This commit is contained in:
DavidXanatos 2023-07-31 08:30:20 +02:00
parent 58063aa8b5
commit 1ccf217b07
8 changed files with 197 additions and 49 deletions


@ -24,6 +24,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- fixed issue with pinned run entry icons
- fixed UGlobalHotkey lib not being compatible with Qt6
### Removed
- removed hardcoded support for LogApiDll
- use addon manager and dll injection settings
## [1.10.1 / 5.65.1] - 2023-07-24


@ -1295,21 +1295,14 @@
</item>
</layout>
</widget>
<widget class="QWidget" name="tabImage">
<widget class="QWidget" name="tabDlls">
<attribute name="title">
<string>Image Protection</string>
<string>Dlls &amp;&amp; Extensions</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_77">
<item row="0" column="0">
<item row="1" column="0">
<layout class="QGridLayout" name="gridLayout_49">
<item row="3" column="2">
<widget class="QCheckBox" name="chkHostProtectMsg">
<property name="text">
<string>Issue message 1305 when a program tries to load a sandboxed dll</string>
</property>
</widget>
</item>
<item row="4" column="0">
<item row="6" column="1">
<spacer name="verticalSpacer_36">
<property name="orientation">
<enum>Qt::Vertical</enum>
@ -1322,31 +1315,10 @@
</property>
</spacer>
</item>
<item row="4" column="2">
<spacer name="horizontalSpacer_16">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" colspan="2">
<widget class="QCheckBox" name="chkHostProtect">
<property name="text">
<string>Prevent sandboxes programs installed on host from loading dll's from the sandbox</string>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<item row="3" column="0" colspan="2">
<widget class="QLabel" name="lblProtection">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -1359,36 +1331,86 @@
</property>
</widget>
</item>
<item row="3" column="1">
<widget class="QLabel" name="label_47">
<property name="minimumSize">
<size>
<width>20</width>
<height>0</height>
</size>
<item row="1" column="0" colspan="3">
<widget class="QTreeWidget" name="treeInjectDll">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize">
<size>
<width>20</width>
<height>16777215</height>
</size>
<column>
<property name="text">
<string>Name</string>
</property>
</column>
<column>
<property name="text">
<string>Description</string>
</property>
</column>
</widget>
</item>
<item row="4" column="1" colspan="2">
<widget class="QCheckBox" name="chkHostProtect">
<property name="toolTip">
<string>Sandboxies resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. ClosedFilePath=! iexplore.exe,C:Users* will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the “Access policies” page.
This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself.</string>
</property>
<property name="text">
<string/>
<string>Prevent sandboxes programs installed on host from loading dll's from the sandbox</string>
</property>
</widget>
</item>
<item row="5" column="2">
<widget class="QCheckBox" name="chkHostProtectMsg">
<property name="text">
<string>Issue message 1305 when a program tries to load a sandboxed dll</string>
</property>
</widget>
</item>
<item row="0" column="0" colspan="3">
<widget class="QLabel" name="label_52">
<widget class="QLabel" name="label_36">
<property name="sizePolicy">
<sizepolicy hsizetype="Preferred" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Sandboxies resource access rules often discriminate against program binaries located inside the sandbox. OpenFilePath and OpenKeyPath work only for application binaries located on the host natively. In order to define a rule without this restriction, OpenPipePath or OpenConfPath must be used. Likewise, all Closed(File|Key|Ipc)Path directives which are defined by negation e.g. ClosedFilePath=! iexplore.exe,C:Users* will be always closed for binaries located inside a sandbox. Both restriction policies can be disabled on the “Access policies” page.
This is done to prevent rogue processes inside the sandbox from creating a renamed copy of themselves and accessing protected resources. Another exploit vector is the injection of a library into an authorized process to get access to everything it is allowed to access. Using Host Image Protection, this can be prevented by blocking applications (installed on the host) running inside a sandbox from loading libraries from the sandbox itself.</string>
<string>Sandboxies functionality can be enhanced using optional dlls which can be loaded into each sandboxed process on start by the SbieDll.dll, the addon manager in the global settings offers a couple useful extensions, once installed they can be enabled here for the current box.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="2">
<spacer name="horizontalSpacer_16">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="3">
<spacer name="verticalSpacer_39">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</item>
</layout>



@ -177,6 +177,7 @@
<file>Actions/Qube.png</file>
<file>Actions/Font.png</file>
<file>Actions/ResetFont.png</file>
<file>Actions/Dll.png</file>
</qresource>
<qresource prefix="/Boxes">
<file alias="Empty3">Boxes/sandbox-b-empty.png</file>


@ -3236,6 +3236,11 @@ void CSandMan::OnEditIni()
}
}
EditIni(IniPath, bPlus);
}
void CSandMan::EditIni(const QString& IniPath, bool bPlus)
{
bool bIsWritable = bPlus;
if (!bIsWritable) {
QFile File(IniPath);


@ -91,6 +91,8 @@ public:
bool RunSandboxed(const QStringList& Commands, QString BoxName = QString(), const QString& WrkDir = QString());
SB_RESULT(quint32) RunStart(const QString& BoxName, const QString& Command, bool Elevated = false, const QString& WorkingDir = QString(), QProcess* pProcess = NULL);
void EditIni(const QString& IniPath, bool bPlus = false);
QIcon GetBoxIcon(int boxType, bool inUse = false);// , bool inBusy = false);
QRgb GetBoxColor(int boxType) { return m_BoxColors[boxType]; }
QIcon GetColorIcon(QColor boxColor, bool inUse = false/*, bool bOut = false*/);


@ -6,6 +6,7 @@
#include "../MiscHelpers/Common/Common.h"
#include "../MiscHelpers/Common/ComboInputDialog.h"
#include "../MiscHelpers/Common/SettingsWidgets.h"
#include "../AddonManager.h"
#include "Helpers/WinAdmin.h"
void COptionsWindow::CreateAdvanced()
@ -97,6 +98,10 @@ void COptionsWindow::CreateAdvanced()
connect(ui.btnDelHostProcess, SIGNAL(clicked(bool)), this, SLOT(OnDelHostProcess()));
connect(ui.chkShowHostProcTmpl, SIGNAL(clicked(bool)), this, SLOT(OnShowHostProcTmpl()));
connect(ui.chkConfidential, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged())); // todo notify premium feature
connect(ui.treeInjectDll, SIGNAL(itemChanged(QTreeWidgetItem *, int)), this, SLOT(OnToggleInjectDll(QTreeWidgetItem *, int)));
connect(ui.treeInjectDll, SIGNAL(itemDoubleClicked(QTreeWidgetItem*, int)), this, SLOT(OnDblClickInjedtDll(QTreeWidgetItem*, int)));
connect(ui.chkHostProtect, SIGNAL(clicked(bool)), this, SLOT(OnHostProtectChanged()));
connect(ui.chkHostProtectMsg, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
@ -133,6 +138,57 @@ void COptionsWindow::LoadAdvanced()
ui.chkOpenSamEndpoint->setChecked(m_pBox->GetBool("OpenSamEndpoint", false));
ui.chkOpenLsaEndpoint->setChecked(m_pBox->GetBool("OpenLsaEndpoint", false));
ui.treeInjectDll->clear();
QStringList InjectDll = m_pBox->GetTextList("InjectDll", false);
QStringList InjectDll64 = m_pBox->GetTextList("InjectDll64", false);
#ifdef _M_ARM64
QStringList InjectDllARM64 = m_pBox->GetTextList("InjectDllARM64");
#endif
foreach(const CAddonInfoPtr pAddon, theGUI->GetAddonManager()->GetAddons()) {
if (!pAddon->Installed)
continue;
QVariantMap InjectDlls = pAddon->Data["injectDlls"].toMap();
if (!InjectDlls.isEmpty())
{
int Found = 0;
int Count = 0;
foreach(const QString & Key, InjectDlls.keys()) {
QStringList List;
if (Key == "x64") List = InjectDll;
else if (Key == "x86") List = InjectDll64;
#ifdef _M_ARM64
else if (Key == "a64") List = InjectDllARM64;
#endif
else
continue;
Count++;
foreach(const QString & DllPath, List) {
if (DllPath.endsWith(InjectDlls[Key].toString(), Qt::CaseInsensitive)) {
Found++;
break;
}
}
}
QTreeWidgetItem* pItem = new QTreeWidgetItem();
pItem->setData(0, Qt::UserRole, pAddon->Id);
pItem->setText(0, pAddon->GetLocalizedEntry("name"));
if (Found == Count) {
pItem->setCheckState(0, Qt::Checked);
pItem->setData(0, Qt::UserRole + 1, Qt::Checked);
} else if (Found > 0) {
pItem->setCheckState(0, Qt::PartiallyChecked);
pItem->setData(0, Qt::UserRole + 1, Qt::PartiallyChecked);
}
else {
pItem->setCheckState(0, Qt::Unchecked);
pItem->setData(0, Qt::UserRole + 1, Qt::Unchecked);
}
pItem->setText(1, pAddon->GetLocalizedEntry("description"));
ui.treeInjectDll->addTopLevelItem(pItem);
}
}
ui.chkHostProtect->setChecked(m_pBox->GetBool("ProtectHostImages", false));
ui.chkHostProtectMsg->setEnabled(ui.chkHostProtect->isChecked());
ui.chkHostProtectMsg->setChecked(m_pBox->GetBool("NotifyImageLoadDenied", true));
@ -269,8 +325,49 @@ void COptionsWindow::SaveAdvanced()
WriteAdvancedCheck(ui.chkOpenSamEndpoint, "OpenSamEndpoint", "y", "");
WriteAdvancedCheck(ui.chkOpenLsaEndpoint, "OpenLsaEndpoint", "y", "");
QStringList InjectDll = m_pBox->GetTextList("InjectDll", false);
QStringList InjectDll64 = m_pBox->GetTextList("InjectDll64", false);
#ifdef _M_ARM64
QStringList InjectDllARM64 = m_pBox->GetTextList("InjectDllARM64");
#endif
for (int i = 0; i < ui.treeInjectDll->topLevelItemCount(); i++) {
QTreeWidgetItem* pItem = ui.treeInjectDll->topLevelItem(i);
CAddonPtr pAddon = theGUI->GetAddonManager()->GetAddon(pItem->data(0, Qt::UserRole).toString());
if (pAddon && pItem->checkState(0) != Qt::PartiallyChecked && pItem->checkState(0) != pItem->data(0, Qt::UserRole + 1))
{
QVariantMap InjectDlls = pAddon->Data["injectDlls"].toMap();
foreach(const QString & Key, InjectDlls.keys()) {
QStringList* pList;
if (Key == "x64") pList = &InjectDll;
else if (Key == "x86") pList = &InjectDll64;
#ifdef _M_ARM64
else if (Key == "a64") pList = &InjectDllARM64;
#endif
else
continue;
// remove old entries
for (int i = 0; i < pList->size(); i++) {
if (pList->at(i).endsWith(InjectDlls[Key].toString(), Qt::CaseInsensitive))
pList->removeAt(i--);
}
// add new entries
if (pItem->checkState(0) == Qt::Checked)
pList->append(pAddon->Data["installPath"].toString() + InjectDlls[Key].toString());
}
}
}
m_pBox->UpdateTextList("InjectDll", InjectDll, false);
m_pBox->UpdateTextList("InjectDll64", InjectDll64, false);
#ifdef _M_ARM64
m_pBox->UpdateTextList("InjectDllARM64", InjectDllARM64, false);
#endif
WriteAdvancedCheck(ui.chkHostProtect, "ProtectHostImages", "y", "");
WriteAdvancedCheck(ui.chkHostProtectMsg, "NotifyImageLoadDenied", "", "n");
WriteGlobalCheck(ui.chkSbieLogon, "SandboxieLogon", false);
SaveOptionList();
@ -438,6 +535,20 @@ void COptionsWindow::OnNoWindowRename()
DelAccessEntry(eWnd, "", eOpen, "#");
}
void COptionsWindow::OnToggleInjectDll(QTreeWidgetItem* pItem, int Column)
{
OnAdvancedChanged();
}
void COptionsWindow::OnDblClickInjedtDll(QTreeWidgetItem* pItem, int Column)
{
CAddonPtr pAddon = theGUI->GetAddonManager()->GetAddon(pItem->data(0, Qt::UserRole).toString());
if (!pAddon || pAddon->Data["configFile"].toString().isEmpty())
return;
theGUI->EditIni(theAPI->GetSbiePath() + pAddon->Data["installPath"].toString() + pAddon->Data["configFile"].toString());
}
void COptionsWindow::OnHostProtectChanged()
{
ui.chkHostProtectMsg->setEnabled(ui.chkHostProtect->isChecked());
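Review bot: The architecture keys look swapped in LoadAdvanced: `if (Key == "x64") List = InjectDll;` followed by `else if (Key == "x86") List = InjectDll64;` pairs the addon's "x64" entry with the InjectDll list and its "x86" entry with InjectDll64, and SaveAdvanced repeats the same pairing with `pList = &InjectDll` / `pList = &InjectDll64`; assuming InjectDll64 is the 64-bit list as its name suggests, the assignments should read `if (Key == "x86") List = InjectDll; else if (Key == "x64") List = InjectDll64;` (and likewise for pList), since otherwise the checkbox state shown never matches the ini and saving writes each dll into the list of the other bitness. In SaveAdvanced the removal loop matches existing entries with `pList->at(i).endsWith(InjectDlls[Key].toString(), Qt::CaseInsensitive)`, so any user-configured InjectDll entry that merely ends with the same file name is silently dropped when the addon is toggled; comparing against the full `pAddon->Data["installPath"].toString() + InjectDlls[Key].toString()` that the code itself appends would confine the removal to the addon's own entry. That inner loop also declares `int i`, shadowing the `i` of the enclosing topLevelItem loop, which compiles but is easy to trip over on the next edit. The new slot name `OnDblClickInjedtDll` carries a typo (also in the header declaration) and would be clearer as `OnDblClickInjectDll`.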


@ -105,6 +105,9 @@ private slots:
//void OnShowStartTmpl() { LoadStartTmpl(true); }
void OnStartChanged(QTreeWidgetItem* pItem, int Index);
void OnToggleInjectDll(QTreeWidgetItem* pItem, int Column);
void OnDblClickInjedtDll(QTreeWidgetItem* pItem, int Column);
void OnHostProtectChanged();
// net