https://bugs.winehq.org/show_bug.cgi?id=45132
Bug ID: 45132
Summary: CommonObjects tool (.NET app) from Google sandbox-attacksurface-analysis-tools v1.1.x needs 'ntdll.NtQuerySystemInformation' to support 'SystemExtendedHandleInformation'
Product: Wine
Version: 3.7
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
needed by 'CommonObjects' .NET-based app from https://github.com/google/sandbox-attacksurface-analysis-tools
--- quote ---
sandbox-attacksurface-analysis-tools
(c) Google Inc. 2015, 2016, 2017, 2018 Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an inherited object.
--- quote ---
It's actually a pretty neat "testsuite" for native API, Wine could benefit from it.
Prerequisite:
* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'
NOTE: needs at least two running processes (Windows pids -> command line)
--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000033 1        'notepad.exe'
 00000013 4        'explorer.exe'
 0000000e 5        'services.exe'
 00000028 4        _ 'winedevice.exe'
 00000023 3        _ 'plugplay.exe'
 0000001b 4        _ 'winedevice.exe'
--- snip ---
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll wine ./CommonObjects.exe -a 17 51 >> log.txt 2>&1
...
005f:Call ntdll.NtQuerySystemInformation(00000040,00193f20,00001008,0032f2fc) ret=0409a210
005f:trace:ntdll:NtQuerySystemInformation (0x00000040,0x193f20,0x00001008,0x32f2fc)
005f:fixme:ntdll:NtQuerySystemInformation (0x00000040,0x193f20,0x00001008,0x32f2fc) stub
005f:Ret ntdll.NtQuerySystemInformation() retval=c0000003 ret=0409a210
005f:Call KERNEL32.GetLastError() ret=0064af80
005f:Ret KERNEL32.GetLastError() retval=00000078 ret=0064af80
...
005f:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032f1d4) ret=00788fdb
005f:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b446ec7 ip=7b446ec7 tid=005f
005f:trace:seh:raise_exception info[0]=80131600
005f:trace:seh:raise_exception info[1]=00000000
005f:trace:seh:raise_exception info[2]=00000000
005f:trace:seh:raise_exception info[3]=00000000
005f:trace:seh:raise_exception info[4]=00630000
005f:trace:seh:raise_exception eax=7b435589 ebx=00000005 ecx=00000000 edx=0032f180 esi=0032f180 edi=0032f140
005f:trace:seh:raise_exception ebp=0032f118 esp=0032f0b4 cs=f7bc0023 ds=32002b es=f7be002b fs=f7be0063 gs=f7be006b flags=00000216
005f:trace:seh:call_vectored_handlers calling handler at 0x7ba398 code=e0434352 flags=1
--- snip ---
Managed backtrace:
--- snip ---
NtApiDotNet.NtException: (0xC0000003) - STATUS_INVALID_INFO_CLASS
   at NtApiDotNet.NtObjectUtils.ToNtException(NtStatus status, Boolean throw_on_error)
   at NtApiDotNet.NtSystemInfo.QuerySystemInfoVariable[T](SystemInformationClass info_class)
   at NtApiDotNet.NtSystemInfo.GetHandles(Int32 pid, Boolean allow_query)
   at CommonObjects.Program.Main(String[] args)
--- snip ---
Source:
https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/N...
https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/N...
Support for this was added here: https://github.com/google/sandbox-attacksurface-analysis-tools/commit/02a6fa... ("Added extended handle information to allow for PIDs larger than 64k.").
Shouldn't be very hard to add. Wine already has the non-ex 'SystemHandleInformation' and 'SYSTEM_HANDLE_ENTRY'.
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/que...
SYSTEM_HANDLE_INFORMATION_EX:
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/hand...
SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX:
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/hand...
$ sha1sum Release-v1.1.14.7z
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a  Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z
384K    Release-v1.1.14.7z

$ wine --version
wine-3.7-65-ge637a6f0bf
Regards
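Added example (not code from the bug report, Wine or the Google tool): the extended handle table layout the links above describe (SYSTEM_HANDLE_INFORMATION_EX / SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, with a pointer-sized process id instead of the 16-bit one that capped the non-extended class at 64k PIDs), the size-retry loop that QuerySystemInfoVariable performs in NtApiDotNet, and a per-PID handle count over the result. The query function, the sample entries and the names fake_query/count_handles_for_pid are assumptions constructed for this example; fake_query answers any class other than 0x40 with STATUS_INVALID_INFO_CLASS, as the Wine stub did for 0x40, so the block compiles without windows.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define STATUS_SUCCESS                  0x00000000u
#define STATUS_INVALID_INFO_CLASS       0xC0000003u /* what the Wine stub returned */
#define STATUS_INFO_LENGTH_MISMATCH     0xC0000004u
#define SystemExtendedHandleInformation 0x40
typedef struct { uintptr_t Object, UniqueProcessId, HandleValue; uint32_t GrantedAccess;
    uint16_t CreatorBackTraceIndex, ObjectTypeIndex; uint32_t HandleAttributes, Reserved;
} HANDLE_ENTRY_EX;  /* SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX: the PID field is pointer-sized, not 16-bit */
typedef struct { uintptr_t NumberOfHandles, Reserved; HANDLE_ENTRY_EX Handles[1]; } HANDLE_INFO_EX;
/* Constructed table: two handles of pid 268 (notepad in the report) and one of pid 0x10104, which
 * a 16-bit process id field would silently truncate to 0x104 (conhost's pid in the report). */
static const HANDLE_ENTRY_EX sample[] = {
    { 0x1000, 268,     0x4, 0x00020003, 0, 1, 0, 0 },
    { 0x1010, 268,     0x8, 0x00100020, 0, 2, 0, 0 },
    { 0x1020, 0x10104, 0x4, 0x00120089, 0, 1, 0, 0 },
};
/* Stand-in for NtQuerySystemInformation with its length-mismatch contract (constructed). */
static uint32_t fake_query(uint32_t cls, void *buf, uint32_t len, uint32_t *need)
{
    if (cls != SystemExtendedHandleInformation) return STATUS_INVALID_INFO_CLASS;
    *need = (uint32_t)(offsetof(HANDLE_INFO_EX, Handles) + sizeof(sample));
    if (len < *need) return STATUS_INFO_LENGTH_MISMATCH;
    HANDLE_INFO_EX *info = buf;
    info->NumberOfHandles = sizeof(sample) / sizeof(sample[0]);
    info->Reserved = 0;
    memcpy(info->Handles, sample, sizeof(sample));
    return STATUS_SUCCESS;
}
/* Grow the buffer until the query fits (as QuerySystemInfoVariable does in the .NET tool),
 * then count the handles owned by pid; -1 on any other NTSTATUS. */
int count_handles_for_pid(uint32_t cls, uintptr_t pid)
{
    uint32_t len = 64, need = 0, status;
    HANDLE_INFO_EX *info = NULL;
    do {   /* retry with the reported size: a real handle table can grow between calls */
        void *p = realloc(info, len);
        if (!p) { free(info); return -1; }
        info = p;
        status = fake_query(cls, info, len, &need);
        len = need;
    } while (status == STATUS_INFO_LENGTH_MISMATCH);
    if (status != STATUS_SUCCESS) { free(info); return -1; }  /* e.g. STATUS_INVALID_INFO_CLASS */
    int n = 0;
    for (uintptr_t i = 0; i < info->NumberOfHandles; i++)
        if (info->Handles[i].UniqueProcessId == pid) n++;
    free(info);
    return n;
}
```

With the class unsupported, the loop exits on the first call and the caller sees -1, which is the path the managed backtrace above took before the fix.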
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
---------+--------+------------------------------------------------------------
Keywords |        |dotnet, download
URL      |        |https://github.com/google/sandbox-attacksurface-analysis-tools/releases/download/v1.1.14/Release-v1.1.14.7z
tokktokk fdsfgs@krutt.org changed:
What |Removed |Added
-----+--------+-----------------
CC   |        |fdsfgs@krutt.org
Anastasius Focht focht@gmx.net changed:
What |Removed                                                                                                   |Added
-----+----------------------------------------------------------------------------------------------------------+------------------------------------------------------------
URL  |https://github.com/google/sandbox-attacksurface-analysis-tools/releases/download/v1.1.14/Release-v1.1.14.7z |https://web.archive.org/web/20210117130822/https://github.com/google/sandbox-attacksurface-analysis-tools/releases/download/v1.1.14/Release-v1.1.14.7z
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, obviously still present.
Adding stable download link via Internet Archive.
https://web.archive.org/web/20210117130822/https://github.com/google/sandbox...
$ wine --version
wine-6.0-40-g00401d22782
Regards
Anastasius Focht focht@gmx.net changed:
What          |Removed  |Added
--------------+---------+-----------------------------------------
Fixed by SHA1 |         |835f5fff7150034139919801444b52a4c0186f44
Status        |NEW      |RESOLVED
Resolution    |---      |FIXED
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/835f5fff715003413991980144... ("ntdll: Implement NtQuerySystemInformation(SystemExtendedHandleInformation).")
Thanks Michael
--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 0000010c 2        'notepad.exe'
 00000114 3        _ 'explorer.exe'
 00000104 2        'conhost.exe'
 00000038 9        'services.exe'
 000000d4 6        _ 'rpcss.exe'
 00000094 6        _ 'winedevice.exe'
 0000007c 5        _ 'plugplay.exe'
 0000005c 4        _ 'winedevice.exe'
 00000044 3        _ 'svchost.exe'
--- snip ---
'notepad.exe' pid 0x10c -> 268
'conhost.exe' pid 0x104 -> 260
--- snip ---
$ wine ./CommonObjects.exe -a 268 260
...
0 Semaphore
268/0x10C 4/0x4 0x00020003
268/0x10C 8/0x8 0x00100020
268/0x10C 12/0xC 0x000F003F
268/0x10C 16/0x10 0x000F003F
268/0x10C 20/0x14 0x000F003F
268/0x10C 24/0x18 0x000F003F
268/0x10C 28/0x1C 0x000F003F
268/0x10C 32/0x20 0x000F003F
268/0x10C 36/0x24 0x000F003F
268/0x10C 40/0x28 0x000F003F
268/0x10C 44/0x2C 0x00000006
268/0x10C 48/0x30 0x001F0001
268/0x10C 52/0x34 0x000F003F
268/0x10C 56/0x38 0x00000006
268/0x10C 60/0x3C 0x0000037F
268/0x10C 64/0x40 0x000001FF
268/0x10C 68/0x44 0x000F003F
268/0x10C 72/0x48 0x000F003F
268/0x10C 76/0x4C 0x000F003F
268/0x10C 80/0x50 0x000F003F
268/0x10C 84/0x54 0x000F003F
268/0x10C 88/0x58 0x001F0003
268/0x10C 92/0x5C 0x00100000
268/0x10C 96/0x60 0x000F003F
268/0x10C 100/0x64 0x000F003F
268/0x10C 104/0x68 0x001F0001
268/0x10C 108/0x6C 0x000F003F
268/0x10C 112/0x70 0x000F003F
268/0x10C 116/0x74 0x00000000
268/0x10C 120/0x78 0x00100000
260/0x104 4/0x4 0x00120089
260/0x104 8/0x8 0x00120116
260/0x104 12/0xC 0x00100018
260/0x104 16/0x10 0x00020003
260/0x104 20/0x14 0x00100020
260/0x104 24/0x18 0x000F003F
260/0x104 28/0x1C 0x000F003F
260/0x104 32/0x20 0x000F003F
260/0x104 36/0x24 0x000F003F
260/0x104 40/0x28 0x000F003F
260/0x104 44/0x2C 0x000F003F
260/0x104 48/0x30 0x000F003F
260/0x104 52/0x34 0x000F003F
260/0x104 56/0x38 0x00000006
260/0x104 60/0x3C 0x001F0001
260/0x104 64/0x40 0x000F003F
260/0x104 68/0x44 0x00000006
260/0x104 72/0x48 0x0000037F
260/0x104 76/0x4C 0x000001FF
260/0x104 80/0x50 0x000F003F
260/0x104 84/0x54 0x000F003F
260/0x104 88/0x58 0x000F003F
260/0x104 92/0x5C 0x001FFFFF
260/0x104 96/0x60 0x001F0003
260/0x104 100/0x64 0x00100000
260/0x104 104/0x68 0x000F003F
260/0x104 108/0x6C 0x000F003F
--- snip ---
$ wine --version
wine-6.2-157-gb8719736c5a
Regards
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
-------+---------+-------
Status |RESOLVED |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.3.
Michael Stefaniuc mstefani@winehq.org changed:
What             |Removed |Added
-----------------+--------+------
Target Milestone |---     |6.0.x
Michael Stefaniuc mstefani@winehq.org changed:
What             |Removed |Added
-----------------+--------+------
Target Milestone |6.0.x   |---
--- Comment #4 from Michael Stefaniuc mstefani@winehq.org ---
Removing the 6.0.x milestone from bug fixes included in 6.0.1.