DavidXanatos 2024-11-17 14:29:45 +01:00
parent 64d0363322
commit b3c28d120c
10 changed files with 101 additions and 260 deletions


@ -16,6 +16,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- added option to hide installed programs [#4139](https://github.com/sandboxie-plus/Sandboxie/issues/4139) - added option to hide installed programs [#4139](https://github.com/sandboxie-plus/Sandboxie/issues/4139)
- added Hide Tray Icon [#4075](https://github.com/sandboxie-plus/Sandboxie/issues/4075) - added Hide Tray Icon [#4075](https://github.com/sandboxie-plus/Sandboxie/issues/4075)
- added improved trace logging filtering [#4338](https://github.com/sandboxie-plus/Sandboxie/issues/4338) - added improved trace logging filtering [#4338](https://github.com/sandboxie-plus/Sandboxie/issues/4338)
- added EventLog monitoring for SbieMessages [#4113](https://github.com/sandboxie-plus/Sandboxie/issues/4113)
- add 'LogMessageEvents=y' to the global settings to log all sbie events to the system event log
### Fixed ### Fixed
- fixed Sign the .tmp file that gets dropped when installing or updating Sandboxie Plus [#2643](https://github.com/sandboxie-plus/Sandboxie/issues/2643) [#4343](https://github.com/sandboxie-plus/Sandboxie/issues/4343) - fixed Sign the .tmp file that gets dropped when installing or updating Sandboxie Plus [#2643](https://github.com/sandboxie-plus/Sandboxie/issues/2643) [#4343](https://github.com/sandboxie-plus/Sandboxie/issues/4343)


@ -57,8 +57,6 @@ static BOOLEAN Api_FastIo_DEVICE_CONTROL(
ULONG IoControlCode, IO_STATUS_BLOCK *IoStatus, ULONG IoControlCode, IO_STATUS_BLOCK *IoStatus,
DEVICE_OBJECT *DeviceObject); DEVICE_OBJECT *DeviceObject);
//static void Api_DelWork(API_WORK_ITEM *work_item);
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
@ -69,8 +67,6 @@ static NTSTATUS Api_LogMessage(PROCESS *proc, ULONG64 *parms);
static NTSTATUS Api_GetMessage(PROCESS *proc, ULONG64 *parms); static NTSTATUS Api_GetMessage(PROCESS *proc, ULONG64 *parms);
//static NTSTATUS Api_GetWork(PROCESS *proc, ULONG64 *parms);
static NTSTATUS Api_GetHomePath(PROCESS *proc, ULONG64 *parms); static NTSTATUS Api_GetHomePath(PROCESS *proc, ULONG64 *parms);
static NTSTATUS Api_SetServicePort(PROCESS *proc, ULONG64 *parms); static NTSTATUS Api_SetServicePort(PROCESS *proc, ULONG64 *parms);
@ -110,8 +106,7 @@ volatile HANDLE Api_ServiceProcessId = NULL;
static PERESOURCE Api_LockResource = NULL; static PERESOURCE Api_LockResource = NULL;
//static LIST Api_WorkList; static BOOLEAN Api_Initialized = FALSE;
static BOOLEAN Api_WorkListInitialized = FALSE;
static LOG_BUFFER* Api_LogBuffer = NULL; static LOG_BUFFER* Api_LogBuffer = NULL;
@ -137,15 +132,13 @@ _FX BOOLEAN Api_Init(void)
Api_LogBuffer = log_buffer_init(8 * 8 * 1024); Api_LogBuffer = log_buffer_init(8 * 8 * 1024);
// //
// initialize work list // initialize lock
// //
//List_Init(&Api_WorkList);
if (! Mem_GetLockResource(&Api_LockResource, TRUE)) if (! Mem_GetLockResource(&Api_LockResource, TRUE))
return FALSE; return FALSE;
Api_WorkListInitialized = TRUE; Api_Initialized = TRUE;
// //
// initialize Fast IO dispatch pointers // initialize Fast IO dispatch pointers
@ -193,7 +186,6 @@ _FX BOOLEAN Api_Init(void)
// //
Api_SetFunction(API_GET_VERSION, Api_GetVersion); Api_SetFunction(API_GET_VERSION, Api_GetVersion);
//Api_SetFunction(API_GET_WORK, Api_GetWork);
Api_SetFunction(API_LOG_MESSAGE, Api_LogMessage); Api_SetFunction(API_LOG_MESSAGE, Api_LogMessage);
Api_SetFunction(API_GET_MESSAGE, Api_GetMessage); Api_SetFunction(API_GET_MESSAGE, Api_GetMessage);
Api_SetFunction(API_GET_HOME_PATH, Api_GetHomePath); Api_SetFunction(API_GET_HOME_PATH, Api_GetHomePath);
@ -240,24 +232,16 @@ _FX void Api_Unload(void)
Api_FastIoDispatch = NULL; Api_FastIoDispatch = NULL;
} }
if (Api_WorkListInitialized) { if (Api_Initialized) {
if (Api_LogBuffer) { if (Api_LogBuffer) {
log_buffer_free(Api_LogBuffer); log_buffer_free(Api_LogBuffer);
Api_LogBuffer = NULL; Api_LogBuffer = NULL;
} }
/*API_WORK_ITEM *work_item;
while (1) {
work_item = List_Head(&Api_WorkList);
if (! work_item)
break;
Api_DelWork(work_item);
}*/
Mem_FreeLockResource(&Api_LockResource); Mem_FreeLockResource(&Api_LockResource);
Api_WorkListInitialized = FALSE; Api_Initialized = FALSE;
} }
if (Api_ServicePortObject) { if (Api_ServicePortObject) {
@ -682,11 +666,11 @@ _FX void Api_AddMessage(
{ {
KIRQL irql; KIRQL irql;
if (!Api_WorkListInitialized) // if (!Api_LogBuffer) if (!Api_Initialized)
return; return;
// //
// add work at the end of the work list // add message
// //
irql = Api_EnterCriticalSection(); irql = Api_EnterCriticalSection();
@ -922,140 +906,6 @@ _FX BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data)
} }
//---------------------------------------------------------------------------
// Api_AddWork
//---------------------------------------------------------------------------
/*_FX BOOLEAN Api_AddWork(API_WORK_ITEM *work_item)
{
KIRQL irql;
if (! Api_WorkListInitialized)
return FALSE;
//
// add work at the end of the work list
//
irql = Api_EnterCriticalSection();
List_Insert_After(&Api_WorkList, NULL, work_item);
Api_LeaveCriticalSection(irql);
//
// set the work event so SbieSvc wakes up
//
if (work_item->session_id != -1)
return TRUE;
return TRUE;
}*/
//---------------------------------------------------------------------------
// Api_DelWork
//---------------------------------------------------------------------------
/*_FX void Api_DelWork(API_WORK_ITEM *work_item)
{
// this assumes Api_WorkList is already locked using Api_Lock
List_Remove(&Api_WorkList, work_item);
Mem_Free(work_item, work_item->length);
}*/
//---------------------------------------------------------------------------
// Api_GetWork
//---------------------------------------------------------------------------
/*_FX NTSTATUS Api_GetWork(PROCESS *proc, ULONG64 *parms)
{
API_GET_WORK_ARGS *args = (API_GET_WORK_ARGS *)parms;
NTSTATUS status;
void *buffer_ptr;
ULONG buffer_len;
ULONG *result_len;
ULONG length;
API_WORK_ITEM *work_item;
KIRQL irql;
//
// caller must not be sandboxed, and caller has to be SbieSvc
// if session parameter is -1
//
if (proc)
return STATUS_NOT_IMPLEMENTED;
if (args->session_id.val == -1 &&
PsGetCurrentProcessId() != Api_ServiceProcessId)
return STATUS_ACCESS_DENIED;
//
// find next work/log item for the session
//
buffer_ptr = args->buffer.val;
buffer_len = args->buffer_len.val;
result_len = args->result_len_ptr.val;
irql = Api_EnterCriticalSection();
work_item = List_Head(&Api_WorkList);
while (work_item) {
if (work_item->session_id == args->session_id.val)
break;
work_item = List_Next(work_item);
}
__try {
if (! work_item) {
status = STATUS_NO_MORE_ENTRIES;
} else {
if (work_item->length <= buffer_len) {
length = work_item->length
- FIELD_OFFSET(API_WORK_ITEM, type);
ProbeForWrite(buffer_ptr, length, sizeof(UCHAR));
memcpy(buffer_ptr, &work_item->type, length);
status = STATUS_SUCCESS;
} else {
length = work_item->length;
status = STATUS_BUFFER_TOO_SMALL;
}
if (result_len) {
ProbeForWrite(result_len, sizeof(ULONG), sizeof(ULONG));
*result_len = length;
}
if (status == STATUS_SUCCESS)
Api_DelWork(work_item);
}
} __except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
Api_LeaveCriticalSection(irql);
return status;
}*/
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Api_GetHomePath // Api_GetHomePath
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------


@ -39,17 +39,6 @@
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
/*typedef struct _API_WORK_ITEM {
LIST_ELEM list_elem;
ULONG length; // length includes both header and data
ULONG session_id;
ULONG type;
ULONG data[1];
} API_WORK_ITEM;*/
typedef struct _Sbie_SeFilterTokenArg typedef struct _Sbie_SeFilterTokenArg
{ {
PACCESS_TOKEN ExistingToken; PACCESS_TOKEN ExistingToken;
@ -106,14 +95,6 @@ void Api_ResetServiceProcess(void);
BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data); BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data);
//
// Publish WORK_ITEM to be consumed by SandboxieService. Caller must
// allocate work_item from Driver_Pool, and initialize type, length and data
//
//BOOLEAN Api_AddWork(API_WORK_ITEM *work_item);
// //
// Add message to log buffer // Add message to log buffer
// //


@ -26,6 +26,7 @@
#include "api.h" #include "api.h"
#include "util.h" #include "util.h"
#include "session.h" #include "session.h"
#include "conf.h"
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Functions // Functions
@ -37,12 +38,6 @@ static void Log_Event_Msg(
const WCHAR *string1, const WCHAR *string1,
const WCHAR *string2); const WCHAR *string2);
/*static void Log_Popup_Msg_2(
NTSTATUS error_code,
const WCHAR *string1, ULONG string1_len,
const WCHAR *string2, ULONG string2_len,
ULONG session_id);*/
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Log_Event_Msg // Log_Event_Msg
@ -151,9 +146,6 @@ _FX void Log_Popup_MsgEx(
if ((Driver_OsVersion >= DRIVER_WINDOWS_VISTA) && (session_id == 0)) if ((Driver_OsVersion >= DRIVER_WINDOWS_VISTA) && (session_id == 0))
session_id = 1; session_id = 1;
//Log_Popup_Msg_2(
// error_code, string1, string1_len, string2, string2_len, session_id, (ULONG)pid);
const WCHAR* strings[3] = { string1, string2, NULL }; const WCHAR* strings[3] = { string1, string2, NULL };
ULONG lengths[3] = { string1_len, string2_len, 0 }; ULONG lengths[3] = { string1_len, string2_len, 0 };
Api_AddMessage(error_code, strings, lengths, session_id, (ULONG)pid); Api_AddMessage(error_code, strings, lengths, session_id, (ULONG)pid);
@ -162,71 +154,17 @@ _FX void Log_Popup_MsgEx(
// log message to SbieSvc and trigger SbieSvc to wake up and collect it // log message to SbieSvc and trigger SbieSvc to wake up and collect it
// //
//Log_Popup_Msg_2(
// error_code, string1, string1_len, string2, string2_len, -1, (ULONG)pid);
ULONG data = 0; ULONG data = 0;
if (Conf_Get_Boolean(NULL, L"LogMessageEvents", 0, FALSE))
data |= 0x01;
Api_SendServiceMessage(SVC_LOG_MESSAGE, sizeof(ULONG), &data); Api_SendServiceMessage(SVC_LOG_MESSAGE, sizeof(ULONG), &data);
// DbgPrint("POPUP %04d %S %S\n", error_code & 0xFFFF, string1, string2); // DbgPrint("POPUP %04d %S %S\n", error_code & 0xFFFF, string1, string2);
} }
//---------------------------------------------------------------------------
// Log_Popup_Msg_2
//---------------------------------------------------------------------------
/*_FX void Log_Popup_Msg_2(
NTSTATUS error_code,
const WCHAR *string1, ULONG string1_len,
const WCHAR *string2, ULONG string2_len,
ULONG session_id)
{
API_WORK_ITEM *work_item;
ULONG length;
WCHAR *ptr;
length = sizeof(API_WORK_ITEM)
+ sizeof(ULONG) // msgid
+ (string1_len + 1) * sizeof(WCHAR)
+ (string2_len + 1) * sizeof(WCHAR);
//
// prepare work item
//
work_item = Mem_Alloc(Driver_Pool, length);
if (work_item) {
work_item->length = length;
work_item->session_id = session_id;
work_item->type = API_LOG_MESSAGE;
work_item->data[0] = error_code;
ptr = (WCHAR *)&work_item->data[1];
if (string1_len) {
wmemcpy(ptr, string1, string1_len);
ptr += string1_len;
}
*ptr = L'\0';
++ptr;
if (string2_len) {
wmemcpy(ptr, string2, string2_len);
ptr += string2_len;
}
*ptr = L'\0';
Api_AddWork(work_item);
}
}*/
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Log_Msg // Log_Msg
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
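Review bot: The `0x01` bit set in `data` in Log_Popup_MsgEx is an unnamed protocol flag, and the service side decodes it with its own literal `0x01`, so the two ends can drift apart without any compile-time signal. Define it once in a header that both the driver and the service include, for example `#define SVC_LOG_MESSAGE_FLAG_EVENTS 0x01` (placeholder name), and write `data |= SVC_LOG_MESSAGE_FLAG_EVENTS;` here. A comment above `ULONG data = 0;` such as `// bit 0: ask SbieSvc to mirror the pending messages to the system event log (LogMessageEvents=y)` would document what the payload means. Log_Popup_MsgEx begins outside this hunk.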


@ -303,7 +303,7 @@ void DriverAssist::MsgWorkerThread(void *MyMsg)
} }
else if (msgid == SVC_LOG_MESSAGE) { else if (msgid == SVC_LOG_MESSAGE) {
LogMessage(); LogMessage(data_ptr);
} }
else if (msgid == SVC_CONFIG_UPDATED) { else if (msgid == SVC_CONFIG_UPDATED) {
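Review bot: `LogMessage(data_ptr)` passes the payload pointer on without its length, and LogMessage then reads it as `*(ULONG*)_msg`. Nothing in the visible lines confirms that an SVC_LOG_MESSAGE payload is at least `sizeof(ULONG)` bytes long. If MsgWorkerThread does not already check that outside this hunk, guard the call, e.g. `LogMessage(payload_len >= sizeof(ULONG) ? data_ptr : NULL);`, where `payload_len` stands for whatever length variable the function holds for the received message.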


@ -103,7 +103,7 @@ private:
// log messages to file // log messages to file
// //
void LogMessage(); void LogMessage(void *_msg);
void LogMessage_Single(ULONG code, wchar_t* data, ULONG pid); void LogMessage_Single(ULONG code, wchar_t* data, ULONG pid);
void LogMessage_Multi(ULONG msgid, const WCHAR *path, const WCHAR *text); void LogMessage_Multi(ULONG msgid, const WCHAR *path, const WCHAR *text);


@ -69,29 +69,33 @@ bool GetUserNameFromProcess(DWORD pid, WCHAR* user, DWORD userSize, WCHAR* domai
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
void DriverAssist::LogMessage() void DriverAssist::LogMessage(void *_msg)
{ {
ULONG data = _msg ? *(ULONG*)_msg : 0;
bool LogMessageEvents = (data & 0x01) != 0;
EnterCriticalSection(&m_LogMessage_CritSec); EnterCriticalSection(&m_LogMessage_CritSec);
ULONG m_workItemLen = 4096; ULONG m_MessageLen = 4096;
void *m_workItemBuf = NULL; void *m_MessageBuf = NULL;
while (1) { while (1) {
m_workItemBuf = HeapAlloc(GetProcessHeap(), 0, m_workItemLen); m_MessageBuf = HeapAlloc(GetProcessHeap(), 0, m_MessageLen);
if (! m_workItemBuf) if (! m_MessageBuf)
break; break;
ULONG len = m_workItemLen; ULONG len = m_MessageLen;
ULONG message_number = m_last_message_number; ULONG message_number = m_last_message_number;
ULONG code = -1; ULONG code = -1;
ULONG pid = 0; ULONG pid = 0;
ULONG status = SbieApi_GetMessage(&message_number, -1, &code, &pid, (wchar_t*)m_workItemBuf, len); ULONG status = SbieApi_GetMessage(&message_number, -1, &code, &pid, (wchar_t*)m_MessageBuf, len);
if (status == STATUS_BUFFER_TOO_SMALL) { if (status == STATUS_BUFFER_TOO_SMALL) {
HeapFree(GetProcessHeap(), 0, m_workItemBuf); HeapFree(GetProcessHeap(), 0, m_MessageBuf);
m_workItemBuf = NULL; m_MessageBuf = NULL;
m_workItemLen += 4096; m_MessageLen += 4096;
continue; continue;
} }
@ -111,14 +115,21 @@ void DriverAssist::LogMessage()
continue; continue;
// //
// Add to log // Add to event log
// //
LogMessage_Single(code, (wchar_t*)m_workItemBuf, pid); if (LogMessageEvents)
LogMessage_Event(code, (wchar_t*)m_MessageBuf, pid);
//
// Add to log file
//
LogMessage_Single(code, (wchar_t*)m_MessageBuf, pid);
} }
if (m_workItemBuf) if (m_MessageBuf)
HeapFree(GetProcessHeap(), 0, m_workItemBuf); HeapFree(GetProcessHeap(), 0, m_MessageBuf);
LeaveCriticalSection(&m_LogMessage_CritSec); LeaveCriticalSection(&m_LogMessage_CritSec);
} }
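Review bot: `LogMessageEvents` is taken from the one service message that triggered this call, yet the `while (1)` loop drains every pending message, so a single bit decides event-log mirroring for the whole batch. The startup drain calls `LogMessage(NULL)`, which forces the flag off, so as far as the visible lines show, messages queued while the driver was starting are never written to the event log even with `LogMessageEvents=y`. For an audit trail that gap matters; reading the setting in the service at the top of LogMessage, instead of relying on the per-wakeup bit, would close it. Separately, `m_MessageLen` and `m_MessageBuf` are locals, so the `m_` member prefix is misleading; `messageLen` and `messageBuf` would read better.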


@ -45,6 +45,8 @@ NTSTATUS LsaLookupAuthenticationPackage(
ULONG DriverAssist::StartDriverAsync(void *arg) ULONG DriverAssist::StartDriverAsync(void *arg)
{ {
DriverAssist* This = (DriverAssist*)arg;
// //
// get windows version // get windows version
// //
@ -309,7 +311,7 @@ driver_started:
// messages that were logged while the driver was starting // messages that were logged while the driver was starting
// //
m_instance->LogMessage(); m_instance->LogMessage(NULL);
m_instance->m_DriverReady = true; m_instance->m_DriverReady = true;
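Review bot: The added `DriverAssist* This = (DriverAssist*)arg;` is not used by the other changed line in this section, which still goes through `m_instance` (`m_instance->LogMessage(NULL);`). If nothing outside these hunks uses `This`, drop the declaration. Otherwise use it consistently, `This->LogMessage(NULL);`, and check `arg` for NULL before the first dereference. StartDriverAsync continues well beyond both hunks, so this needs confirming against the full body.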


@ -22,6 +22,7 @@
#include "stdafx.h" #include "stdafx.h"
#include <Sddl.h> #include <Sddl.h>
#include <lmcons.h>
#include "MountManager.h" #include "MountManager.h"
#include "DriverAssist.h" #include "DriverAssist.h"
#include "PipeServer.h" #include "PipeServer.h"
@ -336,6 +337,61 @@ void LogEvent(ULONG msgid, ULONG level, ULONG detail)
} }
//---------------------------------------------------------------------------
// LogMessage_Event
//---------------------------------------------------------------------------
void LogMessage_Event(ULONG code, wchar_t* data, ULONG pid)
{
//
// get log message
//
WCHAR *str1 = data;
ULONG str1_len = wcslen(str1);
WCHAR *str2 = str1 + str1_len + 1;
ULONG str2_len = wcslen(str2);
WCHAR *text = SbieDll_FormatMessage2(code, str1, str2);
if (! text)
return;
//
// add user name
//
/*
WCHAR user[UNLEN + 1];
WCHAR domain[DNLEN + 1];
bool GetUserNameFromProcess(DWORD pid, WCHAR * user, DWORD userSize, WCHAR * domain, DWORD domainSize);
if (GetUserNameFromProcess(pid, user, UNLEN + 1, domain, DNLEN + 1)) {
WCHAR *text2 = (WCHAR *)LocalAlloc(
LMEM_FIXED, (wcslen(text) + UNLEN + DNLEN + 10) * sizeof(WCHAR));
if (text2) {
wsprintf(text2, L"%s (%s\\%s)", text, domain, user);
LocalFree(text);
text = text2;
}
}*/
//
// add event
//
const WCHAR* ptr_extra[2] = { text, NULL };
USHORT num_extra = 1;
if (EventLog) {
ReportEvent(EventLog, EVENTLOG_INFORMATION_TYPE, 0, code, NULL, num_extra, 0, ptr_extra, NULL);
}
LocalFree(text);
}
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// AbortServer // AbortServer
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
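Review bot: LogMessage_Event walks `data` as two back-to-back NUL-terminated strings with no buffer length, so `str1 + str1_len + 1` and the second `wcslen` read past the allocation whenever the message holds fewer than two terminators. Pass the buffer size in from LogMessage and bound both scans with `wcsnlen`, returning early when a terminator is missing. `str2_len` and `pid` are never used; the process id would help anyone triaging these events, so either add it to the event strings or drop the parameter. The `ReportEvent` result is also ignored, and the commented-out user-name block should be enabled or removed, not committed as dead code.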


@ -21,6 +21,7 @@
#include "msgs/msgs.h" #include "msgs/msgs.h"
void LogEvent(ULONG msgid, ULONG level, ULONG detail); void LogEvent(ULONG msgid, ULONG level, ULONG detail);
void LogMessage_Event(ULONG code, wchar_t* data, ULONG pid);
void AbortServer(void); void AbortServer(void);
bool RestrictToken(void); bool RestrictToken(void);
bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName); bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName);