From add64d53e54baf042deaab7ea80f3666168d1fc3 Mon Sep 17 00:00:00 2001
From: DavidXanatos
Date: Fri, 23 Jul 2021 09:44:35 +0200
Subject: [PATCH]
---
 CHANGELOG.md | 5 ++-
 Sandboxie/core/drv/file.c | 4 +--
 Sandboxie/core/drv/file_flt.c | 2 +-
 Sandboxie/core/drv/key_flt.c | 2 +-
 Sandboxie/core/drv/process.c | 7 +++++
 Sandboxie/core/drv/process.h | 2 ++
 SandboxiePlus/QSbieAPI/Sandboxie/SbieIni.cpp | 2 +-
 SandboxiePlus/SandMan/SandMan.cpp | 19 +++++++++++-
 SandboxiePlus/SandMan/SbiePlusAPI.cpp | 7 +++--
 SandboxiePlus/SandMan/SbiePlusAPI.h | 2 +-
 SandboxiePlus/SandMan/main.cpp | 32 ++++++++++++++------
 11 files changed, 65 insertions(+), 19 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b30d5f3..0a79f39b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,7 +33,10 @@ This project adheres to [Semantic Versioning](http://semver.org/). -- Note: a process must have administrative privileges to be able to use this API - added a UI option to switch "MsiInstallerExemptions=y" on and off -- just in case a future windows build breaks something for the systemless mode - +- added sample code for ObRegisterCallbacks to the driver +- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" allowing to disable file and registry filtering +-- Note: this options are for testing only and disable core parts of the sandbox isolation - added a few CommandLone options to sandman.exe ### Changed - greately improved the performanceof the trace log, but its no longer possible to log to booth sandman and sbiectrl at the same time
diff --git a/Sandboxie/core/drv/file.c b/Sandboxie/core/drv/file.c
index e971cc39..464e462e 100644
--- a/Sandboxie/core/drv/file.c
+++ b/Sandboxie/core/drv/file.c
@@ -983,13 +983,13 @@ _FX NTSTATUS File_Generic_MyParseProc(
 // skip requests dealing with devices we don't care about
 //
- if (device_type != FILE_DEVICE_DISK &&
+ if ((device_type != FILE_DEVICE_DISK &&
 device_type != FILE_DEVICE_NAMED_PIPE &&
 device_type != FILE_DEVICE_MAILSLOT &&
 device_type != FILE_DEVICE_NETWORK &&
 device_type != FILE_DEVICE_MULTI_UNC_PROVIDER &&
 device_type != FILE_DEVICE_NETWORK_FILE_SYSTEM &&
- device_type != FILE_DEVICE_DFS)
+ device_type != FILE_DEVICE_DFS) || proc->disable_file_flt)
 {
 if ((proc->file_trace & TRACE_IGNORE) || Session_MonitorCount) {
diff --git a/Sandboxie/core/drv/file_flt.c b/Sandboxie/core/drv/file_flt.c
index 294ea282..24322e30 100644
--- a/Sandboxie/core/drv/file_flt.c
+++ b/Sandboxie/core/drv/file_flt.c
@@ -432,7 +432,7 @@ _FX FLT_PREOP_CALLBACK_STATUS File_PreOperation(
 status = STATUS_PROCESS_IS_TERMINATING;
 goto finish;
 }
- if (!proc || proc->bHostInject)
+ if (!proc || proc->bHostInject || proc->disable_file_flt)
 goto finish;
 //
diff --git a/Sandboxie/core/drv/key_flt.c b/Sandboxie/core/drv/key_flt.c
index 60273307..ce3dd9f4 100644
--- a/Sandboxie/core/drv/key_flt.c
+++ b/Sandboxie/core/drv/key_flt.c
@@ -228,7 +228,7 @@ _FX NTSTATUS Key_Callback(void *Context, void *Arg1, void *Arg2)
 if (status != STATUS_SUCCESS)
 return status;
- if (!proc || proc->bHostInject)
+ if (!proc || proc->bHostInject || proc->disable_key_flt)
 return STATUS_SUCCESS;
 //
diff --git a/Sandboxie/core/drv/process.c b/Sandboxie/core/drv/process.c
index 2cf57295..fa6203ad 100644
--- a/Sandboxie/core/drv/process.c
+++ b/Sandboxie/core/drv/process.c
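Review bot: In the file.c hunk `proc->disable_file_flt` is appended as the last term of a seven-clause device-type test although it is a per-process constant that makes the rest of the condition irrelevant; leading with it, `if (proc->disable_file_flt || (device_type != FILE_DEVICE_DISK &&`, reads as the bypass it is and keeps the closing parenthesisation at `device_type != FILE_DEVICE_DFS))` simple. The same flag and its registry counterpart also short-circuit File_PreOperation (`goto finish`) and Key_Callback (`return STATUS_SUCCESS`) in the file_flt.c and key_flt.c hunks, mirroring the existing bHostInject handling, yet none of the three sites says what the flag is; a comment such as `// DisableFileFilter=y (debug option, testing only): skip file isolation for this process` at each site would save a reader from tracing it back to Process_Create. With the flag set a request in file.c also takes the branch guarded by `(proc->file_trace & TRACE_IGNORE) || Session_MonitorCount`, whose body is outside the hunk, so it is presumably reported like an ignored device — worth confirming that this is the intended trace output for a box with filtering disabled. File_Generic_MyParseProc, File_PreOperation and Key_Callback all start and end outside their hunks.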
@@ -726,6 +726,13 @@ _FX PROCESS *Process_Create(
 proc->disable_monitor = Conf_Get_Boolean(proc->box->name, L"DisableResourceMonitor", 0, FALSE);
+ //
+ // initialize debug options
+ //
+
+ proc->disable_file_flt = Conf_Get_Boolean(proc->box->name, L"DisableFileFilter", 0, FALSE);
+ proc->disable_key_flt = Conf_Get_Boolean(proc->box->name, L"DisableKeyFilter", 0, FALSE);
+
 //
 // initialize trace flags
 //
diff --git a/Sandboxie/core/drv/process.h b/Sandboxie/core/drv/process.h
index 3ac2aa94..45075efd 100644
--- a/Sandboxie/core/drv/process.h
+++ b/Sandboxie/core/drv/process.h
@@ -145,6 +145,7 @@ struct _PROCESS {
 LIST blocked_dlls;
 ULONG file_trace;
 ULONG pipe_trace;
+ BOOLEAN disable_file_flt;
 BOOLEAN file_warn_internet;
 BOOLEAN file_warn_direct_access;
 BOOLEAN AllowInternetAccess;
@@ -159,6 +160,7 @@ struct _PROCESS {
 LIST read_key_paths; // PATTERN elements
 LIST write_key_paths; // PATTERN elements
 ULONG key_trace;
+ BOOLEAN disable_key_flt;
 // ipc-related
diff --git a/SandboxiePlus/QSbieAPI/Sandboxie/SbieIni.cpp b/SandboxiePlus/QSbieAPI/Sandboxie/SbieIni.cpp
index 529e9182..fe29ed7e 100644
--- a/SandboxiePlus/QSbieAPI/Sandboxie/SbieIni.cpp
+++ b/SandboxiePlus/QSbieAPI/Sandboxie/SbieIni.cpp
@@ -152,7 +152,7 @@ QStringList CSbieIni::GetTextListTmpl(const QString &Setting, const QString& Tem
 for (int index = 0; ; index++)
 {
- QString Value = m_pAPI->SbieIniGet("Template_" + Template, Setting, index | CONF_GET_NO_GLOBAL);
+ QString Value = m_pAPI->SbieIniGet("Template_" + Template, Setting, index | CONF_GET_NO_GLOBAL | CONF_GET_NO_EXPAND);
 if (Value.isNull())
 break;
 TextList.append(Value);
diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp
index 505522bd..d9806d9f 100644
--- a/SandboxiePlus/SandMan/SandMan.cpp
+++ b/SandboxiePlus/SandMan/SandMan.cpp
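Review bot: Nothing in the new block records that a box has DisableFileFilter or DisableKeyFilter set, so a process running with file or registry filtering switched off is indistinguishable in the driver's own output from a normally isolated one; since the CHANGELOG describes these as testing-only options that disable core parts of the isolation, emitting a driver log message here when either Conf_Get_Boolean result is TRUE would make the condition visible in the event/trace log rather than only in SandMan's status display (which this patch handles separately in CheckUnsecureConfig). The header comment `// initialize debug options` also says less than the code does; `// debug options (testing only): disable file / registry filtering for every process in this box` tells the maintainer what is at stake. Process_Create starts and ends outside the hunk.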
@@ -562,7 +562,7 @@ void CSandMan::OnMessage(const QString& Message)
 setWindowState(Qt::WindowActive);
 SetForegroundWindow(MainWndHandle);
 }
- else if (Message.left(3) == "Run")
+ else if (Message.left(4) == "Run:")
 {
 QString CmdLine = Message.mid(4);
@@ -572,6 +572,23 @@ void CSandMan::OnMessage(const QString& Message)
 else
 RunSandboxed(QStringList(CmdLine));
 }
+ else if (Message.left(3) == "Op:")
+ {
+ QString Op = Message.mid(3);
+
+ SB_STATUS Status;
+ if (Op == "Connect")
+ Status = ConnectSbie();
+ else if (Op == "Disconnect")
+ Status = DisconnectSbie();
+ else if (Op == "Shutdown")
+ Status = StopSbie();
+ else if (Op == "EmptyAll")
+ Status = theAPI->TerminateAll();
+ else
+ Status = SB_ERR(SB_Message, QVariantList () << (tr("Unknown operation '%1' requested via command line").arg(Op)));
+ CheckResults(QList() << Status);
+ }
 else if (Message.left(6) == "Status")
 {
 QString Status = Message.mid(7);
diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.cpp b/SandboxiePlus/SandMan/SbiePlusAPI.cpp
index 0001218f..918b2e76 100644
--- a/SandboxiePlus/SandMan/SbiePlusAPI.cpp
+++ b/SandboxiePlus/SandMan/SbiePlusAPI.cpp
@@ -122,7 +122,7 @@ void CSandBoxPlus::UpdateDetails()
 m_bDropRights = GetBool("DropAdminRights", false);
- if (CheckOpenToken() || GetBool("StripSystemPrivileges", false))
+ if (CheckUnsecureConfig())
 m_iUnsecureDebugging = 1;
 else if(GetBool("ExposeBoxedSystem", false) || GetBool("UnrestrictedSCM", false) /*|| GetBool("RunServicesAsSystem", false)*/)
 m_iUnsecureDebugging = 2;
@@ -174,7 +174,7 @@ QString CSandBoxPlus::GetStatusStr() const
 return Status.join(", ");
 }
-bool CSandBoxPlus::CheckOpenToken() const
+bool CSandBoxPlus::CheckUnsecureConfig() const
 {
 if (GetBool("OriginalToken", false)) return true;
 if (GetBool("OpenToken", false)) return true;
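Review bot: The new `Op:` branch runs DisconnectSbie, StopSbie and theAPI->TerminateAll for whatever text arrives through the app.sendMessage/messageReceived channel that main.cpp feeds, and the hunk shows no check on the sender; whether that channel is confined to the invoking user's session is not visible here, so the trust placed in it should be stated at the branch, e.g. `// Op:<name> arrives from a second sandman.exe instance started with -op (see main.cpp); the sender is not checked here`. The `Run:` prefix test was tightened to `Message.left(4) == "Run:"`, but the `Status` branch in the trailing context still compares `Message.left(6) == "Status"` while reading the payload from `mid(7)`, which suggests the prefix is really `Status:`; applying the same `left(7) == "Status:"` tightening there would keep the three prefix checks consistent. OnMessage starts and ends outside both hunks.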
@@ -182,6 +182,9 @@ bool CSandBoxPlus::CheckOpenToken() const
 if (!GetBool("AnonymousLogon", true)) return true;
 if (GetBool("KeepTokenIntegrity", false)) return true;
 if(GetBool("UnfilteredToken", false)) return true;
+ if (GetBool("DisableFileFilter", false)) return true;
+ if (GetBool("DisableKeyFilter", false)) return true;
+ if (GetBool("StripSystemPrivileges", false)) return true;
 return false;
 }
diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.h b/SandboxiePlus/SandMan/SbiePlusAPI.h
index 26473437..4943f82c 100644
--- a/SandboxiePlus/SandMan/SbiePlusAPI.h
+++ b/SandboxiePlus/SandMan/SbiePlusAPI.h
@@ -87,7 +87,7 @@ public:
 protected:
 friend class CSbiePlusAPI;
- virtual bool CheckOpenToken() const;
+ virtual bool CheckUnsecureConfig() const;
 virtual bool TestProgramGroup(const QString& Group, const QString& ProgName);
 virtual void EditProgramGroup(const QString& Group, const QString& ProgName, bool bSet);
diff --git a/SandboxiePlus/SandMan/main.cpp b/SandboxiePlus/SandMan/main.cpp
index 003a36cd..84ce9b06 100644
--- a/SandboxiePlus/SandMan/main.cpp
+++ b/SandboxiePlus/SandMan/main.cpp
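Review bot: CheckUnsecureConfig now puts StripSystemPrivileges, DisableFileFilter and DisableKeyFilter in the same bucket as the token options, and UpdateDetails maps its result to `m_iUnsecureDebugging = 1`, but the renamed declaration in the SbiePlusAPI.h hunk (`virtual bool CheckUnsecureConfig() const;`) carries no comment saying what "unsecure" covers; a one-liner on the declaration, `// true if the box config weakens isolation: open/original/unfiltered token, stripped system privileges, or DisableFileFilter/DisableKeyFilter (status level 1)`, would stop the next reader from reconstructing it from the .cpp. The function is virtual, so any subclass that overrode CheckOpenToken has to be renamed as well — this patch shows none, so that is only something to check.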
@@ -31,15 +31,29 @@ int main(int argc, char *argv[])
 return 0;
 }
- QString CommandLine;
+ QString PendingMessage;
+
 QStringList Args = QCoreApplication::arguments();
- int BoxPos = Args.indexOf("/box:__ask__");
- if (BoxPos != -1) {
- for (int i = BoxPos + 1; i < Args.count(); i++)
- CommandLine += "\"" + Args[i] + "\" ";
- if(app.sendMessage("Run:" + CommandLine.trimmed()))
- return 0;
+ int CmdPos = Args.indexOf("-op");
+ if (CmdPos != -1) {
+ QString Op;
+ if (Args.count() > CmdPos)
+ Op = Args.at(CmdPos + 1);
+ PendingMessage = "Op:" + Op;
 }
+
+ CmdPos = Args.indexOf("/box:__ask__");
+ if (CmdPos != -1) {
+ QString CommandLine;
+ for (int i = CmdPos + 1; i < Args.count(); i++)
+ CommandLine += "\"" + Args[i] + "\" ";
+ PendingMessage = "Run:" + CommandLine.trimmed();
+ }
+
+ if (!PendingMessage.isEmpty()) {
+ if(app.sendMessage(PendingMessage))
+ return 0;
+ }
 else if (app.sendMessage("ShowWnd"))
 return 0;
@@ -50,8 +64,8 @@ int main(int argc, char *argv[])
 CSandMan* pWnd = new CSandMan();
 QObject::connect(&app, SIGNAL(messageReceived(const QString&)), pWnd, SLOT(OnMessage(const QString&)));
- if (!CommandLine.isEmpty())
- QMetaObject::invokeMethod(pWnd, "OnMessage", Qt::QueuedConnection, Q_ARG(QString, "Run:" + CommandLine));
+ if (!PendingMessage.isEmpty())
+ QMetaObject::invokeMethod(pWnd, "OnMessage", Qt::QueuedConnection, Q_ARG(QString, PendingMessage));
 int ret = app.exec();
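Review bot: The `-op` value check is off by one: `Args.indexOf("-op")` returning a valid CmdPos already guarantees `Args.count() > CmdPos`, so the guard is always true and `Args.at(CmdPos + 1)` indexes past the end whenever `-op` is the last argument (QList::at asserts on an out-of-range index in debug builds; in release the access is undefined behaviour). The condition should be `if (Args.count() > CmdPos + 1)`, leaving Op empty otherwise so that OnMessage's unknown-operation path reports the bare `Op:` message. When both `-op` and `/box:__ask__` are given, the second block overwrites the PendingMessage built by the first without comment; if Run taking precedence is intended, `// /box:__ask__ wins over -op when both are present` at `CmdPos = Args.indexOf("/box:__ask__");` records that. main() starts and ends outside the hunk.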