From d45feba10b63c180b7f752f9a37bd906b8ae6713 Mon Sep 17 00:00:00 2001 From: DavidXanatos Date: Thu, 3 Jun 2021 17:00:04 +0200 Subject: [PATCH] vs 1029 compatybility update --- Sandboxie/core/drv/SboxDrv.vcxproj | 4 ++-- Sandboxie/core/drv/box.c | 2 +- Sandboxie/core/drv/conf.c | 8 ++++---- Sandboxie/core/drv/conf_expand.c | 2 +- Sandboxie/core/drv/dll.c | 10 +++++----- Sandboxie/core/drv/driver.c | 6 ++++-- Sandboxie/core/drv/driver.h | 2 ++ Sandboxie/core/drv/file.c | 8 ++++---- Sandboxie/core/drv/file_ctrl.c | 4 ++-- Sandboxie/core/drv/file_flt.c | 2 +- Sandboxie/core/drv/gui.c | 2 ++ Sandboxie/core/drv/gui_xp.c | 10 +++++----- Sandboxie/core/drv/hook_32.c | 2 +- Sandboxie/core/drv/hook_64.c | 2 +- Sandboxie/core/drv/ipc.c | 2 +- Sandboxie/core/drv/ipc_lsa.c | 2 +- Sandboxie/core/drv/ipc_port.c | 4 ++-- Sandboxie/core/drv/ipc_sam.c | 4 ++-- Sandboxie/core/drv/ipc_spl.c | 2 +- Sandboxie/core/drv/key.c | 2 +- Sandboxie/core/drv/log.c | 4 ++-- Sandboxie/core/drv/my_winnt.h | 4 +--- Sandboxie/core/drv/process.c | 3 ++- Sandboxie/core/drv/process_util.c | 2 +- Sandboxie/core/drv/syscall.c | 6 ++++-- Sandboxie/core/drv/syscall_64.c | 2 ++ Sandboxie/core/drv/syscall_open.c | 12 ++++++------ Sandboxie/core/drv/thread.c | 4 +++- Sandboxie/core/drv/token.c | 29 ++++++++++++++++++++++++++++- 29 files changed, 92 insertions(+), 54 deletions(-) diff --git a/Sandboxie/core/drv/SboxDrv.vcxproj b/Sandboxie/core/drv/SboxDrv.vcxproj index 9d7d2d4c..d5fd81b2 100644 --- a/Sandboxie/core/drv/SboxDrv.vcxproj +++ b/Sandboxie/core/drv/SboxDrv.vcxproj @@ -185,7 +185,7 @@ Native - ntoskrnl.lib;hal.lib;wmilib.lib;fltmgr.lib;Ksecdd.lib;%(AdditionalDependencies) + ntoskrnl.lib;hal.lib;wmilib.lib;fltmgr.lib;Ksecdd.lib;ntstrsafe.lib;%(AdditionalDependencies) DriverEntry @@ -215,7 +215,7 @@ Native - ntoskrnl.lib;hal.lib;wmilib.lib;fltmgr.lib;Ksecdd.lib;%(AdditionalDependencies) + ntoskrnl.lib;hal.lib;wmilib.lib;fltmgr.lib;Ksecdd.lib;ntstrsafe.lib;%(AdditionalDependencies) DriverEntry 
diff --git a/Sandboxie/core/drv/box.c b/Sandboxie/core/drv/box.c index 97656234..69b10552 100644 --- a/Sandboxie/core/drv/box.c +++ b/Sandboxie/core/drv/box.c @@ -333,7 +333,7 @@ _FX BOOLEAN Box_InitPaths(POOL *pool, BOX *box) } // sometimes we get here without a user temp var being set. Check first to avoid an error popup. - swprintf(KeyPath, L"\\REGISTRY\\USER\\%.184s\\Environment", box->sid); + RtlStringCbPrintfW(KeyPath, sizeof(KeyPath), L"\\REGISTRY\\USER\\%.184s\\Environment", box->sid); if (DoesRegValueExist(RTL_REGISTRY_ABSOLUTE, KeyPath, L"temp")) Box_ExpandString(box, L"%temp%", L"", &box->user_temp_path, &box->user_temp_path_len); diff --git a/Sandboxie/core/drv/conf.c b/Sandboxie/core/drv/conf.c index be465c76..acf0adac 100644 --- a/Sandboxie/core/drv/conf.c +++ b/Sandboxie/core/drv/conf.c @@ -205,7 +205,7 @@ _FX NTSTATUS Conf_Read(ULONG session_id) // path_home = TRUE; // = FALSE; - swprintf(path, path_sandboxie, Driver_HomePathDos); // , SystemRoot); + RtlStringCbPrintfW(path, path_len, path_sandboxie, Driver_HomePathDos); // , SystemRoot); status = Stream_Open( &stream, path, FILE_GENERIC_READ, 0, FILE_SHARE_READ, FILE_OPEN, 0); @@ -213,7 +213,7 @@ _FX NTSTATUS Conf_Read(ULONG session_id) if (status == STATUS_OBJECT_NAME_NOT_FOUND) { path_home = FALSE; // = TRUE; - swprintf(path, path_sandboxie, SystemRoot); // , Driver_HomePathDos); + RtlStringCbPrintfW(path, path_len, path_sandboxie, SystemRoot); // , Driver_HomePathDos); status = Stream_Open( &stream, path, @@ -270,7 +270,7 @@ _FX NTSTATUS Conf_Read(ULONG session_id) if (NT_SUCCESS(status)) { - swprintf(path, path_templates, Driver_HomePathDos); + RtlStringCbPrintfW(path, path_len, path_templates, Driver_HomePathDos); status = Stream_Open( &stream, path, 
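Review bot: The NTSTATUS from `RtlStringCbPrintfW(path, path_len, path_sandboxie, Driver_HomePathDos)` is discarded, so a truncated path (STATUS_BUFFER_OVERFLOW) is handed straight to Stream_Open; the sibling calls in the -213 and -270 hunks have the same shape. Unlike swprintf, the bounded call reports truncation, and the caller should act on it, e.g. `status = RtlStringCbPrintfW(path, path_len, path_sandboxie, Driver_HomePathDos); if (!NT_SUCCESS(status)) return status;` (or the function's usual error exit). `path_len` is declared outside the hunk; the Cb variant expects a byte count, so confirm it is not a WCHAR count, otherwise RtlStringCchPrintfW is the right call. Conf_Read continues outside the hunk.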
@@ -350,7 +350,7 @@ _FX NTSTATUS Conf_Read(ULONG session_id) // if (! NT_SUCCESS(status)) { - swprintf(linenum_str, L"%d", linenum); + RtlStringCbPrintfW(linenum_str, sizeof(linenum_str), L"%d", linenum); //DbgPrint("Conf error %X at line %d (%S)\n", status, linenum, linenum_str); if (status == STATUS_BUFFER_OVERFLOW) { Log_Msg_Session( diff --git a/Sandboxie/core/drv/conf_expand.c b/Sandboxie/core/drv/conf_expand.c index e42713f7..85ecf95d 100644 --- a/Sandboxie/core/drv/conf_expand.c +++ b/Sandboxie/core/drv/conf_expand.c @@ -249,7 +249,7 @@ _FX NTSTATUS Conf_Expand_Template( varname2 = Mem_Alloc(args->pool, varname2_len); if (! varname2) return STATUS_INSUFFICIENT_RESOURCES; - swprintf(varname2, L"%s.%s", varname, varvalue); + RtlStringCbPrintfW(varname2, varname2_len, L"%s.%s", varname, varvalue); Conf_AdjustUseCount(TRUE); diff --git a/Sandboxie/core/drv/dll.c b/Sandboxie/core/drv/dll.c index e0460cda..0b3f38b6 100644 --- a/Sandboxie/core/drv/dll.c +++ b/Sandboxie/core/drv/dll.c @@ -86,9 +86,9 @@ _FX BOOLEAN Dll_Init(void) List_Init(&Dll_List); Dll_List_Initialized = TRUE; - if (! Dll_Load(Dll_NTDLL)) + if (! Dll_Load(Dll_NTDLL)) // ntoskrnl.exe - ntdll.dll return FALSE; - if (! Dll_Load(Dll_USER)) + if (! Dll_Load(Dll_USER)) // win32k.sys - w10: win32u.dll - w7: user32.dll & gdi32.dll return FALSE; return TRUE; @@ -174,7 +174,7 @@ _FX DLL_ENTRY *Dll_Load(const WCHAR *DllBaseName) // open the dll file and query its on-disk size // - swprintf(path, L"\\SystemRoot\\System32\\%s%s", DllBaseName, _DotDll); + RtlStringCbPrintfW(path, sizeof(path), L"\\SystemRoot\\System32\\%s%s", DllBaseName, _DotDll); #ifdef _WIN64 @@ -358,7 +358,7 @@ _FX void *Dll_GetProc( if (! proc) { WCHAR dll_proc_name[96]; - swprintf(dll_proc_name, L"%s.%S", DllName, ProcName); + RtlStringCbPrintfW(dll_proc_name, sizeof(dll_proc_name), L"%s.%S", DllName, ProcName); Log_Msg1(MSG_DLL_GET_PROC, dll_proc_name); } 
@@ -400,7 +400,7 @@ _FX ULONG Dll_GetNextProc( if (! dll_offset) { WCHAR dll_proc_name[96]; - swprintf(dll_proc_name, L"%s.%S", dll->name, SearchName); + RtlStringCbPrintfW(dll_proc_name, sizeof(dll_proc_name), L"%s.%S", dll->name, SearchName); Log_Msg1(MSG_1112, dll_proc_name); } diff --git a/Sandboxie/core/drv/driver.c b/Sandboxie/core/drv/driver.c index dbd37828..e91cdab9 100644 --- a/Sandboxie/core/drv/driver.c +++ b/Sandboxie/core/drv/driver.c @@ -284,6 +284,8 @@ _FX BOOLEAN Driver_CheckOsVersion(void) ( MajorVersion == MajorVersionMin && MinorVersion >= MinorVersionMin)) { + // Hard Offset Dependency + if (MajorVersion == 10) { Driver_OsVersion = DRIVER_WINDOWS_10; #ifdef _WIN64 @@ -332,7 +334,7 @@ _FX BOOLEAN Driver_CheckOsVersion(void) return TRUE; } - swprintf(str, L"%d.%d (%d)", MajorVersion, MinorVersion, Driver_OsBuild); + RtlStringCbPrintfW(str, sizeof(str), L"%d.%d (%d)", MajorVersion, MinorVersion, Driver_OsBuild); Log_Msg(MSG_1105, str, NULL); return FALSE; } @@ -605,7 +607,7 @@ _FX BOOLEAN Driver_FindHomePath(UNICODE_STRING *RegistryPath) return FALSE; \ if (! Hook_GetService( \ ptr, NULL, prmcnt, NULL, (void **)&svc)) { \ - swprintf(err_txt, L"%s.%S", Dll_NTDLL, ProcName); \ + RtlStringCbPrintfW(err_txt, szieof(err_txt), L"%s.%S", Dll_NTDLL, ProcName); \ Log_Msg1(MSG_1108, err_txt); \ return FALSE; \ } \ diff --git a/Sandboxie/core/drv/driver.h b/Sandboxie/core/drv/driver.h index fb2aafaa..a3015fb4 100644 --- a/Sandboxie/core/drv/driver.h +++ b/Sandboxie/core/drv/driver.h @@ -42,6 +42,8 @@ #include "log.h" #include "mem.h" +#define NTSTRSAFE_LIB +#include //--------------------------------------------------------------------------- // Defines diff --git a/Sandboxie/core/drv/file.c b/Sandboxie/core/drv/file.c index 294b0de0..a884a974 100644 --- a/Sandboxie/core/drv/file.c +++ b/Sandboxie/core/drv/file.c 
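Review bot: `szieof(err_txt)` in the macro body of the -605 hunk is a typo for `sizeof(err_txt)`; because it sits inside a macro it is only diagnosed at each expansion site, where it either fails to compile or, if some helper of that name exists, passes the wrong size. The line should read `RtlStringCbPrintfW(err_txt, sizeof(err_txt), L"%s.%S", Dll_NTDLL, ProcName); \`. sizeof yields the buffer size only if `err_txt` is a local array rather than a pointer at the expansion site; its declaration is outside the hunk, so confirm that.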
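Review bot: The new `#include` line in driver.h carries no header name as rendered here (presumably `<ntstrsafe.h>` was lost in extraction); please verify the committed line is `#include <ntstrsafe.h>`. Defining `NTSTRSAFE_LIB` before that include selects the library implementations from ntstrsafe.lib, which this patch adds to both vcxproj link lines, so the two changes depend on each other and deserve a comment: `// NTSTRSAFE_LIB: link RtlString* from ntstrsafe.lib (see SboxDrv.vcxproj) instead of compiling inline copies`. Every translation unit calling the RtlString* functions must see this header first; that appears to be the intent of placing it in driver.h, but whether every .c includes driver.h is not visible here.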
@@ -403,7 +403,7 @@ _FX void File_CreateBoxPath_2(HANDLE FileHandle) File_DesktopIniText = Mem_Alloc(Driver_Pool, 768); if (File_DesktopIniText) { - sprintf(File_DesktopIniText, + RtlStringCbPrintfA(File_DesktopIniText, 768, "[.ShellClassInfo]\r\n" "IconFile=%S\\%S\r\n" "IconIndex=9\r\n" @@ -996,7 +996,7 @@ _FX NTSTATUS File_Generic_MyParseProc( ignore_str = Mem_Alloc(proc->pool, ignore_str_len); if (ignore_str) { - swprintf(ignore_str, + RtlStringCbPrintfW(ignore_str, ignore_str_len, L"(FI) %08X %s", device_type, device_name_ptr); if (proc->file_trace & TRACE_IGNORE) @@ -1511,7 +1511,7 @@ skip_due_to_home_folder: if(!IsPipeDevice && !ShouldMonitorAccess) mon_type |= MONITOR_TRACE; - swprintf(access_str, L"(F%c) %08X.%02X.%08X", + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(F%c) %08X.%02X.%08X", letter, DesiredAccess, CreateDisposition & 0x0F, CreateOptions); Log_Debug_Msg(mon_type, access_str, Name->Name.Buffer); @@ -2247,7 +2247,7 @@ _FX NTSTATUS File_Api_Open(PROCESS *proc, ULONG64 *parms) ULONG mon_type = MONITOR_FILE; mon_type |= MONITOR_TRACE; - swprintf(access_str, L"(F%c) %08X.%02X.%08X", + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(F%c) %08X.%02X.%08X", letter, DesiredAccess, 0 & 0x0F, CreateOptions); Log_Debug_Msg(mon_type, access_str, path); diff --git a/Sandboxie/core/drv/file_ctrl.c b/Sandboxie/core/drv/file_ctrl.c index 273d20e6..9cdfe937 100644 --- a/Sandboxie/core/drv/file_ctrl.c +++ b/Sandboxie/core/drv/file_ctrl.c @@ -106,7 +106,7 @@ _FX NTSTATUS Syscall_DeviceIoControlFile( /* WCHAR msg_str[240]; - swprintf(msg_str, L"DeviceIoContoleFile, CMApi, func = 0x%X, filter=%d, p=%06d t=%06d, %s\n", + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"DeviceIoContoleFile, CMApi, func = 0x%X, filter=%d, p=%06d t=%06d, %s\n", function, filter, PsGetCurrentProcessId(), PsGetCurrentThreadId(), proc->image_name); Log_Debug_Msg(MONITOR_OTHER | MONITOR_TRACE, msg_str, NULL);*/ 
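Review bot: The literal `768` is now duplicated between `Mem_Alloc(Driver_Pool, 768)` and `RtlStringCbPrintfA(File_DesktopIniText, 768, ...)`, so changing one without the other silently desynchronises the allocation from the bound passed to the formatter. Introduce one constant next to the allocation, e.g. `const ULONG ini_size = 768;`, and use it in both calls. The returned status is ignored; that is tolerable for a desktop.ini body, but a one-line comment such as `// truncation is acceptable here: desktop.ini is cosmetic` would record that it is deliberate. File_CreateBoxPath_2 continues outside the hunk.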
@@ -123,7 +123,7 @@ _FX NTSTATUS Syscall_DeviceIoControlFile( if (mon_type) { WCHAR msg_str[24]; - swprintf(msg_str, L"Func: %02X", (ULONG)function); + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Func: %02X", (ULONG)function); Log_Debug_Msg(mon_type, L"\\Device\\DeviceApi\\CMApi", msg_str); } } diff --git a/Sandboxie/core/drv/file_flt.c b/Sandboxie/core/drv/file_flt.c index a2db7613..f2fb024f 100644 --- a/Sandboxie/core/drv/file_flt.c +++ b/Sandboxie/core/drv/file_flt.c @@ -397,7 +397,7 @@ _FX FLT_PREOP_CALLBACK_STATUS File_PreOperation( WCHAR wcPid[32]; status = STATUS_ACCESS_DENIED; // disallow the call - swprintf(wcPid, L"[%d]", ulOwnerPid); + RtlStringCbPrintfW(wcPid, sizeof(wcPid), L"[%d]", ulOwnerPid); // create a string for the sandboxed proc name plus the blocked file name (plus a L", " plus NULL = 6) len = proc->image_name_len + pTargetFileNameInfo->Name.Length + 6; diff --git a/Sandboxie/core/drv/gui.c b/Sandboxie/core/drv/gui.c index b5e628c8..445eaafb 100644 --- a/Sandboxie/core/drv/gui.c +++ b/Sandboxie/core/drv/gui.c @@ -314,6 +314,8 @@ _FX GUI_CLIPBOARD *Gui_GetClipboard(void) ULONG Clipboard_Offset = 0; + // Hard Offset Dependency + #ifdef _WIN64 if (Driver_OsVersion <= DRIVER_WINDOWS_7) { Clipboard_Offset = 0x58; diff --git a/Sandboxie/core/drv/gui_xp.c b/Sandboxie/core/drv/gui_xp.c index eab2ca29..88660acb 100644 --- a/Sandboxie/core/drv/gui_xp.c +++ b/Sandboxie/core/drv/gui_xp.c @@ -188,7 +188,7 @@ static ULONG_PTR __jmp_NtRequestWaitReplyPort = 0; return FALSE; \ svc_num = Hook_GetServiceIndex(ptr, SkipIndexes); \ if (svc_num <= 0 || (svc_num & 0xF000) != range) { \ - swprintf(err_txt, L"%s.%S", dllname, ProcName); \ + RtlStringCbPrintfW(err_txt, 128*sizeof(WCHAR), L"%s.%S", dllname, ProcName); \ Log_Msg1(MSG_1108, err_txt); \ return FALSE; \ } \ 
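Review bot: The macro in the -188 hunk of gui_xp.c passes a hard-coded `128*sizeof(WCHAR)` as the destination size rather than deriving it from the buffer, so the bound is only correct while `err_txt` is declared as exactly 128 WCHARs at every expansion site, and its declaration is outside the hunk. If `err_txt` is a local array, prefer `RtlStringCbPrintfW(err_txt, sizeof(err_txt), L"%s.%S", dllname, ProcName); \`, matching the driver.c macro in this same patch; otherwise name the size once beside the declaration and use that name here. A detached size literal is the pattern that reintroduces an overflow when the buffer is later shrunk.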
@@ -1346,7 +1346,7 @@ _FX ULONG_PTR Gui_NtUserPostThreadMessage( if (proc->gui_trace & TRACE_DENY) { WCHAR access_str[80]; - swprintf(access_str, + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(GD) ThrdMessage %05d (%04X) to tid=%06d pid=%06d", Msg, Msg, idThread, idProcess); Log_Debug_Msg(MONITOR_WINCLASS, access_str, Driver_Empty); @@ -1441,7 +1441,7 @@ _FX ULONG_PTR Gui_NtUserSendInput( if (letter) { - swprintf(access_str, L"(G%c) SendInput", letter); + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(G%c) SendInput", letter); Log_Debug_Msg(MONITOR_WINCLASS | MONITOR_TRACE, access_str, Driver_Empty); } } @@ -1535,7 +1535,7 @@ _FX ULONG_PTR Gui_NtUserSetWindowsHookEx( if (letter) { - swprintf(access_str, + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(G%c) WinHook %04d on tid=%06d pid=%06d", letter, HookType, idThread, idProcess); Log_Debug_Msg(MONITOR_WINCLASS | MONITOR_TRACE, access_str, Driver_Empty); @@ -1593,7 +1593,7 @@ _FX ULONG_PTR Gui_NtUserSetWinEventHook( if (letter) { - swprintf(access_str, L"(G%c) AccHook on tid=%06d pid=%06d", + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(G%c) AccHook on tid=%06d pid=%06d", letter, idThread, idProcess); Log_Debug_Msg(MONITOR_WINCLASS | MONITOR_TRACE, access_str, Driver_Empty); } diff --git a/Sandboxie/core/drv/hook_32.c b/Sandboxie/core/drv/hook_32.c index 617954c4..1ce407a2 100644 --- a/Sandboxie/core/drv/hook_32.c +++ b/Sandboxie/core/drv/hook_32.c @@ -112,7 +112,7 @@ _FX void *Hook_GetZwServiceInternal(ULONG ServiceIndex) subcode = Hook_Find_ZwRoutine_2(ServiceIndex, &routine); if (subcode != 0) { WCHAR err[8]; - swprintf(err, L"0x%X", subcode); + RtlStringCbPrintfW(err, sizeof(err), L"0x%X", subcode); Log_Msg1(MSG_HOOK_ZW_SERVICE, err); routine = NULL; } diff --git a/Sandboxie/core/drv/hook_64.c b/Sandboxie/core/drv/hook_64.c index 062dacc2..9a7dc0d1 100644 --- a/Sandboxie/core/drv/hook_64.c +++ b/Sandboxie/core/drv/hook_64.c 
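Review bot: In hook_32.c, `WCHAR err[8]` is too small for `L"0x%X"` once `subcode` needs more than five hex digits: "0x" plus up to eight digits plus the terminator is 11 WCHARs, so the bounded call now truncates and returns STATUS_BUFFER_OVERFLOW, which is discarded, and MSG_HOOK_ZW_SERVICE logs a clipped value where the old swprintf would have overrun the stack. Size the buffer for the worst case, `WCHAR err[16];`. Whether subcode can actually exceed 0xFFFFF depends on Hook_Find_ZwRoutine_2, which is outside the hunk.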
@@ -141,7 +141,7 @@ _FX void *Hook_GetZwServiceInternal(ULONG ServiceIndex) subcode = Hook_Find_ZwRoutine(ServiceIndex, &routine); if (subcode != 0) { WCHAR err[8]; - swprintf(err, L"%d", subcode); + RtlStringCbPrintfW(err, sizeof(err), L"%d", subcode); Log_Msg1(MSG_HOOK_ZW_SERVICE, err); routine = NULL; } diff --git a/Sandboxie/core/drv/ipc.c b/Sandboxie/core/drv/ipc.c index 470fa6bb..4742860a 100644 --- a/Sandboxie/core/drv/ipc.c +++ b/Sandboxie/core/drv/ipc.c @@ -942,7 +942,7 @@ _FX NTSTATUS Ipc_CheckGenericObject( mon_type |= MONITOR_DENY; } - swprintf(access_str, L"(I%c) %08X", letter, GrantedAccess); + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(I%c) %08X", letter, GrantedAccess); Log_Debug_Msg(mon_type, access_str, Name->Buffer); } } diff --git a/Sandboxie/core/drv/ipc_lsa.c b/Sandboxie/core/drv/ipc_lsa.c index e229610d..c614ec04 100644 --- a/Sandboxie/core/drv/ipc_lsa.c +++ b/Sandboxie/core/drv/ipc_lsa.c @@ -341,7 +341,7 @@ _FX BOOLEAN Ipc_Filter_Lsa_Ep_Msg(PROCESS* proc, UCHAR uMsg) if (mon_type) { WCHAR msg_str[24]; - swprintf(msg_str, L"Msg: %02X", (ULONG)uMsg); + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Msg: %02X", (ULONG)uMsg); Log_Debug_Msg(mon_type, L"\\RPC Control\\LSARPC_ENDPOINT", msg_str); } } diff --git a/Sandboxie/core/drv/ipc_port.c b/Sandboxie/core/drv/ipc_port.c index 823b4838..fd19b662 100644 --- a/Sandboxie/core/drv/ipc_port.c +++ b/Sandboxie/core/drv/ipc_port.c 
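Review bot: `WCHAR err[8]` cannot hold every `L"%d"` rendering of `subcode`: a ten-digit value plus an optional sign plus the terminator needs 12 WCHARs, so the bounded call truncates, its STATUS_BUFFER_OVERFLOW is dropped, and the logged code is misleading for large values. Use `WCHAR err[16];`, as the parallel hook_32.c hunk also needs. What range Hook_Find_ZwRoutine returns is not visible here.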
@@ -256,7 +256,7 @@ _FX NTSTATUS Ipc_CheckPortRequest( /*if (Session_MonitorCount)// && (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY))) { WCHAR msg_str[256]; - swprintf(msg_str, L"CheckPortRequest, Status <%08X> on Port <%*.*s>\n", status, Name->Name.Length / sizeof(WCHAR), Name->Name.Length / sizeof(WCHAR), Name->Name.Buffer); + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"CheckPortRequest, Status <%08X> on Port <%*.*s>\n", status, Name->Name.Length / sizeof(WCHAR), Name->Name.Length / sizeof(WCHAR), Name->Name.Buffer); Log_Debug_Msg(MONITOR_IPC, msg_str, NULL); }*/ @@ -825,7 +825,7 @@ _FX NTSTATUS Ipc_Api_GetRpcPortName_2(PEPROCESS ProcessObject, WCHAR* pDstPortNa (ObjName->Length < 64 * sizeof(WCHAR)) && _wcsnicmp(ObjName->Buffer, L"LRPC-", 5) == 0) { - swprintf(name, L"%s\\%s", _rpc_control, ObjName->Buffer); + RtlStringCbPrintfW(name, sizeof(name), L"%s\\%s", _rpc_control, ObjName->Buffer); RtlInitUnicodeString(&objname, name); diff --git a/Sandboxie/core/drv/ipc_sam.c b/Sandboxie/core/drv/ipc_sam.c index 685bff7c..2a337433 100644 --- a/Sandboxie/core/drv/ipc_sam.c +++ b/Sandboxie/core/drv/ipc_sam.c @@ -101,7 +101,7 @@ _FX BOOLEAN Ipc_Filter_Sam_Msg(PROCESS* proc, UCHAR uMsg) { //case 0x00: //SamConnect //case 0x01: //SamCloseHandle - case 0x02: //SamSetSecurityObject + case 0x02: //SamSetSecurityObject // fixme: SandboxieCrypto.exe needs this some times #740 //if(proc->image_sbie) break; //case 0x03: //SamQuerySecurityObject //case 0x05: //SamLookupDomainInSamServer //case 0x06: //SamEnumerateDomainsInSamServer @@ -180,7 +180,7 @@ _FX BOOLEAN Ipc_Filter_Sam_Msg(PROCESS* proc, UCHAR uMsg) if (mon_type) { WCHAR msg_str[24]; - swprintf(msg_str, L"Msg: %02X", (ULONG)uMsg); + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Msg: %02X", (ULONG)uMsg); Log_Debug_Msg(mon_type, L"\\RPC Control\\samss lpc", msg_str); } } diff --git a/Sandboxie/core/drv/ipc_spl.c b/Sandboxie/core/drv/ipc_spl.c index 9d9fa14a..45661d02 100644 --- a/Sandboxie/core/drv/ipc_spl.c 
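Review bot: In the -825 hunk `ObjName->Buffer` is formatted with `%s`, but a UNICODE_STRING buffer is not guaranteed to be NUL-terminated, so the read is bounded by whatever terminator follows rather than by the `ObjName->Length` that the preceding guard checks. RtlStringCbPrintfW understands `%wZ`, so `RtlStringCbPrintfW(name, sizeof(name), L"%s\\%wZ", _rpc_control, ObjName);` honours the length field. `sizeof(name)` gives the buffer size only if `name` is a local array; its declaration is outside the hunk, as is the rest of Ipc_Api_GetRpcPortName_2.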
+++ b/Sandboxie/core/drv/ipc_spl.c @@ -311,7 +311,7 @@ _FX BOOLEAN Ipc_Filter_Spooler_Msg(PROCESS* proc, UCHAR uMsg) if (mon_type) { WCHAR msg_str[24]; - swprintf(msg_str, L"Msg: %02X", (ULONG)uMsg); + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Msg: %02X", (ULONG)uMsg); Log_Debug_Msg(mon_type, L"\\RPC Control\\spoolss", msg_str); } } diff --git a/Sandboxie/core/drv/key.c b/Sandboxie/core/drv/key.c index fc74ba89..ec7490ed 100644 --- a/Sandboxie/core/drv/key.c +++ b/Sandboxie/core/drv/key.c @@ -474,7 +474,7 @@ _FX NTSTATUS Key_MyParseProc_2(OBJ_PARSE_PROC_ARGS_2) if (!ShouldMonitorAccess) mon_type |= MONITOR_TRACE; - swprintf(access_str, L"(K%c) %08X", + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(K%c) %08X", letter, AccessState->OriginalDesiredAccess); Log_Debug_Msg(mon_type, access_str, Name->Name.Buffer); } diff --git a/Sandboxie/core/drv/log.c b/Sandboxie/core/drv/log.c index 5b80dc68..c7746663 100644 --- a/Sandboxie/core/drv/log.c +++ b/Sandboxie/core/drv/log.c @@ -317,9 +317,9 @@ _FX void Log_Status_Ex_Process( WCHAR str[100]; if (error_subcode) - swprintf(str, L"[%08X / %02X]", nt_status, error_subcode); + RtlStringCbPrintfW(str, sizeof(str), L"[%08X / %02X]", nt_status, error_subcode); else - swprintf(str, L"[%08X]", nt_status); + RtlStringCbPrintfW(str, sizeof(str), L"[%08X]", nt_status); Log_Msg_Process(error_code, str, string2, session_id, process_id); } diff --git a/Sandboxie/core/drv/my_winnt.h b/Sandboxie/core/drv/my_winnt.h index 1a68a9ad..c2f570ef 100644 --- a/Sandboxie/core/drv/my_winnt.h +++ b/Sandboxie/core/drv/my_winnt.h @@ -84,9 +84,7 @@ NTOS_API(ULONG) SeTokenImpersonationLevel( // Misc // ------------------------------------------------------------------ - -ULONG __cdecl sprintf(char *buffer, const char *format, ...); - +//ULONG __cdecl sprintf(char *buffer, const char *format, ...); //ULONG __cdecl swprintf(wchar_t *buffer, const wchar_t *format, ...); NTOS_NTSTATUS ZwYieldExecution(void); 
diff --git a/Sandboxie/core/drv/process.c b/Sandboxie/core/drv/process.c index 34ae96b7..571f553e 100644 --- a/Sandboxie/core/drv/process.c +++ b/Sandboxie/core/drv/process.c @@ -1054,7 +1054,8 @@ _FX void Process_NotifyProcess_Create( if (! bHostInject) { WCHAR msg[48], *buf = msg; - buf += swprintf(buf, L"%s%c%d", new_proc->box->name, L'\0', (ULONG)ParentId) + 1; + RtlStringCbPrintfW(buf, sizeof(msg), L"%s%c%d", new_proc->box->name, L'\0', (ULONG)ParentId); + buf += wcslen(buf) + 1; Log_Popup_MsgEx(MSG_1399, new_proc->image_path, wcslen(new_proc->image_path), msg, (ULONG)(buf - msg), new_proc->box->session_id, ProcessId); if (! add_process_to_job) diff --git a/Sandboxie/core/drv/process_util.c b/Sandboxie/core/drv/process_util.c index d3fb99bd..bbba04f2 100644 --- a/Sandboxie/core/drv/process_util.c +++ b/Sandboxie/core/drv/process_util.c @@ -972,7 +972,7 @@ _FX void Process_LogMessage(PROCESS *proc, ULONG msgid) BOX *box = proc->box; ULONG len = proc->image_name_len + box->name_len + 8 * sizeof(WCHAR); WCHAR *text = Mem_Alloc(proc->pool, len); - swprintf(text, L"%s [%s]", proc->image_name, box->name); + RtlStringCbPrintfW(text, len, L"%s [%s]", proc->image_name, box->name); if (proc->image_from_box) wcscat(text, L" *"); Log_MsgP1(msgid, text, proc->pid); diff --git a/Sandboxie/core/drv/syscall.c b/Sandboxie/core/drv/syscall.c index 8481153b..f332e139 100644 --- a/Sandboxie/core/drv/syscall.c +++ b/Sandboxie/core/drv/syscall.c @@ -253,6 +253,8 @@ _FX BOOLEAN Syscall_Init_List(void) for (name_len = 0; (name_len < 64) && name[name_len]; ++name_len) ; + //DbgPrint(" Found SysCall %s\n", name); + entry = NULL; // 
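Review bot: `buf += wcslen(buf) + 1;` does not reproduce what the old swprintf return value gave: the format deliberately embeds a NUL through `%c` with `L'\0'`, so wcslen stops after `box->name` and the `(ULONG)(buf - msg)` length handed to Log_Popup_MsgEx now excludes the ParentId string and its terminator. Either step over both strings, `buf += wcslen(buf) + 1; buf += wcslen(buf) + 1;`, or use the Ex variant, whose end pointer covers the whole formatted output: `RtlStringCbPrintfExW(msg, sizeof(msg), &buf, NULL, 0, L"%s%c%d", new_proc->box->name, L'\0', (ULONG)ParentId); buf += 1;`. Whether the MSG_1399 consumer relies on the second string cannot be seen here, but the length it receives has changed. Process_NotifyProcess_Create continues outside the hunk.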
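Review bot: In Process_LogMessage the trailing `wcscat(text, L" *")` is still unbounded right after the write was made bounded: if `RtlStringCbPrintfW(text, len, ...)` truncates (its status is discarded), `text` is already full and wcscat writes two WCHARs past `len`. Use the matching bounded call, `RtlStringCbCatW(text, len, L" *");`, and skip the log on a non-success status from either call instead of continuing. `Mem_Alloc` presumably can return NULL and `text` is used without a check; that predates this patch but the new line dereferences it as well. The function continues outside the hunk.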
@@ -857,7 +859,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) if (hConnection) { WCHAR trace_str[128]; - swprintf(trace_str, L"[syscall] %.*S, status = 0x%X, handle = %X; ", //59 chars + entry->name + RtlStringCbPrintfW(trace_str, sizeof(trace_str), L"[syscall] %.*S, status = 0x%X, handle = %X; ", //59 chars + entry->name max(strlen(entry->name), 64), entry->name, status, hConnection); const WCHAR* strings[3] = { trace_str, puStr ? puStr->Buffer : NULL, NULL }; @@ -870,7 +872,7 @@ _FX NTSTATUS Syscall_Api_Invoke(PROCESS *proc, ULONG64 *parms) if (!traced && ((proc->call_trace & TRACE_ALLOW) || ((status != STATUS_SUCCESS) && (proc->call_trace & TRACE_DENY)))) { WCHAR trace_str[128]; - swprintf(trace_str, L"[syscall] %.*S, status = 0x%X", //59 chars + entry->name + RtlStringCbPrintfW(trace_str, sizeof(trace_str), L"[syscall] %.*S, status = 0x%X", //59 chars + entry->name max(strlen(entry->name), 64), entry->name, status); const WCHAR* strings[2] = { trace_str, NULL }; diff --git a/Sandboxie/core/drv/syscall_64.c b/Sandboxie/core/drv/syscall_64.c index e87e1640..5fa08706 100644 --- a/Sandboxie/core/drv/syscall_64.c +++ b/Sandboxie/core/drv/syscall_64.c @@ -298,6 +298,8 @@ _FX void *Syscall_GetServiceTable(void) if (ShadowTable) return ShadowTable; + // Hard Offset Dependency + // // the shadow table should be 0x40 bytes before the master table, // on Windows XP (64-bit), diff --git a/Sandboxie/core/drv/syscall_open.c b/Sandboxie/core/drv/syscall_open.c index 8a1992bc..d096b5a5 100644 --- a/Sandboxie/core/drv/syscall_open.c +++ b/Sandboxie/core/drv/syscall_open.c 
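Review bot: The precision `max(strlen(entry->name), 64)` in the `%.*S` conversion bounds nothing: for a name longer than 64 it evaluates to the full length, and for a shorter one it exceeds the string, so the name is never clipped. The `//59 chars + entry->name` note against the 128-WCHAR `trace_str` reads as `min(strlen(entry->name), 64)`, and the same expression appears in the -870 hunk. With the bounded printf the stack overrun is gone, but a long syscall name now silently truncates the status and handle fields that follow it, whereas with `min` those fields always fit. Syscall_Api_Invoke continues outside the hunk.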
@@ -198,7 +198,7 @@ _FX NTSTATUS Syscall_CheckObject( puName = &Name->Name; WCHAR msg[256]; - swprintf(msg, L"%S (%08X) access=%08X initialized=%d", syscall_entry->name, status, HandleInfo->GrantedAccess, proc->initialized); + RtlStringCbPrintfW(msg, sizeof(msg), L"%S (%08X) access=%08X initialized=%d", syscall_entry->name, status, HandleInfo->GrantedAccess, proc->initialized); Log_Msg_Process(MSG_2101, msg, puName != NULL ? puName->Buffer : L"Unnamed object", -1, proc->pid); } @@ -270,7 +270,7 @@ _FX NTSTATUS Syscall_OpenHandle( || wcsncmp(&puName->Buffer[4], L"Volume", 6) == 0) // \??\Volume{2b985816-4b6f-11ea-bd33-48a4725d5bbe} { WCHAR access_str[24]; - swprintf(access_str, L"(DD) %08X", DesiredAccess); + RtlStringCbPrintfW(access_str, sizeof(access_str), L"(DD) %08X", DesiredAccess); Log_Debug_Msg(MONITOR_DRIVE | MONITOR_DENY, access_str, puName->Buffer); if (proc->file_warn_direct_access) { @@ -318,7 +318,7 @@ _FX NTSTATUS Syscall_OpenHandle( if (! NewHandle) { //WCHAR trace_str[128]; - //swprintf(trace_str, L"Syscall %.*S security violation terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name); + //RtlStringCbPrintfW(trace_str, sizeof(trace_str), L"Syscall %.*S security violation terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name); //Session_MonitorPut(MONITOR_OTHER, trace_str, PsGetCurrentProcessId()); Process_SetTerminated(proc, 6); @@ -385,7 +385,7 @@ _FX NTSTATUS Syscall_OpenHandle( if (!NT_SUCCESS(status)) { //WCHAR trace_str[128]; - //swprintf(trace_str, L"Syscall %.*S security violation, status = 0x%X, terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name, status); + //RtlStringCbPrintfW(trace_str, sizeof(trace_str), L"Syscall %.*S security violation, status = 0x%X, terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name, status); //Session_MonitorPut(MONITOR_OTHER, trace_str, PsGetCurrentProcessId()); Process_SetTerminated(proc, 7); 
@@ -478,7 +478,7 @@ _FX NTSTATUS Syscall_DuplicateHandle( if (! NewHandle) { //WCHAR trace_str[128]; - //swprintf(trace_str, L"Syscall %.*S security violation terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name); + //RtlStringCbPrintfW(trace_str, sizeof(trace_str), L"Syscall %.*S security violation terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name); //Session_MonitorPut(MONITOR_OTHER, trace_str, PsGetCurrentProcessId()); Process_SetTerminated(proc, 8); @@ -542,7 +542,7 @@ _FX NTSTATUS Syscall_DuplicateHandle( // } // // //WCHAR trace_str[128]; - // //swprintf(trace_str, L"Syscall %.*S security violation terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name); + // //RtlStringCbPrintfW(trace_str, sizeof(trace_str), L"Syscall %.*S security violation terminating process", max(strlen(syscall_entry->name), 64), syscall_entry->name); // //Session_MonitorPut(MONITOR_OTHER, trace_str, PsGetCurrentProcessId()); // // Process_SetTerminated(proc, 9); diff --git a/Sandboxie/core/drv/thread.c b/Sandboxie/core/drv/thread.c index cfe50ade..bbd77fa8 100644 --- a/Sandboxie/core/drv/thread.c +++ b/Sandboxie/core/drv/thread.c @@ -579,6 +579,8 @@ _FX NTSTATUS Thread_MyImpersonateClient( NTSTATUS status = PsImpersonateClient(ThreadObject, TokenObject, CopyOnOpen, EffectiveOnly, SecurityIdentification); + // Hard Offset Dependency + // ***** ImpersonationInfo_offset is the offset of ClientSecurity field in nt!ETHREAD structure ***** if (NT_SUCCESS(status) && TokenObject) { @@ -1074,7 +1076,7 @@ trace: Letter2 = 0; if (Letter2) { - swprintf(str, L"(%c%c) %08X %06d", + RtlStringCbPrintfW(str, sizeof(str), L"(%c%c) %08X %06d", Letter1, Letter2, GrantedAccess, (int)pid); Log_Debug_Msg(MONITOR_IPC | MONITOR_TRACE, str, Driver_Empty); } diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c index df2e0e09..7b4438ac 100644 --- a/Sandboxie/core/drv/token.c +++ b/Sandboxie/core/drv/token.c 
@@ -483,6 +483,15 @@ _FX void *Token_FilterPrimary(PROCESS *proc, void *ProcessObject) DropRights = (proc->drop_rights ? -1 : 0); + // + // special allowance for MSIServer - does not seam to be needed with the CreateWaitableTimerW hook + // + //if (DropRights && !proc->image_from_box && _wcsicmp(proc->image_name, L"msiexec.exe") == 0 + // && Conf_Get_Boolean(proc->box->name, L"MsiInstallerExemptions", 0, FALSE)) + //{ + // DropRights = 0; + //} + // DbgPrint(" Drop rights %d - %d <%S>\n", proc->drop_rights, proc->pid, proc->image_name); ReturnToken = Token_Filter( @@ -1238,7 +1247,19 @@ _FX void *Token_RestrictHelper1( PSID NewSid = NULL; - // SbieLogin BEGIN + // + // Alternative (less secure) workaround for msi issue started with windows 17763 + // the workaround in Proc_CreateProcessInternalW_RS5 makes solves thsi usse well + // + //if (!proc->image_from_box && _wcsicmp(proc->image_name, L"msiexec.exe") == 0 + // && RtlEqualSid(SidInToken, SystemLogonSid) + // && Conf_Get_Boolean(proc->box->name, L"MsiInstallerExemptions", 0, FALSE)) + //{ + // //DbgPrint("Sbie, MsiServer was allowed to keep its system token\n"); + //} + //else + + // SbieLogin BEGIN if (Conf_Get_Boolean(proc->box->name, L"SandboxieLogon", 0, FALSE)) { if (SandboxieLogonSid[0] != 0) @@ -1558,6 +1579,8 @@ _FX NTSTATUS Token_AssignPrimaryHandle( // on Windows Vista and later, we need to clear the PrimaryTokenFrozen // bit in the EPROCESS structure before we can replace the primary token + // Hard Offset Dependency + // dt nt!_eprocess if (Driver_OsVersion >= DRIVER_WINDOWS_VISTA) { @@ -1647,6 +1670,10 @@ _FX NTSTATUS Token_AssignPrimaryHandle( } + /*WCHAR msg[256]; + swprintf(msg, L"BAM: Flags2_Offset=%d MitigationFlags_Offset=%d SignatureLevel_Offset=%d\n", Flags2_Offset, MitigationFlags_Offset, SignatureLevel_Offset); + Session_MonitorPut(MONITOR_OTHER, msg, PsGetCurrentProcessId());*/ + #endif _WIN64 PtrPrimaryTokenFrozen = (ULONG *)((UCHAR *)ProcessObject + Flags2_Offset);
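Review bot: The "Alternative (less secure) workaround" block added before `// SbieLogin BEGIN` in Token_RestrictHelper1 is commented-out code in the token-restriction path; a dormant branch that would let a process keep its system token based on an image name is exactly the kind of code that gets un-commented later, so either delete it and point to the live fix in one line (`// MSI system-token issue since build 17763 is handled in Proc_CreateProcessInternalW_RS5`) or fence it with `#if 0` plus the issue number so the compiler and grep can see it. The explanatory comment also needs its wording fixed: `// the workaround in Proc_CreateProcessInternalW_RS5 solves this issue well`. The MsiInstallerExemptions block in the -483 hunk has the same shape (`does not seem to be needed`). The function continues outside the hunk.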