I've updated the DLL to use a more reliable internal Sandboxie function to determine if the target process is sandboxed or not. Thanks tzuk!
Download from first post or the new 'Contributed Utilities' page (once tzuk updates it, check the MD5s).
Block Process Access
I have an update to the DLL that also hooks CreateToolhelp32Snapshot(), however I'd like some opinions before I finalize it.
For those not familiar with it, this function takes system snapshots of several kinds, and the information in the snapshot is determined by a set of flags:
- system-wide process and thread enumeration
- process specific module and heap enumeration
My current hook strips any system-wide snapshot flags, preventing process and thread enumeration. Then it looks at what is left in the flags parameter. If there are any process specific flags, it determines if the process is running sandboxed or not, and then allows or blocks the call.
What do you think about the blanket system-wide enumeration blocks? Is that going too far, or is it a good security measure? I want it to be secure, but not break functionality. Some possible changes:
- allow process enumeration, but not thread enumeration
- vice-versa
- allow both
Thoughts?
For those not familiar with it, this function takes system snapshots of several kinds, and the information in the snapshot is determined by a set of flags:
- system-wide process and thread enumeration
- process specific module and heap enumeration
My current hook strips any system-wide snapshot flags, preventing process and thread enumeration. Then it looks at what is left in the flags parameter. If there are any process specific flags, it determines if the process is running sandboxed or not, and then allows or blocks the call.
What do you think about the blanket system-wide enumeration blocks? Is that going too far, or is it a good security measure? I want it to be secure, but not break functionality. Some possible changes:
- allow process enumeration, but not thread enumeration
- vice-versa
- allow both
Thoughts?
Updated Test Version
If I could get some people to test this new version it would be very helpful! Instead of listing what's changed, I'm going to list what it does, since a lot has changed. The basic idea is the same, it blocks access from sandboxed processes to unsandboxed processes.
Functions hooked:
- NtOpenProcess
- NtQuerySystemInformation
- NtReadVirtualMemory
- CreateToolhelp32Snapshot
Behavior:
- blocks system-wide enumeration of running processes and threads (includes Toolhelp32 and PSAPI functions)
- blocks access to unsandboxed processes - cannot open processes, or read their memory
I want to be sure that I'm not going too far and breaking applications. I'm currently running the DLL, and so far I haven't had any problems, but a wider testbed would be nice. As before, a plethora of debug information can be seen by running Dbgview from Sysinternals. Once tested, I will release two versions with and without debug output to reduce size and increase performance (I'm sure only a very tiny bit).
The included 'injtest.exe' program has also changed. Now you have to provide a PID to it on the commandline. The easiest way is to open a sandboxed command prompt, navigate to 'injtest.exe', and type 'injtest.exe 1234' where 1234 is the PID of some sandboxed or unsandboxed process.
**snip**
See first post for the new release version.
Functions hooked:
- NtOpenProcess
- NtQuerySystemInformation
- NtReadVirtualMemory
- CreateToolhelp32Snapshot
Behavior:
- blocks system-wide enumeration of running processes and threads (includes Toolhelp32 and PSAPI functions)
- blocks access to unsandboxed processes - cannot open processes, or read their memory
I want to be sure that I'm not going too far and breaking applications. I'm currently running the DLL, and so far I haven't had any problems, but a wider testbed would be nice. As before, a plethora of debug information can be seen by running Dbgview from Sysinternals. Once tested, I will release two versions with and without debug output to reduce size and increase performance (I'm sure only a very tiny bit).
The included 'injtest.exe' program has also changed. Now you have to provide a PID to it on the commandline. The easiest way is to open a sandboxed command prompt, navigate to 'injtest.exe', and type 'injtest.exe 1234' where 1234 is the PID of some sandboxed or unsandboxed process.
**snip**
See first post for the new release version.
Last edited by wraithdu on Thu Feb 19, 2009 6:11 pm, edited 11 times in total.
-
hch
Hi, and thanks for this neat addon.
A question - seems like when I'm running andboxie with your injected dll, the process blocking features work, but I can't run a sandboxed instance of Windows Explorer anymore. I get the errors "SBIE2313 Could Not Execute SandboxieRpcSs.exe" and "SBIE2204 Cannot Start Sandboxed Service RpcSs", and windows explorer does not start. Without injecting the dll they work fine.
I'm wondering, is it supposed to be this way (a limitation) or is that just a bug (oversight). And what (if anything) can I do about it.
Once again, thanks for all your efforts, I'm sure they're appreciated by many people.
A question - seems like when I'm running andboxie with your injected dll, the process blocking features work, but I can't run a sandboxed instance of Windows Explorer anymore. I get the errors "SBIE2313 Could Not Execute SandboxieRpcSs.exe" and "SBIE2204 Cannot Start Sandboxed Service RpcSs", and windows explorer does not start. Without injecting the dll they work fine.
I'm wondering, is it supposed to be this way (a limitation) or is that just a bug (oversight). And what (if anything) can I do about it.
Once again, thanks for all your efforts, I'm sure they're appreciated by many people.
Explorer runs just fine on my Vista laptop. And I haven't had any errors from sandboxie processes either, regardless of what apps I'm running.
Which version of the DLL are you using, the one from the first post, or the test version? What OS are you using, any other security software? Could you run the debug version along with Dbgview and post the output?
Which version of the DLL are you using, the one from the first post, or the test version? What OS are you using, any other security software? Could you run the debug version along with Dbgview and post the output?
No problems here launching a sandboxed explorer on Vista SP1 using the 021309 test version. On a clean XP SP3, however, launching a sandboxed explorer fails for me with two messages:
"SBIE2313 Could not execute SandboxieDcomLaunch.exe (31)"
"SBIE2204 Cannot start sandboxed service DcomLaunch (0)"
The sandboxed explorer process is nevertheless enumerated in Sandboxie Control and Process Explorer. Tested using Sandboxie 3.35.10.
"SBIE2313 Could not execute SandboxieDcomLaunch.exe (31)"
"SBIE2204 Cannot start sandboxed service DcomLaunch (0)"
The sandboxed explorer process is nevertheless enumerated in Sandboxie Control and Process Explorer. Tested using Sandboxie 3.35.10.
Nick
-
hch
Hi,
I'm running Sandboxie 3.34 on Windows XP (Media Center Edition, Service Pack 2).
I tested with (both) the new dll and old dll versions. Both encounter the same issue.
I'm positive the injection works because I can run single, isolated applications successfully. The process memory restriction works perfectly. (I did a test, ran taskmanager sandboxed, then ran one sandboxed "calculator" app and one unsandboxed one. Only the sandboxed one was detected , which is correct). Therefore, the only problem is starting the Windows Explorer.
As nick s mentioned, the sandboxed explorer process does appear in the sandboxed process list, but the window does not show or function (probably due to the fact that SandboxieRpcSs.exe and SandboxieDcomLaunch.exe fail to load).
I'm running Sandboxie 3.34 on Windows XP (Media Center Edition, Service Pack 2).
I tested with (both) the new dll and old dll versions. Both encounter the same issue.
I'm positive the injection works because I can run single, isolated applications successfully. The process memory restriction works perfectly. (I did a test, ran taskmanager sandboxed, then ran one sandboxed "calculator" app and one unsandboxed one. Only the sandboxed one was detected , which is correct). Therefore, the only problem is starting the Windows Explorer.
As nick s mentioned, the sandboxed explorer process does appear in the sandboxed process list, but the window does not show or function (probably due to the fact that SandboxieRpcSs.exe and SandboxieDcomLaunch.exe fail to load).
-
hch
Sorry for the double post.
I downloaded dbgview, and perhaps this additional information may be helpful.
This is the output when attempting to run windows explorer sandboxed with the latest test version of the dll (and the above mentioned system specs)
[11284] Injected into process
[11284] Pointers:
[11284] SbieDll_Hook: 7D22BA00
[11284] SbieApi_QueryProcess: 7D2454A0
[11284] pNtReadVirtualMemory: 00DF0BD0
[11284] NtReadVirtualMemory intercepted
[11284] Target PID: 11284
[11284] BoxName: CrapBox
[11284] ImageName: explorer.exe
[11284] SidString: S-1-5-21-3509508797-2857804451-176231780-1005
[11284] SessionId: 0
[11284] Target is sandboxed, allowing NtReadVirtualMemory
[11284] NtReadVirtualMemory intercepted
[11284] Target PID: 13784
[11284] BoxName:
[11284] ImageName:
[11284] SidString:
[11284] SessionId: 0
[11284] Target not sandboxed, blocking NtReadVirtualMemory
========================================
To compare, the following is the output when attempting to run the windows Calculator app (which works).
[12360] Injected into process
[12360] Pointers:
[12360] SbieDll_Hook: 7D22BA00
[12360] SbieApi_QueryProcess: 7D2454A0
[12360] pNtReadVirtualMemory: 00DF0B70
I downloaded dbgview, and perhaps this additional information may be helpful.
This is the output when attempting to run windows explorer sandboxed with the latest test version of the dll (and the above mentioned system specs)
[11284] Injected into process
[11284] Pointers:
[11284] SbieDll_Hook: 7D22BA00
[11284] SbieApi_QueryProcess: 7D2454A0
[11284] pNtReadVirtualMemory: 00DF0BD0
[11284] NtReadVirtualMemory intercepted
[11284] Target PID: 11284
[11284] BoxName: CrapBox
[11284] ImageName: explorer.exe
[11284] SidString: S-1-5-21-3509508797-2857804451-176231780-1005
[11284] SessionId: 0
[11284] Target is sandboxed, allowing NtReadVirtualMemory
[11284] NtReadVirtualMemory intercepted
[11284] Target PID: 13784
[11284] BoxName:
[11284] ImageName:
[11284] SidString:
[11284] SessionId: 0
[11284] Target not sandboxed, blocking NtReadVirtualMemory
========================================
To compare, the following is the output when attempting to run the windows Calculator app (which works).
[12360] Injected into process
[12360] Pointers:
[12360] SbieDll_Hook: 7D22BA00
[12360] SbieApi_QueryProcess: 7D2454A0
[12360] pNtReadVirtualMemory: 00DF0B70
@hch
Ok, couple things here:
1) From your debug output, you're running the released version of the DLL from the first post, not the test version. The test version would show additional hooks on NtOpenProcess, NtQuerySystemInformation, and CreateToolhelp32Snapshot.
2) This means that explorer in XP can't even handle the one hook on NtReadVirtualMemory, lame.
Try a new build of the test version from this post
http://www.sandboxie.com/phpbb/viewtopi ... 3013#33013
In this version, I've placed an exclusion for explorer.exe on OS's below Vista / Server 2008, so the DLL won't be injected. Try it out and see if explorer works. Test on some other software also, just to see if XP is less tolerant of these kinds of restrictions versus Vista. Make sure to test software that also causes SandboxieRpcSs and SandboxieDcomLaunch to run. It could be a conflict with the Sandboxie processes on XP, and not explicitly with explorer.exe. If this is the case, I can make exclusions for the Sandboxie processes. Thanks!
Ok, couple things here:
1) From your debug output, you're running the released version of the DLL from the first post, not the test version. The test version would show additional hooks on NtOpenProcess, NtQuerySystemInformation, and CreateToolhelp32Snapshot.
2) This means that explorer in XP can't even handle the one hook on NtReadVirtualMemory, lame.
Try a new build of the test version from this post
http://www.sandboxie.com/phpbb/viewtopi ... 3013#33013
In this version, I've placed an exclusion for explorer.exe on OS's below Vista / Server 2008, so the DLL won't be injected. Try it out and see if explorer works. Test on some other software also, just to see if XP is less tolerant of these kinds of restrictions versus Vista. Make sure to test software that also causes SandboxieRpcSs and SandboxieDcomLaunch to run. It could be a conflict with the Sandboxie processes on XP, and not explicitly with explorer.exe. If this is the case, I can make exclusions for the Sandboxie processes. Thanks!
-
hch
@wriathdu
okay, i've tested out the version you've pointed me to. This time, the SandboxieRpcSs.exe process runs (last time it didnt, now it does), but I still get the error saying "Could not execute SandboxieDcomLaunch.exe" and "Cannot start sandboxed service DcomLaunch".
Overall it is still not functioning, though now I can see two processes in the sandboxie window (explorer.exe and SandboxieRpcSs.exe) compared to only explorer.exe last time.
This is the new debug output that I get when trying to open a sandboxed explorer with the new dll you directed me to.
[8988] ----------
[8988] Injected into process: [8988] C:\Program Files\Sandboxie\SandboxieRpcSs.exe
[8988] Pointers:
[8988] SbieDll_Hook: 7D22BA00
[8988] SbieApi_QueryProcess: 7D2454A0
[8988] pNtOpenProcess: 00290AD0
[8988] pNtReadVirtualMemory: 00290AF0
[8988] pNtQuerySystemInformation: 00290B10
[8988] pCreateToolhelp32Snapshot: 00290B30
[8988] ----------
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtReadVirtualMemory intercepted
[8988] IsPIDSandboxed
[8988] Target PID: 9108
[8988] BoxName:
[8988] ImageName:
[8988] SidString:
[8988] SessionId: 0
[8988] Blocking NtReadVirtualMemory
[2564]
[2564] TT: Radio state info: on
[1880] RCE3: DllMain(1): DLL_THREAD_ATTACH -------- (758) C:\Program Files\Dell\MediaDirect\PCMService.exe
[1880]
[2564]
[2564] TT: Radio state info: on
[1880] [PCMService] OnTimer_CheckUpdate()
[1880]
[1880] RCE3: DllMain(1): DLL_THREAD_ATTACH -------- (758) C:\Program Files\Dell\MediaDirect\PCMService.exe
I'm not sure what other software would cause those two processes to run, tell me so I can try it out.
And yes, I suppose a version with exceptions for the conflicting processes could be useful.
By the way, thanks for your help! Hope this can work out...
okay, i've tested out the version you've pointed me to. This time, the SandboxieRpcSs.exe process runs (last time it didnt, now it does), but I still get the error saying "Could not execute SandboxieDcomLaunch.exe" and "Cannot start sandboxed service DcomLaunch".
Overall it is still not functioning, though now I can see two processes in the sandboxie window (explorer.exe and SandboxieRpcSs.exe) compared to only explorer.exe last time.
This is the new debug output that I get when trying to open a sandboxed explorer with the new dll you directed me to.
[8988] ----------
[8988] Injected into process: [8988] C:\Program Files\Sandboxie\SandboxieRpcSs.exe
[8988] Pointers:
[8988] SbieDll_Hook: 7D22BA00
[8988] SbieApi_QueryProcess: 7D2454A0
[8988] pNtOpenProcess: 00290AD0
[8988] pNtReadVirtualMemory: 00290AF0
[8988] pNtQuerySystemInformation: 00290B10
[8988] pCreateToolhelp32Snapshot: 00290B30
[8988] ----------
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtQuerySystemInformation intercepted
[8988] Allowing NtQuerySystemInformation
[8988] NtReadVirtualMemory intercepted
[8988] IsPIDSandboxed
[8988] Target PID: 9108
[8988] BoxName:
[8988] ImageName:
[8988] SidString:
[8988] SessionId: 0
[8988] Blocking NtReadVirtualMemory
[2564]
[2564] TT: Radio state info: on
[1880] RCE3: DllMain(1): DLL_THREAD_ATTACH -------- (758) C:\Program Files\Dell\MediaDirect\PCMService.exe
[1880]
[2564]
[2564] TT: Radio state info: on
[1880] [PCMService] OnTimer_CheckUpdate()
[1880]
[1880] RCE3: DllMain(1): DLL_THREAD_ATTACH -------- (758) C:\Program Files\Dell\MediaDirect\PCMService.exe
I'm not sure what other software would cause those two processes to run, tell me so I can try it out.
And yes, I suppose a version with exceptions for the conflicting processes could be useful.
By the way, thanks for your help! Hope this can work out...
Ok, try the test version again, v1.0.0.2. This time I've excluded all Sandboxie processes, but not explorer. Hopefully the problem here is with the SB procs, at least it is judging by the errors you've mentioned. Thanks again for testing.
Out of curiosity, before you try the new version, see these lines?
Out of curiosity, before you try the new version, see these lines?
What process is PID 9108? You'll have to run the test again and look in TaskManager, as your PIDs will change and this number will probably be different. This is referring to SandboxieRpcSs.exe trying to read the memory of some unsandboxed process and being blocked.[8988] IsPIDSandboxed
[8988] Target PID: 9108
[8988] BoxName:
[8988] ImageName:
[8988] SidString:
[8988] SessionId: 0
[8988] Blocking NtReadVirtualMemory
-
ThantiK
Who is online
Users browsing this forum: No registered users and 1 guest
