From a4b5af2bbf0263c19975938e9751934f99ed7b54 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 17:15:34 +0800 Subject: [PATCH 01/44] Update --- Sandboxie/core/dll/sysinfo.c | 33 ++++++++++++++++++++++++++++++--- Sandboxie/core/dll/terminal.c | 2 +- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index e415ac69..09598cd7 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -206,6 +206,17 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( SysInfo_DiscardProcesses(Buffer); } + if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, "HideFirmWareInfo", FALSE)) { + HKEY hKey; + PVOID lpData; + DWORD dwLen = 0; + if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, hKey)) + RegQueryValueExW(hKey, "FalseFirewareValue", 0, REG_SZ, lpData, &dwLen); + if (dwLen != 0) { + Buffer = lpData; + *ReturnLength = dwLen; + } + } return status; } @@ -214,7 +225,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( //--------------------------------------------------------------------------- // SysInfo_DiscardProcesses //--------------------------------------------------------------------------- - +BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken); _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) { @@ -228,6 +239,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) WCHAR* hiddenProcessesPtr = NULL; ULONG hiddenProcessesLen = 100 * 110; // we can hide up to 100 processes, should be enough WCHAR hiddenProcess[110]; + ULONG tempSession = 0,tempSid=0; for (ULONG index = 0; ; ++index) { NTSTATUS status = SbieApi_QueryConfAsIs(NULL, L"HideHostProcess", index, hiddenProcess, 108 * sizeof(WCHAR)); 
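Review bot: In the added `HideFirmWareInfo` block of `SysInfo_NtQuerySystemInformation`, `Buffer = lpData;` only rebinds the local parameter, so the caller's buffer still holds the real firmware table and the option hides nothing. `*ReturnLength = dwLen;` is also written without a null check, although that out-parameter is optional for this system call; the rest of the function is outside the hunk and may already guard it. To substitute data, the replacement bytes have to be copied into the caller's buffer after checking them against the buffer size the caller passed in, with the status adjusted when they do not fit. A comment above the block should state what format the registry value is expected to have, since consumers parse the result as a firmware table.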
@@ -262,9 +274,20 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) if (next == curr) break; - SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, NULL, NULL); - + SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, &tempSid, &tempSession); + DWORD currentSession = WTSGetActiveConsoleSessionId(); + HANDLE token1; + Terminal_WTSQueryUserToken(currentSession, &token1); + SID_AND_ATTRIBUTES attrs; + ULONG uRtn = 0; + ZeroMemory(&attrs, sizeof(attrs)); + NtQueryInformationToken(token1, TokenUser, &attrs, sizeof(attrs), &uRtn); BOOL hideProcess = FALSE; + if (attrs.Sid == tempSid) { + if (SbieApi_QueryConfBool(NULL,L"HideInteractionProcess", FALSE)) + hideProcess = TRUE; + } + else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { hideProcess = TRUE; } @@ -279,6 +302,10 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) break; } } + }else + if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { + if (SbieApi_QueryConfBool(NULL, L"HideSbieProcess", FALSE)) + hideProcess = TRUE; } } diff --git a/Sandboxie/core/dll/terminal.c b/Sandboxie/core/dll/terminal.c index 8ec2a90f..13d586e3 100644 --- a/Sandboxie/core/dll/terminal.c +++ b/Sandboxie/core/dll/terminal.c @@ -186,7 +186,7 @@ static void Terminal_WinStationFreeMemory(void *pMemory); static BOOLEAN Terminal_DontHook(void); -static BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE *pToken); +BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE *pToken); static WCHAR *Terminal_GetWindowStationName(void); From 8ac2b3ef9abe564874197d786a59ebc3a38ec993 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 19:06:43 +0800 Subject: [PATCH 02/44] Fix. --- Sandboxie/core/dll/sysinfo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 09598cd7..9e41b67d 100644 --- a/Sandboxie/core/dll/sysinfo.c 
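Review bot: The token lookup added after `SbieApi_QueryProcess` (apparently inside the per-process loop of `SysInfo_DiscardProcesses`) ignores the result of `Terminal_WTSQueryUserToken`, so `token1` can reach `NtQueryInformationToken` uninitialised, and the handle is never closed, which leaks one handle per listed process on every query. `TokenUser` data is a `TOKEN_USER` followed by the SID bytes, so a bare `SID_AND_ATTRIBUTES` buffer is too small and the call is expected to fail, leaving `attrs.Sid` NULL. `attrs.Sid == tempSid` then compares a pointer with a `ULONG`; SIDs need `RtlEqualSid` or a comparison of their string forms. Start from `HANDLE token1 = NULL;`, check both results, and query and close the token once, outside the loop. The loop body begins and ends outside the hunk.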
+++ b/Sandboxie/core/dll/sysinfo.c @@ -207,8 +207,8 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( SysInfo_DiscardProcesses(Buffer); } if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, "HideFirmWareInfo", FALSE)) { - HKEY hKey; - PVOID lpData; + HKEY hKey=NULL; + PVOID lpData=NULL; DWORD dwLen = 0; if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, hKey)) RegQueryValueExW(hKey, "FalseFirewareValue", 0, REG_SZ, lpData, &dwLen); From ec8a23a7cf84f51517e739097db25140e63bbad3 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 19:18:37 +0800 Subject: [PATCH 03/44] Fix --- Sandboxie/core/dll/sysinfo.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 9e41b67d..b082a01b 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -210,6 +210,26 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( HKEY hKey=NULL; PVOID lpData=NULL; DWORD dwLen = 0; + typedef LSTATUS + (*ROK)( + _In_ HKEY hKey, + _In_opt_ LPCWSTR lpSubKey, + _In_opt_ DWORD ulOptions, + _In_ REGSAM samDesired, + _Out_ PHKEY phkResult + ); + typedef LSTATUS + (*RQVEW)( + HKEY hKey, + LPCWSTR lpValueName, + LPDWORD lpReserved, + LPDWORD lpType, + LPBYTE lpData, + LPDWORD lpcbData + ); + ROK RegOpenKeyExW=Ldr_GetProcAddrOld(L"Advapi32.dll",L"RegOpenKeyExW"); + RQVEW RegQueryValueExW = Ldr_GetProcAddrOld(L"Advapi32.dll", L"RegQueryValueExW"); + if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, hKey)) RegQueryValueExW(hKey, "FalseFirewareValue", 0, REG_SZ, lpData, &dwLen); if (dwLen != 0) { From 9857b7287940a47e619f55401d0f60b9ecf573a1 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 19:29:50 +0800 Subject: [PATCH 04/44] Update --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) 
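Review bot: The two pointers returned by `Ldr_GetProcAddrOld` in the `@@ -210,6 +210,26 @@` hunk are called without a NULL check, so a failed lookup of either `Advapi32.dll` export crashes the sandboxed process inside the `NtQuerySystemInformation` hook. The `ROK` and `RQVEW` typedefs also omit `WINAPI`, which on 32-bit builds gives a calling-convention mismatch with the real exports unless the project compiles with stdcall as its default. Declare them as `typedef LSTATUS (WINAPI *ROK)(...)` and guard the calls with `if (RegOpenKeyExW && RegQueryValueExW)`. Naming the locals after the API functions shadows any header declaration of the same name; `pRegOpenKeyExW` and `pRegQueryValueExW` would avoid that.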
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a1fc9dd..ee7e0082 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,9 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add UI option to start unsandboxed process but force child processes in SelectBoxWindow. - Add option "AlertBeforeStart".When it is set,a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself,if it is not, a warning pops up. - Add option for EditAdminOnly in SetupWizard. +- Add option "HideInteractionProcess" to hide the interactive user's processes from the sandboxed process list. +- Add option "HideSbieProcess" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). +- When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue ### Changed - split the advanced new box wizard page in two From da14f5eed6d7c48bb3132612d02bcd8f1365bdc4 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 19:41:35 +0800 Subject: [PATCH 05/44] fix --- Sandboxie/core/dll/sysinfo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index b082a01b..a4f6ad8e 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -229,9 +229,9 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( ); ROK RegOpenKeyExW=Ldr_GetProcAddrOld(L"Advapi32.dll",L"RegOpenKeyExW"); RQVEW RegQueryValueExW = Ldr_GetProcAddrOld(L"Advapi32.dll", L"RegQueryValueExW"); - - if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, hKey)) - RegQueryValueExW(hKey, "FalseFirewareValue", 0, REG_SZ, lpData, &dwLen); + DWORD type; + if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, &hKey)) + RegQueryValueExW(hKey, "FalseFirewareValue", 0, &type, lpData, &dwLen); if (dwLen != 0) { Buffer = lpData; *ReturnLength = dwLen; From cae33d599bb9810550ac427e6b761c8b414cf191 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 20:24:52 +0800 Subject: [PATCH 06/44] fix --- Sandboxie/core/dll/sysinfo.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index a4f6ad8e..0f3a9fde 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -259,7 +259,8 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) WCHAR* hiddenProcessesPtr = NULL; ULONG hiddenProcessesLen = 100 * 110; // we can hide up to 100 processes, should be enough WCHAR hiddenProcess[110]; - ULONG tempSession = 0,tempSid=0; + ULONG tempSession = 0; + WCHAR* tempSid = L""; for (ULONG index = 0; ; ++index) { NTSTATUS status = SbieApi_QueryConfAsIs(NULL, L"HideHostProcess", index, hiddenProcess, 108 * sizeof(WCHAR)); @@ -295,7 +296,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) break; SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, &tempSid, &tempSession); - DWORD currentSession = WTSGetActiveConsoleSessionId(); + DWORD currentSession = tempSession; HANDLE token1; Terminal_WTSQueryUserToken(currentSession, &token1); SID_AND_ATTRIBUTES attrs; 
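Review bot: `if (RegOpenKeyExW(...))` in the `@@ -229,9 +229,9 @@` hunk treats a non-zero return as success, but the registry API returns `ERROR_SUCCESS` (0) when the key opens, so the query only runs after a failed open and with `hKey` still NULL. Even with the test corrected to `== ERROR_SUCCESS`, `lpData` is NULL, so `RegQueryValueExW` can only report the required size in `dwLen`, and the following `dwLen != 0` branch then publishes a length with no data behind it. The value needs a second call into an allocated buffer of `dwLen` bytes, and `type` should be checked before the bytes are used. The opened key also needs a matching `RegCloseKey`, resolved the same way as the other two functions, otherwise each successful open leaks a key handle.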
@@ -303,9 +304,18 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) ZeroMemory(&attrs, sizeof(attrs)); NtQueryInformationToken(token1, TokenUser, &attrs, sizeof(attrs), &uRtn); BOOL hideProcess = FALSE; - if (attrs.Sid == tempSid) { - if (SbieApi_QueryConfBool(NULL,L"HideInteractionProcess", FALSE)) - hideProcess = TRUE; + UNICODE_STRING uni; + WCHAR* buf = L""; + uni.Length = 0; + uni.MaximumLength = 512; + uni.Buffer = buf; + if(NT_SUCCESS(RtlConvertSidToUnicodeString(&uni,attrs.Sid,FALSE))){ + if (_wcsicmp(buf,tempSid)==0) { + if (SbieApi_QueryConfBool(NULL, L"HideInteractionProcess", FALSE)) { + hideProcess = TRUE; + } + } + RtlFreeUnicodeString(&uni); } else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { From 57d1eb9e41e0258236dadf6479ba59fb50e27e4b Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 26 May 2024 20:36:30 +0800 Subject: [PATCH 07/44] Fix --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 0f3a9fde..05667f33 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -295,7 +295,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) if (next == curr) break; - SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, &tempSid, &tempSession); + SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); DWORD currentSession = tempSession; HANDLE token1; Terminal_WTSQueryUserToken(currentSession, &token1); From af4f3e72166c2639ce46205cc5164e0c5dc84824 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 09:59:31 +0800 Subject: [PATCH 08/44] Fix --- Sandboxie/core/dll/sysinfo.c | 61 +++++++++++++++++++++++++----------- 1 file changed, 43 insertions(+), 18 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 05667f33..b8d62235 100644 
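Review bot: Passing `tempSid` directly to `SbieApi_QueryProcess` in the `@@ -295,7 +295,7 @@` hunk hands it the string literal from `WCHAR* tempSid = L"";` declared earlier in this series, so if that argument is an output buffer, as the neighbouring `boxname` argument suggests, the call writes into a one-character read-only literal. Declare a real array there, sized to whatever `SbieApi_QueryProcess` documents for its SID output; that size is not visible on this page. The same pattern appears in the `@@ -303,9 +304,18 @@` hunk on this line, where `uni.Buffer` points at `L""` while `MaximumLength` claims 512 bytes, and `RtlFreeUnicodeString` is then called on a buffer it did not allocate. In that hunk `WCHAR* buf` also shadows the function parameter `buf`.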
--- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -246,7 +246,47 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( // SysInfo_DiscardProcesses //--------------------------------------------------------------------------- BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken); +_FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare) +{ + NTSTATUS status; + BOOLEAN return_value = FALSE; + ULONG64 user_space[88]; + PTOKEN_USER user = (PTOKEN_USER)user_space; + ULONG len; + + len = sizeof(user_space); + status = NtQueryInformationToken( + hToken, TokenUser, user, len, &len); + + if (status == STATUS_BUFFER_TOO_SMALL) { + + user = Dll_AllocTemp(len); + status = NtQueryInformationToken( + hToken, TokenUser, user, len, &len); + } + + if (NT_SUCCESS(status)) { + + UNICODE_STRING SidString; + + status = RtlConvertSidToUnicodeString( + &SidString, user->User.Sid, TRUE); + + if (NT_SUCCESS(status)) { + + if (_wcsicmp(SidString.Buffer, /*L"S-1-5-18" */compare ) == 0) + return_value = TRUE; + + RtlFreeUnicodeString(&SidString); + } + } + + if (user != (PTOKEN_USER)user_space) + Dll_Free(user); + + return return_value; +} _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) { SYSTEM_PROCESS_INFORMATION *curr = buf; 
@@ -294,38 +334,23 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset); if (next == curr) break; - SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); DWORD currentSession = tempSession; HANDLE token1; Terminal_WTSQueryUserToken(currentSession, &token1); - SID_AND_ATTRIBUTES attrs; - ULONG uRtn = 0; - ZeroMemory(&attrs, sizeof(attrs)); - NtQueryInformationToken(token1, TokenUser, &attrs, sizeof(attrs), &uRtn); BOOL hideProcess = FALSE; - UNICODE_STRING uni; - WCHAR* buf = L""; - uni.Length = 0; - uni.MaximumLength = 512; - uni.Buffer = buf; - if(NT_SUCCESS(RtlConvertSidToUnicodeString(&uni,attrs.Sid,FALSE))){ - if (_wcsicmp(buf,tempSid)==0) { - if (SbieApi_QueryConfBool(NULL, L"HideInteractionProcess", FALSE)) { + if(!Sysinfo_IsTokenAnySid(token1, L"S-1-5-18")&& !Sysinfo_IsTokenAnySid(token1, L"S-1-5-80")&& !Sysinfo_IsTokenAnySid(token1, L"S-1-5-20")&& !Sysinfo_IsTokenAnySid(token1, L"S-1-5-6")&& SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { hideProcess = TRUE; - } - } - RtlFreeUnicodeString(&uni); } else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { hideProcess = TRUE; } - else if(hiddenProcesses && next->ImageName.Buffer) { + else if(next->ImageName.Buffer) { WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\'); if (imagename) imagename += 1; // skip L'\\' else imagename = next->ImageName.Buffer; - if (!*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { + if (hiddenProcesses && !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) { if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) { hideProcess = TRUE; From 5eb32ee9344a6298e5331745e4912bbd59d796f7 Mon Sep 17 00:00:00 2001 
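Review bot: In the rewritten image-name branch, `hiddenProcesses && !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0` parses as `(hiddenProcesses && !*boxname) || ...`, so with no `HideHostProcess` entries a process whose image name starts with `Sandboxie` enters the loop and dereferences `hiddenProcessesPtr` taken from a NULL `hiddenProcesses`. The guard was moved out of the outer `else if` by this change; restore it around the whole test: `if (hiddenProcesses && (!*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0)) {`. That `hiddenProcesses` can be NULL here is inferred from the removed `hiddenProcesses &&` check, since the code that fills it is outside the hunk. `token1` is still passed to `Sysinfo_IsTokenAnySid` without checking that `Terminal_WTSQueryUserToken` succeeded.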
From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 10:22:43 +0800 Subject: [PATCH 09/44] Fix --- Sandboxie/core/dll/sysinfo.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index b8d62235..e2255fb4 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -335,11 +335,8 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) if (next == curr) break; SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); - DWORD currentSession = tempSession; - HANDLE token1; - Terminal_WTSQueryUserToken(currentSession, &token1); BOOL hideProcess = FALSE; - if(!Sysinfo_IsTokenAnySid(token1, L"S-1-5-18")&& !Sysinfo_IsTokenAnySid(token1, L"S-1-5-80")&& !Sysinfo_IsTokenAnySid(token1, L"S-1-5-20")&& !Sysinfo_IsTokenAnySid(token1, L"S-1-5-6")&& SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { + if(_wcsicmp(tempSid, L"S-1-5-18") != 0 && _wcsicmp(tempSid, L"S-1-5-80") != 0 && _wcsicmp(tempSid, L"S-1-5-20") != 0 && !_wcsicmp(tempSid, L"S-1-5-6") == 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { hideProcess = TRUE; } else @@ -357,10 +354,12 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) break; } } - }else - if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { - if (SbieApi_QueryConfBool(NULL, L"HideSbieProcess", FALSE)) - hideProcess = TRUE; + } + if (!hideProcess) { + if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { + if (SbieApi_QueryConfBool(NULL, L"HideSbieProcess", FALSE)) + hideProcess = TRUE; + } } } From 410b672abc96d13f25949c7fdd8d76e05835b865 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 10:44:11 +0800 Subject: [PATCH 10/44] Fix --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
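Review bot: The `HideNonSystemProcess` test in the `@@ -335,11 +335,8 @@` hunk reads `tempSid` as left by the preceding `SbieApi_QueryProcess` call, whose return status is ignored and whose SID buffer is not cleared per iteration. If that call can fail for some processes, the entry is judged by the previous process's SID or by an empty string, and an empty string differs from every listed SID, so the process is hidden. Clear the SID buffer before each call and skip the SID test when the call fails, so that a lookup error does not decide visibility. The function's loop starts and ends outside the hunk.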
diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index e2255fb4..2e71866e 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -336,7 +336,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) break; SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); BOOL hideProcess = FALSE; - if(_wcsicmp(tempSid, L"S-1-5-18") != 0 && _wcsicmp(tempSid, L"S-1-5-80") != 0 && _wcsicmp(tempSid, L"S-1-5-20") != 0 && !_wcsicmp(tempSid, L"S-1-5-6") == 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { + if(_wcsicmp(tempSid, L"S-1-5-18") != 0 && _wcsicmp(tempSid, L"S-1-5-80") != 0 && _wcsicmp(tempSid, L"S-1-5-20") != 0 && _wcsicmp(tempSid, L"S-1-5-6") != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { hideProcess = TRUE; } else From 683debeef2d826435e9081fc6582f260ec22f4cc Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 11:17:46 +0800 Subject: [PATCH 11/44] CopyOnRead --- Sandboxie/core/dll/file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index 9709d07f..aebc583d 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c @@ -3516,7 +3516,10 @@ ReparseLoop: // open, for a CopyPath that does not exist, must also include // write access, or else it would have been handled earlier already) // - + if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) + status = File_MigrateFile( + TruePath, CopyPath, IsWritePath, TRUE); + else if (FileType & TYPE_REPARSE_POINT) { status = File_MigrateJunction( From 869f533a4293b5c1ec863526c54f4ad77acd70f5 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 16:26:31 +0800 Subject: [PATCH 12/44] Update Changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee7e0082..5c0ef1be 100644 
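Review bot: The `CopyFileOnOpen` branch in `file.c` is placed ahead of the `FileType & TYPE_REPARSE_POINT` test, so with the option enabled junctions and other reparse points go through `File_MigrateFile` instead of `File_MigrateJunction`. If that is not intended, make the new condition `!(FileType & TYPE_REPARSE_POINT) && SbieApi_QueryConfBool(NULL, L"CopyFileOnOpen", FALSE)` or move it after the reparse test. The setting is also read from the configuration on every open that reaches this point, and the block has no comment; one line such as `// CopyFileOnOpen: migrate the file into the box even when the open is read-only` (wording to be confirmed against the comment above, which describes this path as write access) would document the intent. The rest of the `if`/`else` chain is outside the hunk.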
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add UI option to start unsandboxed process but force child processes in SelectBoxWindow. - Add option "AlertBeforeStart".When it is set,a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself,if it is not, a warning pops up. - Add option for EditAdminOnly in SetupWizard. -- Add option "HideInteractionProcess" to hide the interactive user's processes from the sandboxed process list. +- Add option "HideNonSystemProcess" to hide processes other than some system services from processes lists for sandboxed processes. - Add option "HideSbieProcess" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). - When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue From ea8e0829ee684fc24d1d615bb445ce4f59a339e0 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 20:18:27 +0800 Subject: [PATCH 13/44] Try fixing... --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 2e71866e..ad80db40 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -336,7 +336,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) break; SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); BOOL hideProcess = FALSE; - if(_wcsicmp(tempSid, L"S-1-5-18") != 0 && _wcsicmp(tempSid, L"S-1-5-80") != 0 && _wcsicmp(tempSid, L"S-1-5-20") != 0 && _wcsicmp(tempSid, L"S-1-5-6") != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { + if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { hideProcess = TRUE; } else From c49ee0654f6cde614f98750163b80f5a311c5e86 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 22:46:46 +0800 Subject: [PATCH 14/44] Add BlockAccessWMI template --- Sandboxie/install/Templates.ini | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini index 4d5a9793..ca7efbd0 100644 --- a/Sandboxie/install/Templates.ini +++ b/Sandboxie/install/Templates.ini @@ -3771,6 +3771,12 @@ Tmpl.Title=Block DNS Tmpl.Class=Misc NetworkAccess=*,Block;Port=53;Protocol=UDP +[Template_BlockAccessWMI] +Tmpl.Title=Block Accessing WMI +Tmpl.Class=Misc +ClosedFilePath=%SystemRoot%\System32\wbem\* + + [Template_BlockTelemetry] Tmpl.Title=#4307 Tmpl.Class=Misc From e44176fc998d783eac540e868d77bbd9aaf44837 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 1 Jun 2024 22:50:45 +0800 Subject: [PATCH 15/44] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c0ef1be..792526f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
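Review bot: `ClosedFilePath=%SystemRoot%\System32\wbem\*` in `[Template_BlockAccessWMI]` names only the `System32` copy of the WMI directory; whether it also covers 32-bit programs, which use the libraries under `SysWOW64\wbem`, is not clear from the template and is worth verifying, adding `ClosedFilePath=%SystemRoot%\SysWOW64\wbem\*` if it does not. The rule denies file access to the WMI client files rather than blocking the WMI service itself, so the title promises more than the rule can guarantee. A comment line above the rule saying that it is best effort, and that the same system information remains reachable through other interfaces, would set the right expectation for users who enable it.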
@@ -17,6 +17,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add option "HideNonSystemProcess" to hide processes other than some system services from processes lists for sandboxed processes. - Add option "HideSbieProcess" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). - When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue +- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. ### Changed - split the advanced new box wizard page in two From a4ee9fa9a119ff50f661666e56c5ead62f2847aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:03:15 +0800 Subject: [PATCH 16/44] Update Sandboxie/core/dll/sysinfo.c Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index ad80db40..0e8fdf44 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -206,7 +206,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( SysInfo_DiscardProcesses(Buffer); } - if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, "HideFirmWareInfo", FALSE)) { + if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { HKEY hKey=NULL; PVOID lpData=NULL; DWORD dwLen = 0; From 80a428f3682e406be20629e4da57eafe42f855af Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:04:02 +0800 Subject: [PATCH 17/44] Update Sandboxie/core/dll/sysinfo.c Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 0e8fdf44..21b7977d 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -231,7 +231,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( RQVEW RegQueryValueExW = Ldr_GetProcAddrOld(L"Advapi32.dll", L"RegQueryValueExW"); DWORD type; if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, &hKey)) - RegQueryValueExW(hKey, "FalseFirewareValue", 0, &type, lpData, &dwLen); + RegQueryValueExW(hKey, "FalseFirmwareValue", 0, &type, lpData, &dwLen); if (dwLen != 0) { Buffer = lpData; *ReturnLength = dwLen; From ea8bd28d464606395efa474816f5bd0bf9202ae3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:05:14 +0800 Subject: [PATCH 18/44] Update Sandboxie/core/dll/sysinfo.c Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 21b7977d..39f9c988 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -336,7 +336,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) break; SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); BOOL hideProcess = FALSE; - if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) { + if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) { hideProcess = TRUE; } else From b8467d5de9a8f34a3ad38f4c7474c6cf60baeab9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:05:55 +0800 Subject: [PATCH 19/44] Update Sandboxie/core/dll/sysinfo.c Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 39f9c988..b94138a8 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -357,7 +357,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) } if (!hideProcess) { if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { - if (SbieApi_QueryConfBool(NULL, L"HideSbieProcess", FALSE)) + if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)) hideProcess = TRUE; } } From 13fc3c7dad19620682275d1d60b680e9f16dc1b4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:06:06 +0800 Subject: [PATCH 20/44] Update CHANGELOG.md Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5ef12af..b54c5e07 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add UI option to start unsandboxed process but force child processes in SelectBoxWindow. - Add option "AlertBeforeStart".When it is set,a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself,if it is not, a warning pops up. - Add option for EditAdminOnly in SetupWizard. -- Add option "HideNonSystemProcess" to hide processes other than some system services from processes lists for sandboxed processes. +- Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes. - Add option "HideSbieProcess" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). - When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue - Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. From 613df8822849dc329f8a09375805d64b643d416e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:06:23 +0800 Subject: [PATCH 21/44] Update CHANGELOG.md Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b54c5e07..5e1d9b08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add option "AlertBeforeStart".When it is set,a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself,if it is not, a warning pops up. - Add option for EditAdminOnly in SetupWizard. - Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes. -- Add option "HideSbieProcess" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). +- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). - When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue - Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. From 22ac812d5eb18d5040b4098d6bd2cf334138c3e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:06:39 +0800 Subject: [PATCH 22/44] Update CHANGELOG.md Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e1d9b08..cac6e7da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -16,7 +16,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add option for EditAdminOnly in SetupWizard. - Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes. - Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). -- When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue +- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue - Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. ### Changed From 6f237f25223aed85046d0071c1932499830ad7b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:07:02 +0800 Subject: [PATCH 23/44] Update Sandboxie/install/Templates.ini Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- Sandboxie/install/Templates.ini | 1 - 1 file changed, 1 deletion(-) diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini index ca7efbd0..0f37d1f0 100644 --- a/Sandboxie/install/Templates.ini +++ b/Sandboxie/install/Templates.ini @@ -3776,7 +3776,6 @@ Tmpl.Title=Block Accessing WMI Tmpl.Class=Misc ClosedFilePath=%SystemRoot%\System32\wbem\* - [Template_BlockTelemetry] Tmpl.Title=#4307 Tmpl.Class=Misc From d8d13c643bae5693778f6515589c6f1cadc6dcd6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Sun, 2 Jun 2024 09:09:25 +0800 Subject: [PATCH 24/44] Update sysinfo.c --- Sandboxie/core/dll/sysinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index b94138a8..6e560e8a 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -231,7 +231,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( RQVEW RegQueryValueExW = Ldr_GetProcAddrOld(L"Advapi32.dll", L"RegQueryValueExW"); DWORD type; if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, &hKey)) - RegQueryValueExW(hKey, "FalseFirmwareValue", 0, &type, lpData, &dwLen); + RegQueryValueExW(hKey, L"FalseFirmwareValue", 0, &type, lpData, &dwLen); if (dwLen != 0) { Buffer = lpData; *ReturnLength = dwLen; From 4211eb42db34042e0dc05519ad39c454251f6c54 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 2 Jun 2024 10:51:05 +0800 Subject: [PATCH 25/44] Extend Temp Template --- CHANGELOG.md | 1 + SandboxiePlus/SandMan/SandMan.cpp | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ef7f1c52..181caa72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Changed - split the advanced new box wizard page in two - reorganized box options a bit +- Extend "Temp Template" to make it could delete local template section. ### Fixed - fixed issue with proxy authentication setting diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp index 43fcdb41..31f242d5 100644 --- a/SandboxiePlus/SandMan/SandMan.cpp +++ b/SandboxiePlus/SandMan/SandMan.cpp 
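Review bot: The guard `if (RegOpenKeyExW(...))` is true when the open fails, because the registry call returns `ERROR_SUCCESS` (0) on success, so `RegQueryValueExW` only runs with a key that was never opened. Compare explicitly, `if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, &hKey) == ERROR_SUCCESS)`, and close the key afterwards. `Buffer = lpData;` also only rebinds the local parameter, so the caller's buffer still holds the real firmware table. The replacement has to be copied into the caller's buffer after checking `dwLen` against the length the caller supplied, and `ReturnLength` should be tested for NULL before it is written. The function starts and ends outside the hunk, so how `lpData` is allocated is not visible here.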
@@ -2308,15 +2308,21 @@ void CSandMan::OnBoxClosed(const CSandBoxPtr& pBox) } QString tempValPrefix = "Temp_"; + QString tempValLocalPrefix = "Local_Temp_"; QStringList to_delete; QStringList list = pBox->GetTextList("Template", FALSE); foreach(const QString& Value, list) { if (tempValPrefix.compare(Value.left(5)) == 0) to_delete.append(Value); + else if (tempValLocalPrefix.compare(Value.left(11)) == 0) + to_delete.append(Value); } if (!to_delete.isEmpty()) { - foreach(const QString & Value, to_delete) + foreach(const QString& Value, to_delete) { + if (tempValLocalPrefix.compare(Value.left(11)) == 0) + theAPI->SbieIniSet("Template_" + tempValLocalPrefix, "*", "", CSbieAPI::eIniUpdate); list.removeAt(list.indexOf(Value)); + } pBox->UpdateTextList("Template", list, FALSE); } From 35fa3135024972a40176eb32be1819b328b62fad Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 2 Jun 2024 15:50:35 +0800 Subject: [PATCH 26/44] Add UI for Limit. --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 251 +++++++++++------- .../SandMan/Windows/OptionsGeneral.cpp | 17 +- 2 files changed, 171 insertions(+), 97 deletions(-) diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index 7cde8a5b..fdd5988e 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -6,7 +6,7 @@ 0 0 - 787 + 835 588 @@ -31,8 +31,8 @@ SandboxiePlus Options - - + + @@ -45,7 +45,7 @@ QTabWidget::North - 1 + 0 @@ -55,7 +55,7 @@ - 0 + 3 @@ -672,8 +672,8 @@ Restrictions - - + + 
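Review bot: The cleanup call passes `"Template_" + tempValLocalPrefix`, which is always the literal section name `Template_Local_Temp_`, so the section of the template actually being removed appears to stay behind in the ini. Use the entry itself: `theAPI->SbieIniSet("Template_" + Value, "*", "", CSbieAPI::eIniUpdate);`. The `compare(Value.left(n))` tests read more clearly as `Value.startsWith(tempValLocalPrefix)`, which also removes the hard-coded 5 and 11. OnBoxClosed begins and ends outside the hunk.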
@@ -690,14 +690,93 @@ - - + + - Open Windows Credentials Store (user mode) + Block access to the printer spooler - + + + + Remove spooler restriction, printers can be installed outside the sandbox + + + + + + + + 0 + 0 + + + + Allow the print spooler to print to files outside the sandbox + + + + + + + + 75 + true + true + + + + Protect the system from sandboxed processes + + + Limit restrictions + + + + + + + Single Process Memory Limit: + + + + + + + Leave it blank to disable the setting(Unit:KB) + + + + + + + Total Processes Memory Limit: + + + + + + + Leave it blank to disable the setting(Unit:KB) + + + + + + + Total Processes Number Limit: + + + + + + + Leave it blank to disable the setting + + + + @@ -714,85 +793,14 @@ - - - - Allow to read memory of unsandboxed processes (not recommended) - - - - - - - Qt::Horizontal - - - - 556 - 20 - - - - - - - - This feature does not block all means of obtaining a screen capture, only some common ones. - - - Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches) - - - - + Open System Protected Storage - - - - - 0 - 0 - - - - Allow the print spooler to print to files outside the sandbox - - - - - - - Block access to the printer spooler - - - - - - - Remove spooler restriction, printers can be installed outside the sandbox - - - - - - - Block read access to the clipboard - - - - - - - Issue message 2111 when a process access is denied - - - - + 
@@ -811,14 +819,62 @@ - + + + + Open Windows Credentials Store (user mode) + + + + + + + Block read access to the clipboard + + + + + + + Allow to read memory of unsandboxed processes (not recommended) + + + + + + + Issue message 2111 when a process access is denied + + + + Prevent sandboxed processes from interfering with power operations (Experimental) - + + + + Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games. + + + Prevent interference with the user interface (Experimental) + + + + + + + This feature does not block all means of obtaining a screen capture, only some common ones. + + + Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches) + + + + Qt::Vertical @@ -831,15 +887,18 @@ - - - - Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games. + + + + Qt::Horizontal - - Prevent interference with the user interface (Experimental) + + + 556 + 20 + - + @@ -1088,7 +1147,7 @@ - 0 + 1 @@ -4967,8 +5026,8 @@ instead of "*". 0 0 - 98 - 28 + 75 + 16 diff --git a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp index 102b62d2..c2afdc9a 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp 
@@ -281,6 +281,10 @@ void COptionsWindow::LoadGeneral() ui.chkOpenSpooler->setChecked(m_pBox->GetBool("OpenPrintSpooler", false)); ui.chkPrintToFile->setChecked(m_pBox->GetBool("AllowSpoolerPrintToFile", false)); + ui.lineSingleMemory->setText(m_pBox->GetText("ProcessMemoryLimit", "")); + ui.lineTotalMemory->setText(m_pBox->GetText("TotalMemoryLimit", "")); + ui.lineTotalNumber->setText(m_pBox->GetText("TotalNumberLimit", "")); + //ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false)); ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage")); ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false)); @@ -420,6 +424,13 @@ void COptionsWindow::SaveGeneral() WriteAdvancedCheck(ui.chkOpenSpooler, "OpenPrintSpooler", "y", ""); WriteAdvancedCheck(ui.chkPrintToFile, "AllowSpoolerPrintToFile", "y", ""); + if (!ui.lineSingleMemory->text().isEmpty()) + WriteText("ProcessMemoryLimit", ui.lineSingleMemory->text()); + if (!ui.lineTotalMemory->text().isEmpty()) + WriteText("TotalMemoryLimit", ui.lineTotalMemory->text()); + if (!ui.lineTotalNumber->text().isEmpty()) + WriteText("ProcessNumberLimit", ui.lineTotalNumber->text()); + //WriteAdvancedCheck(ui.chkOpenProtectedStorage, "OpenProtectedStorage", "y", ""); SetTemplate("OpenProtectedStorage", ui.chkOpenProtectedStorage->isChecked()); if (ui.chkOpenCredentials->isEnabled()) 
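Review bot: `LoadGeneral` reads the process-count limit from `"TotalNumberLimit"`, while the `SaveGeneral` hunk in the same commit writes it to `"ProcessNumberLimit"`, so a saved value never comes back into `lineTotalNumber`. Read the key that is written: `ui.lineTotalNumber->setText(m_pBox->GetText("ProcessNumberLimit", ""));`. The new-box wizard later in this series also uses `ProcessNumberLimit`, which suggests that is the intended name. LoadGeneral continues outside the hunk.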
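Review bot: Each limit is written only when its field is non-empty, so clearing a field leaves the previously saved limit in force, although the form text says a blank field disables the setting. Add an `else` branch per field that removes the key, using whatever deletion helper this class already has for other settings. The text is also stored unvalidated, so a numeric check before `WriteText` would keep non-numeric input out of the box configuration. SaveGeneral continues outside the hunk.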
@@ -797,7 +808,11 @@ void COptionsWindow::OnGeneralChanged() ui.chkOpenSpooler->setEnabled(!ui.chkBlockSpooler->isChecked() && !ui.chkNoSecurityIsolation->isChecked()); ui.chkPrintToFile->setEnabled(!ui.chkBlockSpooler->isChecked() && !ui.chkNoSecurityFiltering->isChecked()); - + + ui.lineSingleMemory->setEnabled(ui.chkAddToJob->isChecked()); + ui.lineTotalMemory->setEnabled(ui.chkAddToJob->isChecked()); + ui.lineTotalNumber->setEnabled(ui.chkAddToJob->isChecked()); + ui.chkOpenCredentials->setEnabled(!ui.chkOpenProtectedStorage->isChecked()); if (!ui.chkOpenCredentials->isEnabled()) ui.chkOpenCredentials->setChecked(true); From 23737b55d8c50075c6e11db040ca5dd2735e19ca Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 2 Jun 2024 17:29:15 +0800 Subject: [PATCH 27/44] Add new box type. --- CHANGELOG.md | 2 + SandboxiePlus/SandMan/SandMan.cpp | 6 +- SandboxiePlus/SandMan/SbiePlusAPI.cpp | 15 +++++ SandboxiePlus/SandMan/SbiePlusAPI.h | 1 + .../SandMan/Windows/OptionsGeneral.cpp | 57 ++++++++++++++++++- .../SandMan/Wizards/NewBoxWizard.cpp | 28 ++++++++- 6 files changed, 104 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e30f2ea2..d8c7057b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). - When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue - Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. +- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox. +- Add new box type "Maximize Isolation Sandbox". ### Changed - split the advanced new box wizard page in two 
diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp index 31f242d5..6257674e 100644 --- a/SandboxiePlus/SandMan/SandMan.cpp +++ b/SandboxiePlus/SandMan/SandMan.cpp @@ -247,6 +247,7 @@ CSandMan::CSandMan(QWidget *parent) SetupHotKeys(); m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4); + m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139); m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2); m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248); m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2); @@ -1550,6 +1551,9 @@ QString CSandMan::GetBoxDescription(int boxType) QString Info; switch (boxType) { + case CSandBoxPlus::eIsoationMax: + Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later."); + break; case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardened: Info = tr("This box provides enhanced security isolation, it is suitable to test untrusted software."); @@ -1567,7 +1571,7 @@ QString CSandMan::GetBoxDescription(int boxType) break; } - if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus) + if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax) Info.append(tr("

This box prevents access to all user data locations, except explicitly granted in the Resource Access options.")); return Info; diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.cpp b/SandboxiePlus/SandMan/SbiePlusAPI.cpp index fec969de..a7dd10d8 100644 --- a/SandboxiePlus/SandMan/SbiePlusAPI.cpp +++ b/SandboxiePlus/SandMan/SbiePlusAPI.cpp @@ -813,6 +813,21 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const if (m_iUnsecureDebugging != 0) return eInsecure; + BOOL isMAX = GetBool("HideNonSystemProcess") && + GetBool("HideOtherBoxes") && + GetBool("ClosePrintSpooler") && + !GetBool("OpenClipboard") && + GetBool("BlockInterferePower") && + GetBool("BlockInterferenceControl") && + GetBool("BlockScreenCapture") && + GetBool("UseSandboxDesktop") && + GetBool("ConfidentialBox") && + GetBool("CoverBoxedWindows") && + GetBool("AlertBeforeStart") && + GetBool("ForceProtectionOnMount") && + GetBool("ProtectHostImages"); + if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced) + return eIsoationMax; if (m_bSecurityEnhanced && m_bPrivacyEnhanced) return eHardenedPlus; if (m_bSecurityEnhanced) diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.h b/SandboxiePlus/SandMan/SbiePlusAPI.h index da3dc4f6..788221c3 100644 --- a/SandboxiePlus/SandMan/SbiePlusAPI.h +++ b/SandboxiePlus/SandMan/SbiePlusAPI.h @@ -146,6 +146,7 @@ public: { eHardenedPlus, eHardened, + eIsoationMax, eDefaultPlus, eDefault, eAppBoxPlus, diff --git a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp index c2afdc9a..00681106 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp 
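Review bot: `isMAX` hard-codes a list of settings that has to match two other places in this commit, and the lists already differ. `UpdateBoxType` in OptionsGeneral.cpp does not test `UseSandboxDesktop` or `ProtectHostImages`, and the wizard also applies templates and limits that neither check looks at. A box can then be labelled maximum isolation in one view and hardened in another, which makes the label unreliable as a security indicator. Keep the setting names in one shared table that the wizard, `UpdateBoxType` and `GetTypeImpl` all iterate, and declare the flag as `bool` rather than `BOOL` in this Qt code. GetTypeImpl starts and ends outside the hunk.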
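Review bot: The new enumerator is spelled `eIsoationMax` (the `l` of Isolation is missing), and the same spelling is repeated in SandMan.cpp, OptionsGeneral.cpp and NewBoxWizard.cpp in this commit. Renaming it to `eIsolationMax` now is cheaper than after more call sites depend on it. Placing it between `eHardened` and `eDefaultPlus` also shifts the numeric value of every later enumerator, so it is worth confirming that no box type is persisted or compared by number. The enum declaration begins and ends outside the hunk.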
@@ -61,6 +61,7 @@ void COptionsWindow::CreateGeneral() ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus); + ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault); @@ -1059,8 +1060,24 @@ void COptionsWindow::UpdateBoxType() bool bPrivacyMode = ui.chkPrivacy->isChecked(); bool bSecurityMode = ui.chkSecurityMode->isChecked(); bool bAppBox = ui.chkNoSecurityIsolation->isChecked(); + bool bIsoationMax = m_pBox->GetBool("HideNonSystemProcess") + && m_pBox->GetBool("HideNonSystemProcess") + && m_pBox->GetBool("HideOtherBoxes") + && m_pBox->GetBool("ClosePrintSpooler") + && m_pBox->GetBool("BlockInterferePower") + && !m_pBox->GetBool("OpenClipboard") + && m_pBox->GetBool("BlockInterferenceControl") + && m_pBox->GetBool("BlockScreenCapture") + && m_pBox->GetBool("ConfidentialBox") + && m_pBox->GetBool("CoverBoxedWindows") + && m_pBox->GetBool("AlertBeforeStart") + && m_pBox->GetBool("ForceProtectionOnMount") + && bSecurityMode && bPrivacyMode && !bAppBox; int BoxType; + if (bIsoationMax) + BoxType = (int)CSandBoxPlus::eIsoationMax; + else if (bAppBox) BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox; else if (bSecurityMode) 
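Review bot: `bIsoationMax` is computed from the saved configuration through `m_pBox->GetBool(...)`, while `bPrivacyMode`, `bSecurityMode` and `bAppBox` next to it come from the live check boxes, so the box-type combo will not follow unsaved edits to those options. Read the matching `ui.chk…->isChecked()` states instead, as the neighbouring flags do. Where an option has no widget, add a comment saying that the stored value is used on purpose. UpdateBoxType begins and ends outside the hunk.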
@@ -1086,13 +1103,51 @@ void COptionsWindow::OnBoxTypChanged() int BoxType = ui.cmbBoxType->currentData().toInt(); switch (BoxType) { + case CSandBoxPlus::eIsoationMax: + /*pBox->SetBool("HideNonSystemProcess", true); + pBox->InsertText("Template", "BlockAccessWMI"); + pBox->InsertText("Template", "BlockDNS"); + pBox->SetBool("HideOtherBoxes", true); + pBox->SetBool("ClosePrintSpooler", true); + pBox->SetBool("OpenClipboard", false); + pBox->SetBool("BlockInterferePower", true); + pBox->SetBool("BlockInterferenceControl", true); + pBox->SetBool("BlockScreenCapture", true); + pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any"); + pBox->SetBool("UseSandboxDesktop", true); + pBox->SetBool("ConfidentialBox", true); + pBox->SetBool("CoverBoxedWindows", true); + pBox->SetBool("AlertBeforeStart", true); + pBox->SetBool("ForceProtectionOnMount", true); + pBox->SetNum64("ProcessMemoryLimit", 80000000); + pBox->SetNum("ProcessNumberLimit", 20); + pBox->SetBool("ProtectHostImages", true);*/ + SetTemplate("BlockAccessWMI", true); + ui.chkBlockDns->setChecked(true); + ui.chkHideOtherBoxes->setChecked(true); + ui.chkCloseClipBoard->setChecked(true); + ui.chkBlockSpooler->setChecked(true); + ui.chkBlockCapture->setChecked(true); + ui.chkAddToJob->setChecked(true); + ui.chkAlertBeforeStart->setChecked(true); + ui.chkConfidential->setChecked(true); + ui.chkProtectPower->setChecked(true); + ui.chkUserOperation->setChecked(true); + ui.chkProtectWindow->setChecked(true); + ui.chkProtectSCM->setChecked(true); + ui.chkProtectSystem->setChecked(true); + ui.chkRestrictServices->setChecked(true); + ui.chkSbieLogon->setChecked(true); + ui.chkDropPrivileges->setChecked(true); + ui.chkHideOtherBoxes->setChecked(true); + ui.chkHostProtect->setChecked(true); case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardened: ui.chkNoSecurityIsolation->setChecked(false); ui.chkNoSecurityFiltering->setChecked(false); ui.chkSecurityMode->setChecked(true); 
//ui.chkRestrictServices->setChecked(true); - ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus); + ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax); //SetTemplate("NoUACProxy", false); SetTemplate("RpcPortBindingsExt", false); break; diff --git a/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp b/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp index aa937208..4eafd5e6 100644 --- a/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp +++ b/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp @@ -182,6 +182,25 @@ SB_STATUS CNewBoxWizard::TryToCreateBox() if (!disableWizardSettings || sharedTemplateMode == 0) { switch (BoxType) { + case CSandBoxPlus::eIsoationMax: + pBox->SetBool("HideNonSystemProcess", true); + pBox->InsertText("Template", "BlockAccessWMI"); + pBox->InsertText("Template", "BlockDNS"); + pBox->SetBool("HideOtherBoxes", true); + pBox->SetBool("ClosePrintSpooler", true); + pBox->SetBool("OpenClipboard", false); + pBox->SetBool("BlockInterferePower", true); + pBox->SetBool("BlockInterferenceControl", true); + pBox->SetBool("BlockScreenCapture", true); + pBox->InsertText("Template","BlockLocalConnect"); + pBox->SetBool("UseSandboxDesktop", true); + pBox->SetBool("ConfidentialBox", true); + pBox->SetBool("CoverBoxedWindows", true); + pBox->SetBool("AlertBeforeStart", true); + pBox->SetBool("ForceProtectionOnMount", true); + pBox->SetNum64("ProcessMemoryLimit", 80000000); + pBox->SetNum("ProcessNumberLimit", 20); + pBox->SetBool("ProtectHostImages", true); case CSandBoxPlus::eHardenedPlus: pBox->SetBool("UsePrivacyMode", true); case CSandBoxPlus::eHardened: 
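Review bot: The new `case CSandBoxPlus::eIsoationMax:` in `OnBoxTypChanged` runs into `case CSandBoxPlus::eHardenedPlus:` with no `break` and no marker, so a reader cannot tell that the fall-through is intended. Add `[[fallthrough]];` after `ui.chkHostProtect->setChecked(true);`, or a `// fall through` comment if the build predates C++17. The commented-out `pBox->Set…` block is dead code that duplicates the wizard and should be removed, and `ui.chkHideOtherBoxes->setChecked(true);` appears twice. The switch continues outside the hunk.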
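Review bot: `SetNum64("ProcessMemoryLimit", 80000000)` and `SetNum("ProcessNumberLimit", 20)` in `TryToCreateBox` are unexplained constants, and the unit of the first is ambiguous. The options form added earlier in this series labels the memory fields `Unit:KB`, which would make this about 76 GiB and no real limit, while read as bytes it is about 76 MiB. Give both values named constants with a comment stating the unit, after confirming what the consumer of `ProcessMemoryLimit` expects. The case also falls through into `eHardenedPlus` without a marker, and the switch continues outside the hunk.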
@@ -247,7 +266,7 @@ SB_STATUS CNewBoxWizard::TryToCreateBox() } pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool()); - bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened); + bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax); bool bDropAdmin = field("dropAdmin").toBool(); if (field("dropAdmin").toBool() && !bHardened) pBox->SetBool("DropAdminRights", true); @@ -385,7 +404,10 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent) //return qMakePair(pW, pIcon); return pC; }; - + AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax, + tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n" + "In addition, there are other configurations that facilitate isolation,\n" + "such as processes and image access control, and so on.")); AddBoxType(tr("Security Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus, tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n" "It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n" @@ -790,7 +812,7 @@ void CIsolationPage::initializePage() { int BoxType = wizard()->field("boxType").toInt(); - bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened); + bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax); bool bDropAdmin = field("dropAdmin").toBool(); m_pMSIServer->setEnabled(!bHardened && !bDropAdmin); m_pShareAccess->setEnabled(!bHardened); From cce9a87e1b06fadf5dbb4a2fc4802679c557e3e8 Mon Sep 17 00:00:00 2001 
From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 2 Jun 2024 17:40:34 +0800 Subject: [PATCH 28/44] Update templates --- Sandboxie/install/Templates.ini | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini index ca7efbd0..9bf2bbf8 100644 --- a/Sandboxie/install/Templates.ini +++ b/Sandboxie/install/Templates.ini @@ -3776,6 +3776,10 @@ Tmpl.Title=Block Accessing WMI Tmpl.Class=Misc ClosedFilePath=%SystemRoot%\System32\wbem\* +[Template_BlockLocalConnect] +Tmpl.Title=Block Local Connect +Tmpl.Class=Misc +NetworkAccess=*,Block;Port=*;Address=*;Protocol=Any [Template_BlockTelemetry] Tmpl.Title=#4307 From dab4e94386b4aada2e28c56760619e46a318bd31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Tue, 4 Jun 2024 06:42:59 +0800 Subject: [PATCH 29/44] Update Templates.ini --- Sandboxie/install/Templates.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini index 9bf2bbf8..5532fa97 100644 --- a/Sandboxie/install/Templates.ini +++ b/Sandboxie/install/Templates.ini @@ -3779,7 +3779,7 @@ ClosedFilePath=%SystemRoot%\System32\wbem\* [Template_BlockLocalConnect] Tmpl.Title=Block Local Connect Tmpl.Class=Misc -NetworkAccess=*,Block;Port=*;Address=*;Protocol=Any +NetworkAccess=*,Block;Port=*;Address=127.*.*.*;Protocol=Any [Template_BlockTelemetry] Tmpl.Title=#4307 From f1f144730ae1f041a1af8a394223f6205c74cce1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Tue, 4 Jun 2024 06:44:50 +0800 Subject: [PATCH 30/44] Update SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp index 00681106..0c6c7740 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp @@ -1061,7 +1061,7 @@ void COptionsWindow::UpdateBoxType() bool bSecurityMode = ui.chkSecurityMode->isChecked(); bool bAppBox = ui.chkNoSecurityIsolation->isChecked(); bool bIsoationMax = m_pBox->GetBool("HideNonSystemProcess") - && m_pBox->GetBool("HideNonSystemProcess") + && m_pBox->GetBool("HideNonSystemProcesses") && m_pBox->GetBool("HideOtherBoxes") && m_pBox->GetBool("ClosePrintSpooler") && m_pBox->GetBool("BlockInterferePower") From ccb9c725adaa4ff4cc686b2b438c7f7b96d2739a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Fri, 7 Jun 2024 19:52:34 +0800 Subject: [PATCH 31/44] Update file.c --- Sandboxie/core/dll/file.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index aebc583d..9c8cb3f2 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c 
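Review bot: The first operand of `bIsoationMax` still reads `m_pBox->GetBool("HideNonSystemProcess")`, so after this rename the expression requires both the old and the new key to be set. The wizard and `GetTypeImpl` use only `HideNonSystemProcesses` by the end of the series, so the condition would stay false for the boxes they create. Drop the stale operand so the chain starts with `m_pBox->GetBool("HideNonSystemProcesses")`. UpdateBoxType begins and ends outside the hunk.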
@@ -3516,9 +3516,11 @@ ReparseLoop: // open, for a CopyPath that does not exist, must also include // write access, or else it would have been handled earlier already) // - if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) + /* + //Disabled it now to test. + if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) status = File_MigrateFile( - TruePath, CopyPath, IsWritePath, TRUE); + TruePath, CopyPath, IsWritePath, TRUE);*/ else if (FileType & TYPE_REPARSE_POINT) { From 19131f0413091d4c3a2a8cc3617b13a2ef3c46ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Fri, 7 Jun 2024 19:53:58 +0800 Subject: [PATCH 32/44] Update SandboxiePlus/SandMan/SbiePlusAPI.cpp Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- SandboxiePlus/SandMan/SbiePlusAPI.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.cpp b/SandboxiePlus/SandMan/SbiePlusAPI.cpp index a7dd10d8..ad2a5865 100644 --- a/SandboxiePlus/SandMan/SbiePlusAPI.cpp +++ b/SandboxiePlus/SandMan/SbiePlusAPI.cpp @@ -813,7 +813,7 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const if (m_iUnsecureDebugging != 0) return eInsecure; - BOOL isMAX = GetBool("HideNonSystemProcess") && + BOOL isMAX = GetBool("HideNonSystemProcesses") && GetBool("HideOtherBoxes") && GetBool("ClosePrintSpooler") && !GetBool("OpenClipboard") && From d7789a38de04175d280b608cd7d28c08a7653879 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Fri, 7 Jun 2024 19:54:09 +0800 Subject: [PATCH 33/44] Update Sandboxie/install/Templates.ini Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- Sandboxie/install/Templates.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini index 5532fa97..9b188d65 100644 --- a/Sandboxie/install/Templates.ini +++ b/Sandboxie/install/Templates.ini @@ -3779,7 +3779,7 @@ ClosedFilePath=%SystemRoot%\System32\wbem\* [Template_BlockLocalConnect] Tmpl.Title=Block Local Connect Tmpl.Class=Misc -NetworkAccess=*,Block;Port=*;Address=127.*.*.*;Protocol=Any +NetworkAccess=*,Block;Port=*;Address=127.0.0.0-127.255.255.255;Protocol=Any [Template_BlockTelemetry] Tmpl.Title=#4307 From 27a30fae532008fe78f3048487b62096378ef626 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Fri, 7 Jun 2024 19:54:30 +0800 Subject: [PATCH 34/44] Update SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp Co-authored-by: offhub <6871698+offhub@users.noreply.github.com> --- SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp b/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp index 4eafd5e6..046b0dbf 100644 --- a/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp +++ b/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp @@ -183,7 +183,7 @@ SB_STATUS CNewBoxWizard::TryToCreateBox() switch (BoxType) { case CSandBoxPlus::eIsoationMax: - pBox->SetBool("HideNonSystemProcess", true); + pBox->SetBool("HideNonSystemProcesses", true); pBox->InsertText("Template", "BlockAccessWMI"); pBox->InsertText("Template", "BlockDNS"); pBox->SetBool("HideOtherBoxes", true); From 01eacac7b9222a676db28468646d5c018ece1f09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=88=B1=E7=BC=96=E7=A8=8B=E7=9A=84=E5=8F=B6=E4=B8=80?= =?UTF-8?q?=E7=AC=91?= <92030377+love-code-yeyixiao@users.noreply.github.com> Date: Fri, 7 Jun 2024 20:22:26 +0800 Subject: [PATCH 35/44] Debug --- Sandboxie/core/dll/sysinfo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
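Review bot: The `NetworkAccess` rule in `Template_BlockLocalConnect` covers the IPv4 loopback range only, so traffic to `::1` or to one of the machine's own interface addresses is not matched and the template promises more than it blocks. If the `NetworkAccess` syntax accepts IPv6 literals, add a matching line for `::1`. `Tmpl.Title` should also say that only loopback is covered, so users do not rely on it for host services bound to other addresses.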
diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 6e560e8a..322d5317 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -206,7 +206,10 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( SysInfo_DiscardProcesses(Buffer); } - if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { + + /* + //Disabled it now + if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { HKEY hKey=NULL; PVOID lpData=NULL; DWORD dwLen = 0; @@ -237,7 +240,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( *ReturnLength = dwLen; } } - +*/ return status; } From f29615d9654f43aa937c3f45323874c87dfca458 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 10:15:17 +0800 Subject: [PATCH 36/44] Debug --- Sandboxie/core/dll/file.c | 4 ++-- Sandboxie/core/dll/sysinfo.c | 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index 9c8cb3f2..8e2d089c 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c @@ -3520,8 +3520,8 @@ ReparseLoop: //Disabled it now to test. if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) status = File_MigrateFile( - TruePath, CopyPath, IsWritePath, TRUE);*/ - else + TruePath, CopyPath, IsWritePath, TRUE); + else*/ if (FileType & TYPE_REPARSE_POINT) { status = File_MigrateJunction( diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 322d5317..a4ebb43d 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -207,8 +207,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( SysInfo_DiscardProcesses(Buffer); } - /* - //Disabled it now + if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { HKEY hKey=NULL; PVOID lpData=NULL; @@ -240,7 +239,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( *ReturnLength = dwLen; } } -*/ + return status; } From 007b530cf19a867ed91bb734a5b73f697cd07133 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 10:35:19 +0800 Subject: [PATCH 37/44] Debug --- Sandboxie/core/dll/file.c | 7 +++---- Sandboxie/core/dll/sysinfo.c | 21 +++++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index 8e2d089c..a604b60a 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c @@ -3516,12 +3516,11 @@ ReparseLoop: // open, for a CopyPath that does not exist, must also include // write access, or else it would have been handled earlier already) // - /* - //Disabled it now to test. - if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) + + if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) status = File_MigrateFile( TruePath, CopyPath, IsWritePath, TRUE); - else*/ + if (FileType & TYPE_REPARSE_POINT) { status = File_MigrateJunction( diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index a4ebb43d..ec3329a4 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
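Review bot: Restoring the `CopyFileOnOpen` branch in file.c without its `else` means a reparse point now runs `File_MigrateFile` and then `File_MigrateJunction`, and the second call overwrites the `status` of the first. Before the "Disabled it now to test" edits the two were chained, so put the link back: `else if (FileType & TYPE_REPARSE_POINT) {`. The rest of the block lies outside the hunk, so any branch after the junction case should be checked against the same chain.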
@@ -337,11 +337,12 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) if (next == curr) break; SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); + //SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); BOOL hideProcess = FALSE; - if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) { - hideProcess = TRUE; - } - else + //if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) { + // hideProcess = TRUE; + //} + //else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { hideProcess = TRUE; } @@ -357,12 +358,12 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) } } } - if (!hideProcess) { - if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { - if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)) - hideProcess = TRUE; - } - } + //if (!hideProcess) { + // if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { + // if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)) + // hideProcess = TRUE; + // } + //} } if (!hideProcess) From f03dab86b0f4b19d5513a450f2406e5cf07f8262 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 16:00:57 +0800 Subject: [PATCH 38/44] Fix --- Sandboxie/core/dll/sysinfo.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index ec3329a4..5e59ade4 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -302,7 +302,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) ULONG hiddenProcessesLen = 100 * 110; // we can hide up to 100 processes, should be enough WCHAR hiddenProcess[110]; ULONG tempSession = 0; - WCHAR* tempSid = L""; + WCHAR tempSid[96] = {0}; for (ULONG index = 0; ; ++index) { NTSTATUS status = SbieApi_QueryConfAsIs(NULL, L"HideHostProcess", index, hiddenProcess, 108 * sizeof(WCHAR)); @@ -336,13 +336,13 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset); if (next == curr) break; + SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); - //SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); BOOL hideProcess = FALSE; - //if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) { - // hideProcess = TRUE; - //} - //else + if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) { + hideProcess = TRUE; + } + else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { hideProcess = TRUE; } 
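Review bot: In the `@@ -336,13 +336,13 @@` hunk the result of `SbieApi_QueryProcess` is ignored, and an empty `tempSid` fails every `_wcsnicmp` prefix test, so a process for which no SID came back is treated as non-system and hidden when `HideNonSystemProcesses` is set. Whether the call fills the SID for processes outside any box is not visible here; if it does not, the SID allow-list never exempts anything. Making the empty case explicit, e.g. `if (tempSid[0] != L'\0' && ...)` or a separate branch for it, documents which outcome is intended. The comparisons are also prefix matches, so `L"S-1-5-6", 7` accepts any SID string that merely begins with `S-1-5-6`. The same condition is carried into the `@@ -336,21 +336,26 @@` hunk of the following commit.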
@@ -358,12 +358,12 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) } } } - //if (!hideProcess) { - // if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { - // if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)) - // hideProcess = TRUE; - // } - //} + if (!hideProcess) { + if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { + if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)) + hideProcess = TRUE; + } + } } if (!hideProcess) From 843def289d328989d69ee9351bd5612f3bf17c01 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 17:39:57 +0800 Subject: [PATCH 39/44] Fix --- Sandboxie/core/dll/sysinfo.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 5e59ade4..16ec7a0f 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -336,21 +336,26 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset); if (next == curr) break; - - SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession); + WCHAR* imageFileName = NULL; + SbieApi_QueryProcess(next->UniqueProcessId, boxname,imageFileName, tempSid, &tempSession); BOOL hideProcess = FALSE; - if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) { + if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE) && !*boxname) { hideProcess = TRUE; } else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { hideProcess = TRUE; } - else if(next->ImageName.Buffer) { + else + if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) { + + hideProcess = TRUE; + } + else if(hiddenProcesses && next->ImageName.Buffer) { WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\'); if (imagename) imagename += 1; // skip L'\\' else imagename = next->ImageName.Buffer; - if (hiddenProcesses && !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { + if ( !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) { if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) { hideProcess = TRUE; 
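Review bot: `imageFileName` is initialised to `NULL`, passed by value to `SbieApi_QueryProcess`, and then dereferenced in `*imageFileName`, so with `HideSbieProcesses=y` the first process entry that reaches this branch reads through a null pointer inside the hooked process-list query. The call also cannot return a name through a null pointer, so the `wcsstr` tests would never see data even if the dereference were guarded. Use a local array sized as `SbieApi_QueryProcess` requires for its image-name argument (its declaration is outside this hunk), e.g. `WCHAR imageFileName[IMAGE_NAME_CCH] = {0};` with `IMAGE_NAME_CCH` standing in for that size, and test `imageFileName[0]` instead. Note that `wcsstr` matches the substring anywhere in the name, so an unrelated process whose image name merely contains `Sbie` would be hidden as well.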
@@ -358,12 +363,6 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) } } } - if (!hideProcess) { - if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) { - if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)) - hideProcess = TRUE; - } - } } if (!hideProcess) From 29f3230afd1fa7304bf0435a3f8ee8ad761c7369 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 19:32:31 +0800 Subject: [PATCH 40/44] #3975 --- CHANGELOG.md | 21 ++++++++++++++------- Sandboxie/core/dll/gui.c | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e33ba93d..cad833d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,19 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). +## [1.14.2 / 5.69.2] - 2024-??-?? + +### Added +- Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes. +- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). +- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue +- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. +- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox. +- Add new box type "Maximize Isolation Sandbox". +- Add new option "AllowCoverTaskbar" for #3975. + +### Changed +- Extend "Temp Template" to make it could delete local template section. ## [1.14.1 / 5.69.1] - 2024-06-06 
@@ -14,17 +27,11 @@ This project adheres to [Semantic Versioning](http://semver.org/). - Add UI option to start unsandboxed process but force child processes in SelectBoxWindow. - Add option "AlertBeforeStart".When it is set,a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself,if it is not, a warning pops up. - Add option for EditAdminOnly in SetupWizard. -- Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes. -- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). -- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue -- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. -- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox. -- Add new box type "Maximize Isolation Sandbox". + ### Changed - split the advanced new box wizard page in two - reorganized box options a bit -- Extend "Temp Template" to make it could delete local template section. ### Fixed - fixed issue with proxy authentication setting diff --git a/Sandboxie/core/dll/gui.c b/Sandboxie/core/dll/gui.c index b94a1026..8e2aca6d 100644 --- a/Sandboxie/core/dll/gui.c +++ b/Sandboxie/core/dll/gui.c 
@@ -1356,6 +1356,35 @@ _FX HWND Gui_CreateWindowExW( // replace parent // + if (Gui_BlockInterferenceControl && !SbieApi_QueryConfBool(NULL, L"AllowCoverTaskbar", FALSE)) { + + typedef BOOL(*P_SystemParametersInfoA)(UINT uiAction, UINT uiParam, PVOID pvParam, UINT fWinIni); + static P_SystemParametersInfoA SystemParametersInfoA = NULL; + if (!SystemParametersInfoA) SystemParametersInfoA = Ldr_GetProcAddrNew(L"user32.dll", L"SystemParametersInfoA", "SystemParametersInfoA"); + + typedef int (*P_GetSystemMetrics)(int nIndex); + static P_GetSystemMetrics GetSystemMetrics = NULL; + if (!GetSystemMetrics) GetSystemMetrics = Ldr_GetProcAddrNew(L"user32.dll", L"GetSystemMetrics", "GetSystemMetrics"); + + if (SystemParametersInfoA && GetSystemMetrics) { + + RECT rt; + SystemParametersInfoA(SPI_GETWORKAREA, 0, &rt, 0); + int y1 = GetSystemMetrics(SM_CYSCREEN) - rt.bottom; + int x1 = GetSystemMetrics(SM_CXSCREEN) - rt.right; + int y2 = GetSystemMetrics(SM_CYSCREEN) - rt.top; + int x2 = GetSystemMetrics(SM_CXSCREEN) - rt.left; + if (y + nHeight > y1) + nHeight = y1 - y - 2; + if (y < y2) + y = y2 + 2; + if (x + nWidth > x1) + nWidth = x1 - x; + if (x < x2) + x = x2 + 2; + } + } + if ((! Gui_DisableTitle) && lpWindowName && (dwStyle & WS_CAPTION) == WS_CAPTION && ((! hWndParent) || (dwStyle & WS_CHILD) == 0)) @@ -1946,7 +1975,7 @@ _FX BOOL Gui_MoveWindow( return FALSE; } - if (Gui_BlockInterferenceControl) { + if (Gui_BlockInterferenceControl && !SbieApi_QueryConfBool(NULL, L"AllowCoverTaskbar", FALSE)) { typedef BOOL (*P_SystemParametersInfoA)(UINT uiAction, UINT uiParam, PVOID pvParam, UINT fWinIni); static P_SystemParametersInfoA SystemParametersInfoA = NULL; 
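Review bot: The clamp added to `Gui_CreateWindowExW` runs for every window before the `WS_CHILD` test that follows it, so it also rewrites child windows, whose `x`/`y` are relative to the parent's client area, and calls that pass `CW_USEDEFAULT`, where `y + nHeight` is not a real coordinate. Restricting it to top-level windows with explicit geometry avoids that: `if (Gui_BlockInterferenceControl && !(dwStyle & WS_CHILD) && x != CW_USEDEFAULT && y != CW_USEDEFAULT && ...)`. The bounds are worth a second look too: `y1` is `SM_CYSCREEN - rt.bottom`, which is the height of the strip below the work area rather than its bottom edge, so comparing `y + nHeight` against it appears to shrink almost every window; `rt.bottom` and `rt.right` look like the intended limits. The return value of `SystemParametersInfoA` is not checked, so `rt` can be used uninitialised. The function body continues outside the hunk.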
@@ -1998,7 +2027,7 @@ _FX BOOL Gui_SetWindowPos( // use SbieSvc GUI Proxy if hWnd is accessible but outside the sandbox // - if (Gui_BlockInterferenceControl) { + if (Gui_BlockInterferenceControl&&!SbieApi_QueryConfBool(NULL,L"AllowCoverTaskbar",FALSE)) { if (hWndInsertAfter == HWND_TOPMOST || hWndInsertAfter == HWND_TOP) hWndInsertAfter = HWND_DESKTOP; From a28ffe0e0b239def2a3876339db40bd69b33e80e Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 19:40:28 +0800 Subject: [PATCH 41/44] UI --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 15 +++++++++++---- SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp | 8 ++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index fdd5988e..e2ba78ce 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -672,7 +672,7 @@ Restrictions - + @@ -717,7 +717,7 @@ - + @@ -864,7 +864,14 @@ - + + + + Allow sandboxed windows to cover taskbar + + + + This feature does not block all means of obtaining a screen capture, only some common ones. @@ -874,7 +881,7 @@ - + Qt::Vertical diff --git a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp index 00681106..09f1ce6d 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp @@ -192,6 +192,7 @@ void COptionsWindow::CreateGeneral() connect(ui.chkEncrypt, SIGNAL(clicked(bool)), this, SLOT(OnDiskChanged())); connect(ui.chkForceProtection, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); connect(ui.chkUserOperation, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); + connect(ui.chkCoverBar, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged())); connect(ui.btnPassword, SIGNAL(clicked(bool)), this, SLOT(OnSetPassword())); bool bImDiskReady = theGUI->IsImDiskReady(); 
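Review bot: In `Gui_SetWindowPos` the new `AllowCoverTaskbar` test guards the whole `Gui_BlockInterferenceControl` block, and the first statement in that block is the `HWND_TOPMOST`/`HWND_TOP` to `HWND_DESKTOP` rewrite. Setting `AllowCoverTaskbar=y` therefore also lets sandboxed windows request topmost Z-order again, which is a wider relaxation than the option name or its UI label ("Allow sandboxed windows to cover taskbar") suggests. If only the geometry restriction is meant to be optional, keep `if (Gui_BlockInterferenceControl) {` around the Z-order rewrite and apply the new condition to the position handling alone. The remainder of the block is outside the hunk.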
@@ -283,8 +284,11 @@ void COptionsWindow::LoadGeneral() ui.chkPrintToFile->setChecked(m_pBox->GetBool("AllowSpoolerPrintToFile", false)); ui.lineSingleMemory->setText(m_pBox->GetText("ProcessMemoryLimit", "")); + ui.lineSingleMemory->setEnabled(true); ui.lineTotalMemory->setText(m_pBox->GetText("TotalMemoryLimit", "")); + ui.lineTotalMemory->setEnabled(true); ui.lineTotalNumber->setText(m_pBox->GetText("TotalNumberLimit", "")); + ui.lineTotalNumber->setEnabled(true); //ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false)); ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage")); @@ -338,6 +342,7 @@ void COptionsWindow::LoadGeneral() ui.chkEncrypt->setChecked(m_pBox->GetBool("UseFileImage", false)); ui.chkForceProtection->setChecked(m_pBox->GetBool("ForceProtectionOnMount", false)); ui.chkUserOperation->setChecked(m_pBox->GetBool("BlockInterferenceControl", false)); + ui.chkCoverBar->setChecked(m_pBox->GetBool("AllowCoverTaskbar", false)); if (ui.chkRamBox->isEnabled()) { ui.chkEncrypt->setEnabled(!ui.chkRamBox->isChecked()); ui.chkForceProtection->setEnabled(!ui.chkRamBox->isChecked()); @@ -441,6 +446,7 @@ void COptionsWindow::SaveGeneral() WriteAdvancedCheck(ui.chkProtectPower, "BlockInterferePower", "y", ""); WriteAdvancedCheck(ui.chkForceProtection, "ForceProtectionOnMount", "y", ""); WriteAdvancedCheck(ui.chkUserOperation, "BlockInterferenceControl", "y", ""); + WriteAdvancedCheck(ui.chkCoverBar, "AllowCoverTaskbar", "y", ""); WriteAdvancedCheck(ui.chkVmReadNotify, "NotifyProcessAccessDenied", "y", ""); //WriteAdvancedCheck(ui.chkOpenSmartCard, "OpenSmartCard", "", "n"); //WriteAdvancedCheck(ui.chkOpenBluetooth, "OpenBluetooth", "y", ""); 
@@ -814,6 +820,8 @@ void COptionsWindow::OnGeneralChanged() ui.lineTotalMemory->setEnabled(ui.chkAddToJob->isChecked()); ui.lineTotalNumber->setEnabled(ui.chkAddToJob->isChecked()); + ui.chkCoverBar->setEnabled(ui.chkUserOperation->isChecked()); + ui.chkOpenCredentials->setEnabled(!ui.chkOpenProtectedStorage->isChecked()); if (!ui.chkOpenCredentials->isEnabled()) ui.chkOpenCredentials->setChecked(true); From 65dc8cd4a91adb94d527f4674e5068dc473db707 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 20:42:14 +0800 Subject: [PATCH 42/44] Update CHANGELOG.MD --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cad833d0..daa8c2df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [1.14.2 / 5.69.2] - 2024-??-?? ### Added -- Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes. +- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes. - Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). - When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue - Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. From 4ed9234691a3dc13d08bc2853ef40dcda11f6f39 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sat, 8 Jun 2024 21:46:06 +0800 Subject: [PATCH 43/44] UI --- SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 313 +++++++++--------- .../SandMan/Windows/OptionsAccess.cpp | 3 + .../SandMan/Windows/OptionsGeneral.cpp | 26 +- 3 files changed, 170 insertions(+), 172 deletions(-) 
diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui index 0d1dc9ac..7445156a 100644 --- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui +++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui @@ -7,7 +7,7 @@ 0 0 835 - 588 + 575 @@ -45,7 +45,7 @@ QTabWidget::North - 0 + 6 
@@ -3086,125 +3086,125 @@ To specify a process use '$:program.exe' as path. Access Policies - - - 9 - - - 9 - - - 9 - - - 9 - + - - - - - - 75 - true - true - - - - Rule Policies - - - - - - - Apply Close...=!<program>,... rules also to all binaries located in the sandbox. - - - - - - - Prioritize rules based on their Specificity and Process Match Level - - - - - - - Apply File and Key Open directives only to binaries located outside the sandbox. - - - - - - - Qt::Horizontal - - - - 40 - 20 - - - - - - - - - 75 - true - true - - - - Access Mode - - - - - - - The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path. + + + + 75 + true + true + + + + Access Mode + + + + + + + Privacy Mode, block file and registry access to all locations except the generic system ones + + + + + + + When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled. + + + true + + + + + + + Prevent sandboxed processes from accessing system deatils through WMI + + + + + + + Some programs read system deatils through WMI(A Windows built-in database) +instead of normal ways.For example,"tasklist.exe" could get full processes list +even if "HideOtherBoxes" is opened through accessing WMI.Enable this option to stop these heavior. 
+ + + + + + + + 75 + true + true + + + + Rule Policies + + + + + + + Prioritize rules based on their Specificity and Process Match Level + + + + + + + The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path. The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process. - - - true - - - - - - - Privacy Mode, block file and registry access to all locations except the generic system ones - - - - - - - Qt::Vertical - - - - 20 - 40 - - - - - - - - When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled. - - - true - - - - + + + true + + + + + + + Apply Close...=!<program>,... rules also to all binaries located in the sandbox. + + + + + + + Apply File and Key Open directives only to binaries located outside the sandbox. + + + + + + + Qt::Vertical + + + + 20 + 81 + + + + + + + + Qt::Horizontal + + + + 638 + 20 + + +
@@ -4253,7 +4253,7 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - 4 + 2 @@ -4640,25 +4640,6 @@ This is done to prevent rogue processes inside the sandbox from creating a renam Hide Processes - - 3 - - - 6 - - - 3 - - - 3 - - - - - Add Process - - - @@ -4666,7 +4647,31 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - + + + + Don't allow sandboxed processes to see processes running outside any boxes + + + + + + + Add Process + + + + + + + Hide host processes from processes running in the sandbox. + + + true + + + + Qt::Vertical @@ -4679,24 +4684,21 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - - - - Hide host processes from processes running in the sandbox. - - - true - - - - + Show Templates - + + + + Remove + + + + true @@ -4713,13 +4715,6 @@ This is done to prevent rogue processes inside the sandbox from creating a renam - - - - Remove - - - diff --git a/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp b/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp index 4167969e..110a61c4 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp @@ -15,6 +15,7 @@ void COptionsWindow::CreateAccess() // Resource Access connect(ui.chkPrivacy, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged())); connect(ui.chkUseSpecificity, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged())); + connect(ui.chkBlockWMI, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged())); connect(ui.chkCloseForBox, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged())); connect(ui.chkNoOpenForBox, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged())); // 
@@ -156,6 +157,7 @@ void COptionsWindow::LoadAccessList() { ui.chkPrivacy->setChecked(m_pBox->GetBool("UsePrivacyMode", false)); ui.chkUseSpecificity->setChecked(m_pBox->GetBool("UseRuleSpecificity", false)); + ui.chkBlockWMI->setChecked(m_BoxTemplates.contains("BlockAccessWMI")); ui.chkCloseForBox->setChecked(m_pBox->GetBool("AlwaysCloseForBoxed", true)); ui.chkNoOpenForBox->setChecked(m_pBox->GetBool("DontOpenForBoxed", true)); @@ -694,6 +696,7 @@ void COptionsWindow::SaveAccessList() { WriteAdvancedCheck(ui.chkPrivacy, "UsePrivacyMode", "y", ""); WriteAdvancedCheck(ui.chkUseSpecificity, "UseRuleSpecificity", "y", ""); + SetTemplate("BlockAccessWMI", ui.chkBlockWMI->isChecked()); WriteAdvancedCheck(ui.chkCloseForBox, "AlwaysCloseForBoxed", "", "n"); WriteAdvancedCheck(ui.chkNoOpenForBox, "DontOpenForBoxed", "", "n"); diff --git a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp index c22213e4..e2853c8b 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp 
@@ -1068,18 +1068,18 @@ void COptionsWindow::UpdateBoxType() bool bPrivacyMode = ui.chkPrivacy->isChecked(); bool bSecurityMode = ui.chkSecurityMode->isChecked(); bool bAppBox = ui.chkNoSecurityIsolation->isChecked(); - bool bIsoationMax = m_pBox->GetBool("HideNonSystemProcess") - && m_pBox->GetBool("HideNonSystemProcesses") - && m_pBox->GetBool("HideOtherBoxes") - && m_pBox->GetBool("ClosePrintSpooler") - && m_pBox->GetBool("BlockInterferePower") - && !m_pBox->GetBool("OpenClipboard") - && m_pBox->GetBool("BlockInterferenceControl") - && m_pBox->GetBool("BlockScreenCapture") - && m_pBox->GetBool("ConfidentialBox") - && m_pBox->GetBool("CoverBoxedWindows") - && m_pBox->GetBool("AlertBeforeStart") - && m_pBox->GetBool("ForceProtectionOnMount") + bool bIsoationMax = ui.chkHideHostProcesses->isChecked() + && ui.chkBlockWMI->isChecked() + && ui.chkHideOtherBoxes->isChecked() + && ui.chkBlockSpooler->isChecked() + && ui.chkProtectPower->isChecked() + && ui.chkCloseClipBoard->isChecked() + && ui.chkUserOperation->isChecked() + && ui.chkBlockCapture->isChecked() + && ui.chkConfidential->isChecked() + && ui.chkProtectWindow->isChecked() + && ui.chkAlertBeforeStart->isChecked() + && ui.chkForceProtection->isChecked() && bSecurityMode && bPrivacyMode && !bAppBox; int BoxType; @@ -1130,7 +1130,7 @@ void COptionsWindow::OnBoxTypChanged() pBox->SetNum64("ProcessMemoryLimit", 80000000); pBox->SetNum("ProcessNumberLimit", 20); pBox->SetBool("ProtectHostImages", true);*/ - SetTemplate("BlockAccessWMI", true); + ui.chkBlockWMI->setChecked(true); ui.chkBlockDns->setChecked(true); ui.chkHideOtherBoxes->setChecked(true); ui.chkCloseClipBoard->setChecked(true); From 1d8aaf940c28af2bda0dde3f97f85ba4c0055bd6 Mon Sep 17 00:00:00 2001 From: love-code-yeyixiao <188240888@qq.com> Date: Sun, 9 Jun 2024 16:25:29 +0800 Subject: [PATCH 44/44] Fix --- SandboxiePlus/SandMan/SbiePlusAPI.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.cpp b/SandboxiePlus/SandMan/SbiePlusAPI.cpp index ad2a5865..7598b2ca 100644 --- a/SandboxiePlus/SandMan/SbiePlusAPI.cpp +++ b/SandboxiePlus/SandMan/SbiePlusAPI.cpp @@ -814,7 +814,7 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const return eInsecure; BOOL isMAX = GetBool("HideNonSystemProcesses") && - GetBool("HideOtherBoxes") && + GetBool("HideOtherBoxes",true) && GetBool("ClosePrintSpooler") && !GetBool("OpenClipboard") && GetBool("BlockInterferePower") &&
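Review bot: `GetBool("HideOtherBoxes",true)` makes the box-type classifier treat an unset `HideOtherBoxes` as enabled, so a box can be labelled as the maximum-isolation type without the key ever being written. The label is only accurate if the code that enforces the option reads it with the same default; the `hideOther` value used in `SysInfo_DiscardProcesses` is initialised outside the hunks shown on this page, so please confirm the two defaults agree. A comment next to the call, such as `// default must match the HideOtherBoxes default read in core/dll/sysinfo.c`, would keep them from drifting apart. The `isMAX` expression continues past the end of the hunk.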