Question regarding Sandboxed programs that attempt to delete

Utilities designed for use with Sandboxie
tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Sep 24, 2008 10:25 am

GetModuleFileName. Pass NULL in the first parameter.

http://msdn.microsoft.com/en-us/library ... S.85).aspx
tzuk

raid
Posts: 58
Joined: Sat Aug 23, 2008 12:17 am
Location: TN, USA

Post by raid » Wed Sep 24, 2008 2:41 pm

tzuk wrote: I don't see Sandboxie as a malware research tool, so I'm not going to add features that are dedicated to malware research. Buster, I've already mentioned the InjectDll setting which would let you inject DLLs into sandboxed programs. All you need is to write a small DLL that hooks DeleteFile and prevents the deletion. Maybe you and guys can team up and figure out how to do that.
Perfectly understandable, tzuk. Although, Sandboxie does a fine job of assisting in malware research. You've really got one fantastic little program.

I will be purchasing a license for it very soon. You're a professional author and have gone out of your way as far as I'm concerned to answer my question.

Thanks again!
Everything is so different, yet I am the same...

dynarx
Posts: 174
Joined: Mon Apr 02, 2007 9:31 pm
Location: New South Wales, Australia

Post by dynarx » Wed Sep 24, 2008 8:20 pm

raid wrote: You've really got one fantastic little program.
Little it may be, but as we say round here, it's not the amount of code in the fight that counts, but the amount of fight in the code! :wink:

Just passing, don't mind me :D

Cheers, all.
Dynarx

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Sep 25, 2008 2:44 am

Would anyone be able to code the same stuff tzuk did, but in Delphi?

Ruhe
Posts: 803
Joined: Thu Jul 03, 2008 8:56 am
Location: Germany

Post by Ruhe » Thu Sep 25, 2008 2:54 am

I'm a home and hobby Delphi coder but always have problems reading this C/C++ stuff.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Sep 25, 2008 3:46 am

Ruhe wrote: I'm a home and hobby Delphi coder but always have problems reading this C/C++ stuff.
I'm in the same situation. :wink:

Ruhe
Posts: 803
Joined: Thu Jul 03, 2008 8:56 am
Location: Germany

Post by Ruhe » Sun Sep 28, 2008 7:30 am

After some tries, I'm not able to convert this code to Delphi.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Oct 01, 2008 5:47 am

http://www.megaupload.com/?d=EDI97UO3

There you can get a working DLL to avoid file deletion with source code included in Delphi.

I was unable to convert tzuk's code, so I used a hooking unit from another person.

tzuk: a question...

I tried to hook NtSetInformationFile from ntdll.dll, but Sandboxie refuses to inject the DLL and aborts opening a sandbox.

Why does it happen?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Oct 01, 2008 9:56 am

up!

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Oct 01, 2008 10:41 am

I don't know why it happens.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Oct 01, 2008 12:15 pm

Fixed, thanks!

What about NtSetInformationFile from ntdll.dll? Do you know why it happens?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Oct 02, 2008 5:26 pm

I don't know why it happens.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Oct 02, 2008 6:01 pm

Sorry, I thought you meant something else.

If I send you the DLL, could you check what's going wrong?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Oct 02, 2008 6:21 pm

No, Buster, I am sorry but I don't think it's a good idea for me to debug your DLL.
tzuk
