sR6uWE

More documents

Recommendations

Info

INTERNALS: RESTRICTIONSRegistry KeysAccess MaskSandbox-SID (S-1-15-2-*-*-*-*-*-*-*)HKCR\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\HKCR \Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\\ChildrenHKCR \Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\\*HKCR \Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\HKCR \Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\\ChildrenHKCR \Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\\*HKEY_USERS\\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\HKEY_USERS\\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\\ChildrenHKEY_USERS\\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\\*KEY_READKEY_ALL_ACCESSKEY_ALL_ACCESSKEY_READKEY_ALL_ACCESSKEY_ALL_ACCESSKEY_READKEY_ALL_ACCESSKEY_ALL_ACCESSOffice-Capability-SID (S-1-15-3-2929230137-1657469040)HKCU\Software\Microsoft\Office\*HKEY_USERS\\Software\Microsoft\Office\*KEY_READKEY_READ• Sandbox-SID restricts access to sandbox-related registry keys– Mostly KEY_ALL_ACCESS access• Capability-SID restricts access to Office-related registry keys– Only KEY_READ access– HKCU\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations– HKCU\Software\Microsoft\Office\15.0\Word\File MRULabs.mwrinfosecurity.com | © MWR Labs 20
INTERNALS: RESTRICTIONS• Capability-SID does not allow network outbound connections– WSAEACCES “Permission Denied” errorLabs.mwrinfosecurity.com | © MWR Labs 21
Page 1 and 2: UNDERSTANDING THE MICROSOFT OFFICE
Page 3 and 4: Outline• Introduction• Sandbox
Page 5 and 6: INTRODUCTION• Sandboxing 101- Wik
Page 7 and 8: MS OFFICE 2013 PROTECTED-VIEW SANDB
Page 9 and 10: OperatingINTERNALS: ARCHITECTUREBro
Page 11 and 12: INTERNALS: ARCHITECTURE• Elevatio
Page 13 and 14: OperatingINTERNALS: ARCHITECTUREBro
Page 15 and 16: INTERNALS: INITIALIZATIONMSO.sub_00
Page 17 and 18: INTERNALS: INITIALIZATIONLowIntegri
Page 19: INTERNALS: RESTRICTIONSFile Locatio
Page 25 and 26: IPC: INTERNAL OBJECTSThreadMgr Obje
Page 27 and 28: IPC: MESSAGE FORMATMessage HeaderMe
Page 29 and 30: IPC: MESSAGE 0X001000• No message
Page 31 and 32: IPC: MESSAGE 0X091000Message Body f
Page 33 and 34: IPC: MESSAGE 0X0C1000• Windows Er
Page 35 and 36: WER ServerIPC: MESSAGE 0X0C1000Wind
Page 37 and 38: IPC: MESSAGE 0X0C1000• Issue 2: D
Page 39 and 40: IPC: MESSAGE 0X0C1000• DemoLabs.m
Page 41 and 42: IPC: MESSAGE 0X0F1000• “Microso
Page 45 and 46: MS OFFICE 2016: SANDBOX INTERNALS
Page 47 and 48: MS OFFICE 2016: IPC 0X161000• New
Page 51 and 52: REFERENCES• Yason, Mark Vincent.

sR6uWE

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?