Problems with HIDS


Moderator: Barb@Invincea

Unknown_User_750
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Problems with HIDS

Post by Unknown_User_750 » Sun Apr 22, 2007 5:27 am

Hi !!!

I had some problems with two different HIDS.

[1] RkUnhooker (http://rkunhooker1.narod.ru/)
RkU (kPl66.exe) can't run ... impossible to launch its driver.
[screenshot]
Do you know the reason?

Same version of RkU (v3.30) runs very well outside Sandboxie and detects all its hooks (hundreds).
[screenshots]
Any comment about those hooks? Do you know what botknopq.sys is?


[2] IceSword (http://mail2.ustc.edu.cn/~jfpan/)
The first time I tried to launch IceSword 1.20 inside Sandboxie, it ran without problem. The next times, a problem similar to that of RkU appeared: its driver can't be loaded.
[screenshot]
Do you know the reason?
IceSword 1.20 runs perfectly outside Sandboxie ...
[screenshot]

Kind regards.
@+ Txon.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Sun Apr 22, 2007 8:11 am

I guarantee you will be able to fix both problems by doing this:

1. Delete the contents of your SB
2. Edit your configuration and change this line "BlockDrivers=y" to "BlockDrivers=n"

One word of warning, though: enabling drivers in Sandboxie will weaken its security.

Unknown_User_750
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_750 » Sun Apr 22, 2007 12:21 pm

Thank you for this solution SnDPhoenix, I understand that enabling all the drivers in Sandboxie will weaken its security.
Is it possible in the future to allow selected drivers (to enable their corresponding software)?

I tested Sandboxie with a demonstration rootkit rku_demo - rkstart.exe (http://www.open-files.com/forum/index.p ... opic=31332).
Sandboxie blocks nothing, especially not its driver, which is the dangerous component.
[screenshot]
Fortunately, terminating sandboxed processes stops rku_demo. Congratulations, few tools are able to do it.

@+

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Sun Apr 22, 2007 1:09 pm

Well, glad it's working for you now, BUT I think you have the wrong idea about what Sandboxie is supposed to do. Sandboxie is NOT the same sort of software as System Safety Monitor; its purpose isn't to block certain programs from opening, or to block hooks, calls, rootkits etc. Its purpose is to enable you to run whatever you want without having to worry about it screwing up your real HD, because everything is contained inside of a sandbox (hence the name), so as long as it isn't leaking outside the sandbox, everything is fine.

Unknown_User_750
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_750 » Sun Apr 22, 2007 5:31 pm

I know nothing about System Safety Monitor (I just read it's a HIPS or something like that) and I know that Sandboxie is neither a HIDS nor a HIPS.

The problem is with all I "get" from the internet and store in the sandbox(es). Before transferring files to permanent disk storage I need to know what is dangerous, and that's difficult if I can't run utilities such as HIPS or HIDS to help me.

Kind regards.
@+

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Apr 22, 2007 6:55 pm

Unknown_User_750 wrote:
Sandboxie blocks nothing, especially not its driver, which is the dangerous component.

I wonder ... the screenshot shows RKSTART.EXE running, ok, but does this really mean a driver has been loaded into the system?
tzuk

Unknown_User_750
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_750 » Mon Apr 23, 2007 12:12 am

Hi tzuk !

Yes, the driver RKdemo12.sys is loaded in the kernel.
It emits a significant sound. It is perfectly audible.

You can try it. It is not really dangerous: it's just a demo rootkit.
You can test another one ... Unreal.A, developed by the same team.

@+

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Apr 23, 2007 7:04 pm

Unknown_User_750 wrote:
Yes, the driver RKdemo12.sys is loaded in the kernel.

Maybe the driver was already loaded by the time RKSTART runs sandboxed?

I'm asking because some months ago, a year maybe ... there was this same thing with IceSword. Someone said they could start IceSword sandboxed and use it freely.

As it turned out, what happened was that IceSword was used once outside the sandbox, which pre-loaded the driver. So even the sandboxed IceSword could use it.

Maybe with RKSTART the same thing is happening.

Unknown_User_750 wrote:
You can try it. It is not really dangerous: it's just a demo rootkit.

I am interested, but I can't download stuff from that forum. It wants registration and I can't figure out if there is a way to register. If your answer to my first question is negative, then can you send me the file by email?
tzuk
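A way to rule out the pre-loaded-driver explanation tzuk raises above, before a sandboxed test is run. This is an added example, not code from the thread, from Sandboxie or from any of the tools named in it; it assumes PowerShell 3 or later (for Get-CimInstance) and that the demo driver registers a service named RKdemo12, which is a guess taken from the file name RKdemo12.sys in the thread and must be replaced with the real service name of whatever driver is under test.

```powershell
# Added example (not from the thread): before launching a driver-backed tool inside
# the sandbox, check whether its kernel driver is already loaded. If it is, a
# sandboxed run will simply reuse it and says nothing about Sandboxie's blocking.
# The service name 'RKdemo12' is assumed from the file name RKdemo12.sys in the thread.
param(
    [string]$DriverName = 'RKdemo12'
)

function Get-NormalizedDriverPath([string]$Path) {
    # Service image paths come in several spellings; fold them to a plain Win32 path
    # so the "outside the Windows directory" heuristic below compares like with like.
    if (-not $Path) { return $null }
    $p = $Path -replace '^\\\?\?\\', ''                  # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\... -> C:\WINDOWS\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }   # relative to windir
    return $p
}

# Win32_SystemDriver enumerates kernel-mode driver services with their current state.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"

if ($null -eq $drv) {
    "No driver service named '$DriverName' is registered: a sandboxed load attempt is a genuine test."
}
elseif ($drv.State -eq 'Running') {
    "Driver '$DriverName' is already loaded from $(Get-NormalizedDriverPath $drv.PathName): sandboxed runs will reuse it and prove nothing."
}
else {
    "Driver '$DriverName' is registered but not running (state: $($drv.State))."
}

# Rough triage of everything currently loaded: running drivers whose image lives
# outside the Windows directory are the ones worth a second look (an unexpected
# .sys such as the thread's botknopq.sys would surface here). This is a location
# heuristic only, not a signature or integrity check.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Get-NormalizedDriverPath $_.PathName
        if ($path -and ($path -notlike "$env:SystemRoot\*")) {
            [pscustomobject]@{ Name = $_.Name; Path = $path; StartMode = $_.StartMode }
        }
    } |
    Sort-Object Name
```

Run it once with the driver's service name before starting the sandboxed tool; if the first report says the driver is already running, unload or reboot first, otherwise a "works sandboxed" result only shows that a driver loaded earlier outside the sandbox is reachable from inside it, exactly the IceSword case described above.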

Unknown_User_750
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_750 » Tue Apr 24, 2007 4:04 pm

Hi !

Thanks for your answer tzuk.

[1] IceSword.
You may be right. I don't remember if I launched IceSword outside Sandboxie and then closed it before trying it inside Sandboxie.
I'll repeat the test in a few days.
[2] rku_demo.
I'm quite sure I launched it directly inside Sandboxie, but I'll try it again in a new test. I'll also try the rootkit Unreal.A.

Have you tried to launch any rootkits such as Vanquish, fhide, pe386 ... inside Sandboxie? (SnDPhoenix, I know that Sandboxie isn't System Safety Monitor).

Which software is prohibited in Sandboxie? What are the rules of prohibition? Are all the intrusions into the kernel blocked?

What about the numerous Sandboxie hooks shown by RkUnhooker?

Kind regards.
Txon.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Apr 24, 2007 6:20 pm

Unknown_User_750 wrote:
Which software is prohibited in Sandboxie? What are the rules of prohibition? Are all the intrusions into the kernel blocked?

Have you tried to launch any rootkits such as Vanquish, fhide, pe386 ... inside Sandboxie? (SnDPhoenix, I know that Sandboxie isn't System Safety Monitor).

Sandboxie strips the privileges needed to start drivers. For the purpose of loading a driver into the system, it's as if the sandboxed program is running under a limited user account.

I have not played extensively with rootkits, but I've tested Sandboxie with some drivers, enough to make sure that what I said in the paragraph above works.

But if I'm wrong and your rootkit demo/whatever does circumvent this protection, then I'd like to see it and fix it.

Unknown_User_750 wrote:
What about the numerous Sandboxie hooks shown by RkUnhooker?

They're user-mode hooks. There are no kernel-mode SSDT hooks in Sandboxie. The protection is implemented some other way.
tzuk
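A way to observe the privilege stripping tzuk describes above from the inside of a sandboxed process. This is an added example, not code from the thread or from Sandboxie; it relies only on the Windows whoami utility, and the Sandboxie launch line in the usage note (Start.exe with /box:, the install path and the box name DefaultBox) is an assumption about a typical installation, not something the thread states.

```powershell
# Added example (not from the thread): report whether the current process token
# carries SeLoadDriverPrivilege, which a process needs in order to load a kernel
# driver through the Service Control Manager. Run it once normally and once inside
# the sandbox; tzuk's description predicts the sandboxed report will lack it, the
# same way a limited user account does.
function Test-LoadDriverPrivilege {
    # whoami /priv lists the token's privileges; /fo csv makes the output parseable.
    # The CSV columns are "Privilege Name", "Description" and "State".
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $load  = $privs | Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' }

    # 'Disabled' is normal for an interactive administrator token: the privilege is
    # present and can be enabled on demand. 'absent' means it is not in the token
    # at all, so the driver-load path is closed regardless of the account's rights.
    $state = if ($load) { $load.State } else { 'absent' }

    [pscustomobject]@{
        User            = (whoami)
        ProcessId       = $PID
        PrivilegeCount  = @($privs).Count
        HasLoadDriver   = [bool]$load
        LoadDriverState = $state
    }
}

Test-LoadDriverPrivilege | Format-List
```

Save it as Test-LoadDriverPrivilege.ps1, run it from a normal console, then run the same file through Sandboxie (assumed launch line: "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox powershell.exe -File .\Test-LoadDriverPrivilege.ps1) and compare the two reports: the same user name with a smaller PrivilegeCount and LoadDriverState = absent is what "strips the privileges needed to start drivers" looks like at the token level. The check only covers the privilege; it does not by itself prove that every other route to loading a driver is closed, which is the question the rku_demo test in this thread is trying to answer.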
