This thread is intended for a discussion of technical Sandboxie topics, including technical tests. The thread for Sandboxie updates and other Sandboxie topics is here.

This first post discusses a test of code injection within a sandboxed program. One can test some proofs of concept that mimic real malware (but aren't malware) on Windows XP with the code from the book "Practical Malware Analysis" at hxxp://practicalmalwareanalysis.com/labs/.

Here's a test I did of one of the "Practical Malware Analysis" files on a Windows XP SP3 virtual machine with Sandboxie 4.12 (all default settings):

1. Ran TCPView unsandboxed.
2. Ran sandboxed file Lab19-02.exe. (This mimics what could happen if you got hit by an exploit.)

Lab19-02.exe launches two instances of Internet Explorer (iexplore.exe) sandboxed and injects code into one (or both?) of the instances. Network activity for the sandboxed iexplore.exe is shown in TCPView. iexplore.exe attempts to connect to local network IP address 192.168.200.2 on TCP port 13330. If it connects, a remote shell is established.

I used Hercules on a different virtual machine with IP address 192.168.200.2 to listen on port 13330. A remote shell was indeed established. I used some commands like "dir" in Hercules, which were sent to the "victimized" virtual machine and executed in a sandboxed cmd.exe; the command results from the "victimized" virtual machine were sent back to Hercules for display.
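The TCPView observation above (a sandboxed browser holding a connection to a non-web port, then a shell riding that connection) is the kind of thing a small triage script can flag automatically. The following is an added example, not code from the poster or from Sandboxie; it assumes a tab-separated export in the shape process, PID, protocol, local endpoint, remote endpoint, state (the sample rows are constructed, and the browser/shell/port lists are assumptions to tune locally).

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of a TCPView text export (tab-separated:
# process, PID, protocol, local endpoint, remote endpoint, state). Not real capture data.
SAMPLE_EXPORT = """\
iexplore.exe\t1880\tTCP\t192.168.200.10:1045\t192.168.200.2:13330\tESTABLISHED
iexplore.exe\t1880\tTCP\t192.168.200.10:1046\t93.184.216.34:443\tESTABLISHED
svchost.exe\t1020\tUDP\t0.0.0.0:123\t*:*\t
cmd.exe\t2201\tTCP\t192.168.200.10:1047\t192.168.200.2:13330\tESTABLISHED
"""

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}   # assumed list
SHELLS = {"cmd.exe", "powershell.exe"}                     # assumed list
WEB_PORTS = {80, 443, 8080}                                # assumed "normal" browser ports


class Conn(NamedTuple):
    process: str
    pid: int
    proto: str
    remote_ip: str
    remote_port: int
    state: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one export row; return None for listening or unconnected sockets."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6 or fields[4] in ("*:*", ""):
        return None
    host, _, port = fields[4].rpartition(":")
    return Conn(fields[0].lower(), int(fields[1]), fields[2], host, int(port), fields[5])


def reason(c: Conn) -> Optional[str]:
    """Return why a connection looks like injected code phoning out, or None."""
    if c.proto != "TCP" or c.state != "ESTABLISHED":
        return None
    if c.process in SHELLS:
        return "command shell holds a TCP connection (remote shell pattern)"
    if c.process in BROWSERS and c.remote_port not in WEB_PORTS:
        where = "private" if ipaddress.ip_address(c.remote_ip).is_private else "public"
        return f"browser connected to non-web port {c.remote_port} on {where} host"
    return None


def scan(export: str) -> List[tuple]:
    """Return (process, pid, remote, reason) for every suspicious row."""
    findings = []
    for line in export.splitlines():
        c = parse_line(line)
        if c and (why := reason(c)):
            findings.append((c.process, c.pid, f"{c.remote_ip}:{c.remote_port}", why))
    return findings
```

Run `scan(SAMPLE_EXPORT)` to see the two rows that correspond to the injected iexplore.exe connection and the cmd.exe shell; the 443 row and the UDP listener are left alone.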