BSOD fix

2024-05-24 23:00:37 +02:00 · 2024-05-24 23:00:37 +02:00 · abcd8b989c
parent 46a6e5f508
commit abcd8b989c
3 changed files with 61 additions and 5 deletions
--- a/Sandboxie/core/drv/driver.h
+++ b/Sandboxie/core/drv/driver.h
@ -98,7 +98,8 @@ extern P_NtSetInformationToken          ZwSetInformationToken;
 #endif // OLD_DDK

 #ifdef _M_ARM64
-NTSTATUS Sbie_CallZwServiceFunction_asm(UINT_PTR arg1, UINT_PTR arg2, UINT_PTR arg3, UINT_PTR arg4, UINT_PTR arg5, UINT_PTR arg6, UINT_PTR arg7, UINT_PTR arg8, 
+NTSTATUS Sbie_CallZwServiceFunction_asm(
+    UINT_PTR arg1, UINT_PTR arg2, UINT_PTR arg3, UINT_PTR arg4, UINT_PTR arg5, UINT_PTR arg6, UINT_PTR arg7, UINT_PTR arg8, 
    UINT_PTR arg9, UINT_PTR arg10, UINT_PTR arg11, UINT_PTR arg12, UINT_PTR arg13, UINT_PTR arg14, UINT_PTR arg15, UINT_PTR arg16, UINT_PTR arg17, UINT_PTR arg18, UINT_PTR arg19,
    UINT_PTR svc_num);

@ -106,6 +107,11 @@ extern void*                            Driver_KiServiceInternal;
 extern USHORT                           ZwCreateToken_num;
 extern USHORT                           ZwCreateTokenEx_num;
 #else
+#ifdef _WIN64
+NTSTATUS Sbie_CallFunction_asm(VOID* func, 
+    UINT_PTR arg1, UINT_PTR arg2, UINT_PTR arg3, UINT_PTR arg4, UINT_PTR arg5, UINT_PTR arg6, UINT_PTR arg7, UINT_PTR arg8, 
+    UINT_PTR arg9, UINT_PTR arg10, UINT_PTR arg11, UINT_PTR arg12, UINT_PTR arg13, UINT_PTR arg14, UINT_PTR arg15, UINT_PTR arg16, UINT_PTR arg17, UINT_PTR arg18, UINT_PTR arg19);
+#endif
 extern P_NtCreateToken                  ZwCreateToken;
 extern P_NtCreateTokenEx                ZwCreateTokenEx;
 #endif
--- a/Sandboxie/core/drv/token.c
+++ b/Sandboxie/core/drv/token.c
@ -2114,15 +2114,28 @@ _FX NTSTATUS SbieCreateToken(PHANDLE TokenHandle, ACCESS_MASK DesiredAccess, POB
            ZwCreateToken_num);
 #else
    if (ZwCreateTokenEx) { // Win 8+
+#ifdef _WIN64
+        return Sbie_CallFunction_asm(ZwCreateTokenEx, (UINT_PTR)TokenHandle, (UINT_PTR)DesiredAccess, (UINT_PTR)ObjectAttributes,
+            (UINT_PTR)Type, (UINT_PTR)AuthenticationId, (UINT_PTR)ExpirationTime, (UINT_PTR)User, (UINT_PTR)Groups, (UINT_PTR)Privileges,
+            (UINT_PTR)UserAttributes, (UINT_PTR)DeviceAttributes, (UINT_PTR)DeviceGroups, (UINT_PTR)MandatoryPolicy,
+            (UINT_PTR)Owner, (UINT_PTR)PrimaryGroup, (UINT_PTR)DefaultDacl, (UINT_PTR)Source, 0, 0);
+#else
        return ZwCreateTokenEx(TokenHandle, DesiredAccess, ObjectAttributes,
            Type, AuthenticationId, ExpirationTime, User, Groups, Privileges,
            UserAttributes, DeviceAttributes, DeviceGroups, MandatoryPolicy,
            Owner, PrimaryGroup, DefaultDacl, Source);
+#endif
    }
    if (ZwCreateToken) {
-        NTSTATUS status =  ZwCreateToken(TokenHandle, DesiredAccess, ObjectAttributes,
+#ifdef _WIN64
+        NTSTATUS status = Sbie_CallFunction_asm(ZwCreateToken, (UINT_PTR)TokenHandle, (UINT_PTR)DesiredAccess, (UINT_PTR)ObjectAttributes,
+            (UINT_PTR)Type, (UINT_PTR)AuthenticationId, (UINT_PTR)ExpirationTime, (UINT_PTR)User, (UINT_PTR)Groups, (UINT_PTR)Privileges,
+            (UINT_PTR)Owner, (UINT_PTR)PrimaryGroup, (UINT_PTR)DefaultDacl, (UINT_PTR)Source, 0, 0, 0, 0, 0, 0);
+#else
+        NTSTATUS status = ZwCreateToken(TokenHandle, DesiredAccess, ObjectAttributes,
            Type, AuthenticationId, ExpirationTime, User, Groups, Privileges,
            Owner, PrimaryGroup, DefaultDacl, Source);
+#endif
 #endif
        if (NT_SUCCESS(status)) {
            if(MandatoryPolicy)
--- a/Sandboxie/core/drv/util_asm.asm
+++ b/Sandboxie/core/drv/util_asm.asm
@ -228,6 +228,43 @@ endif

 ;----------------------------------------------------------------------------

+ifdef _WIN64
+Sbie_CallFunction_asm PROC FRAME
+
+    mov         qword ptr [rsp+20h],r9
+    mov         qword ptr [rsp+18h],r8
+    mov         qword ptr [rsp+10h],rdx
+    mov         qword ptr [rsp+8],rcx
+
+    push        rsi
+    .pushreg    rsi
+    push        rdi
+    .pushreg    rdi
+    sub         rsp,0A8h
+    .allocstack 0A8h
+    .endprolog
+
+    lea         rsi, [rsp+0E8h]
+    lea         rdi, [rsp+020h]
+    mov         rcx, 15
+    rep         movsq
+
+    mov         r9,qword ptr [rsp+0E0h]
+    mov         r8,qword ptr [rsp+0D8h]
+    mov         rdx,qword ptr [rsp+0D0h]
+    mov         rcx,qword ptr [rsp+0C8h]
+    call        qword ptr [rsp+0C0h]
+
+    add         rsp,0A8h
+    pop         rdi
+    pop         rsi
+    ret
+
+Sbie_CallFunction_asm ENDP
+endif
+
+;----------------------------------------------------------------------------
+
 ifdef _WIN64

 EXTERN Token_SepFilterToken : QWORD
@ -237,9 +274,9 @@ Sbie_SepFilterTokenHandler_asm PROC FRAME
    mov         qword ptr [rsp+20h],r9  
    mov         qword ptr [rsp+18h],r8  
    mov         qword ptr [rsp+10h],rdx  
-    mov         qword ptr [rsp+8],rcx  
+    mov         qword ptr [rsp+8],rcx

-    sub         rsp,78h  
+    sub         rsp,78h                  ; 8 * 15 - reserve stack space
    .allocstack 78h
    .endprolog

@ -259,7 +296,7 @@ Sbie_SepFilterTokenHandler_asm PROC FRAME
    mov         r8d,0
    mov         edx,0
    mov         rcx,qword ptr [rsp+080h] ; TokenObject 
-    call        Token_SepFilterToken
+    call        Token_SepFilterToken     ; 11 arguments

    add         rsp,78h