Windows Vista IE 7 Protected Mode Developer Survival Guide

Source: Internet
Author: User
Windows Vista IE 7 Developer Survival Guide for Protected Mode

Overview of Protected Mode

Protected Mode in Internet Explorer 7 is a new Vista feature and part of User Account Control (UAC). It restricts what code running inside the IE process can do, in order to protect the computer: even if a malicious web page exploits a bug in IE or in an IE plug-in to inject code, that code cannot damage the system.

Integrity Levels and UIPI

Windows Vista introduces a new attribute for securable objects, the mandatory integrity level, which has four levels:

- System: used by system components; applications should not normally use it.
- High: used by processes that have been elevated to administrator rights.
- Medium: the level of processes running normally.
- Low: used by IE and Windows Mail to provide protected mode.

Every process in Windows runs with an integrity level. Once the process is running, its level cannot be changed; it can only be set at the moment the process is created. The process integrity level has three major effects:

1. Any securable object created by the process gets the same integrity level.
2. A process cannot access resources with a higher integrity level than its own.
3. A process cannot send window messages to a process with a higher integrity level than its own.

This list is not complete, but these three have a particularly significant impact on IE plug-ins. The first two prevent low-integrity processes from tampering with IPC resources such as shared memory that holds sensitive data or data critical to a program's correct execution. The third, called User Interface Privilege Isolation (UIPI), is designed to prevent a class of attacks in which an attacker sends window messages to trick a process into running unsafe code.
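The three effects above, and the SDDL mandatory-label string that the SetObjectToLowIntegrity() routine quoted later in this article applies, can be checked against a small model. The following is an added example, not code from the article or its sample projects: it parses a mandatory-label SACL string such as S:(ML;;NW;;;LW) (Low integrity, No-Write-Up) and evaluates the integrity check for a caller at a given level, including the UIPI rule for messages at or above WM_USER. It uses only standard C++ and runs on any platform; the type, function and constant names are the model's own, chosen to mirror the Windows ones, and the numeric level values are illustrative.

```cpp
// Added example (not from the article): a model of Windows mandatory integrity
// control as the article describes it. Pure standard C++, no Win32 calls.
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Integrity levels, ordered low to high (values are illustrative, not the Windows RIDs).
enum class Integrity { Low = 1, Medium = 2, High = 3, System = 4 };

// Mandatory label policy bits, matching the SDDL rights NW, NR and NX.
enum Policy { NoWriteUp = 1, NoReadUp = 2, NoExecuteUp = 4 };

// Access kinds requested by a caller.
enum Access { Read = 1, Write = 2, Execute = 4 };

struct Label { Integrity level; unsigned policy; };

// Map the two-letter SDDL integrity SIDs to levels.
Integrity parseLevelSid(const std::string& sid) {
    static const std::map<std::string, Integrity> table = {
        {"LW", Integrity::Low}, {"ME", Integrity::Medium},
        {"HI", Integrity::High}, {"SI", Integrity::System}};
    auto it = table.find(sid);
    if (it == table.end()) throw std::invalid_argument("unknown integrity SID: " + sid);
    return it->second;
}

// Parse "S:(ML;;NW;;;LW)"-style strings. An SDDL ACE has six ';'-separated fields:
// ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid.
Label parseMandatoryLabel(const std::string& sddl) {
    if (sddl.compare(0, 2, "S:") != 0) throw std::invalid_argument("expected a SACL string");
    size_t open = sddl.find('('), close = sddl.find(')');
    if (open == std::string::npos || close == std::string::npos || close < open)
        throw std::invalid_argument("malformed ACE");
    std::vector<std::string> fields;
    std::string cur;
    for (size_t i = open + 1; i < close; ++i) {
        if (sddl[i] == ';') { fields.push_back(cur); cur.clear(); } else cur += sddl[i];
    }
    fields.push_back(cur);
    if (fields.size() != 6 || fields[0] != "ML")
        throw std::invalid_argument("not a mandatory label (ML) ACE");
    const std::string& rights = fields[2];
    if (rights.size() % 2 != 0) throw std::invalid_argument("malformed rights field");
    unsigned policy = 0;
    for (size_t i = 0; i < rights.size(); i += 2) {
        std::string r = rights.substr(i, 2);
        if (r == "NW") policy |= NoWriteUp;
        else if (r == "NR") policy |= NoReadUp;
        else if (r == "NX") policy |= NoExecuteUp;
        else throw std::invalid_argument("unknown mandatory right: " + r);
    }
    return Label{parseLevelSid(fields[5]), policy};
}

// Effect 1: an object created by a process gets the creator's level; the default
// label policy on objects is No-Write-Up.
Label labelForNewObject(Integrity creator) { return Label{creator, NoWriteUp}; }

// Effect 2: a caller below the object's level is refused the kinds of access the
// label's policy forbids. At or above the object's level the DACL alone decides
// (modelled here as "allowed").
bool integrityAllows(Integrity caller, const Label& object, unsigned access) {
    if (caller >= object.level) return true;
    if ((access & Write)   && (object.policy & NoWriteUp))   return false;
    if ((access & Read)    && (object.policy & NoReadUp))    return false;
    if ((access & Execute) && (object.policy & NoExecuteUp)) return false;
    return true;
}

// Effect 3 (UIPI, as the article states it): messages numbered WM_USER or above
// are blocked when the sender's level is below the receiver's.
const unsigned WM_USER_VALUE = 0x0400;  // same numeric value as the Win32 WM_USER
bool uipiAllowsMessage(Integrity sender, Integrity receiver, unsigned msg) {
    return sender >= receiver || msg < WM_USER_VALUE;
}

// The article's two-mutex scenario: a medium-integrity DemoApp creates Mutex 1 with
// the default label and Mutex 2 relabelled with the SDDL string; IE in protected
// mode (low integrity) then tries to open both for modify access.
struct MutexDemo { bool canOpenMutex1; bool canOpenMutex2; };
MutexDemo runMutexScenario() {
    Label mutex1 = labelForNewObject(Integrity::Medium);
    Label mutex2 = parseMandatoryLabel("S:(ML;;NW;;;LW)");
    unsigned wanted = Read | Write;  // an "all access" style open
    return MutexDemo{integrityAllows(Integrity::Low, mutex1, wanted),
                     integrityAllows(Integrity::Low, mutex2, wanted)};
}

int main() {
    MutexDemo d = runMutexScenario();
    std::printf("Mutex 1 (medium, default label): %s\n", d.canOpenMutex1 ? "opened" : "access denied");
    std::printf("Mutex 2 (relabelled low):         %s\n", d.canOpenMutex2 ? "opened" : "access denied");
    return 0;
}
```

The model also shows a caveat the label string makes explicit: the NW policy blocks only write access from below, so a low-integrity process can still read a medium-integrity object unless its label also carries NR (and its DACL allows it). Lowering an object's label for the plug-in therefore only adds exposure; data that a low-integrity process must not see needs more than the default label.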
Virtualization

Virtualization (called redirection in some Microsoft documents) is a feature that keeps processes from writing to protected areas of the registry and file system without breaking the normal functions of the program. For medium-integrity processes, the protected areas are critical system areas such as HKLM, system32 and Program Files. Low-integrity processes are restricted further: they can only write to a specific low-rights area of the registry and file system, and any write request outside that area is denied.

When a process wants to write to an area for which it has no permission, virtualization takes effect. It redirects the write to a directory (or registry key) inside the current user's profile, and that is where the data actually ends up. When the program later reads the data back, the read is redirected to the same place, so the previously written data is read correctly.

Virtualization also affects IE plug-ins: a plug-in can no longer share data with other processes by writing settings to the registry (not even under HKCU), and the locations a plug-in can write to are tightly constrained. Only a few IE-specific directories, such as Favorites and Cookies, are writable.

When Protected Mode is enabled

On Vista, IE runs in protected mode by default. The status bar shows whether protected mode is on. To turn protected mode off completely, disable UAC, or clear "Enable Protected Mode" on the Security tab of the Internet Options dialog. You can also bypass protected mode temporarily by running a new IE instance with elevated rights; IE then runs at high integrity rather than at the medium level of an ordinary program.

Sample program and plug-in

The sample code contains two projects.
The first project is IEExtension, a plug-in docked at the bottom of the IE window. The second is DemoApp, an EXE that the plug-in communicates with. There is not much code in it; the key code is on the IEExtension side. For each topic, the buttons in the plug-in represent the old method that does not work in protected mode (button 1) and the new method that does (button 2); the list control shows status information such as the return values of Windows APIs. The rest of this article describes what a plug-in must do to work properly in protected mode and the APIs used in the sample code. Each topic corresponds to one (or two) buttons.

Solutions under Protected Mode

IE 7 adds several new APIs, located in ieframe.dll, that plug-ins can use to perform operations that are otherwise restricted in protected mode. You can either link to them directly through iepmapi.lib or obtain the function pointers at run time with LoadLibrary()/GetProcAddress(). If the plug-in must also load on Windows versions before Vista, you must use the latter method.

Detecting Protected Mode at run time

To find out whether the plug-in is running in a protected-mode IE process, call IEIsProtectedModeProcess():

    HRESULT IEIsProtectedModeProcess(BOOL *pbResult);

If the return value is a success HRESULT and *pbResult is TRUE, IE is in protected mode. The code can then branch on the value of *pbResult:

    HRESULT hr;
    BOOL bProtectedMode = FALSE;

    hr = IEIsProtectedModeProcess(&bProtectedMode);

    if (SUCCEEDED(hr) && bProtectedMode)
        // IE is running in protected mode.
    else
        // IE is not running in protected mode.
Writing to the file system

In protected mode, a plug-in can only write to a few directories in the user's profile, namely the low-rights versions of Temp, Temporary Internet Files, Cookies and Favorites. IE 7 does take care of some compatibility cases and virtualizes a few commonly used directories: writes to them are redirected to a subdirectory of Temporary Internet Files. If a plug-in tries to write to a sensitive location such as the Windows directory, the write fails.

So when a plug-in needs to write to the file system, it should use the IEGetWriteableFolderPath() API instead of SHGetSpecialFolderPath(), SHGetFolderPath() or SHGetKnownFolderPath(). IEGetWriteableFolderPath() is protected-mode aware: if the directory the plug-in asks for is not writable, it returns E_ACCESSDENIED. Its prototype is:

    HRESULT IEGetWriteableFolderPath(REFGUID clsidFolderID, LPWSTR *lppwstrPath);

The GUID is one of the known-folder IDs defined in the KnownFolders.h header, such as FOLDERID_InternetCache, FOLDERID_Cookies and FOLDERID_History. There appears to be no GUID for the Temp directory, so FOLDERID_InternetCache is recommended for writing temporary files. The following code creates a temporary file in the cache:

    HRESULT hr;
    LPWSTR pwszCacheDir = NULL;
    TCHAR szTempFile[MAX_PATH] = {0};

    hr = IEGetWriteableFolderPath(FOLDERID_InternetCache, &pwszCacheDir);

    if (SUCCEEDED(hr))
    {
        GetTempFileName(CW2CT(pwszCacheDir), _T("Bob"), 0, szTempFile);
        CoTaskMemFree(pwszCacheDir);

        // szTempFile now holds the full path of the temporary file.
    }

If IEGetWriteableFolderPath() succeeds, it allocates a buffer and returns its address in pwszCacheDir. We only need to pass this directory to GetTempFileName() and then release the buffer with CoTaskMemFree().
IEGetWriteableFolderPath() is not only for temporary files; the plug-in also uses it when saving a file through the Save As dialog in protected mode, as described in "Prompting the user to save a file" below.

Writing to the registry

Because the registry is a critical part of the system, code running in the browser must not be allowed to modify arbitrary parts of it, or malicious code could use it to get itself run. A plug-in is therefore allowed to write to only one key. As with the file system, this key lies in the low-rights area of the current user's hive. Call IEGetWriteableHKCU() to obtain it:

    HRESULT IEGetWriteableHKCU(HKEY *phKey);

If the call succeeds, the returned HKEY can be used with the other registry APIs to write data.

Prompting the user to save a file

When IE is running in protected mode, a plug-in can still write a file outside the low-rights area, although not directly. It calls IEShowSaveFileDialog() to show the Save File dialog; if the user enters a file name, the plug-in then calls IESaveFile() to have IE write the file. Note that this always shows the Save File dialog, so that the user knows a file is about to be written. Saving a file takes these steps:

1. Call IEShowSaveFileDialog() to show the Save File dialog.
2. Call IEGetWriteableFolderPath() to get the IE cache directory.
3. Write the data to a temporary file in the cache directory.
4. Call IESaveFile() to copy the data to the file the user chose.
5. Delete the temporary file.

IEShowSaveFileDialog() is a wrapper around the common Save File dialog:

    HRESULT IEShowSaveFileDialog(HWND hwnd,
                                 LPCWSTR lpwstrInitialFileName,
                                 LPCWSTR lpwstrInitialDir,
                                 LPCWSTR lpwstrFilter,
                                 LPCWSTR lpwstrDefExt,
                                 DWORD dwFilterIndex,
                                 DWORD dwFlags,
                                 LPWSTR *lppwstrDestinationFilePath,
                                 HANDLE *phState);

hwnd is a window handle owned by the plug-in; IE uses its top-level owner window as the parent of the dialog. lppwstrDestinationFilePath is a pointer to an LPWSTR that receives the path of the selected file. phState is a pointer to a HANDLE that receives a state handle for the file the user selected; this handle is passed to the other APIs. The remaining parameters work like the corresponding members of the OPENFILENAME structure. IEShowSaveFileDialog() returns S_OK if the user chose a file name, S_FALSE if the dialog was cancelled, and a failure HRESULT if the API itself failed.

The following sample code first calls IEShowSaveFileDialog() to prompt the user for a file path:

    void CBandDialog::OnSaveLog(UINT uCode, int nID, HWND hwndCtrl)
    {
        HRESULT hr;
        HANDLE hState;
        LPWSTR pwszSelectedFilename = NULL;
        const DWORD dwSaveFlags = OFN_ENABLESIZING | OFN_HIDEREADONLY |
                                  OFN_PATHMUSTEXIST | OFN_OVERWRITEPROMPT;

        // Get a filename from the user.
        hr = IEShowSaveFileDialog(m_hWnd, L"saved log.txt", NULL,
                                  L"Text files|*.txt|All files|*.*|", L"txt",
                                  1, dwSaveFlags, &pwszSelectedFilename, &hState);

        if (S_OK != hr)
            return;

Next, call IEGetWriteableFolderPath() to get the path of the writable cache directory:

        LPWSTR pwszCacheDir = NULL;
        TCHAR szTempFile[MAX_PATH] = {0};

        // Get the IE cache directory, which is writable in protected mode.
        hr = IEGetWriteableFolderPath(FOLDERID_InternetCache, &pwszCacheDir);

        if (SUCCEEDED(hr))
        {
            // Get a temporary file name in that directory.
            GetTempFileName(CW2CT(pwszCacheDir), _T("Bob"), 0, szTempFile);
            CoTaskMemFree(pwszCacheDir);

            // Write the data to the temporary file (WriteLogFile is a helper in the sample).
            hr = WriteLogFile(szTempFile);
        }

If everything went well, IESaveFile() is called with the state handle returned by IEShowSaveFileDialog() and the temporary file path. Note that the state handle is not a standard handle and does not need to be closed; it is released automatically after IESaveFile() is called. If the save cannot be completed for some reason, for example because writing the temporary file failed, the state handle and the resources allocated by IEShowSaveFileDialog() must be released instead, which is what IECancelSaveFile() does.

        if (SUCCEEDED(hr))
        {
            // The file was written; IE copies it to the path the user selected.
            hr = IESaveFile(hState, T2CW(szTempFile));

            // Delete the temporary file.
            DeleteFile(szTempFile);
        }
        else
        {
            // The save was not completed; just cancel it.
            IECancelSaveFile(hState);
        }

        // The selected path was allocated by IE and is freed by the caller.
        CoTaskMemFree(pwszSelectedFilename);
    }

Communication between the plug-in and other programs

Everything described so far concerns the file system and the registry, where protected mode keeps IE from calling APIs that could damage the system. What follows is more involved: communication (IPC) with other programs, which run at a higher integrity level. It comes in two kinds: kernel objects and window messages.

1. IPC objects

Communication between the plug-in and a separate process involves the NT security APIs and the mandatory integrity level check.
By default, communication between the plug-in and a separate process is blocked, because the external program runs at a higher integrity level than IE. If the external program creates a kernel object (such as an event or mutex) that the plug-in is supposed to use, the object's integrity level must be lowered so that the plug-in can access it. The external program can do this with the security APIs by modifying the object's ACL. The following code comes from MSDN; it takes the handle of a kernel object and sets its integrity level to low:

    // LABEL_SECURITY_INFORMATION SDDL SACL for a low integrity level
    LPCWSTR LOW_INTEGRITY_SDDL_SACL_W = L"S:(ML;;NW;;;LW)";

    bool SetObjectToLowIntegrity(HANDLE hObject, SE_OBJECT_TYPE type = SE_KERNEL_OBJECT)
    {
        bool bRet = false;
        DWORD dwErr = ERROR_SUCCESS;
        PSECURITY_DESCRIPTOR pSD = NULL;
        PACL pSacl = NULL;
        BOOL fSaclPresent = FALSE;
        BOOL fSaclDefaulted = FALSE;

        if (ConvertStringSecurityDescriptorToSecurityDescriptorW(
                LOW_INTEGRITY_SDDL_SACL_W, SDDL_REVISION_1, &pSD, NULL))
        {
            if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
            {
                // Only the label (SACL) is replaced; owner, group and DACL are left untouched.
                dwErr = SetSecurityInfo(hObject, type, LABEL_SECURITY_INFORMATION,
                                        NULL, NULL, NULL, pSacl);
                bRet = (ERROR_SUCCESS == dwErr);
            }
            LocalFree(pSD);
        }
        return bRet;
    }

Our sample program uses two mutexes so that the plug-in can tell when DemoApp is running. DemoApp creates both mutexes when it starts; when one of the buttons is clicked, the plug-in tries to open them. Mutex 1 has the default integrity level, while Mutex 2 is set to low integrity with SetObjectToLowIntegrity(). This means that in protected mode the plug-in can only open Mutex 2, which is what the list shows after the Open Mutex button is clicked.

Another restriction of protected mode is that a plug-in cannot launch a separate process that inherits kernel object handles from it.
For example, in protected mode the sample plug-in cannot create a file mapping object and then start a separate process (with the bInheritHandles parameter of CreateProcess() set to TRUE) that inherits the file mapping handle:

    HANDLE hMapping;
    SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES) };

    sa.bInheritHandle = TRUE;
    hMapping = CreateFileMapping(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE,
                                 0, cbyData, NULL);

    // Store the data in the shared memory block.

    // Run the EXE and pass it the shared memory handle.
    CString sCommandLine;
    BOOL bSuccess;
    STARTUPINFO si = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION pi = { 0 };

    sCommandLine.Format(_T("\"C:\\path\\to\\demoapp.exe\" /h:%p"), hMapping);

    bSuccess = CreateProcess(NULL, sCommandLine.GetBuffer(0), NULL, NULL,
                             TRUE,  // TRUE: the new process inherits handles
                             NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi);

DemoApp reads the handle value from the /h option and passes it to MapViewOfFile() to read the data. This is the standard way for a new process to receive a kernel object handle, but in protected mode the new process is actually started by a broker process. Because the IE process does not start the new process directly, handle inheritance does not work.

To get around this restriction, the plug-in can give the IPC object a predefined name so that other processes can open it (which they are allowed to do, because the object is at low integrity). If you would rather not use a fixed name, you can generate one at run time (for example from a GUID) and pass it to the separate process:

    // Get a GUID to use as the object name.
    GUID guid = { 0 };
    WCHAR wszGuid[64] = { 0 };
    HRESULT hr;

    hr = CoCreateGuid(&guid);
    StringFromGUID2(guid, wszGuid, _countof(wszGuid));

    // Create the file mapping object. Since the handle will not be inherited,
    // no SECURITY_ATTRIBUTES structure is needed.
    HANDLE hMapping;

    hMapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
                                 0, cbyData, CW2CT(wszGuid));

    // Store the data in the shared memory block.

    // Run the EXE and pass it the name of the shared memory object.
    // Note that the bInheritHandles parameter of CreateProcess() is FALSE.
    CString sCommandLine;
    BOOL bSuccess;
    STARTUPINFO si = { sizeof(STARTUPINFO) };
    PROCESS_INFORMATION pi = { 0 };

    sCommandLine.Format(_T("\"C:\\path\\to\\demoapp.exe\" /n:%ls"), wszGuid);

    bSuccess = CreateProcess(NULL, sCommandLine.GetBuffer(0), NULL, NULL,
                             FALSE,  // FALSE: the new process does not inherit handles
                             NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi);

The EXE receives the IPC object name on the command line and calls OpenFileMapping() to access the object. The most important thing to watch with this method is the object's lifetime. With handle inheritance, the sequence is:

1. The plug-in creates the IPC object; its reference count is 1.
2. The plug-in starts the new process, which inherits the handle. This raises the reference count to 2.
3. The plug-in can close its handle right away because it no longer needs the object. The reference count drops to 1.
4. The new process does whatever it needs to through the IPC object. Because it holds an open handle, the object stays alive until the new process closes that handle.

If you follow the same steps but pass only the object name to the EXE, you create a race: the plug-in may close its handle (and thereby destroy the IPC object) before the EXE has had a chance to open it. The sequence must therefore be:

1. The plug-in creates the IPC object; its reference count is 1.
2. The plug-in starts the new process and passes it the IPC object name. The reference count is still 1.
3. The plug-in must not close its handle yet. It has to wait until the new process has opened its own handle to the object, which requires some synchronization.
4. The new process opens the object and reads the data. It can then signal the plug-in to wake up its thread, and the plug-in can safely close its handle.

In the sample, DemoApp reads the data from shared memory before creating its main window. After calling CreateProcess(), the plug-in calls WaitForInputIdle(), which blocks the thread until DemoApp's main window has been created and shown. Once DemoApp is idle it no longer uses the shared memory, so the plug-in can safely close its handle.

When you click "Run EXE 1", the plug-in writes the current date and time into shared memory and passes DemoApp a handle to it. In protected mode this fails: DemoApp reports an invalid handle error. When you click "Run EXE 2", the plug-in passes DemoApp the name of the file mapping object, and DemoApp displays the data it read from shared memory.

2. Receiving window messages

UIPI prevents certain window messages (all messages with a value greater than or equal to WM_USER) sent from a lower-integrity process from reaching a program at a higher integrity level. If your program needs to receive such messages from the plug-in, call ChangeWindowMessageFilter() to let specific messages through:

    BOOL ChangeWindowMessageFilter(UINT message, DWORD dwFlag);

message is the message value, and dwFlag says whether the message is allowed or blocked: MSGFLT_ADD allows it, MSGFLT_REMOVE blocks it.

Be cautious with messages from other processes. If you receive data through messages, validate the received data carefully, because messages from other processes cannot be trusted and may be sent by malicious code. The sample program demonstrates communication through registered window messages.
As in the mutex example, two messages are registered. DemoApp lets the second one through in OnInitDialog():

    m_uRegisteredMsg1 = RegisterWindowMessage(...);   // first message name
    m_uRegisteredMsg2 = RegisterWindowMessage(...);   // second message name
    ChangeWindowMessageFilter(m_uRegisteredMsg2, MSGFLT_ADD);

(The message name strings are not reproduced here.) When you click "Send Message" in the plug-in, the list shows that the first message is not allowed through, so SendMessage() returns 0.

Other restrictions in Protected Mode

1. Running other programs. IE also has a mechanism to keep malicious code from communicating with or starting other processes. If a plug-in tries to start another process, IE asks the user for permission before starting it; the "View Source" command, for example, produces a prompt of this kind. If the plug-in needs to run a separate EXE, you can add a registry key that tells IE the EXE is trusted and may run without a prompt. The key controlling this behaviour is:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

Create a new GUID, then add a new key named after that GUID under ElevationPolicy. In the new key, create these three values:

- AppName: the executable file name, for example demoapp.exe.
- AppPath: the directory the EXE is in.
- Policy: a DWORD value set to 3.

IE creates the same key itself if you choose "no longer display this warning for this program" in the prompt.

2. Drag and drop to other programs. If you drag content from a web page into another program, a similar prompt appears. Here too you can create a registry key so that the prompt is not shown; the format is the same as above, except that the key lives under DragDrop instead of ElevationPolicy.
