Chrome安全沙箱
Chrome 使用安全沙箱运行低权限进程(如渲染进程)
在受限(沙箱)进程中, 对文件、管道、进程、注册表等对象的访问都受沙箱策略限制(拦截相应的 Nt* 调用, 再按策略规则判定允许/拒绝)
A.  dll加载限制
- 加载程序目录下一个dll, 失败
 - 复制系统的一个dll过来加载, 成功
 - 修改下这个dll, 破坏签名加载, 失败
 
跟踪发现加载是在 LdrLoadDll 内失败的
源码中相关的拦截点是 TargetNtCreateSection, 但实际的限制并不在这里
上面的现象(系统自带的 DLL 可加载, 破坏签名后失败)很可能对应进程缓解策略中的"仅允许微软签名二进制"限制; 这些缓解标志由 ConvertProcessMitigationsToPolicy 转换为进程创建属性. 修改 ConvertProcessMitigationsToPolicy, 去掉多数缓解功能, 之后就可以加载自定义 dll 了. 注意: 下面的补丁是把 jl 改成无条件 jmp, 强制走原本只在 ecx&lt;5 时才走的分支, 因此被禁用的是该函数转换的全部缓解, 而不只是签名检查; 地址和特征码都与具体 Chrome 版本绑定, 换版本必须重新定位.
.text:00428412 83 F9 05                          cmp     ecx, 5
.text:00428415 0F 8C 1A 01 00 00                 jl      loc_428535
.text:0042841B 89 CE                             mov     esi, ecx
.text:0042841D F6 C3 08                          test    bl, 8
.text:00428420 0F 85 6D 01 00 00                 jnz     loc_428593
00428412    83F9 05                cmp     ecx, 5
00428415    E9 1B010000            jmp     00428535
0042841A    90                     nop
ConvertProcessMitigationsToPolicy 补丁: 下一行是用于定位的 20 字节原始特征码(cmp/jl/mov/test/jnz), 再下一行是覆盖其前 9 字节的补丁字节(保留 cmp, 6 字节 jl rel32 改为 5 字节 jmp rel32, 末尾补一个 nop)
83F9050F8C1A01000089CEF6C3080F856D010000
83F905E91B01000090
B. 文件访问限制
- 文件访问的拦截点在 TargetNtCreateFile
 - 真正决定允许/拒绝的是策略规则, 规则通过 PolicyBase::AddRuleInternal 添加到策略中
 
可以 hook PolicyBase 的构造函数, 在原构造完成后调用 AddRuleInternal 添加想要的规则(见下面代码). 注意: 构造函数 hook 对每一个 PolicyBase 实例都生效, 即所有经由它创建的沙箱策略都会带上这些规则, 而不只是你关心的那个进程; FILES_ALLOW_ANY 配合 V:\* 等于把整个 V: 盘对这些沙箱进程完全放开, 渲染进程被攻破后同样获得这部分访问. 实际使用时应把路径和权限收窄到最小.
// Prototype used to call the original PolicyBase constructor from the hook
// below: `this` is passed in ECX (__fastcall), EDX is unused and passed as 0.
// The return type is declared `int` here; it holds whatever the original ctor
// leaves in EAX.
int	__fastcall	PolicyBaseCstru(void *PolicyBase, void *edx);
// Hook record for the PolicyBase ctor detour -- presumably filled in by
// AsmHook when the hook is installed (installation is not visible in this file).
AsmHook::HOOK_INFO	Info_PolicyBaseCstru;
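BOOL WINAPIV Hook_PolicyBaseCstru(VOID *pUserParam, AsmHook::PUSHAD_DAT *pReg)
{
	// Detour for the sandbox PolicyBase constructor: runs the original ctor,
	// then appends file rules to the freshly constructed policy through the
	// AddRuleInternal virtual (vtable slot 24 in this build; the slot index is
	// build-specific and must be re-verified after every Chrome update).
	//
	// NOTE(security): this fires for every PolicyBase instance, i.e. for the
	// policy of every sandboxed process type, and FILES_ALLOW_ANY on "V:\\*"
	// grants unrestricted access to the whole drive. A compromised renderer
	// inherits that access too, so keep the path/permission as narrow as the
	// use case permits.
	//
	// pUserParam is the CChrome owner; it is not needed here.
	(void)pUserParam;

	// `this` of the object under construction arrives in ECX (__fastcall).
	void *PolicyBase = (void *)pReg->Ecx;

	// Run the original constructor and keep its return value. MSVC ctors
	// return `this` in EAX and a `new` expression may consume it, so the hook
	// must not overwrite it with an AddRuleInternal result code.
	decltype(&PolicyBaseCstru) fun;
	AsmHook::GetClassOrgFun(pReg, &Info_PolicyBaseCstru, &fun);
	const int nCtorRet = fun(PolicyBase, 0);

	decltype(&PolicyBaseAddRuleInternal) funAddRuleInternal;
	funAddRuleInternal = (decltype(&PolicyBaseAddRuleInternal))NSys::GetClassVirFun(PolicyBase, 24);
	if (funAddRuleInternal != NULL) {
		// Same three rules, in the same order.
		static const wchar_t *const kPaths[] = { L"V:\\", L"V:\\*", L"V:\\test" };
		void *edx = NULL;  // EDX is not used by the callee; passed as 0.
		int nRejected = 0;
		for (size_t i = 0; i < sizeof(kPaths) / sizeof(kPaths[0]); ++i) {
			// A non-zero ResultCode means the rule was rejected (SBOX_ALL_OK is 0
			// in the Chromium sandbox -- confirm against this build's headers).
			if (funAddRuleInternal(PolicyBase, edx, SUBSYS_FILES, FILES_ALLOW_ANY, kPaths[i]) != 0)
				++nRejected;
		}
		// TODO(review): report nRejected through the project's logging; a
		// silently dropped rule means the intended V:\ access is simply absent.
		(void)nRejected;
	}

	return AsmHook::SetReturn(pReg, nCtorRet);
}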
                    
                
                
            
        