parent
2fb67c23fb
commit
7acaad37ce
|
@ -743,13 +743,13 @@ _FX ULONG_PTR Dll_Ordinal1(
|
|||
|
||||
data = (SBIELOW_DATA *)inject->sbielow_data;
|
||||
|
||||
bHostInject = data->bHostInject == 1;
|
||||
bHostInject = data->flags.bHostInject == 1;
|
||||
|
||||
//
|
||||
// the SbieLow data area includes values that are useful to us
|
||||
//
|
||||
|
||||
Dll_IsWow64 = data->is_wow64;
|
||||
Dll_IsWow64 = data->flags.is_wow64 == 1;
|
||||
|
||||
SbieApi_DeviceHandle = (HANDLE)data->api_device_handle;
|
||||
|
||||
|
|
|
@ -479,7 +479,7 @@ ULONG64 SbieDll_FindWOW64_Ntdll(_In_ HANDLE ProcessHandle)
|
|||
//---------------------------------------------------------------------------
|
||||
|
||||
|
||||
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle)
|
||||
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle)
|
||||
{
|
||||
//SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
|
||||
ULONG errlvl = 0;
|
||||
|
@ -501,15 +501,14 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
|||
SBIELOW_DATA lowdata;
|
||||
memzero(&lowdata, sizeof(lowdata));
|
||||
|
||||
lowdata.flags.init_flags = init_flags;
|
||||
|
||||
#ifdef _WIN64
|
||||
if (is_wow64)//(msg->is_wow64)
|
||||
if (lowdata.flags.is_wow64)
|
||||
lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess);
|
||||
#endif
|
||||
lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll;
|
||||
|
||||
lowdata.is_wow64 = is_wow64; //msg->is_wow64;
|
||||
lowdata.bHostInject = bHostInject; //msg->bHostInject;
|
||||
|
||||
lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile");
|
||||
//
|
||||
// on 64-bit Windows 8, there might be a difference of more than
|
||||
|
@ -517,22 +516,22 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
|||
// use of longer jump sequences than the 5-byte 0xE9 relative jump
|
||||
//
|
||||
if (Dll_Windows >= 10) {
|
||||
lowdata.is_win10 = TRUE;
|
||||
lowdata.flags.is_win10 = 1;
|
||||
}
|
||||
|
||||
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.is_wow64, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
|
||||
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.flags.is_wow64 == 1, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
|
||||
if (!remote_addr) {
|
||||
errlvl = 0x33;
|
||||
goto finish;
|
||||
}
|
||||
// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))
|
||||
#ifdef _WIN64
|
||||
lowdata.long_diff = TRUE;
|
||||
lowdata.flags.long_diff = 1;
|
||||
if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) {
|
||||
lowdata.long_diff = FALSE;
|
||||
lowdata.flags.long_diff = 0;
|
||||
}
|
||||
#else
|
||||
lowdata.long_diff = FALSE;
|
||||
lowdata.flags.long_diff = 0;
|
||||
#endif
|
||||
|
||||
if (dup_drv_handle)
|
||||
|
@ -581,7 +580,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
|||
+ m_sbielow_data_offset // offset of args area
|
||||
+ FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp);
|
||||
|
||||
if (!SbieDll_InjectLow_BuildTramp(lowdata.long_diff,
|
||||
if (!SbieDll_InjectLow_BuildTramp(lowdata.flags.long_diff == 1,
|
||||
lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) {
|
||||
|
||||
//UCHAR *code = lowdata.LdrInitializeThunk_tramp;
|
||||
|
@ -627,7 +626,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
|
|||
//
|
||||
// Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to
|
||||
// the remote_addr
|
||||
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.long_diff, &lowdata)) {
|
||||
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.flags.long_diff == 1, &lowdata)) {
|
||||
errlvl = 0x77;
|
||||
goto finish;
|
||||
}
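Review bot: `lowdata.flags.init_flags = init_flags;` copies every bit of the caller's word into the data block that is written into the target process, including `long_diff` and `is_win10`, which this function is meant to determine itself. `long_diff` is reassigned on both sides of the `#ifdef _WIN64`, but `is_win10` is only ever set to 1, so a stale `is_win10` bit in `init_flags` survives on pre-10 systems and selects the other jump encoding in InitSyscalls. Replace the `if (Dll_Windows >= 10) { ... }` block with `lowdata.flags.is_win10 = (Dll_Windows >= 10) ? 1 : 0;`, or mask `init_flags` to the caller-owned bits before the copy. The header comment of the function should also state which bits of `init_flags` a caller may set; SbieDll_InjectLow continues outside the hunks shown.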
|
||||
|
|
|
@ -199,7 +199,7 @@ SBIEDLL_EXPORT BOOLEAN SbieDll_ExpandAndRunProgram(const WCHAR *Command);
|
|||
|
||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper();
|
||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init);
|
||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle);
|
||||
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle);
|
||||
|
||||
|
||||
SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName);
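Review bot: `SbieDll_InjectLow` is an SBIEDLL_EXPORT, so changing its prototype to `(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle)` is a binary-incompatible change for any caller built against the old declaration, which would now pass its `is_wow64` value where `init_flags` is read. The declaration carries no comment on what `init_flags` is; add one above it, e.g. `// init_flags: SBIELOW_FLAGS.init_flags as filled by the caller (is_wow64, bHostInject, bNoSysHooks, bNoConsole); the remaining bits are set by SbieDll_InjectLow itself`, adjusting the list to the bits lowdata.h actually defines.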
|
||||
|
|
|
@ -376,7 +376,7 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
|
|||
jTableTarget[2] = 0xc2;
|
||||
*(ULONG *)&jTableTarget[3] = SyscallPtr[0];
|
||||
// jmp <4 byte SystemServiceAsm>
|
||||
if (data->is_win10) {
|
||||
if (data->flags.is_win10) {
|
||||
jTableTarget[7] = 0x48;
|
||||
jTableTarget[8] = 0xe9;
|
||||
*(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13));
|
||||
|
@ -424,9 +424,9 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
|
|||
ZwXxxPtr[1] = 0xC7;
|
||||
ZwXxxPtr[2] = 0xC2;
|
||||
*(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0];
|
||||
if (!data->long_diff) {
|
||||
if (!data->flags.long_diff) {
|
||||
|
||||
if (data->is_win10) {
|
||||
if (data->flags.is_win10) {
|
||||
ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm
|
||||
ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm
|
||||
*(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13));
|
||||
|
@ -479,7 +479,7 @@ _FX void InitConsole(SBIELOW_DATA *data)
|
|||
ULONG64 addr64;
|
||||
ULONG addr32;
|
||||
|
||||
if (! data->is_wow64)
|
||||
if (! data->flags.is_wow64)
|
||||
return;
|
||||
|
||||
//
|
||||
|
@ -564,11 +564,11 @@ _FX ULONG_PTR EntrypointC(SBIELOW_DATA *data,void *ActivationContext, void *Syst
|
|||
|
||||
// WaitForDebugger(data);
|
||||
|
||||
if(!data->bHostInject)
|
||||
if(!data->flags.bHostInject && !data->flags.bNoSysHooks)
|
||||
InitSyscalls(data, SystemService);
|
||||
#ifdef _WIN64
|
||||
InitInject(data, ActivationContext, ActivationContext64);
|
||||
if (!data->bHostInject)
|
||||
if (!data->flags.bNoConsole)
|
||||
InitConsole(data);
|
||||
#else
|
||||
InitInject(data, ActivationContext);
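Review bot: The guard on `InitConsole(data)` inside `#ifdef _WIN64` changed from `!data->bHostInject` to `!data->flags.bNoConsole`, which drops the host-inject exclusion: DriverAssist derives `bNoConsole` from NoSecurityIsolation/NoSandboxieDesktop only, so a host-injected process with neither option now runs InitConsole where it previously did not. If that is not intended, keep both conditions, `if (!data->flags.bHostInject && !data->flags.bNoConsole)`, matching the InitSyscalls guard a few lines above. EntrypointC continues outside the hunk.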
|
||||
|
|
|
@ -246,7 +246,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
|
|||
|
||||
#ifdef _WIN64
|
||||
|
||||
if (data->is_wow64) {
|
||||
if (data->flags.is_wow64) {
|
||||
|
||||
//
|
||||
// Instead of requiering the driver for this task, we can simplify it
|
||||
|
@ -320,7 +320,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
|
|||
|
||||
#ifdef _WIN64
|
||||
|
||||
if (data->is_wow64) {
|
||||
if (data->flags.is_wow64) {
|
||||
|
||||
InitInjectWow64(data,RtlFindActivationContextSectionString);
|
||||
goto store_sbielow_address;
|
||||
|
|
|
@ -43,20 +43,7 @@ typedef struct _SBIELOW_J_TABLE
|
|||
|
||||
#endif
|
||||
|
||||
typedef struct _SBIELOW_DATA {
|
||||
ULONG64 ntdll_base;
|
||||
ULONG64 syscall_data;
|
||||
|
||||
ULONG64 api_device_handle;
|
||||
ULONG api_sbiedrv_ctlcode;
|
||||
ULONG api_invoke_syscall;
|
||||
|
||||
BOOLEAN is_wow64;
|
||||
BOOLEAN long_diff;
|
||||
BOOLEAN bHostInject;
|
||||
BOOLEAN is_win10;
|
||||
|
||||
/*union {
|
||||
typedef union _SBIELOW_FLAGS {
|
||||
ULONG init_flags;
|
||||
struct {
|
||||
ULONG
|
||||
|
@ -74,7 +61,21 @@ typedef struct _SBIELOW_DATA {
|
|||
is_win10 : 1,
|
||||
reservd_4 : 7;
|
||||
};
|
||||
};*/
|
||||
} SBIELOW_FLAGS;
|
||||
|
||||
typedef struct _SBIELOW_DATA {
|
||||
ULONG64 ntdll_base;
|
||||
ULONG64 syscall_data;
|
||||
|
||||
ULONG64 api_device_handle;
|
||||
ULONG api_sbiedrv_ctlcode;
|
||||
ULONG api_invoke_syscall;
|
||||
|
||||
//BOOLEAN is_wow64;
|
||||
//BOOLEAN long_diff;
|
||||
//BOOLEAN bHostInject;
|
||||
//BOOLEAN is_win10;
|
||||
SBIELOW_FLAGS flags;
|
||||
|
||||
__declspec(align(16))
|
||||
UCHAR LdrInitializeThunk_tramp[48];
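Review bot: SBIELOW_FLAGS overlays a `ULONG init_flags` with a bit-field struct, and SBIELOW_DATA is shared between SbieDll and the lowlevel code, so the union must stay exactly 32 bits; only part of the bit-field list is visible here (`is_win10 : 1, reservd_4 : 7;`) and nothing checks the total. Add `C_ASSERT(sizeof(SBIELOW_FLAGS) == sizeof(ULONG));` after the typedef so a later flag that spills into a second ULONG fails at compile time instead of shifting the members that follow `flags`. Bit-field placement inside the unit is implementation-defined; both sides appear to be built with the same compiler, but that assumption is worth a one-line comment on the union. The four commented-out `//BOOLEAN` members left in SBIELOW_DATA are dead and should be deleted; the struct continues outside the hunk.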
|
||||
|
|
|
@ -77,13 +77,19 @@ void DriverAssist::InjectLow(void *_msg)
|
|||
// inject the lowlevel.dll into the target process
|
||||
//
|
||||
|
||||
BOOLEAN bHostInject = msg->bHostInject;
|
||||
// NoSysCallHooks BEGIN
|
||||
if (!bHostInject && SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE))
|
||||
bHostInject = 2;
|
||||
// NoSysCallHooks END
|
||||
SBIELOW_FLAGS sbieLow;
|
||||
sbieLow.init_flags = 0;
|
||||
|
||||
errlvl = SbieDll_InjectLow(hProcess, msg->is_wow64, bHostInject, TRUE);
|
||||
sbieLow.is_wow64 = msg->is_wow64;
|
||||
sbieLow.bHostInject = msg->bHostInject;
|
||||
// NoSysCallHooks BEGIN
|
||||
sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
|
||||
// NoSysCallHooks END
|
||||
// NoSbieDesk BEGIN
|
||||
sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
|
||||
// NoSbieDesk END
|
||||
|
||||
errlvl = SbieDll_InjectLow(hProcess, sbieLow.init_flags, TRUE);
|
||||
if(errlvl != 0)
|
||||
goto finish;
|
||||
|
||||
|
@ -92,10 +98,10 @@ void DriverAssist::InjectLow(void *_msg)
|
|||
//
|
||||
|
||||
// NoSbieDesk BEGIN
|
||||
BOOLEAN GuiProxy = SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
|
||||
BOOLEAN GuiProxy = !SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
|
||||
// NoSbieDesk END
|
||||
// DisableComProxy BEGIN
|
||||
BOOLEAN ComProxy = SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
|
||||
BOOLEAN ComProxy = !SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
|
||||
// DisableComProxy END
|
||||
if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy
|
||||
if (!msg->bHostInject)
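Review bot: `sbieLow.is_wow64 = msg->is_wow64;` and `sbieLow.bHostInject = msg->bHostInject;` store a BOOLEAN into a 1-bit field, which keeps only the low bit: a nonzero value whose low bit is clear (the removed code itself used `bHostInject = 2`) silently becomes 0, and Dll_Ordinal1 then compares the bit `== 1`. Normalise at the boundary, `sbieLow.is_wow64 = msg->is_wow64 ? 1 : 0;` and `sbieLow.bHostInject = msg->bHostInject ? 1 : 0;`. The `SbieApi_QueryConfBool(...) || ...` expressions already yield 0/1; as a style point, `NoSecurityIsolation` is queried three times in this function and could be read once into a local. DriverAssist::InjectLow continues outside the hunks.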
|
||||
|
|