diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b611b5c..287a11c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ This project adheres to [Semantic Versioning](http://semver.org/). - added option to hide installed programs [#4139](https://github.com/sandboxie-plus/Sandboxie/issues/4139) - added Hide Tray Icon [#4075](https://github.com/sandboxie-plus/Sandboxie/issues/4075) - added improved trace logging filtering [#4338](https://github.com/sandboxie-plus/Sandboxie/issues/4338) +- added EventLog monitoring for SbieMessages [#4113](https://github.com/sandboxie-plus/Sandboxie/issues/4113) + - add 'LogMessageEvents=y' to the global settings to log all sbie events to the system event log ### Fixed - fixed Sign the .tmp file that gets dropped when installing or updating Sandboxie Plus [#2643](https://github.com/sandboxie-plus/Sandboxie/issues/2643) [#4343](https://github.com/sandboxie-plus/Sandboxie/issues/4343) diff --git a/Sandboxie/core/drv/api.c b/Sandboxie/core/drv/api.c index 8a220032..96d3d1ff 100644 --- a/Sandboxie/core/drv/api.c +++ b/Sandboxie/core/drv/api.c @@ -57,8 +57,6 @@ static BOOLEAN Api_FastIo_DEVICE_CONTROL( ULONG IoControlCode, IO_STATUS_BLOCK *IoStatus, DEVICE_OBJECT *DeviceObject); -//static void Api_DelWork(API_WORK_ITEM *work_item); - //--------------------------------------------------------------------------- @@ -69,8 +67,6 @@ static NTSTATUS Api_LogMessage(PROCESS *proc, ULONG64 *parms); static NTSTATUS Api_GetMessage(PROCESS *proc, ULONG64 *parms); -//static NTSTATUS Api_GetWork(PROCESS *proc, ULONG64 *parms); - static NTSTATUS Api_GetHomePath(PROCESS *proc, ULONG64 *parms); static NTSTATUS Api_SetServicePort(PROCESS *proc, ULONG64 *parms); @@ -110,8 +106,7 @@ volatile HANDLE Api_ServiceProcessId = NULL; static PERESOURCE Api_LockResource = NULL; -//static LIST Api_WorkList; -static BOOLEAN Api_WorkListInitialized = FALSE; +static BOOLEAN Api_Initialized = FALSE; static LOG_BUFFER* Api_LogBuffer = NULL; 
@@ -137,15 +132,13 @@ _FX BOOLEAN Api_Init(void) Api_LogBuffer = log_buffer_init(8 * 8 * 1024); // - // initialize work list + // initialize lock // - //List_Init(&Api_WorkList); - if (! Mem_GetLockResource(&Api_LockResource, TRUE)) return FALSE; - Api_WorkListInitialized = TRUE; + Api_Initialized = TRUE; // // initialize Fast IO dispatch pointers @@ -193,7 +186,6 @@ _FX BOOLEAN Api_Init(void) // Api_SetFunction(API_GET_VERSION, Api_GetVersion); - //Api_SetFunction(API_GET_WORK, Api_GetWork); Api_SetFunction(API_LOG_MESSAGE, Api_LogMessage); Api_SetFunction(API_GET_MESSAGE, Api_GetMessage); Api_SetFunction(API_GET_HOME_PATH, Api_GetHomePath); @@ -240,24 +232,16 @@ _FX void Api_Unload(void) Api_FastIoDispatch = NULL; } - if (Api_WorkListInitialized) { + if (Api_Initialized) { if (Api_LogBuffer) { log_buffer_free(Api_LogBuffer); Api_LogBuffer = NULL; } - /*API_WORK_ITEM *work_item; - while (1) { - work_item = List_Head(&Api_WorkList); - if (! work_item) - break; - Api_DelWork(work_item); - }*/ - Mem_FreeLockResource(&Api_LockResource); - Api_WorkListInitialized = FALSE; + Api_Initialized = FALSE; } if (Api_ServicePortObject) { @@ -682,11 +666,11 @@ _FX void Api_AddMessage( { KIRQL irql; - if (!Api_WorkListInitialized) // if (!Api_LogBuffer) + if (!Api_Initialized) return; // - // add work at the end of the work list + // add message // irql = Api_EnterCriticalSection(); 
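Review bot: The renamed guard `if (Api_Initialized)` in Api_Unload still makes freeing Api_LogBuffer conditional on the flag, yet the Api_Init hunk earlier on this line allocates Api_LogBuffer before Mem_GetLockResource and sets Api_Initialized only after it succeeds, so a failed lock-resource allocation leaves the log buffer with no unload path that releases it. Hoisting the `if (Api_LogBuffer) { log_buffer_free(Api_LogBuffer); Api_LogBuffer = NULL; }` block in front of the `if (Api_Initialized)` test would cover that path. Whether the driver actually reaches Api_Unload after a failed Api_Init is not visible here. Api_Unload begins and ends outside this hunk.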
@@ -922,140 +906,6 @@ _FX BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data) } -//--------------------------------------------------------------------------- -// Api_AddWork -//--------------------------------------------------------------------------- - - -/*_FX BOOLEAN Api_AddWork(API_WORK_ITEM *work_item) -{ - KIRQL irql; - - if (! Api_WorkListInitialized) - return FALSE; - - // - // add work at the end of the work list - // - - irql = Api_EnterCriticalSection(); - - List_Insert_After(&Api_WorkList, NULL, work_item); - - Api_LeaveCriticalSection(irql); - - // - // set the work event so SbieSvc wakes up - // - - if (work_item->session_id != -1) - return TRUE; - - return TRUE; -}*/ - - -//--------------------------------------------------------------------------- -// Api_DelWork -//--------------------------------------------------------------------------- - - -/*_FX void Api_DelWork(API_WORK_ITEM *work_item) -{ - // this assumes Api_WorkList is already locked using Api_Lock - - List_Remove(&Api_WorkList, work_item); - Mem_Free(work_item, work_item->length); -}*/ - - -//--------------------------------------------------------------------------- -// Api_GetWork -//--------------------------------------------------------------------------- - - -/*_FX NTSTATUS Api_GetWork(PROCESS *proc, ULONG64 *parms) -{ - API_GET_WORK_ARGS *args = (API_GET_WORK_ARGS *)parms; - NTSTATUS status; - void *buffer_ptr; - ULONG buffer_len; - ULONG *result_len; - ULONG length; - API_WORK_ITEM *work_item; - KIRQL irql; - - // - // caller must not be sandboxed, and caller has to be SbieSvc - // if session parameter is -1 - // - - if (proc) - return STATUS_NOT_IMPLEMENTED; - - if (args->session_id.val == -1 && - PsGetCurrentProcessId() != Api_ServiceProcessId) - return STATUS_ACCESS_DENIED; - - // - // find next work/log item for the session - // - - buffer_ptr = args->buffer.val; - buffer_len = args->buffer_len.val; - result_len = args->result_len_ptr.val; - - irql = 
Api_EnterCriticalSection(); - - work_item = List_Head(&Api_WorkList); - while (work_item) { - if (work_item->session_id == args->session_id.val) - break; - work_item = List_Next(work_item); - } - - __try { - - if (! work_item) { - - status = STATUS_NO_MORE_ENTRIES; - - } else { - - if (work_item->length <= buffer_len) { - - length = work_item->length - - FIELD_OFFSET(API_WORK_ITEM, type); - ProbeForWrite(buffer_ptr, length, sizeof(UCHAR)); - memcpy(buffer_ptr, &work_item->type, length); - - status = STATUS_SUCCESS; - - } else { - - length = work_item->length; - status = STATUS_BUFFER_TOO_SMALL; - } - - if (result_len) { - ProbeForWrite(result_len, sizeof(ULONG), sizeof(ULONG)); - *result_len = length; - } - - if (status == STATUS_SUCCESS) - Api_DelWork(work_item); - } - - } __except (EXCEPTION_EXECUTE_HANDLER) { - status = GetExceptionCode(); - } - - Api_LeaveCriticalSection(irql); - - return status; -}*/ - - //--------------------------------------------------------------------------- // Api_GetHomePath //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/drv/api.h b/Sandboxie/core/drv/api.h index 35c5f481..3489624c 100644 --- a/Sandboxie/core/drv/api.h +++ b/Sandboxie/core/drv/api.h @@ -39,17 +39,6 @@ //--------------------------------------------------------------------------- -/*typedef struct _API_WORK_ITEM { - - LIST_ELEM list_elem; - ULONG length; // length includes both header and data - ULONG session_id; - ULONG type; - - ULONG data[1]; - -} API_WORK_ITEM;*/ - typedef struct _Sbie_SeFilterTokenArg { PACCESS_TOKEN ExistingToken; @@ -106,14 +95,6 @@ void Api_ResetServiceProcess(void); BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data); -// -// Publish WORK_ITEM to be consumed by SandboxieService. Caller must -// allocate work_item from Driver_Pool, and initialize type, length and data -// - -//BOOLEAN Api_AddWork(API_WORK_ITEM *work_item); - - // // Add message to log buffer // 
diff --git a/Sandboxie/core/drv/log.c b/Sandboxie/core/drv/log.c index ce98c23a..584e3a2f 100644 --- a/Sandboxie/core/drv/log.c +++ b/Sandboxie/core/drv/log.c @@ -26,6 +26,7 @@ #include "api.h" #include "util.h" #include "session.h" +#include "conf.h" //--------------------------------------------------------------------------- // Functions @@ -37,12 +38,6 @@ static void Log_Event_Msg( const WCHAR *string1, const WCHAR *string2); -/*static void Log_Popup_Msg_2( - NTSTATUS error_code, - const WCHAR *string1, ULONG string1_len, - const WCHAR *string2, ULONG string2_len, - ULONG session_id);*/ - //--------------------------------------------------------------------------- // Log_Event_Msg @@ -151,9 +146,6 @@ _FX void Log_Popup_MsgEx( if ((Driver_OsVersion >= DRIVER_WINDOWS_VISTA) && (session_id == 0)) session_id = 1; - //Log_Popup_Msg_2( - // error_code, string1, string1_len, string2, string2_len, session_id, (ULONG)pid); - const WCHAR* strings[3] = { string1, string2, NULL }; ULONG lengths[3] = { string1_len, string2_len, 0 }; Api_AddMessage(error_code, strings, lengths, session_id, (ULONG)pid); 
@@ -162,71 +154,17 @@ _FX void Log_Popup_MsgEx( // log message to SbieSvc and trigger SbieSvc to wake up and collect it // - //Log_Popup_Msg_2( - // error_code, string1, string1_len, string2, string2_len, -1, (ULONG)pid); + ULONG data = 0; + + if (Conf_Get_Boolean(NULL, L"LogMessageEvents", 0, FALSE)) + data |= 0x01; - ULONG data = 0; Api_SendServiceMessage(SVC_LOG_MESSAGE, sizeof(ULONG), &data); // DbgPrint("POPUP %04d %S %S\n", error_code & 0xFFFF, string1, string2); } -//--------------------------------------------------------------------------- -// Log_Popup_Msg_2 -//--------------------------------------------------------------------------- - - -/*_FX void Log_Popup_Msg_2( - NTSTATUS error_code, - const WCHAR *string1, ULONG string1_len, - const WCHAR *string2, ULONG string2_len, - ULONG session_id) -{ - API_WORK_ITEM *work_item; - ULONG length; - WCHAR *ptr; - - length = sizeof(API_WORK_ITEM) - + sizeof(ULONG) // msgid - + (string1_len + 1) * sizeof(WCHAR) - + (string2_len + 1) * sizeof(WCHAR); - - // - // prepare work item - // - - work_item = Mem_Alloc(Driver_Pool, length); - if (work_item) { - - work_item->length = length; - - work_item->session_id = session_id; - - work_item->type = API_LOG_MESSAGE; - - work_item->data[0] = error_code; - - ptr = (WCHAR *)&work_item->data[1]; - - if (string1_len) { - wmemcpy(ptr, string1, string1_len); - ptr += string1_len; - } - *ptr = L'\0'; - ++ptr; - - if (string2_len) { - wmemcpy(ptr, string2, string2_len); - ptr += string2_len; - } - *ptr = L'\0'; - - Api_AddWork(work_item); - } -}*/ - - //--------------------------------------------------------------------------- // Log_Msg //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/svc/DriverAssist.cpp b/Sandboxie/core/svc/DriverAssist.cpp index a22acc1c..5cdf4e76 100644 --- a/Sandboxie/core/svc/DriverAssist.cpp +++ b/Sandboxie/core/svc/DriverAssist.cpp 
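Review bot: The event-log request is encoded as the bare literal `0x01` in `data |= 0x01;` and decoded as the same bare literal in DriverAssist::LogMessage (`data & 0x01`) with nothing tying the two sides together; a named constant in a header both driver and service include, e.g. `#define SVC_LOG_MESSAGE_FLAG_EVENTLOG 0x01` (name constructed), would keep them in step when more bits are added. `Conf_Get_Boolean(NULL, L"LogMessageEvents", 0, FALSE)` is also evaluated on every popup message, so each logged message now costs a configuration lookup; if the setting is only expected to change on a config reload it could be cached. Log_Popup_MsgEx begins outside this hunk.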
@@ -303,7 +303,7 @@ void DriverAssist::MsgWorkerThread(void *MyMsg) } else if (msgid == SVC_LOG_MESSAGE) { - LogMessage(); + LogMessage(data_ptr); } else if (msgid == SVC_CONFIG_UPDATED) { diff --git a/Sandboxie/core/svc/DriverAssist.h b/Sandboxie/core/svc/DriverAssist.h index 3d236e78..ba398470 100644 --- a/Sandboxie/core/svc/DriverAssist.h +++ b/Sandboxie/core/svc/DriverAssist.h @@ -103,7 +103,7 @@ private: // log messages to file // - void LogMessage(); + void LogMessage(void *_msg); void LogMessage_Single(ULONG code, wchar_t* data, ULONG pid); void LogMessage_Multi(ULONG msgid, const WCHAR *path, const WCHAR *text); diff --git a/Sandboxie/core/svc/DriverAssistLog.cpp b/Sandboxie/core/svc/DriverAssistLog.cpp index 69cd1193..02d3c763 100644 --- a/Sandboxie/core/svc/DriverAssistLog.cpp +++ b/Sandboxie/core/svc/DriverAssistLog.cpp 
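Review bot: `LogMessage(data_ptr)` forwards the message payload without its length, and the callee reads the first ULONG through it whenever the pointer is non-NULL. If MsgWorkerThread has the payload length in scope (not visible in this hunk; variable name assumed), passing the pointer only when it holds a full ULONG, e.g. `LogMessage(data_len >= sizeof(ULONG) ? data_ptr : NULL);`, keeps a short or malformed message from being read past its end. MsgWorkerThread begins and ends outside this hunk.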
@@ -69,29 +69,33 @@ bool GetUserNameFromProcess(DWORD pid, WCHAR* user, DWORD userSize, WCHAR* domai //--------------------------------------------------------------------------- -void DriverAssist::LogMessage() +void DriverAssist::LogMessage(void *_msg) { + ULONG data = _msg ? *(ULONG*)_msg : 0; + + bool LogMessageEvents = (data & 0x01) != 0; + EnterCriticalSection(&m_LogMessage_CritSec); - ULONG m_workItemLen = 4096; - void *m_workItemBuf = NULL; + ULONG m_MessageLen = 4096; + void *m_MessageBuf = NULL; while (1) { - m_workItemBuf = HeapAlloc(GetProcessHeap(), 0, m_workItemLen); - if (! m_workItemBuf) + m_MessageBuf = HeapAlloc(GetProcessHeap(), 0, m_MessageLen); + if (! m_MessageBuf) break; - ULONG len = m_workItemLen; + ULONG len = m_MessageLen; ULONG message_number = m_last_message_number; ULONG code = -1; ULONG pid = 0; - ULONG status = SbieApi_GetMessage(&message_number, -1, &code, &pid, (wchar_t*)m_workItemBuf, len); + ULONG status = SbieApi_GetMessage(&message_number, -1, &code, &pid, (wchar_t*)m_MessageBuf, len); if (status == STATUS_BUFFER_TOO_SMALL) { - HeapFree(GetProcessHeap(), 0, m_workItemBuf); - m_workItemBuf = NULL; - m_workItemLen += 4096; + HeapFree(GetProcessHeap(), 0, m_MessageBuf); + m_MessageBuf = NULL; + m_MessageLen += 4096; continue; } @@ -111,14 +115,21 @@ void DriverAssist::LogMessage() continue; // - // Add to log + // Add to event log // - LogMessage_Single(code, (wchar_t*)m_workItemBuf, pid); + if (LogMessageEvents) + LogMessage_Event(code, (wchar_t*)m_MessageBuf, pid); + + // + // Add to log file + // + + LogMessage_Single(code, (wchar_t*)m_MessageBuf, pid); } - if (m_workItemBuf) - HeapFree(GetProcessHeap(), 0, m_workItemBuf); + if (m_MessageBuf) + HeapFree(GetProcessHeap(), 0, m_MessageBuf); LeaveCriticalSection(&m_LogMessage_CritSec); } diff --git a/Sandboxie/core/svc/DriverAssistStart.cpp b/Sandboxie/core/svc/DriverAssistStart.cpp index 44d7bee8..0e5daa5f 100644 --- a/Sandboxie/core/svc/DriverAssistStart.cpp 
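Review bot: The renamed locals `m_MessageLen` and `m_MessageBuf` keep the `m_` member prefix although they are function-scope variables declared inside LogMessage, which reads as class state; plain `messageLen` / `messageBuf` would match their real scope. The cast `*(ULONG*)_msg` in the same hunk trusts that the caller's buffer holds at least one ULONG, which the driver-side sender in log.c guarantees but nothing here checks; a comment such as `// _msg: SVC_LOG_MESSAGE payload, one ULONG of flags; NULL when called from driver startup` would document that contract. The second hunk (@@ -111) calls LogMessage_Event before LogMessage_Single, so a failed event-log write cannot suppress the file log entry, which looks right. LogMessage spans both hunks.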
+++ b/Sandboxie/core/svc/DriverAssistStart.cpp @@ -45,6 +45,8 @@ NTSTATUS LsaLookupAuthenticationPackage( ULONG DriverAssist::StartDriverAsync(void *arg) { + DriverAssist* This = (DriverAssist*)arg; + // // get windows version // @@ -309,7 +311,7 @@ driver_started: // messages that were logged while the driver was starting // - m_instance->LogMessage(); + m_instance->LogMessage(NULL); m_instance->m_DriverReady = true; diff --git a/Sandboxie/core/svc/main.cpp b/Sandboxie/core/svc/main.cpp index 815fc9ca..b6145d40 100644 --- a/Sandboxie/core/svc/main.cpp +++ b/Sandboxie/core/svc/main.cpp @@ -22,6 +22,7 @@ #include "stdafx.h" #include +#include #include "MountManager.h" #include "DriverAssist.h" #include "PipeServer.h" 
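Review bot: `DriverAssist* This = (DriverAssist*)arg;` is added at the top of StartDriverAsync, but nothing in the visible hunks uses it — the later hunk still goes through `m_instance->LogMessage(NULL)`; if the rest of the function (outside this hunk) does not use it either, it is an unused local that compilers will warn about and should either be dropped or replace the m_instance accesses. StartDriverAsync continues past this hunk.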
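Review bot: `m_instance->LogMessage(NULL)` makes LogMessage compute `data = 0`, so the messages collected here — the ones logged while the driver was starting — never reach the event log even with LogMessageEvents=y; only messages that arrive later through SVC_LOG_MESSAGE carry the flag. If that is intended, the existing comment above the call should say so, e.g. `// NULL: startup messages go to the log file only, not the event log`; otherwise the service could read the setting itself for this call. The enclosing function continues outside this hunk.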
@@ -336,6 +337,61 @@ void LogEvent(ULONG msgid, ULONG level, ULONG detail) } +//--------------------------------------------------------------------------- +// LogMessage_Event +//--------------------------------------------------------------------------- + + +void LogMessage_Event(ULONG code, wchar_t* data, ULONG pid) +{ + // + // get log message + // + + WCHAR *str1 = data; + ULONG str1_len = wcslen(str1); + WCHAR *str2 = str1 + str1_len + 1; + ULONG str2_len = wcslen(str2); + + WCHAR *text = SbieDll_FormatMessage2(code, str1, str2); + if (! text) + return; + + // + // add user name + // + /* + WCHAR user[UNLEN + 1]; + WCHAR domain[DNLEN + 1]; + bool GetUserNameFromProcess(DWORD pid, WCHAR * user, DWORD userSize, WCHAR * domain, DWORD domainSize); + if (GetUserNameFromProcess(pid, user, UNLEN + 1, domain, DNLEN + 1)) { + + WCHAR *text2 = (WCHAR *)LocalAlloc( + LMEM_FIXED, (wcslen(text) + UNLEN + DNLEN + 10) * sizeof(WCHAR)); + if (text2) { + + wsprintf(text2, L"%s (%s\\%s)", text, domain, user); + + LocalFree(text); + text = text2; + } + }*/ + + // + // add event + // + + const WCHAR* ptr_extra[2] = { text, NULL }; + USHORT num_extra = 1; + + if (EventLog) { + ReportEvent(EventLog, EVENTLOG_INFORMATION_TYPE, 0, code, NULL, num_extra, 0, ptr_extra, NULL); + } + + LocalFree(text); +} + + //--------------------------------------------------------------------------- // AbortServer //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/svc/misc.h b/Sandboxie/core/svc/misc.h index a7a1bc58..d1b82acc 100644 --- a/Sandboxie/core/svc/misc.h +++ b/Sandboxie/core/svc/misc.h @@ -21,6 +21,7 @@ #include "msgs/msgs.h" void LogEvent(ULONG msgid, ULONG level, ULONG detail); +void LogMessage_Event(ULONG code, wchar_t* data, ULONG pid); void AbortServer(void); bool RestrictToken(void); bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName);
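Review bot: `str2_len` is computed with a second `wcslen` but never used, and `str2 = str1 + str1_len + 1` relies on the buffer holding a second NUL-terminated string after the first, a layout this function does not check; the caller in DriverAssistLog.cpp hands over the SbieApi_GetMessage buffer, so that presumably holds, but a comment stating the expected `"<str1>\0<str2>\0"` layout would make the contract explicit and the unused length can go. The commented-out user-name block (from `WCHAR user[UNLEN + 1];` to the closing `}*/`) is dead code being introduced in a brand-new function and should be deleted rather than committed. `LocalFree(text)` assumes SbieDll_FormatMessage2 returns LocalAlloc memory, which the commented block also assumes but nothing here states; a one-line comment on the `WCHAR *text = ...` line would record it. The `wchar_t* data` parameter is never written through and could be `const wchar_t*`, matching the `const WCHAR*` it is ultimately stored into.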