DavidXanatos 2022-04-06 21:27:21 +02:00
parent 64054bb4f4
commit 7706ffee6e
16 changed files with 167 additions and 117 deletions


@ -8,6 +8,17 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [1.0.18 / 5.55.18] - 2022-04-??
### Changed
- Failed memory read attempts to unboxed processes will by default no longer cause message 2111
-- Note: the message can be enabled in the settings if desired "NotifyProcessAccessDenied=y"
###
- fixed pipe impersonation in comaprtment mode
- fixed issue with box clean up introduced in a recent build
## [1.0.17 / 5.55.17] - 2022-04-02
@ -1772,3 +1783,4 @@ Fixed issue with Windows 7
### Fixed
- fixed "Windows Installer Service could not be accessed" that got introduced with Windows 1903


@ -21,8 +21,8 @@
#ifndef _MY_VERSION_H
#define _MY_VERSION_H
#define MY_VERSION_BINARY 5,55,17
#define MY_VERSION_STRING "5.55.17"
#define MY_VERSION_BINARY 5,55,18
#define MY_VERSION_STRING "5.55.18"
#define MY_VERSION_COMPAT "5.55.0" // this refers to the driver ABI compatibility
// These #defines are used by either Resource Compiler or NSIS installer


@ -345,9 +345,20 @@ void Dll_FreeCode128(void *ptr);
THREAD_DATA *Dll_GetTlsData(ULONG *pLastError);
void Dll_FreeTlsData(void);
//#define NAME_BUFFER_DEBUG
#ifdef NAME_BUFFER_DEBUG
WCHAR *Dll_GetTlsNameBuffer_(THREAD_DATA *data, ULONG which, ULONG size, char* func);
void Dll_PushTlsNameBuffer_(THREAD_DATA *data, char* func);
void Dll_PopTlsNameBuffer_(THREAD_DATA *data, char* func);
#define Dll_GetTlsNameBuffer(x,y,z) Dll_GetTlsNameBuffer_(x, y, z, __FUNCTION__)
#define Dll_PushTlsNameBuffer(x) Dll_PushTlsNameBuffer_(x, __FUNCTION__)
#define Dll_PopTlsNameBuffer(x) Dll_PopTlsNameBuffer_(x, __FUNCTION__)
#else
WCHAR *Dll_GetTlsNameBuffer(THREAD_DATA *data, ULONG which, ULONG size);
void Dll_PushTlsNameBuffer(THREAD_DATA *data);
void Dll_PopTlsNameBuffer(THREAD_DATA *data);
#endif
//---------------------------------------------------------------------------
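Review bot: The debug prototypes take the caller name as `char* func`, but the three wrapper macros always pass `__FUNCTION__`, which the callee only reads; declare it `const char* func` in `Dll_GetTlsNameBuffer_`, `Dll_PushTlsNameBuffer_` and `Dll_PopTlsNameBuffer_`. The same parameter appears in the definitions of the Push and Pop functions later in this commit and should change together with the prototypes. A one-line comment above `//#define NAME_BUFFER_DEBUG`, for example `// define to trace every name-buffer push/pop together with the calling function`, would tell the next reader what the switch is for.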


@ -372,8 +372,16 @@ ALIGNED WCHAR *Dll_GetTlsNameBuffer(
//---------------------------------------------------------------------------
#ifdef NAME_BUFFER_DEBUG
ALIGNED void Dll_PushTlsNameBuffer_(THREAD_DATA *data, char* func)
#else
ALIGNED void Dll_PushTlsNameBuffer(THREAD_DATA *data)
#endif
{
#ifdef NAME_BUFFER_DEBUG
DbgTrace("Dll_PushTlsNameBuffer, %s, %d\r\n", func, data->depth);
#endif
++data->depth;
if (data->depth > NAME_BUFFER_DEPTH - 4)
SbieApi_Log(2310, L"%d", data->depth);
@ -388,8 +396,16 @@ ALIGNED void Dll_PushTlsNameBuffer(THREAD_DATA *data)
//---------------------------------------------------------------------------
#ifdef NAME_BUFFER_DEBUG
_FX void Dll_PopTlsNameBuffer_(THREAD_DATA *data, char* func)
#else
_FX void Dll_PopTlsNameBuffer(THREAD_DATA *data)
#endif
{
#ifdef NAME_BUFFER_DEBUG
DbgTrace("Dll_PopTlsNameBuffer, %s, %d\r\n", func, data->depth-1);
#endif
//
// debug checks: the name buffer is allocated at least 64 bytes
// more than needed. fill these with 0xCC, andd check that later
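Review bot: With `NAME_BUFFER_DEBUG` defined, `Dll_GetTlsNameBuffer` becomes a three-argument function-like macro, yet neither hunk here renames that function's definition the way `Dll_PushTlsNameBuffer_` and `Dll_PopTlsNameBuffer_` are renamed. If the definition above the first hunk is still spelled `Dll_GetTlsNameBuffer(`, the macro would expand inside it and the debug build would presumably fail to compile; it needs the same `#ifdef`/`#else` signature pair. That definition is outside the visible hunks, so confirm against the full file. Separately, the Push trace prints `data->depth` before the increment and the Pop trace prints `data->depth-1`, and a short comment saying the two are meant to print the same level for a matched pair would help whoever reads the trace.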


@ -1164,7 +1164,7 @@ _FX NTSTATUS File_NtFsControlFile(
InputBuffer, InputBufferLength);
SetLastError(LastError);
} else if (IoControlCode == FSCTL_PIPE_IMPERSONATE) {
} else if (IoControlCode == FSCTL_PIPE_IMPERSONATE && !Dll_CompartmentMode) {
SbieApi_Log(2205, L"ImpersonateNamedPipe");
if (Proc_ImpersonateSelf(TRUE))
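Review bot: The new `!Dll_CompartmentMode` term on the `FSCTL_PIPE_IMPERSONATE` branch has no comment explaining why compartment mode skips the `Proc_ImpersonateSelf` substitution. In that mode the request now falls through to whatever branch follows, which is outside this hunk, and the `SbieApi_Log(2205, ...)` call is skipped as well. Because this condition decides which token the thread ends up impersonating, the reasoning belongs next to it, for example `// compartment mode: pass FSCTL_PIPE_IMPERSONATE through instead of substituting Proc_ImpersonateSelf — TODO confirm rationale`. The body of `File_NtFsControlFile` starts and ends outside the hunk.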


@ -157,7 +157,7 @@ ALIGNED BOOLEAN Hook_Analyze(
if (! addr) {
addr = address;
#ifdef KERNEL_MODE
RtlStringCbPrintfW(text, 64,
RtlStringCbPrintfW(text, sizeof(text),
#else
Sbie_snwprintf(text, 64,
#endif
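Review bot: Only the `KERNEL_MODE` call was moved to `sizeof(text)`; the user-mode `Sbie_snwprintf(text, 64,` call in the `#else` branch still hard-codes the size. Other callers in this commit pass an element count (`WCHAR text[130]` with `Sbie_snwprintf(text, 130, ...)`), so the literal should probably become `sizeof(text) / sizeof(WCHAR)` to stay tied to the declaration. The declaration of `text` is outside the hunk, so check that 64 really is its length in WCHARs and that the kernel branch was the only one truncating.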


@ -154,7 +154,6 @@ static const WCHAR *Ldr_InjectDll = LDR_INJECT_SETTING_NAME;
static const WCHAR *Ldr_HostInjectDll = LDR_HOST_INJECT_SETTING_NAME;
static ULONG_PTR Ldr_ImageBase = 0;
static ULONG_PTR Ldr_ImportDescriptor = 0;
BOOLEAN Ldr_BoxedImage = FALSE;


@ -825,7 +825,7 @@ _FX BOOL SbieDll_StartBoxedService(const WCHAR *ServiceName, BOOLEAN WithAdd)
WCHAR text[130];
Sbie_snwprintf(text, 130, L"StartBoxedService; name: '%s'", ServiceName);
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
//
// when invoked from SandboxieRpcSs to handle StartProcess,
@ -1096,7 +1096,7 @@ _FX BOOL Scm_StartServiceW(
WCHAR text[130];
Sbie_snwprintf(text, 130, L"StartService: %s", ServiceName);
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
if (Scm_IsBoxedService(ServiceName))
return SbieDll_StartBoxedService(ServiceName, FALSE);
@ -1146,13 +1146,13 @@ _FX ULONG Scm_ServiceMainThread(ULONG_PTR *args)
{
WCHAR text[130];
Sbie_snwprintf(text, 130, L"ServiceMainThread; begin");
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
typedef void (*P_Main)(ULONG argc, void **argv);
((P_Main)args[0])(1, (void **)&args[1]);
Sbie_snwprintf(text, 130, L"ServiceMainThread; end");
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
//
// if this is the MSI Server, then wait for all our callers to end
@ -1244,7 +1244,7 @@ _FX BOOL Scm_StartServiceCtrlDispatcherX(
WCHAR text[130];
Sbie_snwprintf(text, 130, L"StartServiceCtrlDispatcher; name: '%s'", ServiceName);
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
//
// open the key for the service
@ -1362,7 +1362,7 @@ _FX BOOL Scm_StartServiceCtrlDispatcherX(
//
Sbie_snwprintf(text, 130, L"StartServiceCtrlDispatcher; result: %s", Scm_Started ? L"sucess" : L"failure");
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
if (! Scm_Started) {
SbieApi_Log(2211, ServiceName);
@ -1499,7 +1499,7 @@ _FX BOOL Scm_SetServiceStatus_Internal(
WCHAR text[130];
Sbie_snwprintf(text, 130, L"SetServiceStatus; status: <%08X>", lpServiceStatus->dwCurrentState);
SbieApi_MonitorPut(MONITOR_SCM, text);
SbieApi_MonitorPutMsg(MONITOR_SCM, text);
#define MySetValueKey() \
NtSetValueKey(ServiceKeyHandle, &uni, \


@ -724,6 +724,9 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
proc->ipc_warn_startrun = Conf_Get_Boolean(
proc->box->name, L"NotifyStartRunAccessDenied", 0, TRUE);
proc->ipc_warn_open_proc = Conf_Get_Boolean(
proc->box->name, L"NotifyProcessAccessDenied", 0, FALSE);
//
// block password
//


@ -192,6 +192,7 @@ struct _PROCESS {
ULONG ipc_trace;
BOOLEAN disable_object_flt;
BOOLEAN ipc_warn_startrun;
BOOLEAN ipc_warn_open_proc;
BOOLEAN ipc_block_password;
BOOLEAN ipc_open_lsa_endpoint;
BOOLEAN ipc_open_sam_endpoint;


@ -1115,7 +1115,7 @@ finish:
Session_MonitorPut(mon_type, nptr, proc->pid);
}
if (ExplicitAccess && (status != STATUS_SUCCESS) && (status != STATUS_BAD_INITIAL_PC)) {
if (ExplicitAccess && proc->ipc_warn_open_proc && (status != STATUS_SUCCESS) && (status != STATUS_BAD_INITIAL_PC)) {
WCHAR msg[256];
RtlStringCbPrintfW(msg, sizeof(msg), L"%s (%08X) access=%08X initialized=%d", EntireProcess ? L"OpenProcess" : L"OpenThread", status, GrantedAccess, proc->initialized);
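Review bot: The new `proc->ipc_warn_open_proc` term gates the message for every failed explicit `OpenProcess`/`OpenThread`, whatever `GrantedAccess` was requested, while the changelog entry describes only failed memory read attempts. With the setting defaulting to FALSE in `Ipc_InitPaths`, a sandboxed process that is denied a handle to an unboxed process no longer raises a user-visible message unless `NotifyProcessAccessDenied=y` is set. A comment on the condition should say this and point to where the denial is still recorded, for example `// message is opt-in (NotifyProcessAccessDenied); denials should still reach the monitor trace above — TODO confirm`. How `ExplicitAccess` is computed, and under what condition `Session_MonitorPut` runs, is outside the hunk.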


@ -135,10 +135,7 @@ SB_STATUS CSandBox::RunSandboxed(const QString& Command)
SB_STATUS CSandBox::TerminateAll()
{
SB_STATUS Status = m_pAPI->TerminateAll(m_Name);
if(!Status.IsError())
m_ActiveProcessCount = 0;
return Status;
return m_pAPI->TerminateAll(m_Name);
}
bool CSandBox::IsEmpty() const
@ -365,7 +362,7 @@ SB_PROGRESS CSandBox::TakeSnapshot(const QString& Name)
QSettings ini(m_FilePath + "\\Snapshots.ini", QSettings::IniFormat);
if (m_pAPI->HasProcesses(m_Name))
return SB_ERR(SB_SnapIsRunning, OP_CONFIRM);
return SB_ERR(SB_SnapIsRunning);
if (!IsInitialized())
return SB_ERR(SB_SnapIsEmpty);
@ -419,7 +416,7 @@ SB_PROGRESS CSandBox::RemoveSnapshot(const QString& ID)
return SB_ERR(SB_SnapNotFound);
if (m_pAPI->HasProcesses(m_Name))
return SB_ERR(SB_SnapIsRunning, OP_CONFIRM);
return SB_ERR(SB_SnapIsRunning);
QStringList ChildIDs;
foreach(const QString& Snapshot, ini.childGroups())
@ -595,7 +592,7 @@ SB_PROGRESS CSandBox::SelectSnapshot(const QString& ID)
return SB_ERR(SB_SnapNotFound);
if (m_pAPI->HasProcesses(m_Name))
return SB_ERR(SB_SnapIsRunning, OP_CONFIRM);
return SB_ERR(SB_SnapIsRunning);
foreach(const SBoxDataFile& BoxDataFile, CSandBox__BoxDataFiles)
{
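Review bot: `CSandBox::TerminateAll()` no longer clears `m_ActiveProcessCount` after a successful call, so the count keeps its old value until something refreshes the process list. This commit adds `theAPI->UpdateProcesses(...)` after `pBox->TerminateAll()` in `CSandMan::DeleteBoxContent`, but other callers of `TerminateAll()` are not visible on this page and may need the same refresh before they read the count. The three snapshot functions also drop `OP_CONFIRM` from `SB_ERR(SB_SnapIsRunning, OP_CONFIRM)`; what callers did with that flag is not shown, so confirm that taking, removing or selecting a snapshot on a running box still fails cleanly rather than proceeding.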


@ -571,39 +571,10 @@
<layout class="QGridLayout" name="gridLayout_37">
<item row="0" column="0">
<layout class="QGridLayout" name="gridLayout_36">
<item row="3" column="1">
<widget class="QLabel" name="label_39">
<property name="minimumSize">
<size>
<width>20</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>20</width>
<height>16777215</height>
</size>
</property>
<item row="10" column="1" colspan="2">
<widget class="QCheckBox" name="chkCloseClipBoard">
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="label_34">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text">
<string>Network restrictions</string>
<string>Block read access to the clipboard</string>
</property>
</widget>
</item>
@ -614,6 +585,19 @@
</property>
</widget>
</item>
<item row="13" column="2">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="7" column="0" colspan="2">
<widget class="QLabel" name="label_18">
<property name="font">
@ -631,67 +615,6 @@
</property>
</widget>
</item>
<item row="9" column="2">
<widget class="QCheckBox" name="chkOpenCredentials">
<property name="text">
<string>Open Windows Credentials Store (user mode)</string>
</property>
</widget>
</item>
<item row="5" column="2">
<widget class="QCheckBox" name="chkOpenSpooler">
<property name="text">
<string>Remove spooler restriction, printers can be installed outside the sandbox</string>
</property>
</widget>
</item>
<item row="8" column="1" colspan="2">
<widget class="QCheckBox" name="chkOpenProtectedStorage">
<property name="text">
<string>Open System Protected Storage</string>
</property>
</widget>
</item>
<item row="12" column="2">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockNetParam">
<property name="text">
<string>Prevent change to network and firewall parameters (user mode)</string>
</property>
</widget>
</item>
<item row="12" column="0">
<spacer name="verticalSpacer_12">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="1" colspan="2">
<widget class="QCheckBox" name="chkCloseClipBoard">
<property name="text">
<string>Block read access to the clipboard</string>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLabel" name="label_31">
<property name="font">
@ -722,6 +645,39 @@
</property>
</widget>
</item>
<item row="11" column="1" colspan="2">
<widget class="QCheckBox" name="chkVmRead">
<property name="text">
<string>Allow to read memory of unsandboxed processes (not recommended)</string>
</property>
</widget>
</item>
<item row="3" column="1">
<widget class="QLabel" name="label_39">
<property name="minimumSize">
<size>
<width>20</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>20</width>
<height>16777215</height>
</size>
</property>
<property name="text">
<string/>
</property>
</widget>
</item>
<item row="2" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockNetParam">
<property name="text">
<string>Prevent change to network and firewall parameters (user mode)</string>
</property>
</widget>
</item>
<item row="1" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockNetShare">
<property name="text">
@ -729,10 +685,61 @@
</property>
</widget>
</item>
<item row="11" column="1" colspan="2">
<widget class="QCheckBox" name="chkVmRead">
<item row="9" column="2">
<widget class="QCheckBox" name="chkOpenCredentials">
<property name="text">
<string>Allow to read memory of unsandboxed processes (not recommended)</string>
<string>Open Windows Credentials Store (user mode)</string>
</property>
</widget>
</item>
<item row="5" column="2">
<widget class="QCheckBox" name="chkOpenSpooler">
<property name="text">
<string>Remove spooler restriction, printers can be installed outside the sandbox</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="label_34">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text">
<string>Network restrictions</string>
</property>
</widget>
</item>
<item row="13" column="0">
<spacer name="verticalSpacer_12">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="8" column="1" colspan="2">
<widget class="QCheckBox" name="chkOpenProtectedStorage">
<property name="text">
<string>Open System Protected Storage</string>
</property>
</widget>
</item>
<item row="12" column="2">
<widget class="QCheckBox" name="chkVmReadNotify">
<property name="text">
<string>Issue message 2111 when a process access is denided</string>
</property>
</widget>
</item>
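Review bot: The label of the new `chkVmReadNotify` checkbox has a typo, `denided`; it should read `<string>Issue message 2111 when a process access is denied</string>`. The text is user-facing and, as is usual for Qt `.ui` strings, likely serves as the source string for translations, so it is cheapest to fix before it is picked up elsewhere.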


@ -958,6 +958,7 @@ SB_STATUS CSandMan::DeleteBoxContent(const CSandBoxPtr& pBox, EDelMode Mode, boo
if (Mode != eAuto) {
Ret = pBox->TerminateAll();
theAPI->UpdateProcesses(m_pKeepTerminated->isChecked(), m_pShowAllSessions->isChecked());
if (Ret.IsError())
goto finish;
}


@ -72,6 +72,7 @@ void COptionsWindow::CreateGeneral()
connect(ui.chkOpenProtectedStorage, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
connect(ui.chkCloseClipBoard, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
connect(ui.chkVmRead, SIGNAL(clicked(bool)), this, SLOT(OnVmRead()));
connect(ui.chkVmReadNotify, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
//connect(ui.chkOpenSmartCard, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
//connect(ui.chkOpenBluetooth, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
@ -124,6 +125,7 @@ void COptionsWindow::LoadGeneral()
ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false));
ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false));
ui.chkCloseClipBoard->setChecked(!m_pBox->GetBool("OpenClipboard", true));
ui.chkVmReadNotify->setChecked(m_pBox->GetBool("NotifyProcessAccessDenied", false));
//ui.chkOpenSmartCard->setChecked(m_pBox->GetBool("OpenSmartCard", true));
//ui.chkOpenBluetooth->setChecked(m_pBox->GetBool("OpenBluetooth", false));
@ -180,6 +182,7 @@ void COptionsWindow::SaveGeneral()
if (ui.chkOpenCredentials->isEnabled())
WriteAdvancedCheck(ui.chkOpenCredentials, "OpenCredentials", "y", "");
WriteAdvancedCheck(ui.chkCloseClipBoard, "OpenClipboard", "n", "");
WriteAdvancedCheck(ui.chkVmReadNotify, "NotifyProcessAccessDenied", "y", "");
//WriteAdvancedCheck(ui.chkOpenSmartCard, "OpenSmartCard", "", "n");
//WriteAdvancedCheck(ui.chkOpenBluetooth, "OpenBluetooth", "y", "");


@ -2,7 +2,7 @@
#define VERSION_MJR 1
#define VERSION_MIN 0
#define VERSION_REV 17
#define VERSION_REV 18
#define VERSION_UPD 0
#ifndef STR