This commit is contained in:
DavidXanatos 2022-01-01 20:31:05 +01:00
parent fe055e8aa9
commit 322f5ab771
14 changed files with 392 additions and 149 deletions


@ -7,13 +7,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [1.0.7 / 5.55.7] - 2022-01-??
### Added
- added experimental option "CreateToken=y" ability to create a new token instead of restricting an existing one
### Changed
- reworked syscall invocation code in the driver
### Fixed
- Win32k hooking is now compatible with HVCI [#1483](https://github.com/sandboxie-plus/Sandboxie/issues/1483)
- fixed memory leak in driver (conf_user.c)


@ -355,12 +355,7 @@
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="hook.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="hook.c" />
<ClCompile Include="hook_32.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
@ -515,12 +510,7 @@
<ClInclude Include="driver.h" />
<ClInclude Include="file.h" />
<ClInclude Include="gui.h" />
<ClInclude Include="hook.h">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClInclude>
<ClInclude Include="hook.h" />
<ClInclude Include="ipc.h" />
<ClInclude Include="key.h" />
<ClInclude Include="log.h" />


@ -284,6 +284,8 @@ _FX BOOLEAN Conf_GetGroupsForSid(WCHAR *PageSizeBuffer, ULONG SessionId)
break;
}
ExFreePool(groups);
//
// on Windows Vista, check for UAC split token
//


@ -56,9 +56,7 @@ static BOOLEAN Driver_InitPublicSecurity(void);
static BOOLEAN Driver_FindHomePath(UNICODE_STRING *RegistryPath);
#ifdef OLD_DDK
static BOOLEAN Driver_FindMissingServices(void);
#endif // OLD_DDK
static void SbieDrv_DriverUnload(DRIVER_OBJECT *DriverObject);
@ -70,9 +68,7 @@ static void SbieDrv_DriverUnload(DRIVER_OBJECT *DriverObject);
#pragma alloc_text (INIT, DriverEntry)
#pragma alloc_text (INIT, Driver_CheckOsVersion)
#pragma alloc_text (INIT, Driver_FindHomePath)
#ifdef OLD_DDK
#pragma alloc_text (INIT, Driver_FindMissingServices)
#endif // OLD_DDK
#endif // ALLOC_PRAGMA
@ -130,6 +126,7 @@ ULONG Process_Flags3 = 0;
#ifdef OLD_DDK
P_NtSetInformationToken ZwSetInformationToken = NULL;
#endif // OLD_DDK
P_NtCreateToken ZwCreateToken = NULL;
//---------------------------------------------------------------------------
@ -199,10 +196,8 @@ _FX NTSTATUS DriverEntry(
if (ok)
ok = Session_Init();
#ifdef OLD_DDK
if (ok)
ok = Driver_FindMissingServices();
#endif // OLD_DDK
if (ok)
ok = Token_Init();
@ -607,60 +602,56 @@ _FX BOOLEAN Driver_FindHomePath(UNICODE_STRING *RegistryPath)
//---------------------------------------------------------------------------
#ifdef OLD_DDK
#define FIND_SERVICE(svc,prmcnt) \
{ \
static const char *ProcName = #svc; \
ptr = Dll_GetProc(Dll_NTDLL, ProcName, FALSE); \
if (! ptr) \
return FALSE; \
if (! Hook_GetService( \
ptr, NULL, prmcnt, NULL, (void **)&svc)) { \
RtlStringCbPrintfW(err_txt, szieof(err_txt), L"%s.%S", Dll_NTDLL, ProcName); \
Log_Msg1(MSG_1108, err_txt); \
return FALSE; \
} \
}
void* Driver_FindMissingService(const char* ProcName, int prmcnt)
{
void* ptr = Dll_GetProc(Dll_NTDLL, ProcName, FALSE);
if (!ptr)
return NULL;
void* svc = NULL;
if (!Hook_GetService(ptr, NULL, prmcnt, NULL, &svc))
return NULL;
return svc;
}
_FX BOOLEAN Driver_FindMissingServices(void)
{
#ifdef OLD_DDK
UNICODE_STRING uni;
RtlInitUnicodeString(&uni, L"ZwSetInformationToken");
//
// Windows 7 kernel exports ZwSetInformationToken
// on earlier versions of Windows, we search for it
//
#ifndef _WIN64
//#ifndef _WIN64
if (Driver_OsVersion < DRIVER_WINDOWS_7) {
void *ptr;
WCHAR err_txt[128];
FIND_SERVICE(ZwSetInformationToken, 4);
ZwSetInformationToken = (P_NtSetInformationToken) Driver_FindMissingService("ZwSetInformationToken", 4);
} else
#endif
//#endif
{
RtlInitUnicodeString(&uni, L"ZwSetInformationToken");
ZwSetInformationToken = (P_NtSetInformationToken)
MmGetSystemRoutineAddress(&uni);
if (!ZwSetInformationToken) {
Log_Msg1(MSG_1108, uni.Buffer);
return FALSE;
}
ZwSetInformationToken = (P_NtSetInformationToken) MmGetSystemRoutineAddress(&uni);
}
if (!ZwSetInformationToken) {
Log_Msg1(MSG_1108, uni.Buffer);
return FALSE;
}
#endif
//
// Retrive some unexported kernel functions that may be usefull
//
ZwCreateToken = (P_NtCreateToken) Driver_FindMissingService("ZwCreateToken", 13);
//DbgPrint("ZwCreateToken: %p\r\n", ZwCreateToken);
return TRUE;
}
#undef FIND_SERVICE
#endif // OLD_DDK
//---------------------------------------------------------------------------
// DriverUnload
//---------------------------------------------------------------------------
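Review bot: `Driver_FindMissingService` in the Driver_FindMissingServices hunk is defined without `static` and without a prototype, while every other `Driver_…` helper in this file is declared `static` in the forward-declaration block near the top; declare it as `static void *Driver_FindMissingService(const char *ProcName, int prmcnt);` there and mark the definition `static`. A NULL result for the `ZwCreateToken` lookup is silently accepted, so a signature-scan miss only surfaces later, per process, as the MSG_1222/0xA0 log in Token_CreateRestricted; since the feature is optional, a single init-time line such as `if (!ZwCreateToken) Log_Msg1(MSG_1108, L"ZwCreateToken");` (Log_Msg1 already takes a WCHAR string here) would make the failure visible once. The commented-out `//#ifndef _WIN64` / `//#endif` lines should be deleted rather than left in, and the comment above the lookup reads better as `// Retrieve some unexported kernel functions that may be useful`.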


@ -95,7 +95,7 @@ typedef struct _KEY_MOUNT KEY_MOUNT;
#ifdef OLD_DDK
extern P_NtSetInformationToken ZwSetInformationToken;
#endif // OLD_DDK
extern P_NtCreateToken ZwCreateToken;
//---------------------------------------------------------------------------
// Functions


@ -357,3 +357,15 @@ _FX NTSTATUS Hook_Api_Tramp(PROCESS *proc, ULONG64 *parms)
return status;
}
//---------------------------------------------------------------------------
// 32-bit and 64-bit code
//---------------------------------------------------------------------------
#ifdef _WIN64
#include "hook_64.c"
#else ! _WIN64
#include "hook_32.c"
#endif _WIN64
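Review bot: `#else ! _WIN64` and `#endif _WIN64` at the end of the new include block carry extra tokens after the directive, which the C standard does not allow and MSVC reports as warning C4067; they are evidently meant as comments, so write `#else // ! _WIN64` and `#endif // _WIN64`.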


@ -195,6 +195,10 @@ _FX ULONG Hook_Find_ZwRoutine(ULONG ServiceNum, void **out_routine)
// 0x48 8B C4 FA 48 83 EC xx 50 9C 6A xx 48 8D xx xx xx xx xx 50 ...
// ... B8 xx xx xx xx E9 xx xx xx xx 66 90
// a ZwXxx system service redirector looks like this in Windows 10 64-bit
// 48 8B C4 FA 48 83 EC xx 50 9C 6A xx 48 8D xx xx
// xx xx xx 50 B8 xx xx xx xx E9 xx xx xx xx C3 90
if (addr[0] != 0x48 || addr[1] != 0x8B)
break;
addr += 4;
@ -218,7 +222,7 @@ _FX ULONG Hook_Find_ZwRoutine(ULONG ServiceNum, void **out_routine)
break;
addr += 5;
if (addr[0] != 0x66 || addr[1] != 0x90)
if ((addr[0] != 0x66 && addr[0] != 0xC3) || addr[1] != 0x90)
break;
addr += 2;
}
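Review bot: The relaxed trailer check `if ((addr[0] != 0x66 && addr[0] != 0xC3) || addr[1] != 0x90)` in the second Hook_Find_ZwRoutine hunk has no comment saying which byte belongs to which OS, while the pattern comments added in the first hunk do; a one-liner above it, `// trailer is 66 90 (2-byte nop) on older kernels, C3 90 (ret + nop) on Windows 10 64-bit`, ties the check to those comments. Hook_Find_ZwRoutine starts and ends outside both hunks.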


@ -234,6 +234,7 @@ _FX void Log_Msg(
const WCHAR *string1,
const WCHAR *string2)
{
//DbgPrint("Sbie MSG_%d: %S; %S\r\n", (error_code & 0xFFFF), string1, string2);
Log_Msg_Session(error_code, string1, string2, -1);
}
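Review bot: The new `//DbgPrint("Sbie MSG_%d: ...")` line in Log_Msg is commented-out code checked in permanently; either drop it or gate it behind an existing debug build flag so it does not accumulate as dead text in the logging path.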


@ -1359,10 +1359,10 @@ _FX NTSTATUS Thread_CheckTokenForImpersonation(
if (proc->bAppCompartment || Conf_Get_Boolean(proc->box->name, L"OriginalToken", 0, FALSE))
return STATUS_SUCCESS;
// OriginalToken END
// OpenToken BEGIN
if ((Conf_Get_Boolean(proc->box->name, L"OpenToken", 0, FALSE) || Conf_Get_Boolean(proc->box->name, L"UnfilteredToken", 0, FALSE)))
// UnfilteredToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"UnfilteredToken", 0, FALSE))
return STATUS_SUCCESS;
// OpenToken END
// UnfilteredToken END
BOOLEAN DropRights = proc->drop_rights;
ULONG SessionId = proc->box->session_id;
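Review bot: The Thread_CheckTokenForImpersonation hunk drops `OpenToken` from the condition and keeps only `UnfilteredToken`, so an existing box configured with `OpenToken=y` silently stops taking this path; the same alias removal appears in the Token_FilterPrimary, Token_Restrict and Token_ReplacePrimary hunks of token.c, in GuiServer::GetJobObjectForAssign and in TerminalServer::GetUserToken. If this is intended, the changelog hunk in this commit should list it under Changed (it currently mentions only the new CreateToken option), since CSandBoxPlus::CheckUnsecureConfig still reports `OpenToken` as an unsafe setting that the driver no longer honours; if it is not intended, keep `|| Conf_Get_Boolean(proc->box->name, L"OpenToken", 0, FALSE)` alongside the new key. Thread_CheckTokenForImpersonation starts and ends outside this hunk.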


@ -62,7 +62,7 @@ static NTSTATUS Token_FilterDacl(void *TokenObject, ULONG SessionId);
static NTSTATUS Token_SetHandleDacl(HANDLE Handle, ACL *Dacl);
static void *Token_RestrictHelper1(
void *TokenObject, ULONG *OutIntegrityLevel, PROCESS *proc);
void *TokenObject, PROCESS *proc);
static NTSTATUS Token_RestrictHelper2(
void *TokenObject, ULONG *OutIntegrityLevel, PROCESS *proc);
@ -74,6 +74,9 @@ static void *Token_RestrictHelper3(
static BOOLEAN Token_AssignPrimary(
void *ProcessObject, void *TokenObject, ULONG SessionId);
static void *Token_DuplicateToken(void *TokenObject, PROCESS *proc);
static void *Token_CreateRestricted(void *TokenObject, PROCESS *proc);
//---------------------------------------------------------------------------
@ -485,11 +488,11 @@ _FX void *Token_FilterPrimary(PROCESS *proc, void *ProcessObject)
return NULL;
}
// OpenToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"OpenToken", 0, FALSE) || Conf_Get_Boolean(proc->box->name, L"UnfilteredToken", 0, FALSE)) {
// UnfilteredToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"UnfilteredToken", 0, FALSE)) {
return PrimaryToken;
}
// OpenToken END
// UnfilteredToken END
// DbgPrint(" Process Token %08X - %d <%S>\n", PrimaryToken, proc->pid, proc->image_name);
@ -842,82 +845,90 @@ _FX void *Token_Restrict(
TOKEN_PRIVILEGES *privs;
TOKEN_USER *user;
void *NewTokenObject = NULL;
/*if (Conf_Get_Boolean(proc->box->name, L"CreateToken", 0, FALSE))
{
}*/
void* FixedTokenObject;
// OpenToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"OpenToken", 0, FALSE) || Conf_Get_Boolean(proc->box->name, L"UnrestrictedToken", 0, FALSE)) {
// UnrestrictedToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"UnrestrictedToken", 0, FALSE)) {
//NTSTATUS status = SeFilterToken(TokenObject, 0, NULL, NULL, NULL, &NewTokenObject);
//NTSTATUS status = SeFilterToken(TokenObject, 0, NULL, NULL, NULL, &NewTokenObject);
//if(!NT_SUCCESS(status))
// Log_Status_Ex_Process(MSG_1222, 0xA0, status, NULL, proc->box->session_id, proc->pid);
// return NewTokenObject;
HANDLE OldTokenHandle;
NTSTATUS status = ObOpenObjectByPointer(
TokenObject, OBJ_KERNEL_HANDLE, NULL, TOKEN_ALL_ACCESS,
*SeTokenObjectType, KernelMode, &OldTokenHandle);
if (NT_SUCCESS(status)) {
HANDLE NewTokenHandle;
status = ZwDuplicateToken(OldTokenHandle, TOKEN_ALL_ACCESS, NULL,
FALSE, TokenPrimary, &NewTokenHandle);
if (NT_SUCCESS(status)) {
status = ObReferenceObjectByHandle(NewTokenHandle, 0, *SeTokenObjectType,
UserMode, &NewTokenObject, NULL);
if (!NT_SUCCESS(status))
Log_Status_Ex_Process(MSG_1222, 0xA3, status, NULL, proc->box->session_id, proc->pid);
NtClose(NewTokenHandle);
}
else
Log_Status_Ex_Process(MSG_1222, 0xA2, status, NULL, proc->box->session_id, proc->pid);
ZwClose(OldTokenHandle);
}
else
Log_Status_Ex_Process(MSG_1222, 0xA1, status, NULL, proc->box->session_id, proc->pid);
return NewTokenObject;
return Token_DuplicateToken(TokenObject, proc);
}
// OpenToken END
// UnrestrictedToken END
groups = Token_Query(TokenObject, TokenGroups, proc->box->session_id);
privs = Token_Query(TokenObject, TokenPrivileges, proc->box->session_id);
user = Token_Query(TokenObject, TokenUser, proc->box->session_id);
//
// Create a heavily restricted primary token
//
if (groups && privs && user) {
if (Conf_Get_Boolean(proc->box->name, L"CreateToken", 0, FALSE)) {
//
// Create a new token from scratch, experimental
//
void *FixedTokenObject = Token_RestrictHelper1(
TokenObject, OutIntegrityLevel, proc);
FixedTokenObject = Token_CreateRestricted(TokenObject, proc);
}
else {
//
// Create a modified token from the original one
//
FixedTokenObject = Token_RestrictHelper1(TokenObject, proc);
}
//
// on Windows Vista, set the untrusted integrity integrity label,
// primarily to prevent programs in the sandbox from being able to
// call PostThreadMessage to threads of programs outside the sandbox
// and to prevent injection of Win32 and WinEvent hooks
//
if (FixedTokenObject) {
NTSTATUS status = Token_RestrictHelper2(
FixedTokenObject, OutIntegrityLevel, proc);
if (!NT_SUCCESS(status)) {
ObDereferenceObject(FixedTokenObject);
FixedTokenObject = NULL;
}
}
if (FixedTokenObject) {
// OpenToken BEGIN
if (Conf_Get_Boolean(proc->box->name, L"UnstrippedToken", 0, FALSE))
NewTokenObject = FixedTokenObject;
else
return FixedTokenObject;
// OpenToken END
if (FixedTokenObject) {
TOKEN_PRIVILEGES *privs_arg =
groups = Token_Query(TokenObject, TokenGroups, proc->box->session_id);
privs = Token_Query(TokenObject, TokenPrivileges, proc->box->session_id);
user = Token_Query(TokenObject, TokenUser, proc->box->session_id);
if (groups && privs && user) {
TOKEN_PRIVILEGES* privs_arg =
(FilterFlags & DISABLE_MAX_PRIVILEGE) ? NULL : privs;
NewTokenObject = Token_RestrictHelper3(
FixedTokenObject, groups, privs_arg,
user->User.Sid, FilterFlags, proc);
ObDereferenceObject(FixedTokenObject);
}
}
ObDereferenceObject(FixedTokenObject);
if (user)
ExFreePool(user);
if (privs)
ExFreePool(privs);
if (groups)
ExFreePool(groups);
if (user)
ExFreePool(user);
if (privs)
ExFreePool(privs);
if (groups)
ExFreePool(groups);
}
return NewTokenObject;
}
@ -1070,7 +1081,7 @@ _FX BOOLEAN Token_IsSharedSid_W8(void *TokenObject)
_FX void *Token_RestrictHelper1(
void *TokenObject, ULONG *OutIntegrityLevel, PROCESS *proc)
void *TokenObject, PROCESS *proc)
{
void *NewTokenObject = NULL;
SID_AND_ATTRIBUTES *SidAndAttrsInToken = NULL;
@ -1311,25 +1322,6 @@ _FX void *Token_RestrictHelper1(
}
else
status = STATUS_UNKNOWN_REVISION;
//
// on Windows Vista, set the untrusted integrity integrity label,
// primarily to prevent programs in the sandbox from being able to
// call PostThreadMessage to threads of programs outside the sandbox
// and to prevent injection of Win32 and WinEvent hooks
//
if (NT_SUCCESS(status)) {
status = Token_RestrictHelper2(
NewTokenObject, OutIntegrityLevel, proc);
}
if (!NT_SUCCESS(status)) {
ObDereferenceObject(NewTokenObject);
NewTokenObject = NULL;
}
}
//
@ -1418,6 +1410,9 @@ _FX NTSTATUS Token_RestrictHelper2(
}
}
if (!NT_SUCCESS(status))
Log_Status_Ex_Process(MSG_1222, 0x33, status, NULL, proc->box->session_id, proc->pid);
return status;
}
@ -1836,7 +1831,7 @@ _FX BOOLEAN Token_ReplacePrimary(PROCESS *proc)
#ifdef _WIN64
// OpenToken BEGIN
if (!Conf_Get_Boolean(proc->box->name, L"OpenToken", 0, FALSE)
if (!Conf_Get_Boolean(proc->box->name, L"CreateToken", 0, FALSE)
&& !Conf_Get_Boolean(proc->box->name, L"UnrestrictedToken", 0, FALSE)
&& Conf_Get_Boolean(proc->box->name, L"AnonymousLogon", 0, TRUE))
// OpenToken END
@ -2150,4 +2145,249 @@ _FX NTSTATUS Token_Api_Filter(PROCESS* proc, ULONG64* parms)
}
return status;
}
}
//---------------------------------------------------------------------------
// Token_DuplicateToken
//---------------------------------------------------------------------------
_FX void *Token_DuplicateToken(void *TokenObject, PROCESS *proc)
{
void *NewTokenObject = NULL;
//
// This just duplicates a token starting with an object instead of a handle
// using SepDuplicateToken would be more convinient but its unexported :/
//
HANDLE OldTokenHandle;
NTSTATUS status = ObOpenObjectByPointer(
TokenObject, OBJ_KERNEL_HANDLE, NULL, TOKEN_ALL_ACCESS,
*SeTokenObjectType, KernelMode, &OldTokenHandle);
if (NT_SUCCESS(status)) {
HANDLE NewTokenHandle;
status = ZwDuplicateToken(OldTokenHandle, TOKEN_ALL_ACCESS, NULL,
FALSE, TokenPrimary, &NewTokenHandle);
if (NT_SUCCESS(status)) {
status = ObReferenceObjectByHandle(NewTokenHandle, 0, *SeTokenObjectType,
UserMode, &NewTokenObject, NULL);
if (!NT_SUCCESS(status))
Log_Status_Ex_Process(MSG_1222, 0xA3, status, NULL, proc->box->session_id, proc->pid);
NtClose(NewTokenHandle);
}
else
Log_Status_Ex_Process(MSG_1222, 0xA2, status, NULL, proc->box->session_id, proc->pid);
ZwClose(OldTokenHandle);
}
else
Log_Status_Ex_Process(MSG_1222, 0xA1, status, NULL, proc->box->session_id, proc->pid);
return NewTokenObject;
}
//---------------------------------------------------------------------------
// Token_CreateRestricted
//---------------------------------------------------------------------------
_FX void* Token_CreateRestricted(void* TokenObject, PROCESS* proc)
{
HANDLE TokenHandle = NULL;
BOOLEAN bRet = FALSE;
NTSTATUS status = STATUS_UNSUCCESSFUL;
ULONG DefaultDacl_Length = 0;
PACL Dacl = NULL;
PSID Sid = NULL;
PTOKEN_STATISTICS LocalStatistics = NULL;
PTOKEN_USER LocalUser = NULL;
PTOKEN_GROUPS LocalGroups = NULL;
PTOKEN_PRIVILEGES LocalPrivileges = NULL;
PTOKEN_OWNER LocalOwner = NULL;
PTOKEN_PRIMARY_GROUP LocalPrimaryGroup = NULL;
PTOKEN_DEFAULT_DACL LocalDefaultDacl = NULL;
PTOKEN_DEFAULT_DACL NewDefaultDacl = NULL;
PTOKEN_SOURCE LocalSource = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_QUALITY_OF_SERVICE SecurityQos;
if (!ZwCreateToken) {
Log_Status_Ex_Process(MSG_1222, 0xA0, STATUS_INVALID_SYSTEM_SERVICE, NULL, proc->box->session_id, proc->pid);
return NULL;
}
//
// Gether informations from the original token
//
if ( !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenStatistics, &LocalStatistics))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenUser, &LocalUser))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenGroups, &LocalGroups))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenPrivileges, &LocalPrivileges))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenOwner, &LocalOwner))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenPrimaryGroup, &LocalPrimaryGroup))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenDefaultDacl, &LocalDefaultDacl))
|| !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenSource, &LocalSource))
)
{
Log_Status_Ex_Process(MSG_1222, 0xA1, STATUS_UNSUCCESSFUL, NULL, proc->box->session_id, proc->pid);
goto finish;
}
//
// Change the SID
//
if (Conf_Get_Boolean(proc->box->name, L"AnonymousLogon", 0, TRUE))
{
PSID NewSid = NULL;
// SbieLogin BEGIN
if (Conf_Get_Boolean(proc->box->name, L"SandboxieLogon", 0, FALSE))
{
if (SandboxieLogonSid[0] != 0)
NewSid = (PSID)SandboxieLogonSid;
else {
Log_Status_Ex_Process(MSG_1222, 0xA6, status, NULL, proc->box->session_id, proc->pid);
goto finish;
}
}
else
// SbieLogin END
if (Conf_Get_Boolean(proc->box->name, L"AnonymousLogon", 0, TRUE))
{
NewSid = (PSID)AnonymousLogonSid;
}
if (NewSid != NULL)
{
memcpy(LocalUser->User.Sid, NewSid, RtlLengthSid(NewSid));
}
}
SecurityQos.Length = sizeof(SecurityQos);
SecurityQos.ImpersonationLevel = LocalStatistics->ImpersonationLevel;
SecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
SecurityQos.EffectiveOnly = FALSE;
ObjectAttributes.SecurityQualityOfService = &SecurityQos;
InitializeObjectAttributes(
&ObjectAttributes,
NULL,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
//
// Create a new token from scratch
//
status = ZwCreateToken(
&TokenHandle,
TOKEN_ALL_ACCESS,
&ObjectAttributes,
LocalStatistics->TokenType,
&LocalStatistics->AuthenticationId,
&LocalStatistics->ExpirationTime,
LocalUser,
LocalGroups,
LocalPrivileges,
LocalOwner,
LocalPrimaryGroup,
LocalDefaultDacl,
LocalSource
);
//
// Retry with new DACLs on error
//
if (status == STATUS_INVALID_OWNER)
{
DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize;
// Construct a new ACL
NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk);
if (NULL == NewDefaultDacl)
{
Log_Status_Ex_Process(MSG_1222, 0xA2, status, NULL, proc->box->session_id, proc->pid);
goto finish;
}
memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length);
NewDefaultDacl->DefaultDacl = Dacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL));
NewDefaultDacl->DefaultDacl->AclSize += 128;
Sid = LocalUser->User.Sid;
RtlAddAccessAllowedAce(Dacl, ACL_REVISION2, GENERIC_ALL, Sid);
status = ZwCreateToken(
&TokenHandle,
TOKEN_ALL_ACCESS,
&ObjectAttributes,
LocalStatistics->TokenType,
&LocalStatistics->AuthenticationId,
&LocalStatistics->ExpirationTime,
LocalUser,
LocalGroups,
LocalPrivileges,
(PTOKEN_OWNER)&Sid,
LocalPrimaryGroup,
NewDefaultDacl,
LocalSource
);
if (!NT_SUCCESS(status))
{
Log_Status_Ex_Process(MSG_1222, 0xA3, status, NULL, proc->box->session_id, proc->pid);
goto finish;
}
Token_SetHandleDacl(NtCurrentProcess(), Dacl);
Token_SetHandleDacl(NtCurrentThread(), Dacl);
Token_SetHandleDacl(TokenHandle, Dacl);
}
else if (!NT_SUCCESS(status))
{
Log_Status_Ex_Process(MSG_1222, 0xA4, status, NULL, proc->box->session_id, proc->pid);
}
finish:
if (LocalStatistics) ExFreePool((PVOID)LocalStatistics);
if (LocalUser) ExFreePool((PVOID)LocalUser);
if (LocalGroups) ExFreePool((PVOID)LocalGroups);
if (LocalPrivileges) ExFreePool((PVOID)LocalPrivileges);
if (LocalOwner) ExFreePool((PVOID)LocalOwner);
if (LocalPrimaryGroup) ExFreePool((PVOID)LocalPrimaryGroup);
if (LocalDefaultDacl) ExFreePool((PVOID)LocalDefaultDacl);
if (LocalSource) ExFreePool((PVOID)LocalSource);
if (NewDefaultDacl) ExFreePool((PVOID)NewDefaultDacl);
//
// get the actual token object from the handle
//
void* NewTokenObject = NULL;
if (TokenHandle != NULL) {
status = ObReferenceObjectByHandle(TokenHandle, 0, *SeTokenObjectType, UserMode, &NewTokenObject, NULL);
if (!NT_SUCCESS(status))
Log_Status_Ex_Process(MSG_1222, 0xA5, status, NULL, proc->box->session_id, proc->pid);
NtClose(TokenHandle);
}
return NewTokenObject;
}
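Review bot: In Token_CreateRestricted, `memcpy(LocalUser->User.Sid, NewSid, RtlLengthSid(NewSid));` writes the replacement SID into a buffer SeQueryInformationToken sized for the original user SID, so a NewSid longer than the original (SandboxieLogonSid is not length-checked here) overruns paged pool; since ZwCreateToken only reads through the pointer, `LocalUser->User.Sid = NewSid;` avoids the copy, or bound it with `if (RtlLengthSid(NewSid) > RtlLengthSid(LocalUser->User.Sid)) goto finish;`. A few lines later `ObjectAttributes.SecurityQualityOfService = &SecurityQos;` is assigned before `InitializeObjectAttributes(...)`, which resets that field to NULL, so the impersonation level is never passed to ZwCreateToken — move the assignment after the macro. In the STATUS_INVALID_OWNER retry, `memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length)` copies AclSize bytes starting at the TOKEN_DEFAULT_DACL header rather than at the ACL, which appears to rely on the header and ACL being contiguous and drops the ACL's trailing bytes; set `Dacl` first and copy `LocalDefaultDacl->DefaultDacl` into it with `memcpy(Dacl, LocalDefaultDacl->DefaultDacl, DefaultDacl_Length);`. The return value of `RtlAddAccessAllowedAce` is also unchecked, and a failure there leaves the retry DACL incomplete before it is applied to the process and thread handles.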


@ -242,13 +242,13 @@ Sbie_SepFilterTokenHandler_asm PROC
sub rsp,78h
mov dword ptr [rsp+60h],0
mov rax,qword ptr [rsp+00000000000000A0h] ; NewToken
mov rax,qword ptr [rsp+0A0h] ; NewToken
mov qword ptr [rsp+50h],rax
mov rax,qword ptr [rsp+0000000000000098h] ; LengthIncrease
mov rax,qword ptr [rsp+098h] ; LengthIncrease
mov qword ptr [rsp+48h],rax
mov rax,qword ptr [rsp+0000000000000090h] ; SidPtr
mov rax,qword ptr [rsp+090h] ; SidPtr
mov qword ptr [rsp+40h],rax
mov rax,qword ptr [rsp+0000000000000088h] ; SidCount
mov rax,qword ptr [rsp+088h] ; SidCount
mov qword ptr [rsp+38h],rax
mov qword ptr [rsp+30h],0
mov qword ptr [rsp+28h],0
@ -256,7 +256,7 @@ Sbie_SepFilterTokenHandler_asm PROC
mov r9d,0
mov r8d,0
mov edx,0
mov rcx,qword ptr [rsp+0000000000000080h] ; TokenObject
mov rcx,qword ptr [rsp+080h] ; TokenObject
call Token_SepFilterToken
add rsp,78h


@ -1047,10 +1047,10 @@ HANDLE GuiServer::GetJobObjectForAssign(const WCHAR *boxname)
if (SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
ok = TRUE;
// OriginalToken END
// OpenToken BEGIN
if ((SbieApi_QueryConfBool(boxname, L"OpenToken", FALSE) || SbieApi_QueryConfBool(boxname, L"UnrestrictedToken", FALSE)))
// UnrestrictedToken BEGIN
if (SbieApi_QueryConfBool(boxname, L"UnrestrictedToken", FALSE))
ok = TRUE;
// OpenToken END
// UnrestrictedToken END
if (! ok) {
ok = SetInformationJobObject(


@ -545,9 +545,9 @@ MSG_HEADER *TerminalServer::GetUserToken(MSG_HEADER *msg)
// OriginalToken BEGIN
if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)
// OriginalToken END
// OpenToken BEGIN
&& !SbieApi_QueryConfBool(boxname, L"OpenToken", FALSE) && !SbieApi_QueryConfBool(boxname, L"UnfilteredToken", FALSE))
// OpenToken END
// UnfilteredToken BEGIN
&& !SbieApi_QueryConfBool(boxname, L"UnfilteredToken", FALSE))
// UnfilteredToken END
{
// of one of the above is true we handle unfiltered tokens
// if not we need to filter the token or else security checks in the driver wil fail!


@ -160,6 +160,7 @@ void CSandBoxPlus::CloseBox()
bool CSandBoxPlus::CheckUnsecureConfig() const
{
//if (GetBool("UnsafeTemplate", false)) return true;
if (GetBool("OriginalToken", false)) return true;
if (GetBool("OpenToken", false)) return true;
if(GetBool("UnrestrictedToken", false)) return true;