1.14.9
DavidXanatos committed Sep 15, 2024
1 parent 7ba9820 commit 030032f
Showing 8 changed files with 50 additions and 42 deletions.
6 changes: 4 additions & 2 deletions Sandboxie/core/dll/sbieapi.c
Expand Up @@ -1816,7 +1816,7 @@ _FX LONG SbieApi_GetUnmountHive(
//---------------------------------------------------------------------------


_FX LONG SbieApi_SessionLeader(HANDLE TokenHandle, HANDLE *ProcessId)
_FX LONG SbieApi_SessionLeader(ULONG session_id, HANDLE *ProcessId)
{
NTSTATUS status;
__declspec(align(8)) ULONG64 ResultValue;
Expand All @@ -1826,9 +1826,11 @@ _FX LONG SbieApi_SessionLeader(HANDLE TokenHandle, HANDLE *ProcessId)
memset(parms, 0, sizeof(parms));
args->func_code = API_SESSION_LEADER;
if (ProcessId) {
args->token_handle.val64 = (ULONG64)(ULONG_PTR)TokenHandle;
args->session_id.val64 = (ULONG64)(ULONG_PTR)session_id;
args->token_handle.val64 = 0;
args->process_id.val64 = (ULONG64)(ULONG_PTR)&ResultValue;
} else {
args->session_id.val64 = 0;
args->token_handle.val64 = 0;
args->process_id.val64 = 0;
}
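Review bot: The get path now stores `args->token_handle.val64 = 0` unconditionally, so the driver-side fallback added to session.c in this same commit (`if (session_id == -1)` followed by a token query on `args->token_handle`) cannot succeed when it is reached through this wrapper. Either state that on the function, for example `// session_id must be a real session id; the driver's -1/token fallback is not reachable from here`, or keep a way for the caller to supply the token. The cast `(ULONG64)(ULONG_PTR)session_id` is a leftover from the HANDLE version, and `(ULONG64)session_id` expresses the same thing for a ULONG. The body of SbieApi_SessionLeader continues outside both hunks.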
2 changes: 1 addition & 1 deletion Sandboxie/core/dll/sbieapi.h
Expand Up @@ -190,7 +190,7 @@ LONG SbieApi_EnumProcessEx(

SBIEAPI_EXPORT
LONG SbieApi_SessionLeader(
HANDLE TokenHandle,
ULONG session_id,
HANDLE *ProcessId);

SBIEAPI_EXPORT
1 change: 1 addition & 0 deletions Sandboxie/core/drv/api_defs.h
Expand Up @@ -410,6 +410,7 @@ API_ARGS_CLOSE(API_OPEN_DEVICE_MAP_ARGS)
API_ARGS_BEGIN(API_SESSION_LEADER_ARGS)
API_ARGS_FIELD(HANDLE,token_handle)
API_ARGS_FIELD(ULONG64 *,process_id)
API_ARGS_FIELD(ULONG,session_id)
API_ARGS_CLOSE(API_SESSION_LEADER_ARGS)


51 changes: 25 additions & 26 deletions Sandboxie/core/drv/driver.c
Expand Up @@ -690,32 +690,6 @@ void* Driver_FindMissingService(const char* ProcName, int prmcnt)

_FX BOOLEAN Driver_FindMissingServices(void)
{
#ifdef OLD_DDK
UNICODE_STRING uni;
RtlInitUnicodeString(&uni, L"ZwSetInformationToken");

//
// Windows 7 kernel exports ZwSetInformationToken
// on earlier versions of Windows, we search for it
//
//#ifndef _WIN64
if (Driver_OsVersion < DRIVER_WINDOWS_7) {

ZwSetInformationToken = (P_NtSetInformationToken) Driver_FindMissingService("ZwSetInformationToken", 4);

} else
//#endif
{
ZwSetInformationToken = (P_NtSetInformationToken) MmGetSystemRoutineAddress(&uni);
}

if (!ZwSetInformationToken) {
Log_Msg1(MSG_1108, uni.Buffer);
return FALSE;
}
#endif


//
// Retrieve some unexported kernel functions which may be useful
//
Expand Down Expand Up @@ -773,6 +747,31 @@ _FX BOOLEAN Driver_FindMissingServices(void)

#endif

#ifdef OLD_DDK
UNICODE_STRING uni;
RtlInitUnicodeString(&uni, L"ZwSetInformationToken");

//
// Windows 7 kernel exports ZwSetInformationToken
// on earlier versions of Windows, we search for it
//
//#ifndef _WIN64
if (Driver_OsVersion < DRIVER_WINDOWS_7) {

ZwSetInformationToken = (P_NtSetInformationToken) Driver_FindMissingService("ZwSetInformationToken", 4);

} else
//#endif
{
ZwSetInformationToken = (P_NtSetInformationToken) MmGetSystemRoutineAddress(&uni);
}

if (!ZwSetInformationToken) {
Log_Msg1(MSG_1108, uni.Buffer);
return FALSE;
}
#endif

return TRUE;
}

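Review bot: The relocated `#ifdef OLD_DDK` block declares `UNICODE_STRING uni;` at the end of Driver_FindMissingServices, presumably after executable statements, whereas before it was the first thing in the function body. If OLD_DDK builds use a C89-only compiler (the macro name suggests it, the page does not show it), that mixed declaration will not compile; wrapping the moved block in its own `{ ... }` scope avoids the problem. The commented-out `//#ifndef _WIN64` and `//#endif` lines around the `else` could be dropped while the block is being moved. The code between the two hunks is collapsed on this page, so what now precedes the block should be checked against the full file.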
6 changes: 3 additions & 3 deletions Sandboxie/core/drv/process_force.c
Expand Up @@ -168,9 +168,9 @@ _FX BOX *Process_GetForcedStartBox(
BOOLEAN same_image_name;


void* nbuf;
ULONG nlen;
WCHAR* ParentName;
void* nbuf = NULL;
ULONG nlen = 0;
WCHAR* ParentName = NULL;

check_force = TRUE;

15 changes: 9 additions & 6 deletions Sandboxie/core/drv/session.c
Expand Up @@ -362,19 +362,22 @@ _FX NTSTATUS Session_Api_Leader(PROCESS *proc, ULONG64 *parms)
// get leader
//

HANDLE TokenHandle = args->token_handle.val;
ULONG session_id = args->session_id.val;

ULONG SessionId;
ULONG len = sizeof(ULONG);
if (session_id == -1) {

status = ZwQueryInformationToken(
TokenHandle, TokenSessionId, &SessionId, len, &len);
HANDLE TokenHandle = args->token_handle.val;

ULONG len = sizeof(session_id);
status = ZwQueryInformationToken(
TokenHandle, TokenSessionId, &session_id, len, &len);
}

if (NT_SUCCESS(status)) {

__try {

session = Session_Get(FALSE, SessionId, &irql);
session = Session_Get(FALSE, session_id, &irql);
if (session)
ProcessIdToReturn = (ULONG64)session->leader_pid;

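Review bot: `status` is assigned only inside the `if (session_id == -1)` branch, so for a caller-supplied session id the following `NT_SUCCESS(status)` tests whatever value it held before. Its declaration is above the hunk, so confirm it starts as STATUS_SUCCESS or add `else status = STATUS_SUCCESS;` after the branch. The test `session_id == -1` relies on the implicit int-to-ULONG conversion; `(ULONG)-1` or a named constant would make the sentinel explicit. The session is also now taken from caller input rather than derived from a token the caller holds, so any caller allowed to reach this path can ask for the leader PID of any session. Whether that is acceptable depends on the access check earlier in Session_Api_Leader, which is outside the hunk.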
9 changes: 6 additions & 3 deletions Sandboxie/core/drv/token.c
Expand Up @@ -1290,6 +1290,7 @@ _FX NTSTATUS Token_RestrictHelper2(
return STATUS_SUCCESS;

BOOLEAN NoUntrustedToken = Conf_Get_Boolean(proc->box->name, L"NoUntrustedToken", 0, FALSE);
BOOLEAN OpenWndStation = Conf_Get_Boolean(proc->box->name, L"OpenWndStation", 0, FALSE);

label = (ULONG)(ULONG_PTR)Token_Query(
TokenObject, TokenIntegrityLevel, proc->box->session_id);
Expand All @@ -1316,7 +1317,7 @@ _FX NTSTATUS Token_RestrictHelper2(
LabelSid[1] = 0x10000000;
// debug tip. You can change the sandboxed process's integrity level below
//LabelSid[2] = SECURITY_MANDATORY_HIGH_RID;
if(NoUntrustedToken)
if(NoUntrustedToken || OpenWndStation)
LabelSid[2] = SECURITY_MANDATORY_LOW_RID;
else
LabelSid[2] = SECURITY_MANDATORY_UNTRUSTED_RID;
Expand Down Expand Up @@ -1392,6 +1393,7 @@ _FX void *Token_RestrictHelper3(

BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
BOOLEAN KeepLogonSession = Conf_Get_Boolean(proc->box->name, L"KeepLogonSession", 0, FALSE);
BOOLEAN OpenWndStation = Conf_Get_Boolean(proc->box->name, L"OpenWndStation", 0, FALSE);

n = 0;

Expand All @@ -1400,7 +1402,7 @@ _FX void *Token_RestrictHelper3(
if (Groups->Groups[i].Attributes & SE_GROUP_INTEGRITY)
continue;

if (KeepLogonSession && (Groups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
if ((KeepLogonSession || OpenWndStation) && (Groups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
continue;

if (RtlEqualSid(Groups->Groups[i].Sid, UserSid)) {
Expand Down Expand Up @@ -2250,14 +2252,15 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
if (!Conf_Get_Boolean(proc->box->name, L"UnstrippedToken", 0, FALSE))
{
BOOLEAN NoUntrustedToken = Conf_Get_Boolean(proc->box->name, L"NoUntrustedToken", 0, FALSE);
BOOLEAN OpenWndStation = Conf_Get_Boolean(proc->box->name, L"OpenWndStation", 0, FALSE);
BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
BOOLEAN KeepLogonSession = Conf_Get_Boolean(proc->box->name, L"KeepLogonSession", 0, FALSE);

for (ULONG i = 0; i < LocalGroups->GroupCount; i++) {

if (LocalGroups->Groups[i].Attributes & SE_GROUP_INTEGRITY) {
if (!Conf_Get_Boolean(proc->box->name, L"KeepTokenIntegrity", 0, FALSE)) {
if(NoUntrustedToken)
if(NoUntrustedToken || OpenWndStation)
*RtlSubAuthoritySid(LocalGroups->Groups[i].Sid, 0) = SECURITY_MANDATORY_LOW_RID;
else
*RtlSubAuthoritySid(LocalGroups->Groups[i].Sid, 0) = SECURITY_MANDATORY_UNTRUSTED_RID;
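Review bot: `OpenWndStation` is added to the logon-SID test only in Token_RestrictHelper3 (`(KeepLogonSession || OpenWndStation) && ...`); in Token_CreateToken the only changed line is the integrity branch, and all six additions of this section are visible here, so whatever `KeepLogonSession` does further down that function still ignores `OpenWndStation`. If the two token paths are meant to agree, that test needs the same `|| OpenWndStation`; the rest of Token_CreateToken is outside the hunk, so this needs confirming against the full function. Separately, the setting now implicitly moves the box from Untrusted to Low integrity and keeps the logon-session SID, which widens what the sandboxed token can reach; a comment at each site such as `// OpenWndStation: Low integrity and logon SID are kept so the window station can be opened` (wording to be confirmed by the author) would keep that trade-off visible to reviewers.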
2 changes: 1 addition & 1 deletion Sandboxie/core/svc/sbieiniserver.cpp
Expand Up @@ -2275,7 +2275,7 @@ MSG_HEADER *SbieIniServer::RunSbieCtrl(MSG_HEADER *msg, HANDLE idProcess, bool i
if (ok) {

HANDLE SbieCtrlProcessId;
SbieApi_SessionLeader(hToken, &SbieCtrlProcessId);
SbieApi_SessionLeader(m_session_id, &SbieCtrlProcessId);
if (SbieCtrlProcessId) {
status = STATUS_IMAGE_ALREADY_LOADED;
ok = FALSE;
