19 Replies Latest reply on Oct 10, 2017 2:57 AM by khansubhan88

    Whitelist in Reader X doesn't work

    Stanley Zhao

      Hello everyone,

       

      Can anybody help me figure this out?

       

      I have a plug-in which calls functions in a DLL to invoke a 3rd-party application's UI. It works in Reader 9.0 and in non-Protected Mode in Reader X, but it doesn't work in Protected Mode in Reader X.

      (Here, it uses COM for the communication.)

       

      To make this plug-in trusted, I followed the documentation to create a whitelist:

       

      1. Set the registry to enable the configurable whitelist file.
      Create a value named bUseWhitelistConfigFile with value 1, under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown.
      2. Create the configuration file named ProtectedModeWhitelistConfig.txt under Reader X's installation folder.
      3. Write the configuration file from #2 with the following content to allow it access to Tamale Software:
      ; Files Section
      FILES_ALLOW_ANY = *
      ; Processes
      PROCESS_ALL_EXEC = *
      ; Registry
      REG_ALLOW_ANY = *
      ; Mutants
      MUTANT_ALLOW_ANY = *
      ; Sections
      SECTION_ALLOW_ANY = *

       

      I think my configuration will allow all local access, the same as disabling Protected Mode. Right?

      Why does my plug-in work when Protected Mode is disabled but not with my whitelist settings?

       

      Thanks a lot~ ^_^
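A check for the whitelist file described in the steps above, added here as an example (it is not the poster's code and not an Adobe tool). It parses `KEY = pattern` lines in the syntax this thread uses, flags rules that open a whole namespace (`*`, a drive root, a registry hive root, all of `\BaseNamedObjects`), catches a misspelled key or a line without `=`, and answers the question asked above: whether the file has stopped restricting files, process launches and the registry. The set of known keys, the definition of "broad", and the sample config are assumptions drawn from this thread. Even an all-wildcard whitelist is not the same as disabling Protected Mode, because, as the Adobe reply later in the thread explains, the whitelist only governs kernel objects and direct process launches.

```python
"""Audit a ProtectedModeWhitelistConfig.txt for over-broad or malformed rules.

Added example; it is not part of the forum thread and not an Adobe tool.
It relies only on the rule syntax visible in the thread: one `KEY = pattern`
per line, `;` starts a comment, `*` is a wildcard. The list of rule keys and
the notion of a "broad" pattern are assumptions drawn from the thread.
"""
import re
from typing import Dict, List, Tuple

# Rule keys seen in the thread's config files and in Reader's own log output.
KNOWN_RULES = {
    "FILES_ALLOW_ANY", "FILES_ALLOW_DIR_ANY", "PROCESS_ALL_EXEC",
    "REG_ALLOW_ANY", "MUTANT_ALLOW_ANY", "SECTION_ALLOW_ANY",
    "EVENTS_ALLOW_ANY", "NAMEDPIPES_ALLOW_ANY",
}

# A pattern is "broad" when it covers a whole namespace: bare `*`, a drive
# root such as `c:\*`, a registry hive root, or all of \BaseNamedObjects.
BROAD_RE = re.compile(
    r"^(\*|[a-z]:\\\*|hkey_[a-z_]+\\\*|\\basenamedobjects\\\*)$", re.IGNORECASE
)
RULE_RE = re.compile(r"^([A-Z_]+)\s*=\s*(.+?)$")


def parse_whitelist(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, pattern); key is '?' for a line that is not KEY = value."""
    rules = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        if not line:
            continue
        m = RULE_RE.match(line)
        rules.append((no, m.group(1), m.group(2)) if m else (no, "?", line))
    return rules


def audit_whitelist(text: str) -> Dict[str, List[Tuple]]:
    """Classify every active rule line as broad, ok, unknown_rule or malformed."""
    findings: Dict[str, List[Tuple]] = {
        "broad": [], "ok": [], "unknown_rule": [], "malformed": []
    }
    for no, key, pattern in parse_whitelist(text):
        if key == "?":
            findings["malformed"].append((no, pattern))
        elif key not in KNOWN_RULES:
            findings["unknown_rule"].append((no, key))
        elif BROAD_RE.match(pattern):
            findings["broad"].append((no, key, pattern))
        else:
            findings["ok"].append((no, key, pattern))
    return findings


def grants_everything(text: str) -> bool:
    """True when files, process launch and registry are all opened with a broad
    rule, i.e. the whitelist no longer restricts anything it is able to restrict."""
    broad_keys = {key for _, key, _ in audit_whitelist(text)["broad"]}
    return {"FILES_ALLOW_ANY", "PROCESS_ALL_EXEC", "REG_ALLOW_ANY"} <= broad_keys


# Constructed sample: the original post's wildcard rules plus two common slips.
SAMPLE_CONFIG = """\
; Files Section
FILES_ALLOW_ANY = *
; Processes
PROCESS_ALL_EXEC = *
; Registry
REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\\*
; Mutants (scoped to a name prefix instead of *)
MUTANT_ALLOW_ANY = \\BaseNamedObjects\\MS*
; Events: key misspelled, Reader logs this key as EVENTS_ALLOW_ANY
EVENT_ALLOW_ANY = *ProLaw9Started*
; Sections
SECTION_ALLOW_ANY = \\BaseNamedObjects\\Local*
; Malformed: no '=' between key and pattern
FILES_ALLOW_DIR_ANY C:\\Temp\\ReaderDrop\\*
"""

if __name__ == "__main__":
    for kind, items in audit_whitelist(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{kind:12} line {item[0]}: {item[1:]}")
    print("whitelist grants everything it can:", grants_everything(SAMPLE_CONFIG))
```

Point it at the real file (`audit_whitelist(Path(r"C:\Program Files\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt").read_text())`) and replace every "broad" finding with a pattern scoped to the one folder, process or key the plug-in actually needs; a whitelist that grants everything removes the protection the sandbox was meant to provide for the whole Reader process, not just for the plug-in.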

        • 1. Re: Whitelist in Reader X doesn't work
          Stanley Zhao Level 1

          More information about this topic:

           

          I got this log from Reader X:

           

          ...

          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:20:51] name: MSFT.VSA.COM.DISABLE.4092

          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:20:51] name: MSFT.VSA.IEC.STATUS.6c736db0

          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:20:51] name: Global\CLR_PerfMon_StartEnumEvent

          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:20:51] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:20:51] name: Global\CLR_PerfMon_StartEnumEvent

          [03:22/01:20:51] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:20:52] NtCreateMutant: STATUS_ACCESS_DENIED

          [03:22/01:20:52] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007

          [03:22/01:20:52] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY

          [03:22/01:20:52] NtCreateMutant: STATUS_ACCESS_DENIED

          [03:22/01:20:52] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007

          [03:22/01:20:52] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY

          [03:22/01:20:54] NtCreateMutant: STATUS_ACCESS_DENIED

          [03:22/01:20:54] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007

          [03:22/01:20:54] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY

          [03:22/01:20:54] NtCreateMutant: STATUS_ACCESS_DENIED

          [03:22/01:20:54] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007

          [03:22/01:20:54] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY

          [03:22/01:20:54] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:20:54] name: MSFT.VSA.COM.DISABLE.4092

          [03:22/01:20:54] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:20:54] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:20:54] name: MSFT.VSA.IEC.STATUS.6c736db0

          [03:22/01:20:54] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:21:00] OpenEvent: STATUS_ACCESS_DENIED

          [03:22/01:21:00] name: _fCanRegisterWithShellService

          [03:22/01:21:00] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY

          [03:22/01:21:07] NtOpenSection: STATUS_ACCESS_DENIED

          ...

           

          All statuses are Denied. Why? I am confused about this.

          • 2. Re: Whitelist in Reader X doesn't work
            Stanley Zhao Level 1

            I updated my policy rules. Now I no longer get STATUS_ACCESS_DENIED in the log.

            But still, my plug-in does not work.

             

            The latest log is:

            [03:22/01:51:22] Adobe Reader Protected Mode Logging Initiated

            [03:22/01:51:22] Found custom policy file: C:\Program Files\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt

            [03:22/01:51:22] Adding custom policy: FILES_ALLOW_ANY = c:\*

            [03:22/01:51:22] Adding custom policy: PROCESS_ALL_EXEC = c:\*

            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*

            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\*

            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*

            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_USERS\*

            [03:22/01:51:22] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*

            [03:22/01:51:22] Adding custom policy: MUTANT_ALLOW_ANY = \BaseNamedObjects\MS*

            [03:22/01:51:22] Adding custom policy: SECTION_ALLOW_ANY = \BaseNamedObjects\MS*

            [03:22/01:51:22] Adding custom policy: SECTION_ALLOW_ANY = \BaseNamedObjects\Local*

            [03:22/01:51:22] Adding custom policy: EVENTS_ALLOW_ANY = MS*

            [03:22/01:51:22] Adding custom policy: EVENTS_ALLOW_ANY = Gl*

            [03:22/01:51:22] Adding custom policy: EVENTS_ALLOW_ANY = _fC*

            [03:22/01:51:22] Adding custom policy: NAMEDPIPES_ALLOW_ANY = MS*

            [03:22/01:51:22] Adding custom policy: FILES_ALLOW_DIR_ANY = c:\*

            Then nothing else. Any idea about my issue?

            Thanks a lot.

            • 3. Re: Whitelist in Reader X doesn't work
              George_Johnson MVP & Adobe Community Professional

              You might want to post this to the Acrobat SDK forum here since it involves a plugin. Also, see the protected mode info here: http://blogs.adobe.com/pdfdevjunkie/2010/10/what-developers-need-to-know-about-acrobat-x.html

              • 4. Re: Whitelist in Reader X doesn't work
                Stanley Zhao Level 1

                Thank you George.

                You are right, I should post this to the Acrobat SDK forum as well.

                 

                To update the current status of this issue:

                 

                Now I can catch the error when I try to create the instance of the COM object. It throws an error saying: Class not registered.

                 

                I am still confused about this.

                 

                 

                • 5. Re: Whitelist in Reader X doesn't work
                  ashutoshmehra Adobe Employee

                  Could you tell me a bit more about your problem:

                  1. Is the COM object (whose creation is failing) in-proc or out-of-proc?

                  2. What API are you using to create the COM object that is returning the error you mentioned? Is it CoCreateInstance? If so, could you try doing a CoGetClassObject() first and see if that fails as well.

                  3. What operating system (WinXP or WinVista/Win7) is this?

                   

                  Activation of out-of-proc COM objects may fail even in the presence of your wildcard white-list because the latter only grants access to kernel objects and process launches.

                  • 6. Re: Whitelist in Reader X doesn't work
                    Stanley Zhao Level 1

                    Thank you ashutoshmehra, here is more detailed information about my problem:

                     

                    1. Is the COM object (whose creation is failing) in-proc or out-of-proc?

                    When running this line, an error is thrown:

                    Proxy::IProxyPtr p(__uuidof(Proxy::LocalProxy));

                    Here I used Proxy.tlb and Proxy.dll (created with .NET 2.0) as the COM object. Therefore, I think it's in-proc.

                     

                    2. What API are you using to create the COM object that is returning the error you mentioned? Is it CoCreateInstance? If so, could you try doing a CoGetClassObject() first and see if that fails as well.

                    I didn't use CoCreateInstance() or CoGetClassObject() to create the COM object. I added a reference to Proxy.tlb and Proxy.dll in my plug-in project. Then, in the code, I used Proxy::IProxyPtr p(__uuidof(Proxy::LocalProxy)); to create the COM object "p". At that point it failed.

                     

                    3. What operating system (WinXP or WinVista/Win7) is this?

                    Oh, I forgot this. I am working on:

                    Windows XP SP3 32-bit

                    VS2005

                    Office 2007

                    Adobe Reader X

                     

                    Anything wrong with my code? Thanks very much~

                    • 7. Re: Whitelist in Reader X doesn't work
                      Stanley Zhao Level 1

                      I am wondering whether the code always tries to access Proxy.tlb in the sandbox by default, even though I set the whitelist. If so, that may be the reason why "Class not registered" is shown, because Proxy.tlb and Proxy.dll are not registered in the sandbox; that's true.

                       

                      But I cannot prove this theory.

                      • 8. Re: Whitelist in Reader X doesn't work
                        Stanley Zhao Level 1

                        Another day passed...

                        I am still fighting with the issues.

                         

                        Now my status is that I found the reason why the COM DLL cannot be found (Class not registered).

                        It's because it's strong-named.

                         

                        If I make it a non-strong-named DLL, it can be loaded successfully by the plug-in.

                        But in my next step, I still get an "Access Denied" COM error when I try to use this COM object's method to access another resource. That's the 3rd-party application I want to use as the host application.

                        It seems Protected Mode will still block the outside process even though the plug-in can load it with the help of the whitelist.

                         

                        So my current issues have become:

                        1.    How to make a strong-named DLL load in Adobe Reader X in Protected Mode.
                        (BTW, I found one way to deploy a strong-named DLL: use GACUtil.exe, a tool to deploy a DLL to the GAC. I tried it; the DLL deployed to the GAC successfully, but it still cannot be loaded by the plug-in.)

                        2.    The plug-in can access the non-strong-named DLL listed in the whitelist, but it seems Protected Mode blocks the outside process (the DLL) from accessing other resources.

                         

                        Any suggestion on these two issues is welcome~

                         

                        Thanks for your help very much~

                        • 9. Re: Whitelist in Reader X doesn't work
                          ashutoshmehra Adobe Employee

                          A couple of reasons why loading a strong-named assembly might be failing:

                           

                          1. Failure during DLL loading could be because the DLL image doesn't grant BUILTIN\Users or BUILTIN\Everyone access to READ the DLL. Since the DLL is loaded by CSRSS, in the absence of these rights, the sandbox process may be unable to load the DLL. Check that your assembly's DACL provides this access.

                          2. It is possible that certain cryptographic checks are performed when loading a strong-named assembly, and some of those cryptographic checks fail because of restricted access of the sandbox to the user's crypt store.

                           

                          Further, since your DLL is called Proxy, I imagine you are using out-of-proc COM. Enabling a whitelist rule (via PROCESS_ALL_EXEC) for EXE will not make your out-of-proc COM object activation work because PROCESS_ALL_EXEC only governs processes that are created directly from the sandbox (via, say, CreateProcess). (Out-of-process) COM activation is managed by a service and hence PROCESS_ALL_EXEC has no bearing on it.

                           

                          Is there a small plugin project that demonstrates this problem? Then I can debug it on my side and see if there's a way around.

                          • 10. Re: Whitelist in Reader X doesn't work
                            Stanley Zhao Level 1

                            Thank you very much ashutoshmehra, for your very useful information.

                             

                            You are right. I may need to remove the strong name from all the DLLs I use, so the sandbox can use them.

                             

                            What's your email? I want to create a demo to reproduce this. Then, if you are free, you can help me debug my issue. I don't know how to make my DLL call out-of-proc methods.

                             

                             

                            • 11. Re: Whitelist in Reader X doesn't work
                              Stanley Zhao Level 1

                              Let me continue tracing this issue.

                               

                              Now, having removed all strong names, the DLL can be loaded in the plug-in OK.

                               

                              But it's blocked here, in this line:

                              _3rdProxy p = (_3rdProxy)Activator.GetObject(typeof(_3rdProxy), url);

                               

                              I tried to use this line to get the remote object; then I can really use my DLL to communicate with the 3rd-party application.

                              But it said: "Access Denied".

                               

                              Does anybody know how to configure Adobe Reader to allow access to a remote object?

                               

                              Thanks very much~

                              • 12. Re: Whitelist in Reader X doesn't work
                                jlan000000

                                Any further progress on this issue? I have a similar issue with my plugin. We use an ActiveX control that loads a COM object in-proc. I don't get an access denied error, but creating the ActiveX control just returns an empty handle with no further error messages.

                                • 13. Re: Whitelist in Reader X doesn't work
                                  Stanley Zhao Level 1

                                  Hi, no more progress on this issue. Out-of-proc/ActiveX is not supported by the current Reader X SDK. Therefore, that's the root cause. I sent an email to an Adobe engineer; they said they are fixing this issue, and hopefully it will be gone in the next release.

                                   

                                  BTW, I used another way to communicate between my plug-in and the out-of-proc COM object. That is:

                                  1. I write files to disk from the plug-in, to a specified folder which is watched by my out-of-proc COM application.

                                  2. When a new file is put there, my out-of-proc COM application opens it and takes the content out.

                                   

                                  That solution works in my case. Not sure it will work for you, because I am using a COM object created by myself. It does the next step of communication with the 3rd-party application, so I can add folder-watching logic to my COM object.

                                  But for you, if you are using a 3rd-party COM, I am not sure you can use this solution.

                                  • 14. Re: Whitelist in Reader X doesn't work
                                    khansubhan88

                                    Hi Stanley Zhao

                                    I am facing the same issue. Since I am using Acrobat Reader DC, please help me out with how you got the solution.

                                     

                                     

                                    Thanks in advance.

                                    • 15. Re: Whitelist in Reader X doesn't work
                                      Stanley Zhao Level 1

                                      Hi, khansubhan88

                                      This project was made 5 years ago. I cannot remember all the details now, and I don't have the source code at hand either.

                                      But the overall solution used in my project is this: define a local path in the whitelist so that the plugin running in the sandbox can write files into the folder. Meanwhile, create a back-end service as a file watcher (I used C# to monitor the folder). Then it will catch any new file create, update or delete event.

                                      I used this way to transfer information between the plugin and the other out-of-process application.

                                       

                                      It works in my project and matches my requirement.

                                      Hope this idea will help you.

                                       

                                      Thanks,

                                      Stanley
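The watched-folder channel described in the two posts above (post 13 and post 15), as an added example in Python rather than the poster's C# watcher; none of this is the thread's code. It assumes a drop folder the plug-in is allowed to write to, say via a `FILES_ALLOW_DIR_ANY` rule scoped to that one folder rather than `c:\*`, and a consumer process running outside the sandbox; the message format (JSON with `action` and `document` keys) and the function names are this example's own. The security-relevant point is that the folder is the boundary between the sandboxed Reader process and an unsandboxed one: anything Reader can be made to write there reaches the outside process, so the consumer treats every file as untrusted input (regular file only, size limit, strict schema, quarantine on failure) and the producer writes atomically so a half-written file is never consumed.

```python
"""Watched-folder message channel between a sandboxed producer and an
out-of-process consumer, with the checks the consumer side needs.

Added example; it is not the thread's C# watcher and not Adobe code. It assumes
the plug-in may write to `drop_dir` (whitelisted with a rule scoped to that
folder) and that the consumer runs outside the sandbox. The JSON message
shape and the function names are this example's own choices.
"""
import itertools
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List

MAX_MESSAGE_BYTES = 64 * 1024      # refuse oversized drops before parsing them
SUFFIX = ".msg"                    # only files with this suffix are messages
_SEQ = itertools.count()           # keeps drops from one process in order


def drop_message(drop_dir: Path, payload: Dict) -> Path:
    """Producer side (inside the sandbox): write to a dot-prefixed temp file,
    fsync, then rename, so the consumer never observes a partial message."""
    drop_dir = Path(drop_dir)
    data = json.dumps(payload, separators=(",", ":")).encode()
    if len(data) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    name = f"{time.time_ns():020d}-{os.getpid()}-{next(_SEQ):06d}{SUFFIX}"
    final = drop_dir / name
    fd, tmp = tempfile.mkstemp(prefix=".partial-", dir=drop_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, final)         # atomic rename on the same volume
    return final


def collect_messages(drop_dir: Path, required_keys=("action", "document")) -> List[Dict]:
    """Consumer side (outside the sandbox): everything in the folder is untrusted.
    Accept only regular (non-symlink), small *.msg files whose JSON is an object
    with the required keys; delete what was consumed, quarantine the rest."""
    drop_dir = Path(drop_dir)
    accepted: List[Dict] = []
    for path in sorted(drop_dir.iterdir()):
        if path.suffix != SUFFIX or path.name.startswith("."):
            continue                # temp files and strays are not messages
        ok = False
        try:
            st = path.lstat()       # lstat: a symlink is never followed
            if stat.S_ISREG(st.st_mode) and st.st_size <= MAX_MESSAGE_BYTES:
                msg = json.loads(path.read_bytes())
                if isinstance(msg, dict) and all(k in msg for k in required_keys):
                    accepted.append(msg)
                    ok = True
        except (OSError, ValueError):
            pass
        if ok:
            path.unlink()
        else:
            path.rename(path.with_suffix(".rejected"))
    return accepted


def demo_roundtrip() -> Dict:
    """Constructed demo: two good drops, one non-JSON file and one file missing
    a required key land in a temp folder; returns what the consumer kept and
    what it quarantined."""
    d = Path(tempfile.mkdtemp(prefix="readerdrop-"))
    drop_message(d, {"action": "open", "document": "C:\\docs\\a.pdf"})
    drop_message(d, {"action": "save", "document": "C:\\docs\\b.pdf"})
    (d / "junk.msg").write_text("not json")
    (d / "incomplete.msg").write_text(json.dumps({"action": "open"}))
    kept = collect_messages(d)
    return {"accepted": sorted(m["action"] for m in kept),
            "quarantined": sorted(p.name for p in d.iterdir())}


if __name__ == "__main__":
    print(demo_roundtrip())
```

Two things to pair with this: give the drop folder an ACL that lets only the Reader user write and only the watcher service read, and never let the consumer act on a path or command string from a message without checking it against what the service is allowed to do, since a compromised Reader process is exactly what Protected Mode assumes.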

                                      • 16. Re: Whitelist in Reader X doesn't work
                                        khansubhan88 Level 1

                                        Thanks for your reply :-)

                                         

                                        Basically, what I am thinking is that I am missing some parameter setting (since I am not very familiar with the policy setting parameters).

                                         

                                        Please see my "ProtectedModeWhitelistConfig" file setting contents:

                                         

                                        ;To be able to access ProLaw.exe from our Plugin
                                        PROCESS_ALL_EXEC = c:\*

                                        ;Files to Allow saving documents (Save as prolaw document)
                                        FILES_ALLOW_ANY = c:\*
                                        FILES_ALLOW_DIR_ANY = *

                                        ;Allowing the pipe
                                        NAMEDPIPES_ALLOW_ANY = *

                                        ;For not opening multiple prolaw because without this option, each time we open Reader, it opens a new Prolaw.
                                        ;MUTANT_ALLOW_ANY=*

                                        ;CL_5037 - For opening the Prolaw9Started event, signaling that the WCF pipes are ready
                                        ;EVENT_ALLOW_ANY=*ProLaw9Started*

                                        REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*
                                        REG_ALLOW_ANY = HKEY_CURRENT_USER\*
                                        REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*
                                        REG_ALLOW_ANY = HKEY_USERS\*
                                        REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*

                                        ;REG_ALLOW_ANY=HKEY_CURRENT_USER\SOFTWARE\Adobe*
                                        ;REG_ALLOW_ANY=HKEY_LOCAL_MACHINE\SOFTWARE\Adobe*
                                        ;REG_ALLOW_ANY=HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecent Application*
                                        ;REG_ALLOW_ANY=HKEY_USERS\*

                                        MUTANT_ALLOW_ANY = *
                                        SECTION_ALLOW_ANY = *
                                        SECTION_ALLOW_ANY = \BaseNamedObjects\Local*
                                        EVENTS_ALLOW_ANY = MS*
                                        EVENTS_ALLOW_ANY = Gl*
                                        EVENTS_ALLOW_ANY = _fC*
                                        ;NAMEDPIPES_ALLOW_ANY = MS*
                                        ;FILES_ALLOW_DIR_ANY = c:\*

                                         

                                         

                                         

                                        And the log file contents are:

                                         

                                        [10:09/12:01:38] Adobe Reader Protected Mode Logging Initiated

                                        [10:09/12:01:38] Found custom policy file: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProtectedModeWhitelistConfig.txt

                                        [10:09/12:01:38] Adding custom policy: PROCESS_ALL_EXEC = c:\*

                                        [10:09/12:01:38] Adding custom policy: FILES_ALLOW_ANY = c:\*

                                        [10:09/12:01:38] Adding custom policy: FILES_ALLOW_DIR_ANY = *

                                        [10:09/12:01:38] Adding custom policy: NAMEDPIPES_ALLOW_ANY = *

                                        [10:09/12:01:38] Adding custom policy: REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*

                                        [10:09/12:01:38] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\*

                                        [10:09/12:01:38] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*

                                        [10:09/12:01:38] Adding custom policy: REG_ALLOW_ANY = HKEY_USERS\*

                                        [10:09/12:01:38] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*

                                        [10:09/12:01:38] Adding custom policy: MUTANT_ALLOW_ANY = \Sessions\2\BaseNamedObjects\*

                                        [10:09/12:01:38] Adding custom policy: SECTION_ALLOW_ANY = \Sessions\2\BaseNamedObjects\*

                                        [10:09/12:01:38] Adding custom policy: SECTION_ALLOW_ANY = \Sessions\2\BaseNamedObjects\\BaseNamedObjects\Local*

                                        [10:09/12:01:38] Adding custom policy: EVENTS_ALLOW_ANY = MS*

                                        [10:09/12:01:38] Adding custom policy: EVENTS_ALLOW_ANY = Gl*

                                        [10:09/12:01:38] Adding custom policy: EVENTS_ALLOW_ANY = _fC*

                                        [10:09/12:01:38] Unexpected CreateKey for: \REGISTRY\MACHINE\Software\Adobe

                                        [10:09/12:01:38] Real path: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Adobe

                                        [10:09/12:01:38] NtCreateSection: STATUS_ACCESS_DENIED

                                        [10:09/12:01:38] real_path: \Cor_SxSPublic_IPCBlock

                                        [10:09/12:01:38] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY

                                        [10:09/12:01:38] NtCreateSection: STATUS_ACCESS_DENIED

                                        [10:09/12:01:38] real_path: \Cor_SxSPublic_IPCBlock

                                        [10:09/12:01:38] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY

                                        [10:09/12:01:38] NtCreateSection: STATUS_ACCESS_DENIED

                                        [10:09/12:01:38] real_path: \Cor_SxSPublic_IPCBlock

                                        [10:09/12:01:38] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY

                                         

                                         

                                        Please help me out if you can, and also let me know if you need any info.
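The two logs in this thread (post 1, with its `STATUS_ACCESS_DENIED` entries, and the Acrobat Reader DC log just above) can be turned into rules mechanically instead of by reaching for `*`. The following is an added example, not the thread's code and not an Adobe utility: it parses exactly the line shapes quoted in those logs, emits one `KEY = pattern` rule per denied object, and checks the `Adding custom policy` echo for a pattern that carries `\BaseNamedObjects\` twice. That doubled prefix is what the DC log above shows for `SECTION_ALLOW_ANY = \BaseNamedObjects\Local*` after Reader itself prepended `\Sessions\2\BaseNamedObjects\` to the MUTANT and SECTION patterns, so a rule written with the prefix already in it is unlikely to match any real object. Replacing a per-user SID or a trailing PID/hex token with `*`, and the sample log (assembled from lines quoted in the thread under one made-up timestamp), are this example's own choices.

```python
"""Turn Reader's Protected Mode log into least-privilege whitelist rules and
sanity-check the rules Reader echoes back at startup.

Added example; not part of the thread and not an Adobe tool. The line formats
parsed are those quoted in the thread: `<op>: STATUS_ACCESS_DENIED`,
`name:` / `real_path:`, `Consider modifying policy using ... rule(s): KEY`,
and `Adding custom policy: KEY = pattern`. Generalising a SID or a trailing
PID/hex suffix to `*` is this example's heuristic, not Adobe guidance.
"""
import re
from typing import Dict, List

DENIED_RE = re.compile(r"^\[[^\]]+\] (\w+): STATUS_ACCESS_DENIED$")
OBJECT_RE = re.compile(r"^\[[^\]]+\] (?:name|real_path): (.+)$")
SUGGEST_RE = re.compile(
    r"^\[[^\]]+\] Consider modifying policy using (?:this|these) policy rules?: ([A-Z_]+)$"
)
POLICY_RE = re.compile(r"^\[[^\]]+\] Adding custom policy: ([A-Z_]+) = (.+)$")
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")          # a domain/local account SID
SUFFIX_RE = re.compile(r"([._\-])[0-9a-fA-F]+$")    # trailing PID or hex cookie


def parse_log(text: str) -> Dict[str, list]:
    """Collect denials (op, object, suggested rule) and echoed policy rules."""
    denials, policies = [], []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            policies.append((m.group(1), m.group(2)))
        elif m := DENIED_RE.match(line):
            pending = {"op": m.group(1), "object": None, "rule": None}
        elif pending and (m := OBJECT_RE.match(line)):
            pending["object"] = m.group(1)
        elif pending and (m := SUGGEST_RE.match(line)):
            pending["rule"] = m.group(1)
            denials.append(pending)
            pending = None
    return {"denials": denials, "policies": policies}


def generalize(obj: str) -> str:
    """Replace a per-user SID and a trailing PID/hex token with '*' so one rule
    covers every session instead of hard-coding this run's identifiers."""
    obj = SID_RE.sub("S-1-5-21-*", obj)
    return SUFFIX_RE.sub(r"\1*", obj)


def suggest_rules(text: str) -> List[str]:
    """One `KEY = pattern` line per distinct denied object, sorted, deduplicated."""
    rules = {
        f"{d['rule']} = {generalize(d['object'])}"
        for d in parse_log(text)["denials"] if d["object"] and d["rule"]
    }
    return sorted(rules)


def check_policy_echo(text: str) -> List[str]:
    """Flag echoed rules whose pattern carries the \\BaseNamedObjects\\ prefix
    twice: the DC log in the thread shows Reader prepending the session's
    \\Sessions\\<n>\\BaseNamedObjects\\ itself, so a pattern written with that
    prefix is unlikely to match any real object."""
    return [
        f"{key} = {pattern}"
        for key, pattern in parse_log(text)["policies"]
        if pattern.lower().count("basenamedobjects\\") > 1
    ]


# Constructed sample: lines quoted in the thread, under one made-up timestamp.
SAMPLE_LOG = r"""
[10:09/12:01:38] Adobe Reader Protected Mode Logging Initiated
[10:09/12:01:38] Adding custom policy: MUTANT_ALLOW_ANY = \Sessions\2\BaseNamedObjects\*
[10:09/12:01:38] Adding custom policy: SECTION_ALLOW_ANY = \Sessions\2\BaseNamedObjects\\BaseNamedObjects\Local*
[10:09/12:01:38] Adding custom policy: EVENTS_ALLOW_ANY = MS*
[10:09/12:01:38] OpenEvent: STATUS_ACCESS_DENIED
[10:09/12:01:38] name: MSFT.VSA.COM.DISABLE.4092
[10:09/12:01:38] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
[10:09/12:01:38] OpenEvent: STATUS_ACCESS_DENIED
[10:09/12:01:38] name: Global\CLR_PerfMon_StartEnumEvent
[10:09/12:01:38] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
[10:09/12:01:38] NtCreateMutant: STATUS_ACCESS_DENIED
[10:09/12:01:38] real_path: \BaseNamedObjects\MSCTF.GCompartListMUTEX.DefaultS-1-5-21-212926602-4199581602-1198870392-1007
[10:09/12:01:38] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[10:09/12:01:38] OpenEvent: STATUS_ACCESS_DENIED
[10:09/12:01:38] name: MSFT.VSA.COM.DISABLE.4092
[10:09/12:01:38] Consider modifying policy using these policy rules: EVENTS_ALLOW_ANY
[10:09/12:01:38] NtCreateSection: STATUS_ACCESS_DENIED
[10:09/12:01:38] real_path: \Cor_SxSPublic_IPCBlock
[10:09/12:01:38] Consider modifying policy using this policy rule: SECTION_ALLOW_ANY
"""

if __name__ == "__main__":
    print("suggested rules:")
    for rule in suggest_rules(SAMPLE_LOG):
        print("  " + rule)
    print("suspicious echoed rules:", check_policy_echo(SAMPLE_LOG))
```

The loop a practitioner would run with this: add only the suggested rules, restart Reader, re-read the log, and confirm that each `Adding custom policy` echo is the path you intended before widening anything. The `Access Denied` that survives a clean log, as the Adobe replies in this thread explain, comes from out-of-proc COM activation, which no rule in this file reaches.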

                                        • 17. Re: Whitelist in Reader X doesn't work
                                          khansubhan88 Level 1

                                          Hi ashutoshmehra

                                           

                                           

                                          Can you please also look into this?

                                           

                                          Thanks.

                                          • 18. Re: Whitelist in Reader X doesn't work
                                            Stanley Zhao Level 1

                                            I don't see anything wrong in your whitelist configuration file. Sorry that I could not help more based on the current information. Did you try not reading any registry key? It seems something goes wrong when it is trying to read registry keys.

                                            • 19. Re: Whitelist in Reader X doesn't work
                                              khansubhan88 Level 1

                                              Yes I have configured the policy for the registry key access. You can see below:

                                               

                                              REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*

                                              REG_ALLOW_ANY = HKEY_CURRENT_USER\*

                                              REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*

                                              REG_ALLOW_ANY = HKEY_USERS\*

                                              REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*