Cracking Sandboxie Plus

https://github.com/sandboxie-plus/Sandboxie

The source is open, but a self-built driver fails to load because of driver signature enforcement; you would have to enable test-signing mode, which is not very safe either.

I came across the saturn-mapper project online, which can read and write arbitrary kernel memory, so I tried using this vulnerable driver's memory read/write capability to patch the code of the Sandboxie driver and crack it.

#include <ntddk.h>

// GetModuleBaseAddress, PrintMemoryAsHex, WPOFFx64 and WPONx64 are helpers from the
// saturn-mapper test driver that this entry point is compiled into.
NTSTATUS CustomDriverEntry(_In_ PDRIVER_OBJECT saturniv, _In_ PUNICODE_STRING saturnivxyz)
{
    UNREFERENCED_PARAMETER(saturniv);
    UNREFERENCED_PARAMETER(saturnivxyz);

    DbgPrintEx(0, 0, "\nSuccessfully Loaded the Saturn test driver.\n");
    // CreateFileInKernelMode();

    // Locate the loaded Sandboxie driver; the patch offset below is relative to its base.
    ULONG64 baseAddress = (ULONG64)GetModuleBaseAddress("SbieDrv.sys");
    if (baseAddress != 0)
    {
        DbgPrintEx(0, 0, "\nBase address of SbieDrv.sys: 0x%p\n", (PVOID)baseAddress);
        ULONG64 target_addr = baseAddress + 0x2521A;
        PrintMemoryAsHex(target_addr, 10);            // dump the original bytes

        // mov eax, 1: the patched function now returns 1 regardless of its input
        static UCHAR opcode[] = { 0xB8, 0x01, 0x00, 0x00, 0x00 };
        //ModifyMemory(target_addr, opcode, sizeof(opcode));

        WPOFFx64();                                   // disable write protection so the read-only code page can be written
        RtlCopyMemory((PVOID)target_addr, opcode, sizeof(opcode));
        WPONx64();                                    // restore write protection

        PrintMemoryAsHex(target_addr, 10);            // dump the patched bytes
        DbgPrint("Patched Success!\n");
    }
    else
    {
        DbgPrintEx(0, 0, "\nFailed to find SbieDrv.sys\n");
    }

    return STATUS_SUCCESS;
}

Before the patch:

[image: image-20250410004913341]

After the patch:

[image: image-20250409190954694]

[image: image-20250409191020500]
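From the defender's side, a patch like the one above leaves the loaded driver's code section different from the file on disk. The following is an added example (not code from this post or from the saturn-mapper project) that diffs an on-disk .text slice against its in-memory copy, reports each modified run, and flags a "mov eax, imm32" stub; the section bytes and the section RVA 0x25200 are constructed so that the finding lands at the post's offset 0x2521A.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MOV_EAX_IMM32 = 0xB8  # first byte of "mov eax, imm32" (B8 + 4-byte little-endian immediate)


@dataclass
class Patch:
    rva: int          # image-relative offset of the first modified byte
    original: bytes   # bytes in the on-disk driver file
    patched: bytes    # bytes in the loaded image

    def return_stub_value(self) -> Optional[int]:
        """If the patch begins with mov eax, imm32, return the immediate; else None."""
        if len(self.patched) >= 5 and self.patched[0] == MOV_EAX_IMM32:
            return struct.unpack_from("<I", self.patched, 1)[0]
        return None


def find_patches(disk_text: bytes, mem_text: bytes, text_rva: int, merge_gap: int = 2) -> List[Patch]:
    """Diff an on-disk code section against its in-memory copy.
    Runs of differing bytes separated by at most merge_gap unchanged bytes are one
    patch, so an overwrite that shares a byte with the original is not split in two."""
    if len(disk_text) != len(mem_text):
        raise ValueError("section sizes differ: not the same build of the driver")
    runs: List[Tuple[int, int]] = []  # half-open [start, end) ranges of differing bytes
    i, n = 0, len(disk_text)
    while i < n:
        if disk_text[i] == mem_text[i]:
            i += 1
            continue
        start = i
        while i < n and disk_text[i] != mem_text[i]:
            i += 1
        if runs and start - runs[-1][1] <= merge_gap:
            runs[-1] = (runs[-1][0], i)  # close to the previous run: extend it
        else:
            runs.append((start, i))
    return [Patch(text_rva + s, disk_text[s:e], mem_text[s:e]) for s, e in runs]


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed sample (not real SbieDrv bytes): a 34-byte .text slice, disk vs memory."""
    disk = b"\xCC" * 26 + bytes.fromhex("488b0500100000c3")
    mem = bytearray(disk)
    mem[26:31] = bytes.fromhex("b801000000")  # the mov eax, 1 overwrite shown in the post
    return disk, bytes(mem)
```

In practice the two inputs come from the driver file's .text section and a memory image of the same RVA range; `return_stub_value()` returning 1 here is the patched function's new constant return value.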