ReHIPS + Sandboxie incompatibility affecting Google Chrome and other apps

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by Mr.X, Sep 4, 2022.

  1. Mr.X

    Mr.X Registered Member

    I decided to create a separate thread for better exposure, and so others might post similar issues here.

    Issue:
    Google Chrome does not create its GUI while running sandboxed on top of Sbie (not ReHIPS) when ReHIPS is installed on the same machine.

    Again as a reminder: Regarding the ReHIPS + Sbie issue, and while messing around with the ini file, I found that after putting NoSecurityIsolation=y, Chrome opens again (although profile sync failed).


    Steps to reproduce the issue
    • Install Windows 10 x64 vm
    • Install Google Chrome
    • At this point you need to create a profile which has bookmarks and other settings, if you like, which might be synchronized
    • Install Sandboxie and force Chrome
    • Install ReHIPS
    • Activate it (important for it can unlock all features and remove restrictions)
    • Activate Learning Mode > Click Yes
    • Enter key and activate it
    • Wait a few seconds for ReHIPS to install its rules automatically (be patient, it takes only 2 min max)
    • Go to Settings > Programs tab > Isolated tab > Click on Username > Select Chrome
    • Click on - (minus blue button) to delete Chrome
    • Continue? > Yes
    • Click OK
    • Now you can tinker with Disable, Learning or Permissive Modes while trying to launch sandboxed Chrome on top of Sandboxie. You should see no Chrome GUI at all
    • Insert a line in the ini file: NoSecurityIsolation=y
    • Sandbox icon turns to green, obviously
    • Launch Chrome again and it creates the GUI correctly
    • At this point there's no profile sync



    ReHIPS download
    Code:
    https://rehips.com/ReHIPSSetup2.6.0.zip

    The following activation keys are publicly available and legal for anyone willing to try the product (ReHIPS) before purchasing. They are not illegal by any means. They were released in 2017 on the product forums for use on virtual machines.
    https://forum.rehips.com/index.php?msg=16219
     
  2. Mr.X

    Mr.X Registered Member

    Anyone having issues similar to mine feel free to post them here on this thread.
     
  3. henryg1

    henryg1 Registered Member

    AAMOI, is there a need to run both ReHIPS and SBIE? I have Shadow Defender too, but I tended to use it when SBIE had problems running an installer, and that happens rarely now.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Well, that was actually my question. Why do people need ReHIPS and Sandboxie? I mean, they both do the same, right?
     
  5. Mr.X

    Mr.X Registered Member

    I need to run ReHIPS alongside Sandboxie to sandbox programs that are irremediably incompatible with Sandboxie.
    They both do similar things but in a different way, with different mechanisms.

    And I say irremediably incompatible because perhaps I don't know how to properly configure Sandboxie, but who knows, I don't waste time and go and isolate that program on top of ReHIPS. ReHIPS is much more compatible with any program (I think and have seen) due to its different sandboxing mechanisms compared to Sandboxie.
     
  6. DavidXanatos

    DavidXanatos Developer

    soo... vmware 16 has a HWID which is not listed under the free keys so not good
     
  7. Mr.X

    Mr.X Registered Member

    What HwID does it have, to ask @fixer at the forums?
     
  8. DavidXanatos

    DavidXanatos Developer

    Sooo.... I can reproduce the issue in a test VM. The required minimum to get Chrome to show a window is NoSandboxieDesktop=y and UnrestrictedToken=y,
    but UnrestrictedToken=y makes for an unsafe configuration, not more unsafe than a compartment type box though.

    As far as I can assess the situation, the actual fix is NoSandboxieDesktop=y, but this requires the process to have a mostly fully privileged token, hence it requires UnrestrictedToken=y.

    I have observed that terminating the ReHIPS service also allows Chrome to start, but of course that is not a viable solution.

    In my preliminary opinion the issue is with ReHIPS and their service messing with the process one way or another; the simplest would be them checking if a process has loaded SbieDll.dll and if so not messing with it.

    With regard to fixes on my side:

    I could look into messing with ReHIPS's service; perhaps it could be as simple as using ObCallbacks in the driver to block that service from being able to open handles on any sandboxed process.

    Another solution that would be more generic would be to use SandboxieLogon=y in combination with a change to the default desktop's security descriptor to allow Sandboxie\[BoxName] users to access the real user desktop directly, allowing the use of NoSandboxieDesktop=y with a sandboxed token.
    The downside of this is that it would be equivalent security-wise to OpenWinClass=*, which is not recommended.



    PS: the VM's hwid is 66CED13691AF5E259B75854C65AD5E0699ADE84D


    PPS: seeing ReHIPS pricing makes me think Sandboxie-Plus features are far too cheap, LOL
     
    Last edited: Sep 5, 2022
  9. Mr.X

    Mr.X Registered Member

    This looks to me like a good idea. Could you upload a test build please?
    I know.
    In my case I translated (and keep translating) ReHIPS gui to Spanish language and got a couple of lifetime licenses.
     
  10. DavidXanatos

    DavidXanatos Developer

    In build 1.3.3 there will be an option
    DenyHostAccess=HIPSAgent64.exe,y
    With it, Chrome and co. will work when ReHIPS is installed.

    EDIT: once 1.3.3 is out please review the changelog for the exact syntax and whether I did not change the setting name by then
     
  11. DavidXanatos

    DavidXanatos Developer

    ## [1.3.3 / 5.58.3] - 2022-09-??

    ### Added
    - added option to block host processes from accessing sandboxed ones [#2132](https://github.com/sandboxie-plus/Sandboxie/issues/2132)
    -- usage: DenyHostAccess=Program.exe,y
    - added compatibility template for ReHIPS

    It's in and seems to be working fine, but it proves that ReHIPS is somehow messing with processes it should not touch, so ideally the issue should be fixed on their side.
    Anyhow, we now have a workable workaround that adds nice new functionality, hence it might be useful for other use cases in future as well.
     
  12. Mr.X

    Mr.X Registered Member

    Thanks a lot David! :cool:
     
  13. EternalAbyss

    EternalAbyss Registered Member

    Awesome work David, that's great news I look forward to 1.3.3.
     
  14. Mr.X

    Mr.X Registered Member

    And thank you thank you for properly bringing this issue to David ;)
     
  15. Rasheed187

    Rasheed187 Registered Member

    OK I see, I never really liked ReHIPS, too complex for me, but it doesn't use any virtualization, probably that's why it works with more apps. But seems it has been fixed now.
     
  16. DavidXanatos

    DavidXanatos Developer

    I guess the next should be these two key scrambler thingies... that don't work with SB either
     
  17. Mr.X

    Mr.X Registered Member

    I didn't understand, sorry David.
     
  18. DavidXanatos

    DavidXanatos Developer

    Some users reported some time ago that some 3rd party security software that is supposed to prevent keyloggers does not play nice with Sandboxie, so since we are now at a point to fix compatibility issues with misbehaving 3rd party security software, these tools would be a good next entry on the todo list
     
  19. Mr.X

    Mr.X Registered Member

    Ah ok, incompatibilities you are talking about but not necessarily with ReHIPS, ok I got it.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Actually, I believe KeyScrambler worked correctly because of the template that's included in Sandboxie, but SpyShelter's keystroke encryption does not work for sandboxed apps. So if you install SpyShelter you should open a sandboxed Notepad, and then record keystrokes with this tool, you will see it will be able to record typed text, despite SpyShelter being active.

    https://www.snapfiles.com/get/antikeyloggertester.html
     
  21. Mr.X

    Mr.X Registered Member

  22. Mr.X

    Mr.X Registered Member

    This is ReHIPS template and it says ReHIPSService.
    Code:
    Tmpl.Title=ReHIPS
    Tmpl.Class=Security
    Tmpl.Url=https://rehips.com/
    Tmpl.Scan=s
    Tmpl.ScanService=ReHIPSService
    DenyHostAccess=HIPSAgent64.exe,y
    
    My system is a 64-bit OS and the installed ReHIPS has a ReHIPSService64.exe. Do I need to edit such a template to Tmpl.ScanService=ReHIPSService64 ?
    Note that I haven't seen any issues so far with the current template.
     
  23. busy

    busy Registered Member

    ReHIPSService is the service name of the ReHIPSServiceXX.exe.

    To check it:
    Code:
    sc queryex type=service state=all | find /i "SERVICE_NAME: " | find /i "ReHIPS"
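
Added example, not part of any post above and not Sandboxie's own code: a Python audit of Sandboxie.ini text that reports, per section, which of the isolation-weakening workarounds tried in this thread are still set and which host programs are blocked through DenyHostAccess. The setting names and the `Program.exe,y` syntax come from the posts; the sample text, the box names and the `Template_Example` section name are constructed for illustration, and skipping `UserSettings_`/`Template_` sections is an assumption about which sections are sandboxes.

```python
WEAKENING = {  # setting name (lower-case) -> label, effects as described in the thread
    "nosecurityisolation": "NoSecurityIsolation=y (security isolation off)",
    "unrestrictedtoken": "UnrestrictedToken=y (unrestricted token)",
    "nosandboxiedesktop": "NoSandboxieDesktop=y (runs on the real desktop)",
}
SKIP = ("usersettings_", "template_")  # assumption: these sections are not sandboxes

def parse_ini(text):  # -> {section: [(key, value), ...]}; keys may repeat
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return {section: {"weak": [...], "deny_host": [...]}}."""
    report = {}
    for name, items in parse_ini(text).items():
        if name.lower().startswith(SKIP):
            continue
        weak, deny = [], []
        for key, value in items:
            k, v = key.lower(), value.lower()
            if k in WEAKENING and v == "y":
                weak.append(WEAKENING[k])
            elif k == "openwinclass" and v == "*":
                weak.append("OpenWinClass=* (not recommended)")
            elif k == "denyhostaccess" and v.endswith(",y"):
                deny.append(value.rsplit(",", 1)[0])  # program name before ",y"
        report[name] = {"weak": weak, "deny_host": deny}
    return report

# Constructed sample; box names and the template section name are hypothetical.
SAMPLE = """
[DefaultBox]
NoSecurityIsolation=y
[TestBox]
NoSandboxieDesktop=y
UnrestrictedToken=y
DenyHostAccess=HIPSAgent64.exe,y
[Template_Example]
DenyHostAccess=HIPSAgent64.exe,y
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A box that lists both a DenyHostAccess entry and one of the weakening settings, like TestBox here, is a candidate for removing the weakening setting and retesting.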
     