diff --git a/CHANGELOG.md b/CHANGELOG.md index ba7f1c3a4c..0cd7c43e45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,13 +13,14 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Changed - without an active, non expired, supporter certificate, automatic updates/downloads are not longer available for the stable channel - the autoamtic updater will still work and notify about new stable releases, the user will be guided to visit the download page and download the latest installer manually +- cleanup button is also enabled when not connencted to core ### Fixed - fixed running sandboxed processes located in a imdisk volume [#3472](https://github.com/sandboxie-plus/Sandboxie/discussions/3472) - fixed sample 634d066fd4f9a8b201a3ddf346e880be unable to be terminate on windows 7 x64 [#3482](https://github.com/sandboxie-plus/Sandboxie/issues/3482) - fixed UseNewSymlinkResolver causes applications to create both the link and the target folder [#3481](https://github.com/sandboxie-plus/Sandboxie/issues/3481) - fixed Renaming a sandbox breaks Group hierarchy [#3430](https://github.com/sandboxie-plus/Sandboxie/issues/3430) - +- fixed Encrypted confidential Box + red box preset blocks box access to it's own root directories [#3475](https://github.com/sandboxie-plus/Sandboxie/issues/3475) diff --git a/Sandboxie/core/dll/dll.h b/Sandboxie/core/dll/dll.h index 886def8a33..68543bbaec 100644 --- a/Sandboxie/core/dll/dll.h +++ b/Sandboxie/core/dll/dll.h @@ -266,10 +266,12 @@ extern const WCHAR *Dll_HomeDosPath; //extern ULONG Dll_HomeDosPathLen; extern const WCHAR *Dll_BoxFilePath; +extern const WCHAR *Dll_BoxFileDosPath; extern const WCHAR *Dll_BoxKeyPath; extern const WCHAR *Dll_BoxIpcPath; extern ULONG Dll_BoxFilePathLen; +extern ULONG Dll_BoxFileDosPathLen; extern ULONG Dll_BoxKeyPathLen; extern ULONG Dll_BoxIpcPathLen; extern ULONG Dll_SidStringLen; 
diff --git a/Sandboxie/core/dll/dllmain.c b/Sandboxie/core/dll/dllmain.c index a4b3bc4aa5..86b97c2e3d 100644 --- a/Sandboxie/core/dll/dllmain.c +++ b/Sandboxie/core/dll/dllmain.c @@ -74,10 +74,12 @@ const WCHAR *Dll_HomeDosPath = NULL; //ULONG Dll_HomeDosPathLen = 0; const WCHAR *Dll_BoxFilePath = NULL; +const WCHAR *Dll_BoxFileDosPath = NULL; const WCHAR *Dll_BoxKeyPath = NULL; const WCHAR *Dll_BoxIpcPath = NULL; ULONG Dll_BoxFilePathLen = 0; +ULONG Dll_BoxFileDosPathLen = 0; ULONG Dll_BoxKeyPathLen = 0; ULONG Dll_BoxIpcPathLen = 0; ULONG Dll_SidStringLen = 0; diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index 23b0d836ca..3c8b8981b1 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c @@ -7350,6 +7350,21 @@ _FX BOOLEAN SbieDll_TranslateNtToDosPath(WCHAR *path) } path_len = wcslen(path); + + // + // workaround for hidden box root + // + + if (Dll_BoxFileDosPathLen && Dll_BoxFilePathLen <= path_len && _wcsnicmp(path, Dll_BoxFilePath, Dll_BoxFilePathLen) == 0) + { + wmemmove(path + Dll_BoxFileDosPathLen, path + Dll_BoxFilePathLen, wcslen(path + Dll_BoxFilePathLen) + 1); + wmemcpy(path, Dll_BoxFileDosPath, Dll_BoxFileDosPathLen); + return TRUE; + } + + // + // Find Dos Drive Letter + // drive = File_GetDriveForPath(path, path_len); if (drive) diff --git a/Sandboxie/core/dll/file_init.c b/Sandboxie/core/dll/file_init.c index 459d6e417e..ba939545b6 100644 --- a/Sandboxie/core/dll/file_init.c +++ b/Sandboxie/core/dll/file_init.c 
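Review bot: In Sandboxie/core/dll/file.c, the new workaround in SbieDll_TranslateNtToDosPath rewrites `path` in place, and when `Dll_BoxFileDosPathLen` is larger than `Dll_BoxFilePathLen` the `wmemmove` makes the string longer, yet the function receives no buffer capacity to check against. Callers' buffer sizes are not visible in this hunk, so either skip the rewrite when the DOS prefix is the longer one or document that callers must leave room for the growth. The prefix test also has no boundary check, so unless `Dll_BoxFilePath` always ends in a separator, a sibling path whose name merely extends the box root would be rewritten too. Adding `&& (path[Dll_BoxFilePathLen] == L'\\' || path[Dll_BoxFilePathLen] == L'\0')` to the condition limits the match to the root and its children. The function body starts and ends outside the hunk.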
@@ -176,6 +176,34 @@ _FX BOOLEAN File_Init(void) } } + + Dll_BoxFileDosPath = Dll_Alloc((Dll_BoxFilePathLen + 1) * sizeof(WCHAR)); + wcscpy((WCHAR *)Dll_BoxFileDosPath, Dll_BoxFilePath); + if (!SbieDll_TranslateNtToDosPath((WCHAR *)Dll_BoxFileDosPath) || _wcsnicmp(Dll_BoxFileDosPath, L"\\\\.\\", 4) == 0) + { + Dll_Free((WCHAR *)Dll_BoxFileDosPath); + Dll_BoxFileDosPath = NULL; + + // + // the root is redirected with a reparse point and the target device does not have a drvie letter + // implement workaround, see SbieDll_TranslateNtToDosPath + // + + ULONG BoxFilePathLen = (0x1000 + 1) * sizeof(WCHAR); + WCHAR* BoxFilePathConf = Dll_AllocTemp(BoxFilePathLen); + SbieApi_QueryConf(NULL, L"FileRootPath", 0, BoxFilePathConf, BoxFilePathLen); + + if (SbieDll_TranslateNtToDosPath(BoxFilePathConf)) + { + Dll_BoxFileDosPathLen = wcslen(BoxFilePathConf); + Dll_BoxFileDosPath = Dll_Alloc((Dll_BoxFileDosPathLen + 1) * sizeof(WCHAR)); + wcscpy((WCHAR *)Dll_BoxFileDosPath, BoxFilePathConf); + } + Dll_Free(BoxFilePathConf); + } + else + Dll_BoxFileDosPathLen = wcslen(Dll_BoxFileDosPath); + File_InitSnapshots(); File_InitRecoverFolders(); diff --git a/Sandboxie/core/drv/file.c b/Sandboxie/core/drv/file.c index 0ba9c26e04..10a30e9e14 100644 --- a/Sandboxie/core/drv/file.c +++ b/Sandboxie/core/drv/file.c @@ -1021,7 +1021,8 @@ _FX BOOLEAN File_InitProcess(PROCESS *proc) // make sure the image path does not match a ClosedFilePath setting // - if (ok && proc->image_path && (! proc->image_sbie)) { + if (ok && proc->image_path && (! proc->image_sbie) + && _wcsnicmp(proc->image_path, proc->box->file_path, (proc->box->file_path_len / sizeof(WCHAR)) - 1) != 0) { #ifdef USE_MATCH_PATH_EX ULONG mp_flags = Process_MatchPathEx(proc, proc->image_path, wcslen(proc->image_path), L'f', diff --git a/Sandboxie/core/drv/file_flt.c b/Sandboxie/core/drv/file_flt.c index 618a700226..86c3a01664 100644 --- a/Sandboxie/core/drv/file_flt.c +++ b/Sandboxie/core/drv/file_flt.c 
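Review bot: In File_Init (dll/file_init.c), the result of `SbieApi_QueryConf(NULL, L"FileRootPath", ...)` is discarded, so a failed query leaves `BoxFilePathConf` with whatever `Dll_AllocTemp` returned before it is passed to SbieDll_TranslateNtToDosPath and `wcslen`. Whether that allocation is zeroed is not visible here. Setting `BoxFilePathConf[0] = L'\0';` before the query and only translating when the call succeeded and the string is non-empty keeps the fallback from parsing uninitialised memory. The `L"\\\\.\\"` prefix test would also benefit from a one-line comment saying which translation result it rejects. File_Init continues outside the hunk.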
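Review bot: In File_InitProcess (drv/file.c), the added `_wcsnicmp(proc->image_path, proc->box->file_path, ...) != 0` term skips the ClosedFilePath check for every image whose path merely begins with the box root string, with no test that the match ends on a path separator. An image in a sibling directory whose name extends the box root name would therefore also skip the check. Requiring `proc->image_path[n] == L'\\'` after the match, with `n = proc->box->file_path_len / sizeof(WCHAR) - 1`, restricts the exemption to the box itself. The `- 1` assumes `file_path_len` is a byte count that includes the terminating NUL; that is not visible in this hunk and deserves a comment. The function starts and ends outside the hunk.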
@@ -503,6 +503,11 @@ _FX FLT_PREOP_CALLBACK_STATUS File_PreOperation( && _wcsnicmp(Name->Name.Buffer, root->file_root, root->file_root_len) == 0 ) { + //DbgPrint("IRP_MJ_CREATE: %S\n", root->file_root); + + if (Util_IsProtectedProcess(PsGetCurrentProcessId())) + break; + status = STATUS_ACCESS_DENIED; if (proc && !proc->bHostInject) { diff --git a/Sandboxie/core/drv/thread.c b/Sandboxie/core/drv/thread.c index 78266f5408..0fd69ad30c 100644 --- a/Sandboxie/core/drv/thread.c +++ b/Sandboxie/core/drv/thread.c @@ -1138,36 +1138,6 @@ _FX NTSTATUS Thread_CheckObject_Common( } -//--------------------------------------------------------------------------- -// Thread_IsProtectedProcess -//--------------------------------------------------------------------------- - -NTKERNELAPI BOOLEAN NTAPI PsIsProtectedProcess(_In_ PEPROCESS Process); - -_FX BOOLEAN Thread_IsProtectedProcess(HANDLE pid) -{ - PEPROCESS ProcessObject; - NTSTATUS status; - BOOLEAN ret = FALSE; - - // - // Check if this process is a protected process, - // as protected processes are integral windows processes or trusted antimalware services - // we allow such processes to access even confidential sandboxed programs. - // - - status = PsLookupProcessByProcessId(pid, &ProcessObject); - if (NT_SUCCESS(status)) { - - ret = PsIsProtectedProcess(ProcessObject); - - ObDereferenceObject(ProcessObject); - } - - return ret; -} - - //--------------------------------------------------------------------------- // Thread_CheckObject_CommonEx //--------------------------------------------------------------------------- 
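Review bot: The new `if (Util_IsProtectedProcess(PsGetCurrentProcessId())) break;` in File_PreOperation (drv/file_flt.c) is an access-control exemption for the box root, but nothing at the call site says why it exists, and the commented-out `DbgPrint` above it is leftover debugging. I would drop the DbgPrint line and add `// protected processes (Windows components, trusted antimalware) may open the box root, see Util_IsProtectedProcess`. Which status the `break` leaves behind is outside the hunk, so confirm it is the intended allow path and not an earlier error value. The check concerns the calling process, so a helper that takes the current process object would avoid a PID lookup on each matching create; that is a suggestion only.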
@@ -1232,10 +1202,9 @@ _FX ACCESS_MASK Thread_CheckObject_CommonEx( // if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) { - if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0) + if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || Util_IsProtectedProcess(cur_pid) || (_wcsicmp(nptr, L"conhost.exe") == 0) - || (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0) - || Thread_IsProtectedProcess(cur_pid)) + || (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0)) protect_process = FALSE; } diff --git a/Sandboxie/core/drv/util.c b/Sandboxie/core/drv/util.c index b10c3f44d3..14091c1c4b 100644 --- a/Sandboxie/core/drv/util.c +++ b/Sandboxie/core/drv/util.c @@ -446,6 +446,36 @@ _FX HANDLE Util_GetProcessPidByName(const WCHAR* name) } +//--------------------------------------------------------------------------- +// Util_IsProtectedProcess +//--------------------------------------------------------------------------- + +NTKERNELAPI BOOLEAN NTAPI PsIsProtectedProcess(_In_ PEPROCESS Process); + +_FX BOOLEAN Util_IsProtectedProcess(HANDLE pid) +{ + PEPROCESS ProcessObject; + NTSTATUS status; + BOOLEAN ret = FALSE; + + // + // Check if this process is a protected process, + // as protected processes are integral windows processes or trusted antimalware services + // we allow such processes to access even confidential sandboxed programs. + // + + status = PsLookupProcessByProcessId(pid, &ProcessObject); + if (NT_SUCCESS(status)) { + + ret = PsIsProtectedProcess(ProcessObject); + + ObDereferenceObject(ProcessObject); + } + + return ret; +} + + //--------------------------------------------------------------------------- // Util_GetTime //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/drv/util.h b/Sandboxie/core/drv/util.h index 9044c298f5..af67a5791f 100644 --- a/Sandboxie/core/drv/util.h +++ b/Sandboxie/core/drv/util.h 
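Review bot: In Thread_CheckObject_CommonEx (drv/thread.c), `csrss.exe` is now covered by `Util_IsProtectedProcess(cur_pid)`, but `conhost.exe`, `taskmgr.exe` and `sandman.exe` are still exempted by comparing `nptr` with a bare file name. If `nptr` is only the image base name (its derivation is outside the hunk), the name alone switches `protect_process` to FALSE. A comment stating what else authenticates these callers, or a check on the full path or signer, would make this trust decision reviewable. Also confirm that csrss.exe runs as a protected process on every supported Windows version, since its name-based exemption is removed and the changelog in this commit still mentions Windows 7.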
@@ -109,6 +109,7 @@ NTSTATUS MyValidateCertificate(void); HANDLE Util_GetProcessPidByName(const WCHAR* name); +BOOLEAN Util_IsProtectedProcess(HANDLE pid); LARGE_INTEGER Util_GetTimestamp(void); diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp index 76b5a4b3af..a3c881d8d9 100644 --- a/SandboxiePlus/SandMan/SandMan.cpp +++ b/SandboxiePlus/SandMan/SandMan.cpp @@ -2498,10 +2498,6 @@ void CSandMan::UpdateState() m_pDisableForce->setEnabled(isConnected); m_pDisableForce2->setEnabled(isConnected); - //m_pCleanUpMenu->setEnabled(isConnected); - //m_pCleanUpButton->setEnabled(isConnected); - //m_pKeepTerminated->setEnabled(isConnected); - m_pEditIni->setEnabled(isConnected); if(m_pEditIni2) m_pEditIni2->setEnabled(isConnected); m_pReloadIni->setEnabled(isConnected); @@ -2509,7 +2505,7 @@ void CSandMan::UpdateState() if (m_pNewBoxButton) m_pNewBoxButton->setEnabled(isConnected); if (m_pEditIniButton) m_pEditIniButton->setEnabled(isConnected); - if (m_pCleanUpButton) m_pCleanUpButton->setEnabled(isConnected); + //if (m_pCleanUpButton) m_pCleanUpButton->setEnabled(isConnected); } void CSandMan::OnMenuHover(QAction* action)
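Review bot: In CSandMan::UpdateState (SandMan.cpp), the old `m_pCleanUpButton->setEnabled(isConnected)` call is left behind as a commented-out line, while the first hunk of the same file deletes three similar commented-out lines. Delete the line, or replace it with a why-comment such as `// clean-up stays enabled while disconnected from the core`. Whether the clean-up actions themselves handle the disconnected state is not visible in this hunk and is worth confirming.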