[Bug 45120] New: Multiple applications from Google sandbox-attacksurface-analysis-tools v1.1.x (targeting native API) need 'ntdll.RtlXXXBoundaryDescriptor' implementation

wine-bugs at winehq.org
Wed May 2 17:38:31 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45120

            Bug ID: 45120
           Summary: Multiple applications from Google
                    sandbox-attacksurface-analysis-tools v1.1.x (targeting
                    native API) need 'ntdll.RtlXXXBoundaryDescriptor'
                    implementation
           Product: Wine
           Version: 3.7
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Required by various .NET-based apps from
https://github.com/google/sandbox-attacksurface-analysis-tools

--- quote ---
sandbox-attacksurface-analysis-tools

(c) Google Inc. 2015, 2016, 2017, 2018
Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on
Windows. Many of the checking
tools take a -p flag which is used to specify the PID of a sandboxed process.
The tool will impersonate
the token of that process and determine what access is allowed from that
location. Also it's recommended
to run these tools as an administrator or local system to ensure the system can
be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT
object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an
inherited object.
--- quote ---

It's actually a pretty neat "testsuite" for native API, Wine could benefit from
it. I've already found 20+ bugs within one hour of playing with this (missing
exports, stubs, incomplete + incorrect impl. etc.).
Will create more tickets as time/mood permits ;-)

Prerequisites:

* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'

--- snip ---
$ wine ./ObjectList.exe -r "c:\\"
...
Unhandled Exception: System.EntryPointNotFoundException: Unable to find an
entry point named 'RtlDeleteBoundaryDescriptor' in DLL 'ntdll.dll'.
   at NtApiDotNet.NtRtl.RtlDeleteBoundaryDescriptor(IntPtr BoundaryDescriptor)
   at NtApiDotNet.BoundaryDescriptor.Finalize()
--- snip ---

https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/NtDirectory.cs#L178

--- snip ---
    public static partial class NtRtl
    {
        [DllImport("ntdll.dll")]
        public static extern IntPtr RtlCreateBoundaryDescriptor([In] UnicodeString Name, BoundaryDescriptorFlags Flags);

        [DllImport("ntdll.dll")]
        public static extern NtStatus RtlAddSIDToBoundaryDescriptor(ref IntPtr BoundaryDescriptor, SafeSidBufferHandle RequiredSid);

        [DllImport("ntdll.dll")]
        public static extern NtStatus RtlAddIntegrityLabelToBoundaryDescriptor(ref IntPtr BoundaryDescriptor, SafeSidBufferHandle RequiredSid);

        [DllImport("ntdll.dll")]
        public static extern bool RtlDeleteBoundaryDescriptor(IntPtr BoundaryDescriptor);
    }
--- snip ---

https://github.com/processhacker/processhacker/blob/master/phnt/include/ntrtl.h#L5898

--- snip ---
#if (PHNT_VERSION >= PHNT_VISTA)

// begin_private

NTSYSAPI
PVOID
NTAPI
RtlCreateBoundaryDescriptor(
    _In_ PUNICODE_STRING Name,
    _In_ ULONG Flags
    );

NTSYSAPI
VOID
NTAPI
RtlDeleteBoundaryDescriptor(
    _In_ PVOID BoundaryDescriptor
    );

NTSYSAPI
NTSTATUS
NTAPI
RtlAddSIDToBoundaryDescriptor(
    _Inout_ PVOID *BoundaryDescriptor,
    _In_ PSID RequiredSid
    );

#if (PHNT_VERSION >= PHNT_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlAddIntegrityLabelToBoundaryDescriptor(
    _Inout_ PVOID *BoundaryDescriptor,
    _In_ PSID IntegrityLabel
    );
#endif
--- snip ---

Later various components could forward to ntdll (when implemented).

--- snip ---
$ grep -Hrn BoundaryDescriptor
dlls/kernel32/kernel32.spec:144:# @ stub AddIntegrityLabelToBoundaryDescriptor
dlls/kernel32/kernel32.spec:148:# @ stub AddSIDToBoundaryDescriptor
dlls/kernel32/kernel32.spec:269:# @ stub CreateBoundaryDescriptorA
dlls/kernel32/kernel32.spec:270:# @ stub CreateBoundaryDescriptorW
dlls/kernel32/kernel32.spec:363:# @ stub DeleteBoundaryDescriptor
dlls/api-ms-win-core-namespace-l1-1-0/api-ms-win-core-namespace-l1-1-0.spec:1:@ stub AddSIDToBoundaryDescriptor
dlls/api-ms-win-core-namespace-l1-1-0/api-ms-win-core-namespace-l1-1-0.spec:3:@ stub CreateBoundaryDescriptorW
dlls/api-ms-win-core-namespace-l1-1-0/api-ms-win-core-namespace-l1-1-0.spec:5:@ stub DeleteBoundaryDescriptor
dlls/kernelbase/kernelbase.spec:26:# @ stub AddSIDToBoundaryDescriptor
dlls/kernelbase/kernelbase.spec:176:# @ stub CreateBoundaryDescriptorW
dlls/kernelbase/kernelbase.spec:250:# @ stub DeleteBoundaryDescriptor
--- snip ---

$ sha1sum Release-v1.1.14.7z 
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a  Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z 
384K    Release-v1.1.14.7z

$ wine --version
wine-3.7-50-g8dca6c35e1

Regards
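As an added illustration (not code from this report, from Wine, or from Google's NtApiDotNet), the following C model of the four Rtl*BoundaryDescriptor prototypes quoted above shows what an implementation of the missing exports has to manage: a single growable buffer consisting of a fixed header followed by typed, variable-size entries for the namespace name, each required SID and an optional integrity label. Because appending an entry may move the buffer, the add functions take the descriptor by `PVOID *`, exactly as in the ntrtl.h prototypes. The `UNICODE_STRING`/`SID` stand-ins, the `OBNS_*` entry-type numbering, the header layout and the status codes are assumptions modelled on public reverse-engineered headers such as phnt, not facts from this page; the sample SIDs (Administrators S-1-5-32-544, the Low mandatory label S-1-16-4096, Everyone S-1-1-0) are constructed for the demo. The two inspection helpers at the end are not NT APIs at all; they exist so an auditor can read back which principals a boundary requires.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000D)
#define STATUS_NO_MEMORY          ((NTSTATUS)0xC0000017)

/* Minimal stand-ins for the NT types named in the prototypes (assumed layouts). */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint8_t  Revision, SubAuthorityCount, IdentifierAuthority[6];
    uint32_t SubAuthority[1];   /* SubAuthorityCount entries follow in memory */
} SID;

static size_t sid_length(const SID *sid) { return 8 + 4u * sid->SubAuthorityCount; }

/* Build a SID from its identifier authority and sub-authorities, e.g. (5, {32,544}) = S-1-5-32-544. */
SID *make_sid(uint8_t authority, const uint32_t *subs, uint8_t count)
{
    SID *sid = calloc(1, 8 + 4u * count);
    if (!sid) return NULL;
    sid->Revision = 1;
    sid->SubAuthorityCount = count;
    sid->IdentifierAuthority[5] = authority;
    memcpy(sid->SubAuthority, subs, 4u * count);
    return sid;
}

/* Descriptor = fixed header followed by variable-size entries (assumed layout, after phnt). */
enum { OBNS_Invalid = 0, OBNS_Name = 1, OBNS_SID = 2, OBNS_IL = 3 };
struct boundary_descriptor { uint32_t Version, Items, TotalSize, Flags; };
struct boundary_entry      { uint32_t EntryType, EntrySize; /* payload follows */ };

/* Append one entry. realloc may move the buffer, hence the PVOID* in the NT API. */
static NTSTATUS append_entry(void **desc, uint32_t type, const void *data, size_t len)
{
    struct boundary_descriptor *d = *desc;
    size_t entry_size = (sizeof(struct boundary_entry) + len + 3) & ~(size_t)3; /* 4-byte aligned */
    struct boundary_descriptor *nd = realloc(d, d->TotalSize + entry_size);
    if (!nd) return STATUS_NO_MEMORY;
    struct boundary_entry *e = (struct boundary_entry *)((char *)nd + nd->TotalSize);
    memset(e, 0, entry_size);
    e->EntryType = type;
    e->EntrySize = (uint32_t)entry_size;
    memcpy(e + 1, data, len);
    nd->TotalSize += (uint32_t)entry_size;
    nd->Items++;
    *desc = nd;
    return STATUS_SUCCESS;
}

void *model_RtlCreateBoundaryDescriptor(const UNICODE_STRING *name, uint32_t flags)
{
    if (!name || !name->Buffer) return NULL;
    struct boundary_descriptor *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    d->Version = 1;
    d->TotalSize = sizeof(*d);
    d->Flags = flags;
    void *desc = d;
    if (append_entry(&desc, OBNS_Name, name->Buffer, name->Length) != STATUS_SUCCESS) {
        free(desc);
        return NULL;
    }
    return desc;
}

NTSTATUS model_RtlAddSIDToBoundaryDescriptor(void **desc, const SID *sid)
{
    if (!desc || !*desc || !sid || sid->Revision != 1) return STATUS_INVALID_PARAMETER;
    return append_entry(desc, OBNS_SID, sid, sid_length(sid));
}

NTSTATUS model_RtlAddIntegrityLabelToBoundaryDescriptor(void **desc, const SID *label)
{
    /* A mandatory label is a SID under authority 16; anything else is rejected. */
    if (!desc || !*desc || !label || label->IdentifierAuthority[5] != 16) return STATUS_INVALID_PARAMETER;
    return append_entry(desc, OBNS_IL, label, sid_length(label));
}

void model_RtlDeleteBoundaryDescriptor(void *desc) { free(desc); }

/* Inspection helpers (not NT APIs): count entries of one type, look up a SID, read the size. */
uint32_t model_boundary_count(const void *desc, uint32_t type)
{
    const struct boundary_descriptor *d = desc;
    const char *p = (const char *)d + sizeof(*d), *end = (const char *)d + d->TotalSize;
    uint32_t n = 0;
    for (; p < end; p += ((const struct boundary_entry *)p)->EntrySize)
        if (((const struct boundary_entry *)p)->EntryType == type) n++;
    return n;
}

int model_boundary_contains_sid(const void *desc, const SID *sid)
{
    const struct boundary_descriptor *d = desc;
    const char *p = (const char *)d + sizeof(*d), *end = (const char *)d + d->TotalSize;
    size_t len = sid_length(sid);
    for (; p < end; p += ((const struct boundary_entry *)p)->EntrySize) {
        const struct boundary_entry *e = (const struct boundary_entry *)p;
        if (e->EntryType == OBNS_SID && e->EntrySize - sizeof(*e) >= len && memcmp(e + 1, sid, len) == 0)
            return 1;
    }
    return 0;
}

uint32_t model_boundary_total_size(const void *desc) { return ((const struct boundary_descriptor *)desc)->TotalSize; }

int main(void)
{
    uint16_t chars[] = { 'S', 'b', 'x' };                       /* constructed UTF-16 name "Sbx" */
    UNICODE_STRING name = { sizeof(chars), sizeof(chars), chars };
    uint32_t admins[] = { 32, 544 }, low[] = { 4096 };
    SID *admin = make_sid(5, admins, 2), *label = make_sid(16, low, 1);
    void *desc = model_RtlCreateBoundaryDescriptor(&name, 0);
    model_RtlAddSIDToBoundaryDescriptor(&desc, admin);
    model_RtlAddIntegrityLabelToBoundaryDescriptor(&desc, label);
    printf("descriptor: %u bytes, %u SID entries, %u integrity labels\n",
           model_boundary_total_size(desc), model_boundary_count(desc, OBNS_SID), model_boundary_count(desc, OBNS_IL));
    model_RtlDeleteBoundaryDescriptor(desc);
    free(admin); free(label);
    return 0;
}
```

The point for anyone filling in the Wine stubs is that the descriptor is an opaque, self-describing blob: `kernel32`/`kernelbase` `CreateBoundaryDescriptorW`, `AddSIDToBoundaryDescriptor` and `DeleteBoundaryDescriptor` can forward straight to these Rtl routines once they exist, and tools like ObjectList only need the create/add/delete trio to behave consistently with each other.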
