From 65c68b9fb6137d04cb7fd402cd23137393a1d0aa Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Fri, 31 May 2024 11:35:09 +0200
Subject: [PATCH] fix

---
 Sandboxie/core/drv/ipc.c | 69 +++++++++++++++++++++++++++++++++---
 Sandboxie/core/drv/process.c | 24 +++++++++++++
 Sandboxie/core/drv/process.h | 1 +
 3 files changed, 90 insertions(+), 4 deletions(-)

diff --git a/Sandboxie/core/drv/ipc.c b/Sandboxie/core/drv/ipc.c
index fe7c2e50..e127fc52 100644
--- a/Sandboxie/core/drv/ipc.c
+++ b/Sandboxie/core/drv/ipc.c
@@ -78,6 +78,12 @@ static NTSTATUS Ipc_Api_QuerySymbolicLink(PROCESS *proc, ULONG64 *parms);
 //---------------------------------------------------------------------------
+
+NTSTATUS Thread_GetKernelHandleForUserHandle(
+ HANDLE *OutKernelHandle, HANDLE InUserHandle);
+
+//---------------------------------------------------------------------------
+
 #ifdef ALLOC_PRAGMA
 #pragma alloc_text (INIT, Ipc_Init)
 #pragma alloc_text (INIT, Ipc_Init_Type)
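Review bot: The prototype for Thread_GetKernelHandleForUserHandle is hand-copied into ipc.c rather than taken from the header that declares the function (presumably thread.h, which is not visible here), so a later change to its signature in thread.c would not be noticed at this call site until link or run time. Move the declaration into the shared thread header and include it, or at minimum mark the copy: `// defined in thread.c; keep in sync with its prototype there`.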
@@ -1421,10 +1427,65 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
 if (NT_SUCCESS(status)) {
- status = NtDuplicateObject(
- SourceProcessHandle, SourceHandle,
- TargetProcessHandle, TargetHandle,
- DesiredAccess, HandleAttributes, Options);
+ PROCESS* proc1 = NULL;
+ if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle))
+ proc1 = Process_Find_ByHandle(SourceProcessHandle, NULL);
+ else
+ proc1 = proc;
+
+ PROCESS* proc2 = NULL;
+ if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle))
+ proc2 = Process_Find_ByHandle(TargetProcessHandle, NULL);
+ else
+ proc2 = proc;
+
+ if (proc1 != proc2 && (proc1 == NULL || proc2 == NULL || !Process_IsSameBox(proc1, proc2, 0))) {
+
+ status = NtDuplicateObject(
+ SourceProcessHandle, SourceHandle,
+ TargetProcessHandle, TargetHandle,
+ DesiredAccess, HandleAttributes, Options);
+
+ } else {
+
+ HANDLE SourceProcessKernelHandle;
+ if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle))
+ status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle);
+ else
+ SourceProcessKernelHandle = ZwCurrentProcess();
+ if (NT_SUCCESS(status)) {
+ HANDLE TargetProcessKernelHandle;
+ if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle))
+ status = Thread_GetKernelHandleForUserHandle(&TargetProcessKernelHandle, TargetProcessHandle);
+ else
+ TargetProcessKernelHandle = ZwCurrentProcess();
+ if (NT_SUCCESS(status)) {
+
+ HANDLE SourceKernelHandle;
+ status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);
+ if (NT_SUCCESS(status)) {
+
+ status = ZwDuplicateObject(
+ SourceProcessKernelHandle, SourceKernelHandle,
+ TargetProcessKernelHandle, &DuplicatedHandle,
+ DesiredAccess, HandleAttributes, Options & ~DUPLICATE_CLOSE_SOURCE);
+
+ if (Options & DUPLICATE_CLOSE_SOURCE)
+ NtClose(SourceHandle);
+
+ *TargetHandle = DuplicatedHandle;
+
+ ZwClose(SourceKernelHandle);
+ }
+
+ if (!IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle))
+ ZwClose(TargetProcessKernelHandle);
+ }
+
+ if (!IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle))
+ ZwClose(SourceProcessKernelHandle);
+ }
+ }
 }
 //
diff --git a/Sandboxie/core/drv/process.c b/Sandboxie/core/drv/process.c
index 4e23e07a..c036fd88 100644
--- a/Sandboxie/core/drv/process.c
+++ b/Sandboxie/core/drv/process.c
@@ -554,6 +554,30 @@ _FX PROCESS *Process_FindSandboxed(HANDLE ProcessId, KIRQL *out_irql)
 }
+//---------------------------------------------------------------------------
+// Process_Find_ByHandle
+//---------------------------------------------------------------------------
+
+
+_FX PROCESS *Process_Find_ByHandle(HANDLE Handle, KIRQL *out_irql)
+{
+ NTSTATUS Status;
+ PEPROCESS ProcessObject = NULL;
+ PROCESS* Process = NULL;
+
+ Status = ObReferenceObjectByHandle(Handle, PROCESS_QUERY_INFORMATION, *PsProcessType, UserMode, (PVOID*)&ProcessObject, NULL);
+ if (NT_SUCCESS(Status)) {
+
+ Process = Process_Find(PsGetProcessId(ProcessObject), out_irql);
+
+ // Dereference the process object
+ ObDereferenceObject(ProcessObject);
+ }
+
+ return Process;
+}
+
+
 //---------------------------------------------------------------------------
 // Process_CreateTerminated
 //---------------------------------------------------------------------------
diff --git a/Sandboxie/core/drv/process.h b/Sandboxie/core/drv/process.h
index d819dede..95058675 100644
--- a/Sandboxie/core/drv/process.h
+++ b/Sandboxie/core/drv/process.h
@@ -239,6 +239,7 @@ PROCESS *Process_Find(HANDLE ProcessId, KIRQL *out_irql);
 PROCESS *Process_FindSandboxed(HANDLE ProcessId, KIRQL *out_irql);
+PROCESS *Process_Find_ByHandle(HANDLE Handle, KIRQL *out_irql);
 // Start supervising a new process
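Review bot: In the new same-box branch, `Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle)` is called with a handle that belongs to SourceProcessHandle's process, yet the branch is also taken when that process is another same-box process rather than the caller; if the helper resolves InUserHandle in the calling process's table, as its name suggests (its body is not visible here), the kernel handle then refers to whatever object the caller holds at that value, and the `NtClose(SourceHandle)` issued for DUPLICATE_CLOSE_SOURCE likewise closes the caller's handle instead of the source process's. Until the helper can resolve handles in a foreign process, the kernel path should be taken only when `IS_ARG_CURRENT_PROCESS(SourceProcessHandle)` holds, leaving every other case to the existing NtDuplicateObject call. Separately, the close and the write to *TargetHandle are performed even when ZwDuplicateObject failed, which discards the caller's source handle and publishes a possibly unset DuplicatedHandle; guard both with `if (NT_SUCCESS(status)) { if (Options & DUPLICATE_CLOSE_SOURCE) NtClose(SourceHandle); *TargetHandle = DuplicatedHandle; }`. Note also that ZwDuplicateObject runs with kernel previous mode, so the caller-supplied DesiredAccess and HandleAttributes (including OBJ_KERNEL_HANDLE) are honoured without the access check NtDuplicateObject applied to the same arguments; if they are clamped earlier in Ipc_Api_DuplicateObject that is outside this hunk, otherwise mask OBJ_KERNEL_HANDLE and bound DesiredAccess to the source handle's granted access here. The enclosing function begins before the hunk, so whether TargetHandle was probed for write and how DuplicatedHandle is initialised cannot be confirmed from this view.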
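Review bot: Process_Find_ByHandle demands PROCESS_QUERY_INFORMATION on the caller's handle, but the only use of the referenced object is `PsGetProcessId`, for which PROCESS_QUERY_LIMITED_INFORMATION is enough; a caller holding a limited-access handle to a same-box process therefore gets NULL back and Ipc_Api_DuplicateObject silently takes its other branch. Change the reference to `Status = ObReferenceObjectByHandle(Handle, PROCESS_QUERY_LIMITED_INFORMATION, *PsProcessType, UserMode, (PVOID*)&ProcessObject, NULL);`. The function also lacks a header comment; I would add one stating that it returns NULL when the handle is not a process handle granting the required access or the process is not tracked, that the handle is validated as a user-mode handle, and that the out_irql contract is inherited from Process_Find (both call sites in this patch pass NULL, in which case the returned pointer is presumably not protected by the process-list lock — confirm against Process_Find).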
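Review bot: The new prototype takes a process HANDLE while its neighbours take a HANDLE ProcessId, and with no comment a reader of the header cannot tell the two apart since the parameter types are identical; the header does annotate declarations (`// Start supervising a new process` follows). Add `// Look up the tracked PROCESS for a process handle; NULL if not found or not accessible` above the declaration.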