Block Process Access
When I run injtest.exe 4032 (wow.exe) I get this:
"The procedure entry point RegGetValueW could not be located in ADVAPI32.dll"
System-Wide process/thread snapshot handle:
0x00000114
Data Read from process [4032]:
0x4D5A90000300000004000000FFFF0000
Process module snapshot handle:
0x00000128
Hope this helps.
@wraithdu
I have no idea what that process is - it's strange... the ID that appears in the debug view doesn't seem to exist in either sandboxie or task manager. (I tried a few times, each time the ID doesn't exist)
Regarding the latest version, explorer does run now, but it starts up with an error "The procedure entry point RegGetValueW could not be located in the dynamic link library ADVAPI32.dll". Both SandboxieRpcSs.exe and SandboxieDcomLaunch.exe are running, and the explorer window is visible and functioning.
That would still be fine, except that the process blocking function does not seem to work anymore (even with other programs besides explorer.exe). I am now able to access unsandboxed processes even while inside the sandbox. Previously, the explorer.exe didn't work but the process blocking functions did.
I've tried v1.0.0.3 and now there are no errors at all. However, the process blocking function is not working (Task Manager can view unsandboxed processes, and the sandboxed processes can access unsandboxed processes).
DbgView no longer provides any useful information, only one line.
[3084] Sandboxie path: "C:\Program Files\Sandboxie\
=============================
To give an overview, here are the tried and tested results of all the versions.
v1.0.0.1 (First One)
Processes That Didn't Work - SandboxieRpcSs.exe and SandboxieDcomLaunch.exe
Explorer Functioning? - No
Process Reading Protected - Yes! (Sandboxed processes could not access unsandboxed processes)
v1.0.0.1 (Second One)
Processes That Didn't Work - SandboxieDcomLaunch.exe only
Explorer Functioning? - No
Process Reading Protected - Yes! (Sandboxed processes could not access unsandboxed processes)
v1.0.0.2
Processes That Didn't Work - All Processes Working
Explorer Functioning? - Yes (But with the error message "The procedure entry point RegGetValueW could not be located in the dynamic link library ADVAPI32.dll")
Process Reading Protected - No! (Sandboxed processes WERE ABLE TO access unsandboxed processes)
v1.0.0.3
Processes That Didn't Work - All Processes Working
Explorer Functioning? - Yes (No visible error messages)
Process Reading Protected - No! (Sandboxed processes WERE ABLE TO access unsandboxed processes)
Something must have broken the process protection between version 1.0.0.1 (second one) and 1.0.0.2.
Yeah, I'm aware of the progression of things. I just don't have an XP system to test, and Sandboxie won't install in my VirtualBox VM.
Your last results mean the DLL is not injected into the process, which is why the tests succeed/fail, depending how you look at it. The installation path to Sandboxie is found, so I don't know why yet. Try v1.0.0.4, and let's see if the sandboxie processes are enumerated correctly.
EDIT - I just noticed a " mark hiding in your output there. That might be the problem. Go ahead and test 1.0.0.4 anyway cause I want to see the output, but odds are it still won't work correctly.
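The stray quote mark referred to above is what you get when an installer writes a path value wrapped in double quotes and the reader compares it verbatim against unquoted process image paths: nothing matches, so no process is recognised as a Sandboxie binary. The following is an added example, not wraithdu's DLL code, of deriving the install directory from such a value and doing the comparison the way Windows does (case-insensitively). The input value and the candidate image paths are constructed for the example; the assumption that the DLL derives its "Sandboxie path" from a quoted ImagePath-style value is mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Turn a value such as "C:\Program Files\Sandboxie\SbieSvc.exe" (quotes
   included, as installers often write it) into the directory the binary
   lives in, keeping the trailing backslash.
   Returns 1 on success, 0 if there is no directory part or `out` is too small. */
int install_dir_from_image_path(const char *value, char *out, size_t cap) {
    size_t len = strlen(value);
    /* Drop exactly one matched pair of surrounding double quotes. */
    if (len >= 2 && value[0] == '"' && value[len - 1] == '"') {
        value++;
        len -= 2;
    }
    const char *last = NULL;
    for (size_t i = 0; i < len; i++)
        if (value[i] == '\\') last = value + i;
    if (last == NULL) return 0;
    size_t dirlen = (size_t)(last - value) + 1;   /* include the backslash */
    if (dirlen + 1 > cap) return 0;
    memcpy(out, value, dirlen);
    out[dirlen] = '\0';
    return 1;
}

/* Case-insensitive prefix test: NTFS path lookups ignore case, so the
   allowlist comparison has to as well. */
static int has_prefix_icase(const char *prefix, const char *s) {
    for (; *prefix != '\0'; prefix++, s++)
        if (tolower((unsigned char)*prefix) != tolower((unsigned char)*s)) return 0;
    return 1;
}

/* 1 if image_path names a binary inside the given Sandboxie directory. */
int is_sbie_image(const char *sbie_dir, const char *image_path) {
    return has_prefix_icase(sbie_dir, image_path);
}

/* Both steps together: derive the directory from the (possibly quoted)
   value, then test a candidate image path against it. */
int image_is_in_install_dir(const char *image_path_value, const char *candidate) {
    char dir[260];
    if (!install_dir_from_image_path(image_path_value, dir, sizeof dir)) return 0;
    return is_sbie_image(dir, candidate);
}

/* Returns the derived directory in a static buffer ("" on failure). */
const char *derived_dir(const char *image_path_value) {
    static char dir[260];
    if (!install_dir_from_image_path(image_path_value, dir, sizeof dir)) dir[0] = '\0';
    return dir;
}

int main(void) {
    /* Constructed inputs modelled on the paths in this thread. */
    const char *value = "\"C:\\Program Files\\Sandboxie\\SbieSvc.exe\"";
    const char *candidates[] = {
        "C:\\Program Files\\Sandboxie\\SandboxieRpcSs.exe",
        "c:\\program files\\sandboxie\\start.exe",
        "C:\\WINDOWS\\explorer.exe",
    };
    printf("Sandboxie path: %s\n", derived_dir(value));
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%s -> %s\n", candidates[i],
               image_is_in_install_dir(value, candidates[i]) ? "SBIE proc" : "not an SBIE proc");
    return 0;
}
```

Note that `is_sbie_image("\"C:\\Program Files\\Sandboxie\\", ...)` with the quote left in place matches nothing, which is the failure mode the stray quote causes. A directory-prefix allowlist is only as strong as the write protection on that directory, so it relies on the install directory not being writable by sandboxed code.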
I'm getting similar results to what I posted before, using the injtest.exe from within my sandbox and specifying another sandboxed calc.exe as well as an unsandboxed one.
I'm taking a wild guess and thinking that when it says "Data Read from Process [xxx]:" that it should be all 0's or say that it could not be read right?
I'm still getting
Data Read from process [2628]:
0x4D5A90000300000004000000FFFF0000
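The bytes in that "Data Read" line are not arbitrary: 4D 5A is the "MZ" magic that every PE image begins with, and the 16 bytes are the start of the IMAGE_DOS_HEADER at the target's image base, so a dump that looks like this means NtReadVirtualMemory went through. The following is an added example, not part of injtest or the original posts, that parses such a dump and decodes the header fields that fit in 16 bytes; the all-zero comparison input is constructed, and what injtest prints when a read is actually blocked is not documented in this thread, so the check only says whether a genuine header came back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a "0x4D5A..." dump into raw bytes. Returns the byte count, or 0 if
   the string is malformed (non-hex or odd digit count) or too long. */
size_t parse_hex_dump(const char *s, unsigned char *out, size_t cap) {
    size_t n = 0;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
    while (s[0] != '\0' && s[1] != '\0') {
        int hi = hexval((unsigned char)s[0]);
        int lo = hexval((unsigned char)s[1]);
        if (hi < 0 || lo < 0 || n >= cap) return 0;
        out[n++] = (unsigned char)(hi * 16 + lo);
        s += 2;
    }
    return (s[0] == '\0') ? n : 0;
}

/* IMAGE_DOS_HEADER fields are little-endian 16-bit values. */
static uint16_t le16(const unsigned char *b) {
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Byte offsets of the DOS header fields that fit in a 16-byte read. */
enum { E_MAGIC = 0, E_CBLP = 2, E_CP = 4, E_CRLC = 6,
       E_CPARHDR = 8, E_MINALLOC = 10, E_MAXALLOC = 12 };

/* 1 if the buffer starts with the 0x5A4D ("MZ") magic of a PE image. */
int looks_like_dos_header(const unsigned char *b, size_t n) {
    return n >= 2 && le16(b + E_MAGIC) == 0x5A4D;
}

/* One 16-bit DOS header field from a dump, or -1 if the dump is not a
   header or is too short to contain that field. */
int dos_header_field(const char *dump, int offset) {
    unsigned char buf[64];
    size_t n = parse_hex_dump(dump, buf, sizeof buf);
    if (!looks_like_dos_header(buf, n) || (size_t)offset + 2 > n) return -1;
    return le16(buf + offset);
}

/* Verdict for one "Data Read from process" line: 1 = a real image header
   came back (the read succeeded), 0 = not a header. */
int read_returned_image_header(const char *dump) {
    unsigned char buf[64];
    size_t n = parse_hex_dump(dump, buf, sizeof buf);
    return looks_like_dos_header(buf, n);
}

int main(void) {
    /* Constructed inputs: the dump posted above, and an all-zero buffer for contrast. */
    const char *posted = "0x4D5A90000300000004000000FFFF0000";
    const char *zeros  = "0x00000000000000000000000000000000";
    printf("%s -> %s\n", posted,
           read_returned_image_header(posted) ? "MZ header, read succeeded" : "not a PE header");
    printf("%s -> %s\n", zeros,
           read_returned_image_header(zeros) ? "MZ header, read succeeded" : "not a PE header");
    printf("e_cp=%d e_cparhdr=%d e_maxalloc=0x%X\n",
           dos_header_field(posted, E_CP),
           dos_header_field(posted, E_CPARHDR),
           dos_header_field(posted, E_MAXALLOC));
    return 0;
}
```

For the dump in this thread the decoded fields are e_cp=3, e_cparhdr=4 and e_maxalloc=0xFFFF, the values of the standard DOS stub that the linker puts in front of every PE file; seeing them for an unsandboxed target means the block is not in effect for that caller.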
I tried out 1.0.0.5 on my XP system at home, and I can get explorer.exe to open successfully, and the process blocking works. However I can't launch any programs or files from within a sandboxed explorer or cmd prompt. I'm not sure exactly why, but it surely has to do with the blocks in place. Do you guys get the same behavior?
I also see that non-existing PID in the Dbgview log. I'm guessing it is the PID of the new process which hasn't been fully created yet. Since it doesn't really exist yet, the DLL flags it as not-sandboxed and denies access. This probably causes CreateProcess to fail. I don't know how to work around that at the moment.
But ForcedProcess works, and anything started via Start.exe works as well.
I get
SBIE2313 - Could not execute SandboxieRpcSs.exe
and
SBIE2204 Cannot start sandboxed service RpcSs
When trying to run windows explorer.
Injtest returns the same values on sandboxed and nonsandboxed applications.
Me personally, I am fine not being able to run explorer - I figure that's the first thing something is going to try and hijack so I'll be keeping this version
EDIT - Ok, so I finally got the errors you've described trying to run Firefox. Strange that it doesn't happen for the same programs on all systems. At this point, I don't have a solution. I have an idea for a possible cause that I'm running by tzuk in the hopes he'll have some insight. But as it is now, the DLL is functioning as designed. The key here is this unknown PID that keeps showing up in the Dbgview log and gets blocked.
I'll keep everyone posted on progress.
hi,
I've tested out v1.0.0.5. I'm getting the same errors as thantik, "SBIE2313 - Could Not Execute SandboxieRpcSs.exe" and "SBIE2204 - Cannot Start Sandboxed Service RpcSs". All in all, the functionality seems to be similar to v1.0.0.1
Process blocking does work, but explorer does not open.
DbgView output a lot of information this time round.
[7624] "C:\Program Files\Sandboxie\SbieSvc.exe"
[7624] C:\Program Files\Sandboxie\SbieSvc.exe
[7624] Sandboxie path: C:\Program Files\Sandboxie\
[7624] C:\Program Files\Sandboxie\SandboxieBITS.exe
[7624] C:\Program Files\Sandboxie\SandboxieCrypto.exe
[7624] C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
[7624] C:\Program Files\Sandboxie\SandboxieEventSys.exe
[7624] C:\Program Files\Sandboxie\SandboxieRpcSs.exe
[7624] C:\Program Files\Sandboxie\SandboxieWUAU.exe
[7624] C:\Program Files\Sandboxie\SbieCtrl.exe
[7624] C:\Program Files\Sandboxie\SbieSvc.exe
[7624] C:\Program Files\Sandboxie\Start.exe
[7624] C:\WINDOWS\explorer.exe
[7624] Target proc is not an SBIE proc.
[7624] ----------
[7624] Injected into process: [7624] C:\WINDOWS\explorer.exe
[7624] Pointers:
[7624] SbieDll_Hook: 7D22BA00
[7624] SbieApi_QueryProcess: 7D2454A0
[7624] pNtOpenProcess: 00DF0BD0
[7624] pNtReadVirtualMemory: 00DF0BF0
[7624] pNtQuerySystemInformation: 00DF0C10
[7624] pCreateToolhelp32Snapshot: 00DF0C30
[7624] ----------
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtReadVirtualMemory intercepted
[7624] Allowing NtReadVirtualMemory
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtOpenProcess intercepted
[7624] Target PID: 7624
[7624] Allowing NtOpenProcess
[7624] NtOpenProcess intercepted
[7624] Target PID: 7624
[7624] Allowing NtOpenProcess
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtReadVirtualMemory intercepted
[7624] IsPIDSandboxed
[7624] Target PID: 7636
[7624] BoxName:
[7624] ImageName:
[7624] SidString:
[7624] SessionId: 0
[7624] Blocking NtReadVirtualMemory
v1.0.0.5
Processes That Didn't Work - SandboxieRpcSs.exe and SandboxieDcomLaunch.exe
Explorer Functioning? - No
Process Reading Protected - Yes! (Sandboxed processes could not access unsandboxed processes)
P.S. I didn't get to try out version 1.0.0.4; by the time I checked this post again it had already been replaced with 1.0.0.5.
Alright! v1.0.0.6 should fix the problems. Since I was finally able to reproduce it, turns out I was right in my guess. The mysterious PID is what would be SandboxieRpcSs or SandboxieDcomLaunch (depending on the error). So I added another check: if the target process tests not sandboxed (which happens with our mysterious PID), then it checks if it is a child process of the currently sandboxed process and allows the call (since all child processes of sandboxed processes are also sandboxed). Now the PID is found.
With this change I was able to get Firefox to run, explorer to run, and I was able to launch other processes from a sandboxed cmd prompt and a sandboxed explorer window.
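To make the v1.0.0.6 decision concrete, the following is an added example (not wraithdu's DLL code) of the access check described in the post above, run over a constructed process table instead of live SbieApi_QueryProcess and process-enumeration calls. PIDs 7624 and 7636 mirror the DbgView log earlier in the thread (7636 being the not-yet-populated child); the other entries, the box name "DefaultBox" and the creation-time ordering check are assumptions added here. The creation-time check is extra hardening beyond what the post describes: a parent PID is just a number that gets recycled, so a process whose recorded parent started after it cannot really be that parent's child.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct {
    unsigned long pid;
    unsigned long ppid;         /* creator's PID as recorded at creation */
    unsigned long long started; /* creation time; larger = started later */
    const char *box;            /* sandbox name, "" when the query returns none */
    const char *image;
} proc_t;

enum { ACCESS_BLOCK = 0, ACCESS_ALLOW = 1 };

/* Constructed process table (not real data). */
static const proc_t SAMPLE_PROCS[] = {
    { 1000,  800,  10, "",           "C:\\WINDOWS\\explorer.exe" },        /* real, unsandboxed shell */
    { 2628, 1000,  50, "",           "C:\\WINDOWS\\system32\\calc.exe" },  /* unsandboxed calc */
    { 7624, 1000, 100, "DefaultBox", "C:\\WINDOWS\\explorer.exe" },        /* sandboxed explorer, the caller */
    { 7636, 7624, 110, "",           "" },          /* child mid-creation: no box info yet */
    { 3300, 7624, 120, "DefaultBox", "C:\\WINDOWS\\system32\\calc.exe" },  /* sandboxed calc */
    { 4444, 7624,  90, "",           "C:\\WINDOWS\\notepad.exe" },         /* claims parent 7624 but predates it */
};
#define SAMPLE_N (sizeof SAMPLE_PROCS / sizeof SAMPLE_PROCS[0])

static const proc_t *find_proc(const proc_t *tab, size_t n, unsigned long pid) {
    for (size_t i = 0; i < n; i++)
        if (tab[i].pid == pid) return &tab[i];
    return NULL;
}

/* Stand-in for the IsPIDSandboxed step in the log: does the query report a box? */
int is_pid_sandboxed(const proc_t *tab, size_t n, unsigned long pid) {
    const proc_t *p = find_proc(tab, n, pid);
    return p != NULL && p->box[0] != '\0';
}

/* Direct child of `parent`, and the parent started first (guards against a
   recycled parent PID pointing at an unrelated, newer process). */
int is_live_child_of(const proc_t *tab, size_t n, unsigned long child, unsigned long parent) {
    const proc_t *c = find_proc(tab, n, child);
    const proc_t *p = find_proc(tab, n, parent);
    if (c == NULL || p == NULL || c->ppid != parent) return 0;
    return p->started < c->started;
}

/* The decision the hooked NtOpenProcess / NtReadVirtualMemory makes when the
   sandboxed process `caller` targets `target`. */
int decide_access(const proc_t *tab, size_t n, unsigned long caller, unsigned long target) {
    if (target == caller) return ACCESS_ALLOW;                 /* self access is always fine */
    if (is_pid_sandboxed(tab, n, target)) return ACCESS_ALLOW;  /* sandboxed target */
    /* v1.0.0.6 fallback: a child of a sandboxed process is sandboxed too,
       even if the query cannot say so yet because creation is still in progress. */
    if (is_live_child_of(tab, n, target, caller)) return ACCESS_ALLOW;
    return ACCESS_BLOCK;
}

int main(void) {
    const unsigned long caller = 7624;
    const unsigned long targets[] = { 7624, 7636, 3300, 2628, 1000, 4444, 99999 };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        int v = decide_access(SAMPLE_PROCS, SAMPLE_N, caller, targets[i]);
        printf("Target PID: %lu -> %s\n", targets[i],
               v == ACCESS_ALLOW ? "Allowing" : "Blocking");
    }
    return 0;
}
```

The table-driven form makes the failure mode in the thread visible: with only the first two tests, PID 7636 is blocked and CreateProcess fails; with the child check it is allowed. If the sandbox is meant to separate boxes from each other as well, the second test would compare the target's box name with the caller's instead of accepting any box.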