1.0.6

CHANGELOG.md

@@ -14,11 +14,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 - "UseSbieWndStation=y" is now the default behavioure [#1442](https://github.com/sandboxie-plus/Sandboxie/issues/1442)
+- disabled Win32k hooking when HVCI is enabled due to an incompatybility (BSOD)
 
 ### Fixed
 - fixed box initialization issue in privacy mode [#1469](https://github.com/sandboxie-plus/Sandboxie/issues/1469)
 - fixed issue creating shortcuts introduced in a recent build [#1471](https://github.com/sandboxie-plus/Sandboxie/issues/1471)
-
+- fixed access issues in privacy enhanced boxes
 
 
 

Sandboxie/core/dll/Win32.c

@@ -390,13 +390,11 @@ finish:
 _FX BOOLEAN Win32_Init(HMODULE hmodule)
 {
 	// In Windows 10 all Win32k.sys calls are located in win32u.dll
-    if (Dll_OsBuild < 10041 || !SbieApi_QueryConfBool(NULL, L"EnableWin32kHooks", TRUE))
-        return TRUE; // just return on older builds
+    if (Dll_OsBuild < 10041 || (Dll_ProcessFlags & SBIE_FLAG_WIN32K_HOOKABLE) == 0)
+        return TRUE; // just return on older builds, or not enabled
 
-    // NoSysCallHooks BEGIN
-    if ((Dll_ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0 || SbieApi_QueryConfBool(NULL, L"NoSysCallHooks", FALSE))
+    if ((Dll_ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0 || SbieApi_data->flags.bNoSysHooks)
         return TRUE;
-    // NoSysCallHooks END
 
     // disable Electron Workaround when we are ready to hook the required win32k syscalls
     extern BOOL Dll_ElectronWorkaround;

Sandboxie/core/dll/custom.c

@@ -72,7 +72,11 @@ _FX BOOLEAN CustomizeSandbox(void)
     // customize sandbox if we need to
     //
 
+    if ((Dll_ProcessFlags & SBIE_FLAG_PRIVACY_MODE) != 0) {
+
         Key_CreateBaseKeys();
+        Key_CreateBaseFolders();
+    }
 
     if (GetSetCustomLevel(0) != '2') {
 

Sandboxie/core/dll/dll.h

@@ -501,6 +501,7 @@ void Key_DeleteValueFromCLSID(
     const WCHAR *Xxxid, const WCHAR *Guid, const WCHAR *ValueName);
 
 void Key_CreateBaseKeys();
+void Key_CreateBaseFolders();
 
 //---------------------------------------------------------------------------
 // Functions (sxs)

Sandboxie/core/dll/dllpath.c

@@ -284,6 +284,12 @@ _FX void SbieDll_GetReadablePaths(WCHAR path_code, const WCHAR *path, LIST **lis
         lists[2] = &Dll_PathListAnchor->read_key_path;
         lists[3] = NULL;
 
+    } else if (path_code == L'i') {
+
+        lists[0] = &Dll_PathListAnchor->normal_ipc_path;
+        lists[1] = &Dll_PathListAnchor->open_ipc_path;
+        lists[2] = NULL;
+
     }
 }
 
@@ -512,7 +518,7 @@ _FX ULONG SbieDll_MatchPath2(WCHAR path_code, const WCHAR *path, BOOLEAN bCheckO
     int match_len;
     ULONG level;
 
-    BOOLEAN use_rule_specificity = (path_code == L'f' || path_code == L'k') && (Dll_ProcessFlags & SBIE_FLAG_RULE_SPECIFICITY) != 0;
+    BOOLEAN use_rule_specificity = (path_code == L'f' || path_code == L'k' || path_code == L'i') && (Dll_ProcessFlags & SBIE_FLAG_RULE_SPECIFICITY) != 0;
 
     //
     // set default behavioure 
@@ -520,13 +526,13 @@ _FX ULONG SbieDll_MatchPath2(WCHAR path_code, const WCHAR *path, BOOLEAN bCheckO
 
     level = 3; // 3 - global default - lower is better, 3 is max value
     match_len = 0;
-    if ((path_code != L'f' && path_code != L'k') || (Dll_ProcessFlags & SBIE_FLAG_PRIVACY_MODE) == 0) {
+    if ((path_code == L'f' || path_code == L'k' || path_code == L'i') && (Dll_ProcessFlags & SBIE_FLAG_PRIVACY_MODE) != 0) {
 
-        mp_flags = 0; // normal mode
+        mp_flags = PATH_WRITE_FLAG; // write path mode
     }
     else {
 
-        mp_flags = PATH_WRITE_FLAG; // write path mode
+        mp_flags = 0; // normal mode
     }
 
     //

Sandboxie/core/dll/file.c

@@ -341,6 +341,9 @@ static void *File_Wow64DisableWow64FsRedirection = NULL;
 static void *File_Wow64RevertWow64FsRedirection = NULL;
 #endif WOW64_FS_REDIR
 
+static WCHAR *File_SysVolume = NULL;
+static ULONG File_SysVolumeLen = 0;
+
 static WCHAR *File_AllUsers = NULL;
 static ULONG File_AllUsersLen = 0;
 

Sandboxie/core/dll/file_dir.c

@@ -4108,3 +4108,23 @@ _FX void File_UnScrambleShortName(WCHAR* ShortName, ULONG ScramKey)
 	if (ShortName[ShortNameLength - 1] == L'.')
 		ShortName[ShortNameLength-- - 1] = 0;
 }
+
+
+//---------------------------------------------------------------------------
+// Key_CreateBaseFolders
+//---------------------------------------------------------------------------
+
+
+_FX void Key_CreateBaseFolders()
+{
+    //
+    // in privacy mode we need to pre create some folders or else programs may fail
+    //
+
+    File_CreateBoxedPath(File_SysVolume);
+
+    if (SbieApi_QueryConfBool(NULL, L"SeparateUserFolders", TRUE)) {
+        File_CreateBoxedPath(File_AllUsers);
+        File_CreateBoxedPath(File_CurrentUser);
+    }
+}

Sandboxie/core/dll/file_init.c

@@ -297,6 +297,9 @@ _FX void File_InitPathList(void)
     UNICODE_STRING objname;
     IO_STATUS_BLOCK MyIoStatusBlock;
     HANDLE handle;
+    WCHAR *buf, *ptr;
+
+    // why do we do that?
 
     RtlInitUnicodeString(&objname, L"\\SystemRoot");
     InitializeObjectAttributes(
@@ -304,6 +307,26 @@ _FX void File_InitPathList(void)
     handle = 0;
     NtOpenFile(&handle, FILE_READ_DATA, &objattrs,
                &MyIoStatusBlock, FILE_SHARE_VALID_FLAGS, 0);
+
+    // since we do that for some reason lets use it to get the system volume 
+
+    const ULONG PATH_BUF_LEN = 1024;
+    buf = Dll_AllocTemp(PATH_BUF_LEN);
+
+    if (NT_SUCCESS(File_GetFileName(handle, PATH_BUF_LEN, buf)) && (ptr = wcsrchr(buf, L'\\')) != NULL) 
+        ptr[1] = L'\0'; // strip the folder name
+    else // fallback
+        wcscpy(buf, L"\\??\\C:\\");
+
+    File_SysVolumeLen = wcslen(buf);
+    File_SysVolume =
+        Dll_Alloc((File_SysVolumeLen + 1) * sizeof(WCHAR));
+    wcscpy(File_SysVolume, buf);
+
+    Dll_Free(buf);
+
+    //
+
     if (handle)
         NtClose(handle);
 

Sandboxie/core/drv/api_flags.h

@@ -97,7 +97,8 @@
 //#define SBIE_FLAG_BLOCK_FAKE_INPUT    0x00001000
 #define SBIE_FLAG_OPEN_ALL_WIN_CLASS    0x00002000
 //#define SBIE_FLAG_BLOCK_SYS_PARAM     0x00004000
-									  //0x00008000
+#define SBIE_FLAG_WIN32K_HOOKABLE		0x00008000
+
 									  //0x00010000
 									  //0x00020000
 									  //0x00040000
@@ -106,6 +107,7 @@
 									  //0x00200000
 									  //0x00400000
 									  //0x00800000
+
 #define SBIE_FLAG_APP_COMPARTMENT		0x01000000
 #define SBIE_FLAG_PRIVACY_MODE			0x02000000
 #define SBIE_FLAG_RULE_SPECIFICITY		0x04000000

Sandboxie/core/drv/driver.c

@@ -764,18 +764,17 @@ _FX NTSTATUS Driver_Api_Unload(PROCESS *proc, ULONG64 *parms)
 
 
 //---------------------------------------------------------------------------
-// Driver_CheckThirdParty
+// Driver_GetRegDword
 //---------------------------------------------------------------------------
 
 
-_FX BOOLEAN Driver_CheckThirdParty(
-    const WCHAR *DriverName, ULONG DriverType)
+_FX ULONG Driver_GetRegDword(
+    const WCHAR *KeyPath, const WCHAR *ValueName)
 {
     NTSTATUS status;
     RTL_QUERY_REGISTRY_TABLE qrt[2];
     UNICODE_STRING uni;
     ULONG value;
-    BOOLEAN IsInstalled = FALSE;
 
     value = -1;
 
@@ -787,14 +786,15 @@ _FX BOOLEAN Driver_CheckThirdParty(
     qrt[0].Flags =  RTL_QUERY_REGISTRY_REQUIRED |
                     RTL_QUERY_REGISTRY_DIRECT |
                     RTL_QUERY_REGISTRY_NOEXPAND;
-    qrt[0].Name = (WCHAR *)L"Type";
+    qrt[0].Name = (WCHAR *)ValueName;
     qrt[0].EntryContext = &uni;
     qrt[0].DefaultType = REG_NONE;
 
     status = RtlQueryRegistryValues(
-        RTL_REGISTRY_SERVICES, DriverName, qrt, NULL, NULL);
+        RTL_REGISTRY_ABSOLUTE, KeyPath, qrt, NULL, NULL);
 
-    if (status == STATUS_SUCCESS) {
+    if (status != STATUS_SUCCESS)
+        return 0;
 
     if (value == -1) {
 
@@ -806,9 +806,5 @@ _FX BOOLEAN Driver_CheckThirdParty(
         value = *(ULONG *)&uni;
     }
 
-        if (value == DriverType)
-            IsInstalled = TRUE;
-    }
-
-    return IsInstalled;
+    return value;
 }

Sandboxie/core/drv/driver.h

@@ -104,7 +104,8 @@ extern P_NtSetInformationToken          ZwSetInformationToken;
 
 NTSTATUS Driver_Api_Unload(PROCESS *proc, ULONG64 *parms);
 
-BOOLEAN Driver_CheckThirdParty(const WCHAR *DriverName, ULONG DriverType);
+ULONG Driver_GetRegDword(
+    const WCHAR *KeyPath, const WCHAR *ValueName);
 
 
 //---------------------------------------------------------------------------

Sandboxie/core/drv/key_xp.c

@@ -176,11 +176,10 @@ _FX BOOLEAN Key_Init_XpHook(void)
         return FALSE;
     Key_ParseHooked = TRUE;
 
-    if (Driver_CheckThirdParty(L"klif", SERVICE_KERNEL_DRIVER))
+    if (Driver_GetRegDword(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" L"klif", L"Type") == SERVICE_KERNEL_DRIVER)
         Key_HookWaitForSingleObject();
 
-    if (Driver_CheckThirdParty(L"SAVOnAccessControl",
-                                            SERVICE_FILE_SYSTEM_DRIVER))
+    if (Driver_GetRegDword(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" L"SAVOnAccessControl", L"Type") == SERVICE_FILE_SYSTEM_DRIVER)
         Key_NeverUnmountHives = TRUE;
 
     return TRUE;

Sandboxie/core/drv/process_api.c

@@ -380,11 +380,14 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
 
                 if (proc->open_all_win_classes)
                     flags |= SBIE_FLAG_OPEN_ALL_WIN_CLASS;
+                extern ULONG Syscall_MaxIndex32;
+                if (Syscall_MaxIndex32 != 0)
+                    flags |= SBIE_FLAG_WIN32K_HOOKABLE;
 
-                //if (proc->use_rule_specificity)
-                //    flags |= SBIE_FLAG_RULE_SPECIFICITY;
-                //if (proc->use_privacy_mode)
-                //    flags |= SBIE_FLAG_PRIVACY_MODE;
+                if (proc->use_rule_specificity)
+                    flags |= SBIE_FLAG_RULE_SPECIFICITY;
+                if (proc->use_privacy_mode)
+                    flags |= SBIE_FLAG_PRIVACY_MODE;
                 if (proc->bAppCompartment)
                     flags |= SBIE_FLAG_APP_COMPARTMENT;
             }

Sandboxie/core/drv/syscall.c

@@ -221,8 +221,24 @@ _FX BOOLEAN Syscall_Init(void)
         return FALSE;
 
 #ifdef HOOK_WIN32K
-    // must be windows 10 or later // Don't use experimental features by default
-    if (Driver_OsBuild >= 10041 && Conf_Get_Boolean(NULL, L"EnableWin32kHooks", 0, TRUE)) {
+
+    //
+    // Win32k Hooking requirers 10 or later as only thre Win32u.dll is available
+    //
+    // Note: Win32k Hooking is not compatible with HVCI causing a BSOD
+    //  KERNEL_SECURITY_CHECK_FAILURE (139)
+    //      A kernel component has corrupted a critical data structure.  
+    //      Arguments:
+    //      Arg1: 0000000000000000, A stack-based buffer has been overrun.
+    //      Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
+    //      Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
+    //      Arg4: ffffxxxxxxxxxxxx, Reserved
+    // 
+    // Note: this feature applied to GdiDdDDI* solves HW Acceleration issues with chromium, hence we enable it if possible
+    // 
+
+    if (Driver_OsBuild >= 10041 && Conf_Get_Boolean(NULL, L"EnableWin32kHooks", 0, TRUE)
+        && Driver_GetRegDword(L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity", L"Enabled") == 0) {
 
         if (!Syscall_Init_List32())
             return FALSE;
@@ -1034,10 +1050,10 @@ _FX NTSTATUS Syscall_Api_Query(PROCESS *proc, ULONG64 *parms)
     SYSCALL_ENTRY *entry;
 
 #ifdef HOOK_WIN32K
-    if (parms[2] == 1) { // win32k
+    if (parms[2] == 1) { // 1 - win32k
         return Syscall_Api_Query32(proc, parms);
     }
-    else if (parms[2] != 0) { // ntoskrnl
+    else if (parms[2] != 0) { // 0 - ntoskrnl
         return STATUS_INVALID_PARAMETER;
     }
 #endif

Sandboxie/core/drv/syscall_win32.c

@@ -601,6 +601,9 @@ _FX NTSTATUS Syscall_Api_Query32(PROCESS *proc, ULONG64 *parms)
     ULONG *ptr;
     SYSCALL_ENTRY *entry;
 
+    if (Syscall_MaxIndex32 == 0)
+        return STATUS_NOT_IMPLEMENTED;
+
     BOOLEAN add_names = parms[3] != 0;
 
     //