[Bug 45132] New: CommonObjects tool (.NET app) from Google sandbox-attacksurface-analysis-tools v1.1.x needs 'ntdll.NtQuerySystemInformation' to support 'SystemExtendedHandleInformation'

wine-bugs at winehq.org wine-bugs at winehq.org
Fri May 4 15:17:34 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45132

            Bug ID: 45132
           Summary: CommonObjects tool (.NET app) from Google
                    sandbox-attacksurface-analysis-tools v1.1.x needs
                    'ntdll.NtQuerySystemInformation' to support
                    'SystemExtendedHandleInformation'
           Product: Wine
           Version: 3.7
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

needed by 'CommonObjects' .NET-based app from
https://github.com/google/sandbox-attacksurface-analysis-tools

--- quote ---
sandbox-attacksurface-analysis-tools

(c) Google Inc. 2015, 2016, 2017, 2018
Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on
Windows. Many of the checking tools take a -p flag which is used to specify the
PID of a sandboxed process. The tool will impersonate the token of that process
and determine what access is allowed from that location. Also it's recommended
to run these tools as an administrator or local system to ensure the system can
be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT
object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an
inherited object.
--- quote ---

It's actually a pretty neat "testsuite" for native API, Wine could benefit from
it.

Prerequisite:

* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'

NOTE: needs at least two running processes (Windows pids -> command line)

--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000033 1        'notepad.exe'
 00000013 4        'explorer.exe'
 0000000e 5        'services.exe'
 00000028 4        \_ 'winedevice.exe'
 00000023 3        \_ 'plugplay.exe'
 0000001b 4        \_ 'winedevice.exe'
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll wine ./CommonObjects.exe -a 17 51 >> log.txt 2>&1
...
005f:Call ntdll.NtQuerySystemInformation(00000040,00193f20,00001008,0032f2fc) ret=0409a210
005f:trace:ntdll:NtQuerySystemInformation (0x00000040,0x193f20,0x00001008,0x32f2fc)
005f:fixme:ntdll:NtQuerySystemInformation (0x00000040,0x193f20,0x00001008,0x32f2fc) stub
005f:Ret  ntdll.NtQuerySystemInformation() retval=c0000003 ret=0409a210
005f:Call KERNEL32.GetLastError() ret=0064af80
005f:Ret  KERNEL32.GetLastError() retval=00000078 ret=0064af80
...
005f:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032f1d4) ret=00788fdb
005f:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b446ec7 ip=7b446ec7 tid=005f
005f:trace:seh:raise_exception  info[0]=80131600
005f:trace:seh:raise_exception  info[1]=00000000
005f:trace:seh:raise_exception  info[2]=00000000
005f:trace:seh:raise_exception  info[3]=00000000
005f:trace:seh:raise_exception  info[4]=00630000
005f:trace:seh:raise_exception  eax=7b435589 ebx=00000005 ecx=00000000 edx=0032f180 esi=0032f180 edi=0032f140
005f:trace:seh:raise_exception  ebp=0032f118 esp=0032f0b4 cs=f7bc0023 ds=32002b es=f7be002b fs=f7be0063 gs=f7be006b flags=00000216
005f:trace:seh:call_vectored_handlers calling handler at 0x7ba398 code=e0434352 flags=1
--- snip ---

Managed backtrace:

--- snip ---
NtApiDotNet.NtException: (0xC0000003) - STATUS_INVALID_INFO_CLASS
   at NtApiDotNet.NtObjectUtils.ToNtException(NtStatus status, Boolean throw_on_error)
   at NtApiDotNet.NtSystemInfo.QuerySystemInfoVariable[T](SystemInformationClass info_class)
   at NtApiDotNet.NtSystemInfo.GetHandles(Int32 pid, Boolean allow_query)
   at CommonObjects.Program.Main(String[] args)
--- snip ---

Source:

https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/NtSystemInfo.cs#L824

https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/NtSystemInfo.cs#L860

Support for this was added here:
https://github.com/google/sandbox-attacksurface-analysis-tools/commit/02a6fa0a9f17dd1487e299b96b1a169ca0c20e38
("Added extended handle information to allow for PIDs larger than 64k.").

Shouldn't be very hard to add. Wine already has the non-ex
'SystemHandleInformation' and 'SYSTEM_HANDLE_ENTRY'.

https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/query.htm

SYSTEM_HANDLE_INFORMATION_EX:

http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle_ex.htm

SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX:

http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle_table_entry_ex.htm

$ sha1sum Release-v1.1.14.7z
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a  Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z
384K    Release-v1.1.14.7z

$ wine --version
wine-3.7-65-ge637a6f0bf

Regards
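Added example (not part of the bug report, not Wine code and not code from the sandbox-attacksurface-analysis-tools project): a small C program that shows what the missing info class 0x40 has to deliver. The two extended struct layouts follow the Geoff Chappell pages linked above, written with stdint types so the program builds without windows.h. `query_handles_ex` is a constructed stand-in for the ntdll/kernel side of the call, using the same length protocol (STATUS_INFO_LENGTH_MISMATCH plus required size, then retry) that Wine's non-extended SystemHandleInformation already uses; the three-entry handle table is constructed, with pids 0x13 and 0x33 taken from the `info process` listing and 0x10013 made up to show why the tool moved to the extended class (the non-extended entry keeps the owner pid in a 16-bit field). `count_handles_for_pid` mirrors what `NtSystemInfo.GetHandles(pid, ...)` does with the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values grounded in the report: the relay trace shows info class 0x40 and
   the stub returning STATUS_INVALID_INFO_CLASS (0xC0000003). */
#define SystemExtendedHandleInformation 0x40
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INVALID_INFO_CLASS   0xC0000003u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u

typedef uint32_t NTSTATUS_T;

/* Extended layouts as documented on the Geoff Chappell pages linked in the
   report, expressed with stdint types so this compiles without windows.h. */
typedef struct {
    void     *Object;
    uintptr_t UniqueProcessId;
    uintptr_t HandleValue;
    uint32_t  GrantedAccess;
    uint16_t  CreatorBackTraceIndex;
    uint16_t  ObjectTypeIndex;
    uint32_t  HandleAttributes;
    uint32_t  Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;

typedef struct {
    uintptr_t NumberOfHandles;
    uintptr_t Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; /* NumberOfHandles entries follow */
} SYSTEM_HANDLE_INFORMATION_EX;

/* Bytes a caller must supply for n entries: header plus n entries. */
size_t ex_buffer_size(size_t n)
{
    return offsetof(SYSTEM_HANDLE_INFORMATION_EX, Handles)
         + n * sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX);
}

/* Constructed sample table (not real data): pids 0x13 and 0x33 are the explorer
   and notepad pids from the report's process listing; 0x10013 is a made-up pid
   above 64k. Object pointers and access masks are arbitrary. */
static const SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX sample_entries[] = {
    { (void *)(uintptr_t)0xfffff8a0, 0x13,    0x4, 0x001f0003, 0, 5, 0, 0 },
    { (void *)(uintptr_t)0xfffff8b0, 0x33,    0x8, 0x00100001, 0, 7, 0, 0 },
    { (void *)(uintptr_t)0xfffff8c0, 0x10013, 0xc, 0x001f0003, 0, 5, 0, 0 },
};
#define SAMPLE_COUNT (sizeof(sample_entries) / sizeof(sample_entries[0]))

/* Stand-in for the implementing side of the query (hypothetical, not Wine's code).
   It follows the length protocol Wine's non-extended handle class already uses:
   report the required size and fail with STATUS_INFO_LENGTH_MISMATCH when the
   caller's buffer is too small, so the caller can retry. */
NTSTATUS_T query_handles_ex(uint32_t info_class, void *buf, size_t len, size_t *ret_len)
{
    size_t needed = ex_buffer_size(SAMPLE_COUNT);
    if (info_class != SystemExtendedHandleInformation) return STATUS_INVALID_INFO_CLASS;
    if (ret_len) *ret_len = needed;
    if (!buf || len < needed) return STATUS_INFO_LENGTH_MISMATCH;

    SYSTEM_HANDLE_INFORMATION_EX *info = buf;
    info->NumberOfHandles = SAMPLE_COUNT;
    info->Reserved = 0;
    memcpy(info->Handles, sample_entries, sizeof(sample_entries));
    return STATUS_SUCCESS;
}

/* What GetHandles(pid) does with the table: keep only one process's entries. */
size_t count_handles_for_pid(const SYSTEM_HANDLE_INFORMATION_EX *info, uintptr_t pid)
{
    size_t n = 0;
    for (uintptr_t i = 0; i < info->NumberOfHandles; i++)
        if (info->Handles[i].UniqueProcessId == pid) n++;
    return n;
}

/* Why the tool switched classes: the non-extended entry stores the owner pid in
   a 16-bit field, so a pid above 0xFFFF is silently folded onto a low pid. */
uint16_t legacy_owner_pid(uintptr_t pid)
{
    return (uint16_t)pid;
}

int main(void)
{
    uintptr_t buf[64];          /* word-aligned scratch buffer, plenty for 3 entries */
    size_t needed = 0;

    /* First call with a deliberately small length, then retry at the reported size. */
    NTSTATUS_T st = query_handles_ex(SystemExtendedHandleInformation, buf, 8, &needed);
    printf("first call: 0x%08x, needed %zu bytes\n", st, needed);
    st = query_handles_ex(SystemExtendedHandleInformation, buf, needed, &needed);
    printf("retry: 0x%08x\n", st);

    const SYSTEM_HANDLE_INFORMATION_EX *info = (const SYSTEM_HANDLE_INFORMATION_EX *)buf;
    printf("handles owned by pid 0x13: %zu\n", count_handles_for_pid(info, 0x13));
    printf("handles owned by pid 0x10013: %zu\n", count_handles_for_pid(info, 0x10013));
    printf("pid 0x10013 in the legacy 16-bit field: 0x%x\n", legacy_owner_pid(0x10013));
    return 0;
}
```

The retry loop in `main` is the part a Wine implementation has to get right for this tool: NtApiDotNet's `QuerySystemInfoVariable` grows its buffer on STATUS_INFO_LENGTH_MISMATCH, so an implementation that returns the wrong status or a wrong required length fails just as visibly as the current stub.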
