This commit is contained in:
DavidXanatos 2021-09-19 20:30:40 +02:00
parent 2fb67c23fb
commit 7acaad37ce
7 changed files with 61 additions and 55 deletions

View File

@ -743,13 +743,13 @@ _FX ULONG_PTR Dll_Ordinal1(
data = (SBIELOW_DATA *)inject->sbielow_data; data = (SBIELOW_DATA *)inject->sbielow_data;
bHostInject = data->bHostInject == 1; bHostInject = data->flags.bHostInject == 1;
// //
// the SbieLow data area includes values that are useful to us // the SbieLow data area includes values that are useful to us
// //
Dll_IsWow64 = data->is_wow64; Dll_IsWow64 = data->flags.is_wow64 == 1;
SbieApi_DeviceHandle = (HANDLE)data->api_device_handle; SbieApi_DeviceHandle = (HANDLE)data->api_device_handle;

View File

@ -479,7 +479,7 @@ ULONG64 SbieDll_FindWOW64_Ntdll(_In_ HANDLE ProcessHandle)
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle) _FX ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle)
{ {
//SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg; //SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
ULONG errlvl = 0; ULONG errlvl = 0;
@ -501,15 +501,14 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
SBIELOW_DATA lowdata; SBIELOW_DATA lowdata;
memzero(&lowdata, sizeof(lowdata)); memzero(&lowdata, sizeof(lowdata));
lowdata.flags.init_flags = init_flags;
#ifdef _WIN64 #ifdef _WIN64
if (is_wow64)//(msg->is_wow64) if (lowdata.flags.is_wow64)
lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess); lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess);
#endif #endif
lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll; lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll;
lowdata.is_wow64 = is_wow64; //msg->is_wow64;
lowdata.bHostInject = bHostInject; //msg->bHostInject;
lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile"); lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile");
// //
// on 64-bit Windows 8, there might be a difference of more than // on 64-bit Windows 8, there might be a difference of more than
@ -517,22 +516,22 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
// use of longer jump sequences than the 5-byte 0xE9 relative jump // use of longer jump sequences than the 5-byte 0xE9 relative jump
// //
if (Dll_Windows >= 10) { if (Dll_Windows >= 10) {
lowdata.is_win10 = TRUE; lowdata.flags.is_win10 = 1;
} }
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.is_wow64, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp)); void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.flags.is_wow64 == 1, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
if (!remote_addr) { if (!remote_addr) {
errlvl = 0x33; errlvl = 0x33;
goto finish; goto finish;
} }
// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32)) // if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))
#ifdef _WIN64 #ifdef _WIN64
lowdata.long_diff = TRUE; lowdata.flags.long_diff = 1;
if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) { if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) {
lowdata.long_diff = FALSE; lowdata.flags.long_diff = 0;
} }
#else #else
lowdata.long_diff = FALSE; lowdata.flags.long_diff = 0;
#endif #endif
if (dup_drv_handle) if (dup_drv_handle)
@ -581,7 +580,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
+ m_sbielow_data_offset // offset of args area + m_sbielow_data_offset // offset of args area
+ FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp); + FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp);
if (!SbieDll_InjectLow_BuildTramp(lowdata.long_diff, if (!SbieDll_InjectLow_BuildTramp(lowdata.flags.long_diff == 1,
lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) { lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) {
//UCHAR *code = lowdata.LdrInitializeThunk_tramp; //UCHAR *code = lowdata.LdrInitializeThunk_tramp;
@ -627,7 +626,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
// //
// Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to // Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to
// the remote_addr // the remote_addr
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.long_diff, &lowdata)) { if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.flags.long_diff == 1, &lowdata)) {
errlvl = 0x77; errlvl = 0x77;
goto finish; goto finish;
} }

View File

@ -199,7 +199,7 @@ SBIEDLL_EXPORT BOOLEAN SbieDll_ExpandAndRunProgram(const WCHAR *Command);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper(); SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper();
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init); SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle); SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle);
SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName); SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName);

View File

@ -376,7 +376,7 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
jTableTarget[2] = 0xc2; jTableTarget[2] = 0xc2;
*(ULONG *)&jTableTarget[3] = SyscallPtr[0]; *(ULONG *)&jTableTarget[3] = SyscallPtr[0];
// jmp <4 byte SystemServiceAsm> // jmp <4 byte SystemServiceAsm>
if (data->is_win10) { if (data->flags.is_win10) {
jTableTarget[7] = 0x48; jTableTarget[7] = 0x48;
jTableTarget[8] = 0xe9; jTableTarget[8] = 0xe9;
*(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13)); *(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13));
@ -424,9 +424,9 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
ZwXxxPtr[1] = 0xC7; ZwXxxPtr[1] = 0xC7;
ZwXxxPtr[2] = 0xC2; ZwXxxPtr[2] = 0xC2;
*(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0]; *(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0];
if (!data->long_diff) { if (!data->flags.long_diff) {
if (data->is_win10) { if (data->flags.is_win10) {
ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm
ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm
*(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13)); *(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13));
@ -479,7 +479,7 @@ _FX void InitConsole(SBIELOW_DATA *data)
ULONG64 addr64; ULONG64 addr64;
ULONG addr32; ULONG addr32;
if (! data->is_wow64) if (! data->flags.is_wow64)
return; return;
// //
@ -564,11 +564,11 @@ _FX ULONG_PTR EntrypointC(SBIELOW_DATA *data,void *ActivationContext, void *Syst
// WaitForDebugger(data); // WaitForDebugger(data);
if(!data->bHostInject) if(!data->flags.bHostInject && !data->flags.bNoSysHooks)
InitSyscalls(data, SystemService); InitSyscalls(data, SystemService);
#ifdef _WIN64 #ifdef _WIN64
InitInject(data, ActivationContext, ActivationContext64); InitInject(data, ActivationContext, ActivationContext64);
if (!data->bHostInject) if (!data->flags.bNoConsole)
InitConsole(data); InitConsole(data);
#else #else
InitInject(data, ActivationContext); InitInject(data, ActivationContext);

View File

@ -246,7 +246,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
#ifdef _WIN64 #ifdef _WIN64
if (data->is_wow64) { if (data->flags.is_wow64) {
// //
// Instead of requiering the driver for this task, we can simplify it // Instead of requiering the driver for this task, we can simplify it
@ -320,7 +320,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
#ifdef _WIN64 #ifdef _WIN64
if (data->is_wow64) { if (data->flags.is_wow64) {
InitInjectWow64(data,RtlFindActivationContextSectionString); InitInjectWow64(data,RtlFindActivationContextSectionString);
goto store_sbielow_address; goto store_sbielow_address;

View File

@ -43,6 +43,26 @@ typedef struct _SBIELOW_J_TABLE
#endif #endif
typedef union _SBIELOW_FLAGS {
ULONG init_flags;
struct {
ULONG
is_wow64 : 1,
reservd_1 : 7,
long_diff : 1,
reservd_2 : 7,
bHostInject : 1,
bNoSysHooks : 1,
bNoConsole : 1,
reservd_3 : 5,
is_win10 : 1,
reservd_4 : 7;
};
} SBIELOW_FLAGS;
typedef struct _SBIELOW_DATA { typedef struct _SBIELOW_DATA {
ULONG64 ntdll_base; ULONG64 ntdll_base;
ULONG64 syscall_data; ULONG64 syscall_data;
@ -51,30 +71,11 @@ typedef struct _SBIELOW_DATA {
ULONG api_sbiedrv_ctlcode; ULONG api_sbiedrv_ctlcode;
ULONG api_invoke_syscall; ULONG api_invoke_syscall;
BOOLEAN is_wow64; //BOOLEAN is_wow64;
BOOLEAN long_diff; //BOOLEAN long_diff;
BOOLEAN bHostInject; //BOOLEAN bHostInject;
BOOLEAN is_win10; //BOOLEAN is_win10;
SBIELOW_FLAGS flags;
/*union {
ULONG init_flags;
struct {
ULONG
is_wow64 : 1,
reservd_1 : 7,
long_diff : 1,
reservd_2 : 7,
bHostInject : 1,
bNoSysHooks : 1,
bNoConsole : 1,
reservd_3 : 5,
is_win10 : 1,
reservd_4 : 7;
};
};*/
__declspec(align(16)) __declspec(align(16))
UCHAR LdrInitializeThunk_tramp[48]; UCHAR LdrInitializeThunk_tramp[48];

View File

@ -77,13 +77,19 @@ void DriverAssist::InjectLow(void *_msg)
// inject the lowlevel.dll into the target process // inject the lowlevel.dll into the target process
// //
BOOLEAN bHostInject = msg->bHostInject; SBIELOW_FLAGS sbieLow;
// NoSysCallHooks BEGIN sbieLow.init_flags = 0;
if (!bHostInject && SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE))
bHostInject = 2;
// NoSysCallHooks END
errlvl = SbieDll_InjectLow(hProcess, msg->is_wow64, bHostInject, TRUE); sbieLow.is_wow64 = msg->is_wow64;
sbieLow.bHostInject = msg->bHostInject;
// NoSysCallHooks BEGIN
sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
// NoSysCallHooks END
// NoSbieDesk BEGIN
sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
// NoSbieDesk END
errlvl = SbieDll_InjectLow(hProcess, sbieLow.init_flags, TRUE);
if(errlvl != 0) if(errlvl != 0)
goto finish; goto finish;
@ -92,10 +98,10 @@ void DriverAssist::InjectLow(void *_msg)
// //
// NoSbieDesk BEGIN // NoSbieDesk BEGIN
BOOLEAN GuiProxy = SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE); BOOLEAN GuiProxy = !SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
// NoSbieDesk END // NoSbieDesk END
// DisableComProxy BEGIN // DisableComProxy BEGIN
BOOLEAN ComProxy = SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE); BOOLEAN ComProxy = !SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
// DisableComProxy END // DisableComProxy END
if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy
if (!msg->bHostInject) if (!msg->bHostInject)