Getting Starter sample plugin to run in Acrobat protected mode

Question

I need some help getting the Acrobat SDK Starter plugin to work in protected mode.

I'm developing on a 64-bit Windows machine.

I have 32-bit Adobe Acrobat DC installed. I'm signed into my Adobe developer account when I run it.

I'm building the solution "C:\Acrobat_DC_SDK_Windows_2021_v3\Adobe\Acrobat DC SDK\Version 1\PluginSupport\Samples\Starter\win32\Starter.sln" successfully using Visual Studio 2019, using configuration Debug, platform Win32.

I have not made any code changes to the Starter sample plugin.

I'm copying the resulting "C:\Acrobat_DC_SDK_Windows_2021_v3\Adobe\Acrobat DC SDK\Version 1\PluginSupport\Samples\Starter\win32\Debug\Starter.api" file to "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\plug_ins\starter.api".

The plugin loads fine when protected mode is deactivated - when I run "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe" from Visual Studio so that the debugger is attached to it from the start, my breakpoint in DllMain gets hit.

I found that when I turn protected mode on and restart Acrobat DC, my breakpoint in DllMain does not get hit.

I started following the documentation at https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/sandboxprotections.html

In the registry, under "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\" I created a DWORD value "bUseWhitelistConfigFile" and set its value to 1.

I created a file "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\ProtectedModeWhitelistConfig.txt" whose contents are:

FILES_ALLOW_ANY = c:\*
EVENTS_ALLOW_ANY = MS*
REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*
REG_ALLOW_ANY = HKEY_CURRENT_USER\*
REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*
REG_ALLOW_ANY = HKEY_USERS\*
REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*

In the registry, under "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\", I created a new key "cProtectedModeConfigFiles".

Under that key I created a string value whose name "starter.api" and whose value is set to "starterpolicy.txt".

I created a file "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\starterpolicy.txt" whose contents are:

FILES_ALLOW_ANY = c:\*
EVENTS_ALLOW_ANY = MS*
REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*
REG_ALLOW_ANY = HKEY_CURRENT_USER\*
REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*
REG_ALLOW_ANY = HKEY_USERS\*
REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*

Still, when I run "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe" from Visual Studio so that the debugger is attached to it from the start, my breakpoint in DllMain gets hit.

In Acrobat, from the main menu, I selected Preferences > Security (Enhanced) and checkd the "Create Protected Mode log file" checkbox. I restarted Acrobat.

The Protected Mode log file now shows this:

[12:14/12:33:44] Adobe Acrobat Protected Mode Logging Initiated
[12:14/12:33:44] Found custom policy file: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\ProtectedModeWhitelistConfig.txt
[12:14/12:33:44] Adding custom policy: FILES_ALLOW_ANY = c:\*
[12:14/12:33:44] Adding custom policy: EVENTS_ALLOW_ANY = MS*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_USERS\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*
[12:14/12:33:44] Found custom policy file: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\starterpolicy.txt
[12:14/12:33:44] Adding custom policy: FILES_ALLOW_ANY = c:\*
[12:14/12:33:44] Adding custom policy: EVENTS_ALLOW_ANY = MS*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_CLASSES_ROOT\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_USERS\*
[12:14/12:33:44] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_CONFIG\*

and yet still I don't hit my breakpoints in DllMain that are hit when protected mode is turned off.

My guess is that instead of attaching the debugger to Acrobat.exe, I just need to attach to child process of Acrobat.exe.

But which process should I attach the debugger to?

Any help would be appreciated, thanks.

Obviously, once this is working, I may need to trim down some of the permissions I granted the Starter plugin. Safe to say, most of them are not necessary.

Agent-Smith.dev · Answer

I also have the problem that Visual Studio 2022 sometimes does not hit the breakpoints of my plug in. However, I don't think this is a proteced mode problem, rather than a Visual Studio issue.

What I do, I place a window call in my plug in (usually in InitInstance() for a MFC-DLL), e.g.:

AfxMessageBox("StartingPlugIn - Now, you're able to connect your debugger");

When the box shows up, I manually connect the debugger. with acrobat.exe.

Afterwards (clicking in the box) any breakbpoint raises.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded