sR6uWE

More documents

Recommendations

Info

IPC: INTERNAL OBJECTSViewFile Object (size 0x1C)Offset Size Field Comment04 UINT32 ui32ViewID Unique ID to identify respective untrusted file.08 HWND hOPHWnd hWnd for “OPH Previewer Window” class(Global MSO.015E9A9C = 0)File 1aFile 1b0C LPWSTR lpwFileName Pointer to full-path to original file10 LPWSTR lpwTemporaryFileName Pointer to full-path to temp file in sandbox dir14 LPVOID lpSameBrokerApp Pointer to SameBrokerApp objectFile 2aFile 2b18 UINT32 ui32SessionEnableHyperlinks Used in Tag 0x091000 (TRUE or FALSE)SameBrokerApp ObjectSameBrokerApp object missing(Global MSO.015E9A9C = 6)Offset Size Field Comment0C LPVOID lpWWLIBIPCMsg Pointer to WWLIBIPCMsg object84 HWND hOPHParentWnd Used in 0x061000 and 0x101000 IPC messageMSO-Group of IPC Messages90 LPVOID lpDRMStream Used in 0x081000 IPC messageB0 LPVOID lpTaskList Used in 0x0B1000 IPC messageWWLIBIPCMsg ObjectOffset Size Field Comment1C UINT32 ui32IPC0A1100 Used in 0x0A1100 IPC message20 UCHAR [0x2C] uchIPC091100Contents Buffer storing IPC 0x091100 message contents4C UINT32 ui32IPC071100MsgID MsgID of IPC 0x071100 message50 UINT32 ui32IPC081100MsgID MsgID of IPC 0x081100 message54 UINT32 ui32IPC091100MsgID MsgID of IPC 0x091100 message58 UINT32 ui32IPC031100MsgID MsgID of IPC 0x031100 messageWWLIB-Group of IPC Messages5C UINT32 ui32IPC041100MsgID MsgID of IPC 0x041100 message60 UINT32 ui32IPC0E1100MsgID MsgID of IPC 0x0E1100 message64 UCHAR [0x24] uchIPC041100Contents Buffer storing IPC 0x041100 message contents8C UCHAR [0x1D4] uchIPC031100Contents Buffer storing IPC 0x031100 message contentsLabs.mwrinfosecurity.com | © MWR Labs 26
IPC: MESSAGE FORMATMessage HeaderMessage Body(Optional)Request Header for MSO-Group (size 0x10-bytes)UINT32 ui32VirtualKey Used in 0x071000 request. Otherwise ignoredUINT32 ui32MsgTagType of (22) IPC requestRanges 0x001000 to 0x151000, at inc 0x010000UINT32 ui32MsgID Matches IPC request to its responseUINT32 ui32MsgSize Total size of IPC message in bytes (max 0x2000)Request Header for WWLIB-Group (size 0x14-bytes)UINT32 ui32VirtualKey -UINT32 ui32MsgTagType of (16) IPC requestRanges 0x001100 to 0x0F1100, at inc 0x010000UINT32 ui32MsgID -UINT32 ui32MsgSize -UINT32 ui32ViewID Sandboxed file ID. Corr to lpViewFile->ui32ViewIDResponse Header (size 0x10-bytes)UINT32 ui32Status Return status of IPC requestUINT32 ui32MsgTag -UINT32 ui32MsgID Matches IPC request to its responseUINT32 ui32MsgSize -Message Body Format Specific to MsgTag………Labs.mwrinfosecurity.com | © MWR Labs 27
Page 1 and 2: UNDERSTANDING THE MICROSOFT OFFICE
Page 3 and 4: Outline• Introduction• Sandbox
Page 5 and 6: INTRODUCTION• Sandboxing 101- Wik
Page 7 and 8: MS OFFICE 2013 PROTECTED-VIEW SANDB
Page 9 and 10: OperatingINTERNALS: ARCHITECTUREBro
Page 11 and 12: INTERNALS: ARCHITECTURE• Elevatio
Page 13 and 14: OperatingINTERNALS: ARCHITECTUREBro
Page 15 and 16: INTERNALS: INITIALIZATIONMSO.sub_00
Page 17 and 18: INTERNALS: INITIALIZATIONLowIntegri
Page 19 and 20: INTERNALS: RESTRICTIONSFile Locatio
Page 21 and 22: INTERNALS: RESTRICTIONS• Capabili
Page 25: IPC: INTERNAL OBJECTSThreadMgr Obje
Page 29 and 30: IPC: MESSAGE 0X001000• No message
Page 31 and 32: IPC: MESSAGE 0X091000Message Body f
Page 33 and 34: IPC: MESSAGE 0X0C1000• Windows Er
Page 35 and 36: WER ServerIPC: MESSAGE 0X0C1000Wind
Page 37 and 38: IPC: MESSAGE 0X0C1000• Issue 2: D
Page 39 and 40: IPC: MESSAGE 0X0C1000• DemoLabs.m
Page 41 and 42: IPC: MESSAGE 0X0F1000• “Microso
Page 45 and 46: MS OFFICE 2016: SANDBOX INTERNALS
Page 47 and 48: MS OFFICE 2016: IPC 0X161000• New
Page 51 and 52: REFERENCES• Yason, Mark Vincent.

sR6uWE

Create successful ePaper yourself

Delete template?

Save as template?