#4113

2024-11-17 14:29:45 +01:00 · 2024-11-17 14:29:45 +01:00 · b3c28d120c
parent 64d0363322
commit b3c28d120c
10 changed files with 101 additions and 260 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -16,6 +16,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - added option to hide installed programs [#4139](https://github.com/sandboxie-plus/Sandboxie/issues/4139)
 - added Hide Tray Icon [#4075](https://github.com/sandboxie-plus/Sandboxie/issues/4075)
 - added improved trace logging filtering [#4338](https://github.com/sandboxie-plus/Sandboxie/issues/4338)
 - added EventLog monitoring for SbieMessages [#4113](https://github.com/sandboxie-plus/Sandboxie/issues/4113)
  - add 'LogMessageEvents=y' to the global settings to log all sbie events to the system event log
 ### Fixed
 - fixed Sign the .tmp file that gets dropped when installing or updating Sandboxie Plus [#2643](https://github.com/sandboxie-plus/Sandboxie/issues/2643) [#4343](https://github.com/sandboxie-plus/Sandboxie/issues/4343)
--- a/Sandboxie/core/drv/api.c
+++ b/Sandboxie/core/drv/api.c
@ -57,8 +57,6 @@ static BOOLEAN Api_FastIo_DEVICE_CONTROL(
    ULONG IoControlCode, IO_STATUS_BLOCK *IoStatus,
    DEVICE_OBJECT *DeviceObject);
 //static void Api_DelWork(API_WORK_ITEM *work_item);
 //---------------------------------------------------------------------------
@ -69,8 +67,6 @@ static NTSTATUS Api_LogMessage(PROCESS *proc, ULONG64 *parms);
 static NTSTATUS Api_GetMessage(PROCESS *proc, ULONG64 *parms);
 //static NTSTATUS Api_GetWork(PROCESS *proc, ULONG64 *parms);
 static NTSTATUS Api_GetHomePath(PROCESS *proc, ULONG64 *parms);
 static NTSTATUS Api_SetServicePort(PROCESS *proc, ULONG64 *parms);
@ -110,8 +106,7 @@ volatile HANDLE Api_ServiceProcessId = NULL;
 static PERESOURCE Api_LockResource = NULL;
-//static LIST Api_WorkList;
+static BOOLEAN Api_Initialized = FALSE;
 static BOOLEAN Api_WorkListInitialized = FALSE;
 static LOG_BUFFER* Api_LogBuffer = NULL;
@ -137,15 +132,13 @@ _FX BOOLEAN Api_Init(void)
 	Api_LogBuffer = log_buffer_init(8 * 8 * 1024);
    //
-    // initialize work list
+    // initialize lock
    //
    //List_Init(&Api_WorkList);
    if (! Mem_GetLockResource(&Api_LockResource, TRUE))
        return FALSE;
-    Api_WorkListInitialized = TRUE;
+    Api_Initialized = TRUE;
    //
    // initialize Fast IO dispatch pointers
@ -193,7 +186,6 @@ _FX BOOLEAN Api_Init(void)
    //
    Api_SetFunction(API_GET_VERSION,        Api_GetVersion);
    //Api_SetFunction(API_GET_WORK,           Api_GetWork);
    Api_SetFunction(API_LOG_MESSAGE,        Api_LogMessage);
 	Api_SetFunction(API_GET_MESSAGE,        Api_GetMessage);
    Api_SetFunction(API_GET_HOME_PATH,      Api_GetHomePath);
@ -240,24 +232,16 @@ _FX void Api_Unload(void)
        Api_FastIoDispatch = NULL;
    }
-    if (Api_WorkListInitialized) {
+    if (Api_Initialized) {
 		if (Api_LogBuffer) {
 			log_buffer_free(Api_LogBuffer);
 			Api_LogBuffer = NULL;
 		}
        /*API_WORK_ITEM *work_item;
 		while (1) {
            work_item = List_Head(&Api_WorkList);
            if (! work_item)
                break;
            Api_DelWork(work_item);
        }*/
        Mem_FreeLockResource(&Api_LockResource);
-        Api_WorkListInitialized = FALSE;
+        Api_Initialized = FALSE;
    }
    if (Api_ServicePortObject) {
@ -682,11 +666,11 @@ _FX void Api_AddMessage(
 {
 	KIRQL irql;
-	if (!Api_WorkListInitialized) // if (!Api_LogBuffer)
+	if (!Api_Initialized)
 		return;
 	//
-	// add work at the end of the work list
+	// add message
 	//
 	irql = Api_EnterCriticalSection();
@ -922,140 +906,6 @@ _FX BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data)
 }
 //---------------------------------------------------------------------------
 // Api_AddWork
 //---------------------------------------------------------------------------
 /*_FX BOOLEAN Api_AddWork(API_WORK_ITEM *work_item)
 {
    KIRQL irql;
    if (! Api_WorkListInitialized)
        return FALSE;
    //
    // add work at the end of the work list
    //
    irql = Api_EnterCriticalSection();
    List_Insert_After(&Api_WorkList, NULL, work_item);
    Api_LeaveCriticalSection(irql);
    //
    // set the work event so SbieSvc wakes up
    //
    if (work_item->session_id != -1)
        return TRUE;
    return TRUE;
 }*/
 //---------------------------------------------------------------------------
 // Api_DelWork
 //---------------------------------------------------------------------------
 /*_FX void Api_DelWork(API_WORK_ITEM *work_item)
 {
    // this assumes Api_WorkList is already locked using Api_Lock
    List_Remove(&Api_WorkList, work_item);
    Mem_Free(work_item, work_item->length);
 }*/
 //---------------------------------------------------------------------------
 // Api_GetWork
 //---------------------------------------------------------------------------
 /*_FX NTSTATUS Api_GetWork(PROCESS *proc, ULONG64 *parms)
 {
    API_GET_WORK_ARGS *args = (API_GET_WORK_ARGS *)parms;
    NTSTATUS status;
    void *buffer_ptr;
    ULONG buffer_len;
    ULONG *result_len;
    ULONG length;
    API_WORK_ITEM *work_item;
    KIRQL irql;
    //
    // caller must not be sandboxed, and caller has to be SbieSvc
    // if session parameter is -1
    //
    if (proc)
        return STATUS_NOT_IMPLEMENTED;
    if (args->session_id.val == -1 &&
            PsGetCurrentProcessId() != Api_ServiceProcessId)
        return STATUS_ACCESS_DENIED;
    //
    // find next work/log item for the session
    //
    buffer_ptr = args->buffer.val;
    buffer_len = args->buffer_len.val;
    result_len = args->result_len_ptr.val;
    irql = Api_EnterCriticalSection();
    work_item = List_Head(&Api_WorkList);
    while (work_item) {
        if (work_item->session_id == args->session_id.val)
            break;
        work_item = List_Next(work_item);
    }
    __try {
    if (! work_item) {
        status = STATUS_NO_MORE_ENTRIES;
    } else {
        if (work_item->length <= buffer_len) {
            length = work_item->length
                   - FIELD_OFFSET(API_WORK_ITEM, type);
            ProbeForWrite(buffer_ptr, length, sizeof(UCHAR));
            memcpy(buffer_ptr, &work_item->type, length);
            status = STATUS_SUCCESS;
        } else {
            length = work_item->length;
            status = STATUS_BUFFER_TOO_SMALL;
        }
        if (result_len) {
            ProbeForWrite(result_len, sizeof(ULONG), sizeof(ULONG));
            *result_len = length;
        }
        if (status == STATUS_SUCCESS)
            Api_DelWork(work_item);
    }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    Api_LeaveCriticalSection(irql);
    return status;
 }*/
 //---------------------------------------------------------------------------
 // Api_GetHomePath
 //---------------------------------------------------------------------------
--- a/Sandboxie/core/drv/api.h
+++ b/Sandboxie/core/drv/api.h
@ -39,17 +39,6 @@
 //---------------------------------------------------------------------------
 /*typedef struct _API_WORK_ITEM {
    LIST_ELEM list_elem;
    ULONG length;           // length includes both header and data
    ULONG session_id;
    ULONG type;
    ULONG data[1];
 } API_WORK_ITEM;*/
 typedef struct _Sbie_SeFilterTokenArg
 {
    PACCESS_TOKEN       ExistingToken;
@ -106,14 +95,6 @@ void Api_ResetServiceProcess(void);
 BOOLEAN Api_SendServiceMessage(ULONG msgid, ULONG data_len, void *data);
 //
 // Publish WORK_ITEM to be consumed by SandboxieService.  Caller must
 // allocate work_item from Driver_Pool, and initialize type, length and data
 //
 //BOOLEAN Api_AddWork(API_WORK_ITEM *work_item);
 //
 // Add message to log buffer
 //
--- a/Sandboxie/core/drv/log.c
+++ b/Sandboxie/core/drv/log.c
@ -26,6 +26,7 @@
 #include "api.h"
 #include "util.h"
 #include "session.h"
 #include "conf.h"
 //---------------------------------------------------------------------------
 // Functions
@ -37,12 +38,6 @@ static void Log_Event_Msg(
    const WCHAR *string1,
    const WCHAR *string2);
 /*static void Log_Popup_Msg_2(
    NTSTATUS error_code,
    const WCHAR *string1, ULONG string1_len,
    const WCHAR *string2, ULONG string2_len,
    ULONG session_id);*/
 //---------------------------------------------------------------------------
 // Log_Event_Msg
@ -151,9 +146,6 @@ _FX void Log_Popup_MsgEx(
    if ((Driver_OsVersion >= DRIVER_WINDOWS_VISTA) && (session_id == 0))
        session_id = 1;
    //Log_Popup_Msg_2(
    //  error_code, string1, string1_len, string2, string2_len, session_id, (ULONG)pid);
    const WCHAR* strings[3] = { string1, string2, NULL };
    ULONG lengths[3] = { string1_len, string2_len, 0 };
 	Api_AddMessage(error_code, strings, lengths, session_id, (ULONG)pid);
@ -162,71 +154,17 @@ _FX void Log_Popup_MsgEx(
    // log message to SbieSvc and trigger SbieSvc to wake up and collect it
    //
-    //Log_Popup_Msg_2(
+    ULONG data = 0;
-    //    error_code, string1, string1_len, string2, string2_len, -1, (ULONG)pid);
+    
    if (Conf_Get_Boolean(NULL, L"LogMessageEvents", 0, FALSE))
        data |= 0x01;
 	ULONG data = 0;
    Api_SendServiceMessage(SVC_LOG_MESSAGE, sizeof(ULONG), &data);
    // DbgPrint("POPUP %04d %S %S\n", error_code & 0xFFFF, string1, string2);
 }
 //---------------------------------------------------------------------------
 // Log_Popup_Msg_2
 //---------------------------------------------------------------------------
 /*_FX void Log_Popup_Msg_2(
    NTSTATUS error_code,
    const WCHAR *string1, ULONG string1_len,
    const WCHAR *string2, ULONG string2_len,
    ULONG session_id)
 {
    API_WORK_ITEM *work_item;
    ULONG length;
    WCHAR *ptr;
    length = sizeof(API_WORK_ITEM)
           + sizeof(ULONG)      // msgid
           + (string1_len + 1) * sizeof(WCHAR)
           + (string2_len + 1) * sizeof(WCHAR);
    //
    // prepare work item
    //
    work_item = Mem_Alloc(Driver_Pool, length);
    if (work_item) {
        work_item->length = length;
        work_item->session_id = session_id;
        work_item->type = API_LOG_MESSAGE;
        work_item->data[0] = error_code;
        ptr = (WCHAR *)&work_item->data[1];
        if (string1_len) {
            wmemcpy(ptr, string1, string1_len);
            ptr += string1_len;
        }
        *ptr = L'\0';
        ++ptr;
        if (string2_len) {
            wmemcpy(ptr, string2, string2_len);
            ptr += string2_len;
        }
        *ptr = L'\0';
        Api_AddWork(work_item);
    }
 }*/
 //---------------------------------------------------------------------------
 // Log_Msg
 //---------------------------------------------------------------------------
--- a/Sandboxie/core/svc/DriverAssist.cpp
+++ b/Sandboxie/core/svc/DriverAssist.cpp
@ -303,7 +303,7 @@ void DriverAssist::MsgWorkerThread(void *MyMsg)
    }
    else if (msgid == SVC_LOG_MESSAGE) {
-        LogMessage();
+        LogMessage(data_ptr);
    }
    else if (msgid == SVC_CONFIG_UPDATED) {
--- a/Sandboxie/core/svc/DriverAssist.h
+++ b/Sandboxie/core/svc/DriverAssist.h
@ -103,7 +103,7 @@ private:
    // log messages to file
    //
-    void LogMessage();
+    void LogMessage(void *_msg);
    void LogMessage_Single(ULONG code, wchar_t* data, ULONG pid);
    void LogMessage_Multi(ULONG msgid, const WCHAR *path, const WCHAR *text);
--- a/Sandboxie/core/svc/DriverAssistLog.cpp
+++ b/Sandboxie/core/svc/DriverAssistLog.cpp
@ -69,29 +69,33 @@ bool GetUserNameFromProcess(DWORD pid, WCHAR* user, DWORD userSize, WCHAR* domai
 //---------------------------------------------------------------------------
-void DriverAssist::LogMessage()
+void DriverAssist::LogMessage(void *_msg)
 {
    ULONG data = _msg ? *(ULONG*)_msg : 0;
    bool LogMessageEvents = (data & 0x01) != 0;
    EnterCriticalSection(&m_LogMessage_CritSec);
-    ULONG m_workItemLen = 4096;
+    ULONG m_MessageLen = 4096;
-    void *m_workItemBuf = NULL;
+    void *m_MessageBuf = NULL;
    while (1) {
-        m_workItemBuf = HeapAlloc(GetProcessHeap(), 0, m_workItemLen);
+        m_MessageBuf = HeapAlloc(GetProcessHeap(), 0, m_MessageLen);
-        if (! m_workItemBuf)
+        if (! m_MessageBuf)
            break;
-        ULONG len = m_workItemLen;
+        ULONG len = m_MessageLen;
 		ULONG message_number = m_last_message_number;
 		ULONG code = -1;
 		ULONG pid = 0;
-		ULONG status = SbieApi_GetMessage(&message_number, -1, &code, &pid, (wchar_t*)m_workItemBuf, len);
+		ULONG status = SbieApi_GetMessage(&message_number, -1, &code, &pid, (wchar_t*)m_MessageBuf, len);
        if (status == STATUS_BUFFER_TOO_SMALL) {
-            HeapFree(GetProcessHeap(), 0, m_workItemBuf);
+            HeapFree(GetProcessHeap(), 0, m_MessageBuf);
-            m_workItemBuf = NULL;
+            m_MessageBuf = NULL;
-            m_workItemLen += 4096;
+            m_MessageLen += 4096;
            continue;
        }
@ -111,14 +115,21 @@ void DriverAssist::LogMessage()
 		    continue;
        //
-        // Add to log
+        // Add to event log
        //
-		LogMessage_Single(code, (wchar_t*)m_workItemBuf, pid);
+        if (LogMessageEvents)
            LogMessage_Event(code, (wchar_t*)m_MessageBuf, pid);
        //
        // Add to log file
        //
 		LogMessage_Single(code, (wchar_t*)m_MessageBuf, pid);
    }
-    if (m_workItemBuf)
+    if (m_MessageBuf)
-        HeapFree(GetProcessHeap(), 0, m_workItemBuf);
+        HeapFree(GetProcessHeap(), 0, m_MessageBuf);
    LeaveCriticalSection(&m_LogMessage_CritSec);
 }
--- a/Sandboxie/core/svc/DriverAssistStart.cpp
+++ b/Sandboxie/core/svc/DriverAssistStart.cpp
@ -45,6 +45,8 @@ NTSTATUS LsaLookupAuthenticationPackage(
 ULONG DriverAssist::StartDriverAsync(void *arg)
 {
    DriverAssist* This = (DriverAssist*)arg;
    //
    // get windows version
    //
@ -309,7 +311,7 @@ driver_started:
        // messages that were logged while the driver was starting
        //
-        m_instance->LogMessage();
+        m_instance->LogMessage(NULL);
        m_instance->m_DriverReady = true;
--- a/Sandboxie/core/svc/main.cpp
+++ b/Sandboxie/core/svc/main.cpp
@ -22,6 +22,7 @@
 #include "stdafx.h"
 #include <Sddl.h>
 #include <lmcons.h>
 #include "MountManager.h"
 #include "DriverAssist.h"
 #include "PipeServer.h"
@ -336,6 +337,61 @@ void LogEvent(ULONG msgid, ULONG level, ULONG detail)
 }
 //---------------------------------------------------------------------------
 // LogMessage_Event
 //---------------------------------------------------------------------------
 void LogMessage_Event(ULONG code, wchar_t* data, ULONG pid)
 {
    //
    // get log message
    //
    WCHAR *str1 = data;
    ULONG str1_len = wcslen(str1);
    WCHAR *str2 = str1 + str1_len + 1;
    ULONG str2_len = wcslen(str2);
    WCHAR *text = SbieDll_FormatMessage2(code, str1, str2);
    if (! text)
        return;
    //
    // add user name
    //
    /*
    WCHAR user[UNLEN + 1];
    WCHAR domain[DNLEN + 1];
    bool GetUserNameFromProcess(DWORD pid, WCHAR * user, DWORD userSize, WCHAR * domain, DWORD domainSize);
    if (GetUserNameFromProcess(pid, user, UNLEN + 1, domain, DNLEN + 1)) {
        WCHAR *text2 = (WCHAR *)LocalAlloc(
            LMEM_FIXED, (wcslen(text) + UNLEN + DNLEN + 10) * sizeof(WCHAR));
        if (text2) {
            wsprintf(text2, L"%s (%s\\%s)", text, domain, user);
            LocalFree(text);
            text = text2;
        }
    }*/
    //
    // add event
    //
    const WCHAR* ptr_extra[2] = { text, NULL };
    USHORT num_extra = 1;
    if (EventLog) {
        ReportEvent(EventLog, EVENTLOG_INFORMATION_TYPE, 0, code, NULL, num_extra, 0, ptr_extra, NULL);
    }
    LocalFree(text);
 }
 //---------------------------------------------------------------------------
 // AbortServer
 //---------------------------------------------------------------------------
--- a/Sandboxie/core/svc/misc.h
+++ b/Sandboxie/core/svc/misc.h
@ -21,6 +21,7 @@
 #include "msgs/msgs.h"
 void LogEvent(ULONG msgid, ULONG level, ULONG detail);
 void LogMessage_Event(ULONG code, wchar_t* data, ULONG pid);
 void AbortServer(void);
 bool RestrictToken(void);
 bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName);