Block Process Access
-
- Posts: 4
- Joined: Thu Oct 06, 2011 6:41 pm
Don't know what to do
Hi guys, I'm very new to this. I realized that there's a DLL we can download before this will work; where is the DLL to download? =o Or am I missing out on something?
-
- Posts: 4
- Joined: Thu Oct 06, 2011 6:41 pm
Re: Password
MaAtKo wrote: Hi guys, I downloaded sbiextra v1.0.0.17, but there is a need of a password. How do I get that one? Thanks in advance.
Look at the file name and make a guess...
sbiextra_1.0.0.17_pass=zer0dev.zip
wraithdu wrote: Have you installed the VC++ 2010 runtimes as the first post mentions? If so, you'll have to start a bug report thread as to why Sandboxie is not seeing that installation for injected DLLs.
I did install the VC runtimes and ran a repair just to be sure it installed correctly. The problem still exists so I'll post in the Problem Report board as you suggested. Thanks.
-
- Posts: 1
- Joined: Wed Feb 08, 2012 8:43 am
dontbotherme wrote: the tasklist command can't be blocked, if the program uses a pipe to get the result, it can also get the process list, how to prevent it?
It's not possible to do it from inside. You must run something like HideDriver in the real system and hide the processes you want from there.
Note: HideDriver only works under 32-bit.
Re: Block Process Access
wraithdu wrote: sbiextra v1.0.0.17 (md5: 4b1705e8cb98ffddb970b8426bfdc772)
wraithdu, I don't know if you're still following this thread, but if you do please have a look at this:
Code:
$ wget http://zer0dev.com/dld/download.php?id=5
--2012-02-29 21:36:58-- http://zer0dev.com/dld/download.php?id=5
Resolving zer0dev.com... 69.163.150.234
Connecting to zer0dev.com|69.163.150.234|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: ../files/Sandboxie/sbiextra_1.0.0.17_pass=zer0dev.zip [following]
--2012-02-29 21:36:58-- http://zer0dev.com/files/Sandboxie/sbiextra_1.0.0.17_pass=zer0dev.zip
Reusing existing connection to zer0dev.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 628764 (614K) [application/zip]
Saving to: `sbiextra_1.0.0.17_pass=zer0dev.zip'
100%[======================================>] 628,764 94.5K/s in 7.1s
2012-02-29 21:37:05 (87.1 KB/s) - `sbiextra_1.0.0.17_pass=zer0dev.zip' saved [628764/628764]
$ md5sum sbiextra_1.0.0.17_pass\=zer0dev.zip
6fb1279b90af37b9bbd4cd926b73e3c9 sbiextra_1.0.0.17_pass=zer0dev.zip
$ sha1sum sbiextra_1.0.0.17_pass\=zer0dev.zip
a40f18ba914e9aa55f36e4c0858c39fe3e5fcd12 sbiextra_1.0.0.17_pass=zer0dev.zip
-
- Posts: 20
- Joined: Thu Mar 25, 2010 8:36 am
Hello there,
At first I wanna thank you very much for your efforts, wraithdu!!!
I've got a little question...
When I installed both runtime libraries and added both DLLs - will spyware in one sandbox not be able to find emails downloaded (e.g. by Thunderbird) in another sandbox?
In other words, it makes one sandbox secure from attacks from another, right?
It might not have been the purpose, but it should work, shouldn't it?
I might delete all sensitive data outside sandboxes and transfer it into a safe sandbox. After that the malware from another sandbox wouldn't have any chance to steal any of that sensitive data, right?
If that works, this is a great advantage for the security issues of Sandboxie.
HolySimpsons wrote: I might delete all sensitive data outside sandboxes and transfer it in a save sandbox. After that the malware from another sandbox wouldn't have any chance to steal any of those sensitive data, right?
I'm not sure why you expect malware in any of your sandboxes, but if you get any in a sandbox which injects sbiextra.dll then it should not be able to access the memory of any other process outside its own sandbox - that includes the host processes. So if you limit file access in that malware-prone sandbox so that it can't access your "sensitive" stuff you should be fine without running them in a separate sandbox - unless you want it that way.
Now if only wraithdu could comment on the different md5sum above...
MD5 fingerprint mismatch and antivirus scans
nevermind wrote: Now if only wraithdu could comment on the different md5sum above...
Hmmmm... what do you think about this? After extracting the password-protected .zip archive:
https://www.virustotal.com/file/b68d905 ... /analysis/
SHA256: b68d9059c59d1f3ede5d9aaebb17f18754c669ace3acbf34eda337bf278869f1
File name: sbiextra_1.0.0.17.zip
Detection ratio: 4 / 43
Analysis date: 2011-09-30 10:09:35 UTC ( 5 months, 1 week ago )
Code:
Antivirus           Result                    Update
Comodo              UnclassifiedMalware       20110929
eTrust-Vet          Win32/YahLover.HidI_I     20110930
McAfee              Artemis!EB96CBE7887D      20110930
McAfee-GW-Edition   Artemis!EB96CBE7887D      20110930
Re: MD5 fingerprint mismatch and antivirus scans - UPDATE
Looks like the md5sum listed in the 1st post corresponds to the .zip archive within the password-protected .zip archive:
Code:
$ md5sum sbiextra_1.0.0.17.zip
4b1705e8cb98ffddb970b8426bfdc772 *sbiextra_1.0.0.17.zip
Also, a rescan on VirusTotal generates 2 warnings:
https://www.virustotal.com/file/b68d905 ... 331254566/
Jotti generates one warning:
http://virusscan.jotti.org/en/scanresul ... 5cf39c713f
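The resolution reached in this post (the published MD5 belongs to the inner archive, not the password-protected wrapper) can be checked mechanically by hashing every layer of the download. The following is an added example, not part of the original thread or of sbiextra; the function names, the 64 MiB cap and the in-memory sample archive are assumptions made for illustration, and `password` must be given as bytes.

```python
import hashlib
import io
import zipfile

MAX_MEMBER = 64 * 1024 * 1024  # skip members that declare more than 64 MiB


def digests(data):
    """MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256")}


def locate_digest(blob, published, password=None, path="<outer>", depth=2):
    """List every layer of a (possibly nested) zip whose digest is `published`.

    The blob itself is hashed first, then each member; members that are zip
    files are opened in turn, at most `depth` levels down.
    """
    published = published.strip().lower()
    hits = [path] if published in digests(blob).values() else []
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(blob)):
        return hits
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            # pwd is ignored for unencrypted members; zipfile only
            # decrypts legacy ZipCrypto, not AES.
            member = zf.read(info, pwd=password)
            hits += locate_digest(member, published, password,
                                  f"{path}/{info.filename}", depth - 1)
    return hits


def build_sample():
    """Constructed input: an unencrypted outer zip wrapping an inner zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("plugin.dll", b"constructed payload bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue(), inner.getvalue()


if __name__ == "__main__":
    outer, inner = build_sample()
    print(locate_digest(outer, hashlib.md5(inner).hexdigest()))
```

An empty result means the published digest matches no layer of the download, which is the case that warrants asking the author rather than guessing.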
sbiextra not working - no idea why
I used to inject sbieinj.dll in all my sandboxes on my old win xp sp2 machine and it worked great - thanks wraithdu!
Had to reinstall OS from scratch, I updated to SP3, new Sandboxie, new everything... unfortunately now sbiextra.dll doesn't seem to work and I am running out of ideas why :(
Current setup:
Win XP SP3 x86
Microsoft Visual C++ 2010 x86 Redistributable 10.0.40219
Sandboxie 3.64
sbiextra v1.0.0.17 with correct InjectDll line for default sandbox in Sandboxie.ini, ShowDebugInfo set to 1 in sbiextra.ini
system rebooted
DbgView started, Capture Win32, Kernel and Events set to on
Calculator started outside any sandbox
cmd.exe started inside default sandbox
injtest.exe <pid_of_calculator> started from cmd.exe inside default sandbox - it can read process handle, memory, list window names...
DbgView window remains empty all the time - absolutely nothing at all
Can anybody suggest what may be wrong? :(
Re: sbiextra not working - no idea why
Ok, so 2 weeks have passed... anybody...?