Sandboxie technical tests and other technical topics discussion thread

Discussion in 'sandboxing & virtualization' started by MrBrian, Oct 17, 2014.

  1. 142395

    142395 Guest

    Well, it seems I can't edit a quite old post.
    What I wrote above in #317 was wrong: malware can still bypass a deephook by calling Native APIs, as long as that deephook targets a Windows API imported from kernelbase.dll.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Perhaps a dumb question, but isn't hooking of the Native API a so-called "user mode hook"?
     
  3. 142395

    142395 Guest

    A Native API hook is a name based on what it hooks and doesn't imply which hooking method is used, so either user mode or kernel mode hooking can hook the Native API.
    But it seems placing a user mode inline hook on a Native API call imported from ntdll.dll is not trivial in 64-bit, because the 1st instruction of Native APIs (at least Zw* APIs) is 3 bytes, no longer 5 bytes.
     
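    As an added illustration of the 3-byte versus 5-byte point (example code written for this thread, not from Sandboxie or any of the posters): a small integrity check that inspects the prologue of x64 ntdll syscall stubs and reports whether the expected `mov r10, rcx` / `mov eax, <ssn>` sequence is intact, or whether a 5-byte `jmp rel32` has been written over it. It assumes the common x64 stub layout; the stub bytes and syscall numbers are constructed samples, and the export names are used only as labels.

```python
"""Integrity check for x64 ntdll syscall stub prologues.

Added example, not code from the thread or from Sandboxie. It assumes the
common x64 stub layout of a Zw*/Nt* export in ntdll.dll:

    4C 8B D1          mov r10, rcx        ; 3-byte first instruction
    B8 xx xx xx xx    mov eax, <ssn>      ; 5 bytes, syscall number
    0F 05             syscall
    C3                ret

A 5-byte jmp rel32 (E9 xx xx xx xx) written at offset 0 therefore also
clobbers the first two bytes of "mov eax, <ssn>", which is the point
made in the post above. All stub bytes below are constructed samples,
not bytes read from a real ntdll.dll.
"""
import struct
from typing import Dict, NamedTuple, Optional

MOV_R10_RCX = b"\x4c\x8b\xd1"   # mov r10, rcx
OP_MOV_EAX_IMM32 = 0xB8         # mov eax, imm32
OP_JMP_REL32 = 0xE9             # jmp rel32 (5 bytes)
JMP_RIP_INDIRECT = b"\xff\x25"  # jmp qword ptr [rip+disp32] (6 bytes)


class StubReport(NamedTuple):
    status: str          # "clean", "hooked", "short" or "unknown"
    ssn: Optional[int]   # syscall number, only when the prologue is intact
    detail: str


def inspect_stub(stub: bytes) -> StubReport:
    """Classify the first bytes of one syscall stub."""
    if len(stub) < 8:
        return StubReport("short", None, "need at least 8 bytes of prologue")

    # Intact prologue: mov r10, rcx ; mov eax, <ssn>
    if stub[:3] == MOV_R10_RCX and stub[3] == OP_MOV_EAX_IMM32:
        ssn = struct.unpack_from("<I", stub, 4)[0]
        return StubReport("clean", ssn, f"ssn={ssn:#x}")

    # jmp rel32 at +0: overwrites mov r10,rcx and 2 bytes of mov eax
    if stub[0] == OP_JMP_REL32:
        rel = struct.unpack_from("<i", stub, 1)[0]
        return StubReport("hooked", None,
                          f"jmp rel32 at +0 (rel={rel:#x}); mov r10,rcx and "
                          "the first 2 bytes of mov eax,<ssn> are overwritten")

    # 6-byte absolute indirect jmp at +0
    if stub[:2] == JMP_RIP_INDIRECT:
        return StubReport("hooked", None, "jmp [rip+disp32] at +0")

    # First instruction intact but mov eax,<ssn> replaced by a 5-byte jmp
    if stub[:3] == MOV_R10_RCX and stub[3] == OP_JMP_REL32:
        rel = struct.unpack_from("<i", stub, 4)[0]
        return StubReport("hooked", None,
                          f"jmp rel32 at +3 (rel={rel:#x}) replacing mov eax,<ssn>")

    return StubReport("unknown", None, "prologue does not match the expected stub")


def scan_stubs(stubs: Dict[str, bytes]) -> Dict[str, StubReport]:
    """Inspect a mapping of export name -> stub bytes."""
    return {name: inspect_stub(data) for name, data in stubs.items()}


def make_clean_stub(ssn: int) -> bytes:
    """Build a constructed, intact x64 stub for syscall number `ssn`."""
    return (MOV_R10_RCX + bytes([OP_MOV_EAX_IMM32])
            + struct.pack("<I", ssn) + b"\x0f\x05\xc3")


# Constructed samples; the syscall numbers are placeholders, not real values.
_clean = make_clean_stub(0x52)
SAMPLE_STUBS = {
    "ZwCreateFile": _clean,
    # 5-byte jmp written at +0 over "mov r10,rcx" and 2 bytes of "mov eax"
    "ZwWriteVirtualMemory": b"\xe9" + struct.pack("<i", 0x1234) + _clean[5:],
    # 5-byte jmp written at +3 over "mov eax,<ssn>", leaving "mov r10,rcx"
    "ZwOpenProcess": MOV_R10_RCX + b"\xe9" + struct.pack("<i", -0x40) + _clean[8:],
}

if __name__ == "__main__":
    for name, report in scan_stubs(SAMPLE_STUBS).items():
        print(f"{name:24} {report.status:8} {report.detail}")
```

    In practice such a check is run against stub bytes read from the process's own ntdll mapping and compared with the copy on disk; the point the sample shows is that once the first instruction is only 3 bytes, any 5-byte patch at offset 0 also destroys the syscall number, so a detector that only validates `mov r10, rcx` would miss the second placement.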
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    OK thanks, I didn't know that. Like I said, this subject is quite confusing. I really admire the programmers of certain security tools (like SBIE), it's quite mind boggling when I read about the Windows OS architecture and the protection methods that are available.
     
  5. DX2

    DX2 Guest

    Can you sandbox Windows processes? Which ones can you do, if so?
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No, and it would be a bad idea to try. Remember the whole point of Sandboxie is to isolate programs from the system.

    Pete
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Hi DX2, I think Pete means, No forcing. You do not want to Force Windows processes. But running something like Windows Explorer sandboxed is OK. In fact, using a sandboxed Windows Explorer for navigating and running suspicious files is the safest way to do it with SBIE. There is nothing that won't run sandboxed if you open the file or exe by getting to it with a sandboxed Explorer. That's not always the case with Forced folders.

    I think you are using the paid version. If you are and have your USB drives as Forced folders, plug in a Flash drive; after inserting the drive, if you open Sandboxie Control, you'll see Windows Explorer running in there. That is because when you Force your USB drives, the USB drive folder pops up using a sandboxed version of Windows Explorer. DX2, anything that's in there, if it attempts to run, will run sandboxed. :cool:

    So, running sandboxed, yes, it's OK. Forcing, terrible idea. But don't worry, if you try to Force the wrong folder or process, Sandboxie lets you know with a message like the one in the picture. :)

    (attachment: untitled.JPG)
    Bo
     
  8. DX2

    DX2 Guest

    Thanks for the help. I only have the free version for now, but thinking about buying it. I'm glad I found out before I tried anything :)
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    The SBIE message tells you if you are trying to force something that you shouldn't, so you don't have to worry about making an error.

    By the way, you can run a sandboxed Windows Explorer with the free version. Look in the SBIE folder in the Start menu; there you'll see an option to do it. If you run Windows Explorer from there, it will attempt to run in your DefaultBox. If your DefaultBox is restricted, it won't run. If it's not Start/Run restricted, it will run.

    If your DefaultBox is restricted, you can create a new sandbox and name it Windows explorer, and set it up for you to run Windows explorer there. After creating the sandbox, you right click Windows explorer and choose to run it in the new sandbox.

    Or, to make things easier, you can create a sandboxed shortcut for Windows Explorer and run it from there instead of having to right click Explorer. To do that go to:

    Sandboxie Control > Configure > Windows Shell Integration, click "Add shortcut icons", choose the new sandbox that you named Windows explorer, click OK, find Windows Explorer in one of the menus, and click it. After clicking it, you'll find your sandboxed Windows Explorer shortcut on your desktop.

    You can use the sandboxed Explorer for navigating to your Downloads folder, USB drives, suspicious files and anywhere on your computer. And restrict the new sandbox as you wish. For example, No internet access, Drop Rights, allow only a few programs to run, etc.

    Bo
     
  10. DX2

    DX2 Guest

    That's how I made my Chrome shortcut, through the shell integration; it saves a lot of time. Again, thanks for all that information, it really helps out a lot. :)
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    My pleasure, DX2. :)

    Bo
     
  12. 142395

    142395 Guest

    Another system process you might want to sandbox sometimes is cmd.exe.
    This works in a similar way to sandboxing Explorer, i.e. as a sandboxed program launcher.
    I use this when I want to sandbox some command line programs.
    Since those programs don't have a GUI, if I just sandboxed those programs I couldn't see whether all programs are properly sandboxed. But if I sandbox cmd.exe and launch programs from there, I'm 100% sure all programs are sandboxed, as I can see "#" and the sandbox name in the DOS window.
     
    Last edited by a moderator: Dec 3, 2014
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sandboxing CMD.exe could prove a problem and an incomplete solution. For example, things where you have to run as admin might or might not always work. Then there is exiting Sandboxie. There are other programs that do a better job of protecting cmd.exe without causing trouble.
     
  14. 142395

    142395 Guest

    I haven't had any problem, though it may be because my programs don't need admin rights.
    Of course forcing cmd is a bad idea; it can cause lots of problems.
    Anyway, try it first and see if trouble occurs.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    I agree with Yuki on this. We should be able to run CMD or any file in our computers sandboxed. To Sandboxie, all files are the same and are treated the same way: Read only.

    Bo
     
  16. 142395

    142395 Guest

    To avoid confusion, sandboxing cmd is more for usability, though overall it also serves security.

    E.g. OfficeMalScanner produces some files which need close looking at, in the current directory and also in the temp folder, so I have to go up and down with the cd command or directly open them with the correct path (I prefer the former).
    But if I only force OMS, then while OMS itself is sandboxed its interface cmd.exe is NOT sandboxed, so if I navigate to that directory within cmd, I can't find the files, as they are in the sandboxed environment.

    But if I sandbox cmd first, there is no worry about that and all work is done within the same sandbox.
    Yeah, and I was reminded that iexplore.exe is also a system process. :)
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    It's the first time I'm using SBIE in real time instead of on demand, and I have a couple of noob questions:

    1. Is it possible to make the browser download files onto the "real" desktop, but when the file is run, it should be opened sandboxed?
    2. If I make opera.exe the only app to have access to the internet, only Opera v12 works, but Opera 26 does not. Any ideas?
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Rasheed, for #1, you need to allow Direct access to the Desktop in Sandbox Settings. That would make downloads go straight through to your desktop, bypassing sandboxing. But for files on the Desktop to run sandboxed automatically, you would have to Force the Desktop. And that is probably not a good idea. I suggest you create a folder on your desktop for downloads and set it up as a Forced folder. And then, allow Direct file access to it. Make sure to set your browser to download into this folder.

    For #2, I am not an Opera user. So I am not sure what runs when you run Opera 26. But you can figure that out easily. After right clicking the Opera 26 icon and running it sandboxed, you can see the Opera exes that ran. Go to Sandbox Settings > Restrictions > Start/Run Access, click Add Program, and look at the window to the extreme left; there you'll see all the exes that have recently run sandboxed. It should be easy for you to figure out what needs to be allowed by looking at that window.

    Bo
     
    Last edited: Dec 4, 2014
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    @ bo elam

    Thanks for the feedback.

    About 1, the "Direct access" does not seem to download apps to the real desktop; I don't get it. And having to force the whole desktop means that all apps that I run manually will also run sandboxed, so that is indeed a bit of a deal breaker.

    About 2, I have tried everything, but Opera 26 refuses to connect. Perhaps this is some kind of bug? Because SBIE should allow "opera.exe" anyway. Of course as a workaround I can launch (or install) it in a separate sandbox.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Make sure to follow the correct path to the real Desktop and it should work.

    Sandbox Settings > Resource Access > File Access > Direct Access, click Add, and add either the real desktop or the Downloads folder that I suggested you create.

    And yes, forcing the Desktop is a bad idea; that's why I suggest you create a download folder and place it on your desktop. And force that one. Rasheed, I am not familiar with Opera; get me the link for version 26 and I'll check it out later.

    IMPORTANT: To better your chances of getting Open File Path to work, set your browser to download to the same folder that you are allowing Direct file access to. Perhaps you haven't set that correctly.

    Bo
     
    Last edited: Dec 4, 2014
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    Rasheed, looking at this part of your post again, I think you ought to create the separate sandbox for Opera and, at first, run Opera unrestricted. Then later, after you see what runs and requires internet access, try restricting it. Perhaps a setting is keeping Opera from connecting in the sandbox where you are trying to run it.

    Bo
     
    Last edited: Dec 4, 2014
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes, I did something wrong; apparently I have more than one desktop, but it works now. But I guess the only true solution would be a "tracking system", so SBIE will save the file to the real desktop, but it will know that the file came from a sandboxed process. It will therefore automatically sandbox the file. This is the way that BufferZone worked.

    Another thing that would make sense is that only executable files that are saved to the real desktop are sandboxed, SBIE should not sandbox shortcuts that point to apps inside "Program Files". Of course this should all be optional.

    Yes, I will do some testing, but I'm almost sure that it must be some kind of weird bug.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,146
    Location:
    Nicaragua
    And DefenseWall does. To have something like that in Sandboxie, the way SBIE works would have to change, and it would be kind of difficult to have a free version of Sandboxie. Besides that, Sandboxie doesn't need something like that anyway, since all changes are gone when you delete the sandbox, except the few files that you might decide to recover out of the sandbox. With these other sandboxing programs, changes remain in the system, so there is a purpose in having a window for tracking changes and files created by sandboxed applications. But not in Sandboxie.
    Rasheed, Sandboxie is an application sandbox. It has to force programs to run sandboxed when you force a folder or a program.
    There was a problem when Opera 25 came out, but it was fixed right away. Get me the link for Opera 26 so I don't download the wrong installer and I'll check it out later. :)

    Bo
     
  24. DX2

    DX2 Guest

    Does Sandboxie contain exploits like Hollow Processing or Heap Spray?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sandboxie does not do exploit mitigation. But the reality is that if you use Sandboxie you will be safe.
     