From f1796a6af58391ee8f0bb6900dbaae73d15cd799 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Sat, 28 Jan 2023 20:57:20 +0100 Subject: [PATCH] 1.7.0c --- CHANGELOG.md | 1 + Sandboxie/core/drv/process_api.c | 15 +++-- .../QSbieAPI/Sandboxie/BoxedProcess.cpp | 12 ++-- .../QSbieAPI/Sandboxie/BoxedProcess.h | 2 + SandboxiePlus/QSbieAPI/SbieAPI.cpp | 2 +- SandboxiePlus/QSbieAPI/SbieAPI.h | 4 +- SandboxiePlus/SandMan/SbieProcess.cpp | 58 ++++++++++++++++++- SandboxiePlus/SandMan/SbieProcess.h | 46 ++++++++++----- 8 files changed, 113 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 778d081d..d1512657 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - added sandbox creation wizard (not available in Vintage View mode) - added ability to open all com classes [#2448](https://github.com/sandboxie-plus/Sandboxie/issues/2448) -- use OpenClsid={00000000-0000-0000-0000-000000000000} to open all +- the SandMan UI now indicates if a sandboxed process has a Elevated(Admin) or System token ### Changed - refactored network blocking code in driver diff --git a/Sandboxie/core/drv/process_api.c b/Sandboxie/core/drv/process_api.c index 33da09f8..e61019ac 100644 --- a/Sandboxie/core/drv/process_api.c +++ b/Sandboxie/core/drv/process_api.c @@ -408,7 +408,7 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms) } else if (args->info_type.val == 'ptok') { // primary token - if(is_caller_sandboxed || !Session_CheckAdminAccess(TRUE)) + if(is_caller_sandboxed) status = STATUS_ACCESS_DENIED; else { 
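Review bot: Dropping `!Session_CheckAdminAccess(TRUE)` from the 'ptok' gate means a non-admin, unsandboxed caller now reaches the ObOpenObjectByPointer open further down instead of STATUS_ACCESS_DENIED, and the only things left protecting that path are the reduced access mask set in the next hunk (@@ -418) and, presumably, the object-manager access check that applies because the open is done with UserMode. That reliance is not written anywhere near the condition; I would add `// non-admin callers fall through to a query-only open below; the token's DACL is still enforced because the handle is opened with UserMode` above the `if`. The same gate change is made for 'itok' at @@ -432 and deserves the same comment. Process_Api_QueryInfo begins and ends outside the hunk.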
@@ -418,9 +418,12 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms) ObReferenceObject(PrimaryTokenObject); //ACCESS_MASK access = (PsGetCurrentProcessId() != Api_ServiceProcessId) ? TOKEN_ALL_ACCESS : (TOKEN_QUERY | TOKEN_DUPLICATE); + ACCESS_MASK access = TOKEN_QUERY | TOKEN_QUERY_SOURCE; + if (Session_CheckAdminAccess(TRUE)) + access |= TOKEN_DUPLICATE; HANDLE MyTokenHandle; - status = ObOpenObjectByPointer(PrimaryTokenObject, 0, NULL, TOKEN_QUERY | TOKEN_DUPLICATE, *SeTokenObjectType, UserMode, &MyTokenHandle); + status = ObOpenObjectByPointer(PrimaryTokenObject, 0, NULL, access, *SeTokenObjectType, UserMode, &MyTokenHandle); ObDereferenceObject(PrimaryTokenObject); @@ -432,7 +435,7 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms) } else if (args->info_type.val == 'itok' || args->info_type.val == 'ttok') { // impersonation token / test thread token - if(is_caller_sandboxed || (args->info_type.val == 'itok' && !Session_CheckAdminAccess(TRUE))) + if(is_caller_sandboxed) status = STATUS_ACCESS_DENIED; else if(!proc->threads_lock) status = STATUS_NOT_FOUND; @@ -463,8 +466,12 @@ _FX NTSTATUS Process_Api_QueryInfo(PROCESS *proc, ULONG64 *parms) if (ImpersonationTokenObject) { + ACCESS_MASK access = TOKEN_QUERY | TOKEN_QUERY_SOURCE; + if (Session_CheckAdminAccess(TRUE)) + access |= TOKEN_DUPLICATE; + HANDLE MyTokenHandle; - status = ObOpenObjectByPointer(ImpersonationTokenObject, 0, NULL, TOKEN_QUERY | TOKEN_DUPLICATE, *SeTokenObjectType, UserMode, &MyTokenHandle); + status = ObOpenObjectByPointer(ImpersonationTokenObject, 0, NULL, access, *SeTokenObjectType, UserMode, &MyTokenHandle); ObDereferenceObject(ImpersonationTokenObject); diff --git a/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.cpp b/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.cpp index 71895140..c09fdd3a 100644 --- a/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.cpp +++ b/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.cpp 
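Review bot: The unprivileged mask `TOKEN_QUERY | TOKEN_QUERY_SOURCE` grants more than the only consumer in this commit uses: SbieProcess.cpp queries TokenElevationType and TokenUser, both of which need TOKEN_QUERY alone, while TOKEN_QUERY_SOURCE additionally opens up the TokenSource class. Unless another caller outside this patch needs it, `ACCESS_MASK access = TOKEN_QUERY;` keeps the handle handed to non-admin callers minimal. The same three-line mask computation is repeated verbatim at @@ -463; a small `static ACCESS_MASK Process_Api_TokenAccess(void)` returning the mask would keep the primary-token and impersonation-token paths from drifting apart. Process_Api_QueryInfo continues outside both hunks.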
@@ -224,6 +224,14 @@ bool CBoxedProcess::InitProcessInfo() if (ProcessHandle == INVALID_HANDLE_VALUE) return false; + InitProcessInfoImpl(ProcessHandle); + + NtClose(ProcessHandle); + return true; +} + +void CBoxedProcess::InitProcessInfoImpl(void* ProcessHandle) +{ PROCESS_BASIC_INFORMATION BasicInformation; NTSTATUS status = NtQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &BasicInformation, sizeof(PROCESS_BASIC_INFORMATION), NULL); if (NT_SUCCESS(status)) { @@ -259,10 +267,6 @@ bool CBoxedProcess::InitProcessInfo() { m_CommandLine = CBoxedProcess__GetPebString(ProcessHandle, PhpoCommandLine); } - - NtClose(ProcessHandle); - - return true; } bool CBoxedProcess::InitProcessInfoEx() diff --git a/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.h b/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.h index 71950ec1..9f6473a3 100644 --- a/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.h +++ b/SandboxiePlus/QSbieAPI/Sandboxie/BoxedProcess.h @@ -56,6 +56,8 @@ public: protected: friend class CSbieAPI; + virtual void InitProcessInfoImpl(void* ProcessHandle); + quint32 m_ProcessId; QString m_BoxName; quint32 m_ParendPID; diff --git a/SandboxiePlus/QSbieAPI/SbieAPI.cpp b/SandboxiePlus/QSbieAPI/SbieAPI.cpp index 94921268..1e9d0a1b 100644 --- a/SandboxiePlus/QSbieAPI/SbieAPI.cpp +++ b/SandboxiePlus/QSbieAPI/SbieAPI.cpp @@ -1666,7 +1666,7 @@ CBoxedProcessPtr CSbieAPI::GetProcessById(quint32 ProcessId) const return m_BoxedProxesses.value(ProcessId); } -quint32 CSbieAPI::QueryProcessInfo(quint32 ProcessId, quint32 InfoClass) +quint64 CSbieAPI::QueryProcessInfo(quint32 ProcessId, quint32 InfoClass) { __declspec(align(8)) ULONG64 ResultValue; __declspec(align(8)) ULONG64 parms[API_NUM_ARGS]; diff --git a/SandboxiePlus/QSbieAPI/SbieAPI.h b/SandboxiePlus/QSbieAPI/SbieAPI.h index c4105f8f..98200f45 100644 --- a/SandboxiePlus/QSbieAPI/SbieAPI.h +++ b/SandboxiePlus/QSbieAPI/SbieAPI.h 
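Review bot: The new virtual `InitProcessInfoImpl(void* ProcessHandle)` carries no statement of its contract, and the split creates one: InitProcessInfo() calls NtClose on `ProcessHandle` immediately after the call, so an override must neither close nor retain the handle, and it should call the base implementation so the PEB-derived fields are still filled in. I would put that on the declaration in BoxedProcess.h (hunk @@ -56): `// Fills the process fields from an open process handle. Called once by InitProcessInfo(), which owns and closes the handle afterwards; overrides must call the base implementation and must not close or retain ProcessHandle.` Taking the parameter as `HANDLE` rather than `void*` would make the intent visible in the signature, unless the header avoids Windows types on purpose. The moved body of InitProcessInfoImpl continues into the next hunk (@@ -259).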
@@ -135,6 +135,8 @@ public: virtual void ClearTrace() { m_TraceList.clear(); QMutexLocker Lock(&m_TraceMutex); m_TraceCache.clear(); } // Other + virtual quint64 QueryProcessInfo(quint32 ProcessId, quint32 InfoClass = 0); + virtual QString GetSbieMsgStr(quint32 code, quint32 Lang = 1033); virtual SB_STATUS RunStart(const QString& BoxName, const QString& Command, bool Elevated = false, const QString& WorkingDir = QString(), QProcess* pProcess = NULL); @@ -202,8 +204,6 @@ protected: virtual bool GetLog(); virtual bool GetMonitor(); - virtual quint32 QueryProcessInfo(quint32 ProcessId, quint32 InfoClass = 0); - virtual SB_STATUS TerminateAll(const QString& BoxName); virtual SB_STATUS Terminate(quint32 ProcessId); diff --git a/SandboxiePlus/SandMan/SbieProcess.cpp b/SandboxiePlus/SandMan/SbieProcess.cpp index 2d1b82e1..79d0364f 100644 --- a/SandboxiePlus/SandMan/SbieProcess.cpp +++ b/SandboxiePlus/SandMan/SbieProcess.cpp @@ -1,6 +1,20 @@ #include "stdafx.h" #include "SbieProcess.h" +#include +#define WIN32_NO_STATUS +typedef long NTSTATUS; + +#include +#include "..\..\Sandboxie\common\win32_ntddk.h" + +#include + +CSbieProcess::CSbieProcess(quint32 ProcessId, class CSandBox* pBox) + : CBoxedProcess(ProcessId, pBox) +{ + m_ProcessInfo.Flags = 0; +} QString CSbieProcess::ImageTypeToStr(quint32 type) { @@ -77,9 +91,19 @@ QString CSbieProcess::ImageTypeToStr(quint32 type) } } + +QString CSbieProcess::GetProcessName() const +{ + QString Name = CBoxedProcess::GetProcessName(); + if (m_bIsWoW64) + Name += " *32"; + return Name; +} + QString CSbieProcess::GetStatusStr() const { QString Status; + if (m_uTerminated != 0) Status = tr("Terminated"); //else if (m_bSuspended) 
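Review bot: `QueryProcessInfo` is promoted to a public member returning `quint64` with no documentation, and for the 'ptok'/'itok' classes that value is a kernel handle the caller must close (SbieProcess.cpp casts the result to HANDLE and calls CloseHandle on it). The declaration should state this and the failure value, since every caller's check depends on it: `// Queries the driver for a per-process value. For 'ptok'/'itok' the result is a token HANDLE owned by the caller, who must close it; on failure the result is <FAILURE-VALUE, confirm from SbieAPI.cpp>.` The matching change in SbieAPI.cpp (@@ -1666) only shows the signature, so the failure encoding has to be confirmed from the body outside the hunk. Widening the return type from `quint32` to `quint64` also means any existing caller that still stores the result in a 32-bit variable now silently truncates a handle on 64-bit builds.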
@@ -90,12 +114,14 @@ QString CSbieProcess::GetStatusStr() const Status.prepend(tr("Forced ")); } + if (m_ProcessInfo.IsElevated) + Status += tr(" Elevated"); + if (m_ProcessInfo.IsSystem) + Status += tr(" as System"); + if(m_SessionId != theAPI->GetSessionID()) Status += tr(" in session %1").arg(m_SessionId); - if (m_bIsWoW64) - Status += " *32"; - quint32 ImageType = GetImageType(); if (ImageType != -1) { QString Type = ImageTypeToStr(ImageType); @@ -105,3 +131,29 @@ QString CSbieProcess::GetStatusStr() const return Status; } + +SID SeLocalSystemSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } }; + +void CSbieProcess::InitProcessInfoImpl(void* ProcessHandle) +{ + CBoxedProcess::InitProcessInfoImpl(ProcessHandle); + + HANDLE TokenHandle = (HANDLE)m_pBox->Api()->QueryProcessInfo(m_ProcessId, 'ptok'); + //if (NT_SUCCESS(NtOpenProcessToken(ProcessHandle, TOKEN_QUERY, &TokenHandle))) + if (TokenHandle != INVALID_HANDLE_VALUE) + { + ULONG returnLength; + + TOKEN_ELEVATION_TYPE elevationType; + if (NT_SUCCESS(NtQueryInformationToken(TokenHandle, (TOKEN_INFORMATION_CLASS)TokenElevationType, &elevationType, sizeof(TOKEN_ELEVATION_TYPE), &returnLength))) { + m_ProcessInfo.IsElevated = elevationType == TokenElevationTypeFull; + } + + BYTE tokenUserBuff[0x80] = { 0 }; + if (NT_SUCCESS(NtQueryInformationToken(TokenHandle, TokenUser, tokenUserBuff, sizeof(tokenUserBuff), &returnLength))){ + m_ProcessInfo.IsSystem = RtlEqualSid(((PTOKEN_USER)tokenUserBuff)->User.Sid, &SeLocalSystemSid); + } + + CloseHandle(TokenHandle); + } +} \ No newline at end of file diff --git a/SandboxiePlus/SandMan/SbieProcess.h b/SandboxiePlus/SandMan/SbieProcess.h index 2ee3e88d..96907324 100644 --- a/SandboxiePlus/SandMan/SbieProcess.h +++ b/SandboxiePlus/SandMan/SbieProcess.h 
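Review bot: The guard `if (TokenHandle != INVALID_HANDLE_VALUE)` does not cover a zero result: the driver's 'ptok' path leaves `MyTokenHandle` unset when it returns STATUS_ACCESS_DENIED, and what QueryProcessInfo then hands back is decided outside this hunk, so if it is 0 a NULL handle reaches NtQueryInformationToken and CloseHandle. `if (TokenHandle != NULL && TokenHandle != INVALID_HANDLE_VALUE)` covers both conventions. `SID SeLocalSystemSid` is a mutable global with external linkage; `static SID SeLocalSystemSid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };` (or an anonymous namespace) keeps it from being modified elsewhere or colliding at link time. The handle is closed with CloseHandle while BoxedProcess.cpp uses NtClose for the handles it receives; either works, but the two files should agree. The file also loses its trailing newline.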
@@ -6,27 +6,47 @@ class CSbieProcess : public CBoxedProcess { Q_OBJECT public: - CSbieProcess(quint32 ProcessId, class CSandBox* pBox) : CBoxedProcess(ProcessId, pBox) {} + CSbieProcess(quint32 ProcessId, class CSandBox* pBox); + virtual QString GetProcessName() const; virtual QString GetStatusStr() const; - virtual void BlockProgram() { GetBox()->BlockProgram(m_ImageName); } - virtual void SetInternetAccess(bool bSet) { GetBox()->SetInternetAccess(m_ImageName, bSet); } - virtual bool HasInternetAccess() { return GetBox()->HasInternetAccess(m_ImageName); } - virtual void SetForcedProgram(bool bSet) { GetBox()->SetForcedProgram(m_ImageName, bSet); } - virtual bool IsForcedProgram() { return GetBox()->IsForcedProgram(m_ImageName); } - virtual void SetLingeringProgram(bool bSet) { GetBox()->SetLingeringProgram(m_ImageName, bSet); } - virtual int IsLingeringProgram() { return GetBox()->IsLingeringProgram(m_ImageName); } - virtual void SetLeaderProgram(bool bSet) { GetBox()->SetLeaderProgram(m_ImageName, bSet); } - virtual int IsLeaderProgram() { return GetBox()->IsLeaderProgram(m_ImageName); } + virtual void BlockProgram() { GetBox()->BlockProgram(m_ImageName); } + virtual void SetInternetAccess(bool bSet) { GetBox()->SetInternetAccess(m_ImageName, bSet); } + virtual bool HasInternetAccess() { return GetBox()->HasInternetAccess(m_ImageName); } + virtual void SetForcedProgram(bool bSet) { GetBox()->SetForcedProgram(m_ImageName, bSet); } + virtual bool IsForcedProgram() { return GetBox()->IsForcedProgram(m_ImageName); } + virtual void SetLingeringProgram(bool bSet) { GetBox()->SetLingeringProgram(m_ImageName, bSet); } + virtual int IsLingeringProgram() { return GetBox()->IsLingeringProgram(m_ImageName); } + virtual void SetLeaderProgram(bool bSet) { GetBox()->SetLeaderProgram(m_ImageName, bSet); } + virtual int IsLeaderProgram() { return GetBox()->IsLeaderProgram(m_ImageName); } virtual CSandBoxPlus* GetBox() { return qobject_cast(m_pBox); } - virtual int 
GetRememberedAction(int Action) { return m_RememberedActions.value(Action, -1); } - virtual void SetRememberedAction(int Action, int retval) { m_RememberedActions.insert(Action, retval); } + virtual int GetRememberedAction(int Action) { return m_RememberedActions.value(Action, -1); } + virtual void SetRememberedAction(int Action, int retval) { m_RememberedActions.insert(Action, retval); } - static QString ImageTypeToStr(quint32 type); + static QString ImageTypeToStr(quint32 type); + + virtual bool HasElevatedToken() { return m_ProcessInfo.IsElevated; } + virtual bool HasSystemToken() { return m_ProcessInfo.IsSystem; } protected: + + virtual void InitProcessInfoImpl(void* ProcessHandle); + QMap m_RememberedActions; + + // Flags + union + { + quint32 Flags; + struct + { + quint32 + IsElevated : 1, + IsSystem : 1, + Spare : 30; + }; + } m_ProcessInfo; }; \ No newline at end of file
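Review bot: `HasElevatedToken()` and `HasSystemToken()` only read `m_ProcessInfo` yet are not `const`, which is why the `const` member `GetStatusStr()` has to read the bits directly instead of calling them; declare them `virtual bool HasElevatedToken() const { return m_ProcessInfo.IsElevated; }` and `virtual bool HasSystemToken() const { return m_ProcessInfo.IsSystem; }`. The union needs a line saying what it is for: `// Token-derived flags; Flags is the raw view zeroed in the constructor, the bits are set by InitProcessInfoImpl()` (the anonymous struct inside a union is a compiler extension, presumably fine here since the .cpp is Windows-only). Most of the hunk is whitespace-only re-indentation of the existing accessors, which hides the functional change; that belongs in a separate commit. The class body starts in the hunk's first line and the hunk runs to its closing brace.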