Transcription
MWRI PUBLICUNDERSTANDING THE MICROSOFT OFFICE2013 PROTECTED-VIEW SANDBOXYong Chuan, Koh (@yongchuank)2015/07/09mwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC
MWRI PUBLICTable of Contents1.Introduction . 32.Sandbox Internals . 42.12.1.1Interception Component . 42.1.2Elevation Policy Manager . 42.1.3Inter-Process Communication . 52.2Sandbox Initialization . 62.2.2File Locations . 122.2.3Registry Keys . 122.2.4Network Connections . 133.1IPC Objects . 153.2IPC Parsers. 203.3IPC Format . 203.3.1Message Header . 213.3.2Message 0x001000 . 213.3.3Message 0x011000 . 223.3.4Message 0x061000 . 243.3.5Message 0x091000 . 243.3.6Message 0x0A1000 . 253.3.7Message 0x0C1000 . 263.3.8Message 0x0F1000 . 313.3.9Message 0x141000 . 33Comments . 33Microsoft Office 2016 . 344.1Sandbox Restrictions. 344.2Sandbox Code . 344.2.1Sandbox Initialization . 354.2.2Message 0x0C1000 . 364.2.3Message 0x161000 . 364.2.4Message 0x031100 . 374.35.Comments . 14Inter-Process Communication (IPC) Mechanism . 153.44.Sandbox Restrictions. 62.2.12.33.Architecture . 4Comments . 37Conclusion . 37mwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC1
MWRI PUBLIC6.Bibliography . 387.Appendix A: IPC Format of Remaining Messages . 398.Appendix B: Standard Error Codes and Messages . 50mwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC2
MWRI PUBLIC1. IntroductionSandbox is an increasingly popular technique adopted by software vendors to minimize the security impact of acompromised system. Wikipedia defines a sandbox as:“ a sandbox is a security mechanism for separating running programs A sandbox typically provides a tightlycontrolled set of resources for guest programs to run in .A sandbox is implemented by executing thesoftware in a restricted operating system environment, thus controlling the resources ( ) that a process mayuse ” (1)This definition suggests that imposing restrictions on an application’s accessible system resources is central tosandboxing. And it is through these restrictions that the minimal security impact is achieved; the malware isstill not able to access important information even though the system may be compromised. As a testament ofits effectiveness, popular applications that have adopted sandboxing include Google Chrome, Internet Explorerand Adobe Reader.The MS Office is no exception; its sandbox is implemented as the Protected-View feature since MS Office 2010.Unlike typical sandboxes, the Protected-View only sandboxes files that it deem as “untrusted”, which isdefined as Word, PowerPoint and Excel files that are opened from dangerous locations (2), and could also beidentified from the “Zone.Identifier: DATA” alternate-data-streams contents. In general, the Protected-Viewoffers the user a read-only text-view representation of the file and disables all unnecessary features for thispurpose.The motivation for this research arises because at present, there are many excellent research performed onthe sandboxes for Chrome (3), Internet Explorer Enhanced Protected Mode (IE EPM) (4) (5) and Adobe Reader(6) (7). However, no research has been performed on the MS Office Protected-View sandbox since itsintroduction 5 years ago. To add to the obscurity, Microsoft did not release any technical information onProtected-View as well. As a result, the wider community is left wondering about the mechanism behind it.This whitepaper aims to bridge this gap in two parts. The first part attempts to describe the sandbox internalsby discussing its architecture, how the sandbox is started and the system resource restrictions. The second partdiscusses the Inter-Process Communication (IPC) mechanism, including the mode of communication, internalobjects that the broker uses, format of IPC messages and semantics of selected IPC messages. This whitepaperwill also do a comparison with MS Office 2016 Preview (to check how the Protected-View sandbox may haveevolve. Finally, the whitepaper will end with a conclusion.With most of the Protected-View sandbox code found in MSO.DLL and WWLIB.DLL, this whitepaper is based on32-bit MS Office 2013 v15.0.4420.1017, MSO.DLL v15.0.4420.1017 and WWLIB.DLL v15.0.4420.1017 running onWindows 8 (x86). For MS Office 2016 Preview, MSO.DLL v16.0.3930.1008 and WWLIB.DLL v16.0.3930.1008 areused.mwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC3
MWRI PUBLIC2. Sandbox InternalsThis first part of the paper aims to provide the reader with a holistic understanding of the Protected-Viewsandbox implementation through two sub-sections; the architecture of the sandbox and the system resourcesthat the sandbox is restricted to. This knowledge should serve as the foundation for subsequent work toidentify subtle weaknesses or attack surfaces.2.1 ArchitectureAs the Protected-View sandbox architecture is unknown, the approach taken to “sketch” it is by comparisonagainst the Internet Explorer (IE) Enhanced Protected Mode (EPM) sandbox model. It is chosen because of thelikelihood of code reuse, design similarity and also the wealth of information from the community.Like most architectures, the Protected-View model consists of the higher-privileged broker, lower-privilegedsandbox and operating system. All untrusted files are rendered in the same sandbox process that utilizes theAppContainer or Low-Integrity technology, depending on the operating system, to restrict system resources.In IE EPM, 3 main components are central to its implementation. These are the Interception Component,Elevation-Policy Component and Inter-Process Communication (IPC) Component. So it is fundamental to checkwhether these are present in Protected-View as well.2.1.1Interception ComponentThe IE EPM implements an Interception Component which uses a Shims mechanism to redirect selected APIcalls so that its sandbox can still support full functionalities and not disrupt users’ experience. These API callsare redirected for three possible outcomes. First, it aims to seamlessly enable untrusted third-party plug-ins tocontinue functioning as before under sandbox restrictions. Second, some functionalities require higherprivileges to execute (in the broker context). Third, it is forwarded to the Elevation-Policy Component to allowonly trusted processes and COM to be created.API hooking is one of the techniques to redirect API calls, and the patching of Import Address Table (IAT),Export Address Table (EAT) and function prologues are common methods to achieve this. In Protected-View,the presence of an Interception Component is verified by checking for these three methods of patching. Thefollowing results are yielded: All function prologues in both broker and sandbox processes are similar, indicating no inline-hooking. All function addresses in IAT and EAT references the respective modules range, indicating no IAT andEAT hooking.2.1.2Elevation Policy ManagerThe Elevation-Policy Component is a subsequent decision-maker from Interception Component, and bydeduction, the absence of the latter will indicate absence of the former as well. This hypothesis will besupported by another check for this component, but from another perspective. In IE EPM, the Elevation-Policymwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC4
MWRI PUBLICComponent is implemented in the “HKEY LOCAL MACHINE\Software\Microsoft\Internet Explorer\LowRights\ElevationPolicy\” registry key, and contains the application names (AppName), paths (AppPath), CLSIDand launch behaviour (LaunchPolicyValue).To determine if this component is implemented in Protected-View, new registry keys found in MS Office 2013(vs MS Office 2007) are identified. MS Office 2007 is chosen because it is the last version that does not offer theProtected-View feature. Therefore, if the component is implemented, its set of elevation policies should befound among these new registry keys, which are show below:HKEY CURRENT sageData utoSavePurgeTimeCommon\ServicesManagerCache\ x*Word\File nternet\WebServiceCache\*Word\Place MRU\*Common\LCCache\SmartArt\1033\*Word\Reading Locations\Document *Common\LCCache\Themes\1033\*Word\Recent e\WordDocParts\1033\*Word\Security\Trusted Documents\LastPurgeTimeHKEY LOCAL MACHINE\SOFTWARE\Microsoft\Office\15.0\Common\COM Compatibility\{CLSID}\*Common\Config\{CLSID}\*User Settings\Excel Core\Create\Software\Microsoft\Internet Explorer\ProtocolExecute\*\WarnOnOpenUser Settings\PowerPoint Core\Create\Software\Microsoft\Internet Explorer\ProtocolExecute\*\WarnOnOpenUser Settings\Word Core\Create\Software\Microsoft\Internet Explorer\ProtocolExecute\*\WarnOnOpenWord\Document Inspectors\*Word\Text Converters\OOXML Converters\Import\IFDP*PowerPoint\Document Inspectors\*Excel\Document Inspectors\*And none of these keys have values similar to AppName, AppPath, CLSID and LaunchPolicyValue. Therefore, itis concluded that Protected-View does not implement the Elevation-Policy Component.2.1.3Inter-Process CommunicationThe Inter-Process Communication (IPC) is an important component in any sandbox architecture because bothbroker and sandbox processes would have to exchange data or make higher-privilege requests for a variety ofreasons. IE EPM implements two types of IPC; the COM IPC and Shared-Memory IPC. In both cases, the brokerwould establish these 2 IPC channels (for COM IPC; initializing and marshalling the COM interface, for SharedMemory IPC; creating shared memory sections in a private namespace with sandbox) and hand them over aspart of the sandbox initialization.mwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC5
MWRI PUBLICIn Protected-View, these 2 types of IPC channels are not instantiated during initialization, as discussed inSandbox Initialization (section 2.2.1). Instead, it would implement only the Name-Pipe IPC as the mode ofinter-process communication. The Name-Pipe IPC mechanism would be further discussed in Inter-ProcessCommunication (IPC) Mechanism (section 3).2.2 Sandbox RestrictionsThis section examines the system resources that Protected-View sandbox can access by default. This will painta clearer picture on the sandbox boundary and set the baseline of what may constitute a sandbox escape.Starting with Windows 8, Microsoft introduces the AppContainer restriction mechanism that applications canutilize. In this mechanism, resources are restricted based on capabilities (8). Examples of standard capabilitiesare musicLibrary, internetClient and webcam, as defined in Winnt.h (9) or the registry key“HKEY LOCAL DeviceAccess\CapabilityMappings\”.However, Microsoft does not assign standard capabilities to the Protected-View sandbox. Instead, it assignsonly one undocumented capabilitySID S-1-15-3-2929230137-1657469040that seem to be unique only to MSOffice. Therefore understanding thesystem resources accessible to thiscapability will lead to a betterunderstanding of the Protected-Viewsandbox restrictions. For thispurpose, a brute-force approach istaken to list the file locations andregistry keys that it can access, aswell as its network ability. Andlikewise for the Protected-ViewAppContainer-SID. Unlike IE EPM, the“ALL APPLICATION PACKAGES” SID(S-1-15-2-1) is not being consideredFigure 1: Capability-SID assigned to Protected-View sandboxsince MS Office is not a Metroapplication (yet).The first sub-section will describe the Protected-View initialization process to understand how the sandbox isto be created, and at the same time, identify any weakness. The subsequent sub-sections will list theaccessible file locations, registry keys and network capability. For the rest of this whitepaper, Sandbox-SID andAppContainer-SID will be used interchangeably.2.2.1Sandbox InitializationThe sandbox initialization process begins at MSO.sub 00AD0245(), and undergoes this sequence of actions:mwrinfosecurity.com MWR InfoSecurityMWRI PUBLIC6
MSO.sub 00AD0245()Creates unique sandbox name, lpSandboxName: ui16SandboxID SecureRandomValue & 3FFF lpSandboxName "OICE 15 974FA576 32C1D314 ui16SandboxID "Creates sandbox job object, hSandboxJob, with lpSandboxNameSets hSandboxJob with JobObjectBasicUIRestrictions restrictionsUnkObj.fAlternateWinStation 1(UnkObj.fAlternateWinStation 0 && UnkObj.Offset 2A 0)JOBOBJECT BASIC UI RESTRICTIONS.UIRestrictionsClass 0xFFDefaultJOBOBJECT BASIC UI RESTRICTIONS.UIRestrictionsClass 0x00JOB OBJECT UILIMIT DESKTOP JOB OBJECT UILIMIT DISPLAYSETTINGS JOB OBJECT UILIMIT EXITWINDOWS JOB OBJECT UILIMIT GLOBALATOMS JOB OBJECT UILIMIT HANDLES JOB OBJECT UILIMIT READCLIPBOARD JOB OBJECT UILIMIT SYSTEMPARAMETERS JOB OBJECT UILIMIT WRITECLIPBOARDJOBOBJECT BASIC UI RESTRICTIONS.UIRestrictionsClass 0xE8JOB OBJECT UILIMIT DESKTOP JOB OBJECT UILIMIT EXITWINDOWS JOB OBJECT UILIMIT GLOBALATOMS JOB OBJECT UILIMIT SYSTEMPARAMETERSmwrinfosecurity.com MWR InfoSecurity7
Sets hSandboxJob with JobObjectExtendedLimitInformation restrictions:JOBOBJECT BASIC LIMIT INFORMATION.ActiveProcessLimit 1JOBOBJECT BASIC LIMIT INFORMATION.LimitFlags 0x2408JOB OBJECT LIMIT KILL ON JOB CLOSE JOB OBJECT LIMIT DIE ON UNHANDLED EXCEPTION JOB OBJECT LIMIT ACTIVE PROCESS Gets Sandbox-SID according to sandbox modeLowIntegrity-modeAppContainer-modeSandbox-SID “S-1-5-21-1734954099-297494 ui16SandboxID ”Sandbox-SID DeriveAppContainerSidFromAppContainerName() with lpSandboxNameAdd Office-Capability-SID to registry key “HKCU\Software\Microsoft\Office”Gets broker token, hBrokerToken, with (TOKEN ALL ACCESS 0x100) rightsLowIntegrity-modeAppContainer-modeCreates sandbox token, hSandboxToken, with restricted rights: Flags DISABLE MAX PRIVILEGE Disable these SIDs from TokenGroups:- nsole Logon)(This Organization)(NTLM Authentication)(Medium Mandatory Level)Restricting these SIDs from YSandbox-SID(Restricted Code)(Everyone)(Users)(Logon Session)mwrinfosecurity.com MWR InfoSecurity8
Append ACCESS ALLOWED ACEs to hSandboxToken DACL: ACE 1: SID TokenUser of hBrokerTokenACE 2: SID S-1-5-5-X-Y (Logon Session)Sets hSandboxToken integrity level: TokenIntegrityLevel S-1-16-4096 (Low Mandatory Level )Creates security descriptor, pSandboxDirSecDescriptor, and sets ACL: DACL-ACE: S-1-5-32-544(Administrators);Access Mask GENERIC ALLDACL-ACE: S-1-3-0(Creator Owner);Access Mask GENERIC ALLDACL-ACE: User-SID of hBrokerToken;Access Mask GENERIC ALLDACL-ACE: Sandbox-SID,Access Mask GENERIC ALLSACL-ACE: S-1-16-4096(Low Mandatory Level); Access Mask x01Creates Sandbox directory, lpDirectory, with new profile:Creates Sandbox directory, lpDirectory, with pSandboxDirSecDescriptor: lpDirectory GetUserProfileDirecotry() lpSandboxName Profile capability Sandbox-SIDlpDirectory GetAppContainerFolderPath() ”\\Temp”Checks for creation of new desktopUnkObj.fAlternateWinStation 1Default: UnkObj.fAlternateWinStation ! 1Creates new desktop: szDesktop “Microsoft Office Isolated Environment”dwDesiredAccess GENERIC ALLGets desktop window handle, hDesktopWindowUnkObj.Offset 50 1mwrinfosecurity.com MWR InfoSecurityDefault: UnkObj.Offset 50 ! 19
Sets hSandboxJob to hDesktopWindowCreates new SECURITY DESCRIPTOR, pNamePipeSecDescriptor, and sets ACL: DACL-ACE: S-1-5-32-544(Administrators);Access Mask GENERIC ALLDACL-ACE: S-1-3-0(Creator Owner);Access Mask GENERIC ALLDACL-ACE: User-SID of hBrokerToken;Access Mask GENERIC ALLDACL-ACE: Sandbox-SID;Access Mask SYNCHRONIZE READ CONTROL 0x8BSACL-ACE: S-1-16-4096(Low Mandatory Level); Access Mask 0x01Connects named-pipe with pNamePipeSecDescriptor: lpPipeName “\\.\pipe\OfficeUser ” lpSandboxNamedwOpenMode FILE FLAG OVERLAPPED FILE FLAG FIRST PIPE INSTANCE PIPE ACCESS DUPLEXdwPipeMode PIPE TYPE MESSAGE PIPE READMODE MESSAGE PIPE REJECT REMOTE CLIENTSnMaxInstance 1nOutBufferSize 0x00002000nInBufferSize 0x00002000nDefaultTimeOut NULL (default time-out of 50 ms)Adds Office-Capability-SID, if s attribute for sandbox process, UpdateProcThreadAttribute(): mwrinfosecurity.com MWR InfoSecurityAttributelpValue PROC THREAD ATTRIBUTE SECURITY CAPABILITIES Office-Capability-SID (S-1-15-3-2929230137-1657469040)10
dwCreationFlags 0x414dwCreationFlags 0x80414CREATE UNICODE ENVIRONMENT CREATE NEW CONSOLE CREATE SUSPENDEDEXTENDED STARTUPINFO PRESENT CREATE UNICODE ENVIRONMENT CREATE NEW CONSOLE CREATE SUSPENDEDCreates sandbox process with CreateProcessAsUser(): hToken hSandboxToken (Low-Integrity mode) or hBrokerToken (AppContainer mode)lpApplicationName NULLlpCommandLine Full-path application with “/Embedding” switchAssign hSandboxProcess to hSandboxJobResume sandbox processFigure 2: Flowchart of Protected-View initialization. Differences between Low-Integrity mode and AppContainer mode are shown in orange blocks.Differences due to application settings are shown in green blocks.mwrinfosecurity.com MWR InfoSecurity11
To start the sandbox as a Low-Integrity or AppContainer process depends on its operating system,which the broker will discover with either of these two methods:1. Checks if y\UserAppContainer is 1, or2. Checks if GetProcAddress() for () andUserrenv.GetAppContainerFolderPath() succeeds2.2.2File LocationsFile LocationsAccess MaskSandbox-SID l\Packages\ lpSandboxName \*STANDARD RIGHTS ALL 0x1FFOffice-Capability-SID (S-1-15-3-2929230137-1657469040)NoneNoneThe accessible file locations are determined only by Sandbox-SID, and restricts Protected-View only tothe sandbox directory. This resonates with the observation that only the Sandbox-SID is granted tosandbox directory during initialization. The Capability-SID does not allow access to file locations.2.2.3Registry KeysRegistry KeysAccess MaskSandbox-SID ppings\ Sandbox-KEY READSID HKCR ersion\AppContainer\Mappings\ Sandbox -KEY ALL ACCESSSID \ChildrenHKCR ersion\AppContainer\Storage\ lpSandboxName KEY ALL ACCESSHKCR ersion\AppContainer\Storage\ lpSandboxName \Childrenmwrinfosecurity.com MWR InfoSecurityKEY ALL ACCESS12
HKCR \Windows\CurrentVersion\AppContainer\Mappings\ Sandbox SID KEY READHKCR \Windows\CurrentVersion\AppContainer\Mappings\ Sandbox SID \ChildrenKEY ALL ACCESSHKCR \Windows\CurrentVersion\AppContainer\Storage\ lpSandboxName HKCR \Windows\CurrentVersion\AppContainer\Storage\ lpSandboxNaKEY ALL ACCESSKEY ALL ACCESSme \ChildrenHKEY USERS\ WinUser-SID \Windows\CurrentVersion\AppContainer\Mappings\ Sandbox -KEY READSID HKEY USERS\ WinUser-SID \Windows\CurrentVersion\AppContainer\Mappings\ Sandbox -KEY ALL ACCESSSID \ChildrenHKEY USERS\ WinUser-SID \Windows\CurrentVersion\AppContainer\Storage\ lpSandboxNaKEY ALL ACCESSme HKEY USERS\ WinUser-SID \Windows\CurrentVersion\AppContainer\Storage\ lpSandboxNaKEY ALL ACCESSme \ChildrenOffice-Capability-SID osoft\Office\*KEY READHKEY USERS\ WinUser-SID \Software\Microsoft\Office\*KEY READIn summary, the Sandbox-SID allows access to sandbox-related registry keys (mostly withKEY ALL ACCESS), and the Capability-SID allows KEY READ access to Office-related registry keys.2.2.4Network ConnectionsWithout InternetClient or other network capabilities, the sandbox is not allowed to make outboundconnections to Internet endpoints in AppContainer mode. And neither does the Capability-SID (S-1-153-2929230137-1657469040) allows the sandbox to do so, failing with the WSAEACCES “PermissionDenied” error.mwrinfosecurity.com MWR InfoSecurity13
2.3 CommentsIn summary, the final Protected-View architecture is illustrated below:Default DesktopBroker ProcessActiveX COMElevation PolicyManagerAPI CallElevation PoliciesInterceptionManagerOperating SystemCOM IPCProcess AName-Pipe IPCProcess BInteractionsInternetShims (Interception Client)API Call- Sandbox Directory (RIGHTS ALL)- Sandbox Registry (KEY ALL ACCESS)- Office Registry (KEY READ)No ActiveX ControlsSandbox ProcessUntrusted FileUntrustedN File2 UntrustedFile1 Figure 3: Illustration of the Protected-View ArchitectureThe absence of Interception Component and Elevation-Policy Component is not surprising because theProtected-View feature is intended to offer only a text-preview of the file. It does not have to supportthe full functionalities of the application and therefore, can simplify its architecture. The lack ofsupport for ActiveX controls also implies that basic functions such as saving or printing are not availablein the Protected-View mode.In practice, sandbox process should be created with a restricted access token, restricted job object,and GUI sub-system isolation (10). But as the initialization process shows, by default, the Protected-mwrinfosecurity.com MWR InfoSecurity14
View is created with no job UI restrictions (11) and nodesktop/windowstation isolation. As a result, thesandbox is able to read from/write to the clipboardshared with other processes in the default desktop,perform screen scraping and screen captures. All ofthese are known issues that affects IE EPM (4).With Capability-SID S-1-15-3-2929230137-1657469040,the sandbox can read registry keys related to MS Office.Among these, 2 registry keys might be of interest toattackers. The first isFigure 4: No job UI \Common\ServicesManagerCache”, which stores the user’sMicrosoft Live account information such as the connection state account UUID if he signs in from MSOffice. The second is d Locations”, which definesthe file locations that are excluded from Protected-View mode.The Capability-SID does not allow sandbox to connect to Internet endpoints, which interestingly,alleviate the issues from lack of job UI restrictions and desktop isolation because the disclosedinformation cannot be sent out from sandbox.Finally, the Protected-View file locations restrictions does not apply to a VMWare-HGFS file system.Hence the sandbox can still read from/write to the mapped-drive from VMWare file-sharing feature.Other system resource restrictions that are specific to AppContainer have been discussed in MarkVincent Yason’s IE EPM research (4) and shall not be repeated here.3. Inter-Process Communication (IPC) MechanismThe second part of this paper discusses the inter-process communication (IPC) mechanism used in theProtected-View sandbox model. As with all sandbox models, the IPC is an attractive attack vector forsandbox escape issues because of its interaction with the higher-privilege broker. Examples are suchsandbox escapes are CVE-2013-0641 (memory corruption vulnerability in the Adobe Reader sandbox)CVE-2013-3186 and CVE-2013-4015 (policy-check vulnerabilities in IE EPM).This part begins with a section on the internal objects used for sandboxing. Next, the code in MSO.DLLand WWLIB.DLL that is responsible for servicing the messages are identified. Finally, the format andmeaning of some notable IPC messages are discussed before concluding this section with some overallcomments.3.1 IPC ObjectsSince all untrusted files are parsed in a shared Protected-View sandbox process, the broker need tokeep an overview of the sandboxing state (e.g. how many files are sandboxed, locations of these files,etc.) and also track the state of each file (e.g. identify keyboard inputs and hyperlink requests tocorresponding files). This information is stored by the broker in these IPC objects, and referenced bymwrinfosecurity.com MWR InfoSecurity15
many IPC messages to retrieve or update the fields. An overview of how these objects are related isshown below.ThreadMgr ObjectlpIPCMsgSendRecvArray of ViewFile Objects ViewFile 1 Object (free/busy)ViewMgr ObjectlpSameBrokerApp lpThreadMgr 1 lpViewTracker 1 lpThreadMgr 4 lpViewTracker 4ViewFile N Object (free/busy)IPCMsgSendRecv ObjectlpViewMgrIPCViewRestrictions ObjectlpViewRestrictionslpSameBrokerAppViewTracker Object lpThreadMgrui32NumViewFileSameBrokerApp PCMsg WWLIBIPCMsg Object Figure 5: Overview of Protected-View IPC objectsThe overview starts with the ThreadMgr object, which also hold references to the IPCMsgSendRecv andIPCViewRestrictions objects. The former describes the status of IPC pipe and its buffer to readfrom/write to. The latter describes the information used during sandbox initialization. Both are oflittle interest in understanding the IPC messages and not elaborated further.The details of each object is shown here, with fields whose meanings are unclear omitted for brevity.ThreadMgr ObjectOffsetSizeFieldmwrinfosecurity.com MWR InfoSecurityComment16
00LPVOIDlpVTableRVA er to an object that sends/receives IPCmessagesPointer to an object describing the sandboxrestrictionsPointer to ViewMgr objectViewMgr ObjectOffsetSizeFieldComment00LPVOIDlpVTableRVA MSO.3B7A7004UINT32ui32NumNumber of untrusted files 208LPVOIDlpThreadMgr 1-0CLPVOIDlpViewTacker 1Pointer to ViewTracker object10HAN
Jul 09, 2015 · To determine if this component is implemented in Protected-View, new registry keys found in MS Office 2013 (vs MS Office 2007) are identified. MS Office 2007 is chosen because it is the last version that does not offer the Protected-View feature. Therefore, if the componen
