[Bug 45119] New: Multiple applications from Google sandbox-attacksurface-analysis-tools (targeting native API) need 'ntdll.NtGetNextProcess' implementation

https://bugs.winehq.org/show_bug.cgi?id=45119

            Bug ID: 45119
           Summary: Multiple applications from Google
                    sandbox-attacksurface-analysis-tools (targeting native
                    API) need 'ntdll.NtGetNextProcess' implementation
           Product: Wine
           Version: 3.7
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs(a)winehq.org
          Reporter: focht(a)gmx.net
      Distribution: ---

Hello folks,

required by various .NET-based apps from https://github.com/google/sandbox-attacksurface-analysis-tools

--- quote ---
sandbox-attacksurface-analysis-tools

(c) Google Inc. 2015, 2016, 2017, 2018
Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an inherited object.
--- quote ---

It's actually a pretty neat "testsuite" for native API; Wine could benefit from it. I've already found 20+ bugs within one hour of playing with this (missing exports, stubs, incomplete + incorrect impl. etc.). Will create more tickets as time/mood permits ;-)

Prerequisite:

* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'

--- snip ---
$ wine ./TokenViewer.exe
...
Unhandled Exception: System.EntryPointNotFoundException: Unable to find an entry point named 'NtGetNextProcess' in DLL 'ntdll.dll'.
   at NtApiDotNet.NtSystemCalls.NtGetNextProcess(SafeKernelObjectHandle ProcessHandle, ProcessAccessRights DesiredAccess, AttributeFlags HandleAttributes, Int32 Flags, SafeKernelObjectHandle& NewProcessHandle)
   at NtApiDotNet.NtProcess.GetFirstProcess(ProcessAccessRights desired_access)
   at NtApiDotNet.NtProcess.GetProcesses(ProcessAccessRights desired_access, Boolean from_system_info)
   at TokenViewer.MainForm.RefreshProcessList(String filter, Boolean hideUnrestricted)
   at TokenViewer.MainForm..ctor()
   at TokenViewer.Program.Main(String[] args)
--- snip ---

https://github.com/mirror/processhacker/blob/master/2.x/trunk/phlib/include/...

--- snip ---
#if !(PHNT_VERSION >= PHNT_WS03)
typedef NTSTATUS (NTAPI *_NtGetNextProcess)(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG HandleAttributes,
    _In_ ULONG Flags,
    _Out_ PHANDLE NewProcessHandle
    );
...
--- snip ---

$ sha1sum Release-v1.1.14.7z
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a  Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z
384K    Release-v1.1.14.7z

$ wine --version
wine-3.7-50-g8dca6c35e1

Regards

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
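The stack trace shows what TokenViewer actually needs from ntdll: NtProcess.GetFirstProcess starts a walk with NtGetNextProcess and GetProcesses then chains one handle to the next. The following is an added example, not code from Wine or from sandbox-attacksurface-analysis-tools, showing that caller-side pattern in C against the prototype quoted above. It relies on the real NT semantics of the call: a NULL ProcessHandle asks for the first process, every successful call returns a fresh handle that the caller owns and must close, and STATUS_NO_MORE_ENTRIES ends the walk. On Windows it resolves the export at run time, so a missing implementation (the Wine 3.7 situation) is reported instead of aborting the process; on any other platform a constructed four-entry process table with made-up PIDs stands in for the syscall so the loop can be exercised offline. enumerate_processes, fake_NtGetNextProcess, simulated_walk and the PID values are all this example's own names and assumptions.

```c
/* Added example: handle-chaining enumeration on top of NtGetNextProcess.
 * Not Wine or sandbox-attacksurface-analysis-tools code. */
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else
/* Stand-ins so the loop and its simulated backend build off Windows. */
typedef long NTSTATUS;
typedef void *HANDLE;
typedef unsigned long ULONG;
typedef ULONG ACCESS_MASK;
#define NTAPI
#endif
#ifndef PROCESS_QUERY_LIMITED_INFORMATION
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#endif
#ifndef STATUS_NO_MORE_ENTRIES
#define STATUS_NO_MORE_ENTRIES  ((NTSTATUS)0x8000001AL)
#endif

/* Same shape as the Process Hacker prototype quoted in the report. */
typedef NTSTATUS (NTAPI *NtGetNextProcess_t)(HANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Flags,
    HANDLE *NewProcessHandle);
typedef void (*close_handle_t)(HANDLE);
typedef int (*process_cb_t)(HANDLE process, void *ctx); /* nonzero = stop */

/* Walk every process reachable with DesiredAccess. Each success hands back a
 * fresh handle, so the previous one is closed before moving on; forgetting
 * that leaks one handle per process. */
NTSTATUS enumerate_processes(NtGetNextProcess_t next, close_handle_t close_fn,
                             process_cb_t cb, void *ctx, size_t *count)
{
    HANDLE cur = NULL, nxt = NULL;
    NTSTATUS st;
    *count = 0;
    while ((st = next(cur, PROCESS_QUERY_LIMITED_INFORMATION, 0, 0, &nxt)) == STATUS_SUCCESS) {
        if (cur) close_fn(cur);
        cur = nxt;
        (*count)++;
        if (cb && cb(cur, ctx) != 0) break;
    }
    if (cur) close_fn(cur);
    return st == STATUS_NO_MORE_ENTRIES ? STATUS_SUCCESS : st;
}

/* --- Simulated backend: constructed process table, PIDs are made up. --- */
static const ULONG k_fake_pids[] = { 4, 372, 1044, 2200 };
#define FAKE_N (sizeof k_fake_pids / sizeof k_fake_pids[0])
typedef struct { size_t idx; } fake_handle;
static long g_live_handles = 0;  /* leak detector: must be 0 after a walk */

static NTSTATUS NTAPI fake_NtGetNextProcess(HANDLE prev, ACCESS_MASK desired,
    ULONG attrs, ULONG flags, HANDLE *out)
{
    fake_handle *h;
    size_t idx = prev ? ((fake_handle *)prev)->idx + 1 : 0; /* NULL = first */
    (void)desired; (void)attrs; (void)flags;
    *out = NULL;
    if (idx >= FAKE_N) return STATUS_NO_MORE_ENTRIES;
    h = malloc(sizeof *h);
    h->idx = idx;
    g_live_handles++;
    *out = h;
    return STATUS_SUCCESS;
}
static void fake_close(HANDLE h) { free(h); g_live_handles--; }
static ULONG fake_pid(HANDLE h) { return k_fake_pids[((fake_handle *)h)->idx]; }

typedef struct { ULONG pids[8]; size_t n; } pid_list;
static int collect_pid(HANDLE h, void *ctx)
{
    pid_list *l = ctx;
    if (l->n < 8) l->pids[l->n++] = fake_pid(h);
    return 0;
}

/* Walk the simulated table; returns the number of processes visited. */
size_t simulated_walk(pid_list *out)
{
    size_t count = 0;
    out->n = 0;
    enumerate_processes(fake_NtGetNextProcess, fake_close, collect_pid, out, &count);
    return count;
}
long simulated_live_handles(void) { return g_live_handles; }

#ifdef _WIN32
static void real_close(HANDLE h) { CloseHandle(h); }
int main(void)
{
    /* Resolve at run time: an ntdll without the export (Wine 3.7) is then a
     * clean error instead of a load-time failure. */
    NtGetNextProcess_t fn = (NtGetNextProcess_t)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtGetNextProcess");
    size_t n = 0;
    NTSTATUS st;
    if (!fn) { fputs("ntdll.NtGetNextProcess not exported\n", stderr); return 1; }
    st = enumerate_processes(fn, real_close, NULL, NULL, &n);
    printf("status 0x%08lx, %lu processes visible\n", (unsigned long)st, (unsigned long)n);
    return st == STATUS_SUCCESS ? 0 : 1;
}
#else
int main(void)
{
    pid_list l;
    size_t n = simulated_walk(&l);
    printf("%lu simulated processes, %ld handles still open\n", (unsigned long)n, g_live_handles);
    return 0;
}
#endif
```

The process count seen on Windows depends on the token the walk runs under: NtGetNextProcess only yields processes for which the requested access can be granted, which is why the README above recommends running the tools as an administrator or local system.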
https://bugs.winehq.org/show_bug.cgi?id=45119

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dotnet, download
            Summary|Multiple applications from  |Multiple applications from
                   |Google                      |Google
                   |sandbox-attacksurface-analy |sandbox-attacksurface-analy
                   |sis-tools (targeting native |sis-tools v1.1.x (targeting
                   |API) need                   |native API) need
                   |'ntdll.NtGetNextProcess'    |'ntdll.NtGetNextProcess'
                   |implementation              |implementation
                URL|                            |https://github.com/google/s
                   |                            |andbox-attacksurface-analys
                   |                            |is-tools/releases/download/
                   |                            |v1.1.14/Release-v1.1.14.7z
https://bugs.winehq.org/show_bug.cgi?id=45119

tokktokk <fdsfgs(a)krutt.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fdsfgs(a)krutt.org
https://bugs.winehq.org/show_bug.cgi?id=45119

--- Comment #1 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Created attachment 68468
  --> https://bugs.winehq.org/attachment.cgi?id=68468
patch

Attaching here to potentially pick it up later.
https://bugs.winehq.org/show_bug.cgi?id=45119

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
https://bugs.winehq.org/show_bug.cgi?id=45119

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://github.com/google/s |https://web.archive.org/web
                   |andbox-attacksurface-analys |/20210117130822/https://git
                   |is-tools/releases/download/ |hub.com/google/sandbox-atta
                   |v1.1.14/Release-v1.1.14.7z  |cksurface-analysis-tools/re
                   |                            |leases/download/v1.1.14/Rel
                   |                            |ease-v1.1.14.7z
           Keywords|                            |source

--- Comment #2 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

adding stable download link via Internet Archive. Github links are not stable since project (release) assets can be purged/removed at any time. Although the project might have gazillion forks as distributed backup it's better to use something more sensible.

NOTE: To avoid the brain damaged Amazon CDN URL one can prefix the original URL just with the archive.org and snapshot date. When the link is visited, archive.org will go through two 302 hops (wait few seconds in browser) and finally arrive at the CDN link:

https://web.archive.org/web/20210117130822/https://github.com/google/sandbox...

--- snip ---
https://github.com/google/sandbox-attacksurface-analysis-tools/releases/down...
Got an HTTP 301 response at crawl time
Redirecting to...
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/re...
Got an HTTP 302 response at crawl time
Redirecting to...
https://github-production-release-asset-2e65be.s3.amazonaws.com/44787564/2d3...
--- snip ---

https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/bl...
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/bl...

The same problem can be reproduced with newer releases as well.

https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/bl...

$ wine --version
wine-6.0-40-g00401d22782

Regards
https://bugs.winehq.org/show_bug.cgi?id=45119

Alex Henrie <alexhenrie24(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
      Fixed by SHA1|                            |d2b0c4ec8a77d6c42d97e9b37a9
                   |                            |f096759f0b94c
             Status|NEW                         |RESOLVED
                 CC|                            |alexhenrie24(a)gmail.com

--- Comment #3 from Alex Henrie <alexhenrie24(a)gmail.com> ---
Fixed by https://gitlab.winehq.org/wine/wine/-/commit/d2b0c4ec8a77d6c42d97e9b37a9f096...

Thanks Etaash!
https://bugs.winehq.org/show_bug.cgi?id=45119

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 10.3.