[Bug 45133] New: NewProcessFromToken tool (.NET app) from Google sandbox-attacksurface-analysis-tools v1.1.x wants 'ntdll.NtQueryInformationProcess' to support 'ProcessSessionInformation'

wine-bugs at winehq.org
Fri May 4 15:42:39 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45133

            Bug ID: 45133
           Summary: NewProcessFromToken tool (.NET app) from Google
                    sandbox-attacksurface-analysis-tools v1.1.x wants
                    'ntdll.NtQueryInformationProcess' to support
                    'ProcessSessionInformation'
           Product: Wine
           Version: 3.7
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

needed by 'NewProcessFromToken' .NET-based app from
https://github.com/google/sandbox-attacksurface-analysis-tools

--- quote ---
sandbox-attacksurface-analysis-tools

(c) Google Inc. 2015, 2016, 2017, 2018
Developed by James Forshaw

This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.

CheckExeManifest: Check for specific executable manifest flags.
CheckNetworkAccess: Check access to network stack.
NewProcessFromToken: Create a new process based on existing token.
TokenView: View and manipulate various process token values.
NtApiDotNet: A basic managed library to access NT system calls and objects.
NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT object manager.
ViewSecurityDescriptor: View the security descriptor from an SDDL string or an inherited object.
--- quote ---

It's actually a pretty neat "testsuite" for the native API; Wine could benefit from it.

Prerequisite:

* 32-bit WINEPREFIX
* .NET Framework 4.5 -> 'winetricks -q dotnet45'

NOTE: needs at least one running process (Windows pids -> command line)

--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000033 1        'notepad.exe'
 00000013 4        'explorer.exe'
 0000000e 5        'services.exe'
 00000028 4        \_ 'winedevice.exe'
 00000023 3        \_ 'plugplay.exe'
 0000001b 4        \_ 'winedevice.exe'
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll wine ./NewProcessFromToken.exe -p 51 notepad.exe >>log.txt 2>&1
...
004f:Call ntdll.NtQueryInformationProcess(0000014c,00000018,0011e300,00000004,0032f39c) ret=03f67d78
004f:trace:ntdll:NtQueryInformationProcess (0x14c,0x00000018,0x11e300,0x00000004,0x32f39c)
004f:fixme:ntdll:NtQueryInformationProcess (process=0x14c) Unimplemented information class: ProcessSessionInformation
004f:Ret  ntdll.NtQueryInformationProcess() retval=c0000003 ret=03f67d78
004f:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032f274) ret=00788fdb
004f:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b446ec7 ip=7b446ec7 tid=004f
004f:trace:seh:raise_exception  info[0]=80131600
004f:trace:seh:raise_exception  info[1]=00000000
004f:trace:seh:raise_exception  info[2]=00000000
004f:trace:seh:raise_exception  info[3]=00000000
004f:trace:seh:raise_exception  info[4]=00630000
004f:trace:seh:raise_exception  eax=7b435589 ebx=00000005 ecx=00000000 edx=0032f220 esi=0032f220 edi=0032f1e0
004f:trace:seh:raise_exception  ebp=0032f1b8 esp=0032f154 cs=f7bb0023 ds=32002b es=f7be002b fs=f7be0063 gs=f7be006b flags=00000212
004f:trace:seh:call_vectored_handlers calling handler at 0x7ba398 code=e0434352 flags=1
004f:Call KERNEL32.GetLastError() ret=007ba3c6
004f:Ret  KERNEL32.GetLastError() retval=00000000 ret=007ba3c6
...
004f:Call KERNEL32.CreateProcessW(00000000,010e2280 L"notepad.exe",00000000,00000000,00000000,00080000,00000000,00000000,0032f24c,0032f36c) ret=03f6485b
...
...
--- snip ---

The failure to query the process session ID is not critical (it will still launch the new process), hence "wants" in the summary.

Source:
https://github.com/google/sandbox-attacksurface-analysis-tools/blob/43ab463798ea8ad447ae021451803b662bca7292/NtApiDotNet/NtProcess.cs#L1079

$ sha1sum Release-v1.1.14.7z 
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a  Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z 
384K    Release-v1.1.14.7z

$ wine --version
wine-3.7-65-ge637a6f0bf

Regards
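What the relay trace in the report shows, as an added example that is not part of the bug report, of Wine's ntdll, or of the Google tool: a portable C model of the ProcessSessionInformation branch of NtQueryInformationProcess, written so it builds outside Windows. The information-class number (0x18 = 24), the PROCESS_SESSION_INFORMATION layout (one ULONG) and the NTSTATUS values are the documented Windows ones; the default branch returns STATUS_INVALID_INFO_CLASS, the c0000003 in the log. The process table is constructed for illustration: handle 0x14c and hex pid 0x33 (decimal 51, the -p argument) are taken from the log, while the session id of 0 is an assumption. The point of the model is the order of operations a handler for a new information class needs: validate the handle, report the required length, check the caller's buffer size before writing, and only then store the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;

/* Documented NTSTATUS values; 0xC0000003 is the retval in the relay log. */
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_ACCESS_VIOLATION     ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)

/* PROCESSINFOCLASS value 0x18, the second argument of the logged call. */
#define ProcessSessionInformation 24

/* Output structure for this class: a single ULONG, matching the length 4
 * the tool passed in the log. */
typedef struct { ULONG SessionId; } PROCESS_SESSION_INFORMATION;

/* Constructed stand-in for the server-side process table (not Wine's).
 * Handle 0x14c and pid 0x33 come from the log; session id 0 is assumed. */
typedef struct { uintptr_t handle; ULONG pid; ULONG session_id; } model_process;
static const model_process g_procs[] = {
    { 0x14c, 0x33, 0 },  /* 'notepad.exe'  */
    { 0x150, 0x13, 0 },  /* 'explorer.exe' (constructed handle) */
};

static const model_process *lookup_process(uintptr_t handle)
{
    for (size_t i = 0; i < sizeof(g_procs) / sizeof(g_procs[0]); i++)
        if (g_procs[i].handle == handle) return &g_procs[i];
    return NULL;
}

/* Model of the query routine. ReturnLength is reported before the size
 * check so a caller that passed a too-small buffer can retry, and nothing
 * is written to the caller's buffer until its length has been validated. */
NTSTATUS model_NtQueryInformationProcess(uintptr_t handle, ULONG info_class,
                                         void *info, ULONG len, ULONG *ret_len)
{
    switch (info_class)
    {
    case ProcessSessionInformation:
    {
        const model_process *p = lookup_process(handle);
        if (!p) return STATUS_INVALID_HANDLE;
        if (ret_len) *ret_len = sizeof(PROCESS_SESSION_INFORMATION);
        if (len != sizeof(PROCESS_SESSION_INFORMATION))
            return STATUS_INFO_LENGTH_MISMATCH;
        if (!info) return STATUS_ACCESS_VIOLATION;
        ((PROCESS_SESSION_INFORMATION *)info)->SessionId = p->session_id;
        return STATUS_SUCCESS;
    }
    default:
        /* Any class without a handler fails this way; this is the path the
         * tool hit for class 0x18 on Wine 3.7. */
        return STATUS_INVALID_INFO_CLASS;
    }
}

int main(void)
{
    PROCESS_SESSION_INFORMATION psi = { 0 };
    ULONG ret_len = 0;
    NTSTATUS st = model_NtQueryInformationProcess(0x14c, ProcessSessionInformation,
                                                  &psi, sizeof(psi), &ret_len);
    printf("status=%08x session=%u return_length=%u\n",
           (unsigned)st, (unsigned)psi.SessionId, (unsigned)ret_len);
    return st == STATUS_SUCCESS ? 0 : 1;
}
```

In the managed tool the c0000003 status surfaces as the CLR exception seen next in the log (RaiseException with code e0434352), which is why the fixme line is immediately followed by the SEH trace; the model's default branch reproduces exactly that status for any class it does not handle.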
