This commit is contained in:
DavidXanatos 2021-12-12 21:32:12 +01:00
parent 9995471076
commit 839cb832e4
4 changed files with 63 additions and 6 deletions


@ -8,9 +8,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Added
- added mechanism to hook Win32 system calls on windows 10 and later, this should resolve the issue with Chromium HW acceleration
-- Note: this mechanism does not, yet, work for 32 bit applications running under WoW64
-- to enable it, add "EnableWin32kHooks=y" to the global ini section, this feature is highly experimental (!)
-- the hooks will be automatically applied to Chromium GPU processes
-- to force Win32k hooks for all processes in a selected box add "AlwaysUseWin32kHooks=y" [#1261](https://github.com/sandboxie-plus/Sandboxie/issues/1261) [#1395](https://github.com/sandboxie-plus/Sandboxie/issues/1395)
-- to force Win32k hooks for all processes in a selected box add "AlwaysUseWin32kHooks=program.exe,y" [#1261](https://github.com/sandboxie-plus/Sandboxie/issues/1261) [#1395](https://github.com/sandboxie-plus/Sandboxie/issues/1395)
### Fixed
- fixed bug in GetVersionExW making "OverrideOsBuild=..." not working [#605](https://github.com/sandboxie-plus/Sandboxie/issues/605) [#1426](https://github.com/sandboxie-plus/Sandboxie/issues/1426)
@ -58,7 +59,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- added new "App Compartment" mode of operation, it is enabled by adding "NoSecurityIsolation=y" to the box configuration
-- in this mode, security is traded in for compatibility, it should not be used for untrusted applications
-- note: in this mode, file and registry filtering are still in place, hence processes run without administrative privileges
-- Note: in this mode, file and registry filtering are still in place, hence processes run without administrative privileges
-- it is reasonably safe, all filtering can be disabled with "NoSecurityFiltering=y"
- added experimental use of ObRegisterCallbacks to filter object creation and duplication


@ -20,10 +20,15 @@
//---------------------------------------------------------------------------
#define NOGDI
#include "dll.h"
#include "common\pattern.h"
#define HOOK_WIN32K
//#define WOW64_EXPERIMEN
#ifdef HOOK_WIN32K
#include "core/drv/api_defs.h"
@ -146,6 +151,7 @@ _FX BOOLEAN SbieDll_HookWin32SysCalls(HMODULE win32u_base)
}
#ifndef _WIN64
#ifdef WOW64_EXPERIMEN
_FX NTSTATUS SbieDll_WoW64SysCall(ULONG syscall, ULONG* args)
{
extern HANDLE SbieApi_DeviceHandle;
@ -210,7 +216,7 @@ _FX BOOLEAN SbieDll_HookWoW64SysCalls(HMODULE win32u_base)
void *RegionBase;
SIZE_T RegionSize;
ULONG OldProtect;
SystemServiceAsm = (UCHAR*)SbieDll_WoW64SysCallProc;
UCHAR* syscall_data = (UCHAR *)HeapAlloc(GetProcessHeap(), 0, 144000); // enough room for 2000 syscalls with names
@ -224,6 +230,10 @@ _FX BOOLEAN SbieDll_HookWoW64SysCalls(HMODULE win32u_base)
return FALSE;
}
LIST DisabledHookList;
List_Init(&DisabledHookList);
Config_InitPatternList(L"SkipWin32Hook", &DisabledHookList);
SyscallPtr = (ULONG *)(syscall_data
+ sizeof(ULONG)); // size of buffer
@ -233,8 +243,24 @@ _FX BOOLEAN SbieDll_HookWoW64SysCalls(HMODULE win32u_base)
strcpy(FuncName + 2, (char*)&SyscallPtr[2]);
ZwXxxPtr = (UCHAR*)GetProcAddress(win32u_base, FuncName);
if (!ZwXxxPtr)
return FALSE;
goto next;
{
ULONG len = strlen((char*)&SyscallPtr[2]);
WCHAR wname[68];
for (ULONG i = 0; i < len; i++)
wname[i] = ((char*)&SyscallPtr[2])[i];
wname[len] = 0;
PATTERN* pat = List_Head(&DisabledHookList);
while (pat)
{
if (Pattern_Match(pat, _wcslwr(wname), len))
goto next;
pat = List_Next(pat);
}
}
RegionBase = ZwXxxPtr;
RegionSize = 10;
@ -253,14 +279,17 @@ _FX BOOLEAN SbieDll_HookWoW64SysCalls(HMODULE win32u_base)
NtCurrentProcess(), &RegionBase, &RegionSize,
OldProtect, &OldProtect);
next:
SyscallPtr += 2 + 16;
}
Config_FreePatternList(&DisabledHookList);
HeapFree(GetProcessHeap(), 0, syscall_data);
return TRUE;
}
#endif
#endif
#endif
@ -276,6 +305,12 @@ _FX BOOLEAN Win32_Init(HMODULE hmodule)
return TRUE;
// NoSysCallHooks END
#ifndef WOW64_EXPERIMEN
// ToDo: add no WoW64 support
if (! Dll_IsWow64)
return TRUE;
#endif
// disable Electron Workaround when we are ready to hook the required win32k syscalls
extern BOOL Dll_ElectronWorkaround;
Dll_ElectronWorkaround = FALSE;
@ -287,12 +322,14 @@ _FX BOOLEAN Win32_Init(HMODULE hmodule)
WCHAR* cmdline = GetCommandLine();
if ((wcsstr(cmdline, L"--type=gpu-process") != NULL && wcsstr(cmdline, L"--gpu-preferences=") != NULL)
|| SbieApi_QueryConfBool(NULL, L"AlwaysUseWin32kHooks", FALSE)) {
|| SbieDll_GetSettingsForName_bool(NULL, Dll_ImageName, L"AlwaysUseWin32kHooks", FALSE)) {
#ifndef _WIN64
#ifdef WOW64_EXPERIMEN
if (Dll_IsWow64)
SbieDll_HookWoW64SysCalls(hmodule);
else
#endif
#endif
SbieDll_HookWin32SysCalls(hmodule);
}
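Review bot: The char-to-WCHAR copy into `wname[68]` in the `@ -233,8 +243,24` hunk never checks `len` against the buffer, so a name of 68 or more characters would write past the stack array at `wname[i] = ...` and `wname[len] = 0`. The entry stride `SyscallPtr += 2 + 16` suggests the name field is 16 ULONGs, which would fit, but that bound is set by whoever fills `syscall_data`, not by this code; a one-line guard placed before the loop keeps the local code safe on its own: `if (len >= sizeof(wname) / sizeof(wname[0])) goto next;`. Separately, `_wcslwr(wname)` is re-applied on every iteration of the pattern `while` loop; lowering once before the loop (`_wcslwr(wname);` then `Pattern_Match(pat, wname, len)`) is cheaper and makes the in-place mutation explicit, and casting the source byte through `(unsigned char)` avoids sign-extension into the WCHAR for any non-ASCII byte. The enclosing function SbieDll_HookWoW64SysCalls begins outside that hunk.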


@ -329,6 +329,23 @@ _FX BOOLEAN Config_InitPatternList(const WCHAR* setting, LIST* list)
}
//---------------------------------------------------------------------------
// Config_FreePatternList
//---------------------------------------------------------------------------
_FX VOID Config_FreePatternList(LIST *list)
{
PATTERN* pat;
while (1) {
pat = List_Head(list);
if (! pat)
break;
List_Remove(list, pat);
Pattern_Free(pat);
}
}
//---------------------------------------------------------------------------
// SbieDll_GetSettingsForName
//---------------------------------------------------------------------------
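Review bot: `Config_FreePatternList` carries only the banner comment and no statement of its contract, so a reader has to infer from the `List_Remove` + `Pattern_Free` pair that it releases every pattern and leaves the LIST header itself untouched and empty. Suggest a line above the definition: `// Remove and free every PATTERN in *list; the LIST header is not freed and is left empty for reuse.` The `while (1)` / `break` shape could also be written `while ((pat = List_Head(list)) != NULL) { List_Remove(list, pat); Pattern_Free(pat); }`, which reads the termination condition directly, but that is style only.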


@ -779,6 +779,8 @@ WCHAR* Config_MatchImageAndGetValue(WCHAR* value, const WCHAR* ImageName, ULONG*
BOOLEAN Config_InitPatternList(const WCHAR* setting, LIST* list);
VOID Config_FreePatternList(LIST* list);
BOOLEAN Config_String2Bool(const WCHAR* value, BOOLEAN defval);
BOOLEAN Config_GetSettingsForImageName_bool(const WCHAR* setting, BOOLEAN defval);