
Commit 41371a6

committed
Remove restart manager support (3rd party DoS issue) winsiderss#792 winsiderss#453
1 parent b913f08 commit 41371a6

2 files changed

+85
-47
lines changed


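--- a/ProcessHacker/main.c
+++ b/ProcessHacker/main.c
@@ -90,6 +90,10 @@ BOOLEAN PhInitializeMitigationSignaturePolicy(
 VOID
 );
 
+BOOLEAN PhInitializeComPolicy(
+VOID
+);
+
 BOOLEAN PhPluginsEnabled = FALSE;
 PPH_STRING PhSettingsFileName = NULL;
 PH_STARTUP_PARAMETERS PhStartupParameters;
@@ -123,15 +127,12 @@ INT WINAPI wWinMain(
 return 1;
 if (!PhInitializeMitigationPolicy())
 return 1;
-//if (!PhInitializeRestartPolicy())
-// return 1;
+if (!PhInitializeComPolicy())
+return 1;
 
 PhpProcessStartupParameters();
 PhpEnablePrivileges();
 
-if (!SUCCEEDED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE)))
-return 1;
-
 if (PhStartupParameters.RunAsServiceMode)
 {
 PhExitApplication(PhRunAsServiceStart(PhStartupParameters.RunAsServiceMode));
@@ -491,9 +492,9 @@ static BOOLEAN NTAPI PhpPreviousInstancesCallback(
 for (ULONG i = 0; i < context.WindowList->Count; i++)
 {
 HWND windowHandle = context.WindowList->Items[i];
-ULONG_PTR result;
+ULONG_PTR result = 0;
 
-SendMessageTimeout(windowHandle, WM_PH_ACTIVATE, PhStartupParameters.SelectPid, 0, SMTO_BLOCK, 5000, &result);
+SendMessageTimeout(windowHandle, WM_PH_ACTIVATE, PhStartupParameters.SelectPid, 0, SMTO_ABORTIFHUNG | SMTO_BLOCK, 5000, &result);
 
 if (result == PH_ACTIVATE_REPLY)
 {
@@ -592,40 +593,6 @@ BOOLEAN PhInitializeDirectoryPolicy(
 return TRUE;
 }
 
-BOOLEAN PhInitializeRestartPolicy(
-VOID
-)
-{
-#ifndef DEBUG
-PH_STRINGREF commandLineSr;
-PH_STRINGREF fileNameSr;
-PH_STRINGREF argumentsSr;
-PPH_STRING argumentsString = NULL;
-
-PhUnicodeStringToStringRef(&NtCurrentPeb()->ProcessParameters->CommandLine, &commandLineSr);
-
-if (!PhParseCommandLineFuzzy(&commandLineSr, &fileNameSr, &argumentsSr, NULL))
-return FALSE;
-
-if (argumentsSr.Length)
-{
-static PH_STRINGREF commandlinePart = PH_STRINGREF_INIT(L"-nomp");
-
-if (PhEndsWithStringRef(&argumentsSr, &commandlinePart, FALSE))
-PhTrimStringRef(&argumentsSr, &commandlinePart, PH_TRIM_END_ONLY);
-
-argumentsString = PhCreateString2(&argumentsSr);
-}
-
-// MSDN: Do not include the file name in the command line.
-RegisterApplicationRestart(PhGetString(argumentsString), 0);
-
-if (argumentsString)
-PhDereferenceObject(argumentsString);
-#endif
-return TRUE;
-}
-
 #ifndef DEBUG
 #include <symprv.h>
 #include <minidumpapiset.h>
@@ -782,7 +749,6 @@ BOOLEAN PhInitializeExceptionPolicy(
 VOID
 )
 {
-#if (PHNT_VERSION >= PHNT_WIN7)
 #ifndef DEBUG
 ULONG errorMode;
 
@@ -794,8 +760,6 @@ BOOLEAN PhInitializeExceptionPolicy(
 
 RtlSetUnhandledExceptionFilter(PhpUnhandledExceptionCallback);
 #endif
-#endif
-
 return TRUE;
 }
 
@@ -1010,6 +974,83 @@ BOOLEAN PhInitializeMitigationSignaturePolicy(
 return TRUE;
 }
 
+BOOLEAN PhInitializeComPolicy(
+VOID
+)
+{
+#ifdef PH_COM_SVC
+static SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
+static SID_IDENTIFIER_AUTHORITY packageAuthority = SECURITY_APP_PACKAGE_AUTHORITY;
+ULONG securityDescriptorAllocationLength;
+PSECURITY_DESCRIPTOR securityDescriptor;
+UCHAR administratorsSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG) * 2];
+UCHAR packagesSidSidBuffer[FIELD_OFFSET(SID, SubAuthority) + sizeof(ULONG) * 2];
+PSID administratorsSid;
+PSID packagesSid;
+PACL dacl;
+
+if (!SUCCEEDED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE)))
+return TRUE; // Continue without COM support. (dmex)
+
+administratorsSid = (PSID)administratorsSidBuffer;
+RtlInitializeSid(administratorsSid, &ntAuthority, 2);
+*RtlSubAuthoritySid(administratorsSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
+*RtlSubAuthoritySid(administratorsSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
+
+packagesSid = (PSID)packagesSidSidBuffer;
+RtlInitializeSid(packagesSid, &packageAuthority, SECURITY_BUILTIN_APP_PACKAGE_RID_COUNT);
+*RtlSubAuthoritySid(packagesSid, 0) = SECURITY_APP_PACKAGE_BASE_RID;
+*RtlSubAuthoritySid(packagesSid, 1) = SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE;
+
+securityDescriptorAllocationLength = SECURITY_DESCRIPTOR_MIN_LENGTH +
+(ULONG)sizeof(ACL) +
+(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
+RtlLengthSid(&PhSeAuthenticatedUserSid) +
+(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
+RtlLengthSid(&packagesSid) +
+(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
+RtlLengthSid(&PhSeLocalSystemSid) +
+(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
+RtlLengthSid(&administratorsSid);
+
+securityDescriptor = PhAllocate(securityDescriptorAllocationLength);
+dacl = PTR_ADD_OFFSET(securityDescriptor, SECURITY_DESCRIPTOR_MIN_LENGTH);
+// "O:BAG:BAD:(A;;0x3;;;AU)(A;;0x3;;;AC)(A;;0x3;;;SY)(A;;0x3;;;BA)"
+RtlCreateSecurityDescriptor(securityDescriptor, SECURITY_DESCRIPTOR_REVISION);
+RtlCreateAcl(dacl, securityDescriptorAllocationLength - SECURITY_DESCRIPTOR_MIN_LENGTH, ACL_REVISION);
+RtlAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, &PhSeAuthenticatedUserSid);
+RtlAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, packagesSid);
+RtlAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, &PhSeLocalSystemSid);
+RtlAddAccessAllowedAce(dacl, ACL_REVISION, FILE_READ_DATA | FILE_WRITE_DATA, administratorsSid);
+RtlSetDaclSecurityDescriptor(securityDescriptor, TRUE, dacl, FALSE);
+RtlSetGroupSecurityDescriptor(securityDescriptor, administratorsSid, FALSE);
+RtlSetOwnerSecurityDescriptor(securityDescriptor, administratorsSid, FALSE);
+
+if (!SUCCEEDED(CoInitializeSecurity(
+securityDescriptor,
+UINT_MAX,
+NULL,
+NULL,
+RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+RPC_C_IMP_LEVEL_IDENTIFY,
+NULL,
+EOAC_NONE,
+NULL
+)))
+{
+NOTHING;
+}
+
+PhFree(securityDescriptor);
+return TRUE;
+#else
+if (!SUCCEEDED(CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE)))
+NOTHING;
+
+return TRUE;
+#endif
+}
+
 NTSTATUS PhpReadSignature(
 _In_ PWSTR FileName,
 _Out_ PUCHAR *Signature,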
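Review bot: In the new PhInitializeComPolicy, `RtlLengthSid(&packagesSid)` and `RtlLengthSid(&administratorsSid)` in the allocation-length sum take the address of the local `PSID` pointer variables rather than the SIDs they point to, so the length is read from the pointer's own bytes (it compiles only because PSID is PVOID); the two lines should be `RtlLengthSid(packagesSid) +` and `RtlLengthSid(administratorsSid);`, matching how the later RtlAddAccessAllowedAce calls pass the same pointers. A wrong length can undersize the ACL buffer, and because the RtlCreateAcl and RtlAddAccessAllowedAce results are not checked, a failed insertion would silently leave an ACE out of the DACL handed to CoInitializeSecurity; checking those NTSTATUS values before the CoInitializeSecurity call would make that failure visible instead of producing a different access policy than the SDDL comment describes. The `&PhSeAuthenticatedUserSid` and `&PhSeLocalSystemSid` operands are presumably SID objects rather than pointers, so those two look correct, but that is worth confirming against their declarations, which are outside this hunk.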

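--- a/ProcessHacker/mainwnd.c
+++ b/ProcessHacker/mainwnd.c
@@ -533,9 +533,6 @@ NTSTATUS PhMwpLoadStage1Worker(
 SetProcessShutdownParameters(0x1, SHUTDOWN_NORETRY);
 }
 
-// Register application for restart (dmex)
-RegisterApplicationRestart(NULL, 0);
-
 DelayedLoadCompleted = TRUE;
 //PostMessage((HWND)Parameter, WM_PH_DELAYED_LOAD_COMPLETED, 0, 0);
 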