13 Replies Latest reply on Mar 29, 2011 8:26 PM by Stanley Zhao

    Whitelist in Reader X doesn't work

    Stanley Zhao

      Hello everyone,

       

      Anybody can help me figure out this?

       

      I have a plug-in which calls functions in a DLL to invoke a 3rd-party application's UI. It works in Reader 9.0 and in non-protected mode in Reader X, but it doesn't work in protected mode in Reader X.

      (Here, it uses COM for the communication.)

       

      To make this plug-in trusted, I followed the document to make a whitelist:

      1. Set the registry to enable the configurable white-list file.
      Create a value named bUseWhitelistConfigFile with data 1, under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown.
      2. Create the configuration file named ProtectedModeWhitelistConfig.txt under Reader X's installation folder.
      3. Write the configuration file from #2 with the following content to allow it to access Tamale Software:
          ; Files Section
          FILES_ALLOW_ANY = *
          ; Processes
          PROCESS_ALL_EXEC = *
          ; Registry
          REG_ALLOW_ANY = *
          ; Mutants
          MUTANT_ALLOW_ANY = *
          ; Sections
          SECTION_ALLOW_ANY = *

       

      I think my configuration will allow all local access, the same as disabling protected mode. Right?

      Why does my plug-in work when protected mode is disabled but not with my whitelist settings?

       

      Thanks a lot~ ^_^

        • 1. Re: Whitelist in Reader X doesn't work
          Stanley Zhao Level 1

          More information about this topic:

           

          I got this log from Reader X:

          ...
          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:20:51] name: MSFT.VSA.COM.DISABLE.4092
          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:20:51] name: MSFT.VSA.IEC.STATUS.6c736db0
          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:20:51] name: Global\CLR_PerfMon_StartEnumEvent
          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:20:51] name: Global\CLR_PerfMon_StartEnumEvent
          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:20:52] NtCreateMutant: STATUS_ACCESS_DENIED
          [03:22/01:20:52] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007
          [03:22/01:20:52] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
          [03:22/01:20:52] NtCreateMutant: STATUS_ACCESS_DENIED
          [03:22/01:20:52] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007
          [03:22/01:20:52] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
          [03:22/01:20:54] NtCreateMutant: STATUS_ACCESS_DENIED
          [03:22/01:20:54] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007
          [03:22/01:20:54] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
          [03:22/01:20:54] NtCreateMutant: STATUS_ACCESS_DENIED
          [03:22/01:20:54] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007
          [03:22/01:20:54] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
          [03:22/01:20:54] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:20:54] name: MSFT.VSA.COM.DISABLE.4092
          [03:22/01:20:54] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:20:54] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:20:54] name: MSFT.VSA.IEC.STATUS.6c736db0
          [03:22/01:20:54] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:21:00] OpenEvent: STATUS_ACCESS_DENIED
          [03:22/01:21:00] name: _fCanRegisterWithShellService
          [03:22/01:21:00] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
          [03:22/01:21:07] NtOpenSection: STATUS_ACCESS_DENIED
          ...

          All statuses are Denied. Why? I'm confused about this.
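
          The log above has a regular shape (a denied call, the object name it concerned, the rule the log suggests), so it can be turned into exact-name rules in the `RULE = value` form the custom policy file uses, instead of the `*` wildcards in the first post, which, as noted there, amount to disabling protected mode. The following is an added example in Python, not Adobe's tooling; the sample log lines are constructed in the shape of the log quoted above, and the output would still need the bUseWhitelistConfigFile key and file placement from the first post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Reader X Protected Mode log quoted in the
# thread: a denied call, the object it concerned, then the rule the log suggests.
SAMPLE_LOG = """\
[03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED
[03:22/01:20:51] name: MSFT.VSA.COM.DISABLE.4092
[03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
[03:22/01:20:52] NtCreateMutant: STATUS_ACCESS_DENIED
[03:22/01:20:52] real_path: \\BaseNamedObjects\\MSCTF.GCompartListMUTEX.Default
[03:22/01:20:52] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[03:22/01:20:54] OpenEvent: STATUS_ACCESS_DENIED
[03:22/01:20:54] name: MSFT.VSA.COM.DISABLE.4092
[03:22/01:20:54] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
[03:22/01:21:07] NtOpenSection: STATUS_ACCESS_DENIED
"""

# "[timestamp] key: value"; the key runs up to the first colon after the bracket.
LINE = re.compile(r"^\[[^\]]+\]\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
RULE_HINT = "Consider modifying policy using"

def parse_denials(log_text):
    """Group each STATUS_ACCESS_DENIED record with the object name that follows it
    and the policy rule the log suggests. Returns {rule: set(object names)}.
    A denial with no object or no suggested rule (the NtOpenSection line) is skipped."""
    rules = defaultdict(set)
    call = obj = None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # separators such as "..." carry no record
        key, val = m.group("key").strip(), m.group("val").strip()
        if val == "STATUS_ACCESS_DENIED":
            call, obj = key, None            # start of a new denial record
        elif key in ("name", "real_path") and call:
            obj = val                        # the object the denied call touched
        elif key.startswith(RULE_HINT) and call and obj:
            rules[val].add(obj)              # val is the rule name after the colon
            call = obj = None
    return rules

def render_whitelist(rules):
    """Emit 'RULE = value' lines, one exact object name per line rather than a
    blanket '*', so only the objects actually denied are opened up."""
    lines = ["; generated from Protected Mode log denials"]
    for rule in sorted(rules):
        lines.extend(f"{rule} = {name}" for name in sorted(rules[rule]))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_whitelist(parse_denials(SAMPLE_LOG)), end="")
```

Run it against a real log to get a first-cut file, then review each line: an object named by a denial is still a grant, just a narrow one.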

          • 2. Re: Whitelist in Reader X doesn't work
            Stanley Zhao Level 1

            I updated my policy rules. Now I no longer get STATUS_ACCESS_DENIED in the log.

            But still, my plug-in does not work.

            The latest log is:

            [03:22/01:51:22] Adobe Reader Protected Mode Logging Initiated
            [03:22/01:51:22] Found custom policy file: C:\Program Files\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt
            [03:22/01:51:22] Adding custom policy: FILES_ALLOW_ANY = c:\*
            [03:22/01:51:22] Adding custom policy: PROCESS_ALL_EXEC = c:\*
            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*
            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\*
            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*
            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_USERS\*
            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*
            [03:22/01:51:22] Adding custom policy: MUTANT_ALLOW_ANY = \BaseNamedObjects\MS*
            [03:22/01:51:22] Adding custom policy: SECTION_ALLOW_ANY = \BaseNamedObjects\MS*
            [03:22/01:51:22] Adding custom policy: SECTION_ALLOW_ANY = \BaseNamedObjects\Local*
            [03:22/01:51:22] Adding custom policy: EVENTS_ALLOW_ANY = MS*
            [03:22/01:51:22] Adding custom policy: EVENTS_ALLOW_ANY = Gl*
            [03:22/01:51:22] Adding custom policy: EVENTS_ALLOW_ANY = _fC*
            [03:22/01:51:22] Adding custom policy: NAMEDPIPES_ALLOW_ANY = MS*
            [03:22/01:51:22] Adding custom policy: FILES_ALLOW_DIR_ANY = c:\*

            Then nothing else. Any idea about my issue?

            Thanks a lot.

            • 3. Re: Whitelist in Reader X doesn't work
              George_Johnson MVP & Adobe Community Professional

              You might want to post this to the Acrobat SDK forum here since it involves a plugin. Also, see the protected mode info here: http://blogs.adobe.com/pdfdevjunkie/2010/10/what-developers-need-to-know-about-acrobat-x.html

              1 person found this helpful
              • 4. Re: Whitelist in Reader X doesn't work
                Stanley Zhao Level 1

                Thank you George.

                You are right, I should post this to the Acrobat SDK forums also.

                To update my current status on this issue:

                Now I can catch the error when I try to create the instance of the COM object. It throws an error saying: Class not registered.

                 

                I still feel confused about this.

                 

                 

                • 5. Re: Whitelist in Reader X doesn't work
                  ashutoshmehra Adobe Employee

                  Could you tell me a bit more about your problem:

                  1. Is the COM object (whose creation is failing) in-proc or out-of-proc?

                  2. What API are you using to create the COM object that is returning the error you mentioned? Is it CoCreateInstance? If so, could you try doing a CoGetClassObject() first and see if that fails as well?

                  3. What operating system (WinXP or WinVista/Win7) is this?

                   

                  Activation of out-of-proc COM objects may fail even in the presence of your wildcard white-list because the latter only grants access to kernel objects and process launches.

                  1 person found this helpful
                  • 6. Re: Whitelist in Reader X doesn't work
                    Stanley Zhao Level 1

                    Thank you ashutoshmehra, here is more detailed information about my problem:

                    1. Is the COM object (whose creation is failing) in-proc or out-of-proc?

                    When running this line, an error is thrown:

                        Proxy::IProxyPtr p(__uuidof(Proxy::LocalProxy));

                    Here, I used a Proxy.tlb and Proxy.dll (created by .NET 2.0) as the COM object. Therefore, I think it's in-proc.

                    2. What API are you using to create the COM object that is returning the error you mentioned? Is it CoCreateInstance? If so, could you try doing a CoGetClassObject() first and see if that fails as well.

                    I didn't use CoCreateInstance() or CoGetClassObject() to create the COM object. I added a reference to Proxy.tlb and Proxy.dll in my plug-in project. Then, in code, I used Proxy::IProxyPtr p(__uuidof(Proxy::LocalProxy)); to create the COM object "p". At this point, it failed.

                    3. What operating system (WinXP or WinVista/Win7) is this?

                    Oh, forgot this. I am working on:

                    Windows XP SP3 32-bit

                    VS2005

                    Office 2007

                    Adobe Reader X

                    Is there anything wrong with my code? Thanks very much~

                    • 7. Re: Whitelist in Reader X doesn't work
                      Stanley Zhao Level 1

                      I am wondering if the code always tries to access Proxy.tlb in the sandbox by default, even though I set the white-list. If so, that may be the reason why "Class not registered" is shown, because Proxy.tlb and Proxy.dll are not registered in the sandbox; that's true.

                       

                      But I cannot prove my thinking.

                      • 8. Re: Whitelist in Reader X doesn't work
                        Stanley Zhao Level 1

                        Another day passed...

                        I am still fighting with the issues.

                        Now, my status is that I found the reason why the COM DLL cannot be found (Class not registered):

                        because it's strong-named.

                        If I make it a non-strong-named DLL, it can be loaded successfully by the plug-in.

                        But in my next step, I still get an "Access Denied" COM error when I try to use this COM object's method to access another resource. That's the 3rd-party application I want to use as the host application.

                        It seems Protected Mode will still block the outside process even though the plug-in can load it with the help of the white-list.

                        Then, my current issues became:

                        1.    How to make a strong-named DLL load in Adobe Reader X in Protected Mode.
                        (BTW, I found one way to deploy a strong-named DLL: use GACUtil.exe, a tool to deploy a DLL to the GAC. I tried it; the DLL was deployed to the GAC successfully, but it still cannot be loaded by the plug-in.)

                        2.    The plug-in can access the non-strong-named DLL listed in the white-list, but it seems Protected Mode will block the outside process (the DLL) from accessing other resources.

                        Any suggestion on these two issues is welcome~

                        Thanks for your help very much~

                        • 9. Re: Whitelist in Reader X doesn't work
                          ashutoshmehra Adobe Employee

                          A couple of reasons why loading a strong-named assembly might be failing:

                           

                          1. Failure during DLL loading could be because the DLL image doesn't grant BUILTIN\Users or BUILTIN\Everyone access to READ the DLL. Since the DLL is loaded by CSRSS, in the absence of these rights, the sandbox process may be unable to load the DLL. Check that your assembly's DACL provides this access.

                          2. It is possible that certain cryptographic checks are performed when loading a strong-named assembly, and some of those cryptographic checks fail because of restricted access of the sandbox to the user's crypt store.

                           

                          Further, since your DLL is called Proxy, I imagine you are using out-of-proc COM. Enabling a whitelist rule (via PROCESS_ALL_EXEC) for EXE will not make your out-of-proc COM object activation work because PROCESS_ALL_EXEC only governs processes that are created directly from the sandbox (via, say, CreateProcess). (Out-of-process) COM activation is managed by a service and hence PROCESS_ALL_EXEC has no bearing on it.

                           

                          Is there a small plugin project that demonstrates this problem? Then I can debug it on my side and see if there's a way around.

                          • 10. Re: Whitelist in Reader X doesn't work
                            Stanley Zhao Level 1

                            Thank you very much ashutoshmehra, for your very useful information.

                             

                            You are right. I may need to remove the strong name from all the DLLs I use, so that the sandbox can use them.

                             

                            What's your email? I want to create a demo to reproduce this. Then, if you are free, you can help me debug my issue. I don't know how to make my DLL call out-of-proc methods.

                             

                             

                            • 11. Re: Whitelist in Reader X doesn't work
                              Stanley Zhao Level 1

                              Let me continue tracing this issue.

                              Now, with all strong names removed, the DLL can be loaded in the plug-in.

                              But it's blocked here, at this line:

                                  _3rdProxy p = (_3rdProxy)Activator.GetObject(typeof(_3rdProxy), url);

                              I tried to use this line to get the remote object; then I can really use my DLL to communicate with the 3rd application.

                              But it says: "Access Denied".

                              Anybody know how to set Adobe Reader to allow accessing a remote object?

                               

                              Thanks very much~

                              • 12. Re: Whitelist in Reader X doesn't work
                                jlan000000

                                Any further progress on this issue? I have a similar issue with my plugin. We use an Active-X control that loads a COM object in-proc. I don't get an access denied error, but creating the Active-X control just returns an empty handle with no further error messages.

                                • 13. Re: Whitelist in Reader X doesn't work
                                  Stanley Zhao Level 1

                                  Hi, no more progress on this issue. Out-of-proc/Active-X is not supported by the current Reader X SDK. Therefore, that's the root reason. I sent an email to an Adobe engineer; they said they are fixing this issue, and I hope it is gone in the next release.

                                  BTW, I used another way to communicate between my plug-in and the out-of-proc COM object. That is:

                                  1. I write files to disk in the plug-in, to a specified folder which is watched by my out-of-proc COM application.

                                  2. When a new file is put there, my out-of-proc COM application opens it and reads the content out.

                                  That solution works in my case. I'm not sure it will work for you, because I am using a COM object created by myself; it does the next communication with the 3rd-party application, so I can add the folder-watching logic to my COM object.

                                  But for you, if you are using a 3rd-party COM object, I am not sure you can use this solution.