From 58e35a4c9f97bb32a23ba9e911b6979865d681e2 Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Tue, 4 Jun 2024 08:50:25 +0200
Subject: [PATCH] Update ipc.c
---
 Sandboxie/core/drv/ipc.c | 70 ++++++++++++++++++++++------------------
 1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/Sandboxie/core/drv/ipc.c b/Sandboxie/core/drv/ipc.c
index 642da0f6..d6bd0d22 100644
--- a/Sandboxie/core/drv/ipc.c
+++ b/Sandboxie/core/drv/ipc.c
@@ -1402,34 +1402,30 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
     }
     else if (IS_ARG_CURRENT_PROCESS(TargetProcessHandle)) {
 
-        //
-        // we duplicate the handle into kernel space such that that user
-        // won't be able to grab it while we are evaluaiting it
-        //
-
         HANDLE SourceProcessKernelHandle;
         status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle);
         if (NT_SUCCESS(status)) {
 
             HANDLE TargetProcessKernelHandle = ZwCurrentProcess(); // TargetProcessHandle == NtCurrentProcess();
 
-            //
-            // driver verifier wants us to provide a kernel handle as process handles
-            // but the source handle must be a user handle and the ZwDuplicateObject
-            // function creates another user handle hence NtClose
-            //
-
-            status = ZwDuplicateObject(
-                SourceProcessKernelHandle, SourceHandle,
-                TargetProcessKernelHandle, &DuplicatedHandle,
-                DesiredAccess, HandleAttributes,
-                Options & ~DUPLICATE_CLOSE_SOURCE);
-
+            HANDLE SourceKernelHandle;
+            status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);
             if (NT_SUCCESS(status)) {
 
-                status = Ipc_CheckObjectName(DuplicatedHandle, UserMode);
+                status = ZwDuplicateObject(
+                    SourceProcessKernelHandle, SourceHandle,
+                    TargetProcessKernelHandle, &DuplicatedHandle,
+                    DesiredAccess, HandleAttributes,
+                    Options & ~DUPLICATE_CLOSE_SOURCE);
 
-                NtClose(DuplicatedHandle);
+                if (NT_SUCCESS(status)) {
+
+                    status = Ipc_CheckObjectName(DuplicatedHandle, UserMode);
+
+                    NtClose(DuplicatedHandle);
+                }
+
+                ZwClose(SourceKernelHandle);
             }
 
             ZwClose(SourceProcessKernelHandle);
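Review bot: The new `SourceKernelHandle` obtained by `status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);` is never used — the `ZwDuplicateObject` call that follows still passes the user-mode `SourceHandle` as its second argument and the kernel handle is only closed at the end, so the duplicate (and the `Ipc_CheckObjectName` check run on it) is still taken from a handle the caller can close and reuse while the check runs. The second hunk of this commit passes the kernel handle in that position; this branch should match it: `SourceProcessKernelHandle, SourceKernelHandle,`. Note also that in this branch `SourceProcessHandle` need not be the calling process, and if `Thread_GetKernelHandleForUserHandle` resolves `SourceHandle` against the caller's own handle table (the helper is not shown here) the lookup would be against the wrong table for a foreign source process, which is worth confirming before relying on it. `Ipc_Api_DuplicateObject` begins and ends outside this hunk.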
@@ -1444,30 +1440,40 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
 
     if (NT_SUCCESS(status)) {
 
-        HANDLE SourceProcessKernelHandle = (HANDLE)-1;
-        HANDLE TargetProcessKernelHandle = (HANDLE)-1;
-
+        HANDLE SourceProcessKernelHandle = ZwCurrentProcess();
         if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle))
             status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle);
         if (NT_SUCCESS(status)) {
 
+            HANDLE TargetProcessKernelHandle = ZwCurrentProcess();
             if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle))
                 status = Thread_GetKernelHandleForUserHandle(&TargetProcessKernelHandle, TargetProcessHandle);
             if (NT_SUCCESS(status)) {
 
-                status = ZwDuplicateObject(
-                    SourceProcessKernelHandle, SourceHandle,
-                    TargetProcessKernelHandle, &DuplicatedHandle,
-                    DesiredAccess, HandleAttributes, Options);
+                HANDLE SourceKernelHandle;
+                status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);
+                if (NT_SUCCESS(status)) {
 
-                *TargetHandle = DuplicatedHandle;
+                    status = ZwDuplicateObject(
+                        SourceProcessKernelHandle, SourceKernelHandle,
+                        TargetProcessKernelHandle, &DuplicatedHandle,
+                        DesiredAccess, HandleAttributes, Options & ~DUPLICATE_CLOSE_SOURCE);
+
+                    if (Options & DUPLICATE_CLOSE_SOURCE)
+                        NtClose(SourceHandle);
+
+                    *TargetHandle = DuplicatedHandle;
+
+                    ZwClose(SourceKernelHandle);
+                }
+
+                if (!IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle))
+                    ZwClose(TargetProcessKernelHandle);
             }
-        }
 
-        if (SourceProcessKernelHandle && !IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle))
-            ZwClose(SourceProcessKernelHandle);
-        if (TargetProcessKernelHandle && !IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle))
-            ZwClose(TargetProcessKernelHandle);
+            if (!IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle))
+                ZwClose(SourceProcessKernelHandle);
+        }
     }
 
     //
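Review bot: The new `if (Options & DUPLICATE_CLOSE_SOURCE) NtClose(SourceHandle);` closes `SourceHandle` in the calling process's handle table, but in this branch `SourceProcessHandle` may name another process (the `Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle)` line above exists for exactly that case), so for a foreign source process the close could hit an unrelated handle of the caller, or fail with the unchecked return value, while the real source handle stays open; before this change the flag was passed through to `ZwDuplicateObject`, which closes the handle inside the source process. The same caveat applies to the new `Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle)` call if that helper resolves the handle against the caller's table (the helper is not in this hunk). At minimum the explicit close should be limited to the case it is valid for, `if ((Options & DUPLICATE_CLOSE_SOURCE) && IS_ARG_CURRENT_PROCESS(SourceProcessHandle))`, with the foreign-source-process case either rejected up front or handled so that the source handle is closed in the process that owns it. Separately, `*TargetHandle = DuplicatedHandle;` is still stored when `ZwDuplicateObject` failed, which is pre-existing but now sits next to the new close. The enclosing function continues outside this hunk.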