1.0.6
This commit is contained in:
parent
a51e663453
commit
79f99e126a
|
@ -20,7 +20,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|||
- fixed box initialization issue in Privacy mode [#1469](https://github.com/sandboxie-plus/Sandboxie/issues/1469)
|
||||
- fixed issue with shortcuts creation introduced in a recent build [#1471](https://github.com/sandboxie-plus/Sandboxie/issues/1471)
|
||||
- fixed various issues in Privacy Enhanced boxes and rule specificity
|
||||
- fixed issue with SeAccessCheckByType
|
||||
- fixed issue with SeAccessCheckByType and alike
|
||||
- fixed issues with win32k hooking on 32 bit windows [#1479](https://github.com/sandboxie-plus/Sandboxie/issues/1479)
|
||||
|
||||
### Removed
|
||||
- removed obsolete SkyNet rootkit detection from 32 bit build
|
||||
|
|
|
@ -82,7 +82,8 @@
|
|||
<MultiProcessorCompilation>true</MultiProcessorCompilation>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>SbieDll.lib;ws2_32.lib;advapi32.lib;kernel32.lib;ntdll.lib;gdi32.lib;user32.lib;secur32.lib;psapi.lib</AdditionalDependencies>
|
||||
<AdditionalDependencies>SbieDll.lib;ws2_32.lib;advapi32.lib;kernel32.lib;libucrt.lib;ntdll.lib;gdi32.lib;user32.lib;secur32.lib;psapi.lib</AdditionalDependencies>
|
||||
<IgnoreSpecificDefaultLibraries>libucrt.lib</IgnoreSpecificDefaultLibraries>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">
|
||||
|
|
|
@ -86,7 +86,8 @@
|
|||
<MultiProcessorCompilation>true</MultiProcessorCompilation>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>SbieDll.lib;secur32.lib;ntdll.lib;psapi.lib;AdvApi32.lib;user32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>SbieDll.lib;secur32.lib;libucrt.lib;ntdll.lib;psapi.lib;AdvApi32.lib;user32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<IgnoreSpecificDefaultLibraries>libucrt.lib</IgnoreSpecificDefaultLibraries>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">
|
||||
|
|
|
@ -390,7 +390,7 @@ finish:
|
|||
_FX BOOLEAN Win32_Init(HMODULE hmodule)
|
||||
{
|
||||
// In Windows 10 all Win32k.sys calls are located in win32u.dll
|
||||
if (Dll_OsBuild < 10041 || (Dll_ProcessFlags & SBIE_FLAG_WIN32K_HOOKABLE) == 0)
|
||||
if (Dll_OsBuild < 10041 || (Dll_ProcessFlags & SBIE_FLAG_WIN32K_HOOKABLE) == 0 || !SbieApi_QueryConfBool(NULL, L"EnableWin32kHooks", TRUE))
|
||||
return TRUE; // just return on older builds, or not enabled
|
||||
|
||||
if ((Dll_ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0 || SbieApi_data->flags.bNoSysHooks)
|
||||
|
|
|
@ -430,7 +430,7 @@ _FX NTSTATUS Obj_NtQueryInformationProcess(
|
|||
status = __sys_NtQueryInformationProcess(
|
||||
ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, &outlen);
|
||||
|
||||
if (ProcessInformationClass == ProcessImageFileName)
|
||||
if (ProcessInformationClass == ProcessImageFileName && ProcessInformation != NULL)
|
||||
{
|
||||
//
|
||||
// since file paths are always shorter without the sandbox prefix we can keep this simple
|
||||
|
|
|
@ -110,7 +110,7 @@ _FX BOOLEAN Syscall_TestHookMap(const UCHAR* name, ULONG name_len, LIST* enabled
|
|||
|
||||
int disabe_match = Syscall_HookMapMatch(wname, name_len, disabled_hooks);
|
||||
int enable_match = Syscall_HookMapMatch(wname, name_len, enabled_hooks);
|
||||
if (disabe_match >= enable_match)
|
||||
if (disabe_match != 0 && disabe_match >= enable_match)
|
||||
return FALSE;
|
||||
if (enable_match != 0)
|
||||
return TRUE;
|
||||
|
|
|
@ -90,18 +90,13 @@ typedef struct _KSERVICE_TABLE_DESCRIPTOR
|
|||
unsigned long *Base;
|
||||
unsigned long *Reserved1;
|
||||
unsigned long Limit;
|
||||
unsigned int *Number;
|
||||
unsigned char *Number;
|
||||
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR ;
|
||||
|
||||
|
||||
_FX BOOLEAN Syscall_GetWin32kAddr(ULONG *Base_Copy,
|
||||
#ifdef _WIN64
|
||||
_FX BOOLEAN Syscall_GetWin32kAddr(KSERVICE_TABLE_DESCRIPTOR *ShadowTable, ULONG *Base_Copy,
|
||||
ULONG index, void **pKernelAddr, ULONG *pParamCount)
|
||||
{
|
||||
KSERVICE_TABLE_DESCRIPTOR *ShadowTable = (KSERVICE_TABLE_DESCRIPTOR *)Syscall_GetServiceTable();
|
||||
ShadowTable += 1; // ServiceDescriptorTableShadow[0] -> ntoskrnl.exe, ServiceDescriptorTableShadow[1] -> win32k.sys
|
||||
|
||||
if (ShadowTable) {
|
||||
|
||||
ULONG MaxSyscallIndexPlusOne = ShadowTable->Limit;
|
||||
if ((index >= 0x1000) &&
|
||||
((index & 0xFFF) < MaxSyscallIndexPlusOne)) {
|
||||
|
@ -115,11 +110,26 @@ _FX BOOLEAN Syscall_GetWin32kAddr(ULONG *Base_Copy,
|
|||
}
|
||||
|
||||
Log_Msg1(MSG_1113, L"ADDRESS");
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
#else
|
||||
_FX BOOLEAN Syscall_GetWin32kAddr(KSERVICE_TABLE_DESCRIPTOR *ShadowTable, ULONG *ProcTable, UCHAR *ParmTable,
|
||||
ULONG index, void **pKernelAddr, ULONG *pParamCount)
|
||||
{
|
||||
ULONG MaxSyscallIndexPlusOne = ShadowTable->Limit;
|
||||
if ((index >= 0x1000) &&
|
||||
((index & 0xFFF) < MaxSyscallIndexPlusOne)) {
|
||||
|
||||
*pKernelAddr = (void *)ProcTable[index & 0xFFF];
|
||||
*pParamCount = ((ULONG)ParmTable[index & 0xFFF]) / 4;
|
||||
//DbgPrint(" SysCall32 offset: %d\r\n", (ULONG)(EntryValue >> 4));
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
Log_Msg1(MSG_1113, L"ADDRESS");
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
// Syscall_Init_List32
|
||||
|
@ -135,7 +145,10 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
|||
SYSCALL_ENTRY *entry;
|
||||
ULONG proc_index, proc_offset, syscall_index, param_count;
|
||||
ULONG name_len, entry_len;
|
||||
ULONG* table_copy = NULL;
|
||||
ULONG* base_copy = NULL;
|
||||
#ifndef _WIN64
|
||||
UCHAR* number_copy = NULL;
|
||||
#endif
|
||||
|
||||
List_Init(&Syscall_List32);
|
||||
|
||||
|
@ -159,8 +172,8 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
|||
Log_Msg1(MSG_1113, L"SHADOW_TABLE");
|
||||
goto finish;
|
||||
}
|
||||
//DbgPrint(" win32k.sys SysCalls: %d %p %p\n", ShadowTable->Limit, ShadowTable->Base, ShadowTable->Number);
|
||||
ShadowTable += 1;
|
||||
//DbgPrint(" ntoskrln.exe SysCalls: %d %p %p\n", ShadowTable->Limit, ShadowTable->Base, ShadowTable->Number);
|
||||
ShadowTable += 1; // ServiceDescriptorTableShadow[0] -> ntoskrnl.exe, ServiceDescriptorTableShadow[1] -> win32k.sys
|
||||
//DbgPrint(" win32k.sys SysCalls: %d %p %p\n", ShadowTable->Limit, ShadowTable->Base, ShadowTable->Number);
|
||||
|
||||
if (ShadowTable->Limit > 0xFFF) { // not plausible
|
||||
|
@ -180,16 +193,28 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
|||
goto finish;
|
||||
}
|
||||
|
||||
table_copy = (ULONG*)Mem_AllocEx(Driver_Pool, ShadowTable->Limit * sizeof(long), TRUE);
|
||||
if (!table_copy)
|
||||
base_copy = (ULONG*)Mem_AllocEx(Driver_Pool, ShadowTable->Limit * sizeof(long), TRUE);
|
||||
if (!base_copy)
|
||||
goto finish;
|
||||
#ifndef _WIN64
|
||||
number_copy = (UCHAR*)Mem_AllocEx(Driver_Pool, ShadowTable->Limit * sizeof(char), TRUE);
|
||||
if (!number_copy)
|
||||
goto finish;
|
||||
#endif
|
||||
|
||||
PEPROCESS ProcessObject;
|
||||
if (NT_SUCCESS(PsLookupProcessByProcessId(csrssId,&ProcessObject))) {
|
||||
KAPC_STATE ApcState;
|
||||
KeStackAttachProcess(ProcessObject, &ApcState);
|
||||
if (MmIsAddressValid(ShadowTable->Base)) {
|
||||
memcpy(table_copy, ShadowTable->Base, ShadowTable->Limit * sizeof(long));
|
||||
if (MmIsAddressValid(ShadowTable->Base)
|
||||
#ifndef _WIN64
|
||||
&& MmIsAddressValid(ShadowTable->Number)
|
||||
#endif
|
||||
) {
|
||||
memcpy(base_copy, ShadowTable->Base, ShadowTable->Limit * sizeof(long));
|
||||
#ifndef _WIN64
|
||||
memcpy(number_copy, ShadowTable->Number, ShadowTable->Limit * sizeof(char));
|
||||
#endif
|
||||
success = TRUE;
|
||||
}
|
||||
KeUnstackDetachProcess(&ApcState);
|
||||
|
@ -289,7 +314,10 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
|||
|
||||
if (syscall_index != -1) {
|
||||
|
||||
Syscall_GetWin32kAddr(table_copy,
|
||||
Syscall_GetWin32kAddr(ShadowTable, base_copy,
|
||||
#ifndef _WIN64
|
||||
number_copy,
|
||||
#endif
|
||||
syscall_index, &ntos_addr, ¶m_count);
|
||||
|
||||
//BOOLEAN test;
|
||||
|
@ -297,7 +325,7 @@ _FX BOOLEAN Syscall_Init_List32(void)
|
|||
//test = MmIsAddressValid(ntos_addr);
|
||||
//KeUnstackDetachProcess(&ApcState);
|
||||
//DbgPrint(" Found SysCall32: %s, pcnt %d; idx: %d; addr: %p %s\r\n", name, param_count, syscall_index, ntos_addr, test ? "valid" : "invalid");
|
||||
//DbgPrint(" Found SysCall32: %s, pcnt %d; idx: %d\r\n", name, param_count, syscall_index);
|
||||
//DbgPrint(" Found SysCall32: %s, pcnt %d; idx: %d; addr: %p\r\n", name, param_count, syscall_index, ntos_addr);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -370,8 +398,12 @@ finish:
|
|||
Syscall_FreeHookMap(&enabled_hooks);
|
||||
Syscall_FreeHookMap(&disabled_hooks);
|
||||
|
||||
if (table_copy)
|
||||
Mem_Free(table_copy, ShadowTable->Limit * sizeof(long));
|
||||
if (base_copy)
|
||||
Mem_Free(base_copy, ShadowTable->Limit * sizeof(long));
|
||||
#ifndef _WIN64
|
||||
if (number_copy)
|
||||
Mem_Free(number_copy, ShadowTable->Limit * sizeof(char));
|
||||
#endif
|
||||
|
||||
return success;
|
||||
}
|
||||
|
|
|
@ -262,7 +262,7 @@ else ; 32-bit
|
|||
; parms[0] = API_INVOKE_SYSCALL (from SbieLowData)
|
||||
;
|
||||
|
||||
and eax, 0FFFh ; keep just service index number
|
||||
and eax, 1FFFh ; keep just service index number
|
||||
mov dword ptr [esp+2*8], eax
|
||||
|
||||
lea eax, [ebp+4*3] ; eax -> orig arg 1 on stack
|
||||
|
|
Loading…
Reference in New Issue