From 731a5796bfa3f6d07aff6a2c431ebcf8301c4496 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Thu, 21 Dec 2023 14:26:33 +0100 Subject: [PATCH] 1.12.6 --- CHANGELOG.md | 1 + Sandboxie/core/drv/file_flt.c | 6 +++++- Sandboxie/core/drv/thread.c | 4 +++- Sandboxie/core/drv/util.c | 30 ++++++++++++++++++++++++++++++ Sandboxie/core/drv/util.h | 2 ++ 5 files changed, 41 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1454c87b..ab0e521d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). todo: improve behaviorue of toolbar customization menu ### Fixed +- fixed Sandboxie-Plus 1.12.4 + failed to start start.exe in confidential box [#3514](https://github.com/sandboxie-plus/Sandboxie/issues/3514) - fixed fix for [#3475](https://github.com/sandboxie-plus/Sandboxie/issues/3475) not working without FileRootPath being explicitly set - fixed "The directory name is invalid" when starting a process in a encrypted private box [#3475](https://github.com/sandboxie-plus/Sandboxie/issues/3475) diff --git a/Sandboxie/core/drv/file_flt.c b/Sandboxie/core/drv/file_flt.c index 86c3a016..6f9026dd 100644 --- a/Sandboxie/core/drv/file_flt.c +++ b/Sandboxie/core/drv/file_flt.c @@ -505,7 +505,11 @@ check: //DbgPrint("IRP_MJ_CREATE: %S\n", root->file_root); - if (Util_IsProtectedProcess(PsGetCurrentProcessId())) + // + // csrss.exe needs acces to binaries of starting up processes, + // + + if (Util_IsCsrssProcess(PsGetCurrentProcessId())) break; status = STATUS_ACCESS_DENIED; diff --git a/Sandboxie/core/drv/thread.c b/Sandboxie/core/drv/thread.c index 0fd69ad3..3c5aa87c 100644 --- a/Sandboxie/core/drv/thread.c +++ b/Sandboxie/core/drv/thread.c 
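Review bot: The new condition replaces the `Util_IsProtectedProcess` exemption instead of adding to it, so a protected process that previously passed this point is now denied with STATUS_ACCESS_DENIED; the thread.c hunk in the same commit keeps both checks side by side, so if the narrowing is not intended the line should read `if (Util_IsCsrssProcess(PsGetCurrentProcessId()) || Util_IsProtectedProcess(PsGetCurrentProcessId()))`. The added comment also has a typo and a stray trailing comma; suggest `// csrss.exe needs access to the binaries of starting-up processes`. The enclosing function starts and ends outside the hunk.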
@@ -1202,7 +1202,9 @@ _FX ACCESS_MASK Thread_CheckObject_CommonEx( // if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) { - if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || Util_IsProtectedProcess(cur_pid) + if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) + || Util_IsCsrssProcess(cur_pid) + || Util_IsProtectedProcess(cur_pid) || (_wcsicmp(nptr, L"conhost.exe") == 0) || (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0)) protect_process = FALSE; diff --git a/Sandboxie/core/drv/util.c b/Sandboxie/core/drv/util.c index 14091c1c..c5482dc8 100644 --- a/Sandboxie/core/drv/util.c +++ b/Sandboxie/core/drv/util.c @@ -446,6 +446,36 @@ retry: } +//--------------------------------------------------------------------------- +// Util_IsCsrssProcess +//--------------------------------------------------------------------------- + +NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(_In_ PEPROCESS Process); + +_FX BOOLEAN Util_IsCsrssProcess(HANDLE pid) +{ + PEPROCESS ProcessObject; + NTSTATUS status; + PCHAR ImageFileName; + BOOLEAN ret = FALSE; + + if (!MyIsProcessRunningAsSystemAccount(pid)) + return FALSE; + + status = PsLookupProcessByProcessId(pid, &ProcessObject); + if (NT_SUCCESS(status)) { + + ImageFileName = PsGetProcessImageFileName(ProcessObject); + + ret = (_stricmp(ImageFileName, "csrss.exe") == 0); + + ObDereferenceObject(ProcessObject); + } + + return ret; +} + + //--------------------------------------------------------------------------- // Util_IsProtectedProcess //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/drv/util.h b/Sandboxie/core/drv/util.h index af67a579..63675077 100644 --- a/Sandboxie/core/drv/util.h +++ b/Sandboxie/core/drv/util.h @@ -109,6 +109,8 @@ NTSTATUS MyValidateCertificate(void); HANDLE Util_GetProcessPidByName(const WCHAR* name); +BOOLEAN Util_IsCsrssProcess(HANDLE pid); + BOOLEAN Util_IsProtectedProcess(HANDLE pid); LARGE_INTEGER Util_GetTimestamp(void);
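Review bot: `Util_IsCsrssProcess(cur_pid)` is placed ahead of the cheap `_wcsicmp` comparisons on `nptr` that follow it, yet from its definition in this commit it does a system-account check and a `PsLookupProcessByProcessId` reference/dereference on every call; since this condition is evaluated on each thread-object access check, consider keeping the string compares first and moving the two `Util_*` lookups after the `sandman.exe` term. If `nptr` is the image name of `cur_pid`, as the existing comparisons suggest, a plain `_wcsicmp(nptr, L"csrss.exe") == 0` term combined with the account check would avoid the second lookup entirely, but that equivalence cannot be confirmed from the hunk. Thread_CheckObject_CommonEx starts and ends outside the hunk.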
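Review bot: The exemption this function grants rests solely on an image-name match plus the system-account check, and `PsGetProcessImageFileName` returns the short name recorded in the process object at creation rather than a verified path, so any SYSTEM-account process whose executable is named csrss.exe satisfies it; because the callers in file_flt.c and thread.c use the result to relax access checks, consider also requiring a stronger identity where one is available (for example the property `Util_IsProtectedProcess` already tests, or the full image path). The function has no header comment; suggest `// Returns TRUE when pid is a SYSTEM-account process whose image name is csrss.exe; FALSE if the process lookup fails.` above `_FX BOOLEAN Util_IsCsrssProcess(HANDLE pid)`. The mid-file prototype for `PsGetProcessImageFileName`, which the local declaration suggests is exported but not covered by the headers the driver includes, would read better next to the other kernel prototypes with a one-line comment saying why it is declared here.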
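Review bot: The new prototype carries no comment describing what the check is based on, which matters because the callers in file_flt.c and thread.c use it to relax access decisions; suggest `// TRUE for a SYSTEM-account process whose image name is csrss.exe (name-based, see util.c)` above `BOOLEAN Util_IsCsrssProcess(HANDLE pid);`. That makes the name-based nature of the test visible at the API boundary rather than only in the definition.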