This commit is contained in:
DavidXanatos 2020-11-03 17:41:33 +01:00
parent 717f709091
commit f2314e2847
32 changed files with 2021 additions and 1149 deletions


@ -4,13 +4,27 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [0.4.4 / 5.44.0] - 2020-11-03
### Added
- added SbieLdr (experimental)
### Changed
- moved code injection mechanism from SbieSvc to SbieDll
- moved function hooking mechanism from SbieDrv to SbieDll
- introduced a new driverless method to resolve wow64 ntdll base address
### Fixed
### removed
- removed support for windows vista x64
## [0.4.3 / 5.43.7] - 2020-11-03
### Added
- added disable forced programs menu command to he sandman ui
### Changed
### Fixed
- fixed file rename bug introduced with an earlier driver verifier fix
- fixed issue saving access lists


@ -73,7 +73,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SbieControl", "apps\control
{8E0EAA5B-6F5B-E0E2-338A-453EF2B548E4} = {8E0EAA5B-6F5B-E0E2-338A-453EF2B548E4}
{41453A79-CA9B-ABCA-981C-5242AFC72DDF} = {41453A79-CA9B-ABCA-981C-5242AFC72DDF}
{2D3DBCAE-883E-54A6-F8F6-11228D989033} = {2D3DBCAE-883E-54A6-F8F6-11228D989033}
{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6} = {08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kmdutil", "install\kmdutil\KmdUtil.vcxproj", "{0BF4988E-2325-4426-8CDC-BD221E4FB68C}"
@ -86,8 +85,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SbieIni", "apps\ini\SbieIni
{8E0EAA5B-6F5B-E0E2-338A-453EF2B548E4} = {8E0EAA5B-6F5B-E0E2-338A-453EF2B548E4}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SandboxieInstall", "install\release\SandboxieInstall.vcxproj", "{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Parse", "msgs\Parse.vcxproj", "{7BA01954-12F1-4CEE-BA97-FAD3250D9776}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SboxHostDll", "SboxHostDll\SboxHostDll.vcxproj", "{3A42A9F3-E0C7-4633-9570-381802D6647D}"
@ -106,6 +103,11 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "core", "core", "{E9D1318A-F
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "apps", "apps", "{0301861F-98D8-4767-BA7D-E146DE2E0C92}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SbieLdr", "apps\ldr\SbieLdr.vcxproj", "{352AA425-D224-4F23-AF1D-D54AFADDDB22}"
ProjectSection(ProjectDependencies) = postProject
{8E0EAA5B-6F5B-E0E2-338A-453EF2B548E4} = {8E0EAA5B-6F5B-E0E2-338A-453EF2B548E4}
EndProjectSection
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
SbieDebug|Win32 = SbieDebug|Win32
@ -234,11 +236,6 @@ Global
{B8D7002B-0468-44E7-93A7-94327A5D7C7A}.SbieRelease|Win32.Build.0 = SbieRelease|Win32
{B8D7002B-0468-44E7-93A7-94327A5D7C7A}.SbieRelease|x64.ActiveCfg = SbieRelease|x64
{B8D7002B-0468-44E7-93A7-94327A5D7C7A}.SbieRelease|x64.Build.0 = SbieRelease|x64
{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}.SbieDebug|Win32.ActiveCfg = SbieRelease|Win32
{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}.SbieDebug|Win32.Build.0 = SbieRelease|Win32
{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}.SbieDebug|x64.ActiveCfg = SbieRelease|Win32
{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}.SbieRelease|Win32.ActiveCfg = SbieRelease|Win32
{08A656D9-CDD0-4C9F-AB3F-D98F8E5B6EC6}.SbieRelease|x64.ActiveCfg = SbieRelease|Win32
{7BA01954-12F1-4CEE-BA97-FAD3250D9776}.SbieDebug|Win32.ActiveCfg = SbieRelease|Win32
{7BA01954-12F1-4CEE-BA97-FAD3250D9776}.SbieDebug|Win32.Build.0 = SbieRelease|Win32
{7BA01954-12F1-4CEE-BA97-FAD3250D9776}.SbieDebug|x64.ActiveCfg = SbieRelease|Win32
@ -254,6 +251,14 @@ Global
{3A42A9F3-E0C7-4633-9570-381802D6647D}.SbieRelease|Win32.Build.0 = SbieRelease|Win32
{3A42A9F3-E0C7-4633-9570-381802D6647D}.SbieRelease|x64.ActiveCfg = SbieRelease|x64
{3A42A9F3-E0C7-4633-9570-381802D6647D}.SbieRelease|x64.Build.0 = SbieRelease|x64
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieDebug|Win32.ActiveCfg = SbieDebug|Win32
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieDebug|Win32.Build.0 = SbieDebug|Win32
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieDebug|x64.ActiveCfg = SbieDebug|x64
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieDebug|x64.Build.0 = SbieDebug|x64
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieRelease|Win32.ActiveCfg = SbieRelease|Win32
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieRelease|Win32.Build.0 = SbieRelease|Win32
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieRelease|x64.ActiveCfg = SbieRelease|x64
{352AA425-D224-4F23-AF1D-D54AFADDDB22}.SbieRelease|x64.Build.0 = SbieRelease|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
@ -273,6 +278,7 @@ Global
{0BF4988E-2325-4426-8CDC-BD221E4FB68C} = {0301861F-98D8-4767-BA7D-E146DE2E0C92}
{B8D7002B-0468-44E7-93A7-94327A5D7C7A} = {0301861F-98D8-4767-BA7D-E146DE2E0C92}
{3A42A9F3-E0C7-4633-9570-381802D6647D} = {E9D1318A-FAF0-4EF8-8561-FCB03862AC99}
{352AA425-D224-4F23-AF1D-D54AFADDDB22} = {0301861F-98D8-4767-BA7D-E146DE2E0C92}
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {8CC68B2E-A32E-409D-8D3F-F68AF524E29C}


@ -130,9 +130,6 @@
<IgnoreSpecificDefaultLibraries>msvcprt.lib;%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="resource.h" />
<ClInclude Include="SboxHostDll.h" />


@ -0,0 +1,152 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="SbieDebug|Win32">
<Configuration>SbieDebug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="SbieDebug|x64">
<Configuration>SbieDebug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="SbieRelease|Win32">
<Configuration>SbieRelease</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="SbieRelease|x64">
<Configuration>SbieRelease</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="global.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="resource1.rc" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{352AA425-D224-4F23-AF1D-D54AFADDDB22}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>SbieLdr</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\..\Sandbox32.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\..\Sandbox64.props" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\..\Sandbox32.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\..\Sandbox64.props" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">
<TargetName>SbieLdr</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">
<TargetName>SbieLdr</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">
<TargetName>SbieLdr</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">
<TargetName>SbieLdr</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Disabled</Optimization>
<MinimalRebuild />
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<AdditionalDependencies>SbieDll.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile />
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Disabled</Optimization>
<MinimalRebuild />
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<AdditionalDependencies>SbieDll.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile />
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<FunctionLevelLinking>
</FunctionLevelLinking>
<MinimalRebuild />
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<AdditionalDependencies>SbieDll.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile />
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<FunctionLevelLinking>
</FunctionLevelLinking>
<MinimalRebuild />
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<AdditionalDependencies>SbieDll.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<ResourceCompile />
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>


@ -0,0 +1,22 @@
/*
* Copyright (c) 2020, David Xanatos
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include <windows.h>
#include <stdio.h>
#include "core/dll/sbiedll.h"
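Review bot: No include guard or `#pragma once` is visible in this new header (L283–L285 are bare includes after the license block), whereas hook.h added in the same commit guards itself with `_MY_HOOK_H`; add `#pragma once` after the license comment, or wrap the includes in `#ifndef _MY_GLOBAL_H` / `#define _MY_GLOBAL_H` … `#endif`, so a second inclusion from another translation unit of SbieLdr does not re-pull windows.h and sbiedll.h. The file path is not shown in this section; main.c in this commit includes it as `"global.h"`.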

35
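--- a/Sandboxie/apps/ldr/main.c
+++ b/Sandboxie/apps/ldr/main.c
@@ -0,0 +1,35 @@
+/*
+* Copyright (c) 2020, David Xanatos
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+#include "global.h"
+#include "common/my_version.h"
+#include "msgs/msgs.h"
+int __cdecl wmain(int argc, char **argv)
+{
+int errlvl = SbieDll_InjectLow_InitHelper();
+if (errlvl) {
+//LogEvent(MSG_9234, 0x9241, errlvl);
+return errlvl;
+}
+SbieDll_InjectLow_InitSyscalls(FALSE);
+return 0;
+}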
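Review bot: The return value of `SbieDll_InjectLow_InitSyscalls(FALSE)` on L318 is discarded, so the loader exits 0 even when syscall initialization fails, although sbiedll.h in this same commit declares the export as returning `ULONG`; capture it like the helper result, `errlvl = SbieDll_InjectLow_InitSyscalls(FALSE);` followed by `return errlvl;`. The entry point is declared `wmain(int argc, char **argv)`, but a `wmain` receives wide-character arguments, so it should read `int __cdecl wmain(int argc, wchar_t **argv)` (or be a plain `main` if narrow arguments are intended); both parameters are unused here. The only diagnostic on the failure path is commented out (`//LogEvent(MSG_9234, 0x9241, errlvl);`), which leaves an operator with no event-log trace when the sandbox helper failed to initialize; either restore it or add a comment explaining why the process exit code alone is considered sufficient. `errlvl` is an `int` receiving a `ULONG`; `ULONG errlvl` with `return (int)errlvl;` makes the conversion explicit.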


@ -0,0 +1,55 @@
//---------------------------------------------------------------------------
// SbieLdr scripting utility
//---------------------------------------------------------------------------
#include <windows.h>
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
#pragma code_page(1252)
#include "common/my_version.h"
//---------------------------------------------------------------------------
// Version
//---------------------------------------------------------------------------
VS_VERSION_INFO VERSIONINFO
FILEVERSION MY_VERSION_BINARY
PRODUCTVERSION MY_VERSION_BINARY
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x40004L
FILETYPE 0x2L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904b0"
BEGIN
VALUE "Comments", "\0"
VALUE "CompanyName", MY_COMPANY_NAME_STRING "\0"
VALUE "FileDescription", MY_PRODUCT_NAME_STRING " configuration file utility\0"
VALUE "FileVersion", MY_VERSION_STRING "\0"
OPTIONAL_VALUE("InternalName", "SbieLdr\0")
VALUE "LegalCopyright", MY_COPYRIGHT_STRING "\0"
VALUE "LegalTrademarks", "\0"
OPTIONAL_VALUE("OriginalFilename", "SbieLdr.exe\0")
VALUE "PrivateBuild", "\0"
VALUE "ProductName", MY_PRODUCT_NAME_STRING "\0"
VALUE "ProductVersion", MY_VERSION_STRING "\0"
VALUE "SpecialBuild", "\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x409, 1200
END
END
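Review bot: The `FileDescription` on L354 describes this executable as a "configuration file utility", which disagrees with the script's own header ("SbieLdr scripting utility", L326) and with the `InternalName`/`OriginalFilename` values of `SbieLdr`; the string looks carried over from another utility's resource script. This is what Explorer, process listings and software-inventory tooling display for the binary, so it should name this program — e.g. `VALUE "FileDescription", MY_PRODUCT_NAME_STRING " loader utility\0"`, with the wording aligned to whatever SbieLdr is meant to do (header comment and value currently differ). `FILETYPE 0x2L` on L345 is `VFT_DLL`, yet SbieLdr.vcxproj in this commit builds an `Application` with a `Console` subsystem; an executable should declare `FILETYPE 0x1L` (`VFT_APP`).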


@ -20,9 +20,9 @@
#ifndef _MY_VERSION_H
#define _MY_VERSION_H
#define MY_VERSION_BINARY 5,43,7
#define MY_VERSION_STRING "5.43.7"
#define MY_VERSION_COMPAT "5.43.5"
#define MY_VERSION_BINARY 5,44,0
#define MY_VERSION_STRING "5.44.0"
#define MY_VERSION_COMPAT "5.44.0" // this reffers to the driver ABI compatybility
// These #defines are used by either Resource Compiler, or by NSIC installer
#define SBIE_INSTALLER_PATH "..\\Bin\\"


@ -104,6 +104,9 @@
<OptimizeReferences>false</OptimizeReferences>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>BUILD_UTILITY_PASS2;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">
<ClCompile>
@ -120,6 +123,9 @@
<OptimizeReferences>false</OptimizeReferences>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>BUILD_UTILITY_PASS2;MY_WIN64_FLAG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">
<ClCompile>
@ -137,6 +143,9 @@
<OptimizeReferences>false</OptimizeReferences>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>BUILD_UTILITY_PASS2;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">
<ClCompile>
@ -152,6 +161,9 @@
<OptimizeReferences>false</OptimizeReferences>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
</Link>
<ResourceCompile>
<PreprocessorDefinitions>BUILD_UTILITY_PASS2;MY_WIN64_FLAG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\common\pattern.c">
@ -227,6 +239,8 @@
<ClCompile Include="guimsg.c" />
<ClCompile Include="guiprop.c" />
<ClCompile Include="guititle.c" />
<ClCompile Include="hook_inst.c" />
<ClCompile Include="hook_tramp.c" />
<ClCompile Include="includes.c" />
<ClCompile Include="ipc.c" />
<ClCompile Include="ipc_start.c">
@ -258,6 +272,7 @@
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="lowlevel_inject.c" />
<ClCompile Include="lsa.c" />
<ClCompile Include="mscoree.c" />
<ClCompile Include="net.c" />
@ -336,6 +351,7 @@
<ClInclude Include="dll.h" />
<ClInclude Include="guidlg.h" />
<ClInclude Include="gui_p.h" />
<ClInclude Include="hook.h" />
<ClInclude Include="ipstore_enum.h" />
<ClInclude Include="ipstore_impl.h" />
<ClInclude Include="obj.h" />
@ -346,6 +362,7 @@
<ClInclude Include="taskbar.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="lowlevel.rc" />
<ResourceCompile Include="resource.rc" />
</ItemGroup>
<ItemGroup>


@ -0,0 +1,268 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="advapi.c" />
<ClCompile Include="crypt.c" />
<ClCompile Include="custom.c" />
<ClCompile Include="debug.c" />
<ClCompile Include="dllmem.c" />
<ClCompile Include="dllpath.c" />
<ClCompile Include="event.c" />
<ClCompile Include="includes.c" />
<ClCompile Include="iphlp.c" />
<ClCompile Include="lsa.c" />
<ClCompile Include="mscoree.c" />
<ClCompile Include="net.c" />
<ClCompile Include="netapi.c" />
<ClCompile Include="obj.c" />
<ClCompile Include="pdh.c" />
<ClCompile Include="proc.c" />
<ClCompile Include="rpcrt.c" />
<ClCompile Include="secure.c" />
<ClCompile Include="setup.c" />
<ClCompile Include="sfc.c" />
<ClCompile Include="sh.c" />
<ClCompile Include="support.c" />
<ClCompile Include="sxs.c" />
<ClCompile Include="sysinfo.c" />
<ClCompile Include="terminal.c" />
<ClCompile Include="userenv.c" />
<ClCompile Include="scm.c">
<Filter>scm</Filter>
</ClCompile>
<ClCompile Include="scm_create.c">
<Filter>scm</Filter>
</ClCompile>
<ClCompile Include="scm_event.c">
<Filter>scm</Filter>
</ClCompile>
<ClCompile Include="scm_misc.c">
<Filter>scm</Filter>
</ClCompile>
<ClCompile Include="scm_notify.c">
<Filter>scm</Filter>
</ClCompile>
<ClCompile Include="scm_query.c">
<Filter>scm</Filter>
</ClCompile>
<ClCompile Include="hook_inst.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="hook_tramp.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="lowlevel_inject.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="ldr.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="ldr_init.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="file.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_dir.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_init.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_link.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_misc.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="file_pipe.c">
<Filter>file</Filter>
</ClCompile>
<ClCompile Include="gdi.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="gui.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guiclass.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guicon.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guidde.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guidlg.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guienum.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guihook.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guimisc.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guimsg.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guiprop.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="guititle.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="..\..\common\pattern.c">
<Filter>common</Filter>
</ClCompile>
<ClCompile Include="..\..\common\pool.c">
<Filter>common</Filter>
</ClCompile>
<ClCompile Include="taskbar.c">
<Filter>gui</Filter>
</ClCompile>
<ClCompile Include="acscmonitor.c" />
<ClCompile Include="pst.cpp">
<Filter>pst</Filter>
</ClCompile>
<ClCompile Include="ipstore_impl.cpp">
<Filter>pst</Filter>
</ClCompile>
<ClCompile Include="ipstore_enum.cpp">
<Filter>pst</Filter>
</ClCompile>
<ClCompile Include="cred.c" />
<ClCompile Include="sbieapi.c">
<Filter>api</Filter>
</ClCompile>
<ClCompile Include="key.c">
<Filter>key</Filter>
</ClCompile>
<ClCompile Include="key_merge.c">
<Filter>key</Filter>
</ClCompile>
<ClCompile Include="key_util.c">
<Filter>key</Filter>
</ClCompile>
<ClCompile Include="dllhook.c">
<Filter>hook</Filter>
</ClCompile>
<ClCompile Include="ipc.c">
<Filter>ipc</Filter>
</ClCompile>
<ClCompile Include="ipc_start.c">
<Filter>ipc</Filter>
</ClCompile>
<ClCompile Include="ole.cpp">
<Filter>com</Filter>
</ClCompile>
<ClCompile Include="com.c">
<Filter>com</Filter>
</ClCompile>
<ClCompile Include="callsvc.c">
<Filter>api</Filter>
</ClCompile>
<ClCompile Include="dllmain.c">
<Filter>hook</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="advapi.h" />
<ClInclude Include="debug.h" />
<ClInclude Include="dll.h" />
<ClInclude Include="hook.h">
<Filter>hook</Filter>
</ClInclude>
<ClInclude Include="gui_p.h">
<Filter>gui</Filter>
</ClInclude>
<ClInclude Include="guidlg.h">
<Filter>gui</Filter>
</ClInclude>
<ClInclude Include="..\..\common\pool.h">
<Filter>common</Filter>
</ClInclude>
<ClInclude Include="propsys.h">
<Filter>gui</Filter>
</ClInclude>
<ClInclude Include="taskbar.h">
<Filter>gui</Filter>
</ClInclude>
<ClInclude Include="pstore.h">
<Filter>pst</Filter>
</ClInclude>
<ClInclude Include="ipstore_impl.h">
<Filter>pst</Filter>
</ClInclude>
<ClInclude Include="ipstore_enum.h">
<Filter>pst</Filter>
</ClInclude>
<ClInclude Include="sbieapi.h">
<Filter>api</Filter>
</ClInclude>
<ClInclude Include="sbiedll.h">
<Filter>api</Filter>
</ClInclude>
<ClInclude Include="obj.h">
<Filter>com</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<CustomBuild Include="util_asm.asm" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="resource.rc" />
<ResourceCompile Include="lowlevel.rc">
<Filter>hook</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<None Include="util_32.asm" />
<None Include="util_64.asm" />
<None Include="SboxDll32.def">
<Filter>api</Filter>
</None>
<None Include="SboxDll64.def">
<Filter>api</Filter>
</None>
</ItemGroup>
<ItemGroup>
<Filter Include="scm">
<UniqueIdentifier>{6da9a76f-4d0f-47ee-b825-7c1e546a0d71}</UniqueIdentifier>
</Filter>
<Filter Include="hook">
<UniqueIdentifier>{5f7e4efc-f1a0-402a-bdc9-b2b89d6b7dd2}</UniqueIdentifier>
</Filter>
<Filter Include="file">
<UniqueIdentifier>{881ad2c8-b8c4-4ca8-aecd-5c4796ad46b5}</UniqueIdentifier>
</Filter>
<Filter Include="gui">
<UniqueIdentifier>{8ee84c6a-ed91-4765-b5c9-d8d65a4d605a}</UniqueIdentifier>
</Filter>
<Filter Include="common">
<UniqueIdentifier>{aebace4d-7063-460f-a875-1dacf59a4ed6}</UniqueIdentifier>
</Filter>
<Filter Include="pst">
<UniqueIdentifier>{5d69d34a-4b02-40d2-a27e-ae16165b5933}</UniqueIdentifier>
</Filter>
<Filter Include="key">
<UniqueIdentifier>{d6a7a70a-5bfe-4598-b4e6-516442cd97e1}</UniqueIdentifier>
</Filter>
<Filter Include="ipc">
<UniqueIdentifier>{66c7aa3a-4c74-4ccc-8d57-ddb65c59cd58}</UniqueIdentifier>
</Filter>
<Filter Include="com">
<UniqueIdentifier>{fde0ce5f-2daf-4dfc-9512-731510cffabf}</UniqueIdentifier>
</Filter>
<Filter Include="api">
<UniqueIdentifier>{1903d308-e235-4da0-a117-0dfaa6eb24eb}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<Midl Include="pstore.idl">
<Filter>pst</Filter>
</Midl>
</ItemGroup>
</Project>


@ -22,6 +22,7 @@
#define NOGDI
#include "dll.h"
#include "hook.h"
#include "common/pool.h"
#include "common/pattern.h"
@ -68,6 +69,28 @@ extern CRITICAL_SECTION VT_CriticalSection;
#endif _WIN64
extern ULONG Dll_Windows;
//---------------------------------------------------------------------------
// SbieApi_HookTramp
//---------------------------------------------------------------------------
_FX LONG SbieApi_HookTramp(void *Source, void *Trampoline)
{
NTSTATUS status;
#ifdef _WIN64
BOOLEAN is64 = TRUE;
#else
BOOLEAN is64 = FALSE;
#endif _WIN64
if (Hook_BuildTramp(Source, Trampoline, is64, TRUE))
status = STATUS_SUCCESS;
else
status = STATUS_UNSUCCESSFUL;
return status;
}
//---------------------------------------------------------------------------
// SbieDll_Hook
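Review bot: `SbieApi_HookTramp` (L748–L761) passes `probe = TRUE` into `Hook_BuildTramp`, but in the user-mode build this commit compiles the `ProbeForRead` path out of `Hook_Analyze` (hook_inst.c hunk at `@ -130`, under `#ifdef KERNEL_MODE`), so the flag has no effect here and the only protection against an unreadable `Source` is the analyzer's `__try`/`__except`; a comment on the call would stop the next reader from assuming the probe does something: `// probe has no effect in user mode; faults in Hook_Analyze are caught by its SEH handler`. The wrapper also collapses every failure into `STATUS_UNSUCCESSFUL`, which matches the former ioctl version's contract, but its header comment should now state that `Trampoline` must be a caller-supplied writable buffer, since a NULL trampoline is only allocated from the pool in kernel mode (hook_tramp.c hunk at `@ -452`). The `status` local is not needed: `return Hook_BuildTramp(Source, Trampoline, is64, TRUE) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;`.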

143
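--- a/Sandboxie/core/dll/hook.h
+++ b/Sandboxie/core/dll/hook.h
@@ -0,0 +1,143 @@
+/*
+* Copyright 2004-2020 Sandboxie Holdings, LLC
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+//---------------------------------------------------------------------------
+// Hook Management
+//---------------------------------------------------------------------------
+#ifndef _MY_HOOK_H
+#define _MY_HOOK_H
+//---------------------------------------------------------------------------
+// Structures and Types
+//---------------------------------------------------------------------------
+#ifdef HOOK_WITH_PRIVATE_PARTS
+enum HOOK_KIND {
+INST_UNKNOWN = 0,
+INST_MOVE,
+INST_CTLXFER, // jmp/jcc/call with 32-bit disp
+INST_CTLXFER_REG, // jmp/call reg or [reg]
+INST_CALL_MEM, // call [mem]
+INST_JUMP_MEM, // jmp [mem]
+INST_SYSCALL,
+INST_RET
+};
+typedef struct _HOOK_INST {
+ULONG len;
+UCHAR kind;
+UCHAR op1, op2;
+ULONG64 parm;
+LONG *rel32; // --> 32-bit relocation for control-xfer
+UCHAR *modrm;
+ULONG flags;
+} HOOK_INST;
+#endif // HOOK_WITH_PRIVATE_PARTS
+//---------------------------------------------------------------------------
+// HOOK_TRAMP
+//---------------------------------------------------------------------------
+#pragma pack(push)
+#pragma pack(1)
+typedef struct _HOOK_TRAMP {
+ULONG eyecatcher; // (0,4) signature
+ULONG size; // (4,4) tramp size (multiple of 16)
+void *target; // (8,4/8) branch target in source
+__declspec(align(16))
+UCHAR code[64]; // (16) source code + extra jmp
+ULONG count; // original length of relocated code
+} HOOK_TRAMP;
+#pragma pack(pop)
+#define HOOK_TRAMP_CODE_TO_TRAMP_HEAD(x) \
+(HOOK_TRAMP *)((ULONG_PTR)x - FIELD_OFFSET(HOOK_TRAMP, code))
+//---------------------------------------------------------------------------
+// Functions
+//---------------------------------------------------------------------------
+// Hook_BuildTramp constructs a detour trampoline that will jump to
+// SourceFunc + n, where n is the length, in bytes, of the first few
+// instructions at SourceFunc that would be damaged by placing a jump
+// instruction at the top of SourceFunc. The jump instruction is assumed
+// to be 5 bytes long in 32-bit mode and 12 bytes long in 64-bit mode.
+// The damaged instructions are copied to the detour trampoline.
+// Returns the address to the start of the code in the detour trampoline.
+// The function being redirected to, through the overwriting jump
+// instruction, should jump to the returned value, to invoke the
+// original code. The trampoline is built on the address specified
+// in Trampoline. Kernel-mode code should pass a NULL address to
+// use a system space trampoline.
+void *Hook_BuildTramp(
+void *SourceFunc, void *Trampoline, BOOLEAN is64, BOOLEAN probe);
+// Hook_BuildJump1 will write a 'jmp DestFunc' instruction at
+// the address specified by WritableAddr. In case WritableAddr was
+// generated using MmGetSystemAddressForMdlSafe, then ExecutableAddr
+// specifies the corresponding "real" address which will be used to
+// generate a 32-bit jump offset. (Note that 64-bit code does not
+// use jump offsets and disregards ExecutableAddr.)
+void Hook_BuildJump(
+void *WritableAddr, void *ExecutableAddr, void *JumpTarget);
+#ifdef HOOK_WITH_PRIVATE_PARTS
+// Analyze a single instruction at the specified address
+BOOLEAN Hook_Analyze(
+void *address,
+BOOLEAN probe_address,
+BOOLEAN is64,
+HOOK_INST *inst);
+#endif // HOOK_WITH_PRIVATE_PARTS
+//---------------------------------------------------------------------------
+#endif // _MY_HOOK_H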
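Review bot: The macro `HOOK_TRAMP_CODE_TO_TRAMP_HEAD(x)` (L829–L830) casts its argument without parentheses, so `(ULONG_PTR)x` applied to an expression such as `p + n` casts only `p`; write `(HOOK_TRAMP *)((ULONG_PTR)(x) - FIELD_OFFSET(HOOK_TRAMP, code))`. The comment on L848 refers to `Hook_BuildJump1` while the declared function is `Hook_BuildJump` (L854). The `Hook_BuildTramp` comment (L843–L845) still says kernel-mode code may pass a NULL `Trampoline` to get a system-space one, but after this commit that fallback exists only under `KERNEL_MODE` (hook_tramp.c hunk at `@ -452`) and a user-mode caller passing NULL gets NULL back; since this header is now shared with SbieDll, add `// User-mode callers must supply Trampoline; a NULL trampoline is only allocated in kernel mode.` to that block.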


@ -20,8 +20,16 @@
//---------------------------------------------------------------------------
#ifdef KERNEL_MODE
#define Sbie_swprintf swprintf
#else
#include "dll.h"
#include "msgs/msgs.h"
#define MSG_HOOK_ANALYZE MSG_1151
#define Log_Msg1 SbieApi_Log
#define HOOK_WITH_PRIVATE_PARTS
#include "hook.h"
#endif
//---------------------------------------------------------------------------
@ -130,8 +138,10 @@ ALIGNED BOOLEAN Hook_Analyze(
__try {
#ifdef KERNEL_MODE
if (probe_address)
ProbeForRead(address, 16, sizeof(UCHAR));
#endif
/*if (1) {
UCHAR *z = (UCHAR *)address;
@ -147,7 +157,7 @@ ALIGNED BOOLEAN Hook_Analyze(
addr = Hook_Analyze_Inst(addr, inst);
if (! addr) {
addr = address;
swprintf(text, L"%08p: %02X,%02X,%02X,%02X,"
Sbie_swprintf(text, L"%08p: %02X,%02X,%02X,%02X,"
L"%02X,%02X,%02X,%02X,%02X,%02X,%02X,%02X", addr,
addr[0], addr[1], addr[2], addr[3], addr[4], addr[5],
addr[6], addr[7], addr[8], addr[9], addr[10], addr[11]);
@ -158,7 +168,7 @@ ALIGNED BOOLEAN Hook_Analyze(
} __except (EXCEPTION_EXECUTE_HANDLER) {
addr = NULL;
swprintf(text, L"(fault at %p)", address);
Sbie_swprintf(text, L"(fault at %p)", address);
Log_Msg1(MSG_HOOK_ANALYZE, text);
}
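Review bot: With `ProbeForRead` now compiled only under `KERNEL_MODE` (L884–L887), the `probe_address` parameter of `Hook_Analyze` is unreferenced in the user-mode build, which MSVC flags at /W4 and which obscures that user mode relies solely on the `__except` handler at L900 to survive an unreadable address; add `UNREFERENCED_PARAMETER(probe_address);` in an `#else` branch there, or a comment above the `__try` stating that the probe is kernel-only and SEH is the user-mode guard. The user-mode definition of `Sbie_swprintf` is not in this hunk (only the kernel mapping on L872 is), so whether the write into `text` at L895 and L903 is length-checked cannot be confirmed from here; it is worth verifying it maps to a bounded `swprintf_s`-style call, since the analyzer formats raw instruction bytes into a fixed buffer on its error path. `Hook_Analyze` begins before this hunk.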


@ -20,9 +20,14 @@
//---------------------------------------------------------------------------
#ifdef KERNEL_MODE
#else
#include "dll.h"
#define HOOK_WITH_PRIVATE_PARTS
#include "hook.h"
#include "util.h"
#endif
//---------------------------------------------------------------------------
// Structures and Types
@ -42,9 +47,6 @@ typedef struct _HOOK_TRAMP_PAGE {
// Functions
//---------------------------------------------------------------------------
static void *Hook_Tramp_Get(ULONG TrampSize);
static BOOLEAN Hook_Tramp_CountBytes(
void *SysProc, ULONG *ByteCount, BOOLEAN is64, BOOLEAN probe);
@ -66,7 +68,7 @@ static BOOLEAN Hook_Tramp_Pages_Initialized = FALSE;
// Hook_Tramp_Get
//---------------------------------------------------------------------------
#ifdef KERNEL_MODE
_FX void *Hook_Tramp_Get(ULONG TrampSize)
{
NTSTATUS status;
@ -172,7 +174,7 @@ finish:
return tramp;
}
#endif
//---------------------------------------------------------------------------
// Hook_Tramp_CountBytes
@ -452,13 +454,14 @@ _FX void *Hook_BuildTramp(
return NULL;
}
if (Trampoline)
#ifdef KERNEL_MODE
if (!Trampoline)
tramp = (HOOK_TRAMP *)Hook_Tramp_Get(sizeof(HOOK_TRAMP));
else
#endif
tramp = (HOOK_TRAMP *)Trampoline;
else {
tramp = (HOOK_TRAMP *)Hook_Tramp_Get(sizeof(HOOK_TRAMP));
if (! tramp)
return NULL;
}
if (! tramp)
return NULL;
if (SourceFunc) {
if (! Hook_Tramp_Copy(tramp, SourceFunc, ByteCount, is64, probe))
@ -479,6 +482,7 @@ _FX void Hook_BuildJump(
{
UCHAR *SourceAddr = (UCHAR *)WritableAddr;
#ifdef KERNEL_MODE
//
// ideally, WritableAddr points at a writable page received through
// MmGetSystemAddressForMdlSafe for the page at ExecutableAddr.
@ -487,6 +491,7 @@ _FX void Hook_BuildJump(
//
DisableWriteProtect();
#endif
//
// if we detect JMP DWORD/QWORD PTR [+00], then replace the jump target
@ -545,5 +550,7 @@ _FX void Hook_BuildJump(
}
#ifdef KERNEL_MODE
EnableWriteProtect();
#endif
}
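Review bot: The `#ifdef KERNEL_MODE` in Hook_BuildTramp now wraps an `if`/`else` whose else body, `tramp = (HOOK_TRAMP *)Trampoline;`, doubles as an unconditional statement in the user-mode build; that is correct today but easy to break the moment either branch gains a second statement or a brace. Assigning first and falling back only in kernel mode keeps the behaviour with no conditional straddling the preprocessor boundary: `tramp = (HOOK_TRAMP *)Trampoline;` / `#ifdef KERNEL_MODE` / `if (! tramp) tramp = (HOOK_TRAMP *)Hook_Tramp_Get(sizeof(HOOK_TRAMP));` / `#endif`, followed by the existing `if (! tramp) return NULL;`. In the user-mode build a NULL Trampoline now makes Hook_BuildTramp return NULL with no diagnostic, presumably intended since only the driver has a trampoline pool; a one-line comment at the `#endif` saying so would spare the next reader the question. Hook_BuildTramp starts before this hunk and continues after it.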



@ -850,7 +850,7 @@ _FX LONG SbieApi_DisableForceProcess(
//---------------------------------------------------------------------------
_FX LONG SbieApi_HookTramp(void *Source, void *Trampoline)
/*_FX LONG SbieApi_HookTramp(void *Source, void *Trampoline)
{
NTSTATUS status;
__declspec(align(8)) ULONG64 parms[API_NUM_ARGS];
@ -861,7 +861,7 @@ _FX LONG SbieApi_HookTramp(void *Source, void *Trampoline)
status = SbieApi_Ioctl(parms);
return status;
}
}*/
//---------------------------------------------------------------------------


@ -192,6 +192,10 @@ SBIEDLL_EXPORT BOOLEAN SbieDll_RegisterDllCallback(void *Callback);
SBIEDLL_EXPORT BOOLEAN SbieDll_ExpandAndRunProgram(const WCHAR *Command);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitHelper();
SBIEDLL_EXPORT ULONG SbieDll_InjectLow_InitSyscalls(BOOLEAN drv_init);
SBIEDLL_EXPORT ULONG SbieDll_InjectLow(HANDLE hProcess, BOOLEAN is_wow64, BOOLEAN bHostInject, BOOLEAN dup_drv_handle);
//---------------------------------------------------------------------------
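Review bot: The three new SBIEDLL_EXPORT declarations carry no contract: nothing says what the ULONG they return means or what `dup_drv_handle` selects. On the service side of this commit the return value is treated as an error level that is zero on success (`if (errlvl != 0)`), not an NTSTATUS, which is worth stating so callers do not wrap it in NT_SUCCESS. I would put `// InjectLow entry points; each returns 0 on success or a non-zero error level (not an NTSTATUS)` above the three lines and `// dup_drv_handle: duplicate the SbieDrv API handle into hProcess` after the last parameter list; the meaning of dup_drv_handle is inferred from its name and should be confirmed against the implementation, which is not in this hunk.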


@ -239,6 +239,18 @@
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="..\dll\hook_inst.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="..\dll\hook_tramp.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="api.c" />
<ClCompile Include="box.c" />
<ClCompile Include="conf.c" />
@ -267,11 +279,18 @@
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="hook.c" />
<ClCompile Include="hook_32.c" />
<ClCompile Include="hook_64.c" />
<ClCompile Include="hook_inst.c" />
<ClCompile Include="hook_tramp.c" />
<ClCompile Include="hook.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="hook_32.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="hook_64.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="includes.c" />
<ClCompile Include="ipc.c" />
<ClCompile Include="ipc_port.c" />
@ -301,7 +320,10 @@
<ClCompile Include="process.c" />
<ClCompile Include="process_api.c" />
<ClCompile Include="process_force.c" />
<ClCompile Include="process_hook.c" />
<ClCompile Include="process_hook.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="process_low.c" />
<ClCompile Include="process_util.c" />
<ClCompile Include="log_buff.c" />
@ -366,6 +388,12 @@
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClInclude>
<ClInclude Include="..\dll\hook.h">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|Win32'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieRelease|x64'">true</ExcludedFromBuild>
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='SbieDebug|x64'">true</ExcludedFromBuild>
</ClInclude>
<ClInclude Include="alpc.h" />
<ClInclude Include="api.h" />
<ClInclude Include="api_defs.h" />
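Review bot: `..\dll\hook_inst.c` and `..\dll\hook_tramp.c` are added to the project but marked ExcludedFromBuild for all four configurations, which looks like a mistake unless the reader knows they are compiled through `#include` from the driver's hook.c in this same commit; an XML comment above those two entries would prevent a well-meant "fix" that compiles them twice: `<!-- hook_inst.c / hook_tramp.c are #included by hook.c (KERNEL_MODE); listed for IDE navigation only, never built standalone -->`. The same applies to the `..\dll\hook.h` entry in the ClInclude group. hook.c, hook_32.c, hook_64.c and process_hook.c are newly excluded from the x64 configurations; if that is the intended retirement of kernel-mode hooking on x64, a comment naming it would help too.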


@ -185,7 +185,7 @@ _FX BOOLEAN Api_Init(void)
Api_SetFunction(API_UNLOAD_DRIVER, Driver_Api_Unload);
Api_SetFunction(API_HOOK_TRAMP, Hook_Api_Tramp);
//Api_SetFunction(API_HOOK_TRAMP, Hook_Api_Tramp);
if ((! Api_Functions) || (Api_Functions == (void *)-1))
return FALSE;
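Review bot: Commenting out `Api_SetFunction(API_HOOK_TRAMP, Hook_Api_Tramp);` leaves the API_HOOK_TRAMP slot of Api_Functions unset while the enum value is kept as deprecated, so a caller still issuing that code now reaches whatever the dispatcher does for an empty entry; that is fine if the dispatcher rejects unset slots, which this hunk does not show, so please confirm it returns an error rather than calling through an empty entry. Deleting the line outright and noting the retirement next to the enum (`// deprecated, no longer registered by Api_Init`) would be clearer than leaving commented-out code. Api_Init continues outside the hunk.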


@ -97,7 +97,7 @@ enum {
API_QUERY_PATH_LIST,
API_ENUM_PROCESSES,
API_DISABLE_FORCE_PROCESS,
API_HOOK_TRAMP,
API_HOOK_TRAMP, // deprecated
API_UNMOUNT_HIVES, // deprecated
API_QUERY_CONF,
API_RELOAD_CONF,


@ -256,12 +256,12 @@ _FX BOOLEAN Driver_CheckOsVersion(void)
//
// make sure we're running on Windows XP (v5.1) or later (32-bit)
// or Windows Vista (v6.0) or later (64-bit)
// or Windows 7 (v6.1) or later (64-bit)
//
#ifdef _WIN64
const ULONG MajorVersionMin = 6;
const ULONG MinorVersionMin = 0;
const ULONG MinorVersionMin = 1;
#else
const ULONG MajorVersionMin = 5;
const ULONG MinorVersionMin = 1;
@ -601,28 +601,30 @@ _FX BOOLEAN Driver_FindHomePath(UNICODE_STRING *RegistryPath)
_FX BOOLEAN Driver_FindMissingServices(void)
{
void *ptr;
WCHAR err_txt[128];
UNICODE_STRING uni;
//
// Windows 7 kernel exports ZwSetInformationToken
// on earlier versions of Windows, we search for it
//
#ifndef _WIN64
if (Driver_OsVersion < DRIVER_WINDOWS_7) {
void *ptr;
WCHAR err_txt[128];
if (Driver_OsVersion >= DRIVER_WINDOWS_7) {
FIND_SERVICE(ZwSetInformationToken, 4);
RtlInitUnicodeString(&uni, L"ZwSetInformationToken");
ZwSetInformationToken = (P_NtSetInformationToken)
MmGetSystemRoutineAddress(&uni);
if (! ZwSetInformationToken) {
Log_Msg1(MSG_1108, uni.Buffer);
return FALSE;
}
} else {
FIND_SERVICE(ZwSetInformationToken, 4);
} else
#endif
{
RtlInitUnicodeString(&uni, L"ZwSetInformationToken");
ZwSetInformationToken = (P_NtSetInformationToken)
MmGetSystemRoutineAddress(&uni);
if (!ZwSetInformationToken) {
Log_Msg1(MSG_1108, uni.Buffer);
return FALSE;
}
}
return TRUE;
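Review bot: The new `#ifndef _WIN64` around the pre-Windows-7 search in Driver_FindMissingServices silently depends on the change a few lines up, where the 64-bit minimum version becomes 6.1, yet the comment above it still says "on earlier versions of Windows, we search for it" as if that applied to both builds. I would extend that comment with `// (32-bit builds only: the 64-bit driver requires Windows 7 or later, see Driver_CheckOsVersion)` so the two hunks are tied together for the next reader. If I read the sides correctly, `ptr` and `err_txt` now live inside the 32-bit-only block, which is the right place since FIND_SERVICE is presumably their only consumer; if they in fact stayed at function scope they would be unused in the 64-bit build. FIND_SERVICE itself is not visible here.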


@ -24,6 +24,10 @@
#include "hook.h"
#include "dll.h"
#include "util.h"
#define KERNEL_MODE
#include "../dll/hook_inst.c"
#include "../dll/hook_tramp.c"
//---------------------------------------------------------------------------
// Defines
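Review bot: `#define KERNEL_MODE` followed by `#include "../dll/hook_inst.c"` and `"../dll/hook_tramp.c"` compiles the shared hooking sources into this translation unit, and the order matters: the included hook_tramp.c pulls in its own dll.h/hook.h/util.h only when KERNEL_MODE is absent, and hook_inst.c and Hook_BuildTramp switch to ProbeForRead and Hook_Tramp_Get only when it is defined, so the define must sit after this file's own includes and before the two `#include`s, exactly as written. That contract deserves a comment so nobody reorders it: `// KERNEL_MODE selects the driver variants (ProbeForRead, Hook_Tramp_Get) inside the shared hook_inst.c / hook_tramp.c; keep the define after this file's headers and before the two includes`. The user-mode side of hook_tramp.c defines HOOK_WITH_PRIVATE_PARTS before including hook.h, which suggests the shared header gates HOOK_INST on it; whether this file does the same before its `#include "hook.h"` is above the hunk and should be checked.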


@ -21,78 +21,12 @@
#ifndef _MY_HOOK_H
#define _MY_HOOK_H
//#define _MY_HOOK_H // defined by "../dll/hook.h"
#include "driver.h"
//---------------------------------------------------------------------------
// Structures and Types
//---------------------------------------------------------------------------
#ifdef HOOK_WITH_PRIVATE_PARTS
enum HOOK_KIND {
INST_UNKNOWN = 0,
INST_MOVE,
INST_CTLXFER, // jmp/jcc/call with 32-bit disp
INST_CTLXFER_REG, // jmp/call reg or [reg]
INST_CALL_MEM, // call [mem]
INST_JUMP_MEM, // jmp [mem]
INST_SYSCALL,
INST_RET
};
typedef struct _HOOK_INST {
ULONG len;
UCHAR kind;
UCHAR op1, op2;
ULONG64 parm;
LONG *rel32; // --> 32-bit relocation for control-xfer
UCHAR *modrm;
ULONG flags;
} HOOK_INST;
#endif // HOOK_WITH_PRIVATE_PARTS
//---------------------------------------------------------------------------
// HOOK_TRAMP
//---------------------------------------------------------------------------
#pragma pack(push)
#pragma pack(1)
typedef struct _HOOK_TRAMP {
ULONG eyecatcher; // (0,4) signature
ULONG size; // (4,4) tramp size (multiple of 16)
void *target; // (8,4/8) branch target in source
__declspec(align(16))
UCHAR code[64]; // (16) source code + extra jmp
ULONG count; // original length of relocated code
} HOOK_TRAMP;
#pragma pack(pop)
#define HOOK_TRAMP_CODE_TO_TRAMP_HEAD(x) \
(HOOK_TRAMP *)((ULONG_PTR)x - FIELD_OFFSET(HOOK_TRAMP, code))
#include "../dll/hook.h"
//---------------------------------------------------------------------------
// Functions
@ -111,49 +45,12 @@ LONG Hook_GetServiceIndex(void *DllProc, LONG *SkipIndexes);
// kernel-mode Zw dispatcher stub (ZwXxx).
BOOLEAN Hook_GetService(
void *DllProc, LONG *SkipIndexes, ULONG ParamCount,
void **NtService, void **ZwService);
// Hook_BuildTramp constructs a detour trampoline that will jump to
// SourceFunc + n, where n is the length, in bytes, of the first few
// instructions at SourceFunc that would be damaged by placing a jump
// instruction at the top of SourceFunc. The jump instruction is assumed
// to be 5 bytes long in 32-bit mode and 12 bytes long in 64-bit mode.
// The damaged instructions are copied to the detour trampoline.
// Returns the address to the start of the code in the detour trampoline.
// The function being redirected to, through the overwriting jump
// instruction, should jump to the returned value, to invoke the
// original code. The trampoline is built on the address specified
// in Trampoline. Kernel-mode code should pass a NULL address to
// use a system space trampoline.
void *Hook_BuildTramp(
void *SourceFunc, void *Trampoline, BOOLEAN is64, BOOLEAN probe);
// Hook_BuildJump1 will write a 'jmp DestFunc' instruction at
// the address specified by WritableAddr. In case WritableAddr was
// generated using MmGetSystemAddressForMdlSafe, then ExecutableAddr
// specifies the corresponding "real" address which will be used to
// generate a 32-bit jump offset. (Note that 64-bit code does not
// use jump offsets and disregards ExecutableAddr.)
void Hook_BuildJump(
void *WritableAddr, void *ExecutableAddr, void *JumpTarget);
void *DllProc, LONG *SkipIndexes, ULONG ParamCount,
void **NtService, void **ZwService);
#ifdef HOOK_WITH_PRIVATE_PARTS
// Analyze a single instruction at the specified address
BOOLEAN Hook_Analyze(
void *address,
BOOLEAN probe_address,
BOOLEAN is64,
HOOK_INST *inst);
// Returns the address of the NTOS kernel service identified by the
// specified service index. It must take exactly as many parameters
// as indicated. This routine is implemented differently for 32-bit
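Review bot: With `#define _MY_HOOK_H` replaced by a comment, this header keeps its `#ifndef _MY_HOOK_H` guard but relies on `../dll/hook.h`, included only after `driver.h`, to define the macro; between those two lines the guard is not in effect, so if driver.h transitively pulls this header in again it is re-entered, and any driver source that includes the shared dll/hook.h first will afterwards skip this header entirely because the guard name is shared. Give each header its own guard: restore `#define _MY_HOOK_H` here as before and let dll/hook.h use a distinct name (say `_MY_HOOK_DLL_H`, a constructed example). Whether driver.h actually includes hook.h is not visible in this hunk.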


@ -247,12 +247,20 @@ _FX void InitInject(SBIELOW_DATA *data, void * RtlFindActivationContextSectionSt
if (data->is_wow64) {
extern ULONG64 SbieApi_QueryProcessInfo(
SBIELOW_DATA *data, ULONG info_type);
//
// Instead of requiering the driver for this task, we can simplify it
// and use NtQueryVirtualMemory to find the mapped image directly.
// We do that in the injector, but we could also have done it here ourselves.
//
ULONG ntdll32_base = (ULONG)SbieApi_QueryProcessInfo(data, 'nt32');
ntdll_base = (void *)data->ntdll_wow64_base;
ntdll_base = (void *)(ULONG_PTR)ntdll32_base;
//extern ULONG64 SbieApi_QueryProcessInfo(
// SBIELOW_DATA *data, ULONG info_type);
//
//ULONG ntdll32_base = (ULONG)SbieApi_QueryProcessInfo(data, 'nt32');
//
//ntdll_base = (void *)(ULONG_PTR)ntdll32_base;
//
// (prior to Windows 8, the base address of ntdll32 is recorded
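Review bot: `ntdll_base = (void *)data->ntdll_wow64_base;` is used with no check that the injector actually filled the field, and the visible code has no fallback path; if SbieDll can fail to resolve the wow64 ntdll, a zero here should be caught before ntdll_base is used further down (the rest of InitInject is outside the hunk). The retired SbieApi_QueryProcessInfo call is kept as a commented-out block directly under its replacement; delete it rather than carry it, the history is in the commit. The new explanatory comment misspells `requiering` and would read better as `// The injector resolves the 32-bit ntdll base with NtQueryVirtualMemory and passes it in ntdll_wow64_base; the driver is no longer needed for this.`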


@ -68,6 +68,7 @@ typedef struct _SBIELOW_DATA {
ULONG64 RealNtDeviceIoControlFile;
#ifdef _WIN64
SBIELOW_J_TABLE * Sbie64bitJumpTable;
ULONG64 ntdll_wow64_base;
#endif
} SBIELOW_DATA;
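Review bot: The new `ULONG64 ntdll_wow64_base;` member of SBIELOW_DATA is undocumented, and its producer and consumer live in different images: inject.c in this commit reads it as the 32-bit ntdll base when `is_wow64` is set, and the comment there says the injector now resolves it instead of the driver. Record that contract on the field, e.g. `ULONG64 ntdll_wow64_base; // base of the 32-bit ntdll in a wow64 target; written by the injector (SbieDll), read by inject.c when is_wow64 is set`, so the 64-bit-only placement and the zero-means-unresolved case are explicit. The visible part of inject.c applies no check before using the value, so the writer has to guarantee it is non-zero whenever is_wow64 is set.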


@ -104,27 +104,10 @@ private:
// functions to inject low level code layer into new process
//
bool InjectLow_Init();
bool InjectLow_InitHelper(ULONG *errlvl);
static ULONG_PTR InjectLow_FindHighestAddress();
ULONG InjectLow_InitSyscalls();
bool InjectLow_Init();
void InjectLow(void *_msg);
HANDLE InjectLow_OpenProcess(void *_msg);
HANDLE InjectLow_SendHandle(HANDLE hProcess);
void *InjectLow_CopyCode(HANDLE hProcess, BOOLEAN iswow64,
UCHAR *code, ULONG code_len);
bool InjectLow_BuildTramp(
void *_msg, BOOLEAN long_diff, UCHAR *code, ULONG_PTR addr);
void *InjectLow_CopySyscalls(HANDLE hProcess);
bool InjectLow_CopyData(
HANDLE hProcess, void *remote_addr, void *local_data);
#ifdef _WIN64
void * InjectLow_getPage(HANDLE hProcess,void *remote_addr);
bool DriverAssist::Has32BitJumpHorizon(void * target, void * detour);
#endif
bool InjectLow_WriteJump(
HANDLE hProcess, void *remote_addr, BOOLEAN long_diff, void * local_data);
HANDLE InjectLow_OpenProcess(void *_msg);
//
// data
@ -148,21 +131,6 @@ private:
CRITICAL_SECTION m_LogMessage_CritSec;
CRITICAL_SECTION m_critSecHostInjectedSvcs;
//
// DriverAssistInject data
//
void *m_sbielow_ptr;
//adding two offsets variables to replace the "head" and "tail" dependency
ULONG m_sbielow_start_offset;
ULONG m_sbielow_data_offset;
ULONG m_sbielow_len;
ULONG *m_syscall_data;
ULONG_PTR m_LdrInitializeThunk;
};


@ -35,16 +35,8 @@
bool DriverAssist::InjectLow_Init()
{
ULONG level = 0;
m_sbielow_start_offset = 0;
m_sbielow_data_offset = 0;
m_sbielow_ptr = NULL;
m_sbielow_len = 0;
m_syscall_data = NULL;
ULONG errlvl = 0;
if (! InjectLow_InitHelper(&errlvl)) {
ULONG errlvl = SbieDll_InjectLow_InitHelper();
if (errlvl != 0) {
LogEvent(MSG_9234, 0x9241, errlvl);
return false;
}
@ -53,414 +45,35 @@ bool DriverAssist::InjectLow_Init()
}
//---------------------------------------------------------------------------
// InjectLow_InitHelper
//---------------------------------------------------------------------------
typedef struct _MY_TARGETS {
unsigned long long entry;
unsigned long long data;
} MY_TARGETS;
extern ULONG Dll_Windows;
bool DriverAssist::InjectLow_InitHelper(ULONG *errlvl)
{
//
// lock the SbieLow resource (embedded within the SbieSvc executable,
// see lowlevel.rc) and find the offset to executable code, and length
//
IMAGE_DOS_HEADER *dos_hdr = 0;
IMAGE_NT_HEADERS *nt_hdrs = 0;
IMAGE_SECTION_HEADER *section = 0;
IMAGE_DATA_DIRECTORY *data_dirs = 0;
ULONG_PTR imageBase = 0;
MY_TARGETS *targets = 0;
*errlvl = 0x11;
HRSRC hrsrc = FindResource(NULL, L"LOWLEVEL", RT_RCDATA);
if (! hrsrc)
return false;
ULONG binsize = SizeofResource(NULL, hrsrc);
if (! binsize)
return false;
HGLOBAL hglob = LoadResource(NULL, hrsrc);
if (! hglob)
return false;
UCHAR *bindata = (UCHAR *)LockResource(hglob);
if (! bindata)
return false;
*errlvl = 0x22;
dos_hdr = (IMAGE_DOS_HEADER *)bindata;
if (dos_hdr->e_magic == 'MZ' || dos_hdr->e_magic == 'ZM') {
nt_hdrs = (IMAGE_NT_HEADERS *)((UCHAR *)dos_hdr + dos_hdr->e_lfanew);
if (nt_hdrs->Signature == IMAGE_NT_SIGNATURE) { // 'PE\0\0'
#ifndef _WIN64
if (nt_hdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
IMAGE_NT_HEADERS32 *nt_hdrs_32 = (IMAGE_NT_HEADERS32 *)nt_hdrs;
IMAGE_OPTIONAL_HEADER32 *opt_hdr_32 = &nt_hdrs_32->OptionalHeader;
data_dirs = &opt_hdr_32->DataDirectory[0];
imageBase = opt_hdr_32->ImageBase;
}
#else
if (nt_hdrs->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
IMAGE_NT_HEADERS64 *nt_hdrs_64 = (IMAGE_NT_HEADERS64 *)nt_hdrs;
IMAGE_OPTIONAL_HEADER64 *opt_hdr_64 = &nt_hdrs_64->OptionalHeader;
data_dirs = &opt_hdr_64->DataDirectory[0];
imageBase = (ULONG_PTR)opt_hdr_64->ImageBase;
}
#endif
else {
return false;
}
}
else {
return false;
}
}
if (imageBase) {
return false;
}
section = IMAGE_FIRST_SECTION(nt_hdrs);
if (nt_hdrs->FileHeader.NumberOfSections < 2) return false;
if (strncmp((char *)section[0].Name, SBIELOW_INJECTION_SECTION, strlen(SBIELOW_INJECTION_SECTION)) ||
strncmp((char *)section[1].Name, SBIELOW_SYMBOL_SECTION, strlen(SBIELOW_SYMBOL_SECTION))) {
return false;
}
targets = (MY_TARGETS *)& bindata[section[1].PointerToRawData];
m_sbielow_start_offset = (ULONG)targets->entry - section[0].VirtualAddress;
m_sbielow_data_offset = (ULONG)targets->data - section[0].VirtualAddress;
m_sbielow_ptr = bindata + section[0].PointerToRawData; //Old version: head;
m_sbielow_len = section[0].SizeOfRawData; //Old version: (ULONG)(ULONG_PTR)(tail - head);
if ((!m_sbielow_start_offset) || (!m_sbielow_data_offset))
return false;
//
// record information about ntdll and the virtual memory system
//
*errlvl = 0x33;
m_LdrInitializeThunk = (ULONG_PTR) GetProcAddress(_Ntdll, "LdrInitializeThunk");
if (! m_LdrInitializeThunk)
return false;
#ifdef _WIN64
if (Dll_Windows >= 10) {
unsigned char * code;
code = (unsigned char *)m_LdrInitializeThunk;
if (*(ULONG *)&code[0] == 0x24048b48 && code[0xa] == 0x48) {
m_LdrInitializeThunk += 0xa;
}
}
#endif
return true;
}
// InjectLow_InitSyscalls
//---------------------------------------------------------------------------
ULONG DriverAssist::InjectLow_InitSyscalls()
{
const WCHAR *_SbieDll = L"\\" SBIEDLL L".dll";
ULONG status;
ULONG len;
SBIELOW_EXTRA_DATA *extra;
WCHAR *ptr;
ULONG *syscall_data;
#define ULONG_DIFF(b,a) ((ULONG)((ULONG_PTR)(b) - (ULONG_PTR)(a)))
//
// get the list of syscall from the driver
//
if (! m_syscall_data) {
syscall_data = (ULONG *)HeapAlloc(GetProcessHeap(), 0, 8192);
if (! syscall_data)
return STATUS_INSUFFICIENT_RESOURCES;
*syscall_data = 0;
} else
syscall_data = m_syscall_data;
status = SbieApi_CallOne(API_QUERY_SYSCALLS, (ULONG_PTR)syscall_data);
if (status != 0)
return status;
len = *syscall_data;
if ((! len) || (len & 3) || (len > 4096))
return STATUS_INVALID_IMAGE_FORMAT;
//
// the second ULONG in syscall_data points to extra data appended
// by us here on top of what the driver returned
//
extra = (SBIELOW_EXTRA_DATA *)((ULONG_PTR)syscall_data + len);
syscall_data[1] = len;
//
// write an ASCII string for LdrLoadDll (see core/low/inject.c)
//
ptr = (WCHAR *)((ULONG_PTR)extra + sizeof(SBIELOW_EXTRA_DATA));
strcpy((char *)ptr, "LdrLoadDll");
extra->LdrLoadDll_offset = ULONG_DIFF(ptr, extra);
ptr += 16 / sizeof(WCHAR);
//
// write an ASCII string for LdrGetProcedureAddress
//
strcpy((char *)ptr, "LdrGetProcedureAddress");
extra->LdrGetProcAddr_offset = ULONG_DIFF(ptr, extra);
ptr += 28 / sizeof(WCHAR);
//
// write an ASCII string for NtRaiseHardError
//
strcpy((char *)ptr, "NtRaiseHardError");
extra->NtRaiseHardError_offset = ULONG_DIFF(ptr, extra);
ptr += 20 / sizeof(WCHAR);
//
// write an ASCII string for RtlFindActivationContextSectionString
//
strcpy((char *)ptr, "RtlFindActivationContextSectionString");
extra->RtlFindActCtx_offset = ULONG_DIFF(ptr, extra);
ptr += 44 / sizeof(WCHAR);
//
// ntdll loads kernel32 without a path, we will do the same
// in our hook for RtlFindActivationContextSectionString,
// see entry.asm
//
wcscpy(ptr, L"kernel32.dll");
len = wcslen(ptr);
extra->KernelDll_offset = ULONG_DIFF(ptr, extra);;
extra->KernelDll_length = len * sizeof(WCHAR);
ptr += len + 1;
//
// append paths for native and wow64 SbieDll to the syscall buffer
//
status = SbieApi_GetHomePath(NULL, 0, ptr, 512);
if (status != 0)
return status;
wcscat(ptr, _SbieDll);
len = wcslen(ptr);
extra->NativeSbieDll_offset = ULONG_DIFF(ptr, extra);;
extra->NativeSbieDll_length = len * sizeof(WCHAR);
ptr += len + 1;
#ifdef _WIN64
status = SbieApi_GetHomePath(NULL, 0, ptr, 512);
if (status != 0)
return status;
wcscat(ptr, L"\\32");
wcscat(ptr, _SbieDll);
len = wcslen(ptr);
extra->Wow64SbieDll_offset = ULONG_DIFF(ptr, extra);
extra->Wow64SbieDll_length = len * sizeof(WCHAR);
ptr += len + 1;
#endif _WIN64
//
// adjust size of syscall buffer to include path strings
//
*syscall_data = ULONG_DIFF(ptr, syscall_data);
#undef ULONG_DIFF
m_syscall_data = syscall_data;
return STATUS_SUCCESS;
}
//---------------------------------------------------------------------------
// InjectLow
//---------------------------------------------------------------------------
void DriverAssist::InjectLow(void *_msg)
{
SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
ULONG errlvl;
SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
//
// verify all aspects of initialization were successful
//
if ((! m_sbielow_ptr) || (! m_syscall_data)) {
ULONG errlvl = 0;
//
// open new process and verify process creation time
//
SetLastError(ERROR_NOT_READY);
errlvl = 0xFF;
goto finish;
}
HANDLE hProcess = InjectLow_OpenProcess(_msg);
if (!hProcess) {
//
// open new process and verify process creation time
//
errlvl = 0x11;
goto finish;
}
HANDLE hProcess = InjectLow_OpenProcess(_msg);
if (! hProcess) {
//
// inject the lowlevel.dll into the target process
//
errlvl = 0x11;
goto finish;
}
//
// prepare the lowdata paramters area to copy into target process
//
SBIELOW_DATA lowdata;
memzero(&lowdata, sizeof(lowdata));
lowdata.ntdll_base = (ULONG64)(ULONG_PTR)_Ntdll;
lowdata.is_wow64 = msg->is_wow64;
lowdata.bHostInject = msg->bHostInject;
lowdata.RealNtDeviceIoControlFile = (ULONG64) GetProcAddress((HMODULE) lowdata.ntdll_base,"NtDeviceIoControlFile");
//
// on 64-bit Windows 8, there might be a difference of more than
// 2GB bytes between ntdll and the injected SbieLow, which requires
// use of longer jump sequences than the 5-byte 0xE9 relative jump
//
if (Dll_Windows >= 10) {
lowdata.is_win10 = TRUE;
}
void *remote_addr = InjectLow_CopyCode(hProcess, lowdata.is_wow64, lowdata.LdrInitializeThunk_tramp, sizeof(lowdata.LdrInitializeThunk_tramp));
if (!remote_addr) {
errlvl = 0x33;
goto finish;
}
// if (lowdata.is_wow64 && (m_addr_high != m_addr_high_32))
#ifdef _WIN64
lowdata.long_diff = TRUE;
if (Has32BitJumpHorizon((void *)m_LdrInitializeThunk, remote_addr)) {
lowdata.long_diff = FALSE;
}
#else
lowdata.long_diff = FALSE;
#endif
//
// duplicate the SbieDrv API file device handle into target process
//
lowdata.api_device_handle = (ULONG64)(ULONG_PTR)
InjectLow_SendHandle(hProcess);
if (! lowdata.api_device_handle) {
errlvl = 0x22;
goto finish;
}
lowdata.api_sbiedrv_ctlcode = API_SBIEDRV_CTLCODE;
lowdata.api_invoke_syscall = API_INVOKE_SYSCALL;
//
// the driver sent us a copy of some functions from ntdll in the
// syscall_data buffer, copy that code to SbieLow through the
// lowdata area (see also core/drv/syscall.c and core/low/lowdata.h)
//
memcpy(lowdata.NtDelayExecution_code, &m_syscall_data[2], (32 * 4));
//
// allocate space for and write the lowlevel (SbieLow) code
// and copy code at LdrInitializeThunk from target process
//
#ifdef _WIN64
lowdata.Sbie64bitJumpTable = (SBIELOW_J_TABLE *) ((ULONG_PTR) remote_addr +m_sbielow_len+0x400); //(0x400 - (m_sbielow_len & 0x3ff))+ m_sbielow_len;
#endif
//
// remove hard coded data block offset
ULONG_PTR tramp_remote_addr = // calculate address in remote process
(ULONG_PTR)remote_addr
+ m_sbielow_data_offset // offset of args area
+ FIELD_OFFSET(SBIELOW_DATA, LdrInitializeThunk_tramp);
if (! InjectLow_BuildTramp(_msg, lowdata.long_diff,
lowdata.LdrInitializeThunk_tramp, tramp_remote_addr)) {
errlvl = 0x44;
goto finish;
}
//
// copy the syscall data buffer (m_syscall_data) to target process
//
void *remote_syscall_data = InjectLow_CopySyscalls(hProcess);
if (! remote_syscall_data) {
errlvl = 0x55;
goto finish;
}
lowdata.syscall_data = (ULONG64)(ULONG_PTR)remote_syscall_data;
//
// write lowdata parameter area, including the converted trampoline
// code, into target process, and make it execute-read
//
if (! InjectLow_CopyData(hProcess, remote_addr, &lowdata)) {
errlvl = 0x66;
goto finish;
}
//
// overwrite the top of LdrInitializeThunk to jump to injected code
// note that we have to skip the 8-byte signature (.HEAD.00)
//
// Removed hard coded dependency on (.HEAD.00). No longer need to add 8 to
// the remote_addr
if (!InjectLow_WriteJump(hProcess, (UCHAR *)remote_addr + m_sbielow_start_offset, lowdata.long_diff, &lowdata)) {
errlvl = 0x77;
goto finish;
}
errlvl = SbieDll_InjectLow(hProcess, msg->is_wow64, msg->bHostInject, TRUE);
if(errlvl != 0)
goto finish;
//
// put process into a job for win32 restrictions
@ -544,540 +157,3 @@ HANDLE DriverAssist::InjectLow_OpenProcess(void *_msg)
return NULL;
}
//---------------------------------------------------------------------------
// InjectLow_SendHandle
//---------------------------------------------------------------------------
HANDLE DriverAssist::InjectLow_SendHandle(HANDLE hProcess)
{
NTSTATUS status;
HANDLE HandleLocal, HandleRemote;
UNICODE_STRING uni;
OBJECT_ATTRIBUTES objattrs;
IO_STATUS_BLOCK MyIoStatusBlock;
//
// open the Sandboxie driver API file handle
//
RtlInitUnicodeString(&uni, API_DEVICE_NAME);
InitializeObjectAttributes(
&objattrs, &uni, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = NtOpenFile(
&HandleLocal, FILE_GENERIC_READ, &objattrs, &MyIoStatusBlock,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 0);
if (NT_SUCCESS(status)) {
//
// duplicate opened handle into new process
//
BOOL ok = DuplicateHandle(NtCurrentProcess(), HandleLocal,
hProcess, &HandleRemote, 0, FALSE,
DUPLICATE_SAME_ACCESS);
CloseHandle(HandleLocal);
if (ok) {
return HandleRemote;
}
}
return NULL;
}
//---------------------------------------------------------------------------
// InjectLow_CopyCode
//---------------------------------------------------------------------------
void *DriverAssist::InjectLow_CopyCode(HANDLE hProcess, BOOLEAN iswow64, UCHAR *code, ULONG code_len)
{
SIZE_T region_size;
SIZE_T lowLevel_size;
void *remote_addr = NULL;
#ifdef _WIN64
lowLevel_size = m_sbielow_len + sizeof(SBIELOW_J_TABLE) + 0x400;
#else
lowLevel_size = m_sbielow_len;
#endif
region_size = lowLevel_size;
for (int i = 8; !remote_addr && i > 2; i--) {
NTSTATUS status = NtAllocateVirtualMemory(hProcess, &remote_addr, i, &region_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!NT_SUCCESS(status)) {
remote_addr = NULL;
region_size = lowLevel_size;
}
}
if (remote_addr) {
//
// copy SbieLow into the allocated region in the new process
//
SIZE_T len1 = m_sbielow_len;
SIZE_T len2 = 0;
BOOL vm_ok = WriteProcessMemory(
hProcess, remote_addr, m_sbielow_ptr,
len1, &len2);
if (vm_ok && len1 == len2) {
//
// copy code at LdrInitializeThunk from new process
//
len1 = code_len;
len2 = 0;
/*
sprintf(buffer,"CopyCode: copy ldr size %d\n",code_len);
OutputDebugStringA(buffer);
*/
vm_ok = ReadProcessMemory(
hProcess, (void *)m_LdrInitializeThunk, code,
len1, &len2);
if (vm_ok && len1 == len2) {
return remote_addr;
}
}
}
return NULL;
}
//---------------------------------------------------------------------------
// InjectLow_BuildTramp
//---------------------------------------------------------------------------
bool DriverAssist::InjectLow_BuildTramp(
void *_msg, BOOLEAN long_diff, UCHAR *code, ULONG_PTR addr)
{
#define IS_1BYTE(a) ( code[offset + 0] == (a))
#define IS_2BYTE(a,b) (IS_1BYTE(a) && code[offset + 1] == (b))
#define IS_3BYTE(a,b,c) (IS_2BYTE(a,b) && code[offset + 2] == (c))
//
// skip past several bytes in the code copied from the top of the
// LdrInitializeThunk fuction, where we will inject a jmp sequence.
//
// a simple E9 relative JMP five byte instruction in most cases,
// a slightly longer seven byte version in case there is a long
// distance between ntdll and SbieLow, i.e. on 64-bit Windows 8
//
ULONG code_len = (long_diff ? 7 : 5);
ULONG offset = 0;
while (offset < code_len) {
ULONG inst_len = 0;
if (0)
;
// push ebp
else if (IS_1BYTE(0x55))
inst_len = 1;
// mov ebp, esp
else if (IS_2BYTE(0x8B, 0xEC))
inst_len = 2;
// mov edi, edi
else if (IS_2BYTE(0x8B, 0xFF))
inst_len = 2;
// push ebx
else if (IS_2BYTE(0xFF, 0xF3))
inst_len = 2;
// push rbx (Windows 8.1)
else if (IS_2BYTE(0x40, 0x53))
inst_len = 2;
// mov dword ptr [esp+imm8],eax
else if (IS_3BYTE(0x89, 0x44, 0x24))
inst_len = 4;
// lea eax, esp+imm8
else if (IS_3BYTE(0x8D, 0x44, 0x24))
inst_len = 4;
// sub rsp, imm8
else if (IS_3BYTE(0x48, 0x83, 0xEC))
inst_len = 4;
// mov rbx, rcx
else if (IS_3BYTE(0x48, 0x8B, 0xD9))
inst_len = 3;
/*
else if (IS_3BYTE(0x48, 0x8B, 0x04))
inst_len = 4;
*/
//
// abort if we don't recognize the instruction
//
if (! inst_len) {
SVC_PROCESS_MSG *msg = (SVC_PROCESS_MSG *)_msg;
SbieApi_LogEx(msg->session_id, 2335,
L"%S [%02X %02X %02X %02X %02X %02X"
L" %02X %02X %02X %02X %02X %02X]",
msg->process_name,
code[0], code[1], code[2], code[3], code[4], code[5],
code[6], code[7], code[8], code[9], code[10], code[11]);
SetLastError(ERROR_UNKNOWN_PRODUCT);
return false;
}
offset += inst_len;
}
#undef IS_3BYTE
#undef IS_2BYTE
#undef IS_1BYTE
//
// append a jump instruction at the bottom of our trampoline for
// LdrInitializeThunk, which jumps back to the real LdrInitializeThunk
//
// note that on Windows 8 the difference between the address of
// LdrInitializeThunk in the 64-bit ntdll and where SbieLow was copied
// may be greater than 32-bit, so we use JMP QWORD rather than the
// 5-byte 0xE9 relative JMP
//
#ifdef _WIN64
if (!long_diff) {
if (Dll_Windows >= 10) {
code[offset] = 0x48;
code[offset + 1] = 0xE9;
*(ULONG *)&code[offset + 2] = (ULONG)
(m_LdrInitializeThunk + offset - (addr + offset + 6));
}
else {
code[offset] = 0xe9;
*(ULONG *)&code[offset + 1] = (ULONG)
(m_LdrInitializeThunk + offset - (addr + offset + 5));
}
}
else {
*(USHORT *)&code[offset] = 0x25FF; // jmp qword ptr
*(ULONG *)&code[offset + 2] = 0;
*(ULONG64 *)&code[offset + 6] = m_LdrInitializeThunk + offset;
}
#else
code[offset] = 0xE9;
*(ULONG *)&code[offset + 1] = (ULONG)
(m_LdrInitializeThunk + offset - (addr + offset + 5));
#endif
return true;
}
//---------------------------------------------------------------------------
// InjectLow_CopySyscalls
//---------------------------------------------------------------------------
void *DriverAssist::InjectLow_CopySyscalls(HANDLE hProcess)
{
//
// allocate virtual memory somewhere in the process. to force an
// address in the low 24-bits of the address space, we have to use
// NtAllocateVirtalMemory and specify ZeroBits = 8 (32 - 8 = 24)
//
void *remote_addr = NULL;
SIZE_T region_size = *m_syscall_data;
int i;
NTSTATUS status;
for (i = 8; !remote_addr && i > 2; i--) {
status = NtAllocateVirtualMemory(hProcess, &remote_addr, i, &region_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!NT_SUCCESS(status)) {
remote_addr = NULL;
region_size = *m_syscall_data;
}
}
if (!NT_SUCCESS(status)) {
remote_addr = NULL;
SetLastError(RtlNtStatusToDosError(status));
}
if (remote_addr) {
//
// copy the syscall data buffer into the new process
//
SIZE_T len1 = *m_syscall_data;
SIZE_T len2 = 0;
BOOL vm_ok = WriteProcessMemory(
hProcess, remote_addr, m_syscall_data, len1, &len2);
if (vm_ok && len1 == len2) {
return remote_addr;
}
}
return NULL;
}
//---------------------------------------------------------------------------
// InjectLow_CopyData
//---------------------------------------------------------------------------
bool DriverAssist::InjectLow_CopyData(
HANDLE hProcess, void *remote_addr, void *local_data)
{
//
// copy SBIELOW_DATA data into the area reserved within SbieLow
// (i.e. at offset SBIELOW_DATA_OFFSET) in the new process
//
void *data_addr = (void *)((ULONG_PTR)remote_addr + m_sbielow_data_offset);
SIZE_T len1 = sizeof(SBIELOW_DATA);
SIZE_T len2 = 0;
BOOL vm_ok = WriteProcessMemory(
hProcess, data_addr, local_data, len1, &len2);
if (vm_ok && len1 == len2) {
ULONG protect;
vm_ok = VirtualProtectEx(hProcess, remote_addr, m_sbielow_len,
PAGE_EXECUTE_READ, &protect);
if (vm_ok) {
return true;
}
}
return false;
}
#ifdef _WIN64
bool DriverAssist::Has32BitJumpHorizon(void * target, void * detour) {
ULONG_PTR diff;
long long delta;
diff = (ULONG_PTR)((ULONG_PTR)target - (ULONG_PTR)detour);
delta = diff;
delta < 0 ? delta *= -1 : delta;
//is DetourFunc in 32bit jump range
if (delta < 0x80000000) {
return TRUE;
}
return FALSE;
}
void * DriverAssist::InjectLow_getPage(HANDLE hProcess, void *remote_addr)
{
SIZE_T mySize;
ULONG_PTR tempAddr;
void * myTable = 0;
UCHAR *func;
ULONG myProtect;
short myBuffer[1024];
SIZE_T readSize;
BOOL myVM;
HANDLE myKernel32;
HANDLE myNtDll;
//HANDLE myTestDll;
func = (UCHAR *)((ULONG_PTR)m_LdrInitializeThunk);
myKernel32 = GetModuleHandleA("kernel32.dll");
myNtDll = GetModuleHandleA("ntdll.dll");
// myTestDll = 0;
/*
if(myTestDll) {
//for testing remove this code!
sprintf(buffer,"Dll Collision Test: address %p\n",myTestDll);
OutputDebugStringA(buffer);
myTable = VirtualAllocEx(hProcess,myTestDll,0x100, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
}
else {
*/
(ULONG_PTR)myNtDll < (ULONG_PTR)myKernel32 ? tempAddr = (ULONG_PTR)myNtDll - 0x10000 : tempAddr = (ULONG_PTR)myKernel32 - 0x10000;
myTable = VirtualAllocEx(hProcess, (void *)tempAddr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// }
/*
else {
//use hack if all else fails
//OutputDebugStringA("Unable to allocate page!\n");
max_attempts = 0;
}
*/
if (myTable) {
mySize = 0;
if (Has32BitJumpHorizon(myTable, func)) {
WriteProcessMemory(hProcess, myTable, &remote_addr, 8, &mySize);
/*
sprintf(buffer,"myPage = %p, kernel32 = %p, ntdll = %p\n",myTable,myKernel32,myNtDll);
OutputDebugStringA(buffer);
*/
if (mySize == 8) {
return myTable;
}
}
}
/*
sprintf(buffer,"Failed to find table for target address %p, func = %p\n",myTable,func);
OutputDebugStringA(buffer);
*/
readSize = 1;
tempAddr = (ULONG_PTR)func - 8;
ReadProcessMemory(hProcess, (void *)((ULONG_PTR)tempAddr), &myBuffer, 8, &readSize);
// if hot patch area
if (*((ULONG_PTR *)&myBuffer) == 0x9090909090909090 || *((ULONG_PTR *)&myBuffer) == 0xcccccccccccccccc) {
//OutputDebugStringA("Using hotpatch area\n");
myTable = (void *)tempAddr;
}
else { //not hot patch area: This is a hack
//patch area in .rdata section of ntdll
ReadProcessMemory(hProcess, (void *)((ULONG_PTR)tempAddr + 0x100000), myBuffer, sizeof(myBuffer), &readSize);
if (readSize != sizeof(myBuffer)) {
//OutputDebugStringA("Error reading Memory\n");
return NULL;
}
for (int i = 0; i < sizeof(myBuffer) && !myTable; i++) {
if (*((ULONG_PTR*)&myBuffer[i]) == 0x9090909090909090 ||
*((ULONG_PTR*)&myBuffer[i]) == 0xcccccccccccccccc) {
myTable = (void *)((ULONG_PTR)tempAddr + i);
/*
sprintf(buffer,"HACK: table found at %p, index %x\n",myTable, i);
OutputDebugStringA(buffer);
*/
}
}
if (!myTable) {
//OutputDebugStringA("Table not found\n");
return NULL;
}
} //end else not hotpatch area
myVM = VirtualProtectEx(hProcess, myTable, sizeof(void *), PAGE_READWRITE, &myProtect);
if (myVM) {
SIZE_T len2 = 0;
myVM = WriteProcessMemory(hProcess, myTable, &remote_addr, 8, &len2);
if (myVM && 8 == len2) {
myVM = VirtualProtectEx(hProcess, myTable, 8, myProtect, &myProtect);
if (myVM) {
return myTable;
}
}
}
return NULL;
}
#endif //#ifdef _WIN64
//---------------------------------------------------------------------------
// InjectLow_WriteJump
//---------------------------------------------------------------------------
bool DriverAssist::InjectLow_WriteJump(HANDLE hProcess, void *remote_addr, BOOLEAN long_diff, void *localdata)
{
//
// prepare a short prolog code that jumps to the injected SbieLow
//
UCHAR jump_code[16];
void * detour = (void *)remote_addr;
UCHAR *func = (UCHAR *)((ULONG_PTR)m_LdrInitializeThunk);;
SIZE_T len1;
BOOL myVM;
ULONG myProtect;
#ifdef _WIN64
if (!long_diff) {
if (Dll_Windows >= 10) {
len1 = 6;
jump_code[0] = 0x48; //jump to entry code in entry.asm
jump_code[1] = 0xE9; //jump to entry code in entry.asm
*(ULONG *)(jump_code + 2) = (ULONG)((ULONG_PTR)detour - (m_LdrInitializeThunk + 6));
//remote_addr = (void *)m_LdrInitializeThunk;
}
else {
len1 = 5;
jump_code[0] = 0xe9; //jump to entry code in entry.asm
*(ULONG *)(jump_code + 1) = (ULONG)((ULONG_PTR)detour - (m_LdrInitializeThunk + 5));
}
}
else {
void * myTable = 0;
if (!((ULONG_PTR)remote_addr & 0xffffffff00000000)) {
len1 = 7;
jump_code[0] = 0xB8;
*(ULONG *)(jump_code + 1) = (ULONG)(ULONG_PTR)remote_addr;
*(USHORT *)(jump_code + 5) = 0xE0FF; // jmp rax
}
else {
ULONG_PTR target;
ULONG_PTR diff;
len1 = 6;
target = (ULONG_PTR)&func[6];
myTable = InjectLow_getPage(hProcess, remote_addr);
if (!myTable) {
//OutputDebugStringA("Error: Table not set!\n");
return false;
}
diff = (ULONG_PTR) &((ULONG_PTR *)myTable)[0];
diff = diff - target;
*(USHORT *)&jump_code[0] = 0x25ff;
*(ULONG *)&jump_code[2] = (ULONG)diff;
}
}
#else
len1 = 5;
jump_code[0] = 0xE9; //jump to entry code in entry.asm
*(ULONG *)(jump_code + 1) = (ULONG)((ULONG_PTR)detour - (m_LdrInitializeThunk + 5));
//remote_addr = (void *)m_LdrInitializeThunk;
#endif
//
// modify the bytes at LdrInitializeThunk with the prolog code
//
myVM = VirtualProtectEx(hProcess, func, len1, PAGE_READWRITE, &myProtect);
if (myVM) {
SIZE_T len2 = 0;
myVM = WriteProcessMemory(hProcess, func, jump_code, len1, &len2);
/*
sprintf(buffer,"WriteJump: len2 = %d\n",len2);
OutputDebugStringA(buffer);
*/
if (myVM && len1 == len2) {
myVM = VirtualProtectEx(hProcess, func, len1, myProtect, &myProtect);
if (myVM) {
return true;
}
}
}
return false;
}


@ -158,7 +158,7 @@ driver_started:
}
if (ok) {
rc = m_instance->InjectLow_InitSyscalls();
SbieDll_InjectLow_InitSyscalls(TRUE);
if (rc != 0) {
LogEvent(MSG_9234, 0x9362, rc);
ok = false;
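Review bot: The return value of the new `SbieDll_InjectLow_InitSyscalls(TRUE)` call is discarded, yet the `if (rc != 0)` on the next line still gates `LogEvent(MSG_9234, 0x9362, rc)` and `ok = false` on `rc`, which after this change holds whatever the last assignment before the hunk left in it (assuming, as the commit description indicates, that this call replaces the removed `rc = m_instance->InjectLow_InitSyscalls();`). If the new function reports failure through its return value, keep the assignment: `rc = SbieDll_InjectLow_InitSyscalls(TRUE);`. If it returns nothing, the check and the log event are now dead code, and a failed syscall-table setup would go unreported while startup continues with `ok` still true. The enclosing function begins and ends outside the hunk, so the prior value of `rc` cannot be confirmed from here.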


@ -268,7 +268,6 @@
<ClInclude Include="terminalwire.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="lowlevel.rc" />
<ResourceCompile Include="resource.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />


@ -197,7 +197,7 @@ SB_STATUS CSbieAPI::Connect()
m->lastRecordNum = 0;
#ifndef _DEBUG
QStringList CompatVersions = QStringList () << "5.43" << "5.43.5";
QStringList CompatVersions = QStringList () << "5.43" << "5.43.5" << "5.44.0";
QString CurVersion = GetVersion();
if (!CompatVersions.contains(CurVersion))
{


@ -12,7 +12,7 @@
#define VERSION_MJR 0
#define VERSION_MIN 4
#define VERSION_REV 3
#define VERSION_REV 4
#define VERSION_UPD 0