From 91b70a8e58cedd1cef2913476f82522530165e13 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Thu, 16 Jan 2025 09:28:06 +0100 Subject: [PATCH] 1.15.5 --- Sandboxie/core/dll/dll.h | 1 + Sandboxie/core/dll/dllhook.c | 116 ++++++++++++++++++--------- Sandboxie/core/dll/dllmain.c | 2 + Sandboxie/core/dll/file.c | 36 +++++++-- Sandboxie/core/dll/file_del.c | 4 +- Sandboxie/core/dll/gdi.c | 15 ++-- Sandboxie/core/dll/guimsg.c | 1 + Sandboxie/core/dll/ldr.c | 46 ++++++----- Sandboxie/core/dll/sysinfo.c | 2 +- Sandboxie/core/dll/trace.c | 3 + Sandboxie/core/drv/api_flags.h | 1 + SandboxiePlus/QSbieAPI/SbieTrace.cpp | 3 +- 12 files changed, 153 insertions(+), 77 deletions(-) diff --git a/Sandboxie/core/dll/dll.h b/Sandboxie/core/dll/dll.h index 7c7b9c2622..ef04fe735d 100644 --- a/Sandboxie/core/dll/dll.h +++ b/Sandboxie/core/dll/dll.h @@ -326,6 +326,7 @@ extern const WCHAR *Scm_CryptSvc; extern BOOLEAN Dll_SbieTrace; extern BOOLEAN Dll_ApiTrace; +extern BOOLEAN Dll_FileTrace; //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/dll/dllhook.c b/Sandboxie/core/dll/dllhook.c index e2045b450b..308615601c 100644 --- a/Sandboxie/core/dll/dllhook.c +++ b/Sandboxie/core/dll/dllhook.c @@ -92,6 +92,7 @@ typedef struct _MODULE_HOOK { LIST Dll_ModuleHooks; CRITICAL_SECTION Dll_ModuleHooks_CritSec; +BOOLEAN Dll_HookTrace = FALSE; #ifdef _M_ARM64EC P_NtAllocateVirtualMemoryEx __sys_NtAllocateVirtualMemoryEx = NULL; @@ -111,6 +112,8 @@ _FX void SbieDll_HookInit() InitializeCriticalSection(&Dll_ModuleHooks_CritSec); List_Init(&Dll_ModuleHooks); + Dll_HookTrace = SbieApi_QueryConfBool(NULL, L"HookTrace", FALSE); + #ifdef _M_ARM64EC __sys_NtAllocateVirtualMemoryEx = (P_NtAllocateVirtualMemoryEx)GetProcAddress(Dll_Ntdll, "NtAllocateVirtualMemoryEx"); #endif 
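Review bot: In SbieDll_HookInit the new `HookTrace` switch is read with `SbieApi_QueryConfBool(NULL, L"HookTrace", FALSE)`, while the `FileTrace` switch this same patch adds in trace.c goes through `Config_GetSettingsForImageName_bool`, so the two trace options are probably resolved differently (the helper's name suggests per-image settings; its definition is not in the diff). If the difference is intended, say so above the assignment, for example `// HookTrace is read for the whole box, not per image name`; otherwise use the same helper for both. `Dll_HookTrace` also gets no `extern` in dll.h next to `Dll_FileTrace`, which is fine only while dllhook.c remains its sole user.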
@@ -1055,25 +1058,14 @@ void* SbieDll_Hook_arm( func = (UCHAR *)pbTarget; - RegionBase = &func[-8]; // -8 for hotpatch area if present - RegionSize = 24; + RegionBase = &func[0]; + RegionSize = 16; if (!VirtualProtect(RegionBase, RegionSize, PAGE_EXECUTE_READWRITE, &prot)) { - - // - // if that fails just start at the exact offset and try again - // without the hot patch area which we don't use anyways - // - - RegionBase = &func[0]; - RegionSize = 16; - - if (!VirtualProtect(RegionBase, RegionSize, PAGE_EXECUTE_READWRITE, &prot)) { - ULONG err = GetLastError(); - SbieApi_Log(2303, _fmt2, SourceFuncName, 33, err); - func = NULL; - goto finish; - } + ULONG err = GetLastError(); + SbieApi_Log(2303, _fmt2, SourceFuncName, 33, err); + func = NULL; + goto finish; } // @@ -1145,7 +1137,7 @@ void* SbieDll_Hook_arm( } // - // restore protection and flush instruction cache + // restore protection and fluch instruction cache // VirtualProtect(RegionBase, RegionSize, prot, &dummy_prot); 
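Review bot: The comment changed in the second SbieDll_Hook_arm hunk now reads `fluch` where the old line had `flush`; keep `// restore protection and flush instruction cache`. The patch introduces similar slips in other comments: `there fore` in the SbieDll_HookFunc syscall hunk, `normaly not hooked functions` in SbieDll_Hook, and `this functions are available since windows vista` in Ldr_Init. None of them changes behaviour, but each replaces or adds wording that searches and readers will trip over.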
@@ -1167,22 +1159,29 @@ void* SbieDll_Hook_arm( // SbieDll_HookFunc //--------------------------------------------------------------------------- +#define HOOK_STAT_CHROME 0x00000001 +#define HOOK_STAT_NO_FFS 0x00000002 +#define HOOK_STAT_SKIPPED 0x00000004 +#define HOOK_STAT_TRACE 0x00000100 +#define HOOK_STAT_SYSCALL 0x00000200 // ARM64 EC only +#define HOOK_STAT_INTERESTING 0x000000FF _FX void *SbieDll_HookFunc( - const char *SourceFuncName, void *SourceFunc, void *DetourFunc, HMODULE module) + const char *SourceFuncName, void *SourceFunc, void *DetourFunc, HMODULE module, DWORD* pHookStats) { // // Chrome sandbox support // - //void* OldSourceFunc = SourceFunc; + void* OldSourceFunc = SourceFunc; SourceFunc = Hook_CheckChromeHook(SourceFunc); - //if (OldSourceFunc != SourceFunc) { + if (OldSourceFunc != SourceFunc) { + if (pHookStats) *pHookStats |= HOOK_STAT_CHROME; // WCHAR* ModuleName = Trace_FindModuleByAddress((void*)module); // DbgPrint("Found Chrome Hook on: %S!%s\r\n", ModuleName, SourceFuncName); - //} + } #ifdef _M_ARM64EC @@ -1195,12 +1194,14 @@ _FX void *SbieDll_HookFunc( // // Note: this mechanism is only available during initialization as // at the end of Dll_Ordinal1 we dispose of the syscall/inject data area - // therefore any Nt function hooks must be set up from the get go + // there fore any Nt function hooks must be set up from the get go // extern ULONG* SbieApi_SyscallPtr; if (module == Dll_Ntdll && *(USHORT*)&SourceFuncName[0] == 'tN' && SbieApi_SyscallPtr) { + if (pHookStats) *pHookStats |= HOOK_STAT_SYSCALL; + USHORT index = Hook_GetSysCallIndex(SourceFunc); if (index != 0xFFFF) { @@ -1225,7 +1226,10 @@ _FX void *SbieDll_HookFunc( return SbieDll_Hook_arm(SourceFuncName, SourceFuncEC, DetourFunc, module); } else - SbieApi_Log(2303, _fmt1, SourceFuncName, 69); + { + + if (pHookStats) *pHookStats |= HOOK_STAT_NO_FFS; + } } #endif 
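Review bot: The new `pHookStats` parameter of SbieDll_HookFunc and the `HOOK_STAT_*` flags are undocumented, and the relation between the flags and the `HOOK_STAT_INTERESTING` mask is implicit. A short comment above the defines would help, for example `// low byte (HOOK_STAT_INTERESTING): conditions that are always reported; higher bits are informational`, plus `// pHookStats: optional; flags are OR-ed in and never cleared` on the function. Adding a parameter also changes the signature for every caller; only the call in SbieDll_Hook is updated in this diff, so any other caller or prototype outside it needs the same change.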
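Review bot: With `SbieApi_Log(2303, _fmt1, SourceFuncName, 69)` removed, a missing FFS target is reported only through `*pHookStats`, so a caller that passes NULL gets no trace of it at all. Keeping a fallback preserves the diagnostic: `if (pHookStats) *pHookStats |= HOOK_STAT_NO_FFS; else SbieApi_Log(2303, _fmt1, SourceFuncName, 69);`. The branch sits inside the `_M_ARM64EC` section of SbieDll_HookFunc, whose body starts and ends outside this hunk.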
@@ -1245,19 +1249,14 @@ _FX void *SbieDll_HookFunc( _FX void *SbieDll_Hook( const char *SourceFuncName, void *SourceFunc, void *DetourFunc, HMODULE module) { - if (SbieDll_FuncSkipHook(SourceFuncName)) - return SourceFunc; - const WCHAR* ModuleName = NULL; - if (Dll_SbieTrace || Dll_ApiTrace) { - ModuleName = Trace_FindModuleByAddress((void*)module); - if (!ModuleName) ModuleName = L"unknown"; - } + DWORD HookStats = 0; + void* func = NULL; - if (Dll_SbieTrace) { - WCHAR dbg[1024]; - Sbie_snwprintf(dbg, 1024, L"Hooking%s: %s!%S\r\n", DetourFunc ? L"" : L" (trace)", ModuleName, SourceFuncName); - SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, dbg); + if (SbieDll_FuncSkipHook(SourceFuncName)) { + HookStats = HOOK_STAT_SKIPPED; + func = SourceFunc; + goto finish; } // @@ -1267,6 +1266,11 @@ _FX void *SbieDll_Hook( PDWORD64 pDetourFunc = NULL; if (Dll_ApiTrace) { + if(!DetourFunc) + HookStats |= HOOK_STAT_TRACE; + + ModuleName = Trace_FindModuleByAddress((void*)module); + #ifdef _M_ARM64EC MODULE_HOOK* mod_hook = SbieDll_GetModuleHookAndLock(module, (tzuk & 0xFFFFFF00) | 0xEC); // 0xEC - executable ARM64 Emulation Compatible #else @@ -1298,7 +1302,11 @@ _FX void *SbieDll_Hook( *ip.pQ++ = (ULONG_PTR)DetourFunc; // store full function name - int len = Sbie_snprintf(ip.pB, 96, "%S!%s", ModuleName, SourceFuncName); + int len; + if(ModuleName) + len = Sbie_snprintf(ip.pB, 96, "%S!%s", ModuleName, SourceFuncName); + else + len = Sbie_snprintf(ip.pB, 96, "%s", SourceFuncName); pTrace->name = ip.pB + wcslen(ModuleName) + 1; ip.pB += len + 1; 
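Review bot: The added NULL check covers the `Sbie_snprintf` call, but the unchanged line right after it, `pTrace->name = ip.pB + wcslen(ModuleName) + 1;`, still dereferences `ModuleName` and will fault if `Trace_FindModuleByAddress` returned NULL. The earlier `L"unknown"` fallback was removed in the first SbieDll_Hook hunk, so this path is reachable whenever ApiTrace is on and the module cannot be resolved. In the no-module case the name starts at the beginning of the field, so the line should become `pTrace->name = ModuleName ? ip.pB + wcslen(ModuleName) + 1 : ip.pB;`. `len` is also used unchecked in `ip.pB += len + 1`; a truncated or failed format into the 96-byte field should be handled before the pointer is advanced.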
@@ -1345,10 +1353,10 @@ _FX void *SbieDll_Hook( // install the hook // - void* func = SbieDll_HookFunc(SourceFuncName, SourceFunc, DetourFunc, module); + func = SbieDll_HookFunc(SourceFuncName, SourceFunc, DetourFunc, module, &HookStats); // - // when tracing API calls of functions that are not normally hooked, + // when tracing api calls of normaly not hooked functions, // we did not have an initial detour and have passed NULL // in this case we set the trampoline itself as final detour target // @@ -1358,6 +1366,38 @@ _FX void *SbieDll_Hook( func = NULL; } +finish: + if (Dll_HookTrace || (HookStats & HOOK_STAT_INTERESTING) || !func) { + + if (!ModuleName) + ModuleName = Trace_FindModuleByAddress((void*)module); + + WCHAR dbg[1024]; + WCHAR* dbg_ptr = dbg; + size_t dbg_size = ARRAYSIZE(dbg); + int len = Sbie_snwprintf(dbg_ptr, dbg_size, L"%sHooking%s: %s!%S", + !func ? L"FAILED " : (HookStats & HOOK_STAT_SKIPPED) ? L"Skipped " : L"", + (HookStats & HOOK_STAT_TRACE) ? L" (trace)" : L"", + ModuleName ? ModuleName : L"unknown", + SourceFuncName); + dbg_ptr += len; + dbg_size -= len; + if (HookStats & HOOK_STAT_CHROME) { + len = Sbie_snwprintf(dbg_ptr, dbg_size, L" (Chrome Hooked)"); + dbg_ptr += len; + dbg_size -= len; + } +#ifdef _M_ARM64EC + if (HookStats & HOOK_STAT_NO_FFS) { + len = Sbie_snwprintf(dbg_ptr, dbg_size, L" FFS Target not found, hoocked x86 code instead"); + dbg_ptr += len; + dbg_size -= len; + } +#endif + wcscat(dbg_ptr, L"\r\n"); + SbieApi_MonitorPutMsg(MONITOR_HOOK | MONITOR_TRACE, dbg); + } + return func; } diff --git a/Sandboxie/core/dll/dllmain.c b/Sandboxie/core/dll/dllmain.c index 034844839f..e32caf772e 100644 --- a/Sandboxie/core/dll/dllmain.c +++ b/Sandboxie/core/dll/dllmain.c @@ -97,6 +97,7 @@ BOOLEAN Dll_IsWow64 = FALSE; #endif #ifdef _M_ARM64EC BOOLEAN Dll_IsArm64ec = FALSE; +void* Dll_xtajit64 = NULL; #endif #ifndef _WIN64 BOOLEAN Dll_IsXtAjit = FALSE; 
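Review bot: The message assembly under `finish:` in SbieDll_Hook advances `dbg_ptr` and shrinks `dbg_size` by whatever `Sbie_snwprintf` returns and then appends with an unbounded `wcscat(dbg_ptr, L"\r\n")`. If the formatter reports truncation with a negative value or fills the buffer without a terminator (its definition is not in the diff, so this assumes `_snwprintf`-style behaviour), the pointer arithmetic goes wrong and the final append can write past the 1024-element stack array. Module and function names are normally short, but nothing in this block bounds them. Reserving space for the line ending and clamping each step keeps every write inside `dbg`; the excerpt below shows the shape. The trace string `hoocked x86 code instead` in the ARM64EC branch also contains a typo.

```c
        WCHAR dbg[1024];
        // keep three elements back for L"\r\n" and the terminator
        const size_t room = ARRAYSIZE(dbg) - 3;
        size_t used = 0;
        int len = Sbie_snwprintf(dbg, room, L"%sHooking%s: %s!%S",
            /* … unchanged: the four format arguments … */);
        // a negative or oversized return is treated as "buffer full"
        used = (len < 0 || (size_t)len > room) ? room : (size_t)len;
        if ((HookStats & HOOK_STAT_CHROME) && used < room) {
            len = Sbie_snwprintf(dbg + used, room - used, L" (Chrome Hooked)");
            used = (len < 0 || (size_t)len > room - used) ? room : used + (size_t)len;
        }
        // … unchanged: HOOK_STAT_NO_FFS suffix under _M_ARM64EC, clamped the same way …
        wcscpy(dbg + used, L"\r\n");
        SbieApi_MonitorPutMsg(MONITOR_HOOK | MONITOR_TRACE, dbg);
```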
@@ -815,6 +816,7 @@ _FX VOID Dll_Ordinal1(INJECT_DATA * inject) #endif #ifdef _M_ARM64EC Dll_IsArm64ec = data->flags.is_arm64ec == 1; // x64 on arm64 + Dll_xtajit64 = GetModuleHandle(L"xtajit64.dll"); #endif #ifndef _WIN64 Dll_IsXtAjit = data->flags.is_xtajit == 1; // x86 on arm64 diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index 6dbe1a9a06..d5e7f24224 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c @@ -2498,7 +2498,31 @@ _FX NTSTATUS File_NtOpenFile( ULONG ShareAccess, ULONG OpenOptions) { - NTSTATUS status = File_NtCreateFileImpl( + NTSTATUS status; + +#ifdef _M_ARM64EC + + // + // TODO: Fix-Me: + // In ARM64EC xtajit64.dll calls NtOpenFile and when this happens __chkstk_arm64ec + // crashes causing a stack overflow. To avoid this we call NtOpenFile directly. + // + + extern UINT_PTR Dll_xtajit64; + ULONG_PTR pRetAddr = (ULONG_PTR)_ReturnAddress(); + + if (pRetAddr > Dll_xtajit64 && pRetAddr < Dll_xtajit64 + 0x180000) { + + //SbieApi_Log(2301, L"NtOpenFile bypass on ARM64EC for %S", + // ObjectAttributes && ObjectAttributes->ObjectName && ObjectAttributes->ObjectName->Buffer ? ObjectAttributes->ObjectName->Buffer : L"[UNNAMED]"); + + status = __sys_NtOpenFile( + FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, + ShareAccess, OpenOptions); + } else +#endif + + status = File_NtCreateFileImpl( FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, NULL, 0, ShareAccess, FILE_OPEN, OpenOptions, NULL, 0); @@ -2923,7 +2947,7 @@ _FX NTSTATUS File_NtCreateFileImpl( } } - if (Dll_ApiTrace) { + if (Dll_ApiTrace || Dll_FileTrace) { WCHAR trace_str[2048]; ULONG len = Sbie_snwprintf(trace_str, 2048, L"File_NtCreateFileImpl %s DesiredAccess=0x%08X CreateDisposition=0x%08X CreateOptions=0x%08X", TruePath, DesiredAccess, CreateDisposition, CreateOptions); SbieApi_MonitorPut2Ex(MONITOR_APICALL | MONITOR_TRACE, len, trace_str, FALSE, FALSE); 
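Review bot: The ARM64EC bypass in File_NtOpenFile decides whether an open skips `File_NtCreateFileImpl` from a range test with three weak spots: `Dll_xtajit64` is declared here as `UINT_PTR` but defined in dllmain.c as `void*`, a NULL result from `GetModuleHandle(L"xtajit64.dll")` is not excluded, and the upper bound is a fixed `0x180000` rather than the module's real size. Calls that match go straight to `__sys_NtOpenFile` without the DLL's path handling, so the window should be exactly the mapped image and nothing more; if a build of xtajit64.dll is smaller than the constant, return addresses in whatever is mapped after it would match as well. Reading `SizeOfImage` from the module's PE header (ideally once, where the handle is captured in Dll_Ordinal1) removes the guess. The `TODO: Fix-Me` comment should also state what remains to be fixed, so the bypass is tracked rather than left in place indefinitely.

```c
    extern void* Dll_xtajit64;   // same type as the definition in dllmain.c
    ULONG_PTR xtaBase = (ULONG_PTR)Dll_xtajit64;
    ULONG_PTR pRetAddr = (ULONG_PTR)_ReturnAddress();
    ULONG xtaSize = 0;

    if (xtaBase) {
        // use the mapped image's real size instead of assuming 0x180000
        IMAGE_DOS_HEADER* dos = (IMAGE_DOS_HEADER*)xtaBase;
        IMAGE_NT_HEADERS* nt = (IMAGE_NT_HEADERS*)(xtaBase + dos->e_lfanew);
        xtaSize = nt->OptionalHeader.SizeOfImage;
    }

    if (xtaBase && pRetAddr >= xtaBase && pRetAddr < xtaBase + xtaSize) {
        // … unchanged: direct __sys_NtOpenFile call …
    } else
```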
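Review bot: Enabling these trace blocks through `Dll_FileTrace` makes the unchecked `len` from `Sbie_snwprintf(trace_str, 2048, ...)` matter more: it is passed straight to `SbieApi_MonitorPut2Ex`, and `TruePath` can plausibly be longer than the 2048-element buffer. How the formatter reports truncation is not visible in the diff, so clamp defensively before the call, e.g. `if (len >= 2048) { len = 2047; trace_str[len] = L'\0'; }`. The same pattern recurs in the other four file.c hunks that change `if (Dll_ApiTrace)` (the File_NtCreateFileImpl status trace, both File_NtQueryFullAttributesFileImpl traces, and File_GetFinalPathNameByHandleW); a small helper taking the format and arguments would keep the check in one place. These messages are also still tagged `MONITOR_APICALL`, so a FileTrace-only configuration produces entries typed as API calls.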
@@ -4086,7 +4110,7 @@ _FX NTSTATUS File_NtCreateFileImpl( status = GetExceptionCode(); } - if (Dll_ApiTrace) { + if (Dll_ApiTrace || Dll_FileTrace) { WCHAR trace_str[2048]; ULONG len = Sbie_snwprintf(trace_str, 2048, L"File_NtCreateFileImpl status = 0x%08X", status); SbieApi_MonitorPut2Ex(MONITOR_APICALL | MONITOR_TRACE, len, trace_str, FALSE, FALSE); @@ -5590,7 +5614,7 @@ _FX NTSTATUS File_NtQueryFullAttributesFileImpl( ObjectAttributes->RootDirectory, ObjectAttributes->ObjectName, &TruePath, &CopyPath, &FileFlags); - if (Dll_ApiTrace) { + if (Dll_ApiTrace || Dll_FileTrace) { WCHAR trace_str[2048]; ULONG len = Sbie_snwprintf(trace_str, 2048, L"File_NtQueryFullAttributesFileImpl %s", TruePath); SbieApi_MonitorPut2Ex(MONITOR_APICALL | MONITOR_TRACE, len, trace_str, FALSE, FALSE); @@ -5792,7 +5816,7 @@ _FX NTSTATUS File_NtQueryFullAttributesFileImpl( status = STATUS_OBJECT_NAME_INVALID; } - if (Dll_ApiTrace) { + if (Dll_ApiTrace || Dll_FileTrace) { WCHAR trace_str[2048]; ULONG len = Sbie_snwprintf(trace_str, 2048, L"File_NtQueryFullAttributesFileImpl status = 0x%08X", status); SbieApi_MonitorPut2Ex(MONITOR_APICALL | MONITOR_TRACE, len, trace_str, FALSE, FALSE); @@ -6118,7 +6142,7 @@ _FX ULONG File_GetFinalPathNameByHandleW( err = GetLastError(); } - if (Dll_ApiTrace) { + if (Dll_ApiTrace || Dll_FileTrace) { WCHAR trace_str[2048]; ULONG len = Sbie_snwprintf(trace_str, 2048, L"File_GetFinalPathNameByHandleW %s", lpszFilePath); SbieApi_MonitorPut2Ex(MONITOR_APICALL | MONITOR_TRACE, len, trace_str, FALSE, FALSE); diff --git a/Sandboxie/core/dll/file_del.c b/Sandboxie/core/dll/file_del.c index dd8e352c0e..7a9d3b6fc1 100644 --- a/Sandboxie/core/dll/file_del.c +++ b/Sandboxie/core/dll/file_del.c 
@@ -414,7 +414,7 @@ _FX VOID File_AppendPathEntry_internal(HANDLE hPathsFile, const WCHAR* Path, ULO // write the path WCHAR* PathEx = TranslatePath ? TranslatePath(Path) : NULL; - NtWriteFile(hPathsFile, NULL, NULL, NULL, &IoStatusBlock, PathEx ? PathEx : Path, wcslen(PathEx ? PathEx : Path) * sizeof(WCHAR), NULL, NULL); + NtWriteFile(hPathsFile, NULL, NULL, NULL, &IoStatusBlock, PathEx ? PathEx : (WCHAR*)Path, wcslen(PathEx ? PathEx : Path) * sizeof(WCHAR), NULL, NULL); if (PathEx) Dll_Free(PathEx); // write the flags @@ -427,7 +427,7 @@ _FX VOID File_AppendPathEntry_internal(HANDLE hPathsFile, const WCHAR* Path, ULO NtWriteFile(hPathsFile, NULL, NULL, NULL, &IoStatusBlock, FlagStr, sizeof(WCHAR), NULL, NULL); // write | WCHAR* RelocationEx = TranslatePath ? TranslatePath(Relocation) : NULL; - NtWriteFile(hPathsFile, NULL, NULL, NULL, &IoStatusBlock, RelocationEx ? RelocationEx : Relocation, wcslen(RelocationEx ? RelocationEx : Relocation) * sizeof(WCHAR), NULL, NULL); + NtWriteFile(hPathsFile, NULL, NULL, NULL, &IoStatusBlock, RelocationEx ? RelocationEx : (WCHAR*)Relocation, wcslen(RelocationEx ? RelocationEx : Relocation) * sizeof(WCHAR), NULL, NULL); if (RelocationEx) Dll_Free(RelocationEx); } diff --git a/Sandboxie/core/dll/gdi.c b/Sandboxie/core/dll/gdi.c index 503dd05405..f9dc9cea8e 100644 --- a/Sandboxie/core/dll/gdi.c +++ b/Sandboxie/core/dll/gdi.c 
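Review bot: The `(WCHAR*)Path` and `(WCHAR*)Relocation` casts in File_AppendPathEntry_internal (file_del.c) strip `const` only to make the two arms of the conditional agree, and the conditional is still evaluated twice per call. Selecting the pointer once keeps a single cast at the API boundary: `const WCHAR* Out = PathEx ? PathEx : Path;` followed by `NtWriteFile(hPathsFile, NULL, NULL, NULL, &IoStatusBlock, (PVOID)Out, (ULONG)(wcslen(Out) * sizeof(WCHAR)), NULL, NULL);`. The second hunk (the `Relocation` write) has the same shape. The NtWriteFile status is ignored in both, so a failed or partial write of a path entry goes unnoticed.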
@@ -867,13 +867,20 @@ _FX BOOLEAN Gdi_InitZero(HMODULE module) // ntdll loader, but there are cases where this is not so. // +#if defined(_M_ARM64) || defined(_M_ARM64EC) + GdiDllInitialize = Ldr_GetProcAddrNew(L"gdi32full.dll", L"GdiDllInitialize","GdiDllInitialize"); +#else GdiDllInitialize = Ldr_GetProcAddrNew(DllName_gdi32, L"GdiDllInitialize","GdiDllInitialize"); +#endif if (GdiDllInitialize == Saved_GdiDllInitialize) return TRUE; Saved_GdiDllInitialize = GdiDllInitialize; +#if defined(_M_ARM64) || defined(_M_ARM64EC) + Gdi_GdiDllInitialize = Gdi_GdiDllInitialize_Vista; +#else if (Dll_OsBuild >= 6000) Gdi_GdiDllInitialize = Gdi_GdiDllInitialize_Vista; @@ -883,14 +890,6 @@ _FX BOOLEAN Gdi_InitZero(HMODULE module) } else Gdi_GdiDllInitialize = Gdi_GdiDllInitialize_XP; - -#ifdef _M_ARM64EC - - // - // set module -1 to not try to find the FFS sequence - // - - module = (HMODULE)- 1; #endif SBIEDLL_HOOK(Gdi_,GdiDllInitialize); diff --git a/Sandboxie/core/dll/guimsg.c b/Sandboxie/core/dll/guimsg.c index 968277dfc4..fda72ec08a 100644 --- a/Sandboxie/core/dll/guimsg.c +++ b/Sandboxie/core/dll/guimsg.c @@ -1,5 +1,6 @@ /* * Copyright 2004-2020 Sandboxie Holdings, LLC + * Copyright 2023 David Xanatos, xanasoft.com * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/Sandboxie/core/dll/ldr.c b/Sandboxie/core/dll/ldr.c index e45341ed70..67af3bd426 100644 --- a/Sandboxie/core/dll/ldr.c +++ b/Sandboxie/core/dll/ldr.c @@ -141,7 +141,7 @@ typedef NTSTATUS(*P_LdrQueryImageFileExecutionOptions)( typedef ULONG_PTR(*P_NtApphelpCacheControl)( ULONG_PTR Unknown1, ULONG_PTR Unknown2); -typedef NTSTATUS(*P_NtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus); +//typedef NTSTATUS(*P_NtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus); typedef NTSTATUS(*P_NtLoadDriver)(UNICODE_STRING *RegistryPath); 
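Review bot: The ARM64 branch added to Gdi_InitZero hard-codes `L"gdi32full.dll"` without giving a reason, while the other branch uses the `DllName_gdi32` constant. A comment such as `// ARM64/ARM64EC: GdiDllInitialize is resolved from gdi32full.dll` (extended with the actual reason, which the diff does not state) and a named constant next to `DllName_gdi32` would make the divergence deliberate. The result of `Ldr_GetProcAddrNew` is compared with `Saved_GdiDllInitialize` but not tested for NULL in the lines shown; if the export is absent on some build, the hook below would be attempted on a null address unless code outside the hunk guards it.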
@@ -155,7 +155,7 @@ typedef void(*P_Ldr_CallOneDllCallback)(const UCHAR *ImageNameA, ULONG_PTR Image static P_LdrRegisterDllNotification __sys_LdrRegisterDllNotification = NULL; static P_LdrUnregisterDllNotification __sys_LdrUnregisterDllNotification = NULL; -static P_NtTerminateProcess __sys_NtTerminateProcess = NULL; +//static P_NtTerminateProcess __sys_NtTerminateProcess = NULL; static P_LdrLockLoaderLock __sys_LdrLockLoaderLock = NULL; static P_LdrUnlockLoaderLock __sys_LdrUnlockLoaderLock = NULL; @@ -218,6 +218,7 @@ static DLL Ldr_Dlls[] = { { L"uxtheme.dll", SH32_Init_UxTheme, 0}, // explorer.exe, SetWindowThemeAttribute { L"hnetcfg.dll", HNet_Init, 0}, // firewall workaround { L"winnsi.dll", NsiRpc_Init, 0}, // WININET workaround +// { L"wininet.dll", Wininet_Init, 0}, { L"nsi.dll", Nsi_Init, 0}, { L"advpack.dll", Proc_Init_AdvPack, 0}, // fix for IE { L"dwrite.dll", Scm_DWriteDll, 0}, // hack for IE 9, make sure FontCache is running 
@@ -259,23 +260,23 @@ static BOOLEAN Ldr_DynamicImageDetection = FALSE; #include "ldr_init.c" -NTSTATUS Ldr_NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus) -{ - NTSTATUS rc; - - // ProcessHandle is optional. Unregister callback when current process is terminating - if (!ProcessHandle - || ProcessHandle == NtCurrentProcess() - || GetCurrentProcessId() == GetProcessId(ProcessHandle) - ) - { - __sys_LdrUnregisterDllNotification(LdrLoaderCookie); - } - - rc = __sys_NtTerminateProcess(ProcessHandle, ExitStatus); - - return rc; -} +//NTSTATUS Ldr_NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus) +//{ +// NTSTATUS rc; +// +// // ProcessHandle is optional. Unregister callback when current process is terminating +// if (!ProcessHandle +// || ProcessHandle == NtCurrentProcess() +// || GetCurrentProcessId() == GetProcessId(ProcessHandle) +// ) +// { +// __sys_LdrUnregisterDllNotification(LdrLoaderCookie); +// } +// +// rc = __sys_NtTerminateProcess(ProcessHandle, ExitStatus); +// +// return rc; +//} //--------------------------------------------------------------------------- @@ -432,7 +433,9 @@ _FX BOOLEAN Ldr_Init() if (Dll_OsBuild >= 9600) { // Windows 8.1 and later NTSTATUS rc = 0; - void *NtTerminateProcess = (P_NtTerminateProcess)GetProcAddress(Dll_Ntdll, "NtTerminateProcess"); + //void *NtTerminateProcess = (P_NtTerminateProcess)GetProcAddress(Dll_Ntdll, "NtTerminateProcess"); + + // this functions are available since windows vista __sys_LdrRegisterDllNotification = (P_LdrRegisterDllNotification)GetProcAddress(Dll_Ntdll, "LdrRegisterDllNotification"); __sys_LdrUnregisterDllNotification = (P_LdrUnregisterDllNotification)GetProcAddress(Dll_Ntdll, "LdrUnregisterDllNotification"); @@ -448,7 +451,8 @@ _FX BOOLEAN Ldr_Init() return FALSE; } - SBIEDLL_HOOK(Ldr_, NtTerminateProcess); + // Todo: Fix-Me: this hangs some processes on arm64 + //SBIEDLL_HOOK(Ldr_, NtTerminateProcess); SBIEDLL_HOOK(Ldr_Win10_, LdrLoadDll); } else { // Windows 8 and before 
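Review bot: The NtTerminateProcess hook is disabled for every architecture although the added comment says it only `hangs some processes on arm64`; with `//SBIEDLL_HOOK(Ldr_, NtTerminateProcess);` nothing in the visible code calls `__sys_LdrUnregisterDllNotification(LdrLoaderCookie)` at process exit any more. If the hang is ARM64-specific, guard instead of commenting out: `#if !defined(_M_ARM64) && !defined(_M_ARM64EC)` around the hook, around Ldr_NtTerminateProcess, and around the typedef and `__sys_NtTerminateProcess` pointer that the earlier ldr.c hunks also comment out. Leaving the disabled code as comments across four hunks makes it easy for that path to rot; a preprocessor guard keeps it compiled on the platforms where it still applies.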
diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 4ea3e1da8f..fcbe9be142 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c @@ -246,7 +246,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( // if not set we return no information, 0 length if (RegOpenKeyExW(HKEY_CURRENT_USER, L"System\\SbieCustom", 0, KEY_READ, &hKey) == ERROR_SUCCESS) { if (RegQueryValueExW(hKey, L"SMBiosTable", NULL, &type, (LPBYTE)lpData, &dwLen) != ERROR_SUCCESS) { - dwLen = 0; + dwLen = 0; // In case of failure, reset the length } RegCloseKey(hKey); } diff --git a/Sandboxie/core/dll/trace.c b/Sandboxie/core/dll/trace.c index 94198c4d58..9fc18faa96 100644 --- a/Sandboxie/core/dll/trace.c +++ b/Sandboxie/core/dll/trace.c @@ -66,6 +66,7 @@ static P_OutputDebugString __sys_OutputDebugStringA = NULL; BOOLEAN Dll_SbieTrace = FALSE; BOOLEAN Dll_ApiTrace = FALSE; +BOOLEAN Dll_FileTrace = FALSE; //--------------------------------------------------------------------------- @@ -79,6 +80,8 @@ _FX int Trace_Init(void) Dll_ApiTrace = Config_GetSettingsForImageName_bool(L"ApiTrace", FALSE); + Dll_FileTrace = Config_GetSettingsForImageName_bool(L"FileTrace", FALSE); + if (SbieApi_QueryConfBool(NULL, L"ErrorTrace", FALSE)) { // diff --git a/Sandboxie/core/drv/api_flags.h b/Sandboxie/core/drv/api_flags.h index 7f3fd35aed..7592f45848 100644 --- a/Sandboxie/core/drv/api_flags.h +++ b/Sandboxie/core/drv/api_flags.h @@ -60,6 +60,7 @@ #define MONITOR_APICALL 0x0000000F #define MONITOR_RPC 0x00000010 #define MONITOR_DNS 0x00000011 +#define MONITOR_HOOK 0x00000012 #define MONITOR_TYPE_MASK 0x000000FF #define MONITOR_RESERVED 0x0000FF00 diff --git a/SandboxiePlus/QSbieAPI/SbieTrace.cpp b/SandboxiePlus/QSbieAPI/SbieTrace.cpp index 3fb1702b7b..f79da40f11 100644 --- a/SandboxiePlus/QSbieAPI/SbieTrace.cpp +++ b/SandboxiePlus/QSbieAPI/SbieTrace.cpp 
@@ -113,7 +113,7 @@ QList CTraceEntry::AllTypes() << MONITOR_KEY << MONITOR_FILE << MONITOR_PIPE << MONITOR_IPC << MONITOR_RPC << MONITOR_COMCLASS << MONITOR_RTCLASS << MONITOR_WINCLASS << MONITOR_DRIVE << MONITOR_IGNORE << MONITOR_IMAGE - << MONITOR_NETFW << MONITOR_DNS << MONITOR_SCM << MONITOR_OTHER; + << MONITOR_NETFW << MONITOR_DNS << MONITOR_SCM << MONITOR_HOOK << MONITOR_OTHER; } QString CTraceEntry::GetTypeStr(quint32 Type) @@ -136,6 +136,7 @@ QString CTraceEntry::GetTypeStr(quint32 Type) case MONITOR_NETFW: return "Socket"; break; case MONITOR_DNS: return "Dns"; break; case MONITOR_SCM: return "SCM"; break; // Service Control Manager + case MONITOR_HOOK: return "Hook"; break; case MONITOR_OTHER: return "Debug"; break; default: return QString(); }