Block Process Access

Utilities designed for use with Sandboxie
Homi Hesumaki
Posts: 4
Joined: Thu Oct 06, 2011 6:41 pm

Dont know what to do

Post by Homi Hesumaki » Sat Oct 08, 2011 12:44 pm

Hi guys, I'm very new to this. I realized that there's a DLL we can download before this will work. Where is the DLL to download? =o Or am I missing out on something?

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Sat Oct 08, 2011 12:59 pm

Are you serious? Everything you need is in the first post, and additional documentation is in the download.

Homi Hesumaki
Posts: 4
Joined: Thu Oct 06, 2011 6:41 pm

Post by Homi Hesumaki » Sat Oct 08, 2011 2:21 pm

LOL sorry! Well, I see 3 links on your 1st post that I can download from.

1. x86 VC
2. x64 VC
3. the testing program

I thought there was a DLL file I can download? =o~

MaAtKo

Password

Post by MaAtKo » Fri Oct 28, 2011 4:00 pm

Hi guys,
I downloaded sbiextra v1.0.0.17, but it asks for a password. How do I get that one? Thanks in advance.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Password

Post by Buster » Sat Oct 29, 2011 3:30 am

MaAtKo wrote: Hi guys,
I downloaded sbiextra v1.0.0.17, but it asks for a password. How do I get that one? Thanks in advance.
Look at the file name and make a guess...

sbiextra_1.0.0.17_pass=zer0dev.zip

sjd
Posts: 24
Joined: Sun Jan 31, 2010 12:16 pm

Post by sjd » Sun Oct 30, 2011 12:03 pm

wraithdu wrote:Have you installed the VC++ 2010 runtimes as the first post mentions? If so, you'll have to start a bug report thread as to why Sandboxie is not seeing that installation for injected DLLs.
I did install the VC runtimes and ran a repair just to be sure it installed correctly. The problem still exists so I'll post in the Problem Report board as you suggested. Thanks.

dontbotherme
Posts: 1
Joined: Wed Feb 08, 2012 8:43 am

Post by dontbotherme » Wed Feb 08, 2012 9:33 am

The tasklist command can't be blocked. If the program uses a pipe to get the result, it can also get the process list. How do I prevent that?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Feb 08, 2012 10:59 am

dontbotherme wrote: The tasklist command can't be blocked. If the program uses a pipe to get the result, it can also get the process list. How do I prevent that?
It's not possible to do it from inside. You must run something like HideDriver in the real system and hide the processes you want from there.

Note: HideDriver only works under 32-bit.

mede5

Re: Block Process Access

Post by mede5 » Wed Feb 29, 2012 9:40 pm

wraithdu wrote: sbiextra v1.0.0.17
(md5: 4b1705e8cb98ffddb970b8426bfdc772)
wraithdu, I don't know if you're still following this thread, but if you do please have a look at this:

$ wget http://zer0dev.com/dld/download.php?id=5
--2012-02-29 21:36:58--  http://zer0dev.com/dld/download.php?id=5
Resolving zer0dev.com... 69.163.150.234
Connecting to zer0dev.com|69.163.150.234|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: ../files/Sandboxie/sbiextra_1.0.0.17_pass=zer0dev.zip [following]
--2012-02-29 21:36:58--  http://zer0dev.com/files/Sandboxie/sbiextra_1.0.0.17_pass=zer0dev.zip
Reusing existing connection to zer0dev.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 628764 (614K) [application/zip]
Saving to: `sbiextra_1.0.0.17_pass=zer0dev.zip'

100%[======================================>] 628,764     94.5K/s   in 7.1s    

2012-02-29 21:37:05 (87.1 KB/s) - `sbiextra_1.0.0.17_pass=zer0dev.zip' saved [628764/628764]

$ md5sum sbiextra_1.0.0.17_pass\=zer0dev.zip 
6fb1279b90af37b9bbd4cd926b73e3c9  sbiextra_1.0.0.17_pass=zer0dev.zip
$ sha1sum sbiextra_1.0.0.17_pass\=zer0dev.zip 
a40f18ba914e9aa55f36e4c0858c39fe3e5fcd12  sbiextra_1.0.0.17_pass=zer0dev.zip
As I'm sure you can easily tell, the md5 sum does not match the one you listed here... ?

HolySimpsons
Posts: 20
Joined: Thu Mar 25, 2010 8:36 am

Post by HolySimpsons » Sat Mar 03, 2012 12:13 pm

Hello there,

at first I wanna thank you very much for your efforts, wraithdu!!!


I've got a little question..
When I have installed both runtime libraries and added both DLLs, will spyware in one sandbox not be able to find emails downloaded (e.g. by Thunderbird) in another sandbox?
In other words, it makes one sandbox secure from attacks from another, right?
It might not have been the purpose, but it should work, shouldn't it?

I might delete all sensitive data outside sandboxes and transfer it into a safe sandbox. After that the malware from another sandbox wouldn't have any chance to steal any of that sensitive data, right?
If that works, this is a great advantage for the security issues of sandboxie.

nevermind

Post by nevermind » Thu Mar 08, 2012 7:35 pm

HolySimpsons wrote: I might delete all sensitive data outside sandboxes and transfer it into a safe sandbox. After that the malware from another sandbox wouldn't have any chance to steal any of that sensitive data, right?
I'm not sure why you expect malware in any of your sandboxes, but if you get any in a sandbox which injects sbiextra.dll then it should not be able to access the memory of any other process outside its own sandbox - that includes the host processes. So if you limit file access in that malware-prone sandbox so that it can't access your "sensitive" stuff, you should be fine without running them in a separate sandbox - unless you want it that way.

Now if only wraithdu could comment on the different md5sum above...

nevermind

MD5 fingerprint mismatch and antivirus scans

Post by nevermind » Thu Mar 08, 2012 7:51 pm

nevermind wrote:Now if only wraithdu could comment on the different md5sum above...
Hmmmm... what do you think about this? After extracting the password-protected .zip archive:

https://www.virustotal.com/file/b68d905 ... /analysis/

SHA256: b68d9059c59d1f3ede5d9aaebb17f18754c669ace3acbf34eda337bf278869f1
File name: sbiextra_1.0.0.17.zip
Detection ratio: 4 / 43
Analysis date: 2011-09-30 10:09:35 UTC ( 5 months, 1 week ago )

Antivirus          Result                   Update
Comodo             UnclassifiedMalware      20110929
eTrust-Vet         Win32/YahLover.HidI_I    20110930
McAfee             Artemis!EB96CBE7887D     20110930
McAfee-GW-Edition  Artemis!EB96CBE7887D     20110930

nevermind

Re: MD5 fingerprint mismatch and antivirus scans - UPDATE

Post by nevermind » Thu Mar 08, 2012 8:03 pm

Looks like the md5sum listed in the 1st post corresponds to the .zip archive within the password-protected .zip archive:

$ md5sum sbiextra_1.0.0.17.zip 
4b1705e8cb98ffddb970b8426bfdc772 *sbiextra_1.0.0.17.zip
Also, a rescan on VirusTotal generates 2 warnings:
https://www.virustotal.com/file/b68d905 ... 331254566/

Jotti generates one warning:
http://virusscan.jotti.org/en/scanresul ... 5cf39c713f
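The mismatch mede5 saw and the explanation above (the published md5 belongs to the release zip nested inside the password-protected wrapper) boil down to hashing the right artifact. The following is an added example, not code from wraithdu or this thread: it hashes an outer archive and every .zip member inside it and reports which one a published md5 matches. The archive contents are constructed for the demo; a real password-protected wrapper would need its password passed as pwd, and only legacy ZipCrypto is supported by the standard library.

```python
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple


def digests(data: bytes) -> Dict[str, str]:
    """md5, sha1 and sha256 hex digests of a byte string."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def nested_members(outer: bytes, pwd: Optional[bytes] = None) -> Dict[str, Dict[str, str]]:
    """Digests of every .zip member stored inside the outer archive.
    pwd is handed to zipfile for ZipCrypto-protected members (AES archives raise)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(outer)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".zip"):
                found[info.filename] = digests(zf.read(info, pwd=pwd))
    return found


def check_release(outer: bytes, expected_md5: str, pwd: Optional[bytes] = None) -> str:
    """Return 'outer', the nested member name the md5 matches, or 'none'."""
    if digests(outer)["md5"] == expected_md5.lower():
        return "outer"
    for name, d in nested_members(outer, pwd).items():
        if d["md5"] == expected_md5.lower():
            return name
    return "none"


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed sample: a fake release zip wrapped in an outer zip,
    mirroring sbiextra_1.0.0.17.zip inside sbiextra_1.0.0.17_pass=zer0dev.zip."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sbiextra.dll", b"not a real dll, constructed sample bytes")
        z.writestr("readme.txt", b"constructed readme")
    inner = inner_buf.getvalue()
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("sbiextra_1.0.0.17.zip", inner)
    return outer_buf.getvalue(), inner


if __name__ == "__main__":
    outer, inner = build_sample()
    print("outer md5:", digests(outer)["md5"], "inner md5:", digests(inner)["md5"])
    print("published md5 matches:", check_release(outer, digests(inner)["md5"]))
```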

needsomehelpplease

sbiextra not working - no idea why

Post by needsomehelpplease » Thu Mar 08, 2012 10:00 pm

I used to inject sbieinj.dll in all my sandboxes on my old win xp sp2 machine and it worked great - thanks wraithdu!

Had to reinstall OS from scratch, I updated to SP3, new Sandboxie, new everything... unfortunately now sbiextra.dll doesn't seem to work and I am running out of ideas why :(

Current setup:

Win XP SP3 x86
Microsoft Visual C++ 2010 x86 Redistributable 10.0.40219

Sandboxie 3.64
sbiextra v1.0.0.17 with correct InjectDll line for default sandbox in Sandboxie.ini, ShowDebugInfo set to 1 in sbiextra.ini
system rebooted

DbgView started, Capture Win32, Kernel and Events set to on
Calculator started outside any sandbox
cmd.exe started inside default sandbox
injtest.exe <pid_of_calculator> started from cmd.exe inside default sandbox - it can read process handle, memory, list window names...
DbgView window remains empty all the time - absolutely nothing at all

Can anybody suggest what may be wrong? :(

needsomehelpplease

Re: sbiextra not working - no idea why

Post by needsomehelpplease » Fri Mar 23, 2012 10:16 am

Ok, so 2 weeks have passed... anybody...?
