Chrome uses a security sandbox.
Inside the restricted (target) process, access to files, named pipes, process creation, the registry and so on is all subject to sandbox restrictions.
A. DLL loading restrictions
- Loading a DLL from the program's own directory: fails
- Copying a system DLL over and loading it: succeeds
- Modifying that copied DLL (which breaks its signature) and loading it: fails
Tracing shows the failure occurs inside LdrLoadDll.
The related source is TargetNtCreateSection, but the actual restriction is not enforced there: the behaviour (only Microsoft-signed images load) is the Code Integrity Guard process mitigation, which the kernel enforces from the mitigation policy that the sandbox builds out of its mitigation flags at process creation.
ConvertProcessMitigationsToPolicy, the function that builds that policy, can be patched to strip most of the mitigations; after that the DLL loads. The offsets and bytes below are those of the 32-bit chrome.dll build the post was done on; on any other build the function has to be located again.
Original bytes (IDA listing, inside ConvertProcessMitigationsToPolicy):
    .text:00428412 83 F9 05             cmp  ecx, 5
    .text:00428415 0F 8C 1A 01 00 00    jl   loc_428535
    .text:0042841B 89 CE                mov  esi, ecx
    .text:0042841D F6 C3 08             test bl, 8
    .text:00428420 0F 85 6D 01 00 00    jnz  loc_428593
After the patch (the conditional jl becomes an unconditional jmp to the same target; the displacement grows from 1A to 1B because jmp rel32 is 5 bytes long while jl rel32 is 6, and the byte left over is padded with nop):
    00428412 83F9 05       cmp ecx, 5
    00428415 E9 1B010000   jmp 00428535
    0042841A 90            nop
Byte signature to search for in ConvertProcessMitigationsToPolicy, and its replacement (only the first 9 bytes change; the remaining 11 bytes of the signature stay as they are and only serve to make the match unique):
    83F9050F8C1A01000089CEF6C3080F856D010000
    83F905E91B01000090
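As an added example (not code from the original post), the following C program performs the same search-and-replace on an in-memory copy of the image: it locates the 20-byte signature given above and rewrites the 6-byte jl rel32 as a 5-byte jmp rel32 plus nop, recomputing the displacement so the target stays 0x428535. It generalises the post's hand-made patch to any Jcc rel32 (0F 8x disp32). Reading and writing the actual chrome.dll is left out; the demo buffer it patches and the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Signature from the post's IDA listing at .text:00428412:
 *   83 F9 05            cmp  ecx, 5
 *   0F 8C 1A 01 00 00   jl   loc_428535
 *   89 CE               mov  esi, ecx
 *   F6 C3 08            test bl, 8
 *   0F 85 6D 01 00 00   jnz  loc_428593 */
static const uint8_t kPattern[] = {
    0x83, 0xF9, 0x05,
    0x0F, 0x8C, 0x1A, 0x01, 0x00, 0x00,
    0x89, 0xCE,
    0xF6, 0xC3, 0x08,
    0x0F, 0x85, 0x6D, 0x01, 0x00, 0x00 };

/* Expected bytes after the patch, as given in the post:
 *   83 F9 05         cmp ecx, 5
 *   E9 1B 01 00 00   jmp 00428535
 *   90               nop */
static const uint8_t kPatched[] = {
    0x83, 0xF9, 0x05, 0xE9, 0x1B, 0x01, 0x00, 0x00, 0x90 };

/* First occurrence of needle in hay, or -1 when absent. */
long find_pattern(const uint8_t *hay, size_t hay_len,
                  const uint8_t *needle, size_t needle_len) {
    if (needle_len == 0 || hay_len < needle_len) return -1;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return (long)i;
    return -1;
}

/* Rewrite the 6-byte Jcc rel32 (0F 8x disp32) at buf+off as jmp rel32 (E9
 * disp32) followed by nop.  A rel32 is relative to the end of its own
 * encoding; the jmp ends one byte earlier than the Jcc did, so the
 * displacement must grow by 1 to keep the same target.
 * Returns 0 on success, -1 if out of range, -2 if the bytes are not a Jcc. */
int jcc_to_jmp(uint8_t *buf, size_t len, size_t off) {
    if (off + 6 > len) return -1;
    if (buf[off] != 0x0F || (buf[off + 1] & 0xF0) != 0x80) return -2;
    uint32_t disp = (uint32_t)buf[off + 2]
                  | ((uint32_t)buf[off + 3] << 8)
                  | ((uint32_t)buf[off + 4] << 16)
                  | ((uint32_t)buf[off + 5] << 24);   /* little-endian disp32 */
    disp += 1;                       /* two's complement: negative disps wrap correctly */
    buf[off]     = 0xE9;
    buf[off + 1] = (uint8_t)(disp);
    buf[off + 2] = (uint8_t)(disp >> 8);
    buf[off + 3] = (uint8_t)(disp >> 16);
    buf[off + 4] = (uint8_t)(disp >> 24);
    buf[off + 5] = 0x90;             /* nop fills the byte the shorter jmp left over */
    return 0;
}

/* Locate the signature in an image copy and convert its jl into a jmp.
 * Returns 0 on success, -1 if the signature is not found. */
int patch_convert_mitigations(uint8_t *image, size_t len) {
    long off = find_pattern(image, len, kPattern, sizeof kPattern);
    if (off < 0) return -1;
    return jcc_to_jmp(image, len, (size_t)off + 3);  /* +3 skips "cmp ecx, 5" */
}

int main(void) {
    /* Constructed demo image: filler bytes around the signature. */
    uint8_t image[64];
    memset(image, 0xCC, sizeof image);
    memcpy(image + 17, kPattern, sizeof kPattern);
    int rc = patch_convert_mitigations(image, sizeof image);
    printf("patch rc=%d, bytes at signature:", rc);
    for (size_t i = 0; i < sizeof kPatched; i++) printf(" %02X", image[17 + i]);
    printf("\n");
    return rc == 0 ? 0 : 1;
}
```

To patch a real file, read chrome.dll into a buffer, run patch_convert_mitigations over it and write the result back; the two-stage check (exact 20-byte signature, then a sanity check that the bytes at the jump really are a Jcc) means a build with different code at that spot is refused rather than corrupted.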
B. File access restrictions
- The related interception is TargetNtCreateFile
- The rules that are actually checked are the ones added through PolicyBase::AddRuleInternal
The PolicyBase constructor can be hooked: after the original constructor has run, call AddRuleInternal to add whichever rules are wanted. The hook below (which relies on the author's AsmHook and NSys helper libraries) whitelists V:\ for the sandboxed process.
// Prototypes for the two PolicyBase members the hook calls. They are thiscall
// (ecx = this); declaring them __fastcall with a dummy edx lets them be called
// from C++. SUBSYS_FILES / FILES_ALLOW_ANY come from Chromium's
// sandbox/win/src/sandbox_policy.h.
int __fastcall PolicyBaseCstru(void *PolicyBase, void *edx);
int __fastcall PolicyBaseAddRuleInternal(void *PolicyBase, void *edx,
                                         int subsystem, int semantics,
                                         const wchar_t *pattern);

AsmHook::HOOK_INFO Info_PolicyBaseCstru;

// Hook on the PolicyBase constructor: run the original, then add our own
// file rules before Chrome adds its own.
BOOL WINAPIV Hook_PolicyBaseCstru(VOID *pUserParam, AsmHook::PUSHAD_DAT *pReg)
{
    CChrome *pThis = (CChrome *)pUserParam;   // hook context, unused here
    void *PolicyBase = (void *)pReg->Ecx;     // this pointer of the PolicyBase being constructed
    void *edx = NULL;                         // dummy second register for __fastcall
    int nRetVal;

    // Call the original constructor first so the object is fully initialised.
    decltype(&PolicyBaseCstru) fun;
    AsmHook::GetClassOrgFun(pReg, &Info_PolicyBaseCstru, &fun);
    int nCtorRet = fun(PolicyBase, edx);

    // AddRuleInternal is virtual; slot 24 in this build's vtable.
    decltype(&PolicyBaseAddRuleInternal) funAddRuleInternal;
    funAddRuleInternal = (decltype(&PolicyBaseAddRuleInternal))NSys::GetClassVirFun(PolicyBase, 24);

    // Allow any access to V:\ itself, to everything beneath it, and to V:\test.
    nRetVal = funAddRuleInternal(PolicyBase, edx, SUBSYS_FILES, FILES_ALLOW_ANY, L"V:\\");
    nRetVal = funAddRuleInternal(PolicyBase, edx, SUBSYS_FILES, FILES_ALLOW_ANY, L"V:\\*");
    nRetVal = funAddRuleInternal(PolicyBase, edx, SUBSYS_FILES, FILES_ALLOW_ANY, L"V:\\test");
    (void)nRetVal;

    // Hand the constructor's own return value (this, in eax) back to the caller,
    // not the result of the last AddRuleInternal call.
    return AsmHook::SetReturn(pReg, nCtorRet);
}
From: https://www.cnblogs.com/zzz3265/p/18006119