Is there a way to create a named pipe from an AppContainer BHO in IE11?

I am trying to write a BHO for Internet Explorer 11 (Windows 8.1). My BHO runs in the AppContainer sandbox, but I cannot create a named pipe: CreateNamedPipe fails with "Access is denied".

Here is the code I use to create the named pipe (which I found on a Russian site, last comment):

    #include <windows.h>
    #include <sddl.h>
    #pragma comment(lib, "advapi32.lib")

    // Low-integrity label (NW = no write up) plus read/write for Everyone (WD) and
    // ALL APPLICATION PACKAGES (AC). 0x120083 = FILE_READ_DATA | FILE_WRITE_DATA |
    // FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE.
    LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)D:(A;;0x120083;;;WD)(A;;0x120083;;;AC)";

    PSECURITY_DESCRIPTOR pSD = NULL;
    ConvertStringSecurityDescriptorToSecurityDescriptorW(
        LOW_INTEGRITY_SDDL_SACL_W,
        SDDL_REVISION_1,
        &pSD,
        NULL);

    if (pSD != NULL)
    {
        SECURITY_ATTRIBUTES SecurityAttributes;

        SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
        SecurityAttributes.bInheritHandle = TRUE;
        SecurityAttributes.lpSecurityDescriptor = pSD;

        HANDLE hPipe = CreateNamedPipeW(
            L"\\\\.\\pipe\\testpipe",
            PIPE_ACCESS_DUPLEX,
            PIPE_TYPE_BYTE | PIPE_READMODE_BYTE,
            1,                      // max instances
            4096,                   // out buffer size
            4096,                   // in buffer size
            1000,                   // default timeout (ms)
            &SecurityAttributes);

        if (hPipe == INVALID_HANDLE_VALUE)
        {
            DWORD err = GetLastError();   // 5 = ERROR_ACCESS_DENIED
        }

        LocalFree(pSD);   // the descriptor is no longer needed once the pipe exists
    }

Unfortunately, it does not work. GetLastError() returns "Access is denied", as usual.

+6
3 answers

You cannot create a named pipe in a BHO. But you can create it in your broker process and connect to the pipe from the BHO. I am the author of that comment, and I checked the code in the broker part of my IE add-on.

Code snippets. Creating the pipe in the autostart exe (Delphi):

    type
      // Signature of the Win32 API resolved at run time below (the original
      // post does not show this declaration)
      TConvertStringSecurityDescriptorToSecurityDescriptorW = function(
        StringSecurityDescriptor: PWideChar; StringSDRevision: DWORD;
        var SecurityDescriptor: PSECURITY_DESCRIPTOR;
        SecurityDescriptorSize: PULONG): BOOL; stdcall;

    function CreateAppContainerSecurityDescriptor(var SD: PSECURITY_DESCRIPTOR): boolean;
    const
      SDDL_REVISION_1 = 1;
    var
      pSD: PSECURITY_DESCRIPTOR;
      ConvertStringSecurityDescriptorToSecurityDescriptor: TConvertStringSecurityDescriptorToSecurityDescriptorW;
    begin
      result := false;
      // AdvapiDll() is the author's helper (not shown) returning the advapi32.dll module handle
      @ConvertStringSecurityDescriptorToSecurityDescriptor :=
        GetProcAddress(AdvapiDll(), 'ConvertStringSecurityDescriptorToSecurityDescriptorW');
      if not Assigned(ConvertStringSecurityDescriptorToSecurityDescriptor) then
        exit;
      // Low-integrity label (no write up) and read/write for Everyone (WD) and
      // ALL APPLICATION PACKAGES (AC), so an AppContainer client can open the pipe
      if ConvertStringSecurityDescriptorToSecurityDescriptor(
           'S:(ML;;NW;;;LW)D:(A;;0x120083;;;WD)(A;;0x120083;;;AC)',
           SDDL_REVISION_1, pSD, nil) then
      begin
        SD := pSD;
        result := true;
      end;
    end;

    function TPipeServer.Start: boolean;
    var
      SD: PSECURITY_DESCRIPTOR;
      SecurityAttributes: SECURITY_ATTRIBUTES;
    begin
      result := false;
      if Win32MajorVersion >= 6 then   // Vista or later: integrity labels exist
      begin
        if CreateAppContainerSecurityDescriptor(SD) then
        begin
          SecurityAttributes.nLength := sizeof(SECURITY_ATTRIBUTES);
          SecurityAttributes.bInheritHandle := true;
          SecurityAttributes.lpSecurityDescriptor := SD;
          PipeHandle := CreateNamedPipe('\\.\pipe\MyPipe', PIPE_ACCESS_DUPLEX,
            PIPE_TYPE_BYTE or PIPE_READMODE_BYTE, 1, 0, 0, 1000, @SecurityAttributes);
          result := PipeHandle <> INVALID_HANDLE_VALUE;
        end;
      end;
    end;

    procedure TPipeServer.Execute;
    begin
      if Start() then
      begin
        while true do
        begin
          // Block until a client (the BHO) connects, then serve the request
          if ConnectNamedPipe(PipeHandle, nil) then
          begin
            ...
          end;
        end;
      end;
    end;

Connecting to the pipe from the IE toolbar (C++):

    // Pipe names are case-insensitive, so this matches the MyPipe created above
    #define PIPE_NAME "\\\\.\\pipe\\MYPipe"

    LRESULT CMFToolbar::OnCommand(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& bHandled)
    {
        ...
        HANDLE PipeHandle;
        // Wait for the broker to have a free instance, then open it as a client
        if (WaitNamedPipe(PIPE_NAME, NMPWAIT_WAIT_FOREVER) != 0)
        {
            PipeHandle = CreateFile(PIPE_NAME, FILE_READ_DATA | FILE_WRITE_DATA, 0, NULL,
                                    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
            if (PipeHandle != INVALID_HANDLE_VALUE)
            {
                WriteFile(PipeHandle, ...
                CloseHandle(PipeHandle);
            }
        }
        ...
    }
+8

You can add the ALL APPLICATION PACKAGES permission to the descriptor, but this is a back-door solution; the broker solution is the long-term one.

    // The original answer does not show this define; S-1-15-2-1 is the
    // well-known ALL APPLICATION PACKAGES SID that every AppContainer token carries
    #define SID_ALL_APP_PACKAGES L"S-1-15-2-1"

    DWORD WindowsSecurity::AddDACLToObject(HANDLE hObj, SE_OBJECT_TYPE seObjectType)
    {
        LPCWSTR szAddSid = SID_ALL_APP_PACKAGES;
        PACL pACL = NULL;
        DWORD dwRes;
        PSID pSIDAllAppPackage = NULL;
        PSECURITY_DESCRIPTOR pSDOld = NULL;
        PACL pOldDACL = NULL;

        // Read the object's current DACL (pOldDACL points into pSDOld)
        dwRes = GetSecurityInfo(hObj, seObjectType, DACL_SECURITY_INFORMATION,
                                NULL, NULL, &pOldDACL, NULL, &pSDOld);
        if (ERROR_SUCCESS != dwRes)
        {
            return dwRes;
        }

        if (ConvertStringSidToSidW(szAddSid, &pSIDAllAppPackage) == FALSE)
        {
            dwRes = GetLastError();
            LocalFree(pSDOld);
            return dwRes;
        }

        // One new allow ACE granting GENERIC_ALL to ALL APPLICATION PACKAGES,
        // merged with the entries already on the object
        const int NUM_ACES = 1;
        EXPLICIT_ACCESS_W ea[NUM_ACES];
        ZeroMemory(&ea, NUM_ACES * sizeof(EXPLICIT_ACCESS_W));
        ea[0].grfAccessPermissions = GENERIC_ALL;
        ea[0].grfAccessMode = SET_ACCESS;
        ea[0].grfInheritance = NO_INHERITANCE;
        ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[0].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        ea[0].Trustee.ptstrName = (LPWSTR)pSIDAllAppPackage;

        dwRes = SetEntriesInAclW(NUM_ACES, ea, pOldDACL, &pACL);
        if (ERROR_SUCCESS == dwRes)
        {
            dwRes = SetSecurityInfo(
                hObj,                       // handle to the object
                seObjectType,               // type of object
                DACL_SECURITY_INFORMATION,  // change only the object DACL
                NULL, NULL,                 // do not change owner or group
                pACL,                       // DACL specified
                NULL);                      // do not change SACL
            LocalFree(pACL);
        }

        // Everything returned by the security APIs above is LocalAlloc'd
        LocalFree(pSIDAllAppPackage);
        LocalFree(pSDOld);
        return dwRes;
    }

0
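The descriptor used in the question (and reused by the Delphi broker in the first answer) and the GENERIC_ALL grant to ALL APPLICATION PACKAGES in this answer are easier to reason about once decoded. The following is an added example, not code from the question or from either answer: a small pure-Python parser for the SDDL subset used on this page, plus a deliberately simplified model of the access check Windows performs for an AppContainer token (the DACL has to grant the access both to the user's normal groups and, separately, to the package, capability or ALL APPLICATION PACKAGES SIDs; a Low label with the NW policy refuses write access to a token below Low). The SID aliases, rights tokens and access-mask bits are the standard sddl.h and winnt.h values; the evaluation functions ignore inheritance, object and conditional ACEs, owner rights and the exact write-up mapping, and exist to show what the strings grant, not to replace AccessCheck. The assumed token SIDs in the usage (Everyone plus S-1-15-2-1) and the sample descriptors in the tests are constructed for the example.

```python
# Added example: decode the SDDL used on this page and model the AppContainer
# access check. Pure Python, no Windows APIs; simplified (see lead-in).
import re

SID_ALIASES = {            # subset of the sddl.h aliases
    "WD": "S-1-1-0",       # Everyone
    "AC": "S-1-15-2-1",    # ALL APPLICATION PACKAGES
    "LW": "S-1-16-4096",   # Low mandatory level
    "ME": "S-1-16-8192",   # Medium mandatory level
}
RIGHTS_TOKENS = {          # two-letter rights; NW/NR/NX are label policy bits in ML ACEs
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "NW": 0x1, "NR": 0x2, "NX": 0x4,
}
FILE_RIGHTS = [            # file-object bits; for a pipe 0x4 is FILE_CREATE_PIPE_INSTANCE
    ("FILE_READ_DATA", 0x1), ("FILE_WRITE_DATA", 0x2), ("FILE_CREATE_PIPE_INSTANCE", 0x4),
    ("FILE_READ_EA", 0x8), ("FILE_WRITE_EA", 0x10), ("FILE_EXECUTE", 0x20),
    ("FILE_READ_ATTRIBUTES", 0x80), ("FILE_WRITE_ATTRIBUTES", 0x100), ("DELETE", 0x10000),
    ("READ_CONTROL", 0x20000), ("WRITE_DAC", 0x40000), ("WRITE_OWNER", 0x80000),
    ("SYNCHRONIZE", 0x100000),
]
GENERIC_MAP = {0x80000000: 0x120089, 0x40000000: 0x120116,   # GENERIC_* -> FILE_GENERIC_*
               0x20000000: 0x1200A0, 0x10000000: 0x1F01FF}   # GENERIC_ALL -> FILE_ALL_ACCESS
WRITE_BITS = 0x116 | 0x10000 | 0x40000 | 0x80000  # "write" for the no-write-up check (simplified)

def map_generic(mask):
    """Replace generic rights with the file-object specific rights they map to."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def decode_mask(mask):
    """Names of the file-object rights set in an access mask."""
    return [name for name, bit in FILE_RIGHTS if mask & bit]

def parse_sddl(sddl):
    """Parse O:/G:/D:/S: components; each ACE becomes {type, flags, mask, sid}.
    Object ACEs, conditional ACEs and ACL flags (P, AI, AR) are not interpreted."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, body in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        if key in "OG":
            sd["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
            continue
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            f = ace.split(";")            # type;flags;rights;object;inherit;sid
            if f[2][:2].lower() == "0x":
                mask = int(f[2], 16)
            else:
                mask = 0
                for i in range(0, len(f[2]), 2):
                    mask |= RIGHTS_TOKENS[f[2][i:i + 2]]
            aces.append({"type": f[0], "flags": f[1], "mask": mask,
                         "sid": SID_ALIASES.get(f[5], f[5])})
        sd["dacl" if key == "D" else "sacl"] = aces
    return sd

def dacl_grants(sd, token_sids, requested):
    """Simplified DACL walk: a matching deny ACE overlapping what is still
    requested rejects; allow ACEs accumulate until nothing is outstanding.
    A missing D: component behaves like an empty (deny-all) DACL."""
    remaining = map_generic(requested)
    for ace in sd["dacl"]:
        if ace["sid"] not in token_sids:
            continue
        mask = map_generic(ace["mask"])
        if ace["type"] == "D" and mask & remaining:
            return False
        if ace["type"] == "A":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0

def label_allows(sd, token_level, requested):
    """Integrity check: under the NW policy a token below the object's label
    (0 untrusted, 4096 low, 8192 medium, ...) is refused write access."""
    for ace in sd["sacl"]:
        if ace["type"] == "ML" and ace["mask"] & 0x1:
            if token_level < int(ace["sid"].rsplit("-", 1)[1]) and map_generic(requested) & WRITE_BITS:
                return False
    return True

def access_allowed(sd, token_sids, requested, token_level=8192, package_sids=None):
    """For an AppContainer token (package_sids given) the DACL must grant the
    access twice: to the user's normal groups and, separately, to the package
    SID / capability SIDs / ALL APPLICATION PACKAGES."""
    if not label_allows(sd, token_level, requested):
        return False
    if not dacl_grants(sd, token_sids, requested):
        return False
    return package_sids is None or dacl_grants(sd, package_sids, requested)

if __name__ == "__main__":
    sd = parse_sddl("S:(ML;;NW;;;LW)D:(A;;0x120083;;;WD)(A;;0x120083;;;AC)")
    for ace in sd["dacl"]:
        print(ace["sid"], hex(ace["mask"]), decode_mask(ace["mask"]))
    # assumed client: an AppContainer token at Low integrity asking for read|write
    print(access_allowed(sd, {"S-1-1-0"}, 0x3, token_level=4096, package_sids={"S-1-15-2-1"}))
```

Running the module prints the two allow ACEs decoded to FILE_READ_DATA, FILE_WRITE_DATA, FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE, and confirms that a Low-integrity AppContainer client can open the pipe for read and write but not, for example, for WRITE_DAC. It also makes visible why a DACL with only an Everyone ACE is not enough for an AppContainer client: the second half of the check has no ACE to satisfy it, which is what the `(A;;...;;;AC)` entry (or this answer's GENERIC_ALL grant) provides. None of this changes the first answer's point that the pipe itself has to be created by the broker; the descriptor only governs who may open it.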

I found this question very useful and wanted to add my 2 cents, based on my recent experience of retrofitting an EPM-compatible BHO in a complex product. Dropping some information here that hopefully helps the community. My original question was posted here, so some of this repeats my comments there - Access to named pipe servers from IE EPM BHO

I needed a way to achieve two-way communication -

  • From the BHO to a Windows service, which holds some relevant data: the security descriptor above will not work, because cross-session IPC does not work. I even tried setting the named pipe to allow EVERYONE.

    • I solved it by adding a broker to relay the message.
  • From outside to the BHO: this was meant to provide the BHO with some data to perform actions - manipulating the DOM, etc. The default IPC mechanisms (named pipes, Windows RPC, etc.) will not work because the BHO cannot host named pipe servers for external access.

    • I solved it by creating an HWND_MESSAGE window in the SetSite function and calling it from the broker process using SendMessage. The message type used must be WM_COPYDATA, since it is cross-process.
0

Source: https://habr.com/ru/post/954502/
