Maple

Open source, open mind

Use Win32-app-isolation to sandbox domestic software.

Every operating system has to let programs use system resources while preventing them from abusing their permissions or interfering with other programs. Windows, whose permission model is comparatively loose, gives applications a high degree of freedom in how they install and package themselves, which lets some malicious applications modify the registry, install unknown services and startup items, and even read data from the entire disk without the user's knowledge.

In Windows 11 Build 2023, Microsoft introduced an application isolation solution called Win32 app isolation. The approach resembles running the application in a container: a converted application still runs efficiently, and its permissions become much simpler to manage. Using Microsoft's tools, I successfully converted the exe installers of WeChat and TIM into MSIX installation packages with sandbox functionality.

Step 0: Dependencies

  • Windows 11
  • MSIX Packaging Tool
  • The software installation package downloaded from the official website: WeChat
  • Uninstall any existing WeChat installation from your computer beforehand

Step 1: Convert

Open the MSIX Packaging Tool and select the first option "Package an application" on the homepage. In the "Select Environment" step, choose "Create a package on this computer". Follow the instructions in the "Prepare your computer" step.

In the "Select Installer" step, choose the WeChat installation package file. A signature is required before the package can be installed, but generating the signing certificate depends on the package information entered in the next step, so skip signing here and do it in a later step.

In the "Package Information" step, specify the relevant information of the package, such as the package name, display name, and publisher name. You can directly copy them from the right-click menu of the exe file. For example: [WeChat, WeChat, CN=Tencent, Tencent, 3.9.4.0]

Click Next. The Packager then runs the exe file to perform a normal installation, automatically recording the program's installation path. Once the installation finishes, a popup window asks whether it is complete; just follow the usual installation flow. I didn't encounter any problems when installing WeChat, but after completing the installation of TIM (possibly the same for QQ), the Packager popup never appeared, which means the TIM installation process had not ended. If you forcibly end the TIM process in Task Manager at this point, the Packager reports an error. Eventually I found that clicking the option to restart the computer in the Packager ends the process safely.

Finally, click "Create" in the lower right corner to create a software deployment package with the .msix extension. With this, the first step is considered complete.

Step 2: Uninstall App

Uninstall WeChat and TIM that were just installed in "Settings-Apps". After completion, remember to manually end the TIM uninstall process.

Step 3: Generate Certificate

An unsigned .msix package cannot be installed. Package signing works much like HTTPS certificates: the developer signs hash1 of the program with a private key; the user verifies the signature with the corresponding public key, recovering hash1, then computes hash2 of the program as it is now. If the two hashes match, verification passes. Since a self-packaged MSIX cannot be signed with Tencent's private key, we have to generate our own private key and install the corresponding certificate in the system's trust list.

  1. Open an administrative PowerShell and create the certificate; the command prints its thumbprint:

New-SelfSignedCertificate -Type Custom -Subject "CN=Tencent Technology(Shenzhen) Company Limited, O=Tencent Technology(Shenzhen) Company Limited, L=Shenzhen, S=Guangdong Province, C=CN" -KeyUsage DigitalSignature -FriendlyName "WeChat" -CertStoreLocation "Cert:\LocalMachine\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3","2.5.29.19={text}")

  • -Subject: Can be modified arbitrarily.
  • -CertStoreLocation "Cert:\LocalMachine\My": Stores the certificate in the local computer's personal certificate store.
  • -TextExtension: Adds extensions to the certificate. 2.5.29.37={text}1.3.6.1.5.5.7.3.3 sets the Enhanced Key Usage (EKU) of the certificate, and 1.3.6.1.5.5.7.3.3 is the OID for code signing. 2.5.29.19={text} is the basic constraints extension, left without a specific value here.

  2. Copy the thumbprint that was printed (THUMBPRINT1) and save it somewhere secure, such as Bitwarden. Then generate a password, or use one that is easy to remember; I will refer to it as PASSWORD1 below.

  3. Export the certificate to a .pfx file:

$password = ConvertTo-SecureString -String "PASSWORD1" -Force -AsPlainText
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\THUMBPRINT1" -FilePath Wechat.pfx -Password $password
Remove-Item -Path "Cert:\LocalMachine\My\THUMBPRINT1"

You need to replace PASSWORD1 and THUMBPRINT1 with the corresponding values.

After that, open File Explorer, go to the current directory, and double-click Wechat.pfx. In the certificate import wizard, select "Local Computer" as the store location, enter the password PASSWORD1 you just set, and click Next.

In the "Certificate Store" section, select the second option "Place all certificates in the following store", click Browse, find "Trusted People", and then click Next to complete the import operation.

Step 4: Apply Certificate

Open the MSIX Packaging Tool, select "Edit package" and open the .msix file saved earlier. On the Package Editor page, under "Signing Preferences", select "Sign with a certificate (.pfx)", choose Wechat.pfx, and enter the password. Don't save yet; there is one more step.

Step 5: Modify Permissions

In the third item of the left column, "Capabilities", you can enable a number of permissions. I enabled camera, microphone, notification, and internet permissions for WeChat. Some options cannot be selected here directly, so go back to the first item, "Package Information", click "Edit manifest file" at the bottom, scroll to the end of the text, and add a few lines next to the existing rescap:XXXXXXX entries:

<rescap:Capability Name="isolatedWin32-print" />
<rescap:Capability Name="isolatedWin32-sysTrayIcon" />
<rescap:Capability Name="isolatedWin32-promptForAccess" />
<rescap:Capability Name="isolatedWin32-accessToPublisherDirectory" />

These capabilities correspond to: printing files, displaying notifications from the system tray, requesting user approval when accessing files, and allowing access to directories ending with the publisher ID.
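As an added example (not from the original post), the following script performs the Step 3 certificate work in one go, placing only the public certificate in Trusted People instead of the .pfx import wizard, and then checks the signed .msix before it is installed: that it was signed by our certificate, that the manifest's Publisher equals the certificate Subject (a mismatch makes signing or installation fail), and which isolatedWin32 capabilities from Step 5 the manifest actually declares. The file paths, the Read-Host password prompt and the Test-IsolatedPackage function are my assumptions.

```powershell
# Added example (not from the original post): Step 3 as a script, trusting only the public
# certificate, plus a pre-install check of the signed .msix. Paths below are assumptions.
param(
    [string]$Subject  = "CN=Tencent",            # must equal Identity/Publisher in the manifest
    [string]$PfxPath  = "$PWD\Wechat.pfx",
    [string]$CerPath  = "$PWD\Wechat.cer",
    [string]$MsixPath = "$PWD\WeChat.msix"       # assumed output of the MSIX Packaging Tool
)

# 1. Self-signed code-signing certificate (EKU 1.3.6.1.5.5.7.3.3), same command as in the post.
$cert = New-SelfSignedCertificate -Type Custom -Subject $Subject -KeyUsage DigitalSignature `
    -FriendlyName "WeChat" -CertStoreLocation "Cert:\LocalMachine\My" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# 2. The private key goes into the .pfx (used for signing in the Packaging Tool) and is removed
#    from the machine store; only the public part (.cer) is placed in Trusted People.
$password = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\TrustedPeople" | Out-Null

# 3. Run after signing in the Packaging Tool (Step 4): the signer must be our certificate, the
#    manifest Publisher must equal its Subject, and the Step 5 capabilities should be present.
function Test-IsolatedPackage([string]$Path, [string]$Thumbprint) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)   # an .msix is a zip container
    try {
        $reader = New-Object System.IO.StreamReader($zip.GetEntry("AppxManifest.xml").Open())
        [xml]$manifest = $reader.ReadToEnd()
        $reader.Dispose()
    } finally { $zip.Dispose() }
    $publisher = $manifest.Package.Identity.Publisher
    $caps = @($manifest.Package.Capabilities.ChildNodes |
              Where-Object { $_ -is [System.Xml.XmlElement] } |
              ForEach-Object { $_.GetAttribute("Name") })
    [pscustomobject]@{
        SignatureStatus  = $sig.Status
        SignedByOurCert  = ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
        PublisherMatches = ($publisher -eq $sig.SignerCertificate.Subject)
        IsolatedCaps     = @($caps | Where-Object { $_ -like "isolatedWin32-*" })
        Capabilities     = $caps
    }
}

Test-IsolatedPackage -Path $MsixPath -Thumbprint $cert.Thumbprint
```

SignatureStatus is reported as-is rather than asserted, because a self-signed certificate that lives only in Trusted People is accepted for sideloading even though a general Authenticode chain check may not report it as Valid.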

Finally, save it as a .msix program package and double-click to install it. With that, the sealing work is complete! Tencent, go to hell.
