1.7.0c

2023-01-28 20:57:20 +01:00 · 2023-01-28 20:57:20 +01:00 · f1796a6af5
parent 156f5be594
commit f1796a6af5
8 changed files with 113 additions and 27 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,6 +13,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - added sandbox creation wizard (not available in Vintage View mode)
 - added ability to open all com classes [#2448](https://github.com/sandboxie-plus/Sandboxie/issues/2448)
 -- use OpenClsid={00000000-0000-0000-0000-000000000000} to open all
+- the SandMan UI now indicates if a sandboxed process has a Elevated(Admin) or System token

 ### Changed
 - refactored network blocking code in driver
--- a/Sandboxie/core/drv/process_api.c
+++ b/Sandboxie/core/drv/process_api.c
@ -408,7 +408,7 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)

        } else if (args->info_type.val == 'ptok') { // primary token

-			if(is_caller_sandboxed || !Session_CheckAdminAccess(TRUE))
+			if(is_caller_sandboxed)
 				status = STATUS_ACCESS_DENIED;
 			else
 			{
@ -418,9 +418,12 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)
 					ObReferenceObject(PrimaryTokenObject);

                    //ACCESS_MASK access = (PsGetCurrentProcessId() != Api_ServiceProcessId) ? TOKEN_ALL_ACCESS : (TOKEN_QUERY | TOKEN_DUPLICATE);
+                    ACCESS_MASK access = TOKEN_QUERY | TOKEN_QUERY_SOURCE;
+                    if (Session_CheckAdminAccess(TRUE))
+                        access |= TOKEN_DUPLICATE;

 					HANDLE MyTokenHandle;
-					status = ObOpenObjectByPointer(PrimaryTokenObject, 0, NULL, TOKEN_QUERY | TOKEN_DUPLICATE, *SeTokenObjectType, UserMode, &MyTokenHandle);
+					status = ObOpenObjectByPointer(PrimaryTokenObject, 0, NULL, access, *SeTokenObjectType, UserMode, &MyTokenHandle);

 					ObDereferenceObject(PrimaryTokenObject);

@ -432,7 +435,7 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)

 		} else if (args->info_type.val == 'itok' || args->info_type.val == 'ttok') { // impersonation token / test thread token

-			if(is_caller_sandboxed || (args->info_type.val == 'itok' && !Session_CheckAdminAccess(TRUE)))
+			if(is_caller_sandboxed)
 				status = STATUS_ACCESS_DENIED;
            else if(!proc->threads_lock)
                status = STATUS_NOT_FOUND;
@ -463,8 +466,12 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms)

                        if (ImpersonationTokenObject)
                        {
+                            ACCESS_MASK access = TOKEN_QUERY | TOKEN_QUERY_SOURCE;
+                            if (Session_CheckAdminAccess(TRUE))
+                                access |= TOKEN_DUPLICATE;
+
                            HANDLE MyTokenHandle;
-                            status = ObOpenObjectByPointer(ImpersonationTokenObject, 0, NULL, TOKEN_QUERY | TOKEN_DUPLICATE, *SeTokenObjectType, UserMode, &MyTokenHandle);
+                            status = ObOpenObjectByPointer(ImpersonationTokenObject, 0, NULL, access, *SeTokenObjectType, UserMode, &MyTokenHandle);

                            ObDereferenceObject(ImpersonationTokenObject);

--- a/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.cpp
+++ b/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.cpp
@ -224,6 +224,14 @@ bool CBoxedProcess::InitProcessInfo()
 	if (ProcessHandle == INVALID_HANDLE_VALUE)
 		return false;

+	InitProcessInfoImpl(ProcessHandle);
+
+	NtClose(ProcessHandle);
+	return true;
+}
+
+void CBoxedProcess::InitProcessInfoImpl(void* ProcessHandle)
+{
 	PROCESS_BASIC_INFORMATION BasicInformation;
 	NTSTATUS status = NtQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &BasicInformation, sizeof(PROCESS_BASIC_INFORMATION), NULL);
 	if (NT_SUCCESS(status)) {
@ -259,10 +267,6 @@ bool CBoxedProcess::InitProcessInfo()
 	{
 		m_CommandLine = CBoxedProcess__GetPebString(ProcessHandle, PhpoCommandLine);
 	}
-
-	NtClose(ProcessHandle);
-
-	return true;
 }

 bool CBoxedProcess::InitProcessInfoEx()
--- a/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.h
+++ b/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.h
@ -56,6 +56,8 @@ public:
 protected:
 	friend class CSbieAPI;

+	virtual void			InitProcessInfoImpl(void* ProcessHandle);
+
 	quint32			m_ProcessId;
 	QString			m_BoxName;
 	quint32			m_ParendPID;
--- a/SandboxiePlus/QSbieAPI/SbieAPI.cpp
+++ b/SandboxiePlus/QSbieAPI/SbieAPI.cpp
@ -1666,7 +1666,7 @@ CBoxedProcessPtr CSbieAPI::GetProcessById(quint32 ProcessId) const
 	return m_BoxedProxesses.value(ProcessId);
 }

-quint32 CSbieAPI::QueryProcessInfo(quint32 ProcessId, quint32 InfoClass)
+quint64 CSbieAPI::QueryProcessInfo(quint32 ProcessId, quint32 InfoClass)
 {
 	__declspec(align(8)) ULONG64 ResultValue;
 	__declspec(align(8)) ULONG64 parms[API_NUM_ARGS];
--- a/SandboxiePlus/QSbieAPI/SbieAPI.h
+++ b/SandboxiePlus/QSbieAPI/SbieAPI.h
@ -135,6 +135,8 @@ public:
 	virtual void			ClearTrace() { m_TraceList.clear(); QMutexLocker Lock(&m_TraceMutex); m_TraceCache.clear(); }

 	// Other
+	virtual quint64			QueryProcessInfo(quint32 ProcessId, quint32 InfoClass = 0);
+
 	virtual QString			GetSbieMsgStr(quint32 code, quint32 Lang = 1033);

 	virtual SB_STATUS		RunStart(const QString& BoxName, const QString& Command, bool Elevated = false, const QString& WorkingDir = QString(), QProcess* pProcess = NULL);
@ -202,8 +204,6 @@ protected:
 	virtual bool			GetLog();
 	virtual bool			GetMonitor();

-	virtual quint32			QueryProcessInfo(quint32 ProcessId, quint32 InfoClass = 0);
-
 	virtual SB_STATUS		TerminateAll(const QString& BoxName);
 	virtual SB_STATUS		Terminate(quint32 ProcessId);

--- a/SandboxiePlus/SandMan/SbieProcess.cpp
+++ b/SandboxiePlus/SandMan/SbieProcess.cpp
@ -1,6 +1,20 @@
 #include "stdafx.h"
 #include "SbieProcess.h"

+#include <ntstatus.h>
+#define WIN32_NO_STATUS
+typedef long NTSTATUS;
+
+#include <windows.h>
+#include "..\..\Sandboxie\common\win32_ntddk.h"
+
+#include <winnt.h>
+
+CSbieProcess::CSbieProcess(quint32 ProcessId, class CSandBox* pBox) 
+	: CBoxedProcess(ProcessId, pBox) 
+{
+	m_ProcessInfo.Flags = 0;
+}

 QString CSbieProcess::ImageTypeToStr(quint32 type)
 {
@ -77,9 +91,19 @@ QString CSbieProcess::ImageTypeToStr(quint32 type)
 	}
 }

+
+QString	CSbieProcess::GetProcessName() const
+{
+	QString Name = CBoxedProcess::GetProcessName();
+	if (m_bIsWoW64)
+		Name += " *32";
+	return Name;
+}
+
 QString CSbieProcess::GetStatusStr() const
 {
 	QString Status;
+
 	if (m_uTerminated != 0)
 		Status = tr("Terminated");
 	//else if (m_bSuspended)
@ -90,12 +114,14 @@ QString CSbieProcess::GetStatusStr() const
 			Status.prepend(tr("Forced "));
 	}

+	if (m_ProcessInfo.IsElevated)
+		Status += tr(" Elevated");
+	if (m_ProcessInfo.IsSystem)
+		Status += tr(" as System");
+
 	if(m_SessionId != theAPI->GetSessionID())
 		Status += tr(" in session %1").arg(m_SessionId);

-	if (m_bIsWoW64)
-		Status += " *32";
-
 	quint32 ImageType = GetImageType();
 	if (ImageType != -1) {
 		QString Type = ImageTypeToStr(ImageType);
@ -105,3 +131,29 @@ QString CSbieProcess::GetStatusStr() const

 	return Status;
 }
+
+SID SeLocalSystemSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
+
+void CSbieProcess::InitProcessInfoImpl(void* ProcessHandle)
+{
+	CBoxedProcess::InitProcessInfoImpl(ProcessHandle);
+
+	HANDLE TokenHandle = (HANDLE)m_pBox->Api()->QueryProcessInfo(m_ProcessId, 'ptok');
+	//if (NT_SUCCESS(NtOpenProcessToken(ProcessHandle, TOKEN_QUERY, &TokenHandle)))
+	if (TokenHandle != INVALID_HANDLE_VALUE)
+	{
+		ULONG returnLength;
+
+		TOKEN_ELEVATION_TYPE elevationType;
+		if (NT_SUCCESS(NtQueryInformationToken(TokenHandle, (TOKEN_INFORMATION_CLASS)TokenElevationType, &elevationType, sizeof(TOKEN_ELEVATION_TYPE), &returnLength))) {
+			m_ProcessInfo.IsElevated = elevationType == TokenElevationTypeFull;
+		}
+
+		BYTE tokenUserBuff[0x80] = { 0 };
+		if (NT_SUCCESS(NtQueryInformationToken(TokenHandle, TokenUser, tokenUserBuff, sizeof(tokenUserBuff), &returnLength))){
+			m_ProcessInfo.IsSystem = RtlEqualSid(((PTOKEN_USER)tokenUserBuff)->User.Sid, &SeLocalSystemSid);
+		}
+
+		CloseHandle(TokenHandle);
+	}
+}
--- a/SandboxiePlus/SandMan/SbieProcess.h
+++ b/SandboxiePlus/SandMan/SbieProcess.h
@ -6,27 +6,47 @@ class CSbieProcess : public CBoxedProcess
 {
 	Q_OBJECT
 public:
-	CSbieProcess(quint32 ProcessId, class CSandBox* pBox) : CBoxedProcess(ProcessId, pBox) {}
+	CSbieProcess(quint32 ProcessId, class CSandBox* pBox);

+	virtual QString	GetProcessName() const;
 	virtual QString	GetStatusStr() const;

-	virtual void BlockProgram()									{ GetBox()->BlockProgram(m_ImageName); }
-	virtual void SetInternetAccess(bool bSet)					{ GetBox()->SetInternetAccess(m_ImageName, bSet); }
-	virtual bool HasInternetAccess()							{ return GetBox()->HasInternetAccess(m_ImageName); }
-	virtual void SetForcedProgram(bool bSet)					{ GetBox()->SetForcedProgram(m_ImageName, bSet); }
-	virtual bool IsForcedProgram()								{ return GetBox()->IsForcedProgram(m_ImageName); }
-	virtual void SetLingeringProgram(bool bSet)					{ GetBox()->SetLingeringProgram(m_ImageName, bSet); }
-	virtual int	 IsLingeringProgram()							{ return GetBox()->IsLingeringProgram(m_ImageName); }
-	virtual void SetLeaderProgram(bool bSet)					{ GetBox()->SetLeaderProgram(m_ImageName, bSet); }
-	virtual int	 IsLeaderProgram()								{ return GetBox()->IsLeaderProgram(m_ImageName); }
+	virtual void	BlockProgram()								{ GetBox()->BlockProgram(m_ImageName); }
+	virtual void	SetInternetAccess(bool bSet)				{ GetBox()->SetInternetAccess(m_ImageName, bSet); }
+	virtual bool	HasInternetAccess()							{ return GetBox()->HasInternetAccess(m_ImageName); }
+	virtual void	SetForcedProgram(bool bSet)					{ GetBox()->SetForcedProgram(m_ImageName, bSet); }
+	virtual bool	IsForcedProgram()							{ return GetBox()->IsForcedProgram(m_ImageName); }
+	virtual void	SetLingeringProgram(bool bSet)				{ GetBox()->SetLingeringProgram(m_ImageName, bSet); }
+	virtual int		IsLingeringProgram()						{ return GetBox()->IsLingeringProgram(m_ImageName); }
+	virtual void	SetLeaderProgram(bool bSet)					{ GetBox()->SetLeaderProgram(m_ImageName, bSet); }
+	virtual int		IsLeaderProgram()							{ return GetBox()->IsLeaderProgram(m_ImageName); }

 	virtual CSandBoxPlus* GetBox()								{ return qobject_cast<CSandBoxPlus*>(m_pBox); }

-	virtual int GetRememberedAction(int Action)					{ return m_RememberedActions.value(Action, -1); }
-	virtual void SetRememberedAction(int Action, int retval)	{ m_RememberedActions.insert(Action, retval); }
+	virtual int		GetRememberedAction(int Action)				{ return m_RememberedActions.value(Action, -1); }
+	virtual void	SetRememberedAction(int Action, int retval)	{ m_RememberedActions.insert(Action, retval); }

-	static QString ImageTypeToStr(quint32 type);
+	static QString	ImageTypeToStr(quint32 type);
+
+	virtual bool	HasElevatedToken()							{ return m_ProcessInfo.IsElevated; }
+	virtual bool	HasSystemToken()							{ return m_ProcessInfo.IsSystem; }

 protected:
+
+	virtual void			InitProcessInfoImpl(void* ProcessHandle);
+
 	QMap<int, int>			m_RememberedActions;
+
+	// Flags
+	union
+	{
+		quint32 Flags;
+		struct
+		{
+			quint32
+				IsElevated : 1,
+				IsSystem : 1,
+				Spare : 30;
+		};
+	}						m_ProcessInfo;
 };