DavidXanatos 2023-12-21 13:41:01 +01:00
parent 03488113b9
commit 6419d1c5d8
8 changed files with 115 additions and 20 deletions


@ -11,6 +11,7 @@ todo: improve behaviorue of toolbar customization menu
### Fixed
- fixed fix for [#3475](https://github.com/sandboxie-plus/Sandboxie/issues/3475) not working without FileRootPath being explicitly set
- fixed "The directory name is invalid" when starting a process in a encrypted private box [#3475](https://github.com/sandboxie-plus/Sandboxie/issues/3475)


@ -189,18 +189,21 @@ _FX BOOLEAN File_Init(void)
// implement workaround, see SbieDll_TranslateNtToDosPath
//
ULONG BoxFilePathLen = (0x1000 + 1) * sizeof(WCHAR);
WCHAR* BoxFilePathConf = Dll_AllocTemp(BoxFilePathLen);
if (!NT_SUCCESS(SbieApi_QueryConf(NULL, L"FileRootPath", 0, BoxFilePathConf, BoxFilePathLen)))
SbieApi_QueryConf(NULL, L"\\??\\%SystemDrive%\\Sandbox\\%USER%\\%SANDBOX%", CONF_JUST_EXPAND, BoxFilePathConf, BoxFilePathLen);
if (SbieDll_TranslateNtToDosPath(BoxFilePathConf))
ULONG BoxFilePathLen = 0;
if (NT_SUCCESS(SbieApi_QueryProcessInfoStr(0, 'root', NULL, &BoxFilePathLen)))
{
Dll_BoxFileDosPathLen = wcslen(BoxFilePathConf);
Dll_BoxFileDosPath = Dll_Alloc((Dll_BoxFileDosPathLen + 1) * sizeof(WCHAR));
wcscpy((WCHAR *)Dll_BoxFileDosPath, BoxFilePathConf);
WCHAR* BoxFilePathConf = Dll_AllocTemp(BoxFilePathLen);
if (NT_SUCCESS(SbieApi_QueryProcessInfoStr(0, 'root', BoxFilePathConf, &BoxFilePathLen)))
{
if (SbieDll_TranslateNtToDosPath(BoxFilePathConf))
{
Dll_BoxFileDosPathLen = wcslen(BoxFilePathConf);
Dll_BoxFileDosPath = Dll_Alloc((Dll_BoxFileDosPathLen + 1) * sizeof(WCHAR));
wcscpy((WCHAR*)Dll_BoxFileDosPath, BoxFilePathConf);
}
}
Dll_Free(BoxFilePathConf);
}
Dll_Free(BoxFilePathConf);
}
else
Dll_BoxFileDosPathLen = wcslen(Dll_BoxFileDosPath);
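Review bot: The temporary buffer handed to `SbieDll_TranslateNtToDosPath` is now sized to exactly the byte count the driver reports, where the replaced code used a fixed `(0x1000 + 1) * sizeof(WCHAR)` buffer. The translation rewrites the string in place, so this is only safe if the DOS form can never be longer than the NT form; that contract is not visible here and should be confirmed and recorded, e.g. `// in-place NT->DOS translation never grows the string`. The result of `Dll_AllocTemp(BoxFilePathLen)` is also passed on unchecked, and a reported length of 0 would give the second query a zero-byte buffer, so a guard such as `if (BoxFilePathLen >= sizeof(WCHAR) && BoxFilePathConf)` would make the path explicit. The enclosing `if` of File_Init starts outside this hunk.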


@ -662,6 +662,47 @@ _FX ULONG64 SbieApi_QueryProcessInfoEx(
}
//---------------------------------------------------------------------------
// SbieApi_QueryProcessInfoStr
//---------------------------------------------------------------------------
_FX LONG SbieApi_QueryProcessInfoStr(
HANDLE ProcessId,
ULONG info_type,
WCHAR *out_str,
ULONG *inout_str_len)
{
NTSTATUS status;
__declspec(align(8)) UNICODE_STRING64 UniStr;
__declspec(align(8)) ULONG64 parms[API_NUM_ARGS];
API_QUERY_PROCESS_INFO_ARGS *args = (API_QUERY_PROCESS_INFO_ARGS *)parms;
memzero(parms, sizeof(parms));
args->func_code = API_QUERY_PROCESS_INFO;
args->process_id.val64 = (ULONG64)(ULONG_PTR)ProcessId;
args->info_type.val64 = (ULONG64)(ULONG_PTR)info_type;
args->info_data.val64 = (ULONG64)(ULONG_PTR)inout_str_len;
if (out_str) {
UniStr.Length = 0;
UniStr.MaximumLength = (USHORT)*inout_str_len;
UniStr.Buffer = (ULONG64)(ULONG_PTR)out_str;
args->ext_data.val64 = (ULONG64)(ULONG_PTR)&UniStr;
}
status = SbieApi_Ioctl(parms);
if (!NT_SUCCESS(status)) {
if (out_str)
*out_str = L'\0';
}
return status;
}
//---------------------------------------------------------------------------
// SbieApi_QueryBoxPath
//---------------------------------------------------------------------------
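Review bot: `UniStr.MaximumLength = (USHORT)*inout_str_len;` silently truncates any caller length above 0xFFFF, and `inout_str_len` is dereferenced without a NULL check whenever `out_str` is set. The truncation under-reports the buffer, so the driver should fail rather than overrun, but the caller gets a misleading error for a buffer that is actually large enough. Rejecting the input up front is clearer: `if (out_str && (!inout_str_len || *inout_str_len > 0xFFFF)) return STATUS_INVALID_PARAMETER;`. The failure path also writes `*out_str = L'\0'` even when the caller declared a length of 0, so that store should be conditional on `*inout_str_len >= sizeof(WCHAR)`.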


@ -138,6 +138,13 @@ ULONG64 SbieApi_QueryProcessInfoEx(
ULONG info_type,
ULONG64 ext_data);
SBIEAPI_EXPORT
LONG SbieApi_QueryProcessInfoStr(
HANDLE ProcessId,
ULONG info_type,
WCHAR *out_str,
ULONG *inout_str_len);
SBIEAPI_EXPORT
LONG SbieApi_QueryBoxPath(
const WCHAR *box_name, // WCHAR [34]
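Review bot: The new `SbieApi_QueryProcessInfoStr` prototype does not document the unit of `inout_str_len` or that `out_str` may be NULL for a size query, although the other prototypes here annotate their buffers (`// WCHAR [34]`). For the one info class this commit implements, the driver writes back `file_raw_path_len`, which box.h describes as bytes including the terminator. I would add `WCHAR *out_str, // optional, NULL to query the required size` and `ULONG *inout_str_len); // in: buffer size in bytes, out: required size in bytes incl. NUL`, so callers do not size the buffer in characters.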


@ -113,6 +113,8 @@ _FX void Box_Free(BOX *box)
Mem_Free(box->expand_args, sizeof(CONF_EXPAND_ARGS));
if (box->file_path)
Mem_Free(box->file_path, box->file_path_len);
if (box->file_raw_path)
Mem_Free(box->file_raw_path, box->file_raw_path_len);
if (box->key_path)
Mem_Free(box->key_path, box->key_path_len);
if (box->ipc_path)
@ -526,6 +528,7 @@ _FX BOX *Box_Clone(POOL *pool, const BOX *model)
CLONE_MEMBER(sid);
CLONE_MEMBER(file_path);
CLONE_MEMBER(file_raw_path);
CLONE_MEMBER(key_path);
CLONE_MEMBER(ipc_path);
CLONE_MEMBER(pipe_path);


@ -68,6 +68,11 @@ struct _BOX {
WCHAR *file_path;
ULONG file_path_len; // in bytes, including NULL
// when the file_path was redirected by a reparse point, we keep the original
WCHAR *file_raw_path;
ULONG file_raw_path_len; // in bytes, including NULL
// 2. the registry entry point into the sandbox
// (but note that the Registry.dat file resides below file_path)
// default: HKEY_CURRENT_USER\Sandbox\BoxName


@ -533,6 +533,9 @@ _FX void File_AdjustBoxFilePath(PROCESS *proc, HANDLE handle)
path_len = (path_len + 1) * sizeof(WCHAR);
InterlockedExchangePointer(&box->file_raw_path, box->file_path);
InterlockedExchange(&box->file_raw_path_len, box->file_path_len);
InterlockedExchange(&box->file_path_len, 0);
InterlockedExchangePointer(&box->file_path, path);
InterlockedExchange(&box->file_path_len, path_len);
@ -1252,7 +1255,7 @@ _FX NTSTATUS File_Generic_MyParseProc(
}
}
} else if (Box_IsBoxedPath(proc->box, file, &Name->Name))
} else if (Box_IsBoxedPath(proc->box, file, &Name->Name) || (proc->box->file_raw_path && Box_IsBoxedPath(proc->box, file_raw, &Name->Name)))
IsBoxedPath = TRUE;
//
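Review bot: In File_AdjustBoxFilePath the value returned by `InterlockedExchangePointer(&box->file_raw_path, box->file_path)` is discarded, so if this function can run more than once for a box the earlier raw buffer leaks and `file_raw_path` ends up holding the first reparsed path instead of the original. Guarding the save with `if (!box->file_raw_path)` keeps the true original and avoids the leak. Ownership of the old `file_path` buffer now moves to `file_raw_path`, which Box_Free releases, so any code after this hunk that still frees the previous `file_path` would leave a dangling pointer; the rest of the function is outside the hunk and should be checked. The pointer is also published before its length, which matters for the unlocked reader added in Process_Api_QueryInfo.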


@ -357,9 +357,6 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
__try {
ULONG64 *data = args->info_data.val;
ProbeForWrite(data, sizeof(ULONG64), sizeof(ULONG64));
if (args->info_type.val == 0) {
ULONG64 flags = 0;
@ -410,18 +407,24 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
flags = SBIE_FLAG_HOST_INJECT_PROCESS;
}
*data = flags;
ProbeForWrite(args->info_data.val, sizeof(ULONG64), sizeof(ULONG64));
*args->info_data.val = flags;
} else if (args->info_type.val == 'pril') {
*data = proc->integrity_level;
ProbeForWrite(args->info_data.val, sizeof(ULONG64), sizeof(ULONG64));
*args->info_data.val = proc->integrity_level;
} else if (args->info_type.val == 'nt32') {
*data = proc->ntdll32_base;
ProbeForWrite(args->info_data.val, sizeof(ULONG64), sizeof(ULONG64));
*args->info_data.val = proc->ntdll32_base;
} else if (args->info_type.val == 'ptok') { // primary token
ULONG64 *data = args->info_data.val;
ProbeForWrite(data, sizeof(ULONG64), sizeof(ULONG64));
if(is_caller_sandboxed)
status = STATUS_ACCESS_DENIED;
else
@ -449,6 +452,9 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
} else if (args->info_type.val == 'itok' || args->info_type.val == 'ttok') { // impersonation token / test thread token
ULONG64 *data = args->info_data.val;
ProbeForWrite(data, sizeof(ULONG64), sizeof(ULONG64));
if(is_caller_sandboxed)
status = STATUS_ACCESS_DENIED;
else if(!proc->threads_lock)
@ -506,6 +512,9 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
} else if (args->info_type.val == 'ippt') { // is primary process token
ULONG64 *data = args->info_data.val;
ProbeForWrite(data, sizeof(ULONG64), sizeof(ULONG64));
HANDLE handle = (HANDLE)(args->ext_data.val);
OBJECT_TYPE* object;
@ -524,11 +533,34 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
proc->detected_image_type = (ULONG)(args->ext_data.val);
*data = 0;
} else if (args->info_type.val == 'gpit') { // get process image type
*data = proc->detected_image_type;
ProbeForWrite(args->info_data.val, sizeof(ULONG64), sizeof(ULONG64));
*args->info_data.val = proc->detected_image_type;
} else if (args->info_type.val == 'root') {
//
// When querygin a sandboxed process API_QUERY_PROCESS_PATH return the reparsed file root path
// this info class is used to retrive the raw i.e. not reparsed file root path
//
// Note: API_QUERY_BOX_PATH when invoked by a sandboxed process also returns its reparsed file root path
//
if(!proc->box->file_raw_path)
status = STATUS_VARIABLE_NOT_FOUND;
else
{
ULONG* file_path_len = (ULONG*)args->info_data.val64;
UNICODE_STRING64 *file_path = (UNICODE_STRING64*)args->ext_data.val64;
if (file_path_len) {
ProbeForWrite(file_path_len, sizeof(ULONG), sizeof(ULONG));
*file_path_len = proc->box->file_raw_path_len;
}
Api_CopyStringToUser(file_path, proc->box->file_raw_path, proc->box->file_raw_path_len);
}
} else
status = STATUS_INVALID_INFO_CLASS;
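Review bot: In the new `'root'` branch, `proc->box->file_raw_path` and `proc->box->file_raw_path_len` are read as separate, unlocked loads, while File_AdjustBoxFilePath in this commit publishes them with two separate interlocked exchanges, pointer first. A query landing between the two can see the new pointer with the previous length (presumably 0; the initialisation is not visible) and report that size to the caller. Snapshot both fields into locals and treat a zero length as not set, e.g. `if (!raw_path || !raw_len) status = STATUS_VARIABLE_NOT_FOUND;`, or publish the length before the pointer on the writer side. The size query issued from File_Init passes a NULL descriptor through to `Api_CopyStringToUser`; whether that helper accepts NULL is not visible in this diff, so a one-line comment stating it would help the next reader.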