https://bugs.winehq.org/show_bug.cgi?id=45133
Bug ID: 45133
Summary: NewProcessFromToken tool (.NET app) from Google sandbox-attacksurface-analysis-tools v1.1.x wants 'ntdll.NtQueryInformationProcess' to support 'ProcessSessionInformation'
Product: Wine
Version: 3.7
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
needed by 'NewProcessFromToken' .NET-based app from https://github.com/google/sandbox-attacksurface-analysis-tools
--- quote ---
sandbox-attacksurface-analysis-tools
(c) Google Inc. 2015, 2016, 2017, 2018 Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an inherited object.
--- quote ---
It's actually a pretty neat "testsuite" for native API, Wine could benefit from it.
Prerequisite:
* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'
NOTE: needs at least one running process (Windows pids -> command line)
--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000033 1        'notepad.exe'
 00000013 4        'explorer.exe'
 0000000e 5        'services.exe'
 00000028 4        \_ 'winedevice.exe'
 00000023 3        \_ 'plugplay.exe'
 0000001b 4        \_ 'winedevice.exe'
--- snip ---
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll wine ./NewProcessFromToken.exe -p 51 notepad.exe >>log.txt 2>&1
...
004f:Call ntdll.NtQueryInformationProcess(0000014c,00000018,0011e300,00000004,0032f39c) ret=03f67d78
004f:trace:ntdll:NtQueryInformationProcess (0x14c,0x00000018,0x11e300,0x00000004,0x32f39c)
004f:fixme:ntdll:NtQueryInformationProcess (process=0x14c) Unimplemented information class: ProcessSessionInformation
004f:Ret ntdll.NtQueryInformationProcess() retval=c0000003 ret=03f67d78
004f:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032f274) ret=00788fdb
004f:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b446ec7 ip=7b446ec7 tid=004f
004f:trace:seh:raise_exception info[0]=80131600
004f:trace:seh:raise_exception info[1]=00000000
004f:trace:seh:raise_exception info[2]=00000000
004f:trace:seh:raise_exception info[3]=00000000
004f:trace:seh:raise_exception info[4]=00630000
004f:trace:seh:raise_exception eax=7b435589 ebx=00000005 ecx=00000000 edx=0032f220 esi=0032f220 edi=0032f1e0
004f:trace:seh:raise_exception ebp=0032f1b8 esp=0032f154 cs=f7bb0023 ds=32002b es=f7be002b fs=f7be0063 gs=f7be006b flags=00000212
004f:trace:seh:call_vectored_handlers calling handler at 0x7ba398 code=e0434352 flags=1
004f:Call KERNEL32.GetLastError() ret=007ba3c6
004f:Ret KERNEL32.GetLastError() retval=00000000 ret=007ba3c6
...
004f:Call KERNEL32.CreateProcessW(00000000,010e2280 L"notepad.exe",00000000,00000000,00000000,00080000,00000000,00000000,0032f24c,0032f36c) ret=03f6485b
...
--- snip ---
The failure to query the process session ID is not critical (it will still launch new process) .. hence "wants" in summary.
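A small triage helper for traces like the one above, added here as an example and not part of the bug report or of the tools it discusses: it pairs each relay Call/Ret of ntdll.NtQueryInformationProcess per thread, decodes the info class argument (0x18 = ProcessSessionInformation), attaches the matching ntdll fixme line, and reports the calls whose NTSTATUS is a failure. The sample log is constructed to mirror the report's lines; the class and status tables are small subsets of the real enumerations.

```python
import re

# Constructed sample: the failing query from the report plus one succeeding call.
SAMPLE_LOG = """\
004f:Call ntdll.NtQueryInformationProcess(0000014c,00000018,0011e300,00000004,0032f39c) ret=03f67d78
004f:trace:ntdll:NtQueryInformationProcess (0x14c,0x00000018,0x11e300,0x00000004,0x32f39c)
004f:fixme:ntdll:NtQueryInformationProcess (process=0x14c) Unimplemented information class: ProcessSessionInformation
004f:Ret  ntdll.NtQueryInformationProcess() retval=c0000003 ret=03f67d78
004f:Call ntdll.NtQueryInformationProcess(0000014c,00000000,0011e310,00000018,0032f39c) ret=03f67d90
004f:Ret  ntdll.NtQueryInformationProcess() retval=00000000 ret=03f67d90
"""

CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call ntdll\.NtQueryInformationProcess\((?P<args>[^)]*)\)")
RET_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Ret\s+ntdll\.NtQueryInformationProcess\(\) retval=(?P<st>[0-9a-f]{8})")
FIXME_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):fixme:ntdll:NtQueryInformationProcess .*information class: (?P<name>\w+)")

# Subsets of PROCESSINFOCLASS and NTSTATUS, enough for the classes seen in this report.
PROCESSINFOCLASS = {0: "ProcessBasicInformation", 7: "ProcessDebugPort",
                    24: "ProcessSessionInformation", 26: "ProcessWow64Information",
                    27: "ProcessImageFileName"}
NTSTATUS = {0x00000000: "STATUS_SUCCESS", 0xC0000003: "STATUS_INVALID_INFO_CLASS",
            0xC0000004: "STATUS_INFO_LENGTH_MISMATCH", 0xC0000022: "STATUS_ACCESS_DENIED"}


def find_failed_queries(log_text):
    """Return one record per NtQueryInformationProcess call whose NTSTATUS is a failure."""
    pending = {}  # tid -> record for the call currently in flight on that thread
    failures = []
    for line in log_text.splitlines():
        m = CALL_RE.match(line)
        if m:  # second relay argument is ProcessInformationClass
            info_class = int(m.group("args").split(",")[1], 16)
            pending[m.group("tid")] = {"tid": m.group("tid"), "info_class": info_class,
                                       "class_name": PROCESSINFOCLASS.get(info_class, f"unknown({info_class})"),
                                       "fixme": None}
            continue
        m = FIXME_RE.match(line)
        if m and m.group("tid") in pending:  # Wine names the class it does not implement
            pending[m.group("tid")]["fixme"] = m.group("name")
            continue
        m = RET_RE.match(line)
        if m and m.group("tid") in pending:
            rec = pending.pop(m.group("tid"))
            status = int(m.group("st"), 16)
            rec["status"] = status
            rec["status_name"] = NTSTATUS.get(status, f"0x{status:08x}")
            if status & 0x80000000:  # NT_SUCCESS is false when the sign bit is set
                failures.append(rec)
    return failures
```

Run it over a real log captured with WINEDEBUG=+relay,+ntdll to list which information classes an application needs that the Wine build under test does not yet implement.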
Source: https://github.com/google/sandbox-attacksurface-analysis-tools/blob/43ab4637...
$ sha1sum Release-v1.1.14.7z
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z
384K Release-v1.1.14.7z

$ wine --version
wine-3.7-65-ge637a6f0bf
Regards