Sandboxie Plus (Sbie fork)

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Apr 9, 2020.

Thread Status:
Not open for further replies.
  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    There is a distinction with regard to performance to be made here, the UI component has no effect on sandboxed applications, it can be as bad performing as it will, it won't slow down the applications running in the various sandboxes in the least.

    A basic set of Qt5 libs is about 27MB, admittedly much more than just using MFC, which is about 7MB, but nowadays 20 MB is nothing, 50 MB is still nothing, etc...

    If one compares memory usage the difference is not that big, but admittedly how do you reasonably compare two completely different frameworks, how about comparing two tools as identical as they can be yet using different UI frameworks.
    For example ProcessHacker (plain C, no C++, no MFC) vs. TaskExplorer (Qt5), both tools even use the same backend library, only the frontend is different. PH uses on my system 54MB of RAM while TaskExplorer clocks in at 91MB right now.
    Looking at the source code, PH (not counting libs) is 3,1MB in size, TE (not counting libs) is only 1,4MB, also TE has a lot of PH functionality which is located in plugins I did not take into account here.
    IMHO that is a more than worth it trade-off, especially if you take into account that time is one thing you can't buy more of...

    Now about the CPU usage, admittedly that's probably where Qt really shows its weakness in comparison to plain C, I don't have a good way to compare this, but in my experience when working with larger lists or tree views that have to be frequently updated Qt can easily grind to a halt and clog up one entire CPU core.
    When idling, TE's UI thread takes up about 8% of one CPU core, that sounds like much, but hold on, PH is also not that easy on the CPU, its UI thread still needs around 5% of one CPU core.
    Total CPU usage on my laptop is TE 0.9% and PH 0.6%.
    Now it took me days of optimizations to get TE there, but it's there.

    So I think overall Qt5 is not that bloated, at least not with regards to what counts most.
     
  2. diversenok

    diversenok Registered Member

    Joined:
    Oct 7, 2018
    Posts:
    18
    Location:
    Russia / Netherlands
    Sandboxie already has some security flaws, and the fact that it is open-source now provides us with an excellent opportunity to fix them. So I see the opposite trend here. I emailed Sophos a couple of severe unpublished vulnerabilities (an EoP and a sandbox escape) about eight months ago, and they haven't fixed them. I know that they were busy making Sandboxie open-source, but still. And now, I can look into the code and figure out how to fix them on my own. Or I can email them to DavidXanatos, and we can look into these issues together. With sandboxes like Shade (which is terrible from the security perspective), we have no such options. Hence, I don't think we should worry about someone purposefully weakening Sandboxie at this point, quite the opposite.
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,396
    Location:
    Member state of European Union
    My friends do GUIs in C#. They use WPF and XAML. They like it.
     
  4. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    I tried that for my PrivateWin10 tool and I am not impressed at all.
    Getting a sortable tree to work with WPF was a mess and needlessly much effort. I guess it's more convenient if you are willing to buy 3rd party controls. But that's a no-go for open source projects.
    And the performance seems in any case terrible, even in comparison to an unoptimized Qt usage.

    .NET is great for rapid development of simple tools IMHO and it has a huge community, which is a big plus.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,999
    Location:
    .
    https://www.ghacks.net/2020/04/10/sandboxie-source-code/
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,999
    Location:
    .
    Any ideas how to get new Edge Windows Defender Smart Screen to work - in my new Edge sandbox? 5.33.6
    Edit:
    tried 5.40.1 as test with Windows Defender Smart Screen + block PUA On.
    Edit: reproduced -
     
    Last edited: Apr 11, 2020
  7. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    @DavidXanatos

    Thanks for taking the time to reply! CPU is IMO the only thing that matters here (RAM as you say varies little in difference, and nowadays a drop in a bucket), when interacting with the GUI, if there's any kind of delay or hang of any sort then that is bad, not everyone can run the latest 16 core whatever CPU from 2020, I can click SB now and it shows instant.

    Personally, I dropped your TE after really giving it a try to like it, I had too many gripes with it compared to PH (one of which was the small "hang" on startup it had). There's also size to consider (not that it matters much honestly), PH is something like ~5MB, while your TE was over ~70MB (IIRC) from all the Qt stuff bundled with it.

    Anyway, one bit of advice I have is don't ignore your GitHub users/issues/pull requests like you do with your other projects, that's a good way to **** people off and not want to help anymore, you waste their time too by simply ignoring them, then they feel like ****, we probably don't want 100 forks of SB, instead focus on one.

    Another thing, sort of a request, is I hope you can implement into SB a feature that an old program did long ago called "SandboxDiff", as you can probably guess by the name, it told you what files and registry keys were /added /changed /removed when you ran something in SB while running SandboxDiff, it outputted results to a text/HTML file, it was clunky as hell to use but still useful, especially the registry stuff which isn't obvious at a glance what programs do when in SB, unlike just looking at the newly added/removed files in Windows Explorer afterwards. I'm sure you could streamline its use, or even make it more "basic" while still adding its functionality, maybe integrate its output to the UI instead of an exported file, etc.

    Old thread about SandboxDiff here:
    https://www.sandboxie.com/old-forums/viewtopicdbb3.html?f=22&t=3606

    EDIT: Hey @bjm_ ever hear of a word called "Edit"?
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    When I use TE I have it always running and opening it from tray is instant.
    I guess your use-case was "start it when needed and close again", right?
    For the Sandboxie use-case it is a resident application so the initial start delay should be negligible.

    About GitHub, I know and I'm trying to improve, it's probably not ideal to read a suggestion, implement it a month later and then just write "done, here it is".
    Now I'm trying to give instant feedback even if it's just Ok, maybe, duly noted, etc. right so the user knows I read it.
    My social skills are abysmal, but I'm working on it.

    About SandboxDiff, something like this will be part of the "Better Analysis Infrastructure" I listed in the Roadmap draft, just unselect everything but the file/registry API calls.

    Cheers
    David X.
     
  9. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    Yes that's my use-case for Task Managers, now I don't want to say PH is perfect in this regard, there is a tiny tiny hang as well, which I think is related to the "Check images for digital signatures" option, but it was still much less than what TE did from what I remember, and this was personally a deal breaker for me, but that's the price you pay with TE, more info being presented to you all at once, longer startups, convenience vs. performance.
     
  10. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
  11. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    200
    Is the 32-bit installer for XP (posted in the old invincea thread) affected in any way by this?
     
  12. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    Build 5.40.1 has only fixes for a recent version of Windows 10, so for Windows XP just continue using the _xp from the first release.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,999
    Location:
    .
    5.40.1
     
    Last edited: Apr 11, 2020
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    mmh... the MSIserver service starts though, you see that by there being two msiexec.exe instances, one of them started with the /V argument.
    So there must be a second issue, strangely enough it seems not to happen with other msi packages, hmm....
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,999
    Location:
    .
    Can you suggest msi package/s for me to test.
    I don't need (read must have) msi to run sandbox'd.
    My 12 years with Sandboxie have been mostly browsers.
    Just curiosity testing msi.
    Regards
     
    Last edited: Apr 11, 2020
  16. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    Paint.NET
    Mumble
    PDF-XChange Editor
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,999
    Location:
    .
    Code:
    Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
    === Logging stopped: 4/11/2020  18:58:20 ===
     
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    Yeah, the Mumble one is also strange, the error comes after everything was installed, when it is supposed to close.

    EDIT:
    OK, that's what is happening:
    The MSIserver service needs to start an instance of msiexec.exe from SysWOW64, i.e. the 32 bit version.
    On Windows 1803 that works as it should, on 1903 not anymore, will have to investigate why not...


    About Paint.NET sandboxed, neither 1803 nor 1903 work, the initial error is also not MSIserver related but a Windows version check fails :/ so while it may later on be affected by the aforementioned issue, there is an unrelated issue with Windows version detection while sandboxed :/
     
    Last edited: Apr 12, 2020
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
    Sandboxie is compiled with DEP and ASLR, but do you also plan on compiling it with more mitigations like CFG and Spectre flags?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    Sounds cool to me. :thumb:

    Would be cool if you could make a "block all except" function when it comes to blocking access to folders. So certain apps should be able to get access to folders. More protection against outbound access is not really needed since we already got excellent third party firewalls. The GUI could use a face lift, but it must not become bloated. I believe there was already an option to allow driver installation, but they removed it. And lastly, can you perhaps explain how Altiris SVS is different when it comes to Application Virtualization? Also, I hope you will be able to fix the problem with MSI files.
     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    One thing after the other, first there are more than enough bugs and incompatibilities to fix, before introducing new ones :D


    IMHO that can't be, being able to load a driver into the real kernel is a major potential security hole. And creating a dummy Windows kernel is a lot of work, too much for what little benefit that would have.
    Now with being GPL we can just take a part of WINE and thus skip most of the work.

    SVS never provided any kind of protection, it was all about Software deployment, there was a standalone version, but their main use case was application deployment from central servers. So that in a central point you could switch applications on and off on all the machines in the network.

    The deployed software was not isolated from the host OS, but once a software package was enabled its files and registry entries appeared to all processes on the system. I don't remember how conflicts were handled, I haven't used it for a long time, I think you had ignore lists for what packages shouldn't see which other ones.

    So you could activate an MS Office package and something that integrates with it like, let's say, EndNote, and then on the system it looked and behaved as if these two applications would be really installed, the EndNote plugin for Word was loaded and functional, etc...
     
  22. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    I should probably start reporting this kind of stuff to GitHub, so more eyes and ideas on issues happen, and I'm sure you'd prefer that right? Bug reporting to go to GitHub instead of these forums?

    Anyway, this one's a quickie because you seem bored with nothing to do (lol, probably very busy).

    Can you take a look at this very simple program called CSVpad and figure out why it doesn't run in Sandboxie, it's just a portable CSV editor, I've reported it long ago officially but considering what it is, it was probably the lowest of low of priorities to them to fix, never did, and always wondered why it ran fine outside, but errors inside... But hey, maybe this "bug" can lead to fixing other similar issues.

    CSVpad v1.2:
    https://www.trustfm.net/software/utilities/CSVpad.php
     
  23. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    1,131
    Location:
    Viena
    I will take a look...
    Yes, creating GitHub issues for bugs helps me keep track of what needs fixing.
     
  24. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    I figured, it also shows the public that this "SB" fork is active and alive when there's active discourse happening there on GitHub and not on some dumb little forum only a few eyes see.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,549
    Location:
    Outer space
    True :argh: But at least it is on the to do list.
     