Anti-Keylogger Tester (AKLT) shows Sandboxie doesn't block some keyloggers based on user-space APIs. We may improve the defense with the help of Sysinternals Desktops, which uses a Windows desktop object for each virtual desktop.
Can Sandboxie add an option to enable blocking the SetThreadDesktop API, to prevent a sandboxed process from changing its thread's desktop object and hooking into processes in other virtual desktops?
block SetThreadDesktop
If we execute AKLT in virtual desktop A of Sysinternals Desktops, AKLT's tests can't capture keystrokes typed into the windows of virtual desktop B.
But real malware may first switch to desktop B through SetThreadDesktop(), then use the similar APIs illustrated in AKLT to capture keystrokes typed in desktop B.
If Sandboxie blocks SetThreadDesktop(), sandboxed malware won't succeed in this case.
AKLT's tests capture keystrokes by invoking GetKeyState()/GetAsyncKeyState()/GetKeyboardState() every 10 ms; no hooks are created, so Sandboxie can't block it.
Running sandboxed malware in a different virtual desktop and blocking SetThreadDesktop() is a simple way to resolve this problem. Of course, Sandboxie may find a better way to defend against evil behaviors similar to AKLT directly.
What exactly is the problem? SBIE is for running an application securely (sandboxed).
If you need specific 'anti-malware' protection then consider adding specific anti-malware software.
When software runs as Admin it can do whatever it wants - mind it.
Just check matousec or other review sites for more specific info.
It would be inappropriate, I think, for Sandboxie to prevent snooping on another desktop, as you suggest, while doing nothing to prevent snooping on the same desktop, which would be the much more common case.
And on the other hand, monitoring keystrokes is not always snooping. A game that uses GetKeyState() to know which keys you're holding down is not a keylogger.
My point is that anti-keylogging is a complex subject in its own right, best left to programs dedicated to combat that particular problem.
The bottom line is that I'm sorry but at this time I am not looking into adding anti-keylogger features to Sandboxie.
tzuk