && (Dll_Windows < 10)) { + if ((Dll_ImageType == DLL_IMAGE_GOOGLE_CHROME) || (Dll_ImageType == DLL_IMAGE_ACROBAT_READER)) { SetSecurityInfo = __sys_SetSecurityInfo; GetSecurityInfo = __sys_GetSecurityInfo; SBIEDLL_HOOK(AdvApi_, SetSecurityInfo); @@ -489,12 +496,8 @@ _FX ULONG AdvApi_CreateRestrictedToken( } - -HANDLE Sandboxie_WinSta = 0; - -BOOL CALLBACK myEnumWindowStationProc( - _In_ LPTSTR lpszWindowStation, - _In_ LPARAM lParam); +/*HANDLE Sandboxie_WinSta = 0; +HANDLE Sandboxie_Desktop = 0; // Get Sandbox Dummy WindowStation Handle BOOL CALLBACK myEnumWindowStationProc( 
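Review bot: The comment directly above the changed condition still says that from Windows 10 on only ntmarta!SetSecurityInfo should be hooked and advapi!SetSecurityInfo must not be. With `&& (Dll_Windows < 10)` removed, the advapi hooks are installed on every Windows version for Chrome and Acrobat Reader. The comment's last line says the recursion was resolved in 5.43, which is presumably why this is safe, so it should say so explicitly, e.g. `// The delay-load recursion was fixed in 5.43, so advapi!Set/GetSecurityInfo are hooked on all Windows versions for Chrome and Acrobat Reader.` AdvApi_Init continues outside the hunk, so how this interacts with the ntmarta hooks is not visible here.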
@@ -511,6 +514,37 @@ BOOL CALLBACK myEnumWindowStationProc( return TRUE; } +BOOL CALLBACK myEnumDesktopsProc( + _In_ LPTSTR lpszDesktop, + _In_ LPARAM lParam) +{ + if ((!lpszDesktop) || (!__sys_OpenDesktopW)) { + return FALSE; + } + if (!_wcsnicmp(lpszDesktop, L"Sandbox", 7)) { + const ACCESS_MASK DESKTOP_ALL_ACCESS = 0x1FF; // see WinUser.h + Sandboxie_Desktop = __sys_OpenDesktopW(lpszDesktop, 0, FALSE, DESKTOP_ALL_ACCESS); + return FALSE; + } + return TRUE; +} + + +_FX VOID OpenWinSta() +{ + if (!Sandboxie_WinSta) { + __sys_EnumWindowStationsW = (P_EnumWindowStations)Ldr_GetProcAddrNew(L"User32.dll", L"EnumWindowStationsW", "EnumWindowStationsW"); + __sys_OpenWindowStationW = (P_OpenWindowStationW)Ldr_GetProcAddrNew(L"User32.dll", L"OpenWindowStationW", "OpenWindowStationW"); + if (__sys_EnumWindowStationsW) { + __sys_EnumWindowStationsW(myEnumWindowStationProc, 0); + + if (Sandboxie_WinSta) { + if (__sys_EnumDesktopsW) + __sys_EnumDesktopsW(Sandboxie_WinSta, myEnumDesktopsProc, 0); + } + } + } +}*/ // Chrome 52+ now needs to be able to create a WindowStation and Desktop for its sandbox // GetSecurityInfo will fail when chrome tries to do a DACL read on the default WindowStation. @@ -518,6 +552,8 @@ BOOL CALLBACK myEnumWindowStationProc( // this will allow chrome to create the required WindowStation and Desktop. See comment in // GuiServer.cpp: GuiServer::GetWindowStationAndDesktopName. +extern HANDLE Sandboxie_WinSta; + _FX DWORD AdvApi_GetSecurityInfo( HANDLE handle, SE_OBJECT_TYPE ObjectType, 
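Review bot: `extern HANDLE Sandboxie_WinSta;` is declared by hand in this .c file, and guienum.c repeats it together with `extern HANDLE Sandboxie_Desktop;`, while both globals are defined in gui.c. A hand-written extern is not checked against the definition, so a later change of type or name on one side would compile silently. Declaring both once in a header that gui.c also includes would let the compiler check them and give the globals one documented home.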
@@ -532,13 +568,7 @@ _FX DWORD AdvApi_GetSecurityInfo( rc = __sys_GetSecurityInfo(handle, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl, ppSecurityDescriptor); if (rc && ObjectType == SE_WINDOW_OBJECT && SecurityInfo == DACL_SECURITY_INFORMATION) { - __sys_EnumWindowStationsW = (P_EnumWindowStations)Ldr_GetProcAddrNew(L"User32.dll", L"EnumWindowStationsW", "EnumWindowStationsW"); - __sys_OpenWindowStationW = (P_OpenWindowStationW)Ldr_GetProcAddrNew(L"User32.dll", L"OpenWindowStationW", "OpenWindowStationW"); - if (!Sandboxie_WinSta) { - if (__sys_EnumWindowStationsW) { - rc = __sys_EnumWindowStationsW(myEnumWindowStationProc, 0); - } - } + //OpenWinSta(); rc = __sys_GetSecurityInfo(Sandboxie_WinSta, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl, ppSecurityDescriptor); } return rc; @@ -753,13 +783,7 @@ _FX DWORD Ntmarta_GetSecurityInfo( rc = __sys_Ntmarta_GetSecurityInfo(handle, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl, ppSecurityDescriptor); if (rc && ObjectType == SE_WINDOW_OBJECT && SecurityInfo == DACL_SECURITY_INFORMATION) { - __sys_EnumWindowStationsW = (P_EnumWindowStations)Ldr_GetProcAddrNew(L"User32.dll", L"EnumWindowStationsW", "EnumWindowStationsW"); - __sys_OpenWindowStationW = (P_OpenWindowStationW)Ldr_GetProcAddrNew(L"User32.dll", L"OpenWindowStationW", "OpenWindowStationW"); - if (!Sandboxie_WinSta) { - if (__sys_EnumWindowStationsW) { - rc = __sys_EnumWindowStationsW(myEnumWindowStationProc, 0); - } - } + //OpenWinSta(); rc = __sys_Ntmarta_GetSecurityInfo(Sandboxie_WinSta, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl, ppSecurityDescriptor); } return rc; diff --git a/Sandboxie/core/dll/gui.c b/Sandboxie/core/dll/gui.c index 6f9d94cb..fc886c89 100644 --- a/Sandboxie/core/dll/gui.c +++ b/Sandboxie/core/dll/gui.c 
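Review bot: The retry `__sys_GetSecurityInfo(Sandboxie_WinSta, ...)` now runs even when `Sandboxie_WinSta` is still NULL, because the lazy enumeration that used to fill it is gone. The global is only assigned once Gui_ConnectToWindowStationAndDesktop has processed the service reply. In that case the original error in `rc` is replaced by the result of a call on a null handle, which hides the real failure from the caller. I would add the handle to the condition, `if (rc && Sandboxie_WinSta && ObjectType == SE_WINDOW_OBJECT && SecurityInfo == DACL_SECURITY_INFORMATION) {`, and the Ntmarta_GetSecurityInfo hunk at 783 needs the same guard. Both function bodies start outside their hunks.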
@@ -821,6 +821,9 @@ _FX BOOL DisallowWin32kSystemCallsIsOn() extern P_NtSetInformationThread __sys_NtSetInformationThread; +HANDLE Sandboxie_WinSta = NULL; +HANDLE Sandboxie_Desktop = NULL; + _FX BOOLEAN Gui_ConnectToWindowStationAndDesktop(HMODULE User32) { static HDESK _ProcessDesktop = NULL; @@ -900,6 +903,9 @@ _FX BOOLEAN Gui_ConnectToWindowStationAndDesktop(HMODULE User32) errlvl = 2; else { + Sandboxie_WinSta = (HANDLE)rpl->hsbie_winsta; + Sandboxie_Desktop = (HANDLE)rpl->hsbie_desk; + // // locate windowstation and desktop functions in user32 dll // diff --git a/Sandboxie/core/dll/guienum.c b/Sandboxie/core/dll/guienum.c index 483d8e91..30a62f62 100644 --- a/Sandboxie/core/dll/guienum.c +++ b/Sandboxie/core/dll/guienum.c @@ -175,6 +175,7 @@ static BOOLEAN Gui_D3D9_Loaded = FALSE; static ULONG64 Gui_GetShellWindow_LastTicks = 0; +static BOOLEAN Winsta_Hack = FALSE; //--------------------------------------------------------------------------- // Gui_InitEnum @@ -244,16 +245,11 @@ _FX BOOLEAN Gui_InitEnum(void) // raises an error when CreateDesktop is call. This hook // is removed for chrome. See advapi.c: AdvApi_GetSecurityInfo - if (!Config_GetSettingsForImageName_bool(L"UseSbieWndStation", TRUE) && - (Dll_ImageType != DLL_IMAGE_GOOGLE_CHROME) && - (Dll_ImageType != DLL_IMAGE_MOZILLA_FIREFOX)) { - SBIEDLL_HOOK_GUI(CreateDesktopW); - SBIEDLL_HOOK_GUI(CreateDesktopA); - } - else { - SBIEDLL_HOOK_GUI(CreateWindowStationW); - SBIEDLL_HOOK_GUI(CreateWindowStationA); - } + SBIEDLL_HOOK_GUI(CreateDesktopW); + SBIEDLL_HOOK_GUI(CreateDesktopA); + + SBIEDLL_HOOK_GUI(CreateWindowStationW); + SBIEDLL_HOOK_GUI(CreateWindowStationA); return TRUE; } 
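Review bot: The comment kept above the hook list in Gui_InitEnum still ends with "This hook is removed for chrome", but the new code installs the CreateDesktopW/A and CreateWindowStationW/A hooks for every image. The `UseSbieWndStation`/Chrome/Firefox decision has moved into Gui_CreateDesktopW/A, so the comment should follow it, e.g. `// All four hooks are always installed; Gui_CreateDesktopW/A decide per image whether to retry without a security context.` The `static BOOLEAN Winsta_Hack = FALSE;` added in the previous guienum.c hunk is not referenced by any hunk in this patch and looks unused.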
@@ -582,49 +578,69 @@ _FX HDESK Gui_OpenDesktopA( //--------------------------------------------------------------------------- //Gui_CreateWindowStationW //--------------------------------------------------------------------------- -extern HANDLE Sandboxie_WinSta ; +extern HANDLE Sandboxie_WinSta; _FX HANDLE Gui_CreateWindowStationW (void *lpwinsta, DWORD dwFlags, ACCESS_MASK dwDesiredAccess, LPSECURITY_ATTRIBUTES lpsa) { HANDLE myHandle = 0; myHandle = __sys_CreateWindowStationW(lpwinsta, dwFlags, dwDesiredAccess, lpsa); if (!myHandle) { - return Sandboxie_WinSta; + if(Sandboxie_WinSta) + return Sandboxie_WinSta; + SbieApi_Log(2205, L"CreateWindowStation"); } return myHandle; } + +//--------------------------------------------------------------------------- +//Gui_CreateWindowStationA +//--------------------------------------------------------------------------- + + _FX HANDLE Gui_CreateWindowStationA (void *lpwinsta, DWORD dwFlags, ACCESS_MASK dwDesiredAccess, LPSECURITY_ATTRIBUTES lpsa) { HANDLE myHandle = 0; myHandle = __sys_CreateWindowStationA(lpwinsta, dwFlags, dwDesiredAccess, lpsa); if (!myHandle) { - return Sandboxie_WinSta; + if(Sandboxie_WinSta) + return Sandboxie_WinSta; + SbieApi_Log(2205, L"CreateWindowStation"); } return myHandle; } + //--------------------------------------------------------------------------- // Gui_CreateDesktopW //--------------------------------------------------------------------------- - +extern HANDLE Sandboxie_Desktop; _FX HDESK Gui_CreateDesktopW( void *lpszDesktop, void *lpszDevice, void *DevMode, ULONG dwFlags, ACCESS_MASK dwDesiredAccess, void *SecurityAttributes) { HANDLE rc = 0; - //Call the system CreateDesktopW without a security context. - //This works in tandem with the Ntmarta_GetSecurityInfo hook (see in advapi.c). - - //Also see comment in Ntmarta_Init at SBIEDLL_HOOK2(Ntmarta_,GetSecurityInfo) for - //Acrobat Reader. 
This is needed to allow this process to create a desktop with - //the sandboxie restricted token by dropping the security context. This won't - //work without the GetSecrityInfo hook. - rc = __sys_CreateDesktopW(lpszDesktop, NULL, NULL, dwFlags, dwDesiredAccess, NULL); - if (rc) { + + rc = __sys_CreateDesktopW(lpszDesktop, lpszDevice, DevMode, dwFlags, dwDesiredAccess, SecurityAttributes); + if (rc) return rc; + + if (!Config_GetSettingsForImageName_bool(L"UseSbieWndStation", TRUE) && (Dll_ImageType != DLL_IMAGE_GOOGLE_CHROME) && (Dll_ImageType != DLL_IMAGE_MOZILLA_FIREFOX)) + { + //Call the system CreateDesktopW without a security context. + //This works in tandem with the Ntmarta_GetSecurityInfo hook (see in advapi.c). + + //Also see comment in Ntmarta_Init at SBIEDLL_HOOK2(Ntmarta_,GetSecurityInfo) for + //Acrobat Reader. This is needed to allow this process to create a desktop with + //the sandboxie restricted token by dropping the security context. This won't + //work without the GetSecurityInfo hook. + rc = __sys_CreateDesktopW(lpszDesktop, NULL, NULL, dwFlags, dwDesiredAccess, NULL); + if (rc) + return rc; } + if (Sandboxie_Desktop) + return Sandboxie_Desktop; SbieApi_Log(2205, L"CreateDesktop"); return CreateEvent(NULL, FALSE, FALSE, NULL); } 
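Review bot: The new fallbacks `return Sandboxie_WinSta;` and `return Sandboxie_Desktop;` hand the process-wide handle itself to the caller of CreateWindowStation/CreateDesktop. A caller that follows the API contract closes what it was given (CloseWindowStation/CloseDesktop). Unless those closes are intercepted elsewhere, which is not visible here, the global then holds a stale value that later calls and the GetSecurityInfo hooks in advapi.c keep using, possibly on an unrelated object once the value is reused. Returning a duplicate keeps the global valid, e.g. in Gui_CreateDesktopW `if (Sandboxie_Desktop && DuplicateHandle(GetCurrentProcess(), Sandboxie_Desktop, GetCurrentProcess(), &rc, 0, FALSE, DUPLICATE_SAME_ACCESS)) return rc;`. The same applies to Gui_CreateWindowStationW/A in this hunk and to Gui_CreateDesktopA in the following hunk.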
@@ -640,11 +656,20 @@ _FX HDESK Gui_CreateDesktopA( ACCESS_MASK dwDesiredAccess, void *SecurityAttributes) { HANDLE rc = 0; - rc = __sys_CreateDesktopA(lpszDesktop, NULL, NULL, dwFlags, dwDesiredAccess, NULL); - if (rc) { + + rc = __sys_CreateDesktopA(lpszDesktop, lpszDevice, DevMode, dwFlags, dwDesiredAccess, SecurityAttributes); + if (rc) return rc; + + if (!Config_GetSettingsForImageName_bool(L"UseSbieWndStation", TRUE) && (Dll_ImageType != DLL_IMAGE_GOOGLE_CHROME) && (Dll_ImageType != DLL_IMAGE_MOZILLA_FIREFOX)) + { + rc = __sys_CreateDesktopA(lpszDesktop, NULL, NULL, dwFlags, dwDesiredAccess, NULL); + if (rc) + return rc; } + if (Sandboxie_Desktop) + return Sandboxie_Desktop; SbieApi_Log(2205, L"CreateDesktop"); return CreateEvent(NULL, FALSE, FALSE, NULL); } diff --git a/Sandboxie/core/svc/GuiServer.cpp b/Sandboxie/core/svc/GuiServer.cpp index 576bea0c..1a341403 100644 --- a/Sandboxie/core/svc/GuiServer.cpp +++ b/Sandboxie/core/svc/GuiServer.cpp @@ -605,7 +605,7 @@ void GuiServer::RunSlave(const WCHAR *cmdline) // create window station // - if (! pThis->GetWindowStationAndDesktopName(NULL)) + if (! pThis->GetWindowStationAndDesktopName(NULL, NULL, NULL)) return; // @@ -1190,7 +1190,7 @@ HANDLE GuiServer::GetJobObject(const WCHAR *boxname) //--------------------------------------------------------------------------- -bool GuiServer::GetWindowStationAndDesktopName(WCHAR *out_name) +bool GuiServer::GetWindowStationAndDesktopName(WCHAR *out_name, HANDLE* out_winsta, HANDLE* out_desk) { static HWINSTA _hWinSta = NULL; static HDESK _hDesk = NULL; @@ -1205,6 +1205,8 @@ bool GuiServer::GetWindowStationAndDesktopName(WCHAR *out_name) if (out_name) { wcscpy(out_name, _CombinedName); + if (out_winsta) *out_winsta = _hWinSta; + if (out_desk) *out_desk = _hDesk; return true; } 
@@ -1273,6 +1275,8 @@ bool GuiServer::GetWindowStationAndDesktopName(WCHAR *out_name) else { + if (out_winsta) *out_winsta = _hWinSta; + if (! SetProcessWindowStation(_hWinSta)) errlvl = 0x62; else { @@ -1285,6 +1289,9 @@ bool GuiServer::GetWindowStationAndDesktopName(WCHAR *out_name) const ACCESS_MASK DESKTOP_ALL_ACCESS = 0x1FF; // see WinUser.h _hDesk = CreateDesktop(desktop_name, NULL, NULL, 0, DESKTOP_ALL_ACCESS | WRITE_OWNER, &sa); + + if (out_desk) *out_desk = _hDesk; + if (! _hDesk) errlvl = 0x63; @@ -1467,7 +1474,9 @@ ULONG GuiServer::GetWindowStationSlave(SlaveArgs *args) GUI_GET_WINDOW_STATION_RPL *rpl = (GUI_GET_WINDOW_STATION_RPL *)args->rpl_buf; - if (! GetWindowStationAndDesktopName(rpl->name)) { + HANDLE sbie_winsta; + HANDLE sbie_desk; + if (! GetWindowStationAndDesktopName(rpl->name, &sbie_winsta, &sbie_desk)) { status = -1; errlvl = 0x73; goto finish; @@ -1524,6 +1533,22 @@ ULONG GuiServer::GetWindowStationSlave(SlaveArgs *args) goto finish; } + if (! DuplicateHandle(NtCurrentProcess(), sbie_winsta, + hProcess, (HANDLE *)&rpl->hsbie_winsta, + WINSTA_ALL_ACCESS | STANDARD_RIGHTS_REQUIRED, FALSE, 0)) { + status = GetLastError(); + errlvl = 0x85; + goto finish; + } + + if (! DuplicateHandle(NtCurrentProcess(), sbie_desk, + hProcess, (HANDLE *)&rpl->hsbie_desk, + 0, FALSE, DUPLICATE_SAME_ACCESS)) { + status = GetLastError(); + errlvl = 0x86; + goto finish; + } + #ifdef _WIN64 // diff --git a/Sandboxie/core/svc/GuiServer.h b/Sandboxie/core/svc/GuiServer.h index 49993d23..1536a34b 100644 --- a/Sandboxie/core/svc/GuiServer.h +++ b/Sandboxie/core/svc/GuiServer.h @@ -80,7 +80,7 @@ protected: HANDLE GetJobObject(const WCHAR *boxname); - bool GetWindowStationAndDesktopName(WCHAR *out_name); + bool GetWindowStationAndDesktopName(WCHAR *out_name, HANDLE* out_winsta, HANDLE* out_desk); protected: diff --git a/Sandboxie/core/svc/GuiWire.h b/Sandboxie/core/svc/GuiWire.h index 3eb5d47d..678a1d9c 100644 --- a/Sandboxie/core/svc/GuiWire.h 
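Review bot: In the GetWindowStationSlave hunk at 1474, `sbie_winsta` and `sbie_desk` are declared without an initializer and are later passed to DuplicateHandle. GetWindowStationAndDesktopName fills them only on the paths shown in the hunks at 1205, 1275 and 1289, and in the cached path only inside `if (out_name)`. Its full body is outside this patch, so I cannot confirm that every `true` return sets both. `HANDLE sbie_winsta = NULL;` and `HANDLE sbie_desk = NULL;` would make a missed path fail in DuplicateHandle instead of duplicating an indeterminate handle value into the target process.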
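Review bot: In the hunk at 1533 the window-station duplicate is created in the target process with `WINSTA_ALL_ACCESS | STANDARD_RIGHTS_REQUIRED`, which includes WRITE_DAC and WRITE_OWNER. The desktop duplicate uses `DUPLICATE_SAME_ACCESS`, so it inherits whatever the service's own handle carries; the hunk at 1289 shows `DESKTOP_ALL_ACCESS | WRITE_OWNER`. The uses this patch adds on the DLL side are a DACL read through GetSecurityInfo and a fallback return value from the CreateWindowStation/CreateDesktop hooks, so either request a narrower mask or add a comment saying why the sandboxed process needs the full one. Whether the existing `hwinsta`/`hdesk` duplicates already grant the same rights is not visible in this hunk. Also, as far as the hunk shows, when the second DuplicateHandle fails the `goto finish` path leaves the window-station handle already created in the target process.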
+++ b/Sandboxie/core/svc/GuiWire.h @@ -94,6 +94,8 @@ struct tagGUI_GET_WINDOW_STATION_RPL ULONG64 hwinsta; ULONG64 hdesk; WCHAR name[96]; + ULONG64 hsbie_winsta; + ULONG64 hsbie_desk; }; typedef struct tagGUI_GET_WINDOW_STATION_RPL GUI_GET_WINDOW_STATION_RPL;
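Review bot: The two new reply fields have no comment saying what they carry, and their names are easy to confuse with the neighbouring `hwinsta`/`hdesk`. Judging by GuiServer.cpp and gui.c, they hold handles to the Sandboxie dummy window station and desktop, already duplicated into the requesting process. I would add `// handles to the sandbox dummy window station / desktop, valid in the requesting process` above them. Appending them after `name[96]` keeps the offsets of the existing fields but changes the reply size, so a DLL and service from different builds would presumably disagree on it. The struct begins outside the hunk.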