From 7acaad37ce91188be2027431ccc85814a9b6ebd4 Mon Sep 17 00:00:00 2001 From: DavidXanatos Date: Sun, 19 Sep 2021 20:30:40 +0200 Subject: [PATCH] --- Sandboxie/core/dll/dllmain.c | 4 +- Sandboxie/core/dll/lowlevel_inject.c | 23 +++++------ Sandboxie/core/dll/sbiedll.h | 2 +- Sandboxie/core/low/init.c | 12 +++--- Sandboxie/core/low/inject.c | 4 +- Sandboxie/core/low/lowdata.h | 49 ++++++++++++----------- Sandboxie/core/svc/DriverAssistInject.cpp | 22 ++++++---- 7 files changed, 61 insertions(+), 55 deletions(-) diff --git a/Sandboxie/core/dll/dllmain.c b/Sandboxie/core/dll/dllmain.c index fe5375aa..20e621fb 100644 --- a/Sandboxie/core/dll/dllmain.c +++ b/Sandboxie/core/dll/dllmain.c @@ -743,13 +743,13 @@ _FX ULONG_PTR Dll_Ordinal1( data = (SBIELOW_DATA *)inject->sbielow_data; - bHostInject = data->bHostInject == 1; + bHostInject = data->flags.bHostInject == 1; // // the SbieLow data area includes values that are useful to us // - Dll_IsWow64 = data->is_wow64; + Dll_IsWow64 = data->flags.is_wow64 == 1; SbieApi_DeviceHandle = (HANDLE)data->api_device_handle; diff --git a/Sandboxie/core/dll/lowlevel_inject.c b/Sandboxie/core/dll/lowlevel_inject.c index 0adc321b..50563269 100644 --- a/Sandboxie/core/dll/lowlevel_inject.c +++ b/Sandboxie/core/dll/lowlevel_inject.c @@ -479,7 +479,7 @@ ULONG64 SbieDll_FindWOW64_Ntdll(_In_ HANDLE ProcessHandle) //--------------------------------------------------------------------------- -_FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle) +_FX ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle) { //SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg; ULONG errlvl = 0; 
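Review bot: The new `ULONG init_flags` parameter of SbieDll_InjectLow is undocumented both at the definition in this hunk and at the prototype in sbiedll.h (hunk @@ -199), whereas the `is_wow64`/`bHostInject` booleans it replaces were self-describing. Suggest a comment above the signature, `// init_flags: raw SBIELOW_FLAGS.init_flags (lowdata.h); caller supplies is_wow64/bHostInject/bNoSysHooks/bNoConsole, reserved bits must be 0`, repeated on the prototype. The function body continues past the end of this hunk.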
@@ -501,15 +501,14 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje SBIELOW_DATA lowdata; memzero(&lowdata, sizeof(lowdata)); + lowdata.flags.init_flags = init_flags; + #ifdef _WIN64 - if (is_wow64)//(msg->is_wow64) + if (lowdata.flags.is_wow64) lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess); #endif lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll; - lowdata.is_wow64 = is_wow64; //msg->is_wow64; - lowdata.bHostInject = bHostInject; //msg->bHostInject; - lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile"); // // on 64-bit Windows 8, there might be a difference of more than @@ -517,22 +516,22 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje // use of longer jump sequences than the 5-byte 0xE9 relative jump // if (Dll_Windows >= 10) { - lowdata.is_win10 = TRUE; + lowdata.flags.is_win10 = 1; } - void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.is_wow64, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp)); + void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.flags.is_wow64 == 1, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp)); if (!remote_addr) { errlvl = 0x33; goto finish; } // if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32)) #ifdef _WIN64 - lowdata.long_diff = TRUE; + lowdata.flags.long_diff = 1; if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) { - lowdata.long_diff = FALSE; + lowdata.flags.long_diff = 0; } #else - lowdata.long_diff = FALSE; + lowdata.flags.long_diff = 0; #endif if (dup_drv_handle) 
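Review bot: `lowdata.flags.init_flags = init_flags;` in hunk @@ -501 copies every caller bit into the data area, but `is_win10` is only ever set in hunk @@ -517 (`if (Dll_Windows >= 10) { lowdata.flags.is_win10 = 1; }`) and never cleared, so a stale `is_win10` bit arriving in `init_flags` would survive on older Windows and reach the branch init.c's InitSyscalls takes on it; `long_diff` is safe because both preprocessor branches assign it. Make the field owned by this function, `lowdata.flags.is_win10 = (Dll_Windows >= 10) ? 1 : 0;`, or mask `init_flags` down to the caller-owned bits before the copy. The comment `// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))` still names the removed field and should be updated or dropped. SbieDll_InjectLow starts and ends outside these hunks.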
@@ -581,7 +580,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje + m_sbielow_data_offset // offset of args area + FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp); - if (!SbieDll_InjectLow_BuildTramp(lowdata.long_diff, + if (!SbieDll_InjectLow_BuildTramp(lowdata.flags.long_diff == 1, lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) { //UCHAR *code = lowdata.LdrInitializeThunk_tramp; @@ -627,7 +626,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje // // Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to // the remote_addr - if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.long_diff, &lowdata)) { + if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.flags.long_diff == 1, &lowdata)) { errlvl = 0x77; goto finish; } diff --git a/Sandboxie/core/dll/sbiedll.h b/Sandboxie/core/dll/sbiedll.h index 4288f150..86371063 100644 --- a/Sandboxie/core/dll/sbiedll.h +++ b/Sandboxie/core/dll/sbiedll.h @@ -199,7 +199,7 @@ SBIEDLL_EXPORT BOOLEAN SbieDll_ExpandAndRunProgram(const WCHAR *Command); SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper(); SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init); -SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle); +SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle); SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName); diff --git a/Sandboxie/core/low/init.c b/Sandboxie/core/low/init.c index a546beb4..5a35b21a 100644 --- a/Sandboxie/core/low/init.c +++ b/Sandboxie/core/low/init.c 
@@ -376,7 +376,7 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService) jTableTarget[2] = 0xc2; *(ULONG *)&jTableTarget[3] = SyscallPtr[0]; // jmp <4 byte SystemServiceAsm> - if (data->is_win10) { + if (data->flags.is_win10) { jTableTarget[7] = 0x48; jTableTarget[8] = 0xe9; *(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13)); @@ -424,9 +424,9 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService) ZwXxxPtr[1] = 0xC7; ZwXxxPtr[2] = 0xC2; *(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0]; - if (!data->long_diff) { + if (!data->flags.long_diff) { - if (data->is_win10) { + if (data->flags.is_win10) { ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm *(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13)); @@ -479,7 +479,7 @@ _FX void InitConsole(SBIELOW_DATA *data) ULONG64 addr64; ULONG addr32; - if (! data->is_wow64) + if (! data->flags.is_wow64) return; // @@ -564,11 +564,11 @@ _FX ULONG_PTR EntrypointC(SBIELOW_DATA *data,void *ActivationContext, void *Syst // WaitForDebugger(data); - if(!data->bHostInject) + if(!data->flags.bHostInject && !data->flags.bNoSysHooks) InitSyscalls(data, SystemService); #ifdef _WIN64 InitInject(data, ActivationContext, ActivationContext64); - if (!data->bHostInject) + if (!data->flags.bNoConsole) InitConsole(data); #else InitInject(data, ActivationContext); diff --git a/Sandboxie/core/low/inject.c b/Sandboxie/core/low/inject.c index 5f51d857..d6b79f13 100644 --- a/Sandboxie/core/low/inject.c +++ b/Sandboxie/core/low/inject.c @@ -246,7 +246,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt #ifdef _WIN64 - if (data->is_wow64) { + if (data->flags.is_wow64) { // // Instead of requiering the driver for this task, we can simplify it 
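Review bot: The InitConsole guard in hunk @@ -564 drops the `bHostInject` condition: previously host-injected processes never ran InitConsole, now they do unless the box sets NoSandboxieDesktop or NoSecurityIsolation, because DriverAssistInject.cpp derives `bNoConsole` from configuration only. If the old behaviour is meant to be kept, write `if (!data->flags.bHostInject && !data->flags.bNoConsole)` to mirror the InitSyscalls guard two lines above, or have the service set `bNoConsole` when `msg->bHostInject`; if the change is intended, a one-line comment saying so would spare the next reader the archaeology. EntrypointC starts and ends outside the hunk.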
@@ -320,7 +320,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt #ifdef _WIN64 - if (data->is_wow64) { + if (data->flags.is_wow64) { InitInjectWow64(data,RtlFindActivationContextSectionString); goto store_sbielow_address; diff --git a/Sandboxie/core/low/lowdata.h b/Sandboxie/core/low/lowdata.h index 9637199d..b5808c23 100644 --- a/Sandboxie/core/low/lowdata.h +++ b/Sandboxie/core/low/lowdata.h @@ -43,6 +43,26 @@ typedef struct _SBIELOW_J_TABLE #endif +typedef union _SBIELOW_FLAGS { + ULONG init_flags; + struct { + ULONG + is_wow64 : 1, + reservd_1 : 7, + + long_diff : 1, + reservd_2 : 7, + + bHostInject : 1, + bNoSysHooks : 1, + bNoConsole : 1, + reservd_3 : 5, + + is_win10 : 1, + reservd_4 : 7; + }; +} SBIELOW_FLAGS; + typedef struct _SBIELOW_DATA { ULONG64 ntdll_base; ULONG64 syscall_data; @@ -51,30 +71,11 @@ typedef struct _SBIELOW_DATA { ULONG api_sbiedrv_ctlcode; ULONG api_invoke_syscall; - BOOLEAN is_wow64; - BOOLEAN long_diff; - BOOLEAN bHostInject; - BOOLEAN is_win10; - - /*union { - ULONG init_flags; - struct { - ULONG - is_wow64 : 1, - reservd_1 : 7, - - long_diff : 1, - reservd_2 : 7, - - bHostInject : 1, - bNoSysHooks : 1, - bNoConsole : 1, - reservd_3 : 5, - - is_win10 : 1, - reservd_4 : 7; - }; - };*/ + //BOOLEAN is_wow64; + //BOOLEAN long_diff; + //BOOLEAN bHostInject; + //BOOLEAN is_win10; + SBIELOW_FLAGS flags; __declspec(align(16)) UCHAR LdrInitializeThunk_tramp[48]; diff --git a/Sandboxie/core/svc/DriverAssistInject.cpp b/Sandboxie/core/svc/DriverAssistInject.cpp index 1d3c5676..31585e96 100644 --- a/Sandboxie/core/svc/DriverAssistInject.cpp +++ b/Sandboxie/core/svc/DriverAssistInject.cpp 
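Review bot: SBIELOW_FLAGS in hunk @@ -43 relies on bit-field packing so that `init_flags` and the named bits alias the same 32 bits, and that value is produced in the service, passed through SbieDll and copied into x86 and x64 target processes where the low-level code reads the bits, so the layout is effectively a wire format while bit-field ordering is implementation-defined. Pin it with `C_ASSERT(sizeof(SBIELOW_FLAGS) == sizeof(ULONG));` after the typedef and a comment above it such as `// shared by SbieSvc, SbieDll and the injected low-level code: bit positions are fixed, add new flags only inside the reservd_* ranges`. The four `//BOOLEAN ...` lines left behind in hunk @@ -51 are dead commentary now that the union replaces them and can be removed; as far as the visible lines show the ULONG keeps the same 4-byte footprint as the four BOOLEANs, so the later field offsets are unchanged.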
@@ -77,13 +77,19 @@ void DriverAssist::InjectLow(void *_msg) // inject the lowlevel.dll into the target process // - BOOLEAN bHostInject = msg->bHostInject; - // NoSysCallHooks BEGIN - if (!bHostInject && SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE)) - bHostInject = 2; - // NoSysCallHooks END + SBIELOW_FLAGS sbieLow; + sbieLow.init_flags = 0; - errlvl = SbieDll_InjectLow(hProcess, msg->is_wow64, bHostInject, TRUE); + sbieLow.is_wow64 = msg->is_wow64; + sbieLow.bHostInject = msg->bHostInject; + // NoSysCallHooks BEGIN + sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE); + // NoSysCallHooks END + // NoSbieDesk BEGIN + sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE); + // NoSbieDesk END + + errlvl = SbieDll_InjectLow(hProcess, sbieLow.init_flags, TRUE); if(errlvl != 0) goto finish; @@ -92,10 +98,10 @@ void DriverAssist::InjectLow(void *_msg) // // NoSbieDesk BEGIN - BOOLEAN GuiProxy = SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE); + BOOLEAN GuiProxy = !SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE); // NoSbieDesk END // DisableComProxy BEGIN - BOOLEAN ComProxy = SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE); + BOOLEAN ComProxy = !SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE); // DisableComProxy END if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy if (!msg->bHostInject)
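Review bot: `sbieLow.is_wow64 = msg->is_wow64;` and `sbieLow.bHostInject = msg->bHostInject;` in hunk @@ -77 assign BOOLEANs to 1-bit fields, so any value other than 0/1 is silently truncated to its low bit; the removed code used `bHostInject = 2` as a sentinel and dllmain.c still compares `== 1`, so if any sender of the message still passes 2 it now becomes 0, the sandboxed path. Normalize explicitly, `sbieLow.bHostInject = msg->bHostInject ? 1 : 0;` and the same for is_wow64. `SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE)` is evaluated three times across this hunk and @@ -92; read it once into a local and, since it is the setting that disables both the syscall hooks and the console proxy, give that local a comment saying so. In @@ -92 `GuiProxy` then reduces to `!sbieLow.bNoConsole` provided sbieLow is still in scope there. DriverAssist::InjectLow continues outside both hunks.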