This commit is contained in:
parent
2fb67c23fb
commit
7acaad37ce
|
@ -743,13 +743,13 @@ _FX ULONG_PTR Dll_Ordinal1(
|
||||||
|
|
||||||
data = (SBIELOW_DATA *)inject->sbielow_data;
|
data = (SBIELOW_DATA *)inject->sbielow_data;
|
||||||
|
|
||||||
bHostInject = data->bHostInject == 1;
|
bHostInject = data->flags.bHostInject == 1;
|
||||||
|
|
||||||
//
|
//
|
||||||
// the SbieLow data area includes values that are useful to us
|
// the SbieLow data area includes values that are useful to us
|
||||||
//
|
//
|
||||||
|
|
||||||
Dll_IsWow64 = data->is_wow64;
|
Dll_IsWow64 = data->flags.is_wow64 == 1;
|
||||||
|
|
||||||
SbieApi_DeviceHandle = (HANDLE)data->api_device_handle;
|
SbieApi_DeviceHandle = (HANDLE)data->api_device_handle;
|
||||||
|
|
||||||
|
|
|
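Review bot: `bHostInject = data->flags.bHostInject == 1;` and `Dll_IsWow64 = data->flags.is_wow64 == 1;` compare a one-bit unsigned field against 1, which yields exactly the value the field already holds, while the lowlevel hunks read the same fields directly (`if (data->flags.is_win10)`). Using the field as-is, `bHostInject = (BOOLEAN)data->flags.bHostInject;` and `Dll_IsWow64 = (BOOLEAN)data->flags.is_wow64;`, keeps both sides of the shared union read the same way. Dll_Ordinal1 starts before and continues after this hunk.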
@ -479,7 +479,7 @@ ULONG64 SbieDll_FindWOW64_Ntdll(_In_ HANDLE ProcessHandle)
|
||||||
//---------------------------------------------------------------------------
|
//---------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle)
|
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle)
|
||||||
{
|
{
|
||||||
//SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
|
//SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
|
||||||
ULONG errlvl = 0;
|
ULONG errlvl = 0;
|
||||||
|
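Review bot: The new `init_flags` parameter is an undocumented ULONG; nothing at the definition, nor at the SBIEDLL_EXPORT prototype in the header hunk further down, says that it is the `init_flags` member of `SBIELOW_FLAGS`, which bits the caller is expected to set, or that this function derives some of the bits itself. A comment above the definition such as `// init_flags: caller-supplied SBIELOW_FLAGS.init_flags (is_wow64, bHostInject, bNoSysHooks, bNoConsole); long_diff and is_win10 are derived in this function` and a matching one-line comment on the declaration in the header would make the contract visible to the next caller. SbieDll_InjectLow's body continues past this hunk.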
@ -501,15 +501,14 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
||||||
SBIELOW_DATA lowdata;
|
SBIELOW_DATA lowdata;
|
||||||
memzero(&lowdata, sizeof(lowdata));
|
memzero(&lowdata, sizeof(lowdata));
|
||||||
|
|
||||||
|
lowdata.flags.init_flags = init_flags;
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
if (is_wow64)//(msg->is_wow64)
|
if (lowdata.flags.is_wow64)
|
||||||
lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess);
|
lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess);
|
||||||
#endif
|
#endif
|
||||||
lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll;
|
lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll;
|
||||||
|
|
||||||
lowdata.is_wow64 = is_wow64; //msg->is_wow64;
|
|
||||||
lowdata.bHostInject = bHostInject; //msg->bHostInject;
|
|
||||||
|
|
||||||
lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile");
|
lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile");
|
||||||
//
|
//
|
||||||
// on 64-bit Windows 8, there might be a difference of more than
|
// on 64-bit Windows 8, there might be a difference of more than
|
||||||
|
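Review bot: `lowdata.flags.init_flags = init_flags;` copies every caller bit into lowdata, including long_diff, is_win10 and the reserved bits, whereas before this change those fields were left at zero by the preceding `memzero`. long_diff is assigned in both branches of the `#ifdef _WIN64` in the following hunk, but `is_win10` is only written when `Dll_Windows >= 10`, so a caller passing init_flags with that bit already set keeps it on older Windows and the lowlevel InitSyscalls would then emit the Windows-10 jump sequence. The only visible caller (DriverAssist) starts from `init_flags = 0`, so this is latent today, but the assignment in the next hunk can be made unconditional, `lowdata.flags.is_win10 = (Dll_Windows >= 10) ? 1 : 0;`, or the copy here can be masked to the caller-settable bits. SbieDll_InjectLow starts before and continues after this hunk.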
@ -517,22 +516,22 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
||||||
// use of longer jump sequences than the 5-byte 0xE9 relative jump
|
// use of longer jump sequences than the 5-byte 0xE9 relative jump
|
||||||
//
|
//
|
||||||
if (Dll_Windows >= 10) {
|
if (Dll_Windows >= 10) {
|
||||||
lowdata.is_win10 = TRUE;
|
lowdata.flags.is_win10 = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.is_wow64, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
|
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.flags.is_wow64 == 1, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
|
||||||
if (!remote_addr) {
|
if (!remote_addr) {
|
||||||
errlvl = 0x33;
|
errlvl = 0x33;
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))
|
// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
lowdata.long_diff = TRUE;
|
lowdata.flags.long_diff = 1;
|
||||||
if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) {
|
if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) {
|
||||||
lowdata.long_diff = FALSE;
|
lowdata.flags.long_diff = 0;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
lowdata.long_diff = FALSE;
|
lowdata.flags.long_diff = 0;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (dup_drv_handle)
|
if (dup_drv_handle)
|
||||||
|
@ -581,7 +580,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
||||||
+ m_sbielow_data_offset // offset of args area
|
+ m_sbielow_data_offset // offset of args area
|
||||||
+ FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp);
|
+ FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp);
|
||||||
|
|
||||||
if (!SbieDll_InjectLow_BuildTramp(lowdata.long_diff,
|
if (!SbieDll_InjectLow_BuildTramp(lowdata.flags.long_diff == 1,
|
||||||
lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) {
|
lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) {
|
||||||
|
|
||||||
//UCHAR *code = lowdata.LdrInitializeThunk_tramp;
|
//UCHAR *code = lowdata.LdrInitializeThunk_tramp;
|
||||||
|
@ -627,7 +626,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
||||||
//
|
//
|
||||||
// Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to
|
// Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to
|
||||||
// the remote_addr
|
// the remote_addr
|
||||||
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.long_diff, &lowdata)) {
|
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.flags.long_diff == 1, &lowdata)) {
|
||||||
errlvl = 0x77;
|
errlvl = 0x77;
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
|
@ -199,7 +199,7 @@ SBIEDLL_EXPORT BOOLEAN SbieDll_ExpandAndRunProgram(const WCHAR *Command);
|
||||||
|
|
||||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper();
|
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper();
|
||||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init);
|
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init);
|
||||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle);
|
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle);
|
||||||
|
|
||||||
|
|
||||||
SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName);
|
SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName);
|
||||||
|
|
|
@ -376,7 +376,7 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
|
||||||
jTableTarget[2] = 0xc2;
|
jTableTarget[2] = 0xc2;
|
||||||
*(ULONG *)&jTableTarget[3] = SyscallPtr[0];
|
*(ULONG *)&jTableTarget[3] = SyscallPtr[0];
|
||||||
// jmp <4 byte SystemServiceAsm>
|
// jmp <4 byte SystemServiceAsm>
|
||||||
if (data->is_win10) {
|
if (data->flags.is_win10) {
|
||||||
jTableTarget[7] = 0x48;
|
jTableTarget[7] = 0x48;
|
||||||
jTableTarget[8] = 0xe9;
|
jTableTarget[8] = 0xe9;
|
||||||
*(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13));
|
*(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13));
|
||||||
|
@ -424,9 +424,9 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
|
||||||
ZwXxxPtr[1] = 0xC7;
|
ZwXxxPtr[1] = 0xC7;
|
||||||
ZwXxxPtr[2] = 0xC2;
|
ZwXxxPtr[2] = 0xC2;
|
||||||
*(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0];
|
*(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0];
|
||||||
if (!data->long_diff) {
|
if (!data->flags.long_diff) {
|
||||||
|
|
||||||
if (data->is_win10) {
|
if (data->flags.is_win10) {
|
||||||
ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm
|
ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm
|
||||||
ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm
|
ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm
|
||||||
*(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13));
|
*(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13));
|
||||||
|
@ -479,7 +479,7 @@ _FX void InitConsole(SBIELOW_DATA *data)
|
||||||
ULONG64 addr64;
|
ULONG64 addr64;
|
||||||
ULONG addr32;
|
ULONG addr32;
|
||||||
|
|
||||||
if (! data->is_wow64)
|
if (! data->flags.is_wow64)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -564,11 +564,11 @@ _FX ULONG_PTR EntrypointC(SBIELOW_DATA *data,void *ActivationContext, void *Syst
|
||||||
|
|
||||||
// WaitForDebugger(data);
|
// WaitForDebugger(data);
|
||||||
|
|
||||||
if(!data->bHostInject)
|
if(!data->flags.bHostInject && !data->flags.bNoSysHooks)
|
||||||
InitSyscalls(data, SystemService);
|
InitSyscalls(data, SystemService);
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
InitInject(data, ActivationContext, ActivationContext64);
|
InitInject(data, ActivationContext, ActivationContext64);
|
||||||
if (!data->bHostInject)
|
if (!data->flags.bNoConsole)
|
||||||
InitConsole(data);
|
InitConsole(data);
|
||||||
#else
|
#else
|
||||||
InitInject(data, ActivationContext);
|
InitInject(data, ActivationContext);
|
||||||
|
|
|
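Review bot: `if (!data->flags.bNoConsole) InitConsole(data);` drops the `!data->bHostInject` condition the removed line had, so a host-injected process (bHostInject set, bNoConsole clear) now runs InitConsole where it previously skipped it, while the InitSyscalls guard two lines above still keeps the bHostInject test. The DriverAssist hunk sets bNoConsole purely from box configuration, independent of bHostInject, so nothing upstream compensates. If widening InitConsole to host-injected processes is not intended, `if (!data->flags.bHostInject && !data->flags.bNoConsole)` restores the old exclusion. EntrypointC's body starts before and continues after this hunk.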
@ -246,7 +246,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
|
|
||||||
if (data->is_wow64) {
|
if (data->flags.is_wow64) {
|
||||||
|
|
||||||
//
|
//
|
||||||
// Instead of requiering the driver for this task, we can simplify it
|
// Instead of requiering the driver for this task, we can simplify it
|
||||||
|
@ -320,7 +320,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
|
|
||||||
if (data->is_wow64) {
|
if (data->flags.is_wow64) {
|
||||||
|
|
||||||
InitInjectWow64(data,RtlFindActivationContextSectionString);
|
InitInjectWow64(data,RtlFindActivationContextSectionString);
|
||||||
goto store_sbielow_address;
|
goto store_sbielow_address;
|
||||||
|
|
|
@ -43,6 +43,26 @@ typedef struct _SBIELOW_J_TABLE
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
typedef union _SBIELOW_FLAGS {
|
||||||
|
ULONG init_flags;
|
||||||
|
struct {
|
||||||
|
ULONG
|
||||||
|
is_wow64 : 1,
|
||||||
|
reservd_1 : 7,
|
||||||
|
|
||||||
|
long_diff : 1,
|
||||||
|
reservd_2 : 7,
|
||||||
|
|
||||||
|
bHostInject : 1,
|
||||||
|
bNoSysHooks : 1,
|
||||||
|
bNoConsole : 1,
|
||||||
|
reservd_3 : 5,
|
||||||
|
|
||||||
|
is_win10 : 1,
|
||||||
|
reservd_4 : 7;
|
||||||
|
};
|
||||||
|
} SBIELOW_FLAGS;
|
||||||
|
|
||||||
typedef struct _SBIELOW_DATA {
|
typedef struct _SBIELOW_DATA {
|
||||||
ULONG64 ntdll_base;
|
ULONG64 ntdll_base;
|
||||||
ULONG64 syscall_data;
|
ULONG64 syscall_data;
|
||||||
|
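Review bot: `SBIELOW_FLAGS` overlays bitfields on `ULONG init_flags`, and that integer crosses component boundaries (DriverAssist builds it, SbieDll copies it into SBIELOW_DATA, the injected lowlevel code reads the bits), but bitfield allocation order within a unit is implementation-defined in C, so the union is only meaningful as long as every side is built with the same compiler and the fields keep summing to one ULONG (they currently add up to 32 bits). A comment on the union stating that invariant, plus a compile-time check next to the typedef such as `C_ASSERT(sizeof(SBIELOW_FLAGS) == sizeof(ULONG));` if C_ASSERT is reachable from this header's includes, would catch a future field addition that silently widens the union and shifts every member after `flags` in SBIELOW_DATA. The reserved members are also spelled `reservd_1`…`reservd_4`; `reserved_` reads better.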
@ -51,30 +71,11 @@ typedef struct _SBIELOW_DATA {
|
||||||
ULONG api_sbiedrv_ctlcode;
|
ULONG api_sbiedrv_ctlcode;
|
||||||
ULONG api_invoke_syscall;
|
ULONG api_invoke_syscall;
|
||||||
|
|
||||||
BOOLEAN is_wow64;
|
//BOOLEAN is_wow64;
|
||||||
BOOLEAN long_diff;
|
//BOOLEAN long_diff;
|
||||||
BOOLEAN bHostInject;
|
//BOOLEAN bHostInject;
|
||||||
BOOLEAN is_win10;
|
//BOOLEAN is_win10;
|
||||||
|
SBIELOW_FLAGS flags;
|
||||||
/*union {
|
|
||||||
ULONG init_flags;
|
|
||||||
struct {
|
|
||||||
ULONG
|
|
||||||
is_wow64 : 1,
|
|
||||||
reservd_1 : 7,
|
|
||||||
|
|
||||||
long_diff : 1,
|
|
||||||
reservd_2 : 7,
|
|
||||||
|
|
||||||
bHostInject : 1,
|
|
||||||
bNoSysHooks : 1,
|
|
||||||
bNoConsole : 1,
|
|
||||||
reservd_3 : 5,
|
|
||||||
|
|
||||||
is_win10 : 1,
|
|
||||||
reservd_4 : 7;
|
|
||||||
};
|
|
||||||
};*/
|
|
||||||
|
|
||||||
__declspec(align(16))
|
__declspec(align(16))
|
||||||
UCHAR LdrInitializeThunk_tramp[48];
|
UCHAR LdrInitializeThunk_tramp[48];
|
||||||
|
|
|
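Review bot: The removed BOOLEAN members survive as `//BOOLEAN is_wow64;` through `//BOOLEAN is_win10;`, and a full second copy of the flag union is left in a `/*union { ... };*/` block directly under `SBIELOW_FLAGS flags;` — dead text that duplicates the SBIELOW_FLAGS typedef in the previous hunk and will drift from it. Delete the commented-out lines; the old layout is in history. Since four one-byte BOOLEANs are replaced by a four-byte union and the struct is shared with the injected code, a one-line comment on `flags` noting that the replacement must keep the same size and offset so the FIELD_OFFSET of LdrInitializeThunk_tramp is unchanged would document why this member cannot grow; whether the offset is actually preserved depends on the alignment of the members above, which this hunk only partly shows.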
@ -77,13 +77,19 @@ void DriverAssist::InjectLow(void *_msg)
|
||||||
// inject the lowlevel.dll into the target process
|
// inject the lowlevel.dll into the target process
|
||||||
//
|
//
|
||||||
|
|
||||||
BOOLEAN bHostInject = msg->bHostInject;
|
SBIELOW_FLAGS sbieLow;
|
||||||
// NoSysCallHooks BEGIN
|
sbieLow.init_flags = 0;
|
||||||
if (!bHostInject && SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE))
|
|
||||||
bHostInject = 2;
|
|
||||||
// NoSysCallHooks END
|
|
||||||
|
|
||||||
errlvl = SbieDll_InjectLow(hProcess, msg->is_wow64, bHostInject, TRUE);
|
sbieLow.is_wow64 = msg->is_wow64;
|
||||||
|
sbieLow.bHostInject = msg->bHostInject;
|
||||||
|
// NoSysCallHooks BEGIN
|
||||||
|
sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
|
||||||
|
// NoSysCallHooks END
|
||||||
|
// NoSbieDesk BEGIN
|
||||||
|
sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
|
||||||
|
// NoSbieDesk END
|
||||||
|
|
||||||
|
errlvl = SbieDll_InjectLow(hProcess, sbieLow.init_flags, TRUE);
|
||||||
if(errlvl != 0)
|
if(errlvl != 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
||||||
|
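Review bot: `sbieLow.is_wow64 = msg->is_wow64;` and `sbieLow.bHostInject = msg->bHostInject;` store a BOOLEAN into a one-bit field, which keeps only the lowest bit: any non-zero value other than 1 becomes 0, whereas the removed code passed the BOOLEANs through and the callee tested them with `if (is_wow64)`. Where msg is populated is not visible here; if these can hold anything other than 0/1 (the removed lines in this very function used `bHostInject = 2` as a value), normalise them: `sbieLow.is_wow64 = msg->is_wow64 ? 1 : 0;` and likewise for bHostInject. Separately, `SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE)` is evaluated twice in this hunk and again in the GuiProxy line of the next one; one local `BOOLEAN NoSecurityIsolation = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE);` read once would avoid the repeated configuration lookups and show the NoSecurityIsolation → no syscall hooks / no console / no GUI proxy coupling in a single place.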
@ -92,10 +98,10 @@ void DriverAssist::InjectLow(void *_msg)
|
||||||
//
|
//
|
||||||
|
|
||||||
// NoSbieDesk BEGIN
|
// NoSbieDesk BEGIN
|
||||||
BOOLEAN GuiProxy = SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
|
BOOLEAN GuiProxy = !SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
|
||||||
// NoSbieDesk END
|
// NoSbieDesk END
|
||||||
// DisableComProxy BEGIN
|
// DisableComProxy BEGIN
|
||||||
BOOLEAN ComProxy = SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
|
BOOLEAN ComProxy = !SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
|
||||||
// DisableComProxy END
|
// DisableComProxy END
|
||||||
if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy
|
if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy
|
||||||
if (!msg->bHostInject)
|
if (!msg->bHostInject)
|
||||||
|
|