Feature to retain files

Ideas for enhancements to the software
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Aug 07, 2008 11:24 am

tzuk wrote: Buster, Sandboxie does not block API hooking, what are you talking about.

I just tried running sandboxed StraceNT and it works fine.

There is nothing that prevents you from writing a similar utility that intercepts the DeleteFile API and cancels the calls in some cases.

The method I know to do API hooking requires DLL injection, which is not allowed under Sandboxie.

I don't know how to intercept APIs in a manner Sandboxie allows.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Aug 07, 2008 6:07 pm

Once again you're making absolute claims, based on what? Obviously a sandboxed program can't inject code or data into a program running outside that sandbox. But within a sandbox, it is permitted.

You can put this setting in Sandboxie.ini:

InjectDll=c:\path\outside\sandbox\my.dll

This is a per-sandbox setting, so put it under [DefaultBox]. The DLL, which should be located outside the sandbox, will be loaded after all other statically-imported DLLs have loaded and initialized, but before the program itself begins execution.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Aug 07, 2008 7:35 pm

tzuk wrote: You can put this setting in Sandboxie.ini:

InjectDll=c:\path\outside\sandbox\my.dll

This is a per-sandbox setting, so put it under [DefaultBox]. The DLL, which should be located outside the sandbox, will be loaded after all other statically-imported DLLs have loaded and initialized, but before the program itself begins execution.

I added that line to my Sandboxie.ini but I still get the SBIE2103 error message. Don't know if I did something incorrect or if anything else fails.

If you want I can send the executable that launches the DLL and you verify if it can run under Sandboxie.

Let me know, please.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Fri Aug 08, 2008 10:37 am

Buster did you take the time to read the text in the message SBIE2103? It clearly states it denied an attempt to load a driver. You can either turn off this protection, or use some other tool that doesn't try to load a driver.

My suggestion with the InjectDll setting is that you can write your own DLL that intercepts the DeleteFile API (or whatever) and handle it in some custom way. For example, log or cancel some of the requests. And once you write such a DLL, what InjectDll can do for you is save you the trouble of coming up with a way to inject your DLL into a sandboxed program.

Which also means that if you don't care to write your own DLL, then InjectDll is probably not going to offer anything for you.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Aug 08, 2008 11:01 am

tzuk wrote: Buster did you take the time to read the text in the message SBIE2103? It clearly states it denied an attempt to load a driver. You can either turn off this protection, or use some other tool that doesn't try to load a driver.

My suggestion with the InjectDll setting is that you can write your own DLL that intercepts the DeleteFile API (or whatever) and handle it in some custom way. For example, log or cancel some of the requests. And once you write such a DLL, what InjectDll can do for you is save you the trouble of coming up with a way to inject your DLL into a sandboxed program.

Which also means that if you don't care to write your own DLL, then InjectDll is probably not going to offer anything for you.

Of course I read the message. I cannot turn off that protection because I am running malware, and that would not be a good idea. :wink:

I'm not sure I understand you. I already wrote my own DLL that intercepts file deletion and cancels some of the requests. The problem is using that DLL under Sandboxie, and I don't know any other way to do the same task without loading a driver.

From your comment I gather you suggest writing a DLL that does not use any way to inject itself, and using InjectDll to do that. That would be a valid option, but I don't know how to write such a DLL.

Any tip you can give me?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Fri Aug 08, 2008 11:07 am

This is too vague, but my first suggestion would be, load the driver outside the sandbox? It's not like you can load a driver on a per-process basis, a driver is something you can only load once into the system. So load it outside the sandbox. The code that uses the driver can still run in the sandbox.

In any case I have to go now so we can pick this up later on.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Aug 08, 2008 1:00 pm

tzuk wrote: This is too vague, but my first suggestion would be, load the driver outside the sandbox? It's not like you can load a driver on a per-process basis, a driver is something you can only load once into the system. So load it outside the sandbox. The code that uses the driver can still run in the sandbox.

In any case I have to go now so we can pick this up later on.

Let me know how to make it more concrete.

I loaded the DLL (it uses madCodeHook, you may have heard of it) outside the sandbox.

When I run a program (MALWARE.EXE) unsandboxed, my DLL does not allow the deletion of files by MALWARE.EXE. (All programs may delete files except MALWARE.EXE.)

When I run MALWARE.EXE sandboxed, my DLL does not take effect and files get removed from the sandbox contents folder.

I can send you the launcher for the DLL, the DLL and a MALWARE.EXE file example so you can check yourself that it's as I say.

Anyway, your method of writing a DLL that disallows file deletion and loading it through InjectDll sounds like a better method.

If you explain how to make it, I could write such a DLL so it could be used as a plugin.

This would also resolve the feature request of SJ2571.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sat Aug 09, 2008 3:52 pm

I am not familiar with madCodeHook. What I meant was rewriting user-mode exports like DeleteFileW so it branches to your code which can make a decision whether to call the old code or return a success status, in effect turning the request into a no-op.

Check this link, it may have some hints for you on how to get started with this concept:

http://forum.sysinternals.com/forum_posts.asp?TID=13138
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Aug 13, 2008 5:29 am

I could not use any information to write such a DLL, which does not mean the information is not there. Probably it's just me who doesn't know how to use it.

If anyone smarter is able to write a DLL that prevents deleting files inside a sandbox, they will be welcome.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Aug 13, 2008 11:19 am

Did you check out the Detours library from Microsoft?
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Aug 13, 2008 1:01 pm

tzuk wrote: Did you check out the Detours library from Microsoft?

Yes, I have been looking at Detours but I have no clue about how to write the required DLL.

If anyone were able to post an example of a working injectable DLL, it would be much easier.
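A worked example that serves both tzuk's description (Aug 9) of redirecting the user-mode export DeleteFileW to custom code that decides between calling the old code and returning success, and Buster's request just above for an injectable DLL example. This is added here and is not code from the thread, from Sandboxie or from Buster's project. It assumes Microsoft Detours is available at build time; the DLL name keepfiles.dll, the log path and the allow-list prefix are placeholders. The policy and log-formatting functions are portable C so they can be tested anywhere; the hook and DllMain are compiled only on Windows.

```c
/*
 * keepfiles.c: example hook DLL (added example, not from the thread).
 * Redirects DeleteFileW inside a sandboxed process with Microsoft Detours
 * (assumed available). Every request is logged; unless the path is on the
 * allow-list the hook reports success without deleting, so the file stays
 * in the sandbox for later analysis.
 *
 * Assumed build: cl /LD keepfiles.c detours.lib
 * Deploy:        InjectDll=c:\path\outside\sandbox\keepfiles.dll  under [DefaultBox]
 */
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Case-insensitive "does path start with prefix?" (Windows paths ignore case). */
static int has_prefix_ci(const wchar_t *path, const wchar_t *prefix)
{
    for (; *prefix; ++path, ++prefix) {
        if (!*path || towlower((wint_t)*path) != towlower((wint_t)*prefix))
            return 0;
    }
    return 1;
}

/* Constructed allow-list: deletions under these prefixes run unchanged
 * (a scratch directory the analyst does not care about). Everything else
 * is retained. */
static const wchar_t *const ALLOWED_PREFIXES[] = {
    L"C:\\Sandbox\\Scratch\\",
};

/* Returns 1 if the real DeleteFileW should run, 0 if the call becomes a no-op.
 * A NULL path is passed through so the real API returns its usual error. */
int deletion_allowed(const wchar_t *path)
{
    size_t i;
    if (path == NULL)
        return 1;
    for (i = 0; i < sizeof ALLOWED_PREFIXES / sizeof ALLOWED_PREFIXES[0]; ++i)
        if (has_prefix_ci(path, ALLOWED_PREFIXES[i]))
            return 1;
    return 0;
}

/* Formats one log record into out; returns the character count (excluding NUL). */
int format_log_line(char *out, size_t cap, const wchar_t *path, int allowed)
{
    return snprintf(out, cap, "DeleteFileW %s %ls",
                    allowed ? "ALLOWED" : "RETAINED",
                    path ? path : L"(null)");
}

#ifdef _WIN32
#include <windows.h>
#include <detours.h>

/* Trampoline to the original function; Detours rewrites this on attach. */
static BOOL (WINAPI *Real_DeleteFileW)(LPCWSTR) = DeleteFileW;

static void log_request(LPCWSTR path, int allowed)
{
    char line[1024];
    int n = format_log_line(line, sizeof line, path, allowed);
    FILE *f = fopen("C:\\Sandbox\\keepfiles.log", "a");   /* placeholder path */
    if (f) {
        if (n > 0)
            fprintf(f, "%s\n", line);
        fclose(f);
    }
}

/* Replacement for DeleteFileW: log, then either forward or report success. */
static BOOL WINAPI Hook_DeleteFileW(LPCWSTR path)
{
    int allowed = deletion_allowed(path);
    log_request(path, allowed);
    if (allowed)
        return Real_DeleteFileW(path);
    return TRUE;   /* caller sees success; the file is left in place */
}

BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (DetourIsHelperProcess())
        return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(inst);
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach((PVOID *)&Real_DeleteFileW, (PVOID)Hook_DeleteFileW);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach((PVOID *)&Real_DeleteFileW, (PVOID)Hook_DeleteFileW);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Loaded through InjectDll under [DefaultBox], the DLL runs inside every program in that sandbox and needs no driver, so it does not run into the SBIE2103 driver-load block discussed earlier in the thread. Its coverage is limited to calls that reach the DeleteFileW entry point; a deletion requested through another Win32 or native file API is not intercepted, which is why each request is logged: the RETAINED lines show what the hook actually caught, and comparing them with the sandbox contents shows what it missed.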

raid
Posts: 58
Joined: Sat Aug 23, 2008 12:17 am
Location: TN, USA

Post by raid » Mon Sep 22, 2008 3:15 am

Buster wrote: In my case I'd like the feature because I want to have the possibility of preventing sandboxed programs from deleting files.

Why?

Some malware, for whatever reason, aborts its installation on a system and deletes the extracted contents.

For me it would be pretty interesting to be able to keep the files that malware creates and tries to delete.

I believe other malware researchers would find that ability in Sandboxie interesting too.

That is exactly why I asked about it in the thread, keeping a sandboxed file from deleting...
http://www.sandboxie.com/phpbb/viewtopi ... 6734#26734
Everything is so different, yet I am the same...
