Is this a bug?


Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Is this a bug?

Post by Buster » Sat Jan 24, 2009 7:45 pm

tzuk: I was trying some stuff in order to try to hide Sandboxie from sandboxed applications and I added Sandboxie's path to "Blocked Access".

The result of doing this is that nothing will run sandboxed.

Is this a bug or not?

To me it seems like Sandboxie is blocking access to itself, not blocking a sandboxed application's operation. I mean that when I run NOTEPAD.EXE sandboxed, NOTEPAD.EXE never requests access to Sandboxie's directory, so NOTEPAD.EXE should run fine.

Just let me know your thoughts about this, please.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Sat Jan 24, 2009 10:02 pm

I'm guessing it has to do with the path to SbieDll.dll being blocked. This DLL is loaded into every process running sandboxed. To do this, the process has to be able to access the DLL.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Jan 25, 2009 2:29 am

wraithdu wrote:
I'm guessing it has to do with the path to SbieDll.dll being blocked. This DLL is loaded into every process running sandboxed. To do this, the process has to be able to access the DLL.

I guess that's correct, but it's not the sandboxed application that requires the access to SbieDll.dll, it's Sandboxie, which is a non-sandboxed application.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Sun Jan 25, 2009 3:21 am

Actually no, it is the process that requires access. The most likely method tzuk is using to inject SbieDll.dll into a process is by using CreateRemoteThread() to cause the process to call LoadLibrary() on SbieDll.dll. This means it is the sandboxed process itself that loads SbieDll.dll, so it must be able to access the DLL for the function call to succeed. If the DLL injection fails, then Sandboxie probably terminates the application immediately.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Jan 25, 2009 5:19 am

Probably it's like you say, but let's wait for tzuk's response.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Jan 25, 2009 3:33 pm

In principle wraithdu is correct, any sandboxed program has "C:\Path\To\Sandboxie\SbieDll.dll" listed as a mandatory (or a "static import") DLL that has to load. If it can't be loaded (because of the closed path, in this case) then the program can't load.

But the injection isn't accomplished using CreateRemoteThread() because that would inject the DLL too late -- only after all other static import DLLs have already been loaded and initialized.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Jan 25, 2009 4:45 pm

tzuk wrote:
In principle wraithdu is correct, any sandboxed program has "C:\Path\To\Sandboxie\SbieDll.dll" listed as a mandatory (or a "static import") DLL that has to load. If it can't be loaded (because of the closed path, in this case) then the program can't load.

But the injection isn't accomplished using CreateRemoteThread() because that would inject the DLL too late -- only after all other static import DLLs have already been loaded and initialized.

And could you make the necessary changes to make it possible to apply a closed path to Sandboxie's folder and still allow the sandboxing of applications?

I remember reading a post from you saying that it would be easy for an application to detect whether it's being sandboxed or not. I was thinking about the issue and I thought there are 3 possible ways to check that:

1) Checking if Sandboxie is installed. It may not really mean the application is being sandboxed, but it would be a good clue.

The solution to avoid this kind of detection would be applying a closed path to Sandboxie's folder.

2) Using FindWindow/EnumProcess.

I'm working on a DLL that, after being injected, would hide Sandboxie's processes from sandboxed applications.

3) Checking the registry for Sandboxie's entries.

I could use the option of blocking access to Sandboxie's registry entries.

I'm not sure if Sandboxie would refuse to work as in the first case, because Sandboxie needs access to certain registry keys.

At the moment I'm unable to think of a way an application could notice if it's being sandboxed or not.

Sandboxie is becoming more and more popular and I think a way to hide Sandboxie's execution is becoming interesting.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Sun Jan 25, 2009 5:21 pm

But the sandboxed process can still look into its own memory and see the SbieDll.dll is loaded. You can't prevent that. So closing Sandboxie's program folder is moot.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Jan 26, 2009 1:51 am

wraithdu wrote:
But the sandboxed process can still look into its own memory and see the SbieDll.dll is loaded. You can't prevent that. So closing Sandboxie's program folder is moot.

What API or method would they use to check it?

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Mon Jan 26, 2009 8:17 am

Buster wrote:
wraithdu wrote:
But the sandboxed process can still look into its own memory and see the SbieDll.dll is loaded. You can't prevent that. So closing Sandboxie's program folder is moot.

What API or method would they use to check it?

A lot of possibilities here, just to name a few:
  • Toolhelp stuff (Module32First, Module32Next)
  • LoadLibrary
  • GetModuleHandle
  • Direct memory reading
  • ReadProcessMemory
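Mark_'s list above names the ways a process can learn that SbieDll.dll sits in its address space; seen from the defender's side, the same API names form a detection surface. As an added example that is not from the thread, this Python detector scans an API-call trace and flags processes that look SbieDll.dll up by name or walk their own module list through Toolhelp; the "pid|api|argument" trace line format and the sample trace are constructed assumptions, not any real tracer's output.

```python
# Added example, not from the thread; the "pid|api|argument" trace format is a constructed assumption.
import re
from collections import defaultdict

# Direct by-name lookups of the injected DLL (high confidence).
BY_NAME_APIS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
# Toolhelp walk of the caller's own modules (low confidence: many legitimate programs do this too).
SNAPSHOT_API = "CreateToolhelp32Snapshot"
WALK_APIS = {"Module32First", "Module32FirstW", "Module32Next", "Module32NextW"}

SBIE_DLL = re.compile(r"sbiedll\.dll", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<api>\w+)\|(?P<arg>.*)$")
SELF_SNAPSHOT_RE = re.compile(r"TH32CS_SNAPMODULE.*\bpid=(\d+)")

def parse_line(line):
    """Split one trace line into (pid, api, arg); None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("pid"), m.group("api"), m.group("arg")) if m else None

def scan_trace(lines):
    """Return {pid: sorted findings} for processes that probe for SbieDll.dll."""
    findings = defaultdict(set)
    self_snapshot = set()  # pids that took a module snapshot of themselves
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage lines rather than crash on them
        pid, api, arg = parsed
        if api in BY_NAME_APIS and SBIE_DLL.search(arg):
            findings[pid].add(f"high: {api} looked up SbieDll.dll by name")
        elif api == SNAPSHOT_API:
            m = SELF_SNAPSHOT_RE.search(arg)
            if m and m.group(1) == pid:
                self_snapshot.add(pid)
        elif api in WALK_APIS and pid in self_snapshot and SBIE_DLL.search(arg):
            findings[pid].add("low: Toolhelp walk of own modules reached SbieDll.dll")
    return {pid: sorted(f) for pid, f in findings.items()}

# Constructed sample trace: 1001 is a plain editor, 2002 does a by-name lookup,
# 3003 walks its own module list through Toolhelp.
SAMPLE_TRACE = [
    "1001|CreateFileW|C:\\Users\\demo\\notes.txt",
    "2002|GetModuleHandleW|SbieDll.dll",
    "3003|CreateToolhelp32Snapshot|flags=TH32CS_SNAPMODULE pid=3003",
    "3003|Module32FirstW|szModule=sample.exe",
    "3003|Module32NextW|szModule=ntdll.dll",
    "3003|Module32NextW|szModule=SbieDll.dll",
    "not a trace line",
]
```

Run `scan_trace(SAMPLE_TRACE)` to see that only pids 2002 and 3003 are reported, with the by-name lookup ranked above the module walk.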

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Jan 26, 2009 8:59 am

Mark_ wrote:
A lot of possibilities here, just to name a few:
  • Toolhelp stuff (Module32First, Module32Next)
  • LoadLibrary
  • GetModuleHandle
  • Direct memory reading
  • ReadProcessMemory

I'm already working on Module32First/Next. The same could be done with ReadProcessMemory and GetModuleHandle. It's just a question of hooking the APIs.

I don't know about direct memory reading.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Jan 26, 2009 9:56 am

Buster, if you want my advice, drop it. It's true that simple malware might use simple techniques to detect Sandboxie like GetModuleHandle. But it should not be hard for anyone taking it seriously to come up with ten different fool-proof ways to detect Sandboxie.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Jan 26, 2009 12:36 pm

Ok.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Aug 29, 2010 7:10 am

He he he... I just found this post. :D

I didn't follow your tip, tzuk. I didn't drop it. :P

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Aug 29, 2010 3:13 pm

Well I'm still right on the principle of the issue. :P But yeah, I accept that hiding GetModuleHandle has definitely let you run some trojans that would otherwise not run.
tzuk
