#3638

2024-04-20 20:17:51 +02:00 · 2024-04-20 20:17:51 +02:00 · c40fb91c1c
parent 585210423b
commit c40fb91c1c
5 changed files with 21 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -34,6 +34,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - fixed Enabling "DropAdminRights/FakeAdminRights" adds "BlockInterferePower and ForceProtectionOnMount" to the INI [#3825](https://github.com/sandboxie-plus/Sandboxie/issues/3825)
 - fixed KeePass "Out of Memory" crash due to "BlockScreenCapture=y" [#3768](https://github.com/sandboxie-plus/Sandboxie/issues/3768)
 - fixed Sandboxie 1.13.4 with IsBlockCapture=y brakes on Windows 7 [#3769](https://github.com/sandboxie-plus/Sandboxie/issues/3769)
+- fixed explorer.exe issue "FakeAdminRights=y" [#3638](https://github.com/sandboxie-plus/Sandboxie/issues/3638)



--- a/Sandboxie/core/dll/dll.h
+++ b/Sandboxie/core/dll/dll.h
@ -200,6 +200,7 @@ typedef struct _THREAD_DATA {
    BOOLEAN         proc_create_process_capture_image;
    BOOLEAN         proc_create_process_force_elevate;
    BOOLEAN         proc_create_process_as_invoker;
+    BOOLEAN         proc_create_process_fake_admin;
    BOOLEAN         proc_image_is_copy;
    WCHAR          *proc_image_path;
    WCHAR          *proc_command_line;
@ -310,6 +311,8 @@ extern ULONG Dll_Windows;
 extern PSECURITY_DESCRIPTOR Secure_NormalSD;
 extern PSECURITY_DESCRIPTOR Secure_EveryoneSD;

+extern BOOLEAN Secure_FakeAdmin;
+
 extern BOOLEAN Ldr_BoxedImage;

 extern WCHAR *Ldr_ImageTruePath;
--- a/Sandboxie/core/dll/proc.c
+++ b/Sandboxie/core/dll/proc.c
@ -1335,12 +1335,16 @@ _FX BOOL Proc_CreateProcessInternalW(
 		    lpProcessAttributes = NULL;
        }

+        TlsData->proc_create_process_fake_admin = (Secure_FakeAdmin == FALSE && SbieApi_QueryConfBool(NULL, L"FakeAdminRights", FALSE));
+
        ok = __sys_CreateProcessInternalW(
            hToken, lpApplicationName, lpCommandLine,
            lpProcessAttributes, lpThreadAttributes, bInheritHandles,
            dwCreationFlags, lpEnvironment, lpCurrentDirectory,
            lpStartupInfo, lpProcessInformation, hNewToken);

+        TlsData->proc_create_process_fake_admin = FALSE;
+
        err = GetLastError();

        goto finish;
@ -1410,6 +1414,7 @@ _FX BOOL Proc_CreateProcessInternalW(
        }
    }

+    TlsData->proc_create_process_fake_admin = (Secure_FakeAdmin == FALSE && SbieApi_QueryConfBool(NULL, L"FakeAdminRights", FALSE));

    ok = __sys_CreateProcessInternalW(
        NULL, lpApplicationName, lpCommandLine,
@ -1419,6 +1424,7 @@ _FX BOOL Proc_CreateProcessInternalW(

    err = GetLastError();

+    TlsData->proc_create_process_fake_admin = FALSE;

    //
    // restore the original owner pointers in the security descriptors
--- a/Sandboxie/core/dll/secure.c
+++ b/Sandboxie/core/dll/secure.c
@ -1003,8 +1003,9 @@ _FX NTSTATUS Ldr_NtQueryInformationToken(
    ULONG TokenInformationLength,
    ULONG *ReturnLength)
 {
+    THREAD_DATA *TlsData = Dll_GetTlsData(NULL);
+
    NTSTATUS status = 0;
-    THREAD_DATA *TlsData = NULL;
    HANDLE hTokenReal = NULL;
    BOOLEAN FakeAdmin = FALSE;

@ -1019,7 +1020,7 @@ _FX NTSTATUS Ldr_NtQueryInformationToken(
    // we also ensure that the token belongs to the current process
    //

-    if (Secure_FakeAdmin && (SbieApi_QueryProcessInfoEx(0, 'ippt', (LONG_PTR)(hTokenReal ? hTokenReal : TokenHandle))))
+    if ((Secure_FakeAdmin || TlsData->proc_create_process_fake_admin) && (SbieApi_QueryProcessInfoEx(0, 'ippt', (LONG_PTR)(hTokenReal ? hTokenReal : TokenHandle))))
    {
        FakeAdmin = TRUE;
    }
@ -1039,8 +1040,6 @@ _FX NTSTATUS Ldr_NtQueryInformationToken(
    // we are running as Administrator
    //

-    TlsData = Dll_GetTlsData(NULL);
-
    if (Secure_Is_IE_NtQueryInformationToken && !TlsData->proc_create_process)
    {
        FakeAdmin = TRUE;
@ -1150,10 +1149,12 @@ NTSTATUS Ldr_NtAccessCheckByType(PSECURITY_DESCRIPTOR SecurityDescriptor, PSID P

 _FX NTSTATUS Ldr_NtAccessCheck(PSECURITY_DESCRIPTOR SecurityDescriptor, HANDLE ClientToken, ACCESS_MASK DesiredAccess, PGENERIC_MAPPING GenericMapping, PPRIVILEGE_SET RequiredPrivilegesBuffer, PULONG BufferLength, PACCESS_MASK GrantedAccess, PNTSTATUS AccessStatus)
 {
+    THREAD_DATA *TlsData = Dll_GetTlsData(NULL);
+
    NTSTATUS status = 0;
    HANDLE hTokenReal = NULL;

-    if (Secure_FakeAdmin && SecurityDescriptor) {
+    if ((Secure_FakeAdmin || TlsData->proc_create_process_fake_admin) && SecurityDescriptor) {
        BOOLEAN Fake = FALSE;

        PSID Group, Owner;
@ -1352,7 +1353,7 @@ _FX NTSTATUS Secure_RtlQueryElevationFlags(ULONG *Flags)

    BOOLEAN fake = FALSE;

-    if (Secure_FakeAdmin) 
+    if (Secure_FakeAdmin || TlsData->proc_create_process_fake_admin) 
    {
        fake = TRUE;
    } 
@ -1446,7 +1447,9 @@ NTSTATUS Secure_RtlCheckTokenMembershipEx(
    DWORD flags,
    PUCHAR isMember)
 {
-    if (Secure_FakeAdmin && RtlEqualSid(sidToCheck, AdministratorsSid)) {
+    THREAD_DATA *TlsData = Dll_GetTlsData(NULL);
+
+    if ((Secure_FakeAdmin || TlsData->proc_create_process_fake_admin) && RtlEqualSid(sidToCheck, AdministratorsSid)) {
        if (isMember) *isMember = TRUE;
        return STATUS_SUCCESS;
    }
--- a/Sandboxie/install/Templates.ini
+++ b/Sandboxie/install/Templates.ini
@ -1034,6 +1034,7 @@ Tmpl.ScanService=edgeupdate
 # SBIE fix for MS Edge WebView2
 #ExternalManifestHack=msedgewebview2.exe,y
 NormalFilePath=msedge.exe,%LocalAppData%\Microsoft\Edge\User Data\Default\Secure Preferences
+FakeAdminRights=msedge.exe,n

 #
 # Vivaldi