Sandboxie 4.02/4.04 not fully compatible with EMET 4.0

Listing issues addressed in beta version 4.05
dismaze
Posts: 8
Joined: Thu Jul 12, 2012 2:57 pm

Sandboxie 4.02/4.04 not fully compatible with EMET 4.0

Post by dismaze » Mon Jul 08, 2013 10:40 am

OS: Windows 7 32-bit

Sandboxie Version: 4.02/4.04

Problem: When using Sandboxie's right-click menu to start any program, even if the program is on the EMET list, EMET.dll still won't be loaded; but if I let Sandboxie open Windows Explorer first, then open the program, EMET.dll is loaded properly. The problem is the same as http://www.sandboxie.com/phpbb/viewtopic.php?t=15260

Also, even after adding SandboxieDcomLaunch.exe and SandboxieRpcSs.exe to the EMET list, EMET.dll won't be loaded and they will not be protected by EMET; but SbieCtrl.exe and SbieSvc.exe are OK and show as protected by EMET, which confuses me.

Please take a look at this problem, thank you.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Jul 08, 2013 10:49 am

In that topic that you linked I did fix (at the time) the same problem that you are describing here.
But I can check again specifically on 32-bit Windows 7.
Can you quote a specific version number for EMET?
tzuk

dismaze
Posts: 8
Joined: Thu Jul 12, 2012 2:57 pm

Post by dismaze » Mon Jul 08, 2013 11:22 am

OK, EMET version number is 4.0.4913.26122.

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Thu Jul 11, 2013 5:29 am

Regarding Google Chrome, Sandboxie prevents the injection of EMET.dll into the memory space of the parent process.
The injection of the DLL is instead allowed correctly for its child processes.

EMET 4.0.4913.26122
Sbxie 4.04
OS: 8x64

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Thu Jul 11, 2013 10:03 am

Hi, tzuk:
I observe the same behaviour even in the case of IE 10, where in fact the DLL is injected only within the slave (child) process... :(

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Thu Jul 11, 2013 10:14 am

Of course the child processes get it OK. Start.exe is not involved in starting them, which seems to be the problem!

Hasn't this been the case each time there's an issue...?
XP Home-as-Pro SP3 (Admin) w/ continued updates (Embedded/POSReady 2009)
> Permissions + "2-level" SRP, latest Sandboxie (Pro/registered), EMET 4, no anti-anything (ever)
Did I make tzuk crazed... in his last days? :o

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Jul 18, 2013 7:38 am

I looked into this and I can see the problem, but I don't know if I am going to fix it.

The thing is that I want to prevent the "application compatibility layer" DLL (AppHelp.dll) from loading into Sandboxie programs like Start.exe, because if one mistakenly sets the option "run this program in compatibility mode for another version of Windows" then it introduces strange problems in Sandboxie. This has happened in the past.

On the other hand, EMET is relying on that DLL to inject itself into programs, and therein lies the problem, because Start.exe does not load the AppHelp.dll.

Now one kind of fix is to run your browser as a forced program and then Start.exe is not involved and EMET DLLs are injected correctly, but I understand not everyone uses the forced program feature.

So a possible workaround is to create a special shortcut that uses an intermediate program. Right-click New > Shortcut on the desktop, then paste:

"C:\Program Files\Sandboxie\Start.exe" explorer "C:\Program Files\Internet Explorer\iexplore.exe"
So you're getting Explorer.exe to launch Internet Explorer (or whatever browser) and Explorer.exe will load AppHelp.dll and will inject EMET into the new process it is starting.

Hope this helps.
tzuk
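An added check, not code from the thread or from Sandboxie/EMET: it launches the browser through the Explorer intermediate exactly as the shortcut above does, then inspects the newly spawned process to confirm that EMET.dll was really mapped into it. The Start.exe and iexplore.exe paths are the ones from the post; the 30-second timeout and the function name are assumptions.

```powershell
# Added example (assumed names/paths), not from the thread. Runs the
# Start.exe -> explorer -> browser workaround and verifies EMET.dll is loaded.
function Test-EmetInjection {
    param(
        [string]$StartExe   = 'C:\Program Files\Sandboxie\Start.exe',            # path from the thread
        [string]$Target     = 'C:\Program Files\Internet Explorer\iexplore.exe', # path from the thread
        [int]   $TimeoutSec = 30                                                 # assumption
    )

    $procName = [IO.Path]::GetFileNameWithoutExtension($Target)
    # Remember PIDs that already exist so only the newly spawned process is inspected.
    $before = @(Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })

    # Same command line as the workaround shortcut. Without the "explorer" step,
    # Start.exe starts the target itself and, since Start.exe never loads
    # AppHelp.dll, EMET's shim-based injection does not happen.
    & $StartExe explorer $Target

    $spawned  = $null
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
        $spawned = Get-Process -Name $procName -ErrorAction SilentlyContinue |
                   Where-Object { $before -notcontains $_.Id }
        foreach ($p in $spawned) {
            try {
                # .Modules lists the DLLs mapped into the process; EMET.dll present
                # means the AppHelp.dll path worked for this launch.
                $hit = $p.Modules | Where-Object { $_.ModuleName -ieq 'EMET.dll' } |
                       Select-Object -First 1
            } catch {
                # Access denied, bitness mismatch between PowerShell and the target,
                # or the process exited mid-enumeration: poll again.
                continue
            }
            if ($hit) {
                return [pscustomobject]@{ ProcessId = $p.Id; EmetLoaded = $true; Module = $hit.FileName }
            }
        }
    }
    # Timed out: the process never appeared, or EMET.dll was never mapped into it.
    return [pscustomobject]@{ ProcessId = ($spawned | Select-Object -First 1).Id; EmetLoaded = $false; Module = $null }
}

Test-EmetInjection | Format-List
```

Run it from a PowerShell of the same bitness as the browser; otherwise the `.Modules` enumeration throws and the loop only ever takes the catch branch, reporting `EmetLoaded = $false` at the timeout.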

blasev
Posts: 20
Joined: Mon Apr 11, 2011 3:30 am

Post by blasev » Sun Jul 21, 2013 9:07 am

Thanks for the fix, confirmed to be working on Chrome + EMET 4.0.

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Mon Jul 22, 2013 4:44 pm

Following your hint, everything works as expected.

I was wondering though if it is an expected behaviour that explorer.exe is terminated automatically after a short time frame...

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Jul 23, 2013 2:58 am

Yes, sandboxed Explorer.exe will do that.
tzuk

nsb
Posts: 15
Joined: Fri Nov 16, 2012 1:34 pm

Post by nsb » Tue Jul 23, 2013 6:26 am

Thanks a lot, tzuk!

Although applying the workaround fixes the problem related to the browser, the problem remains in the case of downloading a PDF file.
Even if the player is EMETized, Sandboxie prevents the loading of the DLL inside the memory space of the reader...

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am

Post by ssj100 » Tue Jul 23, 2013 6:42 am

tzuk wrote:I looked into this and I can see the problem, but I don't know if I am going to fix it.

The thing is that I want to prevent the "application compatibility layer" DLL (AppHelp.dll) from loading into Sandboxie programs like Start.exe, because if one mistakenly sets the option "run this program in compatibility mode for another version of Windows" then it introduces strange problems in Sandboxie. This has happened in the past.

On the other hand, EMET is relying on that DLL to inject itself into programs, and therein lies the problem, because Start.exe does not load the AppHelp.dll.

Now one kind of fix is to run your browser as a forced program and then Start.exe is not involved and EMET DLLs are injected correctly, but I understand not everyone uses the forced program feature.

So a possible workaround is to create a special shortcut that uses an intermediate program. Right-click New > Shortcut on the desktop, then paste:

"C:\Program Files\Sandboxie\Start.exe" explorer "C:\Program Files\Internet Explorer\iexplore.exe"
So you're getting Explorer.exe to launch Internet Explorer (or whatever browser) and Explorer.exe will load AppHelp.dll and will inject EMET into the new process it is starting.

Hope this helps.
Sorry for potentially hijacking this thread, but I was wondering whether this workaround would also fix this issue:
http://www.sandboxie.com/phpbb/viewtopic.php?t=15797
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Jul 23, 2013 7:30 am

No, you're talking about injecting using Win32 hooks; EMET is injecting using the Windows compatibility layer.
tzuk

dismaze
Posts: 8
Joined: Thu Jul 12, 2012 2:57 pm

Post by dismaze » Tue Jul 23, 2013 10:17 am

Thanks for the workaround. But, although I know it is difficult, I still hope one day there is a normal way to use EMET 4 with Sandboxie 4 without using another workaround.

Also, can you please take a look at Malwarebytes Anti-Exploit? It has a similar problem, too.

All three products have the ability to protect the user from zero-day exploits; if the user can combine them together, I think it will be very effective at defending against bad things from the web.

dismaze
Posts: 8
Joined: Thu Jul 12, 2012 2:57 pm

Post by dismaze » Tue Aug 13, 2013 1:09 am

Running a browser under Sandboxie directly (without opening Windows Explorer), HitmanPro.Alert can inject its hmpalert.dll into the browser or any other process; that's really a surprise.
