Sandboxie and Reflective Memory Injection [SOLVED]

Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Sandboxie and Reflective Memory Injection [SOLVED]

Post by Der Moloch » Sun Apr 17, 2016 4:08 pm

Here's the thing.

There is a person on another forum who is postulating that Sandboxie doesn't protect a process running outside Sandboxie from reflective memory injection from a process running inside Sandboxie. He also said that Sandboxie would have to detect the reflective memory injection in order to block it.

My answer was that this wouldn't work by default and that no detection would be necessary due to the way that Sandboxie applies Windows security features like integrity levels, where a process with integrity level untrusted cannot alter the memory of a process with a higher integrity level, like svchost.exe.

Still it would be nice if Invincea could clarify on this matter.
One hour of FleischmannTV saves one square kilometre of precious pebble wasteland.

Syrinx
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Sandboxie and Reflective Memory Injection

Post by Syrinx » Sun Apr 17, 2016 6:07 pm

I already commented over there, but basically the end assumption is totally mis-formed. The lack of preventing it within the box does not mean it would let it do the same out of the box. After all that supposed 'testing', it wouldn't have been much to actually try it and find out instead of making a wildly incorrect guess. :-/ My guess is the person who wrote it doesn't know enough about how Sandboxie or Windows works in general and isn't qualified to perform such tests for anyone but themselves, or they were trying to pull something off intentionally.... I had missed that they tested it in XP, but even so, programs can't modify the memory of programs outside unless the user opens a hole allowing it.
Goo.gl/p8qFCf

Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm

Re: Sandboxie and Reflective Memory Injection

Post by Curt@invincea » Mon Apr 18, 2016 7:12 pm

As Syrinx stated, sandboxed applications cannot write to the address space of a process outside the sandbox.
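
The claim discussed in this thread, that a sandboxed process cannot write to the address space of a process outside the sandbox, can be checked directly by asking Windows which process access rights it will grant. The following is an added example, not code from the thread or from Sandboxie; `HandleProbe` and `Test-OutsideProcessAccess` are hypothetical names, and the target is assumed to be a test process you started yourself outside the sandbox.

```powershell
# Added example: reports which access rights the current process is granted
# on a target process. No memory is read or written; handles are closed at once.
if (-not ('HandleProbe' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class HandleProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Returns 0 if the handle was granted, otherwise the Win32 error code.
    public static int Try(uint pid, uint access) {
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) { return Marshal.GetLastWin32Error(); }
        CloseHandle(h);
        return 0;
    }
}
'@
}

function Test-OutsideProcessAccess {
    param([Parameter(Mandatory)][uint32]$TargetPid)

    # Rights documented for OpenProcess; the write-class ones are what any
    # cross-process memory modification would have to be granted first.
    $rights = [ordered]@{
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        PROCESS_VM_READ                   = 0x0010
        PROCESS_VM_OPERATION              = 0x0008
        PROCESS_VM_WRITE                  = 0x0020
        PROCESS_CREATE_THREAD             = 0x0002
    }
    foreach ($entry in $rights.GetEnumerator()) {
        $err = [HandleProbe]::Try($TargetPid, [uint32]$entry.Value)
        [pscustomobject]@{
            Right      = $entry.Key
            Granted    = ($err -eq 0)
            Win32Error = $err
        }
    }
}
```

Run `Test-OutsideProcessAccess -TargetPid <pid>` once from a sandboxed PowerShell and once from an unsandboxed one against the same PID, then compare the two tables; a `Win32Error` of 5 is `ERROR_ACCESS_DENIED`.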
