This commit is contained in:
DavidXanatos 2021-09-19 20:30:40 +02:00
parent 2fb67c23fb
commit 7acaad37ce
7 changed files with 61 additions and 55 deletions

View File

@ -743,13 +743,13 @@ _FX ULONG_PTR Dll_Ordinal1(
data = (SBIELOW_DATA *)inject->sbielow_data;
bHostInject = data->bHostInject == 1;
bHostInject = data->flags.bHostInject == 1;
//
// the SbieLow data area includes values that are useful to us
//
Dll_IsWow64 = data->is_wow64;
Dll_IsWow64 = data->flags.is_wow64 == 1;
SbieApi_DeviceHandle = (HANDLE)data->api_device_handle;

View File

@ -479,7 +479,7 @@ ULONG64 SbieDll_FindWOW64_Ntdll(_In_ HANDLE ProcessHandle)
//---------------------------------------------------------------------------
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle)
_FX ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle)
{
//SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
ULONG errlvl = 0;
@ -501,15 +501,14 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
SBIELOW_DATA lowdata;
memzero(&lowdata, sizeof(lowdata));
lowdata.flags.init_flags = init_flags;
#ifdef _WIN64
if (is_wow64)//(msg->is_wow64)
if (lowdata.flags.is_wow64)
lowdata.ntdll_wow64_base = SbieDll_FindWOW64_Ntdll(hProcess);
#endif
lowdata.ntdll_base = (ULONG64)(ULONG_PTR)Dll_Ntdll;
lowdata.is_wow64 = is_wow64; //msg->is_wow64;
lowdata.bHostInject = bHostInject; //msg->bHostInject;
lowdata.RealNtDeviceIoControlFile = (ULONG64)GetProcAddress((HMODULE)lowdata.ntdll_base, "NtDeviceIoControlFile");
//
// on 64-bit Windows 8, there might be a difference of more than
@ -517,22 +516,22 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
// use of longer jump sequences than the 5-byte 0xE9 relative jump
//
if (Dll_Windows >= 10) {
lowdata.is_win10 = TRUE;
lowdata.flags.is_win10 = 1;
}
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.is_wow64, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
void *remote_addr = SbieDll_InjectLow_CopyCode(hProcess, lowdata.flags.is_wow64 == 1, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
if (!remote_addr) {
errlvl = 0x33;
goto finish;
}
// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))
#ifdef _WIN64
lowdata.long_diff = TRUE;
lowdata.flags.long_diff = 1;
if (SbieDll_Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) {
lowdata.long_diff = FALSE;
lowdata.flags.long_diff = 0;
}
#else
lowdata.long_diff = FALSE;
lowdata.flags.long_diff = 0;
#endif
if (dup_drv_handle)
@ -581,7 +580,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
+ m_sbielow_data_offset // offset of args area
+ FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp);
if (!SbieDll_InjectLow_BuildTramp(lowdata.long_diff,
if (!SbieDll_InjectLow_BuildTramp(lowdata.flags.long_diff == 1,
lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) {
//UCHAR *code = lowdata.LdrInitializeThunk_tramp;
@ -627,7 +626,7 @@ _FX ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInje
//
// Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to
// the remote_addr
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.long_diff, &lowdata)) {
if (!SbieDll_InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.flags.long_diff == 1, &lowdata)) {
errlvl = 0x77;
goto finish;
}

View File

@ -199,7 +199,7 @@ SBIEDLL_EXPORT BOOLEAN SbieDll_ExpandAndRunProgram(const WCHAR *Command);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper();
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, ULONG init_flags, BOOLEAN dup_drv_handle);
SBIEDLL_EXPORT BOOLEAN SbieDll_MatchImage(const WCHAR* pat_str, const WCHAR* test_str, const WCHAR* BoxName);

View File

@ -376,7 +376,7 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
jTableTarget[2] = 0xc2;
*(ULONG *)&jTableTarget[3] = SyscallPtr[0];
// jmp <4 byte SystemServiceAsm>
if (data->is_win10) {
if (data->flags.is_win10) {
jTableTarget[7] = 0x48;
jTableTarget[8] = 0xe9;
*(ULONG *)&jTableTarget[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (jTableTarget + 13));
@ -424,9 +424,9 @@ _FX void InitSyscalls(SBIELOW_DATA *data, void * SystemService)
ZwXxxPtr[1] = 0xC7;
ZwXxxPtr[2] = 0xC2;
*(ULONG *)&ZwXxxPtr[3] = SyscallPtr[0];
if (!data->long_diff) {
if (!data->flags.long_diff) {
if (data->is_win10) {
if (data->flags.is_win10) {
ZwXxxPtr[7] = 0x48; // jmp SystemServiceAsm
ZwXxxPtr[8] = 0xE9; // jmp SystemServiceAsm
*(ULONG *)&ZwXxxPtr[9] = (ULONG)(ULONG_PTR)(SystemServiceAsm - (ZwXxxPtr + 13));
@ -479,7 +479,7 @@ _FX void InitConsole(SBIELOW_DATA *data)
ULONG64 addr64;
ULONG addr32;
if (! data->is_wow64)
if (! data->flags.is_wow64)
return;
//
@ -564,11 +564,11 @@ _FX ULONG_PTR EntrypointC(SBIELOW_DATA *data,void *ActivationContext, void *Syst
// WaitForDebugger(data);
if(!data->bHostInject)
if(!data->flags.bHostInject && !data->flags.bNoSysHooks)
InitSyscalls(data, SystemService);
#ifdef _WIN64
InitInject(data, ActivationContext, ActivationContext64);
if (!data->bHostInject)
if (!data->flags.bNoConsole)
InitConsole(data);
#else
InitInject(data, ActivationContext);

View File

@ -246,7 +246,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
#ifdef _WIN64
if (data->is_wow64) {
if (data->flags.is_wow64) {
//
// Instead of requiering the driver for this task, we can simplify it
@ -320,7 +320,7 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
#ifdef _WIN64
if (data->is_wow64) {
if (data->flags.is_wow64) {
InitInjectWow64(data,RtlFindActivationContextSectionString);
goto store_sbielow_address;

View File

@ -43,20 +43,7 @@ typedef struct _SBIELOW_J_TABLE
#endif
typedef struct _SBIELOW_DATA {
ULONG64 ntdll_base;
ULONG64 syscall_data;
ULONG64 api_device_handle;
ULONG api_sbiedrv_ctlcode;
ULONG api_invoke_syscall;
BOOLEAN is_wow64;
BOOLEAN long_diff;
BOOLEAN bHostInject;
BOOLEAN is_win10;
/*union {
typedef union _SBIELOW_FLAGS {
ULONG init_flags;
struct {
ULONG
@ -74,7 +61,21 @@ typedef struct _SBIELOW_DATA {
is_win10 : 1,
reservd_4 : 7;
};
};*/
} SBIELOW_FLAGS;
typedef struct _SBIELOW_DATA {
ULONG64 ntdll_base;
ULONG64 syscall_data;
ULONG64 api_device_handle;
ULONG api_sbiedrv_ctlcode;
ULONG api_invoke_syscall;
//BOOLEAN is_wow64;
//BOOLEAN long_diff;
//BOOLEAN bHostInject;
//BOOLEAN is_win10;
SBIELOW_FLAGS flags;
__declspec(align(16))
UCHAR LdrInitializeThunk_tramp[48];

View File

@ -77,13 +77,19 @@ void DriverAssist::InjectLow(void *_msg)
// inject the lowlevel.dll into the target process
//
BOOLEAN bHostInject = msg->bHostInject;
// NoSysCallHooks BEGIN
if (!bHostInject && SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE))
bHostInject = 2;
// NoSysCallHooks END
SBIELOW_FLAGS sbieLow;
sbieLow.init_flags = 0;
errlvl = SbieDll_InjectLow(hProcess, msg->is_wow64, bHostInject, TRUE);
sbieLow.is_wow64 = msg->is_wow64;
sbieLow.bHostInject = msg->bHostInject;
// NoSysCallHooks BEGIN
sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
// NoSysCallHooks END
// NoSbieDesk BEGIN
sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
// NoSbieDesk END
errlvl = SbieDll_InjectLow(hProcess, sbieLow.init_flags, TRUE);
if(errlvl != 0)
goto finish;
@ -92,10 +98,10 @@ void DriverAssist::InjectLow(void *_msg)
//
// NoSbieDesk BEGIN
BOOLEAN GuiProxy = SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
BOOLEAN GuiProxy = !SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE);
// NoSbieDesk END
// DisableComProxy BEGIN
BOOLEAN ComProxy = SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
BOOLEAN ComProxy = !SbieApi_QueryConfBool(boxname, L"DisableComProxy", FALSE);
// DisableComProxy END
if(GuiProxy || ComProxy) // if we need a GUI/Console or a COM Proxy
if (!msg->bHostInject)