diff --git a/Sandboxie/core/drv/process_low.c b/Sandboxie/core/drv/process_low.c index 91290c26..16f0e645 100644 --- a/Sandboxie/core/drv/process_low.c +++ b/Sandboxie/core/drv/process_low.c @@ -99,7 +99,7 @@ _FX BOOLEAN Process_Low_Inject( SVC_PROCESS_MSG msg; ULONG_PTR is_wow64 = 0; NTSTATUS status = STATUS_SUCCESS; - BOOLEAN sbielow_loaded = FALSE; + BOOLEAN done = FALSE; KIRQL irql; // @@ -179,7 +179,7 @@ _FX BOOLEAN Process_Low_Inject( if (proc && proc->create_time == create_time) { - sbielow_loaded = proc->sbielow_loaded; + done = proc->sbielow_loaded || proc->terminated; if (! is_wow64) proc->ntdll32_base = -1; @@ -188,7 +188,7 @@ _FX BOOLEAN Process_Low_Inject( ExReleaseResourceLite(Process_ListLock); KeLowerIrql(irql); - if (sbielow_loaded) + if (done) break; time.QuadPart = -(SECONDS(1) / 4); // 250ms*40 = 10s @@ -197,7 +197,7 @@ _FX BOOLEAN Process_Low_Inject( ++retries; } - if (! sbielow_loaded) // if no response from SbieSvc + if (! done) // if no response from SbieSvc status = STATUS_TIMEOUT; } @@ -254,14 +254,14 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms) KIRQL irql; PROCESS *proc = Process_Find(ProcessId, &irql); - if (proc) - proc->sbielow_loaded = TRUE; - - ExReleaseResourceLite(Process_ListLock); - KeLowerIrql(irql); - if (proc) { + ULONG error = (ULONG)parms[3]; + if (error) + Process_SetTerminated(proc, 3); + else + proc->sbielow_loaded = TRUE; + // // the service dynamically allocates a per box SID to be used, // if no SID is provided this feature is either disabled or failed @@ -284,6 +284,12 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms) } __except (EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } + } + + ExReleaseResourceLite(Process_ListLock); + KeLowerIrql(irql); + + if (proc) { KeSetEvent(Process_Low_Event, 0, FALSE); status = STATUS_SUCCESS; diff --git a/Sandboxie/core/drv/syscall.c b/Sandboxie/core/drv/syscall.c index 8e1da594..6fbfdc1b 100644 
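Review bot: Leaving the wait loop because of `proc->terminated` keeps `status` at STATUS_SUCCESS, since the only failure assignment after the loop (hunk @@ -197) is `if (! done) status = STATUS_TIMEOUT;`, so an injection the service reported as failed is indistinguishable from a successful one to whatever follows the loop (the rest of Process_Low_Inject is outside the hunk). Capture the two conditions separately while the list lock is held, e.g. `BOOLEAN terminated = FALSE;` next to `done`, then `terminated = proc->terminated; done = proc->sbielow_loaded || terminated;`, and after the loop `else if (terminated) status = STATUS_PROCESS_IS_TERMINATING;`. That lets the caller tell a timeout from a service-reported failure instead of depending on the terminated flag being re-checked somewhere else.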
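Review bot: `ULONG error = (ULONG)parms[3];` turns any non-zero value supplied by the API caller into `Process_SetTerminated(proc, 3)` on the process named by `ProcessId`, so the change is only safe if Process_Low_Api_InjectComplete already rejects callers other than the service; that check, if present, is outside the hunk and worth re-confirming now that the call can terminate a process rather than only flag it as injected. The `ExReleaseResourceLite(Process_ListLock)` and `KeLowerIrql(irql)` now follow the `__try/__except` block (hunk @@ -284), which protects the `proc` accesses inside it but also means Process_ListLock is held for the whole block that handles the caller-supplied SID data, so that block should stay short and free of anything that may block. The reason code `3` is a magic number; a comment such as `// SbieSvc reported that SbieLow injection failed` next to the call (confirm the meaning of code 3 against its other call sites) would spare the next reader a lookup.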
--- a/Sandboxie/core/drv/syscall.c +++ b/Sandboxie/core/drv/syscall.c @@ -68,8 +68,10 @@ static NTSTATUS Syscall_DeviceIoControlFile( static NTSTATUS Syscall_DuplicateHandle( PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args); +#ifdef _M_AMD64 static BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack( PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args); +#endif //--------------------------------------------------------------------------- @@ -169,8 +171,10 @@ _FX BOOLEAN Syscall_Init(void) if (!Syscall_Set1("DeviceIoControlFile", Syscall_DeviceIoControlFile)) return FALSE; +#ifdef _M_AMD64 if (!Syscall_Set3("QuerySystemInformation", Syscall_QuerySystemInfo_SupportProcmonStack)) return FALSE; +#endif // // set API handlers @@ -338,7 +342,9 @@ _FX BOOLEAN Syscall_Init_List(void) entry->ntos_func = ntos_addr; entry->handler1_func = NULL; entry->handler2_func = NULL; +#ifdef _M_AMD64 entry->handler3_func_support_procmon = NULL; +#endif entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0); entry->name_len = (USHORT)name_len; memcpy(entry->name, name, name_len); @@ -526,7 +532,7 @@ _FX BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func) // Syscall_Set3 //--------------------------------------------------------------------------- - +#ifdef _M_AMD64 _FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func) { SYSCALL_ENTRY *entry = Syscall_GetByName(name); @@ -535,7 +541,7 @@ _FX BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_S entry->handler3_func_support_procmon = handler_func; return TRUE; } - +#endif //--------------------------------------------------------------------------- // Syscall_ErrorForAsciiName 
@@ -598,7 +604,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) SYSCALL_ENTRY *entry; ULONG syscall_index; NTSTATUS status; -#ifdef _WIN64 +#ifdef _M_AMD64 volatile ULONG_PTR ret = 0; volatile ULONG_PTR UserStack = 0; @@ -690,7 +696,10 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) const ULONG args_len = entry->param_count * sizeof(ULONG_PTR); #ifdef _WIN64 ProbeForRead(user_args, args_len, sizeof(ULONG_PTR)); - +#else ! _WIN64 + ProbeForRead(user_args, args_len, sizeof(UCHAR)); +#endif _WIN64 +#ifdef _M_AMD64 // default - support procmon stack if handler3_func_support_procmon is null. if (!entry->handler3_func_support_procmon || entry->handler3_func_support_procmon(proc, entry, user_args) @@ -700,17 +709,10 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset); if (pTrapFrame) { -#ifdef _M_ARM64 - //ret = pTrapFrame->Pc; - //UserStack = pTrapFrame->Sp; - //pTrapFrame->Sp = pTrapFrame->Fp; - //pTrapFrame->Pc = pTrapFrame->X27; -#else ret = pTrapFrame->Rip; UserStack = pTrapFrame->Rsp; pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp; pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx; -#endif } } else @@ -722,11 +724,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) { pTrapFrame = NULL; } - -#else ! _WIN64 - ProbeForRead(user_args, args_len, sizeof(UCHAR)); -#endif _WIN64 - +#endif //if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY)) //{ @@ -846,16 +844,11 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) } } -#ifdef _WIN64 +#ifdef _M_AMD64 if (g_TrapFrameOffset) { if (pTrapFrame) { -#ifdef _M_ARM64 - //pTrapFrame->Pc = ret; - //pTrapFrame->Sp = UserStack; -#else pTrapFrame->Rip = ret; pTrapFrame->Rsp = UserStack; -#endif } } #endif 
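Review bot: The relocated `#else ! _WIN64` and `#endif _WIN64` lines carry bare tokens after the directive, which is not standard C (compilers accept it only with an "extra tokens" warning); write them as `#else /* !_WIN64 */` and `#endif /* _WIN64 */`, and give the new `#endif` that closes the `_M_AMD64` region in hunk @@ -722 a matching `/* _M_AMD64 */` comment, since it now sits well below its `#ifdef`. The same two lines appear in syscall_win32.c (hunk @@ -537) and the same fix applies there. With the `_WIN64` and `_M_AMD64` regions now opening back to back in this hunk, the comments are what keep the two predicates distinguishable for a reader.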
@@ -1040,7 +1033,7 @@ _FX void Syscall_Update_Lockdown() // Syscall_QuerySystemInfo_SupportProcmonStack //--------------------------------------------------------------------------- - +#ifdef _M_AMD64 _FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack( PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args) { @@ -1066,7 +1059,7 @@ _FX BOOLEAN Syscall_QuerySystemInfo_SupportProcmonStack( return bRet; } - +#endif //--------------------------------------------------------------------------- // 32-bit and 64-bit code diff --git a/Sandboxie/core/drv/syscall.h b/Sandboxie/core/drv/syscall.h index 1aa33619..fc9b40d3 100644 --- a/Sandboxie/core/drv/syscall.h +++ b/Sandboxie/core/drv/syscall.h @@ -53,8 +53,10 @@ typedef NTSTATUS (*P_Syscall_Handler2)( PROCESS *proc, void *Object, UNICODE_STRING *Name, ULONG Operation, ACCESS_MASK GrantedAccess); +#ifdef _M_AMD64 typedef BOOLEAN (*P_Syscall_Handler3_Support_Procmon_Stack)( PROCESS *proc, SYSCALL_ENTRY *syscall_entry, ULONG_PTR *user_args); +#endif struct _SYSCALL_ENTRY { @@ -66,7 +68,9 @@ struct _SYSCALL_ENTRY { void *ntos_func; P_Syscall_Handler1 handler1_func; P_Syscall_Handler2 handler2_func; +#ifdef _M_AMD64 P_Syscall_Handler3_Support_Procmon_Stack handler3_func_support_procmon; +#endif UCHAR approved; USHORT name_len; UCHAR name[1]; @@ -89,7 +93,9 @@ BOOLEAN Syscall_Set1(const UCHAR *name, P_Syscall_Handler1 handler_func); BOOLEAN Syscall_Set2(const UCHAR *name, P_Syscall_Handler2 handler_func); +#ifdef _M_AMD64 BOOLEAN Syscall_Set3(const UCHAR *name, P_Syscall_Handler3_Support_Procmon_Stack handler_func); +#endif NTSTATUS Syscall_Invoke(SYSCALL_ENTRY *entry, ULONG_PTR *stack); diff --git a/Sandboxie/core/drv/syscall_win32.c b/Sandboxie/core/drv/syscall_win32.c index b1d98499..cb411a74 100644 --- a/Sandboxie/core/drv/syscall_win32.c +++ b/Sandboxie/core/drv/syscall_win32.c 
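Review bot: Gating `handler3_func_support_procmon` inside `struct _SYSCALL_ENTRY` on `_M_AMD64` makes `sizeof(SYSCALL_ENTRY)` and the offsets of `approved`, `name_len` and `name` differ between architectures. That is harmless as long as every translation unit that builds or reads these entries is compiled with the same defines, which appears to be the case for the driver sources in this commit, but it should be confirmed that syscall.h is not also included by any user-mode component that walks the entry table. A one-line comment on the field, e.g. `// AMD64 only: procmon stack support; layout differs on other targets`, would document the intent.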
@@ -363,7 +363,9 @@ _FX BOOLEAN Syscall_Init_List32(void) entry->ntos_func = ntos_addr; entry->handler1_func = NULL; entry->handler2_func = NULL; +#ifdef _M_AMD64 entry->handler3_func_support_procmon = NULL; +#endif entry->approved = (Syscall_HookMapMatch(name, name_len, &approved_syscalls) != 0); entry->name_len = (USHORT)name_len; memcpy(entry->name, name, name_len); @@ -470,7 +472,7 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms) SYSCALL_ENTRY *entry; ULONG syscall_index; NTSTATUS status; -#ifdef _WIN64 +#ifdef _M_AMD64 volatile ULONG_PTR ret = 0; volatile ULONG_PTR UserStack = 0; @@ -537,7 +539,10 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms) const ULONG args_len = entry->param_count * sizeof(ULONG_PTR); #ifdef _WIN64 ProbeForRead(user_args, args_len, sizeof(ULONG_PTR)); - +#else ! _WIN64 + ProbeForRead(user_args, args_len, sizeof(UCHAR)); +#endif _WIN64 +#ifdef _M_AMD64 // default - support procmon stack if handler3_func_support_procmon is null. if (!entry->handler3_func_support_procmon || entry->handler3_func_support_procmon(proc, entry, user_args) @@ -547,15 +552,10 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms) pTrapFrame = (PKTRAP_FRAME) *(ULONG_PTR*)((UCHAR*)pThread + g_TrapFrameOffset); if (pTrapFrame) { -#ifdef _M_ARM64 - ret = pTrapFrame->Pc; - UserStack = pTrapFrame->Sp; -#else ret = pTrapFrame->Rip; UserStack = pTrapFrame->Rsp; pTrapFrame->Rsp = pTrapFrame->Rbp; //*pRbp; pTrapFrame->Rip = pTrapFrame->Rbx; //*pRbx; -#endif } } else @@ -567,10 +567,7 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms) { pTrapFrame = NULL; } - -#else ! _WIN64 - ProbeForRead(user_args, args_len, sizeof(UCHAR)); -#endif _WIN64 +#endif if (entry->handler1_func) { 
@@ -607,16 +604,11 @@ _FX NTSTATUS Syscall_Api_Invoke32(PROCESS* proc, ULONG64* parms) strings, lengths, PsGetCurrentProcessId(), PsGetCurrentThreadId()); } -#ifdef _WIN64 +#ifdef _M_AMD64 if (g_TrapFrameOffset) { if (pTrapFrame) { -#ifdef _M_ARM64 - pTrapFrame->Pc = ret; - pTrapFrame->Sp = UserStack; -#else pTrapFrame->Rip = ret; pTrapFrame->Rsp = UserStack; -#endif } } #endif diff --git a/Sandboxie/core/svc/DriverAssistInject.cpp b/Sandboxie/core/svc/DriverAssistInject.cpp index 48f856fa..3a1f8c11 100644 --- a/Sandboxie/core/svc/DriverAssistInject.cpp +++ b/Sandboxie/core/svc/DriverAssistInject.cpp @@ -150,8 +150,10 @@ finish: if (hProcess) { - if (errlvl) - TerminateProcess(hProcess, 1); + if (errlvl) { + SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, errlvl); + //TerminateProcess(hProcess, 1); + } CloseHandle(hProcess); }
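Review bot: The return value of `SbieApi_Call(API_INJECT_COMPLETE, ...)` is discarded, so if the driver cannot act on it (the target PROCESS is no longer found, or the call is rejected) the process that failed SbieLow injection is neither flagged by the driver nor terminated, whereas the old code always ran TerminateProcess. Keep the kill as the fallback: `if (!NT_SUCCESS(SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, (ULONG_PTR)errlvl))) TerminateProcess(hProcess, 1);`, which also casts `errlvl` the same way as the process id for the variadic call. If Process_SetTerminated on the driver side only marks the process and relies on a later syscall to end it, a process that never makes another call stays alive without SbieLow loaded; confirm that is acceptable before dropping the immediate kill. Delete the commented-out `//TerminateProcess(hProcess, 1);` rather than leaving it in place.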