从IE EPM BHO中访问命名管道服务器 [英] Accessing named pipe servers from within IE EPM BHO
问题描述
我正在尝试对我们的旧产品进行一些更改,以支持BHO上的IE EPM。我设法让它加载和各种方法 - SetSite,DocumentComplete等 - 被调用。
I am trying to make some changes to our legacy product to support IE EPM on the BHO. I have managed to get it to load and the various methods - SetSite, DocumentComplete etc. - get invoked.
我试图连接到它时似乎遇到了障碍在Windows服务中运行的命名管道服务器。
I seem to be hitting a snag when trying to connect to the named pipe server running inside a Windows Service.
以前,我们已经进行了更改以允许IE BHO处于保护模式以访问命名管道服务器 - 使用LOW_INTEGRITY_SDDL_SACL(S:(ML ;; NW ;;; LW))。在代码中,我们使用ConvertStringSecurityDescriptorToSecurityDescriptor方法创建安全描述符,然后在实际SD或SECURITY_ATTRIBUTES对象上执行SetSecurityDescriptorSacl。这允许BHO代码访问SYSTEM服务中托管的命名管道服务器。
Previously, we had already made changes to allow IE BHO in protected mode to access the named pipe server - using LOW_INTEGRITY_SDDL_SACL ("S:(ML;;NW;;;LW)"). Within the code, we were using creating the security descriptor using the ConvertStringSecurityDescriptorToSecurityDescriptor method, then performing a SetSecurityDescriptorSacl on the actual SD or the SECURITY_ATTRIBUTES object. This allowed the BHO code to access named pipe servers hosted in the SYSTEM service.
我提到了一些文章,可能最有用的一篇是这篇文章 - 有没有办法在IE11上从AppContainer BHO创建命名管道?
I referred to a few articles and probably the most useful one was this post - Is there a way to create a named pipe from an AppContainer BHO on IE11?
我对SDDL进行了一些更改,现在它看起来像 -
I made some changes to SDDL so it now looks like -
#define EPM_INTEGRITY_SDDL L"S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FA;;;WD)(A;;FA;;;AC)"
这基本上给出了完整档案访问DACL部分中的所有人,所有应用程序包和系统。我知道它太过宽松了,但我预计这应该至少在我使用SetSecurityDescriptorDacl时起作用: - )
This basically gives full file access to Everyone, ALL APPLICATION PACKAGES and SYSTEM in the DACL part. I know it's way too permissive, but I expected this should at least work once I used SetSecurityDescriptorDacl :-)
无论如何,设置SD的代码现在如下所示。我在这里遗漏了什么吗?
Anyway, the code that sets the SD now looks as below. Am I missing something here?
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(EPM_INTEGRITY_SDDL, SDDL_REVISION_1, &pLISD, NULL))
{
OutputDebugString(L"Unable to get the app-container integrity security descriptor");
return false;
}
PACL pAcl = 0;
BOOL bAclPresent = FALSE;
BOOL bAclDefaulted = FALSE;
if (!GetSecurityDescriptorSacl(pLISD, &bAclPresent, &pAcl, &bAclDefaulted) || !bAclPresent)
{
return false;
}
if (!SetSecurityDescriptorSacl(pSecurityDesc, TRUE, pAcl, FALSE))
{
return false;
}
pAcl = 0;
bAclPresent = FALSE;
bAclDefaulted = FALSE;
if (!GetSecurityDescriptorDacl(pLISD, &bAclPresent, &pAcl, &bAclDefaulted) || !bAclPresent)
{
OutputDebugString(L"Setting to low integrity : No DACL Available");
return false;
}
if (!SetSecurityDescriptorDacl(pSecurityDesc, TRUE, pAcl, FALSE))
{
OutputDebugString(L"Setting to low integrity : Unable to set the DACL");
return false;
}
推荐答案
我做了一些研究和管理找出一种有效的方法。
I did some research and managed to figure out an approach that works.
首先,似乎AppContainer中的BHO无法访问在Windows会话中创建的命名管道等。由于我在Windows服务中创建了命名管道服务器,因此我指定的安全描述符无关紧要。它不起作用。
First, it appears that the BHO inside the AppContainer cannot access named pipes etc. created in a Windows session other than its own. Since I was creating my named pipe server in a Windows Service, it doesn't matter what security descriptor I specify. It won't work.
其次,使用中等完整性代理程序进程创建具有相同尝试SD的命名管道,并且可以访问它。因此,我采用的方法是为我的BHO创建一个代理,将这些消息转发给Windows服务。所以,我的服务器逻辑不需要移动。
Second, use the medium-integrity broker process to create the named pipe with the same attempted SD and it will be accessible. So, the approach I took was to create a proxy to my BHO that forwards these messages to the Windows Service. So, my "server" logic did not need to move.
我对这种方法并不感到兴奋,但它并不太糟糕,因为我可以重用这段代码对于基于JS的扩展,也没有完全重写核心代码。
I am not thrilled with the approach, but it isn't too bad, because I can reuse this code for the JS-based extensions too without completely re-writing the core code.
第三,我需要某种方式回调BHO,要求它采取一些行动基于外部刺激。我设法通过在BHO的SetSite中创建HWND_MESSAGE窗口并使用Broker进程中的SendMessage调用它来实现此目的。由于这是跨进程的,因此您需要使用WM_COPYDATA。
Third, I needed some way to call back into the BHO to ask it to take some action based on external stimuli. I managed to achieve this by creating a HWND_MESSAGE window in the SetSite of the BHO and calling to it using SendMessage from the Broker process. Since this is cross-process, you would need to use WM_COPYDATA.
这篇关于从IE EPM BHO中访问命名管道服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!