Sandbox delete command - Snapshot tool

If it's not about a problem in the program
Post Reply
bassmastergg
Posts: 13
Joined: Fri Mar 10, 2017 12:50 pm

Sandbox delete command - Snapshot tool

Post by bassmastergg » Fri Jun 16, 2017 9:30 pm

Hi there,

I'm not sure if this is the correct forum for this question, so please let me know.

I have been creating a little program to use as a sandbox deletion tool which in essence allows a sandbox to be loaded from an initial snapshot. It works for the most part but I am having issues with saving deletions in the snapshot. The deleted item will re-appear after the snapshot is loaded. I am assuming because sandbox deletions are stored elsewhere. How can I determine which files were deleted from the sandbox?

Again apologies if this is in the wrong place.

Thanks for any help :D

Brummelchen
Posts: 388
Joined: Sun Oct 12, 2008 9:13 pm

Re: Sandbox delete command - Snapshot tool

Post by Brummelchen » Sat Jun 17, 2017 11:15 am

you assume wrong - deleted means deleted - and not deleted in the basket. you need a good recovery program.

for more information fear the manual please, that explains it all, you dont need any other third-party program:
https://www.sandboxie.com/index.php?StartCommandLine
https://www.sandboxie.com/index.php?Del ... invocation
allows a sandbox to be loaded from an initial snapshot.
you need to create such template yourself and copy it with its new name to the place where you want to use it
(within the sandboxie root folder)

HTH

bassmastergg
Posts: 13
Joined: Fri Mar 10, 2017 12:50 pm

Re: Sandbox delete command - Snapshot tool

Post by bassmastergg » Sat Jun 17, 2017 12:36 pm

Brummelchen wrote:
Sat Jun 17, 2017 11:15 am
allows a sandbox to be loaded from an initial snapshot.
you need to create such template yourself and copy it with its new name to the place where you want to use it
(within the sandboxie root folder)
Thats exactly what i am doing. I am using my own delete command to store a snapshot of the deleted sandbox. If there already is a snapshot I am copying the snapshot I saved into the sandboxie root folder. My current implementation does work except in the case where you try to load a snapshot with files that were deleted (i.e. when I have opened a sandboxed windows explorer, deleted a file and saved a snapshot). When you then browser to that location in a sandboxed windows explorer the deleted files are still there.

What I have noticed is when a sandbox is deleted a bunch of "RegHive" files are packed together in the "__Delete_(sandbox name)_(some random number)_" processed sandbox folder. Which is why I am assuming some metadata about a sandbox must be restored elsewhere.

Thanks again

Brummelchen
Posts: 388
Joined: Sun Oct 12, 2008 9:13 pm

Re: Sandbox delete command - Snapshot tool

Post by Brummelchen » Sat Jun 17, 2017 3:06 pm

ok, i see.

still not right. when sandboxie is going to delete a box its process are going to terminated, and it is renamed with a random number to prevent access that time, there exist no status or anything else. if you delete a file in the box and it is still present in your snapshot then you have a mismatch between your snapshot tool and sandboxie deleting process or it is not in the box but outside - you can not delete files outside from inside.

thats why i pointed to the command list - you need to determine all processes (or terminate them), take a snapshot and then delete. i dont save snapshots but i can determine number of processes and start deletion when zero active. between there is no action from sandboxie.

hint: when you have a view to the mounted reghive (in registry editor) sandboxie will throw a message and sandbox is not deleted.

and again: NO meta!

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Re: Sandbox delete command - Snapshot tool

Post by Guest10 » Sat Jun 17, 2017 3:43 pm

bassmastergg wrote:
Fri Jun 16, 2017 9:30 pm
I have been creating a little program to use as a sandbox deletion tool which in essence allows a sandbox to be loaded from an initial snapshot. It works for the most part but I am having issues with saving deletions in the snapshot. The deleted item will re-appear after the snapshot is loaded. I am assuming because sandbox deletions are stored elsewhere.
If an file inside of the sandbox is deleted by a sandboxed program, and there is no file with that same name in the corresponding location outside of the sandbox, then that file should truly be deleted from the sandbox.
I tested that and the file was truly deleted.

If a file with the same name exists in the corresponding location outside of the sandbox, then the file is not truly deleted inside of the sandbox, but is given a file "Creation" date that pre-dates DOS: an illegal "Creation" date, which has the effect of hiding that file when a sandboxed program looks at the files in that folder:
May 23, 1986

An UNsandboxed program will still see the file in the sandbox folder, with its new (and illegal) "Creation" date and it's old "Modified" date.

If I remember correctly, Sandboxie is also supposed to make that deleted file a 0 byte file in the sandbox.
That does not appear to be happening in my test.


File outside of the sandbox:
C:\Users\(username)\Downloads\dbug.txt

File inside of a sandbox, in a corresponding location:
C:\Sandbox\(username)\TestBox\user\current\Downloads\dbug.txt

If a sandboxed program deletes dbug.txt (in the sandbox), it is marked with an illegal "Creation' date, to hide it from sandboxed programs.
However, as I said above, I seem to recall that the file inside of the sandbox should also be set to 0 bytes, but I don't see that happening in my test.

I talked about this in my second post in this old thread (from 2012), when I was still using Windows XP:
viewtopic.php?f=11&t=13353
including the part where the deleted file in the sandbox should be set to a 0 byte file.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

bassmastergg
Posts: 13
Joined: Fri Mar 10, 2017 12:50 pm

Re: Sandbox delete command - Snapshot tool

Post by bassmastergg » Sat Jun 17, 2017 4:08 pm

Guest10 wrote:
Sat Jun 17, 2017 3:43 pm
If a file with the same name exists in the corresponding location outside of the sandbox, then the file is not truly deleted inside of the sandbox, but is given a file "Creation" date that pre-dates DOS: an illegal "Creation" date, which has the effect of hiding that file when a sandboxed program looks at the files in that folder:
May 23, 1986
Ahh this is exactly what I am looking for, i see where my issue lies now, thanks very much :)

Brummelchen
Posts: 388
Joined: Sun Oct 12, 2008 9:13 pm

Re: Sandbox delete command - Snapshot tool

Post by Brummelchen » Sun Jun 18, 2017 4:28 am

thank you for clearfying. i did not know about but my assumption was not wrong when thinking about some file outside of the box. maybe a ican check that with the prefetch folder, that is one major routine in my programs, i ever wondered that those entries are still present, i never looked at the date.
-------------------------------------
you can not buy or install security!

RooJ
Posts: 82
Joined: Sun Dec 21, 2014 2:47 pm

Re: Sandbox delete command - Snapshot tool

Post by RooJ » Sun Jun 18, 2017 6:43 am

bassmastergg wrote:
Sat Jun 17, 2017 4:08 pm
Guest10 wrote:
Sat Jun 17, 2017 3:43 pm
If a file with the same name exists in the corresponding location outside of the sandbox, then the file is not truly deleted inside of the sandbox, but is given a file "Creation" date that pre-dates DOS: an illegal "Creation" date, which has the effect of hiding that file when a sandboxed program looks at the files in that folder:
May 23, 1986
Ahh this is exactly what I am looking for, i see where my issue lies now, thanks very much :)
Just to add to this, the date doesn't actually predate DOS, initial release of DOS was 1981 apparently and the date sandboxie uses looks legal.

The date sandboxie uses is actually 23/05/1986 04:47:02.25 pm (note the .25 at the end). If you manually set a date just to 23/05/1986 it won't be hidden by sandboxie. I believe the reasoning for using this date is the following:

Date: 23/05/1986 04:47:02.25 pm
Filetime: 121617208222500000
Filetime in Hex: 01B01234DEAD44A0

Notice 1234DEAD :D

Edit: The date may be affected by UK daylight saving time so could be out an hour (03:47:02.25 pm) but filetime should be accurate.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Re: Sandbox delete command - Snapshot tool

Post by Guest10 » Sun Jun 18, 2017 9:40 am

My memory was wrong about the meaning of the Creation date.
I have found how the program's creator worded it:
tzuk wrote:
Thu Apr 05, 2007 7:38 pm
The file creation date is changed to a special magic number for deleted files. In a file properties dialogs, it shows Friday, May 23, 1986, 15:47:02.
I also found another post from a forum member who stated that the deleted file should be set to 0 bytes.
MitchE323 wrote:
Mon Jan 26, 2009 5:53 pm
Before we put this problem to bed, could someone please try to explain to me what happened to cause this.
If you open Windows Explorer sandboxed and delete a file, of course the real file is not going to be deleted. Sandboxie creates a zero-byte file corresponding to the deleted file, in that sandbox. That sandboxed file will have a creation date of 1986.
At some point Sandboxie stopped setting the deleted file to 0 bytes.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

RooJ
Posts: 82
Joined: Sun Dec 21, 2014 2:47 pm

Re: Sandbox delete command - Snapshot tool

Post by RooJ » Sun Jun 18, 2017 11:10 am

I believe sandboxie only creates a 0 byte file if there's no matching file already in the sandbox. If the file exists both on the system and in the sandbox (in the same path) then only the creation date is changed and the file is otherwise unchanged. Not sure if it's always been this way.

bassmastergg
Posts: 13
Joined: Fri Mar 10, 2017 12:50 pm

Re: Sandbox delete command - Snapshot tool

Post by bassmastergg » Sun Jun 18, 2017 1:59 pm

I put in the fix for my tool to ensure the creation date is maintained when copying files and folders from the snapshot into the Sandboxie root and I can confirm that it works as expected :D, thanks for all the help guys.

The question now stands is do I improve the tool to truncate file size and empty folders that are "deleted" to save on snapshot space :wink:

Brummelchen
Posts: 388
Joined: Sun Oct 12, 2008 9:13 pm

Re: Sandbox delete command - Snapshot tool

Post by Brummelchen » Sun Jun 18, 2017 2:56 pm

i wont do that - neither those files affect sandboxie usage nor can you evaluate if those files are still needed, in special 0-byte files. empty folders same. if you zip your box it is waste of time to do a full analysis of files before.

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests