1.10.2
parent
58063aa8b5
commit
1ccf217b07
|
@ -24,6 +24,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|||
- fixed issue with pinned run entry icons
|
||||
- fixed UGlobalHotkey lib not being compatible with Qt6
|
||||
|
||||
### Removed
|
||||
- removed hardcoded support for LogApiDll
|
||||
- use addon manager and dll injection settings
|
||||
|
||||
|
||||
|
||||
## [1.10.1 / 5.65.1] - 2023-07-24
|
||||
|
|
|
@ -1295,21 +1295,14 @@
|
|||
</item>
|
||||
</layout>
|
||||
</widget>
|
||||
<widget class="QWidget" name="tabImage">
|
||||
<widget class="QWidget" name="tabDlls">
|
||||
<attribute name="title">
|
||||
<string>Image Protection</string>
|
||||
<string>Dlls && Extensions</string>
|
||||
</attribute>
|
||||
<layout class="QGridLayout" name="gridLayout_77">
|
||||
<item row="0" column="0">
|
||||
<item row="1" column="0">
|
||||
<layout class="QGridLayout" name="gridLayout_49">
|
||||
<item row="3" column="2">
|
||||
<widget class="QCheckBox" name="chkHostProtectMsg">
|
||||
<property name="text">
|
||||
<string>Issue message 1305 when a program tries to load a sandboxed dll</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="4" column="0">
|
||||
<item row="6" column="1">
|
||||
<spacer name="verticalSpacer_36">
|
||||
<property name="orientation">
|
||||
<enum>Qt::Vertical</enum>
|
||||
|
@ -1322,31 +1315,10 @@
|
|||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="4" column="2">
|
||||
<spacer name="horizontalSpacer_16">
|
||||
<property name="orientation">
|
||||
<enum>Qt::Horizontal</enum>
|
||||
</property>
|
||||
<property name="sizeHint" stdset="0">
|
||||
<size>
|
||||
<width>40</width>
|
||||
<height>20</height>
|
||||
</size>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="2" column="1" colspan="2">
|
||||
<widget class="QCheckBox" name="chkHostProtect">
|
||||
<property name="text">
|
||||
<string>Prevent sandboxes programs installed on host from loading dll's from the sandbox</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="1" column="0" colspan="2">
|
||||
<item row="3" column="0" colspan="2">
|
||||
<widget class="QLabel" name="lblProtection">
|
||||
<property name="font">
|
||||
<font>
|
||||
<weight>75</weight>
|
||||
<bold>true</bold>
|
||||
<kerning>true</kerning>
|
||||
</font>
|
||||
|
@ -1359,36 +1331,86 @@
|
|||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="3" column="1">
|
||||
<widget class="QLabel" name="label_47">
|
||||
<property name="minimumSize">
|
||||
<size>
|
||||
<width>20</width>
|
||||
<height>0</height>
|
||||
</size>
|
||||
<item row="1" column="0" colspan="3">
|
||||
<widget class="QTreeWidget" name="treeInjectDll">
|
||||
<property name="sizePolicy">
|
||||
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
|
||||
<horstretch>0</horstretch>
|
||||
<verstretch>0</verstretch>
|
||||
</sizepolicy>
|
||||
</property>
|
||||
<property name="maximumSize">
|
||||
<size>
|
||||
<width>20</width>
|
||||
<height>16777215</height>
|
||||
</size>
|
||||
<column>
|
||||
<property name="text">
|
||||
<string>Name</string>
|
||||
</property>
|
||||
</column>
|
||||
<column>
|
||||
<property name="text">
|
||||
<string>Description</string>
|
||||
</property>
|
||||
</column>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="4" column="1" colspan="2">
|
||||
<widget class="QCheckBox" name="chkHostProtect">
|
||||
<property name="toolTip">
|
||||
<string>Sandboxie’s resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. ‘ClosedFilePath=! iexplore.exe,C:Users*’ will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the “Access policies” page.
|
||||
This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself.</string>
|
||||
</property>
|
||||
<property name="text">
|
||||
<string/>
|
||||
<string>Prevent sandboxes programs installed on host from loading dll's from the sandbox</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="5" column="2">
|
||||
<widget class="QCheckBox" name="chkHostProtectMsg">
|
||||
<property name="text">
|
||||
<string>Issue message 1305 when a program tries to load a sandboxed dll</string>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="0" column="0" colspan="3">
|
||||
<widget class="QLabel" name="label_52">
|
||||
<widget class="QLabel" name="label_36">
|
||||
<property name="sizePolicy">
|
||||
<sizepolicy hsizetype="Preferred" vsizetype="Preferred">
|
||||
<horstretch>0</horstretch>
|
||||
<verstretch>0</verstretch>
|
||||
</sizepolicy>
|
||||
</property>
|
||||
<property name="text">
|
||||
<string>Sandboxie’s resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. ‘ClosedFilePath=! iexplore.exe,C:Users*’ will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the “Access policies” page.
|
||||
This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself.</string>
|
||||
<string>Sandboxies functionality can be enhanced using optional dll’s which can be loaded into each sandboxed process on start by the SbieDll.dll, the addon manager in the global settings offers a couple useful extensions, once installed they can be enabled here for the current box.</string>
|
||||
</property>
|
||||
<property name="wordWrap">
|
||||
<bool>true</bool>
|
||||
</property>
|
||||
</widget>
|
||||
</item>
|
||||
<item row="2" column="2">
|
||||
<spacer name="horizontalSpacer_16">
|
||||
<property name="orientation">
|
||||
<enum>Qt::Horizontal</enum>
|
||||
</property>
|
||||
<property name="sizeHint" stdset="0">
|
||||
<size>
|
||||
<width>40</width>
|
||||
<height>20</height>
|
||||
</size>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
<item row="1" column="3">
|
||||
<spacer name="verticalSpacer_39">
|
||||
<property name="orientation">
|
||||
<enum>Qt::Vertical</enum>
|
||||
</property>
|
||||
<property name="sizeHint" stdset="0">
|
||||
<size>
|
||||
<width>20</width>
|
||||
<height>40</height>
|
||||
</size>
|
||||
</property>
|
||||
</spacer>
|
||||
</item>
|
||||
</layout>
|
||||
</item>
|
||||
</layout>
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 2.0 KiB |
|
@ -177,6 +177,7 @@
|
|||
<file>Actions/Qube.png</file>
|
||||
<file>Actions/Font.png</file>
|
||||
<file>Actions/ResetFont.png</file>
|
||||
<file>Actions/Dll.png</file>
|
||||
</qresource>
|
||||
<qresource prefix="/Boxes">
|
||||
<file alias="Empty3">Boxes/sandbox-b-empty.png</file>
|
||||
|
|
|
@ -3236,6 +3236,11 @@ void CSandMan::OnEditIni()
|
|||
}
|
||||
}
|
||||
|
||||
EditIni(IniPath, bPlus);
|
||||
}
|
||||
|
||||
void CSandMan::EditIni(const QString& IniPath, bool bPlus)
|
||||
{
|
||||
bool bIsWritable = bPlus;
|
||||
if (!bIsWritable) {
|
||||
QFile File(IniPath);
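Review bot: EditIni is now a public entry point that takes any caller-supplied path, and nothing in the visible part of its body constrains where that path points. The caller added in this commit, COptionsWindow::OnDblClickInjedtDll, builds the path from the addon's `installPath` and `configFile` metadata; if those values can come from a downloaded addon list (not visible here), a `..` segment would make the editor open a file outside the Sandboxie directory. I would normalise the path before use and reject it when it leaves the install root, for example `const QString Path = QDir::cleanPath(IniPath);` followed by a case-insensitive `Path.startsWith(...)` check against the expected base directory, either here or in the caller. A short comment on what `bPlus` means would also help, since the only visible use is `bool bIsWritable = bPlus;`. The body of EditIni continues outside the hunk.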
|
||||
|
|
|
@ -91,6 +91,8 @@ public:
|
|||
bool RunSandboxed(const QStringList& Commands, QString BoxName = QString(), const QString& WrkDir = QString());
|
||||
SB_RESULT(quint32) RunStart(const QString& BoxName, const QString& Command, bool Elevated = false, const QString& WorkingDir = QString(), QProcess* pProcess = NULL);
|
||||
|
||||
void EditIni(const QString& IniPath, bool bPlus = false);
|
||||
|
||||
QIcon GetBoxIcon(int boxType, bool inUse = false);// , bool inBusy = false);
|
||||
QRgb GetBoxColor(int boxType) { return m_BoxColors[boxType]; }
|
||||
QIcon GetColorIcon(QColor boxColor, bool inUse = false/*, bool bOut = false*/);
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
#include "../MiscHelpers/Common/Common.h"
|
||||
#include "../MiscHelpers/Common/ComboInputDialog.h"
|
||||
#include "../MiscHelpers/Common/SettingsWidgets.h"
|
||||
#include "../AddonManager.h"
|
||||
#include "Helpers/WinAdmin.h"
|
||||
|
||||
void COptionsWindow::CreateAdvanced()
|
||||
|
@ -97,6 +98,10 @@ void COptionsWindow::CreateAdvanced()
|
|||
connect(ui.btnDelHostProcess, SIGNAL(clicked(bool)), this, SLOT(OnDelHostProcess()));
|
||||
connect(ui.chkShowHostProcTmpl, SIGNAL(clicked(bool)), this, SLOT(OnShowHostProcTmpl()));
|
||||
connect(ui.chkConfidential, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged())); // todo notify premium feature
|
||||
|
||||
connect(ui.treeInjectDll, SIGNAL(itemChanged(QTreeWidgetItem *, int)), this, SLOT(OnToggleInjectDll(QTreeWidgetItem *, int)));
|
||||
connect(ui.treeInjectDll, SIGNAL(itemDoubleClicked(QTreeWidgetItem*, int)), this, SLOT(OnDblClickInjedtDll(QTreeWidgetItem*, int)));
|
||||
|
||||
connect(ui.chkHostProtect, SIGNAL(clicked(bool)), this, SLOT(OnHostProtectChanged()));
|
||||
connect(ui.chkHostProtectMsg, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
|
||||
|
||||
|
@ -133,6 +138,57 @@ void COptionsWindow::LoadAdvanced()
|
|||
ui.chkOpenSamEndpoint->setChecked(m_pBox->GetBool("OpenSamEndpoint", false));
|
||||
ui.chkOpenLsaEndpoint->setChecked(m_pBox->GetBool("OpenLsaEndpoint", false));
|
||||
|
||||
ui.treeInjectDll->clear();
|
||||
QStringList InjectDll = m_pBox->GetTextList("InjectDll", false);
|
||||
QStringList InjectDll64 = m_pBox->GetTextList("InjectDll64", false);
|
||||
#ifdef _M_ARM64
|
||||
QStringList InjectDllARM64 = m_pBox->GetTextList("InjectDllARM64");
|
||||
#endif
|
||||
foreach(const CAddonInfoPtr pAddon, theGUI->GetAddonManager()->GetAddons()) {
|
||||
if (!pAddon->Installed)
|
||||
continue;
|
||||
QVariantMap InjectDlls = pAddon->Data["injectDlls"].toMap();
|
||||
if (!InjectDlls.isEmpty())
|
||||
{
|
||||
int Found = 0;
|
||||
int Count = 0;
|
||||
foreach(const QString & Key, InjectDlls.keys()) {
|
||||
QStringList List;
|
||||
if (Key == "x64") List = InjectDll;
|
||||
else if (Key == "x86") List = InjectDll64;
|
||||
#ifdef _M_ARM64
|
||||
else if (Key == "a64") List = InjectDllARM64;
|
||||
#endif
|
||||
else
|
||||
continue;
|
||||
Count++;
|
||||
foreach(const QString & DllPath, List) {
|
||||
if (DllPath.endsWith(InjectDlls[Key].toString(), Qt::CaseInsensitive)) {
|
||||
Found++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
QTreeWidgetItem* pItem = new QTreeWidgetItem();
|
||||
pItem->setData(0, Qt::UserRole, pAddon->Id);
|
||||
pItem->setText(0, pAddon->GetLocalizedEntry("name"));
|
||||
if (Found == Count) {
|
||||
pItem->setCheckState(0, Qt::Checked);
|
||||
pItem->setData(0, Qt::UserRole + 1, Qt::Checked);
|
||||
} else if (Found > 0) {
|
||||
pItem->setCheckState(0, Qt::PartiallyChecked);
|
||||
pItem->setData(0, Qt::UserRole + 1, Qt::PartiallyChecked);
|
||||
}
|
||||
else {
|
||||
pItem->setCheckState(0, Qt::Unchecked);
|
||||
pItem->setData(0, Qt::UserRole + 1, Qt::Unchecked);
|
||||
}
|
||||
pItem->setText(1, pAddon->GetLocalizedEntry("description"));
|
||||
ui.treeInjectDll->addTopLevelItem(pItem);
|
||||
}
|
||||
}
|
||||
|
||||
ui.chkHostProtect->setChecked(m_pBox->GetBool("ProtectHostImages", false));
|
||||
ui.chkHostProtectMsg->setEnabled(ui.chkHostProtect->isChecked());
|
||||
ui.chkHostProtectMsg->setChecked(m_pBox->GetBool("NotifyImageLoadDenied", true));
|
||||
|
@ -269,8 +325,49 @@ void COptionsWindow::SaveAdvanced()
|
|||
WriteAdvancedCheck(ui.chkOpenSamEndpoint, "OpenSamEndpoint", "y", "");
|
||||
WriteAdvancedCheck(ui.chkOpenLsaEndpoint, "OpenLsaEndpoint", "y", "");
|
||||
|
||||
QStringList InjectDll = m_pBox->GetTextList("InjectDll", false);
|
||||
QStringList InjectDll64 = m_pBox->GetTextList("InjectDll64", false);
|
||||
#ifdef _M_ARM64
|
||||
QStringList InjectDllARM64 = m_pBox->GetTextList("InjectDllARM64");
|
||||
#endif
|
||||
for (int i = 0; i < ui.treeInjectDll->topLevelItemCount(); i++) {
|
||||
QTreeWidgetItem* pItem = ui.treeInjectDll->topLevelItem(i);
|
||||
CAddonPtr pAddon = theGUI->GetAddonManager()->GetAddon(pItem->data(0, Qt::UserRole).toString());
|
||||
if (pAddon && pItem->checkState(0) != Qt::PartiallyChecked && pItem->checkState(0) != pItem->data(0, Qt::UserRole + 1))
|
||||
{
|
||||
QVariantMap InjectDlls = pAddon->Data["injectDlls"].toMap();
|
||||
foreach(const QString & Key, InjectDlls.keys()) {
|
||||
QStringList* pList;
|
||||
if (Key == "x64") pList = &InjectDll;
|
||||
else if (Key == "x86") pList = &InjectDll64;
|
||||
#ifdef _M_ARM64
|
||||
else if (Key == "a64") pList = &InjectDllARM64;
|
||||
#endif
|
||||
else
|
||||
continue;
|
||||
|
||||
// remove old entries
|
||||
for (int i = 0; i < pList->size(); i++) {
|
||||
if (pList->at(i).endsWith(InjectDlls[Key].toString(), Qt::CaseInsensitive))
|
||||
pList->removeAt(i--);
|
||||
}
|
||||
|
||||
// add new entries
|
||||
if (pItem->checkState(0) == Qt::Checked)
|
||||
pList->append(pAddon->Data["installPath"].toString() + InjectDlls[Key].toString());
|
||||
}
|
||||
}
|
||||
}
|
||||
m_pBox->UpdateTextList("InjectDll", InjectDll, false);
|
||||
m_pBox->UpdateTextList("InjectDll64", InjectDll64, false);
|
||||
#ifdef _M_ARM64
|
||||
m_pBox->UpdateTextList("InjectDllARM64", InjectDllARM64, false);
|
||||
#endif
|
||||
|
||||
WriteAdvancedCheck(ui.chkHostProtect, "ProtectHostImages", "y", "");
|
||||
WriteAdvancedCheck(ui.chkHostProtectMsg, "NotifyImageLoadDenied", "", "n");
|
||||
|
||||
|
||||
WriteGlobalCheck(ui.chkSbieLogon, "SandboxieLogon", false);
|
||||
|
||||
SaveOptionList();
|
||||
|
@ -438,6 +535,20 @@ void COptionsWindow::OnNoWindowRename()
|
|||
DelAccessEntry(eWnd, "", eOpen, "#");
|
||||
}
|
||||
|
||||
void COptionsWindow::OnToggleInjectDll(QTreeWidgetItem* pItem, int Column)
|
||||
{
|
||||
OnAdvancedChanged();
|
||||
}
|
||||
|
||||
void COptionsWindow::OnDblClickInjedtDll(QTreeWidgetItem* pItem, int Column)
|
||||
{
|
||||
CAddonPtr pAddon = theGUI->GetAddonManager()->GetAddon(pItem->data(0, Qt::UserRole).toString());
|
||||
if (!pAddon || pAddon->Data["configFile"].toString().isEmpty())
|
||||
return;
|
||||
|
||||
theGUI->EditIni(theAPI->GetSbiePath() + pAddon->Data["installPath"].toString() + pAddon->Data["configFile"].toString());
|
||||
}
|
||||
|
||||
void COptionsWindow::OnHostProtectChanged()
|
||||
{
|
||||
ui.chkHostProtectMsg->setEnabled(ui.chkHostProtect->isChecked());
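Review bot: In both LoadAdvanced and SaveAdvanced the addon key `"x64"` is paired with the `InjectDll` list and `"x86"` with `InjectDll64`, which looks inverted if `InjectDll64` is the 64-bit setting its name suggests. As written, SaveAdvanced would append the 64-bit DLL path to the 32-bit list and LoadAdvanced would compute the check state from the wrong list; the pairing should probably be `if (Key == "x64") pList = &InjectDll64;` and `else if (Key == "x86") pList = &InjectDll;`, with the same swap for `List` in LoadAdvanced. Separately, the `endsWith(InjectDlls[Key].toString(), Qt::CaseInsensitive)` match has no path-separator boundary, so unless the addon value always begins with a separator, the "remove old entries" loop in SaveAdvanced can also delete a user-configured entry whose file name merely ends with the addon's DLL name. Comparing the file-name component exactly would avoid that. OnHostProtectChanged continues outside the last hunk.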
|
||||
|
|
|
@ -105,6 +105,9 @@ private slots:
|
|||
//void OnShowStartTmpl() { LoadStartTmpl(true); }
|
||||
void OnStartChanged(QTreeWidgetItem* pItem, int Index);
|
||||
|
||||
void OnToggleInjectDll(QTreeWidgetItem* pItem, int Column);
|
||||
void OnDblClickInjedtDll(QTreeWidgetItem* pItem, int Column);
|
||||
|
||||
void OnHostProtectChanged();
|
||||
|
||||
// net
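Review bot: The slot name `OnDblClickInjedtDll` is misspelled (`Injedt` for `Inject`). Because CreateAdvanced wires it with the string-based `SLOT(OnDblClickInjedtDll(QTreeWidgetItem*, int))`, a later one-sided correction would still compile and only fail at connect time, so it is worth renaming now in the declaration, the definition and the `SLOT(...)` string together: `void OnDblClickInjectDll(QTreeWidgetItem* pItem, int Column);`. The private slots block continues outside the hunk.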
|
||||
|
|