https://bugs.winehq.org/show_bug.cgi?id=45133
Bug ID: 45133
Summary: NewProcessFromToken tool (.NET app) from Google sandbox-attacksurface-analysis-tools v1.1.x wants 'ntdll.NtQueryInformationProcess' to support 'ProcessSessionInformation'
Product: Wine
Version: 3.7
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
needed by 'NewProcessFromToken' .NET-based app from https://github.com/google/sandbox-attacksurface-analysis-tools
--- quote ---
sandbox-attacksurface-analysis-tools
(c) Google Inc. 2015, 2016, 2017, 2018 Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an inherited object.
--- quote ---
It's actually a pretty neat "testsuite" for native API, Wine could benefit from it.
Prerequisite:
* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'
NOTE: needs at least one running process (Windows pids -> command line)
--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000033 1        'notepad.exe'
 00000013 4        'explorer.exe'
 0000000e 5        'services.exe'
 00000028 4        _ 'winedevice.exe'
 00000023 3        _ 'plugplay.exe'
 0000001b 4        _ 'winedevice.exe'
--- snip ---
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll wine ./NewProcessFromToken.exe -p 51 notepad.exe > log.txt 2>&1
...
004f:Call ntdll.NtQueryInformationProcess(0000014c,00000018,0011e300,00000004,0032f39c) ret=03f67d78
004f:trace:ntdll:NtQueryInformationProcess (0x14c,0x00000018,0x11e300,0x00000004,0x32f39c)
004f:fixme:ntdll:NtQueryInformationProcess (process=0x14c) Unimplemented information class: ProcessSessionInformation
004f:Ret  ntdll.NtQueryInformationProcess() retval=c0000003 ret=03f67d78
004f:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032f274) ret=00788fdb
004f:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b446ec7 ip=7b446ec7 tid=004f
004f:trace:seh:raise_exception  info[0]=80131600
004f:trace:seh:raise_exception  info[1]=00000000
004f:trace:seh:raise_exception  info[2]=00000000
004f:trace:seh:raise_exception  info[3]=00000000
004f:trace:seh:raise_exception  info[4]=00630000
004f:trace:seh:raise_exception  eax=7b435589 ebx=00000005 ecx=00000000 edx=0032f220 esi=0032f220 edi=0032f1e0
004f:trace:seh:raise_exception  ebp=0032f1b8 esp=0032f154 cs=f7bb0023 ds=32002b es=f7be002b fs=f7be0063 gs=f7be006b flags=00000212
004f:trace:seh:call_vectored_handlers calling handler at 0x7ba398 code=e0434352 flags=1
004f:Call KERNEL32.GetLastError() ret=007ba3c6
004f:Ret  KERNEL32.GetLastError() retval=00000000 ret=007ba3c6
...
004f:Call KERNEL32.CreateProcessW(00000000,010e2280 L"notepad.exe",00000000,00000000,00000000,00080000,00000000,00000000,0032f24c,0032f36c) ret=03f6485b
...
--- snip ---
The failure to query the process session ID is not critical (it will still launch a new process), hence "wants" in the summary.
Source: https://github.com/google/sandbox-attacksurface-analysis-tools/blob/43ab4637...
$ sha1sum Release-v1.1.14.7z 8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a Release-v1.1.14.7z
$ du -sh Release-v1.1.14.7z 384K Release-v1.1.14.7z
$ wine --version wine-3.7-65-ge637a6f0bf
Regards
Anastasius Focht focht@gmx.net changed:
What     | Removed | Added
---------+---------+------
Summary  | NewProcessFromToken tool (.NET app) from Google sandbox-attacksurface-analysis-tools v1.1.x wants 'ntdll.NtQueryInformationProcess' to support 'ProcessSessionInformation' | Multiple applications need 'ntdll.NtQueryInformationProcess' to support 'ProcessSessionInformation' info class (ProcessHacker, NewProcessFromToken)
URL      | | https://github.com/google/sandbox-attacksurface-analysis-tools/releases/download/v1.1.14/Release-v1.1.14.7z
Keywords | | dotnet, download
--- Comment #1 from Anastasius Focht focht@gmx.net --- Hello folks,
widening the summary a bit, 'ProcessHacker' might need this too.
https://github.com/processhacker/processhacker/search?q=ProcessSessionInform...
--- snip ---
/**
 * Gets a process' session ID.
 *
 * \param ProcessHandle A handle to a process. The handle must have
 * PROCESS_QUERY_LIMITED_INFORMATION access.
 * \param SessionId A variable which receives the process' session ID.
 */
FORCEINLINE NTSTATUS PhGetProcessSessionId(
    _In_ HANDLE ProcessHandle,
    _Out_ PULONG SessionId
    )
{
    NTSTATUS status;
    PROCESS_SESSION_INFORMATION sessionInfo;

    status = NtQueryInformationProcess(
        ProcessHandle,
        ProcessSessionInformation,
        &sessionInfo,
        sizeof(PROCESS_SESSION_INFORMATION),
        NULL
        );

    if (NT_SUCCESS(status))
    {
        *SessionId = sessionInfo.SessionId;
    }

    return status;
}
--- snip ---
https://github.com/processhacker/processhacker/search?q=PhGetProcessSessionI...
https://github.com/processhacker/processhacker/search?q=sessionid
Regards
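The callee-side contract that PhGetProcessSessionId() above and the failing relay trace in the report both depend on, as an added example that is not part of this bug report, of Wine or of Process Hacker: a plain-C model of NtQueryInformationProcess(ProcessSessionInformation) that builds without Windows headers. The NTSTATUS values and the PROCESSINFOCLASS number 24 (the 0x18 in the trace) are the real Windows definitions; the process table, the session numbers and the pre/post-fix switch are constructed for the example and do not describe Wine's implementation.

```c
/* Added example, not Wine or Process Hacker code: a user-space model of the
 * NtQueryInformationProcess(ProcessSessionInformation) contract. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;

/* NTSTATUS values as defined in the Windows SDK (ntstatus.h). */
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008L)
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

/* PROCESSINFOCLASS: ProcessSessionInformation is 24, the 0x18 in the relay log. */
enum { ProcessBasicInformation = 0, ProcessSessionInformation = 24 };

typedef struct _PROCESS_SESSION_INFORMATION { ULONG SessionId; } PROCESS_SESSION_INFORMATION;

/* Constructed stand-in for the server-side process list (sample data, not Wine's). */
struct fake_process { uint32_t handle; ULONG pid; ULONG session_id; };
static const struct fake_process g_table[] = {
    { 0x14c, 0x51, 1 },   /* notepad.exe handle/pid from the report; session 1 assumed */
    { 0x150, 0x0e, 0 },   /* services.exe placed in session 0 for contrast; assumed */
};

/* 1 models Wine with the class implemented, 0 models Wine 3.7 where it was not. */
static int g_session_class_implemented = 1;

static NTSTATUS model_NtQueryInformationProcess(uint32_t handle, int info_class,
                                                void *info, ULONG size, ULONG *ret_len)
{
    const struct fake_process *p = NULL;
    for (size_t i = 0; i < sizeof g_table / sizeof g_table[0]; i++)
        if (g_table[i].handle == handle) { p = &g_table[i]; break; }
    if (!p) return STATUS_INVALID_HANDLE;

    if (info_class == ProcessSessionInformation && g_session_class_implemented) {
        /* Fixed-size class: report the required length (ReturnLength is optional,
         * Process Hacker passes NULL), then reject any other buffer size. */
        if (ret_len) *ret_len = sizeof(PROCESS_SESSION_INFORMATION);
        if (size != sizeof(PROCESS_SESSION_INFORMATION)) return STATUS_INFO_LENGTH_MISMATCH;
        ((PROCESS_SESSION_INFORMATION *)info)->SessionId = p->session_id;
        return STATUS_SUCCESS;
    }
    /* Any class the model does not handle, including 0x18 before the fix. */
    return STATUS_INVALID_INFO_CLASS;
}

/* Same shape as PhGetProcessSessionId(): copy SessionId only after NT_SUCCESS(),
 * otherwise the caller would read an uninitialised stack value as the session. */
static NTSTATUS get_session_id(uint32_t handle, ULONG *session_id)
{
    PROCESS_SESSION_INFORMATION si;
    NTSTATUS status = model_NtQueryInformationProcess(handle, ProcessSessionInformation,
                                                      &si, sizeof si, NULL);
    if (NT_SUCCESS(status)) *session_id = si.SessionId;
    return status;
}

/* Probes for stand-alone checks. probe_session returns 0xFFFFFFFF on failure. */
static NTSTATUS probe_status(uint32_t handle, int implemented)
{
    ULONG sid;
    g_session_class_implemented = implemented;
    return get_session_id(handle, &sid);
}
static ULONG probe_session(uint32_t handle, int implemented)
{
    ULONG sid = 0xFFFFFFFFu;
    g_session_class_implemented = implemented;
    get_session_id(handle, &sid);
    return sid;
}
static NTSTATUS probe_short_buffer(uint32_t handle, ULONG size)
{
    PROCESS_SESSION_INFORMATION si;
    g_session_class_implemented = 1;
    return model_NtQueryInformationProcess(handle, ProcessSessionInformation, &si, size, NULL);
}
static ULONG required_length(uint32_t handle)
{
    PROCESS_SESSION_INFORMATION si;
    ULONG len = 0;
    g_session_class_implemented = 1;
    model_NtQueryInformationProcess(handle, ProcessSessionInformation, &si, 0, &len);
    return len;
}

/* Decode the retval= field of a +relay line into the NTSTATUS name. */
static const char *status_name(NTSTATUS st)
{
    switch ((uint32_t)st) {
    case 0x00000000u: return "STATUS_SUCCESS";
    case 0xC0000003u: return "STATUS_INVALID_INFO_CLASS";
    case 0xC0000004u: return "STATUS_INFO_LENGTH_MISMATCH";
    case 0xC0000008u: return "STATUS_INVALID_HANDLE";
    default:          return "(not in this table)";
    }
}

int main(void)
{
    for (int impl = 0; impl <= 1; impl++)
        printf("%s: NtQueryInformationProcess(0x14c, 0x18) -> %s, session %lu\n",
               impl ? "fixed" : "3.7  ", status_name(probe_status(0x14c, impl)),
               (unsigned long)probe_session(0x14c, impl));
    printf("relay retval=c0000003 decodes to %s\n", status_name((NTSTATUS)0xC0000003L));
    return 0;
}
```

Run as-is it prints the pre-fix and post-fix outcome for the notepad.exe handle from the report and decodes retval=c0000003 to STATUS_INVALID_INFO_CLASS, the status the "Unimplemented information class" fixme in the trace corresponds to; the model also shows why PhGetProcessSessionId() passing exactly sizeof(PROCESS_SESSION_INFORMATION) matters, since a fixed-size class answers any other length with STATUS_INFO_LENGTH_MISMATCH.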
tokktokk fdsfgs@krutt.org changed:
What | Removed | Added
-----+---------+------
CC   | | fdsfgs@krutt.org
dmex04@gmail.com changed:
What | Removed | Added
-----+---------+------
CC   | | dmex04@gmail.com
Anastasius Focht focht@gmx.net changed:
What     | Removed | Added
---------+---------+------
Keywords | | source
URL      | https://github.com/google/sandbox-attacksurface-analysis-tools/releases/download/v1.1.14/Release-v1.1.14.7z | https://web.archive.org/web/20210117130822/https://github.com/google/sandbox-attacksurface-analysis-tools/releases/download/v1.1.14/Release-v1.1.14.7z
--- Comment #2 from Anastasius Focht focht@gmx.net --- Hello folks,
revisiting, obviously still present.
Adding stable download link via Internet Archive.
https://web.archive.org/web/20210117130822/https://github.com/google/sandbox...
Wine source:
https://source.winehq.org/git/wine.git/blob/00401d2278298d151b555fcdffb15bb2...
$ wine --version wine-6.0-40-g00401d22782
Regards
Alex Henrie alexhenrie24@gmail.com changed:
What | Removed | Added
-----+---------+------
CC   | | alexhenrie24@gmail.com
--- Comment #3 from Alex Henrie alexhenrie24@gmail.com --- NtQueryInformationProcess(ProcessSessionInformation) was implemented in https://source.winehq.org/git/wine.git/commitdiff/bf4105b731b84c053c20796ad1... - are there any remaining problems with it?
Anastasius Focht focht@gmx.net changed:
What          | Removed | Added
--------------+---------+------
Status        | NEW | RESOLVED
Resolution    | --- | FIXED
Fixed by SHA1 | | bf4105b731b84c053c20796ad122f229fa3889ec
--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/bf4105b731b84c053c20796ad1... ("ntdll: Implement NtQueryInformationProcess(ProcessSessionInformation).").
Part of Wine 6.12 release.
Thanks Alexandre. Thanks Alex Henrie for the reminder.
--- snip ---
...
0568:Call ntdll.NtQueryInformationProcess(00000158,00000018,002b7050,00000004,0021f3ec) ret=043750f8
0568:Ret  ntdll.NtQueryInformationProcess() retval=00000000 ret=043750f8
0568:Call KERNEL32.GetLastError() ret=0159bc2a
0568:Ret  KERNEL32.GetLastError() retval=00000000 ret=0159bc2a
...
--- snip ---
Process Hacker also shows the session id now if you add it through 'Choose Column' when right-clicking on the process listview header. Previously it was only showing '0'.
$ wine --version wine-6.16-222-g8b9f1e12841
Regards
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
-------+----------+------
Status | RESOLVED | CLOSED
--- Comment #5 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 6.17.