diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8cf876c..12f61283 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,57 +6,79 @@ This project adheres to [Semantic Versioning](http://semver.org/).
-# [1.1.0 / 5.56.0] - 2022-01-06
+## [1.1.0 / 5.56.0] - 2022-01-??
### Added
- added support for NtRenameKey (this requires UseRegDeleteV2=y) [#205](https://github.com/sandboxie-plus/Sandboxie/issues/205)
+- FIXED SECURITY ISSUE: memory of unsandboxed processes can no longer be read, except for exceptions
+- added ReadIpcPath to enable more flexibility in IPC usage
+
### Changed
- reworked the mechanism sandboxie uses to mark host files as deleted
-- the new behavioure creates a data file in the box root FilePaths.dat instead of creating dummy files
-- it can be enabled with UseFileDeleteV2=y sane for the registry UseRegDeleteV2=y using RegPaths.dat
- disabled a couple driver based workarounds for boxes in compartment mode as then thay should not be required
-
+- removed "AlwaysUseWin32kHooks", now these win32 hooks are always enabled
+-- note: you can use "UseWin32kHooks=program.exe,n" to disable them for sellected programs
+- EnableObjectFiltering is now set enabled by default, and replaces sbies old process/thread handle filter
### Fixed
- fixed folder rename issues (this requires UseFileDeleteV2=y) [#71](https://github.com/sandboxie-plus/Sandboxie/issues/71)
+- fixed issue with process access [#1603](https://github.com/sandboxie-plus/Sandboxie/issues/1603)
-
-# [1.0.10 / 5.55.10] - 2022-01-06
+## [1.0.11 / 5.55.11] - 2022-02-14
### Added
-- added option to show only boxes in tray with runnign processes [#1186](https://github.com/sandboxie-plus/Sandboxie/issues/1186)
--- additional option show only pinned bixes, in box options a bix can be set to be always shown in theay list (Pinned)
-- added options menu command to reset the GUI [#1589](https://github.com/sandboxie-plus/Sandboxie/issues/1589)
-- added 'Run Un-Sandboxed' context menu option
-- added new trigger "OnBoxDelete" that allows to specify a command that is run UNBOXED just before the box content gets deleted
--- note: this can be used as a replacemetn to the DeleteCommand [#591](https://github.com/sandboxie-plus/Sandboxie/issues/591)
-- sellected box operations (deletion) no longer show the progress dialog [1061](https://github.com/sandboxie-plus/Sandboxie/issues/1061)
--- instead a box with a running operation show a blinking hour glass icon, the context menu can be used to cancel the operation
+- added optional tray notification when a box content gets auto deleted
+- added FreeDownloadManager template
+- added warnign when opening unsandboxed regedit [#1606](https://github.com/sandboxie-plus/Sandboxie/issues/1606)
### Changed
-- HideHostProcess=program.exe can now be used to hide sandboxie services [#1336](https://github.com/sandboxie-plus/Sandboxie/issues/1336)
+- the asynchroniouse box operations introduced in the last build are due to a pupular request now disabled by default
+- moved sys tray options from general to shell integration tab
+
+### Fixed
+- fixed compatybility issue with SECUROM [#1597](https://github.com/sandboxie-plus/Sandboxie/issues/1597)
+- fixed modality issue [#1615](https://github.com/sandboxie-plus/Sandboxie/issues/1615)
+
+
+
+## [1.0.10 / 5.55.10] - 2022-02-06
+
+### Added
+- added option to show only boxes in tray with running processes [#1186](https://github.com/sandboxie-plus/Sandboxie/issues/1186)
+-- additional option shows only pinned boxes, in box options a box can be set to be always shown in tray list (Pinned)
+- added Options menu command to reset the GUI [#1589](https://github.com/sandboxie-plus/Sandboxie/issues/1589)
+- added `Run Un-Sandboxed` context menu option
+- added new trigger `OnBoxDelete` that allows to specify a command that is run UNBOXED just before the box content gets deleted
+-- note: this can be used as a replacement to `DeleteCommand` [#591](https://github.com/sandboxie-plus/Sandboxie/issues/591)
+- selected box operations (deletion) no longer show the progress dialog [#1061](https://github.com/sandboxie-plus/Sandboxie/issues/1061)
+-- if a box with a running operation shows a blinking hour glass icon, the context menu can be used to cancel the operation
+
+### Changed
+- `HideHostProcess=program.exe` can now be used to hide sandboxie services [#1336](https://github.com/sandboxie-plus/Sandboxie/issues/1336)
- updater blocking is now done using a template called BlockSoftwareUpdaters
-- enchanced "StartProgram=..." making "StartCommand=..." obsolete
--- for same functionality as "StartCommand=..." use "StartProgram=%SbieHome%\Start.exe ..."
-- merged "Auto Start" General tab with the "Auto Exec" Advanced tab into a universal"Triggers" Advanced tab
+- enhanced `StartProgram=...` makes `StartCommand=...` obsolete
+-- for same functionality as `StartCommand=...`, use `StartProgram=%SbieHome%\Start.exe ...`
+- merged `Auto Start` General tab with the `Auto Exec` Advanced tab into a universal `Triggers` Advanced tab
### Fixed
- fixed a couple issues with the new breakout process feature and improved security (thanks Diversenok)
-- fixed issues with re opening already open windows [#1584](https://github.com/sandboxie-plus/Sandboxie/issues/1584)
+- fixed issues with re-opening windows already open [#1584](https://github.com/sandboxie-plus/Sandboxie/issues/1584)
- fixed issue with desktop access [#1588](https://github.com/sandboxie-plus/Sandboxie/issues/1588)
-- fixed issue handling commandline invokation [#1133](https://github.com/sandboxie-plus/Sandboxie/issues/1133)
-- fixed ui issue with main window state when switching always on top attribute [#1169](https://github.com/sandboxie-plus/Sandboxie/issues/1169)
+- fixed issue about command line invocation handling [#1133](https://github.com/sandboxie-plus/Sandboxie/issues/1133)
+- fixed UI issue with main window state when switching always on top attribute [#1169](https://github.com/sandboxie-plus/Sandboxie/issues/1169)
- fixed issue with box context menu in tray list [1106](https://github.com/sandboxie-plus/Sandboxie/issues/1106)
-- fixed issue with "AutoExec=..."
-- fixed issues canceling box deletion operations didn't working [1061](https://github.com/sandboxie-plus/Sandboxie/issues/1061)
+- fixed issue with `AutoExec=...`
+- fixed issues where canceling box deletion operations didn't work [#1061](https://github.com/sandboxie-plus/Sandboxie/issues/1061)
- fixed issue with DPI scalling and color picker dialog [#803](https://github.com/sandboxie-plus/Sandboxie/issues/803)
### Removed
-- removed UseRpcMgmtSetComTimeout=AppXDeploymentClient.dll,y used for free download manager as it broke other things
--- when using free download manager ad the line manually to your sandboxie.ini
+- removed `UseRpcMgmtSetComTimeout=AppXDeploymentClient.dll,y` used for Free Download Manager as it broke other things
+-- only if you use Free Download Manager together with the setting `RpcMgmtSetComTimeout=n` in a sandbox, you have to add the line manually to your Sandboxie.ini
diff --git a/Sandboxie/common/pool.c b/Sandboxie/common/pool.c
index c0e523bf..7551ed42 100644
--- a/Sandboxie/common/pool.c
+++ b/Sandboxie/common/pool.c
@@ -373,7 +373,7 @@ static const WCHAR *Pool_large_chunks_lock_Name = L"PoolLockL";
ALIGNED void *Pool_Alloc_Mem(ULONG size, ULONG tag)
{
- void *ptr;
+ void *ptr = NULL;
Pool_Timing(NULL);
@@ -382,7 +382,9 @@ ALIGNED void *Pool_Alloc_Mem(ULONG size, ULONG tag)
#ifdef KERNEL_MODE
ptr = ExAllocatePoolWithTag(PagedPool, size, tag);
#else
- ptr = VirtualAlloc(0, size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
+ //ptr = VirtualAlloc(0, size, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
+ ULONG_PTR RegionSize = size;
+ NtAllocateVirtualMemory(NtCurrentProcess(), &ptr, 0, &RegionSize, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
((UCHAR)tag == 0xFF ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE));
#endif
// printf("Allocated %d bytes at %08X\n", size, ptr);
diff --git a/Sandboxie/common/wow64ext/CMemPtr.h b/Sandboxie/common/wow64ext/CMemPtr.h
index fc7252fe..01502b59 100644
--- a/Sandboxie/common/wow64ext/CMemPtr.h
+++ b/Sandboxie/common/wow64ext/CMemPtr.h
@@ -34,14 +34,21 @@ public:
{
if (*m_ptr && watchActive)
{
- free(*m_ptr);
+ HeapFree(GetProcessHeap(), 0, *m_ptr);
*m_ptr = 0;
}
}
+ static void* Alloc(size_t size) {
+ return HeapAlloc(GetProcessHeap(), 0, size);
+ }
+
void disableWatch() { watchActive = false; }
};
+#define NEW(size) \
+ CMemPtr::Alloc(size)
+
#define WATCH(ptr) \
CMemPtr watch_##ptr((void**)&ptr)
diff --git a/Sandboxie/common/wow64ext/wow64ext.cpp b/Sandboxie/common/wow64ext/wow64ext.cpp
index a524b1d8..91cbd0c7 100644
--- a/Sandboxie/common/wow64ext/wow64ext.cpp
+++ b/Sandboxie/common/wow64ext/wow64ext.cpp
@@ -37,17 +37,6 @@
//HANDLE g_heap;
BOOL g_isWow64 = TRUE;
-void* malloc(size_t size)
-{
- return HeapAlloc(GetProcessHeap(), 0, size);
-}
-
-void free(void* ptr)
-{
- if (nullptr != ptr)
- HeapFree(GetProcessHeap(), 0, ptr);
-}
-
#include "CMemPtr.h"
/*int _wcsicmp(const wchar_t *string1, const wchar_t *string2)
@@ -329,7 +318,7 @@ extern "C" DWORD64 __cdecl GetModuleHandle64(const wchar_t* lpModuleName)
{
getMem64(&head, head.InLoadOrderLinks.Flink, sizeof(LDR_DATA_TABLE_ENTRY64));
- wchar_t* tempBuf = (wchar_t*)malloc(head.BaseDllName.MaximumLength);
+ wchar_t* tempBuf = (wchar_t*)NEW(head.BaseDllName.MaximumLength);
if (nullptr == tempBuf)
return 0;
WATCH(tempBuf);
@@ -373,19 +362,19 @@ DWORD64 getLdrGetProcedureAddress()
IMAGE_EXPORT_DIRECTORY ied;
getMem64(&ied, modBase + idd.VirtualAddress, sizeof(ied));
- DWORD* rvaTable = (DWORD*)malloc(sizeof(DWORD)*ied.NumberOfFunctions);
+ DWORD* rvaTable = (DWORD*)NEW(sizeof(DWORD)*ied.NumberOfFunctions);
if (nullptr == rvaTable)
return 0;
WATCH(rvaTable);
getMem64(rvaTable, modBase + ied.AddressOfFunctions, sizeof(DWORD)*ied.NumberOfFunctions);
- WORD* ordTable = (WORD*)malloc(sizeof(WORD)*ied.NumberOfFunctions);
+ WORD* ordTable = (WORD*)NEW(sizeof(WORD)*ied.NumberOfFunctions);
if (nullptr == ordTable)
return 0;
WATCH(ordTable);
getMem64(ordTable, modBase + ied.AddressOfNameOrdinals, sizeof(WORD)*ied.NumberOfFunctions);
- DWORD* nameTable = (DWORD*)malloc(sizeof(DWORD)*ied.NumberOfNames);
+ DWORD* nameTable = (DWORD*)NEW(sizeof(DWORD)*ied.NumberOfNames);
if (nullptr == nameTable)
return 0;
WATCH(nameTable);
diff --git a/Sandboxie/core/dll/Win32.c b/Sandboxie/core/dll/Win32.c
index ff2438e2..40762e12 100644
--- a/Sandboxie/core/dll/Win32.c
+++ b/Sandboxie/core/dll/Win32.c
@@ -393,21 +393,20 @@ _FX BOOLEAN Win32_Init(HMODULE hmodule)
if (Dll_OsBuild < 10041 || (Dll_ProcessFlags & SBIE_FLAG_WIN32K_HOOKABLE) == 0 || !SbieApi_QueryConfBool(NULL, L"EnableWin32kHooks", TRUE))
return TRUE; // just return on older builds, or not enabled
- if (Dll_CompartmentMode || SbieApi_data->flags.bNoSysHooks)
- return TRUE;
-
// disable Electron Workaround when we are ready to hook the required win32k syscalls
extern BOOL Dll_ElectronWorkaround;
Dll_ElectronWorkaround = FALSE;
+ if (Dll_CompartmentMode || SbieApi_data->flags.bNoSysHooks)
+ return TRUE;
+
//
// chrome needs for a working GPU acceleration the GdiDdDDI* win32k syscalls to have the right user token
//
WCHAR* cmdline = GetCommandLine();
- if ((wcsstr(cmdline, L"--type=gpu-process") != NULL && wcsstr(cmdline, L"--gpu-preferences=") != NULL)
- || SbieDll_GetSettingsForName_bool(NULL, Dll_ImageName, L"AlwaysUseWin32kHooks", FALSE)) {
+ if (SbieDll_GetSettingsForName_bool(NULL, Dll_ImageName, L"UseWin32kHooks", TRUE)) {
#ifndef _WIN64
if (Dll_IsWow64)
diff --git a/Sandboxie/core/dll/debug.c b/Sandboxie/core/dll/debug.c
index 2c0ed036..88eef85a 100644
--- a/Sandboxie/core/dll/debug.c
+++ b/Sandboxie/core/dll/debug.c
@@ -407,15 +407,13 @@ void DbgPrint(const char* format, ...)
va_list va_args;
va_start(va_args, format);
- char *tmp1 = Dll_AllocTemp(510);
+ char tmp1[510];
extern int(*P_vsnprintf)(char *_Buffer, size_t Count, const char * const, va_list Args);
P_vsnprintf(tmp1, 510, format, va_args);
OutputDebugStringA(tmp1);
- Dll_Free(tmp1);
-
va_end(va_args);
}
@@ -431,18 +429,16 @@ void DbgTrace(const char* format, ...)
va_list va_args;
va_start(va_args, format);
- char *tmp1 = Dll_AllocTemp(510);
+ char tmp1[510];
+ WCHAR tmp2[510];
extern int(*P_vsnprintf)(char *_Buffer, size_t Count, const char * const, va_list Args);
P_vsnprintf(tmp1, 510, format, va_args);
- WCHAR *tmp2 = Dll_AllocTemp(510*sizeof(WCHAR));
Sbie_snwprintf((WCHAR *)tmp2, 510, L"%S", tmp1);
SbieApi_MonitorPut2(MONITOR_OTHER | MONITOR_TRACE, tmp2, FALSE);
- Dll_Free(tmp1);
-
va_end(va_args);
}
diff --git a/Sandboxie/core/drv/conf.c b/Sandboxie/core/drv/conf.c
index cbba439a..aa9e6749 100644
--- a/Sandboxie/core/drv/conf.c
+++ b/Sandboxie/core/drv/conf.c
@@ -1458,8 +1458,7 @@ _FX NTSTATUS Conf_Api_Reload(PROCESS *proc, ULONG64 *parms)
}
}
- BOOLEAN obj_filter_enabled = Conf_Get_Boolean(NULL, L"EnableObjectFiltering", 0, FALSE);
- extern BOOLEAN Obj_CallbackInstalled;
+ BOOLEAN obj_filter_enabled = Conf_Get_Boolean(NULL, L"EnableObjectFiltering", 0, TRUE);
if (Obj_CallbackInstalled != obj_filter_enabled && Driver_OsVersion > DRIVER_WINDOWS_VISTA) {
if (obj_filter_enabled) {
Obj_Load_Filter();
diff --git a/Sandboxie/core/drv/file.c b/Sandboxie/core/drv/file.c
index 699f7fc1..684d4fa9 100644
--- a/Sandboxie/core/drv/file.c
+++ b/Sandboxie/core/drv/file.c
@@ -671,21 +671,18 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
//
ok = Process_GetPaths(proc, normal_file_paths, _NormalPath, TRUE);
+
+ if (ok && proc->use_privacy_mode) {
+ for (i = 0; normalpaths[i] && ok; ++i) {
+ ok = Process_AddPath(
+ proc, normal_file_paths, NULL, TRUE, normalpaths[i], FALSE);
+ }
+ }
+
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
return FALSE;
}
-
- if (proc->use_privacy_mode) {
- for (i = 0; normalpaths[i] && ok; ++i) {
- ok = Process_AddPath(proc, normal_file_paths, _NormalPath, TRUE, normalpaths[i], FALSE);
- }
-
- if (!ok) {
- Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
- return FALSE;
- }
- }
#endif
//
diff --git a/Sandboxie/core/drv/gui_xp.c b/Sandboxie/core/drv/gui_xp.c
index 1e07e19f..31fcc0b5 100644
--- a/Sandboxie/core/drv/gui_xp.c
+++ b/Sandboxie/core/drv/gui_xp.c
@@ -1311,9 +1311,11 @@ _FX ULONG_PTR Gui_NtUserPostThreadMessage(
status = STATUS_SUCCESS;
else {
status = Gui_CheckBoxedThread(proc, idThread, &idProcess);
- if (status == STATUS_ACCESS_DENIED)
- status = Process_CheckProcessName(
- proc, &proc->open_win_classes, idProcess, NULL);
+ if (status == STATUS_ACCESS_DENIED) {
+ if (Process_CheckProcessName(
+ proc, &proc->open_win_classes, idProcess, NULL))
+ status = STATUS_SUCCESS;
+ }
}
if (Session_MonitorCount && !proc->disable_monitor) {
diff --git a/Sandboxie/core/drv/ipc.c b/Sandboxie/core/drv/ipc.c
index 1a769d96..1a30f587 100644
--- a/Sandboxie/core/drv/ipc.c
+++ b/Sandboxie/core/drv/ipc.c
@@ -157,8 +157,7 @@ _FX BOOLEAN Ipc_Init(void)
if (Driver_OsVersion > DRIVER_WINDOWS_VISTA) {
- // Don't use experimental features by default
- if (Conf_Get_Boolean(NULL, L"EnableObjectFiltering", 0, FALSE)) {
+ if (Conf_Get_Boolean(NULL, L"EnableObjectFiltering", 0, TRUE)) {
if (!Obj_Load_Filter())
return FALSE;
@@ -381,6 +380,7 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
#endif
static const WCHAR* _OpenPath = L"OpenIpcPath";
static const WCHAR* _ClosedPath = L"ClosedIpcPath";
+ static const WCHAR* _ReadPath = L"ReadIpcPath";
static const WCHAR* openpaths[] = {
L"\\Windows\\ApiPort",
L"\\Sessions\\*\\Windows\\ApiPort",
@@ -576,6 +576,10 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
// NULL
//};
#endif
+ static const WCHAR *readpaths[] = {
+ L"$:explorer.exe",
+ NULL
+ };
ULONG i;
BOOLEAN ok;
@@ -586,21 +590,19 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
#ifdef USE_MATCH_PATH_EX
ok = Process_GetPaths(proc, &proc->normal_ipc_paths, _NormalPath, FALSE);
+
+ //if (ok && proc->use_privacy_mode) {
+ //
+ // for (i = 0; normalpaths[i] && ok; ++i) {
+ // ok = Process_AddPath(proc, &proc->normal_ipc_paths, NULL,
+ // TRUE, normalpaths[i], FALSE);
+ // }
+ //}
+
if (!ok) {
Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
return FALSE;
}
-
- //if (proc->use_privacy_mode) {
- // for (i = 0; normalpaths[i] && ok; ++i) {
- // ok = Process_AddPath(proc, &proc->normal_ipc_paths, _NormalPath, TRUE, normalpaths[i], FALSE);
- // }
- //
- // if (! ok) {
- // Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
- // return FALSE;
- // }
- //}
#endif
//
@@ -696,6 +698,29 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
return FALSE;
}
+ //
+ // read-only paths
+ //
+
+ ok = Process_GetPaths(proc, &proc->read_ipc_paths, _ReadPath, TRUE);
+
+ if (ok) {
+
+ for (i = 0; readpaths[i] && ok; ++i) {
+ ok = Process_AddPath(proc, &proc->read_ipc_paths, NULL,
+ TRUE, readpaths[i], FALSE);
+ }
+ }
+
+ if (! ok) {
+ Log_MsgP1(MSG_INIT_PATHS, _ReadPath, proc->pid);
+ return FALSE;
+ }
+
+ //
+ // other options
+ //
+
proc->ipc_warn_startrun = Conf_Get_Boolean(
proc->box->name, L"NotifyStartRunAccessDenied", 0, TRUE);
diff --git a/Sandboxie/core/drv/key.c b/Sandboxie/core/drv/key.c
index 2ee360c7..41d74a5d 100644
--- a/Sandboxie/core/drv/key.c
+++ b/Sandboxie/core/drv/key.c
@@ -260,16 +260,18 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
return FALSE;
}
- if (proc->use_privacy_mode) {
- for (i = 0; normalpaths[i] && ok; ++i) {
- ok = Process_AddPath(proc, &proc->normal_key_paths, _NormalPath, TRUE, normalpaths[i], FALSE);
- }
+ if (ok && proc->use_privacy_mode) {
- if (!ok) {
- Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
- return FALSE;
+ for (i = 0; normalpaths[i] && ok; ++i) {
+ ok = Process_AddPath(proc, &proc->normal_key_paths, NULL,
+ TRUE, normalpaths[i], FALSE);
}
}
+
+ if (!ok) {
+ Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
+ return FALSE;
+ }
#endif
//
diff --git a/Sandboxie/core/drv/log.c b/Sandboxie/core/drv/log.c
index 46b9a7af..48feefa3 100644
--- a/Sandboxie/core/drv/log.c
+++ b/Sandboxie/core/drv/log.c
@@ -237,7 +237,6 @@ _FX void Log_Msg(
const WCHAR *string1,
const WCHAR *string2)
{
- //DbgPrint("Sbie MSG_%d: %S; %S\r\n", (error_code & 0xFFFF), string1, string2);
Log_Msg_Session(error_code, string1, string2, -1);
}
@@ -268,6 +267,8 @@ _FX void Log_Msg_Process(
ULONG session_id,
HANDLE process_id)
{
+ DbgPrint("Sbie MSG_%d: %S; %S\r\n", (error_code & 0xFFFF), string1, string2);
+
ULONG facility = (error_code >> 16) & 0x0F;
if (facility & MSG_FACILITY_EVENT)
Log_Event_Msg(error_code, string1, string2);
diff --git a/Sandboxie/core/drv/obj.h b/Sandboxie/core/drv/obj.h
index b2cef3f1..ecb6cfaa 100644
--- a/Sandboxie/core/drv/obj.h
+++ b/Sandboxie/core/drv/obj.h
@@ -91,6 +91,7 @@ extern const OBJECT_NAME_INFORMATION Obj_Unnamed;
extern P_ObGetObjectType pObGetObjectType;
extern P_ObQueryNameInfo pObQueryNameInfo;
+extern BOOLEAN Obj_CallbackInstalled;
//---------------------------------------------------------------------------
// Macros Related to ParseProcedure
diff --git a/Sandboxie/core/drv/obj_flt.c b/Sandboxie/core/drv/obj_flt.c
index 4182de0c..5466598d 100644
--- a/Sandboxie/core/drv/obj_flt.c
+++ b/Sandboxie/core/drv/obj_flt.c
@@ -240,9 +240,7 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
goto Exit;
PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object;
- ACCESS_MASK WriteAccess = (InitialDesiredAccess & PROCESS_DENIED_ACCESS_MASK);
- if (!NT_SUCCESS(Thread_CheckObject_Common(
- proc, ProcessObject, InitialDesiredAccess, WriteAccess, L'P'))) {
+ if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, TRUE))) {
#ifdef DRV_BREAKOUT
//
@@ -301,9 +299,7 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
goto Exit;
PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object);
- ACCESS_MASK WriteAccess = (InitialDesiredAccess & THREAD_DENIED_ACCESS_MASK);
- if (!NT_SUCCESS(Thread_CheckObject_Common(
- proc, ProcessObject, InitialDesiredAccess, WriteAccess, L'T'))) {
+ if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, FALSE))) {
*DesiredAccess = 0; // deny any access
}
//ObjectTypeName = L"PsThreadType";
diff --git a/Sandboxie/core/drv/process.c b/Sandboxie/core/drv/process.c
index d7827e10..4671cbe0 100644
--- a/Sandboxie/core/drv/process.c
+++ b/Sandboxie/core/drv/process.c
@@ -728,8 +728,6 @@ _FX PROCESS *Process_Create(
proc->dont_open_for_boxed = !proc->bAppCompartment && Conf_Get_Boolean(proc->box->name, L"DontOpenForBoxed", 0, TRUE);
- proc->hide_other_boxes = Conf_Get_Boolean(proc->box->name, L"HideOtherBoxes", 0, FALSE);
-
//
// privacy mode requirers Rule Specificity
//
diff --git a/Sandboxie/core/drv/process.h b/Sandboxie/core/drv/process.h
index cdabe4c0..54e3074c 100644
--- a/Sandboxie/core/drv/process.h
+++ b/Sandboxie/core/drv/process.h
@@ -139,7 +139,6 @@ struct _PROCESS {
BOOLEAN always_close_for_boxed;
BOOLEAN dont_open_for_boxed;
- BOOLEAN hide_other_boxes;
#ifdef USE_MATCH_PATH_EX
BOOLEAN use_rule_specificity;
BOOLEAN use_privacy_mode;
@@ -189,6 +188,7 @@ struct _PROCESS {
#endif
LIST open_ipc_paths; // PATTERN elements
LIST closed_ipc_paths; // PATTERN elements
+ LIST read_ipc_paths; // PATTERN elements
ULONG ipc_trace;
BOOLEAN disable_object_flt;
BOOLEAN ipc_warn_startrun;
@@ -371,10 +371,10 @@ void Process_GetProcessName(
// Check if open_path contains setting "$:ProcessName.exe"
// where ProcessName matches the specified idProcess.
-// If not contained, returns STATUS_ACCESS_DENIED with *pSetting = NULL
-// If contained, returns STATUS_SUCCESS with *pSetting -> matching setting
+// If not contained, returns FALSE with *pSetting = NULL
+// If contained, returns TRUE with *pSetting -> matching setting
-NTSTATUS Process_CheckProcessName(
+BOOLEAN Process_CheckProcessName(
PROCESS *proc, LIST *open_paths, ULONG_PTR idProcess,
const WCHAR **pSetting);
diff --git a/Sandboxie/core/drv/process_api.c b/Sandboxie/core/drv/process_api.c
index 2396c0dc..97f67193 100644
--- a/Sandboxie/core/drv/process_api.c
+++ b/Sandboxie/core/drv/process_api.c
@@ -785,6 +785,9 @@ _FX NTSTATUS Process_Api_QueryPathList(PROCESS *proc, ULONG64 *parms)
} else if (args->path_code.val == 'ic') {
list = &proc->closed_ipc_paths;
lock = proc->ipc_lock;
+ } else if (args->path_code.val == 'ir') {
+ list = &proc->read_ipc_paths;
+ lock = proc->ipc_lock;
} else if (args->path_code.val == 'wo') {
list = &proc->open_win_classes;
diff --git a/Sandboxie/core/drv/process_util.c b/Sandboxie/core/drv/process_util.c
index d83bf90a..b2858e5c 100644
--- a/Sandboxie/core/drv/process_util.c
+++ b/Sandboxie/core/drv/process_util.c
@@ -1173,23 +1173,23 @@ _FX void Process_GetProcessName(
//---------------------------------------------------------------------------
-_FX NTSTATUS Process_CheckProcessName(
+_FX BOOLEAN Process_CheckProcessName(
PROCESS *proc, LIST *open_paths, ULONG_PTR idProcess,
const WCHAR **pSetting)
{
- NTSTATUS status;
+ BOOLEAN result;
PATTERN *pat;
void *nbuf;
ULONG nlen;
WCHAR *nptr;
- status = STATUS_ACCESS_DENIED;
+ result = FALSE;
if (pSetting)
*pSetting = NULL;
if (! idProcess)
- return status;
+ return result;
nbuf = NULL;
nlen = 0;
@@ -1213,7 +1213,7 @@ _FX NTSTATUS Process_CheckProcessName(
break;
}
if (_wcsicmp(nptr, src + 2) == 0) {
- status = STATUS_SUCCESS;
+ result = TRUE;
if (pSetting)
*pSetting = src;
break;
@@ -1224,7 +1224,7 @@ _FX NTSTATUS Process_CheckProcessName(
if (nbuf)
Mem_Free(nbuf, nlen);
- return status;
+ return result;
}
diff --git a/Sandboxie/core/drv/thread.c b/Sandboxie/core/drv/thread.c
index 1bf51edc..3a4b4116 100644
--- a/Sandboxie/core/drv/thread.c
+++ b/Sandboxie/core/drv/thread.c
@@ -25,6 +25,7 @@
#include "process.h"
#include "syscall.h"
#include "token.h"
+#include "obj.h"
#include "session.h"
#include "api.h"
@@ -147,6 +148,7 @@ _FX BOOLEAN Thread_Init(void)
"ImpersonateAnonymousToken", Thread_ImpersonateAnonymousToken))
return FALSE;
+
//
// set object open handlers
//
@@ -168,6 +170,7 @@ _FX BOOLEAN Thread_Init(void)
return FALSE;
}
+
//
// set API handlers
//
@@ -947,10 +950,9 @@ _FX NTSTATUS Thread_CheckProcessObject(
PROCESS *proc, void *Object, UNICODE_STRING *Name,
ACCESS_MASK GrantedAccess)
{
+ if (Obj_CallbackInstalled) return STATUS_SUCCESS; // ObCallbacks takes care of that already
PEPROCESS ProcessObject = (PEPROCESS)Object;
- ACCESS_MASK WriteAccess = (GrantedAccess & PROCESS_DENIED_ACCESS_MASK);
- return Thread_CheckObject_Common(
- proc, ProcessObject, GrantedAccess, WriteAccess, L'P');
+ return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, TRUE);
}
@@ -963,10 +965,9 @@ _FX NTSTATUS Thread_CheckThreadObject(
PROCESS *proc, void *Object, UNICODE_STRING *Name,
ACCESS_MASK GrantedAccess)
{
+ if (Obj_CallbackInstalled) return STATUS_SUCCESS; // ObCallbacks takes care of that already
PEPROCESS ProcessObject = PsGetThreadProcess(Object);
- ACCESS_MASK WriteAccess = (GrantedAccess & THREAD_DENIED_ACCESS_MASK);
- return Thread_CheckObject_Common(
- proc, ProcessObject, GrantedAccess, WriteAccess, L'T');
+ return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, FALSE);
}
@@ -977,11 +978,34 @@ _FX NTSTATUS Thread_CheckThreadObject(
_FX NTSTATUS Thread_CheckObject_Common(
PROCESS *proc, PEPROCESS ProcessObject,
- ACCESS_MASK GrantedAccess, ACCESS_MASK WriteAccess, WCHAR Letter1)
+ ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess)
{
ULONG_PTR pid;
const WCHAR *pSetting;
NTSTATUS status;
+ WCHAR Letter1;
+ ACCESS_MASK WriteAccess;
+ ACCESS_MASK ReadAccess;
+
+ if (EntireProcess) {
+ Letter1 = L'P';
+ WriteAccess = (GrantedAccess & PROCESS_DENIED_ACCESS_MASK);
+ ReadAccess = (GrantedAccess & PROCESS_VM_READ);
+
+ //
+ // PROCESS_QUERY_INFORMATION allows to steal an attached debug object
+ // using object filtering mitigates this issue
+ // but when its not active we should block that access
+ //
+
+ if(!Obj_CallbackInstalled)
+ ReadAccess |= (GrantedAccess & PROCESS_QUERY_INFORMATION);
+ }
+ else {
+ Letter1 = L'T';
+ WriteAccess = (GrantedAccess & THREAD_DENIED_ACCESS_MASK);
+ ReadAccess = 0;
+ }
//
// if an error occured and can't find pid, then don't allow
@@ -992,24 +1016,14 @@ _FX NTSTATUS Thread_CheckObject_Common(
if (! pid)
return STATUS_ACCESS_DENIED;
- //
- // for read-only access to the target process, we don't care
- // if/which boxes are involved
- //
-
- if (pid && (WriteAccess == 0) && !proc->hide_other_boxes) {
- status = STATUS_SUCCESS;
- goto trace;
- }
+ status = STATUS_SUCCESS;
//
- // otherwise this is write access, confirm if same box
+ // allow access if it's within the same box
//
- if (Process_IsSameBox(proc, NULL, pid)) {
- status = STATUS_SUCCESS;
- goto trace;
- }
+ if (Process_IsSameBox(proc, NULL, pid))
+ goto finish;
//
// also permit if process is exiting, because it is possible that
@@ -1018,18 +1032,34 @@ _FX NTSTATUS Thread_CheckObject_Common(
// (e.g. VS2012 MSBuild.exe does this with the csc.exe compiler)
//
- if (PsGetProcessExitProcessCalled(ProcessObject)) {
- status = STATUS_SUCCESS;
- goto trace;
- }
+ if (PsGetProcessExitProcessCalled(ProcessObject))
+ goto finish;
+
//
- // write access outside box, check if we have the following setting
+ // access outside box, check if we have the following setting
// OpenIpcPath=$:ProcessName.exe
//
- status = Process_CheckProcessName(
- proc, &proc->open_ipc_paths, pid, &pSetting);
+ if (Process_CheckProcessName(proc, &proc->closed_ipc_paths, pid, &pSetting)) {
+
+ status = STATUS_ACCESS_DENIED;
+
+ } else if (WriteAccess != 0 || ReadAccess != 0) {
+
+ if (!Process_CheckProcessName(proc, &proc->open_ipc_paths, pid, &pSetting)) {
+
+ if (WriteAccess != 0) {
+
+ status = STATUS_ACCESS_DENIED;
+
+ } else if (!Process_CheckProcessName(proc, &proc->read_ipc_paths, pid, &pSetting)) {
+
+ status = STATUS_ACCESS_DENIED;
+ }
+ }
+ }
+
//
// log the cross-sandbox access attempt, based on the status code
@@ -1059,12 +1089,12 @@ _FX NTSTATUS Thread_CheckObject_Common(
}
}
+finish:
+
//
// trace
//
-trace:
-
if (proc->ipc_trace & (TRACE_ALLOW | TRACE_DENY)) {
WCHAR str[32];
diff --git a/Sandboxie/core/drv/thread.h b/Sandboxie/core/drv/thread.h
index 9b33d793..c7fff52f 100644
--- a/Sandboxie/core/drv/thread.h
+++ b/Sandboxie/core/drv/thread.h
@@ -96,7 +96,7 @@ THREAD *Thread_GetByThreadId(PROCESS *proc, HANDLE tid);
NTSTATUS Thread_CheckObject_Common(
PROCESS *proc, PEPROCESS ProcessObject,
- ACCESS_MASK GrantedAccess, ACCESS_MASK WriteAccess, WCHAR Letter1);
+ ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess);
//---------------------------------------------------------------------------
diff --git a/Sandboxie/install/Templates.ini b/Sandboxie/install/Templates.ini
index 143af548..4e95dd54 100644
--- a/Sandboxie/install/Templates.ini
+++ b/Sandboxie/install/Templates.ini
@@ -1524,7 +1524,7 @@ OpenWinClass=TENTrayMainWindow
OpenWinClass=ENMainFrame
OpenWinClass=ENMainFrame3
OpenWinClass=HwndWrapper[Evernote.exe;*
-OpenWinClass=$:EvernoteClipper.exe
+OpenWinClass=$:EvernoteClipper.exe/IgnoreUIPI
LingerProcess=EvernoteClipper.exe
[Template_MetaProducts_Inquiry]
@@ -1574,7 +1574,7 @@ Tmpl.Url=http://www.kinook.com/UltraRecall/
Tmpl.Scan=s
Tmpl.ScanProduct=Ultra Recall_is1
OpenWinClass=Afx:00400000:0
-OpenWinClass=$:UltraRecall.exe
+OpenWinClass=$:UltraRecall.exe/IgnoreUIPI
OpenIpcPath=*\BaseNamedObjects*\UltraRecall
#
@@ -1750,7 +1750,7 @@ Tmpl.Class=Security
Tmpl.Url=http://www.covenanteyes.com/
Tmpl.Scan=i
OpenIpcPath=*\BaseNamedObjects*\CE_*Obj
-OpenWinClass=$:nmSvc.exe
+OpenWinClass=$:nmSvc.exe/IgnoreUIPI
[Template_ComodoInternetSecurity]
Tmpl.Title=Comodo Internet Security / Antivirus / Firewall
@@ -1939,7 +1939,7 @@ Tmpl.Url=http://technet.microsoft.com/en-us/security/jj653751
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\EMET
OpenIpcPath=*\BaseNamedObjects*\emet_pid_*
-OpenWinClass=$:EMET_notifier.exe
+OpenWinClass=$:EMET_notifier.exe/IgnoreUIPI
# EMET 4
OpenPipePath=\Device\Mailslot\EMET_Agent_*
OpenPipePath=\Device\Mailslot\EMET_Recipient_*
@@ -2046,7 +2046,7 @@ Tmpl.Url=http://windows.microsoft.com/en-US/windows/products/security-essentials
Tmpl.Scan=s
Tmpl.ScanService=MsMpSvc
OpenWinClass=msseces_class
-OpenWinClass=$:msseces.exe
+OpenWinClass=$:msseces.exe/IgnoreUIPI
IContextMenuClsid={09A47860-11B0-4DA5-AFA5-26D86198A780}
[Template_Mirekusoft_Install_Monitor]
@@ -2244,7 +2244,7 @@ Tmpl.Class=Security
Tmpl.Url=http://www.proxifier.com/
Tmpl.Scan=w
OpenWinClass=Proxifier32Cls
-OpenWinClass=$:proxifier.exe
+OpenWinClass=$:proxifier.exe/IgnoreUIPI
OpenIpcPath=*\BaseNamedObjects*\Proxifier*
OpenPipePath=\Device\NamedPipe\proxifier
@@ -2411,7 +2411,7 @@ Tmpl.Class=Desktop
Tmpl.Url=http://support.asus.com/Download.aspx?SLanguage=en&m=Eee+PC+1015PX&p=20&s=1
Tmpl.Scan=s
Tmpl.ScanProduct={4B5092B6-F231-4D18-83BC-2618B729CA45}
-OpenWinClass=$:CapsHook.exe
+OpenWinClass=$:CapsHook.exe/IgnoreUIPI
[Template_AcerGridVista]
Tmpl.Title=Acer GridVista
@@ -2535,7 +2535,7 @@ Tmpl.Class=Desktop
Tmpl.Url=http://www.cottonwoodsw.com/fx3summ.html
Tmpl.Scan=s
Tmpl.ScanProduct=File-Ex v3.*
-OpenWinClass=$:FileEx.exe
+OpenWinClass=$:FileEx.exe/IgnoreUIPI
[Template_GoogleToolbarIE]
Tmpl.Title=Google Toolbar for Internet Explorer
@@ -2546,7 +2546,7 @@ OpenIpcPath=*\BaseNamedObjects*\{B7F1F778-8315-4EB2-AC1E-5AFCAA603271}
OpenIpcPath=*\BaseNamedObjects*\{DEBFCCE1-B446-4992-9C9E-CA1CB548C718}
OpenIpcPath=*\BaseNamedObjects*\*{E709AE98-F4E6-40DE-BE47-CFBA9B4605C0}
OpenWinClass={A7E495BF-9589-4A6E-8479-DDA2D8D3C05F}
-OpenWinClass=$:GoogleToolbarNotifier.exe
+OpenWinClass=$:GoogleToolbarNotifier.exe/IgnoreUIPI
OpenClsid={FBA44040-BD27-4A09-ACC8-C08B7C723DCD}
LingerProcess=GoogleToolbarUser.exe
LingerProcess=GoogleToolbarUser_32.exe
@@ -2608,7 +2608,7 @@ Tmpl.Class=Desktop
Tmpl.Url=http://www.intelife.net/ninja/
Tmpl.Scan=i
OpenIpcPath=*\BaseNamedObjects*\KEYBOARD_NINJA_2
-OpenWinClass=$:ninja.exe
+OpenWinClass=$:ninja.exe/IgnoreUIPI
[Template_Lingoes]
Tmpl.Title=Lingoes Translator
@@ -2618,7 +2618,7 @@ Tmpl.Scan=i
OpenIpcPath=*\BaseNamedObjects*\OpenText_ZWFilter_GlobaData*
OpenIpcPath=*\BaseNamedObjects*\OpenText_GrabText_GlobaData*
OpenIpcPath=*\BaseNamedObjects*\OpenText_GrabText_Mutex*
-OpenWinClass=$:lingoes.exe
+OpenWinClass=$:lingoes.exe/IgnoreUIPI
[Template_Linkman]
Tmpl.Title=Linkman
@@ -2637,19 +2637,20 @@ Tmpl.Url=http://www.xrayz.co.uk/
Tmpl.Scan=w
OpenWinClass=LinkStash
OpenWinClass=LinkStashMonitor
-OpenWinClass=$:lnkstash.exe
+OpenWinClass=$:lnkstash.exe/IgnoreUIPI
[Template_Listary]
Tmpl.Title=Listary
Tmpl.Class=Desktop
-Tmpl.Url=http://www.listary.com/
+Tmpl.Url=https://www.listary.com/
Tmpl.Scan=s
Tmpl.ScanProduct=Listary_is1
-OpenIpcPath=*\BaseNamedObjects*\ListarySharedData
OpenWinClass=ListaryToolbarCls
-OpenWinClass=$:listary.exe
-# v4
+OpenWinClass=$:listary.exe/IgnoreUIPI
+# v5
OpenIpcPath=*\BaseNamedObjects*\Listary_MainSharedMemory
+# v6
+OpenIpcPath=*\BaseNamedObjects*\ListaryX_MainSharedMemory
[Template_Logitech_G15_Keyboard]
Tmpl.Title=Logitech Keyboard LCD Display
@@ -2880,13 +2881,13 @@ Tmpl.Class=Desktop
Tmpl.Url=http://www.sumitsoft.com/
Tmpl.Scan=i
OpenIpcPath=*\BaseNamedObjects*\Typing Assistant (*)
-OpenWinClass=$:Typing Assistant (English).exe
-OpenWinClass=$:Typing Assistant (French).exe
-OpenWinClass=$:Typing Assistant (German).exe
-OpenWinClass=$:Typing Assistant (Hungarian).exe
-OpenWinClass=$:Typing Assistant (Italian).exe
-OpenWinClass=$:Typing Assistant (Portuguese).exe
-OpenWinClass=$:Typing Assistant (Spanish).exe
+OpenWinClass=$:Typing Assistant (English).exe/IgnoreUIPI
+OpenWinClass=$:Typing Assistant (French).exe/IgnoreUIPI
+OpenWinClass=$:Typing Assistant (German).exe/IgnoreUIPI
+OpenWinClass=$:Typing Assistant (Hungarian).exe/IgnoreUIPI
+OpenWinClass=$:Typing Assistant (Italian).exe/IgnoreUIPI
+OpenWinClass=$:Typing Assistant (Portuguese).exe/IgnoreUIPI
+OpenWinClass=$:Typing Assistant (Spanish).exe/IgnoreUIPI
[Template_TwoPilots_SpeedTyping]
Tmpl.Title=Two Pilots Speed Typing
@@ -3154,6 +3155,12 @@ OpenClsid={AC746233-E9D3-49CD-862F-068F7B7CCCA4}
# prevent access to host port
# BlockPort=1001
+[Template_FreeDownloadManager]
+Tmpl.Title=Free Download Manager
+Tmpl.Class=Download
+Tmpl.Url=http://www.freedownloadmanager.org/
+RpcMgmtSetComTimeout=fdm.exe,y
+
[Template_SothinkWebVideoDownloader]
Tmpl.Title=Sothink Web Video Downloader Stand-alone
Tmpl.Class=Download
diff --git a/SandboxiePlus/SandMan/Forms/SettingsWindow.ui b/SandboxiePlus/SandMan/Forms/SettingsWindow.ui
index 90883951..a4ff069e 100644
--- a/SandboxiePlus/SandMan/Forms/SettingsWindow.ui
+++ b/SandboxiePlus/SandMan/Forms/SettingsWindow.ui
@@ -7,7 +7,7 @@
0
0
634
- 440
+ 451
@@ -54,108 +54,7 @@
-
-
-
-
-
-
- 75
- true
- true
-
-
-
- Systray options
-
-
-
- -
-
-
- Watch Sandboxie.ini for changes
-
-
-
- -
-
-
- Use Dark Theme (fully applied after a restart)
-
-
- true
-
-
-
- -
-
-
- Show first recovery window when emptying sandboxes
-
-
-
- -
-
-
-
-
-
- Hotkey for terminating all boxed processes:
-
-
-
- -
-
-
-
-
- -
-
-
- Qt::Vertical
-
-
-
- 20
- 40
-
-
-
-
- -
-
-
- -
-
-
- -
-
-
- UI Language:
-
-
- Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
-
-
- -
-
-
- Open urls from this ui sandboxed
-
-
- true
-
-
-
- -
-
-
- Show Notifications for relevant log Messages
-
-
- false
-
-
-
- -
+
-
Qt::Horizontal
@@ -168,26 +67,10 @@
- -
-
+
-
+
- On main window close:
-
-
- Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
-
-
- -
-
-
- Show Icon in Systray:
-
-
- Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
-
- true
+ Watch Sandboxie.ini for changes
@@ -198,6 +81,46 @@
+ -
+
+
+ UI Language:
+
+
+ Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
+
+
+
+ -
+
+
+ Qt::Vertical
+
+
+
+ 20
+ 40
+
+
+
+
+ -
+
+
+ Show first recovery window when emptying sandboxes
+
+
+
+ -
+
+
+ Use Dark Theme (fully applied after a restart)
+
+
+ true
+
+
+
-
@@ -211,21 +134,46 @@
-
- -
-
+
-
+
- Show boxes in tray list:
+ Show Notifications for relevant log Messages
-
- Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
+
+ false
-
+
+
+ -
+
+
+ Open urls from this ui sandboxed
+
+
true
- -
-
+
-
+
+
+ Run box operations asynchronously whenever possible (like content deletion)
+
+
+
+ -
+
+
-
+
+
+ Hotkey for terminating all boxed processes:
+
+
+
+ -
+
+
+
@@ -238,6 +186,69 @@
-
+
-
+
+
+ Add 'Run Sandboxed' to the explorer context menu
+
+
+
+ -
+
+
+ Qt::Horizontal
+
+
+
+ 40
+ 20
+
+
+
+
+ -
+
+
+ Qt::Vertical
+
+
+
+ 20
+ 40
+
+
+
+
+ -
+
+
+ On main window close:
+
+
+ Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
+
+
+
+ -
+
+
+ Start UI when a sandboxed process is started
+
+
+
+ -
+
+
+ Show boxes in tray list:
+
+
+ Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
+
+
+ true
+
+
+
-
@@ -252,6 +263,20 @@
+ -
+
+
+ Always use DefaultBox
+
+
+
+ -
+
+
+ Add 'Run Un-Sandboxed' to the context menu
+
+
+
-
@@ -266,55 +291,7 @@
- -
-
-
- Start UI with Windows
-
-
-
- -
-
-
- Add 'Run Sandboxed' to the explorer context menu
-
-
-
- -
-
-
- Qt::Horizontal
-
-
-
- 40
- 20
-
-
-
-
- -
-
-
- Start UI when a sandboxed process is started
-
-
-
- -
-
-
- Add 'Run Un-Sandboxed' to the context menu
-
-
-
- -
-
-
- Always use DefaultBox
-
-
-
- -
+
-
Qt::Horizontal
@@ -327,15 +304,65 @@
- -
-
+
-
+
+
+ Show Icon in Systray:
+
+
+ Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
+
+
+ true
+
+
+
+ -
+
+
+ Start UI with Windows
+
+
+
+ -
+
+
+ Show a tray notification when automatic box operations are started
+
+
+
+ -
+
+
+
+ 75
+ true
+ true
+
+
+
+ Systray options
+
+
+
+ -
+
+
+ -
+
+
+ -
+
+
+ -
+
- Qt::Vertical
+ Qt::Horizontal
- 20
- 40
+ 40
+ 20
@@ -433,7 +460,7 @@
-
- Activate Kernel Mode Object Filtering (experimental)
+ Activate Kernel Mode Object Filtering
diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp
index 416ac0e8..2668e4c0 100644
--- a/SandboxiePlus/SandMan/SandMan.cpp
+++ b/SandboxiePlus/SandMan/SandMan.cpp
@@ -900,6 +900,20 @@ void CSandMan::timerEvent(QTimerEvent* pEvent)
}
}
+bool CSandMan::DoDeleteCmd(const CSandBoxPtr &pBox)
+{
+ foreach(const QString& Value, pBox->GetTextList("OnBoxDelete", true, false, true)) {
+ QString Value2 = pBox->Expand(Value);
+ CSbieProgressPtr pProgress = CSbieUtils::RunCommand(Value2, true);
+ if (!pProgress.isNull()) {
+ AddAsyncOp(pProgress, true, tr("Executing OnBoxDelete: %1").arg(Value2));
+ if (pProgress->IsCanceled())
+ return false;
+ }
+ }
+ return true;
+}
+
void CSandMan::OnBoxClosed(const QString& BoxName)
{
CSandBoxPtr pBox = theAPI->GetBoxByName(BoxName);
@@ -913,9 +927,32 @@ void CSandMan::OnBoxClosed(const QString& BoxName)
if(!theGUI->OpenRecovery(pBox, DeleteShapshots, true)) // unless no files are found than continue silently
return;
- auto pBoxEx = pBox.objectCast();
- SB_STATUS Status = pBoxEx->DeleteContentAsync(DeleteShapshots);
- CheckResults(QList() << Status);
+ if(theConf->GetBool("Options/AutoBoxOpsNotify", false))
+ OnLogMessage(tr("Auto deleting content of %1").arg(BoxName), true);
+
+ if (theConf->GetBool("Options/UseAsyncBoxOps", false))
+ {
+ auto pBoxEx = pBox.objectCast();
+ SB_STATUS Status = pBoxEx->DeleteContentAsync(DeleteShapshots);
+ CheckResults(QList() << Status);
+ }
+ else
+ {
+ if (!DoDeleteCmd(pBox))
+ return;
+
+ SB_PROGRESS Status;
+ if (!DeleteShapshots && pBox->HasSnapshots()) { // in auto delete mdoe always return to last snapshot
+ QString Current;
+ pBox->GetDefaultSnapshot(&Current);
+ Status = pBox->SelectSnapshot(Current);
+ }
+ else // if there are no snapshots just use the normal cleaning procedure
+ Status = pBox->CleanBox();
+
+ if (Status.GetStatus() == OP_ASYNC)
+ AddAsyncOp(Status.GetValue(), true, tr("Auto Deleting %1 content").arg(BoxName));
+ }
}
}
@@ -1156,7 +1193,7 @@ void CSandMan::OnLogSbieMessage(quint32 MsgCode, const QStringList& MsgData, qui
Message = tr("The box %1 is configured to use features exclusively available to project supporters, these presets will be ignored.").arg(MsgData[1]);
Message.append(tr("
Become a project supporter, and receive a supporter certificate"));
- QMessageBox msgBox;
+ QMessageBox msgBox(this);
msgBox.setTextFormat(Qt::RichText);
msgBox.setIcon(QMessageBox::Critical);
msgBox.setWindowTitle("Sandboxie-Plus");
@@ -1206,7 +1243,7 @@ bool CSandMan::CheckCertificate()
// return false;
//}
- QMessageBox msgBox;
+ QMessageBox msgBox(this);
msgBox.setTextFormat(Qt::RichText);
msgBox.setIcon(QMessageBox::Information);
msgBox.setWindowTitle("Sandboxie-Plus");
@@ -1589,9 +1626,9 @@ void CSandMan::HandleMaintenance(SB_RESULT(void*) Status)
if (dwStatus != 0)
{
if(m_bStopPending)
- QMessageBox::warning(NULL, tr("Sandboxie-Plus - Error"), tr("Failed to stop all Sandboxie components"));
+ QMessageBox::warning(this, tr("Sandboxie-Plus - Error"), tr("Failed to stop all Sandboxie components"));
else if(m_bConnectPending)
- QMessageBox::warning(NULL, tr("Sandboxie-Plus - Error"), tr("Failed to start required Sandboxie components"));
+ QMessageBox::warning(this, tr("Sandboxie-Plus - Error"), tr("Failed to start required Sandboxie components"));
OnLogMessage(tr("Maintenance operation failed (%1)").arg((quint32)dwStatus));
CheckResults(QList() << SB_ERR(dwStatus));
diff --git a/SandboxiePlus/SandMan/SandMan.h b/SandboxiePlus/SandMan/SandMan.h
index ab7d1170..1b2521dc 100644
--- a/SandboxiePlus/SandMan/SandMan.h
+++ b/SandboxiePlus/SandMan/SandMan.h
@@ -38,6 +38,8 @@ public:
SB_PROGRESS RecoverFiles(const QList>& FileList, int Action = 0);
+ bool DoDeleteCmd(const CSandBoxPtr &pBox);
+
bool AddAsyncOp(const CSbieProgressPtr& pProgress, bool bWait = false, const QString& InitialMsg = QString());
static QString FormatError(const SB_STATUS& Error);
static void CheckResults(QList Results);
diff --git a/SandboxiePlus/SandMan/Views/SbieView.cpp b/SandboxiePlus/SandMan/Views/SbieView.cpp
index f703caa1..63670917 100644
--- a/SandboxiePlus/SandMan/Views/SbieView.cpp
+++ b/SandboxiePlus/SandMan/Views/SbieView.cpp
@@ -872,6 +872,17 @@ void CSbieView::OnSandBoxAction(QAction* Action)
return;
}
+ if (theConf->GetInt("Options/WarnOpenRegistry", -1) == -1)
+ {
+ bool State = false;
+ if (CCheckableMessageBox::question(this, "Sandboxie-Plus", tr("WARNING: The opened registry editor is not sand boxed, please be careful and only do changes to the pre-selected sandbox locations.")
+ , tr("Don't show this warning in future"), &State, QDialogButtonBox::Ok | QDialogButtonBox::Cancel, QDialogButtonBox::Yes, QMessageBox::Information) != QDialogButtonBox::Ok)
+ return;
+
+ if (State)
+ theConf->SetValue("Options/WarnOpenRegistry", 1);
+ }
+
wstring path = QCoreApplication::applicationFilePath().toStdWString();
QStringList RegRoot = SandBoxes.first()->GetRegRoot().split("\\");
@@ -1021,10 +1032,37 @@ void CSbieView::OnSandBoxAction(QAction* Action)
foreach(const CSandBoxPtr &pBox, SandBoxes)
{
- auto pBoxEx = pBox.objectCast();
- SB_STATUS Status = pBoxEx->DeleteContentAsync(DeleteShapshots);
- if (Status.IsError())
- Results.append(Status);
+ if (theConf->GetBool("Options/UseAsyncBoxOps", false))
+ {
+ auto pBoxEx = pBox.objectCast();
+ SB_STATUS Status = pBoxEx->DeleteContentAsync(DeleteShapshots);
+ if (Status.IsError())
+ Results.append(Status);
+ }
+ else
+ {
+ SB_STATUS Status1 = pBox->TerminateAll();
+ if (Status1.IsError()) {
+ Results.append(Status1);
+ continue;
+ }
+
+ if (!theGUI->DoDeleteCmd(pBox))
+ continue;
+
+ SB_PROGRESS Status;
+ if (!DeleteShapshots && pBox->HasSnapshots()) {
+ QString Default = pBox->GetDefaultSnapshot();
+ Status = pBox->SelectSnapshot(Default);
+ }
+ else // if there are no snapshots jut use the normal cleaning procedure
+ Status = pBox->CleanBox();
+
+ if (Status.GetStatus() == OP_ASYNC)
+ theGUI->AddAsyncOp(Status.GetValue());
+ else if (Status.IsError())
+ Results.append(Status);
+ }
}
}
else if (Action == m_pMenuEmptyBox)
diff --git a/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp b/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp
index 749dc85a..a7c1559e 100644
--- a/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp
+++ b/SandboxiePlus/SandMan/Windows/OptionsAccess.cpp
@@ -195,18 +195,19 @@ void COptionsWindow::ParseAndAddAccessEntry(EAccessEntry EntryType, const QStrin
case eOpenPipePath: Type = eFile; Mode = eOpen4All; break;
case eClosedFilePath: Type = eFile; Mode = eClosed; break;
case eReadFilePath: Type = eFile; Mode = eReadOnly; break;
- case eWriteFilePath: Type = eFile; Mode = eWriteOnly; break;
+ case eWriteFilePath: Type = eFile; Mode = eBoxOnly; break;
case eNormalKeyPath: Type = eKey; Mode = eNormal; break;
case eOpenKeyPath: Type = eKey; Mode = eOpen; break;
case eOpenConfPath: Type = eKey; Mode = eOpen4All;break;
case eClosedKeyPath: Type = eKey; Mode = eClosed; break;
case eReadKeyPath: Type = eKey; Mode = eReadOnly; break;
- case eWriteKeyPath: Type = eKey; Mode = eWriteOnly; break;
+ case eWriteKeyPath: Type = eKey; Mode = eBoxOnly; break;
case eNormalIpcPath: Type = eIPC; Mode = eNormal; break;
case eOpenIpcPath: Type = eIPC; Mode = eOpen; break;
case eClosedIpcPath: Type = eIPC; Mode = eClosed; break;
+ case eReadIpcPath: Type = eIPC; Mode = eReadOnly; break;
case eOpenWinClass: Type = eWnd; Mode = eOpen; break;
@@ -243,7 +244,7 @@ QString COptionsWindow::GetAccessModeStr(EAccessMode Mode)
case eClosed: return tr("Closed");
case eClosedRT: return tr("Closed RT");
case eReadOnly: return tr("Read Only");
- case eWriteOnly: return tr("Boxed Only");
+ case eBoxOnly: return tr("Box Only (Write Only)");
}
return tr("Unknown");
}
@@ -328,7 +329,7 @@ QString COptionsWindow::MakeAccessStr(EAccessType Type, EAccessMode Mode)
case eOpen4All: return "OpenPipePath";
case eClosed: return "ClosedFilePath";
case eReadOnly: return "ReadFilePath";
- case eWriteOnly: return "WriteFilePath";
+ case eBoxOnly: return "WriteFilePath";
}
break;
case eKey:
@@ -339,7 +340,7 @@ QString COptionsWindow::MakeAccessStr(EAccessType Type, EAccessMode Mode)
case eOpen4All: return "OpenConfPath";
case eClosed: return "ClosedKeyPath";
case eReadOnly: return "ReadKeyPath";
- case eWriteOnly: return "WriteKeyPath";
+ case eBoxOnly: return "WriteKeyPath";
}
break;
case eIPC:
@@ -348,6 +349,7 @@ QString COptionsWindow::MakeAccessStr(EAccessType Type, EAccessMode Mode)
case eNormal: return "NormalIpcPath";
case eOpen: return "OpenIpcPath";
case eClosed: return "ClosedIpcPath";
+ case eReadOnly: return "ReadIpcPath";
}
break;
case eWnd:
@@ -448,8 +450,8 @@ QList COptionsWindow::GetAccessModes(EAccessType Ty
{
switch (Type)
{
- case eFile: return QList() << eNormal << eOpen << eOpen4All << eClosed << eReadOnly << eWriteOnly;
- case eKey: return QList() << eNormal << eOpen << eOpen4All << eClosed << eReadOnly << eWriteOnly;
+ case eFile: return QList() << eNormal << eOpen << eOpen4All << eClosed << eReadOnly << eBoxOnly;
+ case eKey: return QList() << eNormal << eOpen << eOpen4All << eClosed << eReadOnly << eBoxOnly;
case eIPC: return QList() << eNormal << eOpen << eClosed;
case eWnd: return QList() << eOpen;
case eCOM: return QList() << eOpen << eClosed << eClosedRT;
@@ -556,7 +558,7 @@ void COptionsWindow::SaveAccessList()
QStringList Keys = QStringList()
<< "NormalFilePath" << "OpenFilePath" << "OpenPipePath" << "ClosedFilePath" << "ReadFilePath" << "WriteFilePath"
<< "NormalKeyPath" << "OpenKeyPath" << "OpenConfPath" << "ClosedKeyPath" << "ReadKeyPath" << "WriteKeyPath"
- << "NormalIpcPath"<< "OpenIpcPath" << "ClosedIpcPath" << "OpenWinClass" << "OpenClsid" << "ClosedClsid" << "ClosedRT";
+ << "NormalIpcPath"<< "OpenIpcPath" << "ClosedIpcPath" << "ReadIpcPath" << "OpenWinClass" << "OpenClsid" << "ClosedClsid" << "ClosedRT";
QMap> AccessMap;
for (int i = 0; i < ui.treeAccess->topLevelItemCount(); i++)
diff --git a/SandboxiePlus/SandMan/Windows/OptionsWindow.h b/SandboxiePlus/SandMan/Windows/OptionsWindow.h
index 8479eca7..12370912 100644
--- a/SandboxiePlus/SandMan/Windows/OptionsWindow.h
+++ b/SandboxiePlus/SandMan/Windows/OptionsWindow.h
@@ -202,6 +202,7 @@ protected:
eNormalIpcPath,
eOpenIpcPath,
eClosedIpcPath,
+ eReadIpcPath,
eOpenWinClass,
@@ -229,7 +230,7 @@ protected:
eClosed,
eClosedRT,
eReadOnly,
- eWriteOnly
+ eBoxOnly
};
enum ETriggerAction {
diff --git a/SandboxiePlus/SandMan/Windows/SettingsWindow.cpp b/SandboxiePlus/SandMan/Windows/SettingsWindow.cpp
index 4e920b25..951028dc 100644
--- a/SandboxiePlus/SandMan/Windows/SettingsWindow.cpp
+++ b/SandboxiePlus/SandMan/Windows/SettingsWindow.cpp
@@ -130,7 +130,7 @@ CSettingsWindow::CSettingsWindow(QWidget *parent)
m_FeaturesChanged = false;
connect(ui.chkWFP, SIGNAL(stateChanged(int)), this, SLOT(OnFeaturesChanged()));
connect(ui.chkObjCb, SIGNAL(stateChanged(int)), this, SLOT(OnFeaturesChanged()));
- connect(ui.chkWin32k, SIGNAL(stateChanged(int)), this, SLOT(OnFeaturesChanged()));
+ //connect(ui.chkWin32k, SIGNAL(stateChanged(int)), this, SLOT(OnFeaturesChanged()));
m_WarnProgsChanged = false;
@@ -218,7 +218,7 @@ Qt::CheckState CSettingsWindow__IsContextMenu()
void CSettingsWindow__AddContextMenu()
{
CSbieUtils::AddContextMenu(QApplication::applicationDirPath().replace("/", "\\") + "\\SandMan.exe",
- CSettingsWindow::tr("Run &Sandboxed"), CSettingsWindow::tr("Explore &Sandboxed"),
+ CSettingsWindow::tr("Run &Sandboxed"), //CSettingsWindow::tr("Explore &Sandboxed"),
QApplication::applicationDirPath().replace("/", "\\") + "\\Start.exe");
}
@@ -253,6 +253,7 @@ void CSettingsWindow::LoadSettings()
ui.chkShowRecovery->setChecked(theConf->GetBool("Options/ShowRecovery", false));
ui.chkNotifyRecovery->setChecked(!theConf->GetBool("Options/InstantRecovery", true));
+ ui.chkAsyncBoxOps->setChecked(theConf->GetBool("Options/UseAsyncBoxOps", false));
ui.chkPanic->setChecked(theConf->GetBool("Options/EnablePanicKey", false));
ui.keyPanic->setKeySequence(QKeySequence(theConf->GetString("Options/PanicKeySequence", "Shift+Pause")));
@@ -262,6 +263,7 @@ void CSettingsWindow::LoadSettings()
ui.cmbSysTray->setCurrentIndex(theConf->GetInt("Options/SysTrayIcon", 1));
ui.cmbTrayBoxes->setCurrentIndex(theConf->GetInt("Options/SysTrayFilter", 0));
+ ui.chkBoxOpsNotify->setChecked(theConf->GetBool("Options/AutoBoxOpsNotify", false));
ui.cmbOnClose->setCurrentIndex(ui.cmbOnClose->findData(theConf->GetString("Options/OnClose", "ToTray")));
@@ -277,7 +279,7 @@ void CSettingsWindow::LoadSettings()
ui.ipcRoot->setText(theAPI->GetGlobalSettings()->GetText("IpcRootPath", IpcRootPath_Default));
ui.chkWFP->setChecked(theAPI->GetGlobalSettings()->GetBool("NetworkEnableWFP", false));
- ui.chkObjCb->setChecked(theAPI->GetGlobalSettings()->GetBool("EnableObjectFiltering", false));
+ ui.chkObjCb->setChecked(theAPI->GetGlobalSettings()->GetBool("EnableObjectFiltering", true));
ui.chkWin32k->setChecked(theAPI->GetGlobalSettings()->GetBool("EnableWin32kHooks", true));
ui.chkAdminOnly->setChecked(theAPI->GetGlobalSettings()->GetBool("EditAdminOnly", false));
@@ -406,6 +408,7 @@ void CSettingsWindow::SaveSettings()
theConf->SetValue("Options/ShowRecovery", ui.chkShowRecovery->isChecked());
theConf->SetValue("Options/InstantRecovery", !ui.chkNotifyRecovery->isChecked());
+ theConf->SetValue("Options/UseAsyncBoxOps", ui.chkAsyncBoxOps->isChecked());
theConf->SetValue("Options/EnablePanicKey", ui.chkPanic->isChecked());
theConf->SetValue("Options/PanicKeySequence", ui.keyPanic->keySequence().toString());
@@ -414,6 +417,7 @@ void CSettingsWindow::SaveSettings()
theConf->SetValue("Options/SysTrayIcon", ui.cmbSysTray->currentIndex());
theConf->SetValue("Options/SysTrayFilter", ui.cmbTrayBoxes->currentIndex());
+ theConf->SetValue("Options/AutoBoxOpsNotify", ui.chkBoxOpsNotify->isChecked());
theConf->SetValue("Options/OnClose", ui.cmbOnClose->currentData());