No commit message

CHANGELOG.md

@@ -4,6 +4,22 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 
 
+
+## [0.5.4c / 5.46.2] - 2021-01-10
+
+### Added
+- added "CallTrace=*" to log all system calls to the access log
+
+### Changed
+- improved ipc logging code
+- improved MSG_2101 logging
+
+### Fixed
+- fixed more issues with ipc tracing
+- fixed SBIE2101 issue with crome and derivatives
+
+
+
 ## [0.5.4b / 5.46.1] - 2021-01-08
 
 ### Added

Sandboxie/apps/control/MonitorDialog.cpp

@@ -97,6 +97,7 @@ BOOL CMonitorDialog::OnInitDialog()
 void CMonitorDialog::OnIdle()
 {
     static const WCHAR *_Unknown    = L"(Unk)    ";
+    static const WCHAR *_SysCall    = L"SysCall  ";
     static const WCHAR *_Pipe       = L"Pipe     ";
     static const WCHAR *_Ipc        = L"Ipc      ";
     static const WCHAR *_WinClass   = L"WinCls   ";
@@ -146,7 +147,9 @@ void CMonitorDialog::OnIdle()
 		type &= 0x0FFF;
 
         const WCHAR *PrefixPtr = _Unknown;
-        if (type == MONITOR_PIPE)
+        if (type == MONITOR_SYSCALL)
+            PrefixPtr = _SysCall;
+        else if (type == MONITOR_PIPE)
             PrefixPtr = _Pipe;
         else if (type == MONITOR_IPC)
             PrefixPtr = _Ipc;

Sandboxie/common/my_version.h

@@ -21,8 +21,8 @@
 #ifndef _MY_VERSION_H
 #define _MY_VERSION_H
 
-#define MY_VERSION_BINARY       5,46,1
-#define MY_VERSION_STRING       "5.46.1"
+#define MY_VERSION_BINARY       5,46,2
+#define MY_VERSION_STRING       "5.46.2"
 #define MY_VERSION_COMPAT		"5.46.0" // this refers to the driver ABI compatibility
 
 // These #defines are used by either Resource Compiler, or by NSIC installer

Sandboxie/core/dll/com.c

@@ -3314,7 +3314,7 @@ _FX void Com_Trace(
         return;
 
     text = Com_Alloc(1024 * sizeof(WCHAR));
-    ptr = text + Sbie_snwprintf(text, 1024, L"SBIE %s <%08X> ", TraceType, hr);
+    ptr = text + Sbie_snwprintf(text, 1024, L"COM %s <%08X> ", TraceType, hr);
 
     if (rclsid) {
         Com_Trace_Guid(ptr, rclsid, L"CLSID");

Sandboxie/core/dll/rpcrt.c

@@ -269,6 +269,19 @@ WCHAR* GetDynamicLpcPortName(ENUM_DYNAMIC_PORT_TYPE portType)
 
     rpl = (EPMAPPER_GET_PORT_NAME_RPL*)SbieDll_CallServer(&req.h);
 
+    WCHAR   wsTraceOptions[4];
+    if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS && wsTraceOptions[0] != L'\0')
+    {
+        WCHAR text[130];
+
+        if (rpl && NT_SUCCESS(rpl->h.status))
+            Sbie_snwprintf(text, 130, L"Resolved dynamic port: %d; endpoint: %s", req.portType, rpl->wszPortName);
+        else
+            Sbie_snwprintf(text, 130, L"Failed to resolve dynamic port: %d; status: %08X", req.portType, rpl ? rpl->h.status : 0);
+
+        SbieApi_MonitorPut2(MONITOR_IPC | MONITOR_TRACE, text, FALSE);
+    }
+
     if (rpl && NT_SUCCESS(rpl->h.status))
     {
         wcsncpy(g_Ipc_DynamicPortNames[portType], rpl->wszPortName, DYNAMIC_PORT_NAME_CHARS);
@@ -377,15 +390,16 @@ _FX ULONG RpcRt_RpcBindingFromStringBindingW(
     status = __sys_RpcBindingFromStringBindingW(StringBinding, OutBinding);
     // If there are any IpcTrace options set, then output this debug string
     WCHAR   wsTraceOptions[4];
-    if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS && wsTraceOptions != L'\0')
+    if (SbieApi_QueryConf(NULL, L"IpcTrace", 0, wsTraceOptions, sizeof(wsTraceOptions)) == STATUS_SUCCESS && wsTraceOptions[0] != L'\0')
     {
         WCHAR msg[512];
-        Sbie_snwprintf(msg, 512, L"SBIE p=%06d t=%06d RpcBindingFromStringBindingW StringBinding = '%s', BindingHandle = 0x%X, status = 0x%X\n", GetCurrentProcessId(), GetCurrentThreadId(),
-            StringBinding,
-            OutBinding,
-            status);
+
+        //Sbie_snwprintf(msg, 512, L"SBIE p=%06d t=%06d RpcBindingFromStringBindingW StringBinding = '%s', BindingHandle = 0x%X, status = 0x%X\n", GetCurrentProcessId(), GetCurrentThreadId(),
+        Sbie_snwprintf(msg, 512, L"StringBinding = '%s', BindingHandle = 0x%X, status = 0x%08X",
+            StringBinding, OutBinding, status);
+
         //OutputDebugString(msg);
-        SbieApi_MonitorPut(MONITOR_IPC | MONITOR_TRACE, msg);
+        SbieApi_MonitorPut2(MONITOR_IPC | MONITOR_TRACE, msg, FALSE);
     }
     __sys_RpcMgmtSetComTimeout(*OutBinding, RPC_C_BINDING_TIMEOUT);
     return status;
@@ -442,14 +456,14 @@ _FX RPC_STATUS RpcRt_RpcBindingCreateW(
         RPC_CSTR   StringUuid;
 
         __sys_UuidToStringW(&Template->ObjectUuid, &StringUuid);
-        Sbie_snwprintf(msg, 512, L"SBIE p=%06d t=%06d RpcBindingCreateW Endpoint = '%s', UUID = %s, status = 0x%X\n", GetCurrentProcessId(), GetCurrentThreadId(),
+        //Sbie_snwprintf(msg, 512, L"SBIE p=%06d t=%06d RpcBindingCreateW Endpoint = '%s', UUID = %s, status = 0x%X\n", GetCurrentProcessId(), GetCurrentThreadId(),
+        Sbie_snwprintf(msg, 512, L"Endpoint = '%s', UUID = %s, status = 0x%08X", 
             Template && Template->StringEndpoint ? Template->StringEndpoint : L"null",
-            StringUuid,
-            status);
+            StringUuid, status);
         __sys_RpcStringFreeW(&StringUuid);
 
         //OutputDebugString(msg);
-        SbieApi_MonitorPut(MONITOR_IPC | MONITOR_TRACE, msg);
+        SbieApi_MonitorPut2(MONITOR_IPC | MONITOR_TRACE, msg, FALSE);
     }
     __sys_RpcMgmtSetComTimeout(*Binding, RPC_C_BINDING_TIMEOUT);
     return status;

Sandboxie/core/drv/api_flags.h

@@ -41,7 +41,7 @@
 #define DUPLICATE_INHERIT           0x00040000
 #define DUPLICATE_INTO_OTHER        0x00080000  // otherwise DUP_FROM_OTHER
 
-
+#define MONITOR_SYSCALL				0x000B
 #define MONITOR_PIPE                0x011B
 #define MONITOR_IPC                 0x022B
 #define MONITOR_WINCLASS            0x033B
@@ -51,6 +51,12 @@
 #define MONITOR_IMAGE               0x077B
 #define MONITOR_FILE_OR_KEY         0x088B
 #define MONITOR_OTHER				0x099B
+//#define MONITOR_					0x0AAB
+//#define MONITOR_					0x0BBB
+//#define MONITOR_					0x0CCB
+//#define MONITOR_					0x0DDB
+//#define MONITOR_					0x0EEB
+//#define MONITOR_					0x0FFB
 #define MONITOR_OPEN                0x1000
 #define MONITOR_DENY                0x2000
 #define MONITOR_TRACE               0x8000

Sandboxie/core/drv/ipc.c

@@ -210,14 +210,13 @@ _FX BOOLEAN Ipc_Init(void)
             return FALSE;
     }
 
-    // Note: those don't have a special treatment
-    //if (Driver_OsVersion >= DRIVER_WINDOWS_10) {
-    //
-    //    if(!Mem_GetLockResource(&Ipc_Dynamic_Ports[WPAD_PORT].pPortLock, TRUE)
-    //    || !Mem_GetLockResource(&Ipc_Dynamic_Ports[GAME_CONFIG_STORE_PORT].pPortLock, TRUE)
-    //    || !Mem_GetLockResource(&Ipc_Dynamic_Ports[SMART_CARD_PORT].pPortLock, TRUE)
-    //        ) return FALSE;    
-    //}
+    if (Driver_OsVersion >= DRIVER_WINDOWS_10) {
+
+        if(!Mem_GetLockResource(&Ipc_Dynamic_Ports[WPAD_PORT].pPortLock, TRUE)
+        || !Mem_GetLockResource(&Ipc_Dynamic_Ports[GAME_CONFIG_STORE_PORT].pPortLock, TRUE)
+        || !Mem_GetLockResource(&Ipc_Dynamic_Ports[SMART_CARD_PORT].pPortLock, TRUE)
+            ) return FALSE;    
+    }
 
     //
     // finish
@@ -872,34 +871,34 @@ _FX NTSTATUS Ipc_CheckGenericObject(
                 status = STATUS_ACCESS_DENIED;
         }
 
-        // Note: since version 5.46 these are open only per process
-        //else if (!is_open && !is_closed)
-        //{
-        //    int i;
-        //    for (i = 0; i < NUM_DYNAMIC_PORTS; i++)
-        //    {
-        //        if (Ipc_Dynamic_Ports[i].pPortLock)
-        //        {
-        //            KeEnterCriticalRegion();
-        //            ExAcquireResourceSharedLite(Ipc_Dynamic_Ports[i].pPortLock, TRUE);
-        //
-        //            if (*Ipc_Dynamic_Ports[i].wstrPortName
-        //                && (Name->Length >= 32 * sizeof(WCHAR))
-        //                && _wcsicmp(Name->Buffer, Ipc_Dynamic_Ports[i].wstrPortName) == 0)
-        //            {
-        //                // dynamic version of RPC ports, see also ipc_spl.c
-        //                // and RpcBindingFromStringBindingW in core/dll/rpcrt.c
-        //                is_open = TRUE;
-        //            }
-        //
-        //            ExReleaseResourceLite(Ipc_Dynamic_Ports[i].pPortLock);
-        //            KeLeaveCriticalRegion();
-        //
-        //            if (is_open)
-        //                break;
-        //        }
-        //    }
-        //}
+
+        else if (!is_open && !is_closed)
+        {
+            int i;
+            for (i = 0; i < NUM_DYNAMIC_PORTS; i++)
+            {
+                if (Ipc_Dynamic_Ports[i].pPortLock)
+                {
+                    KeEnterCriticalRegion();
+                    ExAcquireResourceSharedLite(Ipc_Dynamic_Ports[i].pPortLock, TRUE);
+
+                    if (*Ipc_Dynamic_Ports[i].wstrPortName
+                        && (Name->Length >= 32 * sizeof(WCHAR))
+                        && _wcsicmp(Name->Buffer, Ipc_Dynamic_Ports[i].wstrPortName) == 0)
+                    {
+                        // dynamic version of RPC ports, see also ipc_spl.c
+                        // and RpcBindingFromStringBindingW in core/dll/rpcrt.c
+                        is_open = TRUE;
+                    }
+
+                    ExReleaseResourceLite(Ipc_Dynamic_Ports[i].pPortLock);
+                    KeLeaveCriticalRegion();
+
+                    if (is_open)
+                        break;
+                }
+            }
+        }
 
         if (is_closed || (! is_open))
             status = STATUS_ACCESS_DENIED;

Sandboxie/core/drv/ipc_lsa.c

@@ -125,7 +125,7 @@ _FX BOOLEAN Ipc_Filter_Lsa_Ep_Msg(UCHAR uMsg)
         WCHAR access_str[24];
         swprintf(access_str, L" Msg: %02X", (ULONG)uMsg);
         const WCHAR* strings[3] = { L"\\RPC Control\\LSARPC_ENDPOINT", access_str, NULL };
-        Session_MonitorPutEx(MONITOR_IPC | (filter ? MONITOR_DENY : MONITOR_OPEN), strings, PsGetCurrentProcessId());
+        Session_MonitorPutEx(MONITOR_IPC | (filter ? MONITOR_DENY : MONITOR_OPEN), strings, NULL, PsGetCurrentProcessId());
     }
 
     return filter;

Sandboxie/core/drv/ipc_spl.c

@@ -71,7 +71,7 @@ static const WCHAR *_rpc_control = L"\\RPC Control";
 //---------------------------------------------------------------------------
 
 // Param 1 is dynamic port name (e.g. "\RPC Control\LRPC-f760d5b40689a98168"), WCHAR[DYNAMIC_PORT_NAME_CHARS]
-// Param 2 is the process PID for which to open the port
+// Param 2 is the process PID for which to open the port, can be 0 when port is special
 // Param 3 is the port type/identifier, can be -1 indicating non special port
 
 _FX NTSTATUS Ipc_Api_OpenDynamicPort(PROCESS* proc, ULONG64* parms)
@@ -109,43 +109,46 @@ _FX NTSTATUS Ipc_Api_OpenDynamicPort(PROCESS* proc, ULONG64* parms)
     if (!NT_SUCCESS(status))
         return status;
 
-    //proc = Process_Find(pArgs->process_id.val, &irql);
-    proc = Process_Find(pArgs->process_id.val, NULL);
-    if (proc && (proc != PROCESS_TERMINATED))
-    {
-        //
-        // When this is a special port save it our global Ipc_Dynamic_Ports structure
-        //
+    //
+    // When this is a special port save it our global Ipc_Dynamic_Ports structure
+    //
 
-        if (ePortType != NUM_DYNAMIC_PORTS && Ipc_Dynamic_Ports[ePortType].pPortLock) 
-        {
-            KeEnterCriticalRegion();
-            ExAcquireResourceExclusiveLite(Ipc_Dynamic_Ports[ePortType].pPortLock, TRUE);
+    if (ePortType != NUM_DYNAMIC_PORTS && Ipc_Dynamic_Ports[ePortType].pPortLock)
+    {
+        KeEnterCriticalRegion();
+        ExAcquireResourceExclusiveLite(Ipc_Dynamic_Ports[ePortType].pPortLock, TRUE);
 
-            wmemcpy(Ipc_Dynamic_Ports[ePortType].wstrPortName, portName, DYNAMIC_PORT_NAME_CHARS);
+        wmemcpy(Ipc_Dynamic_Ports[ePortType].wstrPortName, portName, DYNAMIC_PORT_NAME_CHARS);
 
-            ExReleaseResourceLite(Ipc_Dynamic_Ports[ePortType].pPortLock);
-            KeLeaveCriticalRegion();
-        }
+        ExReleaseResourceLite(Ipc_Dynamic_Ports[ePortType].pPortLock);
+        KeLeaveCriticalRegion();
+    }
 
-        //
-        // Open the port for the selected process
-        //
+    //
+    // Open the port for the selected process
+    //
 
-        KIRQL irql2;
+    if (pArgs->process_id.val != 0)
+    {
+        //proc = Process_Find(pArgs->process_id.val, &irql);
+        proc = Process_Find(pArgs->process_id.val, NULL);
+        if (proc && (proc != PROCESS_TERMINATED))
+        {
+            KIRQL irql2;
 
-        KeRaiseIrql(APC_LEVEL, &irql2);
-        ExAcquireResourceExclusiveLite(proc->ipc_lock, TRUE);
+            KeRaiseIrql(APC_LEVEL, &irql2);
+            ExAcquireResourceExclusiveLite(proc->ipc_lock, TRUE);
 
-        Process_AddPath(proc, &proc->open_ipc_paths, NULL, FALSE, portName, FALSE);
+            Process_AddPath(proc, &proc->open_ipc_paths, NULL, FALSE, portName, FALSE);
 
-        ExReleaseResourceLite(proc->ipc_lock);
-        KeLowerIrql(irql2);
+            ExReleaseResourceLite(proc->ipc_lock);
+            KeLowerIrql(irql2);
+        }
+        else
+            status = STATUS_NOT_FOUND;
+        //ExReleaseResourceLite(Process_ListLock);
+        //KeLowerIrql(irql);
     }
-    else
-        status = STATUS_NOT_FOUND;
-    //ExReleaseResourceLite(Process_ListLock);
-    //KeLowerIrql(irql);
 
     return status;
 }
@@ -476,7 +479,7 @@ _FX BOOLEAN Ipc_Filter_Spooler_Msg(UCHAR uMsg)
         WCHAR access_str[24];
         swprintf(access_str, L" Msg: %02X", (ULONG)uMsg);
         const WCHAR* strings[3] = { L"\\RPC Control\\spoolss", access_str, NULL };
-        Session_MonitorPutEx(MONITOR_IPC | (filter ? MONITOR_DENY : MONITOR_OPEN), strings, PsGetCurrentProcessId());
+        Session_MonitorPutEx(MONITOR_IPC | (filter ? MONITOR_DENY : MONITOR_OPEN), strings, NULL, PsGetCurrentProcessId());
     }
 
     return filter;

Sandboxie/core/drv/log.c

@@ -337,6 +337,6 @@ _FX void Log_Debug_Msg(USHORT type, const WCHAR *string1, const WCHAR *string2)
 	if (Session_MonitorCount) {
 
 		const WCHAR* strings[4] = { string1, L" ", string2, NULL };
-		Session_MonitorPutEx(type | MONITOR_TRACE, strings, PsGetCurrentProcessId());
+		Session_MonitorPutEx(type | MONITOR_TRACE, strings, NULL, PsGetCurrentProcessId());
 	}
 }

Sandboxie/core/drv/process.c

@@ -695,6 +695,7 @@ _FX PROCESS *Process_Create(
     // initialize trace flags
     //
 
+    proc->call_trace = Process_GetTraceFlag(proc, L"CallTrace");
     proc->file_trace = Process_GetTraceFlag(proc, L"FileTrace");
     proc->pipe_trace = Process_GetTraceFlag(proc, L"PipeTrace");
     proc->key_trace  = Process_GetTraceFlag(proc, L"KeyTrace");

Sandboxie/core/drv/process.h

@@ -121,6 +121,8 @@ struct _PROCESS {
 
     UCHAR   create_console_flag;
 
+    ULONG call_trace;
+
     // file-related
 
     PERESOURCE file_lock;