Merge pull request #3670 from love-code-yeyixiao/master

Prevents processes in the sandbox from capturing screen images.
This commit is contained in:
DavidXanatos 2024-03-03 11:58:43 +01:00 committed by GitHub
commit 272e6c5f67
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 294 additions and 183 deletions

View File

@ -8,7 +8,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Added ### Added
- added menu entry to restart Sandman as admin [#3581](https://github.com/sandboxie-plus/Sandboxie/issues/3581) (thx Yeyixiao) - added menu entry to restart Sandman as admin [#3581](https://github.com/sandboxie-plus/Sandboxie/issues/3581) (thx Yeyixiao)
- added option to block taking screen capture/screenshot of sandboxed processes [#624](https://github.com/sandboxie-plus/Sandboxie/issues/624) (thx Yeyixiao) - Added the option to prevent sandboxed programs from accessing the images of the window outside the sandbox [#624](https://github.com/sandboxie-plus/Sandboxie/issues/624) [#1985](https://github.com/sandboxie-plus/Sandboxie/issues/1985) (thx Yeyixiao)
- Sandman, suspend all processes [#3582](https://github.com/sandboxie-plus/Sandboxie/issues/3582) - Sandman, suspend all processes [#3582](https://github.com/sandboxie-plus/Sandboxie/issues/3582)
### Fixed ### Fixed

View File

@ -380,6 +380,10 @@ _FX BOOLEAN Gui_Init(HMODULE module)
Gui_UseProxyService = !Dll_CompartmentMode && !SbieApi_QueryConfBool(NULL, L"NoSandboxieDesktop", FALSE); Gui_UseProxyService = !Dll_CompartmentMode && !SbieApi_QueryConfBool(NULL, L"NoSandboxieDesktop", FALSE);
// NoSbieDesk END // NoSbieDesk END
GUI_IMPORT___(PrintWindow)
GUI_IMPORT___(GetWindowDC)
GUI_IMPORT___(GetDC)
GUI_IMPORT___(GetDCEx)
GUI_IMPORT___(GetWindowThreadProcessId); GUI_IMPORT___(GetWindowThreadProcessId);
GUI_IMPORT___(SetThreadDesktop); GUI_IMPORT___(SetThreadDesktop);
GUI_IMPORT___(SwitchDesktop); GUI_IMPORT___(SwitchDesktop);

View File

@ -412,6 +412,14 @@ typedef int (*P_LoadString)(
typedef BOOL (*P_SetProcessWindowStation)(HWINSTA hWinSta); typedef BOOL (*P_SetProcessWindowStation)(HWINSTA hWinSta);
typedef HDC(*P_GetWindowDC)(HWND hWnd);
typedef HDC(*P_GetDC)(HWND hWnd);
typedef HDC(*P_GetDCEx)(HWND hWnd,HRGN hrgnClip,DWORD flags);
typedef BOOL (*P_PrintWindow)(HWND hwnd,HDC hdcBlt,UINT nFlags);
typedef BOOL (*P_SetThreadDesktop)(HDESK hDesktop); typedef BOOL (*P_SetThreadDesktop)(HDESK hDesktop);
typedef BOOL (*P_SwitchDesktop)(HDESK hDesktop); typedef BOOL (*P_SwitchDesktop)(HDESK hDesktop);
@ -534,6 +542,10 @@ extern ATOM Gui_WindowProcOldA_Atom;
#endif #endif
#define GUI_SYS_VAR_2(nm) GUI_SYS_VAR_AW(nm,A); GUI_SYS_VAR_AW(nm,W); #define GUI_SYS_VAR_2(nm) GUI_SYS_VAR_AW(nm,A); GUI_SYS_VAR_AW(nm,W);
GUI_SYS_VAR(GetDC)
GUI_SYS_VAR(GetDCEx)
GUI_SYS_VAR(GetWindowDC)
GUI_SYS_VAR(PrintWindow)
GUI_SYS_VAR(ClipCursor) GUI_SYS_VAR(ClipCursor)
GUI_SYS_VAR(GetClipCursor) GUI_SYS_VAR(GetClipCursor)

View File

@ -99,6 +99,10 @@ static LONG Gui_GetRawInputDeviceInfoW(
_In_opt_ HANDLE hDevice, _In_ UINT uiCommand, _In_opt_ HANDLE hDevice, _In_ UINT uiCommand,
_Inout_ LPVOID pData, _Inout_ PUINT pcbSize); _Inout_ LPVOID pData, _Inout_ PUINT pcbSize);
static HDC Gui_GetDC(HWND hWnd);
static HDC Gui_GetWindowDC(HWND hWnd);
static HDC Gui_GetDCEx(HWND hWnd, HRGN hrgnClip, DWORD flags);
static BOOL Gui_PrintWindow(HWND hwnd,HDC hdcBlt,UINT nFlags);
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
@ -176,7 +180,10 @@ _FX BOOLEAN Gui_InitMisc(HMODULE module)
} }
SBIEDLL_HOOK_GUI(SwapMouseButton); SBIEDLL_HOOK_GUI(SwapMouseButton);
SBIEDLL_HOOK_GUI(SetDoubleClickTime); SBIEDLL_HOOK_GUI(SetDoubleClickTime);
SBIEDLL_HOOK_GUI(GetWindowDC);
SBIEDLL_HOOK_GUI(GetDC);
SBIEDLL_HOOK_GUI(GetDCEx);
SBIEDLL_HOOK_GUI(PrintWindow);
if (Dll_OsBuild >= 6000) { if (Dll_OsBuild >= 6000) {
// //
@ -1458,3 +1465,76 @@ _FX BOOL Gui_ImmAssociateContextEx(
return ok; return ok;
} }
//---------------------------------------------------------------------------
// Gui_GetDC
//---------------------------------------------------------------------------
_FX HDC Gui_GetDC(HWND hWnd)
{
if (SbieApi_QueryConfBool(NULL, L"IsBlockCapture", FALSE)) {
if (hWnd == NULL || hWnd == __sys_GetDesktopWindow()) {
SetLastError(ERROR_ACCESS_DENIED);
return NULL;
}
ULONG_PTR pid=0, tid=0;
if (!Gui_IsSameBox(hWnd, &pid, &tid)) {
SetLastError(ERROR_ACCESS_DENIED);
return NULL;
}
}
return __sys_GetDC(hWnd);
}
_FX HDC Gui_GetWindowDC(HWND hWnd)
{
if (SbieApi_QueryConfBool(NULL, L"IsBlockCapture", FALSE)) {
if (hWnd == NULL || hWnd == __sys_GetDesktopWindow()) {
SetLastError(ERROR_ACCESS_DENIED);
return NULL;
}
ULONG_PTR pid = 0, tid = 0;
if (!Gui_IsSameBox(hWnd, &pid, &tid)) {
SetLastError(ERROR_ACCESS_DENIED);
return NULL;
}
}
return __sys_GetWindowDC(hWnd);
}
_FX HDC Gui_GetDCEx(HWND hWnd,HRGN hrgnClip,DWORD flags)
{
if (SbieApi_QueryConfBool(NULL, L"IsBlockCapture", FALSE)) {
if (hWnd == NULL || hWnd == __sys_GetDesktopWindow()) {
SetLastError(ERROR_ACCESS_DENIED);
return NULL;
}
ULONG_PTR pid = 0, tid = 0;
if (!Gui_IsSameBox(hWnd, &pid, &tid)) {
SetLastError(ERROR_ACCESS_DENIED);
return NULL;
}
}
return __sys_GetWindowDC(hWnd);
}
_FX BOOL Gui_PrintWindow(
HWND hwnd,
HDC hdcBlt,
UINT nFlags
) {
if (SbieApi_QueryConfBool(NULL, L"IsBlockCapture", FALSE)) {
if (hwnd == NULL || hwnd == __sys_GetDesktopWindow()) {
SetLastError(ERROR_ACCESS_DENIED);
return 0;
}
ULONG_PTR pid = 0, tid = 0;
if (!Gui_IsSameBox(hwnd, &pid, &tid)) {
SetLastError(ERROR_ACCESS_DENIED);
return 0;
}
}
return __sys_PrintWindow(hwnd, hdcBlt, nFlags);
}

View File

@ -45,7 +45,7 @@
<enum>QTabWidget::North</enum> <enum>QTabWidget::North</enum>
</property> </property>
<property name="currentIndex"> <property name="currentIndex">
<number>1</number> <number>0</number>
</property> </property>
<widget class="QWidget" name="tabGeneral"> <widget class="QWidget" name="tabGeneral">
<attribute name="title"> <attribute name="title">
@ -55,7 +55,7 @@
<item row="0" column="0"> <item row="0" column="0">
<widget class="QTabWidget" name="tabsGeneral"> <widget class="QTabWidget" name="tabsGeneral">
<property name="currentIndex"> <property name="currentIndex">
<number>0</number> <number>3</number>
</property> </property>
<widget class="QWidget" name="tabOptions"> <widget class="QWidget" name="tabOptions">
<attribute name="title"> <attribute name="title">
@ -665,49 +665,31 @@
<attribute name="title"> <attribute name="title">
<string>Restrictions</string> <string>Restrictions</string>
</attribute> </attribute>
<layout class="QGridLayout" name="gridLayout_37">
<item row="0" column="0">
<layout class="QGridLayout" name="gridLayout_36"> <layout class="QGridLayout" name="gridLayout_36">
<item row="9" column="2"> <item row="0" column="0" colspan="2">
<widget class="QCheckBox" name="chkOpenCredentials"> <widget class="QLabel" name="lblNetwork">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text"> <property name="text">
<string>Open Windows Credentials Store (user mode)</string> <string>Network restrictions</string>
</property> </property>
</widget> </widget>
</item> </item>
<item row="13" column="2"> <item row="1" column="1" colspan="2">
<spacer name="horizontalSpacer_5"> <widget class="QCheckBox" name="chkBlockNetShare">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="1" colspan="2">
<widget class="QCheckBox" name="chkCloseClipBoard">
<property name="text"> <property name="text">
<string>Block read access to the clipboard</string> <string>Block network files and folders, unless specifically opened.</string>
</property> </property>
</widget> </widget>
</item> </item>
<item row="13" column="0">
<spacer name="verticalSpacer_12">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" colspan="2"> <item row="2" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockNetParam"> <widget class="QCheckBox" name="chkBlockNetParam">
<property name="text"> <property name="text">
@ -715,10 +697,20 @@
</property> </property>
</widget> </widget>
</item> </item>
<item row="11" column="1" colspan="2"> <item row="3" column="0" colspan="2">
<widget class="QCheckBox" name="chkVmRead"> <widget class="QLabel" name="lblPrinting">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text"> <property name="text">
<string>Allow to read memory of unsandboxed processes (not recommended)</string> <string>Printing restrictions</string>
</property> </property>
</widget> </widget>
</item> </item>
@ -729,6 +721,13 @@
</property> </property>
</widget> </widget>
</item> </item>
<item row="5" column="2">
<widget class="QCheckBox" name="chkOpenSpooler">
<property name="text">
<string>Remove spooler restriction, printers can be installed outside the sandbox</string>
</property>
</widget>
</item>
<item row="6" column="2"> <item row="6" column="2">
<widget class="QCheckBox" name="chkPrintToFile"> <widget class="QCheckBox" name="chkPrintToFile">
<property name="sizePolicy"> <property name="sizePolicy">
@ -742,35 +741,7 @@
</property> </property>
</widget> </widget>
</item> </item>
<item row="1" column="1" colspan="2"> <item row="7" column="0">
<widget class="QCheckBox" name="chkBlockNetShare">
<property name="text">
<string>Block network files and folders, unless specifically opened.</string>
</property>
</widget>
</item>
<item row="5" column="2">
<widget class="QCheckBox" name="chkOpenSpooler">
<property name="text">
<string>Remove spooler restriction, printers can be installed outside the sandbox</string>
</property>
</widget>
</item>
<item row="8" column="1" colspan="2">
<widget class="QCheckBox" name="chkOpenProtectedStorage">
<property name="text">
<string>Open System Protected Storage</string>
</property>
</widget>
</item>
<item row="12" column="2">
<widget class="QCheckBox" name="chkVmReadNotify">
<property name="text">
<string>Issue message 2111 when a process access is denied</string>
</property>
</widget>
</item>
<item row="7" column="0" colspan="2">
<widget class="QLabel" name="lblOther"> <widget class="QLabel" name="lblOther">
<property name="font"> <property name="font">
<font> <font>
@ -787,6 +758,13 @@
</property> </property>
</widget> </widget>
</item> </item>
<item row="8" column="1" colspan="2">
<widget class="QCheckBox" name="chkOpenProtectedStorage">
<property name="text">
<string>Open System Protected Storage</string>
</property>
</widget>
</item>
<item row="9" column="1"> <item row="9" column="1">
<widget class="QLabel" name="label_39"> <widget class="QLabel" name="label_39">
<property name="minimumSize"> <property name="minimumSize">
@ -806,41 +784,73 @@
</property> </property>
</widget> </widget>
</item> </item>
<item row="3" column="0" colspan="2"> <item row="9" column="2">
<widget class="QLabel" name="lblPrinting"> <widget class="QCheckBox" name="chkOpenCredentials">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text"> <property name="text">
<string>Printing restrictions</string> <string>Open Windows Credentials Store (user mode)</string>
</property> </property>
</widget> </widget>
</item> </item>
<item row="0" column="0" colspan="2"> <item row="10" column="1" colspan="2">
<widget class="QLabel" name="lblNetwork"> <widget class="QCheckBox" name="chkCloseClipBoard">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text"> <property name="text">
<string>Network restrictions</string> <string>Block read access to the clipboard</string>
</property> </property>
</widget> </widget>
</item> </item>
</layout> <item row="11" column="1" colspan="2">
<widget class="QCheckBox" name="chkVmRead">
<property name="text">
<string>Allow to read memory of unsandboxed processes (not recommended)</string>
</property>
</widget>
</item>
<item row="12" column="2">
<widget class="QCheckBox" name="chkVmReadNotify">
<property name="text">
<string>Issue message 2111 when a process access is denied</string>
</property>
</widget>
</item>
<item row="13" column="0" rowspan="2">
<spacer name="verticalSpacer_12">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>43</height>
</size>
</property>
</spacer>
</item>
<item row="13" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockCapture">
<property name="text">
<string>Prevents an in-sandbox process from performing cross-sandbox window image manipulation.</string>
</property>
</widget>
</item>
<item row="14" column="2">
<widget class="QLabel" name="label_19">
<property name="text">
<string>(for example, screenshots) </string>
</property>
</widget>
</item>
<item row="15" column="2">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>556</width>
<height>20</height>
</size>
</property>
</spacer>
</item> </item>
</layout> </layout>
</widget> </widget>
@ -1004,7 +1014,7 @@
<item row="0" column="0"> <item row="0" column="0">
<widget class="QTabWidget" name="tabsSecurity"> <widget class="QTabWidget" name="tabsSecurity">
<property name="currentIndex"> <property name="currentIndex">
<number>2</number> <number>1</number>
</property> </property>
<widget class="QWidget" name="tabHarden"> <widget class="QWidget" name="tabHarden">
<attribute name="title"> <attribute name="title">
@ -1442,6 +1452,7 @@
<widget class="QLabel" name="lblBoxProtection"> <widget class="QLabel" name="lblBoxProtection">
<property name="font"> <property name="font">
<font> <font>
<weight>75</weight>
<bold>true</bold> <bold>true</bold>
<kerning>true</kerning> <kerning>true</kerning>
</font> </font>
@ -4949,7 +4960,6 @@ Please note that this values are currently user specific and saved globally for
</widget> </widget>
<tabstops> <tabstops>
<tabstop>tabs</tabstop> <tabstop>tabs</tabstop>
<tabstop>tabsGeneral</tabstop>
<tabstop>cmbBoxIndicator</tabstop> <tabstop>cmbBoxIndicator</tabstop>
<tabstop>cmbBoxBorder</tabstop> <tabstop>cmbBoxBorder</tabstop>
<tabstop>btnBorderColor</tabstop> <tabstop>btnBorderColor</tabstop>

View File

@ -521,6 +521,8 @@ void COptionsWindow::UpdateBoxIsolation()
ui.chkCloseClipBoard->setEnabled(!ui.chkNoSecurityIsolation->isChecked()); ui.chkCloseClipBoard->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
ui.chkVmRead->setEnabled(!ui.chkNoSecurityIsolation->isChecked()); ui.chkVmRead->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
ui.chkBlockCapture->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
ui.chkCloseForBox->setEnabled(!ui.chkNoSecurityIsolation->isChecked()); ui.chkCloseForBox->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
ui.chkNoOpenForBox->setEnabled(!ui.chkNoSecurityIsolation->isChecked()); ui.chkNoOpenForBox->setEnabled(!ui.chkNoSecurityIsolation->isChecked());

View File

@ -166,6 +166,7 @@ void COptionsWindow::CreateGeneral()
connect(ui.chkOpenProtectedStorage, SIGNAL(clicked(bool)), this, SLOT(OnPSTChanged())); connect(ui.chkOpenProtectedStorage, SIGNAL(clicked(bool)), this, SLOT(OnPSTChanged()));
connect(ui.chkOpenCredentials, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); connect(ui.chkOpenCredentials, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
connect(ui.chkCloseClipBoard, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); connect(ui.chkCloseClipBoard, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
connect(ui.chkBlockCapture, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
connect(ui.chkVmRead, SIGNAL(clicked(bool)), this, SLOT(OnVmRead())); connect(ui.chkVmRead, SIGNAL(clicked(bool)), this, SLOT(OnVmRead()));
connect(ui.chkVmReadNotify, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); connect(ui.chkVmReadNotify, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
//connect(ui.chkOpenSmartCard, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); //connect(ui.chkOpenSmartCard, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
@ -282,6 +283,7 @@ void COptionsWindow::LoadGeneral()
ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage")); ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage"));
ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false)); ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false));
ui.chkCloseClipBoard->setChecked(!m_pBox->GetBool("OpenClipboard", true)); ui.chkCloseClipBoard->setChecked(!m_pBox->GetBool("OpenClipboard", true));
ui.chkBlockCapture->setChecked(m_pBox->GetBool("IsBlockCapture", false));
ui.chkVmReadNotify->setChecked(m_pBox->GetBool("NotifyProcessAccessDenied", false)); ui.chkVmReadNotify->setChecked(m_pBox->GetBool("NotifyProcessAccessDenied", false));
//ui.chkOpenSmartCard->setChecked(m_pBox->GetBool("OpenSmartCard", true)); //ui.chkOpenSmartCard->setChecked(m_pBox->GetBool("OpenSmartCard", true));
//ui.chkOpenBluetooth->setChecked(m_pBox->GetBool("OpenBluetooth", false)); //ui.chkOpenBluetooth->setChecked(m_pBox->GetBool("OpenBluetooth", false));
@ -416,6 +418,7 @@ void COptionsWindow::SaveGeneral()
if (ui.chkOpenCredentials->isEnabled()) if (ui.chkOpenCredentials->isEnabled())
WriteAdvancedCheck(ui.chkOpenCredentials, "OpenCredentials", "y", ""); WriteAdvancedCheck(ui.chkOpenCredentials, "OpenCredentials", "y", "");
WriteAdvancedCheck(ui.chkCloseClipBoard, "OpenClipboard", "n", ""); WriteAdvancedCheck(ui.chkCloseClipBoard, "OpenClipboard", "n", "");
WriteAdvancedCheck(ui.chkBlockCapture, "IsBlockCapture", "y", "n");
WriteAdvancedCheck(ui.chkVmReadNotify, "NotifyProcessAccessDenied", "y", ""); WriteAdvancedCheck(ui.chkVmReadNotify, "NotifyProcessAccessDenied", "y", "");
//WriteAdvancedCheck(ui.chkOpenSmartCard, "OpenSmartCard", "", "n"); //WriteAdvancedCheck(ui.chkOpenSmartCard, "OpenSmartCard", "", "n");
//WriteAdvancedCheck(ui.chkOpenBluetooth, "OpenBluetooth", "y", ""); //WriteAdvancedCheck(ui.chkOpenBluetooth, "OpenBluetooth", "y", "");