SYSENTER/interrupt 2Eh System Call Blocking

Ideas for enhancements to the software
Post Reply
MessageBoxA
Posts: 17
Joined: Wed Dec 29, 2010 2:53 pm

SYSENTER/interrupt 2Eh System Call Blocking

Post by MessageBoxA » Wed Mar 30, 2011 8:40 pm

tzuk,

Thanks for this great piece of software. I am a security researcher and I have been using your product for a number of years for researching/reversing/analyzing malware. I have a swarm of 12 automated honey pots which spider around the net collecting viri/trojan/rootkit. Your sandbox is running on all of the servers. :)

Anyway I have some suggestions for you to consider:

1.) I would like to be able to block specific ntoskrnl and win32k system calls. It would be great if I could add something like this into the INI:

Block_SysCall 0x121b, 0xbf, 0x184

2.) Some of my honey pots are running a custom 'Windows Embedded' based on the XP kernel. It would be great if SandBoxie patched KiUserExceptionDispatcher and verified the exception chain. This would be analogous to the Microsoft SEHOP implementation in >= Vista operating systems.

I have a few more ideas but most of them can be accomplished with your SBIE DLL API.

Thanks for listening. :)

-MessageBoxA

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Mar 31, 2011 8:54 am

Your first suggestion is not going to be possible on 64-bit Windows thanks to PatchGuard. On the one hand it prevents code hooks on KiFastSystemCallEntry (if I have the name right), on the other hand it prevents modifications to the system MSR register, which says where SYSENTER jumps to. And as far as I know there isn't an official interface for syscall hooking. So basically you're asking me to develop a 32-bit-only feature, and with 32-bit fading away, slowly but surely, I'm sorry, but I don't think it is a good investment of my time.

It would seem the same rationale also applies to some extent to your second suggestion, where you want me to develop a feature for XP which already exists on more recent versions of Windows.

And on a more general note, I don't see the direct relevance of these features to Sandboxie. I did not design Sandboxie as a malware analysis tool, and while it is possible to use Sandboxie for that, I will probably not be developing features that have little or no use, other than malware analysis.
tzuk

MessageBoxA
Posts: 17
Joined: Wed Dec 29, 2010 2:53 pm

Post by MessageBoxA » Fri Apr 01, 2011 7:51 pm

tzuk,

I can see your point and completely understand. Unfortunately thanks to PatchGuard my only option on 64 bit Vista+ is to bootkit my workstations and servers. It makes me wonder if a commercial bootkit would be a useful security product.

Its just that several times each year I have 3-4 zero-day exploits/privilege escalation in my possession and sometimes they take as long as 4-5 months to be patched in some cases. Through some experimentation I have discovered that I can prevent some of these exploits by assigning the number of system calls available to specific applications on an as-needed basis.

Thanks for listening,
-MessageBoxA

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests