Sandboxie-Plus v1.3.0

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Aug 9, 2022.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    This build adds 2 new isolation mechanisms to increase the security of hardened boxes; hence boxes previously designated hardened will now be downgraded in the UI to normal, and the hardened icons will be used for the new box type.
    The first isolation mechanism "SysCallLockDown=y" limits the number of ntdll syscalls which are executed with the original process token to a list of known approved syscalls.
    The second isolation mechanism "RestrictDevices=y" leverages rule specificity to limit the accessible driver/device endpoints to a list of known required endpoints plus whatever the user opens using the resource access rules.

    Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.3.0

    Changelog
    Added
    • Added hook configuration for ntoskrnl/ntdll
      -- individual ntdll hooks can be disabled using "DisableWinNtHook=..."
    • Added new Super Extra Security Enhanced Box Mode; to enable it, set "UseSecurityMode=y"
      -- when this setting is enabled it combines "SysCallLockDown=y", which limits the use of Nt system calls, with "DropAdminRights=y" and "RestrictDevices=y"
      -- Only calls configured in the global section as "ApproveWinNtSysCall=..."/"ApproveWin32SysCall=..." will be executed with the original token
      -- all not approved Nt sys calls will be executed with the sandboxed token; this may break compatibility in certain scenarios
      -- hence additional syscalls may need to be allowed; this is to be done in the [GlobalSettings] and the driver must be restarted
      -- Note: Boxes created as Security Enhanced with prior builds will be displayed in the UI as normal from now on
      -- The Security Enhanced icons are now repurposed for the new Super Extra Security Enhanced Box Mode
      -- Note: The new enhanced security features require a supporter certificate
    • added browse option to the force processes tab
    Changed
    • replaced the "DeviceSecurity" template with a dedicated setting "RestrictDevices=y"
      -- Note: when needed more "NormalPipePath=..." entries can be added to open specific devices
    • rule specificity is now even more specific: an exact rule now overrules ones that end with a wildcard
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Thank you.
    Installer not signed?
     
  3. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Yes, for the preview builds it's expedient to skip this step.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    OK got it, thanks.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    This setting makes some of my portable apps not run, throwing an error:
    Code:
    The application was unable to start correctly (0xc0000005)
    All of my portables are in a user partition different from the system partition (C:)
    ------------
    I guess this is part of my answer, no?
    If so, I'd like to have an example of required syntax to properly fix it.
     
    Last edited: Aug 9, 2022
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    The partition is not the problem; perhaps these apps need some more syscalls to be approved. If you tell me where to download the apps which don't work, I can take a look into it.
     
  7. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    You add entries like the following
    Code:
    # atom stuff
    
    ApproveWinNtSysCall=AddAtom
    ApproveWinNtSysCall=AddAtomEx
    ApproveWinNtSysCall=FindAtom
    ApproveWinNtSysCall=DeleteAtom
    
    
    # allowed win32 sys calls
    
    ApproveWin32SysCall=GdiDdDDI*
    
    
    to the [GlobalSettings]

    you can get a list of all syscalls known in windows here: https://j00ru.vexillium.org/syscalls/nt/64/

    As you see, you skip the Nt prefix in the name; also you can use * to indicate a wildcard if you need to approve a larger number of syscalls at once.

    PS: very important, all these settings require the driver to be reloaded in order to take effect.
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Oh, how could I have missed that

    ApproveWinNtSysCall=OpenKeyEx

    was missing; it will be added to the templates.ini of the next build, but for now you can add it to the global section of your sandboxie.ini
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    It worked for the following portables, at least they run or open right away:
    µTorrent - now runs but there's an issue when closing - can't save data to resume file
    FastStone Capture
    foobar2000
    IrfanView
    SUMo - runs now but has some config issues
    Word - not saving docs properly
    Chrome's bookmarks loading quite slow.
     
    Last edited: Aug 9, 2022
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    OK, then you need to add more syscalls. You can enable syscall tracing and use the trace monitor in monitor mode to get a list of all not yet approved syscalls, i.e. status empty and not O (like "Open"). Then you can add all of them to your global section and, once you have validated that you haven't missed any and everything works fine, you start commenting them out in large batches, like 10 at a time. If you run into an issue, find out which of the last commented out is the culprit, and you proceed with the process until you have found all that you need. Also please share your findings so that they can be added to the next version of the templates.ini.

    PS: you can copy all of the entries cleanly by selecting them and then using the context menu "copy cell" option; if multiple rows are marked, copy cell copies all cells of the selected rows.
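    A helper that puts together the two things explained above, the entry syntax from the earlier reply (name without the Nt prefix, * as a wildcard) and the approve-everything-then-comment-out-in-batches search for culprits from this one. This is an added Python example, not code from Sandboxie or from DavidXanatos; the function names, the sample syscall list and the `app_works` oracle are constructed stand-ins for the manual re-test (in practice the ini is edited by hand and the driver reloaded after each change), and the glob-like wildcard matching is an assumption.

```python
"""Helper for the ApproveWinNtSysCall workflow described in this thread.

Added example, not code from Sandboxie or its author. It models two things
from the posts above: the entry syntax (name without the Nt prefix, '*' as a
wildcard) and the "approve everything the trace showed, then comment entries
out in batches to find the culprits" procedure. Function names and sample
data are constructed; `app_works` stands in for the manual re-test of the
sandboxed application after each ini change (and the driver reload it needs).
"""
from fnmatch import fnmatchcase
from typing import Callable, Iterable, List, Set

KEY = "ApproveWinNtSysCall"


def normalize(name: str) -> str:
    """Strip whitespace and a leading 'Nt', so 'NtReadFile' and 'ReadFile' are one entry."""
    name = name.strip()
    return name[2:] if name.startswith("Nt") else name


def to_entries(names: Iterable[str]) -> List[str]:
    """Deduplicate trace output (first occurrence wins) and emit KEY=Name lines."""
    seen: Set[str] = set()
    entries: List[str] = []
    for raw in names:
        n = normalize(raw)
        if n and not n.startswith("#") and n not in seen:
            seen.add(n)
            entries.append(f"{KEY}={n}")
    return entries


def covered_by(rule: str, known: Iterable[str]) -> List[str]:
    """List which known syscalls a single rule value opens.

    Wildcard handling is assumed glob-like (as in 'GdiDdDDI*' from the thread);
    use it to see how broad a wildcard rule really is before approving it.
    """
    pattern = normalize(rule)
    return sorted(n for n in (normalize(k) for k in known) if fnmatchcase(n, pattern))


def find_required(candidates: List[str], app_works: Callable[[Set[str]], bool],
                  batch_size: int = 10) -> List[str]:
    """Return the subset of `candidates` the application actually needs approved.

    Invariant: `approved` always keeps the app working. A batch is commented out
    (removed) as a whole; if that breaks the app, the batch is restored and split
    until a single culprit is isolated. Same idea as the post, just systematic.
    """
    approved = set(candidates)
    if not app_works(approved):
        raise ValueError("fails even with everything approved: trace for more syscalls first")
    required: List[str] = []
    work = [candidates[i:i + batch_size] for i in range(0, len(candidates), batch_size)]
    while work:
        batch = work.pop(0)
        trial = approved - set(batch)
        if app_works(trial):
            approved = trial                      # nothing in this batch was needed
        elif len(batch) == 1:
            required.append(batch[0])             # isolated culprit stays approved
        else:
            mid = len(batch) // 2                 # put it back, retest in halves
            work[:0] = [batch[:mid], batch[mid:]]
    return sorted(required)


def render_global_settings(candidates: List[str], required: List[str]) -> str:
    """Emit a [GlobalSettings] block, commenting out the entries that proved unnecessary."""
    lines = ["[GlobalSettings]", "# approved after syscall trace; commented lines were not needed"]
    for n in map(normalize, candidates):
        lines.append(f"{KEY}={n}" if n in required else f"#{KEY}={n}")
    return "\n".join(lines)


# Constructed sample: a trace-style list with a duplicate and a raw Nt-prefixed name.
TRACE_NAMES = [
    "SetWnfProcessNotificationEvent", "QueryDefaultLocale", "NtReadFile",
    "SetInformationFile", "CreatePrivateNamespace", "AlpcCreateSecurityContext",
    "SetWnfProcessNotificationEvent", "ReadFile", "Close", "WriteFile",
    "QueryKey", "QueryValueKey", "SetValueKey", "EnumerateKey",
]

# Constructed oracle: the app only needs the two syscalls reported as culprits in this thread.
NEEDED = {"SetInformationFile", "CreatePrivateNamespace"}


def sample_app_works(approved: Set[str]) -> bool:
    return NEEDED <= approved


if __name__ == "__main__":
    entries = to_entries(TRACE_NAMES)
    names = [e.split("=", 1)[1] for e in entries]
    culprits = find_required(names, sample_app_works, batch_size=4)
    print(render_global_settings(names, culprits))
    print(covered_by("Alpc*", TRACE_NAMES))
```

    With the constructed oracle the search narrows the twelve deduplicated entries down to SetInformationFile and CreatePrivateNamespace; the real procedure is the same loop with a manual re-test and driver reload in place of `sample_app_works`.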
     
  11. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    Thanks for the new version. I installed it over 1.2.8 and so far I haven't encountered any major problems.

    Issue: 'UseRuleSpecificity' setting appears as unticked in the UI, although it is defined by a template. (UseRuleSpecificity=y)
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Not yet approved syscalls for portable SUMo and uTorrent without selecting the culprits:
    Code:
    AlertThreadByThreadId
    AllocateLocallyUniqueId
    AllocateReserveObject
    AllocateVirtualMemoryEx
    AlpcCreateSecurityContext
    AlpcSetInformation
    CreateIoCompletion
    CreateThreadEx
    CreateTimer
    CreateTimer2
    CreateWorkerFactory
    EnumerateKey
    EnumerateValueKey
    GetMUIRegistryInfo
    InitializeNlsFiles
    IsUILanguageComitted
    MapViewOfSectionEx
    NotifyChangeMultipleKeys
    QueryDebugFilterState
    QueryEvent
    QueryInformationThread
    QueryLicenseValue
    QuerySecurityAttributesToken
    QuerySecurityObject
    QueryTimerResolution
    QueryVolumeInformationFile
    ReadFile
    ReadVirtualMemory
    RegisterThreadTerminatePort
    ReleaseMutant
    ReleaseSemaphore
    ReleaseWorkerFactoryWorker
    ResumeThread
    SetInformationObject
    SetTimer2
    SetTimerEx
    SetUuidSeed
    SetValueKey
    WaitForAlertByThreadId
    WaitForMultipleObjects
    WriteVirtualMemory
    AllocateVirtualMemory
    AlpcDeleteSecurityContext
    AlpcDisconnectPort
    AlpcQueryInformation
    ApphelpCacheControl
    AssociateWaitCompletionPacket
    CancelWaitCompletionPacket
    ClearEvent
    CreateWaitCompletionPacket
    DelayExecution
    FreeVirtualMemory
    GetCurrentProcessorNumber
    ProtectVirtualMemory
    QueryDirectoryFile
    QueryInformationFile
    QueryInformationProcess
    QueryInformationToken
    QueryKey
    QueryObject
    QueryPerformanceCounter
    QuerySection
    QuerySymbolicLinkObject
    QuerySystemInformationEx
    QueryValueKey
    QueryVirtualMemory
    QueryWnfStateData
    SetEvent
    SetInformationFile
    SetInformationKey
    SetInformationVirtualMemory
    SetInformationWorkerFactory
    TestAlert
    UnmapViewOfSection
    UnmapViewOfSectionEx
    UpdateWnfStateData
    WaitForMultipleObjects32
    WorkerFactoryWorkerReady
    WriteFile
    Close
    WaitForSingleObject
    WaitForWorkViaWorkerFactory
    AllocateUuids              
    QueryDefaultLocale        
    SetWnfProcessNotificationEvent
    RemoveIoCompletion        
    SubscribeWnfStateChange    
    UnsubscribeWnfStateChange  
    AlpcCreatePortSection      
    AlpcCreateSectionView      
    AlpcDeletePortSection      
    AlpcDeleteSectionView      
    PowerInformation          
    PrivilegeCheck            
    SetWnfProcessNotificationEvent
    TraceEvent                
    LockFile                  
    UnlockFile                
    QueryDefaultLocale        
    RemoveIoCompletion        
    SetIoCompletion            
    SubscribeWnfStateChange    
    UnsubscribeWnfStateChange
    
    Code:
    ApproveWinNtSysCall=AlertThreadByThreadId
    ApproveWinNtSysCall=AllocateLocallyUniqueId
    ApproveWinNtSysCall=AllocateReserveObject
    ApproveWinNtSysCall=AllocateVirtualMemoryEx
    ApproveWinNtSysCall=AlpcCreateSecurityContext
    ApproveWinNtSysCall=AlpcSetInformation
    ApproveWinNtSysCall=CreateIoCompletion
    ApproveWinNtSysCall=CreateThreadEx
    ApproveWinNtSysCall=CreateTimer
    ApproveWinNtSysCall=CreateTimer2
    ApproveWinNtSysCall=CreateWorkerFactory
    ApproveWinNtSysCall=EnumerateKey
    ApproveWinNtSysCall=EnumerateValueKey
    ApproveWinNtSysCall=GetMUIRegistryInfo
    ApproveWinNtSysCall=InitializeNlsFiles
    ApproveWinNtSysCall=IsUILanguageComitted
    ApproveWinNtSysCall=MapViewOfSectionEx
    ApproveWinNtSysCall=NotifyChangeMultipleKeys
    ApproveWinNtSysCall=QueryDebugFilterState
    ApproveWinNtSysCall=QueryEvent
    ApproveWinNtSysCall=QueryInformationThread
    ApproveWinNtSysCall=QueryLicenseValue
    ApproveWinNtSysCall=QuerySecurityAttributesToken
    ApproveWinNtSysCall=QuerySecurityObject
    ApproveWinNtSysCall=QueryTimerResolution
    ApproveWinNtSysCall=QueryVolumeInformationFile
    ApproveWinNtSysCall=ReadFile
    ApproveWinNtSysCall=ReadVirtualMemory
    ApproveWinNtSysCall=RegisterThreadTerminatePort
    ApproveWinNtSysCall=ReleaseMutant
    ApproveWinNtSysCall=ReleaseSemaphore
    ApproveWinNtSysCall=ReleaseWorkerFactoryWorker
    ApproveWinNtSysCall=ResumeThread
    ApproveWinNtSysCall=SetInformationObject
    ApproveWinNtSysCall=SetTimer2
    ApproveWinNtSysCall=SetTimerEx
    ApproveWinNtSysCall=SetUuidSeed
    ApproveWinNtSysCall=SetValueKey
    ApproveWinNtSysCall=WaitForAlertByThreadId
    ApproveWinNtSysCall=WaitForMultipleObjects
    ApproveWinNtSysCall=WriteVirtualMemory
    ApproveWinNtSysCall=AllocateVirtualMemory
    ApproveWinNtSysCall=AlpcDeleteSecurityContext
    ApproveWinNtSysCall=AlpcDisconnectPort
    ApproveWinNtSysCall=AlpcQueryInformation
    ApproveWinNtSysCall=ApphelpCacheControl
    ApproveWinNtSysCall=AssociateWaitCompletionPacket
    ApproveWinNtSysCall=CancelWaitCompletionPacket
    ApproveWinNtSysCall=ClearEvent
    ApproveWinNtSysCall=CreateWaitCompletionPacket
    ApproveWinNtSysCall=DelayExecution
    ApproveWinNtSysCall=FreeVirtualMemory
    ApproveWinNtSysCall=GetCurrentProcessorNumber
    ApproveWinNtSysCall=ProtectVirtualMemory
    ApproveWinNtSysCall=QueryDirectoryFile
    ApproveWinNtSysCall=QueryInformationFile
    ApproveWinNtSysCall=QueryInformationProcess
    ApproveWinNtSysCall=QueryInformationToken
    ApproveWinNtSysCall=QueryKey
    ApproveWinNtSysCall=QueryObject
    ApproveWinNtSysCall=QueryPerformanceCounter
    ApproveWinNtSysCall=QuerySection
    ApproveWinNtSysCall=QuerySymbolicLinkObject
    ApproveWinNtSysCall=QuerySystemInformationEx
    ApproveWinNtSysCall=QueryValueKey
    ApproveWinNtSysCall=QueryVirtualMemory
    ApproveWinNtSysCall=QueryWnfStateData
    ApproveWinNtSysCall=SetEvent
    ApproveWinNtSysCall=SetInformationFile
    ApproveWinNtSysCall=SetInformationKey
    ApproveWinNtSysCall=SetInformationVirtualMemory
    ApproveWinNtSysCall=SetInformationWorkerFactory
    ApproveWinNtSysCall=TestAlert
    ApproveWinNtSysCall=UnmapViewOfSection
    ApproveWinNtSysCall=UnmapViewOfSectionEx
    ApproveWinNtSysCall=UpdateWnfStateData
    ApproveWinNtSysCall=WaitForMultipleObjects32
    ApproveWinNtSysCall=WorkerFactoryWorkerReady
    ApproveWinNtSysCall=WriteFile
    ApproveWinNtSysCall=Close
    ApproveWinNtSysCall=WaitForSingleObject
    ApproveWinNtSysCall=WaitForWorkViaWorkerFactory
    ApproveWinNtSysCall=AllocateUuids                
    ApproveWinNtSysCall=QueryDefaultLocale          
    ApproveWinNtSysCall=SetWnfProcessNotificationEvent
    ApproveWinNtSysCall=RemoveIoCompletion          
    ApproveWinNtSysCall=SubscribeWnfStateChange      
    ApproveWinNtSysCall=UnsubscribeWnfStateChange    
    ApproveWinNtSysCall=AlpcCreatePortSection        
    ApproveWinNtSysCall=AlpcCreateSectionView        
    ApproveWinNtSysCall=AlpcDeletePortSection        
    ApproveWinNtSysCall=AlpcDeleteSectionView        
    ApproveWinNtSysCall=PowerInformation            
    ApproveWinNtSysCall=PrivilegeCheck              
    ApproveWinNtSysCall=SetWnfProcessNotificationEvent
    ApproveWinNtSysCall=TraceEvent                  
    ApproveWinNtSysCall=LockFile                    
    ApproveWinNtSysCall=UnlockFile                  
    ApproveWinNtSysCall=QueryDefaultLocale          
    ApproveWinNtSysCall=RemoveIoCompletion          
    ApproveWinNtSysCall=SetIoCompletion              
    ApproveWinNtSysCall=SubscribeWnfStateChange      
    ApproveWinNtSysCall=UnsubscribeWnfStateChange
    
    Still need to comment them out to find the culprit/s

    PS Also I noticed Google Chrome loads bookmarks faster...

    PS2: I think finding the culprits among those syscall lines will be a PITA...
     
    Last edited: Aug 9, 2022
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    OK I think I found the missing syscall. Yes only one :D
    ApproveWinNtSysCall=SetInformationFile

    Approving this one solved my issues with Chrome's bookmarks, uTorrent, Word not saving docs properly and SUMo corrupting its own settings.
    Geez.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Also these two syscalls solved two more issues with two more apps, XMind and PDF Reducer Pro:
    ApproveWinNtSysCall=CreatePrivateNamespace
    ApproveWinNtSysCall=AlpcCreateSecurityContext
     
    Last edited: Aug 10, 2022
  15. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    UseRuleSpecificity should not be included in any template anymore; are you using a custom template?
     
  16. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    507
    Yes, I am using a custom template for it. Rule specificity is working but appears unticked.

    Code:
    Tmpl.Title=Prevents access to other sandbox folders
    NormalFilePath=X:\SandboxFolder\%USER%\%SANDBOX%\*
    WriteFilePath=*\SandboxFolder\*
    UseRuleSpecificity=y
    Tmpl.Class=Local
     
  17. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,171
    Location:
    UK
    Got a supporter certificate today so apologies if my question seems simple.

    If I make a new security enhanced box, and it has the pretty colour :), and it is listed in the GUI etc, why does it not show in the ini file under BoxDisplayOrder?
     
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Which ini? Since a few builds BoxDisplayOrder is stored in the Plus ini and no longer in the normal ini
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,171
    Location:
    UK
    The one accessed from within the Plus GUI which says 'Sandboxie-Plus configuration file' at the top of it :D
    So why doesn't the ini accessed by the GUI show it?

    (It shows it in C/users/name/appdata/local/sbie+/sbie ini)
     
  20. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    This is the regular sandboxie.ini which has the core configuration; the UI configuration of SandMan is stored separately in C/users/name/appdata/local/sbie+/sbie+ini
    The reason is that the regular ini is managed by the service and driver, while for the UI we want to use options even when the core components are shut down, hence the use of its own ini.
     
  21. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,171
    Location:
    UK
    So BoxDisplayOrder shows the 2 boxes I already had (default and tester) and their order, in the ini accessed by the GUI (sbie ini you say)

    But the new box I have just made now doesn't show there, only in plus.ini

    Perhaps they are leftover from updating a previous build and not doing a clean install.

    This shows in the 1.3.0 GUI ini

    [UserSettings_08C801BE]
    SbieCtrl_AutoStartAgent=SandMan.exe
    BoxDisplayOrder=DefaultBox,Tester
    SbieCtrl_EnableAutoStart=y
     
  22. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Yes, the values in the sandboxie.ini are deprecated but are not being cleaned up, in case the user wants to use sbiectrl.exe at some point and have the last preset kept
     
  23. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    213
    Location:
    Emerald City
    No doubt I'm probably the only Sandboxie user on this forum (and elsewhere) that keeps the "plus" version up-to-date and hopes for the best that nothing breaks after the latest iteration without the slightest inclination to tinker with the settings.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,258
    Location:
    .
    Is BoxCollapsedView= also deprecated in Sandboxie.ini?
     
  25. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,524
    Location:
    Viena
    Note: it's also deprecated in Sandboxie.ini and is now located in Sandboxie-Plus.ini
     