From 030032f1ac5027645523d24cbeaaacd84739d163 Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Sun, 15 Sep 2024 20:33:45 +0200
Subject: [PATCH] 1.14.9
---
 Sandboxie/core/dll/sbieapi.c | 6 ++--
 Sandboxie/core/dll/sbieapi.h | 2 +-
 Sandboxie/core/drv/api_defs.h | 1 +
 Sandboxie/core/drv/driver.c | 51 ++++++++++++++--------------
 Sandboxie/core/drv/process_force.c | 6 ++--
 Sandboxie/core/drv/session.c | 15 ++++----
 Sandboxie/core/drv/token.c | 9 +++--
 Sandboxie/core/svc/sbieiniserver.cpp | 2 +-
 8 files changed, 50 insertions(+), 42 deletions(-)
diff --git a/Sandboxie/core/dll/sbieapi.c b/Sandboxie/core/dll/sbieapi.c
index 18b85a1870..2fdbeba112 100644
--- a/Sandboxie/core/dll/sbieapi.c
+++ b/Sandboxie/core/dll/sbieapi.c
@@ -1816,7 +1816,7 @@ _FX LONG SbieApi_GetUnmountHive(
 //---------------------------------------------------------------------------
-_FX LONG SbieApi_SessionLeader(HANDLE TokenHandle, HANDLE *ProcessId)
+_FX LONG SbieApi_SessionLeader(ULONG session_id, HANDLE *ProcessId)
 {
 NTSTATUS status;
 __declspec(align(8)) ULONG64 ResultValue;
@@ -1826,9 +1826,11 @@ _FX LONG SbieApi_SessionLeader(HANDLE TokenHandle, HANDLE *ProcessId)
 memset(parms, 0, sizeof(parms));
 args->func_code = API_SESSION_LEADER;
 if (ProcessId) {
- args->token_handle.val64 = (ULONG64)(ULONG_PTR)TokenHandle;
+ args->session_id.val64 = (ULONG64)(ULONG_PTR)session_id;
+ args->token_handle.val64 = 0;
 args->process_id.val64 = (ULONG64)(ULONG_PTR)&ResultValue;
 } else {
+ args->session_id.val64 = 0;
 args->token_handle.val64 = 0;
 args->process_id.val64 = 0;
 }
diff --git a/Sandboxie/core/dll/sbieapi.h b/Sandboxie/core/dll/sbieapi.h
index 9cf379aed8..3311f8f8c5 100644
--- a/Sandboxie/core/dll/sbieapi.h
+++ b/Sandboxie/core/dll/sbieapi.h
@@ -190,7 +190,7 @@ LONG SbieApi_EnumProcessEx(
 SBIEAPI_EXPORT
 LONG SbieApi_SessionLeader(
- HANDLE TokenHandle,
+ ULONG session_id,
 HANDLE *ProcessId);
 SBIEAPI_EXPORT
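Review bot: With `args->token_handle.val64 = 0` now set unconditionally, the token-based fallback the driver keeps for `session_id == -1` (session.c, later in this patch) cannot be reached through SbieApi_SessionLeader: a caller passing -1 makes the driver call ZwQueryInformationToken on a NULL handle, which would be expected to fail rather than return the caller's own session leader. Either resolve -1 in the DLL before the call or state the contract on the prototype in sbieapi.h, e.g. `// session_id: session whose leader pid is wanted; (ULONG)-1 is not resolved by this wrapper`. Swapping HANDLE for ULONG in an SBIEAPI_EXPORT prototype also silently breaks any out-of-tree caller built against the old header, since the call still links and only the argument's meaning changed; the 1.14.9 release notes should say so. SbieApi_SessionLeader continues outside the hunk.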
diff --git a/Sandboxie/core/drv/api_defs.h b/Sandboxie/core/drv/api_defs.h
index 425608ffdf..83bfd93c4a 100644
--- a/Sandboxie/core/drv/api_defs.h
+++ b/Sandboxie/core/drv/api_defs.h
@@ -410,6 +410,7 @@ API_ARGS_CLOSE(API_OPEN_DEVICE_MAP_ARGS)
 API_ARGS_BEGIN(API_SESSION_LEADER_ARGS)
 API_ARGS_FIELD(HANDLE,token_handle)
 API_ARGS_FIELD(ULONG64 *,process_id)
+API_ARGS_FIELD(ULONG,session_id)
 API_ARGS_CLOSE(API_SESSION_LEADER_ARGS)
diff --git a/Sandboxie/core/drv/driver.c b/Sandboxie/core/drv/driver.c
index 6d2b087bdd..61bd0e79b8 100644
--- a/Sandboxie/core/drv/driver.c
+++ b/Sandboxie/core/drv/driver.c
@@ -690,32 +690,6 @@ void* Driver_FindMissingService(const char* ProcName, int prmcnt)
 _FX BOOLEAN Driver_FindMissingServices(void)
 {
-#ifdef OLD_DDK
- UNICODE_STRING uni;
- RtlInitUnicodeString(&uni, L"ZwSetInformationToken");
-
- //
- // Windows 7 kernel exports ZwSetInformationToken
- // on earlier versions of Windows, we search for it
- //
-//#ifndef _WIN64
- if (Driver_OsVersion < DRIVER_WINDOWS_7) {
-
- ZwSetInformationToken = (P_NtSetInformationToken) Driver_FindMissingService("ZwSetInformationToken", 4);
-
- } else
-//#endif
- {
- ZwSetInformationToken = (P_NtSetInformationToken) MmGetSystemRoutineAddress(&uni);
- }
-
- if (!ZwSetInformationToken) {
- Log_Msg1(MSG_1108, uni.Buffer);
- return FALSE;
- }
-#endif
-
-
 //
 // Retrieve some unexported kernel functions which may be useful
 //
@@ -773,6 +747,31 @@ _FX BOOLEAN Driver_FindMissingServices(void)
 #endif
+#ifdef OLD_DDK
+ UNICODE_STRING uni;
+ RtlInitUnicodeString(&uni, L"ZwSetInformationToken");
+
+ //
+ // Windows 7 kernel exports ZwSetInformationToken
+ // on earlier versions of Windows, we search for it
+ //
+//#ifndef _WIN64
+ if (Driver_OsVersion < DRIVER_WINDOWS_7) {
+
+ ZwSetInformationToken = (P_NtSetInformationToken) Driver_FindMissingService("ZwSetInformationToken", 4);
+
+ } else
+//#endif
+ {
+ ZwSetInformationToken = (P_NtSetInformationToken) MmGetSystemRoutineAddress(&uni);
+ }
+
+ if (!ZwSetInformationToken) {
+ Log_Msg1(MSG_1108, uni.Buffer);
+ return FALSE;
+ }
+#endif
+
 return TRUE;
 }
diff --git a/Sandboxie/core/drv/process_force.c b/Sandboxie/core/drv/process_force.c
index 5220fa0a42..e9930c7170 100644
--- a/Sandboxie/core/drv/process_force.c
+++ b/Sandboxie/core/drv/process_force.c
@@ -168,9 +168,9 @@ _FX BOX *Process_GetForcedStartBox(
 BOOLEAN same_image_name;
- void* nbuf;
- ULONG nlen;
- WCHAR* ParentName;
+ void* nbuf = NULL;
+ ULONG nlen = 0;
+ WCHAR* ParentName = NULL;
 check_force = TRUE;
diff --git a/Sandboxie/core/drv/session.c b/Sandboxie/core/drv/session.c
index aedca89aae..6e51a69e88 100644
--- a/Sandboxie/core/drv/session.c
+++ b/Sandboxie/core/drv/session.c
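Review bot: After the move, `UNICODE_STRING uni;` under `#ifdef OLD_DDK` is declared just before `return TRUE;`, following the `#endif` of an earlier lookup block, so Driver_FindMissingServices now presumably mixes declarations and statements in a file whose other blocks declare locals at the top; MSVC accepts this, but hoisting the declaration to the function head (still under `#ifdef OLD_DDK`) keeps the style uniform. The new position also means ZwSetInformationToken is resolved only after the preceding lookups, which looks harmless if each of them already returns FALSE on failure, but nothing in the hunk or the commit message ("1.14.9") records why it was reordered; a one-line comment such as `// resolved last: the lookups above do not depend on it` would capture the intent if that is the reason. The start of the function is outside the hunk.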
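Review bot: Defaulting `nbuf`, `nlen` and `ParentName` to NULL/0 only changes behaviour if some path in Process_GetForcedStartBox reads or frees them before they are assigned, and that path, together with the free call, is outside the hunk; confirm the free is NULL-safe, otherwise the initializer merely changes which bad value is passed. A short comment on the declarations, e.g. `// zeroed: the cleanup path below may run before the parent name is resolved`, would tell the next reader why plain declarations were not enough. Process_GetForcedStartBox begins and ends outside the hunk.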
@@ -362,19 +362,22 @@ _FX NTSTATUS Session_Api_Leader(PROCESS *proc, ULONG64 *parms)
 // get leader
 //
- HANDLE TokenHandle = args->token_handle.val;
+ ULONG session_id = args->session_id.val;
- ULONG SessionId;
- ULONG len = sizeof(ULONG);
+ if (session_id == -1) {
- status = ZwQueryInformationToken(
- TokenHandle, TokenSessionId, &SessionId, len, &len);
+ HANDLE TokenHandle = args->token_handle.val;
+
+ ULONG len = sizeof(session_id);
+ status = ZwQueryInformationToken(
+ TokenHandle, TokenSessionId, &session_id, len, &len);
+ }
 if (NT_SUCCESS(status)) {
 __try {
- session = Session_Get(FALSE, SessionId, &irql);
+ session = Session_Get(FALSE, session_id, &irql);
 if (session)
 ProcessIdToReturn = (ULONG64)session->leader_pid;
diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c
index 93822db917..38b038373a 100644
--- a/Sandboxie/core/drv/token.c
+++ b/Sandboxie/core/drv/token.c
@@ -1290,6 +1290,7 @@ _FX NTSTATUS Token_RestrictHelper2(
 return STATUS_SUCCESS;
 BOOLEAN NoUntrustedToken = Conf_Get_Boolean(proc->box->name, L"NoUntrustedToken", 0, FALSE);
+ BOOLEAN OpenWndStation = Conf_Get_Boolean(proc->box->name, L"OpenWndStation", 0, FALSE);
 label = (ULONG)(ULONG_PTR)Token_Query(
 TokenObject, TokenIntegrityLevel, proc->box->session_id);
@@ -1316,7 +1317,7 @@ _FX NTSTATUS Token_RestrictHelper2(
 LabelSid[1] = 0x10000000;
 // debug tip. You can change the sandboxed process's integrity level below
 //LabelSid[2] = SECURITY_MANDATORY_HIGH_RID;
- if(NoUntrustedToken)
+ if(NoUntrustedToken || OpenWndStation)
 LabelSid[2] = SECURITY_MANDATORY_LOW_RID;
 else
 LabelSid[2] = SECURITY_MANDATORY_UNTRUSTED_RID;
@@ -1392,6 +1393,7 @@ _FX void *Token_RestrictHelper3(
 BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
 BOOLEAN KeepLogonSession = Conf_Get_Boolean(proc->box->name, L"KeepLogonSession", 0, FALSE);
+ BOOLEAN OpenWndStation = Conf_Get_Boolean(proc->box->name, L"OpenWndStation", 0, FALSE);
 n = 0;
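Review bot: `status` is now assigned only inside the new `if (session_id == -1)` branch, yet `if (NT_SUCCESS(status))` still follows unconditionally; its declaration and any initializer are outside the hunk, so unless it is set before this point the direct session_id path tests an indeterminate value. Set it explicitly on the new path, e.g. `status = STATUS_SUCCESS;` right after `ULONG session_id = args->session_id.val;`. Comparing a ULONG with the literal `-1` works through the usual conversions but hides the intent; `if (session_id == (ULONG)-1)` or a named sentinel reads better, and the sentinel deserves a comment because the DLL in this same patch always sends `token_handle = 0`, so the fallback fails on a NULL handle when reached through SbieApi_SessionLeader. In the direct path the driver now trusts a session id chosen by the caller instead of one derived from a token it can inspect, so any rule about which processes may look up another session's leader pid has to live in the API dispatcher outside this hunk — confirm that it does. Session_Api_Leader begins and ends outside the hunk.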
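Review bot: `OpenWndStation` is read with Conf_Get_Boolean at three separate sites (here in Token_RestrictHelper2, in Token_RestrictHelper3 at the -1392/-1400 hunks, and in Token_CreateToken at the -2250/-2257 hunks), and at each it widens an existing hardening knob — a Low instead of Untrusted integrity label, and retention of the SE_GROUP_LOGON_ID group — without a comment saying why a window-station option affects the token. A one-line note at each use would help, e.g. `// OpenWndStation: presumably the window station ACL needs a Low label and the logon session SID, so relax both as NoUntrustedToken / KeepLogonSession would — confirm`. Reading the option once into box state instead of three lookups would also keep the sites from drifting; the -2250 hunk adds the variable but the visible use is only the integrity branch, so if Token_CreateToken also filters SE_GROUP_LOGON_ID by KeepLogonSession further down (outside the hunk) it should honour OpenWndStation there as Token_RestrictHelper3 now does. Token_RestrictHelper2 begins and ends outside the hunk.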
@@ -1400,7 +1402,7 @@ _FX void *Token_RestrictHelper3(
 if (Groups->Groups[i].Attributes & SE_GROUP_INTEGRITY)
 continue;
- if (KeepLogonSession && (Groups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
+ if ((KeepLogonSession || OpenWndStation) && (Groups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
 continue;
 if (RtlEqualSid(Groups->Groups[i].Sid, UserSid)) {
@@ -2250,6 +2252,7 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
 if (!Conf_Get_Boolean(proc->box->name, L"UnstrippedToken", 0, FALSE)) {
 BOOLEAN NoUntrustedToken = Conf_Get_Boolean(proc->box->name, L"NoUntrustedToken", 0, FALSE);
+ BOOLEAN OpenWndStation = Conf_Get_Boolean(proc->box->name, L"OpenWndStation", 0, FALSE);
 BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
 BOOLEAN KeepLogonSession = Conf_Get_Boolean(proc->box->name, L"KeepLogonSession", 0, FALSE);
@@ -2257,7 +2260,7 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
 if (LocalGroups->Groups[i].Attributes & SE_GROUP_INTEGRITY) {
 if (!Conf_Get_Boolean(proc->box->name, L"KeepTokenIntegrity", 0, FALSE)) {
- if(NoUntrustedToken)
+ if(NoUntrustedToken || OpenWndStation)
 *RtlSubAuthoritySid(LocalGroups->Groups[i].Sid, 0) = SECURITY_MANDATORY_LOW_RID;
 else
 *RtlSubAuthoritySid(LocalGroups->Groups[i].Sid, 0) = SECURITY_MANDATORY_UNTRUSTED_RID;
diff --git a/Sandboxie/core/svc/sbieiniserver.cpp b/Sandboxie/core/svc/sbieiniserver.cpp
index ef6eda235e..c69d952575 100644
--- a/Sandboxie/core/svc/sbieiniserver.cpp
+++ b/Sandboxie/core/svc/sbieiniserver.cpp
@@ -2275,7 +2275,7 @@ MSG_HEADER *SbieIniServer::RunSbieCtrl(MSG_HEADER *msg, HANDLE idProcess, bool i
 if (ok) {
 HANDLE SbieCtrlProcessId;
- SbieApi_SessionLeader(hToken, &SbieCtrlProcessId);
+ SbieApi_SessionLeader(m_session_id, &SbieCtrlProcessId);
 if (SbieCtrlProcessId) {
 status = STATUS_IMAGE_ALREADY_LOADED;
 ok = FALSE;