QQ stopped working after 5.14 update

[methou]

I'm on Windows 10 x64 with Sandboxie 5.14.
I use a rare program in the western world called QQ, it's something like Skype with heavy anti-debug techniques. You can get it from

Code: Select all

http://dldir1.qq.com/qqfile/qq/QQ7.9Light/14308/QQ7.9Light.exe

with

Code: Select all

D:\Downloads\Programs>fciv -sha1 QQ7.9Light.exe
//
// File Checksum Integrity Verifier version 2.05.
//
00c27b5f0c621f82efdf29f0f9120cd9965b9e15 qq7.9light.exe

It worked before with some minor problems:

• Slow startup;
  Sometimes require to start it twice to properly launch the program;
  QQScLauncher.exe should be used instead of QQ.exe

Otherwise, it's fine. Normally I would expect a login window, but with 5.14 update, now it just stopped showing any windows, as in program list:
After a while everything in the sandbox is gone.

[Syrinx]

I looked at this yesterday (I think it might be the same one at least)
http://forums.sandboxie.com/phpBB3/view ... 11&t=23382

Please check if this works for you and let me know if not.

Sandbox Settings > Resource Access > File Access > Direct Access > Edit/Add
\device\namedpipe\*qpipc_*

[KomeijiKuroko]

I looked at this yesterday (I think it might be the same one at least)
http://forums.sandboxie.com/phpBB3/view ... 11&t=23382

Please check if this works for you and let me know if not.

Sandbox Settings > Resource Access > File Access > Direct Access > Edit/Add
\device\namedpipe\*qpipc_*

Not work for me. I installed QQ ver8.6 in Sandbox, and executed "C:\Program Files (x86)\Tencent\QQ\Bin\QQ.exe" in Sandbox.
I add "\device\namedpipe\*qpipc_* " to Sandbox Settings > Resource Access > File Access > Direct Access and Full Access. Not work.
I even add * to IPC Acess, it still didn't work.
It crashed quickly with no any prompt and Sanboxie didn't show any error.

My Sandboxie version is 5.14, OS: Windows 10 Build 1607. 5.12 works well.

[Syrinx]

Sorry, not sure what else to try atm. I just ran it in a VM and the same line worked with both the 7.9 Light link and the 8.6 version from the website with SBIE 5.14 on Win 10 1607/14393.0 for me =(

Maybe it's another piece of software involved? Are you using any other Anti Virus/HIPS/Anti-Exploit or similar products?

[methou]

Sorry, not sure what else to try atm. I just ran it in a VM and the same line worked with both the 7.9 Light link and the 8.6 version from the website with SBIE 5.14 on Win 10 1607/14393.0 for me =(

Maybe it's another piece of software involved? Are you using any other Anti Virus/HIPS/Anti-Exploit or similar products?

Not working for me, though I'm on 14393.222. Very unlikely but can't rule out the possibility that maybe the .222 update killed it.

The only thing that's close to AV/HIPS/AntiExploit I have is IDA Pro, but it's not running. Maybe I'll use QQ elsewhere, but not on this machine.

[mBXAIPKvR]

10.0.14393, I can confirm that I am able to run QQ light 7.9 after adding "\device\namedpipe\*qpipc_* " to Sandbox Settings > Resource Access > File Access > Direct Access and Full Access.
I just installed QQ without sandboxie, and run it using sandboxie 5.14
I hope it works.

[Syrinx]

I updated the Win10 VM, now up to 14393.321 and it still works here when adding that. =(

I add "\device\namedpipe\*qpipc_* "

I see a space at the end of that quote where the last * is. If exists in the rule for sandboxie as well that might explain it. The second * should be the last thing in the rule.

Code: Select all

\device\namedpipe\*qpipc_*

IDA certainly doesn't qualify as a program that should interfere with anything here unless you're also trying to debug QQ or Sandboxie at the time but as you said it wasn't even running...

[firebug]

"\device\namedpipe\*qpipc_* "

Same problem here.
Maybe '\device\namedpipe\*qpipc_*' is indeed working, if install QQ OUTSIDE Sandboxie, and only run it IN Sandboxie.
However QQ is installed IN sandboxie on my laptop, and it's not working...

BTW, 'QQ and Sandboxie' is a well known issue and have already widely discussed in Chinese website, like:
解决QQ无法在沙盘中运行的问题 - Devymex - 博客园
在sandboxie中启动QQ的方法 | 老屋前的苦楝树
使用 Sandboxie 时遇到的一些问题 - V2EX
在Sandboxie中安装QQ的办法————标题要长————才能吸引眼球_安全工具区_安全区 卡饭论坛 - 互助分享 - 大气谦和!
找到在Sandboxie里使用新版QQ的方法了_安全工具区_安全区 卡饭论坛 - 互助分享 - 大气谦和!
win10下 sandboxie 运行 QQ . 无法打开空间 邮件 ._安全工具区_安全区 卡饭论坛 - 互助分享 - 大气谦和!

Basically, no perfect solution. I choose to use QQ portable version created by some famous cracker.

[Barb@Invincea]

Hello firebug,

What happens exactly when you install it inside the Sandboxed?
I just downloaded QQ International 2.11 and I was able to install it inside Sandboxie (latest beta) and Windows 10 x64.
I am looking at the Sign -in screen, I did not proceed from there.

If you can provide more info, I will have a look.

Regards,
Barb.-

[naturee]

It worked here. Maybe because I added the '\device\namedpipe\*qpipc_*' before install qq.

也许是因为我安装QQ之前添加了'\device\namedpipe\*qpipc_*，另外沙盘是新建的。

[firebug]

I just downloaded QQ International 2.11 and I was able to install it inside Sandboxie (latest beta) and Windows 10 x64.
I am looking at the Sign -in screen, I did not proceed from there

Yeah, 'QQ International' seems fine, however most people are not willing use this version, because it castrated a lot of features.
Try test 'QQ Light' version, given by @methou above, the installer of which is

Code: Select all

http://dldir1.qq.com/qqfile/qq/QQ7.9Light/14308/QQ7.9Light.exe

or 'QQ PC' version, the latest installer of which is

Code: Select all

http://dldir1.qq.com/qqfile/qq/QQ8.9/20026/QQ8.9.exe

Both which are widely used in China.

What happens exactly when you install it inside the Sandboxed?

Steps To Reproduce:
1) Add \device\namedpipe\*qpipc_* to Direct Access and Full Access. (option step)
2) Download Installer: http://dldir1.qq.com/qqfile/qq/QQ7.9Lig ... 9Light.exe
3) Install it IN sandboxie. leave all options default, untill finished.
4) After installation complete, the QQ Sign-in screen will automatically pop up, close it
5) Terminate all process in sandboxie, to ensure that is clean now.
6) start QQ.exe just installed manually.

Expected result:
The QQ Sign-in screen should pop out.

Actual result:
The QQ Sign-in screen can NOT pop out, and Sandboxie shows SBIE2103 'qqprotectx64' message.

[Syrinx]

While installing it inside a box (instead of outside like my last test) I did get a few errors.
I got these instead of any SBIE2203 but installation continued and seemed to complete properly.

SBIE2205 Service not implemented: TrustedInstaller C0190008
SBIE2205 Service not implemented: SxsInstallW
SBIE2205 Service not implemented: TrustedInstaller C0190008
SBIE2205 Service not implemented: SxsInstallW

After it was installed I did as you suggested then terminated the remaining programs. I then ran the QQ.exe and it started normally.
The last error I saw was from QQProtectUpd.exe which couldn't start because 'ATL80.DLL was missing from your computer.' This one took a few mins to pop up.
I assume this is related to the 2205 errors I pasted above so I manually installed VS C++ 2005 outside of the sandbox just to get this one out of the way.

I started thinking that the SBIE2203 error was odd since that is a driver block.
That mixed with an alert from Norton ConnectSafe DNS while trying to download the installer again left me wondering.
https://safeweb.norton.com/report/show? ... ir1.qq.com

Viruses Threats found: 6

I then realized with the update stuff going on in the background that maybe the program is getting this driver via the update so I left it open for a few minutes while the VM was online. This time the QQProtectUpd didn't run into the atl error but I still never saw a SBIE2203 error.
With the difference of the program trying to load a driver on your machine but not my VM, I wonder if it's detecting a VM and not attempting to download the driver?
I'll leave it running idle for a bit longer to see if it pops up later and update this if it does.

update:
I haven't seen the SBIE2203 error and the gui still loads for me. I did look around and found some sys files though.
C:\Sandbox\Test\DefaultBox\drive\C\Program Files (x86)\Common Files\Tencent\QQProtect\Bin\QQProtectX64.sys
C:\Sandbox\Test\DefaultBox\drive\C\Program Files (x86)\Common Files\Tencent\QQProtect\Bin\QDAntiDrv.sys
C:\Sandbox\Test\DefaultBox\drive\C\Program Files (x86)\Tencent\QQLite\Bin\ABL.sys
C:\Sandbox\Test\DefaultBox\drive\C\Program Files (x86)\Tencent\QQLite\Bin\PBL.sys

Why it has them and doesn't load them for me but does for you is currently a mystery. Do you happen to have any other Tencent software installed on the host? Does this SBIE2203 error only start if you login?

I suppose, either way, Sandboxie is working as designed by not allowing a service or driver to be added to the system then started. The thing with services and drivers is that once they are loaded, they could potentially be used to circumvent Sandboxie mitigating any protections you might hope to get from using it.

[firebug]

I started thinking that the SBIE2203 error was odd since that is a driver block.

Yeah, it indeed installs a driver.
In the past, I tried run 'services.msc' to see the whole OS service, and see a service named QPCore service (or similar name), whose file is QQProtect.exe
I googled a screenshot similar, link: http://s2.sinaimg.cn/mw690/002X3grdzy7661MWtnHc1&690

What is strange, is why in your test, QQ can be start without the driver loaded, and more, why QQProtect.exe can actually run IN your Sandboxie, which I see in the screenshot. It's a driver process, and should not be able to run IN SBIE, right?

Do you happen to have any other Tencent software installed on the host? Does this SBIE2203 error only start if you login?

I don't have other Tencent software. As a coincidence, I recently reinstall the whole OS, just have few software installed outside SBIE.

The time point SBIE2103 (not 2203 ) start, is when I run QQ.exe, not when tried to login by entering username paswd, because Log-in screen never have chance to pop up.
Create shortcut in Windows shell integration -> Double click shortcut in desktop -> SBIE2103 pop out without Log-in screen

Just for reference to others who also encounter this problem.
For now, I'm using a QQ unofficial modified version: http://www.zdfans.com/4978.html
which removed the drive module, so I can normally install and start it in Sandboxie.