Solution to preventing Internet access for IE in the sandbox

Source: Internet
Author: User
Recently we solved a problem where Internet Explorer could not access the Internet inside our sandbox. Entering www.baidu.com produced the prompt that no DNS could be found, and ping was no better, while the other browsers (SG browser, Chrome, Firefox, Cheetah, 360) could all access the Internet. So why couldn't IE?

Approach: debug IE at the application layer. In ws2_32!socket the socket cannot be created successfully. I then found that IE first accesses qurl.f.360.cn and only after that www.baidu.com. Does the URL being visited have to be filtered through qurl.f.360.cn? Does the name resolution of qurl.f.360.cn fail, so that nothing can reach the Internet? Continuing to trace from ws2_32!socket in the kernel-mode debugger, the final stack is:

kd> kbn # retaddr: ARGs to Child: Call site00 fffff880 '0505f14c: 00000000 '2017 00000000 '000007a0 fffffa80 '2017 00000000' 02894010: AFD! ??: Nngakegl: 'string' + 0x1b1a01 fffff880 '04c20ed7: 00000000 '000007a0 00000000' 000007a0 00000000 '00000000 100' 00000000: AFD! Afddispatch + 0x6c02 fffff880 '04c20095: 00000000 '000000' 00000010 fffff880 '0000fffffa80' bandwidth: Pushed + 0000fffff800 '0000: 100' 00000000 fffff800 '0000fffffa80 '00000000 fffffa80' bandwidth: 360antihacker64 + 0x209504 fffff800 '041cf764: fffffa80 '035d23b0 100' 00000000 fffffa80 '035f1360 100' 00000000: NT! Iopparsedevice + 0x5a705 fffff800 '041d4876: fffffa80 '035f1360 fffff880 '021779f0 fffffffa80' 00000042 fffffa80' 02548820: NT! Obplookupobjectname + 0x58506 fffff800 '041db587: 00000000 '2017 00000000 '2017 00000000 '2017 00000003 '00000000: NT! Obopenobjectbyname + 0x30607 fffff800 '041e5198: 00000000 '067ee158 00000000 'c0140000 00000000' 00000000 00000000 '067ee180: NT! Iopcreatefile + 0x2b708 fffff800 '03ed8153: fffff880 '0217760fffffa80 '03867500 fffff880 '02177bb8 100' 00000000: NT! Ntcreatefile + 0x7809 00000000 '76ff040a: 000007fe 'fc502747 00000000 '0532e1f0 00000000' 00000000 00000000: NT! 
Kisystemservicecopyend + 0x130a 000007fe 'fc502747: 00000000 '0532e1f0 00000000 '00000000 00000000 '00000000 100' 0052ba80: NTDLL! Zwcreatefile + 0xa0b 000007fe 'fc503874: 00630069 '004d005c 006f0073' 006f0072 0057005c '00740066 00000000 '067ee320: mswsock! Socksocket + 0x5020c 000007fe 'fdb81fe2: 00000000 '20202020' 004c3f90 00000000 '00000000 100' 00000000: mswsock! Wspsocket + 0x23a0d 000007fe 'fdb83600: 00000004 '0000000007fe '00000017 00000002 '000000' 00000000: ws2_32! Wsasocketw + 0x1120e 000007fe 'fdb84b60: 000007fe '00000002 00000000 00000000 '05309f70 00000000 '00000000 100' 004a6ea0: ws2_32! Getprotocolstateforfamily + 0x7c0f 000007fe 'fdb83332: 00000000 '2017 00000000 '00000000 00000000 00000000 '067ee5f4: ws2_32! Lookupaddressforname + 0x10010 000007fe 'fdb82d28: 00000000 '00000000 000000' 00000000 00000050b620 000007fe 'fd7a3b2c: ws2_32! Getaddrinfow + 0x23211 000007fe 'fd1b1845: 00000000 '00000000 00000000 '067ee818 00000000' 067ee838 00000000 '00000000: ws2_32! Getaddrinfo + 0x9812 000007fe 'fd1cfabb: 00000000 '0000000050bec0 00000000 '03d496c0 00000000' 0050b620: wininet! Mygetaddrwithtracing + 0xca13 000007fe 'fd1b249b: 00000000 '00549a50 00000000 '00000000 00000000' 00549a50 00000000 '00000000: wininet! Caddresslist: resolvehost_fsm + 0x3a6
So getaddrinfo is called from ws2_32, and the request then goes through 360antihacker64 down to tcpip.

The stack at the point of the last error:
Kd> kbn # retaddr: ARGs to Child: Call site00 fffff880 '0184e33d: fffffa80 '018602bf: TCPIP! Inetinspectcreateendpoint + 0x5e01 fffff880 '0184e24c: fffffa80 '03940950 fffffa80 '037f3d70 fffffa80' 02d6d930 00000000 '000007ff: TCPIP! Udpcreateendpointworkqueueroutine + 0xad02 fffff880 '0184e3e9: 00000000 '00000011 fffffa80 '025e78c0 fffffa80' 0361260fffff880 '0184e3b0: TCPIP! Udpcreateendpoint + 0x1ac03 fffff880 '0504ee17: fffff8a0 '098abde0 fffffa80 '025e78c0 fffffffa80 '0361260fffffa80 '026e1530: TCPIP! Udptlproviderendpoint + 0x3904 fffff880 '0505f14c: 00000000 '00000000 00000000' 000007a0 fffffa80 '026e1530 00000000 '00000018: AFD! ??: Nngakegl: 'string' + 0x1b1a05 fffff880 '04c20ed7: 00000000 '000007a0 00000000' 000007a0 00000000 '00000000 100' 00000000: AFD! Afddispatch + 0x6c06 fffff880 '04c20095: 00000000 '000000' 00000010 fffff880 '0000fffffa80' bandwidth: Pushed + 0000fffffff800 '0000fffff800 '00000000 fffffff800 '0000fff80' bandwidth: 360antihacker64 + 0x209508 fffff800 '041cf764: fffffa80 '035d23b0 100' 00000000 fffffa80 '042c8760 100' 00000000: NT! Iopparsedevice + 0x5a709 fffff800 '041d4876: fffffa80 '042c8760 fffff880 '040809f0 100' 00000000 fffffa80' 00000042: NT! Obplookupobjectname + 0x5850a fffff800 '041db587: 00000000 '000000' 00000000 100' 00000000 100' 00000003: NT! Obopenobjectbyname + 0x3060b fffff800 '041e5198: 00000000 '0647da68 00000000 'c0140000 00000000' 00000000 00000000 '0647da90: NT! Iopcreatefile + 0x2b70c fffff800 '03ed8153: fffff880 '0408060fffffa80 '03867500 fffff880 '04080bb8 100' 00000000: NT! Ntcreatefile + 0x780d 00000000 '76ff040a: 000007fe 'fc502747 00000000 '0532efb0 00000000' 00000000 100' 00000000: NT! Kisystemservicecopyend + 0x130e 000007fe 'fc502747: 00000000 '0532efb0 00000000 '00000000 00000000 00000000' 0052ba80: NTDLL! Zwcreatefile + 0xa0f 000007fe 'fc503874: 00630069 '004d005c 006f0073' 006f0072 0057005c '00740066 00000000' 0647dc30: mswsock! 
Socksocket + 0x50210 000007fe 'fdb81fe2: 00000000 '00000000 0000004c3f90 00000000 '00000000 100' 00000002: mswsock! Wspsocket + 0x23a11 000007fe 'fdb83600: 00000004 '000000' 00000017 00000000 '000000' 00000002: ws2_32! Wsasocketw + 0x11212 000007fe 'fdb84b60: 000007fe '00000002 00000000 00000000 '03d47f60 00000000 '00000000 100' 004a6ea0: ws2_32! Getprotocolstateforfamily + 0x7c13 000007fe 'fdb83332: 00000000 '00000000 000000' 00000000 00000000 100' 0647df04: ws2_32! Lookupaddressforname + 0x100

tcpip!WfpAleCaptureSecurityInformation
Code of the WfpAlepLookupProcessInformation function:

.text:0000000000068eb0 mov [rsp+arg_0], rbx
.text:0000000000068eb5 push rdi
.text:0000000000068eb6 sub rsp, 40h
.text:0000000000068eba mov rdx, [rdx]
.text:0000000000068ebd mov rbx, r8
.text:0000000000068ec0 mov rdi, rcx
.text:0000000000068ec3 test rdx, rdx
.text:0000000000068ec6 jz loc_9894a
.text:0000000000068ecc
.text:0000000000068ecc loc_68ecc: ; CODE XREF: WfpAlepLookupProcessInformation+2fa9e j
.text:0000000000068ecc lea r8, [rsp+48h+var_28]
.text:0000000000068ed1 lea rcx, galemasterhashtable
.text:0000000000068ed8 call cs:__imp_RtlLookupEntryHashTable
.text:0000000000068ede test rax, rax
.text:0000000000068ee1 jz loc_9896e
.text:0000000000068ee7
.text:0000000000068ee7 loc_68ee7: ; CODE XREF: WfpAlepLookupProcessInformation+2fab8 j
.text:0000000000068ee7 add rax, 0ffffffffffffb8h
.text:0000000000068eeb cmp [rax], rdi
.text:0000000000068eee jnz loc_98953
.text:0000000000068ef4 mov [rbx], rax
.text:0000000000068ef7 xor eax, eax
.text:0000000000068ef9
.text:0000000000068ef9 loc_68ef9: ; CODE XREF: WfpAlepLookupProcessInformation+2fad9 j
.text:0000000000068ef9 mov rbx, [rsp+48h+arg_0]
.text:0000000000068efe add rsp, 40h
.text:0000000000068f02 pop rdi
.text:0000000000068f03 retn
In the end, the call to cs:__imp_RtlLookupEntryHashTable returns 0 and the error occurs. But the reason for the error was still confusing. What does 360antihacker64 have to do with it? There is no trace of file operations in 360antihacker64, so is 360antihacker64 the problem at all? Booting from a USB flash drive, I renamed all the 360 EXE files and all the sys files, and IE could access the Internet again. Then, with 360antihacker64.sys kept, IE could still access the Internet; with 360box64.sys kept in the experiment, the problem reappeared, and the sandbox initialization process was slow.

The reason is that both our sandbox and the 360 sandbox use minifilter file filtering technology. So when a file is accessed, the path is either createfile ---> our driver ---> 360box64.sys ---> NTFS driver, or createfile ---> 360box64.sys ---> our driver ---> NTFS driver. Which one comes first? That is determined by the altitude value in the registry: the altitude of 360box64 is 382310, and our driver runs later. When I changed the altitude value of this driver to 140000 and restarted, everything was OK. Because they are both file filter drivers, the redirected path has to be passed on to the next driver, and that next driver does not know how to handle it, or whether it should process it at all. Whether 360box64 filters IE's file operations I did not look into in detail.

There were also some side notes along the way:
1. Observing the communication between drivers: both of them construct IRPs and call IofCallDriver.
2. To call functions in other drivers: find the other driver's DeviceObject, obtain its device extension, then use the function pointers in it.
3. For driver communication with the application layer: map physical memory into virtual memory and then share it with the application layer.
4. After a process is killed, all its threads are released, but the process does not disappear, and it still does not disappear from Task Manager. For example, after the name of 360antihacker64 is changed, it is modified.

So for protection programs like this the simple approach is to rename both the EXE and SYS files to get them out of the way. Locating the problem is very troublesome; modifying the files is much easier.
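The altitude ordering described above can be checked directly instead of guessing which filter sees a create request first. The PowerShell below is an added example, not code from the original post; it reads the minifilter Instances keys under HKLM\SYSTEM\CurrentControlSet\Services, and the driver names passed to Compare-FilterOrder are placeholders for 360box64 and the author's own sandbox driver.

```powershell
# Added example (not from the original post): list every minifilter altitude registered
# under HKLM\SYSTEM\CurrentControlSet\Services\<driver>\Instances\<instance> and show the
# order in which a create request passes through them. A higher altitude is attached
# higher in the filter stack, so it sees the I/O request first.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-MinifilterAltitudes {
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $instancesPath = Join-Path $svc.PSPath 'Instances'
        if (-not (Test-Path $instancesPath)) { continue }
        foreach ($inst in Get-ChildItem -Path $instancesPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props.Altitude) { continue }
            [pscustomobject]@{
                Driver   = $svc.PSChildName
                Instance = $inst.PSChildName
                Altitude = [double]$props.Altitude   # stored as REG_SZ, e.g. "382310"
                Flags    = $props.Flags
            }
        }
    }
}

# The order a file I/O request (e.g. CreateFile) travels down towards NTFS.
$stack = Get-MinifilterAltitudes | Sort-Object Altitude -Descending
$stack | Format-Table Driver, Instance, Altitude, Flags -AutoSize

# Report which of two filters sees a request first. Both names are placeholders:
# replace them with the real service names of the two minifilters being compared.
function Compare-FilterOrder([string]$First, [string]$Second) {
    $a = $stack | Where-Object Driver -eq $First  | Select-Object -First 1
    $b = $stack | Where-Object Driver -eq $Second | Select-Object -First 1
    if (-not $a -or -not $b) { return "one of the filters is not registered" }
    if ($a.Altitude -gt $b.Altitude) {
        return "$First ($($a.Altitude)) sees the request before $Second ($($b.Altitude))"
    }
    return "$Second ($($b.Altitude)) sees the request before $First ($($a.Altitude))"
}
Compare-FilterOrder -First '360box64' -Second 'OurSandboxFilter'   # placeholder names

# Cross-check the registry view against what Filter Manager has actually loaded
# (requires an elevated prompt).
fltmc filters
```

An altitude change only takes effect after the filter is reloaded, so compare the fltmc output with the registry listing after the reboot the post describes.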
