Block Process Access

Utilities designed for use with Sandboxie
tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Apr 20, 2010 9:20 am

ComputerNoob, was your sandbox initially populated by software running under Sandboxie version 3.42 ? Because something related to WinSxS DLLs (like that VC redist) has changed in version 3.43.18 and perhaps this is related. More here:

http://www.sandboxie.com/phpbb/viewtopic.php?t=7178
tzuk

ComputerNoob
Posts: 12
Joined: Fri Apr 09, 2010 9:05 am

Post by ComputerNoob » Wed Apr 21, 2010 10:24 am

@Guest10
Thanks for taking the time to test the problem. I really appreciate it and you have saved me a lot of time indeed.

@wraithdu
With the help of Guest10 and your own test, I think now I can pretty much rule out that there is any problem with your DLL. I am sorry to have said that in my previous statements. Anyway, I think I will update my XP to SP3 later to see if the problem goes away.

@tzuk
ComputerNoob, was your sandbox initially populated by software running under Sandboxie version 3.42 ? Because something related to WinSxS DLLs (like that VC redist) has changed in version 3.43.18 and perhaps this is related. More here:
Unfortunately, no. Thanks for helping me with this problem though, but since it seems that I'm the only one who has this particular problem, don't worry about it. I think I will deal with this problem later when I have time. Thanks again.

gjf
Posts: 26
Joined: Fri Apr 30, 2010 4:51 am

Post by gjf » Fri May 14, 2010 6:47 am

Hi all!

Looks like the latest sbiextra.dll does not work correctly in the latest builds with other injected dlls. Let me clarify.

I am using 3.45.10 on Win XP Pro SP3 x86. There are three injected dlls:

Code:

InjectDll=C:\Program Files\Sandboxie\Buster Sandbox Analyzer\Dll\LOG_API.dll 
InjectDll=C:\Program Files\Sandboxie\Buster Sandbox Analyzer\Dll\sbiextra.dll
InjectDll=C:\Program Files\Sandboxie\Buster Sandbox Analyzer\Dll\antidel.dll
OpenWinClass=TFormBSA
ConfigLevel=6
Enabled=y
NotifyInternetAccessDenied=y
BoxNameTitle=n
BorderColor=#0000FF
All dlls work well except sbiextra.dll. Nevertheless it loads successfully:

Code:

Executing: c:\sandbox\test!!!\injtest.exe
LoadLibrary(d:\program files\sandboxie\buster sandbox analyzer\sbiextra.dll) [c:\sandbox\test!!!\injtest.exe]
GetModuleHandle(KERNEL32.DLL) [c:\sandbox\test!!!\injtest.exe]
GetModuleHandle(KERNEL32) [c:\sandbox\test!!!\injtest.exe]
GetModuleHandle(PGORT90.dll) [c:\sandbox\test!!!\injtest.exe]
OpenProcess(c:\sandbox\test!!!\injtest.exe) [c:\sandbox\test!!!\injtest.exe]
CreateRemoteThread(c:\sandbox\test!!!\injtest.exe) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(d:\program files\sandboxie\buster sandbox analyzer\antidel.dll) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKLM\Software\Microsoft\Ole) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKLM\SOFTWARE\Microsoft\OLEAUT) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(kernel32.dll) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(advapi32.dll) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(oleaut32.dll) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(user32.dll) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKCU\Software\Borland\Locales) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKLM\Software\Borland\Locales) [c:\sandbox\test!!!\injtest.exe]
RegOpenKeyEx(HKCU\Software\Borland\Delphi\Locales) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(d:\program files\sandboxie\buster sandbox analyzer\antidel.rus) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(d:\program files\sandboxie\buster sandbox analyzer\antidel.ru) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(comctl32.dll) [c:\sandbox\test!!!\injtest.exe]
LoadLibrary(comdlg32.dll) [c:\sandbox\test!!!\injtest.exe]
................................
But after that the whole test fails.

In the case of

Code:

InjectDll=C:\Program Files\Sandboxie\Buster Sandbox Analyzer\Dll\sbiextra.dll
alone, the test passes.

Possibly due to change of dll injection mechanism in Sandboxie?

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Fri May 14, 2010 7:03 pm

Sorry, but I do not understand what you are trying to say. The DLL seems to be loaded... but what test is failed exactly? Are you running the test correctly? If you can provide a step by step process to reproduce your 'failure' results and information on what OS you are running, that would be helpful.

Generally, if sbiextra.dll works alone, but not with the other dlls, then there is a conflict somewhere with the other dlls, not Sandboxie itself. It could be one of the other dlls is hooking the same function(s) and is not coded correctly, I do not know.

gjf
Posts: 26
Joined: Fri Apr 30, 2010 4:51 am

Post by gjf » Fri May 14, 2010 9:01 pm

OS: Windows XP SP3 Pro Rus
"Test" means injtest.exe included in the archive. And it fails according to all three criteria mentioned in the readme file.

If sbiextra conflicts with the two other dlls then I assume problems should be expected during their work. But none are observed.

Please let me know about any additional information that can help.

lgy

Post by lgy » Tue Jun 01, 2010 6:14 am

Nice work!

Cheers!

Thanks

Post by Thanks » Wed Jun 02, 2010 2:02 am

hi, wraithdu, good job.

would you hook some more APIs to defend keylogger which is sandboxed ?

cheers

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Wed Jun 02, 2010 8:53 am

If you can be more specific about what APIs you would be interested in having the DLL block, I can look into it. I am not a researcher though and have no interest in studying keyloggers to figure out what needs to be done.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Jun 02, 2010 9:16 am

Keyloggers usually use one of the following APIs:

GetAsyncKeyState
GetKeyState
GetKeyboardState
GetRawInputData (I think this one calls one of the above but not sure)
SetWindowsHookEx

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Jun 02, 2010 9:32 am

btw... nowadays there are even sound loggers! :o

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Wed Jun 02, 2010 9:55 am

Doesn't Sandboxie block at least some of those? No sense duplicating functionality.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Jun 02, 2010 10:13 am

No, none of these are blocked. SetWindowsHookEx gets special treatment so the hook code is installed only in programs in the sandbox, but that doesn't really count as blocking anything.
tzuk

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Wed Jun 02, 2010 6:06 pm

Thanks tzuk. Any idea about what Buster said, that GetRawInputData might call one of the other functions? Are the others low enough to bother hooking? I'd have to download the free IDT Pro again otherwise.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Jun 02, 2010 6:13 pm

No idea, sorry. But I do think a lot of legitimate programs use these. For example I recently added a check for holding Ctrl+Shift while you right-click Run Sandboxed. That's GetAsyncKeyState right there, but clearly not a key-logger.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Jun 02, 2010 6:25 pm

I just made a test and no, GetRawInputData doesn't call other APIs.

I agree with tzuk, lots of applications make use of those APIs, almost every application.

In my test a keylogger was able to log the keys pressed in an unsandboxed NOTEPAD.EXE. I guess the objective would be blocking sandboxed applications from logging keystrokes from unsandboxed applications but I don't know if that's possible. tzuk will know better than me.

I was taking a look at the GetRawInputData information at MSDN and I don't see how it could be possible to filter data between sandboxed/unsandboxed sources.
